jarjar/mfoc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update crapto1 and fix compiling warnings

Browse Source 
Crapto1 library from proxmark3 repo
This commit is contained in:
Valentín Kivachuk 2018-11-22 21:18:54 +01:00
parent ba072f16f6
commit 0723f53aaf
8 changed files with 751 additions and 624 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
configure.ac
View File

@ -35,7 +35,7 @@ AC_FUNC_REALLOC
AC_CHECK_FUNCS([memset])
# C99
CFLAGS="$CFLAGS -std=c99"
CFLAGS="$CFLAGS -std=c99 -O3 -Wall"
AC_CONFIG_FILES([Makefile
src/Makefile])

4
src/Makefile.am
View File

@ -2,9 +2,9 @@ AM_CFLAGS = @libnfc_CFLAGS@
bin_PROGRAMS = mfoc
noinst_HEADERS = crapto1.h mfoc.h mifare.h nfc-utils.h
noinst_HEADERS = crapto1.h mfoc.h mifare.h nfc-utils.h parity.h
mfoc_SOURCES = crapto1.c crypto1.c mfoc.c mifare.c nfc-utils.c
mfoc_SOURCES = crapto1.c crypto1.c mfoc.c mifare.c nfc-utils.c parity.c
mfoc_LDADD = @libnfc_LIBS@
dist_man_MANS = mfoc.1

