1 //-----------------------------------------------------------------------------
2 // Copyright (C) Merlok - 2017
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
7 //-----------------------------------------------------------------------------
8 // Command: hf mf list. It shows data from arm buffer.
9 //-----------------------------------------------------------------------------
11 #include "cmdhflist.h"
20 #include "iso14443crc.h"
22 #include "protocols.h"
23 #include "crapto1/crapto1.h"
24 #include "mifarehost.h"
25 #include "mifaredefault.h"
38 static enum MifareAuthSeq MifareAuthState
;
39 static TAuthData AuthData
;
41 void ClearAuthData() {
44 AuthData
.first_auth
= true;
50 * @brief iso14443A_CRC_check Checks CRC in command or response
54 * @return 0 : CRC-command, CRC not ok
55 * 1 : CRC-command, CRC ok
58 uint8_t iso14443A_CRC_check(bool isResponse
, uint8_t* data
, uint8_t len
)
62 if(len
<= 2) return 2;
64 if(isResponse
& (len
< 6)) return 2;
66 ComputeCrc14443(CRC_14443_A
, data
, len
-2, &b1
, &b2
);
67 if (b1
!= data
[len
-2] || b2
!= data
[len
-1]) {
74 uint8_t mifare_CRC_check(bool isResponse
, uint8_t* data
, uint8_t len
)
76 switch(MifareAuthState
) {
79 return iso14443A_CRC_check(isResponse
, data
, len
);
85 void annotateIclass(char *exp
, size_t size
, uint8_t* cmd
, uint8_t cmdsize
)
89 case ICLASS_CMD_ACTALL
: snprintf(exp
,size
,"ACTALL"); break;
90 case ICLASS_CMD_READ_OR_IDENTIFY
:{
92 snprintf(exp
,size
,"READ(%d)",cmd
[1]);
94 snprintf(exp
,size
,"IDENTIFY");
98 case ICLASS_CMD_SELECT
: snprintf(exp
,size
,"SELECT"); break;
99 case ICLASS_CMD_PAGESEL
: snprintf(exp
,size
,"PAGESEL(%d)", cmd
[1]); break;
100 case ICLASS_CMD_READCHECK_KC
:snprintf(exp
,size
,"READCHECK[Kc](%d)", cmd
[1]); break;
101 case ICLASS_CMD_READCHECK_KD
:snprintf(exp
,size
,"READCHECK[Kd](%d)", cmd
[1]); break;
102 case ICLASS_CMD_CHECK
: snprintf(exp
,size
,"CHECK"); break;
103 case ICLASS_CMD_DETECT
: snprintf(exp
,size
,"DETECT"); break;
104 case ICLASS_CMD_HALT
: snprintf(exp
,size
,"HALT"); break;
105 case ICLASS_CMD_UPDATE
: snprintf(exp
,size
,"UPDATE(%d)",cmd
[1]); break;
106 case ICLASS_CMD_ACT
: snprintf(exp
,size
,"ACT"); break;
107 case ICLASS_CMD_READ4
: snprintf(exp
,size
,"READ4(%d)",cmd
[1]); break;
108 default: snprintf(exp
,size
,"?"); break;
113 void annotateIso15693(char *exp
, size_t size
, uint8_t* cmd
, uint8_t cmdsize
)
119 case ISO15693_INVENTORY
:snprintf(exp
, size
, "INVENTORY");break;
120 case ISO15693_STAYQUIET
:snprintf(exp
, size
, "STAY_QUIET");break;
121 default: snprintf(exp
,size
,"?"); break;
124 }else if(cmd
[0] == 0x02)
128 case ISO15693_READBLOCK
:snprintf(exp
, size
, "READBLOCK");break;
129 case ISO15693_WRITEBLOCK
:snprintf(exp
, size
, "WRITEBLOCK");break;
