diff --git a/INSTALL b/INSTALL deleted file mode 100644 index 7d1c323..0000000 --- a/INSTALL +++ /dev/null 
@@ -1,365 +0,0 @@ -Installation Instructions -************************* - -Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, -2006, 2007, 2008, 2009 Free Software Foundation, Inc. - - Copying and distribution of this file, with or without modification, -are permitted in any medium without royalty provided the copyright -notice and this notice are preserved. This file is offered as-is, -without warranty of any kind. - -Basic Installation -================== - - Briefly, the shell commands `./configure; make; make install' should -configure, build, and install this package. The following -more-detailed instructions are generic; see the `README' file for -instructions specific to this package. Some packages provide this -`INSTALL' file but do not implement all of the features documented -below. The lack of an optional feature in a given package is not -necessarily a bug. More recommendations for GNU packages can be found -in *note Makefile Conventions: (standards)Makefile Conventions. - - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). - - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. Caching is -disabled by default to prevent problems with accidental use of stale -cache files. 
- - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you -may remove or edit it. - - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You need `configure.ac' if -you want to change it or regenerate `configure' using a newer version -of `autoconf'. - - The simplest way to compile this package is: - - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. - - Running `configure' might take a while. While running, it prints - some messages telling which features it is checking for. - - 2. Type `make' to compile the package. - - 3. Optionally, type `make check' to run any self-tests that come with - the package, generally using the just-built uninstalled binaries. - - 4. Type `make install' to install the programs and any data files and - documentation. When installing into a prefix owned by root, it is - recommended that the package be configured and built as a regular - user, and only the `make install' phase executed with root - privileges. - - 5. Optionally, type `make installcheck' to repeat any self-tests, but - this time using the binaries in their final installed location. - This target does not install anything. Running this target as a - regular user, particularly if the prior `make install' required - root privileges, verifies that the installation completed - correctly. - - 6. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. 
There is - also a `make maintainer-clean' target, but that is intended mainly - for the package's developers. If you use it, you may have to get - all sorts of other programs in order to regenerate files that came - with the distribution. - - 7. Often, you can also type `make uninstall' to remove the installed - files again. In practice, not all packages have tested that - uninstallation works correctly, even though it is required by the - GNU Coding Standards. - - 8. Some packages, particularly those that use Automake, provide `make - distcheck', which can by used by developers to test that all other - targets like `make install' and `make uninstall' work correctly. - This target is generally not run by end users. - -Compilers and Options -===================== - - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' -for details on some of the pertinent environment variables. - - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: - - ./configure CC=c99 CFLAGS=-g LIBS=-lposix - - *Note Defining Variables::, for more details. - -Compiling For Multiple Architectures -==================================== - - You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you can use GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. This -is known as a "VPATH" build. - - With a non-GNU `make', it is safer to compile the package for one -architecture at a time in the source code directory. 
After you have -installed the package for one architecture, use `make distclean' before -reconfiguring for another architecture. - - On MacOS X 10.5 and later systems, you can create libraries and -executables that work on multiple system types--known as "fat" or -"universal" binaries--by specifying multiple `-arch' options to the -compiler but only a single `-arch' option to the preprocessor. Like -this: - - ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CPP="gcc -E" CXXCPP="g++ -E" - - This is not guaranteed to produce working output in all cases, you -may have to build one architecture at a time and combine the results -using the `lipo' tool if you have problems. - -Installation Names -================== - - By default, `make install' installs the package's commands under -`/usr/local/bin', include files under `/usr/local/include', etc. You -can specify an installation prefix other than `/usr/local' by giving -`configure' the option `--prefix=PREFIX', where PREFIX must be an -absolute file name. - - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -pass the option `--exec-prefix=PREFIX' to `configure', the package uses -PREFIX as the prefix for installing programs and libraries. -Documentation and other data files still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=DIR' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. In general, the -default for these options is expressed in terms of `${prefix}', so that -specifying just `--prefix' will affect all of the other directory -specifications that were not explicitly provided. 
- - The most portable way to affect installation locations is to pass the -correct locations to `configure'; however, many packages provide one or -both of the following shortcuts of passing variable assignments to the -`make install' command line to change installation locations without -having to reconfigure or recompile. - - The first method involves providing an override variable for each -affected directory. For example, `make install -prefix=/alternate/directory' will choose an alternate location for all -directory configuration variables that were expressed in terms of -`${prefix}'. Any directories that were specified during `configure', -but not in terms of `${prefix}', must each be overridden at install -time for the entire installation to be relocated. The approach of -makefile variable overrides for each directory variable is required by -the GNU Coding Standards, and ideally causes no recompilation. -However, some platforms have known limitations with the semantics of -shared libraries that end up requiring recompilation when using this -method, particularly noticeable in packages that use GNU Libtool. - - The second method involves providing the `DESTDIR' variable. For -example, `make install DESTDIR=/alternate/directory' will prepend -`/alternate/directory' before all installation names. The approach of -`DESTDIR' overrides is not required by the GNU Coding Standards, and -does not work on platforms that have drive letters. On the other hand, -it does better at avoiding recompilation issues, and works well even -when some directory options were not specified in terms of `${prefix}' -at `configure' time. - -Optional Features -================= - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. 
- - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - - Some packages offer the ability to configure how verbose the -execution of `make' will be. For these packages, running `./configure ---enable-silent-rules' sets the default to minimal output, which can be -overridden with `make V=1'; while running `./configure ---disable-silent-rules' sets the default to verbose, which can be -overridden with `make V=0'. - -Particular systems -================== - - On HP-UX, the default C compiler is not ANSI C compatible. If GNU -CC is not installed, it is recommended to use the following options in -order to use an ANSI C compiler: - - ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" - -and if that doesn't work, install pre-built binaries of GCC for HP-UX. - - On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot -parse its `' header file. The option `-nodtk' can be used as -a workaround. If GNU CC is not installed, it is therefore recommended -to try - - ./configure CC="cc" - -and if that doesn't work, try - - ./configure CC="cc -nodtk" - - On Solaris, don't put `/usr/ucb' early in your `PATH'. This -directory contains several dysfunctional programs; working variants of -these programs are available in `/usr/bin'. So, if you need `/usr/ucb' -in your `PATH', put it _after_ `/usr/bin'. - - On Haiku, software installed for all users goes in `/boot/common', -not `/usr/local'. 
It is recommended to use the following options: - - ./configure --prefix=/boot/common - -Specifying the System Type -========================== - - There may be some features `configure' cannot figure out -automatically, but needs to determine by the type of machine the package -will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints -a message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: - - CPU-COMPANY-SYSTEM - -where SYSTEM can have one of these forms: - - OS - KERNEL-OS - - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the machine type. - - If you are _building_ compiler tools for cross-compiling, you should -use the option `--target=TYPE' to select the type of system they will -produce code for. - - If you want to _use_ a cross compiler, that generates code for a -platform different from the build platform, you should specify the -"host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. - -Sharing Defaults -================ - - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. - -Defining Variables -================== - - Variables not defined in a site shell script can be set in the -environment passed to `configure'. 
However, some packages may run -configure again during the build, and the customized values of these -variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: - - ./configure CC=/usr/local2/bin/gcc - -causes the specified `gcc' to be used as the C compiler (unless it is -overridden in the site shell script). - -Unfortunately, this technique does not work for `CONFIG_SHELL' due to -an Autoconf bug. Until the bug is fixed you can use this workaround: - - CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash - -`configure' Invocation -====================== - - `configure' recognizes the following options to control how it -operates. - -`--help' -`-h' - Print a summary of all of the options to `configure', and exit. - -`--help=short' -`--help=recursive' - Print a summary of the options unique to this package's - `configure', and exit. The `short' variant lists options used - only in the top level, while the `recursive' variant lists options - also present in any nested packages. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' - script, and exit. - -`--cache-file=FILE' - Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to - disable caching. - -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' - Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error - messages will still be shown). - -`--srcdir=DIR' - Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. - -`--prefix=DIR' - Use DIR as the installation prefix. *note Installation Names:: - for more details, including other options available for fine-tuning - the installation locations. 
- -`--no-create' -`-n' - Run the configure checks, but stop before creating any output - files. - -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. - diff --git a/configure.ac b/configure.ac index 6aef785..0918f1d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([mfoc], [0.10.3], [mifare@nethemba.com]) +AC_INIT([mfoc],[0.10.3],[mifare@nethemba.com]) AC_CONFIG_MACRO_DIR([m4]) @@ -13,8 +13,8 @@ AM_INIT_AUTOMAKE m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])]) # Checks for pkg-config modules. -LIBNFC_REQUIRED_VERSION=1.5.1 -PKG_CHECK_MODULES([LIBNFC], [libnfc >= $LIBNFC_REQUIRED_VERSION], [], [AC_MSG_ERROR([libnfc >= $LIBNFC_REQUIRED_VERSION is mandatory.])]) +LIBNFC_REQUIRED_VERSION=1.6.0 +PKG_CHECK_MODULES([libnfc], [libnfc >= $LIBNFC_REQUIRED_VERSION], [], [AC_MSG_ERROR([libnfc >= $LIBNFC_REQUIRED_VERSION is mandatory.])]) PKG_CONFIG_REQUIRES="libnfc" AC_SUBST([PKG_CONFIG_REQUIRES]) @@ -34,6 +34,9 @@ AC_FUNC_MALLOC AC_FUNC_REALLOC AC_CHECK_FUNCS([memset]) +# C99 +CFLAGS="$CFLAGS -std=c99" + AC_CONFIG_FILES([Makefile src/Makefile]) AC_OUTPUT diff --git a/debian/control b/debian/control index ca02158..2f41428 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: mfoc Section: utils Priority: extra Maintainer: Thomas Hood -Build-Depends: debhelper (>= 7.0.50~), dh-autoreconf, libnfc-dev (>= 1.5.1), pkg-config +Build-Depends: debhelper (>= 7.0.50~), dh-autoreconf, libnfc-dev (>= 1.6.0), pkg-config Standards-Version: 3.9.2 Homepage: http://code.google.com/p/nfc-tools/wiki/mfoc Vcs-Svn: http://nfc-tools.googlecode.com/svn/trunk/mfoc 
@@ -10,7 +10,7 @@ Vcs-Browser: http://code.google.com/p/nfc-tools/source/browse/#svn/trunk/mfoc Package: mfoc Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libnfc2 (>= 1.5.0) +Depends: ${shlibs:Depends}, ${misc:Depends} Description: MIFARE Classic offline cracker This package includes the mfoc program which cracks the encryption keys of the MIFARE Classic chip and dumps the diff --git a/src/Makefile.am b/src/Makefile.am index 49a219a..27de9de 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,10 +1,10 @@ -AM_CFLAGS = @LIBNFC_CFLAGS@ +AM_CFLAGS = @libnfc_CFLAGS@ bin_PROGRAMS = mfoc noinst_HEADERS = crapto1.h mfoc.h mifare.h nfc-utils.h mfoc_SOURCES = crapto1.c crypto1.c mfoc.c mifare.c nfc-utils.c -mfoc_LDADD = @LIBNFC_LIBS@ +mfoc_LDADD = @libnfc_LIBS@ dist_man_MANS = mfoc.1 diff --git a/src/crapto1.c b/src/crapto1.c index ab599a6..9fc1e5f 100644 --- a/src/crapto1.c +++ b/src/crapto1.c @@ -22,7 +22,7 @@ #if !defined LOWMEM && defined __GNUC__ static uint8_t filterlut[1 << 20]; -static void __attribute__((constructor)) fill_lut() +static void __attribute__((constructor)) fill_lut(void) { uint32_t i; for(i = 0; i < 1 << 20; ++i) @@ -308,6 +308,11 @@ struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3) return statelist; } +uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb); +uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb); +uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb); +uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd); + /** lfsr_rollback_bit * Rollback the shift register in order to get previous states */ @@ -444,6 +449,8 @@ check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8], } +struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]); + /** lfsr_common_prefix * Implentation of the common prefix attack. * Requires the 29 bit constant prefix used as reader nonce (pfx) 
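Review bot: The non-static prototypes added in the `@@ -308` and `@@ -444` hunks of crapto1.c (`lfsr_rollback_bit`, `lfsr_rollback_byte`, `lfsr_rollback_word`, `lfsr_prefix_ks`, `lfsr_common_prefix`) sit in the .c file a few lines above their own definitions, where they only quiet a missing-prototype warning under the new `-std=c99` flags. The conventional home is `crapto1.h`, which `src/Makefile.am` already lists in `noinst_HEADERS`: if that header already declares them, these copies are redundant and will drift; if it does not, callers in mfoc.c are presumably relying on local or implicit declarations. Move the declarations into `crapto1.h` and include it at the top of `crapto1.c`, or mark the functions `static` if they are file-local; the `lfsr_common_prefix` definition continues outside the hunk.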
diff --git a/src/mfoc.c b/src/mfoc.c index 3bb4e63..273b18f 100644 --- a/src/mfoc.c +++ b/src/mfoc.c @@ -32,11 +32,14 @@ /* vim: set ts=2 sw=2 et: */ +#define _XOPEN_SOURCE 1 // To enable getopt + #include #include -#include #include +#include + // NFC #include @@ -55,7 +58,7 @@ int main(int argc, char * const argv[]) { .nbr = NBR_106, }; - int ch, i, k, n, j, m, o; + int ch, i, k, n, j, m; int key, block; int succeed = 1; @@ -120,12 +123,16 @@ int main(int argc, char * const argv[]) { // fprintf(stdout, "Number of probes: %d\n", probes); break; case 'T': + { + int res; // Nonce tolerance range - if (!(d.tolerance = atoi(optarg)) || d.tolerance < 0) { + if (((res = atoi(optarg)) != 0) || (res < 0)) { ERR ("The nonce distances range must be a zero or a positive number"); exit (EXIT_FAILURE); } + d.tolerance = (uint32_t)res; // fprintf(stdout, "Tolerance number: %d\n", probes); + } break; case 'k': // Add this key to the default keys @@ -235,15 +242,15 @@ int main(int argc, char * const argv[]) { bk->size = 0; } - d.distances = (void *) calloc(d.num_distances, sizeof(u_int32_t)); + d.distances = (void *) calloc(d.num_distances, sizeof(uint32_t)); if (d.distances == NULL) { ERR ("Cannot allocate memory for t.distances"); goto error; } // Initialize t.sectors, keys are not known yet - for (i = 0; i < (t.num_sectors); ++i) { - t.sectors[i].foundKeyA = t.sectors[i].foundKeyB = false; + for (uint8_t s = 0; s < (t.num_sectors); ++s) { + t.sectors[s].foundKeyA = t.sectors[s].foundKeyB = false; } print_nfc_iso14443a_info (t.nt.nti.nai, true); @@ -332,7 +339,7 @@ int main(int argc, char * const argv[]) { // First, try already broken keys skip = false; - for (o = 0; o < bk->size; o++) { + for (uint32_t o = 0; o < bk->size; o++) { num_to_bytes(bk->brokenKeys[o], 6, mp.mpa.abtKey); mc = dumpKeysA ? 0x60 : 0x61; if (!nfc_initiator_mifare_cmd(r.pdi,mc,t.sectors[j].trailer,&mp)) { 
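Review bot: The `-T` range check in the `case 'T'` hunk is inverted: `((res = atoi(optarg)) != 0) || (res < 0)` is true for every positive value, so `-T 5` now exits with the range error while only `-T 0` is accepted, whereas the original `!(d.tolerance = atoi(optarg)) || d.tolerance < 0` rejected zero and negatives. Since the message already says "zero or a positive number" and the value is stored into a `uint32_t`, `if ((res = atoi(optarg)) < 0) {` expresses the stated rule; use `if ((res = atoi(optarg)) == 0 || res < 0) {` instead if zero is meant to stay rejected. `atoi` also cannot distinguish a non-numeric argument from a real 0, so `strtol` with an end-pointer check would make the rejection reliable; `main` continues outside the hunk.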
@@ -662,7 +669,7 @@ int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d uint8_t RxPar[MAX_FRAME_LEN]; // Tag response size_t RxLen; - u_int32_t Nt, NtLast, NtProbe, NtEnc, Ks1; + uint32_t Nt, NtLast, NtProbe, NtEnc, Ks1; int i, m; @@ -685,7 +692,7 @@ int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d exit (EXIT_FAILURE); } - if (nfc_initiator_transceive_bytes(r.pdi, Auth, 4, Rx, &RxLen, 0) < 0) { + if (nfc_initiator_transceive_bytes(r.pdi, Auth, 4, Rx, sizeof(Rx), 0) < 0) { fprintf(stdout, "Error while requesting plain tag-nonce\n"); exit(EXIT_FAILURE); } @@ -900,7 +907,7 @@ int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d // Return the median value from the nonce distances array uint32_t median(denonce d) { int middle = (int) d.num_distances / 2; - qsort(d.distances, d.num_distances, sizeof(u_int32_t), compar_int); + qsort(d.distances, d.num_distances, sizeof(uint32_t), compar_int); if (d.num_distances % 2 == 1) { // Odd number of elements diff --git a/src/mfoc.h b/src/mfoc.h index 863bbcb..cf1fe63 100644 --- a/src/mfoc.h +++ b/src/mfoc.h @@ -32,10 +32,10 @@ typedef struct { } sector; typedef struct { - u_int32_t *distances; - int32_t median; - int32_t num_distances; - int32_t tolerance; + uint32_t *distances; + uint32_t median; + uint32_t num_distances; + uint32_t tolerance; uint8_t parity[3]; // used for 3 bits of parity information } denonce; // Revealed information about nonce @@ -43,8 +43,8 @@ typedef struct { nfc_target nt; sector * sectors; // Allocate later, we do not know the number of sectors yet sector e_sector; // Exploit sector - int32_t num_sectors; - int32_t num_blocks; + uint8_t num_sectors; + uint8_t num_blocks; uint32_t uid; bool b4K; } mftag; diff --git a/src/mifare.c b/src/mifare.c index d9ea0b0..b3c3b63 100644 --- a/src/mifare.c +++ b/src/mifare.c 
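Review bot: In the `@@ -685` hunk of `mf_enhanced_auth`, `nfc_initiator_transceive_bytes` is now passed `sizeof(Rx)` instead of `&RxLen`, yet `size_t RxLen;` is still declared in the `@@ -662` hunk's context and is no longer written by this call, so any later read of `RxLen` in the function (its body continues outside both hunks) would now be an uninitialized read. The mifare.c hunk handles the same API change by deleting `szRx` and using the call's return value as the received length (`res == 16`); doing the same here — `int res = nfc_initiator_transceive_bytes(r.pdi, Auth, 4, Rx, sizeof(Rx), 0);`, then `if (res < 0)` and `res` wherever `RxLen` was used — or deleting `RxLen` if it is unused would close the gap. Presumably the returned length should also be compared with the expected nonce size before `Rx` is decoded; confirm against the libnfc 1.6 contract the diff now requires.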
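Review bot: Narrowing `num_blocks` to `uint8_t` in the `mftag` hunk of mfoc.h leaves no room for a count of 256, which is what a 4 KiB MIFARE Classic card (the `b4K` flag in the same struct) has at 16 bytes per block, so such an assignment would wrap to 0 and any loop bounded by `t.num_blocks` would run zero times; the assignment sites are outside this diff, so this is inferred from the card geometry rather than from a visible line. If 256 is reachable, keep the field wider, e.g. `uint16_t num_blocks;` (`num_sectors` stays comfortably within `uint8_t`). The same hunk also makes `median` and `tolerance` unsigned, so any remaining signed comparisons or `%d` format arguments for these fields in mfoc.c (outside this diff) should be re-checked.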
@@ -51,7 +51,6 @@ bool nfc_initiator_mifare_cmd (nfc_device *pnd, const mifare_cmd mc, const uint8_t ui8Block, mifare_param *pmp) { uint8_t abtRx[265]; - size_t szRx = sizeof(abtRx); size_t szParamLen; uint8_t abtCmd[265]; //bool bEasyFraming; @@ -102,7 +101,7 @@ nfc_initiator_mifare_cmd (nfc_device *pnd, const mifare_cmd mc, const uint8_t ui } // Fire the mifare command int res; - if ((res = nfc_initiator_transceive_bytes (pnd, abtCmd, 2 + szParamLen, abtRx, &szRx, -1)) < 0) { + if ((res = nfc_initiator_transceive_bytes (pnd, abtCmd, 2 + szParamLen, abtRx, sizeof(abtRx), -1)) < 0) { if (res == NFC_ERFTRANS) { // "Invalid received frame", usual means we are // authenticated on a sector but the requested MIFARE cmd (read, write) @@ -123,7 +122,7 @@ nfc_initiator_mifare_cmd (nfc_device *pnd, const mifare_cmd mc, const uint8_t ui // When we have executed a read command, copy the received bytes into the param if (mc == MC_READ) { - if (szRx == 16) { + if (res == 16) { memcpy (pmp->mpd.abtData, abtRx, 16); } else { return false;