X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/051643995984009593bcb8180ff9f9d570af7df5..4697964f6a9dd166246de0072720e409b69cc61a:/client/cmdlft55xx.c?ds=sidebyside
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index 2efe0c22..28149eff 100644
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -42,13 +42,13 @@ void Set_t55xx_Config(t55xx_conf_block_t conf){
int usage_t55xx_config(){
PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");
PrintAndLog("Options:");
- PrintAndLog(" h This help");
- PrintAndLog(" b <8|16|32|40|50|64|100|128> Set bitrate");
- PrintAndLog(" d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");
- PrintAndLog(" i [1] Invert data signal, defaults to normal");
- PrintAndLog(" o [offset] Set offset, where data should start decode in bitstream");
- PrintAndLog(" Q5 Set as Q5(T5555) chip instead of T55x7");
- PrintAndLog(" ST Set Sequence Terminator on");
+ PrintAndLog(" h - This help");
+ PrintAndLog(" b <8|16|32|40|50|64|100|128> - Set bitrate");
+ PrintAndLog(" d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> - Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");
+ PrintAndLog(" i [1] - Invert data signal, defaults to normal");
+ PrintAndLog(" o [offset] - Set offset, where data should start decode in bitstream");
+ PrintAndLog(" Q5 - Set as Q5(T5555) chip instead of T55x7");
+ PrintAndLog(" ST - Set Sequence Terminator on");
PrintAndLog("");
PrintAndLog("Examples:");
PrintAndLog(" lf t55xx config d FSK - FSK demodulation");
@@ -92,7 +92,7 @@ int usage_t55xx_write(){
int usage_t55xx_trace() {
PrintAndLog("Usage: lf t55xx trace [1]");
PrintAndLog("Options:");
- PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");
+ PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");
PrintAndLog("");
PrintAndLog("Examples:");
PrintAndLog(" lf t55xx trace");
@@ -103,7 +103,7 @@ int usage_t55xx_trace() {
int usage_t55xx_info() {
PrintAndLog("Usage: lf t55xx info [1]");
PrintAndLog("Options:");
- PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");
+ PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");
PrintAndLog("");
PrintAndLog("Examples:");
PrintAndLog(" lf t55xx info");
@@ -150,7 +150,7 @@ int usage_t55xx_wakup(){
int usage_t55xx_bruteforce(){
PrintAndLog("This command uses A) bruteforce to scan a number range");
PrintAndLog(" B) a dictionary attack");
- PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
+ PrintAndLog("Usage: lf t55xx bruteforce [h] <start password> <end password> [i <*.dic>]");
PrintAndLog(" password must be 4 bytes (8 hex symbols)");
PrintAndLog("Options:");
PrintAndLog(" h - this help");
@@ -164,7 +164,22 @@ int usage_t55xx_bruteforce(){
PrintAndLog("");
return 0;
}
-int usage_t55xx_wipe(){
+int usage_t55xx_recoverpw(){
+ PrintAndLog("This command uses a few tricks to try to recover mangled password");
+ PrintAndLog("WARNING: this may brick non-password protected chips!");
+ PrintAndLog("Usage: lf t55xx recoverpw [password]");
+ PrintAndLog(" password must be 4 bytes (8 hex symbols)");
+ PrintAndLog(" default password is 51243648, used by many cloners");
+ PrintAndLog("Options:");
+ PrintAndLog(" h - this help");
+ PrintAndLog(" [password] - 4 byte hex value of password written by cloner");
+ PrintAndLog("");
+ PrintAndLog("Examples:");
+ PrintAndLog(" lf t55xx recoverpw");
+ PrintAndLog(" lf t55xx recoverpw 51243648");
+ PrintAndLog("");
+ return 0;
+}int usage_t55xx_wipe(){
PrintAndLog("Usage: lf t55xx wipe [h] [Q5]");
PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");
PrintAndLog("Options:");
@@ -441,6 +456,14 @@ bool DecodeT5555TraceBlock() {
return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1);
}
+// sanity check. Don't use proxmark if it is offline and you didn't specify useGraphbuf
+static int SanityOfflineCheck( bool useGraphBuffer ){
+ if ( !useGraphBuffer && offline) {
+ PrintAndLog("Your proxmark3 device is offline. Specify [1] to use graphbuffer data instead");
+ return 0;
+ }
+ return 1;
+}
int CmdT55xxDetect(const char *Cmd){
bool errors = FALSE;
@@ -473,15 +496,18 @@ int CmdT55xxDetect(const char *Cmd){
}
if (errors) return usage_t55xx_detect();
+ // sanity check.
