From d6d96eb7fecf1378cdfe2c2f8bd875eded7ac466 Mon Sep 17 00:00:00 2001
From: bogiton <34060135+bogiton@users.noreply.github.com>
Date: Tue, 6 Nov 2018 13:36:00 +0000
Subject: [PATCH] Fixed offset bug (thanks iceman)

---
 armsrc/Standalone/hf_bog.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c
index 761e67b1a..01232a6a0 100644
--- a/armsrc/Standalone/hf_bog.c
+++ b/armsrc/Standalone/hf_bog.c
@@ -15,7 +15,8 @@ The retrieved sniffing session can be acquired by connecting the device to a client that supports the reconnect capability and issue 'hf 14a list'. In order to view the grabbed authentication attempts in the flash mem,
-you can simply 'mem read l 256' from the client to view the stored quadlets.
+you can simply run 'script run read_pwd_mem' or just 'mem read l 256'
+from the client to view the stored quadlets.
 */
 
 #include "hf_bog.h"
@@ -31,7 +32,7 @@ uint8_t FindOffsetInFlash() {
 	uint8_t eom[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
 	uint8_t memcnt = 0;
 
-	while (memcnt < 4096)
+	while (memcnt < 0xFF)
 	{
 		Flash_ReadData(memcnt, mem, 4);
 		if (memcmp(mem, eom, 4) == 0) {
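Review bot: The new bound `memcnt < 0xFF` still cannot terminate when no 0xFFFFFFFF quadlet is found: `memcnt` is declared `uint8_t` two lines above, so if the loop body (outside the hunk) advances it by 4 per 4-byte read as the `Flash_ReadData(memcnt, mem, 4)` call suggests, it wraps from 252 to 0 and the condition holds again, looping forever on a fully used 256-byte region. Widen the counter and bound it by the region size, e.g. `uint16_t memcnt = 0;` and `while (memcnt + 4 <= 0x100)`, which keeps every value the loop can return at most 252 and within the function's `uint8_t` return type. If a captured quadlet can itself be 0xFFFFFFFF it is indistinguishable from the erased-flash end marker and the scan stops early, which deserves a comment on `eom` such as `// 0xFFFFFFFF doubles as the erased-flash end marker; a stored quadlet of that value truncates the scan`. The rest of FindOffsetInFlash, including the increment and the fallback return, is outside the hunk.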
@@ -240,10 +241,20 @@ void RAMFUNC SniffAndStore(uint8_t param) {
 	uint8_t memoffset = FindOffsetInFlash();
 	if (MF_DBGLEVEL > 1) Dbprintf("[!] Memory offset = %u", memoffset);
 
+	if ((memoffset + 4 * auth_attempts) > 0xFF)
+	{
+		// We opt to keep the new data only
+		memoffset = 0;
+		if (MF_DBGLEVEL > 1) Dbprintf("[!] Size of total data > 256 bytes. Discarding the old data.");
+	}
+
 	// Get previous data from flash mem
 	uint8_t *previousdata = BigBuf_malloc(memoffset);
-	uint16_t readlen = Flash_ReadData(0, previousdata, memoffset);
-	if (MF_DBGLEVEL > 1) Dbprintf("[!] Read %u bytes from flash mem", readlen);
+	if (memoffset > 0)
+	{
+		uint16_t readlen = Flash_ReadData(0, previousdata, memoffset);
+		if (MF_DBGLEVEL > 1) Dbprintf("[!] Read %u bytes from flash mem", readlen);
+	}
 
 	// create new bigbuf to hold all data
 	size_t total_size = memoffset + 4 * auth_attempts;
@@ -276,7 +287,7 @@ void RunMod() {
 
 	Dbprintf("Sniffing started");
 
-	SpinDelay(200);
+	SpinDelay(200); 
 
 	// param:
 	// bit 0 - trigger from first card answer
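Review bot: A short read is still unhandled in the new `if (memoffset > 0)` block: `readlen` is only logged, so if `Flash_ReadData` returns fewer than `memoffset` bytes the tail of `previousdata` is whatever `BigBuf_malloc` handed back, yet the full `memoffset` is still counted into `total_size` on the last context line. Assuming `Flash_ReadData` returns the byte count as the log line implies, add `if (readlen != memoffset) memoffset = 0;` after the read so a failed or partial read takes the keep-new-data-only path the commit just introduced. The new guard also only resets `memoffset`; when `4 * auth_attempts` alone exceeds 0xFF, `total_size` still exceeds the 256-byte window that FindOffsetInFlash scans, and what the later write does with that is outside this hunk. The `> 0xFF` threshold additionally rejects a total of exactly 256 bytes although the message says `> 256 bytes`. SniffAndStore starts and ends outside the hunk.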