From fbacd60e41f320a36a1e461f50f69b89eb1e8bde Mon Sep 17 00:00:00 2001
From: Antiklesys
Date: Fri, 12 Jul 2024 14:46:23 +0800
Subject: [PATCH] Implemented VB6 rng for iclass chk elite key search

Implemented VB6 rng for iclass chk elite key search based on @bettse implementation on Flipper Zero Picopass app
---
 CHANGELOG.md | 2 +-
 client/src/cmdhficlass.c | 41 +++++++++++++++++++++++++++++++---------
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89143f958..12c8e95c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - Added `pm3_tears_for_fears.py` - a ISO14443b tear off script by Pierre Granier
 - Added new t55xx password (002BCFCF) sniffed from cheap cloner (@davidbeauchamp)
 - Fixed 'hf 14b sim' - now works (@michi-jung)
-- Added VB6 Rng for iclass elite keys lookup by porting @bettse work in the Flipper Zero Picopass App (@antiklesys)
+- Added VB6 Rng for iclass elite keys `hf iclass lookup` and `hf iclass chk` functions by porting @bettse work in the Flipper Zero Picopass App (@antiklesys)
 
 ## [Aurora.4.18589][2024-05-28]
 - Fixed the pm3 regressiontests for Hitag2Crack (@iceman1001)
diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c
index f3bf3fd51..eaa83aeaf 100644
--- a/client/src/cmdhficlass.c
+++ b/client/src/cmdhficlass.c
@@ -3581,26 +3581,33 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
 CLIParserInit(&ctx, "hf iclass chk",
 "Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag",
 "hf iclass chk -f iclass_default_keys.dic\n"
- "hf iclass chk -f iclass_elite_keys.dic --elite");
+ "hf iclass chk -f iclass_elite_keys.dic --elite\n"
+ "hf iclass chk --vb6kdf\n");
 
 void *argtable[] = {
 arg_param_begin,
- arg_str1("f", "file", "", "Dictionary file with default iclass keys"),
+ arg_str0("f", "file", "", "Dictionary file with default iclass keys"),
 arg_lit0(NULL, "credit", "key is assumed to be the credit key"),
 arg_lit0(NULL, "elite", "elite computations applied to key"),
 arg_lit0(NULL, "raw", "no computations applied to key (raw)"),
 arg_lit0(NULL, "shallow", "use shallow (ASK) reader modulation instead of OOK"),
+ arg_lit0(NULL, "vb6kdf", "use the VB6 elite KDF instead of a file"),
 arg_param_end
 };
 CLIExecWithReturn(ctx, Cmd, argtable, false);
 
 int fnlen = 0;
 char filename[FILE_PATH_SIZE] = {0};
- CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
-
- bool use_credit_key = arg_get_lit(ctx, 2);
+ bool use_vb6kdf = arg_get_lit(ctx, 6);
 bool use_elite = arg_get_lit(ctx, 3);
 bool use_raw = arg_get_lit(ctx, 4);
+ if(use_vb6kdf){
+ use_elite = true;
+ }else{
+ CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
+ }
+
+ bool use_credit_key = arg_get_lit(ctx, 2);
 bool shallow_mod = arg_get_lit(ctx, 5);
 CLIParserFree(ctx);
 
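Review bot: Relaxing `-f` from `arg_str1` to `arg_str0` leaves the non-`--vb6kdf` path with no check that a filename was actually supplied: when both options are absent, `filename` stays empty and `fnlen` is 0, and that empty name is handed to the dictionary loader in the next hunk, so the user gets a file-open failure instead of a usage error (assuming `loadFileDICTIONARY_safe` does not special-case an empty path). A usage check after `CLIParserFree(ctx);` would close that gap, e.g. `if (use_vb6kdf == false && fnlen == 0) { PrintAndLogEx(ERR, "a dictionary file (-f) is required unless --vb6kdf is given"); return PM3_EINVARG; }`. A `--vb6kdf` combined with `-f` silently ignores the file, which is at least worth a line in the `-f` help text. The new `if(use_vb6kdf){` / `}else{` also departs from the `if (...) {` / `} else {` spacing the same function uses in the second hunk. CmdHFiClassCheckKeys begins and continues outside this hunk.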
@@ -3613,10 +3620,26 @@ static int CmdHFiClassCheckKeys(const char *Cmd) {
 // load keys
 uint8_t *keyBlock = NULL;
 uint32_t keycount = 0;
- int res = loadFileDICTIONARY_safe(filename, (void **)&keyBlock, 8, &keycount);
- if (res != PM3_SUCCESS || keycount == 0) {
- free(keyBlock);
- return res;
+
+ if (!use_vb6kdf) {
+ // Load keys
+ int res = loadFileDICTIONARY_safe(filename, (void **)&keyBlock, 8, &keycount);
+ if (res != PM3_SUCCESS || keycount == 0) {
+ free(keyBlock);
+ return res;
+ }
+ } else {
+ // Generate 5000 keys using VB6 KDF
+ keycount = 5000;
+ keyBlock = malloc(keycount * 8);
+ if (!keyBlock) {
+ return PM3_EMALLOC;
+ }
+
+ picopass_elite_reset();
+ for (uint32_t i = 0; i < keycount; i++) {
+ picopass_elite_nextKey(keyBlock + (i * 8));
+ }
 }
 
 // limit size of keys that can be held in memory
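Review bot: The VB6 branch hard-codes the key count and the key width three times (`keycount = 5000;`, `malloc(keycount * 8)`, `keyBlock + (i * 8)`) while the dictionary branch passes the same 8 to `loadFileDICTIONARY_safe`; a named constant for each, and `keyBlock = calloc(keycount, 8);` for an overflow-checked allocation, would keep the two branches from drifting apart. The comment `// Generate 5000 keys using VB6 KDF` only restates the literal; it should say why 5000 is the chosen depth (presumably the search depth of the ported Flipper implementation — worth confirming and stating, since a maintainer who changes the count cannot tell from here whether the generated sequence stays meaningful beyond it). `// Load keys` inside the new `if` duplicates the `// load keys` context line directly above it. `res` is now scoped to the `if` block, which is only safe if nothing later in CmdHFiClassCheckKeys still refers to it; the function continues past the hunk.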