From e3767a3e284b2f7b9b804cf1cb34475896ade807 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Fri, 21 Aug 2020 14:10:32 +0200
Subject: [PATCH] lf t55 chk m (works again!). lf t55 config (prints correct pwd if used)
---
 armsrc/lfops.c | 84 ++++++++++++++++++++++-------------------
 client/src/cmdlft55xx.c | 69 ++++++++++++++++-----------------
 client/src/cmdlft55xx.h | 3 +-
 3 files changed, 80 insertions(+), 76 deletions(-)
diff --git a/armsrc/lfops.c b/armsrc/lfops.c
index 612458c9b..fe502a87d 100644
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@@ -2010,13 +2010,12 @@ void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block,
 flags |= (downlink_mode & 3) << 3;
 if (brute_mem) flags |= 0x0100;
-// T55xxReadBlockExt (flags,block,pwd);
+
 size_t samples = 12000;
- // bool brute_mem = (flags & 0x0100) >> 8;
 LED_A_ON();
- if (brute_mem) samples = 1024;
+ if (brute_mem) samples = 2048;
 //-- Set Read Flag to ensure SendCMD does not add "data" to the packet
 //-- flags |= 0x40;
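Review bot: The brute-force sample count in `if (brute_mem) samples = 2048;` has to stay in lockstep with the `CHK_SAMPLES_SIGNAL 2048` that the caller T55xx_ChkPwds uses to walk `buf[j]` in the next hunk; if either side is changed alone, the summing loop quietly includes stale samples beyond what was just acquired. Hoist a single shared constant (a file-scope `#define` next to the other T55xx constants) and use it in both places, so this line becomes `if (brute_mem) samples = CHK_SAMPLES_SIGNAL;`. The rest of T55xxReadBlock lies outside this hunk.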
@@ -2044,44 +2043,56 @@ void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block, DoPartialAcquisition(0, false, samples, 0); // Turn the field off - if (!brute_mem) { + if (brute_mem == false) { FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); reply_ng(CMD_LF_T55XX_READBL, PM3_SUCCESS, NULL, 0); LED_A_OFF(); } - } + void T55xx_ChkPwds(uint8_t flags) { - DbpString("[+] T55XX Check pwds using flashmemory starting"); +#define CHK_SAMPLES_SIGNAL 2048 + +#ifdef WITH_FLASH + DbpString(_CYAN_("T55XX Check pwds using flashmemory starting")); +#else + DbpString(_CYAN_("T55XX Check pwds starting")); +#endif // First get baseline and setup LF mode. - // tends to mess up BigBuf uint8_t *buf = BigBuf_get_addr(); - uint8_t ret = 0; uint8_t downlink_mode = (flags >> 3) & 0x03; - uint32_t b1, baseline = 0; + uint64_t b1, baseline_faulty = 0; - // collect baseline for failed attempt + DbpString("Determine baseline..."); + + // collect baseline for failed attempt ( should give me block1 ) uint8_t x = 32; while (x--) { b1 = 0; - T55xxReadBlock(0, 0, true, 1, 0, downlink_mode); - for (uint16_t j = 0; j < 1024; ++j) + T55xxReadBlock(0, 0, true, 0, 0, downlink_mode); + for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) { b1 += buf[j]; - + } b1 *= b1; b1 >>= 8; - baseline += b1; + baseline_faulty += b1; } - - baseline >>= 5; - Dbprintf("[=] Baseline determined [%u]", baseline); + baseline_faulty >>= 5; uint8_t *pwds = BigBuf_get_EM_addr(); uint16_t pwd_count = 0; - uint32_t candidate = 0; + + struct p { + bool found; + uint32_t candidate; + } PACKED payload; + + payload.found = false; + payload.candidate = 0; + #ifdef WITH_FLASH BigBuf_Clear_EM(); 
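Review bot: The comment `// collect baseline for failed attempt ( should give me block1 )` disagrees with the call directly below it, `T55xxReadBlock(0, 0, true, 0, 0, downlink_mode);`, whose fourth argument (`block`, per the signature in the hunk header) is now 0 where it used to be 1; correct whichever of the two is wrong so the next reader knows which block the baseline is meant to come from. The reply layout `struct p { bool found; uint32_t candidate; } PACKED` is declared locally here and repeated verbatim in the client's CmdT55xxChkPwds hunk, so a change on one side will not be caught on the other; a single definition in a header shared by armsrc and client keeps them in lockstep. `payload.found = false; payload.candidate = 0;` can be folded into the declaration as `} PACKED payload = {0};`. T55xx_ChkPwds continues in the next hunk.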
@@ -2107,48 +2118,45 @@ void T55xx_ChkPwds(uint8_t flags) { if (isok != pwd_size_available) goto OUT; - Dbprintf("[=] Password dictionary count %d ", pwd_count); + Dbprintf("Password dictionary count " _YELLOW_("%d"), pwd_count); + #endif - uint32_t pwd = 0, curr = 0, prev = 0; - for (uint16_t i = 0; i < pwd_count; ++i) { + uint64_t curr = 0, prev = 0; + int32_t idx = -1; - if (BUTTON_PRESS() && !data_available()) { - goto OUT; - } + for (uint32_t i = 0; i < pwd_count; i++) { - pwd = bytes_to_num(pwds + i * 4, 4); + uint32_t pwd = bytes_to_num(pwds + (i * 4), 4); T55xxReadBlock(0, true, true, 0, pwd, downlink_mode); - // calc mean of BigBuf 1024 samples. - uint32_t sum = 0; - for (uint16_t j = 0; j < 1024; ++j) { + uint64_t sum = 0; + for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) { sum += buf[j]; } - sum *= sum; sum >>= 8; - int32_t tmp = (sum - baseline); - curr = ABS(tmp); - - Dbprintf("[=] Pwd %08X | ABS %u", pwd, curr); + int64_t tmp_dist = (baseline_faulty - sum); + curr = ABS(tmp_dist); if (curr > prev) { - Dbprintf("[=] --> ABS %u Candidate %08X <--", curr, pwd); - candidate = pwd; + idx = i; prev = curr; } } - if (candidate) - ret = 1; + if (idx != -1) { + payload.found = true; + payload.candidate = bytes_to_num(pwds + (idx * 4), 4); + } OUT: FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - reply_mix(CMD_ACK, ret, candidate, 0, 0, 0); LEDsoff(); + reply_ng(CMD_LF_T55XX_CHK_PWDS, PM3_SUCCESS, (uint8_t*)&payload, sizeof(payload)); + BigBuf_free(); } void T55xxWakeUp(uint32_t pwd, uint8_t flags) { diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c index e9fad9b9d..bfa8e12db 100644 --- a/client/src/cmdlft55xx.c +++ b/client/src/cmdlft55xx.c 
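Review bot: The `goto OUT` taken when the dictionary load fails (`if (isok != pwd_size_available) goto OUT;`) still ends in `reply_ng(CMD_LF_T55XX_CHK_PWDS, PM3_SUCCESS, ...)` with `payload.found == false`, so the client cannot distinguish a flash read failure from a dictionary that simply produced no candidate; carry a status variable that the failure path sets to a non-success code and pass that to reply_ng instead of the constant PM3_SUCCESS. The loop also lost the old `BUTTON_PRESS()` abort check, so a large dictionary can no longer be interrupted from the device; re-add `if (BUTTON_PRESS() && !data_available()) goto OUT;` at the top of the loop body. `int64_t tmp_dist = (baseline_faulty - sum);` subtracts two uint64_t values and relies on unsigned wrap-around converting back to a negative; `int64_t tmp_dist = (int64_t)baseline_faulty - (int64_t)sum;` states the intent directly.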
@@ -575,18 +575,11 @@ bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0, if (verbose) PrintAndLogEx(INFO, "Block0 write detected, running `detect` to see if validation is possible"); - // Update flags for usepwd pwd assume its correct - config.usepwd = usepwd; - if (usepwd) - config.pwd = password; - else - config.pwd = 0x00; - for (uint8_t m = 0; m < 4; m++) { if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, m) == false) continue; - if (tryDetectModulationEx(m, verbose, known_block0) == false) + if (tryDetectModulationEx(m, verbose, known_block0, (usepwd) ? password : -1) == false) continue; config.downlink_mode = m; @@ -594,7 +587,6 @@ bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0, } config.usepwd = false; // unknown so assume no password config.pwd = 0x00; - return false; } @@ -850,7 +842,7 @@ int T55xxReadBlockEx(uint8_t block, bool page1, bool usepwd, uint8_t override, u if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0, downlink_mode) == false) return PM3_ERFTRANS; - if (tryDetectModulation(downlink_mode, false) == false) { + if (tryDetectModulationEx(downlink_mode, false, 0, password) == false) { PrintAndLogEx(WARNING, "Safety check: Could not detect if PWD bit is set in config block. Exits."); return PM3_EWRONGANSWER; } else { 
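Review bot: The sentinel in `tryDetectModulationEx(m, verbose, known_block0, (usepwd) ? password : -1)` never reaches the callee as -1: `password` is `uint32_t`, so the conditional expression has type uint32_t, `-1` becomes 0xFFFFFFFF, and widening to the `uint64_t pwd` parameter gives 0x00000000FFFFFFFF, which does not satisfy the callee's `pwd != -1` test (there -1 converts to UINT64_MAX). The no-password path therefore records `config.usepwd = true` with `config.pwd = 0xffffffff`. Widen before the conditional: `(usepwd) ? (uint64_t)password : (uint64_t)-1`. The body of t55xxAquireAndDetect continues past this hunk.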
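Review bot: In T55xxReadBlockEx the safety-check call `tryDetectModulationEx(downlink_mode, false, 0, password)` hands over `password` even though the AcquireData two lines above was made with `false, 0`, i.e. without a password; since the callee treats every value other than -1 as a password in use, this read records `config.usepwd = true` and `config.pwd = password` regardless of `usepwd`. The same unconditional `password` argument appears in both branches of CmdT55xxDetect in the next hunk, where the code it replaces only set config.pwd when `try_with_pwd` was true. If recording the user-supplied password here is intended, a one-line comment saying so would help; otherwise pass the sentinel when no password is in use, e.g. `usepwd ? (uint64_t)password : (uint64_t)-1` here and `(try_with_pwd && usepwd) ? (uint64_t)password : (uint64_t)-1` in the detect loop. T55xxReadBlockEx starts before this hunk.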
@@ -1079,28 +1071,15 @@ static int CmdT55xxDetect(const char *Cmd) { if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, try_with_pwd && usepwd, password, m) == false) continue; - // pre fill to save passing in. - config.usepwd = try_with_pwd; - if (try_with_pwd) - config.pwd = password; - else - config.pwd = 0x00; - - if (tryDetectModulation(m, T55XX_PrintConfig) == false) + if (tryDetectModulationEx(m, T55XX_PrintConfig, 0, password) == false) continue; found = true; break; } } else { - config.usepwd = try_with_pwd; - if (try_with_pwd) - config.pwd = password; - else - config.pwd = 0x00; - if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, downlink_mode)) { - found = tryDetectModulation(downlink_mode, T55XX_PrintConfig); + found = tryDetectModulationEx(downlink_mode, T55XX_PrintConfig, 0, password); } } @@ -1126,10 +1105,10 @@ static int CmdT55xxDetect(const char *Cmd) { // detect configuration? bool tryDetectModulation(uint8_t downlink_mode, bool print_config) { - return tryDetectModulationEx(downlink_mode, print_config, 0); + return tryDetectModulationEx(downlink_mode, print_config, 0, -1); } -bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf) { +bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf, uint64_t pwd) { t55xx_conf_block_t tests[15]; int bitRate = 0, clk = 0, firstClockEdge = 0; @@ -1301,6 +1280,10 @@ bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wa config.Q5 = tests[0].Q5; config.ST = tests[0].ST; config.downlink_mode = downlink_mode; + if (pwd != -1) { + config.usepwd = true; + config.pwd = pwd & 0xffffffff; + } if (print_config) printConfiguration(config); 
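Review bot: `if (pwd != -1)` in tryDetectModulationEx compares a `uint64_t` with an int literal, which only works because -1 converts to UINT64_MAX, and `config.pwd = pwd & 0xffffffff;` silently truncates any wider value; the same four lines are repeated in the next hunk of this function. Give the sentinel a name in the header (a constant defined as `((uint64_t)-1)`) and compare against it, and move the two copies into one small static helper so a future call site cannot forget one. The header declaration should also say that `pwd` is optional and what the sentinel value means. The body of tryDetectModulationEx continues beyond this hunk.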
@@ -1328,6 +1311,11 @@ bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wa config.Q5 = tests[i].Q5; config.ST = tests[i].ST; config.downlink_mode = tests[i].downlink_mode; + + if (pwd != -1) { + config.usepwd = true; + config.pwd = pwd & 0xffffffff; + } } else { PrintAndLogEx(NORMAL, "--[%d]---------------", i + 1); } @@ -2553,8 +2541,10 @@ bool AcquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password, u } getSamples(12000, false); + bool ok = !getSignalProperties()->isnoise; - return !getSignalProperties()->isnoise; + config.usepwd = pwdmode; + return ok; } char *GetPskCfStr(uint32_t id, bool q5) { @@ -3044,7 +3034,7 @@ static int CmdT55xxChkPwds(const char *Cmd) { SendCommandNG(CMD_LF_T55XX_CHK_PWDS, &flags, sizeof(flags)); PacketResponseNG resp; - while (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { + while (!WaitForResponseTimeout(CMD_LF_T55XX_CHK_PWDS, &resp, 2000)) { timeout++; printf("."); fflush(stdout); 
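Review bot: AcquireData now writes `config.usepwd = pwdmode;` unconditionally, including when the acquisition was noise and the function returns false, while leaving `config.pwd` untouched; after a failed acquisition with pwdmode set, the global config claims a password is in use but still holds whatever an earlier run stored, until a later tryDetectModulationEx success overwrites it. Keep the two fields consistent at the same spot, `config.usepwd = pwdmode; config.pwd = pwdmode ? password : 0x00;`, or update them only on the `ok` path. The start of AcquireData is outside this hunk.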
@@ -3053,14 +3043,19 @@ static int CmdT55xxChkPwds(const char *Cmd) { return PM3_ENODATA; } } + struct p { + bool found; + uint32_t candidate; + } PACKED; + struct p* packet = (struct p*)resp.data.asBytes; - if (resp.oldarg[0]) { - PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08"PRIX64) " ]. Trying to validate", resp.oldarg[1]); + if (packet->found) { + PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08"PRIX64) " ]", packet->candidate); - if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.oldarg[1], downlink_mode)) { - found = tryDetectModulation(downlink_mode, T55XX_PrintConfig); + if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, packet->candidate, downlink_mode)) { + found = tryDetectModulationEx(downlink_mode, T55XX_PrintConfig, 0, packet->candidate); if (found) { - PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX64) " ]", resp.oldarg[1]); + PrintAndLogEx(SUCCESS, "Found valid password [ " _GREEN_("%08"PRIX64) " ]", packet->candidate); } else { PrintAndLogEx(WARNING, "Check pwd failed"); @@ -3108,7 +3103,7 @@ static int CmdT55xxChkPwds(const char *Cmd) { continue; } - found = tryDetectModulation(dl_mode, T55XX_PrintConfig); + found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, curr_password); if (found) { PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX64) " ]", curr_password); dl_mode = 4; // Exit other downlink mode checks @@ -3126,7 +3121,7 @@ static int CmdT55xxChkPwds(const char *Cmd) { out: t1 = msclock() - t1; - PrintAndLogEx(SUCCESS, "\nTime in check pwd: %.0f seconds\n", (float)t1 / 1000.0); + PrintAndLogEx(SUCCESS, "\nTime in check pwd " _YELLOW_("%.0f") " seconds\n", (float)t1 / 1000.0); return PM3_SUCCESS; } 
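Review bot: Both PrintAndLogEx calls in this hunk format `packet->candidate`, a `uint32_t`, with `%08"PRIX64`, which expects a 64-bit argument; the previous code passed `resp.oldarg[1]` (64-bit), so the specifier used to match but is now undefined behaviour in the varargs call. Use `%08"PRIX32` for `packet->candidate` in both lines, or cast the argument to `uint64_t`. The cast `struct p* packet = (struct p*)resp.data.asBytes;` is also performed without confirming that the reply carries `sizeof(struct p)` bytes; check `resp.length` (and the reply status) before reading `packet->found`. CmdT55xxChkPwds continues beyond this hunk.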
@@ -3225,7 +3220,7 @@ uint8_t tryOnePassword(uint32_t password, uint8_t downlink_mode) { if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password, dl_mode)) { // if (getSignalProperties()->isnoise == false) { // } else { - if (tryDetectModulation(dl_mode, T55XX_PrintConfig)) { + if (tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0 ,password)) { return 1 + (dl_mode << 1); } // } diff --git a/client/src/cmdlft55xx.h b/client/src/cmdlft55xx.h index 46043d277..c710876cf 100644 --- a/client/src/cmdlft55xx.h +++ b/client/src/cmdlft55xx.h @@ -181,7 +181,8 @@ int t55xxWrite(uint8_t block, bool page1, bool usepwd, bool testMode, uint32_t p bool GetT55xxBlockData(uint32_t *blockdata); bool DecodeT55xxBlock(void); bool tryDetectModulation(uint8_t downlink_mode, bool print_config); -bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf); +//bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf); +bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf, uint64_t pwd); bool testKnownConfigBlock(uint32_t block0); bool tryDetectP1(bool getData);
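Review bot: `tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0 ,password)` in tryOnePassword has the comma spacing reversed; write `0, password` to match the other call sites in this patch. The header hunk keeps the old prototype as `//bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf);` — a commented-out declaration is dead text that the history already preserves, so delete that line. tryOnePassword begins before this hunk.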