X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/ae6ead3dc84acd074be24c0da5efd94ea7a0b225..0ab9002f36f8297c640cf9920c06d106ccae2d70:/client/loclass/elite_crack.c
diff --git a/client/loclass/elite_crack.c b/client/loclass/elite_crack.c
index adedba85..21a67f54 100644
--- a/client/loclass/elite_crack.c
+++ b/client/loclass/elite_crack.c
@@ -1,14 +1,52 @@
+/*****************************************************************************
+ * WARNING
+ *
+ * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
+ *
+ * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
+ * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
+ * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
+ *
+ * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
+ *
+ *****************************************************************************
+ *
+ * This file is part of loclass. It is a reconstructon of the cipher engine
+ * used in iClass, and RFID techology.
+ *
+ * The implementation is based on the work performed by
+ * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
+ * Milosch Meriac in the paper "Dismantling IClass".
+ *
+ * Copyright (C) 2014 Martin Holst Swende
+ *
+ * This is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation, or, at your option, any later version.
+ *
+ * This file is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with loclass. If not, see .
+ *
+ *
+ ****************************************************************************/
+
#include
#include
#include
#include
-#include
+#include "util.h"
+#include "util_posix.h"
#include "cipherutils.h"
#include "cipher.h"
#include "ikeys.h"
#include "elite_crack.h"
#include "fileutils.h"
-#include "des.h"
+#include "mbedtls/des.h"
/**
* @brief Permutes a key from standard NIST format to Iclass specific format
@@ -141,22 +179,22 @@ void rk(uint8_t *key, uint8_t n, uint8_t *outp_key)
return;
}
-static des_context ctx_enc = {DES_ENCRYPT,{0}};
-static des_context ctx_dec = {DES_DECRYPT,{0}};
+static mbedtls_des_context ctx_enc = { {0} };
+static mbedtls_des_context ctx_dec = { {0} };
void desdecrypt_iclass(uint8_t *iclass_key, uint8_t *input, uint8_t *output)
{
uint8_t key_std_format[8] = {0};
permutekey_rev(iclass_key, key_std_format);
- des_setkey_dec( &ctx_dec, key_std_format);
- des_crypt_ecb(&ctx_dec,input,output);
+ mbedtls_des_setkey_dec( &ctx_dec, key_std_format);
+ mbedtls_des_crypt_ecb(&ctx_dec,input,output);
}
void desencrypt_iclass(uint8_t *iclass_key, uint8_t *input, uint8_t *output)
{
uint8_t key_std_format[8] = {0};
permutekey_rev(iclass_key, key_std_format);
- des_setkey_enc( &ctx_enc, key_std_format);
- des_crypt_ecb(&ctx_enc,input,output);
+ mbedtls_des_setkey_enc( &ctx_enc, key_std_format);
+ mbedtls_des_crypt_ecb(&ctx_enc,input,output);
}
/**
@@ -295,16 +333,14 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
* Only the lower eight bits correspond to the (hopefully cracked) key-value.
**/
uint8_t bytes_to_recover[3] = {0};
- uint8_t numbytes_to_recover = 0 ;
- int i;
- for(i =0 ; i < 8 ; i++)
- {
- if(keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
+ uint8_t numbytes_to_recover = 0;
+
+ for(int i = 0; i < 8; i++) {
+ if (keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
bytes_to_recover[numbytes_to_recover++] = key_index[i];
keytable[key_index[i]] |= BEING_CRACKED;
- if(numbytes_to_recover > 3)
- {
+ if(numbytes_to_recover > 3) {
prnlog("The CSN requires > 3 byte bruteforce, not supported");
printvar("CSN", item.csn,8);
printvar("HASH1", key_index,8);
@@ -332,15 +368,14 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
uint32_t endmask = 1 << 8*numbytes_to_recover;
- for(i =0 ; i < numbytes_to_recover && numbytes_to_recover > 1; i++)
+ for (int i = 0; i < numbytes_to_recover && numbytes_to_recover > 1; i++) {
prnlog("Bruteforcing byte %d", bytes_to_recover[i]);
+ }
- while(!found && !(brute & endmask))
- {
+ while(!found && !(brute & endmask)) {
//Update the keytable with the brute-values
- for(i =0 ; i < numbytes_to_recover; i++)
- {
+ for (int i = 0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF00;
keytable[bytes_to_recover[i]] |= (brute >> (i*8) & 0xFF);
}
@@ -356,42 +391,34 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
//Diversify
diversifyKey(item.csn, key_sel_p, div_key);
//Calc mac
- doMAC(item.cc_nr,12, div_key,calculated_MAC);
+ doMAC(item.cc_nr, div_key, calculated_MAC);
- if(memcmp(calculated_MAC, item.mac, 4) == 0)
- {
- for(i =0 ; i < numbytes_to_recover; i++)
- prnlog("=> %d: 0x%02x", bytes_to_recover[i],0xFF & keytable[bytes_to_recover[i]]);
