ADD: added the possibility to load a default pwd file to be used with the "lf t55xx bruteforce" command.

new option: lf t55xx brutefore i default_pwd.dic - will load default pwds from file and test against tag.
2025-01-07 00:28:07 +08:00 · 2015-12-01 13:07:01 +01:00 · 2015-12-01 13:07:01 +01:00 · 21865cda09
commit 21865cda09
parent 1063a0a872
3 changed files with 159 additions and 5 deletions
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -792,7 +792,6 @@ int CmdHF14AMfNested(const char *Cmd)
 	return 0;
 }

-
 int CmdHF14AMfNestedHard(const char *Cmd)
 {
 	uint8_t blockNo = 0;
@ -889,7 +888,6 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 	return 0;
 }

-
 int CmdHF14AMfChk(const char *Cmd)
 {
 	if (strlen(Cmd)<3) {
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -150,10 +150,15 @@ int usage_t55xx_wakup(){
 	return 0;
 }
 int usage_t55xx_bruteforce(){
-    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password>");
+    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
    PrintAndLog("       password must be 4 bytes (8 hex symbols)");
+	PrintAndLog("Options:");
+	PrintAndLog("     h			- this help");
+    PrintAndLog("     i <*.dic>	- loads a default keys dictionary file <*.dic>");
+    PrintAndLog("");
    PrintAndLog("Examples:");
    PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");
+	PrintAndLog("       lf t55xx bruteforce i mykeys.dic");
    PrintAndLog("");
    return 0;
 }
@ -1316,13 +1321,91 @@ int CmdT55xxWipe(const char *Cmd) {
 }

 int CmdT55xxBruteForce(const char *Cmd) {
+	
+	// load a default pwd file.
+	char buf[9];
+	char filename[FILE_PATH_SIZE]={0};
+	int	keycnt = 0;
+	uint8_t stKeyBlock = 20;
+	uint8_t *keyBlock = NULL, *p;
+	keyBlock = calloc(stKeyBlock, 6);
+	if (keyBlock == NULL) return 1;
+	
    uint32_t start_password = 0x00000000; //start password
    uint32_t end_password   = 0xFFFFFFFF; //end   password
-
    bool found = false;
+
    char cmdp = param_getchar(Cmd, 0);
    if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();

+	if (cmdp == 'i' || cmdp == 'I') {
+	
+		int len = strlen(Cmd+2);
+		if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+		memcpy(filename, Cmd+2, len);
+	
+		FILE * f = fopen( filename , "r");
+		
+		if ( !f ) {
+			PrintAndLog("File: %s: not found or locked.", filename);
+			free(keyBlock);
+			return 1;
+		}			
+			
+		while( fgets(buf, sizeof(buf), f) ){
+			if (strlen(buf) < 8 || buf[7] == '\n') continue;
+		
+			while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line
+			
+			//The line start with # is comment, skip
+			if( buf[0]=='#' ) continue;
+
+			if (!isxdigit(buf[0])){
+				PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);
+				continue;
+			}
+			
+			buf[8] = 0;
+
+			if ( stKeyBlock - keycnt < 2) {
+				p = realloc(keyBlock, 6*(stKeyBlock+=10));
+				if (!p) {
+					PrintAndLog("Cannot allocate memory for defaultKeys");
+					free(keyBlock);
+					return 2;
+				}
+				keyBlock = p;
+			}
+			memset(keyBlock + 4 * keycnt, 0, 4);
+			num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);
+			PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));
+			keycnt++;
+			memset(buf, 0, sizeof(buf));
+		}		
+		fclose(f);
+		
+		if (keycnt == 0) {
+			PrintAndLog("No keys found in file");
+			return 1;
+		}
+		
+		// loop
+		uint32_t testpwd = 0x00;
+		for (uint16_t c = 0; c < keycnt; ++c ) {
+	
+			testpwd = bytes_to_num(keyBlock + 4*keycnt, 4);
+			
+			AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd);
+			found = tryDetectModulation();
+		
+			if ( found ) {
+				PrintAndLog("Found valid password:[%08X]", testpwd);
+				return 0;
+			} 
+		}
+	}
+	
+	
    start_password = param_get32ex(Cmd, 0, 0, 16);
 	end_password = param_get32ex(Cmd, 1, 0, 16);
 	
@ -1348,7 +1431,7 @@ int CmdT55xxBruteForce(const char *Cmd) {
    PrintAndLog("");
 	
    if (found)
-		PrintAndLog("Password found [%08x]", i);
+		PrintAndLog("Found valid password: [%08x]", i);
    else
 		PrintAndLog("Password NOT found. Last tried: [%08x]", i);
    return 0;
--- a/client/default_pwd.dic
+++ b/client/default_pwd.dic
@ -0,0 +1,73 @@
+# known cloners
+# ref. http://www.proxmark.org/forum/viewtopic.php?id=2022
+51243648,
+000D8787,
+# Default pwd, simple:
+00000000,
+11111111,
+22222222,
+33333333,
+44444444,
+55555555,
+66666666,
+77777777,
+88888888,
+99999999,
+AAAAAAAA,
+BBBBBBBB,
+CCCCCCCC,
+DDDDDDDD,
+EEEEEEEE,
+FFFFFFFF,
+a0a1a2a3,
+b0b1b2b3,
+aabbccdd,
+bbccddee,
+ccddeeff,
+00000001,
+00000002,
+0000000a,
+0000000b,
+01020304,
+02030405,
+03040506,
+04050607,
+05060708,
+06070809,
+0708090A,
+08090A0B,
+090A0B0C,
+0A0B0C0D,
+0B0C0D0E,
+0C0D0E0F,
+01234567,
+12345678,
+10000000,
+20000000,
+30000000,
+40000000,
+50000000,
+60000000,
+70000000,
+80000000,
+90000000,
+A0000000,
+B0000000,
+C0000000,
+D0000000,
+E0000000,
+F0000000,
+10101010,
+01010101,
+11223344,
+22334455,
+33445566,
+44556677,
+55667788,
+66778899,
+778899AA,
+8899AABB,
+99AABBCC,
+AABBCCDD,
+BBCCDDEE,
+CCDDEEFF,