]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfem4x.c
Small fixes,
[proxmark3-svn] / client / cmdlfem4x.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <inttypes.h>
14 #include "proxmark3.h"
15 #include "ui.h"
16 #include "graph.h"
17 #include "cmdmain.h"
18 #include "cmdparser.h"
19 #include "cmddata.h"
20 #include "cmdlf.h"
21 #include "cmdlfem4x.h"
22 #include "util.h"
23 #include "data.h"
24 #define LF_TRACE_BUFF_SIZE 12000
25
26 char *global_em410xId;
27
28 static int CmdHelp(const char *Cmd);
29
30 /* Read the ID of an EM410x tag.
31 * Format:
32 * 1111 1111 1 <-- standard non-repeatable header
33 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
34 * ....
35 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
36 * 0 <-- stop bit, end of tag
37 */
38 int CmdEM410xRead(const char *Cmd)
39 {
40 int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low;
41 int parity[4];
42 char id[11];
43 char id2[11];
44 int retested = 0;
45 uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
46 high = low = 0;
47
48 /* Detect high and lows and clock */
49 for (i = 0; i < GraphTraceLen; i++)
50 {
51 if (GraphBuffer[i] > high)
52 high = GraphBuffer[i];
53 else if (GraphBuffer[i] < low)
54 low = GraphBuffer[i];
55 }
56
57 /* get clock */
58 clock = GetClock(Cmd, high, 0);
59
60 /* parity for our 4 columns */
61 parity[0] = parity[1] = parity[2] = parity[3] = 0;
62 header = rows = 0;
63
64 /* manchester demodulate */
65 bit = bit2idx = 0;
66 for (i = 0; i < (int)(GraphTraceLen / clock); i++)
67 {
68 hithigh = 0;
69 hitlow = 0;
70 first = 1;
71
72 /* Find out if we hit both high and low peaks */
73 for (j = 0; j < clock; j++)
74 {
75 if (GraphBuffer[(i * clock) + j] == high)
76 hithigh = 1;
77 else if (GraphBuffer[(i * clock) + j] == low)
78 hitlow = 1;
79
80 /* it doesn't count if it's the first part of our read
81 because it's really just trailing from the last sequence */
82 if (first && (hithigh || hitlow))
83 hithigh = hitlow = 0;
84 else
85 first = 0;
86
87 if (hithigh && hitlow)
88 break;
89 }
90
91 /* If we didn't hit both high and low peaks, we had a bit transition */
92 if (!hithigh || !hitlow)
93 bit ^= 1;
94
95 BitStream[bit2idx++] = bit;
96 }
97
98 retest:
99 /* We go till 5 before the graph ends because we'll get that far below */
100 for (i = 1; i < bit2idx - 5; i++)
101 {
102 /* Step 2: We have our header but need our tag ID */
103 if (header == 9 && rows < 10)
104 {
105 /* Confirm parity is correct */
106 if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
107 {
108 /* Read another byte! */
109 sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
110 sprintf(id2+rows, "%x", (8 * BitStream[i+3]) + (4 * BitStream[i+2]) + (2 * BitStream[i+1]) + (1 * BitStream[i]));
111 rows++;
112
113 /* Keep parity info */
114 parity[0] ^= BitStream[i];
115 parity[1] ^= BitStream[i+1];
116 parity[2] ^= BitStream[i+2];
117 parity[3] ^= BitStream[i+3];
118
119 /* Move 4 bits ahead */
120 i += 4;
121 }
122
123 /* Damn, something wrong! reset */
124 else
125 {
126 PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i);
127
128 /* Start back rows * 5 + 9 header bits, -1 to not start at same place */
129 i -= 9 + (5 * rows) - 5;
130
131 rows = header = 0;
132 }
133 }
134
135 /* Step 3: Got our 40 bits! confirm column parity */
136 else if (rows == 10)
137 {
138 /* We need to make sure our 4 bits of parity are correct and we have a stop bit */
139 if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] &&
140 BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] &&
141 BitStream[i+4] == 0)
142 {
143 /* Sweet! */
144 PrintAndLog("EM410x Tag ID: %s", id);
145 PrintAndLog("Unique Tag ID: %s", id2);
146
147 global_em410xId = id;
148
149 /* Stop any loops */
150 return 1;
151 }
152
153 /* Crap! Incorrect parity or no stop bit, start all over */
154 else
155 {
156 rows = header = 0;
157
158 /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */
159 i -= 59;
160 }
161 }
162
163 /* Step 1: get our header */
164 else if (header < 9)
165 {
166 /* Need 9 consecutive 1's */
167 if (BitStream[i] == 1)
168 header++;
169
170 /* We don't have a header, not enough consecutive 1 bits */
171 else
172 header = 0;
173 }
174 }
175
176 /* if we've already retested after flipping bits, return */
177 if (retested++){
178 return 0;
179 }
180
181 /* if this didn't work, try flipping bits */
182 for (i = 0; i < bit2idx; i++)
183 BitStream[i] ^= 1;
184
185 goto retest;
186 }
187
188 /* emulate an EM410X tag
189 * Format:
190 * 1111 1111 1 <-- standard non-repeatable header
191 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
192 * ....
