From: Michael Farrell Date: Thu, 26 Jan 2017 09:27:08 +0000 (+1100) Subject: hf mf sim: Multiple fixes from review of PR #209. X-Git-Tag: v3.0.0~73^2 X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/refs/pull/209/head?ds=inline hf mf sim: Multiple fixes from review of PR #209. - Don't increment the nonce when random mode is disabled (this breaks the standard attack). - Don't attempt the standard attack when random mode is enabled (there's no point as it won't work, per comments from @pwpiwi). - Attempt the moebius attack if the standard attack fails. --- diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 07bbd37d..83907fce 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -2329,7 +2329,7 @@ typedef struct { * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that * FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later - * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data + * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack) *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ... * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted) */ @@ -2543,8 +2543,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * cardAUTHKEY = 0xff; if (flags & FLAG_RANDOM_NONCE) { nonce = prand(); - } else { - nonce++; } continue; } diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 2b14c763..cdac6476 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1016,7 +1016,7 @@ int CmdHF14AMfChk(const char *Cmd) return 0; } -void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { +void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) { #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim() uint64_t key = 0; typedef struct { @@ -1034,7 +1034,7 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { for (uint8_t i = 0; i 0) { //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); - if (mfkey32(ar_resp[i], &key)) { + if (doStandardAttack && mfkey32(ar_resp[i], &key)) { PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); for (uint8_t ii = 0; ii' (implies x and i)"); - PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces."); + PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works."); PrintAndLog("samples:"); PrintAndLog(" hf mf sim u 0a0a0a0a"); PrintAndLog(" hf mf sim u 11223344556677"); @@ -1252,7 +1280,8 @@ int CmdHF14AMf1kSim(const char *Cmd) { //got a response nonces_t ar_resp[ATTACK_KEY_COUNT*2]; memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); - readerAttack(ar_resp, setEmulatorMem); + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); if ((bool)resp.arg[1]) { PrintAndLog("Device button pressed - quitting"); fclose(f); @@ -1284,7 +1313,8 @@ int CmdHF14AMf1kSim(const char *Cmd) { if (flags & FLAG_NR_AR_ATTACK) { nonces_t ar_resp[ATTACK_KEY_COUNT*2]; memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); - readerAttack(ar_resp, setEmulatorMem); + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); } } }