130 case ISO15693_LOCKBLOCK
:snprintf(exp
, size
, "LOCKBLOCK");break;
131 case ISO15693_READ_MULTI_BLOCK
:snprintf(exp
, size
, "READ_MULTI_BLOCK");break;
132 case ISO15693_SELECT
:snprintf(exp
, size
, "SELECT");break;
133 case ISO15693_RESET_TO_READY
:snprintf(exp
, size
, "RESET_TO_READY");break;
134 case ISO15693_WRITE_AFI
:snprintf(exp
, size
, "WRITE_AFI");break;
135 case ISO15693_LOCK_AFI
:snprintf(exp
, size
, "LOCK_AFI");break;
136 case ISO15693_WRITE_DSFID
:snprintf(exp
, size
, "WRITE_DSFID");break;
137 case ISO15693_LOCK_DSFID
:snprintf(exp
, size
, "LOCK_DSFID");break;
138 case ISO15693_GET_SYSTEM_INFO
:snprintf(exp
, size
, "GET_SYSTEM_INFO");break;
139 case ISO15693_READ_MULTI_SECSTATUS
:snprintf(exp
, size
, "READ_MULTI_SECSTATUS");break;
140 default: snprintf(exp
,size
,"?"); break;
146 void annotateTopaz(char *exp
, size_t size
, uint8_t* cmd
, uint8_t cmdsize
)
149 case TOPAZ_REQA
:snprintf(exp
, size
, "REQA");break;
150 case TOPAZ_WUPA
:snprintf(exp
, size
, "WUPA");break;
151 case TOPAZ_RID
:snprintf(exp
, size
, "RID");break;
152 case TOPAZ_RALL
:snprintf(exp
, size
, "RALL");break;
153 case TOPAZ_READ
:snprintf(exp
, size
, "READ");break;
154 case TOPAZ_WRITE_E
:snprintf(exp
, size
, "WRITE-E");break;
155 case TOPAZ_WRITE_NE
:snprintf(exp
, size
, "WRITE-NE");break;
156 case TOPAZ_RSEG
:snprintf(exp
, size
, "RSEG");break;
157 case TOPAZ_READ8
:snprintf(exp
, size
, "READ8");break;
158 case TOPAZ_WRITE_E8
:snprintf(exp
, size
, "WRITE-E8");break;
159 case TOPAZ_WRITE_NE8
:snprintf(exp
, size
, "WRITE-NE8");break;
160 default: snprintf(exp
,size
,"?"); break;
167 0E xx = SELECT ID (xx = Chip-ID)
169 08 yy = Read Block (yy = block number)
170 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written)
171 0C = Reset to Inventory
173 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate)
176 void annotateIso14443b(char *exp
, size_t size
, uint8_t* cmd
, uint8_t cmdsize
)
179 case ISO14443B_REQB
: snprintf(exp
,size
,"REQB");break;
180 case ISO14443B_ATTRIB
: snprintf(exp
,size
,"ATTRIB");break;
181 case ISO14443B_HALT
: snprintf(exp
,size
,"HALT");break;
182 case ISO14443B_INITIATE
: snprintf(exp
,size
,"INITIATE");break;
183 case ISO14443B_SELECT
: snprintf(exp
,size
,"SELECT(%d)",cmd
[1]);break;
184 case ISO14443B_GET_UID
: snprintf(exp
,size
,"GET UID");break;
185 case ISO14443B_READ_BLK
: snprintf(exp
,size
,"READ_BLK(%d)", cmd
[1]);break;
186 case ISO14443B_WRITE_BLK
: snprintf(exp
,size
,"WRITE_BLK(%d)",cmd
[1]);break;
187 case ISO14443B_RESET
: snprintf(exp
,size
,"RESET");break;
188 case ISO14443B_COMPLETION
: snprintf(exp
,size
,"COMPLETION");break;
189 case ISO14443B_AUTHENTICATE
: snprintf(exp
,size
,"AUTHENTICATE");break;
190 default : snprintf(exp
