Add option to use SPI flash dictionary for autopwn

armsrc/mifarecmd.c

@@ -1896,32 +1896,33 @@ void MifareChkKeys_fast(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *da
         if (exists_in_spiffs(MF_KEYS_FILE)) {
             size = size_in_spiffs(MF_KEYS_FILE);
         }
-        if (size == 0) {
+        if ((size == 0) || (size < MF_KEY_LENGTH)) {
             Dbprintf("Spiffs file: %s does not exists or empty.", MF_KEYS_FILE);
             goto OUT;
         }
 
-        keyCount = size / MF_KEY_LENGTH;
+        // Compute how many keys can fit in bigbuff
-
-        if (keyCount == 0)
-            goto OUT;
-
-        // limit size of available for keys in bigbuff
         // a key is 6bytes
-        uint16_t key_mem_available = MIN(BigBuf_get_size(), keyCount * MF_KEY_LENGTH);
+        uint16_t key_mem_available = MIN(BigBuf_get_size() / MF_KEY_LENGTH, keyCount + (size / MF_KEY_LENGTH));
 
-        keyCount = key_mem_available / MF_KEY_LENGTH;
+        uint8_t *dictkeys = BigBuf_malloc(key_mem_available * MF_KEY_LENGTH);
-
+        if (dictkeys == NULL)
-        datain = BigBuf_malloc(key_mem_available);
-        if (datain == NULL)
             goto OUT;
 
-        if (SPIFFS_OK == rdv40_spiffs_read_as_filetype(MF_KEYS_FILE, datain, keyCount * MF_KEY_LENGTH, RDV40_SPIFFS_SAFETY_SAFE)) {
+        // Put user and hard-coded keys first
-            if (g_dbglevel >= DBG_ERROR) Dbprintf("Loaded %u keys from spiffs file: %s", keyCount, MF_KEYS_FILE);
+        memcpy(dictkeys, datain, keyCount * MF_KEY_LENGTH);
+
+        // Now append the SPI flash dictionnary
+        if (SPIFFS_OK == rdv40_spiffs_read_as_filetype(MF_KEYS_FILE, dictkeys + keyCount * MF_KEY_LENGTH, (key_mem_available - keyCount) * MF_KEY_LENGTH, RDV40_SPIFFS_SAFETY_SAFE)) {
+            if (g_dbglevel >= DBG_ERROR) {
+                Dbprintf("Loaded %u keys from spiffs file: %s", key_mem_available, MF_KEYS_FILE);
+            }
         } else {
             Dbprintf("Spiffs file: %s cannot be read.", MF_KEYS_FILE);
             goto OUT;
         }
+        // Replace client provided keys
+        datain = dictkeys;
     }
 #endif
 

client/src/cmdhfmf.c

@@ -2490,6 +2490,7 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
         arg_lit0(NULL, "slow",             "Slower acquisition (required by some non standard cards)"),
         arg_lit0("l",  "legacy",           "legacy mode (use the slow `hf mf chk`)"),
         arg_lit0("v",  "verbose",          "verbose output"),
+        arg_lit0(NULL, "mem", "Use dictionary from flashmemory"),
 
         arg_lit0(NULL, "ns", "No save to file"),
 
@@ -2542,26 +2543,27 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
     bool slow = arg_get_lit(ctx, 7);
     bool legacy_mfchk = arg_get_lit(ctx, 8);
     bool verbose = arg_get_lit(ctx, 9);
+    bool use_flashmemory = arg_get_lit(ctx, 10);
 
-    bool no_save = arg_get_lit(ctx, 10);
+    bool no_save = arg_get_lit(ctx, 11);
 
-    bool m0 = arg_get_lit(ctx, 11);
+    bool m0 = arg_get_lit(ctx, 12);
-    bool m1 = arg_get_lit(ctx, 12);
+    bool m1 = arg_get_lit(ctx, 13);
-    bool m2 = arg_get_lit(ctx, 13);
+    bool m2 = arg_get_lit(ctx, 14);
-    bool m4 = arg_get_lit(ctx, 14);
+    bool m4 = arg_get_lit(ctx, 15);
 
-    bool in = arg_get_lit(ctx, 15);
+    bool in = arg_get_lit(ctx, 16);
 #if defined(COMPILER_HAS_SIMD_X86)
-    bool im = arg_get_lit(ctx, 16);
+    bool im = arg_get_lit(ctx, 17);
-    bool is = arg_get_lit(ctx, 17);
+    bool is = arg_get_lit(ctx, 1);
-    bool ia = arg_get_lit(ctx, 18);
+    bool ia = arg_get_lit(ctx, 19);
-    bool i2 = arg_get_lit(ctx, 19);
+    bool i2 = arg_get_lit(ctx, 20);
 #endif
 #if defined(COMPILER_HAS_SIMD_AVX512)
-    bool i5 = arg_get_lit(ctx, 20);
+    bool i5 = arg_get_lit(ctx, 21);
 #endif
 #if defined(COMPILER_HAS_SIMD_NEON)
-    bool ie = arg_get_lit(ctx, 16);
+    bool ie = arg_get_lit(ctx, 17);
 #endif
 
     CLIParserFree(ctx);
@@ -2784,6 +2786,11 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
     // Start the timer
     uint64_t t1 = msclock();
 
+    // If we use the dictionary in flash memory, we don't want to load keys
+    // from hard drive dictionary as it could exceed BigBuf capacity
+    if (use_flashmemory) {
+        fnlen = 0;
+    }
     int ret = mf_load_keys(&keyBlock, &key_cnt, in_keys, in_keys_len, filename, fnlen, true);
     if (ret != PM3_SUCCESS) {
         free(e_sector);
@@ -2793,7 +2800,9 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
     int32_t res = PM3_SUCCESS;
 
     // Use the dictionary to find sector keys on the card
-    if (verbose) PrintAndLogEx(INFO, "======================= " _YELLOW_("START DICTIONARY ATTACK") " =======================");
+    if (verbose) {
+        PrintAndLogEx(INFO, "======================= " _YELLOW_("START DICTIONARY ATTACK") " =======================");
+    }
 
     if (legacy_mfchk) {
         PrintAndLogEx(INFO, "." NOLF);
@@ -2817,12 +2826,16 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
         }
         PrintAndLogEx(NORMAL, "");
     } else {
+        if (use_flashmemory) {
+            PrintAndLogEx(SUCCESS, "Using dictionary in flash memory");
+            res = mf_check_keys_fast(sector_cnt, true, true, 1, key_cnt, keyBlock, e_sector, use_flashmemory, verbose);
+        } else {
 
             uint32_t chunksize = key_cnt > (PM3_CMD_DATA_SIZE / MIFARE_KEY_SIZE) ? (PM3_CMD_DATA_SIZE / MIFARE_KEY_SIZE) : key_cnt;
             bool firstChunk = true, lastChunk = false;
 
             for (uint8_t strategy = 1; strategy < 3; strategy++) {
-            PrintAndLogEx(INFO, "running strategy %u", strategy);
+                PrintAndLogEx(INFO, "Running strategy %u", strategy);
                 // main keychunk loop
                 for (uint32_t i = 0; i < key_cnt; i += chunksize) {
 
@@ -2853,6 +2866,7 @@ static int CmdHF14AMfAutoPWN(const char *Cmd) {
                 lastChunk = false;
             } // end strategy
         }
+    }
 
     // Analyse the dictionary attack
     uint8_t num_found_keys = 0;