RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-12-27 02:24:47 +08:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1982 from phaseloop/em4x50-bruteforce

Browse source 
Bruteforce engine to crack non-random 32 bit keys
This commit is contained in:
Iceman 2023-05-27 10:06:09 +02:00 committed by GitHub
commit 1571f95a2a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 317 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
armsrc/Makefile
View file

@ -77,7 +77,7 @@ else
endif
ifneq (,$(findstring WITH_EM4x50,$(APP_CFLAGS)))
SRC_EM4x50 = em4x50.c
SRC_EM4x50 = em4x50.c bruteforce.c
else
SRC_EM4x50 =
endif

20
armsrc/em4x50.c
View file

@ -27,6 +27,7 @@
#include "BigBuf.h"
#include "spiffs.h"
#include "appmain.h" // tear
#include "bruteforce.h"
// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
@ -632,12 +633,21 @@ static int login(uint32_t password) {
return PM3_EFAILED;
}
// searching for password in given range
static bool brute(uint32_t start, uint32_t stop, uint32_t *pwd) {
// searching for password using chosen bruteforce algorithm
static bool brute(em4x50_data_t *etd, uint32_t *pwd) {
generator_context_t ctx;
bool pwd_found = false;
int generator_ret = 0;
int cnt = 0;
for (*pwd = start; *pwd <= stop; (*pwd)++) {
bf_generator_init(&ctx, etd->bruteforce_mode);
if (etd->bruteforce_mode == BRUTEFORCE_MODE_CHARSET)
bf_generator_set_charset(&ctx, etd->bruteforce_charset);
while ((generator_ret = bf_generate32(&ctx)) == GENERATOR_NEXT) {
*pwd = ctx.current_key32;
WDT_HIT();
@ -702,7 +712,7 @@ void em4x50_login(uint32_t *password, bool ledcontrol) {
reply_ng(CMD_LF_EM4X50_LOGIN, status, NULL, 0);
}
// envoke password search
// invoke password search
void em4x50_brute(em4x50_data_t *etd, bool ledcontrol) {
em4x50_setup_read();
@ -714,7 +724,7 @@ void em4x50_brute(em4x50_data_t *etd, bool ledcontrol) {
LED_C_OFF();
LED_D_ON();
}
bsuccess = brute(etd->password1, etd->password2, &pwd);
bsuccess = brute(etd, &pwd);
}
if (ledcontrol) LEDsoff();

