]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdlft55xx.c
icemans lf fixes & adjustments + lf t55xx bruteforce
[proxmark3-svn] / client / cmdlft55xx.c
index 490850f86125c7bcd4e60eaaec070c39393226db..7bf2c25cab5cbe5cb144a355916a20d0838d4ab7 100644 (file)
@@ -29,6 +29,7 @@
 #define T55x7_CONFIGURATION_BLOCK 0x00\r
 #define T55x7_PAGE0 0x00\r
 #define T55x7_PAGE1 0x01\r
+#define T55x7_PWD      0x00000010\r
 #define REGULAR_READ_MODE_BLOCK 0xFF\r
 \r
 // Default configuration\r
@@ -148,11 +149,24 @@ int usage_t55xx_wakup(){
                PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
        return 0;\r
 }\r
+int usage_t55xx_bruteforce(){\r
+       PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+       PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h         - this help");\r
+       PrintAndLog("     i <*.dic> - loads a default keys dictionary file <*.dic>");\r
+       PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+       PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+       PrintAndLog("       lf t55xx bruteforce i mykeys.dic");\r
+       PrintAndLog("");\r
+       return 0;\r
+}\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
 void printT5xxHeader(uint8_t page){\r
-       PrintAndLog("Reading Page %d:", page);  \r
+       PrintAndLog("Reading Page %d:", page);\r
        PrintAndLog("blk | hex data | binary");\r
        PrintAndLog("----+----------+---------------------------------");       \r
 }\r
@@ -442,7 +456,6 @@ bool tryDetectModulation(){
        t55xx_conf_block_t tests[15];\r
        int bitRate=0;\r
        uint8_t fc1 = 0, fc2 = 0, clk=0;\r
-       save_restoreGB(1);\r
 \r
        if (GetFskClock("", FALSE, FALSE)){ \r
                fskClocks(&fc1, &fc2, &clk, FALSE);\r
@@ -502,7 +515,7 @@ bool tryDetectModulation(){
                        }\r
                }\r
                //undo trim from ask\r
-               save_restoreGB(0);\r
+               //save_restoreGB(0);\r
                clk = GetNrzClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                        if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -522,9 +535,9 @@ bool tryDetectModulation(){
                        }\r
                }\r
                \r
-               //undo trim from nrz\r
-               save_restoreGB(0);\r
+               // allow undo\r
                // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+               save_restoreGB(1);\r
                CmdLtrim("160");\r
                clk = GetPskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
@@ -565,8 +578,9 @@ bool tryDetectModulation(){
                                }\r
                        } // inverse waves does not affect this demod\r
                }\r
+               //undo trim samples\r
+               save_restoreGB(0);\r
        }       \r
-       save_restoreGB(0);      \r
        if ( hits == 1) {\r
                config.modulation = tests[0].modulation;\r
                config.bitrate = tests[0].bitrate;\r
@@ -1297,19 +1311,161 @@ int CmdT55xxWipe(const char *Cmd) {
        return 0;\r
 }\r
 \r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+\r
+       // load a default pwd file.\r
+       char buf[9];\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       int keycnt = 0;\r
+       uint8_t stKeyBlock = 20;\r
+       uint8_t *keyBlock = NULL, *p;\r
+       keyBlock = calloc(stKeyBlock, 6);\r
+       if (keyBlock == NULL) return 1;\r
+\r
+       uint32_t start_password = 0x00000000; //start password\r
+       uint32_t end_password   = 0xFFFFFFFF; //end   password\r
+       bool found = false;\r
+\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       if (cmdp == 'i' || cmdp == 'I') {\r
+\r
+               int len = strlen(Cmd+2);\r
+               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               memcpy(filename, Cmd+2, len);\r
+\r
+               FILE * f = fopen( filename , "r");\r
+\r
+               if ( !f ) {\r
+                       PrintAndLog("File: %s: not found or locked.", filename);\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }\r
+\r
+               while( fgets(buf, sizeof(buf), f) ){\r
+                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+\r
+                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
+\r
+                       //The line start with # is comment, skip\r
+                       if( buf[0]=='#' ) continue;\r
+\r
+                       if (!isxdigit(buf[0])){\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                               continue;\r
+                       }\r
+                       \r
+                       buf[8] = 0;\r
+\r
+                       if ( stKeyBlock - keycnt < 2) {\r
+                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               if (!p) {\r
