github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-14 10:36:58 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

1. fixed hf 14a mifare. added functionality to ignore one Nt

Browse source 
2. completed hf 14a nested
3. added hf 14a chk to check keys
5. added check keys to hf 14a mifare and hf 14a nested
6. added debug level to mifare commands
7. small bugs and improvements
This commit is contained in:
Merlokbr@gmail.com 2011-06-07 12:35:52 +00:00
commit f397b5cc87
16 changed files with 877 additions and 317 deletions
Download patch file Download diff file Expand all files Collapse all files

1
client/Makefile
View file

@ -43,6 +43,7 @@ CMDSRCS = \
nonce2key/crapto1.c\
nonce2key/crypto1.c\
nonce2key/nonce2key.c\
mifarehost.c\
crc16.c \
iso14443crc.c \
iso15693tools.c \

482
client/cmdhf14a.c
View file

@ -12,7 +12,8 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#include <unistd.h>
#include <ctype.h>
#include "util.h"
#include "iso14443crc.h"
#include "data.h"
@ -24,6 +25,7 @@
#include "cmdmain.h"
#include "nonce2key/nonce2key.h"
#include "nonce2key/crapto1.h"
#include "mifarehost.h"
static int CmdHelp(const char *Cmd);
@ -165,13 +167,18 @@ int CmdHF14AMifare(const char *Cmd)
uint32_t nt = 0;
uint64_t par_list = 0, ks_list = 0, r_key = 0;
uint8_t isOK = 0;
uint8_t keyBlock[6] = {0,0,0,0,0,0};
UsbCommand c = {CMD_READER_MIFARE, {strtol(Cmd, NULL, 0), 0, 0}};
if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, keyBlock, 8)) {
PrintAndLog("Nt must include 8 HEX symbols");
return 1;
}
UsbCommand c = {CMD_READER_MIFARE, {(uint32_t)bytes_to_num(keyBlock, 4), 0, 0}};
SendCommand(&c);
//flush queue
while (kbhit()) getchar();
while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ;
while (ukbhit()) getchar();
// message
printf("-------------------------------------------------------------------------\n");
@ -183,7 +190,7 @@ int CmdHF14AMifare(const char *Cmd)
// wait cycle
while (true) {
printf(".");
if (kbhit()) {
if (ukbhit()) {
getchar();
printf("\naborted via keyboard!\n");
break;
@ -211,79 +218,52 @@ int CmdHF14AMifare(const char *Cmd)
// execute original function from util nonce2key
if (nonce2key(uid, nt, par_list, ks_list, &r_key)) return 2;
printf("-------------------------------------------------------------------------\n");
printf("------------------------------------------------------------------\n");
PrintAndLog("Key found:%012llx \n", r_key);
num_to_bytes(r_key, 6, keyBlock);
isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);
if (!isOK)
PrintAndLog("Found valid key:%012llx", r_key);
else
PrintAndLog("Found invalid key. (");
return 0;
}
int CmdHF14AMfWrBl(const char *Cmd)
{
int i, temp;
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
const char *cmdp = Cmd;
const char *cmdpe = Cmd;
char cmdp = 0x00;
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf 14 mfwrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
PrintAndLog(" sample: hf 14a mfwrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
PrintAndLog(" sample: hf 14a mfwrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
return 0;
}
PrintAndLog("l: %s", Cmd);
// skip spaces
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
blockNo = strtol(cmdp, NULL, 0) & 0xff;
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (*cmdp != 'A' && *cmdp != 'a') {
keyType = 1;
blockNo = param_get8(Cmd, 0);
cmdp = param_getchar(Cmd, 1);
if (cmdp == 0x00) {
PrintAndLog("Key type must be A or B");
return 1;
}
