github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-20 13:23:51 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

change data available check in hf mf sim on device side.

Browse source
This commit is contained in:
iceman1001 2024-09-14 18:37:56 +02:00
commit 34e00146c6
8 changed files with 131 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

1
armsrc/dbprint.c
View file

@ -16,7 +16,6 @@
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
#include "dbprint.h" #include "dbprint.h"
#include "string.h" #include "string.h"
#include "cmd.h" #include "cmd.h"
#include "printf.h" #include "printf.h"

51
armsrc/desfire_crypto.c
View file

@ -31,7 +31,7 @@
#include "crc32.h" #include "crc32.h"
#include "crc.h" #include "crc.h"
#include "crc16.h" // crc16 ccitt #include "crc16.h" // crc16 ccitt
#include "printf.h" #include "nprintf.h"
#include "iso14443a.h" #include "iso14443a.h"
#include "dbprint.h" #include "dbprint.h"
#include "BigBuf.h" #include "BigBuf.h"
@ -65,25 +65,32 @@ void des_decrypt(void *out, const void *in, const void *key) {
mbedtls_des_crypt_ecb(&ctx, in, out); mbedtls_des_crypt_ecb(&ctx, in, out);
} }
void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) { void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode) {
if (length % 8) return;
if (keymode == 2) // must be even blocks of 8 bytes.
mbedtls_des3_set2key_dec(&ctx3, key); if (length % 8) {
else return;
mbedtls_des3_set3key_dec(&ctx3, key); }
if (keymode == 2) {
mbedtls_des3_set2key_dec(&ctx3, key);
} else {
mbedtls_des3_set3key_dec(&ctx3, key);
}
uint8_t i;
unsigned char temp[8]; unsigned char temp[8];
uint8_t *tin = (uint8_t *) in; uint8_t *tin = (uint8_t *) in;
uint8_t *tout = (uint8_t *) out; uint8_t *tout = (uint8_t *) out;
while (length > 0) { while (length > 0) {
memcpy(temp, tin, 8); memcpy(temp, tin, 8);
mbedtls_des3_crypt_ecb(&ctx3, tin, tout); mbedtls_des3_crypt_ecb(&ctx3, tin, tout);
for (i = 0; i < 8; i++) for (uint8_t i = 0; i < 8; i++) {
tout[i] = (unsigned char)(tout[i] ^ iv[i]); tout[i] ^= iv[i];
}
memcpy(iv, temp, 8); memcpy(iv, temp, 8);
@ -93,20 +100,26 @@ void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key,
} }
} }
void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode) { void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode) {
if (length % 8) return;
if (keymode == 2) // must be even blocks of 8 bytes.
mbedtls_des3_set2key_enc(&ctx3, key); if (length % 8) {
else return;
mbedtls_des3_set3key_enc(&ctx3, key); }
if (keymode == 2) {
mbedtls_des3_set2key_enc(&ctx3, key);
} else {
mbedtls_des3_set3key_enc(&ctx3, key);
}
uint8_t i;
uint8_t *tin = (uint8_t *) in; uint8_t *tin = (uint8_t *) in;
uint8_t *tout = (uint8_t *) out; uint8_t *tout = (uint8_t *) out;
while (length > 0) { while (length > 0) {
for (i = 0; i < 8; i++) {
tin[i] = (unsigned char)(tin[i] ^ iv[i]); for (uint8_t i = 0; i < 8; i++) {
tin[i] ^= iv[i];
} }
mbedtls_des3_crypt_ecb(&ctx3, tin, tout); mbedtls_des3_crypt_ecb(&ctx3, tin, tout);

4
armsrc/desfire_crypto.h
View file

@ -177,8 +177,8 @@ struct desfire_tag {
typedef struct desfire_tag *desfiretag_t; typedef struct desfire_tag *desfiretag_t;
void des_encrypt(void *out, const void *in, const void *key); void des_encrypt(void *out, const void *in, const void *key);
void des_decrypt(void *out, const void *in, const void *key); void des_decrypt(void *out, const void *in, const void *key);
void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode); void tdes_nxp_receive(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode);
void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[8], int keymode); void tdes_nxp_send(const void *in, void *out, size_t length, const void *key, uint8_t *iv, int keymode);
void aes128_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]); void aes128_nxp_receive(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]);
void aes128_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]); void aes128_nxp_send(const void *in, void *out, size_t length, const void *key, unsigned char iv[16]);

4
armsrc/em4x50.c
View file

@ -129,9 +129,9 @@ static bool extract_parities(uint64_t word, uint32_t *data) {
} }
} }
if ((row_parities == row_parities_calculated) && (col_parities == col_parities_calculated)) if ((row_parities == row_parities_calculated) && (col_parities == col_parities_calculated)) {
return true; return true;
}
return false; return false;
} }

115
armsrc/iso14443a.c
View file

@ -340,17 +340,20 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0; else if ((Uart.fourBits & (ISO14443A_STARTBIT_MASK >> 7)) == ISO14443A_STARTBIT_PATTERN >> 7) Uart.syncBit = 0;
if (Uart.syncBit != 9999) { // found a sync bit if (Uart.syncBit != 9999) { // found a sync bit
Uart.startTime = non_real_time ? non_real_time : (GetCountSspClk() & 0xfffffff8); Uart.startTime = (non_real_time) ? non_real_time : (GetCountSspClk() & 0xfffffff8);
Uart.startTime -= Uart.syncBit; Uart.startTime -= Uart.syncBit;
Uart.endTime = Uart.startTime; Uart.endTime = Uart.startTime;
Uart.state = STATE_14A_START_OF_COMMUNICATION; Uart.state = STATE_14A_START_OF_COMMUNICATION;
} }
} else { } else {
if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) { if (IsMillerModulationNibble1(Uart.fourBits >> Uart.syncBit)) {
if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation in both halves - error
Uart14aReset(); Uart14aReset();
} else { // Modulation in first half = Sequence Z = logic "0" } else { // Modulation in first half = Sequence Z = logic "0"
if (Uart.state == STATE_14A_MILLER_X) { // error - must not follow after X if (Uart.state == STATE_14A_MILLER_X) { // error - must not follow after X
Uart14aReset(); Uart14aReset();
} else { } else {
@ -358,6 +361,7 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg
Uart.state = STATE_14A_MILLER_Z; Uart.state = STATE_14A_MILLER_Z;
Uart.endTime = Uart.startTime + 8 * (9 * Uart.len + Uart.bitCount + 1) - 6; Uart.endTime = Uart.startTime + 8 * (9 * Uart.len + Uart.bitCount + 1) - 6;
if (Uart.bitCount >= 9) { // if we decoded a full byte (including parity) if (Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
Uart.parityBits <<= 1; // make room for the parity bit Uart.parityBits <<= 1; // make room for the parity bit
@ -372,27 +376,36 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
} }
} }
} else { } else {
if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1" if (IsMillerModulationNibble2(Uart.fourBits >> Uart.syncBit)) { // Modulation second half = Sequence X = logic "1"
Uart.bitCount++; Uart.bitCount++;
Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg Uart.shiftReg = (Uart.shiftReg >> 1) | 0x100; // add a 1 to the shiftreg