332
src/crapto1.c
View File

@ -15,15 +15,17 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor,
Boston, MA 02110-1301, US$
Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
Copyright (C) 2008-2014 bla <blapost@gmail.com>
*/
#include "crapto1.h"
#include <stdlib.h>
#include "parity.h"
#if !defined LOWMEM && defined __GNUC__
static uint8_t filterlut[1 << 20];
static void __attribute__((constructor)) fill_lut(void)
{
static void __attribute__((constructor)) fill_lut() {
uint32_t i;
for (i = 0; i < 1 << 20; ++i)
filterlut[i] = filter(i);
@ -31,55 +33,91 @@ static void __attribute__((constructor)) fill_lut(void)
#define filter(x) (filterlut[(x) & 0xfffff])
#endif
static void quicksort(uint32_t *const start, uint32_t *const stop)
{
uint32_t *it = start + 1, *rit = stop;
typedef struct bucket {
uint32_t *head;
uint32_t *bp;
} bucket_t;
if (it > rit)
return;
typedef bucket_t bucket_array_t[2][0x100];
while (it < rit)
if (*it <= *start)
++it;
else if (*rit > *start)
--rit;
else
*it ^= (*it ^= *rit, *rit ^= *it);
typedef struct bucket_info {
if (*rit >= *start)
--rit;
if (rit != start)
*rit ^= (*rit ^= *start, *start ^= *rit);
struct {
uint32_t *head, *tail;
} bucket_info[2][0x100];
uint32_t numbuckets;
} bucket_info_t;
quicksort(start, rit - 1);
quicksort(rit + 1, stop);
static void bucket_sort_intersect(uint32_t * const estart, uint32_t * const estop,
uint32_t * const ostart, uint32_t * const ostop,
bucket_info_t *bucket_info, bucket_array_t bucket) {
uint32_t *p1, *p2;
uint32_t * start[2];
uint32_t * stop[2];
start[0] = estart;
stop[0] = estop;
start[1] = ostart;
stop[1] = ostop;
// init buckets to be empty
for (uint32_t i = 0; i < 2; i++) {
for (uint32_t j = 0x00; j <= 0xff; j++) {
bucket[i][j].bp = bucket[i][j].head;
}
}
// sort the lists into the buckets based on the MSB (contribution bits)
for (uint32_t i = 0; i < 2; i++) {
for (p1 = start[i]; p1 <= stop[i]; p1++) {
uint32_t bucket_index = (*p1 & 0xff000000) >> 24;
*(bucket[i][bucket_index].bp++) = *p1;
}
}
// write back intersecting buckets as sorted list.
// fill in bucket_info with head and tail of the bucket contents in the list and number of non-empty buckets.
uint32_t nonempty_bucket;
for (uint32_t i = 0; i < 2; i++) {
p1 = start[i];
nonempty_bucket = 0;
for (uint32_t j = 0x00; j <= 0xff; j++) {
if (bucket[0][j].bp != bucket[0][j].head && bucket[1][j].bp != bucket[1][j].head) { // non-empty intersecting buckets only
bucket_info->bucket_info[i][nonempty_bucket].head = p1;
for (p2 = bucket[i][j].head; p2 < bucket[i][j].bp; *p1++ = *p2++);
bucket_info->bucket_info[i][nonempty_bucket].tail = p1 - 1;
nonempty_bucket++;
}
}
bucket_info->numbuckets = nonempty_bucket;
}
}
/** binsearch
* Binary search for the first occurence of *stop's MSB in sorted [start,stop]
*/
static inline uint32_t *
binsearch(uint32_t *start, uint32_t *stop)
/* static inline uint32_t* binsearch(uint32_t *start, uint32_t *stop)
{
uint32_t mid, val = *stop & 0xff000000;
while (start != stop)
if (start[mid = (stop - start) >> 1] > val)
while(start != stop)
if(start[mid = (stop - start) >> 1] > val)
stop = &start[mid];
else
start += mid + 1;
return start;
}
*/
/** update_contribution
* helper, calculates the partial linear feedback contributions and puts in MSB
*/
static inline void
update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2)
{
update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2) {
uint32_t p = *item >> 25;
p = p << 1 | parity(*item & mask1);
p = p << 1 | parity(*item & mask2);
p = p << 1 | evenparity32(*item & mask1);
p = p << 1 | evenparity32(*item & mask2);
*item = p << 24 | (*item & 0xffffff);
}
@ -87,8 +125,7 @@ update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2)
* using a bit of the keystream extend the table of possible lfsr states
*/
static inline void
extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)
{
extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in) {
in <<= 24;
for (*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if (filter(*tbl) ^ filter(*tbl | 1)) {
@ -105,36 +142,38 @@ extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in
} else
*tbl-- = *(*end)--;
}
/** extend_table_simple
* using a bit of the keystream extend the table of possible lfsr states
*/
static inline void
extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)
{
static inline void extend_table_simple(uint32_t *tbl, uint32_t **end, int bit) {
for (*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if (filter(*tbl) ^ filter(*tbl | 1)) {
if (filter(*tbl) ^ filter(*tbl | 1))
*tbl |= filter(*tbl) ^ bit;
} else if (filter(*tbl) == bit) {
else if (filter(*tbl) == bit) {
*++*end = *++tbl;
*tbl = tbl[-1] | 1;
} else
*tbl-- = *(*end)--;
}
/** recover
* recursively narrow down the search space, 4 bits of keystream at a time
*/
static struct Crypto1State *
static struct Crypto1State*
recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,
struct Crypto1State *sl, uint32_t in) {
struct Crypto1State *sl, uint32_t in, bucket_array_t bucket) {
uint32_t *o, *e, i;
bucket_info_t bucket_info;
if (rem == -1) {
for (e = e_head; e <= e_tail; ++e) {
*e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4);
*e = *e << 1 ^ evenparity32(*e & LF_POLY_EVEN) ^ !!(in & 4);
for (o = o_head; o <= o_tail; ++o, ++sl) {
sl->even = *o;
sl->odd = *e ^ parity(*o & LF_POLY_ODD);
sl->odd = *e ^ evenparity32(*o & LF_POLY_ODD);
sl[1].odd = sl[1].even = 0;
}
}
@ -142,39 +181,36 @@ recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
}
for (i = 0; i < 4 && rem--; i++) {
extend_table(o_head, &o_tail, (oks >>= 1) & 1,
LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0);
oks >>= 1;
eks >>= 1;
in >>= 2;
extend_table(o_head, &o_tail, oks & 1, LF_POLY_EVEN << 1 | 1,
LF_POLY_ODD << 1, 0);
if (o_head > o_tail)
return sl;
extend_table(e_head, &e_tail, (eks >>= 1) & 1,
LF_POLY_ODD, LF_POLY_EVEN << 1 | 1, (in >>= 2) & 3);
extend_table(e_head, &e_tail, eks & 1, LF_POLY_ODD,
LF_POLY_EVEN << 1 | 1, in & 3);
if (e_head > e_tail)
return sl;
}
bucket_sort_intersect(e_head, e_tail, o_head, o_tail, &bucket_info, bucket);
quicksort(o_head, o_tail);
quicksort(e_head, e_tail);
while (o_tail >= o_head && e_tail >= e_head)
if (((*o_tail ^ *e_tail) >> 24) == 0) {
o_tail = binsearch(o_head, o = o_tail);
e_tail = binsearch(e_head, e = e_tail);
sl = recover(o_tail--, o, oks,
e_tail--, e, eks, rem, sl, in);
} else if (*o_tail > *e_tail)
o_tail = binsearch(o_head, o_tail) - 1;
else
e_tail = binsearch(e_head, e_tail) - 1;
for (int i = bucket_info.numbuckets - 1; i >= 0; i--) {
sl = recover(bucket_info.bucket_info[1][i].head, bucket_info.bucket_info[1][i].tail, oks,
bucket_info.bucket_info[0][i].head, bucket_info.bucket_info[0][i].tail, eks,
rem, sl, in, bucket);
}
return sl;
}
/** lfsr_recovery
* recover the state of the lfsr given 32 bits of the keystream
* additionally you can use the in parameter to specify the value
* that was fed into the lfsr at the time the keystream was generated
*/
struct Crypto1State *lfsr_recovery32(uint32_t ks2, uint32_t in) {
struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in) {
struct Crypto1State *statelist;
uint32_t *odd_head = 0, *odd_tail = 0, oks = 0;
uint32_t *even_head = 0, *even_tail = 0, eks = 0;
@ -185,14 +221,27 @@ struct Crypto1State *lfsr_recovery32(uint32_t ks2, uint32_t in) {
for (i = 30; i >= 0; i -= 2)
eks = eks << 1 | BEBIT(ks2, i);
odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);
even_head = even_tail = malloc(sizeof(uint32_t) << 21);
statelist = malloc(sizeof(struct Crypto1State) << 18);
if (!odd_tail-- || !even_tail-- || !statelist)
odd_head = odd_tail = malloc(sizeof (uint32_t) << 21);
even_head = even_tail = malloc(sizeof (uint32_t) << 21);
statelist = malloc(sizeof (struct Crypto1State) << 18);
if (!odd_tail-- || !even_tail-- || !statelist) {
free(statelist);
statelist = 0;
goto out;
}
statelist->odd = statelist->even = 0;
// allocate memory for out of place bucket_sort
bucket_array_t bucket;
for (uint32_t i = 0; i < 2; i++)
for (uint32_t j = 0; j <= 0xff; j++) {
bucket[i][j].head = malloc(sizeof (uint32_t) << 14);
if (!bucket[i][j].head) {
goto out;
}
}
for (i = 1 << 20; i >= 0; --i) {
if (filter(i) == (oks & 1))
*++odd_tail = i;
@ -207,60 +256,62 @@ struct Crypto1State *lfsr_recovery32(uint32_t ks2, uint32_t in) {
in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);
recover(odd_head, odd_tail, oks,
even_head, even_tail, eks, 11, statelist, in << 1);
even_head, even_tail, eks, 11, statelist, in << 1, bucket);
out:
free(odd_head);
free(even_head);
for (uint32_t i = 0; i < 2; i++)
for (uint32_t j = 0; j <= 0xff; j++)
free(bucket[i][j].head);
return statelist;
}
static const uint32_t S1[] = { 0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214,
static const uint32_t S1[] = {0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214,
0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83,
0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA
};
static const uint32_t S2[] = { 0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60,
0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA};
static const uint32_t S2[] = {0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60,
0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8,
0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20,
0x7EC7EE90, 0x7F63F748, 0x79117020
};
0x7EC7EE90, 0x7F63F748, 0x79117020};
static const uint32_t T1[] = {
0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66,
0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B,
0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615,
0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C
};
static const uint32_t T2[] = { 0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0,
static const uint32_t T2[] = {0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0,
0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268,
0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0,
0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0,
0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950,
0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0
};
static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD};
static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0};
0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0};
static const uint32_t C1[] = {0x846B5, 0x4235A, 0x211AD};
static const uint32_t C2[] = {0x1A822E0, 0x21A822E0, 0x21A822E0};
/** Reverse 64 bits of keystream into possible cipher states
* Variation mentioned in the paper. Somewhat optimized version
*/
struct Crypto1State *lfsr_recovery64(uint32_t ks2, uint32_t ks3) {
struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3) {
struct Crypto1State *statelist, *sl;
uint8_t oks[32], eks[32], hi[32];
uint32_t low = 0, win = 0;
uint32_t *tail, table[1 << 16];
int i, j;
sl = statelist = malloc(sizeof(struct Crypto1State) << 4);
sl = statelist = malloc(sizeof (struct Crypto1State) << 4);
if (!sl)
return 0;
sl->odd = sl->even = 0;
for (i = 30; i >= 0; i -= 2) {
oks[i >> 1] = BIT(ks2, i ^ 24);
oks[16 + (i >> 1)] = BIT(ks3, i ^ 24);
oks[i >> 1] = BEBIT(ks2, i);
oks[16 + (i >> 1)] = BEBIT(ks3, i);
}
for (i = 31; i >= 0; i -= 2) {
eks[i >> 1] = BIT(ks2, i ^ 24);
eks[16 + (i >> 1)] = BIT(ks3, i ^ 24);
eks[i >> 1] = BEBIT(ks2, i);
eks[16 + (i >> 1)] = BEBIT(ks3, i);
}
for (i = 0xfffff; i >= 0; --i) {
@ -275,30 +326,30 @@ struct Crypto1State *lfsr_recovery64(uint32_t ks2, uint32_t ks3) {
continue;
for (j = 0; j < 19; ++j)
low = low << 1 | parity(i & S1[j]);
low = low << 1 | evenparity32(i & S1[j]);
for (j = 0; j < 32; ++j)
hi[j] = parity(i & T1[j]);
hi[j] = evenparity32(i & T1[j]);
for (; tail >= table; --tail) {
for (j = 0; j < 3; ++j) {
*tail = *tail << 1;
*tail |= parity((i & C1[j]) ^(*tail & C2[j]));
*tail |= evenparity32((i & C1[j]) ^ (*tail & C2[j]));
if (filter(*tail) != oks[29 + j])
goto continue2;
}
for (j = 0; j < 19; ++j)
win = win << 1 | parity(*tail & S2[j]);
win = win << 1 | evenparity32(*tail & S2[j]);
win ^= low;
for (j = 0; j < 32; ++j) {
win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]);
win = win << 1 ^ hi[j] ^ evenparity32(*tail & T2[j]);
if (filter(win) != eks[j])
goto continue2;
}
*tail = *tail << 1 | parity(LF_POLY_EVEN & *tail);
sl->odd = *tail ^ parity(LF_POLY_ODD & win);
*tail = *tail << 1 | evenparity32(LF_POLY_EVEN & *tail);
sl->odd = *tail ^ evenparity32(LF_POLY_ODD & win);
sl->even = win;
++sl;
sl->odd = sl->even = 0;
@ -309,20 +360,16 @@ continue2:
return statelist;
}
uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb);
uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb);
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd);
/** lfsr_rollback_bit
* Rollback the shift register in order to get previous states
*/
uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)
{
uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb) {
int out;
uint8_t ret;
uint32_t t;
s->odd &= 0xffffff;
s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
t = s->odd, s->odd = s->even, s->even = t;
out = s->even & 1;
out ^= LF_POLY_EVEN & (s->even >>= 1);
@ -330,25 +377,24 @@ uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)
out ^= !!in;
out ^= (ret = filter(s->odd)) & !!fb;
s->even |= parity(out) << 23;
s->even |= evenparity32(out) << 23;
return ret;
}
/** lfsr_rollback_byte
* Rollback the shift register in order to get previous states
*/
uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb)
{
int i;
uint8_t ret = 0;
uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb) {
int i, ret = 0;
for (i = 7; i >= 0; --i)
ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i;
return ret;
}
/** lfsr_rollback_word
* Rollback the shift register in order to get previous states
*/
uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb)
{
uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) {
int i;
uint32_t ret = 0;
for (i = 31; i >= 0; --i)
@ -360,8 +406,8 @@ uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb)
* x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y
*/
static uint16_t *dist = 0;
int nonce_distance(uint32_t from, uint32_t to)
{
int nonce_distance(uint32_t from, uint32_t to) {
uint16_t x, i;
if (!dist) {
dist = malloc(2 << 16);
