github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-21 05:43:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix hf iclass sim

Browse source 
* sim 2: add responses to read(1) (Config) and read(5) (AIA)
* sim 2/3: don't restrict CC to 00 bytes only
* sim 3: add responding to read block commands
* sim 2/3: add responding to READ_CHECK_KC
* fix sizes of pre-encoded tag answers
* change default card challenge
* remove commented code
* use #defines instead of numerical constants for simulation modes
* some reformatting
This commit is contained in:
pwpiwi 2019-08-28 11:57:53 +02:00
commit 0ab9002f36
5 changed files with 227 additions and 224 deletions
Download patch file Download diff file Expand all files Collapse all files

67
client/cmdhficlass.c
View file

@ -110,28 +110,20 @@ int CmdHFiClassSim(const char *Cmd) {
}
simType = param_get8ex(Cmd, 0, 0, 10);
if(simType == 0)
{
if (simType == ICLASS_SIM_MODE_CSN) {
if (param_gethex(Cmd, 1, CSN, 16)) {
PrintAndLog("A CSN should consist of 16 HEX symbols");
return usage_hf_iclass_sim();
}
PrintAndLog("--simtype:%02x csn:%s", simType, sprint_hex(CSN, 8));
}
if(simType > 3)
{
PrintAndLog("Undefined simptype %d", simType);
return usage_hf_iclass_sim();
}
uint8_t numberOfCSNs=0;
if(simType == 2)
{
UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,NUM_CSNS}};
uint8_t numberOfCSNs = 0;
if (simType == ICLASS_SIM_MODE_READER_ATTACK) {
UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType, NUM_CSNS}};
UsbCommand resp = {0};
uint8_t csns[8*NUM_CSNS] = {
uint8_t csns[8 * NUM_CSNS] = {
0x00, 0x0B, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0,
0x00, 0x04, 0x0E, 0x08, 0xF7, 0xFF, 0x12, 0xE0,
0x00, 0x09, 0x0D, 0x05, 0xF7, 0xFF, 0x12, 0xE0,
@ -148,7 +140,7 @@ int CmdHFiClassSim(const char *Cmd) {
0x00, 0x00, 0x02, 0x24, 0xF7, 0xFF, 0x12, 0xE0,
0x00, 0x05, 0x01, 0x21, 0xF7, 0xFF, 0x12, 0xE0 };
memcpy(c.d.asBytes, csns, 8*NUM_CSNS);
memcpy(c.d.asBytes, csns, 8 * NUM_CSNS);
SendCommand(&c);
if (!WaitForResponseTimeout(CMD_ACK, &resp, -1)) {
@ -157,9 +149,9 @@ int CmdHFiClassSim(const char *Cmd) {
}
uint8_t num_mac_responses = resp.arg[1];
PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses,NUM_CSNS);
PrintAndLog("Mac responses: %d MACs obtained (should be %d)", num_mac_responses, NUM_CSNS);
size_t datalen = NUM_CSNS*24;
size_t datalen = NUM_CSNS * 24;
/*
* Now, time to dump to file. We'll use this format:
* <8-byte CSN><8-byte CC><4 byte NR><4 byte MAC>....
@ -167,28 +159,29 @@ int CmdHFiClassSim(const char *Cmd) {
* 8 * 24 bytes.
*
* The returndata from the pm3 is on the following format
* <4 byte NR><4 byte MAC>
* CC are all zeroes, CSN is the same as was sent in
* <8 byte CC><4 byte NR><4 byte MAC>
* CSN is the same as was sent in
**/
void* dump = malloc(datalen);
memset(dump,0,datalen);//<-- Need zeroes for the CC-field
uint8_t i = 0;
for(i = 0 ; i < NUM_CSNS ; i++)
{
memcpy(dump+i*24, csns+i*8,8); //CSN
//8 zero bytes here...
for(int i = 0; i < NUM_CSNS; i++) {
memcpy(dump + i*24, csns+i*8, 8); //CSN
//copy CC from response
memcpy(dump + i*24 + 8, resp.d.asBytes + i*16, 8);
//Then comes NR_MAC (eight bytes from the response)
memcpy(dump+i*24+16,resp.d.asBytes+i*8,8);
memcpy(dump + i*24 + 16, resp.d.asBytes + i*16 + 8, 8);
}
/** Now, save to dumpfile **/
saveFile("iclass_mac_attack", "bin", dump,datalen);
free(dump);
}else
{
UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType,numberOfCSNs}};
} else if (simType == ICLASS_SIM_MODE_CSN || simType == ICLASS_SIM_MODE_CSN_DEFAULT) {
UsbCommand c = {CMD_SIMULATE_TAG_ICLASS, {simType, numberOfCSNs}};
memcpy(c.d.asBytes, CSN, 8);
SendCommand(&c);
} else {
PrintAndLog("Undefined simtype %d", simType);
return usage_hf_iclass_sim();
}
return 0;
@ -1265,24 +1258,18 @@ int CmdHFiClass_loclass(const char *Cmd) {
return 0;
}
char fileName[255] = {0};
if(opt == 'f')
{
if(param_getstr(Cmd, 1, fileName, sizeof(fileName)) > 0)
{
if(opt == 'f') {
if(param_getstr(Cmd, 1, fileName, sizeof(fileName)) > 0) {
return bruteforceFileNoKeys(fileName);
}else
{
} else {
PrintAndLog("You must specify a filename");
}
}
else if(opt == 't')
{
} else if(opt == 't') {
int errors = testCipherUtils();
errors += testMAC();
errors += doKeyTests(0);
errors += testElite();
if(errors)
{
if(errors) {
prnlog("OBS! There were errors!!!");
}
return errors;

