X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/940d53098c64fde87ac035a3b6ba7722d43e755e..818e15b0c815d25fdfb914cd826baf14b48fa19d:/client/cmdlfpcf7931.c diff --git a/client/cmdlfpcf7931.c b/client/cmdlfpcf7931.c index b1e1ae9e..9882da5f 100644 --- a/client/cmdlfpcf7931.c +++ b/client/cmdlfpcf7931.c @@ -1,6 +1,7 @@ //----------------------------------------------------------------------------- // Copyright (C) 2012 Chalk // 2015 Dake +// 2018 sguerrini97 // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -9,128 +10,223 @@ // Low frequency PCF7931 commands //----------------------------------------------------------------------------- +#include "cmdlfpcf7931.h" + #include #include -#include "proxmark3.h" +#include "comms.h" #include "ui.h" +#include "util.h" #include "graph.h" #include "cmdparser.h" #include "cmddata.h" #include "cmdmain.h" #include "cmdlf.h" -#include "cmdlfpcf7931.h" static int CmdHelp(const char *Cmd); -struct pcf7931_config configPcf = {{0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF},17500,{0,0}}; +#define PCF7931_DEFAULT_INITDELAY 17500 +#define PCF7931_DEFAULT_OFFSET_WIDTH 0 +#define PCF7931_DEFAULT_OFFSET_POSITION 0 + +// Default values - Configuration +struct pcf7931_config configPcf = { + {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, + PCF7931_DEFAULT_INITDELAY, + PCF7931_DEFAULT_OFFSET_WIDTH, + PCF7931_DEFAULT_OFFSET_POSITION + }; + +// Resets the configuration settings to default values. +int pcf7931_resetConfig(){ + memset(configPcf.Pwd, 0xFF, sizeof(configPcf.Pwd) ); + configPcf.InitDelay = PCF7931_DEFAULT_INITDELAY; + configPcf.OffsetWidth = PCF7931_DEFAULT_OFFSET_WIDTH; + configPcf.OffsetPosition = PCF7931_DEFAULT_OFFSET_POSITION; + return 0; +} + +int pcf7931_printConfig(){ + PrintAndLog("Password (LSB first on bytes) : %s", sprint_hex( configPcf.Pwd, sizeof(configPcf.Pwd))); + PrintAndLog("Tag initialization delay : %d us", configPcf.InitDelay); + PrintAndLog("Offset low pulses width : %d us", configPcf.OffsetWidth); + PrintAndLog("Offset low pulses position : %d us", configPcf.OffsetPosition); + return 0; +} + +int usage_pcf7931_read(){ + PrintAndLog("Usage: lf pcf7931 read [h] "); + PrintAndLog("This command tries to read a PCF7931 tag."); + PrintAndLog("Options:"); + PrintAndLog(" h This help"); + PrintAndLog("Examples:"); + PrintAndLog(" lf pcf7931 read"); + return 0; +} + +int usage_pcf7931_write(){ + PrintAndLog("Usage: lf pcf7931 write [h] "); + PrintAndLog("This command tries to write a PCF7931 tag."); + PrintAndLog("Options:"); + PrintAndLog(" h This help"); + PrintAndLog(" blockaddress Block to save [0-7]"); + PrintAndLog(" byteaddress Index of byte inside block to write [0-15]"); + PrintAndLog(" data one byte of data (hex)"); + PrintAndLog("Examples:"); + PrintAndLog(" lf pcf7931 write 2 1 FF"); + return 0; +} -int CmdLFPCF7931Read(const char *Cmd) +int usage_pcf7931_bruteforce() { - UsbCommand c = {CMD_PCF7931_READ}; - SendCommand(&c); - UsbCommand resp; - WaitForResponse(CMD_ACK,&resp); - return 0; + PrintAndLog("Usage: lf pcf7931 bruteforce [h] "); + PrintAndLog("This command tries to disable PAC of a PCF7931 transponder by bruteforcing the password."); + PrintAndLog("!! THIS IS NOT INTENDED TO RECOVER THE FULL PASSWORD !!"); + PrintAndLog("!! DO NOT USE UNLESS THE FIRST 5 BYTES OF THE PASSWORD ARE KNOWN !!"); + PrintAndLog("Options:"); + PrintAndLog(" h This help"); + PrintAndLog(" start password hex password to start from"); + PrintAndLog(" tries How many times to send the same data frame"); + PrintAndLog("Examples:"); + PrintAndLog(" lf pcf7931 bruteforce 00000000123456 3"); + return 0; } -int CmdLFPCF7931Config(const char *Cmd) -{ - int res = 