Research, development and trades concerning the powerful Proxmark3 device.
There are two different versions of the nonce2key code.
A) /client/nonce2key
B) /tools/nonce2key
The code under A is updated, and the B code compiles, but when running it the last two bytes of the found key are zeroed out.
I'm trying to get the code A to compile into a nice little program. However, the linker complains...
~/client/nonce2key$ gcc -std=c99 -I../../include -I../../common -I../ *.c
c:\Temp\ccCWZQau.o:nonce2key.c:(.text+0x623): undefined reference to `num_to_bytes'
c:\Temp\ccCWZQau.o:nonce2key.c:(.text+0x667): undefined reference to `mfCheckKeys'
c:/mingw/bin/../lib/gcc/mingw32/4.8.1/../../../../mingw32/bin/ld.exe: c:\Temp\ccCWZQau.o: bad reloc address 0x20 in section `.eh_frame'
c:/mingw/bin/../lib/gcc/mingw32/4.8.1/../../../../mingw32/bin/ld.exe: final link failed: Invalid operation
collect2.exe: error: ld returned 1 exit status
pm3 ~/client/nonce2key$
What am I missing?
Hi dudes,
I face exactly the same problem. Was someone able to compile (on Linux i486) the nonce2key.c program (located in ./client/nonce2key/)?
I invoke gcc in this way:
gcc -I../../include/ -I../../common/ -I../ nonce2key.c
and I got this result:
/tmp/ccuabwqX.o: In function `nonce2key':
nonce2key.c:(.text+0x120): undefined reference to `PrintAndLog'
nonce2key.c:(.text+0x335): undefined reference to `PrintAndLog'
nonce2key.c:(.text+0x372): undefined reference to `lfsr_common_prefix'
nonce2key.c:(.text+0x3c1): undefined reference to `lfsr_rollback_word'
nonce2key.c:(.text+0x3e5): undefined reference to `crypto1_get_lfsr'
nonce2key.c:(.text+0x6ec): undefined reference to `num_to_bytes'
nonce2key.c:(.text+0x72c): undefined reference to `mfCheckKeys'
collect2: error: ld returned 1 exit status
Note: I was able to compile the pm3 client without trouble.
What am I missing too?
Last edited by rbubba1911 (2016-01-19 17:20:39)
Hi iceman,
Glad to hear from you. I follow your fork with attention; I see your great progress on hardnested. I'm waiting for the BF.
I already use your firmware version; tomorrow I'll update my repo and compile your tools/nonce2key.
Thanks for the info, I'll keep you in touch.
Can't wait for tomorrow!
update/make
... your version compiles without problem, nice job.
Thanks again iceman.
Last edited by rbubba1911 (2016-01-19 19:14:47)
Sorry, I don't touch the hardnested. That is @piwi's baby.
What I did was use hardnested and save the nonces, then run the crapto-ev1 solver (BF) from @blapost. My test result just verifies what @piwi and @blapost have already done, and that their different solutions work.
Doh !
I read so many posts from both of you, I swapped your names.
Hahaa, I understand a bit more. Unfortunately the crapto-ev1 solver from bla is now unavailable; I can't do anything without this part (wink).
About the @piwi implementation, as I understand it, it's work in progress and it needs the brute force engine to find a key.
Am I missing something?
Yes, you are missing @piwi's point of not releasing a BF for his hardnested. He will not do that.
But @blapost will release his tool again.
I've compiled so many times now on MinGW/Win7 and on Ubuntu 14.04, 15.10, to remove warnings and fix crashes, so yeah, my fork should be very stable in that sense.
oO !
In fact, I missed the party!!
That's what I was afraid to understand when I read the end of his post.
So, my only hope is the bla tool. Is it a big deal to ask you to send me a copy?
Why don't you ask @blapost?
You know that you need to have a known key to be able to crack another key on the same tag? If you don't have that then the hardnested attack is useless. So don't put too much hope on it.
[edit] Does the nonce2key work for you?
Last edited by iceman (2016-01-19 20:17:53)
Good idea, I will ask bla too!
I'm aware of the known key requirement (it's currently the case!)
The program compiles fine, but I don't know how to find this info, probably from nonces.bin or a sniff trace?
syntax: ./nonce2key <uid> <nt> <par> <ks>
Again, you made my night!
I was looking for this in the hardnested output!
I dropped a mail to bla, crossed my fingers, lit a candle, killed a chicken, and now I'm waiting for a reply.
Big thanks.
Hey iceman,
Did you save the nonces with the w command in nonces.bin? Because I saved the nonces.bin and used the command ./solve -f nonces.bin and the program says "Input parse error pos:0".
Any suggestions what I'm doing wrong?
The GitHub user Aczid has released a new bruteforcer for Hardnested, which even outperforms blapost's solver. I haven't tested it yet.
https://github.com/aczid/crypto1_bs/
Thank you iceman, I'll give it a try. I've seen that I don't need to transform my bin for the tool from Aczid.
I'll give feedback...
The tool solve_piwi_bs works for me perfectly.
With a 6-core PC it finds the key in between 5 and 10 minutes.
Thanks to Aczid for this great BF.
Next step is to patch my pm3 client.
Hi all,
I'm trying to use these tools, but I've got a strange result:
./solve -f 0xcafec0de.txt -u 0xcafec0de
Leftover complexity: ffffffff548b43a4
100.00% done
FOUND: 626c61003333
./solve_bs 0xcafec0de.txt 0xcafec0de
Initializing BS crypto-1
Using 64-bit bitslices
Bitslicing rollback byte: 1f...
Bitslicing nonces...
Starting 6 threads to test 1418412964 states
Found key: 000061003333
Tested 3467318262 states
./solve_piwi 0xcafec0de.bin
Starting 6 threads to test 1418412964 states
Cracking... 56.71%
Found key: 000061003333
./solve_piwi_bs 0xcafec0de.bin
Initializing BS crypto-1
Using 64-bit bitslices
Bitslicing rollback byte: 1f...
Bitslicing nonces...
Starting 6 threads to test 1418412964 states
Found key: 000061003333
Tested 3518176550 states
It seems that the first 2 bytes are zeroed (0000).
I think the real key is "626c61003333"; why do I get this 'bad' result?
BTW, if I try to compile just by using the makefile I've got an error:
crapto1-v3.3/crapto1.h:69:9: warning: implicit declaration of function ‘asm’ [-Wimplicit-function-declaration]
asm( "movl %1, %%eax\n"
crapto1-v3.3/crapto1.h:75:35: error: expected ‘)’ before ‘:’ token
"movzx %%al, %0\n": "=r"(x) : "r"(x): "eax","ecx");
As a workaround, I build a library (.so) of crapto1
gcc -O3 crapto1.c -shared -o crapto1.so
and then use it instead of source.
gcc -O3 -mpopcnt -std=c99 solve_bs.c crypto1_bs.c crypto1_bs_crack.c -Icraptev1-v1.0 craptev1-v1.0/craptev1.c ./crapto1.so ./solve.so -o solve_bs -lpthread
or
gcc -O3 -mpopcnt -std=c99 solve_piwi_bs.c crypto1_bs.c crypto1_bs_crack.c -Icraptev1-v1.0 craptev1-v1.0/craptev1.c ./crapto1.so -o solve_piwi_bs -lpthread
Hi iceman,
Thanks to you, now it compiles fine.
I'll add -mmmx to get rid of the warning message,
but the key is always truncated:
Starting 6 threads to test 1418412964 states
Found key: 000061003333
Tested 3486435654 states
Do you have an idea what the cause can be?
Last edited by rbubba1911 (2016-04-20 13:23:26)
I took yesterday's commit.
I see many modifications today (at least <24h).
I'll refresh my files and try again.
I'll keep you in touch.
I've got the same result with the latest files:
the key is truncated.
So sad!
./solve_bs fails.
A good point: now it works with
"solve_piwi_bs" and "solve_piwi".
I've got the full key.
It seems related to ./solve.so.
Last edited by rbubba1911 (2016-04-20 13:47:03)
After some investigation,
I tend to think it's a bug in solve_bs.
Is it working on your side?
To test, I removed main() in solve.c and compiled solve_bs like this:
gcc -O3 -mpopcnt -mmmx -std=c99 solve_bs.c crypto1_bs.c crypto1_bs_crack.c -Icraptev1-v1.0 craptev1-v1.0/craptev1.c crapto1-v3.3/crapto1.c craptev1-v1.0/solve.c -o solve_bs -lpthread
(without first building the solve.so); it compiles fine but the key found is truncated.
Last edited by rbubba1911 (2016-04-20 14:08:46)
OK, I found the bug.
In file "solve_bs.c" line 29,
change the line:
printf("Found key: %012lx\n", key);
by:
printf("Found key: %012llx\n", key);
Hope it helps
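The truncation reported in this thread comes from printing a 64-bit key with "%lx" on a platform where long is only 32 bits (MinGW/Win7, i486 Linux). The following is an added example, not the solver's own code: it formats a key the portable way and, beside it, models what the buggy format produces, so the two renderings can be compared. The helper names and the sample key are assumptions for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A Crypto1 key is 48 bits wide, carried in a uint64_t. */
#define KEY_MASK UINT64_C(0xFFFFFFFFFFFF)

/* Portable formatting: PRIx64 always matches the width of uint64_t,
 * so all 12 hex digits of the key are printed on every platform. */
int format_key(uint64_t key, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%012" PRIx64, key & KEY_MASK);
}

/* Model of the buggy "%012lx" on a platform where long is 32 bits:
 * only the low 32 bits of the key reach printf, and the zero padding
 * fills in the top 16 bits of the 48-bit key. Passing a uint64_t to
 * %lx directly is undefined behaviour, so the truncation is reproduced
 * explicitly with a cast instead of relying on the bug itself. */
int format_key_32bit_long(uint64_t key, char *out, size_t outlen)
{
    uint32_t low = (uint32_t)key;
    return snprintf(out, outlen, "%012lx", (unsigned long)low);
}

/* Returns 1 when the two renderings differ, i.e. the format bug would
 * have corrupted this key on a 32-bit-long platform. */
int key_would_be_truncated(uint64_t key)
{
    char a[16], b[16];
    format_key(key, a, sizeof a);
    format_key_32bit_long(key, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample: the key discussed in the thread. */
    uint64_t key = UINT64_C(0x626c61003333);
    char buf[16];
    format_key(key, buf, sizeof buf);
    printf("portable format : %s\n", buf);
    format_key_32bit_long(key, buf, sizeof buf);
    printf("32-bit long bug : %s\n", buf);
    return 0;
}
```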
And I got @aczid's patch merged into my fork. Builds & works on MinGW & Ubuntu 14.04, breaks in Travis CI. I think Travis CI doesn't like the "-march=native" option for GCC.
[edit]
It builds on my updated MinGW environment, with gcc 4.9.3. The MinGW env in the proxspace distro will have some gcc compiler issues.
[/edit]