1
client/loclass/cipher.c
View file

@ -240,6 +240,7 @@ void doMAC(uint8_t *cc_nr_p, uint8_t *div_key_p, uint8_t mac[4])
//free(cc_nr);
return;
}
void doMAC_N(uint8_t *address_data_p, uint8_t address_data_size, uint8_t *div_key_p, uint8_t mac[4])
{
uint8_t *address_data;

49
client/loclass/elite_crack.c
View file

@ -333,16 +333,14 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
* Only the lower eight bits correspond to the (hopefully cracked) key-value.
**/
uint8_t bytes_to_recover[3] = {0};
uint8_t numbytes_to_recover = 0 ;
int i;
for(i =0 ; i < 8 ; i++)
{
if(keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
uint8_t numbytes_to_recover = 0;
for(int i = 0; i < 8; i++) {
if (keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
bytes_to_recover[numbytes_to_recover++] = key_index[i];
keytable[key_index[i]] |= BEING_CRACKED;
if(numbytes_to_recover > 3)
{
if(numbytes_to_recover > 3) {
prnlog("The CSN requires > 3 byte bruteforce, not supported");
printvar("CSN", item.csn,8);
printvar("HASH1", key_index,8);
@ -370,15 +368,14 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
uint32_t endmask = 1 << 8*numbytes_to_recover;
for(i =0 ; i < numbytes_to_recover && numbytes_to_recover > 1; i++)
for (int i = 0; i < numbytes_to_recover && numbytes_to_recover > 1; i++) {
prnlog("Bruteforcing byte %d", bytes_to_recover[i]);
}
while(!found && !(brute & endmask))
{
while(!found && !(brute & endmask)) {
//Update the keytable with the brute-values
for(i =0 ; i < numbytes_to_recover; i++)
{
for (int i = 0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF00;
keytable[bytes_to_recover[i]] |= (brute >> (i*8) & 0xFF);
}
@ -394,42 +391,34 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
//Diversify
diversifyKey(item.csn, key_sel_p, div_key);
//Calc mac
doMAC(item.cc_nr, div_key,calculated_MAC);
doMAC(item.cc_nr, div_key, calculated_MAC);
if(memcmp(calculated_MAC, item.mac, 4) == 0)
{
for(i =0 ; i < numbytes_to_recover; i++)
prnlog("=> %d: 0x%02x", bytes_to_recover[i],0xFF & keytable[bytes_to_recover[i]]);
if (memcmp(calculated_MAC, item.mac, 4) == 0) {
for (int i =0 ; i < numbytes_to_recover; i++)
prnlog("=> %d: 0x%02x", bytes_to_recover[i], 0xFF & keytable[bytes_to_recover[i]]);
found = true;
break;
}
brute++;
if((brute & 0xFFFF) == 0)
{
if ((brute & 0xFFFF) == 0) {
printf("%d",(brute >> 16) & 0xFF);
fflush(stdout);
}
}
if(! found)
{
if (! found) {
prnlog("Failed to recover %d bytes using the following CSN",numbytes_to_recover);
printvar("CSN",item.csn,8);
errors++;
//Before we exit, reset the 'BEING_CRACKED' to zero
for(i =0 ; i < numbytes_to_recover; i++)
{
for (int i = 0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACK_FAILED;
}
}else
{
for(i =0 ; i < numbytes_to_recover; i++)
{
} else {
for (int i = 0 ;i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACKED;
}
}
return errors;
}
@ -516,7 +505,7 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
dumpdata* attack = (dumpdata* ) malloc(itemsize);
for(i = 0 ; i * itemsize < dumpsize ; i++ )
for (i = 0 ; i * itemsize < dumpsize ; i++ )
{
memcpy(attack,dump+i*itemsize, itemsize);
errors += bruteforceItem(*attack, keytable);