]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdlft55xx.c
ADD: @marshmellow42 's changes to "hf mfu *" ,
[proxmark3-svn] / client / cmdlft55xx.c
index 31958eea12df0090e2617f2bc9edc65917cb25e6..de0ade283813695a73ccaa99b55aad4cf3a5803d 100644 (file)
@@ -126,13 +126,15 @@ int usage_t55xx_dump(){
        return 0;\r
 }\r
 int usage_t55xx_detect(){\r
-       PrintAndLog("Usage:  lf t55xx detect [1]");\r
+       PrintAndLog("Usage:  lf t55xx detect [1] [p <password>]");\r
        PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     p <password>  - OPTIONAL password (8 hex characters)");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx detect");\r
        PrintAndLog("      lf t55xx detect 1");\r
+       PrintAndLog("      lf t55xx detect p 11223344");\r
        PrintAndLog("");\r
        return 0;\r
 }\r
@@ -147,6 +149,21 @@ int usage_t55xx_wakup(){
     PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
        return 0;\r
 }\r
+int usage_t55xx_bruteforce(){\r
+    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+    PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("This command uses A) bruteforce to scan a number range");\r
+       PrintAndLog("                  B) a dictionary attack");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h                     - this help");\r
+    PrintAndLog("     i <*.dic>        - loads a default keys dictionary file <*.dic>");\r
+    PrintAndLog("");\r
+    PrintAndLog("Examples:");\r
+    PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+       PrintAndLog("       lf t55xx bruteforce i default_pwd.dic");\r
+    PrintAndLog("");\r
+    return 0;\r
+}\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
@@ -367,18 +384,22 @@ bool DecodeT55xxBlock(){
                        ans = ASKDemod(cmdStr, FALSE, FALSE, 1);\r
                        break;\r
                case DEMOD_PSK1:\r
-                       // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       // skip first 16 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
                        CmdLtrim("160");\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
                        ans = PSKDemod(cmdStr, FALSE);\r
+                       save_restoreGB(0);\r
                        break;\r
                case DEMOD_PSK2: //inverted won't affect this\r
                case DEMOD_PSK3: //not fully implemented\r
                        // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
                        CmdLtrim("160");\r
                        snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
                        ans = PSKDemod(cmdStr, FALSE);\r
                        psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+                       save_restoreGB(1);\r
                        break;\r
                case DEMOD_NRZ:\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
@@ -397,28 +418,41 @@ bool DecodeT55xxBlock(){
 \r
 int CmdT55xxDetect(const char *Cmd){\r
 \r
-       //bool override = false;\r
-       //bool pwdmode = false;\r
+       bool errors = FALSE;\r
+       bool useGB = FALSE;\r
+       bool usepwd = FALSE;\r
+       uint32_t password = 0;\r
+       uint8_t cmdp = 0;\r
 \r
-       uint32_t password = 0; //default to blank Block 7\r
-       bool usepwd = ( strlen(Cmd) > 0);       \r
-       if ( usepwd ){\r
-               password = param_get32ex(Cmd, 0, 0, 16);\r
-               // if (param_getchar(Cmd, 1) =='o' )\r
-                       // override = true;\r
+       while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_t55xx_detect();\r
+               case 'p':\r
+               case 'P':\r
+                       password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       usepwd = TRUE;\r
+                       cmdp += 2;\r
+                       break;\r
+               case '1':\r
+                       // use Graphbuffer data\r
+                       useGB = TRUE;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r
        }\r
-\r
-       char cmdp = param_getchar(Cmd, 0);\r
-       if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect();\r
+       if (errors) return usage_t55xx_detect();\r
        \r
-       if (strlen(Cmd)==0) {\r
-               password = param_get32ex(Cmd, 0, 0, 16);\r
-               //if (param_getchar(Cmd, 1) =='o' ) override = true;\r
+       if ( !useGB) {\r
+               if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
+                       return 0;\r
        }\r
-\r
-       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
-               return 0;\r
-               \r
+       \r
        if ( !tryDetectModulation() )\r
                PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
 \r
@@ -461,14 +495,14 @@ bool tryDetectModulation(){
        } else {\r
                clk = GetAskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
-                       if ( ASKDemod("0 0 1", TRUE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                ++hits;\r
                        }\r
-                       if ( ASKDemod("0 1 1", TRUE, FALSE, 1)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       if ( ASKDemod("0 1 1", FALSE, FALSE, 1)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
@@ -862,19 +896,21 @@ int CmdT55xxWriteBlock(const char *Cmd) {
        UsbCommand resp;\r
        c.d.asBytes[0] = (page1) ? 0x2 : 0; \r
 \r
-       PrintAndLog("Writing to page: %d  block: %d  data : 0x%08X", page1, block, data);\r
+       char pwdStr[16] = {0};\r
+       snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);\r
