git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdanalyse.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2016 iceman
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
7 //-----------------------------------------------------------------------------
8 // Analyse bytes commands
9 //-----------------------------------------------------------------------------
10 #include "cmdanalyse.h"
11 #include "nonce2key/nonce2key.h"
13 static int CmdHelp ( const char * Cmd
);
// Prints the help text for the `analyse lcr` command.
// NOTE(review): the text spells the checksum both "LRC" and "LCR", and the sample's
// "expected output" line (round brackets, no 0x prefix) does not match the format
// string CmdAnalyseLCR prints ("Target [%02X] ... 0x%02X"). The strings are runtime
// output and are left unchanged here.
15 int usage_analyse_lcr ( void ) {
16 PrintAndLog ( "Specifying the bytes of a UID with a known LRC will find the last byte value" );
17 PrintAndLog ( "needed to generate that LRC with a rolling XOR. All bytes should be specified in HEX." );
19 PrintAndLog ( "Usage: analyse lcr [h] <bytes>" );
20 PrintAndLog ( "Options:" );
21 PrintAndLog ( " h This help" );
22 PrintAndLog ( " <bytes> bytes to calc missing XOR in a LCR" );
24 PrintAndLog ( "Samples:" );
25 PrintAndLog ( " analyse lcr 04008064BA" );
26 PrintAndLog ( "expected output: Target (BA) requires final LRC XOR byte value: 5A" );
// Prints the help text for the `analyse chksum` command.
// NOTE(review): the description of `b <bytes>` repeats the lcr wording ("missing XOR
// in a LCR") although CmdAnalyseCHKSUM prints add, subtract and XOR sums, and the
// strings contain typos ("eachother and than", "outpuyt"). They are runtime output
// and are left unchanged here.
29 int usage_analyse_checksum ( void ) {
30 PrintAndLog ( "The bytes will be added with eachother and than limited with the applied mask" );
31 PrintAndLog ( "Finally compute ones' complement of the least significant bytes" );
33 PrintAndLog ( "Usage: analyse chksum [h] b <bytes> m <mask>" );
34 PrintAndLog ( "Options:" );
35 PrintAndLog ( " h This help" );
36 PrintAndLog ( " b <bytes> bytes to calc missing XOR in a LCR" );
37 PrintAndLog ( " m <mask> bit mask to limit the outpuyt" );
39 PrintAndLog ( "Samples:" );
40 PrintAndLog ( " analyse chksum b 137AF00A0A0D m FF" );
41 PrintAndLog ( "expected output: 0x61" );
// Prints the help text for the `analyse crc` command.
// NOTE(review): the usage line takes <bytes>, but in the visible part of CmdAnalyseCRC
// the CRC routines are only run on fixed test vectors, not on the supplied bytes.
44 int usage_analyse_crc ( void ){
45 PrintAndLog ( "A stub method to test different crc implementations inside the PM3 sourcecode. Just because you figured out the poly, doesn't mean you get the desired output" );
47 PrintAndLog ( "Usage: analyse crc [h] <bytes>" );
48 PrintAndLog ( "Options:" );
49 PrintAndLog ( " h This help" );
50 PrintAndLog ( " <bytes> bytes to calc crc" );
52 PrintAndLog ( "Samples:" );
53 PrintAndLog ( " analyse crc 137AF00A0A0D" );
// Prints the help text for the `analyse hid` command: `r` reverses a permuted key,
// `f` permutes a key, followed by the input bytes in hex.
56 int usage_analyse_hid ( void ){
57 PrintAndLog ( "Permute function from 'heart of darkness' paper." );
59 PrintAndLog ( "Usage: analyse hid [h] <r|f> <bytes>" );
60 PrintAndLog ( "Options:" );
61 PrintAndLog ( " h This help" );
62 PrintAndLog ( " r reverse permuted key" );
63 PrintAndLog ( " f permute key" );
64 PrintAndLog ( " <bytes> input bytes" );
66 PrintAndLog ( "Samples:" );
67 PrintAndLog ( " analyse hid r 0123456789abcdef" );
// Iterates over the first `len` bytes of `bytes`. The accumulator, the loop body and
// the return statement are not part of this listing; the help text describes the
// result as a rolling XOR.
// `len` is a uint8_t, so a caller passing a wider count has it truncated to 0..255.
