Add mifare crypto trace decryption utility

allows manual decryption of hf 14a snoop traces of a mf card. someday we should fix hf mf sniff...
2025-07-31 12:00:10 -07:00 · 2015-10-07 00:24:55 -04:00 · 2015-10-07 00:24:55 -04:00 · 1a5a73abae
commit 1a5a73abae
parent e1c6e9e8f1
5 changed files with 51 additions and 0 deletions
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -1949,6 +1949,13 @@ int CmdHF14AMfSniff(const char *Cmd){
 	return 0;
 }
 //needs nt, ar, at, Data to decrypt
 int CmdDecryptTraceCmds(const char *Cmd){
 	uint8_t data[50];
 	int len = 0;
 	param_gethex_ex(Cmd,3,data,&len);
 	return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);
 }
 static command_t CommandTable[] =
 {
@ -1977,6 +1984,7 @@ static command_t CommandTable[] =
  {"cgetsc",	CmdHF14AMfCGetSc,		0, "Read sector - Magic Chinese card"},
  {"cload",		CmdHF14AMfCLoad,		0, "Load dump into magic Chinese card"},
  {"csave",		CmdHF14AMfCSave,		0, "Save dump from magic Chinese card into file or emulator"},
  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
  {NULL, NULL, 0, NULL}
 };
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@ -619,3 +619,23 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 	return 0;
 }
 int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len){
 	/*
 	uint32_t nt;      // tag challenge
 	uint32_t ar_enc;  // encrypted reader response
 	uint32_t at_enc;  // encrypted tag response
 	*/
 	if (traceCrypto1) {
 		crypto1_destroy(traceCrypto1);
 	}
 	ks2 = ar_enc ^ prng_successor(nt, 64);
 	ks3 = at_enc ^ prng_successor(nt, 96);
 	traceCrypto1 = lfsr_recovery64(ks2, ks3);
 	mf_crypto1_decrypt(traceCrypto1, data, len, 0);
 	PrintAndLog("Decrypted data: [%s]", sprint_hex(data,len) );
 	crypto1_destroy(traceCrypto1);
 	return 0;
 }
--- a/client/mifarehost.h
+++ b/client/mifarehost.h
@ -67,3 +67,4 @@ int isBlockEmpty(int blockN);
 int isBlockTrailer(int blockN);
 int loadTraceCard(uint8_t *tuid);
 int saveTraceCard(void);
 int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len);
--- a/client/util.c
+++ b/client/util.c
@ -333,7 +333,28 @@ int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt)
 	return 0;
 }
 int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt)
 {
 	int bg, en, temp, i;
 	//if (hexcnt % 2)
 	//	return 1;
 	if (param_getptr(line, &bg, &en, paramnum)) return 1;
 	*hexcnt = en - bg + 1;
 	if (*hexcnt % 2) //error if not complete hex bytes
 		return 1;
 	for(i = 0; i < *hexcnt; i += 2) {
 		if (!(isxdigit(line[bg + i]) && isxdigit(line[bg + i + 1])) )	return 1;
 		sscanf((char[]){line[bg + i], line[bg + i + 1], 0}, "%X", &temp);
 		data[i / 2] = temp & 0xff;
 	}	
 	return 0;
 }
 int param_getstr(const char *line, int paramnum, char * str)
 {
 	int bg, en;
--- a/client/util.h
+++ b/client/util.h
@ -54,6 +54,7 @@ uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base);
 uint8_t param_getdec(const char *line, int paramnum, uint8_t *destination);
 uint8_t param_isdec(const char *line, int paramnum);
 int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt);
 int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt);
 int param_getstr(const char *line, int paramnum, char * str);
 int hextobinarray( char *target,  char *source);