github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-07-05 20:51:18 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

New: implementing hf mf hardnested

Browse source 
This implements the attack described in
	Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
	Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
	Computer and Communications Security, 2015
It uses precomputed tables for many bitflip properties (not only two as in the paper)
and is therefore quite efficient. To prevent failing it doesn't do
differential analysis with several nonce bytes' Sum(a8) properties (each of them
may be wrongly guessed) - instead it concentrates on one nonce byte and tries all
Sum(a8) property guesses sequentially (ordered by probability). The brute force phase
makes use of aczid's bit sliced brute forcer (https://github.com/aczid/crypto1_bs).
Includes runtime CPU-detection to leverage modern (and old) SIMD instructions
with a single executable.
This commit is contained in:
pwpiwi 2017-05-29 10:56:37 +02:00
parent a5eb7820a5
commit c48c4d7856
370 changed files with 687839 additions and 172 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.gitattributes vendored
View file

@ -1,4 +1,4 @@
# .gitattributes
# prevent binary files from CRLF handling, diff and merge:
fpga/fpga.bit -crlf -diff
*.bin -crlf -diff

3
.gitignore vendored
View file

@ -11,13 +11,16 @@
*.s19
*.map
*.bin
!client/hardnested/*.bin
*.dll
*.moc.cpp
*.z
usb_cmd.lua
version.c
client/ui/ui_overlays.h
*.exe
hardnested_stats.txt
proxmark3
flasher
lua

3
armsrc/appmain.c
View file

@ -1163,6 +1163,9 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_MIFAREU_WRITEBL:
MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
break;
case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
break;
case CMD_MIFARE_NESTED:
MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
break;

1
armsrc/apps.h
View file

@ -126,6 +126,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
//void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain);
void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain);
void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);

36
client/Makefile
View file

@ -112,6 +112,8 @@ CMDSRCS = crapto1/crapto1.c\
cmdhficlass.c \
cmdhfmf.c \
cmdhfmfu.c \
cmdhfmfhard.c \
hardnested/hardnested_bruteforce.c \
cmdhftopaz.c \
cmdhw.c \
cmdlf.c \
@ -153,6 +155,8 @@ CMDSRCS = crapto1/crapto1.c\
reveng/poly.c\
reveng/getopt.c\
MULTIARCHSRCS = hardnested/hardnested_bf_core.c hardnested/hardnested_bitarray_core.c
ZLIBSRCS = deflate.c adler32.c trees.c zutil.c inflate.c inffast.c inftrees.c
ZLIBFLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED
#-DDEBUG -Dverbose=1
@ -162,10 +166,16 @@ QTGUISRCS = proxgui.cpp proxguiqt.cpp proxguiqt.moc.cpp guidummy.cpp
COREOBJS = $(CORESRCS:%.c=$(OBJDIR)/%.o)
CMDOBJS = $(CMDSRCS:%.c=$(OBJDIR)/%.o)
ZLIBOBJS = $(ZLIBSRCS:%.c=$(OBJDIR)/%.o)
MULTIARCHOBJS = $(MULTIARCHSRCS:%.c=$(OBJDIR)/%_NOSIMD.o) \
$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_MMX.o) \
$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_SSE2.o) \
$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX.o) \
$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX2.o) \
$(MULTIARCHSRCS:%.c=$(OBJDIR)/%_AVX512.o)
BINS = proxmark3 flasher fpga_compress
WINBINS = $(patsubst %, %.exe, $(BINS))
CLEAN = $(BINS) $(WINBINS) $(COREOBJS) $(CMDOBJS) $(ZLIBOBJS) $(QTGUIOBJS) $(OBJDIR)/*.o *.moc.cpp ui/ui_overlays.h
CLEAN = $(BINS) $(WINBINS) $(COREOBJS) $(CMDOBJS) $(ZLIBOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(OBJDIR)/*.o *.moc.cpp ui/ui_overlays.h
# need to assign dependancies to build these first...
all: ui/ui_overlays.h lua_build $(BINS)
@ -174,8 +184,8 @@ all-static: LDLIBS:=-static $(LDLIBS)
all-static: proxmark3 flasher fpga_compress
proxmark3: LDLIBS+=$(LUALIB) $(QTLDLIBS)
proxmark3: $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(QTGUIOBJS) lualibs/usb_cmd.lua
$(LD) $(LDFLAGS) $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(QTGUIOBJS) $(LDLIBS) -o $@
proxmark3: $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) lualibs/usb_cmd.lua
$(LD) $(LDFLAGS) $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(QTGUIOBJS) $(MULTIARCHOBJS) $(LDLIBS) -o $@
flasher: $(OBJDIR)/flash.o $(OBJDIR)/flasher.o $(COREOBJS)
$(LD) $(LDFLAGS) $^ $(LDLIBS) -o $@
@ -205,6 +215,24 @@ lua_build:
.PHONY: all clean
$(OBJDIR)/%_NOSIMD.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) -mno-mmx -mno-sse2 -mno-avx -mno-avx2 -mno-avx512f -c -o $@ $<
$(OBJDIR)/%_MMX.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) -mmmx -mno-sse2 -mno-avx -mno-avx2 -mno-avx512f -c -o $@ $<
$(OBJDIR)/%_SSE2.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) -mmmx -msse2 -mno-avx -mno-avx2 -mno-avx512f -c -o $@ $<
$(OBJDIR)/%_AVX.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) -mmmx -msse2 -mavx -mno-avx2 -mno-avx512f -c -o $@ $<
$(OBJDIR)/%_AVX2.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) -mmmx -msse2 -mavx -mavx2 -mno-avx512f -c -o $@ $<
$(OBJDIR)/%_AVX512.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) -mmmx -msse2 -mavx -mavx2 -mavx512f -c -o $@ $<
%.o: %.c
$(OBJDIR)/%.o : %.c $(OBJDIR)/%.d
$(CC) $(DEPFLAGS) $(CFLAGS) $(ZLIBFLAGS) -c -o $@ $<

184
client/cmdhfmf.c
View file

@ -8,6 +8,8 @@
// High frequency MIFARE commands
//-----------------------------------------------------------------------------
#include "cmdhfmf.h"
#include <inttypes.h>
#include <string.h>
#include <stdio.h>
@ -15,7 +17,9 @@
#include <ctype.h>
#include "proxmark3.h"
#include "cmdmain.h"
#include "cmdhfmfhard.h"
#include "util.h"
#include "usb_cmd.h"
#include "ui.h"
#include "mifarehost.h"
#include "mifare.h"
@ -26,19 +30,17 @@
static int CmdHelp(const char *Cmd);
int CmdHF14AMifare(const char *Cmd)
{
int isOK = 0;
uint64_t key = 0;
isOK = mfDarkside(&key);
switch (isOK) {
case -1 : PrintAndLog("Button pressed. Aborted."); return 1;
case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;
case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;
case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;
PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;
case -5 : PrintAndLog("Aborted via keyboard."); return 1;
default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);
}
@ -764,6 +766,127 @@ int CmdHF14AMfNested(const char *Cmd)
return 0;
}
int CmdHF14AMfNestedHard(const char *Cmd)
{
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t trgBlockNo = 0;
uint8_t trgKeyType = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
uint8_t trgkey[6] = {0, 0, 0, 0, 0, 0};
char ctmp;
ctmp = param_getchar(Cmd, 0);
if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) {
PrintAndLog("Usage:");
PrintAndLog(" hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");
PrintAndLog(" <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]");
PrintAndLog(" or hf mf hardnested r [known target key]");
PrintAndLog(" ");
PrintAndLog("Options: ");
PrintAndLog(" w: Acquire nonces and write them to binary file nonces.bin");
PrintAndLog(" s: Slower acquisition (required by some non standard cards)");
PrintAndLog(" r: Read nonces.bin and start attack");
PrintAndLog(" ");
PrintAndLog(" sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");
PrintAndLog(" sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");
PrintAndLog(" sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s");
PrintAndLog(" sample4: hf mf hardnested r");
PrintAndLog(" ");
PrintAndLog("Add the known target key to check if it is present in the remaining key space:");
PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF");
return 0;
}
bool know_target_key = false;
bool nonce_file_read = false;
bool nonce_file_write = false;
bool slow = false;
int tests = 0;
if (ctmp == 'R' || ctmp == 'r') {
nonce_file_read = true;
if (!param_gethex(Cmd, 1, trgkey, 12)) {
know_target_key = true;
}
} else if (ctmp == 'T' || ctmp == 't') {
tests = param_get32ex(Cmd, 1, 100, 10);
if (!param_gethex(Cmd, 2, trgkey, 12)) {
know_target_key = true;
}
} else {
blockNo = param_get8(Cmd, 0);
ctmp = param_getchar(Cmd, 1);
if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
PrintAndLog("Key type must be A or B");
return 1;
}
if (ctmp != 'A' && ctmp != 'a') {
keyType = 1;
}
if (param_gethex(Cmd, 2, key, 12)) {
PrintAndLog("Key must include 12 HEX symbols");
return 1;
}
trgBlockNo = param_get8(Cmd, 3);
ctmp = param_getchar(Cmd, 4);
if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
PrintAndLog("Target key type must be A or B");
return 1;
}
if (ctmp != 'A' && ctmp != 'a') {
trgKeyType = 1;
}
uint16_t i = 5;
if (!param_gethex(Cmd, 5, trgkey, 12)) {
know_target_key = true;
i++;
}
while ((ctmp = param_getchar(Cmd, i))) {
if (ctmp == 's' || ctmp == 'S') {
slow = true;
} else if (ctmp == 'w' || ctmp == 'W') {
nonce_file_write = true;
} else {
PrintAndLog("Possible options are w and/or s");
return 1;
}
i++;
}
}
PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ",
trgBlockNo,
trgKeyType?'B':'A',
trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],
know_target_key?"":" (not set)",
nonce_file_write?"write":nonce_file_read?"read":"none",
slow?"Yes":"No",
tests);
int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);
if (isOK) {
switch (isOK) {
case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
case 2 : PrintAndLog("Button pressed. Aborted.\n"); break;
default : break;
}
return 2;
}
return 0;
}
int CmdHF14AMfChk(const char *Cmd)
{
if (strlen(Cmd)<3) {
@ -2183,33 +2306,34 @@ int CmdDecryptTraceCmds(const char *Cmd){
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
{"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
{"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
{"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
{"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},
{"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
{"chk", CmdHF14AMfChk, 0, "Test block keys"},
{"mifare", CmdHF14AMifare, 0, "Read parity error messages."},
{"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
{"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},
{"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},
{"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},
{"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},
{"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},
{"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},
{"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},
{"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},
{"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},
{"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},
{"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},
{"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},
{"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},
{"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},
{"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},
{"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
{NULL, NULL, 0, NULL}
{"help", CmdHelp, 1, "This help"},
{"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
{"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},
{"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},
{"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},
{"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},
{"chk", CmdHF14AMfChk, 0, "Test block keys"},
{"mifare", CmdHF14AMifare, 0, "Read parity error messages."},
{"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},
{"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
{"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},
{"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},
{"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},
{"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},
{"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},
{"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},
{"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},
{"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},
{"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},
{"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},
{"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},
{"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},
{"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},
{"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},
{"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},
{"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
{NULL, NULL, 0, NULL}
};
int CmdHFMF(const char *Cmd)

2687
client/cmdhfmfhard.c Normal file
View file

File diff suppressed because it is too large Load diff

48
client/cmdhfmfhard.h Normal file
View file

@ -0,0 +1,48 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2015 piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// hf mf hardnested command
//-----------------------------------------------------------------------------
#ifndef CMDHFMFHARD_H__
#define CMDHFMFHARD_H__
#include <stdint.h>
#include <stdbool.h>
#define NUM_SUMS 19 // number of possible sum property values
typedef struct guess_sum_a8 {
float prob;
uint64_t num_states;
uint8_t sum_a8_idx;
} guess_sum_a8_t;
typedef struct noncelistentry {
uint32_t nonce_enc;
uint8_t par_enc;
void *next;
} noncelistentry_t;
typedef struct noncelist {
uint16_t num;
uint16_t Sum;
guess_sum_a8_t sum_a8_guess[NUM_SUMS];
bool sum_a8_guess_dirty;
float expected_num_brute_force;
uint8_t BitFlips[0x400];
uint32_t *states_bitarray[2];
uint32_t num_states_bitarray[2];
bool all_bitflips_dirty[2];
noncelistentry_t *first;
} noncelist_t;
int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t *trgkey, bool nonce_file_read, bool nonce_file_write, bool slow, int tests);
void hardnested_print_progress(uint32_t nonces, char *activity, float brute_force, uint64_t min_diff_print_time);
#endif

BIN
client/hardnested/bf_bench_data.bin Normal file
View file

Binary file not shown.

573
client/hardnested/hardnested_bf_core.c Normal file
View file

@ -0,0 +1,573 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2016, 2017 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
//
// brute forcing is based on @aczids bitsliced brute forcer
// https://github.com/aczid/crypto1_bs with some modifications. Mainly:
// - don't rollback. Start with 2nd byte of nonce instead
// - reuse results of filter subfunctions
// - reuse results of previous nonces if some first bits are identical
//
//-----------------------------------------------------------------------------
// aczid's Copyright notice:
//
// Bit-sliced Crypto-1 brute-forcing implementation
// Builds on the data structures returned by CraptEV1 craptev1_get_space(nonces, threshold, uid)
/*
Copyright (c) 2015-2016 Aram Verstegen
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
#include "hardnested_bf_core.h"
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <malloc.h>
#include <string.h>
#include "crapto1/crapto1.h"
#include "parity.h"
// bitslice type
// while AVX supports 256 bit vector floating point operations, we need integer operations for boolean logic
// same for AVX2 and 512 bit vectors
// using larger vectors works but seems to generate more register pressure
#if defined(__AVX512F__)
#define MAX_BITSLICES 512
#elif defined(__AVX2__)
#define MAX_BITSLICES 256
#elif defined(__AVX__)
#define MAX_BITSLICES 128
#elif defined(__SSE2__)
#define MAX_BITSLICES 128
#else // MMX or SSE
#define MAX_BITSLICES 64
#endif
#define VECTOR_SIZE (MAX_BITSLICES/8)
typedef unsigned int __attribute__((aligned(VECTOR_SIZE))) __attribute__((vector_size(VECTOR_SIZE))) bitslice_value_t;
typedef union {
bitslice_value_t value;
uint64_t bytes64[MAX_BITSLICES/64];
uint8_t bytes[MAX_BITSLICES/8];
} bitslice_t;
// filter function (f20)
// sourced from ``Wirelessly Pickpocketing a Mifare Classic Card'' by Flavio Garcia, Peter van Rossum, Roel Verdult and Ronny Wichers Schreur
#define f20a(a,b,c,d) (((a|b)^(a&d))^(c&((a^b)|d)))
#define f20b(a,b,c,d) (((a&b)|c)^((a^b)&(c|d)))
#define f20c(a,b,c,d,e) ((a|((b|e)&(d^e)))^((a^(b&d))&((c^d)|(b&e))))
// bit indexing
#define get_bit(n, word) (((word) >> (n)) & 1)
#define get_vector_bit(slice, value) get_bit((slice)&0x3f, value.bytes64[(slice)>>6])
// size of crypto-1 state
#define STATE_SIZE 48
// size of nonce to be decrypted
#define KEYSTREAM_SIZE 24
// endianness conversion
#define rev32(word) ((((word) & 0xff) << 24) | ((((word) >> 8) & 0xff) << 16) | ((((word) >> 16) & 0xff) << 8) | ((((word) >> 24) & 0xff)))
// this needs to be compiled several times for each instruction set.
// For each instruction set, define a dedicated function name:
#if defined (__AVX512F__)
#define BITSLICE_TEST_NONCES bitslice_test_nonces_AVX512
#define CRACK_STATES_BITSLICED crack_states_bitsliced_AVX512
#elif defined (__AVX2__)
#define BITSLICE_TEST_NONCES bitslice_test_nonces_AVX2
#define CRACK_STATES_BITSLICED crack_states_bitsliced_AVX2
#elif defined (__AVX__)
#define BITSLICE_TEST_NONCES bitslice_test_nonces_AVX
#define CRACK_STATES_BITSLICED crack_states_bitsliced_AVX
#elif defined (__SSE2__)
#define BITSLICE_TEST_NONCES bitslice_test_nonces_SSE2
#define CRACK_STATES_BITSLICED crack_states_bitsliced_SSE2
#elif defined (__MMX__)
#define BITSLICE_TEST_NONCES bitslice_test_nonces_MMX
#define CRACK_STATES_BITSLICED crack_states_bitsliced_MMX
#endif
// typedefs and declaration of functions:
typedef const uint64_t crack_states_bitsliced_t(uint32_t, uint8_t*, statelist_t*, uint32_t*, uint64_t*, uint32_t, uint8_t*, noncelist_t*);
crack_states_bitsliced_t crack_states_bitsliced_AVX512;
crack_states_bitsliced_t crack_states_bitsliced_AVX2;
crack_states_bitsliced_t crack_states_bitsliced_AVX;
crack_states_bitsliced_t crack_states_bitsliced_SSE2;
crack_states_bitsliced_t crack_states_bitsliced_MMX;
crack_states_bitsliced_t crack_states_bitsliced_dispatch;
typedef void bitslice_test_nonces_t(uint32_t, uint32_t*, uint8_t*);
bitslice_test_nonces_t bitslice_test_nonces_AVX512;
bitslice_test_nonces_t bitslice_test_nonces_AVX2;
bitslice_test_nonces_t bitslice_test_nonces_AVX;
bitslice_test_nonces_t bitslice_test_nonces_SSE2;
bitslice_test_nonces_t bitslice_test_nonces_MMX;
bitslice_test_nonces_t bitslice_test_nonces_dispatch;
#ifdef _WIN32
#define malloc_bitslice(x) __builtin_assume_aligned(_aligned_malloc((x), MAX_BITSLICES/8), MAX_BITSLICES/8)
#define free_bitslice(x) _aligned_free(x)
#else
#define malloc_bitslice(x) memalign(MAX_BITSLICES/8, (x))
#define free_bitslice(x) free(x)
#endif
#if defined (__MMX__) // (including more sophisticated instruction sets)
typedef enum {
EVEN_STATE = 0,
ODD_STATE = 1
} odd_even_t;
// arrays of bitsliced states with identical values in all slices
static bitslice_t bitsliced_encrypted_nonces[256][KEYSTREAM_SIZE];
static bitslice_t bitsliced_encrypted_parity_bits[256][4];
// 1 and 0 vectors
static bitslice_t bs_ones;
static bitslice_t bs_zeroes;
void BITSLICE_TEST_NONCES(uint32_t nonces_to_bruteforce, uint32_t *bf_test_nonce, uint8_t *bf_test_nonce_par) {
// initialize 1 and 0 vectors
memset(bs_ones.bytes, 0xff, VECTOR_SIZE);
memset(bs_zeroes.bytes, 0x00, VECTOR_SIZE);
// bitslice nonces' 2nd to 4th byte
for (uint32_t i = 0; i < nonces_to_bruteforce; i++) {
for(uint32_t bit_idx = 0; bit_idx < KEYSTREAM_SIZE; bit_idx++){
bool bit = get_bit(KEYSTREAM_SIZE-1-bit_idx, rev32(bf_test_nonce[i] << 8));
if(bit){
bitsliced_encrypted_nonces[i][bit_idx].value = bs_ones.value;
} else {
bitsliced_encrypted_nonces[i][bit_idx].value = bs_zeroes.value;
}
}
}
// bitslice nonces' parity (4 bits)
for (uint32_t i = 0; i < nonces_to_bruteforce; i++) {
for(uint32_t bit_idx = 0; bit_idx < 4; bit_idx++){
bool bit = get_bit(4-1-bit_idx, bf_test_nonce_par[i]);
if(bit){
bitsliced_encrypted_parity_bits[i][bit_idx].value = bs_ones.value;
} else {
bitsliced_encrypted_parity_bits[i][bit_idx].value = bs_zeroes.value;
}
}
}
}
const uint64_t CRACK_STATES_BITSLICED(uint32_t cuid, uint8_t *best_first_bytes, statelist_t *p, uint32_t *keys_found, uint64_t *num_keys_tested, uint32_t nonces_to_bruteforce, uint8_t *bf_test_nonce_2nd_byte, noncelist_t *nonces){
// Unlike aczid's implementation this doesn't roll back at all when performing bitsliced bruteforce.
// We know that the best first byte is already shifted in. Testing with the remaining three bytes of
// the nonces is sufficient to eliminate most of them. The small rest is tested with a simple unsliced
// brute forcing (including roll back).
bitslice_t states[KEYSTREAM_SIZE+STATE_SIZE];
bitslice_t * restrict state_p;
uint64_t key = -1;
uint64_t bucket_states_tested = 0;
uint32_t bucket_size[(p->len[EVEN_STATE] - 1)/MAX_BITSLICES + 1];
uint32_t bitsliced_blocks = 0;
uint32_t const *restrict p_even_end = p->states[EVEN_STATE] + p->len[EVEN_STATE];
#if defined (DEBUG_BRUTE_FORCE)
uint32_t elimination_step = 0;
#define MAX_ELIMINATION_STEP 32
uint64_t keys_eliminated[MAX_ELIMINATION_STEP] = {0};
#endif
#ifdef DEBUG_KEY_ELIMINATION
bool bucket_contains_test_key[(p->len[EVEN_STATE] - 1)/MAX_BITSLICES + 1];
#endif
// constant ones/zeroes
bitslice_t bs_ones;
memset(bs_ones.bytes, 0xff, VECTOR_SIZE);
bitslice_t bs_zeroes;
memset(bs_zeroes.bytes, 0x00, VECTOR_SIZE);
// bitslice all the even states
bitslice_t **restrict bitsliced_even_states = (bitslice_t **)malloc(((p->len[EVEN_STATE] - 1)/MAX_BITSLICES + 1) * sizeof(bitslice_t *));
if (bitsliced_even_states == NULL) {
printf("Out of memory error in brute_force. Aborting...");
exit(4);
}
bitslice_value_t *restrict bitsliced_even_feedback = malloc_bitslice(((p->len[EVEN_STATE] - 1)/MAX_BITSLICES + 1) * sizeof(bitslice_value_t));
if (bitsliced_even_feedback == NULL) {
printf("Out of memory error in brute_force. Aborting...");
exit(4);
}
for(uint32_t *restrict p_even = p->states[EVEN_STATE]; p_even < p_even_end; p_even += MAX_BITSLICES){
bitslice_t *restrict lstate_p = malloc_bitslice(STATE_SIZE/2*sizeof(bitslice_t));
if (lstate_p == NULL) {
printf("Out of memory error in brute_force. Aborting... \n");
exit(4);
}
memset(lstate_p, 0x00, STATE_SIZE/2*sizeof(bitslice_t)); // zero even bits
// bitslice even half-states
const uint32_t max_slices = (p_even_end-p_even) < MAX_BITSLICES ? p_even_end-p_even : MAX_BITSLICES;
bucket_size[bitsliced_blocks] = max_slices;
#ifdef DEBUG_KEY_ELIMINATION
bucket_contains_test_key[bitsliced_blocks] = false;
#endif
uint32_t slice_idx;
for(slice_idx = 0; slice_idx < max_slices; ++slice_idx){
uint32_t e = *(p_even+slice_idx);
#ifdef DEBUG_KEY_ELIMINATION
if (known_target_key != -1 && e == test_state[EVEN_STATE]) {
bucket_contains_test_key[bitsliced_blocks] = true;
// printf("bucket %d contains test key even state\n", bitsliced_blocks);
// printf("in slice %d\n", slice_idx);
}
#endif
for(uint32_t bit_idx = 0; bit_idx < STATE_SIZE/2; bit_idx++, e >>= 1){
// set even bits
if(e&1){
lstate_p[bit_idx].bytes64[slice_idx>>6] |= 1ull << (slice_idx & 0x3f);
}
}
}
// padding with last even state
for ( ; slice_idx < MAX_BITSLICES; ++slice_idx) {
uint32_t e = *(p_even_end-1);
for(uint32_t bit_idx = 0; bit_idx < STATE_SIZE/2; bit_idx++, e >>= 1){
// set even bits
if(e&1){
lstate_p[bit_idx].bytes64[slice_idx>>6] |= 1ull << (slice_idx & 0x3f);
}
}
}
bitsliced_even_states[bitsliced_blocks] = lstate_p;
// bitsliced_even_feedback[bitsliced_blocks] = bs_ones;
bitsliced_even_feedback[bitsliced_blocks] = lstate_p[(47- 0)/2].value ^
lstate_p[(47-10)/2].value ^ lstate_p[(47-12)/2].value ^ lstate_p[(47-14)/2].value ^
lstate_p[(47-24)/2].value ^ lstate_p[(47-42)/2].value;
bitsliced_blocks++;
}
// bitslice every odd state to every block of even states
for(uint32_t const *restrict p_odd = p->states[ODD_STATE]; p_odd < p->states[ODD_STATE] + p->len[ODD_STATE]; ++p_odd){
// early abort
if(*keys_found){
goto out;
}
// set odd state bits and pre-compute first keystream bit vector. This is the same for all blocks of even states
state_p = &states[KEYSTREAM_SIZE];
uint32_t o = *p_odd;
// pre-compute the odd feedback bit
bool odd_feedback_bit = evenparity32(o&0x29ce5c);
const bitslice_value_t odd_feedback = odd_feedback_bit ? bs_ones.value : bs_zeroes.value;
// set odd state bits
for (uint32_t state_idx = 0; state_idx < STATE_SIZE; o >>= 1, state_idx += 2) {
if (o & 1){
state_p[state_idx] = bs_ones;
} else {
state_p[state_idx] = bs_zeroes;
}
}
bitslice_value_t crypto1_bs_f20b_2[16];
bitslice_value_t crypto1_bs_f20b_3[8];
crypto1_bs_f20b_2[0] = f20b(state_p[47-25].value, state_p[47-27].value, state_p[47-29].value, state_p[47-31].value);
crypto1_bs_f20b_3[0] = f20b(state_p[47-41].value, state_p[47-43].value, state_p[47-45].value, state_p[47-47].value);
bitslice_value_t ksb[8];
ksb[0] = f20c(f20a(state_p[47- 9].value, state_p[47-11].value, state_p[47-13].value, state_p[47-15].value),
f20b(state_p[47-17].value, state_p[47-19].value, state_p[47-21].value, state_p[47-23].value),
crypto1_bs_f20b_2[0],
f20a(state_p[47-33].value, state_p[47-35].value, state_p[47-37].value, state_p[47-39].value),
crypto1_bs_f20b_3[0]);
uint32_t *restrict p_even = p->states[EVEN_STATE];
for (uint32_t block_idx = 0; block_idx < bitsliced_blocks; ++block_idx, p_even += MAX_BITSLICES) {
#ifdef DEBUG_KEY_ELIMINATION
