proxmark3/tools/mfc/card_only/staticnested_1nt.c
iceman1001 e50459b2c5 style
2024-09-06 22:59:23 +02:00

184 lines
5.6 KiB
C

// Backdoored Nested Attack
//
// Attack conditions:
// * Backdoor, or a way to know the clear static nested nT
//
// Strategy:
// * Use backdoor on the targeted sector to get the clear static nested nT
// * Enumerate key candidates based on clear and encrypted nT
// * Use the resulting dictionary to bruteforce the key
//
// Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>
#include "common.h"
#include "crapto1/crapto1.h"
#include "parity.h"
#define KEY_SPACE_SIZE (1 << 18)
typedef struct {
uint32_t authuid;
uint32_t nt;
uint32_t nt_enc;
uint8_t nt_par_enc;
} NtData;
static uint32_t hex_to_uint32(const char *hex_str) {
return (uint32_t)strtoul(hex_str, NULL, 16);
}
static int bin_to_uint8_arr(const char *bin_str, uint8_t bit_arr[], uint8_t arr_size) {
if (strlen(bin_str) != arr_size) {
fprintf(stderr, "Error: Binary string (%s) length does not match array size (%i).\n", bin_str, arr_size);
return 1;
}
for (uint8_t i = 0; i < arr_size; i++) {
if (bin_str[i] == '0') {
bit_arr[i] = 0;
} else if (bin_str[i] == '1') {
bit_arr[i] = 1;
} else {
fprintf(stderr, "Error: Invalid character '%c' in binary string.\n", bin_str[i]);
return 1;
}
}
return 0;
}
static uint64_t *generate_keys(uint64_t authuid, uint32_t nt, uint32_t nt_enc, uint32_t nt_par_enc, uint32_t *keyCount) {
uint64_t *result_keys = (uint64_t *)calloc(1, KEY_SPACE_SIZE * sizeof(uint64_t));
if (result_keys == NULL) {
fprintf(stderr, "\nCalloc error in generate_and_intersect_keys!\n");
return NULL;
}
struct Crypto1State *revstate, *revstate_start = NULL, *s = NULL;
uint64_t lfsr = 0;
uint32_t ks1 = nt ^ nt_enc;
revstate = lfsr_recovery32(ks1, nt ^ authuid);
if (revstate == NULL) {
fprintf(stderr, "\nCalloc error in generate_keys!\n");
free(result_keys);
return NULL;
}
revstate_start = revstate;
s = crypto1_create(0);
if (s == NULL) {
fprintf(stderr, "\nCalloc error in generate_keys!\n");
free(result_keys);
crypto1_destroy(revstate_start);
return 0;
}
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
lfsr_rollback_word(revstate, nt ^ authuid, 0);
crypto1_get_lfsr(revstate, &lfsr);
// only filtering possibility: last parity bit ks in ks2
uint32_t ks2;
uint8_t lastpar1, lastpar2, kslastp;
crypto1_init(s, lfsr);
crypto1_word(s, nt ^ authuid, 0);
ks2 = crypto1_word(s, 0, 0);
lastpar1 = oddparity8(nt & 0xFF);
kslastp = (ks2 >> 24) & 1;
lastpar2 = (nt_par_enc & 1) ^ kslastp;
if (lastpar1 == lastpar2) {
result_keys[(*keyCount)++] = lfsr;
if (*keyCount == KEY_SPACE_SIZE) {
fprintf(stderr, "No space left on result_keys, abort! Increase KEY_SPACE_SIZE\n");
break;
}
}
revstate++;
}
crypto1_destroy(s);
crypto1_destroy(revstate_start);
revstate_start = NULL;
return result_keys;
}
int main(int argc, char *const argv[]) {
if (argc != 6) {
int cmdlen = strlen(argv[0]);
printf("Usage:\n %s <uid:hex> <sector:dec> <nt:hex> <nt_enc:hex> <nt_par_err:bin>\n"
" parity example: if for block 63 == sector 15, nt in trace is 7b! fc! 7a! 5b\n"
" then nt_enc is 7bfc7a5b and nt_par_err is 1110\n"
"Example:\n"
" %*s a13e4902 15 d14191b3 2e9e49fc 1111\n"
" %*s +uid +s +nt +nt_enc +nt_par_err\n",
argv[0], cmdlen, argv[0], cmdlen, "");
return 1;
}
uint64_t *keys = NULL;
uint32_t keyCount = 0;
uint32_t authuid = hex_to_uint32(argv[1]);
uint32_t sector = atoi(argv[2]);
uint32_t nt = hex_to_uint32(argv[3]);
uint32_t nt_enc = hex_to_uint32(argv[4]);
uint8_t nt_par_err_arr[4];
if (bin_to_uint8_arr(argv[5], nt_par_err_arr, 4)) {
return 1;
}
uint8_t nt_par_enc = ((nt_par_err_arr[0] ^ oddparity8((nt_enc >> 24) & 0xFF)) << 3) |
((nt_par_err_arr[1] ^ oddparity8((nt_enc >> 16) & 0xFF)) << 2) |
((nt_par_err_arr[2] ^ oddparity8((nt_enc >> 8) & 0xFF)) << 1) |
((nt_par_err_arr[3] ^ oddparity8((nt_enc >> 0) & 0xFF)) << 0);
printf("uid=%08x nt=%08x nt_enc=%08x nt_par_err=%u%u%u%u nt_par_enc=%u%u%u%u ks1=%08x\n"
, authuid
, nt
, nt_enc
, nt_par_err_arr[0]
, nt_par_err_arr[1]
, nt_par_err_arr[2]
, nt_par_err_arr[3]
, (nt_par_enc >> 3) & 1
, (nt_par_enc >> 2) & 1
, (nt_par_enc >> 1) & 1
, nt_par_enc & 1
, nt ^ nt_enc
);
printf("Finding key candidates...\n");
keys = generate_keys(authuid, nt, nt_enc, nt_par_enc, &keyCount);
printf("Finding phase complete, found %u keys\n", keyCount);
FILE *fptr;
char filename[30];
snprintf(filename, sizeof(filename), "keys_%08x_%02u_%08x.dic", authuid, sector, nt);
fptr = fopen(filename, "w");
if (fptr != NULL) {
if (keyCount > 0) {
for (uint32_t j = 0; j < keyCount; j++) {
fprintf(fptr, "%012" PRIx64 "\n", keys[j]);
}
}
fclose(fptr);
} else {
fprintf(stderr, "Warning: Cannot save keys in %s\n", filename);
}
if (keys != NULL) {
free(keys);
}
return 0;
}