X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/59b5b7e14cbb43b7dd52b746fb565e8dda695f1b..70dbfc3fc7a177a81331bd8c86c9d993900f056b:/client/cmdlfpcf7931.c diff --git a/client/cmdlfpcf7931.c b/client/cmdlfpcf7931.c index 636db483..74bc3b3e 100644 --- a/client/cmdlfpcf7931.c +++ b/client/cmdlfpcf7931.c @@ -1,6 +1,7 @@ //----------------------------------------------------------------------------- // Copyright (C) 2012 Chalk // 2015 Dake +// 2018 sguerrini97 // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -8,9 +9,12 @@ //----------------------------------------------------------------------------- // Low frequency PCF7931 commands //----------------------------------------------------------------------------- + +#include "cmdlfpcf7931.h" + #include #include -#include "proxmark3.h" +#include "comms.h" #include "ui.h" #include "util.h" #include "graph.h" @@ -18,7 +22,6 @@ #include "cmddata.h" #include "cmdmain.h" #include "cmdlf.h" -#include "cmdlfpcf7931.h" static int CmdHelp(const char *Cmd); @@ -30,7 +33,7 @@ static int CmdHelp(const char *Cmd); struct pcf7931_config configPcf = { {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}, PCF7931_DEFAULT_INITDELAY, - PCF7931_DEFAULT_OFFSET_WIDTH, + PCF7931_DEFAULT_OFFSET_WIDTH, PCF7931_DEFAULT_OFFSET_POSITION }; @@ -38,8 +41,8 @@ struct pcf7931_config configPcf = { int pcf7931_resetConfig(){ memset(configPcf.Pwd, 0xFF, sizeof(configPcf.Pwd) ); configPcf.InitDelay = PCF7931_DEFAULT_INITDELAY; - configPcf.OffsetWidth = PCF7931_DEFAULT_OFFSET_WIDTH; - configPcf.OffsetPosition = PCF7931_DEFAULT_OFFSET_POSITION; + configPcf.OffsetWidth = PCF7931_DEFAULT_OFFSET_WIDTH; + configPcf.OffsetPosition = PCF7931_DEFAULT_OFFSET_POSITION; return 0; } 
@@ -67,13 +70,28 @@ int usage_pcf7931_write(){ PrintAndLog("Options:"); PrintAndLog(" h This help"); PrintAndLog(" blockaddress Block to save [0-7]"); - PrintAndLog(" byteaddress Index of byte inside block to write [0-3]"); + PrintAndLog(" byteaddress Index of byte inside block to write [0-15]"); PrintAndLog(" data one byte of data (hex)"); PrintAndLog("Examples:"); PrintAndLog(" lf pcf7931 write 2 1 FF"); return 0; } +int usage_pcf7931_bruteforce() +{ + PrintAndLog("Usage: lf pcf7931 bruteforce [h] "); + PrintAndLog("This command tries to disable PAC of a PCF7931 transponder by bruteforcing the password."); + PrintAndLog("!! THIS IS NOT INTENDED TO RECOVER THE FULL PASSWORD !!"); + PrintAndLog("!! DO NOT USE UNLESS THE FIRST 5 BYTES OF THE PASSWORD ARE KNOWN !!"); + PrintAndLog("Options:"); + PrintAndLog(" h This help"); + PrintAndLog(" start password hex password to start from"); + PrintAndLog(" tries How many times to send the same data frame"); + PrintAndLog("Examples:"); + PrintAndLog(" lf pcf7931 bruteforce 00000000123456 3"); + return 0; +} + int usage_pcf7931_config(){ PrintAndLog("Usage: lf pcf7931 config [h] [r] "); PrintAndLog("This command tries to set the configuration used with PCF7931 commands"); @@ -85,7 +103,7 @@ int usage_pcf7931_config(){ PrintAndLog(" pwd Password, hex, 7bytes, LSB-order"); PrintAndLog(" delay Tag initialization delay (in us) decimal"); PrintAndLog(" offset Low pulses width (in us) decimal"); - PrintAndLog(" offset Low pulses position (in us) decimal"); + PrintAndLog(" offset Low pulses position (in us) decimal"); PrintAndLog("Examples:"); PrintAndLog(" lf pcf7931 config"); PrintAndLog(" lf pcf7931 config r"); @@ -94,7 +112,7 @@ int usage_pcf7931_config(){ return 0; } -int CmdLFPCF7931Read(const char *Cmd){ +int CmdLFPCF7931Read(const char *Cmd){ uint8_t ctmp = param_getchar(Cmd, 0); if ( ctmp == 'H' || ctmp == 'h' ) return usage_pcf7931_read(); 
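Review bot: The new `usage_pcf7931_bruteforce()` text does not say how long the start password must be or in which byte order it is read, although the parser added later in this patch requires 14 hex digits (`param_gethex(Cmd, 0, start_password, 14)`) and the `config` help spells out "7bytes, LSB-order". Without the byte order, the warning that the first 5 bytes must be known cannot be matched against the example `00000000123456`, because the reader cannot tell which end counts as first. I would change the line to `PrintAndLog(" start password hex password to start from, 7 bytes (14 hex digits)");` and add one more line stating the byte order and which bytes are iterated. The help should also say that `tries` is a required decimal argument, since the command appears to fall back to the usage text when it is missing (inferred from the `param_getdec` check, whose body is not in this patch).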
@@ -110,12 +128,12 @@ int CmdLFPCF7931Read(const char *Cmd){ return 0; } -int CmdLFPCF7931Config(const char *Cmd){ +int CmdLFPCF7931Config(const char *Cmd){ uint8_t ctmp = param_getchar(Cmd, 0); if ( ctmp == 0) return pcf7931_printConfig(); if ( ctmp == 'H' || ctmp == 'h' ) return usage_pcf7931_config(); - if ( ctmp == 'R' || ctmp == 'r' ) return pcf7931_resetConfig(); + if ( ctmp == 'R' || ctmp == 'r' ) return pcf7931_resetConfig(); if ( param_gethex(Cmd, 0, configPcf.Pwd, 14) ) return usage_pcf7931_config(); @@ -130,17 +148,17 @@ int CmdLFPCF7931Config(const char *Cmd){ int CmdLFPCF7931Write(const char *Cmd){ uint8_t ctmp = param_getchar(Cmd, 0); - if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_write(); + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_write(); uint8_t block = 0, bytepos = 0, data = 0; - + if ( param_getdec(Cmd, 0, &block) ) return usage_pcf7931_write(); if ( param_getdec(Cmd, 1, &bytepos) ) return usage_pcf7931_write(); - + if ( (block > 7) || (bytepos > 15) ) return usage_pcf7931_write(); data = param_get8ex(Cmd, 2, 0, 16); - + PrintAndLog("Writing block: %d", block); PrintAndLog(" pos: %d", bytepos); PrintAndLog(" data: 0x%02X", data); 
@@ -157,12 +175,47 @@ int CmdLFPCF7931Write(const char *Cmd){ return 0; } -static command_t CommandTable[] = +int CmdLFPCF7931BruteForce(const char *Cmd){ + + uint8_t ctmp = param_getchar(Cmd, 0); + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_bruteforce(); + + uint8_t start_password[7] = {0}; + uint8_t tries = 3; + + if (param_gethex(Cmd, 0, start_password, 14)) return usage_pcf7931_bruteforce(); + if (param_getdec(Cmd, 1, &tries)) return usage_pcf7931_bruteforce(); + + PrintAndLog("Bruteforcing from password: %02x %02x %02x %02x %02x %02x %02x", + start_password[0], + start_password[1], + start_password[2], + start_password[3], + start_password[4], + start_password[5], + start_password[6]); + + PrintAndLog("Trying each password %d times", tries); + + UsbCommand c = {CMD_PCF7931_BRUTEFORCE, {bytes_to_num(start_password, 7), tries} }; + + c.d.asDwords[7] = (configPcf.OffsetWidth + 128); + c.d.asDwords[8] = (configPcf.OffsetPosition + 128); + c.d.asDwords[9] = configPcf.InitDelay; + + clearCommandBuffer(); + SendCommand(&c); + //no ack? + return 0; +} + +static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, {"read", CmdLFPCF7931Read, 0, "Read content of a PCF7931 transponder"}, {"write", CmdLFPCF7931Write, 0, "Write data on a PCF7931 transponder."}, {"config", CmdLFPCF7931Config, 1, "Configure the password, the tags initialization delay and time offsets (optional)"}, + {"bruteforce", CmdLFPCF7931BruteForce, 0, "Bruteforce a PCF7931 transponder password."}, {NULL, NULL, 0, NULL} };
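Review bot: `CmdLFPCF7931BruteForce` returns 0 immediately after `SendCommand(&c)`, so the client never reports whether the device received the command, whether the run finished, or which password (if any) disabled PAC; the `//no ack?` comment leaves that question open. If the firmware handler sends a reply, wait for it with a timeout and print the outcome; if it does not, replace the comment with `// firmware sends no ack; results appear only on the device debug output`. Which of the two applies is not visible in this hunk. Separately, `tries` is forwarded as parsed, so 0 is accepted, and the initializer `uint8_t tries = 3;` reads like a default that is presumably never used because a failing `param_getdec` returns the usage text. Either make the argument optional or add `if (tries == 0) return usage_pcf7931_bruteforce();` before building the command.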