71 static uint8_t calculateLRC ( uint8_t * bytes
, uint8_t len
) {
73 for ( uint8_t i
= 0 ; i
< len
; i
++)
// For each of the first `len` input bytes, adds CRUMB(byte, 0), CRUMB(byte, 2),
// CRUMB(byte, 4) and CRUMB(byte, 6) to `sum`.
// CRUMB is defined outside this file section; presumably it extracts the 2-bit field
// at the given bit offset - confirm against its definition.
// The declaration of `sum`, the use of `mask` and the return are not part of this listing.
78 static uint8_t calcSumCrumbAdd ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
80 for ( uint8_t i
= 0 ; i
< len
; i
++) {
81 sum
+= CRUMB ( bytes
[ i
], 0 );
82 sum
+= CRUMB ( bytes
[ i
], 2 );
83 sum
+= CRUMB ( bytes
[ i
], 4 );
84 sum
+= CRUMB ( bytes
[ i
], 6 );
// Returns the bitwise complement of calcSumCrumbAdd() for the same arguments,
// truncated to 8 bits by the uint8_t return type.
// NOTE(review): `mask` is only forwarded; it is not re-applied after the complement,
// so bits outside a narrow mask come back set.
89 static uint8_t calcSumCrumbAddOnes ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
90 return ~ calcSumCrumbAdd ( bytes
, len
, mask
);
// For each of the first `len` input bytes, adds NIBBLE_LOW(byte) and NIBBLE_HIGH(byte)
// to `sum`. Both macros are defined outside this file section.
// The declaration of `sum`, the use of `mask` and the return are not part of this listing.
92 static uint8_t calcSumNibbleAdd ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
94 for ( uint8_t i
= 0 ; i
< len
; i
++) {
95 sum
+= NIBBLE_LOW ( bytes
[ i
]);
96 sum
+= NIBBLE_HIGH ( bytes
[ i
]);
// Returns the bitwise complement of calcSumNibbleAdd() for the same arguments,
// truncated to 8 bits by the uint8_t return type. `mask` is only forwarded and is
// not re-applied after the complement.
101 static uint8_t calcSumNibbleAddOnes ( uint8_t * bytes
, uint8_t len
, uint32_t mask
){
102 return ~ calcSumNibbleAdd ( bytes
, len
, mask
);
// For each of the first `len` input bytes, XORs NIBBLE_LOW(byte) and NIBBLE_HIGH(byte)
// into `sum`. Both macros are defined outside this file section.
// The declaration of `sum`, the use of `mask` and the return are not part of this listing.
104 static uint8_t calcSumNibbleXor ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
106 for ( uint8_t i
= 0 ; i
< len
; i
++) {
107 sum
^= NIBBLE_LOW ( bytes
[ i
]);
108 sum
^= NIBBLE_HIGH ( bytes
[ i
]);
// Iterates over the first `len` bytes of `bytes`. The loop body, the use of `mask`
// and the return are not part of this listing; going by the name, the bytes are
// presumably XORed together - confirm against the full file.
113 static uint8_t calcSumByteXor ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
115 for ( uint8_t i
= 0 ; i
< len
; i
++)
// Iterates over the first `len` bytes of `bytes`. The loop body, the use of `mask`
// and the return are not part of this listing; going by the name, the bytes are
// presumably added together - confirm against the full file.
121 static uint8_t calcSumByteAdd ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
123 for ( uint8_t i
= 0 ; i
< len
; i
++)
// Returns the bitwise complement of calcSumByteAdd() for the same arguments,
// truncated to 8 bits by the uint8_t return type. `mask` is only forwarded and is
// not re-applied after the complement.
129 static uint8_t calcSumByteAddOnes ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
130 return ~ calcSumByteAdd ( bytes
, len
, mask
);
// Iterates over the first `len` bytes of `bytes`. The loop body, the use of `mask`
// and the return are not part of this listing; going by the name, the bytes are
// presumably subtracted from a running value - confirm against the full file.
135 static uint8_t calcSumByteSub ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
137 for ( uint8_t i
= 0 ; i
< len
; i
++)
// Returns the bitwise complement of calcSumByteSub() for the same arguments,
// truncated to 8 bits by the uint8_t return type. `mask` is only forwarded and is
// not re-applied after the complement.
