Mirror/Momentum-Firmware
1
0
Fork 0
mirror of https://github.com/Next-Flip/Momentum-Firmware.git synced 2026-05-23 05:24:46 -07:00
Code Issues Packages Projects Releases Wiki Activity

Fuzzer App: worker add RFID

Browse Source
This commit is contained in:
gid9798
2023-06-03 14:24:27 +03:00
parent 70edcf3f6a
commit d3a260e441
13 changed files with 365 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

255
applications/external/pacs_fuzzer/lib/worker/fake_worker.c vendored Normal file
View File

@@ -0,0 +1,255 @@
#include "fake_worker.h"
#include <furi.h>
#include <timer.h>
#if defined(RFID_125_PROTOCOL)
#else
#endif
#if defined(RFID_125_PROTOCOL)
#include <lib/lfrfid/lfrfid_worker.h>
#include <lfrfid/protocols/lfrfid_protocols.h>
#else
#include <lib/ibutton/ibutton_worker.h>
#include <lib/ibutton/ibutton_key.h>
#endif
#include <toolbox/stream/stream.h>
struct FuzzerWorker {
#if defined(RFID_125_PROTOCOL)
LFRFIDWorker* proto_worker;
ProtocolId protocol_id;
ProtocolDict* protocols_items;
#else
iButtonWorker* proto_worker;
iButtonProtocolId protocol_id; // TODO
iButtonProtocols* protocols_items;
iButtonKey* key;
#endif
const FuzzerProtocol* protocol;
FuzzerWorkerAttackType attack_type;
uint8_t timeer_delay;
uint8_t payload[MAX_PAYLOAD_SIZE];
Stream* uids_stream;
uint16_t index;
bool treead_running;
FuriTimer* timer;
FuzzerWorkerUidChagedCallback tick_callback;
void* tick_context;
FuzzerWorkerEndCallback end_callback;
void* end_context;
};
static bool fuzzer_worker_load_key(FuzzerWorker* worker, bool next) {
furi_assert(worker);
furi_assert(worker->protocol);
bool res = false;
const FuzzerProtocol* protocol = worker->protocol;
if(next) {
worker->index++;
}
switch(worker->attack_type) {
case FuzzerWorkerAttackTypeDefaultDict:
if(worker->index < protocol->dict.len) {
memcpy(
worker->payload,
&protocol->dict.val[worker->index * protocol->data_size],
protocol->data_size);
res = true;
}
break;
default:
break;
}
#if defined(RFID_125_PROTOCOL)
protocol_dict_set_data(
worker->protocols_items, worker->protocol_id, worker->payload, MAX_PAYLOAD_SIZE);
#else
ibutton_key_set_protocol_id(worker->key, worker->protocol_id);
iButtonEditableData data;
ibutton_protocols_get_editable_data(worker->protocols_items, worker->key, &data);
// TODO check data.size logic
data.size = MAX_PAYLOAD_SIZE;
memcpy(data.ptr, worker->payload, MAX_PAYLOAD_SIZE); // data.size);
#endif
return res;
}
static void fuzzer_worker_on_tick_callback(void* context) {
furi_assert(context);
FuzzerWorker* worker = context;
if(worker->treead_running) {
#if defined(RFID_125_PROTOCOL)
lfrfid_worker_stop(worker->proto_worker);
#else
ibutton_worker_stop(worker->proto_worker);
#endif
}
if(!fuzzer_worker_load_key(worker, true)) {
fuzzer_worker_stop(worker);
if(worker->end_callback) {
worker->end_callback(worker->end_context);
}
} else {
if(worker->treead_running) {
#if defined(RFID_125_PROTOCOL)
lfrfid_worker_emulate_start(worker->proto_worker, worker->protocol_id);
#else
ibutton_worker_emulate_start(worker->proto_worker, worker->key);
#endif
}
if(worker->tick_callback) {
worker->tick_callback(worker->tick_context);
}
}
}
void fuzzer_worker_get_current_key(FuzzerWorker* worker, uint8_t* key) {
furi_assert(worker);
furi_assert(worker->protocol);
memcpy(key, worker->payload, worker->protocol->data_size);
}
bool fuzzer_worker_attack_dict(FuzzerWorker* worker, FuzzerProtos protocol_index) {
furi_assert(worker);
worker->protocol = &fuzzer_proto_items[protocol_index];
// TODO iButtonProtocolIdInvalid check
#if defined(RFID_125_PROTOCOL)
worker->protocol_id =
protocol_dict_get_protocol_by_name(worker->protocols_items, worker->protocol->name);
#else
worker->protocol_id =
ibutton_protocols_get_id_by_name(worker->protocols_items, worker->protocol->name);
#endif
worker->attack_type = FuzzerWorkerAttackTypeDefaultDict;
worker->index = 0;
return fuzzer_worker_load_key(worker, false);
}
FuzzerWorker* fuzzer_worker_alloc() {
FuzzerWorker* worker = malloc(sizeof(FuzzerWorker));
#if defined(RFID_125_PROTOCOL)
worker->protocols_items = protocol_dict_alloc(lfrfid_protocols, LFRFIDProtocolMax);
worker->proto_worker = lfrfid_worker_alloc(worker->protocols_items);
#else
worker->protocols_items = ibutton_protocols_alloc();
worker->key = ibutton_key_alloc(ibutton_protocols_get_max_data_size(worker->protocols_items));
worker->proto_worker = ibutton_worker_alloc(worker->protocols_items);
#endif
worker->attack_type = FuzzerWorkerAttackTypeMax;
worker->index = 0;
worker->treead_running = false;
memset(worker->payload, 0x00, sizeof(worker->payload));
worker->timeer_delay = FUZZ_TIME_DELAY_DEFAULT;
worker->timer =
furi_timer_alloc(fuzzer_worker_on_tick_callback, FuriTimerTypePeriodic, worker);
return worker;
}
void fuzzer_worker_free(FuzzerWorker* worker) {
furi_assert(worker);
fuzzer_worker_stop(worker);
furi_timer_free(worker->timer);
#if defined(RFID_125_PROTOCOL)
lfrfid_worker_free(worker->proto_worker);
protocol_dict_free(worker->protocols_items);
#else
ibutton_worker_free(worker->proto_worker);
ibutton_key_free(worker->key);
ibutton_protocols_free(worker->protocols_items);
#endif
free(worker);
}
void fuzzer_worker_start(FuzzerWorker* worker, uint8_t timer_dellay) {
furi_assert(worker);
if(worker->attack_type < FuzzerWorkerAttackTypeMax) {
worker->timeer_delay = timer_dellay;
furi_timer_start(worker->timer, furi_ms_to_ticks(timer_dellay * 100));
worker->treead_running = true;
#if defined(RFID_125_PROTOCOL)
lfrfid_worker_start_thread(worker->proto_worker);
lfrfid_worker_emulate_start(worker->proto_worker, worker->protocol_id);
#else
ibutton_worker_start_thread(worker->proto_worker);
ibutton_worker_emulate_start(worker->proto_worker, worker->key);
#endif
}
}
void fuzzer_worker_stop(FuzzerWorker* worker) {
furi_assert(worker);
furi_timer_stop(worker->timer);
if(worker->treead_running) {
#if defined(RFID_125_PROTOCOL)
lfrfid_worker_stop(worker->proto_worker);
lfrfid_worker_stop_thread(worker->proto_worker);
#else
ibutton_worker_stop(worker->proto_worker);
ibutton_worker_stop_thread(worker->proto_worker);
#endif
worker->treead_running = false;
}
// TODO anything else
}
void fuzzer_worker_set_uid_chaged_callback(
FuzzerWorker* worker,
FuzzerWorkerUidChagedCallback callback,
void* context) {
furi_assert(worker);
worker->tick_callback = callback;
worker->tick_context = context;
}
void fuzzer_worker_set_end_callback(
FuzzerWorker* worker,
FuzzerWorkerEndCallback callback,
void* context) {
furi_assert(worker);
worker->end_callback = callback;
worker->end_context = context;
}

