Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

You are not logged in.

Announcement

Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2015-11-06 18:47:57

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

bruceforce attack for t55xx

Hi, everyone I think I would be nice to have a bruceforce attack for t55xx smile

[== Undefined ==]
proxmark3> lf t55xx dump
[0] 0x1D555555  00011101010101010101010101010101          
[1] 0x1D555555  00011101010101010101010101010101          
[2] 0x1D555555  00011101010101010101010101010101          
[3] 0x1D555555  00011101010101010101010101010101          
[4] 0x1D555555  00011101010101010101010101010101          
[5] 0x1D555555  00011101010101010101010101010101          
[6] 0x1D555555  00011101010101010101010101010101          
[7] 0x1D555555  00011101010101010101010101010101          
proxmark3> lf t55xx dump feedbeef
[0] 0x00107070  00000000000100000111000001110000          
[1] 0x1D555555  00011101010101010101010101010101          
[2] 0x55555555  01010101010101010101010101010101          
[3] 0x59555555  01011001010101010101010101010101          
[4] 0x00000000  00000000000000000000000000000000          
[5] 0x00000000  00000000000000000000000000000000          
[6] 0x00000000  00000000000000000000000000000000          
[7] 0xFEEDBEEF  11111110111011011011111011101111       

proxmark3> lf t55xx 
help             This help          
config           Set/Get T55XX configuration (modulation, inverted, offset, rate)          
detect           [1] Try detecting the tag modulation from reading the configuration block.          
read             <block> [password] -- Read T55xx block data (page 0) [optional password]          
write            <block> <data> [password] -- Write T55xx block data (page 0) [optional password]          
trace            [1] Show T55xx traceability data (page 1/ blk 0-1)          
info             [1] Show T55xx configuration data (page 0/ blk 0)          
dump             [password] Dump T55xx card block 0-7. [optional password]          
special          Show block changes with 64 different offsets          
bruceforce       BruceForce Attack to get Password          

proxmark3> lf t55xx bruceforce h
Usage:  lf t55xx bruceforce <start password> <end password>          
     <password>, OPTIONAL password 4bytes (8 hex symbols)          
          
Examples:          
      lf t55xx bruceforce           
      lf t55xx bruceforce feedbeef          
      lf t55xx bruceforce aaaaaaaa bbbbbbbb          
          
proxmark3> 
proxmark3> lf t55xx bruceforce feedbee0 feedbfff
Start Password feedbee0
  End Password feedbfff

pass [feedbee0] ........Modulation : FSK2a          
Bit Rate   : 4 - RF/50          
Inverted   : Yes          
Offset     : 0          
Block0     : 0x00107070          
          

Found Password = feedbeef
proxmark3> 
   

Offline

#2 2015-11-06 18:53:56

meter
Contributor
Registered: 2015-07-13
Posts: 78

Re: bruceforce attack for t55xx

Are you developing a bruteforce for t55xx?
I have seen there is already an entry in this thread http://proxmark.org/forum/viewtopic.php?id=2405

Last edited by meter (2015-11-06 18:56:08)

Offline

#3 2015-11-06 19:09:13

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: bruceforce attack for t55xx

It would take a long long time to brute force the pwd.

Offline

#4 2015-11-06 19:21:39

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: bruceforce attack for t55xx

if 1 second per try lol at myself

Sorry wrong calculation it will be 136 years  sad

Last edited by Go_tus (2015-11-06 19:56:50)

Offline

#5 2015-11-06 22:06:11

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

I suppose you are iterating with +1 increase,..  how do you verify that the pwd is correct?

Offline

#6 2015-11-07 02:59:29

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: bruceforce attack for t55xx

I use trydetectmodulation. I am not  quite sure but I have tested 2 tags with 2 different passwords.

