//-----------------------------------------------------------------------------\r
// Low frequency T55xx commands\r
//-----------------------------------------------------------------------------\r
-\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <inttypes.h>\r
-#include "proxmark3.h"\r
-#include "ui.h"\r
-#include "graph.h"\r
-#include "cmdmain.h"\r
-#include "cmdparser.h"\r
-#include "cmddata.h"\r
-#include "cmdlf.h"\r
#include "cmdlft55xx.h"\r
-#include "util.h"\r
-#include "data.h"\r
-#include "lfdemod.h"\r
-#include "cmdhf14a.h" //for getTagInfo\r
-\r
-#define T55x7_CONFIGURATION_BLOCK 0x00\r
-#define T55x7_PAGE0 0x00\r
-#define T55x7_PAGE1 0x01\r
-#define T55x7_PWD 0x00000010\r
-#define REGULAR_READ_MODE_BLOCK 0xFF\r
\r
// Default configuration\r
t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
int usage_t55xx_bruteforce(){\r
PrintAndLog("This command uses A) bruteforce to scan a number range");\r
PrintAndLog(" B) a dictionary attack");\r
+ PrintAndLog("press 'enter' to cancel the command");\r
PrintAndLog("Usage: lf t55xx bruteforce [h] <start password> <end password> [i <*.dic>]");\r
PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
PrintAndLog("Options:");\r
}\r
int usage_t55xx_recoverpw(){\r
PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+ PrintAndLog("press 'enter' to cancel the command");\r
PrintAndLog("WARNING: this may brick non-password protected chips!");\r
PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
PrintAndLog(" password must be 4 bytes (8 hex symbols)");\r
\r
void printT5xxHeader(uint8_t page){\r
PrintAndLog("Reading Page %d:", page); \r
- PrintAndLog("blk | hex data | binary");\r
- PrintAndLog("----+----------+---------------------------------"); \r
+ PrintAndLog("blk | hex data | binary | ascii");\r
+ PrintAndLog("----+----------+----------------------------------+-------"); \r
}\r
\r
int CmdT55xxSetConfig(const char *Cmd) {\r
clk = GetAskClock("", FALSE, FALSE);\r
if (clk>0) {\r
tests[hits].ST = TRUE;\r
+ // "0 0 1 " == clock auto, invert false, maxError 1.\r
+ // false = no verbose\r
+ // false = no emSearch\r
+ // 1 = Ask/Man\r
+ // st = true\r
if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
tests[hits].modulation = DEMOD_ASK;\r
tests[hits].bitrate = bitRate;\r
++hits;\r
}\r
tests[hits].ST = TRUE;\r
+ // "0 0 1 " == clock auto, invert true, maxError 1.\r
+ // false = no verbose\r
+ // false = no emSearch\r
+ // 1 = Ask/Man\r
+ // st = true\r
if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
tests[hits].modulation = DEMOD_ASK;\r
tests[hits].bitrate = bitRate;\r
return TRUE;\r
}\r
\r
+ bool retval = FALSE;\r
if ( hits > 1) {\r
PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
for(int i=0; i<hits; ++i){\r
- PrintAndLog("--[%d]---------------", i+1);\r
+ retval = testKnownConfigBlock(tests[i].block0);\r
+ if ( retval ) { \r
+ PrintAndLog("--[%d]--------------- << selected this", i+1);\r
+ config.modulation = tests[i].modulation;\r
+ config.bitrate = tests[i].bitrate;\r
+ config.inverted = tests[i].inverted;\r
+ config.offset = tests[i].offset;\r
+ config.block0 = tests[i].block0;\r
+ config.Q5 = tests[i].Q5;\r
+ config.ST = tests[i].ST;\r
+ } else {\r
+ PrintAndLog("--[%d]---------------", i+1);\r
+ }\r
printConfiguration( tests[i] );\r
}\r
}\r
+ return retval;\r
+}\r
+\r
+bool testKnownConfigBlock(uint32_t block0) {\r
+ switch(block0){\r
+ case T55X7_DEFAULT_CONFIG_BLOCK:\r
+ case T55X7_RAW_CONFIG_BLOCK:\r
+ case T55X7_EM_UNIQUE_CONFIG_BLOCK:\r
+ case T55X7_FDXB_CONFIG_BLOCK:\r
+ case T55X7_HID_26_CONFIG_BLOCK:\r
+ case T55X7_PYRAMID_CONFIG_BLOCK:\r
+ case T55X7_INDALA_64_CONFIG_BLOCK:\r
+ case T55X7_INDALA_224_CONFIG_BLOCK:\r
+ case T55X7_GUARDPROXII_CONFIG_BLOCK:\r
+ case T55X7_VIKING_CONFIG_BLOCK:\r
+ case T55X7_NORALYS_CONFIG_BLOCK:\r
+ case T55X7_IOPROX_CONFIG_BLOCK:\r
+ case T55X7_PRESCO_CONFIG_BLOCK:\r
+ return TRUE;\r
+ }\r
return FALSE;\r
}\r
\r
bits[i - config.offset] = DemodBuffer[i];\r
\r
blockData = PackBits(0, 32, bits);\r
+ uint8_t bytes[4] = {0};\r
+ num_to_bytes(blockData, 4, bytes);\r
\r
- PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));\r
+ PrintAndLog(" %s | %08X | %s | %s", blockNum, blockData, sprint_bin(bits,32), sprint_ascii(bytes,4));\r
