ADD: @donwan581 select keytype for the darkside attack.
This commit is contained in:
iceman1001
@@ -176,7 +176,16 @@ int CmdAnalyseCRC(const char *Cmd) {
|
||||
PrintAndLog("LEGIC: CRC8 : %X (0xC6 expected)", legic8);
|
||||
PrintAndLog("MAXIM: CRC8 : %X (0xA1 expected)", CRC8Maxim(dataStr, sizeof(dataStr)));
|
||||
PrintAndLog("DNP : CRC16: %X (0x82EA expected)", CRC16_DNP(dataStr, sizeof(dataStr)));
|
||||
PrintAndLog("CCITT: CRC16: %X (0xE5CC expected)", CRC16_CCITT(dataStr, sizeof(dataStr)));
|
||||
PrintAndLog("CCITT: CRC16: %X (0xE5CC expected)", CRC16_CCITT(dataStr, sizeof(dataStr)));
|
||||
|
||||
PrintAndLog("ICLASS org: CRC16: %X (0x expected)",iclass_crc16( (char*)dataStr, sizeof(dataStr)));
|
||||
PrintAndLog("ICLASS ice: CRC16: %X (0x expected)",CRC16_ICLASS(dataStr, sizeof(dataStr)));
|
||||
|
||||
|
||||
|
||||
uint8_t dataStr1234[] = { 0x1,0x2,0x3,0x4};
|
||||
PrintAndLog("ISO15693 org: : CRC16: %X (0xF0B8 expected)", Iso15693Crc(dataStr1234, sizeof(dataStr1234)));
|
||||
PrintAndLog("ISO15693 ice: : CRC16: %X (0xF0B8 expected)", CRC16_Iso15693(dataStr1234, sizeof(dataStr1234)));
|
||||
|
||||
free(data);
|
||||
return 0;
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
#include "ui.h" // PrintAndLog
|
||||
#include "util.h"
|
||||
#include "crc.h"
|
||||
#include "../common/iso15693tools.h"
|
||||
|
||||
int usage_analyse_lcr(void);
|
||||
int usage_analyse_checksum(void);
|
||||
|
||||
186
client/cmdhfmf.c
186
client/cmdhfmf.c
@@ -9,18 +9,18 @@
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
#include "cmdhfmf.h"
|
||||
#include "cmdhfmfhard.h"
|
||||
#include "nonce2key/nonce2key.h"
|
||||
|
||||
static int CmdHelp(const char *Cmd);
|
||||
int usage_hf14_mifare(void){
|
||||
PrintAndLog("Usage: hf mf mifare [h] <block number>");
|
||||
PrintAndLog("Usage: hf mf mifare [h] <block number> <A|B>");
|
||||
PrintAndLog("options:");
|
||||
PrintAndLog(" h this help");
|
||||
PrintAndLog(" <block number> (Optional) target other key A than block 0.");
|
||||
PrintAndLog(" h this help");
|
||||
PrintAndLog(" <block number> (Optional) target other block");
|
||||
PrintAndLog(" <A|B> (optional) target key type");
|
||||
PrintAndLog("samples:");
|
||||
PrintAndLog(" hf mf mifare");
|
||||
PrintAndLog(" hf mf mifare 16");
|
||||
PrintAndLog(" hf mf mifare 16 B");
|
||||
return 0;
|
||||
}
|
||||
int usage_hf14_mf1ksim(void){
|
||||
@@ -132,13 +132,18 @@ int CmdHF14AMifare(const char *Cmd) {
|
||||
uint64_t par_list = 0, ks_list = 0, r_key = 0;
|
||||
int16_t isOK = 0;
|
||||
int tmpchar;
|
||||
uint8_t blockNo = 0;
|
||||
uint8_t blockNo = 0, keytype = MIFARE_AUTH_KEYA;
|
||||
|
||||
char cmdp = param_getchar(Cmd, 0);
|
||||
if ( cmdp == 'H' || cmdp == 'h') return usage_hf14_mifare();
|
||||
|
||||
blockNo = param_get8(Cmd, 0);
|
||||
UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}};
|
||||
blockNo = param_get8(Cmd, 0);
|
||||
|
||||
cmdp = param_getchar(Cmd, 1);
|
||||
if (cmdp == 'B' || cmdp == 'b')
|
||||
keytype = MIFARE_AUTH_KEYB;
|
||||
|
||||
UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, keytype}};
|
||||
|
||||
// message
|
||||
printf("-------------------------------------------------------------------------\n");
|
||||
@@ -1315,45 +1320,121 @@ int CmdHF14AMfChk(const char *Cmd) {
|
||||
PrintAndLog("");
|
||||
return 0;
|
||||
}
|
||||
#define ATTACK_KEY_COUNT 8
|
||||
sector *k_sector = NULL;
|
||||
uint8_t k_sectorsCount = 16;
|
||||
void readerAttack(nonces_t data[], bool setEmulatorMem) {
|
||||
|
||||
// initialize storage for found keys
|
||||
if (k_sector == NULL);
|
||||
k_sector = calloc(k_sectorsCount, sizeof(sector));
|
||||
if (k_sector == NULL)
|
||||
return;
|
||||
|
||||
uint64_t key = 0;
|
||||
|
||||
// empty e_sector
|
||||
for(int i = 0; i < k_sectorsCount; ++i){
|
||||
k_sector[i].Key[0] = 0xffffffffffff;
|
||||
k_sector[i].Key[1] = 0xffffffffffff;
|
||||
k_sector[i].foundKey[0] = FALSE;
|
||||
k_sector[i].foundKey[1] = FALSE;
|
||||
}
|
||||
|
||||
printf("enter reader attack\n");
|
||||
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {
|
||||
if (data[i].ar2 > 0) {
|
||||
|
||||
if (tryMfk32(data[i], &key)) {
|
||||
PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"
|
||||
, (data[i].keytype) ? "B" : "A"
|
||||
, data[i].sector
|
||||
, key
|
||||
);
|
||||
|
||||
k_sector[i].Key[data[i].keytype] = key;
|
||||
k_sector[i].foundKey[data[i].keytype] = TRUE;
|
||||
|
||||
//set emulator memory for keys
|
||||
if (setEmulatorMem) {
|
||||
uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
|
||||
num_to_bytes( k_sector[i].Key[0], 6, memBlock);
|
||||
num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);
|
||||
mfEmlSetMem( memBlock, i*4 + 3, 1);
|
||||
PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
|
||||
, i*4 + 3
|
||||
, sprint_hex( memBlock, sizeof(memBlock))
|
||||
);
|
||||
}
|
||||
break;
|
||||
}
|
||||
//moebius attack
|
||||
// if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key)) {
|
||||
// PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]"
|
||||
// ,(data[i+ATTACK_KEY_COUNT].keytype) ? "B" : "A"
|
||||
// , data[i+ATTACK_KEY_COUNT].sector
|
||||
// , key
|
||||
// );
|
||||
// }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int CmdHF14AMf1kSim(const char *Cmd) {
|
||||
|
||||
uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
|
||||
uint8_t exitAfterNReads = 0;
|
||||
uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);
|
||||
int uidlen = 0;
|
||||
uint8_t pnr = 0;
|
||||
uint8_t cmdp = param_getchar(Cmd, 0);
|
||||
int uidlen = 0;
|
||||
bool setEmulatorMem = false;
|
||||
uint8_t cmdp = 0;
|
||||
bool errors = false;
|
||||
|
||||
if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim();
|
||||
|
||||
cmdp = param_getchar(Cmd, pnr);
|
||||
if (cmdp == 'u' || cmdp == 'U') {
|
||||
param_gethex_ex(Cmd, pnr+1, uid, &uidlen);
|
||||
switch(uidlen){
|
||||
case 20: flags = FLAG_10B_UID_IN_DATA; break;
|
||||
case 14: flags = FLAG_7B_UID_IN_DATA; break;
|
||||
case 8: flags = FLAG_4B_UID_IN_DATA; break;
|
||||
