X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/3ad48540d4d77f50cc62d16acb78f17019ef431d..e772774ba1823d55f7839da54bc850a8c42a3571:/client/loclass/elite_crack.c
diff --git a/client/loclass/elite_crack.c b/client/loclass/elite_crack.c
index 27a2a1bc..ebe82297 100644
--- a/client/loclass/elite_crack.c
+++ b/client/loclass/elite_crack.c
@@ -1,3 +1,41 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see .
+ *
+ *
+ *
+ ****************************************************************************/
+
#include
#include
#include
@@ -33,7 +71,6 @@
*/
void permutekey(uint8_t key[8], uint8_t dest[8])
{
-
int i;
for(i = 0 ; i < 8 ; i++)
{
@@ -46,7 +83,6 @@ void permutekey(uint8_t key[8], uint8_t dest[8])
(((key[1] & (0x80 >> i)) >> (7-i)) << 1) |
(((key[0] & (0x80 >> i)) >> (7-i)) << 0);
}
-
return;
}
/**
@@ -113,16 +149,116 @@ void hash1(uint8_t csn[] , uint8_t k[])
k[0] = csn[0]^csn[1]^csn[2]^csn[3]^csn[4]^csn[5]^csn[6]^csn[7];
k[1] = csn[0]+csn[1]+csn[2]+csn[3]+csn[4]+csn[5]+csn[6]+csn[7];
k[2] = rr(swap( csn[2]+k[1] ));
- k[3] = rr(swap( csn[3]+k[0] ));
- k[4] = ~rr(swap( csn[4]+k[2] ))+1;
- k[5] = ~rr(swap( csn[5]+k[3] ))+1;
+ k[3] = rl(swap( csn[3]+k[0] ));
+ k[4] = ~rr( csn[4]+k[2] )+1;
+ k[5] = ~rl( csn[5]+k[3] )+1;
k[6] = rr( csn[6]+(k[4]^0x3c) );
k[7] = rl( csn[7]+(k[5]^0xc3) );
- int i;
- for(i = 7; i >=0; i--)
- k[i] = k[i] & 0x7F;
+
+ k[7] &= 0x7F;
+ k[6] &= 0x7F;
+ k[5] &= 0x7F;
+ k[4] &= 0x7F;
+ k[3] &= 0x7F;
+ k[2] &= 0x7F;
+ k[1] &= 0x7F;
+ k[0] &= 0x7F;
+}
+/**
+Definition 14. Define the rotate key function rk : (F 82 ) 8 Ã N â (F 82 ) 8 as
+rk(x [0] . . . x [7] , 0) = x [0] . . . x [7]
+rk(x [0] . . . x [7] , n + 1) = rk(rl(x [0] ) . . . rl(x [7] ), n)
+**/
+void rk(uint8_t *key, uint8_t n, uint8_t *outp_key)
+{
+ memcpy(outp_key, key, 8);
+ uint8_t j;
+ while(n-- > 0) {
+ for(j=0; j < 8 ; j++)
+ outp_key[j] = rl(outp_key[j]);
+ }
+ return;
}
+static des_context ctx_enc = {DES_ENCRYPT,{0}};
+static des_context ctx_dec = {DES_DECRYPT,{0}};
+
+void desdecrypt_iclass(uint8_t *iclass_key, uint8_t *input, uint8_t *output)
+{
+ uint8_t key_std_format[8] = {0};
+ permutekey_rev(iclass_key, key_std_format);
+ des_setkey_dec( &ctx_dec, key_std_format);
+ des_crypt_ecb(&ctx_dec,input,output);
+}
+void desencrypt_iclass(uint8_t *iclass_key, uint8_t *input, uint8_t *output)
+{
+ uint8_t key_std_format[8] = {0};
+ permutekey_rev(iclass_key, key_std_format);
+ des_setkey_enc( &ctx_enc, key_std_format);
+ des_crypt_ecb(&ctx_enc,input,output);
+}
+
+/**
+ * @brief Insert uint8_t[8] custom master key to calculate hash2 and return key_select.
+ * @param key unpermuted custom key
+ * @param hash1 hash1
+ * @param key_sel output key_sel=h[hash1[i]]
+ */
+void hash2(uint8_t *key64, uint8_t *outp_keytable)
+{
+ /**
+ *Expected:
+ * High Security Key Table
+
+00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1
+10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21
+20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2
+30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C
+40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6
+50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42
+60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95
+70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB
+
+**** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ******/
+ uint8_t key64_negated[8] = {0};
+ uint8_t z[8][8]={{0},{0}};
+ uint8_t temp_output[8]={0};
+ //calculate complement of key
+ int i;
+ for (i=0; i<8; i++)
+ key64_negated[i]= ~key64[i];
+
+ // Once again, key is on iclass-format
+ desencrypt_iclass(key64, key64_negated, z[0]);
+
+ prnlog("\nHigh security custom key (Kcus):");
+ printvar("z0 ", z[0],8);
+
+ uint8_t y[8][8]={{0},{0}};
+
+ // y[0]=DES_dec(z[0],~key)
+ // Once again, key is on iclass-format
+ desdecrypt_iclass(z[0], key64_negated, y[0]);
+ printvar("y0 ", y[0],8);
+
+ for (i=1; i<8; i++) {
+ // z [i] = DES dec (rk(K cus , i), z [iâ1] )
+ rk(key64, i, temp_output);
+ //y [i] = DES enc (rk(K cus , i), y [iâ1] )
+
+ desdecrypt_iclass(temp_output,z[i-1], z[i]);
+ desencrypt_iclass(temp_output,y[i-1], y[i]);
+ }
+
+ if (outp_keytable != NULL) {
+ for(i = 0 ; i < 8 ; i++) {
+ memcpy(outp_keytable+i*16,y[i],8);
+ memcpy(outp_keytable+8+i*16,z[i],8);
+ }
+ } else {
+ printarr_human_readable("hash2", outp_keytable,128);
+ }
+}
/**
* @brief Reads data from the iclass-reader-attack dump file.
@@ -145,6 +281,7 @@ int _readFromDump(uint8_t dump[], dumpdata* item, uint8_t i)
size_t itemsize = sizeof(dumpdata);
//dumpdata item = {0};
memcpy(item,dump+i*itemsize, itemsize);
+
if(true)
{
printvar("csn", item->csn,8);
@@ -179,7 +316,6 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
uint8_t key_index[8] = {0};
hash1(item.csn, key_index);
-
/*
* Determine which bytes to retrieve. A hash is typically
* 01010000454501
@@ -195,23 +331,21 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
uint8_t bytes_to_recover[3] = {0};
uint8_t numbytes_to_recover = 0 ;
int i;
- for(i =0 ; i < 8 ; i++)
- {
- if(keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
+ for (i=0; i<8; i++) {
+ if (keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
+
bytes_to_recover[numbytes_to_recover++] = key_index[i];
keytable[key_index[i]] |= BEING_CRACKED;
- if(numbytes_to_recover > 3)
- {
+ if (numbytes_to_recover > 3) {
prnlog("The CSN requires > 3 byte bruteforce, not supported");
- printvar("CSN", item.csn,8);
- printvar("HASH1", key_index,8);
+ printvar("CSN", item.csn, 8);
+ printvar("HASH1", key_index, 8);
//Before we exit, reset the 'BEING_CRACKED' to zero
keytable[bytes_to_recover[0]] &= ~BEING_CRACKED;
keytable[bytes_to_recover[1]] &= ~BEING_CRACKED;
keytable[bytes_to_recover[2]] &= ~BEING_CRACKED;
-
return 1;
}
}
@@ -235,61 +369,57 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
while(!found && !(brute & endmask))
{
-
//Update the keytable with the brute-values
- for(i =0 ; i < numbytes_to_recover; i++)
- {
+ for (i=0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF00;
keytable[bytes_to_recover[i]] |= (brute >> (i*8) & 0xFF);
}
// Piece together the key
- key_sel[0] = keytable[key_index[0]] & 0xFF;key_sel[1] = keytable[key_index[1]] & 0xFF;
- key_sel[2] = keytable[key_index[2]] & 0xFF;key_sel[3] = keytable[key_index[3]] & 0xFF;
- key_sel[4] = keytable[key_index[4]] & 0xFF;key_sel[5] = keytable[key_index[5]] & 0xFF;
- key_sel[6] = keytable[key_index[6]] & 0xFF;key_sel[7] = keytable[key_index[7]] & 0xFF;
+ key_sel[0] = keytable[key_index[0]] & 0xFF;
+ key_sel[1] = keytable[key_index[1]] & 0xFF;
+ key_sel[2] = keytable[key_index[2]] & 0xFF;
+ key_sel[3] = keytable[key_index[3]] & 0xFF;
+ key_sel[4] = keytable[key_index[4]] & 0xFF;
+ key_sel[5] = keytable[key_index[5]] & 0xFF;
+ key_sel[6] = keytable[key_index[6]] & 0xFF;
+ key_sel[7] = keytable[key_index[7]] & 0xFF;
//Permute from iclass format to standard format
- permutekey_rev(key_sel,key_sel_p);
+ permutekey_rev(key_sel, key_sel_p);
//Diversify
diversifyKey(item.csn, key_sel_p, div_key);
//Calc mac
- doMAC(item.cc_nr, div_key,calculated_MAC);
+ doMAC(item.cc_nr, div_key, calculated_MAC);
- if(memcmp(calculated_MAC, item.mac, 4) == 0)
- {
+ if(memcmp(calculated_MAC, item.mac, 4) == 0) {
for(i =0 ; i < numbytes_to_recover; i++)
prnlog("=> %d: 0x%02x", bytes_to_recover[i],0xFF & keytable[bytes_to_recover[i]]);
found = true;
break;
}
+
brute++;
- if((brute & 0xFFFF) == 0)
- {
+ if ((brute & 0xFFFF) == 0) {
printf("%d",(brute >> 16) & 0xFF);
fflush(stdout);
}
}
- if(! found)
- {
+ if (!found) {
prnlog("Failed to recover %d bytes using the following CSN",numbytes_to_recover);
printvar("CSN",item.csn,8);
errors++;
+
//Before we exit, reset the 'BEING_CRACKED' to zero
- for(i =0 ; i < numbytes_to_recover; i++)
- {
+ for (i=0; i < numbytes_to_recover; i++){
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACK_FAILED;
}
-
- }else
- {
- for(i =0 ; i < numbytes_to_recover; i++)
- {
+ } else {
+ for (i=0; i < numbytes_to_recover; i++){
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACKED;
}
-
}
return errors;
}
@@ -382,8 +512,8 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
errors += bruteforceItem(*attack, keytable);
}
free(attack);
- clock_t t2 = clock();
- float diff = (((float)t2 - (float)t1) / CLOCKS_PER_SEC );
+ t1 = clock() - t1;
+ float diff = ((float)t1 / CLOCKS_PER_SEC );
prnlog("\nPerformed full crack in %f seconds",diff);
// Pick out the first 16 bytes of the keytable.
