diff --git a/armsrc/Makefile b/armsrc/Makefile index 5024aa1de..5203b0292 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -77,7 +77,7 @@ else endif ifneq (,$(findstring WITH_EM4x50,$(APP_CFLAGS))) - SRC_EM4x50 = em4x50.c + SRC_EM4x50 = em4x50.c bruteforce.c else SRC_EM4x50 = endif diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 86d44cd9a..d43a6a15f 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -27,6 +27,7 @@ #include "BigBuf.h" #include "spiffs.h" #include "appmain.h" // tear +#include "bruteforce.h" // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK) // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz @@ -632,12 +633,21 @@ static int login(uint32_t password) { return PM3_EFAILED; } -// searching for password in given range -static bool brute(uint32_t start, uint32_t stop, uint32_t *pwd) { +// searching for password using chosen bruteforce algorithm +static bool brute(em4x50_data_t *etd, uint32_t *pwd) { + + generator_context_t ctx; bool pwd_found = false; + int generator_ret = 0; int cnt = 0; - for (*pwd = start; *pwd <= stop; (*pwd)++) { + bf_generator_init(&ctx, etd->bruteforce_mode); + + if (etd->bruteforce_mode == BRUTEFORCE_MODE_CHARSET) + bf_generator_set_charset(&ctx, etd->bruteforce_charset); + + while ((generator_ret = bf_generate32(&ctx)) == GENERATOR_NEXT) { + *pwd = ctx.current_key32; WDT_HIT(); @@ -702,7 +712,7 @@ void em4x50_login(uint32_t *password, bool ledcontrol) { reply_ng(CMD_LF_EM4X50_LOGIN, status, NULL, 0); } -// envoke password search +// invoke password search void em4x50_brute(em4x50_data_t *etd, bool ledcontrol) { em4x50_setup_read(); @@ -714,7 +724,7 @@ void em4x50_brute(em4x50_data_t *etd, bool ledcontrol) { LED_C_OFF(); LED_D_ON(); } - bsuccess = brute(etd->password1, etd->password2, &pwd); + bsuccess = brute(etd, &pwd); } if (ledcontrol) LEDsoff(); diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 9b5bac06b..017f1c121 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -19,6 +19,7 @@ #include "cliparser.h" #include "cmdlfem4x50.h" #include +#include #include "cmdparser.h" // command_t #include "util_posix.h" // msclock #include "fileutils.h" @@ -349,54 +350,114 @@ int CmdEM4x50Brute(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "lf em 4x50 brute", "Tries to bruteforce the password of a EM4x50 card.\n" - "Function can be stopped by pressing pm3 button.", - "lf em 4x50 brute --first 12330000 --last 12340000 -> tries pwds from 0x12330000 to 0x1234000000\n" + "Function can be stopped by pressing pm3 button.\n", + + "lf em 4x50 brute --mode range --begin 12330000 --end 12340000 -> tries pwds from 0x12330000 to 0x12340000\n" + "lf em 4x50 brute --mode charset --digits --uppercase -> tries all combinations of ASCII codes for digits and uppercase letters\n" ); void *argtable[] = { arg_param_begin, - arg_str1(NULL, "first", "", "first password (start), 4 bytes, lsb"), - arg_str1(NULL, "last", "", "last password (stop), 4 bytes, lsb"), + arg_str1(NULL, "mode", "", "Bruteforce mode (range|charset)"), + arg_str0(NULL, "begin", "", "Range mode - start of the key range"), + arg_str0(NULL, "end", "", "Range mode - end of the key range"), + arg_lit0(NULL, "digits", "Charset mode - include ASCII codes for digits"), + arg_lit0(NULL, "uppercase", "Charset mode - include ASCII codes for uppercase letters"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, true); - int