mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2024-09-20 07:16:14 +08:00
lf search - now tries to read out hitag2 data with the paxton key.
parent
c9531ae62b
commit
805dc99b97
|
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
|
|||
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
|
||||
|
||||
## [unreleased][unreleased]
|
||||
- Changed `lf search` - it now tries to read and decode paxton id (@iceman1001)
|
||||
- Changed `lf search` - to identify hitag2/s/82xx in chipset detection to preserve their EM4100 or other outputs (@iceman1001)
|
||||
- Added `lf hitag hts reader` - to act as a HitagS / 82xx reader (@iceman1001)
|
||||
- Changed `lf hitag hts write` -> ´lf hitag hts wdbl` to fit rest of client command names (@iceman1001)
|
||||
|
|
|
@ -766,12 +766,12 @@ void hts_simulate(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol) {
|
|||
|
||||
for (int i = 0; i < tag.max_page; i++) {
|
||||
DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X",
|
||||
i,
|
||||
(tag.pages[i][3]) & 0xFF,
|
||||
(tag.pages[i][2]) & 0xFF,
|
||||
(tag.pages[i][1]) & 0xFF,
|
||||
tag.pages[i][0] & 0xFF
|
||||
);
|
||||
i,
|
||||
(tag.pages[i][3]) & 0xFF,
|
||||
(tag.pages[i][2]) & 0xFF,
|
||||
(tag.pages[i][1]) & 0xFF,
|
||||
tag.pages[i][0] & 0xFF
|
||||
);
|
||||
}
|
||||
|
||||
//con1
|
||||
|
@ -1442,15 +1442,15 @@ void hts_read(const lf_hitag_data_t *payload, bool ledcontrol) {
|
|||
if (g_dbglevel >= DBG_EXTENDED) {
|
||||
if (tag.auth && tag.LKP && pageNum == 1) {
|
||||
DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
|
||||
(tag.pages[pageNum][2]) & 0xff,
|
||||
(tag.pages[pageNum][1]) & 0xff,
|
||||
tag.pages[pageNum][0] & 0xff);
|
||||
(tag.pages[pageNum][2]) & 0xff,
|
||||
(tag.pages[pageNum][1]) & 0xff,
|
||||
tag.pages[pageNum][0] & 0xff);
|
||||
} else {
|
||||
DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
|
||||
(tag.pages[pageNum][3]) & 0xff,
|
||||
(tag.pages[pageNum][2]) & 0xff,
|
||||
(tag.pages[pageNum][1]) & 0xff,
|
||||
tag.pages[pageNum][0] & 0xff);
|
||||
(tag.pages[pageNum][3]) & 0xff,
|
||||
(tag.pages[pageNum][2]) & 0xff,
|
||||
(tag.pages[pageNum][1]) & 0xff,
|
||||
tag.pages[pageNum][0] & 0xff);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1459,17 +1459,17 @@ void hts_read(const lf_hitag_data_t *payload, bool ledcontrol) {
|
|||
if (pageNum == 2 && tag.auth == 1 && tag.LKP) {
|
||||
if (payload->cmd == RHTSF_KEY) {
|
||||
DBG Dbprintf("Page[ 2]: %02X %02X %02X %02X",
|
||||
payload->key[1],
|
||||
payload->key[0],
|
||||
pwdl1,
|
||||
pwdl0
|
||||
);
|
||||
payload->key[1],
|
||||
payload->key[0],
|
||||
pwdl1,
|
||||
pwdl0
|
||||
);
|
||||
DBG Dbprintf("Page[ 3]: %02X %02X %02X %02X",
|
||||
payload->key[5],
|
||||
payload->key[4],
|
||||
payload->key[3],
|
||||
payload->key[2]
|
||||
);
|
||||
payload->key[5],
|
||||
payload->key[4],
|
||||
payload->key[3],
|
||||
payload->key[2]
|
||||
);
|
||||
} else {
|
||||
//if the authentication is done with a challenge the key and password are unknown
|
||||
DBG Dbprintf("Page[ 2]: __ __ __ __");
|
||||
|
@ -1676,12 +1676,12 @@ void hts_check_challenges(const uint8_t *data, uint32_t datalen, bool ledcontrol
|
|||
int res = hts_select_tag(&payload, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol);
|
||||
|
||||
DBG Dbprintf("Challenge %s: %02X %02X %02X %02X %02X %02X %02X %02X",
|
||||
res == -1 ? "failed " : "success",
|
||||
payload.NrAr[0], payload.NrAr[1],
|
||||
payload.NrAr[2], payload.NrAr[3],
|
||||
payload.NrAr[4], payload.NrAr[5],
|
||||
payload.NrAr[6], payload.NrAr[7]
|
||||
);
|
||||
res == -1 ? "failed " : "success",
|
||||
payload.NrAr[0], payload.NrAr[1],
|
||||
payload.NrAr[2], payload.NrAr[3],
|
||||
payload.NrAr[4], payload.NrAr[5],
|
||||
payload.NrAr[6], payload.NrAr[7]
|
||||
);
|
||||
|
||||
if (res == -1) {
|
||||
// Need to do a dummy UID select that will fail
|
||||
|
|
|
@ -1719,9 +1719,22 @@ int CmdLFfind(const char *Cmd) {
|
|||
PrintAndLogEx(INFO, _CYAN_("Checking for known tags..."));
|
||||
PrintAndLogEx(INFO, "");
|
||||
|
||||
int retval = PM3_SUCCESS;
|
||||
|
||||
// only run these tests if device is online
|
||||
if (is_online) {
|
||||
|
||||
if (IfPm3Hitag()) {
|
||||
if (ht2_read_paxton() == PM3_SUCCESS) {
|
||||
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("Paxton ID") " found!");
|
||||
if (search_cont) {
|
||||
found++;
|
||||
} else {
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#if !defined ICOPYX
|
||||
if (IfPm3EM4x50()) {
|
||||
if (read_em4x50_uid() == PM3_SUCCESS) {
|
||||
|
@ -1769,8 +1782,6 @@ int CmdLFfind(const char *Cmd) {
|
|||
}
|
||||
}
|
||||
|
||||
int retval = PM3_SUCCESS;
|
||||
|
||||
// ask / man
|
||||
if (demodEM410x(true) == PM3_SUCCESS) {
|
||||
PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("EM410x ID") " found!");
|
||||
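Review bot: The new `ht2_read_paxton()` call at the top of the `is_online` block makes `lf search` send a Hitag2 password-mode authentication with a built-in password the user never supplied, and nothing at the call site or in the visible help text says so. A comment above the `IfPm3Hitag()` test such as `// active step: authenticates in Hitag2 password mode with the built-in Paxton password before any other check` would record that, and the command help should mention it so operators know what a plain search transmits. Since the helper waits up to 2000 ms for a reply, it may also lengthen every search when no Hitag2 tag answers; that is worth confirming on hardware. The rest of `CmdLFfind` lies outside these hunks, so how the `out:` label treats `found` and `retval` on this new path could not be checked here.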
|
|
|
@ -35,6 +35,10 @@
|
|||
|
||||
static int CmdHelp(const char *Cmd);
|
||||
|
||||
static const uint8_t ht2_default_keys[] = {
|
||||
0xBD, 0xF5, 0xE8, 0x46 // PAXTON
|
||||
};
|
||||
|
||||
static const char *getHitagTypeStr(uint32_t uid) {
|
||||
//uid s/n ********
|
||||
uint8_t type = (uid >> 4) & 0xF;
|
||||
|
@ -205,7 +209,7 @@ static int CmdLFHitagList(const char *Cmd) {
|
|||
*/
|
||||
}
|
||||
|
||||
static void print_hitag2_paxton(const uint8_t *data) {
|
||||
static void print_hitag2_paxton(bool show_header, const uint8_t *data) {
|
||||
|
||||
// if the pwd isn't..
|
||||
if (memcmp(data + 4, "\xBD\xF5\xE8\x46", 4)) {
|
||||
|
@ -263,10 +267,14 @@ static void print_hitag2_paxton(const uint8_t *data) {
|
|||
}
|
||||
}
|
||||
|
||||
PrintAndLogEx(INFO, "");
|
||||
PrintAndLogEx(INFO, "--- " _CYAN_("Possible de-scramble patterns") " -------------");
|
||||
if (show_header) {
|
||||
PrintAndLogEx(INFO, "");
|
||||
PrintAndLogEx(INFO, "--- " _CYAN_("Possible de-scramble patterns") " -------------");
|
||||
}
|
||||
PrintAndLogEx(SUCCESS, "Paxton id... %" PRIu64 " | 0x%" PRIx64 " ( %s )", paxton_id, paxton_id, formfactor);
|
||||
PrintAndLogEx(INFO, "");
|
||||
if (show_header) {
|
||||
PrintAndLogEx(INFO, "");
|
||||
}
|
||||
}
|
||||
|
||||
static void print_hitag2_configuration(uint32_t uid, uint8_t config) {
|
||||
|
@ -1079,7 +1087,7 @@ static int CmdLFHitagRd(const char *Cmd) {
|
|||
|
||||
if (use_ht2) {
|
||||
print_hitag2_blocks(data, HITAG2_MAX_BYTE_SIZE);
|
||||
print_hitag2_paxton(data);
|
||||
print_hitag2_paxton(true, data);
|
||||
} else {
|
||||
print_hex_break(data, HITAG_MAX_BYTE_SIZE, HITAG_BLOCK_SIZE);
|
||||
}
|
||||
|
@ -1624,7 +1632,7 @@ out:
|
|||
if (use_ht2) {
|
||||
print_hitag2_configuration(uid, data[HITAG_BLOCK_SIZE * 3]);
|
||||
print_hitag2_blocks(data, HITAG2_MAX_BYTE_SIZE);
|
||||
print_hitag2_paxton(data);
|
||||
print_hitag2_paxton(true, data);
|
||||
} else {
|
||||
PrintAndLogEx(INFO, "No memory printing available");
|
||||
}
|
||||
|
@ -1685,7 +1693,7 @@ static int CmdLFHitagView(const char *Cmd) {
|
|||
uint8_t config = dump[HITAG2_CONFIG_OFFSET];
|
||||
uint32_t uid = bytes_to_num(dump, HITAG_UID_SIZE);
|
||||
print_hitag2_configuration(uid, config);
|
||||
print_hitag2_paxton(dump);
|
||||
print_hitag2_paxton(true, dump);
|
||||
}
|
||||
print_hitag2_blocks(dump, HITAG2_MAX_BYTE_SIZE);
|
||||
free(dump);
|
||||
|
@ -1800,7 +1808,7 @@ static int CmdLFHitagEview(const char *Cmd) {
|
|||
uint8_t config = dump[HITAG2_CONFIG_OFFSET];
|
||||
uint32_t uid = bytes_to_num(dump, HITAG_UID_SIZE);
|
||||
print_hitag2_configuration(uid, config);
|
||||
print_hitag2_paxton(dump);
|
||||
print_hitag2_paxton(true, dump);
|
||||
}
|
||||
print_hitag2_blocks(dump, HITAG2_MAX_BYTE_SIZE);
|
||||
free(dump);
|
||||
|
@ -2486,6 +2494,35 @@ int ht2_read_uid(void) {
|
|||
return PM3_SUCCESS;
|
||||
}
|
||||
|
||||
int ht2_read_paxton(void) {
|
||||
|
||||
// read block 4,5,6,7
|
||||
|
||||
lf_hitag_data_t packet;
|
||||
memset(&packet, 0, sizeof(packet));
|
||||
|
||||
packet.cmd = RHT2F_PASSWORD;
|
||||
memcpy(packet.pwd, ht2_default_keys, sizeof(packet.pwd));
|
||||
|
||||
clearCommandBuffer();
|
||||
SendCommandNG(CMD_LF_HITAG_READER, (uint8_t *)&packet, sizeof(packet));
|
||||
|
||||
PacketResponseNG resp;
|
||||
if (WaitForResponseTimeout(CMD_LF_HITAG_READER, &resp, 2000) == false) {
|
||||
SendCommandNG(CMD_BREAK_LOOP, NULL, 0);
|
||||
return PM3_ETIMEOUT;
|
||||
}
|
||||
|
||||
if (resp.status != PM3_SUCCESS) {
|
||||
PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed");
|
||||
return PM3_ESOFT;
|
||||
}
|
||||
|
||||
uint8_t *data = resp.data.asBytes;
|
||||
print_hitag2_paxton(false, data);
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
|
||||
static command_t CommandTable[] = {
|
||||
{"help", CmdHelp, AlwaysAvailable, "This help"},
|
||||
{"list", CmdLFHitagList, AlwaysAvailable, "List Hitag trace history"},
|
||||
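Review bot: `ht2_read_paxton()` passes `resp.data.asBytes` to `print_hitag2_paxton()` after checking only `resp.status`, so a reply shorter than what that function reads (it compares four bytes at `data + 4`, and the `// read block 4,5,6,7` comment suggests it goes further) would be decoded from stale buffer contents. A length guard before the call, for example `if (resp.length < HITAG2_MAX_BYTE_SIZE) return PM3_ESOFT;`, would close that, assuming the reader command returns a full Hitag2 dump as the other callers' use of `HITAG2_MAX_BYTE_SIZE` suggests. Separately, the function returns `PM3_SUCCESS` regardless of what the `void` printer did; if the printer returns early at its password check (its body is mostly outside the hunks), `lf search` would announce a valid Paxton ID without one being shown, so letting the printer return a status would tie the two together. The password is also now written twice, in `ht2_default_keys` and in the `memcmp` literal, and the comparison could use the array instead.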
|
|
|
@ -28,6 +28,7 @@
|
|||
int CmdLFHitag(const char *Cmd);
|
||||
|
||||
int ht2_read_uid(void);
|
||||
int ht2_read_paxton(void);
|
||||
void annotateHitag1(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response);
|
||||
void annotateHitag2(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, uint8_t bits, bool is_response, const uint64_t *keys, uint32_t keycount, bool isdecrypted);
|
||||
void annotateHitagS(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response);
|
||||
|
|
|
@ -9731,7 +9731,7 @@
|
|||
"description": "Read Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
|
||||
"notes": [
|
||||
"lf hitag hts rdbl -> Hitag S/8211, plain mode",
|
||||
"lf hitag hts rdbl --8 -k BBDD3399 -> 8268/8310, password mode",
|
||||
"lf hitag hts rdbl --82xx -k BBDD3399 -> 8268/8310, password mode",
|
||||
"lf hitag hts rdbl --nrar 0102030411223344 -> Hitag S, challenge mode",
|
||||
"lf hitag hts rdbl --crypto -> Hitag S, crypto mode, def key",
|
||||
"lf hitag hts rdbl -k 4F4E4D494B52 -> Hitag S, crypto mode"
|
||||
|
@ -9765,7 +9765,7 @@
|
|||
"description": "Write a page in Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
|
||||
"notes": [
|
||||
"lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode",
|
||||
"lf hitag hts wrbl -p 6 -d 01020304 --8 -k BBDD3399 -> 8268/8310, password mode",
|
||||
"lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode",
|
||||
"lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode",
|
||||
"lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key",
|
||||
"lf hitag hts wrbl -p 6 -d 01020304 -k 4F4E4D494B52 -> Hitag S, crypto mode"
|
||||
|
@ -9774,13 +9774,13 @@
|
|||
"options": [
|
||||
"-h, --help This help",
|
||||
"--nrar <hex> nonce / answer writer, 8 hex bytes",
|
||||
"--8 8268/8310 mode",
|
||||
"-8, --82xx 8268/8310 mode",
|
||||
"--crypto crypto mode",
|
||||
"-k, --key <hex> pwd or key, 4 or 6 hex bytes",
|
||||
"-p, --page <dec> page address to write to",
|
||||
"-d, --data <hex> data, 4 hex bytes"
|
||||
],
|
||||
"usage": "lf hitag hts wrbl [-h] [--nrar <hex>] [--8] [--crypto] [-k <hex>] -p <dec> -d <hex>"
|
||||
"usage": "lf hitag hts wrbl [-h8] [--nrar <hex>] [--crypto] [-k <hex>] -p <dec> -d <hex>"
|
||||
},
|
||||
"lf hitag info": {
|
||||
"command": "lf hitag info",
|
||||
|
@ -12902,8 +12902,8 @@
|
|||
}
|
||||
},
|
||||
"metadata": {
|
||||
"commands_extracted": 744,
|
||||
"commands_extracted": 745,
|
||||
"extracted_by": "PM3Help2JSON v1.00",
|
||||
"extracted_on": "2024-09-15T09:53:32"
|
||||
"extracted_on": "2024-09-15T16:16:09"
|
||||
}
|
||||
}
|
||||
|
|