]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitag2.c
26ab10667d132739928519c9092bb2a298472e81
[proxmark3-svn] / armsrc / hitag2.c
1 /*
2 * Hitag2 emulation
3 *
4 * Contains state and functions for an emulated Hitag2 tag. Offers an entry
5 * point to handle commands, needs a callback to send response.
6 *
7 * (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
8 */
9
10 #include <proxmark3.h>
11 #include <stdint.h>
12
13 #include "apps.h"
14 #include "hitag2.h"
15
16 struct hitag2_cipher_state {
17 uint64_t state;
18 };
19
20 struct hitag2_tag {
21 uint32_t uid;
22 enum {
23 TAG_STATE_RESET, // Just powered up, awaiting GetSnr
24 TAG_STATE_ACTIVATING, // In activation phase (password mode), sent UID, awaiting reader password
25 TAG_STATE_AUTHENTICATING, // In activation phase (crypto mode), awaiting reader authentication
26 TAG_STATE_ACTIVATED, // Activation complete, awaiting read/write commands
27 TAG_STATE_WRITING, // In write command, awaiting sector contents to be written
28 } state;
29 unsigned int active_sector;
30 char crypto_active;
31 struct hitag2_cipher_state cs;
32 char sectors[8][4];
33 };
34
35 static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *challenge);
36 static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator);
37 static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits);
38
39 static struct hitag2_tag tag;
40 static const struct hitag2_tag resetdata = {
41 .state = TAG_STATE_RESET,
42 .sectors = { // Password mode: | Crypto mode:
43 [0] = { 0x35, 0x33, 0x70, 0x11}, // UID | UID
44 [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key
45 [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved
46 [3] = { 0x0e, 0xaa, 'H', 'T'}, // Configuration, password TAG | Configuration, password TAG
47 },
48 };
49
50 int hitag2_reset(void)
51 {
52 tag.state = TAG_STATE_RESET;
53 tag.crypto_active = 0;
54 return 0;
55 }
56
57 int hitag2_init(void)
58 {
59 memcpy(&tag, &resetdata, sizeof(tag));
60 hitag2_reset();
61 return 0;
62 }
63
64 int hitag2_handle_command(const char* data, const int length, hitag2_response_callback_t cb, void *cb_cookie)
65 {
66 (void)data; (void)length; (void)cb; (void)cb_cookie;
67 int retry = 0, done = 0, result=0;
68 char temp[10];
69
70 if(tag.crypto_active && length < sizeof(temp)*8) {
71 /* Decrypt command */
72 memcpy(temp, data, (length+7)/8);
73 hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8);
74 data = temp;
75 }
76
77
78 handle_command_retry:
79 switch(tag.state) {
80 case TAG_STATE_RESET:
81 if(length == 5 && data[0] == 0xC0) {
82 /* Received 11000 from the reader, request for UID, send UID */
83 result=cb(tag.sectors[0], sizeof(tag.sectors[0])*8, 208, cb_cookie);
84 done=1;
85 if(tag.sectors[3][0] & 0x08) {
86 tag.state=TAG_STATE_AUTHENTICATING;
87 } else {
88 tag.state=TAG_STATE_ACTIVATING;
89 }
90 }
91 break;
92 case TAG_STATE_ACTIVATING:
93 if(length == 0x20) {
94 /* Received RWD password, respond with configuration and our password */
95 result=cb(tag.sectors[3], sizeof(tag.sectors[3])*8, 208, cb_cookie);
96 done=1;
97 tag.state=TAG_STATE_ACTIVATED;
98 }
99 break;
100 case TAG_STATE_AUTHENTICATING:
101 if(length == 0x40) {
102 /* Received initialisation vector || authentication token, fire up cipher, send our password */
103 hitag2_cipher_reset(&tag, data);
104 if(hitag2_cipher_authenticate(&(tag.cs), data+4)) {
105 char response_enc[4];
106 memcpy(response_enc, tag.sectors[3], 4);
107 hitag2_cipher_transcrypt(&(tag.cs), response_enc, 4, 0);
108 result=cb(response_enc, 4*8, 208, cb_cookie);
109 done=1;
110 tag.crypto_active = 1;
