]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhfmfhard.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ADD: @pwpiwi 's latest code from his 'hardnested' branch.
[proxmark3-svn] / client / cmdhfmfhard.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2015 piwi
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Implements a card only attack based on crypto text (encrypted nonces
9 // received during a nested authentication) only. Unlike other card only
10 // attacks this doesn't rely on implementation errors but only on the
11 // inherent weaknesses of the crypto1 cypher. Described in
12 // Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
13 // Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
14 // Computer and Communications Security, 2015
15 //-----------------------------------------------------------------------------
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <pthread.h>
21 #include <math.h>
22 #include "proxmark3.h"
23 #include "cmdmain.h"
24 #include "ui.h"
25 #include "util.h"
26 #include "nonce2key/crapto1.h"
27 #include "parity.h"
28
29 // uint32_t test_state_odd = 0;
30 // uint32_t test_state_even = 0;
31
32 #define CONFIDENCE_THRESHOLD 0.95 // Collect nonces until we are certain enough that the following brute force is successfull
33 #define GOOD_BYTES_REQUIRED 60
34
35
36 static const float p_K[257] = { // the probability that a random nonce has a Sum Property == K
37 0.0290, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
38 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
39 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
40 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
41 0.0083, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
42 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
43 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
44 0.0006, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
45 0.0339, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
46 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
47 0.0048, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
48 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
49 0.0934, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
50 0.0119, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
51 0.0489, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
52 0.0602, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
53 0.4180, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
54 0.0602, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
55 0.0489, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
56 0.0119, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
57 0.0934, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
58 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
59 0.0048, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
60 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
61 0.0339, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
62 0.0006, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
63 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
64 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
65 0.0083, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
66 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
67 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
68 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000,
69 0.0290 };
70
71
72 typedef struct noncelistentry {
73 uint32_t nonce_enc;
74 uint8_t par_enc;
75 void *next;
76 } noncelistentry_t;
77
78 typedef struct noncelist {
79 uint16_t num;
80 uint16_t Sum;
81 uint16_t Sum8_guess;
82 uint8_t BitFlip[2];
83 float Sum8_prob;
84 bool updated;
85 noncelistentry_t *first;
86 } noncelist_t;
87
88
89 static uint32_t cuid;
90 static noncelist_t nonces[256];
91 static uint16_t first_byte_Sum = 0;
92 static uint16_t first_byte_num = 0;
93 static uint16_t num_good_first_bytes = 0;
94 static uint64_t maximum_states = 0;
95 static uint64_t known_target_key;
96
97 #define MAX_BEST_BYTES 256
98 static uint8_t best_first_bytes[MAX_BEST_BYTES];
99
100
101 typedef enum {
102 EVEN_STATE = 0,
103 ODD_STATE = 1
104 } odd_even_t;
105
106 #define STATELIST_INDEX_WIDTH 16
107 #define STATELIST_INDEX_SIZE (1<<STATELIST_INDEX_WIDTH)
108
109 typedef struct {
110 uint32_t *states[2];
111 uint32_t len[2];
112 uint32_t *index[2][STATELIST_INDEX_SIZE];
113 } partial_indexed_statelist_t;
114
115 typedef struct {
116 uint32_t *states[2];
117 uint32_t len[2];
118 void* next;
119 } statelist_t;
120
121
122 static partial_indexed_statelist_t partial_statelist[17];
123 static partial_indexed_statelist_t statelist_bitflip;
124
125 static statelist_t *candidates = NULL;
126
127
128 static int add_nonce(uint32_t nonce_enc, uint8_t par_enc)
129 {
130 uint8_t first_byte = nonce_enc >> 24;
131 noncelistentry_t *p1 = nonces[first_byte].first;
132 noncelistentry_t *p2 = NULL;
133
134 if (p1 == NULL) { // first nonce with this 1st byte
135 first_byte_num++;
136 first_byte_Sum += evenparity32((nonce_enc & 0xff000000) | (par_enc & 0x08));
137 // printf("Adding nonce 0x%08x, par_enc 0x%02x, parity(0x%08x) = %d\n",
138 // nonce_enc,
139 // par_enc,
140 // (nonce_enc & 0xff000000) | (par_enc & 0x08) |0x01,
141 // parity((nonce_enc & 0xff000000) | (par_enc & 0x08));
142 }
143
144 while (p1 != NULL && (p1->nonce_enc & 0x00ff0000) < (nonce_enc & 0x00ff0000)) {
145 p2 = p1;
146 p1 = p1->next;
147 }
148
149 if (p1 == NULL) { // need to add at the end of the list
150 if (p2 == NULL) { // list is empty yet. Add first entry.
151 p2 = nonces[first_byte].first = malloc(sizeof(noncelistentry_t));
152 } else { // add new entry at end of existing list.
153 p2 = p2->next = malloc(sizeof(noncelistentry_t));
154 }
155 } else if ((p1->nonce_enc & 0x00ff0000) != (nonce_enc & 0x00ff0000)) { // found distinct 2nd byte. Need to insert.
156 if (p2 == NULL) { // need to insert at start of list
157 p2 = nonces[first_byte].first = malloc(sizeof(noncelistentry_t));
158 } else {
159 p2 = p2->next = malloc(sizeof(noncelistentry_t));
160 }
161 } else { // we have seen this 2nd byte before. Nothing to add or insert.
162 return (0);
163 }
164
165 // add or insert new data
166 p2->next = p1;
167 p2->nonce_enc = nonce_enc;
168 p2->par_enc = par_enc;
169
170 nonces[first_byte].num++;
171 nonces[first_byte].Sum += evenparity32((nonce_enc & 0x00ff0000) | (par_enc & 0x04));
172 nonces[first_byte].updated = true; // indicates that we need to recalculate the Sum(a8) probability for this first byte
173
174 return (1); // new nonce added
175 }
176
177
178 static uint16_t PartialSumProperty(uint32_t state, odd_even_t odd_even)
179 {
180 uint16_t sum = 0;
181 for (uint16_t j = 0; j < 16; j++) {
182 uint32_t st = state;
183 uint16_t part_sum = 0;
184 if (odd_even == ODD_STATE) {
185 for (uint16_t i = 0; i < 5; i++) {
186 part_sum ^= filter(st);
187 st = (st << 1) | ((j >> (3-i)) & 0x01) ;
188 }
189 part_sum ^= 1; // XOR 1 cancelled out for the other 8 bits
190 } else {
191 for (uint16_t i = 0; i < 4; i++) {
192 st = (st << 1) | ((j >> (3-i)) & 0x01) ;
193 part_sum ^= filter(st);
194 }
195 }
196 sum += part_sum;
197 }
198 return sum;
199 }
200
201
202 static uint16_t SumProperty(struct Crypto1State *s)
203 {
204 uint16_t sum_odd = PartialSumProperty(s->odd, ODD_STATE);
205 uint16_t sum_even = PartialSumProperty(s->even, EVEN_STATE);
206 return (sum_odd*(16-sum_even) + (16-sum_odd)*sum_even);
207 }
208
209
210 static double p_hypergeometric(uint16_t N, uint16_t K, uint16_t n, uint16_t k)
211 {
212 // for efficient computation we are using the recursive definition
213 // (K-k+1) * (n-k+1)
214 // P(X=k) = P(X=k-1) * --------------------
215 // k * (N-K-n+k)
216 // and
217 // (N-K)*(N-K-1)*...*(N-K-n+1)
218 // P(X=0) = -----------------------------
219 // N*(N-1)*...*(N-n+1)
220
221 if (n-k > N-K || k > K) return 0.0; // avoids log(x<=0) in calculation below
222 if (k == 0) {
223 // use logarithms to avoid overflow with huge factorials (double type can only hold 170!)
