github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-07-16 02:03:00 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

improved command hf mf sniff. Now it cant decode nested authentication and cant write emulator files

Browse source
This commit is contained in:
Merlokbr@gmail.com 2012-07-16 14:49:51 +00:00
parent 39864b0bd4
commit 55acbb2a39
8 changed files with 357 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

6
armsrc/apps.h
View file

@ -70,6 +70,12 @@ void FpgaGatherVersion(char *dst, int len);
void FpgaSetupSsc(void); void FpgaSetupSsc(void);
void SetupSpi(int mode); void SetupSpi(int mode);
void FpgaSetupSscDma(uint8_t *buf, int len); void FpgaSetupSscDma(uint8_t *buf, int len);
void inline FpgaDisableSscDma(void){
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
}
void inline FpgaEnableSscDma(void){
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
}
void SetAdcMuxFor(uint32_t whichGpio); void SetAdcMuxFor(uint32_t whichGpio);
// Definitions for the FPGA commands. // Definitions for the FPGA commands.

9
armsrc/iso14443a.c
View file

@ -2416,7 +2416,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
if (++sniffCounter > 65) { if (++sniffCounter > 65) {
if (MfSniffSend(2000)) { if (MfSniffSend(2000)) {
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; FpgaEnableSscDma();
} }
sniffCounter = 0; sniffCounter = 0;
} }
@ -2442,7 +2442,7 @@ void RAMFUNC SniffMifare(uint8_t param) {
if (!AT91C_BASE_PDC_SSC->PDC_RCR) { if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf; AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
Dbprintf("RxEmpty ERROR!!! %d", dataLen); // temporary Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
} }
// secondary buffer sets as primary, secondary buffer was stopped // secondary buffer sets as primary, secondary buffer was stopped
if (!AT91C_BASE_PDC_SSC->PDC_RNCR) { if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
@ -2487,10 +2487,9 @@ void RAMFUNC SniffMifare(uint8_t param) {
DbpString("COMMAND FINISHED"); DbpString("COMMAND FINISHED");
done: done:
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; FpgaDisableSscDma();
MfSniffEnd(); MfSniffEnd();
Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt); Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x Uart.byteCntMax=%x", maxDataLen, Uart.state, Uart.byteCnt, Uart.byteCntMax);
Dbprintf("Uart.byteCntMax=%x, traceLen=%x", Uart.byteCntMax, traceLen);
LEDsoff(); LEDsoff();
} }

4
armsrc/mifaresniff.c
View file

@ -42,7 +42,7 @@ int MfSniffEnd(void){
int RAMFUNC MfSniffLogic(const uint8_t * data, int len, int bitCnt, int reader) { int RAMFUNC MfSniffLogic(const uint8_t * data, int len, int bitCnt, int reader) {
if ((len == 1) && (bitCnt = 9)) { if ((len == 1) && (bitCnt = 9) && (data[0] > 0x0F)) {
sniffState = SNF_INIT; sniffState = SNF_INIT;
} }
@ -163,7 +163,7 @@ int intMfSniffSend() {
if (!traceLen) return 0; if (!traceLen) return 0;
AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; FpgaDisableSscDma();
while (pckLen > 0) { while (pckLen > 0) {
pckSize = min(32, pckLen); pckSize = min(32, pckLen);