111 tag.state = TAG_STATE_ACTIVATED;
112 } else {
113 /* The reader failed to authenticate, do nothing */
114 DbpString("Reader authentication failed");
115 }
116 }
117 break;
118 case TAG_STATE_ACTIVATED:
119 if(length == 10) {
120 if( ((data[0] & 0xC0) == 0xC0) && ((data[0] & 0x06) == 0) ) {
121 /* Read command: 11xx x00y yy with yyy == ~xxx, xxx is sector number */
122 unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07);
123 if(sector == ( (data[0]>>3)&0x07 ) ) {
124 memcpy(temp, tag.sectors[sector], 4);
125 if(tag.crypto_active) {
126 hitag2_cipher_transcrypt(&(tag.cs), temp, 4, 0);
127 }
128 /* Respond with contents of sector sector */
129 result = cb(temp, 4*8, 208, cb_cookie);
130 done=1;
131 } else {
132 /* transmission error */
133 DbpString("Transmission error (read) in activated state");
134 }
135 } else if( ((data[0] & 0xC0) == 0x80) && ((data[0] & 0x06) == 2) ) {
136 /* Write command: 10xx x01y yy with yyy == ~xxx, xxx is sector number */
137 unsigned int sector = (~( ((data[0]<<2)&0x04) | ((data[1]>>6)&0x03) ) & 0x07);
138 if(sector == ( (data[0]>>3)&0x07 ) ) {
139 /* Prepare write, acknowledge by repeating command */
140 if(tag.crypto_active) {
141 hitag2_cipher_transcrypt(&(tag.cs), temp, length/8, length%8);
142 }
143 result = cb(data, length, 208, cb_cookie);
144 done=1;
145 tag.active_sector = sector;
146 tag.state=TAG_STATE_WRITING;
147 } else {
148 /* transmission error */
149 DbpString("Transmission error (write) in activated state");
150 }
151 }
152
153 }
154 case TAG_STATE_WRITING:
155 if(length == 32) {
156 /* These are the sector contents to be written. We don't have to do anything else. */
157 memcpy(tag.sectors[tag.active_sector], data, length/8);
158 tag.state=TAG_STATE_ACTIVATED;
159 done=1;
160 }
161 }
162
163 if(!done && !retry) {
164 /* We didn't respond, maybe our state is faulty. Reset and try again. */
165 retry=1;
166 if(tag.crypto_active) {
167 /* Restore undeciphered data */
168 memcpy(temp, data, (length+7)/8);
169 }
170 hitag2_reset();
171 goto handle_command_retry;
172 }
173
174 return result;
175 }
176
177 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
178 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
179 // For educational purposes only.
180 // No warranties or guarantees of any kind.
181 // This code is released into the public domain by its author.
182
183 // Basic macros:
184
185 #define u8 uint8_t
186 #define u32 uint32_t
187 #define u64 uint64_t
188 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
189 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
190 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
191 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
192 #define bit(x,n) (((x)>>(n))&1)
193 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
194 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
195 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
196
197 // Single bit Hitag2 functions:
198
199 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
200
201 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
202 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
203 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
204
205 static u32 _f20 (const u64 x)
206 {
207 u32 i5;
208
209 i5 = ((ht2_f4a >> i4 (x, 1, 2, 4, 5)) & 1)* 1
210 + ((ht2_f4b >> i4 (x, 7,11,13,14)) & 1)* 2
211 + ((ht2_f4b >> i4 (x,16,20,22,25)) & 1)* 4
212 + ((ht2_f4b >> i4 (x,27,28,30,32)) & 1)* 8
213 + ((ht2_f4a >> i4 (x,33,42,43,45)) & 1)*16;
214
215 return (ht2_f5c >> i5) & 1;
216 }
217
218 static u64 _hitag2_init (const u64 key, const u32 serial, const u32 IV)
