PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");\r
PrintAndLog(" o - OPTIONAL override safety check");\r
PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0");\r
- PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");\r
+ PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");\r
PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); \r
PrintAndLog(" ****WARNING****");\r
PrintAndLog(" Use of read with password on a tag not configured for a pwd");\r
PrintAndLog(" p <password> - OPTIONAL password 4bytes (8 hex characters)");\r
PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0");\r
PrintAndLog(" t - OPTIONAL test mode write - ****DANGER****"); \r
- PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");\r
+ PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");\r
PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); \r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog("Options:");\r
PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");\r
PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");\r
- PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");\r
+ PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");\r
PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); \r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" <password> - [required] password 4bytes (8 hex symbols)");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
- PrintAndLog(" lf t55xx wakeup 11223344 - send wakeup password");\r
+ PrintAndLog(" lf t55xx wakeup 11223344 - send wakeup password");\r
return 0;\r
}\r
int usage_t55xx_bruteforce(){\r
PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
PrintAndLog("Options:");\r
PrintAndLog(" h - this help");\r
+ PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default)"); \r
+ PrintAndLog(" '1' long leading reference, '2' leading zero ");\r
+ PrintAndLog(" '3' 1 of 4 coding reference, '4' special - try all downlink modes");\r
PrintAndLog(" <start_pwd> - 4 byte hex value to start pwd search at");\r
PrintAndLog(" <end_pwd> - 4 byte hex value to end pwd search at");\r
PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
- PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
- PrintAndLog(" lf t55xx bruteforce i default_pwd.dic");\r
- PrintAndLog("");\r
- return 0;\r
-}\r
-int usage_t55xx_bruteforce_downlink(){\r
- PrintAndLog("This command uses A) bruteforce to scan a number range");\r
- PrintAndLog(" B) a dictionary attack");\r
- PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
- PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
- PrintAndLog("Options:");\r
- PrintAndLog(" h - this help");\r
- PrintAndLog(" r <start_pwd> <end_pwd> - 4 byte hex value to start and end pwd search at");\r
- PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");\r
- PrintAndLog(" e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default)"); \r
- PrintAndLog(" '1' long leading reference, '2' leading zero ");\r
- PrintAndLog(" '3' 1 of 4 coding reference, '4' special - try all downlink modes");\r
- PrintAndLog("");\r
- PrintAndLog("Examples:");\r
- PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
- PrintAndLog(" lf t55xx bruteforce i default_pwd.dic");\r
+ PrintAndLog(" lf t55xx bruteforce [r 2] aaaaaaaa bbbbbbbb");\r
+ PrintAndLog(" lf t55xx bruteforce [r 2] i default_pwd.dic");\r
PrintAndLog("");\r
return 0;\r
}\r
}\r
\r
// No args\r
- if (cmdp == 0) return printConfiguration( config );\r
+ if (cmdp == 0) return printConfiguration( config);\r
\r
//Validations\r
if (errors) return usage_t55xx_config();\r
\r
config.block0 = 0;\r
- return printConfiguration ( config );\r
+ return printConfiguration ( config);\r
}\r
\r
int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){\r
page1 = true;\r
cmdp++;\r
break;\r
- case 'e':\r
- case 'E':\r
+ case 'r':\r
+ case 'R':\r
downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
if (downlink_mode > 3) downlink_mode = 0;\r
cmdp +=2;\r
return (bool) ASKDemod("64 0 1", false, false, 1);\r
}\r
\r
+void T55xx_Print_DownlinkMode (uint8_t downlink_mode)\r
+{\r
+ char Msg[80];\r
