github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-20 21:33:19 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Major rework of hf mf nested:

Browse source 
- PM: used GetCountMifare in MifareNested() for improved timing accuracy and to deliver better quality nonces
- PM: MifareNested now delivers exactly two different nonces to avoid time consuming multiple lfsr_recovery32() on client side
- Client: replaced quicksort by bucketsort in crapto1.c which is faster 
- Client: use multithreading (two parallel calls to lfsr_recovery32())
- Client: fixed a small bug in mfnested() (always showed trgkey=0)
- Client: introduced a mutex for PrintAndLog() to avoid interlaced printing
Minor rework of hf mf chk:
- Avoid time consuming off/on cycles. Send a "halt" instead.
This commit is contained in:
micki.held@gmx.de 2013-09-15 09:33:17 +00:00
commit 9492e0b098
14 changed files with 728 additions and 630 deletions
Download patch file Download diff file Expand all files Collapse all files

77
client/cmdhfmf.c
View file

@ -500,7 +500,7 @@ int CmdHF14AMfNested(const char *Cmd)
uint8_t blDiff = 0;
int SectorsCnt = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
uint8_t keyBlock[16 * 6];
uint8_t keyBlock[6*6];
uint64_t key64 = 0;
int transferToEml = 0;
@ -572,20 +572,12 @@ int CmdHF14AMfNested(const char *Cmd)
PrintAndLog("--target block no:%02x target key type:%02x ", trgBlockNo, trgKeyType);
if (cmdp == 'o') {
if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) {
if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {
PrintAndLog("Nested error.");
return 2;
}
for (i = 0; i < 16; i++) {
PrintAndLog("count=%d key= %s", i, sprint_hex(keyBlock + i * 6, 6));
}
// test keys
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);
if (res)
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);
if (!res) {
key64 = bytes_to_num(keyBlock, 6);
if (key64) {
PrintAndLog("Found valid key:%012"llx, key64);
// transfer key to the emulator
@ -603,6 +595,9 @@ int CmdHF14AMfNested(const char *Cmd)
}
}
else { // ------------------------------------ multiple sectors working
clock_t time1;
time1 = clock();
blDiff = blockNo % 4;
PrintAndLog("Block shift=%d", blDiff);
e_sector = calloc(SectorsCnt, sizeof(sector));
@ -610,10 +605,10 @@ int CmdHF14AMfNested(const char *Cmd)
//test current key 4 sectors
memcpy(keyBlock, key, 6);
num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 1 * 6));
num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 2 * 6));
num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 3 * 6));
num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 4 * 6));
num_to_bytes(0xffffffffffff, 6, (uint8_t*)(keyBlock + 1 * 6));
num_to_bytes(0x000000000000, 6, (uint8_t*)(keyBlock + 2 * 6));
num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));
num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));
num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));
PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
@ -628,32 +623,41 @@ int CmdHF14AMfNested(const char *Cmd)
e_sector[i].foundKey[j] = 1;
}
}
}
}
// nested sectors
iterations = 0;
PrintAndLog("nested...");
bool calibrate = true;
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4)
for (trgBlockNo = blDiff; trgBlockNo < SectorsCnt * 4; trgBlockNo = trgBlockNo + 4) {
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) {
if (e_sector[trgBlockNo / 4].foundKey[trgKeyType]) continue;
if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock)) continue;
PrintAndLog("-----------------------------------------------");
if(mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, calibrate)) {
PrintAndLog("Nested error.\n");
return 2;
}
else {
calibrate = false;
}
iterations++;
//try keys from nested
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, keyBlock, &key64);
if (res)
res = mfCheckKeys(trgBlockNo, trgKeyType, 8, &keyBlock[6 * 8], &key64);
if (!res) {
key64 = bytes_to_num(keyBlock, 6);
