iceman1001 [Mon, 16 Jan 2017 13:46:42 +0000 (14:46 +0100)]
CHG: 'lf t55xx' the no-time limit waiting for the device to ACK when transfering data from device to client, is changed to 8 seconds.
CHG: 'lf t55xx dump' - added ASCII printing of dumped data blocks.
iceman1001 [Wed, 11 Jan 2017 21:00:17 +0000 (22:00 +0100)]
FIX: 'hf 14a reader' - when card SAK was 0x00, it calls GetHF14AMfU_Type() to try to identify if it is a UL/NTAG etc. The bug is that it ignored the return value.
when return_value == UL_ERROR, it shall not print the mfu tagtype annotation.
iceman1001 [Tue, 10 Jan 2017 21:21:16 +0000 (22:21 +0100)]
CHG: 'hf iclass replay' added help text.
CHG: 'hf iclass snoop' added help text.
CHG: 'hf iclass reader' added help text.
ADD: 'hf iclass reader' added the possibility to read only one tag instead of looping.
CHG: 'sprint_hex_ascii' function now replaces unprintable chars with '.', added this call to printIclassDumpInfo
iceman1001 [Tue, 10 Jan 2017 17:23:05 +0000 (18:23 +0100)]
CHG: 'hf iclass decrypt' - adjusted the loops, to only decrypt Application 1. However I've noticed not all blocks in Application 1 is encrypted. :/ Still needs to be adjusted.
CHG: 'hf iclass reader' - added some output accessrights from the CopyReader source code.
And ofcourse, moved around stuff, like the usages in cmdhficlass.c
iceman1001 [Thu, 5 Jan 2017 14:55:19 +0000 (15:55 +0100)]
CHG: some indala output is now only in debug mode
CHG: added 34|37 bits AWID format. I'm guessing 37bit is wrong since the parity is still there. Which it shouldn't
iceman1001 [Mon, 19 Dec 2016 13:55:58 +0000 (14:55 +0100)]
CHG: 'lf awid brute' - extra check if device gotten offline
CHG: 'lf t55x7 brute' - extra check if device gotten offline
CHG: 'lf nedap' - Nedap is supposed to be Diphase.
iceman1001 [Fri, 16 Dec 2016 11:47:49 +0000 (12:47 +0100)]
ADD: 'LF VISA2000' added one checksum test when demod / clone / sim
CHG: 'LF NORALSY' when chksum fails, return 0, to indicate for LF SEARCH that it failed.
iceman1001 [Wed, 14 Dec 2016 22:23:16 +0000 (23:23 +0100)]
ADD: 'lf visa2000' commands. (SIM/CLONE/READ) almost finished.
CHG: 'lf xxxxx' reduced number of samples from 30000 -> 20000 in "lf xxxxxx read" commands.
CHG: 'data samples' - didn't honor the silent parameter. It now output less for the 'lf xxxxxx read' commands.
iceman1001 [Mon, 21 Nov 2016 15:08:12 +0000 (16:08 +0100)]
ADD: added the 'hf mf hardnested' to be called within LUA scripts.
ADD: 'script run hard' - a first try for a lua script to run the hardnested attack on a complete tag.
iceman1001 [Thu, 17 Nov 2016 17:20:44 +0000 (18:20 +0100)]
ADD: "analyse hid" - new function that implements the 'heart of darkness' hid/iclass permute function. Its converted from the php-solution found in the paper to C. Ref: https://github.com/akw0088/HID-Card-Copy/blob/master/key-permutation/permute.php
iceman1001 [Wed, 16 Nov 2016 17:16:14 +0000 (18:16 +0100)]
CHG: "hf mf hardnested" - fixes and additions.
- freeing candidate lists after generate_candidates calls.
- longer timeout when waiting for responses (it takes a while to collect 58 nonces per call) From 3sec to 6sec
- if best_first_byte[0] (best guess) has been the same for 3 nonces calls in a row, it enters the generate_candidates test.
- when total_added_nonces increases but does not enter generate_candidates tests, it now increases the threshold_index variable. Make the output look better
Known bugs still.
- TestIfKeyExists sometimes crashes the client, still after the null check.
- proxmark3 device doesn't answer calls after entering brute_force call and fails finding a key, where it should start collecting nonces again. This bug doesn't make sense.
iceman1001 [Tue, 15 Nov 2016 11:49:13 +0000 (12:49 +0100)]
CHG: "hf mf hardnested"
- latest clean up from @matrix
- the device still doesnt answer when brute_force call fails. I've been trying to get the device to init after the brute_force call.
iceman1001 [Mon, 14 Nov 2016 20:41:18 +0000 (21:41 +0100)]
FIX: 'LF PYRAMID' the crc8_MAXIM and crc16_DNP was calling the wrong crc method. (update2 is the older and correct version). This solves the pyrmid issue with wrong checksums calculated.
Thanks to @rookieatall @marshmellow42 for pointing out the bug. ref: http://www.proxmark.org/forum/viewtopic.php?id=4006
iceman1001 [Sat, 5 Nov 2016 13:54:25 +0000 (14:54 +0100)]
FIX: @matrix https://github.com/matrix/proxmark3/commit/869a03c2c6267db16cd1418b9e5f2b9049b9a015
it still counts down the good bytes,
and I fixed the elapsed time.
iceman1001 [Sat, 29 Oct 2016 20:12:38 +0000 (22:12 +0200)]
FIX: several calls to nonce2key/nonce2key_ex has problems with not clearing up memory pointers laying around.
Still exists problem which needs to be dealt with.
iceman1001 [Sat, 29 Oct 2016 19:41:02 +0000 (21:41 +0200)]
FIX: 'hf mf mifare' - special zero parity attack vector now works. Thanks to the dude who figured this vector out: @douniwan5788 (sorry for comments, I was clearly wrong.) @piwi - for proving me wrong.
this version uses int64_t (signed) to signify end-of-lists (-1). It also needs its own compare function for the qsort. I didn't merge this into existing code which uses uint64_t. (too lazy)
iceman1001 [Fri, 28 Oct 2016 18:43:07 +0000 (20:43 +0200)]
CHG: 'HF MF C*' (chinese backdoor commands) According to douniwan5788 some magic/clone tags answers to the halt cmd and some not. I think I captured his ideas.