]>
Commit | Line | Data |
---|---|---|
1 | //----------------------------------------------------------------------------- | |
2 | // Copyright (C) Merlok - 2017 | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Command: hf mf list. It shows data from arm buffer. | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include "cmdhflist.h" | |
12 | ||
13 | #include <stdlib.h> | |
14 | #include <stdio.h> | |
15 | #include <string.h> | |
16 | #include <stdint.h> | |
17 | #include <stdbool.h> | |
18 | #include "util.h" | |
19 | #include "ui.h" | |
20 | #include "iso14443crc.h" | |
21 | #include "parity.h" | |
22 | #include "protocols.h" | |
23 | #include "crapto1/crapto1.h" | |
24 | #include "mifarehost.h" | |
25 | #include "mifaredefault.h" | |
26 | ||
27 | ||
28 | enum MifareAuthSeq { | |
29 | masNone, | |
30 | masNt, | |
31 | masNrAr, | |
32 | masAt, | |
33 | masAuthComplete, | |
34 | masFirstData, | |
35 | masData, | |
36 | masError, | |
37 | }; | |
38 | static enum MifareAuthSeq MifareAuthState; | |
39 | static TAuthData AuthData; | |
40 | ||
41 | void ClearAuthData() { | |
42 | AuthData.uid = 0; | |
43 | AuthData.nt = 0; | |
44 | AuthData.first_auth = true; | |
45 | AuthData.ks2 = 0; | |
46 | AuthData.ks3 = 0; | |
47 | } | |
48 | ||
49 | /** | |
50 | * @brief iso14443A_CRC_check Checks CRC in command or response | |
51 | * @param isResponse | |
52 | * @param data | |
53 | * @param len | |
54 | * @return 0 : CRC-command, CRC not ok | |
55 | * 1 : CRC-command, CRC ok | |
56 | * 2 : Not crc-command | |
57 | */ | |
58 | uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
59 | { | |
60 | uint8_t b1,b2; | |
61 | ||
62 | if(len <= 2) return 2; | |
63 | ||
64 | if(isResponse & (len < 6)) return 2; | |
65 | ||
66 | ComputeCrc14443(CRC_14443_A, data, len-2, &b1, &b2); | |
67 | if (b1 != data[len-2] || b2 != data[len-1]) { | |
68 | return 0; | |
69 | } else { | |
70 | return 1; | |
71 | } | |
72 | } | |
73 | ||
74 | uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
75 | { | |
76 | switch(MifareAuthState) { | |
77 | case masNone: | |
78 | case masError: | |
79 | return iso14443A_CRC_check(isResponse, data, len); | |
80 | default: | |
81 | return 2; | |
82 | } | |
83 | } | |
84 | ||
85 | void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
86 | { | |
87 | switch(cmd[0]) | |
88 | { | |
89 | case ICLASS_CMD_ACTALL: snprintf(exp,size,"ACTALL"); break; | |
90 | case ICLASS_CMD_READ_OR_IDENTIFY:{ | |
91 | if(cmdsize > 1){ | |
92 | snprintf(exp,size,"READ(%d)",cmd[1]); | |
93 | }else{ | |
94 | snprintf(exp,size,"IDENTIFY"); | |
95 | } | |
96 | break; | |
97 | } | |
98 | case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break; | |
99 | case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL(%d)", cmd[1]); break; | |
100 | case ICLASS_CMD_READCHECK_KC:snprintf(exp,size,"READCHECK[Kc](%d)", cmd[1]); break; | |
101 | case ICLASS_CMD_READCHECK_KD:snprintf(exp,size,"READCHECK[Kd](%d)", cmd[1]); break; | |
102 | case ICLASS_CMD_CHECK: snprintf(exp,size,"CHECK"); break; | |
103 | case ICLASS_CMD_DETECT: snprintf(exp,size,"DETECT"); break; | |
104 | case ICLASS_CMD_HALT: snprintf(exp,size,"HALT"); break; | |
105 | case ICLASS_CMD_UPDATE: snprintf(exp,size,"UPDATE(%d)",cmd[1]); break; | |
106 | case ICLASS_CMD_ACT: snprintf(exp,size,"ACT"); break; | |
107 | case ICLASS_CMD_READ4: snprintf(exp,size,"READ4(%d)",cmd[1]); break; | |
108 | default: snprintf(exp,size,"?"); break; | |
109 | } | |
110 | return; | |
111 | } | |
112 | ||
113 | void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
114 | { | |
115 | ||
116 | if(cmd[0] == 0x26) | |