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
// next value here:cmdpe
cmdpe = cmdp;
while (*cmdpe!=' ' && *cmdpe!='\t') cmdpe++;
while (*cmdpe==' ' || *cmdpe=='\t') cmdpe++;
if ((int)cmdpe - (int)cmdp != 13) {
PrintAndLog("Length of key must be 12 hex symbols");
return 0;
if (cmdp != 'A' && cmdp != 'a') keyType = 1;
if (param_gethex(Cmd, 2, key, 12)) {
PrintAndLog("Key must include 12 HEX symbols");
return 1;
}
for(i = 0; i < 6; i++) {
sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
key[i] = temp & 0xff;
cmdp++;
cmdp++;
}
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (strlen(cmdp) != 32) {
PrintAndLog("Length of block data must be 32 hex symbols");
return 0;
if (param_gethex(Cmd, 3, bldata, 32)) {
PrintAndLog("Block data must include 32 HEX symbols");
return 1;
}
for(i = 0; i < 16; i++) {
sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
bldata[i] = temp & 0xff;
cmdp++;
cmdp++;
}
PrintAndLog(" block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
PrintAndLog(" data: %s", sprint_hex(bldata, 16));
PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
PrintAndLog("--data: %s", sprint_hex(bldata, 16));
UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
@ -304,47 +284,31 @@ int CmdHF14AMfWrBl(const char *Cmd)
int CmdHF14AMfRdBl(const char *Cmd)
{
int i, temp;
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
const char *cmdp = Cmd;
char cmdp = 0x00;
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf 14 mfrdbl <block number> <key A/B> <key (12 hex symbols)>");
PrintAndLog(" sample: hf 14a mfrdbl 0 A FFFFFFFFFFFF ");
PrintAndLog(" sample: hf 14a mfrdbl 0 A FFFFFFFFFFFF ");
return 0;
}
// skip spaces
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
blockNo = strtol(cmdp, NULL, 0) & 0xff;
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (*cmdp != 'A' && *cmdp != 'a') {
keyType = 1;
blockNo = param_get8(Cmd, 0);
cmdp = param_getchar(Cmd, 1);
if (cmdp == 0x00) {
PrintAndLog("Key type must be A or B");
return 1;
}
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (strlen(cmdp) != 12) {
PrintAndLog("Length of key must be 12 hex symbols");
return 0;
if (cmdp != 'A' && cmdp != 'a') keyType = 1;
if (param_gethex(Cmd, 2, key, 12)) {
PrintAndLog("Key must include 12 HEX symbols");
return 1;
}
for(i = 0; i < 6; i++) {
sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
key[i] = temp & 0xff;
cmdp++;
cmdp++;
}
PrintAndLog(" block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
@ -355,7 +319,10 @@ int CmdHF14AMfRdBl(const char *Cmd)
uint8_t isOK = resp->arg[0] & 0xff;
uint8_t * data = resp->d.asBytes;
PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
if (isOK)
PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
else
PrintAndLog("isOk:%02x", isOK);
} else {
PrintAndLog("Command execute timeout");
}
@ -365,47 +332,38 @@ int CmdHF14AMfRdBl(const char *Cmd)
int CmdHF14AMfRdSc(const char *Cmd)
{
int i, temp;
int i;
uint8_t sectorNo = 0;
uint8_t keyType = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
const char *cmdp = Cmd;
uint8_t isOK = 0;
uint8_t * data = NULL;
char cmdp = 0x00;
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf 14 mfrdsc <sector number> <key A/B> <key (12 hex symbols)>");
PrintAndLog(" sample: hf 14a mfrdsc 0 A FFFFFFFFFFFF ");
PrintAndLog(" sample: hf 14a mfrdsc 0 A FFFFFFFFFFFF ");
return 0;
}
// skip spaces
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
sectorNo = strtol(cmdp, NULL, 0) & 0xff;