Offline

#7 2015-11-24 06:53:12

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: bruceforce attack for t55xx

Here it's a simple code by noob programmer

[== Undefined ==]
int usage_t55xx_bruceforce(){
    PrintAndLog("Usage: lf t55xx bruceforce <start password> <end password>");
    PrintAndLog("       password must be 4 bytes (8 hex symbols)");
    PrintAndLog("Examples:");
    PrintAndLog("       lf t55xx bruceforce aaaaaaaa bbbbbbbb");
    PrintAndLog("");
    return 0;
}
bool SubBruceForce(int password){
    uint8_t block = 0;
    UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, 0}};
    c.d.asBytes[0] = 0x0;
    
    //Password mode
        c.arg[2] = password;
        c.d.asBytes[0] = 0x1;

    clearCommandBuffer();
    SendCommand(&c);
    if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
        PrintAndLog("command execution time out");
        return 2;
    }
    
    uint8_t got[12000];
    GetFromBigBuf(got,sizeof(got),0);
    WaitForResponse(CMD_ACK,NULL);
    setGraphBuf(got,12000);
    DemodBufferLen=0;
    return tryDetectModulation();
}
int CmdT55xxBruceForce(const char *Cmd){
    uint32_t start_password = 0x00000000; //start password
    uint32_t end_password   = 0xFFFFFFFF; //end   password
    uint8_t t[4];
    int res;
    int h;
    bool found = false;
    char cmdp = param_getchar(Cmd, 0);
    if (cmdp == 'h' || cmdp == 'H')
        return usage_t55xx_bruceforce();

    res = sscanf(Cmd,"%08x %08x",&start_password,&end_password);
    if (res < 2)
    return usage_t55xx_bruceforce();

    h = param_gethex(Cmd, 0,t,8);
    if (h == 0)
    start_password = t[0] << 24 | t[1] << 16 | t[2] << 8 | t[3];
    else
    return usage_t55xx_bruceforce();
    
    h = param_gethex(Cmd, 1,t,8);
    
    if (h == 0)
    end_password = t[0] << 24 | t[1] << 16 | t[2] << 8 | t[3];
    else
    return usage_t55xx_bruceforce();

    
    printf("Start Password %08x\n",start_password);
    printf("  End Password %08x\n",end_password);
    int i = start_password;
    if ((i % 0x100) != 0)
    printf("\n[%08x] ",i);
    while ((!found) && (i <= end_password)){
        found = SubBruceForce(i);
        if (found)
        break;
        
        if ((i % 0x100) == 0)
        fprintf(stdout,"\n[%08x] ",i);
        else
        fprintf(stdout,".");
        fflush(stdout);

        //usleep(1);
        i++;
    }
    
    printf("\n");
    if (found)
    printf("Found Password = %08x\n",i);
    else
    printf("NOT Found Last Password = %08x\n",i);
    
    return 0;
}
static command_t CommandTable[] =
{
  {"help",   CmdHelp,           1, "This help"},
  {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
  {"detect", CmdT55xxDetect,    0, "[1] Try detecting the tag modulation from reading the configuration block."},
  {"read",   CmdT55xxReadBlock, 0, "<block> [password] -- Read T55xx block data (page 0) [optional password]"},
  {"write",  CmdT55xxWriteBlock,0, "<block> <data> [password] -- Write T55xx block data (page 0) [optional password]"},
  {"trace",  CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},
  {"info",   CmdT55xxInfo,      0, "[1] Show T55xx configuration data (page 0/ blk 0)"},
  {"dump",   CmdT55xxDump,      0, "[password] Dump T55xx card block 0-7. [optional password]"},
  {"special", special,          0, "Show block changes with 64 different offsets"},
  {"bruceforce",CmdT55xxBruceForce,0,"BruceForce Attack to get Password"},
  {NULL, NULL, 0, NULL}
};

Last edited by Go_tus (2015-11-24 06:57:37)

Offline

#8 2015-11-27 17:43:46

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

I tried your code and made it a bit simpler.

Using the config block and detectModulation might not be the fastest way to detect a valid password but it works.

pm3 --> lf t55 brute 0 3
Search password  range [00000000 -> 00000003]
[00000000],
Password NOT found. Last tried: [00000004]
pm3 --> lf t55 brute 11223340 11223346
Search password  range [11223340 -> 11223346]
Chip Type  : T55x7
Modulation : ASK
Bit Rate   : 5 - RF/64
Inverted   : No
Offset     : 33
Block0     : 0x00148050


Password found [11223344]

Offline

#9 2015-12-01 13:11:29

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

I added some ideas from Piwi, and the bruteforce can now load a default_pwd.dic file with some easy pwds and the two known cloners pwd.