193 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
194 * 0 <-- stop bit, end of tag
195 */
196 int CmdEM410xSim(const char *Cmd)
197 {
198 int i, n, j, h, binary[4], parity[4];
199
200 /* clock is 64 in EM410x tags */
201 int clock = 64;
202
203 /* clear our graph */
204 ClearGraph(0);
205
206 /* write it out a few times */
207 for (h = 0; h < 4; h++)
208 {
209 /* write 9 start bits */
210 for (i = 0; i < 9; i++)
211 AppendGraph(0, clock, 1);
212
213 /* for each hex char */
214 parity[0] = parity[1] = parity[2] = parity[3] = 0;
215 for (i = 0; i < 10; i++)
216 {
217 /* read each hex char */
218 sscanf(&Cmd[i], "%1x", &n);
219 for (j = 3; j >= 0; j--, n/= 2)
220 binary[j] = n % 2;
221
222 /* append each bit */
223 AppendGraph(0, clock, binary[0]);
224 AppendGraph(0, clock, binary[1]);
225 AppendGraph(0, clock, binary[2]);
226 AppendGraph(0, clock, binary[3]);
227
228 /* append parity bit */
229 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
230
231 /* keep track of column parity */
232 parity[0] ^= binary[0];
233 parity[1] ^= binary[1];
234 parity[2] ^= binary[2];
235 parity[3] ^= binary[3];
236 }
237
238 /* parity columns */
239 AppendGraph(0, clock, parity[0]);
240 AppendGraph(0, clock, parity[1]);
241 AppendGraph(0, clock, parity[2]);
242 AppendGraph(0, clock, parity[3]);
243
244 /* stop bit */
245 AppendGraph(0, clock, 0);
246 }
247
248 /* modulate that biatch */
249 CmdManchesterMod("");
250
251 /* booyah! */
252 RepaintGraphWindow();
253
254 CmdLFSim("");
255 return 0;
256 }
257
258 /* Function is equivalent of loread + losamples + em410xread
259 * looped until an EM410x tag is detected */
260 int CmdEM410xWatch(const char *Cmd)
261 {
262 int read_h = (*Cmd == 'h');
263 //char k;
264 do
265 {
266 CmdLFRead(read_h ? "h" : "");
267 // 2000 samples is OK for clock=64, but not clock=32. Probably want
268 // 8000 for clock=16. Don't want to go too high since old HID driver
269 // is very slow
270 // TBD: Auto-grow sample size based on detected sample rate. IE: If the
271 // rate gets lower, then grow the number of samples
272
273 // Changed by martin, 4000 x 4 = 16000,
274 // see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
275 CmdSamples("16000");
276 } while (
277 !CmdEM410xRead("")
278 );
279 return 0;
280 }
281
282 int CmdEM410xWatchnSpoof(const char *Cmd)
283 {
284 int read_h = (*Cmd == 'h');
285 do
286 {
287 CmdLFRead(read_h ? "h" : "");
288 CmdSamples("16000");
289 } while ( ! CmdEM410xRead(""));
290 PrintAndLog("# Replaying : %s",global_em410xId);
291 CmdEM410xSim(global_em410xId);
292 return 0;
293 }
294
295 /* Read the transmitted data of an EM4x50 tag
296 * Format:
297 *
298 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
299 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
300 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
301 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
302 * CCCCCCCC <- column parity bits
303 * 0 <- stop bit
304 * LW <- Listen Window
305 *
306 * This pattern repeats for every block of data being transmitted.
307 * Transmission starts with two Listen Windows (LW - a modulated
308 * pattern of 320 cycles each (32/32/128/64/64)).
309 *
310 * Note that this data may or may not be the UID. It is whatever data
311 * is stored in the blocks defined in the control word First and Last
312 * Word Read values. UID is stored in block 32.
313 */
314 int CmdEM4x50Read(const char *Cmd)
315 {
316 int i, j, startblock, skip, block, start, end, low, high;
317 bool complete= false;
318 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
319 char tmp[6];
320
321 high= low= 0;
322 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
323
324 /* first get high and low values */
325 for (i = 0; i < GraphTraceLen; i++)
326 {
327 if (GraphBuffer[i] > high)
328 high = GraphBuffer[i];
329 else if (GraphBuffer[i] < low)
330 low = GraphBuffer[i];
331 }
332
333 /* populate a buffer with pulse lengths */
334 i= 0;
335 j= 0;
336 while (i < GraphTraceLen)
337 {
338 // measure from low to low
339 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
340 ++i;
341 start= i;
342 while ((GraphBuffer[i] < high) && (i<GraphTraceLen))
343 ++i;
344 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
345 ++i;
346 if (j>(MAX_GRAPH_TRACE_LEN/64)) {
347 break;
348 }
349 tmpbuff[j++]= i - start;
350 }
351
352 /* look for data start - should be 2 pairs of LW (pulses of 192,128) */
353 start= -1;
354 skip= 0;
355 for (i= 0; i < j - 4 ; ++i)
356 {
357 skip += tmpbuff[i];
358 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
359 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
360 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
361 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
362 {
363 start= i + 3;
364 break;
365 }
366 }
367 startblock= i + 3;
368
369 /* skip over the remainder of the LW */
370 skip += tmpbuff[i+1]+tmpbuff[i+2];
371 while (skip < MAX_GRAPH_TRACE_LEN && GraphBuffer[skip] > low)
372 ++skip;
373 skip += 8;
374
375 /* now do it again to find the end */
376 end= start;
377 for (i += 3; i < j - 4 ; ++i)
378 {
379 end += tmpbuff[i];
380 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
381 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
382 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
383 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
384 {
385 complete= true;
386 break;
387 }
388 }
389
390 if (start >= 0)
391 PrintAndLog("Found data at sample: %i",skip);
392 else
393 {
394 PrintAndLog("No data found!");
395 PrintAndLog("Try again with more samples.");
396 return 0;
397 }
398
399 if (!complete)
400 {
401 PrintAndLog("*** Warning!");
402 PrintAndLog("Partial data - no end found!");
403 PrintAndLog("Try again with more samples.");
404 }
405
406 /* get rid of leading crap */
407 sprintf(tmp,"%i",skip);
408 CmdLtrim(tmp);
409
410 /* now work through remaining buffer printing out data blocks */
411 block= 0;
412 i= startblock;
413 while (block < 6)
414 {
415 PrintAndLog("Block %i:", block);
416 // mandemod routine needs to be split so we can call it for data
417 // just print for now for debugging
418 CmdManchesterDemod("i 64");
419 skip= 0;
420 /* look for LW before start of next block */
421 for ( ; i < j - 4 ; ++i)
422 {
423 skip += tmpbuff[i];
424 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
425 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
426 break;
427 }
428 while (GraphBuffer[skip] > low)
429 ++skip;
430 skip += 8;
431 sprintf(tmp,"%i",skip);
432 CmdLtrim(tmp);
433 start += skip;
434 block++;
435 }
436 return 0;
437 }
438
439 int CmdEM410xWrite(const char *Cmd)
440 {
441 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
442 int card = 0xFF; // invalid card value
443 unsigned int clock = 0; // invalid clock value
444
445 sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
446
447 // Check ID
448 if (id == 0xFFFFFFFFFFFFFFFF) {
449 PrintAndLog("Error! ID is required.\n");
450 return 0;
451 }
452 if (id >= 0x10000000000) {
453 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
454 return 0;
455 }
456
457 // Check Card
458 if (card == 0xFF) {
459 PrintAndLog("Error! Card type required.\n");
460 return 0;
461 }
462 if (card < 0) {
463 PrintAndLog("Error! Bad card type selected.\n");
464 return 0;
465 }
466
467 // Check Clock
468 if (card == 1)
469 {
470 // Default: 64
471 if (clock == 0)
472 clock = 64;
473
474 // Allowed clock rates: 16, 32 and 64
475 if ((clock != 16) && (clock != 32) && (clock != 64)) {
476 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32 and 64.\n", clock);
477 return 0;
478 }
479 }
480 else if (clock != 0)
481 {
482 PrintAndLog("Error! Clock rate is only supported on T55x7 tags.\n");
483 return 0;
484 }
485
486 if (card == 1) {
487 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
488 // NOTE: We really should pass the clock in as a separate argument, but to
489 // provide for backwards-compatibility for older firmware, and to avoid
490 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
491 // the clock rate in bits 8-15 of the card value
492 card = (card & 0xFF) | (((uint64_t)clock << 8) & 0xFF00);
493 }