0; - res = sscanf(Cmd, "%02x %02x %02x %02x %02x %02x %02x %d %d %d", &configPcf.password[0], &configPcf.password[1], &configPcf.password[2], &configPcf.password[3], &configPcf.password[4], &configPcf.password[5], &configPcf.password[6], &configPcf.init_delay, &configPcf.offset[0], &configPcf.offset[1]); - - if (res >= 7 || res < 1){ - if(res == 7) configPcf.init_delay = 17500; //default value - - if(res<=8){ - configPcf.offset[0] = 0; //default value - configPcf.offset[1] = 0; //default value - } - - if(res < 1){ - PrintAndLog("Usage: [...] "); - PrintAndLog("The time offsets could be usefull to correct slew rate generated by the antenna."); - } - - PrintAndLog("Current configuration :"); - PrintAndLog("Password (LSB first on each byte) : %02x %02x %02x %02x %02x %02x %02x", configPcf.password[0], configPcf.password[1], configPcf.password[2], configPcf.password[3], configPcf.password[4], configPcf.password[5], configPcf.password[6]); - PrintAndLog("Tag initialization delay : %d us", configPcf.init_delay); - PrintAndLog("Offsets : %d us on the low pulses width, %d us on the low pulses positions", configPcf.offset[0], configPcf.offset[1]); - - return 0; - } - - //default values - configPcf.password[0] = 0xFF; - configPcf.password[1] = 0xFF; - configPcf.password[2] = 0xFF; - configPcf.password[3] = 0xFF; - configPcf.password[4] = 0xFF; - configPcf.password[5] = 0xFF; - configPcf.password[6] = 0xFF; - - configPcf.init_delay = 17500; - configPcf.offset[0] = 0; - configPcf.offset[1] = 0; - - PrintAndLog("Incorrect format"); - PrintAndLog("Examples of right usage : lf pcf7931 config 11 22 33 44 55 66 77 20000"); - PrintAndLog(" lf pcf7931 config FF FF FF FF FF FF FF 17500 -10 30"); - return 0; +int usage_pcf7931_config(){ + PrintAndLog("Usage: lf pcf7931 config [h] [r] "); + PrintAndLog("This command tries to set the configuration used with PCF7931 commands"); + PrintAndLog("The time offsets could be useful to correct slew rate generated by the antenna"); + PrintAndLog("Caling without some parameter will print the current configuration."); + PrintAndLog("Options:"); + PrintAndLog(" h This help"); + PrintAndLog(" r Reset configuration to default values"); + PrintAndLog(" pwd Password, hex, 7bytes, LSB-order"); + PrintAndLog(" delay Tag initialization delay (in us) decimal"); + PrintAndLog(" offset Low pulses width (in us) decimal"); + PrintAndLog(" offset Low pulses position (in us) decimal"); + PrintAndLog("Examples:"); + PrintAndLog(" lf pcf7931 config"); + PrintAndLog(" lf pcf7931 config r"); + PrintAndLog(" lf pcf7931 config 11223344556677 20000"); + PrintAndLog(" lf pcf7931 config 11223344556677 17500 -10 30"); + return 0; } +int CmdLFPCF7931Read(const char *Cmd){ + uint8_t ctmp = param_getchar(Cmd, 0); + if ( ctmp == 'H' || ctmp == 'h' ) return usage_pcf7931_read(); -int CmdLFPCF7931Write(const char *Cmd) -{ - UsbCommand c = {CMD_PCF7931_WRITE}; - - int res = 0; - res = sscanf(Cmd, "%x %x %x", &c.arg[0], &c.arg[1], &c.arg[2]); - - if(res < 1) { - PrintAndLog("Please specify the block address in hex"); - return 0; - } - if (res == 1){ - PrintAndLog("Please specify the byte address in hex"); - return 0; - } - if(res == 2) { - PrintAndLog("Please specify the data in hex (1 byte)"); - return 0; - } - if(res == 3) { - uint8_t n=0; - for(n=0;n<7;n++) c.d.asDwords[n] = configPcf.password[n]; - c.d.asDwords[7] = (configPcf.offset[0]+128); - c.d.asDwords[8] = (configPcf.offset[1]+128); - c.d.asDwords[9] = configPcf.init_delay; - SendCommand(&c); - return 0; - } - - PrintAndLog("INCORRECT FORMAT"); - return 0; + UsbCommand resp; + UsbCommand c = {CMD_PCF7931_READ, {0, 0, 0}}; + clearCommandBuffer(); + SendCommand(&c); + if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) { + PrintAndLog("command