]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhfmfhard.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add: missing two hard_nested files..
[proxmark3-svn] / client / cmdhfmfhard.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2015 piwi
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Implements a card only attack based on crypto text (encrypted nonces
9 // received during a nested authentication) only. Unlike other card only
10 // attacks this doesn't rely on implementation errors but only on the
11 // inherent weaknesses of the crypto1 cypher. Described in
12 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
13 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
14 // Computer and Communications Security, 2015
15 //-----------------------------------------------------------------------------
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <pthread.h>
21 #include <math.h>
22 #include "proxmark3.h"
23 #include "cmdmain.h"
24 #include "ui.h"
25 #include "util.h"
26 #include "nonce2key/crapto1.h"
27
28 // uint32_t test_state_odd = 0;
29 // uint32_t test_state_even = 0;
30
31 #define CONFIDENCE_THRESHOLD 0.99 // Collect nonces until we are certain enough that the following brute force is successfull
32 #define GOOD_BYTES_REQUIRED 25
33
34
35 static const float p_K[257] = { // the probability that a random nonce has a Sum Property == K
36 0.0290, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
37 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
38 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
39 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
40 0.0083, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
41 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
42 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
43 0.0006, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
44 0.0339, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
45 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
46 0.0048, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
47 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
48 0.0934, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
49 0.0119, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
50 0.0489, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
51 0.0602, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
52 0.4180, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
53 0.0602, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
54 0.0489, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
55 0.0119, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
56 0.0934, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
57 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
58 0.0048, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
59 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
60 0.0339, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
61 0.0006, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
62 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
63 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
64 0.0083, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
65 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
66 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
67 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
68 0.0290 };
69
70
71 typedef struct noncelistentry {
72 uint32_t nonce_enc;
73 uint8_t par_enc;
74 void *next;
75 } noncelistentry_t;
76
77 typedef struct noncelist {
78 uint16_t num;
79 uint16_t Sum;
80 uint16_t Sum8_guess;
81 uint8_t BitFlip[2];
82 float Sum8_prob;
83 bool updated;
84 noncelistentry_t *first;
85 } noncelist_t;
86
87
88 static uint32_t cuid;
89 static noncelist_t nonces[256];
90 static uint16_t first_byte_Sum = 0;
91 static uint16_t first_byte_num = 0;
92 static uint16_t num_good_first_bytes = 0;
93
94 #define MAX_BEST_BYTES 40
95 static uint8_t best_first_bytes[MAX_BEST_BYTES];
96
97
98 typedef enum {
99 EVEN_STATE = 0,
100 ODD_STATE = 1
101 } odd_even_t;
102
103 #define STATELIST_INDEX_WIDTH 16
104 #define STATELIST_INDEX_SIZE (1<<STATELIST_INDEX_WIDTH)
105
106 typedef struct {
107 uint32_t *states[2];
108 uint32_t len[2];
109 uint32_t *index[2][STATELIST_INDEX_SIZE];
110 } partial_indexed_statelist_t;
111
112 typedef struct {
113 uint32_t *states[2];
114 uint32_t len[2];
115 void* next;
116 } statelist_t;
117
118
119 partial_indexed_statelist_t partial_statelist[17];
120 partial_indexed_statelist_t statelist_bitflip;
121
122 statelist_t *candidates = NULL;
123
124
125 static int add_nonce(uint32_t nonce_enc, uint8_t par_enc)
126 {
127 uint8_t first_byte = nonce_enc >> 24;
128 noncelistentry_t *p1 = nonces[first_byte].first;
129 noncelistentry_t *p2 = NULL;
130
131 if (p1 == NULL) { // first nonce with this 1st byte
132 first_byte_num++;
133 first_byte_Sum += parity((nonce_enc & 0xff000000) | (par_enc & 0x08) | 0x01); // 1st byte sum property. Note: added XOR 1
134 // printf("Adding nonce 0x%08x, par_enc 0x%02x, parity(0x%08x) = %d\n",
135 // nonce_enc,
136 // par_enc,
137 // (nonce_enc & 0xff000000) | (par_enc & 0x08) |0x01,
138 // parity((nonce_enc & 0xff000000) | (par_enc & 0x08) | 0x01));
139 }
140
141 while (p1 != NULL && (p1->nonce_enc & 0x00ff0000) < (nonce_enc & 0x00ff0000)) {
142 p2 = p1;
143 p1 = p1->next;
144 }
145
146 if (p1 == NULL) { // need to add at the end of the list
147 if (p2 == NULL) { // list is empty yet. Add first entry.
148 p2 = nonces[first_byte].first = malloc(sizeof(noncelistentry_t));
149 } else { // add new entry at end of existing list.
150 p2 = p2->next = malloc(sizeof(noncelistentry_t));
151 }
152 } else if ((p1->nonce_enc & 0x00ff0000) != (nonce_enc & 0x00ff0000)) { // found distinct 2nd byte. Need to insert.
153 if (p2 == NULL) { // need to insert at start of list
154 p2 = nonces[first_byte].first = malloc(sizeof(noncelistentry_t));
155 } else {
156 p2 = p2->next = malloc(sizeof(noncelistentry_t));
157 }
158 } else { // we have seen this 2nd byte before. Nothing to add or insert.
