CHG: "hf legic write" - now writes on the limits better.

[proxmark3-svn] / client / cmdlft55xx.c
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c

index 21406fc8831ad369994fc6f19dfd126f617bd561..28149efff6f02268c7c050e20e7ea344b94aac3b 100644 (file)
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -10,7 +10,6 @@
  #include <stdio.h>\r
  #include <string.h>\r
  #include <inttypes.h>\r
  #include <stdio.h>\r
  #include <string.h>\r
  #include <inttypes.h>\r
-#include <time.h>\r
  #include "proxmark3.h"\r
  #include "ui.h"\r
  #include "graph.h"\r
  #include "proxmark3.h"\r
  #include "ui.h"\r
  #include "graph.h"\r
@@ -22,9 +21,7 @@
  #include "util.h"\r
  #include "data.h"\r
  #include "lfdemod.h"\r
  #include "util.h"\r
  #include "data.h"\r
  #include "lfdemod.h"\r
-#include "../common/crc.h"\r
-#include "../common/iso14443crc.h"\r
-#include "cmdhf14a.h"\r
+#include "cmdhf14a.h" //for getTagInfo\r
  \r
  #define T55x7_CONFIGURATION_BLOCK 0x00\r
  #define T55x7_PAGE0 0x00\r
  \r
  #define T55x7_CONFIGURATION_BLOCK 0x00\r
  #define T55x7_PAGE0 0x00\r
@@ -45,12 +42,13 @@ void Set_t55xx_Config(t55xx_conf_block_t conf){
  int usage_t55xx_config(){\r
         PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
         PrintAndLog("Options:");\r
  int usage_t55xx_config(){\r
         PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("       h                        This help");\r
-       PrintAndLog("       b <8|16|32|40|50|64|100|128>     Set bitrate");\r
-       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
-       PrintAndLog("       i [1]                            Invert data signal, defaults to normal");\r
-       PrintAndLog("       o [offset]                       Set offset, where data should start decode in bitstream");\r
-       PrintAndLog("       Q5                            Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       h                                - This help");\r
+       PrintAndLog("       b <8|16|32|40|50|64|100|128>     - Set bitrate");\r
+       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  - Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
+       PrintAndLog("       i [1]                            - Invert data signal, defaults to normal");\r
+       PrintAndLog("       o [offset]                       - Set offset, where data should start decode in bitstream");\r
+       PrintAndLog("       Q5                               - Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       ST                               - Set Sequence Terminator on");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
@@ -94,7 +92,7 @@ int usage_t55xx_write(){
  int usage_t55xx_trace() {\r
         PrintAndLog("Usage:  lf t55xx trace [1]");\r
         PrintAndLog("Options:");\r
  int usage_t55xx_trace() {\r
         PrintAndLog("Usage:  lf t55xx trace [1]");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx trace");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx trace");\r
@@ -105,7 +103,7 @@ int usage_t55xx_trace() {
  int usage_t55xx_info() {\r
         PrintAndLog("Usage:  lf t55xx info [1]");\r
         PrintAndLog("Options:");\r
  int usage_t55xx_info() {\r
         PrintAndLog("Usage:  lf t55xx info [1]");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx info");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx info");\r
@@ -126,13 +124,15 @@ int usage_t55xx_dump(){
         return 0;\r
  }\r
  int usage_t55xx_detect(){\r
         return 0;\r
  }\r
  int usage_t55xx_detect(){\r
-       PrintAndLog("Usage:  lf t55xx detect [1]");\r
+       PrintAndLog("Usage:  lf t55xx detect [1] [p <password>]");\r
         PrintAndLog("Options:");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     p <password>  - OPTIONAL password (8 hex characters)");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx detect");\r
         PrintAndLog("      lf t55xx detect 1");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx detect");\r
         PrintAndLog("      lf t55xx detect 1");\r
+       PrintAndLog("      lf t55xx detect p 11223344");\r
         PrintAndLog("");\r
         return 0;\r
  }\r
         PrintAndLog("");\r
         return 0;\r
  }\r
@@ -147,7 +147,50 @@ int usage_t55xx_wakup(){
      PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
         return 0;\r
  }\r
      PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
         return 0;\r
  }\r
-\r
+int usage_t55xx_bruteforce(){\r
+       PrintAndLog("This command uses A) bruteforce to scan a number range");\r
+       PrintAndLog("                  B) a dictionary attack");\r
+    PrintAndLog("Usage: lf t55xx bruteforce [h] <start password> <end password> [i <*.dic>]");\r
+    PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h                     - this help");\r
+       PrintAndLog("     <start_pwd> - 4 byte hex value to start pwd search at");\r
+       PrintAndLog("     <end_pwd>   - 4 byte hex value to end pwd search at");\r
+    PrintAndLog("     i <*.dic>        - loads a default keys dictionary file <*.dic>");\r
+    PrintAndLog("");\r
+    PrintAndLog("Examples:");\r
+    PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+       PrintAndLog("       lf t55xx bruteforce i default_pwd.dic");\r
+    PrintAndLog("");\r
+    return 0;\r
+}\r
+int usage_t55xx_recoverpw(){\r
+       PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+       PrintAndLog("WARNING: this may brick non-password protected chips!");\r
+       PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
+       PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("       default password is 51243648, used by many cloners");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h           - this help");\r
+       PrintAndLog("     [password]  - 4 byte hex value of password written by cloner");\r
+       PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+       PrintAndLog("       lf t55xx recoverpw");\r
+       PrintAndLog("       lf t55xx recoverpw 51243648");\r
+       PrintAndLog("");\r
+       return 0;\r
+}int usage_t55xx_wipe(){\r
+       PrintAndLog("Usage:  lf t55xx wipe [h] [Q5]");\r
+       PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h     - this help");\r
+       PrintAndLog("     Q5  - indicates to use the T5555 (Q5) default configuration block");\r
+    PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+    PrintAndLog("      lf t55xx wipe   -  wipes a t55x7 tag,    config block 0x000880E0");\r
+       PrintAndLog("      lf t55xx wipe Q5 -  wipes a t5555 Q5 tag, config block 0x6001F004");\r
+       return 0;\r
+}\r
  static int CmdHelp(const char *Cmd);\r
  \r
  void printT5xxHeader(uint8_t page){\r
  static int CmdHelp(const char *Cmd);\r
  \r
  void printT5xxHeader(uint8_t page){\r
@@ -164,7 +207,6 @@ int CmdT55xxSetConfig(const char *Cmd) {
         uint8_t bitRate = 0;\r
         uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};\r
         uint8_t cmdp = 0;\r
         uint8_t bitRate = 0;\r
         uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};\r
         uint8_t cmdp = 0;\r
-       config.Q5 = FALSE;\r
         bool errors = FALSE;\r
         while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
         {\r
         bool errors = FALSE;\r
         while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
         {\r
@@ -242,6 +284,11 @@ int CmdT55xxSetConfig(const char *Cmd) {
                         config.Q5 = TRUE;\r
                         cmdp++;\r
                         break;\r
                         config.Q5 = TRUE;\r
                         cmdp++;\r
                         break;\r
+               case 'S':\r
+               case 's':               \r
+                       config.ST = TRUE;\r
+                       cmdp++;\r
+                       break;\r
                 default:\r
                         PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                         errors = TRUE;\r
                 default:\r
                         PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                         errors = TRUE;\r
@@ -344,6 +391,7 @@ bool DecodeT55xxBlock(){
         char buf[30] = {0x00};\r
         char *cmdStr = buf;\r
         int ans = 0;\r
         char buf[30] = {0x00};\r
         char *cmdStr = buf;\r
         int ans = 0;\r
+       bool ST = config.ST;\r
         uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
         DemodBufferLen = 0x00;\r
  \r
         uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
         DemodBufferLen = 0x00;\r
  \r
@@ -364,21 +412,27 @@ bool DecodeT55xxBlock(){
                         break;\r
                 case DEMOD_ASK:\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
                         break;\r
                 case DEMOD_ASK:\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
-                       ans = ASKDemod(cmdStr, FALSE, FALSE, 1);\r
+                       ans = ASKDemod_ext(cmdStr, FALSE, FALSE, 1, &ST);\r
                         break;\r
                 case DEMOD_PSK1:\r
                         // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                         break;\r
                 case DEMOD_PSK1:\r
                         // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
                         CmdLtrim("160");\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
                         ans = PSKDemod(cmdStr, FALSE);\r
                         CmdLtrim("160");\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
                         ans = PSKDemod(cmdStr, FALSE);\r
+                       //undo trim samples\r
+                       save_restoreGB(0);\r
                         break;\r
                 case DEMOD_PSK2: //inverted won't affect this\r
                 case DEMOD_PSK3: //not fully implemented\r
                         // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                         break;\r
                 case DEMOD_PSK2: //inverted won't affect this\r
                 case DEMOD_PSK3: //not fully implemented\r
                         // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
                         CmdLtrim("160");\r
                         snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
                         ans = PSKDemod(cmdStr, FALSE);\r
                         psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
                         CmdLtrim("160");\r
                         snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
                         ans = PSKDemod(cmdStr, FALSE);\r
                         psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+                       //undo trim samples\r
+                       save_restoreGB(0);\r
                         break;\r
                 case DEMOD_NRZ:\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
                         break;\r
                 case DEMOD_NRZ:\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
@@ -395,34 +449,65 @@ bool DecodeT55xxBlock(){
         return (bool) ans;\r
  }\r
  \r
         return (bool) ans;\r
  }\r
  \r
-int CmdT55xxDetect(const char *Cmd){\r
-\r
-       //bool override = false;\r
-       //bool pwdmode = false;\r
+bool DecodeT5555TraceBlock() {\r
+       DemodBufferLen = 0x00;\r
+       \r
+       // According to datasheet. Always: RF/64, not inverted, Manchester\r
+       return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1);\r
+}\r
  \r
  \r
-       uint32_t password = 0; //default to blank Block 7\r
-       bool usepwd = ( strlen(Cmd) > 0);       \r
-       if ( usepwd ){\r
-               password = param_get32ex(Cmd, 0, 0, 16);\r
-               // if (param_getchar(Cmd, 1) =='o' )\r
-                       // override = true;\r
+// sanity check. Don't use proxmark if it is offline and you didn't specify useGraphbuf\r
+static int SanityOfflineCheck( bool useGraphBuffer ){\r
+       if ( !useGraphBuffer && offline) {\r
+               PrintAndLog("Your proxmark3 device is offline. Specify [1] to use graphbuffer data instead");\r
+               return 0;\r
         }\r
         }\r
+       return 1;\r
+}\r
  \r
  \r
-       char cmdp = param_getchar(Cmd, 0);\r
-       if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect();\r
+int CmdT55xxDetect(const char *Cmd){\r
+       bool errors = FALSE;\r
+       bool useGB = FALSE;\r
+       bool usepwd = FALSE;\r
+       uint32_t password = 0;\r
+       uint8_t cmdp = 0;\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_t55xx_detect();\r
+               case 'p':\r
+               case 'P':\r
+                       password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       usepwd = TRUE;\r
+                       cmdp += 2;\r
+                       break;\r
+               case '1':\r
+                       // use Graphbuffer data\r
+                       useGB = TRUE;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r
+       }\r
+       if (errors) return usage_t55xx_detect();\r
         \r
         \r
-       if (strlen(Cmd)==0) {\r
-               password = param_get32ex(Cmd, 0, 0, 16);\r
-               //if (param_getchar(Cmd, 1) =='o' ) override = true;\r
+       // sanity check.\r
+       if (!SanityOfflineCheck(useGB)) return 1;\r
+       \r
+       if ( !useGB) {\r
+               if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
+                       return 1;\r
         }\r
         }\r
-\r
-       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
-               return 0;\r
-               \r
+       \r
         if ( !tryDetectModulation() )\r
                 PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
  \r
         if ( !tryDetectModulation() )\r
                 PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
  \r
-       return 1;\r
+       return 0;\r
  }\r
  \r
  // detect configuration?\r
  }\r
  \r
  // detect configuration?\r
@@ -431,7 +516,6 @@ bool tryDetectModulation(){
         t55xx_conf_block_t tests[15];\r
         int bitRate=0;\r
         uint8_t fc1 = 0, fc2 = 0, clk=0;\r
         t55xx_conf_block_t tests[15];\r
         int bitRate=0;\r
         uint8_t fc1 = 0, fc2 = 0, clk=0;\r
-       save_restoreGB(1);\r
         \r
         if (GetFskClock("", FALSE, FALSE)){ \r
                 fskClocks(&fc1, &fc2, &clk, FALSE);\r
         \r
         if (GetFskClock("", FALSE, FALSE)){ \r
                 fskClocks(&fc1, &fc2, &clk, FALSE);\r
@@ -444,6 +528,7 @@ bool tryDetectModulation(){
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = FALSE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = FALSE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r
                         ++hits;\r
                 }\r
                 if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                         ++hits;\r
                 }\r
                 if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -452,23 +537,35 @@ bool tryDetectModulation(){
                                 tests[hits].modulation = DEMOD_FSK1;\r
