nested attack: really testing default/known keys

and restarts nested attack with different found key if not all has been found, but last round added new ones.
2025-08-23 22:45:27 -07:00 · 2015-09-10 19:31:40 +02:00 · 2015-09-10 19:31:40 +02:00 · 0ee816d0d9
commit 0ee816d0d9
parent 9dd0ac57ed
1 changed files with 74 additions and 34 deletions
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -534,8 +534,9 @@ int CmdHF14AMfRestore(const char *Cmd)

 int CmdHF14AMfNested(const char *Cmd)
 {
-	int i, j, res, iterations;
+	int i, j, res, iterations, NumFound, NumFoundOld;
 	sector *e_sector = NULL;
+	bool *triedOnes = NULL;
 	uint8_t blockNo = 0;
 	uint8_t keyType = 0;
 	uint8_t trgBlockNo = 0;
@ -655,6 +656,8 @@ int CmdHF14AMfNested(const char *Cmd)
 		clock_t time1;
 		time1 = clock();

+		NumFound = 0; // did not foud a key, yet
+		triedOnes = calloc(2 * SectorsCnt, sizeof(bool));
 		e_sector = calloc(SectorsCnt, sizeof(sector));
 		if (e_sector == NULL) return 1;
 		
@ -676,20 +679,53 @@ int CmdHF14AMfNested(const char *Cmd)

 		PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
 		for (i = 0; i < SectorsCnt; i++) {
+			PrintAndLog(". test sector: %03d of %03d", i, SectorsCnt);
 			for (j = 0; j < 2; j++) {
 				if (e_sector[i].foundKey[j]) continue;
 				
-				res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);
+				// new loop to iterate through the given keys
+				for (int h = 0; h < sizeof(keyBlock)/6; h++){
+					res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, (uint8_t*)(keyBlock + h * 6), &key64);
+
 				
 					if (!res) {
 						e_sector[i].Key[j] = key64;
 						e_sector[i].foundKey[j] = 1;
+						NumFound++; // found a new one
+						break;
+					}else if(res == 1){
+						PrintAndLog("Error: No response from Proxmark.\n");
+						free(triedOnes);
+						free(e_sector);
+					}
 				}
 			}
 		}
 		
 		// nested sectors
+
 		iterations = 0;
+		do{
+			NumFoundOld = NumFound;
+			// find a new sector or key for the sector
+			for (i = 0; i < SectorsCnt; i++) {
+				for (j = 0; j < 2; j++) {
+					if (e_sector[i].foundKey[j]){
+						if(!triedOnes[2 * i + j]){
+							triedOnes[2 * i + j] = true; // try this one
+							// reset default values
+							num_to_bytes(e_sector[i].Key[j], 6, key);
+							keyType = j;
+							blockNo = FirstBlockOfSector(i);
+							PrintAndLog("\nTrying block %03d type %01d", blockNo, keyType);
+							goto start;
+						}
+					}
+				}
+			}
+
+			start:
+			PrintAndLog("# Keys found so far: %03d \n", NumFound);
 			PrintAndLog("nested...");
 			bool calibrate = true;
 			for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
@ -705,6 +741,7 @@ int CmdHF14AMfNested(const char *Cmd)
 								case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
 								default : PrintAndLog("Unknown Error.\n");
 							}
+							free(triedOnes);
 							free(e_sector);
 							return 2;
 						} else {
@ -718,10 +755,13 @@ int CmdHF14AMfNested(const char *Cmd)
 							PrintAndLog("Found valid key:%012"llx, key64);
 							e_sector[sectorNo].foundKey[trgKeyType] = 1;
 							e_sector[sectorNo].Key[trgKeyType] = key64;
+							NumFound++;
 						}
 					}
 				}
 			}
+		}while((NumFound != NumFoundOld) && (NumFound < 2 * SectorsCnt));
+		free(triedOnes);

 		printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);