]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfem4x.c
ADD: `analyse nuid` - generates NUID 4byte from a UID 7byte. Mifare Classic Ev1...
[proxmark3-svn] / client / cmdlfem4x.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x commands
9 //-----------------------------------------------------------------------------
10
11 #include "cmdlfem4x.h"
12
13 uint64_t g_em410xid = 0;
14
15 static int CmdHelp(const char *Cmd);
16
17 int usage_lf_em410x_sim(void) {
18 PrintAndLog("Simulating EM410x tag");
19 PrintAndLog("");
20 PrintAndLog("Usage: lf em 410xsim [h] <uid> <clock>");
21 PrintAndLog("Options:");
22 PrintAndLog(" h - this help");
23 PrintAndLog(" uid - uid (10 HEX symbols)");
24 PrintAndLog(" clock - clock (32|64) (optional)");
25 PrintAndLog("samples:");
26 PrintAndLog(" lf em 410xsim 0F0368568B");
27 PrintAndLog(" lf em 410xsim 0F0368568B 32");
28 return 0;
29 }
30
31 int CmdEMdemodASK(const char *Cmd)
32 {
33 char cmdp = param_getchar(Cmd, 0);
34 uint8_t findone = (cmdp == '1') ? 1 : 0;
35 UsbCommand c = {CMD_EM410X_DEMOD, {findone, 0, 0}};
36 SendCommand(&c);
37 return 0;
38 }
39
40 /* Read the ID of an EM410x tag.
41 * Format:
42 * 1111 1111 1 <-- standard non-repeatable header
43 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
44 * ....
45 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
46 * 0 <-- stop bit, end of tag
47 */
48 int CmdEM410xRead(const char *Cmd)
49 {
50 uint32_t hi = 0;
51 uint64_t lo = 0;
52
53 if(!AskEm410xDemod("", &hi, &lo, false)) return 0;
54
55 printEM410x(hi, lo);
56 g_em410xid = lo;
57 return 1;
58 }
59
60 // emulate an EM410X tag
61 int CmdEM410xSim(const char *Cmd)
62 {
63 int i, n, j, binary[4], parity[4];
64 uint8_t uid[5] = {0x00};
65
66 char cmdp = param_getchar(Cmd, 0);
67 if (cmdp == 'h' || cmdp == 'H') return usage_lf_em410x_sim();
68
69 /* clock is 64 in EM410x tags */
70 uint8_t clock = 64;
71
72 if (param_gethex(Cmd, 0, uid, 10)) {
73 PrintAndLog("UID must include 10 HEX symbols");
74 return 0;
75 }
76
77 param_getdec(Cmd, 1, &clock);
78
79 PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X clock: %d", uid[0],uid[1],uid[2],uid[3],uid[4],clock);
80 PrintAndLog("Press pm3-button to about simulation");
81
82 /* clear our graph */
83 ClearGraph(0);
84
85 /* write 9 start bits */
86 for (i = 0; i < 9; i++)
87 AppendGraph(0, clock, 1);
88
89 /* for each hex char */
90 parity[0] = parity[1] = parity[2] = parity[3] = 0;
91 for (i = 0; i < 10; i++)
92 {
93 /* read each hex char */
94 sscanf(&Cmd[i], "%1x", &n);
95 for (j = 3; j >= 0; j--, n/= 2)
96 binary[j] = n % 2;
97
98 /* append each bit */
99 AppendGraph(0, clock, binary[0]);
100 AppendGraph(0, clock, binary[1]);
101 AppendGraph(0, clock, binary[2]);
102 AppendGraph(0, clock, binary[3]);
103
104 /* append parity bit */
105 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
106
107 /* keep track of column parity */
108 parity[0] ^= binary[0];
109 parity[1] ^= binary[1];
110 parity[2] ^= binary[2];
111 parity[3] ^= binary[3];
112 }
113
114 /* parity columns */
115 AppendGraph(0, clock, parity[0]);
116 AppendGraph(0, clock, parity[1]);
117 AppendGraph(0, clock, parity[2]);
118 AppendGraph(0, clock, parity[3]);
119
120 /* stop bit */
121 AppendGraph(1, clock, 0);
122
123 CmdLFSim("0"); //240 start_gap.
124 return 0;
125 }
126
127 /* Function is equivalent of lf read + data samples + em410xread
128 * looped until an EM410x tag is detected
129 *
130 * Why is CmdSamples("16000")?
131 * TBD: Auto-grow sample size based on detected sample rate. IE: If the
132 * rate gets lower, then grow the number of samples
133 * Changed by martin, 4000 x 4 = 16000,
134 * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
135 */
136 int CmdEM410xWatch(const char *Cmd) {
137 do {
138 if (ukbhit()) {
139 printf("\naborted via keyboard!\n");
140 break;
141 }
142 CmdLFRead("s");
143 getSamples("6144",true);
144 } while (!CmdEM410xRead(""));
145 return 0;
146 }
147
148 //currently only supports manchester modulations
149 // todo: helptext
150 int CmdEM410xWatchnSpoof(const char *Cmd)
151 {
152 // loops if the captured ID was in XL-format.
153 CmdEM410xWatch(Cmd);
154 PrintAndLog("# Replaying captured ID: %" PRIu64 , g_em410xid);
155 CmdLFaskSim("");
156 return 0;
157 }
158
159 int CmdEM410xWrite(const char *Cmd)
160 {
161 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
162 int card = 0xFF; // invalid card value
163 uint32_t clock = 0; // invalid clock value
164
165 sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
166
167 // Check ID
168 if (id == 0xFFFFFFFFFFFFFFFF) {
169 PrintAndLog("Error! ID is required.\n");
170 return 0;
171 }
172 if (id >= 0x10000000000) {
173 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
174 return 0;
175 }
176
177 // Check Card
178 if (card == 0xFF) {
179 PrintAndLog("Error! Card type required.\n");
180 return 0;
181 }
182 if (card < 0) {
183 PrintAndLog("Error! Bad card type selected.\n");
184 return 0;
185 }
186
187 // Check Clock
188 // Default: 64
189 if (clock == 0)
190 clock = 64;
191
192 // Allowed clock rates: 16, 32, 40 and 64
193 if ((clock != 16) && (clock != 32) && (clock != 64) && (clock != 40)) {
194 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32, 40 and 64.\n", clock);
195 return 0;
196 }
197
198 if (card == 1) {
199 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
200 // NOTE: We really should pass the clock in as a separate argument, but to
201 // provide for backwards-compatibility for older firmware, and to avoid
202 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
203 // the clock rate in bits 8-15 of the card value
204 card = (card & 0xFF) | ((clock << 8) & 0xFF00);
205 } else if (card == 0) {
206 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
207 card = (card & 0xFF) | ((clock << 8) & 0xFF00);
208 } else {
209 PrintAndLog("Error! Bad card type selected.\n");
210 return 0;
211 }
212
213 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
214 SendCommand(&c);
215 return 0;
216 }
217
218 bool EM_EndParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
219 {
220 if (rows*cols>size) return FALSE;
221 uint8_t colP=0;
222 //assume last col is a parity and do not test
223 for (uint8_t colNum = 0; colNum < cols-1; colNum++) {
224 for (uint8_t rowNum = 0; rowNum < rows; rowNum++) {
225 colP ^= BitStream[(rowNum*cols)+colNum];
226 }
227 if (colP != pType) return FALSE;
228 }
229 return TRUE;
230 }
231
232 bool EM_ByteParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
233 {
234 if (rows*cols>size) return FALSE;
235 uint8_t rowP=0;
236 //assume last row is a parity row and do not test
237 for (uint8_t rowNum = 0; rowNum < rows-1; rowNum++) {
238 for (uint8_t colNum = 0; colNum < cols; colNum++) {
239 rowP ^= BitStream[(rowNum*cols)+colNum];
240 }
241 if (rowP != pType) return FALSE;
242 }
243 return TRUE;
244 }
245
246 // EM word parity test.
247 // 9*5 = 45 bits in total
248 // 012345678|r1
249 // 012345678|r2
250 // 012345678|r3
251 // 012345678|r4
252 // ------------
253 //c012345678| 0
254 // |- must be zero
255
256 bool EMwordparitytest(uint8_t *bits){
257
258 // last row/col parity must be 0
259 if (bits[44] != 0 ) return FALSE;
260
261 // col parity check
262 uint8_t c1 = bytebits_to_byte(bits, 8) ^ bytebits_to_byte(bits+9, 8) ^ bytebits_to_byte(bits+18, 8) ^ bytebits_to_byte(bits+27, 8);
263 uint8_t c2 = bytebits_to_byte(bits+36, 8);
264 if ( c1 != c2 ) return FALSE;
265
266 // row parity check
267 uint8_t rowP = 0;
268 for ( uint8_t i = 0; i < 36; ++i ) {
269
270 rowP ^= bits[i];
271 if ( i>0 && (i % 9) == 0) {
272
273 if ( rowP != EVEN )
274 return FALSE;
275
276 rowP = 0;
277 }
278 }
279 // all checks ok.
