]>
Commit | Line | Data |
---|---|---|
1 | //----------------------------------------------------------------------------- | |
2 | // Copyright (C) Merlok - 2017 | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // Command: hf mf list. It shows data from arm buffer. | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include "cmdhflist.h" | |
12 | ||
13 | #include <stdlib.h> | |
14 | #include <stdio.h> | |
15 | #include <string.h> | |
16 | #include <stdint.h> | |
17 | #include <stdbool.h> | |
18 | #include "util.h" | |
19 | #include "data.h" | |
20 | #include "ui.h" | |
21 | #include "iso14443crc.h" | |
22 | #include "parity.h" | |
23 | #include "protocols.h" | |
24 | #include "crapto1/crapto1.h" | |
25 | #include "mifarehost.h" | |
26 | #include "mifaredefault.h" | |
27 | ||
28 | ||
29 | enum MifareAuthSeq { | |
30 | masNone, | |
31 | masNt, | |
32 | masNrAr, | |
33 | masAt, | |
34 | masAuthComplete, | |
35 | masFirstData, | |
36 | masData, | |
37 | masError, | |
38 | }; | |
39 | static enum MifareAuthSeq MifareAuthState; | |
40 | static TAuthData AuthData; | |
41 | ||
42 | void ClearAuthData() { | |
43 | AuthData.uid = 0; | |
44 | AuthData.nt = 0; | |
45 | AuthData.first_auth = true; | |
46 | AuthData.ks2 = 0; | |
47 | AuthData.ks3 = 0; | |
48 | } | |
49 | ||
50 | /** | |
51 | * @brief iso14443A_CRC_check Checks CRC in command or response | |
52 | * @param isResponse | |
53 | * @param data | |
54 | * @param len | |
55 | * @return 0 : CRC-command, CRC not ok | |
56 | * 1 : CRC-command, CRC ok | |
57 | * 2 : Not crc-command | |
58 | */ | |
59 | uint8_t iso14443A_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
60 | { | |
61 | uint8_t b1,b2; | |
62 | ||
63 | if(len <= 2) return 2; | |
64 | ||
65 | if(isResponse & (len < 6)) return 2; | |
66 | ||
67 | ComputeCrc14443(CRC_14443_A, data, len-2, &b1, &b2); | |
68 | if (b1 != data[len-2] || b2 != data[len-1]) { | |
69 | return 0; | |
70 | } else { | |
71 | return 1; | |
72 | } | |
73 | } | |
74 | ||
75 | uint8_t mifare_CRC_check(bool isResponse, uint8_t* data, uint8_t len) | |
76 | { | |
77 | switch(MifareAuthState) { | |
78 | case masNone: | |
79 | case masError: | |
80 | return iso14443A_CRC_check(isResponse, data, len); | |
81 | default: | |
82 | return 2; | |
83 | } | |
84 | } | |
85 | ||
86 | void annotateIclass(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
87 | { | |
88 | switch(cmd[0]) | |
89 | { | |
90 | case ICLASS_CMD_ACTALL: snprintf(exp,size,"ACTALL"); break; | |
91 | case ICLASS_CMD_READ_OR_IDENTIFY:{ | |
92 | if(cmdsize > 1){ | |
93 | snprintf(exp,size,"READ(%d)",cmd[1]); | |
94 | }else{ | |
95 | snprintf(exp,size,"IDENTIFY"); | |
96 | } | |
97 | break; | |
98 | } | |
99 | case ICLASS_CMD_SELECT: snprintf(exp,size,"SELECT"); break; | |
100 | case ICLASS_CMD_PAGESEL: snprintf(exp,size,"PAGESEL(%d)", cmd[1]); break; | |
101 | case ICLASS_CMD_READCHECK_KC:snprintf(exp,size,"READCHECK[Kc](%d)", cmd[1]); break; | |
102 | case ICLASS_CMD_READCHECK_KD:snprintf(exp,size,"READCHECK[Kd](%d)", cmd[1]); break; | |
103 | case ICLASS_CMD_CHECK: snprintf(exp,size,"CHECK"); break; | |
