#remove one of the following defines and comment out the relevant line
#in the next section to remove that particular feature from compilation
-APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE \
+APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \
-fno-strict-aliasing -ffunction-sections -fdata-sections
#-DWITH_LCD
#SRC_LCD = fonts.c LCD.c
-SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c
+SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c lfdemod.c protocols.c
SRC_ISO15693 = iso15693.c iso15693tools.c
SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c
SRC_ISO14443b = iso14443b.c
# These are to be compiled in ARM mode
ARMSRC = fpgaloader.c \
legicrf.c \
- lfdemod.c \
$(SRC_ISO14443a) \
$(SRC_ISO14443b) \
$(SRC_CRAPTO1) \
legic_prng.c \
iclass.c \
BigBuf.c \
- optimized_cipher.c
+ optimized_cipher.c \
+ hfsnoop.c
# Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
include ../common/Makefile.common
case CMD_T55XX_WRITE_BLOCK:
T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
- case CMD_T55XX_READ_TRACE:
- T55xxReadTrace();
- break;
case CMD_T55XX_WAKEUP:
T55xxWakeUp(c->arg[0]);
break;
iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
break;
#endif
+#ifdef WITH_HFSNOOP
+ case CMD_HF_SNIFFER:
+ HfSnoop(c->arg[0], c->arg[1]);
+ break;
+#endif
case CMD_BUFF_CLEAR:
BigBuf_Clear();
AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
// PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
- AT91C_PMC_PRES_CLK_4;
+ AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
// Reset SPI
void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
-void CopyIndala64toT55x7(int hi, int lo); // Clone Indala 64-bit tag by UID to T55x7
-void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7); // Clone Indala 224-bit tag by UID to T55x7
+void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
+void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode);
void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd);
-void T55xxReadTrace(void);
void T55xxWakeUp(uint32_t Pwd);
void TurnReadLFOn();
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len);
/// util.h
+void HfSnoop(int , int);
#endif
#define FPGA_MAJOR_MODE_HF_READER_RX_XCORR (1<<5)
#define FPGA_MAJOR_MODE_HF_SIMULATOR (2<<5)
#define FPGA_MAJOR_MODE_HF_ISO14443A (3<<5)
+#define FPGA_MAJOR_MODE_HF_SNOOP (4<<5)
// BOTH
#define FPGA_MAJOR_MODE_OFF (7<<5)
// Options for LF_ADC
--- /dev/null
+#include "proxmark3.h"
+#include "apps.h"
+#include "BigBuf.h"
+#include "util.h"
+
+static void RAMFUNC optimizedSnoop(void);
+
+static void RAMFUNC optimizedSnoop(void)
+{
+ BigBuf_free();
+ int n = BigBuf_max_traceLen() / sizeof(uint16_t); // take all memory
+
+ uint16_t *dest = (uint16_t *)BigBuf_get_addr();
+ uint16_t *destend = dest + n;
+
+ AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame mode, 16 bits per word
+ // Reading data loop
+ while(dest <= destend)
+ {
+ if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)
+ {
+ *dest = (uint16_t)(AT91C_BASE_SSC->SSC_RHR);
+ dest = dest + 1;
+ }
+ }
+ //Resetting Frame mode (First set in fpgaloader.c)
+ AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0);
+}
+
+void HfSnoop(int samplesToSkip, int triggersToSkip)
+{
+ Dbprintf("Skipping first %d sample pairs, Skipping %d triggers.\n", samplesToSkip, triggersToSkip);
+ bool trigger_cnt;
+ LED_D_ON();
+ // Select correct configs
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ // Set up the synchronous serial port
+ FpgaSetupSsc();
+ // connect Demodulated Signal to ADC:
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP);
+ SpinDelay(100);
+
+ AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame Mode For better performance on high speed data transfer.
+
+ trigger_cnt = 0;
+ uint16_t r = 0;
+ while(!BUTTON_PRESS()) {
+ WDT_HIT();
+ if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+ r = (uint16_t)AT91C_BASE_SSC->SSC_RHR;
+ if (!(trigger_cnt == triggersToSkip) && ( (r >> 8) >= 240))
+ {
+ Dbprintf("Trigger kicked! Value: %d.", r >> 8);
+ trigger_cnt++;
+ break;
+ }
+ }
+ }
+ if(!BUTTON_PRESS()) {
+ Dbprintf("Trigger kicked! Value: %d, Dumping Samples Hispeed now.", r >> 8);
+ int waitcount = samplesToSkip; // lets wait 40000 ticks of pck0
+ while(waitcount != 0) {
+ if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+ waitcount--;
+ }
+ }
+
+ optimizedSnoop();
+ }
+
+ DbpString("HF Snoop end");
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LED_D_OFF();
+}
+
#include "string.h"
#include "lfdemod.h"
#include "lfsampling.h"
-#include "usb_cdc.h"
-
+#include "protocols.h"
+#include "usb_cdc.h" //test
/**
* Function to do a modulation and then get samples.
/*------------------------------
* T5555/T5557/T5567 routines
*------------------------------
- */
-
-/* T55x7 configuration register definitions */
-#define T55x7_POR_DELAY 0x00000001
-#define T55x7_ST_TERMINATOR 0x00000008
-#define T55x7_PWD 0x00000010
-#define T55x7_MAXBLOCK_SHIFT 5
-#define T55x7_AOR 0x00000200
-#define T55x7_PSKCF_RF_2 0
-#define T55x7_PSKCF_RF_4 0x00000400
-#define T55x7_PSKCF_RF_8 0x00000800
-#define T55x7_MODULATION_DIRECT 0
-#define T55x7_MODULATION_PSK1 0x00001000
-#define T55x7_MODULATION_PSK2 0x00002000
-#define T55x7_MODULATION_PSK3 0x00003000
-#define T55x7_MODULATION_FSK1 0x00004000
-#define T55x7_MODULATION_FSK2 0x00005000
-#define T55x7_MODULATION_FSK1a 0x00006000
-#define T55x7_MODULATION_FSK2a 0x00007000
-#define T55x7_MODULATION_MANCHESTER 0x00008000
-#define T55x7_MODULATION_BIPHASE 0x00010000
-#define T55x7_MODULATION_DIPHASE 0x00018000
-//#define T55x7_MODULATION_BIPHASE57 0x00011000
-#define T55x7_BITRATE_RF_8 0
-#define T55x7_BITRATE_RF_16 0x00040000
-#define T55x7_BITRATE_RF_32 0x00080000
-#define T55x7_BITRATE_RF_40 0x000C0000
-#define T55x7_BITRATE_RF_50 0x00100000
-#define T55x7_BITRATE_RF_64 0x00140000
-#define T55x7_BITRATE_RF_100 0x00180000
-#define T55x7_BITRATE_RF_128 0x001C0000
-
-/* T5555 (Q5) configuration register definitions */
-#define T5555_ST_TERMINATOR 0x00000001
-#define T5555_MAXBLOCK_SHIFT 0x00000001
-#define T5555_MODULATION_MANCHESTER 0
-#define T5555_MODULATION_PSK1 0x00000010
-#define T5555_MODULATION_PSK2 0x00000020
-#define T5555_MODULATION_PSK3 0x00000030
-#define T5555_MODULATION_FSK1 0x00000040
-#define T5555_MODULATION_FSK2 0x00000050
-#define T5555_MODULATION_BIPHASE 0x00000060
-#define T5555_MODULATION_DIRECT 0x00000070
-#define T5555_INVERT_OUTPUT 0x00000080
-#define T5555_PSK_RF_2 0
-#define T5555_PSK_RF_4 0x00000100
-#define T5555_PSK_RF_8 0x00000200
-#define T5555_USE_PWD 0x00000400
-#define T5555_USE_AOR 0x00000800
-#define T5555_BITRATE_SHIFT 12
-#define T5555_FAST_WRITE 0x00004000
-#define T5555_PAGE_SELECT 0x00008000
-
-/*
- * Relevant times in microsecond
+ * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
+ *
+ * Relevant communication times in microsecond
* To compensate antenna falling times shorten the write times
* and enlarge the gap ones.
* Q5 tags seems to have issues when these values changes.
void TurnReadLFOn(int delay) {
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// Give it a bit of time for the resonant antenna to settle.
- SpinDelayUs(delay); //155*8 //50*8
+
+ // measure antenna strength.