159 return (0);
160 }
161
162 // add or insert new data
163 p2->next = p1;
164 p2->nonce_enc = nonce_enc;
165 p2->par_enc = par_enc;
166
167 nonces[first_byte].num++;
168 nonces[first_byte].Sum += parity((nonce_enc & 0x00ff0000) | (par_enc & 0x04) | 0x01); // 2nd byte sum property. Note: added XOR 1
169 nonces[first_byte].updated = true; // indicates that we need to recalculate the Sum(a8) probability for this first byte
170
171 return (1); // new nonce added
172 }
173
174
175 static uint16_t PartialSumProperty(uint32_t state, odd_even_t odd_even)
176 {
177 uint16_t sum = 0;
178 for (uint16_t j = 0; j < 16; j++) {
179 uint32_t st = state;
180 uint16_t part_sum = 0;
181 if (odd_even == ODD_STATE) {
182 for (uint16_t i = 0; i < 5; i++) {
183 part_sum ^= filter(st);
184 st = (st << 1) | ((j >> (3-i)) & 0x01) ;
185 }
186 } else {
187 for (uint16_t i = 0; i < 4; i++) {
188 st = (st << 1) | ((j >> (3-i)) & 0x01) ;
189 part_sum ^= filter(st);
190 }
191 }
192 sum += part_sum;
193 }
194 return sum;
195 }
196
197
198 static uint16_t SumProperty(struct Crypto1State *s)
199 {
200 uint16_t sum_odd = PartialSumProperty(s->odd, ODD_STATE);
201 uint16_t sum_even = PartialSumProperty(s->even, EVEN_STATE);
202 return (sum_odd*(16-sum_even) + (16-sum_odd)*sum_even);
203 }
204
205
206 static double p_hypergeometric(uint16_t N, uint16_t K, uint16_t n, uint16_t k)
207 {
208 // for efficient computation we are using the recursive definition
209 // (K-k+1) * (n-k+1)
210 // P(X=k) = P(X=k-1) * --------------------
211 // k * (N-K-n+k)
212 // and
213 // (N-K)*(N-K-1)*...*(N-K-n+1)
214 // P(X=0) = -----------------------------
215 // N*(N-1)*...*(N-n+1)
216
217 if (n-k > N-K || k > K) return 0.0; // avoids log(x<=0) in calculation below
218 if (k == 0) {
219 // use logarithms to avoid overflow with huge factorials (double type can only hold 170!)
220 double log_result = 0.0;
221 for (int16_t i = N-K; i >= N-K-n+1; i--) {
222 log_result += log(i);
223 }
224 for (int16_t i = N; i >= N-n+1; i--) {
225 log_result -= log(i);
226 }
227 return exp(log_result);
228 } else {
229 if (n-k == N-K) { // special case. The published recursion below would fail with a divide by zero exception
230 double log_result = 0.0;
231 for (int16_t i = k+1; i <= n; i++) {
232 log_result += log(i);
233 }
234 for (int16_t i = K+1; i <= N; i++) {
235 log_result -= log(i);
236 }
237 return exp(log_result);
238 } else { // recursion
239 return (p_hypergeometric(N, K, n, k-1) * (K-k+1) * (n-k+1) / (k * (N-K-n+k)));
240 }
241 }
242 }
243
244
245 static float sum_probability(uint16_t K, uint16_t n, uint16_t k)
246 {
247 const uint16_t N = 256;
248
249
250
251 if (k > K || p_K[K] == 0.0) return 0.0;
252
253 double p_T_is_k_when_S_is_K = p_hypergeometric(N, K, n, k);
254 double p_S_is_K = p_K[K];
255 double p_T_is_k = 0;
256 for (uint16_t i = 0; i <= 256; i++) {
257 if (p_K[i] != 0.0) {
258 p_T_is_k += p_K[i] * p_hypergeometric(N, i, n, k);
259 }
260 }
261 return(p_T_is_k_when_S_is_K * p_S_is_K / p_T_is_k);
262 }
263
264
265 static void Tests()
266 {
267 printf("Tests: Partial Statelist sizes\n");
268 for (uint16_t i = 0; i <= 16; i+=2) {
269 printf("Partial State List Odd [%2d] has %8d entries\n", i, partial_statelist[i].len[ODD_STATE]);
270 }
271 for (uint16_t i = 0; i <= 16; i+=2) {
272 printf("Partial State List Even [%2d] has %8d entries\n", i, partial_statelist[i].len[EVEN_STATE]);
273 }
274
275 // #define NUM_STATISTICS 100000
276 // uint64_t statistics[257];
277 // uint32_t statistics_odd[17];
278 // uint32_t statistics_even[17];
279 // struct Crypto1State cs;
280 // time_t time1 = clock();
281
282 // for (uint16_t i = 0; i < 257; i++) {
283 // statistics[i] = 0;
284 // }
285 // for (uint16_t i = 0; i < 17; i++) {
286 // statistics_odd[i] = 0;
287 // statistics_even[i] = 0;
288 // }
289
290 // for (uint64_t i = 0; i < NUM_STATISTICS; i++) {
291 // cs.odd = (rand() & 0xfff) << 12 | (rand() & 0xfff);
292 // cs.even = (rand() & 0xfff) << 12 | (rand() & 0xfff);
293 // uint16_t sum_property = SumProperty(&cs);
294 // statistics[sum_property] += 1;
295 // sum_property = PartialSumProperty(cs.even, EVEN_STATE);
296 // statistics_even[sum_property]++;
297 // sum_property = PartialSumProperty(cs.odd, ODD_STATE);
298 // statistics_odd[sum_property]++;
299 // if (i%(NUM_STATISTICS/100) == 0) printf(".");
300 // }
301
302 // printf("\nTests: Calculated %d Sum properties in %0.3f seconds (%0.0f calcs/second)\n", NUM_STATISTICS, ((float)clock() - time1)/CLOCKS_PER_SEC, NUM_STATISTICS/((float)clock() - time1)*CLOCKS_PER_SEC);
303 // for (uint16_t i = 0; i < 257; i++) {
304 // if (statistics[i] != 0) {
305 // printf("probability[%3d] = %0.5f\n", i, (float)statistics[i]/NUM_STATISTICS);
306 // }
307 // }
308 // for (uint16_t i = 0; i <= 16; i++) {
309 // if (statistics_odd[i] != 0) {
310 // printf("probability odd [%2d] = %0.5f\n", i, (float)statistics_odd[i]/NUM_STATISTICS);