104 | case ICLASS_CMD_DETECT: snprintf(exp,size,"DETECT"); break; | |
105 | case ICLASS_CMD_HALT: snprintf(exp,size,"HALT"); break; | |
106 | case ICLASS_CMD_UPDATE: snprintf(exp,size,"UPDATE(%d)",cmd[1]); break; | |
107 | case ICLASS_CMD_ACT: snprintf(exp,size,"ACT"); break; | |
108 | case ICLASS_CMD_READ4: snprintf(exp,size,"READ4(%d)",cmd[1]); break; | |
109 | default: snprintf(exp,size,"?"); break; | |
110 | } | |
111 | return; | |
112 | } | |
113 | ||
114 | void annotateIso15693(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
115 | { | |
116 | ||
117 | if(cmd[0] == 0x26) | |
118 | { | |
119 | switch(cmd[1]){ | |
120 | case ISO15693_INVENTORY :snprintf(exp, size, "INVENTORY");break; | |
121 | case ISO15693_STAYQUIET :snprintf(exp, size, "STAY_QUIET");break; | |
122 | default: snprintf(exp,size,"?"); break; | |
123 | ||
124 | } | |
125 | }else if(cmd[0] == 0x02) | |
126 | { | |
127 | switch(cmd[1]) | |
128 | { | |
129 | case ISO15693_READBLOCK :snprintf(exp, size, "READBLOCK");break; | |
130 | case ISO15693_WRITEBLOCK :snprintf(exp, size, "WRITEBLOCK");break; | |
131 | case ISO15693_LOCKBLOCK :snprintf(exp, size, "LOCKBLOCK");break; | |
132 | case ISO15693_READ_MULTI_BLOCK :snprintf(exp, size, "READ_MULTI_BLOCK");break; | |
133 | case ISO15693_SELECT :snprintf(exp, size, "SELECT");break; | |
134 | case ISO15693_RESET_TO_READY :snprintf(exp, size, "RESET_TO_READY");break; | |
135 | case ISO15693_WRITE_AFI :snprintf(exp, size, "WRITE_AFI");break; | |
136 | case ISO15693_LOCK_AFI :snprintf(exp, size, "LOCK_AFI");break; | |
137 | case ISO15693_WRITE_DSFID :snprintf(exp, size, "WRITE_DSFID");break; | |
138 | case ISO15693_LOCK_DSFID :snprintf(exp, size, "LOCK_DSFID");break; | |
139 | case ISO15693_GET_SYSTEM_INFO :snprintf(exp, size, "GET_SYSTEM_INFO");break; | |
140 | case ISO15693_READ_MULTI_SECSTATUS :snprintf(exp, size, "READ_MULTI_SECSTATUS");break; | |
141 | default: snprintf(exp,size,"?"); break; | |
142 | } | |
143 | } | |
144 | } | |
145 | ||
146 | ||
147 | void annotateTopaz(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
148 | { | |
149 | switch(cmd[0]) { | |
150 | case TOPAZ_REQA :snprintf(exp, size, "REQA");break; | |
151 | case TOPAZ_WUPA :snprintf(exp, size, "WUPA");break; | |
152 | case TOPAZ_RID :snprintf(exp, size, "RID");break; | |
153 | case TOPAZ_RALL :snprintf(exp, size, "RALL");break; | |
154 | case TOPAZ_READ :snprintf(exp, size, "READ");break; | |
155 | case TOPAZ_WRITE_E :snprintf(exp, size, "WRITE-E");break; | |
156 | case TOPAZ_WRITE_NE :snprintf(exp, size, "WRITE-NE");break; | |
157 | case TOPAZ_RSEG :snprintf(exp, size, "RSEG");break; | |
158 | case TOPAZ_READ8 :snprintf(exp, size, "READ8");break; | |
159 | case TOPAZ_WRITE_E8 :snprintf(exp, size, "WRITE-E8");break; | |
160 | case TOPAZ_WRITE_NE8 :snprintf(exp, size, "WRITE-NE8");break; | |
161 | default: snprintf(exp,size,"?"); break; | |
162 | } | |
163 | } | |
164 | ||
165 | ||
166 | /** | |
167 | 06 00 = INITIATE | |
168 | 0E xx = SELECT ID (xx = Chip-ID) | |
169 | 0B = Get UID | |
170 | 08 yy = Read Block (yy = block number) | |
171 | 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written) | |
172 | 0C = Reset to Inventory | |
173 | 0F = Completion | |
174 | 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate) | |
175 | **/ | |
176 | ||
177 | void annotateIso14443b(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
178 | { | |
179 | switch(cmd[0]){ | |
180 | case ISO14443B_REQB : snprintf(exp,size,"REQB");break; | |
181 | case ISO14443B_ATTRIB : snprintf(exp,size,"ATTRIB");break; | |
182 | case ISO14443B_HALT : snprintf(exp,size,"HALT");break; | |
183 | case ISO14443B_INITIATE : snprintf(exp,size,"INITIATE");break; | |
184 | case ISO14443B_SELECT : snprintf(exp,size,"SELECT(%d)",cmd[1]);break; | |
185 | case ISO14443B_GET_UID : snprintf(exp,size,"GET UID");break; | |
186 | case ISO14443B_READ_BLK : snprintf(exp,size,"READ_BLK(%d)", cmd[1]);break; | |
187 | case ISO14443B_WRITE_BLK : snprintf(exp,size,"WRITE_BLK(%d)",cmd[1]);break; | |
188 | case ISO14443B_RESET : snprintf(exp,size,"RESET");break; | |
189 | case ISO14443B_COMPLETION : snprintf(exp,size,"COMPLETION");break; | |
190 | case ISO14443B_AUTHENTICATE : snprintf(exp,size,"AUTHENTICATE");break; | |
191 | default : snprintf(exp,size ,"?");break; | |
192 | } | |
193 | ||
194 | } | |
195 | ||
196 | void annotateIso14443a(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize) | |
197 | { | |
198 | switch(cmd[0]) | |
199 | { | |
200 | case ISO14443A_CMD_WUPA: | |
201 | snprintf(exp,size,"WUPA"); | |
202 | break; | |
203 | case ISO14443A_CMD_ANTICOLL_OR_SELECT:{ | |
204 | // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor) | |
205 | // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK) | |
206 | if(cmd[1] == 0x70) | |
207 | { | |
208 | snprintf(exp,size,"SELECT_UID"); break; | |
209 | }else | |
210 | { | |
211 | snprintf(exp,size,"ANTICOLL"); break; | |
212 | } | |
213 | } | |
214 | case ISO14443A_CMD_ANTICOLL_OR_SELECT_2:{ | |
215 | //95 20 = Anticollision of cascade level2 | |
216 | //95 70 = Select of cascade level2 | |
217 | if(cmd[2] == 0x70) | |
218 | { | |
219 | snprintf(exp,size,"SELECT_UID-2"); break; | |
220 | }else | |
221 | { | |
222 | snprintf(exp,size,"ANTICOLL-2"); break; | |
223 | } | |
224 | } | |
225 | case ISO14443A_CMD_REQA: | |
226 | snprintf(exp,size,"REQA"); | |
227 | break; | |
228 | case ISO14443A_CMD_READBLOCK: snprintf(exp,size,"READBLOCK(%d)",cmd[1]); break; | |
229 | case ISO14443A_CMD_WRITEBLOCK: snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); break; | |
230 | case ISO14443A_CMD_HALT: | |
231 | snprintf(exp,size,"HALT"); | |
232 | MifareAuthState = masNone; | |
233 | break; | |
234 | case ISO14443A_CMD_RATS: snprintf(exp,size,"RATS"); break; | |
235 | case MIFARE_CMD_INC: snprintf(exp,size,"INC(%d)",cmd[1]); break; | |
236 | case MIFARE_CMD_DEC: snprintf(exp,size,"DEC(%d)",cmd[1]); break; | |
237 | case MIFARE_CMD_RESTORE: snprintf(exp,size,"RESTORE(%d)",cmd[1]); break; | |
238 | case MIFARE_CMD_TRANSFER: snprintf(exp,size,"TRANSFER(%d)",cmd[1]); break; | |
239 | case MIFARE_AUTH_KEYA: | |
240 | if ( cmdsize > 3) { | |
241 | snprintf(exp,size,"AUTH-A(%d)",cmd[1]); | |
242 | MifareAuthState = masNt; | |
243 | } else { | |
244 | // case MIFARE_ULEV1_VERSION : both 0x60. | |