@@ -412,9 +542,8 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
*/
int bruteforceFile(const char *filename, uint16_t keytable[])
{
-
FILE *f = fopen(filename, "rb");
- if(!f) {
+ if (!f) {
prnlog("Failed to read from file '%s'", filename);
return 1;
}
@@ -423,15 +552,23 @@ int bruteforceFile(const char *filename, uint16_t keytable[])
long fsize = ftell(f);
fseek(f, 0, SEEK_SET);
+ if (fsize < 0) {
+ prnlog("Error, when getting filesize");
+ if (f) fclose(f);
+ return 1;
+ }
+
uint8_t *dump = malloc(fsize);
- size_t bytes_read = fread(dump, fsize, 1, f);
+ size_t bytes_read = fread(dump, 1, fsize, f);
- fclose(f);
- if (bytes_read < fsize)
- {
+ if (f) fclose(f);
+
+ if (bytes_read < fsize) {
prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
}
- return bruteforceDump(dump,fsize,keytable);
+ uint8_t res = bruteforceDump(dump,fsize,keytable);
+ free(dump);
+ return res;
}
/**
*
@@ -475,9 +612,17 @@ int _testBruteforce()
**** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ****
**/
uint16_t keytable[128] = {0};
- //save some time...
- startvalue = 0x7B0000;
- errors |= bruteforceFile("iclass_dump.bin",keytable);
+
+ //Test a few variants
+ if (fileExists("iclass_dump.bin")){
+ errors |= bruteforceFile("iclass_dump.bin",keytable);
+ } else if (fileExists("loclass/iclass_dump.bin")){
+ errors |= bruteforceFile("loclass/iclass_dump.bin",keytable);
+ } else if (fileExists("client/loclass/iclass_dump.bin")){
+ errors |= bruteforceFile("client/loclass/iclass_dump.bin",keytable);
+ } else {
+ prnlog("Error: The file iclass_dump.bin was not found!");
+ }
}
return errors;
}
@@ -491,7 +636,6 @@ int _test_iclass_key_permutation()
permutekey(testcase, testcase_output);
permutekey_rev(testcase_output, testcase_output_rev);
-
if(memcmp(testcase_output, testcase_output_correct,8) != 0)
{
prnlog("Error with iclass key permute!");
@@ -511,15 +655,60 @@ int _test_iclass_key_permutation()
prnlog("[+] Iclass key permutation OK!");
return 0;
}
+int _testHash1()
+{
+ uint8_t csn[8]= {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0};
+ uint8_t k[8] = {0};
+ hash1(csn, k);
+ uint8_t expected[8] = {0x7E,0x72,0x2F,0x40,0x2D,0x02,0x51,0x42};
+ if(memcmp(k,expected,8) != 0)
+ {
+ prnlog("Error with hash1!");
+ printarr("calculated", k, 8);
+ printarr("expected", expected, 8);
+ return 1;
+ }
+ return 0;
+}
int testElite()
{
prnlog("[+] Testing iClass Elite functinality...");
- prnlog("[+] Testing key diversification ...");
+ prnlog("[+] Testing hash2");
+ uint8_t k_cus[8] = {0x5B,0x7C,0x62,0xC4,0x91,0xC1,0x1B,0x39};
+
+ /**
+ *Expected:
+ * High Security Key Table
+
+00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1
+10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21
+20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2
+30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C
+40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6
+50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42
+60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95
+70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB
+
+
+
+**** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ****
+ */
+ uint8_t keytable[128] = {0};
+ hash2(k_cus, keytable);
+ printarr_human_readable("Hash2", keytable, 128);
+ if(keytable[3] == 0xA1 && keytable[0x30] == 0xA3 && keytable[0x6F] == 0x95)
+ {
+ prnlog("[+] Hash2 looks fine...");
+ }
int errors = 0 ;
- errors +=_test_iclass_key_permutation();
+ prnlog("[+] Testing hash1...");
+ errors += _testHash1();
+ prnlog("[+] Testing key diversification ...");
+ errors +=_test_iclass_key_permutation();
errors += _testBruteforce();
+
return errors;
}