311 // }
312 // }
313 // for (uint16_t i = 0; i <= 16; i++) {
314 // if (statistics_odd[i] != 0) {
315 // printf("probability even [%2d] = %0.5f\n", i, (float)statistics_even[i]/NUM_STATISTICS);
316 // }
317 // }
318
319 // printf("Tests: Sum Probabilities based on Partial Sums\n");
320 // for (uint16_t i = 0; i < 257; i++) {
321 // statistics[i] = 0;
322 // }
323 // uint64_t num_states = 0;
324 // for (uint16_t oddsum = 0; oddsum <= 16; oddsum += 2) {
325 // for (uint16_t evensum = 0; evensum <= 16; evensum += 2) {
326 // uint16_t sum = oddsum*(16-evensum) + (16-oddsum)*evensum;
327 // statistics[sum] += (uint64_t)partial_statelist[oddsum].len[ODD_STATE] * partial_statelist[evensum].len[EVEN_STATE] * (1<<8);
328 // num_states += (uint64_t)partial_statelist[oddsum].len[ODD_STATE] * partial_statelist[evensum].len[EVEN_STATE] * (1<<8);
329 // }
330 // }
331 // printf("num_states = %lld, expected %lld\n", num_states, (1LL<<48));
332 // for (uint16_t i = 0; i < 257; i++) {
333 // if (statistics[i] != 0) {
334 // printf("probability[%3d] = %0.5f\n", i, (float)statistics[i]/num_states);
335 // }
336 // }
337
338 // printf("\nTests: Hypergeometric Probability for selected parameters\n");
339 // printf("p_hypergeometric(256, 206, 255, 206) = %0.8f\n", p_hypergeometric(256, 206, 255, 206));
340 // printf("p_hypergeometric(256, 206, 255, 205) = %0.8f\n", p_hypergeometric(256, 206, 255, 205));
341 // printf("p_hypergeometric(256, 156, 1, 1) = %0.8f\n", p_hypergeometric(256, 156, 1, 1));
342 // printf("p_hypergeometric(256, 156, 1, 0) = %0.8f\n", p_hypergeometric(256, 156, 1, 0));
343 // printf("p_hypergeometric(256, 1, 1, 1) = %0.8f\n", p_hypergeometric(256, 1, 1, 1));
344 // printf("p_hypergeometric(256, 1, 1, 0) = %0.8f\n", p_hypergeometric(256, 1, 1, 0));
345
346 struct Crypto1State *pcs;
347 pcs = crypto1_create(0xffffffffffff);
348 printf("\nTests: for key = 0xffffffffffff:\nSum(a0) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
349 SumProperty(pcs), pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
350 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
351 printf("After adding best first byte 0x%02x:\nSum(a8) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
352 best_first_bytes[0],
353 SumProperty(pcs),
354 pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
355 //test_state_odd = pcs->odd & 0x00ffffff;
356 //test_state_even = pcs->even & 0x00ffffff;
357 crypto1_destroy(pcs);
358 pcs = crypto1_create(0xa0a1a2a3a4a5);
359 printf("Tests: for key = 0xa0a1a2a3a4a5:\nSum(a0) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
360 SumProperty(pcs), pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
361 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
362 printf("After adding best first byte 0x%02x:\nSum(a8) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
363 best_first_bytes[0],
364 SumProperty(pcs),
365 pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
366 // test_state_odd = pcs->odd & 0x00ffffff;
367 // test_state_even = pcs->even & 0x00ffffff;
368 crypto1_destroy(pcs);
369
370
371 printf("\nTests: number of states with BitFlipProperty: %d, (= %1.3f%% of total states)\n", statelist_bitflip.len[0], 100.0 * statelist_bitflip.len[0] / (1<<20));
372
373 printf("\nTests: Actual BitFlipProperties odd/even:\n");
374 for (uint16_t i = 0; i < 256; i++) {
375 printf("[%3d]:%c%c ", i, nonces[i].BitFlip[ODD_STATE]?'o':' ', nonces[i].BitFlip[EVEN_STATE]?'e':' ');
376 if (i % 8 == 7) {
377 printf("\n");
378 }
379 }
380
381 printf("\nTests: Best %d first bytes:\n", MAX_BEST_BYTES);
382 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
383 uint8_t best_byte = best_first_bytes[i];
384 uint16_t best_num = nonces[best_byte].num;
385 uint16_t best_sum = nonces[best_byte].Sum;
386 uint16_t best_sum8 = nonces[best_byte].Sum8_guess;
387 float confidence = nonces[best_byte].Sum8_prob;
388 printf("Byte: %02x, n = %2d, k = %2d, Sum(a8): %3d, Confidence: %2.1f%%\n", best_byte, best_num, best_sum, best_sum8, confidence*100);
389 }
390 }
391
392
393 static void sort_best_first_bytes(void)
394 {
395 // find the best choice for the very first byte (b)
396 float min_p_K = 1.0;
397 float max_prob_min_p_K = 0.0;
398 uint8_t best_byte = 0;
399 for (uint16_t i = 0; i < 256; i++ ) {
400 float prob1 = nonces[i].Sum8_prob;
401 uint16_t sum8 = nonces[i].Sum8_guess;
402 if (p_K[sum8] <= min_p_K && prob1 > CONFIDENCE_THRESHOLD) {
403 if (p_K[sum8] < min_p_K) {
404 min_p_K = p_K[sum8];
405 best_byte = i;
406 max_prob_min_p_K = prob1;
407 } else if (prob1 > max_prob_min_p_K) {
408 max_prob_min_p_K = prob1;
409 best_byte = i;
410 }
411 }
412 }
413 best_first_bytes[0] = best_byte;
414 // printf("Best Byte = 0x%02x, Sum8=%d, prob=%1.3f\n", best_byte, nonces[best_byte].Sum8_guess, nonces[best_byte].Sum8_prob);
415
416 // sort the most probable guesses as following bytes (b')
417 for (uint16_t i = 0; i < 256; i++ ) {
