]>
Commit | Line | Data |
---|---|---|
4f131b53 | 1 | //----------------------------------------------------------------------------- |
2 | // Copyright (C) Merlok - 2017 | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Command: hf mf list. It shows data from arm buffer. | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include "cmdhflist.h" | |
12 | ||
13 | #include <stdlib.h> | |
14 | #include <stdio.h> | |
15 | #include <string.h> | |
6612a5a2 | 16 | #include <stdint.h> |
17 | #include <stdbool.h> | |
18 | #include "util.h" | |
19 | #include "data.h" | |
20 | #include "ui.h" | |
21 | #include "iso14443crc.h" | |
22 | #include "parity.h" | |
23 | #include "protocols.h" | |
7b215d14 OM |
24 | #include "crapto1/crapto1.h" |
25 | #include "mifarehost.h" | |
c6a886fb | 26 | #include "mifaredefault.h" |
4f131b53 | 27 | |
28 | ||
6612a5a2 | 29 | enum MifareAuthSeq { |
30 | masNone, | |
31 | masNt, | |
32 | masNrAr, | |
33 | masAt, | |
747885a6 | 34 | masAuthComplete, |
aadc6bf1 | 35 | masFirstData, |
6612a5a2 | 36 | masData, |
6612a5a2 | 37 | masError, |
38 | }; | |
39 | static enum MifareAuthSeq MifareAuthState; | |
aadc6bf1 OM |
40 | static TAuthData AuthData; |
41 | ||
42 | void ClearAuthData() { | |
43 | AuthData.uid = 0; | |
44 | AuthData.nt = 0; | |
7b215d14 | 45 | AuthData.first_auth = true; |
aadc6bf1 | 46 | } |
6612a5a2 | 47 | |
48 | /** | |
49 | * @brief iso14443A_CRC_check Checks CRC in command or response | |
50 | * @param isResponse | |
51 | * @param data | |
52 | * @param len | |
53 | * @return 0 : CRC-command, CRC not ok | |
54 | * 1 : CRC-command, CRC ok | |
55 | * 2 : Not crc-command | |
56 | */ | |
57 | uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
58 | { | |
59 | uint8_t b1,b2; | |
60 | ||
61 | if(len <= 2) return 2; | |
62 | ||
63 | if(isResponse & (len < 6)) return 2; | |
64 | ||
65 | ComputeCrc14443(CRC_14443_A, data, len-2, &b1, &b2); | |
66 | if (b1 != data[len-2] || b2 != data[len-1]) { | |
67 | return 0; | |
68 | } else { | |
69 | return 1; | |
70 | } | |
71 | } | |
72 | ||
73 | uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
74 | { | |
75 | switch(MifareAuthState) { | |
76 | case masNone: | |
6612a5a2 | 77 | case masError: |
78 | return iso14443A_CRC_check(isResponse, data, len); | |
79 | default: | |
80 | return 2; | |
81 | } | |
6612a5a2 | 82 | } |
83 | ||
84 | void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
85 | { | |
86 | switch(cmd[0]) | |
87 | { | |
a31f7f89 OM |
88 | case ISO14443A_CMD_WUPA: |
89 | snprintf(exp,size,"WUPA"); | |
90 | MifareAuthState = masNone; | |
91 | break; | |
6612a5a2 | 92 | case ISO14443A_CMD_ANTICOLL_OR_SELECT:{ |
93 | // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) | |
94 | // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) | |
95 | if(cmd[1] == 0x70) | |
96 | { | |
97 | snprintf(exp,size,"SELECT_UID"); break; | |
98 | }else | |
99 | { | |
100 | snprintf(exp,size,"ANTICOLL"); break; | |
101 | } | |
102 | } | |
103 | case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{ | |
104 | //95 20 = Anticollision of cascade level2 | |
105 | //95 70 = Select of cascade level2 | |
106 | if(cmd[2] == 0x70) | |
107 | { | |
108 | snprintf(exp,size,"SELECT_UID-2"); break; | |
109 | }else | |
110 | { | |
111 | snprintf(exp,size,"ANTICOLL-2"); break; | |
112 | } | |
113 | } | |
a31f7f89 OM |
114 | case ISO14443A_CMD_REQA: |
115 | snprintf(exp,size,"REQA"); | |
116 | MifareAuthState = masNone; | |
117 | break; | |
6612a5a2 | 118 | case ISO14443A_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; |
119 | case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; | |
120 | case ISO14443A_CMD_HALT: | |
121 | snprintf(exp,size,"HALT"); | |
122 | MifareAuthState = masNone; | |
123 | break; | |
