]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfem4x.c
projects / proxmark3-svn / blob
? search:


35df80ab79e3784c7291b264b915e3fb6397e594
[proxmark3-svn] / client / cmdlfem4x.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <inttypes.h>
14 #include "cmdlfem4x.h"
15 #include "proxmark3.h"
16 #include "ui.h"
17 #include "util.h"
18 #include "data.h"
19 #include "graph.h"
20 #include "cmdparser.h"
21 #include "cmddata.h"
22 #include "cmdlf.h"
23 #include "cmdmain.h"
24 #include "lfdemod.h"
25 #include "protocols.h"
26 #include "util_posix.h"
27
28 uint64_t g_em410xId=0;
29
30 static int CmdHelp(const char *Cmd);
31 void ConstructEM410xEmulGraph(const char *uid,const uint8_t clock);
32
33 int CmdEMdemodASK(const char *Cmd)
34 {
35 char cmdp = param_getchar(Cmd, 0);
36 int findone = (cmdp == '1') ? 1 : 0;
37 UsbCommand c={CMD_EM410X_DEMOD};
38 c.arg[0]=findone;
39 SendCommand(&c);
40 return 0;
41 }
42
43 //by marshmellow
44 //print 64 bit EM410x ID in multiple formats
45 void printEM410x(uint32_t hi, uint64_t id)
46 {
47 if (id || hi){
48 uint64_t iii=1;
49 uint64_t id2lo=0;
50 uint32_t ii=0;
51 uint32_t i=0;
52 for (ii=5; ii>0;ii--){
53 for (i=0;i<8;i++){
54 id2lo=(id2lo<<1LL) | ((id & (iii << (i+((ii-1)*8)))) >> (i+((ii-1)*8)));
55 }
56 }
57 if (hi){
58 //output 88 bit em id
59 PrintAndLog("\nEM TAG ID : %06X%016" PRIX64, hi, id);
60 } else{
61 //output 40 bit em id
62 PrintAndLog("\nEM TAG ID : %010" PRIX64, id);
63 PrintAndLog("\nPossible de-scramble patterns");
64 PrintAndLog("Unique TAG ID : %010" PRIX64, id2lo);
65 PrintAndLog("HoneyWell IdentKey {");
66 PrintAndLog("DEZ 8 : %08" PRIu64,id & 0xFFFFFF);
67 PrintAndLog("DEZ 10 : %010" PRIu64,id & 0xFFFFFFFF);
68 PrintAndLog("DEZ 5.5 : %05lld.%05" PRIu64,(id>>16LL) & 0xFFFF,(id & 0xFFFF));
69 PrintAndLog("DEZ 3.5A : %03lld.%05" PRIu64,(id>>32ll),(id & 0xFFFF));
70 PrintAndLog("DEZ 3.5B : %03lld.%05" PRIu64,(id & 0xFF000000) >> 24,(id & 0xFFFF));
71 PrintAndLog("DEZ 3.5C : %03lld.%05" PRIu64,(id & 0xFF0000) >> 16,(id & 0xFFFF));
72 PrintAndLog("DEZ 14/IK2 : %014" PRIu64,id);
73 PrintAndLog("DEZ 15/IK3 : %015" PRIu64,id2lo);
74 PrintAndLog("DEZ 20/ZK : %02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64 "%02" PRIu64,
75 (id2lo & 0xf000000000) >> 36,
76 (id2lo & 0x0f00000000) >> 32,
77 (id2lo & 0x00f0000000) >> 28,
78 (id2lo & 0x000f000000) >> 24,
79 (id2lo & 0x0000f00000) >> 20,
80 (id2lo & 0x00000f0000) >> 16,
81 (id2lo & 0x000000f000) >> 12,
82 (id2lo & 0x0000000f00) >> 8,
83 (id2lo & 0x00000000f0) >> 4,
84 (id2lo & 0x000000000f)
85 );
86 uint64_t paxton = (((id>>32) << 24) | (id & 0xffffff)) + 0x143e00;
87 PrintAndLog("}\nOther : %05" PRIu64 "_%03" PRIu64 "_%08" PRIu64 "",(id&0xFFFF),((id>>16LL) & 0xFF),(id & 0xFFFFFF));
88 PrintAndLog("Pattern Paxton : %" PRIu64 " [0x%" PRIX64 "]", paxton, paxton);
89
90 uint32_t p1id = (id & 0xFFFFFF);
91 uint8_t arr[32] = {0x00};
92 int i =0;
93 int j = 23;
94 for (; i < 24; ++i, --j ){
95 arr[i] = (p1id >> i) & 1;
96 }
97
98 uint32_t p1 = 0;
99
100 p1 |= arr[23] << 21;
101 p1 |= arr[22] << 23;
102 p1 |= arr[21] << 20;
103 p1 |= arr[20] << 22;
104
105 p1 |= arr[19] << 18;
106 p1 |= arr[18] << 16;
107 p1 |= arr[17] << 19;
108 p1 |= arr[16] << 17;
109
110 p1 |= arr[15] << 13;
111 p1 |= arr[14] << 15;
112 p1 |= arr[13] << 12;
113 p1 |= arr[12] << 14;
114
115 p1 |= arr[11] << 6;
116 p1 |= arr[10] << 2;
117 p1 |= arr[9] << 7;
118 p1 |= arr[8] << 1;
119
120 p1 |= arr[7] << 0;
121 p1 |= arr[6] << 8;
122 p1 |= arr[5] << 11;
123 p1 |= arr[4] << 3;
124
125 p1 |= arr[3] << 10;
126 p1 |= arr[2] << 4;
127 p1 |= arr[1] << 5;
128 p1 |= arr[0] << 9;
129 PrintAndLog("Pattern 1 : %d [0x%X]", p1, p1);
130
131 uint16_t sebury1 = id & 0xFFFF;
132 uint8_t sebury2 = (id >> 16) & 0x7F;
133 uint32_t sebury3 = id & 0x7FFFFF;
134 PrintAndLog("Pattern Sebury : %d %d %d [0x%X 0x%X 0x%X]", sebury1, sebury2, sebury3, sebury1, sebury2, sebury3);
135 }
136 }
137 return;
138 }
139
140 /* Read the ID of an EM410x tag.
141 * Format:
142 * 1111 1111 1 <-- standard non-repeatable header
143 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
144 * ....
