2ae8a312 |
1 | /***************************************************************************** |
2 | * WARNING |
3 | * |
4 | * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. |
5 | * |
6 | * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL |
7 | * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, |
8 | * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. |
9 | * |
10 | * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. |
11 | * |
12 | ***************************************************************************** |
13 | * |
14 | * This file is part of loclass. It is a reconstructon of the cipher engine |
15 | * used in iClass, and RFID techology. |
16 | * |
17 | * The implementation is based on the work performed by |
18 | * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and |
19 | * Milosch Meriac in the paper "Dismantling IClass". |
20 | * |
21 | * Copyright (C) 2014 Martin Holst Swende |
22 | * |
23 | * This is free software: you can redistribute it and/or modify |
24 | * it under the terms of the GNU General Public License version 2 as published |
25 | * by the Free Software Foundation. |
26 | * |
27 | * This file is distributed in the hope that it will be useful, |
28 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
29 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
30 | * GNU General Public License for more details. |
31 | * |
32 | * You should have received a copy of the GNU General Public License |
33 | * along with loclass. If not, see <http://www.gnu.org/licenses/>. |
34 | * |
35 | * |
36 | * |
37 | ****************************************************************************/ |
38 | |
39 | |
f38a1528 |
40 | #ifndef ELITE_CRACK_H |
41 | #define ELITE_CRACK_H |
42 | void permutekey(uint8_t key[8], uint8_t dest[8]); |
43 | /** |
44 | * Permutes a key from iclass specific format to NIST format |
45 | * @brief permutekey_rev |
46 | * @param key |
47 | * @param dest |
48 | */ |
49 | void permutekey_rev(uint8_t key[8], uint8_t dest[8]); |
50 | //Crack status, see below |
51 | #define CRACKED 0x0100 |
52 | #define BEING_CRACKED 0x0200 |
53 | #define CRACK_FAILED 0x0400 |
54 | |
55 | /** |
56 | * Perform a bruteforce against a file which has been saved by pm3 |
57 | * |
58 | * @brief bruteforceFile |
59 | * @param filename |
60 | * @param keytable an arrah (128 x 16 bit ints). This is where the keydata is stored. |
61 | * OBS! the upper part of the 16 bits store crack-status, |
62 | * @return |
63 | */ |
64 | int bruteforceFile(const char *filename, uint16_t keytable[]); |
65 | /** |
66 | * |
67 | * @brief Same as above, if you don't care about the returned keytable (results only printed on screen) |
68 | * @param filename |
69 | * @return |
70 | */ |
71 | int bruteforceFileNoKeys(const char *filename); |
72 | /** |
73 | * @brief Same as bruteforcefile, but uses a an array of dumpdata instead |
74 | * @param dump |
75 | * @param dumpsize |
76 | * @param keytable |
77 | * @return |
78 | */ |
79 | int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]); |
80 | |
81 | /** |
82 | This is how we expect each 'entry' in a dumpfile to look |
83 | **/ |
84 | typedef struct { |
85 | uint8_t csn[8]; |
86 | uint8_t cc_nr[12]; |
87 | uint8_t mac[4]; |
88 | |
89 | }dumpdata; |
90 | |
91 | /** |
92 | * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac. |
93 | *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced |
94 | *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts. |
95 | *It updates the keytable with the findings, also using the upper half of the 16-bit ints |
96 | *to signal if the particular byte has been cracked or not. |
97 | * |
98 | * @param dump The dumpdata from iclass reader attack. |
99 | * @param keytable where to write found values. |
100 | * @return |
101 | */ |
102 | int bruteforceItem(dumpdata item, uint16_t keytable[]); |
103 | /** |
104 | * Hash1 takes CSN as input, and determines what bytes in the keytable will be used |
105 | * when constructing the K_sel. |
106 | * @param csn the CSN used |
107 | * @param k output |
108 | */ |
109 | void hash1(uint8_t csn[] , uint8_t k[]); |
110 | void hash2(uint8_t *key64, uint8_t *outp_keytable); |
111 | /** |
112 | * From dismantling iclass-paper: |
113 | * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] . |
114 | * Then he can simply recover the master custom key K_cus by computing |
115 | * K_cus = ~DES(z[0] , y[0] ) . |
116 | * |
117 | * Furthermore, the adversary is able to verify that he has the correct K cus by |
118 | * checking whether z [0] = DES enc (K_cus , ~K_cus ). |
119 | * @param keytable an array (128 bytes) of hash2(kcus) |
120 | * @param master_key where to put the master key |
121 | * @return 0 for ok, 1 for failz |
122 | */ |
123 | int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] ); |
124 | |
125 | /** |
126 | * @brief Test function |
127 | * @return |
128 | */ |
129 | int testElite(); |
130 | |
131 | /** |
132 | Here are some pretty optimal values that can be used to recover necessary data in only |
133 | eight auth attempts. |
134 | // CSN HASH1 Bytes recovered // |
135 | { {0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0} , {0x01,0x01,0x00,0x00,0x45,0x01,0x45,0x45 } ,{0,1 }}, |
136 | { {0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0} , {0x02,0x0c,0x01,0x00,0x45,0x01,0x45,0x45} , {2,12}}, |
137 | { {0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0} , {0x07,0x45,0x0b,0x00,0x45,0x01,0x45,0x45} , {7,11}}, |
138 | { {0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0} , {0x03,0x0f,0x00,0x00,0x45,0x01,0x45,0x45} , {3,15}}, |
139 | { {0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0} , {0x04,0x00,0x08,0x00,0x45,0x01,0x45,0x45} , {4,8}}, |
140 | { {0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0} , {0x0e,0x06,0x08,0x00,0x45,0x01,0x45,0x45} , {6,14}}, |
141 | { {0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0} , {0x0b,0x09,0x0f,0x00,0x45,0x01,0x05,0x45} , {9,5}}, |
142 | { {0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0} , {0x0d,0x0f,0x0a,0x00,0x45,0x01,0x05,0x45} , {10,13}}, |
143 | |
144 | **/ |
145 | |
146 | |
147 | #endif |