icemans lf fixes & adjustments + lf t55xx bruteforce

Fix small fskdemod clock bug
2025-08-14 02:26:59 -07:00 · 2015-12-02 17:27:12 -05:00 · 2015-12-02 17:27:12 -05:00 · 506672c48b
commit 506672c48b
parent fe876493f8
6 changed files with 207 additions and 41 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 ## [unreleased][unreleased]

 ### Added
+- `lf t55xx bruteforce <start password> <end password> [i <*.dic>]` - Simple bruteforce attack to find password - (iceman and others)
+- `lf viking clone`- clone viking tag to t55x7 or Q5 from 4byte hex ID input 
+- `lf viking sim`  - sim full viking tag from 4byte hex ID input
+- `lf viking read` - read viking tag and output ID
+- `lf t55xx wipe`  - sets t55xx back to factory defaults
 - Added viking demod to `lf search` (marshmellow)
 - `data askvikingdemod` demod viking id tag from graphbuffer (marshmellow)
 - `lf t55xx resetread` added reset then read command - should allow determining start
@ -26,6 +31,11 @@ of stream transmissions (marshmellow)
 - Added option c to 'hf list' (mark CRC bytes) (piwi)

 ### Changed
+- Adjusted lf awid clone to optionally clone to Q5 tags
+- Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7
+- Adjusted all lf NRZ demods - works more acurately and consistantly (as long as you have strong signal)
+- Adjusted lf pskindalademod to reduce false positive reads.
+- Small adjustments to psk, nrz, and ask clock detect routines - more reliable.
 - Adjusted lf em410x em410xsim to accept a clock argument
 - Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow)
 - Adjusted lf t55xx write input variables (marshmellow)
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@ -17,7 +17,7 @@
 #include "lfdemod.h"
 #include "lfsampling.h"
 #include "protocols.h"
-#include "usb_cdc.h" //test
+#include "usb_cdc.h" // for usb_poll_validate_length

 /**
 * Function to do a modulation and then get samples.
--- a/armsrc/lfsampling.c
+++ b/armsrc/lfsampling.c
@ -10,7 +10,7 @@
 #include "apps.h"
 #include "util.h"
 #include "string.h"
-
+#include "usb_cdc.h" // for usb_poll_validate_length
 #include "lfsampling.h"

 sample_config config = { 1, 8, 1, 95, 0 } ;
@ -272,7 +272,7 @@ void doT55x7Acquisition(size_t sample_size) {
 	uint8_t curSample = 0;
 	uint8_t lastSample = 0;
 	uint16_t skipCnt = 0;
-	while(!BUTTON_PRESS() && skipCnt<1000) {
+	while(!BUTTON_PRESS() && !usb_poll_validate_length() && skipCnt<1000 && i<bufsize ) {
 		WDT_HIT();
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
@ -311,7 +311,6 @@ void doT55x7Acquisition(size_t sample_size) {
 				}
 				// collect samples
 				dest[i++] = curSample;
-				if (i >= bufsize-1) break;
 			}
 		}
 	}
--- a/client/cmddata.c
+++ b/client/cmddata.c
@ -934,14 +934,14 @@ char *GetFSKType(uint8_t fchigh, uint8_t fclow, uint8_t invert)
 int FSKrawDemod(const char *Cmd, bool verbose)
 {
 	//raw fsk demod  no manchester decoding no start bit finding just get binary from wave
-	//set defaults
-	int rfLen = 0;
-	int invert = 0;
-	int fchigh = 0;
-	int fclow = 0;
+	uint8_t rfLen, invert, fchigh, fclow;

+	//set defaults
 	//set options from parameters entered with the command
-	sscanf(Cmd, "%i %i %i %i", &rfLen, &invert, &fchigh, &fclow);
+	rfLen = param_get8ex(Cmd, 0, 0, 10);
+	invert = param_get8ex(Cmd, 1, 0, 10);
+	fchigh = param_get8ex(Cmd, 2, 0, 10);
+	fclow = param_get8ex(Cmd, 3, 0, 10);

 	if (strlen(Cmd)>0 && strlen(Cmd)<=2) {
 		 if (rfLen==1){
@ -955,34 +955,34 @@ int FSKrawDemod(const char *Cmd, bool verbose)
 	if (BitLen==0) return 0;
 	//get field clock lengths
 	uint16_t fcs=0;
-	if (fchigh==0 || fclow == 0){
+	if (!fchigh || !fclow) {
 		fcs = countFC(BitStream, BitLen, 1);
-		if (fcs==0){
-			fchigh=10;
-			fclow=8;
-		}else{
-			fchigh = (fcs >> 8) & 0xFF;
-			fclow = fcs & 0xFF;
+		if (!fcs) {
+			fchigh = 10;
+			fclow = 8;
+		} else {
+			fchigh = (fcs >> 8) & 0x00FF;
+			fclow = fcs & 0x00FF;
 		}
 	}
 	//get bit clock length
-	if (rfLen==0){
+	if (!rfLen){
 		rfLen = detectFSKClk(BitStream, BitLen, fchigh, fclow);
-		if (rfLen == 0) rfLen = 50;
+		if (!rfLen) rfLen = 50;
 	}
-	int size = fskdemod(BitStream,BitLen,(uint8_t)rfLen,(uint8_t)invert,(uint8_t)fchigh,(uint8_t)fclow);
-	if (size>0){
+	int size = fskdemod(BitStream, BitLen, rfLen, invert, fchigh, fclow);
+	if (size > 0){
 		setDemodBuf(BitStream,size,0);