Uart.state = STATE_14A_MILLER_X; Uart.state = STATE_14A_MILLER_X;
Uart.endTime = Uart.startTime + 8 * (9 * Uart.len + Uart.bitCount + 1) - 2; Uart.endTime = Uart.startTime + 8 * (9 * Uart.len + Uart.bitCount + 1) - 2;
if (Uart.bitCount >= 9) { // if we decoded a full byte (including parity) if (Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
Uart.parityBits <<= 1; // make room for the new parity bit Uart.parityBits <<= 1; // make room for the new parity bit
Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
Uart.bitCount = 0; Uart.bitCount = 0;
Uart.shiftReg = 0; Uart.shiftReg = 0;
if ((Uart.len & 0x0007) == 0) { // every 8 data bytes if ((Uart.len & 0x0007) == 0) { // every 8 data bytes
Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
Uart.parityBits = 0; Uart.parityBits = 0;
} }
} }
} else { // no modulation in both halves - Sequence Y } else { // no modulation in both halves - Sequence Y
if (Uart.state == STATE_14A_MILLER_Z || Uart.state == STATE_14A_MILLER_Y) { // Y after logic "0" - End of Communication if (Uart.state == STATE_14A_MILLER_Z || Uart.state == STATE_14A_MILLER_Y) { // Y after logic "0" - End of Communication
Uart.state = STATE_14A_UNSYNCD; Uart.state = STATE_14A_UNSYNCD;
Uart.bitCount--; // last "0" was part of EOC sequence Uart.bitCount--; // last "0" was part of EOC sequence
Uart.shiftReg <<= 1; // drop it Uart.shiftReg <<= 1; // drop it
if (Uart.bitCount > 0) { // if we decoded some bits if (Uart.bitCount > 0) { // if we decoded some bits
Uart.shiftReg >>= (9 - Uart.bitCount); // right align them Uart.shiftReg >>= (9 - Uart.bitCount); // right align them
Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); // add last byte to the output
@ -400,10 +413,13 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
Uart.parityBits <<= (8 - (Uart.len & 0x0007)); // left align parity bits Uart.parityBits <<= (8 - (Uart.len & 0x0007)); // left align parity bits
Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store it
return true; return true;
} else if (Uart.len & 0x0007) { // there are some parity bits to store }
if (Uart.len & 0x0007) { // there are some parity bits to store
Uart.parityBits <<= (8 - (Uart.len & 0x0007)); // left align remaining parity bits Uart.parityBits <<= (8 - (Uart.len & 0x0007)); // left align remaining parity bits
Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them Uart.parity[Uart.parityLen++] = Uart.parityBits; // and store them
} }
if (Uart.len) { if (Uart.len) {
return true; // we are finished with decoding the raw data sequence return true; // we are finished with decoding the raw data sequence
} else { } else {
@ -411,18 +427,24 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time) {
return false; return false;
} }
} }
if (Uart.state == STATE_14A_START_OF_COMMUNICATION) { // error - must not follow directly after SOC if (Uart.state == STATE_14A_START_OF_COMMUNICATION) { // error - must not follow directly after SOC
Uart14aReset(); Uart14aReset();
} else { // a logic "0" } else { // a logic "0"
Uart.bitCount++; Uart.bitCount++;
Uart.shiftReg = (Uart.shiftReg >> 1); // add a 0 to the shiftreg Uart.shiftReg >>= 1; // add a 0 to the shiftreg
Uart.state = STATE_14A_MILLER_Y; Uart.state = STATE_14A_MILLER_Y;
if (Uart.bitCount >= 9) { // if we decoded a full byte (including parity) if (Uart.bitCount >= 9) { // if we decoded a full byte (including parity)
Uart.output[Uart.len++] = (Uart.shiftReg & 0xff); Uart.output[Uart.len++] = (Uart.shiftReg & 0xff);
Uart.parityBits <<= 1; // make room for the parity bit Uart.parityBits <<= 1; // make room for the parity bit
Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit Uart.parityBits |= ((Uart.shiftReg >> 8) & 0x01); // store parity bit