                         else if (fc1 == 10 && fc2 == 8)\r
                                 tests[hits].modulation = DEMOD_FSK2a;\r
                                 tests[hits].modulation = DEMOD_FSK1;\r
                         else if (fc1 == 10 && fc2 == 8)\r
                                 tests[hits].modulation = DEMOD_FSK2a;\r
-\r
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = TRUE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = TRUE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r
                         ++hits;\r
                 }\r
         } else {\r
                 clk = GetAskClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
                         ++hits;\r
                 }\r
         } else {\r
                 clk = GetAskClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
-                       if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert false, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
+                       if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 ++hits;\r
                         }\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 ++hits;\r
                         }\r
-                       if ( ASKDemod("0 1 1", FALSE, FALSE, 1)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert true, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
+                       if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
@@ -480,6 +577,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                         if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
                                 ++hits;\r
                         }\r
                         if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
@@ -487,11 +585,12 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                 }\r
                 //undo trim from ask\r
                                 ++hits;\r
                         }\r
                 }\r
                 //undo trim from ask\r
-               save_restoreGB(0);\r
+               //save_restoreGB(0);\r
                 clk = GetNrzClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
                         if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                 clk = GetNrzClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
                         if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -499,6 +598,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
  \r
                                 ++hits;\r
                         }\r
  \r
@@ -507,13 +607,14 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                 }\r
                 \r
                                 ++hits;\r
                         }\r
                 }\r
                 \r
-               //undo trim from nrz\r
-               save_restoreGB(0);\r
+               // allow undo\r
                 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+               save_restoreGB(1);\r
                 CmdLtrim("160");\r
                 clk = GetPskClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
                 CmdLtrim("160");\r
                 clk = GetPskClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
@@ -522,6 +623,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                         if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                 ++hits;\r
                         }\r
                         if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -529,6 +631,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                         // PSK2 - needs a call to psk1TOpsk2.\r
                                 ++hits;\r
                         }\r
                         // PSK2 - needs a call to psk1TOpsk2.\r
@@ -539,6 +642,7 @@ bool tryDetectModulation(){
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
@@ -550,18 +654,22 @@ bool tryDetectModulation(){
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
                 }\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
                 }\r
+               //undo trim samples\r
+               save_restoreGB(0);\r
         }               \r
         }               \r
-       save_restoreGB(0);      \r
         if ( hits == 1) {\r
                 config.modulation = tests[0].modulation;\r
                 config.bitrate = tests[0].bitrate;\r
                 config.inverted = tests[0].inverted;\r
                 config.offset = tests[0].offset;\r
                 config.block0 = tests[0].block0;\r
         if ( hits == 1) {\r
                 config.modulation = tests[0].modulation;\r
                 config.bitrate = tests[0].bitrate;\r
                 config.inverted = tests[0].inverted;\r
                 config.offset = tests[0].offset;\r
                 config.block0 = tests[0].block0;\r
+               config.Q5 = tests[0].Q5;\r
+               config.ST = tests[0].ST;\r
                 printConfiguration( config );\r
                 return TRUE;\r
         }\r
                 printConfiguration( config );\r
                 return TRUE;\r
         }\r
@@ -637,6 +745,15 @@ bool testQ5Modulation(uint8_t      mode, uint8_t   modread){
         return FALSE;\r
  }\r
  \r
         return FALSE;\r
  }\r
  \r
+int convertQ5bitRate(uint8_t bitRateRead) {\r
+       uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};\r
+       for (int i=0; i<8; i++)\r
+               if (expected[i] == bitRateRead)\r
+                       return i;\r
+\r
+       return -1;\r
+}\r
+\r
  bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t    clk){\r
  \r
         if ( DemodBufferLen < 64 ) return FALSE;\r
  bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t    clk){\r
  \r
         if ( DemodBufferLen < 64 ) return FALSE;\r
@@ -648,12 +765,12 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t       clk){
                 uint8_t safer     = PackBits(si, 4, DemodBuffer); si += 4;     //master key\r
                 uint8_t resv      = PackBits(si, 8, DemodBuffer); si += 8;\r
                 // 2nibble must be zeroed.\r
                 uint8_t safer     = PackBits(si, 4, DemodBuffer); si += 4;     //master key\r
                 uint8_t resv      = PackBits(si, 8, DemodBuffer); si += 8;\r
                 // 2nibble must be zeroed.\r
-               if (safer != 0x6) continue;\r
+               if (safer != 0x6 && safer != 0x9) continue;\r
                 if ( resv > 0x00) continue;\r
                 //uint8_t       pageSel   = PackBits(si, 1, DemodBuffer); si += 1;\r
                 //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;\r
                 si += 1+1;\r
                 if ( resv > 0x00) continue;\r
                 //uint8_t       pageSel   = PackBits(si, 1, DemodBuffer); si += 1;\r
                 //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;\r
                 si += 1+1;\r
-               int bitRate       = PackBits(si, 5, DemodBuffer)*2 + 2; si += 5;     //bit rate\r
+               int bitRate       = PackBits(si, 6, DemodBuffer)*2 + 2; si += 6;     //bit rate\r
                 if (bitRate > 128 || bitRate < 8) continue;\r
  \r
                 //uint8_t AOR       = PackBits(si, 1, DemodBuffer); si += 1;   \r
                 if (bitRate > 128 || bitRate < 8) continue;\r
  \r
                 //uint8_t AOR       = PackBits(si, 1, DemodBuffer); si += 1;   \r
@@ -668,7 +785,8 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){