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (*cmdp != 'A' && *cmdp != 'a') {
keyType = 1;
sectorNo = param_get8(Cmd, 0);
if (sectorNo > 63) {
PrintAndLog("Sector number must be less than 64");
return 1;
}
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (strlen(cmdp) != 12) {
PrintAndLog("Length of key must be 12 hex symbols");
return 0;
cmdp = param_getchar(Cmd, 1);
if (cmdp == 0x00) {
PrintAndLog("Key type must be A or B");
return 1;
}
for(i = 0; i < 6; i++) {
sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
key[i] = temp & 0xff;
cmdp++;
cmdp++;
}
PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));
if (cmdp != 'A' && cmdp != 'a') keyType = 1;
if (param_gethex(Cmd, 2, key, 12)) {
PrintAndLog("Key must include 12 HEX symbols");
return 1;
}
PrintAndLog("--sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));
UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
@ -414,13 +372,14 @@ int CmdHF14AMfRdSc(const char *Cmd)
PrintAndLog(" ");
if (resp != NULL) {
uint8_t isOK = resp->arg[0] & 0xff;
uint8_t * data = resp->d.asBytes;
isOK = resp->arg[0] & 0xff;
data = resp->d.asBytes;
PrintAndLog("isOk:%02x", isOK);
for (i = 0; i < 2; i++) {
PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
}
if (isOK)
for (i = 0; i < 2; i++) {
PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
}
} else {
PrintAndLog("Command1 execute timeout");
}
@ -430,10 +389,12 @@ int CmdHF14AMfRdSc(const char *Cmd)
PrintAndLog(" ");
if (resp != NULL) {
uint8_t * data = resp->d.asBytes;
isOK = resp->arg[0] & 0xff;
data = resp->d.asBytes;
for (i = 0; i < 2; i++) {
PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
if (isOK)
for (i = 0; i < 2; i++) {
PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
}
} else {
PrintAndLog("Command2 execute timeout");
@ -444,115 +405,207 @@ int CmdHF14AMfRdSc(const char *Cmd)
int CmdHF14AMfNested(const char *Cmd)
{
int i, temp, len;
uint8_t sectorNo = 0;
int i, j, res, iterations;
sector * e_sector = NULL;
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t trgBlockNo = 0;
uint8_t trgKeyType = 0;
uint8_t blDiff = 0;
int SectorsCnt = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
uint8_t isEOF;
uint8_t * data;
uint32_t uid;
fnVector * vector = NULL;
int lenVector = 0;
UsbCommand * resp = NULL;
uint8_t keyBlock[16 * 6];
uint64_t key64 = 0;
const char *cmdp = Cmd;
char cmdp, ctmp;
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf 14a nested <sector number> <key A/B> <key (12 hex symbols)>");
PrintAndLog(" sample: hf 14a nested 0 A FFFFFFFFFFFF ");
PrintAndLog("Usage:");
PrintAndLog(" all sectors: hf 14a nested <card memory> <block number> <key A/B> <key (12 hex symbols)>");
PrintAndLog(" one sector: hf 14a nested o <block number> <key A/B> <key (12 hex symbols)>");
PrintAndLog(" <target block number> <target key A/B>");
PrintAndLog("card memory - 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");
PrintAndLog(" ");
PrintAndLog(" sample1: hf 14a nested 1 0 A FFFFFFFFFFFF ");
PrintAndLog(" sample2: hf 14a nested o 0 A FFFFFFFFFFFF 4 A");
return 0;
}
// skip spaces
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
sectorNo = strtol(cmdp, NULL, 0) & 0xff;
cmdp = param_getchar(Cmd, 0);
blockNo = param_get8(Cmd, 1);
ctmp = param_getchar(Cmd, 2);
if (ctmp == 0x00) {
PrintAndLog("Key type must be A or B");
return 1;
}
if (ctmp != 'A' && ctmp != 'a') keyType = 1;
if (param_gethex(Cmd, 3, key, 12)) {
PrintAndLog("Key must include 12 HEX symbols");
return 1;
}