33
client/cmdhfmf.c
View file

@ -1542,6 +1542,13 @@ int CmdHF14AMfCSave(const char *Cmd) {
} }
int CmdHF14AMfSniff(const char *Cmd){ int CmdHF14AMfSniff(const char *Cmd){
// params
bool wantLogToFile = 0;
bool wantDecrypt = 0;
bool wantSaveToEml = 0;
bool wantSaveToEmlFile = 0;
//var
int res = 0; int res = 0;
int len = 0; int len = 0;
int blockLen = 0; int blockLen = 0;
@ -1556,11 +1563,25 @@ int CmdHF14AMfSniff(const char *Cmd){
memset(buf, 0x00, 3000); memset(buf, 0x00, 3000);
if (param_getchar(Cmd, 0) == 'h') { if (param_getchar(Cmd, 0) == 'h') {
PrintAndLog("Usage: hf mf sniff "); PrintAndLog("It continuously get data from the field and saves it to: log, emulator, emulator file.");
PrintAndLog(" sample: hf mf sniff "); PrintAndLog("You can specify:");
PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");
PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`");
PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");
PrintAndLog(" n/a r - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");
PrintAndLog("Usage: hf mf sniff [l][d][e][r]");
PrintAndLog(" sample: hf mf sniff l d e");
return 0; return 0;
} }
for (int i = 0; i < 4; i++) {
char ctmp = param_getchar(Cmd, i);
if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;
if (ctmp == 'd' || ctmp == 'D') wantDecrypt = true;
if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true;
if (ctmp == 'f' || ctmp == 'F') wantSaveToEmlFile = true;
}
printf("-------------------------------------------------------------------------\n"); printf("-------------------------------------------------------------------------\n");
printf("Executing command. \n"); printf("Executing command. \n");
printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n"); printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");
@ -1611,9 +1632,17 @@ int CmdHF14AMfSniff(const char *Cmd){
memcpy(uid, bufPtr + 2, 7); memcpy(uid, bufPtr + 2, 7);
memcpy(atqa, bufPtr + 2 + 7, 2); memcpy(atqa, bufPtr + 2 + 7, 2);
sak = bufPtr[11]; sak = bufPtr[11];
PrintAndLog("tag select uid:%s atqa:%02x %02x sak:0x%02x", sprint_hex(uid, 7), atqa[0], atqa[1], sak); PrintAndLog("tag select uid:%s atqa:%02x %02x sak:0x%02x", sprint_hex(uid, 7), atqa[0], atqa[1], sak);
if (wantLogToFile) {
FillFileNameByUID(logHexFileName, uid, ".log");
AddLogCurrentDT(logHexFileName);
}
if (wantDecrypt) mfTraceInit(uid, atqa, sak);
} else { } else {
PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len)); PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));
if (wantLogToFile) AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
if (wantDecrypt) mfTraceDecode(bufPtr, len);
} }
bufPtr += len; bufPtr += len;
num++; num++;

