github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 05:43:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

White Cloner Password

Browse source 
Based on the findings of paleopterix
This commit is contained in:
mwalker33 2020-09-26 13:19:35 +10:00
commit 131b587846
2 changed files with 36 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased] ## [unreleased][unreleased]
- Add lf t55xx chk e <EM4100> option. Checks calculated password based on the EM4100 id from some white cloners forumla by paleopterix (@mwalker33)
- Add lf t55xx sniff to allow extracting commands and passwords used be cloners. (@mwalker33) - Add lf t55xx sniff to allow extracting commands and passwords used be cloners. (@mwalker33)
- Add options to `lf read`, `lf cmdread`, `lf sniff` for repeated acquisitions (@doegox) - Add options to `lf read`, `lf cmdread`, `lf sniff` for repeated acquisitions (@doegox)
- Change options of `lf read` to match `lf cmdread`, this affects historical `d` and `s` options (@doegox) - Change options of `lf read` to match `lf cmdread`, this affects historical `d` and `s` options (@doegox)

36
client/src/cmdlft55xx.c
View file

@ -254,16 +254,18 @@ static int usage_t55xx_chk(void) {
PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command"); PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
PrintAndLogEx(NORMAL, _RED_("WARNING:") " this may brick non-password protected chips!"); PrintAndLogEx(NORMAL, _RED_("WARNING:") " this may brick non-password protected chips!");
PrintAndLogEx(NORMAL, "Try to reading block 7 before\n"); PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r <mode>] [f <*.dic>]"); PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r <mode>] [f <*.dic>] [e <em4100 id>]");
PrintAndLogEx(NORMAL, "Options:"); PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help"); PrintAndLogEx(NORMAL, " h - this help");
PrintAndLogEx(NORMAL, " m - use dictionary from flashmemory\n"); PrintAndLogEx(NORMAL, " m - use dictionary from flashmemory\n");
print_usage_t55xx_downloadlink(T55XX_DLMODE_ALL, T55XX_DLMODE_ALL); print_usage_t55xx_downloadlink(T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
PrintAndLogEx(NORMAL, " f <*.dic> - loads a default keys dictionary file <*.dic>"); PrintAndLogEx(NORMAL, " f <*.dic> - loads a default keys dictionary file <*.dic>");
PrintAndLogEx(NORMAL, " e <EM4100> - will try the calculated password from some cloners based on EM4100 ID");
PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk m")); PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk m"));
PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk f t55xx_default_pwds")); PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk f t55xx_default_pwds"));
PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk e aa11223344"));
PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "");
return PM3_SUCCESS; return PM3_SUCCESS;
} }
@ -3003,6 +3005,8 @@ static int CmdT55xxChkPwds(const char *Cmd) {
int dl_mode; // to try each downlink mode for each password int dl_mode; // to try each downlink mode for each password
uint8_t cmdp = 0; uint8_t cmdp = 0;
bool errors = false; bool errors = false;
bool useCardPassword = false;
uint32_t cardPassword = 0x00000000;
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) { switch (tolower(param_getchar(Cmd, cmdp))) {
@ -3028,6 +3032,15 @@ static int CmdT55xxChkPwds(const char *Cmd) {
use_pwd_file = true; use_pwd_file = true;
cmdp += 2; cmdp += 2;
break; break;
case 'e':
// White cloner password based on EM4100 ID
useCardPassword = true;
uint64_t EMID = param_get64ex(Cmd,cmdp + 1,0,16); // Get 5 byte EM4100 ID
uint32_t ID = EMID & 0xFFFFFFFF; // White Cloner only using low 32 bits
// Final formula found by paleopterix (proxmark forum)
cardPassword = 0x00010303 + ((ID & 0x86ee00ec) ^ ((ID & 0x000000ec) << 8) ^ ((ID & 0x86000000) >> 16));
cmdp+=2;
break;
default: default:
PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp)); PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true; errors = true;
@ -3090,6 +3103,27 @@ static int CmdT55xxChkPwds(const char *Cmd) {
goto out; goto out;
} }
// try calculated password
if (useCardPassword) {
PrintAndLogEx(INFO, "Testing %08"PRIX32, cardPassword);
for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) {
if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, cardPassword, dl_mode)) {
continue;
}
found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, cardPassword);
if (found) {
PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX32) " ]", cardPassword);
dl_mode = 4; // Exit other downlink mode checks
}
if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
dl_mode = 4;
}
}
if (use_pwd_file) { if (use_pwd_file) {
uint32_t keycount = 0; uint32_t keycount = 0;