}\r
\r
int special(const char *Cmd) {\r
uint32_t blockData = 0;\r
uint8_t bits[32] = {0x00};\r
\r
- PrintAndLog("OFFSET | DATA | BINARY");\r
- PrintAndLog("----------------------------------------------------");\r
+ PrintAndLog("OFFSET | DATA | BINARY | ASCII");\r
+ PrintAndLog("-------+-------+-------------------------------------+------");\r
int i,j = 0;\r
for (; j < 64; ++j){\r
\r
}\r
clearCommandBuffer();\r
SendCommand(&c);\r
- if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)){\r
PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
return 0;\r
}\r
\r
int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
// arg0 bitmodes:\r
- // bit0 = pwdmode\r
- // bit1 = page to read from\r
+ // bit0 = pwdmode\r
+ // bit1 = page to read from\r
+ // arg1: which block to read\r
+ // arg2: password\r
uint8_t arg0 = (page<<1) | pwdmode;\r
UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
- \r
clearCommandBuffer();\r
SendCommand(&c);\r
- if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
PrintAndLog("command execution time out");\r
return 0;\r
}\r
\r
- uint8_t got[12000];\r
- GetFromBigBuf(got,sizeof(got),0);\r
- WaitForResponse(CMD_ACK,NULL);\r
+ //uint8_t got[12288];\r
+ uint8_t got[7679];\r
+ GetFromBigBuf(got, sizeof(got), 0);\r
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {\r
+ PrintAndLog("command execution time out");\r
+ return 0;\r
+ }\r
setGraphBuf(got, sizeof(got));\r
return 1;\r
}\r
\r
int CmdResetRead(const char *Cmd) {\r
UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
-\r
clearCommandBuffer();\r
SendCommand(&c);\r
- if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
PrintAndLog("command execution time out");\r
return 0;\r
}\r
// With a pwd should work even if pwd bit not set\r
PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
\r
- if ( Q5 ){\r
+ if ( Q5 )\r
snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
- } else {\r
+ else\r
snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
- }\r
\r
if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
\r
return 0;\r
}\r
\r
+bool IsCancelled(void) {\r
+ if (ukbhit()) {\r
+ int ch = getchar();\r
+ (void)ch;\r
+ printf("\naborted via keyboard!\n");\r
+ return TRUE;\r
+ }\r
+ return FALSE;\r
+}\r
+\r
int CmdT55xxBruteForce(const char *Cmd) {\r
\r
// load a default pwd file.\r
- char buf[9];\r
+ char line[9];\r
char filename[FILE_PATH_SIZE]={0};\r
int keycnt = 0;\r
- int ch;\r
uint8_t stKeyBlock = 20;\r
uint8_t *keyBlock = NULL, *p = NULL;\r
uint32_t start_password = 0x00000000; //start password\r
uint32_t end_password = 0xFFFFFFFF; //end password\r
bool found = false;\r
\r
+ memset(line, 0, sizeof(line));\r
+ \r
char cmdp = param_getchar(Cmd, 0);\r
if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
\r
- keyBlock = calloc(stKeyBlock, 6);\r
+ keyBlock = calloc(stKeyBlock, 4);\r
if (keyBlock == NULL) return 1;\r
\r
if (cmdp == 'i' || cmdp == 'I') {\r
if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
memcpy(filename, Cmd+2, len);\r
\r
- FILE * f = fopen( filename , "r");\r
- \r
+ FILE * f = fopen( filename , "r"); \r
if ( !f ) {\r
PrintAndLog("File: %s: not found or locked.", filename);\r
free(keyBlock);\r
return 1;\r
} \r
- \r
- while( fgets(buf, sizeof(buf), f) ){\r
- if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
\r
- while (fgetc(f) != '\n' && !feof(f)) ; //goto next line\r
- \r
+ while( fgets(line, sizeof(line), f) ){\r
+ if (strlen(line) < 8 || line[7] == '\n') continue;\r
+ \r
+ //goto next line\r
+ while (fgetc(f) != '\n' && !feof(f)) ;\r
+ \r
//The line start with # is comment, skip\r
- if( buf[0]=='#' ) continue;\r
+ if( line[0]=='#' ) continue;\r
\r
- if (!isxdigit(buf[0])){\r
- PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+ if (!isxdigit(line[0])) {\r
+ PrintAndLog("File content error. '%s' must include 8 HEX symbols", line);\r
continue;\r
}\r
\r
- buf[8] = 0;\r
-\r
+ line[8] = 0; \r
+ \r
+ // realloc keyblock array size.\r
if ( stKeyBlock - keycnt < 2) {\r
- p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+ p = realloc(keyBlock, 4 * (stKeyBlock += 10));\r
if (!p) {\r
PrintAndLog("Cannot allocate memory for defaultKeys");\r