+ //int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
+ // where to save it
+
+ SpinDelayUs(delay);
}
// Write one bit to card
void T55xxWriteBit(int bit) {
- FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
if (!bit)
- SpinDelayUs(WRITE_0);
+ TurnReadLFOn(WRITE_0);
else
- SpinDelayUs(WRITE_1);
+ TurnReadLFOn(WRITE_1);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelayUs(WRITE_GAP);
}
// Write one card block in page 0, no lock
-void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode) {
+void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
LED_A_ON();
-
+ bool PwdMode = arg & 0x1;
+ uint8_t Page = (arg & 0x2)>>1;
uint32_t i = 0;
// Set up FPGA, 125kHz
// Opcode 10
T55xxWriteBit(1);
- T55xxWriteBit(0); //Page 0
-
+ T55xxWriteBit(Page); //Page 0
if (PwdMode){
// Send Pwd
for (i = 0x80000000; i != 0; i >>= 1)
// Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
// so wait a little more)
TurnReadLFOn(20 * 1000);
+ //could attempt to do a read to confirm write took
+ // as the tag should repeat back the new block
+ // until it is reset, but to confirm it we would
+ // need to know the current block 0 config mode
// turn field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK,0,0,0,0,0);
LED_A_OFF();
- LED_B_OFF();
}
// Read one card block in page 0
void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
LED_A_ON();
- uint8_t PwdMode = arg0 & 0x01;
- uint8_t Page = arg0 & 0x02;
+ bool PwdMode = arg0 & 0x1;
+ uint8_t Page = (arg0 & 0x2) >> 1;
uint32_t i = 0;
+ bool RegReadMode = (Block == 0xFF);
//clear buffer now so it does not interfere with timing later
BigBuf_Clear_ext(false);
//make sure block is at max 7
Block &= 0x7;
- // Set up FPGA, 125kHz
+ // Set up FPGA, 125kHz to power up the tag
LFSetupFPGAForADC(95, true);
- // Trigger T55x7 Direct Access Mode
+ // Trigger T55x7 Direct Access Mode with start gap
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelayUs(START_GAP);
- // Opcode 10
+ // Opcode 1[page]
T55xxWriteBit(1);
T55xxWriteBit(Page); //Page 0
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Pwd & i);
}
-
// Send a zero bit separation
T55xxWriteBit(0);
- // Send Block number
+ // Send Block number (if direct access mode)
+ if (!RegReadMode)
for (i = 0x04; i != 0; i >>= 1)
T55xxWriteBit(Block & i);
// Acquisition
doT55x7Acquisition();
- // turn field off
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ // Turn the field off
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
cmd_send(CMD_ACK,0,0,0,0,0);
LED_A_OFF();
- LED_B_OFF();
-}
-
-// Read card traceability data (page 1)
-void T55xxReadTrace(void){
- // LED_A_ON();
-
- // uint8_t PwdMode = arg0 & 0xFF;
- // uint32_t i = 0;
-
- // //clear buffer now so it does not interfere with timing later
- // BigBuf_Clear_ext(false);
-
- // // Set up FPGA, 125kHz
- // LFSetupFPGAForADC(95, true);
-
- // // Trigger T55x7 Direct Access Mode
- // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
- // SpinDelayUs(START_GAP);
-
- // // Opcode 11
- // T55xxWriteBit(1);
- // T55xxWriteBit(1); //Page 1
-
- // if (PwdMode){
- // // Send Pwd
- // for (i = 0x80000000; i != 0; i >>= 1)
- // T55xxWriteBit(Pwd & i);
- // }
-
- // // Send a zero bit separation
- // T55xxWriteBit(0);
-
- // // Turn field on to read the response
- // TurnReadLFOn(READ_GAP);
-
- // // Acquisition
- // doT55x7Acquisition();
-
- // // turn field off
- // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
- // cmd_send(CMD_ACK,0,0,0,0,0);
- // LED_A_OFF();
- // LED_B_OFF();
}
void T55xxWakeUp(uint32_t Pwd){
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Pwd & i);
- // Turn field on to read the response
+ // Turn and leave field on to let the begin repeating transmission
TurnReadLFOn(20*1000);
}
/*-------------- Cloning routines -----------*/
+
+void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
+ // write last block first and config block last (if included)
+ for (uint8_t i = numblocks; i > startblock; i--)
+ T55xxWriteBlock(blockdata[i-1],i-1,0,0);
+}
+
// Copy HID id to card and setup block 0 config
-void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT)
-{
- int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
- int last_block = 0;
+void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
+ uint32_t data[] = {0,0,0,0,0,0,0};
+ //int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
+ uint8_t last_block = 0;
if (longFMT){
// Ensure no more than 84 bits supplied
}
// Build the 6 data blocks for supplied 84bit ID
last_block = 6;
- data1 = 0x1D96A900; // load preamble (1D) & long format identifier (9E manchester encoded)
- for (int i=0;i<4;i++) {
- if (hi2 & (1<<(19-i)))
- data1 |= (1<<(((3-i)*2)+1)); // 1 -> 10
- else
- data1 |= (1<<((3-i)*2)); // 0 -> 01
- }
-
- data2 = 0;
- for (int i=0;i<16;i++) {
- if (hi2 & (1<<(15-i)))
- data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data2 |= (1<<((15-i)*2)); // 0 -> 01
- }
-
- data3 = 0;
- for (int i=0;i<16;i++) {
- if (hi & (1<<(31-i)))
- data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data3 |= (1<<((15-i)*2)); // 0 -> 01
- }
-
- data4 = 0;
- for (int i=0;i<16;i++) {
- if (hi & (1<<(15-i)))
- data4 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data4 |= (1<<((15-i)*2)); // 0 -> 01
- }
-
- data5 = 0;
- for (int i=0;i<16;i++) {
- if (lo & (1<<(31-i)))
- data5 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data5 |= (1<<((15-i)*2)); // 0 -> 01
- }
-
- data6 = 0;
- for (int i=0;i<16;i++) {
- if (lo & (1<<(15-i)))
- data6 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data6 |= (1<<((15-i)*2)); // 0 -> 01
- }
- }
- else {
+ // load preamble (1D) & long format identifier (9E manchester encoded)
+ data[1] = 0x1D96A900 | manchesterEncode2Bytes((hi2 >> 16) & 0xF);
+ // load raw id from hi2, hi, lo to data blocks (manchester encoded)
+ data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
+ data[3] = manchesterEncode2Bytes(hi >> 16);
+ data[4] = manchesterEncode2Bytes(hi & 0xFFFF);
+ data[5] = manchesterEncode2Bytes(lo >> 16);
+ data[6] = manchesterEncode2Bytes(lo & 0xFFFF);
+ } else {
// Ensure no more than 44 bits supplied
if (hi>0xFFF) {
DbpString("Tags can only have 44 bits.");
return;
}
-
// Build the 3 data blocks for supplied 44bit ID
last_block = 3;
-
- data1 = 0x1D000000; // load preamble
-
- for (int i=0;i<12;i++) {
- if (hi & (1<<(11-i)))
- data1 |= (1<<(((11-i)*2)+1)); // 1 -> 10
- else
- data1 |= (1<<((11-i)*2)); // 0 -> 01
- }
-
- data2 = 0;
- for (int i=0;i<16;i++) {
- if (lo & (1<<(31-i)))
- data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data2 |= (1<<((15-i)*2)); // 0 -> 01
- }
-
- data3 = 0;
- for (int i=0;i<16;i++) {
- if (lo & (1<<(15-i)))
- data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10
- else
- data3 |= (1<<((15-i)*2)); // 0 -> 01
- }
+ // load preamble
+ data[1] = 0x1D000000 | manchesterEncode2Bytes(hi & 0xFFF);
+ data[2] = manchesterEncode2Bytes(lo >> 16);
+ data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
}
+ // load chip config block
+ data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT;
LED_D_ON();
// Program the data blocks for supplied ID
// and the block 0 for HID format
- T55xxWriteBlock(data1,1,0,0);
- T55xxWriteBlock(data2,2,0,0);
- T55xxWriteBlock(data3,3,0,0);
-
- if (longFMT) { // if long format there are 6 blocks
- T55xxWriteBlock(data4,4,0,0);
- T55xxWriteBlock(data5,5,0,0);
- T55xxWriteBlock(data6,6,0,0);
- }
-
- // Config for HID (RF/50, FSK2a, Maxblock=3 for short/6 for long)
- T55xxWriteBlock(T55x7_BITRATE_RF_50 |
- T55x7_MODULATION_FSK2a |
- last_block << T55x7_MAXBLOCK_SHIFT,
- 0,0,0);
+ WriteT55xx(data, 0, last_block+1);
LED_D_OFF();
void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT)
{
- int data1=0, data2=0; //up to six blocks for long format
-
- data1 = hi; // load preamble
- data2 = lo;
+ uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
LED_D_ON();
// Program the data blocks for supplied ID
- // and the block 0 for HID format
- T55xxWriteBlock(data1,1,0,0);
- T55xxWriteBlock(data2,2,0,0);
+ // and the block 0 config
+ WriteT55xx(data, 0, 3);
- //Config Block
- T55xxWriteBlock(0x00147040,0,0,0);
LED_D_OFF();
DbpString("DONE!");
}
+// Clone Indala 64-bit tag by UID to T55x7
+void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
+ //Program the 2 data blocks for supplied 64bit UID
+ // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
+ uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
+ WriteT55xx(data, 0, 3);
+ //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
+ // T5567WriteBlock(0x603E1042,0);
+ DbpString("DONE!");
+}
+// Clone Indala 224-bit tag by UID to T55x7
+void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7)
+{
+ //Program the 7 data blocks for supplied 224bit UID
+ uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
+ // and the block 0 for Indala224 format
+ //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
+ data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
+ WriteT55xx(data, 0, 8);
+ //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
+ // T5567WriteBlock(0x603E10E2,0);
+ DbpString("DONE!");
+}
+
// Define 9bit header for EM410x tags
#define EM410X_HEADER 0x1FF
#define EM410X_ID_LENGTH 40
LED_D_ON();
// Write EM410x ID
- T55xxWriteBlock((uint32_t)(id >> 32), 1, 0, 0);
- T55xxWriteBlock((uint32_t)id, 2, 0, 0);
-
- // Config for EM410x (RF/64, Manchester, Maxblock=2)
+ uint32_t data[] = {0, id>>32, id & 0xFFFF};
if (card) {
- // Clock rate is stored in bits 8-15 of the card value
clock = (card & 0xFF00) >> 8;
+ clock = (clock == 0) ? 64 : clock;
Dbprintf("Clock rate: %d", clock);
- switch (clock) {
- case 50:
- clock = T55x7_BITRATE_RF_50;
- case 40:
- clock = T55x7_BITRATE_RF_40;
- case 32:
- clock = T55x7_BITRATE_RF_32;
- break;
- case 16:
- clock = T55x7_BITRATE_RF_16;
- break;
- case 0:
- // A value of 0 is assumed to be 64 for backwards-compatibility
- // Fall through...
