Mirror/Momentum-Firmware
1
0
Fork 0
mirror of https://github.com/Next-Flip/Momentum-Firmware.git synced 2026-05-19 04:44:47 -07:00
Code Issues Packages Projects Releases Wiki Activity

MIFARE Classic Key Recovery Improvements (#3822)

Browse Source 
* Initial structure for nonce collection
* Nonce logging
* Dictionary attack structure
* Fix compilation
* Identified method to reduce candidate states
* Use EXT_PATH instead of ANY_PATH
* Use median calibrated distance, collect parity bits
* Modify parity collection
* Fixed parity bit collection
* Add note to fix nonce logging
* Fix nonce logging
* Clean redundant code
* Fix valid_nonce
* First attempt disambiguous nonce implementation
* FM11RF08S backdoor detection
* Initial accelerated dictionary attack for weak PRNGs
* Refactor to nested dictionary attack
* Renaming some variables
* Hard PRNG support for accelerated dictionary attack
* Update found keys, initial attempt
* Update found keys, second attempt
* Code cleanup
* Misc bugfixes
* Only use dicts in search_dicts_for_nonce_key if we have them
* Collect nonces again
* Should be detecting both backdoors now
* Relocate backdoor detection
* Hardnested support
* Fix regression for regular nested attack
* Backdoor read
* Backdoor working up to calibration
* Backdoor nested calibration
* Don't recalibrate hard PRNG tags
* Static encrypted nonce collection
* Update TODO
* NFC app UI updates, MVP
* Bump f18 API version (all functions are NFC related)
* Add new backdoor key, fix UI status update carrying over from previous read
* Clear TODO line
* Fix v1/v2 backdoor nonce collection
* Speed up backdoor detection, alert on new backdoor
* Add additional condition to backdoor check
* I'll try freeing memory, that's a good trick!
* Do not enter nested attack if card is already finished
* Do not reset the poller between collected nonces
* Clean up various issues
* Fix Hardnested sector/key type logging
* Add nested_target_key 64 to TODO
* Implement progress bar for upgraded attacks in NFC app
* Typo
* Zero nested_target_key and msb_count on exit
* Note TODO (malloc)
* Dismiss duplicate nonces
* Fix calibration (ensure values are within 3 standard deviations)
* Log static
* No nested dictionary attack re-entry
* Note minor inefficiency
* Uniformly use crypto1_ prefix for symbols in Crypto1 API
* Fix include paths
* Fix include paths cont
* Support CUID dictionary
* Fix log levels
* Avoid storage errors, clean up temporary files
* Handle invalid key candidates
* Fix memory leak in static encrypted attack
* Fix memory leak, use COUNT_OF macro
* Use single call to free FuriString
* Refactor enums to avoid redefinition
* Fix multiple crashes and state machine logic
* Fix inconsistent assignment of known key and known key type/sector
* Backdoor known key logic still needs the current key
* Larger data type for 4K support
* Fix typo
* Fix issue with resume logic
* Mark TODOs for next PR
* Remove redundant assignment
* Fix size_t format specifier
* Simplify auth_passed condition

Co-authored-by: Aleksandr Kutuzov <alleteam@gmail.com>
Co-authored-by: gornekich <n.gorbadey@gmail.com>
This commit is contained in:
Nathan N
2024-10-30 20:53:58 -04:00
committed by GitHub
parent f8fa71c575
commit 8427ec0098
20 changed files with 1929 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
applications/main/nfc/views/dict_attack.c
View File

