github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-14 18:48:13 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

remove spurious spaces & tabs at end of lines

Browse source
This commit is contained in:
Philippe Teuwen 2019-03-09 08:59:13 +01:00
commit 60f292b18e
249 changed files with 8481 additions and 8481 deletions
Download patch file Download diff file Expand all files Collapse all files

48
client/mifare/mad.c
View file

@ -15,7 +15,7 @@
// https://www.nxp.com/docs/en/application-note/AN10787.pdf
static madAIDDescr madKnownAIDs[] = {
{0x0000, "free"},
{0x0000, "free"},
{0x0001, "defect, e.g. access keys are destroyed or unknown"},
{0x0002, "reserved"},
{0x0003, "contains additional directory info"},
@ -103,7 +103,7 @@ static const char *GetAIDDescription(uint16_t AID) {
for(int i = 0; i < ARRAYLEN(madKnownClusterCodes); i++)
if (madKnownClusterCodes[i].AID == (AID >> 8)) // high byte - cluster code
return madKnownClusterCodes[i].Description;
return unknownAID;
}
@ -121,33 +121,33 @@ int madCRCCheck(uint8_t *sector, bool verbose, int MADver) {
return 3;
};
}
return 0;
}
uint16_t madGetAID(uint8_t *sector, int MADver, int sectorNo) {
if (MADver == 1)
return (sector[16 + 2 + (sectorNo - 1) * 2] << 8) + (sector[16 + 2 + (sectorNo - 1) * 2 + 1]);
return (sector[16 + 2 + (sectorNo - 1) * 2] << 8) + (sector[16 + 2 + (sectorNo - 1) * 2 + 1]);
else
return (sector[2 + (sectorNo - 1) * 2] << 8) + (sector[2 + (sectorNo - 1) * 2 + 1]);
return (sector[2 + (sectorNo - 1) * 2] << 8) + (sector[2 + (sectorNo - 1) * 2 + 1]);
}
int MADCheck(uint8_t *sector0, uint8_t *sector10, bool verbose, bool *haveMAD2) {
int res = 0;
if (!sector0)
return 1;
uint8_t GPB = sector0[3 * 16 + 9];
if (verbose)
PrintAndLogEx(NORMAL, "GPB: 0x%02x", GPB);
// DA (MAD available)
if (!(GPB & 0x80)) {
PrintAndLogEx(ERR, "DA=0! MAD not available.");
return 1;
}
// MA (multi-application card)
if (verbose) {
if (GPB & 0x40)
@ -155,34 +155,34 @@ int MADCheck(uint8_t *sector0, uint8_t *sector10, bool verbose, bool *haveMAD2)
else
PrintAndLogEx(NORMAL, "Single application card.");
}
uint8_t MADVer = GPB & 0x03;
if (verbose)
PrintAndLogEx(NORMAL, "MAD version: %d", MADVer);
// MAD version
if ((MADVer != 0x01) && (MADVer != 0x02)) {
PrintAndLogEx(ERR, "Wrong MAD version: 0x%02x", MADVer);
return 2;
};
if (haveMAD2)
*haveMAD2 = (MADVer == 2);
res = madCRCCheck(sector0, true, 1);
if (verbose && !res)
PrintAndLogEx(NORMAL, "CRC8-MAD1 OK.");
if (MADVer == 2 && sector10) {
int res2 = madCRCCheck(sector10, true, 2);
if (!res)
res = res2;
res = res2;
if (verbose & !res2)
PrintAndLogEx(NORMAL, "CRC8-MAD2 OK.");
}
return res;
}
@ -190,12 +190,12 @@ int MADDecode(uint8_t *sector0, uint8_t *sector10, uint16_t *mad, size_t *madlen
*madlen = 0;
bool haveMAD2 = false;
MADCheck(sector0, sector10, false, &haveMAD2);
for (int i = 1; i < 16; i++) {
mad[*madlen] = madGetAID(sector0, 1, i);
(*madlen)++;
}
if (haveMAD2) {
// mad2 sector (0x10 == 16dec) here
mad[*madlen] = 0x0005;
@ -206,7 +206,7 @@ int MADDecode(uint8_t *sector0, uint8_t *sector10, uint16_t *mad, size_t *madlen
(*madlen)++;
}
}
return 0;
}
@ -215,7 +215,7 @@ int MAD1DecodeAndPrint(uint8_t *sector, bool verbose, bool *haveMAD2) {
// check MAD1 only
MADCheck(sector, NULL, verbose, haveMAD2);
// info byte
uint8_t InfoByte = sector[16 + 1] & 0x3f;
if (InfoByte) {
@ -226,13 +226,13 @@ int MAD1DecodeAndPrint(uint8_t *sector, bool verbose, bool *haveMAD2) {
}
if (InfoByte == 0x10 || InfoByte >= 0x28)
PrintAndLogEx(WARNING, "Info byte error");
PrintAndLogEx(NORMAL, "00 MAD1");
for(int i = 1; i < 16; i++) {
uint16_t AID = madGetAID(sector, 1, i);
PrintAndLogEx(NORMAL, "%02d [%04X] %s", i, AID, GetAIDDescription(AID));
};
return 0;
};
@ -250,7 +250,7 @@ int MAD2DecodeAndPrint(uint8_t *sector, bool verbose) {
for(int i = 1; i < 8 + 8 + 7 + 1; i++) {
uint16_t AID = madGetAID(sector, 2, i);
PrintAndLogEx(NORMAL, "%02d [%04X] %s", i + 16, AID, GetAIDDescription(AID));
};
};
return 0;
};

2
client/mifare/mad.h
View file

@ -18,7 +18,7 @@
typedef struct {
uint16_t AID;
const char *Description;
} madAIDDescr;
} madAIDDescr;
extern int MADCheck(uint8_t *sector0, uint8_t *sector10, bool verbose, bool *haveMAD2);
extern int MADDecode(uint8_t *sector0, uint8_t *sector10, uint16_t *mad, size_t *madlen);