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
if (*cmdp != 'A' && *cmdp != 'a') {
keyType = 1;
if (cmdp =='o' || cmdp == 'O') {
cmdp = 'o';
trgBlockNo = param_get8(Cmd, 4);
ctmp = param_getchar(Cmd, 5);
if (ctmp == 0x00) {
PrintAndLog("Target key type must be A or B");
return 1;
}
if (ctmp != 'A' && ctmp != 'a') trgKeyType = 1;
} else {
switch (cmdp) {
case '1': SectorsCnt = 16; break;
case '2': SectorsCnt = 32; break;
case '4': SectorsCnt = 64; break;
default: SectorsCnt = 16;
}
}
PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
if (cmdp == 'o')
PrintAndLog("--target block no:%02x target key type:%02x ", trgBlockNo, trgKeyType);
if (cmdp == 'o') {
if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) {
PrintAndLog("Nested error.");
return 2;
}
for (i = 0; i < 16; i++) {
PrintAndLog("cnt=%d key= %s", i, sprint_hex(keyBlock + i * 6, 6));
}
// test keys
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);
if (res)
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);
if (!res)
PrintAndLog("Found valid key:%012llx", key64);
else
PrintAndLog("No valid key found");
} else // ------------------------------------ multiple sectors working
{
blDiff = blockNo % 4;
PrintAndLog("Block shift=%d", blDiff);
e_sector = calloc(SectorsCnt, sizeof(sector));
if (e_sector == NULL) return 1;
//test current key 4 sectors
memcpy(keyBlock, key, 6);
num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 1 * 6));
num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 2 * 6));
num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 3 * 6));
num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 4 * 6));
num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));
PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
for (i = 0; i < SectorsCnt; i++) {
for (j = 0; j < 2; j++) {
if (e_sector[i].foundKey[j]) continue;
res = mfCheckKeys(i * 4 + blDiff, j, 6, keyBlock, &key64);
if (!res) {
e_sector[i].Key[j] = key64;
e_sector[i].foundKey[j] = 1;
}
}
}
// nested sectors
iterations = 0;
PrintAndLog("nested...");
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4)
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {
if (e_sector[trgBlockNo / 4].foundKey[trgKeyType]) continue;
if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) continue;
iterations++;
//try keys from nested
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);
if (res)
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);
if (!res) {
PrintAndLog("Found valid key:%012llx", key64);
e_sector[trgBlockNo / 4].foundKey[trgKeyType] = 1;
e_sector[trgBlockNo / 4].Key[trgKeyType] = key64;
}
}
}
PrintAndLog("Iterations count: %d", iterations);
//print them
PrintAndLog("|---|----------------|---|----------------|---|");
PrintAndLog("|blk|key A |res|key B |res|");
PrintAndLog("|---|----------------|---|----------------|---|");
for (i = 0; i < SectorsCnt; i++) {
PrintAndLog("|%03d| %012llx | %d | %012llx | %d |", i,
e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
}
PrintAndLog("|---|----------------|---|----------------|---|");
free(e_sector);
}
// next value
while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
while (*cmdp==' ' || *cmdp=='\t') cmdp++;
return 0;
}
if (strlen(cmdp) != 12) {
PrintAndLog("Length of key must be 12 hex symbols");
int CmdHF14AMfChk(const char *Cmd)
{
int i, res;
int keycnt = 0;
char ctmp = 0x00;
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t keyBlock[8 * 6];
uint64_t key64 = 0;
memset(keyBlock, 0x00, sizeof(keyBlock));