142 static uint8_t calcSumByteSubOnes ( uint8_t * bytes
, uint8_t len
, uint32_t mask
){
143 return ~ calcSumByteSub ( bytes
, len
, mask
);
// For each of the first `len` input bytes, subtracts NIBBLE_LOW(byte) and
// NIBBLE_HIGH(byte) from `sum`. Both macros are defined outside this file section.
// The declaration of `sum`, the use of `mask` and the return are not part of this listing.
145 static uint8_t calcSumNibbleSub ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
147 for ( uint8_t i
= 0 ; i
< len
; i
++) {
148 sum
-= NIBBLE_LOW ( bytes
[ i
]);
149 sum
-= NIBBLE_HIGH ( bytes
[ i
]);
// Returns the bitwise complement of calcSumNibbleSub() for the same arguments,
// truncated to 8 bits by the uint8_t return type. `mask` is only forwarded and is
// not re-applied after the complement.
154 static uint8_t calcSumNibbleSubOnes ( uint8_t * bytes
, uint8_t len
, uint32_t mask
) {
155 return ~ calcSumNibbleSub ( bytes
, len
, mask
);
158 // measuring LFSR maximum length
// Handler for `analyse lfsr`: reads argument 0 into `iv` and argument 1 into `find`
// with param_get8ex(..., 0, 16) (presumably default 0, base 16), then for
// i = 0x01..0x2F calls legic_prng_forward(i), reads 12 bits with
// legic_prng_get_bits(12) and prints them raw, XORed with 0x40 and XORed with `find`.
// NOTE(review): where the PRNG is seeded from `iv` is not visible in this listing.
159 int CmdAnalyseLfsr ( const char * Cmd
){
161 uint16_t start_state
= 0 ; /* Any nonzero start state will work. */
162 uint16_t lfsr
= start_state
;
// NOTE(review): the inline comment above asks for a nonzero state but the value is 0;
// `lfsr` is overwritten by legic_prng_get_bits() before it is first printed.
163 //uint32_t period = 0;
165 uint8_t iv
= param_get8ex ( Cmd
, 0 , 0 , 16 );
166 uint8_t find
= param_get8ex ( Cmd
, 1 , 0 , 16 );
168 printf ( "LEGIC LFSR IV 0x%02X: \n " , iv
);
169 printf ( " bit# | lfsr | ^0x40 | 0x%02X ^ lfsr \n " , find
);
171 for ( uint8_t i
= 0x01 ; i
< 0x30 ; i
+= 1 ) {
174 legic_prng_forward ( i
);
175 lfsr
= legic_prng_get_bits ( 12 );
177 printf ( " %02X | %03X | %03X | %03X \n " , i
, lfsr
, 0x40 ^ lfsr
, find
^ lfsr
);
// Handler for `analyse lcr`: shows the help for an empty argument or 'h'/'H',
// otherwise parses argument 0 as hex into `data`, shows the help again when `len`
// is odd, and prints the value returned by calculateLRC() next to data[len - 1].
// NOTE(review): the declarations of `data` and `len`, and any adjustment of `len`
// between the parity check and the calculateLRC() call, are not visible in this listing.
// NOTE(review): the return value of param_gethex_ex() is discarded. Confirm that the
// helper limits what it writes to the size of `data`, and that `len` cannot be 0 at
// the data[len - 1] read: a non-empty argument that yields no hex digits would index
// before the start of the buffer.
181 int CmdAnalyseLCR ( const char * Cmd
) {
183 char cmdp
= param_getchar ( Cmd
, 0 );
184 if ( strlen ( Cmd
) == 0 || cmdp
== 'h' || cmdp
== 'H' ) return usage_analyse_lcr ();
187 param_gethex_ex ( Cmd
, 0 , data
, & len
);
188 if ( len
% 2 ) return usage_analyse_lcr ();
190 uint8_t finalXor
= calculateLRC ( data
, len
);
191 PrintAndLog ( "Target [%02X] requires final LRC XOR byte value: 0x%02X" , data
[ len
- 1 ] , finalXor
);
// Handler for `analyse crc`: shows the help for an empty argument, 'h'/'H', an
// odd-length argument or a param_gethex() failure; otherwise prints the results of
// the reflect()/SwapBits() helpers and of the client's CRC routines for fixed test
// vectors (the ASCII string "123456789" and the bytes 01 02 03 04).
