use authuid instead uid name when handling the authentication uid bytes (different from UID with 7bytes MIFARE Classic
This commit is contained in:
Romuald Conty
parent
bc109b9252
commit
451f2fa29c
2 changed files with 8 additions and 12 deletions
18
src/mfoc.c
18
src/mfoc.c
|
|
@ -214,13 +214,9 @@ int main(int argc, char * const argv[]) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Support Mifare Classic with 7 bytes UID ?
|
|
||||||
if (t.nt.nti.nai.szUidLen != 4) {
|
|
||||||
ERR ("only Mifare Classic with UID on 4 bytes are supported");
|
|
||||||
}
|
|
||||||
// Save tag's block size (b4K)
|
// Save tag's block size (b4K)
|
||||||
t.b4K = (t.nt.nti.nai.abtAtqa[1] == 0x02);
|
t.b4K = (t.nt.nti.nai.abtAtqa[1] == 0x02);
|
||||||
t.uid = (uint32_t) bytes_to_num(t.nt.nti.nai.abtUid, 4);
|
t.authuid = (uint32_t) bytes_to_num(t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, 4);
|
||||||
|
|
||||||
t.num_blocks = (t.b4K) ? 0xff : 0x3f;
|
t.num_blocks = (t.b4K) ? 0xff : 0x3f;
|
||||||
t.num_sectors = t.b4K ? NR_TRAILERS_4k : NR_TRAILERS_1k;
|
t.num_sectors = t.b4K ? NR_TRAILERS_4k : NR_TRAILERS_1k;
|
||||||
|
|
@ -432,7 +428,7 @@ int main(int argc, char * const argv[]) {
|
||||||
// We haven't found any key, exiting
|
// We haven't found any key, exiting
|
||||||
if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) {
|
if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) {
|
||||||
ERR ("No success, maybe you should increase the probes");
|
ERR ("No success, maybe you should increase the probes");
|
||||||
exit (EXIT_FAILURE);
|
goto error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -507,7 +503,7 @@ int main(int argc, char * const argv[]) {
|
||||||
if (fwrite(&mtDump, 1, sizeof(mtDump), pfDump) != sizeof(mtDump)) {
|
if (fwrite(&mtDump, 1, sizeof(mtDump), pfDump) != sizeof(mtDump)) {
|
||||||
fprintf(stdout, "Error, cannot write dump\n");
|
fprintf(stdout, "Error, cannot write dump\n");
|
||||||
fclose(pfDump);
|
fclose(pfDump);
|
||||||
exit (EXIT_FAILURE);
|
goto error;
|
||||||
}
|
}
|
||||||
fclose(pfDump);
|
fclose(pfDump);
|
||||||
}
|
}
|
||||||
|
|
@ -716,7 +712,7 @@ int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load (plain) uid^nt into the cipher {48..79} bits
|
// Load (plain) uid^nt into the cipher {48..79} bits
|
||||||
crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.uid, 0);
|
crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.authuid, 0);
|
||||||
|
|
||||||
// Generate (encrypted) nr+parity by loading it into the cipher
|
// Generate (encrypted) nr+parity by loading it into the cipher
|
||||||
for (i = 0; i < 4; i++) {
|
for (i = 0; i < 4; i++) {
|
||||||
|
|
@ -785,7 +781,7 @@ int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d
|
||||||
} else {
|
} else {
|
||||||
pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6));
|
pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6));
|
||||||
}
|
}
|
||||||
NtLast = bytes_to_num(Rx, 4) ^ crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.uid, 1);
|
NtLast = bytes_to_num(Rx, 4) ^ crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.authuid, 1);
|
||||||
|
|
||||||
// Save the determined nonces distance
|
// Save the determined nonces distance
|
||||||
d->distances[m] = nonce_distance(Nt, NtLast);
|
d->distances[m] = nonce_distance(Nt, NtLast);
|
||||||
|
|
@ -868,12 +864,12 @@ int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d
|
||||||
revstate_start = NULL;
|
revstate_start = NULL;
|
||||||
if (valid_nonce(NtProbe, NtEnc, Ks1, d->parity)) {
|
if (valid_nonce(NtProbe, NtEnc, Ks1, d->parity)) {
|
||||||
// And finally recover the first 32 bits of the key
|
// And finally recover the first 32 bits of the key
|
||||||
revstate = lfsr_recovery32(Ks1, NtProbe ^ t.uid);
|
revstate = lfsr_recovery32(Ks1, NtProbe ^ t.authuid);
|
||||||
if (revstate_start == NULL) {
|
if (revstate_start == NULL) {
|
||||||
revstate_start = revstate;
|
revstate_start = revstate;
|
||||||
}
|
}
|
||||||
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
|
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
|
||||||
lfsr_rollback_word(revstate, NtProbe ^ t.uid, 0);
|
lfsr_rollback_word(revstate, NtProbe ^ t.authuid, 0);
|
||||||
crypto1_get_lfsr(revstate, &lfsr);
|
crypto1_get_lfsr(revstate, &lfsr);
|
||||||
// Allocate a new space for keys
|
// Allocate a new space for keys
|
||||||
if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) {
|
if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) {
|
||||||
|
|
|
||||||
|
|
@ -45,7 +45,7 @@ typedef struct {
|
||||||
sector e_sector; // Exploit sector
|
sector e_sector; // Exploit sector
|
||||||
uint8_t num_sectors;
|
uint8_t num_sectors;
|
||||||
uint8_t num_blocks;
|
uint8_t num_blocks;
|
||||||
uint32_t uid;
|
uint32_t authuid;
|
||||||
bool b4K;
|
bool b4K;
|
||||||
} mftag;
|
} mftag;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue