├── .crypto1.c.swp ├── LICENSE ├── Makefile ├── README ├── crapto1.c ├── crapto1.h ├── crypto1.c ├── iso14443crc.c ├── iso14443crc.h ├── mf_nonce_brute.c ├── protocol.h ├── sleep.c └── sleep.h /.crypto1.c.swp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/J-Run/mf_nonce_brute/90cd60c46b6e633cba6faf078f4bce97e9c28901/.crypto1.c.swp -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | LD = gcc 3 | CFLAGS = -std=c99 -Wall -Winline -O3 4 | LDFLAGS = 5 | 6 | OBJS = crapto1.o crypto1.o iso14443crc.o 7 | HEADERS = crapto1.h iso14443crc.h 8 | EXES = mf_nonce_brute 9 | LIBS = 10 | 11 | all: $(OBJS) $(EXES) $(LIBS) 12 | 13 | % : %.c $(OBJS) 14 | $(LD) $(CFLAGS) -o $@ $< $(OBJS) $(LDFLAGS) -lpthread 15 | 16 | clean: 17 | rm -f $(OBJS) $(EXES) $(LIBS) 18 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | mf_nonce_brute 2 | Nested authentificated sector key recovery tool. 3 | Compatible tags: 4 | Mifare Classic 1k (4k) 5 | Mifare Plus in SL1 mode 6 | 7 | To recover keys to nested authentificated sectors you need a reader-card communication log. To get it use 8 | hardware tools that able to sniff communication (for example Proxmark3 or HydraNFC). 9 | 10 | This enhanced version 11 | First 2 bytes should be bruteforced in phase 2 with mf_key_brute tool that interacts with a card. 12 | 13 | Sample trace: 14 | 15 | 93 70 fd ac f6 d8 7f 21 4f // select card with UID fdacf6d8 16 | TAG 08 b6 dd // sak 17 | 60 04 d1 3d // wanna auth block 0x04 with A key 18 | TAG ed 12 9c 74 // 1st auth clear text nt 19 | 55 53 9f cc 41 8d e8 f3 // nr', ar' (nr^ks1, ar^ks2 ) 20 | TAG 05 49 e1 65 // at' ( at^ks3 ) 21 | 03 24 26 56 // wanna read block 0x04 22 | TAG ac 69 ef 58 45 e1 c2 1d a9 47 a5 94 54 ef 5d c7 1e a9 // block 0x04 content 23 | d4 3e a8 aa 24 | TAG 8e 8e e3 e6 e9 e2 5f dd f6 08 ce fb 02 6a db 75 94 2f 25 | 79 77 68 3c 26 | TAG e0 00 00 80 80 08 cc 80 08 9c 82 e0 68 64 60 30 91 60 // 18 bytes = 16 byte content + 2 bytes crc 27 | ea 88 c3 c2 // 4 byte read cmd 28 | TAG a3 76 dc df c1 42 e0 ee c6 75 a4 ca eb 0c da eb 46 a0 // 18 bytes = 16 byte content + 2 bytes crc ks8 + crc 29 | 2d 27 ab 6f // wanna auth to 0x04 block with key B 30 | 31 | -------Until this line we can recover key or decrypt communication with no troubles (see mfkey64 tool)-------------------------------- 32 | 33 | TAG 52 6e af 8b // nested auth encrypted tag nonce that we dont know 34 | 8e 21 3a 29 a4 80 7e 02 // nr_enc = nr^ks1, ar_enc = ar^ks2 35 | TAG b9 43 74 8d // at_enc = at^ks3 36 | e2 25 f8 32 // probably next command (actually is read block cmd, but we dont know it yet) 37 | TAG 1f 26 82 8d 12 21 dd 42 c2 84 3e d0 26 7f 6b 2a 81 a9 // probably data 38 | ba 85 1d 36 // probably read cmd 39 | TAG 62 a8 78 69 ee 36 22 16 1c ff 4b 4e 69 cb 27 c2 e8 7e // probably data 40 | a7 b1 c8 da // probably read cmd 41 | TAG b2 fc 6c 65 60 ec 35 83 87 56 e3 7e 3c bf 38 b8 73 21 // probably data 42 | 99 92 13 55 // probably read cmd 43 | TAG 93 5b 65 a3 1d 8c 75 b8 3a 63 e2 31 f0 d0 a9 24 9a f6 // probably data 44 | 45 | ############################################################################################## 46 | 47 | Mifare classic nested auth key recovery. Phase 1. 48 | syntax: mf_nonce_brute.exe <{nt}> <{nr}> <{ar}> <{at}> [<{next_command}>] 49 | 50 | example: nt in trace = 8c! 42 e6! 4e! 51 | nt = 8c42e64e 52 | nt_par_err = 1011 53 | #### 54 | 55 | Example with parity (from this trace http://www.proxmark.org/forum/viewtopic.php?pid=550#p550) 56 | ---------------------------------------------------------------------------------------------- 57 | + 561882: 1 : 26 58 | + 64: 2 : TAG 04 00 59 | + 10217: 2 : 93 20 60 | + 64: 5 : TAG 9c 59 9b 32 6c UID 61 | + 12313: 9 : 93 70 9c 59 9b 32 6c 6b 30 62 | + 64: 3 : TAG 08 b6 dd 63 | + 923318: 4 : 60 00 f5 7b AUTH Block 0 64 | + 112: 4 : TAG 82 a4 16 6c Nonce Tag (NT) 65 | + 6985: 8 : a1 e4! 58 ce! 6e ea! 41 e0! NR , AR 66 | + 64: 4 : TAG 5c! ad f4 39! AT 67 | + 811513: 4 : 8e 0e! 5d! b9 AUTH Block 0 (nested) 68 | + 112: 4 : TAG 5a! 92 0d! 85! Nonce Tag (NT) 69 | + 6946: 8 : 98! d7 6b! 77 d6 c6 e8 70 NR , AR 70 | + 64: 4 : TAG ca 7e! 0b! 63! AT 71 | + 670868: 4 : 3e! 70 9c! 8a 72 | + 112: 4 : TAG 36! 41 24! 79 73 | + 9505: 8 : 1b! 8c 3a! 48! 83 5a 4a! 27 74 | + 64: 4 : TAG 40! 6a! 99! 4b 75 | + 905612: 4 : c9 7c 64! 13! !crc 76 | + 112: 4 : TAG b5! ab! 1d! 2b 77 | + 6936: 8 : 7e! d2 5c! ca! 4b! 50! 88! c4 !crc 78 | + 64: 4 : TAG bf dd 01 be! 79 | + 987853: 4 : 56 98 49 d6! !crc 80 | 81 | # 82 | # Samples 83 | # |-nt_par_err |-at_par_err |-at_par_err 84 | # ./mf_nonce_brute 9c599b32 82a4166c 0000 a1e458ce 6eea41e0 0101 5cadf439 1001 3e709c8a 85 | # ^--UID ^-nt_enc ^ ^-nr_enc ^-ar_enc ^ ^-at_enc ^ ^-encrypted next cmd 86 | # 87 | # 88 | # These two taken from above uses the plaintext tagnonce (nt) '82a4166c', it still finds a possible key candidate. 89 | # 90 | ./mf_nonce_brute 9c599b32 82a4166c 0000 a1e458ce 6eea41e0 0101 5cadf439 1001 91 | ./mf_nonce_brute 9c599b32 82a4166c 0000 98d76b77 d6c6e870 0000 ca7e0b63 0111 92 | 93 | # This uses the encrypted tagnonce (nt) '5a920d85', it finds a valid key. 94 | # 95 | ./mf_nonce_brute 9c599b32 5a920d85 1011 98d76b77 d6c6e870 0000 ca7e0b63 0111 96 | 97 | # This uses the encrypted tagnonce (nt) '5a920d85' and the encrypted cmd '3e709c8a' to validate , it finds a valid key. 98 | # 99 | ./mf_nonce_brute 9c599b32 5a920d85 1011 98d76b77 d6c6e870 0000 ca7e0b63 0111 3e709c8a 100 | 101 | # Another sample 102 | ./mf_nonce_brute fa247164 fb47c594 0000 71909d28 0c254817 1000 0dc7cfbd 1110 103 | 104 | # 105 | # 106 | # 107 | # demo 108 | # 109 | pm3 ~/tools/mf_nonce_brute$ mf_nonce_brute.exe fa247164 fb47c594 0000 71909d28 0c254817 1000 0dc7cfbd 1110 110 | Mifare classic nested auth key recovery. Phase 1. 111 | ------------------------------------------------- 112 | uid: fa247164 113 | nt encrypted: fb47c594 114 | nt parity err: 0000 115 | nr encrypted: 71909d28 116 | ar encrypted: 0c254817 117 | ar parity err: 1000 118 | at encrypted: 0dc7cfbd 119 | at parity err: 1110 120 | 121 | Starting 4 threads to bruteforce encrypted tag nonce last bytes 122 | 123 | Valid Key found: [ffffffffffff] 124 | 125 | Time in mf_nonce_brute (Phase 1): 2496 ticks 2.0 seconds 126 | pm3 ~/tools/mf_nonce_brute$ 127 | # 128 | # 129 | # 130 | pm3 ~/tools/mf_nonce_brute$ ./mf_nonce_brute.exe 9c599b32 5a920d85 1011 98d76b77 d6c6e870 0000 ca7e0b63 0111 3e709c8a 131 | Mifare classic nested auth key recovery. Phase 1. 132 | ------------------------------------------------- 133 | uid: 9c599b32 134 | nt encrypted: 5a920d85 135 | nt parity err: 1011 136 | nr encrypted: 98d76b77 137 | ar encrypted: d6c6e870 138 | ar parity err: 0000 139 | at encrypted: ca7e0b63 140 | at parity err: 0111 141 | next cmd enc: 3e709c8a 142 | 143 | 144 | Starting 4 threads to bruteforce encrypted tag nonce last bytes 145 | CMD enc(3e709c8a) 146 | dec(6000f57b) <-- Valid cmd 147 | 148 | Valid Key found: [ffffffffffff] 149 | 150 | Time in mf_nonce_brute (Phase 1): 1763 ticks 2.0 seconds 151 | pm3 ~/tools/mf_nonce_brute$ -------------------------------------------------------------------------------- /crapto1.c: -------------------------------------------------------------------------------- 1 | /* crapto1.c 2 | 3 | This program is free software; you can redistribute it and/or 4 | modify it under the terms of the GNU General Public License 5 | as published by the Free Software Foundation; either version 2 6 | of the License, or (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program; if not, write to the Free Software 15 | Foundation, Inc., 51 Franklin Street, Fifth Floor, 16 | Boston, MA 02110-1301, US$ 17 | 18 | Copyright (C) 2008-2014 bla 19 | */ 20 | #include "crapto1.h" 21 | #include 22 | 23 | #if !defined LOWMEM && defined __GNUC__ 24 | static uint8_t filterlut[1 << 20]; 25 | static void __attribute__((constructor)) fill_lut() 26 | { 27 | uint32_t i; 28 | for(i = 0; i < 1 << 20; ++i) 29 | filterlut[i] = filter(i); 30 | } 31 | #define filter(x) (filterlut[(x) & 0xfffff]) 32 | #endif 33 | 34 | 35 | 36 | typedef struct bucket { 37 | uint32_t *head; 38 | uint32_t *bp; 39 | } bucket_t; 40 | 41 | typedef bucket_t bucket_array_t[2][0x100]; 42 | 43 | typedef struct bucket_info { 44 | struct { 45 | uint32_t *head, *tail; 46 | } bucket_info[2][0x100]; 47 | uint32_t numbuckets; 48 | } bucket_info_t; 49 | 50 | 51 | static void bucket_sort_intersect(uint32_t* const estart, uint32_t* const estop, 52 | uint32_t* const ostart, uint32_t* const ostop, 53 | bucket_info_t *bucket_info, bucket_array_t bucket) 54 | { 55 | uint32_t *p1, *p2; 56 | uint32_t *start[2]; 57 | uint32_t *stop[2]; 58 | 59 | start[0] = estart; 60 | stop[0] = estop; 61 | start[1] = ostart; 62 | stop[1] = ostop; 63 | 64 | // init buckets to be empty 65 | for (uint32_t i = 0; i < 2; i++) { 66 | for (uint32_t j = 0x00; j <= 0xff; j++) { 67 | bucket[i][j].bp = bucket[i][j].head; 68 | } 69 | } 70 | 71 | // sort the lists into the buckets based on the MSB (contribution bits) 72 | for (uint32_t i = 0; i < 2; i++) { 73 | for (p1 = start[i]; p1 <= stop[i]; p1++) { 74 | uint32_t bucket_index = (*p1 & 0xff000000) >> 24; 75 | *(bucket[i][bucket_index].bp++) = *p1; 76 | } 77 | } 78 | 79 | 80 | // write back intersecting buckets as sorted list. 81 | // fill in bucket_info with head and tail of the bucket contents in the list and number of non-empty buckets. 82 | uint32_t nonempty_bucket; 83 | for (uint32_t i = 0; i < 2; i++) { 84 | p1 = start[i]; 85 | nonempty_bucket = 0; 86 | for (uint32_t j = 0x00; j <= 0xff; j++) { 87 | if (bucket[0][j].bp != bucket[0][j].head && bucket[1][j].bp != bucket[1][j].head) { // non-empty intersecting buckets only 88 | bucket_info->bucket_info[i][nonempty_bucket].head = p1; 89 | for (p2 = bucket[i][j].head; p2 < bucket[i][j].bp; *p1++ = *p2++); 90 | bucket_info->bucket_info[i][nonempty_bucket].tail = p1 - 1; 91 | nonempty_bucket++; 92 | } 93 | } 94 | bucket_info->numbuckets = nonempty_bucket; 95 | } 96 | } 97 | 98 | 99 | /** update_contribution 100 | * helper, calculates the partial linear feedback contributions and puts in MSB 101 | */ 102 | static inline void update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2) 103 | { 104 | uint32_t p = *item >> 25; 105 | 106 | p = p << 1 | parity(*item & mask1); 107 | p = p << 1 | parity(*item & mask2); 108 | *item = p << 24 | (*item & 0xffffff); 109 | } 110 | 111 | /** extend_table 112 | * using a bit of the keystream extend the table of possible lfsr states 113 | */ 114 | static inline void extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in) 115 | { 116 | in <<= 24; 117 | for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1) 118 | if(filter(*tbl) ^ filter(*tbl | 1)) { 119 | *tbl |= filter(*tbl) ^ bit; 120 | update_contribution(tbl, m1, m2); 121 | *tbl ^= in; 122 | } else if(filter(*tbl) == bit) { 123 | *++*end = tbl[1]; 124 | tbl[1] = tbl[0] | 1; 125 | update_contribution(tbl, m1, m2); 126 | *tbl++ ^= in; 127 | update_contribution(tbl, m1, m2); 128 | *tbl ^= in; 129 | } else 130 | *tbl-- = *(*end)--; 131 | } 132 | /** extend_table_simple 133 | * using a bit of the keystream extend the table of possible lfsr states 134 | */ 135 | static inline void extend_table_simple(uint32_t *tbl, uint32_t **end, int bit) 136 | { 137 | for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1) { 138 | if(filter(*tbl) ^ filter(*tbl | 1)) { // replace 139 | *tbl |= filter(*tbl) ^ bit; 140 | } else if(filter(*tbl) == bit) { // insert 141 | *++*end = *++tbl; 142 | *tbl = tbl[-1] | 1; 143 | } else { // drop 144 | *tbl-- = *(*end)--; 145 | } 146 | } 147 | } 148 | /** recover 149 | * recursively narrow down the search space, 4 bits of keystream at a time 150 | */ 151 | static struct Crypto1State* 152 | recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks, 153 | uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem, 154 | struct Crypto1State *sl, uint32_t in, bucket_array_t bucket) 155 | { 156 | uint32_t *o, *e; 157 | bucket_info_t bucket_info; 158 | 159 | if(rem == -1) { 160 | for(e = e_head; e <= e_tail; ++e) { 161 | *e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4); 162 | for(o = o_head; o <= o_tail; ++o, ++sl) { 163 | sl->even = *o; 164 | sl->odd = *e ^ parity(*o & LF_POLY_ODD); 165 | sl[1].odd = sl[1].even = 0; 166 | } 167 | } 168 | return sl; 169 | } 170 | 171 | for(uint32_t i = 0; i < 4 && rem--; i++) { 172 | oks >>= 1; 173 | eks >>= 1; 174 | in >>= 2; 175 | extend_table(o_head, &o_tail, oks & 1, LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0); 176 | if(o_head > o_tail) 177 | return sl; 178 | 179 | extend_table(e_head, &e_tail, eks & 1, LF_POLY_ODD, LF_POLY_EVEN << 1 | 1, in & 3); 180 | if(e_head > e_tail) 181 | return sl; 182 | } 183 | 184 | bucket_sort_intersect(e_head, e_tail, o_head, o_tail, &bucket_info, bucket); 185 | 186 | for (int i = bucket_info.numbuckets - 1; i >= 0; i--) { 187 | sl = recover(bucket_info.bucket_info[1][i].head, bucket_info.bucket_info[1][i].tail, oks, 188 | bucket_info.bucket_info[0][i].head, bucket_info.bucket_info[0][i].tail, eks, 189 | rem, sl, in, bucket); 190 | } 191 | 192 | return sl; 193 | } 194 | /** lfsr_recovery 195 | * recover the state of the lfsr given 32 bits of the keystream 196 | * additionally you can use the in parameter to specify the value 197 | * that was fed into the lfsr at the time the keystream was generated 198 | */ 199 | struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in) 200 | { 201 | struct Crypto1State *statelist; 