From d6d96eb7fecf1378cdfe2c2f8bd875eded7ac466 Mon Sep 17 00:00:00 2001 From: bogiton <34060135+bogiton@users.noreply.github.com> Date: Tue, 6 Nov 2018 13:36:00 +0000 Subject: [PATCH 1/2] Fixed offset bug (thanks iceman) --- armsrc/Standalone/hf_bog.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c index 761e67b1a..01232a6a0 100644 --- a/armsrc/Standalone/hf_bog.c +++ b/armsrc/Standalone/hf_bog.c @@ -15,7 +15,8 @@ The retrieved sniffing session can be acquired by connecting the device to a client that supports the reconnect capability and issue 'hf 14a list'. In order to view the grabbed authentication attempts in the flash mem, -you can simply 'mem read l 256' from the client to view the stored quadlets. +you can simply run 'script run read_pwd_mem' or just 'mem read l 256' +from the client to view the stored quadlets. */ #include "hf_bog.h" @@ -31,7 +32,7 @@ uint8_t FindOffsetInFlash() { uint8_t eom[4] = { 0xFF, 0xFF, 0xFF, 0xFF }; uint8_t memcnt = 0; - while (memcnt < 4096) + while (memcnt < 0xFF) { Flash_ReadData(memcnt, mem, 4); if (memcmp(mem, eom, 4) == 0) { 
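Review bot: The new loop bound `0xFF` in FindOffsetInFlash is a bare magic number that the second hunk of this file repeats in SniffAndStore's overflow check, and nothing in the hunk states what the function returns when no 0xFFFFFFFF quadlet is found before that limit; a shared constant with a comment, e.g. `#define BOG_FLASH_LIMIT 0xFF // only the first 256 bytes of flash hold sniffed quadlets`, used in both places would make the contract explicit and keep the two from drifting. Because memcnt is a uint8_t, the old `< 4096` test could never be false, so the loop previously relied solely on the memcmp break; the increment and the return are outside the hunk, so whether a full scan now yields a usable offset cannot be confirmed here. Note also that the terminator is a data value: a stored quadlet that happens to equal 0xFFFFFFFF is indistinguishable from the end marker and would cut the scan short.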
@@ -240,10 +241,20 @@ void RAMFUNC SniffAndStore(uint8_t param) { uint8_t memoffset = FindOffsetInFlash(); if (MF_DBGLEVEL > 1) Dbprintf("[!] Memory offset = %u", memoffset); + if ((memoffset + 4 * auth_attempts) > 0xFF) + { + // We opt to keep the new data only + memoffset = 0; + if (MF_DBGLEVEL > 1) Dbprintf("[!] Size of total data > 256 bytes. Discarding the old data."); + } + // Get previous data from flash mem uint8_t *previousdata = BigBuf_malloc(memoffset); - uint16_t readlen = Flash_ReadData(0, previousdata, memoffset); - if (MF_DBGLEVEL > 1) Dbprintf("[!] Read %u bytes from flash mem", readlen); + if (memoffset > 0) + { + uint16_t readlen = Flash_ReadData(0, previousdata, memoffset); + if (MF_DBGLEVEL > 1) Dbprintf("[!] Read %u bytes from flash mem", readlen); + } // create new bigbuf to hold all data size_t total_size = memoffset + 4 * auth_attempts; @@ -276,7 +287,7 @@ void RunMod() { Dbprintf("Sniffing started"); - SpinDelay(200); + SpinDelay(200); // param: // bit 0 - trigger from first card answer From db374585451b2098925abc2c294e269c1dd58d22 Mon Sep 17 00:00:00 2001 From: bogiton <34060135+bogiton@users.noreply.github.com> Date: Tue, 6 Nov 2018 13:37:34 +0000 Subject: [PATCH 2/2] Added lua script to read stored pwds in flashmem --- client/scripts/read_pwd_mem.lua | 86 +++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 client/scripts/read_pwd_mem.lua diff --git a/client/scripts/read_pwd_mem.lua b/client/scripts/read_pwd_mem.lua new file mode 100644 index 000000000..fbe4d0459 --- /dev/null +++ b/client/scripts/read_pwd_mem.lua 
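Review bot: The short-read case is still unhandled in SniffAndStore: `readlen` from `Flash_ReadData(0, previousdata, memoffset)` is only printed, so if fewer than memoffset bytes come back, the unread tail of the BigBuf_malloc'd buffer is carried forward as "previous data". Inside the new `if (memoffset > 0)` block, treat a mismatch like the overflow case above it: `if (readlen != memoffset) { if (MF_DBGLEVEL > 1) Dbprintf("[!] Short flash read, discarding old data"); memoffset = 0; }` before total_size is computed. The discard path also calls `BigBuf_malloc(0)` when memoffset is 0; whether that is harmless depends on BigBuf_malloc, which is not visible here. SniffAndStore continues past the hunk, so whether total_size is re-checked before the flash write cannot be confirmed from this excerpt.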
@@ -0,0 +1,86 @@ +local getopt = require('getopt') +local bin = require('bin') + +author = "Bogito" +version = 'v1.0.0' +desc =[[ +This script will read the flash memory of RDV4 and print the stored passwords. +It was meant to be used as a help tool after using the BogRun standalone mode. +]] +usage = [[ +Usage: + script run read_pwd_mem -h -o -l + +Arguments: + -h : this help + -o : Memory offset. Default is 0. + -l : Length in bytes. Default is 256. +]] +example =[[ +Examples: + -- This will scan the first 256 bytes of flash memory for stored passwords + script run read_pwd_mem + + -- This will scan 256 bytes of flash memory at offset 64 for stored passwords + script run read_pwd_mem -o 64 + + -- This will scan 32 bytes of flash memory at offset 64 for stored passwords + script run read_pwd_mem -o 64 -l 32 +]] + +-- Usage help +local function help() + print(desc) + print(usage) + print(example) +end + +local function main(args) + + local data, err, quadlet, pwdcnt + local offset = 0 + local length = 256 + + -- Read the parameters + for o, a in getopt.getopt(args, 'ho:l:') do + if o == "h" then return help() end + if o == "o" then offset = tonumber(a) end + if o == "l" then length = tonumber(a) end + end + + if length < 0 or length > 256 then + return print('Error: Length is not valid. Must be less than 256') + end + + if ((offset < 0) or (offset % 4 ~= 0)) then + return print('Error: Offset is not valid. Mod-4 values are only allowed.') + end + + print('Offset: ' .. offset) + print('Length: ' .. length) + print() + + data, err = core.GetFromFlashMem(offset, length) + + if err then + print(err) + return + end + + local count, s = bin.unpack('H'..length, data) + + pwdcnt = 0 + for i = 1,(length/4),1 + do + quadlet = string.sub(s, (i-1)*8+1, i*8) + if quadlet == "FFFFFFFF" then break end + print(string.format("[%02d]",i) .. ' ' .. quadlet) + pwdcnt = pwdcnt + 1 + + end + print() + print('Found passwords: ' .. pwdcnt) + +end + +main(args)
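Review bot: `tonumber(a)` returns nil for a non-numeric `-o` or `-l` value, and the comparisons `length < 0` and `offset < 0` in main then raise a Lua runtime error instead of the intended usage message; add `if offset == nil or length == nil then return print('Error: -o and -l require numeric values') end` before the range checks. The length check also disagrees with its message: `length > 256` accepts 256 while the text says 'Must be less than 256', and a length that is not a multiple of 4 silently drops the trailing partial quadlet in the `length/4` loop, so a `length % 4 ~= 0` test mirroring the offset check would be consistent. Nothing bounds `offset + length` to the 256-byte region the firmware patch in this series limits itself to, so the second usage example (`-o 64` with the default length) reads past anything the standalone mode can have written; documenting or clamping that is worth a line. Finally, the scan stops at the first `FFFFFFFF` quadlet, so a sniffed password equal to 0xFFFFFFFF would be reported as end of data rather than as a password.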