]>
git.zerfleddert.de Git - proxmark3-svn/blob - client/mifare/mifarehost.c
2 // people from mifare@nethemba.com, 2010
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
7 //-----------------------------------------------------------------------------
9 //-----------------------------------------------------------------------------
11 #include "mifarehost.h"
19 #include "crapto1/crapto1.h"
26 #include "iso14443crc.h"
27 #include "util_posix.h"
32 // mifare tracer flags used in mfTraceDecode()
33 #define TRACE_IDLE 0x00
34 #define TRACE_AUTH1 0x01
35 #define TRACE_AUTH2 0x02
36 #define TRACE_AUTH_OK 0x03
37 #define TRACE_READ_DATA 0x04
38 #define TRACE_WRITE_OK 0x05
39 #define TRACE_WRITE_DATA 0x06
40 #define TRACE_ERROR 0xFF
43 static int compare_uint64 ( const void * a
, const void * b
) {
44 // didn't work: (the result is truncated to 32 bits)
45 //return (*(int64_t*)b - *(int64_t*)a);
48 if (*( uint64_t *) b
== *( uint64_t *) a
) return 0 ;
49 else if (*( uint64_t *) b
< *( uint64_t *) a
) return 1 ;
54 // create the intersection (common members) of two sorted lists. Lists are terminated by -1. Result will be in list1. Number of elements is returned.
55 static uint32_t intersection ( uint64_t * list1
, uint64_t * list2
)
57 if ( list1
== NULL
|| list2
== NULL
) {
60 uint64_t * p1
, * p2
, * p3
;
64 while ( * p1
!= - 1 && * p2
!= - 1 ) {
65 if ( compare_uint64 ( p1
, p2
) == 0 ) {
70 while ( compare_uint64 ( p1
, p2
) < 0 ) ++ p1
;
71 while ( compare_uint64 ( p1
, p2
) > 0 ) ++ p2
;
79 // Darkside attack (hf mf mifare)
80 static uint32_t nonce2key ( uint32_t uid
, uint32_t nt
, uint32_t nr
, uint32_t ar
, uint64_t par_info
, uint64_t ks_info
, uint64_t ** keys
) {
81 struct Crypto1State
* states
;
83 uint8_t bt
, ks3x
[ 8 ], par
[ 8 ][ 8 ];
84 uint64_t key_recovered
;
87 // Reset the last three significant bits of the reader nonce
90 for ( pos
= 0 ; pos
< 8 ; pos
++) {
91 ks3x
[ 7 - pos
] = ( ks_info
>> ( pos
* 8 )) & 0x0f ;
92 bt
= ( par_info
>> ( pos
* 8 )) & 0xff ;
94 par
[ 7 - pos
][ i
] = ( bt
>> i
) & 0x01 ;
98 states
= lfsr_common_prefix ( nr
, ar
, ks3x
, par
, ( par_info
== 0 ));
100 if ( states
== NULL
) {
105 keylist
= ( uint64_t *) states
;
107 for ( i
= 0 ; keylist
[ i
]; i
++) {
108 lfsr_rollback_word ( states
+ i
, uid
^ nt
, 0 );
109 crypto1_get_lfsr ( states
+ i
, & key_recovered
);
110 keylist
[ i
] = key_recovered
;
119 int mfDarkside ( uint64_t * key
) {
121 uint32_t nt
= 0 , nr
= 0 , ar
= 0 ;
122 uint64_t par_list
= 0 , ks_list
= 0 ;
123 uint64_t * keylist
= NULL
, * last_keylist
= NULL
;
124 uint32_t keycount
= 0 ;
127 UsbCommand c
= { CMD_READER_MIFARE
, { true , 0 , 0 }};
130 printf ( "------------------------------------------------------------------------- \n " );
131 printf ( "Executing command. Expected execution time: 25sec on average \n " );
132 printf ( "Press button on the proxmark3 device to abort both proxmark3 and client. \n " );
133 printf ( "------------------------------------------------------------------------- \n " );
137 clearCommandBuffer ();
142 int c
= getchar (); ( void ) c
;
155 if ( WaitForResponseTimeout ( CMD_ACK
, & resp
, 1000 )) {
160 uid
= ( uint32_t ) bytes_to_num ( resp
. d
. asBytes
+ 0 , 4 );
161 nt
= ( uint32_t ) bytes_to_num ( resp
. d
. asBytes
+ 4 , 4 );
162 par_list
= bytes_to_num ( resp
. d
. asBytes
+ 8 , 8 );
163 ks_list
= bytes_to_num ( resp
. d
. asBytes
+ 16 , 8 );
164 nr
= ( uint32_t ) bytes_to_num ( resp
. d
. asBytes
+ 24 , 4 );
165 ar
= ( uint32_t ) bytes_to_num ( resp
. d
. asBytes
+ 28 , 4 );
170 if ( par_list
== 0 && c
. arg
[ 0 ] == true ) {
171 PrintAndLog ( "Parity is all zero. Most likely this card sends NACK on every failed authentication." );
175 keycount
= nonce2key ( uid
, nt
, nr
, ar
, par_list
, ks_list
, & keylist
);
178 PrintAndLog ( "Key not found (lfsr_common_prefix list is null). Nt=%08x" , nt
);
179 PrintAndLog ( "This is expected to happen in 25%% of all cases. Trying again with a different reader nonce..." );
184 qsort ( keylist
, keycount
, sizeof (* keylist
), compare_uint64
);
185 keycount
= intersection ( last_keylist
, keylist
);
188 last_keylist
= keylist
;
194 PrintAndLog ( "Found %u possible keys. Trying to authenticate with each of them ... \n " , keycount
);
196 PrintAndLog ( "Found a possible key. Trying to authenticate... \n " );
199 uint8_t * keys_to_chk
= malloc ( keycount
* 6 );
200 for ( int i
= 0 ; i
< keycount
; i
++) {
201 num_to_bytes ( keylist
[ i
], 6 , keys_to_chk
+ i
);
205 mfCheckKeys ( 0 , 0 , 0 , false , keycount
, keys_to_chk
, key
);
214 PrintAndLog ( "Authentication failed. Trying again..." );
216 last_keylist
= keylist
;
224 static int mfCheckKeysEx ( uint8_t blockNo
, uint8_t keyType
, uint16_t timeout14a
, bool clear_trace
, uint32_t keycnt
, uint8_t * keys
, uint64_t * found_key
, bool fixed_nonce
) {
226 bool display_progress
