diff --git a/armsrc/Makefile b/armsrc/Makefile
index a2092ac0b..b69e724e0 100644
--- a/armsrc/Makefile
+++ b/armsrc/Makefile
@@ -23,9 +23,9 @@ APP_CFLAGS = -DWITH_CRC \
 -DWITH_FELICA \
 -DWITH_FLASH \
 -DWITH_SMARTCARD \
+ -DWITH_FPC \
 -DWITH_HFSNOOP \
 -DWITH_LF_SAMYRUN \
- -DWITH_FPC \
 -fno-strict-aliasing -ffunction-sections -fdata-sections
 ### IMPORTANT - move the commented variable below this line
@@ -39,7 +39,7 @@ APP_CFLAGS = -DWITH_CRC \
 # -DWITH_LF_PROXBRUTE
 # -DWITH_LF_HIDBRUTE
 # -DWITH_HF_YOUNG
-# -DWITH_HF_MATTYRUN
+# -DWITH_HF_MATTYRUN -
 # -DWITH_HF_COLIN
 # -DWITH_HF_BOG
diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c
index 1cf9a7c51..9079d5df3 100644
--- a/armsrc/Standalone/hf_bog.c
+++ b/armsrc/Standalone/hf_bog.c
@@ -280,16 +280,11 @@ void RAMFUNC SniffAndStore(uint8_t param) {
 void RunMod() {
+ StandAloneMode();
+ Dbprintf(">> Bogiton 14a Sniff UL/UL-EV1/NTAG a.k.a BogitoRun Started <<");
 Dbprintf("Starting to sniff");
- SpinDown(50);
- SpinOff(50);
- SpinUp(50);
- SpinOff(50);
- SpinDown(50);
- SpinDelay(500);
-
 // param:
 // bit 0 - trigger from first card answer
 // bit 1 - trigger from first reader 7-bit request
@@ -297,4 +292,5 @@ void RunMod() {
 LEDsoff();
 SpinDelay(300);
 Dbprintf("- [ End ] -> You can take shell back ...");
+ Dbprintf("- [ ! ] -> use 'script run read_pwd_mem' to print passwords");
 }
diff --git a/armsrc/Standalone/hf_colin.c b/armsrc/Standalone/hf_colin.c
index 31519080a..2eabd68d9 100644
--- a/armsrc/Standalone/hf_colin.c
+++ b/armsrc/Standalone/hf_colin.c
@@ -210,12 +210,14 @@ void WriteTagToFlash(uint8_t index, size_t size)
 void RunMod() {
+ StandAloneMode();
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+
 currline = 20;
 curlline = 20;
 currfline = 24;
 memset(cjuid, 0, sizeof(cjuid));
 cjcuid = 0;
- FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 uint8_t sectorsCnt = (MF1KSZ / MF1KSZSIZE);
 uint64_t key64; // Defines current key
 uint8_t *keyBlock = NULL; // Where the keys will be held in memory.
@@ -348,12 +350,6 @@ ACCBITS : 796788[00]+VALUE
 currfline = 24;
 cjSetCursLeft();
- SpinDown(50);
- SpinOff(50);
- SpinUp(50);
- SpinOff(50);
- SpinDown(50);
-
 failtag:
 vtsend_cursor_position_save(NULL);
diff --git a/armsrc/Standalone/hf_mattyrun.c b/armsrc/Standalone/hf_mattyrun.c
index e83d13a1d..78f197383 100644
--- a/armsrc/Standalone/hf_mattyrun.c
+++ b/armsrc/Standalone/hf_mattyrun.c
@@ -35,8 +35,189 @@ on a blank card.
 #include "hf_mattyrun.h"
+uint8_t uid[10];
+uint32_t cuid;
+
+//-----------------------------------------------------------------------------
+// Matt's StandAlone mod.
+// Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
+//-----------------------------------------------------------------------------
+static int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
+{
+ // params
+ uint8_t needWipe = arg0;
+ // bit 0 - need get UID
+ // bit 1 - need wupC
+ // bit 2 - need HALT after sequence
+ // bit 3 - need init FPGA and field before sequence
+ // bit 4 - need reset FPGA and LED
+ uint8_t workFlags = arg1;
+ uint8_t blockNo = arg2;
+
+ // card commands
+ uint8_t wupC1[] = {0x40};
+ uint8_t wupC2[] = {0x43};
+ uint8_t wipeC[] = {0x41};
+
+ // variables
+ byte_t isOK = 0;
+ uint8_t d_block[18] = {0x00};
+
+ uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
+ uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
+
+ // reset FPGA and LED
+ if (workFlags & 0x08)
+ {
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+ set_tracing(false);
+ }
+
+ while (true)
+ {
+ // get UID from chip
+ if (workFlags & 0x01)
+ {
+ if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true))
+ {
+ DbprintfEx(FLAG_NOLOG, "Can't select card");
+ break;
+ };
+
+ if (mifare_classic_halt(NULL, cuid))
+ {
+ DbprintfEx(FLAG_NOLOG, "Halt error");
+ break;
+ };
+ };
+
+ // reset chip
+ if (needWipe)
+ {
+ ReaderTransmitBitsPar(wupC1, 7, 0, NULL);
+ if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a))
+ {
+ DbprintfEx(FLAG_NOLOG, "wupC1 error");
+ break;
+ };
+
+ ReaderTransmit(wipeC, sizeof(wipeC), NULL);
+ if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a))
+ {
+ DbprintfEx(FLAG_NOLOG, "wipeC error");
+ break;
+ };
+
+ if (mifare_classic_halt(NULL, cuid))
+ {
+ DbprintfEx(FLAG_NOLOG, "Halt error");
+ break;
+ };
+ };
+
+ // chaud
+ // write block
+ if (workFlags & 0x02)
+ {
+ ReaderTransmitBitsPar(wupC1, 7, 0, NULL);
+ if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a))
+ {
+ DbprintfEx(FLAG_NOLOG, "wupC1 error");
+ break;
+ };
+
+ ReaderTransmit(wupC2, sizeof(wupC2), NULL);
+ if (!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a))
+ {
+ DbprintfEx(FLAG_NOLOG, "wupC2 errorv");
+ break;
+ };
+ }
+
+ if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a))
+ {
+ DbprintfEx(FLAG_NOLOG, "write block send command error");
+ break;
+ };
+
+ memcpy(d_block, datain, 16);
+ AddCrc14A(d_block, 16);
+ ReaderTransmit(d_block, sizeof(d_block), NULL);
+ if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a))
+ {
+ DbprintfEx(FLAG_NOLOG, "write block send data error");
+ break;
+ };
+
+ if (workFlags & 0x04)
+ {
+ if (mifare_classic_halt(NULL, cuid))
+ {
+ DbprintfEx(FLAG_NOLOG, "Halt error");
+ break;
+ };
+ }
+
+ isOK = 1;
+ break;
+ }
+
+ if ((workFlags & 0x10) || (!isOK))
+ {
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ }
+
+ return isOK;
+}
+
+/* the chk function is a piwi’ed(tm) check that will try all keys for
+a particular sector. also no tracing no dbg */
+static int saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace, uint8_t keyCount, uint8_t *datain, uint64_t *key)
+{
+ MF_DBGLEVEL = MF_DBG_NONE;
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+ set_tracing(false);
+
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ for (int i = 0; i < keyCount; ++i)
+ {
+
+ /* no need for anticollision. just verify tag is still here */
+ // if (!iso14443a_fast_select_card(cjuid, 0)) {
+ if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true))
+ {
+ DbprintfEx(FLAG_NOLOG, "FATAL : E_MF_LOSTTAG");
+ return -1;
+ }
+
+ uint64_t ui64Key = bytes_to_num(datain + i * 6, 6);
+ if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST))
+ {
+ uint8_t dummy_answer = 0;
+ ReaderTransmit(&dummy_answer, 1, NULL);
+ // wait for the card to become ready again
+ SpinDelayUs(AUTHENTICATION_TIMEOUT);
+ continue;
+ }
+ crypto1_destroy(pcs);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ *key = ui64Key;
+ return i;
+ }
+ crypto1_destroy(pcs);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+
+ return -1;
+}
+
+
 void RunMod() {
 StandAloneMode();
+ Dbprintf(">> Matty mifare chk/dump/sim a.k.a MattyRun Started <<");
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 /* It will check if the keys from the attacked tag are a subset from
@@ -51,15 +232,13 @@ void RunMod() {
 If you're using the proxmark connected to a device that has an OS, and you're not using the proxmark3 client to see the debug messages, you MUST uncomment usb_disable(). */
-
- FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
- // usb_disable(); // Comment this line if you want to see debug messages.
-
+
+ // Comment this line below if you want to see debug messages.
+ // usb_disable();
 /* Pseudo-configuration block. */
- char keyTypec = '?'; // 'A'/'B' or both keys '?'
 bool printKeys = false; // Prints keys
 bool transferToEml = true; // Transfer keys to emulator memory
 bool ecfill = true; // Fill emulator memory with cards content.
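Review bot: `saMifareChkKeys` takes a `clearTrace` parameter that its body never reads — tracing is switched off unconditionally with `set_tracing(false)` and the trace buffer is never cleared, so the flag is dead and a caller passing `true` gets nothing. Either drop the parameter or honor it, e.g. `if (clearTrace) clear_trace();` right after the `set_tracing(false)` call, which appears to be what the firmware's regular key-check does (confirm the helper name in BigBuf.h). In `saMifareCSetBlock` the error string `"wupC2 errorv"` has a stray trailing `v`, and the function returns `isOK`, declared `byte_t`, from an `int`-typed function — harmless, but `int isOK = 0;` would match the prototype. The file-scope `uid` and `cuid` definitions at the top of the hunk are not `static`, so they are exported from this translation unit and can collide at link time with any other armsrc object that defines the same common names; `static uint8_t uid[10]; static uint32_t cuid;` keeps them private unless another file genuinely needs them.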
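Review bot: The new comment `// Comment this line below if you want to see debug messages.` sits above a line that is already commented out, so the instruction is inverted relative to the prose a few lines up, which says you MUST uncomment `usb_disable()` when running without the client. Suggest `// Uncomment usb_disable() below to silence USB debug output; leave it commented out to keep seeing debug messages.` so the two comments agree. `RunMod` starts and ends outside this hunk.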
@@ -71,7 +250,7 @@ void RunMod() {
 uint8_t sectorSize = 64; // 1k's sector size is 64 bytes.
 uint8_t blockNo = 3; // Security block is number 3 for each sector.
 uint8_t sectorsCnt = (mifare_size/sectorSize);
- uint8_t keyType; // Keytype buffer
+ uint8_t keyType = 2; // Keytype buffer
 uint64_t key64; // Defines current key
 uint8_t *keyBlock = NULL; // Where the keys will be held in memory.
 uint8_t stKeyBlock = 20; // Set the quantity of keys in the block.
@@ -108,24 +287,6 @@ void RunMod() {
 num_to_bytes(mfKeys[mfKeyCounter], 6, (uint8_t*)(keyBlock + mfKeyCounter * 6));
 }
- /*
- Simple switch just to handle keytpes.
- */
- switch (keyTypec) {
- case 'a': case 'A':
- keyType = !0;
- break;
- case 'b': case 'B':
- keyType = !1;
- break;
- case '?':
- keyType = 2;
- break;
- default:
- Dbprintf("[!] Key type must be A , B or ?");
- keyType = 2;
- }
-
 /*
 Pretty print of the keys to be checked.
 */
@@ -191,16 +352,14 @@ void RunMod() {
 }
 /*
- TODO: This.
-
- - If at least one key was found, start a nested attack based on that key, and continue.
-
+ TODO: - Get UID from tag and set accordingly in emulator memory and call mifare1ksim with right flags (iceman)
 */
 if (!allKeysFound && keyFound) {
 Dbprintf("\t✕ There's currently no nested attack in MattyRun, sorry!");
 LED_C_ON(); //red
 LED_A_ON(); //yellow
+ // no room to run nested attack on device (iceman)
 // Do nested attack, set allKeysFound = true;
 // allKeysFound = true;
 } else {
@@ -250,7 +409,7 @@ void RunMod() {
 LED_B_ON(); // green
 // assuming arg0==0, use hardcoded uid 0xdeadbeaf
- Mifare1ksim( 0, 0, 0, NULL);
+ Mifare1ksim( FLAG_4B_UID_IN_DATA | FLAG_UID_IN_EMUL, 0, 0, uid);
 LED_B_OFF();
 /*
diff --git a/armsrc/Standalone/hf_mattyrun.h b/armsrc/Standalone/hf_mattyrun.h
index 508954998..9bf2166ab 100644
--- a/armsrc/Standalone/hf_mattyrun.h
+++ b/armsrc/Standalone/hf_mattyrun.h
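Review bot: `uint8_t keyType = 2; // Keytype buffer` now hard-codes a magic value whose meaning was only explained by the `keyTypec` switch that the following hunk deletes (that switch mapped 'A' to `!0`, 'B' to `!1` and '?' to 2). Spell it out at the declaration, e.g. `uint8_t keyType = 2; // 1 = key A only, 0 = key B only, 2 = try both A and B`, so the next reader does not have to dig through history to know what 2 selects. `RunMod` starts and ends outside this hunk.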
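Review bot: The comment `// assuming arg0==0, use hardcoded uid 0xdeadbeaf` above the `Mifare1ksim` call is now wrong: arg0 is `FLAG_4B_UID_IN_DATA | FLAG_UID_IN_EMUL` and the file-scope `uid` buffer is passed as the data argument. Setting both flags also leaves it unclear which UID source is intended, since which one wins depends on the order Mifare1ksim checks its flags (not visible here); a comment stating the intent, e.g. `// simulate with the UID read from the real tag (uid is filled by iso14443a_select_card in the chk helpers)`, would settle it. I cannot see a guard in the shown hunks for the case where no tag was ever selected, in which case `uid` is still the zero-initialised global, so it is worth confirming the call is only reached after a successful select. `RunMod` starts and ends outside this hunk.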
@@ -16,6 +16,7 @@
 #include "standalone.h" // standalone definitions
 #include "apps.h" // debugstatements, lfops?
 #include "usb_cmd.h" // mifare1ksim flags
+#include "mifareutil.h"
 #define OPTS 2
diff --git a/armsrc/Standalone/hf_young.c b/armsrc/Standalone/hf_young.c
index ef41bc64d..f4bc3db4f 100644
--- a/armsrc/Standalone/hf_young.c
+++ b/armsrc/Standalone/hf_young.c
@@ -20,6 +20,7 @@ typedef struct {
 void RunMod() {
 StandAloneMode();
+ Dbprintf(">> Craig Young Mifare sniff UID/clone uid 2 magic/sim a.k.a YoungRun Started <<");
 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 int selected = 0, playing = 0, iGotoRecord = 0, iGotoClone = 0;
diff --git a/armsrc/Standalone/lf_hidbrute.c b/armsrc/Standalone/lf_hidbrute.c
index 7ec3aba28..8c6b85f4f 100644
--- a/armsrc/Standalone/lf_hidbrute.c
+++ b/armsrc/Standalone/lf_hidbrute.c
@@ -29,6 +29,7 @@
 // samy's sniff and repeat routine for LF
 void RunMod() {
 StandAloneMode();
+ Dbprintf(">> LF HID corporate bruteforce a.k.a CorporateBrute Started <<");
 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 uint32_t high[OPTS], low[OPTS];
diff --git a/armsrc/Standalone/lf_proxbrute.c b/armsrc/Standalone/lf_proxbrute.c
index e0c998d31..69b5f5331 100644
--- a/armsrc/Standalone/lf_proxbrute.c
+++ b/armsrc/Standalone/lf_proxbrute.c
@@ -14,6 +14,7 @@
 // samy's sniff and repeat routine for LF
 void RunMod() {
 StandAloneMode();
+ Dbprintf(">> LF HID proxII bruteforce a.k.a ProxBrute Started (Brad Antoniewicz) <<");
 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 uint32_t high[OPTS], low[OPTS];
diff --git a/armsrc/Standalone/lf_samyrun.c b/armsrc/Standalone/lf_samyrun.c
index 88b6e9b15..c94d5fc42 100644
--- a/armsrc/Standalone/lf_samyrun.c
+++ b/armsrc/Standalone/lf_samyrun.c
@@ -13,6 +13,7 @@
 // samy's sniff and repeat routine for LF
 void RunMod() {
 StandAloneMode();
+ Dbprintf(">> LF HID Read/Clone/Sim a.k.a SamyRun Started <<");
 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
 uint32_t high[OPTS], low[OPTS];
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 2a3ae823a..a3b330e84 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -415,22 +415,19 @@ void SendStatus(void) {
 void StandAloneMode(void) {
 DbpString("Stand-alone mode! No PC necessary.");
- // Oooh pretty -- notify user we're in elite samy mode now
- LED(LED_RED, 200);
- LED(LED_ORANGE, 200);
- LED(LED_GREEN, 200);
- LED(LED_ORANGE, 200);
- LED(LED_RED, 200);
- LED(LED_ORANGE, 200);
- LED(LED_GREEN, 200);
- LED(LED_ORANGE, 200);
- LED(LED_RED, 200);
+
+ SpinDown(50);
+ SpinOff(50);
+ SpinUp(50);
+ SpinOff(50);
+ SpinDown(50);
+ SpinDelay(500);
 }
 // detection of which Standalone Modes is installed
 // (iceman)
 void printStandAloneModes(void) {
- DbpString("Installed StandAlone Mods");
+ DbpString("Installed StandAlone Mode");
 #if defined(WITH_LF_ICERUN)
 DbpString(" LF sniff/clone/simulation - aka IceRun (iceman)");
@@ -445,7 +442,7 @@ void printStandAloneModes(void) {
 DbpString(" LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)");
 #endif
 #if defined(WITH_LF_HIDBRUTE)
- DbpString(" LF HID corporate 1000 bruteforce - (Federico dotta & Maurizio Agazzini)");
+ DbpString(" LF HID corporate 1000 bruteforce - aka Corporatebrute (Federico dotta & Maurizio Agazzini)");
 #endif
 #if defined(WITH_HF_MATTYRUN)
 DbpString(" HF Mifare sniff/clone - aka MattyRun (Matías A. Ré Medina)");
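Review bot: `StandAloneMode` loses its only explanatory comment — `// Oooh pretty -- notify user we're in elite samy mode now` goes out with the LED() calls, and the Spin*/SpinDelay sequence that replaces it has none. Suggest `// visual cue that the device has entered standalone mode: LED sweep, then a short pause before the mode's own code runs` above `SpinDown(50);`. Every standalone `RunMod` touched in this commit now begins with this call (hf_bog and hf_colin were changed to match, and the same sweep was removed from their bodies), so a one-line header comment saying this is the common entry banner for all modes would also discourage anyone from re-adding a per-mode LED sequence later.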