diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index ae380b3c3..5b5be6f20 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -792,7 +792,6 @@ int CmdHF14AMfNested(const char *Cmd)
 return 0;
 }

-
 int CmdHF14AMfNestedHard(const char *Cmd)
 {
 uint8_t blockNo = 0;
@@ -889,7 +888,6 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 return 0;
 }

-
 int CmdHF14AMfChk(const char *Cmd)
 {
 if (strlen(Cmd)<3) {
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index 43a760958..ba82087af 100644
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -150,10 +150,15 @@ int usage_t55xx_wakup(){
 return 0;
 }
 int usage_t55xx_bruteforce(){
- PrintAndLog("Usage: lf t55xx bruteforce ");
+ PrintAndLog("Usage: lf t55xx bruteforce [i <*.dic>]");
 PrintAndLog(" password must be 4 bytes (8 hex symbols)");
+ PrintAndLog("Options:");
+ PrintAndLog(" h - this help");
+ PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");
+ PrintAndLog("");
 PrintAndLog("Examples:");
 PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb");
+ PrintAndLog(" lf t55xx bruteforce i mykeys.dic");
 PrintAndLog("");
 return 0;
 }
@@ -1316,13 +1321,91 @@ int CmdT55xxWipe(const char *Cmd) { } int CmdT55xxBruteForce(const char *Cmd) { + + // load a default pwd file. + char buf[9]; + char filename[FILE_PATH_SIZE]={0}; + int keycnt = 0; + uint8_t stKeyBlock = 20; + uint8_t *keyBlock = NULL, *p; + keyBlock = calloc(stKeyBlock, 6); + if (keyBlock == NULL) return 1; + uint32_t start_password = 0x00000000; //start password uint32_t end_password = 0xFFFFFFFF; //end password - bool found = false; + char cmdp = param_getchar(Cmd, 0); if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce(); + if (cmdp == 'i' || cmdp == 'I') { + + int len = strlen(Cmd+2); + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + memcpy(filename, Cmd+2, len); + + FILE * f = fopen( filename , "r"); + + if ( !f ) { + PrintAndLog("File: %s: not found or locked.", filename); + free(keyBlock); + return 1; + } + + while( fgets(buf, sizeof(buf), f) ){ + if (strlen(buf) < 8 || buf[7] == '\n') continue; + + while (fgetc(f) != '\n' && !feof(f)) ; //goto next line + + //The line start with # is comment, skip + if( buf[0]=='#' ) continue; + + if (!isxdigit(buf[0])){ + PrintAndLog("File content error. 
'%s' must include 8 HEX symbols", buf); + continue; + } + + buf[8] = 0; + + if ( stKeyBlock - keycnt < 2) { + p = realloc(keyBlock, 6*(stKeyBlock+=10)); + if (!p) { + PrintAndLog("Cannot allocate memory for defaultKeys"); + free(keyBlock); + return 2; + } + keyBlock = p; + } + memset(keyBlock + 4 * keycnt, 0, 4); + num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt); + PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4)); + keycnt++; + memset(buf, 0, sizeof(buf)); + } + fclose(f); + + if (keycnt == 0) { + PrintAndLog("No keys found in file"); + return 1; + } + + // loop + uint32_t testpwd = 0x00; + for (uint16_t c = 0; c < keycnt; ++c ) { + + testpwd = bytes_to_num(keyBlock + 4*keycnt, 4); + + AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd); + found = tryDetectModulation(); + + if ( found ) { + PrintAndLog("Found valid password:[%08X]", testpwd); + return 0; + } + } + } + + start_password = param_get32ex(Cmd, 0, 0, 16); end_password = param_get32ex(Cmd, 1, 0, 16); @@ -1348,7 +1431,7 @@ int CmdT55xxBruteForce(const char *Cmd) { PrintAndLog(""); if (found) - PrintAndLog("Password found [%08x]", i); + PrintAndLog("Found valid password: [%08x]", i); else PrintAndLog("Password NOT found. Last tried: [%08x]", i); return 0; diff --git a/client/default_pwd.dic b/client/default_pwd.dic new file mode 100644 index 000000000..1ec49d4ce --- /dev/null +++ b/client/default_pwd.dic 
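Review bot: The dictionary branch of CmdT55xxBruteForce is not memory-safe on user-supplied input: `memcpy(filename, Cmd+2, len)` clamps `len` to `FILE_PATH_SIZE`, so a long path leaves `filename` without a terminating NUL before `fopen`, and `stKeyBlock` is a `uint8_t`, so `stKeyBlock+=10` wraps past 255 and `realloc` then shrinks the block while writes continue at `keyBlock + 4*keycnt`. The test loop reads `keyBlock + 4*keycnt` rather than `4*c`, so each pass tries the slot after the last loaded key and no dictionary entry is ever sent. `keyBlock` is allocated before the `h` check and is never freed on the help, `keycnt == 0`, found or fall-through paths (including the `return 0` in the following `@@ -1348` hunk), and `f` stays open on `return 2`. The fence holds the rewritten lines; the function continues past this hunk, and it looks as if the branch should return after the loop rather than fall into the `param_get32ex` range parse, which needs checking against the rest of the body.

```c
int CmdT55xxBruteForce(const char *Cmd) {
	// … unchanged: buf, filename, keycnt …
	int stKeyBlock = 20;                 // was uint8_t, which wraps after 255
	// … unchanged: keyBlock allocation, start/end password, help check …
	if (cmdp == 'i' || cmdp == 'I') {
		size_t cmdlen = strlen(Cmd);
		size_t len = (cmdlen > 2) ? cmdlen - 2 : 0;          // "i" alone carries no path
		if (len >= FILE_PATH_SIZE) len = FILE_PATH_SIZE - 1; // keep the terminating NUL
		memcpy(filename, Cmd+2, len);
		// … unchanged: fopen, line parsing, realloc call …
				if (!p) {
					PrintAndLog("Cannot allocate memory for defaultKeys");
					free(keyBlock);
					fclose(f);
					return 2;
				}
		// … unchanged: key conversion, fclose …
		if (keycnt == 0) {
			PrintAndLog("No keys found in file");
			free(keyBlock);
			return 1;
		}
		// … unchanged: testpwd declaration …
		for (uint16_t c = 0; c < keycnt; ++c ) {
			testpwd = bytes_to_num(keyBlock + 4*c, 4);
			// … unchanged: AquireData, tryDetectModulation …
			if ( found ) {
				PrintAndLog("Found valid password:[%08X]", testpwd);
				free(keyBlock);
				return 0;
			}
		}
	}
```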
@@ -0,0 +1,73 @@
+# known cloners
+# ref. http://www.proxmark.org/forum/viewtopic.php?id=2022
+51243648,
+000D8787,
+# Default pwd, simple:
+00000000,
+11111111,
+22222222,
+33333333,
+44444444,
+55555555,
+66666666,
+77777777,
+88888888,
+99999999,
+AAAAAAAA,
+BBBBBBBB,
+CCCCCCCC,
+DDDDDDDD,
+EEEEEEEE,
+FFFFFFFF,
+a0a1a2a3,
+b0b1b2b3,
+aabbccdd,
+bbccddee,
+ccddeeff,
+00000001,
+00000002,
+0000000a,
+0000000b,
+01020304,
+02030405,
+03040506,
+04050607,
+05060708,
+06070809,
+0708090A,
+08090A0B,
+090A0B0C,
+0A0B0C0D,
+0B0C0D0E,
+0C0D0E0F,
+01234567,
+12345678,
+10000000,
+20000000,
+30000000,
+40000000,
+50000000,
+60000000,
+70000000,
+80000000,
+90000000,
+A0000000,
+B0000000,
+C0000000,
+D0000000,
+E0000000,
+F0000000,
+10101010,
+01010101,
+11223344,
+22334455,
+33445566,
+44556677,
+55667788,
+66778899,
+778899AA,
+8899AABB,
+99AABBCC,
+AABBCCDD,
+BBCCDDEE,
+CCDDEEFF,
\ No newline at end of file
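Review bot: The file does not state the format the loader expects, and every entry ends in a comma that is harmless only because the reader in CmdT55xxBruteForce keeps the first 8 characters of a line and skips the rest. A header comment such as `# one password per line, 8 hex digits; anything after the 8th character is ignored; lines starting with # are comments` would make that explicit for anyone adding entries.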