+ \r
+ PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+ \r
+ uint32_t i = start_password;\r
+\r
+ while ((!found) && (i <= end_password)){\r
+\r
+ printf(".");\r
+ fflush(stdout);\r
+ if (ukbhit()) {\r
+ ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ \r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
+ found = tryDetectModulation();\r
+ \r
+ if (found) break;\r
+ i++;\r
+ }\r
+ \r
+ PrintAndLog("");\r
+ \r
+ if (found)\r
+ PrintAndLog("Found valid password: [%08x]", i);\r
+ else\r
+ PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+ free(keyBlock);\r
+ return 0;\r
+}\r
+\r
+int tryOnePassword(uint32_t password) {\r
+ PrintAndLog("Trying password %08x", password);\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ return -1;\r
+ }\r
+\r
+ if (tryDetectModulation())\r
+ return 1;\r
+ else \r
+ return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+ int bit = 0;\r
+ uint32_t orig_password = 0x0;\r
+ uint32_t curr_password = 0x0;\r
+ uint32_t prev_password = 0xffffffff;\r
+ uint32_t mask = 0x0;\r
+ int found = 0;\r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+ orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+ // first try fliping each bit in the expected password\r
+ while ((found != 1) && (bit < 32)) {\r
+ curr_password = orig_password ^ ( 1 << bit );\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ }\r
+\r
+ // now try to use partial original password, since block 7 should have been completely\r
+ // erased during the write sequence and it is possible that only partial password has been\r
+ // written\r
+ // not sure from which end the bit bits are written, so try from both ends \r
+ // from low bit to high bit\r
+ bit = 0;\r
+ while ((found != 1) && (bit < 32)) {\r
+ mask += ( 1 << bit );\r
+ curr_password = orig_password & mask;\r
+ // if updated mask didn't change the password, don't try it again\r
+ if (prev_password == curr_password) {\r
+ bit++;\r
+ continue;\r
+ }\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ prev_password=curr_password;\r
+ }\r
+\r
+ // from high bit to low\r
+ bit = 0;\r
+ mask = 0xffffffff;\r
+ while ((found != 1) && (bit < 32)) {\r
+ mask -= ( 1 << bit );\r
+ curr_password = orig_password & mask;\r
+ // if updated mask didn't change the password, don't try it again\r
+ if (prev_password == curr_password) {\r
+ bit++;\r
+ continue;\r
+ }\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ prev_password=curr_password;\r
+ }\r
+done:\r
+ PrintAndLog("");\r
+\r
+ if (found == 1)\r
+ PrintAndLog("Found valid password: [%08x]", curr_password);\r
+ else\r
+ PrintAndLog("Password NOT found.");\r
+\r