From 9984b1735acccec9503494c02fccdeefb2dafd86 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 2 Dec 2015 22:46:11 +0100 Subject: [PATCH] CHG: updated helptext for lf t55xx bruteforce ADD: a ROL function in util.c ADD: two pwdgen functions in cmdhfmfu.c, call them with a 7byte UID and get a 4byte number back. Will see if it can be connected with the "hf mfu info" command, make data extraction easier later on. ADD: added some more easy pwd in the dictionary file default_pwd.dic --- client/cmdhfmfu.c | 78 ++++++++++++++++++++++++++++-------------- client/cmdhfmfu.h | 2 ++ client/cmdlft55xx.c | 4 ++- client/default_pwd.dic | 34 +++++++++++++++++- client/util.c | 16 ++++++--- client/util.h | 7 ++-- 6 files changed, 106 insertions(+), 35 deletions(-) diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 9c2faa58..a2f3be20 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -74,6 +74,54 @@ uint8_t UL_MEMORY_ARRAY[MAX_UL_TYPES] = { MAX_UL_BLOCKS, MAX_MY_D_NFC, MAX_MY_D_MOVE, MAX_MY_D_MOVE, MAX_MY_D_MOVE_LEAN, MAX_UL_BLOCKS}; +// Certain pwd generation algo nickname A. +uint32_t ul_ev1_pwdgenA(uint8_t* uid) { + + uint8_t pos = (uid[3] ^ uid[4] ^ uid[5] ^ uid[6]) % 32; + + uint32_t xortable[] = { + 0x4f2711c1, 0x07D7BB83, 0x9636EF07, 0xB5F4460E, 0xF271141C, 0x7D7BB038, 0x636EF871, 0x5F4468E3, + 0x271149C7, 0xD7BB0B8F, 0x36EF8F1E, 0xF446863D, 0x7114947A, 0x7BB0B0F5, 0x6EF8F9EB, 0x44686BD7, + 0x11494fAF, 0xBB0B075F, 0xEF8F96BE, 0x4686B57C, 0x1494F2F9, 0xB0B07DF3, 0xF8F963E6, 0x686B5FCC, + 0x494F2799, 0x0B07D733, 0x8F963667, 0x86B5F4CE, 0x94F2719C, 0xB07D7B38, 0xF9636E70, 0x6B5F44E0 + }; + + uint8_t entry[] = {0x00,0x00,0x00,0x00}; + uint8_t pwd[] = {0x00,0x00,0x00,0x00}; + + num_to_bytes( xortable[pos], 4, entry); + + pwd[0] = entry[0] ^ uid[1] ^ uid[2] ^ uid[3]; + pwd[1] = entry[1] ^ uid[0] ^ uid[2] ^ uid[4]; + pwd[2] = entry[2] ^ uid[0] ^ uid[1] ^ uid[5]; + pwd[3] = entry[3] ^ uid[6]; + + return (uint32_t)bytes_to_num(pwd, 4); +} + +// Certain pwd generation algo nickname B. (very simple) +uint32_t ul_ev1_pwdgenB(uint8_t* uid) { + + uint8_t pwd[] = {0x00,0x00,0x00,0x00}; + + pwd[0] = uid[1] ^ uid[3] ^ 0xAA; + pwd[1] = uid[2] ^ uid[4] ^ 0x55; + pwd[2] = uid[3] ^ uid[5] ^ 0xAA; + pwd[3] = uid[4] ^ uid[6] ^ 0x55; + return (uint32_t)bytes_to_num(pwd, 4); +} + +void ul_ev1_pwdgen_selftest(){ + + uint8_t uid1[] = {0x04,0x11,0x12,0x11,0x12,0x11,0x10}; + uint32_t pwd1 = ul_ev1_pwdgenA(uid1); + PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid1,7), pwd1, (pwd1 == 0x8432EB17)?"OK":"->8432EB17<-"); + + uint8_t uid2[] = {0x04,0x1f,0x98,0xea,0x1e,0x3e,0x81}; + uint32_t pwd2 = ul_ev1_pwdgenB(uid2); + PrintAndLog("UID | %s | %08X | %s", sprint_hex(uid2,7), pwd2, (pwd2 == 0x5fd37eca)?"OK":"->5fd37eca<--"); + return; +} static int CmdHelp(const char *Cmd); @@ -237,16 +285,6 @@ static int ulev1_getVersion( uint8_t *response, uint16_t responseLength ){ return len; } -// static int ulev1_fastRead( uint8_t startblock, uint8_t endblock, uint8_t *response ){ - - // uint8_t cmd[] = {MIFARE_ULEV1_FASTREAD, startblock, endblock}; - - // if ( !ul_send_cmd_raw(cmd, sizeof(cmd), response)){ - // return -1; - // } - // return 0; -// } - static int ulev1_readCounter( uint8_t counter, uint8_t *response, uint16_t responseLength ){ uint8_t cmd[] = {MIFARE_ULEV1_READ_CNT, counter}; @@ -268,7 +306,6 @@ static int ulev1_readSignature( uint8_t *response, uint16_t responseLength ){ return len; } - // Fudan check checks for which error is given for a command with incorrect crc // NXP UL chip responds with 01, fudan 00. // other possible checks: @@ -338,12 +375,12 @@ static int ul_print_default( uint8_t *data){ PrintAndLog(" Lock : %s - %s", sprint_hex(data+10, 2), - printBits(2, data+10) + sprint_bin(data+10, 2) ); PrintAndLog("OneTimePad : %s - %s\n", sprint_hex(data + 12, 4), - printBits(4, data+12) + sprint_bin(data+12, 4) ); return 0; @@ -434,8 +471,8 @@ static int ulc_print_3deskey( uint8_t *data){ static int ulc_print_configuration( uint8_t *data){ PrintAndLog("--- UL-C Configuration"); - PrintAndLog(" Higher Lockbits [40/0x28] : %s - %s", sprint_hex(data, 4), printBits(2, data)); - PrintAndLog(" Counter [41/0x29] : %s - %s", sprint_hex(data+4, 4), printBits(2, data+4)); + PrintAndLog(" Higher Lockbits [40/0x28] : %s - %s", sprint_hex(data, 4), sprint_bin(data, 2)); + PrintAndLog(" Counter [41/0x29] : %s - %s", sprint_hex(data+4, 4), sprint_bin(data+4, 2)); bool validAuth = (data[8] >= 0x03 && data[8] <= 0x30); if ( validAuth ) @@ -1829,15 +1866,8 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ return 0; } -// static uint8_t * diversify_key(uint8_t * key){ - - - // return key; -// } - // static void GenerateUIDe( uint8_t *uid, uint8_t len){ // for (int i=0; i [i <*.dic>]"); PrintAndLog(" password must be 4 bytes (8 hex symbols)"); + PrintAndLog("This command uses A) bruteforce to scan a number range"); + PrintAndLog(" B) a dictionary attack"); PrintAndLog("Options:"); PrintAndLog(" h - this help"); PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb"); - PrintAndLog(" lf t55xx bruteforce i mykeys.dic"); + PrintAndLog(" lf t55xx bruteforce i default_pwd.dic"); PrintAndLog(""); return 0; } diff --git a/client/default_pwd.dic b/client/default_pwd.dic index 5edb83ef..94cd4631 100644 --- a/client/default_pwd.dic +++ b/client/default_pwd.dic @@ -72,4 +72,36 @@ AABBCCDD, BBCCDDEE, CCDDEEFF, 0CB7E7FC, //rfidler? -FABADA11, //china? \ No newline at end of file +FABADA11, //china? +# 20 most common len==8 +#12345678, +#11111111, +#88888888, +87654321, +#00000000, +12341234, +69696969, +12121212, +#11223344, +12344321, +#77777777, +#99999999, +#22222222, +#55555555, +#33333333, +#44444444, +#66666666, +11112222, +13131313, +10041004, +## +31415926, //pii +abcd1234, +20002000, +19721972, +aa55aa55, //amiboo +55aa55aa, //rev amiboo +4f271149, // seeds ul-ev1 +07d7bb0b, // seeds ul-ev1 +9636ef8f, // seeds ul-ev1 +b5f44686, // seeds ul-ev1 diff --git a/client/util.c b/client/util.c index 11891233..860193e7 100644 --- a/client/util.c +++ b/client/util.c @@ -481,17 +481,25 @@ int32_t le24toh (uint8_t data[3]) { return (data[2] << 16) | (data[1] << 8) | data[0]; } - uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits) { + + if (len > 32) return 0; int i = start; int j = len-1; - - if (len > 32) return 0; - uint32_t tmp = 0; + for (; j >= 0; --j, ++i) tmp |= bits[i] << j; return tmp; } + +// RotateLeft - Ultralight, Desfire +void rol(uint8_t *data, const size_t len){ + uint8_t first = data[0]; + for (size_t i = 0; i < len-1; i++) { + data[i] = data[i+1]; + } + data[len-1] = first; +} \ No newline at end of file diff --git a/client/util.h b/client/util.h index eead10ec..5ba5eb6a 100644 --- a/client/util.h +++ b/client/util.h @@ -59,9 +59,9 @@ int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt); int param_gethex_ex(const char *line, int paramnum, uint8_t * data, int *hexcnt); int param_getstr(const char *line, int paramnum, char * str); - int hextobinarray( char *target, char *source); - int hextobinstring( char *target, char *source); - int binarraytohex( char *target, char *source, int length); +int hextobinarray( char *target, char *source); +int hextobinstring( char *target, char *source); +int binarraytohex( char *target, char *source, int length); void binarraytobinstring(char *target, char *source, int length); uint8_t GetParity( uint8_t *string, uint8_t type, int length); void wiegand_add_parity(uint8_t *target, uint8_t *source, uint8_t length); @@ -69,3 +69,4 @@ void wiegand_add_parity(uint8_t *target, uint8_t *source, uint8_t length); void xor(unsigned char * dst, unsigned char * src, size_t len); int32_t le24toh (uint8_t data[3]); uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits); +void rol(uint8_t *data, const size_t len); \ No newline at end of file -- 2.39.5