Merge pull request #975 from mwalker33/white-cloner-pwd

White cloner pwd
2025-08-20 21:33:47 -07:00 · 2020-09-26 11:24:36 +02:00 · 2020-09-26 11:24:36 +02:00 · ef94ce3b25
commit ef94ce3b25
parent b4728157fb ff21ca77f9
2 changed files with 40 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...

 ## [unreleased][unreleased]
+ - Add lf t55xx chk e <EM4100> option.  Checks calculated password based on the EM4100 id from some white cloners forumla by paleopterix (@mwalker33)
 - Add lf t55xx sniff to allow extracting commands and passwords used be cloners. (@mwalker33)
 - Add options to `lf read`, `lf cmdread`, `lf sniff` for repeated acquisitions (@doegox)
 - Change options of `lf read` to match `lf cmdread`, this affects historical `d` and `s` options (@doegox)
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@ -29,6 +29,7 @@
 #include "fileutils.h"  // loadDictionary
 #include "util_posix.h"
 #include "cmdlf.h"      // for lf sniff
+#include "generator.h"

 // Some defines for readability
 #define T55XX_DLMODE_FIXED         0 // Default Mode
@ -254,16 +255,18 @@ static int usage_t55xx_chk(void) {
    PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
    PrintAndLogEx(NORMAL,  _RED_("WARNING:") " this may brick non-password protected chips!");
    PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
-    PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r <mode>] [f <*.dic>]");
+    PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r <mode>] [f <*.dic>] [e <em4100 id>]");
    PrintAndLogEx(NORMAL, "Options:");
    PrintAndLogEx(NORMAL, "     h            - this help");
    PrintAndLogEx(NORMAL, "     m            - use dictionary from flashmemory\n");
    print_usage_t55xx_downloadlink(T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
    PrintAndLogEx(NORMAL, "     f <*.dic>    - loads a default keys dictionary file <*.dic>");
+    PrintAndLogEx(NORMAL, "     e <EM4100>   - will try the calculated password from some cloners based on EM4100 ID");
    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(NORMAL, "Examples:");
    PrintAndLogEx(NORMAL, _YELLOW_("       lf t55xx chk m"));
    PrintAndLogEx(NORMAL, _YELLOW_("       lf t55xx chk f t55xx_default_pwds"));
+    PrintAndLogEx(NORMAL, _YELLOW_("       lf t55xx chk e aa11223344"));
    PrintAndLogEx(NORMAL, "");
    return PM3_SUCCESS;
 }
@ -3003,6 +3006,9 @@ static int CmdT55xxChkPwds(const char *Cmd) {
    int dl_mode; // to try each downlink mode for each password
    uint8_t cmdp = 0;
    bool errors = false;
+    bool useCardPassword = false;
+    uint32_t cardPassword = 0x00;
+    uint64_t cardID = 0x00;

    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
        switch (tolower(param_getchar(Cmd, cmdp))) {
@ -3028,6 +3034,14 @@ static int CmdT55xxChkPwds(const char *Cmd) {
                use_pwd_file = true;
                cmdp += 2;
                break;
+            case 'e':
+                // White cloner password based on EM4100 ID
+                useCardPassword = true;
+                cardID = param_get64ex(Cmd,cmdp + 1,0,16);
+                uint32_t card32Bit = cardID & 0xFFFFFFFF;
+                cardPassword = lf_t55xx_white_pwdgen (card32Bit);
+                cmdp += 2;
+                break;
            default:
                PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
                errors = true;
@ -3090,7 +3104,28 @@ static int CmdT55xxChkPwds(const char *Cmd) {
        goto out;
    }

-    if (use_pwd_file) {
+    // try calculated password
+    if (useCardPassword) {
+
+        PrintAndLogEx(INFO, "Testing %08"PRIX32" generated ", cardPassword);
+        for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) {
+
+            if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, cardPassword, dl_mode)) {
+                continue;
+            }
+
+            found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, cardPassword);
+            if (found) {
+                PrintAndLogEx(SUCCESS, "Found valid password : [ " _GREEN_("%08"PRIX32) " ]", cardPassword);
+                dl_mode = 4; // Exit other downlink mode checks
+            }
+
+            if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
+                dl_mode = 4;
+        }
+    }
+
+    if ((!found) && (use_pwd_file)) {
        uint32_t keycount = 0;

        int res = loadFileDICTIONARY_safe(filename, (void **) &keyBlock, 4, &keycount);
@ -3135,9 +3170,10 @@ static int CmdT55xxChkPwds(const char *Cmd) {
                    dl_mode = 4;
            }
        }
-        if (!found) PrintAndLogEx(WARNING, "Check pwd failed");
    }

+    if (!found) PrintAndLogEx(WARNING, "Check pwd failed");
+
    free(keyBlock);

 out: