| blob | 2d1650d0d4abf714712dff4de2920ae89b8daf7c |
1 /*****************************************************************************
2 * WARNING
3 *
4 * THIS CODE IS CREATED FOR EXPERIMENTATION AND EDUCATIONAL USE ONLY.
5 *
6 * USAGE OF THIS CODE IN OTHER WAYS MAY INFRINGE UPON THE INTELLECTUAL
7 * PROPERTY OF OTHER PARTIES, SUCH AS INSIDE SECURE AND HID GLOBAL,
8 * AND MAY EXPOSE YOU TO AN INFRINGEMENT ACTION FROM THOSE PARTIES.
9 *
10 * THIS CODE SHOULD NEVER BE USED TO INFRINGE PATENTS OR INTELLECTUAL PROPERTY RIGHTS.
11 *
12 *****************************************************************************
13 *
14 * This file is part of loclass. It is a reconstructon of the cipher engine
15 * used in iClass, and RFID techology.
16 *
17 * The implementation is based on the work performed by
18 * Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult and
19 * Milosch Meriac in the paper "Dismantling IClass".
20 *
21 * Copyright (C) 2014 Martin Holst Swende
22 *
23 * This is free software: you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License version 2 as published
25 * by the Free Software Foundation, or, at your option, any later version.
26 *
27 * This file is distributed in the hope that it will be useful,
28 * but WITHOUT ANY WARRANTY; without even the implied warranty of
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30 * GNU General Public License for more details.
31 *
32 * You should have received a copy of the GNU General Public License
33 * along with loclass. If not, see <http://www.gnu.org/licenses/>.
34 *
35 *
36 *
37 ****************************************************************************/
38 #include <stdint.h>
39 #include <stdbool.h>
40 #include <string.h>
41 #include <stdio.h>
42 #include <pthread.h>
43 #include <time.h>
52 /**
53 * @brief Permutes a key from standard NIST format to Iclass specific format
54 * from http://www.proxmark.org/forum/viewtopic.php?pid=11220#p11220
55 *
56 * If you permute [6c 8d 44 f9 2a 2d 01 bf] you get [8a 0d b9 88 bb a7 90 ea] as shown below.
57 *
58 * 1 0 1 1 1 1 1 1 bf
59 * 0 0 0 0 0 0 0 1 01
60 * 0 0 1 0 1 1 0 1 2d
61 * 0 0 1 0 1 0 1 0 2a
62 * 1 1 1 1 1 0 0 1 f9
63 * 0 1 0 0 0 1 0 0 44
64 * 1 0 0 0 1 1 0 1 8d
65 * 0 1 1 0 1 1 0 0 6c
66 *
67 * 8 0 b 8 b a 9 e
68 * a d 9 8 b 7 0 a
69 *
70 * @param key
71 * @param dest
72 */
83 }
84 }
85 /**
86 * Permutes a key from iclass specific format to NIST format
87 * @brief permutekey_rev
88 * @param key
89 * @param dest
90 */
102 }
103 }
105 /**
106 * Helper function for hash1
107 * @brief rr
108 * @param val
109 * @return
110 */
113 }
115 /**
116 * Helper function for hash1
117 * @brief rl
118 * @param val
119 * @return
120 */
123 }
125 /**
126 * Helper function for hash1
127 * @brief swap
128 * @param val
129 * @return
130 */
133 }
135 /**
136 * Hash1 takes CSN as input, and determines what bytes in the keytable will be used
137 * when constructing the K_sel.
138 * @param csn the CSN used
139 * @param k output
140 */
159 }
160 /**
161 Definition 14. Define the rotate key function rk : (F 82 ) 8 × N → (F 82 ) 8 as
162 rk(x [0] . . . x [7] , 0) = x [0] . . . x [7]
163 rk(x [0] . . . x [7] , n + 1) = rk(rl(x [0] ) . . . rl(x [7] ), n)
164 **/
176 }
177 }
187 }
194 }
196 /**
197 * @brief Insert uint8_t[8] custom master key to calculate hash2 and return key_select.
198 * @param key unpermuted custom key
199 * @param hash1 hash1
200 * @param key_sel output key_sel=h[hash1[i]]
201 */
203 /**
204 *Expected:
205 * High Security Key Table
207 00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1
208 10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21
209 20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2
210 30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C
211 40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6
212 50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42
213 60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95
214 70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB
216 **** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ******/
220 //calculate complement of key
230 // Once again, key is on iclass-format
236 }
240 // y[0]=DES_dec(z[0],~key)
241 // Once again, key is on iclass-format
243 // PrintAndLogEx(INFO, "y0 %s", sprint_hex(y[0],8));
246 // z [i] = DES dec (rk(K cus , i), z [i−1] )
248 //y [i] = DES enc (rk(K cus , i), y [i−1] )
252 }
258 }
261 }
262 }
264 /**
265 * @brief Reads data from the iclass-reader-attack dump file.
