From 01f215a924084083912777ad326b7d7e8a78acee Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 2 Jan 2020 15:29:15 +0100 Subject: [PATCH] Chg: hooked up generator --- client/Makefile | 1 + client/cmdhfmfu.c | 150 ++------------------------------------------- common/generator.c | 74 +++++++++++++++------- common/generator.h | 28 ++++----- 4 files changed, 70 insertions(+), 183 deletions(-) diff --git a/client/Makefile b/client/Makefile index 891a8b1e5..483856b8f 100644 --- a/client/Makefile +++ b/client/Makefile @@ -159,6 +159,7 @@ CMDSRCS = crapto1/crapto1.c \ legic_prng.c \ iso15693tools.c \ prng.c \ + generator.c \ graph.c \ cmddata.c \ lfdemod.c \ diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 7d2b8cfc6..b761494f5 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -20,6 +20,7 @@ #include "comms.h" #include "fileutils.h" #include "protocols.h" +#include "generator.h" #define MAX_UL_BLOCKS 0x0F #define MAX_ULC_BLOCKS 0x2B 
@@ -283,151 +284,6 @@ uint8_t UL_MEMORY_ARRAY[ARRAYLEN(UL_TYPES_ARRAY)] = { MAX_ULEV1a_BLOCKS, MAX_NTAG_213, MAX_NTAG_216, MAX_UL_NANO_40, MAX_NTAG_I2C_1K }; -//------------------------------------ -// Pwd & Pack generation Stuff -//------------------------------------ -const uint32_t c_D[] = { - 0x6D835AFC, 0x7D15CD97, 0x0942B409, 0x32F9C923, 0xA811FB02, 0x64F121E8, - 0xD1CC8B4E, 0xE8873E6F, 0x61399BBB, 0xF1B91926, 0xAC661520, 0xA21A31C9, - 0xD424808D, 0xFE118E07, 0xD18E728D, 0xABAC9E17, 0x18066433, 0x00E18E79, - 0x65A77305, 0x5AE9E297, 0x11FC628C, 0x7BB3431F, 0x942A8308, 0xB2F8FD20, - 0x5728B869, 0x30726D5A -}; - -static void transform_D(uint8_t *ru) { - //Transform - uint8_t i; - uint8_t p = 0; - uint32_t v1 = ((ru[3] << 24) | (ru[2] << 16) | (ru[1] << 8) | ru[0]) + c_D[p++]; - uint32_t v2 = ((ru[7] << 24) | (ru[6] << 16) | (ru[5] << 8) | ru[4]) + c_D[p++]; - for (i = 0; i < 12; i += 2) { - - uint32_t xor1 = v1 ^ v2; - uint32_t t1 = ROTL(xor1, v2 & 0x1F) + c_D[p++]; - uint32_t xor2 = v2 ^ t1; - uint32_t t2 = ROTL(xor2, t1 & 0x1F) + c_D[p++]; - uint32_t xor3 = t1 ^ t2; - uint32_t xor4 = t2 ^ v1; - v1 = ROTL(xor3, t2 & 0x1F) + c_D[p++]; - v2 = ROTL(xor4, v1 & 0x1F) + c_D[p++]; - } - - //Re-use ru - ru[0] = v1 & 0xFF; - ru[1] = (v1 >> 8) & 0xFF; - ru[2] = (v1 >> 16) & 0xFF; - ru[3] = (v1 >> 24) & 0xFF; - ru[4] = v2 & 0xFF; - ru[5] = (v2 >> 8) & 0xFF; - ru[6] = (v2 >> 16) & 0xFF; - ru[7] = (v2 >> 24) & 0xFF; -} - -// Certain pwd generation algo nickname A. 
-uint32_t ul_ev1_pwdgenA(uint8_t *uid) {
-
- uint8_t pos = (uid[3] ^ uid[4] ^ uid[5] ^ uid[6]) % 32;
-
- uint32_t xortable[] = {
- 0x4f2711c1, 0x07D7BB83, 0x9636EF07, 0xB5F4460E, 0xF271141C, 0x7D7BB038, 0x636EF871, 0x5F4468E3,
- 0x271149C7, 0xD7BB0B8F, 0x36EF8F1E, 0xF446863D, 0x7114947A, 0x7BB0B0F5, 0x6EF8F9EB, 0x44686BD7,
- 0x11494fAF, 0xBB0B075F, 0xEF8F96BE, 0x4686B57C, 0x1494F2F9, 0xB0B07DF3, 0xF8F963E6, 0x686B5FCC,
- 0x494F2799, 0x0B07D733, 0x8F963667, 0x86B5F4CE, 0x94F2719C, 0xB07D7B38, 0xF9636E70, 0x6B5F44E0
- };
-
- uint8_t entry[] = {0x00, 0x00, 0x00, 0x00};
- uint8_t pwd[] = {0x00, 0x00, 0x00, 0x00};
-
- num_to_bytes(xortable[pos], 4, entry);
-
- pwd[0] = entry[0] ^ uid[1] ^ uid[2] ^ uid[3];
- pwd[1] = entry[1] ^ uid[0] ^ uid[2] ^ uid[4];
- pwd[2] = entry[2] ^ uid[0] ^ uid[1] ^ uid[5];
- pwd[3] = entry[3] ^ uid[6];
-
- return (uint32_t)bytes_to_num(pwd, 4);
-}
-
-// Certain pwd generation algo nickname B. (very simple)
-static uint32_t ul_ev1_pwdgenB(uint8_t *uid) {
-
- uint8_t pwd[] = {0x00, 0x00, 0x00, 0x00};
-
- pwd[0] = uid[1] ^ uid[3] ^ 0xAA;
- pwd[1] = uid[2] ^ uid[4] ^ 0x55;
- pwd[2] = uid[3] ^ uid[5] ^ 0xAA;
- pwd[3] = uid[4] ^ uid[6] ^ 0x55;
- return (uint32_t)bytes_to_num(pwd, 4);
-}
-
-// Certain pwd generation algo nickname C.
-uint32_t ul_ev1_pwdgenC(uint8_t *uid) {
- uint32_t pwd = 0;
- uint8_t base[] = {
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x28,
- 0x63, 0x29, 0x20, 0x43, 0x6f, 0x70, 0x79, 0x72,
- 0x69, 0x67, 0x68, 0x74, 0x20, 0x4c, 0x45, 0x47,
- 0x4f, 0x20, 0x32, 0x30, 0x31, 0x34, 0xaa, 0xaa
- };
-
- memcpy(base, uid, 7);
-
- for (int i = 0; i < 32; i += 4) {
- uint32_t b = *(uint32_t *)(base + i);
- pwd = b + ROTR(pwd, 25) + ROTR(pwd, 10) - pwd;
- }
- return BSWAP_32(pwd);
-}
-// Certain pwd generation algo nickname D.
-// a.k.a xzy -uint32_t ul_ev1_pwdgenD(uint8_t *uid) { - uint8_t i; - //Rotate - uint8_t r = (uid[1] + uid[3] + uid[5]) & 7; //Rotation offset - uint8_t ru[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; //Rotated UID - for (i = 0; i < 7; i++) - ru[(i + r) & 7] = uid[i]; - - transform_D(ru); - - //Calc key - uint32_t pwd = 0; //Key as int - r = (ru[0] + ru[2] + ru[4] + ru[6]) & 3; //Offset - for (i = 0; i < 4; i++) - pwd = ru[i + r] + (pwd << 8); - - return BSWAP_32(pwd); -} -// pack generation for algo 1-3 -uint16_t ul_ev1_packgenA(uint8_t *uid) { - uint16_t pack = (uid[0] ^ uid[1] ^ uid[2]) << 8 | (uid[2] ^ 8); - return pack; -} -uint16_t ul_ev1_packgenB(uint8_t *uid) { - return 0x8080; -} -uint16_t ul_ev1_packgenC(uint8_t *uid) { - return 0xaa55; -} -uint16_t ul_ev1_packgenD(uint8_t *uid) { - uint8_t i; - //Rotate - uint8_t r = (uid[2] + uid[5]) & 7; //Rotation offset - uint8_t ru[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; //Rotated UID - for (i = 0; i < 7; i++) - ru[(i + r) & 7] = uid[i]; - - transform_D(ru); - - //Calc pack - uint32_t p = 0; - for (i = 0; i < 8; i++) - p += ru[i] * 13; - - p ^= 0x5555; - return BSWAP_16(p & 0xFFFF); -} - static int ul_ev1_pwdgen_selftest() { uint8_t uid1[] = {0x04, 0x11, 0x12, 0x11, 0x12, 0x11, 0x10}; @@ -2613,11 +2469,13 @@ static int CmdHF14AMfUGenDiverseKeys(const char *Cmd) { PrintAndLogEx(WARNING, "iso14443a card select failed"); return PM3_ESOFT; } +/* if (card.uidlen != 4) { PrintAndLogEx(WARNING, "Wrong sized UID, expected 4bytes got %d", card.uidlen); return PM3_ESOFT; } - memcpy(uid, card.uid, sizeof(uid)); +*/ + memcpy(uid, card.uid, card.uidlen); } else { if (param_gethex(Cmd, 0, uid, 8)) return usage_hf_mfu_gendiverse(); } diff --git a/common/generator.c b/common/generator.c index 060f126ca..f2bf33626 100644 --- a/common/generator.c +++ b/common/generator.c 
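Review bot: With the `card.uidlen != 4` check commented out in CmdHF14AMfUGenDiverseKeys, `memcpy(uid, card.uid, card.uidlen)` copies a card-supplied length into `uid` with no upper bound. The removed line copied `sizeof(uid)` bytes and the manual-input branch reads 8 hex characters, which suggests `uid` is a 4-byte stack buffer (its declaration is outside the hunk), so a 7- or 10-byte UID reported by the card would write past it. Reject or clamp before the copy, e.g. `if (card.uidlen > sizeof(uid)) return PM3_ESOFT;`, and delete the commented-out block instead of leaving it in the function. If longer UIDs are meant to be supported, the buffer and the `param_gethex(Cmd, 0, uid, 8)` path need to be widened together.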
@@ -185,32 +185,49 @@ uint16_t ul_ev1_packgenD(uint8_t *uid) { // MFC keyfile generation stuff //------------------------------------ // Vinglock -void mfc_algo_ving_one(uint8_t *uid, uint8_t sector) { - return 0; +int mfc_algo_ving_one(uint8_t *uid, uint8_t sector, uint64_t *key) { + if (sector > 15) return PM3_EINVARG; + if (key == NULL) return PM3_EINVARG; + return PM3_SUCCESS; +} +int mfc_algo_ving_all(uint8_t *uid, uint8_t *keys) { + if (keys == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } -void mfc_algo_ving_all(uint8_t *uid, uint8_t *keys) {} // Yale Doorman -void mfc_algo_yale_one(uint8_t *uid, uint8_t sector) { - return 0; +int mfc_algo_yale_one(uint8_t *uid, uint8_t sector, uint64_t *key) { + if (sector > 15) return PM3_EINVARG; + if (key == NULL) return PM3_EINVARG; + return PM3_SUCCESS; +} +int mfc_algo_yale_all(uint8_t *uid, uint8_t *keys) { + if (keys == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } -void mfc_algo_yale_all(uint8_t *uid, uint8_t *keys) {} // Saflok / Maid UID to key. -uint64_t mfc_algo_saflok_one(uint8_t *uid, uint8_t sector) { - return 0; +int mfc_algo_saflok_one(uint8_t *uid, uint8_t sector, uint64_t *key) { + if (sector > 15) return PM3_EINVARG; + if (key == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } -void mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys) { +int mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys) { + if (keys == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } // MIZIP algo -void mfc_algo_mizip_one(uint8_t *uid, uint8_t sector) { - return 0; +int mfc_algo_mizip_one(uint8_t *uid, uint8_t sector, uint64_t *key) { + if (sector > 4) return PM3_EINVARG; + if (key == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } // returns all Mifare Mini (MFM) 10 keys. 
// keys must have 5*2*6 = 60bytes space -void mfc_algo_mizip_all(uint8_t *uid, uint8_t *keys) { - +int mfc_algo_mizip_all(uint8_t *uid, uint8_t *keys) { + if (keys == NULL) return PM3_EINVARG; + uint64_t xor_tbl[] = { 0x09125a2589e5ULL, 0xF12C8453D821ULL, 0xAB75C937922FULL, 0x73E799FE3241ULL, @@ -245,19 +262,30 @@ void mfc_algo_mizip_all(uint8_t *uid, uint8_t *keys) { ; num_to_bytes(b, 6, keys + 30 + (1 * i * 6)); } + return PM3_SUCCESS; } // Disney Infinity algo -void mfc_algo_di_one(uint8_t *uid, uint8_t sector) { - return 0; +int mfc_algo_di_one(uint8_t *uid, uint8_t sector, uint64_t *key) { + if (sector > 15) return PM3_EINVARG; + if (key == NULL) return PM3_EINVARG; + return PM3_SUCCESS; +} +int mfc_algo_di_all(uint8_t *uid, uint8_t *keys) { + if (keys == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } -void mfc_algo_di_all(uint8_t *uid, uint8_t *keys) {} // Skylanders -void mfc_algo_sky_one(uint8_t *uid, uint8_t sector) { - return 0; +int mfc_algo_sky_one(uint8_t *uid, uint8_t sector, uint64_t *key) { + if (sector > 15) return PM3_EINVARG; + if (key == NULL) return PM3_EINVARG; + return PM3_SUCCESS; +} +int mfc_algo_sky_all(uint8_t *uid, uint8_t *keys) { + if (keys == NULL) return PM3_EINVARG; + return PM3_SUCCESS; } -void mfc_algo_sky_all(uint8_t *uid, uint8_t *keys) {} //------------------------------------ 
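Review bot: Every stub added in this hunk (the ving, yale and saflok `_one`/`_all` pairs and `mfc_algo_mizip_one`, plus the di and sky stubs in the following hunk) returns `PM3_SUCCESS` without ever writing `*key` or `keys`, so a caller that checks the return code will go on to treat whatever was in its buffer as key material. Until the algorithms are filled in, return a failure status after the argument checks, for example `return PM3_ENOTIMPL;` if this tree defines that code. The new checks also validate `key`/`keys` but never `uid`; adding `if (uid == NULL) return PM3_EINVARG;` would make them consistent, most usefully in `mfc_algo_mizip_all`, which presumably reads it. This hunk ends inside `mfc_algo_mizip_all`.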
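Review bot: The tail of `mfc_algo_mizip_all` writes 6 bytes at `keys + 30 + (1 * i * 6)`, and the only statement of the required buffer size is the `// keys must have 5*2*6 = 60bytes space` comment above the definition, which starts outside this hunk. Now that the function reports errors, callers will reasonably assume the NULL check is the whole contract. Repeat the size requirement on the prototype in generator.h, e.g. `// keys must point to at least 60 bytes (5 sectors * 2 keys * 6 bytes)`, or consider a length argument in a follow-up so the bound can be checked instead of documented.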
@@ -290,10 +318,10 @@ int generator_selftest() { success = (pwd4 == 0x72B1EC61); PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X | %s", sprint_hex(uid4, 7), pwd4, success ? "OK" : "->72B1EC61<--"); - uint8_t uid5[] = {0x11, 0x22, 0x33, 0x44}; - uint64_t key1 = mfc_algo_a(uid5); - success = (key1 == 0xD1E2AA68E39A); - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIx64" | %s", sprint_hex(uid5, 4), key1, success ? "OK" : "->D1E2AA68E39A<--"); +// uint8_t uid5[] = {0x11, 0x22, 0x33, 0x44}; +// uint64_t key1 = mfc_algo_a(uid5); +// success = (key1 == 0xD1E2AA68E39A); +// PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIx64" | %s", sprint_hex(uid5, 4), key1, success ? "OK" : "->D1E2AA68E39A<--"); PrintAndLogEx(SUCCESS, "-------------------"); return PM3_SUCCESS; diff --git a/common/generator.h b/common/generator.h index 3ab678b73..8643c0de9 100644 --- a/common/generator.h +++ b/common/generator.h 
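Review bot: The MFC key vector in generator_selftest is disabled by prefixing four lines with `//` at column 0, which leaves dead code that still refers to `mfc_algo_a` and removes the only self-test for the `mfc_algo_*` family. Delete the lines, or replace them with a known-answer vector for `mfc_algo_mizip_all`, the one generator this commit gives a real body. In the visible tail the function also returns `PM3_SUCCESS` unconditionally; if the lines above the hunk do not accumulate the `success` results, a failing vector shows up only in the log and never in the return code.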
@@ -23,26 +23,26 @@ uint16_t ul_ev1_packgenB(uint8_t *uid); uint16_t ul_ev1_packgenC(uint8_t *uid); uint16_t ul_ev1_packgenD(uint8_t *uid); -uint64_t mfc_algo_ving_one(uint8_t *uid, uint8_t sector); -void mfc_algo_ving_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_ving_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_ving_all(uint8_t *uid, uint8_t *keys); -uint64_t mfc_algo_yale_one(uint8_t *uid, uint8_t sector); -void mfc_algo_yale_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_yale_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_yale_all(uint8_t *uid, uint8_t *keys); -uint64_t mfc_algo_saflok_one(uint8_t *uid, uint8_t sector); -void mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_saflok_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys); -uint64_t mfc_algo_saflok_one(uint8_t *uid, uint8_t sector); -void mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_saflok_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys); -uint64_t mfc_algo_mizip_one(uint8_t *uid, uint8_t sector); -void mfc_algo_mizip_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_mizip_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_mizip_all(uint8_t *uid, uint8_t *keys); -uint64_t mfc_algo_di_one(uint8_t *uid, uint8_t sector); -void mfc_algo_di_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_di_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_di_all(uint8_t *uid, uint8_t *keys); -uint64_t mfc_algo_sky_one(uint8_t *uid, uint8_t sector); -void mfc_algo_sky_all(uint8_t *uid, uint8_t *keys); +int mfc_algo_sky_one(uint8_t *uid, uint8_t sector, uint64_t *key); +int mfc_algo_sky_all(uint8_t *uid, uint8_t *keys); int generator_selftest(); #endif
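Review bot: The `mfc_algo_saflok_one`/`mfc_algo_saflok_all` prototypes appear twice in a row, and this change updates the duplicate pair instead of dropping it; one pair should be removed. Since the `_one` functions now return a status and deliver the key through the new out-parameter, the block would benefit from a one-line contract comment such as `// returns PM3_SUCCESS or PM3_EINVARG; *key is written only on success`. The `uid` parameters are read-only inputs as far as the visible code shows and could be declared `const uint8_t *uid`.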