280 return TRUE;
281 }
282
283
284 //////////////// 4050 / 4450 commands
285 int usage_lf_em4x50_dump(void) {
286 PrintAndLog("Dump EM4x50/EM4x69. Tag must be on antenna. ");
287 PrintAndLog("");
288 PrintAndLog("Usage: lf em 4x50dump [h] <pwd>");
289 PrintAndLog("Options:");
290 PrintAndLog(" h - this help");
291 PrintAndLog(" pwd - password (hex) (optional)");
292 PrintAndLog("samples:");
293 PrintAndLog(" lf em 4x50dump");
294 PrintAndLog(" lf em 4x50dump 11223344");
295 return 0;
296 }
297 int usage_lf_em4x50_read(void) {
298 PrintAndLog("Read EM 4x50/EM4x69. Tag must be on antenna. ");
299 PrintAndLog("");
300 PrintAndLog("Usage: lf em 4x50read [h] <address> <pwd>");
301 PrintAndLog("Options:");
302 PrintAndLog(" h - this help");
303 PrintAndLog(" address - memory address to read. (0-15)");
304 PrintAndLog(" pwd - password (hex) (optional)");
305 PrintAndLog("samples:");
306 PrintAndLog(" lf em 4x50read 1");
307 PrintAndLog(" lf em 4x50read 1 11223344");
308 return 0;
309 }
310 int usage_lf_em4x50_write(void) {
311 PrintAndLog("Write EM 4x50/4x69. Tag must be on antenna. ");
312 PrintAndLog("");
313 PrintAndLog("Usage: lf em 4x50write [h] <address> <data> <pwd>");
314 PrintAndLog("Options:");
315 PrintAndLog(" h - this help");
316 PrintAndLog(" address - memory address to write to. (0-15)");
317 PrintAndLog(" data - data to write (hex)");
318 PrintAndLog(" pwd - password (hex) (optional)");
319 PrintAndLog("samples:");
320 PrintAndLog(" lf em 4x50write 1 deadc0de");
321 PrintAndLog(" lf em 4x50write 1 deadc0de 11223344");
322 return 0;
323 }
324
325 uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool pTest)
326 {
327 if (size<45) return 0;
328
329 uint32_t code = bytebits_to_byte(BitStream,8);
330 code = code<<8 | bytebits_to_byte(BitStream+9,8);
331 code = code<<8 | bytebits_to_byte(BitStream+18,8);
332 code = code<<8 | bytebits_to_byte(BitStream+27,8);
333
334 if (verbose || g_debugMode){
335 for (uint8_t i = 0; i<5; i++){
336 if (i == 4) PrintAndLog(""); //parity byte spacer
337 PrintAndLog("%d%d%d%d%d%d%d%d %d -> 0x%02x",
338 BitStream[i*9],
339 BitStream[i*9+1],
340 BitStream[i*9+2],
341 BitStream[i*9+3],
342 BitStream[i*9+4],
343 BitStream[i*9+5],
344 BitStream[i*9+6],
345 BitStream[i*9+7],
346 BitStream[i*9+8],
347 bytebits_to_byte(BitStream+i*9,8)
348 );
349 }
350 if (pTest)
351 PrintAndLog("Parity Passed");
352 else
353 PrintAndLog("Parity Failed");
354 }
355 return code;
356 }
357
358
359 /* Read the transmitted data of an EM4x50 tag from the graphbuffer
360 * Format:
361 *
362 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
363 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
364 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
365 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
366 * CCCCCCCC <- column parity bits
367 * 0 <- stop bit
368 * LW <- Listen Window
369 *
370 * This pattern repeats for every block of data being transmitted.
371 * Transmission starts with two Listen Windows (LW - a modulated
372 * pattern of 320 cycles each (32/32/128/64/64)).
373 *
374 * Note that this data may or may not be the UID. It is whatever data
375 * is stored in the blocks defined in the control word First and Last
376 * Word Read values. UID is stored in block 32.
377 */
378 //completed by Marshmellow
379 int EM4x50Read(const char *Cmd, bool verbose) {
380 uint8_t fndClk[] = {8,16,32,40,50,64,128};
381 int clk = 0;
382 int invert = 0;
383 int tol = 0;
384 int i, j, startblock, skip, block, start, end, low, high, minClk;
385 bool complete = false;
386 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
387 uint32_t Code[6];
388 char tmp[6];
389 char tmp2[20];
390 int phaseoff;
391 high = low = 0;
392 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
393
394 // get user entry if any
395 sscanf(Cmd, "%i %i", &clk, &invert);
396
397 // save GraphBuffer - to restore it later
398 save_restoreGB(1);
399
400 // first get high and low values
401 for (i = 0; i < GraphTraceLen; i++) {
402 if (GraphBuffer[i] > high)
403 high = GraphBuffer[i];
404 else if (GraphBuffer[i] < low)
405 low = GraphBuffer[i];
406 }
407
408 i = 0;
409 j = 0;
410 minClk = 255;
411 // get to first full low to prime loop and skip incomplete first pulse
412 while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
413 ++i;
414 while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
415 ++i;
416 skip = i;
417
418 // populate tmpbuff buffer with pulse lengths
419 while (i < GraphTraceLen) {
420 // measure from low to low
421 while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
422 ++i;
423 start= i;
424 while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
425 ++i;
426 while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
427 ++i;
428 if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
429 break;
430 }
431 tmpbuff[j++]= i - start;
432 if (i-start < minClk && i < GraphTraceLen) {
433 minClk = i - start;
434 }
435 }
436 // set clock
437 if (!clk) {
438 for (uint8_t clkCnt = 0; clkCnt<7; clkCnt++) {
439 tol = fndClk[clkCnt]/8;
440 if (minClk >= fndClk[clkCnt]-tol && minClk <= fndClk[clkCnt]+1) {
441 clk=fndClk[clkCnt];
442 break;
443 }
444 }
445 if (!clk) {
446 if (verbose || g_debugMode) PrintAndLog("ERROR: EM4x50 - didn't find a clock");
447 return 0;
448 }
449 } else tol = clk/8;
450
451 // look for data start - should be 2 pairs of LW (pulses of clk*3,clk*2)
452 start = -1;
453 for (i= 0; i < j - 4 ; ++i) {
454 skip += tmpbuff[i];
455 if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks
456 if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks
457 if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
458 if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
459 {
460 start= i + 4;
461 break;
462 }
463 }
464 startblock = i + 4;
