github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-19 13:00:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

lf hid clone - prepped for EM. Disabled it for viking / hid clone until further testing

Browse source
This commit is contained in:
iceman1001 2020-11-30 21:06:37 +01:00
commit 1bccb77654
7 changed files with 70 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

2
armsrc/Standalone/lf_hidbrute.c
View file

@ -95,7 +95,7 @@ void RunMod(void) {
WAIT_BUTTON_RELEASED(); WAIT_BUTTON_RELEASED();
CopyHIDtoT55x7(0, high[selected], low[selected], 0); CopyHIDtoT55x7(0, high[selected], low[selected], 0, false, false);
Dbprintf("[=] cloned %x %x %08x", selected, high[selected], low[selected]); Dbprintf("[=] cloned %x %x %08x", selected, high[selected], low[selected]);
LEDsoff(); LEDsoff();

2
armsrc/Standalone/lf_samyrun.c
View file

@ -121,7 +121,7 @@ void RunMod(void) {
Dbprintf("[=] cloning %x | %x%08x", selected, high[selected], low[selected]); Dbprintf("[=] cloning %x | %x%08x", selected, high[selected], low[selected]);
// high2, high, low, no longFMT // high2, high, low, no longFMT
CopyHIDtoT55x7(0, high[selected], low[selected], 0); CopyHIDtoT55x7(0, high[selected], low[selected], 0, false, false);
DbpString("[=] cloned done"); DbpString("[=] cloned done");

2
armsrc/appmain.c
View file

@ -874,7 +874,7 @@ static void PacketReceived(PacketCommandNG *packet) {
} }
case CMD_LF_HID_CLONE: { case CMD_LF_HID_CLONE: {
lf_hidsim_t *payload = (lf_hidsim_t *)packet->data.asBytes; lf_hidsim_t *payload = (lf_hidsim_t *)packet->data.asBytes;
CopyHIDtoT55x7(payload->hi2, payload->hi, payload->lo, payload->longFMT); CopyHIDtoT55x7(payload->hi2, payload->hi, payload->lo, payload->longFMT, payload->Q5, payload->EM);
break; break;
} }
case CMD_LF_IO_WATCH: { case CMD_LF_IO_WATCH: {

34
armsrc/lfops.c
View file

@ -2190,10 +2190,8 @@ void T55xxWakeUp(uint32_t pwd, uint8_t flags) {
reply_ng(CMD_LF_T55XX_WAKEUP, PM3_SUCCESS, NULL, 0); reply_ng(CMD_LF_T55XX_WAKEUP, PM3_SUCCESS, NULL, 0);
} }
/*-------------- Cloning routines -----------*/ /*-------------- Cloning routines -----------*/
static void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) { static void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
t55xx_write_block_t cmd; t55xx_write_block_t cmd;
cmd.pwd = 0; cmd.pwd = 0;
cmd.flags = 0; cmd.flags = 0;
@ -2203,11 +2201,18 @@ static void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblock
cmd.blockno = i - 1; cmd.blockno = i - 1;
T55xxWriteBlock((uint8_t *)&cmd); T55xxWriteBlock((uint8_t *)&cmd);
} }
} }
/* disabled until verified.
static void WriteEM4x05(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
for (uint8_t i = numblocks + startblock; i > startblock; i--) {
EM4xWriteWord(i - 1, blockdata[i - 1], 0, false);
}
}
*/
// Copy HID id to card and setup block 0 config // Copy HID id to card and setup block 0 config
void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) { void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool q5, bool em) {
uint32_t data[] = {0, 0, 0, 0, 0, 0, 0}; uint32_t data[] = {0, 0, 0, 0, 0, 0, 0};
uint8_t last_block = 0; uint8_t last_block = 0;
@ -2244,11 +2249,21 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT; data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
//TODO add selection of chip for Q5 or T55x7 //TODO add selection of chip for Q5 or T55x7
// data[0] = T5555_SET_BITRATE(50) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT; if (q5) {
data[0] = T5555_SET_BITRATE(50) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
} else if (em) {
data[0] = (EM4x05_SET_BITRATE(50) | EM4x05_MODULATION_FSK2 | EM4x05_INVERT | EM4x05_SET_NUM_BLOCKS(last_block));
}
LED_D_ON(); LED_D_ON();
WriteT55xx(data, 0, last_block + 1); if (em) {
Dbprintf("Clone HID Prox to EM4x05 is untested and disabled until verified");
//WriteEM4x05(data, 0, last_block + 1);
} else {
WriteT55xx(data, 0, last_block + 1);
}
LED_D_OFF(); LED_D_OFF();
reply_ng(CMD_LF_HID_CLONE, PM3_SUCCESS, NULL, 0);
} }
// clone viking tag to T55xx // clone viking tag to T55xx
@ -2265,7 +2280,12 @@ void CopyVikingtoT55xx(uint8_t *blocks, bool q5, bool em) {
data[2] = bytes_to_num(blocks + 4, 4); data[2] = bytes_to_num(blocks + 4, 4);
// Program the data blocks for supplied ID and the block 0 config // Program the data blocks for supplied ID and the block 0 config
WriteT55xx(data, 0, 3); if (em) {
Dbprintf("Clone Viking to EM4x05 is untested and disabled until verified");
//WriteEM4x05(data, 0, 3);
} else {
WriteT55xx(data, 0, 3);
}
LED_D_OFF(); LED_D_OFF();
reply_ng(CMD_LF_VIKING_CLONE, PM3_SUCCESS, NULL, 0); reply_ng(CMD_LF_VIKING_CLONE, PM3_SUCCESS, NULL, 0);
} }

