]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdlft55xx.c
updated
[proxmark3-svn] / client / cmdlft55xx.c
index f8865c8da89898488265e90f382024de18f0d452..1b005d96a1313262c87b5caf5940b1eeec3d1f40 100644 (file)
@@ -6,28 +6,7 @@
 //-----------------------------------------------------------------------------\r
 // Low frequency T55xx commands\r
 //-----------------------------------------------------------------------------\r
-\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <inttypes.h>\r
-#include "proxmark3.h"\r
-#include "ui.h"\r
-#include "graph.h"\r
-#include "cmdmain.h"\r
-#include "cmdparser.h"\r
-#include "cmddata.h"\r
-#include "cmdlf.h"\r
 #include "cmdlft55xx.h"\r
-#include "util.h"\r
-#include "data.h"\r
-#include "lfdemod.h"\r
-#include "cmdhf14a.h" //for getTagInfo\r
-\r
-#define T55x7_CONFIGURATION_BLOCK 0x00\r
-#define T55x7_PAGE0 0x00\r
-#define T55x7_PAGE1 0x01\r
-#define T55x7_PWD      0x00000010\r
-#define REGULAR_READ_MODE_BLOCK 0xFF\r
 \r
 // Default configuration\r
 t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
@@ -150,6 +129,7 @@ int usage_t55xx_wakup(){
 int usage_t55xx_bruteforce(){\r
        PrintAndLog("This command uses A) bruteforce to scan a number range");\r
        PrintAndLog("                  B) a dictionary attack");\r
+       PrintAndLog("press 'enter' to cancel the command");\r
     PrintAndLog("Usage: lf t55xx bruteforce [h] <start password> <end password> [i <*.dic>]");\r
     PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
        PrintAndLog("Options:");\r
@@ -166,6 +146,7 @@ int usage_t55xx_bruteforce(){
 }\r
 int usage_t55xx_recoverpw(){\r
        PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+       PrintAndLog("press 'enter' to cancel the command");\r
        PrintAndLog("WARNING: this may brick non-password protected chips!");\r
        PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
        PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
@@ -195,8 +176,8 @@ static int CmdHelp(const char *Cmd);
 \r
 void printT5xxHeader(uint8_t page){\r
        PrintAndLog("Reading Page %d:", page);  \r
-       PrintAndLog("blk | hex data | binary");\r
-       PrintAndLog("----+----------+---------------------------------");       \r
+       PrintAndLog("blk | hex data | binary                           | ascii");\r
+       PrintAndLog("----+----------+----------------------------------+-------");      \r
 }\r
 \r
 int CmdT55xxSetConfig(const char *Cmd) {\r
@@ -547,6 +528,11 @@ bool tryDetectModulation(){
                clk = GetAskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                        tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert false, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
                        if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
@@ -555,6 +541,11 @@ bool tryDetectModulation(){
                                ++hits;\r
                        }\r
                        tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert true, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
                        if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
@@ -664,13 +655,46 @@ bool tryDetectModulation(){
                return TRUE;\r
        }\r
        \r
+       bool retval = FALSE;\r
        if ( hits > 1) {\r
                PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
                for(int i=0; i<hits; ++i){\r
-                       PrintAndLog("--[%d]---------------", i+1);\r
+                       retval = testKnownConfigBlock(tests[i].block0);\r
+                       if ( retval ) {                         \r
+                               PrintAndLog("--[%d]--------------- << selected this", i+1);\r
+                               config.modulation = tests[i].modulation;\r
+                               config.bitrate = tests[i].bitrate;\r
+                               config.inverted = tests[i].inverted;\r
+                               config.offset = tests[i].offset;\r
+                               config.block0 = tests[i].block0;\r
+                               config.Q5 = tests[i].Q5;\r
+                               config.ST = tests[i].ST;\r
+                       } else {\r
+                               PrintAndLog("--[%d]---------------", i+1);\r
+                       }\r
                        printConfiguration( tests[i] );\r
                }\r
        }\r
+       return retval;\r
+}\r
+\r
+bool testKnownConfigBlock(uint32_t block0) {\r
+       switch(block0){\r
+               case T55X7_DEFAULT_CONFIG_BLOCK:\r
+               case T55X7_RAW_CONFIG_BLOCK:\r
+               case T55X7_EM_UNIQUE_CONFIG_BLOCK:\r
+               case T55X7_FDXB_CONFIG_BLOCK:\r
+               case T55X7_HID_26_CONFIG_BLOCK:\r
+               case T55X7_PYRAMID_CONFIG_BLOCK:\r
+               case T55X7_INDALA_64_CONFIG_BLOCK:\r