+       \r
+       PrintAndLog("Writing page %d  block: %02d  data: 0x%08X %s", page1, block, data,  (usepwd) ? pwdStr : "" );\r
 \r
        //Password mode\r
        if (usepwd) {\r
                c.arg[2] = password;\r
                c.d.asBytes[0] |= 0x1; \r
-               PrintAndLog("pwd   : 0x%08X", password);\r
        }\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
        if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
                PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
-       return 0;\r
+               return 0;\r
        }\r
        return 1;\r
 }\r
@@ -979,8 +1015,14 @@ int CmdT55xxInfo(const char *Cmd){
 \r
        if (!DecodeT55xxBlock()) return 1;\r
 \r
+       // too little space to start with\r
        if ( DemodBufferLen < 32) return 1;\r
 \r
+       // \r
+       PrintAndLog("Offset+32 ==%d\n DemodLen == %d", config.offset + 32,DemodBufferLen );\r
+               \r
+\r
+       \r
        uint8_t si = config.offset;\r
        uint32_t bl0      = PackBits(si, 32, DemodBuffer);\r
        \r
@@ -1230,26 +1272,24 @@ char * GetSelectedModulationStr( uint8_t id){
 }\r
 \r
 void t55x7_create_config_block( int tagtype ){\r
-       //switch?\r
-       \r
-       \r
-}\r
 \r
-/*\r
-uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){\r
+       /*\r
+     T55X7_DEFAULT_CONFIG_BLOCK, T55X7_RAW_CONFIG_BLOCK\r
+     T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK,\r
+        T55X7_FDXB_CONFIG_BLOCK, T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK, T55X7_INDALA_224_CONFIG_BLOCK \r
+        T55X7_GUARDPROXII_CONFIG_BLOCK, T55X7_VIKING_CONFIG_BLOCK,     T55X7_NORALYS_CONFIG_BLOCK, T55X7_IOPROX_CONFIG_BLOCK   \r
+       */\r
+       static char buf[60];\r
+       char *retStr = buf;\r
        \r
-       int i = start;\r
-       int j = len-1;\r
-\r
-       if (len > 32) return 0;\r
-\r
-       uint32_t tmp = 0;\r
-       for (; j >= 0; --j, ++i)\r
-               tmp     |= bits[i] << j;\r
-\r
-       return tmp;\r
+       switch (tagtype){\r
+               case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
+               case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
+               default:\r
+                       break;\r
+       }\r
+       PrintAndLog(buf);\r
 }\r
-*/\r
 \r
 int CmdResetRead(const char *Cmd) {\r
        UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
@@ -1271,48 +1311,192 @@ int CmdResetRead(const char *Cmd) {
 int CmdT55xxWipe(const char *Cmd) {\r
        char writeData[20] = {0};\r
        char *ptrData = writeData;\r
-       uint8_t blk = 0;\r
+       \r
        PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+       \r
        //try with the default password to reset block 0  (with a pwd should work even if pwd bit not set)\r
-       snprintf(ptrData,sizeof(writeData),"b %d d 00088040 p 0", blk);\r
-       if (!CmdT55xxWriteBlock(ptrData)){\r
-               PrintAndLog("Error writing blk %d", blk);\r
-       }\r
-       blk = 1;\r
-       for (; blk<8; blk++) {\r
+       snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
+       \r
+       if (!CmdT55xxWriteBlock(ptrData))\r
+               PrintAndLog("Error writing blk 0");\r
+       \r
+       for (uint8_t blk = 1; blk<8; blk++) {\r
+               \r
                snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
-               if (!CmdT55xxWriteBlock(ptrData)){\r
+               \r
+               if (!CmdT55xxWriteBlock(ptrData)) \r
                        PrintAndLog("Error writing blk %d", blk);\r
-               }\r
+               \r
+               memset(writeData,0x00, sizeof(writeData));\r
        }\r
        return 0;\r
 }\r
 \r
-static command_t CommandTable[] =\r
-{\r
-  {"help",   CmdHelp,           1, "This help"},\r
-  {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
-  {"detect", CmdT55xxDetect,    0, "[1] Try detecting the tag modulation from reading the configuration block."},\r
-  {"read",     CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
-  {"resetread",CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
-  {"write",    CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
-  {"trace",    CmdT55xxReadTrace, 0, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
-  {"info",     CmdT55xxInfo,      0, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
-  {"dump",     CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
-  {"special", special,          0, "Show block changes with 64 different offsets"},\r
-  {"wakeup", CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
-  {"wipe",     CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
-  {NULL, NULL, 0, NULL}\r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+       \r
+       // load a default pwd file.\r
+       char buf[9];\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       int     keycnt = 0;\r
+       uint8_t stKeyBlock = 20;\r
+       uint8_t *keyBlock = NULL, *p;\r
+       keyBlock = calloc(stKeyBlock, 6);\r
+       if (keyBlock == NULL) return 1;\r
+       \r
+    uint32_t start_password = 0x00000000; //start password\r
+    uint32_t end_password   = 0xFFFFFFFF; //end   password\r
+    bool found = false;\r
+\r
+    char cmdp = param_getchar(Cmd, 0);\r
+    if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       if (cmdp == 'i' || cmdp == 'I') {\r
+       \r
+               int len = strlen(Cmd+2);\r
+               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               memcpy(filename, Cmd+2, len);\r
+       \r
+               FILE * f = fopen( filename , "r");\r