219 {
220 u32 i;
221 u64 x = ((key & 0xFFFF) << 32) + serial;
222
223 for (i = 0; i < 32; i++)
224 {
225 x >>= 1;
226 x += (u64) (_f20 (x) ^ (((IV >> i) ^ (key >> (i+16))) & 1)) << 47;
227 }
228 return x;
229 }
230
231 static u64 _hitag2_round (u64 *state)
232 {
233 u64 x = *state;
234
235 x = (x >> 1) +
236 ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6)
237 ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22)
238 ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41)
239 ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47);
240
241 *state = x;
242 return _f20 (x);
243 }
244
245 // Bitslice Hitag2 functions:
246
247 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
248 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
249 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
250
251 #define uf20bs u32 // choose your own type/width
252
253 static uf20bs _f20bs (const uf20bs *x)
254 {
255 return ht2bs_5c (
256 ht2bs_4a(x[ 1],x[ 2],x[ 4],x[ 5]),
257 ht2bs_4b(x[ 7],x[11],x[13],x[14]),
258 ht2bs_4b(x[16],x[20],x[22],x[25]),
259 ht2bs_4b(x[27],x[28],x[30],x[32]),
260 ht2bs_4a(x[33],x[42],x[43],x[45]));
261 }
262
263 static void _hitag2bs_init (uf20bs *x, const uf20bs *key, const uf20bs *serial, const uf20bs *IV)
264 {
265 u32 i, r;
266
267 for (i = 0; i < 32; i++) x[i] = serial[i];
268 for (i = 0; i < 16; i++) x[32+i] = key[i];
269
270 for (r = 0; r < 32; r++)
271 {
272 for (i = 0; i < 47; i++) x[i] = x[i+1];
273 x[47] = _f20bs (x) ^ IV[i] ^ key[16+i];
274 }
275 }
276
277 static uf20bs _hitag2bs_round (uf20bs *x)
278 {
279 uf20bs y;
280 u32 i;
281
282 y = x[ 0] ^ x[ 2] ^ x[ 3] ^ x[ 6] ^ x[ 7] ^ x[ 8] ^ x[16] ^ x[22]
283 ^ x[23] ^ x[26] ^ x[30] ^ x[41] ^ x[42] ^ x[43] ^ x[46] ^ x[47];
284
285 for (i = 0; i < 47; i++) x[i] = x[i+1];
286 x[47] = y;
287
288 return _f20bs (x);
289 }
290
291 static u32 _hitag2_byte (u64 * x)
292 {
293 u32 i, c;
294
295 for (i = 0, c = 0; i < 8; i++) c += (u32) _hitag2_round (x) << (i^7);
296 return c;
297 }
298
299
300 /* Cipher/tag glue code: */
301
302 static void hitag2_cipher_reset(struct hitag2_tag *tag, const char *iv)
303 {
304 uint64_t key = ((uint64_t)tag->sectors[2][2]) |
305 ((uint64_t)tag->sectors[2][3] << 8) |
306 ((uint64_t)tag->sectors[1][0] << 16) |
307 ((uint64_t)tag->sectors[1][1] << 24) |
308 ((uint64_t)tag->sectors[1][2] << 32) |
309 ((uint64_t)tag->sectors[1][3] << 40);
310 uint32_t uid = ((uint32_t)tag->sectors[0][0]) |
311 ((uint32_t)tag->sectors[0][1] << 8) |
312 ((uint32_t)tag->sectors[0][2] << 16) |
313 ((uint32_t)tag->sectors[0][3] << 24);
314 uint32_t iv_ = (((uint32_t)(iv[0]))) |
315 (((uint32_t)(iv[1])) << 8) |
316 (((uint32_t)(iv[2])) << 16) |
317 (((uint32_t)(iv[3])) << 24);
318 tag->cs.state = _hitag2_init(rev64(key), rev32(uid), rev32(iv_));
319 }
320
321 static int hitag2_cipher_authenticate(struct hitag2_cipher_state *cs, const char *authenticator_is)
322 {
323 char authenticator_should[4];
324 authenticator_should[0] = ~_hitag2_byte(&(cs->state));
325 authenticator_should[1] = ~_hitag2_byte(&(cs->state));
326 authenticator_should[2] = ~_hitag2_byte(&(cs->state));
327 authenticator_should[3] = ~_hitag2_byte(&(cs->state));
328 return memcmp(authenticator_should, authenticator_is, 4) == 0;
329 }
330
331 static int hitag2_cipher_transcrypt(struct hitag2_cipher_state *cs, char *data, unsigned int bytes, unsigned int bits)
332 {
333 int i;
334 for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(&(cs->state));
335 for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(&(cs->state)) << (7-i);
336 return 0;
337 }
Impressum, Datenschutz