= false ;
227 uint64_t start_time
= msclock ();
228 uint64_t next_print_time
= start_time
+ 5 * 1000 ;
231 PrintAndLog ( "We have %d keys to check. This can take some time!" , keycnt
);
232 PrintAndLog ( "Press button to abort." );
233 display_progress
= true ;
236 uint8_t bytes_per_key
= fixed_nonce
? 5 : 6 ;
237 uint32_t max_keys
= keycnt
> USB_CMD_DATA_SIZE
/ bytes_per_key
? USB_CMD_DATA_SIZE
/ bytes_per_key
: keycnt
;
239 bool multisectorCheck
= false ;
241 for ( int i
= 0 , ii
= 0 ; i
< keycnt
; i
+= max_keys
) {
243 if (( i
+ max_keys
) >= keycnt
) {
244 max_keys
= keycnt
- i
;
247 bool init
= ( i
== 0 );
248 bool drop_field
= ( max_keys
== keycnt
);
249 uint8_t flags
= clear_trace
| multisectorCheck
<< 1 | init
<< 2 | drop_field
<< 3 | fixed_nonce
<< 4 ;
251 UsbCommand c
= { CMD_MIFARE_CHKKEYS
, {(( blockNo
& 0xff ) | (( keyType
& 0xff ) << 8 )), flags
| timeout14a
<< 16 , max_keys
}};
252 memcpy ( c
. d
. asBytes
, keys
+ i
* bytes_per_key
, max_keys
* bytes_per_key
);
256 if (! WaitForResponseTimeout ( CMD_ACK
, & resp
, 3000 ))
259 if (( resp
. arg
[ 0 ] & 0xff ) != 0x01 ) {
260 if (( int ) resp
. arg
[ 1 ] < 0 ) { // error or user aborted
261 return ( int ) resp
. arg
[ 1 ];
262 } else { // nothing found yet
263 if ( display_progress
&& msclock () >= next_print_time
) {
264 float brute_force_per_second
= ( float )( i
- ii
) / ( float )( msclock () - start_time
) * 1000.0 ;
266 start_time
= msclock ();
267 next_print_time
= start_time
+ 10 * 1000 ;
268 PrintAndLog ( " %8d keys left | %5.1f keys/sec | worst case %6.1f seconds remaining" , keycnt
- i
, brute_force_per_second
, ( keycnt
- i
)/ brute_force_per_second
);
273 * found_key
= i
+ resp
. arg
[ 1 ] - 1 ;
275 * found_key
= bytes_to_num ( resp
. d
. asBytes
, 6 );
281 return 2 ; // nothing found
285 int mfCheckKeys ( uint8_t blockNo
, uint8_t keyType
, uint16_t timeout14a
, bool clear_trace
, uint32_t keycnt
, uint8_t * keys
, uint64_t * found_key
) {
286 return mfCheckKeysEx ( blockNo
, keyType
, timeout14a
, clear_trace
, keycnt
, keys
, found_key
, false );
290 static int mfCheckKeysFixedNonce ( uint8_t blockNo
, uint8_t keyType
, uint16_t timeout14a
, bool clear_trace
, uint32_t keycnt
, uint8_t * keys
, uint32_t * key_index
) {
291 return mfCheckKeysEx ( blockNo
, keyType
, timeout14a
, clear_trace
, keycnt
, keys
, ( uint64_t *) key_index
, true );
295 int mfCheckKeysSec ( uint8_t sectorCnt
, uint8_t keyType
, uint16_t timeout14a
, bool clear_trace
, bool init
, bool drop_field
, uint8_t keycnt
, uint8_t * keyBlock
, sector_t
* e_sector
) {
299 if ( e_sector
== NULL
)
302 bool multisectorCheck
= true ;
303 uint8_t flags
= clear_trace
| multisectorCheck
<< 1 | init
<< 2 | drop_field
<< 3 ;
305 UsbCommand c
= { CMD_MIFARE_CHKKEYS
, {(( sectorCnt
& 0xff ) | (( keyType
& 0xff ) << 8 )), flags
| timeout14a
<< 16 , keycnt
}};
306 memcpy ( c
. d
. asBytes
, keyBlock
, 6 * keycnt
);
310 if (! WaitForResponseTimeoutW ( CMD_ACK
, & resp
, MAX ( 3000 , 1000 + 13 * sectorCnt
* keycnt
* ( keyType
== 2 ? 2 : 1 )), false )) return 1 ; // timeout: 13 ms / fail auth
311 if (( resp
. arg
[ 0 ] & 0xff ) != 0x01 ) return 2 ;
313 bool foundAKey
= false ;
314 for ( int sec
= 0 ; sec
< sectorCnt
; sec
++){
315 for ( int keyAB
= 0 ; keyAB
< 2 ; keyAB
++){
316 keyPtr
= *( resp
. d
. asBytes
+ keyAB
* 40 + sec
);
318 e_sector
[ sec
]. foundKey
[ keyAB
] = true ;
319 e_sector
[ sec
]. Key
[ keyAB
] = bytes_to_num ( keyBlock
+ ( keyPtr
- 1 ) * 6 , 6 );
324 return foundAKey
? 0 : 3 ;
327 // Compare 16 Bits out of cryptostate
328 int Compare16Bits ( const void * a
, const void * b
) {
329 if ((*( uint64_t *) b
& 0x00ff000000ff0000 ) == (*( uint64_t *) a
& 0x00ff000000ff0000 )) return 0 ;
330 else if ((*( uint64_t *) b
& 0x00ff000000ff0000 ) > (*( uint64_t *) a
& 0x00ff000000ff0000 )) return 1 ;
337 struct Crypto1State
* slhead
;
341 struct Crypto1State
* sltail
;
353 // wrapper function for multi-threaded lfsr_recovery32
355 #ifdef __has_attribute
356 #if __has_attribute(force_align_arg_pointer)
357 __attribute__ (( force_align_arg_pointer
))
360 * nested_worker_thread ( void * arg
) {
361 struct Crypto1State
* p1
;
362 StateList_t
* statelist
= arg
;
364 statelist
-> head
. slhead
= lfsr_recovery32 ( statelist
-> ks1
, statelist
-> nt
^ statelist
-> uid
);
365 for ( p1
= statelist
-> head
. slhead
; *( uint64_t *) p1
!= 0 ; p1
++);
366 statelist
-> len
= p1
- statelist
-> head
. slhead
;
367 statelist
-> tail
. sltail
= -- p1
;
368 qsort ( statelist
-> head
. slhead
, statelist
-> len
, sizeof ( uint64_t ), Compare16Bits
);
370 return statelist
-> head
. slhead
;
374 static int nested_fixed_nonce ( StateList_t statelist
, uint32_t fixed_nt
, uint32_t authentication_timeout
, uint8_t * resultKey
) {
375 // We have a tag with a fixed nonce (nt) and therefore only one (usually long) list of possible crypto states.
