mirrors/unleashed-firmware
1
Fork 0
mirror of https://github.com/DarkFlippers/unleashed-firmware.git synced 2025-12-12 12:42:30 +04:00
Code Issues Activity

Support CUID dictionary

Browse Source
This commit is contained in:
noproto
2024-09-25 10:27:32 -04:00
parent 099bb4071a
commit ba672e775f
5 changed files with 83 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
applications/main/nfc/nfc_app_i.h
View File

@@ -102,6 +102,7 @@ typedef struct {
uint8_t backdoor; uint8_t backdoor;
uint16_t nested_target_key; uint16_t nested_target_key;
uint16_t msb_count; uint16_t msb_count;
bool enhanced_dict;
} NfcMfClassicDictAttackContext; } NfcMfClassicDictAttackContext;
struct NfcApp { struct NfcApp {

74
applications/main/nfc/scenes/nfc_scene_mf_classic_dict_attack.c
View File

@@ -1,5 +1,6 @@
#include "../nfc_app_i.h" #include "../nfc_app_i.h"
#include <bit_lib/bit_lib.h>
#include <dolphin/dolphin.h> #include <dolphin/dolphin.h>
#include <lib/nfc/protocols/mf_classic/mf_classic_poller.h> #include <lib/nfc/protocols/mf_classic/mf_classic_poller.h>
@@ -9,6 +10,7 @@
// TODO: Re-enters backdoor detection between user and system dictionary if no backdoor is found // TODO: Re-enters backdoor detection between user and system dictionary if no backdoor is found
typedef enum { typedef enum {
DictAttackStateCUIDDictInProgress,
DictAttackStateUserDictInProgress, DictAttackStateUserDictInProgress,
DictAttackStateSystemDictInProgress, DictAttackStateSystemDictInProgress,
} DictAttackState; } DictAttackState;
@@ -32,7 +34,9 @@ NfcCommand nfc_dict_attack_worker_callback(NfcGenericEvent event, void* context)
} else if(mfc_event->type == MfClassicPollerEventTypeRequestMode) { } else if(mfc_event->type == MfClassicPollerEventTypeRequestMode) {
const MfClassicData* mfc_data = const MfClassicData* mfc_data =
nfc_device_get_data(instance->nfc_device, NfcProtocolMfClassic); nfc_device_get_data(instance->nfc_device, NfcProtocolMfClassic);
mfc_event->data->poller_mode.mode = MfClassicPollerModeDictAttack; mfc_event->data->poller_mode.mode = (instance->nfc_dict_context.enhanced_dict) ?
MfClassicPollerModeDictAttackEnhanced :
MfClassicPollerModeDictAttackStandard;
mfc_event->data->poller_mode.data = mfc_data; mfc_event->data->poller_mode.data = mfc_data;
instance->nfc_dict_context.sectors_total = instance->nfc_dict_context.sectors_total =
mf_classic_get_total_sectors_num(mfc_data->type); mf_classic_get_total_sectors_num(mfc_data->type);
@@ -136,8 +140,37 @@ static void nfc_scene_mf_classic_dict_attack_update_view(NfcApp* instance) {
static void nfc_scene_mf_classic_dict_attack_prepare_view(NfcApp* instance) { static void nfc_scene_mf_classic_dict_attack_prepare_view(NfcApp* instance) {
uint32_t state = uint32_t state =
scene_manager_get_scene_state(instance->scene_manager, NfcSceneMfClassicDictAttack); scene_manager_get_scene_state(instance->scene_manager, NfcSceneMfClassicDictAttack);
if(state == DictAttackStateCUIDDictInProgress) {
do {
size_t cuid_len = 0;
