cvs.zerfleddert.de Git - proxmark3-svn/blame_incremental

... / ...

Commit	Line	Data
	1	//-----------------------------------------------------------------------------
	2	// Merlok - June 2011
	3	// Roel - Dec 2009
	4	// Unknown author
	5	//
	6	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	7	// at your option, any later version. See the LICENSE.txt file for the text of
	8	// the license.
	9	//-----------------------------------------------------------------------------
	10	// MIFARE Darkside hack
	11	//-----------------------------------------------------------------------------
	12
	13	#define __STDC_FORMAT_MACROS
	14	#include <inttypes.h>
	15	#define llx PRIx64
	16
	17	#include "nonce2key.h"
	18	#include "mifarehost.h"
	19	#include "ui.h"
	20
	21	int compar_state(const void * a, const void * b) {
	22	// didn't work: (the result is truncated to 32 bits)
	23	//return ((int64_t)b - (int64_t)a);
	24
	25	// better:
	26	if ((int64_t)b == (int64_t)a) return 0;
	27	else if ((int64_t)b > (int64_t)a) return 1;
	28	else return -1;
	29	}
	30
	31	int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) {
	32
	33	struct Crypto1State *state;
	34	uint32_t i, pos, rr = 0, nr_diff, key_count;//, ks1, ks2;
	35	byte_t bt, ks3x[8], par[8][8];
	36	uint64_t key_recovered;
	37	int64_t *state_s;
	38
	39	static uint32_t last_uid;
	40	static int64_t *last_keylist;
	41
	42	if (last_uid != uid && last_keylist != NULL) {
	43	free(last_keylist);
	44	last_keylist = NULL;
	45	}
	46	last_uid = uid;
	47
	48	// Reset the last three significant bits of the reader nonce
	49	nr &= 0xffffff1f;
	50
	51	PrintAndLog("\nuid(%08x) nt(%08x) par(%016"llx") ks(%016"llx") nr(%08"llx")\n\n", uid, nt, par_info, ks_info, nr);
	52
	53	for ( pos = 0; pos < 8; pos++ ) {
	54	ks3x[7-pos] = (ks_info >> (pos*8)) & 0x0f;
	55	bt = (par_info >> (pos*8)) & 0xff;
	56
	57	for ( i = 0; i < 8; i++) {
	58	par[7-pos][i] = (bt >> i) & 0x01;
	59	}
	60	}
	61
	62	printf("\|diff\|{nr} \|ks3\|ks3^5\|parity \|\n");
	63	printf("+----+--------+---+-----+---------------+\n");
	64
	65	for ( i = 0; i < 8; i++) {
	66	nr_diff = nr \| i << 5;
	67	printf("\| %02x \|%08x\|", i << 5, nr_diff);
	68	printf(" %01x \| %01x \|", ks3x[i], ks3x[i]^5);
	69	for (pos = 0; pos < 7; pos++)
	70	printf("%01x,", par[i][pos]);
	71	printf("%01x\|\n", par[i][7]);
	72	}
	73	printf("+----+--------+---+-----+---------------+\n");
	74
	75	if ( par_info == 0 )
	76	PrintAndLog("Parity is all zero, try special attack! Wait for few more seconds...");
	77
	78	state = lfsr_common_prefix(nr, rr, ks3x, par, par_info==0);
	79	state_s = (int64_t*)state;
	80
	81	//char filename[50] ;
	82	//sprintf(filename, "nt_%08x_%d.txt", nt, nr);
	83	//printf("name %s\n", filename);
	84	//FILE* fp = fopen(filename,"w");
	85	for (i = 0; (state) && ((state + i)->odd != -1); i++)
	86	{
	87	lfsr_rollback_word(state+i, uid^nt, 0);
	88	crypto1_get_lfsr(state + i, &key_recovered);
	89	*(state_s + i) = key_recovered;
	90	//fprintf(fp, "%012llx\n",key_recovered);
	91	}
	92	//fclose(fp);
	93
	94	if(!state)
	95	return 1;
	96
	97	// quicksort statelist
	98	qsort(state_s, i, sizeof(*state_s), compar_state);
