]>
Commit | Line | Data |
---|---|---|
3742d905 | 1 | /* |
2 | * Hitag2 emulation | |
3 | * | |
4 | * Contains state and functions for an emulated Hitag2 tag. Offers an entry | |
5 | * point to handle commands, needs a callback to send response. | |
6 | * | |
7 | * (c) 2009 Henryk Plötz <henryk@ploetzli.ch> | |
8 | */ | |
9 | ||
10 | #include <proxmark3.h> | |
11 | #include <stdint.h> | |
12 | ||
13 | #include "apps.h" | |
14 | #include "hitag2.h" | |
15 | ||
16 | struct hitag2_cipher_state { | |
17 | uint64_t state; | |
18 | }; | |
19 | ||
20 | struct hitag2_tag { | |
21 | uint32_t uid; | |
22 | enum { | |
23 | TAG_STATE_RESET, // Just powered up, awaiting GetSnr | |
24 | TAG_STATE_ACTIVATING, // In activation phase (password mode), sent UID, awaiting reader password | |
25 | TAG_STATE_AUTHENTICATING, // In activation phase (crypto mode), awaiting reader authentication | |
26 | TAG_STATE_ACTIVATED, // Activation complete, awaiting read/write commands | |
27 | TAG_STATE_WRITING, // In write command, awaiting sector contents to be written | |
28 | } state; | |
29 | unsigned int active_sector; | |
30 | char crypto_active; | |
31 | struct hitag2_cipher_state cs; | |
32 | char sectors[8][4]; | |
33 | }; | |
34 | ||
35 | static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *challenge); | |
36 | static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator); | |
37 | static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits); | |
38 | ||
39 | static struct hitag2_tag tag; | |
40 | static const struct hitag2_tag resetdata = { | |
41 | .state = TAG_STATE_RESET, | |
42 | .sectors = { // Password mode: | Crypto mode: | |
43 | [0] = { 0x35, 0x33, 0x70, 0x11}, // UID | UID | |
44 | [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key | |
45 | [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved | |
46 | [3] = { 0x0e, 0xaa, 'H', 'T'}, // Configuration, password TAG | Configuration, password TAG | |
47 | }, | |
48 | }; | |
49 | ||
50 | int hitag2_reset(void) | |
51 | { | |
52 | tag.state = TAG_STATE_RESET; | |
53 | tag.crypto_active = 0; | |
54 | return 0; | |
55 | } | |
56 | ||
57 | int hitag2_init(void) | |
58 | { | |
59 | memcpy(&tag, &resetdata, sizeof(tag)); | |
60 | hitag2_reset(); | |
61 | return 0; | |
62 | } | |
63 | ||
64 | int hitag2_handle_command(const char* data, const int length, hitag2_response_callback_t cb, void *cb_cookie) | |
65 | { | |
66 | (void)data; (void)length; (void)cb; (void)cb_cookie; | |
67 | int retry = 0, done = 0, result=0; | |
68 | char temp[10]; | |
69 | ||
70 | if(tag.crypto_active && length < sizeof(temp)*8) { | |
71 | /* Decrypt command */ | |
72 | memcpy(temp, data, (length+7)/8); | |
73 | hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8); | |
74 | data = temp; | |
75 | } | |
76 | ||
77 | ||
78 | handle_command_retry: | |
79 | switch(tag.state) { | |
80 | case TAG_STATE_RESET: | |
81 | if(length == 5 && data[0] == 0xC0) { | |
82 | /* Received 11000 from the reader, request for UID, send UID */ | |
83 | result=cb(tag.sectors[0], sizeof(tag.sectors[0])*8, 208, cb_cookie); | |
84 | done=1; | |
85 | if(tag.sectors[3][0] & 0x08) { | |
86 | tag.state=TAG_STATE_AUTHENTICATING; | |
87 | } else { | |
88 | tag.state=TAG_STATE_ACTIVATING; | |
89 | } | |
90 | } | |
91 | break; | |
92 | case TAG_STATE_ACTIVATING: | |
93 | if(length == 0x20) { | |
94 | /* Received RWD password, respond with configuration and our password */ | |
95 | result=cb(tag.sectors[3], sizeof(tag.sectors[3])*8, 208, cb_cookie); | |
96 | done=1; | |
97 | tag.state=TAG_STATE_ACTIVATED; | |
98 | } | |
99 | break; | |
100 | case TAG_STATE_AUTHENTICATING: | |
101 | if(length == 0x40) { | |
102 | /* Received initialisation vector || authentication token, fire up cipher, send our password */ | |
103 | hitag2_cipher_reset(&tag, data); | |
104 | if(hitag2_cipher_authenticate(&(tag.cs), data+4)) { | |
105 | char response_enc[4]; | |
106 | memcpy(response_enc, tag.sectors[3], 4); | |
107 | hitag2_cipher_transcrypt(&(tag.cs), response_enc, 4, 0); | |
108 | result=cb(response_enc, 4*8, 208, cb_cookie); | |
109 | done=1; | |
110 | tag.crypto_active = 1; | |
111 | tag.state = TAG_STATE_ACTIVATED; | |
112 | } else { | |
