X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/6426f6ba86c8a2d3e390fab1ced35223a92d8647..8ce3e4b4e937f2e3b2fda5b0d5d2c6bd9c6b3ebc:/client/cmdlft55xx.c diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 31958eea..92e6f745 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -126,13 +126,15 @@ int usage_t55xx_dump(){ return 0; } int usage_t55xx_detect(){ - PrintAndLog("Usage: lf t55xx detect [1]"); + PrintAndLog("Usage: lf t55xx detect [1] [p ]"); PrintAndLog("Options:"); - PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" p - OPTIONAL password (8 hex characters)"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx detect"); PrintAndLog(" lf t55xx detect 1"); + PrintAndLog(" lf t55xx detect p 11223344"); PrintAndLog(""); return 0; } @@ -147,6 +149,19 @@ int usage_t55xx_wakup(){ PrintAndLog(" lf t55xx wakeup p 11223344 - send wakeup password"); return 0; } +int usage_t55xx_bruteforce(){ + PrintAndLog("Usage: lf t55xx bruteforce [i <*.dic>]"); + PrintAndLog(" password must be 4 bytes (8 hex symbols)"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb"); + PrintAndLog(" lf t55xx bruteforce i mykeys.dic"); + PrintAndLog(""); + return 0; +} static int CmdHelp(const char *Cmd); 
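Review bot: The usage line in the new usage_t55xx_bruteforce documents only the dictionary form, `lf t55xx bruteforce [i <*.dic>]`, while the second example `lf t55xx bruteforce aaaaaaaa bbbbbbbb` and the range parsing CmdT55xxBruteForce does later in this diff rely on a start/end form that is never described; suggest `PrintAndLog("Usage: lf t55xx bruteforce [h] [i <*.dic>] | <start_pwd> <end_pwd>");` plus an option line `PrintAndLog(" <start_pwd> <end_pwd> - search the inclusive range of 8 hex digit passwords");`. In usage_t55xx_detect the new usage line reads `[p ]` with no argument name; if a `<password>` placeholder was stripped by the page rendering this is fine, otherwise it should be `[p <password>]` to match the option line below it.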
@@ -397,28 +412,41 @@ bool DecodeT55xxBlock(){ int CmdT55xxDetect(const char *Cmd){ - //bool override = false; - //bool pwdmode = false; + bool errors = FALSE; + bool useGB = FALSE; + bool usepwd = FALSE; + uint32_t password = 0; + uint8_t cmdp = 0; - uint32_t password = 0; //default to blank Block 7 - bool usepwd = ( strlen(Cmd) > 0); - if ( usepwd ){ - password = param_get32ex(Cmd, 0, 0, 16); - // if (param_getchar(Cmd, 1) =='o' ) - // override = true; + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_t55xx_detect(); + case 'p': + case 'P': + password = param_get32ex(Cmd, cmdp+1, 0, 16); + usepwd = TRUE; + cmdp += 2; + break; + case '1': + // use Graphbuffer data + useGB = TRUE; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } } - - char cmdp = param_getchar(Cmd, 0); - if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect(); + if (errors) return usage_t55xx_detect(); - if (strlen(Cmd)==0) { - password = param_get32ex(Cmd, 0, 0, 16); - //if (param_getchar(Cmd, 1) =='o' ) override = true; + if ( !useGB) { + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) ) + return 0; } - - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) ) - return 0; - + if ( !tryDetectModulation() ) PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'"); 
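Review bot: In the new `case 'p':` branch nothing checks that a value actually follows the flag; `param_get32ex(Cmd, cmdp+1, 0, 16)` is called with a default of 0, so `lf t55xx detect p` silently proceeds with usepwd set and password 0 instead of reporting the missing argument. Since the loop condition already treats a 0 return from param_getchar as end of input, a guard such as `if (param_getchar(Cmd, cmdp+1) == 0) { errors = TRUE; break; }` before the assignment would route that case to the usage text like any other malformed input. The same switch mixes `errors = true;` with the `TRUE`/`FALSE` macros used on every other line of the function; pick one. CmdT55xxDetect's body continues past the end of the hunk.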
@@ -461,14 +489,14 @@ bool tryDetectModulation(){ } else { clk = GetAskClock("", FALSE, FALSE); if (clk>0) { - if ( ASKDemod("0 0 1", TRUE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; tests[hits].inverted = FALSE; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); ++hits; } - if ( ASKDemod("0 1 1", TRUE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( ASKDemod("0 1 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; tests[hits].inverted = TRUE; @@ -862,19 +890,21 @@ int CmdT55xxWriteBlock(const char *Cmd) { UsbCommand resp; c.d.asBytes[0] = (page1) ? 0x2 : 0; - PrintAndLog("Writing to page: %d block: %d data : 0x%08X", page1, block, data); + char pwdStr[16] = {0}; + snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password); + + PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" ); //Password mode if (usepwd) { c.arg[2] = password; c.d.asBytes[0] |= 0x1; - PrintAndLog("pwd : 0x%08X", password); } clearCommandBuffer(); SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)"); - return 0; + return 0; } return 1; } 
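Review bot: `char pwdStr[16]` in CmdT55xxWriteBlock is sized to the byte for `"pwd: 0x%08X"` (7 characters, 8 hex digits, NUL), so any later widening of that format string would be silently truncated by snprintf; either give it a margin, `char pwdStr[32] = {0};`, or state the sizing next to it, `// "pwd: 0x" + 8 hex digits + NUL = 16`, so the coupling is visible. The combined line still echoes the tag password into PrintAndLog output (the removed separate `pwd :` line did the same); if that output is persisted anywhere — I cannot tell from this hunk — a one-line comment saying the echo is intentional would help the next reader. The head of CmdT55xxWriteBlock is outside the hunk.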
@@ -1230,26 +1260,24 @@ char * GetSelectedModulationStr( uint8_t id){ } void t55x7_create_config_block( int tagtype ){ - //switch? - - -} -/* -uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){ + /* + T55X7_DEFAULT_CONFIG_BLOCK, T55X7_RAW_CONFIG_BLOCK + T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK, + T55X7_FDXB_CONFIG_BLOCK, T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK, T55X7_INDALA_224_CONFIG_BLOCK + T55X7_GUARDPROXII_CONFIG_BLOCK, T55X7_VIKING_CONFIG_BLOCK, T55X7_NORALYS_CONFIG_BLOCK, T55X7_IOPROX_CONFIG_BLOCK + */ + static char buf[60]; + char *retStr = buf; - int i = start; - int j = len-1; - - if (len > 32) return 0; - - uint32_t tmp = 0; - for (; j >= 0; --j, ++i) - tmp |= bits[i] << j; - - return tmp; + switch (tagtype){ + case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break; + case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break; + default: + break; + } + PrintAndLog(buf); } -*/ int CmdResetRead(const char *Cmd) { UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}}; 
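Review bot: `PrintAndLog(buf);` at the end of t55x7_create_config_block passes a non-literal buffer as the format string; the two snprintf outputs contain no `%` today, so it works, but it is the classic format-string hazard and should be `PrintAndLog("%s", buf);`. Because `buf` is `static` and the `default:` branch writes nothing, an unknown tagtype prints whatever the previous call left in the buffer (an empty line on the first call); dropping `static`, initialising with `char buf[60] = {0};`, and either printing a message in `default:` or returning before the print makes the result deterministic. `retStr` is only an alias for `buf` and can be removed.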
@@ -1271,48 +1299,192 @@ int CmdResetRead(const char *Cmd) { int CmdT55xxWipe(const char *Cmd) { char writeData[20] = {0}; char *ptrData = writeData; - uint8_t blk = 0; + PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n"); + //try with the default password to reset block 0 (with a pwd should work even if pwd bit not set) - snprintf(ptrData,sizeof(writeData),"b %d d 00088040 p 0", blk); - if (!CmdT55xxWriteBlock(ptrData)){ - PrintAndLog("Error writing blk %d", blk); - } - blk = 1; - for (; blk<8; blk++) { + snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0"); + + if (!CmdT55xxWriteBlock(ptrData)) + PrintAndLog("Error writing blk 0"); + + for (uint8_t blk = 1; blk<8; blk++) { + snprintf(ptrData,sizeof(writeData),"b %d d 0", blk); - if (!CmdT55xxWriteBlock(ptrData)){ + + if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk %d", blk); - } + + memset(writeData, sizeof(writeData), 0x00); } return 0; } -static command_t CommandTable[] = -{ - {"help", CmdHelp, 1, "This help"}, - {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, - {"detect", CmdT55xxDetect, 0, "[1] Try detecting the tag modulation from reading the configuration block."}, - {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"}, - {"resetread",CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"}, - {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"}, - {"trace", CmdT55xxReadTrace, 0, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"}, - {"info", CmdT55xxInfo, 0, "[1] Show T55x7 configuration data (page 0/ blk 0)"}, - {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. 
Optional [password], [override]"}, - {"special", special, 0, "Show block changes with 64 different offsets"}, - {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"}, - {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"}, - {NULL, NULL, 0, NULL} +int CmdT55xxBruteForce(const char *Cmd) { + + // load a default pwd file. + char buf[9]; + char filename[FILE_PATH_SIZE]={0}; + int keycnt = 0; + uint8_t stKeyBlock = 20; + uint8_t *keyBlock = NULL, *p; + keyBlock = calloc(stKeyBlock, 6); + if (keyBlock == NULL) return 1; + + uint32_t start_password = 0x00000000; //start password + uint32_t end_password = 0xFFFFFFFF; //end password + bool found = false; + + char cmdp = param_getchar(Cmd, 0); + if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce(); + + if (cmdp == 'i' || cmdp == 'I') { + + int len = strlen(Cmd+2); + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + memcpy(filename, Cmd+2, len); + + FILE * f = fopen( filename , "r"); + + if ( !f ) { + PrintAndLog("File: %s: not found or locked.", filename); + free(keyBlock); + return 1; + } + + while( fgets(buf, sizeof(buf), f) ){ + if (strlen(buf) < 8 || buf[7] == '\n') continue; + + while (fgetc(f) != '\n' && !feof(f)) ; //goto next line + + //The line start with # is comment, skip + if( buf[0]=='#' ) continue; + + if (!isxdigit(buf[0])){ + PrintAndLog("File content error. 
'%s' must include 8 HEX symbols", buf); + continue; + } + + buf[8] = 0; + + if ( stKeyBlock - keycnt < 2) { + p = realloc(keyBlock, 6*(stKeyBlock+=10)); + if (!p) { + PrintAndLog("Cannot allocate memory for defaultKeys"); + free(keyBlock); + return 2; + } + keyBlock = p; + } + memset(keyBlock + 4 * keycnt, 0, 4); + num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt); + PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4)); + keycnt++; + memset(buf, 0, sizeof(buf)); + } + fclose(f); + + if (keycnt == 0) { + PrintAndLog("No keys found in file"); + return 1; + } + PrintAndLog("Loaded %d keys", keycnt); + + // loop + uint64_t testpwd = 0x00; + for (uint16_t c = 0; c < keycnt; ++c ) { + + if (ukbhit()) { + getchar(); + printf("\naborted via keyboard!\n"); + return 0; + } + + testpwd = bytes_to_num(keyBlock + 4*c, 4); + + PrintAndLog("Testing %08X", testpwd); + + + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) { + PrintAndLog("Aquireing data from device failed. Quitting"); + return 0; + } + + found = tryDetectModulation(); + + if ( found ) { + PrintAndLog("Found valid password: [%08X]", testpwd); + return 0; + } + } + PrintAndLog("Password NOT found."); + return 0; + } + + // Try to read Block 7, first :) + + // incremental pwd range search + start_password = param_get32ex(Cmd, 0, 0, 16); + end_password = param_get32ex(Cmd, 1, 0, 16); + + if ( start_password >= end_password ) return usage_t55xx_bruteforce(); + + PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password); + + uint32_t i = start_password; + + while ((!found) && (i <= end_password)){ + + printf("."); + fflush(stdout); + if (ukbhit()) { + getchar(); + printf("\naborted via keyboard!\n"); + return 0; + } + + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) { + PrintAndLog("Aquireing data from device failed. 
Quitting"); + return 0; + } + found = tryDetectModulation(); + + if (found) break; + i++; + } + + PrintAndLog(""); + + if (found) + PrintAndLog("Found valid password: [%08x]", i); + else + PrintAndLog("Password NOT found. Last tried: [%08x]", --i); + return 0; +} + +static command_t CommandTable[] = { + {"help", CmdHelp, 1, "This help"}, + {"bruteforce", CmdT55xxBruteForce,0, "Simple bruteforce attack to find password"}, + {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, + {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."}, + {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"}, + {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"}, + {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"}, + {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"}, + {"special", special, 0, "Show block changes with 64 different offsets"}, + {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"}, + {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"}, + {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"}, + {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"}, + {NULL, NULL, 0, NULL} }; -int CmdLFT55XX(const char *Cmd) -{ +int CmdLFT55XX(const char *Cmd) { CmdsParse(CommandTable, Cmd); return 0; } -int CmdHelp(const char *Cmd) -{ +int CmdHelp(const char *Cmd) { CmdsHelp(CommandTable); return 0; }
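Review bot: The `memset(writeData, sizeof(writeData), 0x00);` added at the end of the loop in CmdT55xxWipe has its arguments swapped — memset takes (dst, value, count), so this call clears zero bytes; it should be `memset(writeData, 0x00, sizeof(writeData));`. In CmdT55xxBruteForce the filename copy allows `len == FILE_PATH_SIZE`, which fills `filename` completely and leaves no terminating NUL for fopen; clamp with `if (len > FILE_PATH_SIZE - 1) len = FILE_PATH_SIZE - 1;`, and check that `Cmd` has a second character before forming `Cmd+2`, since `strlen(Cmd+2)` reads past the terminator when the argument is just `i`. `keyBlock` is freed only on the fopen and realloc failure paths — the help return, the `keycnt == 0` return, the keyboard aborts, the found/not-found returns and the entire range-search path all leak it, so a single cleanup label with `free(keyBlock)` that every return goes through is warranted. `testpwd` is a `uint64_t` but is printed with `%08X`, which expects an `unsigned int`; declare it `uint32_t` (bytes_to_num is only asked for 4 bytes here) or print it with `PRIx64`. In the range search, `while ((!found) && (i <= end_password))` with `uint32_t i` cannot terminate on its own when `end_password == 0xFFFFFFFF` because `i++` wraps to 0; break out when `i == end_password` before incrementing instead of relying on the comparison.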