465
466 // skip over the remainder of LW
467 skip += tmpbuff[i+1] + tmpbuff[i+2] + clk;
468 if (tmpbuff[i+3]>clk)
469 phaseoff = tmpbuff[i+3]-clk;
470 else
471 phaseoff = 0;
472 // now do it again to find the end
473 end = skip;
474 for (i += 3; i < j - 4 ; ++i) {
475 end += tmpbuff[i];
476 if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks
477 if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks
478 if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
479 if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
480 {
481 complete= true;
482 break;
483 }
484 }
485 end = i;
486 // report back
487 if (verbose || g_debugMode) {
488 if (start >= 0) {
489 PrintAndLog("\nNote: one block = 50 bits (32 data, 12 parity, 6 marker)");
490 } else {
491 PrintAndLog("No data found!, clock tried:%d",clk);
492 PrintAndLog("Try again with more samples.");
493 PrintAndLog(" or after a 'data askedge' command to clean up the read");
494 return 0;
495 }
496 } else if (start < 0) return 0;
497 start = skip;
498 snprintf(tmp2, sizeof(tmp2),"%d %d 1000 %d", clk, invert, clk*47);
499 // get rid of leading crap
500 snprintf(tmp, sizeof(tmp), "%i", skip);
501 CmdLtrim(tmp);
502 bool pTest;
503 bool AllPTest = true;
504 // now work through remaining buffer printing out data blocks
505 block = 0;
506 i = startblock;
507 while (block < 6) {
508 if (verbose || g_debugMode) PrintAndLog("\nBlock %i:", block);
509 skip = phaseoff;
510
511 // look for LW before start of next block
512 for ( ; i < j - 4 ; ++i) {
513 skip += tmpbuff[i];
514 if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol)
515 if (tmpbuff[i+1] >= clk-tol)
516 break;
517 }
518 if (i >= j-4) break; //next LW not found
519 skip += clk;
520 if (tmpbuff[i+1]>clk)
521 phaseoff = tmpbuff[i+1]-clk;
522 else
523 phaseoff = 0;
524 i += 2;
525 if (ASKDemod(tmp2, false, false, 1) < 1) {
526 save_restoreGB(0);
527 return 0;
528 }
529 //set DemodBufferLen to just one block
530 DemodBufferLen = skip/clk;
531 //test parities
532 pTest = EM_ByteParityTest(DemodBuffer,DemodBufferLen,5,9,0);
533 pTest &= EM_EndParityTest(DemodBuffer,DemodBufferLen,5,9,0);
534 AllPTest &= pTest;
535 //get output
536 Code[block] = OutputEM4x50_Block(DemodBuffer,DemodBufferLen,verbose, pTest);
537 if (g_debugMode) PrintAndLog("\nskipping %d samples, bits:%d", skip, skip/clk);
538 //skip to start of next block
539 snprintf(tmp,sizeof(tmp),"%i",skip);
540 CmdLtrim(tmp);
541 block++;
542 if (i >= end) break; //in case chip doesn't output 6 blocks
543 }
544 //print full code:
545 if (verbose || g_debugMode || AllPTest){
546 if (!complete) {
547 PrintAndLog("*** Warning!");
548 PrintAndLog("Partial data - no end found!");
549 PrintAndLog("Try again with more samples.");
550 }
551 PrintAndLog("Found data at sample: %i - using clock: %i", start, clk);
552 end = block;
553 for (block=0; block < end; block++){
554 PrintAndLog("Block %d: %08x",block,Code[block]);
555 }
556 if (AllPTest) {
557 PrintAndLog("Parities Passed");
558 } else {
559 PrintAndLog("Parities Failed");
560 PrintAndLog("Try cleaning the read samples with 'data askedge'");
561 }
562 }
563
564 //restore GraphBuffer
565 save_restoreGB(0);
566 return (int)AllPTest;
567 }
568
569 int CmdEM4x50Read(const char *Cmd) {
570 uint8_t ctmp = param_getchar(Cmd, 0);
571 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x50_read();
572 return EM4x50Read(Cmd, true);
573 }
574 int CmdEM4x50Write(const char *Cmd){
575 uint8_t ctmp = param_getchar(Cmd, 0);
576 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x50_write();
577 PrintAndLog("no implemented yet");
578 return 0;
579 }
580 int CmdEM4x50Dump(const char *Cmd){
581 uint8_t ctmp = param_getchar(Cmd, 0);
582 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x50_dump();
583 PrintAndLog("no implemented yet");
584 return 0;
585 }
586
587 #define EM_PREAMBLE_LEN 6
588 // download samples from device and copy to Graphbuffer
589 bool downloadSamplesEM(){
590
591 // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
592 uint8_t got[6000];
593 GetFromBigBuf(got, sizeof(got), 0);
594 if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {
595 PrintAndLog("command execution time out");
596 return FALSE;
597 }
598 setGraphBuf(got, sizeof(got));
599 return TRUE;
600 }
601
602 // em_demod
603 bool doPreambleSearch(size_t *startIdx){
604
605 // sanity check
606 if ( DemodBufferLen < EM_PREAMBLE_LEN) {
607 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305 demodbuffer too small");
608 return FALSE;
609 }
610
611 // set size to 20 to only test first 14 positions for the preamble
612 size_t size = (20 > DemodBufferLen) ? DemodBufferLen : 20;
613 *startIdx = 0;
614 // skip first two 0 bits as they might have been missed in the demod
615 uint8_t preamble[EM_PREAMBLE_LEN] = {0,0,1,0,1,0};
616
617 if ( !preambleSearchEx(DemodBuffer, preamble, EM_PREAMBLE_LEN, &size, startIdx, TRUE)) {
618 if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305 preamble not found :: %d", *startIdx);
619 return FALSE;
620 }
621 return TRUE;
622 }
623
624 bool detectFSK(){
625 // detect fsk clock
626 if (!GetFskClock("", FALSE, FALSE)) {
627 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: FSK clock failed");
628 return FALSE;
629 }
630 // demod
631 int ans = FSKrawDemod("0 0", FALSE);
632 if (!ans) {
633 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: FSK Demod failed");
634 return FALSE;
635 }
636 return TRUE;
637 }
638 // PSK clocks should be easy to detect ( but difficult to demod a non-repeating pattern... )
639 bool detectPSK(){
640 int ans = GetPskClock("", FALSE, FALSE);
641 if (ans <= 0) {
642 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: PSK clock failed");
643 return FALSE;
644 }
645 //demod
646 //try psk1 -- 0 0 6 (six errors?!?)