14
client/mifare/mfkey.c
View file

@ -22,7 +22,7 @@ int compare_uint64(const void *a, const void *b) {
uint32_t intersection(uint64_t *listA, uint64_t *listB) {
if (listA == NULL || listB == NULL)
return 0;
uint64_t *p1, *p2, *p3;
p1 = p3 = listA;
p2 = listB;
@ -56,7 +56,7 @@ uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint32_t ar, uint64_t
for ( pos = 0; pos < 8; pos++ ) {
ks3x[7-pos] = (ks_info >> (pos*8)) & 0x0F;
bt = (par_info >> (pos*8)) & 0xFF;
par[7-pos][0] = (bt >> 0) & 1;
par[7-pos][1] = (bt >> 1) & 1;
par[7-pos][2] = (bt >> 2) & 1;
@ -128,15 +128,15 @@ bool mfkey32_moebius(nonces_t data, uint64_t *outputkey) {
int counter = 0;
uint32_t p640 = prng_successor(data.nonce, 64);
uint32_t p641 = prng_successor(data.nonce2, 64);
s = lfsr_recovery32(data.ar ^ p640, 0);
for(t = s; t->odd | t->even; ++t) {
lfsr_rollback_word(t, 0, 0);
lfsr_rollback_word(t, data.nr, 1);
lfsr_rollback_word(t, data.cuid ^ data.nonce, 0);
crypto1_get_lfsr(t, &key);
crypto1_word(t, data.cuid ^ data.nonce2, 0);
crypto1_word(t, data.nr2, 1);
if (data.ar2 == (crypto1_word(t, 0, 0) ^ p641)) {
@ -157,7 +157,7 @@ int mfkey64(nonces_t data, uint64_t *outputkey){
uint32_t ks2; // keystream used to encrypt reader response
uint32_t ks3; // keystream used to encrypt tag response
struct Crypto1State *revstate;
// Extract the keystream from the messages
ks2 = data.ar ^ prng_successor(data.nonce, 64);
ks3 = data.at ^ prng_successor(data.nonce, 96);
@ -168,6 +168,6 @@ int mfkey64(nonces_t data, uint64_t *outputkey){
lfsr_rollback_word(revstate, data.cuid ^ data.nonce, 0);
crypto1_get_lfsr(revstate, &key);
crypto1_destroy(revstate);
*outputkey = key;
*outputkey = key;
return 0;
}

104
client/mifare/mifare4.c
View file

@ -46,7 +46,7 @@ const char * mfpGetErrorDescription(uint8_t errorCode) {
for(int i = 0; i < PlusErrorsLen; i++)
if (errorCode == PlusErrors[i].Code)
return PlusErrors[i].Description;
return PlusErrors[0].Description;
}
@ -74,11 +74,11 @@ AccessConditions_t MFAccessConditionsTrailer[] = {
char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data) {
static char StaticNone[] = "none";
uint8_t data1 = ((data[1] >> 4) & 0x0f) >> blockn;
uint8_t data2 = ((data[2]) & 0x0f) >> blockn;
uint8_t data3 = ((data[2] >> 4) & 0x0f) >> blockn;
uint8_t cond = (data1 & 0x01) << 2 | (data2 & 0x01) << 1 | (data3 & 0x01);
if (blockn == 3) {
@ -92,7 +92,7 @@ char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data) {
return MFAccessConditions[i].description;
}
};
return StaticNone;
};
@ -124,9 +124,9 @@ int CalculateEncIVResponse(mf4Session *session, uint8_t *iv, bool verbose) {
int CalculateMAC(mf4Session *session, MACType_t mtype, uint8_t blockNum, uint8_t blockCount, uint8_t *data, int datalen, uint8_t *mac, bool verbose) {
if (!session || !session->Authenticated || !mac || !data || !datalen || datalen < 1)
return 1;
memset(mac, 0x00, 8);
uint16_t ctr = session->R_Ctr;
switch(mtype) {
case mtypWriteCmd:
@ -162,23 +162,23 @@ int CalculateMAC(mf4Session *session, MACType_t mtype, uint8_t blockNum, uint8_t
macdatalen = 1 + 6;
break;
}
if (verbose)
PrintAndLog("MAC data[%d]: %s", macdatalen, sprint_hex(macdata, macdatalen));
return aes_cmac8(NULL, session->Kmac, macdata, mac, macdatalen);
}
int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool verbose) {
uint8_t data[257] = {0};
int datalen = 0;
uint8_t RndA[17] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00};
uint8_t RndB[17] = {0};
if (session)
session->Authenticated = false;
session->Authenticated = false;
uint8_t cmd1[] = {0x70, keyn[1], keyn[0], 0x00};
int res = ExchangeRAW14a(cmd1, sizeof(cmd1), activateField, true, data, sizeof(data), &datalen);
if (res) {
@ -186,16 +186,16 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF
DropField();
return 2;
}
if (verbose)
PrintAndLogEx(INFO, "<phase1: %s", sprint_hex(data, datalen));
if (datalen < 1) {
PrintAndLogEx(ERR, "Card response wrong length: %d", datalen);
DropField();
return 3;
}
if (data[0] != 0x90) {
PrintAndLogEx(ERR, "Card response error: %02x", data[2]);
DropField();
@ -207,7 +207,7 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF
DropField();
return 3;
}
aes_decode(NULL, key, &data[1], RndB, 16);
RndB[16] = RndB[0];
if (verbose)
@ -223,19 +223,19 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF
aes_encode(NULL, key, raw, &cmd2[1], 32);
if (verbose)
PrintAndLogEx(INFO, ">phase2: %s", sprint_hex(cmd2, 33));
res = ExchangeRAW14a(cmd2, sizeof(cmd2), false, true, data, sizeof(data), &datalen);
if (res) {
PrintAndLogEx(ERR, "Exchande raw error: %d", res);
DropField();
return 4;
}
if (verbose)
PrintAndLogEx(INFO, "<phase2: %s", sprint_hex(data, datalen));
aes_decode(NULL, key, &data[1], raw, 32);
if (verbose) {
PrintAndLogEx(INFO, "res: %s", sprint_hex(raw, 32));
PrintAndLogEx(INFO, "RndA`: %s", sprint_hex(&raw[4], 16));
@ -256,31 +256,31 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF
PrintAndLogEx(INFO, "pic: %s", sprint_hex(&raw[20], 6));
PrintAndLogEx(INFO, "pcd: %s", sprint_hex(&raw[26], 6));
}
uint8_t kenc[16] = {0};
memcpy(&kenc[0], &RndA[11], 5);
memcpy(&kenc[5], &RndB[11], 5);
for(int i = 0; i < 5; i++)
kenc[10 + i] = RndA[4 + i] ^ RndB[4 + i];
kenc[15] = 0x11;
aes_encode(NULL, key, kenc, kenc, 16);
if (verbose) {
PrintAndLogEx(INFO, "kenc: %s", sprint_hex(kenc, 16));
}
uint8_t kmac[16] = {0};
memcpy(&kmac[0], &RndA[7], 5);
memcpy(&kmac[5], &RndB[7], 5);
for(int i = 0; i < 5; i++)
kmac[10 + i] = RndA[0 + i] ^ RndB[0 + i];
kmac[15] = 0x22;
aes_encode(NULL, key, kmac, kmac, 16);
if (verbose) {
PrintAndLogEx(INFO, "kmac: %s", sprint_hex(kmac, 16));
}
}
if (!leaveSignalON)
DropField();
@ -301,53 +301,53 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF
memmove(session->Kenc, kenc, 16);
memmove(session->Kmac, kmac, 16);
}
if (verbose)
PrintAndLogEx(INFO, "Authentication OK");
return 0;
}
int intExchangeRAW14aPlus(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
if(VerboseMode)
PrintAndLogEx(INFO, ">>> %s", sprint_hex(datain, datainlen));
int res = ExchangeRAW14a(datain, datainlen, activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen);
if(VerboseMode)
PrintAndLogEx(INFO, "<<< %s", sprint_hex(dataout, *dataoutlen));
return res;
}
int MFPWritePerso(uint8_t *keyNum, uint8_t *key, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
uint8_t rcmd[3 + 16] = {0xa8, keyNum[1], keyNum[0], 0x00};
memmove(&rcmd[3], key, 16);
return intExchangeRAW14aPlus(rcmd, sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen);
}
int MFPCommitPerso(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
uint8_t rcmd[1] = {0xaa};
return intExchangeRAW14aPlus(rcmd, sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen);
}
int MFPReadBlock(mf4Session *session, bool plain, uint8_t blockNum, uint8_t blockCount, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac) {
uint8_t rcmd[4 + 8] = {(plain?(0x37):(0x33)), blockNum, 0x00, blockCount};
uint8_t rcmd[4 + 8] = {(plain?(0x37):(0x33)), blockNum, 0x00, blockCount};
if (!plain && session)
CalculateMAC(session, mtypReadCmd, blockNum, blockCount, rcmd, 4, &rcmd[4], VerboseMode);
int res = intExchangeRAW14aPlus(rcmd, plain?4:sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen);
if(res)
return res;
if (session)
if (session)
session->R_Ctr++;
if(session && mac && *dataoutlen > 11)
CalculateMAC(session, mtypReadResp, blockNum, blockCount, dataout, *dataoutlen - 8 - 2, mac, VerboseMode);
return 0;
}
@ -356,37 +356,37 @@ int MFPWriteBlock(mf4Session *session, uint8_t blockNum, uint8_t *data, bool act
memmove(&rcmd[3], data, 16);
if (session)
CalculateMAC(session, mtypWriteCmd, blockNum, 1, rcmd, 19, &rcmd[19], VerboseMode);
int res = intExchangeRAW14aPlus(rcmd, sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen);
if(res)
return res;
if (session)
if (session)
session->W_Ctr++;
if(session && mac && *dataoutlen > 3)
CalculateMAC(session, mtypWriteResp, blockNum, 1, dataout, *dataoutlen, mac, VerboseMode);
return 0;
}
int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose){
uint8_t keyn[2] = {0};
bool plain = false;
uint16_t uKeyNum = 0x4000 + sectorNo * 2 + (keyType ? 1 : 0);
keyn[0] = uKeyNum >> 8;
keyn[1] = uKeyNum & 0xff;
if (verbose)
PrintAndLogEx(INFO, "--sector[%d]:%02x key:%04x", mfNumBlocksPerSector(sectorNo), sectorNo, uKeyNum);
mf4Session session;
int res = MifareAuth4(&session, keyn, key, true, true, verbose);
if (res) {
PrintAndLogEx(ERR, "Sector %d authentication error: %d", sectorNo, res);
return res;
}
uint8_t data[250] = {0};
int datalen = 0;
uint8_t mac[8] = {0};
@ -398,7 +398,7 @@ int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data
DropField();
return res;
}
if (datalen && data[0] != 0x90) {
PrintAndLogEx(ERR, "Sector %d card read error: %02x %s", sectorNo, data[0], mfpGetErrorDescription(data[0]));
DropField();
@ -411,31 +411,31 @@ int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data
}
memcpy(&dataout[(n - firstBlockNo) * 16], &data[1], 16);
if (verbose)
PrintAndLogEx(INFO, "data[%03d]: %s", n, sprint_hex(&data[1], 16));
if (memcmp(&data[1 + 16], mac, 8)) {
PrintAndLogEx(WARNING, "WARNING: mac on block %d not equal...", n);
PrintAndLogEx(WARNING, "MAC card: %s", sprint_hex(&data[1 + 16], 8));
PrintAndLogEx(WARNING, "MAC reader: %s", sprint_hex(mac, 8));
if (!verbose)
return 7;
} else {
return 7;
} else {
if(verbose)
PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[1 + 16], 8));
}
}
DropField();
return 0;
return 0;
}
// Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards),
// plus evtl. 8 sectors with 16 blocks each (4k cards)
uint8_t mfNumBlocksPerSector(uint8_t sectorNo) {
if (sectorNo < 32)
if (sectorNo < 32)
return 4;
else
return 16;
@ -465,5 +465,5 @@ uint8_t mfSectorNum(uint8_t blockNo) {
return blockNo / 4;
else
return 32 + (blockNo - 32 * 4) / 16;
}

4
client/mifare/mifare4.h
View file

@ -30,7 +30,7 @@ typedef struct {
uint16_t R_Ctr;
uint16_t W_Ctr;
}mf4Session;
typedef enum {
mtypReadCmd,
mtypReadResp,
@ -45,7 +45,7 @@ typedef struct {
extern void mfpSetVerboseMode(bool verbose);
extern const char * mfpGetErrorDescription(uint8_t errorCode);
extern int CalculateMAC(mf4Session *session, MACType_t mtype, uint8_t blockNum, uint8_t blockCount, uint8_t *data, int datalen, uint8_t *mac, bool verbose);
extern int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool verbose);

268
client/mifare/mifarehost.c
View file

@ -17,7 +17,7 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
uint64_t *keylist = NULL, *last_keylist = NULL;
uint32_t keycount = 0;
int16_t isOK = 0;
UsbCommand c = {CMD_READER_MIFARE, {true, blockno, key_type}};
// message
@ -31,11 +31,11 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
SendCommand(&c);
//flush queue
while (ukbhit()) {
int gc = getchar(); (void)gc;
while (ukbhit()) {
int gc = getchar(); (void)gc;
return -5;
}
// wait cycle
while (true) {
printf("."); fflush(stdout);
@ -47,9 +47,9 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
UsbCommand resp;
if (WaitForResponseTimeout(CMD_ACK, &resp, 2000)) {
isOK = resp.arg[0];
if (isOK < 0)
if (isOK < 0)
return isOK;
uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);
nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);
par_list = bytes_to_num(resp.d.asBytes + 8, 8);
@ -60,7 +60,7 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
}
}
PrintAndLogEx(NORMAL, "\n");
if (par_list == 0 && c.arg[0] == true) {
PrintAndLogEx(SUCCESS, "Parity is all zero. Most likely this card sends NACK on every authentication.");
}
@ -92,7 +92,7 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
uint8_t keyBlock[USB_CMD_DATA_SIZE];
int max_keys = USB_CMD_DATA_SIZE / 6;
for (int i = 0; i < keycount; i += max_keys) {
int size = keycount - i > max_keys ? max_keys : keycount - i;
for (int j = 0; j < size; j++) {
if (par_list == 0) {
@ -101,12 +101,12 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
num_to_bytes(keylist[i*max_keys + j], 6, keyBlock+(j*6));
}
}
if (!mfCheckKeys(blockno, key_type - 0x60, false, size, keyBlock, key)) {
break;
}
}
if (*key != -1) {
break;
} else {
@ -121,7 +121,7 @@ int mfDarkside(uint8_t blockno, uint8_t key_type, uint64_t *key) {
return 0;
}
int mfCheckKeys(uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key){
*key = -1;
*key = -1;
UsbCommand c = {CMD_MIFARE_CHKKEYS, { (blockNo | (keyType << 8)), clear_trace, keycnt}};
memcpy(c.d.asBytes, keyBlock, 6 * keycnt);
clearCommandBuffer();
@ -133,9 +133,9 @@ int mfCheckKeys(uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t keyc
return 0;
}
// Sends chunks of keys to device.
// Sends chunks of keys to device.
// 0 == ok all keys found
// 1 ==
// 1 ==
// 2 == Time-out, aborting
int mfCheckKeys_fast( uint8_t sectorsCnt, uint8_t firstChunk, uint8_t lastChunk, uint8_t strategy,
uint32_t size, uint8_t *keyBlock, sector_t *e_sector, bool use_flashmemory) {
@ -143,8 +143,8 @@ int mfCheckKeys_fast( uint8_t sectorsCnt, uint8_t firstChunk, uint8_t lastChunk,
uint64_t t2 = msclock();
uint32_t timeout = 0;
// send keychunk
UsbCommand c = {CMD_MIFARE_CHKKEYS_FAST, { (sectorsCnt | (firstChunk << 8) | (lastChunk << 12) ), ((use_flashmemory << 8) | strategy), size}};
// send keychunk
UsbCommand c = {CMD_MIFARE_CHKKEYS_FAST, { (sectorsCnt | (firstChunk << 8) | (lastChunk << 12) ), ((use_flashmemory << 8) | strategy), size}};
memcpy(c.d.asBytes, keyBlock, 6 * size);
clearCommandBuffer();
SendCommand(&c);
@ -167,11 +167,11 @@ int mfCheckKeys_fast( uint8_t sectorsCnt, uint8_t firstChunk, uint8_t lastChunk,
uint8_t curr_keys = resp.arg[0];
PrintAndLogEx(SUCCESS, "\nChunk: %.1fs | found %u/%u keys (%u)", (float)(t2/1000.0), curr_keys, (sectorsCnt<<1), size);
// all keys?
// all keys?
if ( curr_keys == sectorsCnt*2 || lastChunk ) {
// success array. each byte is status of key
// success array. each byte is status of key
uint8_t arr[80];
uint64_t foo = 0;
uint16_t bar = 0;
@ -180,10 +180,10 @@ int mfCheckKeys_fast( uint8_t sectorsCnt, uint8_t firstChunk, uint8_t lastChunk,
for (uint8_t i = 0; i < 64; i++)
arr[i] = (foo >> i) & 0x1;
for (uint8_t i = 0; i < 16; i++)
arr[i+64] = (bar >> i) & 0x1;
// initialize storage for found keys
icesector_t *tmp = calloc(sectorsCnt, sizeof(icesector_t));
if (tmp == NULL)
@ -203,7 +203,7 @@ int mfCheckKeys_fast( uint8_t sectorsCnt, uint8_t firstChunk, uint8_t lastChunk,
}
}
free(tmp);
if ( curr_keys == sectorsCnt*2 )
return 0;
if ( lastChunk )
@ -226,11 +226,11 @@ int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultk
memset(candidates, 0, sizeof(candidates));
memset(keyBlock, 0, sizeof(keyBlock));
// Generate all possible keys for the first two unknown bytes.
for (uint16_t i = 0; i < 0xFFFF; ++i) {
uint32_t j = i * 6;
candidates[0 + j] = i >> 8;
for (uint16_t i = 0; i < 0xFFFF; ++i) {
uint32_t j = i * 6;
candidates[0 + j] = i >> 8;
candidates[1 + j] = i;
candidates[2 + j] = key[2];
candidates[3 + j] = key[3];
@ -241,7 +241,7 @@ int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultk
for ( i = 0, counter = 1; i < CANDIDATE_SIZE; i += KEYBLOCK_SIZE, ++counter){
key64 = 0;
// copy candidatekeys to test key block
memcpy(keyBlock, candidates + i, KEYBLOCK_SIZE);
@ -251,8 +251,8 @@ int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultk
found = true;