// NOTE(review): in the visible lines the parsed `data` buffer is referenced only by
// the commented-out PrintAndLog; none of the CRC calls take it as input.
// NOTE(review): no free(data) is visible on the parse-error return or at the end of
// the function. Lines are missing from this listing, so confirm the buffer is
// released on both paths.
194 int CmdAnalyseCRC ( const char * Cmd
) {
196 char cmdp
= param_getchar ( Cmd
, 0 );
197 if ( strlen ( Cmd
) == 0 || cmdp
== 'h' || cmdp
== 'H' ) return usage_analyse_crc ();
199 int len
= strlen ( Cmd
);
200 if ( len
& 1 ) return usage_analyse_crc ();
202 // add 1 for null terminator.
203 uint8_t * data
= malloc ( len
+ 1 );
204 if ( data
== NULL
) return 1 ;
206 if ( param_gethex ( Cmd
, 0 , data
, len
)) {
208 return usage_analyse_crc ();
212 //PrintAndLog("\nTests with '%s' hex bytes", sprint_hex(data, len));
214 PrintAndLog ( " \n Tests of reflection. Two current methods in source code" );
215 PrintAndLog ( " reflect(0x3e23L,3) is %04X == 0x3e26" , reflect ( 0x3e23 L
, 3 ) );
216 PrintAndLog ( " SwapBits(0x3e23L,3) is %04X == 0x3e26" , SwapBits ( 0x3e23 L
, 3 ) );
217 PrintAndLog ( " 0xB400 == %04X" , reflect ( ( 1 << 16 | 0xb400 ), 16 ) );
220 // Test of CRC16, '123456789' string.
222 PrintAndLog ( " \n Tests with '123456789' string" );
223 uint8_t dataStr
[] = { 0x31 , 0x32 , 0x33 , 0x34 , 0x35 , 0x36 , 0x37 , 0x38 , 0x39 };
224 uint8_t legic8
= CRC8Legic ( dataStr
, sizeof ( dataStr
));
226 PrintAndLog ( "LEGIC: CRC16: %X" , CRC16Legic ( dataStr
, sizeof ( dataStr
), legic8
));
228 // The implementations below have been tested OK.
229 PrintAndLog ( "Confirmed CRC Implementations" );
230 PrintAndLog ( "LEGIC: CRC8 : %X (0xC6 expected)" , legic8
);
231 PrintAndLog ( "MAXIM: CRC8 : %X (0xA1 expected)" , CRC8Maxim ( dataStr
, sizeof ( dataStr
)));
232 PrintAndLog ( "DNP : CRC16: %X (0x82EA expected)" , CRC16_DNP ( dataStr
, sizeof ( dataStr
)));
233 PrintAndLog ( "CCITT: CRC16: %X (0xE5CC expected)" , CRC16_CCITT ( dataStr
, sizeof ( dataStr
)));
// NOTE(review): the two ICLASS lines print "(0x expected)" with no reference value,
// so their output cannot be checked against anything on screen.
235 PrintAndLog ( "ICLASS org: CRC16: %X (0x expected)" , iclass_crc16 ( ( char *) dataStr
, sizeof ( dataStr
)));
236 PrintAndLog ( "ICLASS ice: CRC16: %X (0x expected)" , CRC16_ICLASS ( dataStr
, sizeof ( dataStr
)));
240 uint8_t dataStr1234
[] = { 0x1 , 0x2 , 0x3 , 0x4 };
241 PrintAndLog ( "ISO15693 org: : CRC16: %X (0xF0B8 expected)" , Iso15693Crc ( dataStr1234
, sizeof ( dataStr1234
)));
242 PrintAndLog ( "ISO15693 ice: : CRC16: %X (0xF0B8 expected)" , CRC16_Iso15693 ( dataStr1234
, sizeof ( dataStr1234
)));
// Handler for `analyse chksum`: walks the arguments with param_getchar(), reads hex
// bytes into `data` with param_gethex_ex() and a mask (initially 0xFF) with
// param_get32ex(..., 0, 16), then prints every calcSum* variant for the parsed bytes.
// Shows the help when an error was flagged during parsing.
// NOTE(review): the case labels, the declarations of `data`, `len`, `cmdp` and `errors`,
// and the updates of `cmdp` are not visible in this listing.