if (key64) {
PrintAndLog("Found valid key:%012"llx, key64);
e_sector[trgBlockNo / 4].foundKey[trgKeyType] = 1;
e_sector[trgBlockNo / 4].Key[trgKeyType] = key64;
}
}
}
}
PrintAndLog("Iterations count: %d", iterations);
printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/1000.0, ((float)clock() - time1)/iterations/1000.0);
PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);
//print them
PrintAndLog("|---|----------------|---|----------------|---|");
PrintAndLog("|sec|key A |res|key B |res|");
@ -830,16 +834,16 @@ int CmdHF14AMfChk(const char *Cmd)
while( !feof(f) ){
memset(buf, 0, sizeof(buf));
if (fgets(buf, sizeof(buf), f) == NULL) {
PrintAndLog("File reading error.");
return 2;
}
PrintAndLog("File reading error.");
return 2;
}
if (strlen(buf) < 12 || buf[11] == '\n')
continue;
while (fgetc(f) != '\n' && !feof(f)) ; //goto next line
if( buf[0]=='#' ) continue; //The line start with # is remcommnet,skip
if( buf[0]=='#' ) continue; //The line start with # is comment, skip
if (!isxdigit(buf[0])){
PrintAndLog("File content error. '%s' must include 12 HEX symbols",buf);
@ -883,10 +887,10 @@ int CmdHF14AMfChk(const char *Cmd)
int b=blockNo;
for (int i=0; i<SectorsCnt; ++i) {
PrintAndLog("--SectorsCnt:%d block no:0x%02x key type:%C key count:%d ", i, b, t?'B':'A', keycnt);
int size = keycnt>8?8:keycnt;
for (int c = 0; c < keycnt; c+=size) {
size=keycnt-c>8?8:keycnt-c;
res = mfCheckKeys(b, t, size, keyBlock +6*c, &key64);
uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;
for (uint32_t c = 0; c < keycnt; c+=max_keys) {
uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;
res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);
if (res !=1) {
if (!res) {
PrintAndLog("Found valid key:[%012"llx"]",key64);
@ -896,11 +900,6 @@ int CmdHF14AMfChk(const char *Cmd)
num_to_bytes(key64, 6, block + t*10);
mfEmlSetMem(block, get_trailer_block(b), 1);
}
break;
}
else {
printf("Not found yet, keycnt:%d\r", c+size);
fflush(stdout);
}
} else {
PrintAndLog("Command execute timeout");

293
client/mifarehost.c
View file

@ -11,181 +11,204 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include "mifarehost.h"
#include "proxmark3.h"
// MIFARE
int compar_int(const void * a, const void * b) {
return (*(uint64_t*)b - *(uint64_t*)a);
// didn't work: (the result is truncated to 32 bits)
//return (*(uint64_t*)b - *(uint64_t*)a);
// better:
if (*(uint64_t*)b == *(uint64_t*)a) return 0;
else if (*(uint64_t*)b > *(uint64_t*)a) return 1;
else return -1;
}
// Compare countKeys structure
int compar_special_int(const void * a, const void * b) {
return (((countKeys *)b)->count - ((countKeys *)a)->count);
// Compare 16 Bits out of cryptostate
int Compare16Bits(const void * a, const void * b) {
if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;
else if ((*(uint64_t*)b & 0x00ff000000ff0000) > (*(uint64_t*)a & 0x00ff000000ff0000)) return 1;
else return -1;
}
countKeys * uniqsort(uint64_t * possibleKeys, uint32_t size) {
int i, j = 0;
int count = 0;
countKeys *our_counts;
qsort(possibleKeys, size, sizeof (uint64_t), compar_int);
our_counts = calloc(size, sizeof(countKeys));
if (our_counts == NULL) {
PrintAndLog("Memory allocation error for our_counts");
return NULL;
}
for (i = 0; i < size; i++) {
if (possibleKeys[i+1] == possibleKeys[i]) {
count++;
} else {
our_counts[j].key = possibleKeys[i];
our_counts[j].count = count;
j++;
count=0;
}
}
qsort(our_counts, j, sizeof(countKeys), compar_special_int);
return (our_counts);
}
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKeys)
typedef
struct {
union {
struct Crypto1State *slhead;
uint64_t *keyhead;
};
union {
struct Crypto1State *sltail;
uint64_t *keytail;
};
uint32_t len;
uint32_t uid;
uint32_t blockNo;
uint32_t keyType;
uint32_t nt;
uint32_t ks1;
} StateList_t;
// wrapper function for multi-threaded lfsr_recovery32
void* nested_worker_thread(void *arg)
{
int i, m, len;
uint8_t isEOF;
uint32_t uid;
fnVector * vector = NULL;