free(keyBlock);\r
- fclose(f);\r
+ if (f)\r
+ fclose(f);\r
return 2;\r
}\r
keyBlock = p;\r
}\r
+ // clear mem\r
memset(keyBlock + 4 * keycnt, 0, 4);\r
- num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
- PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
- keycnt++;\r
- memset(buf, 0, sizeof(buf));\r
+ \r
+ num_to_bytes( strtoll(line, NULL, 16), 4, keyBlock + 4*keycnt);\r
+ \r
+ PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4 * keycnt, 4) ); \r
+ keycnt++; \r
+ memset(line, 0, sizeof(line));\r
} \r
- fclose(f);\r
+ if (f)\r
+ fclose(f);\r
\r
if (keycnt == 0) {\r
PrintAndLog("No keys found in file");\r
// loop\r
uint64_t testpwd = 0x00;\r
for (uint16_t c = 0; c < keycnt; ++c ) {\r
- \r
- if (ukbhit()) {\r
- ch = getchar();\r
- (void)ch;\r
- printf("\naborted via keyboard!\n");\r
+\r
+ if ( offline ) {\r
+ printf("Device offline\n");\r
+ free(keyBlock);\r
+ return 2;\r
+ }\r
+ \r
+ if (IsCancelled()) {\r
free(keyBlock);\r
return 0;\r
}\r
testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
\r
PrintAndLog("Testing %08X", testpwd);\r
- \r
- \r
+ \r
if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
+ PrintAndLog("Acquire data from device failed. Quitting");\r
free(keyBlock);\r
return 0;\r
}\r
\r
found = tryDetectModulation();\r
-\r
if ( found ) {\r
PrintAndLog("Found valid password: [%08X]", testpwd);\r
- free(keyBlock);\r
- return 0;\r
+ //free(keyBlock);\r
+ //return 0;\r
} \r
}\r
PrintAndLog("Password NOT found.");\r
\r
printf(".");\r
fflush(stdout);\r
- if (ukbhit()) {\r
- ch = getchar();\r
- (void)ch;\r
- printf("\naborted via keyboard!\n");\r
+ \r
+ if (IsCancelled()) {\r
free(keyBlock);\r
return 0;\r
}\r
\r
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
+ PrintAndLog("Acquire data from device failed. Quitting");\r
free(keyBlock);\r
return 0;\r
}\r
return 0;\r
}\r
\r
-int tryOnePassword(uint32_t password)\r
-{\r
+int tryOnePassword(uint32_t password) {\r
PrintAndLog("Trying password %08x", password);\r
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
- PrintAndLog("Aquireing data from device failed. Quitting");\r
+ PrintAndLog("Acquire data from device failed. Quitting");\r
return -1;\r
}\r
\r
if (tryDetectModulation())\r
return 1;\r
- else return 0;\r
+ else \r
+ return 0;\r
}\r
\r
int CmdT55xxRecoverPW(const char *Cmd) {\r
uint32_t prev_password = 0xffffffff;\r
uint32_t mask = 0x0;\r
int found = 0;\r
-\r
char cmdp = param_getchar(Cmd, 0);\r
if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
\r
orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
\r
// first try fliping each bit in the expected password\r
- while ((found != 1) && (bit < 32)) {\r
+ while (bit < 32) {\r
curr_password = orig_password ^ ( 1 << bit );\r
found = tryOnePassword(curr_password);\r
- if (found == 1)\r
- goto done;\r
- else if (found == -1)\r
- return 0;\r
+ if (found == -1) return 0;\r
bit++;\r
+ \r
+ if (IsCancelled()) return 0;\r
}\r
\r
// now try to use partial original password, since block 7 should have been completely\r
// not sure from which end the bit bits are written, so try from both ends \r
// from low bit to high bit\r
bit = 0;\r
- while ((found != 1) && (bit < 32)) {\r
+ while (bit < 32) {\r
mask += ( 1 << bit );\r
curr_password = orig_password & mask;\r
// if updated mask didn't change the password, don't try it again\r
continue;\r
}\r
found = tryOnePassword(curr_password);\r
- if (found == 1)\r
- goto done;\r
- else if (found == -1)\r
- return 0;\r
+ if (found == -1) return 0;\r
bit++;\r
- prev_password=curr_password;\r
+ prev_password = curr_password;\r
+ \r
+ if (IsCancelled()) return 0;\r
}\r
\r
// from high bit to low\r
bit = 0;\r
mask = 0xffffffff;\r
- while ((found != 1) && (bit < 32)) {\r
+ while (bit < 32) {\r
mask -= ( 1 << bit );\r
curr_password = orig_password & mask;\r
// if updated mask didn't change the password, don't try it again\r
continue;\r
}\r
found = tryOnePassword(curr_password);\r
- if (found == 1)\r
- goto done;\r
- else if (found == -1)\r
+ if (found == -1)\r
return 0;\r
bit++;\r
- prev_password=curr_password;\r
+ prev_password = curr_password;\r
+ \r
+ if (IsCancelled()) return 0;\r
}\r
-done:\r
+\r
PrintAndLog("");\r
\r
if (found == 1)\r