]>
Commit | Line | Data |
---|---|---|
4f131b53 | 1 | //----------------------------------------------------------------------------- |
2 | // Copyright (C) Merlok - 2017 | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Command: hf mf list. It shows data from arm buffer. | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include "cmdhflist.h" | |
12 | ||
13 | #include <stdlib.h> | |
14 | #include <stdio.h> | |
15 | #include <string.h> | |
6612a5a2 | 16 | #include <stdint.h> |
17 | #include <stdbool.h> | |
18 | #include "util.h" | |
19 | #include "data.h" | |
20 | #include "ui.h" | |
21 | #include "iso14443crc.h" | |
22 | #include "parity.h" | |
23 | #include "protocols.h" | |
7b215d14 OM |
24 | #include "crapto1/crapto1.h" |
25 | #include "mifarehost.h" | |
c6a886fb | 26 | #include "mifaredefault.h" |
4f131b53 | 27 | |
28 | ||
6612a5a2 | 29 | enum MifareAuthSeq { |
30 | masNone, | |
31 | masNt, | |
32 | masNrAr, | |
33 | masAt, | |
747885a6 | 34 | masAuthComplete, |
aadc6bf1 | 35 | masFirstData, |
6612a5a2 | 36 | masData, |
6612a5a2 | 37 | masError, |
38 | }; | |
39 | static enum MifareAuthSeq MifareAuthState; | |
aadc6bf1 OM |
40 | static TAuthData AuthData; |
41 | ||
42 | void ClearAuthData() { | |
43 | AuthData.uid = 0; | |
44 | AuthData.nt = 0; | |
7b215d14 | 45 | AuthData.first_auth = true; |
aadc6bf1 | 46 | } |
6612a5a2 | 47 | |
48 | /** | |
49 | * @brief iso14443A_CRC_check Checks CRC in command or response | |
50 | * @param isResponse | |
51 | * @param data | |
52 | * @param len | |
53 | * @return 0 : CRC-command, CRC not ok | |
54 | * 1 : CRC-command, CRC ok | |
55 | * 2 : Not crc-command | |
56 | */ | |
57 | uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
58 | { | |
59 | uint8_t b1,b2; | |
60 | ||
61 | if(len <= 2) return 2; | |
62 | ||
63 | if(isResponse & (len < 6)) return 2; | |
64 | ||
65 | ComputeCrc14443(CRC_14443_A, data, len-2, &b1, &b2); | |
66 | if (b1 != data[len-2] || b2 != data[len-1]) { | |
67 | return 0; | |
68 | } else { | |
69 | return 1; | |
70 | } | |
71 | } | |
72 | ||
73 | uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
74 | { | |
75 | switch(MifareAuthState) { | |
76 | case masNone: | |
6612a5a2 | 77 | case masError: |
78 | return iso14443A_CRC_check(isResponse, data, len); | |
79 | default: | |
80 | return 2; | |
81 | } | |
6612a5a2 | 82 | } |
83 | ||
84 | void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
85 | { | |
86 | switch(cmd[0]) | |
87 | { | |
a31f7f89 OM |
88 | case ISO14443A_CMD_WUPA: |
89 | snprintf(exp,size,"WUPA"); | |
90 | MifareAuthState = masNone; | |
91 | break; | |
6612a5a2 | 92 | case ISO14443A_CMD_ANTICOLL_OR_SELECT:{ |
93 | // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) | |
94 | // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) | |
95 | if(cmd[1] == 0x70) | |
96 | { | |
97 | snprintf(exp,size,"SELECT_UID"); break; | |
98 | }else | |
99 | { | |
100 | snprintf(exp,size,"ANTICOLL"); break; | |
101 | } | |
102 | } | |
103 | case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{ | |
104 | //95 20 = Anticollision of cascade level2 | |
105 | //95 70 = Select of cascade level2 | |
106 | if(cmd[2] == 0x70) | |
107 | { | |
108 | snprintf(exp,size,"SELECT_UID-2"); break; | |
109 | }else | |
110 | { | |
111 | snprintf(exp,size,"ANTICOLL-2"); break; | |
112 | } | |
113 | } | |
a31f7f89 OM |
114 | case ISO14443A_CMD_REQA: |
115 | snprintf(exp,size,"REQA"); | |
116 | MifareAuthState = masNone; | |
117 | break; | |
