RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-02-25 08:35:56 +08:00
Code Issues Projects Releases Packages Wiki Activity

lf t55 chk m (works again!). lf t55 config (prints correct pwd if used)

Browse source
This commit is contained in:
iceman1001 2020-08-21 14:10:32 +02:00
parent 8d97698bd5
commit e3767a3e28
3 changed files with 80 additions and 76 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
armsrc/lfops.c
View file

@ -2010,13 +2010,12 @@ void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block,
flags |= (downlink_mode & 3) << 3; flags |= (downlink_mode & 3) << 3;
if (brute_mem) flags |= 0x0100; if (brute_mem) flags |= 0x0100;
// T55xxReadBlockExt (flags,block,pwd);
size_t samples = 12000; size_t samples = 12000;
// bool brute_mem = (flags & 0x0100) >> 8;
LED_A_ON(); LED_A_ON();
if (brute_mem) samples = 1024; if (brute_mem) samples = 2048;
//-- Set Read Flag to ensure SendCMD does not add "data" to the packet //-- Set Read Flag to ensure SendCMD does not add "data" to the packet
//-- flags |= 0x40; //-- flags |= 0x40;
@ -2044,44 +2043,56 @@ void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block,
DoPartialAcquisition(0, false, samples, 0); DoPartialAcquisition(0, false, samples, 0);
// Turn the field off // Turn the field off
if (!brute_mem) { if (brute_mem == false) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
reply_ng(CMD_LF_T55XX_READBL, PM3_SUCCESS, NULL, 0); reply_ng(CMD_LF_T55XX_READBL, PM3_SUCCESS, NULL, 0);
LED_A_OFF(); LED_A_OFF();
} }
} }
void T55xx_ChkPwds(uint8_t flags) { void T55xx_ChkPwds(uint8_t flags) {
DbpString("[+] T55XX Check pwds using flashmemory starting"); #define CHK_SAMPLES_SIGNAL 2048
#ifdef WITH_FLASH
DbpString(_CYAN_("T55XX Check pwds using flashmemory starting"));
#else
DbpString(_CYAN_("T55XX Check pwds starting"));
#endif
// First get baseline and setup LF mode. // First get baseline and setup LF mode.
// tends to mess up BigBuf
uint8_t *buf = BigBuf_get_addr(); uint8_t *buf = BigBuf_get_addr();
uint8_t ret = 0;
uint8_t downlink_mode = (flags >> 3) & 0x03; uint8_t downlink_mode = (flags >> 3) & 0x03;
uint32_t b1, baseline = 0; uint64_t b1, baseline_faulty = 0;
// collect baseline for failed attempt DbpString("Determine baseline...");
// collect baseline for failed attempt ( should give me block1 )
uint8_t x = 32; uint8_t x = 32;
while (x--) { while (x--) {
b1 = 0; b1 = 0;
T55xxReadBlock(0, 0, true, 1, 0, downlink_mode); T55xxReadBlock(0, 0, true, 0, 0, downlink_mode);
for (uint16_t j = 0; j < 1024; ++j) for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) {
b1 += buf[j]; b1 += buf[j];
}
b1 *= b1; b1 *= b1;
b1 >>= 8; b1 >>= 8;
baseline += b1; baseline_faulty += b1;
} }
baseline_faulty >>= 5;
baseline >>= 5;
Dbprintf("[=] Baseline determined [%u]", baseline);
uint8_t *pwds = BigBuf_get_EM_addr(); uint8_t *pwds = BigBuf_get_EM_addr();
uint16_t pwd_count = 0; uint16_t pwd_count = 0;
uint32_t candidate = 0;
struct p {
bool found;
uint32_t candidate;
} PACKED payload;
payload.found = false;
payload.candidate = 0;
#ifdef WITH_FLASH #ifdef WITH_FLASH
BigBuf_Clear_EM(); BigBuf_Clear_EM();
@ -2107,48 +2118,45 @@ void T55xx_ChkPwds(uint8_t flags) {
if (isok != pwd_size_available) if (isok != pwd_size_available)
goto OUT; goto OUT;
Dbprintf("[=] Password dictionary count %d ", pwd_count); Dbprintf("Password dictionary count " _YELLOW_("%d"), pwd_count);
#endif #endif
uint32_t pwd = 0, curr = 0, prev = 0; uint64_t curr = 0, prev = 0;
for (uint16_t i = 0; i < pwd_count; ++i) { int32_t idx = -1;
if (BUTTON_PRESS() && !data_available()) { for (uint32_t i = 0; i < pwd_count; i++) {
goto OUT;
}
pwd = bytes_to_num(pwds + i * 4, 4); uint32_t pwd = bytes_to_num(pwds + (i * 4), 4);
T55xxReadBlock(0, true, true, 0, pwd, downlink_mode); T55xxReadBlock(0, true, true, 0, pwd, downlink_mode);
// calc mean of BigBuf 1024 samples. uint64_t sum = 0;
uint32_t sum = 0; for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) {
for (uint16_t j = 0; j < 1024; ++j) {
sum += buf[j]; sum += buf[j];
} }
sum *= sum; sum *= sum;
sum >>= 8; sum >>= 8;
int32_t tmp = (sum - baseline); int64_t tmp_dist = (baseline_faulty - sum);
curr = ABS(tmp); curr = ABS(tmp_dist);
Dbprintf("[=] Pwd %08X | ABS %u", pwd, curr);
if (curr > prev) { if (curr > prev) {
Dbprintf("[=] --> ABS %u Candidate %08X <--", curr, pwd); idx = i;
candidate = pwd;
prev = curr; prev = curr;
} }
} }
if (candidate) if (idx != -1) {
ret = 1; payload.found = true;
payload.candidate = bytes_to_num(pwds + (idx * 4), 4);
}
OUT: OUT:
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
reply_mix(CMD_ACK, ret, candidate, 0, 0, 0);
LEDsoff(); LEDsoff();
reply_ng(CMD_LF_T55XX_CHK_PWDS, PM3_SUCCESS, (uint8_t*)&payload, sizeof(payload));
BigBuf_free();
} }
void T55xxWakeUp(uint32_t pwd, uint8_t flags) { void T55xxWakeUp(uint32_t pwd, uint8_t flags) {