+                                       PrintAndLog("Cannot allocate memory for defaultKeys");\r
+                                       free(keyBlock);\r
+                                       return 2;\r
+                               }\r
+                               keyBlock = p;\r
+                       }\r
+                       memset(keyBlock + 4 * keycnt, 0, 4);\r
+                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+                       keycnt++;\r
+                       memset(buf, 0, sizeof(buf));\r
+               }\r
+               fclose(f);\r
+               \r
+               if (keycnt == 0) {\r
+                       PrintAndLog("No keys found in file");\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loaded %d keys", keycnt);\r
+               \r
+               // loop\r
+               uint64_t testpwd = 0x00;\r
+               for (uint16_t c = 0; c < keycnt; ++c ) {\r
+\r
+                       if (ukbhit()) {\r
+                               getchar();\r
+                               printf("\naborted via keyboard!\n");\r
+                               return 0;\r
+                       }\r
+\r
+                       testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+                       PrintAndLog("Testing %08X", testpwd);\r
+\r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               return 0;\r
+                       }\r
+\r
+                       found = tryDetectModulation();\r
+\r
+                       if ( found ) {\r
+                               PrintAndLog("Found valid password: [%08X]", testpwd);\r
+                               return 0;\r
+                       }\r
+               }\r
+               PrintAndLog("Password NOT found.");\r
+               return 0;\r
+       }\r
+\r
+       // Try to read Block 7, first :)\r
+\r
+       // incremental pwd range search\r
+       start_password = param_get32ex(Cmd, 0, 0, 16);\r
+       end_password = param_get32ex(Cmd, 1, 0, 16);\r
+       \r
+       if ( start_password >= end_password ) return usage_t55xx_bruteforce();\r
+\r
+       PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+\r
+       uint32_t i = start_password;\r
+\r
+       while ((!found) && (i <= end_password)){\r
+\r
+       printf(".");\r
+       fflush(stdout);\r
+       if (ukbhit()) {\r
+               getchar();\r
+               printf("\naborted via keyboard!\n");\r
+               return 0;\r
+       }\r
+\r
+       if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+               PrintAndLog("Aquireing data from device failed. Quitting");\r
+               return 0;\r
+       }\r
+       found = tryDetectModulation();\r
+           \r
+       if (found) break;\r
+       i++;\r
+       }\r
+\r
+       PrintAndLog("");\r
+\r
+       if (found)\r
+       PrintAndLog("Found valid password: [%08x]", i);\r
+       else\r
+       PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+       return 0;\r
+}\r
+\r
 static command_t CommandTable[] = {\r
-  {"help",     CmdHelp,           1, "This help"},\r
-  {"config",   CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
-  {"detect",   CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
-  {"read",     CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
-  {"resetread",CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
-  {"write",    CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
-  {"trace",    CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
-  {"info",     CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
-  {"dump",     CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
-  {"special",  special,           0, "Show block changes with 64 different offsets"},\r
-  {"wakeup",   CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
-  {"wipe",     CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+  {"help",      CmdHelp,           1, "This help"},\r
+       {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+  {"config",    CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+  {"detect",    CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+  {"read",      CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+  {"resetread", CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+  {"write",     CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+  {"trace",     CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+  {"info",      CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+  {"dump",      CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+  {"special",   special,           0, "Show block changes with 64 different offsets"},\r
+  {"wakeup",    CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
+  {"wipe",      CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
   {NULL, NULL, 0, NULL}\r
 };\r
 \r
Impressum, Datenschutz