]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfhid.c
projects / proxmark3-svn / blob
? search:


3abbfdec030187c2f2ec5e2ab11986fc4f266c34
[proxmark3-svn] / client / cmdlfhid.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency HID commands
9 //-----------------------------------------------------------------------------
10
11 #include "cmdlfhid.h"
12
13 static int CmdHelp(const char *Cmd);
14
15 int usage_lf_hid_wiegand(void){
16 PrintAndLog("This command converts facility code/card number to Wiegand code");
17 PrintAndLog("Usage: lf hid wiegand [h] [OEM] [FC] [CN]");
18
19 PrintAndLog("Options:");
20 PrintAndLog(" h - This help");
21 PrintAndLog(" OEM - OEM number / site code");
22 PrintAndLog(" FC - facility code");
23 PrintAndLog(" CN - card number");
24 PrintAndLog("Examples:");
25 PrintAndLog(" lf hid wiegand 0 101 2001");
26 return 0;
27 }
28 int usage_lf_hid_sim(void){
29 PrintAndLog("HID Tag simulator");
30 PrintAndLog("");
31 PrintAndLog("Usage: lf hid sim [h] [ID]");
32 PrintAndLog("Options:");
33 PrintAndLog(" h - This help");
34 PrintAndLog(" ID - HID id");
35 PrintAndLog("Examples:");
36 PrintAndLog(" lf hid sim 224");
37 return 0;
38 }
39 int usage_lf_hid_clone(void){
40 PrintAndLog("Clone HID to T55x7. Tag must be on antenna. ");
41 PrintAndLog("");
42 PrintAndLog("Usage: lf hid clone [h] [ID] <L>");
43 PrintAndLog("Options:");
44 PrintAndLog(" h - This help");
45 PrintAndLog(" ID - HID id");
46 PrintAndLog(" L - 84bit ID");
47 PrintAndLog("Examples:");
48 PrintAndLog(" lf hid clone 224");
49 PrintAndLog(" lf hid clone 224 L");
50 return 0;
51 }
52 int usage_lf_hid_brute(void){
53 PrintAndLog("Enables bruteforce of HID readers with specified facility code.");
54 PrintAndLog("This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step");
55 PrintAndLog("if cardnumber is not given, it starts with 1 and goes up to 65535");
56 PrintAndLog("");
57 PrintAndLog("Usage: lf hid brute [h] a <format> f <facility-code> c <cardnumber> d <delay>");
58 PrintAndLog("Options :");
59 PrintAndLog(" h : This help");
60 PrintAndLog(" a <format> : 26|33|34|35|37|40|44|84");
61 PrintAndLog(" f <facility-code> : 8-bit value HID facility code");
62 PrintAndLog(" c <cardnumber> : (optional) cardnumber to start with, max 65535");
63 PrintAndLog(" d <delay> : delay betweens attempts in ms. Default 1000ms");
64 PrintAndLog("");
65 PrintAndLog("Samples:");
66 PrintAndLog(" lf hid brute a 26 f 224");
67 PrintAndLog(" lf hid brute a 26 f 21 d 2000");
68 PrintAndLog(" lf hid brute a 26 f 21 c 200 d 2000");
69 return 0;
70 }
71
72 static int sendPing(void){
73 UsbCommand ping = {CMD_PING, {1, 2, 3}};
74 SendCommand(&ping);
75 SendCommand(&ping);
76 SendCommand(&ping);
77 clearCommandBuffer();
78 UsbCommand resp;
79 if (WaitForResponseTimeout(CMD_ACK, &resp, 1000))
80 return 0;
81 return 1;
82 }
83 static bool sendTry(uint8_t fmtlen, uint32_t fc, uint32_t cn, uint32_t delay, uint8_t *bs){
84
85 PrintAndLog("Trying FC: %u; CN: %u", fc, cn);
86
87 calcWiegand( fmtlen, fc, cn, bs);
88
89 uint64_t arg1 = bytebits_to_byte(bs,32);
90 uint64_t arg2 = bytebits_to_byte(bs+32,32);
91 UsbCommand c = {CMD_HID_SIM_TAG, {arg1, arg2, 0}};
92 clearCommandBuffer();
93 SendCommand(&c);
94 msleep(delay);
95 sendPing();
96 return TRUE;
97 }
98