647 ans = PSKDemod("0 0 6", FALSE);
648 if (!ans) {
649 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: PSK1 Demod failed");
650
651 //try psk1 inverted
652 ans = PSKDemod("0 1 6", FALSE);
653 if (!ans) {
654 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: PSK1 inverted Demod failed");
655 return FALSE;
656 }
657 }
658 // either PSK1 or PSK1 inverted is ok from here.
659 // lets check PSK2 later.
660 return TRUE;
661 }
662 // try manchester - NOTE: ST only applies to T55x7 tags.
663 bool detectASK_MAN(){
664 bool stcheck = FALSE;
665 int ans = ASKDemod_ext("0 0 0", FALSE, FALSE, 1, &stcheck);
666 if (!ans) {
667 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: ASK/Manchester Demod failed");
668 return FALSE;
669 }
670 return TRUE;
671 }
672 bool detectASK_BI(){
673 int ans = ASKbiphaseDemod("0 0 1", FALSE);
674 if (!ans) {
675 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: ASK/biphase normal demod failed");
676
677 ans = ASKbiphaseDemod("0 1 1", FALSE);
678 if (!ans) {
679 if (g_debugMode) PrintAndLog("DEBUG: Error - EM: ASK/biphase inverted demod failed");
680 return FALSE;
681 }
682 }
683 return TRUE;
684 }
685
686 // param: idx - start index in demoded data.
687 bool setDemodBufferEM(uint32_t *word, size_t idx){
688
689 //test for even parity bits.
690 uint8_t parity[45] = {0};
691 memcpy( parity, DemodBuffer, 45);
692 if (!EMwordparitytest(parity) ){
693 PrintAndLog("DEBUG: Error - EM Parity tests failed");
694 return FALSE;
695 }
696
697 // test for even parity bits and remove them. (leave out the end row of parities so 36 bits)
698 if (!removeParity(DemodBuffer, idx + EM_PREAMBLE_LEN, 9, 0, 36)) {
699 if (g_debugMode) PrintAndLog("DEBUG: Error - EM, failed removing parity");
700 return FALSE;
701 }
702 setDemodBuf(DemodBuffer, 32, 0);
703 *word = bytebits_to_byteLSBF(DemodBuffer, 32);
704 return TRUE;
705 }
706
707 // FSK, PSK, ASK/MANCHESTER, ASK/BIPHASE, ASK/DIPHASE
708 // should cover 90% of known used configs
709 // the rest will need to be manually demoded for now...
710 bool demodEM4x05resp(uint32_t *word) {
711 size_t idx = 0;
712 *word = 0;
713 if (detectASK_MAN() && doPreambleSearch( &idx ))
714 return setDemodBufferEM(word, idx);
715
716 if (detectASK_BI() && doPreambleSearch( &idx ))
717 return setDemodBufferEM(word, idx);
718
719 if (detectFSK() && doPreambleSearch( &idx ))
720 return setDemodBufferEM(word, idx);
721
722 if (detectPSK()) {
723 if (doPreambleSearch( &idx ))
724 return setDemodBufferEM(word, idx);
725
726 psk1TOpsk2(DemodBuffer, DemodBufferLen);
727 if (doPreambleSearch( &idx ))
728 return setDemodBufferEM(word, idx);
729 }
730 return FALSE;
731 }
732
733 //////////////// 4205 / 4305 commands
734 int usage_lf_em4x05_dump(void) {
735 PrintAndLog("Dump EM4x05/EM4x69. Tag must be on antenna. ");
736 PrintAndLog("");
737 PrintAndLog("Usage: lf em 4x05dump [h] <pwd>");
738 PrintAndLog("Options:");
739 PrintAndLog(" h - this help");
740 PrintAndLog(" pwd - password (hex) (optional)");
741 PrintAndLog("samples:");
742 PrintAndLog(" lf em 4x05dump");
743 PrintAndLog(" lf em 4x05dump 11223344");
744 return 0;
745 }
746 int usage_lf_em4x05_read(void) {
747 PrintAndLog("Read EM4x05/EM4x69. Tag must be on antenna. ");
748 PrintAndLog("");
749 PrintAndLog("Usage: lf em 4x05read [h] <address> <pwd>");
750 PrintAndLog("Options:");
751 PrintAndLog(" h - this help");
752 PrintAndLog(" address - memory address to read. (0-15)");
753 PrintAndLog(" pwd - password (hex) (optional)");
754 PrintAndLog("samples:");
755 PrintAndLog(" lf em 4x05read 1");
756 PrintAndLog(" lf em 4x05read 1 11223344");
757 return 0;
758 }
759 int usage_lf_em4x05_write(void) {
760 PrintAndLog("Write EM4x05/4x69. Tag must be on antenna. ");
761 PrintAndLog("");
762 PrintAndLog("Usage: lf em 4x05write [h] <address> <data> <pwd>");
763 PrintAndLog("Options:");
764 PrintAndLog(" h - this help");
765 PrintAndLog(" address - memory address to write to. (0-15)");
766 PrintAndLog(" data - data to write (hex)");