+ sprintf (Msg,"Downlink Mode used : ");\r
+ \r
+ switch (downlink_mode) {\r
+ case 0 : strcat (Msg,"default/fixed bit length"); break;\r
+ case 1 : strcat (Msg,"long leading reference (r 1)"); break;\r
+ case 2 : strcat (Msg,"leading zero reference (r 2)"); break;\r
+ case 3 : strcat (Msg,"1 of 4 coding reference (r 3)"); break;\r
+ default :\r
+ strcat (Msg,"default/fixed bit length"); break;\r
+\r
+ }\r
+ \r
+ PrintAndLog (Msg);\r
+ \r
+}\r
+\r
int CmdT55xxDetect(const char *Cmd){\r
bool errors = false;\r
bool useGB = false;\r
useGB = true;\r
cmdp++;\r
break;\r
- case 'e':\r
- case 'E':\r
+ case 'r':\r
+ case 'R':\r
downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
if (downlink_mode > 3) downlink_mode = 0;\r
cmdp +=2;\r
if ( !tryDetectModulation() )\r
PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
else {\r
- // Add downlink mode to reference.\r
- switch (downlink_mode) {\r
- case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;\r
- case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;\r
- case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;\r
- case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;\r
- // default:\r
- \r
- // No default action\r
- }\r
+ // Add downlink mode for reference.\r
+ T55xx_Print_DownlinkMode (downlink_mode);\r
}\r
return 1;\r
}\r
config.block0 = tests[0].block0;\r
config.Q5 = tests[0].Q5;\r
config.ST = tests[0].ST;\r
- printConfiguration( config );\r
+ \r
+ printConfiguration( config);\r
return true;\r
}\r
\r
PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
for(int i=0; i<hits; ++i){\r
PrintAndLog("--[%d]---------------", i+1);\r
- printConfiguration( tests[i] );\r
+ printConfiguration( tests[i]);\r
}\r
}\r
return false;\r
page1 = true;\r
cmdp++;\r
break;\r
- case 'e':\r
- case 'E':\r
+ case 'r':\r
+ case 'R':\r
downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
if (downlink_mode > 3) downlink_mode = 0;\r
cmdp +=2;\r
char buf[9];\r
char filename[FILE_PATH_SIZE]={0};\r
int keycnt = 0;\r
- uint8_t downlink_mode = 0;\r
int ch;\r
uint8_t stKeyBlock = 20;\r
uint8_t *keyBlock = NULL, *p = NULL;\r
uint32_t start_password = 0x00000000; //start password\r
uint32_t end_password = 0xFFFFFFFF; //end password\r
bool found = false;\r
-\r
+ uint8_t downlink_mode = 0;\r
+ bool try_all_dl_modes = false;\r
+ uint8_t dl_mode = 0;\r
+ uint8_t cmd_offset = 0;\r
+ int cmd_opt = 0;\r
+ \r
char cmdp = param_getchar(Cmd, 0);\r
+ \r
if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+ if (cmdp == 'r' || cmdp == 'R') {\r
+ downlink_mode = param_getchar(Cmd, 1) - '0'; // get 2nd option, as this is fixed order.\r
+ if (downlink_mode == 4) try_all_dl_modes = true;\r
+ if (downlink_mode > 3) downlink_mode = 0;\r
+ cmd_opt += 2; // To help start/end passwords for range to be found\r
+ cmd_offset += 4; // r <sp> x <sp> To help the string offset for filename start position in cmd\r
+ cmdp = param_getchar(Cmd, 2); // get 3rd option, as this is fixed order.\r
+ }\r
\r
keyBlock = calloc(stKeyBlock, 6);\r
if (keyBlock == NULL) return 1;\r
\r
int len = strlen(Cmd+2);\r
if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
- memcpy(filename, Cmd+2, len);\r
+ memcpy(filename, Cmd+2+cmd_offset, len);\r
\r
FILE * f = fopen( filename , "r");\r
\r
testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
\r
PrintAndLog("Testing %08X", testpwd);\r
+ \r
+ // Try each downlink_mode if asked to \r
+ // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3\r
+ for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd, dl_mode)) {\r
+ PrintAndLog("Acquiring data from device failed. Quitting");\r
+ free(keyBlock);\r
+ return 0;\r
+ }\r
\r
- if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd,downlink_mode)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
- free(keyBlock);\r
- return 0;\r
- }\r
+ found = tryDetectModulation();\r
\r
- found = tryDetectModulation();\r
+ if ( found ) {\r
+ PrintAndLog("Found valid password: [%08X]", testpwd);\r
+ free(keyBlock);\r
+ \r
+ T55xx_Print_DownlinkMode (dl_mode);\r
\r
- if ( found ) {\r
