MIFARE Classic Key Recovery Improvements (#3822)

* Initial structure for nonce collection * Nonce logging * Dictionary attack structure * Fix compilation * Identified method to reduce candidate states * Use EXT_PATH instead of ANY_PATH * Use median calibrated distance, collect parity bits * Modify parity collection * Fixed parity bit collection * Add note to fix nonce logging * Fix nonce logging * Clean redundant code * Fix valid_nonce * First attempt disambiguous nonce implementation * FM11RF08S backdoor detection * Initial accelerated dictionary attack for weak PRNGs * Refactor to nested dictionary attack * Renaming some variables * Hard PRNG support for accelerated dictionary attack * Update found keys, initial attempt * Update found keys, second attempt * Code cleanup * Misc bugfixes * Only use dicts in search_dicts_for_nonce_key if we have them * Collect nonces again * Should be detecting both backdoors now * Relocate backdoor detection * Hardnested support * Fix regression for regular nested attack * Backdoor read * Backdoor working up to calibration * Backdoor nested calibration * Don't recalibrate hard PRNG tags * Static encrypted nonce collection * Update TODO * NFC app UI updates, MVP * Bump f18 API version (all functions are NFC related) * Add new backdoor key, fix UI status update carrying over from previous read * Clear TODO line * Fix v1/v2 backdoor nonce collection * Speed up backdoor detection, alert on new backdoor * Add additional condition to backdoor check * I'll try freeing memory, that's a good trick! * Do not enter nested attack if card is already finished * Do not reset the poller between collected nonces * Clean up various issues * Fix Hardnested sector/key type logging * Add nested_target_key 64 to TODO * Implement progress bar for upgraded attacks in NFC app * Typo * Zero nested_target_key and msb_count on exit * Note TODO (malloc) * Dismiss duplicate nonces * Fix calibration (ensure values are within 3 standard deviations) * Log static * No nested dictionary attack re-entry * Note minor inefficiency * Uniformly use crypto1_ prefix for symbols in Crypto1 API * Fix include paths * Fix include paths cont * Support CUID dictionary * Fix log levels * Avoid storage errors, clean up temporary files * Handle invalid key candidates * Fix memory leak in static encrypted attack * Fix memory leak, use COUNT_OF macro * Use single call to free FuriString * Refactor enums to avoid redefinition * Fix multiple crashes and state machine logic * Fix inconsistent assignment of known key and known key type/sector * Backdoor known key logic still needs the current key * Larger data type for 4K support * Fix typo * Fix issue with resume logic * Mark TODOs for next PR * Remove redundant assignment * Fix size_t format specifier * Simplify auth_passed condition Co-authored-by: Aleksandr Kutuzov <alleteam@gmail.com> Co-authored-by: gornekich <n.gorbadey@gmail.com>
2026-05-20 04:54:45 -07:00 · 2024-10-30 20:53:58 -04:00
parent f8fa71c575
commit 8427ec0098
20 changed files with 1929 additions and 106 deletions
--- a/lib/nfc/protocols/mf_classic/mf_classic_poller.h
+++ b/lib/nfc/protocols/mf_classic/mf_classic_poller.h
@@ -44,9 +44,46 @@ typedef enum {
 typedef enum {
    MfClassicPollerModeRead, /**< Poller reading mode. */
    MfClassicPollerModeWrite, /**< Poller writing mode. */
-    MfClassicPollerModeDictAttack, /**< Poller dictionary attack mode. */
+    MfClassicPollerModeDictAttackStandard, /**< Poller dictionary attack mode. */
+    MfClassicPollerModeDictAttackEnhanced, /**< Poller enhanced dictionary attack mode. */
 } MfClassicPollerMode;