767 PrintAndLog(" pwd - password (hex) (optional)");
768 PrintAndLog("samples:");
769 PrintAndLog(" lf em 4x05write 1 deadc0de");
770 PrintAndLog(" lf em 4x05write 1 deadc0de 11223344");
771 return 0;
772 }
773 int usage_lf_em4x05_info(void) {
774 PrintAndLog("Tag information EM4205/4305/4469//4569 tags. Tag must be on antenna.");
775 PrintAndLog("");
776 PrintAndLog("Usage: lf em 4x05info [h] <pwd>");
777 PrintAndLog("Options:");
778 PrintAndLog(" h - this help");
779 PrintAndLog(" pwd - password (hex) (optional)");
780 PrintAndLog("samples:");
781 PrintAndLog(" lf em 4x05info");
782 PrintAndLog(" lf em 4x05info deadc0de");
783 return 0;
784 }
785
786 int EM4x05ReadWord_ext(uint8_t addr, uint32_t pwd, bool usePwd, uint32_t *word) {
787 UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}};
788 clearCommandBuffer();
789 SendCommand(&c);
790 UsbCommand resp;
791 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){
792 PrintAndLog("Command timed out");
793 return -1;
794 }
795 if ( !downloadSamplesEM() ) {
796 return -1;
797 }
798 int testLen = (GraphTraceLen < 1000) ? GraphTraceLen : 1000;
799 if (graphJustNoise(GraphBuffer, testLen)) {
800 PrintAndLog("no tag found");
801 return -1;
802 }
803 return demodEM4x05resp(word);
804 }
805
806 int CmdEM4x05Dump(const char *Cmd) {
807 uint8_t addr = 0;
808 uint32_t pwd = 0;
809 bool usePwd = false;
810 uint8_t ctmp = param_getchar(Cmd, 0);
811 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x05_dump();
812
813 // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
814 pwd = param_get32ex(Cmd, 0, 1, 16);
815
816 if ( pwd != 1 )
817 usePwd = true;
818
819 int success = 1;
820 uint32_t word = 0;
821 PrintAndLog("Addr | data | ascii");
822 PrintAndLog("-----+--------+------");
823 for (; addr < 16; addr++) {
824
825 if (addr == 2) {
826 if (usePwd) {
827 PrintAndLog(" %02u | %08X", addr, pwd, word );
828 } else {
829 PrintAndLog(" 02 | cannot read");
830 }
831 } else {
832 success &= EM4x05ReadWord_ext(addr, pwd, usePwd, &word);
833 }
834 }
835
836 return success;
837 }
838
839 int CmdEM4x05Read(const char *Cmd) {
840 uint8_t addr;
841 uint32_t pwd;
842 bool usePwd = false;
843 uint8_t ctmp = param_getchar(Cmd, 0);
844 if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x05_read();
845
846 addr = param_get8ex(Cmd, 0, 50, 10);
847 pwd = param_get32ex(Cmd, 1, 1, 16);
848
849 if (addr > 15) {
850 PrintAndLog("Address must be between 0 and 15");
851 return 1;
852 }
853 if ( pwd == 1 ) {
854 PrintAndLog("Reading address %02u", addr);
855 }
856 else {
857 usePwd = true;
858 PrintAndLog("Reading address %02u | password %08X", addr, pwd);
859 }
860
861 uint32_t word = 0;
862 int isOk = EM4x05ReadWord_ext(addr, pwd, usePwd, &word);
863 if (isOk)
864 PrintAndLog("Address %02d | %08X - %s", addr, word, (addr > 13) ? "Lock" : "");
865 else
866 PrintAndLog("Read Address %02d | failed",addr);
867 return isOk;
868 }
869
870 int CmdEM4x05Write(const char *Cmd) {
871 uint8_t ctmp = param_getchar(Cmd, 0);
872 if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x05_write();
873
874 bool usePwd = false;
875 uint8_t addr = 50; // default to invalid address
876 uint32_t data = 0; // default to blank data
877 uint32_t pwd = 1; // default to blank password
878
879 addr = param_get8ex(Cmd, 0, 50, 10);
880 data = param_get32ex(Cmd, 1, 0, 16);
881 pwd = param_get32ex(Cmd, 2, 1, 16);
882
883 if ( addr > 15 ) {
884 PrintAndLog("Address must be between 0 and 15");
885 return 1;
886 }
887 if ( pwd == 1 )
888 PrintAndLog("Writing address %d data %08X", addr, data);
889 else {
890 usePwd = true;
891 PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd);
892 }
893
894 uint16_t flag = (addr << 8 ) | usePwd;
895
896 UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}};
897 clearCommandBuffer();
898 SendCommand(&c);
899 UsbCommand resp;
900 if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){
901 PrintAndLog("Error occurred, device did not respond during write operation.");
