github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-25 07:25:27 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge ec421250b6 into 086583f6d1

Browse source
This commit is contained in:
douniwan5788 2017-02-20 20:12:19 +00:00 committed by GitHub
commit c11de4a64b
11 changed files with 231 additions and 153 deletions
Download patch file Download diff file Expand all files Collapse all files

4
armsrc/appmain.c
View file

@ -452,7 +452,7 @@ void StandAloneMode14a()
SpinDelay(300); SpinDelay(300);
} }
} }
if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid)) if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, 1))
continue; continue;
else else
{ {
@ -1136,7 +1136,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
break; break;
case CMD_READER_MIFARE: case CMD_READER_MIFARE:
ReaderMifare(c->arg[0]); ReaderMifare(c->arg[0], c->arg[1], c->arg[2]);
break; break;
case CMD_MIFARE_READBL: case CMD_MIFARE_READBL:
MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);

2
armsrc/apps.h
View file

@ -114,7 +114,7 @@ void EPA_PACE_Collect_Nonce(UsbCommand * c);
void EPA_PACE_Replay(UsbCommand *c); void EPA_PACE_Replay(UsbCommand *c);
// mifarecmd.h // mifarecmd.h
void ReaderMifare(bool first_try); void ReaderMifare(bool first_try, uint8_t blockNo, uint8_t keyType);
int32_t dist_nt(uint32_t nt1, uint32_t nt2); int32_t dist_nt(uint32_t nt1, uint32_t nt2);
void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data); void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain); void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);

2
armsrc/epa.c
View file

@ -526,7 +526,7 @@ int EPA_Setup()
// power up the field // power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
// select the card // select the card
return_code = iso14443a_select_card(uid, &card_select_info, NULL); return_code = iso14443a_select_card(uid, &card_select_info, NULL, 0);
if (return_code == 1) { if (return_code == 1) {
// send the PPS request // send the PPS request
ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL); ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);

