feat(classic): MIFARE Classic key recovery via PN533 nested attack#240
Open
codebutler wants to merge 7 commits intoflipperfrom
Open
feat(classic): MIFARE Classic key recovery via PN533 nested attack#240codebutler wants to merge 7 commits intoflipperfrom
codebutler wants to merge 7 commits intoflipperfrom
Conversation
Faithful port of the crapto1 reference implementation by blapost. Implements the 48-bit LFSR cipher used in MIFARE Classic cards, including the nonlinear filter function, PRNG successor, key load/extract, forward and rollback clocking, and encrypted mode support. All test vectors verified against compiled C reference. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implement MIFARE Classic three-pass mutual authentication handshake using the Crypto1 cipher: initCipher, computeReaderResponse, verifyCardResponse, encryptBytes, decryptBytes, and ISO 14443-3A CRC-A computation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…teThru Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…stream) Implement LFSR state recovery from 32-bit keystream, ported faithfully from Proxmark3's crapto1 lfsr_recovery32(). The algorithm splits keystream into odd/even bits, builds filter-consistent tables, extends them from 20 to 24 bits, then recursively extends with contribution tracking and bucket-sort intersection to find matching state pairs. Key implementation details: - extendTableSimple: in-place table extension for initial 20->24 bit phase - extendTable: new-array approach with contribution bit tracking - recover: recursive extension with bucket-sort intersection (replaces mfcuk's buggy quicksort/binsearch merge) - Input parameter transformation matching C: byte-swap and left-shift - nonceDistance and recoverKeyFromNonces helper functions Tests verify end-to-end key recovery using: - mfkey32 attack pattern (ks2 with input=0, encrypted nR rollback) - Nested attack pattern (ks0 with input=uid^nT) - Simple and init-only recovery scenarios - Nonce distance computation - Filter constraint pruning (candidate count sanity check) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… recovery Implements NestedAttack class that coordinates the three-phase key recovery process: PRNG calibration, encrypted nonce collection via nested authentication, and key recovery using LFSR state recovery. Tests cover the pure-logic components (PRNG calibration, simulated key recovery) since the full attack requires PN533 hardware. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…eader Wire the MIFARE Classic nested attack into the card reading flow as a fallback when all dictionary-based authentication methods fail. When using a PN533 backend and at least one sector key is already known, the reader now attempts key recovery via the Crypto1 nested attack before giving up on a sector. Changes: - PN533ClassicTechnology: expose rawPn533, rawUid, and uidAsUInt properties so card/classic can construct PN533RawClassic directly (avoids circular dependency between card and card/classic modules) - ClassicCardReader: track successful keys in recoveredKeys map, attempt nested attack after global dictionary keys fail, add keyBytesToLong and longToKeyBytes helper functions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…overy status Thread an onProgress callback through ClassicCardReader.readCard so the UI can report nested attack key recovery status. The desktop PN53x backend prints progress messages to the console. The parameter defaults to null so existing callers are unaffected. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
InCommunicateThru, bypassing the chip's internal Crypto1 handling to expose raw authentication noncesClassicCardReader— works on PN533 backends (desktop USB + web WebUSB)New files
crypto1/Crypto1.ktcrypto1/Crypto1Auth.ktcrypto1/Crypto1Recovery.ktlfsr_recovery32— recovers LFSR states from 32-bit keystreamcrypto1/NestedAttack.ktpn533/PN533RawClassic.ktInCommunicateThruwith CIU register controlHow it works
ClassicCardReadertries known keys (default, MAD, user-provided, dictionary)NestedAttackauthenticates with the known key, sends nested AUTH to the target sectorlfsrRecovery32finds candidate LFSR states from the extracted keystreamPlatforms
Test plan
./gradlew :card:classic:jvmTestpasses (all crypto + recovery tests)🤖 Generated with Claude Code