[proxmark3-svn] / client / nonce2key / nonce2key.c

//-----------------------------------------------------------------------------
// Merlok - June 2011
// Roel - Dec 2009
// Unknown author
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// MIFARE Darkside hack
//-----------------------------------------------------------------------------
#include "nonce2key.h"
#include "mifarehost.h"
#include "ui.h"
#include "proxmark3.h"

int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) {

	struct Crypto1State *state;
	uint32_t i, pos, rr = 0, nr_diff;
	byte_t bt, ks3x[8], par[8][8];

	// Reset the last three significant bits of the reader nonce
	nr &= 0xffffff1f;
  
	PrintAndLog("\nuid(%08x) nt(%08x) par(%016"llx") ks(%016"llx") nr(%08"llx")\n\n", uid, nt, par_info, ks_info, nr);

	for ( pos = 0; pos < 8; pos++ ) {
		ks3x[7-pos] = (ks_info >> (pos*8)) & 0x0f;
		bt = (par_info >> (pos*8)) & 0xff;

		for ( i = 0; i < 8; i++) {
			par[7-pos][i] = (bt >> i) & 0x01;
		}
	}

	printf("|diff|{nr}    |ks3|ks3^5|parity         |\n");
	printf("+----+--------+---+-----+---------------+\n");

	for ( i = 0; i < 8; i++) {
		nr_diff = nr | i << 5;
		printf("| %02x |%08x|", i << 5, nr_diff);
		printf(" %01x |  %01x  |", ks3x[i], ks3x[i]^5);
		for (pos = 0; pos < 7; pos++) printf("%01x,", par[i][pos]);
		printf("%01x|\n", par[i][7]);
	}
	printf("+----+--------+---+-----+---------------+\n");

	state = lfsr_common_prefix(nr, rr, ks3x, par);
	lfsr_rollback_word(state, uid^nt, 0);
	crypto1_get_lfsr(state, key);
	crypto1_destroy(state);
	return 0;
}

// *outputkey is not used...
int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){

	struct Crypto1State *s,*t;
	uint64_t key;     // recovered key
	uint32_t uid;     // serial number
	uint32_t nt;      // tag challenge
	uint32_t nr0_enc; // first encrypted reader challenge
	uint32_t ar0_enc; // first encrypted reader response
	uint32_t nr1_enc; // second encrypted reader challenge
	uint32_t ar1_enc; // second encrypted reader response	
	bool isSuccess = FALSE;
	int counter = 0;
	
	uid 	= myuid;//(uint32_t)bytes_to_num(data +  0, 4);
	nt 		= *(uint32_t*)(data+8);
	nr0_enc = *(uint32_t*)(data+12);
	ar0_enc = *(uint32_t*)(data+16);
	nr1_enc = *(uint32_t*)(data+32);
	ar1_enc = *(uint32_t*)(data+36);

	// PrintAndLog("recovering key for:");
	// PrintAndLog("    uid: %08x   %08x",uid, myuid);
	// PrintAndLog("     nt: %08x",nt);
	// PrintAndLog(" {nr_0}: %08x",nr0_enc);
	// PrintAndLog(" {ar_0}: %08x",ar0_enc);
	// PrintAndLog(" {nr_1}: %08x",nr1_enc);
	// PrintAndLog(" {ar_1}: %08x",ar1_enc);

	s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
  
	for(t = s; t->odd | t->even; ++t) {
		lfsr_rollback_word(t, 0, 0);
		lfsr_rollback_word(t, nr0_enc, 1);
		lfsr_rollback_word(t, uid ^ nt, 0);
		crypto1_get_lfsr(t, &key);
		crypto1_word(t, uid ^ nt, 0);
		crypto1_word(t, nr1_enc, 1);
		if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
			PrintAndLog("Found Key: [%012"llx"]", key);
			isSuccess = TRUE;
			++counter;
			if (counter==20)
				break;
		}
	}
	
	num_to_bytes(key, 6, outputkey);
	crypto1_destroy(t);
	return isSuccess;
}

int tryMfk32_moebius(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){

	struct Crypto1State *s, *t;
	uint64_t key;     // recovered key
	uint32_t uid;     // serial number
	uint32_t nt0;     // tag challenge first
	uint32_t nt1;     // tag challenge second
	uint32_t nr0_enc; // first encrypted reader challenge
	uint32_t ar0_enc; // first encrypted reader response
	uint32_t nr1_enc; // second encrypted reader challenge
	uint32_t ar1_enc; // second encrypted reader response	
	bool isSuccess = FALSE;
	int counter = 0;
	
	uid 	= myuid;//(uint32_t)bytes_to_num(data +  0, 4);
	nt0 	= *(uint32_t*)(data+8);
	nr0_enc = *(uint32_t*)(data+12);
	ar0_enc = *(uint32_t*)(data+16);
	nt1 	= *(uint32_t*)(data+8);
	nr1_enc = *(uint32_t*)(data+32);
	ar1_enc = *(uint32_t*)(data+36);

	s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0);
  
	for(t = s; t->odd | t->even; ++t) {
		lfsr_rollback_word(t, 0, 0);
		lfsr_rollback_word(t, nr0_enc, 1);
		lfsr_rollback_word(t, uid ^ nt0, 0);
		crypto1_get_lfsr(t, &key);
		
		crypto1_word(t, uid ^ nt1, 0);
		crypto1_word(t, nr1_enc, 1);
		if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) {
			PrintAndLog("Found Key: [%012"llx"]",key);
			isSuccess = TRUE;
			++counter;
			if (counter==20)
				break;
		}
	}
	num_to_bytes(key, 6, outputkey);
	crypto1_destroy(t);
	return isSuccess;
}

int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){

	struct Crypto1State *revstate;
	uint64_t key;     // recovered key
	uint32_t uid;     // serial number
	uint32_t nt;      // tag challenge
	uint32_t nr_enc;  // encrypted reader challenge
	uint32_t ar_enc;  // encrypted reader response
	uint32_t at_enc;  // encrypted tag response
	uint32_t ks2;     // keystream used to encrypt reader response
	uint32_t ks3;     // keystream used to encrypt tag response

	struct Crypto1State mpcs = {0, 0};
	struct Crypto1State *pcs;
	pcs = &mpcs;
	
	uid 	= myuid;//(uint32_t)bytes_to_num(data +  0, 4);
	nt 		= *(uint32_t*)(data+8);
	nr_enc = *(uint32_t*)(data+12);
	ar_enc = *(uint32_t*)(data+16);
	
	crypto1_word(pcs, nr_enc , 1);
	at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);

	// printf("Recovering key for:\n");
	// printf("  uid: %08x\n",uid);
	// printf("   nt: %08x\n",nt);
	// printf(" {nr}: %08x\n",nr_enc);
	// printf(" {ar}: %08x\n",ar_enc);
	// printf(" {at}: %08x\n",at_enc);

	// Extract the keystream from the messages
	ks2 = ar_enc ^ prng_successor(nt, 64);
	ks3 = at_enc ^ prng_successor(nt, 96);