// if (known_target_key != -1 && bucket_contains_test_key[block_idx] && *p_odd == test_state[ODD_STATE]) {
// printf("Now testing known target key.\n");
// printf("block_idx = %d/%d\n", block_idx, bitsliced_blocks);
// }
#endif
// add the even state bits
const bitslice_t const *restrict bitsliced_even_state = bitsliced_even_states[block_idx];
for(uint32_t state_idx = 1; state_idx < STATE_SIZE; state_idx += 2) {
state_p[state_idx] = bitsliced_even_state[state_idx/2];
}
// pre-compute first feedback bit vector. This is the same for all nonces
bitslice_value_t fbb[8];
fbb[0] = odd_feedback ^ bitsliced_even_feedback[block_idx];
// vector to contain test results (1 = passed, 0 = failed)
bitslice_t results = bs_ones;
// parity_bits
bitslice_value_t par[8];
par[0] = bs_zeroes.value;
uint32_t next_common_bits = 0;
for(uint32_t tests = 0; tests < nonces_to_bruteforce; ++tests){
// common bits with preceding test nonce
uint32_t common_bits = next_common_bits; //tests ? trailing_zeros(bf_test_nonce_2nd_byte[tests] ^ bf_test_nonce_2nd_byte[tests-1]) : 0;
next_common_bits = tests < nonces_to_bruteforce - 1 ? trailing_zeros(bf_test_nonce_2nd_byte[tests] ^ bf_test_nonce_2nd_byte[tests+1]) : 0;
uint32_t parity_bit_idx = 1; // start checking with the parity of second nonce byte
bitslice_value_t fb_bits = fbb[common_bits]; // start with precomputed feedback bits from previous nonce
bitslice_value_t ks_bits = ksb[common_bits]; // dito for first keystream bits
bitslice_value_t parity_bit_vector = par[common_bits]; // dito for first parity vector
// bitslice_value_t fb_bits = fbb[0]; // start with precomputed feedback bits from previous nonce
// bitslice_value_t ks_bits = ksb[0]; // dito for first keystream bits
// bitslice_value_t parity_bit_vector = par[0]; // dito for first parity vector
state_p -= common_bits; // and reuse the already calculated state bits
// highest bit is transmitted/received first. We start with Bit 23 (highest bit of second nonce byte),
// or the highest bit which differs from the previous nonce
for (int32_t ks_idx = KEYSTREAM_SIZE-1-common_bits; ks_idx >= 0; --ks_idx) {
// decrypt nonce bits
const bitslice_value_t encrypted_nonce_bit_vector = bitsliced_encrypted_nonces[tests][ks_idx].value;
const bitslice_value_t decrypted_nonce_bit_vector = encrypted_nonce_bit_vector ^ ks_bits;
// compute real parity bits on the fly
parity_bit_vector ^= decrypted_nonce_bit_vector;
// update state
state_p--;
state_p[0].value = fb_bits ^ decrypted_nonce_bit_vector;
// update crypto1 subfunctions
bitslice_value_t f20a_1, f20b_1, f20b_2, f20a_2, f20b_3;
f20a_2 = f20a(state_p[47-33].value, state_p[47-35].value, state_p[47-37].value, state_p[47-39].value);
f20b_3 = f20b(state_p[47-41].value, state_p[47-43].value, state_p[47-45].value, state_p[47-47].value);
if (ks_idx > KEYSTREAM_SIZE - 8) {
f20a_1 = f20a(state_p[47- 9].value, state_p[47-11].value, state_p[47-13].value, state_p[47-15].value);
f20b_1 = f20b(state_p[47-17].value, state_p[47-19].value, state_p[47-21].value, state_p[47-23].value);
f20b_2 = f20b(state_p[47-25].value, state_p[47-27].value, state_p[47-29].value, state_p[47-31].value);
crypto1_bs_f20b_2[KEYSTREAM_SIZE - ks_idx] = f20b_2;
crypto1_bs_f20b_3[KEYSTREAM_SIZE - ks_idx] = f20b_3;
} else if (ks_idx > KEYSTREAM_SIZE - 16) {
f20a_1 = f20a(state_p[47- 9].value, state_p[47-11].value, state_p[47-13].value, state_p[47-15].value);
f20b_1 = crypto1_bs_f20b_2[KEYSTREAM_SIZE - ks_idx - 8];
f20b_2 = f20b(state_p[47-25].value, state_p[47-27].value, state_p[47-29].value, state_p[47-31].value);
crypto1_bs_f20b_2[KEYSTREAM_SIZE - ks_idx] = f20b_2;
} else if (ks_idx > KEYSTREAM_SIZE - 24){
f20a_1 = f20a(state_p[47- 9].value, state_p[47-11].value, state_p[47-13].value, state_p[47-15].value);
f20b_1 = crypto1_bs_f20b_2[KEYSTREAM_SIZE - ks_idx - 8];
f20b_2 = crypto1_bs_f20b_3[KEYSTREAM_SIZE - ks_idx - 16];
} else {
f20a_1 = f20a(state_p[47- 9].value, state_p[47-11].value, state_p[47-13].value, state_p[47-15].value);
f20b_1 = f20b(state_p[47-17].value, state_p[47-19].value, state_p[47-21].value, state_p[47-23].value);
f20b_2 = f20b(state_p[47-25].value, state_p[47-27].value, state_p[47-29].value, state_p[47-31].value);
}
// update keystream bit
ks_bits = f20c(f20a_1, f20b_1, f20b_2, f20a_2, f20b_3);
// for each completed byte:
if ((ks_idx & 0x07) == 0) {
// get encrypted parity bits
const bitslice_value_t encrypted_parity_bit_vector = bitsliced_encrypted_parity_bits[tests][parity_bit_idx++].value;
// decrypt parity bits
const bitslice_value_t decrypted_parity_bit_vector = encrypted_parity_bit_vector ^ ks_bits;
// compare actual parity bits with decrypted parity bits and take count in results vector
results.value &= ~parity_bit_vector ^ decrypted_parity_bit_vector;
// make sure we still have a match in our set
// if(memcmp(&results, &bs_zeroes, sizeof(bitslice_t)) == 0){
// this is much faster on my gcc, because somehow a memcmp needlessly spills/fills all the xmm registers to/from the stack - ???
// the short-circuiting also helps
if(results.bytes64[0] == 0
#if MAX_BITSLICES > 64
&& results.bytes64[1] == 0
#endif
#if MAX_BITSLICES > 128
&& results.bytes64[2] == 0
&& results.bytes64[3] == 0
#endif
) {
#if defined (DEBUG_BRUTE_FORCE)
if (elimination_step < MAX_ELIMINATION_STEP) {
keys_eliminated[elimination_step] += MAX_BITSLICES;
}
#endif
#ifdef DEBUG_KEY_ELIMINATION
if (known_target_key != -1 && bucket_contains_test_key[block_idx] && *p_odd == test_state[ODD_STATE]) {
printf("Known target key eliminated in brute_force.\n");
printf("block_idx = %d/%d, nonce = %d/%d\n", block_idx, bitsliced_blocks, tests, nonces_to_bruteforce);
}
#endif
goto stop_tests;
}
// prepare for next nonce byte
#if defined (DEBUG_BRUTE_FORCE)
elimination_step++;
#endif
parity_bit_vector = bs_zeroes.value;
}
// update feedback bit vector
if (ks_idx != 0) {
fb_bits =
(state_p[47- 0].value ^ state_p[47- 5].value ^ state_p[47- 9].value ^
state_p[47-10].value ^ state_p[47-12].value ^ state_p[47-14].value ^
state_p[47-15].value ^ state_p[47-17].value ^ state_p[47-19].value ^
state_p[47-24].value ^ state_p[47-25].value ^ state_p[47-27].value ^
state_p[47-29].value ^ state_p[47-35].value ^ state_p[47-39].value ^
state_p[47-41].value ^ state_p[47-42].value ^ state_p[47-43].value);
}
// remember feedback and keystream vectors for later use
uint8_t bit = KEYSTREAM_SIZE - ks_idx;
if (bit <= next_common_bits) { // if needed and not yet stored
fbb[bit] = fb_bits;
ksb[bit] = ks_bits;
par[bit] = parity_bit_vector;
}
}
// prepare for next nonce. Revert to initial state
state_p = &states[KEYSTREAM_SIZE];
}
// all nonce tests were successful: we've found a possible key in this block!
uint32_t *p_even_test = p_even;
for (uint32_t results_word = 0; results_word < MAX_BITSLICES / 64; ++results_word) {
uint64_t results64 = results.bytes64[results_word];
for (uint32_t results_bit = 0; results_bit < 64; results_bit++) {
if (results64 & 0x01) {
if (verify_key(cuid, nonces, best_first_bytes, *p_odd, *p_even_test)) {
struct Crypto1State pcs;
pcs.odd = *p_odd;
pcs.even = *p_even_test;
lfsr_rollback_byte(&pcs, (cuid >> 24) ^ best_first_bytes[0], true);
crypto1_get_lfsr(&pcs, &key);
bucket_states_tested += 64 * results_word + results_bit;
goto out;
}
#ifdef DEBUG_KEY_ELIMINATION
if (known_target_key != -1 && *p_even_test == test_state[EVEN_STATE] && *p_odd == test_state[ODD_STATE]) {
printf("Known target key eliminated in brute_force verification.\n");
printf("block_idx = %d/%d\n", block_idx, bitsliced_blocks);
}
#endif
}
#ifdef DEBUG_KEY_ELIMINATION
if (known_target_key != -1 && *p_even_test == test_state[EVEN_STATE] && *p_odd == test_state[ODD_STATE]) {
printf("Known target key eliminated in brute_force (results_bit == 0).\n");
printf("block_idx = %d/%d\n", block_idx, bitsliced_blocks);
}
#endif
results64 >>= 1;
p_even_test++;
if (p_even_test == p_even_end) {
goto stop_tests;
}
}
}
stop_tests:
#if defined (DEBUG_BRUTE_FORCE)
elimination_step = 0;
#endif
bucket_states_tested += bucket_size[block_idx];
// prepare to set new states
state_p = &states[KEYSTREAM_SIZE];
continue;
}
}
out:
for(uint32_t block_idx = 0; block_idx < bitsliced_blocks; ++block_idx){
free_bitslice(bitsliced_even_states[block_idx]);
}
free(bitsliced_even_states);
free_bitslice(bitsliced_even_feedback);
__sync_fetch_and_add(num_keys_tested, bucket_states_tested);
#if defined (DEBUG_BRUTE_FORCE)
for (uint32_t i = 0; i < MAX_ELIMINATION_STEP; i++) {
printf("Eliminated after %2u test_bytes: %5.2f%%\n", i+1, (float)keys_eliminated[i] / bucket_states_tested * 100);
}
#endif
return key;
}
#endif
#ifndef __MMX__
// pointers to functions:
crack_states_bitsliced_t *crack_states_bitsliced_function_p = &crack_states_bitsliced_dispatch;
bitslice_test_nonces_t *bitslice_test_nonces_function_p = &bitslice_test_nonces_dispatch;
// determine the available instruction set at runtime and call the correct function
const uint64_t crack_states_bitsliced_dispatch(uint32_t cuid, uint8_t *best_first_bytes, statelist_t *p, uint32_t *keys_found, uint64_t *num_keys_tested, uint32_t nonces_to_bruteforce, uint8_t *bf_test_nonce_2nd_byte, noncelist_t *nonces) {
if (__builtin_cpu_supports("avx512f")) crack_states_bitsliced_function_p = &crack_states_bitsliced_AVX512;
else if (__builtin_cpu_supports("avx2")) crack_states_bitsliced_function_p = &crack_states_bitsliced_AVX2;
else if (__builtin_cpu_supports("avx")) crack_states_bitsliced_function_p = &crack_states_bitsliced_AVX;
else if (__builtin_cpu_supports("sse2")) crack_states_bitsliced_function_p = &crack_states_bitsliced_SSE2;
else if (__builtin_cpu_supports("mmx")) crack_states_bitsliced_function_p = &crack_states_bitsliced_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*crack_states_bitsliced_function_p)(cuid, best_first_bytes, p, keys_found, num_keys_tested, nonces_to_bruteforce, bf_test_nonce_2nd_byte, nonces);
}
void bitslice_test_nonces_dispatch(uint32_t nonces_to_bruteforce, uint32_t *bf_test_nonce, uint8_t *bf_test_nonce_par) {
if (__builtin_cpu_supports("avx512f")) bitslice_test_nonces_function_p = &bitslice_test_nonces_AVX512;
else if (__builtin_cpu_supports("avx2")) bitslice_test_nonces_function_p = &bitslice_test_nonces_AVX2;
else if (__builtin_cpu_supports("avx")) bitslice_test_nonces_function_p = &bitslice_test_nonces_AVX;
else if (__builtin_cpu_supports("sse2")) bitslice_test_nonces_function_p = &bitslice_test_nonces_SSE2;
else if (__builtin_cpu_supports("mmx")) bitslice_test_nonces_function_p = &bitslice_test_nonces_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
(*bitslice_test_nonces_function_p)(nonces_to_bruteforce, bf_test_nonce, bf_test_nonce_par);
}
// Entries to dispatched function calls
const uint64_t crack_states_bitsliced(uint32_t cuid, uint8_t *best_first_bytes, statelist_t *p, uint32_t *keys_found, uint64_t *num_keys_tested, uint32_t nonces_to_bruteforce, uint8_t *bf_test_nonce_2nd_byte, noncelist_t *nonces) {
return (*crack_states_bitsliced_function_p)(cuid, best_first_bytes, p, keys_found, num_keys_tested, nonces_to_bruteforce, bf_test_nonce_2nd_byte, nonces);
}
void bitslice_test_nonces(uint32_t nonces_to_bruteforce, uint32_t *bf_test_nonce, uint8_t *bf_test_nonce_par) {
(*bitslice_test_nonces_function_p)(nonces_to_bruteforce, bf_test_nonce, bf_test_nonce_par);
}
#endif