Offline

#10 2015-12-01 23:37:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

and some other fixes like cancel bruteforce via keyboard, showing the wrong end pwd when not found,...

If the PM3 community has more known passwords for t55xx cloners,  now it would be nice to add them.

Offline

#11 2015-12-02 16:45:28

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: bruceforce attack for t55xx

Hi Piwi,

I'll try (deseperatly)  to compile your fork of pm3,

but I stuck on :
cmdhfmf.c:12:25: fatal error: cmdhfmfhard.h: No such file or directory
#include "cmdhfmfhard.h"

I try to build with :
LANG=C make UBUNTU_1404_QT4=1

I was looking into github from iceman and you, but I can't find these two files.

Could you point me in the right direction ?

Regards

Offline

#12 2015-12-02 17:32:07

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

Its in piwi's fork,  branch hard_nested...

ref https://github.com/pwpiwi/proxmark3/blo … hfmfhard.h

Offline

#13 2015-12-02 17:36:04

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

but I noticed that piwis files was missing in my fork too..  I added them and push it to github.

Offline

#14 2015-12-02 18:00:34

rbubba1911
Contributor
Registered: 2014-08-14
Posts: 86

Re: bruceforce attack for t55xx

Thanks a lot iceman,

with your help, I was able to compile successfully the Piwi fork and yours .

note : must use "make UBUNTU_1404_QT4=1" to build your fork

Big hello to my Sweden friends smile

Last edited by rbubba1911 (2015-12-02 19:12:55)

Offline

#15 2016-02-23 17:26:59

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

@rbubba1911,   as a sidenote,  I change the makefile, so you no longer require that extra parameter. 

--

There were some questions about how this bruteforce works.

its quite simple,  following go_tus original version,  as mentioned an explained in this thread.

I just modified to to work a bit better.

The BF is a simple incremental one,  where it starts with a number and goes up until it finds a working pwd.
It's a online BF,  where you need the t55xx tag on your PM3.   It works against the tag,  not a reader.

there is two modes,   one range scan  from start number to end number,  another one is loading dictionary (ie known pwds list) which it tries one by one.

The inner workings is the following part,   where it tries to read Block 0 with a test pwd,   and the verify part is that it tries to decode the block0 (config) to a working configblock.  That is done inside the "trydetectmodulation" function.

This is also why it is so slow. Trying to decode a configblock takes quite much time.  This is the only way to figure out if a pwd was correct or not.  Its not perfect since the decoding can find non-existent but still a config block,  it would then give a false positive answer about the pwd.

Running against the whole searchspace is not practical,  however a dictionary list with pwds would be acceptable.
I've added such a one list with some defaults and some found known cloner pwds. 



    !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd))
    found = tryDetectModulation();

This command uses A) bruteforce to scan a number range
                  B) a dictionary attack

Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]
       password must be 4 bytes (8 hex symbols)

Options:
     h                  - this help
     <start_pwd> - 4 byte hex value to start pwd search at
     <end_pwd>   - 4 byte hex value to end pwd search at
     i <*.dic>  - loads a default keys dictionary file <*.dic>

Examples:
       lf t55xx bruteforce aaaaaaaa bbbbbbbb
       lf t55xx bruteforce i default_pwd.dic

Last edited by iceman (2016-02-23 17:30:01)

Offline

#16 2016-02-23 20:28:28

Apt-Get
Contributor
Registered: 2015-12-23
Posts: 111

Re: bruceforce attack for t55xx

Sorry if this is silly but would there not be a way to glitch this chip?  probably faster than brute..

Offline

#17 2016-02-23 21:06:18

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

We are all open to solutions here,   preferably not just products of the mind but actual implementations. 
How are you suggesting we glitch the chip?

@marshmellow and I have been bouncing the idea of measure the exact startup time until the first response.
But we never got it past the idea stage.  Its hard to measure the exact time to response...

Offline

#18 2016-02-23 21:36:00

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: bruceforce attack for t55xx

iceman wrote:

We are all open to solutions here,   preferably not just products of the mind but actual implementations. 
How are you suggesting we glitch the chip?

@marshmellow and I have been bouncing the idea of measure the exact startup time until the first response.
But we never got it past the idea stage.  Its hard to measure the exact time to response...

In my testing Using the pm3 and measuring the time there was no easy attack possible.  The chip response delay appears to vary only slightly and no direct correlation could be made to the password input.  although a full statistical analysis with significantly more testing might reveal something different.

Other ideas would likely require a teardown of the chip.

Last edited by marshmellow (2016-02-23 22:12:57)

Offline

#19 2016-02-24 16:16:41

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: bruceforce attack for t55xx

moved to
http://www.proxmark.org/forum/viewtopic … 264#p20264

Last edited by ntk (2016-02-24 19:35:58)

Offline

#20 2016-02-24 19:02:55

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: bruceforce attack for t55xx

One enhancement would be checking if MAXBLOCKS allows reading Block 7.   smile
Next yes,  searching whole keyspace takes 2.4years,   but there is no garantee that the key is found early or late,  hence stating the max time.  You can get lucky and find it within 1min.   When it comes to statiscally analysing the BF time estimate, well,  its guess work at the best.

Marshmellow and I had an idea if the pwd checking function would do its checking  bit by bit OR byte by byte.   Hence making a oracle to look for.  Every correct byte would give longer response times.    This doesn't seem to be the case.
It looks like it responses within the same time span regardless.

Next is that once we send the right pwd,  we don't know that until we analyse the response,..   and we need to know what that data might be on a unknown tag.  Which go_tus choosed to look at block0 and the trydetectmodulation  function.
This will give use a proper set of data which we can verify on unknown tags.

Next,   this is a BF attack against a card..    Not against a reader.

If you want to attack a reader,  try sniffing the traffic and read the password which is sent in clear.
Thats how ppl on the forum found the pwd for cloner tools.

You are mixing up all kinds of stuff in your ideas.  Understand what is going on and find possible attack vectors given a specific situation and target.

Offline

#21 2016-02-24 19:45:00

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: bruceforce attack for t55xx

moved to

http://www.proxmark.org/forum/viewtopic … 264#p20264

(oh dear I did not realise you answer here already iceman. Should continue here or on the the new one. Sorry

Last edited by ntk (2016-02-24 19:49:26)

Offline

#22 2016-02-24 19:53:44

marshmellow
Contributor
From: US
Registered: 2013-06-10
Posts: 2,302

Re: bruceforce attack for t55xx

sorry ntk, but the translation is too bad, the words are too many, and the value too little for me to bother even reading it anymore...

Offline

#23 2016-02-24 20:02:02

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: bruceforce attack for t55xx

not just 

iceman wrote:

...  its guess work at the best.
.

, iceman

Strategic
Divide to conquer
Structured
Confusing the enemy
Rigid, like an army thoughtless and fearsom.

that is the way of a Roman wolf pack total attack, have you seen wolfs attack for food in Natur programs ...

Offline

#24 2016-02-24 20:11:44

ntk
Contributor
Registered: 2015-05-24
Posts: 701

Re: bruceforce attack for t55xx

dont worry Marshmellow, if you could find out even without knowing the password, copy the exact card data  is possible, then for the next step not much words are needed.

I talk, I circle, I separate and think solution that is why it seems confusing to other

In the chaos there is senses and lights ....  if it is none then we call it dead-end & darkness

Offline

#25 2016-02-25 02:37:19

Go_tus
Contributor
Registered: 2015-06-03
Posts: 81

Re: bruceforce attack for t55xx

Problem is searching and mining, in NP problem bruceforce maybe inpractical or even greedy, so I agree that maybe random is better in some cases.

Offline

Board footer

Powered by FluxBB