4 * Contains state and functions for an emulated Hitag2 tag. Offers an entry
5 * point to handle commands, needs a callback to send response.
7 * (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
10 #include <proxmark3.h>
16 struct hitag2_cipher_state
{
23 TAG_STATE_RESET
, // Just powered up, awaiting GetSnr
24 TAG_STATE_ACTIVATING
, // In activation phase (password mode), sent UID, awaiting reader password
25 TAG_STATE_AUTHENTICATING
, // In activation phase (crypto mode), awaiting reader authentication
26 TAG_STATE_ACTIVATED
, // Activation complete, awaiting read/write commands
27 TAG_STATE_WRITING
, // In write command, awaiting sector contents to be written
29 unsigned int active_sector
;
31 struct hitag2_cipher_state cs
;
35 static void hitag2_cipher_reset(struct hitag2_tag
*tag
, const char *challenge
);
36 static int hitag2_cipher_authenticate(struct hitag2_cipher_state
*cs
, const char *authenticator
);
37 static int hitag2_cipher_transcrypt(struct hitag2_cipher_state
*cs
, char *data
, unsigned int bytes
, unsigned int bits
);
39 static struct hitag2_tag tag
;
40 static const struct hitag2_tag resetdata
= {
41 .state
= TAG_STATE_RESET
,
42 .sectors
= { // Password mode: | Crypto mode:
43 [0] = { 0x35, 0x33, 0x70, 0x11}, // UID | UID
44 [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key
45 [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved
46 [3] = { 0x0e, 0xaa, 'H', 'T'}, // Configuration, password TAG | Configuration, password TAG
50 int hitag2_reset(void)
52 tag
.state
= TAG_STATE_RESET
;
53 tag
.crypto_active
= 0;
59 memcpy(&tag
, &resetdata
, sizeof(tag
));
64 int hitag2_handle_command(const char* data
, const int length
, hitag2_response_callback_t cb
, void *cb_cookie
)
66 (void)data
; (void)length
; (void)cb
; (void)cb_cookie
;
67 int retry
= 0, done
= 0, result
=0;
70 if(tag
.crypto_active
&& length
< sizeof(temp
)*8) {
72 memcpy(temp
, data
, (length
+7)/8);
73 hitag2_cipher_transcrypt(&(tag
.cs
), temp
, length
/8, length
%8);
81 if(length
== 5 && data
[0] == 0xC0) {
82 /* Received 11000 from the reader, request for UID, send UID */
83 result
=cb(tag
.sectors
[0], sizeof(tag
.sectors
[0])*8, 208, cb_cookie
);
85 if(tag
.sectors
[3][0] & 0x08) {
86 tag
.state
=TAG_STATE_AUTHENTICATING
;
88 tag
.state
=TAG_STATE_ACTIVATING
;
92 case TAG_STATE_ACTIVATING
:
94 /* Received RWD password, respond with configuration and our password */
95 result
=cb(tag
.sectors
[3], sizeof(tag
.sectors
[3])*8, 208, cb_cookie
);
97 tag
.state
=TAG_STATE_ACTIVATED
;
100 case TAG_STATE_AUTHENTICATING
:
102 /* Received initialisation vector || authentication token, fire up cipher, send our password */
103 hitag2_cipher_reset(&tag
, data
);
104 if(hitag2_cipher_authenticate(&(tag
.cs
), data
+4)) {
105 char response_enc
[4];
106 memcpy(response_enc
, tag
.sectors
[3], 4);
107 hitag2_cipher_transcrypt(&(tag
.cs
), response_enc
, 4, 0);
108 result
=cb(response_enc
, 4*8, 208, cb_cookie
);
110 tag
.crypto_active
= 1;
111 tag
.state
= TAG_STATE_ACTIVATED
;
113 /* The reader failed to authenticate, do nothing */
114 DbpString("Reader authentication failed");
118 case TAG_STATE_ACTIVATED
:
120 if( ((data
[0] & 0xC0) == 0xC0) && ((data
[0] & 0x06) == 0) ) {
121 /* Read command: 11xx x00y yy with yyy == ~xxx, xxx is sector number */
122 unsigned int sector
= (~( ((data
[0]<<2)&0x04) | ((data
[1]>>6)&0x03) ) & 0x07);
123 if(sector
== ( (data
[0]>>3)&0x07 ) ) {
124 memcpy(temp
, tag
.sectors
[sector
], 4);
125 if(tag
.crypto_active
) {
126 hitag2_cipher_transcrypt(&(tag
.cs
), temp
, 4, 0);
128 /* Respond with contents of sector sector */
129 result
= cb(temp
, 4*8, 208, cb_cookie
);
132 /* transmission error */
133 DbpString("Transmission error (read) in activated state");
135 } else if( ((data
[0] & 0xC0) == 0x80) && ((data
[0] & 0x06) == 2) ) {
136 /* Write command: 10xx x01y yy with yyy == ~xxx, xxx is sector number */
137 unsigned int sector
= (~( ((data
[0]<<2)&0x04) | ((data
[1]>>6)&0x03) ) & 0x07);
138 if(sector
== ( (data
[0]>>3)&0x07 ) ) {
139 /* Prepare write, acknowledge by repeating command */
140 if(tag
.crypto_active
) {
141 hitag2_cipher_transcrypt(&(tag
.cs
), temp
, length
/8, length
%8);
143 result
= cb(data
, length
, 208, cb_cookie
);
145 tag
.active_sector
= sector
;
146 tag
.state
=TAG_STATE_WRITING
;
148 /* transmission error */
149 DbpString("Transmission error (write) in activated state");
154 case TAG_STATE_WRITING
:
156 /* These are the sector contents to be written. We don't have to do anything else. */
157 memcpy(tag
.sectors
[tag
.active_sector
], data
, length
/8);
158 tag
.state
=TAG_STATE_ACTIVATED
;
163 if(!done
&& !retry
) {
164 /* We didn't respond, maybe our state is faulty. Reset and try again. */
166 if(tag
.crypto_active
) {
167 /* Restore undeciphered data */
168 memcpy(temp
, data
, (length
+7)/8);
171 goto handle_command_retry
;
177 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
178 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
179 // For educational purposes only.
180 // No warranties or guarantees of any kind.
181 // This code is released into the public domain by its author.
188 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
189 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
190 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
191 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
192 #define bit(x,n) (((x)>>(n))&1)
193 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
194 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
195 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
197 // Single bit Hitag2 functions:
199 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
201 static const u32 ht2_f4a
= 0x2C79; // 0010 1100 0111 1001
202 static const u32 ht2_f4b
= 0x6671; // 0110 0110 0111 0001
203 static const u32 ht2_f5c
= 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
205 static u32
_f20 (const u64 x
)
209 i5
= ((ht2_f4a
>> i4 (x
, 1, 2, 4, 5)) & 1)* 1
210 + ((ht2_f4b
>> i4 (x
, 7,11,13,14)) & 1)* 2
211 + ((ht2_f4b
>> i4 (x
,16,20,22,25)) & 1)* 4
212 + ((ht2_f4b
>> i4 (x
,27,28,30,32)) & 1)* 8
213 + ((ht2_f4a
>> i4 (x
,33,42,43,45)) & 1)*16;
215 return (ht2_f5c
>> i5
) & 1;
218 static u64
_hitag2_init (const u64 key
, const u32 serial
, const u32 IV
)
221 u64 x
= ((key
& 0xFFFF) << 32) + serial
;
223 for (i
= 0; i
< 32; i
++)
226 x
+= (u64
) (_f20 (x
) ^ (((IV
>> i
) ^ (key
>> (i
+16))) & 1)) << 47;
231 static u64
_hitag2_round (u64
*state
)
236 ((((x
>> 0) ^ (x
>> 2) ^ (x
>> 3) ^ (x
>> 6)
237 ^ (x
>> 7) ^ (x
>> 8) ^ (x
>> 16) ^ (x
>> 22)
238 ^ (x
>> 23) ^ (x
>> 26) ^ (x
>> 30) ^ (x
>> 41)
239 ^ (x
>> 42) ^ (x
>> 43) ^ (x
>> 46) ^ (x
>> 47)) & 1) << 47);
245 // Bitslice Hitag2 functions:
247 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
248 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
249 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
251 #define uf20bs u32 // choose your own type/width
253 static uf20bs
_f20bs (const uf20bs
*x
)
256 ht2bs_4a(x
[ 1],x
[ 2],x
[ 4],x
[ 5]),
257 ht2bs_4b(x
[ 7],x
[11],x
[13],x
[14]),
258 ht2bs_4b(x
[16],x
[20],x
[22],x
[25]),
259 ht2bs_4b(x
[27],x
[28],x
[30],x
[32]),
260 ht2bs_4a(x
[33],x
[42],x
[43],x
[45]));
263 static void _hitag2bs_init (uf20bs
*x
, const uf20bs
*key
, const uf20bs
*serial
, const uf20bs
*IV
)
267 for (i
= 0; i
< 32; i
++) x
[i
] = serial
[i
];
268 for (i
= 0; i
< 16; i
++) x
[32+i
] = key
[i
];
270 for (r
= 0; r
< 32; r
++)
272 for (i
= 0; i
< 47; i
++) x
[i
] = x
[i
+1];
273 x
[47] = _f20bs (x
) ^ IV
[i
] ^ key
[16+i
];
277 static uf20bs
_hitag2bs_round (uf20bs
*x
)
282 y
= x
[ 0] ^ x
[ 2] ^ x
[ 3] ^ x
[ 6] ^ x
[ 7] ^ x
[ 8] ^ x
[16] ^ x
[22]
283 ^ x
[23] ^ x
[26] ^ x
[30] ^ x
[41] ^ x
[42] ^ x
[43] ^ x
[46] ^ x
[47];
285 for (i
= 0; i
< 47; i
++) x
[i
] = x
[i
+1];
291 static u32
_hitag2_byte (u64
* x
)
295 for (i
= 0, c
= 0; i
< 8; i
++) c
+= (u32
) _hitag2_round (x
) << (i
^7);
300 /* Cipher/tag glue code: */
302 static void hitag2_cipher_reset(struct hitag2_tag
*tag
, const char *iv
)
304 uint64_t key
= ((uint64_t)tag
->sectors
[2][2]) |
305 ((uint64_t)tag
->sectors
[2][3] << 8) |
306 ((uint64_t)tag
->sectors
[1][0] << 16) |
307 ((uint64_t)tag
->sectors
[1][1] << 24) |
308 ((uint64_t)tag
->sectors
[1][2] << 32) |
309 ((uint64_t)tag
->sectors
[1][3] << 40);
310 uint32_t uid
= ((uint32_t)tag
->sectors
[0][0]) |
311 ((uint32_t)tag
->sectors
[0][1] << 8) |
312 ((uint32_t)tag
->sectors
[0][2] << 16) |
313 ((uint32_t)tag
->sectors
[0][3] << 24);
314 uint32_t iv_
= (((uint32_t)(iv
[0]))) |
315 (((uint32_t)(iv
[1])) << 8) |
316 (((uint32_t)(iv
[2])) << 16) |
317 (((uint32_t)(iv
[3])) << 24);
318 tag
->cs
.state
= _hitag2_init(rev64(key
), rev32(uid
), rev32(iv_
));
321 static int hitag2_cipher_authenticate(struct hitag2_cipher_state
*cs
, const char *authenticator_is
)
323 char authenticator_should
[4];
324 authenticator_should
[0] = ~_hitag2_byte(&(cs
->state
));
325 authenticator_should
[1] = ~_hitag2_byte(&(cs
->state
));
326 authenticator_should
[2] = ~_hitag2_byte(&(cs
->state
));
327 authenticator_should
[3] = ~_hitag2_byte(&(cs
->state
));
328 return memcmp(authenticator_should
, authenticator_is
, 4) == 0;
331 static int hitag2_cipher_transcrypt(struct hitag2_cipher_state
*cs
, char *data
, unsigned int bytes
, unsigned int bits
)
334 for(i
=0; i
<bytes
; i
++) data
[i
] ^= _hitag2_byte(&(cs
->state
));
335 for(i
=0; i
<bits
; i
++) data
[bytes
] ^= _hitag2_round(&(cs
->state
)) << (7-i
);