58
client/hardnested/hardnested_bf_core.h Normal file
View file

@ -0,0 +1,58 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2016, 2017 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
//
// brute forcing is based on @aczids bitsliced brute forcer
// https://github.com/aczid/crypto1_bs with some modifications. Mainly:
// - don't rollback. Start with 2nd byte of nonce instead
// - reuse results of filter subfunctions
// - reuse results of previous nonces if some first bits are identical
//
//-----------------------------------------------------------------------------
// aczid's Copyright notice:
//
// Bit-sliced Crypto-1 brute-forcing implementation
// Builds on the data structures returned by CraptEV1 craptev1_get_space(nonces, threshold, uid)
/*
Copyright (c) 2015-2016 Aram Verstegen
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
#ifndef HARDNESTED_BF_CORE_H__
#define HARDNESTED_BF_CORE_H__
#include "hardnested_bruteforce.h" // statelist_t
extern const uint64_t crack_states_bitsliced(uint32_t cuid, uint8_t *best_first_bytes, statelist_t *p, uint32_t *keys_found, uint64_t *num_keys_tested, uint32_t nonces_to_bruteforce, uint8_t *bf_test_nonces_2nd_byte, noncelist_t *nonces);
extern void bitslice_test_nonces(uint32_t nonces_to_bruteforce, uint32_t *bf_test_nonces, uint8_t *bf_test_nonce_par);
#endif

