From: henryk@ploetzli.ch Date: Mon, 31 Aug 2009 00:47:12 +0000 (+0000) Subject: Add forgotten file X-Git-Tag: v1.0.0~499 X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/3742d905632dbce9792f70b110e7ba5605bf312f?ds=sidebyside Add forgotten file --- diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c new file mode 100644 index 00000000..26ab1066 --- /dev/null +++ b/armsrc/hitag2.c @@ -0,0 +1,337 @@ +/* + * Hitag2 emulation + * + * Contains state and functions for an emulated Hitag2 tag. Offers an entry + * point to handle commands, needs a callback to send response. + * + * (c) 2009 Henryk Plötz + */ + +#include +#include + +#include "apps.h" +#include "hitag2.h" + +struct hitag2_cipher_state { + uint64_t state; +}; + +struct hitag2_tag { + uint32_t uid; + enum { + TAG_STATE_RESET, // Just powered up, awaiting GetSnr + TAG_STATE_ACTIVATING, // In activation phase (password mode), sent UID, awaiting reader password + TAG_STATE_AUTHENTICATING, // In activation phase (crypto mode), awaiting reader authentication + TAG_STATE_ACTIVATED, // Activation complete, awaiting read/write commands + TAG_STATE_WRITING, // In write command, awaiting sector contents to be written + } state; + unsigned int active_sector; + char crypto_active; + struct hitag2_cipher_state cs; + char sectors[8][4]; +}; + +static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *challenge); +static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator); +static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits); + +static struct hitag2_tag tag; +static const struct hitag2_tag resetdata = { + .state = TAG_STATE_RESET, + .sectors = { // Password mode: | Crypto mode: + [0] = { 0x35, 0x33, 0x70, 0x11}, // UID | UID + [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key + [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved + [3] = { 0x0e, 0xaa, 'H', 'T'}, // Configuration, password TAG | Configuration, password TAG + }, +}; + +int hitag2_reset(void) +{ + tag.state = TAG_STATE_RESET; + tag.crypto_active = 0; + return 0; +} + +int hitag2_init(void) +{ + memcpy(&tag, &resetdata, sizeof(tag)); + hitag2_reset(); + return 0; +} + +int hitag2_handle_command(const char* data, const int length, hitag2_response_callback_t cb, void *cb_cookie) +{ + (void)data; (void)length; (void)cb; (void)cb_cookie; + int retry = 0, done = 0, result=0; + char temp[10]; + + if(tag.crypto_active && length < sizeof(temp)*8) { + /* Decrypt command */ + memcpy(temp, data, (length+7)/8); + hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8); + data = temp; + } + + +handle_command_retry: + switch(tag.state) { + case TAG_STATE_RESET: + if(length == 5 && data[0] == 0xC0) { + /* Received 11000 from the reader, request for UID, send UID */ + result=cb(tag.sectors[0], sizeof(tag.sectors[0])*8, 208, cb_cookie); + done=1; + if(tag.sectors[3][0] & 0x08) { + tag.state=TAG_STATE_AUTHENTICATING; + } else { + tag.state=TAG_STATE_ACTIVATING; + } + } + break; + case TAG_STATE_ACTIVATING: + if(length == 0x20) { + /* Received RWD password, respond with configuration and our password */ + result=cb(tag.sectors[3], sizeof(tag.sectors[3])*8, 208, cb_cookie); + done=1; + tag.state=TAG_STATE_ACTIVATED; + } + break; + case TAG_STATE_AUTHENTICATING: + if(length == 0x40) { + /* Received initialisation vector || authentication token, fire up cipher, send our password */ + hitag2_cipher_reset(&tag, data); + if(hitag2_cipher_authenticate(&(tag.cs), data+4)) { + char response_enc[4]; + memcpy(response_enc, tag.sectors[3], 4); + hitag2_cipher_transcrypt(&(tag.cs), response_enc, 4, 0); + result=cb(response_enc, 4*8, 208, cb_cookie); + done=1; + tag.crypto_active = 1; + tag.state = TAG_STATE_ACTIVATED; + } else { + /* The reader failed to authenticate, do nothing */ + DbpString("Reader authentication failed"); + } + } + break; + case TAG_STATE_ACTIVATED: + if(length == 10) { + if( ((data[0] & 0xC0) == 0xC0) && ((data[0] & 0x06) == 0) ) { + /* Read command: 11xx x00y yy with yyy == ~xxx, xxx is sector number */ + unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07); + if(sector == ( (data[0]>>3)&0x07 ) ) { + memcpy(temp, tag.sectors[sector], 4); + if(tag.crypto_active) { + hitag2_cipher_transcrypt(&(tag.cs), temp, 4, 0); + } + /* Respond with contents of sector sector */ + result = cb(temp, 4*8, 208, cb_cookie); + done=1; + } else { + /* transmission error */ + DbpString("Transmission error (read) in activated state"); + } + } else if( ((data[0] & 0xC0) == 0x80) && ((data[0] & 0x06) == 2) ) { + /* Write command: 10xx x01y yy with yyy == ~xxx, xxx is sector number */ + unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07); + if(sector == ( (data[0]>>3)&0x07 ) ) { + /* Prepare write, acknowledge by repeating command */ + if(tag.crypto_active) { + hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8); + } + result = cb(data, length, 208, cb_cookie); + done=1; + tag.active_sector = sector; + tag.state=TAG_STATE_WRITING; + } else { + /* transmission error */ + DbpString("Transmission error (write) in activated state"); + } + } + + } + case TAG_STATE_WRITING: + if(length == 32) { + /* These are the sector contents to be written. We don't have to do anything else. */ + memcpy(tag.sectors[tag.active_sector], data, length/8); + tag.state=TAG_STATE_ACTIVATED; + done=1; + } + } + + if(!done && !retry) { + /* We didn't respond, maybe our state is faulty. Reset and try again. */ + retry=1; + if(tag.crypto_active) { + /* Restore undeciphered data */ + memcpy(temp, data, (length+7)/8); + } + hitag2_reset(); + goto handle_command_retry; + } + + return result; +} + +/* Following is a modified version of cryptolib.com/ciphers/hitag2/ */ +// Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007. +// For educational purposes only. +// No warranties or guarantees of any kind. +// This code is released into the public domain by its author. + +// Basic macros: + +#define u8 uint8_t +#define u32 uint32_t +#define u64 uint64_t +#define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7)) +#define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8)) +#define rev32(x) (rev16(x)+(rev16(x>>16)<<16)) +#define rev64(x) (rev32(x)+(rev32(x>>32)<<32)) +#define bit(x,n) (((x)>>(n))&1) +#define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1) +#define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31)) +#define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63))) + +// Single bit Hitag2 functions: + +#define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8)) + +static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001 +static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001 +static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011 + +static u32 _f20 (const u64 x) +{ + u32 i5; + + i5 = ((ht2_f4a >> i4 (x, 1, 2, 4, 5)) & 1)* 1 + + ((ht2_f4b >> i4 (x, 7,11,13,14)) & 1)* 2 + + ((ht2_f4b >> i4 (x,16,20,22,25)) & 1)* 4 + + ((ht2_f4b >> i4 (x,27,28,30,32)) & 1)* 8 + + ((ht2_f4a >> i4 (x,33,42,43,45)) & 1)*16; + + return (ht2_f5c >> i5) & 1; +} + +static u64 _hitag2_init (const u64 key, const u32 serial, const u32 IV) +{ + u32 i; + u64 x = ((key & 0xFFFF) << 32) + serial; + + for (i = 0; i < 32; i++) + { + x >>= 1; + x += (u64) (_f20 (x) ^ (((IV >> i) ^ (key >> (i+16))) & 1)) << 47; + } + return x; +} + +static u64 _hitag2_round (u64 *state) +{ + u64 x = *state; + + x = (x >> 1) + + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) + ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22) + ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41) + ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47); + + *state = x; + return _f20 (x); +} + +// Bitslice Hitag2 functions: + +#define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b)) +#define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b))) +#define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c)))) + +#define uf20bs u32 // choose your own type/width + +static uf20bs _f20bs (const uf20bs *x) +{ + return ht2bs_5c ( + ht2bs_4a(x[ 1],x[ 2],x[ 4],x[ 5]), + ht2bs_4b(x[ 7],x[11],x[13],x[14]), + ht2bs_4b(x[16],x[20],x[22],x[25]), + ht2bs_4b(x[27],x[28],x[30],x[32]), + ht2bs_4a(x[33],x[42],x[43],x[45])); +} + +static void _hitag2bs_init (uf20bs *x, const uf20bs *key, const uf20bs *serial, const uf20bs *IV) +{ + u32 i, r; + + for (i = 0; i < 32; i++) x[i] = serial[i]; + for (i = 0; i < 16; i++) x[32+i] = key[i]; + + for (r = 0; r < 32; r++) + { + for (i = 0; i < 47; i++) x[i] = x[i+1]; + x[47] = _f20bs (x) ^ IV[i] ^ key[16+i]; + } +} + +static uf20bs _hitag2bs_round (uf20bs *x) +{ + uf20bs y; + u32 i; + + y = x[ 0] ^ x[ 2] ^ x[ 3] ^ x[ 6] ^ x[ 7] ^ x[ 8] ^ x[16] ^ x[22] + ^ x[23] ^ x[26] ^ x[30] ^ x[41] ^ x[42] ^ x[43] ^ x[46] ^ x[47]; + + for (i = 0; i < 47; i++) x[i] = x[i+1]; + x[47] = y; + + return _f20bs (x); +} + +static u32 _hitag2_byte (u64 * x) +{ + u32 i, c; + + for (i = 0, c = 0; i < 8; i++) c += (u32) _hitag2_round (x) << (i^7); + return c; +} + + +/* Cipher/tag glue code: */ + +static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *iv) +{ + uint64_t key = ((uint64_t)tag->sectors[2][2]) | + ((uint64_t)tag->sectors[2][3] << 8) | + ((uint64_t)tag->sectors[1][0] << 16) | + ((uint64_t)tag->sectors[1][1] << 24) | + ((uint64_t)tag->sectors[1][2] << 32) | + ((uint64_t)tag->sectors[1][3] << 40); + uint32_t uid = ((uint32_t)tag->sectors[0][0]) | + ((uint32_t)tag->sectors[0][1] << 8) | + ((uint32_t)tag->sectors[0][2] << 16) | + ((uint32_t)tag->sectors[0][3] << 24); + uint32_t iv_ = (((uint32_t)(iv[0]))) | + (((uint32_t)(iv[1])) << 8) | + (((uint32_t)(iv[2])) << 16) | + (((uint32_t)(iv[3])) << 24); + tag->cs.state = _hitag2_init(rev64(key), rev32(uid), rev32(iv_)); +} + +static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator_is) +{ + char authenticator_should[4]; + authenticator_should[0] = ~_hitag2_byte(&(cs->state)); + authenticator_should[1] = ~_hitag2_byte(&(cs->state)); + authenticator_should[2] = ~_hitag2_byte(&(cs->state)); + authenticator_should[3] = ~_hitag2_byte(&(cs->state)); + return memcmp(authenticator_should, authenticator_is, 4) == 0; +} + +static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits) +{ + int i; + for(i=0; istate)); + for(i=0; istate)) << (7-i); + return 0; +}