diff --git a/armsrc/Standalone/lf_hidbrute.c b/armsrc/Standalone/lf_hidbrute.c
index 87878cfa3..6bdf27384 100644
--- a/armsrc/Standalone/lf_hidbrute.c
+++ b/armsrc/Standalone/lf_hidbrute.c
@@ -150,7 +150,7 @@ void RunMod(void) {
 } else if (playing && selected == 2) {
 // Now it work only with HID Corporate 1000 (35bit), but is easily extensible to others RFID.
 // It is necessary only to calculate the correct parity.
-
+ // Brute force code
 // Check if the badge is an HID Corporate 1000
 if ((high[selected] & 0xFFFFFFF8) != 0x28) {
@@ -257,7 +257,7 @@ void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low
 // Calculate new high and low base value from card number and facility code, without parity
 new_low = (fc << 21) | (cardnum << 1);
- new_high = 0x28 | ((fc >> 11) & 1); // 0x28 is 101000
+ new_high = (fc >> 11) & 1;
 int n_ones;
 uint32_t i;
@@ -319,6 +319,7 @@ void hid_corporate_1000_calculate_checksum_and_set(uint32_t *high, uint32_t *low
 new_high = new_high | 0x4;
 // Setting new calculated values
+ add_HID_preamble(0, &new_high, &new_low, 35);
 *low = new_low;
 *high = new_high;
 }
diff --git a/armsrc/Standalone/lf_hidfcbrute.c b/armsrc/Standalone/lf_hidfcbrute.c
index 75c97e0bf..ef7102fdb 100644
--- a/armsrc/Standalone/lf_hidfcbrute.c
+++ b/armsrc/Standalone/lf_hidfcbrute.c
@@ -176,8 +176,7 @@ void hid_calculate_checksum_and_set(uint32_t *high, uint32_t *low, uint32_t card
 newlow |= oddparity32((newlow >> 1) & 0xFFF);
 newlow |= (evenparity32((newlow >> 13) & 0xFFF)) << 25;
- newhigh |= 0x20; // Bit 37; standard header
- newlow |= 1U << 26; // leading 1: start bit
+ add_HID_preamble(NULL, &newhigh, &newlow, 26);
 *low = newlow;
 *high = newhigh;
diff --git a/armsrc/Standalone/lf_prox2brute.c b/armsrc/Standalone/lf_prox2brute.c
index 851dd597a..ab736a9d1 100644
--- a/armsrc/Standalone/lf_prox2brute.c
+++ b/armsrc/Standalone/lf_prox2brute.c
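Review bot: The Corporate 1000 checksum in hid_corporate_1000_calculate_checksum_and_set may now come out different from before: the start/header bits 0x28 are OR'd into new_high only in the third hunk, after the parity bits have been computed, whereas the old second hunk had them present in new_high throughout; if the parity loop between the hunks (outside this view) counts every set bit of new_high instead of masking the data bits, the result changes, so it is worth confirming against a card whose raw value is known. The call also passes `0` for hi2 where lf_hidfcbrute.c passes `NULL`, and all three call sites in this commit discard the bool result; `add_HID_preamble(NULL, &new_high, &new_low, 35);` reads consistently with the others. The removed `// 0x28 is 101000` was the only place saying which bits make up the header; a note next to the new call such as `// start bit (35) and header bit (37) are set by add_HID_preamble` would keep that visible.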
@@ -16,8 +16,8 @@
 //-----------------------------------------------------------------------------
 // LF HID ProxII Brutforce v2 by lnv42 - based on Proxbrute by Brad antoniewicz
 //
-// Following code is a trivial brute forcer for when you know the facility
-// code and want to find valid(s) card number(s). It will try all card
+// Following code is a trivial brute forcer (H10301 26-bit) when you know the
+// facility code and want to find valid(s) card number(s). It will try all card
 // fnumbers rom CARDNUM_START to CARDNUM_END one by one (max. ~65k tries).
 // This brute force will be a lot faster than Proxbrute that will try all
 // possibles values for LF low, even those with bad checksum (~4g tries).
@@ -46,8 +46,7 @@ void RunMod(void) {
 StandAloneMode();
 Dbprintf(">> LF HID proxII bruteforce v2 a.k.a Prox2Brute Started <<");
 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
-
- const uint32_t high = 0x20; // LF high value is always 0x20 here
+ uint32_t high = 0, low = 0;
 uint32_t fac = FACILITY_CODE, cardnum = 0;
@@ -79,9 +78,10 @@ void RunMod(void) {
 if (BUTTON_HELD(1000) == BUTTON_HOLD) break; // long button press (>=1sec) exit
 // calculate the new LF low value including Card number, Facility code and checksum
- uint32_t low = (cardnum << 1) | (fac << 17);
+ low = (cardnum << 1) | (fac << 17);
 low |= oddparity32((low >> 1) & 0xFFF);
 low |= evenparity32((low >> 13) & 0xFFF) << 25;
+ add_HID_preamble(NULL, &high, &low, 26);
 Dbprintf("[=] trying Facility = %08x, Card = %08x, raw = %08x%08x", fac, cardnum, high, low);
diff --git a/armsrc/lfops.c b/armsrc/lfops.c
index d28e4f4e7..8215a07ea 100644
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
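Review bot: `high` is now a mutable word that add_HID_preamble ORs into on every loop iteration without ever being reset, while `low` is rebuilt from scratch each time; this is only correct because the 26-bit preamble bits are constant and OR is idempotent, and nothing in the code says so now that the old `const` is gone. Either reset it alongside the low assignment, `high = 0;` before `low = (cardnum << 1) | (fac << 17);`, or state the invariant on the declaration with `// high only ever receives the constant 26-bit preamble from add_HID_preamble`. The bool result of add_HID_preamble is discarded here as well. RunMod's loop body continues outside the hunk.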
@@ -944,6 +944,33 @@ static void fcAll(uint8_t fc, int *n, uint8_t clock, int16_t *remainder) {
 }
 }
+bool add_HID_preamble(uint32_t *hi2, uint32_t *hi, uint32_t *lo, uint8_t length){
+ // Invalid value
+ if (length > 84 || length == 0)
+ return false;
+
+ if (length == 48) {
+ *hi |= 1U << (length - 32); // Example leading 1: start bit
+ return true;
+ }
+ if (length >= 64) {
+ *hi2 |= 0x09e00000; // Extended-length header
+ *hi2 |= 1U << (length - 64); // leading 1: start bit
+ } else if (length > 37) {
+ *hi2 |= 0x09e00000; // Extended-length header
+ *hi |= 1U << (length - 32); // leading 1: start bit
+ } else if (length == 37) {
+ // No header bits added to 37-bit cards
+ } else if (length >= 32) {
+ *hi |= 0x20; // Bit 37; standard header
+ *hi |= 1U << (length - 32); // leading 1: start bit
+ } else {
+ *hi |= 0x20; // Bit 37; standard header
+ *lo |= 1U << length; // leading 1: start bit
+ }
+ return true;
+}
+ // prepare a waveform pattern in the buffer based on the ID given then
 // simulate a HID tag until the button is pressed
 void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles) {
diff --git a/armsrc/lfops.h b/armsrc/lfops.h
index c3f00b4af..9d9a029d4 100644
--- a/armsrc/lfops.h
+++ b/armsrc/lfops.h
@@ -24,7 +24,7 @@ void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint16_t period_0, uint16_t period_1, const uint8_t *symbol_extra, uint16_t *period_extra, uint8_t *command, bool verbose, bool keep_field_on, uint32_t samples, bool ledcontrol);
-
+ void ReadTItag(bool ledcontrol);
 void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc, bool ledcontrol);
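Review bot: add_HID_preamble dereferences hi2 in the `length >= 64` and `length > 37` branches without ever checking it, and every caller in this commit passes NULL or 0 for that argument; this is safe only because they pass 26 or 35, so a future long-format caller that keeps the NULL idiom would fault on the device. A guard next to the existing range check, `if (length > 37 && length != 48 && hi2 == NULL) { return false; }`, would turn that case into the false return the function already uses for bad lengths, and callers would then have a reason to look at the result they currently discard. The `length == 48` early exit sets a start bit but no header, and its comment `// Example leading 1: start bit` does not say why 48-bit formats skip the extended header that the 38..84-bit branches add; a one-line reason there would help. The function also has no header comment stating that it ORs the preamble into the supplied words rather than replacing them, which is what makes the callers' pre-zeroed variables matter.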
@@ -34,6 +34,7 @@ void SimulateTagLowFrequencyEx(int period, int gap, bool ledcontrol, int numcycl
 void SimulateTagLowFrequency(int period, int gap, bool ledcontrol);
 void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
+bool add_HID_preamble(uint32_t *hi2, uint32_t *hi, uint32_t *lo, uint8_t length);
 void CmdHIDsimTAGEx(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol, int numcycles);
 void CmdHIDsimTAG(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool ledcontrol);
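Review bot: The new prototype says nothing about when hi2 may be NULL, yet every call site in this commit passes NULL or 0 for it, and the header is where that contract belongs. A comment on the declaration such as `// ORs the HID start bit and format header into hi2/hi/lo for a length-bit card; hi2 is written only for lengths above 37 (except 48) and may be NULL otherwise; returns false for length 0 or above 84` would tell callers what the implementation in lfops.c actually does.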