Merge pull request #15 from alexgrin/iceman_master

Adding a 'recoverpw' command for T55xx to try to recover corrupt pass…

diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index bc30d7e3b18546192c2a04bb068d16212b33983d..6ddd84b11de169b96045c9a656b03a05df762e94 100644 (file)
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -164,7 +164,22 @@ int usage_t55xx_bruteforce(){
     PrintAndLog("");\r
     return 0;\r
 }\r
-int usage_t55xx_wipe(){\r
+int usage_t55xx_recoverpw(){\r
+       PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+       PrintAndLog("WARNING: this may brick non-password protected chips!");\r
+       PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
+       PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("       default password is 51243648, used by many cloners");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h           - this help");\r
+       PrintAndLog("     [password] - 4 byte hex value of password written by cloner");\r
+       PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+       PrintAndLog("       lf t55xx recoverpw");\r
+       PrintAndLog("       lf t55xx recoverpw 51243648");\r
+       PrintAndLog("");\r
+       return 0;\r
+}int usage_t55xx_wipe(){\r
        PrintAndLog("Usage:  lf t55xx wipe [h] [Q5]");\r
        PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
        PrintAndLog("Options:");\r
@@ -1549,6 +1564,96 @@ int CmdT55xxBruteForce(const char *Cmd) {
     return 0;\r
 }\r
 \r
+int tryOnePassword(uint32_t password)\r
+{\r
+       PrintAndLog("Trying password %08x", password);\r
+       if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+               PrintAndLog("Aquireing data from device failed. Quitting");\r
+               return -1;\r
+       }\r
+\r
+       if (tryDetectModulation())\r
+               return 1;\r
+       else return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+       int bit = 0;\r
+       uint32_t orig_password = 0x0;\r
+       uint32_t curr_password = 0x0;\r
+       uint32_t prev_password = 0xffffffff;\r
+       uint32_t mask = 0x0;\r
+       int found = 0;\r
+\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+       orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+       // first try fliping each bit in the expected password\r
+       while ((found != 1) && (bit < 32)) {\r
+               curr_password = orig_password ^ ( 1 << bit );\r
+               found = tryOnePassword(curr_password);\r
+               if (found == 1)\r
+                       goto done;\r
+               else if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+       }\r
+\r
+       // now try to use partial original password, since block 7 should have been completely\r
+       // erased during the write sequence and it is possible that only partial password has been\r
+       // written\r
+       // not sure from which end the bit bits are written, so try from both ends \r
+       // from low bit to high bit\r
+       bit = 0;\r
+       while ((found != 1) && (bit < 32)) {\r
+               mask += ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == 1)\r
+                       goto done;\r
+               else if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+               prev_password=curr_password;\r
+       }\r
+\r
+       // from high bit to low\r
+       bit = 0;\r
+       mask = 0xffffffff;\r
+       while ((found != 1) && (bit < 32)) {\r
+               mask -= ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == 1)\r
+                       goto done;\r
+               else if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+               prev_password=curr_password;\r
+       }\r
+done:\r
+       PrintAndLog("");\r
+\r
+       if (found == 1)\r
+               PrintAndLog("Found valid password: [%08x]", curr_password);\r
+       else\r
+               PrintAndLog("Password NOT found.");\r
+\r
+       return 0;\r
+}\r
+\r
 static command_t CommandTable[] = {\r
        {"help",                CmdHelp,           1, "This help"},\r
        {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
@@ -1558,6 +1663,7 @@ static command_t CommandTable[] = {
        {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
        {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
        {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+       {"recoverpw",   CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},\r
        {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
        {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
        {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r