break;
}
// progress
// progress
if ( counter % 20 == 0 )
PrintAndLogEx(SUCCESS, "tried : %s.. \t %u keys", sprint_hex(candidates + i, 6), counter * KEYS_IN_BLOCK );
}
@ -270,20 +270,20 @@ int Compare16Bits(const void * a, const void * b) {
void
#ifdef __has_attribute
#if __has_attribute(force_align_arg_pointer)
__attribute__((force_align_arg_pointer))
__attribute__((force_align_arg_pointer))
#endif
#endif
*nested_worker_thread(void *arg) {
struct Crypto1State *p1;
StateList_t *statelist = arg;
statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid);
statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid);
for (p1 = statelist->head.slhead; *(uint64_t *)p1 != 0; p1++) {};
statelist->len = p1 - statelist->head.slhead;
statelist->tail.sltail = --p1;
qsort(statelist->head.slhead, statelist->len, sizeof(uint64_t), Compare16Bits);
return statelist->head.slhead;
}
@ -293,7 +293,7 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
UsbCommand resp;
StateList_t statelists[2];
struct Crypto1State *p1, *p2, *p3, *p4;
UsbCommand c = {CMD_MIFARE_NESTED, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, calibrate}};
memcpy(c.d.asBytes, key, 6);
clearCommandBuffer();
@ -302,9 +302,9 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
// error during nested
if (resp.arg[0]) return resp.arg[0];
memcpy(&uid, resp.d.asBytes, 4);
for (i = 0; i < 2; i++) {
statelists[i].blockNo = resp.arg[2] & 0xff;
statelists[i].keyType = (resp.arg[2] >> 8) & 0xff;
@ -312,10 +312,10 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
memcpy(&statelists[i].nt, (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4);
memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4);
}
// calc keys
// calc keys
pthread_t thread_id[2];
// create and run worker threads
for (i = 0; i < 2; i++)
pthread_create(thread_id + i, NULL, nested_worker_thread, &statelists[i]);
@ -327,12 +327,12 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
// the first 16 Bits of the cryptostate already contain part of our key.
// Create the intersection of the two lists based on these 16 Bits and
// roll back the cryptostate
p1 = p3 = statelists[0].head.slhead;
p1 = p3 = statelists[0].head.slhead;
p2 = p4 = statelists[1].head.slhead;
while (p1 <= statelists[0].tail.sltail && p2 <= statelists[1].tail.sltail) {
if (Compare16Bits(p1, p2) == 0) {
struct Crypto1State savestate, *savep = &savestate;
savestate = *p1;
while(Compare16Bits(p1, savep) == 0 && p1 <= statelists[0].tail.sltail) {
@ -381,15 +381,15 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
uint8_t keyBlock[USB_CMD_DATA_SIZE] = {0x00};
for (int i = 0; i < keycnt; i += max_keys) {
int size = keycnt - i > max_keys ? max_keys : keycnt - i;
for (int j = 0; j < size; j++) {
crypto1_get_lfsr(statelists[0].head.slhead + i, &key64);
num_to_bytes(key64, 6, keyBlock + i * 6);
}
if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, size, keyBlock, &key64)) {
if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, size, keyBlock, &key64)) {
free(statelists[0].head.slhead);
free(statelists[1].head.slhead);
num_to_bytes(key64, 6, resultKey);
@ -400,14 +400,14 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
key64
);
return -5;
}
}
}
out:
PrintAndLogEx(SUCCESS, "target block:%3u key type: %c",
(uint16_t)resp.arg[2] & 0xff,
(resp.arg[2] >> 8) ? 'B' : 'A'
);
);
free(statelists[0].head.slhead);
free(statelists[1].head.slhead);
@ -416,7 +416,7 @@ out:
// MIFARE
int mfReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data) {
UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
clearCommandBuffer();
@ -436,7 +436,7 @@ int mfReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data)
PrintAndLogEx(ERR, "Command execute timeout");
return 2;
}
return 0;
}
@ -457,7 +457,7 @@ int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
int mfEmlSetMem_xt(uint8_t *data, int blockNum, int blocksCount, int blockBtWidth) {
UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNum, blocksCount, blockBtWidth}};
memcpy(c.d.asBytes, data, blocksCount * blockBtWidth);
memcpy(c.d.asBytes, data, blocksCount * blockBtWidth);
clearCommandBuffer();
SendCommand(&c);
return 0;
@ -473,27 +473,27 @@ int mfCSetUID(uint8_t *uid, uint8_t *atqa, uint8_t *sak, uint8_t *oldUID, uint8_
int old = mfCGetBlock(0, block0, params);
if (old == 0)
PrintAndLogEx(SUCCESS, "old block 0: %s", sprint_hex(block0, sizeof(block0)));
else
PrintAndLogEx(FAILED, "couldn't get old data. Will write over the last bytes of Block 0.");
else
PrintAndLogEx(FAILED, "couldn't get old data. Will write over the last bytes of Block 0.");
// fill in the new values
// UID
memcpy(block0, uid, 4);
memcpy(block0, uid, 4);
// Mifare UID BCC
block0[4] = block0[0] ^ block0[1] ^ block0[2] ^ block0[3];
// mifare classic SAK(byte 5) and ATQA(byte 6 and 7, reversed)
if ( sak != NULL )
block0[5] = sak[0];
if ( atqa != NULL ) {
block0[6] = atqa[1];
block0[7] = atqa[0];
}
PrintAndLogEx(SUCCESS, "new block 0: %s", sprint_hex(block0,16));
if ( wipecard ) params |= MAGIC_WIPE;
if ( wipecard ) params |= MAGIC_WIPE;
if ( oldUID == NULL) params |= MAGIC_UID;
return mfCSetBlock(0, block0, oldUID, params);
}
@ -501,15 +501,15 @@ int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, uint8_t params) {
uint8_t isOK = 0;
UsbCommand c = {CMD_MIFARE_CSETBLOCK, {params, blockNo, 0}};
memcpy(c.d.asBytes, data, 16);
memcpy(c.d.asBytes, data, 16);