145 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
146 * 0 <-- stop bit, end of tag
147 */
148 int AskEm410xDecode(bool verbose, uint32_t *hi, uint64_t *lo )
149 {
150 size_t idx = 0;
151 uint8_t BitStream[512]={0};
152 size_t BitLen = sizeof(BitStream);
153 if ( !getDemodBuf(BitStream, &BitLen) ) return 0;
154
155 if (Em410xDecode(BitStream, &BitLen, &idx, hi, lo)) {
156 //set GraphBuffer for clone or sim command
157 setDemodBuf(DemodBuffer, (BitLen==40) ? 64 : 128, idx+1);
158 setClockGrid(g_DemodClock, g_DemodStartIdx + ((idx+1)*g_DemodClock));
159
160 if (g_debugMode) {
161 PrintAndLog("DEBUG: idx: %d, Len: %d, Printing Demod Buffer:", idx, BitLen);
162 printDemodBuff();
163 }
164 if (verbose) {
165 PrintAndLog("EM410x pattern found: ");
166 printEM410x(*hi, *lo);
167 g_em410xId = *lo;
168 }
169 return 1;
170 }
171 return 0;
172 }
173
174 //askdemod then call Em410xdecode
175 int AskEm410xDemod(const char *Cmd, uint32_t *hi, uint64_t *lo, bool verbose)
176 {
177 bool st = true;
178 if (!ASKDemod_ext(Cmd, false, false, 1, &st)) return 0;
179 return AskEm410xDecode(verbose, hi, lo);
180 }
181
182 //by marshmellow
183 //takes 3 arguments - clock, invert and maxErr as integers
184 //attempts to demodulate ask while decoding manchester
185 //prints binary found and saves in graphbuffer for further commands
186 int CmdAskEM410xDemod(const char *Cmd)
187 {
188 char cmdp = param_getchar(Cmd, 0);
189 if (strlen(Cmd) > 10 || cmdp == 'h' || cmdp == 'H') {
190 PrintAndLog("Usage: lf em 410xdemod [clock] <0|1> [maxError]");
191 PrintAndLog(" [set clock as integer] optional, if not set, autodetect.");
192 PrintAndLog(" <invert>, 1 for invert output");
193 PrintAndLog(" [set maximum allowed errors], default = 100.");
194 PrintAndLog("");
195 PrintAndLog(" sample: lf em 410xdemod = demod an EM410x Tag ID from GraphBuffer");
196 PrintAndLog(" : lf em 410xdemod 32 = demod an EM410x Tag ID from GraphBuffer using a clock of RF/32");
197 PrintAndLog(" : lf em 410xdemod 32 1 = demod an EM410x Tag ID from GraphBuffer using a clock of RF/32 and inverting data");
198 PrintAndLog(" : lf em 410xdemod 1 = demod an EM410x Tag ID from GraphBuffer while inverting data");
199 PrintAndLog(" : lf em 410xdemod 64 1 0 = demod an EM410x Tag ID from GraphBuffer using a clock of RF/64 and inverting data and allowing 0 demod errors");
200 return 0;
201 }
202 uint64_t lo = 0;
203 uint32_t hi = 0;
204 return AskEm410xDemod(Cmd, &hi, &lo, true);
205 }
206
207 int usage_lf_em410x_sim(void) {
208 PrintAndLog("Simulating EM410x tag");
209 PrintAndLog("");
210 PrintAndLog("Usage: lf em 410xsim [h] <uid> <clock>");
211 PrintAndLog("Options:");
212 PrintAndLog(" h - this help");
213 PrintAndLog(" uid - uid (10 HEX symbols)");
214 PrintAndLog(" clock - clock (32|64) (optional)");
215 PrintAndLog("samples:");
216 PrintAndLog(" lf em 410xsim 0F0368568B");
217 PrintAndLog(" lf em 410xsim 0F0368568B 32");
218 return 0;
219 }
220
221 // Construct the graph for emulating an EM410X tag
222 void ConstructEM410xEmulGraph(const char *uid,const uint8_t clock)
223 {
224 int i, n, j, binary[4], parity[4];
225 /* clear our graph */
226 ClearGraph(0);
227
228 /* write 9 start bits */
229 for (i = 0; i < 9; i++)
230 AppendGraph(0, clock, 1);
231
232 /* for each hex char */
233 parity[0] = parity[1] = parity[2] = parity[3] = 0;
234 for (i = 0; i < 10; i++){
235 /* read each hex char */
236 sscanf(&uid[i], "%1x", &n);
237 for (j = 3; j >= 0; j--, n/= 2)
238 binary[j] = n % 2;
239
240 /* append each bit */
241 AppendGraph(0, clock, binary[0]);
242 AppendGraph(0, clock, binary[1]);
243 AppendGraph(0, clock, binary[2]);
244 AppendGraph(0, clock, binary[3]);
245
246 /* append parity bit */
247 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
248
249 /* keep track of column parity */
250 parity[0] ^= binary[0];
251 parity[1] ^= binary[1];
252 parity[2] ^= binary[2];
253 parity[3] ^= binary[3];
254 }
255
256 /* parity columns */
257 AppendGraph(0, clock, parity[0]);
258 AppendGraph(0, clock, parity[1]);
259 AppendGraph(0, clock, parity[2]);
260 AppendGraph(0, clock, parity[3]);
261
262 /* stop bit */
263 AppendGraph(1, clock, 0);
264 }
265
266 // emulate an EM410X tag
267 int CmdEM410xSim(const char *Cmd)
268 {
269 char cmdp = param_getchar(Cmd, 0);
270 uint8_t uid[5] = {0x00};
271
272 if (cmdp == 'h' || cmdp == 'H') return usage_lf_em410x_sim();
273 /* clock is 64 in EM410x tags */
274 uint8_t clock = 64;
275
276 if (param_gethex(Cmd, 0, uid, 10)) {
277 PrintAndLog("UID must include 10 HEX symbols");
278 return 0;
279 }
280 param_getdec(Cmd,1, &clock);
281
282 PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X clock: %d", uid[0],uid[1],uid[2],uid[3],uid[4],clock);
283 PrintAndLog("Press pm3-button to abort simulation");
284
285 ConstructEM410xEmulGraph(Cmd, clock);
286
287 CmdLFSim("0"); //240 start_gap.
288 return 0;
289 }
290
291 int usage_lf_em410x_brute(void) {
292 PrintAndLog("Bruteforcing by emulating EM410x tag");
293 PrintAndLog("");
294 PrintAndLog("Usage: lf em 410xbrute [h] ids.txt [d 2000] [clock]");
295 PrintAndLog("Options:");
296 PrintAndLog(" h - this help");
297 PrintAndLog(" ids.txt - file with UIDs in HEX format, one per line");
298 PrintAndLog(" d (2000) - pause delay in milliseconds between UIDs simulation, default 1000 ms (optional)");
299 PrintAndLog(" c (32) - clock (32|64), default 64 (optional)");
300 PrintAndLog("samples:");
301 PrintAndLog(" lf em 410xbrute ids.txt");
302 PrintAndLog(" lf em 410xbrute ids.txt c 32");
303 PrintAndLog(" lf em 410xbrute ids.txt d 3000");
304 PrintAndLog(" lf em 410xbrute ids.txt d 3000 32");
305 return 0;
306 }
307
308 int CmdEM410xBrute(const char *Cmd)
309 {
310 char filename[FILE_PATH_SIZE]={0};
311 FILE *f = NULL;
312 char buf[11];
313 uint32_t uidcnt = 0;
314 uint8_t stUidBlock = 20;
315 uint8_t *uidBlock = NULL, *p = NULL;
316 int ch;
317 uint8_t uid[5] = {0x00};
318 /* clock is 64 in EM410x tags */
319 uint8_t clock = 64;
320 /* default pause time: 1 second */
321 uint32_t delay = 1000;
322
323 char cmdp = param_getchar(Cmd, 0);
324
325 if (cmdp == 'h' || cmdp == 'H') return usage_lf_em410x_brute();
326
327
328 cmdp = param_getchar(Cmd, 1);
329
330 if (cmdp == 'd' || cmdp == 'D') {
331 delay = param_get32ex(Cmd, 2, 1000, 10);
332 param_getdec(Cmd, 4, &clock);
333 } else if (cmdp == 'c' || cmdp == 'C') {
334 param_getdec(Cmd, 2, &clock);
335 delay = param_get32ex(Cmd, 4, 1000, 10);
336 }
337
338 param_getstr(Cmd, 0, filename);
339
340 uidBlock = calloc(stUidBlock, 5);
341 if (uidBlock == NULL) return 1;
342
343 if (strlen(filename) > 0) {
344 if ((f = fopen(filename, "r")) == NULL) {
345 PrintAndLog("Error: Could not open UIDs file [%s]",filename);
346 free(uidBlock);
347 return 1;
348 }
349 } else {
350 PrintAndLog("Error: Please specify a filename");
351 free(uidBlock);
352 return 1;
353 }
354
355 while( fgets(buf, sizeof(buf), f) ) {
356 if (strlen(buf) < 10 || buf[9] == '\n') continue;
357 while (fgetc(f) != '\n' && !feof(f)); //goto next line
358
359 //The line start with # is comment, skip
360 if( buf[0]=='#' ) continue;
361
362 if (param_gethex(buf, 0, uid, 10)) {
363 PrintAndLog("UIDs must include 10 HEX symbols");
364 free(uidBlock);
365 fclose(f);
366 return 1;
367 }
368
369 buf[10] = 0;
370
371 if ( stUidBlock - uidcnt < 2) {
372 p = realloc(uidBlock, 5*(stUidBlock+=10));
373 if (!p) {
374 PrintAndLog("Cannot allocate memory for UIDs");
375 free(uidBlock);
376 fclose(f);
377 return 1;
378 }
379 uidBlock = p;
380 }
381 memset(uidBlock + 5 * uidcnt, 0, 5);
382 num_to_bytes(strtoll(buf, NULL, 16), 5, uidBlock + 5*uidcnt);
383 uidcnt++;
384 memset(buf, 0, sizeof(buf));
385 }
386 fclose(f);
387
388 if (uidcnt == 0) {
389 PrintAndLog("No UIDs found in file");
390 free(uidBlock);
391 return 1;
392 }
393 PrintAndLog("Loaded %d UIDs from %s, pause delay: %d ms", uidcnt, filename, delay);
394
395 // loop
396 for(uint32_t c = 0; c < uidcnt; ++c ) {
397 char testuid[11];
398 testuid[10] = 0;
399
400 if (ukbhit()) {
401 ch = getchar();
402 (void)ch;
403 printf("\nAborted via keyboard!\n");
404 free(uidBlock);
405 return 0;
406 }
407
408 sprintf(testuid, "%010lX", bytes_to_num(uidBlock + 5*c, 5));
409 PrintAndLog("Bruteforce %d / %d: simulating UID %s, clock %d", c + 1, uidcnt, testuid, clock);
410
411 ConstructEM410xEmulGraph(testuid, clock);
412
413 CmdLFSim("0"); //240 start_gap.
414
415 msleep(delay);
416 }
417
418 free(uidBlock);
419 return 0;
420 }
421
422
423 /* Function is equivalent of lf read + data samples + em410xread
424 * looped until an EM410x tag is detected
425 *
426 * Why is CmdSamples("16000")?
427 * TBD: Auto-grow sample size based on detected sample rate. IE: If the
428 * rate gets lower, then grow the number of samples
429 * Changed by martin, 4000 x 4 = 16000,
430 * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
431 *
432 * EDIT -- capture enough to get 2 complete preambles at the slowest data rate known to be used (rf/64) (64*64*2+9 = 8201) marshmellow
433 */
434 int CmdEM410xWatch(const char *Cmd)
435 {
436 do {
437 if (ukbhit()) {
438 printf("\naborted via keyboard!\n");
439 break;
440 }
441 lf_read(true, 8201);
442 } while (!CmdAskEM410xDemod(""));
443
444 return 0;
445 }
446
447 //currently only supports manchester modulations
448 int CmdEM410xWatchnSpoof(const char *Cmd)
449 {
450 CmdEM410xWatch(Cmd);
451 PrintAndLog("# Replaying captured ID: %010"PRIx64, g_em410xId);
452 CmdLFaskSim("");
453 return 0;
454 }
455
456 int CmdEM410xWrite(const char *Cmd)
457 {
458 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
459 int card = 0xFF; // invalid card value
460 unsigned int clock = 0; // invalid clock value
461
462 sscanf(Cmd, "%" SCNx64 " %d %d", &id, &card, &clock);
463
464 // Check ID
465 if (id == 0xFFFFFFFFFFFFFFFF) {
466 PrintAndLog("Error! ID is required.\n");
467 return 0;
468 }
469 if (id >= 0x10000000000) {
470 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
471 return 0;
472 }
473
474 // Check Card
475 if (card == 0xFF) {
476 PrintAndLog("Error! Card type required.\n");
477 return 0;
478 }
479 if (card < 0) {
480 PrintAndLog("Error! Bad card type selected.\n");
481 return 0;
482 }
483
484 // Check Clock
485 // Default: 64
486 if (clock == 0)
487 clock = 64;
488
489 // Allowed clock rates: 16, 32, 40 and 64
490 if ((clock != 16) && (clock != 32) && (clock != 64) && (clock != 40)) {
491 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32, 40 and 64.\n", clock);
492 return 0;
493 }
494
495 if (card == 1) {
496 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
497 // NOTE: We really should pass the clock in as a separate argument, but to
498 // provide for backwards-compatibility for older firmware, and to avoid
499 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
500 // the clock rate in bits 8-15 of the card value
501 card = (card & 0xFF) | ((clock << 8) & 0xFF00);
502 } else if (card == 0) {
503 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
504 card = (card & 0xFF) | ((clock << 8) & 0xFF00);
505 } else {
506 PrintAndLog("Error! Bad card type selected.\n");
507 return 0;
508 }
509
510 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
511 SendCommand(&c);
512
513 return 0;
514 }
515
516 //**************** Start of EM4x50 Code ************************
517 bool EM_EndParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
518 {
519 if (rows*cols>size) return false;
520 uint8_t colP=0;
521 //assume last col is a parity and do not test
522 for (uint8_t colNum = 0; colNum < cols-1; colNum++) {
523 for (uint8_t rowNum = 0; rowNum < rows; rowNum++) {
524 colP ^= BitStream[(rowNum*cols)+colNum];
525 }
526 if (colP != pType) return false;
527 }
528 return true;
529 }
530
531 bool EM_ByteParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
532 {
533 if (rows*cols>size) return false;
534 uint8_t rowP=0;
535 //assume last row is a parity row and do not test
536 for (uint8_t rowNum = 0; rowNum < rows-1; rowNum++) {
537 for (uint8_t colNum = 0; colNum < cols; colNum++) {
538 rowP ^= BitStream[(rowNum*cols)+colNum];
539 }
540 if (rowP != pType) return false;
541 }
542 return true;
543 }
544
545 uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool pTest)
546 {
547 if (size<45) return 0;
548 uint32_t code = bytebits_to_byte(BitStream,8);
549 code = code<<8 | bytebits_to_byte(BitStream+9,8);
550 code = code<<8 | bytebits_to_byte(BitStream+18,8);
551 code = code<<8 | bytebits_to_byte(BitStream+27,8);
552 if (verbose || g_debugMode){
553 for (uint8_t i = 0; i<5; i++){
554 if (i == 4) PrintAndLog(""); //parity byte spacer
555 PrintAndLog("%d%d%d%d%d%d%d%d %d -> 0x%02x",
556 BitStream[i*9],
557 BitStream[i*9+1],
558 BitStream[i*9+2],
559 BitStream[i*9+3],
560 BitStream[i*9+4],
561 BitStream[i*9+5],
562 BitStream[i*9+6],
563 BitStream[i*9+7],
564 BitStream[i*9+8],
565 bytebits_to_byte(BitStream+i*9,8)
566 );
567 }
568 if (pTest)
569 PrintAndLog("Parity Passed");
570 else
571 PrintAndLog("Parity Failed");
572 }
573 return code;
574 }
575 /* Read the transmitted data of an EM4x50 tag from the graphbuffer
576 * Format:
577 *
578 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
579 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
580 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
581 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
582 * CCCCCCCC <- column parity bits
583 * 0 <- stop bit
584 * LW <- Listen Window
585 *
586 * This pattern repeats for every block of data being transmitted.
587 * Transmission starts with two Listen Windows (LW - a modulated
588 * pattern of 320 cycles each (32/32/128/64/64)).
589 *
590 * Note that this data may or may not be the UID. It is whatever data
591 * is stored in the blocks defined in the control word First and Last
592 * Word Read values. UID is stored in block 32.
593 */
594 //completed by Marshmellow
595 int EM4x50Read(const char *Cmd, bool verbose)
596 {
597 uint8_t fndClk[] = {8,16,32,40,50,64,128};
598 int clk = 0;
599 int invert = 0;
600 int tol = 0;
601 int i, j, startblock, skip, block, start, end, low, high, minClk;
602 bool complete = false;
603 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
604 uint32_t Code[6];
605 char tmp[6];
606 char tmp2[20];
607 int phaseoff;
608 high = low = 0;
609 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
610
611 // get user entry if any
612 sscanf(Cmd, "%i %i", &clk, &invert);
613
614 // first get high and low values
615 for (i = 0; i < GraphTraceLen; i++) {
616 if (GraphBuffer[i] > high)
617 high = GraphBuffer[i];
618 else if (GraphBuffer[i] < low)
619 low = GraphBuffer[i];
620 }
621
622 i = 0;
623 j = 0;
624 minClk = 255;
625 // get to first full low to prime loop and skip incomplete first pulse
626 while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
627 ++i;
628 while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
629 ++i;
630 skip = i;
631
632 // populate tmpbuff buffer with pulse lengths
633 while (i < GraphTraceLen) {
634 // measure from low to low
635 while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
636 ++i;
637 start= i;
638 while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
639 ++i;
640 while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
641 ++i;
642 if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
643 break;
644 }
645 tmpbuff[j++]= i - start;
646 if (i-start < minClk && i < GraphTraceLen) {
647 minClk = i - start;
648 }
649 }
650 // set clock
651 if (!clk) {
652 for (uint8_t clkCnt = 0; clkCnt<7; clkCnt++) {
653 tol = fndClk[clkCnt]/8;
654 if (minClk >= fndClk[clkCnt]-tol && minClk <= fndClk[clkCnt]+1) {
655 clk=fndClk[clkCnt];
656 break;
657 }
658 }
659 if (!clk) return 0;
660 } else tol = clk/8;
661
662 // look for data start - should be 2 pairs of LW (pulses of clk*3,clk*2)
663 start = -1;
664 for (i= 0; i < j - 4 ; ++i) {
665 skip += tmpbuff[i];
666 if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks
667 if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks
668 if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
669 if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
670 {
671 start= i + 4;
672 break;
673 }
674 }
675 startblock = i + 4;
676
677 // skip over the remainder of LW
678 skip += tmpbuff[i+1] + tmpbuff[i+2] + clk;
679 if (tmpbuff[i+3]>clk)
680 phaseoff = tmpbuff[i+3]-clk;
681 else
682 phaseoff = 0;
683 // now do it again to find the end
684 end = skip;
685 for (i += 3; i < j - 4 ; ++i) {
686 end += tmpbuff[i];
687 if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks
688 if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks
689 if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
690 if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
691 {
692 complete= true;
693 break;
694 }
695 }
696 end = i;
697 // report back
698 if (verbose || g_debugMode) {
699 if (start >= 0) {
700 PrintAndLog("\nNote: one block = 50 bits (32 data, 12 parity, 6 marker)");
701 } else {
702 PrintAndLog("No data found!, clock tried:%d",clk);
703 PrintAndLog("Try again with more samples.");
704 PrintAndLog(" or after a 'data askedge' command to clean up the read");
705 return 0;
706 }
707 } else if (start < 0) return 0;
708 start = skip;
709 snprintf(tmp2, sizeof(tmp2),"%d %d 1000 %d", clk, invert, clk*47);
710 // save GraphBuffer - to restore it later
711 save_restoreGB(GRAPH_SAVE);
712 // get rid of leading crap
713 snprintf(tmp, sizeof(tmp), "%i", skip);