,size
,"?");break;
195 void annotateIso14443a(char *exp
, size_t size
, uint8_t* cmd
, uint8_t cmdsize
)
199 case ISO14443A_CMD_WUPA
:
200 snprintf(exp
,size
,"WUPA");
202 case ISO14443A_CMD_ANTICOLL_OR_SELECT
:{
203 // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
204 // 93 70 = Select (usage: 9370+5bytes 9320 answer - answer: 1byte SAK)
207 snprintf(exp
,size
,"SELECT_UID"); break;
210 snprintf(exp
,size
,"ANTICOLL"); break;
213 case ISO14443A_CMD_ANTICOLL_OR_SELECT_2
:{
214 //95 20 = Anticollision of cascade level2
215 //95 70 = Select of cascade level2
218 snprintf(exp
,size
,"SELECT_UID-2"); break;
221 snprintf(exp
,size
,"ANTICOLL-2"); break;
224 case ISO14443A_CMD_REQA
:
225 snprintf(exp
,size
,"REQA");
227 case ISO14443A_CMD_READBLOCK
: snprintf(exp
,size
,"READBLOCK(%d)",cmd
[1]); break;
228 case ISO14443A_CMD_WRITEBLOCK
: snprintf(exp
,size
,"WRITEBLOCK(%d)",cmd
[1]); break;
229 case ISO14443A_CMD_HALT
:
230 snprintf(exp
,size
,"HALT");
231 MifareAuthState
= masNone
;
233 case ISO14443A_CMD_RATS
: snprintf(exp
,size
,"RATS"); break;
234 case MIFARE_CMD_INC
: snprintf(exp
,size
,"INC(%d)",cmd
[1]); break;
235 case MIFARE_CMD_DEC
: snprintf(exp
,size
,"DEC(%d)",cmd
[1]); break;
236 case MIFARE_CMD_RESTORE
: snprintf(exp
,size
,"RESTORE(%d)",cmd
[1]); break;
237 case MIFARE_CMD_TRANSFER
: snprintf(exp
,size
,"TRANSFER(%d)",cmd
[1]); break;
238 case MIFARE_AUTH_KEYA
:
240 snprintf(exp
,size
,"AUTH-A(%d)",cmd
[1]);
241 MifareAuthState
= masNt
;
243 // case MIFARE_ULEV1_VERSION : both 0x60.
244 snprintf(exp
,size
,"EV1 VERSION");
247 case MIFARE_AUTH_KEYB
:
248 MifareAuthState
= masNt
;
249 snprintf(exp
,size
,"AUTH-B(%d)",cmd
[1]);
251 case MIFARE_MAGICWUPC1
: snprintf(exp
,size
,"MAGIC WUPC1"); break;
252 case MIFARE_MAGICWUPC2
: snprintf(exp
,size
,"MAGIC WUPC2"); break;
253 case MIFARE_MAGICWIPEC
: snprintf(exp
,size
,"MAGIC WIPEC"); break;
254 case MIFARE_ULC_AUTH_1
: snprintf(exp
,size
,"AUTH "); break;
255 case MIFARE_ULC_AUTH_2
: snprintf(exp
,size
,"AUTH_ANSW"); break;
256 case MIFARE_ULEV1_AUTH
:
258 snprintf(exp
,size
,"PWD-AUTH KEY: 0x%02x%02x%02x%02x", cmd
[1], cmd
[2], cmd
[3], cmd
[4] );
260 snprintf(exp
,size
,"PWD-AUTH");
262 case MIFARE_ULEV1_FASTREAD
:{
263 if ( cmdsize
>=3 && cmd
[2] <= 0xE6)
264 snprintf(exp
,size
,"READ RANGE (%d-%d)",cmd
[1],cmd
[2]);
266 snprintf(exp
,size
,"?");
269 case MIFARE_ULC_WRITE
:{
271 snprintf(exp
,size
,"WRITEBLOCK(%d)",cmd
[1]);
273 snprintf(exp
,size
,"?");
276 case MIFARE_ULEV1_READ_CNT
:{
278 snprintf(exp
,size
,"READ CNT(%d)",cmd
[1]);
280 snprintf(exp
,size
,"?");
283 case MIFARE_ULEV1_INCR_CNT
:{
285 snprintf(exp
,size
,"INCR(%d)",cmd
[1]);
287 snprintf(exp
,size
,"?");
290 case MIFARE_ULEV1_READSIG
: snprintf(exp
,size
,"READ_SIG"); break;