Uart.bitCount = 0; Uart.bitCount = 0;
Uart.shiftReg = 0; Uart.shiftReg = 0;
// Every 8 data bytes, store 8 parity bits into a parity byte
if ((Uart.len & 0x0007) == 0) { // every 8 data bytes if ((Uart.len & 0x0007) == 0) { // every 8 data bytes
Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits Uart.parity[Uart.parityLen++] = Uart.parityBits; // store 8 parity bits
Uart.parityBits = 0; Uart.parityBits = 0;
@ -467,17 +489,18 @@ tDemod14a *GetDemod14a(void) {
} }
void Demod14aReset(void) { void Demod14aReset(void) {
Demod.state = DEMOD_14A_UNSYNCD; Demod.state = DEMOD_14A_UNSYNCD;
Demod.len = 0; // number of decoded data bytes
Demod.parityLen = 0;
Demod.shiftReg = 0; // shiftreg to hold decoded data bits
Demod.parityBits = 0; //
Demod.collisionPos = 0; // Position of collision bit
Demod.twoBits = 0xFFFF; // buffer for 2 Bits Demod.twoBits = 0xFFFF; // buffer for 2 Bits
Demod.highCnt = 0; Demod.highCnt = 0;
Demod.bitCount = 0;
Demod.collisionPos = 0; // Position of collision bit
Demod.syncBit = 0xFFFF;
Demod.parityBits = 0;
Demod.parityLen = 0;
Demod.shiftReg = 0; // shiftreg to hold decoded data bits
Demod.samples = 0;
Demod.len = 0; // number of decoded data bytes
Demod.startTime = 0; Demod.startTime = 0;
Demod.endTime = 0; Demod.endTime = 0;
Demod.bitCount = 0;
Demod.syncBit = 0xFFFF;
Demod.samples = 0; Demod.samples = 0;
} }
@ -735,10 +758,11 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
register int readBufDataP = data - dma->buf; register int readBufDataP = data - dma->buf;
register int dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR; register int dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
if (readBufDataP <= dmaBufDataP) if (readBufDataP <= dmaBufDataP) {
dataLen = dmaBufDataP - readBufDataP; dataLen = dmaBufDataP - readBufDataP;
else } else {
dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP; dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP;
}
// test for length of buffer // test for length of buffer
if (dataLen > maxDataLen) { if (dataLen > maxDataLen) {
@ -748,7 +772,9 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
break; break;
} }
} }
if (dataLen < 1) continue; if (dataLen < 1) {
continue;
}
// primary buffer was stopped( <-- we lost data! // primary buffer was stopped( <-- we lost data!
if (!AT91C_BASE_PDC_SSC->PDC_RCR) { if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
@ -767,26 +793,32 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
// Need two samples to feed Miller and Manchester-Decoder // Need two samples to feed Miller and Manchester-Decoder
if (rx_samples & 0x01) { if (rx_samples & 0x01) {
if (TagIsActive == false) { // no need to try decoding reader data if the tag is sending // no need to try decoding reader data if the tag is sending
if (TagIsActive == false) {
uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4); uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
if (MillerDecoding(readerdata, (rx_samples - 1) * 4)) { if (MillerDecoding(readerdata, (rx_samples - 1) * 4)) {
LED_C_ON(); LED_C_ON();
// check - if there is a short 7bit request from reader // check - if there is a short 7bit request from reader
if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) triggered = true; if ((!triggered) && (param & 0x02) && (Uart.len == 1) && (Uart.bitCount == 7)) {
triggered = true;
if (triggered) {
if (!LogTrace(receivedCmd, if (!LogTrace(receivedCmd,
Uart.len, Uart.len,
Uart.startTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER, Uart.startTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
Uart.endTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER, Uart.endTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER,
