fix: 'lf t55xx chk'

fix: 'lf t55xx brute'
fix: 'lf t55xx recoverpwd'
 - now work as they should again.
iceman1001 2019-03-26 20:21:10 +01:00
parent 834832be31
commit 54e8eafa49
2 changed files with 59 additions and 62 deletions


@ -143,7 +143,9 @@ int usage_t55xx_wakup() {
}
int usage_t55xx_chk() {
PrintAndLogEx(NORMAL, "This command uses a dictionary attack");
PrintAndLogEx(NORMAL, "press 'enter' to cancel the command");
PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!");
PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] <m> [i <*.dic>]");
PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help");
@ -158,7 +160,9 @@ int usage_t55xx_chk() {
}
int usage_t55xx_bruteforce() {
PrintAndLogEx(NORMAL, "This command uses bruteforce to scan a number range");
PrintAndLogEx(NORMAL, "press 'enter' to cancel the command");
PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!");
PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
PrintAndLogEx(NORMAL, "Usage: lf t55xx bruteforce [h] <start password> <end password>");
PrintAndLogEx(NORMAL, " password must be 4 bytes (8 hex symbols)");
PrintAndLogEx(NORMAL, "Options:");
@ -167,14 +171,15 @@ int usage_t55xx_bruteforce() {
PrintAndLogEx(NORMAL, " <end_pwd> - 4 byte hex value to end pwd search at");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " lf t55xx bruteforce aaaaaaaa bbbbbbbb");
PrintAndLogEx(NORMAL, " lf t55xx bruteforce aaaaaa77 aaaaaa99");
PrintAndLogEx(NORMAL, "");
return 0;
}
int usage_t55xx_recoverpw() {
PrintAndLogEx(NORMAL, "This command uses a few tricks to try to recover mangled password");
PrintAndLogEx(NORMAL, "press 'enter' to cancel the command");
PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!");
PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
PrintAndLogEx(NORMAL, "Usage: lf t55xx recoverpw [password]");
PrintAndLogEx(NORMAL, " password must be 4 bytes (8 hex symbols)");
PrintAndLogEx(NORMAL, " default password is 51243648, used by many cloners");
@ -1629,7 +1634,6 @@ bool IsCancelled(void) {
int CmdT55xxChkPwds(const char *Cmd) {
char filename[FILE_PATH_SIZE] = {0};
bool found = false;
uint8_t timeout = 0;
uint8_t *keyBlock = NULL;
@ -1638,7 +1642,8 @@ int CmdT55xxChkPwds(const char *Cmd) {
if (strlen(Cmd) == 0 || cmdp == 'h') return usage_t55xx_chk();
/*
if ( T55xxReadBlock(7, 0, 0, 0, 0) ) {
// block 7, page1 = false, usepwd = false, override = false, pwd = 00000000
if ( T55xxReadBlock(7, false, false, false, 0x00000000) ) {
// now try to validate it..
PrintAndLogEx(WARNING, "\n Block 7 was readable");
@ -1665,21 +1670,18 @@ int CmdT55xxChkPwds(const char *Cmd) {
}
if (resp.arg[0]) {
PrintAndLogEx(SUCCESS, "\nFound a candidate [ %08X ]. Trying to validate", resp.arg[1]);
PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08X") " ]. Trying to validate", resp.arg[1]);
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.arg[1])) {
PrintAndLogEx(INFO, "Aquireing data from device failed. Quitting");
return 2;
}
AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.arg[1]);
found = tryDetectModulation();
if (found) {
PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", resp.arg[1]);
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08") " ]", resp.arg[1]);
} else {
PrintAndLogEx(WARNING, "Password NOT found.");
PrintAndLogEx(WARNING, "Check pwd failed");
}
} else {
PrintAndLogEx(WARNING, "Password NOT found.");
PrintAndLogEx(WARNING, "Check pwd failed");
}
goto out;
@ -1709,7 +1711,7 @@ int CmdT55xxChkPwds(const char *Cmd) {
}
// loop
uint64_t testpwd = 0x00;
uint64_t curr_password = 0x00;
for (uint16_t c = 0; c < keycount; ++c) {
if (IsOffline()) {
@ -1723,38 +1725,33 @@ int CmdT55xxChkPwds(const char *Cmd) {
return 0;
}
testpwd = bytes_to_num(keyBlock + 4 * c, 4);
curr_password = bytes_to_num(keyBlock + 4 * c, 4);
PrintAndLogEx(INFO, "Testing %08X", testpwd);
PrintAndLogEx(INFO, "Testing %08X", curr_password);
AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd);
/*
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd)) {
PrintAndLogEx(INFO, "Aquireing data from device failed. Quitting");
free(keyBlock);
return 0;
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr_password)) {
continue;
}
*/
found = tryDetectModulation();
if (found)
break;
}
if (found)
PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", testpwd);
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password);
else
PrintAndLogEx(WARNING, "Password NOT found.");
PrintAndLogEx(WARNING, "Check pwd failed");
}
free(keyBlock);
out:
t1 = msclock() - t1;
PrintAndLogEx(SUCCESS, "\nTime in bruteforce: %.0f seconds\n", (float)t1 / 1000.0);
PrintAndLogEx(SUCCESS, "\nTime in check pwd: %.0f seconds\n", (float)t1 / 1000.0);
return 0;
}
// Bruteforce - incremental password range search
int CmdT55xxBruteForce(const char *Cmd) {
uint32_t start_password = 0x00000000; //start password
@ -1762,15 +1759,11 @@ int CmdT55xxBruteForce(const char *Cmd) {
uint32_t curr = 0;
bool found = false;
char cmdp = tolower(param_getchar(Cmd, 0));
if (cmdp == 'h') return usage_t55xx_bruteforce();
uint64_t t1 = msclock();
// Try to read Block 7, first :)
// incremental pwd range search
start_password = param_get32ex(Cmd, 0, 0, 16);
end_password = param_get32ex(Cmd, 1, 0, 16);
@ -1791,28 +1784,20 @@ int CmdT55xxBruteForce(const char *Cmd) {
return 0;
}
AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr);
/*
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr)) {
PrintAndLogEx(WARNING, "Aquiring data from device failed. Quitting");
return 0;
}
*/
found = tryDetectModulation();
found = tryOnePassword(curr);
if (curr == end_password)
break;
curr++;
}
PrintAndLogEx(NORMAL, "");
if (found)
PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", curr);
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr);
else
PrintAndLogEx(WARNING, "Password NOT found. Last tried: [ %08X ]", --curr);
PrintAndLogEx(WARNING, "Bruteforce failed, last tried: [ " _YELLOW_("%08X") " ]", --curr);
t1 = msclock() - t1;
PrintAndLogEx(SUCCESS, "\nTime in bruteforce: %.0f seconds\n", (float)t1 / 1000.0);
@ -1820,11 +1805,12 @@ int CmdT55xxBruteForce(const char *Cmd) {
}
int tryOnePassword(uint32_t password) {
PrintAndLogEx(INFO, "Trying password %08x", password);
if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password)) {
PrintAndLogEx(NORMAL, "Acquire data from device failed. Quitting");
return -1;
}
PrintAndLogEx(INFO, "Trying password %08X", password);
AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password);
if (getSignalProperties()->isnoise == false)
return 0;
if (tryDetectModulation())
return 1;
@ -1848,10 +1834,13 @@ int CmdT55xxRecoverPW(const char *Cmd) {
while (bit < 32) {
curr_password = orig_password ^ (1u << bit);
found = tryOnePassword(curr_password);
if (found == -1) return 0;
if ( found == 1)
goto out;
bit++;
if (IsCancelled()) return 0;
if (IsCancelled())
return 0;
}
// now try to use partial original password, since block 7 should have been completely
@ -1868,12 +1857,16 @@ int CmdT55xxRecoverPW(const char *Cmd) {
bit++;
continue;
}
found = tryOnePassword(curr_password);
if (found == -1) return 0;
if ( found == 1 )
goto out;
bit++;
prev_password = curr_password;
if (IsCancelled()) return 0;
if (IsCancelled())
return 0;
}
// from high bit to low
@ -1888,20 +1881,24 @@ int CmdT55xxRecoverPW(const char *Cmd) {
continue;
}
found = tryOnePassword(curr_password);
if (found == -1)
return 0;
if ( found == 1 )
goto out;
bit++;
prev_password = curr_password;
if (IsCancelled()) return 0;
if (IsCancelled())
return 0;
}
out:
PrintAndLogEx(NORMAL, "");
if (found == 1)
PrintAndLogEx(SUCCESS, "Found valid password: [%08x]", curr_password);
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password);
else
PrintAndLogEx(WARNING, "Password NOT found.");
PrintAndLogEx(WARNING, "Recover pwd failed");
return 0;
}
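Review bot: In the CmdT55xxChkPwds hunk, the success message that appears to be the new line uses `_GREEN_("%08")`, which drops the conversion character; the printf-style format is left with an incomplete `%08` directive, which is undefined behaviour, and the validated password in `resp.arg[1]` is not printed. It should read `PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", resp.arg[1]);`, matching the other success messages in this commit. In the same function `curr_password` is declared `uint64_t` but printed with `%08X` in the "Testing" and "Found valid password" lines, which is a type mismatch for the variadic call. Since `AquireData` takes a `uint32_t password`, declaring it `uint32_t curr_password = 0;` would keep the format and the argument consistent. The function bodies continue outside the displayed hunks, and which line is old or new is inferred from the colour-macro pattern this commit introduces.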


@ -165,7 +165,7 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5)
int special(const char *Cmd);
bool AquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password);
bool detectPassword(int password);
int tryOnePassword(uint32_t password);
void printT55x7Trace(t55x7_tracedata_t data, uint8_t repeat);
void printT5555Trace(t5555_tracedata_t data, uint8_t repeat);