33
armsrc/iso14443a.c
View file

@ -1699,7 +1699,7 @@ int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
/* performs iso14443a anticollision procedure /* performs iso14443a anticollision procedure
* fills the uid pointer unless NULL * fills the uid pointer unless NULL
* fills resp_data unless NULL */ * fills resp_data unless NULL */
int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr) { int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, uint8_t no_rats) {
uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
uint8_t sel_all[] = { 0x93,0x20 }; uint8_t sel_all[] = { 0x93,0x20 };
uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
@ -1822,7 +1822,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
} }
// non iso14443a compliant tag // non iso14443a compliant tag
if( (sak & 0x20) == 0) return 2; // some Mifare/CPU hybird card won't response to Mifare command any more if send RATS command.
if( no_rats || (sak & 0x20) == 0) return 2;
// Request for answer to select // Request for answer to select
AppendCrc14443a(rats, 2); AppendCrc14443a(rats, 2);
@ -1927,7 +1928,7 @@ void ReaderIso14443a(UsbCommand *c)
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
if(!(param & ISO14A_NO_SELECT)) { if(!(param & ISO14A_NO_SELECT)) {
iso14a_card_select_t *card = (iso14a_card_select_t*)buf; iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
arg0 = iso14443a_select_card(NULL,card,NULL); arg0 = iso14443a_select_card(NULL,card,NULL,0);
cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t)); cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
} }
} }
@ -2023,16 +2024,18 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime" // Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
// (article by Nicolas T. Courtois, 2009) // (article by Nicolas T. Courtois, 2009)
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
void ReaderMifare(bool first_try) void ReaderMifare(bool first_try, uint8_t blockNo, uint8_t keyType)
{ {
// Mifare AUTH // Mifare AUTH
uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; uint8_t mf_auth[] = { 0x60 + (keyType & 0x01), blockNo ,0x00,0x00 };
uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
static uint8_t mf_nr_ar3; static uint8_t mf_nr_ar3;
uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE]; uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE]; uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
AppendCrc14443a(mf_auth, 2);
if (first_try) { if (first_try) {
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
} }
@ -2056,7 +2059,7 @@ void ReaderMifare(bool first_try)
byte_t par_list[8] = {0x00}; byte_t par_list[8] = {0x00};
byte_t ks_list[8] = {0x00}; byte_t ks_list[8] = {0x00};
#define PRNG_SEQUENCE_LENGTH (1 << 16); #define PRNG_SEQUENCE_LENGTH (1 << 16)
static uint32_t sync_time; static uint32_t sync_time;
static int32_t sync_cycles; static int32_t sync_cycles;
int catch_up_cycles = 0; int catch_up_cycles = 0;
@ -2124,7 +2127,7 @@ void ReaderMifare(bool first_try)
SpinDelay(100); SpinDelay(100);
} }
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
continue; continue;
} }
@ -2193,12 +2196,16 @@ void ReaderMifare(bool first_try)
isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly isOK = -4; // Card's PRNG runs at an unexpected frequency or resets unexpectedly
break; break;
} else { // continue for a while, just to collect some debug info } else { // continue for a while, just to collect some debug info
debug_info[strategy][debug_info_nr] = nt_distance; if (-1 != debug_info_nr)
debug_info_nr++; {
if (debug_info_nr == NUM_DEBUG_INFOS) { debug_info[strategy][debug_info_nr] = nt_distance;
strategy++; if (debug_info_nr == NUM_DEBUG_INFOS) {
debug_info_nr = 0; strategy++;
if (MF_DBGLEVEL >= 3) Dbprintf("strategy:%d", strategy);
debug_info_nr = 0;
}
} }
debug_info_nr++;
continue; continue;
} }
} }
@ -2217,6 +2224,7 @@ void ReaderMifare(bool first_try)
catch_up_cycles = -dist_nt(nt_attacked, nt); catch_up_cycles = -dist_nt(nt_attacked, nt);
if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one. if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
catch_up_cycles = 0; catch_up_cycles = 0;
if (MF_DBGLEVEL >= 3) Dbprintf("invalid nonce received. Don't resync on that one\n");
continue; continue;
} }
catch_up_cycles /= elapsed_prng_sequences; catch_up_cycles /= elapsed_prng_sequences;
@ -2269,6 +2277,7 @@ void ReaderMifare(bool first_try)
if (nt_diff == 0 && first_try) if (nt_diff == 0 && first_try)
{ {
par[0]++; par[0]++;
if (MF_DBGLEVEL >= 3) Dbprintf("par: %d\n",par[0]);
if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK. if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
isOK = -2; isOK = -2;
break; break;

2
armsrc/iso14443a.h
View file

@ -82,7 +82,7 @@ extern int ReaderReceive(uint8_t *receivedAnswer, uint8_t *par);
extern void iso14443a_setup(uint8_t fpga_minor_mode); extern void iso14443a_setup(uint8_t fpga_minor_mode);
extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data); extern int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data);
extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr); extern int iso14443a_select_card(uint8_t *uid_ptr, iso14a_card_select_t *resp_data, uint32_t *cuid_ptr, uint8_t no_rats);
extern void iso14a_set_trigger(bool enable); extern void iso14a_set_trigger(bool enable);
#endif /* __ISO14443A_H */ #endif /* __ISO14443A_H */

