trace list -t mf - now gives needed data for mf_nonce_brute to recover the nested authentication key

iceman1001 2021-03-12 13:54:41 +01:00
commit ae0f98e8b2
2 changed files with 39 additions and 3 deletions


@ -1290,9 +1290,10 @@ void annotateMifare(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, uint8
MifareAuthState = masNrAr; MifareAuthState = masNrAr;
if (AuthData.first_auth) { if (AuthData.first_auth) {
AuthData.nt = bytes_to_num(cmd, 4); AuthData.nt = bytes_to_num(cmd, 4);
AuthData.nt_enc_par = 0;
} else { } else {
AuthData.nt_enc = bytes_to_num(cmd, 4); AuthData.nt_enc = bytes_to_num(cmd, 4);
AuthData.nt_enc_par = parity[0]; AuthData.nt_enc_par = parity[0] & 0xF0;
} }
return; return;
} else { } else {
@ -1304,6 +1305,7 @@ void annotateMifare(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, uint8
snprintf(exp, size, "AUTH: nr ar (enc)"); snprintf(exp, size, "AUTH: nr ar (enc)");
MifareAuthState = masAt; MifareAuthState = masAt;
AuthData.nr_enc = bytes_to_num(cmd, 4); AuthData.nr_enc = bytes_to_num(cmd, 4);
AuthData.nr_enc_par = parity[0] & 0xF0;
AuthData.ar_enc = bytes_to_num(&cmd[4], 4); AuthData.ar_enc = bytes_to_num(&cmd[4], 4);
AuthData.ar_enc_par = parity[0] << 4; AuthData.ar_enc_par = parity[0] << 4;
return; return;
@ -1316,7 +1318,7 @@ void annotateMifare(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, uint8
snprintf(exp, size, "AUTH: at (enc)"); snprintf(exp, size, "AUTH: at (enc)");
MifareAuthState = masAuthComplete; MifareAuthState = masAuthComplete;
AuthData.at_enc = bytes_to_num(cmd, 4); AuthData.at_enc = bytes_to_num(cmd, 4);
AuthData.at_enc_par = parity[0]; AuthData.at_enc_par = parity[0] & 0xF0;
return; return;
} else { } else {
MifareAuthState = masError; MifareAuthState = masError;
@ -1335,6 +1337,17 @@ void annotateMifare(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, uint8
} }
static void mf_get_paritybinstr(char *s, uint32_t val, uint8_t par) {
uint8_t foo[4] = {0,0,0,0};
num_to_bytes(val, sizeof(uint32_t), foo);
for (uint8_t i = 0; i < 4; i++) {
if (oddparity8(foo[i]) != ((par >> (7 - (i & 0x0007))) & 0x01))
sprintf(s++, "1");
else
sprintf(s++, "0");
}
}
bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen, const uint64_t *dicKeys, uint32_t dicKeysCount) { bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen, const uint64_t *dicKeys, uint32_t dicKeysCount) {
static struct Crypto1State *traceCrypto1; static struct Crypto1State *traceCrypto1;
@ -1428,7 +1441,29 @@ bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isRes
//hardnested //hardnested
if (!traceCrypto1) { if (!traceCrypto1) {
PrintAndLogEx(NORMAL, "hardnested not implemented. uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc);
//PrintAndLogEx(NORMAL, "hardnested not implemented. uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc);
char snt[5] = {0,0,0,0,0};
mf_get_paritybinstr(snt, AuthData.nt_enc, AuthData.nt_enc_par);
char sar[5] = {0,0,0,0,0};
mf_get_paritybinstr(sar, AuthData.ar_enc, AuthData.ar_enc_par);
char sat[5] = {0,0,0,0,0};
mf_get_paritybinstr(sat, AuthData.at_enc, AuthData.at_enc_par);
PrintAndLogEx(NORMAL, "Nested authentication detected. ");
PrintAndLogEx(NORMAL, "tools/mf_nonce_brute/mf_nonce_brute %x %x %s %x %x %s %x %s %s\n"
, AuthData.uid
, AuthData.nt_enc
, snt
, AuthData.nr_enc
, AuthData.ar_enc
, sar
, AuthData.at_enc
, sat
, sprint_hex_inrow(cmd, cmdsize)
);
MifareAuthState = masError; MifareAuthState = masError;
/* TOO SLOW( needs to have more strong filter. with this filter - aprox 4 mln tests /* TOO SLOW( needs to have more strong filter. with this filter - aprox 4 mln tests
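Review bot: `mf_get_paritybinstr` writes through a bare `char *` with `sprintf(s++, ...)`, so each iteration stores two bytes (the digit and a NUL), and it stays in bounds only because all three callers in `DecodeMifareData` pass a `char[5]`. Nothing in the signature or a comment states that requirement. I would assign the characters directly and terminate once: `s[i] = (oddparity8(foo[i]) != ((par >> (7 - i)) & 0x01)) ? '1' : '0';` inside the loop and `s[4] = '\0';` after it. A header comment would also help, for example `// s must hold at least 5 bytes; '1' marks a byte whose captured parity bit differs from oddparity8() of the encrypted byte`. The `(i & 0x0007)` mask has no effect for i in 0..3 and can be dropped.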


@ -18,6 +18,7 @@ typedef struct {
uint32_t nt_enc; // encrypted tag challenge uint32_t nt_enc; // encrypted tag challenge
uint8_t nt_enc_par; // encrypted tag challenge parity uint8_t nt_enc_par; // encrypted tag challenge parity
uint32_t nr_enc; // encrypted reader challenge uint32_t nr_enc; // encrypted reader challenge
uint8_t nr_enc_par; // encrypted reader challenge parity
uint32_t ar_enc; // encrypted reader response uint32_t ar_enc; // encrypted reader response
uint8_t ar_enc_par; // encrypted reader response parity uint8_t ar_enc_par; // encrypted reader response parity
uint32_t at_enc; // encrypted tag response uint32_t at_enc; // encrypted tag response
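Review bot: The parity fields in this struct do not say which bits carry data, and the new `nr_enc_par` follows the same pattern. In the other file of this commit the values are stored in the upper nibble (`parity[0] & 0xF0`, `parity[0] << 4`) and `mf_get_paritybinstr` reads bits 7 down to 4, so the comment could read `// encrypted reader challenge parity (upper nibble, bit 7 = first byte)`. `nr_enc_par` is assigned but not read in any hunk shown here; if nothing else consumes it, a short remark on its intended use would help. The struct definition starts and ends outside the hunk.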