From 131b58784601ee1ce10281837d3d954670d514aa Mon Sep 17 00:00:00 2001
From: mwalker33
Date: Sat, 26 Sep 2020 13:19:35 +1000
Subject: [PATCH] White Cloner Password Based on the findings of paleopterix
---
 CHANGELOG.md | 1 +
 client/src/cmdlft55xx.c | 36 +++++++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b07ce95dc..bb7fbe7b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
+ - Add lf t55xx chk e option. Checks calculated password based on the EM4100 id from some white cloners forumla by paleopterix (@mwalker33)
 - Add lf t55xx sniff to allow extracting commands and passwords used be cloners. (@mwalker33)
 - Add options to `lf read`, `lf cmdread`, `lf sniff` for repeated acquisitions (@doegox)
 - Change options of `lf read` to match `lf cmdread`, this affects historical `d` and `s` options (@doegox)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index 92c78dfa6..1c415dca7 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@@ -254,16 +254,18 @@ static int usage_t55xx_chk(void) {
 PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
 PrintAndLogEx(NORMAL, _RED_("WARNING:") " this may brick non-password protected chips!");
 PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
- PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r ] [f <*.dic>]");
+ PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r ] [f <*.dic>] [e ]");
 PrintAndLogEx(NORMAL, "Options:");
 PrintAndLogEx(NORMAL, " h - this help");
 PrintAndLogEx(NORMAL, " m - use dictionary from flashmemory\n");
 print_usage_t55xx_downloadlink(T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
 PrintAndLogEx(NORMAL, " f <*.dic> - loads a default keys dictionary file <*.dic>");
+ PrintAndLogEx(NORMAL, " e - will try the calculated password from some cloners based on EM4100 ID");
 PrintAndLogEx(NORMAL, "");
 PrintAndLogEx(NORMAL, "Examples:");
 PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk m"));
 PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk f t55xx_default_pwds"));
+ PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk e aa11223344"));
 PrintAndLogEx(NORMAL, "");
 return PM3_SUCCESS;
 }
@@ -3003,6 +3005,8 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 int dl_mode; // to try each downlink mode for each password
 uint8_t cmdp = 0;
 bool errors = false;
+ bool useCardPassword = false;
+ uint32_t cardPassword = 0x00000000;
 while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 switch (tolower(param_getchar(Cmd, cmdp))) {
@@ -3028,6 +3032,15 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 use_pwd_file = true;
 cmdp += 2;
 break;
+ case 'e':
+ // White cloner password based on EM4100 ID
+ useCardPassword = true;
+ uint64_t EMID = param_get64ex(Cmd,cmdp + 1,0,16); // Get 5 byte EM4100 ID
+ uint32_t ID = EMID & 0xFFFFFFFF; // White Cloner only using low 32 bits
+ // Final formula found by paleopterix (proxmark forum)
+ cardPassword = 0x00010303 + ((ID & 0x86ee00ec) ^ ((ID & 0x000000ec) << 8) ^ ((ID & 0x86000000) >> 16));
+ cmdp+=2;
+ break;
 default:
 PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 errors = true;
@@ -3090,6 +3103,27 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 goto out;
 }
+ // try calculated password
+ if (useCardPassword) {
+
+ PrintAndLogEx(INFO, "Testing %08"PRIX32, cardPassword);
+ for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) {
+
+ if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, cardPassword, dl_mode)) {
+ continue;
+ }
+
+ found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, cardPassword);
+ if (found) {
+ PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX32) " ]", cardPassword);
+ dl_mode = 4; // Exit other downlink mode checks
+ }
+
+ if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
+ dl_mode = 4;
+ }
+ }
+
 if (use_pwd_file) {
 uint32_t keycount = 0;
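Review bot: The `case 'e':` arm declares `EMID` and `ID` in the scope of the enclosing `switch`, so the `default:` label that follows jumps past both initializers; that is permitted for non-VLA objects in C11, but GCC reports it under `-Wjump-misses-init`, and braces around the arm, `case 'e': { ... break; }`, keep the two locals private to it. The arm also never checks that an ID argument was actually supplied: `param_get64ex(Cmd, cmdp + 1, 0, 16)` presumably returns its default of 0 when the parameter is absent, so `lf t55xx chk e` on its own silently tests the password derived from ID 0 instead of reporting the missing parameter, which the `param_getchar(...) == 0x00` test used in the `while` condition of the preceding hunk can detect. `param_get64ex(Cmd,cmdp + 1,0,16)` and `cmdp+=2;` also drop the spaces that `cmdp += 2;` three lines earlier uses. The switch and CmdT55xxChkPwds itself begin and end outside the hunk.
```c
case 'e': {
    // White cloner password based on EM4100 ID
    if (param_getchar(Cmd, cmdp + 1) == 0x00) {
        PrintAndLogEx(WARNING, "Option 'e' needs an EM4100 ID");
        errors = true;
        break;
    }
    useCardPassword = true;
    uint64_t EMID = param_get64ex(Cmd, cmdp + 1, 0, 16); // Get 5 byte EM4100 ID
    // … unchanged: low-32-bit mask and password formula …
    cmdp += 2;
    break;
}
```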
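Review bot: Both early exits in the new downlink loop are written as `dl_mode = 4;`, relying on the `dl_mode <= 3` bound to end the loop; `break;` states the intent without a magic number, and the second exit sits under an unbraced `if (!try_all_dl_modes)` while every other conditional in the hunk is braced. `if (found) { PrintAndLogEx(...); break; }` and `if (!try_all_dl_modes) { break; }` would execute exactly as the current code does. After the loop, control continues straight into `if (use_pwd_file)`; whether that path and the flash-dictionary path skip once `found` is set is decided outside the hunk, so if they do not, an `if (found) goto out;` after the block (the same exit the hunk's first context line uses) would stop the command from keying further candidates into a card whose password it already has. Unless code after the hunk reports it, there is also no message when the calculated password fails in every mode, so the user sees only the "Testing" line; a `PrintAndLogEx(INFO, ...)` after the loop would make the negative result explicit. CmdT55xxChkPwds starts and ends outside the hunk.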