54
armsrc/mifarecmd.c
View file

@ -53,7 +53,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
LED_C_OFF(); LED_C_OFF();
while (true) { while (true) {
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
break; break;
}; };
@ -100,7 +100,7 @@ void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){
clear_trace(); clear_trace();
if(!iso14443a_select_card(NULL, NULL, NULL)) { if(!iso14443a_select_card(NULL, NULL, NULL, 1)) {
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
OnError(0); OnError(0);
return; return;
@ -135,7 +135,7 @@ void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
clear_trace(); clear_trace();
int len = iso14443a_select_card(NULL, NULL, NULL); int len = iso14443a_select_card(NULL, NULL, NULL, 1);
if(!len) { if(!len) {
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len); if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
OnError(1); OnError(1);
@ -211,7 +211,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
LED_C_OFF(); LED_C_OFF();
isOK = 1; isOK = 1;
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
isOK = 0; isOK = 0;
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
} }
@ -275,7 +275,7 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
return; return;
} }
int len = iso14443a_select_card(NULL, NULL, NULL); int len = iso14443a_select_card(NULL, NULL, NULL, 1);
if (!len) { if (!len) {
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len); if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);
OnError(1); OnError(1);
@ -377,7 +377,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
LED_C_OFF(); LED_C_OFF();
while (true) { while (true) {
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
break; break;
}; };
@ -431,7 +431,7 @@ void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)
clear_trace(); clear_trace();
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
if(!iso14443a_select_card(uid, NULL, NULL)) { if(!iso14443a_select_card(uid, NULL, NULL, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
OnError(0); OnError(0);
return; return;
@ -477,7 +477,7 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
clear_trace(); clear_trace();
if(!iso14443a_select_card(NULL, NULL, NULL)) { if(!iso14443a_select_card(NULL, NULL, NULL, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
OnError(0); OnError(0);
return; return;
@ -536,7 +536,7 @@ void MifareUSetPwd(uint8_t arg0, uint8_t *datain){
clear_trace(); clear_trace();
if(!iso14443a_select_card(NULL, NULL, NULL)) { if(!iso14443a_select_card(NULL, NULL, NULL, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
OnError(0); OnError(0);
return; return;
@ -672,7 +672,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
continue; continue;
} }
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
rtr--; rtr--;
continue; continue;
@ -746,7 +746,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
continue; continue;
} }
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");
continue; continue;
}; };
@ -861,7 +861,7 @@ void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error"); if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");
} }
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card"); if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");
break; break;
}; };
@ -954,7 +954,7 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
bool isOK = true; bool isOK = true;
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
isOK = false; isOK = false;
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
} }
@ -1054,15 +1054,12 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
// get UID from chip // get UID from chip
if (workFlags & 0x01) { if (workFlags & 0x01) {
if(!iso14443a_select_card(uid, NULL, &cuid)) { if(!iso14443a_select_card(uid, NULL, &cuid, 1)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
break; break;
}; };
if(mifare_classic_halt(NULL, cuid)) { mifare_classic_halt(NULL, cuid);
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
break;
};
}; };
// reset chip // reset chip
@ -1079,10 +1076,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
break; break;
}; };
if(mifare_classic_halt(NULL, cuid)) { mifare_classic_halt(NULL, cuid);
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
break;
};
}; };
// write block // write block
@ -1115,10 +1109,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
}; };
if (workFlags & 0x04) { if (workFlags & 0x04) {
if (mifare_classic_halt(NULL, cuid)) { mifare_classic_halt(NULL, cuid);
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
break;
};
} }
isOK = 1; isOK = 1;
@ -1192,10 +1183,7 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
memcpy(data, receivedAnswer, 18); memcpy(data, receivedAnswer, 18);
if (workFlags & 0x04) { if (workFlags & 0x04) {
if (mifare_classic_halt(NULL, cuid)) { mifare_classic_halt(NULL, cuid);
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
break;
};
} }
isOK = 1; isOK = 1;
@ -1222,6 +1210,7 @@ void MifareCIdent(){
// card commands // card commands
uint8_t wupC1[] = { 0x40 }; uint8_t wupC1[] = { 0x40 };
uint8_t wupC2[] = { 0x43 }; uint8_t wupC2[] = { 0x43 };
uint8_t halt_ret = 0;
// variables // variables
byte_t isOK = 1; byte_t isOK = 1;
@ -1239,7 +1228,8 @@ void MifareCIdent(){
isOK = 0; isOK = 0;
}; };
if (mifare_classic_halt(NULL, 0)) { halt_ret = mifare_classic_halt(NULL, 0);
if (halt_ret && halt_ret != 4) {
isOK = 0; isOK = 0;
}; };
@ -1259,7 +1249,7 @@ void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
clear_trace(); clear_trace();
int len = iso14443a_select_card(uid, NULL, &cuid); int len = iso14443a_select_card(uid, NULL, &cuid, 0);
if(!len) { if(!len) {
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card"); if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
OnError(1); OnError(1);