224 double log_result = 0.0;
225 for (int16_t i = N-K; i >= N-K-n+1; i--) {
226 log_result += log(i);
227 }
228 for (int16_t i = N; i >= N-n+1; i--) {
229 log_result -= log(i);
230 }
231 return exp(log_result);
232 } else {
233 if (n-k == N-K) { // special case. The published recursion below would fail with a divide by zero exception
234 double log_result = 0.0;
235 for (int16_t i = k+1; i <= n; i++) {
236 log_result += log(i);
237 }
238 for (int16_t i = K+1; i <= N; i++) {
239 log_result -= log(i);
240 }
241 return exp(log_result);
242 } else { // recursion
243 return (p_hypergeometric(N, K, n, k-1) * (K-k+1) * (n-k+1) / (k * (N-K-n+k)));
244 }
245 }
246 }
247
248
249 static float sum_probability(uint16_t K, uint16_t n, uint16_t k)
250 {
251 const uint16_t N = 256;
252
253
254
255 if (k > K || p_K[K] == 0.0) return 0.0;
256
257 double p_T_is_k_when_S_is_K = p_hypergeometric(N, K, n, k);
258 double p_S_is_K = p_K[K];
259 double p_T_is_k = 0;
260 for (uint16_t i = 0; i <= 256; i++) {
261 if (p_K[i] != 0.0) {
262 p_T_is_k += p_K[i] * p_hypergeometric(N, i, n, k);
263 }
264 }
265 return(p_T_is_k_when_S_is_K * p_S_is_K / p_T_is_k);
266 }
267
268
269 static void Tests()
270 {
271 printf("Tests: Partial Statelist sizes\n");
272 for (uint16_t i = 0; i <= 16; i+=2) {
273 printf("Partial State List Odd [%2d] has %8d entries\n", i, partial_statelist[i].len[ODD_STATE]);
274 }
275 for (uint16_t i = 0; i <= 16; i+=2) {
276 printf("Partial State List Even [%2d] has %8d entries\n", i, partial_statelist[i].len[EVEN_STATE]);
277 }
278
279 // #define NUM_STATISTICS 100000
280 // uint32_t statistics_odd[17];
281 // uint64_t statistics[257];
282 // uint32_t statistics_even[17];
283 // struct Crypto1State cs;
284 // time_t time1 = clock();
285
286 // for (uint16_t i = 0; i < 257; i++) {
287 // statistics[i] = 0;
288 // }
289 // for (uint16_t i = 0; i < 17; i++) {
290 // statistics_odd[i] = 0;
291 // statistics_even[i] = 0;
292 // }
293
294 // for (uint64_t i = 0; i < NUM_STATISTICS; i++) {
295 // cs.odd = (rand() & 0xfff) << 12 | (rand() & 0xfff);
296 // cs.even = (rand() & 0xfff) << 12 | (rand() & 0xfff);
297 // uint16_t sum_property = SumProperty(&cs);
298 // statistics[sum_property] += 1;
299 // sum_property = PartialSumProperty(cs.even, EVEN_STATE);
300 // statistics_even[sum_property]++;
301 // sum_property = PartialSumProperty(cs.odd, ODD_STATE);
302 // statistics_odd[sum_property]++;
303 // if (i%(NUM_STATISTICS/100) == 0) printf(".");
304 // }
305
306 // printf("\nTests: Calculated %d Sum properties in %0.3f seconds (%0.0f calcs/second)\n", NUM_STATISTICS, ((float)clock() - time1)/CLOCKS_PER_SEC, NUM_STATISTICS/((float)clock() - time1)*CLOCKS_PER_SEC);
307 // for (uint16_t i = 0; i < 257; i++) {
308 // if (statistics[i] != 0) {
309 // printf("probability[%3d] = %0.5f\n", i, (float)statistics[i]/NUM_STATISTICS);
310 // }
311 // }
312 // for (uint16_t i = 0; i <= 16; i++) {
313 // if (statistics_odd[i] != 0) {
314 // printf("probability odd [%2d] = %0.5f\n", i, (float)statistics_odd[i]/NUM_STATISTICS);
315 // }
316 // }
317 // for (uint16_t i = 0; i <= 16; i++) {
318 // if (statistics_odd[i] != 0) {
319 // printf("probability even [%2d] = %0.5f\n", i, (float)statistics_even[i]/NUM_STATISTICS);
320 // }
321 // }
322
323 // printf("Tests: Sum Probabilities based on Partial Sums\n");
324 // for (uint16_t i = 0; i < 257; i++) {
325 // statistics[i] = 0;
326 // }
327 // uint64_t num_states = 0;
328 // for (uint16_t oddsum = 0; oddsum <= 16; oddsum += 2) {
329 // for (uint16_t evensum = 0; evensum <= 16; evensum += 2) {
330 // uint16_t sum = oddsum*(16-evensum) + (16-oddsum)*evensum;
331 // statistics[sum] += (uint64_t)partial_statelist[oddsum].len[ODD_STATE] * partial_statelist[evensum].len[EVEN_STATE] * (1<<8);
332 // num_states += (uint64_t)partial_statelist[oddsum].len[ODD_STATE] * partial_statelist[evensum].len[EVEN_STATE] * (1<<8);
333 // }
334 // }
335 // printf("num_states = %lld, expected %lld\n", num_states, (1LL<<48));
336 // for (uint16_t i = 0; i < 257; i++) {
337 // if (statistics[i] != 0) {
338 // printf("probability[%3d] = %0.5f\n", i, (float)statistics[i]/num_states);
339 // }
340 // }
341
342 // printf("\nTests: Hypergeometric Probability for selected parameters\n");
343 // printf("p_hypergeometric(256, 206, 255, 206) = %0.8f\n", p_hypergeometric(256, 206, 255, 206));
344 // printf("p_hypergeometric(256, 206, 255, 205) = %0.8f\n", p_hypergeometric(256, 206, 255, 205));
345 // printf("p_hypergeometric(256, 156, 1, 1) = %0.8f\n", p_hypergeometric(256, 156, 1, 1));
346 // printf("p_hypergeometric(256, 156, 1, 0) = %0.8f\n", p_hypergeometric(256, 156, 1, 0));
347 // printf("p_hypergeometric(256, 1, 1, 1) = %0.8f\n", p_hypergeometric(256, 1, 1, 1));
348 // printf("p_hypergeometric(256, 1, 1, 0) = %0.8f\n", p_hypergeometric(256, 1, 1, 0));
349
350 struct Crypto1State *pcs;
351 pcs = crypto1_create(0xffffffffffff);
352 printf("\nTests: for key = 0xffffffffffff:\nSum(a0) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
353 SumProperty(pcs), pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
354 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
