From a6a48f0e6d294ba7432076a93efa03c274489000 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Mon, 23 Dec 2019 15:23:04 +0100
Subject: [PATCH] Chg 'hf 14a info' - static/fixed nonce detection
---
 armsrc/appmain.c | 4 +++
 armsrc/mifarecmd.c | 51 ++++++++++++++++++++++++++++++++++++++
 armsrc/mifarecmd.h | 1 +
 client/mifare/mifarehost.c | 28 +++++++++++++++++++++
 client/mifare/mifarehost.h | 1 +
 include/pm3_cmd.h | 1 +
 6 files changed, 86 insertions(+)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index ef4dc6a6c..62feed4d0 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1251,6 +1251,10 @@ static void PacketReceived(PacketCommandNG *packet) {
 MifareU_Otp_Tearoff();
 break;
 }
+ case CMD_HF_MIFARE_STATIC_NONCE: {
+ MifareHasStaticNonce();
+ break;
+ }
 #endif
 #ifdef WITH_NFCBARCODE
diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index ea7e8482a..d0dd27be8 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -2057,6 +2057,57 @@ OUT:
 BigBuf_Clear_ext(false);
 }
+void MifareHasStaticNonce() {
+
+ // variables
+ int retval = PM3_SUCCESS, len;
+
+ uint32_t nt = 0 ;
+ uint8_t rec[1] = {0x00};
+ uint8_t recpar[1] = {0x00};
+ uint8_t *uid = BigBuf_malloc(10);
+ uint8_t data[1] = {0x00};
+
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+ iso14a_card_select_t card_info;
+
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+
+ for (int i = 0; i < 3; i++) {
+ if (!iso14443a_select_card(uid, &card_info, NULL, true, 0, true)) {
+ retval = PM3_ESOFT;
+ goto OUT;
+ }
+
+ // Transmit MIFARE_CLASSIC_AUTH
+ len = mifare_sendcmd_short(pcs, false, 0x60, 0, rec, recpar, NULL);
+ if (len != 4) {
+ retval = PM3_ESOFT;
+ goto OUT;
+ }
+
+ // Save the tag nonce (nt)
+ if (nt == bytes_to_num(rec, 4)) {
+ data[0]++;
+ }
+
+ nt = bytes_to_num(rec, 4);
+
+ CHK_TIMEOUT();
+ }
+
+OUT:
+ reply_ng(CMD_HF_MIFARE_STATIC_NONCE, retval, data, sizeof(data));
+ // turns off
+ OnSuccessMagic();
+ BigBuf_free();
+ BigBuf_Clear_ext(false);
+
+ crypto1_deinit(pcs);
+}
+
 void OnSuccessMagic() {
 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 LEDsoff();
diff --git a/armsrc/mifarecmd.h b/armsrc/mifarecmd.h
index 6b730fb58..2cb22d28b 100644
--- a/armsrc/mifarecmd.h
+++ b/armsrc/mifarecmd.h
@@ -39,6 +39,7 @@ int MifareECardLoadExt(uint8_t numSectors, uint8_t keyType);
 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain); // Work with "magic Chinese" card
 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain);
 void MifareCIdent(); // is "magic chinese" card?
+void MifareHasStaticNonce(); // Has the tag a static nonce?
 void MifareSetMod(uint8_t *datain);
 void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
diff --git a/client/mifare/mifarehost.c b/client/mifare/mifarehost.c
index 2aa56507c..8017af076 100644
--- a/client/mifare/mifarehost.c
+++ b/client/mifare/mifarehost.c
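Review bot: In MifareHasStaticNonce, `rec` is declared as `uint8_t rec[1]` but the loop insists on a 4-byte answer (`len != 4`) and then reads `bytes_to_num(rec, 4)`, so at least three bytes beyond the array are read; mifare_sendcmd_short presumably also writes the tag's whole answer into that buffer, which would make this a stack overwrite sized by whatever the card sends. Both receive buffers should be sized for a full frame, e.g. `uint8_t rec[MAX_MIFARE_FRAME_SIZE] = {0x00};` and `uint8_t recpar[MAX_MIFARE_PARITY_SIZE] = {0x00};` if those are the constants the other commands in this file use, and at the very least `rec[4]`. Separately, the first pass compares against the initial `nt = 0`, so a first nonce of zero is counted as a repeat; `if (i > 0 && nt == bytes_to_num(rec, 4))` avoids that. The result of `BigBuf_malloc(10)` is also passed to iso14443a_select_card without a NULL check.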
@@ -1132,6 +1132,34 @@ int detect_classic_nackbug(bool verbose) {
 }
 return PM3_SUCCESS;
 }
+
+/* Detect Mifare Classic Static / Fixed nonce
+detects special magic cards that has a static / fixed nonce
+returns:
+0 = has normal nonce
+1 = has static/fixed nonce
+2 = cmd failed
+*/
+int detect_classic_static_nonce(void) {
+
+ clearCommandBuffer();
+ SendCommandNG(CMD_HF_MIFARE_STATIC_NONCE, NULL, 0);
+ PacketResponseNG resp;
+
+ if (WaitForResponseTimeout(CMD_HF_MIFARE_STATIC_NONCE, &resp, 500)) {
+
+ if (resp.status == PM3_ESOFT)
+ return 2;
+
+ if (resp.data.asBytes[0] == 0)
+ return 0;
+
+ if (resp.data.asBytes[0] != 0)
+ return 1;
+ }
+ return 2;
+}
+
 /* try to see if card responses to "chinese magic backdoor" commands. */
 void detect_classic_magic(void) {
diff --git a/client/mifare/mifarehost.h b/client/mifare/mifarehost.h
index 50ed9d8e2..d81595942 100644
--- a/client/mifare/mifarehost.h
+++ b/client/mifare/mifarehost.h
@@ -90,5 +90,6 @@ int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data,
 int detect_classic_prng(void);
 int detect_classic_nackbug(bool verbose);
 void detect_classic_magic(void);
+int detect_classic_static_nonce(void);
 void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *data, int len, bool isEncrypted);
 #endif
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index e775b3413..64a0c5fd1 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@@ -507,6 +507,7 @@ typedef struct {
 #define CMD_HF_DESFIRE_COMMAND 0x072e
 #define CMD_HF_MIFARE_NACK_DETECT 0x0730
+#define CMD_HF_MIFARE_STATIC_NONCE 0x0731
 // MFU OTP TearOff
 #define CMD_HF_MFU_OTP_TEAROFF 0x0740
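Review bot: In detect_classic_static_nonce only `resp.status == PM3_ESOFT` is treated as a failure, so any other non-success status falls through and `resp.data.asBytes[0]` is interpreted as a valid result. Checking `if (resp.status != PM3_SUCCESS) return 2;`, and confirming the reply actually carries a byte (presumably via `resp.length`), would keep an error reply from being reported as "has normal nonce". The third test is redundant after the `== 0` branch and can be a plain `return 1;`. The 0/1/2 return codes exist only in the comment; named constants would make callers harder to get wrong.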