119
client/src/cmdlfem4x50.c
View file

@ -19,6 +19,7 @@
#include "cliparser.h"
#include "cmdlfem4x50.h"
#include <ctype.h>
#include <math.h>
#include "cmdparser.h" // command_t
#include "util_posix.h" // msclock
#include "fileutils.h"
@ -349,54 +350,114 @@ int CmdEM4x50Brute(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "lf em 4x50 brute",
"Tries to bruteforce the password of a EM4x50 card.\n"
"Function can be stopped by pressing pm3 button.",
"lf em 4x50 brute --first 12330000 --last 12340000 -> tries pwds from 0x12330000 to 0x1234000000\n"
"Function can be stopped by pressing pm3 button.\n",
"lf em 4x50 brute --mode range --begin 12330000 --end 12340000 -> tries pwds from 0x12330000 to 0x12340000\n"
"lf em 4x50 brute --mode charset --digits --uppercase -> tries all combinations of ASCII codes for digits and uppercase letters\n"
);
void *argtable[] = {
arg_param_begin,
arg_str1(NULL, "first", "<hex>", "first password (start), 4 bytes, lsb"),
arg_str1(NULL, "last", "<hex>", "last password (stop), 4 bytes, lsb"),
arg_str1(NULL, "mode", "<str>", "Bruteforce mode (range|charset)"),
arg_str0(NULL, "begin", "<hex>", "Range mode - start of the key range"),
arg_str0(NULL, "end", "<hex>", "Range mode - end of the key range"),
arg_lit0(NULL, "digits", "Charset mode - include ASCII codes for digits"),
arg_lit0(NULL, "uppercase", "Charset mode - include ASCII codes for uppercase letters"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
int first_len = 0;
uint8_t first[4] = {0, 0, 0, 0};
CLIGetHexWithReturn(ctx, 1, first, &first_len);
int last_len = 0;
uint8_t last[4] = {0, 0, 0, 0};
CLIGetHexWithReturn(ctx, 2, last, &last_len);
CLIParserFree(ctx);
if (first_len != 4) {
PrintAndLogEx(FAILED, "password length must be 4 bytes");
return PM3_EINVARG;
}
if (last_len != 4) {
PrintAndLogEx(FAILED, "password length must be 4 bytes");
return PM3_EINVARG;
}
em4x50_data_t etd;
etd.password1 = BYTES2UINT32_BE(first);
etd.password2 = BYTES2UINT32_BE(last);
memset(&etd, 0, sizeof(etd));
int mode_len = 64;
char mode[64];
CLIGetStrWithReturn(ctx, 1, (uint8_t *) mode, &mode_len);
PrintAndLogEx(INFO, "Chosen mode: %s", mode);
if (strcmp(mode, "range") == 0) {
etd.bruteforce_mode = BRUTEFORCE_MODE_RANGE;
} else if (strcmp(mode, "charset") == 0) {
etd.bruteforce_mode = BRUTEFORCE_MODE_CHARSET;
} else {
PrintAndLogEx(FAILED, "Unknown bruteforce mode: %s", mode);
return PM3_EINVARG;
}
if (etd.bruteforce_mode == BRUTEFORCE_MODE_RANGE) {
int begin_len = 0;
uint8_t begin[4] = {0x0};
CLIGetHexWithReturn(ctx, 2, begin, &begin_len);
int end_len = 0;
uint8_t end[4] = {0x0};
CLIGetHexWithReturn(ctx, 3, end, &end_len);
if (begin_len != 4) {
PrintAndLogEx(FAILED, "'begin' parameter must be 4 bytes");
return PM3_EINVARG;
}
if (end_len != 4) {
PrintAndLogEx(FAILED, "'end' parameter must be 4 bytes");
return PM3_EINVARG;
}
etd.password1 = BYTES2UINT32_BE(begin);
etd.password2 = BYTES2UINT32_BE(end);
} else if (etd.bruteforce_mode == BRUTEFORCE_MODE_CHARSET) {
bool enable_digits = arg_get_lit(ctx, 4);
bool enable_uppercase = arg_get_lit(ctx, 5);
if (enable_digits)
etd.bruteforce_charset |= CHARSET_DIGITS;
if (enable_uppercase)
etd.bruteforce_charset |= CHARSET_UPPERCASE;
if (etd.bruteforce_charset == 0) {
PrintAndLogEx(FAILED, "Please enable at least one charset when using charset bruteforce mode.");
return PM3_EINVARG;
}
PrintAndLogEx(INFO, "Enabled charsets: %s%s",
enable_digits ? "digits " : "",
enable_uppercase ? "uppercase " : "");
}
CLIParserFree(ctx);
// 27 passwords/second (empirical value)
const int speed = 27;
int no_iter = 0;
if (etd.bruteforce_mode == BRUTEFORCE_MODE_RANGE) {
no_iter = etd.password2 - etd.password1 + 1;
PrintAndLogEx(INFO, "Trying " _YELLOW_("%i") " passwords in range [0x%08x, 0x%08x]"
, no_iter
, etd.password1
, etd.password2
);
} else if (etd.bruteforce_mode == BRUTEFORCE_MODE_CHARSET) {
unsigned int digits = 0;
if (etd.bruteforce_charset & CHARSET_DIGITS)
digits += CHARSET_DIGITS_SIZE;
if (etd.bruteforce_charset & CHARSET_UPPERCASE)
digits += CHARSET_UPPERCASE_SIZE;
no_iter = pow(digits, 4);
}
// print some information
int no_iter = etd.password2 - etd.password1 + 1;
int dur_s = no_iter / speed;
int dur_h = dur_s / 3600;
int dur_m = (dur_s - dur_h * 3600) / 60;
dur_s -= dur_h * 3600 + dur_m * 60;
PrintAndLogEx(INFO, "Trying " _YELLOW_("%i") " passwords in range [0x%08x, 0x%08x]"
, no_iter
, etd.password1
, etd.password2
);
PrintAndLogEx(INFO, "Estimated duration: %ih %im %is", dur_h, dur_m, dur_s);
// start
@ -1190,7 +1251,7 @@ int CmdEM4x50Sim(const char *Cmd) {
static command_t CommandTable[] = {
{"help", CmdHelp, AlwaysAvailable, "This help"},
{"-----------", CmdHelp, AlwaysAvailable, "--------------------- " _CYAN_("operations") " ---------------------"},
{"brute", CmdEM4x50Brute, IfPm3EM4x50, "Simple bruteforce attack to find password"},
{"brute", CmdEM4x50Brute, IfPm3EM4x50, "Bruteforce attack to find password"},
{"chk", CmdEM4x50Chk, IfPm3EM4x50, "Check passwords from dictionary"},
{"dump", CmdEM4x50Dump, IfPm3EM4x50, "Dump EM4x50 tag"},
{"info", CmdEM4x50Info, IfPm3EM4x50, "Tag information"},