- PrintAndLog("Found valid password: [%08X]", testpwd);\r
- free(keyBlock);\r
- return 0;\r
- }\r
+ return 0;\r
+ }\r
+ if (!try_all_dl_modes) // Exit loop if not trying all downlink modes\r
+ dl_mode = 4;\r
+ } \r
}\r
PrintAndLog("Password NOT found.");\r
free(keyBlock);\r
// Try to read Block 7, first :)\r
\r
// incremental pwd range search\r
- start_password = param_get32ex(Cmd, 0, 0, 16);\r
- end_password = param_get32ex(Cmd, 1, 0, 16);\r
+ start_password = param_get32ex(Cmd, cmd_opt , 0, 16);\r
+ end_password = param_get32ex(Cmd, cmd_opt+1 , 0, 16);\r
\r
if ( start_password >= end_password ) {\r
free(keyBlock);\r
free(keyBlock);\r
return 0;\r
}\r
-\r
- if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,downlink_mode)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
- free(keyBlock);\r
- return 0;\r
- }\r
- found = tryDetectModulation();\r
-\r
- if (found) break;\r
- i++;\r
- }\r
-\r
- PrintAndLog("");\r
-\r
- if (found)\r
- PrintAndLog("Found valid password: [%08x]", i);\r
- else\r
- PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
-\r
- free(keyBlock);\r
- return 0;\r
-}\r
-\r
-int CmdT55xxBruteForce_downlink(const char *Cmd) {\r
-\r
- // load a default pwd file.\r
- char buf[9];\r
- char filename[FILE_PATH_SIZE]={0};\r
- int keycnt = 0;\r
- uint8_t downlink_mode = 0;\r
- int ch;\r
- uint8_t stKeyBlock = 20;\r
- uint8_t *keyBlock = NULL, *p = NULL;\r
- uint32_t start_password = 0x00000000; //start password\r
- uint32_t end_password = 0xFFFFFFFF; //end password\r
- bool found = false;\r
- uint8_t cmdp = 0;\r
- int cmd_offset = 0;\r
- int errors = 0;\r
- int len;\r
- bool use_file = false;\r
- bool use_range = false;\r
- bool try_all_dl_modes = false;\r
- uint8_t dl_mode = 0;\r
- \r
- keyBlock = calloc(stKeyBlock, 6);\r
- if (keyBlock == NULL) return 1;\r
-\r
- while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
- switch(param_getchar(Cmd, cmdp)) {\r
- case 'h':\r
- case 'H':\r
- return usage_t55xx_bruteforce_downlink();\r
- case 'e':\r
- case 'E':\r
- downlink_mode = param_getchar(Cmd, cmdp+1) - '0';\r
- if (downlink_mode == 4) try_all_dl_modes = true;\r
- if (downlink_mode > 3) downlink_mode = 0;\r
- cmdp +=2;\r
- cmd_offset += 4;\r
- break;\r
- case 'i':\r
- case 'I':\r
- if (use_range) {\r
- PrintAndLog ("use Range or File");\r
- return 0;\r
- }\r
- use_file = true;\r
- len = strlen(Cmd+2);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
- memcpy(filename, Cmd+cmd_offset+2, len);\r
- // Drop any characters after space\r
- char *p = strstr(filename," ");\r
- if (p) *p = 0;\r
- cmdp += 2;\r
- // PrintAndLog (" File : [%s]",filename);\r
- break;\r
- case 'r':\r
- case 'R':\r
- if (use_file) {\r
- PrintAndLog ("use Range or File");\r
- return 0;\r
- }\r
- use_range = true; \r
- start_password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
- end_password = param_get32ex(Cmd, cmdp+2, 0, 16);\r
- cmdp += 3;\r
- cmd_offset += 20; \r
- break;\r
- default:\r
- PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
- errors = true;\r
- break;\r
- }\r
- }\r
-\r
- if (use_file)\r
- {\r
- FILE * f = fopen( filename , "r");\r
-\r
- if ( !f ) {\r
- PrintAndLog("File: %s: not found or locked.", filename);\r
- free(keyBlock);\r
- return 1;\r
- }\r
-\r
- while( fgets(buf, sizeof(buf), f) ) {\r
- if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
-\r
- while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
-\r
- //The line start with # is comment, skip\r
- if( buf[0]=='#' ) continue;\r
-\r
- if (!isxdigit((unsigned char)buf[0])) {\r
- PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
- continue;\r
- }\r
- \r
- buf[8] = 0;\r
-\r
- if ( stKeyBlock - keycnt < 2) {\r
- p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
- if (!p) {\r
- PrintAndLog("Cannot allocate memory for defaultKeys");\r
- free(keyBlock);\r
- fclose(f);\r
- return 2;\r
- }\r
- keyBlock = p;\r
- }\r
- memset(keyBlock + 4 * keycnt, 0, 4);\r
- num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
- PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
- keycnt++;\r
- memset(buf, 0, sizeof(buf));\r
- }\r
