return 0;\r
}\r
int usage_t55xx_detect(){\r
- PrintAndLog("Usage: lf t55xx detect [1]");\r
+ PrintAndLog("Usage: lf t55xx detect [1] [p <password>]");\r
PrintAndLog("Options:");\r
- PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");\r
+ PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");\r
+ PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx detect");\r
PrintAndLog(" lf t55xx detect 1");\r
+ PrintAndLog(" lf t55xx detect p 11223344");\r
PrintAndLog("");\r
return 0;\r
}\r
PrintAndLog(" lf t55xx wakeup p 11223344 - send wakeup password");\r
return 0;\r
}\r
+int usage_t55xx_bruteforce(){\r
+ PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+ PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
+ PrintAndLog("This command uses A) bruteforce to scan a number range");\r
+ PrintAndLog(" B) a dictionary attack");\r
+ PrintAndLog("Options:");\r
+ PrintAndLog(" h - this help");\r
+ PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");\r
+ PrintAndLog("");\r
+ PrintAndLog("Examples:");\r
+ PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+ PrintAndLog(" lf t55xx bruteforce i default_pwd.dic");\r
+ PrintAndLog("");\r
+ return 0;\r
+}\r
\r
static int CmdHelp(const char *Cmd);\r
\r
ans = ASKDemod(cmdStr, FALSE, FALSE, 1);\r
break;\r
case DEMOD_PSK1:\r
- // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+ // skip first 16 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+ save_restoreGB(1);\r
CmdLtrim("160");\r
snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
ans = PSKDemod(cmdStr, FALSE);\r
+ save_restoreGB(0);\r
break;\r
case DEMOD_PSK2: //inverted won't affect this\r
case DEMOD_PSK3: //not fully implemented\r
// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+ save_restoreGB(1);\r
CmdLtrim("160");\r
snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
ans = PSKDemod(cmdStr, FALSE);\r
psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+ save_restoreGB(1);\r
break;\r
case DEMOD_NRZ:\r
snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
\r
int CmdT55xxDetect(const char *Cmd){\r
\r
- //bool override = false;\r
- //bool pwdmode = false;\r
+ bool errors = FALSE;\r
+ bool useGB = FALSE;\r
+ bool usepwd = FALSE;\r
+ uint32_t password = 0;\r
+ uint8_t cmdp = 0;\r
\r
- uint32_t password = 0; //default to blank Block 7\r
- bool usepwd = ( strlen(Cmd) > 0); \r
- if ( usepwd ){\r
- password = param_get32ex(Cmd, 0, 0, 16);\r
- // if (param_getchar(Cmd, 1) =='o' )\r
- // override = true;\r
+ while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'h':\r
+ case 'H':\r
+ return usage_t55xx_detect();\r
+ case 'p':\r
+ case 'P':\r
+ password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ usepwd = TRUE;\r
+ cmdp += 2;\r
+ break;\r
+ case '1':\r
+ // use Graphbuffer data\r
+ useGB = TRUE;\r
+ cmdp++;\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = true;\r
+ break;\r
+ }\r
}\r
-\r
- char cmdp = param_getchar(Cmd, 0);\r
- if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect();\r
+ if (errors) return usage_t55xx_detect();\r
\r
- if (strlen(Cmd)==0) {\r
- password = param_get32ex(Cmd, 0, 0, 16);\r
- //if (param_getchar(Cmd, 1) =='o' ) override = true;\r
+ if ( !useGB) {\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
+ return 0;\r
}\r
-\r
- if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
- return 0;\r
- \r
+ \r
if ( !tryDetectModulation() )\r
PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
\r
} else {\r
clk = GetAskClock("", FALSE, FALSE);\r
if (clk>0) {\r
- if ( ASKDemod("0 0 1", TRUE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+ if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
tests[hits].modulation = DEMOD_ASK;\r
tests[hits].bitrate = bitRate;\r
tests[hits].inverted = FALSE;\r
tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
++hits;\r
}\r
- if ( ASKDemod("0 1 1", TRUE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+ if ( ASKDemod("0 1 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
tests[hits].modulation = DEMOD_ASK;\r
tests[hits].bitrate = bitRate;\r
tests[hits].inverted = TRUE;\r
