Using a dictionary file with 421keys,
Current implementation of checkkeys takes 300 sec.
This implementation of checkkeys takes 250 sec.
I implemented it as a separate command so it will be easier to compare between the old and new checkkeys.
Its also doing much on deviceside, which is a step to much funnier standalone modes :))
'hf iclass sniff' - playing with this one. Don't expect it to work yet :(
- increase dma_buffer_size to 256
- moved initialization to a own function. Just looks cleaner :)
- change the debug output to follow MF_DBGLEVEL
'hf mf sniff' - unnecessary cast removed
fix: 'hf mf hardnested' test cases doesn't need to verify key.
add: 'hf mf ' - collect nonces from classic tag.
chg: switch_off on armside, a more unified way, so we don't forget to turn of the antenna ...
chg: renamed 'hf iclass snoop' into 'hf iclass sniff' in an attempt to make all sniff/snoop commands only SNIFF
chg: 'standalone' -> starting the work of moving all standalone mods into a plugin kind of style, in its own folder.
ADD: 'hf mfu restore' - added a restore from file command, see helptext for instructions
CHG: some help-text updates and refactored to functions
CHG: 'hf mfu gen' - added the possibility to read uid from card as input
CHG: 'hf mfu dump' - refactored out the dump-printing
FIX: 'hf mf sim x i' - same as above.
In general we only use Moebius attack for "sim x", that means a clean up on device side code. simpler to understand. It still tries to gather 8 different collections of nonces combo. When one is complete, it get sent to client which runs moebius direct.
this version uses int64_t (signed) to signify end-of-lists (-1). It also needs its own compare function for the qsort. I didn't merge this into existing code which uses uint64_t. (too lazy)
- Fix `hf mf sim` to use nonce_t structures, so key recovery works
- Increases verbosity on the key recovery functionality
- Fix use-after-free for k_sector
- Add help info on `e` option to `hf mf sim`
J_Run's 2nd phase of multiple sector nested authentication key recovery
You have a known 4 last bytes of a key recovered with mf_nonce_brute tool.
First 2 bytes of key will be bruteforced
Usage: hf mf keybrute [h] <block number> <A|B> <key>
options:
h this help
<block number> target block number
<A|B> target key type
<key> candidate key from mf_nonce_brute tool
samples:
hf mf keybrute 1 A 000011223344