902 return -1;
903 }
904
905 if (!downloadSamplesEM())
906 return -1;
907
908 //need 0 bits demoded (after preamble) to verify write cmd
909 uint32_t dummy = 0;
910 int isOk = demodEM4x05resp(&dummy);
911 if (isOk)
912 PrintAndLog("Write Verified");
913 else
914 PrintAndLog("Write could not be verified");
915 return isOk;
916 }
917
918 void printEM4x05config(uint32_t wordData) {
919 uint16_t datarate = (((wordData & 0x3F)+1)*2);
920 uint8_t encoder = ((wordData >> 6) & 0xF);
921 char enc[14];
922 memset(enc,0,sizeof(enc));
923
924 uint8_t PSKcf = (wordData >> 10) & 0x3;
925 char cf[10];
926 memset(cf,0,sizeof(cf));
927 uint8_t delay = (wordData >> 12) & 0x3;
928 char cdelay[33];
929 memset(cdelay,0,sizeof(cdelay));
930 uint8_t LWR = (wordData >> 14) & 0xF; //last word read
931
932 switch (encoder) {
933 case 0: snprintf(enc,sizeof(enc),"NRZ"); break;
934 case 1: snprintf(enc,sizeof(enc),"Manchester"); break;
935 case 2: snprintf(enc,sizeof(enc),"Biphase"); break;
936 case 3: snprintf(enc,sizeof(enc),"Miller"); break;
937 case 4: snprintf(enc,sizeof(enc),"PSK1"); break;
938 case 5: snprintf(enc,sizeof(enc),"PSK2"); break;
939 case 6: snprintf(enc,sizeof(enc),"PSK3"); break;
940 case 7: snprintf(enc,sizeof(enc),"Unknown"); break;
941 case 8: snprintf(enc,sizeof(enc),"FSK1"); break;
942 case 9: snprintf(enc,sizeof(enc),"FSK2"); break;
943 default: snprintf(enc,sizeof(enc),"Unknown"); break;
944 }
945
946 switch (PSKcf) {
947 case 0: snprintf(cf,sizeof(cf),"RF/2"); break;
948 case 1: snprintf(cf,sizeof(cf),"RF/8"); break;
949 case 2: snprintf(cf,sizeof(cf),"RF/4"); break;
950 case 3: snprintf(cf,sizeof(cf),"unknown"); break;
951 }
952
953 switch (delay) {
954 case 0: snprintf(cdelay, sizeof(cdelay),"no delay"); break;
955 case 1: snprintf(cdelay, sizeof(cdelay),"BP/8 or 1/8th bit period delay"); break;
956 case 2: snprintf(cdelay, sizeof(cdelay),"BP/4 or 1/4th bit period delay"); break;
957 case 3: snprintf(cdelay, sizeof(cdelay),"no delay"); break;
958 }
959 PrintAndLog("ConfigWord: %08X (Word 4)\n", wordData);
960 PrintAndLog("Config Breakdown:", wordData);
961 PrintAndLog(" Data Rate: %02u | RF/%u", wordData & 0x3F, datarate);
962 PrintAndLog(" Encoder: %u | %s", encoder, enc);
963 PrintAndLog(" PSK CF: %u | %s", PSKcf, cf);
964 PrintAndLog(" Delay: %u | %s", delay, cdelay);
965 PrintAndLog(" LastWordR: %02u | Address of last word for default read", LWR);
966 PrintAndLog(" ReadLogin: %u | Read Login is %s", (wordData & 0x40000)>>18, (wordData & 0x40000) ? "Required" : "Not Required");
967 PrintAndLog(" ReadHKL: %u | Read Housekeeping Words Login is %s", (wordData & 0x80000)>>19, (wordData & 0x80000) ? "Required" : "Not Required");
968 PrintAndLog("WriteLogin: %u | Write Login is %s", (wordData & 0x100000)>>20, (wordData & 0x100000) ? "Required" : "Not Required");
969 PrintAndLog(" WriteHKL: %u | Write Housekeeping Words Login is %s", (wordData & 0x200000)>>21, (wordData & 0x200000) ? "Required" : "Not Required");
970 PrintAndLog(" R.A.W.: %u | Read After Write is %s", (wordData & 0x400000)>>22, (wordData & 0x400000) ? "On" : "Off");
971 PrintAndLog(" Disable: %u | Disable Command is %s", (wordData & 0x800000)>>23, (wordData & 0x800000) ? "Accepted" : "Not Accepted");
972 PrintAndLog(" R.T.F.: %u | Reader Talk First is %s", (wordData & 0x1000000)>>24, (wordData & 0x1000000) ? "Enabled" : "Disabled");
973 PrintAndLog(" Pigeon: %u | Pigeon Mode is %s\n", (wordData & 0x4000000)>>26, (wordData & 0x4000000) ? "Enabled" : "Disabled");
974 }
975
976 void printEM4x05info(uint32_t block0, uint32_t serial) {
977
978 uint8_t chipType = (block0 >> 1) & 0xF;
979 uint8_t cap = (block0 >> 5) & 3;
980 uint16_t custCode = (block0 >> 9) & 0x3FF;
981
982 switch (chipType) {
983 case 9: PrintAndLog("\n Chip Type: %u | EM4305", chipType); break;
984 case 8: PrintAndLog("\n Chip Type: %u | EM4205", chipType); break;
985 case 4: PrintAndLog(" Chip Type: %u | Unknown", chipType); break;
986 case 2: PrintAndLog(" Chip Type: %u | EM4469", chipType); break;
