Add: noPass3.310: new Patch for fw v3.1.0

toniebox-reverse-engineering · Apr 20, 2021 · 79a1c6e · 79a1c6e
1 parent 2c092b8
commit 79a1c6e
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 5 deletions.
diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json
@@ -29,14 +29,14 @@
         "watchdog": true,
         "ofwFix": true,
         "ofwSimBL": true,
-        "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"]
+        "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.310", "noPrivacy.305", "uidCheck.307"]
     },
     "ofw3": {
         "checkHash": true,
         "hashFile": false,
         "watchdog": true,
         "ofwFix": true,
-        "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"]
+        "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.310", "noPrivacy.305", "uidCheck.307"]
     },
     "cfw1": {
         "checkHash": false,

diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.310.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.310.json
@@ -0,0 +1,37 @@
+{
+    "general": {
+        "_desc": "After two failed tag passwords attempts, the box may try it without a password and shut down the rfid for a moment.",
+        "_memPos": "",
+        "_fwVer": "3.1.0+"
+    },
+    "positions": [{
+        "_id": 0,
+        "_name": "rfidFieldRegisterSet?",
+        "offset": 0,
+        "search":  ["??", "b5", "11", "??", "??", "78", "2a", "b9", "??", "??", "??", "??", "4f", "f4", "a9", "50"]
+    },{
+        "_id": 1,
+        "_name": "rfidReset?",
+        "offset": 0,
+        "search":  ["??", "b5", "??", "??", "??", "78", "??", "46", "33", "b1", "00", "22"]
+    },{
+        "_id": 2,
+        "_name": "bne LAB_AfterPwSuccess",
+        "offset": 4,
+        "search":  ["05", "28", "??", "46"],
+        "deasmAddress": true
+    }],
+    "searchAndReplace": [{
+        "search":  ["4f", "f0", "??", "31", "??", "aa", "00", "20", "??", "91", "??", "??", "??", "??", "05", "28",
+            "??", "46", "??", "d1",
+            "??", "49",
+            "??", "48", "??", "??",
+            "??", "??"],
+        "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "00", "26",
+            {"asm":{"instr": "bl", "param":"p0", "length": 4}}, 
+            "10", "20",
+            {"asm":{"instr": "bl", "param":"p1", "length": 4}},
+            {"asm":{"instr": "b", "param":"p2", "length": 2}}
+        ]
+    }]
+}
diff --git a/wiki/OFWPatches.md b/wiki/OFWPatches.md
@@ -14,8 +14,7 @@ Usally the toniebox checks if the tag has exactly 8 blocks. The check allows the
 ### Block count <=8 ([blockCheckRemove.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json) / [blockCheckRemove.308.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.308.json))
 Usally the toniebox checks if the tag has exactly 8 blocks. The check allows the tag to have less than that.
 
-### No privacy password ([noPass3.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json))
-*Deprecated replaced with noPass3.305*
+### No privacy password ([noPass3.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.310.json) / [noPass3.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json))
 Usally doesn't allow tags without the boxine specific or the NXP specific privacy mode password. With the patch you can use tags without having privacy password support (ex. SLIX). It disables the rf field for a moment when the second privacy password failed. This patch uses the new dynamic patching engine to generate dynamic arm asm bytecode.
 
 ### Second privacy password to 00000000 ([secondPwZero.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/secondPwZero.305.json))
@@ -54,5 +53,5 @@ Handy patch to debug the OFW and to verify and test patches.
 Usally doesn't allow tags without the boxine specific or the NXP specific privacy mode password. With the patch you can use tags without having privacy password support (ex. SLIX).
 
 ### No privacy password ([noPass2.308.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass2.308.json))
-*Deprecated replaced with noPass3.305*
+*Deprecated replaced with noPass3*
 Usally doesn't allow tags without the boxine specific or the NXP specific privacy mode password. With the patch you can use tags without having privacy password support (ex. SLIX). It disables the rf field for a moment when the second privacy password failed.