	99
	100	// set last element marker
	101	*(state_s + i) = -1;
	102
	103	//Create the intersection:
	104	if (par_info == 0 ) {
	105	if ( last_keylist != NULL) {
	106	int64_t p1, p2, *p3;
	107	p1 = p3 = last_keylist;
	108	p2 = state_s;
	109	while ( p1 != -1 && p2 != -1 ) {
	110	if (compar_state(p1, p2) == 0) {
	111	printf("p1:%"llx" p2:%"llx" p3:%"llx" key:%012"llx"\n",
	112	(uint64_t)(p1-last_keylist),
	113	(uint64_t)(p2-state_s),
	114	(uint64_t)(p3-last_keylist),
	115	*p1);
	116	p3++ = p1++;
	117	p2++;
	118	} else {
	119	while (compar_state(p1, p2) == -1) ++p1;
	120	while (compar_state(p1, p2) == 1) ++p2;
	121	}
	122	}
	123	key_count = p3 - last_keylist;
	124	} else {
	125	key_count = 0;
	126	}
	127	} else {
	128	last_keylist = state_s;
	129	key_count = i;
	130	}
	131
	132	printf("key candidates count: %d\n", key_count);
	133
	134	// The list may still contain several key candidates. Test each of them with mfCheckKeys
	135	int res;
	136	uint8_t keyBlock[6];
	137	uint64_t key64;
	138	for (i = 0; i < key_count; i++) {
	139
	140	key64 = *(last_keylist + i);
	141	num_to_bytes(key64, 6, keyBlock);
	142	key64 = 0;
	143	// Call tag to verify if key is correct
	144	res = mfCheckKeys(0, 0, false, 1, keyBlock, &key64);
	145	if (!res) {
	146	*key = key64;
	147	free(last_keylist);
	148	last_keylist = NULL;
	149	if (par_info == 0)
	150	free(state);
	151	return 0;
	152	}
	153	}
	154
	155	free(last_keylist);
	156	last_keylist = state_s;
	157	return 1;
	158	}
	159
	160	// *outputkey is not used...
	161	int tryMfk32(uint64_t myuid, uint8_t data, uint8_t outputkey ){
	162
	163	struct Crypto1State s,t;
	164	uint64_t key; // recovered key
	165	uint32_t uid; // serial number
	166	uint32_t nt; // tag challenge
	167	uint32_t nr0_enc; // first encrypted reader challenge
	168	uint32_t ar0_enc; // first encrypted reader response
	169	uint32_t nr1_enc; // second encrypted reader challenge
	170	uint32_t ar1_enc; // second encrypted reader response
	171	bool isSuccess = FALSE;
	172	int counter = 0;
	173
	174	uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
	175	nt = (uint32_t)(data+8);
	176	nr0_enc = (uint32_t)(data+12);
	177	ar0_enc = (uint32_t)(data+16);
	178	nr1_enc = (uint32_t)(data+32);
	179	ar1_enc = (uint32_t)(data+36);
	180
	181	// PrintAndLog("recovering key for:");
	182	// PrintAndLog(" uid: %08x %08x",uid, myuid);
	183	// PrintAndLog(" nt: %08x",nt);
	184	// PrintAndLog(" {nr_0}: %08x",nr0_enc);
	185	// PrintAndLog(" {ar_0}: %08x",ar0_enc);
	186	// PrintAndLog(" {nr_1}: %08x",nr1_enc);
	187	// PrintAndLog(" {ar_1}: %08x",ar1_enc);
	188
	189	s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
	190
	191	for(t = s; t->odd \| t->even; ++t) {
	192	lfsr_rollback_word(t, 0, 0);
	193	lfsr_rollback_word(t, nr0_enc, 1);
	194	lfsr_rollback_word(t, uid ^ nt, 0);
	195	crypto1_get_lfsr(t, &key);
	196	crypto1_word(t, uid ^ nt, 0);
	197	crypto1_word(t, nr1_enc, 1);
	198	if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
	199	PrintAndLog("Found Key: [%012"llx"]", key);
	200	isSuccess = TRUE;
	201	++counter;
	202	if (counter==20)
	203	break;
	204	}
	205	}
