From 506672c48bdae1b045bb65c2939656806bc8be50 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Wed, 2 Dec 2015 17:27:12 -0500 Subject: [PATCH] icemans lf fixes & adjustments + lf t55xx bruteforce Fix small fskdemod clock bug --- CHANGELOG.md | 10 +++ armsrc/lfops.c | 2 +- armsrc/lfsampling.c | 5 +- client/cmddata.c | 38 ++++----- client/cmdlft55xx.c | 192 +++++++++++++++++++++++++++++++++++++++----- client/cmdlft55xx.h | 1 + 6 files changed, 207 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3a0799e..6dfa6384 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac ## [unreleased][unreleased] ### Added +- `lf t55xx bruteforce [i <*.dic>]` - Simple bruteforce attack to find password - (iceman and others) +- `lf viking clone`- clone viking tag to t55x7 or Q5 from 4byte hex ID input +- `lf viking sim` - sim full viking tag from 4byte hex ID input +- `lf viking read` - read viking tag and output ID +- `lf t55xx wipe` - sets t55xx back to factory defaults - Added viking demod to `lf search` (marshmellow) - `data askvikingdemod` demod viking id tag from graphbuffer (marshmellow) - `lf t55xx resetread` added reset then read command - should allow determining start @@ -26,6 +31,11 @@ of stream transmissions (marshmellow) - Added option c to 'hf list' (mark CRC bytes) (piwi) ### Changed +- Adjusted lf awid clone to optionally clone to Q5 tags +- Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7 +- Adjusted all lf NRZ demods - works more acurately and consistantly (as long as you have strong signal) +- Adjusted lf pskindalademod to reduce false positive reads. +- Small adjustments to psk, nrz, and ask clock detect routines - more reliable. - Adjusted lf em410x em410xsim to accept a clock argument - Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow) - Adjusted lf t55xx write input variables (marshmellow) diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 5cdfe834..47fec7c2 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -17,7 +17,7 @@ #include "lfdemod.h" #include "lfsampling.h" #include "protocols.h" -#include "usb_cdc.h" //test +#include "usb_cdc.h" // for usb_poll_validate_length /** * Function to do a modulation and then get samples. diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index b6ca9209..ab7c79dd 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -10,7 +10,7 @@ #include "apps.h" #include "util.h" #include "string.h" - +#include "usb_cdc.h" // for usb_poll_validate_length #include "lfsampling.h" sample_config config = { 1, 8, 1, 95, 0 } ; @@ -272,7 +272,7 @@ void doT55x7Acquisition(size_t sample_size) { uint8_t curSample = 0; uint8_t lastSample = 0; uint16_t skipCnt = 0; - while(!BUTTON_PRESS() && skipCnt<1000) { + while(!BUTTON_PRESS() && !usb_poll_validate_length() && skipCnt<1000 && iSSC_SR & AT91C_SSC_TXRDY) { AT91C_BASE_SSC->SSC_THR = 0x43; @@ -311,7 +311,6 @@ void doT55x7Acquisition(size_t sample_size) { } // collect samples dest[i++] = curSample; - if (i >= bufsize-1) break; } } } diff --git a/client/cmddata.c b/client/cmddata.c index ca4fcafc..30546f11 100644 --- a/client/cmddata.c +++ b/client/cmddata.c @@ -934,14 +934,14 @@ char *GetFSKType(uint8_t fchigh, uint8_t fclow, uint8_t invert) int FSKrawDemod(const char *Cmd, bool verbose) { //raw fsk demod no manchester decoding no start bit finding just get binary from wave - //set defaults - int rfLen = 0; - int invert = 0; - int fchigh = 0; - int fclow = 0; + uint8_t rfLen, invert, fchigh, fclow; + //set defaults //set options from parameters entered with the command - sscanf(Cmd, "%i %i %i %i", &rfLen, &invert, &fchigh, &fclow); + rfLen = param_get8ex(Cmd, 0, 0, 10); + invert = param_get8ex(Cmd, 1, 0, 10); + fchigh = param_get8ex(Cmd, 2, 0, 10); + fclow = param_get8ex(Cmd, 3, 0, 10); if (strlen(Cmd)>0 && strlen(Cmd)<=2) { if (rfLen==1){ @@ -955,34 +955,34 @@ int FSKrawDemod(const char *Cmd, bool verbose) if (BitLen==0) return 0; //get field clock lengths uint16_t fcs=0; - if (fchigh==0 || fclow == 0){ + if (!fchigh || !fclow) { fcs = countFC(BitStream, BitLen, 1); - if (fcs==0){ - fchigh=10; - fclow=8; - }else{ - fchigh = (fcs >> 8) & 0xFF; - fclow = fcs & 0xFF; + if (!fcs) { + fchigh = 10; + fclow = 8; + } else { + fchigh = (fcs >> 8) & 0x00FF; + fclow = fcs & 0x00FF; } } //get bit clock length - if (rfLen==0){ + if (!rfLen){ rfLen = detectFSKClk(BitStream, BitLen, fchigh, fclow); - if (rfLen == 0) rfLen = 50; + if (!rfLen) rfLen = 50; } - int size = fskdemod(BitStream,BitLen,(uint8_t)rfLen,(uint8_t)invert,(uint8_t)fchigh,(uint8_t)fclow); - if (size>0){ + int size = fskdemod(BitStream, BitLen, rfLen, invert, fchigh, fclow); + if (size > 0){ setDemodBuf(BitStream,size,0); // Now output the bitstream to the scrollback by line of 16 bits if (verbose || g_debugMode) { - PrintAndLog("\nUsing Clock:%d, invert:%d, fchigh:%d, fclow:%d", rfLen, invert, fchigh, fclow); + PrintAndLog("\nUsing Clock:%u, invert:%u, fchigh:%u, fclow:%u", rfLen, invert, fchigh, fclow); PrintAndLog("%s decoded bitstream:",GetFSKType(fchigh,fclow,invert)); printDemodBuff(); } return 1; - } else{ + } else { if (g_debugMode) PrintAndLog("no FSK data found"); } return 0; diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 490850f8..7bf2c25c 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -29,6 +29,7 @@ #define T55x7_CONFIGURATION_BLOCK 0x00 #define T55x7_PAGE0 0x00 #define T55x7_PAGE1 0x01 +#define T55x7_PWD 0x00000010 #define REGULAR_READ_MODE_BLOCK 0xFF // Default configuration @@ -148,11 +149,24 @@ int usage_t55xx_wakup(){ PrintAndLog(" lf t55xx wakeup p 11223344 - send wakeup password"); return 0; } +int usage_t55xx_bruteforce(){ + PrintAndLog("Usage: lf t55xx bruteforce [i <*.dic>]"); + PrintAndLog(" password must be 4 bytes (8 hex symbols)"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb"); + PrintAndLog(" lf t55xx bruteforce i mykeys.dic"); + PrintAndLog(""); + return 0; +} static int CmdHelp(const char *Cmd); void printT5xxHeader(uint8_t page){ - PrintAndLog("Reading Page %d:", page); + PrintAndLog("Reading Page %d:", page); PrintAndLog("blk | hex data | binary"); PrintAndLog("----+----------+---------------------------------"); } @@ -442,7 +456,6 @@ bool tryDetectModulation(){ t55xx_conf_block_t tests[15]; int bitRate=0; uint8_t fc1 = 0, fc2 = 0, clk=0; - save_restoreGB(1); if (GetFskClock("", FALSE, FALSE)){ fskClocks(&fc1, &fc2, &clk, FALSE); @@ -502,7 +515,7 @@ bool tryDetectModulation(){ } } //undo trim from ask - save_restoreGB(0); + //save_restoreGB(0); clk = GetNrzClock("", FALSE, FALSE); if (clk>0) { if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { @@ -522,9 +535,9 @@ bool tryDetectModulation(){ } } - //undo trim from nrz - save_restoreGB(0); + // allow undo // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) + save_restoreGB(1); CmdLtrim("160"); clk = GetPskClock("", FALSE, FALSE); if (clk>0) { @@ -565,8 +578,9 @@ bool tryDetectModulation(){ } } // inverse waves does not affect this demod } + //undo trim samples + save_restoreGB(0); } - save_restoreGB(0); if ( hits == 1) { config.modulation = tests[0].modulation; config.bitrate = tests[0].bitrate; @@ -1297,19 +1311,161 @@ int CmdT55xxWipe(const char *Cmd) { return 0; } +int CmdT55xxBruteForce(const char *Cmd) { + + // load a default pwd file. + char buf[9]; + char filename[FILE_PATH_SIZE]={0}; + int keycnt = 0; + uint8_t stKeyBlock = 20; + uint8_t *keyBlock = NULL, *p; + keyBlock = calloc(stKeyBlock, 6); + if (keyBlock == NULL) return 1; + + uint32_t start_password = 0x00000000; //start password + uint32_t end_password = 0xFFFFFFFF; //end password + bool found = false; + + char cmdp = param_getchar(Cmd, 0); + if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce(); + + if (cmdp == 'i' || cmdp == 'I') { + + int len = strlen(Cmd+2); + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + memcpy(filename, Cmd+2, len); + + FILE * f = fopen( filename , "r"); + + if ( !f ) { + PrintAndLog("File: %s: not found or locked.", filename); + free(keyBlock); + return 1; + } + + while( fgets(buf, sizeof(buf), f) ){ + if (strlen(buf) < 8 || buf[7] == '\n') continue; + + while (fgetc(f) != '\n' && !feof(f)) ; //goto next