| blob | 9e949942676d66e909b41d6408ea26e6c304ba1d |
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // Hitag2 Crypto
17 //-----------------------------------------------------------------------------
19 #include <inttypes.h>
25 #ifndef ON_DEVICE
27 #endif
29 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
30 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
31 // For educational purposes only.
32 // No warranties or guarantees of any kind.
33 // This code is released into the public domain by its author.
36 // Single bit Hitag2 functions:
37 #ifndef i4
38 #define i4(x,a,b,c,d) ((uint32_t)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
39 #endif
54 }
56 // return a single bit from a value
60 }
62 // the sub-function R that rollback depends upon
64 // renumbered bits because my state is 0-47, not 1-48
72 );
73 }
75 /*
76 static void ht2_rollback(hitag_state_t *hstate, unsigned int steps) {
77 for (int i = 0; i < steps; i++) {
78 hstate->shiftreg = ((hstate->shiftreg << 1) & 0xffffffffffff) | ht2_fnR(hstate->shiftreg);
79 }
80 }
81 */
82 // the rollback function that lets us go backwards in time
87 }
88 }
90 // the three filter sub-functions that feed fnf
91 #define ht2_fa(x) ht2_bitn(0x2C79, (x))
92 #define ht2_fb(x) ht2_bitn(0x6671, (x))
93 #define ht2_fc(x) ht2_bitn(0x7907287B, (x))
95 // the filter function that generates a bit of output from the prng state
98 uint32_t x1 = (ht2_bitn(state, 2) << 0) | (ht2_bitn(state, 3) << 1) | (ht2_bitn(state, 5) << 2) | (ht2_bitn(state, 6) << 3);
99 uint32_t x2 = (ht2_bitn(state, 8) << 0) | (ht2_bitn(state, 12) << 1) | (ht2_bitn(state, 14) << 2) | (ht2_bitn(state, 15) << 3);
100 uint32_t x3 = (ht2_bitn(state, 17) << 0) | (ht2_bitn(state, 21) << 1) | (ht2_bitn(state, 23) << 2) | (ht2_bitn(state, 26) << 3);
101 uint32_t x4 = (ht2_bitn(state, 28) << 0) | (ht2_bitn(state, 29) << 1) | (ht2_bitn(state, 31) << 2) | (ht2_bitn(state, 33) << 3);
102 uint32_t x5 = (ht2_bitn(state, 34) << 0) | (ht2_bitn(state, 43) << 1) | (ht2_bitn(state, 44) << 2) | (ht2_bitn(state, 46) << 3);
104 uint32_t x6 = (ht2_fa(x1) << 0) | (ht2_fb(x2) << 1) | (ht2_fb(x3) << 2) | (ht2_fb(x4) << 3) | (ht2_fa(x5) << 4);
106 }
108 // builds the lfsr for the prng (quick calcs for hitag2_nstep())
109 /*
110 static void ht2_buildlfsr(hitag_state_t *hstate) {
111 if (hstate == NULL) {
112 return;
113 }
115 uint64_t state = hstate->shiftreg;
116 uint64_t temp = state ^ (state >> 1);
117 hstate->lfsr = state ^ (state >> 6) ^ (state >> 16)
118 ^ (state >> 26) ^ (state >> 30) ^ (state >> 41)
119 ^ (temp >> 2) ^ (temp >> 7) ^ (temp >> 22)
120 ^ (temp >> 42) ^ (temp >> 46);
121 }
122 */
123 #ifndef ON_DEVICE
124 #include <stdio.h>
125 #endif
129 // hstate->shiftreg = (uint64_t)(((hstate->shiftreg << 1) & 0xffffffffffff) | (uint64_t)ht2_fnR(hstate->shiftreg));
130 // hstate->shiftreg = (uint64_t)(((hstate->shiftreg << 1) & 0xffffffffffff) | (uint64_t)ht2_fnR(hstate->shiftreg));
132 #ifndef ON_DEVICE
134 #endif
136 // key lower 16 bits are lower 16 bits of prng state
140 // rollback and extract bits b
145 }
151 #ifndef ON_DEVICE
155 PrintAndLogEx(INFO, "b..... %08" PRIx32 " %08" PRIx32 " %012" PRIx64, b, nRenc, hstate->shiftreg);
157 #endif
159 }
161 /*
162 * Parameters:
163 * Hitag_State* pstate - output, internal state after initialisation
164 * uint64_t sharedkey - 48 bit key shared between reader & tag
165 * uint32_t serialnum - 32 bit tag serial number
166 * uint32_t iv - 32 bit random IV from reader, part of tag authentication