113 | /* The reader failed to authenticate, do nothing */ | |
114 | DbpString("Reader authentication failed"); | |
115 | } | |
116 | } | |
117 | break; | |
118 | case TAG_STATE_ACTIVATED: | |
119 | if(length == 10) { | |
120 | if( ((data[0] & 0xC0) == 0xC0) && ((data[0] & 0x06) == 0) ) { | |
121 | /* Read command: 11xx x00y yy with yyy == ~xxx, xxx is sector number */ | |
122 | unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07); | |
123 | if(sector == ( (data[0]>>3)&0x07 ) ) { | |
124 | memcpy(temp, tag.sectors[sector], 4); | |
125 | if(tag.crypto_active) { | |
126 | hitag2_cipher_transcrypt(&(tag.cs), temp, 4, 0); | |
127 | } | |
128 | /* Respond with contents of sector sector */ | |
129 | result = cb(temp, 4*8, 208, cb_cookie); | |
130 | done=1; | |
131 | } else { | |
132 | /* transmission error */ | |
133 | DbpString("Transmission error (read) in activated state"); | |
134 | } | |
135 | } else if( ((data[0] & 0xC0) == 0x80) && ((data[0] & 0x06) == 2) ) { | |
136 | /* Write command: 10xx x01y yy with yyy == ~xxx, xxx is sector number */ | |
137 | unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07); | |
138 | if(sector == ( (data[0]>>3)&0x07 ) ) { | |
139 | /* Prepare write, acknowledge by repeating command */ | |
140 | if(tag.crypto_active) { | |
141 | hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8); | |
142 | } | |
143 | result = cb(data, length, 208, cb_cookie); | |
144 | done=1; | |
145 | tag.active_sector = sector; | |
146 | tag.state=TAG_STATE_WRITING; | |
147 | } else { | |
148 | /* transmission error */ | |
149 | DbpString("Transmission error (write) in activated state"); | |
150 | } | |
151 | } | |
152 | ||
153 | } | |
154 | case TAG_STATE_WRITING: | |
155 | if(length == 32) { | |
156 | /* These are the sector contents to be written. We don't have to do anything else. */ | |
157 | memcpy(tag.sectors[tag.active_sector], data, length/8); | |
158 | tag.state=TAG_STATE_ACTIVATED; | |
159 | done=1; | |
160 | } | |
161 | } | |
162 | ||
163 | if(!done && !retry) { | |
164 | /* We didn't respond, maybe our state is faulty. Reset and try again. */ | |
165 | retry=1; | |
166 | if(tag.crypto_active) { | |
167 | /* Restore undeciphered data */ | |
168 | memcpy(temp, data, (length+7)/8); | |
169 | } | |
170 | hitag2_reset(); | |
171 | goto handle_command_retry; | |
172 | } | |
173 | ||
174 | return result; | |
175 | } | |
176 | ||
177 | /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */ | |
178 | // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007. | |
179 | // For educational purposes only. | |
180 | // No warranties or guarantees of any kind. | |
181 | // This code is released into the public domain by its author. | |
182 | ||
183 | // Basic macros: | |
184 | ||
185 | #define u8 uint8_t | |
186 | #define u32 uint32_t | |
187 | #define u64 uint64_t | |
188 | #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7)) | |
189 | #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8)) | |
190 | #define rev32(x) (rev16(x)+(rev16(x>>16)<<16)) | |
191 | #define rev64(x) (rev32(x)+(rev32(x>>32)<<32)) | |
192 | #define bit(x,n) (((x)>>(n))&1) | |
193 | #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1) | |
194 | #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31)) | |
195 | #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63))) | |
196 | ||
197 | // Single bit Hitag2 functions: | |
198 | ||
199 | #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8)) | |
200 | ||
201 | static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001 | |
202 | static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001 | |
203 | static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011 | |
204 | ||
205 | static u32 _f20 (const u64 x) | |
206 | { | |
207 | u32 i5; | |
208 | ||
209 | i5 = ((ht2_f4a >> i4 (x, 1, 2, 4, 5)) & 1)* 1 | |
210 | + ((ht2_f4b >> i4 (x, 7,11,13,14)) & 1)* 2 | |
211 | + ((ht2_f4b >> i4 (x,16,20,22,25)) & 1)* 4 | |
212 | + ((ht2_f4b >> i4 (x,27,28,30,32)) & 1)* 8 | |
213 | + ((ht2_f4a >> i4 (x,33,42,43,45)) & 1)*16; | |
214 | ||
215 | return (ht2_f5c >> i5) & 1; | |
216 | } | |
217 | ||
218 | static u64 _hitag2_init (const u64 key, const u32 serial, const u32 IV) | |