124 | case ISO14443A_CMD_RATS: snprintf(exp,size,"RATS"); break; | |
125 | case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; | |
126 | case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; | |
127 | case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; | |
128 | case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; | |
129 | case MIFARE_AUTH_KEYA: | |
130 | if ( cmdsize > 3) { | |
131 | snprintf(exp,size,"AUTH-A(%d)",cmd[1]); | |
132 | MifareAuthState = masNt; | |
133 | } else { | |
134 | // case MIFARE_ULEV1_VERSION : both 0x60. | |
135 | snprintf(exp,size,"EV1 VERSION"); | |
136 | } | |
137 | break; | |
138 | case MIFARE_AUTH_KEYB: | |
139 | MifareAuthState = masNt; | |
140 | snprintf(exp,size,"AUTH-B(%d)",cmd[1]); | |
141 | break; | |
142 | case MIFARE_MAGICWUPC1: snprintf(exp,size,"MAGIC WUPC1"); break; | |
143 | case MIFARE_MAGICWUPC2: snprintf(exp,size,"MAGIC WUPC2"); break; | |
144 | case MIFARE_MAGICWIPEC: snprintf(exp,size,"MAGIC WIPEC"); break; | |
145 | case MIFARE_ULC_AUTH_1: snprintf(exp,size,"AUTH "); break; | |
146 | case MIFARE_ULC_AUTH_2: snprintf(exp,size,"AUTH_ANSW"); break; | |
147 | case MIFARE_ULEV1_AUTH: | |
148 | if ( cmdsize == 7 ) | |
149 | snprintf(exp,size,"PWD-AUTH KEY: 0x%02x%02x%02x%02x", cmd[1], cmd[2], cmd[3], cmd[4] ); | |
150 | else | |
151 | snprintf(exp,size,"PWD-AUTH"); | |
152 | break; | |
153 | case MIFARE_ULEV1_FASTREAD:{ | |
154 | if ( cmdsize >=3 && cmd[2] <= 0xE6) | |
155 | snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); | |
156 | else | |
157 | snprintf(exp,size,"?"); | |
158 | break; | |
159 | } | |
160 | case MIFARE_ULC_WRITE:{ | |
161 | if ( cmd[1] < 0x21 ) | |
162 | snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); | |
163 | else | |
164 | snprintf(exp,size,"?"); | |
165 | break; | |
166 | } | |
167 | case MIFARE_ULEV1_READ_CNT:{ | |
168 | if ( cmd[1] < 5 ) | |
169 | snprintf(exp,size,"READ CNT(%d)",cmd[1]); | |
170 | else | |
171 | snprintf(exp,size,"?"); | |
172 | break; | |
173 | } | |
174 | case MIFARE_ULEV1_INCR_CNT:{ | |
175 | if ( cmd[1] < 5 ) | |
176 | snprintf(exp,size,"INCR(%d)",cmd[1]); | |
177 | else | |
178 | snprintf(exp,size,"?"); | |
179 | break; | |
180 | } | |
181 | case MIFARE_ULEV1_READSIG: snprintf(exp,size,"READ_SIG"); break; | |
182 | case MIFARE_ULEV1_CHECKTEAR: snprintf(exp,size,"CHK_TEARING(%d)",cmd[1]); break; | |
183 | case MIFARE_ULEV1_VCSL: snprintf(exp,size,"VCSL"); break; | |
184 | default: snprintf(exp,size,"?"); break; | |
185 | } | |
186 | return; | |
187 | } | |
188 | ||
b957bcd3 | 189 | void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8_t* parity, uint8_t paritysize, bool isResponse) { |
aadc6bf1 OM |
190 | // get UID |
191 | if (MifareAuthState == masNone) { | |
7b215d14 | 192 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && cmd[1] == 0x70) { |
aadc6bf1 OM |
193 | ClearAuthData(); |
194 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
195 | } | |
7b215d14 | 196 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && cmd[1] == 0x70) { |
aadc6bf1 OM |
197 | ClearAuthData(); |
198 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
199 | } | |
200 | } | |
201 | ||
6612a5a2 | 202 | switch(MifareAuthState) { |
203 | case masNt: | |
fb30f5a1 | 204 | if (cmdsize == 4 && isResponse) { |
aadc6bf1 | 205 | snprintf(exp,size,"AUTH: nt %s", (AuthData.first_auth) ? "" : "(enc)"); |
6612a5a2 | 206 | MifareAuthState = masNrAr; |
aadc6bf1 | 207 | if (AuthData.first_auth) |
7b215d14 | 208 | AuthData.nt = bytes_to_num(cmd, 4); |
aadc6bf1 | 209 | else |
7b215d14 | 210 | AuthData.nt_enc = bytes_to_num(cmd, 4); |
b957bcd3 | 211 | AuthData.nt_enc_par = parity[0]; |
6612a5a2 | 212 | return; |
213 | } else { | |
214 | MifareAuthState = masError; | |
6612a5a2 | 215 | } |
