github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 05:43:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

CHG: marshmellow42 's improved "hf mf sim x"

Browse source
This commit is contained in:
iceman1001 2016-08-04 21:57:18 +02:00
commit f0e183ece4
2 changed files with 45 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

74
client/nonce2key/nonce2key.c
View file

@ -10,9 +10,6 @@
// MIFARE Darkside hack // MIFARE Darkside hack
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
#include "nonce2key.h" #include "nonce2key.h"
#include "mifarehost.h"
#include "ui.h"
#include "proxmark3.h"
int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) { int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key) {
struct Crypto1State *state; struct Crypto1State *state;
@ -155,22 +152,22 @@ int nonce2key_ex(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t ks_info, uint6
return 1; return 1;
} }
int tryMfk32(uint8_t *data, uint64_t *outputkey ){ // 32 bit recover key from 2 nonces
bool tryMfk32(nonces_t data, uint64_t *outputkey) {
struct Crypto1State *s,*t; struct Crypto1State *s,*t;
uint64_t key; // recovered key uint64_t outkey = 0;
uint32_t uid = le32toh(data); uint64_t key=0; // recovered key
uint32_t nt = le32toh(data+4); // tag challenge uint32_t uid = data.cuid;
uint32_t nr0_enc = le32toh(data+8); // first encrypted reader challenge uint32_t nt = data.nonce; // first tag challenge (nonce)
uint32_t ar0_enc = le32toh(data+12); // first encrypted reader response uint32_t nr0_enc = data.nr; // first encrypted reader challenge
//+16 uid2 uint32_t ar0_enc = data.ar; // first encrypted reader response
//+20 nt2 uint32_t nr1_enc = data.nr2; // second encrypted reader challenge
uint32_t nr1_enc = le32toh(data+24); // second encrypted reader challenge uint32_t ar1_enc = data.ar2; // second encrypted reader response
uint32_t ar1_enc = le32toh(data+28); // second encrypted reader response
bool isSuccess = FALSE;
int counter = 0;
PrintAndLog("Enter mfkey32");
clock_t t1 = clock(); clock_t t1 = clock();
bool isSuccess = FALSE;
uint8_t counter = 0;
s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0); s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
for(t = s; t->odd | t->even; ++t) { for(t = s; t->odd | t->even; ++t) {
@ -181,35 +178,36 @@ int tryMfk32(uint8_t *data, uint64_t *outputkey ){
crypto1_word(t, uid ^ nt, 0); crypto1_word(t, uid ^ nt, 0);
crypto1_word(t, nr1_enc, 1); crypto1_word(t, nr1_enc, 1);
if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) { if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
PrintAndLog("Found Key: [%012"llx"]", key); //PrintAndLog("Found Key: [%012"llx"]", key);
isSuccess = TRUE; outkey = key;
++counter; ++counter;
if (counter==100) if (counter==20) break;
break;
} }
} }
isSuccess = (counter > 0);
t1 = clock() - t1; t1 = clock() - t1;
if ( t1 > 0 ) PrintAndLog("Time in mf32key: %.0f ticks \n", (float)t1); if ( t1 > 0 ) PrintAndLog("Time in mfkey32: %.0f ticks - possible keys %d\n", (float)t1, counter);
*outputkey = ( isSuccess ) ? key : 0; *outputkey = ( isSuccess ) ? outkey : 0;
crypto1_destroy(s); crypto1_destroy(s);
return isSuccess; return isSuccess;
} }
int tryMfk32_moebius(uint8_t *data, uint64_t *outputkey ){ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey) {
struct Crypto1State *s, *t; struct Crypto1State *s, *t;
uint64_t outkey = 0;
uint64_t key = 0; // recovered key uint64_t key = 0; // recovered key
uint32_t uid = le32toh(data); uint32_t uid = data.cuid;
uint32_t nt0 = le32toh(data+4); // first tag challenge (nonce) uint32_t nt0 = data.nonce; // first tag challenge (nonce)
uint32_t nr0_enc = le32toh(data+8); // first encrypted reader challenge uint32_t nr0_enc = data.nr; // first encrypted reader challenge
uint32_t ar0_enc = le32toh(data+12); // first encrypted reader response uint32_t ar0_enc = data.ar; // first encrypted reader response
//uint32_t uid1 = le32toh(data+16); //uint32_t uid1 = le32toh(data+16);
uint32_t nt1 = le32toh(data+20); // second tag challenge (nonce) uint32_t nt1 = data.nonce2; // second tag challenge (nonce)
uint32_t nr1_enc = le32toh(data+24); // second encrypted reader challenge uint32_t nr1_enc = data.nr2; // second encrypted reader challenge
uint32_t ar1_enc = le32toh(data+28); // second encrypted reader response uint32_t ar1_enc = data.ar2; // second encrypted reader response
bool isSuccess = FALSE; bool isSuccess = FALSE;
int counter = 0; int counter = 0;
PrintAndLog("Enter mfkey32_moebius"); //PrintAndLog("Enter mfkey32_moebius");
clock_t t1 = clock(); clock_t t1 = clock();
s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0); s = lfsr_recovery32(ar0_enc ^ prng_successor(nt0, 64), 0);
@ -223,16 +221,16 @@ int tryMfk32_moebius(uint8_t *data, uint64_t *outputkey ){
crypto1_word(t, uid ^ nt1, 0); crypto1_word(t, uid ^ nt1, 0);
crypto1_word(t, nr1_enc, 1); crypto1_word(t, nr1_enc, 1);
if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) { if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt1, 64))) {
PrintAndLog("Found Key: [%012"llx"]",key); //PrintAndLog("Found Key: [%012"llx"]",key);
isSuccess = TRUE; outkey=key;
++counter; ++counter;
if (counter==20) if (counter==20) break;
break;
} }
} }
isSuccess = (counter > 0);
t1 = clock() - t1; t1 = clock() - t1;
if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks \n", (float)t1); if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks - possible keys %d\n", (float)t1, counter);
*outputkey = ( isSuccess ) ? key : 0; *outputkey = ( isSuccess ) ? outkey : 0;
crypto1_destroy(s); crypto1_destroy(s);
return isSuccess; return isSuccess;
} }

14
client/nonce2key/nonce2key.h
View file

@ -3,6 +3,7 @@
// Roel - Dec 2009 // Roel - Dec 2009
// Unknown author // Unknown author
// iceman - may 2015 // iceman - may 2015
// marshmellow42 - june 2016
// This code is licensed to you under the terms of the GNU GPL, version 2 or, // This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of // at your option, any later version. See the LICENSE.txt file for the text of
// the license. // the license.
@ -17,14 +18,17 @@
#include <stdlib.h> #include <stdlib.h>
#include "crapto1.h" #include "crapto1.h"
#include "common.h" #include "common.h"
#include "mifare.h" // nonces_t struct
#include "ui.h"
#include "proxmark3.h"
#include "mifarehost.h"
int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key); extern int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key);
extern int nonce2key_ex(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t ks_info, uint64_t * key);
int nonce2key_ex(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t ks_info, uint64_t * key);
//iceman, added these to be able to crack key direct from "hf 14 sim" && "hf mf sim" //iceman, added these to be able to crack key direct from "hf 14 sim" && "hf mf sim"
int tryMfk32(uint8_t *data, uint64_t *outputkey ); bool tryMfk32(nonces_t data, uint64_t *outputkey );
int tryMfk32_moebius(uint8_t *data, uint64_t *outputkey ); // <<-- this one has best success bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey ); // <<-- this one has best success
int tryMfk64_ex(uint8_t *data, uint64_t *outputkey ); int tryMfk64_ex(uint8_t *data, uint64_t *outputkey );
int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey); int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey);
#endif #endif