Merge pull request #125 from pwpiwi/hf_mifare_fix

(implementing suggestion #94)
2025-07-12 00:06:09 -07:00 · 2015-06-29 07:50:52 +02:00 · 2015-06-29 07:50:52 +02:00 · a88c28271c
commit a88c28271c
parent 86ed606758 dc8ba239fb
4 changed files with 83 additions and 43 deletions
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -2041,17 +2041,20 @@ void ReaderMifare(bool first_try)
 	LED_C_OFF();
 	#define DARKSIDE_MAX_TRIES	32		// number of tries to sync on PRNG cycle. Then give up.
 	uint16_t unsuccessfull_tries = 0;
 	for(uint16_t i = 0; TRUE; i++) {
 		LED_C_ON();
 		WDT_HIT();
 		// Test if the action was cancelled
 		if(BUTTON_PRESS()) {
 			isOK = -1;
 			break;
 		}
 		LED_C_ON();
 		if(!iso14443a_select_card(uid, NULL, &cuid)) {
 			if (MF_DBGLEVEL >= 1)	Dbprintf("Mifare: Can't select card");
 			continue;
@ -2086,8 +2089,14 @@ void ReaderMifare(bool first_try)
 				nt_attacked = nt;
 			}
 			else {
-				if (nt_distance == -99999) { // invalid nonce received, try again
+				if (nt_distance == -99999) { // invalid nonce received
-					continue;
+					unsuccessfull_tries++;
 					if (!nt_attacked && unsuccessfull_tries > DARKSIDE_MAX_TRIES) {
 						isOK = -3;		// Card has an unpredictable PRNG. Give up	
 						break;
 					} else {
 						continue;		// continue trying...
 					}
 				}
 				sync_cycles = (sync_cycles - nt_distance);
 				if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
@ -2149,6 +2158,10 @@ void ReaderMifare(bool first_try)
 			if (nt_diff == 0 && first_try)
 			{
 				par[0]++;
 				if (par[0] == 0x00) {		// tried all 256 possible parities without success. Card doesn't send NACK.
 					isOK = -2;
 					break;
 				}
 			} else {
 				par[0] = ((par[0] & 0x1F) + 1) | par_low;
 			}
@ -2165,7 +2178,7 @@ void ReaderMifare(bool first_try)
 	memcpy(buf + 16, ks_list, 8);
 	memcpy(buf + 24, mf_nr_ar, 4);
-	cmd_send(CMD_ACK,isOK,0,0,buf,28);
+	cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
 	// Thats it...
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -645,6 +645,9 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	// statistics on nonce distance
 	int16_t isOK = 0;
 	#define NESTED_MAX_TRIES 12
 	uint16_t unsuccessfull_tries = 0;
 	if (calibrate) {	// for first call only. Otherwise reuse previous calibration
 		LED_B_ON();
 		WDT_HIT();
@ -655,6 +658,12 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 		for (rtr = 0; rtr < 17; rtr++) {
 			// Test if the action was cancelled
 			if(BUTTON_PRESS()) {
 				isOK = -2;
 				break;
 			}
 			// prepare next select. No need to power down the card.