const uint8_t* cuid = nfc_device_get_uid(instance->nfc_device, &cuid_len);
FuriString* cuid_dict_path = furi_string_alloc_printf(
"%s/mf_classic_dict_%08lx.nfc",
EXT_PATH("nfc/assets"),
(uint32_t)bit_lib_bytes_to_num_be(cuid + (cuid_len - 4), 4));
if(!keys_dict_check_presence(furi_string_get_cstr(cuid_dict_path))) {
state = DictAttackStateUserDictInProgress;
break;
}
instance->nfc_dict_context.dict = keys_dict_alloc(
furi_string_get_cstr(cuid_dict_path),
KeysDictModeOpenExisting,
sizeof(MfClassicKey));
if(keys_dict_get_total_keys(instance->nfc_dict_context.dict) == 0) {
keys_dict_free(instance->nfc_dict_context.dict);
state = DictAttackStateUserDictInProgress;
break;
}
dict_attack_set_header(instance->dict_attack, "MF Classic CUID Dictionary");
} while(false);
}
if(state == DictAttackStateUserDictInProgress) { if(state == DictAttackStateUserDictInProgress) {
do { do {
instance->nfc_dict_context.enhanced_dict = true;
// TODO: Check for errors // TODO: Check for errors
storage_common_remove(instance->storage, NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH); storage_common_remove(instance->storage, NFC_APP_MF_CLASSIC_DICT_SYSTEM_NESTED_PATH);
storage_common_copy( storage_common_copy(
@@ -191,7 +224,7 @@ void nfc_scene_mf_classic_dict_attack_on_enter(void* context) {
NfcApp* instance = context; NfcApp* instance = context;
scene_manager_set_scene_state( scene_manager_set_scene_state(
instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateUserDictInProgress); instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateCUIDDictInProgress);
nfc_scene_mf_classic_dict_attack_prepare_view(instance); nfc_scene_mf_classic_dict_attack_prepare_view(instance);
dict_attack_set_card_state(instance->dict_attack, true); dict_attack_set_card_state(instance->dict_attack, true);
view_dispatcher_switch_to_view(instance->view_dispatcher, NfcViewDictAttack); view_dispatcher_switch_to_view(instance->view_dispatcher, NfcViewDictAttack);
@@ -222,7 +255,19 @@ bool nfc_scene_mf_classic_dict_attack_on_event(void* context, SceneManagerEvent
if(event.event == NfcCustomEventDictAttackComplete) { if(event.event == NfcCustomEventDictAttackComplete) {
bool ran_nested_dict = instance->nfc_dict_context.nested_phase != bool ran_nested_dict = instance->nfc_dict_context.nested_phase !=
MfClassicNestedPhaseNone; MfClassicNestedPhaseNone;
if(state == DictAttackStateUserDictInProgress && !(ran_nested_dict)) { if(state == DictAttackStateCUIDDictInProgress) {
nfc_poller_stop(instance->poller);
nfc_poller_free(instance->poller);
keys_dict_free(instance->nfc_dict_context.dict);
scene_manager_set_scene_state(
instance->scene_manager,
NfcSceneMfClassicDictAttack,
DictAttackStateUserDictInProgress);
nfc_scene_mf_classic_dict_attack_prepare_view(instance);
instance->poller = nfc_poller_alloc(instance->nfc, NfcProtocolMfClassic);
nfc_poller_start(instance->poller, nfc_dict_attack_worker_callback, instance);
consumed = true;
} else if(state == DictAttackStateUserDictInProgress && !(ran_nested_dict)) {
