iceman1001 [Tue, 12 Jan 2016 22:35:06 +0000 (23:35 +0100)]
FIX: Coverity, out-of-bounds write, CID#121340, CID#121341, CID#121342, CID#121343, wrong size in check, sprintf always adds a null terminator, so if filepath would have been 996 chars long, this might had happend... but no more.
iceman1001 [Tue, 12 Jan 2016 22:27:42 +0000 (23:27 +0100)]
FIX: Coverity, CID#121314, Explicit null dereferenced, in really odd occasions buf would be NULL, and sending NULL to memcpy dereferences it. Not sure about this fix.
iceman1001 [Tue, 12 Jan 2016 22:05:10 +0000 (23:05 +0100)]
FIX: Coverity, out-of-bounds, CID#121330, CID#121331, CID#121332, CID#121333,
keyNbr has to be smaller then ICLASS_KEYS_MAX (since the Iclass_Key_Table array is initialised with it).
iceman1001 [Tue, 12 Jan 2016 21:33:54 +0000 (22:33 +0100)]
FIX: Coverity, unintended sign extention, CID #121363, (numbits << 16) becomes int, then uint64_t. But the signness might set all upper bits to 1 in the process.
iceman1001 [Sat, 9 Jan 2016 16:17:36 +0000 (17:17 +0100)]
ADD: a new pwdgen algo Nicknamed C, (Huge props to @Bettse for everything) also added to the "hf mfu info" command. However, that will not work given the system's lockbits.. :( Maybe I'll add a function to test all imp pwdgens given a UID without making a authentication call to tag.
iceman1001 [Fri, 8 Jan 2016 13:30:56 +0000 (14:30 +0100)]
FIX: coverty scan, resourceleak in "hf mf sniff", added call to 'free' befor return.
FIX: coverty scan, overflow in "hf 14a raw", added an extra len check against USB_CMD_DATA_SIZE
iceman1001 [Fri, 8 Jan 2016 13:28:13 +0000 (14:28 +0100)]
ADD: @go_tus 's code to generate wiegand codes from FacilityCode/SiteCode and Cardnumber. Almost there, formatlength supported is 26,34,35,37,38,40,44,75,84, when its finised.
iceman1001 [Fri, 8 Jan 2016 13:25:10 +0000 (14:25 +0100)]
FIX: coverty scan reveals some resourceleaks and overruns, which is supposed to be fixed now.
/armsrc/des.c overflow 7 instead of 6
/client/cmdlfhitag.c overflows traclen
/client/util.c sprint_bin_break overflows.
/client/cmdhficlass.c need to free memory after malloc.
iceman1001 [Mon, 21 Dec 2015 18:48:00 +0000 (19:48 +0100)]
CHG: some textual change to README.txt
ADD: a prng.c to collect some different PRNG's i've ran into
ADD: some changes the tea implementation
ADD: a enhanced version - SwapEndian64ex
iceman1001 [Mon, 14 Dec 2015 21:50:54 +0000 (22:50 +0100)]
REM: removed an unused doublett function "printBits" in util.c
ADD: added a new string helper function "sprint_hex_ascii" in util.c
ADD: added "LF AWID BRUTE", a very simple bruteforce command for the awid commands.
it takes a facility-code, and iterates all possible 0xFFFF cardnum by sending sim command. It also uses the usb_poll function to stop the bruteforce on keypress and not leaving the pm3 device running the simulation.
the command implements the help parameter.
iceman1001 [Wed, 2 Dec 2015 21:46:11 +0000 (22:46 +0100)]
CHG: updated helptext for lf t55xx bruteforce
ADD: a ROL function in util.c
ADD: two pwdgen functions in cmdhfmfu.c, call them with a 7byte UID and get a 4byte number back. Will see if it can be connected with the "hf mfu info" command, make data extraction easier later on.
ADD: added some more easy pwd in the dictionary file default_pwd.dic
iceman1001 [Tue, 1 Dec 2015 21:47:03 +0000 (22:47 +0100)]
ADD: Added the possibility to exit the bruteforce mode (either rangesearch or file) with the keyboard.