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
isOK = resp.arg[0] & 0xff;
if (uid != NULL)
if (uid != NULL)
memcpy(uid, resp.d.asBytes, 4);
if (!isOK)
if (!isOK)
return 2;
} else {
PrintAndLogEx(WARNING, "command execute timeout");
@ -520,14 +520,14 @@ int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, uint8_t params) {
int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) {
uint8_t isOK = 0;
UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
isOK = resp.arg[0] & 0xff;
if (!isOK)
return 2;
if (!isOK)
return 2;
memcpy(data, resp.d.asBytes, 16);
} else {
PrintAndLogEx(WARNING, "command execute timeout");
@ -567,7 +567,7 @@ int isTraceCardEmpty(void) {
}
int isBlockEmpty(int blockN) {
for (int i = 0; i < 16; i++)
for (int i = 0; i < 16; i++)
if (traceCard[blockN * 16 + i] != 0) return 0;
return 1;
@ -583,10 +583,10 @@ int loadTraceCard(uint8_t *tuid, uint8_t uidlen) {
uint8_t buf8[64] = {0x00};
int i, blockNum;
uint32_t tmp;
if (!isTraceCardEmpty())
if (!isTraceCardEmpty())
saveTraceCard();
memset(traceCard, 0x00, 4096);
memcpy(traceCard, tuid, uidlen);
@ -594,11 +594,11 @@ int loadTraceCard(uint8_t *tuid, uint8_t uidlen) {
f = fopen(traceFileName, "r");
if (!f) return 1;
blockNum = 0;
while (!feof(f)){
memset(buf, 0, sizeof(buf));
if (fgets(buf, sizeof(buf), f) == NULL) {
PrintAndLogEx(FAILED, "No trace file found or reading error.");
@ -632,19 +632,19 @@ int loadTraceCard(uint8_t *tuid, uint8_t uidlen) {
}
int saveTraceCard(void) {
if ((!strlen(traceFileName)) || (isTraceCardEmpty())) return 0;
FILE * f;
f = fopen(traceFileName, "w+");
if ( !f ) return 1;
// given 4096 tracecard size, these loop will only match a 1024, 1kb card memory
// 4086/16 == 256blocks.
// 4086/16 == 256blocks.
for (uint16_t i = 0; i < 256; i++) { // blocks
for (uint8_t j = 0; j < 16; j++) // bytes
fprintf(f, "%02X", *(traceCard + i * 16 + j));
fprintf(f, "%02X", *(traceCard + i * 16 + j));
// no extra line in the end
if ( i < 255 )
fprintf(f, "\n");
@ -656,14 +656,14 @@ int saveTraceCard(void) {
//
int mfTraceInit(uint8_t *tuid, uint8_t uidlen, uint8_t *atqa, uint8_t sak, bool wantSaveToEmlFile) {
if (traceCrypto1)
if (traceCrypto1)
crypto1_destroy(traceCrypto1);
traceCrypto1 = NULL;
if (wantSaveToEmlFile)
if (wantSaveToEmlFile)
loadTraceCard(tuid, uidlen);
traceCard[4] = traceCard[0] ^ traceCard[1] ^ traceCard[2] ^ traceCard[3];
traceCard[5] = sak;
memcpy(&traceCard[6], atqa, 2);
@ -676,16 +676,16 @@ int mfTraceInit(uint8_t *tuid, uint8_t uidlen, uint8_t *atqa, uint8_t sak, bool
void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *data, int len, bool isEncrypted){
uint8_t bt = 0;
int i;
if (len != 1) {
for (i = 0; i < len; i++)
data[i] = crypto1_byte(pcs, 0x00, isEncrypted) ^ data[i];
} else {
bt = 0;
bt = 0;
bt |= (crypto1_bit(pcs, 0, isEncrypted) ^ BIT(data[0], 0)) << 0;
bt |= (crypto1_bit(pcs, 0, isEncrypted) ^ BIT(data[0], 1)) << 1;
bt |= (crypto1_bit(pcs, 0, isEncrypted) ^ BIT(data[0], 2)) << 2;
bt |= (crypto1_bit(pcs, 0, isEncrypted) ^ BIT(data[0], 3)) << 3;
bt |= (crypto1_bit(pcs, 0, isEncrypted) ^ BIT(data[0], 3)) << 3;
data[0] = bt;
}
}
@ -699,28 +699,28 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
traceState = TRACE_ERROR;
return 1;
}
uint8_t data[255];
memset(data, 0x00, sizeof(data));
memcpy(data, data_src, len);
if ((traceCrypto1) && ((traceState == TRACE_IDLE) || (traceState > TRACE_AUTH_OK))) {
mf_crypto1_decrypt(traceCrypto1, data, len, 0);
PrintAndLogEx(NORMAL, "DEC| %s", sprint_hex(data, len));
AddLogHex(logHexFileName, "DEC| ", data, len);
AddLogHex(logHexFileName, "DEC| ", data, len);
}
switch (traceState) {
case TRACE_IDLE:
case TRACE_IDLE:
// check packet crc16!
if ((len >= 4) && (!check_crc(CRC_14443_A, data, len))) {
PrintAndLogEx(NORMAL, "DEC| CRC ERROR!!!");
AddLogLine(logHexFileName, "DEC| ", "CRC ERROR!!!");
AddLogLine(logHexFileName, "DEC| ", "CRC ERROR!!!");
traceState = TRACE_ERROR; // do not decrypt the next commands
return 1;
}
// AUTHENTICATION
if ((len == 4) && ((data[0] == MIFARE_AUTH_KEYA) || (data[0] == MIFARE_AUTH_KEYB))) {
traceState = TRACE_AUTH1;
@ -750,7 +750,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
}
return 0;
case TRACE_READ_DATA:
case TRACE_READ_DATA:
if (len == 18) {
traceState = TRACE_IDLE;
@ -766,7 +766,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
return 1;
}
break;
case TRACE_WRITE_OK:
case TRACE_WRITE_OK:
if ((len == 1) && (data[0] == 0x0a)) {
traceState = TRACE_WRITE_DATA;
return 0;
@ -775,7 +775,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
return 1;
}
break;
case TRACE_WRITE_DATA:
case TRACE_WRITE_DATA:
if (len == 18) {
traceState = TRACE_IDLE;
memcpy(traceCard + traceCurBlock * 16, data, 16);
@ -786,7 +786,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
return 1;
}
break;
case TRACE_AUTH1:
case TRACE_AUTH1:
if (len == 4) {
traceState = TRACE_AUTH2;
nt = bytes_to_num(data, 4);
@ -796,7 +796,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
return 1;
}
break;
case TRACE_AUTH2:
case TRACE_AUTH2:
if (len == 8) {
traceState = TRACE_AUTH_OK;
nr_enc = bytes_to_num(data, 4);
@ -807,11 +807,11 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
return 1;
}
break;
case TRACE_AUTH_OK:
case TRACE_AUTH_OK:
if (len == 4) {
traceState = TRACE_IDLE;
at_enc = bytes_to_num(data, 4);
// mfkey64 recover key.
ks2 = ar_enc ^ prng_successor(nt, 64);
ks3 = at_enc ^ prng_successor(nt, 96);