376 // Instead of testing all those keys on the device with a complete authentication cycle, we do all of the crypto operations here.
377 uint8_t nr_enc
[ 4 ] = NESTED_FIXED_NR_ENC
; // we use a fixed {nr}
379 num_to_bytes ( prng_successor ( fixed_nt
, 64 ), 4 , ar
); // ... and ar is fixed too
381 // create an array of possible {ar} and parity bits
382 uint32_t num_ar_par
= statelist
. len
;
383 uint8_t * ar_par
= calloc ( num_ar_par
, 5 );
384 if ( ar_par
== NULL
) {
385 free ( statelist
. head
. slhead
);
389 for ( int i
= 0 ; i
< num_ar_par
; i
++) {
390 // roll back to initial state using the nt observed with the nested authentication
391 lfsr_rollback_word ( statelist
. head
. slhead
+ i
, statelist
. nt
^ statelist
. uid
, 0 );
392 // instead feed in the fixed_nt for the first authentication
393 struct Crypto1State cs
= *( statelist
. head
. slhead
+ i
);
394 crypto1_word (& cs
, fixed_nt
^ statelist
. uid
, 0 );
395 // determine nr such that the resulting {nr} is constant and feed it into the cypher. Calculate the encrypted parity bits
397 for ( int j
= 0 ; j
< 4 ; j
++) {
398 uint8_t nr_byte
= crypto1_byte (& cs
, nr_enc
[ j
], 1 ) ^ nr_enc
[ j
];
399 par_enc
|= ((( filter ( cs
. odd
) ^ oddparity8 ( nr_byte
)) & 0x01 ) << ( 7 - j
));
401 // calculate the encrypted reader response {ar} and its parity bits
402 for ( int j
= 0 ; j
< 4 ; j
++) {
403 ar_par
[ 5 * i
+ j
] = crypto1_byte (& cs
, 0 , 0 ) ^ ar
[ j
];
404 par_enc
|= (( filter ( cs
. odd
) ^ oddparity8 ( ar
[ j
])) & 0x01 ) << ( 3 - j
);
406 ar_par
[ 5 * i
+ 4 ] = par_enc
;
409 // test each {ar} response
412 int isOK
= mfCheckKeysFixedNonce ( statelist
. blockNo
, statelist
. keyType
, authentication_timeout
, true , num_ar_par
, ar_par
, & key_index
);
414 if ( isOK
== 0 ) { // success, key found
415 // key_index contains the index into the cypher state list
416 struct Crypto1State
* p1
= statelist
. head
. slhead
+ key_index
;
418 crypto1_get_lfsr ( p1
, & key64
);
419 num_to_bytes ( key64
, 6 , resultKey
);
421 if ( isOK
== 1 ) { // timeout
424 free ( statelist
. head
. slhead
);
430 static int nested_standard ( StateList_t statelists
[ 2 ], uint32_t authentication_timeout
, uint8_t * resultKey
) {
432 // the first 16 Bits of the crypto states already contain part of our key.
433 // Create the intersection of the two lists based on these 16 Bits and
434 // roll back the crypto state for the remaining states
435 struct Crypto1State
* p1
, * p2
, * p3
, * p4
;
436 p1
= p3
= statelists
[ 0 ]. head
. slhead
;
437 p2
= p4
= statelists
[ 1 ]. head
. slhead
;
438 while ( p1
<= statelists
[ 0 ]. tail
. sltail
&& p2
<= statelists
[ 1 ]. tail
. sltail
) {
439 if ( Compare16Bits ( p1
, p2
) == 0 ) {
440 struct Crypto1State savestate
, * savep
= & savestate
;
442 while ( Compare16Bits ( p1
, savep
) == 0 && p1
<= statelists
[ 0 ]. tail
. sltail
) {
444 lfsr_rollback_word ( p3
, statelists
[ 0 ]. nt
^ statelists
[ 0 ]. uid
, 0 );
449 while ( Compare16Bits ( p2
, savep
) == 0 && p2
<= statelists
[ 1 ]. tail
. sltail
) {
451 lfsr_rollback_word ( p4
, statelists
[ 1 ]. nt
^ statelists
[ 1 ]. uid
, 0 );
457 while ( Compare16Bits ( p1
, p2
) == - 1 ) p1
++;
458 while ( Compare16Bits ( p1
, p2
) == 1 ) p2
++;
463 statelists
[ 0 ]. len
= p3
- statelists
[ 0 ]. head
. slhead
;
464 statelists
[ 1 ]. len
= p4
- statelists
[ 1 ]. head
. slhead
;
465 statelists
[ 0 ]. tail
. sltail
=-- p3
;
466 statelists
[ 1 ]. tail
. sltail
=-- p4
;
468 // the statelists now contain possible crypto states initialized with the key. The key we are searching for
469 // must be in the intersection of both lists. Sort the lists and create the intersection:
470 qsort ( statelists
[ 0 ]. head
. keyhead
, statelists
[ 0 ]. len
, sizeof ( uint64_t ), compare_uint64
);
471 qsort ( statelists
[ 1 ]. head
. keyhead
, statelists
[ 1 ]. len
, sizeof ( uint64_t ), compare_uint64
);
472 statelists
[ 0 ]. len
= intersection ( statelists
