]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfem4x.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
BUG: don't try to fix things that ain't broken.. or not. My try for a fix ended...
[proxmark3-svn] / client / cmdlfem4x.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <inttypes.h>
14 #include "proxmark3.h"
15 #include "ui.h"
16 #include "graph.h"
17 #include "cmdmain.h"
18 #include "cmdparser.h"
19 #include "cmddata.h"
20 #include "cmdlf.h"
21 #include "cmdlfem4x.h"
22 #include "util.h"
23 #include "data.h"
24 #define LF_TRACE_BUFF_SIZE 12000
25 #define LF_BITSSTREAM_LEN 1000
26
27 char *global_em410xId;
28
29 static int CmdHelp(const char *Cmd);
30
31 /* Read the ID of an EM410x tag.
32 * Format:
33 * 1111 1111 1 <-- standard non-repeatable header
34 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
35 * ....
36 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
37 * 0 <-- stop bit, end of tag
38 */
39 int CmdEM410xRead(const char *Cmd)
40 {
41 int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low;
42 int parity[4];
43 char id[11];
44 char id2[11];
45 int retested = 0;
46 uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
47 high = low = 0;
48
49 /* Detect high and lows and clock */
50 for (i = 0; i < GraphTraceLen; i++)
51 {
52 if (GraphBuffer[i] > high)
53 high = GraphBuffer[i];
54 else if (GraphBuffer[i] < low)
55 low = GraphBuffer[i];
56 }
57
58 /* get clock */
59 clock = GetClock(Cmd, high, 0);
60
61 /* parity for our 4 columns */
62 parity[0] = parity[1] = parity[2] = parity[3] = 0;
63 header = rows = 0;
64
65 /* manchester demodulate */
66 bit = bit2idx = 0;
67 for (i = 0; i < (int)(GraphTraceLen / clock); i++)
68 {
69 hithigh = 0;
70 hitlow = 0;
71 first = 1;
72
73 /* Find out if we hit both high and low peaks */
74 for (j = 0; j < clock; j++)
75 {
76 if (GraphBuffer[(i * clock) + j] == high)
77 hithigh = 1;
78 else if (GraphBuffer[(i * clock) + j] == low)
79 hitlow = 1;
80
81 /* it doesn't count if it's the first part of our read
82 because it's really just trailing from the last sequence */
83 if (first && (hithigh || hitlow))
84 hithigh = hitlow = 0;
85 else
86 first = 0;
87
88 if (hithigh && hitlow)
89 break;
90 }
91
92 /* If we didn't hit both high and low peaks, we had a bit transition */
93 if (!hithigh || !hitlow)
94 bit ^= 1;
95
96 BitStream[bit2idx++] = bit;
97 }
98
99 retest:
100 /* We go till 5 before the graph ends because we'll get that far below */
101 for (i = 0; i < bit2idx - 5; i++)
102 {
103 /* Step 2: We have our header but need our tag ID */
104 if (header == 9 && rows < 10)
105 {
106 /* Confirm parity is correct */
107 if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
108 {
109 /* Read another byte! */
110 sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
111 sprintf(id2+rows, "%x", (8 * BitStream[i+3]) + (4 * BitStream[i+2]) + (2 * BitStream[i+1]) + (1 * BitStream[i]));
112 rows++;
113
114 /* Keep parity info */
115 parity[0] ^= BitStream[i];
116 parity[1] ^= BitStream[i+1];
117 parity[2] ^= BitStream[i+2];
118 parity[3] ^= BitStream[i+3];
119
120 /* Move 4 bits ahead */
121 i += 4;
122 }
123
124 /* Damn, something wrong! reset */
125 else
126 {
127 PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i);
128
129 /* Start back rows * 5 + 9 header bits, -1 to not start at same place */
130 i -= 9 + (5 * rows) -5;
131
132 rows = header = 0;
133 }
134 }
135
136 /* Step 3: Got our 40 bits! confirm column parity */
