| 1 | /***************************************************************************** |
| 2 | * WARNING |
| 3 | * |
| 4 | * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY. |
| 5 | * |
| 6 | * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL |
| 7 | * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL, |
| 8 | * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES. |
| 9 | * |
| 10 | * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS. |
| 11 | * |
| 12 | ***************************************************************************** |
| 13 | * |
| 14 | * This file is part of loclass. It is a reconstructon of the cipher engine |
| 15 | * used in iClass, and RFID techology. |
| 16 | * |
| 17 | * The implementation is based on the work performed by |
| 18 | * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and |
| 19 | * Milosch Meriac in the paper "Dismantling IClass". |
| 20 | * |
| 21 | * Copyright (C) 2014 Martin Holst Swende |
| 22 | * |
| 23 | * This is free software: you can redistribute it and/or modify |
| 24 | * it under the terms of the GNU General Public License version 2 as published |
| 25 | * by the Free Software Foundation. |
| 26 | * |
| 27 | * This file is distributed in the hope that it will be useful, |
| 28 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 29 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 30 | * GNU General Public License for more details. |
| 31 | * |
| 32 | * You should have received a copy of the GNU General Public License |
| 33 | * along with loclass. If not, see <http://www.gnu.org/licenses/>. |
| 34 | * |
| 35 | * |
| 36 | * |
| 37 | ****************************************************************************/ |
| 38 | |
| 39 | |
| 40 | #ifndef ELITE_CRACK_H |
| 41 | #define ELITE_CRACK_H |
| 42 | void permutekey(uint8_t key[8], uint8_t dest[8]); |
| 43 | /** |
| 44 | * Permutes a key from iclass specific format to NIST format |
| 45 | * @brief permutekey_rev |
| 46 | * @param key |
| 47 | * @param dest |
| 48 | */ |
| 49 | void permutekey_rev(uint8_t key[8], uint8_t dest[8]); |
| 50 | //Crack status, see below |
| 51 | #define CRACKED 0x0100 |
| 52 | #define BEING_CRACKED 0x0200 |
| 53 | #define CRACK_FAILED 0x0400 |
| 54 | |
| 55 | /** |
| 56 | * Perform a bruteforce against a file which has been saved by pm3 |
| 57 | * |
| 58 | * @brief bruteforceFile |
| 59 | * @param filename |
| 60 | * @param keytable an arrah (128 x 16 bit ints). This is where the keydata is stored. |
| 61 | * OBS! the upper part of the 16 bits store crack-status, |
| 62 | * @return |
| 63 | */ |
| 64 | int bruteforceFile(const char *filename, uint16_t keytable[]); |
| 65 | /** |
| 66 | * |
| 67 | * @brief Same as above, if you don't care about the returned keytable (results only printed on screen) |
| 68 | * @param filename |
| 69 | * @return |
| 70 | */ |
| 71 | int bruteforceFileNoKeys(const char *filename); |
| 72 | /** |
| 73 | * @brief Same as bruteforcefile, but uses a an array of dumpdata instead |
| 74 | * @param dump |
| 75 | * @param dumpsize |
| 76 | * @param keytable |
| 77 | * @return |
| 78 | */ |
| 79 | int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]); |
| 80 | |
| 81 | /** |
| 82 | This is how we expect each 'entry' in a dumpfile to look |
| 83 | **/ |
| 84 | typedef struct { |
| 85 | uint8_t csn[8]; |
| 86 | uint8_t cc_nr[12]; |
| 87 | uint8_t mac[4]; |
| 88 | |
| 89 | }dumpdata; |
| 90 | |
| 91 | /** |
| 92 | * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac. |
| 93 | *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced |
| 94 | *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts. |
| 95 | *It updates the keytable with the findings, also using the upper half of the 16-bit ints |
| 96 | *to signal if the particular byte has been cracked or not. |
| 97 | * |
| 98 | * @param dump The dumpdata from iclass reader attack. |
| 99 | * @param keytable where to write found values. |
| 100 | * @return |
| 101 | */ |
| 102 | int bruteforceItem(dumpdata item, uint16_t keytable[]); |
| 103 | /** |
| 104 | * Hash1 takes CSN as input, and determines what bytes in the keytable will be used |
| 105 | * when constructing the K_sel. |
| 106 | * @param csn the CSN used |
| 107 | * @param k output |
| 108 | */ |
| 109 | void hash1(uint8_t csn[] , uint8_t k[]); |
| 110 | void hash2(uint8_t *key64, uint8_t *outp_keytable); |
| 111 | /** |
| 112 | * From dismantling iclass-paper: |
| 113 | * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] . |
| 114 | * Then he can simply recover the master custom key K_cus by computing |
| 115 | * K_cus = ~DES(z[0] , y[0] ) . |
| 116 | * |
| 117 | * Furthermore, the adversary is able to verify that he has the correct K cus by |
| 118 | * checking whether z [0] = DES enc (K_cus , ~K_cus ). |
| 119 | * @param keytable an array (128 bytes) of hash2(kcus) |
| 120 | * @param master_key where to put the master key |
| 121 | * @return 0 for ok, 1 for failz |
| 122 | */ |
| 123 | int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] ); |
| 124 | |
| 125 | /** |
| 126 | * @brief Test function |
| 127 | * @return |
| 128 | */ |
| 129 | int testElite(); |
| 130 | |
| 131 | /** |
| 132 | Here are some pretty optimal values that can be used to recover necessary data in only |
| 133 | eight auth attempts. |
| 134 | // CSN HASH1 Bytes recovered // |
| 135 | { {0x00,0x0B,0x0F,0xFF,0xF7,0xFF,0x12,0xE0} , {0x01,0x01,0x00,0x00,0x45,0x01,0x45,0x45 } ,{0,1 }}, |
| 136 | { {0x00,0x13,0x94,0x7e,0x76,0xff,0x12,0xe0} , {0x02,0x0c,0x01,0x00,0x45,0x01,0x45,0x45} , {2,12}}, |
| 137 | { {0x2a,0x99,0xac,0x79,0xec,0xff,0x12,0xe0} , {0x07,0x45,0x0b,0x00,0x45,0x01,0x45,0x45} , {7,11}}, |
| 138 | { {0x17,0x12,0x01,0xfd,0xf7,0xff,0x12,0xe0} , {0x03,0x0f,0x00,0x00,0x45,0x01,0x45,0x45} , {3,15}}, |
| 139 | { {0xcd,0x56,0x01,0x7c,0x6f,0xff,0x12,0xe0} , {0x04,0x00,0x08,0x00,0x45,0x01,0x45,0x45} , {4,8}}, |
| 140 | { {0x4b,0x5e,0x0b,0x72,0xef,0xff,0x12,0xe0} , {0x0e,0x06,0x08,0x00,0x45,0x01,0x45,0x45} , {6,14}}, |
| 141 | { {0x00,0x73,0xd8,0x75,0x58,0xff,0x12,0xe0} , {0x0b,0x09,0x0f,0x00,0x45,0x01,0x05,0x45} , {9,5}}, |
| 142 | { {0x0c,0x90,0x32,0xf3,0x5d,0xff,0x12,0xe0} , {0x0d,0x0f,0x0a,0x00,0x45,0x01,0x05,0x45} , {10,13}}, |
| 143 | |
| 144 | **/ |
| 145 | |
| 146 | |
| 147 | #endif |