From 4f912abaf6c576e44acfc82be406e9531182894f Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 30 Jan 2020 17:05:59 +0100 Subject: [PATCH] Add 'lf_icehid' - new standalone mode for reading lf HID credentials and store it to RDV4 flashmem --- CHANGELOG.md | 2 + armsrc/Standalone/Makefile.hal | 8 +- armsrc/Standalone/Makefile.inc | 4 + armsrc/Standalone/lf_icehid.c | 126 ++++++++++++++++++ .../4_Advanced-compilation-parameters.md | 4 +- 5 files changed, 140 insertions(+), 4 deletions(-) create mode 100644 armsrc/Standalone/lf_icehid.c diff --git a/CHANGELOG.md b/CHANGELOG.md index 828538e8d..77aefb23b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added `LF_ICEHID` standalone mode which searches for lf HID credentials and store to RDV4 flashmem (@iceman1001) + - Added `HF_14ASNIFF` standalone mode with storing trace to RDV4 flashmem (@micolous) - Added `hf lto dump` - dump 8160 bytes of data from LTO cartridge memory and save to file (@Kevin-Nakamoto) - Change `data plot` - write serial port name in window title for plot / slider window (@iceman1001) - Added `hf lto wrbl` - write block support for LTO Cartridge memory (@Kevin-Nakamoto) diff --git a/armsrc/Standalone/Makefile.hal b/armsrc/Standalone/Makefile.hal index fb952179a..2dec4cfde 100644 --- a/armsrc/Standalone/Makefile.hal +++ b/armsrc/Standalone/Makefile.hal 
@@ -38,13 +38,15 @@ define KNOWN_STANDALONE_DEFINITIONS | HF_14ASNIFF | 14a sniff to flashmem | | (RDV4 only) | | +----------------------------------------------------------+ - +| LF_ICEHID | LF HID collector to flashmem | +| (RDV4 only) | | ++----------------------------------------------------------+ endef -STANDALONE_MODES := LF_SAMYRUN LF_ICERUN LF_PROXBRUTE LF_HIDBRUTE +STANDALONE_MODES := LF_SAMYRUN LF_ICERUN LF_PROXBRUTE LF_HIDBRUTE LF_ICEHID STANDALONE_MODES += HF_YOUNG HF_MATTYRUN HF_COLIN HF_BOG HF_14ASNIFF STANDALONE_MODES_REQ_SMARTCARD := -STANDALONE_MODES_REQ_FLASH := HF_COLIN HF_BOG HF_14ASNIFF +STANDALONE_MODES_REQ_FLASH := HF_COLIN HF_BOG HF_14ASNIFF LF_ICEHID ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES)),) STANDALONE_PLATFORM_DEFS += -DWITH_STANDALONE_$(STANDALONE) ifneq ($(filter $(STANDALONE),$(STANDALONE_MODES_REQ_SMARTCARD)),) diff --git a/armsrc/Standalone/Makefile.inc b/armsrc/Standalone/Makefile.inc index c7c5ff327..d4de0411e 100644 --- a/armsrc/Standalone/Makefile.inc +++ b/armsrc/Standalone/Makefile.inc @@ -37,3 +37,7 @@ endif ifneq (,$(findstring WITH_STANDALONE_HF_14ASNIFF,$(APP_CFLAGS))) SRC_STANDALONE = hf_14asniff.c endif +# WITH_STANDALONE_LF_ICEHID +ifneq (,$(findstring WITH_STANDALONE_LF_ICEHID,$(APP_CFLAGS))) + SRC_STANDALONE = lf_icehid.c +endif \ No newline at end of file diff --git a/armsrc/Standalone/lf_icehid.c b/armsrc/Standalone/lf_icehid.c new file mode 100644 index 000000000..c490d8d68 --- /dev/null +++ b/armsrc/Standalone/lf_icehid.c 
@@ -0,0 +1,126 @@
+//-----------------------------------------------------------------------------
+// Christian Herrmann, 2020
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// main code for HID collector aka IceHID by Iceman
+//-----------------------------------------------------------------------------
+#include "standalone.h" // standalone definitions
+#include "proxmark3_arm.h"
+#include "appmain.h"
+#include "lfops.h"
+#include "fpgaloader.h"
+#include "util.h"
+#include "dbprint.h"
+#include "printf.h"
+#include "spiffs.h"
+#include "ticks.h"
+
+/*
+ * `lf_hidcollect` sniffs after LF HID credentials, and stores them in internal
+ * flash. It requires RDV4 hardware (for flash and battery).
+ *
+ * On entering stand-alone mode, this module will start reading/record HID credentials.
+ * Every found / collected credential will be written/appended to the logfile in flash
+ * as a text string.
+ *
+ * LEDs:
+ * - LED A: reading / record
+ * - LED B: writing to flash
+ * - LED C: unmounting/sync'ing flash (normally < 100ms)
+ *
+ * To retrieve log file from flash:
+ *
+ * 1. mem spiffs dump o lf_hidcollect.log f lf_hidcollect.log
+ * Copies log file from flash to your PC.
+ *
+ * 2. exit the Proxmark3 client
+ *
+ * 3. more lf_hidcollect.log
+ *
+ * This module emits debug strings during normal operation -- so try it out in
+ * the lab connected to PM3 client before taking it into the field.
+ *
+ * To delete the log file from flash:
+ *
+ * 1. mem spiffs remove lf_hidcollect.log
+ */
+
+#define LF_HIDCOLLECT_LOGFILE "lf_hidcollect.log"
+
+void DownloadLogInstructions() {
+ Dbprintf("");
+ Dbprintf("[=] To get the logfile from flash and display it:");
+ Dbprintf("[=] " _YELLOW_("1.") "mem spiffs dump o "LF_HIDCOLLECT_LOGFILE" f "LF_HIDCOLLECT_LOGFILE);
+ Dbprintf("[=] " _YELLOW_("2.") "exit proxmark3 client");
+ Dbprintf("[=] " _YELLOW_("3.") "cat "LF_HIDCOLLECT_LOGFILE);
+}
+
+void ModInfo(void) {
+ DbpString(" LF HID collector mode - a.k.a IceHID (Iceman)");
+}
+
+void RunMod() {
+
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+ StandAloneMode();
+ Dbprintf("[=] LF HID collector a.k.a IceHID started");
+
+ rdv40_spiffs_lazy_mount();
+
+ bool log_exists = exists_in_spiffs(LF_HIDCOLLECT_LOGFILE);
+
+ // the main loop for your standalone mode
+ for (;;) {
+ WDT_HIT();
+
+ // exit from IceHID, send a usbcommand.
+ if (data_available()) break;
+
+ // Was our button held down or pressed?
+ int button_pressed = BUTTON_HELD(280);
+ if (button_pressed == BUTTON_HOLD)
+ break;
+
+ LED_A_ON();
+ // findone, high, low,
+ uint32_t hi = 0, lo = 0;
+ CmdHIDdemodFSK(1, &hi, &lo, 0);
+
+ LED_A_OFF();
+
+ //didn't collect any, loop
+ if (hi == 0 && lo == 0)
+ continue;
+
+ uint8_t entry[20];
+ memset(entry, 0, sizeof(entry));
+ sprintf((char *)entry, "%lx%08lx\n", hi, lo);
+
+ LED_B_ON();
+ if (!log_exists) {
+ rdv40_spiffs_write(LF_HIDCOLLECT_LOGFILE, entry, sizeof(entry), RDV40_SPIFFS_SAFETY_SAFE);
+ log_exists = true;
+ } else {
+ rdv40_spiffs_append(LF_HIDCOLLECT_LOGFILE, entry, sizeof(entry), RDV40_SPIFFS_SAFETY_SAFE);
+ }
+ LED_B_OFF();
+
+ SpinErr(LED_A, 250, 2);
+ }
+
+ LED_C_ON();
+ rdv40_spiffs_lazy_unmount();
+ LED_C_OFF();
+
+ SpinErr(LED_A, 200, 5);
+ SpinDelay(100);
+
+ LEDsoff();
+ SpinDelay(300);
+ DownloadLogInstructions();
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+}
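Review bot: In RunMod each record is written with `sizeof(entry)` (20 bytes) although sprintf fills at most 18 of them, so every credential appended to lf_hidcollect.log carries the zero padding left by the memset as embedded NUL bytes, which show up as junk between lines when the dumped file is viewed; pass the formatted length instead, e.g. `size_t len = strlen((char *)entry);` and use `len` in both the rdv40_spiffs_write and rdv40_spiffs_append calls. The format `"%lx%08lx\n"` is also given uint32_t arguments; it happens to line up on the 32-bit ARM target but trips -Wformat, so `"%" PRIx32 "%08" PRIx32 "\n"` (with `<inttypes.h>` added to the includes) would be the clean spelling. Neither spiffs call has its result checked, so a failed flash write drops the credential with no LED or Dbprintf indication — if those functions report failure (their return convention is not visible here), a Dbprintf on the error path would make field use debuggable. Minor: the instruction strings in DownloadLogInstructions lack a space after the yellow step number and print `1.mem spiffs dump …`, and `void DownloadLogInstructions()` / `void RunMod()` use the old empty-parameter form where `(void)` would match ModInfo.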
diff --git a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md index 3b0599de5..01b7d083a 100644 --- a/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md +++ b/doc/md/Use_of_Proxmark/4_Advanced-compilation-parameters.md @@ -73,13 +73,15 @@ Here are the supported values you can assign to `STANDALONE` in `Makefile.platfo |-----------------|----------------------------------------| | | No standalone mode | LF_SAMYRUN (def)| HID26 read/clone/sim - Samy Kamkar -| LF_ICERUN | standalone mode skeleton - iceman +| LF_ICERUN | standalone mode skeleton - Iceman | LF_PROXBRUTE | HID ProxII bruteforce - Brad Antoniewicz | LF_HIDBRUTE | HID corporate 1000 bruteforce - Federico dotta & Maurizio Agazzini | HF_YOUNG | Mifare sniff/simulation - Craig Young | HF_MATTYRUN | Mifare sniff/clone - Matías A. Ré Medina | HF_COLIN | Mifare ultra fast sniff/sim/clone - Colin Brigato | HF_BOG | 14a sniff with ULC/ULEV1/NTAG auth storing in flashmem - Bogito +| HF_14ASNIFF | 14a sniff storing to flashmem - Micolous +| LF_ICEHID | LF HID collector to flashmem - Iceman By default `STANDALONE=LF_SAMYRUN`.