countKeys *ck;
int lenVector = 0;
UsbCommand resp;
memset(resultKeys, 0x00, 16 * 6);
struct Crypto1State *p1;
StateList_t *statelist = arg;
statelist->slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid);
for (p1 = statelist->slhead; *(uint64_t *)p1 != 0; p1++);
statelist->len = p1 - statelist->slhead;
statelist->sltail = --p1;
qsort(statelist->slhead, statelist->len, sizeof(uint64_t), Compare16Bits);
return statelist->slhead;
}
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate)
{
uint16_t i, len;
uint32_t uid;
UsbCommand resp;
StateList_t statelists[2];
struct Crypto1State *p1, *p2, *p3, *p4;
// flush queue
WaitForResponseTimeout(CMD_ACK,NULL,100);
UsbCommand c = {CMD_MIFARE_NESTED, {blockNo, keyType, trgBlockNo + trgKeyType * 0x100}};
UsbCommand c = {CMD_MIFARE_NESTED, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, calibrate}};
memcpy(c.d.asBytes, key, 6);
SendCommand(&c);
SendCommand(&c);
PrintAndLog("\n");
// wait cycle
while (true) {
printf(".");
if (ukbhit()) {
getchar();
printf("\naborted via keyboard!\n");
break;
}
if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
isEOF = resp.arg[0] & 0xff;
if (isEOF) break;
len = resp.arg[1] & 0xff;
if (len == 0) continue;
if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
len = resp.arg[1];
if (len == 2) {
memcpy(&uid, resp.d.asBytes, 4);
PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, resp.arg[2] & 0xff, (resp.arg[2] >> 8) & 0xff);
vector = (fnVector *) realloc((void *)vector, (lenVector + len) * sizeof(fnVector) + 200);
if (vector == NULL) {
PrintAndLog("Memory allocation error for fnVector. len: %d bytes: %d", lenVector + len, (lenVector + len) * sizeof(fnVector));
break;
}
PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8);
for (i = 0; i < len; i++) {
vector[lenVector + i].blockNo = resp.arg[2] & 0xff;
vector[lenVector + i].keyType = (resp.arg[2] >> 8) & 0xff;
vector[lenVector + i].uid = uid;
for (i = 0; i < 2; i++) {
statelists[i].blockNo = resp.arg[2] & 0xff;
statelists[i].keyType = (resp.arg[2] >> 8) & 0xff;
statelists[i].uid = uid;
memcpy(&vector[lenVector + i].nt, (void *)(resp.d.asBytes + 8 + i * 8 + 0), 4);
memcpy(&vector[lenVector + i].ks1, (void *)(resp.d.asBytes + 8 + i * 8 + 4), 4);
memcpy(&statelists[i].nt, (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4);
memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4);
}
lenVector += len;
}
else {
PrintAndLog("Got 0 keys from proxmark.");
return 1;
}
}
if (!lenVector) {
PrintAndLog("Got 0 keys from proxmark.");
return 1;
}
printf("------------------------------------------------------------------\n");
// calc keys
struct Crypto1State* revstate = NULL;
struct Crypto1State* revstate_start = NULL;
uint64_t lfsr;
int kcount = 0;
pKeys *pk;
if ((pk = (void *) malloc(sizeof(pKeys))) == NULL) return 1;
memset(pk, 0x00, sizeof(pKeys));
pthread_t thread_id[2];
// create and run worker threads
for (i = 0; i < 2; i++) {
pthread_create(thread_id + i, NULL, nested_worker_thread, &statelists[i]);
}
for (m = 0; m < lenVector; m++) {
// And finally recover the first 32 bits of the key
revstate = lfsr_recovery32(vector[m].ks1, vector[m].nt ^ vector[m].uid);
if (revstate_start == NULL) revstate_start = revstate;
while ((revstate->odd != 0x0) || (revstate->even != 0x0)) {
lfsr_rollback_word(revstate, vector[m].nt ^ vector[m].uid, 0);
crypto1_get_lfsr(revstate, &lfsr);
// wait for threads to terminate:
for (i = 0; i < 2; i++) {
pthread_join(thread_id[i], (void*)&statelists[i].slhead);
}
// Allocate a new space for keys
if (((kcount % MEM_CHUNK) == 0) || (kcount >= pk->size)) {
pk->size += MEM_CHUNK;
//fprintf(stdout, "New chunk by %d, sizeof %d\n", kcount, pk->size * sizeof(uint64_t));
pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t));
if (pk->possibleKeys == NULL) {
PrintAndLog("Memory allocation error for pk->possibleKeys");
return 1;
}
// the first 16 Bits of the cryptostate already contain part of our key.