UsbCommand resp;\r
c.d.asBytes[0] = (page1) ? 0x2 : 0; \r
\r
- PrintAndLog("Writing to page: %d block: %d data : 0x%08X", page1, block, data);\r
+ char pwdStr[16] = {0};\r
+ snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);\r
+ \r
+ PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" );\r
\r
//Password mode\r
if (usepwd) {\r
c.arg[2] = password;\r
c.d.asBytes[0] |= 0x1; \r
- PrintAndLog("pwd : 0x%08X", password);\r
}\r
clearCommandBuffer();\r
SendCommand(&c);\r
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
- return 0;\r
+ return 0;\r
}\r
return 1;\r
}\r
\r
if (!DecodeT55xxBlock()) return 1;\r
\r
+ // too little space to start with\r
if ( DemodBufferLen < 32) return 1;\r
\r
+ // \r
+ PrintAndLog("Offset+32 ==%d\n DemodLen == %d", config.offset + 32,DemodBufferLen );\r
+ \r
+\r
+ \r
uint8_t si = config.offset;\r
uint32_t bl0 = PackBits(si, 32, DemodBuffer);\r
\r
}\r
\r
void t55x7_create_config_block( int tagtype ){\r
- //switch?\r
- \r
- \r
-}\r
\r
-/*\r
-uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){\r
+ /*\r
+ T55X7_DEFAULT_CONFIG_BLOCK, T55X7_RAW_CONFIG_BLOCK\r
+ T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK,\r
+ T55X7_FDXB_CONFIG_BLOCK, T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK, T55X7_INDALA_224_CONFIG_BLOCK \r
+ T55X7_GUARDPROXII_CONFIG_BLOCK, T55X7_VIKING_CONFIG_BLOCK, T55X7_NORALYS_CONFIG_BLOCK, T55X7_IOPROX_CONFIG_BLOCK \r
+ */\r
+ static char buf[60];\r
+ char *retStr = buf;\r
\r
- int i = start;\r
- int j = len-1;\r
-\r
- if (len > 32) return 0;\r
-\r
- uint32_t tmp = 0;\r
- for (; j >= 0; --j, ++i)\r
- tmp |= bits[i] << j;\r
-\r
- return tmp;\r
+ switch (tagtype){\r
+ case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
+ case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
+ default:\r
+ break;\r
+ }\r
+ PrintAndLog(buf);\r
}\r
-*/\r
\r
int CmdResetRead(const char *Cmd) {\r
UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
int CmdT55xxWipe(const char *Cmd) {\r
char writeData[20] = {0};\r
char *ptrData = writeData;\r
- uint8_t blk = 0;\r
+ \r
PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+ \r
//try with the default password to reset block 0 (with a pwd should work even if pwd bit not set)\r
- snprintf(ptrData,sizeof(writeData),"b %d d 00088040 p 0", blk);\r
- if (!CmdT55xxWriteBlock(ptrData)){\r
- PrintAndLog("Error writing blk %d", blk);\r
- }\r
- blk = 1;\r
- for (; blk<8; blk++) {\r
+ snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
+ \r
+ if (!CmdT55xxWriteBlock(ptrData))\r
+ PrintAndLog("Error writing blk 0");\r
+ \r
+ for (uint8_t blk = 1; blk<8; blk++) {\r
+ \r
snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
- if (!CmdT55xxWriteBlock(ptrData)){\r
+ \r
+ if (!CmdT55xxWriteBlock(ptrData)) \r
PrintAndLog("Error writing blk %d", blk);\r
- }\r
+ \r
+ memset(writeData,0x00, sizeof(writeData));\r
}\r
return 0;\r
}\r
\r
-static command_t CommandTable[] =\r
-{\r
- {"help", CmdHelp, 1, "This help"},\r
- {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
- {"detect", CmdT55xxDetect, 0, "[1] Try detecting the tag modulation from reading the configuration block."},\r
- {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
- {"resetread",CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
- {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
- {"trace", CmdT55xxReadTrace, 0, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
- {"info", CmdT55xxInfo, 0, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
- {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
- {"special", special, 0, "Show block changes with 64 different offsets"},\r
- {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},\r
- {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
- {NULL, NULL, 0, NULL}\r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+ \r
+ // load a default pwd file.\r
+ char buf[9];\r
+ char filename[FILE_PATH_SIZE]={0};\r
+ int keycnt = 0;\r
+ uint8_t stKeyBlock = 20;\r
+ uint8_t *keyBlock = NULL, *p;\r
+ keyBlock = calloc(stKeyBlock, 6);\r
+ if (keyBlock == NULL) return 1;\r