+               case T55X7_INDALA_224_CONFIG_BLOCK:\r
+               case T55X7_GUARDPROXII_CONFIG_BLOCK:\r
+               case T55X7_VIKING_CONFIG_BLOCK:\r
+               case T55X7_NORALYS_CONFIG_BLOCK:\r
+               case T55X7_IOPROX_CONFIG_BLOCK:\r
+               case T55X7_PRESCO_CONFIG_BLOCK:\r
+                       return TRUE;\r
+       }\r
        return FALSE;\r
 }\r
 \r
@@ -854,16 +878,18 @@ void printT55xxBlock(const char *blockNum){
                bits[i - config.offset] = DemodBuffer[i];\r
 \r
        blockData = PackBits(0, 32, bits);\r
+       uint8_t bytes[4] = {0};\r
+       num_to_bytes(blockData, 4, bytes);\r
 \r
-       PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));\r
+       PrintAndLog(" %s | %08X | %s | %s", blockNum, blockData, sprint_bin(bits,32), sprint_ascii(bytes,4));\r
 }\r
 \r
 int special(const char *Cmd) {\r
        uint32_t blockData = 0;\r
        uint8_t bits[32] = {0x00};\r
 \r
-       PrintAndLog("OFFSET | DATA  | BINARY");\r
-       PrintAndLog("----------------------------------------------------");\r
+       PrintAndLog("OFFSET | DATA  | BINARY                              | ASCII");\r
+       PrintAndLog("-------+-------+-------------------------------------+------");\r
        int i,j = 0;\r
        for (; j < 64; ++j){\r
                \r
@@ -983,7 +1009,7 @@ int CmdT55xxWriteBlock(const char *Cmd) {
        }\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
-       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)){\r
                PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
                return 0;\r
        }\r
@@ -1249,21 +1275,26 @@ int CmdT55xxDump(const char *Cmd){
 \r
 int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
        // arg0 bitmodes:\r
-       // bit0 = pwdmode\r
-       // bit1 = page to read from\r
+       //      bit0 = pwdmode\r
+       //      bit1 = page to read from\r
+       // arg1: which block to read\r
+       // arg2: password\r
        uint8_t arg0 = (page<<1) | pwdmode;\r
        UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
-       \r
        clearCommandBuffer();\r
        SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
                PrintAndLog("command execution time out");\r
                return 0;\r
        }\r
 \r
-       uint8_t got[12000];\r
-       GetFromBigBuf(got,sizeof(got),0);\r
-       WaitForResponse(CMD_ACK,NULL);\r
+       //uint8_t got[12288];\r
+       uint8_t got[7679];\r
+       GetFromBigBuf(got, sizeof(got), 0);\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {\r
+               PrintAndLog("command execution time out");\r
+               return 0;\r
+       }\r
        setGraphBuf(got, sizeof(got));\r
        return 1;\r
 }\r
@@ -1379,10 +1410,9 @@ void t55x7_create_config_block( int tagtype ){
 \r
 int CmdResetRead(const char *Cmd) {\r
        UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
-\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
                PrintAndLog("command execution time out");\r
                return 0;\r
        }\r
@@ -1406,11 +1436,10 @@ int CmdT55xxWipe(const char *Cmd) {
        // With a pwd should work even if pwd bit not set\r
        PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
                \r
-       if ( Q5 ){\r
+       if ( Q5 )\r
                snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
-       } else {\r
+       else\r
                snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
-       }\r
        \r
        if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
        \r
@@ -1425,23 +1454,34 @@ int CmdT55xxWipe(const char *Cmd) {
        return 0;\r
 }\r
 \r
+bool IsCancelled(void) {\r
+       if (ukbhit()) {\r
+               int ch = getchar();\r
+               (void)ch;\r
+               printf("\naborted via keyboard!\n");\r
+               return TRUE;\r
+       }\r
+       return FALSE;\r
+}\r
+\r
 int CmdT55xxBruteForce(const char *Cmd) {\r
        \r
        // load a default pwd file.\r
-       char buf[9];\r
+       char line[9];\r
        char filename[FILE_PATH_SIZE]={0};\r
        int     keycnt = 0;\r
-       int ch;\r
        uint8_t stKeyBlock = 20;\r
        uint8_t *keyBlock = NULL, *p = NULL;\r
     uint32_t start_password = 0x00000000; //start password\r
     uint32_t end_password   = 0xFFFFFFFF; //end   password\r
     bool found = false;\r
 \r
+       memset(line, 0, sizeof(line));\r
+       \r
     char cmdp = param_getchar(Cmd, 0);\r
        if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
 \r
-       keyBlock = calloc(stKeyBlock, 6);\r
+       keyBlock = calloc(stKeyBlock, 4);\r
        if (keyBlock == NULL) return 1;\r
 \r
        if (cmdp == 'i' || cmdp == 'I') {\r
@@ -1450,46 +1490,52 @@ int CmdT55xxBruteForce(const char *Cmd) {
                if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
                memcpy(filename, Cmd+2, len);\r