// NOTE(review): the return value of param_gethex_ex() is discarded; confirm the helper
// cannot write past the end of `data`. The calcSum* helpers take a uint8_t length, so
// a wider `len` would be truncated at the call.
247 int CmdAnalyseCHKSUM ( const char * Cmd
){
251 uint32_t mask
= 0xFF ;
254 memset ( data
, 0x0 , sizeof ( data
));
256 while ( param_getchar ( Cmd
, cmdp
) != 0x00 ) {
257 switch ( param_getchar ( Cmd
, cmdp
)) {
260 param_gethex_ex ( Cmd
, cmdp
+ 1 , data
, & len
);
261 if ( len
% 2 ) errors
= true ;
267 mask
= param_get32ex ( Cmd
, cmdp
+ 1 , 0 , 16 );
272 return usage_analyse_checksum ();
274 PrintAndLog ( "Unknown parameter '%c'" , param_getchar ( Cmd
, cmdp
));
281 if ( errors
) return usage_analyse_checksum ();
283 PrintAndLog ( " \n Byte Add | 0x%X" , calcSumByteAdd ( data
, len
, mask
));
284 PrintAndLog ( "Nibble Add | 0x%X" , calcSumNibbleAdd ( data
, len
, mask
));
285 PrintAndLog ( "Crumb Add | 0x%X" , calcSumCrumbAdd ( data
, len
, mask
));
287 PrintAndLog ( " \n Byte Subtract | 0x%X" , calcSumByteSub ( data
, len
, mask
));
288 PrintAndLog ( "Nibble Subtract | 0x%X" , calcSumNibbleSub ( data
, len
, mask
));
290 PrintAndLog ( " \n CHECKSUM - One's complement" );
291 PrintAndLog ( "Byte Add | 0x%X" , calcSumByteAddOnes ( data
, len
, mask
));
292 PrintAndLog ( "Nibble Add | 0x%X" , calcSumNibbleAddOnes ( data
, len
, mask
));
293 PrintAndLog ( "Crumb Add | 0x%X" , calcSumCrumbAddOnes ( data
, len
, mask
));
295 PrintAndLog ( "Byte Subtract | 0x%X" , calcSumByteSubOnes ( data
, len
, mask
));
296 PrintAndLog ( "Nibble Subtract | 0x%X" , calcSumNibbleSubOnes ( data
, len
, mask
));
298 PrintAndLog ( " \n XOR" );
299 PrintAndLog ( "Byte Xor | 0x%X" , calcSumByteXor ( data
, len
, mask
));
300 PrintAndLog ( "Nibble Xor | 0x%X" , calcSumNibbleXor ( data
, len
, mask
));
// Placeholder handler for `analyse dates`: `Cmd` is not read in the visible lines and
// the only visible statement prints a not-implemented message.
305 int CmdAnalyseDates ( const char * Cmd
){
306 // look for datestamps in a given array of bytes
307 PrintAndLog ( "To be implemented. Feel free to contribute!" );
// Handler for `analyse tea`: parses the argument as hex into the 8-byte block `v`,
// converts `v` and a fixed 16-byte test key with SwapEndian64ex(), prints the
// converted block, then prints it again after tea_decrypt() and after two
// tea_encrypt() calls. The declaration of `keyle` is not visible in this listing.
310 int CmdAnalyseTEASelfTest ( const char * Cmd
){
312 uint8_t v
[ 8 ], v_le
[ 8 ];
313 memset ( v
, 0x00 , sizeof ( v
));
314 memset ( v_le
, 0x00 , sizeof ( v_le
));
315 uint8_t * v_ptr
= v_le
;
// NOTE(review): strlen() is narrowed to uint8_t before the clamp, so an argument of
// 256 or more characters wraps. The clamp itself allows sizeof(v) << 2 = 32, while
// 8 bytes correspond to 16 hex characters. If param_gethex() takes a count of hex
// characters and stores count / 2 bytes (as the even-length check in CmdAnalyseCRC
// suggests), a 32-character argument would store 16 bytes into the 8-byte `v`.
// Confirm the helper's contract; a limit of sizeof(v) << 1 would match the buffer.