714 CmdLtrim(tmp);
715 bool pTest;
716 bool AllPTest = true;
717 // now work through remaining buffer printing out data blocks
718 block = 0;
719 i = startblock;
720 while (block < 6) {
721 if (verbose || g_debugMode) PrintAndLog("\nBlock %i:", block);
722 skip = phaseoff;
723
724 // look for LW before start of next block
725 for ( ; i < j - 4 ; ++i) {
726 skip += tmpbuff[i];
727 if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol)
728 if (tmpbuff[i+1] >= clk-tol)
729 break;
730 }
731 if (i >= j-4) break; //next LW not found
732 skip += clk;
733 if (tmpbuff[i+1]>clk)
734 phaseoff = tmpbuff[i+1]-clk;
735 else
736 phaseoff = 0;
737 i += 2;
738 if (ASKDemod(tmp2, false, false, 1) < 1) {
739 save_restoreGB(GRAPH_RESTORE);
740 return 0;
741 }
742 //set DemodBufferLen to just one block
743 DemodBufferLen = skip/clk;
744 //test parities
745 pTest = EM_ByteParityTest(DemodBuffer,DemodBufferLen,5,9,0);
746 pTest &= EM_EndParityTest(DemodBuffer,DemodBufferLen,5,9,0);
747 AllPTest &= pTest;
748 //get output
749 Code[block] = OutputEM4x50_Block(DemodBuffer,DemodBufferLen,verbose, pTest);
750 if (g_debugMode) PrintAndLog("\nskipping %d samples, bits:%d", skip, skip/clk);
751 //skip to start of next block
752 snprintf(tmp,sizeof(tmp),"%i",skip);
753 CmdLtrim(tmp);
754 block++;
755 if (i >= end) break; //in case chip doesn't output 6 blocks
756 }
757 //print full code:
758 if (verbose || g_debugMode || AllPTest){
759 if (!complete) {
760 PrintAndLog("*** Warning!");
761 PrintAndLog("Partial data - no end found!");
762 PrintAndLog("Try again with more samples.");
763 }
764 PrintAndLog("Found data at sample: %i - using clock: %i", start, clk);
765 end = block;
766 for (block=0; block < end; block++){
767 PrintAndLog("Block %d: %08x",block,Code[block]);
768 }
769 if (AllPTest) {
770 PrintAndLog("Parities Passed");
771 } else {
772 PrintAndLog("Parities Failed");
773 PrintAndLog("Try cleaning the read samples with 'data askedge'");
774 }
775 }
776
777 //restore GraphBuffer
778 save_restoreGB(GRAPH_RESTORE);
779 return (int)AllPTest;
780 }
781
782 int CmdEM4x50Read(const char *Cmd)
783 {
784 return EM4x50Read(Cmd, true);
785 }
786
787 //**************** Start of EM4x05/EM4x69 Code ************************
788 int usage_lf_em_read(void) {
789 PrintAndLog("Read EM4x05/EM4x69. Tag must be on antenna. ");
790 PrintAndLog("");
791 PrintAndLog("Usage: lf em 4x05readword [h] <address> <pwd>");
792 PrintAndLog("Options:");
793 PrintAndLog(" h - this help");
794 PrintAndLog(" address - memory address to read. (0-15)");
795 PrintAndLog(" pwd - password (hex) (optional)");
796 PrintAndLog("samples:");
797 PrintAndLog(" lf em 4x05readword 1");
798 PrintAndLog(" lf em 4x05readword 1 11223344");
799 return 0;
800 }
801
802 // for command responses from em4x05 or em4x69
803 // download samples from device and copy them to the Graphbuffer
804 bool downloadSamplesEM() {
805 // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
806 uint8_t got[6000];
807 GetFromBigBuf(got, sizeof(got), 0);
808 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 4000) ) {
809 PrintAndLog("command execution time out");
810 return false;
811 }
812 setGraphBuf(got, sizeof(got));
813 return true;
814 }
815
816 bool EM4x05testDemodReadData(uint32_t *word, bool readCmd) {
817 // em4x05/em4x69 command response preamble is 00001010
818 // skip first two 0 bits as they might have been missed in the demod
819 uint8_t preamble[] = {0,0,1,0,1,0};
820 size_t startIdx = 0;
821
822 // set size to 20 to only test first 14 positions for the preamble or less if not a read command
823 size_t size = (readCmd) ? 20 : 11;
824 // sanity check
825 size = (size > DemodBufferLen) ? DemodBufferLen : size;
826 // test preamble
827 if ( !preambleSearchEx(DemodBuffer, preamble, sizeof(preamble), &size, &startIdx, true) ) {
828 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305 preamble not found :: %d", startIdx);
829 return false;
830 }
831 // if this is a readword command, get the read bytes and test the parities
832 if (readCmd) {
833 if (!EM_EndParityTest(DemodBuffer + startIdx + sizeof(preamble), 45, 5, 9, 0)) {
834 if (g_debugMode) PrintAndLog("DEBUG: Error - End Parity check failed");
835 return false;
836 }
837 // test for even parity bits and remove them. (leave out the end row of parities so 36 bits)
838 if ( removeParity(DemodBuffer, startIdx + sizeof(preamble),9,0,36) == 0 ) {
839 if (g_debugMode) PrintAndLog("DEBUG: Error - Parity not detected");
840 return false;
841 }
842
843 setDemodBuf(DemodBuffer, 32, 0);
844 //setClockGrid(0,0);
845
846 *word = bytebits_to_byteLSBF(DemodBuffer, 32);
847 }
848 return true;
849 }
850
851 // FSK, PSK, ASK/MANCHESTER, ASK/BIPHASE, ASK/DIPHASE
852 // should cover 90% of known used configs
853 // the rest will need to be manually demoded for now...
854 int demodEM4x05resp(uint32_t *word, bool readCmd) {
855 int ans = 0;
856
857 // test for FSK wave (easiest to 99% ID)
858 if (GetFskClock("", false, false)) {
859 //valid fsk clocks found
860 ans = FSKrawDemod("0 0", false);
861 if (!ans) {
862 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: FSK Demod failed, ans: %d", ans);
863 } else {
864 if (EM4x05testDemodReadData(word, readCmd)) {
865 return 1;
866 }
867 }
868 }
869 // PSK clocks should be easy to detect ( but difficult to demod a non-repeating pattern... )
870 ans = GetPskClock("", false, false);
871 if (ans>0) {
872 //try psk1
873 ans = PSKDemod("0 0 6", false);
874 if (!ans) {
875 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: PSK1 Demod failed, ans: %d", ans);
876 } else {
877 if (EM4x05testDemodReadData(word, readCmd)) {
878 return 1;
879 } else {
880 //try psk2
881 psk1TOpsk2(DemodBuffer, DemodBufferLen);
882 if (EM4x05testDemodReadData(word, readCmd)) {
883 return 1;
884 }
885 }
886 //try psk1 inverted
887 ans = PSKDemod("0 1 6", false);
888 if (!ans) {
889 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: PSK1 Demod failed, ans: %d", ans);
890 } else {
891 if (EM4x05testDemodReadData(word, readCmd)) {
892 return 1;
893 } else {
894 //try psk2
895 psk1TOpsk2(DemodBuffer, DemodBufferLen);
896 if (EM4x05testDemodReadData(word, readCmd)) {
897 return 1;
898 }
899 }
900 }
901 }
902 }
903
904 // manchester is more common than biphase... try first
905 bool stcheck = false;
906 // try manchester - NOTE: ST only applies to T55x7 tags.