69
client/src/cmdlft55xx.c
View file

@ -575,18 +575,11 @@ bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0,
if (verbose) if (verbose)
PrintAndLogEx(INFO, "Block0 write detected, running `detect` to see if validation is possible"); PrintAndLogEx(INFO, "Block0 write detected, running `detect` to see if validation is possible");
// Update flags for usepwd pwd assume its correct
config.usepwd = usepwd;
if (usepwd)
config.pwd = password;
else
config.pwd = 0x00;
for (uint8_t m = 0; m < 4; m++) { for (uint8_t m = 0; m < 4; m++) {
if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, m) == false) if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, m) == false)
continue; continue;
if (tryDetectModulationEx(m, verbose, known_block0) == false) if (tryDetectModulationEx(m, verbose, known_block0, (usepwd) ? password : -1) == false)
continue; continue;
config.downlink_mode = m; config.downlink_mode = m;
@ -594,7 +587,6 @@ bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0,
} }
config.usepwd = false; // unknown so assume no password config.usepwd = false; // unknown so assume no password
config.pwd = 0x00; config.pwd = 0x00;
return false; return false;
} }
@ -850,7 +842,7 @@ int T55xxReadBlockEx(uint8_t block, bool page1, bool usepwd, uint8_t override, u
if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0, downlink_mode) == false) if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0, downlink_mode) == false)
return PM3_ERFTRANS; return PM3_ERFTRANS;
if (tryDetectModulation(downlink_mode, false) == false) { if (tryDetectModulationEx(downlink_mode, false, 0, password) == false) {
PrintAndLogEx(WARNING, "Safety check: Could not detect if PWD bit is set in config block. Exits."); PrintAndLogEx(WARNING, "Safety check: Could not detect if PWD bit is set in config block. Exits.");
return PM3_EWRONGANSWER; return PM3_EWRONGANSWER;
} else { } else {
@ -1079,28 +1071,15 @@ static int CmdT55xxDetect(const char *Cmd) {
if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, try_with_pwd && usepwd, password, m) == false) if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, try_with_pwd && usepwd, password, m) == false)
continue; continue;
// pre fill to save passing in. if (tryDetectModulationEx(m, T55XX_PrintConfig, 0, password) == false)
config.usepwd = try_with_pwd;
if (try_with_pwd)
config.pwd = password;
else
config.pwd = 0x00;
if (tryDetectModulation(m, T55XX_PrintConfig) == false)
continue; continue;
found = true; found = true;
break; break;
} }
} else { } else {
config.usepwd = try_with_pwd;
if (try_with_pwd)
config.pwd = password;
else
config.pwd = 0x00;
if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, downlink_mode)) { if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, downlink_mode)) {
found = tryDetectModulation(downlink_mode, T55XX_PrintConfig); found = tryDetectModulationEx(downlink_mode, T55XX_PrintConfig, 0, password);
} }
} }
@ -1126,10 +1105,10 @@ static int CmdT55xxDetect(const char *Cmd) {
// detect configuration? // detect configuration?
bool tryDetectModulation(uint8_t downlink_mode, bool print_config) { bool tryDetectModulation(uint8_t downlink_mode, bool print_config) {
return tryDetectModulationEx(downlink_mode, print_config, 0); return tryDetectModulationEx(downlink_mode, print_config, 0, -1);
} }
bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf) { bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf, uint64_t pwd) {
t55xx_conf_block_t tests[15]; t55xx_conf_block_t tests[15];
int bitRate = 0, clk = 0, firstClockEdge = 0; int bitRate = 0, clk = 0, firstClockEdge = 0;
@ -1301,6 +1280,10 @@ bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wa
config.Q5 = tests[0].Q5; config.Q5 = tests[0].Q5;
config.ST = tests[0].ST; config.ST = tests[0].ST;
config.downlink_mode = downlink_mode; config.downlink_mode = downlink_mode;
if (pwd != -1) {
config.usepwd = true;
config.pwd = pwd & 0xffffffff;
}
if (print_config) if (print_config)
printConfiguration(config); printConfiguration(config);
@ -1328,6 +1311,11 @@ bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wa
config.Q5 = tests[i].Q5; config.Q5 = tests[i].Q5;
config.ST = tests[i].ST; config.ST = tests[i].ST;
config.downlink_mode = tests[i].downlink_mode; config.downlink_mode = tests[i].downlink_mode;
