From 1d0ccbe04b6d04cc4e05aeb9bbcb7b7fa0cfdbd1 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 27 Oct 2015 21:47:21 +0100 Subject: [PATCH] ADD: added the "hf snoop" patch original from @Enio, rearranged by @Etmatrix. ADD: added the "t55x7" refactoring by @marshmellow42 --- armsrc/Makefile | 8 +- armsrc/appmain.c | 10 +- armsrc/apps.h | 6 +- armsrc/fpgaloader.h | 1 + armsrc/hfsnoop.c | 76 +++++++ armsrc/lfops.c | 392 +++++++++-------------------------- armsrc/lfsampling.c | 36 ++-- client/cmdhf.c | 9 + client/cmdhfmfdes.c | 2 +- client/cmdhfmfu.c | 116 ++++++----- client/cmdlft55xx.c | 388 ++++++++++++++++++---------------- client/cmdlft55xx.h | 2 +- client/hid-flasher/usb_cmd.h | 2 + client/lualibs/commands.lua | 5 +- client/scripting.c | 2 +- common/Makefile.common | 3 +- common/lfdemod.c | 10 + common/lfdemod.h | 1 + common/protocols.c | 67 +++--- common/protocols.h | 55 ++++- fpga/Makefile | 2 +- fpga/fpga_hf.v | 34 ++- fpga/hi_sniffer.v | 77 +++++++ include/usb_cmd.h | 2 + 24 files changed, 703 insertions(+), 603 deletions(-) create mode 100644 armsrc/hfsnoop.c create mode 100644 fpga/hi_sniffer.v diff --git a/armsrc/Makefile b/armsrc/Makefile index b6b80c12..ddcff33b 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -10,12 +10,12 @@ APP_INCLUDES = apps.h #remove one of the following defines and comment out the relevant line #in the next section to remove that particular feature from compilation -APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE \ +APP_CFLAGS = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \ -fno-strict-aliasing -ffunction-sections -fdata-sections #-DWITH_LCD #SRC_LCD = fonts.c LCD.c -SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c +SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c lfdemod.c protocols.c SRC_ISO15693 = iso15693.c iso15693tools.c SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c SRC_ISO14443b = iso14443b.c @@ -52,7 +52,6 @@ THUMBSRC = start.c \ # These are to be compiled in ARM mode ARMSRC = fpgaloader.c \ legicrf.c \ - lfdemod.c \ $(SRC_ISO14443a) \ $(SRC_ISO14443b) \ $(SRC_CRAPTO1) \ @@ -60,7 +59,8 @@ ARMSRC = fpgaloader.c \ legic_prng.c \ iclass.c \ BigBuf.c \ - optimized_cipher.c + optimized_cipher.c \ + hfsnoop.c # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC include ../common/Makefile.common diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 8b8f2594..b4eab733 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -985,9 +985,6 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_T55XX_WRITE_BLOCK: T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); break; - case CMD_T55XX_READ_TRACE: - T55xxReadTrace(); - break; case CMD_T55XX_WAKEUP: T55xxWakeUp(c->arg[0]); break; @@ -1236,6 +1233,11 @@ void UsbPacketReceived(uint8_t *packet, int len) iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes); break; #endif +#ifdef WITH_HFSNOOP + case CMD_HF_SNIFFER: + HfSnoop(c->arg[0], c->arg[1]); + break; +#endif case CMD_BUFF_CLEAR: BigBuf_Clear(); @@ -1372,7 +1374,7 @@ void __attribute__((noreturn)) AppMain(void) AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0; // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK | - AT91C_PMC_PRES_CLK_4; + AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0; // Reset SPI diff --git a/armsrc/apps.h b/armsrc/apps.h index 7039ab5b..556581f8 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -86,11 +86,10 @@ void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an ioPro void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen); void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo); -void