]>
git.zerfleddert.de Git - proxmark3-svn/blob - client/mfkey.c
1 //-----------------------------------------------------------------------------
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
9 //-----------------------------------------------------------------------------
10 // MIFARE Darkside hack
11 //-----------------------------------------------------------------------------
15 #include "crapto1/crapto1.h"
18 // recover key from 2 different reader responses on same tag challenge
19 bool mfkey32(nonces_t data
, uint64_t *outputkey
) {
20 struct Crypto1State
*s
,*t
;
22 uint64_t key
= 0; // recovered key
23 bool isSuccess
= false;
26 s
= lfsr_recovery32(data
.ar
^ prng_successor(data
.nonce
, 64), 0);
28 for(t
= s
; t
->odd
| t
->even
; ++t
) {
29 lfsr_rollback_word(t
, 0, 0);
30 lfsr_rollback_word(t
, data
.nr
, 1);
31 lfsr_rollback_word(t
, data
.cuid
^ data
.nonce
, 0);
32 crypto1_get_lfsr(t
, &key
);
33 crypto1_word(t
, data
.cuid
^ data
.nonce
, 0);
34 crypto1_word(t
, data
.nr2
, 1);
35 if (data
.ar2
== (crypto1_word(t
, 0, 0) ^ prng_successor(data
.nonce
, 64))) {
36 //PrintAndLog("Found Key: [%012" PRIx64 "]",key);
39 if (counter
== 20) break;
42 isSuccess
= (counter
== 1);
43 *outputkey
= ( isSuccess
) ? outkey
: 0;
45 /* //un-comment to save all keys to a stats.txt file
47 if ((fout = fopen("stats.txt","ab")) == NULL) {
48 PrintAndLog("Could not create file name stats.txt");
51 fprintf(fout, "mfkey32,%d,%08x,%d,%s,%04x%08x,%.0Lf\r\n", counter, data.cuid, data.sector, (data.keytype) ? "B" : "A", (uint32_t)(outkey>>32) & 0xFFFF,(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
57 // recover key from 2 reader responses on 2 different tag challenges
58 bool mfkey32_moebius(nonces_t data
, uint64_t *outputkey
) {
59 struct Crypto1State
*s
, *t
;
61 uint64_t key
= 0; // recovered key
62 bool isSuccess
= false;
65 s
= lfsr_recovery32(data
.ar
^ prng_successor(data
.nonce
, 64), 0);
67 for(t
= s
; t
->odd
| t
->even
; ++t
) {
68 lfsr_rollback_word(t
, 0, 0);
69 lfsr_rollback_word(t
, data
.nr
, 1);
70 lfsr_rollback_word(t
, data
.cuid
^ data
.nonce
, 0);
71 crypto1_get_lfsr(t
, &key
);
73 crypto1_word(t
, data
.cuid
^ data
.nonce2
, 0);
74 crypto1_word(t
, data
.nr2
, 1);
75 if (data
.ar2
== (crypto1_word(t
, 0, 0) ^ prng_successor(data
.nonce2
, 64))) {
76 //PrintAndLog("Found Key: [%012" PRIx64 "]",key);
83 isSuccess
= (counter
== 1);
84 *outputkey
= ( isSuccess
) ? outkey
: 0;
86 /* // un-comment to output all keys to stats.txt
88 if ((fout = fopen("stats.txt","ab")) == NULL) {
89 PrintAndLog("Could not create file name stats.txt");
92 fprintf(fout, "moebius,%d,%08x,%d,%s,%04x%08x,%0.Lf\r\n", counter, data.cuid, data.sector, (data.keytype) ? "B" : "A", (uint32_t) (outkey>>32),(uint32_t)(outkey&0xFFFFFFFF),(long double)t1);
98 // recover key from reader response and tag response of one authentication sequence
99 int mfkey64(nonces_t data
, uint64_t *outputkey
){
100 uint64_t key
= 0; // recovered key
101 uint32_t ks2
; // keystream used to encrypt reader response
102 uint32_t ks3
; // keystream used to encrypt tag response
103 struct Crypto1State
*revstate
;
105 // Extract the keystream from the messages
106 ks2
= data
.ar
^ prng_successor(data
.nonce
, 64);
107 ks3
= data
.at
^ prng_successor(data
.nonce
, 96);
108 revstate
= lfsr_recovery64(ks2
, ks3
);
109 lfsr_rollback_word(revstate
, 0, 0);
110 lfsr_rollback_word(revstate
, 0, 0);
111 lfsr_rollback_word(revstate
, data
.nr
, 1);
112 lfsr_rollback_word(revstate
, data
.cuid
^ data
.nonce
, 0);
113 crypto1_get_lfsr(revstate
, &key
);
114 // PrintAndLog("Found Key: [%012" PRIx64 "]", key);
115 crypto1_destroy(revstate
);