6612a5a2 | 118 | case ISO14443A_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; |
119 | case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; | |
120 | case ISO14443A_CMD_HALT: | |
121 | snprintf(exp,size,"HALT"); | |
122 | MifareAuthState = masNone; | |
123 | break; | |
124 | case ISO14443A_CMD_RATS: snprintf(exp,size,"RATS"); break; | |
125 | case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; | |
126 | case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; | |
127 | case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; | |
128 | case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; | |
129 | case MIFARE_AUTH_KEYA: | |
130 | if ( cmdsize > 3) { | |
131 | snprintf(exp,size,"AUTH-A(%d)",cmd[1]); | |
132 | MifareAuthState = masNt; | |
133 | } else { | |
134 | // case MIFARE_ULEV1_VERSION : both 0x60. | |
135 | snprintf(exp,size,"EV1 VERSION"); | |
136 | } | |
137 | break; | |
138 | case MIFARE_AUTH_KEYB: | |
139 | MifareAuthState = masNt; | |
140 | snprintf(exp,size,"AUTH-B(%d)",cmd[1]); | |
141 | break; | |
142 | case MIFARE_MAGICWUPC1: snprintf(exp,size,"MAGIC WUPC1"); break; | |
143 | case MIFARE_MAGICWUPC2: snprintf(exp,size,"MAGIC WUPC2"); break; | |
144 | case MIFARE_MAGICWIPEC: snprintf(exp,size,"MAGIC WIPEC"); break; | |
145 | case MIFARE_ULC_AUTH_1: snprintf(exp,size,"AUTH "); break; | |
146 | case MIFARE_ULC_AUTH_2: snprintf(exp,size,"AUTH_ANSW"); break; | |
147 | case MIFARE_ULEV1_AUTH: | |
148 | if ( cmdsize == 7 ) | |
149 | snprintf(exp,size,"PWD-AUTH KEY: 0x%02x%02x%02x%02x", cmd[1], cmd[2], cmd[3], cmd[4] ); | |
150 | else | |
151 | snprintf(exp,size,"PWD-AUTH"); | |
152 | break; | |
153 | case MIFARE_ULEV1_FASTREAD:{ | |
154 | if ( cmdsize >=3 && cmd[2] <= 0xE6) | |
155 | snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); | |
156 | else | |
157 | snprintf(exp,size,"?"); | |
158 | break; | |
159 | } | |
160 | case MIFARE_ULC_WRITE:{ | |
161 | if ( cmd[1] < 0x21 ) | |
162 | snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); | |
163 | else | |
164 | snprintf(exp,size,"?"); | |
165 | break; | |
166 | } | |
167 | case MIFARE_ULEV1_READ_CNT:{ | |
168 | if ( cmd[1] < 5 ) | |
169 | snprintf(exp,size,"READ CNT(%d)",cmd[1]); | |
170 | else | |
171 | snprintf(exp,size,"?"); | |
172 | break; | |
173 | } | |
174 | case MIFARE_ULEV1_INCR_CNT:{ | |
175 | if ( cmd[1] < 5 ) | |
176 | snprintf(exp,size,"INCR(%d)",cmd[1]); | |
177 | else | |
178 | snprintf(exp,size,"?"); | |
179 | break; | |
180 | } | |
181 | case MIFARE_ULEV1_READSIG: snprintf(exp,size,"READ_SIG"); break; | |
182 | case MIFARE_ULEV1_CHECKTEAR: snprintf(exp,size,"CHK_TEARING(%d)",cmd[1]); break; | |
183 | case MIFARE_ULEV1_VCSL: snprintf(exp,size,"VCSL"); break; | |
184 | default: snprintf(exp,size,"?"); break; | |
185 | } | |
186 | return; | |
187 | } | |
188 | ||
b957bcd3 | 189 | void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8_t* parity, uint8_t paritysize, bool isResponse) { |
aadc6bf1 OM |
190 | // get UID |
191 | if (MifareAuthState == masNone) { | |
7b215d14 | 192 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && cmd[1] == 0x70) { |
aadc6bf1 OM |
193 | ClearAuthData(); |
194 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
195 | } | |
7b215d14 | 196 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && cmd[1] == 0x70) { |
aadc6bf1 OM |
197 | ClearAuthData(); |
198 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
199 | } | |
200 | } | |
201 | ||
6612a5a2 | 202 | switch(MifareAuthState) { |
203 | case masNt: | |
fb30f5a1 | 204 | if (cmdsize == 4 && isResponse) { |
aadc6bf1 | 205 | snprintf(exp,size,"AUTH: nt %s", (AuthData.first_auth) ? "" : "(enc)"); |
6612a5a2 | 206 | MifareAuthState = masNrAr; |
aadc6bf1 | 207 | if (AuthData.first_auth) |
7b215d14 | 208 | AuthData.nt = bytes_to_num(cmd, 4); |
aadc6bf1 | 209 | else |
7b215d14 | 210 | AuthData.nt_enc = bytes_to_num(cmd, 4); |
b957bcd3 | 211 | AuthData.nt_enc_par = parity[0]; |
6612a5a2 | 212 | return; |
213 | } else { | |
214 | MifareAuthState = masError; | |
6612a5a2 | 215 | } |
216 | break; | |
217 | case masNrAr: | |
fb30f5a1 | 218 | if (cmdsize == 8 && !isResponse) { |
6c30a244 | 219 | snprintf(exp,size,"AUTH: nr ar (enc)"); |
6612a5a2 | 220 | MifareAuthState = masAt; |
7b215d14 OM |
221 | AuthData.nr_enc = bytes_to_num(cmd, 4); |
222 | AuthData.ar_enc = bytes_to_num(&cmd[4], 4); | |
b957bcd3 | 223 | AuthData.ar_enc_par = parity[0] << 4; |
6612a5a2 | 224 | return; |
225 | } else { | |
226 | MifareAuthState = masError; | |
227 | } | |
228 | break; | |
229 | case masAt: | |
fb30f5a1 | 230 | if (cmdsize == 4 && isResponse) { |
6c30a244 | 231 | snprintf(exp,size,"AUTH: at (enc)"); |
747885a6 | 232 | MifareAuthState = masAuthComplete; |
7b215d14 | 233 | AuthData.at_enc = bytes_to_num(cmd, 4); |
b957bcd3 | 234 | AuthData.at_enc_par = parity[0]; |
6612a5a2 | 235 | return; |
236 | } else { | |
237 | MifareAuthState = masError; | |
238 | } | |
239 | break; | |
240 | default: | |
241 | break; | |
242 | } | |
243 | ||
747885a6 | 244 | if (!isResponse && ((MifareAuthState == masNone) || (MifareAuthState == masError))) |
6612a5a2 | 245 | annotateIso14443a(exp, size, cmd, cmdsize); |
246 | ||
247 | } | |
7b215d14 OM |
248 | |
249 | bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, bool isResponse, uint8_t *mfData, size_t *mfDataLen) { | |
747885a6 | 250 | static struct Crypto1State *traceCrypto1; |
dca8220f | 251 | static uint64_t mfLastKey; |
747885a6 | 252 | |
7b215d14 OM |
253 | *mfDataLen = 0; |
254 | ||
747885a6 OM |
255 | if (MifareAuthState == masAuthComplete) { |
256 | if (traceCrypto1) { | |
257 | crypto1_destroy(traceCrypto1); | |
258 | } | |
259 | ||
260 | MifareAuthState = masFirstData; | |
261 | return false; | |
262 | } | |
263 | ||
7b215d14 OM |
264 | if (cmdsize > 32) |
265 | return false; | |
266 | ||
267 | if (MifareAuthState == masFirstData) { | |
268 | if (AuthData.first_auth) { | |
269 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(AuthData.nt, 64); | |
270 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(AuthData.nt, 96); | |
271 | struct Crypto1State *revstate = lfsr_recovery64(ks2, ks3); | |
272 | lfsr_rollback_word(revstate, 0, 0); | |
273 | lfsr_rollback_word(revstate, 0, 0); | |
274 | lfsr_rollback_word(revstate, AuthData.nr_enc, 1); | |
275 | lfsr_rollback_word(revstate, AuthData.uid ^ AuthData.nt, 0); | |
276 | ||
277 | uint64_t lfsr = 0; | |
278 | crypto1_get_lfsr(revstate, &lfsr); | |
279 | crypto1_destroy(revstate); | |
747885a6 | 280 | mfLastKey = lfsr; |
28ee794f | 281 | PrintAndLog(" | * | key | probable key:%x%x Prng:%s ks2:%08x ks3:%08x | |", |
7b215d14 | 282 | (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF), |
28ee794f | 283 | validate_prng_nonce(AuthData.nt) ? "WEAK": "HARD", |
7b215d14 OM |
284 | ks2, |
285 | ks3); | |
286 | ||
287 | AuthData.first_auth = false; | |
747885a6 OM |
288 | |
289 | traceCrypto1 = lfsr_recovery64(ks2, ks3); | |
7b215d14 | 290 | } else { |