219 | { | |
220 | u32 i; | |
221 | u64 x = ((key & 0xFFFF) << 32) + serial; | |
222 | ||
223 | for (i = 0; i < 32; i++) | |
224 | { | |
225 | x >>= 1; | |
226 | x += (u64) (_f20 (x) ^ (((IV >> i) ^ (key >> (i+16))) & 1)) << 47; | |
227 | } | |
228 | return x; | |
229 | } | |
230 | ||
231 | static u64 _hitag2_round (u64 *state) | |
232 | { | |
233 | u64 x = *state; | |
234 | ||
235 | x = (x >> 1) + | |
236 | ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) | |
237 | ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22) | |
238 | ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41) | |
239 | ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47); | |
240 | ||
241 | *state = x; | |
242 | return _f20 (x); | |
243 | } | |
244 | ||
245 | // Bitslice Hitag2 functions: | |
246 | ||
247 | #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b)) | |
248 | #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b))) | |
249 | #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c)))) | |
250 | ||
251 | #define uf20bs u32 // choose your own type/width | |
252 | ||
253 | static uf20bs _f20bs (const uf20bs *x) | |
254 | { | |
255 | return ht2bs_5c ( | |
256 | ht2bs_4a(x[ 1],x[ 2],x[ 4],x[ 5]), | |
257 | ht2bs_4b(x[ 7],x[11],x[13],x[14]), | |
258 | ht2bs_4b(x[16],x[20],x[22],x[25]), | |
259 | ht2bs_4b(x[27],x[28],x[30],x[32]), | |
260 | ht2bs_4a(x[33],x[42],x[43],x[45])); | |
261 | } | |
262 | ||
263 | static void _hitag2bs_init (uf20bs *x, const uf20bs *key, const uf20bs *serial, const uf20bs *IV) | |
264 | { | |
265 | u32 i, r; | |
266 | ||
267 | for (i = 0; i < 32; i++) x[i] = serial[i]; | |
268 | for (i = 0; i < 16; i++) x[32+i] = key[i]; | |
269 | ||
270 | for (r = 0; r < 32; r++) | |
271 | { | |
272 | for (i = 0; i < 47; i++) x[i] = x[i+1]; | |
273 | x[47] = _f20bs (x) ^ IV[i] ^ key[16+i]; | |
274 | } | |
275 | } | |
276 | ||
277 | static uf20bs _hitag2bs_round (uf20bs *x) | |
278 | { | |
279 | uf20bs y; | |
280 | u32 i; | |
281 | ||
282 | y = x[ 0] ^ x[ 2] ^ x[ 3] ^ x[ 6] ^ x[ 7] ^ x[ 8] ^ x[16] ^ x[22] | |
283 | ^ x[23] ^ x[26] ^ x[30] ^ x[41] ^ x[42] ^ x[43] ^ x[46] ^ x[47]; | |
284 | ||
285 | for (i = 0; i < 47; i++) x[i] = x[i+1]; | |
286 | x[47] = y; | |
287 | ||
288 | return _f20bs (x); | |
289 | } | |
290 | ||
291 | static u32 _hitag2_byte (u64 * x) | |
292 | { | |
293 | u32 i, c; | |
294 | ||
295 | for (i = 0, c = 0; i < 8; i++) c += (u32) _hitag2_round (x) << (i^7); | |
296 | return c; | |
297 | } | |
298 | ||
299 | ||
300 | /* Cipher/tag glue code: */ | |
301 | ||
302 | static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *iv) | |
303 | { | |
304 | uint64_t key = ((uint64_t)tag->sectors[2][2]) | | |
305 | ((uint64_t)tag->sectors[2][3] << 8) | | |
306 | ((uint64_t)tag->sectors[1][0] << 16) | | |
307 | ((uint64_t)tag->sectors[1][1] << 24) | | |
308 | ((uint64_t)tag->sectors[1][2] << 32) | | |
309 | ((uint64_t)tag->sectors[1][3] << 40); | |
310 | uint32_t uid = ((uint32_t)tag->sectors[0][0]) | | |
311 | ((uint32_t)tag->sectors[0][1] << 8) | | |
312 | ((uint32_t)tag->sectors[0][2] << 16) | | |
313 | ((uint32_t)tag->sectors[0][3] << 24); | |
314 | uint32_t iv_ = (((uint32_t)(iv[0]))) | | |
315 | (((uint32_t)(iv[1])) << 8) | | |
316 | (((uint32_t)(iv[2])) << 16) | | |
317 | (((uint32_t)(iv[3])) << 24); | |
318 | tag->cs.state = _hitag2_init(rev64(key), rev32(uid), rev32(iv_)); | |
319 | } | |
320 | ||
321 | static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator_is) | |
322 | { | |
323 | char authenticator_should[4]; | |
324 | authenticator_should[0] = ~_hitag2_byte(&(cs->state)); | |
325 | authenticator_should[1] = ~_hitag2_byte(&(cs->state)); | |
326 | authenticator_should[2] = ~_hitag2_byte(&(cs->state)); | |
327 | authenticator_should[3] = ~_hitag2_byte(&(cs->state)); | |
328 | return memcmp(authenticator_should, authenticator_is, 4) == 0; | |
329 | } | |
330 | ||
331 | static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits) | |
332 | { | |
333 | int i; | |
334 | for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(&(cs->state)); | |
335 | for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(&(cs->state)) << (7-i); | |
336 | return 0; | |
337 | } |