+ if (!SanityOfflineCheck(useGB)) return 1;
+
if ( !useGB) {
if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )
- return 0;
+ return 1;
}
if ( !tryDetectModulation() )
PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");
- return 1;
+ return 0;
}
// detect configuration?
@@ -521,6 +547,11 @@ bool tryDetectModulation(){
clk = GetAskClock("", FALSE, FALSE);
if (clk>0) {
tests[hits].ST = TRUE;
+ // "0 0 1 " == clock auto, invert false, maxError 1.
+ // false = no verbose
+ // false = no emSearch
+ // 1 = Ask/Man
+ // st = true
if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
tests[hits].modulation = DEMOD_ASK;
tests[hits].bitrate = bitRate;
@@ -529,6 +560,11 @@ bool tryDetectModulation(){
++hits;
}
tests[hits].ST = TRUE;
+ // "0 0 1 " == clock auto, invert true, maxError 1.
+ // false = no verbose
+ // false = no emSearch
+ // 1 = Ask/Man
+ // st = true
if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
tests[hits].modulation = DEMOD_ASK;
tests[hits].bitrate = bitRate;
@@ -970,17 +1006,21 @@ int CmdT55xxReadTrace(const char *Cmd) {
uint32_t password = 0;
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();
- if (strlen(Cmd)==0)
+ if (strlen(Cmd)==0) {
+ // sanity check.
+ if (!SanityOfflineCheck(FALSE)) return 1;
+
if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )
- return 0;
+ return 1;
+ }
if ( config.Q5 ){
- if (!DecodeT5555TraceBlock()) return 0;
+ if (!DecodeT5555TraceBlock()) return 1;
} else {
- if (!DecodeT55xxBlock()) return 0;
+ if (!DecodeT55xxBlock()) return 1;
}
- if ( !DemodBufferLen ) return 0;
+ if ( !DemodBufferLen ) return 1;
RepaintGraphWindow();
uint8_t repeat = (config.offset > 5) ? 32 : 0;
@@ -994,7 +1034,7 @@ int CmdT55xxReadTrace(const char *Cmd) {
if (hdr != 0x1FF) {
PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);
- return 0;
+ return 1;
}
t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};
@@ -1033,7 +1073,7 @@ int CmdT55xxReadTrace(const char *Cmd) {
data.acl = PackBits(si, 8, DemodBuffer); si += 8;
if ( data.acl != 0xE0 ) {
PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");
- return 0;
+ return 1;
}
data.mfc = PackBits(si, 8, DemodBuffer); si += 8;
@@ -1133,9 +1173,13 @@ int CmdT55xxInfo(const char *Cmd){
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();
- if (strlen(Cmd)==0)
+ if (strlen(Cmd)==0){
+ // sanity check.
