]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlft55xx.c
FIX: the lfsampling.c for t55xx had a tendecy to enter a neverending loop. Moved...
[proxmark3-svn] / client / cmdlft55xx.c
1 //-----------------------------------------------------------------------------
2 //
3 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
4 // at your option, any later version. See the LICENSE.txt file for the text of
5 // the license.
6 //-----------------------------------------------------------------------------
7 // Low frequency T55xx commands
8 //-----------------------------------------------------------------------------
9
10 #include <stdio.h>
11 #include <string.h>
12 #include <inttypes.h>
13 #include <time.h>
14 #include "proxmark3.h"
15 #include "ui.h"
16 #include "graph.h"
17 #include "cmdmain.h"
18 #include "cmdparser.h"
19 #include "cmddata.h"
20 #include "cmdlf.h"
21 #include "cmdlft55xx.h"
22 #include "util.h"
23 #include "data.h"
24 #include "lfdemod.h"
25 #include "../common/crc.h"
26 #include "../common/iso14443crc.h"
27 #include "cmdhf14a.h"
28
29 #define T55x7_CONFIGURATION_BLOCK 0x00
30 #define T55x7_PAGE0 0x00
31 #define T55x7_PAGE1 0x01
32 #define T55x7_PWD 0x00000010
33 #define REGULAR_READ_MODE_BLOCK 0xFF
34
35 // Default configuration
36 t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };
37
38 t55xx_conf_block_t Get_t55xx_Config(){
39 return config;
40 }
41 void Set_t55xx_Config(t55xx_conf_block_t conf){
42 config = conf;
43 }
44
45 int usage_t55xx_config(){
46 PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");
47 PrintAndLog("Options:");
48 PrintAndLog(" h This help");
49 PrintAndLog(" b <8|16|32|40|50|64|100|128> Set bitrate");
50 PrintAndLog(" d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");
51 PrintAndLog(" i [1] Invert data signal, defaults to normal");
52 PrintAndLog(" o [offset] Set offset, where data should start decode in bitstream");
53 PrintAndLog(" Q5 Set as Q5(T5555) chip instead of T55x7");
54 PrintAndLog("");
55 PrintAndLog("Examples:");
56 PrintAndLog(" lf t55xx config d FSK - FSK demodulation");
57 PrintAndLog(" lf t55xx config d FSK i 1 - FSK demodulation, inverse data");
58 PrintAndLog(" lf t55xx config d FSK i 1 o 3 - FSK demodulation, inverse data, offset=3,start from position 3 to decode data");
59 PrintAndLog("");
60 return 0;
61 }
62 int usage_t55xx_read(){
63 PrintAndLog("Usage: lf t55xx read [b <block>] [p <password>] <override_safety> <page1>");
64 PrintAndLog("Options:");
65 PrintAndLog(" b <block> - block number to read. Between 0-7");
66 PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");
67 PrintAndLog(" o - OPTIONAL override safety check");
68 PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0");
69 PrintAndLog(" ****WARNING****");
70 PrintAndLog(" Use of read with password on a tag not configured for a pwd");
71 PrintAndLog(" can damage the tag");
72 PrintAndLog("");
73 PrintAndLog("Examples:");
74 PrintAndLog(" lf t55xx read b 0 - read data from block 0");
75 PrintAndLog(" lf t55xx read b 0 p feedbeef - read data from block 0 password feedbeef");
76 PrintAndLog(" lf t55xx read b 0 p feedbeef o - read data from block 0 password feedbeef safety check");
77 PrintAndLog("");
78 return 0;
79 }
80 int usage_t55xx_write(){
81 PrintAndLog("Usage: lf t55xx wr [b <block>] [d <data>] [p <password>] [1]");
82 PrintAndLog("Options:");
83 PrintAndLog(" b <block> - block number to write. Between 0-7");
84 PrintAndLog(" d <data> - 4 bytes of data to write (8 hex characters)");
85 PrintAndLog(" p <password> - OPTIONAL password 4bytes (8 hex characters)");
86 PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0");
87 PrintAndLog("");
88 PrintAndLog("Examples:");
89 PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3");
90 PrintAndLog(" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef");
91 PrintAndLog("");
92 return 0;
93 }
94 int usage_t55xx_trace() {
95 PrintAndLog("Usage: lf t55xx trace [1]");
96 PrintAndLog("Options:");
97 PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");
98 PrintAndLog("");
99 PrintAndLog("Examples:");
100 PrintAndLog(" lf t55xx trace");
101 PrintAndLog(" lf t55xx trace 1");
102 PrintAndLog("");
103 return 0;
104 }
105 int usage_t55xx_info() {
106 PrintAndLog("Usage: lf t55xx info [1]");
107 PrintAndLog("Options:");
108 PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");
109 PrintAndLog("");
110 PrintAndLog("Examples:");
111 PrintAndLog(" lf t55xx info");
112 PrintAndLog(" lf t55xx info 1");
113 PrintAndLog("");
114 return 0;
115 }
116 int usage_t55xx_dump(){
117 PrintAndLog("Usage: lf t55xx dump <password> [o]");
118 PrintAndLog("Options:");
119 PrintAndLog(" <password> - OPTIONAL password 4bytes (8 hex symbols)");
120 PrintAndLog(" o - OPTIONAL override, force pwd read despite danger to card");