202 | uint32_t *odd_head = 0, *odd_tail = 0, oks = 0; 203 | uint32_t *even_head = 0, *even_tail = 0, eks = 0; 204 | int i; 205 | 206 | // split the keystream into an odd and even part 207 | for(i = 31; i >= 0; i -= 2) 208 | oks = oks << 1 | BEBIT(ks2, i); 209 | for(i = 30; i >= 0; i -= 2) 210 | eks = eks << 1 | BEBIT(ks2, i); 211 | 212 | odd_head = odd_tail = malloc(sizeof(uint32_t) << 21); 213 | even_head = even_tail = malloc(sizeof(uint32_t) << 21); 214 | statelist = malloc(sizeof(struct Crypto1State) << 18); 215 | if(!odd_tail-- || !even_tail-- || !statelist) { 216 | free(statelist); 217 | statelist = 0; 218 | goto out; 219 | } 220 | 221 | statelist->odd = statelist->even = 0; 222 | 223 | // allocate memory for out of place bucket_sort 224 | bucket_array_t bucket; 225 | 226 | for (uint32_t i = 0; i < 2; i++) { 227 | for (uint32_t j = 0; j <= 0xff; j++) { 228 | bucket[i][j].head = malloc(sizeof(uint32_t)<<14); 229 | if (!bucket[i][j].head) { 230 | goto out; 231 | } 232 | } 233 | } 234 | 235 | // initialize statelists: add all possible states which would result into the rightmost 2 bits of the keystream 236 | for(i = 1 << 20; i >= 0; --i) { 237 | if(filter(i) == (oks & 1)) 238 | *++odd_tail = i; 239 | if(filter(i) == (eks & 1)) 240 | *++even_tail = i; 241 | } 242 | 243 | // extend the statelists. Look at the next 8 Bits of the keystream (4 Bit each odd and even): 244 | for(i = 0; i < 4; i++) { 245 | extend_table_simple(odd_head, &odd_tail, (oks >>= 1) & 1); 246 | extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1); 247 | } 248 | 249 | // the statelists now contain all states which could have generated the last 10 Bits of the keystream. 250 | // 22 bits to go to recover 32 bits in total. From now on, we need to take the "in" 251 | // parameter into account. 252 | in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00); // Byte swapping 253 | recover(odd_head, odd_tail, oks, even_head, even_tail, eks, 11, statelist, in << 1, bucket); 254 | 255 | out: 256 | for (uint32_t i = 0; i < 2; i++) 257 | for (uint32_t j = 0; j <= 0xff; j++) 258 | free(bucket[i][j].head); 259 | free(odd_head); 260 | free(even_head); 261 | return statelist; 262 | } 263 | 264 | static const uint32_t S1[] = { 0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214, 265 | 0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83, 266 | 0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA}; 267 | static const uint32_t S2[] = { 0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60, 268 | 0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8, 269 | 0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20, 270 | 0x7EC7EE90, 0x7F63F748, 0x79117020}; 271 | static const uint32_t T1[] = { 272 | 0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66, 273 | 0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B, 274 | 0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615, 275 | 0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C}; 276 | static const uint32_t T2[] = { 0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0, 277 | 0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268, 278 | 0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0, 279 | 0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0, 280 | 0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950, 281 | 0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0}; 282 | static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD}; 283 | static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0}; 284 | /** Reverse 64 bits of keystream into possible cipher states 285 | * Variation mentioned in the paper. Somewhat optimized version 286 | */ 287 | struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3) 288 | { 289 | struct Crypto1State *statelist, *sl; 290 | uint8_t oks[32], eks[32], hi[32]; 291 | uint32_t low = 0, win = 0; 292 | uint32_t *tail, table[1 << 16]; 293 | int i, j; 294 | 295 | sl = statelist = malloc(sizeof(struct Crypto1State) << 4); 296 | if(!sl) 297 | return 0; 298 | sl->odd = sl->even = 0; 299 | 300 | for(i = 30; i >= 0; i -= 2) { 301 | oks[i >> 1] = BEBIT(ks2, i); 302 | oks[16 + (i >> 1)] = BEBIT(ks3, i); 303 | } 304 | for(i = 31; i >= 0; i -= 2) { 305 | eks[i >> 1] = BEBIT(ks2, i); 306 | eks[16 + (i >> 1)] = BEBIT(ks3, i); 307 | } 308 | 309 | for(i = 0xfffff; i >= 0; --i) { 310 | if (filter(i) != oks[0]) 311 | continue; 312 | 313 | *(tail = table) = i; 314 | for(j = 1; tail >= table && j < 29; ++j) 315 | extend_table_simple(table, &tail, oks[j]); 316 | 317 | if(tail < table) 318 | continue; 319 | 320 | for(j = 0; j < 19; ++j) 321 | low = low << 1 | parity(i & S1[j]); 322 | for(j = 0; j < 32; ++j) 323 | hi[j] = parity(i & T1[j]); 324 | 325 | for(; tail >= table; --tail) { 326 | for(j = 0; j < 3; ++j) { 327 | *tail = *tail << 1; 328 | *tail |= parity((i & C1[j]) ^ (*tail & C2[j])); 329 | if(filter(*tail) != oks[29 + j]) 330 | goto continue2; 331 | } 332 | 333 | for(j = 0; j < 19; ++j) 334 | win = win << 1 | parity(*tail & S2[j]); 335 | 336 | win ^= low; 337 | for(j = 0; j < 32; ++j) { 338 | win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]); 339 | if(filter(win) != eks[j]) 340 | goto continue2; 341 | } 342 | 343 | *tail = *tail << 1 | parity(LF_POLY_EVEN & *tail); 344 | sl->odd = *tail ^ parity(LF_POLY_ODD & win); 345 | sl->even = win; 346 | ++sl; 347 | sl->odd = sl->even = 0; 348 | continue2:; 349 | } 350 | } 351 | return statelist; 352 | } 353 | 354 | /** lfsr_rollback_bit 355 | * Rollback the shift register in order to get previous states 356 | */ 357 | uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb) 358 | { 359 | int out; 360 | uint8_t ret; 361 | uint32_t t; 362 | 363 | s->odd &= 0xffffff; 364 | t = s->odd, s->odd = s->even, s->even = t; 365 | 366 | out = s->even & 1; 367 | out ^= LF_POLY_EVEN & (s->even >>= 1); 368 | out ^= LF_POLY_ODD & s->odd; 369 | out ^= !!in; 370 | out ^= (ret = filter(s->odd)) & !!fb; 371 | 372 | s->even |= parity(out) << 23; 373 | return ret; 374 | } 375 | /** lfsr_rollback_byte 376 | * Rollback the shift register in order to get previous states 377 | */ 378 | uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb) 379 | { 380 | /* 381 | int i, ret = 0; 382 | for (i = 7; i >= 0; --i) 383 | ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i; 384 | */ 385 | // unfold loop 20160112 386 | uint8_t ret = 0; 387 | ret |= lfsr_rollback_bit(s, BIT(in, 7), fb) << 7; 388 | ret |= lfsr_rollback_bit(s, BIT(in, 6), fb) << 6; 389 | ret |= lfsr_rollback_bit(s, BIT(in, 5), fb) << 5; 390 | ret |= lfsr_rollback_bit(s, BIT(in, 4), fb) << 4; 391 | ret |= lfsr_rollback_bit(s, BIT(in, 3), fb) << 3; 392 | ret |= lfsr_rollback_bit(s, BIT(in, 2), fb) << 2; 393 | ret |= lfsr_rollback_bit(s, BIT(in, 1), fb) << 1; 394 | ret |= lfsr_rollback_bit(s, BIT(in, 0), fb) << 0; 395 | return ret; 396 | } 397 | /** lfsr_rollback_word 398 | * Rollback the shift register in order to get previous states 399 | */ 400 | uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) 401 | { 402 | /* 403 | int i; 404 | uint32_t ret = 0; 405 | for (i = 31; i >= 0; --i) 406 | ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24); 407 | */ 408 | // unfold loop 20160112 409 | uint32_t ret = 0; 410 | ret |= lfsr_rollback_bit(s, BEBIT(in, 31), fb) << (31 ^ 24); 411 | ret |= lfsr_rollback_bit(s, BEBIT(in, 30), fb) << (30 ^ 24); 412 | ret |= lfsr_rollback_bit(s, BEBIT(in, 29), fb) << (29 ^ 24); 413 | ret |= lfsr_rollback_bit(s, BEBIT(in, 28), fb) << (28 ^ 24); 414 | ret |= lfsr_rollback_bit(s, BEBIT(in, 27), fb) << (27 ^ 24); 415 | ret |= lfsr_rollback_bit(s, BEBIT(in, 26), fb) << (26 ^ 24); 416 | ret |= lfsr_rollback_bit(s, BEBIT(in, 25), fb) << (25 ^ 24); 417 | ret |= lfsr_rollback_bit(s, BEBIT(in, 24), fb) << (24 ^ 24); 418 | 419 | ret |= lfsr_rollback_bit(s, BEBIT(in, 23), fb) << (23 ^ 24); 420 | ret |= lfsr_rollback_bit(s, BEBIT(in, 22), fb) << (22 ^ 24); 421 | ret |= lfsr_rollback_bit(s, BEBIT(in, 21), fb) << (21 ^ 24); 422 | ret |= lfsr_rollback_bit(s, BEBIT(in, 20), fb) << (20 ^ 24); 423 | ret |= lfsr_rollback_bit(s, BEBIT(in, 19), fb) << (19 ^ 24); 424 | ret |= lfsr_rollback_bit(s, BEBIT(in, 18), fb) << (18 ^ 24); 425 | ret |= lfsr_rollback_bit(s, BEBIT(in, 17), fb) << (17 ^ 24); 426 | ret |= lfsr_rollback_bit(s, BEBIT(in, 16), fb) << (16 ^ 24); 427 | 428 | ret |= lfsr_rollback_bit(s, BEBIT(in, 15), fb) << (15 ^ 24); 429 | ret |= lfsr_rollback_bit(s, BEBIT(in, 14), fb) << (14 ^ 24); 430 | ret |= lfsr_rollback_bit(s, BEBIT(in, 13), fb) << (13 ^ 24); 431 | ret |= lfsr_rollback_bit(s, BEBIT(in, 12), fb) << (12 ^ 24); 432 | ret |= lfsr_rollback_bit(s, BEBIT(in, 11), fb) << (11 ^ 24); 433 | ret |= lfsr_rollback_bit(s, BEBIT(in, 10), fb) << (10 ^ 24); 434 | ret |= lfsr_rollback_bit(s, BEBIT(in, 9), fb) << (9 ^ 24); 435 | ret |= lfsr_rollback_bit(s, BEBIT(in, 8), fb) << (8 ^ 24); 436 | 437 | ret |= lfsr_rollback_bit(s, BEBIT(in, 7), fb) << (7 ^ 24); 438 | ret |= lfsr_rollback_bit(s, BEBIT(in, 6), fb) << (6 ^ 24); 439 | ret |= lfsr_rollback_bit(s, BEBIT(in, 5), fb) << (5 ^ 24); 440 | ret |= lfsr_rollback_bit(s, BEBIT(in, 4), fb) << (4 ^ 24); 441 | ret |= lfsr_rollback_bit(s, BEBIT(in, 3), fb) << (3 ^ 24); 442 | ret |= lfsr_rollback_bit(s, BEBIT(in, 2), fb) << (2 ^ 24); 443 | ret |= lfsr_rollback_bit(s, BEBIT(in, 1), fb) << (1 ^ 24); 444 | ret |= lfsr_rollback_bit(s, BEBIT(in, 0), fb) << (0 ^ 24); 445 | return ret; 446 | } 447 | 448 | /** nonce_distance 449 | * x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y 450 | */ 451 | static uint16_t *dist = 0; 452 | int nonce_distance(uint32_t from, uint32_t to) 453 | { 454 | uint16_t x, i; 455 | if(!dist) { 456 | dist = malloc(2 << 16); 457 | if(!dist) 458 | return -1; 459 | for (x = i = 1; i; ++i) { 460 | dist[(x & 0xff) << 8 | x >> 8] = i; 461 | x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15; 462 | } 463 | } 464 | return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535; 465 | } 466 | 467 | 468 | static uint32_t fastfwd[2][8] = { 469 | { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB}, 470 | { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}}; 471 | 472 | 473 | /** lfsr_prefix_ks 474 | * 475 | * Is an exported helper function from the common prefix attack 476 | * Described in the "dark side" paper. It returns an -1 terminated array 477 | * of possible partial(21 bit) secret state. 478 | * The required keystream(ks) needs to contain the keystream that was used to 479 | * encrypt the NACK which is observed when varying only the 3 last bits of Nr 480 | * only correct iff [NR_3] ^ NR_3 does not depend on Nr_3 481 | */ 482 | uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd) 483 | { 484 | uint32_t *candidates = malloc(4 << 10); 485 | if(!candidates) return 0; 486 | 487 | uint32_t c, entry; 488 | int size = 0, i, good; 489 | 490 | for(i = 0; i < 1 << 21; ++i) { 491 | for(c = 0, good = 1; good && c < 8; ++c) { 492 | entry = i ^ fastfwd[isodd][c]; 493 | good &= (BIT(ks[c], isodd) == filter(entry >> 1)); 494 | good &= (BIT(ks[c], isodd + 2) == filter(entry)); 495 | } 496 | if(good) 497 | candidates[size++] = i; 498 | } 499 | 500 | candidates[size] = -1; 501 | 502 | return candidates; 503 | } 504 | 505 | /** check_pfx_parity 506 | * helper function which eliminates possible secret states using parity bits 507 | */ 508 | static struct Crypto1State* check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8], uint32_t odd, uint32_t even, struct Crypto1State* sl) 509 | { 510 | uint32_t ks1, nr, ks2, rr, ks3, c, good = 1; 511 | 512 | for(c = 0; good && c < 8; ++c) { 513 | sl->odd = odd ^ fastfwd[1][c]; 514 | sl->even = even ^ fastfwd[0][c]; 515 | 516 | lfsr_rollback_bit(sl, 0, 0); 517 | lfsr_rollback_bit(sl, 0, 0); 518 | 519 | ks3 = lfsr_rollback_bit(sl, 0, 0); 520 | ks2 = lfsr_rollback_word(sl, 0, 0); 521 | ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1); 522 | 523 | nr = ks1 ^ (prefix | c << 5); 524 | rr = ks2 ^ rresp; 525 | 526 | good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24); 527 | good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16); 528 | good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8); 529 | good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0); 530 | good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3; 531 | } 532 | 533 | return sl + good; 534 | } 535 | 536 | /** lfsr_common_prefix 537 | * Implentation of the common prefix attack. 538 | * Requires the 28 bit constant prefix used as reader nonce (pfx) 539 | * The reader response used (rr) 540 | * The keystream used to encrypt the observed NACK's (ks) 541 | * The parity bits (par) 542 | * It returns a zero terminated list of possible cipher states after the 543 | * tag nonce was fed in 544 | */ 545 | 546 | struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]) 547 | { 548 | struct Crypto1State *statelist, *s; 549 | uint32_t *odd, *even, *o, *e, top; 550 | 551 | odd = lfsr_prefix_ks(ks, 1); 552 | even = lfsr_prefix_ks(ks, 0); 553 | 554 | s = statelist = malloc((sizeof *statelist) << 20); 555 | if(!s || !odd || !even) { 556 | free(statelist); 557 | statelist = 0; 558 | goto out; 559 | } 560 | 561 | for(o = odd; *o + 1; ++o) 562 | for(e = even; *e + 1; ++e) 563 | for(top = 0; top < 64; ++top) { 564 | *o += 1 << 21; 565 | *e += (!(top & 7) + 1) << 21; 566 | s = check_pfx_parity(pfx, rr, par, *o, *e, s); 567 | } 568 | 569 | s->odd = s->even = 0; 570 | out: 571 | free(odd); 572 | free(even); 573 | return statelist; 574 | } 575 | -------------------------------------------------------------------------------- /crapto1.h: -------------------------------------------------------------------------------- 1 | /* crapto1.h 2 | 3 | This program is free software; you can redistribute it and/or 4 | modify it under the terms of the GNU General Public License 5 | as published by the Free Software Foundation; either version 2 6 | of the License, or (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program; if not, write to the Free Software 15 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 16 | MA 02110-1301, US$ 17 | 18 | Copyright (C) 2008-2014 bla 19 | */ 20 | #ifndef CRAPTO1_H__ 21 | #define CRAPTO1_H__ 22 | #include 23 | #ifdef __cplusplus 24 | extern "C" { 25 | #endif 26 | 27 | struct Crypto1State {uint32_t odd, even;}; 28 | struct Crypto1State* crypto1_create(uint64_t); 29 | void crypto1_destroy(struct Crypto1State*); 30 | void crypto1_get_lfsr(struct Crypto1State*, uint64_t*); 31 | uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int); 32 | uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int); 33 | uint32_t crypto1_word(struct Crypto1State*, uint32_t, int); 34 | uint32_t prng_successor(uint32_t x, uint32_t n); 35 | 36 | struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in); 37 | struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3); 38 | uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd); 39 | struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]); 40 | 41 | uint8_t lfsr_rollback_bit(struct Crypto1State* s, uint32_t in, int fb); 42 | uint8_t lfsr_rollback_byte(struct Crypto1State* s, uint32_t in, int fb); 43 | uint32_t lfsr_rollback_word(struct Crypto1State* s, uint32_t in, int fb); 44 | int nonce_distance(uint32_t from, uint32_t to); 45 | #define SWAPENDIAN(x)\ 46 | (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16) 47 | 48 | #define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\ 49 | uint32_t __n = 0,__M = 0, N = 0;\ 50 | int __i;\ 51 | for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\ 52 | for(__i = FSIZE - 1; __i >= 0; __i--)\ 53 | if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\ 54 | break;\ 55 | else if(__i)\ 56 | __M = prng_successor(__M, (__i == 7) ? 48 : 8);\ 57 | else 58 | 59 | #define LF_POLY_ODD (0x29CE5C) 60 | #define LF_POLY_EVEN (0x870804) 61 | #define BIT(x, n) ((x) >> (n) & 1) 62 | #define BEBIT(x, n) BIT(x, (n) ^ 24) 63 | static inline int parity(uint32_t x) 64 | { 65 | #if !defined __i386__ || !defined __GNUC__ 66 | x ^= x >> 16; 67 | x ^= x >> 8; 68 | x ^= x >> 4; 69 | return BIT(0x6996, x & 0xf); 70 | #else 71 | __asm__( "movl %1, %%eax\n" 72 | "mov %%ax, %%cx\n" 73 | "shrl $0x10, %%eax\n" 74 | "xor %%ax, %%cx\n" 75 | "xor %%ch, %%cl\n" 76 | "setpo %%al\n" 77 | "movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx"); 78 | return x; 79 | #endif 80 | } 81 | static inline int filter(uint32_t const x) 82 | { 83 | uint32_t f; 84 | 85 | f = 0xf22c0 >> (x & 0xf) & 16; 86 | f |= 0x6c9c0 >> (x >> 4 & 0xf) & 8; 87 | f |= 0x3c8b0 >> (x >> 8 & 0xf) & 4; 88 | f |= 0x1e458 >> (x >> 12 & 0xf) & 2; 89 | f |= 0x0d938 >> (x >> 16 & 0xf) & 1; 90 | return BIT(0xEC57E80A, f); 91 | } 92 | #ifdef __cplusplus 93 | } 94 | #endif 95 | #endif 96 | -------------------------------------------------------------------------------- /crypto1.c: -------------------------------------------------------------------------------- 1 | /* crypto1.c 2 | 3 | This program is free software; you can redistribute it and/or 4 | modify it under the terms of the GNU General Public License 5 | as published by the Free Software Foundation; either version 2 6 | of the License, or (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program; if not, write to the Free Software 15 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 16 | MA 02110-1301, US 17 | 18 | Copyright (C) 2008-2008 bla 19 | */ 20 | #include "crapto1.h" 21 | #include 22 | 23 | struct Crypto1State * crypto1_create(uint64_t key) 24 | { 25 | struct Crypto1State *s = malloc(sizeof(*s)); 26 | if ( !s ) return NULL; 27 | 28 | s->odd = s->even = 0; 29 | 30 | int i; 31 | //for(i = 47;s && i > 0; i -= 2) { 32 | for(i = 47; i > 0; i -= 2) { 33 | s->odd = s->odd << 1 | BIT(key, (i - 1) ^ 7); 34 | s->even = s->even << 1 | BIT(key, i ^ 7); 35 | } 36 | return s; 37 | } 38 | void crypto1_destroy(struct Crypto1State *state) 39 | { 40 | free(state); 41 | } 42 | void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr) 43 | { 44 | int i; 45 | for(*lfsr = 0, i = 23; i >= 0; --i) { 46 | *lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3); 47 | *lfsr = *lfsr << 1 | BIT(state->even, i ^ 3); 48 | } 49 | } 50 | uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted) 51 | { 52 | uint32_t feedin; 53 | uint32_t tmp; 54 | uint8_t ret = filter(s->odd); 55 | 56 | feedin = ret & !!is_encrypted; 57 | feedin ^= !!in; 58 | feedin ^= LF_POLY_ODD & s->odd; 59 | feedin ^= LF_POLY_EVEN & s->even; 60 | s->even = s->even << 1 | parity(feedin); 61 | 62 | tmp = s->odd; 63 | s->odd = s->even; 64 | s->even = tmp; 65 | 66 | return ret; 67 | } 68 | uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted) 69 | { 70 | /* 71 | uint8_t i, ret = 0; 72 | 73 | for (i = 0; i < 8; ++i) 74 | ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i; 75 | */ 76 | // unfold loop 20161012 77 | uint8_t ret = 0; 78 | ret |= crypto1_bit(s, BIT(in, 0), is_encrypted) << 0; 79 | ret |= crypto1_bit(s, BIT(in, 1), is_encrypted) << 1; 80 | ret |= crypto1_bit(s, BIT(in, 2), is_encrypted) << 2; 81 | ret |= crypto1_bit(s, BIT(in, 3), is_encrypted) << 3; 82 | ret |= crypto1_bit(s, BIT(in, 4), is_encrypted) << 4; 83 | ret |= crypto1_bit(s, BIT(in, 5), is_encrypted) << 5; 84 | ret |= crypto1_bit(s, BIT(in, 6), is_encrypted) << 6; 85 | ret |= crypto1_bit(s, BIT(in, 7), is_encrypted) << 7; 86 | return ret; 87 | } 88 | uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted) 89 | { 90 | /* 91 | uint32_t i, ret = 0; 92 | 93 | for (i = 0; i < 32; ++i) 94 | ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24); 95 | */ 96 | //unfold loop 2016012 97 | uint32_t ret = 0; 98 | ret |= crypto1_bit(s, BEBIT(in, 0), is_encrypted) << (0 ^ 24); 99 | ret |= crypto1_bit(s, BEBIT(in, 1), is_encrypted) << (1 ^ 24); 100 | ret |= crypto1_bit(s, BEBIT(in, 2), is_encrypted) << (2 ^ 24); 101 | ret |= crypto1_bit(s, BEBIT(in, 3), is_encrypted) << (3 ^ 24); 102 | ret |= crypto1_bit(s, BEBIT(in, 4), is_encrypted) << (4 ^ 24); 103 | ret |= crypto1_bit(s, BEBIT(in, 5), is_encrypted) << (5 ^ 24); 104 | ret |= crypto1_bit(s, BEBIT(in, 6), is_encrypted) << (6 ^ 24); 105 | ret |= crypto1_bit(s, BEBIT(in, 7), is_encrypted) << (7 ^ 24); 106 | 107 | ret |= crypto1_bit(s, BEBIT(in, 8), is_encrypted) << (8 ^ 24); 108 | ret |= crypto1_bit(s, BEBIT(in, 9), is_encrypted) << (9 ^ 24); 109 | ret |= crypto1_bit(s, BEBIT(in, 10), is_encrypted) << (10 ^ 24); 110 | ret |= crypto1_bit(s, BEBIT(in, 11), is_encrypted) << (11 ^ 24); 111 | ret |= crypto1_bit(s, BEBIT(in, 12), is_encrypted) << (12 ^ 24); 112 | ret |= crypto1_bit(s, BEBIT(in, 13), is_encrypted) << (13 ^ 24); 113 | ret |= crypto1_bit(s, BEBIT(in, 14), is_encrypted) << (14 ^ 24); 114 | ret |= crypto1_bit(s, BEBIT(in, 15), is_encrypted) << (15 ^ 24); 115 | 116 | ret |= crypto1_bit(s, BEBIT(in, 16), is_encrypted) << (16 ^ 24); 117 | ret |= crypto1_bit(s, BEBIT(in, 17), is_encrypted) << (17 ^ 24); 118 | ret |= crypto1_bit(s, BEBIT(in, 18), is_encrypted) << (18 ^ 24); 119 | ret |= crypto1_bit(s, BEBIT(in, 19), is_encrypted) << (19 ^ 24); 120 | ret |= crypto1_bit(s, BEBIT(in, 20), is_encrypted) << (20 ^ 24); 121 | ret |= crypto1_bit(s, BEBIT(in, 21), is_encrypted) << (21 ^ 24); 122 | ret |= crypto1_bit(s, BEBIT(in, 22), is_encrypted) << (22 ^ 24); 123 | ret |= crypto1_bit(s, BEBIT(in, 23), is_encrypted) << (23 ^ 24); 124 | 125 | ret |= crypto1_bit(s, BEBIT(in, 24), is_encrypted) << (24 ^ 24); 126 | ret |= crypto1_bit(s, BEBIT(in, 25), is_encrypted) << (25 ^ 24); 127 | ret |= crypto1_bit(s, BEBIT(in, 26), is_encrypted) << (26 ^ 24); 128 | ret |= crypto1_bit(s, BEBIT(in, 27), is_encrypted) << (27 ^ 24); 129 | ret |= crypto1_bit(s, BEBIT(in, 28), is_encrypted) << (28 ^ 24); 130 | ret |= crypto1_bit(s, BEBIT(in, 29), is_encrypted) << (29 ^ 24); 131 | ret |= crypto1_bit(s, BEBIT(in, 30), is_encrypted) << (30 ^ 24); 132 | ret |= crypto1_bit(s, BEBIT(in, 31), is_encrypted) << (31 ^ 24); 133 | return ret; 134 | } 135 | 136 | /* prng_successor 137 | * helper used to obscure the keystream during authentication 138 | */ 139 | uint32_t prng_successor(uint32_t x, uint32_t n) 140 | { 141 | SWAPENDIAN(x); 142 | while(n--) 143 | x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31; 144 | 145 | return SWAPENDIAN(x); 146 | } 147 | -------------------------------------------------------------------------------- /iso14443crc.c: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | // at your option, any later version. See the LICENSE.txt file for the text of 4 | // the license. 5 | //----------------------------------------------------------------------------- 6 | // ISO14443 CRC calculation code. 7 | //----------------------------------------------------------------------------- 8 | 9 | #include "iso14443crc.h" 10 | 11 | static unsigned short UpdateCrc14443(unsigned char ch, unsigned short *lpwCrc) 12 | { 13 | ch = (ch ^ (unsigned char) ((*lpwCrc) & 0x00FF)); 14 | ch = (ch ^ (ch << 4)); 15 | *lpwCrc = (*lpwCrc >> 8) ^ ((unsigned short) ch << 8) ^ 16 | ((unsigned short) ch << 3) ^ ((unsigned short) ch >> 4); 17 | return (*lpwCrc); 18 | } 19 | 20 | void ComputeCrc14443(int CrcType, 21 | const unsigned char *Data, int Length, 22 | unsigned char *TransmitFirst, 23 | unsigned char *TransmitSecond) 24 | { 25 | unsigned char chBlock; 26 | unsigned short wCrc=CrcType; 27 | 28 | do { 29 | chBlock = *Data++; 30 | UpdateCrc14443(chBlock, &wCrc); 31 | } while (--Length); 32 | 33 | if (CrcType == CRC_14443_B) 34 | wCrc = ~wCrc; /* ISO/IEC 13239 (formerly ISO/IEC 3309) */ 35 | 36 | *TransmitFirst = (unsigned char) (wCrc & 0xFF); 37 | *TransmitSecond = (unsigned char) ((wCrc >> 8) & 0xFF); 38 | return; 39 | } 40 | 41 | int CheckCrc14443(int CrcType, const unsigned char *Data, int Length) { 42 | unsigned char b1; 43 | unsigned char b2; 44 | if (Length < 3) return 0; 45 | ComputeCrc14443(CrcType, Data, Length - 2, &b1, &b2); 46 | if ((b1 == Data[Length - 2]) && (b2 == Data[Length - 1])) return 1; 47 | return 0; 48 | } 49 | -------------------------------------------------------------------------------- /iso14443crc.h: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 3 | // at your option, any later version. See the LICENSE.txt file for the text of 4 | // the license. 5 | //----------------------------------------------------------------------------- 6 | // ISO14443 CRC calculation code. 7 | //----------------------------------------------------------------------------- 8 | 9 | #ifndef __ISO14443CRC_H 10 | #define __ISO14443CRC_H 11 | 12 | //----------------------------------------------------------------------------- 13 | // Routines to compute the CRCs (two different flavours, just for confusion) 14 | // required for ISO 14443, swiped directly from the spec. 15 | //----------------------------------------------------------------------------- 16 | #define CRC_14443_A 0x6363 /* ITU-V.41 */ 17 | #define CRC_14443_B 0xFFFF /* ISO/IEC 13239 (formerly ISO/IEC 3309) */ 18 | #define CRC_ICLASS 0xE012 /* ICLASS PREFIX */ 19 | 20 | void ComputeCrc14443(int CrcType, 21 | const unsigned char *Data, int Length, 22 | unsigned char *TransmitFirst, 23 | unsigned char *TransmitSecond); 24 | int CheckCrc14443(int CrcType, const unsigned char *Data, int Length); 25 | 26 | #endif 27 | -------------------------------------------------------------------------------- /mf_nonce_brute.c: -------------------------------------------------------------------------------- 1 | #define __STDC_FORMAT_MACROS 2 | #define _USE_32BIT_TIME_T 1 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "crapto1.h" 12 | #include "protocol.h" 13 | #include "iso14443crc.h" 14 | 15 | #define odd_parity(i) (( (i) ^ (i)>>1 ^ (i)>>2 ^ (i)>>3 ^ (i)>>4 ^ (i)>>5 ^ (i)>>6 ^ (i)>>7 ^ 1) & 0x01) 16 | 17 | // a global mutex to prevent interlaced printing from different threads 18 | pthread_mutex_t print_lock; 19 | 20 | //--------------------- define options here 21 | uint32_t uid = 0; // serial number 22 | uint32_t nt_enc = 0; // Encrypted tag nonce 23 | uint32_t nr_enc = 0; // encrypted reader challenge 24 | uint32_t ar_enc = 0; // encrypted reader response 25 | uint32_t at_enc = 0; // encrypted tag response 26 | uint32_t cmd_enc = 0; // next encrypted command to sector 27 | 28 | uint32_t nt_par_err = 0; 29 | uint32_t ar_par_err = 0; 30 | uint32_t at_par_err = 0; 31 | 32 | typedef struct thread_args{ 33 | uint16_t xored; 34 | int thread; 35 | int idx; 36 | bool ev1; 37 | } targs; 38 | 39 | //------------------------------------------------------------------ 40 | uint8_t cmds[] = { 41 | ISO14443A_CMD_READBLOCK, 42 | ISO14443A_CMD_WRITEBLOCK, 43 | MIFARE_AUTH_KEYA, 44 | MIFARE_AUTH_KEYB, 45 | MIFARE_CMD_INC, 46 | MIFARE_CMD_DEC, 47 | MIFARE_CMD_RESTORE, 48 | MIFARE_CMD_TRANSFER 49 | }; 50 | 51 | int global_counter = 0; 52 | int global_fin_flag = 0; 53 | int global_found = 0; 54 | int global_found_candidate = 0; 55 | size_t thread_count = 4; 56 | 57 | // Return 1 == nonce is invalid 58 | // return 0 == valid 59 | int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, int * parity) { 60 | return ((odd_parity((Nt >> 24) & 0xFF) == ((parity[0]) ^ odd_parity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \ 61 | (odd_parity((Nt >> 16) & 0xFF) == ((parity[1]) ^ odd_parity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \ 62 | (odd_parity((Nt >> 8) & 0xFF) == ((parity[2]) ^ odd_parity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0; 63 | } 64 | 65 | uint16_t parity_from_err(uint32_t data, uint16_t par_err) { 66 | 67 | uint16_t par = 0; 68 | par |= odd_parity((data >> 24) & 0xFF) ^ ((par_err >> 12) & 1); 69 | par <<= 4; 70 | 71 | par |= odd_parity((data >> 16) & 0xFF) ^ ((par_err >> 8) & 1); 72 | par <<= 4; 73 | 74 | par |= odd_parity((data >> 8) & 0xFF) ^ ((par_err >> 4) & 1); 75 | par <<= 4; 76 | 77 | par |= odd_parity(data & 0xFF) ^ (par_err & 1); 78 | return par; 79 | } 80 | 81 | uint16_t xored_bits(uint16_t nt_par, uint32_t nt_enc, uint16_t ar_par, uint32_t ar_enc, uint16_t at_par, uint32_t at_enc) { 82 | uint16_t xored = 0; 83 | 84 | uint8_t par; 85 | //1st (1st nt) 86 | par = (nt_par >> 12 ) & 1; 87 | xored |= par ^ ((nt_enc >> 16) & 1); 88 | xored <<= 1; 89 | 90 | //2nd (2nd nt) 91 | par = (nt_par >> 8) & 1; 92 | xored |= par ^ ((nt_enc >> 8) & 1); 93 | xored <<= 1; 94 | 95 | //3rd (3rd nt) 96 | par = (nt_par >> 4) & 1; 97 | xored |= par ^ (nt_enc & 1); 98 | xored <<= 1; 99 | 100 | //4th (1st ar) 101 | par = (ar_par >> 12 ) & 1; 102 | xored |= par ^ ((ar_enc >> 16) & 1); 103 | xored <<= 1; 104 | 105 | //5th (2nd ar) 106 | par = (ar_par >> 8) & 1; 107 | xored |= par ^ ((ar_enc >> 8) & 1); 108 | xored <<= 1; 109 | 110 | //6th (3rd ar) 111 | par = (ar_par >> 4 ) & 1; 112 | xored |= par ^ (ar_enc & 1); 113 | xored <<= 1; 114 | 115 | //7th (4th ar) 116 | par = ar_par & 1; 117 | xored |= par ^ ((at_enc >> 24 ) & 1); 118 | xored <<= 1; 119 | 120 | //8th (1st at) 121 | par = (at_par >> 12) & 1; 122 | xored |= par ^ ((at_enc >> 16) & 1); 123 | xored <<= 1; 124 | 125 | //9th (2nd at) 126 | par = (at_par >> 8) & 1; 127 | xored |= par ^ ((at_enc >> 8) & 1); 128 | xored <<= 1; 129 | 130 | //10th (3rd at) 131 | par = (at_par >> 4 ) & 1; 132 | xored |= par ^ (at_enc & 1); 133 | 134 | return xored; 135 | } 136 | 137 | bool candidate_nonce(uint32_t xored, uint32_t nt, bool ev1) { 138 | uint8_t byte, check; 139 | 140 | if (!ev1) { 141 | //1st (1st nt) 142 | byte = (nt >> 24) & 0xFF; 143 | check = odd_parity(byte) ^ ((nt > 16) & 1) ^ ((xored >> 9) & 1); 144 | if(check) return false; 145 | 146 | //2nd (2nd nt) 147 | byte = (nt >> 16) & 0xFF; 148 | check = odd_parity(byte) ^ ((nt >> 8) & 1) ^ ((xored >> 8 ) & 1); 149 | if(check) return false; 150 | } 151 | 152 | //3rd (3rd nt) 153 | byte = (nt >> 8) & 0xFF; 154 | check = odd_parity(byte) ^ (nt & 1) ^ ((xored >> 7) & 1); 155 | if (check) return false; 156 | 157 | uint32_t ar = prng_successor(nt, 64); 158 | 159 | //4th (1st ar) 160 | byte = (ar >> 24) & 0xFF; 161 | check = odd_parity(byte) ^ ((ar >> 16) & 1) ^ ((xored >> 6) & 1); 162 | if (check) return false; 163 | 164 | //5th (2nd ar) 165 | byte = (ar >> 16) & 0x0FF; 166 | check = odd_parity(byte) ^ ((ar >> 8) & 1) ^ ((xored >> 5) & 1); 167 | if (check) return false; 168 | 169 | //6th (3rd ar) 170 | byte = (ar >> 8) & 0xFF; 171 | check = odd_parity(byte) ^ (ar & 1) ^ ((xored >> 4) & 1); 172 | if (check) return false; 173 | 174 | uint32_t at = prng_successor(nt, 96); 175 | 176 | //7th (4th ar) 177 | byte = ar & 0xFF; 178 | check = odd_parity(byte) ^ ((at >> 24) & 1) ^ ((xored >> 3) & 1); 179 | if (check) return false; 180 | 181 | //8th (1st at) 182 | byte = (at >> 24) & 0xFF; 183 | check = odd_parity(byte) ^ ((at >> 16) & 1) ^ ((xored >> 2) & 1); 184 | if (check) return false; 185 | 186 | //9th (2nd at) 187 | byte = (at >> 16) & 0xFF; 188 | check = odd_parity(byte) ^ ((at >> 8) & 1) ^ ((xored >> 1) & 1) ; 189 | if (check) return false; 190 | 191 | //10th (3rd at) 192 | byte = (at >> 8) & 0xFF; 193 | check = odd_parity(byte) ^ (at & 1) ^ (xored & 1); 194 | if (check) return false; 195 | 196 | return true; 197 | } 198 | 199 | bool checkValidCmd(uint32_t decrypted){ 200 | uint8_t cmd = (decrypted >> 24) & 0xFF; 201 | for (int i = 0; i < sizeof(cmds); ++i){ 202 | if ( cmd == cmds[i] ) 203 | return true; 204 | } 205 | return false; 206 | } 207 | bool checkCRC(uint32_t decrypted){ 208 | uint8_t data[] = { 209 | (decrypted >> 24) & 0xFF, 210 | (decrypted >> 16) & 0xFF, 211 | (decrypted >> 8) & 0xFF, 212 | decrypted & 0xFF 213 | }; 214 | return CheckCrc14443(CRC_14443_A, data, sizeof(data)); 215 | } 216 | 217 | void* brute_thread(void *arguments) { 218 | 219 | //int shift = (int)arg; 220 | struct thread_args *args = (struct thread_args*) arguments; 221 | 222 | struct Crypto1State *revstate; 223 | uint64_t key; // recovered key candidate 224 | uint32_t ks2; // keystream used to encrypt reader response 225 | uint32_t ks3; // keystream used to encrypt tag response 226 | uint32_t ks4; // keystream used to encrypt next command 227 | uint32_t nt; // current tag nonce 228 | 229 | uint32_t p64 = 0; 230 | uint32_t count; 231 | int found = 0; 232 | // TC == 4 ( 233 | // threads calls 0 ev1 == false 234 | // threads calls 0,1,2 ev1 == true 235 | for (count = args->idx; count < 0xFFFF; count += thread_count-1) { 236 | 237 | found = global_found; 238 | if ( found ) break; 239 | 240 | nt = count << 16 | prng_successor(count, 16); 241 | 242 | if ( !candidate_nonce( args->xored, nt, args->ev1) ) 243 | continue; 244 | 245 | p64 = prng_successor(nt, 64); 246 | ks2 = ar_enc ^ p64; 247 | ks3 = at_enc ^ prng_successor(p64, 32); 248 | revstate = lfsr_recovery64(ks2, ks3); 249 | ks4 = crypto1_word(revstate, 0, 0); 250 | 251 | if (ks4 != 0) { 252 | 253 | // lock this section to avoid interlacing prints from different threats 254 | pthread_mutex_lock(&print_lock); 255 | if ( args->ev1 ) 256 | printf("\n**** Possible key candidate ****\n"); 257 | 258 | #if 0 259 | printf("thread #%d idx %d %s\n", args->thread, args->idx, (args->ev1)?"(Ev1)":""); 260 | printf("current nt(%08x) ar_enc(%08x) at_enc(%08x)\n", nt, ar_enc, at_enc); 261 | printf("ks2:%08x\n", ks2); 262 | printf("ks3:%08x\n", ks3); 263 | printf("ks4:%08x\n", ks4); 264 | #endif 265 | if (cmd_enc) { 266 | uint32_t decrypted = ks4 ^ cmd_enc; 267 | printf("CMD enc(%08x)\n", cmd_enc); 268 | printf(" dec(%08x)\t", decrypted ); 269 | 270 | uint8_t isOK = 0; 271 | // check if cmd exists 272 | isOK = checkValidCmd(decrypted); 273 | 274 | // Add a crc-check. 