armsrc/Standalone/lf_samyrun.c

   1 //-----------------------------------------------------------------------------
   2 // Copyright (C) Samy Kamkar, 2012
   3 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
   4 //
   5 // This program is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // This program is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // See LICENSE.txt for the text of the license.
  16 //-----------------------------------------------------------------------------
  17 // main code for LF aka SamyRun by Samy Kamkar
  18 //-----------------------------------------------------------------------------
  19 #include "standalone.h" // standalone definitions
  20 #include "proxmark3_arm.h"
  21 #include "appmain.h"
  22 #include "fpgaloader.h"
  23 #include "lfops.h"
  24 #include "util.h"
  25 #include "dbprint.h"
  26 #include "ticks.h"
  27
  28 #define OPTS 2
  29
  30 void ModInfo(void) {
  31     DbpString("  LF HID26 standalone - aka SamyRun (Samy Kamkar)");
  32 }
  33
  34 // samy's sniff and repeat routine for LF
  35
  36 //  LEDS.
  37 //  A  ,  B  == which bank (recording)
  38 //  FLASHING A, B =  clone bank
  39 //  C = playing bank A
  40 //  D = playing bank B
  41
  42 void RunMod(void) {
  43     StandAloneMode();
  44     FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
  45     Dbprintf(">>  LF HID Read/Clone/Sim a.k.a SamyRun Started  <<");
  46
  47     uint32_t high[OPTS], low[OPTS];
  48     int selected = 0;
  49
  50 #define STATE_READ 0
  51 #define STATE_SIM 1
  52 #define STATE_CLONE 2
  53
  54     uint8_t state = STATE_READ;
  55
  56     for (;;) {
  57
  58         WDT_HIT();
  59
  60         // exit from SamyRun,   send a usbcommand.
  61         if (data_available()) break;
  62
  63         // Was our button held down or pressed?
  64         int button_pressed = BUTTON_HELD(280);
  65         if (button_pressed != BUTTON_HOLD)
  66             continue;
  67
  68         if (state == STATE_READ) {
  69
  70             if (selected == 0) {
  71                 LED_A_ON();
  72                 LED_B_OFF();
  73             } else {
  74                 LED_B_ON();
  75                 LED_A_OFF();
  76             }
  77
  78             LED_C_OFF();
  79             LED_D_OFF();
  80
  81             WAIT_BUTTON_RELEASED();
  82
  83             // record
  84             DbpString("[=] start recording");
  85
  86             // findone, high, low, no ledcontrol (A)
  87             uint32_t hi = 0, lo = 0;
  88             lf_hid_watch(1, &hi, &lo, true);
  89             high[selected] = hi;
  90             low[selected] = lo;
  91
  92             Dbprintf("[=]   recorded %x | %x%08x", selected, high[selected], low[selected]);
  93
  94             // got nothing. blink and loop.
  95             if (hi == 0 && lo == 0) {
  96                 SpinErr((selected == 0) ? LED_A : LED_B, 100, 12);
  97                 DbpString("[=] only got zeros, retry recording after click");
  98                 continue;
  99             }
 100
 101             SpinErr((selected == 0) ? LED_A : LED_B, 250, 2);
 102             state = STATE_SIM;
 103             continue;
 104
 105         } else if (state == STATE_SIM) {
 106
 107             LED_C_ON();   // Simulate
 108             LED_D_OFF();
 109             WAIT_BUTTON_RELEASED();
 110
 111             Dbprintf("[=] simulating %x | %x%08x", selected, high[selected], low[selected]);
 112
 113             // high, low, no led control(A)  no time limit
 114             CmdHIDsimTAGEx(0, high[selected], low[selected], 0, false, -1);
 115
 116             DbpString("[=] simulating done");
 117
 118             uint8_t leds = ((selected == 0) ? LED_A : LED_B) | LED_C;
 119             SpinErr(leds, 250, 2);
 120             state = STATE_CLONE;
 121             continue;
 122
 123         } else if (state == STATE_CLONE) {
 124
 125             LED_C_OFF();
 126             LED_D_ON();   // clone
 127             WAIT_BUTTON_RELEASED();
 128
 129             Dbprintf("[=]    cloning %x | %x%08x", selected, high[selected], low[selected]);
 130
 131             // high2, high, low,  no longFMT
 132             CopyHIDtoT55x7(0, high[selected], low[selected], 0, false, false, true);
 133
 134             DbpString("[=] cloned done");
 135
 136             state = STATE_READ;
 137             uint8_t leds = ((selected == 0) ? LED_A : LED_B) | LED_D;
 138             SpinErr(leds, 250, 2);
 139             selected = (selected + 1) % OPTS;
 140             LEDsoff();
 141         }
 142     }
 143
 144     SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5);
 145     DbpString("[=] You can take shell back :) ...");
 146     LEDsoff();
 147 }