        \r
-               FILE * f = fopen( filename , "r");\r
-               \r
+               FILE * f = fopen( filename , "r");              \r
                if ( !f ) {\r
                        PrintAndLog("File: %s: not found or locked.", filename);\r
                        free(keyBlock);\r
                        return 1;\r
                }                       \r
-                       \r
-               while( fgets(buf, sizeof(buf), f) ){\r
-                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
                \r
-                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
-                       \r
+               while( fgets(line, sizeof(line), f) ){\r
+                       if (strlen(line) < 8 || line[7] == '\n') continue;\r
+               \r
+                       //goto next line\r
+                       while (fgetc(f) != '\n' && !feof(f)) ;\r
+               \r
                        //The line start with # is comment, skip\r
-                       if( buf[0]=='#' ) continue;\r
+                       if( line[0]=='#' ) continue;\r
 \r
-                       if (!isxdigit(buf[0])){\r
-                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                       if (!isxdigit(line[0])) {\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", line);\r
                                continue;\r
                        }\r
                        \r
-                       buf[8] = 0;\r
-\r
+                       line[8] = 0;            \r
+                       \r
+                       // realloc keyblock array size.\r
                        if ( stKeyBlock - keycnt < 2) {\r
-                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               p = realloc(keyBlock, 4 * (stKeyBlock += 10));\r
                                if (!p) {\r
                                        PrintAndLog("Cannot allocate memory for defaultKeys");\r
                                        free(keyBlock);\r
-                                       fclose(f);\r
+                                       if (f)\r
+                                               fclose(f);\r
                                        return 2;\r
                                }\r
                                keyBlock = p;\r
                        }\r
+                       // clear mem\r
                        memset(keyBlock + 4 * keycnt, 0, 4);\r
-                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
-                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
-                       keycnt++;\r
-                       memset(buf, 0, sizeof(buf));\r
+                       \r
+                       num_to_bytes( strtoll(line, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       \r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4 * keycnt, 4) );                       \r
+                       keycnt++;                       \r
+                       memset(line, 0, sizeof(line));\r
                }               \r
-               fclose(f);\r
+               if (f)\r
+                       fclose(f);\r
                \r
                if (keycnt == 0) {\r
                        PrintAndLog("No keys found in file");\r
@@ -1501,11 +1547,14 @@ int CmdT55xxBruteForce(const char *Cmd) {
                // loop\r
                uint64_t testpwd = 0x00;\r
                for (uint16_t c = 0; c < keycnt; ++c ) {\r
-       \r
-                       if (ukbhit()) {\r
-                               ch = getchar();\r
-                               (void)ch;\r
-                               printf("\naborted via keyboard!\n");\r
+\r
+                       if ( offline ) {\r
+                               printf("Device offline\n");\r
+                               free(keyBlock);\r
+                               return  2;\r
+                       }\r
+               \r
+                       if (IsCancelled()) {\r
                                free(keyBlock);\r
                                return 0;\r
                        }\r
@@ -1513,20 +1562,18 @@ int CmdT55xxBruteForce(const char *Cmd) {
                        testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
 \r
                        PrintAndLog("Testing %08X", testpwd);\r
-                       \r
-                       \r
+                                               \r
                        if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
-                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               PrintAndLog("Acquire data from device failed. Quitting");\r
                                free(keyBlock);\r
                                return 0;\r
                        }\r
                        \r
                        found = tryDetectModulation();\r
-\r
                        if ( found ) {\r
