mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2025-08-20 21:33:47 -07:00
new function CmdEM4x50BruteForce + hint for lsb notation regarding CmdEM450WritePassword
This commit is contained in:
tharexde
parent
688a2e741c
commit
55ba7c695d
1 changed files with 75 additions and 4 deletions
|
|
@ -37,8 +37,8 @@ static int usage_lf_em4x50_write(void) {
|
||||||
PrintAndLogEx(NORMAL, "Options:");
|
PrintAndLogEx(NORMAL, "Options:");
|
||||||
PrintAndLogEx(NORMAL, " h - this help");
|
PrintAndLogEx(NORMAL, " h - this help");
|
||||||
PrintAndLogEx(NORMAL, " a <addr> - memory address to write to (dec)");
|
PrintAndLogEx(NORMAL, " a <addr> - memory address to write to (dec)");
|
||||||
PrintAndLogEx(NORMAL, " w <word> - word to write (hex)");
|
PrintAndLogEx(NORMAL, " w <word> - word to write (hex, lsb notation)");
|
||||||
PrintAndLogEx(NORMAL, " p <pwd> - password (hex) (optional)");
|
PrintAndLogEx(NORMAL, " p <pwd> - password (hex, lsb notation) (optional)");
|
||||||
PrintAndLogEx(NORMAL, "Examples:");
|
PrintAndLogEx(NORMAL, "Examples:");
|
||||||
PrintAndLogEx(NORMAL, _YELLOW_(" lf em 4x50_write a 3 w deadc0de"));
|
PrintAndLogEx(NORMAL, _YELLOW_(" lf em 4x50_write a 3 w deadc0de"));
|
||||||
PrintAndLogEx(NORMAL, "");
|
PrintAndLogEx(NORMAL, "");
|
||||||
|
|
@ -50,8 +50,8 @@ static int usage_lf_em4x50_write_password(void) {
|
||||||
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write_password [h] [p <pwd>] [n <pwd>]");
|
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write_password [h] [p <pwd>] [n <pwd>]");
|
||||||
PrintAndLogEx(NORMAL, "Options:");
|
PrintAndLogEx(NORMAL, "Options:");
|
||||||
PrintAndLogEx(NORMAL, " h - this help");
|
PrintAndLogEx(NORMAL, " h - this help");
|
||||||
PrintAndLogEx(NORMAL, " p <pwd> - password (hex)");
|
PrintAndLogEx(NORMAL, " p <pwd> - password (hex, lsb notation)");
|
||||||
PrintAndLogEx(NORMAL, " n <pwd> - new password (hex)");
|
PrintAndLogEx(NORMAL, " n <pwd> - new password (hex, lsb notation)");
|
||||||
PrintAndLogEx(NORMAL, "Examples:");
|
PrintAndLogEx(NORMAL, "Examples:");
|
||||||
PrintAndLogEx(NORMAL, _YELLOW_(" lf em 4x50_write_password p 11223344 n 01020304"));
|
PrintAndLogEx(NORMAL, _YELLOW_(" lf em 4x50_write_password p 11223344 n 01020304"));
|
||||||
PrintAndLogEx(NORMAL, "");
|
PrintAndLogEx(NORMAL, "");
|
||||||
|
|
@ -97,6 +97,19 @@ static int usage_lf_em4x50_wipe(void) {
|
||||||
PrintAndLogEx(NORMAL, "");
|
PrintAndLogEx(NORMAL, "");
|
||||||
return PM3_SUCCESS;
|
return PM3_SUCCESS;
|
||||||
}
|
}
|
||||||
|
static int usage_lf_em4x50_bruteforce(void) {
|
||||||
|
PrintAndLogEx(NORMAL, "Guess password of EM4x50 tag. Tag must be on antenna. ");
|
||||||
|
PrintAndLogEx(NORMAL, "");
|
||||||
|
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_bruteforce [h] f <pwd> l <pwd>");
|
||||||
|
PrintAndLogEx(NORMAL, "Options:");
