From 54e8eafa492b3c3a8ba288599f7ce92c8f13d820 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 26 Mar 2019 20:21:10 +0100
Subject: [PATCH] fix: 'lf t55xx chk' fix: 'lf t55xx brute' fix: 'lf t55xx recoverpwd' - now works like they should again.
---
 client/cmdlft55xx.c | 119 +++++++++++++++++++++-----------------------
 client/cmdlft55xx.h | 2 +-
 2 files changed, 59 insertions(+), 62 deletions(-)
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index 96136eac0..4f187367a 100644
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -143,7 +143,9 @@ int usage_t55xx_wakup() {
 }
 int usage_t55xx_chk() {
 PrintAndLogEx(NORMAL, "This command uses a dictionary attack");
- PrintAndLogEx(NORMAL, "press 'enter' to cancel the command");
+ PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
+ PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!");
+ PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
 PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [i <*.dic>]");
 PrintAndLogEx(NORMAL, "Options:");
 PrintAndLogEx(NORMAL, " h - this help");
@@ -158,7 +160,9 @@ int usage_t55xx_chk() {
 }
 int usage_t55xx_bruteforce() {
 PrintAndLogEx(NORMAL, "This command uses bruteforce to scan a number range");
- PrintAndLogEx(NORMAL, "press 'enter' to cancel the command");
+ PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
+ PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!");
+ PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
 PrintAndLogEx(NORMAL, "Usage: lf t55xx bruteforce [h] ");
 PrintAndLogEx(NORMAL, " password must be 4 bytes (8 hex symbols)");
 PrintAndLogEx(NORMAL, "Options:");
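Review bot: The new help line `"Try to reading block 7 before\n"` in usage_t55xx_chk is ungrammatical, and if PrintAndLogEx terminates its own lines the embedded `\n` leaves a stray blank line in the help output; suggest `PrintAndLogEx(NORMAL, "Try reading block 7 first");`. The identical line is added in the usage_t55xx_bruteforce hunk just below and again in the usage_t55xx_recoverpw hunk at the start of the next line, so all three should change together. The warning line added above it is a good addition; moving it before the 'press enter' line would put the risk statement first, where a user skimming the help is most likely to see it.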
@@ -167,14 +171,15 @@ int usage_t55xx_bruteforce() { PrintAndLogEx(NORMAL, " - 4 byte hex value to end pwd search at"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " lf t55xx bruteforce aaaaaaaa bbbbbbbb"); + PrintAndLogEx(NORMAL, " lf t55xx bruteforce aaaaaa77 aaaaaa99"); PrintAndLogEx(NORMAL, ""); return 0; } int usage_t55xx_recoverpw() { PrintAndLogEx(NORMAL, "This command uses a few tricks to try to recover mangled password"); - PrintAndLogEx(NORMAL, "press 'enter' to cancel the command"); + PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command"); PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!"); + PrintAndLogEx(NORMAL, "Try to reading block 7 before\n"); PrintAndLogEx(NORMAL, "Usage: lf t55xx recoverpw [password]"); PrintAndLogEx(NORMAL, " password must be 4 bytes (8 hex symbols)"); PrintAndLogEx(NORMAL, " default password is 51243648, used by many cloners"); @@ -1629,16 +1634,16 @@ bool IsCancelled(void) { int CmdT55xxChkPwds(const char *Cmd) { char filename[FILE_PATH_SIZE] = {0}; - bool found = false; uint8_t timeout = 0; uint8_t *keyBlock = NULL; - + char cmdp = tolower(param_getchar(Cmd, 0)); if (strlen(Cmd) == 0 || cmdp == 'h') return usage_t55xx_chk(); /* - if ( T55xxReadBlock(7, 0, 0, 0, 0) ) { + // block 7, page1 = false, usepwd = false, override = false, pwd = 00000000 + if ( T55xxReadBlock(7, false, false, false, 0x00000000) ) { // now try to validate it.. PrintAndLogEx(WARNING, "\n Block 7 was readable"); 
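Review bot: `bool found = false;` is deleted from the top of CmdT55xxChkPwds, yet the new side of the later hunk in this function still executes `found = tryDetectModulation(); if (found) break;` and `if (found)`; unless the variable is re-declared somewhere in the lines between this hunk and the next, the function no longer compiles, so the declaration should stay as `bool found = false;`. Note also that the reworked `T55xxReadBlock(7, false, false, false, 0x00000000)` call and its new explanatory comment sit inside the `/*` opened two lines above, so the automatic block-7 pre-check remains dead code and the protection against bricking an unprotected tag rests entirely on the user following the new help text. The remainder of CmdT55xxChkPwds is outside this hunk.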
@@ -1665,21 +1670,18 @@ int CmdT55xxChkPwds(const char *Cmd) { } if (resp.arg[0]) { - PrintAndLogEx(SUCCESS, "\nFound a candidate [ %08X ]. Trying to validate", resp.arg[1]); + PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08X") " ]. Trying to validate", resp.arg[1]); - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.arg[1])) { - PrintAndLogEx(INFO, "Aquireing data from device failed. Quitting"); - return 2; - } + AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.arg[1]); found = tryDetectModulation(); if (found) { - PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", resp.arg[1]); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08") " ]", resp.arg[1]); } else { - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Check pwd failed"); } } else { - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Check pwd failed"); } goto out; @@ -1709,7 +1711,7 @@ int CmdT55xxChkPwds(const char *Cmd) { } // loop - uint64_t testpwd = 0x00; + uint64_t curr_password = 0x00; for (uint16_t c = 0; c < keycount; ++c) { if (IsOffline()) { 
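Review bot: `_GREEN_("%08")` in the 'Found valid password' line drops the conversion character, so whatever _GREEN_ appends after `%08` is consumed as the conversion and the format is invalid; it should read `PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", resp.arg[1]);`. This branch appears to still be inside the `/* … */` block opened in the previous hunk, so it is latent today but will surface as soon as that block is re-enabled. The hunk also drops the return-value check on `AquireData(...)` here while the live dictionary loop in the next hunk keeps one (`if (!AquireData(...)) continue;`); keeping both paths consistent avoids running tryDetectModulation() on the buffer left by a failed capture. The enclosing if/else begins before this hunk.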
@@ -1723,38 +1725,33 @@ int CmdT55xxChkPwds(const char *Cmd) { return 0; } - testpwd = bytes_to_num(keyBlock + 4 * c, 4); + curr_password = bytes_to_num(keyBlock + 4 * c, 4); - PrintAndLogEx(INFO, "Testing %08X", testpwd); - - AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd); + PrintAndLogEx(INFO, "Testing %08X", curr_password); - /* - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd)) { - PrintAndLogEx(INFO, "Aquireing data from device failed. Quitting"); - free(keyBlock); - return 0; + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr_password)) { + continue; } -*/ + found = tryDetectModulation(); if (found) break; - } if (found) - PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", testpwd); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password); else - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Check pwd failed"); } free(keyBlock); out: t1 = msclock() - t1; - PrintAndLogEx(SUCCESS, "\nTime in bruteforce: %.0f seconds\n", (float)t1 / 1000.0); + PrintAndLogEx(SUCCESS, "\nTime in check pwd: %.0f seconds\n", (float)t1 / 1000.0); return 0; } +// Bruteforce - incremental password range search int CmdT55xxBruteForce(const char *Cmd) { uint32_t start_password = 0x00000000; //start password @@ -1762,15 +1759,11 @@ int CmdT55xxBruteForce(const char *Cmd) { uint32_t curr = 0; bool found = false; - char cmdp = tolower(param_getchar(Cmd, 0)); if (cmdp == 'h') return usage_t55xx_bruteforce(); uint64_t t1 = msclock(); - // Try to read Block 7, first :) - - // incremental pwd range search start_password = param_get32ex(Cmd, 0, 0, 16); end_password = param_get32ex(Cmd, 1, 0, 16); @@ -1783,7 +1776,7 @@ int CmdT55xxBruteForce(const char *Cmd) { PrintAndLogEx(INFO, "Search password range [%08X -> %08X]", start_password, end_password); while (!found) { - + printf("."); fflush(stdout); 
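Review bot: `curr_password` is declared `uint64_t` in the preceding hunk but is passed to `%08X` twice here (the "Testing" line and the 'Found valid password' line); `%X` expects an unsigned int, and a mismatched variadic argument type is undefined behavior that -Wformat will flag. Since `bytes_to_num(keyBlock + 4 * c, 4)` yields at most 32 bits and AquireData takes a uint32_t, the simplest fix is `uint32_t curr_password = 0x00;` at the declaration; otherwise print it with `"%08" PRIX64` from <inttypes.h>. The new `if (!AquireData(...)) { continue; }` silently skips a dictionary entry on a failed capture, so a `PrintAndLogEx(WARNING, "Capture failed, skipping %08X", curr_password);` inside that branch would tell the user which keys were never actually tested. The for loop begins in the previous hunk.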
@@ -1791,28 +1784,20 @@ int CmdT55xxBruteForce(const char *Cmd) { return 0; } - AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr); - - /* - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr)) { - PrintAndLogEx(WARNING, "Aquiring data from device failed. Quitting"); - return 0; - } - */ - - found = tryDetectModulation(); + found = tryOnePassword(curr); if (curr == end_password) break; + curr++; } PrintAndLogEx(NORMAL, ""); if (found) - PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", curr); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr); else - PrintAndLogEx(WARNING, "Password NOT found. Last tried: [ %08X ]", --curr); + PrintAndLogEx(WARNING, "Bruteforce failed, last tried: [ " _YELLOW_("%08X") " ]", --curr); t1 = msclock() - t1; PrintAndLogEx(SUCCESS, "\nTime in bruteforce: %.0f seconds\n", (float)t1 / 1000.0); @@ -1820,12 +1805,13 @@ int CmdT55xxBruteForce(const char *Cmd) { } int tryOnePassword(uint32_t password) { - PrintAndLogEx(INFO, "Trying password %08x", password); - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password)) { - PrintAndLogEx(NORMAL, "Acquire data from device failed. Quitting"); - return -1; - } + PrintAndLogEx(INFO, "Trying password %08X", password); + + AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password); + if (getSignalProperties()->isnoise == false) + return 0; + if (tryDetectModulation()) return 1; else @@ -1848,10 +1834,13 @@ int CmdT55xxRecoverPW(const char *Cmd) { while (bit < 32) { curr_password = orig_password ^ (1u << bit); found = tryOnePassword(curr_password); - if (found == -1) return 0; + if ( found == 1) + goto out; + bit++; - if (IsCancelled()) return 0; + if (IsCancelled()) + return 0; } // now try to use partial original password, since block 7 should have been completely 
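Review bot: The increment placement makes both result messages report the wrong password: on success with `curr != end_password`, `found = tryOnePassword(curr)` is followed by `curr++` before the `while (!found)` test exits, so the SUCCESS line prints one above the password that worked; on failure the loop leaves via `break` with `curr == end_password`, the last value actually tried, and `--curr` then prints one below it (for start == end it names a value never tested). Change the exit test to `if (found || curr == end_password) break;` before the `curr++`, and print `curr` rather than `--curr` in the failure message. The while loop begins before this hunk.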
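Review bot: `if (getSignalProperties()->isnoise == false) return 0;` in tryOnePassword bails out when the capture is not noise and only reaches tryDetectModulation() when it is, which reads as inverted if `isnoise` is true for a capture classified as noise — please confirm the field's polarity; the expected form would be `if (getSignalProperties()->isnoise) return 0;`. The return value of `AquireData(...)` is now ignored, so a failed acquisition falls through to a signal-property check on whatever the previous capture left behind; `if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password)) return 0;` keeps the new 0/1 contract while still rejecting a failed read. A header comment stating that contract, e.g. `// returns 1 when a modulation is detected using this password, 0 otherwise (including a failed capture)`, would help the callers in CmdT55xxBruteForce and CmdT55xxRecoverPW, which no longer see the old -1. The function's tail is outside the hunk.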
@@ -1868,12 +1857,16 @@ int CmdT55xxRecoverPW(const char *Cmd) { bit++; continue; } + found = tryOnePassword(curr_password); - if (found == -1) return 0; + if ( found == 1 ) + goto out; + bit++; prev_password = curr_password; - if (IsCancelled()) return 0; + if (IsCancelled()) + return 0; } // from high bit to low @@ -1888,20 +1881,24 @@ int CmdT55xxRecoverPW(const char *Cmd) { continue; } found = tryOnePassword(curr_password); - if (found == -1) - return 0; + if ( found == 1 ) + goto out; + bit++; prev_password = curr_password; - if (IsCancelled()) return 0; + if (IsCancelled()) + return 0; } +out: + PrintAndLogEx(NORMAL, ""); if (found == 1) - PrintAndLogEx(SUCCESS, "Found valid password: [%08x]", curr_password); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password); else - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Recover pwd failed"); return 0; } diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index d9539855a..1c1d77490 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h @@ -165,7 +165,7 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5) int special(const char *Cmd); bool AquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password); -bool detectPassword(int password); +int tryOnePassword(uint32_t password); void printT55x7Trace(t55x7_tracedata_t data, uint8_t repeat); void printT5555Trace(t5555_tracedata_t data, uint8_t repeat);
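Review bot: The new `if ( found == 1 )` tests here, in the first recoverpw hunk on the previous line and in the hunk above use a padded-parenthesis style that the same hunk's `if (found == 1)` after `out:` and every other condition in this diff do not; write them as `if (found == 1)`. Since tryOnePassword now only returns 0 or 1, `if (found)` would be equally clear and matches the form used in CmdT55xxChkPwds. The enclosing while loops begin outside these hunks.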