121 PrintAndLog("");
122 PrintAndLog("Examples:");
123 PrintAndLog(" lf t55xx dump");
124 PrintAndLog(" lf t55xx dump feedbeef o");
125 PrintAndLog("");
126 return 0;
127 }
128 int usage_t55xx_detect(){
129 PrintAndLog("Usage: lf t55xx detect [1] [p <password>]");
130 PrintAndLog("Options:");
131 PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");
132 PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");
133 PrintAndLog("");
134 PrintAndLog("Examples:");
135 PrintAndLog(" lf t55xx detect");
136 PrintAndLog(" lf t55xx detect 1");
137 PrintAndLog(" lf t55xx detect p 11223344");
138 PrintAndLog("");
139 return 0;
140 }
141 int usage_t55xx_wakup(){
142 PrintAndLog("Usage: lf t55xx wakeup [h] p <password>");
143 PrintAndLog("This commands send the Answer-On-Request command and leaves the readerfield ON afterwards.");
144 PrintAndLog("Options:");
145 PrintAndLog(" h - this help");
146 PrintAndLog(" p <password> - password 4bytes (8 hex symbols)");
147 PrintAndLog("");
148 PrintAndLog("Examples:");
149 PrintAndLog(" lf t55xx wakeup p 11223344 - send wakeup password");
150 return 0;
151 }
152 int usage_t55xx_bruteforce(){
153 PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
154 PrintAndLog(" password must be 4 bytes (8 hex symbols)");
155 PrintAndLog("Options:");
156 PrintAndLog(" h - this help");
157 PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");
158 PrintAndLog("");
159 PrintAndLog("Examples:");
160 PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb");
161 PrintAndLog(" lf t55xx bruteforce i mykeys.dic");
162 PrintAndLog("");
163 return 0;
164 }
165
166 static int CmdHelp(const char *Cmd);
167
168 void printT5xxHeader(uint8_t page){
169 PrintAndLog("Reading Page %d:", page);
170 PrintAndLog("blk | hex data | binary");
171 PrintAndLog("----+----------+---------------------------------");
172 }
173
174 int CmdT55xxSetConfig(const char *Cmd) {
175
176 uint8_t offset = 0;
177 char modulation[5] = {0x00};
178 char tmp = 0x00;
179 uint8_t bitRate = 0;
180 uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};
181 uint8_t cmdp = 0;
182 config.Q5 = FALSE;
183 bool errors = FALSE;
184 while(param_getchar(Cmd, cmdp) != 0x00 && !errors)
185 {
186 tmp = param_getchar(Cmd, cmdp);
187 switch(tmp)
188 {
189 case 'h':
190 case 'H':
191 return usage_t55xx_config();
192 case 'b':
193 errors |= param_getdec(Cmd, cmdp+1, &bitRate);
194 if ( !errors){
195 uint8_t i = 0;
196 for (; i < 9; i++){
197 if (rates[i]==bitRate) {
198 config.bitrate = i;
199 break;
200 }
201 }
202 if (i==9) errors = TRUE;
203 }
204 cmdp+=2;
205 break;
206 case 'd':
207 param_getstr(Cmd, cmdp+1, modulation);
208 cmdp += 2;
209
210 if ( strcmp(modulation, "FSK" ) == 0) {
211 config.modulation = DEMOD_FSK;
212 } else if ( strcmp(modulation, "FSK1" ) == 0) {
213 config.modulation = DEMOD_FSK1;
214 config.inverted=1;
215 } else if ( strcmp(modulation, "FSK1a" ) == 0) {
216 config.modulation = DEMOD_FSK1a;
217 config.inverted=0;
218 } else if ( strcmp(modulation, "FSK2" ) == 0) {
219 config.modulation = DEMOD_FSK2;
220 config.inverted=0;
221 } else if ( strcmp(modulation, "FSK2a" ) == 0) {
222 config.modulation = DEMOD_FSK2a;
223 config.inverted=1;
224 } else if ( strcmp(modulation, "ASK" ) == 0) {
225 config.modulation = DEMOD_ASK;
226 } else if ( strcmp(modulation, "NRZ" ) == 0) {
227 config.modulation = DEMOD_NRZ;
228 } else if ( strcmp(modulation, "PSK1" ) == 0) {
229 config.modulation = DEMOD_PSK1;
230 } else if ( strcmp(modulation, "PSK2" ) == 0) {
231 config.modulation = DEMOD_PSK2;
232 } else if ( strcmp(modulation, "PSK3" ) == 0) {
233 config.modulation = DEMOD_PSK3;
234 } else if ( strcmp(modulation, "BIa" ) == 0) {
235 config.modulation = DEMOD_BIa;
236 config.inverted=1;
237 } else if ( strcmp(modulation, "BI" ) == 0) {
238 config.modulation = DEMOD_BI;
239 config.inverted=0;
240 } else {
241 PrintAndLog("Unknown modulation '%s'", modulation);
242 errors = TRUE;
243 }
244 break;
245 case 'i':
246 config.inverted = param_getchar(Cmd,cmdp+1) == '1';
247 cmdp+=2;
248 break;
249 case 'o':
250 errors |= param_getdec(Cmd, cmdp+1, &offset);
251 if ( !errors )
252 config.offset = offset;
253 cmdp+=2;
254 break;
255 case 'Q':
256 case 'q':
257 config.Q5 = TRUE;
258 cmdp++;
259 break;
260 default:
261 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
262 errors = TRUE;
263 break;
264 }
265 }
266
267 // No args
268 if (cmdp == 0) return printConfiguration( config );
269
270 //Validations
271 if (errors) return usage_t55xx_config();
272
273 config.block0 = 0;
274 return printConfiguration ( config );
275 }
276
277 int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){
278 //Password mode
279 if ( usepwd ) {
280 // try reading the config block and verify that PWD bit is set before doing this!
