Improve hf mf chk and hf mf nested
* hf mf chk. added interrupt of procedure by usb
* extract mifare default keys into separate module
* arm side multisector `hf mf chk`
* hf mf nested. change key search procedure
* hf mf nested. added key check after we have found a key.
* small fix hf list f
* hf mf chk. add timeout (arm side) and some tweaks.
* Fix typo in hf mf csave help
* Fix gcc 7 warning: '~' on an expression of type bool [-Wbool-operation], use logical ! not instead of ~
* Fix gcc 7 warning: ‘memset’ used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]
* Fix gcc 7 warning: warning: duplicate ‘const’ declaration specifier [-Wduplicate-decl-specifier]
* Improve 'Magic' Mifare tags detection
* Magic Mifare tags detection and version printing
* Magic s50/1k tag halt error correction for cload and csave
* hf mf c* commands for gen1b
* Use |= for bitwise operation
* gen1b: don't issue wipe command and don't expect response from WUPC1 magic command after a SELECT_UID: old UID display works in hf mf csetuid
* hf mf cgetsc compatibility for 4k
* hf mf csave compatibility for 4k
* hf mf cload compatibility for 4k, suppress halt errors messages for debug level 2
* Revert to MF_DBG_ERROR level in mifare_classic_halt() and don't issue the halt command for gen1b
* Improve 'Magic' Mifare tags generation detection & hf mf c* commands magic 4k compatibility
* Fix compile errors with MacOS
- _POSIX_C_SOURCE must not be defined for num_CPU()
* separate util_posix.c require changes in tools directory as well
* remove unnecessary self-include
This implements the attack described in
Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security, 2015
It uses precomputed tables for many bitflip properties (not only two as in the paper)
and is therefore quite efficient. To prevent failing it doesn't do
differential analysis with several nonce bytes' Sum(a8) properties (each of them
may be wrongly guessed) - instead it concentrates on one nonce byte and tries all
Sum(a8) property guesses sequentially (ordered by probability). The brute force phase
makes use of aczid's bit sliced brute forcer (https://github.com/aczid/crypto1_bs).
Includes runtime CPU-detection to leverage modern (and old) SIMD instructions
with a single executable.
- cleanup some header files and respective #includes
- rearrange functions (definition before first use)
- use SCNxxx instead of PRIxxx macros in scanf()
- use stdbool true/false instead of self defined TRUE/FALSE
helps get the data dumped even if positioning isn't 100% perfect.
also switched em4x05 commands to WaitUS instead of SpinDelayUs, per
@pwpiwi 's suggestion.
- correctly using stdtypes.h printf and scanf format string macros (PRIx64 et al)
- coverity fixes to client/cmdhfmf.c
- fix linker warning re missing entry point when linking fullimage.elf
- Don't increment the nonce when random mode is disabled (this breaks the
standard attack).
- Don't attempt the standard attack when random mode is enabled (there's no
point as it won't work, per comments from @pwpiwi).
- Attempt the moebius attack if the standard attack fails.
This makes the PM3 generate pseudo-random nonces rather than sequential
nonces, to make it act a bit more like a "real" MFC card. A reader would
otherwise be able to detect the PM3 probing based on the predictable nonces
and throw different authentication challenges (or refuse to authenticate at
all).
The code includes an implementation of a rand-like function (prand), similar
to the one from libc, which is seeded automatically based on the time it
takes between the PM3 starting up and the first call to the RNG.
This isn't cryptographically random, but should be "good enough" to be able
to evade basic detection.
Moebius attack didn't yield any better results in my testing so
disabling it, but allowing it to be re-enabled at will.
also disabled the auto logging of all keys with uid delimited file
stats.txt - can be uncommented when needed
also cleaned up some comments
note previous update added the creation of a stats.txt file to generate
statistics of the differences between std mfkey32 and the moebius
version.
- provided a BigBuf_malloc() function to dynamically allocate parts of BigBuf
e.g. for DMA-Buffers, Frame-Buffers, Emulator-Memory
- the whole rest of BigBuf is now available for traces (instead of a small fixed amount)
- send actual traceLen together with trace data
- changed client side to cope with varying traceLen
- changed small buffers to automatic variables instead of parts of BigBuf
