PCF7931: improved read code and implemented a simple password bruteforce (#745)

* Improved PCF 7931 read code and implemented a simple PCF7931 password bruteforce
* Warning on the PCF7931 bruteforce command

client/cmdlfpcf7931.c

@@ -1,6 +1,7 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2012 Chalk <chalk.secu at gmail.com>
 //               2015 Dake <thomas.cayrou at gmail.com>
+//				 2018 sguerrini97 <sguerrini97 at gmail.com>
 
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -76,6 +77,21 @@ int usage_pcf7931_write(){
 	return 0;
 }
 
+int usage_pcf7931_bruteforce()
+{
+	PrintAndLog("Usage: lf pcf7931 bruteforce [h] <start password> <tries>");
+	PrintAndLog("This command tries to disable PAC of a PCF7931 transponder by bruteforcing the password.");
+	PrintAndLog("!! THIS IS NOT INTENDED TO RECOVER THE FULL PASSWORD !!");
+	PrintAndLog("!! DO NOT USE UNLESS THE FIRST 5 BYTES OF THE PASSWORD ARE KNOWN !!");
+	PrintAndLog("Options:");
+	PrintAndLog("       h                This help");
+	PrintAndLog("       start password   hex password to start from");
+	PrintAndLog("       tries            How many times to send the same data frame");
+	PrintAndLog("Examples:");
+	PrintAndLog("      lf pcf7931 bruteforce 00000000123456 3");
+	return 0;
+}
+
 int usage_pcf7931_config(){
 	PrintAndLog("Usage: lf pcf7931 config [h] [r] <pwd> <delay> <offset width> <offset position>");
 	PrintAndLog("This command tries to set the configuration used with PCF7931 commands");
@@ -159,12 +175,47 @@ int CmdLFPCF7931Write(const char *Cmd){
 	return 0;
 }
 
+int CmdLFPCF7931BruteForce(const char *Cmd){
+
+	uint8_t ctmp = param_getchar(Cmd, 0);
+	if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_pcf7931_bruteforce();  
+
+	uint64_t start_password = 0;
+	uint8_t tries = 3;
+	
+	if (param_gethex(Cmd, 0, (uint8_t*)(&start_password), 14)) return usage_pcf7931_bruteforce();
+	if (param_getdec(Cmd, 1, &tries)) return usage_pcf7931_bruteforce();
+	
+	PrintAndLog("Bruteforcing from password: %02x %02x %02x %02x %02x %02x %02x",
+			start_password & 0xFF,
+			(start_password >> 8) & 0xFF,
+			(start_password >> 16) & 0xFF,
+			(start_password >> 24) & 0xFF,
+			(start_password >> 32) & 0xFF,
+			(start_password >> 48) & 0xFF,
+			(start_password >> 56) & 0xFF);
+			
+	PrintAndLog("Trying each password %d times", tries);
+
+	UsbCommand c = {CMD_PCF7931_BRUTEFORCE, {start_password, tries} };
+	
+	c.d.asDwords[7] = (configPcf.OffsetWidth + 128);
+	c.d.asDwords[8] = (configPcf.OffsetPosition + 128);
+	c.d.asDwords[9] = configPcf.InitDelay;
+
+	clearCommandBuffer();
+	SendCommand(&c);
+	//no ack?
+	return 0;
+}
+
 static command_t CommandTable[] = 
 {
 	{"help",   CmdHelp,            1, "This help"},
 	{"read",   CmdLFPCF7931Read,   0, "Read content of a PCF7931 transponder"},
 	{"write",  CmdLFPCF7931Write,  0, "Write data on a PCF7931 transponder."},
 	{"config", CmdLFPCF7931Config, 1, "Configure the password, the tags initialization delay and time offsets (optional)"},
+	{"bruteforce", CmdLFPCF7931BruteForce, 0, "Bruteforce a PCF7931 transponder password."},
 	{NULL,     NULL,               0, NULL}
 };
 

client/cmdlfpcf7931.h

@@ -1,6 +1,7 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2012 Chalk <chalk.secu at gmail.com>
 //				 2015 Dake <thomas.cayrou at gmail.com>
+//				 2018 sguerrini97 <sguerrini97 at gmail.com>
 
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
@@ -26,12 +27,14 @@ int pcf7931_printConfig();
 
 int usage_pcf7931_read();
 int usage_pcf7931_write();
+int usage_pcf7931_bruteforce();
 int usage_pcf7931_config();
 
 int CmdLFPCF7931(const char *Cmd);
 
 int CmdLFPCF7931Read(const char *Cmd);
 int CmdLFPCF7931Write(const char *Cmd);
+int CmdLFPCF7931BruteForce(const char *Cmd);
 int CmdLFPCF7931Config(const char *Cmd);
 
 #endif