355 printf("After adding best first byte 0x%02x:\nSum(a8) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
356 best_first_bytes[0],
357 SumProperty(pcs),
358 pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
359 //test_state_odd = pcs->odd & 0x00ffffff;
360 //test_state_even = pcs->even & 0x00ffffff;
361 crypto1_destroy(pcs);
362 pcs = crypto1_create(0xa0a1a2a3a4a5);
363 printf("Tests: for key = 0xa0a1a2a3a4a5:\nSum(a0) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
364 SumProperty(pcs), pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
365 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
366 printf("After adding best first byte 0x%02x:\nSum(a8) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
367 best_first_bytes[0],
368 SumProperty(pcs),
369 pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
370 // test_state_odd = pcs->odd & 0x00ffffff;
371 // test_state_even = pcs->even & 0x00ffffff;
372 crypto1_destroy(pcs);
373 pcs = crypto1_create(0xa6b9aa97b955);
374 printf("Tests: for key = 0xa6b9aa97b955:\nSum(a0) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
375 SumProperty(pcs), pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
376 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
377 printf("After adding best first byte 0x%02x:\nSum(a8) = %d\nodd_state = 0x%06x\neven_state = 0x%06x\n",
378 best_first_bytes[0],
379 SumProperty(pcs),
380 pcs->odd & 0x00ffffff, pcs->even & 0x00ffffff);
381 //test_state_odd = pcs->odd & 0x00ffffff;
382 //test_state_even = pcs->even & 0x00ffffff;
383 crypto1_destroy(pcs);
384
385
386
387 printf("\nTests: number of states with BitFlipProperty: %d, (= %1.3f%% of total states)\n", statelist_bitflip.len[0], 100.0 * statelist_bitflip.len[0] / (1<<20));
388
389 printf("\nTests: Actual BitFlipProperties odd/even:\n");
390 for (uint16_t i = 0; i < 256; i++) {
391 printf("[%02x]:%c%c ", i, nonces[i].BitFlip[ODD_STATE]?'o':' ', nonces[i].BitFlip[EVEN_STATE]?'e':' ');
392 if (i % 8 == 7) {
393 printf("\n");
394 }
395 }
396
397 printf("\nTests: Best %d first bytes:\n", MAX_BEST_BYTES);
398 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
399 uint8_t best_byte = best_first_bytes[i];
400 uint16_t best_num = nonces[best_byte].num;
401 uint16_t best_sum = nonces[best_byte].Sum;
402 uint16_t best_sum8 = nonces[best_byte].Sum8_guess;
403 float confidence = nonces[best_byte].Sum8_prob;
404 printf("#%03d Byte: %02x, n = %2d, k = %2d, Sum(a8): %3d, Confidence: %2.1f%%\n", i, best_byte, best_num, best_sum, best_sum8, confidence*100);
405 }
406
407 // printf("\nTests: parity performance\n");
408 // time_t time1p = clock();
409 // uint32_t par_sum = 0;
410 // for (uint32_t i = 0; i < 100000000; i++) {
411 // par_sum += parity(i);
412 // }
413 // printf("parsum oldparity = %d, time = %1.5fsec\n", par_sum, (float)(clock() - time1p)/CLOCKS_PER_SEC);
414
415 // time1p = clock();
416 // par_sum = 0;
417 // for (uint32_t i = 0; i < 100000000; i++) {
418 // par_sum += evenparity32(i);
419 // }
420 // printf("parsum newparity = %d, time = %1.5fsec\n", par_sum, (float)(clock() - time1p)/CLOCKS_PER_SEC);
421
422 }
423
424
425 static int common_bits(uint8_t byte1, uint8_t byte2)
426 {
427 uint8_t common_bits = byte1 ^ byte2;
428 uint8_t j = 0;
429 while ((common_bits & 0x01) == 0 && j < 8) {
430 j++;
431 common_bits >>= 1;
432 }
433 return j;
434 }
435
436
437 static void sort_best_first_bytes(void)
438 {
439 // first, sort based on probability for correct guess
440 for (uint16_t i = 0; i < 256; i++ ) {
441 uint16_t j = 0;
442 float prob1 = nonces[i].Sum8_prob;
443 float prob2 = nonces[best_first_bytes[0]].Sum8_prob;
444 while (prob1 < prob2 && j < MAX_BEST_BYTES-1) {
445 prob2 = nonces[best_first_bytes[++j]].Sum8_prob;
446 }
447 if (prob1 >= prob2) {
448 for (uint16_t k = MAX_BEST_BYTES-1; k > j; k--) {
449 best_first_bytes[k] = best_first_bytes[k-1];
450 }
451 best_first_bytes[j] = i;
452 }
453 }
454
455 // determine, how many are above the CONFIDENCE_THRESHOLD
456 uint16_t num_good_nonces = 0;
457 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
458 if (nonces[best_first_bytes[i]].Sum8_prob > CONFIDENCE_THRESHOLD) {
459 ++num_good_nonces;
460 }
461 }
462
463 uint16_t best_first_byte = 0;
464
465 // select the best possible first byte based on number of common bits with all {b'}
466 // uint16_t max_common_bits = 0;
467 // for (uint16_t i = 0; i < num_good_nonces; i++) {
468 // uint16_t sum_common_bits = 0;
469 // for (uint16_t j = 0; j < num_good_nonces; j++) {
470 // if (i != j) {
471 // sum_common_bits += common_bits(best_first_bytes[i],best_first_bytes[j]);
472 // }
473 // }
474 // if (sum_common_bits > max_common_bits) {
475 // max_common_bits = sum_common_bits;
476 // best_first_byte = i;
477 // }
478 // }
479
480 // select best possible first byte {b} based on least likely sum/bitflip property
481 float min_p_K = 1.0;
482 for (uint16_t i = 0; i < num_good_nonces; i++ ) {
483 uint16_t sum8 = nonces[best_first_bytes[i]].Sum8_guess;
484 float bitflip_prob = 1.0;
485 if (nonces[best_first_bytes[i]].BitFlip[ODD_STATE] || nonces[best_first_bytes[i]].BitFlip[EVEN_STATE]) {
486 bitflip_prob = 0.09375;
487 }
488 if (p_K[sum8] * bitflip_prob <= min_p_K) {
489 min_p_K = p_K[sum8] * bitflip_prob;
490 best_first_byte = i;
491 }
492 }
493
494 // use number of commmon bits as a tie breaker
495 uint16_t max_common_bits = 0;
496 for (uint16_t i = 0; i < num_good_nonces; i++) {
497 float bitflip_prob = 1.0;
498 if (nonces[best_first_bytes[i]].BitFlip[ODD_STATE] || nonces[best_first_bytes[i]].BitFlip[EVEN_STATE]) {
499 bitflip_prob = 0.09375;
500 }
501 if (p_K[nonces[best_first_bytes[i]].Sum8_guess] * bitflip_prob == min_p_K) {
502 uint16_t sum_common_bits = 0;
503 for (uint16_t j = 0; j < num_good_nonces; j++) {
504 sum_common_bits += common_bits(best_first_bytes[i],best_first_bytes[j]);
505 }
506 if (sum_common_bits > max_common_bits) {
507 max_common_bits = sum_common_bits;
508 best_first_byte = i;
509 }
510 }
511 }
512
513 // swap best possible first bytes to the pole position
514 uint16_t temp = best_first_bytes[0];
515 best_first_bytes[0] = best_first_bytes[best_first_byte];
516 best_first_bytes[best_first_byte] = temp;
517
518 }
519
520
521 static uint16_t estimate_second_byte_sum(void)
522 {
523 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
524 best_first_bytes[i] = 0;
525 }
526
527 for (uint16_t first_byte = 0; first_byte < 256; first_byte++) {
528 float Sum8_prob = 0.0;
529 uint16_t Sum8 = 0;
530 if (nonces[first_byte].updated) {
531 for (uint16_t sum = 0; sum <= 256; sum++) {
532 float prob = sum_probability(sum, nonces[first_byte].num, nonces[first_byte].Sum);
533 if (prob > Sum8_prob) {
534 Sum8_prob = prob;
535 Sum8 = sum;
536 }
537 }
538 nonces[first_byte].Sum8_guess = Sum8;
539 nonces[first_byte].Sum8_prob = Sum8_prob;
540 nonces[first_byte].updated = false;
541 }
542 }
543
544 sort_best_first_bytes();
545
546 uint16_t num_good_nonces = 0;
547 for (uint16_t i = 0; i < MAX_BEST_BYTES; i++) {
548 if (nonces[best_first_bytes[i]].Sum8_prob > CONFIDENCE_THRESHOLD) {
549 ++num_good_nonces;
550 }
551 }
552
553 return num_good_nonces;
554 }
555
556
557 static int read_nonce_file(void)
558 {
559 FILE *fnonces = NULL;
560 uint8_t trgBlockNo;
561 uint8_t trgKeyType;
562 uint8_t read_buf[9];
563 uint32_t nt_enc1, nt_enc2;
564 uint8_t par_enc;
565 int total_num_nonces = 0;
566
567 if ((fnonces = fopen("nonces.bin","rb")) == NULL) {
568 PrintAndLog("Could not open file nonces.bin");
569 return 1;
570 }
571
572 PrintAndLog("Reading nonces from file nonces.bin...");
573 if (fread(read_buf, 1, 6, fnonces) == 0) {
574 PrintAndLog("File reading error.");
575 fclose(fnonces);
576 return 1;
577 }
578 cuid = bytes_to_num(read_buf, 4);
579 trgBlockNo = bytes_to_num(read_buf+4, 1);
580 trgKeyType = bytes_to_num(read_buf+5, 1);
581
582 while (fread(read_buf, 1, 9, fnonces) == 9) {
583 nt_enc1 = bytes_to_num(read_buf, 4);
584 nt_enc2 = bytes_to_num(read_buf+4, 4);
585 par_enc = bytes_to_num(read_buf+8, 1);
586 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
587 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
588 add_nonce(nt_enc1, par_enc >> 4);
589 add_nonce(nt_enc2, par_enc & 0x0f);
590 total_num_nonces += 2;
591 }
592 fclose(fnonces);
593 PrintAndLog("Read %d nonces from file. cuid=%08x, Block=%d, Keytype=%c", total_num_nonces, cuid, trgBlockNo, trgKeyType==0?'A':'B');
594
595 return 0;
596 }
597
598
599 static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, bool nonce_file_write, bool slow)
600 {
601 clock_t time1 = clock();
602 bool initialize = true;
603 bool field_off = false;
604 bool finished = false;
605 uint32_t flags = 0;
606 uint8_t write_buf[9];
607 uint32_t total_num_nonces = 0;
608 uint32_t next_fivehundred = 500;
609 uint32_t total_added_nonces = 0;
610 FILE *fnonces = NULL;
611 UsbCommand resp;
612
613 printf("Acquiring nonces...\n");
614
615 clearCommandBuffer();
616
617 do {
618 flags = 0;
619 flags |= initialize ? 0x0001 : 0;
620 flags |= slow ? 0x0002 : 0;
621 flags |= field_off ? 0x0004 : 0;
622 UsbCommand c = {CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, flags}};
623 memcpy(c.d.asBytes, key, 6);
624
625 SendCommand(&c);
626
627 if (field_off) finished = true;
628
629 if (initialize) {
630 if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) return 1;
631 if (resp.arg[0]) return resp.arg[0]; // error during nested_hard
632
633 cuid = resp.arg[1];
634 // PrintAndLog("Acquiring nonces for CUID 0x%08x", cuid);
635 if (nonce_file_write && fnonces == NULL) {
636 if ((fnonces = fopen("nonces.bin","wb")) == NULL) {
637 PrintAndLog("Could not create file nonces.bin");
638 return 3;
639 }
640 PrintAndLog("Writing acquired nonces to binary file nonces.bin");
641 num_to_bytes(cuid, 4, write_buf);
642 fwrite(write_buf, 1, 4, fnonces);
643 fwrite(&trgBlockNo, 1, 1, fnonces);
644 fwrite(&trgKeyType, 1, 1, fnonces);
645 }
646 }
647
648 if (!initialize) {
649 uint32_t nt_enc1, nt_enc2;
650 uint8_t par_enc;
651 uint16_t num_acquired_nonces = resp.arg[2];
652 uint8_t *bufp = resp.d.asBytes;
653 for (uint16_t i = 0; i < num_acquired_nonces; i+=2) {
654 nt_enc1 = bytes_to_num(bufp, 4);
655 nt_enc2 = bytes_to_num(bufp+4, 4);
656 par_enc = bytes_to_num(bufp+8, 1);
657
658 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
659 total_added_nonces += add_nonce(nt_enc1, par_enc >> 4);
660 //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
661 total_added_nonces += add_nonce(nt_enc2, par_enc & 0x0f);
662
663
664 if (nonce_file_write) {
665 fwrite(bufp, 1, 9, fnonces);
666 }
667
668 bufp += 9;
669 }
670
671 total_num_nonces += num_acquired_nonces;
672 }
673
674 if (first_byte_num == 256 ) {
675 // printf("first_byte_num = %d, first_byte_Sum = %d\n", first_byte_num, first_byte_Sum);
676 num_good_first_bytes = estimate_second_byte_sum();
677 if (total_num_nonces > next_fivehundred) {
678 next_fivehundred = (total_num_nonces/500+1) * 500;
679 printf("Acquired %5d nonces (%5d with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > %1.1f%%: %d\n",
680 total_num_nonces,
681 total_added_nonces,
682 CONFIDENCE_THRESHOLD * 100.0,
683 num_good_first_bytes);
684 }
685 if (num_good_first_bytes >= GOOD_BYTES_REQUIRED) {
686 field_off = true; // switch off field with next SendCommand and then finish
687 }
688 }
689
690 if (!initialize) {
691 if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) return 1;
692 if (resp.arg[0]) return resp.arg[0]; // error during nested_hard
693 }
694
695 initialize = false;
696
697 } while (!finished);
698
699
700 if (nonce_file_write) {
701 fclose(fnonces);
702 }
703
704 PrintAndLog("Acquired a total of %d nonces in %1.1f seconds (%0.0f nonces/minute)",
705 total_num_nonces,
706 ((float)clock()-time1)/CLOCKS_PER_SEC,
707 total_num_nonces*60.0*CLOCKS_PER_SEC/((float)clock()-time1));
708
709 return 0;
710 }
711
712
713 static int init_partial_statelists(void)
714 {
715 const uint32_t sizes_odd[17] = { 126757, 0, 18387, 0, 74241, 0, 181737, 0, 248801, 0, 182033, 0, 73421, 0, 17607, 0, 125601 };
716 const uint32_t sizes_even[17] = { 125723, 0, 17867, 0, 74305, 0, 178707, 0, 248801, 0, 185063, 0, 73356, 0, 18127, 0, 126634 };
717
718 printf("Allocating memory for partial statelists...\n");
719 for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
720 for (uint16_t i = 0; i <= 16; i+=2) {
721 partial_statelist[i].len[odd_even] = 0;
722 uint32_t num_of_states = odd_even == ODD_STATE ? sizes_odd[i] : sizes_even[i];
723 partial_statelist[i].states[odd_even] = malloc(sizeof(uint32_t) * num_of_states);
724 if (partial_statelist[i].states[odd_even] == NULL) {
725 PrintAndLog("Cannot allocate enough memory. Aborting");
726 return 4;
727 }
728 for (uint32_t j = 0; j < STATELIST_INDEX_SIZE; j++) {
729 partial_statelist[i].index[odd_even][j] = NULL;
730 }
731 }
732 }
733
734 printf("Generating partial statelists...\n");
735 for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
736 uint32_t index = -1;
737 uint32_t num_of_states = 1<<20;
738 for (uint32_t state = 0; state < num_of_states; state++) {
739 uint16_t sum_property = PartialSumProperty(state, odd_even);
740 uint32_t *p = partial_statelist[sum_property].states[odd_even];
741 p += partial_statelist[sum_property].len[odd_even];
742 *p = state;
743 partial_statelist[sum_property].len[odd_even]++;
744 uint32_t index_mask = (STATELIST_INDEX_SIZE-1) << (20-STATELIST_INDEX_WIDTH);
745 if ((state & index_mask) != index) {
746 index = state & index_mask;
747 }
748 if (partial_statelist[sum_property].index[odd_even][index >> (20-STATELIST_INDEX_WIDTH)] == NULL) {
749 partial_statelist[sum_property].index[odd_even][index >> (20-STATELIST_INDEX_WIDTH)] = p;
750 }
751 }
752 // add End Of List markers
753 for (uint16_t i = 0; i <= 16; i += 2) {
754 uint32_t *p = partial_statelist[i].states[odd_even];
755 p += partial_statelist[i].len[odd_even];
756 *p = 0xffffffff;
757 }
758 }
759
760 return 0;
761 }
762
763
764 static void init_BitFlip_statelist(void)
765 {
766 printf("Generating bitflip statelist...\n");
767 uint32_t *p = statelist_bitflip.states[0] = malloc(sizeof(uint32_t) * 1<<20);
768 uint32_t index = -1;
769 uint32_t index_mask = (STATELIST_INDEX_SIZE-1) << (20-STATELIST_INDEX_WIDTH);
770 for (uint32_t state = 0; state < (1 << 20); state++) {
771 if (filter(state) != filter(state^1)) {
772 if ((state & index_mask) != index) {
773 index = state & index_mask;
774 }
775 if (statelist_bitflip.index[0][index >> (20-STATELIST_INDEX_WIDTH)] == NULL) {
776 statelist_bitflip.index[0][index >> (20-STATELIST_INDEX_WIDTH)] = p;
777 }
778 *p++ = state;
779 }
780 }
781 // set len and add End Of List marker
782 statelist_bitflip.len[0] = p - statelist_bitflip.states[0];
783 *p = 0xffffffff;
784 statelist_bitflip.states[0] = realloc(statelist_bitflip.states[0], sizeof(uint32_t) * (statelist_bitflip.len[0] + 1));
785 }
786
787
788 static void add_state(statelist_t *sl, uint32_t state, odd_even_t odd_even)
789 {
790 uint32_t *p;
791
792 p = sl->states[odd_even];
793 p += sl->len[odd_even];
794 *p = state;
795 sl->len[odd_even]++;
796 }
797
798
799 static uint32_t *find_first_state(uint32_t state, uint32_t mask, partial_indexed_statelist_t *sl, odd_even_t odd_even)
800 {
801 uint32_t *p = sl->index[odd_even][(state & mask) >> (20-STATELIST_INDEX_WIDTH)]; // first Bits as index
802
803 if (p == NULL) return NULL;
804 while ((*p & mask) < (state & mask)) p++;
805 if (*p == 0xffffffff) return NULL; // reached end of list, no match
806 if ((*p & mask) == (state & mask)) return p; // found a match.
807 return NULL; // no match
808 }
809
810
811 static bool remaining_bits_match(uint8_t num_common_bits, uint8_t byte1, uint8_t byte2, uint32_t state1, uint32_t state2, odd_even_t odd_even)
812 {
813 uint8_t j = num_common_bits;
814 if (odd_even == ODD_STATE) {
815 j |= 0x01; // consider the next odd bit
816 } else {
817 j = (j+1) & 0xfe; // consider the next even bit
818 }
819
820 while (j <= 7) {
821 if (j != num_common_bits) { // this is not the first differing bit, we need first to check if the invariant still holds
822 uint32_t bit_diff = ((byte1 ^ byte2) << (17-j)) & 0x00010000; // difference of (j-1)th bit -> bit 16
823 uint32_t filter_diff = filter(state1 >> (4-j/2)) ^ filter(state2 >> (4-j/2)); // difference in filter function -> bit 0
824 uint32_t mask_y12_y13 = 0x000000c0 >> (j/2);
825 uint32_t state_diff = (state1 ^ state2) & mask_y12_y13; // difference in state bits 12 and 13 -> bits 6/7 ... 3/4
826 uint32_t all_diff = parity(bit_diff | state_diff | filter_diff); // use parity function to XOR all 4 bits
827 if (all_diff) { // invariant doesn't hold any more. Accept this state.
828 // if ((odd_even == ODD_STATE && state1 == test_state_odd)
829 // || (odd_even == EVEN_STATE && state1 == test_state_even)) {
830 // printf("remaining_bits_match(): %s test state: Invariant doesn't hold. Bytes = %02x, %02x, Common Bits=%d, Testing Bit %d, State1=0x%08x, State2=0x%08x\n",
831 // odd_even==ODD_STATE?"odd":"even", byte1, byte2, num_common_bits, j, state1, state2);
832 // }
833 return true;
834 }
835 }
836 // check for validity of state candidate
837 uint32_t bit_diff = ((byte1 ^ byte2) << (16-j)) & 0x00010000; // difference of jth bit -> bit 16
838 uint32_t mask_y13_y16 = 0x00000048 >> (j/2);
839 uint32_t state_diff = (state1 ^ state2) & mask_y13_y16; // difference in state bits 13 and 16 -> bits 3/6 ... 0/3
840 uint32_t all_diff = parity(bit_diff | state_diff); // use parity function to XOR all 3 bits
841 if (all_diff) { // not a valid state
842 // if ((odd_even == ODD_STATE && state1 == test_state_odd)
843 // || (odd_even == EVEN_STATE && state1 == test_state_even)) {
844 // printf("remaining_bits_match(): %s test state: Invalid state. Bytes = %02x, %02x, Common Bits=%d, Testing Bit %d, State1=0x%08x, State2=0x%08x\n",
845 // odd_even==ODD_STATE?"odd":"even", byte1, byte2, num_common_bits, j, state1, state2);
846 // printf(" byte1^byte2: 0x%02x, bit_diff: 0x%08x, state_diff: 0x%08x, all_diff: 0x%08x\n",
847 // byte1^byte2, bit_diff, state_diff, all_diff);
848 // }
849 return false;
850 }
851 // continue checking for the next bit
852 j += 2;
853 }
854
855 return true; // valid state
856 }
857
858
859 static bool all_other_first_bytes_match(uint32_t state, odd_even_t odd_even)
860 {
861 for (uint16_t i = 1; i < num_good_first_bytes; i++) {
862 uint16_t sum_a8 = nonces[best_first_bytes[i]].Sum8_guess;
863 uint8_t j = 0; // number of common bits
864 uint8_t common_bits = best_first_bytes[0] ^ best_first_bytes[i];
865 uint32_t mask = 0xfffffff0;
866 if (odd_even == ODD_STATE) {
867 while ((common_bits & 0x01) == 0 && j < 8) {
868 j++;
869 common_bits >>= 1;
870 if (j % 2 == 0) { // the odd bits
871 mask >>= 1;
872 }
873 }
874 } else {
875 while ((common_bits & 0x01) == 0 && j < 8) {
876 j++;
877 common_bits >>= 1;
878 if (j % 2 == 1) { // the even bits
879 mask >>= 1;
880 }
881 }
882 }
883 mask &= 0x000fffff;
884 //printf("bytes 0x%02x and 0x%02x: %d common bits, mask = 0x%08x, state = 0x%08x, sum_a8 = %d", best_first_bytes[0], best_first_bytes[i], j, mask, state, sum_a8);
885 bool found_match = false;
886 for (uint16_t r = 0; r <= 16 && !found_match; r += 2) {
887 for (uint16_t s = 0; s <= 16 && !found_match; s += 2) {
888 if (r*(16-s) + (16-r)*s == sum_a8) {
889 //printf("Checking byte 0x%02x for partial sum (%s) %d\n", best_first_bytes[i], odd_even==ODD_STATE?"odd":"even", odd_even==ODD_STATE?r:s);
890 uint16_t part_sum_a8 = (odd_even == ODD_STATE) ? r : s;
891 uint32_t *p = find_first_state(state, mask, &partial_statelist[part_sum_a8], odd_even);
892 if (p != NULL) {
893 while ((state & mask) == (*p & mask) && (*p != 0xffffffff)) {
894 if (remaining_bits_match(j, best_first_bytes[0], best_first_bytes[i], state, (state&0x00fffff0) | *p, odd_even)) {
895 found_match = true;
896 // if ((odd_even == ODD_STATE && state == test_state_odd)
897 // || (odd_even == EVEN_STATE && state == test_state_even)) {
898 // printf("all_other_first_bytes_match(): %s test state: remaining bits matched. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
899 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
900 // }
901 break;
902 } else {
903 // if ((odd_even == ODD_STATE && state == test_state_odd)
904 // || (odd_even == EVEN_STATE && state == test_state_even)) {
905 // printf("all_other_first_bytes_match(): %s test state: remaining bits didn't match. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
906 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
907 // }
908 }
909 p++;
910 }
911 } else {
912 // if ((odd_even == ODD_STATE && state == test_state_odd)
913 // || (odd_even == EVEN_STATE && state == test_state_even)) {
914 // printf("all_other_first_bytes_match(): %s test state: couldn't find a matching state. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
915 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
916 // }
917 }
918 }
919 }
920 }
921
922 if (!found_match) {
923 // if ((odd_even == ODD_STATE && state == test_state_odd)
924 // || (odd_even == EVEN_STATE && state == test_state_even)) {
925 // printf("all_other_first_bytes_match(): %s test state: Eliminated. Bytes = %02x, %02x, Common Bits = %d\n", odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j);
926 // }
927 return false;
928 }
929 }
930
931 return true;
932 }
933
934
935 static bool all_bit_flips_match(uint32_t state, odd_even_t odd_even)
936 {
937 for (uint16_t i = 0; i < 256; i++) {
938 if (nonces[i].BitFlip[odd_even] && i != best_first_bytes[0]) {
939 uint8_t j = 0; // number of common bits
940 uint8_t common_bits = best_first_bytes[0] ^ i;
941 uint32_t mask = 0xfffffff0;
942 if (odd_even == ODD_STATE) {
943 while ((common_bits & 0x01) == 0 && j < 8) {
944 j++;
945 common_bits >>= 1;
946 if (j % 2 == 0) { // the odd bits
947 mask >>= 1;
948 }
949 }
950 } else {
951 while ((common_bits & 0x01) == 0 && j < 8) {
952 j++;
953 common_bits >>= 1;
954 if (j % 2 == 1) { // the even bits
955 mask >>= 1;
956 }
957 }
958 }
959 mask &= 0x000fffff;
960 //printf("bytes 0x%02x and 0x%02x: %d common bits, mask = 0x%08x, state = 0x%08x, sum_a8 = %d", best_first_bytes[0], best_first_bytes[i], j, mask, state, sum_a8);
961 bool found_match = false;
962 uint32_t *p = find_first_state(state, mask, &statelist_bitflip, 0);
963 if (p != NULL) {
964 while ((state & mask) == (*p & mask) && (*p != 0xffffffff)) {
965 if (remaining_bits_match(j, best_first_bytes[0], i, state, (state&0x00fffff0) | *p, odd_even)) {
966 found_match = true;
967 // if ((odd_even == ODD_STATE && state == test_state_odd)
968 // || (odd_even == EVEN_STATE && state == test_state_even)) {
969 // printf("all_other_first_bytes_match(): %s test state: remaining bits matched. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
970 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
971 // }
972 break;
973 } else {
974 // if ((odd_even == ODD_STATE && state == test_state_odd)
975 // || (odd_even == EVEN_STATE && state == test_state_even)) {
976 // printf("all_other_first_bytes_match(): %s test state: remaining bits didn't match. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
977 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
978 // }
979 }
980 p++;
981 }
982 } else {
983 // if ((odd_even == ODD_STATE && state == test_state_odd)
984 // || (odd_even == EVEN_STATE && state == test_state_even)) {
985 // printf("all_other_first_bytes_match(): %s test state: couldn't find a matching state. Bytes = %02x, %02x, Common Bits=%d, mask=0x%08x, PartSum(a8)=%d\n",
986 // odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j, mask, part_sum_a8);
987 // }
988 }
989 if (!found_match) {
990 // if ((odd_even == ODD_STATE && state == test_state_odd)
991 // || (odd_even == EVEN_STATE && state == test_state_even)) {
992 // printf("all_other_first_bytes_match(): %s test state: Eliminated. Bytes = %02x, %02x, Common Bits = %d\n", odd_even==ODD_STATE?"odd":"even", best_first_bytes[0], best_first_bytes[i], j);
993 // }
994 return false;
995 }
996 }
997
998 }
999
1000 return true;
1001 }
1002
1003
1004 #define INVALID_BIT (1<<30)
1005 #define SET_INVALID(pstate) (*(pstate) |= INVALID_BIT)
1006 #define IS_INVALID(state) (state & INVALID_BIT)
1007
1008 static int add_matching_states(statelist_t *candidates, uint16_t part_sum_a0, uint16_t part_sum_a8, odd_even_t odd_even)
1009 {
1010 uint32_t worstcase_size = 1<<20;
1011
1012 candidates->states[odd_even] = (uint32_t *)malloc(sizeof(uint32_t) * worstcase_size);
1013 if (candidates->states[odd_even] == NULL) {
1014 PrintAndLog("Out of memory error.\n");
1015 return 4;
1016 }
1017 for (uint32_t *p1 = partial_statelist[part_sum_a0].states[odd_even]; *p1 != 0xffffffff; p1++) {
1018 uint32_t search_mask = 0x000ffff0;
1019 uint32_t *p2 = find_first_state((*p1 << 4), search_mask, &partial_statelist[part_sum_a8], odd_even);
1020 if (p2 != NULL) {
1021 while (((*p1 << 4) & search_mask) == (*p2 & search_mask) && *p2 != 0xffffffff) {
1022 if (all_other_first_bytes_match((*p1 << 4) | *p2, odd_even)) {
1023 if (all_bit_flips_match((*p1 << 4) | *p2, odd_even)) {
1024 add_state(candidates, (*p1 << 4) | *p2, odd_even);
1025 }
1026 }
1027 p2++;
1028 }
1029 }
1030 }
1031
1032 // set end of list marker
1033 uint32_t *p = candidates->states[odd_even];
1034 p += candidates->len[odd_even];
1035 *p = 0xffffffff;
1036
1037 candidates->states[odd_even] = realloc(candidates->states[odd_even], sizeof(uint32_t) * (candidates->len[odd_even] + 1));
1038
1039 return 0;
1040 }
1041
1042
1043 static statelist_t *add_more_candidates(statelist_t *current_candidates)
1044 {
1045 statelist_t *new_candidates = NULL;
1046 if (current_candidates == NULL) {
1047 if (candidates == NULL) {
1048 candidates = (statelist_t *)malloc(sizeof(statelist_t));
1049 }
1050 new_candidates = candidates;
1051 } else {
1052 new_candidates = current_candidates->next = (statelist_t *)malloc(sizeof(statelist_t));
1053 }
1054 new_candidates->next = NULL;
1055 new_candidates->len[ODD_STATE] = 0;
1056 new_candidates->len[EVEN_STATE] = 0;
1057 new_candidates->states[ODD_STATE] = NULL;
1058 new_candidates->states[EVEN_STATE] = NULL;
1059 return new_candidates;
1060 }
1061
1062
1063 static void TestIfKeyExists(uint64_t key)
1064 {
1065 struct Crypto1State *pcs;
1066 pcs = crypto1_create(key);
1067 crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
1068
1069 uint32_t state_odd = pcs->odd & 0x00ffffff;
1070 uint32_t state_even = pcs->even & 0x00ffffff;
1071 //printf("Tests: searching for key %llx after first byte 0x%02x (state_odd = 0x%06x, state_even = 0x%06x) ...\n", key, best_first_bytes[0], state_odd, state_even);
1072
1073 uint64_t count = 0;
1074 for (statelist_t *p = candidates; p != NULL; p = p->next) {
1075 bool found_odd = false;
1076 bool found_even = false;
1077 uint32_t *p_odd = p->states[ODD_STATE];
1078 uint32_t *p_even = p->states[EVEN_STATE];
1079 while (*p_odd != 0xffffffff) {
1080 if ((*p_odd & 0x00ffffff) == state_odd) {
1081 found_odd = true;
1082 break;
1083 }
1084 p_odd++;
1085 }
1086 while (*p_even != 0xffffffff) {
1087 if ((*p_even & 0x00ffffff) == state_even) {
1088 found_even = true;
1089 }
1090 p_even++;
1091 }
1092 count += (p_odd - p->states[ODD_STATE]) * (p_even - p->states[EVEN_STATE]);
1093 if (found_odd && found_even) {
1094 PrintAndLog("Key Found after testing %lld (2^%1.1f) out of %lld (2^%1.1f) keys. A brute force would have taken approx %lld minutes.",
1095 count, log(count)/log(2),
1096 maximum_states, log(maximum_states)/log(2),
1097 (count>>22)/60);
1098 crypto1_destroy(pcs);
1099 return;
1100 }
1101 }
1102
1103 printf("Key NOT found!\n");
1104 crypto1_destroy(pcs);
1105 }
1106
1107
1108 static void generate_candidates(uint16_t sum_a0, uint16_t sum_a8)
1109 {
1110 printf("Generating crypto1 state candidates... \n");
1111
1112 statelist_t *current_candidates = NULL;
1113 // estimate maximum candidate states
1114 maximum_states = 0;
1115 for (uint16_t sum_odd = 0; sum_odd <= 16; sum_odd += 2) {
1116 for (uint16_t sum_even = 0; sum_even <= 16; sum_even += 2) {
1117 if (sum_odd*(16-sum_even) + (16-sum_odd)*sum_even == sum_a0) {
1118 maximum_states += (uint64_t)partial_statelist[sum_odd].len[ODD_STATE] * partial_statelist[sum_even].len[EVEN_STATE] * (1<<8);
1119 }
1120 }
1121 }
1122 printf("Number of possible keys with Sum(a0) = %d: %lld (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2.0));
1123
1124 for (uint16_t p = 0; p <= 16; p += 2) {
1125 for (uint16_t q = 0; q <= 16; q += 2) {
1126 if (p*(16-q) + (16-p)*q == sum_a0) {
1127 printf("Reducing Partial Statelists (p,q) = (%d,%d) with lengths %d, %d\n",
1128 p, q, partial_statelist[p].len[ODD_STATE], partial_statelist[q].len[EVEN_STATE]);
1129 for (uint16_t r = 0; r <= 16; r += 2) {
1130 for (uint16_t s = 0; s <= 16; s += 2) {
1131 if (r*(16-s) + (16-r)*s == sum_a8) {
1132 current_candidates = add_more_candidates(current_candidates);
1133 add_matching_states(current_candidates, p, r, ODD_STATE);
1134 printf("Odd state candidates: %d (2^%0.1f)\n", current_candidates->len[ODD_STATE], log(current_candidates->len[ODD_STATE])/log(2));
1135 add_matching_states(current_candidates, q, s, EVEN_STATE);
1136 printf("Even state candidates: %d (2^%0.1f)\n", current_candidates->len[EVEN_STATE], log(current_candidates->len[EVEN_STATE])/log(2));
1137 }
1138 }
1139 }
1140 }
1141 }
1142 }
1143
1144
1145 maximum_states = 0;
1146 for (statelist_t *sl = candidates; sl != NULL; sl = sl->next) {
1147 maximum_states += (uint64_t)sl->len[ODD_STATE] * sl->len[EVEN_STATE];
1148 }
1149 printf("Number of remaining possible keys: %lld (2^%1.1f)\n", maximum_states, log(maximum_states)/log(2.0));
1150
1151 }
1152
1153
1154 static void Check_for_FilterFlipProperties(void)
1155 {
1156 printf("Checking for Filter Flip Properties...\n");
1157
1158 for (uint16_t i = 0; i < 256; i++) {
1159 nonces[i].BitFlip[ODD_STATE] = false;
1160 nonces[i].BitFlip[EVEN_STATE] = false;
1161 }
1162
1163 for (uint16_t i = 0; i < 256; i++) {
1164 uint8_t parity1 = (nonces[i].first->par_enc) >> 3; // parity of first byte
1165 uint8_t parity2_odd = (nonces[i^0x80].first->par_enc) >> 3; // XOR 0x80 = last bit flipped
1166 uint8_t parity2_even = (nonces[i^0x40].first->par_enc) >> 3; // XOR 0x40 = second last bit flipped
1167
1168 if (parity1 == parity2_odd) { // has Bit Flip Property for odd bits
1169 nonces[i].BitFlip[ODD_STATE] = true;
1170 } else if (parity1 == parity2_even) { // has Bit Flip Property for even bits
1171 nonces[i].BitFlip[EVEN_STATE] = true;
1172 }
1173 }
1174 }
1175
1176
1177 static void brute_force(void)
1178 {
1179 if (known_target_key != -1) {
1180 PrintAndLog("Looking for known target key in remaining key space...");
1181 TestIfKeyExists(known_target_key);
1182 return;
1183 } else {
1184 PrintAndLog("Brute Force phase is not implemented.");
1185 return;
1186 }
1187
1188
1189 }
1190
1191
1192 int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t *trgkey, bool nonce_file_read, bool nonce_file_write, bool slow)
1193 {
1194 if (trgkey != NULL) {
1195 known_target_key = bytes_to_num(trgkey, 6);
1196 } else {
1197 known_target_key = -1;
1198 }
1199
1200 // initialize the list of nonces
1201 for (uint16_t i = 0; i < 256; i++) {
1202 nonces[i].num = 0;
1203 nonces[i].Sum = 0;
1204 nonces[i].Sum8_guess = 0;
1205 nonces[i].Sum8_prob = 0.0;
1206 nonces[i].updated = true;
1207 nonces[i].first = NULL;
1208 }
1209 first_byte_num = 0;
1210 first_byte_Sum = 0;
1211 num_good_first_bytes = 0;
1212
1213 init_partial_statelists();
1214 init_BitFlip_statelist();
1215
1216 if (nonce_file_read) { // use pre-acquired data from file nonces.bin
1217 if (read_nonce_file() != 0) {
1218 return 3;
1219 }
1220 num_good_first_bytes = MIN(estimate_second_byte_sum(), GOOD_BYTES_REQUIRED);
1221 } else { // acquire nonces.
1222 uint16_t is_OK = acquire_nonces(blockNo, keyType, key, trgBlockNo, trgKeyType, nonce_file_write, slow);
1223 if (is_OK != 0) {
1224 return is_OK;
1225 }
1226 }
1227
1228 Check_for_FilterFlipProperties();
1229
1230 Tests();
1231
1232 PrintAndLog("");
1233 PrintAndLog("Sum(a0) = %d", first_byte_Sum);
1234 // PrintAndLog("Best 10 first bytes: %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x",
1235 // best_first_bytes[0],
1236 // best_first_bytes[1],
1237 // best_first_bytes[2],
1238 // best_first_bytes[3],
1239 // best_first_bytes[4],
1240 // best_first_bytes[5],
1241 // best_first_bytes[6],
1242 // best_first_bytes[7],
1243 // best_first_bytes[8],
1244 // best_first_bytes[9] );
1245 PrintAndLog("Number of first bytes with confidence > %2.1f%%: %d", CONFIDENCE_THRESHOLD*100.0, num_good_first_bytes);
1246
1247 generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].Sum8_guess);
1248
1249 brute_force();
1250
1251 return 0;
1252 }
1253
1254
Proxmark3 GIT tracking
Impressum, Datenschutz