137 else if (rows == 10)
138 {
139 /* We need to make sure our 4 bits of parity are correct and we have a stop bit */
140 if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] &&
141 BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] &&
142 BitStream[i+4] == 0)
143 {
144 /* Sweet! */
145 PrintAndLog("EM410x Tag ID: %s", id);
146 PrintAndLog("Unique Tag ID: %s", id2);
147
148 global_em410xId = id;
149
150 /* Stop any loops */
151 return 1;
152 }
153
154 /* Crap! Incorrect parity or no stop bit, start all over */
155 else
156 {
157 rows = header = 0;
158
159 /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */
160 i -= 59;
161 }
162 }
163
164 /* Step 1: get our header */
165 else if (header < 9)
166 {
167 /* Need 9 consecutive 1's */
168 if (BitStream[i] == 1)
169 header++;
170
171 /* We don't have a header, not enough consecutive 1 bits */
172 else
173 header = 0;
174 }
175 }
176
177 /* if we've already retested after flipping bits, return */
178 if (retested++){
179 return 0;
180 }
181
182 /* if this didn't work, try flipping bits */
183 for (i = 0; i < bit2idx; i++)
184 BitStream[i] ^= 1;
185
186 goto retest;
187 }
188
189 /* emulate an EM410X tag
190 * Format:
191 * 1111 1111 1 <-- standard non-repeatable header
192 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
193 * ....
194 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
195 * 0 <-- stop bit, end of tag
196 */
197 int CmdEM410xSim(const char *Cmd)
198 {
199 int i, n, j, binary[4], parity[4];
200
201 char cmdp = param_getchar(Cmd, 0);
202 uint8_t uid[5] = {0x00};
203
204 if (cmdp == 'h' || cmdp == 'H') {
205 PrintAndLog("Usage: lf em4x sim <UID>");
206 PrintAndLog("");
207 PrintAndLog(" sample: lf em4x sim 0F0368568B");
208 return 0;
209 }
210
211 if (param_gethex(Cmd, 0, uid, 10)) {
212 PrintAndLog("UID must include 10 HEX symbols");
213 return 0;
214 }
215
216 PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X", uid[0],uid[1],uid[2],uid[3],uid[4]);
217 PrintAndLog("Press pm3-button to about simulation");
218
219 /* clock is 64 in EM410x tags */
220 int clock = 64;
221
222 /* clear our graph */
223 ClearGraph(0);
224
225 /* write 9 start bits */
226 for (i = 0; i < 9; i++)
227 AppendGraph(0, clock, 1);
228
229 /* for each hex char */
230 parity[0] = parity[1] = parity[2] = parity[3] = 0;
231 for (i = 0; i < 10; i++)
232 {
233 /* read each hex char */
234 sscanf(&Cmd[i], "%1x", &n);
235 for (j = 3; j >= 0; j--, n/= 2)
236 binary[j] = n % 2;
237
238 /* append each bit */
239 AppendGraph(0, clock, binary[0]);
240 AppendGraph(0, clock, binary[1]);
241 AppendGraph(0, clock, binary[2]);
242 AppendGraph(0, clock, binary[3]);
243
244 /* append parity bit */
245 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
246
247 /* keep track of column parity */
248 parity[0] ^= binary[0];
249 parity[1] ^= binary[1];
250 parity[2] ^= binary[2];
251 parity[3] ^= binary[3];
252 }
253
254 /* parity columns */
255 AppendGraph(0, clock, parity[0]);
256 AppendGraph(0, clock, parity[1]);
257 AppendGraph(0, clock, parity[2]);
258 AppendGraph(0, clock, parity[3]);
259
260 /* stop bit */
261 AppendGraph(0, clock, 0);
262
263 //CmdManchesterMod("64");
264
265 /* booyah! */
266 RepaintGraphWindow();
267
268 CmdLFSim("");
269 return 0;
270 }
271
272 /* Function is equivalent of lf read + data samples + em410xread
273 * looped until an EM410x tag is detected
274 *
275 * Why is CmdSamples("16000")?