default: return usage_hf14_mf1ksim();
|
||||
while(param_getchar(Cmd, cmdp) != 0x00) {
|
||||
switch(param_getchar(Cmd, cmdp)) {
|
||||
case 'e':
|
||||
case 'E':
|
||||
setEmulatorMem = true;
|
||||
cmdp++;
|
||||
break;
|
||||
case 'h':
|
||||
case 'H':
|
||||
return usage_hf14_mf1ksim();
|
||||
case 'i':
|
||||
case 'I':
|
||||
flags |= FLAG_INTERACTIVE;
|
||||
cmdp++;
|
||||
break;
|
||||
case 'n':
|
||||
case 'N':
|
||||
exitAfterNReads = param_get8(Cmd, cmdp+1);
|
||||
cmdp += 2;
|
||||
break;
|
||||
case 'u':
|
||||
case 'U':
|
||||
param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
|
||||
switch(uidlen) {
|
||||
case 20: flags = FLAG_10B_UID_IN_DATA; break;
|
||||
case 14: flags = FLAG_7B_UID_IN_DATA; break;
|
||||
case 8: flags = FLAG_4B_UID_IN_DATA; break;
|
||||
default: return usage_hf14_mf1ksim();
|
||||
}
|
||||
cmdp +=2;
|
||||
break;
|
||||
case 'x':
|
||||
case 'X':
|
||||
flags |= FLAG_NR_AR_ATTACK;
|
||||
cmdp++;
|
||||
break;
|
||||
default:
|
||||
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
|
||||
errors = true;
|
||||
break;
|
||||
}
|
||||
pnr +=2;
|
||||
}
|
||||
|
||||
cmdp = param_getchar(Cmd, pnr);
|
||||
if (cmdp == 'n' || cmdp == 'N') {
|
||||
exitAfterNReads = param_get8(Cmd, pnr+1);
|
||||
pnr += 2;
|
||||
}
|
||||
|
||||
cmdp = param_getchar(Cmd, pnr);
|
||||
if (cmdp == 'i' || cmdp == 'I' ) {
|
||||
flags |= FLAG_INTERACTIVE;
|
||||
pnr++;
|
||||
}
|
||||
|
||||
cmdp = param_getchar(Cmd, pnr);
|
||||
if (cmdp == 'x' || cmdp == 'X') {
|
||||
flags |= FLAG_NR_AR_ATTACK;
|
||||
if(errors) break;
|
||||
}
|
||||
//Validations
|
||||
if(errors) return usage_hf14_mf1ksim();
|
||||
|
||||
PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) "
|
||||
, (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen>>1)
|
||||
@@ -1367,24 +1448,24 @@ int CmdHF14AMf1kSim(const char *Cmd) {
|
||||
SendCommand(&c);
|
||||
|
||||
if(flags & FLAG_INTERACTIVE) {
|
||||
uint8_t data[32];
|
||||
uint64_t key;
|
||||
UsbCommand resp;
|
||||
PrintAndLog("Press pm3-button or send another cmd to abort simulation");
|
||||
|
||||
nonces_t data[ATTACK_KEY_COUNT*2];
|
||||
UsbCommand resp;
|
||||
|
||||
while( !ukbhit() ){
|
||||
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
|
||||
|
||||
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
|
||||
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
|
||||
|
||||
memset(data, 0x00, sizeof(data));
|
||||
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
|
||||
|
||||
memcpy(data, resp.d.asBytes, len);
|
||||
key = 0;
|
||||
bool found = tryMfk32(data, &key);
|
||||
found ^= tryMfk32_moebius(data, &key);
|
||||
if ( found ) break;
|
||||
memcpy( data, resp.d.asBytes, sizeof(data) );
|
||||
readerAttack(data, setEmulatorMem);
|
||||
}
|
||||
|
||||
if (k_sector != NULL) {
|
||||
printKeyTable(k_sectorsCount, k_sector );
|
||||
free(k_sector);
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
@@ -1548,7 +1629,7 @@ int CmdHF14AMfSniff(const char *Cmd){
|
||||
int CmdHF14AMfDbg(const char *Cmd) {
|
||||
|
||||