317 uint8_t cmdlen
= strlen ( Cmd
);
318 cmdlen
= ( sizeof ( v
)<< 2 < cmdlen
) ? sizeof ( v
)<< 2 : cmdlen
;
320 if ( param_gethex ( Cmd
, 0 , v
, cmdlen
) > 0 ){
321 PrintAndLog ( "can't read hex chars, uneven? :: %u" , cmdlen
);
325 SwapEndian64ex ( v
, 8 , 4 , v_ptr
);
// Fixed key used only by this self-test.
328 uint8_t key
[ 16 ] = { 0x55 , 0xFE , 0xF6 , 0x30 , 0x62 , 0xBF , 0x0B , 0xC1 , 0xC9 , 0xB3 , 0x7C , 0x34 , 0x97 , 0x3E , 0x29 , 0xFB };
330 uint8_t * key_ptr
= keyle
;
331 SwapEndian64ex ( key
, sizeof ( key
), 4 , key_ptr
);
333 PrintAndLog ( "TEST LE enc| %s" , sprint_hex ( v_ptr
, 8 ));
335 tea_decrypt ( v_ptr
, key_ptr
);
336 PrintAndLog ( "TEST LE dec | %s" , sprint_hex_ascii ( v_ptr
, 8 ));
338 tea_encrypt ( v_ptr
, key_ptr
);
339 tea_encrypt ( v_ptr
, key_ptr
);
340 PrintAndLog ( "TEST enc2 | %s" , sprint_hex_ascii ( v_ptr
, 8 ));
// Handler for `analyse a`: calls nonce2key_ex() twice on hard-coded captures d1 and d2,
// which share the same first two values (labelled uid and nt in the notes below) and
// differ in the third and fourth (nr and ks). `Cmd` is not read in the visible lines.
// NOTE(review): the return values of both nonce2key_ex() calls are discarded, and the
// declaration of `key` and whatever is done with it afterwards are not visible in this
// listing. The command table describes this entry as "num bits test", which does not
// match what the visible code does.
345 int CmdAnalyseA ( const char * Cmd
){
348 // uid(2e086b1a) nt(230736f6) ks(0b0008000804000e) nr(000000000)
349 // uid(2e086b1a) nt(230736f6) ks(0e0b0e0b090c0d02) nr(000000001)
350 // uid(2e086b1a) nt(230736f6) ks(0e05060e01080b08) nr(000000002)
351 uint64_t d1[] = {0x2e086b1a, 0x230736f6, 0x0000001, 0x0e0b0e0b090c0d02};
352 uint64_t d2[] = {0x2e086b1a, 0x230736f6, 0x0000002, 0x0e05060e01080b08};
354 // uid(17758822) nt(c0c69e59) ks(080105020705040e) nr(00000001)
355 // uid(17758822) nt(c0c69e59) ks(01070a05050c0705) nr(00000002)
356 uint64_t d1[] = {0x17758822, 0xc0c69e59, 0x0000001, 0x080105020705040e};
357 uint64_t d2[] = {0x17758822, 0xc0c69e59, 0x0000002, 0x01070a05050c0705};
359 // uid(6e442129) nt(8f699195) ks(090d0b0305020f02) nr(00000001)
360 // uid(6e442129) nt(8f699195) ks(03030508030b0c0e) nr(00000002)
361 // uid(6e442129) nt(8f699195) ks(02010f030c0d050d) nr(00000003)
362 // uid(6e442129) nt(8f699195) ks(00040f0f0305030e) nr(00000004)
363 uint64_t d1[] = {0x6e442129, 0x8f699195, 0x0000001, 0x090d0b0305020f02};
364 uint64_t d2[] = {0x6e442129, 0x8f699195, 0x0000004, 0x00040f0f0305030e};
366 uid(3e172b29) nt(039b7bd2) ks(0c0e0f0505080800) nr(00000001)
367 uid(3e172b29) nt(039b7bd2) ks(0e06090d03000b0f) nr(00000002)
370 uint64_t d1
[] = { 0x3e172b29 , 0x039b7bd2 , 0x0000001 , 0x0c0e0f0505080800 };
371 uint64_t d2
[] = { 0x3e172b29 , 0x039b7bd2 , 0x0000002 , 0x0e06090d03000b0f };
373 nonce2key_ex ( 0 , 0 , d1
[ 0 ], d1
[ 1 ], d1
[ 2 ], d1
[ 3 ], & key
);
374 nonce2key_ex ( 0 , 0 , d2
[ 0 ], d2
[ 1 ], d2
[ 2 ], d2
[ 3 ], & key
);
// Permutes `data` into `output` in blocks of KEY_SIZE bytes (KEY_SIZE is defined
// outside this file section). Inputs longer than KEY_SIZE are handled by calling
// permute() on each KEY_SIZE-byte chunk; any other length that is not exactly
// KEY_SIZE prints "wrong key size". The bodies of the two nested loops are not part
// of this listing.
