- uint32_t tmp = 0;\r
- for (; j >= 0; --j, ++i){\r
- tmp |= bits[i] << j;\r
- }\r
- return tmp;\r
-}\r
-\r
-static command_t CommandTable[] =\r
-{\r
- {"help", CmdHelp, 1, "This help"},\r
- {"config", CmdT55xxSetConfig, 1, "Set T55XX config for modulation, inversed data"},\r
- {"detect", CmdT55xxDetect, 0, "Try detecting the tag modulation from reading the configuration block."},\r
- {"read", CmdT55xxReadBlock, 0, "<block> [password] -- Read T55xx block data (page 0) [optional password]"},\r
- {"write", CmdT55xxWriteBlock,0, "<block> <data> [password] -- Write T55xx block data (page 0) [optional password]"},\r
- {"trace", CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},\r
- {"info", CmdT55xxInfo, 0, "[1] Show T55xx configuration data (page 0/ blk 0)"},\r
- {"dump", CmdT55xxDump, 0, "[password] Dump T55xx card block 0-7. [optional password]"},\r
- {"special", special, 0, "Shows how a datablock changes with 32 different offsets"},\r
- {NULL, NULL, 0, NULL}\r
+ \r
+ // Try to read Block 7, first :)\r
+ \r
+ // incremental pwd range search\r
+ start_password = param_get32ex(Cmd, 0, 0, 16);\r
+ end_password = param_get32ex(Cmd, 1, 0, 16);\r
+ \r
+ if ( start_password >= end_password ) {\r
+ free(keyBlock);\r
+ return usage_t55xx_bruteforce();\r
+ }\r
+ \r
+ PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+ \r
+ uint32_t i = start_password;\r
+\r
+ while ((!found) && (i <= end_password)){\r
+\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ \r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ found = tryDetectModulation();\r
+ \r
+ if (found) break;\r
+ i++;\r
+ }\r
+ \r
+ PrintAndLog("");\r
+ \r
+ if (found)\r
+ PrintAndLog("Found valid password: [%08x]", i);\r
+ else\r
+ PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+ free(keyBlock);\r
+ return 0;\r
+}\r
+\r
+int tryOnePassword(uint32_t password) {\r
+ PrintAndLog("Trying password %08x", password);\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ return -1;\r
+ }\r
+\r
+ if (tryDetectModulation())\r
+ return 1;\r
+ else return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+ int bit = 0;\r
+ uint32_t orig_password = 0x0;\r
+ uint32_t curr_password = 0x0;\r
+ uint32_t prev_password = 0xffffffff;\r
+ uint32_t mask = 0x0;\r
+ int found = 0;\r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+ orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+ // first try fliping each bit in the expected password\r
+ while ((found != 1) && (bit < 32)) {\r
+ curr_password = orig_password ^ ( 1 << bit );\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ }\r
+\r
+ // now try to use partial original password, since block 7 should have been completely\r
+ // erased during the write sequence and it is possible that only partial password has been\r
+ // written\r
+ // not sure from which end the bit bits are written, so try from both ends \r
+ // from low bit to high bit\r
+ bit = 0;\r
+ while ((found != 1) && (bit < 32)) {\r
+ mask += ( 1 << bit );\r
+ curr_password = orig_password & mask;\r
+ // if updated mask didn't change the password, don't try it again\r
+ if (prev_password == curr_password) {\r
+ bit++;\r
+ continue;\r
+ }\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ prev_password=curr_password;\r
+ }\r
+\r
+ // from high bit to low\r
+ bit = 0;\r
+ mask = 0xffffffff;\r
+ while ((found != 1) && (bit < 32)) {\r
+ mask -= ( 1 << bit );\r
+ curr_password = orig_password & mask;\r
+ // if updated mask didn't change the password, don't try it again\r
+ if (prev_password == curr_password) {\r
+ bit++;\r
+ continue;\r
+ }\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ prev_password=curr_password;\r
+ }\r
+done:\r
+ PrintAndLog("");\r
+\r
+ if (found == 1)\r
+ PrintAndLog("Found valid password: [%08x]", curr_password);\r
+ else\r
+ PrintAndLog("Password NOT found.");\r
+\r
+ return 0;\r
+}\r
+\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"bruteforce", CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+ {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+ {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+ {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+ {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+ {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+ {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+ {"recoverpw", CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},\r
+ {"special", special, 0, "Show block changes with 64 different offsets"}, \r
+ {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+ {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},\r
+ {"wipe", CmdT55xxWipe, 0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+ {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+ {NULL, NULL, 0, NULL}\r