[ 0 ]. head
. keyhead
, statelists
[ 1 ]. head
. keyhead
);
474 // create an array of the possible keys
475 uint32_t num_keys
= statelists
[ 0 ]. len
;
476 uint8_t * keys
= calloc ( num_keys
, 6 );
478 free ( statelists
[ 0 ]. head
. slhead
);
479 free ( statelists
[ 1 ]. head
. slhead
);
484 for ( int i
= 0 ; i
< num_keys
; i
++) {
485 crypto1_get_lfsr ( statelists
[ 0 ]. head
. slhead
+ i
, & key64
);
486 num_to_bytes ( key64
, 6 , keys
+ i
* 6 );
489 // and test each key with mfCheckKeys
490 int isOK
= mfCheckKeys ( statelists
[ 0 ]. blockNo
, statelists
[ 0 ]. keyType
, authentication_timeout
, true , num_keys
, keys
, & key64
);
492 if ( isOK
== 0 ) { // success, key found
493 num_to_bytes ( key64
, 6 , resultKey
);
495 if ( isOK
== 1 ) { // timeout
498 free ( statelists
[ 0 ]. head
. slhead
);
499 free ( statelists
[ 1 ]. head
. slhead
);
505 int mfnested ( uint8_t blockNo
, uint8_t keyType
, uint16_t timeout14a
, uint8_t * key
, uint8_t trgBlockNo
, uint8_t trgKeyType
, uint8_t * resultKey
, bool calibrate
) {
508 clearCommandBuffer ();
510 UsbCommand c
= { CMD_MIFARE_NESTED
, { blockNo
+ keyType
* 0x100 , trgBlockNo
+ trgKeyType
* 0x100 , calibrate
}};
511 memcpy ( c
. d
. asBytes
, key
, 6 );
515 if (! WaitForResponseTimeout ( CMD_ACK
, & resp
, 1500 )) {
519 if (( int ) resp
. arg
[ 0 ]) {
520 return ( int ) resp
. arg
[ 0 ]; // error during nested
524 memcpy (& uid
, resp
. d
. asBytes
, 4 );
525 PrintAndLog ( "uid:%08x trgbl=%d trgkey=%x" , uid
, ( uint16_t ) resp
. arg
[ 2 ] & 0xff , ( uint16_t ) resp
. arg
[ 2 ] >> 8 );
527 StateList_t statelists
[ 2 ];
528 for ( int i
= 0 ; i
< 2 ; i
++) {
529 statelists
[ i
]. blockNo
= resp
. arg
[ 2 ] & 0xff ;
530 statelists
[ i
]. keyType
= ( resp
. arg
[ 2 ] >> 8 ) & 0xff ;
531 statelists
[ i
]. uid
= uid
;
532 memcpy (& statelists
[ i
]. nt
, ( void *)( resp
. d
. asBytes
+ 4 + i
* 8 + 0 ), 4 );
533 memcpy (& statelists
[ i
]. ks1
, ( void *)( resp
. d
. asBytes
+ 4 + i
* 8 + 4 ), 4 );
536 uint32_t authentication_timeout
;
537 memcpy (& authentication_timeout
, resp
. d
. asBytes
+ 20 , 4 );
538 PrintAndLog ( "Setting authentication timeout to %" PRIu32
"us" , authentication_timeout
* 1000 / 106 );
540 uint8_t num_unique_nonces
;
541 uint32_t fixed_nt
= 0 ;
542 if ( statelists
[ 0 ]. nt
== statelists
[ 1 ]. nt
&& statelists
[ 0 ]. ks1
== statelists
[ 1 ]. ks1
) {
543 num_unique_nonces
= 1 ;
544 memcpy (& fixed_nt
, resp
. d
. asBytes
+ 24 , 4 );
545 PrintAndLog ( "Fixed nt detected: %08" PRIx32
" on first authentication, %08" PRIx32
" on nested authentication" , fixed_nt
, statelists
[ 0 ]. nt
);
547 num_unique_nonces
= 2 ;
550 // create and run worker threads to calculate possible crypto states
551 pthread_t thread_id
[ 2 ];
552 for ( int i
= 0 ; i
< num_unique_nonces
; i
++) {
553 pthread_create ( thread_id
+ i
, NULL
, nested_worker_thread
, & statelists
[ i
]);
555 // wait for threads to terminate:
556 for ( int i
= 0 ; i
< num_unique_nonces
; i
++) {
557 pthread_join ( thread_id
[ i
], ( void *)& statelists
[ i
]. head
. slhead
);
560 if ( num_unique_nonces
== 2 ) {
561 return nested_standard ( statelists
, authentication_timeout
, resultKey
);
563 return nested_fixed_nonce ( statelists
[ 0 ], fixed_nt
, authentication_timeout
, resultKey
);
569 int mfReadSector ( uint8_t sectorNo
, uint8_t keyType
, uint8_t * key
, uint8_t * data
) {
571 UsbCommand c
= { CMD_MIFARE_READSC
, { sectorNo
, keyType
, 0 }};
572 memcpy ( c
. d
. asBytes
, key
, 6 );
573 clearCommandBuffer ();
577 if ( WaitForResponseTimeout ( CMD_ACK
, & resp
, 1500 )) {
578 uint8_t isOK
= resp
. arg
[ 0 ] & 0xff ;
581 memcpy ( data
, resp
. d
. asBytes
, mfNumBlocksPerSector ( sectorNo
) * 16 );
587 PrintAndLogEx ( ERR
, "Command execute timeout" );
596 int mfEmlGetMem ( uint8_t * data
, int blockNum
, int blocksCount
) {
597 UsbCommand c
= { CMD_MIFARE_EML_MEMGET
, { blockNum
, blocksCount
, 0 }};
