Merge pull request #548 from merlokk/mfsniff_fix

`hf mf sniff` not a small fix
2025-07-16 02:03:00 -07:00 · 2018-01-17 23:16:08 +01:00 · 2018-01-17 23:16:08 +01:00 · 30bb6d6591
commit 30bb6d6591
parent af1940a5d8 2ba37081ec
4 changed files with 186 additions and 197 deletions
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -2539,7 +2539,9 @@ void RAMFUNC SniffMifare(uint8_t param) {
 			if(!TagIsActive) {		// no need to try decoding tag data if the reader is sending
 				uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
 				if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
-					LED_C_INV();
+					LED_B_ON();
 					LED_C_OFF();
 					if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
 					/* And ready to receive another command. */
@ -2554,7 +2556,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
 			if(!ReaderIsActive) {		// no need to try decoding tag data if the reader is sending
 				uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
 				if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
-					LED_C_INV();
+					LED_B_OFF();
 					LED_C_ON();
 					if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
--- a/armsrc/mifaresniff.c
+++ b/armsrc/mifaresniff.c
@ -59,32 +59,27 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui
 				memset(sniffUID, 0x00, 8);
 				memset(sniffATQA, 0x00, 2);
 				sniffSAK = 0;
-				sniffState = SNF_WUPREQ;
+				sniffState = SNF_ATQA;
 				if (data[0] == 0x40) 
 					sniffState = SNF_MAGIC_WUPC2;
 			}
 			break;
 		}
-		case SNF_WUPREQ:{
+		case SNF_MAGIC_WUPC2:
 			if ((len == 1) && (reader) && (data[0] == 0x43) ) {  
 				sniffState = SNF_CARD_IDLE;
 			}
 			break;
 		case SNF_ATQA:{
 			if ((!reader) && (len == 2)) { 		// ATQA from tag
 				memcpy(sniffATQA, data, 2);
 				sniffState = SNF_ATQA;
 			}
 			break;
 		}
 		case SNF_ATQA:{
 			if ((reader) && (len == 2) && (data[0] == 0x93) && (data[1] == 0x20)) { // Select ALL from reader
 				sniffState = SNF_ANTICOL1;
 			}
 			break;
 		}
 		case SNF_ANTICOL1:{
 			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) {  // UID from tag (CL1) 
 				memcpy(sniffUID + 3, data, 4);
 				sniffState = SNF_UID1;
 			}
 			break;
 		}
 		case SNF_UID1:{
 			if ((reader) && (len == 9) && (data[0] == 0x93) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {   // Select 4 Byte UID from reader
 				memcpy(sniffUID + 3, &data[2], 4);
 				sniffState = SNF_SAK;
 			}
 			break;
@ -92,25 +87,19 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui
 		case SNF_SAK:{
 			if ((!reader) && (len == 3) && (CheckCrc14443(CRC_14443_A, data, 3))) { // SAK from card?
 				sniffSAK = data[0];
-				if (sniffUID[3] == 0x88) {			// CL2 UID part to be expected
+				if ((sniffUID[3] == 0x88) && (sniffUIDType == SNF_UID_4)) {			// CL2 UID part to be expected
-					sniffState = SNF_ANTICOL2;
+					sniffUIDType = SNF_UID_7;
-				} else {							// select completed
+					memcpy(sniffUID, sniffUID + 4, 3);
 					sniffState = SNF_UID2;
 				} else {															// select completed
 					sniffState = SNF_CARD_IDLE;
 				}
 			}
 			break;
 		}
 		case SNF_ANTICOL2:{
 			if ((!reader) && (len == 5) && ((data[0] ^ data[1] ^ data[2] ^ data[3]) == data[4])) { // CL2 UID 
 				memcpy(sniffUID, sniffUID+4, 3);
 				memcpy(sniffUID+3, data, 4);
 				sniffUIDType = SNF_UID_7;
 				sniffState = SNF_UID2;
 			}
 			break;
 		}
 		case SNF_UID2:{