4
armsrc/mifareutil.c
View file

@ -511,7 +511,9 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
len = mifare_sendcmd_short(pcs, pcs == NULL ? false:true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL); len = mifare_sendcmd_short(pcs, pcs == NULL ? false:true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);
if (len != 0) { if (len != 0) {
if (MF_DBGLEVEL >= MF_DBG_ERROR) if (MF_DBGLEVEL >= MF_DBG_ERROR)
Dbprintf("halt error. response len: %x", len); Dbprintf("halt error. response len: %x data:%02X %02X %02X %02X", len, receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3]);
if (len == 1 && receivedAnswer[0]==0x04)
return 4;
return 1; return 1;
} }

31
client/cmdhfmf.c
View file

@ -20,7 +20,24 @@ int CmdHF14AMifare(const char *Cmd)
uint64_t par_list = 0, ks_list = 0, r_key = 0; uint64_t par_list = 0, ks_list = 0, r_key = 0;
int16_t isOK = 0; int16_t isOK = 0;
UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}}; uint8_t blockNo = 0, keyType = 0;
char cmdp = 0x00;
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf mf mifare <block number> <key A/B>");
PrintAndLog(" sample: hf mf mi 0 A");
return 0;
}
blockNo = param_get8(Cmd, 0);
cmdp = param_getchar(Cmd, 1);
if (cmdp == 0x00) {
PrintAndLog("Key type must be A or B");
return 1;
}
if (cmdp != 'A' && cmdp != 'a') keyType = 1;
UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, keyType}};
// message // message
printf("-------------------------------------------------------------------------\n"); printf("-------------------------------------------------------------------------\n");
@ -72,8 +89,16 @@ int CmdHF14AMifare(const char *Cmd)
// error // error
if (isOK != 1) return 1; if (isOK != 1) return 1;
// execute original function from util nonce2key if (par_list == 0)
if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) { {
//parity is all zero,try special attack!just wait for few more seconds...
isOK = magic_nonce2key(uid, nt, nr, par_list, ks_list, &r_key, blockNo, keyType);
} else {
// execute original function from util nonce2key
isOK = nonce2key(uid, nt, nr, par_list, ks_list, &r_key);
}
if (isOK) {
isOK = 2; isOK = 2;
PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt); PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);
PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce..."); PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");