// NOTE(review): the chunk loop advances by KEY_SIZE while m < len and every call
// processes a full KEY_SIZE bytes, so a `len` that is not a multiple of KEY_SIZE makes
// the last call read and write past `len`. generate() and generate_rev() allocate
// their output with exactly `len` bytes, so validate the length before this point.
378 static void permute ( uint8_t * data
, uint8_t len
, uint8_t * output
){
381 if ( len
> KEY_SIZE
) {
382 for ( uint8_t m
= 0 ; m
< len
; m
+= KEY_SIZE
){
383 permute ( data
+ m
, KEY_SIZE
, output
+ m
);
387 if ( len
!= KEY_SIZE
) {
388 printf ( "wrong key size \n " );
392 for ( i
= 0 ; i
< KEY_SIZE
; ++ i
){
395 for ( j
= 0 ; j
< KEY_SIZE
; ++ j
){
// Applies permute() three times in a row, alternating the two buffers:
// data -> output, output -> data, data -> output. The result is left in `output`.
// Note that `data` is used as scratch space and no longer holds the caller's input
// when the function returns.
403 static void permute_rev ( uint8_t * data
, uint8_t len
, uint8_t * output
){
404 permute ( data
, len
, output
);
405 permute ( output
, len
, data
);
406 permute ( data
, len
, output
);
// Walks the first `len` bytes and, at every index whose low three bits are all set
// (7, 15, ...), stores `crc ^ 0xFF` into `output`. The declaration and update of
// `crc` and the handling of the other indices are not part of this listing.
408 static void simple_crc ( uint8_t * data
, uint8_t len
, uint8_t * output
){
410 for ( uint8_t i
= 0 ; i
< len
; ++ i
){
411 // index 7 of each 8-byte group (its eighth byte) contains the crc.
412 if ( ( i
& 0x7 ) == 0x7 ) {
413 output
[ i
] = crc
^ 0xFF ;
421 // DES doesn't use the MSB.
// Iterates over the first `len` bytes of `data`; the loop body is not part of this listing.
// NOTE(review): DES parity bits are conventionally the least significant bit of each
// key byte, so confirm which bit the loop body actually clears.
422 static void shave ( uint8_t * data
, uint8_t len
){
423 for ( uint8_t i
= 0 ; i
< len
; ++ i
)
// Prints the permuted input key, reverses the permutation into a freshly allocated
// `len`-byte buffer with permute_rev() and prints that buffer twice; a line between
// the two prints is missing from this listing.
// NOTE(review): the calloc() result is passed to permute_rev() without a NULL check,
// and permute_rev() overwrites `data` as scratch. No free(key) is visible here;
// confirm the buffer is released.
426 static void generate_rev ( uint8_t * data
, uint8_t len
) {
427 uint8_t * key
= calloc ( len
, 1 );
428 printf ( "input permuted key | %s \n " , sprint_hex ( data
, len
));
429 permute_rev ( data
, len
, key
);
430 printf ( " unpermuted key | %s \n " , sprint_hex ( key
, len
));
432 printf ( " key | %s \n " , sprint_hex ( key
, len
));
// Prints the input key, permutes it into `pkey` with permute(), then runs simple_crc()
// from `pkey` into `key`, printing the buffer after each step.
// NOTE(review): both calloc() results are used without a NULL check, and each buffer
// is exactly `len` bytes, which permute() can overrun when `len` is not a multiple of
// KEY_SIZE. No free() of `key` or `pkey` is visible in this listing; confirm both are released.