291 case MIFARE_ULEV1_CHECKTEAR
: snprintf(exp
,size
,"CHK_TEARING(%d)",cmd
[1]); break;
292 case MIFARE_ULEV1_VCSL
: snprintf(exp
,size
,"VCSL"); break;
293 default: snprintf(exp
,size
,"?"); break;
298 void annotateMifare(char *exp
, size_t size
, uint8_t* cmd
, uint8_t cmdsize
, uint8_t* parity
, uint8_t paritysize
, bool isResponse
) {
299 if (!isResponse
&& cmdsize
== 1) {
301 case ISO14443A_CMD_WUPA
:
302 case ISO14443A_CMD_REQA
:
303 MifareAuthState
= masNone
;
311 if (MifareAuthState
== masNone
) {
312 if (cmdsize
== 9 && cmd
[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT
&& cmd
[1] == 0x70) {
314 AuthData
.uid
= bytes_to_num(&cmd
[2], 4);
316 if (cmdsize
== 9 && cmd
[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2
&& cmd
[1] == 0x70) {
318 AuthData
.uid
= bytes_to_num(&cmd
[2], 4);
322 switch(MifareAuthState
) {
324 if (cmdsize
== 4 && isResponse
) {
325 snprintf(exp
,size
,"AUTH: nt %s", (AuthData
.first_auth
) ? "" : "(enc)");
326 MifareAuthState
= masNrAr
;
327 if (AuthData
.first_auth
) {
328 AuthData
.nt
= bytes_to_num(cmd
, 4);
330 AuthData
.nt_enc
= bytes_to_num(cmd
, 4);
331 AuthData
.nt_enc_par
= parity
[0];
335 MifareAuthState
= masError
;
339 if (cmdsize
== 8 && !isResponse
) {
340 snprintf(exp
,size
,"AUTH: nr ar (enc)");
341 MifareAuthState
= masAt
;
342 AuthData
.nr_enc
= bytes_to_num(cmd
, 4);
343 AuthData
.ar_enc
= bytes_to_num(&cmd
[4], 4);
344 AuthData
.ar_enc_par
= parity
[0] << 4;
347 MifareAuthState
= masError
;
351 if (cmdsize
== 4 && isResponse
) {
352 snprintf(exp
,size
,"AUTH: at (enc)");
353 MifareAuthState
= masAuthComplete
;
354 AuthData
.at_enc
= bytes_to_num(cmd
, 4);
355 AuthData
.at_enc_par
= parity
[0];
358 MifareAuthState
= masError
;
365 if (!isResponse
&& ((MifareAuthState
== masNone
) || (MifareAuthState
== masError
)))
366 annotateIso14443a(exp
, size
, cmd
, cmdsize
);
370 bool DecodeMifareData(uint8_t *cmd
, uint8_t cmdsize
, uint8_t *parity
, bool isResponse
, uint8_t *mfData
, size_t *mfDataLen
) {
371 static struct Crypto1State
*traceCrypto1
;
372 static uint64_t mfLastKey
;
376 if (MifareAuthState
== masAuthComplete
) {
378 crypto1_destroy(traceCrypto1
);
382 MifareAuthState
= masFirstData
;
389 if (MifareAuthState
== masFirstData
) {
390 if (AuthData
.first_auth
) {
391 AuthData
.ks2
= AuthData
.ar_enc
^ prng_successor(AuthData
.nt
, 64);
392 AuthData
.ks3
= AuthData
.at_enc
^ prng_successor(AuthData
.nt
, 96);
394 mfLastKey
= GetCrypto1ProbableKey(&AuthData
);
395 PrintAndLog(" | * | key | probable key:%012"PRIx64
" Prng:%s ks2:%08x ks3:%08x | |",
397 validate_prng_nonce(AuthData
.nt
) ? "WEAK": "HARD",
401 AuthData
.first_auth
= false;
403 traceCrypto1
= lfsr_recovery64(AuthData
.ks2
, AuthData
.ks3
);
406 crypto1_destroy(traceCrypto1