117 | { | |
118 | switch(cmd[1]){ | |
119 | case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");break; | |
120 | case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");break; | |
121 | default: snprintf(exp,size,"?"); break; | |
122 | ||
123 | } | |
124 | }else if(cmd[0] == 0x02) | |
125 | { | |
126 | switch(cmd[1]) | |
127 | { | |
128 | case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");break; | |
129 | case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");break; | |
130 | case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");break; | |
131 | case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");break; | |
132 | case ISO15693_SELECT :snprintf(exp, size, "SELECT");break; | |
133 | case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");break; | |
134 | case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");break; | |
135 | case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");break; | |
136 | case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");break; | |
137 | case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break; | |
138 | case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break; | |
139 | case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break; | |
140 | default: snprintf(exp,size,"?"); break; | |
141 | } | |
142 | } | |
143 | } | |
144 | ||
145 | ||
146 | void annotateTopaz(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
147 | { | |
148 | switch(cmd[0]) { | |
149 | case TOPAZ_REQA :snprintf(exp, size, "REQA");break; | |
150 | case TOPAZ_WUPA :snprintf(exp, size, "WUPA");break; | |
151 | case TOPAZ_RID :snprintf(exp, size, "RID");break; | |
152 | case TOPAZ_RALL :snprintf(exp, size, "RALL");break; | |
153 | case TOPAZ_READ :snprintf(exp, size, "READ");break; | |
154 | case TOPAZ_WRITE_E :snprintf(exp, size, "WRITE-E");break; | |
155 | case TOPAZ_WRITE_NE :snprintf(exp, size, "WRITE-NE");break; | |
156 | case TOPAZ_RSEG :snprintf(exp, size, "RSEG");break; | |
157 | case TOPAZ_READ8 :snprintf(exp, size, "READ8");break; | |
158 | case TOPAZ_WRITE_E8 :snprintf(exp, size, "WRITE-E8");break; | |
159 | case TOPAZ_WRITE_NE8 :snprintf(exp, size, "WRITE-NE8");break; | |
160 | default: snprintf(exp,size,"?"); break; | |
161 | } | |
162 | } | |
163 | ||
164 | ||
165 | /** | |
166 | 06 00 = INITIATE | |
167 | 0E xx = SELECT ID (xx = Chip-ID) | |
168 | 0B = Get UID | |
169 | 08 yy = Read Block (yy = block number) | |
170 | 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written) | |
171 | 0C = Reset to Inventory | |
172 | 0F = Completion | |
173 | 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate) | |
174 | **/ | |
175 | ||
176 | void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
177 | { | |
178 | switch(cmd[0]){ | |
179 | case ISO14443B_REQB : snprintf(exp,size,"REQB");break; | |
180 | case ISO14443B_ATTRIB : snprintf(exp,size,"ATTRIB");break; | |
181 | case ISO14443B_HALT : snprintf(exp,size,"HALT");break; | |
182 | case ISO14443B_INITIATE : snprintf(exp,size,"INITIATE");break; | |
183 | case ISO14443B_SELECT : snprintf(exp,size,"SELECT(%d)",cmd[1]);break; | |
184 | case ISO14443B_GET_UID : snprintf(exp,size,"GET UID");break; | |
185 | case ISO14443B_READ_BLK : snprintf(exp,size,"READ_BLK(%d)", cmd[1]);break; | |
186 | case ISO14443B_WRITE_BLK : snprintf(exp,size,"WRITE_BLK(%d)",cmd[1]);break; | |
187 | case ISO14443B_RESET : snprintf(exp,size,"RESET");break; | |
188 | case ISO14443B_COMPLETION : snprintf(exp,size,"COMPLETION");break; | |
189 | case ISO14443B_AUTHENTICATE : snprintf(exp,size,"AUTHENTICATE");break; | |
190 | default : snprintf(exp,size ,"?");break; | |
