Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2013-03-10 10:15:41

MF
Member
Registered: 2013-03-09
Posts: 8

Bug in proxmark3.exe - lf hid clone

Hi,

I am not sure if this is the correct forum to raise a bug report, so apologies if this is not correct.

I am using r671 firmware and I have discovered a bug in the lf hid clone command. See the following command output:

proxmark3> lf hid clone 2006e23731
Cloning tag with ID 2006e23731
#db# Tags can only have 44 bits.
proxmark3> lf hid clone
Cloning tag with ID 000000000
#db# DONE!
proxmark3> lf hid clone F
Cloning tag with ID 00000000f
#db# DONE!
proxmark3> lf hid clone FF
Cloning tag with ID 0000000ff
#db# DONE!
proxmark3> lf hid clone FFF
Cloning tag with ID 000000fff
#db# DONE!
proxmark3> lf hid clone FFFF
Cloning tag with ID 00000ffff
#db# Tags can only have 44 bits.

Looking at the source code for lfops.c, it seems that on line 1108, it checks that the high 12 bits are not greater than 0xFFF. The output of the above commands indicates that the lf hid clone command is sending the low 32 bits in the high 12 bits argument.

Looking at the source code for cmdlfhid.c you can see that CmdHIDSim sends the command like this:

  c.cmd = CMD_HID_CLONE_TAG;
  c.arg[0] = hi2;
  c.arg[1] = hi;
  c.arg[2] = lo;
  // UsbCommand c = {CMD_HID_SIM_TAG, {hi, lo, 0}};
  SendCommand(&c);

But CmdHIDClone sends the command like this:

  UsbCommand c = {CMD_HID_CLONE_TAG, {hi, lo}};
  SendCommand(&c);

So, in my humble opinion, it appears that r657 changed the parameter list for the CopyHIDtoT55x7 function, but it has not been updated in cmdlfhid.c.

Also, in cmdlfhid.c, the lf hid sim command is calling the clone command instead of the sim command.

Thanks,
Michael.
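
The mismatch described in the post above, modelled as an added example (not code from the Proxmark3 sources or from any poster): a client that packs two arguments against firmware that reads the high bits from the second of three. The struct and function names are hypothetical; only the 0xFFF check, the argument order and the sample IDs come from the thread.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the client/firmware command packet (assumption). */
typedef struct { uint32_t cmd; uint32_t arg[3]; } model_cmd_t;

/* Same nibble-shifting parse the client uses: hex string -> hi:lo. */
static void parse_id(const char *s, uint32_t *hi, uint32_t *lo) {
    *hi = *lo = 0;
    for (; isxdigit((unsigned char)*s); s++) {
        uint32_t n = isdigit((unsigned char)*s)
                   ? (uint32_t)(*s - '0')
                   : (uint32_t)(tolower((unsigned char)*s) - 'a' + 10);
        *hi = (*hi << 4) | (*lo >> 28);
        *lo = (*lo << 4) | n;
    }
}

/* Client as reported in the thread: two arguments, {hi, lo}. */
static model_cmd_t pack_two_args(const char *id) {
    uint32_t hi, lo;
    parse_id(id, &hi, &lo);
    model_cmd_t c = { 0, { hi, lo, 0 } };
    return c;
}

/* Client after the fix: three arguments, {hi2, hi, lo}. */
static model_cmd_t pack_three_args(const char *id) {
    uint32_t hi, lo;
    parse_id(id, &hi, &lo);
    model_cmd_t c = { 0, { 0, hi, lo } };
    return c;
}

/* Modelled firmware side: arg[1] is read as the high 12 bits of a
 * 44-bit ID and rejected above 0xFFF. Returns 1 when accepted. */
static int firmware_accepts(const model_cmd_t *c) {
    return c->arg[1] <= 0xFFF;
}

int main(void) {
    const char *ids[] = { "FFF", "FFFF", "2006e23731" }; /* IDs from the post */
    for (int i = 0; i < 3; i++) {
        model_cmd_t a = pack_two_args(ids[i]), b = pack_three_args(ids[i]);
        printf("%-10s two-arg: %-12s three-arg: %s\n", ids[i],
               firmware_accepts(&a) ? "DONE" : "44-bit error",
               firmware_accepts(&b) ? "DONE" : "44-bit error");
    }
    return 0;
}
```

With the two-argument layout the low 32 bits land where the firmware expects the high bits, so any ID whose low word exceeds 0xFFF is rejected, matching the FFF/FFFF boundary in the command output.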


#2 2013-03-10 15:34:34

MF
Member
Registered: 2013-03-09
Posts: 8

Re: Bug in proxmark3.exe - lf hid clone

Hi Roel,

I see that you partially fixed this in r673, but you are still only passing hi and lo to CMD_HID_CLONE_TAG at line 99, which is where I think the "Tags can only have 44 bits" error is coming from.

Thanks,
Michael.


#3 2013-03-11 09:12:19

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Bug in proxmark3.exe - lf hid clone

It looks like the clone part got messed up (and the long UID option went away).
I'll fix and upload later today if possible.


#4 2013-03-11 12:45:35

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Bug in proxmark3.exe - lf hid clone

I was going to update the cmdlfhid.c file, but I'm not sure about current modifications.
I think it is a mistake while merging the CDC interface but I would prefer Roel to check it.
The simulator was updated with long format support, but this is not yet implemented in the ARM.
I think it is a mistake where the long format support was pasted on SIM instead of CLONE.

While someone confirms this point you can fix the file by changing SIM and CLONE functions to this (just replace in cmdlfhid.c in the client):

int CmdHIDSim(const char *Cmd)
{
  unsigned int hi = 0, lo = 0;
  unsigned int n = 0;  // %1x stores into an unsigned int
  int i = 0;

  // Shift each hex digit into the 64-bit value held as hi:lo
  while (sscanf(&Cmd[i++], "%1x", &n) == 1) {
    hi = (hi << 4) | (lo >> 28);
    lo = (lo << 4) | (n & 0xf);
  }

  PrintAndLog("Emulating tag with ID %x%08x", hi, lo);

  UsbCommand c = {CMD_HID_SIM_TAG, {hi, lo, 0}};
  SendCommand(&c);
  return 0;
}

int CmdHIDClone(const char *Cmd)
{
  unsigned int hi2 = 0, hi = 0, lo = 0;
  unsigned int n = 0;  // %1x stores into an unsigned int
  int i = 0;
  UsbCommand c;

  if (strchr(Cmd,'l') != 0) {
    // Long format: shift each hex digit into hi2:hi:lo
    while (sscanf(&Cmd[i++], "%1x", &n) == 1) {
      hi2 = (hi2 << 4) | (hi >> 28);
      hi = (hi << 4) | (lo >> 28);
      lo = (lo << 4) | (n & 0xf);
    }

    PrintAndLog("Cloning tag with long ID %x%08x%08x", hi2, hi, lo);

    c.d.asBytes[0] = 1;
  }
  else {
    // Standard format: shift each hex digit into hi:lo
    while (sscanf(&Cmd[i++], "%1x", &n) == 1) {
      hi = (hi << 4) | (lo >> 28);
      lo = (lo << 4) | (n & 0xf);
    }

    PrintAndLog("Cloning tag with ID %x%08x", hi, lo);

    hi2 = 0;
    c.d.asBytes[0] = 0;
  }

  // The firmware expects three arguments: hi2, hi, lo
  c.cmd = CMD_HID_CLONE_TAG;
  c.arg[0] = hi2;
  c.arg[1] = hi;
  c.arg[2] = lo;

  SendCommand(&c);
  return 0;
}


#5 2013-03-11 12:52:11

MF
Member
Registered: 2013-03-09
Posts: 8

Re: Bug in proxmark3.exe - lf hid clone

That is great, thanks. It is pretty much what I had done already, I just wanted to make sure it got fixed in the production version.

Thanks,
Michael.


#6 2013-03-12 09:09:15

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Bug in proxmark3.exe - lf hid clone

I'm sorry for breaking the code. It was not on purpose, and yes, it happened when I tried to merge all branches together.

@Cex: Could you look at the (your?) HID code and try to fix what I broke in the new CDC trunk? Or maybe you already did as you pointed out in your earlier post, but commit the changes into the SVN as well? Thanks a lot in advance!


#7 2013-03-13 08:13:07

Cex
Contributor
Registered: 2009-12-14
Posts: 104

Re: Bug in proxmark3.exe - lf hid clone

roel wrote:

I'm sorry for breaking the code. It was not on purpose, and yes, it happened when I tried to merge all branches together.

@Cex: Could you look at the (your?) HID code and try to fix what I broke in the new CDC trunk? Or maybe you already did as you pointed out in your earlier post, but commit the changes into the SVN as well? Thanks a lot in advance!

No problem, you did very good work with the CDC interface.
Fixed in r675.


#8 2013-03-13 09:39:38

rule
Member
Registered: 2008-05-21
Posts: 417

Re: Bug in proxmark3.exe - lf hid clone

Thanks a lot!