276 * TBD: Auto-grow sample size based on detected sample rate. IE: If the
277 * rate gets lower, then grow the number of samples
278 * Changed by martin, 4000 x 4 = 16000,
279 * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
280
281 */
282 int CmdEM410xWatch(const char *Cmd)
283 {
284 int read_h = (*Cmd == 'h');
285 do
286 {
287 if (ukbhit()) {
288 printf("\naborted via keyboard!\n");
289 break;
290 }
291
292 CmdLFRead(read_h ? "h" : "");
293 CmdSamples("6000");
294
295 } while (
296 !CmdEM410xRead("")
297 );
298 return 0;
299 }
300
301 int CmdEM410xWatchnSpoof(const char *Cmd)
302 {
303 CmdEM410xWatch(Cmd);
304 PrintAndLog("# Replaying : %s",global_em410xId);
305 CmdEM410xSim(global_em410xId);
306 return 0;
307 }
308
309 /* Read the transmitted data of an EM4x50 tag
310 * Format:
311 *
312 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
313 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
314 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
315 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
316 * CCCCCCCC <- column parity bits
317 * 0 <- stop bit
318 * LW <- Listen Window
319 *
320 * This pattern repeats for every block of data being transmitted.
321 * Transmission starts with two Listen Windows (LW - a modulated
322 * pattern of 320 cycles each (32/32/128/64/64)).
323 *
324 * Note that this data may or may not be the UID. It is whatever data
325 * is stored in the blocks defined in the control word First and Last
326 * Word Read values. UID is stored in block 32.
327 */
328 int CmdEM4x50Read(const char *Cmd)
329 {
330 int i, j, startblock, skip, block, start, end, low, high;
331 bool complete= false;
332 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
333 char tmp[6];
334
335 high= low= 0;
336 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
337
338 /* first get high and low values */
339 for (i = 0; i < GraphTraceLen; i++)
340 {
341 if (GraphBuffer[i] > high)
342 high = GraphBuffer[i];
343 else if (GraphBuffer[i] < low)
344 low = GraphBuffer[i];
345 }
346
347 /* populate a buffer with pulse lengths */
348 i= 0;
349 j= 0;
350 while (i < GraphTraceLen)
351 {
352 // measure from low to low
353 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
354 ++i;
355 start= i;
356 while ((GraphBuffer[i] < high) && (i<GraphTraceLen))
357 ++i;
358 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
359 ++i;
360 if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
361 break;
362 }
363 tmpbuff[j++]= i - start;
364 }
365
366 /* look for data start - should be 2 pairs of LW (pulses of 192,128) */
367 start= -1;
368 skip= 0;
369 for (i= 0; i < j - 4 ; ++i)
370 {
371 skip += tmpbuff[i];
372 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
373 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
374 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
375 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
376 {
377 start= i + 3;
378 break;
379 }
380 }
381 startblock= i + 3;
382
383 /* skip over the remainder of the LW */
384 skip += tmpbuff[i+1]+tmpbuff[i+2];
385 while (skip < MAX_GRAPH_TRACE_LEN && GraphBuffer[skip] > low)
386 ++skip;
387 skip += 8;
388
389 /* now do it again to find the end */
390 end= start;
391 for (i += 3; i < j - 4 ; ++i)
392 {
393 end += tmpbuff[i];
394 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
395 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
396 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
397 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
398 {
399 complete= true;
400 break;
401 }
402 }
403
404 if (start >= 0)
405 PrintAndLog("Found data at sample: %i",skip);
406 else
407 {
408 PrintAndLog("No data found!");