494 else if (card == 0)
495 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
496 else {
497 PrintAndLog("Error! Bad card type selected.\n");
498 return 0;
499 }
500
501 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
502 SendCommand(&c);
503
504 return 0;
505 }
506
507 int CmdReadWord(const char *Cmd)
508 {
509 int Word = -1; //default to invalid word
510 UsbCommand c;
511
512 sscanf(Cmd, "%d", &Word);
513
514 if ( (Word > 15) | (Word < 0) ) {
515 PrintAndLog("Word must be between 0 and 15");
516 return 1;
517 }
518
519 PrintAndLog("Reading word %d", Word);
520
521 c.cmd = CMD_EM4X_READ_WORD;
522 c.d.asBytes[0] = 0x0; //Normal mode
523 c.arg[0] = 0;
524 c.arg[1] = Word;
525 c.arg[2] = 0;
526 SendCommand(&c);
527 WaitForResponse(CMD_ACK, NULL);
528
529 uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};
530
531 GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
532 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
533
534 for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {
535 GraphBuffer[j] = ((int)data[j]);
536 }
537 GraphTraceLen = LF_TRACE_BUFF_SIZE;
538
539 uint8_t bits[1000] = {0x00};
540 uint8_t * bitstream = bits;
541 manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream);
542 RepaintGraphWindow();
543 return 0;
544 }
545
546 int CmdReadWordPWD(const char *Cmd)
547 {
548 int Word = -1; //default to invalid word
549 int Password = 0xFFFFFFFF; //default to blank password
550 UsbCommand c;
551
552 sscanf(Cmd, "%d %x", &Word, &Password);
553
554 if ( (Word > 15) | (Word < 0) ) {
555 PrintAndLog("Word must be between 0 and 15");
556 return 1;
557 }
558
559 PrintAndLog("Reading word %d with password %08X", Word, Password);
560
561 c.cmd = CMD_EM4X_READ_WORD;
562 c.d.asBytes[0] = 0x1; //Password mode
563 c.arg[0] = 0;
564 c.arg[1] = Word;
565 c.arg[2] = Password;
566 SendCommand(&c);
567 WaitForResponse(CMD_ACK, NULL);
568
569 uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};
570
571 GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
572 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
573
574 for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {
575 GraphBuffer[j] = ((int)data[j]);
576 }
577 GraphTraceLen = LF_TRACE_BUFF_SIZE;
578
579 uint8_t bits[1000] = {0x00};
580 uint8_t * bitstream = bits;
581
582 manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream);
583 RepaintGraphWindow();
584 return 0;
585 }
586
587 int CmdWriteWord(const char *Cmd)
588 {
589 int Word = 16; //default to invalid block
590 int Data = 0xFFFFFFFF; //default to blank data
591 UsbCommand c;
592
593 sscanf(Cmd, "%x %d", &Data, &Word);
594
595 if (Word > 15) {
596 PrintAndLog("Word must be between 0 and 15");
597 return 1;
598 }
599
600 PrintAndLog("Writting word %d with data %08X", Word, Data);
601
602 c.cmd = CMD_EM4X_WRITE_WORD;
603 c.d.asBytes[0] = 0x0; //Normal mode
604 c.arg[0] = Data;
605 c.arg[1] = Word;
606 c.arg[2] = 0;
607 SendCommand(&c);
608 return 0;
609 }
610
611 int CmdWriteWordPWD(const char *Cmd)
612 {
613 int Word = 8; //default to invalid word
614 int Data = 0xFFFFFFFF; //default to blank data
615 int Password = 0xFFFFFFFF; //default to blank password
616 UsbCommand c;
617
618 sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
619
620 if (Word > 15) {
621 PrintAndLog("Word must be between 0 and 15");
622 return 1;
623 }
624
625 PrintAndLog("Writting word %d with data %08X and password %08X", Word, Data, Password);
626
627 c.cmd = CMD_EM4X_WRITE_WORD;
628 c.d.asBytes[0] = 0x1; //Password mode
629 c.arg[0] = Data;
630 c.arg[1] = Word;
631 c.arg[2] = Password;
632 SendCommand(&c);
633 return 0;
634 }
635
636 static command_t CommandTable[] =
637 {
638 {"help", CmdHelp, 1, "This help"},
639 {"410read", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"},
640 {"410sim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
641 {"410watch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
642 {"410spoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
643 {"410write", CmdEM410xWrite, 1, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
644 {"4xread", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
645 {"rd", CmdReadWord, 1, "<Word 1-15> -- Read EM4xxx word data"},
646 {"rdpwd", CmdReadWordPWD, 1, "<Word 1-15> <Password> -- Read EM4xxx word data in password mode "},
647 {"wr", CmdWriteWord, 1, "<Data> <Word 1-15> -- Write EM4xxx word data"},
648 {"wrpwd", CmdWriteWordPWD, 1, "<Data> <Word 1-15> <Password> -- Write EM4xxx word data in password mode"},
649 {NULL, NULL, 0, NULL}
650 };
651
652 int CmdLFEM4X(const char *Cmd)
653 {
654 CmdsParse(CommandTable, Cmd);
655 return 0;
656 }
657
658 int CmdHelp(const char *Cmd)
659 {
660 CmdsHelp(CommandTable);
661 return 0;
662 }
Impressum, Datenschutz