From 30d59ac371213845969c84bea7c49b47f5918397 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 11 Dec 2023 00:06:40 +0100 Subject: [PATCH 1/4] Thanks to @h1kari for reversing this algo and sharing it back in 2019. And well done the rest of you who solved it later. --- CHANGELOG.md | 1 + common/generator.c | 67 ++++++++++++++++++++++++++++++++++++---------- 2 files changed, 54 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 15a2f4dca..e7940e2c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added Saflok KDF - generate MFC keys (@h1kari) - Changed `lf fdx demod` - now raw bytes shows all data (@iceman1001) - Changed `data num` - now can print reversed and inverse (@iceman1001) - Fixed `hf mf sim -ix` never returning console (@datatags) diff --git a/common/generator.c b/common/generator.c index 20f8a0b5f..27099224a 100644 --- a/common/generator.c +++ b/common/generator.c 
@@ -326,10 +326,41 @@ int mfc_algo_yale_all(uint8_t *uid, uint8_t *keys) { int mfc_algo_saflok_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t *key) { if (sector > 15) return PM3_EINVARG; if (key == NULL) return PM3_EINVARG; - if (keytype > 2) return PM3_EINVARG; - *key = 0; + + if (keytype == 0 && sector == 2) { + *key = 0xFFFFFFFFFFFF; return PM3_SUCCESS; } + + if (keytype == 0 && sector == 1) { + *key = 0x2a2c13cc242a; + return PM3_SUCCESS; + } + + if (keytype == 0) { + uint64_t lut[16] = { + 0xf057b39ee3d8ULL, 0x969d954ac157ULL, 0x8f43580d2c9dULL, 0xffcce0050c43ULL, + 0x341b15a690ccULL, 0x89585612e71bULL, 0xbb74b0953658ULL, 0xfb97f84b5b74ULL, + 0xc9d188359f92ULL, 0x8f92e97f5897ULL, 0x166ca2b09fd1ULL, 0x27dd93101c6cULL, + 0xda3e3fd649ddULL, 0x58dded078e3eULL, 0x5cd005cfd907ULL, 0x118dd00187d0ULL + }; + + uint8_t h = ((uid[3] >> 4) & 0xF); + h += ((uid[2] >> 4) & 0xF); + h += uid[0] & 0xF; + + uint64_t m = lut[h & 0xF]; + + uint64_t id = (bytes_to_num(uid, 4) << 8); + + *key = (h + (id + m + ((uint64_t)h << 40ULL))) & 0xFFFFFFFFFFFFULL; + + } else { + *key = 0xFFFFFFFFFFFF; + } + return PM3_SUCCESS; +} + int mfc_algo_saflok_all(uint8_t *uid, uint8_t *keys) { if (keys == NULL) return PM3_EINVARG; @@ -583,7 +614,7 @@ int mfc_algo_touch_one(uint8_t *uid, uint8_t sector, uint8_t keytype, uint64_t * int generator_selftest(void) { #ifndef ON_DEVICE -#define NUM_OF_TEST 9 +#define NUM_OF_TEST 10 PrintAndLogEx(INFO, "PWD / KEY generator selftest"); PrintAndLogEx(INFO, "----------------------------"); 
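Review bot: `mfc_algo_saflok_one` reads `uid[0]`, `uid[2]`, `uid[3]` and `bytes_to_num(uid, 4)` without checking `uid`, although `key` is NULL-checked two lines earlier. Add `if (uid == NULL) return PM3_EINVARG;` beside that check, and note in a comment that the caller must supply at least four UID bytes, since no length is passed. With the `keytype` range check removed, every non-zero `keytype`, including out-of-range values, now yields `0xFFFFFFFFFFFF` with `PM3_SUCCESS`, so a caller can no longer tell a bad argument from a real result; keeping a bound like the old `if (keytype > 2) return PM3_EINVARG;` would preserve that. The table can be declared `static const uint64_t lut[16]` so it is not rebuilt on the stack on every call, and the table and the fixed keys for sectors 1 and 2 deserve a one-line comment saying where the values come from.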
@@ -596,42 +627,42 @@ int generator_selftest(void) { if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid1, 7), pwd1, success ? "OK" : "->8432EB17<-"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid1, 7), pwd1, success ? _GREEN_("ok") : "->8432EB17<-"); uint8_t uid2[] = {0x04, 0x1f, 0x98, 0xea, 0x1e, 0x3e, 0x81}; uint32_t pwd2 = ul_ev1_pwdgenB(uid2); success = (pwd2 == 0x5fd37eca); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid2, 7), pwd2, success ? "OK" : "->5fd37eca<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid2, 7), pwd2, success ? _GREEN_("ok") : "->5fd37eca<--"); uint8_t uid3[] = {0x04, 0x62, 0xB6, 0x8A, 0xB4, 0x42, 0x80}; uint32_t pwd3 = ul_ev1_pwdgenC(uid3); success = (pwd3 == 0x5a349515); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid3, 7), pwd3, success ? "OK" : "->5a349515<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid3, 7), pwd3, success ? _GREEN_("ok") : "->5a349515<--"); uint8_t uid4[] = {0x04, 0xC5, 0xDF, 0x4A, 0x6D, 0x51, 0x80}; uint32_t pwd4 = ul_ev1_pwdgenD(uid4); success = (pwd4 == 0x72B1EC61); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid4, 7), pwd4, success ? "OK" : "->72B1EC61<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid4, 7), pwd4, success ? _GREEN_("ok") : "->72B1EC61<--"); uint8_t uid5[] = {0x04, 0xA0, 0x3C, 0xAA, 0x1E, 0x70, 0x80}; uint32_t pwd5 = ul_ev1_pwdgenE(uid5); success = (pwd5 == 0xCD91AFCC); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid5, 7), pwd5, success ? "OK" : "->CD91AFCC<--"); + PrintAndLogEx(success ? 
SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid5, 7), pwd5, success ? _GREEN_("ok") : "->CD91AFCC<--"); uint8_t uid6[] = {0x04, 0x77, 0x42, 0xAB, 0xEF, 0x42, 0x70}; uint32_t pwd6 = ul_ev1_pwdgenF(uid6); success = (pwd6 == 0xA9C4C3C0); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid6, 7), pwd6, success ? "OK" : "->A9C4C3C0<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid6, 7), pwd6, success ? _GREEN_("ok") : "->A9C4C3C0<--"); uint8_t uid7[] = {0x04, 0x0D, 0x4B, 0x5A, 0xC5, 0x71, 0x81}; uint8_t mfg[] = {0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x20, 0x35, 0x32, 0x4D}; @@ -639,13 +670,13 @@ int generator_selftest(void) { success = (pwd7 == 0xFBCFACC1); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid7, 7), pwd7, success ? "OK" : "->FBCFACC1<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %08X - %s", sprint_hex(uid7, 7), pwd7, success ? _GREEN_("ok") : "->FBCFACC1<--"); // uint8_t uid5[] = {0x11, 0x22, 0x33, 0x44}; // uint64_t key1 = mfc_algo_a(uid5); // success = (key1 == 0xD1E2AA68E39A); -// PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIx64" - %s", sprint_hex(uid5, 4), key1, success ? "OK" : "->D1E2AA68E39A<--"); +// PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIx64" - %s", sprint_hex(uid5, 4), key1, success ? _GREEN_("ok") : "->D1E2AA68E39A<--"); uint8_t uid8[] = {0x74, 0x57, 0xCA, 0xA9}; uint64_t key8 = 0; 
@@ -653,16 +684,24 @@ int generator_selftest(void) { success = (key8 == 0x82c7e64bc565); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIx64" - %s", sprint_hex(uid8, 4), key8, success ? "OK" : "->82C7E64BC565<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIx64" - %s", sprint_hex(uid8, 4), key8, success ? _GREEN_("ok") : "->82C7E64BC565<--"); + // MFC SAFLOK + uint8_t uid9[] = {0x11, 0x22, 0x33, 0x44}; + uint64_t key9 = 0; + mfc_algo_saflok_one(uid9, 0, 0, &key9); + success = (key9 == 0xD1E2AA68E39A); + if (success) + testresult++; + PrintAndLogEx(success ? SUCCESS : WARNING, "UID | %s | %"PRIX64" - %s", sprint_hex(uid9, 4), key9, success ? _GREEN_("ok") : _RED_(">> D1E2AA68E39A <<")); uint32_t lf_id = lf_t55xx_white_pwdgen(0x00000080); success = (lf_id == 0x00018383); if (success) testresult++; - PrintAndLogEx(success ? SUCCESS : WARNING, "ID | 0x00000080 | %08"PRIx32 " - %s", lf_id, success ? "OK" : "->00018383<--"); + PrintAndLogEx(success ? SUCCESS : WARNING, "ID | 0x00000080 | %08"PRIx32 " - %s", lf_id, success ? _GREEN_("ok") : "->00018383<--"); - PrintAndLogEx(SUCCESS, "------------------- Selftest %s", (testresult == NUM_OF_TEST) ? "OK" : "fail"); + PrintAndLogEx(SUCCESS, "------------------- Selftest %s", (testresult == NUM_OF_TEST) ? _GREEN_("ok") : _RED_("fail")); #endif return PM3_SUCCESS; From 9d55455d6628d98b3070874e76f3525c978115e4 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 11 Dec 2023 00:10:53 +0100 Subject: [PATCH 2/4] fix test for the change of text --- tools/pm3_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/pm3_tests.sh b/tools/pm3_tests.sh index 8798ec269..e56ce5d25 100755 --- a/tools/pm3_tests.sh +++ b/tools/pm3_tests.sh 
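Review bot: The new SAFLOK case discards the return value of `mfc_algo_saflok_one` and exercises only the computed branch (sector 0, key type 0), so the fixed keys for sectors 1 and 2 and the non-zero key type path are not covered by the known-answer test. Checking the status as well, e.g. `success = (mfc_algo_saflok_one(uid9, 0, 0, &key9) == PM3_SUCCESS) && (key9 == 0xD1E2AA68E39A);`, and adding one assertion per special-cased sector would pin them. The format uses `%"PRIX64"` without a width, so a key with leading zero nibbles prints shorter than the 12-digit expected string; `%012"PRIX64"` keeps the two comparable. `generator_selftest` starts outside this hunk and, as far as is visible here, returns `PM3_SUCCESS` whatever `testresult` is, so a failure shows up only in the printed text.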
@@ -402,7 +402,7 @@ while true; do
 if ! CheckExecute "reveng readline test" "$CLIENTBIN -c 'reveng -h;reveng -D'" "CRC-64/GO-ISO"; then break; fi
 if ! CheckExecute "reveng -g test" "$CLIENTBIN -c 'reveng -g abda202c'" "CRC-16/ISO-IEC-14443-3-A"; then break; fi
 if ! CheckExecute "reveng -w test" "$CLIENTBIN -c 'reveng -w 8 -s 01020304e3 010204039d'" "CRC-8/SMBUS"; then break; fi
- if ! CheckExecute "mfu pwdgen test" "$CLIENTBIN -c 'hf mfu pwdgen -t'" "Selftest OK"; then break; fi
+ if ! CheckExecute "mfu pwdgen test" "$CLIENTBIN -c 'hf mfu pwdgen -t'" "Selftest ok"; then break; fi
 if ! CheckExecute "mfu keygen test" "$CLIENTBIN -c 'hf mfu keygen --uid 11223344556677'" "80 B1 C2 71 D8 A0"; then break; fi
 if ! CheckExecute "jooki encode test" "$CLIENTBIN -c 'hf jooki encode -t'" "04 28 F4 DA F0 4A 81 \( ok \)"; then break; fi
 if ! CheckExecute "trace load/list 14a" "$CLIENTBIN -c 'trace load -f traces/hf_14a_mfu.trace; trace list -1 -t 14a;'" "READBLOCK\(8\)"; then break; fi
From e2f568b740f17842a52f3a2cd8ec1ca82c6ff0ca Mon Sep 17 00:00:00 2001
From: kitsunehunter <90627943+kitsunehunter@users.noreply.github.com>
Date: Sun, 10 Dec 2023 22:34:12 -0500
Subject: [PATCH 3/4] Update Notes documentation Added documentation on HID downgrades and RM
Signed-off-by: kitsunehunter <90627943+kitsunehunter@users.noreply.github.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 89bacebf1..538d5b952 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ The Proxmark3 is the swiss-army tool of RFID, allowing for interactions with the |[Developing standalone mode](/armsrc/Standalone/readme.md)|[Wiki about standalone mode](https://github.com/RfidResearchGroup/proxmark3/wiki/Standalone-mode)|[Notes on Magic UID cards](/doc/magic_cards_notes.md)| |[Notes on Color usage](/doc/colors_notes.md)|[Makefile vs CMake](/doc/md/Development/Makefile-vs-CMake.md)|[Notes on Cloner guns](/doc/cloner_notes.md)| |[Notes on cliparser usage](/doc/cliparser.md)|[Notes on clocks](/doc/clocks.md)|[Notes on MIFARE DESFire](/doc/desfire.md)| -|[Notes on CIPURSE](/doc/cipurse.md)|[Notes on NDEF type4a](/doc/ndef_type4a.md)|| +|[Notes on CIPURSE](/doc/cipurse.md)|[Notes on NDEF type4a](/doc/ndef_type4a.md)|[Notes on HID downgrades / RM](https://gist.github.com/kitsunehunter/c75294bdbd0533eca298d122c39fb1bd)| # How to build? From 1ab70541aa6fba2b412fcf2efbe1d0961ec3dccd Mon Sep 17 00:00:00 2001 From: kitsunehunter <90627943+kitsunehunter@users.noreply.github.com> Date: Sun, 10 Dec 2023 22:47:06 -0500 Subject: [PATCH 4/4] Update extensions_notes.md eml deprecated Signed-off-by: kitsunehunter <90627943+kitsunehunter@users.noreply.github.com> --- doc/extensions_notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/extensions_notes.md b/doc/extensions_notes.md index 063ce2b85..266a4df1e 100644 --- a/doc/extensions_notes.md +++ b/doc/extensions_notes.md 
@@ -6,7 +6,7 @@ The Proxmark3 client uses a wide range of files. Here is a brief recap to get yo
 |---|---|
 | .exe | windows executable |
 | .bin | binary file, can be firmware or memory dump of a tag or keys dump of a tag|
-| .eml | text file, with memory dump of a tag |
+| .eml | text file, with memory dump of a tag (deprecated) |
 | .mfd | binary file, MIFARE file dump, name comes from NFC-Tools. Usually created with Mifare Classic Tool app (MCT) or NFC-Tools, contains memory dump of tag. Very similar to .bin file |
 | .json | JSON file, usually settings file or it can also be a memory dump of a tag |
 | .dic | dictionary file. textual, with keys/passwords one line / key |