iceman1001 [Wed, 14 Dec 2016 22:23:16 +0000 (23:23 +0100)]
ADD: 'lf visa2000' commands. (SIM/CLONE/READ) almost finished.
CHG: 'lf xxxxx' reduced number of samples from 30000 -> 20000 in "lf xxxxxx read" commands.
CHG: 'data samples' - didn't honor the silent parameter. It now output less for the 'lf xxxxxx read' commands.
iceman1001 [Mon, 21 Nov 2016 15:08:12 +0000 (16:08 +0100)]
ADD: added the 'hf mf hardnested' to be called within LUA scripts.
ADD: 'script run hard' - a first try for a lua script to run the hardnested attack on a complete tag.
iceman1001 [Thu, 17 Nov 2016 17:20:44 +0000 (18:20 +0100)]
ADD: "analyse hid" - new function that implements the 'heart of darkness' hid/iclass permute function. Its converted from the php-solution found in the paper to C. Ref: https://github.com/akw0088/HID-Card-Copy/blob/master/key-permutation/permute.php
iceman1001 [Wed, 16 Nov 2016 17:16:14 +0000 (18:16 +0100)]
CHG: "hf mf hardnested" - fixes and additions.
- freeing candidate lists after generate_candidates calls.
- longer timeout when waiting for responses (it takes a while to collect 58 nonces per call) From 3sec to 6sec
- if best_first_byte[0] (best guess) has been the same for 3 nonces calls in a row, it enters the generate_candidates test.
- when total_added_nonces increases but does not enter generate_candidates tests, it now increases the threshold_index variable. Make the output look better
Known bugs still.
- TestIfKeyExists sometimes crashes the client, still after the null check.
- proxmark3 device doesn't answer calls after entering brute_force call and fails finding a key, where it should start collecting nonces again. This bug doesn't make sense.
iceman1001 [Tue, 15 Nov 2016 11:49:13 +0000 (12:49 +0100)]
CHG: "hf mf hardnested"
- latest clean up from @matrix
- the device still doesnt answer when brute_force call fails. I've been trying to get the device to init after the brute_force call.
iceman1001 [Mon, 14 Nov 2016 20:41:18 +0000 (21:41 +0100)]
FIX: 'LF PYRAMID' the crc8_MAXIM and crc16_DNP was calling the wrong crc method. (update2 is the older and correct version). This solves the pyrmid issue with wrong checksums calculated.
Thanks to @rookieatall @marshmellow42 for pointing out the bug. ref: http://www.proxmark.org/forum/viewtopic.php?id=4006
iceman1001 [Sat, 5 Nov 2016 13:54:25 +0000 (14:54 +0100)]
FIX: @matrix https://github.com/matrix/proxmark3/commit/869a03c2c6267db16cd1418b9e5f2b9049b9a015
it still counts down the good bytes,
and I fixed the elapsed time.
iceman1001 [Sat, 29 Oct 2016 20:12:38 +0000 (22:12 +0200)]
FIX: several calls to nonce2key/nonce2key_ex has problems with not clearing up memory pointers laying around.
Still exists problem which needs to be dealt with.
iceman1001 [Sat, 29 Oct 2016 19:41:02 +0000 (21:41 +0200)]
FIX: 'hf mf mifare' - special zero parity attack vector now works. Thanks to the dude who figured this vector out: @douniwan5788 (sorry for comments, I was clearly wrong.) @piwi - for proving me wrong.
this version uses int64_t (signed) to signify end-of-lists (-1). It also needs its own compare function for the qsort. I didn't merge this into existing code which uses uint64_t. (too lazy)
iceman1001 [Fri, 28 Oct 2016 18:43:07 +0000 (20:43 +0200)]
CHG: 'HF MF C*' (chinese backdoor commands) According to douniwan5788 some magic/clone tags answers to the halt cmd and some not. I think I captured his ideas.
- Fix `hf mf sim` to use nonce_t structures, so key recovery works
- Increases verbosity on the key recovery functionality
- Fix use-after-free for k_sector
- Add help info on `e` option to `hf mf sim`
iceman1001 [Wed, 19 Oct 2016 22:39:15 +0000 (00:39 +0200)]
FIX: lf sim, seems like "lf sim" call SimulateTagLowFrequency direct from appmain.c and I removed the LF bitstream call thinking SimulateTagLowFrequency was only called from the sub FSK;ASK;PSK commands.
iceman1001 [Wed, 19 Oct 2016 17:59:58 +0000 (19:59 +0200)]
FIX: "lf sim" after changes to ticks timers on device side, there was a "starticks" call missing, which lead to not having any timers which is a problem for the WaitUS call.