- case 64:
- clock = T55x7_BITRATE_RF_64;
- break;
- default:
+ clock = GetT55xxClockBit(clock);
+ if (clock == 0) {
Dbprintf("Invalid clock rate: %d", clock);
return;
}
- // Writing configuration for T55x7 tag
- T55xxWriteBlock(clock |
- T55x7_MODULATION_MANCHESTER |
- 2 << T55x7_MAXBLOCK_SHIFT,
- 0, 0, 0);
+ data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT);
+ } else {
+ data[0] = (0x1F << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
}
- else
- // Writing configuration for T5555(Q5) tag
- T55xxWriteBlock(0x1F << T5555_BITRATE_SHIFT |
- T5555_MODULATION_MANCHESTER |
- 2 << T5555_MAXBLOCK_SHIFT,
- 0, 0, 0);
+
+ WriteT55xx(data, 0, 3);
LED_D_OFF();
Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555",
(uint32_t)(id >> 32), (uint32_t)id);
}
-// Clone Indala 64-bit tag by UID to T55x7
-void CopyIndala64toT55x7(int hi, int lo)
-{
- //Program the 2 data blocks for supplied 64bit UID
- // and the block 0 for Indala64 format
- T55xxWriteBlock(hi,1,0,0);
- T55xxWriteBlock(lo,2,0,0);
- //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=2)
- T55xxWriteBlock(T55x7_BITRATE_RF_32 |
- T55x7_MODULATION_PSK1 |
- 2 << T55x7_MAXBLOCK_SHIFT,
- 0, 0, 0);
- //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
- // T5567WriteBlock(0x603E1042,0);
-
- DbpString("DONE!");
-}
-
-void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
-{
- //Program the 7 data blocks for supplied 224bit UID
- // and the block 0 for Indala224 format
- T55xxWriteBlock(uid1,1,0,0);
- T55xxWriteBlock(uid2,2,0,0);
- T55xxWriteBlock(uid3,3,0,0);
- T55xxWriteBlock(uid4,4,0,0);
- T55xxWriteBlock(uid5,5,0,0);
- T55xxWriteBlock(uid6,6,0,0);
- T55xxWriteBlock(uid7,7,0,0);
- //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
- T55xxWriteBlock(T55x7_BITRATE_RF_32 |
- T55x7_MODULATION_PSK1 |
- 7 << T55x7_MAXBLOCK_SHIFT,
- 0,0,0);
- //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
- // T5567WriteBlock(0x603E10E2,0);
-
- DbpString("DONE!");
-}
-
//-----------------------------------
// EM4469 / EM4305 routines
//-----------------------------------
void doT55x7Acquisition(void){
#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..)
- #define T55xx_UPPER_THRESHOLD 128+40 // 50
+ #define T55xx_READ_UPPER_THRESHOLD 128+40 // 50
#define T55xx_READ_TOL 5
- #define T55xx_LOWER_THRESHOLD 128-40 //-50
uint8_t *dest = BigBuf_get_addr();
uint16_t bufsize = BigBuf_max_traceLen();
if ( bufsize > T55xx_SAMPLES_SIZE )
bufsize = T55xx_SAMPLES_SIZE;
+ //int adcval = 0;
uint16_t i = 0;
bool startFound = false;
bool highFound = false;
- uint8_t sample = 0;
+ uint8_t curSample = 0;
uint8_t firstSample = 0;
- while(!BUTTON_PRESS()) {
+ uint16_t skipCnt = 0;
+ while(!BUTTON_PRESS() && skipCnt<1000) {
WDT_HIT();
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
- AT91C_BASE_SSC->SSC_THR = 0x00;
+ AT91C_BASE_SSC->SSC_THR = 0x43;
LED_D_ON();
}
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
- sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+ curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
LED_D_OFF();
// find first high sample
- if (!startFound && sample > T55xx_UPPER_THRESHOLD) {
- if (sample > firstSample)
- firstSample = sample;
- highFound = TRUE;
+ if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) {
+ if (curSample > firstSample)
+ firstSample = curSample;
+ highFound = true;
} else if (!highFound) {
+ skipCnt++;
continue;
}
// skip until samples begin to change
- if (startFound || sample < firstSample - T55xx_READ_TOL){
+ if (startFound || curSample < firstSample-T55xx_READ_TOL){
if (!startFound)
dest[i++] = firstSample;
- startFound = TRUE;
- dest[i++] = sample;
-
- // exit condition.
- if (i >= bufsize) break;
+ startFound = true;
+ dest[i++] = curSample;
+ if (i >= bufsize-1) break;
}
}
+
}
-}
\ No newline at end of file
+}
+
\ No newline at end of file
return 0;
}
+int CmdHFSnoop(const char *Cmd)
+{
+ char * pEnd;
+ UsbCommand c = {CMD_HF_SNIFFER, {strtol(Cmd, &pEnd,0),strtol(pEnd, &pEnd,0),0}};
+ SendCommand(&c);
+ return 0;
+}
+
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
{"tune", CmdHFTune, 0, "Continuously measure HF antenna tuning"},
{"list", CmdHFList, 1, "List protocol data in trace buffer"},
{"search", CmdHFSearch, 1, "Search for known HF tags [preliminary]"},
+ {"snoop", CmdHFSnoop, 0, "<samples to skip (10000)> <triggers to skip (1)> Generic LF/HF Snoop in Testing stage"},
{NULL, NULL, 0, NULL}
};
c.d.asBytes[0] = keylength;
memcpy(c.d.asBytes+1, key, keylength);
-
+ clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
return 0;
}
+int usage_hf_mfu_ucauth(void) {
+ PrintAndLog("Usage: hf mfu cauth k <key number>");
+ PrintAndLog(" 0 (default): 3DES standard key");
+ PrintAndLog(" 1 : all 0x00 key");
+ PrintAndLog(" 2 : 0x00-0x0F key");
+ PrintAndLog(" 3 : nfc key");
+ PrintAndLog(" 4 : all 0x01 key");
+ PrintAndLog(" 5 : all 0xff key");
+ PrintAndLog(" 6 : 0x00-0xFF key");
+ PrintAndLog("\n sample : hf mfu cauth k");
+ PrintAndLog(" : hf mfu cauth k 3");
+ return 0;
+}
+
+int usage_hf_mfu_ucsetpwd(void) {
+ PrintAndLog("Usage: hf mfu setpwd <password (32 hex symbols)>");
+ PrintAndLog(" [password] - (32 hex symbols)");
+ PrintAndLog("");
+ PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
+ PrintAndLog("");
+ return 0;
+}
+
+int usage_hf_mfu_ucsetuid(void) {
+ PrintAndLog("Usage: hf mfu setuid <uid (14 hex symbols)>");
+ PrintAndLog(" [uid] - (14 hex symbols)");
+ PrintAndLog("\nThis only works for Magic Ultralight tags.");
+ PrintAndLog("");
+ PrintAndLog("sample: hf mfu setuid 11223344556677");
+ PrintAndLog("");
+ return 0;
+}
+
+int usage_hf_mfu_gendiverse(void){
+ PrintAndLog("Usage: hf mfu gen <uid (8 hex symbols)>");
+ PrintAndLog("");
+ PrintAndLog("sample: hf mfu gen 11223344");
+ PrintAndLog("");
+ return 0;
+}
+
//
+
// Mifare Ultralight / Ultralight-C / Ultralight-EV1
// Read and Dump Card Contents, using auto detection of tag size.