266 * @param dump, data from a iclass reader attack dump. The format of the dumpdata is expected to be as follows:
267 * <8 byte CSN><8 byte CC><4 byte NR><4 byte MAC><8 byte HASH1><1 byte NUM_BYTES_TO_RECOVER><3 bytes BYTES_TO_RECOVER>
268 * .. N times...
269 *
270 * So the first attack, with 3 bytes to recover would be : ... 03000145
271 * And a later attack, with 1 byte to recover (byte 0x5)would be : ...01050000
272 * And an attack, with 2 bytes to recover (byte 0x5 and byte 0x07 )would be : ...02050700
273 *
274 * @param cc_nr an array to store cc_nr into (12 bytes)
275 * @param csn an arracy ot store CSN into (8 bytes)
276 * @param received_mac an array to store MAC into (4 bytes)
277 * @param i the number to read. Should be less than 127, or something is wrong...
278 * @return
279 */
280 /*
281 static int _readFromDump(uint8_t dump[], dumpdata *item, uint8_t i) {
282 size_t itemsize = sizeof(dumpdata);
283 memcpy(item, dump + i * itemsize, itemsize);
285 if (true) {
286 PrintAndLogEx(INFO, "csn %s", sprint_hex(item->csn, sizeof(item->csn)));
287 PrintAndLogEx(INFO, "cc_nr %s", sprint_hex(item->cc_nr, sizeof(item->cc_nr)));
288 PrintAndLogEx(INFO, "mac %s", sprint_hex(item->mac, sizeof(item->mac)));
289 }
290 return 0;
291 }
292 */
301 loclass_dumpdata_t item;
339 //Update the keytable with the brute-values
343 }
347 // Piece together the key
357 // Permute from iclass format to standard format
362 // Diversify
366 // Calc mac
370 // success
377 }
380 }
388 PrintAndLogEx(INPLACE, "[ %02x %02x %02x ] %8u / %u", bytes_to_recover[0], bytes_to_recover[1], bytes_to_recover[2], brute, 0xFFFFFF);
389 }
392 PrintAndLogEx(INPLACE, "[ %02x %02x ] %5u / %u" _CLR_, bytes_to_recover[0], bytes_to_recover[1], brute, 0xFFFF);
396 }
397 }
402 }
406 // reset thread signals
409 //Get the key index (hash1)
413 /*
414 * Determine which bytes to retrieve. A hash is typically
415 * 01010000454501
416 * We go through that hash, and in the corresponding keytable, we put markers
417 * on what state that particular index is:
418 * - CRACKED (this has already been cracked)
419 * - BEING_CRACKED (this is being bruteforced now)
420 * - CRACK_FAILED (self-explaining...)
421 *
422 * The markers are placed in the high area of the 16 bit key-table.
423 * Only the lower eight bits correspond to the (hopefully cracked) key-value.
424 **/
438 //Before we exit, reset the 'BEING_CRACKED' to zero
443 }
444 }
449 }
452 // init thread arguments
462 }
465 // create threads
472 }
473 }
474 // wait for threads to terminate:
479 // was it a success?
484 PrintAndLogEx(WARNING, "Failed to recover %d bytes using the following CSN", numbytes_to_recover);
487 //Before we exit, reset the 'BEING_CRACKED' to zero
491 }
500 }
503 }
504 }
509 }
511 /**
512 * @brief Performs brute force attack against a dump-data item, containing csn, cc_nr and mac.
513 *This method calculates the hash1 for the CSN, and determines what bytes need to be bruteforced
514 *on the fly. If it finds that more than three bytes need to be bruteforced, it aborts.
515 *It updates the keytable with the findings, also using the upper half of the 16-bit ints
516 *to signal if the particular byte has been cracked or not.
517 *
518 * @param dump The dumpdata from iclass reader attack.
519 * @param keytable where to write found values.
520 * @return
521 */
522 /*
523 int bruteforceItem(loclass_dumpdata_t item, uint16_t keytable[]) {
525 //Get the key index (hash1)
526 uint8_t key_index[8] = {0};
527 hash1(item.csn, key_index);
528 */
529 /*
530 * Determine which bytes to retrieve. A hash is typically
531 * 01010000454501
532 * We go through that hash, and in the corresponding keytable, we put markers
533 * on what state that particular index is:
534 * - CRACKED (this has already been cracked)
535 * - BEING_CRACKED (this is being bruteforced now)
536 * - CRACK_FAILED (self-explaining...)
537 *
538 * The markers are placed in the high area of the 16 bit key-table.
539 * Only the lower eight bits correspond to the (hopefully cracked) key-value.
540 **/
543 /*
544 uint8_t bytes_to_recover[3] = {0};
545 uint8_t numbytes_to_recover = 0 ;
546 for (uint8_t i = 0; i < 8; i++) {
547 if (keytable[key_index[i]] & (LOCLASS_CRACKED | LOCLASS_BEING_CRACKED)) continue;
549 bytes_to_recover[numbytes_to_recover++] = key_index[i];
550 keytable[key_index[i]] |= LOCLASS_BEING_CRACKED;
552 if (numbytes_to_recover > 3) {
553 PrintAndLogEx(FAILED, "The CSN requires > 3 byte bruteforce, not supported");
554 PrintAndLogEx(INFO, "CSN %s", sprint_hex(item.csn, 8));
555 PrintAndLogEx(INFO, "HASH1 %s", sprint_hex(key_index, 8));
556 PrintAndLogEx(NORMAL, "");
557 //Before we exit, reset the 'BEING_CRACKED' to zero
558 keytable[bytes_to_recover[0]] &= ~LOCLASS_BEING_CRACKED;
559 keytable[bytes_to_recover[1]] &= ~LOCLASS_BEING_CRACKED;
560 keytable[bytes_to_recover[2]] &= ~LOCLASS_BEING_CRACKED;
561 return PM3_ESOFT;
562 }
563 }
565 uint8_t key_sel_p[8] = {0};
566 uint8_t div_key[8] = {0};
567 uint8_t key_sel[8] = {0};
568 uint8_t calculated_MAC[4] = {0};
571 //A uint32 has room for 4 bytes, we'll only need 24 of those bits to bruteforce up to three bytes,
572 uint32_t brute = 0;
573 */
574 /*
575 Determine where to stop the bruteforce. A 1-byte attack stops after 256 tries,
576 (when brute reaches 0x100). And so on...
577 bytes_to_recover = 1 --> endmask = 0x000000100
578 bytes_to_recover = 2 --> endmask = 0x000010000
579 bytes_to_recover = 3 --> endmask = 0x001000000
580 */
581 /*
582 uint32_t endmask = 1 << 8 * numbytes_to_recover;
583 PrintAndLogEx(NORMAL, "----------------------------");
584 for (uint8_t i = 0 ; i < numbytes_to_recover && numbytes_to_recover > 1; i++)
585 PrintAndLogEx(INFO, "Bruteforcing %d", bytes_to_recover[i]);
587 bool found = false;
588 while (!found && !(brute & endmask)) {
590 //Update the keytable with the brute-values
591 for (uint8_t i = 0; i < numbytes_to_recover; i++) {
592 keytable[bytes_to_recover[i]] &= 0xFF00;
593 keytable[bytes_to_recover[i]] |= (brute >> (i * 8) & 0xFF);
594 }
596 // Piece together the key
597 key_sel[0] = keytable[key_index[0]] & 0xFF;
598 key_sel[1] = keytable[key_index[1]] & 0xFF;
599 key_sel[2] = keytable[key_index[2]] & 0xFF;
600 key_sel[3] = keytable[key_index[3]] & 0xFF;
601 key_sel[4] = keytable[key_index[4]] & 0xFF;
602 key_sel[5] = keytable[key_index[5]] & 0xFF;
603 key_sel[6] = keytable[key_index[6]] & 0xFF;
604 key_sel[7] = keytable[key_index[7]] & 0xFF;
606 //Permute from iclass format to standard format
607 permutekey_rev(key_sel, key_sel_p);
609 diversifyKey(item.csn, key_sel_p, div_key);
610 doMAC(item.cc_nr, div_key, calculated_MAC);
612 // success
613 if (memcmp(calculated_MAC, item.mac, 4) == 0) {
614 PrintAndLogEx(NORMAL, "");
615 for (uint8_t i = 0 ; i < numbytes_to_recover; i++) {
616 PrintAndLogEx(SUCCESS, "%d: 0x%02x", bytes_to_recover[i], keytable[bytes_to_recover[i]] & 0xFF);
617 }
618 found = true;
619 break;
620 }
622 brute++;
623 if ((brute & 0xFFFF) == 0) {
624 PrintAndLogEx(INPLACE, "%3d", (brute >> 16) & 0xFF);
625 }
626 }
628 int errors = PM3_SUCCESS;
630 if (found == false) {
631 PrintAndLogEx(NORMAL, "");
632 PrintAndLogEx(WARNING, "Failed to recover %d bytes using the following CSN", numbytes_to_recover);
633 PrintAndLogEx(INFO, "CSN %s", sprint_hex(item.csn, 8));
634 errors = PM3_ESOFT;
636 //Before we exit, reset the 'BEING_CRACKED' to zero
637 for (uint8_t i = 0; i < numbytes_to_recover; i++) {
638 keytable[bytes_to_recover[i]] &= 0xFF;
639 keytable[bytes_to_recover[i]] |= LOCLASS_CRACK_FAILED;
640 }
641 } else {
642 //PrintAndLogEx(SUCCESS, "DES calcs: %u", brute);
643 for (uint8_t i = 0; i < numbytes_to_recover; i++) {
644 keytable[bytes_to_recover[i]] &= 0xFF;
645 keytable[bytes_to_recover[i]] |= LOCLASS_CRACKED;
646 }
647 }
648 return errors;
649 }
650 */
652 /**
653 * From dismantling iclass-paper:
654 * Assume that an adversary somehow learns the first 16 bytes of hash2(K_cus ), i.e., y [0] and z [0] .
655 * Then he can simply recover the master custom key K_cus by computing
656 * K_cus = ~DES(z[0] , y[0] ) .
657 *
658 * Furthermore, the adversary is able to verify that he has the correct K cus by
659 * checking whether z [0] = DES enc (K_cus , ~K_cus ).
660 * @param keytable an array (128 bytes) of hash2(kcus)
661 * @param master_key where to put the master key
662 * @return 0 for ok, 1 for failz
663 */
665 mbedtls_des_context ctx_e;
674 // y_0 and z_0 are the first 16 bytes of the keytable
678 // Our DES-implementation uses the standard NIST
679 // format for keys, thus must translate from iclass
680 // format to NIST-format
683 // ~K_cus = DESenc(z[0], y[0])
696 // Can we verify that the key is correct?
697 // Once again, key is on iclass-format
708 PrintAndLogEx(WARNING, _RED_("Failed to verify") " calculated master key (k_cus)! Something is wrong.");
710 }
718 }
719 /**
720 * @brief Same as bruteforcefile, but uses a an array of dumpdata instead
721 * @param dump
722 * @param dumpsize
723 * @param keytable
724 * @return
725 */
733 }
746 }
753 PrintAndLogEx(ERR, "loclass exiting. Try run " _YELLOW_("`hf iclass sim -t 2`") " again and collect new data");
755 }
757 // Pick out the first 16 bytes of the keytable.
758 // The keytable is now in 16-bit ints, where the upper 8 bits
759 // indicate crack-status. Those must be discarded for the
760 // master key calculation
766 PrintAndLogEx(WARNING, "Warning: we are missing byte %d, custom key calculation will fail...", i);
768 }
769 }
771 }
772 /**
773 * Perform a bruteforce against a file which has been saved by pm3
774 *
775 * @brief bruteforceFile
776 * @param filename
777 * @return
778 */
785 }
790 }
791 /**
792 *
793 * @brief Same as above, if you don't care about the returned keytable (results only printed on screen)
794 * @param filename
795 * @return
796 */
800 }
802 // ---------------------------------------------------------------------------------
803 // ALL CODE BELOW THIS LINE IS PURELY TESTING
804 // ---------------------------------------------------------------------------------
805 // ----------------------------------------------------------------------------
806 // TEST CODE BELOW
807 // ----------------------------------------------------------------------------
812 /**
813 Expected values for the dumpfile:
814 High Security Key Table
816 00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1
817 10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21
818 20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2
819 30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C
820 40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6
821 50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42
822 60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95
823 70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB
825 **** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ****
826 **/
831 }
833 }
849 }
855 }
859 }
872 }
874 }
881 /**
882 *Expected:
883 * High Security Key Table
885 00 F1 35 59 A1 0D 5A 26 7F 18 60 0B 96 8A C0 25 C1
886 10 BF A1 3B B0 FF 85 28 75 F2 1F C6 8F 0E 74 8F 21
887 20 14 7A 55 16 C8 A9 7D B3 13 0C 5D C9 31 8D A9 B2
888 30 A3 56 83 0F 55 7E DE 45 71 21 D2 6D C1 57 1C 9C
889 40 78 2F 64 51 42 7B 64 30 FA 26 51 76 D3 E0 FB B6
890 50 31 9F BF 2F 7E 4F 94 B4 BD 4F 75 91 E3 1B EB 42
891 60 3F 88 6F B8 6C 2C 93 0D 69 2C D5 20 3C C1 61 95
892 70 43 08 A0 2F FE B3 26 D7 98 0B 34 7B 47 70 A0 AB
894 **** The 64-bit HS Custom Key Value = 5B7C62C491C11B39 ****
895 */
898 printarr_human_readable("---------------------- Hash2 ----------------------", keytable, sizeof(keytable));
901 }
906 PrintAndLogEx((res == PM3_SUCCESS) ? SUCCESS : WARNING, " hash1 (%s)", (res == PM3_SUCCESS) ? _GREEN_("ok") : _RED_("fail"));
910 PrintAndLogEx((res == PM3_SUCCESS) ? SUCCESS : WARNING, " key diversification (%s)", (res == PM3_SUCCESS) ? _GREEN_("ok") : _RED_("fail"));
916 }