601 if (! WaitForResponseTimeout ( CMD_ACK
,& resp
, 1500 )) return 1 ;
602 memcpy ( data
, resp
. d
. asBytes
, blocksCount
* 16 );
606 int mfEmlSetMem ( uint8_t * data
, int blockNum
, int blocksCount
) {
607 UsbCommand c
= { CMD_MIFARE_EML_MEMSET
, { blockNum
, blocksCount
, 0 }};
608 memcpy ( c
. d
. asBytes
, data
, blocksCount
* 16 );
615 int mfCGetBlock ( uint8_t blockNo
, uint8_t * data
, uint8_t params
) {
618 UsbCommand c
= { CMD_MIFARE_CGETBLOCK
, { params
, 0 , blockNo
}};
622 if ( WaitForResponseTimeout ( CMD_ACK
,& resp
, 1500 )) {
623 isOK
= resp
. arg
[ 0 ] & 0xff ;
624 memcpy ( data
, resp
. d
. asBytes
, 16 );
627 PrintAndLog ( "Command execute timeout" );
633 int mfCSetBlock ( uint8_t blockNo
, uint8_t * data
, uint8_t * uid
, bool wantWipe
, uint8_t params
) {
636 UsbCommand c
= { CMD_MIFARE_CSETBLOCK
, { wantWipe
, params
& ( 0xFE | ( uid
== NULL
? 0 : 1 )), blockNo
}};
637 memcpy ( c
. d
. asBytes
, data
, 16 );
641 if ( WaitForResponseTimeout ( CMD_ACK
, & resp
, 1500 )) {
642 isOK
= resp
. arg
[ 0 ] & 0xff ;
644 memcpy ( uid
, resp
. d
. asBytes
, 4 );
648 PrintAndLog ( "Command execute timeout" );
655 int mfCWipe ( uint32_t numSectors
, bool gen1b
, bool wantWipe
, bool wantFill
) {
657 uint8_t cmdParams
= wantWipe
+ wantFill
* 0x02 + gen1b
* 0x04 ;
658 UsbCommand c
= { CMD_MIFARE_CWIPE
, { numSectors
, cmdParams
, 0 }};
662 WaitForResponse ( CMD_ACK
,& resp
);
663 isOK
= resp
. arg
[ 0 ] & 0xff ;
668 int mfCSetUID ( uint8_t * uid
, uint8_t * atqa
, uint8_t * sak
, uint8_t * oldUID
) {
669 uint8_t oldblock0
[ 16 ] = { 0x00 };
670 uint8_t block0
[ 16 ] = { 0x00 };
675 /* generation 1a magic card by default */
676 uint8_t cmdParams
= CSETBLOCK_SINGLE_OPER
;
678 /* generation 1b magic card */
679 cmdParams
= CSETBLOCK_SINGLE_OPER
| CSETBLOCK_MAGIC_1B
;
682 res
= mfCGetBlock ( 0 , oldblock0
, cmdParams
);
685 memcpy ( block0
, oldblock0
, 16 );
686 PrintAndLog ( "old block 0: %s" , sprint_hex ( block0
, 16 ));
688 PrintAndLog ( "Couldn't get old data. Will write over the last bytes of Block 0." );
691 // fill in the new values
693 memcpy ( block0
, uid
, 4 );
695 block0
[ 4 ] = block0
[ 0 ] ^ block0
[ 1 ] ^ block0
[ 2 ] ^ block0
[ 3 ];
696 // mifare classic SAK(byte 5) and ATQA(byte 6 and 7, reversed)
703 PrintAndLog ( "new block 0: %s" , sprint_hex ( block0
, 16 ));
705 res
= mfCSetBlock ( 0 , block0
, oldUID
, false , cmdParams
);
707 PrintAndLog ( "Can't set block 0. Error: %d" , res
);
715 UsbCommand c
= { CMD_MIFARE_CIDENT
, { 0 , 0 , 0 }};
718 WaitForResponse ( CMD_ACK
,& resp
);
720 uint8_t isGeneration
= resp
. arg
[ 0 ] & 0xff ;
721 switch ( isGeneration
){
722 case 1 : PrintAndLog ( "Chinese magic backdoor commands (GEN 1a) detected" ); break ;
723 case 2 : PrintAndLog ( "Chinese magic backdoor command (GEN 1b) detected" ); break ;
724 default : PrintAndLog ( "No chinese magic backdoor command detected" ); break ;
727 return ( int ) isGeneration
;
734 static uint8_t trailerAccessBytes
[ 4 ] = { 0x08 , 0x77 , 0x8F , 0x00 };
737 char logHexFileName
[ FILE_PATH_SIZE
] = { 0x00 };
738 static uint8_t traceCard
[ 4096 ] = { 0x00 };
739 static char traceFileName
[ FILE_PATH_SIZE
] = { 0x00 };
740 static int traceState
= TRACE_IDLE
;
741 static uint8_t traceCurBlock
= 0 ;
742 static uint8_t traceCurKey
= 0 ;
744 struct Crypto1State
* traceCrypto1
= NULL
;
746 struct Crypto1State
* revstate
;
752 uint32_t uid
; // serial number
753 uint32_t nt
; // tag challenge
754 uint32_t nt_enc
; // encrypted tag challenge
755 uint8_t nt_enc_par
; // encrypted tag challenge parity
756 uint32_t nr_enc
; // encrypted reader challenge
757 uint32_t ar_enc
; // encrypted reader response
758 uint8_t ar_enc_par
; // encrypted reader response parity
759 uint32_t at_enc
; // encrypted tag response
760 uint8_t at_enc_par
; // encrypted tag response parity
762 int isTraceCardEmpty ( void ) {
763 return (( traceCard
[ 0 ] == 0 ) && ( traceCard
