]>
git.zerfleddert.de Git - proxmark3-svn/blob - tools/mfkey/mfkey32.c
4ab4bad4e10f65ffbaee1716e2f051ba9ac4e1f5
5 #include "crapto1/crapto1.h"
9 // 32 bit recover key from 2 nonces
10 int main (int argc
, char *argv
[]) {
13 uint32_t ks2
; // keystream used to encrypt reader response
14 uint64_t key
; // recovered key
16 printf("MIFARE Classic key recovery - based on 32 bits of keystream\n");
17 printf("Recover key from two 32-bit reader authentication answers only!\n\n");
19 if (argc
!= 7 && argc
!= 8) {
20 printf(" syntax: %s <uid> <nt0> <{nr_0}> <{ar_0}> [<nt1>] <{nr_1}> <{ar_1}>\n", argv
[0]);
21 printf(" (you may omit nt1 if it is equal to nt0)\n\n");
25 bool moebius_attack
= (argc
== 8);
27 sscanf(argv
[1],"%x",&data
.cuid
);
28 sscanf(argv
[2],"%x",&data
.nonce
);
29 data
.nonce2
= data
.nonce
;
30 sscanf(argv
[3],"%x",&data
.nr
);
31 sscanf(argv
[4],"%x",&data
.ar
);
33 sscanf(argv
[5],"%x",&data
.nonce2
);
34 sscanf(argv
[6],"%x",&data
.nr2
);
35 sscanf(argv
[7],"%x",&data
.ar2
);
37 sscanf(argv
[5],"%x",&data
.nr2
);
38 sscanf(argv
[6],"%x",&data
.ar2
);
41 printf("Recovering key for:\n");
42 printf(" uid: %08x\n",data
.cuid
);
43 printf(" nt0: %08x\n",data
.nonce
);
44 printf(" {nr_0}: %08x\n",data
.nr
);
45 printf(" {ar_0}: %08x\n",data
.ar
);
46 printf(" nt1: %08x\n",data
.nonce2
);
47 printf(" {nr_1}: %08x\n",data
.nr2
);
48 printf(" {ar_1}: %08x\n",data
.ar2
);
50 uint64_t start_time
= msclock();
52 // Generate lfsr succesors of the tag challenge
53 printf("\nLFSR succesors of the tag challenge:\n");
54 printf(" nt': %08x\n",prng_successor(data
.nonce
, 64));
55 printf(" nt'': %08x\n",prng_successor(data
.nonce
, 96));
57 // Extract the keystream from the messages
58 printf("\nKeystream used to generate {ar} and {at}:\n");
59 ks2
= data
.ar
^ prng_successor(data
.nonce
, 64);
60 printf(" ks2: %08x\n",ks2
);
64 success
= mfkey32_moebius(data
, &key
);
66 success
= mfkey32(data
, &key
);
70 printf("Recovered key: %012" PRIx64
"\n", key
);
72 printf("Couldn't recover key.\n");
75 printf("Time spent: %1.2f seconds\n", (float)(msclock() - start_time
)/1000.0);