                                PrintAndLog("Found valid password: [%08X]", testpwd);\r
-                               free(keyBlock);\r
-                               return 0;\r
+                               //free(keyBlock);\r
+                               //return 0;\r
                        } \r
                }\r
                PrintAndLog("Password NOT found.");\r
@@ -1553,16 +1600,14 @@ int CmdT55xxBruteForce(const char *Cmd) {
 \r
                printf(".");\r
                fflush(stdout);\r
-               if (ukbhit()) {\r
-                       ch = getchar();\r
-                       (void)ch;\r
-                       printf("\naborted via keyboard!\n");\r
+               \r
+               if (IsCancelled()) {\r
                        free(keyBlock);\r
                        return 0;\r
                }\r
                        \r
                if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
-                       PrintAndLog("Aquireing data from device failed. Quitting");\r
+                       PrintAndLog("Acquire data from device failed. Quitting");\r
                        free(keyBlock);\r
                        return 0;\r
                }\r
@@ -1583,17 +1628,17 @@ int CmdT55xxBruteForce(const char *Cmd) {
     return 0;\r
 }\r
 \r
-int tryOnePassword(uint32_t password)\r
-{\r
+int tryOnePassword(uint32_t password) {\r
        PrintAndLog("Trying password %08x", password);\r
        if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
-               PrintAndLog("Aquireing data from device failed. Quitting");\r
+               PrintAndLog("Acquire data from device failed. Quitting");\r
                return -1;\r
        }\r
 \r
        if (tryDetectModulation())\r
                return 1;\r
-       else return 0;\r
+       else \r
+               return 0;\r
 }\r
 \r
 int CmdT55xxRecoverPW(const char *Cmd) {\r
@@ -1603,21 +1648,19 @@ int CmdT55xxRecoverPW(const char *Cmd) {
        uint32_t prev_password = 0xffffffff;\r
        uint32_t mask = 0x0;\r
        int found = 0;\r
-\r
        char cmdp = param_getchar(Cmd, 0);\r
        if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
 \r
        orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
 \r
        // first try fliping each bit in the expected password\r
-       while ((found != 1) && (bit < 32)) {\r
+       while (bit < 32) {\r
                curr_password = orig_password ^ ( 1 << bit );\r
                found = tryOnePassword(curr_password);\r
-               if (found == 1)\r
-                       goto done;\r
-               else if (found == -1)\r
-                       return 0;\r
+               if (found == -1) return 0;\r
                bit++;\r
+               \r
+               if (IsCancelled()) return 0;\r
        }\r
 \r
        // now try to use partial original password, since block 7 should have been completely\r
@@ -1626,7 +1669,7 @@ int CmdT55xxRecoverPW(const char *Cmd) {
        // not sure from which end the bit bits are written, so try from both ends \r
        // from low bit to high bit\r
        bit = 0;\r
-       while ((found != 1) && (bit < 32)) {\r
+       while (bit < 32) {\r
                mask += ( 1 << bit );\r
                curr_password = orig_password & mask;\r
                // if updated mask didn't change the password, don't try it again\r
@@ -1635,18 +1678,17 @@ int CmdT55xxRecoverPW(const char *Cmd) {
                        continue;\r
                }\r
                found = tryOnePassword(curr_password);\r
-               if (found == 1)\r
-                       goto done;\r
-               else if (found == -1)\r
-                       return 0;\r
+               if (found == -1) return 0;\r
                bit++;\r
-               prev_password=curr_password;\r
+               prev_password = curr_password;\r
+               \r
+               if (IsCancelled()) return 0;\r
        }\r
 \r
        // from high bit to low\r
        bit = 0;\r
        mask = 0xffffffff;\r
-       while ((found != 1) && (bit < 32)) {\r
+       while (bit < 32) {\r
                mask -= ( 1 << bit );\r
                curr_password = orig_password & mask;\r
                // if updated mask didn't change the password, don't try it again\r
@@ -1655,14 +1697,14 @@ int CmdT55xxRecoverPW(const char *Cmd) {
                        continue;\r
                }\r
                found = tryOnePassword(curr_password);\r
-               if (found == 1)\r
-                       goto done;\r
-               else if (found == -1)\r
+               if (found == -1)\r
                        return 0;\r
                bit++;\r
-               prev_password=curr_password;\r
+               prev_password = curr_password;\r
+               \r
+               if (IsCancelled()) return 0;\r
        }\r
-done:\r
+\r
        PrintAndLog("");\r
 \r
        if (found == 1)\r
Impressum, Datenschutz