icemans lf fixes & adjustments + lf t55xx bruteforce
authormarshmellow42 <marshmellowrf@gmail.com>
Wed, 2 Dec 2015 22:27:12 +0000 (17:27 -0500)
committermarshmellow42 <marshmellowrf@gmail.com>
Wed, 2 Dec 2015 22:27:12 +0000 (17:27 -0500)
Fix small fskdemod clock bug

CHANGELOG.md
armsrc/lfops.c
armsrc/lfsampling.c
client/cmddata.c
client/cmdlft55xx.c
client/cmdlft55xx.h

index a3a0799ecf37928618e879cc5525069d606baabf..6dfa63843afaa403874fab356611bd3c01f742bb 100644 (file)
@@ -5,6 +5,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 ## [unreleased][unreleased]
 
 ### Added
+- `lf t55xx bruteforce <start password> <end password> [i <*.dic>]` - Simple bruteforce attack to find password - (iceman and others)
+- `lf viking clone`- clone viking tag to t55x7 or Q5 from 4byte hex ID input 
+- `lf viking sim`  - sim full viking tag from 4byte hex ID input
+- `lf viking read` - read viking tag and output ID
+- `lf t55xx wipe`  - sets t55xx back to factory defaults
 - Added viking demod to `lf search` (marshmellow)
 - `data askvikingdemod` demod viking id tag from graphbuffer (marshmellow)
 - `lf t55xx resetread` added reset then read command - should allow determining start
@@ -26,6 +31,11 @@ of stream transmissions (marshmellow)
 - Added option c to 'hf list' (mark CRC bytes) (piwi)
 
 ### Changed
+- Adjusted lf awid clone to optionally clone to Q5 tags
+- Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7
+- Adjusted all lf NRZ demods - works more acurately and consistantly (as long as you have strong signal)
+- Adjusted lf pskindalademod to reduce false positive reads.
+- Small adjustments to psk, nrz, and ask clock detect routines - more reliable.
 - Adjusted lf em410x em410xsim to accept a clock argument
 - Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow)
 - Adjusted lf t55xx write input variables (marshmellow)
index 5cdfe834a1fb3771d128fa7d4a31b7e54e88cd25..47fec7c2a95d3b6737361b401e56fb0e2297847e 100644 (file)
@@ -17,7 +17,7 @@
 #include "lfdemod.h"
 #include "lfsampling.h"
 #include "protocols.h"
-#include "usb_cdc.h" //test
+#include "usb_cdc.h" // for usb_poll_validate_length
 
 /**
  * Function to do a modulation and then get samples.
index b6ca920907e220d5ad9a69898f2530fe2970da7c..ab7c79dd3e31ab2b4867c2f1bb080eee0290eb4c 100644 (file)
@@ -10,7 +10,7 @@
 #include "apps.h"
 #include "util.h"
 #include "string.h"
-
+#include "usb_cdc.h" // for usb_poll_validate_length
 #include "lfsampling.h"
 
 sample_config config = { 1, 8, 1, 95, 0 } ;
@@ -272,7 +272,7 @@ void doT55x7Acquisition(size_t sample_size) {
        uint8_t curSample = 0;
        uint8_t lastSample = 0;
        uint16_t skipCnt = 0;
-       while(!BUTTON_PRESS() && skipCnt<1000) {
+       while(!BUTTON_PRESS() && !usb_poll_validate_length() && skipCnt<1000 && i<bufsize ) {
                WDT_HIT();
                if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
                        AT91C_BASE_SSC->SSC_THR = 0x43;
@@ -311,7 +311,6 @@ void doT55x7Acquisition(size_t sample_size) {
                                }
                                // collect samples
                                dest[i++] = curSample;
-                               if (i >= bufsize-1) break;
                        }
                }
        }
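Review bot: The bounds check hoisted into the loop head at `while(!BUTTON_PRESS() && !usb_poll_validate_length() && skipCnt<1000 && i<bufsize )` is only equivalent to the removed `if (i >= bufsize-1) break;` if the body stores at most one sample per iteration; the code between the two hunks is not visible here, so that should be confirmed, and note that the new form does fill the last slot `dest[bufsize-1]` that the old guard never reached. The new `usb_poll_validate_length()` exit also means the loop can end with a partially filled buffer, so the caller must not assume `i` reached `bufsize`; a comment such as `// stop early on button, incoming USB command, too many skipped samples, or a full buffer` on the while line would make the four exit conditions explicit. `doT55x7Acquisition` starts and ends outside these hunks.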
index ca4fcafc1ca91c324d02c78505d5d59dbdcf7db5..30546f1190da6fbb2120af5529d3dd4eacc92e32 100644 (file)
@@ -934,14 +934,14 @@ char *GetFSKType(uint8_t fchigh, uint8_t fclow, uint8_t invert)
 int FSKrawDemod(const char *Cmd, bool verbose)
 {
        //raw fsk demod  no manchester decoding no start bit finding just get binary from wave
-       //set defaults
-       int rfLen = 0;
-       int invert = 0;
-       int fchigh = 0;
-       int fclow = 0;
+       uint8_t rfLen, invert, fchigh, fclow;
 
+       //set defaults
        //set options from parameters entered with the command
-       sscanf(Cmd, "%i %i %i %i", &rfLen, &invert, &fchigh, &fclow);
+       rfLen = param_get8ex(Cmd, 0, 0, 10);
+       invert = param_get8ex(Cmd, 1, 0, 10);
+       fchigh = param_get8ex(Cmd, 2, 0, 10);
+       fclow = param_get8ex(Cmd, 3, 0, 10);
 
        if (strlen(Cmd)>0 && strlen(Cmd)<=2) {
                 if (rfLen==1){
@@ -955,34 +955,34 @@ int FSKrawDemod(const char *Cmd, bool verbose)
        if (BitLen==0) return 0;
        //get field clock lengths
        uint16_t fcs=0;
-       if (fchigh==0 || fclow == 0){
+       if (!fchigh || !fclow) {
                fcs = countFC(BitStream, BitLen, 1);
-               if (fcs==0){
-                       fchigh=10;
-                       fclow=8;
-               }else{
-                       fchigh = (fcs >> 8) & 0xFF;
-                       fclow = fcs & 0xFF;
+               if (!fcs) {
+                       fchigh = 10;
+                       fclow = 8;
+               } else {
+                       fchigh = (fcs >> 8) & 0x00FF;
+                       fclow = fcs & 0x00FF;
                }
        }
        //get bit clock length
-       if (rfLen==0){
+       if (!rfLen){
                rfLen = detectFSKClk(BitStream, BitLen, fchigh, fclow);
-               if (rfLen == 0) rfLen = 50;
+               if (!rfLen) rfLen = 50;
        }
-       int size = fskdemod(BitStream,BitLen,(uint8_t)rfLen,(uint8_t)invert,(uint8_t)fchigh,(uint8_t)fclow);
-       if (size>0){
+       int size = fskdemod(BitStream, BitLen, rfLen, invert, fchigh, fclow);
+       if (size > 0){
                setDemodBuf(BitStream,size,0);
 
                // Now output the bitstream to the scrollback by line of 16 bits
                if (verbose || g_debugMode) {
-                       PrintAndLog("\nUsing Clock:%d, invert:%d, fchigh:%d, fclow:%d", rfLen, invert, fchigh, fclow);
+                       PrintAndLog("\nUsing Clock:%u, invert:%u, fchigh:%u, fclow:%u", rfLen, invert, fchigh, fclow);
                        PrintAndLog("%s decoded bitstream:",GetFSKType(fchigh,fclow,invert));
                        printDemodBuff();
                }
 
                return 1;
-       } else{
+       } else {
                if (g_debugMode) PrintAndLog("no FSK data found");
        }
        return 0;
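Review bot: The `//set defaults` comment that now sits above the `param_get8ex` calls no longer describes anything — the defaults moved into the `0` argument of each call — so it should be dropped or merged, e.g. `//set options from parameters entered with the command (0 = auto-detect)`. Replacing `sscanf(Cmd, "%i %i %i %i", ...)` with `param_get8ex(..., 10)` also changes the accepted syntax: `%i` took `0x`-prefixed hex and leading-zero octal, while a base-10 parse presumably does not, which may be intended but deserves a line in the usage text. If `param_get8ex` truncates to eight bits, a clock above 255 now silently wraps (256 becomes 0 and falls into auto-detect) where the old code applied the same truncation via `(uint8_t)rfLen` after the zero check, so behaviour is no worse, but a range warning would help users. `FSKrawDemod` is split across the two hunks, and the `if (rfLen==1)` branch continues outside them.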
index 490850f86125c7bcd4e60eaaec070c39393226db..7bf2c25cab5cbe5cb144a355916a20d0838d4ab7 100644 (file)
@@ -29,6 +29,7 @@
 #define T55x7_CONFIGURATION_BLOCK 0x00\r
 #define T55x7_PAGE0 0x00\r
 #define T55x7_PAGE1 0x01\r
+#define T55x7_PWD      0x00000010\r
 #define REGULAR_READ_MODE_BLOCK 0xFF\r
 \r
 // Default configuration\r
@@ -148,11 +149,24 @@ int usage_t55xx_wakup(){
                PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
        return 0;\r
 }\r
+int usage_t55xx_bruteforce(){\r
+       PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+       PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h         - this help");\r
+       PrintAndLog("     i <*.dic> - loads a default keys dictionary file <*.dic>");\r
+       PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+       PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+       PrintAndLog("       lf t55xx bruteforce i mykeys.dic");\r
+       PrintAndLog("");\r
+       return 0;\r
+}\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
 void printT5xxHeader(uint8_t page){\r
-       PrintAndLog("Reading Page %d:", page);  \r
+       PrintAndLog("Reading Page %d:", page);\r
        PrintAndLog("blk | hex data | binary");\r
        PrintAndLog("----+----------+---------------------------------");       \r
 }\r
@@ -442,7 +456,6 @@ bool tryDetectModulation(){
        t55xx_conf_block_t tests[15];\r
        int bitRate=0;\r
        uint8_t fc1 = 0, fc2 = 0, clk=0;\r
-       save_restoreGB(1);\r
 \r
        if (GetFskClock("", FALSE, FALSE)){ \r
                fskClocks(&fc1, &fc2, &clk, FALSE);\r
@@ -502,7 +515,7 @@ bool tryDetectModulation(){
                        }\r
                }\r
                //undo trim from ask\r
-               save_restoreGB(0);\r
+               //save_restoreGB(0);\r
                clk = GetNrzClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                        if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -522,9 +535,9 @@ bool tryDetectModulation(){
                        }\r
                }\r
                \r
-               //undo trim from nrz\r
-               save_restoreGB(0);\r
+               // allow undo\r
                // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+               save_restoreGB(1);\r
                CmdLtrim("160");\r
                clk = GetPskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
@@ -565,8 +578,9 @@ bool tryDetectModulation(){
                                }\r
                        } // inverse waves does not affect this demod\r
                }\r
+               //undo trim samples\r
+               save_restoreGB(0);\r
        }       \r
-       save_restoreGB(0);      \r
        if ( hits == 1) {\r
                config.modulation = tests[0].modulation;\r
                config.bitrate = tests[0].bitrate;\r
@@ -1297,19 +1311,161 @@ int CmdT55xxWipe(const char *Cmd) {
        return 0;\r
 }\r
 \r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+\r
+       // load a default pwd file.\r
+       char buf[9];\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       int keycnt = 0;\r
+       uint8_t stKeyBlock = 20;\r
+       uint8_t *keyBlock = NULL, *p;\r
+       keyBlock = calloc(stKeyBlock, 6);\r
+       if (keyBlock == NULL) return 1;\r
+\r
+       uint32_t start_password = 0x00000000; //start password\r
+       uint32_t end_password   = 0xFFFFFFFF; //end   password\r
+       bool found = false;\r
+\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       if (cmdp == 'i' || cmdp == 'I') {\r
+\r
+               int len = strlen(Cmd+2);\r
+               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               memcpy(filename, Cmd+2, len);\r
+\r
+               FILE * f = fopen( filename , "r");\r
+\r
+               if ( !f ) {\r
+                       PrintAndLog("File: %s: not found or locked.", filename);\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }\r
+\r
+               while( fgets(buf, sizeof(buf), f) ){\r
+                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+\r
+                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
+\r
+                       //The line start with # is comment, skip\r
+                       if( buf[0]=='#' ) continue;\r
+\r
+                       if (!isxdigit(buf[0])){\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                               continue;\r
+                       }\r
+                       \r
+                       buf[8] = 0;\r
+\r
+                       if ( stKeyBlock - keycnt < 2) {\r
+                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               if (!p) {\r
+                                       PrintAndLog("Cannot allocate memory for defaultKeys");\r
+                                       free(keyBlock);\r
+                                       return 2;\r
+                               }\r
+                               keyBlock = p;\r
+                       }\r
+                       memset(keyBlock + 4 * keycnt, 0, 4);\r
+                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+                       keycnt++;\r
+                       memset(buf, 0, sizeof(buf));\r
+               }\r
+               fclose(f);\r
+               \r
+               if (keycnt == 0) {\r
+                       PrintAndLog("No keys found in file");\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loaded %d keys", keycnt);\r
+               \r
+               // loop\r
+               uint64_t testpwd = 0x00;\r
+               for (uint16_t c = 0; c < keycnt; ++c ) {\r
+\r
+                       if (ukbhit()) {\r
+                               getchar();\r
+                               printf("\naborted via keyboard!\n");\r
+                               return 0;\r
+                       }\r
+\r
+                       testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+                       PrintAndLog("Testing %08X", testpwd);\r
+\r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               return 0;\r
+                       }\r
+\r
+                       found = tryDetectModulation();\r
+\r
+                       if ( found ) {\r
+                               PrintAndLog("Found valid password: [%08X]", testpwd);\r
+                               return 0;\r
+                       }\r
+               }\r
+               PrintAndLog("Password NOT found.");\r
+               return 0;\r
+       }\r
+\r
+       // Try to read Block 7, first :)\r
+\r
+       // incremental pwd range search\r
+       start_password = param_get32ex(Cmd, 0, 0, 16);\r
+       end_password = param_get32ex(Cmd, 1, 0, 16);\r
+       \r
+       if ( start_password >= end_password ) return usage_t55xx_bruteforce();\r
+\r
+       PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+\r
+       uint32_t i = start_password;\r
+\r
+       while ((!found) && (i <= end_password)){\r
+\r
+       printf(".");\r
+       fflush(stdout);\r
+       if (ukbhit()) {\r
+               getchar();\r
+               printf("\naborted via keyboard!\n");\r
+               return 0;\r
+       }\r
+\r
+       if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+               PrintAndLog("Aquireing data from device failed. Quitting");\r
+               return 0;\r
+       }\r
+       found = tryDetectModulation();\r
+           \r
+       if (found) break;\r
+       i++;\r
+       }\r
+\r
+       PrintAndLog("");\r
+\r
+       if (found)\r
+       PrintAndLog("Found valid password: [%08x]", i);\r
+       else\r
+       PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+       return 0;\r
+}\r
+\r
 static command_t CommandTable[] = {\r
-  {"help",     CmdHelp,           1, "This help"},\r
-  {"config",   CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
-  {"detect",   CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
-  {"read",     CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
-  {"resetread",CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
-  {"write",    CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
-  {"trace",    CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
-  {"info",     CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
-  {"dump",     CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
-  {"special",  special,           0, "Show block changes with 64 different offsets"},\r
-  {"wakeup",   CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
-  {"wipe",     CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+  {"help",      CmdHelp,           1, "This help"},\r
+       {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+  {"config",    CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+  {"detect",    CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+  {"read",      CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+  {"resetread", CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+  {"write",     CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+  {"trace",     CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+  {"info",      CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+  {"dump",      CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+  {"special",   special,           0, "Show block changes with 64 different offsets"},\r
+  {"wakeup",    CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
+  {"wipe",      CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
   {NULL, NULL, 0, NULL}\r
 };\r
 \r
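Review bot: The dictionary loader in `CmdT55xxBruteForce` can overflow the heap once a file holds more than about 250 keys: `stKeyBlock` is a `uint8_t`, so `stKeyBlock+=10` wraps from 250 to 4 and the following `realloc` shrinks `keyBlock` to 24 bytes while `keycnt` keeps indexing far past it. Two smaller memory-safety issues sit in the same path: `len` is clamped to `FILE_PATH_SIZE` instead of `FILE_PATH_SIZE - 1`, so a maximal path fills `filename` with no terminator, and `Cmd+2` is read without checking that anything follows the `i`. Beyond that, every return after the `calloc` except the fopen and realloc failures leaks `keyBlock`, `testpwd` is a `uint64_t` printed with `%08X`, and the range loop `while ((!found) && (i <= end_password))` never terminates when `end_password` is `0xFFFFFFFF` because `i++` wraps to zero. I would widen `stKeyBlock` to `size_t`, clamp the copy to `FILE_PATH_SIZE - 1`, make `testpwd` a `uint32_t`, exit through a single `free(keyBlock)` label, and compare `i` with `end_password` before incrementing; the whole function is inside this hunk.
```c
int CmdT55xxBruteForce(const char *Cmd) {
	int rc = 0;                       // single exit below frees keyBlock on every path
	char buf[9];
	char filename[FILE_PATH_SIZE] = {0};
	int keycnt = 0;
	size_t stKeyBlock = 20;           // was uint8_t: += 10 wrapped at 250 and shrank the buffer
	uint8_t *keyBlock = NULL, *p;
	keyBlock = calloc(stKeyBlock, 4); // keys are stored with a stride of 4 bytes
	if (keyBlock == NULL) return 1;
	// … unchanged: start/end password defaults, found flag, 'h' handling …
	if (cmdp == 'i' || cmdp == 'I') {
		size_t len = strlen(Cmd) > 2 ? strlen(Cmd + 2) : 0;   // "i" alone has no file name
		if (len > FILE_PATH_SIZE - 1) len = FILE_PATH_SIZE - 1; // keep room for the terminator
		memcpy(filename, Cmd + 2, len);
		FILE *f = fopen(filename, "r");
		if (!f) {
			PrintAndLog("File: %s: not found or locked.", filename);
			rc = 1;
			goto out;
		}
		// … unchanged: line loop, except the growth step …
			if (stKeyBlock - (size_t)keycnt < 2) {
				p = realloc(keyBlock, 4 * (stKeyBlock += 10));
				if (!p) {
					PrintAndLog("Cannot allocate memory for defaultKeys");
					fclose(f);
					rc = 2;
					goto out;
				}
				keyBlock = p;
			}
		// … unchanged: key parsing and fclose; "No keys found" becomes rc = 1; goto out …
		uint32_t testpwd = 0;           // 32-bit so "%08X" matches the argument
		// … unchanged: dictionary loop, with each return replaced by goto out …
	}
	// … unchanged: range parsing; usage return becomes rc = usage_t55xx_bruteforce(); goto out …
	uint32_t i = start_password;
	for (;;) {
		// … unchanged: progress dot, keyboard abort and AquireData (returns become goto out) …
		found = tryDetectModulation();
		if (found || i == end_password) break;   // compare before ++ so 0xFFFFFFFF cannot wrap
		i++;
	}
	PrintAndLog("");
	if (found)
		PrintAndLog("Found valid password: [%08x]", i);
	else
		PrintAndLog("Password NOT found. Last tried: [%08x]", i);
out:
	free(keyBlock);
	return rc;
}
```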
index 424e85abd7183a641b236c96a956b3e638bc371e..56b1b9b778f76e34756e3d89d9f7765d6980f034 100644 (file)
@@ -45,6 +45,7 @@ void Set_t55xx_Config(t55xx_conf_block_t conf);
 \r
 \r
 int CmdLFT55XX(const char *Cmd);\r
+int CmdT55xxBruteForce(const char *Cmd);\r
 int CmdT55xxSetConfig(const char *Cmd);\r
 int CmdT55xxReadBlock(const char *Cmd);\r
 int CmdT55xxWriteBlock(const char *Cmd);\r