                 //test modulation\r
                 if (!testQ5Modulation(mode, modread)) continue;\r
                 if (bitRate != clk) continue;\r
                 //test modulation\r
                 if (!testQ5Modulation(mode, modread)) continue;\r
                 if (bitRate != clk) continue;\r
-               *fndBitRate = bitRate;\r
+               *fndBitRate = convertQ5bitRate(bitRate);\r
+               if (*fndBitRate < 0) continue;\r
                 *offset = idx;\r
  \r
                 return TRUE;\r
                 *offset = idx;\r
  \r
                 return TRUE;\r
@@ -704,14 +822,14 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5)
                 uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
                 uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
                 //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
                 uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
                 uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
                 //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
-               uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
-               uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
+               //uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
+               //uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
                 \r
                 //if extended mode\r
                 bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
  \r
                 if (!extMode){\r
                 \r
                 //if extended mode\r
                 bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
  \r
                 if (!extMode){\r
-                       if (nml01 || nml02 || xtRate) continue;\r
+                       if (xtRate) continue;  //nml01 || nml02 ||  caused issues on noralys tags\r
                 }\r
                 //test modulation\r
                 if (!testModulation(mode, modread)) continue;\r
                 }\r
                 //test modulation\r
                 if (!testModulation(mode, modread)) continue;\r
@@ -775,6 +893,7 @@ int printConfiguration( t55xx_conf_block_t b){
         PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
         PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r
         PrintAndLog("Offset     : %d", b.offset);\r
         PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
         PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r
         PrintAndLog("Offset     : %d", b.offset);\r
+       PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" );\r
         PrintAndLog("Block0     : 0x%08X", b.block0);\r
         PrintAndLog("");\r
         return 0;\r
         PrintAndLog("Block0     : 0x%08X", b.block0);\r
         PrintAndLog("");\r
         return 0;\r
@@ -887,61 +1006,114 @@ int CmdT55xxReadTrace(const char *Cmd) {
         uint32_t password = 0;  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
  \r
         uint32_t password = 0;  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
  \r
-       if (strlen(Cmd)==0)\r
+       if (strlen(Cmd)==0) {\r
+               // sanity check.\r
+               if (!SanityOfflineCheck(FALSE)) return 1;\r
+\r
                 if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
                 if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
-                       return 0;\r
-       \r
-       if (!DecodeT55xxBlock()) return 0;\r
+                       return 1;\r
+       }\r
  \r
  \r
-       if ( !DemodBufferLen) return 0;\r
+       if ( config.Q5 ){\r
+               if (!DecodeT5555TraceBlock()) return 1;\r
+       } else {\r
+               if (!DecodeT55xxBlock()) return 1;\r
+       }\r
+       \r
+       if ( !DemodBufferLen ) return 1;\r
         \r
         RepaintGraphWindow();\r
         \r
         RepaintGraphWindow();\r
-       uint8_t repeat = 0;\r
-       if (config.offset > 5) \r
-               repeat = 32;\r
-       uint8_t si = config.offset+repeat;\r
-       uint32_t bl1     = PackBits(si, 32, DemodBuffer);\r
-       uint32_t bl2     = PackBits(si+32, 32, DemodBuffer);\r
+       uint8_t repeat = (config.offset > 5) ? 32 : 0;\r
         \r
         \r
-       uint32_t acl     = PackBits(si, 8,  DemodBuffer); si += 8;\r
-       uint32_t mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
-       uint32_t cid     = PackBits(si, 5,  DemodBuffer); si += 5;\r
-       uint32_t icr     = PackBits(si, 3,  DemodBuffer); si += 3;\r
-       uint32_t year    = PackBits(si, 4,  DemodBuffer); si += 4;\r
-       uint32_t quarter = PackBits(si, 2,  DemodBuffer); si += 2;\r
-       uint32_t lotid   = PackBits(si, 14, DemodBuffer); si += 14;\r
-       uint32_t wafer   = PackBits(si, 5,  DemodBuffer); si += 5;\r
-       uint32_t dw      = PackBits(si, 15, DemodBuffer); \r
+       uint8_t si = config.offset + repeat;\r
+       uint32_t bl1 = PackBits(si, 32, DemodBuffer);\r
+       uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);        \r
         \r
         \r
-       time_t t = time(NULL);\r
-       struct tm tm = *localtime(&t);\r
-       if ( year > tm.tm_year-110)\r
-               year += 2000;\r
-       else\r
-               year += 2010;\r
+       if (config.Q5) {\r
+               uint32_t hdr = PackBits(si, 9,  DemodBuffer); si += 9;\r
+    \r
+               if (hdr != 0x1FF) {\r
+                 PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);\r
+                 return 1;\r
+               }\r
+    \r
+               t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};\r
+                       \r
+               data.icr     = PackBits(si, 2,  DemodBuffer); si += 2;\r
+               data.lotidc  = 'Z' - PackBits(si, 2,  DemodBuffer); si += 3;\r
+               \r
+               data.lotid   = PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 1;\r
+               data.lotid  |= PackBits(si, 1,  DemodBuffer); si += 1;\r
+               \r
+               data.wafer   = PackBits(si, 3,  DemodBuffer); si += 4;\r
+               data.wafer <<= 2;\r
+               data.wafer  |= PackBits(si, 2,  DemodBuffer); si += 2;\r
+               \r
+               data.dw      = PackBits(si, 2,  DemodBuffer); si += 3;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+       \r
+               printT5555Trace(data, repeat);\r
+               \r
+       } else {\r
+       \r
+               t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0,  .lotid = 0, .wafer = 0, .dw = 0};\r
+               \r
+               data.acl = PackBits(si, 8,  DemodBuffer); si += 8;\r
+               if ( data.acl != 0xE0 ) {\r
+                       PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
+                       return 1;\r
+               }\r
  \r
  \r
-       if (config.Q5) PrintAndLog("*** Warning *** Info read off a Q5 will not work as expected");\r
-       if ( acl != 0xE0 ) {\r
-               PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
-               return 0;\r
+               data.mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
+               data.cid     = PackBits(si, 5,  DemodBuffer); si += 5;\r
+               data.icr     = PackBits(si, 3,  DemodBuffer); si += 3;\r
+               data.year    = PackBits(si, 4,  DemodBuffer); si += 4;\r
+               data.quarter = PackBits(si, 2,  DemodBuffer); si += 2;\r
+               data.lotid   = PackBits(si, 14, DemodBuffer); si += 14;\r
+               data.wafer   = PackBits(si, 5,  DemodBuffer); si += 5;\r
