em tearoff full auto mode

Philippe Teuwen 2020-10-11 16:01:34 +02:00
commit 91f9ea4b40


@ -84,7 +84,7 @@ local function main(args)
for o, a in getopt.getopt(args, 'he:s:p:n:') do for o, a in getopt.getopt(args, 'he:s:p:n:') do
if o == 'h' then return help() end if o == 'h' then return help() end
if o == 'n' then n = a end if o == 'n' then n = tonumber(a) end
if o == 'p' then password = a end if o == 'p' then password = a end
if o == 'e' then ed = tonumber(a) end if o == 'e' then ed = tonumber(a) end
if o == 's' then sd = tonumber(a) end if o == 's' then sd = tonumber(a) end
@ -115,20 +115,30 @@ local function main(args)
return nil return nil
end end
local wr_value = '00000000' local wr_value = '00000000'
n = n or 2 local auto = false
sd = sd or 2000 if n == nil then
ed = ed or 2100 auto = true
sd = sd or 2000
if sd > ed then ed = ed or 6000
return oops('start delay can\'t be larger than end delay', sd, ed) n = (ed - sd) / 2
else
if sd == nil or ed == nil then
return oops('start and stop delays need to be defined')
end
if sd > ed then
return oops('start delay can\'t be larger than end delay', sd, ed)
end
end end
print('==========================================') print('==========================================')
print('Starting EM4x05 tear off :: target PROTECT') print('Starting EM4x05 tear-off : target PROTECT')
if password then if password ~= '' then
print('target pwd', password) print('target pwd', password)
end end
if auto then
print('automatic mode', 'enabled')
end
print('target stepping', n) print('target stepping', n)
print('target delay', sd ,ed) print('target delay', sd ,ed)
print('read value', rd_value) print('read value', rd_value)
@ -143,20 +153,33 @@ local function main(args)
n = 0 n = 0
end end
local locked_on = false
local tries = 0 local tries = 0
local soon = 0
local late = 0
while sd <= ed do while sd <= ed do
-- increase loop if auto and n < 1 then -- n is a float
sd = sd + n print('[!] Reached n < 1 => '..ansicolors.yellow..'disabling automatic mode'..ansicolors.reset)
ed = sd
if not locked_on then auto = false
if (tries == 10) and (n == 0) then n = 0
print(ansicolors.cyan..('[!] Tried %d times, increased delay with 1us'):format(tries)..ansicolors.reset) end
tries = 0 if not auto then
sd = sd + n
end
if (tries >= 5) and (n == 0) and (soon ~= late) then
if soon > late then
print(('[!] Tried %d times, soon:%i late:%i => '):format(tries, soon, late)..ansicolors.yellow..'adjusting delay by +1 us'..ansicolors.reset)
sd = sd + 1 sd = sd + 1
ed = ed + 1 ed = ed + 1
else
print(('[!] Tried %d times, soon:%i late:%i => '):format(tries, soon, late)..ansicolors.yellow..'adjusting delay by -1 us'..ansicolors.reset)
sd = sd - 1
ed = ed - 1
end end
tries = 0
soon = 0
late = 0
end end
io.flush() io.flush()
@ -192,6 +215,13 @@ local function main(args)
if wordstr14 == rd_value and wordstr15 == '00000000' then if wordstr14 == rd_value and wordstr15 == '00000000' then
print('[=] Status: Nothing happened => '..ansicolors.green..'tearing too soon'..ansicolors.reset) print('[=] Status: Nothing happened => '..ansicolors.green..'tearing too soon'..ansicolors.reset)
if auto then
sd = sd + n
n = n / 2
print(('[+] Adjusting params: n=%i sd=%i ed=%i'):format(n, sd, ed))
else
soon = soon + 1
end
else else
if wordstr15 == rd_value then if wordstr15 == rd_value then
if wordstr14 == '00000000' then if wordstr14 == '00000000' then
@ -210,12 +240,24 @@ local function main(args)
return oops(err14b) return oops(err14b)
end end
local wordstr14b = ('%08X'):format(word14b) local wordstr14b = ('%08X'):format(word14b)
if (wordstr14b == '00000000') then
reset(wr_value, password)
end
if (wordstr14b ~= rd_value) then if (wordstr14b ~= rd_value) then
local word15b, err15b = core.em4x05_read(15, password)
if err15b then
return oops(err15b)
end
print(('[=] Status: new definitive value! => '..ansicolors.red..'SUCCESS: '..ansicolors.reset..'14: '..ansicolors.cyan..'%08X'..ansicolors.reset..' 15: %08X'):format(word14b, word15b)) print(('[=] Status: new definitive value! => '..ansicolors.red..'SUCCESS: '..ansicolors.reset..'14: '..ansicolors.cyan..'%08X'..ansicolors.reset..' 15: %08X'):format(word14b, word15b))
return exit_msg() return exit_msg()
end end
if not locked_on then if auto then
tries = 0 ed = sd
sd = sd - n
n = n / 2
print(('[+] Adjusting params: n=%i sd=%i ed=%i'):format(n, sd, ed))
else
late = late + 1
end end
else else
bit15 = bit.band(0x00008000, word15) bit15 = bit.band(0x00008000, word15)
@ -251,12 +293,18 @@ local function main(args)
end end
else else
print(('[=] Status: 15 bitflipped but inactive => '..ansicolors.yellow..'PROMISING: '..ansicolors.reset..'14: %08X 15: '..ansicolors.cyan..'%08X'..ansicolors.reset):format(word14, word15)) print(('[=] Status: 15 bitflipped but inactive => '..ansicolors.yellow..'PROMISING: '..ansicolors.reset..'14: %08X 15: '..ansicolors.cyan..'%08X'..ansicolors.reset):format(word14, word15))
print('[+] locked on to this delay') end
locked_on = true if auto then
n = 0
ed = sd
else
tries = 0
soon = 0
late = 0
end end
end end
end end
if not locked_on then if not auto then
tries = tries + 1 tries = tries + 1
end end
end end
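Review bot: The `sd > ed` guard now lives only on the manual branch (`else` after `n = (ed - sd) / 2`), so in automatic mode a start delay above the end delay is not rejected: `n` becomes negative and `while sd <= ed` never runs, so the script ends quietly without the "start delay can't be larger than end delay" message. Hoisting the check out of the branch, right after the `end` that closes `if n == nil then ... else ... end`, covers both modes: `if sd > ed then return oops('start delay can\'t be larger than end delay', sd, ed) end`. A related gap is that `-n`, `-s` and `-e` go through `tonumber`, which returns nil on a non-numeric argument, so a typo in `-n` silently enables automatic mode instead of failing; a check such as `if o == 'n' then n = tonumber(a); if n == nil then return oops('invalid -n value', a) end end` would surface it. Also, `n` is a float in automatic mode (`n = n / 2`) and is printed with `%i`; this is fine on Lua 5.2 but would raise "number has no integer representation" on 5.3+, so `math.floor(n)` in the format call is worth considering if the interpreter is ever upgraded. The enclosing `main` starts outside the hunks shown.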