	revstate = lfsr_recovery64(ks2, ks3);
	lfsr_rollback_word(revstate, 0, 0);
	lfsr_rollback_word(revstate, 0, 0);
	lfsr_rollback_word(revstate, nr_enc, 1);
	lfsr_rollback_word(revstate, uid ^ nt, 0);
	crypto1_get_lfsr(revstate, &key);
	PrintAndLog("Found Key: [%012"llx"]",key);
	num_to_bytes(key, 6, outputkey);
	crypto1_destroy(revstate);
	return 0;
}
Commit	Line	Data
f89c7050 M	1	//-----------------------------------------------------------------------------
	2	// Merlok - June 2011
	3	// Roel - Dec 2009
	4	// Unknown author
	5	//
	6	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	7	// at your option, any later version. See the LICENSE.txt file for the text of
	8	// the license.
	9	//-----------------------------------------------------------------------------
	10	// MIFARE Darkside hack
	11	//-----------------------------------------------------------------------------
f89c7050	12	#include "nonce2key.h"
b19bd5d6	13	#include "mifarehost.h"
f89c7050	14	#include "ui.h"
a0f33b66	15	#include "proxmark3.h"
f89c7050	16
1c611bbd	17	int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) {
738eeccd	18
0de8e387	19	struct Crypto1State *state;
a0f33b66	20	uint32_t i, pos, rr = 0, nr_diff;
0de8e387	21	byte_t bt, ks3x[8], par[8][8];
b19bd5d6	22
0de8e387	23	// Reset the last three significant bits of the reader nonce
0de8e387	24	nr &= 0xffffff1f;
f89c7050	25
0de8e387	26	PrintAndLog("\nuid(%08x) nt(%08x) par(%016"llx") ks(%016"llx") nr(%08"llx")\n\n", uid, nt, par_info, ks_info, nr);
0de8e387	27
738eeccd	28	for ( pos = 0; pos < 8; pos++ ) {
0de8e387	29	ks3x[7-pos] = (ks_info >> (pos*8)) & 0x0f;
0de8e387	30	bt = (par_info >> (pos*8)) & 0xff;
738eeccd	31
738eeccd	32	for ( i = 0; i < 8; i++) {
0de8e387	33	par[7-pos][i] = (bt >> i) & 0x01;
	34	}
	35	}
f89c7050	36
0de8e387	37	printf("\|diff\|{nr} \|ks3\|ks3^5\|parity \|\n");
0de8e387	38	printf("+----+--------+---+-----+---------------+\n");
738eeccd	39
738eeccd	40	for ( i = 0; i < 8; i++) {
0de8e387	41	nr_diff = nr \| i << 5;
	42	printf("\| %02x \|%08x\|", i << 5, nr_diff);
	43	printf(" %01x \| %01x \|", ks3x[i], ks3x[i]^5);
a0f33b66	44	for (pos = 0; pos < 7; pos++) printf("%01x,", par[i][pos]);
0de8e387	45	printf("%01x\|\n", par[i][7]);
	46	}
	47	printf("+----+--------+---+-----+---------------+\n");
f89c7050	48
a0f33b66	49	state = lfsr_common_prefix(nr, rr, ks3x, par);
	50	lfsr_rollback_word(state, uid^nt, 0);
	51	crypto1_get_lfsr(state, key);
	52	crypto1_destroy(state);
	53	return 0;
f89c7050	54	}
46cd801c	55
738eeccd	56	// *outputkey is not used...
46cd801c	57	int tryMfk32(uint64_t myuid, uint8_t data, uint8_t outputkey ){
	58
	59	struct Crypto1State s,t;
	60	uint64_t key; // recovered key
	61	uint32_t uid; // serial number
	62	uint32_t nt; // tag challenge
	63	uint32_t nr0_enc; // first encrypted reader challenge
	64	uint32_t ar0_enc; // first encrypted reader response
	65	uint32_t nr1_enc; // second encrypted reader challenge
	66	uint32_t ar1_enc; // second encrypted reader response
	67	bool isSuccess = FALSE;
	68	int counter = 0;
	69
	70	uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
	71	nt = (uint32_t)(data+8);
	72	nr0_enc = (uint32_t)(data+12);
	73	ar0_enc = (uint32_t)(data+16);
	74	nr1_enc = (uint32_t)(data+32);
	75	ar1_enc = (uint32_t)(data+36);
	76
b69947c2	77	// PrintAndLog("recovering key for:");
b69947c2	78	// PrintAndLog(" uid: %08x %08x",uid, myuid);
46cd801c	79	// PrintAndLog(" nt: %08x",nt);
	80	// PrintAndLog(" {nr_0}: %08x",nr0_enc);
	81	// PrintAndLog(" {ar_0}: %08x",ar0_enc);
	82	// PrintAndLog(" {nr_1}: %08x",nr1_enc);
	83	// PrintAndLog(" {ar_1}: %08x",ar1_enc);
	84
	85	s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
	86
	87	for(t = s; t->odd \| t->even; ++t) {
	88	lfsr_rollback_word(t, 0, 0);