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf 14a chk <block number> <key A/B> [<key (12 hex symbols)>]");
PrintAndLog(" sample: hf 14a chk 0 A FFFFFFFFFFFF a0a1a2a3a4a5 b01b2b3b4b5 ");
return 0;
}
for(i = 0; i < 6; i++) {
sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
key[i] = temp & 0xff;
cmdp++;
cmdp++;
}
PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));
// flush queue
while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ;
UsbCommand c = {CMD_MIFARE_NESTED, {sectorNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
SendCommand(&c);
blockNo = param_get8(Cmd, 0);
ctmp = param_getchar(Cmd, 1);
if (ctmp == 0x00) {
PrintAndLog("Key type must be A or B");
return 1;
}
if (ctmp != 'A' && ctmp != 'a') keyType = 1;
for (i = 0; i < 6; i++) {
if (!isxdigit(param_getchar(Cmd, 2 + i))) break;
PrintAndLog("\n");
printf("-------------------------------------------------------------------------\n");
// wait cycle
while (true) {
printf(".");
if (kbhit()) {
getchar();
printf("\naborted via keyboard!\n");
break;
}
resp = WaitForResponseTimeout(CMD_ACK, 1500);
if (resp != NULL) {
isEOF = resp->arg[0] & 0xff;
data = resp->d.asBytes;
PrintAndLog("isEOF:%02x", isEOF);
for (i = 0; i < 2; i++) {
PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
}
if (isEOF) break;
len = resp->arg[1] & 0xff;
if (len == 0) continue;
memcpy(&uid, resp->d.asBytes, 4);
PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%d", uid, len, resp->arg[2] & 0xff, (resp->arg[2] >> 8) & 0xff);
vector = (fnVector *) realloc((void *)vector, (lenVector + len) * sizeof(fnVector) + 200);
if (vector == NULL) {
PrintAndLog("Memory allocation error for fnVector. len: %d bytes: %d", lenVector + len, (lenVector + len) * sizeof(fnVector));
break;
}
for (i = 0; i < len; i++) {
vector[lenVector + i].blockNo = resp->arg[2] & 0xff;
vector[lenVector + i].keyType = (resp->arg[2] >> 8) & 0xff;
vector[lenVector + i].uid = uid;
memcpy(&vector[lenVector + i].nt, (void *)(resp->d.asBytes + 8 + i * 8 + 0), 4);
memcpy(&vector[lenVector + i].ks1, (void *)(resp->d.asBytes + 8 + i * 8 + 4), 4);
PrintAndLog("i=%d nt:%08x ks1:%08x", i, vector[lenVector + i].nt, vector[lenVector + i].ks1);
}
lenVector += len;
if (param_gethex(Cmd, 2 + i, keyBlock + 6 * i, 12)) {
PrintAndLog("Key[%d] must include 12 HEX symbols", i);
return 1;
}
keycnt = i + 1;
}
if (keycnt == 0) {
PrintAndLog("There is must be at least one key");
return 1;
}
PrintAndLog("--block no:%02x key type:%02x key count:%d ", blockNo, keyType, keycnt);
// finalize
free(vector);
res = mfCheckKeys(blockNo, keyType, keycnt, keyBlock, &key64);
if (res !=1) {
if (!res)
PrintAndLog("isOk:%02x valid key:%012llx", 1, key64);
else
PrintAndLog("isOk:%02x", 0);
} else {
PrintAndLog("Command execute timeout");
}
return 0;
}
@ -654,6 +707,7 @@ static command_t CommandTable[] =
{"mfrdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
{"mfwrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
{"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
{"chk", CmdHF14AMfChk, 0, "Test block up to 8 keys"},
{"mfsim", CmdHF14AMf1kSim, 0, "Simulate MIFARE 1k card - NOT WORKING!!!"},
{"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
{"sim", CmdHF14ASim, 0, "<UID> -- Fake ISO 14443a tag"},
@ -663,6 +717,10 @@ static command_t CommandTable[] =
int CmdHF14A(const char *Cmd)
{
// flush
while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ;
// parse
CmdsParse(CommandTable, Cmd);
return 0;
}