char ctmp = param_getchar(Cmd, 0);
|
||||
if (strlen(Cmd) < 1 || ctmp == 'h'|| ctmp == 'H') return usage_hf14_dbg();
|
||||
if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_hf14_dbg();
|
||||
|
||||
uint8_t dbgMode = param_get8ex(Cmd, 0, 0, 10);
|
||||
if (dbgMode > 4) return usage_hf14_dbg();
|
||||
@@ -1572,7 +1653,6 @@ void printKeyTable( uint8_t sectorscnt, sector *e_sector ){
|
||||
}
|
||||
|
||||
// EMULATOR COMMANDS
|
||||
|
||||
int CmdHF14AMfEGet(const char *Cmd)
|
||||
{
|
||||
uint8_t blockNo = 0;
|
||||
@@ -1586,7 +1666,7 @@ int CmdHF14AMfEGet(const char *Cmd)
|
||||
|
||||
blockNo = param_get8(Cmd, 0);
|
||||
|
||||
PrintAndLog(" ");
|
||||
PrintAndLog("");
|
||||
if (!mfEmlGetMem(data, blockNo, 1)) {
|
||||
PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16));
|
||||
} else {
|
||||
|
||||
@@ -22,7 +22,10 @@
|
||||
#include "cmdparser.h"
|
||||
#include "common.h"
|
||||
#include "util.h"
|
||||
#include "mifarehost.h"
|
||||
//#include "mifarehost.h"
|
||||
#include "mifare.h" // nonces_t struct
|
||||
#include "cmdhfmfhard.h"
|
||||
#include "nonce2key/nonce2key.h"
|
||||
|
||||
int CmdHFMF(const char *Cmd);
|
||||
|
||||
@@ -56,5 +59,6 @@ int CmdHF14AMfCLoad(const char* cmd);
|
||||
int CmdHF14AMfCSave(const char* cmd);
|
||||
int CmdHf14MfDecryptBytes(const char *Cmd);
|
||||
|
||||
void readerAttack(nonces_t data[], bool setEmulatorMem);
|
||||
void printKeyTable( uint8_t sectorscnt, sector *e_sector );
|
||||
#endif
|
||||
|
||||
@@ -24,12 +24,15 @@
|
||||
#ifndef ROTR
|
||||
# define ROTR(x,n) (((uintmax_t)(x) >> (n)) | ((uintmax_t)(x) << ((sizeof(x) * 8) - (n))))
|
||||
#endif
|
||||
|
||||
#ifndef MIN
|
||||
# define MIN(a, b) (((a) < (b)) ? (a) : (b))
|
||||
#endif
|
||||
#ifndef MAX
|
||||
# define MAX(a, b) (((a) > (b)) ? (a) : (b))
|
||||
#endif
|
||||
|
||||
// Byte swapping
|
||||
#ifndef BSWAP_32
|
||||
# define BSWAP_32(x) \
|
||||
((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | \
|
||||
@@ -39,11 +42,13 @@
|
||||
# define BSWAP_16(x) ((( ((x) & 0xFF00 ) >> 8))| ( (((x) & 0x00FF) << 8)))
|
||||
#endif
|
||||
|
||||
// Boolean
|
||||
#define TRUE 1
|
||||
#define FALSE 0
|
||||
#define EVEN 0
|
||||
#define ODD 1
|
||||
|
||||
// Nibble logic
|
||||
#ifndef NIBBLE_HIGH
|
||||
# define NIBBLE_HIGH(b) ( (b & 0xF0) >> 4 )
|
||||
#endif
|
||||
@@ -57,6 +62,7 @@
|
||||
# define SWAP_NIBBLE(b) ( (NIBBLE_LOW(b)<< 4) | NIBBLE_HIGH(b))
|
||||
#endif
|
||||
|
||||
// Binary Encoded Digit
|
||||
#ifndef BCD2DEC
|
||||
# define BCD2DEC(bcd) HornerScheme(bcd, 0x10, 10)
|
||||
#endif
|
||||
@@ -64,6 +70,15 @@
|
||||
# define DEC2BCD(dec) HornerScheme(dec, 10, 0x10)
|
||||
#endif
|
||||
|
||||
// used for save/load files
|
||||
#ifndef FILE_PATH_SIZE
|
||||
# define FILE_PATH_SIZE 1000
|
||||
#endif
|
||||
|
||||
#ifndef ARRAYLEN
|
||||
# define ARRAYLEN(x) (sizeof(x)/sizeof((x)[0]))
|
||||
#endif
|
||||
|
||||
int ukbhit(void);
|
||||
|
||||
void AddLogLine(char *fileName, char *extData, char *c);
|
||||
|
||||
Reference in New Issue
Block a user