]>
Commit | Line | Data |
---|---|---|
bd20f8f4 | 1 | //----------------------------------------------------------------------------- |
2 | // (c) 2009 Henryk Plötz <henryk@ploetzli.ch> | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Hitag2 emulation | |
9 | // | |
10 | // Contains state and functions for an emulated Hitag2 tag. Offers an entry | |
11 | // point to handle commands, needs a callback to send response. | |
12 | //----------------------------------------------------------------------------- | |
3742d905 | 13 | |
e30c654b | 14 | #include "proxmark3.h" |
3742d905 | 15 | #include "apps.h" |
f7e3ed82 | 16 | #include "util.h" |
3742d905 | 17 | #include "hitag2.h" |
9ab7a6c7 | 18 | #include "string.h" |
3742d905 | 19 | |
20 | struct hitag2_cipher_state { | |
21 | uint64_t state; | |
22 | }; | |
23 | ||
24 | struct hitag2_tag { | |
25 | uint32_t uid; | |
e30c654b | 26 | enum { |
3742d905 | 27 | TAG_STATE_RESET, // Just powered up, awaiting GetSnr |
28 | TAG_STATE_ACTIVATING, // In activation phase (password mode), sent UID, awaiting reader password | |
29 | TAG_STATE_AUTHENTICATING, // In activation phase (crypto mode), awaiting reader authentication | |
30 | TAG_STATE_ACTIVATED, // Activation complete, awaiting read/write commands | |
31 | TAG_STATE_WRITING, // In write command, awaiting sector contents to be written | |
32 | } state; | |
33 | unsigned int active_sector; | |
34 | char crypto_active; | |
35 | struct hitag2_cipher_state cs; | |
36 | char sectors[8][4]; | |
37 | }; | |
38 | ||
39 | static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *challenge); | |
40 | static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator); | |
41 | static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits); | |
42 | ||
43 | static struct hitag2_tag tag; | |
44 | static const struct hitag2_tag resetdata = { | |
45 | .state = TAG_STATE_RESET, | |
46 | .sectors = { // Password mode: | Crypto mode: | |
47 | [0] = { 0x35, 0x33, 0x70, 0x11}, // UID | UID | |
48 | [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key | |
49 | [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved | |
50 | [3] = { 0x0e, 0xaa, 'H', 'T'}, // Configuration, password TAG | Configuration, password TAG | |
51 | }, | |
52 | }; | |
53 | ||
54 | int hitag2_reset(void) | |
55 | { | |
56 | tag.state = TAG_STATE_RESET; | |
57 | tag.crypto_active = 0; | |
58 | return 0; | |
59 | } | |
60 | ||
61 | int hitag2_init(void) | |
62 | { | |
63 | memcpy(&tag, &resetdata, sizeof(tag)); | |
64 | hitag2_reset(); | |
65 | return 0; | |
66 | } | |
67 | ||
68 | int hitag2_handle_command(const char* data, const int length, hitag2_response_callback_t cb, void *cb_cookie) | |
69 | { | |
70 | (void)data; (void)length; (void)cb; (void)cb_cookie; | |
71 | int retry = 0, done = 0, result=0; | |
72 | char temp[10]; | |
73 | ||
74 | if(tag.crypto_active && length < sizeof(temp)*8) { | |
75 | /* Decrypt command */ | |
76 | memcpy(temp, data, (length+7)/8); | |
77 | hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8); | |
78 | data = temp; | |
79 | } | |
80 | ||
e30c654b | 81 | |
3742d905 | 82 | handle_command_retry: |
83 | switch(tag.state) { | |
84 | case TAG_STATE_RESET: | |
85 | if(length == 5 && data[0] == 0xC0) { | |
86 | /* Received 11000 from the reader, request for UID, send UID */ | |
87 | result=cb(tag.sectors[0], sizeof(tag.sectors[0])*8, 208, cb_cookie); | |
88 | done=1; | |
89 | if(tag.sectors[3][0] & 0x08) { | |
90 | tag.state=TAG_STATE_AUTHENTICATING; | |
91 | } else { | |
92 | tag.state=TAG_STATE_ACTIVATING; | |
93 | } | |
94 | } | |
95 | break; | |
96 | case TAG_STATE_ACTIVATING: | |
97 | if(length == 0x20) { | |
98 | /* Received RWD password, respond with configuration and our password */ | |
99 | result=cb(tag.sectors[3], sizeof(tag.sectors[3])*8, 208, cb_cookie); | |
100 | done=1; | |