 		// Now output the bitstream to the scrollback by line of 16 bits
 		if (verbose || g_debugMode) {
-			PrintAndLog("\nUsing Clock:%d, invert:%d, fchigh:%d, fclow:%d", rfLen, invert, fchigh, fclow);
+			PrintAndLog("\nUsing Clock:%u, invert:%u, fchigh:%u, fclow:%u", rfLen, invert, fchigh, fclow);
 			PrintAndLog("%s decoded bitstream:",GetFSKType(fchigh,fclow,invert));
 			printDemodBuff();
 		}

 		return 1;
-	} else{
+	} else {
 		if (g_debugMode) PrintAndLog("no FSK data found");
 	}
 	return 0;
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -29,6 +29,7 @@
 #define T55x7_CONFIGURATION_BLOCK 0x00
 #define T55x7_PAGE0 0x00
 #define T55x7_PAGE1 0x01
+#define T55x7_PWD	0x00000010
 #define REGULAR_READ_MODE_BLOCK 0xFF

 // Default configuration
@ -148,11 +149,24 @@ int usage_t55xx_wakup(){
 		PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");
 	return 0;
 }
+int usage_t55xx_bruteforce(){
+	PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
+	PrintAndLog("       password must be 4 bytes (8 hex symbols)");
+	PrintAndLog("Options:");
+	PrintAndLog("     h         - this help");
+	PrintAndLog("     i <*.dic> - loads a default keys dictionary file <*.dic>");
+	PrintAndLog("");
+	PrintAndLog("Examples:");
+	PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");
+	PrintAndLog("       lf t55xx bruteforce i mykeys.dic");
+	PrintAndLog("");
+	return 0;
+}

 static int CmdHelp(const char *Cmd);

 void printT5xxHeader(uint8_t page){
-	PrintAndLog("Reading Page %d:", page);	
+	PrintAndLog("Reading Page %d:", page);
 	PrintAndLog("blk | hex data | binary");
 	PrintAndLog("----+----------+---------------------------------");	
 }
@ -442,7 +456,6 @@ bool tryDetectModulation(){
 	t55xx_conf_block_t tests[15];
 	int bitRate=0;
 	uint8_t fc1 = 0, fc2 = 0, clk=0;
-	save_restoreGB(1);

 	if (GetFskClock("", FALSE, FALSE)){ 
 		fskClocks(&fc1, &fc2, &clk, FALSE);
@ -502,7 +515,7 @@ bool tryDetectModulation(){
 			}
 		}
 		//undo trim from ask
-		save_restoreGB(0);
+		//save_restoreGB(0);
 		clk = GetNrzClock("", FALSE, FALSE);
 		if (clk>0) {
 			if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
@ -522,9 +535,9 @@ bool tryDetectModulation(){
 			}
 		}
 		
-		//undo trim from nrz
-		save_restoreGB(0);
+		// allow undo
 		// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
+		save_restoreGB(1);
 		CmdLtrim("160");
 		clk = GetPskClock("", FALSE, FALSE);
 		if (clk>0) {
@ -565,8 +578,9 @@ bool tryDetectModulation(){
 				}
 			} // inverse waves does not affect this demod
 		}
+		//undo trim samples
+		save_restoreGB(0);
 	}	
-	save_restoreGB(0);	
 	if ( hits == 1) {
 		config.modulation = tests[0].modulation;
 		config.bitrate = tests[0].bitrate;
@ -1297,19 +1311,161 @@ int CmdT55xxWipe(const char *Cmd) {
 	return 0;
 }