first_len = 0; - uint8_t first[4] = {0, 0, 0, 0}; - CLIGetHexWithReturn(ctx, 1, first, &first_len); - int last_len = 0; - uint8_t last[4] = {0, 0, 0, 0}; - CLIGetHexWithReturn(ctx, 2, last, &last_len); - CLIParserFree(ctx); - - if (first_len != 4) { - PrintAndLogEx(FAILED, "password length must be 4 bytes"); - return PM3_EINVARG; - } - if (last_len != 4) { - PrintAndLogEx(FAILED, "password length must be 4 bytes"); - return PM3_EINVARG; - } em4x50_data_t etd; - etd.password1 = BYTES2UINT32_BE(first); - etd.password2 = BYTES2UINT32_BE(last); + memset(&etd, 0, sizeof(etd)); + + int mode_len = 64; + char mode[64]; + CLIGetStrWithReturn(ctx, 1, (uint8_t *) mode, &mode_len); + PrintAndLogEx(INFO, "Chosen mode: %s", mode); + + if (strcmp(mode, "range") == 0) { + etd.bruteforce_mode = BRUTEFORCE_MODE_RANGE; + } else if (strcmp(mode, "charset") == 0) { + etd.bruteforce_mode = BRUTEFORCE_MODE_CHARSET; + } else { + PrintAndLogEx(FAILED, "Unknown bruteforce mode: %s", mode); + return PM3_EINVARG; + } + + if (etd.bruteforce_mode == BRUTEFORCE_MODE_RANGE) { + int begin_len = 0; + uint8_t begin[4] = {0x0}; + CLIGetHexWithReturn(ctx, 2, begin, &begin_len); + + int end_len = 0; + uint8_t end[4] = {0x0}; + CLIGetHexWithReturn(ctx, 3, end, &end_len); + + if (begin_len != 4) { + PrintAndLogEx(FAILED, "'begin' parameter must be 4 bytes"); + return PM3_EINVARG; + } + + if (end_len != 4) { + PrintAndLogEx(FAILED, "'end' parameter must be 4 bytes"); + return PM3_EINVARG; + } + + etd.password1 = BYTES2UINT32_BE(begin); + etd.password2 = BYTES2UINT32_BE(end); + } else if (etd.bruteforce_mode == BRUTEFORCE_MODE_CHARSET) { + bool enable_digits = arg_get_lit(ctx, 4); + bool enable_uppercase = arg_get_lit(ctx, 5); + + if (enable_digits) + etd.bruteforce_charset |= CHARSET_DIGITS; + if (enable_uppercase) + etd.bruteforce_charset |= CHARSET_UPPERCASE; + + if (etd.bruteforce_charset == 0) { + PrintAndLogEx(FAILED, "Please enable at least one charset when using charset bruteforce mode."); + return PM3_EINVARG; + } + + PrintAndLogEx(INFO, "Enabled charsets: %s%s", + enable_digits ? "digits " : "", + enable_uppercase ? "uppercase " : ""); + + } + + CLIParserFree(ctx); // 27 passwords/second (empirical value) const int speed = 27; + int no_iter = 0; + + if (etd.bruteforce_mode == BRUTEFORCE_MODE_RANGE) { + no_iter = etd.password2 - etd.password1 + 1; + PrintAndLogEx(INFO, "Trying " _YELLOW_("%i") " passwords in range [0x%08x, 0x%08x]" + , no_iter + , etd.password1 + , etd.password2 + ); + } else if (etd.bruteforce_mode == BRUTEFORCE_MODE_CHARSET) { + unsigned int digits = 0; + + if (etd.bruteforce_charset & CHARSET_DIGITS) + digits += CHARSET_DIGITS_SIZE; + + if (etd.bruteforce_charset & CHARSET_UPPERCASE) + digits += CHARSET_UPPERCASE_SIZE; + + no_iter = pow(digits, 4); + } // print some information - int no_iter = etd.password2 - etd.password1 + 1; int dur_s = no_iter / speed; int dur_h = dur_s / 3600; int dur_m = (dur_s - dur_h * 3600) / 60; dur_s -= dur_h * 3600 + dur_m * 60; - PrintAndLogEx(INFO, "Trying " _YELLOW_("%i") " passwords in range [0x%08x, 0x%08x]" - , no_iter - , etd.password1 - , etd.password2 - ); + PrintAndLogEx(INFO, "Estimated duration: %ih %im %is", dur_h, dur_m, dur_s); // start @@ -1190,7 +1251,7 @@ int CmdEM4x50Sim(const char *Cmd) { static command_t