+/**
+ * @brief MfClassic poller nested attack phase.
+ */
+typedef enum {
+    MfClassicNestedPhaseNone, /**< No nested attack has taken place yet. */
+    MfClassicNestedPhaseAnalyzePRNG, /**< Analyze nonces produced by the PRNG to determine if they fit a weak PRNG */
+    MfClassicNestedPhaseDictAttack, /**< Search keys which match the expected PRNG properties and parity for collected nonces */
+    MfClassicNestedPhaseDictAttackVerify, /**< Verify candidate keys by authenticating to the sector with the key */
+    MfClassicNestedPhaseDictAttackResume, /**< Resume nested dictionary attack from the last tested (invalid) key */
+    MfClassicNestedPhaseCalibrate, /**< Perform necessary calculations to recover the plaintext nonce during later collection phase (weak PRNG tags only) */
+    MfClassicNestedPhaseRecalibrate, /**< Collect the next plaintext static encrypted nonce for backdoor static encrypted nonce nested attack */
+    MfClassicNestedPhaseCollectNtEnc, /**< Log nonces collected during nested authentication for key recovery */
+    MfClassicNestedPhaseFinished, /**< Nested attack has finished */
+} MfClassicNestedPhase;
+
+/**
+ * @brief MfClassic pseudorandom number generator (PRNG) type.
+ */
+typedef enum {
+    MfClassicPrngTypeUnknown, // Tag not yet tested
+    MfClassicPrngTypeNoTag, // No tag detected during test
+    MfClassicPrngTypeWeak, // Weak PRNG, standard Nested
+    MfClassicPrngTypeHard, // Hard PRNG, Hardnested
+} MfClassicPrngType;
+
+/**
+ * @brief MfClassic authentication backdoor type.
+ */
+typedef enum {
+    MfClassicBackdoorUnknown, // Tag not yet tested
+    MfClassicBackdoorNone, // No observed backdoor
+    MfClassicBackdoorAuth1, // Tag responds to v1 auth backdoor
+    MfClassicBackdoorAuth2, // Tag responds to v2 auth backdoor (sometimes static encrypted)
+    MfClassicBackdoorAuth3, // Tag responds to v3 auth backdoor (static encrypted nonce)
+} MfClassicBackdoor;
+
 /**
 * @brief MfClassic poller request mode event data.
 *
@@ -77,6 +114,12 @@ typedef struct {
    uint8_t sectors_read; /**< Number of sectors read. */
    uint8_t keys_found; /**< Number of keys found. */
    uint8_t current_sector; /**< Current sector number. */
+    MfClassicNestedPhase nested_phase; /**< Nested attack phase. */
+    MfClassicPrngType prng_type; /**< PRNG (weak or hard). */
+    MfClassicBackdoor backdoor; /**< Backdoor type. */
+    uint16_t nested_target_key; /**< Target key for nested attack. */
+    uint16_t
+        msb_count; /**< Number of unique most significant bytes seen during Hardnested attack. */
 } MfClassicPollerEventDataUpdate;

 /**
@@ -170,13 +213,15 @@ typedef struct {
 * @param[in] block_num block number for authentication.
 * @param[in] key_type key type to be used for authentication.
 * @param[out] nt pointer to the MfClassicNt structure to be filled with nonce data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
 * @return MfClassicErrorNone on success, an error code on failure.
 */
 MfClassicError mf_classic_poller_get_nt(
    MfClassicPoller* instance,
    uint8_t block_num,
    MfClassicKeyType key_type,
-    MfClassicNt* nt);
+    MfClassicNt* nt,
+    bool backdoor_auth);

 /**
 * @brief Collect tag nonce during nested authentication.
@@ -189,13 +234,15 @@ MfClassicError mf_classic_poller_get_nt(
 * @param[in] block_num block number for authentication.
 * @param[in] key_type key type to be used for authentication.
 * @param[out] nt pointer to the MfClassicNt structure to be filled with nonce data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
 * @return MfClassicErrorNone on success, an error code on failure.
 */
 MfClassicError mf_classic_poller_get_nt_nested(
    MfClassicPoller* instance,
    uint8_t block_num,
    MfClassicKeyType key_type,
-    MfClassicNt* nt);
+    MfClassicNt* nt,
+    bool backdoor_auth);

 /**
 * @brief Perform authentication.
@@ -210,6 +257,7 @@ MfClassicError mf_classic_poller_get_nt_nested(
 * @param[in] key key to be used for authentication.
 * @param[in] key_type key type to be used for authentication.
 * @param[out] data pointer to MfClassicAuthContext structure to be filled with authentication data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
 * @return MfClassicErrorNone on success, an error code on failure.
 */
 MfClassicError mf_classic_poller_auth(
@@ -217,20 +265,23 @@ MfClassicError mf_classic_poller_auth(
    uint8_t block_num,
    MfClassicKey* key,
    MfClassicKeyType key_type,
-    MfClassicAuthContext* data);
+    MfClassicAuthContext* data,
+    bool backdoor_auth);

 /**
 * @brief Perform nested authentication.
 *
 * Must ONLY be used inside the callback function.
 *
- * Perform nested  authentication as specified in Mf Classic protocol.
+ * Perform nested authentication as specified in Mf Classic protocol.
 *
 * @param[in, out] instance pointer to the instance to be used in the transaction.
 * @param[in] block_num block number for authentication.
 * @param[in] key key to be used for authentication.
 * @param[in] key_type key type to be used for authentication.
 * @param[out] data pointer to MfClassicAuthContext structure to be filled with authentication data.
+ * @param[in] backdoor_auth flag indicating if backdoor authentication is used.
+ * @param[in] early_ret return immediately after receiving encrypted nonce.
 * @return MfClassicErrorNone on success, an error code on failure.
 */
 MfClassicError mf_classic_poller_auth_nested(
@@ -238,7 +289,9 @@ MfClassicError mf_classic_poller_auth_nested(
    uint8_t block_num,
    MfClassicKey* key,
    MfClassicKeyType key_type,
-    MfClassicAuthContext* data);
+    MfClassicAuthContext* data,
+    bool backdoor_auth,
+    bool early_ret);

 /**
 * @brief Halt the tag.