Add 'lf_icehid' - new standalone mode for reading lf HID credentials and store it to RDV4 flashmem

2025-08-14 10:37:23 -07:00 · 2020-01-30 17:05:59 +01:00 · 2020-01-30 17:05:59 +01:00 · 4f912abaf6
commit 4f912abaf6
parent a612cc9414
5 changed files with 140 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

 ## [unreleased][unreleased]
+ - Added `LF_ICEHID` standalone mode which searches for lf HID credentials and store to RDV4 flashmem (@iceman1001)
+ - Added `HF_14ASNIFF` standalone mode with storing trace to RDV4 flashmem (@micolous)
 - Added `hf lto dump` - dump 8160 bytes of data from LTO cartridge memory and save to file (@Kevin-Nakamoto)
 - Change `data plot` - write serial port name in window title for plot / slider window (@iceman1001)
 - Added `hf lto wrbl` - write block support for LTO Cartridge memory (@Kevin-Nakamoto)
--- a/armsrc/Standalone/Makefile.hal
+++ b/armsrc/Standalone/Makefile.hal
@ -38,13 +38,15 @@ define KNOWN_STANDALONE_DEFINITIONS
 | HF_14ASNIFF     | 14a sniff to flashmem                  |
 | (RDV4 only)     |                                        |
 +----------------------------------------------------------+
-
+| LF_ICEHID       | LF HID collector to flashmem           |
+| (RDV4 only)     |                                        |
+----------------------------------------------------------+
 endef