[ 1 ] == 0 ) && ( traceCard
[ 2 ] == 0 ) && ( traceCard
[ 3 ] == 0 ));
766 int isBlockEmpty ( int blockN
) {
767 for ( int i
= 0 ; i
< 16 ; i
++)
768 if ( traceCard
[ blockN
* 16 + i
] != 0 ) return 0 ;
773 int isBlockTrailer ( int blockN
) {
774 return (( blockN
& 0x03 ) == 0x03 );
777 int saveTraceCard ( void ) {
780 if ((! strlen ( traceFileName
)) || ( isTraceCardEmpty ())) return 0 ;
782 f
= fopen ( traceFileName
, "w+" );
785 for ( int i
= 0 ; i
< 64 ; i
++) { // blocks
786 for ( int j
= 0 ; j
< 16 ; j
++) // bytes
787 fprintf ( f
, "%02x" , *( traceCard
+ i
* 16 + j
));
795 int loadTraceCard ( uint8_t * tuid
) {
797 char buf
[ 64 ] = { 0x00 };
798 uint8_t buf8
[ 64 ] = { 0x00 };
801 if (! isTraceCardEmpty ())
804 memset ( traceCard
, 0x00 , 4096 );
805 memcpy ( traceCard
, tuid
+ 3 , 4 );
807 FillFileNameByUID ( traceFileName
, tuid
, ".eml" , 7 );
809 f
= fopen ( traceFileName
, "r" );
816 memset ( buf
, 0 , sizeof ( buf
));
817 if ( fgets ( buf
, sizeof ( buf
), f
) == NULL
) {
818 PrintAndLog ( "File reading error." );
823 if ( strlen ( buf
) < 32 ){
825 PrintAndLog ( "File content error. Block data must include 32 HEX symbols" );
829 for ( i
= 0 ; i
< 32 ; i
+= 2 )
830 sscanf (& buf
[ i
], "%02x" , ( unsigned int *)& buf8
[ i
/ 2 ]);
832 memcpy ( traceCard
+ blockNum
* 16 , buf8
, 16 );
841 int mfTraceInit ( uint8_t * tuid
, uint8_t * atqa
, uint8_t sak
, bool wantSaveToEmlFile
) {
844 crypto1_destroy ( traceCrypto1
);
848 if ( wantSaveToEmlFile
)
851 traceCard
[ 4 ] = traceCard
[ 0 ] ^ traceCard
[ 1 ] ^ traceCard
[ 2 ] ^ traceCard
[ 3 ];
853 memcpy (& traceCard
[ 6 ], atqa
, 2 );
855 uid
= bytes_to_num ( tuid
+ 3 , 4 );
857 traceState
= TRACE_IDLE
;
862 void mf_crypto1_decrypt ( struct Crypto1State
* pcs
, uint8_t * data
, int len
, bool isEncrypted
){
867 for ( i
= 0 ; i
< len
; i
++)
868 data
[ i
] = crypto1_byte ( pcs
, 0x00 , isEncrypted
) ^ data
[ i
];
871 for ( i
= 0 ; i
< 4 ; i
++)
872 bt
|= ( crypto1_bit ( pcs
, 0 , isEncrypted
) ^ BIT ( data
[ 0 ], i
)) << i
;
879 bool NTParityCheck ( uint32_t ntx
) {
881 ( oddparity8 ( ntx
>> 8 & 0xff ) ^ ( ntx
& 0x01 ) ^ (( nt_enc_par
>> 5 ) & 0x01 ) ^ ( nt_enc
& 0x01 )) ||
882 ( oddparity8 ( ntx
>> 16 & 0xff ) ^ ( ntx
>> 8 & 0x01 ) ^ (( nt_enc_par
>> 6 ) & 0x01 ) ^ ( nt_enc
>> 8 & 0x01 )) ||
883 ( oddparity8 ( ntx
>> 24 & 0xff ) ^ ( ntx
>> 16 & 0x01 ) ^ (( nt_enc_par
>> 7 ) & 0x01 ) ^ ( nt_enc
>> 16 & 0x01 ))
887 uint32_t ar
= prng_successor ( ntx
, 64 );
889 ( oddparity8 ( ar
>> 8 & 0xff ) ^ ( ar
& 0x01 ) ^ (( ar_enc_par
>> 5 ) & 0x01 ) ^ ( ar_enc
& 0x01 )) ||
890 ( oddparity8 ( ar
>> 16 & 0xff ) ^ ( ar
>> 8 & 0x01 ) ^ (( ar_enc_par
>> 6 ) & 0x01 ) ^ ( ar_enc
>> 8 & 0x01 )) ||
891 ( oddparity8 ( ar
>> 24 & 0xff ) ^ ( ar
>> 16 & 0x01 ) ^ (( ar_enc_par
>> 7 ) & 0x01 ) ^ ( ar_enc
>> 16 & 0x01 ))
895 uint32_t at
= prng_successor ( ntx
, 96 );
897 ( oddparity8 ( ar
& 0xff ) ^ ( at
>> 24 & 0x01 ) ^ (( ar_enc_par
>> 4 ) & 0x01 ) ^ ( at_enc
>> 24 & 0x01 )) ||
898 ( oddparity8 ( at
>> 8 & 0xff ) ^ ( at
& 0x01 ) ^ (( at_enc_par
>> 5 ) & 0x01 ) ^ ( at_enc
& 0x01 )) ||
899 ( oddparity8 ( at
>> 16 & 0xff ) ^ ( at
>> 8 & 0x01 ) ^ (( at_enc_par
>> 6 ) & 0x01 ) ^ ( at_enc
>> 8 & 0x01 )) ||
900 ( oddparity8 ( at
>> 24 & 0xff ) ^ ( at
>> 16 & 0x01 ) ^ (( at_enc_par
>> 7 ) & 0x01 ) ^ ( at_enc
>> 16 & 0x01 ))
908 int mfTraceDecode ( uint8_t * data_src
, int len
, uint8_t parity
, bool wantSaveToEmlFile
) {
911 if ( traceState
== TRACE_ERROR
) return 1 ;
913 traceState
= TRACE_ERROR
;
917 memcpy ( data
, data_src
, len
);
918 if (( traceCrypto1
) && (( traceState
== TRACE_IDLE
) || ( traceState
> TRACE_AUTH_OK
))) {
919 mf_crypto1_decrypt ( traceCrypto1
, data
, len
, 0 );
921 oddparitybuf ( data
, len
, parity
);
922 PrintAndLog ( "dec> %s [%s]" , sprint_hex ( data
, len
), printBitsPar ( parity
, len
));
923 AddLogHex ( logHexFileName
, "dec> " , data
, len
);
926 switch ( traceState
) {
928 // check packet crc16!
