From 805dc99b973b8e90e411e5408aefa1ac8e022ca5 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 15 Sep 2024 18:19:28 +0200 Subject: [PATCH] lf search - now tries to read out hitag2 data with the paxton key. --- CHANGELOG.md | 1 + armsrc/hitagS.c | 58 ++++++++++++++++++++--------------------- client/src/cmdlf.c | 15 +++++++++-- client/src/cmdlfhitag.c | 53 +++++++++++++++++++++++++++++++------ client/src/cmdlfhitag.h | 1 + doc/commands.json | 12 ++++----- 6 files changed, 95 insertions(+), 45 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a2ec5c1d5..99a63f7fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] +- Changed `lf search` - it now tries to read and decode paxton id (@iceman1001) - Changed `lf search` - to identify hitag2/s/82xx in chipset detection to preserve their EM4100 or other outputs (@iceman1001) - Added `lf hitag hts reader` - to act as a HitagS / 82xx reader (@iceman1001) - Changed `lf hitag hts write` -> ´lf hitag hts wdbl` to fit rest of client command names (@iceman1001) diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c index f82c5a75a..d4f4a775b 100644 --- a/armsrc/hitagS.c +++ b/armsrc/hitagS.c @@ -766,12 +766,12 @@ void hts_simulate(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol) { for (int i = 0; i < tag.max_page; i++) { DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", - i, - (tag.pages[i][3]) & 0xFF, - (tag.pages[i][2]) & 0xFF, - (tag.pages[i][1]) & 0xFF, - tag.pages[i][0] & 0xFF - ); + i, + (tag.pages[i][3]) & 0xFF, + (tag.pages[i][2]) & 0xFF, + (tag.pages[i][1]) & 0xFF, + tag.pages[i][0] & 0xFF + ); } //con1 
@@ -1442,15 +1442,15 @@ void hts_read(const lf_hitag_data_t *payload, bool ledcontrol) { if (g_dbglevel >= DBG_EXTENDED) { if (tag.auth && tag.LKP && pageNum == 1) { DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0, - (tag.pages[pageNum][2]) & 0xff, - (tag.pages[pageNum][1]) & 0xff, - tag.pages[pageNum][0] & 0xff); + (tag.pages[pageNum][2]) & 0xff, + (tag.pages[pageNum][1]) & 0xff, + tag.pages[pageNum][0] & 0xff); } else { DBG Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, - (tag.pages[pageNum][3]) & 0xff, - (tag.pages[pageNum][2]) & 0xff, - (tag.pages[pageNum][1]) & 0xff, - tag.pages[pageNum][0] & 0xff); + (tag.pages[pageNum][3]) & 0xff, + (tag.pages[pageNum][2]) & 0xff, + (tag.pages[pageNum][1]) & 0xff, + tag.pages[pageNum][0] & 0xff); } } @@ -1459,17 +1459,17 @@ void hts_read(const lf_hitag_data_t *payload, bool ledcontrol) { if (pageNum == 2 && tag.auth == 1 && tag.LKP) { if (payload->cmd == RHTSF_KEY) { DBG Dbprintf("Page[ 2]: %02X %02X %02X %02X", - payload->key[1], - payload->key[0], - pwdl1, - pwdl0 - ); + payload->key[1], + payload->key[0], + pwdl1, + pwdl0 + ); DBG Dbprintf("Page[ 3]: %02X %02X %02X %02X", - payload->key[5], - payload->key[4], - payload->key[3], - payload->key[2] - ); + payload->key[5], + payload->key[4], + payload->key[3], + payload->key[2] + ); } else { //if the authentication is done with a challenge the key and password are unknown DBG Dbprintf("Page[ 2]: __ __ __ __"); 
@@ -1676,12 +1676,12 @@ void hts_check_challenges(const uint8_t *data, uint32_t datalen, bool ledcontrol int res = hts_select_tag(&payload, tx, ARRAYLEN(tx), rx, ARRAYLEN(rx), HITAG_T_WAIT_FIRST, ledcontrol); DBG Dbprintf("Challenge %s: %02X %02X %02X %02X %02X %02X %02X %02X", - res == -1 ? "failed " : "success", - payload.NrAr[0], payload.NrAr[1], - payload.NrAr[2], payload.NrAr[3], - payload.NrAr[4], payload.NrAr[5], - payload.NrAr[6], payload.NrAr[7] - ); + res == -1 ? "failed " : "success", + payload.NrAr[0], payload.NrAr[1], + payload.NrAr[2], payload.NrAr[3], + payload.NrAr[4], payload.NrAr[5], + payload.NrAr[6], payload.NrAr[7] + ); if (res == -1) { // Need to do a dummy UID select that will fail diff --git a/client/src/cmdlf.c b/client/src/cmdlf.c index 5943e6319..84550729f 100644 --- a/client/src/cmdlf.c +++ b/client/src/cmdlf.c @@ -1719,9 +1719,22 @@ int CmdLFfind(const char *Cmd) { PrintAndLogEx(INFO, _CYAN_("Checking for known tags...")); PrintAndLogEx(INFO, ""); + int retval = PM3_SUCCESS; + // only run these tests if device is online if (is_online) { + if (IfPm3Hitag()) { + if (ht2_read_paxton() == PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("Paxton ID") " found!"); + if (search_cont) { + found++; + } else { + goto out; + } + } + } + #if !defined ICOPYX if (IfPm3EM4x50()) { if (read_em4x50_uid() == PM3_SUCCESS) { @@ -1769,8 +1782,6 @@ int CmdLFfind(const char *Cmd) { } } - int retval = PM3_SUCCESS; - // ask / man if (demodEM410x(true) == PM3_SUCCESS) { PrintAndLogEx(SUCCESS, "\nValid " _GREEN_("EM410x ID") " found!"); diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index a438117c2..5a853ae77 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -35,6 +35,10 @@ static int CmdHelp(const char *Cmd); +static const uint8_t ht2_default_keys[] = { + 0xBD, 0xF5, 0xE8, 0x46 // PAXTON +}; + static const char *getHitagTypeStr(uint32_t uid) { //uid s/n ******** uint8_t type = (uid >> 4) & 0xF; 
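Review bot: `Valid Paxton ID found!` is printed on `ht2_read_paxton() == PM3_SUCCESS`, but as written in the cmdlfhitag.c hunk at 2486 that function returns PM3_SUCCESS for any reply with `resp.status == PM3_SUCCESS`, before `print_hitag2_paxton()` has compared block 1 with the Paxton password; a Hitag2 that answers but carries non-Paxton data is then reported as a hit and, with `search_cont` false, the `goto out` skips every remaining check in CmdLFfind. If the early `memcmp` in print_hitag2_paxton is meant to be the "not Paxton" signal, let ht2_read_paxton make that decision before printing, e.g. `if (memcmp(data + 4, ht2_default_keys, sizeof(ht2_default_keys)) != 0) { return PM3_ESOFT; }` ahead of the `print_hitag2_paxton(false, data)` call, so the search falls through to the other detectors. The hunk at 1769 only moves the `retval` declaration up and needs no change. CmdLFfind's body starts and ends outside the hunk.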
@@ -205,7 +209,7 @@ static int CmdLFHitagList(const char *Cmd) { */ } -static void print_hitag2_paxton(const uint8_t *data) { +static void print_hitag2_paxton(bool show_header, const uint8_t *data) { // if the pwd isn't.. if (memcmp(data + 4, "\xBD\xF5\xE8\x46", 4)) { @@ -263,10 +267,14 @@ static void print_hitag2_paxton(const uint8_t *data) { } } - PrintAndLogEx(INFO, ""); - PrintAndLogEx(INFO, "--- " _CYAN_("Possible de-scramble patterns") " -------------"); + if (show_header) { + PrintAndLogEx(INFO, ""); + PrintAndLogEx(INFO, "--- " _CYAN_("Possible de-scramble patterns") " -------------"); + } PrintAndLogEx(SUCCESS, "Paxton id... %" PRIu64 " | 0x%" PRIx64 " ( %s )", paxton_id, paxton_id, formfactor); - PrintAndLogEx(INFO, ""); + if (show_header) { + PrintAndLogEx(INFO, ""); + } } static void print_hitag2_configuration(uint32_t uid, uint8_t config) { @@ -1079,7 +1087,7 @@ static int CmdLFHitagRd(const char *Cmd) { if (use_ht2) { print_hitag2_blocks(data, HITAG2_MAX_BYTE_SIZE); - print_hitag2_paxton(data); + print_hitag2_paxton(true, data); } else { print_hex_break(data, HITAG_MAX_BYTE_SIZE, HITAG_BLOCK_SIZE); } @@ -1624,7 +1632,7 @@ out: if (use_ht2) { print_hitag2_configuration(uid, data[HITAG_BLOCK_SIZE * 3]); print_hitag2_blocks(data, HITAG2_MAX_BYTE_SIZE); - print_hitag2_paxton(data); + print_hitag2_paxton(true, data); } else { PrintAndLogEx(INFO, "No memory printing available"); } @@ -1685,7 +1693,7 @@ static int CmdLFHitagView(const char *Cmd) { uint8_t config = dump[HITAG2_CONFIG_OFFSET]; uint32_t uid = bytes_to_num(dump, HITAG_UID_SIZE); print_hitag2_configuration(uid, config); - print_hitag2_paxton(dump); + print_hitag2_paxton(true, dump); } print_hitag2_blocks(dump, HITAG2_MAX_BYTE_SIZE); free(dump); 
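Review bot: `print_hitag2_paxton` keeps comparing block 1 against the literal `"\xBD\xF5\xE8\x46"` although the same four bytes are now defined once as `ht2_default_keys` in the hunk at line 35, so the two copies can silently drift apart; use `if (memcmp(data + 4, ht2_default_keys, sizeof(ht2_default_keys))) {` instead. The new `show_header` parameter is undocumented and its effect is split across two `if` blocks; a one-line comment above the definition such as `// show_header: print the section banner and trailing blank line; false when called from lf search` would save the next reader a trip to the call sites. The call-site hunks at 1079, 1624, 1685 and 1800 just pass `true` and need no change. print_hitag2_paxton's body continues between and beyond the two hunks.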
@@ -1800,7 +1808,7 @@ static int CmdLFHitagEview(const char *Cmd) { uint8_t config = dump[HITAG2_CONFIG_OFFSET]; uint32_t uid = bytes_to_num(dump, HITAG_UID_SIZE); print_hitag2_configuration(uid, config); - print_hitag2_paxton(dump); + print_hitag2_paxton(true, dump); } print_hitag2_blocks(dump, HITAG2_MAX_BYTE_SIZE); free(dump); @@ -2486,6 +2494,35 @@ int ht2_read_uid(void) { return PM3_SUCCESS; } +int ht2_read_paxton(void) { + +// read block 4,5,6,7 + + lf_hitag_data_t packet; + memset(&packet, 0, sizeof(packet)); + + packet.cmd = RHT2F_PASSWORD; + memcpy(packet.pwd, ht2_default_keys, sizeof(packet.pwd)); + + clearCommandBuffer(); + SendCommandNG(CMD_LF_HITAG_READER, (uint8_t *)&packet, sizeof(packet)); + + PacketResponseNG resp; + if (WaitForResponseTimeout(CMD_LF_HITAG_READER, &resp, 2000) == false) { + SendCommandNG(CMD_BREAK_LOOP, NULL, 0); + return PM3_ETIMEOUT; + } + + if (resp.status != PM3_SUCCESS) { + PrintAndLogEx(DEBUG, "DEBUG: Error - hitag failed"); + return PM3_ESOFT; + } + + uint8_t *data = resp.data.asBytes; + print_hitag2_paxton(false, data); + return PM3_SUCCESS; +} + static command_t CommandTable[] = { {"help", CmdHelp, AlwaysAvailable, "This help"}, {"list", CmdLFHitagList, AlwaysAvailable, "List Hitag trace history"}, diff --git a/client/src/cmdlfhitag.h b/client/src/cmdlfhitag.h index 08d141aa3..81bc26a7e 100644 --- a/client/src/cmdlfhitag.h +++ b/client/src/cmdlfhitag.h @@ -28,6 +28,7 @@ int CmdLFHitag(const char *Cmd); int ht2_read_uid(void); +int ht2_read_paxton(void); void annotateHitag1(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response); void annotateHitag2(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, uint8_t bits, bool is_response, const uint64_t *keys, uint32_t keycount, bool isdecrypted); void annotateHitagS(char *exp, size_t size, const uint8_t *cmd, uint8_t cmdsize, bool is_response); diff --git a/doc/commands.json b/doc/commands.json index 3a50c61b7..1bec5da47 100644 
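Review bot: `ht2_read_paxton` passes `resp.data.asBytes` straight to `print_hitag2_paxton` without checking `resp.length`, so a short reply from the reader would be decoded as if it were a full Hitag2 dump; add `if (resp.length < HITAG2_MAX_BYTE_SIZE) { return PM3_ESOFT; }` after the status check (assuming the reader command fills `resp.length` with the returned byte count). `memcpy(packet.pwd, ht2_default_keys, sizeof(packet.pwd))` sizes the copy by the destination, which over-reads the four-byte `ht2_default_keys` if `pwd` is ever wider; sizing by the source (`sizeof(ht2_default_keys)`) and asserting the two sizes agree with `_Static_assert` is the safer idiom. The `// read block 4,5,6,7` comment sits at column 0 inside the function body; indent it with the code and state the intent, e.g. `// authenticate with the Paxton password and fetch the tag memory`. The matching declaration in the cmdlfhitag.h hunk carries no comment on its return values (PM3_SUCCESS, PM3_ETIMEOUT, PM3_ESOFT).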
--- a/doc/commands.json
+++ b/doc/commands.json
@@ -9731,7 +9731,7 @@
 "description": "Read Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
 "notes": [
 "lf hitag hts rdbl -> Hitag S/8211, plain mode",
- "lf hitag hts rdbl --8 -k BBDD3399 -> 8268/8310, password mode",
+ "lf hitag hts rdbl --82xx -k BBDD3399 -> 8268/8310, password mode",
 "lf hitag hts rdbl --nrar 0102030411223344 -> Hitag S, challenge mode",
 "lf hitag hts rdbl --crypto -> Hitag S, crypto mode, def key",
 "lf hitag hts rdbl -k 4F4E4D494B52 -> Hitag S, crypto mode"
@@ -9765,7 +9765,7 @@
 "description": "Write a page in Hitag S memory. Crypto mode: - key format ISK high + ISK low - default key 4F4E4D494B52 (ONMIKR) 8268/8310 password mode: - default password BBDD3399",
 "notes": [
 "lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode",
- "lf hitag hts wrbl -p 6 -d 01020304 --8 -k BBDD3399 -> 8268/8310, password mode",
+ "lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode",
 "lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode",
 "lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key",
 "lf hitag hts wrbl -p 6 -d 01020304 -k 4F4E4D494B52 -> Hitag S, crypto mode"
@@ -9774,13 +9774,13 @@
 "options": [
 "-h, --help This help",
 "--nrar nonce / answer writer, 8 hex bytes",
- "--8 8268/8310 mode",
+ "-8, --82xx 8268/8310 mode",
 "--crypto crypto mode",
 "-k, --key pwd or key, 4 or 6 hex bytes",
 "-p, --page page address to write to",
 "-d, --data data, 4 hex bytes"
 ],
- "usage": "lf hitag hts wrbl [-h] [--nrar ] [--8] [--crypto] [-k ] -p -d "
+ "usage": "lf hitag hts wrbl [-h8] [--nrar ] [--crypto] [-k ] -p -d "
 },
 "lf hitag info": {
 "command": "lf hitag info",
@@ -12902,8 +12902,8 @@
 }
 },
 "metadata": {
- "commands_extracted": 744,
+ "commands_extracted": 745,
 "extracted_by": "PM3Help2JSON v1.00",
- "extracted_on": "2024-09-15T09:53:32"
+ "extracted_on": "2024-09-15T16:16:09"
 }
 }