-STANDALONE_MODES := LF_SAMYRUN LF_ICERUN LF_PROXBRUTE LF_HIDBRUTE
+STANDALONE_MODES := LF_SAMYRUN LF_ICERUN LF_PROXBRUTE LF_HIDBRUTE LF_ICEHID
 STANDALONE_MODES += HF_YOUNG HF_MATTYRUN HF_COLIN HF_BOG HF_14ASNIFF
 STANDALONE_MODES_REQ_SMARTCARD :=
-STANDALONE_MODES_REQ_FLASH := HF_COLIN HF_BOG HF_14ASNIFF
+STANDALONE_MODES_REQ_FLASH := HF_COLIN HF_BOG HF_14ASNIFF LF_ICEHID
 ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),)
    STANDALONE_PLATFORM_DEFS += -DWITH_STANDALONE_$(STANDALONE)
    ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES_REQ_SMARTCARD)),)
--- a/armsrc/Standalone/Makefile.inc
+++ b/armsrc/Standalone/Makefile.inc
@ -37,3 +37,7 @@ endif
 ifneq (,$(findstring WITH_STANDALONE_HF_14ASNIFF,$(APP_CFLAGS)))
    SRC_STANDALONE = hf_14asniff.c
 endif
+# WITH_STANDALONE_LF_ICEHID
+ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS)))
+    SRC_STANDALONE = lf_icehid.c
+endif
--- a/armsrc/Standalone/lf_icehid.c
+++ b/armsrc/Standalone/lf_icehid.c
@ -0,0 +1,126 @@
+//-----------------------------------------------------------------------------
+// Christian Herrmann, 2020
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// main code for HID collector aka IceHID by Iceman
+//-----------------------------------------------------------------------------
+#include "standalone.h" // standalone definitions
+#include "proxmark3_arm.h"
+#include "appmain.h"
+#include "lfops.h"
+#include "fpgaloader.h"
+#include "util.h"
+#include "dbprint.h"
+#include "printf.h"
+#include "spiffs.h"
+#include "ticks.h"
+
+/*
+ * `lf_hidcollect` sniffs after LF HID credentials, and stores them in internal
+ * flash. It requires RDV4 hardware (for flash and battery).
+ *
+ * On entering stand-alone mode, this module will start reading/record HID credentials.
+ * Every found / collected credential will be written/appended to the logfile in flash 
+ * as a text string. 
+ *
+ * LEDs:
+ * - LED A: reading / record
+ * - LED B: writing to flash
+ * - LED C: unmounting/sync'ing flash (normally < 100ms)
+ *
+ * To retrieve log file from flash:
+ *
+ * 1. mem spiffs dump o lf_hidcollect.log f lf_hidcollect.log
+ *    Copies log file from flash to your PC.
+ *
+ * 2. exit the Proxmark3 client
+ *
+ * 3. more lf_hidcollect.log
+ *
+ * This module emits debug strings during normal operation -- so try it out in
+ * the lab connected to PM3 client before taking it into the field.
+ *
+ * To delete the log file from flash: 
+ * 
+ * 1. mem spiffs remove lf_hidcollect.log
+ */
+
+#define LF_HIDCOLLECT_LOGFILE "lf_hidcollect.log"
+
+void DownloadLogInstructions() {
+    Dbprintf("");
+    Dbprintf("[=] To get the logfile from flash and display it:");
+    Dbprintf("[=] " _YELLOW_("1.") "mem spiffs dump o "LF_HIDCOLLECT_LOGFILE" f "LF_HIDCOLLECT_LOGFILE);
+    Dbprintf("[=] " _YELLOW_("2.") "exit proxmark3 client");
+    Dbprintf("[=] " _YELLOW_("3.") "cat "LF_HIDCOLLECT_LOGFILE);    
+}
+
+void ModInfo(void) {
+    DbpString("  LF HID collector mode -  a.k.a IceHID (Iceman)");
+}
+
+void RunMod() {
+
+    FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+    StandAloneMode();
+    Dbprintf("[=] LF HID collector a.k.a IceHID started");
+  
+    rdv40_spiffs_lazy_mount();
+    
+    bool log_exists = exists_in_spiffs(LF_HIDCOLLECT_LOGFILE);
+    
+    // the main loop for your standalone mode
+    for (;;) {
+        WDT_HIT();
+
+        // exit from IceHID, send a usbcommand.
+        if (data_available()) break;
+
+        // Was our button held down or pressed?
+        int button_pressed = BUTTON_HELD(280);
+        if (button_pressed == BUTTON_HOLD)
+            break;
+
+        LED_A_ON();    
+        // findone, high, low,
+        uint32_t hi = 0, lo = 0;
+        CmdHIDdemodFSK(1, &hi, &lo, 0);
+
+        LED_A_OFF();
+        
+        //didn't collect any, loop
+        if (hi == 0 && lo == 0)
+            continue;
+        
+        uint8_t entry[20];
+        memset(entry, 0, sizeof(entry));
+        sprintf((char *)entry, "%lx%08lx\n", hi, lo);
+
+        LED_B_ON();
+        if (!log_exists) {
+            rdv40_spiffs_write(LF_HIDCOLLECT_LOGFILE, entry, sizeof(entry), RDV40_SPIFFS_SAFETY_SAFE);
+            log_exists = true;
+        } else {
+            rdv40_spiffs_append(LF_HIDCOLLECT_LOGFILE, entry, sizeof(entry), RDV40_SPIFFS_SAFETY_SAFE);
+        }
+        LED_B_OFF();
+
+        SpinErr(LED_A, 250, 2);
+    }
+
+    LED_C_ON();
+    rdv40_spiffs_lazy_unmount();
+    LED_C_OFF();
+
+    SpinErr(LED_A, 200, 5);
+    SpinDelay(100);
+    
+    LEDsoff();
+    SpinDelay(300);  
+    DownloadLogInstructions();
+    
+    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+}
--- a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
+++ b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md
@ -73,13 +73,15 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo
 |-----------------|----------------------------------------|
 |                 | No standalone mode
 | LF_SAMYRUN (def)| HID26 read/clone/sim - Samy Kamkar
-| LF_ICERUN       | standalone mode skeleton - iceman
+| LF_ICERUN       | standalone mode skeleton - Iceman
 | LF_PROXBRUTE    | HID ProxII bruteforce - Brad Antoniewicz
 | LF_HIDBRUTE     | HID corporate 1000 bruteforce - Federico dotta & Maurizio Agazzini
 | HF_YOUNG        | Mifare sniff/simulation - Craig Young
 | HF_MATTYRUN     | Mifare sniff/clone - Matías A. Ré Medina
 | HF_COLIN        | Mifare ultra fast sniff/sim/clone - Colin Brigato
 | HF_BOG          | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito
+| HF_14ASNIFF     | 14a sniff storing to flashmem - Micolous
+| LF_ICEHID       | LF HID collector to flashmem - Iceman

 By default `STANDALONE=LF_SAMYRUN`.