245 | snprintf(exp,size,"EV1 VERSION"); | |
246 | } | |
247 | break; | |
248 | case MIFARE_AUTH_KEYB: | |
249 | MifareAuthState = masNt; | |
250 | snprintf(exp,size,"AUTH-B(%d)",cmd[1]); | |
251 | break; | |
252 | case MIFARE_MAGICWUPC1: snprintf(exp,size,"MAGIC WUPC1"); break; | |
253 | case MIFARE_MAGICWUPC2: snprintf(exp,size,"MAGIC WUPC2"); break; | |
254 | case MIFARE_MAGICWIPEC: snprintf(exp,size,"MAGIC WIPEC"); break; | |
255 | case MIFARE_ULC_AUTH_1: snprintf(exp,size,"AUTH "); break; | |
256 | case MIFARE_ULC_AUTH_2: snprintf(exp,size,"AUTH_ANSW"); break; | |
257 | case MIFARE_ULEV1_AUTH: | |
258 | if ( cmdsize == 7 ) | |
259 | snprintf(exp,size,"PWD-AUTH KEY: 0x%02x%02x%02x%02x", cmd[1], cmd[2], cmd[3], cmd[4] ); | |
260 | else | |
261 | snprintf(exp,size,"PWD-AUTH"); | |
262 | break; | |
263 | case MIFARE_ULEV1_FASTREAD:{ | |
264 | if ( cmdsize >=3 && cmd[2] <= 0xE6) | |
265 | snprintf(exp,size,"READ RANGE (%d-%d)",cmd[1],cmd[2]); | |
266 | else | |
267 | snprintf(exp,size,"?"); | |
268 | break; | |
269 | } | |
270 | case MIFARE_ULC_WRITE:{ | |
271 | if ( cmd[1] < 0x21 ) | |
272 | snprintf(exp,size,"WRITEBLOCK(%d)",cmd[1]); | |
273 | else | |
274 | snprintf(exp,size,"?"); | |
275 | break; | |
276 | } | |
277 | case MIFARE_ULEV1_READ_CNT:{ | |
278 | if ( cmd[1] < 5 ) | |
279 | snprintf(exp,size,"READ CNT(%d)",cmd[1]); | |
280 | else | |
281 | snprintf(exp,size,"?"); | |
282 | break; | |
283 | } | |
284 | case MIFARE_ULEV1_INCR_CNT:{ | |
285 | if ( cmd[1] < 5 ) | |
286 | snprintf(exp,size,"INCR(%d)",cmd[1]); | |
287 | else | |
288 | snprintf(exp,size,"?"); | |
289 | break; | |
290 | } | |
291 | case MIFARE_ULEV1_READSIG: snprintf(exp,size,"READ_SIG"); break; | |
292 | case MIFARE_ULEV1_CHECKTEAR: snprintf(exp,size,"CHK_TEARING(%d)",cmd[1]); break; | |
293 | case MIFARE_ULEV1_VCSL: snprintf(exp,size,"VCSL"); break; | |
294 | default: snprintf(exp,size,"?"); break; | |
295 | } | |
296 | return; | |
297 | } | |
298 | ||
299 | void annotateMifare(char *exp, size_t size, uint8_t* cmd, uint8_t cmdsize, uint8_t* parity, uint8_t paritysize, bool isResponse) { | |
300 | if (!isResponse && cmdsize == 1) { | |
301 | switch(cmd[0]) { | |
302 | case ISO14443A_CMD_WUPA: | |
303 | case ISO14443A_CMD_REQA: | |
304 | MifareAuthState = masNone; | |
305 | break; | |
306 | default: | |
307 | break; | |
308 | } | |
309 | } | |
310 | ||
311 | // get UID | |
312 | if (MifareAuthState == masNone) { | |
313 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && cmd[1] == 0x70) { | |
314 | ClearAuthData(); | |
315 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
316 | } | |
317 | if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && cmd[1] == 0x70) { | |
318 | ClearAuthData(); | |
319 | AuthData.uid = bytes_to_num(&cmd[2], 4); | |
320 | } | |
321 | } | |
322 | ||
323 | switch(MifareAuthState) { | |
324 | case masNt: | |
325 | if (cmdsize == 4 && isResponse) { | |
326 | snprintf(exp,size,"AUTH: nt %s", (AuthData.first_auth) ? "" : "(enc)"); | |
327 | MifareAuthState = masNrAr; | |
328 | if (AuthData.first_auth) { | |
329 | AuthData.nt = bytes_to_num(cmd, 4); | |
