]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfhid.c
02c2fdb789af32ea7ef948b4ea13c81987987add
[proxmark3-svn] / client / cmdlfhid.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency HID commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include "proxmark3.h"
14 #include "ui.h"
15 #include "graph.h"
16 #include "cmdparser.h"
17 #include "cmdlfhid.h"
18 #include "util.h"
19 #include "cmdmain.h"
20 #include "sleep.h"
21
22 static int CmdHelp(const char *Cmd);
23
24 int usage_lf_hid_wiegand(void){
25 PrintAndLog("Usage: lf hid wiegand [h] [oem] [FacilityCode] [cardnumber]");
26 PrintAndLog("This command converts FC/Cardnum to wiegand code");
27 PrintAndLog("Options:");
28 PrintAndLog(" h - This help");
29 PrintAndLog(" oem - Oem number");
30 PrintAndLog(" facilitynum - Facility number");
31 PrintAndLog(" cardnum - Card number");
32 PrintAndLog("Examples:");
33 PrintAndLog(" lf hid wiegand 0 101 2001");
34 return 0;
35 }
36 int usage_lf_hid_brute(void){
37 PrintAndLog("Enables bruteforce of HID readers with specified facility-code.");
38 PrintAndLog("Different formatlength is supported");
39 PrintAndLog("This is a incremental attack against reader.");
40 PrintAndLog("");
41 PrintAndLog("Usage: lf hid brute <formatlength> <Facility-Code>");
42 PrintAndLog("Options :");
43 PrintAndLog(" <formatlength> : 26|33|34|35|37|40|44|84 ");
44 PrintAndLog(" <Facility-Code> : 8-bit value HID facility code");
45 PrintAndLog("");
46 PrintAndLog("Sample : lf hid brute 26 224");
47 return 0;
48 }
49 /*
50 int CmdHIDDemod(const char *Cmd)
51 {
52 if (GraphTraceLen < 4800) {
53 PrintAndLog("too short; need at least 4800 samples");
54 return 0;
55 }
56
57 GraphTraceLen = 4800;
58 for (int i = 0; i < GraphTraceLen; ++i) {
59 if (GraphBuffer[i] < 0) {
60 GraphBuffer[i] = 0;
61 } else {
62 GraphBuffer[i] = 1;
63 }
64 }
65 RepaintGraphWindow();
66 return 0;
67 }
68 */
69 int CmdHIDDemodFSK(const char *Cmd) {
70 int findone = ( Cmd[0] == '1' ) ? 1 : 0;
71 UsbCommand c = {CMD_HID_DEMOD_FSK, {findone, 0 , 0}};
72 clearCommandBuffer();
73 SendCommand(&c);
74 return 0;
75 }
76
77 int CmdHIDSim(const char *Cmd) {
78 unsigned int hi = 0, lo = 0;
79 int n = 0, i = 0;
80
81 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
82 hi = (hi << 4) | (lo >> 28);
83 lo = (lo << 4) | (n & 0xf);
84 }
85
86 PrintAndLog("Emulating tag with ID %x%16x", hi, lo);
87 PrintAndLog("Press pm3-button to abort simulation");
88
89 UsbCommand c = {CMD_HID_SIM_TAG, {hi, lo, 0}};
90 clearCommandBuffer();
91 SendCommand(&c);
92 return 0;
93 }
94
95 int CmdHIDClone(const char *Cmd) {
96 unsigned int hi2 = 0, hi = 0, lo = 0;
97 int n = 0, i = 0;
98 UsbCommand c;
99
100 if (strchr(Cmd,'l') != 0) {
101 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
102 hi2 = (hi2 << 4) | (hi >> 28);
103 hi = (hi << 4) | (lo >> 28);
104 lo = (lo << 4) | (n & 0xf);
105 }
106
107 PrintAndLog("Cloning tag with long ID %x%08x%08x", hi2, hi, lo);
108
109 c.d.asBytes[0] = 1;
110 } else {
111 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
112 hi = (hi << 4) | (lo >> 28);
113 lo = (lo << 4) | (n & 0xf);
114 }
115
116 PrintAndLog("Cloning tag with ID %x%08x", hi, lo);
117
118 hi2 = 0;
119 c.d.asBytes[0] = 0;
120 }
121
122 c.cmd = CMD_HID_CLONE_TAG;
123 c.arg[0] = hi2;
124 c.arg[1] = hi;
125 c.arg[2] = lo;
126
127 clearCommandBuffer();
128 SendCommand(&c);