129
common/bruteforce.c Normal file
View file

@ -0,0 +1,129 @@
//-----------------------------------------------------------------------------
// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// See LICENSE.txt for the text of the license.
//-----------------------------------------------------------------------------
#include "bruteforce.h"
#include <string.h>
#include <stdio.h>
uint8_t charset_digits[] = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
};
uint8_t charset_uppercase[] = {
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K',
'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'W',
'X', 'Y', 'Z'
};
void bf_generator_init(generator_context_t *ctx, uint8_t mode) {
memset(ctx, 0, sizeof(generator_context_t));
ctx->mode = mode;
}
int bf_generator_set_charset(generator_context_t *ctx, uint8_t charsets) {
if (ctx->mode != BRUTEFORCE_MODE_CHARSET) {
return -1;
}
if (charsets & CHARSET_DIGITS) {
memcpy(ctx->charset, charset_digits, sizeof(charset_digits));
ctx->charset_length += sizeof(charset_digits);
}
if (charsets & CHARSET_UPPERCASE) {
memcpy(ctx->charset + ctx->charset_length, charset_uppercase, sizeof(charset_uppercase));
ctx->charset_length += sizeof(charset_uppercase);
}
return 0;
}
int bf_generate32(generator_context_t *ctx) {
switch (ctx->mode) {
case BRUTEFORCE_MODE_RANGE:
return _bf_generate_mode_range32(ctx);
case BRUTEFORCE_MODE_CHARSET:
return _bf_generate_mode_charset32(ctx);
}
return GENERATOR_ERROR;
}
int _bf_generate_mode_range32(generator_context_t *ctx) {
if (ctx->current_key32 >= ctx->range_high) {
return GENERATOR_END;
}
// we use flag1 as indicator if value of range_low was already emitted
// so the range generated is <range_low, range_high>
if (ctx->current_key32 <= ctx->range_low && ctx->flag1 == false) {
ctx->current_key32 = ctx->range_low;
ctx->pos[0] = true;
return GENERATOR_NEXT;
}
ctx->current_key32++;
return GENERATOR_NEXT;
}
int _bf_generate_mode_charset32(generator_context_t *ctx) {
if (ctx->flag1)
return GENERATOR_END;
ctx->current_key32 = ctx->charset[ctx->pos[0]] << 24 | ctx->charset[ctx->pos[1]] << 16 |
ctx->charset[ctx->pos[2]] << 8 | ctx->charset[ctx->pos[3]];
if (bf_array_increment(ctx->pos, 4, ctx->charset_length) == -1)
// set flag1 to emit value last time and end generation
ctx->flag1 = true;
return GENERATOR_NEXT;
}
// increments values in array with carryover using modulo limit for each byte
// this is used to iterate each byte in key over charset table
// returns -1 if incrementing reaches its end
int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo) {
uint8_t prev_value;
// check if we reached max value already
uint8_t i;
for (i = 0; i < data_len; i++)
if (data[i] < modulo - 1)
break;
if (i == data_len)
return -1;
for (uint8_t pos = data_len - 1;; pos--) {
prev_value = ++data[pos];
data[pos] = data[pos] % modulo;
if (prev_value == data[pos])
return 0;
else if (pos == 0) {
// we cannot carryover to next byte
// with the max value check in place before, we should not reach this place
return -1;
}
}
return 0;
}