int CmdHF14AMfUDump(const char *Cmd){
// Ultralight C Methods
//-------------------------------------------------------------------------------
+
//
// Ultralight C Authentication Demo {currently uses hard-coded key}
//
errors = true;
}
- if (cmdp == 'h' || cmdp == 'H')
- errors = true;
+ if (cmdp == 'h' || cmdp == 'H') errors = true;
- if (errors) {
- PrintAndLog("Usage: hf mfu cauth k <key number>");
- PrintAndLog(" 0 (default): 3DES standard key");
- PrintAndLog(" 1 : all 0x00 key");
- PrintAndLog(" 2 : 0x00-0x0F key");
- PrintAndLog(" 3 : nfc key");
- PrintAndLog(" 4 : all 0x01 key");
- PrintAndLog(" 5 : all 0xff key");
- PrintAndLog(" 6 : 0x00-0xFF key");
- PrintAndLog("\n sample : hf mfu cauth k");
- PrintAndLog(" : hf mfu cauth k 3");
- return 0;
- }
+ if (errors) return usage_hf_mfu_ucauth();
uint8_t *key = default_3des_keys[keyNo];
if (ulc_authentication(key, true))
int CmdHF14AMfucSetPwd(const char *Cmd){
uint8_t pwd[16] = {0x00};
-
char cmdp = param_getchar(Cmd, 0);
- if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
- PrintAndLog("Usage: hf mfu setpwd <password (32 hex symbols)>");
- PrintAndLog(" [password] - (32 hex symbols)");
- PrintAndLog("");
- PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f");
- PrintAndLog("");
- return 0;
- }
+ if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetpwd();
if (param_gethex(Cmd, 0, pwd, 32)) {
PrintAndLog("Password must include 32 HEX symbols");
SendCommand(&c);
UsbCommand resp;
-
if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
if ( (resp.arg[0] & 0xff) == 1)
PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16));
else {
PrintAndLog("command execution time out");
return 1;
- }
-
+ }
return 0;
}
UsbCommand resp;
uint8_t uid[7] = {0x00};
char cmdp = param_getchar(Cmd, 0);
-
- if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
- PrintAndLog("Usage: hf mfu setuid <uid (14 hex symbols)>");
- PrintAndLog(" [uid] - (14 hex symbols)");
- PrintAndLog("\nThis only works for Magic Ultralight tags.");
- PrintAndLog("");
- PrintAndLog("sample: hf mfu setuid 11223344556677");
- PrintAndLog("");
- return 0;
- }
-
+ if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetuid();
+
if (param_gethex(Cmd, 0, uid, 14)) {
PrintAndLog("UID must include 14 HEX symbols");
return 1;
}
int CmdHF14AMfuGenDiverseKeys(const char *Cmd){
+
+ uint8_t uid[4];
+
+ char cmdp = param_getchar(Cmd, 0);
+ if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_gendiverse();
+
+ if (param_gethex(Cmd, 0, uid, 8)) {
+ PrintAndLog("UID must include 8 HEX symbols");
+ return 1;
+ }
uint8_t iv[8] = { 0x00 };
- uint8_t block = 0x07;
+ uint8_t block = 0x01;
- // UL-EV1
- //04 57 b6 e2 05 3f 80 UID
- //4a f8 4b 19 PWD
- uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E };
uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 };
uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 };
uint8_t dkeyA[8] = { 0x00 };
, divkey // output
);
- PrintAndLog("3DES version");
+ PrintAndLog("-- 3DES version");
PrintAndLog("Masterkey :\t %s", sprint_hex(masterkey,sizeof(masterkey)));
PrintAndLog("UID :\t %s", sprint_hex(uid, sizeof(uid)));
- PrintAndLog("Sector :\t %0d", block);
+ PrintAndLog("block :\t %0d", block);
PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA)));
PrintAndLog("Message :\t %s", sprint_hex(mix, sizeof(mix)));
PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6));
-
- PrintAndLog("\n DES version");
for (int i=0; i < sizeof(mifarekeyA); ++i){
dkeyA[i] = (mifarekeyA[i] << 1) & 0xff;
, newpwd // output
);
+ PrintAndLog("\n-- DES version");
PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA)));
PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB)));
PrintAndLog("Mifare ABA :\t %s", sprint_hex(dmkey, sizeof(dmkey)));
PrintAndLog("Mifare Pwd :\t %s", sprint_hex(newpwd, sizeof(newpwd)));
+ // next. from the diversify_key method.
return 0;
}
// static uint8_t * diversify_key(uint8_t * key){
- // for(int i=0; i<16; i++){
- // if(i<=6) key[i]^=cuid[i];
- // if(i>6) key[i]^=cuid[i%7];
- // }
+
// return key;
// }
#include "../common/iso14443crc.h"\r
#include "cmdhf14a.h"\r
\r
-#define CONFIGURATION_BLOCK 0x00\r
-#define TRACE_BLOCK 0x01\r
+#define T55x7_CONFIGURATION_BLOCK 0x00\r
+#define T55x7_PAGE0 0x00\r
+#define T55x7_PAGE1 0x01\r
#define T55x7_PWD 0x00000010\r
+#define REGULAR_READ_MODE_BLOCK 0xFF\r
\r
// Default configuration\r
t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00};\r
return 0;\r
}\r
int usage_t55xx_read(){\r
- PrintAndLog("Usage: lf t55xx read b <block> p <password> <override_safety>");\r
+ PrintAndLog("Usage: lf t55xx read [b <block>] [p <password>] <override_safety> <page1>");\r
PrintAndLog("Options:");\r
- PrintAndLog(" b <block>, block number to read. Between 0-7");\r
- PrintAndLog(" p <password>, OPTIONAL password 4bytes (8 hex symbols)");\r
- PrintAndLog(" o, OPTIONAL override safety check");\r
+ PrintAndLog(" b <block> - block number to read. Between 0-7");\r
+ PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");\r
+ PrintAndLog(" o - OPTIONAL override safety check");\r
+ PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0");\r
PrintAndLog(" ****WARNING****");\r
PrintAndLog(" Use of read with password on a tag not configured for a pwd");\r
PrintAndLog(" can damage the tag");\r
return 0;\r
}\r
int usage_t55xx_write(){\r
- PrintAndLog("Usage: lf t55xx write <block> <data> [password]");\r
+ PrintAndLog("Usage: lf t55xx wr [b <block>] [d <data>] [p <password>] [1]");\r
PrintAndLog("Options:");\r
- PrintAndLog(" <block>, block number to write. Between 0-7");\r
- PrintAndLog(" <data>, 4 bytes of data to write (8 hex symbols)");\r
- PrintAndLog(" [password], OPTIONAL password 4bytes (8 hex symbols)");\r
+ PrintAndLog(" b <block> - block number to write. Between 0-7");\r
+ PrintAndLog(" d <data> - 4 bytes of data to write (8 hex characters)");\r
+ PrintAndLog(" p <password> - OPTIONAL password 4bytes (8 hex characters)");\r
+ PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
- PrintAndLog(" lf t55xx write 3 11223344 - write 11223344 to block 3");\r
- PrintAndLog(" lf t55xx write 3 11223344 feedbeef - write 11223344 to block 3 password feedbeef");\r
+ PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3");\r
+ PrintAndLog(" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef");\r
PrintAndLog("");\r
return 0;\r
}\r
int usage_t55xx_trace() {\r
PrintAndLog("Usage: lf t55xx trace [1]");\r
PrintAndLog("Options:");\r
- PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");\r
+ PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx trace");\r
int usage_t55xx_info() {\r
PrintAndLog("Usage: lf t55xx info [1]");\r
PrintAndLog("Options:");\r
- PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");\r
+ PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx info");\r
return 0;\r
}\r
int usage_t55xx_dump(){\r
- PrintAndLog("Usage: lf t55xx dump <password>");\r
+ PrintAndLog("Usage: lf t55xx dump <password> [o]");\r
PrintAndLog("Options:");\r
- PrintAndLog(" <password>, OPTIONAL password 4bytes (8 hex symbols)");\r
+ PrintAndLog(" <password> - OPTIONAL password 4bytes (8 hex symbols)");\r
+ PrintAndLog(" o - OPTIONAL override, force pwd read despite danger to card");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx dump");\r
- PrintAndLog(" lf t55xx dump feedbeef");\r
+ PrintAndLog(" lf t55xx dump feedbeef o");\r
PrintAndLog("");\r
return 0;\r
}\r
int usage_t55xx_detect(){\r
PrintAndLog("Usage: lf t55xx detect [1]");\r
PrintAndLog("Options:");\r
- PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");\r
+ PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");\r
PrintAndLog("");\r
PrintAndLog("Examples:");\r
PrintAndLog(" lf t55xx detect");\r
char tmp = 0x00;\r
uint8_t bitRate = 0;\r
uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};\r
- while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
- {\r
+ while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
tmp = param_getchar(Cmd, cmdp);\r
switch(tmp)\r
{\r
return printConfiguration ( config );\r
}\r
\r
+int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){\r
+ //Password mode\r
+ if ( usepwd ) {\r
+ // try reading the config block and verify that PWD bit is set before doing this!\r
+ if ( !override ) {\r
+ \r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0;\r
+ \r
+ if ( !tryDetectModulation() ) {\r
+ PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");\r
+ return 0;\r
+ } else {\r
+ PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password..."); \r
+ usepwd = false;\r
+ page1 = false;\r
+ }\r
+ } else {\r
+ PrintAndLog("Safety Check Overriden - proceeding despite risk");\r
+ }\r
+ }\r
+\r
+ if (!AquireData(page1, block, usepwd, password) ) return 0;\r
+ if (!DecodeT55xxBlock()) return 0;\r
+\r
+ char blk[10]={0};\r
+ sprintf(blk,"%d", block);\r
+ printT55xxBlock(blk); \r
+ return 1;\r
+}\r
+\r
int CmdT55xxReadBlock(const char *Cmd) {\r
- uint8_t block = 255;\r
+ uint8_t block = REGULAR_READ_MODE_BLOCK;\r
uint32_t password = 0; //default to blank Block 7\r
- bool usepwd = FALSE;\r
- bool override = FALSE; \r
- bool errors = FALSE;\r
+ bool usepwd = false;\r
+ bool override = false;\r
+ bool page1 = false;\r
+ bool errors = false;\r
uint8_t cmdp = 0;\r
while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
switch(param_getchar(Cmd, cmdp)) {\r
break;\r
case 'p':\r
case 'P':\r
- password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16);\r
- usepwd = TRUE;\r
+ password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ usepwd = true;\r
cmdp += 2;\r
break;\r
+ case '1':\r
+ page1 = true;\r
+ cmdp++;\r
+ break;\r
default:\r
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
errors = true;\r
}\r
if (errors) return usage_t55xx_read();\r
\r
- if ( block > 7 ) {\r
+ if (block > 7 && block != REGULAR_READ_MODE_BLOCK ) {\r
PrintAndLog("Block must be between 0 and 7");\r
- return 1;\r
- } \r
-\r
- UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, password}};\r
-\r
- //Password mode\r
- if ( usepwd ) {\r
- \r
- // try reading the config block and verify that PWD bit is set before doing this!\r
- if ( !override ) {\r
- AquireData( CONFIGURATION_BLOCK );\r
- if ( !tryDetectModulation() ) {\r
- PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");\r
- return 1;\r
- } else { \r
- PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password..."); \r
- }\r
- } else { \r
- PrintAndLog("Safety Check Overriden - proceeding despite risk");\r
- c.arg[0] = usepwd;\r
- }\r
- }\r
-\r
- clearCommandBuffer();\r
- SendCommand(&c);\r
- if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
- PrintAndLog("command execution time out");\r
- return 2;\r
+ return 0;\r
}\r
- \r
- uint8_t got[12000];\r
- GetFromBigBuf(got,sizeof(got),0);\r
- WaitForResponse(CMD_ACK,NULL);\r
- setGraphBuf(got, sizeof(got));\r
-\r
- if (!DecodeT55xxBlock()) return 3;\r
- \r
- char blk[10]={0};\r
- sprintf(blk,"%d", block); \r
- printT55xxBlock(blk);\r
- return 0;\r
+ PrintAndLog("Reading Page %d:", page1); \r
+ PrintAndLog("blk | hex data | binary");\r
+ return T55xxReadBlock(block, page1, usepwd, override, password);\r
}\r
\r
bool DecodeT55xxBlock(){\r
uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
DemodBufferLen = 0x00;\r
\r
- //trim 1/2 a clock from beginning\r
- //snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 );\r
- //CmdLtrim(cmdStr);\r
switch( config.modulation ){\r
case DEMOD_FSK:\r
snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );\r
\r
int CmdT55xxDetect(const char *Cmd){\r
\r
+ bool override = false;\r
+ //bool pwdmode = false;\r
+\r
+ uint32_t password = 0; //default to blank Block 7\r
+ bool usepwd = ( strlen(Cmd) > 0); \r
+ if ( usepwd ){\r
+ password = param_get32ex(Cmd, 0, 0, 16);\r
+ if (param_getchar(Cmd, 1) =='o' )\r
+ override = true;\r
+ }\r
+\r
char cmdp = param_getchar(Cmd, 0);\r
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect();\r
\r
- if (strlen(Cmd)==0)\r
- AquireData( CONFIGURATION_BLOCK );\r
+ if (strlen(Cmd)==0) {\r
+ password = param_get32ex(Cmd, 0, 0, 16);\r
+ if (param_getchar(Cmd, 1) =='o' ) override = true;\r
+ }\r
\r
+ if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
+ return 0;\r
+ \r
if ( !tryDetectModulation() )\r
PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
\r
- return 0;\r
+ return 1;\r
}\r
\r
// detect configuration?\r
bool tryDetectModulation(){\r
- //char cmdStr[8] = {0};\r
uint8_t hits = 0;\r
t55xx_conf_block_t tests[15];\r
int bitRate=0;\r
save_restoreGB(1);\r
if (GetFskClock("", FALSE, FALSE)){ \r
fskClocks(&fc1, &fc2, &clk, FALSE);\r
- //sprintf(cmdStr,"%d", clk/2);\r
- //CmdLtrim(cmdStr);\r
if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate)){\r
tests[hits].modulation = DEMOD_FSK;\r
if (fc1==8 && fc2 == 5)\r
} else {\r
clk = GetAskClock("", FALSE, FALSE);\r
if (clk>0) {\r
- //sprintf(cmdStr,"%d", clk/2);\r
- //CmdLtrim(cmdStr);\r
if ( ASKDemod("0 0 0", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate)) {\r
tests[hits].modulation = DEMOD_ASK;\r
tests[hits].bitrate = bitRate;\r
save_restoreGB(0);\r
clk = GetNrzClock("", FALSE, FALSE);\r
if (clk>0) {\r
- //sprintf(cmdStr,"%d", clk/2);\r
- //CmdLtrim(cmdStr);\r
if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate)) {\r
tests[hits].modulation = DEMOD_NRZ;\r
tests[hits].bitrate = bitRate;\r
save_restoreGB(0);\r
clk = GetPskClock("", FALSE, FALSE);\r
if (clk>0) {\r
- //PrintAndLog("clk %d",clk);\r
- //sprintf(cmdStr,"%d", clk/2);\r
- //CmdLtrim(cmdStr); \r
if ( PSKDemod("0 0 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate)) {\r
tests[hits].modulation = DEMOD_PSK1;\r
tests[hits].bitrate = bitRate;\r
return 0;\r
}\r
\r
+int CmdT55xxWakeUp(const char *Cmd) {\r
+ uint32_t password = 0;\r
+ uint8_t cmdp = 0;\r
+ bool errors = false;\r
+ while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'h':\r
+ case 'H':\r
+ return usage_t55xx_wakup();\r
+ case 'p':\r
+ case 'P':\r
+ password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ cmdp += 2;\r