330 | } else { | |
331 | AuthData.nt_enc = bytes_to_num(cmd, 4); | |
332 | AuthData.nt_enc_par = parity[0]; | |
333 | } | |
334 | return; | |
335 | } else { | |
336 | MifareAuthState = masError; | |
337 | } | |
338 | break; | |
339 | case masNrAr: | |
340 | if (cmdsize == 8 && !isResponse) { | |
341 | snprintf(exp,size,"AUTH: nr ar (enc)"); | |
342 | MifareAuthState = masAt; | |
343 | AuthData.nr_enc = bytes_to_num(cmd, 4); | |
344 | AuthData.ar_enc = bytes_to_num(&cmd[4], 4); | |
345 | AuthData.ar_enc_par = parity[0] << 4; | |
346 | return; | |
347 | } else { | |
348 | MifareAuthState = masError; | |
349 | } | |
350 | break; | |
351 | case masAt: | |
352 | if (cmdsize == 4 && isResponse) { | |
353 | snprintf(exp,size,"AUTH: at (enc)"); | |
354 | MifareAuthState = masAuthComplete; | |
355 | AuthData.at_enc = bytes_to_num(cmd, 4); | |
356 | AuthData.at_enc_par = parity[0]; | |
357 | return; | |
358 | } else { | |
359 | MifareAuthState = masError; | |
360 | } | |
361 | break; | |
362 | default: | |
363 | break; | |
364 | } | |
365 | ||
366 | if (!isResponse && ((MifareAuthState == masNone) || (MifareAuthState == masError))) | |
367 | annotateIso14443a(exp, size, cmd, cmdsize); | |
368 | ||
369 | } | |
370 | ||
371 | bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen) { | |
372 | static struct Crypto1State *traceCrypto1; | |
373 | static uint64_t mfLastKey; | |
374 | ||
375 | *mfDataLen = 0; | |
376 | ||
377 | if (MifareAuthState == masAuthComplete) { | |
378 | if (traceCrypto1) { | |
379 | crypto1_destroy(traceCrypto1); | |
380 | traceCrypto1 = NULL; | |
381 | } | |
382 | ||
383 | MifareAuthState = masFirstData; | |
384 | return false; | |
385 | } | |
386 | ||
387 | if (cmdsize > 32) | |
388 | return false; | |
389 | ||
390 | if (MifareAuthState == masFirstData) { | |
391 | if (AuthData.first_auth) { | |
392 | AuthData.ks2 = AuthData.ar_enc ^ prng_successor(AuthData.nt, 64); | |
393 | AuthData.ks3 = AuthData.at_enc ^ prng_successor(AuthData.nt, 96); | |
394 | ||
395 | mfLastKey = GetCrypto1ProbableKey(&AuthData); | |
396 | PrintAndLog(" | * | key | probable key:%012"PRIx64" Prng:%s ks2:%08x ks3:%08x | |", | |
397 | mfLastKey, | |
398 | validate_prng_nonce(AuthData.nt) ? "WEAK": "HARD", | |
399 | AuthData.ks2, | |
400 | AuthData.ks3); | |
401 | ||
402 | AuthData.first_auth = false; | |
403 | ||
404 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
405 | } else { | |
406 | if (traceCrypto1) { | |
407 | crypto1_destroy(traceCrypto1); | |
408 | traceCrypto1 = NULL; | |
409 | } | |
410 | ||
411 | // check last used key | |
412 | if (mfLastKey) { | |
413 | if (NestedCheckKey(mfLastKey, &AuthData, cmd, cmdsize, parity)) { | |
414 | PrintAndLog(" | * | key | last used key:%012"PRIx64" ks2:%08x ks3:%08x | |", | |
415 | mfLastKey, | |
416 | AuthData.ks2, | |
417 | AuthData.ks3); | |
418 | ||
419 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
420 | }; | |
421 | } | |
422 | ||
423 | // check default keys | |
424 | if (!traceCrypto1) { | |
425 | for (int defaultKeyCounter = 0; defaultKeyCounter < MifareDefaultKeysSize; defaultKeyCounter++){ | |