3
armsrc/lfops.h
View file

@ -39,8 +39,7 @@ int lf_awid_watch(int findone, uint32_t *high, uint32_t *low); // Realtime demod
int lf_em410x_watch(int findone, uint32_t *high, uint64_t *low); int lf_em410x_watch(int findone, uint32_t *high, uint64_t *low);
int lf_io_watch(int findone, uint32_t *high, uint32_t *low); int lf_io_watch(int findone, uint32_t *high, uint32_t *low);
void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool q5, bool em); // Clone an HID card to T5557/T5567
void CopyVikingtoT55xx(uint8_t *blocks, bool q5, bool em); void CopyVikingtoT55xx(uint8_t *blocks, bool q5, bool em);
int copy_em410x_to_t55xx(uint8_t card, uint8_t clock, uint32_t id_hi, uint32_t id_lo); int copy_em410x_to_t55xx(uint8_t card, uint8_t clock, uint32_t id_hi, uint32_t id_lo);

43
client/src/cmdlfhid.c
View file

@ -167,7 +167,7 @@ static int CmdHIDDemod(const char *Cmd) {
} }
// this read is the "normal" read, which download lf signal and tries to demod here. // this read is the "normal" read, which download lf signal and tries to demod here.
static int CmdHIDRead(const char *Cmd) { static int CmdHIDReader(const char *Cmd) {
CLIParserContext *ctx; CLIParserContext *ctx;
CLIParserInit(&ctx, "lf hid reader", CLIParserInit(&ctx, "lf hid reader",
"read a HID Prox tag", "read a HID Prox tag",
@ -318,6 +318,8 @@ static int CmdHIDClone(const char *Cmd) {
"lf hid clone -r 01f0760643c3 -> HID P10001 40 bit\n" "lf hid clone -r 01f0760643c3 -> HID P10001 40 bit\n"
"lf hid clone -r 01400076000c86 -> HID Corporate 48 bit\n" "lf hid clone -r 01400076000c86 -> HID Corporate 48 bit\n"
"lf hid clone -w H10301 --fc 118 --cn 1603 -> HID 10301 26 bit\n" "lf hid clone -w H10301 --fc 118 --cn 1603 -> HID 10301 26 bit\n"
"lf hid clone -w H10301 --fc 118 --cn 1603 --q5 -> HID 10301 26 bit, encode for Q5/T5555 tag\n"
"lf hid clone -w H10301 --fc 118 --cn 1603 --em -> HID 10301 26 bit, encode for EM4305/4469"
); );
@ -329,7 +331,8 @@ static int CmdHIDClone(const char *Cmd) {
arg_int0("i", NULL, "<dec>", "issue level"), arg_int0("i", NULL, "<dec>", "issue level"),
arg_int0("o", "oem", "<dec>", "OEM code"), arg_int0("o", "oem", "<dec>", "OEM code"),
arg_strx0("r", "raw", "<hex>", "raw bytes"), arg_strx0("r", "raw", "<hex>", "raw bytes"),
// arg_lit0("q", "Q5", "optional - specify writing to Q5/T5555 tag"), arg_lit0(NULL, "q5", "optional - specify writing to Q5/T5555 tag"),
arg_lit0(NULL, "em", "optional - specify writing to EM4305/4469 tag"),
arg_param_end arg_param_end
}; };
CLIExecWithReturn(ctx, Cmd, argtable, false); CLIExecWithReturn(ctx, Cmd, argtable, false);
@ -349,9 +352,15 @@ static int CmdHIDClone(const char *Cmd) {
char raw[40] = {0}; char raw[40] = {0};
CLIParamStrToBuf(arg_get_str(ctx, 6), (uint8_t *)raw, sizeof(raw), &raw_len); CLIParamStrToBuf(arg_get_str(ctx, 6), (uint8_t *)raw, sizeof(raw), &raw_len);
//bool q5 = arg_get_lit(ctx, 7); bool q5 = arg_get_lit(ctx, 7);