+ if (!SanityOfflineCheck(FALSE)) return 1;
+
if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )
return 1;
+ }
if (!DecodeT55xxBlock()) return 1;
@@ -1215,8 +1259,11 @@ int CmdT55xxDump(const char *Cmd){
int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){
// arg0 bitmodes:
- // bit0 = pwdmode
- // bit1 = page to read from
+ // bit0 = pwdmode
+ // bit1 = page to read from
+ // arg1: which block to read
+ // arg2: password
+
uint8_t arg0 = (page<<1) | pwdmode;
UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};
@@ -1397,21 +1444,18 @@ int CmdT55xxBruteForce(const char *Cmd) {
char buf[9];
char filename[FILE_PATH_SIZE]={0};
int keycnt = 0;
- int c;
+ int ch;
uint8_t stKeyBlock = 20;
uint8_t *keyBlock = NULL, *p = NULL;
- keyBlock = calloc(stKeyBlock, 6);
- if (keyBlock == NULL) return 1;
-
uint32_t start_password = 0x00000000; //start password
uint32_t end_password = 0xFFFFFFFF; //end password
bool found = false;
char cmdp = param_getchar(Cmd, 0);
- if (cmdp == 'h' || cmdp == 'H') {
- free(keyBlock);
- return usage_t55xx_bruteforce();
- }
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();
+
+ keyBlock = calloc(stKeyBlock, 6);
+ if (keyBlock == NULL) return 1;
if (cmdp == 'i' || cmdp == 'I') {
@@ -1472,8 +1516,8 @@ int CmdT55xxBruteForce(const char *Cmd) {
for (uint16_t c = 0; c < keycnt; ++c ) {
if (ukbhit()) {
- c = getchar();
- (void)c;
+ ch = getchar();
+ (void)ch;
printf("\naborted via keyboard!\n");
free(keyBlock);
return 0;
@@ -1523,8 +1567,8 @@ int CmdT55xxBruteForce(const char *Cmd) {
printf(".");
fflush(stdout);
if (ukbhit()) {
- c = getchar();
- (void)c;
+ ch = getchar();
+ (void)ch;
printf("\naborted via keyboard!\n");
free(keyBlock);
return 0;
@@ -1552,15 +1596,105 @@ int CmdT55xxBruteForce(const char *Cmd) {
return 0;
}
+int tryOnePassword(uint32_t password) {
+ PrintAndLog("Trying password %08x", password);
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {
+ PrintAndLog("Aquireing data from device failed. Quitting");
+ return -1;
+ }
+
+ if (tryDetectModulation())
+ return 1;
+ else return 0;
+}
+
+int CmdT55xxRecoverPW(const char *Cmd) {
+ int bit = 0;
+ uint32_t orig_password = 0x0;
+ uint32_t curr_password = 0x0;
+ uint32_t prev_password = 0xffffffff;
+ uint32_t mask = 0x0;
+ int found = 0;
+
+ char cmdp = param_getchar(Cmd, 0);
+ if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();
+
+ orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners
+
+ // first try fliping each bit in the expected password
+ while ((found != 1) && (bit < 32)) {
+ curr_password = orig_password ^ ( 1 << bit );
+ found = tryOnePassword(curr_password);
+ if (found == 1)
+ goto done;
+ else if (found == -1)
+ return 0;
+ bit++;
+ }
+
+ // now try to use partial original password, since block 7 should have been completely
+ // erased during the write sequence and it is possible that only partial password has been
+ // written
+ // not sure from which end the bit bits are written, so try from both ends
+ // from low bit to high bit
+ bit = 0;
+ while ((found != 1) && (bit < 32)) {
+ mask += ( 1 << bit );
+ curr_password = orig_password & mask;
+ // if updated mask didn't change the password, don't try it again
+ if (prev_password == curr_password) {
+ bit++;
+ continue;
+ }
+ found = tryOnePassword(curr_password);
+ if (found == 1)
+ goto done;
+ else if (found == -1)
+ return 0;
+ bit++;
+ prev_password=curr_password;
+ }
+
+ // from high bit to low
+ bit = 0;
+ mask = 0xffffffff;
+ while ((found != 1) && (bit < 32)) {
+ mask -= ( 1 << bit );
+ curr_password = orig_password & mask;
+ // if updated mask didn't change the password, don't try it again
+ if (prev_password == curr_password) {
+ bit++;
+ continue;
+ }
+ found = tryOnePassword(curr_password);
+ if (found == 1)
+ goto done;
+ else if (found == -1)
+ return 0;
+ bit++;
+ prev_password=curr_password;
+ }
+done:
+ PrintAndLog("");
+
+ if (found == 1)
+ PrintAndLog("Found valid password: [%08x]", curr_password);
+ else
+ PrintAndLog("Password NOT found.");
+
+ return 0;
+}
+
static command_t CommandTable[] = {
{"help", CmdHelp, 1, "This help"},
- {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
+ {"bruteforce", CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
{"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},
{"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
{"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
{"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
{"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
+ {"recoverpw", CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},
{"special", special, 0, "Show block changes with 64 different offsets"},
{"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
{"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},