PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");\r
PrintAndLog(" o - OPTIONAL override safety check");\r
PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0");\r
+ PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed-bit-length (default), '1' Long Zero Reference"); \r
+ PrintAndLog(" '2' Leading Zero, '3' 1 of 4 "); \r
PrintAndLog(" ****WARNING****");\r
PrintAndLog(" Use of read with password on a tag not configured for a pwd");\r
PrintAndLog(" can damage the tag");\r
PrintAndLog(" p <password> - OPTIONAL password 4bytes (8 hex characters)");\r
PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0");\r
PrintAndLog(" t - OPTIONAL test mode write - ****DANGER****"); \r
+ PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed-bit-length (default), '1' Long Zero Reference"); \r
+ PrintAndLog(" '2' Leading Zero, '3' 1 of 4 "); \r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3");\r
PrintAndLog("Options:");\r
PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");\r
PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");\r
+ PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed-bit-length (default), '1' Long Zero Reference");\r
+ PrintAndLog(" '2' Leading Zero, '3' 1 of 4 "); \r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx detect");\r
PrintAndLog("");\r
return 0;\r
}\r
+int usage_t55xx_bruteforce_downlink(){\r
+ PrintAndLog("This command uses A) bruteforce to scan a number range");\r
+ PrintAndLog(" B) a dictionary attack");\r
+ PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+ PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
+ PrintAndLog("Options:");\r
+ PrintAndLog(" h - this help");\r
+ PrintAndLog(" r <start_pwd> <end_pwd> - 4 byte hex value to start and end pwd search at");\r
+ PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");\r
+ PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed-bit-length (default), '1' Long Zero Reference"); \r
+ PrintAndLog(" '2' Leading Zero, '3' 1 of 4 "); \r
+ PrintAndLog("");\r
+ PrintAndLog("Examples:");\r
+ PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+ PrintAndLog(" lf t55xx bruteforce i default_pwd.dic");\r
+ PrintAndLog("");\r
+ return 0;\r
+}\r
int usage_t55xx_wipe(){\r
PrintAndLog("Usage: lf t55xx wipe [h] [Q5]");\r
PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
return printConfiguration ( config );\r
}\r
\r
-int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){\r
+int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){\r
//Password mode\r
if ( usepwd ) {\r
// try reading the config block and verify that PWD bit is set before doing this!\r
if ( !override ) {\r
- if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0;\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0,downlink_mode ) ) return 0;\r
if ( !tryDetectModulation() ) {\r
PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");\r
return 0;\r
}\r
}\r
\r
- if (!AquireData(page1, block, usepwd, password) ) return 0;\r
+ if (!AquireData(page1, block, usepwd, password,downlink_mode) ) return 0;\r
if (!DecodeT55xxBlock()) return 0;\r
\r
char blk[10]={0};\r
int CmdT55xxReadBlock(const char *Cmd) {\r
uint8_t block = REGULAR_READ_MODE_BLOCK;\r
uint32_t password = 0; //default to blank Block 7\r
+ uint8_t downlink_mode = 0;\r
+ \r
bool usepwd = false;\r
bool override = false;\r
bool page1 = false;\r
page1 = true;\r
cmdp++;\r
break;\r
+ case 'e':\r
+ case 'E':\r
+ downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
+ if (downlink_mode > 3) downlink_mode = 0;\r
+ cmdp +=2;\r
+ break;\r
default:\r
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
errors = true;\r
}\r
\r
printT5xxHeader(page1);\r
- return T55xxReadBlock(block, page1, usepwd, override, password);\r
+ return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode);\r
}\r
\r
bool DecodeT55xxBlock(){\r
bool usepwd = false;\r
uint32_t password = 0;\r
uint8_t cmdp = 0;\r
+ uint8_t downlink_mode = 0;\r
\r
while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
switch(param_getchar(Cmd, cmdp)) {\r
useGB = true;\r
cmdp++;\r
break;\r
+ case 'e':\r
+ case 'E':\r
+ downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
+ if (downlink_mode > 3) downlink_mode = 0;\r
+ cmdp +=2;\r
+ break; \r
default:\r
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
errors = true;\r
if (errors) return usage_t55xx_detect();\r
\r
if ( !useGB) {\r
- if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password,downlink_mode) )\r
return 0;\r
}\r
\r
if ( !tryDetectModulation() )\r
PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
-\r
+ else {\r
+ // Add downlink mode to reference.\r
+ switch (downlink_mode) {\r
+ case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;\r
+ case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;\r
+ case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;\r
+ case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;\r
