ADD: new pwdgen algo, (thanks @jackfagner) who did a great job figuring it out. Read his blog.

ref.   https://github.com/jackfagner/NfcKey/blob/master/NfcKeyC.c
iceman1001 2017-11-25 08:48:36 +01:00
commit 0815f19389
3 changed files with 91 additions and 6 deletions


@ -65,6 +65,42 @@ uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = {
MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE,
MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS}; MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS};
//------------------------------------
// Pwd & Pack generation Stuff
//------------------------------------
const uint32_t c_D[] = {
0x6D835AFC, 0x7D15CD97, 0x0942B409, 0x32F9C923, 0xA811FB02, 0x64F121E8,
0xD1CC8B4E, 0xE8873E6F, 0x61399BBB, 0xF1B91926, 0xAC661520, 0xA21A31C9,
0xD424808D, 0xFE118E07, 0xD18E728D, 0xABAC9E17, 0x18066433, 0x00E18E79,
0x65A77305, 0x5AE9E297, 0x11FC628C, 0x7BB3431F, 0x942A8308, 0xB2F8FD20,
0x5728B869, 0x30726D5A
};
void transform_D(uint8_t* ru) {
//Transform
uint8_t i;
uint8_t p = 0;
uint32_t v1 = ((ru[3] << 24) | (ru[2] << 16) | (ru[1] << 8) | ru[0]) + c_D[p++];
uint32_t v2 = ((ru[7] << 24) | (ru[6] << 16) | (ru[5] << 8) | ru[4]) + c_D[p++];
for (i = 0; i < 12; i += 2)
{
uint32_t t1 = ROTL(v1 ^ v2, v2 & 0x1F) + c_D[p++];
uint32_t t2 = ROTL(v2 ^ t1, t1 & 0x1F) + c_D[p++];
v1 = ROTL(t1 ^ t2, t2 & 0x1F) + c_D[p++];
v2 = ROTL(t2 ^ v1, v1 & 0x1F) + c_D[p++];
}
//Re-use ru
ru[0] = v1 & 0xFF;
ru[1] = (v1 >> 8) & 0xFF;
ru[2] = (v1 >> 16) & 0xFF;
ru[3] = (v1 >> 24) & 0xFF;
ru[4] = v2 & 0xFF;
ru[5] = (v2 >> 8) & 0xFF;
ru[6] = (v2 >> 16) & 0xFF;
ru[7] = (v2 >> 24) & 0xFF;
}
// Certain pwd generation algo nickname A. // Certain pwd generation algo nickname A.
uint32_t ul_ev1_pwdgenA(uint8_t* uid) { uint32_t ul_ev1_pwdgenA(uint8_t* uid) {
@ -120,7 +156,26 @@ uint32_t ul_ev1_pwdgenC(uint8_t* uid){
} }
return BSWAP_32(pwd); return BSWAP_32(pwd);
} }
// Certain pwd generation algo nickname D.
// a.k.a xzy
uint32_t ul_ev1_pwdgenD(uint8_t* uid){
uint8_t i;
//Rotate
uint8_t r = (uid[1] + uid[3] + uid[5]) & 7; //Rotation offset
uint8_t ru[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; //Rotated UID
for (i = 0; i < 7; i++)
ru[(i + r) & 7] = uid[i];
transform_D(ru);
//Calc key
uint32_t pwd = 0; //Key as int
r = (ru[0] + ru[2] + ru[4] + ru[6]) & 3; //Offset
for (i = 0; i < 4; i++)
pwd = ru[i + r] + (pwd << 8);
return BSWAP_32(pwd);
}
// pack generation for algo 1-3 // pack generation for algo 1-3
uint16_t ul_ev1_packgenA(uint8_t* uid){ uint16_t ul_ev1_packgenA(uint8_t* uid){
uint16_t pack = (uid[0] ^ uid[1] ^ uid[2]) << 8 | (uid[2] ^ 8); uint16_t pack = (uid[0] ^ uid[1] ^ uid[2]) << 8 | (uid[2] ^ 8);
@ -132,6 +187,24 @@ uint16_t ul_ev1_packgenB(uint8_t* uid){
uint16_t ul_ev1_packgenC(uint8_t* uid){ uint16_t ul_ev1_packgenC(uint8_t* uid){
return 0xaa55; return 0xaa55;
} }
uint16_t ul_ev1_packgenD(uint8_t* uid){
uint8_t i;
//Rotate
uint8_t r = (uid[2] + uid[5]) & 7; //Rotation offset
uint8_t ru[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; //Rotated UID
for (i = 0; i < 7; i++)
ru[(i + r) & 7] = uid[i];
transform_D(ru);
//Calc pack
uint32_t p = 0;
for (i = 0; i < 8; i++)
p += ru[i] * 13;
p ^= 0x5555;
return BSWAP_16( p & 0xFFFF );
}
int ul_ev1_pwdgen_selftest(){ int ul_ev1_pwdgen_selftest(){
@ -146,9 +219,16 @@ int ul_ev1_pwdgen_selftest(){
uint8_t uid3[] = {0x04, 0x62, 0xB6, 0x8A, 0xB4, 0x42, 0x80}; uint8_t uid3[] = {0x04, 0x62, 0xB6, 0x8A, 0xB4, 0x42, 0x80};
uint32_t pwd3 = ul_ev1_pwdgenC(uid3); uint32_t pwd3 = ul_ev1_pwdgenC(uid3);
PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid3,7), pwd3, (pwd3 == 0x5a349515)?"OK":"->5a349515<--"); PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid3,7), pwd3, (pwd3 == 0x5a349515)?"OK":"->5a349515<--");
uint8_t uid4[] = {0x04, 0xC5, 0xDF, 0x4A, 0x6D, 0x51, 0x80};
uint32_t pwd4 = ul_ev1_pwdgenD(uid4);
PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid4,7), pwd4, (pwd4 == 0x72B1EC61)?"OK":"->72B1EC61<--");
return 0; return 0;
} }
//------------------------------------
static int CmdHelp(const char *Cmd); static int CmdHelp(const char *Cmd);
// get version nxp product type // get version nxp product type
@ -1384,14 +1464,16 @@ int usage_hf_mfu_gendiverse(void){
} }
int usage_hf_mfu_pwdgen(void){ int usage_hf_mfu_pwdgen(void){
PrintAndLog("Usage: hf mfu pwdgen [h] [r] <uid (14 hex symbols)>"); PrintAndLog("Usage: hf mfu pwdgen [h|t] [r] <uid (14 hex symbols)>");
PrintAndLog("options:"); PrintAndLog("options:");
PrintAndLog(" h : this help"); PrintAndLog(" h : this help");
PrintAndLog(" t : selftest");
PrintAndLog(" r : read uid from tag"); PrintAndLog(" r : read uid from tag");
PrintAndLog(" <uid> : 7 byte UID (optional)"); PrintAndLog(" <uid> : 7 byte UID (optional)");
PrintAndLog("samples:"); PrintAndLog("samples:");
PrintAndLog(" hf mfu pwdgen r"); PrintAndLog(" hf mfu pwdgen r");
PrintAndLog(" hf mfu pwdgen 11223344556677"); PrintAndLog(" hf mfu pwdgen 11223344556677");
PrintAndLog(" hf mfu pwdgen t");
PrintAndLog(""); PrintAndLog("");
return 0; return 0;
} }
@ -2352,6 +2434,7 @@ int CmdHF14AMfuPwdGen(const char *Cmd){
PrintAndLog(" EV1 | %08X | %04X", ul_ev1_pwdgenA(uid), ul_ev1_packgenA(uid)); PrintAndLog(" EV1 | %08X | %04X", ul_ev1_pwdgenA(uid), ul_ev1_packgenA(uid));
PrintAndLog(" Ami | %08X | %04X", ul_ev1_pwdgenB(uid), ul_ev1_packgenB(uid)); PrintAndLog(" Ami | %08X | %04X", ul_ev1_pwdgenB(uid), ul_ev1_packgenB(uid));
PrintAndLog(" LD | %08X | %04X", ul_ev1_pwdgenC(uid), ul_ev1_packgenC(uid)); PrintAndLog(" LD | %08X | %04X", ul_ev1_pwdgenC(uid), ul_ev1_packgenC(uid));
PrintAndLog(" XYZ | %08X | %04X", ul_ev1_pwdgenD(uid), ul_ev1_packgenD(uid));
PrintAndLog("------+----------+-----"); PrintAndLog("------+----------+-----");
PrintAndLog(" Vingcard algo"); PrintAndLog(" Vingcard algo");
PrintAndLog("--------------------"); PrintAndLog("--------------------");
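Review bot: In `transform_D`, `ru[3] << 24` and `ru[7] << 24` shift a `uint8_t` that has already been promoted to `int`, so any byte of 0x80 or above shifts into the sign bit, which is undefined behaviour; cast each byte first, e.g. `((uint32_t)ru[3] << 24) | ((uint32_t)ru[2] << 16) | ((uint32_t)ru[1] << 8) | ru[0]`. The rounds also rely on every `ROTL(...)` result being truncated back to 32 bits by the assignment to `t1`/`t2`/`v1`/`v2`, because the macro added in this commit widens to `uintmax_t`; a short comment such as `// ROTL yields uintmax_t; assignment to uint32_t truncates the rotate` would stop a later edit from using the value untruncated. `c_D` and `transform_D` appear to be used only in this file, as far as the page shows, and could be `static`. The self-test checks `ul_ev1_pwdgenD` against one vector but never exercises `ul_ev1_packgenD`, and `ul_ev1_pwdgen_selftest` returns 0 whether or not a vector matched.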


@ -11,8 +11,6 @@
#include "protocols.h" #include "protocols.h"
#include "data.h" #include "data.h"
#define ul_switch_off_field DropField
typedef struct { typedef struct {
uint8_t version[8]; uint8_t version[8];
uint8_t tbo[2]; uint8_t tbo[2];
@ -43,7 +41,6 @@ extern int CmdHF14AMfUSim(const char *Cmd);
extern uint32_t GetHF14AMfU_Type(void); extern uint32_t GetHF14AMfU_Type(void);
extern int ul_print_type(uint32_t tagtype, uint8_t spacer); extern int ul_print_type(uint32_t tagtype, uint8_t spacer);
extern void ul_switch_off_field(void);
void printMFUdump(mfu_dump_t* card); void printMFUdump(mfu_dump_t* card);
void printMFUdumpEx(mfu_dump_t* card, uint16_t pages, uint8_t startpage); void printMFUdumpEx(mfu_dump_t* card, uint16_t pages, uint8_t startpage);
@ -65,10 +62,12 @@ int CmdHFMFUltra(const char *Cmd);
uint32_t ul_ev1_pwdgenA(uint8_t* uid); uint32_t ul_ev1_pwdgenA(uint8_t* uid);
uint32_t ul_ev1_pwdgenA(uint8_t* uid); uint32_t ul_ev1_pwdgenA(uint8_t* uid);
uint32_t ul_ev1_pwdgenC(uint8_t* uid); uint32_t ul_ev1_pwdgenC(uint8_t* uid);
uint32_t ul_ev1_pwdgenD(uint8_t* uid);
uint16_t ul_ev1_packgenA(uint8_t* uid); uint16_t ul_ev1_packgenA(uint8_t* uid);
uint16_t ul_ev1_packgenA(uint8_t* uid); uint16_t ul_ev1_packgenB(uint8_t* uid);
uint16_t ul_ev1_packgenA(uint8_t* uid); uint16_t ul_ev1_packgenC(uint8_t* uid);
uint16_t ul_ev1_packgenD(uint8_t* uid);
uint32_t ul_ev1_otpgenA(uint8_t* uid); uint32_t ul_ev1_otpgenA(uint8_t* uid);
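Review bot: The prototype list still declares `ul_ev1_pwdgenA` twice and never declares `ul_ev1_pwdgenB`; the packgen prototypes get their names corrected here, but the same slip is left in the pwdgen context lines just above. `ul_ev1_pwdgenB` is called from the pwdgen table print, so any other file that includes this header has no prototype for it. Replace the second declaration with `uint32_t ul_ev1_pwdgenB(uint8_t* uid);`. The new `ul_ev1_pwdgenD` and `ul_ev1_packgenD` only read `uid[0]` to `uid[6]`, so their prototypes could take `const uint8_t *uid` and carry a comment that the caller must supply exactly 7 bytes.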


@ -26,6 +26,9 @@
#ifndef ROTR #ifndef ROTR
# define ROTR(x,n) (((uintmax_t)(x) >> (n)) | ((uintmax_t)(x) << ((sizeof(x) * 8) - (n)))) # define ROTR(x,n) (((uintmax_t)(x) >> (n)) | ((uintmax_t)(x) << ((sizeof(x) * 8) - (n))))
#endif #endif
#ifndef ROTL
# define ROTL(x,n) (((uintmax_t)(x) << (n)) | ((uintmax_t)(x) >> ((sizeof(x) * 8) - (n))))
#endif
#ifndef MIN #ifndef MIN
# define MIN(a, b) (((a) < (b)) ? (a) : (b)) # define MIN(a, b) (((a) < (b)) ? (a) : (b))