github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 22:03:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #1820 from jmichelp/master

Browse source 
Fix overflow in SPI memory when writing default key dictionnaries.
This commit is contained in:
Iceman 2022-11-25 07:21:09 +01:00 committed by GitHub
commit 2453d9bc81
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -14,6 +14,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Fixed `trace list -c` - annotation of CRC bytes now is colored or squared if no ansi colors is supported (@iceman1001) - Fixed `trace list -c` - annotation of CRC bytes now is colored or squared if no ansi colors is supported (@iceman1001)
- Fixed `trace list -t mf` - now also finds UID if anticollision is partial captured, to be used for mfkey (@iceman1001) - Fixed `trace list -t mf` - now also finds UID if anticollision is partial captured, to be used for mfkey (@iceman1001)
- Added `hf mf gload, gsave, ggetblk, gsetblk` for Gen4 GTU in mifare classic mode (@DidierA) - Added `hf mf gload, gsave, ggetblk, gsetblk` for Gen4 GTU in mifare classic mode (@DidierA)
- Fixed SPI flash overflow when loading dictionnaries into flash. Breaking change: added 1 more sector for Mifare - dictionnaries should be loaded again (@jmichelp)
## [Radium.4.15864][2022-10-29] ## [Radium.4.15864][2022-10-29]
- Changed `lf indala sim` - now accepts fc / cn (@iceman1001) - Changed `lf indala sim` - now accepts fc / cn (@iceman1001)

6
armsrc/flashmem.c
View file

@ -594,7 +594,7 @@ void Flashmem_print_info(void) {
if (isok == 2) { if (isok == 2) {
num = ((keysum[1] << 8) | keysum[0]); num = ((keysum[1] << 8) | keysum[0]);
if (num != 0xFFFF && num != 0x0) if (num != 0xFFFF && num != 0x0)
Dbprintf(" Mifare.................. "_YELLOW_("%d")" keys", num); Dbprintf(" Mifare.................. "_YELLOW_("%d")" / "_GREEN_("%d")" keys", num, DEFAULT_MF_KEYS_MAX);
} }
Flash_CheckBusy(BUSY_TIMEOUT); Flash_CheckBusy(BUSY_TIMEOUT);
@ -602,7 +602,7 @@ void Flashmem_print_info(void) {
if (isok == 2) { if (isok == 2) {
num = ((keysum[1] << 8) | keysum[0]); num = ((keysum[1] << 8) | keysum[0]);
if (num != 0xFFFF && num != 0x0) if (num != 0xFFFF && num != 0x0)
Dbprintf(" T55x7................... "_YELLOW_("%d")" keys", num); Dbprintf(" T55x7................... "_YELLOW_("%d")" / "_GREEN_("%d")" keys", num, DEFAULT_T55XX_KEYS_MAX);
} }
Flash_CheckBusy(BUSY_TIMEOUT); Flash_CheckBusy(BUSY_TIMEOUT);
@ -610,7 +610,7 @@ void Flashmem_print_info(void) {
if (isok == 2) { if (isok == 2) {
num = ((keysum[1] << 8) | keysum[0]); num = ((keysum[1] << 8) | keysum[0]);
if (num != 0xFFFF && num != 0x0) if (num != 0xFFFF && num != 0x0)
Dbprintf(" iClass.................. "_YELLOW_("%d")" keys", num); Dbprintf(" iClass.................. "_YELLOW_("%d")" / "_GREEN_("%d")" keys", num, DEFAULT_ICLASS_KEYS_MAX);
} }
FlashStop(); FlashStop();

27
client/src/cmdflashmem.c
View file

@ -204,19 +204,23 @@ static int CmdFlashMemLoad(const char *Cmd) {
size_t datalen = 0; size_t datalen = 0;
uint32_t keycount = 0; uint32_t keycount = 0;
int res = 0; int res = 0;
uint8_t keylen = 0;
uint8_t *data = calloc(FLASH_MEM_MAX_SIZE, sizeof(uint8_t)); uint8_t *data = calloc(FLASH_MEM_MAX_SIZE, sizeof(uint8_t));
switch (d) { switch (d) {
case DICTIONARY_MIFARE: case DICTIONARY_MIFARE:
offset = DEFAULT_MF_KEYS_OFFSET; offset = DEFAULT_MF_KEYS_OFFSET;
res = loadFileDICTIONARY(filename, data + 2, &datalen, 6, &keycount); keylen = 6;
res = loadFileDICTIONARY(filename, data + 2, &datalen, keylen, &keycount);
if (res || !keycount) { if (res || !keycount) {
free(data); free(data);
return PM3_EFILE; return PM3_EFILE;
} }
// limited space on flash mem // limited space on flash mem
if (keycount > 0xFFFF) if (keycount > DEFAULT_MF_KEYS_MAX) {
keycount &= 0xFFFF; keycount = DEFAULT_MF_KEYS_MAX;
datalen = keycount * keylen;
}
data[0] = (keycount >> 0) & 0xFF; data[0] = (keycount >> 0) & 0xFF;
data[1] = (keycount >> 8) & 0xFF; data[1] = (keycount >> 8) & 0xFF;
@ -224,14 +228,17 @@ static int CmdFlashMemLoad(const char *Cmd) {
break; break;
case DICTIONARY_T55XX: case DICTIONARY_T55XX:
offset = DEFAULT_T55XX_KEYS_OFFSET; offset = DEFAULT_T55XX_KEYS_OFFSET;
res = loadFileDICTIONARY(filename, data + 2, &datalen, 4, &keycount); keylen = 4;
res = loadFileDICTIONARY(filename, data + 2, &datalen, keylen, &keycount);
if (res || !keycount) { if (res || !keycount) {
free(data); free(data);
return PM3_EFILE; return PM3_EFILE;
} }
// limited space on flash mem // limited space on flash mem
if (keycount > 0xFFFF) if (keycount > DEFAULT_T55XX_KEYS_MAX) {
keycount &= 0xFFFF; keycount = DEFAULT_T55XX_KEYS_MAX;
datalen = keycount * keylen;
}
data[0] = (keycount >> 0) & 0xFF; data[0] = (keycount >> 0) & 0xFF;
data[1] = (keycount >> 8) & 0xFF; data[1] = (keycount >> 8) & 0xFF;
@ -239,14 +246,16 @@ static int CmdFlashMemLoad(const char *Cmd) {
break; break;
case DICTIONARY_ICLASS: case DICTIONARY_ICLASS:
offset = DEFAULT_ICLASS_KEYS_OFFSET; offset = DEFAULT_ICLASS_KEYS_OFFSET;
res = loadFileDICTIONARY(filename, data + 2, &datalen, 8, &keycount); res = loadFileDICTIONARY(filename, data + 2, &datalen, keylen, &keycount);
if (res || !keycount) { if (res || !keycount) {
free(data); free(data);
return PM3_EFILE; return PM3_EFILE;
} }
// limited space on flash mem // limited space on flash mem
if (keycount > 0xFFFF) if (keycount > DEFAULT_ICLASS_KEYS_MAX) {
keycount &= 0xFFFF; keycount = DEFAULT_ICLASS_KEYS_MAX;
datalen = keycount * keylen;
}
data[0] = (keycount >> 0) & 0xFF; data[0] = (keycount >> 0) & 0xFF;
data[1] = (keycount >> 8) & 0xFF; data[1] = (keycount >> 8) & 0xFF;

16
include/pmflash.h
View file

@ -28,7 +28,7 @@
// 0x3E000 - 1 4kb sector = settings // 0x3E000 - 1 4kb sector = settings
// 0x3D000 - 1 4kb sector = default T55XX keys dictionary // 0x3D000 - 1 4kb sector = default T55XX keys dictionary
// 0x3B000 - 1 4kb sector = default ICLASS keys dictionary // 0x3B000 - 1 4kb sector = default ICLASS keys dictionary
// 0x39000 - 2 4kb sectors = default MFC keys dictionary // 0x38000 - 3 4kb sectors = default MFC keys dictionary
// //
#ifndef FLASH_MEM_BLOCK_SIZE #ifndef FLASH_MEM_BLOCK_SIZE
# define FLASH_MEM_BLOCK_SIZE 256 # define FLASH_MEM_BLOCK_SIZE 256
@ -65,17 +65,23 @@
// Reserved space for T55XX PWD = 4 kb // Reserved space for T55XX PWD = 4 kb
#ifndef DEFAULT_T55XX_KEYS_OFFSET #ifndef DEFAULT_T55XX_KEYS_OFFSET
# define DEFAULT_T55XX_KEYS_OFFSET (FLASH_MEM_MAX_4K_SECTOR - 0x3000) # define DEFAULT_T55XX_KEYS_LEN (0x1000)
# define DEFAULT_T55XX_KEYS_OFFSET (T55XX_CONFIG_OFFSET - DEFAULT_T55XX_KEYS_LEN)
# define DEFAULT_T55XX_KEYS_MAX ((DEFAULT_T55XX_KEYS_LEN - 2) / 4)
#endif #endif
// Reserved space for iClass keys = 4 kb // Reserved space for iClass keys = 4 kb
#ifndef DEFAULT_ICLASS_KEYS_OFFSET #ifndef DEFAULT_ICLASS_KEYS_OFFSET
# define DEFAULT_ICLASS_KEYS_OFFSET (FLASH_MEM_MAX_4K_SECTOR - 0x4000) # define DEFAULT_ICLASS_KEYS_LEN (0x1000)
# define DEFAULT_ICLASS_KEYS_OFFSET (DEFAULT_T55XX_KEYS_OFFSET - DEFAULT_ICLASS_KEYS_LEN)
# define DEFAULT_ICLASS_KEYS_MAX ((DEFAULT_ICLASS_KEYS_LEN - 2) / 8)
#endif #endif
// Reserved space for MIFARE Keys = 8 kb // Reserved space for MIFARE Keys = 12 kb
#ifndef DEFAULT_MF_KEYS_OFFSET #ifndef DEFAULT_MF_KEYS_OFFSET
# define DEFAULT_MF_KEYS_OFFSET (FLASH_MEM_MAX_4K_SECTOR - 0x6000) # define DEFAULT_MF_KEYS_LEN (0x3000)
# define DEFAULT_MF_KEYS_OFFSET (DEFAULT_ICLASS_KEYS_OFFSET - DEFAULT_MF_KEYS_LEN)
# define DEFAULT_MF_KEYS_MAX ((DEFAULT_MF_KEYS_LEN - 2) / 6)
#endif #endif
// RDV40, validation structure to help identifying that client/firmware is talking with RDV40 // RDV40, validation structure to help identifying that client/firmware is talking with RDV40