281 if ( !override ) {
282
283 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0;
284
285 if ( !tryDetectModulation() ) {
286 PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
287 return 0;
288 } else {
289 PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");
290 usepwd = false;
291 page1 = false;
292 }
293 } else {
294 PrintAndLog("Safety Check Overriden - proceeding despite risk");
295 }
296 }
297
298 if (!AquireData(page1, block, usepwd, password) ) return 0;
299 if (!DecodeT55xxBlock()) return 0;
300
301 char blk[10]={0};
302 sprintf(blk,"%02d", block);
303 printT55xxBlock(blk);
304 return 1;
305 }
306
307 int CmdT55xxReadBlock(const char *Cmd) {
308 uint8_t block = REGULAR_READ_MODE_BLOCK;
309 uint32_t password = 0; //default to blank Block 7
310 bool usepwd = false;
311 bool override = false;
312 bool page1 = false;
313 bool errors = false;
314 uint8_t cmdp = 0;
315 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
316 switch(param_getchar(Cmd, cmdp)) {
317 case 'h':
318 case 'H':
319 return usage_t55xx_read();
320 case 'b':
321 case 'B':
322 errors |= param_getdec(Cmd, cmdp+1, &block);
323 cmdp += 2;
324 break;
325 case 'o':
326 case 'O':
327 override = TRUE;
328 cmdp++;
329 break;
330 case 'p':
331 case 'P':
332 password = param_get32ex(Cmd, cmdp+1, 0, 16);
333 usepwd = true;
334 cmdp += 2;
335 break;
336 case '1':
337 page1 = true;
338 cmdp++;
339 break;
340 default:
341 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
342 errors = true;
343 break;
344 }
345 }
346 if (errors) return usage_t55xx_read();
347
348 if (block > 7 && block != REGULAR_READ_MODE_BLOCK ) {
349 PrintAndLog("Block must be between 0 and 7");
350 return 0;
351 }
352
353 printT5xxHeader(page1);
354 return T55xxReadBlock(block, page1, usepwd, override, password);
355 }
356
357 bool DecodeT55xxBlock(){
358
359 char buf[30] = {0x00};
360 char *cmdStr = buf;
361 int ans = 0;
362 uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};
363 DemodBufferLen = 0x00;
364
365 switch( config.modulation ){
366 case DEMOD_FSK:
367 snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );
368 ans = FSKrawDemod(cmdStr, FALSE);
369 break;
370 case DEMOD_FSK1:
371 case DEMOD_FSK1a:
372 snprintf(cmdStr, sizeof(buf),"%d %d 8 5", bitRate[config.bitrate], config.inverted );
373 ans = FSKrawDemod(cmdStr, FALSE);
374 break;
375 case DEMOD_FSK2:
376 case DEMOD_FSK2a:
377 snprintf(cmdStr, sizeof(buf),"%d %d 10 8", bitRate[config.bitrate], config.inverted );
378 ans = FSKrawDemod(cmdStr, FALSE);
379 break;
380 case DEMOD_ASK:
381 snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
382 ans = ASKDemod(cmdStr, FALSE, FALSE, 1);
383 break;
384 case DEMOD_PSK1:
385 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
386 CmdLtrim("160");
387 snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );
388 ans = PSKDemod(cmdStr, FALSE);
389 break;
390 case DEMOD_PSK2: //inverted won't affect this
391 case DEMOD_PSK3: //not fully implemented
392 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
393 CmdLtrim("160");
394 snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );
395 ans = PSKDemod(cmdStr, FALSE);
396 psk1TOpsk2(DemodBuffer, DemodBufferLen);
397 break;
398 case DEMOD_NRZ:
399 snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
400 ans = NRZrawDemod(cmdStr, FALSE);
401 break;
402 case DEMOD_BI:
403 case DEMOD_BIa:
404 snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted );
405 ans = ASKbiphaseDemod(cmdStr, FALSE);
406 break;
407 default:
408 return FALSE;
409 }
410 return (bool) ans;
411 }
412
413 int CmdT55xxDetect(const char *Cmd){
414
415 bool errors = FALSE;
416 bool useGB = FALSE;
417 bool usepwd = FALSE;
418 uint32_t password = 0;
419 uint8_t cmdp = 0;
420
421 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
422 switch(param_getchar(Cmd, cmdp)) {
423 case 'h':
424 case 'H':
425 return usage_t55xx_detect();
426 case 'p':
427 case 'P':
428 password = param_get32ex(Cmd, cmdp+1, 0, 16);
429 usepwd = TRUE;
430 cmdp += 2;
431 break;
432 case '1':
433 // use Graphbuffer data
434 useGB = TRUE;
435 cmdp++;
436 break;
437 default:
438 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
439 errors = true;
440 break;
441 }
442 }
443 if (errors) return usage_t55xx_detect();
444
445 if ( !useGB) {
446 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )
447 return 0;
448 }
449
450 if ( !tryDetectModulation() )
451 PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");
452
453 return 1;
454 }
455
456 // detect configuration?
457 bool tryDetectModulation(){
458 uint8_t hits = 0;
459 t55xx_conf_block_t tests[15];
460 int bitRate=0;
461 uint8_t fc1 = 0, fc2 = 0, clk=0;
462 save_restoreGB(1);
463
464 if (GetFskClock("", FALSE, FALSE)){
465 fskClocks(&fc1, &fc2, &clk, FALSE);
466 if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
467 tests[hits].modulation = DEMOD_FSK;
468 if (fc1==8 && fc2 == 5)
469 tests[hits].modulation = DEMOD_FSK1a;
470 else if (fc1==10 && fc2 == 8)
471 tests[hits].modulation = DEMOD_FSK2;
472 tests[hits].bitrate = bitRate;
473 tests[hits].inverted = FALSE;
474 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
475 ++hits;
476 }
477 if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
478 tests[hits].modulation = DEMOD_FSK;
479 if (fc1 == 8 && fc2 == 5)
480 tests[hits].modulation = DEMOD_FSK1;
481 else if (fc1 == 10 && fc2 == 8)
482 tests[hits].modulation = DEMOD_FSK2a;
483
484 tests[hits].bitrate = bitRate;
485 tests[hits].inverted = TRUE;
486 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
487 ++hits;
488 }
489 } else {
490 clk = GetAskClock("", FALSE, FALSE);
491 if (clk>0) {
492 if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
493 tests[hits].modulation = DEMOD_ASK;
494 tests[hits].bitrate = bitRate;
495 tests[hits].inverted = FALSE;
496 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
497 ++hits;
498 }
499 if ( ASKDemod("0 1 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
500 tests[hits].modulation = DEMOD_ASK;
501 tests[hits].bitrate = bitRate;
502 tests[hits].inverted = TRUE;
503 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
504 ++hits;
505 }
506 if ( ASKbiphaseDemod("0 0 0 2", FALSE) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
507 tests[hits].modulation = DEMOD_BI;
508 tests[hits].bitrate = bitRate;
509 tests[hits].inverted = FALSE;
510 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
511 ++hits;
512 }
513 if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
514 tests[hits].modulation = DEMOD_BIa;
515 tests[hits].bitrate = bitRate;
516 tests[hits].inverted = TRUE;
517 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
518 ++hits;
519 }
520 }
521 //undo trim from ask
522 save_restoreGB(0);
523 clk = GetNrzClock("", FALSE, FALSE);
524 if (clk>0) {
525 if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
526 tests[hits].modulation = DEMOD_NRZ;
527 tests[hits].bitrate = bitRate;
528 tests[hits].inverted = FALSE;
529 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
530 ++hits;
531 }
532
533 if ( NRZrawDemod("0 1 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
534 tests[hits].modulation = DEMOD_NRZ;
535 tests[hits].bitrate = bitRate;
536 tests[hits].inverted = TRUE;
537 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
538 ++hits;
539 }
540 }
541
542 //undo trim from nrz
543 save_restoreGB(0);
544 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
545 CmdLtrim("160");
546 clk = GetPskClock("", FALSE, FALSE);
547 if (clk>0) {
548 if ( PSKDemod("0 0 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
549 tests[hits].modulation = DEMOD_PSK1;
550 tests[hits].bitrate = bitRate;
551 tests[hits].inverted = FALSE;
552 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
553 ++hits;
554 }
555 if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
556 tests[hits].modulation = DEMOD_PSK1;
557 tests[hits].bitrate = bitRate;
558 tests[hits].inverted = TRUE;
559 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
560 ++hits;
561 }
562 // PSK2 - needs a call to psk1TOpsk2.
563 if ( PSKDemod("0 0 6", FALSE)) {
564 psk1TOpsk2(DemodBuffer, DemodBufferLen);
565 if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
566 tests[hits].modulation = DEMOD_PSK2;
567 tests[hits].bitrate = bitRate;
568 tests[hits].inverted = FALSE;
569 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
570 ++hits;
571 }
572 } // inverse waves does not affect this demod
573 // PSK3 - needs a call to psk1TOpsk2.
574 if ( PSKDemod("0 0 6", FALSE)) {
575 psk1TOpsk2(DemodBuffer, DemodBufferLen);
576 if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
577 tests[hits].modulation = DEMOD_PSK3;
578 tests[hits].bitrate = bitRate;
579 tests[hits].inverted = FALSE;
580 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
581 ++hits;
582 }
583 } // inverse waves does not affect this demod
584 }
585 }
586 save_restoreGB(0);
587 if ( hits == 1) {
588 config.modulation = tests[0].modulation;
589 config.bitrate = tests[0].bitrate;
590 config.inverted = tests[0].inverted;
591 config.offset = tests[0].offset;
592 config.block0 = tests[0].block0;
593 printConfiguration( config );
594 return TRUE;
595 }
596
597 if ( hits > 1) {
598 PrintAndLog("Found [%d] possible matches for modulation.",hits);
599 for(int i=0; i<hits; ++i){
600 PrintAndLog("--[%d]---------------", i+1);
601 printConfiguration( tests[i] );
602 }
603 }
604 return FALSE;
605 }
606
607 bool testModulation(uint8_t mode, uint8_t modread){
608 switch( mode ){
609 case DEMOD_FSK:
610 if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return TRUE;
611 break;
612 case DEMOD_ASK:
613 if (modread == DEMOD_ASK) return TRUE;
614 break;
615 case DEMOD_PSK1:
616 if (modread == DEMOD_PSK1) return TRUE;
617 break;
618 case DEMOD_PSK2:
619 if (modread == DEMOD_PSK2) return TRUE;
620 break;
621 case DEMOD_PSK3:
622 if (modread == DEMOD_PSK3) return TRUE;
623 break;
624 case DEMOD_NRZ:
625 if (modread == DEMOD_NRZ) return TRUE;
626 break;
627 case DEMOD_BI:
628 if (modread == DEMOD_BI) return TRUE;
629 break;
630 case DEMOD_BIa:
631 if (modread == DEMOD_BIa) return TRUE;
632 break;
633 default:
634 return FALSE;
635 }
636 return FALSE;
637 }
638
639 bool testQ5Modulation(uint8_t mode, uint8_t modread){
640 switch( mode ){
641 case DEMOD_FSK:
642 if (modread >= 4 && modread <= 5) return TRUE;
643 break;
644 case DEMOD_ASK:
645 if (modread == 0) return TRUE;
646 break;
647 case DEMOD_PSK1:
648 if (modread == 1) return TRUE;
649 break;
650 case DEMOD_PSK2:
651 if (modread == 2) return TRUE;
652 break;
653 case DEMOD_PSK3:
654 if (modread == 3) return TRUE;
655 break;
656 case DEMOD_NRZ:
657 if (modread == 7) return TRUE;
658 break;
659 case DEMOD_BI:
660 if (modread == 6) return TRUE;
661 break;
662 default:
663 return FALSE;
664 }
665 return FALSE;
666 }
667
668 bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){
669
670 if ( DemodBufferLen < 64 ) return FALSE;
671 uint8_t si = 0;
672 for (uint8_t idx = 28; idx < 64; idx++){
673 si = idx;
674 if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;
675
676 uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key
677 uint8_t resv = PackBits(si, 8, DemodBuffer); si += 8;
678 // 2nibble must be zeroed.
679 if (safer != 0x6) continue;
680 if ( resv > 0x00) continue;
681 //uint8_t pageSel = PackBits(si, 1, DemodBuffer); si += 1;
682 //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;
683 si += 1+1;
684 int bitRate = PackBits(si, 5, DemodBuffer)*2 + 2; si += 5; //bit rate
685 if (bitRate > 128 || bitRate < 8) continue;
686
687 //uint8_t AOR = PackBits(si, 1, DemodBuffer); si += 1;
688 //uint8_t PWD = PackBits(si, 1, DemodBuffer); si += 1;
689 //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2; //could check psk cr
690 //uint8_t inverse = PackBits(si, 1, DemodBuffer); si += 1;
691 si += 1+1+2+1;
692 uint8_t modread = PackBits(si, 3, DemodBuffer); si += 3;
693 uint8_t maxBlk = PackBits(si, 3, DemodBuffer); si += 3;
694 //uint8_t ST = PackBits(si, 1, DemodBuffer); si += 1;
695 if (maxBlk == 0) continue;
696 //test modulation
697 if (!testQ5Modulation(mode, modread)) continue;
698 if (bitRate != clk) continue;
699 *fndBitRate = bitRate;
700 *offset = idx;
701
702 return TRUE;
703 }
704 return FALSE;
705 }
706
707 bool testBitRate(uint8_t readRate, uint8_t clk){
708 uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
709 if (expected[readRate] == clk)
710 return true;
711
712 return false;
713 }
714
715 bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){
716
717 if ( DemodBufferLen < 64 ) return FALSE;
718 uint8_t si = 0;
719 for (uint8_t idx = 28; idx < 64; idx++){
720 si = idx;
721 if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;
722
723 uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key
724 uint8_t resv = PackBits(si, 4, DemodBuffer); si += 4; //was 7 & +=7+3 //should be only 4 bits if extended mode
725 // 2nibble must be zeroed.
726 // moved test to here, since this gets most faults first.
727 if ( resv > 0x00) continue;
728
729 uint8_t xtRate = PackBits(si, 3, DemodBuffer); si += 3; //extended mode part of rate
730 int bitRate = PackBits(si, 3, DemodBuffer); si += 3; //bit rate
731 if (bitRate > 7) continue;
732 uint8_t extend = PackBits(si, 1, DemodBuffer); si += 1; //bit 15 extended mode
733 uint8_t modread = PackBits(si, 5, DemodBuffer); si += 5+2+1;
734 //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2+1; //could check psk cr
735 uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode
736 uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2;
737
738 //if extended mode
739 bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;
740
741 if (!extMode){
742 if (nml01 || nml02 || xtRate) continue;
743 }
744 //test modulation
745 if (!testModulation(mode, modread)) continue;
746 if (!testBitRate(bitRate, clk)) continue;
747 *fndBitRate = bitRate;
748 *offset = idx;
749 *Q5 = FALSE;
750 return TRUE;
751 }
752 if (testQ5(mode, offset, fndBitRate, clk)) {
753 *Q5 = TRUE;
754 return TRUE;
755 }
756 return FALSE;
757 }
758
759 void printT55xxBlock(const char *blockNum){
760
761 uint8_t i = config.offset;
762 uint8_t endpos = 32 + i;
763 uint32_t blockData = 0;
764 uint8_t bits[64] = {0x00};
765
766 if ( !DemodBufferLen) return;
767
768 if ( endpos > DemodBufferLen){
769 PrintAndLog("The configured offset %d is too big. Possible offset: %d)", i, DemodBufferLen-32);
770 return;
771 }
772
773 for (; i < endpos; ++i)
774 bits[i - config.offset] = DemodBuffer[i];
775
776 blockData = PackBits(0, 32, bits);
777
778 PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));
779 }
780
781 int special(const char *Cmd) {
782 uint32_t blockData = 0;
783 uint8_t bits[32] = {0x00};
784
785 PrintAndLog("OFFSET | DATA | BINARY");
786 PrintAndLog("----------------------------------------------------");
787 int i,j = 0;
788 for (; j < 64; ++j){
789
790 for (i = 0; i < 32; ++i)
791 bits[i]=DemodBuffer[j+i];
792
793 blockData = PackBits(0, 32, bits);
794
795 PrintAndLog("%02d | 0x%08X | %s",j , blockData, sprint_bin(bits,32));
796 }
797 return 0;
798 }
799
800 int printConfiguration( t55xx_conf_block_t b){
801 PrintAndLog("Chip Type : %s", (b.Q5) ? "T5555(Q5)" : "T55x7");
802 PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) );
803 PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate) );
804 PrintAndLog("Inverted : %s", (b.inverted) ? "Yes" : "No" );
805 PrintAndLog("Offset : %d", b.offset);
806 PrintAndLog("Block0 : 0x%08X", b.block0);
807 PrintAndLog("");
808 return 0;
809 }
810
811 int CmdT55xxWakeUp(const char *Cmd) {
812 uint32_t password = 0;
813 uint8_t cmdp = 0;
814 bool errors = false;
815 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
816 switch(param_getchar(Cmd, cmdp)) {
817 case 'h':
818 case 'H':
819 return usage_t55xx_wakup();
820 case 'p':
821 case 'P':
822 password = param_get32ex(Cmd, cmdp+1, 0, 16);
823 cmdp += 2;
824 errors = false;
825 break;
826 default:
827 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
828 errors = true;
829 break;
830 }
831 }
832 if (errors) return usage_t55xx_wakup();
833
834 UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};
835 clearCommandBuffer();
836 SendCommand(&c);
837 PrintAndLog("Wake up command sent. Try read now");
838 return 0;
839 }
840
841 int CmdT55xxWriteBlock(const char *Cmd) {
842 uint8_t block = 0xFF; //default to invalid block
843 uint32_t data = 0; //default to blank Block
844 uint32_t password = 0; //default to blank Block 7
845 bool usepwd = false;
846 bool page1 = false;
847 bool gotdata = false;
848 bool errors = false;
849 uint8_t cmdp = 0;
850 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
851 switch(param_getchar(Cmd, cmdp)) {
852 case 'h':
853 case 'H':
854 return usage_t55xx_write();
855 case 'b':
856 case 'B':
857 errors |= param_getdec(Cmd, cmdp+1, &block);
858 cmdp += 2;
859 break;
860 case 'd':
861 case 'D':
862 data = param_get32ex(Cmd, cmdp+1, 0, 16);
863 gotdata = true;
864 cmdp += 2;
865 break;
866 case 'p':
867 case 'P':
868 password = param_get32ex(Cmd, cmdp+1, 0, 16);
869 usepwd = true;
870 cmdp += 2;
871 break;
872 case '1':
873 page1 = true;
874 cmdp++;
875 break;
876 default:
877 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
878 errors = true;
879 break;
880 }
881 }
882 if (errors || !gotdata) return usage_t55xx_write();
883
884 if (block > 7) {
885 PrintAndLog("Block number must be between 0 and 7");
886 return 0;
887 }
888
889 UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};
890 UsbCommand resp;
891 c.d.asBytes[0] = (page1) ? 0x2 : 0;
892
893 char pwdStr[16] = {0};
894 snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);
895
896 PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" );
897
898 //Password mode
899 if (usepwd) {
900 c.arg[2] = password;
901 c.d.asBytes[0] |= 0x1;
902 }
903 clearCommandBuffer();
904 SendCommand(&c);
905 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
906 PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");
907 return 0;
908 }
909 return 1;
910 }
911
912 int CmdT55xxReadTrace(const char *Cmd) {
913 char cmdp = param_getchar(Cmd, 0);
914 bool pwdmode = false;
915 uint32_t password = 0;
916 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();
917
918 if (strlen(Cmd)==0)
919 if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )
920 return 0;
921
922 if (!DecodeT55xxBlock()) return 0;
923
924 if ( !DemodBufferLen) return 0;
925
926 RepaintGraphWindow();
927 uint8_t repeat = 0;
928 if (config.offset > 5)
929 repeat = 32;
930 uint8_t si = config.offset+repeat;
931 uint32_t bl1 = PackBits(si, 32, DemodBuffer);
932 uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);
933
934 uint32_t acl = PackBits(si, 8, DemodBuffer); si += 8;
935 uint32_t mfc = PackBits(si, 8, DemodBuffer); si += 8;
936 uint32_t cid = PackBits(si, 5, DemodBuffer); si += 5;
937 uint32_t icr = PackBits(si, 3, DemodBuffer); si += 3;
938 uint32_t year = PackBits(si, 4, DemodBuffer); si += 4;
939 uint32_t quarter = PackBits(si, 2, DemodBuffer); si += 2;