CommandTable[] = { {"help", CmdHelp, AlwaysAvailable, "This help"}, {"-----------", CmdHelp, AlwaysAvailable, "--------------------- " _CYAN_("operations") " ---------------------"}, - {"brute", CmdEM4x50Brute, IfPm3EM4x50, "Simple bruteforce attack to find password"}, + {"brute", CmdEM4x50Brute, IfPm3EM4x50, "Bruteforce attack to find password"}, {"chk", CmdEM4x50Chk, IfPm3EM4x50, "Check passwords from dictionary"}, {"dump", CmdEM4x50Dump, IfPm3EM4x50, "Dump EM4x50 tag"}, {"info", CmdEM4x50Info, IfPm3EM4x50, "Tag information"}, diff --git a/common/bruteforce.c b/common/bruteforce.c new file mode 100644 index 000000000..891796690 --- /dev/null +++ b/common/bruteforce.c @@ -0,0 +1,129 @@ +//----------------------------------------------------------------------------- +// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// See LICENSE.txt for the text of the license. +//----------------------------------------------------------------------------- + +#include "bruteforce.h" +#include +#include + +uint8_t charset_digits[] = { + '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', +}; + +uint8_t charset_uppercase[] = { + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', + 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'W', + 'X', 'Y', 'Z' +}; + +void bf_generator_init(generator_context_t *ctx, uint8_t mode) { + memset(ctx, 0, sizeof(generator_context_t)); + ctx->mode = mode; +} + +int bf_generator_set_charset(generator_context_t *ctx, uint8_t charsets) { + if (ctx->mode != BRUTEFORCE_MODE_CHARSET) { + return -1; + } + + if (charsets & CHARSET_DIGITS) { + memcpy(ctx->charset, charset_digits, sizeof(charset_digits)); + ctx->charset_length += sizeof(charset_digits); + } + + if (charsets & CHARSET_UPPERCASE) { + memcpy(ctx->charset + ctx->charset_length, charset_uppercase, sizeof(charset_uppercase)); + ctx->charset_length += sizeof(charset_uppercase); + } + + return 0; +} + +int bf_generate32(generator_context_t *ctx) { + + switch (ctx->mode) { + case BRUTEFORCE_MODE_RANGE: + return _bf_generate_mode_range32(ctx); + case BRUTEFORCE_MODE_CHARSET: + return _bf_generate_mode_charset32(ctx); + } + + return GENERATOR_ERROR; +} + +int _bf_generate_mode_range32(generator_context_t *ctx) { + + if (ctx->current_key32 >= ctx->range_high) { + return GENERATOR_END; + } + + // we use flag1 as indicator if value of range_low was already emitted + // so the range generated is + if (ctx->current_key32 <= ctx->range_low && ctx->flag1 == false) { + ctx->current_key32 = ctx->range_low; + ctx->pos[0] = true; + return GENERATOR_NEXT; + } + + ctx->current_key32++; + return GENERATOR_NEXT; +} + +int _bf_generate_mode_charset32(generator_context_t *ctx) { + + if (ctx->flag1) + return GENERATOR_END; + + ctx->current_key32 = ctx->charset[ctx->pos[0]] << 24 | ctx->charset[ctx->pos[1]] << 16 | + ctx->charset[ctx->pos[2]] << 8 | ctx->charset[ctx->pos[3]]; + + + if (bf_array_increment(ctx->pos, 4, ctx->charset_length) == -1) + // set flag1 to emit value last time and end generation + ctx->flag1 = true; + + return GENERATOR_NEXT; +} + +// increments values in array with carryover using modulo limit for each byte +// this is used to iterate each byte in key over charset table +// returns -1 if incrementing reaches its end +int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo) { + + uint8_t prev_value; + + // check if we