28ee794f | 291 | printf("uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc); |
747885a6 OM |
292 | |
293 | // check last used key | |
294 | if (mfLastKey) { | |
c6a886fb OM |
295 | if (NestedCheckKey(mfLastKey, &AuthData, cmd, cmdsize)) { |
296 | }; | |
747885a6 OM |
297 | } |
298 | ||
299 | // check default keys | |
c6a886fb OM |
300 | for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){ |
301 | if (NestedCheckKey(MifareDefaultKeys[defaultKeyCounter], &AuthData, cmd, cmdsize)) { | |
302 | ||
303 | break; | |
304 | }; | |
305 | } | |
747885a6 OM |
306 | |
307 | // nested | |
308 | if (validate_prng_nonce(AuthData.nt)) { | |
309 | } | |
310 | ||
311 | //hardnested | |
7b215d14 OM |
312 | } |
313 | ||
314 | ||
315 | ||
316 | MifareAuthState = masData; | |
7b215d14 OM |
317 | } |
318 | ||
747885a6 OM |
319 | if (MifareAuthState == masData && traceCrypto1) { |
320 | memcpy(mfData, cmd, cmdsize); | |
321 | mf_crypto1_decrypt(traceCrypto1, mfData, cmdsize, 0); | |
322 | *mfDataLen = cmdsize; | |
7b215d14 OM |
323 | } |
324 | ||
325 | return *mfDataLen > 0; | |
326 | } | |
327 | ||
dca8220f OM |
328 | bool NTParityChk(TAuthData *ad, uint32_t ntx) { |
329 | if ( | |
330 | (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) || | |
331 | (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) || | |
332 | (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01)) | |
333 | ) | |
334 | return false; | |
335 | ||
336 | uint32_t ar = prng_successor(ntx, 64); | |
337 | if ( | |
338 | (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) || | |
339 | (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) || | |
340 | (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01)) | |
341 | ) | |
342 | return false; | |
343 | ||
344 | uint32_t at = prng_successor(ntx, 96); | |
345 | if ( | |
346 | (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) || | |
347 | (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) || | |
348 | (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) || | |
349 | (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01)) | |
350 | ) | |
351 | return false; | |
352 | ||
353 | return true; | |
354 | } | |
355 | ||
c6a886fb | 356 | bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize) { |
dca8220f OM |
357 | uint8_t buf[32] = {0}; |
358 | struct Crypto1State *pcs; | |
359 | ||
360 | pcs = crypto1_create(key); | |
361 | uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc; | |
362 | uint32_t ar = prng_successor(nt1, 64); | |
363 | uint32_t at = prng_successor(nt1, 96); | |
364 | printf("key> nested auth uid: %08x nt: %08x nt_parity: %s ar: %08x at: %08x\n", ad->uid, nt1, printBitsPar(&ad->nt_enc_par, 4), ar, at); | |
365 | uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; | |
366 | uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc; | |
367 | uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc; | |
368 | printf("key> the same key test. nr1: %08x ar1: %08x at1: %08x \n", nr1, ar1, at1); | |
369 | ||
370 | if (NTParityChk(ad, nt1)) | |
371 | printf("key> the same key test OK. key=%x%x\n", (unsigned int)((key & 0xFFFFFFFF00000000) >> 32), (unsigned int)(key & 0xFFFFFFFF)); | |
372 | else { | |
373 | printf("key> the same key test. check nt parity error.\n"); | |
374 | return false; | |
375 | } | |
376 | ||
377 | memcpy(buf, cmd, cmdsize); | |
378 | mf_crypto1_decrypt(pcs, buf, cmdsize, 0); | |
379 | ||
380 | return CheckCrc14443(CRC_14443_A, buf, cmdsize); | |
c6a886fb | 381 | } |