191 | } | |
192 | ||
193 | } | |
194 | ||
195 | void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
196 | { | |
197 | switch(cmd[0]) | |
198 | { | |
199 | case ISO14443A_CMD_WUPA: | |
200 | snprintf(exp,size,"WUPA"); | |
201 | break; | |
202 | case ISO14443A_CMD_ANTICOLL_OR_SELECT:{ | |
203 | // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) | |
204 | // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) | |
205 | if(cmd[1] == 0x70) | |
206 | { | |
207 | snprintf(exp,size,"SELECT_UID"); break; | |
208 | }else | |
209 | { | |
210 | snprintf(exp,size,"ANTICOLL"); break; | |
211 | } | |
212 | } | |
213 | case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{ | |
214 | //95 20 = Anticollision of cascade level2 | |
215 | //95 70 = Select of cascade level2 | |
216 | if(cmd[2] == 0x70) | |
217 | { | |
218 | snprintf(exp,size,"SELECT_UID-2"); break; | |
219 | }else | |
220 | { | |
221 | snprintf(exp,size,"ANTICOLL-2"); break; | |
222 | } | |
223 | } | |
224 | case ISO14443A_CMD_REQA: | |
225 | snprintf(exp,size,"REQA"); | |
226 | break; | |
227 | case ISO14443A_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; | |
228 | case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; | |
229 | case ISO14443A_CMD_HALT: | |
230 | snprintf(exp,size,"HALT"); | |
231 | MifareAuthState = masNone; | |
232 | break; | |
233 | case ISO14443A_CMD_RATS: snprintf(exp,size,"RATS"); break; | |
234 | case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; | |
235 | case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; | |
236 | case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; | |
237 | case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; | |
238 | case MIFARE_AUTH_KEYA: | |
239 | if ( cmdsize > 3) { | |
240 | snprintf(exp,size,"AUTH-A(%d)",cmd[1]); | |
241 | MifareAuthState = masNt; | |
242 | } else { | |
243 | // case MIFARE_ULEV1_VERSION : both 0x60. | |
244 | snprintf(exp,size,"EV1 VERSION"); | |
245 | } | |
246 | break; | |
247 | case MIFARE_AUTH_KEYB: | |
248 | MifareAuthState = masNt; | |
249 | snprintf(exp,size,"AUTH-B(%d)",cmd[1]); | |
250 | break; | |
251 | case MIFARE_MAGICWUPC1: snprintf(exp,size,"MAGIC WUPC1"); break; | |
252 | case MIFARE_MAGICWUPC2: snprintf(exp,size,"MAGIC WUPC2"); break; | |
253 | case MIFARE_MAGICWIPEC: snprintf(exp,size,"MAGIC WIPEC"); break; | |
254 | case MIFARE_ULC_AUTH_1: snprintf(exp,size,"AUTH "); break; | |
255 | case MIFARE_ULC_AUTH_2: snprintf(exp,size,"AUTH_ANSW"); break; | |
256 | case MIFARE_ULEV1_AUTH: | |
257 | if ( cmdsize == 7 ) | |
258 | snprintf(exp,size,"PWD-AUTH KEY: 0x%02x%02x%02x%02x", cmd[1], cmd[2], cmd[3], cmd[4] ); | |
259 | else | |
260 | snprintf(exp,size,"PWD-AUTH"); | |
261 | break; | |
262 | case MIFARE_ULEV1_FASTREAD:{ | |
263 | if ( cmdsize >=3 && cmd[2] <= 0xE6) | |
264 | snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); | |
265 | else | |
266 | snprintf(exp,size,"?"); | |
267 | break; | |
268 | } | |
269 | case MIFARE_ULC_WRITE:{ | |
270 | if ( cmd[1] < 0x21 ) | |
271 | snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); | |
272 | else | |
273 | snprintf(exp,size,"?"); | |
274 | break; | |
275 | } | |
276 | case MIFARE_ULEV1_READ_CNT:{ | |
277 | if ( cmd[1] < 5 ) | |
278 | snprintf(exp,size,"READ CNT(%d)",cmd[1]); | |
279 | else | |
280 | snprintf(exp,size,"?"); | |
281 | break; | |
282 | } | |
283 | case MIFARE_ULEV1_INCR_CNT:{ | |
284 | if ( cmd[1] < 5 ) | |
285 | snprintf(exp,size,"INCR(%d)",cmd[1]); | |
286 | else | |
287 | snprintf(exp,size,"?"); | |
288 | break; | |
289 | } | |