@ -374,6 +420,7 @@ int nonce_distance(uint32_t from, uint32_t to)
}
return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535;
}
bool validate_prng_nonce(uint32_t nonce)
{
// init prng table:
@ -381,43 +428,38 @@ bool validate_prng_nonce(uint32_t nonce)
return ((65535 - dist[nonce >> 16] + dist[nonce & 0xffff]) % 65535) == 16;
}
static uint32_t fastfwd[2][8] = {
{ 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB},
{ 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}
};
/** lfsr_prefix_ks
*
* Is an exported helper function from the common prefix attack
* Described in the "dark side" paper. It returns an -1 terminated array
* of possible partial(21 bit) secret state.
* The required keystream(ks) needs to contain the keystream that was used to
* encrypt the NACK which is observed when varying only the 4 last bits of Nr
* encrypt the NACK which is observed when varying only the 3 last bits of Nr
* only correct iff [NR_3] ^ NR_3 does not depend on Nr_3
*/
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)
{
uint32_t c, entry, *candidates = malloc(4 << 21);
int i, size = (1 << 21) - 1;
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd) {
uint32_t c, entry, *candidates = malloc(4 << 10);
int i, size = 0, good;
if (!candidates)
return 0;
for (i = 0; i <= size; ++i)
candidates[i] = i;
for (c = 0; c < 8; ++c)
for (i = 0; i <= size; ++i) {
entry = candidates[i] ^ fastfwd[isodd][c];
if (filter(entry >> 1) != BIT(ks[c], isodd) ||
filter(entry) != BIT(ks[c], isodd + 2))
candidates[i--] = candidates[size--];
for (i = 0; i < 1 << 21; ++i) {
for (c = 0, good = 1; good && c < 8; ++c) {
entry = i ^ fastfwd[isodd][c];
good &= (BIT(ks[c], isodd) == filter(entry >> 1));
good &= (BIT(ks[c], isodd + 2) == filter(entry));
}
if (good)
candidates[size++] = i;
}
candidates[size + 1] = -1;
candidates[size] = -1;
return candidates;
}
@ -425,9 +467,9 @@ uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)
/** check_pfx_parity
* helper function which eliminates possible secret states using parity bits
*/
static struct Crypto1State *
static struct Crypto1State*
check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8],
uint32_t odd, uint32_t even, struct Crypto1State *sl) {
uint32_t odd, uint32_t even, struct Crypto1State* sl, uint32_t no_par) {
uint32_t ks1, nr, ks2, rr, ks3, c, good = 1;
for (c = 0; good && c < 8; ++c) {
@ -441,45 +483,38 @@ check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8],
ks2 = lfsr_rollback_word(sl, 0, 0);
ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1);
nr = ks1 ^(prefix | c << 5);
if (no_par)
break;
nr = ks1 ^ (prefix | c << 5);
rr = ks2 ^ rresp;
good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24);
good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16);
good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8);
good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0);
good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3;
good &= evenparity32(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24);
good &= evenparity32(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16);
good &= evenparity32(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2, 8);
good &= evenparity32(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2, 0);
good &= evenparity32(rr & 0x000000ff) ^ parities[c][7] ^ ks3;
}
return sl + good;
}
struct Crypto1State *lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]);
/** lfsr_common_prefix
* Implentation of the common prefix attack.
* Requires the 29 bit constant prefix used as reader nonce (pfx)
* The reader response used (rr)
* The keystream used to encrypt the observed NACK's (ks)
* The parity bits (par)
* It returns a zero terminated list of possible cipher states after the
* tag nonce was fed in
*/
struct Crypto1State *
lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]) {
struct Crypto1State*
lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8], uint32_t no_par) {
struct Crypto1State *statelist, *s;
uint32_t *odd, *even, *o, *e, top;
odd = lfsr_prefix_ks(ks, 1);
even = lfsr_prefix_ks(ks, 0);
s = statelist = malloc((sizeof *statelist) << 20);
s = statelist = malloc((sizeof *statelist) << 22); // was << 20. Need more for no_par special attack. Enough???
if (!s || !odd || !even) {
free(odd);
free(even);
free(statelist);
return 0;
statelist = 0;
goto out;
}
for (o = odd; *o + 1; ++o)
@ -487,13 +522,12 @@ lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])
for (top = 0; top < 64; ++top) {
*o += 1 << 21;
*e += (!(top & 7) + 1) << 21;
s = check_pfx_parity(pfx, rr, par, *o, *e, s);
s = check_pfx_parity(pfx, rr, par, *o, *e, s, no_par);
}
s->odd = s->even = 0;
out:
free(odd);
free(even);
return statelist;
}

61
src/crapto1.h
View File

@ -15,8 +15,8 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, US$
Copyright (C) 2008-2009 bla <blapost@gmail.com>
*/
Copyright (C) 2008-2014 bla <blapost@gmail.com>
*/
#ifndef CRAPTO1_INCLUDED
#define CRAPTO1_INCLUDED
#include <stdint.h>
@ -25,20 +25,31 @@
extern "C" {
#endif
struct Crypto1State {uint32_t odd, even;};
struct Crypto1State *crypto1_create(uint64_t);
void crypto1_destroy(struct Crypto1State *);
void crypto1_get_lfsr(struct Crypto1State *, uint64_t *);
uint8_t crypto1_bit(struct Crypto1State *, uint8_t, int);
uint8_t crypto1_byte(struct Crypto1State *, uint8_t, int);
uint32_t crypto1_word(struct Crypto1State *, uint32_t, int);
struct Crypto1State {
uint32_t odd, even;
};
#if defined(__arm__) && !defined(__linux__) && !defined(_WIN32) && !defined(__APPLE__) // bare metal ARM Proxmark lacks malloc()/free()
void crypto1_create(struct Crypto1State *s, uint64_t key);
#else
struct Crypto1State *crypto1_create(uint64_t key);
#endif
void crypto1_destroy(struct Crypto1State*);
void crypto1_get_lfsr(struct Crypto1State*, uint64_t*);
uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int);
uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int);
uint32_t crypto1_word(struct Crypto1State*, uint32_t, int);
uint32_t prng_successor(uint32_t x, uint32_t n);
struct Crypto1State *lfsr_recovery32(uint32_t ks2, uint32_t in);
struct Crypto1State *lfsr_recovery64(uint32_t ks2, uint32_t ks3);
struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in);
struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3);
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd);
struct Crypto1State*
lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8], uint32_t no_par);
void lfsr_rollback(struct Crypto1State *s, uint32_t in, int fb);
uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb);
uint8_t lfsr_rollback_bit(struct Crypto1State* s, uint32_t in, int fb);
uint8_t lfsr_rollback_byte(struct Crypto1State* s, uint32_t in, int fb);
uint32_t lfsr_rollback_word(struct Crypto1State* s, uint32_t in, int fb);
int nonce_distance(uint32_t from, uint32_t to);
bool validate_prng_nonce(uint32_t nonce);
#define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\
@ -46,7 +57,7 @@ extern "C" {
int __i;\
for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\
for(__i = FSIZE - 1; __i >= 0; __i--)\
if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\
if(BIT(FILTER, __i) ^ evenparity32(__M & 0xFF01))\
break;\
else if(__i)\
__M = prng_successor(__M, (__i == 7) ? 48 : 8);\
@ -56,26 +67,8 @@ extern "C" {
#define LF_POLY_EVEN (0x870804)
#define BIT(x, n) ((x) >> (n) & 1)
#define BEBIT(x, n) BIT(x, (n) ^ 24)
static inline int parity(uint32_t x)
{
#if !defined __i386__ || !defined __GNUC__
x ^= x >> 16;
x ^= x >> 8;
x ^= x >> 4;
return BIT(0x6996, x & 0xf);
#else
__asm__("movl %1, %%eax\n"
"mov %%ax, %%cx\n"
"shrl $0x10, %%eax\n"
"xor %%ax, %%cx\n"
"xor %%ch, %%cl\n"
"setpo %%al\n"
"movzx %%al, %0\n": "=r"(x) : "r"(x): "eax", "ecx");
return x;
#endif
}
static inline int filter(uint32_t const x)
{
static inline int filter(uint32_t const x) {
uint32_t f;
f = 0xf22c0 >> (x & 0xf) & 16;