101 | tag.state=TAG_STATE_ACTIVATED; | |
102 | } | |
103 | break; | |
104 | case TAG_STATE_AUTHENTICATING: | |
105 | if(length == 0x40) { | |
106 | /* Received initialisation vector || authentication token, fire up cipher, send our password */ | |
107 | hitag2_cipher_reset(&tag, data); | |
108 | if(hitag2_cipher_authenticate(&(tag.cs), data+4)) { | |
109 | char response_enc[4]; | |
110 | memcpy(response_enc, tag.sectors[3], 4); | |
111 | hitag2_cipher_transcrypt(&(tag.cs), response_enc, 4, 0); | |
112 | result=cb(response_enc, 4*8, 208, cb_cookie); | |
113 | done=1; | |
114 | tag.crypto_active = 1; | |
115 | tag.state = TAG_STATE_ACTIVATED; | |
116 | } else { | |
117 | /* The reader failed to authenticate, do nothing */ | |
118 | DbpString("Reader authentication failed"); | |
119 | } | |
120 | } | |
121 | break; | |
122 | case TAG_STATE_ACTIVATED: | |
123 | if(length == 10) { | |
124 | if( ((data[0] & 0xC0) == 0xC0) && ((data[0] & 0x06) == 0) ) { | |
125 | /* Read command: 11xx x00y yy with yyy == ~xxx, xxx is sector number */ | |
126 | unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07); | |
127 | if(sector == ( (data[0]>>3)&0x07 ) ) { | |
128 | memcpy(temp, tag.sectors[sector], 4); | |
129 | if(tag.crypto_active) { | |
130 | hitag2_cipher_transcrypt(&(tag.cs), temp, 4, 0); | |
131 | } | |
132 | /* Respond with contents of sector sector */ | |
133 | result = cb(temp, 4*8, 208, cb_cookie); | |
134 | done=1; | |
135 | } else { | |
136 | /* transmission error */ | |
137 | DbpString("Transmission error (read) in activated state"); | |
138 | } | |
139 | } else if( ((data[0] & 0xC0) == 0x80) && ((data[0] & 0x06) == 2) ) { | |
140 | /* Write command: 10xx x01y yy with yyy == ~xxx, xxx is sector number */ | |
141 | unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07); | |
142 | if(sector == ( (data[0]>>3)&0x07 ) ) { | |
143 | /* Prepare write, acknowledge by repeating command */ | |
144 | if(tag.crypto_active) { | |
145 | hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8); | |
146 | } | |
147 | result = cb(data, length, 208, cb_cookie); | |
148 | done=1; | |
149 | tag.active_sector = sector; | |
150 | tag.state=TAG_STATE_WRITING; | |
151 | } else { | |
152 | /* transmission error */ | |
153 | DbpString("Transmission error (write) in activated state"); | |
154 | } | |
e30c654b | 155 | } |
156 | ||
3742d905 | 157 | } |
158 | case TAG_STATE_WRITING: | |
159 | if(length == 32) { | |
160 | /* These are the sector contents to be written. We don't have to do anything else. */ | |
161 | memcpy(tag.sectors[tag.active_sector], data, length/8); | |
162 | tag.state=TAG_STATE_ACTIVATED; | |
163 | done=1; | |
164 | } | |
165 | } | |
e30c654b | 166 | |
3742d905 | 167 | if(!done && !retry) { |
168 | /* We didn't respond, maybe our state is faulty. Reset and try again. */ | |
169 | retry=1; | |
170 | if(tag.crypto_active) { | |
171 | /* Restore undeciphered data */ | |
172 | memcpy(temp, data, (length+7)/8); | |
173 | } | |
174 | hitag2_reset(); | |
175 | goto handle_command_retry; | |
176 | } | |
177 | ||
178 | return result; | |
179 | } | |
180 | ||
181 | /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */ | |
182 | // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007. | |
183 | // For educational purposes only. | |
184 | // No warranties or guarantees of any kind. | |
185 | // This code is released into the public domain by its author. | |
186 | ||
187 | // Basic macros: | |
188 | ||
189 | #define u8 uint8_t | |
190 | #define u32 uint32_t | |
191 | #define u64 uint64_t | |
192 | #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7)) | |
193 | #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8)) | |
194 | #define rev32(x) (rev16(x)+(rev16(x>>16)<<16)) | |
195 | #define rev64(x) (rev32(x)+(rev32(x>>32)<<32)) | |
196 | #define bit(x,n) (((x)>>(n))&1) | |