+ errors = false;\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = true;\r
+ break;\r
+ }\r
+ }\r
+ if (errors) return usage_t55xx_wakup();\r
+\r
+ UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
+ PrintAndLog("Wake up command sent. Try read now");\r
+ return 0;\r
+}\r
+\r
int CmdT55xxWriteBlock(const char *Cmd) {\r
- int block = 8; //default to invalid block\r
- int data = 0xFFFFFFFF; //default to blank Block \r
- int password = 0xFFFFFFFF; //default to blank Block 7\r
- \r
- char cmdp = param_getchar(Cmd, 0);\r
- if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_write();\r
- \r
- int res = sscanf(Cmd, "%d %x %x",&block, &data, &password);\r
- \r
- if ( res < 2 || res > 3) {\r
- usage_t55xx_write();\r
- return 1;\r
+ uint8_t block = 0xFF; //default to invalid block\r
+ uint32_t data = 0; //default to blank Block \r
+ uint32_t password = 0; //default to blank Block 7\r
+ bool usepwd = false;\r
+ bool page1 = false; \r
+ bool gotdata = false;\r
+ bool errors = false;\r
+ uint8_t cmdp = 0;\r
+ while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'h':\r
+ case 'H':\r
+ return usage_t55xx_write();\r
+ case 'b':\r
+ case 'B':\r
+ errors |= param_getdec(Cmd, cmdp+1, &block);\r
+ cmdp += 2;\r
+ break;\r
+ case 'd':\r
+ case 'D':\r
+ data = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ gotdata = true;\r
+ cmdp += 2;\r
+ break;\r
+ case 'p':\r
+ case 'P':\r
+ password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+ usepwd = true;\r
+ cmdp += 2;\r
+ break;\r
+ case '1':\r
+ page1 = true;\r
+ cmdp++;\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = true;\r
+ break;\r
+ }\r
}\r
+ if (errors || !gotdata) return usage_t55xx_write();\r
\r
if (block > 7) {\r
PrintAndLog("Block number must be between 0 and 7");\r
- return 1;\r
+ return 0;\r
}\r
\r
UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};\r
UsbCommand resp;\r
- c.d.asBytes[0] = 0x0; \r
+ c.d.asBytes[0] = (page1) ? 0x2 : 0; \r
\r
- PrintAndLog("Writing to block: %d data : 0x%08X", block, data);\r
+ PrintAndLog("Writing to page: %d block: %d data : 0x%08X", page1, block, data);\r
\r
//Password mode\r
- if (res == 3) {\r
+ if (usepwd) {\r
c.arg[2] = password;\r
- c.d.asBytes[0] = 0x1; \r
+ c.d.asBytes[0] |= 0x1; \r
PrintAndLog("pwd : 0x%08X", password);\r
}\r
clearCommandBuffer();\r
SendCommand(&c);\r
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
- return -1;\r
- }\r
return 0;\r
+ }\r
+ return 1;\r
}\r
\r
int CmdT55xxReadTrace(const char *Cmd) {\r
char cmdp = param_getchar(Cmd, 0);\r
- \r
+ bool pwdmode = false;\r
+ uint32_t password = 0; \r
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
\r
if (strlen(Cmd)==0)\r
- AquireData( TRACE_BLOCK );\r
+ if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
+ return 0;\r
\r
- if (!DecodeT55xxBlock()) return 1;\r
+ if (!DecodeT55xxBlock()) return 0;\r
\r
- if ( !DemodBufferLen) return 1;\r
+ if ( !DemodBufferLen) return 0;\r
\r
RepaintGraphWindow();\r
uint8_t repeat = 0;\r
if (config.offset > 5) \r
repeat = 32;\r
uint8_t si = config.offset+repeat;\r
- uint32_t bl0 = PackBits(si, 32, DemodBuffer);\r
- uint32_t bl1 = PackBits(si+32, 32, DemodBuffer);\r
+ uint32_t bl1 = PackBits(si, 32, DemodBuffer);\r
+ uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);\r
\r
uint32_t acl = PackBits(si, 8, DemodBuffer); si += 8;\r
uint32_t mfc = PackBits(si, 8, DemodBuffer); si += 8;\r
\r
if ( acl != 0xE0 ) {\r
PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
- return 1;\r
+ return 0;\r
}\r
\r
PrintAndLog("");\r
PrintAndLog(" Die Number : %d", dw);\r
PrintAndLog("-------------------------------------------------------------");\r
PrintAndLog(" Raw Data - Page 1");\r
- PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
- PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
+ PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+ PrintAndLog(" Block 2 : 0x%08X %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
PrintAndLog("-------------------------------------------------------------");\r
\r
/*\r
Normal mode\r
Extended mode\r
*/\r
+ bool pwdmode = false;\r
+ uint32_t password = 0;\r
char cmdp = param_getchar(Cmd, 0);\r
\r
if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
\r
if (strlen(Cmd)==0)\r
- AquireData( CONFIGURATION_BLOCK );\r
+ if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
+ return 1;\r
\r
if (!DecodeT55xxBlock()) return 1;\r
\r
\r
int CmdT55xxDump(const char *Cmd){\r
\r
- char s[20] = {0x00};\r
- uint8_t pwd[4] = {0x00};\r
- char cmdp = param_getchar(Cmd, 0);\r
+ uint32_t password = 0;\r
+ bool override = false;\r
+ char cmdp = param_getchar(Cmd, 0); \r
if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump();\r
\r
- bool hasPwd = ( strlen(Cmd) > 0); \r
- if ( hasPwd ){\r
- if (param_gethex(Cmd, 0, pwd, 8)) {\r
- PrintAndLog("password must include 8 HEX symbols");\r
- return 1;\r
- }\r
+ bool usepwd = ( strlen(Cmd) > 0); \r
+ if ( usepwd ){\r
+ password = param_get32ex(Cmd, 0, 0, 16);\r
+ if (param_getchar(Cmd, 1) =='o' )\r
+ override = true;\r
}\r
\r
- for ( int i = 0; i <8; ++i){\r
- memset(s,0,sizeof(s));\r
- if ( hasPwd ) {\r
- sprintf(s,"%d %02x%02x%02x%02x", i, pwd[0],pwd[1],pwd[2],pwd[3]);\r
- } else {\r
- sprintf(s,"%d", i);\r
- }\r
- CmdT55xxReadBlock(s);\r
+ PrintAndLog("Reading Page 0:"); \r
+ PrintAndLog("blk | hex data | binary");\r
+ for ( uint8_t i = 0; i < 8; ++i){\r
+ T55xxReadBlock(i, 0, usepwd, override, password);\r
}\r
- return 0;\r
+ PrintAndLog("Reading Page 1:"); \r
+ PrintAndLog("blk | hex data | binary");\r
+ for ( uint8_t i = 0; i < 4; i++){\r
+ T55xxReadBlock(i, 1, usepwd, override, password); \r
+ }\r
+ return 1;\r
}\r
\r
-int AquireData( uint8_t block ){\r
- \r
- uint32_t password = 0;\r
- UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, 0, password}};\r
- \r
- if ( block == CONFIGURATION_BLOCK ) {\r
- c.arg[0] = 0x00 | 0x01;\r
- }\r
- else if (block == TRACE_BLOCK ) {\r
- c.arg[0] = 0x02 | 0x01;\r
- }\r
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
+ // arg0 bitmodes:\r
+ // bit0 = pwdmode\r
+ // bit1 = page to read from\r
+ uint8_t arg0 = (page<<1) | pwdmode;\r
+ UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
\r
clearCommandBuffer();\r
SendCommand(&c);\r
if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
PrintAndLog("command execution time out");\r
- return 1;\r
+ return 0;\r
}\r
\r
uint8_t got[12000];\r
GetFromBigBuf(got,sizeof(got),0);\r
WaitForResponse(CMD_ACK,NULL);\r
- setGraphBuf(got, 12000);\r
- return 0;\r
+ setGraphBuf(got, sizeof(got));\r
+ return 1;\r
}\r
\r
char * GetBitRateStr(uint32_t id){\r
\r
}\r
\r
-int CmdT55xxWakeUp(const char *Cmd) {\r
- uint32_t password = 0;\r
- uint8_t cmdp = 0;\r
- bool errors = false;\r
- while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
- switch(param_getchar(Cmd, cmdp)) {\r
- case 'h':\r
- case 'H':\r
- return usage_t55xx_wakup();\r
- case 'p':\r
- case 'P':\r
- password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16);\r
- cmdp+=2;\r
- break;\r
- default:\r
- PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
