hf mfu otptear - textual

iceman1001 2020-10-11 09:51:56 +02:00
commit ec679385b9
2 changed files with 43 additions and 23 deletions


@ -2704,7 +2704,7 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
memcpy(data_testwrite, datain + 4, 4); memcpy(data_testwrite, datain + 4, 4);
// optional authentication before? // optional authentication before?
if (DBGLEVEL >= DBG_ERROR) DbpString("Preparing OTP tear-off"); if (DBGLEVEL >= DBG_DEBUG) DbpString("Preparing OTP tear-off");
LEDsoff(); LEDsoff();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -2720,7 +2720,7 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
MifareUWriteBlock(blockNo, 0, data_fullwrite); MifareUWriteBlock(blockNo, 0, data_fullwrite);
AddCrc14A(cmd, sizeof(cmd) - 2); AddCrc14A(cmd, sizeof(cmd) - 2);
if (DBGLEVEL >= DBG_ERROR) DbpString("Transmitting");
// anticollision / select card // anticollision / select card
if (!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) { if (!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card"); if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card");
@ -2733,10 +2733,9 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
// Wait before cutting power. aka tear-off // Wait before cutting power. aka tear-off
LED_D_ON(); LED_D_ON();
WaitUS(tearOffTime); WaitUS(tearOffTime);
if (DBGLEVEL >= DBG_ERROR) Dbprintf(_YELLOW_("OTP tear-off triggered!"));
switch_off(); switch_off();
reply_ng(CMD_HF_MFU_OTP_TEAROFF, PM3_SUCCESS, NULL, 0); reply_ng(CMD_HF_MFU_OTP_TEAROFF, PM3_SUCCESS, NULL, 0);
StopTicks(); StopTicks();
if (DBGLEVEL >= DBG_ERROR) DbpString("Done");
} }
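Review bot: MifareU_Otp_Tearoff copies from `datain + 4` in the first hunk, but its signature carries no length, so the 8-byte payload layout is an unstated contract between client and firmware. A comment above the memcpy would make that reviewable, for example `// datain: 8 bytes from the client; [4..7] = test-write data ([0..3] presumably the full-write data)`. The client side of this commit sends `teardata` with length 8, which matches, but nothing visible in these hunks checks it. Separately, the select-card failure branch in the second hunk continues outside the hunk; if it returns without a `reply_ng`, the client will wait out its now shorter timeout and print only "Failed", so it is worth confirming that path sends an error status. The function body starts before the first hunk, so earlier validation may exist that is not shown here.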


@ -2883,52 +2883,73 @@ static int CmdHF14AMfuOtpTearoff(const char *Cmd) {
if (errors) return usage_hf_mfu_otp_tearoff(); if (errors) return usage_hf_mfu_otp_tearoff();
PrintAndLogEx(INFO, "Starting TearOff test - Selected Block no: %u", blockNoUint); PrintAndLogEx(INFO, "Starting Tear-off test");
PrintAndLogEx(INFO, "Target block no: %u", blockNoUint);
uint8_t isOK;
bool got_pre = false, got_post = false;
uint8_t pre[4] = {0};
uint8_t post[4] = {0};
uint32_t actualTime = startTime; uint32_t actualTime = startTime;
while (actualTime <= (timeLimit - interval)) { while (actualTime <= (timeLimit - interval)) {
PrintAndLogEx(INFO, "Using tear-off at: %" PRIu32 " us", actualTime); PrintAndLogEx(INFO, "Using tear-off delay " _GREEN_("%" PRIu32) " us", actualTime);
PrintAndLogEx(INFO, "Reading block BEFORE attack");
clearCommandBuffer(); clearCommandBuffer();
SendCommandMIX(CMD_HF_MIFAREU_READBL, blockNoUint, 0, 0, NULL, 0); SendCommandMIX(CMD_HF_MIFAREU_READBL, blockNoUint, 0, 0, NULL, 0);
PacketResponseNG resp; PacketResponseNG resp;
got_pre = false;
if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
uint8_t isOK = resp.oldarg[0] & 0xff; isOK = resp.oldarg[0] & 0xFF;
if (isOK) { if (isOK) {
uint8_t *d = resp.data.asBytes; memcpy(pre, resp.data.asBytes, sizeof(pre));
PrintAndLogEx(NORMAL, "\nBlock# | Data | Ascii"); got_pre = true;
PrintAndLogEx(NORMAL, "-----------------------------");
PrintAndLogEx(NORMAL, "%02d/0x%02X | %s| %s\n", blockNoUint, blockNoUint, sprint_hex(d, 4), sprint_ascii(d, 4));
} }
} }
PrintAndLogEx(INFO, ".....");
clearCommandBuffer(); clearCommandBuffer();
SendCommandMIX(CMD_HF_MFU_OTP_TEAROFF, blockNoUint, actualTime, 0, teardata, 8); SendCommandMIX(CMD_HF_MFU_OTP_TEAROFF, blockNoUint, actualTime, 0, teardata, 8);
if (!WaitForResponseTimeout(CMD_HF_MFU_OTP_TEAROFF, &resp, 4000)) { if (!WaitForResponseTimeout(CMD_HF_MFU_OTP_TEAROFF, &resp, 2000)) {
PrintAndLogEx(WARNING, "Failed"); PrintAndLogEx(WARNING, "Failed");
return PM3_ESOFT; return PM3_ESOFT;
} }
PrintAndLogEx(INFO, "Reading block AFTER attack"); got_post = false;
clearCommandBuffer(); clearCommandBuffer();
SendCommandMIX(CMD_HF_MIFAREU_READBL, blockNoUint, 0, 0, NULL, 0); SendCommandMIX(CMD_HF_MIFAREU_READBL, blockNoUint, 0, 0, NULL, 0);
if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
uint8_t isOK = resp.oldarg[0] & 0xff; isOK = resp.oldarg[0] & 0xFF;
if (isOK) { if (isOK) {
uint8_t *d = resp.data.asBytes; memcpy(post, resp.data.asBytes, sizeof(post));
PrintAndLogEx(NORMAL, "\nBlock# | Data | Ascii"); got_post = true;
PrintAndLogEx(NORMAL, "-----------------------------");
PrintAndLogEx(NORMAL, "%02d/0x%02X | %s| %s\n", blockNoUint, blockNoUint, sprint_hex(d, 4), sprint_ascii(d, 4));
} }
} }
if (got_pre && got_post) {
char post_res[30] = {0};
if (memcmp(pre, post, sizeof(pre)) == 0)
snprintf(post_res, sizeof(post_res) - 1, "%s", sprint_hex_inrow(post, sizeof(post)));
else
snprintf(post_res, sizeof(post_res) - 1, _CYAN_("%s"), sprint_hex_inrow(post, sizeof(post)));
PrintAndLogEx(INFO, "Result %02d/0x%02X | %s vs %s"
, blockNoUint
, blockNoUint
, sprint_hex_inrow(pre, sizeof(pre))
, post_res
);
} else {
if (got_pre == false)
PrintAndLogEx(FAILED, "Failed to read block BEFORE");
if (got_post == false)
PrintAndLogEx(FAILED, "Failed to read block AFTER");
}
/* TEMPORALLY DISABLED /* TEMPORALLY DISABLED
uint8_t d0, d1, d2, d3; uint8_t d0, d1, d2, d3;
d0 = *resp.data.asBytes; d0 = *resp.data.asBytes;