240
client/mifarehost.c
View file

@ -5,7 +5,7 @@
// at your option, any later version. See the LICENSE.txt file for the text of // at your option, any later version. See the LICENSE.txt file for the text of
// the license. // the license.
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
// High frequency ISO14443A commands // mifare commands
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
#include <stdio.h> #include <stdio.h>
@ -13,6 +13,7 @@
#include <string.h> #include <string.h>
#include "mifarehost.h" #include "mifarehost.h"
// MIFARE
int compar_int(const void * a, const void * b) { int compar_int(const void * a, const void * b) {
return (*(uint64_t*)b - *(uint64_t*)a); return (*(uint64_t*)b - *(uint64_t*)a);
@ -197,6 +198,8 @@ int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * key
return 0; return 0;
} }
// EMULATOR
int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount) { int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount) {
UsbCommand c = {CMD_MIFARE_EML_MEMGET, {blockNum, blocksCount, 0}}; UsbCommand c = {CMD_MIFARE_EML_MEMGET, {blockNum, blocksCount, 0}};
@ -216,6 +219,8 @@ int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
return 0; return 0;
} }
// "MAGIC" CARD
int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe) { int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe) {
uint8_t block0[16]; uint8_t block0[16];
memset(block0, 0, 16); memset(block0, 0, 16);
@ -267,3 +272,236 @@ int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) {
} }
return 0; return 0;
} }
// SNIFFER
// variables
char logHexFileName[200] = {0x00};
static uint8_t traceCard[4096];
static int traceState = TRACE_IDLE;
static uint8_t traceCurBlock = 0;
static uint8_t traceCurKey = 0;
struct Crypto1State *traceCrypto1 = NULL;
struct Crypto1State *revstate;
uint64_t lfsr;
uint32_t ks2;
uint32_t ks3;
uint32_t uid; // serial number
uint32_t nt; // tag challenge
uint32_t nr_enc; // encrypted reader challenge
uint32_t ar_enc; // encrypted reader response
uint32_t at_enc; // encrypted tag response
int mfTraceInit(uint8_t *tuid, uint8_t *atqa, uint8_t sak) {
if (traceCrypto1) crypto1_destroy(traceCrypto1);
traceCrypto1 = NULL;
memset(traceCard, 0x00, 4096);
memcpy(traceCard, tuid + 3, 4);
traceCard[4] = traceCard[0] ^ traceCard[1] ^ traceCard[2] ^ traceCard[3];
traceCard[5] = sak;
memcpy(&traceCard[6], atqa, 2);
traceCurBlock = 0;
uid = bytes_to_num(tuid + 3, 4);
traceState = TRACE_IDLE;
return 0;
}
void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *data, int len, bool isEncrypted){
uint8_t bt = 0;
int i;
if (len != 1) {
for (i = 0; i < len; i++)
data[i] = crypto1_byte(pcs, 0x00, isEncrypted) ^ data[i];
} else {
bt = 0;
for (i = 0; i < 4; i++)
bt |= (crypto1_bit(pcs, 0, isEncrypted) ^ BIT(data[0], i)) << i;
data[0] = bt;
}
return;
}
int mfTraceDecode(uint8_t *data_src, int len) {
uint8_t data[64];
if (traceState == TRACE_ERROR) return 1;
if (len > 64) {
traceState = TRACE_ERROR;
return 1;
}
memcpy(data, data_src, len);
if ((traceCrypto1) && ((traceState == TRACE_IDLE) || (traceState > TRACE_AUTH_OK))) {
mf_crypto1_decrypt(traceCrypto1, data, len, 0);
PrintAndLog("dec> %s", sprint_hex(data, len));
AddLogHex(logHexFileName, "dec> ", data, len);
}
switch (traceState) {
case TRACE_IDLE:
// TODO: check packet crc16!
// AUTHENTICATION
if ((len ==4) && ((data[0] == 0x60) || (data[0] == 0x61))) {
traceState = TRACE_AUTH1;
traceCurBlock = data[1];
traceCurKey = data[0] == 60 ? 1:0;
return 0;
}
// READ
if ((len ==4) && ((data[0] == 0x30))) {
traceState = TRACE_READ_DATA;
traceCurBlock = data[1];
return 0;
}
// WRITE
if ((len ==4) && ((data[0] == 0xA0))) {
traceState = TRACE_WRITE_OK;
traceCurBlock = data[1];
return 0;
}
// HALT
if ((len ==4) && ((data[0] == 0x50) && (data[1] == 0x00))) {
traceState = TRACE_ERROR; // do not decrypt the next commands
return 0;
}
return 0;
break;
case TRACE_READ_DATA:
if (len == 18) {
traceState = TRACE_IDLE;
memcpy(traceCard + traceCurBlock * 16, data, 16);
return 0;
} else {
traceState = TRACE_ERROR;
return 1;
}
break;
case TRACE_WRITE_OK:
if ((len == 1) && (data[0] = 0x0a)) {
traceState = TRACE_WRITE_DATA;
return 0;
} else {
traceState = TRACE_ERROR;
return 1;
}
break;
case TRACE_WRITE_DATA:
if (len == 18) {
traceState = TRACE_IDLE;
memcpy(traceCard + traceCurBlock * 16, data, 16);
return 0;
} else {
traceState = TRACE_ERROR;
return 1;
}
break;
case TRACE_AUTH1:
if (len == 4) {
traceState = TRACE_AUTH2;
nt = bytes_to_num(data, 4);
return 0;
} else {
traceState = TRACE_ERROR;
return 1;
}
break;
case TRACE_AUTH2:
if (len == 8) {
traceState = TRACE_AUTH_OK;
nr_enc = bytes_to_num(data, 4);
ar_enc = bytes_to_num(data + 4, 4);
return 0;
} else {
traceState = TRACE_ERROR;
return 1;
}
break;
case TRACE_AUTH_OK:
if (len ==4) {
traceState = TRACE_IDLE;
at_enc = bytes_to_num(data, 4);
// decode key here)
if (!traceCrypto1) {
ks2 = ar_enc ^ prng_successor(nt, 64);
ks3 = at_enc ^ prng_successor(nt, 96);
revstate = lfsr_recovery64(ks2, ks3);
lfsr_rollback_word(revstate, 0, 0);
lfsr_rollback_word(revstate, 0, 0);
lfsr_rollback_word(revstate, nr_enc, 1);
lfsr_rollback_word(revstate, uid ^ nt, 0);
}else{
ks2 = ar_enc ^ prng_successor(nt, 64);
ks3 = at_enc ^ prng_successor(nt, 96);
revstate = lfsr_recovery64(ks2, ks3);
lfsr_rollback_word(revstate, 0, 0);
lfsr_rollback_word(revstate, 0, 0);
lfsr_rollback_word(revstate, nr_enc, 1);
lfsr_rollback_word(revstate, uid ^ nt, 0);
}
crypto1_get_lfsr(revstate, &lfsr);
printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF));
AddLogUint64(logHexFileName, "key> ", lfsr);
if (traceCurKey) {
num_to_bytes(lfsr, 6, traceCard + traceCurBlock * 16 + 10);
} else {
num_to_bytes(lfsr, 6, traceCard + traceCurBlock * 16);
}
if (traceCrypto1) {
crypto1_destroy(traceCrypto1);
}
// set cryptosystem state
traceCrypto1 = lfsr_recovery64(ks2, ks3);
// nt = crypto1_word(traceCrypto1, nt ^ uid, 1) ^ nt;
/* traceCrypto1 = crypto1_create(lfsr); // key in lfsr
crypto1_word(traceCrypto1, nt ^ uid, 0);
crypto1_word(traceCrypto1, ar, 1);
crypto1_word(traceCrypto1, 0, 0);
crypto1_word(traceCrypto1, 0, 0);*/
return 0;
} else {
traceState = TRACE_ERROR;
return 1;
}
break;
default:
traceState = TRACE_ERROR;
return 1;
}
return 0;
}

