armsrc/hitag2_crypto.c

   1 //-----------------------------------------------------------------------------
   2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
   3 // at your option, any later version. See the LICENSE.txt file for the text of
   4 // the license.
   5 //-----------------------------------------------------------------------------
   6 // Hitag2 Crypto
   7 //
   8 // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
   9 // (c) 2012 Roel Verdult
  10 // (c) 2019 Iceman
  11 //-----------------------------------------------------------------------------
  12 #include "hitag2_crypto.h"
  13
  14 #include "util.h"
  15 #include "string.h"
  16
  17 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
  18 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
  19 // For educational purposes only.
  20 // No warranties or guarantees of any kind.
  21 // This code is released into the public domain by its author.
  22
  23 // Single bit Hitag2 functions:
  24 #ifndef i4
  25 #define i4(x,a,b,c,d)    ((uint32_t)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
  26 #endif
  27
  28 static const uint32_t ht2_f4a = 0x2C79;     // 0010 1100 0111 1001
  29 static const uint32_t ht2_f4b = 0x6671;     // 0110 0110 0111 0001
  30 static const uint32_t ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
  31
  32 uint32_t _f20(const uint64_t x) {
  33     uint32_t i5;
  34
  35     i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
  36          + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
  37          + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
  38          + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
  39          + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
  40
  41     return (ht2_f5c >> i5) & 1;
  42 }
  43
  44 uint64_t _hitag2_init(const uint64_t key, const uint32_t serial, const uint32_t IV) {
  45     uint32_t i;
  46     uint64_t x = ((key & 0xFFFF) << 32) + serial;
  47
  48     for (i = 0; i < 32; i++) {
  49         x >>= 1;
  50         x += (uint64_t)(_f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
  51     }
  52     return x;
  53 }
  54
  55 uint64_t _hitag2_round(uint64_t *state) {
  56     uint64_t x = *state;
  57
  58     x = (x >>  1) +
  59         ((((x >>  0) ^ (x >>  2) ^ (x >>  3) ^ (x >>  6)
  60            ^ (x >>  7) ^ (x >>  8) ^ (x >> 16) ^ (x >> 22)
  61            ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41)
  62            ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47);
  63
  64     *state = x;
  65     return _f20(x);
  66 }
  67
  68 // "MIKRON"             =  O  N  M  I  K  R
  69 // Key                  = 4F 4E 4D 49 4B 52             - Secret 48-bit key
  70 // Serial               = 49 43 57 69                   - Serial number of the tag, transmitted in clear
  71 // Random               = 65 6E 45 72                   - Random IV, transmitted in clear
  72 //~28~DC~80~31  = D7 23 7F CE                   - Authenticator value = inverted first 4 bytes of the keystream
  73
  74 // The code below must print out "D7 23 7F CE 8C D0 37 A9 57 49 C1 E6 48 00 8A B6".
  75 // The inverse of the first 4 bytes is sent to the tag to authenticate.
  76 // The rest is encrypted by XORing it with the subsequent keystream.
  77
  78 uint32_t _hitag2_byte(uint64_t *x) {
  79     uint32_t i, c;
  80     for (i = 0, c = 0; i < 8; i++) {
  81         c += (uint32_t) _hitag2_round(x) << (i ^ 7);
  82     }
  83     return c;
  84 }
  85
  86 void hitag2_cipher_reset(struct hitag2_tag *tag, const uint8_t *iv) {
  87     uint64_t key = ((uint64_t)tag->sectors[2][2]) |
  88                    ((uint64_t)tag->sectors[2][3] << 8) |
  89                    ((uint64_t)tag->sectors[1][0] << 16) |
  90                    ((uint64_t)tag->sectors[1][1] << 24) |
  91                    ((uint64_t)tag->sectors[1][2] << 32) |
  92                    ((uint64_t)tag->sectors[1][3] << 40);
  93     uint32_t uid = ((uint32_t)tag->sectors[0][0]) |
  94                    ((uint32_t)tag->sectors[0][1] << 8) |
  95                    ((uint32_t)tag->sectors[0][2] << 16) |
  96                    ((uint32_t)tag->sectors[0][3] << 24);
  97     uint32_t iv_ = (((uint32_t)(iv[0]))) |
  98                    (((uint32_t)(iv[1])) << 8) |
  99                    (((uint32_t)(iv[2])) << 16) |
 100                    (((uint32_t)(iv[3])) << 24);
 101     tag->cs = _hitag2_init(REV64(key), REV32(uid), REV32(iv_));
 102 }
 103
 104 int hitag2_cipher_authenticate(uint64_t *cs, const uint8_t *authenticator_is) {
 105     uint8_t authenticator_should[4];
 106     authenticator_should[0] = ~_hitag2_byte(cs);
 107     authenticator_should[1] = ~_hitag2_byte(cs);
 108     authenticator_should[2] = ~_hitag2_byte(cs);
 109     authenticator_should[3] = ~_hitag2_byte(cs);
 110     return (memcmp(authenticator_should, authenticator_is, 4) == 0);
 111 }
 112
 113 int hitag2_cipher_transcrypt(uint64_t *cs, uint8_t *data, uint16_t bytes, uint16_t bits) {
 114     int i;
 115     for (i = 0; i < bytes; i++) data[i] ^= _hitag2_byte(cs);
 116     for (i = 0; i < bits; i++) data[bytes] ^= _hitag2_round(cs) << (7 - i);
 117     return 0;
 118 }
 119