+               data.dw      = PackBits(si, 15, DemodBuffer); \r
+\r
+               time_t t = time(NULL);\r
+               struct tm tm = *localtime(&t);\r
+               if ( data.year > tm.tm_year-110)\r
+                       data.year += 2000;\r
+               else\r
+                       data.year += 2010;\r
+\r
+               printT55x7Trace(data, repeat);\r
         }\r
         }\r
-       PrintAndLog("");\r
-       PrintAndLog("-- T55xx Trace Information ----------------------------------");\r
+       return 0;\r
+}\r
+\r
+void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T55x7 Trace Information ----------------------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
-       PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", acl, acl);\r
-       PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", mfc, mfc, getTagInfo(mfc));\r
-       PrintAndLog(" CID                                     : 0x%02X (%d) - %s", cid, cid, GetModelStrFromCID(cid));\r
-       PrintAndLog(" ICR IC Revision                         : %d",icr );\r
+       PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", data.acl, data.acl);\r
+       PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));\r
+       PrintAndLog(" CID                                     : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));\r
+       PrintAndLog(" ICR IC Revision                         : %d", data.icr );\r
         PrintAndLog(" Manufactured");\r
         PrintAndLog(" Manufactured");\r
-       PrintAndLog("     Year/Quarter : %d/%d",year, quarter);\r
-       PrintAndLog("     Lot ID       : %d", lotid );\r
-       PrintAndLog("     Wafer number : %d", wafer);\r
-       PrintAndLog("     Die Number   : %d", dw);\r
+       PrintAndLog("     Year/Quarter : %d/%d", data.year, data.quarter);\r
+       PrintAndLog("     Lot ID       : %d", data.lotid );\r
+       PrintAndLog("     Wafer number : %d", data.wafer);\r
+       PrintAndLog("     Die Number   : %d", data.dw);\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" Raw Data - Page 1");\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" Raw Data - Page 1");\r
-       PrintAndLog("     Block 1  : 0x%08X  %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
-       PrintAndLog("     Block 2  : 0x%08X  %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
-       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog("     Block 1  : 0x%08X  %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+       PrintAndLog("     Block 2  : 0x%08X  %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
+       PrintAndLog("-------------------------------------------------------------");   \r
  \r
         /*\r
         TRACE - BLOCK O\r
  \r
         /*\r
         TRACE - BLOCK O\r
@@ -959,10 +1131,36 @@ int CmdT55xxReadTrace(const char *Cmd) {
                 13-17   Wafer number\r
                 18-32   DW,  die number sequential\r
         */\r
                 13-17   Wafer number\r
                 18-32   DW,  die number sequential\r
         */\r
+}\r
+\r
+void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");\r
+       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog(" ICR IC Revision  : %d", data.icr );       \r
+       PrintAndLog("     Lot          : %c%d", data.lotidc, data.lotid);\r
+       PrintAndLog("     Wafer number : %d", data.wafer);\r
+       PrintAndLog("     Die Number   : %d", data.dw);\r
+       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog(" Raw Data - Page 1");\r
+       PrintAndLog("     Block 1  : 0x%08X  %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+       PrintAndLog("     Block 2  : 0x%08X  %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
         \r
         \r
-  return 0;\r
+       /*\r
+               ** Q5 **\r
+               TRACE - BLOCK O and BLOCK1\r
+               Bits    Definition                              HEX\r
+               1-9             Header                  0x1FF\r
+               10-11 IC Revision\r
+               12-13 Lot ID char\r
+               15-35 Lot ID (NB parity)\r
+               36-41 Wafer number (NB parity)\r
+               42-58 DW, die number sequential (NB parity)\r
+               60-63 Parity bits\r
+               64    Always zero\r
+       */\r
  }\r
  \r
  }\r
  \r
+//need to add Q5 info...\r
  int CmdT55xxInfo(const char *Cmd){\r
         /*\r
                 Page 0 Block 0 Configuration data.\r
  int CmdT55xxInfo(const char *Cmd){\r
         /*\r
                 Page 0 Block 0 Configuration data.\r
@@ -975,17 +1173,24 @@ int CmdT55xxInfo(const char *Cmd){
  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
         \r
  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
         \r
-       if (strlen(Cmd)==0)\r
+       if (strlen(Cmd)==0){\r
+                               // sanity check.\r
+               if (!SanityOfflineCheck(FALSE)) return 1;\r
+               \r
                 if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
                         return 1;\r
                 if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
                         return 1;\r
+       }\r
  \r
         if (!DecodeT55xxBlock()) return 1;\r
  \r
  \r
         if (!DecodeT55xxBlock()) return 1;\r
  \r
+       // too little space to start with\r
         if ( DemodBufferLen < 32) return 1;\r
  \r
         if ( DemodBufferLen < 32) return 1;\r
  \r
+       // \r
+       PrintAndLog("Offset+32 ==%d\n DemodLen == %d", config.offset + 32,DemodBufferLen );\r
+\r
         uint8_t si = config.offset;\r
         uint8_t si = config.offset;\r
-       uint32_t bl0      = PackBits(si, 32, DemodBuffer);\r
-       \r
+       uint32_t bl0      = PackBits(si, 32, DemodBuffer);      \r
         uint32_t safer    = PackBits(si, 4, DemodBuffer); si += 4;      \r
         uint32_t resv     = PackBits(si, 7, DemodBuffer); si += 7;\r
         uint32_t dbr      = PackBits(si, 3, DemodBuffer); si += 3;\r
         uint32_t safer    = PackBits(si, 4, DemodBuffer); si += 4;      \r
         uint32_t resv     = PackBits(si, 7, DemodBuffer); si += 7;\r
         uint32_t dbr      = PackBits(si, 3, DemodBuffer); si += 3;\r
@@ -1000,9 +1205,10 @@ int CmdT55xxInfo(const char *Cmd){
         uint32_t fw       = PackBits(si, 1, DemodBuffer); si += 1;\r
         uint32_t inv      = PackBits(si, 1, DemodBuffer); si += 1;      \r
         uint32_t por      = PackBits(si, 1, DemodBuffer); si += 1;\r
         uint32_t fw       = PackBits(si, 1, DemodBuffer); si += 1;\r
         uint32_t inv      = PackBits(si, 1, DemodBuffer); si += 1;      \r
         uint32_t por      = PackBits(si, 1, DemodBuffer); si += 1;\r
+       \r
         if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r
         PrintAndLog("");\r
         if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r
         PrintAndLog("");\r
-       PrintAndLog("-- T55xx Configuration & Tag Information --------------------");\r
+       PrintAndLog("-- T55x7 Configuration & Tag Information --------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
         PrintAndLog(" reserved                  : %d", resv);\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
         PrintAndLog(" reserved                  : %d", resv);\r
@@ -1053,8 +1259,11 @@ int CmdT55xxDump(const char *Cmd){
  \r
  int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
         // arg0 bitmodes:\r
  \r
  int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
