github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 21:03:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

textual

Browse source
This commit is contained in:
iceman1001 2021-09-14 19:52:05 +02:00
commit 405931d565
1 changed files with 20 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

81
tools/hitag2crack/README.md
View file

@ -17,6 +17,13 @@ Automotive Remote Keyless Entry Systems by Flavio Garcia, David Oswald,
Timo Kasper and Pierre Pavlides. The first three attacks come from the first Timo Kasper and Pierre Pavlides. The first three attacks come from the first
paper and the fourth attack comes from the second paper. paper and the fourth attack comes from the second paper.
_note_
There are no Proxmark3 client implemented commands for these attacks. Only seperate executables to be compiled and run on your own system.
No guarantees of working binaries on all systems. Some work on linux only.
There is no easy way to extract the needed data from a live system and use with these tools.
You can use the `RFIdler` device but the Proxmark3 client needs some more love. Feel free to contribute.
Attack 1 Attack 1
-------- --------
@ -122,14 +129,12 @@ response pair. The attacker needs to obtain a valid tag and then use this to
obtain a valid encrypted nonce and challenge response pair. This can be obtain a valid encrypted nonce and challenge response pair. This can be
achieved by using the Proxmark3 `lf hitag sniff` command, placing the coil on the RWD and achieved by using the Proxmark3 `lf hitag sniff` command, placing the coil on the RWD and
presenting the valid tag. The encrypted nonce and challenge response pairs presenting the valid tag. The encrypted nonce and challenge response pairs
can then be read out. These values can then can then be read out.
be used to attack the tag with `lf hitag ht2crack <nR> <aR>`.
_note_ the Proxmark3 hitag sniff command isn't good enough yet to collect the needed data.
**TODO** example **TODO** example
```
pm3 --> lf hitag sniff
pm3 --> lf hitag ht2crack <nR> <aR>
```
Usage details: Attack 2 Usage details: Attack 2
----------------------- -----------------------
@ -139,21 +144,12 @@ The table can be generated on a disk with >1.5TB of storage, although it takes
some time (allow a couple of days, privilege SSD). This can be some time (allow a couple of days, privilege SSD). This can be
achieved by using the Proxmark3 `lf hitag sniff` command, placing the coil on the RWD and achieved by using the Proxmark3 `lf hitag sniff` command, placing the coil on the RWD and
presenting the valid tag. The encrypted nonce and challenge response pairs presenting the valid tag. The encrypted nonce and challenge response pairs
can then be read out. These values can then can then be read out.
be used to attack the tag with `lf hitag ht2keystream <nR> <aR>`.
_note_ the Proxmark3 hitag sniff command isn't good enough yet to collect the needed data.
**TODO** example **TODO** example
```
./ht2crack2buildtable
pm3 --> lf hitag sniff
pm3 --> lf hitag ht2keystream <nR> <aR>
```
It creates a file `Hitag2_<UID>_<nR>_<aR>_keystream.txt`.
```
./ht2crack2search Hitag2_<UID>_<nR>_<aR>_keystream.txt <UID> <nR>
```
Usage details: Attack 3 Usage details: Attack 3
----------------------- -----------------------
@ -164,18 +160,10 @@ to; e.g. you could potentially use any HiTag2 tag as long as the RWD starts
the crypto handshake with it. It requires >=136 encrypted nonce and challenge the crypto handshake with it. It requires >=136 encrypted nonce and challenge
response pairs for the same tag UID. response pairs for the same tag UID.
_note_ the Proxmark3 hitag sniff command isn't good enough yet to collect the needed data.
**TODO** will be ht2 sim or sniff with actual tag ? **TODO** will be ht2 sim or sniff with actual tag ?
```
pm3 --> lf hitag sniff
```
It creates a file `Hitag2_<UID>_<nR>_<aR>_collection.txt`.
Stop once you got enough pairs.
```
./ht2crack3 <UID> Hitag2_<UID>_<nR>_<aR>_collection.txt
```
Usage details: Attack 4 Usage details: Attack 4
----------------------- -----------------------
@ -183,19 +171,9 @@ Usage details: Attack 4
Attack 4 requires the same information as attack 3, but only 16-32 encrypted Attack 4 requires the same information as attack 3, but only 16-32 encrypted
nonce and challenge response pairs are required. nonce and challenge response pairs are required.
``` _note_ the Proxmark3 hitag sniff command isn't good enough yet to collect the needed data.
pm3 --> lf hitag sniff
```
It creates a file `Hitag2_<UID>_<nR>_<aR>_collection.txt`. **TODO** example
Stop once you got enough pairs.
```
./ht2crack4 -u <UID> -n Hitag2_<UID>_<nR>_<aR>_collection.txt [-N <number of nonces to use>] [-t <table size>]
```
Start with -N 16 and -t 500000. If the attack fails to find the key, double
the table size and try again, repeating if it still fails.
Usage details: Attack 5 Usage details: Attack 5
----------------------- -----------------------
@ -203,14 +181,8 @@ Usage details: Attack 5
Attack 5 requires two encrypted nonce and challenge Attack 5 requires two encrypted nonce and challenge
response value pairs (nR, aR) for the tag's UID. response value pairs (nR, aR) for the tag's UID.
``` **TODO** example
pm3 --> lf hitag sniff
```
Stop once you got two pairs.
```
$ ./ht2crack5 <UID> <nR1> <aR1> <nR2> <aR2>
```
Usage details: Attack 5gpu/5opencl Usage details: Attack 5gpu/5opencl
---------------------------------- ----------------------------------
@ -218,20 +190,7 @@ Usage details: Attack 5gpu/5opencl
Attacks 5gpu and 5opencl require two encrypted nonce and challenge Attacks 5gpu and 5opencl require two encrypted nonce and challenge
response value pairs (nR, aR) for the tag's UID. response value pairs (nR, aR) for the tag's UID.
``` **TODO** example
pm3 --> lf hitag sniff
```
Stop once you got two pairs.
```
$ ./ht2crack5gpu <UID> <nR1> <aR1> <nR2> <aR2>
```
or
```
$ ./ht2crack5opencl <UID> <nR1> <aR1> <nR2> <aR2>
```
5opencl supports a number of additional parameters, see [crack5opencl/README.md](/tools/hitag2crack/crack5opencl/README.md) for details. 5opencl supports a number of additional parameters, see [crack5opencl/README.md](/tools/hitag2crack/crack5opencl/README.md) for details.