929 if (( len
>= 4 ) && (! CheckCrc14443 ( CRC_14443_A
, data
, len
))) {
930 PrintAndLog ( "dec> CRC ERROR!!!" );
931 AddLogLine ( logHexFileName
, "dec> " , "CRC ERROR!!!" );
932 traceState
= TRACE_ERROR
; // do not decrypt the next commands
937 if (( len
== 4 ) && (( data
[ 0 ] == 0x60 ) || ( data
[ 0 ] == 0x61 ))) {
938 traceState
= TRACE_AUTH1
;
939 traceCurBlock
= data
[ 1 ];
940 traceCurKey
= data
[ 0 ] == 60 ? 1 : 0 ;
945 if (( len
== 4 ) && (( data
[ 0 ] == 0x30 ))) {
946 traceState
= TRACE_READ_DATA
;
947 traceCurBlock
= data
[ 1 ];
952 if (( len
== 4 ) && (( data
[ 0 ] == 0xA0 ))) {
953 traceState
= TRACE_WRITE_OK
;
954 traceCurBlock
= data
[ 1 ];
959 if (( len
== 4 ) && (( data
[ 0 ] == 0x50 ) && ( data
[ 1 ] == 0x00 ))) {
960 traceState
= TRACE_ERROR
; // do not decrypt the next commands
967 case TRACE_READ_DATA
:
969 traceState
= TRACE_IDLE
;
971 if ( isBlockTrailer ( traceCurBlock
)) {
972 memcpy ( traceCard
+ traceCurBlock
* 16 + 6 , data
+ 6 , 4 );
974 memcpy ( traceCard
+ traceCurBlock
* 16 , data
, 16 );
976 if ( wantSaveToEmlFile
) saveTraceCard ();
979 traceState
= TRACE_ERROR
;
985 if (( len
== 1 ) && ( data
[ 0 ] == 0x0a )) {
986 traceState
= TRACE_WRITE_DATA
;
990 traceState
= TRACE_ERROR
;
995 case TRACE_WRITE_DATA
:
997 traceState
= TRACE_IDLE
;
999 memcpy ( traceCard
+ traceCurBlock
* 16 , data
, 16 );
1000 if ( wantSaveToEmlFile
) saveTraceCard ();
1003 traceState
= TRACE_ERROR
;
1010 traceState
= TRACE_AUTH2
;
1011 if (! traceCrypto1
) {
1012 nt
= bytes_to_num ( data
, 4 );
1014 nt_enc
= bytes_to_num ( data
, 4 );
1015 nt_enc_par
= parity
;
1019 traceState
= TRACE_ERROR
;
1026 traceState
= TRACE_AUTH_OK
;
1028 nr_enc
= bytes_to_num ( data
, 4 );
1029 ar_enc
= bytes_to_num ( data
+ 4 , 4 );
1030 ar_enc_par
= parity
<< 4 ;
1033 traceState
= TRACE_ERROR
;
1040 traceState
= TRACE_IDLE
;
1042 at_enc
= bytes_to_num ( data
, 4 );
1043 at_enc_par
= parity
;
1044 if (! traceCrypto1
) {
1047 ks2
= ar_enc
^ prng_successor ( nt
, 64 );
1048 ks3
= at_enc
^ prng_successor ( nt
, 96 );
1049 revstate
= lfsr_recovery64 ( ks2
, ks3
);
1050 lfsr_rollback_word ( revstate
, 0 , 0 );
1051 lfsr_rollback_word ( revstate
, 0 , 0 );
1052 lfsr_rollback_word ( revstate
, nr_enc
, 1 );
1053 lfsr_rollback_word ( revstate
, uid
^ nt
, 0 );
1055 crypto1_get_lfsr ( revstate
, & lfsr
);
1056 crypto1_destroy ( revstate
);
1058 printf ( "key> probable key:%x%x Prng:%s ks2:%08x ks3:%08x \n " ,
1059 ( unsigned int )(( lfsr
& 0xFFFFFFFF00000000 ) >> 32 ), ( unsigned int )( lfsr
& 0xFFFFFFFF ),
1060 validate_prng_nonce ( nt
) ? "WEAK" : "HARDEND" ,
1063 AddLogUint64 ( logHexFileName
, "key> " , lfsr
);
1065 if ( validate_prng_nonce ( nt
)) {
1066 struct Crypto1State
* pcs
;
1067 pcs
= crypto1_create ( ui64Key
);
1068 uint32_t nt1
= crypto1_word ( pcs
, nt_enc
^ uid
, 1 ) ^ nt_enc
;
1069 uint32_t ar
= prng_successor ( nt1
, 64 );
1070 uint32_t at
= prng_successor ( nt1
, 96 );
1071 printf ( "key> nested auth uid: %08x nt: %08x nt_parity: %s ar: %08x at: %08x \n " , uid
, nt1
, printBitsPar (& nt_enc_par
, 4 ), ar
, at
);
1072 uint32_t nr1
= crypto1_word ( pcs
, nr_enc
, 1 ) ^ nr_enc
;
1073 uint32_t ar1
= crypto1_word ( pcs
, 0 , 0 ) ^ ar_enc
;
1074 uint32_t at1
= crypto1_word ( pcs
, 0 , 0 ) ^ at_enc
;
1075 crypto1_destroy ( pcs
);
1076 printf ( "key> the same key test. nr1: %08x ar1: %08x at1: %08x \n " , nr1
, ar1
, at1
);
1078 if ( NTParityCheck ( nt1
))
1079 printf ( "key> the same key test OK. key=%x%x \n " , ( unsigned int )(( ui64Key
& 0xFFFFFFFF00000000 ) >> 32 ), ( unsigned int )( ui64Key
& 0xFFFFFFFF ));
1081 printf ( "key> the same key test. check nt parity error. \n " );
1083 uint32_t ntc
= prng_successor ( nt
, 90 );
1086 for ( int i
= 0 ; i
< 16383 ; i
++) {
1087 ntc
= prng_successor ( ntc
, 1 );
1088 if ( NTParityCheck ( ntc
)){
1095 printf ( "key> nt candidate=%08x nonce distance=%d candidates count=%d \n " , ntx