15
client/mifarehost.h
View file

@ -31,6 +31,17 @@
#define CSETBLOCK_RESET_FIELD 0x10 #define CSETBLOCK_RESET_FIELD 0x10
#define CSETBLOCK_SINGLE_OPER 0x1F #define CSETBLOCK_SINGLE_OPER 0x1F
// mifare tracer flags
#define TRACE_IDLE 0x00
#define TRACE_AUTH1 0x01
#define TRACE_AUTH2 0x02
#define TRACE_AUTH_OK 0x03
#define TRACE_READ_DATA 0x04
#define TRACE_WRITE_OK 0x05
#define TRACE_WRITE_DATA 0x06
#define TRACE_ERROR 0xFF
typedef struct fnVector { uint8_t blockNo, keyType; uint32_t uid, nt, ks1; } fnVector; typedef struct fnVector { uint8_t blockNo, keyType; uint32_t uid, nt, ks1; } fnVector;
typedef struct { typedef struct {
@ -48,6 +59,8 @@ typedef struct {
int count; int count;
} countKeys; } countKeys;
extern char logHexFileName[200];
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys); int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys);
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key); int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key);
int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount); int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount);
@ -55,3 +68,5 @@ int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount);
int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe); int mfCSetUID(uint8_t *uid, uint8_t *oldUID, int wantWipe);
int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, int wantWipe, uint8_t params); int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, int wantWipe, uint8_t params);
int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params); int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params);
int mfTraceInit(uint8_t *tuid, uint8_t *atqa, uint8_t sak);
int mfTraceDecode(uint8_t *data_src, int len);

52
client/util.c
View file

@ -8,10 +8,6 @@
// utilities // utilities
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "util.h" #include "util.h"
#ifndef WIN32 #ifndef WIN32
@ -48,6 +44,54 @@ int ukbhit(void) {
} }
#endif #endif
// log files functions
void AddLogLine(char *fileName, char *extData, char *c) {
FILE *fLog = NULL;
fLog = fopen(fileName, "a");
if (!fLog) {
printf("Could not append log file %s", fileName);
return;
}
fprintf(fLog, "%s", extData);
fprintf(fLog, "%s\n", c);
fclose(fLog);
}
void AddLogHex(char *fileName, char *extData, const uint8_t * data, const size_t len){
AddLogLine(fileName, extData, sprint_hex(data, len));
}
void AddLogUint64(char *fileName, char *extData, const uint64_t data) {
char buf[100] = {0};
sprintf(buf, "%x%x", (unsigned int)((data & 0xFFFFFFFF00000000) >> 32), (unsigned int)(data & 0xFFFFFFFF));
AddLogLine(fileName, extData, buf);
}
void AddLogCurrentDT(char *fileName) {
char buff[20];
struct tm *curTime;
time_t now = time(0);
curTime = gmtime(&now);
strftime (buff, sizeof(buff), "%Y-%m-%d %H:%M:%S", curTime);
AddLogLine(fileName, "\nanticollision: ", buff);
}
void FillFileNameByUID(char *fileName, uint8_t * uid, char *ext) {
char * fnameptr = fileName;
memset(fileName, 0x00, 200);
for (int j = 0; j < 7; j++, fnameptr += 2)
sprintf(fnameptr, "%02x", uid[j]);
sprintf(fnameptr, "%s", ext);
printf("fname:%s", fileName);
}
// printing and converting functions
void print_hex(const uint8_t * data, const size_t len) void print_hex(const uint8_t * data, const size_t len)
{ {

12
client/util.h
View file

@ -10,9 +10,20 @@
#include <stdio.h> #include <stdio.h>
#include <stdint.h> #include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
int ukbhit(void); int ukbhit(void);
void AddLogLine(char *fileName, char *extData, char *c);
void AddLogHex(char *fileName, char *extData, const uint8_t * data, const size_t len);
void AddLogUint64(char *fileName, char *extData, const uint64_t data);
void AddLogCurrentDT(char *fileName);
void FillFileNameByUID(char *fileName, uint8_t * uid, char *ext);
void print_hex(const uint8_t * data, const size_t len); void print_hex(const uint8_t * data, const size_t len);
char * sprint_hex(const uint8_t * data, const size_t len); char * sprint_hex(const uint8_t * data, const size_t len);
@ -26,3 +37,4 @@ uint32_t param_get32ex(const char *line, int paramnum, int deflt, int base);
uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base); uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base);
int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt); int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt);
int param_getstr(const char *line, int paramnum, char * str); int param_getstr(const char *line, int paramnum, char * str);