From 9133a9164f5e743dd2c6c0f3f6e9d91e15689a1f Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 26 Mar 2019 16:18:40 +0100 Subject: [PATCH 1/6] chg: 'lf t55xx chk' - refactored to use loadDictionary --- client/cmdlft55xx.c | 81 ++++++++++----------------------------------- client/cmdlft55xx.h | 5 +-- 2 files changed, 21 insertions(+), 65 deletions(-) diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 659ddea0c..066b2b846 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -1625,17 +1625,14 @@ bool IsCancelled(void) { return false; } +// load a default pwd file. int CmdT55xxChkPwds(const char *Cmd) { - // load a default pwd file. - char line[9]; + char filename[FILE_PATH_SIZE] = {0}; - int keycnt = 0; - uint8_t stKeyBlock = 20; - uint8_t *keyBlock = NULL, *p = NULL; + bool found = false; uint8_t timeout = 0; - - memset(line, 0, sizeof(line)); + uint8_t *keyBlock = NULL; char cmdp = tolower(param_getchar(Cmd, 0)); if (strlen(Cmd) == 0 || cmdp == 'h') return usage_t55xx_chk(); 
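Review bot: The comment `// load a default pwd file.` is moved to sit above `int CmdT55xxChkPwds(const char *Cmd)` and now reads as the function's header, but it describes only the no-file branch; the usage text in this same series calls the command a dictionary attack. A header that matches the whole block would be `// 'lf t55xx chk': dictionary attack on the T55xx password - tries each 4-byte key from a .dic file given with 'i' (otherwise a default list) by re-reading block 0 and checking for a valid modulation`; whether the default list is tried on the device side is inferred from the `resp.arg[0]` branch later in the function and should be confirmed before it is written down. CmdT55xxChkPwds continues well past this hunk.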
@@ -1688,78 +1685,37 @@ int CmdT55xxChkPwds(const char *Cmd) { goto out; } - keyBlock = calloc(stKeyBlock, 4); - if (keyBlock == NULL) return 1; - if (cmdp == 'i') { - + int len = strlen(Cmd + 2); if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; memcpy(filename, Cmd + 2, len); - - FILE *f = fopen(filename, "r"); - if (!f) { - PrintAndLogEx(FAILED, "File: " _YELLOW_("%s") ": not found or locked.", filename); - free(keyBlock); + + uint16_t keycount = 0; + size_t datalen = 0; + + // TODO, a way of reallocating memory if file was larger + keyBlock = calloc(4*200, sizeof(uint8_t)); + if ( keyBlock == NULL ) { + PrintAndLogDevice(WARNING, "error, cannot allocate memory "); return 1; } - - while (fgets(line, sizeof(line), f)) { - if (strlen(line) < 8 || line[7] == '\n') continue; - - //goto next line - while (fgetc(f) != '\n' && !feof(f)) ; - - //The line start with # is comment, skip - if (line[0] == '#') continue; - - if (!isxdigit(line[0])) { - PrintAndLogEx(WARNING, "File content error. '%s' must include 8 HEX symbols", line); - continue; - } - - line[8] = 0; - - // realloc keyblock array size. 
- if (stKeyBlock - keycnt < 2) { - p = realloc(keyBlock, 4 * (stKeyBlock += 10)); - if (!p) { - PrintAndLogEx(WARNING, "Cannot allocate memory for defaultKeys"); - free(keyBlock); - if (f) - fclose(f); - return 2; - } - keyBlock = p; - } - // clear mem - memset(keyBlock + 4 * keycnt, 0, 4); - - num_to_bytes(strtoll(line, NULL, 16), 4, keyBlock + 4 * keycnt); - -// PrintAndLogEx(NORMAL, "chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4 * keycnt, 4) ); - keycnt++; - memset(line, 0, sizeof(line)); - } - - if (f) - fclose(f); - - if (keycnt == 0) { + + int res = loadFileDICTIONARY(filename, "dic", keyBlock, &datalen, 4, &keycount ); + if (res || keycount == 0) { PrintAndLogEx(WARNING, "No keys found in file"); free(keyBlock); return 1; } - PrintAndLogEx(SUCCESS, "Loaded %d keys", keycnt); // loop uint64_t testpwd = 0x00; - for (uint16_t c = 0; c < keycnt; ++c) { + for (uint16_t c = 0; c < keycount; ++c) { if (IsOffline()) { PrintAndLogEx(WARNING, "Device offline\n"); free(keyBlock); - return 2; + return 2; } if (IsCancelled()) { @@ -1780,7 +1736,6 @@ int CmdT55xxChkPwds(const char *Cmd) { return 0; } */ - found = tryDetectModulation(); if (found) break; diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index 3505b3cee..d9539855a 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h @@ -24,7 +24,9 @@ #include "cmdlf.h" #include "util.h" #include "lfdemod.h" -#include "cmdhf14a.h" //for getTagInfo +#include "cmdhf14a.h" // for getTagInfo +#include "loclass/fileutils.h" // loadDictionary + #define T55x7_CONFIGURATION_BLOCK 0x00 #define T55x7_PAGE0 0x00 @@ -162,7 +164,6 @@ extern bool tryDetectP1(bool getData); bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5); int special(const char *Cmd); bool AquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password); -//bool AquireDataEx(uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint32_t timing) ; bool detectPassword(int password); 
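Review bot: `keyBlock = calloc(4*200, sizeof(uint8_t));` is passed to `loadFileDICTIONARY(filename, "dic", keyBlock, &datalen, 4, &keycount)` without any capacity argument, so a .dic file with more than 200 entries overruns the 800-byte buffer unless the loader bounds the write internally, which is not visible here; the TODO names the problem, but an oversized dictionary is a routine input rather than a corner case. Pass the capacity through (or size the buffer from the file first) so the loader can stop at the limit instead of writing past it. The filename copy just above, `int len = strlen(Cmd + 2); if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; memcpy(filename, Cmd + 2, len);`, leaves `filename` without a terminator when the argument is FILE_PATH_SIZE bytes or longer, and the loader then reads past the array; `snprintf(filename, sizeof(filename), "%s", Cmd + 2);` fixes that in one line. CmdT55xxChkPwds starts before this hunk and continues after it.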
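Review bot: The new include comment `// loadDictionary` (and the commit title) names a function that does not appear anywhere in this series; the symbol cmdlft55xx.c now calls is loadFileDICTIONARY, so write `#include "loclass/fileutils.h" // loadFileDICTIONARY` to keep the pointer accurate. A comment that names the wrong symbol is worse than none once someone greps for it.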
From 834832be312b59f3a8b1e842481220d020a46470 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 26 Mar 2019 16:23:19 +0100
Subject: [PATCH 2/6] chg 'lf t55xx brute' - AquireData returns isnoise, but a pwd protected card signa looks like noise.
---
client/cmdlft55xx.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index 066b2b846..96136eac0 100644
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -1791,11 +1791,15 @@ int CmdT55xxBruteForce(const char *Cmd) {
 return 0;
 }
+ AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr);
+
+ /*
 if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr)) {
 PrintAndLogEx(WARNING, "Aquiring data from device failed. Quitting");
 return 0;
 }
-
+ */
+
 found = tryDetectModulation();
 if (curr == end_password)
From 54e8eafa492b3c3a8ba288599f7ce92c8f13d820 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 26 Mar 2019 20:21:10 +0100
Subject: [PATCH 3/6] fix: 'lf t55xx chk' fix: 'lf t55xx brute' fix: 'lf t55xx recoverpwd' - now works like they should again.
---
client/cmdlft55xx.c | 119 +++++++++++++++++++++-----------------------
client/cmdlft55xx.h | 2 +-
2 files changed, 59 insertions(+), 62 deletions(-)
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index 96136eac0..4f187367a 100644
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -143,7 +143,9 @@ int usage_t55xx_wakup() {
 }
 int usage_t55xx_chk() {
 PrintAndLogEx(NORMAL, "This command uses a dictionary attack");
- PrintAndLogEx(NORMAL, "press 'enter' to cancel the command");
+ PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command");
+ PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!");
+ PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");
 PrintAndLogEx(NORMAL, "Usage: lf t55xx chk [h] [i <*.dic>]");
 PrintAndLogEx(NORMAL, "Options:");
 PrintAndLogEx(NORMAL, " h - this help");
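Review bot: Commenting out the check on `AquireData(...)` discards its return value entirely, so a command time-out or an offline device is now indistinguishable from the noise a password-protected tag returns on a wrong password, and the loop keeps stepping passwords against a device that is not answering. If the return really is just `!isnoise`, as the commit message suggests, say so at the call site and delete the old block instead of fencing it in `/* */`: `(void)AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr); // false only means 'looks like noise', which a pwd-protected tag gives for a wrong password`. Commented-out code tends to outlive the reason it was kept, as the next patch in this series shows by rewriting this loop again. The loop belongs to CmdT55xxBruteForce, whose body starts and ends outside this hunk.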
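Review bot: The new help line `PrintAndLogEx(NORMAL, "Try to reading block 7 before\n");` is ungrammatical and gives the user no reason to follow it; presumably the point is that if block 7 (the password block) reads without a password the tag is not protected, which is what the commented-out `T55xxReadBlock(7, ...)` probe later in the file appears to check. Say that outright: `PrintAndLogEx(NORMAL, "Try reading block 7 first: if it reads without a password, the tag is not protected and this command may brick it\n");`. The same three lines are pasted into the two other usage functions in this patch, so whatever wording is chosen has to change in all three.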
@@ -158,7 +160,9 @@ int usage_t55xx_chk() { } int usage_t55xx_bruteforce() { PrintAndLogEx(NORMAL, "This command uses bruteforce to scan a number range"); - PrintAndLogEx(NORMAL, "press 'enter' to cancel the command"); + PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command"); + PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!"); + PrintAndLogEx(NORMAL, "Try to reading block 7 before\n"); PrintAndLogEx(NORMAL, "Usage: lf t55xx bruteforce [h] "); PrintAndLogEx(NORMAL, " password must be 4 bytes (8 hex symbols)"); PrintAndLogEx(NORMAL, "Options:"); @@ -167,14 +171,15 @@ int usage_t55xx_bruteforce() { PrintAndLogEx(NORMAL, " - 4 byte hex value to end pwd search at"); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " lf t55xx bruteforce aaaaaaaa bbbbbbbb"); + PrintAndLogEx(NORMAL, " lf t55xx bruteforce aaaaaa77 aaaaaa99"); PrintAndLogEx(NORMAL, ""); return 0; } int usage_t55xx_recoverpw() { PrintAndLogEx(NORMAL, "This command uses a few tricks to try to recover mangled password"); - PrintAndLogEx(NORMAL, "press 'enter' to cancel the command"); + PrintAndLogEx(NORMAL, "press " _YELLOW_("'enter'") " to cancel the command"); PrintAndLogEx(NORMAL, "WARNING: this may brick non-password protected chips!"); + PrintAndLogEx(NORMAL, "Try to reading block 7 before\n"); PrintAndLogEx(NORMAL, "Usage: lf t55xx recoverpw [password]"); PrintAndLogEx(NORMAL, " password must be 4 bytes (8 hex symbols)"); PrintAndLogEx(NORMAL, " default password is 51243648, used by many cloners"); 
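Review bot: The cancel/brick/block-7 preamble is now duplicated verbatim across usage_t55xx_chk, usage_t55xx_bruteforce and usage_t55xx_recoverpw (this hunk adds it to the third), so the typo `Try to reading block 7 before` is replicated three times and any later rewording has to be made three times. Factor it into a small helper, `static void usage_t55xx_pwd_warning(void)`, and call it from each usage function. The shrunk example `lf t55xx bruteforce aaaaaa77 aaaaaa99` is a good change: a range of a few dozen passwords finishes in seconds, where the old `aaaaaaaa bbbbbbbb` spanned about 286 million.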
@@ -1629,16 +1634,16 @@ bool IsCancelled(void) { int CmdT55xxChkPwds(const char *Cmd) { char filename[FILE_PATH_SIZE] = {0}; - bool found = false; uint8_t timeout = 0; uint8_t *keyBlock = NULL; - + char cmdp = tolower(param_getchar(Cmd, 0)); if (strlen(Cmd) == 0 || cmdp == 'h') return usage_t55xx_chk(); /* - if ( T55xxReadBlock(7, 0, 0, 0, 0) ) { + // block 7, page1 = false, usepwd = false, override = false, pwd = 00000000 + if ( T55xxReadBlock(7, false, false, false, 0x00000000) ) { // now try to validate it.. PrintAndLogEx(WARNING, "\n Block 7 was readable"); @@ -1665,21 +1670,18 @@ int CmdT55xxChkPwds(const char *Cmd) { } if (resp.arg[0]) { - PrintAndLogEx(SUCCESS, "\nFound a candidate [ %08X ]. Trying to validate", resp.arg[1]); + PrintAndLogEx(SUCCESS, "\nFound a candidate [ " _YELLOW_("%08X") " ]. Trying to validate", resp.arg[1]); - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.arg[1])) { - PrintAndLogEx(INFO, "Aquireing data from device failed. Quitting"); - return 2; - } + AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, resp.arg[1]); found = tryDetectModulation(); if (found) { - PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", resp.arg[1]); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08") " ]", resp.arg[1]); } else { - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Check pwd failed"); } } else { - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Check pwd failed"); } goto out; @@ -1709,7 +1711,7 @@ int CmdT55xxChkPwds(const char *Cmd) { } // loop - uint64_t testpwd = 0x00; + uint64_t curr_password = 0x00; for (uint16_t c = 0; c < keycount; ++c) { if (IsOffline()) { 
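Review bot: `PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08") " ]", resp.arg[1]);` lost its conversion character: `%08` followed by a space is not a valid printf conversion, so the call is undefined behaviour and the recovered password is never printed. It should read `_GREEN_("%08X")` like the other 'Found valid password' messages in this patch. If `resp.arg` is the 64-bit array of UsbCommand (not visible here), both this line and the `Found a candidate` line above pass a uint64_t to `%08X`; cast to `(uint32_t)` or use `PRIX64`. Deleting the AquireData check also means a command time-out now falls straight into tryDetectModulation on whatever was last captured, which is fine only if that is intended. CmdT55xxChkPwds continues outside this hunk.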
@@ -1723,38 +1725,33 @@ int CmdT55xxChkPwds(const char *Cmd) { return 0; } - testpwd = bytes_to_num(keyBlock + 4 * c, 4); + curr_password = bytes_to_num(keyBlock + 4 * c, 4); - PrintAndLogEx(INFO, "Testing %08X", testpwd); - - AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd); + PrintAndLogEx(INFO, "Testing %08X", curr_password); - /* - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd)) { - PrintAndLogEx(INFO, "Aquireing data from device failed. Quitting"); - free(keyBlock); - return 0; + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr_password)) { + continue; } -*/ + found = tryDetectModulation(); if (found) break; - } if (found) - PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", testpwd); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password); else - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Check pwd failed"); } free(keyBlock); out: t1 = msclock() - t1; - PrintAndLogEx(SUCCESS, "\nTime in bruteforce: %.0f seconds\n", (float)t1 / 1000.0); + PrintAndLogEx(SUCCESS, "\nTime in check pwd: %.0f seconds\n", (float)t1 / 1000.0); return 0; } +// Bruteforce - incremental password range search int CmdT55xxBruteForce(const char *Cmd) { uint32_t start_password = 0x00000000; //start password @@ -1762,15 +1759,11 @@ int CmdT55xxBruteForce(const char *Cmd) { uint32_t curr = 0; bool found = false; - char cmdp = tolower(param_getchar(Cmd, 0)); if (cmdp == 'h') return usage_t55xx_bruteforce(); uint64_t t1 = msclock(); - // Try to read Block 7, first :) - - // incremental pwd range search start_password = param_get32ex(Cmd, 0, 0, 16); end_password = param_get32ex(Cmd, 1, 0, 16); @@ -1783,7 +1776,7 @@ int CmdT55xxBruteForce(const char *Cmd) { PrintAndLogEx(INFO, "Search password range [%08X -> %08X]", start_password, end_password); while (!found) { - + printf("."); fflush(stdout); 
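Review bot: `curr_password` is a uint64_t (declared in the previous hunk) but is printed with `%08X` on both the `Testing` and the `Found valid password` lines, a width mismatch that is undefined behaviour and shows up as wrong digits on ABIs that pass 64-bit varargs differently; `-Wformat` flags it. `bytes_to_num(keyBlock + 4 * c, 4)` never yields more than 32 bits, so declare it `uint32_t curr_password = 0;`, which also matches the uint32_t that CmdT55xxBruteForce uses for the same value. The new `if (!AquireData(...)) { continue; }` silently skips a key on a failed read; a debug line there, `PrintAndLogEx(DEBUG, "no signal for %08X, skipping", curr_password);`, would make a dead reader distinguishable from a run of wrong passwords in the log. The function begins before this hunk.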
@@ -1791,28 +1784,20 @@ int CmdT55xxBruteForce(const char *Cmd) { return 0; } - AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr); - - /* - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr)) { - PrintAndLogEx(WARNING, "Aquiring data from device failed. Quitting"); - return 0; - } - */ - - found = tryDetectModulation(); + found = tryOnePassword(curr); if (curr == end_password) break; + curr++; } PrintAndLogEx(NORMAL, ""); if (found) - PrintAndLogEx(SUCCESS, "Found valid password: [ %08X ]", curr); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr); else - PrintAndLogEx(WARNING, "Password NOT found. Last tried: [ %08X ]", --curr); + PrintAndLogEx(WARNING, "Bruteforce failed, last tried: [ " _YELLOW_("%08X") " ]", --curr); t1 = msclock() - t1; PrintAndLogEx(SUCCESS, "\nTime in bruteforce: %.0f seconds\n", (float)t1 / 1000.0); @@ -1820,12 +1805,13 @@ int CmdT55xxBruteForce(const char *Cmd) { } int tryOnePassword(uint32_t password) { - PrintAndLogEx(INFO, "Trying password %08x", password); - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password)) { - PrintAndLogEx(NORMAL, "Acquire data from device failed. Quitting"); - return -1; - } + PrintAndLogEx(INFO, "Trying password %08X", password); + + AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password); + if (getSignalProperties()->isnoise == false) + return 0; + if (tryDetectModulation()) return 1; else @@ -1848,10 +1834,13 @@ int CmdT55xxRecoverPW(const char *Cmd) { while (bit < 32) { curr_password = orig_password ^ (1u << bit); found = tryOnePassword(curr_password); - if (found == -1) return 0; + if ( found == 1) + goto out; + bit++; - if (IsCancelled()) return 0; + if (IsCancelled()) + return 0; } // now try to use partial original password, since block 7 should have been completely 
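Review bot: `"Bruteforce failed, last tried: [ %08X ]", --curr` under-reports by one: the loop now breaks on `curr == end_password` before the new `curr++`, so on exhaustion `curr` already holds the last password tried and the decrement prints `end_password - 1`. Drop the decrement: `PrintAndLogEx(WARNING, "Bruteforce failed, last tried: [ " _YELLOW_("%08X") " ]", curr);`. `found = tryOnePassword(curr);` stores an int in a bool; it works for the 0/1 the function returns now, but `found = (tryOnePassword(curr) == 1);` makes the contract explicit and matches how CmdT55xxRecoverPW tests it. The loop head and the initial assignment of `curr` are outside this hunk.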
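Review bot: `if (getSignalProperties()->isnoise == false) return 0;` looks inverted: it gives up exactly when the capture is not noise, i.e. when the tag answered, and runs tryDetectModulation only on a noisy capture. The chk loop in this same patch does the opposite (`if (!AquireData(...)) continue;` skips detection when the read failed), and the commit message says a protected tag's reply to a wrong password looks like noise, so noise is the case to reject. Assuming isnoise is true for a low-amplitude capture, the guard should be `if (getSignalProperties()->isnoise) return 0;`. AquireData's return value is also discarded here, so a command time-out now counts as a wrong password rather than aborting the search as the removed `return -1` used to.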
@@ -1868,12 +1857,16 @@ int CmdT55xxRecoverPW(const char *Cmd) { bit++; continue; } + found = tryOnePassword(curr_password); - if (found == -1) return 0; + if ( found == 1 ) + goto out; + bit++; prev_password = curr_password; - if (IsCancelled()) return 0; + if (IsCancelled()) + return 0; } // from high bit to low @@ -1888,20 +1881,24 @@ int CmdT55xxRecoverPW(const char *Cmd) { continue; } found = tryOnePassword(curr_password); - if (found == -1) - return 0; + if ( found == 1 ) + goto out; + bit++; prev_password = curr_password; - if (IsCancelled()) return 0; + if (IsCancelled()) + return 0; } +out: + PrintAndLogEx(NORMAL, ""); if (found == 1) - PrintAndLogEx(SUCCESS, "Found valid password: [%08x]", curr_password); + PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password); else - PrintAndLogEx(WARNING, "Password NOT found."); + PrintAndLogEx(WARNING, "Recover pwd failed"); return 0; } diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index d9539855a..1c1d77490 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h @@ -165,7 +165,7 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5) int special(const char *Cmd); bool AquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password); -bool detectPassword(int password); +int tryOnePassword(uint32_t password); void printT55x7Trace(t55x7_tracedata_t data, uint8_t repeat); void printT5555Trace(t5555_tracedata_t data, uint8_t repeat); From 34f4ee490285cc72b253313f073a7a6cafc54602 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 26 Mar 2019 20:22:12 +0100 Subject: [PATCH 4/6] whitespace --- client/loclass/fileutils.c | 1 - 1 file changed, 1 deletion(-) diff --git a/client/loclass/fileutils.c b/client/loclass/fileutils.c index 0c345ca14..4ac77633a 100644 --- a/client/loclass/fileutils.c +++ b/client/loclass/fileutils.c 
@@ -539,7 +539,6 @@ int loadFileDICTIONARY(const char *preferredName, const char *suffix, void *data if (strlen(line) < keylen) continue; - // The line start with # is comment, skip if (line[0] == '#') continue; From fb665ea7e38a1896cfbc8fab0d4d0c5a8086f247 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 26 Mar 2019 20:22:39 +0100 Subject: [PATCH 5/6] chg: textual --- client/cmddata.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/client/cmddata.c b/client/cmddata.c index 9462fc510..146d30ba7 100644 --- a/client/cmddata.c +++ b/client/cmddata.c @@ -1317,7 +1317,10 @@ int CmdRawDemod(const char *Cmd) { void setClockGrid(int clk, int offset) { g_DemodStartIdx = offset; g_DemodClock = clk; - PrintAndLogEx(DEBUG, "DEBUG: (setClockGrid) demodoffset %d, clk %d", offset, clk); + if ( clk == 0 && offset == 0) + PrintAndLogEx(DEBUG, "DEBUG: (setClockGrid) clear settings"); + else + PrintAndLogEx(DEBUG, "DEBUG: (setClockGrid) demodoffset %d, clk %d", offset, clk); if (offset > clk) offset %= clk; if (offset < 0) offset += clk; From 069e73d025808681892f1590d0938f017d9601d5 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 26 Mar 2019 21:13:57 +0100 Subject: [PATCH 6/6] preparing for more descramble patterns. --- client/cmdlfindala.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/client/cmdlfindala.c b/client/cmdlfindala.c index aabb0f0e3..64857d702 100644 --- a/client/cmdlfindala.c +++ b/client/cmdlfindala.c 
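Review bot: The new branch treats `clk == 0 && offset == 0` as 'clear settings', but `clk == 0` with a positive offset takes the else branch and then hits `if (offset > clk) offset %= clk;` two lines later, which is a division by zero. Guard the modulo, `if (clk != 0 && offset > clk) offset %= clk;`, or return right after the debug print whenever `clk == 0` (the globals have already been written at that point). `if ( clk == 0 && offset == 0)` also carries a stray space after the parenthesis that the rest of the file does not use. setClockGrid continues past the end of this hunk.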
@@ -238,10 +238,24 @@ int CmdIndalaDemod(const char *Cmd) { p1 |= DemodBuffer[32+21] << 2; p1 |= DemodBuffer[32+22] << 0; p1 |= DemodBuffer[32+24] << 9; - + +/* + uint16_t fc = 0; + fc |= DemodBuffer[32+ 1] << 0; + fc |= DemodBuffer[32+ 2] << 1; + fc |= DemodBuffer[32+ 4] << 2; + fc |= DemodBuffer[32+ 5] << 3; + fc |= DemodBuffer[32+ 7] << 4; + fc |= DemodBuffer[32+10] << 5; + fc |= DemodBuffer[32+14] << 6; + fc |= DemodBuffer[32+15] << 7; + fc |= DemodBuffer[32+17] << 8; +*/ + PrintAndLogEx(NORMAL, ""); PrintAndLogEx(SUCCESS, "Possible de-scramble patterns"); PrintAndLogEx(SUCCESS, "\tPrinted | __%04d__ [0x%X]", p1, p1); + //PrintAndLogEx(SUCCESS, "\tPrinted | __%04d__ [0x%X]", fc, fc); PrintAndLogEx(SUCCESS, "\tInternal ID | %" PRIu64 , foo);