418 if (i == best_first_bytes[0]) {
419 continue;
420 }
421 uint16_t j = 1;
422 float prob1 = nonces[i].Sum8_prob;
423 float prob2 = nonces[best_first_bytes[1]].Sum8_prob;
424 while (prob1 < prob2 && j < MAX_BEST_BYTES-1) {
425 prob2 = nonces[best_first_bytes[++j]].Sum8_prob;
426 }
427 if (prob1 >= prob2) {
428 for (uint16_t k = MAX_BEST_BYTES-1; k > j; k--) {
429 best_first_bytes[k] = best_first_bytes[k-1];
430 }
431 best_first_bytes[j] = i;
432 }
433 }
434 }
435
436
437 static uint16_t estimate_second_byte_sum(void)
438 {
439 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
440 best_first_bytes[i] = 0;
441 }
442
443 for (uint16_t first_byte = 0; first_byte < 256; first_byte++) {
444 float Sum8_prob = 0.0;
445 uint16_t Sum8 = 0;
446 if (nonces[first_byte].updated) {
447 for (uint16_t sum = 0; sum <= 256; sum++) {
448 float prob = sum_probability(sum, nonces[first_byte].num, nonces[first_byte].Sum);
449 if (prob > Sum8_prob) {
450 Sum8_prob = prob;
451 Sum8 = sum;
452 }
453 }
454 nonces[first_byte].Sum8_guess = Sum8;
455 nonces[first_byte].Sum8_prob = Sum8_prob;
456 nonces[first_byte].updated = false;
457 }
458 }
459
460 sort_best_first_bytes();
461
462 uint16_t num_good_nonces = 0;
463 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
464 if (nonces[best_first_bytes[i]].Sum8_prob > CONFIDENCE_THRESHOLD) {
465 ++num_good_nonces;
466 }
467 }
468
469 return num_good_nonces;
470 }
471
472
473 static int read_nonce_file(void)
474 {
475 FILE *fnonces = NULL;
476 uint8_t trgBlockNo;
477 uint8_t trgKeyType;
478 uint8_t read_buf[9];
479 uint32_t nt_enc1, nt_enc2;
480 uint8_t par_enc;
481 int total_num_nonces = 0;
482
483 if ((fnonces = fopen("nonces.bin","rb")) == NULL) {
484 PrintAndLog("Could not open file nonces.bin");
485 return 1;
486 }
487
488 PrintAndLog("Reading nonces from file nonces.bin...");
489 if (fread(read_buf, 1, 6, fnonces) == 0) {
490 PrintAndLog("File reading error.");
491 fclose(fnonces);
492 return 1;
493 }
494 cuid = bytes_to_num(read_buf, 4);
495 trgBlockNo = bytes_to_num(read_buf+4, 1);
496 trgKeyType = bytes_to_num(read_buf+5, 1);
497
498 while (fread(read_buf, 1, 9, fnonces) == 9) {
499 nt_enc1 = bytes_to_num(read_buf, 4);
500 nt_enc2 = bytes_to_num(read_buf+4, 4);
501 par_enc = bytes_to_num(read_buf+8, 1);
502 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
503 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
504 add_nonce(nt_enc1, par_enc >> 4);
505 add_nonce(nt_enc2, par_enc & 0x0f);
506 total_num_nonces += 2;
507 }
508 fclose(fnonces);
509 PrintAndLog("Read %d nonces from file. cuid=%08x, Block=%d, Keytype=%c", total_num_nonces, cuid, trgBlockNo, trgKeyType==0?'A':'B');
510
511 return 0;
512 }
513
514
515 int static acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, bool nonce_file_write, bool slow)
516 {
517 clock_t time1 = clock();
518 bool initialize = true;
519 bool field_off = false;
520 bool finished = false;
521 uint32_t flags = 0;
522 uint8_t write_buf[9];
523 uint32_t total_num_nonces = 0;
524 uint32_t next_fivehundred = 500;
525 uint32_t total_added_nonces = 0;
526 FILE *fnonces = NULL;
527 UsbCommand resp;
528
529 printf("Acquiring nonces...\n");
530
531 clearCommandBuffer();
532
533 do {
534 flags = 0;
535 flags |= initialize ? 0x0001 : 0;
536 flags |= slow ? 0x0002 : 0;
537 flags |= field_off ? 0x0004 : 0;
538 UsbCommand c = {CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, flags}};
539 memcpy(c.d.asBytes, key, 6);
540
541 SendCommand(&c);
542
543 if (field_off) finished = true;
544
545 if (initialize) {
546 if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) return 1;
547 if (resp.arg[0]) return resp.arg[0]; // error during nested_hard
548
549 cuid = resp.arg[1];
550 // PrintAndLog("Acquiring nonces for CUID 0x%08x", cuid);
551 if (nonce_file_write && fnonces == NULL) {
552 if ((fnonces = fopen("nonces.bin","wb")) == NULL) {
553 PrintAndLog("Could not create file nonces.bin");
554 return 3;
555 }
556 PrintAndLog("Writing acquired nonces to binary file nonces.bin");
557 num_to_bytes(cuid, 4, write_buf);
558 fwrite(write_buf, 1, 4, fnonces);
559 fwrite(&trgBlockNo, 1, 1, fnonces);
560 fwrite(&trgKeyType, 1, 1, fnonces);
561 }
562 }
563
564 if (!initialize) {
565 uint32_t nt_enc1, nt_enc2;
566 uint8_t par_enc;
567 uint16_t num_acquired_nonces = resp.arg[2];
568 uint8_t *bufp = resp.d.asBytes;
569 for (uint16_t i = 0; i < num_acquired_nonces; i+=2) {
570 nt_enc1 = bytes_to_num(bufp, 4);
571 nt_enc2 = bytes_to_num(bufp+4, 4);
572 par_enc = bytes_to_num(bufp+8, 1);
573
574 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
575 total_added_nonces += add_nonce(nt_enc1, par_enc >> 4);
576 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
577 total_added_nonces += add_nonce(nt_enc2, par_enc & 0x0f);
578
579
580 if (nonce_file_write) {
581 fwrite(bufp, 1, 9, fnonces);
582 }
583
584 bufp += 9;
585 }
586
