From: iceman1001 Date: Wed, 4 Feb 2015 10:48:36 +0000 (+0100) Subject: prepare to update the LF T55XX commands X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/385f398740895f512abc90ea5a00a9be82bf115b prepare to update the LF T55XX commands --- diff --git a/armsrc/apps.h b/armsrc/apps.h index 39ee3211..c8802dc1 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -20,6 +20,7 @@ #include #include "../common/crc32.h" #include "BigBuf.h" +#include "../include/hitag2.h" extern const uint8_t OddByteParity[256]; extern int rsamples; // = 0; @@ -116,9 +117,9 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc); void AcquireTiType(void); void AcquireRawBitsTI(void); void SimulateTagLowFrequency( uint16_t period, uint32_t gap, uint8_t ledcontrol); -void SimulateTagLowFrequencyA(int period, int gap); +//void SimulateTagLowFrequencyA(int period, int gap); -void CmdHIDsimTAG(int hi, int lo, uint8_t ledcontrol); +void CmdHIDsimTAG(int hi, int lo, int ledcontrol); void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol); void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol); void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol); diff --git a/armsrc/epa.c b/armsrc/epa.c index a04b7628..7bff9f19 100644 --- a/armsrc/epa.c +++ b/armsrc/epa.c @@ -15,6 +15,7 @@ #include "epa.h" #include "../common/cmd.h" + // Protocol and Parameter Selection Request // use regular (1x) speed in both directions // CRC is already included diff --git a/armsrc/iso14443a.h b/armsrc/iso14443a.h index 771a6f59..02604935 100644 --- a/armsrc/iso14443a.h +++ b/armsrc/iso14443a.h @@ -13,6 +13,7 @@ #ifndef __ISO14443A_H #define __ISO14443A_H #include "../include/common.h" +#include "../include/mifare.h" #include "mifaresniff.h" typedef struct { diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 7b6fa97a..98045d81 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c 
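Review bot: No prototype is added for the new `TurnReadLFOn()` helper that the lfops.c hunks introduce; it is defined after T55xxReadBlock and T55xxReadTrace, which both call it, so those calls compile as implicit declarations unless a declaration exists elsewhere. Add `void TurnReadLFOn(void);` next to the other lfops.c prototypes in this hunk, and give the definition a `(void)` parameter list instead of the empty parentheses used in the @@ -1058 hunk. The prototype change of `CmdHIDsimTAG` to `int ledcontrol` has no matching definition change visible in this diff, so confirm the lfops.c definition agrees (`SimulateTagLowFrequency` is updated in the @@ -465 hunk). The surrounding declaration list continues outside the hunk.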
@@ -82,8 +82,10 @@ void LFSetupFPGAForADC(int divisor, bool lf_field) // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); + // Give it a bit of time for the resonant antenna to settle. - SpinDelay(50); + SpinDelay(150); + // Now set up the SSC to get the ADC samples that are now streaming at us. FpgaSetupSsc(); } @@ -465,7 +467,7 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc) DbpString("Now use tiread to check"); } -void SimulateTagLowFrequency(int period, int gap, int ledcontrol) +void SimulateTagLowFrequency(uint16_t period, uint32_t gap, uint8_t ledcontrol) { int i; uint8_t *tab = BigBuf_get_addr(); @@ -897,10 +899,20 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) * To compensate antenna falling times shorten the write times * and enlarge the gap ones. */ -#define START_GAP 250 -#define WRITE_GAP 160 -#define WRITE_0 144 // 192 -#define WRITE_1 400 // 432 for T55x7; 448 for E5550 +#define START_GAP 30*8 // 10 - 50fc 250 +#define WRITE_GAP 20*8 // 8 - 30fc +#define WRITE_0 24*8 // 16 - 31fc 24fc 192 +#define WRITE_1 54*8 // 48 - 63fc 54fc 432 for T55x7; 448 for E5550 + +// VALUES TAKEN FROM EM4x function: SendForward +// START_GAP = 440; (55*8) cycles at 125Khz (8us = 1cycle) +// WRITE_GAP = 128; (16*8) +// WRITE_1 = 256 32*8; (32*8) + +// These timings work for 4469/4269/4305 (with the 55*8 above) +// WRITE_0 = 23*8 , 9*8 SpinDelayUs(23*8); + +#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..) // Write one bit to card void T55xxWriteBit(int bit) @@ -908,7 +920,7 @@ void T55xxWriteBit(int bit) FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - if (bit == 0) + if (!bit) SpinDelayUs(WRITE_0); else SpinDelayUs(WRITE_1); 
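Review bot: Tripling the settle delay in `LFSetupFPGAForADC` to `SpinDelay(150)` affects every caller of this shared helper, not only the T55xx paths this commit moves onto it. If only the T55xx read and write paths need the longer antenna-settle and tag power-up time, keep the helper's delay as it was and add the extra wait in those callers, or at least note in the comment which callers motivated the change. The function's opening lines are outside the hunk.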
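Review bot: The new timing macros are unparenthesized products (`#define START_GAP 30*8`, `WRITE_GAP 20*8`, `WRITE_0 24*8`, `WRITE_1 54*8`), which is only safe while every use is a bare argument such as `SpinDelayUs(WRITE_0)`; wrap each expansion, e.g. `#define START_GAP (30*8)`. The comment on `T55xx_SAMPLES_SIZE` gives `32 x 32 x 10`, which is 10240 rather than 12000, so either the arithmetic in the comment or the constant should be corrected so the next reader can trust one of them.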
@@ -919,16 +931,11 @@ void T55xxWriteBit(int bit) // Write one card block in page 0, no lock void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode) { - //unsigned int i; //enio adjustment 12/10/14 - uint32_t i; - - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + uint32_t i = 0; - // Give it a bit of time for the resonant antenna to settle. - // And for the tag to fully power up - SpinDelay(150); + // Set up FPGA, 125kHz + // Wait for config.. (192+8190xPOW)x8 == 67ms + LFSetupFPGAForADC(0, true); // Now start writting FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); 
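Review bot: `LFSetupFPGAForADC(0, true)` replaces an explicit `FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95)` (125 kHz), and whether the helper maps divisor 0 to 95 is not visible in this diff; if the 0 is passed through unchanged the write carrier changes. Either pass `95` explicitly or, if 0 is the helper's "default" value, say so in the comment: `// divisor 0 -> helper default (125 kHz)`. The same call is introduced in T55xxReadBlock (@@ -965) and T55xxReadTrace (@@ -1003). T55xxWriteBlock continues outside the hunk.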
@@ -965,26 +972,15 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) { uint8_t *dest = BigBuf_get_addr(); - //int m=0, i=0; //enio adjustment 12/10/14 - uint32_t m=0, i=0; - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - m = BigBuf_max_traceLen(); - // Clear destination buffer before sending the command - memset(dest, 128, m); - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - - LED_D_ON(); - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - - // Give it a bit of time for the resonant antenna to settle. - // And for the tag to fully power up - SpinDelay(150); - - // Now start writting + //uint16_t bufferlength = BigBuf_max_traceLen(); + uint16_t bufferlength = T55xx_SAMPLES_SIZE; + uint32_t i = 0; + // Clear destination buffer before sending the command 0x80 = average. + memset(dest, 0x80, bufferlength); + + // Set up FPGA, 125kHz + // Wait for config.. (192+8190xPOW)x8 == 67ms + LFSetupFPGAForADC(0, true); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(START_GAP); 
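Review bot: `memset(dest, 0x80, bufferlength)` and the acquisition loop in the following hunk now use the fixed `T55xx_SAMPLES_SIZE` (12000) where the removed code used `BigBuf_max_traceLen()`, so the writes into `dest` are no longer bounded by the actual BigBuf size. Keep the constant but clamp it before the memset: `if (bufferlength > BigBuf_max_traceLen()) bufferlength = BigBuf_max_traceLen();`. The same replacement is made in T55xxReadTrace (@@ -1003) and needs the same clamp. T55xxReadBlock continues outside the hunk.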
@@ -1003,53 +999,40 @@ void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) T55xxWriteBit(Block & i); // Turn field on to read the response - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + TurnReadLFOn(); // Now do the acquisition i = 0; for(;;) { if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { AT91C_BASE_SSC->SSC_THR = 0x43; + //AT91C_BASE_SSC->SSC_THR = 0xff; + LED_D_ON(); } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - // we don't care about actual value, only if it's more or less than a - // threshold essentially we capture zero crossings for later analysis - // if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; - i++; - if (i >= m) break; + ++i; + LED_D_OFF(); + if (i >= bufferlength) break; } } + cmd_send(CMD_ACK,0,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); - DbpString("DONE!"); } // Read card traceability data (page 1) void T55xxReadTrace(void){ uint8_t *dest = BigBuf_get_addr(); - int m=0, i=0; - - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - m = BigBuf_max_traceLen(); - // Clear destination buffer before sending the command - memset(dest, 128, m); - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - - LED_D_ON(); - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - - // Give it a bit of time for the resonant antenna to settle. 
- // And for the tag to fully power up - SpinDelay(150); - - // Now start writting + //uint16_t bufferlength = BigBuf_max_traceLen(); + uint16_t bufferlength = T55xx_SAMPLES_SIZE; + uint32_t i = 0; + + // Clear destination buffer before sending the command 0x80 = average + memset(dest, 0x80, bufferlength); + + LFSetupFPGAForADC(0, true); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(START_GAP); @@ -1058,25 +1041,34 @@ void T55xxReadTrace(void){ T55xxWriteBit(1); //Page 1 // Turn field on to read the response - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + TurnReadLFOn(); // Now do the acquisition - i = 0; for(;;) { if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { AT91C_BASE_SSC->SSC_THR = 0x43; + LED_D_ON(); } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - i++; - if (i >= m) break; - } - } - + ++i; + LED_D_OFF(); + + if (i >= bufferlength) break; + } + } + + cmd_send(CMD_ACK,0,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); - DbpString("DONE!"); +} + +void TurnReadLFOn(){ + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + // Give it a bit of time for the resonant antenna to settle. + //SpinDelay(30); + SpinDelayUs(8*150); } /*-------------- Cloning routines -----------*/ @@ -1800,9 +1792,14 @@ void EM4xLogin(uint32_t Password) { void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { + uint8_t *dest = BigBuf_get_addr(); + uint16_t bufferlength = BigBuf_max_traceLen(); + uint32_t i = 0; + + // Clear destination buffer before sending the command 0x80 = average. + memset(dest, 0x80, bufferlength); + uint8_t fwd_bit_count; - uint8_t *dest = BigBuf_get_addr(); - int m=0, i=0; //If password mode do login if (PwdMode == 1) EM4xLogin(Pwd); 
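Review bot: The `cmd_send(CMD_ACK,0,0,0,0,0)` added at the end of T55xxReadBlock (and likewise in T55xxReadTrace here and EM4xReadWord in @@ -1829) is sent before `FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF)`, so the client may issue its follow-up sample download while the reader field is still up; move the ack after the field-off and `LED_D_OFF()` lines. The client's unchanged `WaitForResponseTimeout(CMD_ACK, ...)` in CmdReadBlk already expected an ack before this commit, so check that the command dispatcher does not also acknowledge these commands, which would leave a stray CMD_ACK queued for the next command.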
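Review bot: `TurnReadLFOn()` waits `SpinDelayUs(8*150)` after re-enabling the field, whereas the inline code it replaces in T55xxReadBlock and T55xxReadTrace started sampling immediately after `FpgaWriteConfWord(...READER_FIELD)`; if the tag begins its reply as soon as the field returns, the first 1.2 ms of the response are now not captured. Confirm the delay is intended and document the trade-off on that line, e.g. `// settle before sampling; the start of the tag response falls inside this window`.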
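Review bot: `uint16_t bufferlength = BigBuf_max_traceLen();` narrows the helper's return value, whose type is not visible here; if BigBuf can exceed 65535 bytes, the memset here and the loop bound in @@ -1829 silently wrap to a smaller size. Declare it `uint32_t bufferlength` (or `size_t`) to match `i`. The same `uint16_t` is used for the T55xx buffer lengths in @@ -965 and @@ -1003, where the 12000 constant fits but the type invites the same problem later. EM4xReadWord continues outside the hunk.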
@@ -1811,9 +1808,6 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { fwd_bit_count = Prepare_Cmd( FWD_CMD_READ ); fwd_bit_count += Prepare_Addr( Address ); - m = BigBuf_max_traceLen(); - // Clear destination buffer before sending the command - memset(dest, 128, m); // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); // Now set up the SSC to get the ADC samples that are now streaming at us. @@ -1829,10 +1823,12 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - i++; - if (i >= m) break; - } - } + ++i; + if (i >= bufferlength) break; + } + } + + cmd_send(CMD_ACK,0,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); } diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index f35edaa4..c023d57f 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -65,8 +65,12 @@ int CmdReadBlk(const char *Cmd) int invert = 0; int clk = 0; int block = -1; + int errCnt; + size_t bitlen; + //int decodedBitlen; + uint32_t blockData; uint8_t bits[MAX_GRAPH_TRACE_LEN] = {0x00}; - + sscanf(Cmd, "%d", &block); if ((block > 7) | (block < 0)) { 
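Review bot: Hoisting `int errCnt;`, `size_t bitlen;` and `uint32_t blockData;` to the top of CmdReadBlk leaves them uninitialized until their first use in the next hunk, whereas the lines they replace there declared each at the point of use, which the rest of the file already does (C99 style). Keep `size_t bitlen = getFromGraphBuf(bits);` and `int errCnt = askrawdemod(bits, &bitlen, &clk, &invert);` at the point of use, and drop the commented-out `//int decodedBitlen;` instead of committing it. CmdReadBlk continues outside the hunk.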
@@ -78,21 +82,21 @@ int CmdReadBlk(const char *Cmd) SendCommand(&c); if ( !WaitForResponseTimeout(CMD_ACK,NULL,1500) ) { PrintAndLog("command execution time out"); - return 1; + return 2; } - CmdSamples(""); + CmdSamples("12000"); - size_t bitlen = getFromGraphBuf(bits); + bitlen = getFromGraphBuf(bits); - int errCnt = askrawdemod(bits, &bitlen, &clk, &invert); + errCnt = askrawdemod(bits, &bitlen, &clk, &invert); //throw away static - allow 1 and -1 (in case of threshold command first) if ( errCnt == -1 || bitlen < 16 ){ PrintAndLog("no data found"); if (g_debugMode) PrintAndLog("errCnt: %d, bitlen: %d, clk: %d, invert: %d", errCnt, bitlen, clk, invert); - return 0; + return 3; } if (g_debugMode) PrintAndLog("Using Clock: %d - invert: %d - Bits Found: %d", clk, invert, bitlen); @@ -100,6 +104,23 @@ int CmdReadBlk(const char *Cmd) //move bits back to DemodBuffer setDemodBuf(bits, bitlen, 0); printBitStream(bits,bitlen); + + // bits has the manchester encoded data. + errCnt = manrawdecode(bits, &bitlen); + if ( errCnt == -1 || bitlen < 16 ){ + PrintAndLog("no data found"); + if (g_debugMode) + PrintAndLog("errCnt: %d, bitlen: %d, clk: %d, invert: %d", errCnt, bitlen, clk, invert); + return 4; + } + + blockData = PackBits(0, 32, bits); + + if ( block < 0) + PrintAndLog(" Decoded : 0x%08X %s", blockData, sprint_bin(bits,32) ); + else + PrintAndLog(" Block %d : 0x%08X %s", block, blockData, sprint_bin(bits,32) ); + return 0; } @@ -391,9 +412,7 @@ int ManchesterDemod(int blockNum){ uint8_t bits[LF_BITSSTREAM_LEN] = {0x00}; uint8_t * bitstream = bits; - //manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream, LF_BITSSTREAM_LEN); manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bits, LF_BITSSTREAM_LEN); - //blockData = PackBits(offset, sizebyte, bitstream); blockData = PackBits(offset, sizebyte, bits); if ( blockNum < 0) 
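Review bot: `CmdSamples("12000")` hard-codes the firmware's `T55xx_SAMPLES_SIZE` as a string literal with nothing tying the two together, so they will drift apart silently; define the value once on the client side (a constructed name such as `T55XX_SAMPLES_SIZE` in a shared header would do) and build the argument from it. The changed return codes (`return 2` for the timeout, `return 3` for no data) turn the no-data case from 0 into non-zero; any caller that relied on the old `return 0` there (CmdDump, if it calls CmdReadBlk) changes behaviour, so check them. CmdReadBlk continues outside the hunk.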
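Review bot: After `manrawdecode` the guard is still `bitlen < 16`, but `PackBits(0, 32, bits)` and `sprint_bin(bits,32)` consume 32 bits, so a decode yielding 16–31 bits is packed with stale or zero tail bits and printed as a valid block; change the guard to `if ( errCnt == -1 || bitlen < 32 ){`. The added debug line passes the `size_t` `bitlen` to `%d`, which is a format mismatch; use `%zu` or cast with `(int)bitlen`.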
@@ -524,7 +543,7 @@ static command_t CommandTable[] = {"trace", CmdReadTrace, 0, "[1] Read T55xx traceability data (page 1/ blk 0-1)"}, {"info", CmdInfo, 0, "[1] Read T55xx configuration data (page 0/ blk 0)"}, {"dump", CmdDump, 0, "[password] Dump T55xx card block 0-7. optional with password"}, - {"fsk", CmdIceFsk, 0, "FSK demod"}, + //{"fsk", CmdIceFsk, 0, "FSK demod"}, {"man", CmdIceManchester, 0, "Manchester demod (with SST)"}, {NULL, NULL, 0, NULL} }; diff --git a/client/ui.c b/client/ui.c index b31f1ead..10ae1310 100644 --- a/client/ui.c +++ b/client/ui.c @@ -213,8 +213,6 @@ int manchester_decode( int * data, const size_t len, uint8_t * dataout, size_t int ManchesterConvertFrom1(const int * data, const size_t len, uint8_t * dataout,int dataoutlen, int clock, int startIndex){ - PrintAndLog(" Path B"); - int i,j, bitindex, lc, tolerance, warnings; warnings = 0; int upperlimit = len*2/clock+8;