99 int CmdHIDDemodFSK(const char *Cmd) {
100 int findone = ( Cmd[0] == '1' ) ? 1 : 0;
101 UsbCommand c = {CMD_HID_DEMOD_FSK, {findone, 0 , 0}};
102 clearCommandBuffer();
103 SendCommand(&c);
104 return 0;
105 }
106
107 int CmdHIDSim(const char *Cmd) {
108 unsigned int hi = 0, lo = 0;
109 int n = 0, i = 0;
110
111 uint8_t ctmp = param_getchar(Cmd, 0);
112 if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_hid_sim();
113
114 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
115 hi = (hi << 4) | (lo >> 28);
116 lo = (lo << 4) | (n & 0xf);
117 }
118
119 PrintAndLog("Emulating tag with ID %x%16x", hi, lo);
120 PrintAndLog("Press pm3-button to abort simulation");
121
122 UsbCommand c = {CMD_HID_SIM_TAG, {hi, lo, 0}};
123 clearCommandBuffer();
124 SendCommand(&c);
125 return 0;
126 }
127
128 int CmdHIDClone(const char *Cmd) {
129
130 uint32_t hi2 = 0, hi = 0, lo = 0;
131 int n = 0, i = 0;
132 UsbCommand c;
133
134 uint8_t ctmp = param_getchar(Cmd, 0);
135 if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_hid_clone();
136
137 if (strchr(Cmd,'l') != 0) {
138 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
139 hi2 = (hi2 << 4) | (hi >> 28);
140 hi = (hi << 4) | (lo >> 28);
141 lo = (lo << 4) | (n & 0xf);
142 }
143
144 PrintAndLog("Cloning tag with long ID %x%08x%08x", hi2, hi, lo);
145
146 c.d.asBytes[0] = 1;
147 } else {
148 while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
149 hi = (hi << 4) | (lo >> 28);
150 lo = (lo << 4) | (n & 0xf);
151 }
152
153 PrintAndLog("Cloning tag with ID %x%08x", hi, lo);
154
155 hi2 = 0;
156 c.d.asBytes[0] = 0;
157 }
158
159 c.cmd = CMD_HID_CLONE_TAG;
160 c.arg[0] = hi2;
161 c.arg[1] = hi;
162 c.arg[2] = lo;
163
164 clearCommandBuffer();
165 SendCommand(&c);
166 return 0;
167 }
168 // struct to handle wiegand
169 typedef struct {
170 uint8_t FormatLen;
171 uint8_t SiteCode;
172 uint8_t FacilityCode;
173 uint8_t CardNumber;
174 uint8_t* Wiegand;
175 size_t Wiegand_n;
176 } wiegand_t;
177
178 static void addHIDMarker(uint8_t fmtlen, uint8_t *out) {
179
180 switch(fmtlen) {
181 case 26:
182 //*out |= (1 << 26); // why this?
183 //*out |= (1 << 37); // bit format for hid?
184 break;
185 case 34:
186 // set bit format for less than 37 bit format
187 // 5+32= 1
188 //*hi = (1 << 5) | (fc >> 15);
189 break;
190 default:break;
191 }
192 }
193
194 // static void getParity34(uint32_t *hi, uint32_t *lo){
195 // uint32_t result = 0;
196 // int i;
197
198 // // even parity
199 // for (i = 7;i >= 0;i--)
200 // result ^= (*hi >> i) & i;
201 // for (i = 31;i >= 24;i--)
202 // result ^= (*lo >> i) & 1;
203
204 // *hi |= result << 2;
205
206 // // odd parity bit
207 // result = 0;
208 // for (i = 23;i >= 1;i--)
209 // result ^= (*lo >> i) & 1;
210
211 // *lo |= !result;
212 // }
213 // static void getParity37H(uint32_t *hi, uint32_t *lo){
214 // uint32_t result = 0;
215 // int i;
216
217 // // even parity
218 // for (i = 4;i >= 0;i--)
219 // result ^= (*hi >> i) & 1;
220 // for (i = 31;i >= 20;i--)
221 // result ^= (*lo >> i) & 1;
222 // *hi |= result << 4;
223
224 // // odd parity
225 // result = 0;
226 // for (i = 19;i >= 1;i--)
227 // result ^= (*lo >> i) & 1;
228 // *lo |= result;
229 // }
230
231 //static void calc26(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
232 static void calc26(uint16_t fc, uint32_t cardno, uint8_t *out){