907 ans = ASKDemod_ext("0,0,1", false, false, 1, &stcheck);
908 if (!ans) {
909 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: ASK/Manchester Demod failed, ans: %d", ans);
910 } else {
911 if (EM4x05testDemodReadData(word, readCmd)) {
912 return 1;
913 }
914 }
915
916 //try biphase
917 ans = ASKbiphaseDemod("0 0 1", false);
918 if (!ans) {
919 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: ASK/biphase Demod failed, ans: %d", ans);
920 } else {
921 if (EM4x05testDemodReadData(word, readCmd)) {
922 return 1;
923 }
924 }
925
926 //try diphase (differential biphase or inverted)
927 ans = ASKbiphaseDemod("0 1 1", false);
928 if (!ans) {
929 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: ASK/biphase Demod failed, ans: %d", ans);
930 } else {
931 if (EM4x05testDemodReadData(word, readCmd)) {
932 return 1;
933 }
934 }
935
936 return -1;
937 }
938
939 int EM4x05ReadWord_ext(uint8_t addr, uint32_t pwd, bool usePwd, uint32_t *wordData) {
940 UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}};
941 clearCommandBuffer();
942 SendCommand(&c);
943 UsbCommand resp;
944 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){
945 PrintAndLog("Command timed out");
946 return -1;
947 }
948 if ( !downloadSamplesEM() ) {
949 return -1;
950 }
951 int testLen = (GraphTraceLen < 1000) ? GraphTraceLen : 1000;
952 if (graphJustNoise(GraphBuffer, testLen)) {
953 PrintAndLog("no tag not found");
954 return -1;
955 }
956 //attempt demod:
957 return demodEM4x05resp(wordData, true);
958 }
959
960 int EM4x05ReadWord(uint8_t addr, uint32_t pwd, bool usePwd) {
961 uint32_t wordData = 0;
962 int success = EM4x05ReadWord_ext(addr, pwd, usePwd, &wordData);
963 if (success == 1)
964 PrintAndLog("%s Address %02d | %08X", (addr>13) ? "Lock":" Got",addr,wordData);
965 else
966 PrintAndLog("Read Address %02d | failed",addr);
967
968 return success;
969 }
970
971 int CmdEM4x05ReadWord(const char *Cmd) {
972 uint8_t addr;
973 uint32_t pwd;
974 bool usePwd = false;
975 uint8_t ctmp = param_getchar(Cmd, 0);
976 if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read();
977
978 addr = param_get8ex(Cmd, 0, 50, 10);
979 // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
980 pwd = param_get32ex(Cmd, 1, 1, 16);
981
982 if ( (addr > 15) ) {
983 PrintAndLog("Address must be between 0 and 15");
984 return 1;
985 }
986 if ( pwd == 1 ) {
987 PrintAndLog("Reading address %02u", addr);
988 } else {
989 usePwd = true;
990 PrintAndLog("Reading address %02u | password %08X", addr, pwd);
991 }
992
993 return EM4x05ReadWord(addr, pwd, usePwd);
994 }
995
996 int usage_lf_em_dump(void) {
997 PrintAndLog("Dump EM4x05/EM4x69. Tag must be on antenna. ");
998 PrintAndLog("");
999 PrintAndLog("Usage: lf em 4x05dump [h] <pwd>");
1000 PrintAndLog("Options:");
1001 PrintAndLog(" h - this help");
1002 PrintAndLog(" pwd - password (hex) (optional)");
1003 PrintAndLog("samples:");
1004 PrintAndLog(" lf em 4x05dump");
1005 PrintAndLog(" lf em 4x05dump 11223344");
1006 return 0;
1007 }
1008
1009 int CmdEM4x05dump(const char *Cmd) {
1010 uint8_t addr = 0;
1011 uint32_t pwd;
1012 bool usePwd = false;
1013 uint8_t ctmp = param_getchar(Cmd, 0);
1014 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_dump();
1015
1016 // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
1017 pwd = param_get32ex(Cmd, 0, 1, 16);
1018
1019 if ( pwd != 1 ) {
1020 usePwd = true;
1021 }
1022 int success = 1;
1023 for (; addr < 16; addr++) {
1024 if (addr == 2) {
1025 if (usePwd) {
1026 PrintAndLog(" PWD Address %02u | %08X",addr,pwd);
1027 } else {
1028 PrintAndLog(" PWD Address 02 | cannot read");
1029 }
1030 } else {
1031 success &= EM4x05ReadWord(addr, pwd, usePwd);
1032 }
1033 }
1034
1035 return success;
1036 }
1037
1038
1039 int usage_lf_em_write(void) {
1040 PrintAndLog("Write EM4x05/EM4x69. Tag must be on antenna. ");
1041 PrintAndLog("");
1042 PrintAndLog("Usage: lf em 4x05writeword [h] a <address> d <data> p <pwd> [s] [i]");
1043 PrintAndLog("Options:");
1044 PrintAndLog(" h - this help");
1045 PrintAndLog(" a <address> - memory address to write to. (0-15)");
1046 PrintAndLog(" d <data> - data to write (hex)");
1047 PrintAndLog(" p <pwd> - password (hex) (optional)");
1048 PrintAndLog(" s - swap the data bit order before write");
1049 PrintAndLog(" i - invert the data bits before write");
1050 PrintAndLog("samples:");
1051 PrintAndLog(" lf em 4x05writeword a 5 d 11223344");
1052 PrintAndLog(" lf em 4x05writeword a 5 p deadc0de d 11223344 s i");
1053 return 0;
1054 }
1055
1056 // note: em4x05 doesn't have a way to invert data output so we must invert the data prior to writing
1057 // it if invertion is needed. (example FSK2a vs FSK)
1058 // also em4x05 requires swapping word data when compared to the data used for t55xx chips.
1059 int EM4x05WriteWord(uint8_t addr, uint32_t data, uint32_t pwd, bool usePwd, bool swap, bool invert) {
1060 if (swap) data = SwapBits(data, 32);
1061
1062 if (invert) data ^= 0xFFFFFFFF;
1063
1064 if ( (addr > 15) ) {
1065 PrintAndLog("Address must be between 0 and 15");
1066 return -1;
1067 }
1068 if ( !usePwd ) {
1069 PrintAndLog("Writing address %d data %08X", addr, data);
1070 } else {
1071 PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd);
1072 }
1073
1074 uint16_t flag = (addr << 8 ) | usePwd;
1075
1076 UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}};
1077 clearCommandBuffer();
1078 SendCommand(&c);
1079 UsbCommand resp;
1080 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){
1081 PrintAndLog("Error occurred, device did not respond during write operation.");
1082 return -1;
1083 }
1084 if ( !downloadSamplesEM() ) {
1085 return -1;
1086 }
1087 //check response for 00001010 for write confirmation!
1088 //attempt demod:
1089 uint32_t dummy = 0;
1090 int result = demodEM4x05resp(&dummy,false);
1091 if (result == 1) {
1092 PrintAndLog("Write Verified");
1093 } else {
1094 PrintAndLog("Write could not be verified");
1095 }
1096 return result;
1097 }
1098
1099 int CmdEM4x05WriteWord(const char *Cmd) {
1100 bool errors = false;
1101 bool usePwd = false;
1102 uint32_t data = 0xFFFFFFFF;
1103 uint32_t pwd = 0xFFFFFFFF;
1104 bool swap = false;
1105 bool invert = false;
1106 uint8_t addr = 16; // default to invalid address
1107 bool gotData = false;
1108 char cmdp = 0;
1109 while(param_getchar(Cmd, cmdp) != 0x00)
1110 {
1111 switch(param_getchar(Cmd, cmdp))
1112 {
1113 case 'h':
1114 case 'H':
1115 return usage_lf_em_write();
1116 case 'a':
1117 case 'A':
1118 addr = param_get8ex(Cmd, cmdp+1, 16, 10);
1119 cmdp += 2;
1120 break;
1121 case 'd':
1122 case 'D':
1123 data = param_get32ex(Cmd, cmdp+1, 0, 16);
1124 gotData = true;
1125 cmdp += 2;
1126 break;
1127 case 'i':
1128 case 'I':
1129 invert = true;
1130 cmdp++;
1131 break;
1132 case 'p':
1133 case 'P':
1134 pwd = param_get32ex(Cmd, cmdp+1, 1, 16);
1135 if (pwd == 1) {
1136 PrintAndLog("invalid pwd");
1137 errors = true;
1138 }
1139 usePwd = true;
1140 cmdp += 2;
1141 break;
1142 case 's':
1143 case 'S':
1144 swap = true;
1145 cmdp++;
1146 break;
1147 default:
1148 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1149 errors = true;
1150 break;
1151 }
1152 if(errors) break;
1153 }
1154 //Validations
1155 if(errors) return usage_lf_em_write();
1156
1157 if ( strlen(Cmd) == 0 ) return usage_lf_em_write();
1158
1159 if (!gotData) {
1160 PrintAndLog("You must enter the data you want to write");
1161 return usage_lf_em_write();
1162 }
1163 return EM4x05WriteWord(addr, data, pwd, usePwd, swap, invert);
1164 }
1165
1166 void printEM4x05config(uint32_t wordData) {
1167 uint16_t datarate = EM4x05_GET_BITRATE(wordData);
1168 uint8_t encoder = ((wordData >> 6) & 0xF);
1169 char enc[14];
1170 memset(enc,0,sizeof(enc));
1171
1172 uint8_t PSKcf = (wordData >> 10) & 0x3;
1173 char cf[10];
1174 memset(cf,0,sizeof(cf));
1175 uint8_t delay = (wordData >> 12) & 0x3;
1176 char cdelay[33];
1177 memset(cdelay,0,sizeof(cdelay));
1178 uint8_t numblks = EM4x05_GET_NUM_BLOCKS(wordData);
1179 uint8_t LWR = numblks+5-1; //last word read
1180 switch (encoder) {
1181 case 0: snprintf(enc,sizeof(enc),"NRZ"); break;
1182 case 1: snprintf(enc,sizeof(enc),"Manchester"); break;
1183 case 2: snprintf(enc,sizeof(enc),"Biphase"); break;
1184 case 3: snprintf(enc,sizeof(enc),"Miller"); break;
1185 case 4: snprintf(enc,sizeof(enc),"PSK1"); break;
1186 case 5: snprintf(enc,sizeof(enc),"PSK2"); break;
1187 case 6: snprintf(enc,sizeof(enc),"PSK3"); break;
1188 case 7: snprintf(enc,sizeof(enc),"Unknown"); break;
1189 case 8: snprintf(enc,sizeof(enc),"FSK1"); break;
1190 case 9: snprintf(enc,sizeof(enc),"FSK2"); break;
1191 default: snprintf(enc,sizeof(enc),"Unknown"); break;
1192 }
1193
1194 switch (PSKcf) {
1195 case 0: snprintf(cf,sizeof(cf),"RF/2"); break;
1196 case 1: snprintf(cf,sizeof(cf),"RF/8"); break;
1197 case 2: snprintf(cf,sizeof(cf),"RF/4"); break;
1198 case 3: snprintf(cf,sizeof(cf),"unknown"); break;
1199 }
1200
1201 switch (delay) {
1202 case 0: snprintf(cdelay, sizeof(cdelay),"no delay"); break;
1203 case 1: snprintf(cdelay, sizeof(cdelay),"BP/8 or 1/8th bit period delay"); break;
1204 case 2: snprintf(cdelay, sizeof(cdelay),"BP/4 or 1/4th bit period delay"); break;
1205 case 3: snprintf(cdelay, sizeof(cdelay),"no delay"); break;
1206 }
1207 uint8_t readLogin = (wordData & EM4x05_READ_LOGIN_REQ)>>18;
1208 uint8_t readHKL = (wordData & EM4x05_READ_HK_LOGIN_REQ)>>19;
1209 uint8_t writeLogin = (wordData & EM4x05_WRITE_LOGIN_REQ)>>20;
1210 uint8_t writeHKL = (wordData & EM4x05_WRITE_HK_LOGIN_REQ)>>21;
1211 uint8_t raw = (wordData & EM4x05_READ_AFTER_WRITE)>>22;
1212 uint8_t disable = (wordData & EM4x05_DISABLE_ALLOWED)>>23;
1213 uint8_t rtf = (wordData & EM4x05_READER_TALK_FIRST)>>24;
1214 uint8_t pigeon = (wordData & (1<<26))>>26;
1215 PrintAndLog("ConfigWord: %08X (Word 4)\n", wordData);
1216 PrintAndLog("Config Breakdown:");
1217 PrintAndLog(" Data Rate: %02u | RF/%u", wordData & 0x3F, datarate);
1218 PrintAndLog(" Encoder: %u | %s", encoder, enc);
1219 PrintAndLog(" PSK CF: %u | %s", PSKcf, cf);
1220 PrintAndLog(" Delay: %u | %s", delay, cdelay);
1221 PrintAndLog(" LastWordR: %02u | Address of last word for default read - meaning %u blocks are output", LWR, numblks);
1222 PrintAndLog(" ReadLogin: %u | Read Login is %s", readLogin, readLogin ? "Required" : "Not Required");
1223 PrintAndLog(" ReadHKL: %u | Read Housekeeping Words Login is %s", readHKL, readHKL ? "Required" : "Not Required");
1224 PrintAndLog("WriteLogin: %u | Write Login is %s", writeLogin, writeLogin ? "Required" : "Not Required");
1225 PrintAndLog(" WriteHKL: %u | Write Housekeeping Words Login is %s", writeHKL, writeHKL ? "Required" : "Not Required");
1226 PrintAndLog(" R.A.W.: %u | Read After Write is %s", raw, raw ? "On" : "Off");
1227 PrintAndLog(" Disable: %u | Disable Command is %s", disable, disable ? "Accepted" : "Not Accepted");
1228 PrintAndLog(" R.T.F.: %u | Reader Talk First is %s", rtf, rtf ? "Enabled" : "Disabled");
1229 PrintAndLog(" Pigeon: %u | Pigeon Mode is %s\n", pigeon, pigeon ? "Enabled" : "Disabled");
1230 }
1231
1232 void printEM4x05info(uint8_t chipType, uint8_t cap, uint16_t custCode, uint32_t serial) {
1233 switch (chipType) {
1234 case 9: PrintAndLog("\n Chip Type: %u | EM4305", chipType); break;
1235 case 4: PrintAndLog(" Chip Type: %u | Unknown", chipType); break;
1236 case 2: PrintAndLog(" Chip Type: %u | EM4469", chipType); break;
1237 //add more here when known
1238 default: PrintAndLog(" Chip Type: %u Unknown", chipType); break;
1239 }
1240
1241 switch (cap) {
1242 case 3: PrintAndLog(" Cap Type: %u | 330pF",cap); break;
1243 case 2: PrintAndLog(" Cap Type: %u | %spF",cap, (chipType==2)? "75":"210"); break;
1244 case 1: PrintAndLog(" Cap Type: %u | 250pF",cap); break;
1245 case 0: PrintAndLog(" Cap Type: %u | no resonant capacitor",cap); break;
1246 default: PrintAndLog(" Cap Type: %u | unknown",cap); break;
1247 }
1248
1249 PrintAndLog(" Cust Code: %03u | %s", custCode, (custCode == 0x200) ? "Default": "Unknown");
1250 if (serial != 0) {
1251 PrintAndLog("\n Serial #: %08X\n", serial);
1252 }
1253 }
1254
1255 void printEM4x05ProtectionBits(uint32_t wordData) {
1256 for (uint8_t i = 0; i < 15; i++) {
1257 PrintAndLog(" Word: %02u | %s", i, (((1 << i) & wordData ) || i < 2) ? "Is Write Locked" : "Is Not Write Locked");
1258 if (i==14) {
1259 PrintAndLog(" Word: %02u | %s", i+1, (((1 << i) & wordData ) || i < 2) ? "Is Write Locked" : "Is Not Write Locked");
1260 }
1261 }
1262 }
1263
1264 //quick test for EM4x05/EM4x69 tag
1265 bool EM4x05Block0Test(uint32_t *wordData) {
1266 if (EM4x05ReadWord_ext(0,0,false,wordData) == 1) {
1267 return true;
1268 }
1269 return false;
1270 }
1271
1272 int CmdEM4x05info(const char *Cmd) {
1273 //uint8_t addr = 0;
1274 uint32_t pwd;
1275 uint32_t wordData = 0;
1276 bool usePwd = false;
1277 uint8_t ctmp = param_getchar(Cmd, 0);
1278 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_dump();
1279
1280 // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
1281 pwd = param_get32ex(Cmd, 0, 1, 16);
1282
1283 if ( pwd != 1 ) {
1284 usePwd = true;
1285 }
1286
1287 // read word 0 (chip info)
1288 // block 0 can be read even without a password.
1289 if ( !EM4x05Block0Test(&wordData) )
1290 return -1;
1291
1292 uint8_t chipType = (wordData >> 1) & 0xF;
1293 uint8_t cap = (wordData >> 5) & 3;
1294 uint16_t custCode = (wordData >> 9) & 0x3FF;
1295
1296 // read word 1 (serial #) doesn't need pwd
1297 wordData = 0;
1298 if (EM4x05ReadWord_ext(1, 0, false, &wordData) != 1) {
1299 //failed, but continue anyway...
1300 }
1301 printEM4x05info(chipType, cap, custCode, wordData);
1302
1303 // read word 4 (config block)
1304 // needs password if one is set
1305 wordData = 0;
1306 if ( EM4x05ReadWord_ext(4, pwd, usePwd, &wordData) != 1 ) {
1307 //failed
1308 PrintAndLog("Config block read failed - might be password protected.");
1309 return 0;
1310 }
1311 printEM4x05config(wordData);
1312
1313 // read word 14 and 15 to see which is being used for the protection bits
1314 wordData = 0;
1315 if ( EM4x05ReadWord_ext(14, pwd, usePwd, &wordData) != 1 ) {
1316 //failed
1317 return 0;
1318 }
1319 // if status bit says this is not the used protection word
1320 if (!(wordData & 0x8000)) {
1321 if ( EM4x05ReadWord_ext(15, pwd, usePwd, &wordData) != 1 ) {
1322 //failed
1323 return 0;
1324 }
1325 }
1326 if (!(wordData & 0x8000)) {
1327 //something went wrong
1328 return 0;
1329 }
1330 printEM4x05ProtectionBits(wordData);
1331
1332 return 1;
1333 }
1334
1335
1336 static command_t CommandTable[] =
1337 {
1338 {"help", CmdHelp, 1, "This help"},
1339 {"410xread", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"},
1340 {"410xdemod", CmdAskEM410xDemod, 1, "[clock] [invert<0|1>] [maxErr] -- Demodulate an EM410x tag from GraphBuffer (args optional)"},
1341 {"410xsim", CmdEM410xSim, 0, "<UID> [clock rate] -- Simulate EM410x tag"},
1342 {"410xbrute", CmdEM410xBrute, 0, "ids.txt [d (delay in ms)] [c (clock rate)] -- Bruteforcing by simulating EM410x tags (1 UID/s)"},
1343 {"410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
1344 {"410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
1345 {"410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
1346 {"4x05dump", CmdEM4x05dump, 0, "(pwd) -- Read EM4x05/EM4x69 all word data"},
1347 {"4x05info", CmdEM4x05info, 0, "(pwd) -- Get info from EM4x05/EM4x69 tag"},
1348 {"4x05readword", CmdEM4x05ReadWord, 0, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
1349 {"4x05writeword", CmdEM4x05WriteWord, 0, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
1350 {"4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
1351 {NULL, NULL, 0, NULL}
1352 };
1353
1354 int CmdLFEM4X(const char *Cmd)
1355 {
1356 CmdsParse(CommandTable, Cmd);
1357 return 0;
1358 }
1359
1360 int CmdHelp(const char *Cmd)
1361 {
1362 CmdsHelp(CommandTable);
1363 return 0;
1364 }
Proxmark3 GIT tracking
Impressum, Datenschutz