RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

"lf em 410x brute" reading on wrong memory location: #2511

Closed sueppchen closed 1 month ago

sueppchen commented 1 month ago

When I start lf em 410x brute with a file, its output is

[usb] pm3 --> lf em 410x brute -f /tmp/ids.txt
[+] Loaded 4096 EM Tag IDs from /tmp/ids.txt, pause delay:1000 ms
[=] Bruteforce 1 / 4096: simulating EM Tag ID AE17110000
[=] ............
[=] Bruteforce 2 / 4096: simulating EM Tag ID AE17110001
[=] ............
[=] Bruteforce 3 / 4096: simulating EM Tag ID AE17110002
[=] ............
[=] Bruteforce 4 / 4096: simulating EM Tag ID AE17110003
[=] ............
[=] Bruteforce 5 / 4096: simulating EM Tag ID AE171100B1
[=] ............
[=] Bruteforce 6 / 4096: simulating EM Tag ID 6E00000000
[=] ............
[=] Bruteforce 7 / 4096: simulating EM Tag ID 0000C00700
[=] ............
[=] Bruteforce 8 / 4096: simulating EM Tag ID 7013720000
[=] ............
[=] Bruteforce 9 / 4096: simulating EM Tag ID C007007013
[=] ............
[=] Bruteforce 10 / 4096: simulating EM Tag ID 72000000BE
[=] ............
[=] Bruteforce 11 / 4096: simulating EM Tag ID 0370137200
[=] ............
[=] Bruteforce 12 / 4096: simulating EM Tag ID 0000BE0370
[=] ............
[=] Bruteforce 13 / 4096: simulating EM Tag ID 137200000C
[=] ............
[=] Bruteforce 14 / 4096: simulating EM Tag ID AE1711000D
[=] ............
[=] Bruteforce 15 / 4096: simulating EM Tag ID AE1711000E
[=] ............
[=] Bruteforce 16 / 4096: simulating EM Tag ID AE1711000F
[=] ............
[=] Bruteforce 17 / 4096: simulating EM Tag ID AE17110010
[=] ............
[=] Bruteforce 18 / 4096: simulating EM Tag ID AE17110011
[=] ............
[!] ⚠️ aborted via keyboard!

but the file contents are

$:/tmp$ head ids.txt -n 20
AE17110000
AE17110001
AE17110002
AE17110003
AE17110004
AE17110005
AE17110006
AE17110007
AE17110008
AE17110009
AE1711000A
AE1711000B
AE1711000C
AE1711000D
AE1711000E
AE1711000F
AE17110010
AE17110011
AE17110012
AE17110013
-- > shorted here < --

Sometimes the client crashes with a memory access error; sometimes it works, but gives strange output.

MCU....... AT91SAM7S512 Rev A
Memory.... 512 KB ( 65% used )

Client.... Iceman/master/v4.18994-65-g805dc99b9-dirty 2024-09-15 22:40:40
Bootrom... Iceman/master/v4.18994-65-g805dc99b9-dirty-suspect 2024-09-15 22:15:06 
OS........ Iceman/master/v4.18994-65-g805dc99b9-dirty-suspect 2024-09-15 22:40:44 
Target.... PM3 GENERIC

OS = ubuntu 22.4

Any suggestions on how to fix this?

greetz sueppchen

iceman1001 commented 1 month ago

Sounds like a bug to me. Haven't run this 4x01 brute in quite some years.

sueppchen commented 1 month ago

I've never used this because it is ... let's say a little old-fashioned. But AEG e-bikes with their PROKEY anti-theft use it.

The bug must be somewhere in the file cmdlfem410x.c,

in line 536 ff. or in the loop from line 596 to line 606.

When I shorten the list to 1024 entries, it quits with

Loaded 1024 EM Tag IDs from /home/sueppchen/software/_dev/nfc/proxmark/short.txt, pause delay:1000 ms
[=] Bruteforce 1 / 1024: simulating EM Tag ID AE17110000
malloc(): unaligned tcache chunk detected
/usr/local/bin/pm3: Zeile 249: 341022 Abgebrochen $CLIENT "$@"

When I shorten the list to 512 entries, it works for the first 4 and then reads garbage from memory; same with 256.

When shortened to 249, it works... 249 is a strange number in the digital world.

Maybe that helps to find the bug.
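The symptoms above (IDs read back correctly for the first few entries, then garbage, then a heap-corruption abort that depends on the list length) are what a loader looks like when it writes or reads past the array it allocated for the ID list. The loader below is an added example for this thread, not the proxmark3 client's code, and makes no claim about where the real defect in cmdlfem410x.c is; it shows the shape such a routine has to have for the file format the command reads (one 10-hex-digit EM410x ID per line): the array is grown before every store so the count can never exceed the allocation, and malformed lines are rejected rather than parsed past their end.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EM410X_HEXLEN 10   /* a 40-bit EM410x ID is 10 hex digits per line */
/* Parse one line of `len` bytes: 1 and *id set on a well-formed ID, 0 otherwise. */
static int em410x_parse_line(const char *s, size_t len, uint64_t *id) {
    uint64_t v = 0;
    size_t n = 0;
    while (n < len && isxdigit((unsigned char)s[n])) {
        int c = toupper((unsigned char)s[n]);
        v = (v << 4) | (uint64_t)(c > '9' ? c - 'A' + 10 : c - '0');
        n++;
    }
    if (n != EM410X_HEXLEN) return 0;          /* too short, too long, or not hex */
    for (; n < len; n++)                        /* only CR / whitespace may follow */
        if (!isspace((unsigned char)s[n])) return 0;
    *id = v;
    return 1;
}

/* Load IDs from a NUL-terminated text buffer, one per line. Returns the count;
   *out is heap memory the caller frees; *skipped counts rejected non-empty lines. */
size_t em410x_load_ids(const char *text, uint64_t **out, size_t *skipped) {
    size_t cap = 16, count = 0;
    uint64_t *ids = malloc(cap * sizeof *ids);
    *out = NULL; *skipped = 0;
    if (ids == NULL) return 0;
    for (const char *p = text; *p != '\0';) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        uint64_t id;
        if (em410x_parse_line(p, len, &id)) {
            if (count == cap) {                 /* grow BEFORE storing, never after */
                uint64_t *grown = realloc(ids, cap * 2 * sizeof *ids);
                if (grown == NULL) { free(ids); return 0; }
                ids = grown; cap *= 2;
            }
            ids[count++] = id;
        } else if (len > 0) {
            (*skipped)++;                       /* empty lines are simply ignored */
        }
        if (nl == NULL) break;
        p = nl + 1;
    }
    *out = ids;
    return count;
}
```

The sample text in the test is constructed; a file loader would read the file into a buffer and hand it to em410x_load_ids unchanged.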

iceman1001 commented 1 month ago

Pull latest and see if the bug is fixed.