github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 05:43:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

hf iclass sim - now use cliparser

Browse source
This commit is contained in:
tcprst 2020-11-27 21:22:23 -05:00
commit 448a0546b1
No known key found for this signature in database
GPG key ID: 9145EAF5121AED25
4 changed files with 48 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

69
client/src/cmdhficlass.c
View file

@ -51,27 +51,6 @@ static uint8_t iClass_Key_Table[ICLASS_KEYS_MAX][8] = {
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
};
static int usage_hf_iclass_sim(void) {
PrintAndLogEx(NORMAL, "Simulate a iCLASS legacy/standard tag\n");
PrintAndLogEx(NORMAL, "Usage: hf iCLASS sim [h] <option> [CSN]\n");
PrintAndLogEx(NORMAL, "Options");
PrintAndLogEx(NORMAL, " h : Show this help");
PrintAndLogEx(NORMAL, " 0 <CSN> : simulate the given CSN");
PrintAndLogEx(NORMAL, " 1 : simulate default CSN");
PrintAndLogEx(NORMAL, " 2 : Reader-attack, gather reader responses to extract elite key");
PrintAndLogEx(NORMAL, " 3 : Full simulation using emulator memory (see 'hf iclass eload')");
PrintAndLogEx(NORMAL, " 4 : Reader-attack, adapted for KeyRoll mode, gather reader responses to extract elite key");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, _YELLOW_("\thf iclass sim 0 031FEC8AF7FF12E0"));
PrintAndLogEx(NORMAL, " -- execute loclass attack online part");
PrintAndLogEx(NORMAL, _YELLOW_("\thf iclass sim 2"));
PrintAndLogEx(NORMAL, " -- simulate full iCLASS 2k tag");
PrintAndLogEx(NORMAL, _YELLOW_("\thf iclass eload -f hf-iclass-AA162D30F8FF12F1-dump.bin"));
PrintAndLogEx(NORMAL, _YELLOW_("\thf iclass sim 3"));
PrintAndLogEx(NORMAL, "");
return PM3_SUCCESS;
}
static int cmp_uint32(const void *a, const void *b) {
const iclass_prekey_t *x = (const iclass_prekey_t *)a;
@ -379,24 +358,48 @@ static int CmdHFiClassSniff(const char *Cmd) {
}
static int CmdHFiClassSim(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf iclass sim",
"Simulate a iCLASS legacy/standard tag",
"hf iclass sim -t 0 --csn 031FEC8AF7FF12E0 -> simulate with specficied CSN\n"
"hf iclass sim -t 1 -> simulate with default CSN\n"
"hf iclass sim -t 2 -> execute loclass attack online part\n"
"hf iclass eload -f hf-iclass-AA162D30F8FF12F1-dump.bin -> simulate full iCLASS 2k tag\n"
"hf iclass sim -t 3 -> simulate full iCLASS 2k tag\n"
"hf iclass sim -t 4 -> Reader-attack, adapted for KeyRoll mode, gather reader responses to extract elite key");
char cmdp = tolower(param_getchar(Cmd, 0));
if (strlen(Cmd) < 1 || cmdp == 'h') return usage_hf_iclass_sim();
void *argtable[] = {
arg_param_begin,
arg_int1("t", "type", NULL, "Simulation type to use"),
arg_str0(NULL, "csn", "<hex>", "Specify CSN as 8 bytes (16 hex symbols) to use with sim type 0"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
uint8_t CSN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
uint8_t sim_type = param_get8ex(Cmd, 0, 0, 10);
int sim_type = arg_get_int(ctx, 1);
if (sim_type == 0) {
if (param_gethex(Cmd, 1, CSN, 16)) {
PrintAndLogEx(ERR, "A CSN should consist of 16 HEX symbols");
return usage_hf_iclass_sim();
int csn_len = 0;
uint8_t csn[8] = {0};
CLIGetHexWithReturn(ctx, 2, csn, &csn_len);
if (sim_type == 0 && csn_len > 0) {
if (csn_len != 8) {
PrintAndLogEx(ERR, "CSN is incorrect length");
CLIParserFree(ctx);
return PM3_EINVARG;
}
PrintAndLogEx(INFO, " simtype: %02x CSN: %s", sim_type, sprint_hex(CSN, 8));
PrintAndLogEx(INFO, " simtype: %02x CSN: %s", sim_type, sprint_hex(csn, 8));
} else if (sim_type == 0 && csn_len == 0) {
PrintAndLogEx(ERR, "Simtype 0 requires CSN argument (--csn)");
CLIParserFree(ctx);
return PM3_EINVARG;
}
CLIParserFree(ctx);
if (sim_type > 4) {
PrintAndLogEx(ERR, "Undefined simtype %d", sim_type);
return usage_hf_iclass_sim();
return PM3_EINVARG;
}
// remember to change the define NUM_CSNS to match.
@ -550,10 +553,10 @@ static int CmdHFiClassSim(const char *Cmd) {
case ICLASS_SIM_MODE_FULL:
default: {
PrintAndLogEx(INFO, "Starting iCLASS simulation");
PrintAndLogEx(INFO, "press " _YELLOW_("`enter`") " to cancel");
PrintAndLogEx(INFO, "press " _YELLOW_("`button`") " to cancel");
uint8_t numberOfCSNs = 0;
clearCommandBuffer();
SendCommandMIX(CMD_HF_ICLASS_SIMULATE, sim_type, numberOfCSNs, 1, CSN, 8);
SendCommandMIX(CMD_HF_ICLASS_SIMULATE, sim_type, numberOfCSNs, 1, csn, 8);
if (sim_type == ICLASS_SIM_MODE_FULL)
PrintAndLogEx(HINT, "Try `" _YELLOW_("hf iclass esave -h") "` to save the emulator memory to file");