@ -822,37 +822,37 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
lfsr_rollback_word(revstate, cuid ^ nt, 0);
crypto1_get_lfsr(revstate, &key);
PrintAndLogEx(SUCCESS, "found Key: [%012" PRIx64 "]", key);
//if ( tryMfk64(cuid, nt, nr_enc, ar_enc, at_enc, &key) )
AddLogUint64(logHexFileName, "Found Key: ", key);
AddLogUint64(logHexFileName, "Found Key: ", key);
int blockShift = ((traceCurBlock & 0xFC) + 3) * 16;
if (isBlockEmpty((traceCurBlock & 0xFC) + 3))
if (isBlockEmpty((traceCurBlock & 0xFC) + 3))
memcpy(traceCard + blockShift + 6, trailerAccessBytes, 4);
// keytype A/B
if (traceCurKey)
num_to_bytes(key, 6, traceCard + blockShift + 10);
else
num_to_bytes(key, 6, traceCard + blockShift);
if (wantSaveToEmlFile)
saveTraceCard();
if (traceCrypto1)
crypto1_destroy(traceCrypto1);
// set cryptosystem state
traceCrypto1 = lfsr_recovery64(ks2, ks3);
traceCrypto1 = lfsr_recovery64(ks2, ks3);
} else {
PrintAndLogEx(NORMAL, "[!] nested key recovery not implemented!\n");
at_enc = bytes_to_num(data, 4);
crypto1_destroy(traceCrypto1);
crypto1_destroy(traceCrypto1);
traceState = TRACE_ERROR;
}
break;
default:
default:
traceState = TRACE_ERROR;
return 1;
}
@ -871,30 +871,30 @@ int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data,
return 0;
}
/* Detect Tag Prng,
/* Detect Tag Prng,
* function performs a partial AUTH, where it tries to authenticate against block0, key A, but only collects tag nonce.
* the tag nonce is check to see if it has a predictable PRNG.
* @returns
* @returns
* TRUE if tag uses WEAK prng (ie Now the NACK bug also needs to be present for Darkside attack)
* FALSE is tag uses HARDEND prng (ie hardnested attack possible, with known key)
*/
int detect_classic_prng(void){
UsbCommand resp, respA;
UsbCommand resp, respA;
uint8_t cmd[] = {MIFARE_AUTH_KEYA, 0x00};
uint32_t flags = ISO14A_CONNECT | ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_RATS;
UsbCommand c = {CMD_READER_ISO_14443a, {flags, sizeof(cmd), 0}};
memcpy(c.d.asBytes, cmd, sizeof(cmd));
clearCommandBuffer();
SendCommand(&c);
SendCommand(&c);
if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) {
PrintAndLogEx(WARNING, "PRNG UID: Reply timeout.");
return -1;
}
// if select tag failed.
if ( resp.arg[0] == 0 ) {
PrintAndLogEx(WARNING, "error: selecting tag failed, can't detect prng\n");
@ -909,12 +909,12 @@ int detect_classic_prng(void){
if (respA.arg[0] != 4) {
PrintAndLogEx(WARNING, "PRNG data error: Wrong length: %d", respA.arg[0]);
return -4;
}
}
uint32_t nonce = bytes_to_num(respA.d.asBytes, respA.arg[0]);
return validate_prng_nonce(nonce);
}
/* Detect Mifare Classic NACK bug
/* Detect Mifare Classic NACK bug
returns:
0 = error during test / aborted
@ -923,25 +923,25 @@ returns:
3 = always leak nacks (clones)
*/
int detect_classic_nackbug(bool verbose){
UsbCommand c = {CMD_MIFARE_NACK_DETECT, {0, 0, 0}};
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if ( verbose )
PrintAndLogEx(SUCCESS, "press pm3-button on the proxmark3 device to abort both proxmark3 and client.\n");
// for nice animation
// for nice animation
bool term = !isatty(STDIN_FILENO);
#if defined(__linux__) || (__APPLE__)
char star[] = {'-', '\\', '|', '/'};
uint8_t staridx = 0;
#endif
uint8_t staridx = 0;
#endif
while (true) {
if (term) {
if (term) {
printf(".");
} else {
printf(
@ -958,21 +958,21 @@ int detect_classic_nackbug(bool verbose){
return -1;
break;
}
if (WaitForResponseTimeout(CMD_ACK, &resp, 500)) {
int32_t ok = resp.arg[0];
uint32_t nacks = resp.arg[1];
uint32_t auths = resp.arg[2];
PrintAndLogEx(NORMAL, "");
if ( verbose ) {
PrintAndLogEx(SUCCESS, "num of auth requests : %u", auths);
PrintAndLogEx(SUCCESS, "num of received NACK : %u", nacks);
}
switch( ok ) {
case 99 : PrintAndLogEx(WARNING, "button pressed. Aborted."); return 0;
case 96 :
case 98 : {
case 96 :
case 98 : {
if (verbose)
PrintAndLogEx(FAILED, "card random number generator is not predictable.");
PrintAndLogEx(WARNING, "detection failed");
@ -981,10 +981,10 @@ int detect_classic_nackbug(bool verbose){
case 97 : {
if (verbose) {
PrintAndLogEx(FAILED, "card random number generator seems to be based on the well-known generating polynomial");
PrintAndLogEx(NORMAL, "[- ]with 16 effective bits only, but shows unexpected behavior, try again.");
PrintAndLogEx(NORMAL, "[- ]with 16 effective bits only, but shows unexpected behavior, try again.");
}
return 2;
}
}
case 2 : PrintAndLogEx(SUCCESS, _GREEN_(always leak NACK detected)); return 3;
case 1 : PrintAndLogEx(SUCCESS, _GREEN_(NACK bug detected)); return 1;
case 0 : PrintAndLogEx(SUCCESS, "No NACK bug detected"); return 2;
@ -992,12 +992,12 @@ int detect_classic_nackbug(bool verbose){
}
break;
}
}
}
return 0;
}
/* try to see if card responses to "chinese magic backdoor" commands. */
void detect_classic_magic(void) {
uint8_t isGeneration = 0;
UsbCommand resp;
UsbCommand c = {CMD_MIFARE_CIDENT, {0, 0, 0}};
@ -1005,11 +1005,11 @@ void detect_classic_magic(void) {
SendCommand(&c);
if (WaitForResponseTimeout(CMD_ACK, &resp, 1500))
isGeneration = resp.arg[0] & 0xff;
switch( isGeneration ){
case 1: PrintAndLogEx(SUCCESS, "Answers to magic commands (GEN 1a): " _GREEN_(YES)); break;
case 2: PrintAndLogEx(SUCCESS, "Answers to magic commands (GEN 1b): " _GREEN_(YES)); break;
//case 4: PrintAndLogEx(SUCCESS, "Answers to magic commands (GEN 2): " _GREEN_(YES)); break;
default: PrintAndLogEx(INFO, "Answers to magic commands: " _YELLOW_(NO)); break;
}
}
}