         // arg0 bitmodes:\r
-       // bit0 = pwdmode\r
-       // bit1 = page to read from\r
+       //      bit0 = pwdmode\r
+       //      bit1 = page to read from\r
+       // arg1: which block to read\r
+       // arg2: password\r
+       \r
         uint8_t arg0 = (page<<1) | pwdmode;\r
         UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
         \r
         uint8_t arg0 = (page<<1) | pwdmode;\r
         UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
         \r
@@ -1077,35 +1286,16 @@ char * GetBitRateStr(uint32_t id){
  \r
         char *retStr = buf;\r
                 switch (id){\r
  \r
         char *retStr = buf;\r
                 switch (id){\r
-               case 0: \r
-                       snprintf(retStr,sizeof(buf),"%d - RF/8",id);\r
-                       break;\r
-               case 1:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/16",id);\r
-                       break;\r
-               case 2:         \r
-                       snprintf(retStr,sizeof(buf),"%d - RF/32",id);\r
-                       break;\r
-               case 3:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/40",id);\r
-                       break;\r
-               case 4:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/50",id);\r
-                       break;\r
-               case 5:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/64",id);\r
-                       break;\r
-               case 6:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/100",id);\r
-                       break;\r
-               case 7:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/128",id);\r
-                       break;\r
-               default:\r
-                       snprintf(retStr,sizeof(buf),"%d - (Unknown)",id);\r
-                       break;\r
+               case 0:   snprintf(retStr,sizeof(buf),"%d - RF/8",id);   break;\r
+               case 1:   snprintf(retStr,sizeof(buf),"%d - RF/16",id);  break;\r
+               case 2:   snprintf(retStr,sizeof(buf),"%d - RF/32",id);  break;\r
+               case 3:   snprintf(retStr,sizeof(buf),"%d - RF/40",id);  break;\r
+               case 4:   snprintf(retStr,sizeof(buf),"%d - RF/50",id);  break;\r
+               case 5:   snprintf(retStr,sizeof(buf),"%d - RF/64",id);  break;\r
+               case 6:   snprintf(retStr,sizeof(buf),"%d - RF/100",id); break;\r
+               case 7:   snprintf(retStr,sizeof(buf),"%d - RF/128",id); break;\r
+               default:  snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break;\r
                 }\r
                 }\r
-\r
         return buf;\r
  }\r
  \r
         return buf;\r
  }\r
  \r
@@ -1129,45 +1319,19 @@ char * GetModulationStr( uint32_t id){
         char *retStr = buf;\r
         \r
         switch (id){\r
         char *retStr = buf;\r
         \r
         switch (id){\r
-               case 0: \r
-                       snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id);\r
-                       break;\r
-               case 1:\r
-                       snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id);\r
-                       break;\r
-               case 2:         \r
-                       snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id);\r
-                       break;\r
-               case 3:\r
-                       snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id);\r
-                       break;\r
-               case 4:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8  RF/5",id);\r
-                       break;\r
-               case 5:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8  RF/10",id);\r
-                       break;\r
-               case 6:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5  RF/8",id);\r
-                       break;\r
-               case 7:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10  RF/8",id);\r
-                       break;\r
-               case 8:\r
-                       snprintf(retStr,sizeof(buf),"%d - Manchester",id);\r
-                       break;\r
-               case 16:\r
-                       snprintf(retStr,sizeof(buf),"%d - Biphase",id);\r
-                       break;\r
-               case 0x18:\r
-                       snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id);\r
-                       break;\r
-               case 17:\r
-                       snprintf(retStr,sizeof(buf),"%d - Reserved",id);\r
-                       break;\r
-               default:\r
-                       snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id);\r
-                       break;\r
+               case 0: snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id); break;\r
+               case 1: snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id); break;\r
+               case 2: snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id); break;\r
+               case 3: snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id); break;\r
+               case 4: snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8  RF/5",id); break;\r
+               case 5: snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8  RF/10",id); break;\r
+               case 6: snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5  RF/8",id); break;\r
+               case 7: snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10  RF/8",id); break;\r
+               case 8: snprintf(retStr,sizeof(buf),"%d - Manchester",id); break;\r
+               case 16: snprintf(retStr,sizeof(buf),"%d - Biphase",id); break;\r
+               case 0x18:snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id); break;\r
+               case 17: snprintf(retStr,sizeof(buf),"%d - Reserved",id); break;\r
+               default: snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id); break;\r
                 }\r
         return buf;\r
  }\r
                 }\r
         return buf;\r
  }\r
@@ -1188,45 +1352,19 @@ char * GetSelectedModulationStr( uint8_t id){
         char *retStr = buf;\r
  \r
         switch (id){\r
         char *retStr = buf;\r
  \r
         switch (id){\r
-               case DEMOD_FSK:\r
-                       snprintf(retStr,sizeof(buf),"FSK");\r
-                       break;\r
-               case DEMOD_FSK1:\r
-                       snprintf(retStr,sizeof(buf),"FSK1");\r
-                       break;\r
-               case DEMOD_FSK1a:\r
-                       snprintf(retStr,sizeof(buf),"FSK1a");\r
-                       break;\r
-               case DEMOD_FSK2:\r
-                       snprintf(retStr,sizeof(buf),"FSK2");\r
-                       break;\r
-               case DEMOD_FSK2a:\r
-                       snprintf(retStr,sizeof(buf),"FSK2a");\r
-                       break;\r
-               case DEMOD_ASK:         \r
-                       snprintf(retStr,sizeof(buf),"ASK");\r
-                       break;\r
-               case DEMOD_NRZ:\r
-                       snprintf(retStr,sizeof(buf),"DIRECT/NRZ");\r
-                       break;\r
-               case DEMOD_PSK1:\r
-                       snprintf(retStr,sizeof(buf),"PSK1");\r
-                       break;\r
-               case DEMOD_PSK2:\r
-                       snprintf(retStr,sizeof(buf),"PSK2");\r
-                       break;\r
-               case DEMOD_PSK3:\r
-                       snprintf(retStr,sizeof(buf),"PSK3");\r
-                       break;\r
-               case DEMOD_BI:\r