197 | #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1) | |
198 | #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31)) | |
199 | #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63))) | |
200 | ||
201 | // Single bit Hitag2 functions: | |
202 | ||
203 | #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8)) | |
204 | ||
205 | static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001 | |
206 | static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001 | |
207 | static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011 | |
208 | ||
209 | static u32 _f20 (const u64 x) | |
210 | { | |
211 | u32 i5; | |
e30c654b | 212 | |
3742d905 | 213 | i5 = ((ht2_f4a >> i4 (x, 1, 2, 4, 5)) & 1)* 1 |
214 | + ((ht2_f4b >> i4 (x, 7,11,13,14)) & 1)* 2 | |
215 | + ((ht2_f4b >> i4 (x,16,20,22,25)) & 1)* 4 | |
216 | + ((ht2_f4b >> i4 (x,27,28,30,32)) & 1)* 8 | |
217 | + ((ht2_f4a >> i4 (x,33,42,43,45)) & 1)*16; | |
e30c654b | 218 | |
3742d905 | 219 | return (ht2_f5c >> i5) & 1; |
220 | } | |
221 | ||
222 | static u64 _hitag2_init (const u64 key, const u32 serial, const u32 IV) | |
223 | { | |
224 | u32 i; | |
225 | u64 x = ((key & 0xFFFF) << 32) + serial; | |
e30c654b | 226 | |
3742d905 | 227 | for (i = 0; i < 32; i++) |
228 | { | |
229 | x >>= 1; | |
230 | x += (u64) (_f20 (x) ^ (((IV >> i) ^ (key >> (i+16))) & 1)) << 47; | |
231 | } | |
232 | return x; | |
233 | } | |
234 | ||
235 | static u64 _hitag2_round (u64 *state) | |
236 | { | |
237 | u64 x = *state; | |
e30c654b | 238 | |
3742d905 | 239 | x = (x >> 1) + |
240 | ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) | |
241 | ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22) | |
242 | ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41) | |
243 | ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47); | |
e30c654b | 244 | |
3742d905 | 245 | *state = x; |
246 | return _f20 (x); | |
247 | } | |
248 | ||
3742d905 | 249 | static u32 _hitag2_byte (u64 * x) |
250 | { | |
251 | u32 i, c; | |
e30c654b | 252 | |
3742d905 | 253 | for (i = 0, c = 0; i < 8; i++) c += (u32) _hitag2_round (x) << (i^7); |
254 | return c; | |
255 | } | |
256 | ||
257 | ||
258 | /* Cipher/tag glue code: */ | |
259 | ||
260 | static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *iv) | |
261 | { | |
262 | uint64_t key = ((uint64_t)tag->sectors[2][2]) | | |
263 | ((uint64_t)tag->sectors[2][3] << 8) | | |
264 | ((uint64_t)tag->sectors[1][0] << 16) | | |
265 | ((uint64_t)tag->sectors[1][1] << 24) | | |
266 | ((uint64_t)tag->sectors[1][2] << 32) | | |
267 | ((uint64_t)tag->sectors[1][3] << 40); | |
268 | uint32_t uid = ((uint32_t)tag->sectors[0][0]) | | |
269 | ((uint32_t)tag->sectors[0][1] << 8) | | |
270 | ((uint32_t)tag->sectors[0][2] << 16) | | |
271 | ((uint32_t)tag->sectors[0][3] << 24); | |
272 | uint32_t iv_ = (((uint32_t)(iv[0]))) | | |
273 | (((uint32_t)(iv[1])) << 8) | | |
274 | (((uint32_t)(iv[2])) << 16) | | |
275 | (((uint32_t)(iv[3])) << 24); | |
276 | tag->cs.state = _hitag2_init(rev64(key), rev32(uid), rev32(iv_)); | |
277 | } | |
278 | ||
279 | static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator_is) | |
280 | { | |
281 | char authenticator_should[4]; | |
282 | authenticator_should[0] = ~_hitag2_byte(&(cs->state)); | |
283 | authenticator_should[1] = ~_hitag2_byte(&(cs->state)); | |
284 | authenticator_should[2] = ~_hitag2_byte(&(cs->state)); | |
285 | authenticator_should[3] = ~_hitag2_byte(&(cs->state)); | |
286 | return memcmp(authenticator_should, authenticator_is, 4) == 0; | |
287 | } | |
288 | ||
289 | static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits) | |
290 | { | |
291 | int i; | |
292 | for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(&(cs->state)); | |
293 | for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(&(cs->state)) << (7-i); | |
294 | return 0; | |
295 | } |