EM 4x05 login bf

2020-10-20 13:18:43 +02:00
parent 9003b96312
commit 3b83e8e703
7 changed files with 110 additions and 8 deletions
--- a/client/src/cmdlfem4x.c
+++ b/client/src/cmdlfem4x.c
@@ -647,6 +647,7 @@ static command_t CommandTable[] = {
    {"4x05_write",  CmdEM4x05Write,       IfPm3Lf,         "write word data to EM4x05/EM4x69"},
    {"4x05_unlock", CmdEM4x05Unlock,      IfPm3Lf,         "execute tear off against EM4x05/EM4x69"},
    {"4x05_sniff",  CmdEM4x05Sniff,       IfPm3Lf,         "Attempt to recover em4x05 commands from sample buffer"},
+    {"4x05_brute",  CmdEM4x05Brute,       IfPm3Lf,         "Bruteforce password"},
    {"----------",  CmdHelp,              AlwaysAvailable,         "----------------------- " _CYAN_("EM 4x50") " -----------------------"},
    {"4x50_dump",   CmdEM4x50Dump,        IfPm3EM4x50,     "dump EM4x50 tag"},
    {"4x50_info",   CmdEM4x50Info,        IfPm3EM4x50,     "tag information EM4x50"},
--- a/client/src/cmdlfem4x05.c
+++ b/client/src/cmdlfem4x05.c
@@ -1178,6 +1178,48 @@ int CmdEM4x05Chk(const char *Cmd) {
    return PM3_SUCCESS;
 }

+int CmdEM4x05Brute(const char *Cmd) {
+    CLIParserContext *ctx;
+    CLIParserInit(&ctx, "lf em 4x05_brute",
+                  "This command tries to bruteforce the password of a EM4205/4305/4469/4569\n",
+                  "Note: if you get many false positives, change position on the antenna"
+                  "lf em 4x05_brute\n"
+                  "lf em 4x05_brute -n 1                   -> stop after first candidate found\n"
+                  "lf em 4x05_brute -s 0x00000022B8        -> remember to use 0x for hex"
+                 );
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_u64_0("s", "start", "<pwd>", "Start bruteforce enumeration from this password value"),
+        arg_int0("n", "", "<digits>", "Stop after having found n candidates. Default: 0 => infinite"),
+        arg_param_end
+    };
+    CLIExecWithReturn(ctx, Cmd, argtable, true);
+    uint32_t start_pwd = arg_get_u64_def(ctx, 1, 0);
+    uint32_t n = arg_get_int_def(ctx, 1, 0);
+    CLIParserFree(ctx);
+
+    PrintAndLogEx(NORMAL, "");
+
+    struct {
+        uint32_t start_pwd;
+        uint32_t n;
+    } PACKED payload;
+
+    payload.start_pwd = start_pwd;
+    payload.n = n;
+
+    clearCommandBuffer();
+    SendCommandNG(CMD_LF_EM4X_BF, (uint8_t *)&payload, sizeof(payload));
+    PacketResponseNG resp;
+    if (!WaitForResponseTimeout(CMD_LF_EM4X_BF, &resp, 1000)) {
+        PrintAndLogEx(WARNING, "(EM4x05 Bruteforce) timeout while waiting for reply.");
+        return PM3_ETIMEOUT;
+    }
+    PrintAndLogEx(INFO, "Bruteforce is running on device side, press button to interrupt");
+    return PM3_SUCCESS;
+}
+
 typedef struct {
    uint16_t cnt;
    uint32_t value;
--- a/client/src/cmdlfem4x05.h
+++ b/client/src/cmdlfem4x05.h
@@ -28,5 +28,6 @@ int CmdEM4x05Info(const char *Cmd);
 int CmdEM4x05Chk(const char *Cmd);
 int CmdEM4x05Unlock(const char *Cmd);
 int CmdEM4x05Sniff(const char *Cmd);
+int CmdEM4x05Brute(const char *Cmd);

 #endif