// Create the intersection of the two lists based on these 16 Bits and
// roll back the cryptostate
p1 = p3 = statelists[0].slhead;
p2 = p4 = statelists[1].slhead;
while (p1 <= statelists[0].sltail && p2 <= statelists[1].sltail) {
if (Compare16Bits(p1, p2) == 0) {
struct Crypto1State savestate, *savep = &savestate;
savestate = *p1;
while(Compare16Bits(p1, savep) == 0 && p1 <= statelists[0].sltail) {
*p3 = *p1;
lfsr_rollback_word(p3, statelists[0].nt ^ statelists[0].uid, 0);
p3++;
p1++;
}
savestate = *p2;
while(Compare16Bits(p2, savep) == 0 && p2 <= statelists[1].sltail) {
*p4 = *p2;
lfsr_rollback_word(p4, statelists[1].nt ^ statelists[1].uid, 0);
p4++;
p2++;
}
pk->possibleKeys[kcount] = lfsr;
kcount++;
revstate++;
}
free(revstate_start);
revstate_start = NULL;
else {
while (Compare16Bits(p1, p2) == -1) p1++;
while (Compare16Bits(p1, p2) == 1) p2++;
}
}
p3->even = 0; p3->odd = 0;
p4->even = 0; p4->odd = 0;
statelists[0].len = p3 - statelists[0].slhead;
statelists[1].len = p4 - statelists[1].slhead;
statelists[0].sltail=--p3;
statelists[1].sltail=--p4;
// the statelists now contain possible keys. The key we are searching for must be in the
// intersection of both lists. Create the intersection:
qsort(statelists[0].keyhead, statelists[0].len, sizeof(uint64_t), compar_int);
qsort(statelists[1].keyhead, statelists[1].len, sizeof(uint64_t), compar_int);
uint64_t *p5, *p6, *p7;
p5 = p7 = statelists[0].keyhead;
p6 = statelists[1].keyhead;
while (p5 <= statelists[0].keytail && p6 <= statelists[1].keytail) {
if (compar_int(p5, p6) == 0) {
*p7++ = *p5++;
p6++;
}
else {
while (compar_int(p5, p6) == -1) p5++;
while (compar_int(p5, p6) == 1) p6++;
}
}
statelists[0].len = p7 - statelists[0].keyhead;
statelists[0].keytail=--p7;
memset(resultKey, 0, 6);
// The list may still contain several key candidates. Test each of them with mfCheckKeys
for (i = 0; i < statelists[0].len; i++) {
uint8_t keyBlock[6];
uint64_t key64;
crypto1_get_lfsr(statelists[0].slhead + i, &key64);
num_to_bytes(key64, 6, keyBlock);
key64 = 0;
if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, 1, keyBlock, &key64)) {
num_to_bytes(key64, 6, resultKey);
break;
}
}
// Truncate
if (kcount != 0) {
pk->size = --kcount;
if ((pk->possibleKeys = (uint64_t *) realloc((void *)pk->possibleKeys, pk->size * sizeof(uint64_t))) == NULL) {
PrintAndLog("Memory allocation error for pk->possibleKeys");
return 1;
}
}
PrintAndLog("Total keys count:%d", kcount);
ck = uniqsort(pk->possibleKeys, pk->size);