79
common/bruteforce.h Normal file
View file

@ -0,0 +1,79 @@
//-----------------------------------------------------------------------------
// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// See LICENSE.txt for the text of the license.
//-----------------------------------------------------------------------------
// functions for bruteforcing card keys - key generators
//-----------------------------------------------------------------------------
#ifndef BRUTEFORCE_H__
#define BRUTEFORCE_H__
#include "common.h"
typedef uint8_t bruteforce_mode_t;
// bruteforcing all keys sequentially between X and Y
#define BRUTEFORCE_MODE_RANGE 1
// try keys based on limited charset/passphrases
// some payment systems use user-provided passphrase as system key
#define BRUTEFORCE_MODE_CHARSET 2
// "smart" mode - try some predictable patterns
#define BRUTEFORCE_MODE_SMART 3
typedef uint8_t bruteforce_charset_t;
// bit flags - can be used together using logical OR
#define CHARSET_DIGITS 1
#define CHARSET_UPPERCASE 2
#define GENERATOR_END 0
#define GENERATOR_NEXT 1
#define GENERATOR_ERROR 2
#define CHARSET_DIGITS_SIZE 10
#define CHARSET_UPPERCASE_SIZE 25
extern uint8_t charset_digits[];
extern uint8_t charset_uppercase[];
// structure to hold key generator temporary data
typedef struct {
// position of each of 4 bytes in 32 bit key in charset mode
// add more bytes to support larger keys
// pos[0] is most significant byte - all maths avoid relying on little/big endian memory layout
uint8_t pos[4];
uint32_t current_key32;
uint8_t mode;
uint8_t charset[
CHARSET_DIGITS_SIZE
+ CHARSET_UPPERCASE_SIZE
];
uint8_t charset_length;
uint32_t range_low;
uint32_t range_high;
// flags to use internally by generators as they wish
bool flag1, flag2, flag3;
} generator_context_t;
void bf_generator_init(generator_context_t *ctx, uint8_t mode);
int bf_generator_set_charset(generator_context_t *ctx, uint8_t charsets);
int bf_generate32(generator_context_t *ctx);
int _bf_generate_mode_range32(generator_context_t *ctx);
int _bf_generate_mode_charset32(generator_context_t *ctx);
int _bf_generate_mode_smart32(generator_context_t *ctx);
int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo);
#endif // BRUTEFORCE_H__

3
include/em4x50.h
View file

@ -20,6 +20,7 @@
#define EM4X50_H__
#include "common.h"
#include "bruteforce.h"
#define EM4X50_NO_WORDS 34
@ -62,6 +63,8 @@ typedef struct {
uint32_t password2;
uint32_t word;
uint32_t addresses;
bruteforce_mode_t bruteforce_mode;
bruteforce_charset_t bruteforce_charset;
} PACKED em4x50_data_t;
typedef struct {