Uart.parity, Uart.parity,
true)) break; true)) {
break;
} }
/* ready to receive another command. */ }
// ready to receive another command
Uart14aReset(); Uart14aReset();
/* reset the demod code, which might have been */ // reset the demod code, which might have been
/* false-triggered by the commands from the reader. */ // false-triggered by the commands from the reader
Demod14aReset(); Demod14aReset();
LED_B_OFF(); LED_B_OFF();
} }
@ -795,8 +827,11 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
// no need to try decoding tag data if the reader is sending - and we cannot afford the time // no need to try decoding tag data if the reader is sending - and we cannot afford the time
if (ReaderIsActive == false) { if (ReaderIsActive == false) {
uint8_t tagdata = (previous_data << 4) | (*data & 0x0F); uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
if (ManchesterDecoding(tagdata, 0, (rx_samples - 1) * 4)) { if (ManchesterDecoding(tagdata, 0, (rx_samples - 1) * 4)) {
LED_B_ON(); LED_B_ON();
if (!LogTrace(receivedResp, if (!LogTrace(receivedResp,
@ -806,7 +841,9 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
Demod.parity, Demod.parity,
false)) break; false)) break;
if ((!triggered) && (param & 0x01)) triggered = true; if ((!triggered) && (param & 0x01)) {
triggered = true;
}
// ready to receive another response. // ready to receive another response.
Demod14aReset(); Demod14aReset();
@ -971,16 +1008,18 @@ bool GetIso14443aCommandFromReader(uint8_t *received, uint16_t received_maxlen,
// ever 3 * 4000, check if we got any data from client // ever 3 * 4000, check if we got any data from client
// takes long time, usually messes with simualtion // takes long time, usually messes with simualtion
if (flip == 3) { if (flip == 3) {
if (data_available()) if (data_available()) {
return false; return false;
}
flip = 0; flip = 0;
} }
// button press, takes a bit time, might mess with simualtion // button press, takes a bit time, might mess with simualtion
if (checker-- == 0) { if (checker-- == 0) {
if (BUTTON_PRESS()) if (BUTTON_PRESS()) {
return false; return false;
}
flip++; flip++;
checker = 4000; checker = 4000;
@ -1266,6 +1305,7 @@ bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_r
AddCrc14A(rSAKc2, sizeof(rSAKc2) - 2); AddCrc14A(rSAKc2, sizeof(rSAKc2) - 2);
*cuid = bytes_to_num(data + 3, 4); *cuid = bytes_to_num(data + 3, 4);
} else if ((flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) { } else if ((flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
rUIDc1[0] = MIFARE_SELECT_CT; // Cascade Tag marker rUIDc1[0] = MIFARE_SELECT_CT; // Cascade Tag marker
@ -2114,19 +2154,32 @@ int EmGetCmd(uint8_t *received, uint16_t received_max_len, uint16_t *len, uint8_
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
(void)b; (void)b;
uint16_t check = 0; uint8_t flip = 0;
uint16_t checker = 4000;
for (;;) { for (;;) {
WDT_HIT(); WDT_HIT();
if (check == 1000) { // ever 3 * 4000, check if we got any data from client
if (BUTTON_PRESS() || data_available()) { // takes long time, usually messes with simualtion
Dbprintf("----------- " _GREEN_("BREAKING") " ----------"); if (flip == 3) {
return 1; if (data_available()) {
Dbprintf("----------- " _GREEN_("Breaking / Data") " ----------");
return false;
} }
check = 0; flip = 0;
} }
++check;
// button press, takes a bit time, might mess with simualtion
if (checker-- == 0) {
if (BUTTON_PRESS()) {
Dbprintf("----------- " _GREEN_("Breaking / User aborted") " ----------");
return false;
}
flip++;
checker = 4000;
}
// test if the field exists // test if the field exists
if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) { if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {

16
client/src/cmdhfict.c
View file

@ -120,12 +120,16 @@ static int derive_app_key(uint8_t *uid, uint8_t *app_key) {
} }
// Might miss payload.. // Might miss payload..
static int diversify_mifare_key(const uint8_t *uid, uint8_t *app_key) { static int diversify_mifare_key(const uint8_t *uid, uint8_t *app_key, uint8_t app_keylen) {
if (uid == NULL || app_key == NULL) { if (uid == NULL || app_key == NULL) {
return PM3_EINVARG; return PM3_EINVARG;
} }
uint8_t input[8]; if (app_keylen > AES_KEY_LEN) {
return PM3_EINVARG;
}
uint8_t input[AES_KEY_LEN];
memcpy(input, uid, 4); memcpy(input, uid, 4);
uint32_t big = bytes_to_num(uid, 4); uint32_t big = bytes_to_num(uid, 4);
@ -143,12 +147,12 @@ static int diversify_mifare_key(const uint8_t *uid, uint8_t *app_key) {
return PM3_ESOFT; return PM3_ESOFT;
} }
uint8_t output[8]; uint8_t output[AES_KEY_LEN];
if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, sizeof(input), iv, input, output)) { if (mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, sizeof(input), iv, input, output)) {
return PM3_ESOFT; return PM3_ESOFT;
} }
mbedtls_aes_free(&aes); mbedtls_aes_free(&aes);
memcpy(app_key, output, MIFARE_KEY_SIZE); memcpy(app_key, output, app_keylen);
return PM3_SUCCESS; return PM3_SUCCESS;
} }
@ -161,7 +165,7 @@ static int decrypt_card_sector(uint8_t *uid, const uint8_t *sector_data, uint8_t
memcpy(input, sector_data, len); memcpy(input, sector_data, len);
uint8_t key[AES_KEY_LEN]; uint8_t key[AES_KEY_LEN];
diversify_mifare_key(uid, key); diversify_mifare_key(uid, key, sizeof(key));
uint8_t iv[16] = {0}; uint8_t iv[16] = {0};
mbedtls_aes_context aes; mbedtls_aes_context aes;
@ -186,7 +190,7 @@ static int derive_mifare_key(uint8_t *uid, const uint8_t *base_key, uint8_t *app
} }
uint8_t diverse[MIFARE_KEY_SIZE]; uint8_t diverse[MIFARE_KEY_SIZE];
diversify_mifare_key(uid, diverse); diversify_mifare_key(uid, diverse, sizeof(diverse));
for (uint8_t i = 0; i < MIFARE_KEY_SIZE; i++) { for (uint8_t i = 0; i < MIFARE_KEY_SIZE; i++) {
app_key[i] = base_key[i] ^ diverse[i]; app_key[i] = base_key[i] ^ diverse[i];

1
client/src/cmdhfmf.h
View file

@ -25,7 +25,6 @@
int CmdHFMF(const char *Cmd); int CmdHFMF(const char *Cmd);
int CmdHF14AMfELoad(const char *Cmd); // used by "hf mfu eload" int CmdHF14AMfELoad(const char *Cmd); // used by "hf mfu eload"
int CmdHF14AMfDbg(const char *Cmd); // used by "hf mfu dbg"
int CmdHFMFNDEFRead(const char *Cmd); // used by "nfc mf cread" int CmdHFMFNDEFRead(const char *Cmd); // used by "nfc mf cread"
int CmdHFMFNDEFFormat(const char *Cmd); // used by "nfc mf cformat" int CmdHFMFNDEFFormat(const char *Cmd); // used by "nfc mf cformat"
int CmdHFMFNDEFWrite(const char *Cmd); // used by "nfc mf cwrite" int CmdHFMFNDEFWrite(const char *Cmd); // used by "nfc mf cwrite"

2
client/src/cmdhfmfu.c
View file

@ -4129,7 +4129,7 @@ static int CmdHF14AMfUCSetUid(const char *Cmd) {
hf14a_config config; hf14a_config config;
SendCommandNG(CMD_HF_ISO14443A_GET_CONFIG, NULL, 0); SendCommandNG(CMD_HF_ISO14443A_GET_CONFIG, NULL, 0);
if (!WaitForResponseTimeout(CMD_HF_ISO14443A_GET_CONFIG, &resp, 2000)) { if (!WaitForResponseTimeout(CMD_HF_ISO14443A_GET_CONFIG, &resp, 2000)) {
PrintAndLogEx(WARNING, "command execution time out); PrintAndLogEx(WARNING, "command execution time out");
return PM3_ETIMEOUT; return PM3_ETIMEOUT;
} }
memcpy(&config, resp.data.asBytes, sizeof(hf14a_config)); memcpy(&config, resp.data.asBytes, sizeof(hf14a_config));