MERGED: @holimans changes
MERGED: @piwi changes MERGED: @marshmellows changes. I'm not even gonna try to write up all that stuff. ADD: changed some commands inside the "hf 14a sim" on the device side. ADD: @mobeius "two nonce" version for mfkey32. It is also inside the "hf 14a sim" with the "x" parameter.
@@ -549,6 +549,7 @@ int CmdHF14ASim(const char *Cmd)
|
||||
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
|
||||
memcpy(data, resp.d.asBytes, len);
|
||||
tryMfk32(uid, data, key);
|
||||
tryMfk32_moebius(uid, data, key);
|
||||
//tryMfk64(uid, data, key);
|
||||
PrintAndLog("--");
|
||||
}
|
||||
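Review bot: The `tryMfk32_moebius(uid, data, key)` call (the two-nonce variant named in the commit message) is not given `len`, just like `tryMfk32` before it, and `len` is only capped at `sizeof(data)`, never checked against a minimum. If the device reports a short or zero `resp.arg[1]`, both helpers would presumably parse bytes the response never filled in. A guard ahead of the two calls that skips key recovery when `len` is smaller than the record the helpers expect would cover this; that record size is not visible in this hunk. The cap should also take `sizeof(resp.d.asBytes)` into account in case `data` is the larger buffer. CmdHF14ASim starts and ends outside the hunk.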
@@ -726,6 +727,7 @@ int CmdHF14ACmdRaw(const char *cmd) {
|
||||
c.arg[1] = (datalen & 0xFFFF) | (numbits << 16);
|
||||
memcpy(c.d.asBytes,data,datalen);
|
||||
|
||||
clearCommandBuffer();
|
||||
SendCommand(&c);
|
||||
|
||||
if (reply) {
|
||||
|
||||
@@ -1813,13 +1813,13 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
|
||||
|
||||
int CmdHF14AMfuELoad(const char *Cmd)
|
||||
{
|
||||
FILE * f;
|
||||
char filename[FILE_PATH_SIZE];
|
||||
char *fnameptr = filename;
|
||||
char buf[64] = {0x00};
|
||||
uint8_t buf8[64] = {0x00};
|
||||
int i, len, blockNum, numBlocks;
|
||||
int nameParamNo = 1;
|
||||
//FILE * f;
|
||||
//char filename[FILE_PATH_SIZE];
|
||||
//char *fnameptr = filename;
|
||||
//char buf[64] = {0x00};
|
||||
//uint8_t buf8[64] = {0x00};
|
||||
//int i, len, blockNum, numBlocks;
|
||||
//int nameParamNo = 1;
|
||||
|
||||
char ctmp = param_getchar(Cmd, 0);
|
||||
|
||||
|
||||
@@ -405,22 +405,45 @@ int CmdTune(const char *Cmd)
|
||||
int CmdVersion(const char *Cmd)
|
||||
{
|
||||
|
||||
clearCommandBuffer();
|
||||
UsbCommand c = {CMD_VERSION};
|
||||
static UsbCommand resp = {0, {0, 0, 0}};
|
||||
|
||||
|
||||
if (resp.arg[0] == 0 && resp.arg[1] == 0) { // no cached information available
|
||||
SendCommand(&c);
|
||||
if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && Cmd != NULL) {
|
||||
PrintAndLog("Prox/RFID mark3 RFID instrument");
|
||||
PrintAndLog((char*)resp.d.asBytes);
|
||||
lookupChipID(resp.arg[0], resp.arg[1]);
|
||||
}
|
||||
} else if (Cmd != NULL) {
|
||||
if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
|
||||
PrintAndLog("Prox/RFID mark3 RFID instrument");
|
||||
PrintAndLog((char*)resp.d.asBytes);
|
||||
lookupChipID(resp.arg[0], resp.arg[1]);
|
||||
}
|
||||
|
||||
} else {
|
||||
PrintAndLog("[[[ Cached information ]]]\n");
|
||||
PrintAndLog("Prox/RFID mark3 RFID instrument");
|
||||
PrintAndLog((char*)resp.d.asBytes);
|
||||
lookupChipID(resp.arg[0], resp.arg[1]);
|
||||
PrintAndLog("");
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CmdStatus(const char *Cmd)
|
||||
{
|
||||
UsbCommand c = {CMD_STATUS};
|
||||
SendCommand(&c);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CmdPing(const char *Cmd)
|
||||
{
|
||||
clearCommandBuffer();
|
||||
UsbCommand resp;
|
||||
UsbCommand c = {CMD_PING};
|
||||
SendCommand(&c);
|
||||
if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
|
||||
PrintAndLog("Ping successfull");
|
||||
}else{
|
||||
PrintAndLog("Ping failed");
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
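Review bot: Each `PrintAndLog((char*)resp.d.asBytes);` in CmdVersion passes bytes received from the device as the printf-style format string, so a `%` sequence in the version text (faulty or modified firmware) is interpreted as a conversion and makes the client read arguments that were never passed. All three call sites in this section should pass the text as an argument instead: `PrintAndLog("%s", (char*)resp.d.asBytes);`. Nothing visible here guarantees the buffer is NUL-terminated, so forcing a terminator into the last byte of `resp.d.asBytes` after a successful `WaitForResponseTimeout` would be a sensible addition. The old and new sides are not distinguishable in this rendering, so some of these calls may predate the commit.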
@@ -437,6 +460,8 @@ static command_t CommandTable[] =
|
||||
{"setmux", CmdSetMux, 0, "<loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific value"},
|
||||
{"tune", CmdTune, 0, "Measure antenna tuning"},
|
||||
{"version", CmdVersion, 0, "Show version information about the connected Proxmark"},
|
||||
{"status", CmdStatus, 0, "Show runtime status information about the connected Proxmark"},
|
||||
{"ping", CmdPing, 0, "Test if the pm3 is responsive"},
|
||||
{NULL, NULL, 0, NULL}
|
||||
};
|
||||
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
#include "cmdparser.h" // CmdsParse, CmdsHelp
|
||||
#include "cmdlfawid.h" // AWID function declarations
|
||||
#include "lfdemod.h" // parityTest
|
||||
|
||||
#include "cmdmain.h"
|
||||
static int CmdHelp(const char *Cmd);
|
||||
|
||||
|
||||
@@ -69,6 +69,7 @@ int CmdAWIDDemodFSK(const char *Cmd)
|
||||
if (Cmd[0]=='h' || Cmd[0] == 'H') return usage_lf_awid_fskdemod();
|
||||
UsbCommand c={CMD_AWID_DEMOD_FSK};
|
||||
c.arg[0]=findone;
|
||||
clearCommandBuffer();
|
||||
SendCommand(&c);
|
||||
return 0;
|
||||
}
|
||||
@@ -167,17 +168,18 @@ int CmdAWIDSim(const char *Cmd)
|
||||
c.arg[2] = 96; // Bitstream length: 96-bits == 12 bytes
|
||||
for (i=0; i < 96; i++)
|
||||
c.d.asBytes[i] = (BS[i/8] & (1<<(7-(i%8))))?1:0;
|
||||
SendCommand(&c);
|
||||
clearCommandBuffer();
|
||||
SendCommand(&c);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CmdAWIDClone(const char *Cmd)
|
||||
{
|
||||
clearCommandBuffer();
|
||||
uint32_t fc=0,cn=0,blocks[4] = {0x00107060, 0, 0, 0x11111111}, i=0;
|
||||
uint8_t BitStream[12];
|
||||
uint8_t *BS=BitStream;
|
||||
UsbCommand c;
|
||||
|
||||
UsbCommand c, resp;
|
||||
|
||||
if (sscanf(Cmd, "%u %u", &fc, &cn ) != 2) {
|
||||
return usage_lf_awid_clone();
|
||||
@@ -206,6 +208,11 @@ int CmdAWIDClone(const char *Cmd)
|
||||
c.arg[1] = i;
|
||||
c.arg[2] = 0;
|
||||
SendCommand(&c);
|
||||
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
|
||||
PrintAndLog("Error occurred, device did not respond during write operation.");
|
||||
return -1;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
#include "elf.h"
|
||||
#include "proxendian.h"
|
||||
#include "usb_cmd.h"
|
||||
#include "at91sam7s512.h"
|
||||
|
||||
void SendCommand(UsbCommand* txcmd);
|
||||
void ReceiveCommand(UsbCommand* rxcmd);
|
||||
@@ -352,12 +353,11 @@ static int enter_bootloader(char *serial_port_name)
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int wait_for_ack(void)
|
||||
static int wait_for_ack(UsbCommand *ack)
|
||||
{
|
||||
UsbCommand ack;
|
||||
ReceiveCommand(&ack);
|
||||
if (ack.cmd != CMD_ACK) {
|
||||
printf("Error: Unexpected reply 0x%04"llx" (expected ACK)\n", ack.cmd);
|
||||
ReceiveCommand(ack);
|
||||
if (ack->cmd != CMD_ACK) {
|
||||
printf("Error: Unexpected reply 0x%04"llx" (expected ACK)\n", ack->cmd);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
@@ -389,7 +389,7 @@ int flash_start_flashing(int enable_bl_writes,char *serial_port_name)
|
||||
c.arg[2] = 0;
|
||||
}
|
||||
SendCommand(&c);
|
||||
return wait_for_ack();
|
||||
return wait_for_ack(&c);
|
||||
} else {
|
||||
fprintf(stderr, "Note: Your bootloader does not understand the new START_FLASH command\n");
|
||||
fprintf(stderr, " It is recommended that you update your bootloader\n\n");
|
||||
@@ -409,7 +409,18 @@ static int write_block(uint32_t address, uint8_t *data, uint32_t length)
|
||||
c.arg[0] = address;
|
||||
memcpy(c.d.asBytes, block_buf, length);
|
||||
SendCommand(&c);
|
||||
return wait_for_ack();
|
||||
int ret = wait_for_ack(&c);
|
||||
if (ret && c.arg[0]) {
|
||||
uint32_t lock_bits = c.arg[0] >> 16;
|
||||
bool lock_error = c.arg[0] & AT91C_MC_LOCKE;
|
||||
bool prog_error = c.arg[0] & AT91C_MC_PROGE;
|
||||
bool security_bit = c.arg[0] & AT91C_MC_SECURITY;
|
||||
printf("%s", lock_error?" Lock Error\n":"");
|
||||
printf("%s", prog_error?" Invalid Command or bad Keyword\n":"");
|
||||
printf("%s", security_bit?" Security Bit is set!\n":"");
|
||||
printf(" Lock Bits: 0x%04x\n", lock_bits);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
// Write a file's segments to Flash
|
||||
|
||||
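Review bot: The status decode in write_block runs whenever `wait_for_ack(&c)` returns non-zero, which is the case for any reply that is not `CMD_ACK`. The `arg[0]` of an unrelated or corrupted reply would therefore be printed as `AT91C_MC_LOCKE` / `AT91C_MC_PROGE` / `AT91C_MC_SECURITY` flags and lock bits. Checking the reply command as well keeps the flash diagnostics trustworthy, e.g. `if (ret && c.cmd == CMD_NACK && c.arg[0]) {`, assuming the bootloader reports flash errors with `CMD_NACK`, which is not visible on this page. The new `wait_for_ack(UsbCommand *ack)` also overwrites the caller's command struct with the reply, here and in flash_start_flashing. A one-line comment on it such as `// ack: receives the device reply; callers reuse their tx struct` would document that, together with a note that `arg[0]` carries the flash status with the lock bits in its upper 16 bits.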
@@ -13,7 +13,7 @@
|
||||
#include "proxmark3.h"
|
||||
#include "flash.h"
|
||||
#include "uart.h"
|
||||
#include "../include/usb_cmd.h"
|
||||
#include "usb_cmd.h"
|
||||
|
||||
#ifdef _WIN32
|
||||
# define unlink(x)
|
||||
|
||||
@@ -50,6 +50,9 @@ typedef struct {
|
||||
#define CMD_BUFF_CLEAR 0x0105
|
||||
#define CMD_READ_MEM 0x0106
|
||||
#define CMD_VERSION 0x0107
|
||||
#define CMD_STATUS 0x0108
|
||||
#define CMD_PING 0x0109
|
||||
|
||||
|
||||
// For low-frequency tags
|
||||
#define CMD_READ_TI_TYPE 0x0202
|
||||
|
||||
@@ -20,7 +20,8 @@ local _commands = {
|
||||
CMD_BUFF_CLEAR = 0x0105,
|
||||
CMD_READ_MEM = 0x0106,
|
||||
CMD_VERSION = 0x0107,
|
||||
|
||||
CMD_STATUS = 0x0108,
|
||||
CMD_PING = 0x0109,
|
||||
--// For low-frequency tags
|
||||
CMD_READ_TI_TYPE = 0x0202,
|
||||
CMD_WRITE_TI_TYPE = 0x0203,
|
||||
|
||||
@@ -88,10 +88,33 @@ function mfcrack_inner()
|
||||
while not core.ukbhit() do
|
||||
local result = core.WaitForResponseTimeout(cmds.CMD_ACK,1000)
|
||||
if result then
|
||||
-- Unpacking the three arg-parameters
|
||||
local count,cmd,isOK = bin.unpack('LL',result)
|
||||
|
||||
if isOK ~= 1 then return nil, "Error occurred" end
|
||||
--[[
|
||||
I don't understand, they cmd and args are defined as uint32_t, however,
|
||||
looking at the returned data, they all look like 64-bit things:
|
||||
|
||||
print("result", bin.unpack("HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH", result))
|
||||
|
||||
FF 00 00 00 00 00 00 00 <-- 64 bits of data
|
||||
FE FF FF FF 00 00 00 00 <-- 64 bits of data
|
||||
00 00 00 00 00 00 00 00 <-- 64 bits of data
|
||||
00 00 00 00 00 00 00 00 <-- 64 bits of data
|
||||
04 7F 12 E2 00 <-- this is where 'data' starts
|
||||
|
||||
So below I use LI to pick out the "FEFF FFFF", don't know why it works..
|
||||
--]]
|
||||
-- Unpacking the arg-parameters
|
||||
local count,cmd,isOK = bin.unpack('LI',result)
|
||||
--print("response", isOK)--FF FF FF FF
|
||||
if isOK == 0xFFFFFFFF then
|
||||
return nil, "Button pressed. Aborted."
|
||||
elseif isOK == 0xFFFFFFFE then
|
||||
return nil, "Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests). You can try 'script run mfkeys' or 'hf mf chk' to test various known keys."
|
||||
elseif isOK == 0xFFFFFFFD then
|
||||
return nil, "Card is not vulnerable to Darkside attack (its random number generator is not predictable). You can try 'script run mfkeys' or 'hf mf chk' to test various known keys."
|
||||
elseif isOK ~= 1 then
|
||||
return nil, "Error occurred"
|
||||
end
|
||||
|
||||
|
||||
-- The data-part is left
|
||||
|
||||
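Review bot: The `'LI'` format in `bin.unpack('LI',result)` only lands on the status word if `L` is 8 bytes wide, matching the 64-bit `cmd` field in the hex dump. If `L` is the pack library's native unsigned long (an assumption, the library is not visible here), it is 4 bytes where long is 32-bit, and `isOK` would then be read from the upper half of `cmd`. The sentinel checks for `0xFFFFFFFF`, `0xFFFFFFFE` and `0xFFFFFFFD` would then never match. The "don't know why it works" block comment should be replaced by a short statement of the layout the dump shows: an 8-byte `cmd`, then 8-byte args, with `I` taking the low 32 bits of the first arg where the status code lives. mfcrack_inner starts and ends outside the hunk.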