);
410 // check last used key
412 if (NestedCheckKey(mfLastKey
, &AuthData
, cmd
, cmdsize
, parity
)) {
413 PrintAndLog(" | * | key | last used key:%012"PRIx64
" ks2:%08x ks3:%08x | |",
418 traceCrypto1
= lfsr_recovery64(AuthData
.ks2
, AuthData
.ks3
);
422 // check default keys
424 for (int defaultKeyCounter
= 0; defaultKeyCounter
< MifareDefaultKeysSize
; defaultKeyCounter
++){
425 if (NestedCheckKey(MifareDefaultKeys
[defaultKeyCounter
], &AuthData
, cmd
, cmdsize
, parity
)) {
426 PrintAndLog(" | * | key | default key:%012"PRIx64
" ks2:%08x ks3:%08x | |",
427 MifareDefaultKeys
[defaultKeyCounter
],
431 mfLastKey
= MifareDefaultKeys
[defaultKeyCounter
];
432 traceCrypto1
= lfsr_recovery64(AuthData
.ks2
, AuthData
.ks3
);
439 if (!traceCrypto1
&& validate_prng_nonce(AuthData
.nt
)) {
440 uint32_t ntx
= prng_successor(AuthData
.nt
, 90);
441 for (int i
= 0; i
< 16383; i
++) {
442 ntx
= prng_successor(ntx
, 1);
443 if (NTParityChk(&AuthData
, ntx
)){
445 uint32_t ks2
= AuthData
.ar_enc
^ prng_successor(ntx
, 64);
446 uint32_t ks3
= AuthData
.at_enc
^ prng_successor(ntx
, 96);
447 struct Crypto1State
*pcs
= lfsr_recovery64(ks2
, ks3
);
448 memcpy(mfData
, cmd
, cmdsize
);
449 mf_crypto1_decrypt(pcs
, mfData
, cmdsize
, 0);
451 crypto1_destroy(pcs
);
452 if (CheckCrypto1Parity(cmd
, cmdsize
, mfData
, parity
) && CheckCrc14443(CRC_14443_A
, mfData
, cmdsize
)) {
457 mfLastKey
= GetCrypto1ProbableKey(&AuthData
);
458 PrintAndLog(" | * | key | nested probable key:%012"PRIx64
" ks2:%08x ks3:%08x | |",
463 traceCrypto1
= lfsr_recovery64(AuthData
.ks2
, AuthData
.ks3
);
472 printf("hardnested not implemented. uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData
.uid
, AuthData
.nt
, AuthData
.ar_enc
, AuthData
.at_enc
);
473 MifareAuthState
= masError
;
475 /* TOO SLOW( needs to have more strong filter. with this filter - aprox 4 mln tests
476 uint32_t t = msclock();
479 for (uint32_t i = 0; i < 0xFFFFFFFF; i++) {
480 if (NTParityChk(&AuthData, i)){
482 uint32_t ks2 = AuthData.ar_enc ^ prng_successor(i, 64);
483 uint32_t ks3 = AuthData.at_enc ^ prng_successor(i, 96);
484 struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3);
492 printf("delta=%d n=%d ks2=%x ks3=%x \n", msclock() - t1 , n, ks2, ks3);
498 printf("delta=%d n=%d\n", msclock() - t, n);
505 MifareAuthState
= masData
;
508 if (MifareAuthState
== masData
&& traceCrypto1
) {
509 memcpy(mfData
, cmd
, cmdsize
);
510 mf_crypto1_decrypt(traceCrypto1
, mfData
, cmdsize
, 0);
511 *mfDataLen
= cmdsize
;
514 return *mfDataLen
> 0;
517 bool NTParityChk(TAuthData
*ad
, uint32_t ntx
) {
519 (oddparity8(ntx
>> 8 & 0xff) ^ (ntx
& 0x01) ^ ((ad
->nt_enc_par
>> 5) & 0x01) ^ (ad
->nt_enc
& 0x01)) ||
520 (oddparity8(ntx
>> 16 & 0xff) ^ (ntx