nfc_poller_stop(instance->poller); nfc_poller_stop(instance->poller);
nfc_poller_free(instance->poller); nfc_poller_free(instance->poller);
keys_dict_free(instance->nfc_dict_context.dict); keys_dict_free(instance->nfc_dict_context.dict);
@@ -253,7 +298,25 @@ bool nfc_scene_mf_classic_dict_attack_on_event(void* context, SceneManagerEvent
nfc_device_set_data(instance->nfc_device, NfcProtocolMfClassic, mfc_data); nfc_device_set_data(instance->nfc_device, NfcProtocolMfClassic, mfc_data);
bool ran_nested_dict = instance->nfc_dict_context.nested_phase != bool ran_nested_dict = instance->nfc_dict_context.nested_phase !=
MfClassicNestedPhaseNone; MfClassicNestedPhaseNone;
if(state == DictAttackStateUserDictInProgress && !(ran_nested_dict)) { if(state == DictAttackStateCUIDDictInProgress) {
if(instance->nfc_dict_context.is_card_present) {
nfc_poller_stop(instance->poller);
nfc_poller_free(instance->poller);
keys_dict_free(instance->nfc_dict_context.dict);
scene_manager_set_scene_state(
instance->scene_manager,
NfcSceneMfClassicDictAttack,
DictAttackStateUserDictInProgress);
nfc_scene_mf_classic_dict_attack_prepare_view(instance);
instance->poller = nfc_poller_alloc(instance->nfc, NfcProtocolMfClassic);
nfc_poller_start(instance->poller, nfc_dict_attack_worker_callback, instance);
} else {
nfc_scene_mf_classic_dict_attack_notify_read(instance);
scene_manager_next_scene(instance->scene_manager, NfcSceneReadSuccess);
dolphin_deed(DolphinDeedNfcReadSuccess);
}
consumed = true;
} else if(state == DictAttackStateUserDictInProgress && !(ran_nested_dict)) {
if(instance->nfc_dict_context.is_card_present) { if(instance->nfc_dict_context.is_card_present) {
nfc_poller_stop(instance->poller); nfc_poller_stop(instance->poller);
nfc_poller_free(instance->poller); nfc_poller_free(instance->poller);
@@ -293,7 +356,7 @@ void nfc_scene_mf_classic_dict_attack_on_exit(void* context) {
dict_attack_reset(instance->dict_attack); dict_attack_reset(instance->dict_attack);
scene_manager_set_scene_state( scene_manager_set_scene_state(
instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateUserDictInProgress); instance->scene_manager, NfcSceneMfClassicDictAttack, DictAttackStateCUIDDictInProgress);
keys_dict_free(instance->nfc_dict_context.dict); keys_dict_free(instance->nfc_dict_context.dict);
@@ -311,6 +374,7 @@ void nfc_scene_mf_classic_dict_attack_on_exit(void* context) {
instance->nfc_dict_context.backdoor = MfClassicBackdoorUnknown; instance->nfc_dict_context.backdoor = MfClassicBackdoorUnknown;
instance->nfc_dict_context.nested_target_key = 0; instance->nfc_dict_context.nested_target_key = 0;
instance->nfc_dict_context.msb_count = 0; instance->nfc_dict_context.msb_count = 0;
instance->nfc_dict_context.enhanced_dict = false;
nfc_blink_stop(instance); nfc_blink_stop(instance);
notification_message(instance->notifications, &sequence_display_backlight_enforce_auto); notification_message(instance->notifications, &sequence_display_backlight_enforce_auto);