line + + //The line start with # is comment, skip + if( buf[0]=='#' ) continue; + + if (!isxdigit(buf[0])){ + PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf); + continue; + } + + buf[8] = 0; + + if ( stKeyBlock - keycnt < 2) { + p = realloc(keyBlock, 6*(stKeyBlock+=10)); + if (!p) { + PrintAndLog("Cannot allocate memory for defaultKeys"); + free(keyBlock); + return 2; + } + keyBlock = p; + } + memset(keyBlock + 4 * keycnt, 0, 4); + num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt); + PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4)); + keycnt++; + memset(buf, 0, sizeof(buf)); + } + fclose(f); + + if (keycnt == 0) { + PrintAndLog("No keys found in file"); + return 1; + } + PrintAndLog("Loaded %d keys", keycnt); + + // loop + uint64_t testpwd = 0x00; + for (uint16_t c = 0; c < keycnt; ++c ) { + + if (ukbhit()) { + getchar(); + printf("\naborted via keyboard!\n"); + return 0; + } + + testpwd = bytes_to_num(keyBlock + 4*c, 4); + + PrintAndLog("Testing %08X", testpwd); + + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) { + PrintAndLog("Aquireing data from device failed. Quitting"); + return 0; + } + + found = tryDetectModulation(); + + if ( found ) { + PrintAndLog("Found valid password: [%08X]", testpwd); + return 0; + } + } + PrintAndLog("Password NOT found."); + return 0; + } + + // Try to read Block 7, first :) + + // incremental pwd range search + start_password = param_get32ex(Cmd, 0, 0, 16); + end_password = param_get32ex(Cmd, 1, 0, 16); + + if ( start_password >= end_password ) return usage_t55xx_bruteforce(); + + PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password); + + uint32_t i = start_password; + + while ((!found) && (i <= end_password)){ + + printf("."); + fflush(stdout); + if (ukbhit()) { + getchar(); + printf("\naborted via keyboard!\n"); + return 0; + } + + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) { + PrintAndLog("Aquireing data from device failed. Quitting"); + return 0; + } + found = tryDetectModulation(); + + if (found) break; + i++; + } + + PrintAndLog(""); + + if (found) + PrintAndLog("Found valid password: [%08x]", i); + else + PrintAndLog("Password NOT found. Last tried: [%08x]", --i); + return 0; +} + static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, - {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."}, - {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"}, - {"resetread",CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"}, - {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"}, - {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"}, - {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"}, - {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"}, - {"special", special, 0, "Show block changes with 64 different offsets"}, - {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"}, - {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"}, + {"help", CmdHelp, 1, "This help"}, + {"bruteforce",CmdT55xxBruteForce,0, " [i <*.dic>] Simple bruteforce attack to find password"}, + {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, + {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."}, + {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"}, + {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"}, + {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"}, + {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"}, + {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"}, + {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"}, + {"special", special, 0, "Show block changes with 64 different offsets"}, + {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"}, + {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index 424e85ab..56b1b9b7 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h @@ -45,6 +45,7 @@ void Set_t55xx_Config(t55xx_conf_block_t conf); int CmdLFT55XX(const char *Cmd); +int CmdT55xxBruteForce(const char *Cmd); int CmdT55xxSetConfig(const char *Cmd); int CmdT55xxReadBlock(const char *Cmd); int CmdT55xxWriteBlock(const char *Cmd); -- 2.39.5