1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
diff --git a/src/mfoc.c b/src/mfoc.c
index 0cb917d..195de68 100644
--- a/src/mfoc.c
+++ b/src/mfoc.c
@@ -93,8 +93,8 @@ int main(int argc, char *const argv[])
{0x58, 0x7e, 0xe5, 0xf9, 0x35, 0x0f},
{0xa0, 0x47, 0x8c, 0xc3, 0x90, 0x91},
{0x53, 0x3c, 0xb6, 0xc7, 0x23, 0xf6},
- {0x8f, 0xd0, 0xa4, 0xf2, 0x56, 0xe9}
-
+ {0x8f, 0xd0, 0xa4, 0xf2, 0x56, 0xe9},
+ {0xb4, 0xc1, 0x32, 0x43, 0x9e, 0xef}
};
mftag t;
@@ -219,12 +219,31 @@ int main(int argc, char *const argv[])
goto error;
}
- // Save tag's block size (b4K)
- t.b4K = (t.nt.nti.nai.abtAtqa[1] == 0x02);
t.authuid = (uint32_t) bytes_to_num(t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, 4);
- t.num_blocks = (t.b4K) ? 0xff : 0x3f;
- t.num_sectors = t.b4K ? NR_TRAILERS_4k : NR_TRAILERS_1k;
+ // Get Mifare Classic type from SAK
+ // see http://www.nxp.com/documents/application_note/AN10833.pdf Section 3.2
+ switch (t.nt.nti.nai.btSak)
+ {
+ case 0x08:
+ printf("Found Mifare Classic 1k tag\n");
+ t.num_sectors = NR_TRAILERS_1k;
+ t.num_blocks = NR_BLOCKS_1k;
+ break;
+ case 0x09:
+ printf("Found Mifare Classic Mini tag\n");
+ t.num_sectors = NR_TRAILERS_MINI;
+ t.num_blocks = NR_BLOCKS_MINI;
+ break;
+ case 0x18:
+ printf("Found Mifare Classic 4k tag\n");
+ t.num_sectors = NR_TRAILERS_4k;
+ t.num_blocks = NR_BLOCKS_4k;
+ break;
+ defaul:
+ ERR("Cannot determine card type from SAK");
+ goto error;
+ }
t.sectors = (void *) calloc(t.num_sectors, sizeof(sector));
if (t.sectors == NULL) {
@@ -564,7 +583,7 @@ void usage(FILE *stream, int errno)
fprintf(stream, " k try the specified key in addition to the default keys\n");
// fprintf(stream, " D number of distance probes, default is 20\n");
// fprintf(stream, " S number of sets with keystreams, default is 5\n");
- fprintf(stream, " P number of probes per sector, instead of default of 20\n");
+ fprintf(stream, " P number of probes per sector, instead of default of 150\n");
fprintf(stream, " T nonce tolerance half-range, instead of default of 20\n (i.e., 40 for the total range, in both directions)\n");
// fprintf(stream, " s specify the list of sectors to crack, for example -s 0,1,3,5\n");
fprintf(stream, " O file in which the card contents will be written (REQUIRED)\n");
diff --git a/src/mfoc.h b/src/mfoc.h
index b411670..532e834 100644
--- a/src/mfoc.h
+++ b/src/mfoc.h
@@ -2,11 +2,21 @@
#define TRY_KEYS 50
// Number of trailers == number of sectors
-// 16x64b = 16
+// Mifare Classic 1k 16x64b = 16
#define NR_TRAILERS_1k (16)
-// 32x64b + 8*256b = 40
+// Mifare Classic Mini
+#define NR_TRAILERS_MINI (5)
+// Mifare Classic 4k 32x64b + 8*256b = 40
#define NR_TRAILERS_4k (40)
+// Number of blocks
+// Mifare Classic 1k
+#define NR_BLOCKS_1k 0x3f
+// Mifare Classic Mini
+#define NR_BLOCKS_MINI 0x13
+// Mifare Classic 4k
+#define NR_BLOCKS_4k 0xff
+
#define MAX_FRAME_LEN 264
// Used for counting nonce distances, explore [nd-value, nd+value]
@@ -46,7 +56,6 @@ typedef struct {
uint8_t num_sectors;
uint8_t num_blocks;
uint32_t authuid;
- bool b4K;
} mftag;
typedef struct {
|