129 return 0;
130 }
131
132 static void getParity26(uint32_t *hi, uint32_t *lo){
133 uint32_t result = 0;
134 int i;
135 // even parity
136 for (i = 24;i >= 13;i--)
137 result ^= (*lo >> i) & 1;
138 // even parity 26th bit
139 *lo |= result << 25;
140
141 // odd parity
142 result = 0;
143 for (i = 12;i >= 1;i--)
144 result ^= (*lo >> i) & 1;
145 *lo |= !result;
146 }
147 static void getParity33(uint32_t *hi, uint32_t *lo){
148
149 }
150 static void getParity34(uint32_t *hi, uint32_t *lo){
151 uint32_t result = 0;
152 int i;
153
154 // even parity
155 for (i = 7;i >= 0;i--)
156 result ^= (*hi >> i) & i;
157 for (i = 31;i >= 24;i--)
158 result ^= (*lo >> i) & 1;
159
160 *hi |= result << 2;
161
162 // odd parity bit
163 result = 0;
164 for (i = 23;i >= 1;i--)
165 result ^= (*lo >> i) & 1;
166
167 *lo |= !result;
168 }
169 static void getParity35(uint32_t *hi, uint32_t *lo){
170 *hi = *hi;
171 }
172 static void getParity37S(uint32_t *hi,uint32_t *lo){
173 uint32_t result = 0;
174 uint8_t i;
175
176 // even parity
177 for (i = 4; i >= 0; i--)
178 result ^= (*hi >> i) & 1;
179
180 for (i = 31; i >= 20; i--)
181 result ^= (*lo >> i) & 1;
182
183 *hi |= result;
184
185 // odd parity
186 result = 0;
187 for (i = 19; i >= 1; i--)
188 result ^= (*lo >> i) & 1;
189
190 *lo |= result;
191 }
192 static void getParity37H(uint32_t *hi, uint32_t *lo){
193 uint32_t result = 0;
194 int i;
195
196 // even parity
197 for (i = 4;i >= 0;i--)
198 result ^= (*hi >> i) & 1;
199 for (i = 31;i >= 20;i--)
200 result ^= (*lo >> i) & 1;
201 *hi |= result << 4;
202
203 // odd parity
204 result = 0;
205 for (i = 19;i >= 1;i--)
206 result ^= (*lo >> i) & 1;
207 *lo |= result;
208 }
209
210 static void calc26(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
211 *lo = ((cardno & 0xFFFF) << 1) | ((fc & 0xFF) << 17) | (1 << 26);
212 *hi = (1 << 5);
213 }
214 static void calc33(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
215
216 }
217 static void calc34(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
218 // put card number first bit 1 .. 20 //
219 *lo = ((cardno & 0X000F7FFF) << 1) | ((fc & 0XFFFF) << 17);
220 // set bit format for less than 37 bit format
221 *hi = (1 << 5) | (fc >> 15);
222 }
223 static void calc35(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
224 *lo = ((cardno & 0xFFFFF) << 1) | fc << 21;
225 *hi = (1 << 5) | ((fc >> 11) & 1);
226 }
227 static void calc37S(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
228 // FC 2 - 17 - 16 bit
229 // cardno 18 - 36 - 19 bit
230 // Even P1 1 - 19
231 // Odd P37 19 - 36
232
233 fc = fc & 0xFFFF;
234 *lo = ((fc << 20) | (cardno & 0x7FFFF) << 1);
235 *hi = (fc >> 12);
236 }
237 static void calc37H(uint64_t cardno, uint32_t *hi, uint32_t *lo){
238 // SC NONE
239 // cardno 1-35 34 bits
240 // Even Parity 0th bit 1-18
241 // Odd Parity 36th bit 19-35
242 cardno = (cardno & 0x00000003FFFFFFFF);
243 *lo = (cardno << 1);
244 *hi = (cardno >> 31);
245 }
246 static void calc40(uint64_t cardno, uint32_t *hi, uint32_t *lo){
247 cardno = (cardno & 0xFFFFFFFFFF);
248 *lo = ((cardno & 0xFFFFFFFF) << 1 );
249 *hi = (cardno >> 31);
250 }
251
252 static void calcWiegand(uint8_t fmtlen, uint16_t fc, uint64_t cardno, uint32_t *hi, uint32_t *lo){
253
254 uint32_t cn = (cardno & 0xFFFFFFFF);
255 switch ( fmtlen ) {
256 case 26 : {
257 calc26(fc, cn, hi, lo);