545
client/hardnested/hardnested_bitarray_core.c Normal file
View file

@ -0,0 +1,545 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2016, 2017 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.ch b
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
// some helper functions which can benefit from SIMD instructions or other special instructions
//
#include "hardnested_bitarray_core.h"
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
// #include <stdint.h>
// #include <stdbool.h>
// #include <stdlib.h>
// #include <stdio.h>
// #include <malloc.h>
// #include <string.h>
// #include "crapto1/crapto1.h"
// #include "parity.h"
// this needs to be compiled several times for each instruction set.
// For each instruction set, define a dedicated function name:
#if defined (__AVX512F__)
#define MALLOC_BITARRAY malloc_bitarray_AVX512
#define FREE_BITARRAY free_bitarray_AVX512
#define BITCOUNT bitcount_AVX512
#define COUNT_STATES count_states_AVX512
#define BITARRAY_AND bitarray_AND_AVX512
#define BITARRAY_LOW20_AND bitarray_low20_AND_AVX512
#define COUNT_BITARRAY_AND count_bitarray_AND_AVX512
#define COUNT_BITARRAY_LOW20_AND count_bitarray_low20_AND_AVX512
#define BITARRAY_AND4 bitarray_AND4_AVX512
#define BITARRAY_OR bitarray_OR_AVX512
#define COUNT_BITARRAY_AND2 count_bitarray_AND2_AVX512
#define COUNT_BITARRAY_AND3 count_bitarray_AND3_AVX512
#define COUNT_BITARRAY_AND4 count_bitarray_AND4_AVX512
#elif defined (__AVX2__)
#define MALLOC_BITARRAY malloc_bitarray_AVX2
#define FREE_BITARRAY free_bitarray_AVX2
#define BITCOUNT bitcount_AVX2
#define COUNT_STATES count_states_AVX2
#define BITARRAY_AND bitarray_AND_AVX2
#define BITARRAY_LOW20_AND bitarray_low20_AND_AVX2
#define COUNT_BITARRAY_AND count_bitarray_AND_AVX2
#define COUNT_BITARRAY_LOW20_AND count_bitarray_low20_AND_AVX2
#define BITARRAY_AND4 bitarray_AND4_AVX2
#define BITARRAY_OR bitarray_OR_AVX2
#define COUNT_BITARRAY_AND2 count_bitarray_AND2_AVX2
#define COUNT_BITARRAY_AND3 count_bitarray_AND3_AVX2
#define COUNT_BITARRAY_AND4 count_bitarray_AND4_AVX2
#elif defined (__AVX__)
#define MALLOC_BITARRAY malloc_bitarray_AVX
#define FREE_BITARRAY free_bitarray_AVX
#define BITCOUNT bitcount_AVX
#define COUNT_STATES count_states_AVX
#define BITARRAY_AND bitarray_AND_AVX
#define BITARRAY_LOW20_AND bitarray_low20_AND_AVX
#define COUNT_BITARRAY_AND count_bitarray_AND_AVX
#define COUNT_BITARRAY_LOW20_AND count_bitarray_low20_AND_AVX
#define BITARRAY_AND4 bitarray_AND4_AVX
#define BITARRAY_OR bitarray_OR_AVX
#define COUNT_BITARRAY_AND2 count_bitarray_AND2_AVX
#define COUNT_BITARRAY_AND3 count_bitarray_AND3_AVX
#define COUNT_BITARRAY_AND4 count_bitarray_AND4_AVX
#elif defined (__SSE2__)
#define MALLOC_BITARRAY malloc_bitarray_SSE2
#define FREE_BITARRAY free_bitarray_SSE2
#define BITCOUNT bitcount_SSE2
#define COUNT_STATES count_states_SSE2
#define BITARRAY_AND bitarray_AND_SSE2
#define BITARRAY_LOW20_AND bitarray_low20_AND_SSE2
#define COUNT_BITARRAY_AND count_bitarray_AND_SSE2
#define COUNT_BITARRAY_LOW20_AND count_bitarray_low20_AND_SSE2
#define BITARRAY_AND4 bitarray_AND4_SSE2
#define BITARRAY_OR bitarray_OR_SSE2
#define COUNT_BITARRAY_AND2 count_bitarray_AND2_SSE2
#define COUNT_BITARRAY_AND3 count_bitarray_AND3_SSE2
#define COUNT_BITARRAY_AND4 count_bitarray_AND4_SSE2
#elif defined (__MMX__)
#define MALLOC_BITARRAY malloc_bitarray_MMX
#define FREE_BITARRAY free_bitarray_MMX
#define BITCOUNT bitcount_MMX
#define COUNT_STATES count_states_MMX
#define BITARRAY_AND bitarray_AND_MMX
#define BITARRAY_LOW20_AND bitarray_low20_AND_MMX
#define COUNT_BITARRAY_AND count_bitarray_AND_MMX
#define COUNT_BITARRAY_LOW20_AND count_bitarray_low20_AND_MMX
#define BITARRAY_AND4 bitarray_AND4_MMX
#define BITARRAY_OR bitarray_OR_MMX
#define COUNT_BITARRAY_AND2 count_bitarray_AND2_MMX
#define COUNT_BITARRAY_AND3 count_bitarray_AND3_MMX
#define COUNT_BITARRAY_AND4 count_bitarray_AND4_MMX
#endif
// typedefs and declaration of functions:
typedef uint32_t* malloc_bitarray_t(uint32_t);
malloc_bitarray_t malloc_bitarray_AVX512, malloc_bitarray_AVX2, malloc_bitarray_AVX, malloc_bitarray_SSE2, malloc_bitarray_MMX, malloc_bitarray_dispatch;
typedef void free_bitarray_t(uint32_t*);
free_bitarray_t free_bitarray_AVX512, free_bitarray_AVX2, free_bitarray_AVX, free_bitarray_SSE2, free_bitarray_MMX, free_bitarray_dispatch;
typedef uint32_t bitcount_t(uint32_t);
bitcount_t bitcount_AVX512, bitcount_AVX2, bitcount_AVX, bitcount_SSE2, bitcount_MMX, bitcount_dispatch;
typedef uint32_t count_states_t(uint32_t*);
count_states_t count_states_AVX512, count_states_AVX2, count_states_AVX, count_states_SSE2, count_states_MMX, count_states_dispatch;
typedef void bitarray_AND_t(uint32_t[], uint32_t[]);
bitarray_AND_t bitarray_AND_AVX512, bitarray_AND_AVX2, bitarray_AND_AVX, bitarray_AND_SSE2, bitarray_AND_MMX, bitarray_AND_dispatch;
typedef void bitarray_low20_AND_t(uint32_t*, uint32_t*);
bitarray_low20_AND_t bitarray_low20_AND_AVX512, bitarray_low20_AND_AVX2, bitarray_low20_AND_AVX, bitarray_low20_AND_SSE2, bitarray_low20_AND_MMX, bitarray_low20_AND_dispatch;
typedef uint32_t count_bitarray_AND_t(uint32_t*, uint32_t*);
count_bitarray_AND_t count_bitarray_AND_AVX512, count_bitarray_AND_AVX2, count_bitarray_AND_AVX, count_bitarray_AND_SSE2, count_bitarray_AND_MMX, count_bitarray_AND_dispatch;
typedef uint32_t count_bitarray_low20_AND_t(uint32_t*, uint32_t*);
count_bitarray_low20_AND_t count_bitarray_low20_AND_AVX512, count_bitarray_low20_AND_AVX2, count_bitarray_low20_AND_AVX, count_bitarray_low20_AND_SSE2, count_bitarray_low20_AND_MMX, count_bitarray_low20_AND_dispatch;
typedef void bitarray_AND4_t(uint32_t*, uint32_t*, uint32_t*, uint32_t*);
bitarray_AND4_t bitarray_AND4_AVX512, bitarray_AND4_AVX2, bitarray_AND4_AVX, bitarray_AND4_SSE2, bitarray_AND4_MMX, bitarray_AND4_dispatch;
typedef void bitarray_OR_t(uint32_t[], uint32_t[]);
bitarray_OR_t bitarray_OR_AVX512, bitarray_OR_AVX2, bitarray_OR_AVX, bitarray_OR_SSE2, bitarray_OR_MMX, bitarray_OR_dispatch;
typedef uint32_t count_bitarray_AND2_t(uint32_t*, uint32_t*);
count_bitarray_AND2_t count_bitarray_AND2_AVX512, count_bitarray_AND2_AVX2, count_bitarray_AND2_AVX, count_bitarray_AND2_SSE2, count_bitarray_AND2_MMX, count_bitarray_AND2_dispatch;
typedef uint32_t count_bitarray_AND3_t(uint32_t*, uint32_t*, uint32_t*);
count_bitarray_AND3_t count_bitarray_AND3_AVX512, count_bitarray_AND3_AVX2, count_bitarray_AND3_AVX, count_bitarray_AND3_SSE2, count_bitarray_AND3_MMX, count_bitarray_AND3_dispatch;
typedef uint32_t count_bitarray_AND4_t(uint32_t*, uint32_t*, uint32_t*, uint32_t*);
count_bitarray_AND4_t count_bitarray_AND4_AVX512, count_bitarray_AND4_AVX2, count_bitarray_AND4_AVX, count_bitarray_AND4_SSE2, count_bitarray_AND4_MMX, count_bitarray_AND4_dispatch;
inline uint32_t *MALLOC_BITARRAY(uint32_t x)
{
#ifdef _WIN32
return __builtin_assume_aligned(_aligned_malloc((x), __BIGGEST_ALIGNMENT__), __BIGGEST_ALIGNMENT__);
#else
return __builtin_assume_aligned(memalign(__BIGGEST_ALIGNMENT__, (x)), __BIGGEST_ALIGNMENT__);
#endif
}
inline void FREE_BITARRAY(uint32_t *x)
{
#ifdef _WIN32
_aligned_free(x);
#else
free(x);
#endif
}
inline uint32_t BITCOUNT(uint32_t a)
{
return __builtin_popcountl(a);
}
inline uint32_t COUNT_STATES(uint32_t *A)
{
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<19); i++) {
count += BITCOUNT(A[i]);
}
return count;
}
inline void BITARRAY_AND(uint32_t *restrict A, uint32_t *restrict B)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
for (uint32_t i = 0; i < (1<<19); i++) {
A[i] &= B[i];
}
}
inline void BITARRAY_LOW20_AND(uint32_t *restrict A, uint32_t *restrict B)
{
uint16_t *a = (uint16_t *)__builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
uint16_t *b = (uint16_t *)__builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
for (uint32_t i = 0; i < (1<<20); i++) {
if (!b[i]) {
a[i] = 0;
}
}
}
inline uint32_t COUNT_BITARRAY_AND(uint32_t *restrict A, uint32_t *restrict B)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<19); i++) {
A[i] &= B[i];
count += BITCOUNT(A[i]);
}
return count;
}
inline uint32_t COUNT_BITARRAY_LOW20_AND(uint32_t *restrict A, uint32_t *restrict B)
{
uint16_t *a = (uint16_t *)__builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
uint16_t *b = (uint16_t *)__builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<20); i++) {
if (!b[i]) {
a[i] = 0;
}
count += BITCOUNT(a[i]);
}
return count;
}
inline void BITARRAY_AND4(uint32_t *restrict A, uint32_t *restrict B, uint32_t *restrict C, uint32_t *restrict D)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
C = __builtin_assume_aligned(C, __BIGGEST_ALIGNMENT__);
D = __builtin_assume_aligned(D, __BIGGEST_ALIGNMENT__);
for (uint32_t i = 0; i < (1<<19); i++) {
A[i] = B[i] & C[i] & D[i];
}
}
inline void BITARRAY_OR(uint32_t *restrict A, uint32_t *restrict B)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
for (uint32_t i = 0; i < (1<<19); i++) {
A[i] |= B[i];
}
}
inline uint32_t COUNT_BITARRAY_AND2(uint32_t *restrict A, uint32_t *restrict B)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<19); i++) {
count += BITCOUNT(A[i] & B[i]);
}
return count;
}
inline uint32_t COUNT_BITARRAY_AND3(uint32_t *restrict A, uint32_t *restrict B, uint32_t *restrict C)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
C = __builtin_assume_aligned(C, __BIGGEST_ALIGNMENT__);
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<19); i++) {
count += BITCOUNT(A[i] & B[i] & C[i]);
}
return count;
}
inline uint32_t COUNT_BITARRAY_AND4(uint32_t *restrict A, uint32_t *restrict B, uint32_t *restrict C, uint32_t *restrict D)
{
A = __builtin_assume_aligned(A, __BIGGEST_ALIGNMENT__);
B = __builtin_assume_aligned(B, __BIGGEST_ALIGNMENT__);
C = __builtin_assume_aligned(C, __BIGGEST_ALIGNMENT__);
D = __builtin_assume_aligned(D, __BIGGEST_ALIGNMENT__);
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<19); i++) {
count += BITCOUNT(A[i] & B[i] & C[i] & D[i]);
}
return count;
}
#ifndef __MMX__
// pointers to functions:
malloc_bitarray_t *malloc_bitarray_function_p = &malloc_bitarray_dispatch;
free_bitarray_t *free_bitarray_function_p = &free_bitarray_dispatch;
bitcount_t *bitcount_function_p = &bitcount_dispatch;
count_states_t *count_states_function_p = &count_states_dispatch;
bitarray_AND_t *bitarray_AND_function_p = &bitarray_AND_dispatch;
bitarray_low20_AND_t *bitarray_low20_AND_function_p = &bitarray_low20_AND_dispatch;
count_bitarray_AND_t *count_bitarray_AND_function_p = &count_bitarray_AND_dispatch;
count_bitarray_low20_AND_t *count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_dispatch;
bitarray_AND4_t *bitarray_AND4_function_p = &bitarray_AND4_dispatch;
bitarray_OR_t *bitarray_OR_function_p = &bitarray_OR_dispatch;
count_bitarray_AND2_t *count_bitarray_AND2_function_p = &count_bitarray_AND2_dispatch;
count_bitarray_AND3_t *count_bitarray_AND3_function_p = &count_bitarray_AND3_dispatch;
count_bitarray_AND4_t *count_bitarray_AND4_function_p = &count_bitarray_AND4_dispatch;
// determine the available instruction set at runtime and call the correct function
uint32_t *malloc_bitarray_dispatch(uint32_t x) {
if (__builtin_cpu_supports("avx512f")) malloc_bitarray_function_p = &malloc_bitarray_AVX512;
else if (__builtin_cpu_supports("avx2")) malloc_bitarray_function_p = &malloc_bitarray_AVX2;
else if (__builtin_cpu_supports("avx")) malloc_bitarray_function_p = &malloc_bitarray_AVX;
else if (__builtin_cpu_supports("sse2")) malloc_bitarray_function_p = &malloc_bitarray_SSE2;
else if (__builtin_cpu_supports("mmx")) malloc_bitarray_function_p = &malloc_bitarray_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*malloc_bitarray_function_p)(x);
}
void free_bitarray_dispatch(uint32_t *x) {
if (__builtin_cpu_supports("avx512f")) free_bitarray_function_p = &free_bitarray_AVX512;
else if (__builtin_cpu_supports("avx2")) free_bitarray_function_p = &free_bitarray_AVX2;
else if (__builtin_cpu_supports("avx")) free_bitarray_function_p = &free_bitarray_AVX;
else if (__builtin_cpu_supports("sse2")) free_bitarray_function_p = &free_bitarray_SSE2;
else if (__builtin_cpu_supports("mmx")) free_bitarray_function_p = &free_bitarray_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
(*free_bitarray_function_p)(x);
}
uint32_t bitcount_dispatch(uint32_t a) {
if (__builtin_cpu_supports("avx512f")) bitcount_function_p = &bitcount_AVX512;
else if (__builtin_cpu_supports("avx2")) bitcount_function_p = &bitcount_AVX2;
else if (__builtin_cpu_supports("avx")) bitcount_function_p = &bitcount_AVX;
else if (__builtin_cpu_supports("sse2")) bitcount_function_p = &bitcount_SSE2;
else if (__builtin_cpu_supports("mmx")) bitcount_function_p = &bitcount_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*bitcount_function_p)(a);
}
uint32_t count_states_dispatch(uint32_t *bitarray) {
if (__builtin_cpu_supports("avx512f")) count_states_function_p = &count_states_AVX512;
else if (__builtin_cpu_supports("avx2")) count_states_function_p = &count_states_AVX2;
else if (__builtin_cpu_supports("avx")) count_states_function_p = &count_states_AVX;
else if (__builtin_cpu_supports("sse2")) count_states_function_p = &count_states_SSE2;
else if (__builtin_cpu_supports("mmx")) count_states_function_p = &count_states_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*count_states_function_p)(bitarray);
}
void bitarray_AND_dispatch(uint32_t *A, uint32_t *B) {
if (__builtin_cpu_supports("avx512f")) bitarray_AND_function_p = &bitarray_AND_AVX512;
else if (__builtin_cpu_supports("avx2")) bitarray_AND_function_p = &bitarray_AND_AVX2;
else if (__builtin_cpu_supports("avx")) bitarray_AND_function_p = &bitarray_AND_AVX;
else if (__builtin_cpu_supports("sse2")) bitarray_AND_function_p = &bitarray_AND_SSE2;
else if (__builtin_cpu_supports("mmx")) bitarray_AND_function_p = &bitarray_AND_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
(*bitarray_AND_function_p)(A,B);
}
void bitarray_low20_AND_dispatch(uint32_t *A, uint32_t *B) {
if (__builtin_cpu_supports("avx512f")) bitarray_low20_AND_function_p = &bitarray_low20_AND_AVX512;
else if (__builtin_cpu_supports("avx2")) bitarray_low20_AND_function_p = &bitarray_low20_AND_AVX2;
else if (__builtin_cpu_supports("avx")) bitarray_low20_AND_function_p = &bitarray_low20_AND_AVX;
else if (__builtin_cpu_supports("sse2")) bitarray_low20_AND_function_p = &bitarray_low20_AND_SSE2;
else if (__builtin_cpu_supports("mmx")) bitarray_low20_AND_function_p = &bitarray_low20_AND_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
(*bitarray_low20_AND_function_p)(A, B);
}
uint32_t count_bitarray_AND_dispatch(uint32_t *A, uint32_t *B) {
if (__builtin_cpu_supports("avx512f")) count_bitarray_AND_function_p = &count_bitarray_AND_AVX512;
else if (__builtin_cpu_supports("avx2")) count_bitarray_AND_function_p = &count_bitarray_AND_AVX2;
else if (__builtin_cpu_supports("avx")) count_bitarray_AND_function_p = &count_bitarray_AND_AVX;
else if (__builtin_cpu_supports("sse2")) count_bitarray_AND_function_p = &count_bitarray_AND_SSE2;
else if (__builtin_cpu_supports("mmx")) count_bitarray_AND_function_p = &count_bitarray_AND_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*count_bitarray_AND_function_p)(A, B);
}
uint32_t count_bitarray_low20_AND_dispatch(uint32_t *A, uint32_t *B) {
if (__builtin_cpu_supports("avx512f")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_AVX512;
else if (__builtin_cpu_supports("avx2")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_AVX2;
else if (__builtin_cpu_supports("avx")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_AVX;
else if (__builtin_cpu_supports("sse2")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_SSE2;
else if (__builtin_cpu_supports("mmx")) count_bitarray_low20_AND_function_p = &count_bitarray_low20_AND_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*count_bitarray_low20_AND_function_p)(A, B);
}
void bitarray_AND4_dispatch(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) {
if (__builtin_cpu_supports("avx512f")) bitarray_AND4_function_p = &bitarray_AND4_AVX512;
else if (__builtin_cpu_supports("avx2")) bitarray_AND4_function_p = &bitarray_AND4_AVX2;
else if (__builtin_cpu_supports("avx")) bitarray_AND4_function_p = &bitarray_AND4_AVX;
else if (__builtin_cpu_supports("sse2")) bitarray_AND4_function_p = &bitarray_AND4_SSE2;
else if (__builtin_cpu_supports("mmx")) bitarray_AND4_function_p = &bitarray_AND4_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
(*bitarray_AND4_function_p)(A, B, C, D);
}
void bitarray_OR_dispatch(uint32_t *A, uint32_t *B) {
if (__builtin_cpu_supports("avx512f")) bitarray_OR_function_p = &bitarray_OR_AVX512;
else if (__builtin_cpu_supports("avx2")) bitarray_OR_function_p = &bitarray_OR_AVX2;
else if (__builtin_cpu_supports("avx")) bitarray_OR_function_p = &bitarray_OR_AVX;
else if (__builtin_cpu_supports("sse2")) bitarray_OR_function_p = &bitarray_OR_SSE2;
else if (__builtin_cpu_supports("mmx")) bitarray_OR_function_p = &bitarray_OR_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
(*bitarray_OR_function_p)(A,B);
}
uint32_t count_bitarray_AND2_dispatch(uint32_t *A, uint32_t *B) {
if (__builtin_cpu_supports("avx512f")) count_bitarray_AND2_function_p = &count_bitarray_AND2_AVX512;
else if (__builtin_cpu_supports("avx2")) count_bitarray_AND2_function_p = &count_bitarray_AND2_AVX2;
else if (__builtin_cpu_supports("avx")) count_bitarray_AND2_function_p = &count_bitarray_AND2_AVX;
else if (__builtin_cpu_supports("sse2")) count_bitarray_AND2_function_p = &count_bitarray_AND2_SSE2;
else if (__builtin_cpu_supports("mmx")) count_bitarray_AND2_function_p = &count_bitarray_AND2_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*count_bitarray_AND2_function_p)(A, B);
}
uint32_t count_bitarray_AND3_dispatch(uint32_t *A, uint32_t *B, uint32_t *C) {
if (__builtin_cpu_supports("avx512f")) count_bitarray_AND3_function_p = &count_bitarray_AND3_AVX512;
else if (__builtin_cpu_supports("avx2")) count_bitarray_AND3_function_p = &count_bitarray_AND3_AVX2;
else if (__builtin_cpu_supports("avx")) count_bitarray_AND3_function_p = &count_bitarray_AND3_AVX;
else if (__builtin_cpu_supports("sse2")) count_bitarray_AND3_function_p = &count_bitarray_AND3_SSE2;
else if (__builtin_cpu_supports("mmx")) count_bitarray_AND3_function_p = &count_bitarray_AND3_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*count_bitarray_AND3_function_p)(A, B, C);
}
uint32_t count_bitarray_AND4_dispatch(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) {
if (__builtin_cpu_supports("avx512f")) count_bitarray_AND4_function_p = &count_bitarray_AND4_AVX512;
else if (__builtin_cpu_supports("avx2")) count_bitarray_AND4_function_p = &count_bitarray_AND4_AVX2;
else if (__builtin_cpu_supports("avx")) count_bitarray_AND4_function_p = &count_bitarray_AND4_AVX;
else if (__builtin_cpu_supports("sse2")) count_bitarray_AND4_function_p = &count_bitarray_AND4_SSE2;
else if (__builtin_cpu_supports("mmx")) count_bitarray_AND4_function_p = &count_bitarray_AND4_MMX;
else {
printf("\nFatal: you need at least a CPU with MMX instruction set support. Aborting...\n");
exit(5);
}
// call the most optimized function for this CPU
return (*count_bitarray_AND4_function_p)(A, B, C, D);
}
///////////////////////////////////////////////77
// Entries to dispatched function calls
uint32_t *malloc_bitarray(uint32_t x) {
return (*malloc_bitarray_function_p)(x);
}
void free_bitarray(uint32_t *x) {
(*free_bitarray_function_p)(x);
}
uint32_t bitcount(uint32_t a) {
return (*bitcount_function_p)(a);
}
uint32_t count_states(uint32_t *bitarray) {
return (*count_states_function_p)(bitarray);
}
void bitarray_AND(uint32_t *A, uint32_t *B) {
(*bitarray_AND_function_p)(A, B);
}
void bitarray_low20_AND(uint32_t *A, uint32_t *B) {
(*bitarray_low20_AND_function_p)(A, B);
}
uint32_t count_bitarray_AND(uint32_t *A, uint32_t *B) {
return (*count_bitarray_AND_function_p)(A, B);
}
uint32_t count_bitarray_low20_AND(uint32_t *A, uint32_t *B) {
return (*count_bitarray_low20_AND_function_p)(A, B);
}
void bitarray_AND4(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) {
(*bitarray_AND4_function_p)(A, B, C, D);
}
void bitarray_OR(uint32_t *A, uint32_t *B) {
(*bitarray_OR_function_p)(A, B);
}
uint32_t count_bitarray_AND2(uint32_t *A, uint32_t *B) {
return (*count_bitarray_AND2_function_p)(A, B);
}
uint32_t count_bitarray_AND3(uint32_t *A, uint32_t *B, uint32_t *C) {
return (*count_bitarray_AND3_function_p)(A, B, C);
}
uint32_t count_bitarray_AND4(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D) {
return (*count_bitarray_AND4_function_p)(A, B, C, D);
}
#endif