40
applications/external/pacs_fuzzer/lib/worker/fake_worker.h vendored Normal file
View File

@@ -0,0 +1,40 @@
#pragma once
#include <stdbool.h>
#include "protocol.h"
typedef enum {
FuzzerWorkerAttackTypeDefaultDict = 0,
FuzzerWorkerAttackTypeLoadFile,
FuzzerWorkerAttackTypeLoadFileCustomUids,
FuzzerWorkerAttackTypeMax,
} FuzzerWorkerAttackType;
typedef void (*FuzzerWorkerUidChagedCallback)(void* context);
typedef void (*FuzzerWorkerEndCallback)(void* context);
typedef struct FuzzerWorker FuzzerWorker;
FuzzerWorker* fuzzer_worker_alloc();
void fuzzer_worker_free(FuzzerWorker* worker);
void fuzzer_worker_start(FuzzerWorker* worker, uint8_t timer_dellay);
void fuzzer_worker_stop(FuzzerWorker* worker);
bool fuzzer_worker_attack_dict(FuzzerWorker* worker, FuzzerProtos protocol_index);
void fuzzer_worker_get_current_key(FuzzerWorker* worker, uint8_t* key);
void fuzzer_worker_set_uid_chaged_callback(
FuzzerWorker* worker,
FuzzerWorkerUidChagedCallback callback,
void* context);
void fuzzer_worker_set_end_callback(
FuzzerWorker* worker,
FuzzerWorkerEndCallback callback,
void* context);

214
applications/external/pacs_fuzzer/lib/worker/protocol.c vendored Normal file
View File

@@ -0,0 +1,214 @@
#include "protocol.h"
// #######################
// ## Ibutton Protocols ##
// #######################
#define DS1990_DATA_SIZE (8)
#define Metakom_DATA_SIZE (4)
#define Cyfral_DATA_SIZE (2)
const uint8_t uid_list_ds1990[][DS1990_DATA_SIZE] = {
{0x01, 0xBE, 0x40, 0x11, 0x5A, 0x36, 0x00, 0xE1}, // код универсального ключа, для Vizit
{0x01, 0xBE, 0x40, 0x11, 0x5A, 0x56, 0x00, 0xBB}, //- проверен работает
{0x01, 0xBE, 0x40, 0x11, 0x00, 0x00, 0x00, 0x77}, //- проверен работает
{0x01, 0xBE, 0x40, 0x11, 0x0A, 0x00, 0x00, 0x1D}, //- проверен работает Визит иногда КЕЙМАНЫ
{0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x2F}, //- проверен(метаком, цифрал, ВИЗИТ).
{0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x9B}, //- проверен Визит, Метакомы, КОНДОР
{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x14}, //???-Открываает 98% Метаком и некоторые Цифрал
{0x01, 0x00, 0x00, 0x00, 0x00, 0x90, 0x19, 0xFF}, //???-Отлично работает на старых домофонах
{0x01, 0x6F, 0x2E, 0x88, 0x8A, 0x00, 0x00, 0x4D}, //???-Открывать что-то должен
{0x01, 0x53, 0xD4, 0xFE, 0x00, 0x00, 0x7E, 0x88}, //???-Cyfral, Metakom
{0x01, 0x53, 0xD4, 0xFE, 0x00, 0x00, 0x00, 0x6F}, //???-домофоны Визит (Vizit) - до 99%
{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3D}, //???-домофоны Cyfral CCD-20 - до 70%
{0x01, 0x00, 0xBE, 0x11, 0xAA, 0x00, 0x00, 0xFB}, //???-домофоны Кейман (KEYMAN)
{0x01, 0x76, 0xB8, 0x2E, 0x0F, 0x00, 0x00, 0x5C}, //???-домофоны Форвард
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // Null bytes
{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x14}, // Only FF
{0x01, 0x78, 0x00, 0x48, 0xFD, 0xFF, 0xFF, 0xD1}, // StarNew Uni5
{0x01, 0xA9, 0xE4, 0x3C, 0x09, 0x00, 0x00, 0xE6}, // Eltis Uni
};
const uint8_t uid_list_metakom[][Metakom_DATA_SIZE] = {
{0x00, 0x00, 0x00, 0x00}, // Null bytes
{0xFF, 0xFF, 0xFF, 0xFF}, // Only FF
{0x11, 0x11, 0x11, 0x11}, // Only 11
{0x22, 0x22, 0x22, 0x22}, // Only 22
{0x33, 0x33, 0x33, 0x33}, // Only 33
{0x44, 0x44, 0x44, 0x44}, // Only 44
{0x55, 0x55, 0x55, 0x55}, // Only 55
{0x66, 0x66, 0x66, 0x66}, // Only 66
{0x77, 0x77, 0x77, 0x77}, // Only 77
{0x88, 0x88, 0x88, 0x88}, // Only 88
{0x99, 0x99, 0x99, 0x99}, // Only 99
{0x12, 0x34, 0x56, 0x78}, // Incremental UID
{0x9A, 0x78, 0x56, 0x34}, // Decremental UID
{0x04, 0xd0, 0x9b, 0x0d}, // ??
{0x34, 0x00, 0x29, 0x3d}, // ??
{0x04, 0xdf, 0x00, 0x00}, // ??
{0xCA, 0xCA, 0xCA, 0xCA}, // ??
};
const uint8_t uid_list_cyfral[][Cyfral_DATA_SIZE] = {
{0x00, 0x00}, // Null bytes
{0xFF, 0xFF}, // Only FF
{0x11, 0x11}, // Only 11
{0x22, 0x22}, // Only 22
{0x33, 0x33}, // Only 33
{0x44, 0x44}, // Only 44
{0x55, 0x55}, // Only 55
{0x66, 0x66}, // Only 66
{0x77, 0x77}, // Only 77
{0x88, 0x88}, // Only 88
{0x99, 0x99}, // Only 99
{0x12, 0x34}, // Incremental UID
{0x56, 0x34}, // Decremental UID
{0xCA, 0xCA}, // ??
{0x8E, 0xC9}, // Elevator code
{0x6A, 0x50}, // VERY fresh code from smartkey
};
// ###########################
// ## Rfid_125khz Protocols ##
// ###########################
#define EM4100_DATA_SIZE (5)
#define HIDProx_DATA_SIZE (6)
#define PAC_DATA_SIZE (4)
#define H10301_DATA_SIZE (3)
const uint8_t uid_list_em4100[][EM4100_DATA_SIZE] = {
{0x00, 0x00, 0x00, 0x00, 0x00}, // Null bytes
{0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, // Only FF
{0x11, 0x11, 0x11, 0x11, 0x11}, // Only 11
{0x22, 0x22, 0x22, 0x22, 0x22}, // Only 22
{0x33, 0x33, 0x33, 0x33, 0x33}, // Only 33
{0x44, 0x44, 0x44, 0x44, 0x44}, // Only 44
{0x55, 0x55, 0x55, 0x55, 0x55}, // Only 55
{0x66, 0x66, 0x66, 0x66, 0x66}, // Only 66
{0x77, 0x77, 0x77, 0x77, 0x77}, // Only 77
{0x88, 0x88, 0x88, 0x88, 0x88}, // Only 88
{0x99, 0x99, 0x99, 0x99, 0x99}, // Only 99
{0x12, 0x34, 0x56, 0x78, 0x9A}, // Incremental UID
{0x9A, 0x78, 0x56, 0x34, 0x12}, // Decremental UID
{0x04, 0xd0, 0x9b, 0x0d, 0x6a}, // From arha
{0x34, 0x00, 0x29, 0x3d, 0x9e}, // From arha
{0x04, 0xdf, 0x00, 0x00, 0x01}, // From arha
{0xCA, 0xCA, 0xCA, 0xCA, 0xCA}, // From arha
};
const uint8_t uid_list_hid[][HIDProx_DATA_SIZE] = {
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // Null bytes
{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, // Only FF
{0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, // Only 11
{0x22, 0x22, 0x22, 0x22, 0x22, 0x22}, // Only 22
{0x33, 0x33, 0x33, 0x33, 0x33, 0x33}, // Only 33
{0x44, 0x44, 0x44, 0x44, 0x44, 0x44}, // Only 44
{0x55, 0x55, 0x55, 0x55, 0x55, 0x55}, // Only 55
{0x66, 0x66, 0x66, 0x66, 0x66, 0x66}, // Only 66
{0x77, 0x77, 0x77, 0x77, 0x77, 0x77}, // Only 77
{0x88, 0x88, 0x88, 0x88, 0x88, 0x88}, // Only 88
{0x99, 0x99, 0x99, 0x99, 0x99, 0x99}, // Only 99
{0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC}, // Incremental UID
{0xBC, 0x9A, 0x78, 0x56, 0x34, 0x12}, // Decremental UID
{0xCA, 0xCA, 0xCA, 0xCA, 0xCA, 0xCA}, // From arha
};
const uint8_t uid_list_pac[][PAC_DATA_SIZE] = {
{0x00, 0x00, 0x00, 0x00}, // Null bytes
{0xFF, 0xFF, 0xFF, 0xFF}, // Only FF
{0x11, 0x11, 0x11, 0x11}, // Only 11
{0x22, 0x22, 0x22, 0x22}, // Only 22
{0x33, 0x33, 0x33, 0x33}, // Only 33
{0x44, 0x44, 0x44, 0x44}, // Only 44
{0x55, 0x55, 0x55, 0x55}, // Only 55
{0x66, 0x66, 0x66, 0x66}, // Only 66
{0x77, 0x77, 0x77, 0x77}, // Only 77
{0x88, 0x88, 0x88, 0x88}, // Only 88
{0x99, 0x99, 0x99, 0x99}, // Only 99
{0x12, 0x34, 0x56, 0x78}, // Incremental UID
{0x9A, 0x78, 0x56, 0x34}, // Decremental UID
{0x04, 0xd0, 0x9b, 0x0d}, // From arha
{0x34, 0x00, 0x29, 0x3d}, // From arha
{0x04, 0xdf, 0x00, 0x00}, // From arha
{0xCA, 0xCA, 0xCA, 0xCA}, // From arha
};
const uint8_t uid_list_h10301[][H10301_DATA_SIZE] = {
{0x00, 0x00, 0x00}, // Null bytes
{0xFF, 0xFF, 0xFF}, // Only FF
{0x11, 0x11, 0x11}, // Only 11
{0x22, 0x22, 0x22}, // Only 22
{0x33, 0x33, 0x33}, // Only 33
{0x44, 0x44, 0x44}, // Only 44
{0x55, 0x55, 0x55}, // Only 55
{0x66, 0x66, 0x66}, // Only 66
{0x77, 0x77, 0x77}, // Only 77
{0x88, 0x88, 0x88}, // Only 88
{0x99, 0x99, 0x99}, // Only 99
{0x12, 0x34, 0x56}, // Incremental UID
{0x56, 0x34, 0x12}, // Decremental UID
{0xCA, 0xCA, 0xCA}, // From arha
};
#if defined(RFID_125_PROTOCOL)
const FuzzerProtocol fuzzer_proto_items[] = {
[EM4100] =
{
.name = "EM4100",
.data_size = EM4100_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_em4100,
.len = sizeof(uid_list_em4100) / EM4100_DATA_SIZE},
},
[HIDProx] =
{
.name = "HIDProx",
.data_size = HIDProx_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_hid,
.len = sizeof(uid_list_hid) / HIDProx_DATA_SIZE},
},
[PAC] =
{
.name = "PAC/Stanley",
.data_size = PAC_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_pac,
.len = sizeof(uid_list_pac) / PAC_DATA_SIZE},
},
[H10301] =
{
.name = "H10301",
.data_size = H10301_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_h10301,
.len = sizeof(uid_list_h10301) / H10301_DATA_SIZE},
},
};
#else
const FuzzerProtocol fuzzer_proto_items[] = {
[DS1990] =
{
.name = "DS1990",
.data_size = DS1990_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_ds1990,
.len = sizeof(uid_list_ds1990) / DS1990_DATA_SIZE},
},
[Metakom] =
{
.name = "Metakom",
.data_size = Metakom_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_metakom,
.len = sizeof(uid_list_metakom) / Metakom_DATA_SIZE},
},
[Cyfral] =
{
.name = "Cyfral",
.data_size = Cyfral_DATA_SIZE,
.dict =
{.val = (const uint8_t*)&uid_list_cyfral,
.len = sizeof(uid_list_cyfral) / Cyfral_DATA_SIZE},
},
};
#endif

