git.zerfleddert.de Git - proxmark3-svn/blob - tools/mfkey/mfkey32.c

   1 #define __STDC_FORMAT_MACROS
   2 #include <inttypes.h>
   3 #define llx PRIx64
   4 #define lli PRIi64
   5
   6 // Test-file: test2.c
   7 #include "crapto1.h"
   8 #include <stdio.h>
   9 #include <stdlib.h>
  10
  11 int main (int argc, char *argv[]) {
  12   struct Crypto1State *s,*t;
  13   uint64_t key;     // recovered key
  14   uint32_t uid;     // serial number
  15   uint32_t nt;      // tag challenge
  16   uint32_t nr0_enc; // first encrypted reader challenge
  17   uint32_t ar0_enc; // first encrypted reader response
  18   uint32_t nr1_enc; // second encrypted reader challenge
  19   uint32_t ar1_enc; // second encrypted reader response
  20   uint32_t ks2;     // keystream used to encrypt reader response
  21
  22   printf("MIFARE Classic key recovery - based 32 bits of keystream\n");
  23   printf("Recover key from two 32-bit reader authentication answers only!\n\n");
  24
  25   if (argc < 7) {
  26     printf(" syntax: %s <uid> <nt> <{nr_0}> <{ar_0}> <{nr_1}> <{ar_1}>\n\n",argv[0]);
  27     return 1;
  28   }
  29
  30   sscanf(argv[1],"%x",&uid);
  31   sscanf(argv[2],"%x",&nt);
  32   sscanf(argv[3],"%x",&nr0_enc);
  33   sscanf(argv[4],"%x",&ar0_enc);
  34   sscanf(argv[5],"%x",&nr1_enc);
  35   sscanf(argv[6],"%x",&ar1_enc);
  36
  37   printf("Recovering key for:\n");
  38   printf("    uid: %08x\n",uid);
  39   printf("     nt: %08x\n",nt);
  40   printf(" {nr_0}: %08x\n",nr0_enc);
  41   printf(" {ar_0}: %08x\n",ar0_enc);
  42   printf(" {nr_1}: %08x\n",nr1_enc);
  43   printf(" {ar_1}: %08x\n",ar1_enc);
  44
  45         // Generate lfsr succesors of the tag challenge
  46   printf("\nLFSR succesors of the tag challenge:\n");
  47   printf("  nt': %08x\n",prng_successor(nt, 64));
  48   printf(" nt'': %08x\n",prng_successor(nt, 96));
  49
  50   // Extract the keystream from the messages
  51   printf("\nKeystream used to generate {ar} and {at}:\n");
  52   ks2 = ar0_enc ^ prng_successor(nt, 64);
  53   printf("  ks2: %08x\n",ks2);
  54
  55         s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
  56
  57         for(t = s; t->odd | t->even; ++t) {
  58                 lfsr_rollback_word(t, 0, 0);
  59                 lfsr_rollback_word(t, nr0_enc, 1);
  60                 lfsr_rollback_word(t, uid ^ nt, 0);
  61                 crypto1_get_lfsr(t, &key);
  62                 crypto1_word(t, uid ^ nt, 0);
  63                 crypto1_word(t, nr1_enc, 1);
  64                 if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
  65       printf("\nFound Key: [%012"llx"]\n\n",key);
  66                         break;
  67                 }
  68         }
  69   free(s);
  70
  71   return 0;
  72 }