diff --git a/README.md b/README.md index e77062fff..ac155f993 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ On the software side: quite a lot, see the [Changelog file](CHANGELOG.md). This repo compiles nicely on - Proxspace v3.x - - [latest release v3.4](https://github.com/Gator96100/ProxSpace/releases) + - [latest release v3.5](https://github.com/Gator96100/ProxSpace/releases) - Windows/mingw environment with Qt5.6.1 & GCC 4.9 - Ubuntu 1604 -> 2004 - ParrotOS, Gentoo, Pentoo, Kali, Nethunter, Archlinux, Fedora, Debian @@ -109,8 +109,9 @@ Offical channels - [Proxmark3 IRC channel](http://webchat.freenode.net/?channels=#proxmark3) - [Proxmark3 sub reddit](https://www.reddit.com/r/proxmark3/) - [Twitter](https://twitter.com/proxmark3/) - - _no discord or slack channel_ + - [Proxmark3 community discord server](https://discord.gg/zjxc8ZB) + + _no slack channel_ Iceman has quite a few videos on his [youtube channel](https://www.youtube.com/c/ChrisHerrmann1001) diff --git a/armsrc/Makefile b/armsrc/Makefile index 8b1fbfc2b..2768ab3a4 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -20,7 +20,7 @@ endif #in the next section to remove that particular feature from compilation. # NO space,TABs after the "\" sign. APP_CFLAGS = $(PLATFORM_DEFS) \ - -ffunction-sections -fdata-sections -fno-common + -ffunction-sections -fdata-sections SRC_LF = lfops.c lfsampling.c pcf7931.c lfdemod.c lfadc.c SRC_ISO15693 = iso15693.c iso15693tools.c diff --git a/client/gen_pm3mfsim_script.sh b/client/gen_pm3mfsim_script.sh index 73c7a4dd4..c3726d69c 100644 --- a/client/gen_pm3mfsim_script.sh +++ b/client/gen_pm3mfsim_script.sh @@ -11,7 +11,7 @@ show_usage() { echo echo "Usage:" - echo "${0##/} input_eml_without_extension output.pm3scr" + echo "${0##/} input_eml_without_extension output.cmd" exit } 
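Review bot: Dropping `-fno-common` from APP_CFLAGS means that, on GCC releases older than 10 (where common symbols are still the default), two translation units that each define the same uninitialised global now link silently as one merged symbol instead of failing with a duplicate-definition error; for firmware that can hide accidental cross-module shared state the flag used to catch. The commit description is not shown here, so if a concrete build breakage motivated the removal, a line comment such as `# -fno-common dropped: <reason>` next to the assignment would stop the next reader from re-adding it; otherwise keeping the flag seems the safer default. Only the single APP_CFLAGS assignment is affected by this hunk.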
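Review bot: `${0##/}` in the rewritten usage line strips only a single leading slash (the pattern `/` matches one character), so a script run as `/usr/bin/gen_pm3mfsim_script.sh` prints its name as `usr/bin/gen_pm3mfsim_script.sh`; the basename form is `echo "${0##*/} input_eml_without_extension output.cmd"`. The pattern predates this commit, but the line is being edited anyway so it is cheap to fix here. show_usage's opening line appears only as the hunk's context header, so the function begins outside the hunk.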
@@ -32,4 +32,4 @@ rm $2 echo "hf mf eclr" >> $2 echo "hf mf eload" $1 >> $2 echo "hf mf ekeyprn" >> $2 -echo "hf mf sim" `cat $1.eml | (read -n 8 uid; echo $uid)` >> $2 \ No newline at end of file +echo "hf mf sim u" `cat $1.eml | (read -n 8 uid; echo $uid)` >> $2 \ No newline at end of file diff --git a/client/src/cmdhflto.c b/client/src/cmdhflto.c index c62289108..6623f9cd2 100644 --- a/client/src/cmdhflto.c +++ b/client/src/cmdhflto.c @@ -32,7 +32,7 @@ static int usage_lto_info(void) { PrintAndLogEx(NORMAL, " h this help"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " hf lto info"); + PrintAndLogEx(NORMAL, _YELLOW_(" hf lto info")); return PM3_SUCCESS; } @@ -44,7 +44,7 @@ static int usage_lto_rdbl(void) { PrintAndLogEx(NORMAL, " e end block in decimal <= 254"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " hf lto rdbl s 0 e 254 - Read data block from 0 to 254"); + PrintAndLogEx(NORMAL, _YELLOW_(" hf lto rdbl s 0 e 254") " - Read data block from 0 to 254"); return PM3_SUCCESS; } @@ -56,8 +56,7 @@ static int usage_lto_wrbl(void) { PrintAndLogEx(NORMAL, " d 32 bytes of data to write (64 hex characters, no space)"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " hf lto wrbl b 128 d 0001020304050607080910111213141516171819202122232425262728293031 - write 00..31 to block address 128"); - PrintAndLogEx(NORMAL, " Use 'hf lto rdbl' for verification"); + PrintAndLogEx(NORMAL, _YELLOW_(" hf lto wrbl b 128 d 0001020304050607080910111213141516171819202122232425262728293031") " - write 00..31 to block address 128"); return PM3_SUCCESS; } @@ -68,7 +67,7 @@ static int usage_lto_dump(void) { PrintAndLogEx(NORMAL, " f file name"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " hf lto dump f myfile"); + PrintAndLogEx(NORMAL, _YELLOW_(" hf lto dump f myfile")); return PM3_SUCCESS; } 
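Review bot: `$1` and `$2` are still unquoted in the new `hf mf sim u` line and in the surrounding `rm $2` / `>> $2` lines, so a path containing spaces or glob characters is split into several words and the generated script ends up in the wrong file; the fix is to quote them, `cat "$1.eml"` and `>> "$2"`. `read -n 8` takes the first eight characters of the .eml, which presumably are the first four bytes of block 0, so the `u` argument is only correct for 4-byte-UID dumps and a 7-byte-UID dump would get a truncated UID; a comment in the script stating that 4-byte UIDs are assumed would make that explicit. `rm $2` also prints an error when the output file does not exist yet, which `rm -f` avoids.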
@@ -79,7 +78,7 @@ static int usage_lto_restore(void) { PrintAndLogEx(NORMAL, " f file name [.bin|.eml]"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " hf lto restore f hf_lto_92C7842CFF.bin|.eml"); + PrintAndLogEx(NORMAL, _YELLOW_(" hf lto restore f hf_lto_92C7842CFF.bin|.eml")); return PM3_SUCCESS; } @@ -180,8 +179,7 @@ static int CmdHfLTOInfo(const char *Cmd) { //Validations if (errors) { - usage_lto_info(); - return PM3_EINVARG; + return usage_lto_info(); } return infoLTO(true); @@ -384,7 +382,7 @@ static int CmdHfLTOWriteBlock(const char *Cmd) { bool b_opt_selected = false; bool d_opt_selected = false; uint8_t blk = 128; - uint8_t blkData[32] = {0}; + uint8_t block_data[32] = {0}; while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch (tolower(param_getchar(Cmd, cmdp))) { @@ -396,7 +394,7 @@ static int CmdHfLTOWriteBlock(const char *Cmd) { cmdp += 2; break; case 'd': - if (param_gethex(Cmd, cmdp + 1, blkData, 64)) { + if (param_gethex(Cmd, cmdp + 1, block_data, 64)) { PrintAndLogEx(WARNING, "block data must include 64 HEX symbols"); errors = true; break; @@ -413,14 +411,17 @@ static int CmdHfLTOWriteBlock(const char *Cmd) { //Validations if (errors) { - usage_lto_wrbl(); - return PM3_EINVARG; + return usage_lto_wrbl(); } else if (b_opt_selected == false || d_opt_selected == false) { - PrintAndLogEx(WARNING, "Need to specify block address and data. See usage, h option"); - return PM3_EINVARG; + PrintAndLogEx(WARNING, "Need to specify block address and data."); + return usage_lto_wrbl(); } - return wrblLTO(blk, blkData, true); + int res = wrblLTO(blk, block_data, true); + if (res == PM3_SUCCESS) + PrintAndLogEx(HINT, "Try use 'hf lto rdbl' for verification"); + + return res; } int dumpLTO(uint8_t *dump, bool verbose) { 
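Review bot: `return usage_lto_wrbl();` on both error paths changes the command's result from PM3_EINVARG to PM3_SUCCESS, because usage_lto_wrbl ends with `return PM3_SUCCESS;` in the earlier hunk; CmdHfLTOInfo's new `return usage_lto_info();` has the same effect. Anyone scripting the client and checking the return code now sees success for a rejected argument, and the change is inconsistent with CmdHfLTODump, which in this same commit keeps `usage_lto_dump(); return PM3_EINVARG;`. Keep the usage print but preserve the error, `usage_lto_wrbl(); return PM3_EINVARG;`, in both places. The success hint also reads better as `PrintAndLogEx(HINT, "Try using 'hf lto rdbl' for verification");`.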
@@ -446,11 +447,9 @@ int dumpLTO(uint8_t *dump, bool verbose) { ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose); if (ret_val == PM3_SUCCESS) { - //Remove CRCs - for (int t = 0; t < 16; t++) { - dump[t + i * 32] = block_data_d00_d15[t]; - dump[t + i * 32 + 16] = block_data_d16_d31[t]; - } + // remove CRCs + memcpy(dump + i * 32, block_data_d00_d15, 16); + memcpy(dump + (i * 32) + 16, block_data_d16_d31, 16); } else { lto_switch_off_field(); return ret_val; @@ -467,7 +466,6 @@ static int CmdHfLTODump(const char *Cmd) { bool errors = false; uint32_t dump_len = CM_MEM_MAX_SIZE; char filename[FILE_PATH_SIZE] = {0}; - char serial_number[10] = {0}; while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch (tolower(param_getchar(Cmd, cmdp))) { @@ -488,39 +486,32 @@ static int CmdHfLTODump(const char *Cmd) { } } - //Validations if (errors) { usage_lto_dump(); return PM3_EINVARG; } - // alloc memory uint8_t *dump = calloc(dump_len, sizeof(uint8_t)); if (!dump) { PrintAndLogEx(ERR, "error, cannot allocate memory"); return PM3_EMALLOC; } - // loop all blocks int ret_val = dumpLTO(dump, true); if (ret_val != PM3_SUCCESS) { free(dump); return ret_val; } - // save to file if (filename[0] == '\0') { - memcpy(serial_number, sprint_hex_inrow(dump, sizeof(serial_number)), sizeof(serial_number)); - char tmp_name[17] = "hf_lto_"; - strcat(tmp_name, serial_number); - memcpy(filename, tmp_name, sizeof(tmp_name)); + char *fptr = filename; + fptr += sprintf(fptr, "hf-lto-"); + FillFileNameByUID(fptr, dump, "-dump", 5); } saveFile(filename, ".bin", dump, dump_len); saveFileEML(filename, dump, dump_len, 32); - // free memory free(dump); - return PM3_SUCCESS; } 
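Review bot: The results of `saveFile(filename, ".bin", dump, dump_len);` and `saveFileEML(filename, dump, dump_len, 32);` are discarded, so if either write fails (unwritable directory, disk full) the command still ends in `return PM3_SUCCESS;` and the dump just read from the tag is lost; assuming these helpers report failure through their int return as the PM3_ codes elsewhere suggest, capture the first failure, e.g. `int res = saveFile(...); if (res != PM3_SUCCESS) { free(dump); return res; }`. The filename build `fptr += sprintf(fptr, "hf-lto-");` is unbounded but only writes a short constant into the FILE_PATH_SIZE buffer, so it is fine as long as FillFileNameByUID stays within the remaining space; a one-line comment recording that assumption would help. Note too that this command keeps `usage_lto_dump(); return PM3_EINVARG;` on bad arguments while the sibling commands changed in this commit now return the usage function's value, so the error-return convention should be made uniform.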
@@ -539,16 +530,14 @@ int restoreLTO(uint8_t *dump, bool verbose) { return ret_val; } - uint8_t blkData[32] = {0}; + uint8_t block_data[32] = {0}; //Block address 0 and 1 are read-only for (uint8_t blk = 2; blk < 255; blk++) { - for (int i = 0; i < 32; i++) { - blkData[i] = dump[i + blk * 32]; - } + memcpy(block_data, dump + (blk * 32), 32); - ret_val = lto_wrbl(blk, blkData, verbose); + ret_val = lto_wrbl(blk, block_data, verbose); if (ret_val == PM3_SUCCESS) { PrintAndLogEx(SUCCESS, "Block %03d - " _YELLOW_("write success"), blk); diff --git a/client/src/cmdsmartcard.c b/client/src/cmdsmartcard.c index 3c13c3bde..1265262c2 100644 --- a/client/src/cmdsmartcard.c +++ b/client/src/cmdsmartcard.c @@ -27,7 +27,7 @@ static int CmdHelp(const char *Cmd); static int usage_sm_raw(void) { - PrintAndLogEx(NORMAL, "Usage: sc raw [h|r|c] d <0A 0B 0C ... hex>"); + PrintAndLogEx(NORMAL, "Usage: smart raw [h|r|c] d <0A 0B 0C ... hex>"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " r : do not read response"); PrintAndLogEx(NORMAL, " a : active smartcard without select (reset sc module)"); 
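Review bot: `memcpy(block_data, dump + (blk * 32), 32);` reads `dump` through offset 255 * 32 = 8160, yet restoreLTO takes no length and nothing in the hunk checks that the caller's buffer is that large; a `size_t dump_len` parameter, or at minimum a header comment `// dump must hold at least 255 * 32 bytes (blocks 0..254)`, would make the contract explicit. Because the loop writes every block 2..254 unconditionally, a short or truncated dump file would also restore zeroed blocks onto the tag, which a length check before the loop would catch. restoreLTO both starts and ends outside this hunk.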
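Review bot: The renamed synopsis `Usage: smart raw [h|r|c] d <0A 0B 0C ... hex>` still advertises a `c` option that is not among the documented flags (h, r, a, and the s/t/0 used in the examples), while `a`, `s`, `t` and `0` are missing from it; `Usage: smart raw [h|r|a|s|t|0] d <hex>` would match the option list that follows. The `a` line also still says `reset sc module` although this commit renames the command group to `smart`, and the cheatsheet hunk in the same commit already updated that wording. Documentation strings only, no behaviour change.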
@@ -37,58 +37,58 @@ static int usage_sm_raw(void) { PrintAndLogEx(NORMAL, " d : bytes to send"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " sc raw s 0 d 00a404000e315041592e5359532e4444463031 - `1PAY.SYS.DDF01` PPSE directory with get ATR"); - PrintAndLogEx(NORMAL, " sc raw 0 d 00a404000e325041592e5359532e4444463031 - `2PAY.SYS.DDF01` PPSE directory"); - PrintAndLogEx(NORMAL, " sc raw 0 t d 00a4040007a0000000041010 - Mastercard"); - PrintAndLogEx(NORMAL, " sc raw 0 t d 00a4040007a0000000031010 - Visa"); + PrintAndLogEx(NORMAL, " smart raw s 0 d 00a404000e315041592e5359532e4444463031 - `1PAY.SYS.DDF01` PPSE directory with get ATR"); + PrintAndLogEx(NORMAL, " smart raw 0 d 00a404000e325041592e5359532e4444463031 - `2PAY.SYS.DDF01` PPSE directory"); + PrintAndLogEx(NORMAL, " smart raw 0 t d 00a4040007a0000000041010 - Mastercard"); + PrintAndLogEx(NORMAL, " smart raw 0 t d 00a4040007a0000000031010 - Visa"); return PM3_SUCCESS; } static int usage_sm_reader(void) { - PrintAndLogEx(NORMAL, "Usage: sc reader [h|s]"); + PrintAndLogEx(NORMAL, "Usage: smart reader [h|s]"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " s : silent (no messages)"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " sc reader"); + PrintAndLogEx(NORMAL, " smart reader"); return PM3_SUCCESS; } static int usage_sm_info(void) { - PrintAndLogEx(NORMAL, "Usage: sc info [h|s]"); + PrintAndLogEx(NORMAL, "Usage: smart info [h|s]"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " s : silent (no messages)"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " sc info"); + PrintAndLogEx(NORMAL, " smart info"); return PM3_SUCCESS; } static int usage_sm_upgrade(void) { PrintAndLogEx(NORMAL, "Upgrade RDV4.0 Sim module firmware"); - PrintAndLogEx(NORMAL, "Usage: sc upgrade f "); + PrintAndLogEx(NORMAL, "Usage: smart upgrade f "); PrintAndLogEx(NORMAL, " h : 
this help"); PrintAndLogEx(NORMAL, " f : firmware file name"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " sc upgrade f ../tools/simmodule/sim011.bin"); + PrintAndLogEx(NORMAL, " smart upgrade f ../tools/simmodule/sim011.bin"); return PM3_SUCCESS; } static int usage_sm_setclock(void) { - PrintAndLogEx(NORMAL, "Usage: sc setclock [h] c "); + PrintAndLogEx(NORMAL, "Usage: smart setclock [h] c "); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " c <> : clockspeed (0 = 16MHz, 1=8MHz, 2=4MHz) "); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " sc setclock c 2"); + PrintAndLogEx(NORMAL, " smart setclock c 2"); return PM3_SUCCESS; } static int usage_sm_brute(void) { PrintAndLogEx(NORMAL, "Tries to bruteforce SFI, using a known list of AID's "); - PrintAndLogEx(NORMAL, "Usage: sc brute [h]"); + PrintAndLogEx(NORMAL, "Usage: smart brute [h]"); PrintAndLogEx(NORMAL, " h : this help"); PrintAndLogEx(NORMAL, " t : executes TLV decoder if it possible"); // PrintAndLogEx(NORMAL, " 0 : use protocol T=0"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " sc brute t"); + PrintAndLogEx(NORMAL, " smart brute t"); return PM3_SUCCESS; } @@ -1203,3 +1203,4 @@ bool smart_select(bool silent, smart_card_atr_t *atr) { return true; } + diff --git a/client/src/cmdusart.c b/client/src/cmdusart.c index 56d4b88bb..290e543eb 100644 --- a/client/src/cmdusart.c +++ b/client/src/cmdusart.c @@ -36,7 +36,7 @@ static int usage_usart_bt_pin(void) { PrintAndLogEx(NORMAL, " d NNNN Desired PIN"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Example:"); - PrintAndLogEx(NORMAL, " usart btpin 1234"); + PrintAndLogEx(NORMAL, " usart btpin d 1234"); PrintAndLogEx(NORMAL, "expected output: nothing"); return PM3_SUCCESS; } diff --git a/common/crapto1/crapto1.c b/common/crapto1/crapto1.c index 0d7aaa49e..407449382 100644 --- a/common/crapto1/crapto1.c 
+++ b/common/crapto1/crapto1.c 
@@ -332,41 +332,43 @@ uint8_t lfsr_rollback_byte(struct Crypto1State *s, uint32_t in, int fb) {
 uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) {
 uint32_t ret = 0;
- ret |= lfsr_rollback_bit(s, BEBIT(in, 31), fb) << (31 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 30), fb) << (30 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 29), fb) << (29 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 28), fb) << (28 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 27), fb) << (27 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 26), fb) << (26 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 25), fb) << (25 ^ 24);
+ // note: xor args have been swapped because some compilers emit a warning
+ // for 10^x and 2^x as possible misuses for exponentiation. No comment.
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 31), fb) << (24 ^ 31);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 30), fb) << (24 ^ 30);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 29), fb) << (24 ^ 29);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 28), fb) << (24 ^ 28);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 27), fb) << (24 ^ 27);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 26), fb) << (24 ^ 26);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 25), fb) << (24 ^ 25);
 ret |= lfsr_rollback_bit(s, BEBIT(in, 24), fb) << (24 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 23), fb) << (23 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 22), fb) << (22 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 21), fb) << (21 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 20), fb) << (20 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 19), fb) << (19 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 18), fb) << (18 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 17), fb) << (17 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 16), fb) << (16 ^ 24);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 23), fb) << (24 ^ 23);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 22), fb) << (24 ^ 22);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 21), fb) << (24 ^ 21);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 20), fb) << (24 ^ 20);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 19), fb) << (24 ^ 19);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 18), fb) << (24 ^ 18);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 17), fb) << (24 ^ 17);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 16), fb) << (24 ^ 16);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 15), fb) << (15 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 14), fb) << (14 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 13), fb) << (13 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 12), fb) << (12 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 11), fb) << (11 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 10), fb) << (10 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 9), fb) << (9 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 8), fb) << (8 ^ 24);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 15), fb) << (24 ^ 15);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 14), fb) << (24 ^ 14);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 13), fb) << (24 ^ 13);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 12), fb) << (24 ^ 12);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 11), fb) << (24 ^ 11);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 10), fb) << (24 ^ 10);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 9), fb) << (24 ^ 9);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 8), fb) << (24 ^ 8);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 7), fb) << (7 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 6), fb) << (6 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 5), fb) << (5 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 4), fb) << (4 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 3), fb) << (3 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 2), fb) << (2 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 1), fb) << (1 ^ 24);
- ret |= lfsr_rollback_bit(s, BEBIT(in, 0), fb) << (0 ^ 24);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 7), fb) << (24 ^ 7);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 6), fb) << (24 ^ 6);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 5), fb) << (24 ^ 5);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 4), fb) << (24 ^ 4);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 3), fb) << (24 ^ 3);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 2), fb) << (24 ^ 2);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 1), fb) << (24 ^ 1);
+ ret |= lfsr_rollback_bit(s, BEBIT(in, 0), fb) << (24 ^ 0);
 return ret;
 }
diff --git a/common/crapto1/crypto1.c b/common/crapto1/crypto1.c
index 866a0fb98..2aebc2e83 100644
--- a/common/crapto1/crypto1.c
+++ b/common/crapto1/crypto1.c
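Review bot: The added comment says the XOR operands were swapped but neither names the diagnostic nor states that the result is unchanged, which is what the next reader will want to know before touching these 32 lines; since XOR is commutative, `24 ^ k` and `k ^ 24` are the same shift amount and the object code is identical. A wording that carries those facts is `// (24 ^ k) rather than (k ^ 24): some compilers (presumably GCC's -Wxor-used-as-pow) flag 2^x / 10^x as a likely exponentiation typo; XOR is commutative so the shift amount is unchanged`, and the `No comment.` aside can go. The same comment is duplicated verbatim in crypto1_word in crypto1.c, so whatever wording is chosen should be applied to both.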
@@ -103,41 +103,43 @@ uint8_t crypto1_byte(struct Crypto1State *s, uint8_t in, int is_encrypted) {
 }
 uint32_t crypto1_word(struct Crypto1State *s, uint32_t in, int is_encrypted) {
 uint32_t ret = 0;
- ret |= crypto1_bit(s, BEBIT(in, 0), is_encrypted) << (0 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 1), is_encrypted) << (1 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 2), is_encrypted) << (2 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 3), is_encrypted) << (3 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 4), is_encrypted) << (4 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 5), is_encrypted) << (5 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 6), is_encrypted) << (6 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 7), is_encrypted) << (7 ^ 24);
+ // note: xor args have been swapped because some compilers emit a warning
+ // for 10^x and 2^x as possible misuses for exponentiation. No comment.
+ ret |= crypto1_bit(s, BEBIT(in, 0), is_encrypted) << (24 ^ 0);
+ ret |= crypto1_bit(s, BEBIT(in, 1), is_encrypted) << (24 ^ 1);
+ ret |= crypto1_bit(s, BEBIT(in, 2), is_encrypted) << (24 ^ 2);
+ ret |= crypto1_bit(s, BEBIT(in, 3), is_encrypted) << (24 ^ 3);
+ ret |= crypto1_bit(s, BEBIT(in, 4), is_encrypted) << (24 ^ 4);
+ ret |= crypto1_bit(s, BEBIT(in, 5), is_encrypted) << (24 ^ 5);
+ ret |= crypto1_bit(s, BEBIT(in, 6), is_encrypted) << (24 ^ 6);
+ ret |= crypto1_bit(s, BEBIT(in, 7), is_encrypted) << (24 ^ 7);
- ret |= crypto1_bit(s, BEBIT(in, 8), is_encrypted) << (8 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 9), is_encrypted) << (9 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 10), is_encrypted) << (10 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 11), is_encrypted) << (11 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 12), is_encrypted) << (12 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 13), is_encrypted) << (13 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 14), is_encrypted) << (14 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 15), is_encrypted) << (15 ^ 24);
+ ret |= crypto1_bit(s, BEBIT(in, 8), is_encrypted) << (24 ^ 8);
+ ret |= crypto1_bit(s, BEBIT(in, 9), is_encrypted) << (24 ^ 9);
+ ret |= crypto1_bit(s, BEBIT(in, 10), is_encrypted) << (24 ^ 10);
+ ret |= crypto1_bit(s, BEBIT(in, 11), is_encrypted) << (24 ^ 11);
+ ret |= crypto1_bit(s, BEBIT(in, 12), is_encrypted) << (24 ^ 12);
+ ret |= crypto1_bit(s, BEBIT(in, 13), is_encrypted) << (24 ^ 13);
+ ret |= crypto1_bit(s, BEBIT(in, 14), is_encrypted) << (24 ^ 14);
+ ret |= crypto1_bit(s, BEBIT(in, 15), is_encrypted) << (24 ^ 15);
- ret |= crypto1_bit(s, BEBIT(in, 16), is_encrypted) << (16 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 17), is_encrypted) << (17 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 18), is_encrypted) << (18 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 19), is_encrypted) << (19 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 20), is_encrypted) << (20 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 21), is_encrypted) << (21 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 22), is_encrypted) << (22 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 23), is_encrypted) << (23 ^ 24);
+ ret |= crypto1_bit(s, BEBIT(in, 16), is_encrypted) << (24 ^ 16);
+ ret |= crypto1_bit(s, BEBIT(in, 17), is_encrypted) << (24 ^ 17);
+ ret |= crypto1_bit(s, BEBIT(in, 18), is_encrypted) << (24 ^ 18);
+ ret |= crypto1_bit(s, BEBIT(in, 19), is_encrypted) << (24 ^ 19);
+ ret |= crypto1_bit(s, BEBIT(in, 20), is_encrypted) << (24 ^ 20);
+ ret |= crypto1_bit(s, BEBIT(in, 21), is_encrypted) << (24 ^ 21);
+ ret |= crypto1_bit(s, BEBIT(in, 22), is_encrypted) << (24 ^ 22);
+ ret |= crypto1_bit(s, BEBIT(in, 23), is_encrypted) << (24 ^ 23);
 ret |= crypto1_bit(s, BEBIT(in, 24), is_encrypted) << (24 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 25), is_encrypted) << (25 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 26), is_encrypted) << (26 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 27), is_encrypted) << (27 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 28), is_encrypted) << (28 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 29), is_encrypted) << (29 ^ 24);
- ret |= crypto1_bit(s, BEBIT(in, 30), is_encrypted) << (30 ^ 24);
- 
ret |= crypto1_bit(s, BEBIT(in, 31), is_encrypted) << (31 ^ 24); + ret |= crypto1_bit(s, BEBIT(in, 25), is_encrypted) << (24 ^ 25); + ret |= crypto1_bit(s, BEBIT(in, 26), is_encrypted) << (24 ^ 26); + ret |= crypto1_bit(s, BEBIT(in, 27), is_encrypted) << (24 ^ 27); + ret |= crypto1_bit(s, BEBIT(in, 28), is_encrypted) << (24 ^ 28); + ret |= crypto1_bit(s, BEBIT(in, 29), is_encrypted) << (24 ^ 29); + ret |= crypto1_bit(s, BEBIT(in, 30), is_encrypted) << (24 ^ 30); + ret |= crypto1_bit(s, BEBIT(in, 31), is_encrypted) << (24 ^ 31); return ret; } diff --git a/doc/cheatsheet.md b/doc/cheatsheet.md index 0217600d6..a032d620d 100644 --- a/doc/cheatsheet.md +++ b/doc/cheatsheet.md @@ -3,8 +3,8 @@ |Generic|Low Frequence 125 kHz|High Frequence 13.56 MHz| |---|---|---| -|[Generic](#Generic)|[T55XX](#T55XX)|[Mifare](#Mifare)| -|[Data](#Data)|[HID Prox](#HID-Prox)|[iClass](#iClass)| +|[Generic](#Generic)|[T55XX](#T55XX)|[MIFARE](#MIFARE)| +|[Data](#Data)|[HID Prox](#HID-Prox)|[iCLASS](#iCLASS)| |[Memory](#Memory)|[Indala](#Indala)|| |[Sim Module](#Sim-Module)|[Hitag](#Hitag)|| |[Lua Scripts](#Lua-Scripts)||| @@ -39,10 +39,10 @@ Check overall status pm3 --> hw status ``` -## iClass +## iCLASS ^[Top](#top) -Reverse permute iClass master key +Reverse permute iCLASS master key ``` Options --- @@ -51,12 +51,13 @@ r reverse permuted key pm3 --> hf iclass permute r 3F90EBF0910F7B6F ``` -iClass Reader +iCLASS Reader + ``` pm3 --> hf iclass reader ``` -Dump iClass card contents +Dump iCLASS card contents ``` Options --- @@ -65,7 +66,7 @@ k : *Access Key as 16 hex symbols or 1 hex to select key from memory m3 --> hf iclass dump k 0 ``` -Read iClass Block +Read iCLASS Block ``` Options --- @@ -75,7 +76,7 @@ k : Access Key as 16 hex symbols or 1 hex to select key from memory pm3 --> hf iclass rdbl b 7 k 0 ``` -Write to iClass Block +Write to iCLASS Block ``` Options --- 
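Review bot: As in lfsr_rollback_word, the new comment here should name the warning being dodged and state that the shift amount is unchanged, since `24 ^ k` equals `k ^ 24` by commutativity and no behaviour of crypto1_word changes; `// (24 ^ k) rather than (k ^ 24) to silence a compiler warning (presumably -Wxor-used-as-pow) about 2^x / 10^x; XOR is commutative so the shift is unchanged` says that without the `No comment.` aside. Keeping the wording identical in both files makes the intent easy to grep for later.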
@@ -105,21 +106,44 @@ k : set a key in memory pm3 --> hf iclass managekeys n 3 k AFA785A7DAB33378 ``` -Encrypt iClass Block -``` -pm3 --> hf iclass encrypt 0000000f2aa3dba8 -``` - -Load iClass dump into memory for simulation +Encrypt iCLASS Block ``` Options --- -f : load iclass tag-dump filename +d : 16 bytes hex +k : 16 bytes hex + +pm3 --> hf iclass encrypt d 0000000f2aa3dba8 +``` + +Decrypt iCLASS Block / file +``` +Options +--- +d : 16 bytes hex +f : filename of dump +k : 16 bytes hex + +pm3 --> hf iclass decrypt d 2AD4C8211F996871 +pm3 --> hf iclass decrypt f hf-iclass-db883702f8ff12e0.bin +``` + +Load iCLASS dump into memory for simulation +``` +Options +--- +f : load iCLASS tag-dump filename pm3 --> hf iclass eload f hf-iclass-db883702f8ff12e0.bin ``` -Simulate iClass +Clone iCLASS Legacy Sequence +``` +pm3 --> hf iclass rdbl b 7 k 0 +pm3 --> hf iclass wrbl b 7 d 6ce099fe7e614fd0 k 0 +``` + +Simulate iCLASS ``` Options --- @@ -132,20 +156,14 @@ Options pm3 --> hf iclass sim 3 ``` -Clone iClass Legacy Sequence -``` -pm3 --> hf iclass rdbl b 7 k 0 -pm3 --> hf iclass wrbl b 7 d 6ce099fe7e614fd0 k 0 -``` - -Simulate iClass Sequence +Simulate iCLASS Sequence ``` pm3 --> hf iclass dump k 0 pm3 --> hf iclass eload f hf-iclass-db883702f8ff12e0.bin pm3 --> hf iclass sim 3 ``` -Extract custom iClass key (loclass attack) +Extract custom iCLASS key (loclass attack) ``` Options --- @@ -155,14 +173,15 @@ e : If 'e' is specified, elite computations applied to key pm3 --> hf iclass sim 2 pm3 --> hf iclass loclass f iclass_mac_attack.bin -pm3 --> hf iclass dump k e +pm3 --> hf iclass managekeys n 7 k +pm3 --> hf iclass dump k 7 e ``` -Verify custom iClass key +Verify custom iCLASS key ``` Options --- -f : Dictionary file with default iclass keys +f : Dictionary file with default iCLASS keys u : CSN p : EPURSE m : macs 
@@ -171,7 +190,7 @@ e : elite pm3 --> hf iclass lookup u 010a0ffff7ff12e0 p feffffffffffffff m 66348979153c41b9 f iclass_default_keys e ``` -## Mifare +## MIFARE ^[Top](#top) Check for default keys @@ -196,11 +215,11 @@ m : use dictionary from flashmemory pm3 --> hf mf fchk 1 m ``` -Dump Mifare card contents +Dump MIFARE card contents ``` Options --- - : 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K + : 0 = 320 bytes (MIFARE Mini), 1 = 1K (default), 2 = 2K, 4 = 4K k : key filename, if no given, UID will be used as filename" f : data filename, if no given, UID will be used as filename @@ -217,7 +236,7 @@ i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is us pm3 --> script run dumptoemul -i dumpdata.bin ``` -Write to Mifare block +Write to MIFARE block ``` Options --- @@ -226,7 +245,7 @@ Options pm3 --> hf mf wrbl 0 A FFFFFFFFFFFF d3a2859f6b880400c801002000000016 ``` -Run autopwn +Run autopwn, to backup a MIFARE tag ``` Options --- @@ -234,7 +253,7 @@ Options pm3 --> hf mf autopwn ``` -Run Hardnested attack +Run hardnested attack ``` Options --- @@ -244,25 +263,25 @@ w : Acquire nonces and write them to binary file nonces.bin pm3 --> hf mf hardnested 0 A 8829da9daf76 0 A w ``` -Load Mifare emul dump file into memory for simulation +Load MIFARE emul dump file into memory for simulation ``` Options --- -[card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL +[card memory]: 0 = 320 bytes (MIFARE Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL pm3 --> hf mf eload hf-mf-353C2AA6 pm3 --> hf mf eload 1 hf-mf-353C2AA6 ``` -Simulate Mifare +Simulate MIFARE ``` u : (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used pm3 --> hf mf sim u 353c2aa6 ``` -Simulate Mifare Sequence +Simulate MIFARE Sequence ``` pm3 --> hf mf chk *1 ? d mfc_default_keys pm3 --> hf mf dump 1 
@@ -271,19 +290,19 @@ pm3 --> hf mf eload 353C2AA6 pm3 --> hf mf sim u 353c2aa6 ``` -Clone Mifare 1K Sequence +Clone MIFARE 1K Sequence ``` pm3 --> hf mf chk *1 ? d mfc_default_keys pm3 --> hf mf dump pm3 --> hf mf restore 1 u 4A6CE843 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-dump.bin ``` -Read Mifare Ultralight EV1 +Read MIFARE Ultralight EV1 ``` pm3 --> hf mfu info ``` -Clone Mifare Ultralight EV1 Sequence +Clone MIFARE Ultralight EV1 Sequence ``` pm3 --> hf mfu dump k FFFFFFFF pm3 --> script run dumptoemul-mfu -i hf-mfu-XXXX-dump.bin -o hf-mfu-XXXX-dump.eml @@ -291,12 +310,12 @@ pm3 --> hf mfu eload u hf-mfu-XXXX-dump.eml pm3 --> hf mfu sim t 7 u hf-mfu-XXXX-dump.eml ``` -Bruteforce Mifare Classic card numbers from 11223344 to 11223346 +Bruteforce MIFARE Classic card numbers from 11223344 to 11223346 ``` pm3 --> script run hf_bruteforce -s 0x11223344 -e 0x11223346 -t 1000 -x mfc ``` -Bruteforce Mifare Ultralight EV1 card numbers from 11223344556677 to 11223344556679 +Bruteforce MIFARE Ultralight EV1 card numbers from 11223344556677 to 11223344556679 ``` pm3 --> script run hf_bruteforce -s 0x11223344556677 -e 0x11223344556679 -t 1000 -x mfu ``` 
@@ -524,29 +543,47 @@ pm3 --> data load ## Lua Scripts ^[Top](#top) -List Lua Scripts +List lua Scripts ``` pm3 --> script list ``` +View lua helptext + +``` +pm3 --> script run -h +``` + + Convert .bin to .eml ``` Options --- -i : Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used +-i Specifies the dump-file (input). If omitted, 'dumpdata.bin' is used +-o Specifies the output file. If omitted, .eml is used pm3 --> script run dumptoemul -i xxxxxxxxxxxxxx.bin ``` +Convert .eml to .bin +``` +Options +--- +-i Specifies the dump-file (input). If omitted, 'dumpdata.eml' is used +-o Specifies the output file. If omitted, .bin is used + +pm3 --> script run emul2dump -i myfile.eml -o myfile.bin +``` + Format Mifare card ``` Options --- -k : the current six byte key with write access -n : the new key that will be written to the card -a : the new access bytes that will be written to the card -x : execute the commands aswell. +-k The current six byte key with write access +-n The new key that will be written to the card +-a The new access bytes that will be written to the card +-x Execute the commands aswell pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x ``` @@ -554,7 +591,7 @@ pm3 --> script run formatMifare -k FFFFFFFFFFFF -n FFFFFFFFFFFF -x ## Memory ^[Top](#top) -Load default keys into memory +Load default keys into flash memory (RDV4 only) ``` Options --- @@ -574,7 +611,7 @@ pm3 --> mem load f iclass_default_keys i Upgrade Sim Module firmware ``` -pm3 --> sc upgrade f ../tools/simmodule/sim011.bin +pm3 --> smart upgrade f ../tools/simmodule/sim011.bin ``` ## Smart Card @@ -582,12 +619,12 @@ pm3 --> sc upgrade f ../tools/simmodule/sim011.bin Get Smart Card Information ``` -pm3 --> sc info +pm3 --> smart info ``` Act like an IS07816 reader ``` -pm3 --> sc reader +pm3 --> smart reader ``` Set clock speed 
@@ -596,7 +633,7 @@ Options --- c : clockspeed (0 = 16MHz, 1=8MHz, 2=4MHz) -pm3 --> sc setclock c 2 +pm3 --> smart setclock c 2 ``` Send raw hex data @@ -604,16 +641,16 @@ Send raw hex data Options --- r : do not read response -a : active smartcard without select (reset sc module) +a : active smartcard without select (reset smart module) s : active smartcard with select (get ATR) t : executes TLV decoder if it possible 0 : use protocol T=0 d : bytes to send -pm3 --> sc raw s 0 d 00a404000e315041592e5359532e4444463031 : 1PAY.SYS.DDF01 PPSE directory with get ATR -pm3 --> sc raw 0 d 00a404000e325041592e5359532e4444463031 : 2PAY.SYS.DDF01 PPSE directory -pm3 --> sc raw 0 t d 00a4040007a0000000041010 : Mastercard -pm3 --> sc raw 0 t d 00a4040007a0000000031010 : Visa +pm3 --> smart raw s 0 d 00a404000e315041592e5359532e4444463031 : 1PAY.SYS.DDF01 PPSE directory with get ATR +pm3 --> smart raw 0 d 00a404000e325041592e5359532e4444463031 : 2PAY.SYS.DDF01 PPSE directory +pm3 --> smart raw 0 t d 00a4040007a0000000041010 : Mastercard +pm3 --> smart raw 0 t d 00a4040007a0000000031010 : Visa ```` Bruteforce SPI @@ -622,6 +659,6 @@ Options --- t : executes TLV decoder if it possible -pm3 --> sc brute -pm3 --> sc brute t +pm3 --> smart brute +pm3 --> smart brute t ``` diff --git a/doc/commands.md b/doc/commands.md index ba9f14c93..93e8d98fb 100644 --- a/doc/commands.md +++ b/doc/commands.md 
@@ -845,14 +845,14 @@ Check column "offline" for their availability. |command |offline |description |------- |------- |----------- -|`sc help `|Y |`This help` -|`sc list `|N |`List ISO 7816 history` -|`sc info `|N |`Tag information` -|`sc reader `|N |`Act like an IS07816 reader` -|`sc raw `|N |`Send raw hex data to tag` -|`sc upgrade `|Y |`Upgrade sim module firmware` -|`sc setclock `|N |`Set clock speed` -|`sc brute `|N |`Bruteforce SFI` +|`smart help `|Y |`This help` +|`smart list `|N |`List ISO 7816 history` +|`smart info `|N |`Tag information` +|`smart reader `|N |`Act like an IS07816 reader` +|`smart raw `|N |`Send raw hex data to tag` +|`smart upgrade `|Y |`Upgrade sim module firmware` +|`smart setclock `|N |`Set clock speed` +|`smart brute `|N |`Bruteforce SFI` ### script diff --git a/doc/md/Installation_Instructions/Troubleshooting.md b/doc/md/Installation_Instructions/Troubleshooting.md index dac35cd74..da41d56bd 100644 --- a/doc/md/Installation_Instructions/Troubleshooting.md +++ b/doc/md/Installation_Instructions/Troubleshooting.md @@ -127,9 +127,9 @@ proxmark3 --flash --image /usr/local/share/proxmark3/firmware/f <> proxmark3 --flash --image /usr/share/proxmark3/firmware/fullimage.elf -pm3 --> sc upgrade f /usr/local/share/proxmark3/firmware/sim011.bin +pm3 --> smart upgrade f /usr/local/share/proxmark3/firmware/sim011.bin <> -pm3 --> sc upgrade f /usr/share/proxmark3/firmware/sim011.bin +pm3 --> smart upgrade f /usr/share/proxmark3/firmware/sim011.bin ``` If you didn't install the PRoxmark but you're working from the sources directory and depending how you launch the client, your working directory might be the root of the repository: 
@@ -152,9 +152,9 @@ client/proxmark3 --flash --image armsrc/obj/fullimage.elf
 <>
 ./proxmark3 --flash --image ../armsrc/obj/fullimage.elf
-pm3 --> sc upgrade f tools/simmodule/sim011.bin
+pm3 --> smart upgrade f tools/simmodule/sim011.bin
 <>
-pm3 --> sc upgrade f ../tools/simmodule/sim011.bin
+pm3 --> smart upgrade f ../tools/simmodule/sim011.bin
 ```
 etc.
diff --git a/doc/md/Use_of_Proxmark/2_Configuration-and-Verification.md b/doc/md/Use_of_Proxmark/2_Configuration-and-Verification.md
index fe87ec633..8264e3245 100644
--- a/doc/md/Use_of_Proxmark/2_Configuration-and-Verification.md
+++ b/doc/md/Use_of_Proxmark/2_Configuration-and-Verification.md
@@ -46,9 +46,9 @@ Don't not turn off your device during the execution of this command!!
 Even its a quite fast command you should be warned. You may brick it if you interrupt it.
 ```
-[usb] pm3 --> sc upgrade f /usr/local/share/proxmark3/firmware/sim011.bin
+[usb] pm3 --> smart upgrade f /usr/local/share/proxmark3/firmware/sim011.bin
 # or if from local repo
-[usb] pm3 --> sc upgrade f tools/simmodule/sim011.bin
+[usb] pm3 --> smart upgrade f tools/simmodule/sim011.bin
 ```
 You get the following output if the execution was successful:
diff --git a/doc/termux_notes.md b/doc/termux_notes.md
index 1b1ccc75c..c90e60e32 100644
--- a/doc/termux_notes.md
+++ b/doc/termux_notes.md
@@ -12,22 +12,27 @@
 * [ Setup ](#setup)
 * [ Setting up Termux ](#setting-up-termux)
 * [ Install Proxmark3 package ](#install-proxmark3-package)
+ * [ PC-like method ](#pc-like-method)
+ * [ Specific requirements ](#specific-requirements)
 * [ USB_ACM ](#usb_acm)
 * [ Enable the driver ](#enable-the-driver)
 * [ Building the kernel ](#building-the-kernel)
 * [ Flashing the kernel ](#flashing-the-kernel)
- * [ Testing ](#testing)
- * [ Troubleshooting ](#troubleshooting)
+ * [ Testing ](#testing)
+ * [ Troubleshooting ](#troubleshooting)
+ * [ TCP bridge method ](#tcp-bridge-method)
+ * [ USB connection ](#usb-connection)
+ * [ USB-UART bridge application ](#usb-uart-bridge-application)
+ * [ Setting up usb socket ](#setting-up-usb-socket)
+ * [ Bluetooth connection ](#bluetooth-connection)
+ * [ BT-UART bridge application ](#bt-uart-bridge-application)
+ * [ Setting up bt socket ](#setting-up-bt-socket)
+ * [ Termux connection ](#termux-connection)
 ## Requirements
 ^[Top](#top)
 - Android phone
-- Kernel with one of:
- - USB_ACM driver
- - module loading enabled
- - published sources
-- Root
 - [Termux](https://play.google.com/store/apps/details?id=com.termux)
 ## Notes
@@ -81,16 +86,33 @@ Install [Termux](https://play.google.com/store/apps/details?id=com.termux) and s
 Run the following commands:
 ```
-pkg install proxmark3 tsu
+pkg install proxmark3
 ```
 ### Optional: Building Proxmark3 client from source
 ```
-pkg install make clang clang++ readline libc++ git tsu
+pkg install make clang clang++ readline libc++ git
 git clone https://github.com/RfidResearchGroup/proxmark3.git
 cd proxmark
 make clean && make client
 ```
+## PC-like method
+^[Top](#top)
+
+### Specific requirements
+^[Top](#top)
+
+- Kernel with one of:
+ - USB_ACM driver
+ - module loading enabled
+ - published sources
+- Root
+
+termux shell:
+```
+pkg install tsu
+```
+
 ### USB_ACM
 ^[Top](#top)
@@ -125,3 +147,53 @@ Everything should work just like if it was your PC!
 - `dmesg | grep usb` - useful debug info
 - `/proc/config.gz` - contains your kernel's build configuration. Look for `CONFIG_USB_ACM`, which should be enabled
+
+## TCP bridge method
+^[Top](#top)
+
+Termux doesn't come with usb serial neither bluetooth serial drivers.
+However, it is fully integrated with phone's network, so we need to talk to the proxmark using serial to tcp sockets (carried out by android apps).
+
+### USB connection
+^[Top](#top)
+
+### USB-UART Bridge Application
+^[Top](#top)
+
+Install [this free app](https://play.google.com/store/apps/details?id=com.hardcodedjoy.tcpuart) on the Play Store
+
+### Setting up usb socket
+^[Top](#top)
+
+The app lets you choose the baudrate. Default value (115 200 baud) is fine.
+Plug the PM3 in and click connect.
+Set the toggle in server mode and choose a random port not used by system (e.g. 4321) and start the server.
+
+### Bluetooth connection
+^[Top](#top)
+
+### BT-UART Bridge Application
+^[Top](#top)
+
+Install [this free app](https://play.google.com/store/apps/details?id=masar.bb) or [the paid version](https://play.google.com/store/apps/details?id=masar.bluetoothbridge.pro) (which includes usb bridge)
+
+### Setting up bt socket
+^[Top](#top)
+
+You need to pair the proxmark3 in the Android settings.
+In the app choose your registred PM3 device as 'device A'.
+Select TCP server as 'Device B' and choose an unused port (e.g. 4321).
+Ensure 'Retransmission' is set to 'both ways'.
+
+### Termux connection
+^[Top](#top)
+
+Start a new session, then:
+```
+proxmark3 tcp:localhost:
+```
+Alternatively, if you have made the client in the git repo:
+```
+./client/proxmark3 tcp:localhost:
+```
+ENJOY !
diff --git a/tools/pm3_amii_bin2eml.pl b/tools/pm3_amii_bin2eml.pl
index b042e1e73..2c46c95ea 100755
--- a/tools/pm3_amii_bin2eml.pl
+++ b/tools/pm3_amii_bin2eml.pl
@@ -12,12 +12,13 @@
 # perl -lne 'chomp; s/\s+(\S+)$//;$f=$1;if($f=~s/-(\S+)//){$g=hex($1);}else{$g=hex($f)}$f=hex($f); for$m($f..$g){print "0x" . substr(unpack("H4",pack("n",$m)),1) ." => \"$_\","}' /tmp/game >> game2
 # perl -lne 'if(/^(\S.*?)\s+\w?\w\w\w\w(\s*-\s*\w?\w\w\w\w)?\s*$/){$l=$1} s/(\w{4,5}\s*-\s*)?(\w{4,5})$//; $a=$1;$b=$2; $b=hex($b); $a=$a?hex($a):$b; for$m($a..$b){print "0x" . substr(unpack("H4",pack("n",$m)),0) ." => \"$l\","}' /tmp/g2
-my $BLOCKS = 255;
 my $UIDLOC = -540; # UID is 540 bytes from the end
 my $BLOCKSIZE = 4; # in bytes
 my $AMIITOOL = '../client/amiitool/amiitool'; # path to amiitool (unless in $PATH)
 my $KEYFILE = '../client/amiitool/key_retail.bin'; # path to retail key file
-my $ADDHDR = 1; # add 48 byte header?
+my $ADDHDR = 1; # add 56 byte header?
+my $FIXPWD = 1; # recalculate PWD if dump value is 0
+my $FIXACK = 1; # set ACK if dump value is 0
 my $DECRYPT = 0; # auto-decrypt
 my %game = (
@@ -605,59 +606,80 @@ elsif (!$dec_check && !$enc_check)
 die "Does not look like proper file format! Exiting.\n";
 }
-my $lines = $BLOCKS;
+my @blocks = ();
 my $uid = unpack("H14", substr($file, length($file) + $UIDLOC, 3) . substr($file, (length($file) + $UIDLOC) + 4, 4));
 my $pwd = unpack("H8", substr($file, length($file) - 8, 4));
+my $ack = unpack("H8", substr($file, length($file) - 4, 4));
-# file does not contain our 48 byte header, let's add it
+my $fixedpwd = 0;
+if ($FIXPWD && hex($pwd) == 0) {
+ # calculate correct amiibo password according to UID
+ err "PWD is blank, recalculating";
+ my $uid_a = hex(substr $uid, 2, 8);
+ my $uid_b = hex(substr $uid, 6, 8);
+ $pwd = sprintf("%08x", $uid_a ^ $uid_b ^ 0xaa55aa55);
+
+ $fixedpwd = 1;
+}
+
+my $fixedack = 0;
+if ($FIXACK && hex($ack) == 0) {
+ # this is the command to be sent back to the Switch if
+ # the Switch sends the correct PWD
+ err "ACK is blank, fixing";
+ $ack = "80808080";
+
+ $fixedack = 1;
+}
+
+# file does not contain our 56 byte header, let's add it
+my $addedhdr = 0;
 if ($ADDHDR && length($file) == -1 * $UIDLOC)
 {
 err "Does not contain header, adding";
 while ()
 {
- $lines--;
 chomp; # there may not be a newline so chomp and add below
- print "$_\n";
+ push @blocks, $_;
 }
+
+ $addedhdr = 1;
 }
+my $pages = 0;
 while (length($file))
 {
 my $out = substr($file, 0, $BLOCKSIZE, ""); # was 16
 $out = unpack("H*", $out);
- print "$out\n";
+ push @blocks, $out;
- # grab UID
-=cut
- if ($BLOCKS - $lines == 12)
- {
- $uid = substr($out, 0, 6);
- }
- elsif ($BLOCKS - $lines == 13)
- {
- $uid .= substr($out, 0, 8);
- }
-=cut
-
- $lines--;
+ $pages++;
 }
-# still need to pad to 255 4-byte (8 hex char) blocks
-if ($lines > 0)
-{
- while ($lines--)
- {
- print "00000000\n";
- }
+if ($fixedpwd) {
+ @blocks[-2] = $pwd;
 }
+if ($fixedack) {
+ @blocks[-1] = $ack;
+}
+
+if ($addedhdr) {
+ @blocks[2] .= sprintf "%02X", ($pages - 1);
+}
+
+# finally, output the data
+foreach(@blocks) {
+ print "$_\n";
+}
 print STDERR "\n";
 print STDERR "$_\n" for @err;
 print STDERR "UID: $uid\n";
 print STDERR "PWD: $pwd\n";
+print STDERR "ACK: $ack\n";
 print STDERR "\n";
 $uid = uc $uid; #print STDERR "amiitool -d -k ../client/amiitool/key_retail.bin -i $input -o $input.decrypted\n";
@@ -669,13 +691,15 @@ print STDERR "hf 14a sim t 7 u $uid\n";
 __DATA__
 00040402
 01001103
-01000000
-00808000
-92580b4c
-45a9c42f
-a90145ce
-5e5f9c43
-09a43d47
-d232a3d1
-68cbade6
-7f8185c6
+010000
+92580B4C
+45A9C42F
+A90145CE
+5E5F9C43
+09A43D47
+D232A3D1
+68CBADE6
+7F8185C6
+00000000
+00000000
+00000000
\ No newline at end of file
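Review bot: The post-loop patch-ups assign through one-element array slices — `@blocks[-2] = $pwd;`, `@blocks[-1] = $ack;` and `@blocks[2] .= sprintf "%02X", ($pages - 1);` — which Perl accepts but flags under `use warnings` ("Scalar value @blocks[-2] better written as $blocks[-2]"); the element form `$blocks[-2] = $pwd;` / `$blocks[-1] = $ack;` / `$blocks[2] .= sprintf "%02X", ($pages - 1);` states the intent and keeps the script warning-clean. The `%02X` also silently yields three hex digits once `$pages - 1` exceeds 255, which would turn the header's page-count line into something other than a 4-byte block; if dumps with more than 256 pages can reach this script, a range check reported through `err` seems worth adding. The coupling with the data section is not written down anywhere: the third `__DATA__` line was deliberately shortened to `010000` so this byte completes it, and a comment above the `if ($addedhdr)` block such as `# header page 2 is only 3 bytes in __DATA__; its 4th byte (page count) is appended here` would stop the next reader from treating the short line as a corrupted entry.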