2
client/cmdhf14a.h
View file

@ -12,8 +12,6 @@
#ifndef CMDHF14A_H__
#define CMDHF14A_H__
typedef struct fnVector { uint8_t blockNo, keyType; uint32_t uid, nt, ks1; } fnVector;
int CmdHF14A(const char *Cmd);
int CmdHF14AList(const char *Cmd);

2
client/cmdmain.c
View file

@ -63,7 +63,7 @@ UsbCommand * WaitForResponseTimeout(uint32_t response_type, uint32_t ms_timeout)
msleep(10); // XXX ugh
}
// There was evil BUG
// There was an evil BUG
memcpy(&current_response_user, &current_response, sizeof(UsbCommand));
ret = &current_response_user;

197
client/mifarehost.c Normal file
View file

@ -0,0 +1,197 @@
// Merlok, 2011
// people from mifare@nethemba.com, 2010
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency ISO14443A commands
//-----------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include "mifarehost.h"
int compar_int(const void * a, const void * b) {
return (*(uint64_t*)b - *(uint64_t*)a);
}
// Compare countKeys structure
int compar_special_int(const void * a, const void * b) {
return (((countKeys *)b)->count - ((countKeys *)a)->count);
}
countKeys * uniqsort(uint64_t * possibleKeys, uint32_t size) {
int i, j = 0;
int count = 0;
countKeys *our_counts;
qsort(possibleKeys, size, sizeof (uint64_t), compar_int);
our_counts = calloc(size, sizeof(countKeys));
if (our_counts == NULL) {
PrintAndLog("Memory allocation error for our_counts");
return NULL;
}
for (i = 0; i < size; i++) {
if (possibleKeys[i+1] == possibleKeys[i]) {
count++;
} else {
our_counts[j].key = possibleKeys[i];
our_counts[j].count = count;
j++;
count=0;
}
}
qsort(our_counts, j, sizeof(countKeys), compar_special_int);
return (our_counts);
}
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKeys)
{
int i, m, len;
uint8_t isEOF;
uint32_t uid;
fnVector * vector = NULL;
countKeys *ck;
int lenVector = 0;
UsbCommand * resp = NULL;
memset(resultKeys, 0x00, 16 * 6);
// flush queue
while (WaitForResponseTimeout(CMD_ACK, 500) != NULL) ;
UsbCommand c = {CMD_MIFARE_NESTED, {blockNo, keyType, trgBlockNo + trgKeyType * 0x100}};
memcpy(c.d.asBytes, key, 6);
SendCommand(&c);
PrintAndLog("\n");
// wait cycle
while (true) {
printf(".");
if (ukbhit()) {
getchar();
printf("\naborted via keyboard!\n");
break;
}
resp = WaitForResponseTimeout(CMD_ACK, 1500);
if (resp != NULL) {
isEOF = resp->arg[0] & 0xff;
if (isEOF) break;
len = resp->arg[1] & 0xff;
if (len == 0) continue;
memcpy(&uid, resp->d.asBytes, 4);
PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, resp->arg[2] & 0xff, (resp->arg[2] >> 8) & 0xff);
vector = (fnVector *) realloc((void *)vector, (lenVector + len) * sizeof(fnVector) + 200);
if (vector == NULL) {
PrintAndLog("Memory allocation error for fnVector. len: %d bytes: %d", lenVector + len, (lenVector + len) * sizeof(fnVector));
break;
}
for (i = 0; i < len; i++) {
vector[lenVector + i].blockNo = resp->arg[2] & 0xff;
vector[lenVector + i].keyType = (resp->arg[2] >> 8) & 0xff;
vector[lenVector + i].uid = uid;
memcpy(&vector[lenVector + i].nt, (void *)(resp->d.asBytes + 8 + i * 8 + 0), 4);
memcpy(&vector[lenVector + i].ks1, (void *)(resp->d.asBytes + 8 + i * 8 + 4), 4);
}
lenVector += len;
}
}
if (!lenVector) {
PrintAndLog("Got 0 keys from proxmark.");
return 1;
}
printf("------------------------------------------------------------------\n");
// calc keys
struct Crypto1State* revstate = NULL;
struct Crypto1State* revstate_start = NULL;
uint64_t lfsr;
int kcount = 0;
pKeys *pk;
if ((pk = (void *) malloc(sizeof(pKeys))) == NULL) return 1;
memset(pk, 0x00, sizeof(pKeys));
for (m = 0; m < lenVector; m++) {
// And finally recover the first 32 bits of the key
revstate = lfsr_recovery32(vector[m].ks1, vector[m].nt ^ vector[m].uid);
if (revstate_start == NULL) revstate_start = revstate;
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
lfsr_rollback_word(revstate, vector[m].nt ^ vector[m].uid, 0);
crypto1_get_lfsr(revstate, &lfsr);
// Allocate a new space for keys
if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) {
pk->size += MEM_CHUNK;
//fprintf(stdout, "New chunk by %d, sizeof %d\n", kcount, pk->size * sizeof(uint64_t));
pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t));
if (pk->possibleKeys == NULL) {
PrintAndLog("Memory allocation error for pk->possibleKeys");
return 1;
}
}
pk->possibleKeys[kcount] = lfsr;
kcount++;
revstate++;
}
free(revstate_start);
revstate_start = NULL;
}
// Truncate
if (kcount != 0) {
pk->size = --kcount;
if ((pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t))) == NULL) {
PrintAndLog("Memory allocation error for pk->possibleKeys");
return 1;
}
}
PrintAndLog("Total keys count:%d", kcount);
ck = uniqsort(pk->possibleKeys, pk->size);
// fill key array
for (i = 0; i < 16 ; i++) {
num_to_bytes(ck[i].key, 6, (uint8_t*)(resultKeys + i * 6));
}
// finalize
free(pk->possibleKeys);
free(pk);
free(ck);
free(vector);
return 0;
}
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key){
*key = 0;
UsbCommand c = {CMD_MIFARE_CHKKEYS, {blockNo, keyType, keycnt}};
memcpy(c.d.asBytes, keyBlock, 6 * keycnt);
SendCommand(&c);
UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 3000);
if (resp == NULL) return 1;
if ((resp->arg[0] & 0xff) != 0x01) return 2;
*key = bytes_to_num(resp->d.asBytes, 6);
return 0;
}