- fclose(f);\r
- \r
- if (keycnt == 0) {\r
- PrintAndLog("No keys found in file");\r
- free(keyBlock);\r
- return 1;\r
- }\r
- PrintAndLog("Loaded %d keys", keycnt);\r
- \r
- // loop\r
- uint64_t testpwd = 0x00;\r
- for (uint16_t c = 0; c < keycnt; ++c ) {\r
-\r
- if (ukbhit()) {\r
- ch = getchar();\r
- (void)ch;\r
- printf("\naborted via keyboard!\n");\r
- free(keyBlock);\r
- return 0;\r
- }\r
-\r
- testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
-\r
- PrintAndLog("Testing %08X", testpwd);\r
- \r
- // Try each downlink_mode if asked to \r
- // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3\r
- for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++)\r
- {\r
- if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd,dl_mode)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
- free(keyBlock);\r
- return 0;\r
- }\r
-\r
- found = tryDetectModulation();\r
-\r
- if ( found ) {\r
- PrintAndLog("Found valid password: [%08X]", testpwd);\r
- free(keyBlock);\r
- // Add downlink mode for reference.\r
- switch (dl_mode) {\r
- case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;\r
- case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;\r
- case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;\r
- case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;\r
- }\r
- return 0;\r
- }\r
- if (!try_all_dl_modes) // Exit loop\r
- dl_mode = 4;\r
- }\r
- }\r
- PrintAndLog("Password NOT found.");\r
- free(keyBlock);\r
- return 0;\r
- }\r
-\r
- if (use_range)\r
- {\r
-\r
- if ( start_password >= end_password ) {\r
- free(keyBlock);\r
- return usage_t55xx_bruteforce_downlink();\r
- }\r
- PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
-\r
- uint32_t i = start_password;\r
-\r
- while ((!found) && (i <= end_password)) {\r
-\r
- printf(".");\r
- fflush(stdout);\r
- if (ukbhit()) {\r
- ch = getchar();\r
- (void)ch;\r
- printf("\naborted via keyboard!\n");\r
- free(keyBlock);\r
- return 0;\r
- }\r
-\r
- if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,downlink_mode)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
+ // Try each downlink_mode if asked to \r
+ // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3\r
+ for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){\r
+ if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,dl_mode)) {\r
+ PrintAndLog("Acquiring data from device failed. Quitting");\r
free(keyBlock);\r
return 0;\r
}\r
found = tryDetectModulation();\r
\r
if (found) break;\r
- i++;\r
+ if (!try_all_dl_modes) // Exit loop if not trying all downlink modes\r
+ dl_mode = 4; \r
}\r
+ if (found) break;\r
+ i++;\r
+ }\r
\r
+ if (found){\r
+ PrintAndLog("Found valid password: [%08x]", i);\r
+ T55xx_Print_DownlinkMode (downlink_mode);\r
+ }\r
+ else{\r
PrintAndLog("");\r
- \r
- if (found) {\r
- PrintAndLog("Found valid password: [%08x]", i);\r
- // Add downlink mode for reference.\r
- switch (downlink_mode) {\r
- case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;\r
- case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;\r
- case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;\r
- case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;\r
- }\r
- }\r
- else\r
- PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
-\r
- free(keyBlock);\r
+ PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
}\r
+\r
+ free(keyBlock);\r
return 0;\r
}\r
-\r
// note length of data returned is different for different chips. \r
// some return all page 1 (64 bits) and others return just that block (32 bits) \r
// unfortunately the 64 bits makes this more likely to get a false positive...\r
static command_t CommandTable[] = {\r
{"help", CmdHelp, 1, "This help"},\r
{"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
- {"bruteforcedl",CmdT55xxBruteForce_downlink,0, "r <start password> <end password> [i <*.dic>] [e <downlink>] Simple bruteforce attack to find password"},\r
{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
{"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
{"p1detect", CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"},\r