From 85acdfe1090668a3afd0e46cf34ce1b92146e9d3 Mon Sep 17 00:00:00 2001
From: bogiton <34060135+bogiton@users.noreply.github.com>
Date: Sat, 2 Nov 2019 18:06:02 +0000
Subject: [PATCH 1/3] Update hf_bog.c
---
 armsrc/Standalone/hf_bog.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c
index 5e84d4cc1..ac0bb7749 100644
--- a/armsrc/Standalone/hf_bog.c
+++ b/armsrc/Standalone/hf_bog.c
@@ -216,13 +216,11 @@ void RAMFUNC SniffAndStore(uint8_t param) {
 if (auth_attempts > 0) {
 if (DBGLEVEL > 1) Dbprintf("[!] Authentication attempts = %u", auth_attempts);
- size_t size = 4 * auth_attempts;
- uint8_t *buf = BigBuf_malloc(size);
 if (!exists_in_spiffs((char *)HF_BOG_LOGFILE)) {
- rdv40_spiffs_write((char *)HF_BOG_LOGFILE, buf, size, RDV40_SPIFFS_SAFETY_SAFE);
+ rdv40_spiffs_write((char *)HF_BOG_LOGFILE, capturedPwds, 4 * auth_attempts, RDV40_SPIFFS_SAFETY_SAFE);
 } else {
- rdv40_spiffs_append((char *)HF_BOG_LOGFILE, buf, size, RDV40_SPIFFS_SAFETY_SAFE);
+ rdv40_spiffs_append((char *)HF_BOG_LOGFILE, capturedPwds, 4 * auth_attempts, RDV40_SPIFFS_SAFETY_SAFE);
 }
 }
From 22b7d54362b9a5bf9cb876c600b3d5a1c3d02ab6 Mon Sep 17 00:00:00 2001
From: bogiton <34060135+bogiton@users.noreply.github.com>
Date: Sat, 2 Nov 2019 18:07:36 +0000
Subject: [PATCH 2/3] Add GetFromFlashMemSpiffs in scripting.c
---
 client/scripting.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/client/scripting.c b/client/scripting.c
index 43bcbd9c7..6ad9bc0fc 100644
--- a/client/scripting.c
+++ b/client/scripting.c
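Review bot: The byte count `4 * auth_attempts` passed to `rdv40_spiffs_write` and `rdv40_spiffs_append` in the hf_bog.c hunk is not checked against the size of `capturedPwds` anywhere in the visible lines, so if `auth_attempts` can exceed the number of stored entries the call reads past the array and writes that memory into the log file. The declaration of `capturedPwds` and the code that increments `auth_attempts` are outside the hunk, so the count may already be capped; if it is not, clamp it before the write. The return values of both calls are also dropped, so a failed flash write loses the captured data silently; a `Dbprintf` on failure would make that visible. SniffAndStore starts and ends outside the hunk.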
@@ -304,6 +304,61 @@ static int l_GetFromFlashMem(lua_State *L) {
 }
+/**
+ * @brief The following params expected:
+ * uint8_t *destfilename
+ * @param L
+ * @return
+ */
+static int l_GetFromFlashMemSpiffs(lua_State *L) {
+
+ if (IfPm3Flash()) {
+ uint32_t start_index = 0, len = 0x40000; //FLASH_MEM_MAX_SIZE
+ char destfilename[32] = {0};
+ size_t size;
+
+ int n = lua_gettop(L);
+ if (n == 0)
+ return returnToLuaWithError(L, "You need to supply the destination filename");
+
+ if (n >= 1) {
+ const char *p_filename = luaL_checklstring(L, 1, &size);
+ if (size != 0)
+ memcpy(destfilename, p_filename, 31);
+ }
+
+ if (destfilename[0] == '\0')
+ return returnToLuaWithError(L, "Filename missing or invalid");
+
+ // get size from spiffs itself !
+ SendCommandMIX(CMD_SPIFFS_STAT, 0, 0, 0, (uint8_t *)destfilename, 32);
+ PacketResponseNG resp;
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000))
+ return returnToLuaWithError(L, "No response from the device");
+
+ len = resp.oldarg[0];
+
+ if (len <= 0)
+ return returnToLuaWithError(L, "Filename invalid or empty");
+
+ uint8_t *data = calloc(len, sizeof(uint8_t));
+ if (!data)
+ return returnToLuaWithError(L, "Allocating memory failed");
+
+ if (!GetFromDevice(SPIFFS, data, len, start_index, (uint8_t *)destfilename, 32, NULL, -1, true)) {
+ free(data);
+ return returnToLuaWithError(L, "ERROR; downloading from spiffs(flashmemory)");
+ }
+
+ lua_pushlstring(L, (const char *)data, len);
+ lua_pushunsigned(L, len);
+ free(data);
+ return 2;
+ } else {
+ return returnToLuaWithError(L, "No FLASH MEM support");
+ }
+}
+
 /**
 * @brief The following params expected:
 * uint32_t cmd
@@ -1128,6 +1183,7 @@ int set_pm3_libraries(lua_State *L) {
 {"SendCommandNG", l_SendCommandNG},
 {"GetFromBigBuf", l_GetFromBigBuf},
 {"GetFromFlashMem", l_GetFromFlashMem},
+ {"GetFromFlashMemSpiffs", l_GetFromFlashMemSpiffs},
 {"WaitForResponseTimeout", l_WaitForResponseTimeout},
 {"mfDarkside", l_mfDarkside},
 {"foobar", l_foobar},
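Review bot: In `l_GetFromFlashMemSpiffs`, `memcpy(destfilename, p_filename, 31)` always copies 31 bytes, so any filename shorter than that makes the client read past the end of the Lua string; copy only what is there, e.g. `memcpy(destfilename, p_filename, size < sizeof(destfilename) - 1 ? size : sizeof(destfilename) - 1);`. A name longer than 31 bytes is silently truncated and then looked up on the device, which would be better reported as an error. `len` is `uint32_t`, so `if (len <= 0)` only catches zero, and the device-reported size goes straight into `calloc` and `GetFromDevice`; bounding it by the flash size the initialiser already names, `if (len == 0 || len > 0x40000)`, keeps a malformed reply from driving the allocation. The docblock's `@return` is empty and should state that the function pushes the file contents and their length, or whatever `returnToLuaWithError` pushes on failure.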
From 7a79901ed0633d6ba981ec523657275f287bf63f Mon Sep 17 00:00:00 2001
From: bogiton <34060135+bogiton@users.noreply.github.com>
Date: Sat, 2 Nov 2019 18:08:59 +0000
Subject: [PATCH 3/3] Add read_pwd_mem_spiffs.lua
---
 client/luascripts/read_pwd_mem_spiffs.lua | 91 +++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 client/luascripts/read_pwd_mem_spiffs.lua
diff --git a/client/luascripts/read_pwd_mem_spiffs.lua b/client/luascripts/read_pwd_mem_spiffs.lua
new file mode 100644
index 000000000..8dbdac691
--- /dev/null
+++ b/client/luascripts/read_pwd_mem_spiffs.lua
@@ -0,0 +1,91 @@
+local getopt = require('getopt')
+local bin = require('bin')
+
+copyright = 'Copyright (c) 2019 Bogito. All rights reserved.'
+author = 'Bogito'
+version = 'v1.1.0'
+desc =
+[[
+This script will read the flash memory of RDV4 using SPIFFS and print the stored passwords.
+It was meant to be used as a help tool after using the BogRun standalone mode.
+]]
+example =
+[[
+ -- This will read the hf_bog.log file in SPIFFS and print the stored passwords
+ script run read_pwd_mem_spiffs
+
+ -- This will read the other.log file in SPIFFS and print the stored passwords
+ script run read_pwd_mem_spiffs -f other.log
+]]
+usage =
+[[
+Usage:
+ script run read_pwd_mem_spiffs -h -f
+
+Arguments:
+ -h : this help
+ -f : filename in SPIFFS
+]]
+---
+-- This is only meant to be used when errors occur
+local function oops(err)
+ print('ERROR:', err)
+ core.clearCommandBuffer()
+ return nil, err
+end
+---
+-- Usage help
+local function help()
+ print(copyright)
+ print(author)
+ print(version)
+ print(desc)
+ print('Example usage')
+ print(example)
+ print(usage)
+end
+---
+-- The main entry point
+local function main(args)
+
+ print( string.rep('--',20) )
+ print('Read passwords stored in memory (SPIFFS)')
+ print( string.rep('--',20) )
+ print()
+
+ local data, length, err
+ local cnt = 0
+ local filename = 'hf_bog.log'
+ local keylength = 4
+
+ for o, a in getopt.getopt(args, 'f:h') do
+
+ -- help
+ if o == 'h' then return help() end
+
+ -- offset
+ if o == 'f' then filename = a end
+
+ end
+
+ data, length, err = core.GetFromFlashMemSpiffs(filename)
+ if data == nil then return oops('Problem while reading file from SPIFFS') end
+
+ --print('Filename', filename)
+ --print('Filesize (B)', length)
+
+ _, s = bin.unpack('H'..length, data)
+
+ local cnt = 0, i
+ for i = 1, length/keylength do
+ key = string.sub(s, (i-1)*8+1, i*8)
+ if key == 'FFFFFFFF' then break end
+ print(string.format('[%02d] %s',i, key))
+ cnt = cnt + 1
+ end
+ print( string.rep('--',20) )
+ print( ('[+] found %d passwords'):format(cnt))
+
+end
+
+main(args)
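Review bot: `_, s = bin.unpack('H'..length, data)` and `key = string.sub(...)` in `main` assign globals, and `local cnt = 0, i` redeclares `cnt` while the trailing `, i` is evaluated and discarded rather than declaring anything; write `local _, s = bin.unpack('H'..length, data)` and `local key = string.sub(s, (i-1)*8+1, i*8)`, and drop the second `local cnt` line. The third result `err` of `core.GetFromFlashMemSpiffs` is never used, so the user always sees the generic 'Problem while reading file from SPIFFS' instead of the reason the C side reported; pass the returned message to `oops` once it is confirmed which result position `returnToLuaWithError` puts it in. The comment `-- offset` above the `-f` branch should read `-- filename`.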