FIX: if not found, the range search printed wrong number.
iceman1001 [Tue, 1 Dec 2015 21:38:37 +0000 (22:38 +0100)]
FIX: the lfsampling.c for t55xx had a tendecy to enter a neverending loop. Moved exit branch into the while statement, which seems to solve it.
FIX: Strange int -> uint8_t casting behavior (0x05 gets the 25bit set and becomes 0x10005 instead) in fskdemod, removed int and sscanf.
iceman1001 [Tue, 1 Dec 2015 12:07:01 +0000 (13:07 +0100)]
ADD: added the possibility to load a default pwd file to be used with the "lf t55xx bruteforce" command.
new option:
lf t55xx brutefore i default_pwd.dic - will load default pwds from file and test against tag.
iceman1001 [Sun, 22 Nov 2015 17:13:26 +0000 (18:13 +0100)]
ADD: 'hf mfu info' now prints following settings:
NFC_COUNTER_EN - If set, every read,fast_read increases a counter.
NFC_COUNTER_PROT_PWD - If set, reading nfc_counter needs a successfull pwd authentication before
These new settings is only valid for NTAG213/215/216,
iceman1001 [Sun, 22 Nov 2015 16:33:41 +0000 (17:33 +0100)]
ADD: @marshmellow's fixes to awid, viking and T55x7
ADD: 'lf t55xx detect' now can be called with a password.
ADD: trying to add the read counter and increase counter commands for ntag sim.
iceman1001 [Sat, 21 Nov 2015 17:48:58 +0000 (18:48 +0100)]
ADD: lf indalademod output, The binary string is now printed with linebreaks every 16bits
ADD: lf awid code is modified, some minor changes in outputs
ADD: lf t55xx write now prints the password on the same row, looks better when using the new "lf t55xx wipe" command.
ADD: the ioprox T55X7_IOPROX_CONFIG_BLOCK block.
iceman1001 [Tue, 10 Nov 2015 10:45:45 +0000 (11:45 +0100)]
FIX: an error that I introduced to the csetblock command with wrong length of crc calcs.
CHG: variable name in csetblock change. just trying to be consistant.
ADD: code clean up in hf 14a, added some help text methods.
iceman1001 [Mon, 9 Nov 2015 20:46:15 +0000 (21:46 +0100)]
CHG: a major remake of the "hf mf c*" commands. Ie chinese magic tags. Tried to make them consistent in parameter calls and simplified. And fixed the annoying gen1 tags that answers with a ACK/NACK on HALT commands..
iceman1001 [Sun, 1 Nov 2015 21:16:16 +0000 (22:16 +0100)]
CHG: some magic generation1 tags is not following protocol and answers to the "halt" command. This gives an error and makes the users think something went wrong. This also affected the magic identification in "Hf 14a reader" command, where it in those moments stated "NO" even if the tag is indeed a generation1.
iceman1001 [Sun, 1 Nov 2015 18:49:08 +0000 (19:49 +0100)]
ADD: help text for 'hf snoop' / 'hf search' / 'hf list'
CHG: minor code changes.
CHG: makefile , moved hi_sniffer.v from LF into HF row. @piwi suggestion for PR https://github.com/Proxmark/proxmark3/pull/141
iceman1001 [Wed, 21 Oct 2015 07:12:33 +0000 (09:12 +0200)]
ADD: 'LF T55X7 WAKEUP' command. For tags with AOR bit set, send this command with password to wake tag up and be able to do a "LF SEARCH" etc on it.
CHG: Minor code changes on T55X7 code. Default password is back to 'FF FF FF FF',
REM: removed @marshmellow42 's wakeup option in "lf t55x7 read",
--- BASICALLY:
if a T55X7 tag has following bits set:
AOR - send wakeup command with pwd, to enable LF interacting with it.
PWD - send read/write/trace/info command with pwd. No need to send wakeup.