	89	lfsr_rollback_word(t, nr0_enc, 1);
	90	lfsr_rollback_word(t, uid ^ nt, 0);
	91	crypto1_get_lfsr(t, &key);
	92	crypto1_word(t, uid ^ nt, 0);
	93	crypto1_word(t, nr1_enc, 1);
	94	if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
738eeccd	95	PrintAndLog("Found Key: [%012"llx"]", key);
46cd801c	96	isSuccess = TRUE;
46cd801c	97	++counter;
b69947c2	98	if (counter==20)
46cd801c	99	break;
	100	}
	101	}
a0f33b66	102
a0f33b66	103	num_to_bytes(key, 6, outputkey);
738eeccd	104	crypto1_destroy(t);
46cd801c	105	return isSuccess;
	106	}
	107
d8af608f	108	int tryMfk32_moebius(uint64_t myuid, uint8_t data, uint8_t outputkey ){
d8af608f	109
738eeccd	110	struct Crypto1State s, t;
d8af608f	111	uint64_t key; // recovered key
d8af608f	112	uint32_t uid; // serial number
738eeccd	113	uint32_t nt0; // tag challenge first
738eeccd	114	uint32_t nt1; // tag challenge second
d8af608f	115	uint32_t nr0_enc; // first encrypted reader challenge
	116	uint32_t ar0_enc; // first encrypted reader response
	117	uint32_t nr1_enc; // second encrypted reader challenge
	118	uint32_t ar1_enc; // second encrypted reader response
	119	bool isSuccess = FALSE;
	120	int counter = 0;
	121
	122	uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
	123	nt0 = (uint32_t)(data+8);
	124	nr0_enc = (uint32_t)(data+12);
	125	ar0_enc = (uint32_t)(data+16);
	126	nt1 = (uint32_t)(data+8);
	127	nr1_enc = (uint32_t)(data+32);
	128	ar1_enc = (uint32_t)(data+36);
	129
	130	s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0);
	131
	132	for(t = s; t->odd \| t->even; ++t) {
	133	lfsr_rollback_word(t, 0, 0);
	134	lfsr_rollback_word(t, nr0_enc, 1);
	135	lfsr_rollback_word(t, uid ^ nt0, 0);
	136	crypto1_get_lfsr(t, &key);
	137
	138	crypto1_word(t, uid ^ nt1, 0);
	139	crypto1_word(t, nr1_enc, 1);
	140	if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) {
	141	PrintAndLog("Found Key: [%012"llx"]",key);
	142	isSuccess = TRUE;
	143	++counter;
	144	if (counter==20)
	145	break;
	146	}
	147	}
a0f33b66	148	num_to_bytes(key, 6, outputkey);
738eeccd	149	crypto1_destroy(t);
d8af608f	150	return isSuccess;
	151	}
	152
46cd801c	153	int tryMfk64(uint64_t myuid, uint8_t data, uint8_t outputkey ){
	154
	155	struct Crypto1State *revstate;
	156	uint64_t key; // recovered key
	157	uint32_t uid; // serial number
	158	uint32_t nt; // tag challenge
	159	uint32_t nr_enc; // encrypted reader challenge
	160	uint32_t ar_enc; // encrypted reader response
	161	uint32_t at_enc; // encrypted tag response
	162	uint32_t ks2; // keystream used to encrypt reader response
	163	uint32_t ks3; // keystream used to encrypt tag response
	164
	165	struct Crypto1State mpcs = {0, 0};
	166	struct Crypto1State *pcs;
	167	pcs = &mpcs;
	168
	169	uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
	170	nt = (uint32_t)(data+8);
	171	nr_enc = (uint32_t)(data+12);
	172	ar_enc = (uint32_t)(data+16);
	173
	174	crypto1_word(pcs, nr_enc , 1);
	175	at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
	176
	177	// printf("Recovering key for:\n");
	178	// printf(" uid: %08x\n",uid);
	179	// printf(" nt: %08x\n",nt);
	180	// printf(" {nr}: %08x\n",nr_enc);
	181	// printf(" {ar}: %08x\n",ar_enc);
	182	// printf(" {at}: %08x\n",at_enc);
	183
	184	// Extract the keystream from the messages
	185	ks2 = ar_enc ^ prng_successor(nt, 64);
	186	ks3 = at_enc ^ prng_successor(nt, 96);
	187
	188	revstate = lfsr_recovery64(ks2, ks3);
	189	lfsr_rollback_word(revstate, 0, 0);
	190	lfsr_rollback_word(revstate, 0, 0);
	191	lfsr_rollback_word(revstate, nr_enc, 1);
	192	lfsr_rollback_word(revstate, uid ^ nt, 0);
	193	crypto1_get_lfsr(revstate, &key);
	194	PrintAndLog("Found Key: [%012"llx"]",key);
a0f33b66	195	num_to_bytes(key, 6, outputkey);
46cd801c	196	crypto1_destroy(revstate);
46cd801c	197	return 0;
e98572a1	198	}