426 | if (NestedCheckKey(MifareDefaultKeys[defaultKeyCounter], &AuthData, cmd, cmdsize, parity)) { | |
427 | PrintAndLog(" | * | key | default key:%012"PRIx64" ks2:%08x ks3:%08x | |", | |
428 | MifareDefaultKeys[defaultKeyCounter], | |
429 | AuthData.ks2, | |
430 | AuthData.ks3); | |
431 | ||
432 | mfLastKey = MifareDefaultKeys[defaultKeyCounter]; | |
433 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
434 | break; | |
435 | }; | |
436 | } | |
437 | } | |
438 | ||
439 | // nested | |
440 | if (!traceCrypto1 && validate_prng_nonce(AuthData.nt)) { | |
441 | uint32_t ntx = prng_successor(AuthData.nt, 90); | |
442 | for (int i = 0; i < 16383; i++) { | |
443 | ntx = prng_successor(ntx, 1); | |
444 | if (NTParityChk(&AuthData, ntx)){ | |
445 | ||
446 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(ntx, 64); | |
447 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(ntx, 96); | |
448 | struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3); | |
449 | memcpy(mfData, cmd, cmdsize); | |
450 | mf_crypto1_decrypt(pcs, mfData, cmdsize, 0); | |
451 | ||
452 | crypto1_destroy(pcs); | |
453 | if (CheckCrypto1Parity(cmd, cmdsize, mfData, parity) && CheckCrc14443(CRC_14443_A, mfData, cmdsize)) { | |
454 | AuthData.ks2 = ks2; | |
455 | AuthData.ks3 = ks3; | |
456 | ||
457 | AuthData.nt = ntx; | |
458 | mfLastKey = GetCrypto1ProbableKey(&AuthData); | |
459 | PrintAndLog(" | * | key | nested probable key:%012"PRIx64" ks2:%08x ks3:%08x | |", | |
460 | mfLastKey, | |
461 | AuthData.ks2, | |
462 | AuthData.ks3); | |
463 | ||
464 | traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3); | |
465 | break; | |
466 | } | |
467 | } | |
468 | } | |
469 | } | |
470 | ||
471 | //hardnested | |
472 | if (!traceCrypto1) { | |
473 | printf("hardnested not implemented. uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc); | |
474 | MifareAuthState = masError; | |
475 | ||
476 | /* TOO SLOW( needs to have more strong filter. with this filter - aprox 4 mln tests | |
477 | uint32_t t = msclock(); | |
478 | uint32_t t1 = t; | |
479 | int n = 0; | |
480 | for (uint32_t i = 0; i < 0xFFFFFFFF; i++) { | |
481 | if (NTParityChk(&AuthData, i)){ | |
482 | ||
483 | uint32_t ks2 = AuthData.ar_enc ^ prng_successor(i, 64); | |
484 | uint32_t ks3 = AuthData.at_enc ^ prng_successor(i, 96); | |
485 | struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3); | |
486 | ||
487 | ||
488 | ||
489 | ||
490 | n++; | |
491 | ||
492 | if (!(n % 100000)) { | |
493 | printf("delta=%d n=%d ks2=%x ks3=%x \n", msclock() - t1 , n, ks2, ks3); | |
494 | t1 = msclock(); | |
495 | } | |
496 | ||
497 | } | |
498 | } | |
499 | printf("delta=%d n=%d\n", msclock() - t, n); | |
500 | */ | |
501 | } | |
502 | } | |
503 | ||
504 | ||
505 | ||
506 | MifareAuthState = masData; | |
507 | } | |
508 | ||
509 | if (MifareAuthState == masData && traceCrypto1) { | |
510 | memcpy(mfData, cmd, cmdsize); | |
511 | mf_crypto1_decrypt(traceCrypto1, mfData, cmdsize, 0); | |
512 | *mfDataLen = cmdsize; | |
513 | } | |
514 | ||
515 | return *mfDataLen > 0; | |
516 | } | |
517 | ||
518 | bool NTParityChk(TAuthData *ad, uint32_t ntx) { | |
519 | if ( | |