, nonce_distance ( nt
, ntx
), ntcnt
);
1097 printf ( "key> don't have any nt candidate( \n " );
1100 ks2
= ar_enc
^ prng_successor ( ntx
, 64 );
1101 ks3
= at_enc
^ prng_successor ( ntx
, 96 );
1104 revstate
= lfsr_recovery64 ( ks2
, ks3
);
1105 lfsr_rollback_word ( revstate
, 0 , 0 );
1106 lfsr_rollback_word ( revstate
, 0 , 0 );
1107 lfsr_rollback_word ( revstate
, nr_enc
, 1 );
1108 lfsr_rollback_word ( revstate
, uid
^ nt
, 0 );
1110 crypto1_get_lfsr ( revstate
, & lfsr
);
1111 crypto1_destroy ( revstate
);
1113 printf ( "key> probable key:%x%x ks2:%08x ks3:%08x \n " ,
1114 ( unsigned int )(( lfsr
& 0xFFFFFFFF00000000 ) >> 32 ), ( unsigned int )( lfsr
& 0xFFFFFFFF ),
1117 AddLogUint64 ( logHexFileName
, "key> " , lfsr
);
1119 printf ( "key> hardnested not implemented! \n " );
1121 crypto1_destroy ( traceCrypto1
);
1124 traceState
= TRACE_ERROR
;
1128 int blockShift
= (( traceCurBlock
& 0xFC ) + 3 ) * 16 ;
1129 if ( isBlockEmpty (( traceCurBlock
& 0xFC ) + 3 )) memcpy ( traceCard
+ blockShift
+ 6 , trailerAccessBytes
, 4 );
1132 num_to_bytes ( lfsr
, 6 , traceCard
+ blockShift
+ 10 );
1134 num_to_bytes ( lfsr
, 6 , traceCard
+ blockShift
);
1136 if ( wantSaveToEmlFile
) saveTraceCard ();
1139 crypto1_destroy ( traceCrypto1
);
1142 // set cryptosystem state
1143 traceCrypto1
= lfsr_recovery64 ( ks2
, ks3
);
1146 traceState
= TRACE_ERROR
;
1152 traceState
= TRACE_ERROR
;
1161 int tryDecryptWord ( uint32_t nt
, uint32_t ar_enc
, uint32_t at_enc
, uint8_t * data
, int len
){
1163 uint32_t nt; // tag challenge
1164 uint32_t ar_enc; // encrypted reader response
1165 uint32_t at_enc; // encrypted tag response
1168 crypto1_destroy ( traceCrypto1
);
1170 ks2
= ar_enc
^ prng_successor ( nt
, 64 );
1171 ks3
= at_enc
^ prng_successor ( nt
, 96 );
1172 traceCrypto1
= lfsr_recovery64 ( ks2
, ks3
);
1174 mf_crypto1_decrypt ( traceCrypto1
, data
, len
, 0 );
1176 PrintAndLog ( "Decrypted data: [%s]" , sprint_hex ( data
, len
) );
1177 crypto1_destroy ( traceCrypto1
);
1181 /** validate_prng_nonce
1182 * Determine if nonce is deterministic. ie: Suspectable to Darkside attack.
1185 * false = hardend prng
1187 bool validate_prng_nonce ( uint32_t nonce
) {
1191 dist
= malloc ( 2 << 16 );
1196 for ( x
= i
= 1 ; i
; ++ i
) {
1197 dist
[( x
& 0xff ) << 8 | x
>> 8 ] = i
;
1198 x
= x
>> 1 | ( x
^ x
>> 2 ^ x
>> 3 ^ x
>> 5 ) << 15 ;
1201 uint32_t res
= ( 65535 - dist
[ nonce
>> 16 ] + dist
[ nonce
& 0xffff ]) % 65535 ;
1208 * function performs a partial AUTH, where it tries to authenticate against block0, key A, but only collects tag nonce.
1209 * the tag nonce is check to see if it has a predictable PRNG.
1211 * TRUE if tag uses WEAK prng (ie Now the NACK bug also needs to be present for Darkside attack)
1212 * FALSE is tag uses HARDEND prng (ie hardnested attack possible, with known key)
1214 int DetectClassicPrng ( void ){
1216 UsbCommand resp
, respA
;
1217 uint8_t cmd
[] = { 0x60 , 0x00 }; // MIFARE_AUTH_KEYA
1218 uint32_t flags
= ISO14A_CONNECT
| ISO14A_RAW
| ISO14A_APPEND_CRC
| ISO14A_NO_RATS
;
1220 UsbCommand c
= { CMD_READER_ISO_14443a
, { flags
, sizeof ( cmd
), 0 }};
1221 memcpy ( c
. d
. asBytes
, cmd
, sizeof ( cmd
));
1223 clearCommandBuffer ();
1225 if (! WaitForResponseTimeout ( CMD_NACK
, & resp
, 2000 )) {
1226 PrintAndLog ( "PRNG UID: Reply timeout." );
1230 // if select tag failed.
1231 if ( resp
. arg
[ 0 ] == 0 ) {
1232 PrintAndLog ( "PRNG error: selecting tag failed, can't detect prng." );
1236 if (! WaitForResponseTimeout ( CMD_ACK
, & respA
, 5000 )) {
1237 PrintAndLog ( "PRNG data: Reply timeout." );
1242 if ( respA
. arg
[ 0 ] != 4 ) {
1243 PrintAndLog ( "PRNG data error: Wrong length: %d" , respA
. arg
[ 0 ]);
1247 uint32_t nonce
= bytes_to_num ( respA
. d
. asBytes
, respA
. arg
[ 0 ]);
1248 return validate_prng_nonce ( nonce
);