56
src/crypto1.c
View File

@ -16,15 +16,35 @@
MA 02110-1301, US
Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
*/
#include "crapto1.h"
#include <stdlib.h>
#include "parity.h"
#define SWAPENDIAN(x)\
(x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)
struct Crypto1State *crypto1_create(uint64_t key) {
struct Crypto1State *s = malloc(sizeof(*s));
#if defined(__arm__) && !defined(__linux__) && !defined(_WIN32) && !defined(__APPLE__) // bare metal ARM Proxmark lacks malloc()/free()
void crypto1_create(struct Crypto1State *s, uint64_t key) {
int i;
for (i = 47; s && i > 0; i -= 2) {
s->odd = s->odd << 1 | BIT(key, (i - 1) ^ 7);
s->even = s->even << 1 | BIT(key, i ^ 7);
}
return;
}
void crypto1_destroy(struct Crypto1State *state) {
state->odd = 0;
state->even = 0;
}
#else
struct Crypto1State * crypto1_create(uint64_t key) {
struct Crypto1State *s = malloc(sizeof (*s));
int i;
for (i = 47; s && i > 0; i -= 2) {
@ -33,35 +53,36 @@ struct Crypto1State *crypto1_create(uint64_t key) {
}
return s;
}
void crypto1_destroy(struct Crypto1State *state)
{
void crypto1_destroy(struct Crypto1State *state) {
free(state);
}
void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr)
{
#endif
void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr) {
int i;
for (*lfsr = 0, i = 23; i >= 0; --i) {
*lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3);
*lfsr = *lfsr << 1 | BIT(state->even, i ^ 3);
}
}
uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted)
{
uint32_t feedin;
uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted) {
uint32_t feedin, t;
uint8_t ret = filter(s->odd);
feedin = ret & !!is_encrypted;
feedin ^= !!in;
feedin ^= LF_POLY_ODD & s->odd;
feedin ^= LF_POLY_EVEN & s->even;
s->even = s->even << 1 | parity(feedin);
s->even = s->even << 1 | evenparity32(feedin);
s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
t = s->odd, s->odd = s->even, s->even = t;
return ret;
}
uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
{
uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted) {
uint8_t i, ret = 0;
for (i = 0; i < 8; ++i)
@ -69,8 +90,8 @@ uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
return ret;
}
uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
{
uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted) {
uint32_t i, ret = 0;
for (i = 0; i < 32; ++i)
@ -82,8 +103,7 @@ uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
/* prng_successor
* helper used to obscure the keystream during authentication
*/
uint32_t prng_successor(uint32_t x, uint32_t n)
{
uint32_t prng_successor(uint32_t x, uint32_t n) {
SWAPENDIAN(x);
while (n--)
x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;

6
src/mfoc.c
View File

@ -37,7 +37,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>
#include <unistd.h>
// NFC
@ -131,7 +131,6 @@ int main(int argc, char *const argv[])
//File pointers for the keyfile
FILE * fp;
char line[20];
size_t len = 0;
char * read;
//Regexp declarations
@ -546,7 +545,7 @@ int main(int argc, char *const argv[])
nfc_close(r.pdi);
nfc_exit(context);
if(pfKey) {
fprintf(pfKey, "%012llx;%d;%c;%d;%c", knownKey, knownSector, knownKeyLetter, unknownSector, unknownKeyLetter);
fprintf(pfKey, "%012" PRIu64 ";%d;%c;%d;%c", knownKey, knownSector, knownKeyLetter, unknownSector, unknownKeyLetter);
fclose(pfKey);
}
return 9;
@ -883,7 +882,6 @@ get_rats_is_2k(mftag t, mfreader r)
{
int res;
uint8_t abtRx[MAX_FRAME_LEN];
int szRxBits;
uint8_t abtRats[2] = { 0xe0, 0x50};
// Use raw send/receive methods
if (nfc_device_set_property_bool(r.pdi, NP_EASY_FRAMING, false) < 0) {

28
src/parity.c Normal file
View File

@ -0,0 +1,28 @@
//-----------------------------------------------------------------------------
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// parity functions (all defined in parity.h)
//-----------------------------------------------------------------------------
#include <stdint.h>
const uint8_t OddByteParity[256] = {
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
};

54
src/parity.h Normal file
View File

@ -0,0 +1,54 @@
//-----------------------------------------------------------------------------
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Parity functions
//-----------------------------------------------------------------------------
// all functions defined in header file by purpose. Allows compiler optimizations.
#ifndef __PARITY_H
#define __PARITY_H
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
extern const uint8_t OddByteParity[256];
static inline bool oddparity8(const uint8_t x) {
return OddByteParity[x];
}
static inline void oddparitybuf(const uint8_t *x, size_t len, uint8_t *parity) {
memset(parity, 0x00, (len - 1) / 8 + 1);
for (int i = 0; i < len; i++)
parity[i / 8] |= oddparity8(x[i]) << (7 - (i % 8));
}
static inline bool evenparity8(const uint8_t x) {
return !OddByteParity[x];
}
static inline bool evenparity32(uint32_t x) {
#if !defined __GNUC__
x ^= x >> 16;
x ^= x >> 8;
return evenparity8(x);
#else
return __builtin_parity(x);
#endif
}
static inline bool oddparity32(uint32_t x) {
#if !defined __GNUC__
x ^= x >> 16;
x ^= x >> 8;
return oddparity8(x);
#else
return !__builtin_parity(x);
#endif
}
#endif /* __PARITY_H */