| blob | 72fd6baa6d89012e909ad49892b6caf5c8ce6169 |
1 HiTag2 Cracking Suite
2 ---------------------
4 Authors:
6 * Attacks 1, 2, 3, 4 : Kevin Sheldrake <kev@headhacking.com>
7 * Attacks 5, 5gpu : anonymous, based on https://github.com/factoritbv/hitag2hell by FactorIT B.V.
8 * Attack 5opencl : Gabriele Gristina <gabriele.gristina@gmail.com>, based on 5gpu
10 Introduction
11 ------------
13 These tools are implementations of the four attacks detailed in the papers,
14 Gone In 360 Seconds - Hijacking With HiTag 2 by Roel Verdult, Flavio Garcia
15 and Josep Balasch, and Lock It And Still Lose It - on the (In)Security of
16 Automotive Remote Keyless Entry Systems by Flavio Garcia, David Oswald,
17 Timo Kasper and Pierre Pavlides. The first three attacks come from the first
18 paper and the fourth attack comes from the second paper.
20 Attack 1
21 --------
23 Attack 1 is a nonce replay and length extension attack. This is an attack on
24 a single HiTag2 RFID tag, given a single encrypted nonce and challenge
25 response value pair (nR, aR) for the tag's UID. The attack runs entirely on
26 the Proxmark3 with it acting like a RWD that replays the same encrypted nonce
27 and challenge response pair for every interaction; this fixes the key stream
28 that the tag's PRNG outputs to the same stream for every interaction.
30 By brute forcing a subset of the encrypted command space, the Proxmark3 finds a
31 single valid encrypted command - invalid commands return a known unencrypted
32 error response so finding a valid one is simply a case of trying different
33 values until a response other than the error response is received.
35 It then bit flips the valid encrypted command to find the other 15 valid
36 encrypted commands. By knowing the contents of page 0 - it's the UID that
37 is presented in clear at the start of each interaction - it tries each
38 encrypted response in turn, assuming each to be the encrypted version of
39 'read page 0 non-inverted' and each response to be the encrypted version of
40 page 0.
42 For each attempted command, it calculates the key stream that would have
43 correctly generated the encrypted command and response:
44 command ++ response XOR key stream = encrypted command ++ encrypted response
45 therefore:
46 key stream = command ++ response XOR encrypted command ++ encrypted response
48 It then tests the potentially recovered key stream by creating an encrypted
49 command that consumes as much of it as possible, re-initialising with the same
50 encrypted nonce and challenge response pair (to set the key stream to the
51 same stream as that which produced the encrypted command response it is
52 testing), and then sending this extended encrypted command. If the response
53 is not the error response, then the key stream is valid and the response is
54 the encryption of the page 0 contents (the UID).
56 When one of the valid encrypted commands satisfies this situation, the
57 recovered key stream must be the output of the PRNG for the given encrypted
58 nonce and challenge response pair.
60 The Proxmark3 then uses this key stream to encrypt commands and decrypt the
61 responses, and therefore requests the contents of all 8 pages. Pages 1 and 2
62 contain the encryption key.
64 Attack 2
65 --------
67 Attack 2 is a time/space trade off to recover the key for situations where the
68 tag has been configured to prevent reading of pages 1 and 2. This attack uses
69 a pre-computed table of 2^37 PRNG states and resultant PRNG output, sorted on
70 the PRNG output. The Proxmark3 is used to recover 2048 bits of key stream using
71 a modification of attack 1 and this is used to search the table for matching
72 PRNG output. When the output is found, it is tested for validity (by testing
73 previous or following PRNG output) and then the PRNG state is rolled back to
74 the initialisation state, from which the unencrypted nonce and key can be
75 recovered.
77 Attack 3
78 --------
80 Attack 3 is a cryptanalytic attack that focuses on the RWD and a bias in the
81 PRNG output. By capturing 136 encrypted nonce and challenge response pairs,
82 candidates for the first 34 bits of the key can be identified, and for each
83 the remaining 14 bits can be brute forced.
85 Attack 4
86 --------
88 Attack 4 is a fast correlative attack on the key based on a number of captured
89 encrypted nonce and challenge response pairs (up to 32, but 16 usually
90 sufficient). It starts by guessing the first 16 bits of the key and scores
91 all these guesses against how likely they are to be the correct key, given the
92 encrypted nonces and the keystream they should produce. Each guess is then
93 expanded by 1 bit and the process iterates, with only the best guesses taken
94 forward to the next iteration.
96 Attack 5
97 --------
99 Attack 5 is heavily based on the HiTag2 Hell CPU implementation from https://github.com/factoritbv/hitag2hell by FactorIT B.V.,
100 with the following changes:
102 * Main takes a UID and 2 {nR},{aR} pairs as arguments and searches for states producing the first aR sample, reconstructs the corresponding key candidates and tests them against the second nR,aR pair;
103 * Reuses the Hitag helping functions of the other attacks.
105 Attack 5gpu
106 -----------
108 Attack 5gpu is identical to attack 5, simply the code has been ported to OpenCL
109 to run on GPUs and is therefore much faster than attack 5.
111 Attack 5opencl
112 --------------
114 Attack 5opencl is an optimized OpenCL version based on 5gpu.
115 It runs on multi GPUs/CPUs and is faster than 5gpu.
117 Usage details: Attack 1
118 -----------------------
120 Attack 1 requires a valid tag and a valid encrypted nonce and challenge
121 response pair. The attacker needs to obtain a valid tag and then use this to
122 obtain a valid encrypted nonce and challenge response pair. This can be
123 achieved by using the Proxmark3 `lf hitag sniff` command, placing the coil on the RWD and
124 presenting the valid tag. The encrypted nonce and challenge response pairs
125 can then be read out. These values can then
126 be used to attack the tag with `lf hitag ht2crack <nR> <aR>`.
128 **TODO** example
129 ```
130 pm3 --> lf hitag sniff
131 pm3 --> lf hitag ht2crack <nR> <aR>
132 ```
134 Usage details: Attack 2
135 -----------------------
137 Attack 2 requires the same resources as attack 1, plus a pre-computed table.
138 The table can be generated on a disk with >1.5TB of storage, although it takes
139 some time (allow a couple of days, privilege SSD). This can be
140 achieved by using the Proxmark3 `lf hitag sniff` command, placing the coil on the RWD and
141 presenting the valid tag. The encrypted nonce and challenge response pairs
142 can then be read out. These values can then
143 be used to attack the tag with `lf hitag ht2keystream <nR> <aR>`.
145 **TODO** example
146 ```
147 ./ht2crack2buildtable
148 pm3 --> lf hitag sniff
149 pm3 --> lf hitag ht2keystream <nR> <aR>
150 ```
152 It creates a file `Hitag2_<UID>_<nR>_<aR>_keystream.txt`.
154 ```
155 ./ht2crack2search Hitag2_<UID>_<nR>_<aR>_keystream.txt <UID> <nR>
156 ```
158 Usage details: Attack 3
159 -----------------------
161 Attack 3 requires only interaction with the RWD and does not require a valid
162 tag, although it does require a HiTag2 tag that the RWD will initially respond
163 to; e.g. you could potentially use any HiTag2 tag as long as the RWD starts
164 the crypto handshake with it. It requires >=136 encrypted nonce and challenge
165 response pairs for the same tag UID.
167 **TODO** will be ht2 sim or sniff with actual tag ?
169 ```
170 pm3 --> lf hitag sniff
171 ```
173 It creates a file `Hitag2_<UID>_<nR>_<aR>_collection.txt`.
174 Stop once you got enough pairs.
176 ```
177 ./ht2crack3 <UID> Hitag2_<UID>_<nR>_<aR>_collection.txt
178 ```
180 Usage details: Attack 4
181 -----------------------
183 Attack 4 requires the same information as attack 3, but only 16-32 encrypted
184 nonce and challenge response pairs are required.
186 ```
187 pm3 --> lf hitag sniff
188 ```
190 It creates a file `Hitag2_<UID>_<nR>_<aR>_collection.txt`.
191 Stop once you got enough pairs.
193 ```
194 ./ht2crack4 -u <UID> -n Hitag2_<UID>_<nR>_<aR>_collection.txt [-N <number of nonces to use>] [-t <table size>]
195 ```
197 Start with -N 16 and -t 500000. If the attack fails to find the key, double
198 the table size and try again, repeating if it still fails.
200 Usage details: Attack 5
201 -----------------------
203 Attack 5 requires two encrypted nonce and challenge
204 response value pairs (nR, aR) for the tag's UID.
206 ```
207 pm3 --> lf hitag sniff
208 ```
209 Stop once you got two pairs.
211 ```
212 $ ./ht2crack5 <UID> <nR1> <aR1> <nR2> <aR2>
213 ```
215 Usage details: Attack 5gpu/5opencl
216 ----------------------------------
218 Attacks 5gpu and 5opencl require two encrypted nonce and challenge
219 response value pairs (nR, aR) for the tag's UID.
221 ```
222 pm3 --> lf hitag sniff
223 ```
224 Stop once you got two pairs.
226 ```
227 $ ./ht2crack5gpu <UID> <nR1> <aR1> <nR2> <aR2>
228 ```
230 or
232 ```
233 $ ./ht2crack5opencl <UID> <nR1> <aR1> <nR2> <aR2>
234 ```
236 5opencl supports a number of additional parameters, see [crack5opencl/README.md](/tools/hitag2crack/crack5opencl/README.md) for details.
238 Usage details: Next steps
239 -------------------------
241 Once the key has been recovered using one of these attacks, the Proxmark3 can
242 be configured to operate as a RWD and will capture tags using that key.
244 **TODO** example
246 Tags can be copied with standard Proxmark3 commands.
248 **TODO** example