+ // default:\r
+ \r
+ // No default action\r
+ }\r
+ }\r
return 1;\r
}\r
\r
uint8_t block = 0xFF; //default to invalid block\r
uint32_t data = 0; //default to blank Block \r
uint32_t password = 0; //default to blank Block 7\r
+ uint32_t downlink_mode = 0;\r
+ \r
bool usepwd = false;\r
bool page1 = false; \r
bool gotdata = false;\r
page1 = true;\r
cmdp++;\r
break;\r
+ case 'e':\r
+ case 'E':\r
+ downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
+ if (downlink_mode > 3) downlink_mode = 0;\r
+ cmdp +=2;\r
+ break;\r
default:\r
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
errors = true;\r
UsbCommand resp;\r
c.d.asBytes[0] = (page1) ? 0x2 : 0; \r
c.d.asBytes[0] |= (testMode) ? 0x4 : 0; \r
-\r
+ c.d.asBytes[0] |= (downlink_mode << 3);\r
+ \r
char pwdStr[16] = {0};\r
snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);\r
\r
PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" );\r
-\r
+ \r
//Password mode\r
if (usepwd) {\r
c.arg[2] = password;\r
c.d.asBytes[0] |= 0x1; \r
}\r
+ \r
clearCommandBuffer();\r
SendCommand(&c);\r
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
return usage_t55xx_trace();\r
\r
if (strlen(Cmd)==0)\r
- if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
+ if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password,0 ) )\r
return 0;\r
\r
if ( config.Q5 ) {\r
return usage_t55xx_info();\r
\r
if (strlen(Cmd)==0)\r
- if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
+ if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password,0 ) )\r
return 1;\r
\r
if (!DecodeT55xxBlock()) return 1;\r
\r
printT5xxHeader(0);\r
for ( uint8_t i = 0; i <8; ++i)\r
- T55xxReadBlock(i, 0, usepwd, override, password);\r
+ T55xxReadBlock(i, 0, usepwd, override, password,0);\r
\r
printT5xxHeader(1);\r
for ( uint8_t i = 0; i<4; i++)\r
- T55xxReadBlock(i, 1, usepwd, override, password); \r
+ T55xxReadBlock(i, 1, usepwd, override, password,0); \r
\r
return 1;\r
}\r
\r
-int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode ){\r
// arg0 bitmodes:\r
// bit0 = pwdmode\r
// bit1 = page to read from\r
uint8_t arg0 = (page<<1) | pwdmode;\r
+ arg0 |= (downlink_mode << 3);\r
UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
\r
clearCommandBuffer();\r
char buf[9];\r
char filename[FILE_PATH_SIZE]={0};\r
int keycnt = 0;\r
+ uint8_t downlink_mode = 0;\r
int ch;\r
uint8_t stKeyBlock = 20;\r
uint8_t *keyBlock = NULL, *p = NULL;\r
\r
PrintAndLog("Testing %08X", testpwd);\r
\r
- if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd)) {\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd,downlink_mode)) {\r
PrintAndLog("Aquireing data from device failed. Quitting");\r
free(keyBlock);\r
return 0;\r
return 0;\r
}\r
\r
- if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i)) {\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,downlink_mode)) {\r
PrintAndLog("Aquireing data from device failed. Quitting");\r
free(keyBlock);\r
return 0;\r
return 0;\r
}\r
\r
+int CmdT55xxBruteForce_downlink(const char *Cmd) {\r
+\r
+ // load a default pwd file.\r
+ char buf[9];\r
+ char filename[FILE_PATH_SIZE]={0};\r
+ int keycnt = 0;\r
+ uint8_t downlink_mode = 0;\r
+ int ch;\r
+ uint8_t stKeyBlock = 20;\r
+ uint8_t *keyBlock = NULL, *p = NULL;\r
+ uint32_t start_password = 0x00000000; //start password\r
+ uint32_t end_password = 0xFFFFFFFF; //end password\r
+ bool found = false;\r
+ uint8_t cmdp = 0;\r
+ int cmd_offset = 0;\r
+ int errors = 0;\r
+ int len;\r
+ bool use_file = false;\r
+ bool use_range = false;\r
+ bool try_all_dl_modes = false;\r
+ uint8_t dl_mode = 0;\r
+ \r
+ keyBlock = calloc(stKeyBlock, 6);\r
+ if (keyBlock == NULL) return 1;\r
+\r
+ PrintAndLog("New Downlink Supprt");\r
+\r
+ while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'h':\r
+ case 'H':\r
+ return usage_t55xx_bruteforce_downlink();\r
+ case 'e':\r
+ case 'E':\r
+ downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
+ if (downlink_mode == 4) try_all_dl_modes = true;\r
+ if (downlink_mode > 3) downlink_mode = 0;\r
+ cmdp +=2;\r
+ cmd_offset += 4;\r
+ PrintAndLog ("DL Mode : %d",downlink_mode);\r
+ break;\r
+ case 'i':\r
+ case 'I':\r
+ if (use_range) {\r
+ PrintAndLog ("use Range or File");\r
+ return 0;\r
+ }\r
+ use_file = true;\r
+ len = strlen(Cmd+2);\r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ memcpy(filename, Cmd+cmd_offset+2, len);\r
+ cmdp += 2;\r
+ // PrintAndLog (" File : [%s]",filename);\r
+ break;\r
+ case 'r':\r
+ case 'R':\r
+ if (use_file) {\r
+ PrintAndLog ("use Range or File");\r
+ return 0;\r
+ }\r
+ use_range = true; // = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ start_password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ end_password = param_get32ex(Cmd, cmdp+2, 0, 16);\r
+ cmdp += 3;\r
+ cmd_offset += 20; // 8 + 8 + 1 + 1 + 1\r