+               \r
+               if ( !f ) {\r
+                       PrintAndLog("File: %s: not found or locked.", filename);\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }                       \r
+                       \r
+               while( fgets(buf, sizeof(buf), f) ){\r
+                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+               \r
+                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
+                       \r
+                       //The line start with # is comment, skip\r
+                       if( buf[0]=='#' ) continue;\r
+\r
+                       if (!isxdigit(buf[0])){\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                               continue;\r
+                       }\r
+                       \r
+                       buf[8] = 0;\r
+\r
+                       if ( stKeyBlock - keycnt < 2) {\r
+                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               if (!p) {\r
+                                       PrintAndLog("Cannot allocate memory for defaultKeys");\r
+                                       free(keyBlock);\r
+                                       return 2;\r
+                               }\r
+                               keyBlock = p;\r
+                       }\r
+                       memset(keyBlock + 4 * keycnt, 0, 4);\r
+                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+                       keycnt++;\r
+                       memset(buf, 0, sizeof(buf));\r
+               }               \r
+               fclose(f);\r
+               \r
+               if (keycnt == 0) {\r
+                       PrintAndLog("No keys found in file");\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loaded %d keys", keycnt);\r
+               \r
+               // loop\r
+               uint64_t testpwd = 0x00;\r
+               for (uint16_t c = 0; c < keycnt; ++c ) {\r
+       \r
+                       if (ukbhit()) {\r
+                               getchar();\r
+                               printf("\naborted via keyboard!\n");\r
+                               return 0;\r
+                       }\r
+               \r
+                       testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+                       PrintAndLog("Testing %08X", testpwd);\r
+                       \r
+                       \r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               return 0;\r
+                       }\r
+                       \r
+                       found = tryDetectModulation();\r
+\r
+                       if ( found ) {\r
+                               PrintAndLog("Found valid password: [%08X]", testpwd);\r
+                               return 0;\r
+                       } \r
+               }\r
+               PrintAndLog("Password NOT found.");\r
+               return 0;\r
+       }\r
+       \r
+       // Try to read Block 7, first :)\r
+       \r
+       // incremental pwd range search\r
+    start_password = param_get32ex(Cmd, 0, 0, 16);\r
+       end_password = param_get32ex(Cmd, 1, 0, 16);\r
+       \r
+       if ( start_password >= end_password ) return usage_t55xx_bruteforce();\r
+       \r
+    PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+       \r
+    uint32_t i = start_password;\r
+\r
+    while ((!found) && (i <= end_password)){\r
+\r
+               printf(".");\r
+               fflush(stdout);\r
+               if (ukbhit()) {\r
+                       getchar();\r
+                       printf("\naborted via keyboard!\n");\r
+                       return 0;\r
+               }\r
+                       \r
+               if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+                       PrintAndLog("Aquireing data from device failed. Quitting");\r
+                       return 0;\r
+               }\r
+               found = tryDetectModulation();\r
+        \r
+               if (found) break;\r
+               i++;\r
+    }\r
+    \r
+    PrintAndLog("");\r
+       \r
+    if (found)\r
+               PrintAndLog("Found valid password: [%08x]", i);\r
+    else\r
+               PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+    return 0;\r
+}\r
+\r
+static command_t CommandTable[] = {\r
+       {"help",                CmdHelp,           1, "This help"},\r
+       {"bruteforce",  CmdT55xxBruteForce,0, "Simple bruteforce attack to find password"},\r
+       {"config",              CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+       {"detect",              CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+       {"dump",                CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+       {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+       {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+       {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+       {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
+       {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+       {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
+       {"wipe",                CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+       {"write",               CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+       {NULL, NULL, 0, NULL}\r
 };\r
 \r
-int CmdLFT55XX(const char *Cmd)\r
-{\r
+int CmdLFT55XX(const char *Cmd) {\r
   CmdsParse(CommandTable, Cmd);\r
   return 0;\r
 }\r
 \r
-int CmdHelp(const char *Cmd)\r
-{\r
+int CmdHelp(const char *Cmd) {\r
   CmdsHelp(CommandTable);\r
   return 0;\r
 }\r
Impressum, Datenschutz