PrintAndLog("");\r
return 0;\r
}\r
-int usage_t55xx_wipe(){\r
+int usage_t55xx_recoverpw(){\r
+ PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+ PrintAndLog("WARNING: this may brick non-password protected chips!");\r
+ PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
+ PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
+ PrintAndLog(" default password is 51243648, used by many cloners");\r
+ PrintAndLog("Options:");\r
+ PrintAndLog(" h - this help");\r
+ PrintAndLog(" [password] - 4 byte hex value of password written by cloner");\r
+ PrintAndLog("");\r
+ PrintAndLog("Examples:");\r
+ PrintAndLog(" lf t55xx recoverpw");\r
+ PrintAndLog(" lf t55xx recoverpw 51243648");\r
+ PrintAndLog("");\r
+ return 0;\r
+}int usage_t55xx_wipe(){\r
PrintAndLog("Usage: lf t55xx wipe [h] [Q5]");\r
PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
PrintAndLog("Options:");\r
return 0;\r
}\r
\r
+int tryOnePassword(uint32_t password)\r
+{\r
+ PrintAndLog("Trying password %08x", password);\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+ PrintAndLog("Aquireing data from device failed. Quitting");\r
+ return -1;\r
+ }\r
+\r
+ if (tryDetectModulation())\r
+ return 1;\r
+ else return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+ int bit = 0;\r
+ uint32_t orig_password = 0x0;\r
+ uint32_t curr_password = 0x0;\r
+ uint32_t prev_password = 0xffffffff;\r
+ uint32_t mask = 0x0;\r
+ int found = 0;\r
+\r
+ char cmdp = param_getchar(Cmd, 0);\r
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+ orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+ // first try fliping each bit in the expected password\r
+ while ((found != 1) && (bit < 32)) {\r
+ curr_password = orig_password ^ ( 1 << bit );\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ }\r
+\r
+ // now try to use partial original password, since block 7 should have been completely\r
+ // erased during the write sequence and it is possible that only partial password has been\r
+ // written\r
+ // not sure from which end the bit bits are written, so try from both ends \r
+ // from low bit to high bit\r
+ bit = 0;\r
+ while ((found != 1) && (bit < 32)) {\r
+ mask += ( 1 << bit );\r
+ curr_password = orig_password & mask;\r
+ // if updated mask didn't change the password, don't try it again\r
+ if (prev_password == curr_password) {\r
+ bit++;\r
+ continue;\r
+ }\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ prev_password=curr_password;\r
+ }\r
+\r
+ // from high bit to low\r
+ bit = 0;\r
+ mask = 0xffffffff;\r
+ while ((found != 1) && (bit < 32)) {\r
+ mask -= ( 1 << bit );\r
+ curr_password = orig_password & mask;\r
+ // if updated mask didn't change the password, don't try it again\r
+ if (prev_password == curr_password) {\r
+ bit++;\r
+ continue;\r
+ }\r
+ found = tryOnePassword(curr_password);\r
+ if (found == 1)\r
+ goto done;\r
+ else if (found == -1)\r
+ return 0;\r
+ bit++;\r
+ prev_password=curr_password;\r
+ }\r
+done:\r
+ PrintAndLog("");\r
+\r
+ if (found == 1)\r
+ PrintAndLog("Found valid password: [%08x]", curr_password);\r
+ else\r
+ PrintAndLog("Password NOT found.");\r
+\r
+ return 0;\r
+}\r
+\r
static command_t CommandTable[] = {\r
{"help", CmdHelp, 1, "This help"},\r
{"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
{"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
{"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
{"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+ {"recoverpw", CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},\r
{"special", special, 0, "Show block changes with 64 different offsets"}, \r
{"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
{"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},\r
projects / proxmark3-svn / blobdiff