@@ -21,6 +21,11 @@ typedef struct {
size_t dict_keys_current;
bool is_key_attack;
uint8_t key_attack_current_sector;
MfClassicNestedPhase nested_phase;
MfClassicPrngType prng_type;
MfClassicBackdoor backdoor;
uint16_t nested_target_key;
uint16_t msb_count;
} DictAttackViewModel;
static void dict_attack_draw_callback(Canvas* canvas, void* model) {
@@ -34,9 +39,47 @@ static void dict_attack_draw_callback(Canvas* canvas, void* model) {
} else {
char draw_str[32] = {};
canvas_set_font(canvas, FontSecondary);
switch(m->nested_phase) {
case MfClassicNestedPhaseAnalyzePRNG:
furi_string_set(m->header, "PRNG Analysis");
break;
case MfClassicNestedPhaseDictAttack:
case MfClassicNestedPhaseDictAttackVerify:
case MfClassicNestedPhaseDictAttackResume:
furi_string_set(m->header, "Nested Dictionary");
break;
case MfClassicNestedPhaseCalibrate:
case MfClassicNestedPhaseRecalibrate:
furi_string_set(m->header, "Calibration");
break;
case MfClassicNestedPhaseCollectNtEnc:
furi_string_set(m->header, "Nonce Collection");
break;
default:
break;
}
if(m->prng_type == MfClassicPrngTypeHard) {
furi_string_cat(m->header, " (Hard)");
}
if(m->backdoor != MfClassicBackdoorNone && m->backdoor != MfClassicBackdoorUnknown) {
if(m->nested_phase != MfClassicNestedPhaseNone) {
furi_string_cat(m->header, " (Backdoor)");
} else {
furi_string_set(m->header, "Backdoor Read");
}
}
canvas_draw_str_aligned(
canvas, 64, 0, AlignCenter, AlignTop, furi_string_get_cstr(m->header));
if(m->is_key_attack) {
canvas, 0, 0, AlignLeft, AlignTop, furi_string_get_cstr(m->header));
if(m->nested_phase == MfClassicNestedPhaseCollectNtEnc) {
uint8_t nonce_sector =
m->nested_target_key / (m->prng_type == MfClassicPrngTypeWeak ? 4 : 2);
snprintf(draw_str, sizeof(draw_str), "Collecting from sector: %d", nonce_sector);
canvas_draw_str_aligned(canvas, 0, 10, AlignLeft, AlignTop, draw_str);
} else if(m->is_key_attack) {
snprintf(
draw_str,
sizeof(draw_str),
@@ -46,21 +89,48 @@ static void dict_attack_draw_callback(Canvas* canvas, void* model) {
snprintf(draw_str, sizeof(draw_str), "Unlocking sector: %d", m->current_sector);
}
canvas_draw_str_aligned(canvas, 0, 10, AlignLeft, AlignTop, draw_str);
float dict_progress = m->dict_keys_total == 0 ?
0 :
(float)(m->dict_keys_current) / (float)(m->dict_keys_total);
float progress = m->sectors_total == 0 ? 0 :
((float)(m->current_sector) + dict_progress) /
(float)(m->sectors_total);
if(progress > 1.0f) {
progress = 1.0f;
}
if(m->dict_keys_current == 0) {
// Cause when people see 0 they think it's broken
snprintf(draw_str, sizeof(draw_str), "%d/%zu", 1, m->dict_keys_total);
float dict_progress = 0;
if(m->nested_phase == MfClassicNestedPhaseAnalyzePRNG ||
m->nested_phase == MfClassicNestedPhaseDictAttack ||
m->nested_phase == MfClassicNestedPhaseDictAttackVerify ||
m->nested_phase == MfClassicNestedPhaseDictAttackResume) {
// Phase: Nested dictionary attack
uint8_t target_sector =
m->nested_target_key / (m->prng_type == MfClassicPrngTypeWeak ? 2 : 16);
dict_progress = (float)(target_sector) / (float)(m->sectors_total);
snprintf(draw_str, sizeof(draw_str), "%d/%d", target_sector, m->sectors_total);
} else if(
m->nested_phase == MfClassicNestedPhaseCalibrate ||
m->nested_phase == MfClassicNestedPhaseRecalibrate ||
m->nested_phase == MfClassicNestedPhaseCollectNtEnc) {
// Phase: Nonce collection
if(m->prng_type == MfClassicPrngTypeWeak) {
uint8_t target_sector = m->nested_target_key / 4;
dict_progress = (float)(target_sector) / (float)(m->sectors_total);
snprintf(draw_str, sizeof(draw_str), "%d/%d", target_sector, m->sectors_total);
} else {
uint16_t max_msb = UINT8_MAX + 1;
dict_progress = (float)(m->msb_count) / (float)(max_msb);
snprintf(draw_str, sizeof(draw_str), "%d/%d", m->msb_count, max_msb);
}
} else {
snprintf(
draw_str, sizeof(draw_str), "%zu/%zu", m->dict_keys_current, m->dict_keys_total);
dict_progress = m->dict_keys_total == 0 ?
0 :
(float)(m->dict_keys_current) / (float)(m->dict_keys_total);
if(m->dict_keys_current == 0) {
// Cause when people see 0 they think it's broken
snprintf(draw_str, sizeof(draw_str), "%d/%zu", 1, m->dict_keys_total);
} else {
snprintf(
draw_str,
sizeof(draw_str),
"%zu/%zu",
m->dict_keys_current,
m->dict_keys_total);
}
}
if(dict_progress > 1.0f) {
dict_progress = 1.0f;
}
elements_progress_bar_with_text(canvas, 0, 20, 128, dict_progress, draw_str);
canvas_set_font(canvas, FontSecondary);
@@ -132,6 +202,11 @@ void dict_attack_reset(DictAttack* instance) {
model->dict_keys_total = 0;
model->dict_keys_current = 0;
model->is_key_attack = false;
model->nested_phase = MfClassicNestedPhaseNone;
model->prng_type = MfClassicPrngTypeUnknown;
model->backdoor = MfClassicBackdoorUnknown;
model->nested_target_key = 0;
model->msb_count = 0;
furi_string_reset(model->header);
},
false);
@@ -242,3 +317,41 @@ void dict_attack_reset_key_attack(DictAttack* instance) {
with_view_model(
instance->view, DictAttackViewModel * model, { model->is_key_attack = false; }, true);
}
void dict_attack_set_nested_phase(DictAttack* instance, MfClassicNestedPhase nested_phase) {
furi_assert(instance);
with_view_model(
instance->view, DictAttackViewModel * model, { model->nested_phase = nested_phase; }, true);
}
void dict_attack_set_prng_type(DictAttack* instance, MfClassicPrngType prng_type) {
furi_assert(instance);
with_view_model(
instance->view, DictAttackViewModel * model, { model->prng_type = prng_type; }, true);
}
void dict_attack_set_backdoor(DictAttack* instance, MfClassicBackdoor backdoor) {
furi_assert(instance);
with_view_model(
instance->view, DictAttackViewModel * model, { model->backdoor = backdoor; }, true);
}
void dict_attack_set_nested_target_key(DictAttack* instance, uint16_t nested_target_key) {
furi_assert(instance);
with_view_model(
instance->view,
DictAttackViewModel * model,
{ model->nested_target_key = nested_target_key; },
true);
}
void dict_attack_set_msb_count(DictAttack* instance, uint16_t msb_count) {
furi_assert(instance);
with_view_model(
instance->view, DictAttackViewModel * model, { model->msb_count = msb_count; }, true);
}