X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/7f0d5926362d50ed01ea04af95a1e03777fce47c..2378bb24c3d4ce21d71b4ab5739c58a9979b8b69:/client/cmdlfpcf7931.c diff --git a/client/cmdlfpcf7931.c b/client/cmdlfpcf7931.c index ffaf946f..9882da5f 100644 --- a/client/cmdlfpcf7931.c +++ b/client/cmdlfpcf7931.c @@ -1,6 +1,7 @@ //----------------------------------------------------------------------------- // Copyright (C) 2012 Chalk // 2015 Dake +// 2018 sguerrini97 // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -8,9 +9,12 @@ //----------------------------------------------------------------------------- // Low frequency PCF7931 commands //----------------------------------------------------------------------------- + +#include "cmdlfpcf7931.h" + #include #include -#include "proxmark3.h" +#include "comms.h" #include "ui.h" #include "util.h" #include "graph.h" @@ -18,7 +22,6 @@ #include "cmddata.h" #include "cmdmain.h" #include "cmdlf.h" -#include "cmdlfpcf7931.h" static int CmdHelp(const char *Cmd); @@ -74,6 +77,21 @@ int usage_pcf7931_write(){ return 0; } +int usage_pcf7931_bruteforce() +{ + PrintAndLog("Usage: lf pcf7931 bruteforce [h] "); + PrintAndLog("This command tries to disable PAC of a PCF7931 transponder by bruteforcing the password."); + PrintAndLog("!! THIS IS NOT INTENDED TO RECOVER THE FULL PASSWORD !!"); + PrintAndLog("!! DO NOT USE UNLESS THE FIRST 5 BYTES OF THE PASSWORD ARE KNOWN !!"); + PrintAndLog("Options:"); + PrintAndLog(" h This help"); + PrintAndLog(" start password hex password to start from"); + PrintAndLog(" tries How many times to send the same data frame"); + PrintAndLog("Examples:"); + PrintAndLog(" lf pcf7931 bruteforce 00000000123456 3"); + return 0; +} + int usage_pcf7931_config(){ PrintAndLog("Usage: lf pcf7931 config [h] [r] "); PrintAndLog("This command tries to set the configuration used with PCF7931 commands"); @@ -157,12 +175,47 @@ int CmdLFPCF7931Write(const char *Cmd){ return 0; } +int CmdLFPCF7931BruteForce(const char *Cmd){ + + uint8_t ctmp = param_getchar(Cmd, 0); + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_bruteforce(); + + uint64_t start_password = 0; + uint8_t tries = 3; + + if (param_gethex(Cmd, 0, (uint8_t*)(&start_password), 14)) return usage_pcf7931_bruteforce(); + if (param_getdec(Cmd, 1, &tries)) return usage_pcf7931_bruteforce(); + + PrintAndLog("Bruteforcing from password: %02x %02x %02x %02x %02x %02x %02x", + start_password & 0xFF, + (start_password >> 8) & 0xFF, + (start_password >> 16) & 0xFF, + (start_password >> 24) & 0xFF, + (start_password >> 32) & 0xFF, + (start_password >> 48) & 0xFF, + (start_password >> 56) & 0xFF); + + PrintAndLog("Trying each password %d times", tries); + + UsbCommand c = {CMD_PCF7931_BRUTEFORCE, {start_password, tries} }; + + c.d.asDwords[7] = (configPcf.OffsetWidth + 128); + c.d.asDwords[8] = (configPcf.OffsetPosition + 128); + c.d.asDwords[9] = configPcf.InitDelay; + + clearCommandBuffer(); + SendCommand(&c); + //no ack? + return 0; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, {"read", CmdLFPCF7931Read, 0, "Read content of a PCF7931 transponder"}, {"write", CmdLFPCF7931Write, 0, "Write data on a PCF7931 transponder."}, {"config", CmdLFPCF7931Config, 1, "Configure the password, the tags initialization delay and time offsets (optional)"}, + {"bruteforce", CmdLFPCF7931BruteForce, 0, "Bruteforce a PCF7931 transponder password."}, {NULL, NULL, 0, NULL} };