233 uint8_t wiegand[24];
234 num_to_bytebits(fc, 8, wiegand);
235 num_to_bytebits(cardno, 16, wiegand+8);
236 wiegand_add_parity(out, wiegand, sizeof(wiegand) );
237 }
238 // static void calc33(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
239 // }
240 static void calc34(uint16_t fc, uint32_t cardno, uint8_t *out){
241 uint8_t wiegand[32];
242 num_to_bytebits(fc, 16, wiegand);
243 num_to_bytebits(cardno, 16, wiegand + 16);
244 wiegand_add_parity(out, wiegand, sizeof(wiegand) );
245 }
246 // static void calc35(uint16_t fc, uint32_t cardno, uint32_t *hi, uint32_t *lo){
247 // *lo = ((cardno & 0xFFFFF) << 1) | fc << 21;
248 // *hi = (1 << 5) | ((fc >> 11) & 1);
249 // }
250 static void calc37S(uint16_t fc, uint32_t cardno, uint8_t *out){
251 // FC 2 - 17 - 16 bit
252 // cardno 18 - 36 - 19 bit
253 // Even P1 1 - 19
254 // Odd P37 19 - 36
255 uint8_t wiegand[35];
256 num_to_bytebits(fc, 16, wiegand);
257 num_to_bytebits(cardno, 19, wiegand + 16);
258 wiegand_add_parity(out, wiegand, sizeof(wiegand) );
259 }
260 static void calc37H(uint64_t cardno, uint8_t *out){
261 // SC NONE
262 // cardno 1-35 34 bits
263 // Even Parity 0th bit 1-18
264 // Odd Parity 36th bit 19-35
265 uint8_t wiegand[37];
266 num_to_bytebits( (uint32_t)(cardno >> 32), 2, wiegand);
267 num_to_bytebits( (uint32_t)(cardno >> 0), 32, wiegand + 2);
268 wiegand_add_parity(out, wiegand, sizeof(wiegand) );
269
270 printf("%x %x\n", (uint32_t)(cardno >> 32), (uint32_t)cardno );
271 }
272 // static void calc40(uint64_t cardno, uint32_t *hi, uint32_t *lo){
273 // cardno = (cardno & 0xFFFFFFFFFF);
274 // *lo = ((cardno & 0xFFFFFFFF) << 1 );
275 // *hi = (cardno >> 31);
276 // }
277
278 void calcWiegand(uint8_t fmtlen, uint16_t fc, uint64_t cardno, uint8_t *bits){
279
280 // uint32_t hi = 0, lo = 0;
281 uint32_t cn32 = (cardno & 0xFFFFFFFF);
282 switch ( fmtlen ) {
283 case 26 : {
284 calc26(fc, cn32, bits);
285 //addHIDFormatMarker(fmtlen, bits);
286 break;
287 }
288 // case 33 : {
289 // // calc33(fc, cn32, hi, lo);
290 // // getParity33(hi, lo);
291 // break;
292 // }
293 case 34 : {
294 calc34(fc, cn32, bits);
295 //addHIDFormatMarker(fmtlen, bits);
296 break;
297 }
298 // case 35 : {
299 // calc35(fc, cn32, hi, lo);
300 // getParity35(hi, lo);
301 // break;
302 // }
303 case 37 : {
304 calc37S(fc, cn32, bits);
305 //addHIDFormatMarker(fmtlen, bits);
306 break;
307 }
308 case 38 : {
309 calc37H(cardno, bits);
310 break;
311 }
312 // case 40 : calc40(cardno, hi, lo); break;
313 // case 44 : { break; }
314 // case 84 : { break; }
315 default: break;
316 }
317 }
318
319 int CmdHIDWiegand(const char *Cmd) {
320 uint32_t oem = 0, fc = 0;
321 uint64_t cardnum = 0;
322 uint64_t blocks = 0, wiegand = 0;
323
324 uint8_t bits[96];
325 uint8_t *bs = bits;
326 memset(bs, 0, sizeof(bits));
327
328 uint8_t ctmp = param_getchar(Cmd, 0);
329 if ( strlen(Cmd) == 0 || strlen(Cmd) < 3 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_hid_wiegand();
330
331 oem = param_get8(Cmd, 0);
332 fc = param_get32ex(Cmd, 1, 0, 10);
333 cardnum = param_get64ex(Cmd, 2, 0, 10);
334
335 uint8_t fmtlen[] = {26,33,34,35,37,38,40};
336
337 PrintAndLog("HID | OEM | FC | CN | Wiegand | HID Formatted");
338 PrintAndLog("----+-----+------+---------+-----------+--------------------");