2
client/mifare/mifarehost.h
View file

@ -55,7 +55,7 @@ typedef struct {
uint32_t nt;
uint32_t ks1;
} StateList_t;
typedef struct {
uint64_t Key[2];
uint8_t foundKey[2];

88
client/mifare/ndef.c
View file

@ -89,7 +89,7 @@ uint16_t ndefTLVGetLength(uint8_t *data, size_t *indx) {
len = data[0];
*indx += 1;
}
return len;
}
@ -107,12 +107,12 @@ int ndefDecodeHeader(uint8_t *data, size_t datalen, NDEFHeader_t *header) {
header->len = 1 + 1 + (header->ShortRecordBit ? 1 : 4) + (header->IDLenPresent ? 1 : 0); // header + typelen + payloadlen + idlen
if (header->len > datalen)
return 1;
header->TypeLen = data[1];
header->Type = data + header->len;
header->PayloadLen = (header->ShortRecordBit ? (data[2]) : ((data[2] << 24) + (data[3] << 16) + (data[4] << 8) + data[5]));
if (header->IDLenPresent) {
header->IDLen = (header->ShortRecordBit ? (data[3]) : (data[6]));
header->Payload = header->Type + header->TypeLen;
@ -121,9 +121,9 @@ int ndefDecodeHeader(uint8_t *data, size_t datalen, NDEFHeader_t *header) {
}
header->Payload = header->Type + header->TypeLen + header->IDLen;
header->RecLen = header->len + header->TypeLen + header->PayloadLen + header->IDLen;
if (header->RecLen > datalen)
return 3;
@ -132,7 +132,7 @@ int ndefDecodeHeader(uint8_t *data, size_t datalen, NDEFHeader_t *header) {
int ndefPrintHeader(NDEFHeader_t *header) {
PrintAndLogEx(INFO, "Header:");
PrintAndLogEx(NORMAL, "\tMessage Begin: %s", STRBOOL(header->MessageBegin));
PrintAndLogEx(NORMAL, "\tMessage End: %s", STRBOOL(header->MessageEnd));
PrintAndLogEx(NORMAL, "\tChunk Flag: %s", STRBOOL(header->ChunkFlag));
@ -157,21 +157,21 @@ int ndefDecodeSig(uint8_t *sig, size_t siglen) {
return 1;
}
indx++;
uint8_t sigType = sig[indx] & 0x7f;
bool sigURI = sig[indx] & 0x80;
PrintAndLogEx(NORMAL, "\tsignature type: %s", ((sigType < stNA) ? ndefSigType_s[sigType] : ndefSigType_s[stNA]));
PrintAndLogEx(NORMAL, "\tsignature uri: %s", (sigURI ? "present" : "not present"));
size_t intsiglen = (sig[indx + 1] << 8) + sig[indx + 2];
// ecdsa 0x04
if (sigType == stECDSA) {
indx += 3;
PrintAndLogEx(NORMAL, "\tsignature [%d]: %s", intsiglen, sprint_hex_inrow(&sig[indx], intsiglen));
uint8_t rval[300] = {0};
uint8_t sval[300] = {0};
uint8_t rval[300] = {0};
uint8_t sval[300] = {0};
int res = ecdsa_asn1_get_signature(&sig[indx], intsiglen, rval, sval);
if (!res) {
PrintAndLogEx(NORMAL ,"\t\tr: %s", sprint_hex(rval, 32));
@ -179,28 +179,28 @@ int ndefDecodeSig(uint8_t *sig, size_t siglen) {
}
}
indx += intsiglen;
if (sigURI) {
size_t intsigurilen = (sig[indx] << 8) + sig[indx + 1];
indx += 2;
PrintAndLogEx(NORMAL, "\tsignature uri [%d]: %.*s", intsigurilen, intsigurilen, &sig[indx]);
PrintAndLogEx(NORMAL, "\tsignature uri [%d]: %.*s", intsigurilen, intsigurilen, &sig[indx]);
indx += intsigurilen;
}
uint8_t certFormat = (sig[indx] >> 4) & 0x07;
uint8_t certCount = sig[indx] & 0x0f;
bool certURI = sig[indx] & 0x80;
PrintAndLogEx(NORMAL, "\tcertificate format: %s", ((certFormat < sfNA) ? ndefCertificateFormat_s[certFormat] : ndefCertificateFormat_s[sfNA]));
PrintAndLogEx(NORMAL, "\tcertificates count: %d", certCount);
// print certificates
indx++;
for (int i = 0; i < certCount; i++) {
size_t intcertlen = (sig[indx + 1] << 8) + sig[indx + 2];
indx += 2;
PrintAndLogEx(NORMAL, "\tcertificate %d [%d]: %s", i + 1, intcertlen, sprint_hex_inrow(&sig[indx], intcertlen));
PrintAndLogEx(NORMAL, "\tcertificate %d [%d]: %s", i + 1, intcertlen, sprint_hex_inrow(&sig[indx], intcertlen));
indx += intcertlen;
}
@ -208,32 +208,32 @@ int ndefDecodeSig(uint8_t *sig, size_t siglen) {
if ((indx <= siglen) && certURI) {
size_t inturilen = (sig[indx] << 8) + sig[indx + 1];
indx += 2;
PrintAndLogEx(NORMAL, "\tcertificate uri [%d]: %.*s", inturilen, inturilen, &sig[indx]);
PrintAndLogEx(NORMAL, "\tcertificate uri [%d]: %.*s", inturilen, inturilen, &sig[indx]);
indx += inturilen;
}
return 0;
};
int ndefDecodePayload(NDEFHeader_t *ndef) {
switch(ndef->TypeNameFormat) {
case tnfWellKnownRecord:
PrintAndLogEx(INFO, "Well Known Record");
PrintAndLogEx(NORMAL, "\ttype: %.*s", ndef->TypeLen, ndef->Type);
if (!strncmp((char *)ndef->Type, "T", ndef->TypeLen)) {
PrintAndLogEx(NORMAL, "\ttext : %.*s", ndef->PayloadLen, ndef->Payload);
}
if (!strncmp((char *)ndef->Type, "U", ndef->TypeLen)) {
PrintAndLogEx(NORMAL, "\turi : %s%.*s", (ndef->Payload[0] <= 0x23 ? URI_s[ndef->Payload[0]] : "[err]"), ndef->PayloadLen, &ndef->Payload[1]);
}
if (!strncmp((char *)ndef->Type, "Sig", ndef->TypeLen)) {
ndefDecodeSig(ndef->Payload, ndef->PayloadLen);
}
break;
case tnfAbsoluteURIRecord:
PrintAndLogEx(INFO, "Absolute URI Record");
@ -242,7 +242,7 @@ int ndefDecodePayload(NDEFHeader_t *ndef) {
break;
default:
break;
}
}
return 0;
}
@ -251,9 +251,9 @@ int ndefRecordDecodeAndPrint(uint8_t *ndefRecord, size_t ndefRecordLen) {
int res = ndefDecodeHeader(ndefRecord, ndefRecordLen, &NDEFHeader);
if (res)
return res;
ndefPrintHeader(&NDEFHeader);
if (NDEFHeader.TypeLen) {
PrintAndLogEx(INFO, "Type data:");
dump_buffer(NDEFHeader.Type, NDEFHeader.TypeLen, stdout, 1);
@ -275,13 +275,13 @@ int ndefRecordDecodeAndPrint(uint8_t *ndefRecord, size_t ndefRecordLen) {
int ndefRecordsDecodeAndPrint(uint8_t *ndefRecord, size_t ndefRecordLen) {
bool firstRec = true;
size_t len = 0;
while (len < ndefRecordLen) {
NDEFHeader_t NDEFHeader = {0};
int res = ndefDecodeHeader(&ndefRecord[len], ndefRecordLen - len, &NDEFHeader);
if (res)
return res;
if (firstRec) {
if (!NDEFHeader.MessageBegin) {
PrintAndLogEx(ERR, "NDEF first record have MessageBegin=false!");
@ -289,27 +289,27 @@ int ndefRecordsDecodeAndPrint(uint8_t *ndefRecord, size_t ndefRecordLen) {
}
firstRec = false;
}
if (NDEFHeader.MessageEnd && len + NDEFHeader.RecLen != ndefRecordLen) {
PrintAndLogEx(ERR, "NDEF records have wrong length. Must be %d, calculated %d", ndefRecordLen, len + NDEFHeader.RecLen);
return 1;
}
ndefRecordDecodeAndPrint(&ndefRecord[len], NDEFHeader.RecLen);
ndefRecordDecodeAndPrint(&ndefRecord[len], NDEFHeader.RecLen);
len += NDEFHeader.RecLen;
if (NDEFHeader.MessageEnd)
break;
}
}
return 0;
}
int NDEFDecodeAndPrint(uint8_t *ndef, size_t ndefLen, bool verbose) {
size_t indx = 0;
PrintAndLogEx(INFO, "NDEF decoding:");
while (indx < ndefLen) {
switch (ndef[indx]) {
@ -326,11 +326,11 @@ int NDEFDecodeAndPrint(uint8_t *ndef, size_t ndefLen, bool verbose) {
indx++;
uint16_t len = ndefTLVGetLength(&ndef[indx], &indx);
PrintAndLogEx(INFO, "-- NDEF message. len: %d", len);
int res = ndefRecordsDecodeAndPrint(&ndef[indx], len);
if (res)
return res;
indx += len;
break;
}
@ -350,8 +350,8 @@ int NDEFDecodeAndPrint(uint8_t *ndef, size_t ndefLen, bool verbose) {
PrintAndLogEx(ERR, "unknown tag 0x%02x", ndef[indx]);
return 1;
}
}
}
}
return 0;
}