520 | (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) || | |
521 | (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) || | |
522 | (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01)) | |
523 | ) | |
524 | return false; | |
525 | ||
526 | uint32_t ar = prng_successor(ntx, 64); | |
527 | if ( | |
528 | (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) || | |
529 | (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) || | |
530 | (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01)) | |
531 | ) | |
532 | return false; | |
533 | ||
534 | uint32_t at = prng_successor(ntx, 96); | |
535 | if ( | |
536 | (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) || | |
537 | (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) || | |
538 | (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) || | |
539 | (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01)) | |
540 | ) | |
541 | return false; | |
542 | ||
543 | return true; | |
544 | } | |
545 | ||
546 | bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity) { | |
547 | uint8_t buf[32] = {0}; | |
548 | struct Crypto1State *pcs; | |
549 | ||
550 | AuthData.ks2 = 0; | |
551 | AuthData.ks3 = 0; | |
552 | ||
553 | pcs = crypto1_create(key); | |
554 | uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc; | |
555 | uint32_t ar = prng_successor(nt1, 64); | |
556 | uint32_t at = prng_successor(nt1, 96); | |
557 | ||
558 | crypto1_word(pcs, ad->nr_enc, 1); | |
559 | // uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; // if needs deciphered nr | |
560 | uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc; | |
561 | uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc; | |
562 | ||
563 | if (!(ar == ar1 && at == at1 && NTParityChk(ad, nt1))) | |
564 | return false; | |
565 | ||
566 | memcpy(buf, cmd, cmdsize); | |
567 | mf_crypto1_decrypt(pcs, buf, cmdsize, 0); | |
568 | ||
569 | crypto1_destroy(pcs); | |
570 | ||
571 | if (!CheckCrypto1Parity(cmd, cmdsize, buf, parity)) | |
572 | return false; | |
573 | ||
574 | if(!CheckCrc14443(CRC_14443_A, buf, cmdsize)) | |
575 | return false; | |
576 | ||
577 | AuthData.nt = nt1; | |
578 | AuthData.ks2 = AuthData.ar_enc ^ ar; | |
579 | AuthData.ks3 = AuthData.at_enc ^ at; | |
580 | ||
581 | return true; | |
582 | } | |
583 | ||
584 | bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc) { | |
585 | for (int i = 0; i < cmdsize - 1; i++) { | |
586 | if (oddparity8(cmd[i]) ^ (cmd[i + 1] & 0x01) ^ ((parity_enc[i / 8] >> (7 - i % 8)) & 0x01) ^ (cmd_enc[i + 1] & 0x01)) | |
587 | return false; | |
588 | } | |
589 | ||
590 | return true; | |
591 | } | |
592 | ||
593 | uint64_t GetCrypto1ProbableKey(TAuthData *ad) { | |
594 | struct Crypto1State *revstate = lfsr_recovery64(ad->ks2, ad->ks3); | |
595 | lfsr_rollback_word(revstate, 0, 0); | |
596 | lfsr_rollback_word(revstate, 0, 0); | |
597 | lfsr_rollback_word(revstate, ad->nr_enc, 1); | |
598 | lfsr_rollback_word(revstate, ad->uid ^ ad->nt, 0); | |
599 | ||
600 | uint64_t lfsr = 0; | |
601 | crypto1_get_lfsr(revstate, &lfsr); | |
602 | crypto1_destroy(revstate); | |
603 | ||
604 | return lfsr; | |
605 | } |