46
client/mifarehost.h Normal file
View file

@ -0,0 +1,46 @@
// Merlok, 2011
// people from mifare@nethemba.com, 2010
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency ISO14443A commands
//-----------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <conio.h>
#include "common.h"
#include "cmdmain.h"
#include "ui.h"
#include "data.h"
#include "proxusb.h"
#include "util.h"
#include "nonce2key/nonce2key.h"
#include "nonce2key/crapto1.h"
#define MEM_CHUNK 1000000
#define NESTED_SECTOR_RETRY 10
typedef struct fnVector { uint8_t blockNo, keyType; uint32_t uid, nt, ks1; } fnVector;
typedef struct {
uint64_t Key[2];
int foundKey[2];
} sector;
typedef struct {
uint64_t *possibleKeys;
uint32_t size;
} pKeys;
typedef struct {
uint64_t key;
int count;
} countKeys;
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys);
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key);

9
client/nonce2key/nonce2key.h
View file

@ -10,10 +10,15 @@
// MIFARE Darkside hack
//-----------------------------------------------------------------------------
#include "crapto1.h"
#ifndef __NONCE2KEY_H
#define __NONCE2KEY_H
#include <inttypes.h>
#include <stdio.h>
#include "crapto1.h"
typedef unsigned char byte_t;
int nonce2key(uint32_t uid, uint32_t nt, uint64_t par_info, uint64_t ks_info, uint64_t * key);
int nonce2key(uint32_t uid, uint32_t nt, uint64_t par_info, uint64_t ks_info, uint64_t * key);
#endif