2
client/src/loclass/elite_crack.c
View file

@ -515,7 +515,7 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]) {
PrintAndLogEx(SUCCESS, "time: %" PRIu64 " seconds", t1 / 1000);
if (res != PM3_SUCCESS) {
PrintAndLogEx(ERR, "loclass exiting. Try run " _YELLOW_("`hf iclass sim 2`") " again and collect new data");
PrintAndLogEx(ERR, "loclass exiting. Try run " _YELLOW_("`hf iclass sim -t 2`") " again and collect new data");
return PM3_ESOFT;
}

15
doc/cheatsheet.md
View file

@ -168,20 +168,23 @@ Simulate iCLASS
```
Options
---
0 <CSN> simulate the given CSN
-t, --type <int> Simulation type to use
--csn <hex> Specify CSN as 8 bytes (16 hex symbols) to use with sim type 0
Types:
0 simulate the given CSN
1 simulate default CSN
2 Runs online part of LOCLASS attack
3 Full simulation using emulator memory (see 'hf iclass eload')
4 Runs online part of LOCLASS attack against reader in keyroll mode
pm3 --> hf iclass sim 3
pm3 --> hf iclass sim -t 3
```
Simulate iCLASS Sequence
```
pm3 --> hf iclass dump --ki 0
pm3 --> hf iclass eload -f hf-iclass-db883702f8ff12e0.bin
pm3 --> hf iclass sim 3
pm3 --> hf iclass sim -t 3
```
Extract custom iCLASS key (loclass attack)
@ -190,11 +193,11 @@ Options
---
f <filename> : specify a filename to clone from
k <key> : Access Key as 16 hex symbols or 1 hex to select key from memory
e : If 'e' is specified, elite computations applied to key
--elite : Elite computations applied to key
pm3 --> hf iclass sim 2
pm3 --> hf iclass sim -t 2
pm3 --> hf iclass loclass -f iclass_mac_attack.bin
pm3 --> hf iclass managekeys n 7 k <Kcus>
pm3 --> hf iclass managekeys --ki 7 -k <Kcus>
pm3 --> hf iclass dump --ki 7 --elite
```

4
doc/loclass_notes.md
View file

@ -4,7 +4,7 @@ This document is primarily intended for understanding `hf iclass loclass` and fi
LOCLASS aim is to recover the used masterkey for that specific reader configured in Elite mode / High Security mode.
LOCLASS, is a two part attack. First is the online part where you gather needed information from the reader by presenting a carefully selected CSN and save the responses to file. For the first part you run `hf iclass sim 2` and take notice of the saved filename.
LOCLASS, is a two part attack. First is the online part where you gather needed information from the reader by presenting a carefully selected CSN and save the responses to file. For the first part you run `hf iclass sim -t 2` and take notice of the saved filename.
The second part is offline, where the information gathered from the first step is used in a series of DES operations to figure out the used
masterkey.
@ -21,6 +21,6 @@ run `hf iclass loclass --test`.
This test mode uses two files.
- `iclass_dump.bin`
this is a sample file from `hf iclass sim 2`, with complete keytable recovery, using 128 carefully selected CSN and the file contains the MAC results from reader.
this is a sample file from `hf iclass sim -t 2`, with complete keytable recovery, using 128 carefully selected CSN and the file contains the MAC results from reader.
- `iclass_key.bin`
this is file shall contain the legacy masterkey, AA1 key. loclass uses it to verify that permutation / reversing / generation of key is correct.