- errors = true;\r
- break;\r
- }\r
- }\r
- if (errors) return usage_t55xx_wakup();\r
-\r
- UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};\r
- clearCommandBuffer();\r
- SendCommand(&c);\r
- PrintAndLog("Wake up command sent. Try read now");\r
- return 0;\r
-}\r
-\r
/*\r
uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){\r
\r
{"help", CmdHelp, 1, "This help"},\r
{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
{"detect", CmdT55xxDetect, 0, "[1] Try detecting the tag modulation from reading the configuration block."},\r
- {"read", CmdT55xxReadBlock, 0, "<block> [password] -- Read T55xx block data (page 0) [optional password]"},\r
- {"write", CmdT55xxWriteBlock,0, "<block> <data> [password] -- Write T55xx block data (page 0) [optional password]"},\r
+ {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data (page 0) [optional password]"},\r
+ {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data (page 0) [optional password]"},\r
{"trace", CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},\r
{"info", CmdT55xxInfo, 0, "[1] Show T55xx configuration data (page 0/ blk 0)"},\r
- {"dump", CmdT55xxDump, 0, "[password] Dump T55xx card block 0-7. [optional password]"},\r
+ {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. [optional password]"},\r
{"special", special, 0, "Show block changes with 64 different offsets"},\r
{"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},\r
- \r
{NULL, NULL, 0, NULL}\r
};\r
\r
bool tryDetectModulation();\r
bool test(uint8_t mode, uint8_t *offset, int *fndBitRate);\r
int special(const char *Cmd);\r
-int AquireData( uint8_t block );\r
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password );\r
\r
#endif\r
#define CMD_MIFARE_DESFIRE 0x072e
#define CMD_MIFARE_COLLECT_NONCES 0x072f
+
+#define CMD_HF_SNIFFER 0x0800
#define CMD_UNKNOWN 0xFFFF
CMD_INDALA_CLONE_TAG_L = 0x0213,
CMD_T55XX_READ_BLOCK = 0x0214,
CMD_T55XX_WRITE_BLOCK = 0x0215,
- CMD_T55XX_READ_TRACE = 0x0216,
+ --//CMD_T55XX_READ_TRACE = 0x0216,
CMD_PCF7931_READ = 0x0217,
CMD_PCF7931_WRITE = 0x0223,
CMD_EM4X_READ_WORD = 0x0218,
CMD_MIFARE_DES_READER = 0x072c,
CMD_MIFARE_DESFIRE_INFO = 0x072d,
CMD_MIFARE_DESFIRE = 0x072e,
-
+ CMD_HF_SNIFFER = 0x0800,
+
CMD_UNKNOWN = 0xFFFF,
}
const char *data = luaL_checklstring(L, 1, &size);
if(size != sizeof(UsbCommand))
{
- printf("Got data size %d, expected %d" , size, sizeof(UsbCommand));
+ printf("Got data size %d, expected %d" , (int) size,(int) sizeof(UsbCommand));
lua_pushstring(L,"Wrong data size");
return 1;
}
INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES)
-CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -std=c99 $(APP_CFLAGS) -Os
+#-Wunused -Wsign-compare -Wtype-limits -Wuninitialized -Wno-deprecated -Wstrict-aliasing -Wpointer-arith -Wpointer-arith -Wformat-nonliteral -Winit-self -Wparentheses -Wunreachable-code
+CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -Wunused -std=c99 $(APP_CFLAGS) -Os
LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n
LIBS = -lgcc
return bestErr;
}
+uint32_t manchesterEncode2Bytes(uint16_t datain) {
+ uint32_t output = 0;
+ uint8_t curBit = 0;
+ for (uint8_t i=0; i<16; i++) {
+ curBit = (datain >> (15-i) & 1);
+ output |= (1<<(((15-i)*2)+curBit));
+ }
+ return output;
+}
+
//by marshmellow
//encode binary data into binary manchester
int ManchesterEncode(uint8_t *BitStream, size_t size)
uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo);
int fskdemod(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t invert, uint8_t fchigh, uint8_t fclow);
int getHiLo(uint8_t *BitStream, size_t size, int *high, int *low, uint8_t fuzzHi, uint8_t fuzzLo);
+uint32_t manchesterEncode2Bytes(uint16_t datain);
int ManchesterEncode(uint8_t *BitStream, size_t size);
int manrawdecode(uint8_t *BitStream, size_t *size, uint8_t invert);
int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr);
#include <stdint.h>
#include <stdarg.h>
#include "protocols.h"
+
+// ATA55xx shared presets & routines
+uint32_t GetT55xxClockBit(uint32_t clock) {
+ switch (clock) {
+ case 128:
+ return T55x7_BITRATE_RF_128;
+ case 100:
+ return T55x7_BITRATE_RF_100;
+ case 64:
+ return T55x7_BITRATE_RF_64;
+ case 50:
+ return T55x7_BITRATE_RF_50;
+ case 40:
+ return T55x7_BITRATE_RF_40;
+ case 32:
+ return T55x7_BITRATE_RF_32;
+ case 16:
+ return T55x7_BITRATE_RF_16;
+ case 8:
+ return T55x7_BITRATE_RF_8;
+ default:
+ return 0;
+ }
+}
+
#ifndef ON_DEVICE
#include "ui.h"
#define prnt PrintAndLog
-#endif
-
-
+// iclass / picopass chip config structures and shared routines
typedef struct {
uint8_t app_limit; //[8]
uint8_t otp[2]; //[9-10]
}picopass_hdr;
-
-//#define prnt printf
-/*void prnt(char *fmt,...)
-{
- va_list argptr;
- va_start(argptr, fmt);
- vprintf(fmt, argptr);
- printf(" "); // cleaning prompt
- va_end(argptr);
- printf("\n");
-}
-*/
-uint8_t isset(uint8_t val, uint8_t mask)
-{
+uint8_t isset(uint8_t val, uint8_t mask) {
return (val & mask);
}
return !(val & mask);
}
-void fuse_config(const picopass_hdr *hdr)
-{
+void fuse_config(const picopass_hdr *hdr) {
uint8_t fuses = hdr->conf.fuses;
if (isset(fuses,FUSE_FPERS))prnt(" Mode: Personalization [Programmable]");
}
}
-void mem_app_config(const picopass_hdr *hdr)
-{
+void mem_app_config(const picopass_hdr *hdr) {
uint8_t mem = hdr->conf.mem_config;
uint8_t chip = hdr->conf.chip_config;
uint8_t applimit = hdr->conf.app_limit;
prnt(" AA1: blocks 06-%02X", applimit);
prnt(" AA2: blocks %02X-%02X", applimit+1, max_blk);
}
-void print_picopass_info(const picopass_hdr *hdr)
-{
+void print_picopass_info(const picopass_hdr *hdr) {
fuse_config(hdr);
mem_app_config(hdr);
}
-void printIclassDumpInfo(uint8_t* iclass_dump)
-{
-// picopass_hdr hdr;
-// memcpy(&hdr, iclass_dump, sizeof(picopass_hdr));
+void printIclassDumpInfo(uint8_t* iclass_dump) {
print_picopass_info((picopass_hdr *) iclass_dump);
}
/*
-void test()
-{
+void test() {
picopass_hdr hdr = {0x27,0xaf,0x48,0x01,0xf9,0xff,0x12,0xe0,0x12,0xff,0xff,0xff,0x7f,0x1f,0xff,0x3c};
prnt("Picopass configuration:");
print_picopass_info(&hdr);
}
-int main(int argc, char *argv[])
-{
+int main(int argc, char *argv[]) {
test();
return 0;
}
*/
+
+#endif
+//ON_DEVICE
void printIclassDumpInfo(uint8_t* iclass_dump);
void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);
-#endif // PROTOCOLS_H
+/* T55x7 configuration register definitions */
+#define T55x7_POR_DELAY 0x00000001
+#define T55x7_ST_TERMINATOR 0x00000008
+#define T55x7_PWD 0x00000010
+#define T55x7_MAXBLOCK_SHIFT 5
+#define T55x7_AOR 0x00000200
+#define T55x7_PSKCF_RF_2 0
+#define T55x7_PSKCF_RF_4 0x00000400
+#define T55x7_PSKCF_RF_8 0x00000800
+#define T55x7_MODULATION_DIRECT 0
+#define T55x7_MODULATION_PSK1 0x00001000
+#define T55x7_MODULATION_PSK2 0x00002000
+#define T55x7_MODULATION_PSK3 0x00003000
+#define T55x7_MODULATION_FSK1 0x00004000
+#define T55x7_MODULATION_FSK2 0x00005000
+#define T55x7_MODULATION_FSK1a 0x00006000
+#define T55x7_MODULATION_FSK2a 0x00007000
+#define T55x7_MODULATION_MANCHESTER 0x00008000