587 total_num_nonces += num_acquired_nonces;
588 }
589
590 if (first_byte_num == 256 ) {
591 // printf("first_byte_num = %d, first_byte_Sum = %d\n", first_byte_num, first_byte_Sum);
592 num_good_first_bytes = estimate_second_byte_sum();
593 if (total_num_nonces > next_fivehundred) {
594 next_fivehundred = (total_num_nonces/500+1) * 500;
595 printf("Acquired %5d nonces (%5d with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > %1.1f%%: %d\n",
596 total_num_nonces,
597 total_added_nonces,
598 CONFIDENCE_THRESHOLD * 100.0,
599 num_good_first_bytes);
600 }
601 if (num_good_first_bytes >= GOOD_BYTES_REQUIRED) {
602 field_off = true; // switch off field with next SendCommand and then finish
603 }
604 }
605
606 if (!initialize) {
607 if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) return 1;
608 if (resp.arg[0]) return resp.arg[0]; // error during nested_hard
609 }
610
611 initialize = false;
612
613 } while (!finished);
614
615
616 if (nonce_file_write) {
617 fclose(fnonces);
618 }
619
620 PrintAndLog("Acquired a total of %d nonces in %1.1f seconds (%d nonces/minute)",
621 total_num_nonces,
622 ((float)clock()-time1)/CLOCKS_PER_SEC,
623 total_num_nonces*60*CLOCKS_PER_SEC/(clock()-time1));
624
625 return 0;
626 }
627
628
629 static int init_partial_statelists(void)
630 {
631 const uint32_t sizes_odd[17] = { 125601, 0, 17607, 0, 73421, 0, 182033, 0, 248801, 0, 181737, 0, 74241, 0, 18387, 0, 126757 };
632 const uint32_t sizes_even[17] = { 125723, 0, 17867, 0, 74305, 0, 178707, 0, 248801, 0, 185063, 0, 73356, 0, 18127, 0, 126634 };
633
634 printf("Allocating memory for partial statelists...\n");
635 for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
636 for (uint16_t i = 0; i <= 16; i+=2) {
637 partial_statelist[i].len[odd_even] = 0;
638 uint32_t num_of_states = odd_even == ODD_STATE ? sizes_odd[i] : sizes_even[i];
639 partial_statelist[i].states[odd_even] = malloc(sizeof(uint32_t) * num_of_states);
640 if (partial_statelist[i].states[odd_even] == NULL) {
641 PrintAndLog("Cannot allocate enough memory. Aborting");
642 return 4;
643 }
644 for (uint32_t j = 0; j < STATELIST_INDEX_SIZE; j++) {
645 partial_statelist[i].index[odd_even][j] = NULL;
646 }
647 }
648 }
649
650 printf("Generating partial statelists...\n");
651 for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
652 uint32_t index = -1;
653 uint32_t num_of_states = 1<<20;
654 for (uint32_t state = 0; state < num_of_states; state++) {
655 uint16_t sum_property = PartialSumProperty(state, odd_even);
656 uint32_t *p = partial_statelist[sum_property].states[odd_even];
657 p += partial_statelist[sum_property].len[odd_even];
658 *p = state;
659 partial_statelist[sum_property].len[odd_even]++;
660 uint32_t index_mask = (STATELIST_INDEX_SIZE-1) << (20-STATELIST_INDEX_WIDTH);
661 if ((state & index_mask) != index) {
662 index = state & index_mask;
663 }
664 if (partial_statelist[sum_property].index[odd_even][index >> (20-STATELIST_INDEX_WIDTH)] == NULL) {
665 partial_statelist[sum_property].index[odd_even][index >> (20-STATELIST_INDEX_WIDTH)] = p;
666 }
667 }
668 // add End Of List markers
669 for (uint16_t i = 0; i <= 16; i += 2) {
670 uint32_t *p = partial_statelist[i].states[odd_even];
671 p += partial_statelist[i].len[odd_even];
672 *p = 0xffffffff;
673 }
674 }
675
676 return 0;
677 }
678
679
680 static void init_BitFlip_statelist(void)
681 {
682 printf("Generating bitflip statelist...\n");
683 uint32_t *p = statelist_bitflip.states[0] = malloc(sizeof(uint32_t) * 1<<20);
684 uint32_t index = -1;
685 uint32_t index_mask = (STATELIST_INDEX_SIZE-1) << (20-STATELIST_INDEX_WIDTH);
686 for (uint32_t state = 0; state < (1 << 20); state++) {
687 if (filter(state) != filter(state^1)) {
688 if ((state & index_mask) != index) {
689 index = state & index_mask;
690 }
691 if (statelist_bitflip.index[0][index >> (20-STATELIST_INDEX_WIDTH)] == NULL) {
692 statelist_bitflip.index[0][index >> (20-STATELIST_INDEX_WIDTH)] = p;
693 }
694 *p++ = state;
695 }
696 }
697 // set len and add End Of List marker
698 statelist_bitflip.len[0] = p - statelist_bitflip.states[0];
699 *p = 0xffffffff;
700 statelist_bitflip.states[0] = realloc(statelist_bitflip.states[0], sizeof(uint32_t) * (statelist_bitflip.len[0] + 1));
701 }
702
703
704 static void add_state(statelist_t *sl, uint32_t state, odd_even_t odd_even)
705 {
706 uint32_t *p;
707
708 p = sl->states[odd_even];
709 p += sl->len[odd_even];
710 *p = state;
711 sl->len[odd_even]++;
712 }
713
714
715 uint32_t *find_first_state(uint32_t state, uint32_t mask, partial_indexed_statelist_t *sl, odd_even_t odd_even)
716 {
717 uint32_t *p = sl->index[odd_even][(state & mask) >> (20-STATELIST_INDEX_WIDTH)]; // first Bits as index
718
719 if (p == NULL) return NULL;
720 while ((*p & mask) < (state & mask)) p++;
721 if (*p == 0xffffffff) return NULL; // reached end of list, no match
722 if ((*p & mask) == (state & mask)) return p; // found a match.
