From 6c163fa26218030a60b3ceae85911f4d46f2cc10 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 15 Nov 2022 07:07:26 +0100
Subject: [PATCH] added a check for static encrypted nonces when collecting encrypted nonces for hardnested to run. Will abort the collection if detected.

---
CHANGELOG.md | 1 +
armsrc/mifarecmd.c | 27 +++++++++++++++++++++++----
client/src/cmdhfmf.c | 7 +++++++
client/src/mifare/mifarehost.c | 2 +-
include/pm3_cmd.h | 4 ++++
5 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 30314d514..8f75478e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+ - Changed `hf mf hardnested` - a detection for static encrypted nonces (@iceman1001)
 - Added requirements.txt file to tools folder. Minimum to run pm3_tests.sh (@iceman1001)
 - Changed `hf mf hardnested` - now can detect and use MFC EV1 signature sector key (@iceman1001)
 - Changed `hf mf autopwn` - now can detect and use MFC EV1 signature sector key (@iceman1001)
diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index 4fd74c9ef..e9cc713bd 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -775,7 +775,7 @@ void MifareAcquireNonces(uint32_t arg0, uint32_t flags) {
 
 if (!have_uid) { // need a full select cycle to get the uid first
 iso14a_card_select_t card_info;
- if (!iso14443a_select_card(uid, &card_info, &cuid, true, 0, true)) {
+ if (iso14443a_select_card(uid, &card_info, &cuid, true, 0, true) == 0) {
 if (g_dbglevel >= DBG_ERROR) Dbprintf("AcquireNonces: Can't select card (ALL)");
 continue;
 }
@@ -794,7 +794,7 @@ void MifareAcquireNonces(uint32_t arg0, uint32_t flags) {
 }
 have_uid = true;
 } else { // no need for anticollision. We can directly select the card
- if (!iso14443a_fast_select_card(uid, cascade_levels)) {
+ if (iso14443a_fast_select_card(uid, cascade_levels) == 0) {
 if (g_dbglevel >= DBG_ERROR) Dbprintf("AcquireNonces: Can't select card (UID)");
 continue;
 }
@@ -878,6 +878,9 @@ void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags,
 
 LED_C_ON();
 
+ uint8_t prev_enc_nt[] = {0,0,0,0};
+ uint8_t prev_counter = 0;
+
 for (uint16_t i = 0; i <= PM3_CMD_DATA_SIZE - 9;) {
 
 // Test if the action was cancelled
@@ -944,6 +947,22 @@ void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags,
 memcpy(buf + i + 8, &nt_par_enc, 1);
 i += 9;
 }
+
+
+ if (prev_enc_nt[0] == receivedAnswer[0] &&
+ prev_enc_nt[1] == receivedAnswer[1] &&
+ prev_enc_nt[2] == receivedAnswer[2] &&
+ prev_enc_nt[3] == receivedAnswer[3]
+ ) {
+ prev_counter++;
+ }
+ memcpy(prev_enc_nt, receivedAnswer, 4);
+ if (prev_counter == 5) {
+ if (g_dbglevel >= DBG_EXTENDED) DbpString("Static encrypted nonce detected, exiting...");
+ isOK = PM3_ESTATIC_NONCE;
+ break;
+ }
+
 }
 
 LED_C_OFF();
@@ -952,7 +971,7 @@ void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags,
 reply_old(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));
 LED_B_OFF();
 
- if (g_dbglevel >= 3) DbpString("AcquireEncryptedNonces finished");
+ if (g_dbglevel >= DBG_ERROR) DbpString("AcquireEncryptedNonces finished");
 
 if (field_off) {
 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -1030,7 +1049,7 @@ void MifareNested(uint8_t blockNo, uint8_t keyType, uint8_t targetBlockNo, uint8
 continue;
 }
 
- if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {
+ if (iso14443a_select_card(uid, NULL, &cuid, true, 0, true) == 0) {
 if (g_dbglevel >= DBG_INFO) Dbprintf("Nested: Can't select card");
 rtr--;
 continue;
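Review bot: The previous-nonce buffer added after `LED_C_ON()` is declared as `uint8_t prev_enc_nt[] = {0,0,0,0};`, leaving its size implied by the initializer count; `uint8_t prev_enc_nt[4] = {0};` ties the size to the 4-byte compare and to the `memcpy(prev_enc_nt, receivedAnswer, 4)` in the next hunk. The all-zero initial value also serves as a "no previous nonce yet" sentinel, but 00 00 00 00 is a legal encrypted nonce, so a first answer of zeros is counted as a repeat; a `bool have_prev = false;` declared here and set after the first copy, and checked before comparing, removes that ambiguity. MifareAcquireEncryptedNonces begins and ends outside this hunk.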
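Review bot: `prev_counter` is only ever incremented in the block after `i += 9;` and is never reset when the new answer differs from `prev_enc_nt`, so the threshold of 5 fires on five repeats anywhere in the acquisition rather than on five consecutive identical nonces; adding `} else { prev_counter = 0; }` after the `prev_counter++;` branch makes the check match what the log message claims. The four-element compare reads more simply as `if (memcmp(prev_enc_nt, receivedAnswer, sizeof(prev_enc_nt)) == 0) {`, and the literal 5 deserves a named constant. `isOK` now carries the negative code `PM3_ESTATIC_NONCE` into `reply_old(CMD_ACK, isOK, ...)`, which I believe takes its arguments as unsigned 64-bit values; the existing `case PM3_EOPABORTED:` in cmdhfmf.c suggests the client already converts back, but that path is not in this diff and is worth confirming. It is also not visible here whether every path that fails to receive a 4-byte answer `continue`s before reaching this block, so that a stale `receivedAnswer` cannot register as a repeat. The enclosing loop and function start outside the hunk.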
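Review bot: Replacing the literal in `if (g_dbglevel >= 3)` with `DBG_ERROR` is not a like-for-like change: with the usual DBG_NONE/DBG_ERROR/DBG_INFO/DBG_DEBUG/DBG_EXTENDED ordering, 3 corresponds to `DBG_DEBUG`, so the informational "AcquireEncryptedNonces finished" line is now emitted at error verbosity, the level the neighbouring hunks reserve for select failures. If the intent was only to drop the magic number, `if (g_dbglevel >= DBG_DEBUG) DbpString("AcquireEncryptedNonces finished");` keeps the previous behaviour. The function's tail continues past the hunk.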
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
index 5609d0363..1847bc1a6 100644
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@@ -2054,6 +2054,9 @@ static int CmdHF14AMfNestedHard(const char *Cmd) {
 case PM3_EOPABORTED:
 PrintAndLogEx(WARNING, "Button pressed. Aborted.\n");
 break;
+ case PM3_ESTATIC_NONCE:
+ PrintAndLogEx(ERR, "Error: Static encrypted nonce detected. Aborted.\n");
+ break;
 default :
 break;
 }
@@ -2744,6 +2747,10 @@ tryHardnested: // If the nested attack fails then we try the hardnested attack
 PrintAndLogEx(NORMAL, "\nButton pressed, user aborted");
 break;
 }
+ case PM3_ESTATIC_NONCE: {
+ PrintAndLogEx(ERR, "\nError: Static encrypted nonce detected. Aborted.\n");
+ break;
+ }
 default: {
 break;
 }
diff --git a/client/src/mifare/mifarehost.c b/client/src/mifare/mifarehost.c
index 93727e45f..f12f78eab 100644
--- a/client/src/mifare/mifarehost.c
+++ b/client/src/mifare/mifarehost.c
@@ -437,7 +437,7 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo,
 clearCommandBuffer();
 SendCommandNG(CMD_HF_MIFARE_NESTED, (uint8_t *)&payload, sizeof(payload));
 
- if (!WaitForResponseTimeout(CMD_HF_MIFARE_NESTED, &resp, 2000)) {
+ if (WaitForResponseTimeout(CMD_HF_MIFARE_NESTED, &resp, 2000) == false) {
 SendCommandNG(CMD_BREAK_LOOP, NULL, 0);
 return PM3_ETIMEOUT;
 }
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index eebf0bfd3..95750b9b7 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@@ -773,11 +773,15 @@ typedef struct {
 // Got bad CRC client/pm3: error in transfer of data, crc mismatch.
 #define PM3_ECRC -24
 
+// STATIC Nonce detect pm3: when collecting nonces for hardnested
+#define PM3_ESTATIC_NONCE -25
+
 // No data pm3: no data available, no host frame available (not really an error)
 #define PM3_ENODATA -98
 
 // Quit program client: reserved, order to quit the program
 #define PM3_EFATAL -99
+
 // LF
 #define LF_FREQ2DIV(f) ((int)(((12000.0 + (f)/2.0)/(f))-1))
 #define LF_DIVISOR_125 LF_FREQ2DIV(125)
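Review bot: The new `case PM3_ESTATIC_NONCE:` message begins with `Error:` although `PrintAndLogEx(ERR, ...)` already marks the line as an error, and the sibling `PM3_EOPABORTED` case carries no such prefix; `PrintAndLogEx(ERR, "Static encrypted nonce detected. Aborted.\n");` keeps the two cases parallel. The same applies to this file's second hunk at `tryHardnested:`, where the `\n`-prefixed variant should mirror the `Button pressed, user aborted` line beside it. Both switch statements start before their hunks, so how the caller proceeds after the new `break` is not visible here.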
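Review bot: The comment on the new `#define PM3_ESTATIC_NONCE -25` names the situation but not what the code means, whereas its neighbours state both the condition and who raises it; `// Static encrypted nonce detected    pm3: nonce acquisition for hardnested aborted, card keeps returning the same encrypted nonce` would fit the existing two-column style. The value -25 continues the -24 sequence and leaves the reserved -98/-99 pair untouched, which reads as intended.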