git.zerfleddert.de Git - proxmark3-svn/blob - tools/mfkey/mfkey64.c

   1 #include <inttypes.h>
   2 #include "crapto1.h"
   3 #include <stdio.h>
   4 #include <string.h>
   5
   6 int main (int argc, char *argv[]) {
   7   struct Crypto1State *revstate;
   8   uint64_t key;     // recovered key
   9   uint32_t uid;     // serial number
  10   uint32_t nt;      // tag challenge
  11   uint32_t nr_enc;  // encrypted reader challenge
  12   uint32_t ar_enc;  // encrypted reader response
  13   uint32_t at_enc;  // encrypted tag response
  14   uint32_t ks2;     // keystream used to encrypt reader response
  15   uint32_t ks3;     // keystream used to encrypt tag response
  16
  17   printf("MIFARE Classic key recovery - based 64 bits of keystream\n");
  18   printf("Recover key from only one complete authentication!\n\n");
  19
  20   if (argc < 6 ) {
  21     printf(" syntax: %s <uid> <nt> <{nr}> <{ar}> <{at}> [enc] [enc...]\n\n", argv[0]);
  22     return 1;
  23   }
  24
  25   int encc = argc - 6;
  26   int enclen[encc];
  27   uint8_t enc[encc][120];
  28
  29   sscanf(argv[1], "%x", &uid);
  30   sscanf(argv[2], "%x", &nt);
  31   sscanf(argv[3], "%x", &nr_enc);
  32   sscanf(argv[4], "%x", &ar_enc);
  33   sscanf(argv[5], "%x", &at_enc);
  34   for (int i = 0; i < encc; i++) {
  35     enclen[i] = strlen(argv[i + 6]) / 2;
  36     for (int i2 = 0; i2 < enclen[i]; i2++) {
  37       sscanf(argv[i+6] + i2*2,"%2x", (uint8_t*)&enc[i][i2]);
  38     }
  39   }
  40   printf("Recovering key for:\n");
  41
  42   printf("  uid: %08x\n", uid);
  43   printf("   nt: %08x\n", nt);
  44   printf(" {nr}: %08x\n", nr_enc);
  45   printf(" {ar}: %08x\n", ar_enc);
  46   printf(" {at}: %08x\n", at_enc);
  47   for (int i = 0; i < encc; i++) {
  48       printf("{enc%d}: ", i);
  49       for (int i2 = 0; i2 < enclen[i]; i2++) {
  50           printf("%02x", enc[i][i2]);
  51       }
  52       printf("\n");
  53   }
  54
  55
  56   /*
  57   uint32_t uid                = 0x9c599b32;
  58   uint32_t tag_challenge      = 0x82a4166c;
  59   uint32_t nr_enc             = 0xa1e458ce;
  60   uint32_t reader_response    = 0x6eea41e0;
  61   uint32_t tag_response       = 0x5cadf439;
  62 */
  63   // Generate lfsr succesors of the tag challenge
  64   printf("\nLFSR succesors of the tag challenge:\n");
  65   printf("  nt': %08x\n",prng_successor(nt, 64));
  66   printf(" nt'': %08x\n",prng_successor(nt, 96));
  67
  68   // Extract the keystream from the messages
  69   printf("\nKeystream used to generate {ar} and {at}:\n");
  70   ks2 = ar_enc ^ prng_successor(nt, 64);
  71   ks3 = at_enc ^ prng_successor(nt, 96);
  72   printf("  ks2: %08x\n",ks2);
  73   printf("  ks3: %08x\n",ks3);
  74
  75   revstate = lfsr_recovery64(ks2, ks3);
  76
  77   // Decrypting communication using keystream if presented
  78   if (argc > 6 ) {
  79   printf("\nDecrypted communication:\n");
  80   uint8_t ks4;
  81   int rollb = 0;
  82   for (int i = 0; i < encc; i++) {
  83     printf("{dec%d}: ", i);
  84     for (int i2 = 0; i2 < enclen[i]; i2++) {
  85       ks4 = crypto1_byte(revstate, 0, 0);
  86       printf("%02x", ks4 ^ enc[i][i2]);
  87       rollb += 1;
  88     }
  89     printf("\n");
  90   }
  91   for (int i = 0; i < rollb; i++) {
  92     lfsr_rollback_byte(revstate, 0, 0);
  93     }
  94   }
  95
  96   lfsr_rollback_word(revstate, 0, 0);
  97   lfsr_rollback_word(revstate, 0, 0);
  98   lfsr_rollback_word(revstate, nr_enc, 1);
  99   lfsr_rollback_word(revstate, uid ^ nt, 0);
 100   crypto1_get_lfsr(revstate, &key);
 101   printf("\nFound Key: [%012" PRIx64"]\n\n",key);
 102   crypto1_destroy(revstate);
 103
 104   return 0;
 105 }