From aeed5e3c26f7accaaf69f817961fd786fa2b2172 Mon Sep 17 00:00:00 2001 From: cjbrigato Date: Tue, 23 Jul 2019 23:26:26 +0200 Subject: [PATCH 1/4] FIX: Patch HF_BOG standalone for new SPIFFS compatibility --- armsrc/Standalone/hf_bog.c | 118 +++++++++++++++---------------------- 1 file changed, 46 insertions(+), 72 deletions(-) diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c index ca0b0eeeb..08e0345c7 100644 --- a/armsrc/Standalone/hf_bog.c +++ b/armsrc/Standalone/hf_bog.c @@ -27,9 +27,11 @@ from the client to view the stored quadlets. // Maximum number of auth attempts per standalone session #define MAX_PWDS_PER_SESSION 64 +#define HF_BOG_LOGFILE "hf_bog.log" + uint8_t FindOffsetInFlash() { - uint8_t mem[4] = { 0x00, 0x00, 0x00, 0x00 }; - uint8_t eom[4] = { 0xFF, 0xFF, 0xFF, 0xFF }; + uint8_t mem[4] = {0x00, 0x00, 0x00, 0x00}; + uint8_t eom[4] = {0xFF, 0xFF, 0xFF, 0xFF}; uint8_t memcnt = 0; while (memcnt < 0xFF) { @@ -52,7 +54,8 @@ void EraseMemory() { Flash_WriteEnable(); Flash_Erase4k(0, 0); - if (DBGLEVEL > 1) Dbprintf("[!] Erased flash!"); + if (DBGLEVEL > 1) + Dbprintf("[!] Erased flash!"); FlashStop(); SpinDelay(100); } @@ -96,8 +99,9 @@ void RAMFUNC SniffAndStore(uint8_t param) { UartInit(receivedCmd, receivedCmdPar); // Setup and start DMA. - if (!FpgaSetupSscDma((uint8_t *) dmaBuf, DMA_BUFFER_SIZE)) { - if (DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); + if (!FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE)) { + if (DBGLEVEL > 1) + Dbprintf("FpgaSetupSscDma failed. Exiting"); return; } 
@@ -134,17 +138,18 @@ void RAMFUNC SniffAndStore(uint8_t param) { Dbprintf("[!] blew circular buffer! | datalen %u", dataLen); break; } - if (dataLen < 1) continue; + if (dataLen < 1) + continue; // primary buffer was stopped( <-- we lost data! if (!AT91C_BASE_PDC_SSC->PDC_RCR) { - AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf; + AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t)dmaBuf; AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE; - //Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary + // Dbprintf("[-] RxEmpty ERROR | data length %d", dataLen); // temporary } // secondary buffer sets as primary, secondary buffer was stopped if (!AT91C_BASE_PDC_SSC->PDC_RNCR) { - AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; + AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t)dmaBuf; AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; } 
@@ -159,23 +164,24 @@ void RAMFUNC SniffAndStore(uint8_t param) { LED_C_ON(); // check - if there is a short 7bit request from reader - if ((!triggered) && (param & 0x02) && (uart->len == 1) && (uart->bitCount == 7)) triggered = true; + if ((!triggered) && (param & 0x02) && (uart->len == 1) && (uart->bitCount == 7)) + triggered = true; if (triggered) { - if ((receivedCmd) && ((receivedCmd[0] == MIFARE_ULEV1_AUTH) || (receivedCmd[0] == MIFARE_ULC_AUTH_1))) { - if (DBGLEVEL > 1) Dbprintf("PWD-AUTH KEY: 0x%02x%02x%02x%02x", receivedCmd[1], receivedCmd[2], receivedCmd[3], receivedCmd[4]); + if ((receivedCmd) && + ((receivedCmd[0] == MIFARE_ULEV1_AUTH) || (receivedCmd[0] == MIFARE_ULC_AUTH_1))) { + if (DBGLEVEL > 1) + Dbprintf("PWD-AUTH KEY: 0x%02x%02x%02x%02x", receivedCmd[1], receivedCmd[2], + receivedCmd[3], receivedCmd[4]); // temporarily save the captured pwd in our array memcpy(&capturedPwds[4 * auth_attempts], receivedCmd + 1, 4); auth_attempts++; } - if (!LogTrace(receivedCmd, - uart->len, - uart->startTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER, - uart->endTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER, - uart->parity, - true)) break; + if (!LogTrace(receivedCmd, uart->len, uart->startTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER, + uart->endTime * 16 - DELAY_READER_AIR2ARM_AS_SNIFFER, uart->parity, true)) + break; } /* ready to receive another command. */ UartReset(); 
@@ -193,20 +199,18 @@ void RAMFUNC SniffAndStore(uint8_t param) { if (ManchesterDecoding(tagdata, 0, (my_rsamples - 1) * 4)) { LED_B_ON(); - if (!LogTrace(receivedResp, - demod->len, - demod->startTime * 16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, - demod->endTime * 16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, - demod->parity, - false)) break; + if (!LogTrace(receivedResp, demod->len, demod->startTime * 16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, + demod->endTime * 16 - DELAY_TAG_AIR2ARM_AS_SNIFFER, demod->parity, false)) + break; - if ((!triggered) && (param & 0x01)) triggered = true; + if ((!triggered) && (param & 0x01)) + triggered = true; // ready to receive another response. DemodReset(); // reset the Miller decoder including its (now outdated) input buffer UartReset(); - //UartInit(receivedCmd, receivedCmdPar); + // UartInit(receivedCmd, receivedCmdPar); LED_C_OFF(); } TagIsActive = (demod->state != DEMOD_UNSYNCD); 
@@ -228,57 +232,27 @@ void RAMFUNC SniffAndStore(uint8_t param) { SpinDelay(200); - // Write stuff to flash + // Write stuff to spiffs logfile if (auth_attempts > 0) { - if (DBGLEVEL > 1) Dbprintf("[!] Authentication attempts = %u", auth_attempts); + if (DBGLEVEL > 1) + Dbprintf("[!] Authentication attempts = %u", auth_attempts); - // Setting the SPI Baudrate to 48MHz to avoid the bit-flip issue (https://github.com/RfidResearchGroup/proxmark3/issues/34) - FlashmemSetSpiBaudrate(48000000); + if + size_t size = 4 * auth_attempts; + uint8_t *data = BigBuf_malloc(size); - // Find the offset in flash mem to continue writing the auth attempts - uint8_t memoffset = FindOffsetInFlash(); - if (DBGLEVEL > 1) Dbprintf("[!] Memory offset = %u", memoffset); - - if ((memoffset + 4 * auth_attempts) > 0xFF) { - // We opt to keep the new data only - memoffset = 0; - if (DBGLEVEL > 1) Dbprintf("[!] Size of total data > 256 bytes. Discarding the old data."); + if (!exists_in_spiffs((char *)HF_BOG_LOGFILE)) { + rdv40_spiffs_write((char *)HF_BOG_LOGFILE, (uint8_t *)data, size, RDV40_SPIFFS_SAFETY_SAFE); + } else { + rdv40_spiffs_append((char *)HF_BOG_LOGFILE, (uint8_t *)data, size, RDV40_SPIFFS_SAFETY_SAFE); } - - // Get previous data from flash mem - uint8_t *previousdata = BigBuf_malloc(memoffset); - if (memoffset > 0) { - uint16_t readlen = Flash_ReadData(0, previousdata, memoffset); - if (DBGLEVEL > 1) Dbprintf("[!] 
Read %u bytes from flash mem", readlen); - } - - // create new bigbuf to hold all data - size_t total_size = memoffset + 4 * auth_attempts; - uint8_t *total_data = BigBuf_malloc(total_size); - - // Add the previousdata array into total_data array - memcpy(total_data, previousdata, memoffset); - - // Copy bytes of capturedPwds immediately following bytes of previousdata - memcpy(total_data + memoffset, capturedPwds, 4 * auth_attempts); - - // Erase first page of flash mem - EraseMemory(); - - // Write total data to flash mem - uint16_t writelen = Flash_WriteData(0, total_data, memoffset + 4 * auth_attempts); - if (DBGLEVEL > 1) Dbprintf("[!] Wrote %u bytes into flash mem", writelen); - - // If pwd saved successfully, blink led A three times - if (writelen > 0) { - SpinErr(0, 200, 5); // blink led A - } - - SpinDelay(100); - - // Reset the SPI Baudrate to the default value (24MHz) - FlashmemSetSpiBaudrate(24000000); } + + if (DBGLEVEL > 1) + Dbprintf("[!] Wrote %u Authentification attempts into logfile", auth_attempts); + + SpinErr(0, 200, 5); // blink led A + SpinDelay(100); } void ModInfo(void) { From d3633b719f92f32c9c892b619702ce5ed93b196a Mon Sep 17 00:00:00 2001 From: cjbrigato Date: Tue, 23 Jul 2019 23:27:35 +0200 Subject: [PATCH 2/4] FIX: Patch HF_BOG standalone for new SPIFFS compatibility --- armsrc/Standalone/hf_bog.c | 31 ------------------------------- 1 file changed, 31 deletions(-) diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c index 08e0345c7..eaa69cd47 100644 --- a/armsrc/Standalone/hf_bog.c +++ b/armsrc/Standalone/hf_bog.c 
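Review bot: In the new `if (auth_attempts > 0)` block, `data` comes straight from `BigBuf_malloc(size)` and is passed to `rdv40_spiffs_write` / `rdv40_spiffs_append` without ever being filled, whereas the removed code copied `capturedPwds` into its buffer before writing. As written, the logfile receives whatever that BigBuf region held rather than the captured quadlets. Adding `memcpy(data, capturedPwds, size);` before the `exists_in_spiffs` check (or passing `capturedPwds` directly) restores the old behaviour; the later hunks of PATCH 3/4 and 4/4 that touch these lines leave the gap in place. Whatever status the two spiffs calls return is also discarded, and the `Wrote %u Authentification attempts` message and `SpinErr(0, 200, 5)` now sit outside the block, so the success blink fires even with zero attempts or a failed write, where the old code blinked only when `writelen > 0`. `SniffAndStore` begins well before this hunk, so the declaration and size of `capturedPwds` are not visible here.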
@@ -29,37 +29,6 @@ from the client to view the stored quadlets. #define HF_BOG_LOGFILE "hf_bog.log" -uint8_t FindOffsetInFlash() { - uint8_t mem[4] = {0x00, 0x00, 0x00, 0x00}; - uint8_t eom[4] = {0xFF, 0xFF, 0xFF, 0xFF}; - uint8_t memcnt = 0; - - while (memcnt < 0xFF) { - Flash_ReadData(memcnt, mem, 4); - if (memcmp(mem, eom, 4) == 0) { - return memcnt; - } - memcnt += 4; - } - - return 0; // wrap-around -} - -void EraseMemory() { - if (!FlashInit()) { - return; - } - - Flash_CheckBusy(BUSY_TIMEOUT); - Flash_WriteEnable(); - Flash_Erase4k(0, 0); - - if (DBGLEVEL > 1) - Dbprintf("[!] Erased flash!"); - FlashStop(); - SpinDelay(100); -} - // This is actually copied from SniffIso14443a void RAMFUNC SniffAndStore(uint8_t param) { From e59e0f619443afc5defcd22e7a99eebd462637df Mon Sep 17 00:00:00 2001 From: "Colin J. Brigato" Date: Tue, 23 Jul 2019 23:42:48 +0200 Subject: [PATCH 3/4] Typo --- armsrc/Standalone/hf_bog.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c index eaa69cd47..5a950bddc 100644 --- a/armsrc/Standalone/hf_bog.c +++ b/armsrc/Standalone/hf_bog.c @@ -205,8 +205,7 @@ void RAMFUNC SniffAndStore(uint8_t param) { if (auth_attempts > 0) { if (DBGLEVEL > 1) Dbprintf("[!] Authentication attempts = %u", auth_attempts); - - if + size_t size = 4 * auth_attempts; uint8_t *data = BigBuf_malloc(size); From 6614995256a3e80eb429c1027d8fbad6a3d244c4 Mon Sep 17 00:00:00 2001 From: cjbrigato Date: Wed, 24 Jul 2019 00:20:00 +0200 Subject: [PATCH 4/4] HF_BOG make style --- armsrc/Standalone/hf_bog.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/armsrc/Standalone/hf_bog.c b/armsrc/Standalone/hf_bog.c index eaa69cd47..eaf27008b 100644 --- a/armsrc/Standalone/hf_bog.c +++ b/armsrc/Standalone/hf_bog.c 
@@ -138,7 +138,7 @@ void RAMFUNC SniffAndStore(uint8_t param) { if (triggered) { if ((receivedCmd) && - ((receivedCmd[0] == MIFARE_ULEV1_AUTH) || (receivedCmd[0] == MIFARE_ULC_AUTH_1))) { + ((receivedCmd[0] == MIFARE_ULEV1_AUTH) || (receivedCmd[0] == MIFARE_ULC_AUTH_1))) { if (DBGLEVEL > 1) Dbprintf("PWD-AUTH KEY: 0x%02x%02x%02x%02x", receivedCmd[1], receivedCmd[2], receivedCmd[3], receivedCmd[4]); @@ -207,8 +207,8 @@ void RAMFUNC SniffAndStore(uint8_t param) { Dbprintf("[!] Authentication attempts = %u", auth_attempts); if - size_t size = 4 * auth_attempts; - uint8_t *data = BigBuf_malloc(size); + size_t size = 4 * auth_attempts; + uint8_t *data = BigBuf_malloc(size); if (!exists_in_spiffs((char *)HF_BOG_LOGFILE)) { rdv40_spiffs_write((char *)HF_BOG_LOGFILE, (uint8_t *)data, size, RDV40_SPIFFS_SAFETY_SAFE);
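Review bot: The context of the second hunk (`@@ -207,8 +207,8 @@`) still contains the bare `if` line that PATCH 3/4 deletes, and both patches give `eaa69cd47` as their old blob. This style pass therefore appears to have been generated against the file before the typo fix, and will presumably conflict when applied after 3/4. The text of `size_t size = 4 * auth_attempts;` and `uint8_t *data = BigBuf_malloc(size);` is identical on both sides, so the change is indentation only, which looks like the formatter treating them as the body of that dangling `if`. Rerunning the style pass on top of 3/4 should leave both lines at block level. The enclosing `SniffAndStore` body starts and ends outside the hunk.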