409 PrintAndLog("Try again with more samples.");
410 return 0;
411 }
412
413 if (!complete)
414 {
415 PrintAndLog("*** Warning!");
416 PrintAndLog("Partial data - no end found!");
417 PrintAndLog("Try again with more samples.");
418 }
419
420 /* get rid of leading crap */
421 sprintf(tmp,"%i",skip);
422 CmdLtrim(tmp);
423
424 /* now work through remaining buffer printing out data blocks */
425 block= 0;
426 i= startblock;
427 while (block < 6)
428 {
429 PrintAndLog("Block %i:", block);
430 // mandemod routine needs to be split so we can call it for data
431 // just print for now for debugging
432 CmdManchesterDemod("i 64");
433 skip= 0;
434 /* look for LW before start of next block */
435 for ( ; i < j - 4 ; ++i)
436 {
437 skip += tmpbuff[i];
438 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
439 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
440 break;
441 }
442 while (GraphBuffer[skip] > low)
443 ++skip;
444 skip += 8;
445 sprintf(tmp,"%i",skip);
446 CmdLtrim(tmp);
447 start += skip;
448 block++;
449 }
450 return 0;
451 }
452
453 int CmdEM410xWrite(const char *Cmd)
454 {
455 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
456 int card = 0xFF; // invalid card value
457 unsigned int clock = 0; // invalid clock value
458
459 sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
460
461 // Check ID
462 if (id == 0xFFFFFFFFFFFFFFFF) {
463 PrintAndLog("Error! ID is required.\n");
464 return 0;
465 }
466 if (id >= 0x10000000000) {
467 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
468 return 0;
469 }
470
471 // Check Card
472 if (card == 0xFF) {
473 PrintAndLog("Error! Card type required.\n");
474 return 0;
475 }
476 if (card < 0) {
477 PrintAndLog("Error! Bad card type selected.\n");
478 return 0;
479 }
480
481 // Check Clock
482 if (card == 1)
483 {
484 // Default: 64
485 if (clock == 0)
486 clock = 64;
487
488 // Allowed clock rates: 16, 32 and 64
489 if ((clock != 16) && (clock != 32) && (clock != 64)) {
490 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32 and 64.\n", clock);
491 return 0;
492 }
493 }
494 else if (clock != 0)
495 {
496 PrintAndLog("Error! Clock rate is only supported on T55x7 tags.\n");
497 return 0;
498 }
499
500 if (card == 1) {
501 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
502 // NOTE: We really should pass the clock in as a separate argument, but to
503 // provide for backwards-compatibility for older firmware, and to avoid
504 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
505 // the clock rate in bits 8-15 of the card value
506 card = (card & 0xFF) | (((uint64_t)clock << 8) & 0xFF00);
507 }
508 else if (card == 0)
509 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
510 else {
511 PrintAndLog("Error! Bad card type selected.\n");
512 return 0;
513 }
514
515 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
516 SendCommand(&c);
517
518 return 0;
519 }
520
521 int CmdReadWord(const char *Cmd)
522 {
523 int Word = -1; //default to invalid word
524 UsbCommand c;
525
526 sscanf(Cmd, "%d", &Word);
527
528 if ( (Word > 15) | (Word < 0) ) {
529 PrintAndLog("Word must be between 0 and 15");
530 return 1;
531 }
532
533 PrintAndLog("Reading word %d", Word);
534
535 c.cmd = CMD_EM4X_READ_WORD;
536 c.d.asBytes[0] = 0x0; //Normal mode
537 c.arg[0] = 0;
538 c.arg[1] = Word;
539 c.arg[2] = 0;
540 SendCommand(&c);
541 WaitForResponse(CMD_ACK, NULL);
542
543 uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};
544
545 GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
546 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
547
548 for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {
549 GraphBuffer[j] = ((int)data[j]);
550 }
551 GraphTraceLen = LF_TRACE_BUFF_SIZE;
552
553 uint8_t bits[LF_BITSSTREAM_LEN] = {0x00};
554 uint8_t * bitstream = bits;
555 manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream,LF_BITSSTREAM_LEN);
556 RepaintGraphWindow();
557 return 0;
558 }
559
560 int CmdReadWordPWD(const char *Cmd)
561 {
562 int Word = -1; //default to invalid word
563 int Password = 0xFFFFFFFF; //default to blank password
564 UsbCommand c;
565
566 sscanf(Cmd, "%d %x", &Word, &Password);
567
568 if ( (Word > 15) | (Word < 0) ) {
569 PrintAndLog("Word must be between 0 and 15");
570 return 1;
571 }
572
573 PrintAndLog("Reading word %d with password %08X", Word, Password);
574
575 c.cmd = CMD_EM4X_READ_WORD;
576 c.d.asBytes[0] = 0x1; //Password mode
577 c.arg[0] = 0;
578 c.arg[1] = Word;
579 c.arg[2] = Password;
580 SendCommand(&c);
581 WaitForResponse(CMD_ACK, NULL);
582
583 uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};
584
585 GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
586 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
587
588 for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {
589 GraphBuffer[j] = ((int)data[j]);
590 }
591 GraphTraceLen = LF_TRACE_BUFF_SIZE;
592
593 uint8_t bits[LF_BITSSTREAM_LEN] = {0x00};
594 uint8_t * bitstream = bits;
595 manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream, LF_BITSSTREAM_LEN);
596 RepaintGraphWindow();
597 return 0;
598 }
599
600 int CmdWriteWord(const char *Cmd)
601 {
602 int Word = 16; //default to invalid block
603 int Data = 0xFFFFFFFF; //default to blank data
604 UsbCommand c;
605
606 sscanf(Cmd, "%x %d", &Data, &Word);
607
608 if (Word > 15) {
609 PrintAndLog("Word must be between 0 and 15");
610 return 1;
611 }
612
613 PrintAndLog("Writing word %d with data %08X", Word, Data);
614
615 c.cmd = CMD_EM4X_WRITE_WORD;
616 c.d.asBytes[0] = 0x0; //Normal mode
617 c.arg[0] = Data;
618 c.arg[1] = Word;
619 c.arg[2] = 0;
620 SendCommand(&c);
621 return 0;
622 }
623
624 int CmdWriteWordPWD(const char *Cmd)
625 {
626 int Word = 16; //default to invalid word
627 int Data = 0xFFFFFFFF; //default to blank data
628 int Password = 0xFFFFFFFF; //default to blank password
629 UsbCommand c;
630
631 sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
632
633 if (Word > 15) {
634 PrintAndLog("Word must be between 0 and 15");
635 return 1;
636 }
637
638 PrintAndLog("Writing word %d with data %08X and password %08X", Word, Data, Password);
639
640 c.cmd = CMD_EM4X_WRITE_WORD;
641 c.d.asBytes[0] = 0x1; //Password mode
642 c.arg[0] = Data;
643 c.arg[1] = Word;
644 c.arg[2] = Password;
645 SendCommand(&c);
646 return 0;
647 }
648
649 static command_t CommandTable[] =
650 {
651 {"help", CmdHelp, 1, "This help"},
652
653 {"410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"},
654 {"410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
655 {"replay", MWRem4xReplay, 0, "Watches for tag and simulates manchester encoded em4x tag"},
656 {"410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
657 {"410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
658 {"410xwrite", CmdEM410xWrite, 1, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
659 {"4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
660 {"rd", CmdReadWord, 1, "<Word 1-15> -- Read EM4xxx word data"},
661 {"rdpwd", CmdReadWordPWD, 1, "<Word 1-15> <Password> -- Read EM4xxx word data in password mode "},
662 {"wr", CmdWriteWord, 1, "<Data> <Word 1-15> -- Write EM4xxx word data"},
663 {"wrpwd", CmdWriteWordPWD, 1, "<Data> <Word 1-15> <Password> -- Write EM4xxx word data in password mode"},
664 {NULL, NULL, 0, NULL}
665 };
666
667
668 //Confirms the parity of a bitstream as well as obtaining the data (TagID) from within the appropriate memory space.
669 //Arguments:
670 // Pointer to a string containing the desired bitsream
671 // Pointer to a string that will receive the decoded tag ID
672 // Length of the bitsream pointed at in the first argument, char* _strBitStream
673 //Retuns:
674 //1 Parity confirmed
675 //0 Parity not confirmed
676 int ConfirmEm410xTagParity( char* _strBitStream, char* pID, int LengthOfBitstream )
677 {
678 int i = 0;
679 int rows = 0;
680 int Parity[4] = {0x00};
681 char ID[11] = {0x00};
682 int k = 0;
683 int BitStream[70] = {0x00};
684 int counter = 0;
685 //prepare variables
686 for ( i = 0; i <= LengthOfBitstream; i++)
687 {
688 if (_strBitStream[i] == '1')
689 {
690 k =1;
691 memcpy(&BitStream[i], &k,4);
692 }
693 else if (_strBitStream[i] == '0')
694 {
695 k = 0;
696 memcpy(&BitStream[i], &k,4);
697 }
698 }
699 while ( counter < 2 )
700 {
701 //set/reset variables and counters
702 memset(ID,0x00,sizeof(ID));
703 memset(Parity,0x00,sizeof(Parity));
704 rows = 0;
705 for ( i = 9; i <= LengthOfBitstream; i++)
706 {
707 if ( rows < 10 )
708 {
709 if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
710 {
711 sprintf(ID+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
712 rows++;
713 /* Keep parity info and move four bits ahead*/
714 Parity[0] ^= BitStream[i];
715 Parity[1] ^= BitStream[i+1];
716 Parity[2] ^= BitStream[i+2];
717 Parity[3] ^= BitStream[i+3];
718 i += 4;
719 }
720 }
721 if ( rows == 10 )
722 {
723 if ( BitStream[i] == Parity[0] && BitStream[i+1] == Parity[1] &&
724 BitStream[i+2] == Parity[2] && BitStream[i+3] == Parity[3] &&
725 BitStream[i+4] == 0)
726 {
727 memcpy(pID,ID,strlen(ID));
728 return 1;
729 }
730 }
731 }
732 printf("[PARITY ->]Failed. Flipping Bits, and rechecking parity for bitstream:\n[PARITY ->]");
733 for (k = 0; k < LengthOfBitstream; k++)
734 {
735 BitStream[k] ^= 1;
736 printf("%i", BitStream[k]);
737 }
738 puts(" ");
739 counter++;
740 }
741 return 0;
742 }
743 //Reads and demodulates an em410x RFID tag. It further allows slight modification to the decoded bitstream
744 //Once a suitable bitstream has been identified, and if needed, modified, it is replayed. Allowing emulation of the
745 //"stolen" rfid tag.
746 //No meaningful returns or arguments.
747 int MWRem4xReplay(const char* Cmd)
748 {
749 // //header traces
750 // static char ArrayTraceZero[] = { '0','0','0','0','0','0','0','0','0' };
751 // static char ArrayTraceOne[] = { '1','1','1','1','1','1','1','1','1' };
752 // //local string variables
753 // char strClockRate[10] = {0x00};
754 // char strAnswer[4] = {0x00};
755 // char strTempBufferMini[2] = {0x00};
756 // //our outbound bit-stream
757 // char strSimulateBitStream[65] = {0x00};
758 // //integers
759 // int iClockRate = 0;
760 // int needle = 0;
761 // int j = 0;
762 // int iFirstHeaderOffset = 0x00000000;
763 // int numManchesterDemodBits=0;
764 // //boolean values
765 // bool bInverted = false;
766 // //pointers to strings. memory will be allocated.
767 // char* pstrInvertBitStream = 0x00000000;
768 // char* pTempBuffer = 0x00000000;
769 // char* pID = 0x00000000;
770 // char* strBitStreamBuffer = 0x00000000;
771
772
773 // puts("###################################");
774 // puts("#### Em4x Replay ##");
775 // puts("#### R.A.M. June 2013 ##");
776 // puts("###################################");
777 // //initialize
778 // CmdLFRead("");
779 // //Collect ourselves 10,000 samples
780 // CmdSamples("10000");
781 // puts("[->]preforming ASK demodulation\n");
782 // //demodulate ask
783 // Cmdaskdemod("0");
784 // iClockRate = DetectClock(0);
785 // sprintf(strClockRate, "%i\n",iClockRate);
786 // printf("[->]Detected ClockRate: %s\n", strClockRate);
787
788 // //If detected clock rate is something completely unreasonable, dont go ahead
789 // if ( iClockRate < 0xFFFE )
790 // {
791 // pTempBuffer = (char*)malloc(MAX_GRAPH_TRACE_LEN);
792 // if (pTempBuffer == 0x00000000)
793 // return 0;
794 // memset(pTempBuffer,0x00,MAX_GRAPH_TRACE_LEN);
795 // //Preform manchester de-modulation and display in a single line.
796 // numManchesterDemodBits = CmdManchesterDemod( strClockRate );
797 // //note: numManchesterDemodBits is set above in CmdManchesterDemod()
798 // if ( numManchesterDemodBits == 0 )
799 // return 0;
800 // strBitStreamBuffer = malloc(numManchesterDemodBits+1);
801 // if ( strBitStreamBuffer == 0x00000000 )
802 // return 0;
803 // memset(strBitStreamBuffer, 0x00, (numManchesterDemodBits+1));
804 // //fill strBitStreamBuffer with demodulated, string formatted bits.
805 // for ( j = 0; j <= numManchesterDemodBits; j++ )
806 // {
807 // sprintf(strTempBufferMini, "%i",BitStream[j]);
808 // strcat(strBitStreamBuffer,strTempBufferMini);
809 // }
810 // printf("[->]Demodulated Bitstream: \n%s\n", strBitStreamBuffer);
811 // //Reset counter and select most probable bit stream
812 // j = 0;
813 // while ( j < numManchesterDemodBits )
814 // {
815 // memset(strSimulateBitStream,0x00,64);
816 // //search for header of nine (9) 0's : 000000000 or nine (9) 1's : 1111 1111 1
817 // if ( ( strncmp(strBitStreamBuffer+j, ArrayTraceZero, sizeof(ArrayTraceZero)) == 0 ) ||
818 // ( strncmp(strBitStreamBuffer+j, ArrayTraceOne, sizeof(ArrayTraceOne)) == 0 ) )
819 // {
820 // iFirstHeaderOffset = j;
821 // memcpy(strSimulateBitStream, strBitStreamBuffer+j,64);
822 // printf("[->]Offset of Header");
823 // if ( strncmp(strBitStreamBuffer+iFirstHeaderOffset, "0", 1) == 0 )
824 // printf("'%s'", ArrayTraceZero );
825 // else
826 // printf("'%s'", ArrayTraceOne );
827 // printf(": %i\nHighlighted string : %s\n",iFirstHeaderOffset,strSimulateBitStream);
828 // //allow us to escape loop or choose another frame
829 // puts("[<-]Are we happy with this sample? [Y]es/[N]o");
830 // gets(strAnswer);
831 // if ( ( strncmp(strAnswer,"y",1) == 0 ) || ( strncmp(strAnswer,"Y",1) == 0 ) )
832 // {
833 // j = numManchesterDemodBits+1;
834 // break;
835 // }
836 // }
837 // j++;
838 // }
839 // }
840 // else return 0;
841
842 // //Do we want the buffer inverted?
843 // memset(strAnswer, 0x00, sizeof(strAnswer));
844 // printf("[<-]Do you wish to invert the highlighted bitstream? [Y]es/[N]o\n");
845 // gets(strAnswer);
846 // if ( ( strncmp("y", strAnswer,1) == 0 ) || ( strncmp("Y", strAnswer, 1 ) == 0 ) )
847 // {
848 // //allocate heap memory
849 // pstrInvertBitStream = (char*)malloc(numManchesterDemodBits);
850 // if ( pstrInvertBitStream != 0x00000000 )
851 // {
852 // memset(pstrInvertBitStream,0x00,numManchesterDemodBits);
853 // bInverted = true;
854 // //Invert Bitstream
855 // for ( needle = 0; needle <= numManchesterDemodBits; needle++ )
856 // {
857 // if (strSimulateBitStream[needle] == '0')
858 // strcat(pstrInvertBitStream,"1");
859 // else if (strSimulateBitStream[needle] == '1')
860 // strcat(pstrInvertBitStream,"0");
861 // }
862 // printf("[->]Inverted bitstream: %s\n", pstrInvertBitStream);
863 // }
864 // }
865 // //Confirm parity of selected string
866 // pID = (char*)malloc(11);
867 // if (pID != 0x00000000)
868 // {
869 // memset(pID, 0x00, 11);
870 // if (ConfirmEm410xTagParity(strSimulateBitStream,pID, 64) == 1)
871 // {
872 // printf("[->]Parity confirmed for selected bitstream!\n");
873 // printf("[->]Tag ID was detected as: [hex]:%s\n",pID );
874 // }
875 // else
876 // printf("[->]Parity check failed for the selected bitstream!\n");
877 // }
878
879 // //Spoof
880 // memset(strAnswer, 0x00, sizeof(strAnswer));
881 // printf("[<-]Do you wish to continue with the EM4x simulation? [Y]es/[N]o\n");
882 // gets(strAnswer);
883 // if ( ( strncmp(strAnswer,"y",1) == 0 ) || ( strncmp(strAnswer,"Y",1) == 0 ) )
884 // {
885 // strcat(pTempBuffer, strClockRate);
886 // strcat(pTempBuffer, " ");
887 // if (bInverted == true)
888 // strcat(pTempBuffer,pstrInvertBitStream);
889 // if (bInverted == false)
890 // strcat(pTempBuffer,strSimulateBitStream);
891 // //inform the user
892 // puts("[->]Starting simulation now: \n");
893 // //Simulate tag with prepared buffer.
894 // CmdLFSimManchester(pTempBuffer);
895 // }
896 // else if ( ( strcmp("n", strAnswer) == 0 ) || ( strcmp("N", strAnswer ) == 0 ) )
897 // printf("[->]Exiting procedure now...\n");
898 // else
899 // printf("[->]Erroneous selection\nExiting procedure now....\n");
900
901 // //Clean up -- Exit function
902 // //clear memory, then release pointer.
903 // if ( pstrInvertBitStream != 0x00000000 )
904 // {
905 // memset(pstrInvertBitStream,0x00,numManchesterDemodBits);
906 // free(pstrInvertBitStream);
907 // }
908 // if ( pTempBuffer != 0x00000000 )
909 // {
910 // memset(pTempBuffer,0x00,MAX_GRAPH_TRACE_LEN);
911 // free(pTempBuffer);
912 // }
913 // if ( pID != 0x00000000 )
914 // {
915 // memset(pID,0x00,11);
916 // free(pID);
917 // }
918 // if ( strBitStreamBuffer != 0x00000000 )
919 // {
920 // memset(strBitStreamBuffer,0x00,numManchesterDemodBits);
921 // free(strBitStreamBuffer);
922 // }
923 return 0;
924 }
925
926 int CmdLFEM4X(const char *Cmd)
927 {
928 CmdsParse(CommandTable, Cmd);
929 return 0;
930 }
931
932 int CmdHelp(const char *Cmd)
933 {
934 CmdsHelp(CommandTable);
935 return 0;
936 }
Proxmark3 GIT tracking
Impressum, Datenschutz