+ // PrintAndLog (" Range : [%0X] - [%0X]",start_password,end_password);\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = true;\r
+ break;\r
+ }\r
+ }\r
+\r
+\r
+// if (cmdp == 'i' || cmdp == 'I') {\r
+\r
+ if (use_file)\r
+ {\r
+ FILE * f = fopen( filename , "r");\r
+\r
+ if ( !f ) {\r
+ PrintAndLog("File: %s: not found or locked.", filename);\r
+ free(keyBlock);\r
+ return 1;\r
+ }\r
+\r
+ while( fgets(buf, sizeof(buf), f) ) {\r
+ if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+\r
+ while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
+\r
+ //The line start with # is comment, skip\r
+ if( buf[0]=='#' ) continue;\r
+\r
+ if (!isxdigit((unsigned char)buf[0])) {\r
+ PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+ continue;\r
+ }\r
+ \r
+ buf[8] = 0;\r
+\r
+ if ( stKeyBlock - keycnt < 2) {\r
+ p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+ if (!p) {\r
+ PrintAndLog("Cannot allocate memory for defaultKeys");\r
+ free(keyBlock);\r
+ fclose(f);\r
+ return 2;\r
+ }\r
+ keyBlock = p;\r
+ }\r
+ memset(keyBlock + 4 * keycnt, 0, 4);\r
+ num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+ PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+ keycnt++;\r
+ memset(buf, 0, sizeof(buf));\r
+ }\r
+ fclose(f);\r
+ \r
+ if (keycnt == 0) {\r
+ PrintAndLog("No keys found in file");\r
+ free(keyBlock);\r
+ return 1;\r
+ }\r
+ PrintAndLog("Loaded %d keys", keycnt);\r
+ \r
+ // loop\r
+ uint64_t testpwd = 0x00;\r
+ for (uint16_t c = 0; c < keycnt; ++c ) {\r
+\r
+ if (ukbhit()) {\r
+ ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+ PrintAndLog("Testing %08X", testpwd);\r
+ \r
+ // Try each downlink_mode of asked to \r
+ // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3\r
+ for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++)\r
+ {\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd,dl_mode)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ found = tryDetectModulation();\r
+\r
+ if ( found ) {\r
+ PrintAndLog("Found valid password: [%08X]", testpwd);\r
+ free(keyBlock);\r
+ // Add downlink mode to reference.\r
+ switch (dl_mode) {\r
+ case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;\r
+ case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;\r
+ case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;\r
+ case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;\r
+ }\r
+ return 0;\r
+ }\r
+ if (!try_all_dl_modes) // Exit loop\r
+ dl_mode = 4;\r
+ }\r
+ }\r
+ PrintAndLog("Password NOT found.");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ if (use_range)\r
+ {\r
+ // incremental pwd range search\r
+ // start_password = param_get32ex(Cmd, 0, 0, 16);\r
+ // end_password = param_get32ex(Cmd, 1, 0, 16);\r
+\r
+ if ( start_password >= end_password ) {\r
+ free(keyBlock);\r
+ return usage_t55xx_bruteforce_downlink();\r
+ }\r
+ PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+\r
+ uint32_t i = start_password;\r
+\r
+ while ((!found) && (i <= end_password)) {\r
+\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,downlink_mode)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ found = tryDetectModulation();\r
+\r
+ if (found) break;\r
+ i++;\r
+ }\r
+\r
+ PrintAndLog("");\r
+ \r
+ if (found) {\r
+ PrintAndLog("Found valid password: [%08x]", i);\r
+ // Add downlink mode to reference.\r
+ switch (downlink_mode) {\r
+ case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;\r
+ case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;\r
+ case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;\r
+ case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;\r
+ }\r
+ }\r
+ else\r
+ PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+ free(keyBlock);\r
+ }\r
+ return 0;\r
+}\r
+\r
// note length of data returned is different for different chips. \r
// some return all page 1 (64 bits) and others return just that block (32 bits) \r
// unfortunately the 64 bits makes this more likely to get a false positive...\r
bool st = true;\r
\r
if ( getData ) {\r
- if ( !AquireData(T55x7_PAGE1, 1, false, 0) )\r
+ if ( !AquireData(T55x7_PAGE1, 1, false, 0,0) )\r
return false;\r
}\r
\r
if (errors) return usage_t55xx_detectP1();\r
\r
if ( !useGB ) {\r
- if ( !AquireData(T55x7_PAGE1, 1, usepwd, password) )\r
+ if ( !AquireData(T55x7_PAGE1, 1, usepwd, password,0) )\r
return false;\r
}\r
bool success = tryDetectP1(false);\r
\r
static command_t CommandTable[] = {\r
{"help", CmdHelp, 1, "This help"},\r
- {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+ {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+ {"bruteforcedl",CmdT55xxBruteForce_downlink,0, "r <start password> <end password> [i <*.dic>] [e <downlink>] Simple bruteforce attack to find password"},\r
{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
{"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
{"p1detect", CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"},\r
projects / proxmark3-svn / blobdiff