139
client/util.c
View file

@ -8,8 +8,45 @@
// utilities
//-----------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "util.h"
#ifdef __linux__
int ukbhit(void)
{
int cnt = 0;
int error;
static struct termios Otty, Ntty;
tcgetattr( 0, &Otty);
Ntty = Otty;
Ntty.c_iflag = 0; /* input mode */
Ntty.c_oflag = 0; /* output mode */
Ntty.c_lflag &= ~ICANON; /* raw mode */
Ntty.c_cc[VMIN] = CMIN; /* minimum time to wait */
Ntty.c_cc[VTIME] = CTIME; /* minimum characters to wait for */
if (0 == (error = tcsetattr(0, TCSANOW, &Ntty))) {
error += ioctl(0, FIONREAD, &cnt);
error += tcsetattr(0, TCSANOW, &Otty);
}
return ( error == 0 ? cnt : -1 );
}
#else
#include <conio.h>
int ukbhit(void) {
return kbhit();
}
#endif
void print_hex(const uint8_t * data, const size_t len)
{
size_t i;
@ -49,3 +86,105 @@ uint64_t bytes_to_num(uint8_t* src, size_t len)
}
return num;
}
// -------------------------------------------------------------------------
// line - param line
// bg, en - symbol numbers in param line of beginning an ending parameter
// paramnum - param number (from 0)
// -------------------------------------------------------------------------
int param_getptr(const char *line, int *bg, int *en, int paramnum)
{
int i;
int len = strlen(line);
*bg = 0;
*en = 0;
// skip spaces
while (line[*bg] ==' ' || line[*bg]=='\t') (*bg)++;
if (*bg >= len) {
return 1;
}
for (i = 0; i < paramnum; i++) {
while (line[*bg]!=' ' && line[*bg]!='\t' && line[*bg] != '\0') (*bg)++;
while (line[*bg]==' ' || line[*bg]=='\t') (*bg)++;
if (line[*bg] == '\0') return 1;
}
*en = *bg;
while (line[*en] != ' ' && line[*en] != '\t' && line[*en] != '\0') (*en)++;
(*en)--;
return 0;
}
char param_getchar(const char *line, int paramnum)
{
int bg, en;
if (param_getptr(line, &bg, &en, paramnum)) return 0x00;
return line[bg];
}
uint8_t param_get8(const char *line, int paramnum)
{
return param_get8ex(line, paramnum, 10, 0);
}
uint8_t param_get8ex(const char *line, int paramnum, int deflt, int base)
{
int bg, en;
if (!param_getptr(line, &bg, &en, paramnum))
return strtol(&line[bg], NULL, base) & 0xff;
else
return deflt;
}
uint32_t param_get32ex(const char *line, int paramnum, int deflt, int base)
{
int bg, en;
if (!param_getptr(line, &bg, &en, paramnum))
return strtol(&line[bg], NULL, base);
else
return deflt;
}
uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base)
{
int bg, en;
if (!param_getptr(line, &bg, &en, paramnum))
return strtol(&line[bg], NULL, base);
else
return deflt;
return 0;
}
int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt)
{
int bg, en, temp, i;
if (hexcnt % 2)
return 1;
if (param_getptr(line, &bg, &en, paramnum)) return 1;
if (en - bg + 1 != hexcnt)
return 1;
for(i = 0; i < hexcnt; i += 2) {
if (!(isxdigit(line[bg + i]) && isxdigit(line[bg + i + 1])) ) return 1;
sscanf((char[]){line[bg + i], line[bg + i + 1], 0}, "%X", &temp);
data[i / 2] = temp & 0xff;
}
return 0;
}

10
client/util.h
View file

@ -11,7 +11,17 @@
#include <stdio.h>
#include <stdint.h>
int ukbhit(void);
void print_hex(const uint8_t * data, const size_t len);
char * sprint_hex(const uint8_t * data, const size_t len);
void num_to_bytes(uint64_t n, size_t len, uint8_t* dest);
uint64_t bytes_to_num(uint8_t* src, size_t len);
char param_getchar(const char *line, int paramnum);
uint8_t param_get8(const char *line, int paramnum);
uint8_t param_get8ex(const char *line, int paramnum, int deflt, int base);
uint32_t param_get32ex(const char *line, int paramnum, int deflt, int base);
uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base);
int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt);