From dd79e03a1ac063d3f0b5c6ec5c07bc67866a00a7 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 9 Jan 2016 17:17:36 +0100 Subject: [PATCH] ADD: a new pwdgen algo Nicknamed C, (Huge props to @Bettse for everything) also added to the "hf mfu info" command. However, that will not work given the system's lockbits.. :( Maybe I'll add a function to test all imp pwdgens given a UID without making a authentication call to tag. ADD: BSWAP_32 macro, for changing endianness. --- armsrc/util.c | 2 +- client/cmdhfmfu.c | 32 +++++++++++++++++++++++++++++++- client/cmdhfmfu.h | 4 +++- client/util.h | 11 ++++++++--- 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/armsrc/util.c b/armsrc/util.c index 3d536f39..4fffb60e 100644 --- a/armsrc/util.c +++ b/armsrc/util.c @@ -74,6 +74,7 @@ void rol(uint8_t *data, const size_t len){ } data[len-1] = first; } + void lsl (uint8_t *data, size_t len) { for (size_t n = 0; n < len - 1; n++) { data[n] = (data[n] << 1) | (data[n+1] >> 7); @@ -421,7 +422,6 @@ void StartCountSspClk() while (AT91C_BASE_TC0->TC_CV < 0xFFF0); } - uint32_t RAMFUNC GetCountSspClk(){ uint32_t tmp_count; tmp_count = (AT91C_BASE_TC2->TC_CV << 16) | AT91C_BASE_TC0->TC_CV; diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 7aa16b89..7567efb8 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -100,6 +100,25 @@ uint32_t ul_ev1_pwdgenB(uint8_t* uid) { return (uint32_t)bytes_to_num(pwd, 4); } +// Certain pwd generation algo nickname C. +uint32_t ul_ev1_pwdgenC(uint8_t* uid){ + uint32_t pwd = 0; + uint8_t base[] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x28, + 0x63, 0x29, 0x20, 0x43, 0x6f, 0x70, 0x79, 0x72, + 0x69, 0x67, 0x68, 0x74, 0x20, 0x4c, 0x45, 0x47, + 0x4f, 0x20, 0x32, 0x30, 0x31, 0x34, 0xaa, 0xaa + }; + + memcpy(base, uid, 7); + + for (int i = 0; i < 32; i += 4) { + uint32_t b = *(uint32_t *)(base + i); + pwd = b + ROTR(pwd, 25) + ROTR(pwd, 10) - pwd; + } + return BSWAP_32(pwd); +} + void ul_ev1_pwdgen_selftest(){ uint8_t uid1[] = {0x04,0x11,0x12,0x11,0x12,0x11,0x10}; @@ -109,6 +128,10 @@ void ul_ev1_pwdgen_selftest(){ uint8_t uid2[] = {0x04,0x1f,0x98,0xea,0x1e,0x3e,0x81}; uint32_t pwd2 = ul_ev1_pwdgenB(uid2); PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid2,7), pwd2, (pwd2 == 0x5fd37eca)?"OK":"->5fd37eca<--"); + + uint8_t uid3[] = {0x04,0x62, 0xB6, 0x8A, 0xB4, 0x42, 0x80}; + uint32_t pwd3 = ul_ev1_pwdgenC(uid3); + PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid3,7), pwd3, (pwd3 == 0x5a349515)?"OK":"->5a349515<--"); return; } @@ -915,6 +938,14 @@ int CmdHF14AMfUInfo(const char *Cmd){ PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]); } if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; + + // test pwd gen C + num_to_bytes( ul_ev1_pwdgenC(card.uid), 4, key); + len = ulev1_requestAuthentication(key, pack, sizeof(pack)); + if (len >= 1) { + PrintAndLog("Found a default password: %s || Pack: %02X %02X",sprint_hex(key, 4), pack[0], pack[1]); + } + if (!ul_auth_select( &card, tagtype, hasAuthKey, authkeyptr, pack, sizeof(pack))) return -1; for (uint8_t i = 0; i < KEYS_PWD_COUNT; ++i ) { key = default_pwd_pack[i]; @@ -1876,7 +1907,6 @@ int CmdHF14AMfucSetUid(const char *Cmd){ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ uint8_t uid[4]; - char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_gendiverse(); diff --git a/client/cmdhfmfu.h b/client/cmdhfmfu.h index 621d5c0b..36240c2e 100644 --- a/client/cmdhfmfu.h +++ b/client/cmdhfmfu.h @@ -32,11 +32,13 @@ int usage_hf_mfu_sim(void); int usage_hf_mfu_ucauth(void); int usage_hf_mfu_ucsetpwd(void); int usage_hf_mfu_ucsetuid(void); -int usage_hf_mfu_gendiverse(void); +int usage_hf_mfu_gendiverse(void); int CmdHFMFUltra(const char *Cmd); uint32_t ul_ev1_pwdgenA(uint8_t* uid); +uint32_t ul_ev1_pwdgenA(uint8_t* uid); +uint32_t ul_ev1_pwdgenC(uint8_t* uid); typedef enum TAGTYPE_UL { UNKNOWN = 0x000000, diff --git a/client/util.h b/client/util.h index 12f15929..39ed51b4 100644 --- a/client/util.h +++ b/client/util.h @@ -26,6 +26,11 @@ #ifndef MAX # define MAX(a, b) (((a) > (b)) ? (a) : (b)) #endif +#ifndef BSWAP_32 +#define BSWAP_32(x) \ + ((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | \ + (((x) & 0x0000ff00) << 8) | (((x) & 0x000000ff) << 24)) +#endif #define TRUE 1 #define FALSE 0 #define EVEN 0 @@ -40,9 +45,9 @@ void AddLogCurrentDT(char *fileName); void FillFileNameByUID(char *fileName, uint8_t * uid, char *ext, int byteCount); void print_hex(const uint8_t * data, const size_t len); -char * sprint_hex(const uint8_t * data, const size_t len); -char * sprint_bin(const uint8_t * data, const size_t len); -char * sprint_bin_break(const uint8_t *data, const size_t len, const uint8_t breaks); +char *sprint_hex(const uint8_t * data, const size_t len); +char *sprint_bin(const uint8_t * data, const size_t len); +char *sprint_bin_break(const uint8_t *data, const size_t len, const uint8_t breaks); char *sprint_hex_ascii(const uint8_t *data, const size_t len); void num_to_bytes(uint64_t n, size_t len, uint8_t* dest); -- 2.39.5