bool em = arg_get_lit(ctx, 8);
CLIParserFree(ctx); CLIParserFree(ctx);
if (q5 && em) {
PrintAndLogEx(FAILED, "Can't specify both Q5 and EM4305 at the same time");
return PM3_EINVARG;
}
wiegand_message_t packed; wiegand_message_t packed;
memset(&packed, 0, sizeof(wiegand_message_t)); memset(&packed, 0, sizeof(wiegand_message_t));
@ -375,6 +384,17 @@ static int CmdHIDClone(const char *Cmd) {
} }
} }
char cardtype[16] = {"T55x7"};
// Q5
if (q5) {
snprintf(cardtype, sizeof(cardtype), "Q5/T5555");
}
// EM4305
if (em) {
snprintf(cardtype, sizeof(cardtype), "EM4305/4469");
}
if (raw_len == 0) { if (raw_len == 0) {
PrintAndLogEx(INFO, "Preparing to clone HID tag"); PrintAndLogEx(INFO, "Preparing to clone HID tag");
HIDTryUnpack(&packed, false); HIDTryUnpack(&packed, false);
@ -387,11 +407,22 @@ static int CmdHIDClone(const char *Cmd) {
payload.hi = packed.Mid; payload.hi = packed.Mid;
payload.lo = packed.Bot; payload.lo = packed.Bot;
payload.longFMT = (packed.Mid > 0xFFF); payload.longFMT = (packed.Mid > 0xFFF);
payload.Q5 = q5;
payload.EM = em;
clearCommandBuffer(); clearCommandBuffer();
SendCommandNG(CMD_LF_HID_CLONE, (uint8_t *)&payload, sizeof(payload)); SendCommandNG(CMD_LF_HID_CLONE, (uint8_t *)&payload, sizeof(payload));
PrintAndLogEx(SUCCESS, "Done");
PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf hid read`") " to verify"); PacketResponseNG resp;
WaitForResponse(CMD_LF_HID_CLONE, &resp);
if (resp.status == PM3_SUCCESS) {
PrintAndLogEx(INFO, "Done");
} else {
PrintAndLogEx(FAILED, "Failed cloning");
return resp.status;
}
PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf hid reader`") " to verify");
return PM3_SUCCESS; return PM3_SUCCESS;
} }
@ -561,7 +592,7 @@ static int CmdHIDBrute(const char *Cmd) {
static command_t CommandTable[] = { static command_t CommandTable[] = {
{"help", CmdHelp, AlwaysAvailable, "this help"}, {"help", CmdHelp, AlwaysAvailable, "this help"},
{"demod", CmdHIDDemod, AlwaysAvailable, "demodulate HID Prox tag from the GraphBuffer"}, {"demod", CmdHIDDemod, AlwaysAvailable, "demodulate HID Prox tag from the GraphBuffer"},
{"read", CmdHIDRead, IfPm3Lf, "attempt to read and extract tag data"}, {"reader", CmdHIDReader, IfPm3Lf, "attempt to read and extract tag data"},
{"clone", CmdHIDClone, IfPm3Lf, "clone HID tag to T55x7"}, {"clone", CmdHIDClone, IfPm3Lf, "clone HID tag to T55x7"},
{"sim", CmdHIDSim, IfPm3Lf, "simulate HID tag"}, {"sim", CmdHIDSim, IfPm3Lf, "simulate HID tag"},
{"brute", CmdHIDBrute, IfPm3Lf, "bruteforce card number against reader"}, {"brute", CmdHIDBrute, IfPm3Lf, "bruteforce card number against reader"},

2
include/pm3_cmd.h
View file

@ -238,6 +238,8 @@ typedef struct {
uint32_t hi; uint32_t hi;
uint32_t lo; uint32_t lo;
uint8_t longFMT; uint8_t longFMT;
bool Q5;
bool EM;
} PACKED lf_hidsim_t; } PACKED lf_hidsim_t;
// For CMD_LF_FSK_SIMULATE (FSK) // For CMD_LF_FSK_SIMULATE (FSK)