987 //add more here when known
988 default: PrintAndLog(" Chip Type: %u Unknown", chipType); break;
989 }
990
991 switch (cap) {
992 case 3: PrintAndLog(" Cap Type: %u | 330pF",cap); break;
993 case 2: PrintAndLog(" Cap Type: %u | %spF",cap, (chipType==2)? "75":"210"); break;
994 case 1: PrintAndLog(" Cap Type: %u | 250pF",cap); break;
995 case 0: PrintAndLog(" Cap Type: %u | no resonant capacitor",cap); break;
996 default: PrintAndLog(" Cap Type: %u | unknown",cap); break;
997 }
998
999 PrintAndLog(" Cust Code: %03u | %s", custCode, (custCode == 0x200) ? "Default": "Unknown");
1000 if (serial != 0)
1001 PrintAndLog("\n Serial #: %08X\n", serial);
1002 }
1003
1004 void printEM4x05ProtectionBits(uint32_t word) {
1005 for (uint8_t i = 0; i < 15; i++) {
1006 PrintAndLog(" Word: %02u | %s", i, (((1 << i) & word ) || i < 2) ? "Is Write Locked" : "Is Not Write Locked");
1007 if (i==14)
1008 PrintAndLog(" Word: %02u | %s", i+1, (((1 << i) & word ) || i < 2) ? "Is Write Locked" : "Is Not Write Locked");
1009 }
1010 }
1011
1012 //quick test for EM4x05/EM4x69 tag
1013 bool EM4x05IsBlock0(uint32_t *word) {
1014 return EM4x05ReadWord_ext(0, 0, FALSE, word);
1015 }
1016
1017 int CmdEM4x05Info(const char *Cmd) {
1018 #define EM_SERIAL_BLOCK 1
1019 #define EM_CONFIG_BLOCK 4
1020 #define EM_PROT1_BLOCK 14
1021 #define EM_PROT2_BLOCK 15
1022 uint32_t pwd;
1023 uint32_t word = 0, block0 = 0, serial = 0;
1024 bool usePwd = false;
1025 uint8_t ctmp = param_getchar(Cmd, 0);
1026 if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em4x05_info();
1027
1028 // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
1029 pwd = param_get32ex(Cmd, 0, 1, 16);
1030
1031 if ( pwd != 1 )
1032 usePwd = true;
1033
1034 // read word 0 (chip info)
1035 // block 0 can be read even without a password.
1036 if ( !EM4x05IsBlock0(&block0) )
1037 return -1;
1038
1039 // read word 1 (serial #) doesn't need pwd
1040 // continue if failed, .. non blocking fail.
1041 EM4x05ReadWord_ext(EM_SERIAL_BLOCK, 0, false, &serial);
1042 printEM4x05info(block0, serial);
1043
1044 // read word 4 (config block)
1045 // needs password if one is set
1046 if ( EM4x05ReadWord_ext(EM_CONFIG_BLOCK, pwd, usePwd, &word) != 1 )
1047 return 0;
1048
1049 printEM4x05config(word);
1050
1051 // read word 14 and 15 to see which is being used for the protection bits
1052 if ( EM4x05ReadWord_ext(EM_PROT1_BLOCK, pwd, usePwd, &word) != 1 ) {
1053 return 0;
1054 }
1055 // if status bit says this is not the used protection word
1056 if (!(word & 0x8000)) {
1057 if ( EM4x05ReadWord_ext(EM_PROT2_BLOCK, pwd, usePwd, &word) != 1 )
1058 return 0;
1059 }
1060 //something went wrong
1061 if (!(word & 0x8000)) return 0;
1062 printEM4x05ProtectionBits(word);
1063 return 1;
1064 }
1065
1066 static command_t CommandTable[] = {
1067 {"help", CmdHelp, 1, "This help"},
1068 {"410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"},
1069 {"410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag in GraphBuffer"},
1070 {"410xsim", CmdEM410xSim, 0, "simulate EM410x tag"},
1071 {"410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
1072 {"410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
1073 {"410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
1074 {"4x05dump", CmdEM4x05Dump, 0, "dump EM4205/4305 tag"},
1075 {"4x05info", CmdEM4x05Info, 0, "tag information EM4x05/EM4x69"},
1076 {"4x05read", CmdEM4x05Read, 0, "read word data from EM4205/4305"},
1077 {"4x05write", CmdEM4x05Write, 0, "write word data to EM4205/4305"},
1078 {"4x50read", CmdEM4x50Read, 0, "read word data from EM4x50"},
1079 {"4x50write", CmdEM4x50Write, 0, "write word data to EM4x50"},
1080 {"4x50dump", CmdEM4x50Dump, 0, "dump EM4x50 tag"},
1081 {NULL, NULL, 0, NULL}
1082 };
1083
1084 int CmdLFEM4X(const char *Cmd) {
1085 clearCommandBuffer();
1086 CmdsParse(CommandTable, Cmd);
1087 return 0;
1088 }
1089
1090 int CmdHelp(const char *Cmd) {
1091 CmdsHelp(CommandTable);
1092 return 0;
1093 }
Impressum, Datenschutz