// fill key array
for (i = 0; i < 16 ; i++) {
num_to_bytes(ck[i].key, 6, (uint8_t*)(resultKeys + i * 6));
}
// finalize
free(pk->possibleKeys);
free(pk);
free(ck);
free(vector);
free(statelists[0].slhead);
free(statelists[1].slhead);
return 0;
}
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key){
*key = 0;
UsbCommand c = {CMD_MIFARE_CHKKEYS, {blockNo, keyType, keycnt}};
UsbCommand c = {CMD_MIFARE_CHKKEYS, {blockNo, keyType, keycnt}};
memcpy(c.d.asBytes, keyBlock, 6 * keycnt);
SendCommand(&c);
SendCommand(&c);
UsbCommand resp;
if (!WaitForResponseTimeout(CMD_ACK,&resp,3000)) return 1;

14
client/mifarehost.h
View file

@ -43,26 +43,14 @@
#define TRACE_ERROR 0xFF
typedef struct fnVector { uint8_t blockNo, keyType; uint32_t uid, nt, ks1; } fnVector;
typedef struct {
uint64_t Key[2];
int foundKey[2];
} sector;
typedef struct {
uint64_t *possibleKeys;
uint32_t size;
} pKeys;
typedef struct {
uint64_t key;
int count;
} countKeys;
extern char logHexFileName[200];
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys);
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * ResultKeys, bool calibrate);
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key);
int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount);

176
client/nonce2key/crapto1.c
View file

@ -31,6 +31,71 @@ static void __attribute__((constructor)) fill_lut()
#define filter(x) (filterlut[(x) & 0xfffff])
#endif
typedef struct bucket {
uint32_t *head;
uint32_t *bp;
} bucket_t;
typedef bucket_t bucket_array_t[2][0x100];
typedef struct bucket_info {
struct {
uint32_t *head, *tail;
} bucket_info[2][0x100];
uint32_t numbuckets;
} bucket_info_t;
static void bucket_sort_intersect(uint32_t* const estart, uint32_t* const estop,
uint32_t* const ostart, uint32_t* const ostop,
bucket_info_t *bucket_info, bucket_array_t bucket)
{
uint32_t *p1, *p2;
uint32_t *start[2];
uint32_t *stop[2];
start[0] = estart;
stop[0] = estop;
start[1] = ostart;
stop[1] = ostop;
// init buckets to be empty
for (uint32_t i = 0; i < 2; i++) {
for (uint32_t j = 0x00; j <= 0xff; j++) {
bucket[i][j].bp = bucket[i][j].head;
}
}
// sort the lists into the buckets based on the MSB (contribution bits)
for (uint32_t i = 0; i < 2; i++) {
for (p1 = start[i]; p1 <= stop[i]; p1++) {
uint32_t bucket_index = (*p1 & 0xff000000) >> 24;
*(bucket[i][bucket_index].bp++) = *p1;
}
}
// write back intersecting buckets as sorted list.
// fill in bucket_info with head and tail of the bucket contents in the list and number of non-empty buckets.
