From 131b58784601ee1ce10281837d3d954670d514aa Mon Sep 17 00:00:00 2001 From: mwalker33 Date: Sat, 26 Sep 2020 13:19:35 +1000 Subject: [PATCH 1/3] White Cloner Password Based on the findings of paleopterix --- CHANGELOG.md | 1 + client/src/cmdlft55xx.c | 36 +++++++++++++++++++++++++++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b07ce95dc..bb7fbe7b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Add lf t55xx chk e option. Checks calculated password based on the EM4100 id from some white cloners forumla by paleopterix (@mwalker33) - Add lf t55xx sniff to allow extracting commands and passwords used be cloners. (@mwalker33) - Add options to `lf read`, `lf cmdread`, `lf sniff` for repeated acquisitions (@doegox) - Change options of `lf read` to match `lf cmdread`, this affects historical `d` and `s` options (@doegox) diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c index 92c78dfa6..1c415dca7 100644 --- a/client/src/cmdlft55xx.c +++ b/client/src/cmdlft55xx.c 
@@ -254,16 +254,18 @@ static int usage_t55xx_chk(void) {
 PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
 PrintAndLogEx(NORMAL, _RED_("WARNING:") " this may brick non-password protected chips!");
 PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
- PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r ] [f <*.dic>]");
+ PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [m] [r ] [f <*.dic>] [e ]");
 PrintAndLogEx(NORMAL, "Options:");
 PrintAndLogEx(NORMAL, " h - this help");
 PrintAndLogEx(NORMAL, " m - use dictionary from flashmemory\n");
 print_usage_t55xx_downloadlink(T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
 PrintAndLogEx(NORMAL, " f <*.dic> - loads a default keys dictionary file <*.dic>");
+ PrintAndLogEx(NORMAL, " e - will try the calculated password from some cloners based on EM4100 ID");
 PrintAndLogEx(NORMAL, "");
 PrintAndLogEx(NORMAL, "Examples:");
 PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk m"));
 PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk f t55xx_default_pwds"));
+ PrintAndLogEx(NORMAL, _YELLOW_(" lf t55xx chk e aa11223344"));
 PrintAndLogEx(NORMAL, "");
 return PM3_SUCCESS;
 }
@@ -3003,6 +3005,8 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 int dl_mode; // to try each downlink mode for each password
 uint8_t cmdp = 0;
 bool errors = false;
+ bool useCardPassword = false;
+ uint32_t cardPassword = 0x00000000;
 while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 switch (tolower(param_getchar(Cmd, cmdp))) {
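Review bot: The new `e` help line tells the user a password is derived from the EM4100 ID but not what to pass: the example `aa11223344` shows a hex value, the Usage line's placeholder appears empty (`[e ]`, probably a lost `<id>`), and nothing says that only part of the 40-bit ID feeds the formula (the `e` branch masks it with `0xFFFFFFFF` further down in this series). Since this command also carries the "may brick non-password protected chips" warning, the user should know exactly what is sent before running it. I would make the option line self-explanatory, e.g. `PrintAndLogEx(NORMAL, " e <id> - try the password some cloners derive from the EM4100 ID (hex, only the low 32 bits are used)");`, and restore the placeholder in the Usage string. usage_t55xx_chk starts outside this hunk.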
@@ -3028,6 +3032,15 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 use_pwd_file = true;
 cmdp += 2;
 break;
+ case 'e':
+ // White cloner password based on EM4100 ID
+ useCardPassword = true;
+ uint64_t EMID = param_get64ex(Cmd,cmdp + 1,0,16); // Get 5 byte EM4100 ID
+ uint32_t ID = EMID & 0xFFFFFFFF; // White Cloner only using low 32 bits
+ // Final formula found by paleopterix (proxmark forum)
+ cardPassword = 0x00010303 + ((ID & 0x86ee00ec) ^ ((ID & 0x000000ec) << 8) ^ ((ID & 0x86000000) >> 16));
+ cmdp+=2;
+ break;
 default:
 PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
 errors = true;
@@ -3090,6 +3103,27 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 goto out;
 }
+ // try calculated password
+ if (useCardPassword) {
+
+ PrintAndLogEx(INFO, "Testing %08"PRIX32, cardPassword);
+ for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) {
+
+ if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, cardPassword, dl_mode)) {
+ continue;
+ }
+ found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, cardPassword);
+ if (found) {
+ PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX32) " ]", cardPassword);
+ dl_mode = 4; // Exit other downlink mode checks
+ }
+
+ if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
+ dl_mode = 4;
+ }
+ }
+
 if (use_pwd_file) {
 uint32_t keycount = 0;
From e05a10f3e550ae45e9c1abcdf4bc5b45e312a8d8 Mon Sep 17 00:00:00 2001 From: mwalker33 Date: Sat, 26 Sep 2020 17:31:46 +1000 Subject: [PATCH 2/3] Update cmdlft55xx.c Use generator function
---
 client/src/cmdlft55xx.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index 1c415dca7..0ec4ab58f 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
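Review bot: The `e` branch reads its argument with `param_get64ex(Cmd, cmdp + 1, 0, 16)` and never checks that one was given, so `lf t55xx chk e` with a missing or non-hex ID presumably falls back to the default 0, evaluates the visible formula to `0x00010303`, and goes on to transmit that password to the tag, under a command whose help warns it may brick non-password-protected chips. The `default:` branch right below already sets `errors = true` for bad input; I would do the same here before anything is sent: `if (param_getchar(Cmd, cmdp + 1) == 0x00) { PrintAndLogEx(WARNING, "Missing EM4100 ID for option 'e'"); errors = true; break; }`. Separately, `uint64_t EMID` and `uint32_t ID` are declared directly under the `case` label without braces, which leaks them into the whole switch scope; wrapping the case body in `{ }` keeps them local. CmdT55xxChkPwds begins and ends outside this hunk.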
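Review bot: In the new downlink loop, a failed `AcquireData()` hits `continue` before the `if (!try_all_dl_modes) dl_mode = 4;` exit at the bottom, so when the user pinned a single downlink mode the loop still advances to the remaining modes and repeats the password read (the `true` argument appears to select password mode) under each of them — more over-the-air attempts than asked for on a tag the command's own help says may be bricked by this. I would honour the setting on both paths by changing the guard to `if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, cardPassword, dl_mode)) { if (!try_all_dl_modes) break; continue; }`. While here, the two `dl_mode = 4;` assignments used as loop exits would read more clearly as `break;`. CmdT55xxChkPwds begins and ends outside this hunk.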
@@ -29,6 +29,7 @@
 #include "fileutils.h" // loadDictionary
 #include "util_posix.h"
 #include "cmdlf.h" // for lf sniff
+#include "generator.h"
 // Some defines for readability
 #define T55XX_DLMODE_FIXED 0 // Default Mode
@@ -3035,11 +3036,8 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 case 'e':
 // White cloner password based on EM4100 ID
 useCardPassword = true;
- uint64_t EMID = param_get64ex(Cmd,cmdp + 1,0,16); // Get 5 byte EM4100 ID
- uint32_t ID = EMID & 0xFFFFFFFF; // White Cloner only using low 32 bits
- // Final formula found by paleopterix (proxmark forum)
- cardPassword = 0x00010303 + ((ID & 0x86ee00ec) ^ ((ID & 0x000000ec) << 8) ^ ((ID & 0x86000000) >> 16));
- cmdp+=2;
+ cardPassword = lf_t55xx_white_pwdgen (param_get64ex(Cmd,cmdp + 1,0,16) & 0xFFFFFFFF);
+ cmdp += 2;
 break;
 default:
 PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
From ff21ca77f9714aaeddcf840d7fa9784ac7ad9e0c Mon Sep 17 00:00:00 2001 From: mwalker33 Date: Sat, 26 Sep 2020 18:22:18 +1000 Subject: [PATCH 3/3] Update cmdlft55xx.c Clean up output
---
 client/src/cmdlft55xx.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/client/src/cmdlft55xx.c b/client/src/cmdlft55xx.c
index 0ec4ab58f..8d6c3b8e3 100644
--- a/client/src/cmdlft55xx.c
+++ b/client/src/cmdlft55xx.c
@@ -3007,7 +3007,8 @@ static int CmdT55xxChkPwds(const char *Cmd) {
 uint8_t cmdp = 0;
 bool errors = false;
 bool useCardPassword = false;
- uint32_t cardPassword = 0x00000000;
+ uint32_t cardPassword = 0x00;
+ uint64_t cardID = 0x00;
 while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
 switch (tolower(param_getchar(Cmd, cmdp))) {
@@ -3036,7 +3037,9 @@ static int CmdT55xxChkPwds(const char *Cmd) { case 'e': // White cloner password based on EM4100 ID useCardPassword = true; - cardPassword = lf_t55xx_white_pwdgen (param_get64ex(Cmd,cmdp + 1,0,16) & 0xFFFFFFFF); + cardID = param_get64ex(Cmd,cmdp + 1,0,16); + uint32_t card32Bit = cardID & 0xFFFFFFFF; + cardPassword = lf_t55xx_white_pwdgen (card32Bit); cmdp += 2; break; default: @@ -3104,7 +3107,7 @@ static int CmdT55xxChkPwds(const char *Cmd) { // try calculated password if (useCardPassword) { - PrintAndLogEx(INFO, "Testing %08"PRIX32, cardPassword); + PrintAndLogEx(INFO, "Testing %08"PRIX32" generated ", cardPassword); for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) { if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, cardPassword, dl_mode)) { @@ -3113,7 +3116,7 @@ static int CmdT55xxChkPwds(const char *Cmd) { found = tryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, cardPassword); if (found) { - PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08"PRIX32) " ]", cardPassword); + PrintAndLogEx(SUCCESS, "Found valid password : [ " _GREEN_("%08"PRIX32) " ]", cardPassword); dl_mode = 4; // Exit other downlink mode checks } @@ -3122,7 +3125,7 @@ static int CmdT55xxChkPwds(const char *Cmd) { } } - if (use_pwd_file) { + if ((!found) && (use_pwd_file)) { uint32_t keycount = 0; int res = loadFileDICTIONARY_safe(filename, (void **) &keyBlock, 4, &keycount); @@ -3167,9 +3170,10 @@ static int CmdT55xxChkPwds(const char *Cmd) { dl_mode = 4; } } - if (!found) PrintAndLogEx(WARNING, "Check pwd failed"); } + if (!found) PrintAndLogEx(WARNING, "Check pwd failed"); + free(keyBlock); out:
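Review bot: The re-split into `cardID` and `card32Bit` loses the comment the first patch had ("White Cloner only using low 32 bits"), so `cardID & 0xFFFFFFFF` now reads as an arbitrary mask and nothing tells the reader that the top byte of a 5-byte EM4100 ID is deliberately discarded before `lf_t55xx_white_pwdgen`; `cardID` was also widened to function scope even though only this case uses it. I would annotate the truncation in place, `uint32_t card32Bit = cardID & 0xFFFFFFFF; // cloner formula uses only the low 32 bits of the 40-bit EM4100 ID`, and keep `cardID` local by bracing the case body. The same missing-argument gap as before remains: nothing checks that an ID was supplied after `e`. CmdT55xxChkPwds begins and ends outside this hunk.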
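Review bot: The reworded INFO string `"Testing %08"PRIX32" generated "` ends in a trailing space and prints awkwardly ("Testing 00010303 generated "), so the point of the message — that this is the password computed from the ID rather than a dictionary entry — is easy to miss in the output. `PrintAndLogEx(INFO, "Testing generated password %08"PRIX32, cardPassword);` says it directly. The enclosing loop continues outside this hunk.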