258 getParity26(hi, lo);
259 break;
260 }
261 case 33 : {
262 calc33(fc, cn, hi, lo);
263 getParity33(hi, lo);
264 break;
265 }
266 case 34 : {
267 calc34(fc, cn, hi, lo);
268 getParity34(hi, lo);
269 break;
270 }
271 case 35 : {
272 calc35(fc, cn, hi, lo);
273 getParity35(hi, lo);
274 break;
275 }
276 case 37 : {
277 calc37S(fc, cn, hi, lo);
278 getParity37S(hi, lo);
279 break;
280 }
281 case 38 : {
282 calc37H(cn, hi, lo);
283 getParity37H(hi, lo);
284 break;
285 }
286 case 40 : calc40(cardno, hi, lo); break;
287 case 44 : { break; }
288 case 84 : { break; }
289 }
290 }
291
292 int CmdHIDWiegand(const char *Cmd) {
293 uint32_t oem;
294 uint32_t fc, lo = 0, hi = 0;
295 uint64_t cardnum = 0;
296
297 uint8_t ctmp = param_getchar(Cmd, 0);
298 if ( strlen(Cmd) < 0 || strlen(Cmd) < 3 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_hid_wiegand();
299
300 oem = param_get8(Cmd, 0);
301 fc = param_get32ex(Cmd, 1, 0, 10);
302 cardnum = param_get64ex(Cmd, 2, 0, 10);
303
304 uint8_t ftmlen[] = {26,33,34,35,37,38,40};
305 for (uint8_t i = 0; i < sizeof(ftmlen); i++){
306 calcWiegand( ftmlen[i], fc, cardnum, &hi, &lo);
307 PrintAndLog("HID %d bit | FC: %d CN: %llu | Wiegand Code: %08X%08X", ftmlen[i], fc, cardnum, hi, lo);
308 }
309 return 0;
310 }
311
312 int CmdHIDBrute(const char *Cmd){
313
314 bool error = FALSE;
315 uint8_t fc = 0, fmtlen = 0;
316 uint32_t hi = 0, lo = 0;
317
318 UsbCommand c = {CMD_HID_SIM_TAG, {0, 0, 0}};
319
320 char cmdp = param_getchar(Cmd, 0);
321 if (strlen(Cmd) > 2 || strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_hid_brute();
322
323 fmtlen = param_get8(Cmd, 0);
324 switch(fmtlen){
325 case 26:
326 case 33:
327 case 34:
328 case 35:
329 case 37: {
330 error = FALSE;
331 break;
332 }
333 default: {
334 error = TRUE;
335 break;
336 }
337 }
338 if ( error ) return usage_lf_hid_brute();
339
340 fc = param_get8(Cmd, 1);
341 if ( fc == 0) return usage_lf_hid_brute();
342
343 PrintAndLog("Bruteforceing HID Reader");
344 PrintAndLog("Press pm3-button to abort simulation or run another command");
345
346 for ( uint16_t cn = 1; cn < 0xFFFF; ++cn){
347 if (ukbhit()) {
348 PrintAndLog("aborted via keyboard!");
349 c.cmd = CMD_PING;
350 c.arg[0] = 0x00;
351 c.arg[1] = 0x00;
352 c.arg[2] = 0x00;
353 clearCommandBuffer();
354 SendCommand(&c);
355 return 1;
356 }
357
358 calcWiegand( fmtlen, fc, cn, &hi, &lo);
359
360 c.arg[0] = hi;
361 c.arg[1] = lo;
362 clearCommandBuffer();
363 SendCommand(&c);
364
365 PrintAndLog("Trying FC: %u; CN: %u", fc, cn);
366 // pause
367 sleep(1);
368 }
369 return 0;
370 }
371
372 static command_t CommandTable[] = {
373 {"help", CmdHelp, 1, "This help"},
374 //{"demod", CmdHIDDemod, 1, "Demodulate HID Prox Card II (not optimal)"},
375 {"fskdemod", CmdHIDDemodFSK, 0, "['1'] Realtime HID FSK demodulator (option '1' for one tag only)"},
376 {"sim", CmdHIDSim, 0, "<ID> -- HID tag simulator"},
377 {"clone", CmdHIDClone, 0, "<ID> ['l'] -- Clone HID to T55x7 (tag must be in antenna)(option 'l' for 84bit ID)"},
378 {"wiegand", CmdHIDWiegand, 1, "<oem> <fmtlen> <fc> <cardnum> -- convert facilitycode, cardnumber to Wiegand code"},
379 {NULL, NULL, 0, NULL}
380 };
381
382 int CmdLFHID(const char *Cmd) {
383 CmdsParse(CommandTable, Cmd);
384 return 0;
385 }
386
387 int CmdHelp(const char *Cmd) {
388 CmdsHelp(CommandTable);
389 return 0;
390 }
Impressum, Datenschutz