uint32_t nonempty_bucket;
for (uint32_t i = 0; i < 2; i++) {
p1 = start[i];
nonempty_bucket = 0;
for (uint32_t j = 0x00; j <= 0xff; j++) {
if (bucket[0][j].bp != bucket[0][j].head && bucket[1][j].bp != bucket[1][j].head) { // non-empty intersecting buckets only
bucket_info->bucket_info[i][nonempty_bucket].head = p1;
for (p2 = bucket[i][j].head; p2 < bucket[i][j].bp; *p1++ = *p2++);
bucket_info->bucket_info[i][nonempty_bucket].tail = p1 - 1;
nonempty_bucket++;
}
}
bucket_info->numbuckets = nonempty_bucket;
}
}
static void quicksort(uint32_t* const start, uint32_t* const stop)
{
uint32_t *it = start + 1, *rit = stop;
@ -54,6 +119,8 @@ static void quicksort(uint32_t* const start, uint32_t* const stop)
quicksort(start, rit - 1);
quicksort(rit + 1, stop);
}
/** binsearch
* Binary search for the first occurence of *stop's MSB in sorted [start,stop]
*/
@ -90,45 +157,55 @@ static inline void
extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)
{
in <<= 24;
for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if(filter(*tbl) ^ filter(*tbl | 1)) {
*tbl |= filter(*tbl) ^ bit;
update_contribution(tbl, m1, m2);
*tbl ^= in;
} else if(filter(*tbl) == bit) {
*++*end = tbl[1];
tbl[1] = tbl[0] | 1;
update_contribution(tbl, m1, m2);
*tbl++ ^= in;
update_contribution(tbl, m1, m2);
*tbl ^= in;
} else
*tbl-- = *(*end)--;
for(uint32_t *p = tbl; p <= *end; p++) {
*p <<= 1;
if(filter(*p) != filter(*p | 1)) { // replace
*p |= filter(*p) ^ bit;
update_contribution(p, m1, m2);
*p ^= in;
} else if(filter(*p) == bit) { // insert
*++*end = p[1];
p[1] = p[0] | 1;
update_contribution(p, m1, m2);
*p++ ^= in;
update_contribution(p, m1, m2);
*p ^= in;
} else { // drop
*p-- = *(*end)--;
}
}
}
/** extend_table_simple
* using a bit of the keystream extend the table of possible lfsr states
*/
static inline void
extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)
{
for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if(filter(*tbl) ^ filter(*tbl | 1)) {
for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
if(filter(*tbl) ^ filter(*tbl | 1)) { // replace
*tbl |= filter(*tbl) ^ bit;
} else if(filter(*tbl) == bit) {
} else if(filter(*tbl) == bit) { // insert
*++*end = *++tbl;
*tbl = tbl[-1] | 1;
} else
} else // drop
*tbl-- = *(*end)--;
}
/** recover
* recursively narrow down the search space, 4 bits of keystream at a time
*/
static struct Crypto1State*
recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,
struct Crypto1State *sl, uint32_t in)
struct Crypto1State *sl, uint32_t in, bucket_array_t bucket)
{
uint32_t *o, *e, i;
uint32_t *o, *e;
bucket_info_t bucket_info;
if(rem == -1) {
for(e = e_head; e <= e_tail; ++e) {
@ -136,13 +213,13 @@ recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
for(o = o_head; o <= o_tail; ++o, ++sl) {
sl->even = *o;
sl->odd = *e ^ parity(*o & LF_POLY_ODD);
sl[1].odd = sl[1].even = 0;
}
}
sl->odd = sl->even = 0;
return sl;
}
for(i = 0; i < 4 && rem--; i++) {
for(uint32_t i = 0; i < 4 && rem--; i++) {
extend_table(o_head, &o_tail, (oks >>= 1) & 1,
LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0);
if(o_head > o_tail)
@ -154,21 +231,14 @@ recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
return sl;
}
quicksort(o_head, o_tail);
quicksort(e_head, e_tail);
while(o_tail >= o_head && e_tail >= e_head)
if(((*o_tail ^ *e_tail) >> 24) == 0) {
o_tail = binsearch(o_head, o = o_tail);
e_tail = binsearch(e_head, e = e_tail);
sl = recover(o_tail--, o, oks,