-			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {	// Select 2nd part of 7 Byte UID
+			if ((reader) && (len == 9) && (data[0] == 0x95) && (data[1] == 0x70) && (CheckCrc14443(CRC_14443_A, data, 9))) {
 				memcpy(sniffUID + 3, &data[2], 4);
 				sniffState = SNF_SAK;
 			}
 			break;
@ -124,16 +113,10 @@ bool RAMFUNC MfSniffLogic(const uint8_t *data, uint16_t len, uint8_t *parity, ui
 			sniffBuf[12] = 0xFF;
 			sniffBuf[13] = 0xFF;
 			LogTrace(sniffBuf, 14, 0, 0, NULL, TRUE);
 			sniffState = SNF_CARD_CMD;
 		}	// intentionally no break;
 		case SNF_CARD_CMD:{	
-			LogTrace(data, len, 0, 0, NULL, TRUE);
+			LogTrace(data, len, 0, 0, NULL, reader);
 			sniffState = SNF_CARD_RESP;
 			timerData = GetTickCount();
 			break;
 		}
 		case SNF_CARD_RESP:{
 			LogTrace(data, len, 0, 0, NULL, FALSE);
 			sniffState = SNF_CARD_CMD;
 			timerData = GetTickCount();
 			break;
 		}
--- a/armsrc/mifaresniff.h
+++ b/armsrc/mifaresniff.h
@ -27,6 +27,7 @@
 #define SNF_CARD_IDLE			9
 #define SNF_CARD_CMD			10
 #define SNF_CARD_RESP			11
 #define SNF_MAGIC_WUPC2			12
 #define SNF_UID_4				0
 #define SNF_UID_7				0
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@ -609,7 +609,8 @@ int saveTraceCard(void) {
 	for (int i = 0; i < 64; i++) {  // blocks
 		for (int j = 0; j < 16; j++)  // bytes
 			fprintf(f, "%02x", *(traceCard + i * 16 + j));
-		fprintf(f,"\n");
+		if (i < 63)
 			fprintf(f,"\n");
 	}
 	fclose(f);
 	return 0;
@ -826,20 +827,30 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 		if (len ==4) {
 			traceState = TRACE_IDLE;
-			at_enc = bytes_to_num(data, 4);
+			if (!traceCrypto1) {
 				at_enc = bytes_to_num(data, 4);
-			//  decode key here)
+				//  decode key here)
-			ks2 = ar_enc ^ prng_successor(nt, 64);
+				ks2 = ar_enc ^ prng_successor(nt, 64);
-			ks3 = at_enc ^ prng_successor(nt, 96);
+				ks3 = at_enc ^ prng_successor(nt, 96);
-			revstate = lfsr_recovery64(ks2, ks3);
+				revstate = lfsr_recovery64(ks2, ks3);
-			lfsr_rollback_word(revstate, 0, 0);
+				lfsr_rollback_word(revstate, 0, 0);
-			lfsr_rollback_word(revstate, 0, 0);
+				lfsr_rollback_word(revstate, 0, 0);
-			lfsr_rollback_word(revstate, nr_enc, 1);
+				lfsr_rollback_word(revstate, nr_enc, 1);
-			lfsr_rollback_word(revstate, uid ^ nt, 0);
+				lfsr_rollback_word(revstate, uid ^ nt, 0);
-			crypto1_get_lfsr(revstate, &lfsr);
+				crypto1_get_lfsr(revstate, &lfsr);
-			printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF));
+				printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF));
-			AddLogUint64(logHexFileName, "key> ", lfsr);
+				AddLogUint64(logHexFileName, "key> ", lfsr);
 			} else {
 				printf("key> nested not implemented!\n");
 				at_enc = bytes_to_num(data, 4);
 				crypto1_destroy(traceCrypto1);
 				// not implemented
 				traceState = TRACE_ERROR;
 			}
 			int blockShift = ((traceCurBlock & 0xFC) + 3) * 16;
 			if (isBlockEmpty((traceCurBlock & 0xFC) + 3)) memcpy(traceCard + blockShift + 6, trailerAccessBytes, 4);
@ -857,15 +868,6 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 			// set cryptosystem state
 			traceCrypto1 = lfsr_recovery64(ks2, ks3);
 //	nt = crypto1_word(traceCrypto1, nt ^ uid, 1) ^ nt;
 	/*	traceCrypto1 = crypto1_create(lfsr); // key in lfsr
 		crypto1_word(traceCrypto1, nt ^ uid, 0);
 		crypto1_word(traceCrypto1, ar, 1);
 		crypto1_word(traceCrypto1, 0, 0);
 		crypto1_word(traceCrypto1, 0, 0);*/
 			return 0;
 		} else {
 			traceState = TRACE_ERROR;