435 static void generate ( uint8_t * data
, uint8_t len
) {
436 uint8_t * key
= calloc ( len
, 1 );
437 uint8_t * pkey
= calloc ( len
, 1 );
438 printf ( " input key | %s \n " , sprint_hex ( data
, len
));
439 permute ( data
, len
, pkey
);
440 printf ( " permuted key | %s \n " , sprint_hex ( pkey
, len
));
441 simple_crc ( pkey
, len
, key
);
442 printf ( " CRC'ed key | %s \n " , sprint_hex ( key
, len
));
// Handler for `analyse hid`: shows the help for an empty argument or 'h'/'H', checks
// argument 0 for 'r'/'R', parses argument 1 as hex into the 16-byte `data`, copies its
// first 8 bytes into `key`, and prints the results of generate_rev() with
// permutekey_rev() and of permutekey(). The branch structure around those calls, the
// declaration of `len` and any adjustment of it are not visible in this listing.
// NOTE(review): the return value of param_gethex_ex() is discarded; confirm the helper
// cannot write more than sizeof(data) bytes for a long argument. memcpy() always
// copies 8 bytes regardless of `len`; shorter input is zero-padded by the initializer.
// NOTE(review): the labels and buffer names are crossed: the permutekey_rev() result is
// stored in key_std_format but printed as "holiman iclass key", and the permutekey()
// result is stored in key_iclass_format but printed as "holiman std key". Confirm
// which is intended.
446 int CmdAnalyseHid ( const char * Cmd
){
448 uint8_t key
[ 8 ] = { 0 };
449 uint8_t key_std_format
[ 8 ] = { 0 };
450 uint8_t key_iclass_format
[ 8 ] = { 0 };
451 uint8_t data
[ 16 ] = { 0 };
452 bool isReverse
= FALSE
;
454 char cmdp
= param_getchar ( Cmd
, 0 );
455 if ( strlen ( Cmd
) == 0 || cmdp
== 'h' || cmdp
== 'H' ) return usage_analyse_hid ();
457 if ( cmdp
== 'r' || cmdp
== 'R' )
460 param_gethex_ex ( Cmd
, 1 , data
, & len
);
461 if ( len
% 2 ) return usage_analyse_hid ();
465 memcpy ( key
, data
, 8 );
468 generate_rev ( data
, len
);
469 permutekey_rev ( key
, key_std_format
);
470 printf ( " holiman iclass key | %s \n " , sprint_hex ( key_std_format
, 8 ));
474 permutekey ( key
, key_iclass_format
);
475 printf ( " holiman std key | %s \n " , sprint_hex ( key_iclass_format
, 8 ));
// Dispatch table for the `analyse` sub-commands: each entry gives the sub-command name,
// its handler, a flag that is 1 for every entry here (its meaning is defined by
// command_t, which is not shown in this file section) and the one-line help text.
// The all-NULL entry terminates the table.
// NOTE(review): the sub-command is registered as "lcr" while its description and
// output say "LRC"; the description of "a" ("num bits test") does not match what the
// visible part of CmdAnalyseA does.
480 static command_t CommandTable
[] = {
481 { "help" , CmdHelp
, 1 , "This help" },
482 { "lcr" , CmdAnalyseLCR
, 1 , "Generate final byte for XOR LRC" },
483 { "crc" , CmdAnalyseCRC
, 1 , "Stub method for CRC evaluations" },
484 { "chksum" , CmdAnalyseCHKSUM
, 1 , "Checksum with adding, masking and one's complement" },
485 { "dates" , CmdAnalyseDates
, 1 , "Look for datestamps in a given array of bytes" },
486 { "tea" , CmdAnalyseTEASelfTest
, 1 , "Crypto TEA test" },
487 { "lfsr" , CmdAnalyseLfsr
, 1 , "LFSR tests" },
488 { "a" , CmdAnalyseA
, 1 , "num bits test" },
489 { "hid" , CmdAnalyseHid
, 1 , "Permute function from 'heart of darkness' paper" },
490 { NULL
, NULL
, 0 , NULL
}
// Entry point for the `analyse` command group: calls clearCommandBuffer() and then
// hands `Cmd` to CmdsParse() together with CommandTable. The return statement is not
// part of this listing.
493 int CmdAnalyse ( const char * Cmd
) {
494 clearCommandBuffer ();
495 CmdsParse ( CommandTable
, Cmd
);
// Handler for `analyse help`: passes CommandTable to CmdsHelp(). `Cmd` is not read in
// the visible lines.
// The definition omits `static`, but the forward declaration at the top of the file is
// `static`, so the function keeps internal linkage.
499 int CmdHelp ( const char * Cmd
) {
500 CmdsHelp ( CommandTable
);