723 return NULL; // no match
724 }
725
726
727 static bool remaining_bits_match(uint8_t num_common_bits, uint8_t byte1, uint8_t byte2, uint32_t state1, uint32_t state2, odd_even_t odd_even)
728 {
729 uint8_t j = num_common_bits;
730 if (odd_even == ODD_STATE) {
731 j |= 0x01; // consider the next odd bit
732 } else {
733 j = (j+1) & 0xfe; // consider the next even bit
734 }
735
736 while (j <= 7) {
737 if (j != num_common_bits) { // this is not the first differing bit, we need first to check if the invariant still holds
738 uint32_t bit_diff = ((byte1 ^ byte2) << (17-j)) & 0x00010000; // difference of (j-1)th bit -> bit 16
739 uint32_t filter_diff = filter(state1 >> (4-j/2)) ^ filter(state2 >> (4-j/2)); // difference in filter function -> bit 0
740 uint32_t mask_y12_y13 = 0x000000c0 >> (j/2);
741 uint32_t state_diff = (state1 ^ state2) & mask_y12_y13; // difference in state bits 12 and 13 -> bits 6/7 ... 4/5
742 uint32_t all_diff = parity(bit_diff | state_diff | filter_diff); // use parity function to XOR all 4 bits
743 if (all_diff) { // invariant doesn't hold any more. Accept this state.
744 // if ((odd_even == ODD_STATE && state1 == test_state_odd)
745 // || (odd_even == EVEN_STATE && state1 == test_state_even)) {
746 // printf("remaining_bits_match(): %s test state: Invariant doesn't hold. Bytes = %02x, %02x, Common Bits=%d, Testing Bit %d, State1=0x%08x, State2=0x%08x\n",
747 // odd_even==ODD_STATE?"odd":"even", byte1, byte2, num_common_bits, j, state1, state2);
748 // }
749 return true;
750 }
751 }
752 // check for validity of state candidate
753 uint32_t bit_diff = ((byte1 ^ byte2) << (16-j)) & 0x00010000; // difference of jth bit -> bit 16
754 uint32_t mask_y13_y16 = 0x00000048 >> (j/2);
755 uint32_t state_diff = (state1 ^ state2) & mask_y13_y16; // difference in state bits 13 and 16 -> bits 3/6 ... 0/3
756 uint32_t all_diff = parity(bit_diff | state_diff); // use parity function to XOR all 3 bits
757 if (all_diff) { // not a valid state
758 // if ((odd_even == ODD_STATE && state1 == test_state_odd)
759 // || (odd_even == EVEN_STATE && state1 == test_state_even)) {
760 // printf("remaining_bits_match(): %s test state: Invalid state. Bytes = %02x, %02x, Common Bits=%d, Testing Bit %d, State1=0x%08x, State2=0x%08x\n",
761 // odd_even==ODD_STATE?"odd":"even", byte1, byte2, num_common_bits, j, state1, state2);
762 // printf(" byte1^byte2: 0x%02x, bit_diff: 0x%08x, state_diff: 0x%08x, all_diff: 0x%08x\n",
763 // byte1^byte2, bit_diff, state_diff, all_diff);
764 // }
765 return false;
766 }
767 // continue checking for the next bit
768 j += 2;
769 }
770
771 return true; // valid state
772 }
773
774
775 static bool all_other_first_bytes_match(uint32_t state, odd_even_t odd_even)
776 {
777 for (uint16_t i = 1; i < num_good_first_bytes; i++) {
778 uint16_t sum_a8 = nonces[best_first_bytes[i]].Sum8_guess;
779 uint8_t j = 0; // number of common bits
780 uint8_t common_bits = best_first_bytes[0] ^ best_first_bytes[i];
781 uint32_t mask = 0xfffffff0;
782 if (odd_even == ODD_STATE) {
783 while ((common_bits & 0x01) == 0 && j < 8) {
784 j++;
785 common_bits >>= 1;
786 if (j % 2 == 0) { // the odd bits
787 mask >>= 1;
788 }
789 }
790 } else {
791 while ((common_bits & 0x01) == 0 && j < 8) {
792 j++;
793 common_bits >>= 1;
794 if (j % 2 == 1) { // the even bits
795 mask >>= 1;
796 }
797 }
798 }
799 mask &= 0x000fffff;
800 //printf("bytes 0x%02x and 0x%02x: %d common bits, mask = 0x%08x, state = 0x%08x, sum_a8 = %d", best_first_bytes[0], best_first_bytes[i], j, mask, state, sum_a8);
801 bool found_match = false;
802 for (uint16_t r = 0; r <= 16 && !found_match; r += 2) {
803 for (uint16_t s = 0; s <= 16 && !found_match; s += 2) {
804 if (r*(16-s) + (16-r)*s == sum_a8) {
805 //printf("Checking byte 0x%02x for partial sum (%s) %d\n", best_first_bytes[i], odd_even==ODD_STATE?"odd":"even", odd_even==ODD_STATE?r:s);
806 uint16_t part_sum_a8 = (odd_even == ODD_STATE) ? r : s;
807 uint32_t *p = find_first_state(state, mask, &partial_statelist[part_sum_a8], odd_even);
808 if (p != NULL) {
809 while ((state & mask) == (*p & mask) && (*p != 0xffffffff)) {
810 if (remaining_bits_match(j, best_first_bytes[0], best_first_bytes[i], state, (state&0x00fffff0) | *p, odd_even)) {
811 found_match = true;
812 // if ((odd_even == ODD_STATE && state == test_state_odd)
813 // || (odd_even == EVEN_STATE && state == test_state_even)) {
814 // printf("all_other_first_bytes_match(): %s test state: remaining bits matched. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
815 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
816 // }
817 break;
818 } else {
819 // if ((odd_even == ODD_STATE && state == test_state_odd)
820 // || (odd_even == EVEN_STATE && state == test_state_even)) {
821 // printf("all_other_first_bytes_match(): %s test state: remaining bits didn't match. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
822 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
823 // }
824 }
825 p++;
826 }
827 } else {
828 // if ((odd_even == ODD_STATE && state == test_state_odd)
829 // || (odd_even == EVEN_STATE && state == test_state_even)) {
830 // printf("all_other_first_bytes_match(): %s test state: couldn't find a matching state. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
831 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
832 // }
833 }
834 }
835 }
836 }
837
838 if (!found_match) {
839 // if ((odd_even == ODD_STATE && state == test_state_odd)
840 // || (odd_even == EVEN_STATE && state == test_state_even)) {
841 // printf("all_other_first_bytes_match(): %s test state: Eliminated. Bytes = %02x, %02x, Common Bits = %d\n", odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j);
842 // }
843 return false;
844 }
845 }
846
847 return true;
848 }
849
850
851 static int add_matching_states(statelist_t *candidates, uint16_t part_sum_a0, uint16_t part_sum_a8, odd_even_t odd_even)
852 {
853 uint32_t worstcase_size = 1<<20;
854
855 candidates->states[odd_even] = (uint32_t *)malloc(sizeof(uint32_t) * worstcase_size);
856 if (candidates->states[odd_even] == NULL) {
857 PrintAndLog("Out of memory error.\n");
858 return 4;
859 }
860 for (uint32_t *p1 = partial_statelist[part_sum_a0].states[odd_even]; *p1 != 0xffffffff; p1++) {
861 uint32_t search_mask = 0x000ffff0;
862 uint32_t *p2 = find_first_state((*p1 << 4), search_mask, &partial_statelist[part_sum_a8], odd_even);
863 if (p2 != NULL) {
864 while (((*p1 << 4) & search_mask) == (*p2 & search_mask) && *p2 != 0xffffffff) {
865 if (all_other_first_bytes_match((*p1 << 4) | *p2, odd_even)) {
866 add_state(candidates, (*p1 << 4) | *p2, odd_even);
867 }
868 p2++;
869 }
870 }
871 p2 = candidates->states[odd_even];
872 p2 += candidates->len[odd_even];
873 *p2 = 0xffffffff;
874 }
875 candidates->states[odd_even] = realloc(candidates->states[odd_even], sizeof(uint32_t) * (candidates->len[odd_even] + 1));
876
877 return 0;
878 }
879
880
881 static statelist_t *add_more_candidates(statelist_t *current_candidates)
882 {
883 statelist_t *new_candidates = NULL;
884 if (current_candidates == NULL) {
885 if (candidates == NULL) {
886 candidates = (statelist_t *)malloc(sizeof(statelist_t));
887 }
888 new_candidates = candidates;
889 } else {
890 new_candidates = current_candidates->next = (statelist_t *)malloc(sizeof(statelist_t));
891 }
892 new_candidates->next = NULL;
893 new_candidates->len[ODD_STATE] = 0;
894 new_candidates->len[EVEN_STATE] = 0;
895 new_candidates->states[ODD_STATE] = NULL;
896 new_candidates->states[EVEN_STATE] = NULL;
897 return new_candidates;
898 }
899
900
901 static void TestIfKeyExists(uint64_t key)
902 {
903 struct Crypto1State *pcs;
904 pcs = crypto1_create(key);
905 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
906
907 uint32_t state_odd = pcs->odd & 0x00ffffff;
908 uint32_t state_even = pcs->even & 0x00ffffff;
909 printf("Tests: searching for key %llx after first byte 0x%02x (state_odd = 0x%06x, state_even = 0x%06x) ...\n", key, best_first_bytes[0], state_odd, state_even);
910
911 for (statelist_t *p = candidates; p != NULL; p = p->next) {
912 uint32_t *p_odd = p->states[ODD_STATE];
913 uint32_t *p_even = p->states[EVEN_STATE];
914 while (*p_odd != 0xffffffff) {
915 if (*p_odd == state_odd) printf("o");
916 p_odd++;
917 }
918 while (*p_even != 0xffffffff) {
919 if (*p_even == state_even) printf("e");
920 p_even++;
921 }
922 printf("|");
923 }
924 printf("\n");
925 crypto1_destroy(pcs);
926 }
927
928
929 static void generate_candidates(uint16_t sum_a0, uint16_t sum_a8)
930 {
931 printf("Generating crypto1 state candidates... \n");
932
933 statelist_t *current_candidates = NULL;
934 // estimate maximum candidate states
935 uint64_t maximum_states = 0;
936 for (uint16_t sum_odd = 0; sum_odd <= 16; sum_odd += 2) {
937 for (uint16_t sum_even = 0; sum_even <= 16; sum_even += 2) {
938 if (sum_odd*(16-sum_even) + (16-sum_odd)*sum_even == sum_a0) {
939 maximum_states += (uint64_t)partial_statelist[sum_odd].len[ODD_STATE] * partial_statelist[sum_even].len[EVEN_STATE] * (1<<8);
940 }
941 }
942 }
943 printf("Number of possible keys with Sum(a0) = %d: %lld (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2.0));
944
945 for (uint16_t p = 0; p <= 16; p += 2) {
946 for (uint16_t q = 0; q <= 16; q += 2) {
947 if (p*(16-q) + (16-p)*q == sum_a0) {
948 printf("Reducing Partial Statelists (p,q) = (%d,%d) with lengths %d, %d\n",
949 p, q, partial_statelist[p].len[ODD_STATE], partial_statelist[q].len[EVEN_STATE]);
950 for (uint16_t r = 0; r <= 16; r += 2) {
951 for (uint16_t s = 0; s <= 16; s += 2) {
952 if (r*(16-s) + (16-r)*s == sum_a8) {
953 current_candidates = add_more_candidates(current_candidates);
954 add_matching_states(current_candidates, p, r, ODD_STATE);
955 printf("Odd state candidates: %d (2^%0.1f)\n", current_candidates->len[ODD_STATE], log(current_candidates->len[ODD_STATE])/log(2));
956 add_matching_states(current_candidates, q, s, EVEN_STATE);
957 printf("Even state candidates: %d (2^%0.1f)\n", current_candidates->len[EVEN_STATE], log(current_candidates->len[EVEN_STATE])/log(2));
958 }
959 }
960 }
961 }
962 }
963 }
964
965
966 maximum_states = 0;
967 for (statelist_t *sl = candidates; sl != NULL; sl = sl->next) {
968 maximum_states += (uint64_t)sl->len[ODD_STATE] * sl->len[EVEN_STATE];
969 }
970 printf("Number of remaining possible keys: %lld (2^%1.1f)\n", maximum_states, log(maximum_states)/log(2.0));
971
972 TestIfKeyExists(0xffffffffffff);
973 TestIfKeyExists(0xa0a1a2a3a4a5);
974
975 }
976
977
978 static void Check_for_FilterFlipProperties(void)
979 {
980 printf("Checking for Filter Flip Properties...\n");
981
982 for (uint16_t i = 0; i < 256; i++) {
983 nonces[i].BitFlip[ODD_STATE] = false;
984 nonces[i].BitFlip[EVEN_STATE] = false;
985 }
986
987 for (uint16_t i = 0; i < 256; i++) {
988 uint8_t parity1 = (nonces[i].first->par_enc) >> 3; // parity of first byte
989 uint8_t parity2_odd = (nonces[i^0x80].first->par_enc) >> 3; // XOR 0x80 = last bit flipped
990 uint8_t parity2_even = (nonces[i^0x40].first->par_enc) >> 3; // XOR 0x40 = second last bit flipped
991
992 if (parity1 == parity2_odd) { // has Bit Flip Property for odd bits
993 nonces[i].BitFlip[ODD_STATE] = true;
994 } else if (parity1 == parity2_even) { // has Bit Flip Property for even bits
995 nonces[i].BitFlip[EVEN_STATE] = true;
996 }
997 }
998 }
999
1000
1001 int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, bool nonce_file_read, bool nonce_file_write, bool slow)
1002 {
1003
1004 // initialize the list of nonces
1005 for (uint16_t i = 0; i < 256; i++) {
1006 nonces[i].num = 0;
1007 nonces[i].Sum = 0;
1008 nonces[i].Sum8_guess = 0;
1009 nonces[i].Sum8_prob = 0.0;
1010 nonces[i].updated = true;
1011 nonces[i].first = NULL;
1012 }
1013 first_byte_num = 0;
1014 first_byte_Sum = 0;
1015 num_good_first_bytes = 0;
1016
1017 init_partial_statelists();
1018 init_BitFlip_statelist();
1019
1020 if (nonce_file_read) { // use pre-acquired data from file nonces.bin
1021 if (read_nonce_file() != 0) {
1022 return 3;
1023 }
1024 num_good_first_bytes = estimate_second_byte_sum();
1025 } else { // acquire nonces.
1026 uint16_t is_OK = acquire_nonces(blockNo, keyType, key, trgBlockNo, trgKeyType, nonce_file_write, slow);
1027 if (is_OK != 0) {
1028 return is_OK;
1029 }
1030 }
1031
1032 Check_for_FilterFlipProperties();
1033
1034 Tests();
1035
1036 PrintAndLog("");
1037 PrintAndLog("Sum(a0) = %d", first_byte_Sum);
1038 // PrintAndLog("Best 10 first bytes: %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x",
1039 // best_first_bytes[0],
1040 // best_first_bytes[1],
1041 // best_first_bytes[2],
1042 // best_first_bytes[3],
1043 // best_first_bytes[4],
1044 // best_first_bytes[5],
1045 // best_first_bytes[6],
1046 // best_first_bytes[7],
1047 // best_first_bytes[8],
1048 // best_first_bytes[9] );
1049 PrintAndLog("Number of first bytes with confidence > %2.1f%%: %d", CONFIDENCE_THRESHOLD*100.0, num_good_first_bytes);
1050
1051 generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].Sum8_guess);
1052
1053 PrintAndLog("Brute force phase not yet implemented");
1054
1055 return 0;
1056 }
1057
1058
Proxmark3 GIT tracking
Impressum, Datenschutz