1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <inttypes.h>
14 #include "cmdlfem4x.h"
15
// ID string of the most recently decoded EM410x tag: set by CmdEM410xRead,
// printed by CmdEM410xWatchnSpoof. NULL until the first successful read.
char *global_em410xId;
17
18 static int CmdHelp(const char *Cmd);
19
/* "em410xdemod": ask the device to demodulate EM410x tags.
 * A first argument of '1' sets arg[0] = 1 (per the command table help:
 * stop after one tag); anything else sends 0. Returns 0.
 */
int CmdEMdemodASK(const char *Cmd)
{
    char opt = param_getchar(Cmd, 0);
    UsbCommand c = {CMD_EM410X_DEMOD};
    c.arg[0] = (opt == '1');
    SendCommand(&c);
    return 0;
}
29
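/* Read the ID of an EM410x tag.
 * Format:
 * 1111 1111 1 <-- standard non-repeatable header
 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
 * ....
 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
 * 0 <-- stop bit, end of tag
 *
 * Demodulates the GraphBuffer (Cmd is unused), prints the ID and, for a
 * plain 40-bit tag, publishes its decimal ID string via global_em410xId.
 * Returns 1 when a 40-bit ID was captured, 0 for no tag or an XL tag.
 */
int CmdEM410xRead(const char *Cmd)
{
    // Storage for the string handed out through global_em410xId. It must
    // outlive this call (CmdEM410xWatchnSpoof prints it after we return),
    // so it is static rather than a stack array, which left the global
    // dangling. Sized for any 64-bit decimal value plus the terminator.
    static char id[21];
    uint32_t hi = 0;
    uint64_t lo = 0;

    if (!AskEm410xDemod("", &hi, &lo, false)) return 0;
    PrintAndLog("EM410x pattern found: ");
    printEM410x(hi, lo);
    if (hi) {
        PrintAndLog("EM410x XL pattern found");
        return 0;
    }
    // A 40-bit ID needs up to 13 decimal digits; the old 12-byte buffer
    // could overflow. snprintf bounds the write regardless of value.
    // NOTE(review): this prints decimal (an earlier hex form was commented
    // out); confirm decimal is what consumers of global_em410xId expect.
    snprintf(id, sizeof(id), "%010" PRIu64, lo);

    global_em410xId = id;
    return 1;
}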
57
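/* Emulate an EM410x tag.
 * Usage: em410xsim <UID> [clock]
 *   UID   - exactly 10 hex digits (the 40-bit ID)
 *   clock - bit period in samples, default 64
 * Builds the EM410x frame into the graph buffer (9 header bits, ten
 * nibbles each followed by an even row-parity bit, four column-parity
 * bits, stop bit) and hands it to CmdLFSim. Returns 0.
 */
int CmdEM410xSim(const char *Cmd)
{
    char cmdp = param_getchar(Cmd, 0);
    uint8_t uid[5] = {0x00};

    if (cmdp == 'h' || cmdp == 'H') {
        PrintAndLog("Usage: lf em4x em410xsim <UID> <clock>");
        PrintAndLog("");
        PrintAndLog(" sample: lf em4x em410xsim 0F0368568B");
        return 0;
    }
    /* clock is 64 in EM410x tags */
    uint8_t clock = 64;

    if (param_gethex(Cmd, 0, uid, 10)) {
        PrintAndLog("UID must include 10 HEX symbols");
        return 0;
    }
    param_getdec(Cmd, 1, &clock);

    PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X clock: %d", uid[0], uid[1], uid[2], uid[3], uid[4], clock);
    PrintAndLog("Press pm3-button to abort simulation");

    /* clear our graph */
    ClearGraph(0);

    /* write 9 start bits */
    for (int i = 0; i < 9; i++)
        AppendGraph(0, clock, 1);

    /* for each hex digit of the UID, most significant first */
    int colParity[4] = {0, 0, 0, 0};
    for (int i = 0; i < 10; i++) {
        // Derive the nibble from uid[], which param_gethex already validated,
        // instead of re-parsing Cmd with an unchecked sscanf: the two parsers
        // could disagree (e.g. on leading whitespace) and a failed sscanf
        // left the previous value in place.
        int nibble = (i & 1) ? (uid[i / 2] & 0x0F) : (uid[i / 2] >> 4);
        int bit[4];
        for (int j = 0; j < 4; j++)
            bit[j] = (nibble >> (3 - j)) & 1;   // bit[0] is the nibble's MSB

        /* append the 4 data bits */
        for (int j = 0; j < 4; j++)
            AppendGraph(0, clock, bit[j]);

        /* append the even row-parity bit */
        AppendGraph(0, clock, bit[0] ^ bit[1] ^ bit[2] ^ bit[3]);

        /* keep track of column parity */
        for (int j = 0; j < 4; j++)
            colParity[j] ^= bit[j];
    }

    /* parity columns */
    for (int j = 0; j < 4; j++)
        AppendGraph(0, clock, colParity[j]);

    /* stop bit */
    AppendGraph(1, clock, 0);

    CmdLFSim("0"); //240 start_gap.
    return 0;
}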
129
/* Equivalent of "lf read" + "data samples" + "em410xread", repeated until
 * an EM410x tag is decoded or a key is pressed. Cmd is unused.
 *
 * Sample count: 8201 captures two complete preambles (4096*2+9); the older
 * 16000 figure (4000 x 4, see
 * http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235) was reduced.
 * TBD: auto-grow the sample size when the detected sample rate drops.
 * Returns 0.
 */
int CmdEM410xWatch(const char *Cmd)
{
    for (;;) {
        if (ukbhit()) {
            printf("\naborted via keyboard!\n");
            break;
        }

        CmdLFRead("s");
        getSamples("8201", true); //capture enough to get 2 complete preambles (4096*2+9)

        if (CmdEM410xRead(""))
            break;                // tag decoded, stop watching
    }

    return 0;
}
153
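//currently only supports manchester modulations
/* Watch for an EM410x tag (CmdEM410xWatch), then replay it with the ASK
 * simulator. Cmd is passed through to CmdEM410xWatch. Returns 0.
 */
int CmdEM410xWatchnSpoof(const char *Cmd)
{
    CmdEM410xWatch(Cmd);
    // CmdEM410xWatch returns 0 whether a tag was decoded or the user aborted
    // with a key. If no tag has ever been read, global_em410xId is still
    // NULL and printing it through %s is undefined; bail out rather than
    // replaying whatever is in the demod buffer.
    if (global_em410xId == NULL) {
        PrintAndLog("No EM410x ID captured, nothing to replay");
        return 0;
    }
    PrintAndLog("# Replaying captured ID: %s", global_em410xId);
    CmdLFaskSim("");
    return 0;
}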
162
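/* Write an EM410x ID onto a T5555 (Q5) or T55x7 tag.
 * Usage: em410xwrite <UID hex, at most 40 bits> <card: 0 = T5555, 1 = T55x7> [clock]
 * clock must be 16, 32, 40 or 64; 0 or absent selects 64.
 * The clock is packed into bits 8-15 of the card argument of
 * CMD_EM410X_WRITE_TAG so the firmware command layout stays unchanged.
 * Returns 0 both after sending the command and after an argument error.
 */
int CmdEM410xWrite(const char *Cmd)
{
    uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
    int card = 0xFF;                  // invalid card value
    unsigned int clock = 0;           // invalid clock value

    // Conversions match the operand types: the original scanned an unsigned
    // clock with %d and used the printf-side PRIx64 macro inside scanf.
    sscanf(Cmd, "%" SCNx64 " %d %u", &id, &card, &clock);

    // Check ID
    if (id == 0xFFFFFFFFFFFFFFFF) {
        PrintAndLog("Error! ID is required.\n");
        return 0;
    }
    if (id >= 0x10000000000) {
        PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
        return 0;
    }

    // Check Card
    if (card == 0xFF) {
        PrintAndLog("Error! Card type required.\n");
        return 0;
    }
    if (card < 0) {
        PrintAndLog("Error! Bad card type selected.\n");
        return 0;
    }

    // Check Clock
    // Default: 64
    if (clock == 0)
        clock = 64;

    // Allowed clock rates: 16, 32, 40 and 64
    if ((clock != 16) && (clock != 32) && (clock != 64) && (clock != 40)) {
        PrintAndLog("Error! Clock rate %u not valid. Supported clock rates are 16, 32, 40 and 64.\n", clock);
        return 0;
    }

    if (card == 1) {
        PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %u)", "T55x7", id, clock);
    } else if (card == 0) {
        // The original passed a stray extra argument (clock) to this call.
        PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id);
    } else {
        PrintAndLog("Error! Bad card type selected.\n");
        return 0;
    }
    // NOTE: We really should pass the clock in as a separate argument, but to
    // provide for backwards-compatibility for older firmware, and to avoid
    // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
    // the clock rate in bits 8-15 of the card value
    card = (card & 0xFF) | (int)((clock << 8) & 0xFF00);

    UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
    SendCommand(&c);
    return 0;
}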
221
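/* Column-parity check over a rows x cols bit matrix (row-major, one bit
 * per byte). Every column except the last one (taken to be the row-parity
 * column) is XORed down all rows and must equal pType (0 = even, 1 = odd).
 * Returns false if the matrix does not fit in `size` bits or any tested
 * column fails, true otherwise (rows == 0 or cols <= 1 pass trivially).
 */
bool EM_EndParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
{
    if ((size_t)rows * cols > size) return false;
    //assume last col is a parity and do not test
    for (uint8_t colNum = 0; colNum + 1 < cols; colNum++) {
        // Reset per column. The original carried the accumulator across
        // columns, which only happens to work for pType == 0 (a passing
        // column leaves it at 0); with pType == 1 the second column always
        // failed.
        uint8_t colP = 0;
        for (uint8_t rowNum = 0; rowNum < rows; rowNum++) {
            colP ^= BitStream[(rowNum * cols) + colNum];
        }
        if (colP != pType) return false;
    }
    return true;
}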
235
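/* Row-parity check over a rows x cols bit matrix (row-major, one bit per
 * byte). Every row except the last one (taken to be the column-parity row)
 * is XORed across all cols and must equal pType (0 = even, 1 = odd).
 * Returns false if the matrix does not fit in `size` bits or any tested
 * row fails, true otherwise (rows <= 1 or cols == 0 pass trivially).
 */
bool EM_ByteParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
{
    if ((size_t)rows * cols > size) return false;
    //assume last row is a parity row and do not test
    for (uint8_t rowNum = 0; rowNum + 1 < rows; rowNum++) {
        // Reset per row. The original carried the accumulator across rows,
        // which only happens to work for pType == 0; with pType == 1 the
        // second row always failed.
        uint8_t rowP = 0;
        for (uint8_t colNum = 0; colNum < cols; colNum++) {
            rowP ^= BitStream[(rowNum * cols) + colNum];
        }
        if (rowP != pType) return false;
    }
    return true;
}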
249
/* Assemble one EM4x50 block into a 32-bit word.
 * BitStream holds five 9-bit rows (8 data bits + 1 parity bit each); the
 * first four rows are packed MSB-first into the result, the fifth is the
 * column-parity row and is only printed. When verbose or g_debugMode is
 * set, every row is printed together with the caller's parity verdict
 * (pTest). Returns 0 if fewer than 45 bits are available.
 */
uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool pTest)
{
    if (size < 45) return 0;

    // rows start every 9 bits because of the trailing parity bit
    uint32_t word = 0;
    for (int row = 0; row < 4; row++)
        word = (word << 8) | bytebits_to_byte(BitStream + row * 9, 8);

    if (verbose || g_debugMode) {
        for (uint8_t row = 0; row < 5; row++) {
            uint8_t *r = BitStream + row * 9;
            if (row == 4) PrintAndLog(""); //parity byte spacer
            PrintAndLog("%d%d%d%d%d%d%d%d %d -> 0x%02x",
                        r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8],
                        bytebits_to_byte(r, 8));
        }
        PrintAndLog("%s", pTest ? "Parity Passed" : "Parity Failed");
    }
    return word;
}
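/* Read the transmitted data of an EM4x50 tag
 * Format:
 *
 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 * CCCCCCCC <- column parity bits
 * 0 <- stop bit
 * LW <- Listen Window
 *
 * This pattern repeats for every block of data being transmitted.
 * Transmission starts with two Listen Windows (LW - a modulated
 * pattern of 320 cycles each (32/32/128/64/64)).
 *
 * Note that this data may or may not be the UID. It is whatever data
 * is stored in the blocks defined in the control word First and Last
 * Word Read values. UID is stored in block 32.
 */
//completed by Marshmellow
/* EM4x50Read - decode the EM4x50 stream currently in GraphBuffer.
 *
 * Cmd      optional "<clock> <invert>"; clock 0 (or absent) auto-detects
 *          from the shortest pulse, invert is handed to ASKDemod unchanged.
 * verbose  print per-block bits and diagnostics (g_debugMode forces this).
 *
 * Returns 1 when every decoded block passed both parity tests, else 0
 * (no clock match, no Listen Window found, ASKDemod failure, or a parity
 * failure). Decoded words are printed when all parities pass or output is
 * verbose.
 *
 * GraphBuffer is saved on entry (save_restoreGB(1)); every path that has
 * trimmed it with CmdLtrim restores it (save_restoreGB(0)) before
 * returning. The early exits above the first CmdLtrim leave it untouched.
 */
int EM4x50Read(const char *Cmd, bool verbose)
{
    uint8_t fndClk[] = {8,16,32,40,50,64,128};   // clocks tried during auto-detect
    int clk = 0;
    int invert = 0;
    int tol = 0;                                  // pulse-length tolerance, clk/8
    int i, j, startblock, skip, block, start, end, low, high, minClk;
    bool complete = false;                        // set once the closing LW is seen
    int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];        // low-to-low pulse lengths in samples
    uint32_t Code[6];
    char tmp[6];
    char tmp2[20];
    int phaseoff;
    high = low = 0;
    // sizeof, not the element count: the original passed MAX_GRAPH_TRACE_LEN/64
    // as a *byte* count and left most of tmpbuff uninitialised.
    memset(tmpbuff, 0, sizeof(tmpbuff));

    // get user entry if any
    sscanf(Cmd, "%i %i", &clk, &invert);

    // save GraphBuffer - to restore it later
    save_restoreGB(1);

    // first get high and low values
    for (i = 0; i < GraphTraceLen; i++) {
        if (GraphBuffer[i] > high)
            high = GraphBuffer[i];
        else if (GraphBuffer[i] < low)
            low = GraphBuffer[i];
    }

    i = 0;
    j = 0;
    minClk = 255;
    // get to first full low to prime loop and skip incomplete first pulse
    // (bounds test comes first: the original read GraphBuffer[i] before
    // checking i against GraphTraceLen, one element past the trace)
    while ((i < GraphTraceLen) && (GraphBuffer[i] < high))
        ++i;
    while ((i < GraphTraceLen) && (GraphBuffer[i] > low))
        ++i;
    skip = i;

    // populate tmpbuff buffer with pulse lengths
    while (i < GraphTraceLen) {
        // measure from low to low
        while ((i < GraphTraceLen) && (GraphBuffer[i] > low))
            ++i;
        start= i;
        while ((i < GraphTraceLen) && (GraphBuffer[i] < high))
            ++i;
        while ((i < GraphTraceLen) && (GraphBuffer[i] > low))
            ++i;
        if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
            break;
        }
        tmpbuff[j++]= i - start;
        if (i-start < minClk && i < GraphTraceLen) {
            minClk = i - start;
        }
    }
    // set clock: the shortest pulse seen is matched against the known rates
    if (!clk) {
        for (uint8_t clkCnt = 0; clkCnt<7; clkCnt++) {
            tol = fndClk[clkCnt]/8;
            if (minClk >= fndClk[clkCnt]-tol && minClk <= fndClk[clkCnt]+1) {
                clk=fndClk[clkCnt];
                break;
            }
        }
        if (!clk) return 0;
    } else tol = clk/8;

    // look for data start - should be 2 pairs of LW (pulses of clk*3,clk*2)
    start = -1;
    for (i= 0; i < j - 4 ; ++i) {
        skip += tmpbuff[i];
        if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks
            if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks
                if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
                    if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
                    {
                        start= i + 4;
                        break;
                    }
    }
    startblock = i + 4;

    // skip over the remainder of LW
    // (if no LW was found, i == j-4 or 0 here and the entries read below are
    // valid or zero; the values are only used after the start < 0 check)
    skip += tmpbuff[i+1] + tmpbuff[i+2] + clk;
    if (tmpbuff[i+3]>clk)
        phaseoff = tmpbuff[i+3]-clk;
    else
        phaseoff = 0;
    // now do it again to find the end
    end = skip;
    for (i += 3; i < j - 4 ; ++i) {
        end += tmpbuff[i];
        if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks
            if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks
                if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
                    if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
                    {
                        complete= true;
                        break;
                    }
    }
    end = i;   // end is reused as the pulse index of the closing LW
    // report back
    if (verbose || g_debugMode) {
        if (start >= 0) {
            PrintAndLog("\nNote: one block = 50 bits (32 data, 12 parity, 6 marker)");
        } else {
            PrintAndLog("No data found!, clock tried:%d",clk);
            PrintAndLog("Try again with more samples.");
            PrintAndLog(" or after a 'data askedge' command to clean up the read");
            return 0;
        }
    } else if (start < 0) return 0;
    start = skip;
    // ASKDemod argument string: "<clk> <invert> 1000 <maxlen>", one block = 47 bits + LW
    snprintf(tmp2, sizeof(tmp2),"%d %d 1000 %d", clk, invert, clk*47);
    // get rid of leading crap
    // NOTE(review): tmp holds 5 digits; a skip >= 100000 would be truncated.
    snprintf(tmp, sizeof(tmp), "%i", skip);
    CmdLtrim(tmp);
    bool pTest;
    bool AllPTest = true;
    // now work through remaining buffer printing out data blocks
    block = 0;
    i = startblock;
    while (block < 6) {
        if (verbose || g_debugMode) PrintAndLog("\nBlock %i:", block);
        skip = phaseoff;

        // look for LW before start of next block
        for ( ; i < j - 4 ; ++i) {
            skip += tmpbuff[i];
            if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol)
                if (tmpbuff[i+1] >= clk-tol)
                    break;
        }
        if (i >= j-4) break; //next LW not found
        skip += clk;
        if (tmpbuff[i+1]>clk)
            phaseoff = tmpbuff[i+1]-clk;
        else
            phaseoff = 0;
        i += 2;
        if (ASKDemod(tmp2, false, false, 1) < 1) {
            save_restoreGB(0);
            return 0;
        }
        //set DemodBufferLen to just one block
        DemodBufferLen = skip/clk;
        //test parities (5 rows x 9 cols, even parity)
        pTest = EM_ByteParityTest(DemodBuffer,DemodBufferLen,5,9,0);
        pTest &= EM_EndParityTest(DemodBuffer,DemodBufferLen,5,9,0);
        AllPTest &= pTest;
        //get output
        Code[block] = OutputEM4x50_Block(DemodBuffer,DemodBufferLen,verbose, pTest);
        if (g_debugMode) PrintAndLog("\nskipping %d samples, bits:%d", skip, skip/clk);
        //skip to start of next block
        snprintf(tmp,sizeof(tmp),"%i",skip);
        CmdLtrim(tmp);
        block++;
        if (i >= end) break; //in case chip doesn't output 6 blocks
    }
    //print full code:
    if (verbose || g_debugMode || AllPTest){
        if (!complete) {
            PrintAndLog("*** Warning!");
            PrintAndLog("Partial data - no end found!");
            PrintAndLog("Try again with more samples.");
        }
        PrintAndLog("Found data at sample: %i - using clock: %i", start, clk);
        end = block;
        for (block=0; block < end; block++){
            PrintAndLog("Block %d: %08x",block,Code[block]);
        }
        if (AllPTest) {
            PrintAndLog("Parities Passed");
        } else {
            PrintAndLog("Parities Failed");
            PrintAndLog("Try cleaning the read samples with 'data askedge'");
        }
    }

    //restore GraphBuffer
    save_restoreGB(0);
    return (int)AllPTest;
}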
487
// "em4x50read" entry point: EM4x50Read in verbose mode, Cmd passed through.
int CmdEM4x50Read(const char *Cmd)
{
    const bool verbose = true;
    return EM4x50Read(Cmd, verbose);
}
492
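/* Read one EM4xxx word (0-15) in normal (no password) mode.
 * Usage: readword <Word>
 * Returns 1 for an out-of-range word, 0 once the command has been sent.
 */
int CmdReadWord(const char *Cmd)
{
    int Word = -1; //default to invalid word

    sscanf(Cmd, "%d", &Word);

    // logical OR; the original combined the two tests with bitwise |
    if (Word > 15 || Word < 0) {
        PrintAndLog("Word must be between 0 and 15");
        return 1;
    }

    PrintAndLog("Reading word %d", Word);

    // Aggregate-initialise so the unused arg/data fields are zero instead of
    // whatever was on the stack when the struct is shipped to the device.
    UsbCommand c = {CMD_EM4X_READ_WORD, {0, Word, 0}};
    c.d.asBytes[0] = 0x0; //Normal mode
    SendCommand(&c);
    return 0;
}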
515
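/* Read one EM4xxx word (0-15) in password mode.
 * Usage: readwordPWD <Word> <Password hex>
 * Returns 1 for an out-of-range word, 0 once the command has been sent.
 * Note: the password is echoed through PrintAndLog, so it ends up wherever
 * that routine writes (presumably the session log as well as the console).
 */
int CmdReadWordPWD(const char *Cmd)
{
    int Word = -1;                   //default to invalid word
    uint32_t Password = 0xFFFFFFFF;  //default to blank password

    // SCNx32 matches the unsigned 32-bit password; the original scanned %x
    // into a signed int.
    sscanf(Cmd, "%d %" SCNx32, &Word, &Password);

    // logical OR; the original combined the two tests with bitwise |
    if (Word > 15 || Word < 0) {
        PrintAndLog("Word must be between 0 and 15");
        return 1;
    }

    PrintAndLog("Reading word %d with password %08" PRIX32, Word, Password);

    // Aggregate-initialise so the unused fields are zero instead of stale
    // stack bytes when the struct is shipped to the device.
    UsbCommand c = {CMD_EM4X_READ_WORD, {0, Word, Password}};
    c.d.asBytes[0] = 0x1; //Password mode
    SendCommand(&c);
    return 0;
}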
539
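/* Write one EM4xxx word (0-15) in normal (no password) mode.
 * Usage: writeword <Data hex> <Word>
 * Returns 1 for an out-of-range word, 0 once the command has been sent.
 */
int CmdWriteWord(const char *Cmd)
{
    int Word = 16;                //default to invalid word
    uint32_t Data = 0xFFFFFFFF;  //default to blank data

    // SCNx32 matches the unsigned 32-bit data word (original: %x into int)
    sscanf(Cmd, "%" SCNx32 " %d", &Data, &Word);

    // The original only rejected Word > 15, so a negative word number was
    // sent straight to the device; check both ends like the read commands.
    if (Word > 15 || Word < 0) {
        PrintAndLog("Word must be between 0 and 15");
        return 1;
    }

    PrintAndLog("Writing word %d with data %08" PRIX32, Word, Data);

    // Aggregate-initialise so the unused fields are zero instead of stale
    // stack bytes when the struct is shipped to the device.
    UsbCommand c = {CMD_EM4X_WRITE_WORD, {Data, Word, 0}};
    c.d.asBytes[0] = 0x0; //Normal mode
    SendCommand(&c);
    return 0;
}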
563
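/* Write one EM4xxx word (0-15) in password mode.
 * Usage: writewordPWD <Data hex> <Word> <Password hex>
 * Returns 1 for an out-of-range word, 0 once the command has been sent.
 * Note: the password is echoed through PrintAndLog, so it ends up wherever
 * that routine writes (presumably the session log as well as the console).
 */
int CmdWriteWordPWD(const char *Cmd)
{
    int Word = 16;                   //default to invalid word
    uint32_t Data = 0xFFFFFFFF;      //default to blank data
    uint32_t Password = 0xFFFFFFFF;  //default to blank password

    // SCNx32 matches the unsigned 32-bit operands (original: %x into int)
    sscanf(Cmd, "%" SCNx32 " %d %" SCNx32, &Data, &Word, &Password);

    // The original only rejected Word > 15, so a negative word number was
    // sent straight to the device; check both ends like the read commands.
    if (Word > 15 || Word < 0) {
        PrintAndLog("Word must be between 0 and 15");
        return 1;
    }

    PrintAndLog("Writing word %d with data %08" PRIX32 " and password %08" PRIX32, Word, Data, Password);

    // Aggregate-initialise so the unused fields are zero instead of stale
    // stack bytes when the struct is shipped to the device.
    UsbCommand c = {CMD_EM4X_WRITE_WORD, {Data, Word, Password}};
    c.d.asBytes[0] = 0x1; //Password mode
    SendCommand(&c);
    return 0;
}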
588
// Command table for "lf em4x": name, handler, a numeric flag whose meaning
// is defined by command_t (declared outside this file), help text.
// NOTE(review): some help strings disagree with the handlers in this file:
//  - em410xread advertises "[clock rate]" but CmdEM410xRead never reads Cmd;
//  - em410xwatch/em410xspoof advertise an 'h' option but CmdEM410xWatch
//    never reads Cmd either;
//  - em410xsim also accepts an optional clock as its second argument.
static command_t CommandTable[] =
{
    {"help", CmdHelp, 1, "This help"},
    {"em410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"},
    {"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag in GraphBuffer"},
    {"em410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
    {"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
    {"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
    {"em410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
    {"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
    {"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
    {"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
    {"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
    {"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
    {NULL, NULL, 0, NULL}   // terminator
};
605
/* Dispatcher for the "lf em4x" command family: resets the command buffer
 * (clearCommandBuffer) and looks Cmd up in CommandTable. Returns 0.
 */
int CmdLFEM4X(const char *Cmd)
{
    clearCommandBuffer();

    CmdsParse(CommandTable, Cmd);

    return 0;
}
611
/* "help": print the usage lines of every entry in CommandTable.
 * Cmd is unused. Returns 0.
 */
int CmdHelp(const char *Cmd)
{
    (void)Cmd;
    CmdsHelp(CommandTable);
    return 0;
}