275 | isOK = checkCRC(decrypted); 276 | 277 | if ( !isOK) { 278 | printf("<-- not a valid cmd\n"); 279 | pthread_mutex_unlock(&print_lock); 280 | continue; 281 | } else { 282 | printf("<-- Valid cmd\n"); 283 | } 284 | } 285 | 286 | lfsr_rollback_word(revstate, 0, 0); 287 | lfsr_rollback_word(revstate, 0, 0); 288 | lfsr_rollback_word(revstate, 0, 0); 289 | lfsr_rollback_word(revstate, nr_enc, 1); 290 | lfsr_rollback_word(revstate, uid ^ nt, 0); 291 | crypto1_get_lfsr(revstate, &key); 292 | free(revstate); 293 | 294 | if ( args->ev1 ) { 295 | printf("\nKey candidate: [%012" PRIx64 "]\n\n", key); 296 | __sync_fetch_and_add(&global_found_candidate, 1); 297 | } else { 298 | printf("\nValid Key found: [%012" PRIx64 "]\n\n", key); 299 | __sync_fetch_and_add(&global_found, 1); 300 | } 301 | //release lock 302 | pthread_mutex_unlock(&print_lock); 303 | } 304 | } 305 | return NULL; 306 | } 307 | 308 | int usage(){ 309 | printf(" syntax: mf_nonce_brute []\n\n"); 310 | printf(" example: nt in trace = 8c! 42 e6! 4e!\n"); 311 | printf(" nt = 8c42e64e\n"); 312 | printf(" nt_par_err = 1011\n\n"); 313 | printf("\n expected outcome:\n"); 314 | printf(" KEY 0xFFFFFFFFFFFF == fa247164 fb47c594 0000 71909d28 0c254817 1000 0dc7cfbd 1110\n"); 315 | return 1; 316 | } 317 | 318 | int main (int argc, char *argv[]) { 319 | printf("Mifare classic nested auth key recovery. Phase 1.\n"); 320 | 321 | if(argc < 9) return usage(); 322 | 323 | sscanf(argv[1],"%x",&uid); 324 | sscanf(argv[2],"%x",&nt_enc); 325 | sscanf(argv[3],"%x",&nt_par_err); 326 | sscanf(argv[4],"%x",&nr_enc); 327 | sscanf(argv[5],"%x",&ar_enc); 328 | sscanf(argv[6],"%x",&ar_par_err); 329 | sscanf(argv[7],"%x",&at_enc); 330 | sscanf(argv[8],"%x",&at_par_err); 331 | 332 | if(argc > 9) 333 | sscanf(argv[9],"%x",&cmd_enc); 334 | 335 | printf("-------------------------------------------------\n"); 336 | printf("uid:\t\t%08x\n",uid); 337 | printf("nt encrypted:\t%08x\n",nt_enc); 338 | printf("nt parity err:\t%04x\n",nt_par_err); 339 | printf("nr encrypted:\t%08x\n",nr_enc); 340 | printf("ar encrypted:\t%08x\n",ar_enc); 341 | printf("ar parity err:\t%04x\n",ar_par_err); 342 | printf("at encrypted:\t%08x\n",at_enc); 343 | printf("at parity err:\t%04x\n",at_par_err); 344 | 345 | if(argc > 9) 346 | printf("next cmd enc:\t%08x\n\n",cmd_enc); 347 | 348 | clock_t t1 = clock(); 349 | uint16_t nt_par = parity_from_err(nt_enc, nt_par_err); 350 | uint16_t ar_par = parity_from_err(ar_enc, ar_par_err); 351 | uint16_t at_par = parity_from_err(at_enc, at_par_err); 352 | 353 | //calc (parity XOR corresponding nonce bit encoded with the same keystream bit) 354 | uint16_t xored = xored_bits(nt_par, nt_enc, ar_par, ar_enc, at_par, at_enc); 355 | 356 | #ifndef __WIN32 357 | thread_count = sysconf(_SC_NPROCESSORS_CONF); 358 | if ( thread_count < 2) 359 | thread_count = 2; 360 | #endif /* _WIN32 */ 361 | 362 | printf("\nBruteforce using %d threads to find encrypted tagnonce last bytes\n", thread_count); 363 | 364 | pthread_t threads[thread_count]; 365 | 366 | // create a mutex to avoid interlacing print commands from our different threads 367 | pthread_mutex_init(&print_lock, NULL); 368 | 369 | // one thread T0 for none EV1. 370 | struct thread_args *a = malloc(sizeof(struct thread_args)); 371 | a->xored = xored; 372 | a->thread = 0; 373 | a->idx = 0; 374 | a->ev1 = false; 375 | pthread_create(&threads[0], NULL, brute_thread, (void*)a); 376 | 377 | // the rest of available threads to EV1 scenario 378 | for (int i = 0; i < thread_count-1; ++i) { 379 | struct thread_args *b = malloc(sizeof(struct thread_args)); 380 | b->xored = xored; 381 | b->thread = i+1; 382 | b->idx = i; 383 | b->ev1 = true; 384 | pthread_create(&threads[i+1], NULL, brute_thread, (void*)b); 385 | } 386 | 387 | // wait for threads to terminate: 388 | for (int i = 0; i < thread_count; ++i) 389 | pthread_join(threads[i], NULL); 390 | 391 | if (!global_found && !global_found_candidate) { 392 | printf("\nFailed to find a key\n\n"); 393 | } 394 | 395 | t1 = clock() - t1; 396 | if ( t1 > 0 ) 397 | printf("Execution time: %.0f ticks\n", (float)t1); 398 | 399 | // clean up mutex 400 | pthread_mutex_destroy(&print_lock); 401 | return 0; 402 | } 403 | -------------------------------------------------------------------------------- /protocol.h: -------------------------------------------------------------------------------- 1 | #ifndef PROTOCOL_H 2 | #define PROTOCOL_H 3 | 4 | #define ISO14443A_CMD_READBLOCK 0x30 5 | #define ISO14443A_CMD_WRITEBLOCK 0xA0 6 | 7 | #define MIFARE_AUTH_KEYA 0x60 8 | #define MIFARE_AUTH_KEYB 0x61 9 | #define MIFARE_CMD_INC 0xC0 10 | #define MIFARE_CMD_DEC 0xC1 11 | #define MIFARE_CMD_RESTORE 0xC2 12 | #define MIFARE_CMD_TRANSFER 0xB0 13 | 14 | // mifare 4bit card answers 15 | #define CARD_ACK 0x0A // 1010 - ACK 16 | #define CARD_NACK_NA 0x04 // 0100 - NACK, not allowed (command not allowed) 17 | #define CARD_NACK_TR 0x05 // 0101 - NACK, transmission error 18 | 19 | #endif 20 | // PROTOCOL_H -------------------------------------------------------------------------------- /sleep.c: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // Copyright (C) 2010 iZsh 3 | // 4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 5 | // at your option, any later version. See the LICENSE.txt file for the text of 6 | // the license. 7 | //----------------------------------------------------------------------------- 8 | // platform-independant sleep macros 9 | //----------------------------------------------------------------------------- 10 | 11 | #ifndef _WIN32 12 | 13 | #define _POSIX_C_SOURCE 199309L 14 | #include "sleep.h" 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | void nsleep(uint64_t n) { 21 | struct timespec timeout; 22 | timeout.tv_sec = n/1000000000; 23 | timeout.tv_nsec = n%1000000000; 24 | while (nanosleep(&timeout, &timeout) && errno == EINTR); 25 | } 26 | 27 | #endif // _WIN32 28 | 29 | -------------------------------------------------------------------------------- /sleep.h: -------------------------------------------------------------------------------- 1 | //----------------------------------------------------------------------------- 2 | // Copyright (C) 2010 iZsh 3 | // 4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, 5 | // at your option, any later version. See the LICENSE.txt file for the text of 6 | // the license. 7 | //----------------------------------------------------------------------------- 8 | // platform-independant sleep macros 9 | //----------------------------------------------------------------------------- 10 | 11 | #ifndef SLEEP_H__ 12 | #define SLEEP_H__ 13 | 14 | #ifdef _WIN32 15 | # include 16 | # define sleep(n) Sleep(1000 * n) 17 | # define msleep(n) Sleep(n) 18 | #else 19 | # include 20 | # include 21 | void nsleep(uint64_t n); 22 | # define msleep(n) nsleep(1000000 * n) 23 | # define usleep(n) nsleep(1000 * n) 24 | #endif // _WIN32 25 | 26 | #endif // SLEEP_H__ 27 | 28 | --------------------------------------------------------------------------------