This is the major changes made to the HITAG2 commands. Its heavly bas…

…ed on RFIDLers implementation and its been converted to work with Proxmark3. Special thanks to @kevsecurity for his amazing implementations of the Gone in 360 Seconds paper by Roel, Flavio & Balasch. Thanks to @AdamLaurie for his RFIDler project. It wouldnt been doable without it.
RfidResearchGroup · Apr 22, 2024 · c8849af · c8849af
1 parent fc2a3dd
commit c8849af
Show file tree

Hide file tree

Showing 20 changed files with 2,688 additions and 693 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [unreleased][unreleased]
+- Changed `lf hitag dump --nrar` - now supports attack 1 from "gone in 360 seconds" paper. Thanks @kevsecurity! (@iceman1001)
+- Added `lf hitag selftest` - converted from RFIDLers selftest (@iceman1001)
+- Added `lf hitag chk` - dictionary attack against card (@iceman1001)
+- Added `lf hitag lookup` - verify collected challenges aginst dictionary (@iceman1001)
 - Updated windows workflow to use latest setup-wsl script (@iceman1001)
 - Added a micro second clock in the client (@iceman1001)
 - Fix `hf mfdes read` - buffer overflow when reading large files (@iceman1001)

diff --git a/armsrc/Makefile b/armsrc/Makefile
@@ -71,7 +71,7 @@ else
 endif
 
 ifneq (,$(findstring WITH_HITAG,$(APP_CFLAGS)))
-    SRC_HITAG = hitag2_crypto.c hitag2.c hitagS.c
+    SRC_HITAG = hitag2_crypto.c hitag2.c hitagS.c hitag2_crack.c
     APP_CFLAGS += -I../common/hitag2
 else
     SRC_HITAG =

diff --git a/armsrc/appmain.c b/armsrc/appmain.c
@@ -40,6 +40,7 @@
 #include "thinfilm.h"
 #include "felica.h"
 #include "hitag2.h"
+#include "hitag2_crack.h"
 #include "hitagS.h"
 #include "em4x50.h"
 #include "em4x70.h"
@@ -1131,42 +1132,61 @@ static void PacketReceived(PacketCommandNG *packet) {
 #ifdef WITH_HITAG
         case CMD_LF_HITAG_SNIFF: { // Eavesdrop Hitag tag, args = type
             SniffHitag2(true);
-//            SniffHitag2(packet->oldarg[0]);
+            //hitag_sniff();
             reply_ng(CMD_LF_HITAG_SNIFF, PM3_SUCCESS, NULL, 0);
             break;
         }
         case CMD_LF_HITAG_SIMULATE: { // Simulate Hitag tag, args = memory content
             SimulateHitag2(true);
+            break;        
+        }
+        case CMD_LF_HITAG2_CRACK: {
+            lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
+            ht2_crack(payload->NrAr);
             break;
         }
         case CMD_LF_HITAG_READER: { // Reader for Hitag tags, args = type and function
-            ReaderHitag((hitag_function)packet->oldarg[0], (hitag_data *)packet->data.asBytes, true);
+            lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
+
+            switch (payload->cmd) {
+                case RHT2F_UID_ONLY: {
+                    ht2_read_uid(NULL, true, true, false);
+                    break;
+                }
+                default: {
+                    ReaderHitag(payload, true);
+                    break;
+                }
+            }
             break;
         }
         case CMD_LF_HITAGS_SIMULATE: { // Simulate Hitag s tag, args = memory content
             SimulateHitagSTag((bool)packet->oldarg[0], packet->data.asBytes, true);
             break;
         }
         case CMD_LF_HITAGS_TEST_TRACES: { // Tests every challenge within the given file
-            Hitag_check_challenges(packet->data.asBytes, packet->oldarg[0], true);
+            Hitag_check_challenges(packet->data.asBytes, packet->length, true);
             break;
         }
-        case CMD_LF_HITAGS_READ: { //Reader for only Hitag S tags, args = key or challenge
-            ReadHitagS((hitag_function)packet->oldarg[0], (hitag_data *)packet->data.asBytes, true);
+        case CMD_LF_HITAGS_READ: { // Reader for only Hitag S tags, args = key or challenge
+            lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
+            ReadHitagS(payload, true);
             break;
         }
-        case CMD_LF_HITAGS_WRITE: { //writer for Hitag tags args=data to write,page and key or challenge
-            if ((hitag_function)packet->oldarg[0] < 10) {
-                WritePageHitagS((hitag_function)packet->oldarg[0], (hitag_data *)packet->data.asBytes, packet->oldarg[2], true);
-            } else {
-                WriterHitag((hitag_function)packet->oldarg[0], (hitag_data *)packet->data.asBytes, packet->oldarg[2], true);
-            }
+        case CMD_LF_HITAGS_WRITE: {
+            lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
+            WritePageHitagS(payload, true);
+            break;
+        }
+        case CMD_LF_HITAG2_WRITE: {
+            lf_hitag_data_t *payload = (lf_hitag_data_t *) packet->data.asBytes;
+            WriterHitag(payload, true);
             break;
         }
         case CMD_LF_HITAG_ELOAD: {
             lf_hitag_t *payload = (lf_hitag_t *) packet->data.asBytes;
             uint8_t *mem = BigBuf_get_EM_addr();
-            memcpy((uint8_t *)mem, payload->data, payload->len);
+            memcpy(mem, payload->data, payload->len);
             break;
         }
 #endif