	206	crypto1_destroy(t);
	207	crypto1_destroy(s);
	208	return isSuccess;
	209	}
	210
	211	int tryMfk32_moebius(uint64_t myuid, uint8_t data, uint8_t outputkey ){
	212
	213	struct Crypto1State s, t;
	214	uint64_t key; // recovered key
	215	uint32_t uid; // serial number
	216	uint32_t nt0; // tag challenge first
	217	uint32_t nt1; // tag challenge second
	218	uint32_t nr0_enc; // first encrypted reader challenge
	219	uint32_t ar0_enc; // first encrypted reader response
	220	uint32_t nr1_enc; // second encrypted reader challenge
	221	uint32_t ar1_enc; // second encrypted reader response
	222	bool isSuccess = FALSE;
	223	int counter = 0;
	224
	225	uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
	226	nt0 = (uint32_t)(data+8);
	227	nr0_enc = (uint32_t)(data+12);
	228	ar0_enc = (uint32_t)(data+16);
	229	nt1 = (uint32_t)(data+8);
	230	nr1_enc = (uint32_t)(data+32);
	231	ar1_enc = (uint32_t)(data+36);
	232
	233	s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0);
	234
	235	for(t = s; t->odd \| t->even; ++t) {
	236	lfsr_rollback_word(t, 0, 0);
	237	lfsr_rollback_word(t, nr0_enc, 1);
	238	lfsr_rollback_word(t, uid ^ nt0, 0);
	239	crypto1_get_lfsr(t, &key);
	240
	241	crypto1_word(t, uid ^ nt1, 0);
	242	crypto1_word(t, nr1_enc, 1);
	243	if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) {
	244	PrintAndLog("Found Key: [%012"llx"]",key);
	245	isSuccess = TRUE;
	246	++counter;
	247	if (counter==20)
	248	break;
	249	}
	250	}
	251	crypto1_destroy(t);
	252	crypto1_destroy(s);
	253	return isSuccess;
	254	}
	255
	256	int tryMfk64(uint64_t myuid, uint8_t data, uint8_t outputkey ){
	257
	258	struct Crypto1State *revstate;
	259	uint64_t key; // recovered key
	260	uint32_t uid; // serial number
	261	uint32_t nt; // tag challenge
	262	uint32_t nr_enc; // encrypted reader challenge
	263	uint32_t ar_enc; // encrypted reader response
	264	uint32_t at_enc; // encrypted tag response
	265	uint32_t ks2; // keystream used to encrypt reader response
	266	uint32_t ks3; // keystream used to encrypt tag response
	267
	268	struct Crypto1State mpcs = {0, 0};
	269	struct Crypto1State *pcs;
	270	pcs = &mpcs;
	271
	272	uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
	273	nt = (uint32_t)(data+8);
	274	nr_enc = (uint32_t)(data+12);
	275	ar_enc = (uint32_t)(data+16);
	276
	277	crypto1_word(pcs, nr_enc , 1);
	278	at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
	279
	280	// printf("Recovering key for:\n");
	281	// printf(" uid: %08x\n",uid);
	282	// printf(" nt: %08x\n",nt);
	283	// printf(" {nr}: %08x\n",nr_enc);
	284	// printf(" {ar}: %08x\n",ar_enc);
	285	// printf(" {at}: %08x\n",at_enc);
	286
	287	// Extract the keystream from the messages
	288	ks2 = ar_enc ^ prng_successor(nt, 64);
	289	ks3 = at_enc ^ prng_successor(nt, 96);
	290
	291	revstate = lfsr_recovery64(ks2, ks3);
	292	lfsr_rollback_word(revstate, 0, 0);
	293	lfsr_rollback_word(revstate, 0, 0);
	294	lfsr_rollback_word(revstate, nr_enc, 1);
	295	lfsr_rollback_word(revstate, uid ^ nt, 0);
	296	crypto1_get_lfsr(revstate, &key);
	297	PrintAndLog("Found Key: [%012"llx"]",key);
	298	crypto1_destroy(revstate);
	299	return 0;
	300	}