-                       snprintf(retStr,sizeof(buf),"BIPHASE");\r
-                       break;\r
-               case DEMOD_BIa:\r
-                       snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)");\r
-                       break;\r
-               default:\r
-                       snprintf(retStr,sizeof(buf),"(Unknown)");\r
-                       break;\r
+               case DEMOD_FSK: snprintf(retStr,sizeof(buf),"FSK");     break;\r
+               case DEMOD_FSK1: snprintf(retStr,sizeof(buf),"FSK1"); break;\r
+               case DEMOD_FSK1a: snprintf(retStr,sizeof(buf),"FSK1a"); break;\r
+               case DEMOD_FSK2: snprintf(retStr,sizeof(buf),"FSK2"); break;\r
+               case DEMOD_FSK2a: snprintf(retStr,sizeof(buf),"FSK2a"); break;\r
+               case DEMOD_ASK: snprintf(retStr,sizeof(buf),"ASK"); break;\r
+               case DEMOD_NRZ: snprintf(retStr,sizeof(buf),"DIRECT/NRZ"); break;\r
+               case DEMOD_PSK1: snprintf(retStr,sizeof(buf),"PSK1"); break;\r
+               case DEMOD_PSK2: snprintf(retStr,sizeof(buf),"PSK2"); break;\r
+               case DEMOD_PSK3: snprintf(retStr,sizeof(buf),"PSK3"); break;\r
+               case DEMOD_BI: snprintf(retStr,sizeof(buf),"BIPHASE"); break;\r
+               case DEMOD_BIa: snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)"); break;\r
+               default: snprintf(retStr,sizeof(buf),"(Unknown)"); break;\r
                 }\r
         return buf;\r
  }\r
                 }\r
         return buf;\r
  }\r
@@ -1242,9 +1380,10 @@ void t55x7_create_config_block( int tagtype ){
         static char buf[60];\r
         char *retStr = buf;\r
         \r
         static char buf[60];\r
         char *retStr = buf;\r
         \r
-       switch (id){\r
+       switch (tagtype){\r
                 case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
                 case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
                 case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
                 case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
+               case 2: snprintf(retStr, sizeof(buf),"%08X - T5555 Q5 Default", T5555_DEFAULT_CONFIG_BLOCK); break;\r
                 default:\r
                         break;\r
         }\r
                 default:\r
                         break;\r
         }\r
@@ -1267,56 +1406,310 @@ int CmdResetRead(const char *Cmd) {
         setGraphBuf(got, sizeof(got));\r
         return 1;\r
  }\r
         setGraphBuf(got, sizeof(got));\r
         return 1;\r
  }\r
-\r
+// ADD T5555 (Q5) Default config block\r
  int CmdT55xxWipe(const char *Cmd) {\r
         char writeData[20] = {0};\r
         char *ptrData = writeData;\r
  int CmdT55xxWipe(const char *Cmd) {\r
         char writeData[20] = {0};\r
         char *ptrData = writeData;\r
-       \r
+       char cmdp = param_getchar(Cmd, 0);      \r
+       if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wipe();\r
+\r
+       bool Q5 = (cmdp == 'q' || cmdp == 'Q');\r
+\r
+       // Try with the default password to reset block 0\r
+       // With a pwd should work even if pwd bit not set\r
         PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
         PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+               \r
+       if ( Q5 ){\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
+       } else {\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
+       }\r
         \r
         \r
-       //try with the default password to reset block 0  (with a pwd should work even if pwd bit not set)\r
-       snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
-       \r
-       if (!CmdT55xxWriteBlock(ptrData))\r
-               PrintAndLog("Error writing blk 0");\r
+       if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
         \r
         for (uint8_t blk = 1; blk<8; blk++) {\r
                 \r
                 snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
                 \r
         \r
         for (uint8_t blk = 1; blk<8; blk++) {\r
                 \r
                 snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
                 \r
-               if (!CmdT55xxWriteBlock(ptrData)) \r
-                       PrintAndLog("Error writing blk %d", blk);\r
+               if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk %d", blk);\r
+               \r
+               memset(writeData,0x00, sizeof(writeData));\r
+       }\r
+       return 0;\r
+}\r
+\r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+       \r
+       // load a default pwd file.\r
+       char buf[9];\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       int     keycnt = 0;\r
+       int ch;\r
+       uint8_t stKeyBlock = 20;\r
+       uint8_t *keyBlock = NULL, *p = NULL;\r
+    uint32_t start_password = 0x00000000; //start password\r
+    uint32_t end_password   = 0xFFFFFFFF; //end   password\r
+    bool found = false;\r
+\r
+    char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       keyBlock = calloc(stKeyBlock, 6);\r
+       if (keyBlock == NULL) return 1;\r
+\r
+       if (cmdp == 'i' || cmdp == 'I') {\r
+       \r
+               int len = strlen(Cmd+2);\r
+               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               memcpy(filename, Cmd+2, len);\r
+       \r
+               FILE * f = fopen( filename , "r");\r
+               \r
+               if ( !f ) {\r
+                       PrintAndLog("File: %s: not found or locked.", filename);\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }                       \r
+                       \r
+               while( fgets(buf, sizeof(buf), f) ){\r
+                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+               \r
+                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
+                       \r
+                       //The line start with # is comment, skip\r
+                       if( buf[0]=='#' ) continue;\r
+\r
+                       if (!isxdigit(buf[0])){\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                               continue;\r
+                       }\r
+                       \r
+                       buf[8] = 0;\r
+\r
+                       if ( stKeyBlock - keycnt < 2) {\r
+                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               if (!p) {\r
+                                       PrintAndLog("Cannot allocate memory for defaultKeys");\r
+                                       free(keyBlock);\r
+                                       fclose(f);\r
+                                       return 2;\r
+                               }\r
+                               keyBlock = p;\r
+                       }\r
+                       memset(keyBlock + 4 * keycnt, 0, 4);\r
+                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+                       keycnt++;\r
+                       memset(buf, 0, sizeof(buf));\r
+               }               \r
+               fclose(f);\r
+               \r
+               if (keycnt == 0) {\r
+                       PrintAndLog("No keys found in file");\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loaded %d keys", keycnt);\r
+               \r
+               // loop\r
+               uint64_t testpwd = 0x00;\r
+               for (uint16_t c = 0; c < keycnt; ++c ) {\r
+       \r
+                       if (ukbhit()) {\r
+                               ch = getchar();\r
+                               (void)ch;\r