+#define T55x7_MODULATION_BIPHASE 0x00010000
+#define T55x7_MODULATION_DIPHASE 0x00018000
+#define T55x7_BITRATE_RF_8 0
+#define T55x7_BITRATE_RF_16 0x00040000
+#define T55x7_BITRATE_RF_32 0x00080000
+#define T55x7_BITRATE_RF_40 0x000C0000
+#define T55x7_BITRATE_RF_50 0x00100000
+#define T55x7_BITRATE_RF_64 0x00140000
+#define T55x7_BITRATE_RF_100 0x00180000
+#define T55x7_BITRATE_RF_128 0x001C0000
+
+/* T5555 (Q5) configuration register definitions */
+#define T5555_ST_TERMINATOR 0x00000001
+#define T5555_MAXBLOCK_SHIFT 0x00000001
+#define T5555_MODULATION_MANCHESTER 0
+#define T5555_MODULATION_PSK1 0x00000010
+#define T5555_MODULATION_PSK2 0x00000020
+#define T5555_MODULATION_PSK3 0x00000030
+#define T5555_MODULATION_FSK1 0x00000040
+#define T5555_MODULATION_FSK2 0x00000050
+#define T5555_MODULATION_BIPHASE 0x00000060
+#define T5555_MODULATION_DIRECT 0x00000070
+#define T5555_INVERT_OUTPUT 0x00000080
+#define T5555_PSK_RF_2 0
+#define T5555_PSK_RF_4 0x00000100
+#define T5555_PSK_RF_8 0x00000200
+#define T5555_USE_PWD 0x00000400
+#define T5555_USE_AOR 0x00000800
+#define T5555_BITRATE_SHIFT 12
+#define T5555_FAST_WRITE 0x00004000
+#define T5555_PAGE_SELECT 0x00008000
+
+uint32_t GetT55xxClockBit(uint32_t clock);
+
+#endif
+// PROTOCOLS_H
$(DELETE) $@
$(XILINX_TOOLS_PREFIX)xst -ifn xst_hf.scr
-fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v
+fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v hi_sniffer.v
$(DELETE) $@
$(XILINX_TOOLS_PREFIX)xst -ifn xst_lf.scr
`include "hi_read_rx_xcorr.v"
`include "hi_simulate.v"
`include "hi_iso14443a.v"
+`include "hi_sniffer.v"
`include "util.v"
module fpga_hf(
hi_simulate_mod_type
);
+hi_sniffer he(
+ pck0, ck_1356meg, ck_1356megb,
+ he_pwr_lo, he_pwr_hi, he_pwr_oe1, he_pwr_oe2, he_pwr_oe3, he_pwr_oe4,
+ adc_d, he_adc_clk,
+ he_ssp_frame, he_ssp_din, ssp_dout, he_ssp_clk,
+ cross_hi, cross_lo,
+ he_dbg,
+ hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop, hi_read_rx_xcorr_quarter
+);
+
// Major modes:
// 000 -- HF reader, transmitting to tag; modulation depth selectable
// 001 -- HF reader, receiving from tag, correlating as it goes; frequency selectable
// 010 -- HF simulated tag
// 011 -- HF ISO14443-A
+// 100 -- HF Snoop
// 111 -- everything off
-mux8 mux_ssp_clk (major_mode, ssp_clk, ht_ssp_clk, hrxc_ssp_clk, hs_ssp_clk, hisn_ssp_clk, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_ssp_din (major_mode, ssp_din, ht_ssp_din, hrxc_ssp_din, hs_ssp_din, hisn_ssp_din, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_ssp_frame (major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe1 (major_mode, pwr_oe1, ht_pwr_oe1, hrxc_pwr_oe1, hs_pwr_oe1, hisn_pwr_oe1, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe2 (major_mode, pwr_oe2, ht_pwr_oe2, hrxc_pwr_oe2, hs_pwr_oe2, hisn_pwr_oe2, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe3 (major_mode, pwr_oe3, ht_pwr_oe3, hrxc_pwr_oe3, hs_pwr_oe3, hisn_pwr_oe3, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_oe4 (major_mode, pwr_oe4, ht_pwr_oe4, hrxc_pwr_oe4, hs_pwr_oe4, hisn_pwr_oe4, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_lo (major_mode, pwr_lo, ht_pwr_lo, hrxc_pwr_lo, hs_pwr_lo, hisn_pwr_lo, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_pwr_hi (major_mode, pwr_hi, ht_pwr_hi, hrxc_pwr_hi, hs_pwr_hi, hisn_pwr_hi, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_adc_clk (major_mode, adc_clk, ht_adc_clk, hrxc_adc_clk, hs_adc_clk, hisn_adc_clk, 1'b0, 1'b0, 1'b0, 1'b0);
-mux8 mux_dbg (major_mode, dbg, ht_dbg, hrxc_dbg, hs_dbg, hisn_dbg, 1'b0, 1'b0, 1'b0, 1'b0);
+mux8 mux_ssp_clk (major_mode, ssp_clk, ht_ssp_clk, hrxc_ssp_clk, hs_ssp_clk, hisn_ssp_clk, he_ssp_clk, 1'b0, 1'b0, 1'b0);
+mux8 mux_ssp_din (major_mode, ssp_din, ht_ssp_din, hrxc_ssp_din, hs_ssp_din, hisn_ssp_din, he_ssp_din, 1'b0, 1'b0, 1'b0);
+mux8 mux_ssp_frame (major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, he_ssp_frame, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe1 (major_mode, pwr_oe1, ht_pwr_oe1, hrxc_pwr_oe1, hs_pwr_oe1, hisn_pwr_oe1, he_pwr_oe1, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe2 (major_mode, pwr_oe2, ht_pwr_oe2, hrxc_pwr_oe2, hs_pwr_oe2, hisn_pwr_oe2, he_pwr_oe2, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe3 (major_mode, pwr_oe3, ht_pwr_oe3, hrxc_pwr_oe3, hs_pwr_oe3, hisn_pwr_oe3, he_pwr_oe3, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_oe4 (major_mode, pwr_oe4, ht_pwr_oe4, hrxc_pwr_oe4, hs_pwr_oe4, hisn_pwr_oe4, he_pwr_oe4, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_lo (major_mode, pwr_lo, ht_pwr_lo, hrxc_pwr_lo, hs_pwr_lo, hisn_pwr_lo, he_pwr_lo, 1'b0, 1'b0, 1'b0);
+mux8 mux_pwr_hi (major_mode, pwr_hi, ht_pwr_hi, hrxc_pwr_hi, hs_pwr_hi, hisn_pwr_hi, he_pwr_hi, 1'b0, 1'b0, 1'b0);
+mux8 mux_adc_clk (major_mode, adc_clk, ht_adc_clk, hrxc_adc_clk, hs_adc_clk, hisn_adc_clk, he_adc_clk, 1'b0, 1'b0, 1'b0);
+mux8 mux_dbg (major_mode, dbg, ht_dbg, hrxc_dbg, hs_dbg, hisn_dbg, he_dbg, 1'b0, 1'b0, 1'b0);
// In all modes, let the ADC's outputs be enabled.
assign adc_noe = 1'b0;
--- /dev/null
+
+module hi_sniffer(
+ pck0, ck_1356meg, ck_1356megb,
+ pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4,
+ adc_d, adc_clk,
+ ssp_frame, ssp_din, ssp_dout, ssp_clk,
+ cross_hi, cross_lo,
+ dbg,
+ xcorr_is_848, snoop, xcorr_quarter_freq // not used.
+);
+ input pck0, ck_1356meg, ck_1356megb;
+ output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4;
+ input [7:0] adc_d;
+ output adc_clk;
+ input ssp_dout;
+ output ssp_frame, ssp_din, ssp_clk;
+ input cross_hi, cross_lo;
+ output dbg;
+ input xcorr_is_848, snoop, xcorr_quarter_freq; // not used.
+
+// We are only snooping, all off.
+assign pwr_hi = 1'b0;// ck_1356megb & (~snoop);
+assign pwr_oe1 = 1'b0;
+assign pwr_oe2 = 1'b0;
+assign pwr_oe3 = 1'b0;
+assign pwr_oe4 = 1'b0;
+
+reg ssp_clk = 1'b0;
+reg ssp_frame;
+reg adc_clk;
+reg [7:0] adc_d_out = 8'd0;
+reg [7:0] ssp_cnt = 8'd0;
+reg [7:0] pck_divider = 8'd0;
+reg ant_lo = 1'b0;
+reg bit_to_send = 1'b0;
+
+always @(ck_1356meg, pck0) // should synthetisize to a mux..
+ begin
+ adc_clk = ck_1356meg;
+ ssp_clk = ~ck_1356meg;
+ end
+
+reg [7:0] cnt_test = 8'd0; // test
+
+always @(posedge pck0)
+begin
+ ant_lo <= 1'b0;
+end
+
+always @(posedge ssp_clk) // ~1356 (hf)
+begin
+ if(ssp_cnt[7:0] == 8'd255) // SSP counter for divides.
+ ssp_cnt[7:0] <= 8'd0;
+ else
+ ssp_cnt <= ssp_cnt + 1;
+
+ if((ssp_cnt[2:0] == 3'b000) && !ant_lo) // To set frame length
+ begin
+ adc_d_out[7:0] = adc_d; // disable for test
+ bit_to_send = adc_d_out[0];
+ ssp_frame <= 1'b1;
+ end
+ else
+ begin
+ adc_d_out[6:0] = adc_d_out[7:1];
+ adc_d_out[7] = 1'b0; // according to old lf_read.v comment prevents gliches if not set.
+ bit_to_send = adc_d_out[0];
+ ssp_frame <= 1'b0;
+ end
+end
+
+assign ssp_din = bit_to_send && !ant_lo;//bit_to_send && !ant_lo; // && .. not needed i guess?
+
+assign pwr_lo = ant_lo;
+
+
+endmodule
#define CMD_MIFARE_COLLECT_NONCES 0x072f
+#define CMD_HF_SNIFFER 0x0800
+
#define CMD_UNKNOWN 0xFFFF