[RDV4] upload dictionary files to flashmemory

iceman · 2019-01-01 18:08:13

In order to facilitate more easy usage of rdv4's flashmemory, I have added some possibilites to upload the dictionary files on to device.
These will be used in a stage 2 when running checkkeys or dictionary attack.
I have adapted @bogito's luascript read_pwd_mem.lua to read this out if the parameter -k is used.

Upload all dictionary files to fixed allocated sections in flashmemory

pm3 --> mem load f default_iclass_keys i
[+] loaded 6 keys from dictionary file default_iclass_keys.dic
[+] Wrote 50 bytes to offset 237568
pm3 --> mem load f default_keys m
[+] loaded 606 keys from dictionary file default_keys.dic
[+] Wrote 3638 bytes to offset 241664
pm3 --> mem load f default_pwd t
[+] loaded 104 keys from dictionary file default_pwd.dic
[+] Wrote 418 bytes to offset 245760

Read out passwords / keys from Flashmemory.

pm3 -->scr run read_pwd_mem -o 237568 -k 8
pm3 -->scr run read_pwd_mem -o 241664 -k 6
pm3 -->scr run read_pwd_mem -o 245760 -k 4

iceman · 2019-01-02 12:08:18

Now hf mf fchk can use the on device dictionary. With tweaks to checking algorithm, the speedups are noticable compared with calling it with the file when used against a tag with known keys. Once the dictionary doesn't contain all keys, it goes slower since it has to check all currently 606 keys.

pm3 --> hf mf fchk 1 m
[-] Chunk: 0.4s | found 32/32 keys (0)
[+] Time in checkkeys (fast): 0.4s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|
vs

pm3 --> hf mf fchk 1 default_keys.dic
[+] Loaded 606 keys from default_keys.dic
[+] Running strategy 1
[-] Chunk: 0.4s | found 32/32 keys (85)
[+] Time in checkkeys (fast): 0.4s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| ffffffffffff | 1 | ffffffffffff | 1 |
|001| ffffffffffff | 1 | ffffffffffff | 1 |
|002| ffffffffffff | 1 | ffffffffffff | 1 |
|003| ffffffffffff | 1 | ffffffffffff | 1 |
|004| ffffffffffff | 1 | ffffffffffff | 1 |
|005| ffffffffffff | 1 | ffffffffffff | 1 |
|006| ffffffffffff | 1 | ffffffffffff | 1 |
|007| ffffffffffff | 1 | ffffffffffff | 1 |
|008| ffffffffffff | 1 | ffffffffffff | 1 |
|009| ffffffffffff | 1 | ffffffffffff | 1 |
|010| ffffffffffff | 1 | ffffffffffff | 1 |
|011| ffffffffffff | 1 | ffffffffffff | 1 |
|012| ffffffffffff | 1 | ffffffffffff | 1 |
|013| ffffffffffff | 1 | ffffffffffff | 1 |
|014| ffffffffffff | 1 | ffffffffffff | 1 |
|015| ffffffffffff | 1 | ffffffffffff | 1 |
|---|----------------|---|----------------|---|

3 second difference

pm3 --> hf mf fchk 1 m
..
[-] Chunk: 5.7s | found 32/32 keys (0)
[+] Time in checkkeys (fast): 5.7s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| fc00018778f7 | 1 | 00000ffe2488 | 1 |
|001| fc00018778f7 | 1 | 00000ffe2488 | 1 |
|002| fc00018778f7 | 1 | 00000ffe2488 | 1 |
|003| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|004| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|005| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|006| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|007| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|008| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|009| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|010| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|011| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|012| 54726176656c | 1 | 776974687573 | 1 |
|013| 54726176656c | 1 | 776974687573 | 1 |
|014| 54726176656c | 1 | 776974687573 | 1 |
|015| 54726176656c | 1 | 776974687573 | 1 |
|---|----------------|---|----------------|---|
vs
pm3 --> hf mf fchk 1 default_keys.dic
[+] Loaded 606 keys from default_keys.dic
[+] Running strategy 1
....
[-] Chunk: 8.6s | found 29/32 keys (85)
[-] Chunk: 0.2s | found 32/32 keys (85)
[+] Time in checkkeys (fast): 8.8s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| fc00018778f7 | 1 | 00000ffe2488 | 1 |
|001| fc00018778f7 | 1 | 00000ffe2488 | 1 |
|002| fc00018778f7 | 1 | 00000ffe2488 | 1 |
|003| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|004| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|005| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|006| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|007| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|008| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|009| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|010| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|011| 0297927c0f77 | 1 | ee0042f88840 | 1 |
|012| 54726176656c | 1 | 776974687573 | 1 |
|013| 54726176656c | 1 | 776974687573 | 1 |
|014| 54726176656c | 1 | 776974687573 | 1 |
|015| 54726176656c | 1 | 776974687573 | 1 |
|---|----------------|---|----------------|---|

9 second difference

pm3 --> hf mf fchk 1 m
......
[-] Chunk: 13.6s | found 32/32 keys (0)
[+] Time in checkkeys (fast): 13.6s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 484558414354 | 1 | a22ae129c013 | 1 |
|001| 484558414354 | 1 | 49fae4e3849f | 1 |
|002| 484558414354 | 1 | 38fcf33072e0 | 1 |
|003| 484558414354 | 1 | 8ad5517b4b18 | 1 |
|004| 484558414354 | 1 | 509359f131b1 | 1 |
|005| 484558414354 | 1 | 6c78928e1317 | 1 |
|006| 484558414354 | 1 | aa0720018738 | 1 |
|007| 484558414354 | 1 | a6cac2886412 | 1 |
|008| 484558414354 | 1 | 62d0c424ed8e | 1 |
|009| 484558414354 | 1 | e64a986a5d94 | 1 |
|010| 484558414354 | 1 | 8fa1d601d0a2 | 1 |
|011| 484558414354 | 1 | 89347350bd36 | 1 |
|012| 484558414354 | 1 | 66d2b7dc39ef | 1 |
|013| 484558414354 | 1 | 6bc1e1ae547d | 1 |
|014| 484558414354 | 1 | 22729a9bd40f | 1 |
|015| 484558414354 | 1 | 484558414354 | 1 |
|---|----------------|---|----------------|---|
vs
pm3 --> hf mf fchk 1 default_keys.dic
[+] Loaded 606 keys from default_keys.dic
[+] Running strategy 1
.
[-] Chunk: 2.9s | found 0/32 keys (85)
.
[-] Chunk: 2.9s | found 0/32 keys (85)
.
[-] Chunk: 2.8s | found 0/32 keys (85)
......
[-] Chunk: 13.3s | found 32/32 keys (85)
[+] Time in checkkeys (fast): 22.0s
|---|----------------|---|----------------|---|
|sec|key A |res|key B |res|
|---|----------------|---|----------------|---|
|000| 484558414354 | 1 | a22ae129c013 | 1 |
|001| 484558414354 | 1 | 49fae4e3849f | 1 |
|002| 484558414354 | 1 | 38fcf33072e0 | 1 |
|003| 484558414354 | 1 | 8ad5517b4b18 | 1 |
|004| 484558414354 | 1 | 509359f131b1 | 1 |
|005| 484558414354 | 1 | 6c78928e1317 | 1 |
|006| 484558414354 | 1 | aa0720018738 | 1 |
|007| 484558414354 | 1 | a6cac2886412 | 1 |
|008| 484558414354 | 1 | 62d0c424ed8e | 1 |
|009| 484558414354 | 1 | e64a986a5d94 | 1 |
|010| 484558414354 | 1 | 8fa1d601d0a2 | 1 |
|011| 484558414354 | 1 | 89347350bd36 | 1 |
|012| 484558414354 | 1 | 66d2b7dc39ef | 1 |
|013| 484558414354 | 1 | 6bc1e1ae547d | 1 |
|014| 484558414354 | 1 | 22729a9bd40f | 1 |
|015| 484558414354 | 1 | 484558414354 | 1 |
|---|----------------|---|----------------|---|

iceman · 2019-01-02 21:45:14

Made a little video about it
https://youtu.be/pvwUx00ka6I

Proxmark3 community

Announcement

#1 2019-01-01 18:08:13

[RDV4] upload dictionary files to flashmemory

#2 2019-01-02 12:08:18

Re: [RDV4] upload dictionary files to flashmemory

#3 2019-01-02 21:45:14

Re: [RDV4] upload dictionary files to flashmemory

Board footer