execution time out"); + return 1; + } + return 0; +} + +int CmdLFPCF7931Config(const char *Cmd){ + + uint8_t ctmp = param_getchar(Cmd, 0); + if ( ctmp == 0) return pcf7931_printConfig(); + if ( ctmp == 'H' || ctmp == 'h' ) return usage_pcf7931_config(); + if ( ctmp == 'R' || ctmp == 'r' ) return pcf7931_resetConfig(); + + if ( param_gethex(Cmd, 0, configPcf.Pwd, 14) ) return usage_pcf7931_config(); + + configPcf.InitDelay = (param_get32ex(Cmd,1,0,10) & 0xFFFF); + configPcf.OffsetWidth = (int)(param_get32ex(Cmd,2,0,10) & 0xFFFF); + configPcf.OffsetPosition = (int)(param_get32ex(Cmd,3,0,10) & 0xFFFF); + + pcf7931_printConfig(); + return 0; } +int CmdLFPCF7931Write(const char *Cmd){ + + uint8_t ctmp = param_getchar(Cmd, 0); + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_write(); + + uint8_t block = 0, bytepos = 0, data = 0; + + if ( param_getdec(Cmd, 0, &block) ) return usage_pcf7931_write(); + if ( param_getdec(Cmd, 1, &bytepos) ) return usage_pcf7931_write(); + + if ( (block > 7) || (bytepos > 15) ) return usage_pcf7931_write(); + + data = param_get8ex(Cmd, 2, 0, 16); + + PrintAndLog("Writing block: %d", block); + PrintAndLog(" pos: %d", bytepos); + PrintAndLog(" data: 0x%02X", data); + + UsbCommand c = {CMD_PCF7931_WRITE, { block, bytepos, data} }; + memcpy(c.d.asDwords, configPcf.Pwd, sizeof(configPcf.Pwd) ); + c.d.asDwords[7] = (configPcf.OffsetWidth + 128); + c.d.asDwords[8] = (configPcf.OffsetPosition + 128); + c.d.asDwords[9] = configPcf.InitDelay; + + clearCommandBuffer(); + SendCommand(&c); + //no ack? + return 0; +} + +int CmdLFPCF7931BruteForce(const char *Cmd){ + + uint8_t ctmp = param_getchar(Cmd, 0); + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_bruteforce(); + + uint64_t start_password = 0; + uint8_t tries = 3; + + if (param_gethex(Cmd, 0, (uint8_t*)(&start_password), 14)) return usage_pcf7931_bruteforce(); + if (param_getdec(Cmd, 1, &tries)) return usage_pcf7931_bruteforce(); + + PrintAndLog("Bruteforcing from password: %02x %02x %02x %02x %02x %02x %02x", + start_password & 0xFF, + (start_password >> 8) & 0xFF, + (start_password >> 16) & 0xFF, + (start_password >> 24) & 0xFF, + (start_password >> 32) & 0xFF, + (start_password >> 48) & 0xFF, + (start_password >> 56) & 0xFF); + + PrintAndLog("Trying each password %d times", tries); + + UsbCommand c = {CMD_PCF7931_BRUTEFORCE, {start_password, tries} }; + + c.d.asDwords[7] = (configPcf.OffsetWidth + 128); + c.d.asDwords[8] = (configPcf.OffsetPosition + 128); + c.d.asDwords[9] = configPcf.InitDelay; + + clearCommandBuffer(); + SendCommand(&c); + //no ack? + return 0; +} static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"read", CmdLFPCF7931Read, 1, "Read content of a PCF7931 transponder"}, - {"write", CmdLFPCF7931Write, 1, "Write data on a PCF7931 transponder. Usage : lf pcf7931 write "}, - {"config", CmdLFPCF7931Config, 1, "Configure the password, the tags initialization delay and time offsets (optional)"}, - {NULL, NULL, 0, NULL} + {"help", CmdHelp, 1, "This help"}, + {"read", CmdLFPCF7931Read, 0, "Read content of a PCF7931 transponder"}, + {"write", CmdLFPCF7931Write, 0, "Write data on a PCF7931 transponder."}, + {"config", CmdLFPCF7931Config, 1, "Configure the password, the tags initialization delay and time offsets (optional)"}, + {"bruteforce", CmdLFPCF7931BruteForce, 0, "Bruteforce a PCF7931 transponder password."}, + {NULL, NULL, 0, NULL} }; int CmdLFPCF7931(const char *Cmd) { - CmdsParse(CommandTable, Cmd); - return 0; + CmdsParse(CommandTable, Cmd); + return 0; } int CmdHelp(const char *Cmd) { - CmdsHelp(CommandTable); - return 0; + CmdsHelp(CommandTable); + return 0; }