e_tail--, e, eks, rem, sl, in);
}
else if(*o_tail > *e_tail)
o_tail = binsearch(o_head, o_tail) - 1;
else
e_tail = binsearch(e_head, e_tail) - 1;
bucket_sort_intersect(e_head, e_tail, o_head, o_tail, &bucket_info, bucket);
for (int i = bucket_info.numbuckets - 1; i >= 0; i--) {
sl = recover(bucket_info.bucket_info[1][i].head, bucket_info.bucket_info[1][i].tail, oks,
bucket_info.bucket_info[0][i].head, bucket_info.bucket_info[0][i].tail, eks,
rem, sl, in, bucket);
}
return sl;
}
/** lfsr_recovery
@ -183,6 +253,7 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
uint32_t *even_head = 0, *even_tail = 0, eks = 0;
int i;
// split the keystream into an odd and even part
for(i = 31; i >= 0; i -= 2)
oks = oks << 1 | BEBIT(ks2, i);
for(i = 30; i >= 0; i -= 2)
@ -191,11 +262,23 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);
even_head = even_tail = malloc(sizeof(uint32_t) << 21);
statelist = malloc(sizeof(struct Crypto1State) << 18);
if(!odd_tail-- || !even_tail-- || !statelist)
if(!odd_tail-- || !even_tail-- || !statelist) {
goto out;
}
statelist->odd = statelist->even = 0;
// allocate memory for out of place bucket_sort
bucket_array_t bucket;
for (uint32_t i = 0; i < 2; i++)
for (uint32_t j = 0; j <= 0xff; j++) {
bucket[i][j].head = malloc(sizeof(uint32_t)<<14);
if (!bucket[i][j].head) {
goto out;
}
}
// initialize statelists: add all possible states which would result into the rightmost 2 bits of the keystream
for(i = 1 << 20; i >= 0; --i) {
if(filter(i) == (oks & 1))
*++odd_tail = i;
@ -203,18 +286,29 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
*++even_tail = i;
}
// extend the statelists. Look at the next 8 Bits of the keystream (4 Bit each odd and even):
for(i = 0; i < 4; i++) {
extend_table_simple(odd_head, &odd_tail, (oks >>= 1) & 1);
extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1);
}
in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);
// the statelists now contain all states which could have generated the last 10 Bits of the keystream.
// 22 bits to go to recover 32 bits in total. From now on, we need to take the "in"
// parameter into account.
in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00); // Byte swapping
recover(odd_head, odd_tail, oks,
even_head, even_tail, eks, 11, statelist, in << 1);
even_head, even_tail, eks, 11, statelist, in << 1, bucket);
out:
free(odd_head);
free(even_head);
for (uint32_t i = 0; i < 2; i++)
for (uint32_t j = 0; j <= 0xff; j++)
free(bucket[i][j].head);
return statelist;
}

80
client/proxmark3.c
View file

@ -24,10 +24,14 @@
#include "ui.h"
#include "sleep.h"
// a global mutex to prevent interlaced printing from different threads
pthread_mutex_t print_lock;
static serial_port sp;
static UsbCommand txcmd;
volatile static bool txcmd_pending = false;
void SendCommand(UsbCommand *c) {
#if 0
printf("Sending %d bytes\n", sizeof(UsbCommand));
@ -196,20 +200,20 @@ static void *main_loop(void *targ) {
}
int main(int argc, char* argv[]) {
srand(time(0));
srand(time(0));
if (argc < 2) {
printf("syntax: %s <port>\n\n",argv[0]);
printf("\tLinux example:'%s /dev/ttyACM0'\n\n", argv[0]);
return 1;
}
if (argc < 2) {
printf("syntax: %s <port>\n\n",argv[0]);
printf("\tLinux example:'%s /dev/ttyACM0'\n\n", argv[0]);
return 1;
}
// Make sure to initialize
struct main_loop_arg marg = {
.usb_present = 0,
.script_cmds_file = NULL
};
pthread_t main_loop_t;
// Make sure to initialize
struct main_loop_arg marg = {
.usb_present = 0,