15
lib/nfc/protocols/mf_classic/mf_classic_poller.c
View File

@@ -7,7 +7,7 @@
#define TAG "MfClassicPoller" #define TAG "MfClassicPoller"
// TODO: Buffer writes for Hardnested, set state to Log when finished and sum property matches // TODO: Buffer writes for Hardnested, set state to Log when finished and sum property matches
// TODO: Load dictionaries specific to a CUID to not clutter the user dictionary // TODO: Store target key in CUID dictionary
// TODO: Fix rare nested_target_key 64 bug // TODO: Fix rare nested_target_key 64 bug
// TODO: Dead code for malloc returning NULL? // TODO: Dead code for malloc returning NULL?
@@ -163,7 +163,10 @@ NfcCommand mf_classic_poller_handler_start(MfClassicPoller* instance) {
instance->mfc_event.type = MfClassicPollerEventTypeRequestMode; instance->mfc_event.type = MfClassicPollerEventTypeRequestMode;
command = instance->callback(instance->general_event, instance->context); command = instance->callback(instance->general_event, instance->context);
if(instance->mfc_event_data.poller_mode.mode == MfClassicPollerModeDictAttack) { if(instance->mfc_event_data.poller_mode.mode == MfClassicPollerModeDictAttackStandard) {
mf_classic_copy(instance->data, instance->mfc_event_data.poller_mode.data);
instance->state = MfClassicPollerStateRequestKey;
} else if(instance->mfc_event_data.poller_mode.mode == MfClassicPollerModeDictAttackEnhanced) {
mf_classic_copy(instance->data, instance->mfc_event_data.poller_mode.data); mf_classic_copy(instance->data, instance->mfc_event_data.poller_mode.data);
instance->state = MfClassicPollerStateAnalyzeBackdoor; instance->state = MfClassicPollerStateAnalyzeBackdoor;
} else if(instance->mfc_event_data.poller_mode.mode == MfClassicPollerModeRead) { } else if(instance->mfc_event_data.poller_mode.mode == MfClassicPollerModeRead) {
@@ -557,6 +560,7 @@ NfcCommand mf_classic_poller_handler_request_read_sector_blocks(MfClassicPoller*
NfcCommand mf_classic_poller_handler_analyze_backdoor(MfClassicPoller* instance) { NfcCommand mf_classic_poller_handler_analyze_backdoor(MfClassicPoller* instance) {
NfcCommand command = NfcCommandReset; NfcCommand command = NfcCommandReset;
MfClassicPollerDictAttackContext* dict_attack_ctx = &instance->mode_ctx.dict_attack_ctx; MfClassicPollerDictAttackContext* dict_attack_ctx = &instance->mode_ctx.dict_attack_ctx;
instance->mode_ctx.dict_attack_ctx.enhanced_dict = true;
size_t current_key_index = size_t current_key_index =
mf_classic_backdoor_keys_count - 1; // Default to the last valid index mf_classic_backdoor_keys_count - 1; // Default to the last valid index
@@ -861,9 +865,10 @@ NfcCommand mf_classic_poller_handler_key_reuse_start(MfClassicPoller* instance)
command = instance->callback(instance->general_event, instance->context); command = instance->callback(instance->general_event, instance->context);
// Nested entrypoint // Nested entrypoint
bool nested_active = dict_attack_ctx->nested_phase != MfClassicNestedPhaseNone; bool nested_active = dict_attack_ctx->nested_phase != MfClassicNestedPhaseNone;
if((nested_active && if((dict_attack_ctx->enhanced_dict) &&
(dict_attack_ctx->nested_phase != MfClassicNestedPhaseFinished)) || ((nested_active &&
(!(nested_active) && !(mf_classic_is_card_read(instance->data)))) { (dict_attack_ctx->nested_phase != MfClassicNestedPhaseFinished)) ||
(!(nested_active) && !(mf_classic_is_card_read(instance->data))))) {
instance->state = MfClassicPollerStateNestedController; instance->state = MfClassicPollerStateNestedController;
break; break;
} }

3
lib/nfc/protocols/mf_classic/mf_classic_poller.h
View File

@@ -44,7 +44,8 @@ typedef enum {
typedef enum { typedef enum {
MfClassicPollerModeRead, /**< Poller reading mode. */ MfClassicPollerModeRead, /**< Poller reading mode. */
MfClassicPollerModeWrite, /**< Poller writing mode. */ MfClassicPollerModeWrite, /**< Poller writing mode. */
MfClassicPollerModeDictAttack, /**< Poller dictionary attack mode. */ MfClassicPollerModeDictAttackStandard, /**< Poller dictionary attack mode. */
MfClassicPollerModeDictAttackEnhanced, /**< Poller enhanced dictionary attack mode. */
} MfClassicPollerMode; } MfClassicPollerMode;
/** /**

1
lib/nfc/protocols/mf_classic/mf_classic_poller_i.h
View File

@@ -159,6 +159,7 @@ typedef struct {
uint8_t reuse_key_sector; uint8_t reuse_key_sector;
MfClassicBackdoor backdoor; MfClassicBackdoor backdoor;
// Enhanced dictionary attack and nested nonce collection // Enhanced dictionary attack and nested nonce collection
bool enhanced_dict;
MfClassicNestedPhase nested_phase; MfClassicNestedPhase nested_phase;
MfClassicKey nested_known_key; MfClassicKey nested_known_key;
MfClassicKeyType nested_known_key_type; MfClassicKeyType nested_known_key_type;