hf mf sim: simplify nonce collection
parent
e9445851e3
commit
ffd5601325
1 changed files with 33 additions and 82 deletions
|
@ -510,13 +510,8 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
|
||||||
nonces_t ar_nr_resp[ATTACK_KEY_COUNT * 2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
|
nonces_t ar_nr_resp[ATTACK_KEY_COUNT * 2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
|
||||||
memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
|
memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
|
||||||
|
|
||||||
uint8_t ar_nr_collected[ATTACK_KEY_COUNT * 2]; // *2 for 2nd attack type (moebius)
|
uint8_t ar_nr_collected[ATTACK_KEY_COUNT ]; // for moebius attack type
|
||||||
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
|
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
|
||||||
uint8_t nonce1_count = 0;
|
|
||||||
uint8_t nonce2_count = 0;
|
|
||||||
uint8_t moebius_n_count = 0;
|
|
||||||
bool gettingMoebius = false;
|
|
||||||
uint8_t mM = 0; //moebius_modifier for collection storage
|
|
||||||
|
|
||||||
// Authenticate response - nonce
|
// Authenticate response - nonce
|
||||||
uint8_t rAUTH_NT[4] = {0, 0, 0, 1};
|
uint8_t rAUTH_NT[4] = {0, 0, 0, 1};
|
||||||
|
@ -1150,61 +1145,37 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
|
||||||
if ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) {
|
if ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) {
|
||||||
|
|
||||||
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
|
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
|
||||||
if (ar_nr_collected[i + mM] == 0 ||
|
if (ar_nr_collected[i] == 0 ||
|
||||||
(
|
(
|
||||||
(cardAUTHSC == ar_nr_resp[i + mM].sector) &&
|
(cardAUTHSC == ar_nr_resp[i].sector) &&
|
||||||
(cardAUTHKEY == ar_nr_resp[i + mM].keytype) &&
|
(cardAUTHKEY == ar_nr_resp[i].keytype) &&
|
||||||
(ar_nr_collected[i + mM] > 0)
|
(ar_nr_collected[i] > 0)
|
||||||
)
|
)
|
||||||
) {
|
) {
|
||||||
// if first auth for sector, or matches sector and keytype of previous auth
|
// if first auth for sector, or matches sector and keytype of previous auth
|
||||||
if (ar_nr_collected[i + mM] < 2) {
|
if (ar_nr_collected[i] < 2) {
|
||||||
// if we haven't already collected 2 nonces for this sector
|
// if we haven't already collected 2 nonces for this sector
|
||||||
if (ar_nr_resp[ar_nr_collected[i + mM]].ar != ar) {
|
if (ar_nr_resp[ar_nr_collected[i]].ar != ar) {
|
||||||
// Avoid duplicates... probably not necessary, ar should vary.
|
// Avoid duplicates... probably not necessary, ar should vary.
|
||||||
if (ar_nr_collected[i + mM] == 0) {
|
if (ar_nr_collected[i] == 0) {
|
||||||
// first nonce collect
|
// first nonce collect
|
||||||
ar_nr_resp[i + mM].cuid = cuid;
|
ar_nr_resp[i].cuid = cuid;
|
||||||
ar_nr_resp[i + mM].sector = cardAUTHSC;
|
ar_nr_resp[i].sector = cardAUTHSC;
|
||||||
ar_nr_resp[i + mM].keytype = cardAUTHKEY;
|
ar_nr_resp[i].keytype = cardAUTHKEY;
|
||||||
ar_nr_resp[i + mM].nonce = nonce;
|
ar_nr_resp[i].nonce = nonce;
|
||||||
ar_nr_resp[i + mM].nr = nr;
|
ar_nr_resp[i].nr = nr;
|
||||||
ar_nr_resp[i + mM].ar = ar;
|
ar_nr_resp[i].ar = ar;
|
||||||
nonce1_count++;
|
ar_nr_collected[i]++;
|
||||||
// add this nonce to first moebius nonce
|
} else { // second nonce collect
|
||||||
ar_nr_resp[i + ATTACK_KEY_COUNT].cuid = cuid;
|
// make sure we have different nonces for moebius attack
|
||||||
ar_nr_resp[i + ATTACK_KEY_COUNT].sector = cardAUTHSC;
|
if (ar_nr_resp[i].nonce != nonce) {
|
||||||
ar_nr_resp[i + ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
|
ar_nr_resp[i].nonce2 = nonce;
|
||||||
ar_nr_resp[i + ATTACK_KEY_COUNT].nonce = nonce;
|
ar_nr_resp[i].nr2 = nr;
|
||||||
ar_nr_resp[i + ATTACK_KEY_COUNT].nr = nr;
|
ar_nr_resp[i].ar2 = ar;
|
||||||
ar_nr_resp[i + ATTACK_KEY_COUNT].ar = ar;
|
ar_nr_collected[i]++;
|
||||||
ar_nr_collected[i + ATTACK_KEY_COUNT]++;
|
finished = true;
|
||||||
} else { // second nonce collect (std and moebius)
|
|
||||||
ar_nr_resp[i + mM].nonce2 = nonce;
|
|
||||||
ar_nr_resp[i + mM].nr2 = nr;
|
|
||||||
ar_nr_resp[i + mM].ar2 = ar;
|
|
||||||
|
|
||||||
if (!gettingMoebius) {
|
|
||||||
nonce2_count++;
|
|
||||||
// check if this was the last second nonce we need for std attack
|
|
||||||
if (nonce2_count == nonce1_count) {
|
|
||||||
// done collecting std test switch to moebius
|
|
||||||
// first finish incrementing last sample
|
|
||||||
ar_nr_collected[i + mM]++;
|
|
||||||
// switch to moebius collection
|
|
||||||
gettingMoebius = true;
|
|
||||||
mM = ATTACK_KEY_COUNT;
|
|
||||||
nonce = nonce * 7;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
moebius_n_count++;
|
|
||||||
// if we've collected all the nonces we need - finish.
|
|
||||||
if (nonce1_count == moebius_n_count)
|
|
||||||
finished = true;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ar_nr_collected[i + mM]++;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// we found right spot for this nonce stop looking
|
// we found right spot for this nonce stop looking
|
||||||
|
@ -1356,45 +1327,25 @@ void Mifare1ksim(uint16_t flags, uint8_t exitAfterNReads, uint8_t *datain, uint1
|
||||||
FpgaDisableTracing();
|
FpgaDisableTracing();
|
||||||
|
|
||||||
// NR AR ATTACK
|
// NR AR ATTACK
|
||||||
// mfkey32
|
|
||||||
if (((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) && (g_dbglevel >= DBG_INFO)) {
|
if (((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK) && (g_dbglevel >= DBG_INFO)) {
|
||||||
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
|
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
|
||||||
if (ar_nr_collected[i] == 2) {
|
if (ar_nr_collected[i] == 2) {
|
||||||
Dbprintf("Collected two pairs of AR/NR which can be used to extract sector %d " _YELLOW_("%s")
|
Dbprintf("Collected two pairs of AR/NR which can be used to extract sector %d " _YELLOW_("%s")
|
||||||
, ar_nr_resp[i].sector
|
, ar_nr_resp[i].sector
|
||||||
, (ar_nr_resp[i].keytype == AUTHKEYA) ? "key A" : "key B"
|
, (ar_nr_resp[i].keytype == AUTHKEYA) ? "key A" : "key B"
|
||||||
);
|
);
|
||||||
Dbprintf("../tools/mfc/card_reader/mfkey32 %08x %08x %08x %08x %08x %08x",
|
Dbprintf("../tools/mfc/card_reader/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
|
||||||
ar_nr_resp[i].cuid, //UID
|
ar_nr_resp[i].cuid, //UID
|
||||||
ar_nr_resp[i].nonce, //NT
|
ar_nr_resp[i].nonce, //NT
|
||||||
ar_nr_resp[i].nr, //NR1
|
ar_nr_resp[i].nr, //NR1
|
||||||
ar_nr_resp[i].ar, //AR1
|
ar_nr_resp[i].ar, //AR1
|
||||||
ar_nr_resp[i].nr2, //NR2
|
ar_nr_resp[i].nonce2,//NT2
|
||||||
ar_nr_resp[i].ar2 //AR2
|
ar_nr_resp[i].nr2, //NR2
|
||||||
|
ar_nr_resp[i].ar2 //AR2
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// mfkey32 v2
|
|
||||||
for (uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT * 2; i++) {
|
|
||||||
if (ar_nr_collected[i] == 2) {
|
|
||||||
Dbprintf("Collected two pairs of AR/NR which can be used to extract sector %d " _YELLOW_("%s")
|
|
||||||
, ar_nr_resp[i].sector
|
|
||||||
, (ar_nr_resp[i].keytype == AUTHKEYA) ? "key A" : "key B"
|
|
||||||
);
|
|
||||||
Dbprintf("../tools/mfc/card_reader/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
|
|
||||||
ar_nr_resp[i].cuid, //UID
|
|
||||||
ar_nr_resp[i].nonce, //NT
|
|
||||||
ar_nr_resp[i].nr, //NR1
|
|
||||||
ar_nr_resp[i].ar, //AR1
|
|
||||||
ar_nr_resp[i].nonce2,//NT2
|
|
||||||
ar_nr_resp[i].nr2, //NR2
|
|
||||||
ar_nr_resp[i].ar2 //AR2
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (g_dbglevel >= DBG_ERROR) {
|
if (g_dbglevel >= DBG_ERROR) {
|
||||||
Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
|
Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
|
||||||
}
|
}
|
||||||
|
|
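Review bot: The duplicate-`ar` guard kept on the new side of the second hunk, `if (ar_nr_resp[ar_nr_collected[i]].ar != ar) {`, indexes `ar_nr_resp` by the per-slot count (0 or 1) instead of by the slot `i`, so for any `i` above 1 it compares against an unrelated slot's `ar`; the surrounding comment suggests the intent is `if (ar_nr_resp[i].ar != ar) {`. The line was already wrong in its `i + mM` form, but the commit rewrote it without correcting the index. Separately, the new code only ever touches indices below ATTACK_KEY_COUNT, so the context line `nonces_t ar_nr_resp[ATTACK_KEY_COUNT * 2];` and its "*2 for 2 separate attack types" comment in the first hunk are now stale and reserve twice the storage the code uses; `nonces_t ar_nr_resp[ATTACK_KEY_COUNT];` would keep it consistent with the resized `ar_nr_collected` (whose new declaration also carries a stray space before `]`). Mifare1ksim's body starts before and continues past all three hunks.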