if (pwd != -1) {
config.usepwd = true;
config.pwd = pwd & 0xffffffff;
}
} else { } else {
PrintAndLogEx(NORMAL, "--[%d]---------------", i + 1); PrintAndLogEx(NORMAL, "--[%d]---------------", i + 1);
} }
@ -2553,8 +2541,10 @@ bool AcquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password, u
} }
getSamples(12000, false); getSamples(12000, false);
bool ok = !getSignalProperties()->isnoise;
return !getSignalProperties()->isnoise; config.usepwd = pwdmode;
return ok;
} }
char *GetPskCfStr(uint32_t id, bool q5) { char *GetPskCfStr(uint32_t id, bool q5) {
@ -3044,7 +3034,7 @@ static int CmdT55xxChkPwds(const char *Cmd) {
SendCommandNG(CMD_LF_T55XX_CHK_PWDS, &flags, sizeof(flags)); SendCommandNG(CMD_LF_T55XX_CHK_PWDS, &flags, sizeof(flags));
PacketResponseNG resp; PacketResponseNG resp;
while (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { while (!WaitForResponseTimeout(CMD_LF_T55XX_CHK_PWDS, &resp, 2000)) {
timeout++; timeout++;
printf("."); printf(".");
fflush(stdout); fflush(stdout);
@ -3053,14 +3043,19 @@ static int CmdT55xxChkPwds(const char *Cmd) {
return PM3_ENODATA; return PM3_ENODATA;
} }
} }
struct p {
bool found;
uint32_t candidate;
} PACKED;
struct p* packet = (struct p*)resp.data.asBytes;
if (resp.oldarg[0]) { if (packet->found) {
PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08"PRIX64) " ]. Trying to validate", resp.oldarg[1]); PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08"PRIX64) " ]", packet->candidate);
if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.oldarg[1], downlink_mode)) { if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, packet->candidate, downlink_mode)) {
found = tryDetectModulation(downlink_mode, T55XX_PrintConfig); found = tryDetectModulationEx(downlink_mode, T55XX_PrintConfig, 0, packet->candidate);
if (found) { if (found) {
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX64) " ]", resp.oldarg[1]); PrintAndLogEx(SUCCESS, "Found valid password [ " _GREEN_("%08"PRIX64) " ]", packet->candidate);
} else { } else {
PrintAndLogEx(WARNING, "Check pwd failed"); PrintAndLogEx(WARNING, "Check pwd failed");
@ -3108,7 +3103,7 @@ static int CmdT55xxChkPwds(const char *Cmd) {
continue; continue;
} }
found = tryDetectModulation(dl_mode, T55XX_PrintConfig); found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, curr_password);
if (found) { if (found) {
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX64) " ]", curr_password); PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX64) " ]", curr_password);
dl_mode = 4; // Exit other downlink mode checks dl_mode = 4; // Exit other downlink mode checks
@ -3126,7 +3121,7 @@ static int CmdT55xxChkPwds(const char *Cmd) {
out: out:
t1 = msclock() - t1; t1 = msclock() - t1;
PrintAndLogEx(SUCCESS, "\nTime in check pwd: %.0f seconds\n", (float)t1 / 1000.0); PrintAndLogEx(SUCCESS, "\nTime in check pwd " _YELLOW_("%.0f") " seconds\n", (float)t1 / 1000.0);
return PM3_SUCCESS; return PM3_SUCCESS;
} }
@ -3225,7 +3220,7 @@ uint8_t tryOnePassword(uint32_t password, uint8_t downlink_mode) {
if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password, dl_mode)) { if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password, dl_mode)) {
// if (getSignalProperties()->isnoise == false) { // if (getSignalProperties()->isnoise == false) {
// } else { // } else {
if (tryDetectModulation(dl_mode, T55XX_PrintConfig)) { if (tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0 ,password)) {
return 1 + (dl_mode << 1); return 1 + (dl_mode << 1);
} }
// } // }

3
client/src/cmdlft55xx.h
View file

@ -181,7 +181,8 @@ int t55xxWrite(uint8_t block, bool page1, bool usepwd, bool testMode, uint32_t p
bool GetT55xxBlockData(uint32_t *blockdata); bool GetT55xxBlockData(uint32_t *blockdata);
bool DecodeT55xxBlock(void); bool DecodeT55xxBlock(void);
bool tryDetectModulation(uint8_t downlink_mode, bool print_config); bool tryDetectModulation(uint8_t downlink_mode, bool print_config);
bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf); //bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf);
bool tryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf, uint64_t pwd);
bool testKnownConfigBlock(uint32_t block0); bool testKnownConfigBlock(uint32_t block0);
bool tryDetectP1(bool getData); bool tryDetectP1(bool getData);