167 */
168 void ht2_hitag2_init_ex(hitag_state_t *hstate, uint64_t sharedkey, uint32_t serialnum, uint32_t iv) {
169 // init state, from serial number and lowest 16 bits of shared key
172 // mix the initialisation vector and highest 32 bits of the shared key
175 // move 16 bits from (IV xor Shared Key) to top of uint64_t state
176 // these will be XORed in turn with output of the crypto function
180 // unrolled loop is faster on PIC32 (MIPS), do 32 times
181 // shift register, then calc new bit
201 // highest 16 bits of IV XOR Shared Key
222 // LSFR
225 /* naive version for reference, LFSR has 16 taps
226 pstate->lfsr = state ^ (state >> 2) ^ (state >> 3) ^ (state >> 6)
227 ^ (state >> 7) ^ (state >> 8) ^ (state >> 16) ^ (state >> 22)
228 ^ (state >> 23) ^ (state >> 26) ^ (state >> 30) ^ (state >> 41)
229 ^ (state >> 42) ^ (state >> 43) ^ (state >> 46) ^ (state >> 47);
230 */
231 {
232 // optimise with one 64-bit intermediate
238 }
239 }
241 /*
242 * Return up to 32 crypto bits.
243 * Last bit is in least significant bit, earlier bits are shifted left.
244 * Note that the Hitag transmission protocol is least significant bit,
245 * so we may want to change this, or add a function, that returns the
246 * crypto output bits in the other order.
247 *
248 * Parameters:
249 * Hitag_State* pstate - in/out, internal cipher state after initialisation
250 * uint32_t steps - number of bits requested, (capped at 32)
251 */
259 }
262 // update shift registers
266 // accumulate next bit of crypto
272 }
278 }
287 }
289 }
291 int ht2_try_state(uint64_t s, uint32_t uid, uint32_t aR2, uint32_t nR1, uint32_t nR2, uint64_t *key) {
293 hitag_state_t hstate;
297 hstate.shiftreg = (uint64_t)(((hstate.shiftreg << 1) & 0xffffffffffff) | (uint64_t)ht2_fnR(hstate.shiftreg));
298 hstate.shiftreg = (uint64_t)(((hstate.shiftreg << 1) & 0xffffffffffff) | (uint64_t)ht2_fnR(hstate.shiftreg));
300 #ifndef ON_DEVICE
301 hitag_state_t hs2;
306 PrintAndLogEx(INFO, "hstate shiftreg.... %" PRIx64 " lfsr... %" PRIx64, hstate.shiftreg, hstate.lfsr);
307 PrintAndLogEx(INFO, "hstate shiftreg.... %" PRIx64 " lfsr... %" PRIx64, hs2.shiftreg, hs2.lfsr);
308 #endif
310 // recover key
314 #ifndef ON_DEVICE
316 #endif
322 }
324 #ifndef ON_DEVICE
326 #endif
330 #ifndef ON_DEVICE
332 #endif
334 // test key
340 }
342 }
345 // "MIKRON" = O N M I K R
346 // Key = 4F 4E 4D 49 4B 52 - Secret 48-bit key
347 // Serial = 49 43 57 69 - Serial number of the tag, transmitted in clear
348 // Random = 65 6E 45 72 - Random IV, transmitted in clear
349 //~28~DC~80~31 = D7 23 7F CE - Authenticator value = inverted first 4 bytes of the keystream
351 // The code below must print out "D7 23 7F CE 8C D0 37 A9 57 49 C1 E6 48 00 8A B6".
352 // The inverse of the first 4 bytes is sent to the tag to authenticate.
353 // The rest is encrypted by XORing it with the subsequent keystream.
355 /*
356 * Return 8 crypto bits.
357 * Last bit is in least significant bit, earlier bits are shifted left.
358 * Note that the Hitag transmission protocol is least significant bit,
359 * so we may want to change this, or add a function, that returns the
360 * crypto output bits in the other order.
361 *
362 * Parameters:
363 * uint64_t *state - in/out, internal cipher state after initialisation
364 */
376 }
378 // Take a state and create one byte (8bits) of crypto
390 }
398 }
416 }
425 }
427 void ht2_hitag2_cipher_transcrypt(uint64_t *state, uint8_t *data, uint16_t bytes, uint16_t bits) {
431 }
435 }
436 }