+                               printf("\naborted via keyboard!\n");\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       }\r
                 \r
                 \r
-               memset(writeData, sizeof(writeData), 0x00);\r
+                       testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+                       PrintAndLog("Testing %08X", testpwd);\r
+                       \r
+                       \r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       }\r
+                       \r
+                       found = tryDetectModulation();\r
+\r
+                       if ( found ) {\r
+                               PrintAndLog("Found valid password: [%08X]", testpwd);\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       } \r
+               }\r
+               PrintAndLog("Password NOT found.");\r
+               free(keyBlock);\r
+               return 0;\r
+       }\r
+       \r
+       // Try to read Block 7, first :)\r
+       \r
+       // incremental pwd range search\r
+    start_password = param_get32ex(Cmd, 0, 0, 16);\r
+       end_password = param_get32ex(Cmd, 1, 0, 16);\r
+       \r
+       if ( start_password >= end_password ) {\r
+               free(keyBlock);\r
+               return usage_t55xx_bruteforce();\r
         }\r
         }\r
+       \r
+    PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+       \r
+    uint32_t i = start_password;\r
+\r
+    while ((!found) && (i <= end_password)){\r
+\r
+               printf(".");\r
+               fflush(stdout);\r
+               if (ukbhit()) {\r
+                       ch = getchar();\r
+                       (void)ch;\r
+                       printf("\naborted via keyboard!\n");\r
+                       free(keyBlock);\r
+                       return 0;\r
+               }\r
+                       \r
+               if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+                       PrintAndLog("Aquireing data from device failed. Quitting");\r
+                       free(keyBlock);\r
+                       return 0;\r
+               }\r
+               found = tryDetectModulation();\r
+        \r
+               if (found) break;\r
+               i++;\r
+    }\r
+    \r
+    PrintAndLog("");\r
+       \r
+    if (found)\r
+               PrintAndLog("Found valid password: [%08x]", i);\r
+    else\r
+               PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+       free(keyBlock);\r
+    return 0;\r
+}\r
+\r
+int tryOnePassword(uint32_t password) {\r
+       PrintAndLog("Trying password %08x", password);\r
+       if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+               PrintAndLog("Aquireing data from device failed. Quitting");\r
+               return -1;\r
+       }\r
+\r
+       if (tryDetectModulation())\r
+               return 1;\r
+       else return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+       int bit = 0;\r
+       uint32_t orig_password = 0x0;\r
+       uint32_t curr_password = 0x0;\r
+       uint32_t prev_password = 0xffffffff;\r
+       uint32_t mask = 0x0;\r
+       int found = 0;\r
+\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+       orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+       // first try fliping each bit in the expected password\r
+       while ((found != 1) && (bit < 32)) {\r
+               curr_password = orig_password ^ ( 1 << bit );\r
+               found = tryOnePassword(curr_password);\r
+               if (found == 1)\r
+                       goto done;\r
+               else if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+       }\r
+\r
+       // now try to use partial original password, since block 7 should have been completely\r
+       // erased during the write sequence and it is possible that only partial password has been\r
+       // written\r
+       // not sure from which end the bit bits are written, so try from both ends \r
+       // from low bit to high bit\r
+       bit = 0;\r
+       while ((found != 1) && (bit < 32)) {\r
+               mask += ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == 1)\r
+                       goto done;\r
+               else if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+               prev_password=curr_password;\r
+       }\r
+\r
+       // from high bit to low\r
+       bit = 0;\r
+       mask = 0xffffffff;\r
+       while ((found != 1) && (bit < 32)) {\r
+               mask -= ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == 1)\r
+                       goto done;\r
+               else if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+               prev_password=curr_password;\r
+       }\r
+done:\r
+       PrintAndLog("");\r
+\r
+       if (found == 1)\r
+               PrintAndLog("Found valid password: [%08x]", curr_password);\r
+       else\r
+               PrintAndLog("Password NOT found.");\r
+\r
         return 0;\r
  }\r
  \r
         return 0;\r
  }\r
  \r
-static command_t CommandTable[] =\r
-{\r
-  {"help",   CmdHelp,           1, "This help"},\r
-  {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
-  {"detect", CmdT55xxDetect,    0, "[1] Try detecting the tag modulation from reading the configuration block."},\r
-  {"read",     CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
-  {"resetread",CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
-  {"write",    CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
-  {"trace",    CmdT55xxReadTrace, 0, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
-  {"info",     CmdT55xxInfo,      0, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
-  {"dump",     CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
-  {"special", special,          0, "Show block changes with 64 different offsets"},\r
-  {"wakeup", CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
-  {"wipe",     CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
-  {NULL, NULL, 0, NULL}\r
+static command_t CommandTable[] = {\r
+       {"help",                CmdHelp,           1, "This help"},\r
+       {"bruteforce",  CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+       {"config",              CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+       {"detect",              CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+       {"dump",                CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+       {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+       {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+       {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+       {"recoverpw",   CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},\r
+       {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
+       {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+       {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
+       {"wipe",                CmdT55xxWipe,      0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+       {"write",               CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+       {NULL, NULL, 0, NULL}\r
  };\r
  \r
  };\r
  \r
-int CmdLFT55XX(const char *Cmd)\r
-{\r
-  CmdsParse(CommandTable, Cmd);\r
-  return 0;\r
+int CmdLFT55XX(const char *Cmd) {\r
+       clearCommandBuffer();\r
+       CmdsParse(CommandTable, Cmd);\r
+       return 0;\r
  }\r
  \r
  }\r
  \r
-int CmdHelp(const char *Cmd)\r
-{\r
-  CmdsHelp(CommandTable);\r
-  return 0;\r
+int CmdHelp(const char *Cmd) {\r
+       CmdsHelp(CommandTable);\r
+       return 0;\r
  }\r
  }\r