69
client/hardnested/hardnested_bitarray_core.h Normal file
View file

@ -0,0 +1,69 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2016, 2017 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
//
// brute forcing is based on @aczids bitsliced brute forcer
// https://github.com/aczid/crypto1_bs with some modifications. Mainly:
// - don't rollback. Start with 2nd byte of nonce instead
// - reuse results of filter subfunctions
// - reuse results of previous nonces if some first bits are identical
//
//-----------------------------------------------------------------------------
// aczid's Copyright notice:
//
// Bit-sliced Crypto-1 brute-forcing implementation
// Builds on the data structures returned by CraptEV1 craptev1_get_space(nonces, threshold, uid)
/*
Copyright (c) 2015-2016 Aram Verstegen
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
#ifndef HARDNESTED_BITARRAY_CORE_H__
#define HARDNESTED_BITARRAY_CORE_H__
#include <stdint.h>
extern uint32_t *malloc_bitarray(uint32_t x);
extern void free_bitarray(uint32_t *x);
extern uint32_t bitcount(uint32_t a);
extern uint32_t count_states(uint32_t *A);
extern void bitarray_AND(uint32_t *A, uint32_t *B);
extern void bitarray_low20_AND(uint32_t *A, uint32_t *B);
extern uint32_t count_bitarray_AND(uint32_t *A, uint32_t *B);
extern uint32_t count_bitarray_low20_AND(uint32_t *A, uint32_t *B);
extern void bitarray_AND4(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D);
extern void bitarray_OR(uint32_t *A, uint32_t *B);
extern uint32_t count_bitarray_AND2(uint32_t *A, uint32_t *B);
extern uint32_t count_bitarray_AND3(uint32_t *A, uint32_t *B, uint32_t *C);
extern uint32_t count_bitarray_AND4(uint32_t *A, uint32_t *B, uint32_t *C, uint32_t *D);
#endif