>> 8 & 0x01) ^ ((ad
->nt_enc_par
>> 6) & 0x01) ^ (ad
->nt_enc
>> 8 & 0x01)) ||
521 (oddparity8(ntx
>> 24 & 0xff) ^ (ntx
>> 16 & 0x01) ^ ((ad
->nt_enc_par
>> 7) & 0x01) ^ (ad
->nt_enc
>> 16 & 0x01))
525 uint32_t ar
= prng_successor(ntx
, 64);
527 (oddparity8(ar
>> 8 & 0xff) ^ (ar
& 0x01) ^ ((ad
->ar_enc_par
>> 5) & 0x01) ^ (ad
->ar_enc
& 0x01)) ||
528 (oddparity8(ar
>> 16 & 0xff) ^ (ar
>> 8 & 0x01) ^ ((ad
->ar_enc_par
>> 6) & 0x01) ^ (ad
->ar_enc
>> 8 & 0x01)) ||
529 (oddparity8(ar
>> 24 & 0xff) ^ (ar
>> 16 & 0x01) ^ ((ad
->ar_enc_par
>> 7) & 0x01) ^ (ad
->ar_enc
>> 16 & 0x01))
533 uint32_t at
= prng_successor(ntx
, 96);
535 (oddparity8(ar
& 0xff) ^ (at
>> 24 & 0x01) ^ ((ad
->ar_enc_par
>> 4) & 0x01) ^ (ad
->at_enc
>> 24 & 0x01)) ||
536 (oddparity8(at
>> 8 & 0xff) ^ (at
& 0x01) ^ ((ad
->at_enc_par
>> 5) & 0x01) ^ (ad
->at_enc
& 0x01)) ||
537 (oddparity8(at
>> 16 & 0xff) ^ (at
>> 8 & 0x01) ^ ((ad
->at_enc_par
>> 6) & 0x01) ^ (ad
->at_enc
>> 8 & 0x01)) ||
538 (oddparity8(at
>> 24 & 0xff) ^ (at
>> 16 & 0x01) ^ ((ad
->at_enc_par
>> 7) & 0x01) ^ (ad
->at_enc
>> 16 & 0x01))
545 bool NestedCheckKey(uint64_t key
, TAuthData
*ad
, uint8_t *cmd
, uint8_t cmdsize
, uint8_t *parity
) {
546 uint8_t buf
[32] = {0};
547 struct Crypto1State
*pcs
;
552 pcs
= crypto1_create(key
);
553 uint32_t nt1
= crypto1_word(pcs
, ad
->nt_enc
^ ad
->uid
, 1) ^ ad
->nt_enc
;
554 uint32_t ar
= prng_successor(nt1
, 64);
555 uint32_t at
= prng_successor(nt1
, 96);
557 crypto1_word(pcs
, ad
->nr_enc
, 1);
558 // uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; // if needs deciphered nr
559 uint32_t ar1
= crypto1_word(pcs
, 0, 0) ^ ad
->ar_enc
;
560 uint32_t at1
= crypto1_word(pcs
, 0, 0) ^ ad
->at_enc
;
562 if (!(ar
== ar1
&& at
== at1
&& NTParityChk(ad
, nt1
)))
565 memcpy(buf
, cmd
, cmdsize
);
566 mf_crypto1_decrypt(pcs
, buf
, cmdsize
, 0);
568 crypto1_destroy(pcs
);
570 if (!CheckCrypto1Parity(cmd
, cmdsize
, buf
, parity
))
573 if(!CheckCrc14443(CRC_14443_A
, buf
, cmdsize
))
577 AuthData
.ks2
= AuthData
.ar_enc
^ ar
;
578 AuthData
.ks3
= AuthData
.at_enc
^ at
;
583 bool CheckCrypto1Parity(uint8_t *cmd_enc
, uint8_t cmdsize
, uint8_t *cmd
, uint8_t *parity_enc
) {
584 for (int i
= 0; i
< cmdsize
- 1; i
++) {
585 if (oddparity8(cmd
[i
]) ^ (cmd
[i
+ 1] & 0x01) ^ ((parity_enc
[i
/ 8] >> (7 - i
% 8)) & 0x01) ^ (cmd_enc
[i
+ 1] & 0x01))
592 uint64_t GetCrypto1ProbableKey(TAuthData
*ad
) {
593 struct Crypto1State
*revstate
= lfsr_recovery64(ad
->ks2
, ad
->ks3
);
594 lfsr_rollback_word(revstate
, 0, 0);
595 lfsr_rollback_word(revstate
, 0, 0);
596 lfsr_rollback_word(revstate
, ad
->nr_enc
, 1);
597 lfsr_rollback_word(revstate
, ad
->uid
^ ad
->nt
, 0);
600 crypto1_get_lfsr(revstate
, &lfsr
);
601 crypto1_destroy(revstate
);