.script_cmds_file = NULL
};
pthread_t main_loop_t;
/*
usb_init();
@ -223,38 +227,44 @@ int main(int argc, char* argv[]) {
}
*/
sp = uart_open(argv[1]);
if (sp == INVALID_SERIAL_PORT) {
printf("ERROR: invalid serial port\n");
marg.usb_present = 0;
offline = 1;
} else if (sp == CLAIMED_SERIAL_PORT) {
printf("ERROR: serial port is claimed by another process\n");
marg.usb_present = 0;
offline = 1;
} else {
marg.usb_present = 1;
offline = 0;
}
sp = uart_open(argv[1]);
if (sp == INVALID_SERIAL_PORT) {
printf("ERROR: invalid serial port\n");
marg.usb_present = 0;
offline = 1;
} else if (sp == CLAIMED_SERIAL_PORT) {
printf("ERROR: serial port is claimed by another process\n");
marg.usb_present = 0;
offline = 1;
} else {
marg.usb_present = 1;
offline = 0;
}
// If the user passed the filename of the 'script' to execute, get it
if (argc > 2 && argv[2]) {
marg.script_cmds_file = argv[2];
}
// If the user passed the filename of the 'script' to execute, get it
if (argc > 2 && argv[2]) {
marg.script_cmds_file = argv[2];
}
pthread_create(&main_loop_t, NULL, &main_loop, &marg);
InitGraphics(argc, argv);
// create a mutex to avoid interlacing print commands from our different threads
pthread_mutex_init(&print_lock, NULL);
MainGraphics();
pthread_create(&main_loop_t, NULL, &main_loop, &marg);
InitGraphics(argc, argv);
pthread_join(main_loop_t, NULL);
MainGraphics();
pthread_join(main_loop_t, NULL);
// if (marg.usb_present == 1) {
// CloseProxmark();
// }
// Clean up the port
uart_close(sp);
// Clean up the port
uart_close(sp);
// clean up mutex
pthread_mutex_destroy(&print_lock);
return 0;
}

54
client/ui.c
View file

@ -14,6 +14,7 @@
#include <stdio.h>
#include <time.h>
#include <readline/readline.h>
#include <pthread.h>
#include "ui.h"
@ -21,23 +22,28 @@ double CursorScaleFactor;
int PlotGridX, PlotGridY, PlotGridXdefault= 64, PlotGridYdefault= 64;
int offline;
extern pthread_mutex_t print_lock;
static char *logfilename = "proxmark3.log";
void PrintAndLog(char *fmt, ...)
{
char *saved_line;
int saved_point;
va_list argptr, argptr2;
static FILE *logfile = NULL;
static int logging=1;
va_list argptr, argptr2;
static FILE *logfile = NULL;
static int logging=1;
if (logging && !logfile) {
logfile=fopen(logfilename, "a");
if (!logfile) {
fprintf(stderr, "Can't open logfile, logging disabled!\n");
logging=0;
}
}
// lock this section to avoid interlacing prints from different threats
pthread_mutex_lock(&print_lock);
if (logging && !logfile) {
logfile=fopen(logfilename, "a");
if (!logfile) {
fprintf(stderr, "Can't open logfile, logging disabled!\n");
logging=0;
}
}
int need_hack = (rl_readline_state & RL_STATE_READCMD) > 0;
@ -49,12 +55,12 @@ void PrintAndLog(char *fmt, ...)
rl_redisplay();
}
va_start(argptr, fmt);
va_copy(argptr2, argptr);
vprintf(fmt, argptr);
printf(" "); // cleaning prompt
va_end(argptr);
printf("\n");
va_start(argptr, fmt);
va_copy(argptr2, argptr);
vprintf(fmt, argptr);
printf(" "); // cleaning prompt
va_end(argptr);
printf("\n");
if (need_hack) {
rl_restore_prompt();
@ -64,14 +70,18 @@ void PrintAndLog(char *fmt, ...)
free(saved_line);
}
if (logging && logfile) {
vfprintf(logfile, fmt, argptr2);
fprintf(logfile,"\n");
fflush(logfile);
}
va_end(argptr2);
if (logging && logfile) {
vfprintf(logfile, fmt, argptr2);
fprintf(logfile,"\n");
fflush(logfile);
}
va_end(argptr2);
//release lock
pthread_mutex_unlock(&print_lock);
}
void SetLogFilename(char *fn)
{
logfilename = fn;