+int CmdT55xxBruteForce(const char *Cmd) {
+
+	// load a default pwd file.
+	char buf[9];
+	char filename[FILE_PATH_SIZE]={0};
+	int keycnt = 0;
+	uint8_t stKeyBlock = 20;
+	uint8_t *keyBlock = NULL, *p;
+	keyBlock = calloc(stKeyBlock, 6);
+	if (keyBlock == NULL) return 1;
+
+	uint32_t start_password = 0x00000000; //start password
+	uint32_t end_password   = 0xFFFFFFFF; //end   password
+	bool found = false;
+
+	char cmdp = param_getchar(Cmd, 0);
+	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();
+
+	if (cmdp == 'i' || cmdp == 'I') {
+
+		int len = strlen(Cmd+2);
+		if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+		memcpy(filename, Cmd+2, len);
+
+		FILE * f = fopen( filename , "r");
+
+		if ( !f ) {
+			PrintAndLog("File: %s: not found or locked.", filename);
+			free(keyBlock);
+			return 1;
+		}
+
+		while( fgets(buf, sizeof(buf), f) ){
+			if (strlen(buf) < 8 || buf[7] == '\n') continue;
+
+			while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line
+
+			//The line start with # is comment, skip
+			if( buf[0]=='#' ) continue;
+
+			if (!isxdigit(buf[0])){
+				PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);
+				continue;
+			}
+			
+			buf[8] = 0;
+
+			if ( stKeyBlock - keycnt < 2) {
+				p = realloc(keyBlock, 6*(stKeyBlock+=10));
+				if (!p) {
+					PrintAndLog("Cannot allocate memory for defaultKeys");
+					free(keyBlock);
+					return 2;
+				}
+				keyBlock = p;
+			}
+			memset(keyBlock + 4 * keycnt, 0, 4);
+			num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);
+			PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));
+			keycnt++;
+			memset(buf, 0, sizeof(buf));
+		}
+		fclose(f);
+		
+		if (keycnt == 0) {
+			PrintAndLog("No keys found in file");
+			return 1;
+		}
+		PrintAndLog("Loaded %d keys", keycnt);
+		
+		// loop
+		uint64_t testpwd = 0x00;
+		for (uint16_t c = 0; c < keycnt; ++c ) {
+
+			if (ukbhit()) {
+				getchar();
+				printf("\naborted via keyboard!\n");
+				return 0;
+			}
+
+			testpwd = bytes_to_num(keyBlock + 4*c, 4);
+
+			PrintAndLog("Testing %08X", testpwd);
+
+			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {
+				PrintAndLog("Aquireing data from device failed. Quitting");
+				return 0;
+			}
+
+			found = tryDetectModulation();
+
+			if ( found ) {
+				PrintAndLog("Found valid password: [%08X]", testpwd);
+				return 0;
+			}
+		}
+		PrintAndLog("Password NOT found.");
+		return 0;
+	}
+
+	// Try to read Block 7, first :)
+
+	// incremental pwd range search
+	start_password = param_get32ex(Cmd, 0, 0, 16);
+	end_password = param_get32ex(Cmd, 1, 0, 16);
+	
+	if ( start_password >= end_password ) return usage_t55xx_bruteforce();
+
+	PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);
+
+	uint32_t i = start_password;
+
+	while ((!found) && (i <= end_password)){
+
+	printf(".");
+	fflush(stdout);
+	if (ukbhit()) {
+		getchar();
+		printf("\naborted via keyboard!\n");
+		return 0;
+	}
+
+	if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {
+		PrintAndLog("Aquireing data from device failed. Quitting");
+		return 0;
+	}
+	found = tryDetectModulation();
+	    
+	if (found) break;
+	i++;
+	}
+
+	PrintAndLog("");
+
+	if (found)
+	PrintAndLog("Found valid password: [%08x]", i);
+	else
+	PrintAndLog("Password NOT found. Last tried: [%08x]", --i);
+	return 0;
+}
+
 static command_t CommandTable[] = {
-  {"help",     CmdHelp,           1, "This help"},
-  {"config",   CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
-  {"detect",   CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},
-  {"read",     CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
-  {"resetread",CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
-  {"write",    CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
-  {"trace",    CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
-  {"info",     CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
-  {"dump",     CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
-  {"special",  special,           0, "Show block changes with 64 different offsets"},
-  {"wakeup",   CmdT55xxWakeUp,    0, "Send AOR wakeup command"},
-  {"wipe",     CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
+  {"help",      CmdHelp,           1, "This help"},
+	{"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
+  {"config",    CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
+  {"detect",    CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},
+  {"read",      CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
+  {"resetread", CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
+  {"write",     CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
+  {"trace",     CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
+  {"info",      CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
+  {"dump",      CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
+  {"special",   special,           0, "Show block changes with 64 different offsets"},
+  {"wakeup",    CmdT55xxWakeUp,    0, "Send AOR wakeup command"},
+  {"wipe",      CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
  {NULL, NULL, 0, NULL}
 };

--- a/client/cmdlft55xx.h
+++ b/client/cmdlft55xx.h
@ -45,6 +45,7 @@ void Set_t55xx_Config(t55xx_conf_block_t conf);


 int CmdLFT55XX(const char *Cmd);
+int CmdT55xxBruteForce(const char *Cmd);
 int CmdT55xxSetConfig(const char *Cmd);
 int CmdT55xxReadBlock(const char *Cmd);
 int CmdT55xxWriteBlock(const char *Cmd);