From 13d77ef964cefe68750873d5268299a53c9e22a5 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Sun, 22 Mar 2015 15:28:48 -0400 Subject: [PATCH 1/1] lf t5 read plus lf demod adjustments lf t5xx commands updated from ICEMAN lf em410x commands updated lf search bug fix for 2 args test scripts from iceman lf demod: better ask clock detection with Strong fully clipped waves better ask raw demod with strong fully clipped waves fsk demod add back in skipped bits during demod nrz demod add back in skipped bits during demod --- armsrc/lfops.c | 95 ++- client/cmddata.c | 203 +++-- client/cmddata.h | 2 + client/cmdlf.c | 12 +- client/cmdlfem4x.c | 181 +---- client/cmdlft55xx.c | 1140 ++++++++++++++++++++++++++--- client/cmdlft55xx.h | 55 +- client/scripts/test_t55x7_ask.lua | 139 ++++ client/scripts/test_t55x7_bi.lua | 133 ++++ client/scripts/test_t55x7_fsk.lua | 139 ++++ client/scripts/test_t55x7_psk.lua | 99 ++- client/scripts/tracetest.lua | 26 +- common/lfdemod.c | 254 ++++--- common/lfdemod.h | 2 + 14 files changed, 1944 insertions(+), 536 deletions(-) create mode 100644 client/scripts/test_t55x7_ask.lua create mode 100644 client/scripts/test_t55x7_bi.lua create mode 100644 client/scripts/test_t55x7_fsk.lua diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 2a5573d1..94cfafdf 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -1030,10 +1030,12 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) * To compensate antenna falling times shorten the write times * and enlarge the gap ones. */ -#define START_GAP 250 -#define WRITE_GAP 160 -#define WRITE_0 144 // 192 -#define WRITE_1 400 // 432 for T55x7; 448 for E5550 +#define START_GAP 50*8 // 10 - 50fc 250 +#define WRITE_GAP 20*8 // - 30fc 160 +#define WRITE_0 24*8 // 16 - 63fc 54fc 144 +#define WRITE_1 54*8 // 48 - 63fc 54fc 432 for T55x7; 448 for E5550 //400 + +#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..) // Write one bit to card void T55xxWriteBit(int bit) @@ -1052,7 +1054,6 @@ void T55xxWriteBit(int bit) // Write one card block in page 0, no lock void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode) { - //unsigned int i; //enio adjustment 12/10/14 uint32_t i; FpgaDownloadAndGo(FPGA_BITSTREAM_LF); @@ -1061,7 +1062,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod // Give it a bit of time for the resonant antenna to settle. // And for the tag to fully power up - SpinDelay(150); + //SpinDelay(150); // Now start writting FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); @@ -1094,30 +1095,28 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); } +void TurnReadLFOn(){ + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + // Give it a bit of time for the resonant antenna to settle. + SpinDelayUs(8*150); +} + + // Read one card block in page 0 void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) { + uint32_t i = 0; uint8_t *dest = BigBuf_get_addr(); - //int m=0, i=0; //enio adjustment 12/10/14 - uint32_t m=0, i=0; - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - m = BigBuf_max_traceLen(); - // Clear destination buffer before sending the command - memset(dest, 128, m); - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); + uint16_t bufferlength = BigBuf_max_traceLen(); + if ( bufferlength > T55xx_SAMPLES_SIZE ) + bufferlength = T55xx_SAMPLES_SIZE; - LED_D_ON(); - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - - // Give it a bit of time for the resonant antenna to settle. - // And for the tag to fully power up - SpinDelay(150); + // Clear destination buffer before sending the command + memset(dest, 0x80, bufferlength); - // Now start writting + // Set up FPGA, 125kHz + // Wait for config.. (192+8190xPOW)x8 == 67ms + LFSetupFPGAForADC(0, true); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(START_GAP); @@ -1136,53 +1135,40 @@ void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode) T55xxWriteBit(Block & i); // Turn field on to read the response - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); - + TurnReadLFOn(); // Now do the acquisition i = 0; for(;;) { if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { AT91C_BASE_SSC->SSC_THR = 0x43; + LED_D_ON(); } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - // we don't care about actual value, only if it's more or less than a - // threshold essentially we capture zero crossings for later analysis - // if(dest[i] < 127) dest[i] = 0; else dest[i] = 1; i++; - if (i >= m) break; + LED_D_OFF(); + if (i >= bufferlength) break; } } + cmd_send(CMD_ACK,0,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); - DbpString("DONE!"); } // Read card traceability data (page 1) void T55xxReadTrace(void){ + + uint32_t i = 0; uint8_t *dest = BigBuf_get_addr(); - int m=0, i=0; + uint16_t bufferlength = BigBuf_max_traceLen(); + if ( bufferlength > T55xx_SAMPLES_SIZE ) + bufferlength= T55xx_SAMPLES_SIZE; - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); - m = BigBuf_max_traceLen(); // Clear destination buffer before sending the command - memset(dest, 128, m); - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - - LED_D_ON(); - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + memset(dest, 0x80, bufferlength); - // Give it a bit of time for the resonant antenna to settle. - // And for the tag to fully power up - SpinDelay(150); - - // Now start writting + LFSetupFPGAForADC(0, true); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(START_GAP); @@ -1191,25 +1177,26 @@ void T55xxReadTrace(void){ T55xxWriteBit(1); //Page 1 // Turn field on to read the response - FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + TurnReadLFOn(); // Now do the acquisition - i = 0; for(;;) { if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { AT91C_BASE_SSC->SSC_THR = 0x43; + LED_D_ON(); } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; i++; - if (i >= m) break; + LED_D_OFF(); + + if (i >= bufferlength) break; } } + cmd_send(CMD_ACK,0,0,0,0,0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off LED_D_OFF(); - DbpString("DONE!"); } /*-------------- Cloning routines -----------*/ diff --git a/client/cmddata.c b/client/cmddata.c index a3d58523..8017d169 100644 --- a/client/cmddata.c +++ b/client/cmddata.c @@ -33,6 +33,12 @@ static int CmdHelp(const char *Cmd); //by marshmellow void setDemodBuf(uint8_t *buff, size_t size, size_t startIdx) { + if (buff == NULL) + return; + + if ( size >= MAX_DEMOD_BUF_LEN) + size = MAX_DEMOD_BUF_LEN; + size_t i = 0; for (; i < size; i++){ DemodBuffer[i]=buff[startIdx++]; @@ -279,18 +285,101 @@ void printEM410x(uint32_t hi, uint64_t id) //output 40 bit em id PrintAndLog("EM TAG ID : %010llx", id); PrintAndLog("Unique TAG ID: %010llx", id2lo); + PrintAndLog(""); + PrintAndLog("Possible de-scramble patterns"); + PrintAndLog("HoneyWell IdentKey"); PrintAndLog("DEZ 8 : %08lld",id & 0xFFFFFF); - PrintAndLog("DEZ 10 : %010lld",id & 0xFFFFFF); + PrintAndLog("DEZ 10 : %010lld",id & 0xFFFFFFFF); PrintAndLog("DEZ 5.5 : %05lld.%05lld",(id>>16LL) & 0xFFFF,(id & 0xFFFF)); PrintAndLog("DEZ 3.5A : %03lld.%05lld",(id>>32ll),(id & 0xFFFF)); + PrintAndLog("DEZ 3.5B : %03lld.%05lld",(id & 0xFF000000) >> 24,(id & 0xFFFF)); + PrintAndLog("DEZ 3.5C : %03lld.%05lld",(id & 0xFF0000) >> 16,(id & 0xFFFF)); PrintAndLog("DEZ 14/IK2 : %014lld",id); PrintAndLog("DEZ 15/IK3 : %015lld",id2lo); PrintAndLog("Other : %05lld_%03lld_%08lld",(id&0xFFFF),((id>>16LL) & 0xFF),(id & 0xFFFFFF)); + PrintAndLog("DEZ 20/ZK : %02lld%02lld%02lld%02lld%02lld%02lld%02lld%02lld%02lld%02lld", + (id2lo & 0xf000000000) >> 36, + (id2lo & 0x0f00000000) >> 32, + (id2lo & 0x00f0000000) >> 28, + (id2lo & 0x000f000000) >> 24, + (id2lo & 0x0000f00000) >> 20, + (id2lo & 0x00000f0000) >> 16, + (id2lo & 0x000000f000) >> 12, + (id2lo & 0x0000000f00) >> 8, + (id2lo & 0x00000000f0) >> 4, + (id2lo & 0x000000000f) + ); + + PrintAndLog(""); + uint64_t paxton = (((id>>32) << 24) | (id & 0xffffff)) + 0x143e00; + PrintAndLog("Pattern Paxton : %0d", paxton); + + uint32_t p1id = (id & 0xFFFFFF); + uint8_t arr[32] = {0x00}; + int i =0; + int j = 23; + for (; i < 24; ++i, --j ){ + arr[i] = (p1id >> i) & 1; + } + + uint32_t p1 = 0; + + p1 |= arr[23] << 21; + p1 |= arr[22] << 23; + p1 |= arr[21] << 20; + p1 |= arr[20] << 22; + + p1 |= arr[19] << 18; + p1 |= arr[18] << 16; + p1 |= arr[17] << 19; + p1 |= arr[16] << 17; + + p1 |= arr[15] << 13; + p1 |= arr[14] << 15; + p1 |= arr[13] << 12; + p1 |= arr[12] << 14; + + p1 |= arr[11] << 6; + p1 |= arr[10] << 2; + p1 |= arr[9] << 7; + p1 |= arr[8] << 1; + + p1 |= arr[7] << 0; + p1 |= arr[6] << 8; + p1 |= arr[5] << 11; + p1 |= arr[4] << 3; + + p1 |= arr[3] << 10; + p1 |= arr[2] << 4; + p1 |= arr[1] << 5; + p1 |= arr[0] << 9; + PrintAndLog("Pattern 1 : 0x%X - %d", p1, p1); + + uint16_t sebury1 = id & 0xFFFF; + uint8_t sebury2 = (id >> 16) & 0x7F; + uint32_t sebury3 = id & 0x7FFFFF; + PrintAndLog("Pattern Sebury : %d %d %d (hex: %X %X %X)", sebury1, sebury2, sebury3, sebury1, sebury2, sebury3); } } return; } + +int AskEm410xDemod(const char *Cmd, uint32_t *hi, uint64_t *lo) +{ + int ans = ASKmanDemod(Cmd, FALSE, FALSE); + if (!ans) return 0; + + size_t idx=0; + if (Em410xDecode(DemodBuffer,(size_t *) &DemodBufferLen, &idx, hi, lo)){ + if (g_debugMode){ + PrintAndLog("DEBUG: idx: %d, Len: %d, Printing Demod Buffer:", idx, DemodBufferLen); + printDemodBuff(); + } + return 1; + } + return 0; +} //by marshmellow //takes 3 arguments - clock, invert and maxErr as integers //attempts to demodulate ask while decoding manchester @@ -311,17 +400,9 @@ int CmdAskEM410xDemod(const char *Cmd) PrintAndLog(" : data askem410xdemod 64 1 0 = demod an EM410x Tag ID from GraphBuffer using a clock of RF/64 and inverting data and allowing 0 demod errors"); return 0; } - int ans = ASKmanDemod(Cmd, FALSE, FALSE); - if (!ans) return 0; - - uint64_t lo =0; - uint32_t hi =0; - size_t idx=0; - if (Em410xDecode(DemodBuffer,(size_t *) &DemodBufferLen, &idx, &hi, &lo)){ - if (g_debugMode){ - PrintAndLog("DEBUG: idx: %d, Len: %d, Printing Demod Buffer:", idx, DemodBufferLen); - printDemodBuff(); - } + uint32_t hi; + uint64_t lo; + if (AskEm410xDemod(Cmd, &hi, &lo)) { PrintAndLog("EM410x pattern found: "); printEM410x(hi, lo); return 1; @@ -1859,21 +1940,19 @@ int NRZrawDemod(const char *Cmd, bool verbose) int errCnt=0; errCnt = nrzRawDemod(BitStream, &BitLen, &clk, &invert, maxErr); if (errCnt > maxErr){ - if (g_debugMode==1 && verbose) PrintAndLog("Too many errors found, clk: %d, invert: %d, numbits: %d, errCnt: %d",clk,invert,BitLen,errCnt); + if (g_debugMode) PrintAndLog("Too many errors found, clk: %d, invert: %d, numbits: %d, errCnt: %d",clk,invert,BitLen,errCnt); return 0; } if (errCnt<0|| BitLen<16){ //throw away static - allow 1 and -1 (in case of threshold command first) - if (g_debugMode==1 && verbose) PrintAndLog("no data found, clk: %d, invert: %d, numbits: %d, errCnt: %d",clk,invert,BitLen,errCnt); + if (g_debugMode) PrintAndLog("no data found, clk: %d, invert: %d, numbits: %d, errCnt: %d",clk,invert,BitLen,errCnt); return 0; } - PrintAndLog("Tried NRZ Demod using Clock: %d - invert: %d - Bits Found: %d",clk,invert,BitLen); + if (verbose || g_debugMode) PrintAndLog("Tried NRZ Demod using Clock: %d - invert: %d - Bits Found: %d",clk,invert,BitLen); //prime demod buffer for output setDemodBuf(BitStream,BitLen,0); - if (errCnt>0 && verbose){ - PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt); - } - if (verbose) { + if (errCnt>0 && (verbose || g_debugMode)) PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt); + if (verbose || g_debugMode) { PrintAndLog("NRZ demoded bitstream:"); // Now output the bitstream to the scrollback by line of 16 bits printDemodBuff(); @@ -2652,60 +2731,52 @@ int CmdZerocrossings(const char *Cmd) static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"amp", CmdAmp, 1, "Amplify peaks"}, + {"help", CmdHelp, 1, "This help"}, + {"amp", CmdAmp, 1, "Amplify peaks"}, //{"askdemod", Cmdaskdemod, 1, "<0 or 1> -- Attempt to demodulate simple ASK tags"}, - {"askedgedetect", CmdAskEdgeDetect, 1, "[threshold] Adjust Graph for manual ask demod using length of sample differences to detect the edge of a wave (default = 25)"}, - {"askem410xdemod",CmdAskEM410xDemod, 1, "[clock] [invert<0|1>] [maxErr] -- Demodulate an EM410x tag from GraphBuffer (args optional)"}, - {"askgproxiidemod",CmdG_Prox_II_Demod,1, "Demodulate a G Prox II tag from GraphBuffer"}, - //{"askmandemod", Cmdaskmandemod, 1, "[clock] [invert<0|1>] [maxErr] -- Attempt to demodulate ASK/Manchester tags and output binary (args optional)"}, - //{"askrawdemod", Cmdaskrawdemod, 1, "[clock] [invert<0|1>] -- Attempt to demodulate ASK tags and output bin (args optional)"}, - {"autocorr", CmdAutoCorr, 1, "[window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)"}, + {"askedgedetect", CmdAskEdgeDetect, 1, "[threshold] Adjust Graph for manual ask demod using length of sample differences to detect the edge of a wave (default = 25)"}, + {"askem410xdemod", CmdAskEM410xDemod, 1, "[clock] [invert<0|1>] [maxErr] -- Demodulate an EM410x tag from GraphBuffer (args optional)"}, + {"askgproxiidemod", CmdG_Prox_II_Demod, 1, "Demodulate a G Prox II tag from GraphBuffer"}, + {"autocorr", CmdAutoCorr, 1, "[window length] [g] -- Autocorrelation over window - g to save back to GraphBuffer (overwrite)"}, {"biphaserawdecode",CmdBiphaseDecodeRaw,1,"[offset] [invert<0|1>] Biphase decode bin stream in DemodBuffer (offset = 0|1 bits to shift the decode start)"}, - {"bitsamples", CmdBitsamples, 0, "Get raw samples as bitstring"}, + {"bitsamples", CmdBitsamples, 0, "Get raw samples as bitstring"}, //{"bitstream", CmdBitstream, 1, "[clock rate] -- Convert waveform into a bitstream"}, - {"buffclear", CmdBuffClear, 1, "Clear sample buffer and graph window"}, - {"dec", CmdDec, 1, "Decimate samples"}, - {"detectclock", CmdDetectClockRate, 1, "[modulation] Detect clock rate of wave in GraphBuffer (options: 'a','f','n','p' for ask, fsk, nrz, psk respectively)"}, + {"buffclear", CmdBuffClear, 1, "Clear sample buffer and graph window"}, + {"dec", CmdDec, 1, "Decimate samples"}, + {"detectclock", CmdDetectClockRate, 1, "[modulation] Detect clock rate of wave in GraphBuffer (options: 'a','f','n','p' for ask, fsk, nrz, psk respectively)"}, //{"fskdemod", CmdFSKdemod, 1, "Demodulate graph window as a HID FSK"}, - {"fskawiddemod", CmdFSKdemodAWID, 1, "Demodulate an AWID FSK tag from GraphBuffer"}, + {"fskawiddemod", CmdFSKdemodAWID, 1, "Demodulate an AWID FSK tag from GraphBuffer"}, //{"fskfcdetect", CmdFSKfcDetect, 1, "Try to detect the Field Clock of an FSK wave"}, - {"fskhiddemod", CmdFSKdemodHID, 1, "Demodulate a HID FSK tag from GraphBuffer"}, - {"fskiodemod", CmdFSKdemodIO, 1, "Demodulate an IO Prox FSK tag from GraphBuffer"}, - {"fskpyramiddemod",CmdFSKdemodPyramid,1, "Demodulate a Pyramid FSK tag from GraphBuffer"}, - {"fskparadoxdemod",CmdFSKdemodParadox,1, "Demodulate a Paradox FSK tag from GraphBuffer"}, - //{"fskrawdemod", CmdFSKrawdemod, 1, "[clock rate] [invert] [rchigh] [rclow] Demodulate graph window from FSK to bin (clock = 50)(invert = 1|0)(rchigh = 10)(rclow=8)"}, - {"getbitstream", CmdGetBitStream, 1, "Convert GraphBuffer's >=1 values to 1 and <1 to 0"}, - {"grid", CmdGrid, 1, " -- overlay grid on graph window, use zero value to turn off either"}, - {"hexsamples", CmdHexsamples, 0, " [] -- Dump big buffer as hex bytes"}, - {"hide", CmdHide, 1, "Hide graph window"}, - {"hpf", CmdHpf, 1, "Remove DC offset from trace"}, - {"load", CmdLoad, 1, " -- Load trace (to graph window"}, - {"ltrim", CmdLtrim, 1, " -- Trim samples from left of trace"}, - {"rtrim", CmdRtrim, 1, " -- Trim samples from right of trace"}, + {"fskhiddemod", CmdFSKdemodHID, 1, "Demodulate a HID FSK tag from GraphBuffer"}, + {"fskiodemod", CmdFSKdemodIO, 1, "Demodulate an IO Prox FSK tag from GraphBuffer"}, + {"fskpyramiddemod", CmdFSKdemodPyramid, 1, "Demodulate a Pyramid FSK tag from GraphBuffer"}, + {"fskparadoxdemod", CmdFSKdemodParadox, 1, "Demodulate a Paradox FSK tag from GraphBuffer"}, + {"getbitstream", CmdGetBitStream, 1, "Convert GraphBuffer's >=1 values to 1 and <1 to 0"}, + {"grid", CmdGrid, 1, " -- overlay grid on graph window, use zero value to turn off either"}, + {"hexsamples", CmdHexsamples, 0, " [] -- Dump big buffer as hex bytes"}, + {"hide", CmdHide, 1, "Hide graph window"}, + {"hpf", CmdHpf, 1, "Remove DC offset from trace"}, + {"load", CmdLoad, 1, " -- Load trace (to graph window"}, + {"ltrim", CmdLtrim, 1, " -- Trim samples from left of trace"}, + {"rtrim", CmdRtrim, 1, " -- Trim samples from right of trace"}, //{"mandemod", CmdManchesterDemod, 1, "[i] [clock rate] -- Manchester demodulate binary stream (option 'i' to invert output)"}, - {"manrawdecode", Cmdmandecoderaw, 1, "Manchester decode binary stream in DemodBuffer"}, - {"manmod", CmdManchesterMod, 1, "[clock rate] -- Manchester modulate a binary stream"}, - {"norm", CmdNorm, 1, "Normalize max/min to +/-128"}, - //{"nrzdetectclock",CmdDetectNRZClockRate, 1, "Detect ASK, PSK, or NRZ clock rate"}, - //{"nrzrawdemod", CmdNRZrawDemod, 1, "[clock] [invert<0|1>] [maxErr] -- Attempt to demodulate nrz tags and output binary (args optional)"}, - {"plot", CmdPlot, 1, "Show graph window (hit 'h' in window for keystroke help)"}, - //{"pskdetectclock",CmdDetectPSKClockRate, 1, "Detect ASK, PSK, or NRZ clock rate"}, - {"printdemodbuffer",CmdPrintDemodBuff,1, "[x] -- print the data in the DemodBuffer - 'x' for hex output"}, - {"pskindalademod",CmdIndalaDecode, 1, "[clock] [invert<0|1>] -- Demodulate an indala tag (PSK1) from GraphBuffer (args optional)"}, - //{"psk1rawdemod", CmdPSK1rawDemod, 1, "[clock] [invert<0|1>] [maxErr] -- Attempt to demodulate psk1 tags and output binary (args optional)"}, - //{"psk2rawdemod", CmdPSK2rawDemod, 1, "[clock] [invert<0|1>] [maxErr] -- Attempt to demodulate psk2 tags and output binary (args optional)"}, - {"rawdemod", CmdRawDemod, 1, "[modulation] ... -see help (h option) -- Demodulate the data in the GraphBuffer and output binary"}, - {"samples", CmdSamples, 0, "[512 - 40000] -- Get raw samples for graph window (GraphBuffer)"}, - {"save", CmdSave, 1, " -- Save trace (from graph window)"}, - {"scale", CmdScale, 1, " -- Set cursor display scale"}, - {"setdebugmode", CmdSetDebugMode, 1, "<0|1> -- Turn on or off Debugging Mode for demods"}, - {"shiftgraphzero",CmdGraphShiftZero, 1, " -- Shift 0 for Graphed wave + or - shift value"}, + {"manrawdecode", Cmdmandecoderaw, 1, "Manchester decode binary stream in DemodBuffer"}, + {"manmod", CmdManchesterMod, 1, "[clock rate] -- Manchester modulate a binary stream"}, + {"norm", CmdNorm, 1, "Normalize max/min to +/-128"}, + {"plot", CmdPlot, 1, "Show graph window (hit 'h' in window for keystroke help)"}, + {"printdemodbuffer",CmdPrintDemodBuff, 1, "[x] -- print the data in the DemodBuffer - 'x' for hex output"}, + {"pskindalademod", CmdIndalaDecode, 1, "[clock] [invert<0|1>] -- Demodulate an indala tag (PSK1) from GraphBuffer (args optional)"}, + {"rawdemod", CmdRawDemod, 1, "[modulation] ... -see help (h option) -- Demodulate the data in the GraphBuffer and output binary"}, + {"samples", CmdSamples, 0, "[512 - 40000] -- Get raw samples for graph window (GraphBuffer)"}, + {"save", CmdSave, 1, " -- Save trace (from graph window)"}, + {"scale", CmdScale, 1, " -- Set cursor display scale"}, + {"setdebugmode", CmdSetDebugMode, 1, "<0|1> -- Turn on or off Debugging Mode for demods"}, + {"shiftgraphzero", CmdGraphShiftZero, 1, " -- Shift 0 for Graphed wave + or - shift value"}, //{"threshold", CmdThreshold, 1, " -- Maximize/minimize every value in the graph window depending on threshold"}, - {"dirthreshold", CmdDirectionalThreshold, 1, " -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev."}, - {"tune", CmdTuneSamples, 0, "Get hw tune samples for graph window"}, - {"undec", CmdUndec, 1, "Un-decimate samples by 2"}, - {"zerocrossings", CmdZerocrossings, 1, "Count time between zero-crossings"}, + {"dirthreshold", CmdDirectionalThreshold, 1, " -- Max rising higher up-thres/ Min falling lower down-thres, keep rest as prev."}, + {"tune", CmdTuneSamples, 0, "Get hw tune samples for graph window"}, + {"undec", CmdUndec, 1, "Un-decimate samples by 2"}, + {"zerocrossings", CmdZerocrossings, 1, "Count time between zero-crossings"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmddata.h b/client/cmddata.h index 831d35f3..052bce06 100644 --- a/client/cmddata.h +++ b/client/cmddata.h @@ -63,12 +63,14 @@ int CmdThreshold(const char *Cmd); int CmdDirectionalThreshold(const char *Cmd); int CmdZerocrossings(const char *Cmd); int CmdIndalaDecode(const char *Cmd); +int AskEm410xDemod(const char *Cmd, uint32_t *hi, uint64_t *lo); int ASKbiphaseDemod(const char *Cmd, bool verbose); int ASKmanDemod(const char *Cmd, bool verbose, bool emSearch); int ASKrawDemod(const char *Cmd, bool verbose); int FSKrawDemod(const char *Cmd, bool verbose); int PSKDemod(const char *Cmd, bool verbose); int NRZrawDemod(const char *Cmd, bool verbose); +void printEM410x(uint32_t hi, uint64_t id); #define MAX_DEMOD_BUF_LEN (1024*128) extern uint8_t DemodBuffer[MAX_DEMOD_BUF_LEN]; diff --git a/client/cmdlf.c b/client/cmdlf.c index 039a33d5..4a1ee519 100644 --- a/client/cmdlf.c +++ b/client/cmdlf.c @@ -1016,7 +1016,7 @@ int CmdLFfind(const char *Cmd) int ans=0; char cmdp = param_getchar(Cmd, 0); char testRaw = param_getchar(Cmd, 1); - if (strlen(Cmd) > 2 || cmdp == 'h' || cmdp == 'H') { + if (strlen(Cmd) > 3 || cmdp == 'h' || cmdp == 'H') { PrintAndLog("Usage: lf search <0|1> [u]"); PrintAndLog(" , if not set, try reading data from tag."); PrintAndLog(" [Search for Unknown tags] , if not set, reads only known tags."); @@ -1037,50 +1037,60 @@ int CmdLFfind(const char *Cmd) return 0; } if (cmdp == 'u' || cmdp == 'U') testRaw = 'u'; + PrintAndLog("NOTE: some demods output possible binary\n if it finds something that looks like a tag"); PrintAndLog("False Positives ARE possible\n"); PrintAndLog("\nChecking for known tags:\n"); + ans=CmdFSKdemodIO(""); if (ans>0) { PrintAndLog("\nValid IO Prox ID Found!"); return 1; } + ans=CmdFSKdemodPyramid(""); if (ans>0) { PrintAndLog("\nValid Pyramid ID Found!"); return 1; } + ans=CmdFSKdemodParadox(""); if (ans>0) { PrintAndLog("\nValid Paradox ID Found!"); return 1; } + ans=CmdFSKdemodAWID(""); if (ans>0) { PrintAndLog("\nValid AWID ID Found!"); return 1; } + ans=CmdFSKdemodHID(""); if (ans>0) { PrintAndLog("\nValid HID Prox ID Found!"); return 1; } + //add psk and indala ans=CmdIndalaDecode(""); if (ans>0) { PrintAndLog("\nValid Indala ID Found!"); return 1; } + ans=CmdAskEM410xDemod(""); if (ans>0) { PrintAndLog("\nValid EM410x ID Found!"); return 1; } + ans=CmdG_Prox_II_Demod(""); if (ans>0) { PrintAndLog("\nValid G Prox II ID Found!"); return 1; } + PrintAndLog("\nNo Known Tags Found!\n"); if (testRaw=='u' || testRaw=='U'){ //test unknown tag formats (raw mode) diff --git a/client/cmdlfem4x.c b/client/cmdlfem4x.c index f6671bcd..5faf4801 100644 --- a/client/cmdlfem4x.c +++ b/client/cmdlfem4x.c @@ -43,163 +43,23 @@ int CmdEMdemodASK(const char *Cmd) */ int CmdEM410xRead(const char *Cmd) { - int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low; - int parity[4]; - char id[11] = {0x00}; - char id2[11] = {0x00}; - int retested = 0; - uint8_t BitStream[MAX_GRAPH_TRACE_LEN]; - high = low = 0; - - /* Detect high and lows and clock */ - for (i = 0; i < GraphTraceLen; i++) - { - if (GraphBuffer[i] > high) - high = GraphBuffer[i]; - else if (GraphBuffer[i] < low) - low = GraphBuffer[i]; - } - - /* get clock */ - clock = GetAskClock(Cmd, false, false); - - /* parity for our 4 columns */ - parity[0] = parity[1] = parity[2] = parity[3] = 0; - header = rows = 0; - - // manchester demodulate - bit = bit2idx = 0; - for (i = 0; i < (int)(GraphTraceLen / clock); i++) - { - hithigh = 0; - hitlow = 0; - first = 1; - - /* Find out if we hit both high and low peaks */ - for (j = 0; j < clock; j++) - { - if (GraphBuffer[(i * clock) + j] >= high) - hithigh = 1; - else if (GraphBuffer[(i * clock) + j] <= low) - hitlow = 1; - - /* it doesn't count if it's the first part of our read - because it's really just trailing from the last sequence */ - if (first && (hithigh || hitlow)) - hithigh = hitlow = 0; - else - first = 0; - - if (hithigh && hitlow) - break; - } - - /* If we didn't hit both high and low peaks, we had a bit transition */ - if (!hithigh || !hitlow) - bit ^= 1; - - BitStream[bit2idx++] = bit; - } - -retest: - /* We go till 5 before the graph ends because we'll get that far below */ - for (i = 1; i < bit2idx - 5; i++) - { - /* Step 2: We have our header but need our tag ID */ - if (header == 9 && rows < 10) - { - /* Confirm parity is correct */ - if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4]) - { - /* Read another byte! */ - sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3])); - sprintf(id2+rows, "%x", (8 * BitStream[i+3]) + (4 * BitStream[i+2]) + (2 * BitStream[i+1]) + (1 * BitStream[i])); - rows++; - - /* Keep parity info */ - parity[0] ^= BitStream[i]; - parity[1] ^= BitStream[i+1]; - parity[2] ^= BitStream[i+2]; - parity[3] ^= BitStream[i+3]; - - /* Move 4 bits ahead */ - i += 4; - } - - /* Damn, something wrong! reset */ - else - { - PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i); - - /* Start back rows * 5 + 9 header bits, -1 to not start at same place */ - i -= 9 + (5 * rows) - 5; - - rows = header = 0; - } - } - - /* Step 3: Got our 40 bits! confirm column parity */ - else if (rows == 10) - { - /* We need to make sure our 4 bits of parity are correct and we have a stop bit */ - if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] && - BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] && - BitStream[i+4] == 0) - { - /* Sweet! */ - PrintAndLog("EM410x Tag ID: %s", id); - PrintAndLog("Unique Tag ID: %s", id2); - - global_em410xId = id; - - /* Stop any loops */ - return 1; - } - - /* Crap! Incorrect parity or no stop bit, start all over */ - else - { - rows = header = 0; - - /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */ - i -= 59; - } - } - - /* Step 1: get our header */ - else if (header < 9) - { - /* Need 9 consecutive 1's */ - if (BitStream[i] == 1) - header++; - - /* We don't have a header, not enough consecutive 1 bits */ - else - header = 0; - } - } - - /* if we've already retested after flipping bits, return */ - if (retested++){ - PrintAndLog("Failed to decode"); + uint32_t hi=0; + uint64_t lo=0; + + if(!AskEm410xDemod("", &hi, &lo)) return 0; + PrintAndLog("EM410x pattern found: "); + printEM410x(hi, lo); + if (hi){ + PrintAndLog ("EM410x XL pattern found"); return 0; - } - - /* if this didn't work, try flipping bits */ - for (i = 0; i < bit2idx; i++) - BitStream[i] ^= 1; - - goto retest; + } + char id[11] = {0x00}; + sprintf(id, "%010x", lo); + global_em410xId = id; + return 1; } -/* emulate an EM410X tag - * Format: - * 1111 1111 1 <-- standard non-repeatable header - * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID - * .... - * CCCC <-- each bit here is parity for the 10 bits above in corresponding column - * 0 <-- stop bit, end of tag - */ +// emulate an EM410X tag int CmdEM410xSim(const char *Cmd) { int i, n, j, binary[4], parity[4]; @@ -282,27 +142,24 @@ int CmdEM410xSim(const char *Cmd) */ int CmdEM410xWatch(const char *Cmd) { - char cmdp = param_getchar(Cmd, 0); - int read_h = (cmdp == 'h'); do { if (ukbhit()) { printf("\naborted via keyboard!\n"); break; } - CmdLFRead(read_h ? "h" : ""); + CmdLFRead(""); CmdSamples("6000"); - } while ( - !CmdEM410xRead("") - ); + } while (!CmdEM410xRead("")); + return 0; } int CmdEM410xWatchnSpoof(const char *Cmd) { CmdEM410xWatch(Cmd); - PrintAndLog("# Replaying : %s",global_em410xId); - CmdEM410xSim(global_em410xId); + PrintAndLog("# Replaying captured ID: %s",global_em410xId); + CmdLFaskSim(""); return 0; } diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index a719c7ad..57540bd8 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -13,128 +13,1098 @@ #include "proxmark3.h" #include "ui.h" #include "graph.h" +#include "cmdmain.h" #include "cmdparser.h" #include "cmddata.h" #include "cmdlf.h" #include "cmdlft55xx.h" +#include "util.h" +#include "data.h" +#include "lfdemod.h" +#include "../common/crc.h" +#include "../common/iso14443crc.h" +#include "cmdhf14a.h" + +#define CONFIGURATION_BLOCK 0x00 +#define TRACE_BLOCK 0x01 + +// Default configuration +t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00}; + +int usage_t55xx_config(){ + PrintAndLog("Usage: lf t55xx config [d ] [i 1] [o ]"); + PrintAndLog("Options: "); + PrintAndLog(" h This help"); + PrintAndLog(" b <8|16|32|40|50|64|100|128> Set bitrate"); + PrintAndLog(" d Set demodulation FSK / ASK / PSK / NZ / Biphase / Biphase A"); + PrintAndLog(" i [1] Invert data signal, defaults to normal"); + PrintAndLog(" o [offset] Set offset, where data should start decode in bitstream"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx config d FSK - FSK demodulation"); + PrintAndLog(" lf t55xx config d FSK i 1 - FSK demodulation, inverse data"); + PrintAndLog(" lf t55xx config d FSK i 1 o 3 - FSK demodulation, inverse data, offset=3,start from position 3 to decode data"); + PrintAndLog(""); + return 0; +} +int usage_t55xx_read(){ + PrintAndLog("Usage: lf t55xx read "); + PrintAndLog(" , block number to read. Between 0-7"); + PrintAndLog(" , OPTIONAL password (8 hex characters)"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx read 0 - read data from block 0"); + PrintAndLog(" lf t55xx read 0 feedbeef - read data from block 0 password feedbeef"); + PrintAndLog(""); + return 0; +} +int usage_t55xx_write(){ + PrintAndLog("Usage: lf t55xx wr [password]"); + PrintAndLog(" , block number to read. Between 0-7"); + PrintAndLog(" , 4 bytes of data to write (8 hex characters)"); + PrintAndLog(" [password], OPTIONAL password 4bytes (8 hex characters)"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx wd 3 11223344 - write 11223344 to block 3"); + PrintAndLog(" lf t55xx wd 3 11223344 feedbeef - write 11223344 to block 3 password feedbeef"); + PrintAndLog(""); + return 0; +} +int usage_t55xx_trace() { + PrintAndLog("Usage: lf t55xx trace [1]"); + PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx trace"); + PrintAndLog(" lf t55xx trace 1"); + PrintAndLog(""); + return 0; +} +int usage_t55xx_info() { + PrintAndLog("Usage: lf t55xx info [1]"); + PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx info"); + PrintAndLog(" lf t55xx info 1"); + PrintAndLog(""); + return 0; +} +int usage_t55xx_dump(){ + PrintAndLog("Usage: lf t55xx dump "); + PrintAndLog(" , OPTIONAL password 4bytes (8 hex symbols)"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx dump"); + PrintAndLog(" lf t55xx dump feedbeef"); + PrintAndLog(""); + return 0; +} +int usage_t55xx_detect(){ + PrintAndLog("Usage: lf t55xx detect"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx detect"); + PrintAndLog(" lf t55xx detect 1"); + PrintAndLog(""); + return 0; +} static int CmdHelp(const char *Cmd); +int CmdT55xxSetConfig(const char *Cmd) { -int CmdReadBlk(const char *Cmd) -{ - int Block = 8; //default to invalid block - UsbCommand c; + uint8_t offset = 0; + bool errors = FALSE; + uint8_t cmdp = 0; + char modulation[5] = {0x00}; + char tmp = 0x00; + uint8_t bitRate = 0; + uint8_t rates[9] = {8,16,32,40,50,64,100,128,0}; + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) + { + tmp = param_getchar(Cmd, cmdp); + switch(tmp) + { + case 'h': + case 'H': + return usage_t55xx_config(); + case 'b': + errors |= param_getdec(Cmd, cmdp+1, &bitRate); + if ( !errors){ + uint8_t i = 0; + for (; i < 9; i++){ + if (rates[i]==bitRate) { + config.bitrate = i; + break; + } + } + if (i==9) errors = TRUE; + } + cmdp+=2; + break; + case 'd': + param_getstr(Cmd, cmdp+1, modulation); + cmdp += 2; - sscanf(Cmd, "%d", &Block); + if ( strcmp(modulation, "FSK" ) == 0) + config.modulation = DEMOD_FSK; + else if ( strcmp(modulation, "FSK1" ) == 0) + config.modulation = DEMOD_FSK1; + else if ( strcmp(modulation, "FSK1a" ) == 0) + config.modulation = DEMOD_FSK1a; + else if ( strcmp(modulation, "FSK2" ) == 0) + config.modulation = DEMOD_FSK2; + else if ( strcmp(modulation, "FSK2a" ) == 0) + config.modulation = DEMOD_FSK2a; + else if ( strcmp(modulation, "ASK" ) == 0) + config.modulation = DEMOD_ASK; + else if ( strcmp(modulation, "NRZ" ) == 0) + config.modulation = DEMOD_NRZ; + else if ( strcmp(modulation, "PSK1" ) == 0) + config.modulation = DEMOD_PSK1; + else if ( strcmp(modulation, "PSK2" ) == 0) + config.modulation = DEMOD_PSK2; + else if ( strcmp(modulation, "PSK3" ) == 0) + config.modulation = DEMOD_PSK3; + else if ( strcmp(modulation, "BIa" ) == 0) + config.modulation = DEMOD_BIa; + else if ( strcmp(modulation, "BI" ) == 0) + config.modulation = DEMOD_BI; + else { + PrintAndLog("Unknown modulation '%s'", modulation); + errors = TRUE; + } + break; + case 'i': + config.inverted = param_getchar(Cmd,cmdp+1) == '1'; + cmdp+=2; + break; + case 'o': + errors |= param_getdec(Cmd, cmdp+1, &offset); + if ( !errors ) + config.offset = offset; + cmdp+=2; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = TRUE; + break; + } + } - if (Block > 7) { - PrintAndLog("Block must be between 0 and 7"); - return 1; - } + // No args + if (cmdp == 0) { + printConfiguration( config ); + return 0; + } + //Validations + if (errors) + return usage_t55xx_config(); - PrintAndLog("Reading block %d", Block); + config.block0 = 0; + printConfiguration ( config ); + return 0; +} - c.cmd = CMD_T55XX_READ_BLOCK; - c.d.asBytes[0] = 0x0; //Normal mode - c.arg[0] = 0; - c.arg[1] = Block; - c.arg[2] = 0; - SendCommand(&c); - return 0; +int CmdT55xxReadBlock(const char *Cmd) { + int block = -1; + int password = 0xFFFFFFFF; //default to blank Block 7 + + char cmdp = param_getchar(Cmd, 0); + if (cmdp == 'h' || cmdp == 'H') + return usage_t55xx_read(); + + int res = sscanf(Cmd, "%d %x", &block, &password); + + if ( res < 1 || res > 2 ) + return usage_t55xx_read(); + + + if ((block < 0) | (block > 7)) { + PrintAndLog("Block must be between 0 and 7"); + return 1; + } + + UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, 0}}; + c.d.asBytes[0] = 0x0; + + //Password mode + if ( res == 2 ) { + c.arg[2] = password; + c.d.asBytes[0] = 0x1; + } + + SendCommand(&c); + if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) { + PrintAndLog("command execution time out"); + return 2; + } + + uint8_t got[12000]; + GetFromBigBuf(got,sizeof(got),0); + WaitForResponse(CMD_ACK,NULL); + setGraphBuf(got, 12000); + DemodBufferLen=0; + if (!DecodeT55xxBlock()) return 0; + char blk[10]={0}; + sprintf(blk,"%d", block); + printT55xxBlock(blk); + return 0; } -int CmdReadBlkPWD(const char *Cmd) -{ - int Block = 8; //default to invalid block - int Password = 0xFFFFFFFF; //default to blank Block 7 - UsbCommand c; +bool DecodeT55xxBlock(){ + + char buf[8] = {0x00}; + char *cmdStr = buf; + int ans = 0; + uint8_t bitRate[8] = {8,16,32,40,50,64,100,128}; - sscanf(Cmd, "%d %x", &Block, &Password); + DemodBufferLen = 0x00; - if (Block > 7) { - PrintAndLog("Block must be between 0 and 7"); - return 1; - } + switch( config.modulation ){ + case DEMOD_FSK: + //CmdLtrim("26"); + sprintf(cmdStr,"%d", bitRate[config.bitrate]/2 ); + CmdLtrim(cmdStr); + sprintf(cmdStr,"%d %d", bitRate[config.bitrate], config.inverted ); + ans = FSKrawDemod(cmdStr, FALSE); + break; + case DEMOD_FSK1: + //CmdLtrim("26"); + sprintf(cmdStr,"%d", bitRate[config.bitrate]/2 ); + CmdLtrim(cmdStr); + sprintf(cmdStr,"%d 1 8 5", bitRate[config.bitrate] ); + ans = FSKrawDemod(cmdStr, FALSE); + break; + case DEMOD_FSK1a: + //CmdLtrim("26"); + sprintf(cmdStr,"%d", bitRate[config.bitrate]/2 ); + CmdLtrim(cmdStr); + sprintf(cmdStr,"%d 0 8 5", bitRate[config.bitrate] ); + ans = FSKrawDemod(cmdStr, FALSE); + break; + case DEMOD_FSK2: + //CmdLtrim("26"); + sprintf(cmdStr,"%d", bitRate[config.bitrate]/2 ); + CmdLtrim(cmdStr); + sprintf(cmdStr,"%d 0 10 8", bitRate[config.bitrate] ); + ans = FSKrawDemod(cmdStr, FALSE); + break; + case DEMOD_FSK2a: + //CmdLtrim("26"); + sprintf(cmdStr,"%d", bitRate[config.bitrate]/2 ); + CmdLtrim(cmdStr); + sprintf(cmdStr,"%d 1 10 8", bitRate[config.bitrate] ); + ans = FSKrawDemod(cmdStr, FALSE); + break; + case DEMOD_ASK: + sprintf(cmdStr,"%d %d 1", bitRate[config.bitrate], config.inverted ); + ans = ASKmanDemod(cmdStr, FALSE, FALSE); + break; + case DEMOD_PSK1: + sprintf(cmdStr,"%d %d 1", bitRate[config.bitrate], config.inverted ); + ans = PSKDemod(cmdStr, FALSE); + break; + case DEMOD_PSK2: + sprintf(cmdStr,"%d 1", bitRate[config.bitrate] ); + ans = PSKDemod(cmdStr, FALSE); + psk1TOpsk2(DemodBuffer, DemodBufferLen); + break; + case DEMOD_PSK3: + sprintf(cmdStr,"%d %d 1", bitRate[config.bitrate], config.inverted ); + ans = PSKDemod(cmdStr, FALSE); + psk1TOpsk2(DemodBuffer, DemodBufferLen); + break; + case DEMOD_NRZ: + sprintf(cmdStr,"%d %d 1", bitRate[config.bitrate], config.inverted ); + ans = NRZrawDemod(cmdStr, FALSE); + break; + case DEMOD_BI: + sprintf(cmdStr,"0 %d 0 1", bitRate[config.bitrate] ); + ans = ASKbiphaseDemod(cmdStr, FALSE); + break; + case DEMOD_BIa: + sprintf(cmdStr,"0 %d 1 1", bitRate[config.bitrate] ); + ans = ASKbiphaseDemod(cmdStr, FALSE); + break; + default: + return FALSE; + } + return (bool) ans; +} - PrintAndLog("Reading block %d with password %08X", Block, Password); +int CmdT55xxDetect(const char *Cmd){ - c.cmd = CMD_T55XX_READ_BLOCK; - c.d.asBytes[0] = 0x1; //Password mode - c.arg[0] = 0; - c.arg[1] = Block; - c.arg[2] = Password; - SendCommand(&c); - return 0; + char cmdp = param_getchar(Cmd, 0); + if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') + return usage_t55xx_detect(); + + if (strlen(Cmd)==0) + AquireData( CONFIGURATION_BLOCK ); + + if ( !tryDetectModulation() ) + PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'"); + + return 0; } -int CmdWriteBlk(const char *Cmd) -{ - int Block = 8; //default to invalid block - int Data = 0xFFFFFFFF; //default to blank Block - UsbCommand c; +// detect configuration? +bool tryDetectModulation(){ + char cmdStr[8] = {0}; + uint8_t hits = 0; + t55xx_conf_block_t tests[15]; + + if (GetFskClock("", FALSE, FALSE)){ + uint8_t fc1 = 0, fc2 = 0, clk=0; + fskClocks(&fc1, &fc2, &clk, FALSE); + sprintf(cmdStr,"%d", clk/2); + CmdLtrim(cmdStr); + if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset)){ + tests[hits].modulation = DEMOD_FSK; + if (fc1==8 && fc2 == 5) + tests[hits].modulation = DEMOD_FSK1a; + else if (fc1==10 && fc2 == 8) + tests[hits].modulation = DEMOD_FSK2; - sscanf(Cmd, "%x %d", &Data, &Block); + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_FSK; + if (fc1==8 && fc2 == 5) + tests[hits].modulation = DEMOD_FSK1; + else if (fc1==10 && fc2 == 8) + tests[hits].modulation = DEMOD_FSK2a; - if (Block > 7) { - PrintAndLog("Block must be between 0 and 7"); - return 1; - } + tests[hits].inverted = TRUE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + } else { + if ( ASKmanDemod("0 0 1", FALSE, FALSE) && test(DEMOD_ASK, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_ASK; + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } - PrintAndLog("Writting block %d with data %08X", Block, Data); + if ( ASKmanDemod("0 1 1", FALSE, FALSE) && test(DEMOD_ASK, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_ASK; + tests[hits].inverted = TRUE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + + if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_NRZ; + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } - c.cmd = CMD_T55XX_WRITE_BLOCK; - c.d.asBytes[0] = 0x0; //Normal mode - c.arg[0] = Data; - c.arg[1] = Block; - c.arg[2] = 0; - SendCommand(&c); - return 0; + if ( NRZrawDemod("0 1 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_NRZ; + tests[hits].inverted = TRUE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + + if ( PSKDemod("0 0 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_PSK1; + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + + if ( PSKDemod("0 1 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset)) { + tests[hits].modulation = DEMOD_PSK1; + tests[hits].inverted = TRUE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + + // PSK2 - needs a call to psk1TOpsk2. + if ( PSKDemod("0 0 1", FALSE)) { + psk1TOpsk2(DemodBuffer, DemodBufferLen); + if (test(DEMOD_PSK2, &tests[hits].offset)){ + tests[hits].modulation = DEMOD_PSK2; + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + } // inverse waves does not affect this demod + + // PSK3 - needs a call to psk1TOpsk2. + if ( PSKDemod("0 0 1", FALSE)) { + psk1TOpsk2(DemodBuffer, DemodBufferLen); + if (test(DEMOD_PSK3, &tests[hits].offset)){ + tests[hits].modulation = DEMOD_PSK3; + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + } // inverse waves does not affect this demod + + if ( ASKbiphaseDemod("0 0 0 1", FALSE) && test(DEMOD_BI, &tests[hits].offset) ) { + tests[hits].modulation = DEMOD_BI; + tests[hits].inverted = FALSE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + if ( ASKbiphaseDemod("0 0 1 1", FALSE) && test(DEMOD_BIa, &tests[hits].offset) ) { + tests[hits].modulation = DEMOD_BIa; + tests[hits].inverted = TRUE; + tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + ++hits; + } + } + if ( hits == 1) { + config.modulation = tests[0].modulation; + config.inverted = tests[0].inverted; + config.offset = tests[0].offset; + config.block0 = tests[0].block0; + printConfiguration( config ); + return TRUE; + } + + if ( hits > 1) { + PrintAndLog("Found [%d] possible matches for modulation.",hits); + for(int i=0; i 3 && modread < 8) return TRUE; + break; + case DEMOD_ASK: + if (modread == DEMOD_ASK) return TRUE; + break; + case DEMOD_PSK1: + if (modread == DEMOD_PSK1) return TRUE; + break; + case DEMOD_PSK2: + if (modread == DEMOD_PSK2) return TRUE; + break; + case DEMOD_PSK3: + if (modread == DEMOD_PSK3) return TRUE; + break; + case DEMOD_NRZ: + if (modread == DEMOD_NRZ) return TRUE; + break; + case DEMOD_BI: + if (modread == DEMOD_BI) return TRUE; + break; + case DEMOD_BIa: + if (modread == DEMOD_BIa) return TRUE; + break; + default: + return FALSE; + } + return FALSE; +} + +bool testBitRate(uint8_t readRate, uint8_t mod){ + uint8_t expected[8] = {8, 16, 32, 40, 50, 64, 100, 128}; + uint8_t detRate = 0; + switch( mod ){ + case DEMOD_FSK: + detRate = GetFskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_FSK1: + detRate = GetFskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_FSK1a: + detRate = GetFskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_FSK2: + detRate = GetFskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_FSK2a: + detRate = GetFskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_ASK: + detRate = GetAskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_PSK1: + detRate = GetPskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_PSK2: + detRate = GetPskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_PSK3: + detRate = GetPskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_NRZ: + detRate = GetNrzClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + case DEMOD_BI: + detRate = GetAskClock("",FALSE, FALSE); + if (expected[readRate] == detRate) { + config.bitrate = readRate; + return TRUE; + } + break; + default: + return FALSE; + } + return FALSE; +} + +bool test(uint8_t mode, uint8_t *offset){ + + if ( !DemodBufferLen) return FALSE; + uint8_t si = 0; + for (uint8_t idx = 0; idx < 64; idx++){ + si = idx; + if ( PackBits(si, 32, DemodBuffer) == 0x00 ) continue; + + uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key + uint8_t resv = PackBits(si, 4, DemodBuffer); si += 4; //was 7 & +=7+3 //should be only 4 bits if extended mode + // 2nibble must be zeroed. + // moved test to here, since this gets most faults first. + if ( resv > 0x00) continue; + + uint8_t xtRate = PackBits(si, 3, DemodBuffer); si += 3; //new + uint8_t bitRate = PackBits(si, 3, DemodBuffer); si += 3; //new could check bit rate + uint8_t extend = PackBits(si, 1, DemodBuffer); si += 1; //bit 15 extended mode + uint8_t modread = PackBits(si, 5, DemodBuffer); si += 5+2+1; //new + //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2+1; //new could check psk cr + uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24 , 30, 31 could be tested for 0 if not extended mode + uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2; + + //if extended mode + bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE; + + if (!extMode){ + if (nml01 || nml02 || xtRate) continue; + } + //test modulation + if (!testModulation(mode, modread)) continue; + + *offset = idx; + if (!testBitRate(bitRate, mode)) continue; + return TRUE; + } + return FALSE; } -int CmdWriteBlkPWD(const char *Cmd) +void printT55xxBlock(const char *demodStr){ + + uint8_t i = config.offset; + uint8_t endpos = 32 + i; + uint32_t blockData = 0; + uint8_t bits[64] = {0x00}; + + if ( !DemodBufferLen) return; + + if ( endpos > DemodBufferLen){ + PrintAndLog("The configured offset %d is too big. Possible offset: %d)", i, DemodBufferLen-32); + return; + } + + for (; i < endpos; ++i) + bits[i - config.offset]=DemodBuffer[i]; + + blockData = PackBits(0, 32, bits); + PrintAndLog("0x%08X %s [%s]", blockData, sprint_bin(bits,32), demodStr); +} + +int special(const char *Cmd) { + uint32_t blockData = 0; + uint8_t bits[32] = {0x00}; + + PrintAndLog("[OFFSET] [DATA] [BINARY]"); + PrintAndLog("----------------------------------------------------"); + int i,j = 0; + for (; j < 64; ++j){ + + for (i = 0; i < 32; ++i) + bits[i]=DemodBuffer[j+i]; + + blockData = PackBits(0, 32, bits); + + PrintAndLog("[%02d] 0x%08X %s",j , blockData, sprint_bin(bits,32)); + } + return 0; +} + +void printConfiguration( t55xx_conf_block_t b){ + PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) ); + PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate) ); + PrintAndLog("Inverted : %s", (b.inverted) ? "Yes" : "No" ); + PrintAndLog("Offset : %d", b.offset); + PrintAndLog("Block0 : 0x%08X", b.block0); + PrintAndLog(""); +} + +int CmdT55xxWriteBlock(const char *Cmd) { - int Block = 8; //default to invalid block - int Data = 0xFFFFFFFF; //default to blank Block - int Password = 0xFFFFFFFF; //default to blank Block 7 - UsbCommand c; - - sscanf(Cmd, "%x %d %x", &Data, &Block, &Password); - - if (Block > 7) { - PrintAndLog("Block must be between 0 and 7"); - return 1; - } - - PrintAndLog("Writting block %d with data %08X and password %08X", Block, Data, Password); - - c.cmd = CMD_T55XX_WRITE_BLOCK; - c.d.asBytes[0] = 0x1; //Password mode - c.arg[0] = Data; - c.arg[1] = Block; - c.arg[2] = Password; - SendCommand(&c); - return 0; + int block = 8; //default to invalid block + int data = 0xFFFFFFFF; //default to blank Block + int password = 0xFFFFFFFF; //default to blank Block 7 + + char cmdp = param_getchar(Cmd, 0); + if (cmdp == 'h' || cmdp == 'H') { + usage_t55xx_write(); + return 0; + } + + int res = sscanf(Cmd, "%d %x %x",&block, &data, &password); + + if ( res < 2 || res > 3) { + usage_t55xx_write(); + return 1; + } + + if (block > 7) { + PrintAndLog("Block number must be between 0 and 7"); + return 1; + } + + UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}}; + c.d.asBytes[0] = 0x0; + + PrintAndLog("Writing to block: %d data : 0x%08X", block, data); + + //Password mode + if (res == 3) { + c.arg[2] = password; + c.d.asBytes[0] = 0x1; + PrintAndLog("pwd : 0x%08X", password); + } + SendCommand(&c); + return 0; } -int CmdReadTrace(const char *Cmd) +int CmdT55xxReadTrace(const char *Cmd) { + char cmdp = param_getchar(Cmd, 0); + + if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') + return usage_t55xx_trace(); + + if (strlen(Cmd)==0) + AquireData( TRACE_BLOCK ); + + if (!DecodeT55xxBlock()) return 1; - PrintAndLog("Reading traceability data"); + if ( !DemodBufferLen) return 1; + + RepaintGraphWindow(); + uint8_t repeat = 0; + if (config.offset > 5) + repeat = 32; + uint8_t si = config.offset+repeat; + uint32_t bl0 = PackBits(si, 32, DemodBuffer); + uint32_t bl1 = PackBits(si+32, 32, DemodBuffer); + + uint32_t acl = PackBits(si, 8, DemodBuffer); si += 8; + uint32_t mfc = PackBits(si, 8, DemodBuffer); si += 8; + uint32_t cid = PackBits(si, 5, DemodBuffer); si += 5; + uint32_t icr = PackBits(si, 3, DemodBuffer); si += 3; + uint32_t year = PackBits(si, 4, DemodBuffer); si += 4; + uint32_t quarter = PackBits(si, 2, DemodBuffer); si += 2; + uint32_t lotid = PackBits(si, 12, DemodBuffer); si += 12; + uint32_t wafer = PackBits(si, 5, DemodBuffer); si += 5; + uint32_t dw = PackBits(si, 15, DemodBuffer); + + year += 2000; + + PrintAndLog(""); + PrintAndLog("-- T55xx Trace Information ----------------------------------"); + PrintAndLog("-------------------------------------------------------------"); + PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", acl, acl); + PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", mfc, mfc, getTagInfo(mfc)); + PrintAndLog(" CID : 0x%02X (%d) - %s", cid, cid, GetModelStrFromCID(cid)); + PrintAndLog(" ICR IC Revision : %d",icr ); + PrintAndLog(" Manufactured"); + PrintAndLog(" Year/Quarter : %d/%d",year, quarter ); + PrintAndLog(" Lot ID : %d", lotid ); + PrintAndLog(" Wafer number : %d", wafer); + PrintAndLog(" Die Number : %d", dw); + PrintAndLog("-------------------------------------------------------------"); + PrintAndLog(" Raw Data - Page 1"); + PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset+repeat,32) ); + PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat+32,32) ); + PrintAndLog("-------------------------------------------------------------"); - UsbCommand c = {CMD_T55XX_READ_TRACE, {0, 0, 0}}; - SendCommand(&c); + if ( acl != 0xE0 ) + PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. "); + /* + TRACE - BLOCK O + Bits Definition HEX + 1-8 ACL Allocation class (ISO/IEC 15963-1) 0xE0 + 9-16 MFC Manufacturer ID (ISO/IEC 7816-6) 0x15 Atmel Corporation + 17-21 CID 0x1 = Atmel ATA5577M1 0x2 = Atmel ATA5577M2 + 22-24 ICR IC revision + 25-28 YEAR (BCD encoded) 9 (= 2009) + 29-30 QUARTER 1,2,3,4 + 31-32 LOT ID + + TRACE - BLOCK 1 + 1-12 LOT ID + 13-17 Wafer number + 18-32 DW, die number sequential + */ + return 0; } +int CmdT55xxInfo(const char *Cmd){ + /* + Page 0 Block 0 Configuration data. + Normal mode + Extended mode + */ + char cmdp = param_getchar(Cmd, 0); + + if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') + return usage_t55xx_info(); + + if (strlen(Cmd)==0) + AquireData( CONFIGURATION_BLOCK ); + + if (!DecodeT55xxBlock()) return 1; + + if ( !DemodBufferLen) return 1; + + uint8_t si = config.offset; + uint32_t bl0 = PackBits(si, 32, DemodBuffer); + + uint32_t safer = PackBits(si, 4, DemodBuffer); si += 4; + uint32_t resv = PackBits(si, 7, DemodBuffer); si += 7; + uint32_t dbr = PackBits(si, 3, DemodBuffer); si += 3; + uint32_t extend = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t datamod = PackBits(si, 5, DemodBuffer); si += 5; + uint32_t pskcf = PackBits(si, 2, DemodBuffer); si += 2; + uint32_t aor = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t otp = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t maxblk = PackBits(si, 3, DemodBuffer); si += 3; + uint32_t pwd = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t sst = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t fw = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t inv = PackBits(si, 1, DemodBuffer); si += 1; + uint32_t por = PackBits(si, 1, DemodBuffer); si += 1; + + PrintAndLog(""); + PrintAndLog("-- T55xx Configuration & Tag Information --------------------"); + PrintAndLog("-------------------------------------------------------------"); + PrintAndLog(" Safer key : %s", GetSaferStr(safer)); + PrintAndLog(" reserved : %d", resv); + PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr)); + PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No"); + PrintAndLog(" Modulation : %s", GetModulationStr(datamod)); + PrintAndLog(" PSK clock frequency : %d", pskcf); + PrintAndLog(" AOR - Answer on Request : %s", (aor) ? "Yes":"No"); + PrintAndLog(" OTP - One Time Pad : %s", (otp) ? "Yes - Warning":"No" ); + PrintAndLog(" Max block : %d", maxblk); + PrintAndLog(" Password mode : %s", (pwd) ? "Yes":"No"); + PrintAndLog(" Sequence Start Terminator : %s", (sst) ? "Yes":"No"); + PrintAndLog(" Fast Write : %s", (fw) ? "Yes":"No"); + PrintAndLog(" Inverse data : %s", (inv) ? "Yes":"No"); + PrintAndLog(" POR-Delay : %s", (por) ? "Yes":"No"); + PrintAndLog("-------------------------------------------------------------"); + PrintAndLog(" Raw Data - Page 0"); + PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset,32) ); + PrintAndLog("-------------------------------------------------------------"); + + return 0; +} + +int CmdT55xxDump(const char *Cmd){ + + char s[20] = {0x00}; + uint8_t pwd[4] = {0x00}; + + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'h' || cmdp == 'H') { + usage_t55xx_dump(); + return 0; + } + + bool hasPwd = ( strlen(Cmd) > 0); + if ( hasPwd ){ + if (param_gethex(Cmd, 0, pwd, 8)) { + PrintAndLog("password must include 8 HEX symbols"); + return 1; + } + } + + for ( int i = 0; i <8; ++i){ + memset(s,0,sizeof(s)); + if ( hasPwd ) { + sprintf(s,"%d %02x%02x%02x%02x", i, pwd[0],pwd[1],pwd[2],pwd[3]); + } else { + sprintf(s,"%d", i); + } + CmdT55xxReadBlock(s); + } + return 0; +} + +int AquireData( uint8_t block ){ + + UsbCommand c; + + if ( block == CONFIGURATION_BLOCK ) + c.cmd = CMD_T55XX_READ_BLOCK; + else if (block == TRACE_BLOCK ) + c.cmd = CMD_T55XX_READ_TRACE; + + c.arg[0] = 0x00; + c.arg[1] = 0x00; + c.arg[2] = 0x00; + c.d.asBytes[0] = 0x0; + + //Password mode + // if ( res == 2 ) { + // c.arg[2] = password; + // c.d.asBytes[0] = 0x1; + // } + + SendCommand(&c); + if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) { + PrintAndLog("command execution time out"); + return 1; + } + + uint8_t got[12000]; + GetFromBigBuf(got,sizeof(got),0); + WaitForResponse(CMD_ACK,NULL); + setGraphBuf(got, 12000); + return 0; +} + +char * GetBitRateStr(uint32_t id){ + static char buf[40]; + char *retStr = buf; + switch (id){ + case 0: + sprintf(retStr,"%d - RF/8",id); + break; + case 1: + sprintf(retStr,"%d - RF/16",id); + break; + case 2: + sprintf(retStr,"%d - RF/32",id); + break; + case 3: + sprintf(retStr,"%d - RF/40",id); + break; + case 4: + sprintf(retStr,"%d - RF/50",id); + break; + case 5: + sprintf(retStr,"%d - RF/64",id); + break; + case 6: + sprintf(retStr,"%d - RF/100",id); + break; + case 7: + sprintf(retStr,"%d - RF/128",id); + break; + default: + sprintf(retStr,"%d - (Unknown)",id); + break; + } + + return buf; +} + +char * GetSaferStr(uint32_t id){ + static char buf[40]; + char *retStr = buf; + + sprintf(retStr,"%d",id); + if (id == 6) { + sprintf(retStr,"%d - passwd",id); + } + if (id == 9 ){ + sprintf(retStr,"%d - testmode",id); + } + + return buf; +} +char * GetModulationStr( uint32_t id){ + static char buf[40]; + char *retStr = buf; + + switch (id){ + case 0: + sprintf(retStr,"%d - DIRECT (ASK/NRZ)",id); + break; + case 1: + sprintf(retStr,"%d - PSK 1 phase change when input changes",id); + break; + case 2: + sprintf(retStr,"%d - PSK 2 phase change on bitclk if input high",id); + break; + case 3: + sprintf(retStr,"%d - PSK 3 phase change on rising edge of input",id); + break; + case 4: + sprintf(retStr,"%d - FSK 1 RF/8 RF/5",id); + break; + case 5: + sprintf(retStr,"%d - FSK 2 RF/8 RF/10",id); + break; + case 6: + sprintf(retStr,"%d - FSK 1a RF/5 RF/8",id); + break; + case 7: + sprintf(retStr,"%d - FSK 2a RF/10 RF/8",id); + break; + case 8: + sprintf(retStr,"%d - Manschester",id); + break; + case 16: + sprintf(retStr,"%d - Biphase",id); + break; + case 0x18: + sprintf(retStr,"%d - Biphase a",id); + break; + case 17: + sprintf(retStr,"%d - Reserved",id); + break; + default: + sprintf(retStr,"0x%02X (Unknown)",id); + break; + } + return buf; +} + +char * GetModelStrFromCID(uint32_t cid){ + + static char buf[10]; + char *retStr = buf; + + if (cid == 1) sprintf(retStr,"ATA5577M1"); + if (cid == 2) sprintf(retStr,"ATA5577M2"); + return buf; +} + +char * GetSelectedModulationStr( uint8_t id){ + + static char buf[16]; + char *retStr = buf; + + switch (id){ + case DEMOD_FSK: + sprintf(retStr,"FSK"); + break; + case DEMOD_FSK1: + sprintf(retStr,"FSK1"); + break; + case DEMOD_FSK1a: + sprintf(retStr,"FSK1a"); + break; + case DEMOD_FSK2: + sprintf(retStr,"FSK2"); + break; + case DEMOD_FSK2a: + sprintf(retStr,"FSK2a"); + break; + case DEMOD_ASK: + sprintf(retStr,"ASK"); + break; + case DEMOD_NRZ: + sprintf(retStr,"DIRECT/NRZ"); + break; + case DEMOD_PSK1: + sprintf(retStr,"PSK1"); + break; + case DEMOD_PSK2: + sprintf(retStr,"PSK2"); + break; + case DEMOD_PSK3: + sprintf(retStr,"PSK3"); + break; + case DEMOD_BI: + sprintf(retStr,"BIPHASE"); + break; + case DEMOD_BIa: + sprintf(retStr,"BIPHASEa"); + break; + default: + sprintf(retStr,"(Unknown)"); + break; + } + return buf; +} + +uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){ + + int i = start; + int j = len-1; + + if (len > 32) return 0; + + uint32_t tmp = 0; + for (; j >= 0; --j, ++i) + tmp |= bits[i] << j; + + return tmp; +} + static command_t CommandTable[] = { - {"help", CmdHelp, 1, "This help"}, - {"readblock", CmdReadBlk, 1, " -- Read T55xx block data (page 0)"}, - {"readblockPWD", CmdReadBlkPWD, 1, " -- Read T55xx block data in password mode(page 0)"}, - {"writeblock", CmdWriteBlk, 1, " -- Write T55xx block data (page 0)"}, - {"writeblockPWD", CmdWriteBlkPWD, 1, " -- Write T55xx block data in password mode(page 0)"}, - {"readtrace", CmdReadTrace, 1, "Read T55xx traceability data (page 1)"}, + {"help", CmdHelp, 1, "This help"}, + {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, + {"detect", CmdT55xxDetect, 0, "[1] Try detecting the tag modulation from reading the configuration block."}, + {"read", CmdT55xxReadBlock, 0, " [password] -- Read T55xx block data (page 0) [optional password]"}, + {"write", CmdT55xxWriteBlock,0, " [password] -- Write T55xx block data (page 0) [optional password]"}, + {"trace", CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"}, + {"info", CmdT55xxInfo, 0, "[1] Show T55xx configuration data (page 0/ blk 0)"}, + {"dump", CmdT55xxDump, 0, "[password] Dump T55xx card block 0-7. [optional password]"}, + {"special", special, 0, "Show block changes with 64 different offsets"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index 25503e87..a64b1eda 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h @@ -10,12 +10,57 @@ #ifndef CMDLFT55XX_H__ #define CMDLFT55XX_H__ +typedef struct { + enum { + DEMOD_NRZ = 0x00, + DEMOD_PSK1 = 0x01, + DEMOD_PSK2 = 0x02, + DEMOD_PSK3 = 0x03, + DEMOD_FSK1 = 0x04, + DEMOD_FSK1a = 0x05, + DEMOD_FSK2 = 0x06, + DEMOD_FSK2a = 0x07, + DEMOD_FSK = 0xF0, //generic FSK (auto detect FCs) + DEMOD_ASK = 0x08, + DEMOD_BI = 0x10, + DEMOD_BIa = 0x18, + } modulation; + bool inverted; + uint8_t offset; + uint32_t block0; + enum { + RF_8 = 0x00, + RF_16 = 0x01, + RF_32 = 0x02, + RF_40 = 0x03, + RF_50 = 0x04, + RF_64 = 0x05, + RF_100 = 0x06, + RF_128 = 0x07, + } bitrate; +} t55xx_conf_block_t; + int CmdLFT55XX(const char *Cmd); +int CmdT55xxSetConfig(const char *Cmd); +int CmdT55xxReadBlock(const char *Cmd); +int CmdT55xxWriteBlock(const char *Cmd); +int CmdT55xxReadTrace(const char *Cmd); +int CmdT55xxInfo(const char *Cmd); +int CmdT55xxDetect(const char *Cmd); + +char * GetBitRateStr(uint32_t id); +char * GetSaferStr(uint32_t id); +char * GetModulationStr( uint32_t id); +char * GetModelStrFromCID(uint32_t cid); +char * GetSelectedModulationStr( uint8_t id); +uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bitstream); +void printT55xxBlock(const char *demodStr); +void printConfiguration( t55xx_conf_block_t b); -int CmdReadBlk(const char *Cmd); -int CmdReadBlkPWD(const char *Cmd); -int CmdWriteBlk(const char *Cmd); -int CmdWriteBLkPWD(const char *Cmd); -int CmdReadTrace(const char *Cmd); +bool DecodeT55xxBlock(); +bool tryDetectModulation(); +bool test(uint8_t mode, uint8_t *offset); +int special(const char *Cmd); +int AquireData( uint8_t block ); #endif diff --git a/client/scripts/test_t55x7_ask.lua b/client/scripts/test_t55x7_ask.lua new file mode 100644 index 00000000..569d4260 --- /dev/null +++ b/client/scripts/test_t55x7_ask.lua @@ -0,0 +1,139 @@ +local cmds = require('commands') +local getopt = require('getopt') +local bin = require('bin') +local utils = require('utils') + +local format=string.format +local floor=math.floor + +example =[[ + 1. script run test_t55x7_ask +]] +author = "Iceman" +usage = "script run test_t55x7_ask" +desc =[[ +This script will program a T55x7 TAG with the configuration: block 0x00 data 0x000100 +The outlined procedure is as following: + +--ASK + 00 00 80 40 +-- max 2 +-- manchester +-- bit rate + +"lf t55xx write 0 00008040" +"lf t55xx detect" +"lf t55xx info" + +Loop: + change the configuretion block 0 with: + -xx 00 xxxx = RF/8 + -xx 04 xxxx = RF/16 + -xx 08 xxxx = RF/32 + -xx 0C xxxx = RF/40 + -xx 10 xxxx = RF/50 + -xx 14 xxxx = RF/64 + -xx 18 xxxx = RF/100 + -xx 1C xxxx = RF/128 + + +testsuit for the ASK/MANCHESTER demod + +Arguments: + -h : this help +]] + +local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds +local DEBUG = true -- the debug flag + +--BLOCK 0 = 00008040 ASK / MAN +local config1 = '00' +local config2 = '8040' + +local procedurecmds = { + [1] = '%s%02X%s', + [2] = 'lf t55xx detect', + [3] = 'lf t55xx info', +} +--- +-- A debug printout-function +function dbg(args) + if not DEBUG then + return + end + + if type(args) == "table" then + local i = 1 + while args[i] do + dbg(args[i]) + i = i+1 + end + else + print("###", args) + end +end +--- +-- This is only meant to be used when errors occur +function oops(err) + print("ERROR: ",err) +end +--- +-- Usage help +function help() + print(desc) + print("Example usage") + print(example) +end +-- +-- Exit message +function ExitMsg(msg) + print( string.rep('--',20) ) + print( string.rep('--',20) ) + print(msg) + print() +end + +function test() + local y + for y = 0x0, 0x1d, 0x4 do + for _ = 1, #procedurecmds do + local pcmd = procedurecmds[_] + + if #pcmd == 0 then + + elseif _ == 1 then + + local config = pcmd:format(config1, y, config2) + dbg(('lf t55xx write 0 %s'):format(config)) + config = tonumber(config,16) + + local writecmd = Command:new{cmd = cmds.CMD_T55XX_WRITE_BLOCK, arg1 = config} + local err = core.SendCommand(writecmd:getBytes()) + if err then return oops(err) end + local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT) + + else + dbg(pcmd) + core.console( pcmd ) + end + end + core.clearCommandBuffer() + end + print( string.rep('--',20) ) +end + +local function main(args) + + print( string.rep('--',20) ) + print( string.rep('--',20) ) + + -- Arguments for the script + for o, arg in getopt.getopt(args, 'h') do + if o == "h" then return help() end + end + + core.clearCommandBuffer() + test() + print( string.rep('--',20) ) +end +main(args) \ No newline at end of file diff --git a/client/scripts/test_t55x7_bi.lua b/client/scripts/test_t55x7_bi.lua new file mode 100644 index 00000000..a1793ba6 --- /dev/null +++ b/client/scripts/test_t55x7_bi.lua @@ -0,0 +1,133 @@ +local cmds = require('commands') +local getopt = require('getopt') +local bin = require('bin') +local utils = require('utils') + +example =[[ + 1. script run test_t55x7_bi +]] +author = "Iceman" +usage = "script run test_t55x7_bi" +desc =[[ +This script will program a T55x7 TAG with the configuration: block 0x00 data 0x00010040 +The outlined procedure is as following: + +--BIPHASE 00010040 +-- + +"lf t55xx write 0 00010040" +"lf t55xx detect" +"lf t55xx info" + +Loop: + change the configuretion block 0 with: + -xx01xxxx = RF/8 + -xx05xxxx = RF/16 + -xx09xxxx = RF/32 + -xx0Dxxxx = RF/40 + -xx11xxxx = RF/50 + -xx15xxxx = RF/64 + -xx19xxxx = RF/100 + -xx1Dxxxx = RF/128 + + +testsuit for the BIPHASE demod + +Arguments: + -h : this help +]] + +local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds +local DEBUG = true -- the debug flag + +--BLOCK 0 = 00010040 BIPHASE +local config1 = '00' +local config2 = '0040' + +local procedurecmds = { + [1] = '%s%02X%s', + [2] = 'lf t55xx detect', + [3] = 'lf t55xx info', +} +--- +-- A debug printout-function +function dbg(args) + if not DEBUG then + return + end + + if type(args) == "table" then + local i = 1 + while args[i] do + dbg(args[i]) + i = i+1 + end + else + print("###", args) + end +end +--- +-- This is only meant to be used when errors occur +function oops(err) + print("ERROR: ",err) +end +--- +-- Usage help +function help() + print(desc) + print("Example usage") + print(example) +end +-- +-- Exit message +function ExitMsg(msg) + print( string.rep('--',20) ) + print( string.rep('--',20) ) + print(msg) + print() +end + +function test() + local y + for y = 1, 0x1D, 4 do + for _ = 1, #procedurecmds do + local pcmd = procedurecmds[_] + + if #pcmd == 0 then + + elseif _ == 1 then + + local config = pcmd:format(config1, y, config2) + dbg(('lf t55xx wr 0 %s'):format(config)) + + config = tonumber(config,16) + local writecmd = Command:new{cmd = cmds.CMD_T55XX_WRITE_BLOCK, arg1 = config} + local err = core.SendCommand(writecmd:getBytes()) + if err then return oops(err) end + local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT) + else + dbg(pcmd) + core.console( pcmd ) + end + end + core.clearCommandBuffer() + end + print( string.rep('--',20) ) + +end + +local function main(args) + + print( string.rep('--',20) ) + print( string.rep('--',20) ) + + -- Arguments for the script + for o, arg in getopt.getopt(args, 'h') do + if o == "h" then return help() end + end + + core.clearCommandBuffer() + test() + print( string.rep('--',20) ) +end +main(args) diff --git a/client/scripts/test_t55x7_fsk.lua b/client/scripts/test_t55x7_fsk.lua new file mode 100644 index 00000000..f42dd147 --- /dev/null +++ b/client/scripts/test_t55x7_fsk.lua @@ -0,0 +1,139 @@ +local cmds = require('commands') +local getopt = require('getopt') +local bin = require('bin') +local utils = require('utils') + +example =[[ + 1. script run test_t55x7_fsk +]] +author = "Iceman" +usage = "script run test_t55x7_fsk" +desc =[[ +This script will program a T55x7 TAG with the configuration: block 0x00 data 0x000100 +The outlined procedure is as following: + +--ASK + 00 00 80 40 +-- max 2 blocks +-- FSK1 +-- bit rate + +"lf t55xx write 0 00007040" +"lf t55xx detect" +"lf t55xx info" + +Loop: + change the configuretion block 0 with: + -xx 00 xxxx = RF/8 + -xx 04 xxxx = RF/16 + -xx 08 xxxx = RF/32 + -xx 0C xxxx = RF/40 + -xx 10 xxxx = RF/50 + -xx 14 xxxx = RF/64 + -xx 18 xxxx = RF/100 + -xx 1C xxxx = RF/128 + + +testsuit for the ASK/MANCHESTER demod + +Arguments: + -h : this help +]] + +local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds +local DEBUG = true -- the debug flag + +--BLOCK 0 = 00008040 FSK +local config1 = '00' +local config2 = '040' + +local procedurecmds = { + [1] = '%s%02X%X%s', + [2] = 'lf t55xx detect', + [3] = 'lf t55xx info', +} +--- +-- A debug printout-function +function dbg(args) + if not DEBUG then + return + end + + if type(args) == "table" then + local i = 1 + while args[i] do + dbg(args[i]) + i = i+1 + end + else + print("###", args) + end +end +--- +-- This is only meant to be used when errors occur +function oops(err) + print("ERROR: ",err) +end +--- +-- Usage help +function help() + print(desc) + print("Example usage") + print(example) +end +-- +-- Exit message +function ExitMsg(msg) + print( string.rep('--',20) ) + print( string.rep('--',20) ) + print(msg) + print() +end + +function test(modulation) + local y + for y = 0x0, 0x1d, 0x4 do + for _ = 1, #procedurecmds do + local pcmd = procedurecmds[_] + + if #pcmd == 0 then + + elseif _ == 1 then + + local config = pcmd:format(config1, y, modulation, config2) + dbg(('lf t55xx write 0 %s'):format(config)) + + config = tonumber(config,16) + local writecmd = Command:new{cmd = cmds.CMD_T55XX_WRITE_BLOCK, arg1 = config} + local err = core.SendCommand(writecmd:getBytes()) + if err then return oops(err) end + local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT) + + else + dbg(pcmd) + core.console( pcmd ) + end + end + core.clearCommandBuffer() + end + print( string.rep('--',20) ) +end + +local function main(args) + + print( string.rep('--',20) ) + print( string.rep('--',20) ) + + -- Arguments for the script + for o, arg in getopt.getopt(args, 'h') do + if o == "h" then return help() end + end + + core.clearCommandBuffer() + test(4) + test(5) + test(6) + test(7) + print( string.rep('--',20) ) +end +main(args) \ No newline at end of file diff --git a/client/scripts/test_t55x7_psk.lua b/client/scripts/test_t55x7_psk.lua index 1b964094..766d853f 100644 --- a/client/scripts/test_t55x7_psk.lua +++ b/client/scripts/test_t55x7_psk.lua @@ -2,15 +2,14 @@ local cmds = require('commands') local getopt = require('getopt') local bin = require('bin') local utils = require('utils') -local dumplib = require('html_dumplib') example =[[ - 1. script run tracetest - 2. script run tracetest -o + 1. script run test_t55x7_psk + 2. script run test_t55x7_psk -o ]] author = "Iceman" -usage = "script run test_t55x7_psk -o " +usage = "script run test_t55x7_psk" desc =[[ This script will program a T55x7 TAG with the configuration: block 0x00 data 0x00088040 The outlined procedure is as following: @@ -39,26 +38,34 @@ In all 12 individual test for the PSK demod Arguments: -h : this help - -o : logfile name ]] local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds local DEBUG = true -- the debug flag - ---BLOCK 0 = 00088040 -local config1 = '0008' -local config2 = '40' +-- local procedurecmds = { + -- [1] = '%s%s%s%s', + -- [2] = 'lf read', + -- --[3] = '', + -- [3] = 'data samples', + -- [4] = 'data pskdetectclock', + -- [5] = 'data psknrzrawdemod', + -- [6] = 'data pskindalademod', +-- } + +-- --BLOCK 0 = 00 08 80 40 PSK + -- ----------- + -- 08------- bitrate + -- 8----- modulation PSK1 + -- 0---- PSK ClockRate + -- 40 max 2 blocks + local procedurecmds = { - [1] = '%s%s%s%s', - [2] = 'lf read', + [1] = '00%02X%X%X40', + [2] = 'lf t55xx detect', --[3] = '', - [3] = 'data samples', - [4] = 'data pskdetectclock', - [5] = 'data psknrzrawdemod', - [6] = 'data pskindalademod', + [3] = 'lf t55xx info', } - --- -- A debug printout-function function dbg(args) @@ -97,45 +104,35 @@ function ExitMsg(msg) print() end -function pskTest(modulation) - local y - for y = 0, 8, 4 do - for _ = 1, #procedurecmds do +function test(modulation) + local bitrate + local clockrate + for bitrate = 0x0, 0x1d, 0x4 do + + for clockrate = 0,8,4 do local cmd = procedurecmds[_] - - if #cmd == 0 then - + + if #cmd == 0 then + elseif _ == 1 then dbg("Writing to T55x7 TAG") - - local configdata = cmd:format( config1, modulation , y, config2) - - dbg( configdata) + + local config = cmd:format(bitrate, modulation, clockrate) + dbg(('lf t55xx write 0 %s'):format(config)) - local writecommand = Command:new{cmd = cmds.CMD_T55XX_WRITE_BLOCK, arg1 = configdata ,arg2 = 0, arg3 = 0} + config = tonumber(config,16) + local writecommand = Command:new{cmd = cmds.CMD_T55XX_WRITE_BLOCK, arg1 = config ,arg2 = 0, arg3 = 0} local err = core.SendCommand(writecommand:getBytes()) if err then return oops(err) end local response = core.WaitForResponseTimeout(cmds.CMD_ACK,TIMEOUT) - - if response then - local count,cmd,arg0 = bin.unpack('LL',response) - if(arg0==1) then - dbg("Writing success") - else - return nil, "Couldn't read block.." - end - end - else dbg(cmd) core.console( cmd ) end end - core.clearCommandBuffer() end print( string.rep('--',20) ) - end local function main(args) @@ -143,31 +140,17 @@ local function main(args) print( string.rep('--',20) ) print( string.rep('--',20) ) - local outputTemplate = os.date("testpsk_%Y-%m-%d_%H%M%S") - -- Arguments for the script - for o, arg in getopt.getopt(args, 'ho:') do + for o, arg in getopt.getopt(args, 'h') do if o == "h" then return help() end - if o == "o" then outputTemplate = arg end end core.clearCommandBuffer() - pskTest(1) - pskTest(2) - pskTest(3) - pskTest(8) + test(1) --PSK1 + -- test(2) --PSK2 + -- test(3) --PSK3 print( string.rep('--',20) ) end main(args) - --- Where it iterates over - -- xxxx8xxx = PSK RF/2 with Manchester modulation - -- xxxx1xxx = PSK RF/2 with PSK1 modulation (phase change when input changes) - -- xxxx2xxx = PSK RF/2 with PSk2 modulation (phase change on bitclk if input high) - -- xxxx3xxx = PSK RF/2 with PSk3 modulation (phase change on rising edge of input) - - -- XXXXX0XX = PSK RF/2 - -- XXXXX4XX = PSK RF/4 - -- XXXXX8XX = PSK RF/8 \ No newline at end of file diff --git a/client/scripts/tracetest.lua b/client/scripts/tracetest.lua index e4a9215c..ae4055ae 100644 --- a/client/scripts/tracetest.lua +++ b/client/scripts/tracetest.lua @@ -6,19 +6,20 @@ local dumplib = require('html_dumplib') example =[[ 1. script run tracetest - 2. script run tracetest -o - ]] author = "Iceman" -usage = "script run tracetest -o " +usage = "script run tracetest" desc =[[ This script will load several traces files in ../traces/ folder and do "data load" -"lf search" +"lf search 1 u" + +The following tracefiles will be loaded: + em*.pm3 + m*.pm3 Arguments: -h : this help - -o : logfile name ]] local TIMEOUT = 2000 -- Shouldn't take longer than 2 seconds @@ -71,14 +72,14 @@ local function main(args) local tracesEM = "find '../traces/' -iname 'em*.pm3' -type f" local tracesMOD = "find '../traces/' -iname 'm*.pm3' -type f" + local write2File = false local outputTemplate = os.date("testtest_%Y-%m-%d_%H%M%S") -- Arguments for the script - for o, arg in getopt.getopt(args, 'ho:') do + for o, arg in getopt.getopt(args, 'h') do if o == "h" then return help() end - if o == "o" then outputTemplate = arg end end - + core.clearCommandBuffer() local files = {} @@ -97,7 +98,7 @@ local function main(args) end p.close(); - local cmdLFSEARCH = "lf search 1" + local cmdLFSEARCH = "lf search 1 u" -- main loop io.write('Starting to test traces > ') @@ -119,13 +120,6 @@ local function main(args) end io.write('\n') - -- Write dump to files - if not DEBUG then - local bar = dumplib.SaveAsText(emldata, outputTemplate..'.txt') - print(("Wrote output to: %s"):format(bar)) - end - - -- Show info print( string.rep('--',20) ) end diff --git a/common/lfdemod.c b/common/lfdemod.c index 46ac4924..5b0bc29d 100644 --- a/common/lfdemod.c +++ b/common/lfdemod.c @@ -75,51 +75,6 @@ uint8_t preambleSearch(uint8_t *BitStream, uint8_t *preamble, size_t pLen, size_ return 0; } - -//by marshmellow -//takes 1s and 0s and searches for EM410x format - output EM ID -uint64_t Em410xDecodeOld(uint8_t *BitStream, size_t *size, size_t *startIdx) -{ - //no arguments needed - built this way in case we want this to be a direct call from "data " cmds in the future - // otherwise could be a void with no arguments - //set defaults - uint64_t lo=0; - uint32_t i = 0; - if (BitStream[1]>1){ //allow only 1s and 0s - // PrintAndLog("no data found"); - return 0; - } - // 111111111 bit pattern represent start of frame - uint8_t preamble[] = {1,1,1,1,1,1,1,1,1}; - uint32_t idx = 0; - uint32_t parityBits = 0; - uint8_t errChk = 0; - *startIdx = 0; - for (uint8_t extraBitChk=0; extraBitChk<5; extraBitChk++){ - errChk = preambleSearch(BitStream+extraBitChk+*startIdx, preamble, sizeof(preamble), size, startIdx); - if (errChk == 0) return 0; - idx = *startIdx + 9; - for (i=0; i<10;i++){ //loop through 10 sets of 5 bits (50-10p = 40 bits) - parityBits = bytebits_to_byte(BitStream+(i*5)+idx,5); - //check even parity - if (parityTest(parityBits, 5, 0) == 0){ - //parity failed try next bit (in the case of 1111111111) but last 9 = preamble - startIdx++; - errChk = 0; - break; - } - //set uint64 with ID from BitStream - for (uint8_t ii=0; ii<4; ii++){ - lo = (lo << 1LL) | (BitStream[(i*5)+ii+idx]); - } - } - if (errChk != 0) return lo; - //skip last 5 bit parity test for simplicity. - // *size = 64; - } - return 0; -} - //by marshmellow //takes 1s and 0s and searches for EM410x format - output EM ID uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo) @@ -143,6 +98,7 @@ uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_ errChk = preambleSearch(BitStream+extraBitChk+*startIdx, preamble, sizeof(preamble), size, startIdx); if (errChk == 0) return 0; if (*size>64) FmtLen = 22; + if (*size<64) return 0; idx = *startIdx + 9; for (i=0; i= high && waveHigh){ + smplCnt++; + } else if (BinStream[i] <= low && !waveHigh){ + smplCnt++; + } else { //not high or low or a transition + if (smplCnt > clk-(clk/4)) { //full clock + if (smplCnt > clk + (clk/4)) { //too many samples + errCnt++; + BinStream[bitCnt++]=77; + } else if (waveHigh) { + BinStream[bitCnt++] = invert; + BinStream[bitCnt++] = invert; + } else if (!waveHigh) { + BinStream[bitCnt++] = invert ^ 1; + BinStream[bitCnt++] = invert ^ 1; + } + waveHigh ^= 1; + smplCnt = 0; + } else if (smplCnt > (clk/2) - (clk/5)) { + if (waveHigh) { + BinStream[bitCnt++] = invert; + } else if (!waveHigh) { + BinStream[bitCnt++] = invert ^ 1; + } + waveHigh ^= 1; + smplCnt = 0; + } else if (!bitCnt) { + //first bit + waveHigh = (BinStream[i] >= high); + smplCnt = 1; + } else { + //transition bit? ignore + } + } + } + *size = bitCnt; + return errCnt; +} + //by marshmellow //takes 3 arguments - clock, invert and maxErr as integers //attempts to demodulate ask only @@ -423,15 +421,22 @@ int askrawdemod(uint8_t *BinStream, size_t *size, int *clk, int *invert, int max if (*clk==0) return -1; if (start<0) return -1; if (*invert != 0 && *invert != 1) *invert =0; + if (amp==1) askAmp(BinStream, *size); + uint32_t initLoopMax = 200; if (initLoopMax > *size) initLoopMax=*size; // Detect high and lows - //25% fuzz in case highs and lows aren't clipped [marshmellow] + //25% clip in case highs and lows aren't clipped [marshmellow] + uint8_t clip = 75; int high, low, ans; - if (amp==1) askAmp(BinStream, *size); - ans = getHiLo(BinStream, initLoopMax, &high, &low, 75, 75); + ans = getHiLo(BinStream, initLoopMax, &high, &low, clip, clip); if (ans<1) return -1; //just noise + if (DetectCleanAskWave(BinStream, *size, high, low)) { + //PrintAndLog("Clean"); + return cleanAskRawDemod(BinStream, size, *clk, *invert, high, low); + } + //PrintAndLog("DEBUG - valid high: %d - valid low: %d",high,low); int lastBit = 0; //set first clock check uint32_t bitnum = 0; //output counter @@ -443,12 +448,13 @@ int askrawdemod(uint8_t *BinStream, size_t *size, int *clk, int *invert, int max uint32_t gLen = *size; if (gLen > 500) gLen=500; //if 0 errors allowed then only try first 2 clock cycles as we want a low tolerance - if (!maxErr) gLen=*clk*2; + if (!maxErr) gLen = *clk * 2; uint8_t errCnt =0; uint32_t bestStart = *size; uint32_t bestErrCnt = maxErr; //(*size/1000); uint8_t midBit=0; uint16_t MaxBits=1000; + //PrintAndLog("DEBUG - lastbit - %d",lastBit); //loop to find first wave that works for (iii=start; iii < gLen; ++iii){ @@ -619,7 +625,9 @@ size_t fsk_wave_demod(uint8_t * dest, size_t size, uint8_t fchigh, uint8_t fclow //do nothing with extra garbage } else if ((idx-last_transition) < (fchigh-1)) { //6-8 = 8 waves dest[numBits]=1; - } else { //9+ = 10 waves + } else if ((idx-last_transition) > (fchigh+1) && !numBits) { //12 + and first bit = garbage + //do nothing with beginning garbage + } else { //9+ = 10 waves dest[numBits]=0; } last_transition = idx; @@ -643,18 +651,31 @@ size_t aggregate_bits(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t maxCons uint32_t idx=0; size_t numBits=0; uint32_t n=1; - + float lowWaves = (((float)(rfLen))/((float)fclow)); + float highWaves = (((float)(rfLen))/((float)fchigh)); for( idx=1; idx < size; idx++) { if (dest[idx]==lastval) { n++; continue; } + n++; //if lastval was 1, we have a 1->0 crossing - if ( dest[idx-1]==1 ) { - n=myround2((float)(n+1)/((float)(rfLen)/(float)fclow)); - } else {// 0->1 crossing - n=myround2((float)(n+1)/((float)(rfLen-1)/(float)fchigh)); //-1 for fudge factor + if (dest[idx-1]==1) { + if (!numBits && n < (uint8_t)lowWaves) { + n=0; + lastval = dest[idx]; + continue; + } + n=myround2(((float)n)/lowWaves); + } else {// 0->1 crossing + //test first bitsample too small + if (!numBits && n < (uint8_t)highWaves) { + n=0; + lastval = dest[idx]; + continue; + } + n = myround2(((float)n)/highWaves); //-1 for fudge factor } if (n == 0) n = 1; @@ -670,6 +691,17 @@ size_t aggregate_bits(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t maxCons n=0; lastval=dest[idx]; }//end for + + // if valid extra bits at the end were all the same frequency - add them in + if (n > lowWaves && n > highWaves) { + if (dest[idx-2]==1) { + n=myround2((float)(n+1)/((float)(rfLen)/(float)fclow)); + } else { + n=myround2((float)(n+1)/((float)(rfLen-1)/(float)fchigh)); //-1 for fudge factor + } + memset(dest, dest[idx-1]^invert , n); + numBits += n; + } return numBits; } //by marshmellow (from holiman's base) @@ -858,18 +890,64 @@ uint8_t DetectCleanAskWave(uint8_t dest[], size_t size, int high, int low) { uint8_t allPeaks=1; uint16_t cntPeaks=0; - for (size_t i=20; i<255; i++){ + for (size_t i=30; i<255; i++){ if (dest[i]>low && dest[i]190) return 1; + if (cntPeaks>210) return 1; } return allPeaks; } +int DetectStrongAskClock(uint8_t dest[], size_t size) +{ + int clk[]={0,8,16,32,40,50,64,100,128,256}; + size_t idx = 40; + uint8_t high=0; + size_t cnt = 0; + size_t highCnt = 0; + size_t highCnt2 = 0; + for (;idx < size; idx++){ + if (dest[idx]>128) { + if (!high){ + high=1; + if (cnt > highCnt){ + if (highCnt != 0) highCnt2 = highCnt; + highCnt = cnt; + } else if (cnt > highCnt2) { + highCnt2 = cnt; + } + cnt=1; + } else { + cnt++; + } + } else if (dest[idx] <= 128){ + if (high) { + high=0; + if (cnt > highCnt) { + if (highCnt != 0) highCnt2 = highCnt; + highCnt = cnt; + } else if (cnt > highCnt2) { + highCnt2 = cnt; + } + cnt=1; + } else { + cnt++; + } + } + } + for (idx=8; idx>0; idx--){ + if (clk[idx] >= highCnt && clk[idx] <= highCnt+2) + return clk[idx]; + if (clk[idx] >= highCnt2 && clk[idx] <= highCnt2+2) + return clk[idx]; + } + return -1; +} + // by marshmellow // not perfect especially with lower clocks or VERY good antennas (heavy wave clipping) // maybe somehow adjust peak trimming value based on samples to fix? @@ -892,24 +970,14 @@ int DetectASKClock(uint8_t dest[], size_t size, int *clock, int maxErr) //test for large clean peaks if (DetectCleanAskWave(dest, size, peak, low)==1){ - uint16_t fcTest=0; - uint8_t mostFC=0; - fcTest=countFC(dest, size, &mostFC); - uint8_t fc1 = fcTest >> 8; - uint8_t fc2 = fcTest & 0xFF; - - for (i=0; i<8; i++){ - if (clk[i] == fc1) { - *clock=fc1; - return 0; - } - if (clk[i] == fc2) { - *clock=fc2; + int ans = DetectStrongAskClock(dest, size); + for (i=7; i>0; i--){ + if (clk[i] == ans) { + *clock=ans; return 0; } } } - int ii; int clkCnt; int tol = 0; @@ -923,6 +991,7 @@ int DetectASKClock(uint8_t dest[], size_t size, int *clock, int maxErr) }else{ tol=0; } + if (!maxErr) loopCnt=clk[clkCnt]*2; bestErr[clkCnt]=1000; //try lining up the peaks by moving starting point (try first 256) for (ii=0; ii < loopCnt; ii++){ @@ -1242,11 +1311,10 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) *clk = DetectNRZClock(dest, *size, *clk); if (*clk==0) return -2; uint32_t i; - int high, low, ans; - ans = getHiLo(dest, 1260, &high, &low, 75, 75); //25% fuzz on high 25% fuzz on low - if (ans<1) return -2; //just noise - uint32_t gLen = 256; + uint32_t gLen = 4096; if (gLen>*size) gLen = *size; + int high, low; + if (getHiLo(dest, gLen, &high, &low, 75, 75) < 1) return -3; //25% fuzz on high 25% fuzz on low int lastBit = 0; //set first clock check uint32_t bitnum = 0; //output counter uint8_t tol = 1; //clock tolerance adjust - waves will be accepted as within the clock if they fall + or - this value + clock from last valid wave @@ -1256,6 +1324,8 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) uint32_t bestErrCnt = maxErr+1; uint32_t bestPeakCnt = 0; uint32_t bestPeakStart=0; + uint8_t bestFirstPeakHigh=0; + uint8_t firstPeakHigh=0; uint8_t curBit=0; uint8_t bitHigh=0; uint8_t errBitHigh=0; @@ -1265,6 +1335,8 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) //loop to find first wave that works - align to clock for (iii=0; iii < gLen; ++iii){ if ((dest[iii]>=high) || (dest[iii]<=low)){ + if (dest[iii]>=high) firstPeakHigh=1; + else firstPeakHigh=0; lastBit=iii-*clk; peakCnt=0; errCnt=0; @@ -1315,6 +1387,7 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) //possible good read if (errCnt == 0){ //bestStart = iii; + bestFirstPeakHigh=firstPeakHigh; bestErrCnt = errCnt; bestPeakCnt = peakCnt; bestPeakStart = iii; @@ -1325,6 +1398,7 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) //bestStart = iii; } if (peakCnt > bestPeakCnt){ + bestFirstPeakHigh=firstPeakHigh; bestPeakCnt=peakCnt; bestPeakStart=iii; } @@ -1337,6 +1411,8 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) iii=bestPeakStart; lastBit=bestPeakStart-*clk; bitnum=0; + memset(dest, bestFirstPeakHigh^1, bestPeakStart / *clk); + bitnum += (bestPeakStart / *clk); for (i = iii; i < *size; ++i) { //if we found a high bar and we are at a clock bit if ((dest[i] >= high ) && (i>=lastBit+*clk-tol && i<=lastBit+*clk+tol)){ @@ -1386,12 +1462,12 @@ int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr) *size=bitnum; } else{ *size=bitnum; - return -1; + return bestErrCnt; } if (bitnum>16){ *size=bitnum; - } else return -1; + } else return -5; return errCnt; } @@ -1689,7 +1765,7 @@ int pskRawDemod(uint8_t dest[], size_t *size, int *clock, int *invert) errCnt=0; size_t numBits=0; //set skipped bits - memset(dest+numBits,curPhase^1,firstFullWave / *clock); + memset(dest,curPhase^1,firstFullWave / *clock); numBits += (firstFullWave / *clock); dest[numBits++] = curPhase; //set first read bit for (i = firstFullWave+fullWaveLen-1; i < *size-3; i++){ diff --git a/common/lfdemod.h b/common/lfdemod.h index 8e10a7df..46e2bdd5 100644 --- a/common/lfdemod.h +++ b/common/lfdemod.h @@ -16,6 +16,7 @@ #include int DetectASKClock(uint8_t dest[], size_t size, int *clock, int maxErr); +uint8_t DetectCleanAskWave(uint8_t dest[], size_t size, int high, int low); int askmandemod(uint8_t *BinStream, size_t *size, int *clk, int *invert, int maxErr); uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo); //uint64_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx); @@ -47,5 +48,6 @@ uint8_t justNoise(uint8_t *BitStream, size_t size); uint8_t countPSK_FC(uint8_t *BitStream, size_t size); int pskRawDemod(uint8_t dest[], size_t *size, int *clock, int *invert); int DetectPSKClock(uint8_t dest[], size_t size, int clock); +void askAmp(uint8_t *BitStream, size_t size); #endif -- 2.39.5