Commit | Line | Data |
---|---|---|
d60418a0 MHS |
1 | /***************************************************************************** |
2 | * WARNING | |
3 | * | |
4 | * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. | |
5 | * | |
6 | * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL | |
7 | * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, | |
8 | * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. | |
9 | * | |
10 | * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. | |
11 | * | |
12 | ***************************************************************************** | |
13 | * | |
14 | * This file is part of loclass. It is a reconstructon of the cipher engine | |
15 | * used in iClass, and RFID techology. | |
16 | * | |
17 | * The implementation is based on the work performed by | |
18 | * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and | |
19 | * Milosch Meriac in the paper "Dismantling IClass". | |
20 | * | |
21 | * Copyright (C) 2014 Martin Holst Swende | |
22 | * | |
23 | * This is free software: you can redistribute it and/or modify | |
24 | * it under the terms of the GNU General Public License version 2 as published | |
25 | * by the Free Software Foundation. | |
26 | * | |
27 | * This file is distributed in the hope that it will be useful, | |
28 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
29 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
30 | * GNU General Public License for more details. | |
31 | * | |
32 | * You should have received a copy of the GNU General Public License | |
33 | * along with loclass. If not, see <http://www.gnu.org/licenses/>. | |
34 | * | |
35 | * | |
36 | * | |
37 | ****************************************************************************/ | |
38 | ||
39 | ||
3ad48540 MHS |
40 | #ifndef ELITE_CRACK_H |
41 | #define ELITE_CRACK_H | |
42 | void permutekey(uint8_t key[8], uint8_t dest[8]); | |
43 | /** | |
44 | * Permutes a key from iclass specific format to NIST format | |
45 | * @brief permutekey_rev | |
46 | * @param key | |
47 | * @param dest | |
48 | */ | |
49 | void permutekey_rev(uint8_t key[8], uint8_t dest[8]); | |
50 | //Crack status, see below | |
51 | #define CRACKED 0x0100 | |
52 | #define BEING_CRACKED 0x0200 | |
53 | #define CRACK_FAILED 0x0400 | |
54 | ||
55 | /** | |
56 | * Perform a bruteforce against a file which has been saved by pm3 | |
57 | * | |
58 | * @brief bruteforceFile | |
59 | * @param filename | |
60 | * @param keytable an arrah (128 x 16 bit ints). This is where the keydata is stored. | |
61 | * OBS! the upper part of the 16 bits store crack-status, | |
62 | * @return | |
63 | */ | |
64 | int bruteforceFile(const char *filename, uint16_t keytable[]); | |
65 | /** | |
66 | * | |
67 | * @brief Same as above, if you don't care about the returned keytable (results only printed on screen) | |
68 | * @param filename | |
69 | * @return | |
70 | */ | |
71 | int bruteforceFileNoKeys(const char *filename); | |
72 | /** | |
73 | * @brief Same as bruteforcefile, but uses a an array of dumpdata instead | |
74 | * @param dump | |
75 | * @param dumpsize | |
76 | * @param keytable | |
77 | * @return | |
78 | */ | |
79 | int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]); | |
80 | ||
81 | /** | |
82 | This is how we expect each 'entry' in a dumpfile to look | |
83 | **/ | |
84 | typedef struct { | |
85 | uint8_t csn[8]; | |
86 | uint8_t cc_nr[12]; | |
87 | uint8_t mac[4]; | |
88 | ||
89 | }dumpdata; | |
90 | ||
91 | /** | |
92 | * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac. | |
93 | *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced | |
94 | *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts. | |
95 | *It updates the keytable with the findings, also using the upper half of the 16-bit ints | |
96 | *to signal if the particular byte has been cracked or not. | |
97 | * | |
98 | * @param dump The dumpdata from iclass reader attack. | |
99 | * @param keytable where to write found values. | |
100 | * @return | |
101 | */ | |
102 | int bruteforceItem(dumpdata item, uint16_t keytable[]); | |
103 | /** | |
104 | * Hash1 takes CSN as input, and determines what bytes in the keytable will be used | |
105 | * when constructing the K_sel. | |
106 | * @param csn the CSN used | |
107 | * @param k output | |
108 | */ | |
109 | void hash1(uint8_t csn[] , uint8_t k[]); | |
9b82de75 | 110 | void hash2(uint8_t *key64, uint8_t *outp_keytable); |
3ad48540 MHS |
111 | /** |
112 | * From dismantling iclass-paper: | |
113 | * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] . | |
114 | * Then he can simply recover the master custom key K_cus by computing | |
115 | * K_cus = ~DES(z[0] , y[0] ) . | |
116 | * | |
117 | * Furthermore, the adversary is able to verify that he has the correct K cus by | |
118 | * checking whether z [0] = DES enc (K_cus , ~K_cus ). | |
119 | * @param keytable an array (128 bytes) of hash2(kcus) | |
120 | * @param master_key where to put the master key | |
121 | * @return 0 for ok, 1 for failz | |
122 | */ | |
123 | int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] ); | |
124 | ||
125 | /** | |
126 | * @brief Test function | |
127 | * @return | |
128 | */ | |
129 | int testElite(); | |
130 | ||
131 | /** | |
132 | Here are some pretty optimal values that can be used to recover necessary data in only | |
133 | eight auth attempts. | |
134 | // CSN HASH1 Bytes recovered // | |
135 | { {0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0} , {0x01,0x01,0x00,0x00,0x45,0x01,0x45,0x45 } ,{0,1 }}, | |
136 | { {0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0} , {0x02,0x0c,0x01,0x00,0x45,0x01,0x45,0x45} , {2,12}}, | |
137 | { {0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0} , {0x07,0x45,0x0b,0x00,0x45,0x01,0x45,0x45} , {7,11}}, | |
138 | { {0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0} , {0x03,0x0f,0x00,0x00,0x45,0x01,0x45,0x45} , {3,15}}, | |
139 | { {0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0} , {0x04,0x00,0x08,0x00,0x45,0x01,0x45,0x45} , {4,8}}, | |
140 | { {0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0} , {0x0e,0x06,0x08,0x00,0x45,0x01,0x45,0x45} , {6,14}}, | |
141 | { {0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0} , {0x0b,0x09,0x0f,0x00,0x45,0x01,0x05,0x45} , {9,5}}, | |
142 | { {0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0} , {0x0d,0x0f,0x0a,0x00,0x45,0x01,0x05,0x45} , {10,13}}, | |
143 | ||
144 | **/ | |
145 | ||
146 | ||
147 | #endif |