290 | case MIFARE_ULEV1_READSIG: snprintf(exp,size,"READ_SIG"); break; | |
291 | case MIFARE_ULEV1_CHECKTEAR: snprintf(exp,size,"CHK_TEARING(%d)",cmd[1]); break; | |
292 | case MIFARE_ULEV1_VCSL: snprintf(exp,size,"VCSL"); break; | |
293 | default: snprintf(exp,size,"?"); break; | |
294 | } | |
295 | return; | |
296 | } | |
297 | ||
298 | void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8_t* parity, uint8_t paritysize, bool isResponse) { | |
299 | if (!isResponse && cmdsize == 1) { | |
300 | switch(cmd[0]) { | |
301 | case ISO14443A_CMD_WUPA: | |
302 | case ISO14443A_CMD_REQA: | |
303 | MifareAuthState = masNone; | |
304 | break; | |
305 | default: | |
306 | break; | |
307 | } | |
308 | } | |
309 | ||
310 | // get UID | |
311 | if (MifareAuthState == masNone) { | |
312 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && cmd[1] == 0x70) { | |
313 | ClearAuthData(); | |
314 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
315 | } | |
316 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && cmd[1] == 0x70) { | |
317 | ClearAuthData(); | |
318 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
319 | } | |
320 | } | |
321 | ||
322 | switch(MifareAuthState) { | |
323 | case masNt: | |
324 | if (cmdsize == 4 && isResponse) { | |
325 | snprintf(exp,size,"AUTH: nt %s", (AuthData.first_auth) ? "" : "(enc)"); | |
326 | MifareAuthState = masNrAr; | |
327 | if (AuthData.first_auth) { | |
328 | AuthData.nt = bytes_to_num(cmd, 4); | |
329 | } else { | |
330 | AuthData.nt_enc = bytes_to_num(cmd, 4); | |
331 | AuthData.nt_enc_par = parity[0]; | |
332 | } | |
333 | return; | |
334 | } else { | |
335 | MifareAuthState = masError; | |
336 | } | |
337 | break; | |
338 | case masNrAr: | |
339 | if (cmdsize == 8 && !isResponse) { | |
340 | snprintf(exp,size,"AUTH: nr ar (enc)"); | |
341 | MifareAuthState = masAt; | |
342 | AuthData.nr_enc = bytes_to_num(cmd, 4); | |
343 | AuthData.ar_enc = bytes_to_num(&cmd[4], 4); | |
344 | AuthData.ar_enc_par = parity[0] << 4; | |
345 | return; | |
346 | } else { | |
347 | MifareAuthState = masError; | |
348 | } | |
349 | break; | |
350 | case masAt: | |
351 | if (cmdsize == 4 && isResponse) { | |
352 | snprintf(exp,size,"AUTH: at (enc)"); | |
353 | MifareAuthState = masAuthComplete; | |
354 | AuthData.at_enc = bytes_to_num(cmd, 4); | |
355 | AuthData.at_enc_par = parity[0]; | |
356 | return; | |
357 | } else { | |
358 | MifareAuthState = masError; | |
359 | } | |
360 | break; | |
361 | default: | |
362 | break; | |
363 | } | |
364 | ||
365 | if (!isResponse && ((MifareAuthState == masNone) || (MifareAuthState == masError))) | |
366 | annotateIso14443a(exp, size, cmd, cmdsize); | |
367 | ||
368 | } | |
369 | ||
370 | bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen) { | |
371 | static struct Crypto1State *traceCrypto1; | |
372 | static uint64_t mfLastKey; | |
373 | ||
374 | *mfDataLen = 0; | |
375 | ||
376 | if (MifareAuthState == masAuthComplete) { | |
377 | if (traceCrypto1) { | |
378 | crypto1_destroy(traceCrypto1); | |
379 | traceCrypto1 = NULL; | |
380 | } | |
381 | ||
382 | MifareAuthState = masFirstData; | |
383 | return false; | |
384 | } | |
385 | ||
386 | if (cmdsize > 32) | |
387 | return false; | |
388 | ||
389 | if (MifareAuthState == masFirstData) { | |
390 | if (AuthData.first_auth) { | |
391 | AuthData.ks2 = AuthData.ar_enc ^ prng_successor(AuthData.nt, 64); | |
392 | AuthData.ks3 = AuthData.at_enc ^ prng_successor(AuthData.nt, 96); | |
393 | ||
394 | mfLastKey = GetCrypto1ProbableKey(&AuthData); | |
395 | PrintAndLog(" | * | key | probable key:%012"PRIx64" Prng:%s ks2:%08x ks3:%08x | |", | |
396 | mfLastKey, | |
397 | validate_prng_nonce(AuthData.nt) ? "WEAK": "HARD", | |
398 | AuthData.ks2, | |
399 | AuthData.ks3); | |
400 | ||
401 | AuthData.first_auth = false; | |
402 | ||
403 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
404 | } else { | |
405 | if (traceCrypto1) { | |
406 | crypto1_destroy(traceCrypto1); | |
407 | traceCrypto1 = NULL; | |
408 | } | |
409 | ||
410 | // check last used key | |
411 | if (mfLastKey) { | |
412 | if (NestedCheckKey(mfLastKey, &AuthData, cmd, cmdsize, parity)) { | |
413 | PrintAndLog(" | * | key | last used key:%012"PRIx64" ks2:%08x ks3:%08x | |", | |
414 | mfLastKey, | |
415 | AuthData.ks2, | |
416 | AuthData.ks3); | |
417 | ||
418 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
419 | }; | |
420 | } | |
421 | ||
422 | // check default keys | |
423 | if (!traceCrypto1) { | |
424 | for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){ | |
425 | if (NestedCheckKey(MifareDefaultKeys[defaultKeyCounter], &AuthData, cmd, cmdsize, parity)) { | |
426 | PrintAndLog(" | * | key | default key:%012"PRIx64" ks2:%08x ks3:%08x | |", | |
427 | MifareDefaultKeys[defaultKeyCounter], | |
428 | AuthData.ks2, | |
429 | AuthData.ks3); | |
430 | ||
431 | mfLastKey = MifareDefaultKeys[defaultKeyCounter]; | |
432 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
433 | break; | |
434 | }; | |
435 | } | |
436 | } | |
437 | ||
438 | // nested | |
439 | if (!traceCrypto1 && validate_prng_nonce(AuthData.nt)) { | |
440 | uint32_t ntx = prng_successor(AuthData.nt, 90); | |
441 | for (int i = 0; i < 16383; i++) { | |
442 | ntx = prng_successor(ntx, 1); | |
443 | if (NTParityChk(&AuthData, ntx)){ | |
444 | ||
445 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(ntx, 64); | |
446 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(ntx, 96); | |
447 | struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3); | |
448 | memcpy(mfData, cmd, cmdsize); | |
449 | mf_crypto1_decrypt(pcs, mfData, cmdsize, 0); | |
450 | ||
451 | crypto1_destroy(pcs); | |
452 | if (CheckCrypto1Parity(cmd, cmdsize, mfData, parity) && CheckCrc14443(CRC_14443_A, mfData, cmdsize)) { | |
453 | AuthData.ks2 = ks2; | |
454 | AuthData.ks3 = ks3; | |
455 | ||
456 | AuthData.nt = ntx; | |
457 | mfLastKey = GetCrypto1ProbableKey(&AuthData); | |
458 | PrintAndLog(" | * | key | nested probable key:%012"PRIx64" ks2:%08x ks3:%08x | |", | |
459 | mfLastKey, | |
460 | AuthData.ks2, | |
461 | AuthData.ks3); | |
462 | ||
463 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
464 | break; | |
465 | } | |
466 | } | |
467 | } | |
468 | } | |
469 | ||
470 | //hardnested | |
471 | if (!traceCrypto1) { | |
472 | printf("hardnested not implemented. uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc); | |
473 | MifareAuthState = masError; | |
474 | ||
475 | /* TOO SLOW( needs to have more strong filter. with this filter - aprox 4 mln tests | |
476 | uint32_t t = msclock(); | |
477 | uint32_t t1 = t; | |
478 | int n = 0; | |
479 | for (uint32_t i = 0; i < 0xFFFFFFFF; i++) { | |
480 | if (NTParityChk(&AuthData, i)){ | |
481 | ||
482 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(i, 64); | |
483 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(i, 96); | |
484 | struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3); | |
485 | ||
486 | ||
487 | ||
488 | ||
489 | n++; | |
490 | ||
491 | if (!(n % 100000)) { | |
492 | printf("delta=%d n=%d ks2=%x ks3=%x \n", msclock() - t1 , n, ks2, ks3); | |
493 | t1 = msclock(); | |
494 | } | |
495 | ||
496 | } | |
497 | } | |
498 | printf("delta=%d n=%d\n", msclock() - t, n); | |
499 | */ | |
500 | } | |
501 | } | |
502 | ||
