Merge branch 'master' into master

Signed-off-by: Gary Bell <github@whiteneon.com>
Gary Bell 2024-08-16 20:06:22 -04:00 committed by GitHub
commit 783daad6ae
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
37 changed files with 613 additions and 257 deletions


@ -5,6 +5,10 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
## [unreleased][unreleased]
- Fixed missing require of ansicolors in `lf_hid_bulkclone_v2.lua` script (@whiteneon)
- Added `lf_t55xx_reset.lua` - a script to aid in quickly resetting t55xx chips (@whiteneon)
- Added more fingerprinting in `hf mf info` (@doegox)
- Added --issue and (--emu)lator support to `hf iclass encode` command (@micsen)
- Added custom CTF Wiegand format from Defcon32 with comments (@micsen)
- Added native output grabbing for Python and Lua: less hacky than `output_grabber.py`, should work on ProxSpace as well (@doegox)
- Changed `hf mf chk/fchk`: added option `--no-default` to skip loading the usual ~61 hardcoded keys (@doegox)
- Fixed `hf mf wipe` to detect properly write errors (@doegox)
- Fixed `hf mf fchk` which was leaving the RF field on when interrupted by keyboard (@doegox)


@ -394,7 +394,7 @@ ifeq ($(PYTHON_FOUND),1)
endif
#######################################################################################################
# macOS doesn't like this params
# clang doesn't like this params
#MYCFLAGS += --param max-completely-peeled-insns=1000 --param max-completely-peel-times=10000
MYCFLAGS += -O3


@ -2529,3 +2529,5 @@ bd6af9754c18
60FCB3C42ABF
# key for hotel in greece
722F24F0722F
# STS Hotel 2A
535453535453


@ -1,3 +0,0 @@
#!/bin/bash
../../pm3 -c "script run testembedded_grab.py" -i


@ -1,4 +1,13 @@
local pm3 = require("pm3")
p=pm3.pm3()
p:console("hw status")
print(p.name)
p:console("hw version")
for line in p.grabbed_output:gmatch("[^\r\n]+") do
if line:find("Unique ID") or line:find("uC:") then
print(line)
end
end
print("Device:", p.name)
p:console("Rem passthru remark! :coffee:", true)


@ -2,5 +2,13 @@
import pm3
p=pm3.pm3()
p.console("hw status")
p.console("hw version")
for line in p.grabbed_output.split('\n'):
if "Unique ID" in line:
print(line)
if "uC:" in line:
print(line)
print("Device:", p.name)
p.console("Rem passthru remark! :coffee:", True)


@ -1,13 +0,0 @@
#!/usr/bin/env python3
import pm3
from output_grabber import OutputGrabber
out = OutputGrabber()
p=pm3.pm3()
print("Device:", p.name)
with out:
p.console("hw status")
for line in out.captured_output.split('\n'):
if "Unique ID" in line:
print(line)


@ -2,5 +2,14 @@
local pm3 = require("pm3")
p=pm3.pm3("/dev/ttyACM0")
p:console("hw status")
print(p.name)
p:console("hw version")
for line in p.grabbed_output:gmatch("[^\r\n]+") do
if line:find("Unique ID") or line:find("uC:") then
print(line)
end
end
print("Device:", p.name)
p:console("Rem passthru remark! :coffee:", true)


@ -1,3 +0,0 @@
#!/bin/bash
PYTHONPATH=../../pyscripts ipython3 -i ./test_grab.py


@ -2,5 +2,13 @@
import pm3
p=pm3.pm3("/dev/ttyACM0")
p.console("hw status")
p.console("hw version")
for line in p.grabbed_output.split('\n'):
if "Unique ID" in line:
print(line)
if "uC:" in line:
print(line)
print("Device:", p.name)
p.console("Rem passthru remark! :coffee:", True)


@ -1,13 +0,0 @@
#!/usr/bin/env python3
import pm3
from output_grabber import OutputGrabber
out = OutputGrabber()
p=pm3.pm3("/dev/ttyACM0")
print("Device:", p.name)
with out:
p.console("hw status")
for line in out.captured_output.split('\n'):
if "Unique ID" in line:
print(line)


@ -16,10 +16,13 @@
#ifndef LIBPM3_H
#define LIBPM3_H
#include <stdbool.h>
typedef struct pm3_device pm3;
pm3 *pm3_open(const char *port);
int pm3_console(pm3 *dev, const char *cmd);
int pm3_console(pm3 *dev, const char *cmd, bool passthru);
const char *pm3_grabbed_output_get(pm3 *dev);
const char *pm3_name_get(pm3 *dev);
void pm3_close(pm3 *dev);
pm3 *pm3_get_current_dev(void);
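Review bot: The new `pm3_grabbed_output_get` prototype says nothing about who owns the returned string or how long it stays valid, and the implementation in this same commit hands back a pointer into the shared grab buffer and resets the buffer's index, so a caller that keeps the pointer across the next `pm3_console` call is presumably reading reused storage. Suggest a comment above the declaration: `/* Returns the console output grabbed since the last call and resets the grab buffer; the pointer refers to shared storage and should be treated as invalid after the next pm3_console() or pm3_close() — copy it if you need to keep it. */`. A one-line comment on `pm3_console` explaining that `passthru` prints to the console instead of grabbing would also help binding users, since the behaviour is only visible in `pm3.c`.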


@ -11,7 +11,7 @@
# * 16 random keys with keyA==keyB in each sector: ~30 min
# * 24 random keys, some reused across sectors: <1 min
#
# Doegox, 2024
# Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
import os
import sys
@ -19,7 +19,6 @@ import time
import subprocess
import argparse
import pm3
from output_grabber import OutputGrabber
# optional color support
try:
# pip install ansicolors
@ -33,18 +32,25 @@ BACKDOOR_RF08S = "A396EFA4E24F"
NUM_SECTORS = 16
if os.path.basename(os.path.dirname(os.path.dirname(sys.argv[0]))) == 'client':
# dev setup
TOOLS_PATH = f"{os.path.dirname(sys.argv[0])}/../../tools/mfc/card_only"
TOOLS_PATH = os.path.normpath(os.path.join(f"{os.path.dirname(sys.argv[0])}",
"..", "..", "tools", "mfc", "card_only"))
else:
# assuming installed
TOOLS_PATH = f"{os.path.dirname(sys.argv[0])}/../tools"
TOOLS_PATH = os.path.normpath(os.path.join(f"{os.path.dirname(sys.argv[0])}",
"..", "tools"))
STATICNESTED_1NT = f"{TOOLS_PATH}/staticnested_1nt"
STATICNESTED_2X1NT = f"{TOOLS_PATH}/staticnested_2x1nt_rf08s"
STATICNESTED_2X1NT1KEY = f"{TOOLS_PATH}/staticnested_2x1nt_rf08s_1key"
for bin in [STATICNESTED_1NT, STATICNESTED_2X1NT, STATICNESTED_2X1NT1KEY]:
tools = {
"staticnested_1nt": os.path.join(f"{TOOLS_PATH}", "staticnested_1nt"),
"staticnested_2x1nt": os.path.join(f"{TOOLS_PATH}", "staticnested_2x1nt_rf08s"),
"staticnested_2x1nt1key": os.path.join(f"{TOOLS_PATH}", "staticnested_2x1nt_rf08s_1key"),
}
for tool, bin in tools.items():
if not os.path.isfile(bin):
print(f"Cannot find {bin}, abort!")
exit()
if os.path.isfile(bin + ".exe"):
tools[tool] = bin + ".exe"
else:
print(f"Cannot find {bin}, abort!")
exit()
parser = argparse.ArgumentParser(description='A script combining staticnested* tools '
'to recover all keys from a FM11RF08S card.')
@ -54,27 +60,24 @@ parser.add_argument('-d', '--debug', action='store_true', help='Enable debug mod
args = parser.parse_args()
start_time = time.time()
out = OutputGrabber()
p = pm3.pm3()
restore_color = False
with out:
p.console("prefs get color")
p.console("prefs set color --off")
for line in out.captured_output.split('\n'):
p.console("prefs get color")
p.console("prefs set color --off")
for line in p.grabbed_output.split('\n'):
if "ansi" in line:
restore_color = True
with out:
p.console("hf 14a read")
p.console("hf 14a read")
uid = None
for line in out.captured_output.split('\n'):
for line in p.grabbed_output.split('\n'):
if "UID:" in line:
uid = int(line[10:].replace(' ', ''), 16)
if uid is None:
print("Card not found")
if restore_color:
with out:
p.console("prefs set color --ansi")
p.console("prefs set color --ansi")
_ = p.grabbed_output
exit()
print("UID: " + color(f"{uid:08X}", fg="green"))
@ -87,9 +90,8 @@ def print_key(sec, key_type, key):
found_keys = [["", ""] for _ in range(NUM_SECTORS)]
if not args.no_init_check:
print("Checking default keys...")
with out:
p.console("hf mf fchk")
for line in out.captured_output.split('\n'):
p.console("hf mf fchk")
for line in p.grabbed_output.split('\n'):
if "[+] 0" in line:
res = [x.strip() for x in line.split('|')]
sec = int(res[0][4:])
@ -104,18 +106,17 @@ nt = [["", ""] for _ in range(NUM_SECTORS)]
nt_enc = [["", ""] for _ in range(NUM_SECTORS)]
par_err = [["", ""] for _ in range(NUM_SECTORS)]
print("Getting nonces...")
with out:
for sec in range(NUM_SECTORS):
blk = sec * 4
if found_keys[sec][0] == "" or found_keys[sec][1] == "":
# Even if one key already found, we'll need both nt
for key_type in [0, 1]:
cmd = f"hf mf isen -n1 --blk {blk} -c {key_type+4} --key {BACKDOOR_RF08S}"
p.console(cmd)
cmd += f" --c2 {key_type}"
p.console(cmd)
for sec in range(NUM_SECTORS):
blk = sec * 4
if found_keys[sec][0] == "" or found_keys[sec][1] == "":
# Even if one key already found, we'll need both nt
for key_type in [0, 1]:
cmd = f"hf mf isen -n1 --blk {blk} -c {key_type+4} --key {BACKDOOR_RF08S}"
p.console(cmd)
cmd += f" --c2 {key_type}"
p.console(cmd)
print("Processing traces...")
for line in out.captured_output.split('\n'):
for line in p.grabbed_output.split('\n'):
if "nested cmd: 64" in line or "nested cmd: 65" in line:
sec = int(line[24:26], 16)//4
key_type = int(line[21:23], 16) - 0x64
@ -128,6 +129,17 @@ for line in out.captured_output.split('\n'):
nt_enc[sec][key_type] = data
data = line[128:136]
par_err[sec][key_type] = data
for sec in range(NUM_SECTORS):
if found_keys[sec][0] == "" or found_keys[sec][1] == "":
for key_type in [0, 1]:
if (nt[sec][key_type] == "" or
nt_enc[sec][key_type] == "" or
par_err[sec][key_type] == ""):
print("Error, could not collect nonces, abort")
if restore_color:
p.console("prefs set color --ansi")
_ = p.grabbed_output
exit()
print("Running staticnested_1nt & 2x1nt when doable...")
keys = [[set(), set()] for _ in range(NUM_SECTORS)]
@ -140,12 +152,12 @@ for sec in range(NUM_SECTORS):
continue
if found_keys[sec][0] == "" and found_keys[sec][1] == "" and nt[sec][0] != nt[sec][1]:
for key_type in [0, 1]:
cmd = [STATICNESTED_1NT, f"{uid:08X}", f"{sec}",
cmd = [tools["staticnested_1nt"], f"{uid:08X}", f"{sec}",
nt[sec][key_type], nt_enc[sec][key_type], par_err[sec][key_type]]
if args.debug:
print(' '.join(cmd))
subprocess.run(cmd, capture_output=True)
cmd = [STATICNESTED_2X1NT,
cmd = [tools["staticnested_2x1nt"],
f"keys_{uid:08x}_{sec:02}_{nt[sec][0]}.dic", f"keys_{uid:08x}_{sec:02}_{nt[sec][1]}.dic"]
if args.debug:
print(' '.join(cmd))
@ -165,7 +177,7 @@ for sec in range(NUM_SECTORS):
key_type = 0
else:
key_type = 1
cmd = [STATICNESTED_1NT, f"{uid:08X}", f"{sec}",
cmd = [tools["staticnested_1nt"], f"{uid:08X}", f"{sec}",
nt[sec][key_type], nt_enc[sec][key_type], par_err[sec][key_type]]
if args.debug:
print(' '.join(cmd))
@ -217,9 +229,8 @@ for sec in range(NUM_SECTORS):
cmd = f"hf mf fchk --blk {sec * 4} -{kt} -f {dic} --no-default"
if args.debug:
print(cmd)
with out:
p.console(cmd)
for line in out.captured_output.split('\n'):
p.console(cmd)
for line in p.grabbed_output.split('\n'):
if "aborted via keyboard" in line:
abort = True
if "found:" in line:
@ -244,9 +255,8 @@ for sec in range(NUM_SECTORS):
cmd = f"hf mf fchk --blk {sec * 4} -{kt} -f {dic} --no-default"
if args.debug:
print(cmd)
with out:
p.console(cmd)
for line in out.captured_output.split('\n'):
p.console(cmd)
for line in p.grabbed_output.split('\n'):
if "aborted via keyboard" in line:
abort = True
if "found:" in line:
@ -266,9 +276,8 @@ for sec in range(NUM_SECTORS):
cmd = f"hf mf fchk --blk {sec * 4} -{kt} -f {dic} --no-default"
if args.debug:
print(cmd)
with out:
p.console(cmd)
for line in out.captured_output.split('\n'):
p.console(cmd)
for line in p.grabbed_output.split('\n'):
if "aborted via keyboard" in line:
abort = True
if "found:" in line:
@ -293,7 +302,7 @@ for sec in range(NUM_SECTORS):
dic = f"keys_{uid:08x}_{sec:02}_{nt[sec][key_type_target]}_filtered.dic"
else:
dic = f"keys_{uid:08x}_{sec:02}_{nt[sec][key_type_target]}.dic"
cmd = [STATICNESTED_2X1NT1KEY, nt[sec][key_type_source], found_keys[sec][key_type_source], dic]
cmd = [tools["staticnested_2x1nt1key"], nt[sec][key_type_source], found_keys[sec][key_type_source], dic]
if args.debug:
print(' '.join(cmd))
result = subprocess.run(cmd, capture_output=True, text=True).stdout
@ -309,9 +318,8 @@ for sec in range(NUM_SECTORS):
cmd += f" -k {k}"
if args.debug:
print(cmd)
with out:
p.console(cmd)
for line in out.captured_output.split('\n'):
p.console(cmd)
for line in p.grabbed_output.split('\n'):
if "aborted via keyboard" in line:
abort = True
if "found:" in line:
@ -323,8 +331,8 @@ for sec in range(NUM_SECTORS):
if abort:
break
if restore_color:
with out:
p.console("prefs set color --ansi")
p.console("prefs set color --ansi")
_ = p.grabbed_output
if abort:
print("Brute-forcing phase aborted via keyboard!")
@ -374,10 +382,7 @@ else:
cmd = f"hf mf fchk -f keys_{uid:08x}.dic --no-default --dump"
if args.debug:
print(cmd)
with out:
p.console(cmd)
for line in out.captured_output.split('\n'):
print(line)
p.console(cmd, passthru = True)
elapsed_time = time.time() - start_time
minutes = int(elapsed_time // 60)
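Review bot: The colour-restore cleanup `p.console("prefs set color --ansi")` followed by `_ = p.grabbed_output` is now duplicated at three sites (card-not-found, the new nonce-collection abort, and after the brute-force loop), and the bare `_ = p.grabbed_output` reads as a stray statement unless the reader knows it drains the grab buffer, so a small module-level helper next to `print_key` would keep the three sites in step. In the tool lookup loop, `tools[tool] = bin + ".exe"` rewrites the dict while iterating `tools.items()`; it works because no key is added, but `bin` also shadows the builtin and a comprehension over the candidate paths would be clearer. Minor: `p.console(cmd, passthru = True)` on the final dump should be `p.console(cmd, passthru=True)` per PEP 8.
```python
def restore_color_if_needed():
    """Re-enable ANSI colours if this script switched them off at startup."""
    if restore_color:
        p.console("prefs set color --ansi")
        # drain the grab buffer so the reply does not leak into the next read
        _ = p.grabbed_output

# … unchanged: the three call sites become restore_color_if_needed() (plus exit() where they exit) …
```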


@ -1,81 +0,0 @@
import os
import sys
import threading
import time
# From https://stackoverflow.com/a/29834357
class OutputGrabber(object):
"""
Class used to grab standard output or another stream.
"""
escape_char = "\b"
def __init__(self, stream=None, threaded=False):
self.origstream = stream
self.threaded = threaded
if self.origstream is None:
self.origstream = sys.stdout
self.origstreamfd = self.origstream.fileno()
self.captured_output = ""
def __enter__(self):
self.start()
return self
def __exit__(self, type, value, traceback):
self.stop()
def start(self):
"""
Start capturing the stream data.
"""
self.captured_output = ""
# Create a pipe so the stream can be captured:
self.pipe_out, self.pipe_in = os.pipe()
# Save a copy of the stream:
self.streamfd = os.dup(self.origstreamfd)
# Replace the original stream with our write pipe:
os.dup2(self.pipe_in, self.origstreamfd)
if self.threaded:
# Start thread that will read the stream:
self.workerThread = threading.Thread(target=self.readOutput)
self.workerThread.start()
# Make sure that the thread is running and os.read() has executed:
time.sleep(0.01)
def stop(self):
"""
Stop capturing the stream data and save the text in `captured_output`.
"""
# Print the escape character to make the readOutput method stop:
self.origstream.write(self.escape_char)
# Flush the stream to make sure all our data goes in before
# the escape character:
self.origstream.flush()
if self.threaded:
# wait until the thread finishes so we are sure that
# we have until the last character:
self.workerThread.join()
else:
self.readOutput()
# Close the pipe:
os.close(self.pipe_in)
os.close(self.pipe_out)
# Restore the original stream:
os.dup2(self.streamfd, self.origstreamfd)
# Close the duplicate stream:
os.close(self.streamfd)
def readOutput(self):
"""
Read the stream data (one byte at a time)
and save the text in `captured_output`.
"""
while True:
char = os.read(self.pipe_out,1).decode(self.origstream.encoding, errors='replace')
if not char or self.escape_char in char:
break
self.captured_output += char
if __name__ == "__main__":
print("This is a library, don't use it as a script")


@ -1,13 +1,10 @@
# This file was automatically generated by SWIG (http://www.swig.org).
# Version 4.0.2
# This file was automatically generated by SWIG (https://www.swig.org).
# Version 4.2.1
#
# Do not make changes to this file unless you know what you are doing--modify
# Do not make changes to this file unless you know what you are doing - modify
# the SWIG interface file instead.
from sys import version_info as _swig_python_version_info
if _swig_python_version_info < (2, 7, 0):
raise RuntimeError("Python 2.7 or later required")
# Import the low-level C/C++ module
if __package__ or "." in __name__:
from . import _pm3
@ -29,10 +26,10 @@ def _swig_repr(self):
def _swig_setattr_nondynamic_instance_variable(set):
def set_instance_attr(self, name, value):
if name == "thisown":
self.this.own(value)
elif name == "this":
if name == "this":
set(self, name, value)
elif name == "thisown":
self.this.own(value)
elif hasattr(self, name) and isinstance(getattr(type(self), name), property):
set(self, name, value)
else:
@ -69,9 +66,10 @@ class pm3(object):
_pm3.pm3_swiginit(self, _pm3.new_pm3(*args))
__swig_destroy__ = _pm3.delete_pm3
def console(self, cmd):
return _pm3.pm3_console(self, cmd)
def console(self, cmd, passthru=False):
return _pm3.pm3_console(self, cmd, passthru)
name = property(_pm3.pm3_name_get)
grabbed_output = property(_pm3.pm3_grabbed_output_get)
# Register pm3 in _pm3:
_pm3.pm3_swigregister(pm3)


@ -4579,20 +4579,24 @@ static int CmdHFiClassEncode(const char *Cmd) {
"Use either --bin or --wiegand/--fc/--cn",
"hf iclass encode --bin 10001111100000001010100011 --ki 0 -> FC 31 CN 337 (H10301)\n"
"hf iclass encode -w H10301 --fc 31 --cn 337 --ki 0 -> FC 31 CN 337 (H10301)\n"
"hf iclass encode --bin 10001111100000001010100011 --ki 0 --elite -> FC 31 CN 337 (H10301), writing w elite key"
"hf iclass encode --bin 10001111100000001010100011 --ki 0 --elite -> FC 31 CN 337 (H10301), writing w elite key\n"
"hf iclass encode -w H10301 --fc 31 --cn 337 --emu -> Writes the ecoded data to emulator memory\n"
"When using emulator you have to first load a credential into emulator memory"
);
void *argtable[] = {
arg_param_begin,
arg_str0(NULL, "bin", "<bin>", "Binary string i.e 0001001001"),
arg_int1(NULL, "ki", "<dec>", "Key index to select key from memory 'hf iclass managekeys'"),
arg_int0(NULL, "ki", "<dec>", "Key index to select key from memory 'hf iclass managekeys'"),
arg_lit0(NULL, "credit", "key is assumed to be the credit key"),
arg_lit0(NULL, "elite", "elite computations applied to key"),
arg_lit0(NULL, "raw", "no computations applied to key"),
arg_str0(NULL, "enckey", "<hex>", "3DES transport key, 16 hex bytes"),
arg_u64_0(NULL, "fc", "<dec>", "facility code"),
arg_u64_0(NULL, "cn", "<dec>", "card number"),
arg_u64_0(NULL, "issue", "<dec>", "issue level"),
arg_str0("w", "wiegand", "<format>", "see " _YELLOW_("`wiegand list`") " for available formats"),
arg_lit0(NULL, "emu", "Write to emulation memory instead of card"),
arg_lit0(NULL, "shallow", "use shallow (ASK) reader modulation instead of OOK"),
arg_lit0("v", NULL, "verbose (print encoded blocks)"),
arg_param_end
@ -4605,19 +4609,29 @@ static int CmdHFiClassEncode(const char *Cmd) {
CLIGetStrWithReturn(ctx, 1, bin, &bin_len);
int key_nr = arg_get_int_def(ctx, 2, -1);
bool auth = false;
bool use_emulator_memory = arg_get_lit(ctx, 11);
bool auth = false;
uint8_t key[8] = {0};
if (key_nr >= 0) {
if (key_nr < ICLASS_KEYS_MAX) {
auth = true;
memcpy(key, iClass_Key_Table[key_nr], 8);
PrintAndLogEx(SUCCESS, "Using key[%d] " _GREEN_("%s"), key_nr, sprint_hex(iClass_Key_Table[key_nr], 8));
} else {
PrintAndLogEx(ERR, "Key number is invalid");
CLIParserFree(ctx);
// If we use emulator memory skip key requirement
if (!use_emulator_memory) {
if (key_nr < 0) {
PrintAndLogEx(ERR, "Missing required arg for --ki or --emu");
return PM3_EINVARG;
}
if (key_nr >= 0) {
if (key_nr < ICLASS_KEYS_MAX) {
auth = true;
memcpy(key, iClass_Key_Table[key_nr], 8);
PrintAndLogEx(SUCCESS, "Using key[%d] " _GREEN_("%s"), key_nr, sprint_hex(iClass_Key_Table[key_nr], 8));
} else {
PrintAndLogEx(ERR, "Key number is invalid");
CLIParserFree(ctx);
return PM3_EINVARG;
}
}
}
bool use_credit_key = arg_get_lit(ctx, 3);
@ -4635,13 +4649,15 @@ static int CmdHFiClassEncode(const char *Cmd) {
memset(&card, 0, sizeof(wiegand_card_t));
card.FacilityCode = arg_get_u32_def(ctx, 7, 0);
card.CardNumber = arg_get_u32_def(ctx, 8, 0);
card.IssueLevel = arg_get_u32_def(ctx, 9, 0);
char format[16] = {0};
int format_len = 0;
CLIParamStrToBuf(arg_get_str(ctx, 9), (uint8_t *)format, sizeof(format), &format_len);
CLIParamStrToBuf(arg_get_str(ctx, 10), (uint8_t *)format, sizeof(format), &format_len);
bool shallow_mod = arg_get_lit(ctx, 10);
bool verbose = arg_get_lit(ctx, 11);
bool shallow_mod = arg_get_lit(ctx, 12);
bool verbose = arg_get_lit(ctx, 13);
CLIParserFree(ctx);
@ -4669,7 +4685,12 @@ static int CmdHFiClassEncode(const char *Cmd) {
}
if (have_enc_key == false) {
use_sc = IsCardHelperPresent(false);
// The IsCardHelperPresent function clears the emulator memory
if (use_emulator_memory) {
use_sc = false;
} else {
use_sc = IsCardHelperPresent(false);
}
if (use_sc == false) {
size_t keylen = 0;
int res = loadFile_safe(ICLASS_DECRYPTION_BIN, "", (void **)&enckeyptr, &keylen);
@ -4774,15 +4795,22 @@ static int CmdHFiClassEncode(const char *Cmd) {
int isok = PM3_SUCCESS;
// write
for (uint8_t i = 0; i < 4; i++) {
isok = iclass_write_block(6 + i, credential + (i * 8), NULL, key, use_credit_key, elite, rawkey, false, false, auth, shallow_mod);
switch (isok) {
case PM3_SUCCESS:
PrintAndLogEx(SUCCESS, "Write block %d/0x0%x ( " _GREEN_("ok") " ) --> " _YELLOW_("%s"), 6 + i, 6 + i, sprint_hex_inrow(credential + (i * 8), 8));
break;
default:
PrintAndLogEx(INFO, "Write block %d/0x0%x ( " _RED_("fail") " )", 6 + i, 6 + i);
break;
if (use_emulator_memory) {
uint16_t byte_sent = 0;
iclass_upload_emul(credential, sizeof(credential), 6 * PICOPASS_BLOCK_SIZE, &byte_sent);
PrintAndLogEx(SUCCESS, "uploaded " _YELLOW_("%d") " bytes to emulator memory", byte_sent);
PrintAndLogEx(HINT, "You are now ready to simulate. See " _YELLOW_("`hf iclass sim -h`"));
} else {
for (uint8_t i = 0; i < 4; i++) {
isok = iclass_write_block(6 + i, credential + (i * 8), NULL, key, use_credit_key, elite, rawkey, false, false, auth, shallow_mod);
switch (isok) {
case PM3_SUCCESS:
PrintAndLogEx(SUCCESS, "Write block %d/0x0%x ( " _GREEN_("ok") " ) --> " _YELLOW_("%s"), 6 + i, 6 + i, sprint_hex_inrow(credential + (i * 8), 8));
break;
default:
PrintAndLogEx(INFO, "Write block %d/0x0%x ( " _RED_("fail") " )", 6 + i, 6 + i);
break;
}
}
}
return isok;
@ -4962,7 +4990,7 @@ static int CmdHFiClassSAM(const char *Cmd) {
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "Wiegand decode");
wiegand_message_t packed = initialize_message_object(top, mid, bot, 0);
wiegand_message_t packed = initialize_message_object(top, mid, bot, strlen(binstr));
HIDTryUnpack(&packed);
PrintAndLogEx(NORMAL, "");
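Review bot: The new `--ki`/`--emu` check in CmdHFiClassEncode returns `PM3_EINVARG` without releasing the CLI parser context, whereas the sibling "Key number is invalid" branch calls `CLIParserFree(ctx)` before returning, so the early-exit path leaks `ctx`; add `CLIParserFree(ctx);` before that `return PM3_EINVARG;`. The inner `if (key_nr >= 0)` that follows is always true once the `< 0` case has returned, so that level of nesting can be dropped. Also the new help line says "Writes the ecoded data" — "encoded". CmdHFiClassEncode starts and ends outside these hunks.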


@ -9512,9 +9512,9 @@ static int CmdHF14AMfInfo(const char *Cmd) {
return PM3_EMALLOC;
}
uint8_t blockdata[MFBLOCK_SIZE] = {0};
res = mfCheckKeys_fast(sectorsCnt, true, true, 1, keycnt, keyBlock, e_sector, false, verbose);
if (res == PM3_SUCCESS || res == PM3_EPARTIAL) {
uint8_t blockdata[MFBLOCK_SIZE] = {0};
if (e_sector[0].foundKey[MF_KEY_A]) {
PrintAndLogEx(SUCCESS, "Sector 0 key A... " _GREEN_("%012" PRIX64), e_sector[0].Key[MF_KEY_A]);
@ -9539,20 +9539,59 @@ static int CmdHF14AMfInfo(const char *Cmd) {
if (e_sector[1].foundKey[MF_KEY_A]) {
PrintAndLogEx(SUCCESS, "Sector 1 key A... " _GREEN_("%012" PRIX64), e_sector[1].Key[MF_KEY_A]);
}
}
if (fKeyType != 0xFF) {
PrintAndLogEx(SUCCESS, "Block 0.......... %s", sprint_hex(blockdata, MFBLOCK_SIZE));
uint8_t k08s[6] = {0xA3, 0x96, 0xEF, 0xA4, 0xE2, 0x4F};
if (mfReadBlock(0, 4, k08s, blockdata) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "Backdoor key..... " _RED_("%02X%02X%02X%02X%02X%02X"), k08s[0], k08s[1], k08s[2], k08s[3], k08s[4], k08s[5]);
fKeyType = MF_KEY_BD08S;
}
uint8_t k08[6] = {0xA3, 0x16, 0x67, 0xA8, 0xCE, 0xC1};
if (mfReadBlock(0, 4, k08, blockdata) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "Backdoor key..... " _RED_("%02X%02X%02X%02X%02X%02X"), k08[0], k08[1], k08[2], k08[3], k08[4], k08[5]);
fKeyType = MF_KEY_BD08;
}
if (fKeyType != 0xFF) {
PrintAndLogEx(SUCCESS, "Block 0.......... %s", sprint_hex(blockdata, MFBLOCK_SIZE));
}
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint"));
if (fKeyType != 0xFF) {
// cards with known backdoor
if (memcmp(blockdata + 8, "\x62\x63\x64\x65\x66\x67\x68\x69", 8) == 0) {
// backdoor might be present, or just a clone reusing Fudan MF data...
PrintAndLogEx(SUCCESS, "Fudan based card");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x08\x04\x00", 3) == 0
&& (blockdata[8] == 0x03 || blockdata[8] == 0x04) && blockdata[15] == 0x90) {
PrintAndLogEx(SUCCESS, "Fudan FM11RF08S");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x00\x03\x00\x10", 4) == 0
&& blockdata[15] == 0x90) {
PrintAndLogEx(SUCCESS, "Fudan FM11RF08S-7B");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x08\x04\x00", 3) == 0
&& (blockdata[8] >= 0x01 && blockdata[8] <= 0x03) && blockdata[15] == 0x1D) {
PrintAndLogEx(SUCCESS, "Fudan FM11RF08");
} else if (card.sak == 0x88 && memcmp(blockdata + 5, "\x88\x04\x00\x43", 4) == 0) {
PrintAndLogEx(SUCCESS, "Infineon SLE66R35");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x44", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS5003");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x45", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS5004");
} else if (fKeyType == MF_KEY_BD08 || fKeyType == MF_KEY_BD08S) {
PrintAndLogEx(SUCCESS, _RED_("Unknown card with backdoor, please report details!"));
}
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint"));
if (
(blockdata[8] == 0x03 && blockdata[15] == 0x90) ||
(blockdata[9] == 0x02 && blockdata[14] == 0x1D) ||
(blockdata[8] == 0x04 && blockdata[15] == 0x90) ||
(memcmp(blockdata + 8, "\x62\x63\x64\x65\x66\x67\x68\x69", 8) == 0)
) {
PrintAndLogEx(SUCCESS, "FUDAN based card");
// other cards
if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x46", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS5005");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x47", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS5006");
} else if (card.sak == 0x09 && memcmp(blockdata + 5, "\x89\x04\x00\x47", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS2006");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\x48", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS5007");
} else if (card.sak == 0x08 && memcmp(blockdata + 5, "\x88\x04\x00\xc0", 4) == 0) {
PrintAndLogEx(SUCCESS, "NXP MF1ICS5035");
}
if (e_sector[1].foundKey[MF_KEY_A] && (e_sector[1].Key[MF_KEY_A] == 0x2A2C13CC242A)) {
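Review bot: In the new backdoor-key probe in CmdHF14AMfInfo, the second `mfReadBlock(0, 4, k08, blockdata)` is attempted even when the first read with `k08s` already succeeded, so a card that answers both would get a second RF exchange, a second "Backdoor key....." line, and `fKeyType` silently overwritten to `MF_KEY_BD08`; guarding the second probe with `if (fKeyType == 0xFF && mfReadBlock(0, 4, k08, blockdata) == PM3_SUCCESS)` keeps the first match. The two key arrays are inline magic bytes; a named constant shared with the script in this commit (which spells the same value as `BACKDOOR_RF08S`) would keep them in one place. The fingerprint block reads `card.sak` and `blockdata` from outside the hunk; the function starts and ends outside these hunks.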


@ -53,18 +53,32 @@ void pm3_close(pm3_device_t *dev) {
msleep(100); // Make sure command is sent before killing client
CloseProxmark(dev);
}
free_grabber();
}
int pm3_console(pm3_device_t *dev, const char *cmd) {
int pm3_console(pm3_device_t *dev, const char *cmd, bool passthru) {
// For now, there is no real device context:
(void) dev;
return CommandReceived(cmd);
uint8_t prev_printAndLog = g_printAndLog;
if (! passthru) {
g_printAndLog |= PRINTANDLOG_GRAB;
g_printAndLog &= ~PRINTANDLOG_PRINT;
}
int ret = CommandReceived(cmd);
g_printAndLog = prev_printAndLog;
return ret;
}
const char *pm3_name_get(pm3_device_t *dev) {
return dev->g_conn->serial_port_name;
}
const char *pm3_grabbed_output_get(pm3_device_t *dev) {
char *tmp = g_grabbed_output.ptr;
g_grabbed_output.idx = 0;
return tmp;
}
pm3_device_t *pm3_get_current_dev(void) {
return g_session.current_device;
}
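Review bot: `pm3_grabbed_output_get` returns `g_grabbed_output.ptr` with no NULL check, so before any grabbed command, or after `pm3_close` has called `free_grabber()`, the bindings receive NULL (Lua then does `lua_pushstring(L, NULL)`, Python `SWIG_FromCharPtr(NULL)`), and if `free_grabber()` does not clear `ptr` the pointer is dangling — worth confirming against the grabber implementation. A defensive `if (g_grabbed_output.ptr == NULL) return "";` before the index reset would make the property safe to read at any time. The function also deserves a comment stating that it resets `idx` but returns the buffer's existing contents, so the string is valid only until the next `pm3_console` call; whether the buffer is NUL-terminated at `idx` is not visible here.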


@ -8,6 +8,13 @@
/* Strip "pm3_" from API functions for SWIG */
%rename("%(strip:[pm3_])s") "";
%feature("immutable","1") pm3_current_dev;
#ifdef PYWRAP
#include <Python.h>
%typemap(default) bool passthru {
$1 = Py_False;
}
#endif
typedef struct {
%extend {
pm3() {
@ -30,8 +37,9 @@ typedef struct {
pm3_close($self);
}
}
int console(char *cmd);
int console(char *cmd, bool passthru = false);
char const * const name;
char const * const grabbed_output;
}
} pm3;
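Review bot: The Python-only typemap `%typemap(default) bool passthru { $1 = Py_False; }` assigns a `PyObject *` to a C `bool`, which, if the typemap is ever applied, yields a non-zero (true) default rather than false; the generated wrapper in this commit initialises `arg3 = (bool) false` from the C++ default argument instead, so the typemap looks either dead or wrong. Either drop the block and rely on `bool passthru = false` in the `%extend`, or make it `$1 = false;`. The `#include <Python.h>` inside `#ifdef PYWRAP` then becomes unnecessary for this purpose.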
//%nodefaultctor device;


@ -2768,18 +2768,23 @@ static int _wrap_pm3_console(lua_State *L) {
int SWIG_arg = 0;
pm3 *arg1 = (pm3 *) 0 ;
char *arg2 = (char *) 0 ;
bool arg3 = (bool) false ;
int result;
SWIG_check_num_args("pm3::console", 2, 2)
SWIG_check_num_args("pm3::console", 2, 3)
if (!SWIG_isptrtype(L, 1)) SWIG_fail_arg("pm3::console", 1, "pm3 *");
if (!SWIG_lua_isnilstring(L, 2)) SWIG_fail_arg("pm3::console", 2, "char *");
if (lua_gettop(L) >= 3 && !lua_isboolean(L, 3)) SWIG_fail_arg("pm3::console", 3, "bool");
if (!SWIG_IsOK(SWIG_ConvertPtr(L, 1, (void **)&arg1, SWIGTYPE_p_pm3, 0))) {
SWIG_fail_ptr("pm3_console", 1, SWIGTYPE_p_pm3);
}
arg2 = (char *)lua_tostring(L, 2);
result = (int)pm3_console(arg1, arg2);
if (lua_gettop(L) >= 3) {
arg3 = (lua_toboolean(L, 3) != 0);
}
result = (int)pm3_console(arg1, arg2, arg3);
lua_pushnumber(L, (lua_Number) result);
SWIG_arg++;
return SWIG_arg;
@ -2815,6 +2820,30 @@ fail:
}
static int _wrap_pm3_grabbed_output_get(lua_State *L) {
int SWIG_arg = 0;
pm3 *arg1 = (pm3 *) 0 ;
char *result = 0 ;
SWIG_check_num_args("pm3::grabbed_output", 1, 1)
if (!SWIG_isptrtype(L, 1)) SWIG_fail_arg("pm3::grabbed_output", 1, "pm3 *");
if (!SWIG_IsOK(SWIG_ConvertPtr(L, 1, (void **)&arg1, SWIGTYPE_p_pm3, 0))) {
SWIG_fail_ptr("pm3_grabbed_output_get", 1, SWIGTYPE_p_pm3);
}
result = (char *)pm3_grabbed_output_get(arg1);
lua_pushstring(L, (const char *)result);
SWIG_arg++;
return SWIG_arg;
fail:
SWIGUNUSED;
lua_error(L);
return 0;
}
static void swig_delete_pm3(void *obj) {
pm3 *arg1 = (pm3 *) obj;
delete_pm3(arg1);
@ -2829,6 +2858,7 @@ static int _proxy__wrap_new_pm3(lua_State *L) {
}
static swig_lua_attribute swig_pm3_attributes[] = {
{ "name", _wrap_pm3_name_get, SWIG_Lua_set_immutable },
{ "grabbed_output", _wrap_pm3_grabbed_output_get, SWIG_Lua_set_immutable },
{0, 0, 0}
};
static swig_lua_method swig_pm3_methods[] = {


@ -3270,6 +3270,149 @@ SWIGINTERN void delete_pm3(pm3 *self) {
}
}
SWIGINTERN int
SWIG_AsVal_double(PyObject *obj, double *val) {
int res = SWIG_TypeError;
if (PyFloat_Check(obj)) {
if (val) *val = PyFloat_AsDouble(obj);
return SWIG_OK;
#if PY_VERSION_HEX < 0x03000000
} else if (PyInt_Check(obj)) {
if (val) *val = (double) PyInt_AsLong(obj);
return SWIG_OK;
#endif
} else if (PyLong_Check(obj)) {
double v = PyLong_AsDouble(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_OK;
} else {
PyErr_Clear();
}
}
#ifdef SWIG_PYTHON_CAST_MODE
{
int dispatch = 0;
double d = PyFloat_AsDouble(obj);
if (!PyErr_Occurred()) {
if (val) *val = d;
return SWIG_AddCast(SWIG_OK);
} else {
PyErr_Clear();
}
if (!dispatch) {
long v = PyLong_AsLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_AddCast(SWIG_AddCast(SWIG_OK));
} else {
PyErr_Clear();
}
}
}
#endif
return res;
}
#include <float.h>
#include <math.h>
SWIGINTERNINLINE int
SWIG_CanCastAsInteger(double *d, double min, double max) {
double x = *d;
if ((min <= x && x <= max)) {
double fx, cx, rd;
errno = 0;
fx = floor(x);
cx = ceil(x);
rd = ((x - fx) < 0.5) ? fx : cx; /* simple rint */
if ((errno == EDOM) || (errno == ERANGE)) {
errno = 0;
} else {
double summ, reps, diff;
if (rd < x) {
diff = x - rd;
} else if (rd > x) {
diff = rd - x;
} else {
return 1;
}
summ = rd + x;
reps = diff / summ;
if (reps < 8 * DBL_EPSILON) {
*d = rd;
return 1;
}
}
}
return 0;
}
SWIGINTERN int
SWIG_AsVal_long(PyObject *obj, long *val) {
#if PY_VERSION_HEX < 0x03000000
if (PyInt_Check(obj)) {
if (val) *val = PyInt_AsLong(obj);
return SWIG_OK;
} else
#endif
if (PyLong_Check(obj)) {
long v = PyLong_AsLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_OK;
} else {
PyErr_Clear();
return SWIG_OverflowError;
}
}
#ifdef SWIG_PYTHON_CAST_MODE
{
int dispatch = 0;
long v = PyInt_AsLong(obj);
if (!PyErr_Occurred()) {
if (val) *val = v;
return SWIG_AddCast(SWIG_OK);
} else {
PyErr_Clear();
}
if (!dispatch) {
double d;
int res = SWIG_AddCast(SWIG_AsVal_double(obj, &d));
// Largest double not larger than LONG_MAX (not portably calculated easily)
// Note that double(LONG_MAX) is stored in a double rounded up by one (for 64-bit long)
// 0x7ffffffffffffc00LL == (int64_t)std::nextafter(double(__uint128_t(LONG_MAX)+1), double(0))
const double long_max = sizeof(long) == 8 ? 0x7ffffffffffffc00LL : LONG_MAX;
// No equivalent needed for 64-bit double(LONG_MIN) is exactly LONG_MIN
if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, long_max)) {
if (val) *val = (long)(d);
return res;
}
}
}
#endif
return SWIG_TypeError;
}
SWIGINTERN int
SWIG_AsVal_bool(PyObject *obj, bool *val) {
int r;
if (!PyBool_Check(obj))
return SWIG_ERROR;
r = PyObject_IsTrue(obj);
if (r == -1)
return SWIG_ERROR;
if (val) *val = r ? true : false;
return SWIG_OK;
}
SWIGINTERNINLINE PyObject *
SWIG_From_int(int value) {
return PyInt_FromLong((long) value);
@ -3403,16 +3546,19 @@ SWIGINTERN PyObject *_wrap_pm3_console(PyObject *self, PyObject *args) {
PyObject *resultobj = 0;
pm3 *arg1 = (pm3 *) 0 ;
char *arg2 = (char *) 0 ;
bool arg3 = (bool) false ;
void *argp1 = 0 ;
int res1 = 0 ;
int res2 ;
char *buf2 = 0 ;
int alloc2 = 0 ;
PyObject *swig_obj[2] ;
bool val3 ;
int ecode3 = 0 ;
PyObject *swig_obj[3] ;
int result;
(void)self;
if (!SWIG_Python_UnpackTuple(args, "pm3_console", 2, 2, swig_obj)) SWIG_fail;
if (!SWIG_Python_UnpackTuple(args, "pm3_console", 2, 3, swig_obj)) SWIG_fail;
res1 = SWIG_ConvertPtr(swig_obj[0], &argp1, SWIGTYPE_p_pm3, 0 | 0);
if (!SWIG_IsOK(res1)) {
SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "pm3_console" "', argument " "1"" of type '" "pm3 *""'");
@ -3423,7 +3569,14 @@ SWIGINTERN PyObject *_wrap_pm3_console(PyObject *self, PyObject *args) {
SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "pm3_console" "', argument " "2"" of type '" "char *""'");
}
arg2 = (char *)(buf2);
result = (int)pm3_console(arg1, arg2);
if (swig_obj[2]) {
ecode3 = SWIG_AsVal_bool(swig_obj[2], &val3);
if (!SWIG_IsOK(ecode3)) {
SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "pm3_console" "', argument " "3"" of type '" "bool""'");
}
arg3 = (bool)(val3);
}
result = (int)pm3_console(arg1, arg2, arg3);
resultobj = SWIG_From_int((int)(result));
if (alloc2 == SWIG_NEWOBJ) free((char *)buf2);
return resultobj;
@ -3457,6 +3610,30 @@ fail:
}
SWIGINTERN PyObject *_wrap_pm3_grabbed_output_get(PyObject *self, PyObject *args) {
PyObject *resultobj = 0;
pm3 *arg1 = (pm3 *) 0 ;
void *argp1 = 0 ;
int res1 = 0 ;
PyObject *swig_obj[1] ;
char *result = 0 ;
(void)self;
if (!args) SWIG_fail;
swig_obj[0] = args;
res1 = SWIG_ConvertPtr(swig_obj[0], &argp1, SWIGTYPE_p_pm3, 0 | 0);
if (!SWIG_IsOK(res1)) {
SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "pm3_grabbed_output_get" "', argument " "1"" of type '" "pm3 *""'");
}
arg1 = (pm3 *)(argp1);
result = (char *)pm3_grabbed_output_get(arg1);
resultobj = SWIG_FromCharPtr((const char *)result);
return resultobj;
fail:
return NULL;
}
SWIGINTERN PyObject *pm3_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
PyObject *obj;
if (!SWIG_Python_UnpackTuple(args, "swigregister", 1, 1, &obj)) return NULL;
@ -3473,6 +3650,7 @@ static PyMethodDef SwigMethods[] = {
{ "delete_pm3", _wrap_delete_pm3, METH_O, NULL},
{ "pm3_console", _wrap_pm3_console, METH_VARARGS, NULL},
{ "pm3_name_get", _wrap_pm3_name_get, METH_O, NULL},
{ "pm3_grabbed_output_get", _wrap_pm3_grabbed_output_get, METH_O, NULL},
{ "pm3_swigregister", pm3_swigregister, METH_O, NULL},
{ "pm3_swiginit", pm3_swiginit, METH_VARARGS, NULL},
{ NULL, NULL, 0, NULL }


@ -553,7 +553,7 @@ check_script:
if (cmd[0] != '\0') {
uint8_t old_printAndLog = g_printAndLog;
if (!printprompt) {
g_printAndLog &= PRINTANDLOG_LOG;
g_printAndLog &= ~PRINTANDLOG_PRINT;
}
char prompt[PROXPROMPT_MAX_SIZE] = {0};
prompt_compose(prompt, sizeof(prompt), prompt_ctx, prompt_dev, prompt_net, true);
@ -1462,6 +1462,8 @@ int main(int argc, char *argv[]) {
preferences_save();
}
free_grabber();
return mainret;
}
#endif //LIBPM3


@ -360,7 +360,7 @@ serial_port uart_open(const char *pcPortName, uint32_t speed, bool slient) {
free(prefix);
// Freshly available port can take a while before getting permission to access it. Up to 600ms on my machine...
for (uint8_t i =0; i < 10; i++) {
for (uint8_t i = 0; i < 10; i++) {
sp->fd = open(pcPortName, O_RDWR | O_NOCTTY | O_NDELAY | O_NONBLOCK);
if (sp->fd != -1 || errno != EACCES)
break;


@ -168,6 +168,33 @@ int searchHomeFilePath(char **foundpath, const char *subdir, const char *filenam
return PM3_SUCCESS;
}
void free_grabber(void) {
free(g_grabbed_output.ptr);
g_grabbed_output.ptr = NULL;
g_grabbed_output.size = 0;
g_grabbed_output.idx = 0;
}
static void fill_grabber(const char *string) {
if (g_grabbed_output.ptr == NULL || g_grabbed_output.size - g_grabbed_output.idx < MAX_PRINT_BUFFER) {
char *tmp = realloc(g_grabbed_output.ptr, g_grabbed_output.size + MAX_PRINT_BUFFER);
if (tmp == NULL) {
// We leave current g_grabbed_output untouched
PrintAndLogEx(ERR, "Out of memory error in fill_grabber()");
return;
}
g_grabbed_output.ptr = tmp;
g_grabbed_output.size += MAX_PRINT_BUFFER;
}
int len = snprintf(g_grabbed_output.ptr + g_grabbed_output.idx, MAX_PRINT_BUFFER, "%s", string);
if (len < 0 || len > MAX_PRINT_BUFFER) {
// We leave current g_grabbed_output_len untouched
PrintAndLogEx(ERR, "snprintf error in fill_grabber()");
return;
}
g_grabbed_output.idx += len;
}
void PrintAndLogOptions(const char *str[][2], size_t size, size_t space) {
char buff[2000] = "Options:\n";
char format[2000] = "";
@ -299,12 +326,15 @@ void PrintAndLogEx(logLevel_t level, const char *fmt, ...) {
} else {
snprintf(buffer2, sizeof(buffer2), "%s%s", prefix, buffer);
if (level == INPLACE) {
char buffer3[sizeof(buffer2)] = {0};
char buffer4[sizeof(buffer2)] = {0};
memcpy_filter_ansi(buffer3, buffer2, sizeof(buffer2), !g_session.supports_colors);
memcpy_filter_emoji(buffer4, buffer3, sizeof(buffer3), g_session.emoji_mode);
fprintf(stream, "\r%s", buffer4);
fflush(stream);
// ignore INPLACE if rest of output is grabbed
if (!(g_printAndLog & PRINTANDLOG_GRAB)) {
char buffer3[sizeof(buffer2)] = {0};
char buffer4[sizeof(buffer2)] = {0};
memcpy_filter_ansi(buffer3, buffer2, sizeof(buffer2), !g_session.supports_colors);
memcpy_filter_emoji(buffer4, buffer3, sizeof(buffer3), g_session.emoji_mode);
fprintf(stream, "\r%s", buffer4);
fflush(stream);
}
} else {
fPrintAndLog(stream, "%s", buffer2);
}
@ -401,18 +431,32 @@ static void fPrintAndLog(FILE *stream, const char *fmt, ...) {
}
#endif
if ((g_printAndLog & PRINTANDLOG_LOG) && logging && logfile) {
if (((g_printAndLog & PRINTANDLOG_LOG) && logging && logfile) ||
(g_printAndLog & PRINTANDLOG_GRAB)) {
memcpy_filter_emoji(buffer3, buffer2, sizeof(buffer2), EMO_ALTTEXT);
if (filter_ansi) { // already done
if (!filter_ansi) {
memcpy_filter_ansi(buffer, buffer3, sizeof(buffer3), true);
}
}
if ((g_printAndLog & PRINTANDLOG_LOG) && logging && logfile) {
if (filter_ansi) {
fprintf(logfile, "%s", buffer3);
} else {
memcpy_filter_ansi(buffer, buffer3, sizeof(buffer3), true);
fprintf(logfile, "%s", buffer);
}
if (linefeed)
fprintf(logfile, "\n");
fflush(logfile);
}
if (g_printAndLog & PRINTANDLOG_GRAB) {
if (filter_ansi) {
fill_grabber(buffer3);
} else {
fill_grabber(buffer);
}
if (linefeed)
fill_grabber("\n");
}
if (flushAfterWrite)
fflush(stdout);
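Review bot: The truncation guard in fill_grabber, `if (len < 0 || len > MAX_PRINT_BUFFER)`, is off by one: snprintf returns the length the whole string would have needed, so `len == MAX_PRINT_BUFFER` means the copy was cut to MAX_PRINT_BUFFER-1 characters plus a NUL, yet `idx` still advances by MAX_PRINT_BUFFER and that terminator stays embedded in the captured text, after which everything appended later is invisible to any C-string consumer of `pm3_grabbed_output_get`. The check should read `if (len < 0 || len >= MAX_PRINT_BUFFER)`. Whether such a long string can actually arrive depends on the sizes of `buffer` and `buffer3` in fPrintAndLog, which are declared outside this hunk; growing by `strlen(string) + 1` instead of a fixed chunk would make fill_grabber correct regardless of the caller. Nothing in this hunk resets `idx` between captures, so unless the reset lives in the `pm3_console` path (not visible here) a script that grabs output repeatedly accumulates it until `free_grabber()` at exit; a comment stating where the buffer is cleared would help the next reader.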


@ -80,6 +80,7 @@ bool GetFlushAfterWrite(void);
void memcpy_filter_ansi(void *dest, const void *src, size_t n, bool filter);
void memcpy_filter_rlmarkers(void *dest, const void *src, size_t n);
void memcpy_filter_emoji(void *dest, const void *src, size_t n, emojiMode_t mode);
void free_grabber(void);
int searchHomeFilePath(char **foundpath, const char *subdir, const char *filename, bool create_home);


@ -36,8 +36,10 @@
#define UTIL_BUFFER_SIZE_SPRINT 8196
// global client debug variable
uint8_t g_debugMode = 0;
// global client disable logging variable
// global client enable/disable printing/logging/grabbing variable
uint8_t g_printAndLog = PRINTANDLOG_PRINT | PRINTANDLOG_LOG;
// global pointer to grabbed output
grabbed_output g_grabbed_output = {NULL, 0, 0};
// global client tell if a pending prompt is present
bool g_pendingPrompt = false;
// global CPU core count override


@ -34,8 +34,16 @@ extern uint8_t g_printAndLog;
extern bool g_pendingPrompt;
extern int g_numCPUs;
typedef struct {
char *ptr;
size_t size;
size_t idx;
} grabbed_output;
extern grabbed_output g_grabbed_output;
#define PRINTANDLOG_PRINT 1
#define PRINTANDLOG_LOG 2
#define PRINTANDLOG_GRAB 4
// Return error
#define PM3_RET_ERR(err, ...) { \
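Review bot: The new `grabbed_output` struct carries no field documentation, and the meaning of `size` versus `idx` is only recoverable by reading fill_grabber in ui.c. I'd annotate the three fields: `// heap buffer of captured PrintAndLogEx output, NUL-terminated by snprintf; NULL until first use` on `ptr`, `// bytes allocated` on `size`, and `// bytes used, excluding the terminator` on `idx`. A one-liner on the new flag would also help, e.g. `// PRINTANDLOG_GRAB: fPrintAndLog also copies its output into g_grabbed_output (INPLACE lines are dropped)`, since the INPLACE behaviour is a non-obvious consequence of the ui.c change.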


@ -20,6 +20,69 @@
#include "commonutil.h"
static bool Pack_Defcon32(wiegand_card_t *card, wiegand_message_t *packed, bool preamble) {
memset(packed, 0, sizeof(wiegand_message_t));
if (card->FacilityCode > 0x00FFFF) return false; // Can't encode FC.
if (card->CardNumber > 0x0fffff) return false; // Can't encode CN.
if (card->IssueLevel > 0x00000F) return false; // Can't encode Issue
if (card->OEM > 0) return false; // Not used in this format
packed->Length = 42;
/*
By implementing this format I hope to make the CTF easier for people to get into next year
//~~The wiegand data consists of 3 32 bit units that we need to split the data between Bottom and Mid since we have a 42 bit format~~
We can use the set linear field function instead this seems to be easier.
|Mid part| | Bot part of the packed data |
PFFFFFFFFF FFFFFFFIIIICCCCCCCCCCCCCCCCCCCCP
1111111111 11111111111000000000000000001000
FC 111111111 1111111 = FF FF
//FC Mid 111111111 0000000 = FF 80 These where used to split data between bot/mid
//FC Bot 000000000 1111111 = 00 7F
Issuance 1111 = 0F
Card Number 11111111111111111111 = 0FFFFF
*/
// Referenced from MSB
set_linear_field(packed, card->CardNumber, 21, 20); // 20 bit
set_linear_field(packed, card->IssueLevel, 17, 4); // 4 bit
set_linear_field(packed, card->FacilityCode, 1, 16); // 16 bits
// Parity calc
//0123456789|0123456789|0123456789|0123456789|01
//E E E E E |E E E E E |EO O O O O| O O O O O| O
set_bit_by_position(packed,
evenparity32(
get_nonlinear_field(packed, 16, (uint8_t[]) {2, 4, 6, 8, 10, 12, 14, 16, 18, 20}))
, 0);
set_bit_by_position(packed,
oddparity32(
get_nonlinear_field(packed, 16, (uint8_t[]) {21, 23, 25, 27, 29, 31, 33, 35, 37, 39}))
, 41);
if (preamble)
return add_HID_header(packed);
return true;
}
static bool Unpack_Defcon32(wiegand_message_t *packed, wiegand_card_t *card) {
memset(card, 0, sizeof(wiegand_card_t));
if (packed->Length != 42) return false; // Wrong length? Stop here.
card->FacilityCode = get_linear_field(packed, 1, 16);
card->IssueLevel = get_linear_field(packed, 17, 4);
card->CardNumber = get_linear_field(packed, 21, 20);
card->ParityValid =
(get_bit_by_position(packed, 41) == oddparity32(
get_nonlinear_field(packed, 16, (uint8_t[]) {21, 23, 25, 27, 29, 31, 33, 35, 37, 39})))&&
(get_bit_by_position(packed, 0) ==
evenparity32(get_nonlinear_field(packed, 16, (uint8_t[]) {2, 4, 6, 8, 10, 12, 14, 16, 18, 20})));
return true;
}
static bool Pack_H10301(wiegand_card_t *card, wiegand_message_t *packed, bool preamble) {
memset(packed, 0, sizeof(wiegand_message_t));
@ -1474,6 +1537,7 @@ static const cardformat_t FormatTable[] = {
{"C1k48s", Pack_C1k48s, Unpack_C1k48s, "HID Corporate 1000 48-bit std", {1, 1, 0, 0, 1}}, // imported from old pack/unpack
{"BC40", Pack_bc40, Unpack_bc40, "Bundy TimeClock 40-bit", {1, 1, 0, 1, 1}}, // from
{"Avig56", Pack_Avig56, Unpack_Avig56, "Avigilon 56-bit", {1, 1, 0, 0, 1}},
{"Defcon32", Pack_Defcon32, Unpack_Defcon32, "Custom Defcon RFCTF 42 BIT format", {1, 1, 1, 0, 1}}, // Created by (@micsen) for the CTF
{NULL, NULL, NULL, NULL, {0, 0, 0, 0, 0}} // Must null terminate array
};
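Review bot: All four `get_nonlinear_field` calls in Pack_Defcon32 and Unpack_Defcon32 pass a count of 16 while the position array literal has only 10 entries, so if the second argument is the number of positions to read (the helper is not in view, but that is how the count is used by the other formats in this file) the parity is computed over six bytes past the end of the stack-allocated compound literal — an out-of-bounds read whose garbage feeds the parity bits on encode and `ParityValid` on decode. The layout comment above the calls lists exactly ten even positions and ten odd positions, so the count should be `10` in all four calls, e.g. `get_nonlinear_field(packed, 10, (uint8_t[]) {2, 4, 6, 8, 10, 12, 14, 16, 18, 20})`. Because the extra bits are uninitialized stack, encoding the same card can yield different parity bits between runs, which is worth pinning with a pack/unpack round-trip test on a known card. Hoisting each position list into a `static const uint8_t` array shared by pack and unpack would also remove the duplicated literals and make the count mismatch impossible to reintroduce.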


@ -4340,9 +4340,10 @@
"--4k MIFARE Classic 4k / S70",
"--emu Fill simulator keys from found keys",
"--dump Dump found keys to binary file",
"-f, --file <fn> Filename of dictionary"
"-f, --file <fn> Filename of dictionary",
"--no-default Don't add the bunch of extra default keys"
],
"usage": "hf mf chk [-hab*] [-k <hex>]... [--tblk <dec>] [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [-f <fn>]"
"usage": "hf mf chk [-hab*] [-k <hex>]... [--tblk <dec>] [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [-f <fn>] [--no-default]"
},
"hf mf cload": {
"command": "hf mf cload",
@ -4703,9 +4704,10 @@
"-f, --file <fn> filename of dictionary",
"--blk <dec> block number (single block recovery mode)",
"-a single block recovery key A",
"-b single block recovery key B"
"-b single block recovery key B",
"--no-default Don't add the bunch of extra default keys"
],
"usage": "hf mf fchk [-hab] [-k <hex>]... [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [--mem] [-f <fn>] [--blk <dec>]"
"usage": "hf mf fchk [-hab] [-k <hex>]... [--mini] [--1k] [--2k] [--4k] [--emu] [--dump] [--mem] [-f <fn>] [--blk <dec>] [--no-default]"
},
"hf mf gchpwd": {
"command": "hf mf gchpwd",
@ -5044,13 +5046,14 @@
"--key2 <hex> nested key, 6 hex bytes (default=same)",
"-n <dec> number of nonces (default=2)",
"--reset reset between attempts, even if auth was successful",
"--hardreset hard reset (RF off/on) between attempts, even if auth was successful",
"--addread auth(blk)-read(blk)-auth(blk2)",
"--addauth auth(blk)-auth(blk)-auth(blk2)",
"--incblk2 auth(blk)-auth(blk2)-auth(blk2+4)-...",
"--corruptnrar corrupt {nR}{aR}, but with correct parity",
"--corruptnrarparity correct {nR}{aR}, but with corrupted parity"
],
"usage": "hf mf isen [-hab] [--blk <dec>] [-c <dec>] [-k <hex>] [--blk2 <dec>] [--a2] [--b2] [--c2 <dec>] [--key2 <hex>] [-n <dec>] [--reset] [--addread] [--addauth] [--incblk2] [--corruptnrar] [--corruptnrarparity]"
"usage": "hf mf isen [-hab] [--blk <dec>] [-c <dec>] [-k <hex>] [--blk2 <dec>] [--a2] [--b2] [--c2 <dec>] [--key2 <hex>] [-n <dec>] [--reset] [--hardreset] [--addread] [--addauth] [--incblk2] [--corruptnrar] [--corruptnrarparity]"
},
"hf mf mad": {
"command": "hf mf mad",
@ -12810,6 +12813,6 @@
"metadata": {
"commands_extracted": 740,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-08-03T19:17:38"
"extracted_on": "2024-08-14T11:49:06"
}
}


@ -155,7 +155,7 @@ This is the cheapest and most common ID82xx chip available. It is usually sold a
#### Characteristics
* Chip is likely a Hitag μ (micro)
* Password protection (4b), usually "1AC4999C"
* Password protection (4b), usually "00000000"(default) or "9AC4999C"(FURUI)
* Currently unimplemented in proxmark3 client
* Other names:
* ID8210 (CN)


@ -23,6 +23,8 @@
#define MF_KEY_A 0
#define MF_KEY_B 1
#define MF_KEY_BD08S 2
#define MF_KEY_BD08 3
#define MF_MAD1_SECTOR 0x00
#define MF_MAD2_SECTOR 0x10


@ -23,8 +23,8 @@ ifneq (,$(findstring MINGW,$(platform)))
CFLAGS += -D_ISOC99_SOURCE
endif
# macOS doesn't like these compiler params
ifneq ($(platform),Darwin)
# clang doesn't like these compiler params
ifneq ($(DETECTED_COMPILER), clang)
MYCFLAGS += --param max-completely-peeled-insns=1000 --param max-completely-peel-times=10000
endif
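Review bot: `ifneq ($(DETECTED_COMPILER), clang)` silently degrades if `DETECTED_COMPILER` is not defined before this point: nothing in this hunk sets it, and an empty value makes the condition always true, so the GCC-only `--param` flags would be handed to clang again and reintroduce the build failure the old `Darwin` check worked around. A comment naming the Makefile that sets the variable, e.g. `# DETECTED_COMPILER comes from the shared compiler-detection include; keep that included before this point`, would make the dependency explicit, and a fallback such as testing `$(CC)` or the compiler's `--version` output when the variable is empty would keep the guard effective on builds that bypass the shared include.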


@ -7,7 +7,7 @@
// Strategy:
// * Find all possible key candidates for one reference sector, and check on-the-fly if they are compatible with any other sector we want to compare with
//
// Doegox, 2024
// Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
#include <stdio.h>
#include <stdlib.h>


@ -8,7 +8,7 @@
// * Enumerate key candidates based on clear and encrypted nT
// * Use the resulting dictionary to bruteforce the key
//
// Doegox, 2024
// Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
#include <stdio.h>
#include <stdlib.h>


@ -10,7 +10,7 @@
// * Search couples of keyA/keyB satisfying some obscure relationship
// * Use the resulting dictionary to bruteforce the keyA (and staticnested_2x1nt_rf08s_1key for keyB)
//
// Doegox, 2024
// Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
#include <stdio.h>
#include <stdlib.h>


@ -8,7 +8,7 @@
// * Use f08s_nested_known_collision to crack keyA
// * If keyB not readable, find keyB in its dictionary based on the obscure relationship between keyA, keyB and their nT
//
// Doegox, 2024
// Doegox, 2024, cf https://eprint.iacr.org/2024/1275 for more info
#include <stdio.h>
#include <stdlib.h>


@ -21,8 +21,8 @@ ifneq (,$(findstring MINGW,$(platform)))
CFLAGS += -D_ISOC99_SOURCE
endif
# macOS doesn't like these compiler params
ifneq ($(platform),Darwin)
# clang doesn't like these compiler params
ifneq ($(DETECTED_COMPILER), clang)
MYCFLAGS += --param max-completely-peeled-insns=1000 --param max-completely-peel-times=10000
endif