+ \r
+ uint32_t start_password = 0x00000000; //start password\r
+ uint32_t end_password = 0xFFFFFFFF; //end password\r
+ bool found = false;\r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+ if (cmdp == 'i' || cmdp == 'I') {\r
+ \r
+ int len = strlen(Cmd+2);\r
+ if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ memcpy(filename, Cmd+2, len);\r
+ \r
+ FILE * f = fopen( filename , "r");\r
+ \r
+ if ( !f ) {\r
+ PrintAndLog("File: %s: not found or locked.", filename);\r
+ free(keyBlock);\r
+ return 1;\r
+ } \r
+ \r
+ while( fgets(buf, sizeof(buf), f) ){\r
+ if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+ \r
+ while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
+ \r
+ //The line start with # is comment, skip\r
+ if( buf[0]=='#' ) continue;\r
+\r
+ if (!isxdigit(buf[0])){\r
+ PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+ continue;\r
+ }\r
+ \r
+ buf[8] = 0;\r
+\r
+ if ( stKeyBlock - keycnt < 2) {\r
+ p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+ if (!p) {\r
+ PrintAndLog("Cannot allocate memory for defaultKeys");\r
+ free(keyBlock);\r
+ return 2;\r
+ }\r
+ keyBlock = p;\r
+ }\r
+ memset(keyBlock + 4 * keycnt, 0, 4);\r
+ num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+ PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+ keycnt++;\r
+ memset(buf, 0, sizeof(buf));\r
+ } \r
+ fclose(f);\r
+ \r
+ if (keycnt == 0) {\r
+ PrintAndLog("No keys found in file");\r
+ return 1;\r
+ }\r
+ PrintAndLog("Loaded %d keys", keycnt);\r
+ \r
+ // loop\r
+ uint64_t testpwd = 0x00;\r
+ for (uint16_t c = 0; c < keycnt; ++c ) {\r
+ \r
+ if (ukbhit()) {\r
+ getchar();\r
+ printf("\naborted via keyboard!\n");\r
+ return 0;\r
+ }\r
+ \r
+ testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+ PrintAndLog("Testing %08X", testpwd);\r
+ \r
+ \r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ return 0;\r
+ }\r
+ \r
+ found = tryDetectModulation();\r
+\r
+ if ( found ) {\r
+ PrintAndLog("Found valid password: [%08X]", testpwd);\r
+ return 0;\r
+ } \r
+ }\r
+ PrintAndLog("Password NOT found.");\r
+ return 0;\r
+ }\r
+ \r
+ // Try to read Block 7, first :)\r
+ \r
+ // incremental pwd range search\r
+ start_password = param_get32ex(Cmd, 0, 0, 16);\r
+ end_password = param_get32ex(Cmd, 1, 0, 16);\r
+ \r
+ if ( start_password >= end_password ) return usage_t55xx_bruteforce();\r
+ \r
+ PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+ \r
+ uint32_t i = start_password;\r
+\r
+ while ((!found) && (i <= end_password)){\r
+\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ getchar();\r
+ printf("\naborted via keyboard!\n");\r
+ return 0;\r
+ }\r
+ \r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ return 0;\r
+ }\r
+ found = tryDetectModulation();\r
+ \r
+ if (found) break;\r
+ i++;\r
+ }\r
+ \r
+ PrintAndLog("");\r
+ \r
+ if (found)\r
+ PrintAndLog("Found valid password: [%08x]", i);\r
+ else\r
+ PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+ return 0;\r
+}\r
+\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"bruteforce", CmdT55xxBruteForce,0, "Simple bruteforce attack to find password"},\r
+ {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+ {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+ {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+ {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+ {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+ {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+ {"special", special, 0, "Show block changes with 64 different offsets"}, \r
+ {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+ {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},\r
+ {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+ {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+ {NULL, NULL, 0, NULL}\r
};\r
\r
-int CmdLFT55XX(const char *Cmd)\r
-{\r
+int CmdLFT55XX(const char *Cmd) {\r
CmdsParse(CommandTable, Cmd);\r
return 0;\r
}\r
\r
-int CmdHelp(const char *Cmd)\r
-{\r
+int CmdHelp(const char *Cmd) {\r
CmdsHelp(CommandTable);\r
return 0;\r
}\r
projects / proxmark3-svn / blobdiff