github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-19 04:49:38 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

'hf iclass loclass': fix error handling (#865)

Browse source 
* fix handling of "BEING_CRACKED" flag
* don't try to calculate KCus when some bytes couldn't be brute forced
* whitespace fixes
This commit is contained in:
pwpiwi 2019-09-12 09:21:10 +02:00 committed by GitHub
commit d8ecc98a8e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 158 additions and 167 deletions
Download patch file Download diff file Expand all files Collapse all files

87
client/loclass/elite_crack.c
View file

@ -306,8 +306,7 @@ static uint32_t startvalue = 0;
* @param keytable where to write found values.
* @return
*/
int bruteforceItem(dumpdata item, uint16_t keytable[])
{
int bruteforceItem(dumpdata item, uint16_t keytable[]) {
int errors = 0;
uint8_t key_sel_p[8] = { 0 };
uint8_t div_key[8] = {0};
@ -319,6 +318,8 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
uint8_t key_index[8] = {0};
hash1(item.csn, key_index);
printvar("CSN ", item.csn, 8);
printvar("HASH1", key_index, 8);
/*
* Determine which bytes to retrieve. A hash is typically
@ -333,26 +334,20 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
* Only the lower eight bits correspond to the (hopefully cracked) key-value.
**/
uint8_t bytes_to_recover[3] = {0};
uint8_t numbytes_to_recover = 0 ;
int i;
for(i =0 ; i < 8 ; i++)
{
if(keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
bytes_to_recover[numbytes_to_recover++] = key_index[i];
keytable[key_index[i]] |= BEING_CRACKED;
uint8_t numbytes_to_recover = 0;
if(numbytes_to_recover > 3)
{
for (int i = 0; i < 8; i++) {
if (keytable[key_index[i]] & (CRACKED | BEING_CRACKED)) continue;
if (numbytes_to_recover == 3) {
prnlog("The CSN requires > 3 byte bruteforce, not supported");
printvar("CSN", item.csn,8);
printvar("HASH1", key_index,8);
//Before we exit, reset the 'BEING_CRACKED' to zero
keytable[bytes_to_recover[0]] &= ~BEING_CRACKED;
keytable[bytes_to_recover[1]] &= ~BEING_CRACKED;
keytable[bytes_to_recover[2]] &= ~BEING_CRACKED;
return 1;
} else {
bytes_to_recover[numbytes_to_recover++] = key_index[i];
keytable[key_index[i]] |= BEING_CRACKED;
}
}
@ -370,24 +365,27 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
uint32_t endmask = 1 << 8*numbytes_to_recover;
for(i =0 ; i < numbytes_to_recover && numbytes_to_recover > 1; i++)
for (int i = 0; i < numbytes_to_recover; i++) {
prnlog("Bruteforcing byte %d", bytes_to_recover[i]);
}
while(!found && !(brute & endmask))
{
while (!found && !(brute & endmask)) {
//Update the keytable with the brute-values
for(i =0 ; i < numbytes_to_recover; i++)
{
for(int i = 0 ; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= 0xFF00;
keytable[bytes_to_recover[i]] |= (brute >> (i*8) & 0xFF);
keytable[bytes_to_recover[i]] |= ((brute >> (i*8)) & 0xFF);
}
// Piece together the key
key_sel[0] = keytable[key_index[0]] & 0xFF;key_sel[1] = keytable[key_index[1]] & 0xFF;
key_sel[2] = keytable[key_index[2]] & 0xFF;key_sel[3] = keytable[key_index[3]] & 0xFF;
key_sel[4] = keytable[key_index[4]] & 0xFF;key_sel[5] = keytable[key_index[5]] & 0xFF;
key_sel[6] = keytable[key_index[6]] & 0xFF;key_sel[7] = keytable[key_index[7]] & 0xFF;
key_sel[0] = keytable[key_index[0]] & 0xFF;
key_sel[1] = keytable[key_index[1]] & 0xFF;
key_sel[2] = keytable[key_index[2]] & 0xFF;
key_sel[3] = keytable[key_index[3]] & 0xFF;
key_sel[4] = keytable[key_index[4]] & 0xFF;
key_sel[5] = keytable[key_index[5]] & 0xFF;
key_sel[6] = keytable[key_index[6]] & 0xFF;
key_sel[7] = keytable[key_index[7]] & 0xFF;
//Permute from iclass format to standard format
permutekey_rev(key_sel,key_sel_p);
@ -396,10 +394,9 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
//Calc mac
doMAC(item.cc_nr, div_key,calculated_MAC);
if(memcmp(calculated_MAC, item.mac, 4) == 0)
{
for(i =0 ; i < numbytes_to_recover; i++)
prnlog("=> %d: 0x%02x", bytes_to_recover[i],0xFF & keytable[bytes_to_recover[i]]);
if (memcmp(calculated_MAC, item.mac, 4) == 0) {
for (int i = 0; i < numbytes_to_recover; i++)
prnlog("=> %d: 0x%02x", bytes_to_recover[i], 0xFF & keytable[bytes_to_recover[i]]);
found = true;
break;
}
@ -410,27 +407,22 @@ int bruteforceItem(dumpdata item, uint16_t keytable[])
fflush(stdout);
}
}
if(! found)
{
prnlog("Failed to recover %d bytes using the following CSN",numbytes_to_recover);
printvar("CSN",item.csn,8);
if (!found) {
prnlog("\nFailed to recover %d bytes", numbytes_to_recover);
errors++;
//Before we exit, reset the 'BEING_CRACKED' to zero
for(i =0 ; i < numbytes_to_recover; i++)
{
keytable[bytes_to_recover[i]] &= 0xFF;
keytable[bytes_to_recover[i]] |= CRACK_FAILED;
for (int i = 0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= ~BEING_CRACKED;
}
}else
{
for(i =0 ; i < numbytes_to_recover; i++)
{
keytable[bytes_to_recover[i]] &= 0xFF;
} else {
for (int i = 0; i < numbytes_to_recover; i++) {
keytable[bytes_to_recover[i]] &= ~BEING_CRACKED;
keytable[bytes_to_recover[i]] |= CRACKED;
}
}
return errors;
}
@ -532,12 +524,11 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
// master key calculation
uint8_t first16bytes[16] = {0};
for(i = 0 ; i < 16 ; i++)
{
for (int i = 0; i < 16; i++) {
first16bytes[i] = keytable[i] & 0xFF;
if(!(keytable[i] & CRACKED))
{
prnlog("Error, we are missing byte %d, custom key calculation will fail...", i);
if (!(keytable[i] & CRACKED)) {
prnlog("Error, we are missing byte %d, cannot calculate custom key.", i);
return 1;
}
}
errors += calculateMasterKey(first16bytes, NULL);