github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 13:53:55 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

lf t55 chk m (works again!). lf t55 config (prints correct pwd if used)

Browse source
This commit is contained in:
iceman1001 2020-08-21 14:10:32 +02:00
commit e3767a3e28
3 changed files with 80 additions and 76 deletions
Download patch file Download diff file Expand all files Collapse all files

84
armsrc/lfops.c
View file

@ -2010,13 +2010,12 @@ void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block,
flags |= (downlink_mode & 3) << 3;
if (brute_mem) flags |= 0x0100;
// T55xxReadBlockExt (flags,block,pwd);
size_t samples = 12000;
// bool brute_mem = (flags & 0x0100) >> 8;
LED_A_ON();
if (brute_mem) samples = 1024;
if (brute_mem) samples = 2048;
//-- Set Read Flag to ensure SendCMD does not add "data" to the packet
//-- flags |= 0x40;
@ -2044,44 +2043,56 @@ void T55xxReadBlock(uint8_t page, bool pwd_mode, bool brute_mem, uint8_t block,
DoPartialAcquisition(0, false, samples, 0);
// Turn the field off
if (!brute_mem) {
if (brute_mem == false) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
reply_ng(CMD_LF_T55XX_READBL, PM3_SUCCESS, NULL, 0);
LED_A_OFF();
}
}
void T55xx_ChkPwds(uint8_t flags) {
DbpString("[+] T55XX Check pwds using flashmemory starting");
#define CHK_SAMPLES_SIGNAL 2048
#ifdef WITH_FLASH
DbpString(_CYAN_("T55XX Check pwds using flashmemory starting"));
#else
DbpString(_CYAN_("T55XX Check pwds starting"));
#endif
// First get baseline and setup LF mode.
// tends to mess up BigBuf
uint8_t *buf = BigBuf_get_addr();
uint8_t ret = 0;
uint8_t downlink_mode = (flags >> 3) & 0x03;
uint32_t b1, baseline = 0;
uint64_t b1, baseline_faulty = 0;
// collect baseline for failed attempt
DbpString("Determine baseline...");
// collect baseline for failed attempt ( should give me block1 )
uint8_t x = 32;
while (x--) {
b1 = 0;
T55xxReadBlock(0, 0, true, 1, 0, downlink_mode);
for (uint16_t j = 0; j < 1024; ++j)
T55xxReadBlock(0, 0, true, 0, 0, downlink_mode);
for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) {
b1 += buf[j];
}
b1 *= b1;
b1 >>= 8;
baseline += b1;
baseline_faulty += b1;
}
baseline >>= 5;
Dbprintf("[=] Baseline determined [%u]", baseline);
baseline_faulty >>= 5;
uint8_t *pwds = BigBuf_get_EM_addr();
uint16_t pwd_count = 0;
uint32_t candidate = 0;
struct p {
bool found;
uint32_t candidate;
} PACKED payload;
payload.found = false;
payload.candidate = 0;
#ifdef WITH_FLASH
BigBuf_Clear_EM();
@ -2107,48 +2118,45 @@ void T55xx_ChkPwds(uint8_t flags) {
if (isok != pwd_size_available)
goto OUT;
Dbprintf("[=] Password dictionary count %d ", pwd_count);
Dbprintf("Password dictionary count " _YELLOW_("%d"), pwd_count);
#endif
uint32_t pwd = 0, curr = 0, prev = 0;
for (uint16_t i = 0; i < pwd_count; ++i) {
uint64_t curr = 0, prev = 0;
int32_t idx = -1;
if (BUTTON_PRESS() && !data_available()) {
goto OUT;
}
for (uint32_t i = 0; i < pwd_count; i++) {
pwd = bytes_to_num(pwds + i * 4, 4);
uint32_t pwd = bytes_to_num(pwds + (i * 4), 4);
T55xxReadBlock(0, true, true, 0, pwd, downlink_mode);
// calc mean of BigBuf 1024 samples.
uint32_t sum = 0;
for (uint16_t j = 0; j < 1024; ++j) {
uint64_t sum = 0;
for (uint16_t j = 0; j < CHK_SAMPLES_SIGNAL; ++j) {
sum += buf[j];
}
sum *= sum;
sum >>= 8;
int32_t tmp = (sum - baseline);
curr = ABS(tmp);
Dbprintf("[=] Pwd %08X | ABS %u", pwd, curr);
int64_t tmp_dist = (baseline_faulty - sum);
curr = ABS(tmp_dist);
if (curr > prev) {
Dbprintf("[=] --> ABS %u Candidate %08X <--", curr, pwd);
candidate = pwd;
idx = i;
prev = curr;
}
}
if (candidate)
ret = 1;
if (idx != -1) {
payload.found = true;
payload.candidate = bytes_to_num(pwds + (idx * 4), 4);
}
OUT:
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
reply_mix(CMD_ACK, ret, candidate, 0, 0, 0);
LEDsoff();
reply_ng(CMD_LF_T55XX_CHK_PWDS, PM3_SUCCESS, (uint8_t*)&payload, sizeof(payload));
BigBuf_free();
}
void T55xxWakeUp(uint32_t pwd, uint8_t flags) {