216 | break; | |
217 | case masNrAr: | |
fb30f5a1 | 218 | if (cmdsize == 8 && !isResponse) { |
6c30a244 | 219 | snprintf(exp,size,"AUTH: nr ar (enc)"); |
6612a5a2 | 220 | MifareAuthState = masAt; |
7b215d14 OM |
221 | AuthData.nr_enc = bytes_to_num(cmd, 4); |
222 | AuthData.ar_enc = bytes_to_num(&cmd[4], 4); | |
b957bcd3 | 223 | AuthData.ar_enc_par = parity[0] << 4; |
6612a5a2 | 224 | return; |
225 | } else { | |
226 | MifareAuthState = masError; | |
227 | } | |
228 | break; | |
229 | case masAt: | |
fb30f5a1 | 230 | if (cmdsize == 4 && isResponse) { |
6c30a244 | 231 | snprintf(exp,size,"AUTH: at (enc)"); |
747885a6 | 232 | MifareAuthState = masAuthComplete; |
7b215d14 | 233 | AuthData.at_enc = bytes_to_num(cmd, 4); |
b957bcd3 | 234 | AuthData.at_enc_par = parity[0]; |
6612a5a2 | 235 | return; |
236 | } else { | |
237 | MifareAuthState = masError; | |
238 | } | |
239 | break; | |
240 | default: | |
241 | break; | |
242 | } | |
243 | ||
747885a6 | 244 | if (!isResponse && ((MifareAuthState == masNone) || (MifareAuthState == masError))) |
6612a5a2 | 245 | annotateIso14443a(exp, size, cmd, cmdsize); |
246 | ||
247 | } | |
7b215d14 OM |
248 | |
249 | bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, bool isResponse, uint8_t *mfData, size_t *mfDataLen) { | |
747885a6 | 250 | static struct Crypto1State *traceCrypto1; |
dca8220f | 251 | static uint64_t mfLastKey; |
747885a6 | 252 | |
7b215d14 OM |
253 | *mfDataLen = 0; |
254 | ||
747885a6 OM |
255 | if (MifareAuthState == masAuthComplete) { |
256 | if (traceCrypto1) { | |
257 | crypto1_destroy(traceCrypto1); | |
258 | } | |
259 | ||
260 | MifareAuthState = masFirstData; | |
261 | return false; | |
262 | } | |
263 | ||
7b215d14 OM |
264 | if (cmdsize > 32) |
265 | return false; | |
266 | ||
267 | if (MifareAuthState == masFirstData) { | |
268 | if (AuthData.first_auth) { | |
269 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(AuthData.nt, 64); | |
270 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(AuthData.nt, 96); | |
271 | struct Crypto1State *revstate = lfsr_recovery64(ks2, ks3); | |
272 | lfsr_rollback_word(revstate, 0, 0); | |
273 | lfsr_rollback_word(revstate, 0, 0); | |
274 | lfsr_rollback_word(revstate, AuthData.nr_enc, 1); | |
275 | lfsr_rollback_word(revstate, AuthData.uid ^ AuthData.nt, 0); | |
276 | ||
277 | uint64_t lfsr = 0; | |
278 | crypto1_get_lfsr(revstate, &lfsr); | |
279 | crypto1_destroy(revstate); | |
747885a6 | 280 | mfLastKey = lfsr; |
28ee794f | 281 | PrintAndLog(" | * | key | probable key:%x%x Prng:%s ks2:%08x ks3:%08x | |", |
7b215d14 | 282 | (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF), |
28ee794f | 283 | validate_prng_nonce(AuthData.nt) ? "WEAK": "HARD", |
7b215d14 OM |
284 | ks2, |
285 | ks3); | |
286 | ||
287 | AuthData.first_auth = false; | |
747885a6 OM |
288 | |
289 | traceCrypto1 = lfsr_recovery64(ks2, ks3); | |
7b215d14 | 290 | } else { |
28ee794f | 291 | printf("uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc); |
747885a6 OM |
292 | |
293 | // check last used key | |
294 | if (mfLastKey) { | |
c6a886fb OM |
295 | if (NestedCheckKey(mfLastKey, &AuthData, cmd, cmdsize)) { |
296 | }; | |
747885a6 OM |
297 | } |
298 | ||
299 | // check default keys | |
7bea1581 OM |
300 | if (!traceCrypto1) { |
301 | for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){ | |
302 | if (NestedCheckKey(MifareDefaultKeys[defaultKeyCounter], &AuthData, cmd, cmdsize)) { | |
303 | ||
304 | break; | |
305 | }; | |
306 | } | |
c6a886fb | 307 | } |
747885a6 OM |
308 | |
309 | // nested | |
7bea1581 OM |
310 | if (!traceCrypto1 && validate_prng_nonce(AuthData.nt)) { |
311 | uint32_t ntx = prng_successor(AuthData.nt, 90); | |
312 | for (int i = 0; i < 16383; i++) { | |
313 | ntx = prng_successor(ntx, 1); | |
314 | if (NTParityChk(&AuthData, ntx)){ | |
315 | ||
316 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(ntx, 64); | |
317 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(ntx, 96); | |
318 | struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3); | |
319 | memcpy(mfData, cmd, cmdsize); | |
320 | mf_crypto1_decrypt(pcs, mfData, cmdsize, 0); | |
321 | ||
322 | crypto1_destroy(pcs); | |
323 | if (CheckCrc14443(CRC_14443_A, mfData, cmdsize)) { | |
324 | traceCrypto1 = lfsr_recovery64(ks2, ks3); | |
325 | break; | |
326 | } | |
327 | } | |
328 | } | |
329 | if (traceCrypto1) | |
330 | printf("key> nt=%08x nonce distance=%d \n", ntx, nonce_distance(AuthData.nt, ntx)); | |
331 | else | |
332 | printf("key> don't have any valid nt( \n"); | |
747885a6 OM |
333 | } |
334 | ||
335 | //hardnested | |
7bea1581 OM |
336 | if (!traceCrypto1) { |
337 | } | |
7b215d14 OM |
338 | } |
339 | ||
340 | ||
341 | ||
342 | MifareAuthState = masData; | |
7b215d14 OM |
343 | } |
344 | ||
747885a6 OM |
345 | if (MifareAuthState == masData && traceCrypto1) { |
346 | memcpy(mfData, cmd, cmdsize); | |
347 | mf_crypto1_decrypt(traceCrypto1, mfData, cmdsize, 0); | |
348 | *mfDataLen = cmdsize; | |
7b215d14 OM |
349 | } |
350 | ||
351 | return *mfDataLen > 0; | |
352 | } | |
353 | ||
dca8220f OM |
354 | bool NTParityChk(TAuthData *ad, uint32_t ntx) { |
355 | if ( | |
356 | (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) || | |
357 | (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) || | |
358 | (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01)) | |
359 | ) | |
360 | return false; | |
361 | ||
362 | uint32_t ar = prng_successor(ntx, 64); | |
363 | if ( | |
364 | (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) || | |
365 | (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) || | |
366 | (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01)) | |
367 | ) | |
368 | return false; | |
369 | ||
370 | uint32_t at = prng_successor(ntx, 96); | |
371 | if ( | |
372 | (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) || | |
373 | (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) || | |
374 | (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) || | |
375 | (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01)) | |
376 | ) | |
377 | return false; | |
378 | ||
379 | return true; | |
380 | } | |
381 | ||
c6a886fb | 382 | bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize) { |
dca8220f OM |
383 | uint8_t buf[32] = {0}; |
384 | struct Crypto1State *pcs; | |
385 | ||
386 | pcs = crypto1_create(key); | |
387 | uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc; | |
388 | uint32_t ar = prng_successor(nt1, 64); | |
389 | uint32_t at = prng_successor(nt1, 96); | |
390 | printf("key> nested auth uid: %08x nt: %08x nt_parity: %s ar: %08x at: %08x\n", ad->uid, nt1, printBitsPar(&ad->nt_enc_par, 4), ar, at); | |
391 | uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; | |
392 | uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc; | |
393 | uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc; | |
394 | printf("key> the same key test. nr1: %08x ar1: %08x at1: %08x \n", nr1, ar1, at1); | |
395 | ||
396 | if (NTParityChk(ad, nt1)) | |
397 | printf("key> the same key test OK. key=%x%x\n", (unsigned int)((key & 0xFFFFFFFF00000000) >> 32), (unsigned int)(key & 0xFFFFFFFF)); | |
398 | else { | |
399 | printf("key> the same key test. check nt parity error.\n"); | |
400 | return false; | |
401 | } | |
402 | ||
403 | memcpy(buf, cmd, cmdsize); | |
404 | mf_crypto1_decrypt(pcs, buf, cmdsize, 0); | |
405 | ||
e0158d33 OM |
406 | crypto1_destroy(pcs); |
407 | ||
dca8220f | 408 | return CheckCrc14443(CRC_14443_A, buf, cmdsize); |
c6a886fb | 409 | } |