rat167
February 16th, 2011, 04:14
hello again.
After partial success with HASP dongles I have another topic to debate.
How to obtain iButton passwords ;]
The dongle has 3 user memory bank called Subkey 0, Subkey 1, Subkey 2.
From what I had read the authentication is made by SHA-1 engine computing 20byte MAC from
Internal 8-byte secret
32-byte memory page
13 bytes of constants
Numeric value of selected page - 1 byte
DS 2432 Family code 1 byte
DS2432 48 bit serial number - 6 bytes
3 bytes of scratchpad
scratchpad in this case is random challenge made to compare both host and client MACs to prove authentic.
I will be able to physically do anything with the machine that uses iButton.
My plan was to "overhear" the message between machine and dongle and intercept it.
That would be: random challenge, MAC device ID and basically everything.
Only reading of 1 wire function control and 64 bit lasered ROM are parasite powered by the host so intercepting shouldn't disrupt work of the device (sorry for my bad english).
After interception of the message I believe it is possible to brute force the SHA-1 hash in order to obtain the passwords. If I had 13 bytes of constants and 3 random bytes (or only 3 random bytes which would be significantly harder to break).
Only thing is that I wasn't able find the tool that would do such a trick.
And I'm not sure how exactly I should intercept the message (I have help with building a device for such a thing) and how to "write it down" to be readable.
If there is a way of reversing this using only 1-wire usb adapter and tool it would be great.
One more thing, I know that this had been done before and it is possible I just don't know exactly how.
I'm also not able to contact with someone who's done that.
Thanks for help already ;]
After partial success with HASP dongles I have another topic to debate.
How to obtain iButton passwords ;]
The dongle has 3 user memory bank called Subkey 0, Subkey 1, Subkey 2.
From what I had read the authentication is made by SHA-1 engine computing 20byte MAC from
Internal 8-byte secret
32-byte memory page
13 bytes of constants
Numeric value of selected page - 1 byte
DS 2432 Family code 1 byte
DS2432 48 bit serial number - 6 bytes
3 bytes of scratchpad
scratchpad in this case is random challenge made to compare both host and client MACs to prove authentic.
I will be able to physically do anything with the machine that uses iButton.
My plan was to "overhear" the message between machine and dongle and intercept it.
That would be: random challenge, MAC device ID and basically everything.
Only reading of 1 wire function control and 64 bit lasered ROM are parasite powered by the host so intercepting shouldn't disrupt work of the device (sorry for my bad english).
After interception of the message I believe it is possible to brute force the SHA-1 hash in order to obtain the passwords. If I had 13 bytes of constants and 3 random bytes (or only 3 random bytes which would be significantly harder to break).
Only thing is that I wasn't able find the tool that would do such a trick.
And I'm not sure how exactly I should intercept the message (I have help with building a device for such a thing) and how to "write it down" to be readable.
If there is a way of reversing this using only 1-wire usb adapter and tool it would be great.
One more thing, I know that this had been done before and it is possible I just don't know exactly how.
I'm also not able to contact with someone who's done that.
Thanks for help already ;]