 			if(mifare_classic_halt(pcs, cuid)) {
 				if (MF_DBGLEVEL >= 1)	Dbprintf("Nested: Halt error");
@ -702,14 +711,17 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 					delta_time = auth2_time - auth1_time + 32;  // allow some slack for proper timing
 				}
 				if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);
 			} else {
 				unsuccessfull_tries++;
 				if (unsuccessfull_tries > NESTED_MAX_TRIES) {	// card isn't vulnerable to nested attack (random numbers are not predictable)
 					isOK = -3;
 				}
 			}
 		}
 		if (rtr <= 1)	return;
 		davg = (davg + (rtr - 1)/2) / (rtr - 1);
-		if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);
+		if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);
 		dmin = davg - 2;
 		dmax = davg + 2;
@ -722,7 +734,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	LED_C_ON();
 	//  get crypted nonces for target sector
-	for(i=0; i < 2; i++) { // look for exactly two different nonces
+	for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces
 		target_nt[i] = 0;
 		while(target_nt[i] == 0) { // continue until we have an unambiguous nonce
@ -800,7 +812,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 	memcpy(buf+16, &target_ks[1], 4);
 	LED_B_ON();
-	cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
+	cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));
 	LED_B_OFF();
 	if (MF_DBGLEVEL >= 3)	DbpString("NESTED FINISHED");
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -17,7 +17,7 @@ int CmdHF14AMifare(const char *Cmd)
 	uint32_t uid = 0;
 	uint32_t nt = 0, nr = 0;
 	uint64_t par_list = 0, ks_list = 0, r_key = 0;
-	uint8_t isOK = 0;
+	int16_t isOK = 0;
 	uint8_t keyBlock[8] = {0};
 	UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
@ -25,7 +25,7 @@ int CmdHF14AMifare(const char *Cmd)
 	// message
 	printf("-------------------------------------------------------------------------\n");
 	printf("Executing command. Expected execution time: 25sec on average  :-)\n");
-	printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");
+	printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");
 	printf("-------------------------------------------------------------------------\n");
@ -47,15 +47,20 @@ start:
 		}
 		UsbCommand resp;
-		if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+		if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
-			isOK  = resp.arg[0] & 0xff;
+			isOK  = resp.arg[0];
 			uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);
 			nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);
 			par_list = bytes_to_num(resp.d.asBytes +  8, 8);
 			ks_list = bytes_to_num(resp.d.asBytes +  16, 8);
 			nr = bytes_to_num(resp.d.asBytes + 24, 4);
 			printf("\n\n");
-			if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");
+			switch (isOK) {
 				case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;
 				case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;
 				case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;
 				default: ;
 			}
 			break;
 		}
 	}	
@ -622,8 +627,14 @@ int CmdHF14AMfNested(const char *Cmd)
 	if (cmdp == 'o') {
 		PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');
-		if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {
+		int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);
-			PrintAndLog("Nested error.");
+		if (isOK) {
 			switch (isOK) {
 				case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
 				case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
 				case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
 				default : PrintAndLog("Unknown Error.\n");
 			}
 			return 2;
 		}
 		key64 = bytes_to_num(keyBlock, 6);
@ -696,11 +707,17 @@ int CmdHF14AMfNested(const char *Cmd)
 				for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { 
 					if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
 					PrintAndLog("-----------------------------------------------");
-					if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {
+					int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);
-						PrintAndLog("Nested error.\n");
+					if(isOK) {
 						switch (isOK) {
 							case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
 							case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
 							case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
 							default : PrintAndLog("Unknown Error.\n");
 						}
 						free(e_sector);
-						return 2;					}
+						return 2;
-					else {
+					} else {
 						calibrate = false;
 					}
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@ -69,7 +69,7 @@ void* nested_worker_thread(void *arg)
 int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) 
 {
-	uint16_t i, len;
+	uint16_t i;
 	uint32_t uid;
 	UsbCommand resp;
@ -77,32 +77,30 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
 	struct Crypto1State *p1, *p2, *p3, *p4;
 	// flush queue
-	WaitForResponseTimeout(CMD_ACK,NULL,100);
+	WaitForResponseTimeout(CMD_ACK, NULL, 100);
 	UsbCommand c = {CMD_MIFARE_NESTED, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, calibrate}};
 	memcpy(c.d.asBytes, key, 6);
 	SendCommand(&c);
-	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
-		len = resp.arg[1];
+		return -1;
-		if (len == 2) {	
+	}
 	if (resp.arg[0]) {
 		return resp.arg[0];  // error during nested
 	}
 	memcpy(&uid, resp.d.asBytes, 4);
-			PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8);
+	PrintAndLog("uid:%08x trgbl=%d trgkey=%x", uid, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8);
 	for (i = 0; i < 2; i++) {
 		statelists[i].blockNo = resp.arg[2] & 0xff;
 		statelists[i].keyType = (resp.arg[2] >> 8) & 0xff;
 		statelists[i].uid = uid;
 		memcpy(&statelists[i].nt,  (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4);
 		memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4);
 	}
 		}
 		else {
 			PrintAndLog("Got 0 keys from proxmark."); 
 			return 1;
 		}
 	}
 	// calc keys