Reversing a coffee machine key

Posté le ven. 07 mai 2021 dans blog

At $DAYJOB, a long time ago, we had big a coffee machine allowing us to store money in NFC keys. NFC keys were Mifare 1K ones, so they had a security hole (Search mfoc), so I tried reverse engineering them, you know, free coffee…

Before starting you can download key dumps to follow along with me.

I will not paste all dumps in this page, (1k dumps are big in hexadecimal on a blog post) but I dumped a few keys with a few different values, and I'll post the diffs between dumps.

I got two keys, and two dumps per key. First key from 9.2€ to 8.35€. Second key from 0€ to 0.10€

Diff of the first key (Between a dump of 9.2€ and a dump of 8.35€):

< 2 060  b491 7e19 0000 0000 0000 0000 1801 003f  100 R:AB W:-B I:-- DTR:-- r/w block
---
> 2 060  82bb 261a 0000 0000 0000 0000 1c01 0020  100 R:AB W:-B I:-- DTR:-- r/w block
26,27c26,27
< 0 080  9803 0000 67fc ffff 9803 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block
< 1 090  c503 0000 3afc ffff c503 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block
---
> 0 080  4303 0000 bcfc ffff 4303 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block
> 1 090  7003 0000 8ffc ffff 7003 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block

Diff of the second key (Between a dump of 0€ and a dump of 0.10€):

< 2 060  daa0 9019 0000 0000 0000 0000 2200 0098  100 R:AB W:-B I:-- DTR:-- r/w block
---
> 2 060  2eaf 261a 0000 0000 0000 0000 2300 00d2  100 R:AB W:-B I:-- DTR:-- r/w block
26,27c26,27
< 0 080  0000 0000 ffff ffff 0000 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block
< 1 090  2d00 0000 d2ff ffff 2d00 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block
---
> 0 080  0a00 0000 f5ff ffff 0a00 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block
> 1 090  0000 0000 ffff ffff 0000 0000 09f6 09f6  110 R:AB W:-B I:-B DTR:AB r/w block

To start let's focus on the two-lines diff, at adresses 0x080 and 0x090.

When I reverse engineer I like to loop between "presentation" (put an effort to make the data readable) and "understanding" (get an information from the data), so my first step, is to render this in a clean way. I had an intuition for a one's complement (as I spotted ffff / 0000, what an intuition...), so I wanted to see binary data. I also dropped columns of data that were identical between two dumps:

9.2 : 9803 0000 67fc  c503 0000 3afc | 10011000.00000011 ... 01100111.11111100  11000101.00000011 ... 00111010.11111100
8.3 : 4303 0000 bcfc  7003 0000 8ffc | 01000011.00000011 ... 10111100.11111100  01110000.00000011 ... 10001111.11111100
0.1 : 0a00 0000 f5ff  0000 0000 ffff | 00001010.00000000 ... 11110101.11111111  00000000.00000000 ... 11111111.11111111
0.0 : 0000 0000 ffff  2d00 0000 d2ff | 00000000.00000000 ... 11111111.11111111  00101101.00000000 ... 11010010.11111111

So, my first intuition was true: the data is stored twice, the 2nd one is the one's complement of the first. So half of the data is useless for me, I can drop it from my representation.

Follow a simplified presentation witout duplicate (complemented) data:

9.2 : 9803 c503 10011000.00000011 11000101.00000011 0398 -> 920 | 03c5 -> 965
8.3 : 4303 7003 01000011.00000011 01110000.00000011 0343 -> 835 | 0370 -> 880
0.1 : 0a00 0000 00001010.00000000 00000000.00000000 000A ->  10 | 0000 ->   0
0.0 : 0000 2d00 00000000.00000000 00101101.00000000 0000 ->   0 | 002d ->  45

At this point I see 0a00 on the 0.10€ key, as 0a(16) is 10(10), 0a00 is 10 in big endian... money may be stored here… in big endian in 1/100 of euros. Let's test with 9803(16be), gives 920(10) that give 9.20€, yes!! Free coffee not far away!

This is the big part of the dump, the remaining part (top one) seems to store metadata but is not reversed yet.

Follow two tables, for the two keys, showing old_value -> new_value, with, for each value, its binay representation and its base 10 representation as if value is stored in big endian.

In the following table, 16be mean "From base 16 big endian to decimal", 16le for little endian.