57
applications/external/pacs_fuzzer/lib/worker/protocol.h vendored Normal file
View File

@@ -0,0 +1,57 @@
#pragma once
#include <stdint.h>
// #define RFID_125_PROTOCOL
#if defined(RFID_125_PROTOCOL)
#define MAX_PAYLOAD_SIZE 6
#define FUZZ_TIME_DELAY_MIN (5)
#define FUZZ_TIME_DELAY_DEFAULT (10)
#define FUZZ_TIME_DELAY_MAX (70)
#else
#define MAX_PAYLOAD_SIZE 8
#define FUZZ_TIME_DELAY_MIN (4)
#define FUZZ_TIME_DELAY_DEFAULT (8)
#define FUZZ_TIME_DELAY_MAX (80)
#endif
typedef enum {
#if defined(RFID_125_PROTOCOL)
EM4100,
HIDProx,
PAC,
H10301,
#else
DS1990,
Metakom,
Cyfral,
#endif
// Reserved
FuzzerProtoMax,
} FuzzerProtos;
struct ProtoDict {
const uint8_t* val;
const uint8_t len;
};
typedef struct ProtoDict ProtoDict;
struct FuzzerProtocol {
const char* name;
const uint8_t data_size;
const ProtoDict dict;
};
typedef struct FuzzerProtocol FuzzerProtocol;
extern const FuzzerProtocol fuzzer_proto_items[];