From c0765c1114ad865fb0417f31f44b987553eb6cdf Mon Sep 17 00:00:00 2001 From: MX <10697207+xMasterX@users.noreply.github.com> Date: Tue, 4 Oct 2022 03:15:28 +0300 Subject: [PATCH] rfid fuzzer H10301 support and bug fixes
---
applications/plugins/flipfrid/flipfrid.h | 1 + .../scene/flipfrid_scene_entrypoint.c | 15 ++- .../flipfrid/scene/flipfrid_scene_load_file.c | 14 +++ .../scene/flipfrid_scene_run_attack.c | 119 ++++++++++++++++++ .../scene/flipfrid_scene_select_field.c | 7 ++ .../rfidfuzzer/example_uids_h10301.txt | 8 ++ 6 files changed, 159 insertions(+), 5 deletions(-) create mode 100644 assets/resources/rfidfuzzer/example_uids_h10301.txt
diff --git a/applications/plugins/flipfrid/flipfrid.h b/applications/plugins/flipfrid/flipfrid.h
index b9c17e659..5d3515c4d 100644
--- a/applications/plugins/flipfrid/flipfrid.h
+++ b/applications/plugins/flipfrid/flipfrid.h
@@ -32,6 +32,7 @@ typedef enum {
 EM4100,
 HIDProx,
 PAC,
+ H10301,
 } FlipFridProtos;
 typedef enum {
diff --git a/applications/plugins/flipfrid/scene/flipfrid_scene_entrypoint.c b/applications/plugins/flipfrid/scene/flipfrid_scene_entrypoint.c
index a7337b3ce..8bd5d72ff 100644
--- a/applications/plugins/flipfrid/scene/flipfrid_scene_entrypoint.c
+++ b/applications/plugins/flipfrid/scene/flipfrid_scene_entrypoint.c
@@ -1,7 +1,7 @@
 #include "flipfrid_scene_entrypoint.h"
 string_t menu_items[4];
-string_t menu_proto_items[3];
+string_t menu_proto_items[4];
 void flipfrid_scene_entrypoint_menu_callback(
 FlipFridState* context,
@@ -45,6 +45,10 @@ void flipfrid_scene_entrypoint_menu_callback(
 context->proto = PAC;
 string_set_str(context->proto_name, "PAC/Stanley");
 break;
+ case H10301:
+ context->proto = H10301;
+ string_set_str(context->proto_name, "H10301");
+ break;
 default:
 break;
 }
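Review bot: The number of protocols is now a hand-maintained literal in at least five places — `menu_proto_items[4]` here, the two `i < 4` loops in on_enter/on_exit and the `menu_proto_index < H10301` bounds in on_event/on_draw in the following hunks — so every future protocol has to touch all of them in step. A trailing sentinel on `FlipFridProtos` (for example `FlipFridProtosMax`, a constructed name) would let them all derive from one definition: `string_t menu_proto_items[FlipFridProtosMax];`, `for(uint32_t i = 0; i < FlipFridProtosMax; i++)` and `if(context->menu_proto_index < FlipFridProtosMax - 1)`. The `< H10301` comparisons also silently rely on H10301 being the last enumerator, which the header hunk does not state; a comment on the enum, `// keep the last entry in sync with the protocol menu bounds`, would at least make that dependency visible.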
@@ -70,13 +74,14 @@ void flipfrid_scene_entrypoint_on_enter(FlipFridState* context) {
 string_set(menu_items[3], "Load uids from file");
 context->menu_proto_index = 0;
- for(uint32_t i = 0; i < 3; i++) {
+ for(uint32_t i = 0; i < 4; i++) {
 string_init(menu_proto_items[i]);
 }
 string_set(menu_proto_items[0], "EM4100");
 string_set(menu_proto_items[1], "HIDProx");
 string_set(menu_proto_items[2], "PAC/Stanley");
+ string_set(menu_proto_items[3], "H10301");
 }
 void flipfrid_scene_entrypoint_on_exit(FlipFridState* context) {
@@ -85,7 +90,7 @@ void flipfrid_scene_entrypoint_on_exit(FlipFridState* context) {
 string_clear(menu_items[i]);
 }
- for(uint32_t i = 0; i < 3; i++) {
+ for(uint32_t i = 0; i < 4; i++) {
 string_clear(menu_proto_items[i]);
 }
 }
@@ -114,7 +119,7 @@ void flipfrid_scene_entrypoint_on_event(FlipFridEvent event, FlipFridState* cont
 }
 break;
 case InputKeyRight:
- if(context->menu_proto_index < PAC) {
+ if(context->menu_proto_index < H10301) {
 context->menu_proto_index++;
 }
 break;
@@ -186,7 +191,7 @@ void flipfrid_scene_entrypoint_on_draw(Canvas* canvas, FlipFridState* context) {
 canvas_set_font(canvas, FontPrimary);
 canvas_draw_str_aligned(canvas, 101, 4, AlignCenter, AlignTop, ">");
- if(context->menu_proto_index < PAC) {
+ if(context->menu_proto_index < H10301) {
 canvas_set_font(canvas, FontSecondary);
 canvas_draw_str_aligned(
 canvas,
diff --git a/applications/plugins/flipfrid/scene/flipfrid_scene_load_file.c b/applications/plugins/flipfrid/scene/flipfrid_scene_load_file.c
index 10ae624cf..92f947719 100644
--- a/applications/plugins/flipfrid/scene/flipfrid_scene_load_file.c
+++ b/applications/plugins/flipfrid/scene/flipfrid_scene_load_file.c
@@ -51,6 +51,13 @@ bool flipfrid_load(FlipFridState* context, const char* file_path) {
 string_set_str(context->notification_msg, "Unsupported Key type");
 break;
 }
+ } else if(context->proto == H10301) {
+ if(strcmp(string_get_cstr(temp_str), "H10301") != 0) {
+ FURI_LOG_E(TAG, "Unsupported Key type");
+ string_reset(context->notification_msg);
+ string_set_str(context->notification_msg, "Unsupported Key type");
+ break;
+ }
 } else {
 if(strcmp(string_get_cstr(temp_str), "HIDProx") != 0) {
 FURI_LOG_E(TAG, "Unsupported Key type");
@@ -84,6 +91,13 @@ bool flipfrid_load(FlipFridState* context, const char* file_path) {
 string_set_str(context->notification_msg, "Incorrect Key length");
 break;
 }
+ } else if(context->proto == H10301) {
+ if(string_size(context->data_str) != 8) {
+ FURI_LOG_E(TAG, "Incorrect Key length");
+ string_reset(context->notification_msg);
+ string_set_str(context->notification_msg, "Incorrect Key length");
+ break;
+ }
 } else {
 if(string_size(context->data_str) != 17) {
 FURI_LOG_E(TAG, "Incorrect Key length");
diff --git a/applications/plugins/flipfrid/scene/flipfrid_scene_run_attack.c b/applications/plugins/flipfrid/scene/flipfrid_scene_run_attack.c
index f46955b2d..f50f781ed 100644
--- a/applications/plugins/flipfrid/scene/flipfrid_scene_run_attack.c
+++ b/applications/plugins/flipfrid/scene/flipfrid_scene_run_attack.c
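Review bot: The `!= 8` in the second hunk is an unexplained literal, and both new H10301 branches are byte-for-byte copies of the neighbouring branches with only the name and length swapped; a comment such as `// 3 data bytes, two hex digits each plus separators` would at least say where 8 comes from. Reading the visible lengths together (17 for HIDProx here, 8 for H10301) suggests a per-protocol table of `{ .name, .data_len }` indexed by `context->proto` would replace both if/else chains with one lookup and the same three-line error path, so the next protocol is a table row rather than two more copied blocks. `flipfrid_load` begins before the first hunk and continues after the second, so the surrounding loop and the `break` targets are not visible here.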
@@ -60,6 +60,23 @@ uint8_t id_list_pac[17][4] = {
 {0xCA, 0xCA, 0xCA, 0xCA}, // From arha
 };
+uint8_t id_list_h[14][3] = {
+ {0x00, 0x00, 0x00}, // Null bytes
+ {0xFF, 0xFF, 0xFF}, // Only FF
+ {0x11, 0x11, 0x11}, // Only 11
+ {0x22, 0x22, 0x22}, // Only 22
+ {0x33, 0x33, 0x33}, // Only 33
+ {0x44, 0x44, 0x44}, // Only 44
+ {0x55, 0x55, 0x55}, // Only 55
+ {0x66, 0x66, 0x66}, // Only 66
+ {0x77, 0x77, 0x77}, // Only 77
+ {0x88, 0x88, 0x88}, // Only 88
+ {0x99, 0x99, 0x99}, // Only 99
+ {0x12, 0x34, 0x56}, // Incremental UID
+ {0x56, 0x34, 0x12}, // Decremental UID
+ {0xCA, 0xCA, 0xCA}, // From arha
+};
+
 void flipfrid_scene_run_attack_on_enter(FlipFridState* context) {
 context->attack_step = 0;
 context->dict = protocol_dict_alloc(lfrfid_protocols, LFRFIDProtocolMax);
@@ -68,6 +85,8 @@ void flipfrid_scene_run_attack_on_enter(FlipFridState* context) {
 context->protocol = protocol_dict_get_protocol_by_name(context->dict, "HIDProx");
 } else if(context->proto == PAC) {
 context->protocol = protocol_dict_get_protocol_by_name(context->dict, "PAC/Stanley");
+ } else if(context->proto == H10301) {
+ context->protocol = protocol_dict_get_protocol_by_name(context->dict, "H10301");
 } else {
 context->protocol = protocol_dict_get_protocol_by_name(context->dict, "EM4100");
 }
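Review bot: `id_list_h` is a writable, externally visible global whose element count (14) is repeated as the literal `13` in the on_tick end-of-list check further down, so the two can drift apart silently. Declaring it `static const uint8_t id_list_h10301[][3] = { … };` keeps the table out of writable RAM, names it consistently with `id_list_pac`/`id_list_hid`, and lets the walk stop at `sizeof(id_list_h10301) / sizeof(id_list_h10301[0]) - 1` instead of a hand-synchronised number. The same remark applies to the pre-existing `id_list_pac[17][4]` visible in the context, which is outside this change.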
@@ -127,6 +146,21 @@ void flipfrid_scene_run_attack_on_tick(FlipFridState* context) {
 context->attack_step++;
 }
 break;
+ } else if(context->proto == H10301) {
+ context->payload[0] = id_list_h[context->attack_step][0];
+ context->payload[1] = id_list_h[context->attack_step][1];
+ context->payload[2] = id_list_h[context->attack_step][2];
+
+ if(context->attack_step == 13) {
+ context->attack_step = 0;
+ counter = 0;
+ context->is_attacking = false;
+ notification_message(context->notify, &sequence_blink_stop);
+ notification_message(context->notify, &sequence_single_vibro);
+ } else {
+ context->attack_step++;
+ }
+ break;
 } else {
 context->payload[0] = id_list_hid[context->attack_step][0];
 context->payload[1] = id_list_hid[context->attack_step][1];
@@ -172,6 +206,21 @@ void flipfrid_scene_run_attack_on_tick(FlipFridState* context) {
 context->payload[2] = 0x00;
 context->payload[3] = 0x00;
+ if(context->attack_step == 255) {
+ context->attack_step = 0;
+ counter = 0;
+ context->is_attacking = false;
+ notification_message(context->notify, &sequence_blink_stop);
+ notification_message(context->notify, &sequence_single_vibro);
+ } else {
+ context->attack_step++;
+ }
+ break;
+ } else if(context->proto == H10301) {
+ context->payload[0] = context->attack_step;
+ context->payload[1] = 0x00;
+ context->payload[2] = 0x00;
+
 if(context->attack_step == 255) {
 context->attack_step = 0;
 counter = 0;
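Review bot: The five-statement "stop the run and notify" sequence (`attack_step = 0; counter = 0; is_attacking = false;` plus the two `notification_message` calls) is pasted verbatim into each new branch — twice in this line's hunks, twice more in the next hunk and once in the file-load branch — and in the second hunk here the copy added after `payload[3] = 0x00;` sits directly above the pre-existing identical block that the new H10301 branch now falls into, which is hard to read as intentional. A small static helper would make each branch a three-line if/else and guarantee every protocol ends the run the same way; assuming `counter` is file-scope, as its unqualified use in the hunk suggests, the helper can reset it too. The `== 13` in the first hunk is the last index of `id_list_h` and should be derived from the table size (`ID_LIST_H_LAST` below is a constructed name standing for `sizeof(id_list_h) / sizeof(id_list_h[0]) - 1`). `flipfrid_scene_run_attack_on_tick` starts and ends outside both hunks.
```c
/* Ends the current attack run, stops the blink and plays the final sequence; shared by every protocol branch. */
static void flipfrid_attack_finish(FlipFridState* context, const NotificationSequence* done_seq) {
    context->attack_step = 0;
    counter = 0;
    context->is_attacking = false;
    notification_message(context->notify, &sequence_blink_stop);
    notification_message(context->notify, done_seq);
}

// … unchanged: on_tick up to the H10301 default-list branch …
if(context->attack_step == ID_LIST_H_LAST) {
    flipfrid_attack_finish(context, &sequence_single_vibro);
} else {
    context->attack_step++;
}
break;
```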
@@ -231,6 +280,24 @@ void flipfrid_scene_run_attack_on_tick(FlipFridState* context) {
 context->payload[context->key_index] = context->attack_step;
+ if(context->attack_step == 255) {
+ context->attack_step = 0;
+ counter = 0;
+ context->is_attacking = false;
+ notification_message(context->notify, &sequence_blink_stop);
+ notification_message(context->notify, &sequence_single_vibro);
+ break;
+ } else {
+ context->attack_step++;
+ }
+ break;
+ } else if(context->proto == H10301) {
+ context->payload[0] = context->data[0];
+ context->payload[1] = context->data[1];
+ context->payload[2] = context->data[2];
+
+ context->payload[context->key_index] = context->attack_step;
+
 if(context->attack_step == 255) {
 context->attack_step = 0;
 counter = 0;
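Review bot: The `break;` added inside the `if(context->attack_step == 255) { … }` block is redundant — the `break;` after the matching `else` ends the same case either way — and it makes this copy of the finish sequence differ from the others for no reason; drop the inner one. In the new H10301 branch, `context->payload[context->key_index] = context->attack_step;` writes whichever index the field-select scene left in `key_index`, but only `payload[0..2]` carry this protocol's data; if `key_index` is not re-bounded per protocol (the bound is not visible here, and the `key_index = 0` reset added on Back in select_field suggests stale values have occurred), a leftover index from a 6-byte protocol fuzzes a byte that is never transmitted. A guard such as `if(context->key_index < 3)` before the write, or clamping `key_index` when the protocol changes, would close that path. The enclosing `flipfrid_scene_run_attack_on_tick` starts and ends outside the hunk.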
@@ -342,6 +409,44 @@ void flipfrid_scene_run_attack_on_tick(FlipFridState* context) {
 context->payload[i] = (uint8_t)strtol(temp_str, NULL, 16);
 }
 break;
+ } else if(context->proto == H10301) {
+ bool end_of_list = false;
+ while(true) {
+ string_reset(context->data_str);
+ if(!stream_read_line(context->uids_stream, context->data_str)) {
+ context->attack_step = 0;
+ counter = 0;
+ context->is_attacking = false;
+ notification_message(context->notify, &sequence_blink_stop);
+ notification_message(context->notify, &sequence_single_vibro);
+ stream_rewind(context->uids_stream);
+ end_of_list = true;
+ break;
+ };
+ if(string_get_char(context->data_str, 0) == '#') continue;
+ if(string_size(context->data_str) != 7) break;
+ break;
+ }
+ if(end_of_list) break;
+ FURI_LOG_D(TAG, string_get_cstr(context->data_str));
+ if(string_size(context->data_str) != 7) {
+ context->attack_step = 0;
+ counter = 0;
+ context->is_attacking = false;
+ notification_message(context->notify, &sequence_blink_stop);
+ notification_message(context->notify, &sequence_error);
+ break;
+ };
+
+ // string is valid, parse it in context->payload
+ for(uint8_t i = 0; i < 3; i++) {
+ char temp_str[3];
+ temp_str[0] = string_get_cstr(context->data_str)[i * 2];
+ temp_str[1] = string_get_cstr(context->data_str)[i * 2 + 1];
+ temp_str[2] = '\0';
+ context->payload[i] = (uint8_t)strtol(temp_str, NULL, 16);
+ }
+ break;
 } else {
 bool end_of_list = false;
 while(true) {
@@ -395,6 +500,12 @@ void flipfrid_scene_run_attack_on_tick(FlipFridState* context) {
 } else {
 counter++;
 }
+ } else if(context->proto == H10301) {
+ if(counter > 10) {
+ counter = 0;
+ } else {
+ counter++;
+ }
 } else {
 if(counter > TIME_BETWEEN_CARDS) {
 counter = 0;
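Review bot: `FURI_LOG_D(TAG, string_get_cstr(context->data_str));` hands a line read from the user-supplied UID file to the logger as its format string, so any `%` sequence in that line is interpreted rather than printed; log it as data, `FURI_LOG_D(TAG, "%s", string_get_cstr(context->data_str));`, and apply the same fix to the pre-existing protocol branches below the hunk if they log the line the same way. The read loop is also misleading: `if(string_size(...) != 7) break;` is immediately followed by an unconditional `break;`, so the loop leaves after the first non-comment line regardless and the only effective length check is the one after `if(end_of_list) break;` — delete the dead check or drop the loop to a single read-and-skip-comments step. The 7 counts the line terminator (the new example file even says "keep empty line at the end!"), so a last line without a newline is rejected with `sequence_error`; stripping the terminator and validating six hex characters (`isxdigit` on each, or `strtol` with an end pointer instead of `NULL`) would make the format forgiving and stop malformed pairs from silently becoming 0x00. `flipfrid_scene_run_attack_on_tick` starts and ends outside the hunk.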
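Review bot: In the second hunk the H10301 branch re-arms after `counter > 10` while the fallback branch beneath it uses the named `TIME_BETWEEN_CARDS`, so the new protocol's timing is an unexplained literal sitting next to a named constant for the same thing. If a shorter gap is deliberate for this protocol, give it a name and a one-line reason, e.g. `#define TIME_BETWEEN_CARDS_H10301 10 // H10301 frames are short; resend sooner`; otherwise use `TIME_BETWEEN_CARDS` so all protocols share one value.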
@@ -474,6 +585,14 @@ void flipfrid_scene_run_attack_on_draw(Canvas* canvas, FlipFridState* context) {
 context->payload[1],
 context->payload[2],
 context->payload[3]);
+ } else if(context->proto == H10301) {
+ snprintf(
+ uid,
+ sizeof(uid),
+ "%02X:%02X:%02X",
+ context->payload[0],
+ context->payload[1],
+ context->payload[2]);
 } else {
 snprintf(
 uid,
diff --git a/applications/plugins/flipfrid/scene/flipfrid_scene_select_field.c b/applications/plugins/flipfrid/scene/flipfrid_scene_select_field.c
index 6e4d5c6c4..f69a096d1 100644
--- a/applications/plugins/flipfrid/scene/flipfrid_scene_select_field.c
+++ b/applications/plugins/flipfrid/scene/flipfrid_scene_select_field.c
@@ -10,6 +10,12 @@ void flipfrid_center_displayed_key(FlipFridState* context, uint8_t index) {
 if(context->proto == EM4100) {
 key_len = 16;
 }
+ if(context->proto == PAC) {
+ key_len = 13;
+ }
+ if(context->proto == H10301) {
+ key_len = 10;
+ }
 for(uint8_t i = 0; i < data_len; i++) {
 if(context->data[i] < 9) {
@@ -119,6 +125,7 @@ void flipfrid_scene_select_field_on_event(FlipFridEvent event, FlipFridState* co
 context->current_scene = SceneAttack;
 break;
 case InputKeyBack:
+ context->key_index = 0;
 string_reset(context->notification_msg);
 context->current_scene = SceneSelectFile;
 break;
diff --git a/assets/resources/rfidfuzzer/example_uids_h10301.txt b/assets/resources/rfidfuzzer/example_uids_h10301.txt
new file mode 100644
index 000000000..95ea9ac28
--- /dev/null
+++ b/assets/resources/rfidfuzzer/example_uids_h10301.txt
@@ -0,0 +1,8 @@
+# Example file, P.S. keep empty line at the end!
+000000
+F00000
+E00000
+FE0000
+CAFE00
+00CAFE
+0000CA
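Review bot: In `flipfrid_center_displayed_key` the three separate `if(context->proto == …)` statements on `key_len` read as independent conditions even though exactly one can match, and the values 16/13/10 are unexplained; a `switch(context->proto)` with `case PAC: key_len = 13; break;` per protocol and a `default:` that keeps the prior value makes the one-of-N intent explicit and gives the compiler a place to warn when a new enumerator is missing. What `key_len` measures is set before the hunk and is not visible here, so a short comment on whichever line defines it (or on each case) saying what unit the numbers are in would help the next person adding a protocol. The function starts outside the hunk and its `for` loop continues past it.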