+int CmdResetRead(const char *Cmd) {\r
+ UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
+\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
+ if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+ PrintAndLog("command execution time out");\r
+ return 0;\r
+ }\r
+\r
+ uint8_t got[BIGBUF_SIZE-1];\r
+ GetFromBigBuf(got,sizeof(got),0);\r
+ WaitForResponse(CMD_ACK,NULL);\r
+ setGraphBuf(got, sizeof(got));\r
+ return 1;\r
+}\r
+\r
+int CmdT55xxWipe(const char *Cmd) {\r
+ char writeData[20] = {0};\r
+ char *ptrData = writeData;\r
+\r
+ char cmdp = param_getchar(Cmd, 0); \r
+ if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wipe();\r
+\r
+ bool Q5 = (cmdp == 'q' || cmdp == 'Q');\r
+\r
+ // Try with the default password to reset block 0\r
+ // With a pwd should work even if pwd bit not set\r
+ PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+\r
+ if ( Q5 ){\r
+ snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
+ } else {\r
+ snprintf(ptrData,sizeof(writeData),"b 0 d 00088040 p 0");\r
+ }\r
+\r
+ if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
+\r
+ for (uint8_t blk = 1; blk<8; blk++) {\r
+ snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
+ if (!CmdT55xxWriteBlock(ptrData))\r
+ PrintAndLog("Error writing blk %d", blk);\r
+\r
+ memset(writeData, 0x00, sizeof(writeData));\r
+ }\r
+ return 0;\r
+}\r
+\r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+\r
+ // load a default pwd file.\r
+ char buf[9];\r
+ char filename[FILE_PATH_SIZE]={0};\r
+ int keycnt = 0;\r
+ int ch;\r
+ uint8_t stKeyBlock = 20;\r
+ uint8_t *keyBlock = NULL, *p = NULL;\r
+ uint32_t start_password = 0x00000000; //start password\r
+ uint32_t end_password = 0xFFFFFFFF; //end password\r
+ bool found = false;\r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+ keyBlock = calloc(stKeyBlock, 6);\r
+ if (keyBlock == NULL) return 1;\r
+\r
+ if (cmdp == 'i' || cmdp == 'I') {\r
+\r
+ int len = strlen(Cmd+2);\r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ memcpy(filename, Cmd+2, len);\r
+\r
+ FILE * f = fopen( filename , "r");\r
+\r
+ if ( !f ) {\r
+ PrintAndLog("File: %s: not found or locked.", filename);\r
+ free(keyBlock);\r
+ return 1;\r
+ }\r
+\r
+ while( fgets(buf, sizeof(buf), f) ) {\r
+ if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+\r
+ while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
+\r
+ //The line start with # is comment, skip\r
+ if( buf[0]=='#' ) continue;\r
+\r
+ if (!isxdigit(buf[0])) {\r
+ PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+ continue;\r
+ }\r
+ \r
+ buf[8] = 0;\r
+\r
+ if ( stKeyBlock - keycnt < 2) {\r
+ p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+ if (!p) {\r
+ PrintAndLog("Cannot allocate memory for defaultKeys");\r
+ free(keyBlock);\r
+ fclose(f);\r
+ return 2;\r
+ }\r
+ keyBlock = p;\r
+ }\r
+ memset(keyBlock + 4 * keycnt, 0, 4);\r
+ num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+ PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+ keycnt++;\r
+ memset(buf, 0, sizeof(buf));\r
+ }\r
+ fclose(f);\r
+ \r
+ if (keycnt == 0) {\r
+ PrintAndLog("No keys found in file");\r
+ free(keyBlock);\r
+ return 1;\r
+ }\r
+ PrintAndLog("Loaded %d keys", keycnt);\r
+ \r
+ // loop\r
+ uint64_t testpwd = 0x00;\r
+ for (uint16_t c = 0; c < keycnt; ++c ) {\r
+\r
+ if (ukbhit()) {\r
+ ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+ PrintAndLog("Testing %08X", testpwd);\r
+\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ found = tryDetectModulation();\r
+\r
+ if ( found ) {\r
+ PrintAndLog("Found valid password: [%08X]", testpwd);\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ }\r
+ PrintAndLog("Password NOT found.");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ // Try to read Block 7, first :)\r
+\r
+ // incremental pwd range search\r
+ start_password = param_get32ex(Cmd, 0, 0, 16);\r
+ end_password = param_get32ex(Cmd, 1, 0, 16);\r
+\r
+ if ( start_password >= end_password ) {\r
+ free(keyBlock);\r
+ return usage_t55xx_bruteforce();\r
+ }\r
+ PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+\r
+ uint32_t i = start_password;\r
+\r
+ while ((!found) && (i <= end_password)) {\r
+\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ found = tryDetectModulation();\r
+\r
+ if (found) break;\r
+ i++;\r
+ }\r
+\r
+ PrintAndLog("");\r
+\r
+ if (found)\r
+ PrintAndLog("Found valid password: [%08x]", i);\r
+ else\r
+ PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+ free(keyBlock);\r
+ return 0;\r
+}\r
+\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+ {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+ {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+ {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+ {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+ {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+ {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+ {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+ {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+ {"special", special, 0, "Show block changes with 64 different offsets"},\r
+ {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},\r
+ {"wipe", CmdT55xxWipe, 0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r