reached max value already + uint8_t i; + for (i = 0; i < data_len; i++) + if (data[i] < modulo - 1) + break; + + if (i == data_len) + return -1; + + for (uint8_t pos = data_len - 1;; pos--) { + prev_value = ++data[pos]; + data[pos] = data[pos] % modulo; + if (prev_value == data[pos]) + return 0; + else if (pos == 0) { + // we cannot carryover to next byte + // with the max value check in place before, we should not reach this place + return -1; + } + } + + return 0; +} diff --git a/common/bruteforce.h b/common/bruteforce.h new file mode 100644 index 000000000..91e01172d --- /dev/null +++ b/common/bruteforce.h @@ -0,0 +1,79 @@ +//----------------------------------------------------------------------------- +// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// See LICENSE.txt for the text of the license. +//----------------------------------------------------------------------------- +// functions for bruteforcing card keys - key generators +//----------------------------------------------------------------------------- + +#ifndef BRUTEFORCE_H__ +#define BRUTEFORCE_H__ + +#include "common.h" + +typedef uint8_t bruteforce_mode_t; +// bruteforcing all keys sequentially between X and Y +#define BRUTEFORCE_MODE_RANGE 1 + +// try keys based on limited charset/passphrases +// some payment systems use user-provided passphrase as system key +#define BRUTEFORCE_MODE_CHARSET 2 + +// "smart" mode - try some predictable patterns +#define BRUTEFORCE_MODE_SMART 3 + + +typedef uint8_t bruteforce_charset_t; +// bit flags - can be used together using logical OR +#define CHARSET_DIGITS 1 +#define CHARSET_UPPERCASE 2 + +#define GENERATOR_END 0 +#define GENERATOR_NEXT 1 +#define GENERATOR_ERROR 2 + +#define CHARSET_DIGITS_SIZE 10 +#define CHARSET_UPPERCASE_SIZE 25 + +extern uint8_t charset_digits[]; +extern uint8_t charset_uppercase[]; + +// structure to hold key generator temporary data +typedef struct { + // position of each of 4 bytes in 32 bit key in charset mode + // add more bytes to support larger keys + // pos[0] is most significant byte - all maths avoid relying on little/big endian memory layout + uint8_t pos[4]; + uint32_t current_key32; + uint8_t mode; + uint8_t charset[ + CHARSET_DIGITS_SIZE + + CHARSET_UPPERCASE_SIZE + ]; + uint8_t charset_length; + + uint32_t range_low; + uint32_t range_high; + // flags to use internally by generators as they wish + bool flag1, flag2, flag3; + +} generator_context_t; + +void bf_generator_init(generator_context_t *ctx, uint8_t mode); +int bf_generator_set_charset(generator_context_t *ctx, uint8_t charsets); +int bf_generate32(generator_context_t *ctx); +int _bf_generate_mode_range32(generator_context_t *ctx); +int _bf_generate_mode_charset32(generator_context_t *ctx); +int _bf_generate_mode_smart32(generator_context_t *ctx); +int bf_array_increment(uint8_t *data, uint8_t data_len, uint8_t modulo); +#endif // BRUTEFORCE_H__ diff --git a/include/em4x50.h b/include/em4x50.h index bed01901c..9bf1ffc24 100644 --- a/include/em4x50.h +++ b/include/em4x50.h @@ -20,6 +20,7 @@ #define EM4X50_H__ #include "common.h" +#include "bruteforce.h" #define EM4X50_NO_WORDS 34 @@ -62,6 +63,8 @@ typedef struct { uint32_t password2; uint32_t word; uint32_t addresses; + bruteforce_mode_t bruteforce_mode; + bruteforce_charset_t bruteforce_charset; } PACKED em4x50_data_t; typedef struct {