lf search - now tries to read out hitag2 data with the paxton key.

iceman1001 2024-09-15 18:19:28 +02:00
parent c9531ae62b
commit 805dc99b97
6 changed files with 95 additions and 45 deletions


@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Changed `lf search` - it now tries to read and decode paxton id (@iceman1001)
- Changed `lf search` - to identify hitag2/s/82xx in chipset detection to preserve their EM4100 or other outputs (@iceman1001)
- Added `lf hitag hts reader` - to act as a HitagS / 82xx reader (@iceman1001)
- Changed `lf hitag hts write` -> ´lf hitag hts wdbl` to fit rest of client command names (@iceman1001)


@ -766,12 +766,12 @@ void hts_simulate(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol) {
for (int i = 0; i < tag.max_page; i++) {
DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X",
i,
(tag.pages[i][3]) & 0xFF,
(tag.pages[i][2]) & 0xFF,
(tag.pages[i][1]) & 0xFF,
tag.pages[i][0] & 0xFF
);
i,
(tag.pages[i][3]) & 0xFF,
(tag.pages[i][2]) & 0xFF,
(tag.pages[i][1]) & 0xFF,
tag.pages[i][0] & 0xFF
);
}
//con1
@ -1442,15 +1442,15 @@ void hts_read(const lf_hitag_data_t *payload, bool ledcontrol) {
if (g_dbglevel >= DBG_EXTENDED) {
if (tag.auth && tag.LKP && pageNum == 1) {
DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
(tag.pages[pageNum][2]) & 0xff,
(tag.pages[pageNum][1]) & 0xff,
tag.pages[pageNum][0] & 0xff);
(tag.pages[pageNum][2]) & 0xff,
(tag.pages[pageNum][1]) & 0xff,
tag.pages[pageNum][0] & 0xff);
} else {
DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
(tag.pages[pageNum][3]) & 0xff,
(tag.pages[pageNum][2]) & 0xff,
(tag.pages[pageNum][1]) & 0xff,
tag.pages[pageNum][0] & 0xff);
(tag.pages[pageNum][3]) & 0xff,
(tag.pages[pageNum][2]) & 0xff,
(tag.pages[pageNum][1]) & 0xff,
tag.pages[pageNum][0] & 0xff);
}
}
@ -1459,17 +1459,17 @@ void hts_read(const lf_hitag_data_t *payload, bool ledcontrol) {
if (pageNum == 2 && tag.auth == 1 && tag.LKP) {
if (payload->cmd == RHTSF_KEY) {
DBG Dbprintf("Page[ 2]: %02X %02X %02X %02X",
payload->key[1],
payload->key[0],
pwdl1,
pwdl0
);
payload->key[1],
payload->key[0],
pwdl1,
pwdl0
);
DBG Dbprintf("Page[ 3]: %02X %02X %02X %02X",
payload->key[5],
payload->key[4],
payload->key[3],
payload->key[2]
);
payload->key[5],
payload->key[4],
payload->key[3],
payload->key[2]
);
} else {
//if the authentication is done with a challenge the key and password are unknown
DBG Dbprintf("Page[ 2]: __ __ __ __");
@ -1676,12 +1676,12 @@ void hts_check_challenges(const uint8_t *data, uint32_t datalen, bool ledcontrol
int res = hts_select_tag(&payload, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol);
DBG Dbprintf("Challenge %s: %02X %02X %02X %02X %02X %02X %02X %02X",
res == -1 ? "failed " : "success",
payload.NrAr[0], payload.NrAr[1],
payload.NrAr[2], payload.NrAr[3],
payload.NrAr[4], payload.NrAr[5],
payload.NrAr[6], payload.NrAr[7]
);
res == -1 ? "failed " : "success",
payload.NrAr[0], payload.NrAr[1],
payload.NrAr[2], payload.NrAr[3],
payload.NrAr[4], payload.NrAr[5],
payload.NrAr[6], payload.NrAr[7]
);
if (res == -1) {
// Need to do a dummy UID select that will fail


@ -1719,9 +1719,22 @@ int CmdLFfind(const char *Cmd) {
PrintAndLogEx(INFO, _CYAN_("Checking for known tags..."));
PrintAndLogEx(INFO, "");
int retval = PM3_SUCCESS;
// only run these tests if device is online
if (is_online) {
if (IfPm3Hitag()) {
if (ht2_read_paxton() == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("Paxton ID") " found!");
if (search_cont) {
found++;
} else {
goto out;
}
}
}
#if !defined ICOPYX
if (IfPm3EM4x50()) {
if (read_em4x50_uid() == PM3_SUCCESS) {
@ -1769,8 +1782,6 @@ int CmdLFfind(const char *Cmd) {
}
}
int retval = PM3_SUCCESS;
// ask / man
if (demodEM410x(true) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("EM410x ID") " found!");
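Review bot: The "Valid Paxton ID found!" banner on L116 is printed whenever ht2_read_paxton() returns PM3_SUCCESS, and in the cmdlfhitag.c section that function returns PM3_SUCCESS as soon as the device answers (L223-L225) without checking that the returned bytes belong to a Paxton-programmed tag, so any Hitag2 that accepts the default password would be announced as a Paxton ID even if print_hitag2_paxton printed nothing (its early exit on the password bytes at L151 runs past the hunk, so that part is inferred). Have ht2_read_paxton check the data before declaring success, mirroring the comparison the printer already does: `if (memcmp(data + 4, ht2_default_keys, sizeof(ht2_default_keys)) != 0) return PM3_ESOFT;` ahead of the print_hitag2_paxton call, and only then return PM3_SUCCESS. The same point applies to the ht2_read_paxton hunk in cmdlfhitag.c; it is noted once here. CmdLFfind starts and ends outside both hunks of this section.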


@ -35,6 +35,10 @@
static int CmdHelp(const char *Cmd);
static const uint8_t ht2_default_keys[] = {
0xBD, 0xF5, 0xE8, 0x46 // PAXTON
};
static const char *getHitagTypeStr(uint32_t uid) {
//uid s/n ********
uint8_t type = (uid >> 4) & 0xF;
@ -205,7 +209,7 @@ static int CmdLFHitagList(const char *Cmd) {
*/
}
static void print_hitag2_paxton(const uint8_t *data) {
static void print_hitag2_paxton(bool show_header, const uint8_t *data) {
// if the pwd isn't..
if (memcmp(data + 4, "\xBD\xF5\xE8\x46", 4)) {
@ -263,10 +267,14 @@ static void print_hitag2_paxton(const uint8_t *data) {
}
}
PrintAndLogEx(INFO, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Possible de-scramble patterns") " -------------");
if (show_header) {
PrintAndLogEx(INFO, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Possible de-scramble patterns") " -------------");
}
PrintAndLogEx(SUCCESS, "Paxton id... %" PRIu64 " | 0x%" PRIx64 " ( %s )", paxton_id, paxton_id, formfactor);
PrintAndLogEx(INFO, "");
if (show_header) {
PrintAndLogEx(INFO, "");
}
}
static void print_hitag2_configuration(uint32_t uid, uint8_t config) {
@ -1079,7 +1087,7 @@ static int CmdLFHitagRd(const char *Cmd) {
if (use_ht2) {
print_hitag2_blocks(data, HITAG2_MAX_BYTE_SIZE);
print_hitag2_paxton(data);
print_hitag2_paxton(true, data);
} else {
print_hex_break(data, HITAG_MAX_BYTE_SIZE, HITAG_BLOCK_SIZE);
}
@ -1624,7 +1632,7 @@ out:
if (use_ht2) {
print_hitag2_configuration(uid, data[HITAG_BLOCK_SIZE * 3]);
print_hitag2_blocks(data, HITAG2_MAX_BYTE_SIZE);
print_hitag2_paxton(data);
print_hitag2_paxton(true, data);
} else {
PrintAndLogEx(INFO, "No memory printing available");
}
@ -1685,7 +1693,7 @@ static int CmdLFHitagView(const char *Cmd) {
uint8_t config = dump[HITAG2_CONFIG_OFFSET];
uint32_t uid = bytes_to_num(dump, HITAG_UID_SIZE);
print_hitag2_configuration(uid, config);
print_hitag2_paxton(dump);
print_hitag2_paxton(true, dump);
}
print_hitag2_blocks(dump, HITAG2_MAX_BYTE_SIZE);
free(dump);
@ -1800,7 +1808,7 @@ static int CmdLFHitagEview(const char *Cmd) {
uint8_t config = dump[HITAG2_CONFIG_OFFSET];
uint32_t uid = bytes_to_num(dump, HITAG_UID_SIZE);
print_hitag2_configuration(uid, config);
print_hitag2_paxton(dump);
print_hitag2_paxton(true, dump);
}
print_hitag2_blocks(dump, HITAG2_MAX_BYTE_SIZE);
free(dump);
@ -2486,6 +2494,35 @@ int ht2_read_uid(void) {
return PM3_SUCCESS;
}
int ht2_read_paxton(void) {
// read block 4,5,6,7
lf_hitag_data_t packet;
memset(&packet, 0, sizeof(packet));
packet.cmd = RHT2F_PASSWORD;
memcpy(packet.pwd, ht2_default_keys, sizeof(packet.pwd));
clearCommandBuffer();
SendCommandNG(CMD_LF_HITAG_READER, (uint8_t *)&packet, sizeof(packet));
PacketResponseNG resp;
if (WaitForResponseTimeout(CMD_LF_HITAG_READER, &resp, 2000) == false) {
SendCommandNG(CMD_BREAK_LOOP, NULL, 0);
return PM3_ETIMEOUT;
}
if (resp.status != PM3_SUCCESS) {
PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
return PM3_ESOFT;
}
uint8_t *data = resp.data.asBytes;
print_hitag2_paxton(false, data);
return PM3_SUCCESS;
}
static command_t CommandTable[] = {
{"help", CmdHelp, AlwaysAvailable, "This help"},
{"list", CmdLFHitagList, AlwaysAvailable, "List Hitag trace history"},
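Review bot: `memcpy(packet.pwd, ht2_default_keys, sizeof(packet.pwd))` on L211 sizes the copy by the destination while the source is the 4-byte table declared on L139-L141, so it over-reads the table if pwd is ever wider than four bytes; pin the two together with `_Static_assert(sizeof(ht2_default_keys) == sizeof(packet.pwd), "paxton default key must match pwd width");` next to the packet declaration, or copy `sizeof(ht2_default_keys)` bytes instead. The same key bytes are repeated as a string literal in the memcmp on L151, so print_hitag2_paxton should compare against `ht2_default_keys` rather than carry a second copy that can drift. The comment `// read block 4,5,6,7` on L207 is not backed by anything in the body, which issues a single RHT2F_PASSWORD read and does not select pages, so either state what the device is expected to return or drop it. The print_hitag2_paxton hunk and the CmdLFHitagRd/View/Eview hunks are cut at their edges.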


@ -28,6 +28,7 @@
int CmdLFHitag(const char *Cmd);
int ht2_read_uid(void);
int ht2_read_paxton(void);
void annotateHitag1(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response);
void annotateHitag2(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, uint8_t bits, bool is_response, const uint64_t *keys, uint32_t keycount, bool isdecrypted);
void annotateHitagS(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response);
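Review bot: The new prototype `int ht2_read_paxton(void);` on L236 is added with no comment describing its contract, although lf search now depends on its return codes; add above it `/** Probe for a Hitag2 that answers the Paxton default password and print the decoded Paxton id. Returns PM3_SUCCESS, PM3_ETIMEOUT on no device response, PM3_ESOFT on a failed read. */`. Those are the codes the definition in cmdlfhitag.c returns. ht2_read_uid on L235 carries no comment within this hunk either, so documenting both keeps the header consistent.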


@ -9731,7 +9731,7 @@
"description": "Read Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
"notes": [
"lf hitag hts rdbl -> Hitag S/8211, plain mode",
"lf hitag hts rdbl --8 -k BBDD3399 -> 8268/8310, password mode",
"lf hitag hts rdbl --82xx -k BBDD3399 -> 8268/8310, password mode",
"lf hitag hts rdbl --nrar 0102030411223344 -> Hitag S, challenge mode",
"lf hitag hts rdbl --crypto -> Hitag S, crypto mode, def key",
"lf hitag hts rdbl -k 4F4E4D494B52 -> Hitag S, crypto mode"
@ -9765,7 +9765,7 @@
"description": "Write a page in Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
"notes": [
"lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode",
"lf hitag hts wrbl -p 6 -d 01020304 --8 -k BBDD3399 -> 8268/8310, password mode",
"lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode",
"lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode",
"lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key",
"lf hitag hts wrbl -p 6 -d 01020304 -k 4F4E4D494B52 -> Hitag S, crypto mode"
@ -9774,13 +9774,13 @@
"options": [
"-h, --help This help",
"--nrar <hex> nonce / answer writer, 8 hex bytes",
"--8 8268/8310 mode",
"-8, --82xx 8268/8310 mode",
"--crypto crypto mode",
"-k, --key <hex> pwd or key, 4 or 6 hex bytes",
"-p, --page <dec> page address to write to",
"-d, --data <hex> data, 4 hex bytes"
],
"usage": "lf hitag hts wrbl [-h] [--nrar <hex>] [--8] [--crypto] [-k <hex>] -p <dec> -d <hex>"
"usage": "lf hitag hts wrbl [-h8] [--nrar <hex>] [--crypto] [-k <hex>] -p <dec> -d <hex>"
},
"lf hitag info": {
"command": "lf hitag info",
@ -12902,8 +12902,8 @@
}
},
"metadata": {
"commands_extracted": 744,
"commands_extracted": 745,
"extracted_by": "PM3Help2JSON v1.00",
"extracted_on": "2024-09-15T09:53:32"
"extracted_on": "2024-09-15T16:16:09"
}
}