|
||||||
|
PrintAndLogEx(NORMAL, " h - this help");
|
||||||
|
PrintAndLogEx(NORMAL, " f <pwd> - start password (hex, lsb notation)");
|
||||||
|
PrintAndLogEx(NORMAL, " l <pwd> - stop password (hex, lsb notation)");
|
||||||
|
PrintAndLogEx(NORMAL, "Examples:");
|
||||||
|
PrintAndLogEx(NORMAL, _YELLOW_(" lf em 4x50_bruteforce f 11200000 l 11300000"));
|
||||||
|
PrintAndLogEx(NORMAL, "");
|
||||||
|
return PM3_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) {
|
static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) {
|
||||||
|
|
||||||
|
|
@ -740,3 +753,61 @@ int CmdEM4x50Wipe(const char *Cmd) {
|
||||||
|
|
||||||
return PM3_SUCCESS;
|
return PM3_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int CmdEM4x50BruteForce(const char *Cmd) {
|
||||||
|
|
||||||
|
bool startpwd = false, stoppwd = false, errors = false;
|
||||||
|
const int speed = 27; // 27 passwords/second (empirical value)
|
||||||
|
int no_iter = 0, dur_h = 0, dur_m = 0, dur_s = 0;
|
||||||
|
uint8_t cmdp = 0;
|
||||||
|
em4x50_data_t etd;
|
||||||
|
PacketResponseNG resp;
|
||||||
|
|
||||||
|
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
|
||||||
|
|
||||||
|
switch (tolower(param_getchar(Cmd, cmdp))) {
|
||||||
|
case 'h':
|
||||||
|
return usage_lf_em4x50_bruteforce();
|
||||||
|
case 'f':
|
||||||
|
etd.start_password = param_get32ex(Cmd, cmdp + 1, 0, 16);
|
||||||
|
startpwd = true;
|
||||||
|
cmdp += 2;
|
||||||
|
break;
|
||||||
|
case 'l':
|
||||||
|
etd.stop_password = param_get32ex(Cmd, cmdp + 1, 0, 16);
|
||||||
|
stoppwd = true;
|
||||||
|
cmdp += 2;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
|
||||||
|
errors = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (errors || !startpwd || !stoppwd)
|
||||||
|
return usage_lf_em4x50_bruteforce();
|
||||||
|
|
||||||
|
// print some information
|
||||||
|
no_iter = etd.stop_password - etd.start_password + 1;
|
||||||
|
dur_s = no_iter / speed;
|
||||||
|
dur_h = dur_s / 3600;
|
||||||
|
dur_m = (dur_s - dur_h * 3600) / 60;
|
||||||
|
dur_s -= dur_h * 3600 + dur_m * 60;
|
||||||
|
PrintAndLogEx(NORMAL, "\ntrying %i passwords in range [0x%08x, 0x%08x]",
|
||||||
|
no_iter, etd.start_password, etd.stop_password);
|
||||||
|
PrintAndLogEx(NORMAL, "estimated duration: %ih%im%is\n", dur_h, dur_m, dur_s);
|
||||||
|
|
||||||
|
// start
|
||||||
|
clearCommandBuffer();
|
||||||
|
SendCommandNG(CMD_LF_EM4X50_BRUTEFORCE, (uint8_t *)&etd, sizeof(etd));
|
||||||
|
WaitForResponse(CMD_ACK, &resp);
|
||||||
|
|
||||||
|
// print response
|
||||||
|
if ((bool)resp.status)
|
||||||
|
PrintAndLogEx(NORMAL, "\npassword " _GREEN_("found") ": 0x%08x\n", resp.data.asDwords[0]);
|
||||||
|
else
|
||||||
|
PrintAndLogEx(NORMAL, "\npassword: " _RED_("not found") "\n");
|
||||||
|
|
||||||
|
return PM3_SUCCESS;
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue