adaptations

This commit is contained in:
iceman1001 2020-10-11 11:09:58 +02:00
parent 43f4bba432
commit 1f03d93600


@ -6,7 +6,7 @@ author = [[
'Author Iceman 'Author Iceman
CoAuthor Doegox CoAuthor Doegox
]] ]]
version = 'v0.9.9' version = 'v1.0.1'
desc = [[ desc = [[
This is scripts loops though a tear attack and reads expected value. This is scripts loops though a tear attack and reads expected value.
]] ]]
@ -28,6 +28,9 @@ arguments = [[
end end
]] ]]
local set_tearoff_delay = 'hw tearoff -s --on --delay %d'
local wr_template = 'lf em 4x05_write %s %s %s'
--- ---
-- This is only meant to be used when errors occur -- This is only meant to be used when errors occur
local function oops(err) local function oops(err)
@ -50,6 +53,20 @@ local function help()
print(example) print(example)
end end
local function exit_msg()
print('')
print('================= '..ansicolors.green..'verify with'..ansicolors.reset..' =================')
print('1. lf em 4x05_write 99 00000000')
print('2. lf em 4x05_dump')
print('===============================================')
return nil
end
local function reset(wr_value, password)
print('[=] '..ansicolors.red..'reseting the active lock block'..ansicolors.reset)
core.console(wr_template:format(99, wr_value, password))
end
local function main(args) local function main(args)
--[[ --[[
@ -66,7 +83,7 @@ local function main(args)
--]] --]]
local n, password, sd, ed local n, password, sd, ed
for o, a in getopt.getopt(args, 'he:s:a:p:n:r:w:') do for o, a in getopt.getopt(args, 'he:s:p:n:') do
if o == 'h' then return help() end if o == 'h' then return help() end
if o == 'n' then n = a end if o == 'n' then n = a end
if o == 'p' then password = a end if o == 'p' then password = a end
@ -97,7 +114,7 @@ local function main(args)
return oops('start delay can\'t be larger than end delay', sd, ed) return oops('start delay can\'t be larger than end delay', sd, ed)
end end
print('==========================================') print('==========================================')
print('Starting EM4x05 tear off :: target PROTECT') print('Starting EM4x05 tear off :: target PROTECT')
if password then if password then
@ -112,27 +129,25 @@ local function main(args)
local res_tear = 0 local res_tear = 0
local res_nowrite = 0 local res_nowrite = 0
local set_tearoff_delay = 'hw tearoff --delay %d'
local enable_tearoff = 'hw tearoff --on'
local wr_template = 'lf em 4x05_write %s %s %s'
-- fix at one specific delay -- fix at one specific delay
if sd == ed then if sd == ed then
n = 0 n = 0
end end
local locked_on = false
local tries = 0 local tries = 0
while sd <= ed do while sd <= ed do
-- increase loop -- increase loop
sd = sd + n sd = sd + n
if (tries == 20) and (n == 0) then if not locked_on then
tries = 0 if (tries == 10) and (n == 0) then
sd = sd + 1 print(ansicolors.cyan..('[!] Tried %d times, increased delay with 1us'):format(tries)..ansicolors.reset)
ed = ed + 1 tries = 0
print(ansicolors.cyan..'[!] Tried 20 times, increased delay with 1us'..ansicolors.reset) sd = sd + 1
ed = ed + 1
end
end end
io.flush() io.flush()
@ -145,7 +160,6 @@ local function main(args)
local c = set_tearoff_delay:format(sd) local c = set_tearoff_delay:format(sd)
core.console(c); core.console(c);
core.console(enable_tearoff)
c = wr_template:format(99, wr_value, password) c = wr_template:format(99, wr_value, password)
core.console(c) core.console(c)
@ -163,27 +177,39 @@ local function main(args)
end end
local wordstr15 = ('%08X'):format(word15) local wordstr15 = ('%08X'):format(word15)
if (not (wordstr14 == '00000000' and wordstr15 == wr_value)) and (not (wordstr14 == wr_value and wordstr15 == '00000000')) then if wordstr14 == rd_value and wordstr15 ~= wr_value then
print((ansicolors.yellow..'[!] TEAR OFF occurred:'..ansicolors.reset..' 14:%08X 15:%08X'):format(word14, word15)) print(('[!] '..ansicolors.cyan..'TEAR OFF'..ansicolors.reset..' occurred: 14: %08X 15: '..ansicolors.cyan..'%08X'..ansicolors.reset):format(word14, word15))
end end
if wordstr14 == rd_value then if wordstr14 == rd_value then
if wordstr15 ~= rd_value and wordstr15 ~= wr_value then if wordstr15 ~= rd_value and wordstr15 ~= wr_value then
print((ansicolors.red..'[!] tear off result: '..ansicolors.reset..' 14:%08X 15:%08X'):format(word14, word15)) print(('[!] '..ansicolors.red..'TEAR OFF bitflip: '..ansicolors.reset..' 14: %08X 15: %08X'):format(word14, word15))
return oops('Success?')
local bit15 = bit.band(0x00008000, word15)
if bit15 == 0x00008000 then
return exit_msg()
else
reset(wr_value, password)
print('[+] locked on to this delay')
locked_on = true
end
end end
if wordstr15 == rd_value then if wordstr15 == rd_value then
print(ansicolors.red..'[!] need to reset'..ansicolors.reset) reset(wr_value, password)
c = wr_template:format(99, wr_value, password) if not locked_on then
core.console(c) tries = 0
tries = 0 end
end end
else else
print('...') print('...write ok, erase not done', wordstr14, rd_value)
end
if not locked_on then
tries = tries + 1
end end
tries = tries + 1
end end
end end
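Review bot: The new `locked_on` flag does not actually freeze the delay: `sd = sd + n` at the top of the while loop runs before the `if not locked_on then` guard, so only the tries-driven `+1` is suppressed and in a range scan (sd < ed, so n is the user step) the script keeps sweeping delays after printing `locked on to this delay`; the lock only holds when sd == ed forced n to 0. Move the step under the guard, i.e. `if not locked_on then sd = sd + n` followed by the existing tries block, so a locked-on run really re-issues the same delay. With n == 0 a locked-on run then loops without bound until bit 15 of word 15 reads set (the `exit_msg()` branch); if that is not the intended way to stop, a cap on post-lock iterations with a short message would make the failure mode explicit. The `reset()` helper also passes `password` straight into `%s`, so with no `-p` the write command is built with a literal "nil" unless an earlier, out-of-view part of main defaults it — worth confirming. main continues outside the hunk.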