133
client/mifarehost.c
View file

@ -67,6 +67,139 @@ void* nested_worker_thread(void *arg)
return statelist->head.slhead; return statelist->head.slhead;
} }
int compar_state(const void * a, const void * b) {
// didn't work: (the result is truncated to 32 bits)
//return (*(int64_t*)b - *(int64_t*)a);
// better:
if (*(int64_t*)b == *(int64_t*)a) return 0;
else if (*(int64_t*)b > *(int64_t*)a) return 1;
else return -1;
}
int magic_nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key, uint32_t blockNo, uint8_t keyType)
{
struct Crypto1State *state;
uint32_t i, pos, rr, nr_diff, key_count;//, ks1, ks2;
byte_t bt, ks3x[8], par[8][8];
uint64_t key_recovered;
int64_t *state_s;
static uint32_t last_uid;
static int64_t *last_keylist;
rr = 0;
if (last_uid != uid && last_keylist != NULL)
{
free(last_keylist);
last_keylist = NULL;
}
last_uid = uid;
// Reset the last three significant bits of the reader nonce
nr &= 0xffffff1f;
PrintAndLog("\nuid(%08x) nt(%08x) par(%016"llx") ks(%016"llx") nr(%08"llx")\n\n",uid,nt,par_info,ks_info,nr);
for (pos=0; pos<8; pos++)
{
ks3x[7-pos] = (ks_info >> (pos*8)) & 0x0f;
bt = (par_info >> (pos*8)) & 0xff;
for (i=0; i<8; i++)
{
par[7-pos][i] = (bt >> i) & 0x01;
}
}
printf("|diff|{nr} |ks3|ks3^5|parity |\n");
printf("+----+--------+---+-----+---------------+\n");
for (i=0; i<8; i++)
{
nr_diff = nr | i << 5;
printf("| %02x |%08x|",i << 5, nr_diff);
printf(" %01x | %01x |",ks3x[i], ks3x[i]^5);
for (pos=0; pos<7; pos++) printf("%01x,", par[i][pos]);
printf("%01x|\n", par[i][7]);
}
if (par_info==0)
PrintAndLog("parity is all zero,try special attack!just wait for few more seconds...");
state = lfsr_common_prefix(nr, rr, ks3x, par, par_info==0);
state_s = (int64_t*)state;
//char filename[50] ;
//sprintf(filename, "nt_%08x_%d.txt", nt, nr);
//printf("name %s\n", filename);
//FILE* fp = fopen(filename,"w");
for (i = 0; (state) && ((state + i)->odd != -1); i++)
{
lfsr_rollback_word(state+i, uid^nt, 0);
crypto1_get_lfsr(state + i, &key_recovered);
*(state_s + i) = key_recovered;
//fprintf(fp, "%012llx\n",key_recovered);
}
//fclose(fp);
if(!state)
return 1;
qsort(state_s, i, sizeof(*state_s), compar_state);
*(state_s + i) = -1;
//Create the intersection:
if (par_info == 0 )
if ( last_keylist != NULL)
{
int64_t *p1, *p2, *p3;
p1 = p3 = last_keylist;
p2 = state_s;
while ( *p1 != -1 && *p2 != -1 ) {
if (compar_state(p1, p2) == 0) {
printf("p1:%"llx" p2:%"llx" p3:%"llx" key:%012"llx"\n",(uint64_t)(p1-last_keylist),(uint64_t)(p2-state_s),(uint64_t)(p3-last_keylist),*p1);
*p3++ = *p1++;
p2++;
}
else {
while (compar_state(p1, p2) == -1) ++p1;
while (compar_state(p1, p2) == 1) ++p2;
}
}
key_count = p3 - last_keylist;;
}
else
key_count = 0;
else
{
last_keylist = state_s;
key_count = i;
}
printf("key_count:%d\n", key_count);
// The list may still contain several key candidates. Test each of them with mfCheckKeys
for (i = 0; i < key_count; i++) {
uint8_t keyBlock[6];
uint64_t key64;
key64 = *(last_keylist + i);
num_to_bytes(key64, 6, keyBlock);
key64 = 0;
if (!mfCheckKeys(blockNo, keyType, false, 1, keyBlock, &key64)) {
*key = key64;
free(last_keylist);
last_keylist = NULL;
if (par_info ==0)
free(state);
return 0;
}
}
free(last_keylist);
last_keylist = state_s;
*key = last_keylist;
return key_count+1;
}
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate)
{ {
uint16_t i; uint16_t i;

1
client/mifarehost.h
View file

@ -49,6 +49,7 @@ typedef struct {
extern char logHexFileName[FILE_PATH_SIZE]; extern char logHexFileName[FILE_PATH_SIZE];
int magic_nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key, uint32_t blockNo, uint8_t keyType);
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys, bool calibrate); int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys, bool calibrate);
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key); int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key);

118
client/nonce2key/nonce2key.c
View file

@ -15,36 +15,15 @@
#define llx PRIx64 #define llx PRIx64
#include "nonce2key.h" #include "nonce2key.h"
#include "mifarehost.h"
#include "ui.h" #include "ui.h"
int compar_state(const void * a, const void * b) {
// didn't work: (the result is truncated to 32 bits)
//return (*(int64_t*)b - *(int64_t*)a);
// better:
if (*(int64_t*)b == *(int64_t*)a) return 0;
else if (*(int64_t*)b > *(int64_t*)a) return 1;
else return -1;
}
int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) { int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) {
struct Crypto1State *state; struct Crypto1State *state, *state_s;
uint32_t i, pos, rr, nr_diff, key_count;//, ks1, ks2; uint32_t pos, rr, nr_diff;//, ks1, ks2;
byte_t bt, ks3x[8], par[8][8]; byte_t bt, i, ks3x[8], par[8][8];
uint64_t key_recovered; uint64_t key_recovered;
int64_t *state_s;
static uint32_t last_uid;
static int64_t *last_keylist;
rr = 0; rr = 0;
if (last_uid != uid && last_keylist != NULL)
{
free(last_keylist);
last_keylist = NULL;
}
last_uid = uid;
// Reset the last three significant bits of the reader nonce // Reset the last three significant bits of the reader nonce
nr &= 0xffffff1f; nr &= 0xffffff1f;
@ -71,83 +50,22 @@ int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_
printf("%01x|\n", par[i][7]); printf("%01x|\n", par[i][7]);
} }
if (par_info==0) state = lfsr_common_prefix(nr, rr, ks3x, par, 0);
PrintAndLog("parity is all zero,try special attack!just wait for few more seconds..."); state_s = 0;
for (i = 0; (state) && ((state + i)->odd != -1 || (state + i)->even != -1) && (i < 10); i++)
{
printf("%08x|%08x\n",(state+i)->odd, (state+i)->even);
state_s = state + i;
}
if (!state_s) return 1;
lfsr_rollback_word(state_s, uid^nt, 0);
crypto1_get_lfsr(state_s, &key_recovered);
if (!state) free(state);
*key = key_recovered;
state = lfsr_common_prefix(nr, rr, ks3x, par, par_info==0); return 0;
state_s = (int64_t*)state;
//char filename[50] ;
//sprintf(filename, "nt_%08x_%d.txt", nt, nr);
//printf("name %s\n", filename);
//FILE* fp = fopen(filename,"w");
for (i = 0; (state) && ((state + i)->odd != -1); i++)
{
lfsr_rollback_word(state+i, uid^nt, 0);
crypto1_get_lfsr(state + i, &key_recovered);
*(state_s + i) = key_recovered;
//fprintf(fp, "%012llx\n",key_recovered);
}
//fclose(fp);
if(!state)
return 1;
qsort(state_s, i, sizeof(*state_s), compar_state);
*(state_s + i) = -1;
//Create the intersection:
if (par_info == 0 )
if ( last_keylist != NULL)
{
int64_t *p1, *p2, *p3;
p1 = p3 = last_keylist;
p2 = state_s;
while ( *p1 != -1 && *p2 != -1 ) {
if (compar_state(p1, p2) == 0) {
printf("p1:%"llx" p2:%"llx" p3:%"llx" key:%012"llx"\n",(uint64_t)(p1-last_keylist),(uint64_t)(p2-state_s),(uint64_t)(p3-last_keylist),*p1);
*p3++ = *p1++;
p2++;
}
else {
while (compar_state(p1, p2) == -1) ++p1;
while (compar_state(p1, p2) == 1) ++p2;
}
}
key_count = p3 - last_keylist;;
}
else
key_count = 0;
else
{
last_keylist = state_s;
key_count = i;
}
printf("key_count:%d\n", key_count);
// The list may still contain several key candidates. Test each of them with mfCheckKeys
for (i = 0; i < key_count; i++) {
uint8_t keyBlock[6];
uint64_t key64;
key64 = *(last_keylist + i);
num_to_bytes(key64, 6, keyBlock);
key64 = 0;
if (!mfCheckKeys(0, 0, false, 1, keyBlock, &key64)) {
*key = key64;
free(last_keylist);
last_keylist = NULL;
if (par_info ==0)
free(state);
return 0;
}
}
free(last_keylist);
last_keylist = state_s;
return 1;
} }
// 32 bit recover key from 2 nonces // 32 bit recover key from 2 nonces