add lf em 4x05protect plus lf config s option (#833)
authormarshmellow42 <marshmellow42@users.noreply.github.com>
Sun, 23 Jun 2019 11:43:56 +0000 (07:43 -0400)
committerpwpiwi <pwpiwi@users.noreply.github.com>
Sun, 23 Jun 2019 11:43:55 +0000 (13:43 +0200)
* add "samples to skip" for lf config (mainly for lf snoop)
* add lf em 4x05protect command to write protection on em4x05 chips
* fix spacing
* and remove old comment git added back in..
* update changelog
* fix flags - only need 1 bit

CHANGELOG.md
armsrc/appmain.c
armsrc/apps.h
armsrc/lfops.c
armsrc/lfsampling.c
client/cmdlf.c
client/cmdlfem4x.c
include/usb_cmd.h

index 399f87f9ff88b7e695c2c229e4890412edbaf254..cb508cd906867f081f0aa08513bbf6a2e45061b4 100644 (file)
@@ -16,6 +16,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 - `hf 15 sim` now works as expected (piwi)
 
 ### Added
+- Added `lf config s xxxx` option to allow skipping x samples before capture (marshmellow)
+- Added `lf em 4x05protect` to support changing protection blocks on em4x05 chips (marshmellow)
 - Support Standard Communication Mode in HITAG S
 - Added `hf emv scan` - commands for scan EMV card and dump data to json file (Merlok)
 - `hf mfp` group of commands (Merlok)
index 37328a506ce5492ba545da5da9b985508ea4e7b0..5169383ee20112af9f9e3d93a83f3188a7abde72 100644 (file)
@@ -1088,6 +1088,9 @@ void UsbPacketReceived(uint8_t *packet, int len)
                case CMD_EM4X_WRITE_WORD:
                        EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
                        break;
+               case CMD_EM4X_PROTECT:
+                       EM4xProtect(c->arg[0], c->arg[1], c->arg[2]);
+                       break;
                case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
                        CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
                        break;
index d1c885ab0af17bc24a686a4b3098a0c8d6bad3de..4d9a1482c02aa920d2a5c2ad654447abf49ec9ec 100644 (file)
@@ -89,6 +89,7 @@ void TurnReadLFOn();
 //void T55xxReadTrace(void);
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
+void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd);
 void Cotag(uint32_t arg0);
 
 /// iso14443.h
index 81fdd7a66c5cb8c1169af608624f0d45ab23d66d..ed207dbb39122eb4bc13f2f27828dca820f77c06 100644 (file)
@@ -1198,10 +1198,45 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
  * and enlarge the gap ones.
  * Q5 tags seems to have issues when these values changes. 
  */
-#define START_GAP 31*8 // was 250 // SPEC:  1*8 to 50*8 - typ 15*8 (or 15fc)
-#define WRITE_GAP 20*8 // was 160 // SPEC:  1*8 to 20*8 - typ 10*8 (or 10fc)
-#define WRITE_0   18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
-#define WRITE_1   50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc)  432 for T55x7; 448 for E5550
+
+/* Q5 timing datasheet:
+ * Type                  |  MIN   | Typical |  Max   |
+ * Start_Gap             |  10*8  |    ?    |  50*8  |
+ * Write_Gap Normal mode |   8*8  |   14*8  |  20*8  | 
+ * Write_Gap Fast Mode   |   8*8  |    ?    |  20*8  |
+ * Write_0   Normal mode |  16*8  |   24*8  |  32*8  |
+ * Write_1   Normal mode |  48*8  |   56*8  |  64*8  |
+ * Write_0   Fast Mode   |   8*8  |   12*8  |  16*8  |
+ * Write_1   Fast Mode   |  24*8  |   28*8  |  32*8  |
+*/
+
+/* T5557 timing datasheet:
+ * Type                  |  MIN   | Typical |  Max   |
+ * Start_Gap             |  10*8  |    ?    |  50*8  |
+ * Write_Gap Normal mode |   8*8  |50-150us |  30*8  | 
+ * Write_Gap Fast Mode   |   8*8  |    ?    |  20*8  |
+ * Write_0   Normal mode |  16*8  |   24*8  |  31*8  | 
+ * Write_1   Normal mode |  48*8  |   54*8  |  63*8  | 
+ * Write_0   Fast Mode   |   8*8  |   12*8  |  15*8  |
+ * Write_1   Fast Mode   |  24*8  |   28*8  |  31*8  |
+*/
+
+/* T5577C timing datasheet for Fixed-Bit-Length protocol (defualt):
+ * Type                  |  MIN   | Typical |  Max   |
+ * Start_Gap             |   8*8  |   15*8  |  50*8  |
+ * Write_Gap Normal mode |   8*8  |   10*8  |  20*8  | 
+ * Write_Gap Fast Mode   |   8*8  |   10*8  |  20*8  |
+ * Write_0   Normal mode |  16*8  |   24*8  |  32*8  | 
+ * Write_1   Normal mode |  48*8  |   56*8  |  64*8  | 
+ * Write_0   Fast Mode   |   8*8  |   12*8  |  16*8  |
+ * Write_1   Fast Mode   |  24*8  |   28*8  |  32*8  |
+*/
+
+//note startgap must be sent after tag has been powered up for more than 3ms (per T5557 ds)
+#define START_GAP 31*8 //31*8 // was 250 // SPEC:  1*8 to 50*8 - typ 15*8 (or 15fc) - T5557: 10*8 to 50*8 
+#define WRITE_GAP 20*8 //20*8 // was 160 // SPEC:  1*8 to 20*8 - typ 10*8 (or 10fc) - T5557:  8*8 to 30*8 typ 50-150us
+#define WRITE_0   18*8 //18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) - T5557: 16*8 to 31*8 typ 24*8
+#define WRITE_1   50*8 //50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) - T5557: 48*8 to 63*8 typ 54*8       432 for T55x7; 448 for E5550
 #define READ_GAP  15*8 
 
 void TurnReadLFOn(int delay) {
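Review bot: The new T5577C table header misspells "default" as "defualt", and the four `#define` lines now repeat their own value in a trailing comment (`31*8 //31*8`), which adds nothing and will drift the first time the value changes. Suggest `/* T5577C timing datasheet for Fixed-Bit-Length protocol (default): */` and dropping the duplicated `//NN*8` fragments, keeping only the SPEC ranges. Presumably the tables were transcribed from the datasheets; the T5557 Write_Gap "Typical" cell mixes microseconds (`50-150us`) with the `*8` field-clock units used in every other cell, so a short unit note there would help the next reader.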
@@ -1355,7 +1390,7 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
        T55xxWriteBit(1);
        T55xxWriteBit(Page); //Page 0
 
-       if (PwdMode){
+       if (PwdMode) {
                // Send Pwd
                for (i = 0x80000000; i != 0; i >>= 1)
                        T55xxWriteBit(Pwd & i);
@@ -1614,6 +1649,7 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
 #define FWD_CMD_WRITE 0xA
 #define FWD_CMD_READ 0x9
 #define FWD_CMD_DISABLE 0x5
+#define FWD_CMD_PROTECT 0x3
 
 uint8_t forwardLink_data[64]; //array of forwarded bits
 uint8_t * forward_ptr; //ptr for forward message preparation
@@ -1783,7 +1819,7 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
 
 void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
        
-       bool PwdMode = (flag & 0xF);
+       bool PwdMode = (flag & 0x1);
        uint8_t Address = (flag >> 8) & 0xFF;
        uint8_t fwd_bit_count;
 
@@ -1813,6 +1849,39 @@ void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
        LED_A_OFF();
        cmd_send(CMD_ACK,0,0,0,0,0);
 }
+
+void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd) {
+       
+       bool PwdMode = (flag & 0x1);
+       uint8_t fwd_bit_count;
+
+       //clear buffer now so it does not interfere with timing later
+       BigBuf_Clear_ext(false);
+
+       LED_A_ON();
+       StartTicks();
+       //If password mode do login
+       if (PwdMode) EM4xLogin(Pwd);
+
+       forward_ptr = forwardLink_data;
+       fwd_bit_count = Prepare_Cmd( FWD_CMD_PROTECT );
+
+       //unsure if this needs the full packet config...
+       fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
+
+       SendForward(fwd_bit_count);
+
+       //Wait for write to complete
+       //SpinDelay(10);
+
+       WaitUS(6500);
+       //Capture response if one exists
+       DoPartialAcquisition(20, true, 6000, 1000);
+
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
+       LED_A_OFF();
+       cmd_send(CMD_ACK,0,0,0,0,0);
+}
 /*
 Reading a COTAG.
 
index 03bccf41a7bbd151fac373b593ec7b24934c0740..e53d02056e057c89aef2d01d04830ad087cd8ea2 100644 (file)
@@ -14,7 +14,7 @@
 #include "usb_cdc.h"   // for usb_poll_validate_length
 #include "fpgaloader.h"
 
-sample_config config = { 1, 8, 1, 95, 0 } ;
+sample_config config = { 1, 8, 1, 95, 0, 0 } ;
 
 void printConfig()
 {
@@ -24,6 +24,7 @@ void printConfig()
        Dbprintf("  [d] decimation:        %d ", config.decimation);
        Dbprintf("  [a] averaging:         %d ", config.averaging);
        Dbprintf("  [t] trigger threshold: %d ", config.trigger_threshold);
+       Dbprintf("  [s] samples to skip:   %d ", config.samples_to_skip);
 }
 
 
@@ -34,7 +35,7 @@ void printConfig()
  * Other functions may read samples and ignore the sampling config,
  * such as functions to read the UID from a prox tag or similar.
  *
- * Values set to '0' implies no change (except for averaging)
+ * Values set to '0' implies no change (except for averaging, threshold, samples_to_skip)
  * @brief setSamplingConfig
  * @param sc
  */
@@ -44,6 +45,7 @@ void setSamplingConfig(sample_config *sc)
        if(sc->bits_per_sample!= 0) config.bits_per_sample= sc->bits_per_sample;
        if(sc->decimation!= 0) config.decimation= sc->decimation;
        if(sc->trigger_threshold != -1) config.trigger_threshold= sc->trigger_threshold;
+       if(sc->samples_to_skip != -1) config.samples_to_skip = sc->samples_to_skip;
 
        config.averaging= sc->averaging;
        if(config.bits_per_sample > 8)  config.bits_per_sample = 8;
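Review bot: setSamplingConfig only rejects the -1 "no change" sentinel, so any other negative samples_to_skip (for example a wrapped uint32 from the client) is stored as-is and later reaches the `samples_to_skip > samples_skipped` comparison in DoAcquisition, where a negative int promoted against a uint32_t skips every sample. Treating all negatives as "no change" closes that path in one line: `if(sc->samples_to_skip >= 0) config.samples_to_skip = sc->samples_to_skip;`. The updated doc comment above this hunk says 0 is a real value here, which that form preserves. setSamplingConfig begins before this hunk.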
@@ -119,7 +121,7 @@ void LFSetupFPGAForADC(int divisor, bool lf_field)
  * @param silent - is true, now outputs are made. If false, dbprints the status
  * @return the number of bits occupied by the samples.
  */
-uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after)
+uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
 {
        //.
        uint8_t *dest = BigBuf_get_addr();
@@ -141,6 +143,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
        uint32_t sample_total_numbers =0 ;
        uint32_t sample_total_saved =0 ;
        uint32_t cancel_counter = 0;
+       uint32_t samples_skipped = 0;
 
        while(!BUTTON_PRESS() && !usb_poll_validate_length() ) {
                WDT_HIT();
@@ -160,6 +163,10 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
                                continue;
                        }
                        trigger_threshold = 0;
+                       if (samples_to_skip > samples_skipped) {
+                               samples_skipped++;
+                               continue;
+                       }
                        sample_total_numbers++;
 
                        if(averaging)
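Review bot: `samples_to_skip > samples_skipped` compares an int against a uint32_t, so the usual arithmetic conversions turn a negative samples_to_skip into a large unsigned value and the branch then skips every sample until the button press or USB poll ends the loop. Guard the sign explicitly: `if (samples_to_skip > 0 && samples_skipped < (uint32_t)samples_to_skip) {`. The skip also only starts once the trigger threshold has been met (the `trigger_threshold = 0;` line precedes it), which matches the "mainly for lf snoop" intent in the commit message but deserves a comment such as `// skip the first N samples after the trigger fires`. DoAcquisition begins and ends outside this hunk.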
@@ -218,7 +225,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
  */
 uint32_t DoAcquisition_default(int trigger_threshold, bool silent)
 {
-       return DoAcquisition(1,8,0,trigger_threshold,silent,0,0);
+       return DoAcquisition(1,8,0,trigger_threshold,silent,0,0,0);
 }
 uint32_t DoAcquisition_config(bool silent, int sample_size)
 {
@@ -228,11 +235,12 @@ uint32_t DoAcquisition_config(bool silent, int sample_size)
                                  ,config.trigger_threshold
                                  ,silent
                                  ,sample_size
-                                 ,0);
+                                 ,0
+                                 ,config.samples_to_skip);
 }
 
 uint32_t DoPartialAcquisition(int trigger_threshold, bool silent, int sample_size, int cancel_after) {
-       return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after);
+       return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after,0);
 }
 
 uint32_t ReadLF(bool activeField, bool silent, int sample_size)
index 12d306630fc7e2d3bdab6aa0c1f54bfd481fc3c6..f661e518282031c61e0b40f357cdbd37501ca486 100644 (file)
@@ -224,24 +224,25 @@ int usage_lf_config(void)
 {
        PrintAndLog("Usage: lf config [H|<divisor>] [b <bps>] [d <decim>] [a 0|1]");
        PrintAndLog("Options:        ");
-       PrintAndLog("       h             This help");
-       PrintAndLog("       L             Low frequency (125 KHz)");
-       PrintAndLog("       H             High frequency (134 KHz)");
-       PrintAndLog("       q <divisor>   Manually set divisor. 88-> 134 KHz, 95-> 125 KHz");
-       PrintAndLog("       b <bps>       Sets resolution of bits per sample. Default (max): 8");
-       PrintAndLog("       d <decim>     Sets decimation. A value of N saves only 1 in N samples. Default: 1");
-       PrintAndLog("       a [0|1]       Averaging - if set, will average the stored sample value when decimating. Default: 1");
-       PrintAndLog("       t <threshold> Sets trigger threshold. 0 means no threshold (range: 0-128)");
+       PrintAndLog("       h               This help");
+       PrintAndLog("       L               Low frequency (125 KHz)");
+       PrintAndLog("       H               High frequency (134 KHz)");
+       PrintAndLog("       q <divisor>     Manually set divisor. 88-> 134 KHz, 95-> 125 KHz");
+       PrintAndLog("       b <bps>         Sets resolution of bits per sample. Default (max): 8");
+       PrintAndLog("       d <decim>       Sets decimation. A value of N saves only 1 in N samples. Default: 1");
+       PrintAndLog("       a [0|1]         Averaging - if set, will average the stored sample value when decimating. Default: 1");
+       PrintAndLog("       t <threshold>   Sets trigger threshold. 0 means no threshold (range: 0-128)");
+       PrintAndLog("       s <smplstoskip> Sets a number of samples to skip before capture. Default: 0");
        PrintAndLog("Examples:");
        PrintAndLog("      lf config b 8 L");
-       PrintAndLog("                    Samples at 125KHz, 8bps.");
+       PrintAndLog("                       Samples at 125KHz, 8bps.");
        PrintAndLog("      lf config H b 4 d 3");
-       PrintAndLog("                    Samples at 134KHz, averages three samples into one, stored with ");
-       PrintAndLog("                    a resolution of 4 bits per sample.");
+       PrintAndLog("                       Samples at 134KHz, averages three samples into one, stored with ");
+       PrintAndLog("                       a resolution of 4 bits per sample.");
        PrintAndLog("      lf read");
-       PrintAndLog("                    Performs a read (active field)");
+       PrintAndLog("                       Performs a read (active field)");
        PrintAndLog("      lf snoop");
-       PrintAndLog("                    Performs a snoop (no active field)");
+       PrintAndLog("                       Performs a snoop (no active field)");
        return 0;
 }
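Review bot: The synopsis on the `Usage:` line (a context line at the top of the hunk) still lists only H/q, b, d and a, so the new `s` option — and the existing `t` — appear in the option table but not in the summary. Suggest `PrintAndLog("Usage: lf config [H|<divisor>] [b <bps>] [d <decim>] [a 0|1] [t <threshold>] [s <smplstoskip>]");`. An example such as `lf config s 1000` with a one-line explanation under Examples would also help, since the commit message says the option is intended for `lf snoop`.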
 
@@ -255,6 +256,7 @@ int CmdLFSetConfig(const char *Cmd)
        bool errors = false;
        int trigger_threshold =-1;//Means no change
        uint8_t unsigned_trigg = 0;
+       int samples_to_skip = -1;
 
        uint8_t cmdp =0;
        while(param_getchar(Cmd, cmdp) != 0x00)
@@ -295,6 +297,10 @@ int CmdLFSetConfig(const char *Cmd)
                        averaging = param_getchar(Cmd,cmdp+1) == '1';
                        cmdp+=2;
                        break;
+               case 's':
+                       samples_to_skip = param_get32ex(Cmd,cmdp+1,0,10);
+                       cmdp+=2;
+                       break;
                default:
                        PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
                        errors = 1;
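Review bot: The `s` case accepts whatever param_get32ex returns with no range check: a missing or non-numeric value becomes 0 (the default argument) and is sent as a real change rather than flagged, and a value at or above 2^31 presumably wraps negative when stored in the `int` samples_to_skip — 4294967295 becomes the -1 "no change" sentinel and other large values become negatives the firmware will accept. Parse into an unsigned temporary and reject out-of-range input: `uint32_t skip = param_get32ex(Cmd, cmdp+1, 0, 10); if (skip > INT_MAX) { PrintAndLog("samples to skip out of range"); errors = 1; } else samples_to_skip = (int)skip;` (INT_MAX needs `<limits.h>` if the file does not already include it). CmdLFSetConfig begins and ends outside this hunk.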
@@ -316,7 +322,7 @@ int CmdLFSetConfig(const char *Cmd)
        if(bps >> 4) bps = 8;
 
        sample_config config = {
-               decimation,bps,averaging,divisor,trigger_threshold
+               decimation,bps,averaging,divisor,trigger_threshold,samples_to_skip
        };
        //Averaging is a flag on high-bit of arg[1]
        UsbCommand c = {CMD_SET_LF_SAMPLING_CONFIG};
index cdaeb5ed282f30d5b10bc045d2d5beaf63a3cf51..d1bde91184e73e7a256dac95b227cd7c41ef4807 100644 (file)
@@ -1161,6 +1161,119 @@ int CmdEM4x05WriteWord(const char *Cmd) {
        return EM4x05WriteWord(addr, data, pwd, usePwd, swap, invert);
 }
 
+int usage_lf_em_protect(void) {
+       PrintAndLog("Protect EM4x05.  Tag must be on antenna. ");
+       PrintAndLog("");
+       PrintAndLog("Usage:  lf em 4x05protect [h] d <data> p <pwd> [s] [i]");
+       PrintAndLog("Options:");
+       PrintAndLog("       h           - this help");
+       PrintAndLog("       d <data>    - data to write (hex)");
+       PrintAndLog("       p <pwd>     - password (hex) (optional)");
+       PrintAndLog("       s           - swap the data bit order before write");
+       PrintAndLog("       i           - invert the data bits before write");
+       PrintAndLog("samples:");
+       PrintAndLog("      lf em 4x05protect d 11223344");
+       PrintAndLog("      lf em 4x05protect p deadc0de d 11223344 s i");
+       return 0;
+}
+
+int EM4x05Protect(uint32_t data, uint32_t pwd, bool usePwd, bool swap, bool invert) {
+       if (swap) data = SwapBits(data, 32);
+
+       if (invert) data ^= 0xFFFFFFFF;
+
+       if ( !usePwd ) {
+               PrintAndLog("Writing Protect data %08X", data);
+       } else {
+               PrintAndLog("Writing Protect data %08X using password %08X", data, pwd);
+       }
+
+       uint16_t flag = usePwd;
+
+       UsbCommand c = {CMD_EM4X_PROTECT, {flag, data, pwd}};
+       clearCommandBuffer();
+       SendCommand(&c);
+       UsbCommand resp;
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){
+               PrintAndLog("Error occurred, device did not respond during protect operation.");
+               return -1;
+       }
+       if ( !downloadSamplesEM() ) {
+               return -1;
+       }
+       //check response for 00001010 for write confirmation!
+       //attempt demod:
+       uint32_t dummy = 0;
+       int result = demodEM4x05resp(&dummy,false);
+       if (result == 1) {
+               PrintAndLog("Protect Verified");
+       } else {
+               PrintAndLog("Protect could not be verified");
+       }
+       return result;
+}
+
+int CmdEM4x05ProtectWrite(const char *Cmd) {
+       bool errors = false;
+       bool usePwd = false;
+       uint32_t data = 0xFFFFFFFF;
+       uint32_t pwd = 0xFFFFFFFF;
+       bool swap = false;
+       bool invert = false;
+       bool gotData = false;
+       char cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_lf_em_write();
+               case 'd':
+               case 'D':
+                       data = param_get32ex(Cmd, cmdp+1, 0, 16);
+                       gotData = true;
+                       cmdp += 2;
+                       break;
+               case 'i':
+               case 'I':
+                       invert = true;
+                       cmdp++;
+                       break;
+               case 'p':
+               case 'P':
+                       pwd = param_get32ex(Cmd, cmdp+1, 1, 16);
+                       if (pwd == 1) {
+                               PrintAndLog("invalid pwd");
+                               errors = true;
+                       }
+                       usePwd = true;
+                       cmdp += 2;
+                       break;
+               case 's':
+               case 'S':
+                       swap = true;
+                       cmdp++;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
+               }
+               if(errors) break;
+       }
+       //Validations
+       if(errors) return usage_lf_em_protect();
+
+       if ( strlen(Cmd) == 0 ) return usage_lf_em_protect();
+
+       if (!gotData) {
+               PrintAndLog("You must enter the data you want to write");
+               return usage_lf_em_protect();
+       }
+       return EM4x05Protect(data, pwd, usePwd, swap, invert);
+}
+
 void printEM4x05config(uint32_t wordData) {
        uint16_t datarate = EM4x05_GET_BITRATE(wordData);
        uint8_t encoder = ((wordData >> 6) & 0xF);
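Review bot: The `h`/`H` case in CmdEM4x05ProtectWrite returns `usage_lf_em_write()`, so `lf em 4x05protect h` prints the help for the write-word command instead of the usage function added just above it; it should be `return usage_lf_em_protect();`. The password sentinel `if (pwd == 1)` also rejects the legitimate password 0x00000001, presumably inherited from CmdEM4x05WriteWord; a separate got-a-value flag like gotData would be cleaner. Since this command rewrites the tag's protection word, and EM4x05 protection bits may not be clearable once set (confirm against the datasheet), the usage text should say so before the examples, e.g. `PrintAndLog("WARNING: protection bits may be permanent once set - check the EM4x05 datasheet");`. printEM4x05config, which starts at the end of this hunk, continues outside it.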
@@ -1345,6 +1458,7 @@ static command_t CommandTable[] =
        {"4x05info",  CmdEM4x05info, 0, "(pwd) -- Get info from EM4x05/EM4x69 tag"},
        {"4x05readword",  CmdEM4x05ReadWord, 0, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
        {"4x05writeword", CmdEM4x05WriteWord, 0, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
+       {"4x05protect",   CmdEM4x05ProtectWrite, 0, "<data> (pwd) -- Write Protection to EM4x05"},
        {"4x50read",  CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
        {NULL, NULL, 0, NULL}
 };
index 9ef929b918e3f1c6fd23f032cfefb1d0d39c3907..82981acf01ff5d23722822ea6b42fc16345ad024 100644 (file)
@@ -41,6 +41,7 @@ typedef struct{
        bool averaging;
        int divisor;
        int trigger_threshold;
+       int samples_to_skip;
 } sample_config;
 
 // For the bootloader
@@ -116,6 +117,7 @@ typedef struct{
 #define CMD_T55XX_WAKEUP                                                  0x0224
 #define CMD_COTAG                                                         0x0225
 #define CMD_PARADOX_CLONE_TAG                                             0x0226
+#define CMD_EM4X_PROTECT                                                  0x0228
 
 // For the 13.56 MHz tags
 #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693                             0x0300