+ if (memcmp(calculated_MAC, item.mac, 4) == 0) {
+ for (int i =0 ; i < numbytes_to_recover; i++)
+ prnlog("=> %d: 0x%02x", bytes_to_recover[i], 0xFF & keytable[bytes_to_recover[i]]);
found = true;
break;
}
brute++;
- if((brute & 0xFFFF) == 0)
- {
+ if ((brute & 0xFFFF) == 0) {
printf("%d",(brute >> 16) & 0xFF);
fflush(stdout);
}
}
- if(! found)
- {
+ if (! found) {
prnlog("Failed to recover %d bytes using the following CSN",numbytes_to_recover);
printvar("CSN",item.csn,8);
errors++;
//Before we exit, reset the 'BEING_CRACKED' to zero
- for(i =0 ; i < numbytes_to_recover; i++)
- {
+ for (int i = 0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACK_FAILED;
}
-
- }else
- {
- for(i =0 ; i < numbytes_to_recover; i++)
- {
+ } else {
+ for (int i = 0 ;i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACKED;
}
-
}
return errors;
}
@@ -411,7 +438,7 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
*/
int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] )
{
- des_context ctx_e = {DES_ENCRYPT,{0}};
+ mbedtls_des_context ctx_e = { {0} };
uint8_t z_0[8] = {0};
uint8_t y_0[8] = {0};
@@ -430,8 +457,8 @@ int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] )
permutekey_rev(z_0, z_0_rev);
// ~K_cus = DESenc(z[0], y[0])
- des_setkey_enc( &ctx_e, z_0_rev );
- des_crypt_ecb(&ctx_e, y_0, key64_negated);
+ mbedtls_des_setkey_enc( &ctx_e, z_0_rev );
+ mbedtls_des_crypt_ecb(&ctx_e, y_0, key64_negated);
int i;
for(i = 0; i < 8 ; i++)
@@ -444,8 +471,8 @@ int calculateMasterKey(uint8_t first16bytes[], uint64_t master_key[] )
uint8_t key64_stdformat[8] = {0};
permutekey_rev(key64, key64_stdformat);
- des_setkey_enc( &ctx_e, key64_stdformat );
- des_crypt_ecb(&ctx_e, key64_negated, result);
+ mbedtls_des_setkey_enc( &ctx_e, key64_stdformat );
+ mbedtls_des_crypt_ecb(&ctx_e, key64_negated, result);
prnlog("\nHigh security custom key (Kcus):");
printvar("Std format ", key64_stdformat,8);
printvar("Iclass format", key64,8);
@@ -474,19 +501,19 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
uint8_t i;
int errors = 0;
size_t itemsize = sizeof(dumpdata);
- clock_t t1 = clock();
+ uint64_t t1 = msclock();
dumpdata* attack = (dumpdata* ) malloc(itemsize);
- for(i = 0 ; i * itemsize < dumpsize ; i++ )
+ for (i = 0 ; i * itemsize < dumpsize ; i++ )
{
memcpy(attack,dump+i*itemsize, itemsize);
errors += bruteforceItem(*attack, keytable);
}
free(attack);
- clock_t t2 = clock();
- float diff = (((float)t2 - (float)t1) / CLOCKS_PER_SEC );
- prnlog("\nPerformed full crack in %f seconds",diff);
+ t1 = msclock() - t1;
+ float diff = (float)t1 / 1000.0;
+ prnlog("\nPerformed full crack in %f seconds", diff);
// Pick out the first 16 bytes of the keytable.
// The keytable is now in 16-bit ints, where the upper 8 bits
@@ -514,6 +541,7 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
*/
int bruteforceFile(const char *filename, uint16_t keytable[])
{
+
FILE *f = fopen(filename, "rb");
if(!f) {
prnlog("Failed to read from file '%s'", filename);
@@ -524,15 +552,23 @@ int bruteforceFile(const char *filename, uint16_t keytable[])
long fsize = ftell(f);
fseek(f, 0, SEEK_SET);
+ if (fsize < 0) {
+ prnlog("Error, when getting fsize");
+ fclose(f);
+ return 1;
+ }
+
uint8_t *dump = malloc(fsize);
size_t bytes_read = fread(dump, 1, fsize, f);
fclose(f);
- if (bytes_read < fsize)
- {
- prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
- }
- return bruteforceDump(dump,fsize,keytable);
+ if (bytes_read < fsize) {
+ prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize );
+ }
+
+ uint8_t res = bruteforceDump(dump,fsize,keytable);
+ free(dump);
+ return res;
}
/**
*
@@ -621,6 +657,21 @@ int _test_iclass_key_permutation()
prnlog("[+] Iclass key permutation OK!");
return 0;
}
+int _testHash1()
+{
+ uint8_t csn[8]= {0x01,0x02,0x03,0x04,0xF7,0xFF,0x12,0xE0};
+ uint8_t k[8] = {0};
+ hash1(csn, k);
+ uint8_t expected[8] = {0x7E,0x72,0x2F,0x40,0x2D,0x02,0x51,0x42};
+ if(memcmp(k,expected,8) != 0)
+ {
+ prnlog("Error with hash1!");
+ printarr("calculated", k, 8);
+ printarr("expected", expected, 8);
+ return 1;
+ }
+ return 0;
+}
int testElite()
{
@@ -653,11 +704,13 @@ int testElite()
prnlog("[+] Hash2 looks fine...");
}
- prnlog("[+] Testing key diversification ...");
-
int errors = 0 ;
- errors +=_test_iclass_key_permutation();
+ prnlog("[+] Testing hash1...");
+ errors += _testHash1();
+ prnlog("[+] Testing key diversification ...");
+ errors +=_test_iclass_key_permutation();
errors += _testBruteforce();
+
return errors;
}