503 | ||
504 | ||
505 | MifareAuthState = masData; | |
506 | } | |
507 | ||
508 | if (MifareAuthState == masData && traceCrypto1) { | |
509 | memcpy(mfData, cmd, cmdsize); | |
510 | mf_crypto1_decrypt(traceCrypto1, mfData, cmdsize, 0); | |
511 | *mfDataLen = cmdsize; | |
512 | } | |
513 | ||
514 | return *mfDataLen > 0; | |
515 | } | |
516 | ||
517 | bool NTParityChk(TAuthData *ad, uint32_t ntx) { | |
518 | if ( | |
519 | (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) || | |
520 | (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) || | |
521 | (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01)) | |
522 | ) | |
523 | return false; | |
524 | ||
525 | uint32_t ar = prng_successor(ntx, 64); | |
526 | if ( | |
527 | (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) || | |
528 | (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) || | |
529 | (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01)) | |
530 | ) | |
531 | return false; | |
532 | ||
533 | uint32_t at = prng_successor(ntx, 96); | |
534 | if ( | |
535 | (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) || | |
536 | (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) || | |
537 | (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) || | |
538 | (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01)) | |
539 | ) | |
540 | return false; | |
541 | ||
542 | return true; | |
543 | } | |
544 | ||
545 | bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity) { | |
546 | uint8_t buf[32] = {0}; | |
547 | struct Crypto1State *pcs; | |
548 | ||
549 | AuthData.ks2 = 0; | |
550 | AuthData.ks3 = 0; | |
551 | ||
552 | pcs = crypto1_create(key); | |
553 | uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc; | |
554 | uint32_t ar = prng_successor(nt1, 64); | |
555 | uint32_t at = prng_successor(nt1, 96); | |
556 | ||
557 | crypto1_word(pcs, ad->nr_enc, 1); | |
558 | // uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; // if needs deciphered nr | |
559 | uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc; | |
560 | uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc; | |
561 | ||
562 | if (!(ar == ar1 && at == at1 && NTParityChk(ad, nt1))) { | |
563 | crypto1_destroy(pcs); | |
564 | return false; | |
565 | } | |
566 | ||
567 | memcpy(buf, cmd, cmdsize); | |
568 | mf_crypto1_decrypt(pcs, buf, cmdsize, 0); | |
569 | ||
570 | crypto1_destroy(pcs); | |
571 | ||
572 | if (!CheckCrypto1Parity(cmd, cmdsize, buf, parity)) | |
573 | return false; | |
574 | ||
575 | if(!CheckCrc14443(CRC_14443_A, buf, cmdsize)) | |
576 | return false; | |
577 | ||
578 | AuthData.nt = nt1; | |
579 | AuthData.ks2 = AuthData.ar_enc ^ ar; | |
580 | AuthData.ks3 = AuthData.at_enc ^ at; | |
581 | ||
582 | return true; | |
583 | } | |
584 | ||
585 | bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc) { | |
586 | for (int i = 0; i < cmdsize - 1; i++) { | |
587 | if (oddparity8(cmd[i]) ^ (cmd[i + 1] & 0x01) ^ ((parity_enc[i / 8] >> (7 - i % 8)) & 0x01) ^ (cmd_enc[i + 1] & 0x01)) | |
588 | return false; | |
589 | } | |
590 | ||
591 | return true; | |
592 | } | |
593 | ||
594 | uint64_t GetCrypto1ProbableKey(TAuthData *ad) { | |
595 | struct Crypto1State *revstate = lfsr_recovery64(ad->ks2, ad->ks3); | |
596 | lfsr_rollback_word(revstate, 0, 0); | |
597 | lfsr_rollback_word(revstate, 0, 0); | |
598 | lfsr_rollback_word(revstate, ad->nr_enc, 1); | |
599 | lfsr_rollback_word(revstate, ad->uid ^ ad->nt, 0); | |
600 | ||
601 | uint64_t lfsr = 0; | |
602 | crypto1_get_lfsr(revstate, &lfsr); | |
603 | crypto1_destroy(revstate); | |
604 | ||
605 | return lfsr; | |
606 | } |