9.2 -> 8.35
Value: As binary          16be  16le    Value: As binary          16be  16le
DAA0 : 11011010.10100000 41178 55968 -> 2EAF : 00101110.10101111 44846 11951 date ?
9019 : 10010000.00011001  6544 36889 -> 261A : 00100110.00011010  6694  9754
2200 : 00100010.00000000    34  8704 -> 2300 : 00100011.00000000    35  8960 count ?
0098 : 00000000.10011000 38912   152 -> 00D2 : 00000000.11010010 53760   210
0.0 -> 0.1
Value: As binary          16be  16le    Value: As binary          16be  16le
B491 : 10110100.10010001 37300 46225 -> 82BB : 10000010.10111011 48002 d33467 date ?
7E19 : 01111110.00011001  6526 32281 -> 261A : 00100110.00011010  6694   9754
1801 : 00011000.00000001   280  6145 -> 1C01 : 00011100.00000001   284   7169 count ?
003F : 00000000.00111111 16128    63 -> 0020 : 00000000.00100000  8192     32

Non reversed data:

mandark@blanc$ grep 00000060 *.dmp.hex | column -t
step1-0.dmp.hex:00000060    da  a0  90  19  00  00  00  00  00  00  00  00  22  00  00  98  |............"...|
step2-0.1.dmp.hex:00000060  2e  af  26  1a  00  00  00  00  00  00  00  00  23  00  00  d2  |..&.........#...|
step3-0.2.dmp.hex:00000060  53  1a  51  1a  00  00  00  00  00  00  00  00  24  00  00  98  |S.Q.........$...|
mandark@blanc$ grep 00000060 *.dmp.hex | column -t
step1-9.2.dmp.hex:00000060   b4  91  7e  19  00  00  00  00  00  00  00  00  18  01  00  3f  |..~............?|
step2-8.35.dmp.hex:00000060  82  bb  26  1a  00  00  00  00  00  00  00  00  1c  01  00  20  |..&............ |
step3-3.9.dmp.hex:00000060   c7  9a  59  1a  00  00  00  00  00  00  00  00  2a  01  00  91  |..Y.........*...|

Clearly 0022 0023 0024, and 0118 011C 012A are juste counters. I only add 10 cents on the key1 between each dumps, but I drink some coffee between each dumps on key2, so it's normal values. I now know I drank 18 coffees between first and last dump!

-----------------------------------------------------------------------------------
|money |  counter     |    Last byte ?    | First long, kind of timestamp         |
|---------------------------------------------------------------------------------|
|euro  |  hex     dec | hex  dec      bin |         hex  little endian        dec |
|---------------------------------------------------------------------------------|
|0     |  22 00    34 |  98  152 10011000 | da a0 90 19    19 90 a0 da  428908762 |
|0.1   |  23 00    35 |  D2  210 11010010 | 2e af 26 1a    1a 26 af 2e  438742830 |
|0.2   |  24 00    36 |  98  152 10011000 | 53 1a 51 1a    1a 51 1a 53  441522771 |
|---------------------------------------------------------------------------------|
|9.2   |  18 01   280 |  3F   63 00111111 | b4 91 7e 19    19 7e 91 b4  427725236 |
|8.35  |  1C 01   284 |  20   32 00100000 | 82 bb 26 1a    1a 26 bb 82  438745986 |
|3.9   |  2A 01   298 |  91  145 10010001 | c7 9a 59 1a    1a 59 9a c7  442079943 |
-----------------------------------------------------------------------------------

First long seems to be a kind of timestamp, but it's not a unix timestamp. It seems to count seconds, but I don't know the start point. Start point may be random ^-^

About last byte, I tried some crc's (namely crc-8, crc-8-darc, crc-8-i-code, crc-8-itu, crc-8-maxim, crc-8-rohc, crc-8-wcdma, crc-16, crc-16-buypass, crc-16-dds-110, crc-16-dect, crc-16-dnp, crc-16-en-13757, crc-16-genibus, crc-16-maxim, crc-16-mcrf4xx, crc-16-riello, crc-16-t10-dif, crc-16-teledisk, crc-16-usb, x-25, xmodem, modbus, kermit, crc-ccitt-false, crc-aug-ccitt, crc-24, crc-24-flexray-a, crc-24-flexray-b, crc-32, crc-32-bzip2, crc-32c, crc-32d, crc-32-mpeg, posix, crc-32q, jamcrc, xfer, crc-64, crc-64-we, crc-64-jones)

I tried with last byte set to any possible value and I '% 255'ed results, also tried without last byte, so I got a lot of false positive matches, for example, for step1-0.dmp.hex:00000060, I have 39 possibilities yielding to 98, but I found NO possibility working with the same params for two different dumps.

We may try to compute more value in CRC's, for example whole block, I just tried to CRC a single line (16 bytes), but I stopped my research here and get back to work.