From 59e66ce5fd74b61c79fd9a429cc3955744717318 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Sun, 15 Sep 2019 01:17:47 +0200
Subject: [PATCH] lf hid sim: add support for long ID
---
 armsrc/Standalone/lf_hidbrute.c | 6 +-
 armsrc/Standalone/lf_proxbrute.c | 2 +-
 armsrc/Standalone/lf_samyrun.c | 2 +-
 armsrc/appmain.c | 3 +-
 armsrc/lfops.c | 109 ++++++++++++++++++++++---------
 armsrc/lfops.h | 4 +-
 client/cmdlfhid.c | 31 +++++++--
 include/pm3_cmd.h | 8 +++
 8 files changed, 120 insertions(+), 45 deletions(-)
diff --git a/armsrc/Standalone/lf_hidbrute.c b/armsrc/Standalone/lf_hidbrute.c
index 625459238..48efcf119 100644
--- a/armsrc/Standalone/lf_hidbrute.c
+++ b/armsrc/Standalone/lf_hidbrute.c
@@ -128,7 +128,7 @@ void RunMod() {
 WAIT_BUTTON_RELEASED();
 Dbprintf("[=] %x %x %08x", selected, high[selected], low[selected]);
- CmdHIDsimTAG(high[selected], low[selected], 0);
+ CmdHIDsimTAG(0, high[selected], low[selected], 0, 0);
 DbpString("[=] done playing");
 if (BUTTON_HELD(1000) > 0)
@@ -188,7 +188,7 @@ void RunMod() {
 // Print actual code to brute
 Dbprintf("[=] TAG ID: %x%08x (%d) - FC: %u - Card: %u", high[selected], low[selected], (low[selected] >> 1) & 0xFFFF, fc, cardnum);
- CmdHIDsimTAGEx(high[selected], low[selected], 1, 50000);
+ CmdHIDsimTAGEx(0, high[selected], low[selected], 0, 1, 50000);
 }
 cardnum = original_cardnum;
@@ -216,7 +216,7 @@ void RunMod() {
 // Print actual code to brute
 Dbprintf("[=] TAG ID: %x%08x (%d) - FC: %u - Card: %u", high[selected], low[selected], (low[selected] >> 1) & 0xFFFF, fc, cardnum);
- CmdHIDsimTAGEx(high[selected], low[selected], 1, 50000);
+ CmdHIDsimTAGEx(0, high[selected], low[selected], 0, 1, 50000);
 }
 DbpString("[=] done bruteforcing");
diff --git a/armsrc/Standalone/lf_proxbrute.c b/armsrc/Standalone/lf_proxbrute.c
index 5844dda84..25d62cc2a 100644
--- a/armsrc/Standalone/lf_proxbrute.c
+++ b/armsrc/Standalone/lf_proxbrute.c
@@ -102,7 +102,7 @@ void RunMod() {
 Dbprintf("[=] trying Facility = %08x ID %08x", high, i);
 // high, i, ledcontrol, timelimit 20000
- CmdHIDsimTAGEx(high, i, false, 20000);
+ CmdHIDsimTAGEx(0, high, i, 0, false, 20000);
 SpinDelay(100);
 }
diff --git a/armsrc/Standalone/lf_samyrun.c b/armsrc/Standalone/lf_samyrun.c
index d56f48e24..4dc45b0b3 100644
--- a/armsrc/Standalone/lf_samyrun.c
+++ b/armsrc/Standalone/lf_samyrun.c
@@ -108,7 +108,7 @@ void RunMod() {
 Dbprintf("[=] simulating %x | %x%08x", selected, high[selected], low[selected]);
 // high, low, no led control(A) no time limit
- CmdHIDsimTAGEx(high[selected], low[selected], false, -1);
+ CmdHIDsimTAGEx(0, high[selected], low[selected], 0, false, -1);
 DbpString("[=] simulating done");
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index d48b798a5..214e439b0 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -702,7 +702,8 @@ static void PacketReceived(PacketCommandNG *packet) {
 break;
 }
 case CMD_LF_HID_SIMULATE: {
- CmdHIDsimTAG(packet->oldarg[0], packet->oldarg[1], 1);
+ lf_hidsim_t *payload = (lf_hidsim_t *)packet->data.asBytes;
+ CmdHIDsimTAG(payload->hi2, payload->hi, payload->lo, payload->longFMT, 1);
 break;
 }
 case CMD_LF_FSK_SIMULATE: {
diff --git a/armsrc/lfops.c b/armsrc/lfops.c
index b546fdc49..ead9966ae 100644
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
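Review bot: The new CMD_LF_HID_SIMULATE handler casts `packet->data.asBytes` to `lf_hidsim_t` without checking that the host actually sent `sizeof(lf_hidsim_t)` bytes, so a short or malformed packet is decoded from whatever is left in the receive buffer. That buffer is presumably fixed-size, so this is a stale-data read rather than an overrun, but the device then simulates an unintended ID with an unintended format flag. Guard it before the cast: `if (packet->length != sizeof(lf_hidsim_t)) { reply_ng(CMD_LF_HID_SIMULATE, PM3_EINVARG, NULL, 0); break; }` — assuming PacketCommandNG exposes the received length under that name and PM3_EINVARG is the defined argument-error status; otherwise use the project's equivalents. PacketReceived starts and ends outside this hunk.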
@@ -901,16 +901,8 @@ static void fcAll(uint8_t fc, int *n, uint8_t clock, int16_t *remainder) {
 // prepare a waveform pattern in the buffer based on the ID given then
 // simulate a HID tag until the button is pressed
-void CmdHIDsimTAGEx(uint32_t hi, uint32_t lo, bool ledcontrol, int numcycles) {
+void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles) {
- if (hi > 0xFFF) {
- DbpString("[!] tags can only have 44 bits. - USE lf simfsk for larger tags");
- return;
- }
-
- // special start of frame marker containing invalid Manchester bit sequences
- uint8_t bits[8+44*2] = { 0, 0, 0, 1, 1, 1, 0, 1 };
- uint16_t n = 8;
 /* HID tag bitstream format The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
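Review bot: The header comment on CmdHIDsimTAGEx still describes only the 44-bit case (`The tag contains a 44bit unique code`) and says nothing about the new `hi2` and `longFMT` parameters, so a caller cannot tell from the declaration how an 84-bit ID is split across the three words. I would extend the comment above the signature with `// hi2/hi/lo hold ID bits 83..64 / 63..32 / 31..0 when longFMT != 0 (84-bit long format);` and `// otherwise hi = bits 43..32, lo = bits 31..0, and hi2 is ignored.` The function body continues in the following hunk, where both branches are implemented.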
@@ -925,32 +917,87 @@ void CmdHIDsimTAGEx(uint32_t hi, uint32_t lo, bool ledcontrol, int numcycles) {
 bit 0 = fc8 */
- // TODO isn't there a manchester encoding function already available?
- // manchester encode bits 43 to 32
- for (int i = 11; i >= 0; i--) {
- if ((hi >> i) & 1) {
- bits[n++] = 1;
- bits[n++] = 0;
- } else {
- bits[n++] = 0;
- bits[n++] = 1;
+ uint8_t bits[8+84*2] = { 0, 0, 0, 1, 1, 1, 0, 1 };
+ uint8_t bitlen = 0;
+
+ if (longFMT) {
+ // Ensure no more than 84 bits supplied
+ if (hi2 > 0xFFFFF) {
+ DbpString("Tags can only have 84 bits.");
+ return;
+ }
+ bitlen = 8+84*2;
+ // special start of frame marker containing invalid Manchester bit sequences
+ uint16_t n = 8;
+ hi2 |= 0x9E00000; // 9E: long format identifier
+ // manchester encode "9E" and bits 83 to 64
+ for (int i = 27; i >= 0; i--) {
+ if ((hi2 >> i) & 1) {
+ bits[n++] = 1;
+ bits[n++] = 0;
+ } else {
+ bits[n++] = 0;
+ bits[n++] = 1;
+ }
+ }
+ // manchester encode bits 63 to 32
+ for (int i = 31; i >= 0; i--) {
+ if ((hi >> i) & 1) {
+ bits[n++] = 1;
+ bits[n++] = 0;
+ } else {
+ bits[n++] = 0;
+ bits[n++] = 1;
+ }
+ }
+ // manchester encode bits 31 to 0
+ for (int i = 31; i >= 0; i--) {
+ if ((lo >> i) & 1) {
+ bits[n++] = 1;
+ bits[n++] = 0;
+ } else {
+ bits[n++] = 0;
+ bits[n++] = 1;
+ }
+ }
+
+ } else {
+
+ if (hi > 0xFFF) {
+ DbpString("[!] tags can only have 44 bits. 
- USE lf simfsk for larger tags");
+ return;
+ }
+
+ bitlen = 8+44*2;
+ // special start of frame marker containing invalid Manchester bit sequences
+ uint16_t n = 8;
+
+ // manchester encode bits 43 to 32
+ for (int i = 11; i >= 0; i--) {
+ if ((hi >> i) & 1) {
+ bits[n++] = 1;
+ bits[n++] = 0;
+ } else {
+ bits[n++] = 0;
+ bits[n++] = 1;
+ }
+ }
+ // manchester encode bits 31 to 0
+ for (int i = 31; i >= 0; i--) {
+ if ((lo >> i) & 1) {
+ bits[n++] = 1;
+ bits[n++] = 0;
+ } else {
+ bits[n++] = 0;
+ bits[n++] = 1;
+ }
 }
 }
- // manchester encode bits 31 to 0
- for (int i = 31; i >= 0; i--) {
- if ((lo >> i) & 1) {
- bits[n++] = 1;
- bits[n++] = 0;
- } else {
- bits[n++] = 0;
- bits[n++] = 1;
- }
- }
- CmdFSKsimTAGEx(10, 8, 0, 50, sizeof(bits), bits, ledcontrol, numcycles);
+ CmdFSKsimTAGEx(10, 8, 0, 50, bitlen, bits, ledcontrol, numcycles);
 }
-void CmdHIDsimTAG(uint32_t hi, uint32_t lo, bool ledcontrol) {
- CmdHIDsimTAGEx(hi, lo, ledcontrol, -1);
+void CmdHIDsimTAG(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol) {
+ CmdHIDsimTAGEx(hi2, hi, lo, longFMT, ledcontrol, -1);
 reply_ng(CMD_LF_HID_SIMULATE, PM3_EOPABORTED, NULL, 0);
 }
diff --git a/armsrc/lfops.h b/armsrc/lfops.h
index 4f82dfae9..99d1b29eb 100644
--- a/armsrc/lfops.h
+++ b/armsrc/lfops.h
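Review bot: The long-format branch overruns `bits`: the array is declared `uint8_t bits[8+84*2]` (176 entries), but the three Manchester loops write 2*(28+32+32) = 184 entries after the 8-entry preamble, 192 in total, so the last 16 stores land past the end of a stack array, and because `bitlen` is also 176 the final 8 bits of `lo` are never transmitted either. The 28-bit loop itself is right — it covers the 8-bit `9E` marker plus ID bits 83..64 — so the buffer and length are what need changing: `uint8_t bits[8 + 8*2 + 84*2] = { 0, 0, 0, 1, 1, 1, 0, 1 };` and `bitlen = 8 + 8*2 + 84*2;` (200, still within `uint8_t`). The `hi2 > 0xFFFFF` check does not prevent this; any `longFMT` request from the host triggers it, while the 44-bit branch stays in bounds (8 + 88 = 96 entries). CmdHIDsimTAGEx's signature is in the preceding hunk.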
@@ -30,8 +30,8 @@ void SimulateTagLowFrequencyEx(int period, int gap, bool ledcontrol, int numcycl
 void SimulateTagLowFrequency(int period, int gap, bool ledcontrol);
 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
-void CmdHIDsimTAGEx(uint32_t hi, uint32_t lo, bool ledcontrol, int numcycles);
-void CmdHIDsimTAG(uint32_t hi, uint32_t lo, bool ledcontrol);
+void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles);
+void CmdHIDsimTAG(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol);
 void CmdFSKsimTAGEx(uint8_t fchigh, uint8_t fclow, uint8_t separator, uint8_t clk, uint16_t bitslen, uint8_t *bits, bool ledcontrol, int numcycles);
 void CmdFSKsimTAG(uint8_t fchigh, uint8_t fclow, uint8_t separator, uint8_t clk, uint16_t bitslen, uint8_t *bits, bool ledcontrol);
diff --git a/client/cmdlfhid.c b/client/cmdlfhid.c
index bfabcc237..d4d52fa9f 100644
--- a/client/cmdlfhid.c
+++ b/client/cmdlfhid.c
@@ -261,22 +261,41 @@ static int CmdHIDRead_device(const char *Cmd) {
 } */
 static int CmdHIDSim(const char *Cmd) {
- uint32_t hi = 0, lo = 0;
+ lf_hidsim_t payload;
+ payload.longFMT = 0;
+ uint32_t hi2 = 0, hi = 0, lo = 0;
 uint32_t n = 0, i = 0;
 uint8_t ctmp = tolower(param_getchar(Cmd, 0));
 if (strlen(Cmd) == 0 || ctmp == 'h') return usage_lf_hid_sim();
- while (sscanf(&Cmd[i++], "%1x", &n) == 1) {
- hi = (hi << 4) | (lo >> 28);
- lo = (lo << 4) | (n & 0xf);
+ if (strchr(Cmd, 'l') != 0) {
+ i++;
+ while (sscanf(&Cmd[i++], "%1x", &n) == 1) {
+ hi2 = (hi2 << 4) | (hi >> 28);
+ hi = (hi << 4) | (lo >> 28);
+ lo = (lo << 4) | (n & 0xf);
+ }
+
+ PrintAndLogEx(INFO, "Simulating HID tag with long ID %x%08x%08x", hi2, hi, lo);
+ payload.longFMT = 1;
+ } else {
+ while (sscanf(&Cmd[i++], "%1x", &n) == 1) {
+ hi = (hi << 4) | (lo >> 28);
+ lo = (lo << 4) | (n & 0xf);
+ }
+ PrintAndLogEx(SUCCESS, "Simulating HID tag with ID %x%08x", hi, lo);
+ hi2 = 0;
 }
- PrintAndLogEx(SUCCESS, "Simulating HID tag with ID %x%08x", hi, lo);
 PrintAndLogEx(SUCCESS, "Press pm3-button to abort simulation");
+ payload.hi2 = hi2;
+ payload.hi = hi;
+ payload.lo = lo;
+
 clearCommandBuffer();
- SendCommandMIX(CMD_LF_HID_SIMULATE, hi, lo, 0, NULL, 0);
+ SendCommandNG(CMD_LF_HID_SIMULATE, (uint8_t *)&payload, sizeof(payload));
 PacketResponseNG resp;
 WaitForResponse(CMD_LF_HID_SIMULATE, &resp);
 PrintAndLogEx(INFO, "Done");
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index e87e8bc33..d79433fcf 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@@ -197,6 +197,14 @@ typedef struct {
 uint8_t flags;
 } PACKED t55xx_write_block_t;
+// For CMD_LF_HID_SIMULATE (FSK)
+typedef struct {
+ uint32_t hi2;
+ uint32_t hi;
+ uint32_t lo;
+ uint8_t longFMT;
+} PACKED lf_hidsim_t;
+
 // For CMD_LF_FSK_SIMULATE (FSK)
 typedef struct {
 uint8_t fchigh;
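Review bot: The long-ID parser assumes the `l` flag is immediately followed by the hex digits: it only does `i++` before the `sscanf` loop, and because `%1x` skips leading whitespace, an invocation with a separator such as `l 2006ec0c86` reads the first digit twice (once from `&Cmd[1]` after skipping the space, again from `&Cmd[2]`), yielding a shifted, wrong ID. It also tests `strchr(Cmd, 'l')` although `ctmp` already holds the lowercased first character and the `h` check just above uses it. I would replace the first two lines of the branch with `if (ctmp == 'l') {`, `i = 1;`, `while (Cmd[i] == ' ') i++;` and keep the existing `sscanf` loop. Separately, the client never rejects an ID wider than 84 bits, and in the visible lines it does not look at `resp.status`, so it prints `Done` even when the device side refuses the ID with PM3_EOPABORTED. CmdHIDSim continues past the end of this hunk.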
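Review bot: The new `lf_hidsim_t` struct is the wire format for CMD_LF_HID_SIMULATE but carries no comment on what each word holds or when `hi2` is meaningful, which is the one place a client author will look. I would annotate the fields: `uint32_t hi2; // ID bits 83..64, long format only (max 0xFFFFF)`, `uint32_t hi; // ID bits 63..32 (long) or 43..32 (44-bit)`, `uint8_t longFMT; // nonzero selects the 84-bit long format`. The 0xFFFFF bound and bit positions are the ones enforced in CmdHIDsimTAGEx on the device side in this same patch.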