940 uint32_t lotid = PackBits(si, 14, DemodBuffer); si += 14;
941 uint32_t wafer = PackBits(si, 5, DemodBuffer); si += 5;
942 uint32_t dw = PackBits(si, 15, DemodBuffer);
943
944 time_t t = time(NULL);
945 struct tm tm = *localtime(&t);
946 if ( year > tm.tm_year-110)
947 year += 2000;
948 else
949 year += 2010;
950
951 if (config.Q5) PrintAndLog("*** Warning *** Info read off a Q5 will not work as expected");
952 if ( acl != 0xE0 ) {
953 PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");
954 return 0;
955 }
956 PrintAndLog("");
957 PrintAndLog("-- T55xx Trace Information ----------------------------------");
958 PrintAndLog("-------------------------------------------------------------");
959 PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", acl, acl);
960 PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", mfc, mfc, getTagInfo(mfc));
961 PrintAndLog(" CID : 0x%02X (%d) - %s", cid, cid, GetModelStrFromCID(cid));
962 PrintAndLog(" ICR IC Revision : %d",icr );
963 PrintAndLog(" Manufactured");
964 PrintAndLog(" Year/Quarter : %d/%d",year, quarter);
965 PrintAndLog(" Lot ID : %d", lotid );
966 PrintAndLog(" Wafer number : %d", wafer);
967 PrintAndLog(" Die Number : %d", dw);
968 PrintAndLog("-------------------------------------------------------------");
969 PrintAndLog(" Raw Data - Page 1");
970 PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );
971 PrintAndLog(" Block 2 : 0x%08X %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );
972 PrintAndLog("-------------------------------------------------------------");
973
974 /*
975 TRACE - BLOCK O
976 Bits Definition HEX
977 1-8 ACL Allocation class (ISO/IEC 15963-1) 0xE0
978 9-16 MFC Manufacturer ID (ISO/IEC 7816-6) 0x15 Atmel Corporation
979 17-21 CID 0x1 = Atmel ATA5577M1 0x2 = Atmel ATA5577M2
980 22-24 ICR IC revision
981 25-28 YEAR (BCD encoded) 9 (= 2009)
982 29-30 QUARTER 1,2,3,4
983 31-32 LOT ID
984
985 TRACE - BLOCK 1
986 1-12 LOT ID
987 13-17 Wafer number
988 18-32 DW, die number sequential
989 */
990
991 return 0;
992 }
993
994 int CmdT55xxInfo(const char *Cmd){
995 /*
996 Page 0 Block 0 Configuration data.
997 Normal mode
998 Extended mode
999 */
1000 bool pwdmode = false;
1001 uint32_t password = 0;
1002 char cmdp = param_getchar(Cmd, 0);
1003
1004 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();
1005
1006 if (strlen(Cmd)==0)
1007 if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )
1008 return 1;
1009
1010 if (!DecodeT55xxBlock()) return 1;
1011
1012 if ( DemodBufferLen < 32) return 1;
1013
1014 uint8_t si = config.offset;
1015 uint32_t bl0 = PackBits(si, 32, DemodBuffer);
1016
1017 uint32_t safer = PackBits(si, 4, DemodBuffer); si += 4;
1018 uint32_t resv = PackBits(si, 7, DemodBuffer); si += 7;
1019 uint32_t dbr = PackBits(si, 3, DemodBuffer); si += 3;
1020 uint32_t extend = PackBits(si, 1, DemodBuffer); si += 1;
1021 uint32_t datamod = PackBits(si, 5, DemodBuffer); si += 5;
1022 uint32_t pskcf = PackBits(si, 2, DemodBuffer); si += 2;
1023 uint32_t aor = PackBits(si, 1, DemodBuffer); si += 1;
1024 uint32_t otp = PackBits(si, 1, DemodBuffer); si += 1;
1025 uint32_t maxblk = PackBits(si, 3, DemodBuffer); si += 3;
1026 uint32_t pwd = PackBits(si, 1, DemodBuffer); si += 1;
1027 uint32_t sst = PackBits(si, 1, DemodBuffer); si += 1;
1028 uint32_t fw = PackBits(si, 1, DemodBuffer); si += 1;
1029 uint32_t inv = PackBits(si, 1, DemodBuffer); si += 1;
1030 uint32_t por = PackBits(si, 1, DemodBuffer); si += 1;
1031 if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");
1032 PrintAndLog("");
1033 PrintAndLog("-- T55xx Configuration & Tag Information --------------------");
1034 PrintAndLog("-------------------------------------------------------------");
1035 PrintAndLog(" Safer key : %s", GetSaferStr(safer));
1036 PrintAndLog(" reserved : %d", resv);
1037 PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr));
1038 PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No");
1039 PrintAndLog(" Modulation : %s", GetModulationStr(datamod));
1040 PrintAndLog(" PSK clock frequency : %d", pskcf);
1041 PrintAndLog(" AOR - Answer on Request : %s", (aor) ? "Yes":"No");
1042 PrintAndLog(" OTP - One Time Pad : %s", (otp) ? "Yes - Warning":"No" );
1043 PrintAndLog(" Max block : %d", maxblk);
1044 PrintAndLog(" Password mode : %s", (pwd) ? "Yes":"No");
1045 PrintAndLog(" Sequence Start Terminator : %s", (sst) ? "Yes":"No");
1046 PrintAndLog(" Fast Write : %s", (fw) ? "Yes":"No");
1047 PrintAndLog(" Inverse data : %s", (inv) ? "Yes":"No");
1048 PrintAndLog(" POR-Delay : %s", (por) ? "Yes":"No");
1049 PrintAndLog("-------------------------------------------------------------");
1050 PrintAndLog(" Raw Data - Page 0");
1051 PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset,32) );
1052 PrintAndLog("-------------------------------------------------------------");
1053
1054 return 0;
1055 }
1056
1057 int CmdT55xxDump(const char *Cmd){
1058
1059 uint32_t password = 0;
1060 bool override = false;
1061 char cmdp = param_getchar(Cmd, 0);
1062 if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump();
1063
1064 bool usepwd = ( strlen(Cmd) > 0);
1065 if ( usepwd ){
1066 password = param_get32ex(Cmd, 0, 0, 16);
1067 if (param_getchar(Cmd, 1) =='o' )
1068 override = true;
1069 }
1070
1071 printT5xxHeader(0);
1072 for ( uint8_t i = 0; i < 8; ++i)
1073 T55xxReadBlock(i, 0, usepwd, override, password);
1074
1075 printT5xxHeader(1);
1076 for ( uint8_t i = 0; i < 4; i++)
1077 T55xxReadBlock(i, 1, usepwd, override, password);
1078
1079 return 1;
1080 }
1081
1082 int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){
1083 // arg0 bitmodes:
1084 // bit0 = pwdmode
1085 // bit1 = page to read from
1086 uint8_t arg0 = (page<<1) | pwdmode;
1087 UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};
1088
1089 clearCommandBuffer();
1090 SendCommand(&c);
1091 if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
1092 PrintAndLog("command execution time out");
1093 return 0;
1094 }
1095
1096 uint8_t got[12000];
1097 GetFromBigBuf(got,sizeof(got),0);
1098 WaitForResponse(CMD_ACK,NULL);
1099 setGraphBuf(got, sizeof(got));
1100 return 1;
1101 }
1102
1103 char * GetBitRateStr(uint32_t id){
1104 static char buf[25];
1105
1106 char *retStr = buf;
1107 switch (id){
1108 case 0:
1109 snprintf(retStr,sizeof(buf),"%d - RF/8",id);
1110 break;
1111 case 1:
1112 snprintf(retStr,sizeof(buf),"%d - RF/16",id);
1113 break;
1114 case 2:
1115 snprintf(retStr,sizeof(buf),"%d - RF/32",id);
1116 break;
1117 case 3:
1118 snprintf(retStr,sizeof(buf),"%d - RF/40",id);
1119 break;
1120 case 4:
1121 snprintf(retStr,sizeof(buf),"%d - RF/50",id);
1122 break;
1123 case 5:
1124 snprintf(retStr,sizeof(buf),"%d - RF/64",id);
1125 break;
1126 case 6:
1127 snprintf(retStr,sizeof(buf),"%d - RF/100",id);
1128 break;
1129 case 7:
1130 snprintf(retStr,sizeof(buf),"%d - RF/128",id);
1131 break;
1132 default:
1133 snprintf(retStr,sizeof(buf),"%d - (Unknown)",id);
1134 break;
1135 }
1136
1137 return buf;
1138 }
1139
1140 char * GetSaferStr(uint32_t id){
1141 static char buf[40];
1142 char *retStr = buf;
1143
1144 snprintf(retStr,sizeof(buf),"%d",id);
1145 if (id == 6) {
1146 snprintf(retStr,sizeof(buf),"%d - passwd",id);
1147 }
1148 if (id == 9 ){
1149 snprintf(retStr,sizeof(buf),"%d - testmode",id);
1150 }
1151
1152 return buf;
1153 }
1154
1155 char * GetModulationStr( uint32_t id){
1156 static char buf[60];
1157 char *retStr = buf;
1158
1159 switch (id){
1160 case 0:
1161 snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id);
1162 break;
1163 case 1:
1164 snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id);
1165 break;
1166 case 2:
1167 snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id);
1168 break;
1169 case 3:
1170 snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id);
1171 break;
1172 case 4:
1173 snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8 RF/5",id);
1174 break;
1175 case 5:
1176 snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8 RF/10",id);
1177 break;
1178 case 6:
1179 snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5 RF/8",id);
1180 break;
1181 case 7:
1182 snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10 RF/8",id);
1183 break;
1184 case 8:
1185 snprintf(retStr,sizeof(buf),"%d - Manchester",id);
1186 break;
1187 case 16:
1188 snprintf(retStr,sizeof(buf),"%d - Biphase",id);
1189 break;
1190 case 0x18:
1191 snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id);
1192 break;
1193 case 17:
1194 snprintf(retStr,sizeof(buf),"%d - Reserved",id);
1195 break;
1196 default:
1197 snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id);
1198 break;
1199 }
1200 return buf;
1201 }
1202
1203 char * GetModelStrFromCID(uint32_t cid){
1204
1205 static char buf[10];
1206 char *retStr = buf;
1207
1208 if (cid == 1) snprintf(retStr, sizeof(buf),"ATA5577M1");
1209 if (cid == 2) snprintf(retStr, sizeof(buf),"ATA5577M2");
1210 return buf;
1211 }
1212
1213 char * GetSelectedModulationStr( uint8_t id){
1214
1215 static char buf[20];
1216 char *retStr = buf;
1217
1218 switch (id){
1219 case DEMOD_FSK:
1220 snprintf(retStr,sizeof(buf),"FSK");
1221 break;
1222 case DEMOD_FSK1:
1223 snprintf(retStr,sizeof(buf),"FSK1");
1224 break;
1225 case DEMOD_FSK1a:
1226 snprintf(retStr,sizeof(buf),"FSK1a");
1227 break;
1228 case DEMOD_FSK2:
1229 snprintf(retStr,sizeof(buf),"FSK2");
1230 break;
1231 case DEMOD_FSK2a:
1232 snprintf(retStr,sizeof(buf),"FSK2a");
1233 break;
1234 case DEMOD_ASK:
1235 snprintf(retStr,sizeof(buf),"ASK");
1236 break;
1237 case DEMOD_NRZ:
1238 snprintf(retStr,sizeof(buf),"DIRECT/NRZ");
1239 break;
1240 case DEMOD_PSK1:
1241 snprintf(retStr,sizeof(buf),"PSK1");
1242 break;
1243 case DEMOD_PSK2:
1244 snprintf(retStr,sizeof(buf),"PSK2");
1245 break;
1246 case DEMOD_PSK3:
1247 snprintf(retStr,sizeof(buf),"PSK3");
1248 break;
1249 case DEMOD_BI:
1250 snprintf(retStr,sizeof(buf),"BIPHASE");
1251 break;
1252 case DEMOD_BIa:
1253 snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)");
1254 break;
1255 default:
1256 snprintf(retStr,sizeof(buf),"(Unknown)");
1257 break;
1258 }
1259 return buf;
1260 }
1261
1262 void t55x7_create_config_block( int tagtype ){
1263
1264 /*
1265 T55X7_DEFAULT_CONFIG_BLOCK, T55X7_RAW_CONFIG_BLOCK
1266 T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK,
1267 T55X7_FDXB_CONFIG_BLOCK, T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK, T55X7_INDALA_224_CONFIG_BLOCK
1268 T55X7_GUARDPROXII_CONFIG_BLOCK, T55X7_VIKING_CONFIG_BLOCK, T55X7_NORALYS_CONFIG_BLOCK, T55X7_IOPROX_CONFIG_BLOCK
1269 */
1270 static char buf[60];
1271 char *retStr = buf;
1272
1273 switch (tagtype){
1274 case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;
1275 case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;
1276 default:
1277 break;
1278 }
1279 PrintAndLog(buf);
1280 }
1281
1282 int CmdResetRead(const char *Cmd) {
1283 UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};
1284
1285 clearCommandBuffer();
1286 SendCommand(&c);
1287 if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
1288 PrintAndLog("command execution time out");
1289 return 0;
1290 }
1291
1292 uint8_t got[BIGBUF_SIZE-1];
1293 GetFromBigBuf(got,sizeof(got),0);
1294 WaitForResponse(CMD_ACK,NULL);
1295 setGraphBuf(got, sizeof(got));
1296 return 1;
1297 }
1298
1299 int CmdT55xxWipe(const char *Cmd) {
1300 char writeData[20] = {0};
1301 char *ptrData = writeData;
1302
1303 PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");
1304
1305 //try with the default password to reset block 0 (with a pwd should work even if pwd bit not set)
1306 snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");
1307
1308 if (!CmdT55xxWriteBlock(ptrData))
1309 PrintAndLog("Error writing blk 0");
1310
1311 for (uint8_t blk = 1; blk<8; blk++) {
1312
1313 snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);
1314
1315 if (!CmdT55xxWriteBlock(ptrData))
1316 PrintAndLog("Error writing blk %d", blk);
1317
1318 memset(writeData, sizeof(writeData), 0x00);
1319 }
1320 return 0;
1321 }
1322
1323 int CmdT55xxBruteForce(const char *Cmd) {
1324
1325 // load a default pwd file.
1326 char buf[9];
1327 char filename[FILE_PATH_SIZE]={0};
1328 int keycnt = 0;
1329 uint8_t stKeyBlock = 20;
1330 uint8_t *keyBlock = NULL, *p;
1331 keyBlock = calloc(stKeyBlock, 6);
1332 if (keyBlock == NULL) return 1;
1333
1334 uint32_t start_password = 0x00000000; //start password
1335 uint32_t end_password = 0xFFFFFFFF; //end password
1336 bool found = false;
1337
1338 char cmdp = param_getchar(Cmd, 0);
1339 if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();
1340
1341 if (cmdp == 'i' || cmdp == 'I') {
1342
1343 int len = strlen(Cmd+2);
1344 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
1345 memcpy(filename, Cmd+2, len);
1346
1347 FILE * f = fopen( filename , "r");
1348
1349 if ( !f ) {
1350 PrintAndLog("File: %s: not found or locked.", filename);
1351 free(keyBlock);
1352 return 1;
1353 }
1354
1355 while( fgets(buf, sizeof(buf), f) ){
1356 if (strlen(buf) < 8 || buf[7] == '\n') continue;
1357
1358 while (fgetc(f) != '\n' && !feof(f)) ; //goto next line
1359
1360 //The line start with # is comment, skip
1361 if( buf[0]=='#' ) continue;
1362
1363 if (!isxdigit(buf[0])){
1364 PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);
1365 continue;
1366 }
1367
1368 buf[8] = 0;
1369
1370 if ( stKeyBlock - keycnt < 2) {
1371 p = realloc(keyBlock, 6*(stKeyBlock+=10));
1372 if (!p) {
1373 PrintAndLog("Cannot allocate memory for defaultKeys");
1374 free(keyBlock);
1375 return 2;
1376 }
1377 keyBlock = p;
1378 }
1379 memset(keyBlock + 4 * keycnt, 0, 4);
1380 num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);
1381 PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));
1382 keycnt++;
1383 memset(buf, 0, sizeof(buf));
1384 }
1385 fclose(f);
1386
1387 if (keycnt == 0) {
1388 PrintAndLog("No keys found in file");
1389 return 1;
1390 }
1391 PrintAndLog("Loaded %d keys", keycnt);
1392
1393 // loop
1394 uint64_t testpwd = 0x00;
1395 for (uint16_t c = 0; c < keycnt; ++c ) {
1396
1397 testpwd = bytes_to_num(keyBlock + 4*c, 4);
1398
1399 PrintAndLog("Testing %08X", testpwd);
1400
1401
1402 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {
1403 PrintAndLog("Aquireing data from device failed. Quitting");
1404 return 0;
1405 }
1406
1407 found = tryDetectModulation();
1408
1409 if ( found ) {
1410 PrintAndLog("Found valid password: [%08X]", testpwd);
1411 return 0;
1412 }
1413 }
1414 PrintAndLog("Password NOT found.");
1415 return 0;
1416 }
1417
1418 // Try to read Block 7, first :)
1419
1420 // incremental pwd range search
1421 start_password = param_get32ex(Cmd, 0, 0, 16);
1422 end_password = param_get32ex(Cmd, 1, 0, 16);
1423
1424 if ( start_password >= end_password ) return usage_t55xx_bruteforce();
1425
1426 PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);
1427
1428 uint32_t i = start_password;
1429
1430 while ((!found) && (i <= end_password)){
1431
1432 if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {
1433 PrintAndLog("Aquireing data from device failed. Quitting");
1434 return 0;
1435 }
1436 found = tryDetectModulation();
1437
1438 if (found)
1439 break;
1440
1441 if ((i % 0x100) == 0) printf("[%08x], ",i);
1442
1443 i++;
1444 }
1445
1446 PrintAndLog("");
1447
1448 if (found)
1449 PrintAndLog("Found valid password: [%08x]", i);
1450 else
1451 PrintAndLog("Password NOT found. Last tried: [%08x]", i);
1452 return 0;
1453 }
1454
1455 static command_t CommandTable[] = {
1456 {"help", CmdHelp, 1, "This help"},
1457 {"bruteforce", CmdT55xxBruteForce,0, "Simple bruteforce attack to find password"},
1458 {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
1459 {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},
1460 {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
1461 {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
1462 {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
1463 {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
1464 {"special", special, 0, "Show block changes with 64 different offsets"},
1465 {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
1466 {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},
1467 {"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
1468 {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
1469 {NULL, NULL, 0, NULL}
1470 };
1471
1472 int CmdLFT55XX(const char *Cmd) {
1473 CmdsParse(CommandTable, Cmd);
1474 return 0;
1475 }
1476
1477 int CmdHelp(const char *Cmd) {
1478 CmdsHelp(CommandTable);
1479 return 0;
1480 }
Impressum, Datenschutz