471
client/hardnested/hardnested_bruteforce.c Normal file
View file

@ -0,0 +1,471 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2016, 2017 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
//
// brute forcing is based on @aczids bitsliced brute forcer
// https://github.com/aczid/crypto1_bs with some modifications. Mainly:
// - don't rollback. Start with 2nd byte of nonce instead
// - reuse results of filter subfunctions
// - reuse results of previous nonces if some first bits are identical
//
//-----------------------------------------------------------------------------
// aczid's Copyright notice:
//
// Bit-sliced Crypto-1 brute-forcing implementation
// Builds on the data structures returned by CraptEV1 craptev1_get_space(nonces, threshold, uid)
/*
Copyright (c) 2015-2016 Aram Verstegen
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
#include "hardnested_bruteforce.h"
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <pthread.h>
#include <string.h>
#include <malloc.h>
#include "proxmark3.h"
#include "cmdhfmfhard.h"
#include "hardnested_bf_core.h"
#include "ui.h"
#include "util.h"
#include "crapto1/crapto1.h"
#include "parity.h"
#define NUM_BRUTE_FORCE_THREADS (num_CPUs())
#define DEFAULT_BRUTE_FORCE_RATE (120000000.0) // if benchmark doesn't succeed
#define TEST_BENCH_SIZE (6000) // number of odd and even states for brute force benchmark
#define TEST_BENCH_FILENAME "hardnested/bf_bench_data.bin"
//#define WRITE_BENCH_FILE
// debugging options
#define DEBUG_KEY_ELIMINATION
// #define DEBUG_BRUTE_FORCE
typedef enum {
EVEN_STATE = 0,
ODD_STATE = 1
} odd_even_t;
static uint32_t nonces_to_bruteforce = 0;
static uint32_t bf_test_nonce[256];
static uint8_t bf_test_nonce_2nd_byte[256];
static uint8_t bf_test_nonce_par[256];
static uint32_t bucket_count = 0;
static statelist_t* buckets[128];
static uint32_t keys_found = 0;
static uint64_t num_keys_tested;
uint8_t trailing_zeros(uint8_t byte)
{
static const uint8_t trailing_zeros_LUT[256] = {
8, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
5, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
6, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
5, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
7, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
5, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
6, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
5, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0,
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
};
return trailing_zeros_LUT[byte];
}
bool verify_key(uint32_t cuid, noncelist_t *nonces, uint8_t *best_first_bytes, uint32_t odd, uint32_t even)
{
struct Crypto1State pcs;
for (uint16_t test_first_byte = 1; test_first_byte < 256; test_first_byte++) {
noncelistentry_t *test_nonce = nonces[best_first_bytes[test_first_byte]].first;
while (test_nonce != NULL) {
pcs.odd = odd;
pcs.even = even;
lfsr_rollback_byte(&pcs, (cuid >> 24) ^ best_first_bytes[0], true);
for (int8_t byte_pos = 3; byte_pos >= 0; byte_pos--) {
uint8_t test_par_enc_bit = (test_nonce->par_enc >> byte_pos) & 0x01; // the encoded parity bit
uint8_t test_byte_enc = (test_nonce->nonce_enc >> (8*byte_pos)) & 0xff; // the encoded nonce byte
uint8_t test_byte_dec = crypto1_byte(&pcs, test_byte_enc /* ^ (cuid >> (8*byte_pos)) */, true) ^ test_byte_enc; // decode the nonce byte
uint8_t ks_par = filter(pcs.odd); // the keystream bit to encode/decode the parity bit
uint8_t test_par_enc2 = ks_par ^ evenparity8(test_byte_dec); // determine the decoded byte's parity and encode it
if (test_par_enc_bit != test_par_enc2) {
return false;
}
}
test_nonce = test_nonce->next;
}
}
return true;
}
static void* crack_states_thread(void* x){
struct arg {
bool silent;
int thread_ID;
uint32_t cuid;
uint32_t num_acquired_nonces;
uint64_t maximum_states;
noncelist_t *nonces;
uint8_t* best_first_bytes;
} *thread_arg;
thread_arg = (struct arg *)x;
const int thread_id = thread_arg->thread_ID;
uint32_t current_bucket = thread_id;
while(current_bucket < bucket_count){
statelist_t *bucket = buckets[current_bucket];
if(bucket){
#if defined (DEBUG_BRUTE_FORCE)
printf("Thread %u starts working on bucket %u\n", thread_id, current_bucket);
#endif
const uint64_t key = crack_states_bitsliced(thread_arg->cuid, thread_arg->best_first_bytes, bucket, &keys_found, &num_keys_tested, nonces_to_bruteforce, bf_test_nonce_2nd_byte, thread_arg->nonces);
if(key != -1){
__sync_fetch_and_add(&keys_found, 1);
char progress_text[80];
sprintf(progress_text, "Brute force phase completed. Key found: %012" PRIx64, key);
hardnested_print_progress(thread_arg->num_acquired_nonces, progress_text, 0.0, 0);
break;
} else if(keys_found){
break;
} else {
if (!thread_arg->silent) {
char progress_text[80];
sprintf(progress_text, "Brute force phase: %6.02f%%", 100.0*(float)num_keys_tested/(float)(thread_arg->maximum_states));
float remaining_bruteforce = thread_arg->nonces[thread_arg->best_first_bytes[0]].expected_num_brute_force - (float)num_keys_tested/2;
hardnested_print_progress(thread_arg->num_acquired_nonces, progress_text, remaining_bruteforce, 5000);
}
}
}
current_bucket += NUM_BRUTE_FORCE_THREADS;
}
return NULL;
}
void prepare_bf_test_nonces(noncelist_t *nonces, uint8_t best_first_byte)
{
// we do bitsliced brute forcing with best_first_bytes[0] only.
// Extract the corresponding 2nd bytes
noncelistentry_t *test_nonce = nonces[best_first_byte].first;
uint32_t i = 0;
while (test_nonce != NULL) {
bf_test_nonce[i] = test_nonce->nonce_enc;
bf_test_nonce_par[i] = test_nonce->par_enc;
bf_test_nonce_2nd_byte[i] = (test_nonce->nonce_enc >> 16) & 0xff;
test_nonce = test_nonce->next;
i++;
}
nonces_to_bruteforce = i;
// printf("Nonces to bruteforce: %d\n", nonces_to_bruteforce);
// printf("Common bits of first 4 2nd nonce bytes (before sorting): %u %u %u\n",
// trailing_zeros(bf_test_nonce_2nd_byte[1] ^ bf_test_nonce_2nd_byte[0]),
// trailing_zeros(bf_test_nonce_2nd_byte[2] ^ bf_test_nonce_2nd_byte[1]),
// trailing_zeros(bf_test_nonce_2nd_byte[3] ^ bf_test_nonce_2nd_byte[2]));
uint8_t best_4[4] = {0};
int sum_best = -1;
for (uint16_t n1 = 0; n1 < nonces_to_bruteforce; n1++) {
for (uint16_t n2 = 0; n2 < nonces_to_bruteforce; n2++) {
if (n2 != n1) {
for (uint16_t n3 = 0; n3 < nonces_to_bruteforce; n3++) {
if ((n3 != n2 && n3 != n1) || nonces_to_bruteforce < 3
// && trailing_zeros(bf_test_nonce_2nd_byte[n1] ^ bf_test_nonce_2nd_byte[n2])
// > trailing_zeros(bf_test_nonce_2nd_byte[n2] ^ bf_test_nonce_2nd_byte[n3])
) {
for (uint16_t n4 = 0; n4 < nonces_to_bruteforce; n4++) {
if ((n4 != n3 && n4 != n2 && n4 != n1) || nonces_to_bruteforce < 4
// && trailing_zeros(bf_test_nonce_2nd_byte[n2] ^ bf_test_nonce_2nd_byte[n3])
// > trailing_zeros(bf_test_nonce_2nd_byte[n3] ^ bf_test_nonce_2nd_byte[n4])
) {
int sum = nonces_to_bruteforce > 1 ? trailing_zeros(bf_test_nonce_2nd_byte[n1] ^ bf_test_nonce_2nd_byte[n2]) : 0.0
+ nonces_to_bruteforce > 2 ? trailing_zeros(bf_test_nonce_2nd_byte[n2] ^ bf_test_nonce_2nd_byte[n3]) : 0.0
+ nonces_to_bruteforce > 3 ? trailing_zeros(bf_test_nonce_2nd_byte[n3] ^ bf_test_nonce_2nd_byte[n4]) : 0.0;
if (sum > sum_best) {
sum_best = sum;
best_4[0] = n1;
best_4[1] = n2;
best_4[2] = n3;
best_4[3] = n4;
}
}
}
}
}
}
}
}
uint32_t bf_test_nonce_temp[4];
uint8_t bf_test_nonce_par_temp[4];
uint8_t bf_test_nonce_2nd_byte_temp[4];
for (uint8_t i = 0; i < 4 && i < nonces_to_bruteforce; i++) {
bf_test_nonce_temp[i] = bf_test_nonce[best_4[i]];
bf_test_nonce_par_temp[i] = bf_test_nonce_par[best_4[i]];
bf_test_nonce_2nd_byte_temp[i] = bf_test_nonce_2nd_byte[best_4[i]];
}
for (uint8_t i = 0; i < 4 && i < nonces_to_bruteforce; i++) {
bf_test_nonce[i] = bf_test_nonce_temp[i];
bf_test_nonce_par[i] = bf_test_nonce_par_temp[i];
bf_test_nonce_2nd_byte[i] = bf_test_nonce_2nd_byte_temp[i];
}
}
#if defined (WRITE_BENCH_FILE)
static void write_benchfile(statelist_t *candidates) {
printf("Writing brute force benchmark data...");
FILE *benchfile = fopen(TEST_BENCH_FILENAME, "wb");
fwrite(&nonces_to_bruteforce, 1, sizeof(nonces_to_bruteforce), benchfile);
for (uint32_t i = 0; i < nonces_to_bruteforce; i++) {
fwrite(&(bf_test_nonce[i]), 1, sizeof(bf_test_nonce[i]), benchfile);
fwrite(&(bf_test_nonce_par[i]), 1, sizeof(bf_test_nonce_par[i]), benchfile);
}
uint32_t num_states = MIN(candidates->len[EVEN_STATE], TEST_BENCH_SIZE);
fwrite(&num_states, 1, sizeof(num_states), benchfile);
for (uint32_t i = 0; i < num_states; i++) {
fwrite(&(candidates->states[EVEN_STATE][i]), 1, sizeof(uint32_t), benchfile);
}
num_states = MIN(candidates->len[ODD_STATE], TEST_BENCH_SIZE);
fwrite(&num_states, 1, sizeof(num_states), benchfile);
for (uint32_t i = 0; i < num_states; i++) {
fwrite(&(candidates->states[ODD_STATE][i]), 1, sizeof(uint32_t), benchfile);
}
fclose(benchfile);
printf("done.\n");
}
#endif
bool brute_force_bs(float *bf_rate, statelist_t *candidates, uint32_t cuid, uint32_t num_acquired_nonces, uint64_t maximum_states, noncelist_t *nonces, uint8_t *best_first_bytes)
{
#if defined (WRITE_BENCH_FILE)
write_benchfile(candidates);
#endif
bool silent = (bf_rate != NULL);
// if (!silent) {
// PrintAndLog("Brute force phase starting.");
// PrintAndLog("Using %u-bit bitslices", MAX_BITSLICES);
// }
keys_found = 0;
num_keys_tested = 0;
bitslice_test_nonces(nonces_to_bruteforce, bf_test_nonce, bf_test_nonce_par);
// count number of states to go
bucket_count = 0;
for (statelist_t *p = candidates; p != NULL; p = p->next) {
if (p->states[ODD_STATE] != NULL && p->states[EVEN_STATE] != NULL) {
buckets[bucket_count] = p;
bucket_count++;
}
}
uint64_t start_time = msclock();
// enumerate states using all hardware threads, each thread handles one bucket
// if (!silent) {
// PrintAndLog("Starting %u cracking threads to search %u buckets containing a total of %" PRIu64" states...\n", NUM_BRUTE_FORCE_THREADS, bucket_count, maximum_states);
// printf("Common bits of first 4 2nd nonce bytes: %u %u %u\n",
// trailing_zeros(bf_test_nonce_2nd_byte[1] ^ bf_test_nonce_2nd_byte[0]),
// trailing_zeros(bf_test_nonce_2nd_byte[2] ^ bf_test_nonce_2nd_byte[1]),
// trailing_zeros(bf_test_nonce_2nd_byte[3] ^ bf_test_nonce_2nd_byte[2]));
// }
pthread_t threads[NUM_BRUTE_FORCE_THREADS];
struct args {
bool silent;
int thread_ID;
uint32_t cuid;
uint32_t num_acquired_nonces;
uint64_t maximum_states;
noncelist_t *nonces;
uint8_t *best_first_bytes;
} thread_args[NUM_BRUTE_FORCE_THREADS];
for(uint32_t i = 0; i < NUM_BRUTE_FORCE_THREADS; i++){
thread_args[i].thread_ID = i;
thread_args[i].silent = silent;
thread_args[i].cuid = cuid;
thread_args[i].num_acquired_nonces = num_acquired_nonces;
thread_args[i].maximum_states = maximum_states;
thread_args[i].nonces = nonces;
thread_args[i].best_first_bytes = best_first_bytes;
pthread_create(&threads[i], NULL, crack_states_thread, (void*)&thread_args[i]);
}
for(uint32_t i = 0; i < NUM_BRUTE_FORCE_THREADS; i++){
pthread_join(threads[i], 0);
}
uint64_t elapsed_time = msclock() - start_time;
// if (!silent) {
// printf("Brute force completed after testing %" PRIu64" (2^%1.1f) keys in %1.1f seconds at a rate of %1.0f (2^%1.1f) keys per second.\n",
// num_keys_tested,
// log(num_keys_tested) / log(2.0),
// (float)elapsed_time/1000.0,
// (float)num_keys_tested / ((float)elapsed_time / 1000.0),
// log((float)num_keys_tested / ((float)elapsed_time/1000.0)) / log(2.0));
// }
if (bf_rate != NULL) {
*bf_rate = (float)num_keys_tested / ((float)elapsed_time / 1000.0);
}
return (keys_found != 0);
}
static bool read_bench_data(statelist_t *test_candidates) {
size_t bytes_read = 0;
uint32_t temp = 0;
uint32_t num_states = 0;
uint32_t states_read = 0;
char bench_file_path[strlen(get_my_executable_directory()) + strlen(TEST_BENCH_FILENAME) + 1];
strcpy(bench_file_path, get_my_executable_directory());
strcat(bench_file_path, TEST_BENCH_FILENAME);
FILE *benchfile = fopen(bench_file_path, "rb");
if (benchfile == NULL) {
return false;
}
bytes_read = fread(&nonces_to_bruteforce, 1, sizeof(nonces_to_bruteforce), benchfile);
if (bytes_read != sizeof(nonces_to_bruteforce)) {
fclose(benchfile);
return false;
}
for (uint16_t i = 0; i < nonces_to_bruteforce && i < 256; i++) {
bytes_read = fread(&bf_test_nonce[i], 1, sizeof(uint32_t), benchfile);
if (bytes_read != sizeof(uint32_t)) {
fclose(benchfile);
return false;
}
bf_test_nonce_2nd_byte[i] = (bf_test_nonce[i] >> 16) & 0xff;
bytes_read = fread(&bf_test_nonce_par[i], 1, sizeof(uint8_t), benchfile);
if (bytes_read != sizeof(uint8_t)) {
fclose(benchfile);
return false;
}
}
bytes_read = fread(&num_states, 1, sizeof(uint32_t), benchfile);
if (bytes_read != sizeof(uint32_t)) {
fclose(benchfile);
return false;
}
for (states_read = 0; states_read < MIN(num_states, TEST_BENCH_SIZE); states_read++) {
bytes_read = fread(test_candidates->states[EVEN_STATE] + states_read, 1, sizeof(uint32_t), benchfile);
if (bytes_read != sizeof(uint32_t)) {
fclose(benchfile);
return false;
}
}
for (uint32_t i = states_read; i < TEST_BENCH_SIZE; i++) {
test_candidates->states[EVEN_STATE][i] = test_candidates->states[EVEN_STATE][i-states_read];
}
for (uint32_t i = states_read; i < num_states; i++) {
bytes_read = fread(&temp, 1, sizeof(uint32_t), benchfile);
if (bytes_read != sizeof(uint32_t)) {
fclose(benchfile);
return false;
}
}
for (states_read = 0; states_read < MIN(num_states, TEST_BENCH_SIZE); states_read++) {
bytes_read = fread(test_candidates->states[ODD_STATE] + states_read, 1, sizeof(uint32_t), benchfile);
if (bytes_read != sizeof(uint32_t)) {
fclose(benchfile);
return false;
}
}
for (uint32_t i = states_read; i < TEST_BENCH_SIZE; i++) {
test_candidates->states[ODD_STATE][i] = test_candidates->states[ODD_STATE][i-states_read];
}
fclose(benchfile);
return true;
}
float brute_force_benchmark()
{
statelist_t test_candidates[NUM_BRUTE_FORCE_THREADS];
test_candidates[0].states[ODD_STATE] = malloc((TEST_BENCH_SIZE+1) * sizeof(uint32_t));
test_candidates[0].states[EVEN_STATE] = malloc((TEST_BENCH_SIZE+1) * sizeof(uint32_t));
for (uint8_t i = 0; i < NUM_BRUTE_FORCE_THREADS - 1; i++){
test_candidates[i].next = test_candidates + i + 1;
test_candidates[i+1].states[ODD_STATE] = test_candidates[0].states[ODD_STATE];
test_candidates[i+1].states[EVEN_STATE] = test_candidates[0].states[EVEN_STATE];
}
test_candidates[NUM_BRUTE_FORCE_THREADS-1].next = NULL;
if (!read_bench_data(test_candidates)) {
PrintAndLog("Couldn't read benchmark data. Assuming brute force rate of %1.0f states per second", DEFAULT_BRUTE_FORCE_RATE);
return DEFAULT_BRUTE_FORCE_RATE;
}
for (uint8_t i = 0; i < NUM_BRUTE_FORCE_THREADS; i++) {
test_candidates[i].len[ODD_STATE] = TEST_BENCH_SIZE;
test_candidates[i].len[EVEN_STATE] = TEST_BENCH_SIZE;
test_candidates[i].states[ODD_STATE][TEST_BENCH_SIZE] = -1;
test_candidates[i].states[EVEN_STATE][TEST_BENCH_SIZE] = -1;
}
uint64_t maximum_states = TEST_BENCH_SIZE*TEST_BENCH_SIZE*(uint64_t)NUM_BRUTE_FORCE_THREADS;
float bf_rate;
brute_force_bs(&bf_rate, test_candidates, 0, 0, maximum_states, NULL, 0);
free(test_candidates[0].states[ODD_STATE]);
free(test_candidates[0].states[EVEN_STATE]);
return bf_rate;
}