339 for (uint8_t i = 0; i < sizeof(fmtlen); i++){
340 memset(bits, 0x00, sizeof(bits));
341 calcWiegand( fmtlen[i], fc, cardnum, bs);
342 wiegand = (uint64_t)bytebits_to_byte(bs, 32) << 32 | bytebits_to_byte(bs+32, 32);
343 blocks = (uint64_t)bytebits_to_byte(bs, 32) << 32 | bytebits_to_byte(bs+32, 32);
344 uint8_t shifts = 64-fmtlen[i];
345 wiegand >>= shifts;
346
347 PrintAndLog(" %u | %03u | %03u | %llu | %llX | %llX",
348 fmtlen[i],
349 oem,
350 fc,
351 cardnum,
352 wiegand,
353 blocks
354 );
355 }
356 PrintAndLog("----+-----+-----+-------+-----------+--------------------");
357 return 0;
358 }
359
360 int CmdHIDBrute(const char *Cmd){
361
362 bool errors = false;
363 uint32_t fc = 0, cn = 0, delay = 1000;
364 uint8_t fmtlen = 0;
365 uint8_t bits[96];
366 uint8_t *bs = bits;
367 memset(bs, 0, sizeof(bits));
368 uint8_t cmdp = 0;
369
370 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
371 switch(param_getchar(Cmd, cmdp)) {
372 case 'h':
373 case 'H':
374 return usage_lf_hid_brute();
375 case 'f':
376 case 'F':
377 fc = param_get32ex(Cmd ,cmdp+1, 0, 10);
378 if ( !fc )
379 errors = true;
380 cmdp += 2;
381 break;
382 case 'd':
383 case 'D':
384 // delay between attemps, defaults to 1000ms.
385 delay = param_get32ex(Cmd, cmdp+1, 1000, 10);
386 cmdp += 2;
387 break;
388 case 'c':
389 case 'C':
390 cn = param_get32ex(Cmd, cmdp+1, 0, 10);
391 // truncate cardnumber.
392 cn &= 0xFFFF;
393 cmdp += 2;
394 break;
395 case 'a':
396 case 'A':
397 fmtlen = param_get8(Cmd, cmdp+1);
398 cmdp += 2;
399 bool is_ftm_ok = FALSE;
400 uint8_t ftms[] = {26,33,34,35,37};
401 for ( uint8_t i = 0; i < sizeof(ftms); i++){
402 if ( ftms[i] == fmtlen ) {
403 is_ftm_ok = TRUE;
404 }
405 }
406 // negated
407 errors = !is_ftm_ok;
408 break;
409 default:
410 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
411 errors = true;
412 break;
413 }
414 }
415 if ( fc == 0 ) errors = true;
416 if ( errors ) return usage_lf_hid_brute();
417
418 PrintAndLog("Brute-forcing HID reader");
419 PrintAndLog("Press pm3-button to abort simulation or run another command");
420
421 uint16_t up = cn;
422 uint16_t down = cn;
423
424 for (;;){
425
426 if ( offline ) {
427 printf("Device offline\n");
428 return 2;
429 }
430
431 if (ukbhit()) {
432 PrintAndLog("aborted via keyboard!");
433 return sendPing();
434 }
435
436 // Do one up
437 if ( up < 0xFFFF )
438 if ( !sendTry(fmtlen, fc, up++, delay, bs)) return 1;
439
440 // Do one down (if cardnumber is given)
441 if ( cn > 1 )
442 if ( down > 1 )
443 if ( !sendTry(fmtlen, fc, --down, delay, bs)) return 1;
444 }
445 return 0;
446 }
447
448 static command_t CommandTable[] = {
449 {"help", CmdHelp, 1, "This help"},
450 {"fskdemod",CmdHIDDemodFSK, 0, "Realtime HID FSK demodulator"},
451 {"sim", CmdHIDSim, 0, "HID tag simulator"},
452 {"clone", CmdHIDClone, 0, "Clone HID to T55x7"},
453 {"wiegand", CmdHIDWiegand, 1, "Convert facility code/card number to Wiegand code"},
454 {"brute", CmdHIDBrute, 0, "Bruteforce card number against reader"},
455 {NULL, NULL, 0, NULL}
456 };
457
458 int CmdLFHID(const char *Cmd) {
459 clearCommandBuffer();
460 CmdsParse(CommandTable, Cmd);
461 return 0;
462 }
463
464 int CmdHelp(const char *Cmd) {
465 CmdsHelp(CommandTable);
466 return 0;
467 }
Proxmark3 GIT tracking
Impressum, Datenschutz