36
client/hardnested/hardnested_bruteforce.h Normal file
View file

@ -0,0 +1,36 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2016, 2017 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
#ifndef HARDNESTED_BRUTEFORCE_H__
#define HARDNESTED_BRUTEFORCE_H__
#include <stdint.h>
#include <stdbool.h>
#include "cmdhfmfhard.h"
typedef struct {
uint32_t *states[2];
uint32_t len[2];
void* next;
} statelist_t;
extern void prepare_bf_test_nonces(noncelist_t *nonces, uint8_t best_first_byte);
extern bool brute_force_bs(float *bf_rate, statelist_t *candidates, uint32_t cuid, uint32_t num_acquired_nonces, uint64_t maximum_states, noncelist_t *nonces, uint8_t *best_first_bytes);
extern float brute_force_benchmark();
extern uint8_t trailing_zeros(uint8_t byte);
extern bool verify_key(uint32_t cuid, noncelist_t *nonces, uint8_t *best_first_bytes, uint32_t odd, uint32_t even);
#endif

591
client/hardnested/hardnested_tables.c Normal file
View file

@ -0,0 +1,591 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2015, 2016 by piwi
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Implements a card only attack based on crypto text (encrypted nonces
// received during a nested authentication) only. Unlike other card only
// attacks this doesn't rely on implementation errors but only on the
// inherent weaknesses of the crypto1 cypher. Described in
// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
// Computer and Communications Security, 2015
//-----------------------------------------------------------------------------
//
// This program calculates tables with possible states for a given
// bitflip property.
//
//-----------------------------------------------------------------------------
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
#include "crapto1/crapto1.h"
#include "parity.h"
#define NUM_PART_SUMS 9
#define BITFLIP_2ND_BYTE 0x0200
typedef enum {
EVEN_STATE = 0,
ODD_STATE = 1
} odd_even_t;
static uint16_t PartialSumProperty(uint32_t state, odd_even_t odd_even)
{
uint16_t sum = 0;
for (uint16_t j = 0; j < 16; j++) {
uint32_t st = state;
uint16_t part_sum = 0;
if (odd_even == ODD_STATE) {
for (uint16_t i = 0; i < 5; i++) {
part_sum ^= filter(st);
st = (st << 1) | ((j >> (3-i)) & 0x01) ;
}
part_sum ^= 1; // XOR 1 cancelled out for the other 8 bits
} else {
for (uint16_t i = 0; i < 4; i++) {
st = (st << 1) | ((j >> (3-i)) & 0x01) ;
part_sum ^= filter(st);
}
}
sum += part_sum;
}
return sum;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// bitarray functions
#define malloc_bitarray(x) __builtin_assume_aligned(_aligned_malloc(x, __BIGGEST_ALIGNMENT__), __BIGGEST_ALIGNMENT__)
#define free_bitarray(x) _aligned_free(x)
static inline void clear_bitarray24(uint32_t *bitarray)
{
memset(bitarray, 0x00, sizeof(uint32_t) * (1<<19));
}
static inline uint32_t test_bit24(uint32_t *bitarray, uint32_t index)
{
return bitarray[index>>5] & (0x80000000>>(index&0x0000001f));
}
static inline void set_bit24(uint32_t *bitarray, uint32_t index)
{
bitarray[index>>5] |= 0x80000000>>(index&0x0000001f);
}
static inline uint32_t next_state(uint32_t *bitset, uint32_t state)
{
if (++state == 1<<24) return 1<<24;
uint32_t index = state >> 5;
uint_fast8_t bit = state & 0x1f;
uint32_t line = bitset[index] << bit;
while (bit <= 0x1f) {
if (line & 0x80000000) return state;
state++;
bit++;
line <<= 1;
}
index++;
while (bitset[index] == 0x00000000 && state < 1<<24) {
index++;
state += 0x20;
}
if (state >= 1<<24) return 1<<24;
#if defined __GNUC__
return state + __builtin_clz(bitset[index]);
#else
bit = 0x00;
line = bitset[index];
while (bit <= 0x1f) {
if (line & 0x80000000) return state;
state++;
bit++;
line <<= 1;
}
return 1<<24;
#endif
}
static inline uint32_t next_not_state(uint32_t *bitset, uint32_t state)
{
if (++state == 1<<24) return 1<<24;
uint32_t index = state >> 5;
uint_fast8_t bit = state & 0x1f;
uint32_t line = bitset[index] << bit;
while (bit <= 0x1f) {
if ((line & 0x80000000) == 0) return state;
state++;
bit++;
line <<= 1;
}
index++;
while (bitset[index] == 0xffffffff && state < 1<<24) {
index++;
state += 0x20;
}
if (state >= 1<<24) return 1<<24;
#if defined __GNUC__
return state + __builtin_clz(~bitset[index]);
#else
bit = 0x00;
line = bitset[index];
while (bit <= 0x1f) {
if ((line & 0x80000000) == 0) return state;
state++;
bit++;
line <<= 1;
}
return 1<<24;
#endif
}
static inline uint32_t bitcount(uint32_t a)
{
#if defined __GNUC__
return __builtin_popcountl(a);
#else
a = a - ((a >> 1) & 0x55555555);
a = (a & 0x33333333) + ((a >> 2) & 0x33333333);
return (((a + (a >> 4)) & 0x0f0f0f0f) * 0x01010101) >> 24;
#endif
}
static inline uint32_t count_states(uint32_t *bitset)
{
uint32_t count = 0;
for (uint32_t i = 0; i < (1<<19); i++) {
count += bitcount(bitset[i]);
}
return count;
}
static void write_bitflips_file(odd_even_t odd_even, uint16_t bitflip, int sum_a0, uint32_t *bitset)
{
char filename[80];
sprintf(filename, "bitflip_%d_%03" PRIx16 "_sum%d_states.bin", odd_even, bitflip, sum_a0);
FILE *outfile = fopen(filename, "wb");
fwrite(bitset, 1, sizeof(uint32_t)*(1<<19), outfile);
fclose(outfile);
}
uint32_t *restrict part_sum_a0_bitarrays[2][NUM_PART_SUMS];
static void init_part_sum_bitarrays(void)
{
printf("init_part_sum_bitarrays()...");
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
for (uint16_t part_sum_a0 = 0; part_sum_a0 < NUM_PART_SUMS; part_sum_a0++) {
part_sum_a0_bitarrays[odd_even][part_sum_a0] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (part_sum_a0_bitarrays[odd_even][part_sum_a0] == NULL) {
printf("Out of memory error in init_part_suma0_statelists(). Aborting...\n");
exit(4);
}
clear_bitarray24(part_sum_a0_bitarrays[odd_even][part_sum_a0]);
}
}
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
//printf("(%d, %" PRIu16 ")...", odd_even, part_sum_a0);
for (uint32_t state = 0; state < (1<<20); state++) {
uint16_t part_sum_a0 = PartialSumProperty(state, odd_even) / 2;
for (uint16_t low_bits = 0; low_bits < 1<<4; low_bits++) {
set_bit24(part_sum_a0_bitarrays[odd_even][part_sum_a0], state<<4 | low_bits);
}
}
}
printf("done.\n");
}
static void free_part_sum_bitarrays(void)
{
printf("free_part_sum_bitarrays()...");
for (int16_t part_sum_a0 = (NUM_PART_SUMS-1); part_sum_a0 >= 0; part_sum_a0--) {
free_bitarray(part_sum_a0_bitarrays[ODD_STATE][part_sum_a0]);
}
for (int16_t part_sum_a0 = (NUM_PART_SUMS-1); part_sum_a0 >= 0; part_sum_a0--) {
free_bitarray(part_sum_a0_bitarrays[EVEN_STATE][part_sum_a0]);
}
printf("done.\n");
}
uint32_t *restrict sum_a0_bitarray[2];
void init_sum_bitarray(uint16_t sum_a0)
{
printf("init_sum_bitarray()...\n");
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
sum_a0_bitarray[odd_even] = (uint32_t *)malloc_bitarray(sizeof(uint32_t) * (1<<19));
if (sum_a0_bitarray[odd_even] == NULL) {
printf("Out of memory error in init_sum_bitarrays(). Aborting...\n");
exit(4);
}
clear_bitarray24(sum_a0_bitarray[odd_even]);
}
for (uint8_t p = 0; p < NUM_PART_SUMS; p++) {
for (uint8_t q = 0; q < NUM_PART_SUMS; q++) {
if (sum_a0 == 2*p*(16-2*q) + (16-2*p)*2*q) {
for (uint32_t i = 0; i < (1<<19); i++) {
sum_a0_bitarray[EVEN_STATE][i] |= part_sum_a0_bitarrays[EVEN_STATE][q][i];
sum_a0_bitarray[ODD_STATE][i] |= part_sum_a0_bitarrays[ODD_STATE][p][i];
}
}
}
}
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
uint32_t count = count_states(sum_a0_bitarray[odd_even]);
printf("sum_a0_bitarray[%s] has %d states (%5.2f%%)\n", odd_even==EVEN_STATE?"even":"odd ", count, (float)count/(1<<24)*100.0);
}
printf("done.\n");
}
static void free_sum_bitarray(void)
{
printf("free_sum_bitarray()...");
free_bitarray(sum_a0_bitarray[ODD_STATE]);
free_bitarray(sum_a0_bitarray[EVEN_STATE]);
printf("done.\n");
}
static void precalculate_bit0_bitflip_bitarrays(uint8_t const bitflip, uint16_t const sum_a0)
{
// #define TEST_RUN
#ifdef TEST_RUN
#define NUM_TEST_STATES (1<<10)
#else
#define NUM_TEST_STATES (1<<23)
#endif
time_t start_time = time(NULL);
time_t last_check_time = start_time;
uint32_t *restrict test_bitarray[2];
uint32_t *restrict test_not_bitarray[2];
test_bitarray[EVEN_STATE] = malloc_bitarray(sizeof(uint32_t) * (1<<19));
clear_bitarray24(test_bitarray[EVEN_STATE]);
test_bitarray[ODD_STATE] = malloc_bitarray(sizeof(uint32_t) * (1<<19));
clear_bitarray24(test_bitarray[ODD_STATE]);
test_not_bitarray[EVEN_STATE] = malloc_bitarray(sizeof(uint32_t) * (1<<19));
clear_bitarray24(test_not_bitarray[EVEN_STATE]);
test_not_bitarray[ODD_STATE] = malloc_bitarray(sizeof(uint32_t) * (1<<19));
clear_bitarray24(test_not_bitarray[ODD_STATE]);
uint32_t count[2];
bool all_odd_states_are_possible_for_notbitflip = false;
printf("\n\nStarting search for crypto1 states resulting in bitflip property 0x%03x...\n", bitflip);
for (uint32_t even_state = next_state(sum_a0_bitarray[EVEN_STATE], -1); even_state < NUM_TEST_STATES; even_state = next_state(sum_a0_bitarray[EVEN_STATE], even_state)) {
bool even_state_is_possible = false;
time_t time_now = time(NULL);
if (difftime(time_now, last_check_time) > 5*60) { // print status every 5 minutes
float runtime = difftime(time_now, start_time);
float remaining_time = runtime * ((1<<23) - even_state) / even_state;
printf("\n%1.1f hours elapsed, expected completion in %1.1f hours (%1.1f days)", runtime/3600, remaining_time/3600, remaining_time/3600/24);
last_check_time = time_now;
}
for (uint32_t odd_state = next_state(sum_a0_bitarray[ODD_STATE], -1); odd_state < (1<<24); odd_state = next_state(test_bitarray[ODD_STATE], odd_state)) {
if (even_state_is_possible && test_bit24(test_bitarray[ODD_STATE], odd_state)) continue;
// load crypto1 state
struct Crypto1State cs;
cs.odd = odd_state >> 4;
cs.even = even_state >> 4;
// track flipping bits in state
struct Crypto1DeltaState {
uint_fast8_t odd;
uint_fast8_t even;
} cs_delta;
cs_delta.odd = 0;
cs_delta.even = 0;
uint_fast16_t keystream = 0;
// decrypt 9 bits
for (int i = 0; i < 9; i++) {
uint_fast8_t keystream_bit = filter(cs.odd & 0x000fffff) ^ filter((cs.odd & 0x000fffff) ^ cs_delta.odd);
keystream = keystream << 1 | keystream_bit;
uint_fast8_t nt_bit = BIT(bitflip, i) ^ keystream_bit;
uint_fast8_t LSFR_feedback = BIT(cs_delta.odd, 2) ^ BIT(cs_delta.even, 2) ^ BIT(cs_delta.odd, 3);
cs_delta.even = cs_delta.even << 1 | (LSFR_feedback ^ nt_bit);
uint_fast8_t tmp = cs_delta.odd;
cs_delta.odd = cs_delta.even;
cs_delta.even = tmp;
cs.even = cs.odd;
if (i & 1) {
cs.odd = odd_state >> (7 - i) / 2;
} else {
cs.odd = even_state >> (7 - i) / 2;
}
}
if (evenparity32(keystream) == evenparity32(bitflip)) {
// found valid bitflip state
even_state_is_possible = true;
set_bit24(test_bitarray[EVEN_STATE], even_state);
set_bit24(test_bitarray[EVEN_STATE], 1 << 23 | even_state);
set_bit24(test_bitarray[ODD_STATE], odd_state);
} else {
// found valid !bitflip state
set_bit24(test_not_bitarray[EVEN_STATE], even_state);
set_bit24(test_not_bitarray[EVEN_STATE], 1 << 23 | even_state);
set_bit24(test_not_bitarray[ODD_STATE], odd_state);
}
}
if (!even_state_is_possible) {
all_odd_states_are_possible_for_notbitflip = true;
}
}
printf("\nAnalysis completed. Checking for effective bitflip properties...\n");
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
count[odd_even] = count_states(test_bitarray[odd_even]);
if (count[odd_even] != 1<<24) {
printf("Writing %d possible %s states for bitflip property %03x (%d (%1.2f%%) states eliminated)\n",
count[odd_even],
odd_even==EVEN_STATE?"even":"odd",
bitflip, (1<<24) - count[odd_even],
(float)((1<<24) - count[odd_even]) / (1<<24) * 100.0);
#ifndef TEST_RUN
write_bitflips_file(odd_even, bitflip, sum_a0, test_bitarray[odd_even]);
#endif
} else {
printf("All %s states for bitflip property %03x are possible. No file written.\n", odd_even==EVEN_STATE?"even":"odd", bitflip);
}
}
uint32_t *restrict test_bitarray_2nd = malloc_bitarray(sizeof(uint32_t) * (1<<19));
clear_bitarray24(test_bitarray_2nd);
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
if (count[odd_even] != 1<<24) {
for (uint32_t state = 0; state < (1<<24); state += 1<<4) {
uint32_t line = test_bitarray[odd_even][state>>5];
uint16_t half_line = state&0x000000010 ? line&0x0000ffff : line>>16;
if (half_line != 0) {
for (uint32_t low_bits = 0; low_bits < (1<<4); low_bits++) {
set_bit24(test_bitarray_2nd, low_bits << 20 | state >> 4);
}
}
}
count[odd_even] = count_states(test_bitarray_2nd);
if (count[odd_even] != 1<<24) {
printf("Writing %d possible %s states for bitflip property %03x (%d (%1.2f%%) states eliminated)\n",
count[odd_even],
odd_even==EVEN_STATE?"even":"odd",
bitflip | BITFLIP_2ND_BYTE, (1<<24) - count[odd_even],
(float)((1<<24) - count[odd_even]) / (1<<24) * 100.0);
#ifndef TEST_RUN
write_bitflips_file(odd_even, bitflip | BITFLIP_2ND_BYTE, sum_a0, test_bitarray_2nd);
#endif
} else {
printf("All %s states for bitflip property %03x are possible. No file written.\n", odd_even==EVEN_STATE?"even":"odd", bitflip | BITFLIP_2ND_BYTE);
}
} else {
printf("All %s states for bitflip property %03x are possible. No file written.\n", odd_even==EVEN_STATE?"even":"odd", bitflip | BITFLIP_2ND_BYTE);
}
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// second run for the remaining "not bitflip" states
printf("\n\nStarting search for crypto1 states resulting in bitflip property 0x%03x...", bitflip | 0x100);
start_time = time(NULL);
last_check_time = start_time;
for (uint32_t even_state = next_state(sum_a0_bitarray[EVEN_STATE], -1); even_state < NUM_TEST_STATES; even_state = next_state(sum_a0_bitarray[EVEN_STATE], even_state)) {
bool even_state_is_possible = test_bit24(test_not_bitarray[EVEN_STATE], even_state);
time_t time_now = time(NULL);
if (difftime(time_now, last_check_time) > 5*60) { // print status every 5 minutes
float runtime = difftime(time_now, start_time);
float remaining_time = runtime * ((1<<23) - even_state) / even_state;
printf("\n%1.1f hours elapsed, expected completion in %1.1f hours (%1.1f days)", runtime/3600, remaining_time/3600, remaining_time/3600/24);
last_check_time = time_now;
}
for (uint32_t odd_state = next_state(sum_a0_bitarray[ODD_STATE], -1); odd_state < (1<<24); odd_state = next_state(sum_a0_bitarray[ODD_STATE], odd_state)) {
if (even_state_is_possible) {
if (all_odd_states_are_possible_for_notbitflip) break;
if (test_bit24(test_not_bitarray[ODD_STATE], odd_state)) continue;
}
// load crypto1 state
struct Crypto1State cs;
cs.odd = odd_state >> 4;
cs.even = even_state >> 4;
// track flipping bits in state
struct Crypto1DeltaState {
uint_fast8_t odd;
uint_fast8_t even;
} cs_delta;
cs_delta.odd = 0;
cs_delta.even = 0;
uint_fast16_t keystream = 0;
// uint_fast16_t nt = 0;
// decrypt 9 bits
for (int i = 0; i < 9; i++) {
uint_fast8_t keystream_bit = filter(cs.odd & 0x000fffff) ^ filter((cs.odd & 0x000fffff) ^ cs_delta.odd);
keystream = keystream << 1 | keystream_bit;
uint_fast8_t nt_bit = BIT(bitflip|0x100, i) ^ keystream_bit;
uint_fast8_t LSFR_feedback = BIT(cs_delta.odd, 2) ^ BIT(cs_delta.even, 2) ^ BIT(cs_delta.odd, 3);
cs_delta.even = cs_delta.even << 1 | (LSFR_feedback ^ nt_bit);
uint_fast8_t tmp = cs_delta.odd;
cs_delta.odd = cs_delta.even;
cs_delta.even = tmp;
cs.even = cs.odd;
if (i & 1) {
cs.odd = odd_state >> (7 - i) / 2;
} else {
cs.odd = even_state >> (7 - i) / 2;
}
}
if (evenparity32(keystream) != evenparity32(bitflip)) {
// found valid !bitflip state
even_state_is_possible = true;
set_bit24(test_not_bitarray[EVEN_STATE], even_state);
set_bit24(test_not_bitarray[EVEN_STATE], 1 << 23 | even_state);
set_bit24(test_not_bitarray[ODD_STATE], odd_state);
}
}
}
printf("\nAnalysis completed. Checking for effective !bitflip properties...\n");
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
count[odd_even] = count_states(test_not_bitarray[odd_even]);
if (count[odd_even] != 1<<24) {
printf("Writing %d possible %s states for bitflip property %03x (%d (%1.2f%%) states eliminated)\n",
count[odd_even],
odd_even==EVEN_STATE?"even":"odd",
bitflip|0x100, (1<<24) - count[odd_even],
(float)((1<<24) - count[odd_even]) / (1<<24) * 100.0);
#ifndef TEST_RUN
write_bitflips_file(odd_even, bitflip|0x100, sum_a0, test_not_bitarray[odd_even]);
#endif
} else {
printf("All %s states for bitflip property %03x are possible. No file written.\n", odd_even==EVEN_STATE?"even":"odd", bitflip|0x100);
}
}
clear_bitarray24(test_bitarray_2nd);
for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
if (count[odd_even] != 1<<24) {
for (uint32_t state = 0; state < (1<<24); state += 1<<4) {
uint32_t line = test_not_bitarray[odd_even][state>>5];
uint16_t half_line = state&0x000000010 ? line&0x0000ffff : line>>16;
if (half_line != 0) {
for (uint32_t low_bits = 0; low_bits < (1<<4); low_bits++) {
set_bit24(test_bitarray_2nd, low_bits << 20 | state >> 4);
}
}
}
count[odd_even] = count_states(test_bitarray_2nd);
if (count[odd_even] != 1<<24) {
printf("Writing %d possible %s states for bitflip property %03x (%d (%1.2f%%) states eliminated)\n",
count[odd_even],
odd_even==EVEN_STATE?"even":"odd",
bitflip | 0x100| BITFLIP_2ND_BYTE, (1<<24) - count[odd_even],
(float)((1<<24) - count[odd_even]) / (1<<24) * 100.0);
#ifndef TEST_RUN
write_bitflips_file(odd_even, bitflip | 0x100 | BITFLIP_2ND_BYTE, sum_a0, test_bitarray_2nd);
#endif
} else {
printf("All %s states for bitflip property %03x are possible. No file written.\n", odd_even==EVEN_STATE?"even":"odd", bitflip | 0x100 | BITFLIP_2ND_BYTE);
}
} else {
printf("All %s states for bitflip property %03x are possible. No file written.\n", odd_even==EVEN_STATE?"even":"odd", bitflip | 0x100 | BITFLIP_2ND_BYTE);
}
}
free_bitarray(test_bitarray_2nd);
free_bitarray(test_not_bitarray[ODD_STATE]);
free_bitarray(test_not_bitarray[EVEN_STATE]);
free_bitarray(test_bitarray[ODD_STATE]);
free_bitarray(test_bitarray[EVEN_STATE]);
exit(0);
}
int main (int argc, char *argv[]) {
unsigned int bitflip_in;
int sum_a0;
printf("Create tables required by hardnested attack.\n");
printf("Expect a runtime in the range of days or weeks.\n");
printf("Single thread only. If you want to use several threads, start it multiple times :-)\n\n");
if (argc != 2 && argc != 3) {
printf(" syntax: %s <bitflip property> [<Sum_a0>]\n\n", argv[0]);
printf(" example: %s 1f\n", argv[0]);
return 1;
}
sscanf(argv[1],"%x", &bitflip_in);
if (bitflip_in > 255) {
printf("Bitflip property must be less than or equal to 0xff\n\n");
return 1;
}
if(argc == 3) {
sscanf(argv[2], "%d", &sum_a0);
}
switch (sum_a0) {
case 0:
case 32:
case 56:
case 64:
case 80:
case 96:
case 104:
case 112:
case 120:
case 128:
case 136:
case 144:
case 152:
case 160:
case 176:
case 192:
case 200:
case 224:
case 256: break;
default: sum_a0 = -1;
}
printf("Calculating for bitflip = %02x, sum_a0 = %d\n", bitflip_in, sum_a0);
init_part_sum_bitarrays();
init_sum_bitarray(sum_a0);
precalculate_bit0_bitflip_bitarrays(bitflip_in, sum_a0);
free_sum_bitarray();
free_part_sum_bitarrays();
return 0;
}

1
client/hardnested/tables/bitflip_0_001_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_003_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_005_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_007_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_009_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_00b_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_00d_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_00f_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_010_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_014_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_01c_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_021_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_023_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_025_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_027_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_029_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_02b_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_02d_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_02f_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_030_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_034_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_03c_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_040_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_044_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_04c_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_051_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_053_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_055_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_057_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_059_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_05b_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_05d_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_05f_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_064_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_06c_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_071_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_073_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_075_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_077_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_079_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_07b_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_07f_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_081_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_083_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_085_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_087_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_089_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_08b_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_08d_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_08f_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

341153
client/hardnested/tables/bitflip_0_090_states.bin Normal file
View file

File diff suppressed because it is too large Load diff

BIN
client/hardnested/tables/bitflip_0_094_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_09c_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0a1_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0a3_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_0a5_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0a7_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_0a9_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0ab_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_0ad_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0af_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0b0_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_0b4_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0bc_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_0c0_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_0c4_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0cc_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_0d1_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0d3_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0d5_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0d7_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0d9_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0db_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0dd_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0df_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_0e4_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0ec_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0f3_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_0f5_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0f7_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

BIN
client/hardnested/tables/bitflip_0_0f9_states.bin Normal file
View file

Binary file not shown.

BIN
client/hardnested/tables/bitflip_0_0fb_states.bin Normal file
View file

Binary file not shown.

1
client/hardnested/tables/bitflip_0_0fd_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

1
client/hardnested/tables/bitflip_0_0ff_states.bin Normal file
View file

File diff suppressed because one or more lines are too long

Some files were not shown because too many files have changed in this diff Show more