CopyIndala64toT55x7(int hi, int lo); // Clone Indala 64-bit tag by UID to T55x7 -void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7); // Clone Indala 224-bit tag by UID to T55x7 +void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7 +void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7 void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode); void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd); -void T55xxReadTrace(void); void T55xxWakeUp(uint32_t Pwd); void TurnReadLFOn(); void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode); @@ -208,5 +207,6 @@ bool cmd_receive(UsbCommand* cmd); bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len); /// util.h +void HfSnoop(int , int); #endif diff --git a/armsrc/fpgaloader.h b/armsrc/fpgaloader.h index 52d6c677..35f7e37c 100644 --- a/armsrc/fpgaloader.h +++ b/armsrc/fpgaloader.h @@ -43,6 +43,7 @@ void SetAdcMuxFor(uint32_t whichGpio); #define FPGA_MAJOR_MODE_HF_READER_RX_XCORR (1<<5) #define FPGA_MAJOR_MODE_HF_SIMULATOR (2<<5) #define FPGA_MAJOR_MODE_HF_ISO14443A (3<<5) +#define FPGA_MAJOR_MODE_HF_SNOOP (4<<5) // BOTH #define FPGA_MAJOR_MODE_OFF (7<<5) // Options for LF_ADC diff --git a/armsrc/hfsnoop.c b/armsrc/hfsnoop.c new file mode 100644 index 00000000..b7d69013 --- /dev/null +++ b/armsrc/hfsnoop.c @@ -0,0 +1,76 @@ +#include "proxmark3.h" +#include "apps.h" +#include "BigBuf.h" +#include "util.h" + +static void RAMFUNC optimizedSnoop(void); + +static void RAMFUNC optimizedSnoop(void) +{ + BigBuf_free(); + int n = BigBuf_max_traceLen() / sizeof(uint16_t); // take all memory + + uint16_t *dest = (uint16_t *)BigBuf_get_addr(); + uint16_t *destend = dest + n; + + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame mode, 16 bits per word + // Reading data loop + while(dest <= destend) + { + if(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) + { + *dest = (uint16_t)(AT91C_BASE_SSC->SSC_RHR); + dest = dest + 1; + } + } + //Resetting Frame mode (First set in fpgaloader.c) + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(8) | AT91C_SSC_MSBF | SSC_FRAME_MODE_WORDS_PER_TRANSFER(0); +} + +void HfSnoop(int samplesToSkip, int triggersToSkip) +{ + Dbprintf("Skipping first %d sample pairs, Skipping %d triggers.\n", samplesToSkip, triggersToSkip); + bool trigger_cnt; + LED_D_ON(); + // Select correct configs + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + // Set up the synchronous serial port + FpgaSetupSsc(); + // connect Demodulated Signal to ADC: + SetAdcMuxFor(GPIO_MUXSEL_HIPKD); + FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SNOOP); + SpinDelay(100); + + AT91C_BASE_SSC->SSC_RFMR = SSC_FRAME_MODE_BITS_IN_WORD(16); // Setting Frame Mode For better performance on high speed data transfer. + + trigger_cnt = 0; + uint16_t r = 0; + while(!BUTTON_PRESS()) { + WDT_HIT(); + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + r = (uint16_t)AT91C_BASE_SSC->SSC_RHR; + if (!(trigger_cnt == triggersToSkip) && ( (r >> 8) >= 240)) + { + Dbprintf("Trigger kicked! Value: %d.", r >> 8); + trigger_cnt++; + break; + } + } + } + if(!BUTTON_PRESS()) { + Dbprintf("Trigger kicked! Value: %d, Dumping Samples Hispeed now.", r >> 8); + int waitcount = samplesToSkip; // lets wait 40000 ticks of pck0 + while(waitcount != 0) { + if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { + waitcount--; + } + } + + optimizedSnoop(); + } + + DbpString("HF Snoop end"); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + LED_D_OFF(); +} + diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 1d452fd3..0472122a 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -16,8 +16,8 @@ #include "string.h" #include "lfdemod.h" #include "lfsampling.h" -#include "usb_cdc.h" - +#include "protocols.h" +#include "usb_cdc.h" //test /** * Function to do a modulation and then get samples. @@ -1053,61 +1053,9 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) /*------------------------------ * T5555/T5557/T5567 routines *------------------------------ - */ - -/* T55x7 configuration register definitions */ -#define T55x7_POR_DELAY 0x00000001 -#define T55x7_ST_TERMINATOR 0x00000008 -#define T55x7_PWD 0x00000010 -#define T55x7_MAXBLOCK_SHIFT 5 -#define T55x7_AOR 0x00000200 -#define T55x7_PSKCF_RF_2 0 -#define T55x7_PSKCF_RF_4 0x00000400 -#define T55x7_PSKCF_RF_8 0x00000800 -#define T55x7_MODULATION_DIRECT 0 -#define T55x7_MODULATION_PSK1 0x00001000 -#define T55x7_MODULATION_PSK2 0x00002000 -#define T55x7_MODULATION_PSK3 0x00003000 -#define T55x7_MODULATION_FSK1 0x00004000 -#define T55x7_MODULATION_FSK2 0x00005000 -#define T55x7_MODULATION_FSK1a 0x00006000 -#define T55x7_MODULATION_FSK2a 0x00007000 -#define T55x7_MODULATION_MANCHESTER 0x00008000 -#define T55x7_MODULATION_BIPHASE 0x00010000 -#define T55x7_MODULATION_DIPHASE 0x00018000 -//#define T55x7_MODULATION_BIPHASE57 0x00011000 -#define T55x7_BITRATE_RF_8 0 -#define T55x7_BITRATE_RF_16 0x00040000 -#define T55x7_BITRATE_RF_32 0x00080000 -#define T55x7_BITRATE_RF_40 0x000C0000 -#define T55x7_BITRATE_RF_50 0x00100000 -#define T55x7_BITRATE_RF_64 0x00140000 -#define T55x7_BITRATE_RF_100 0x00180000 -#define T55x7_BITRATE_RF_128 0x001C0000 - -/* T5555 (Q5) configuration register definitions */ -#define T5555_ST_TERMINATOR 0x00000001 -#define T5555_MAXBLOCK_SHIFT 0x00000001 -#define T5555_MODULATION_MANCHESTER 0 -#define T5555_MODULATION_PSK1 0x00000010 -#define T5555_MODULATION_PSK2 0x00000020 -#define T5555_MODULATION_PSK3 0x00000030 -#define T5555_MODULATION_FSK1 0x00000040 -#define T5555_MODULATION_FSK2 0x00000050 -#define T5555_MODULATION_BIPHASE 0x00000060 -#define T5555_MODULATION_DIRECT 0x00000070 -#define T5555_INVERT_OUTPUT 0x00000080 -#define T5555_PSK_RF_2 0 -#define T5555_PSK_RF_4 0x00000100 -#define T5555_PSK_RF_8 0x00000200 -#define T5555_USE_PWD 0x00000400 -#define T5555_USE_AOR 0x00000800 -#define T5555_BITRATE_SHIFT 12 -#define T5555_FAST_WRITE 0x00004000 -#define T5555_PAGE_SELECT 0x00008000 - -/* - * Relevant times in microsecond + * NOTE: T55x7/T5555 configuration register definitions moved to protocols.h + * + * Relevant communication times in microsecond * To compensate antenna falling times shorten the write times * and enlarge the gap ones. * Q5 tags seems to have issues when these values changes. @@ -1136,24 +1084,29 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) void TurnReadLFOn(int delay) { FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); // Give it a bit of time for the resonant antenna to settle. - SpinDelayUs(delay); //155*8 //50*8 + + // measure antenna strength. + //int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10); + // where to save it + + SpinDelayUs(delay); } // Write one bit to card void T55xxWriteBit(int bit) { - FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); if (!bit) - SpinDelayUs(WRITE_0); + TurnReadLFOn(WRITE_0); else - SpinDelayUs(WRITE_1); + TurnReadLFOn(WRITE_1); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(WRITE_GAP); } // Write one card block in page 0, no lock -void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode) { +void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) { LED_A_ON(); - + bool PwdMode = arg & 0x1; + uint8_t Page = (arg & 0x2)>>1; uint32_t i = 0; // Set up FPGA, 125kHz @@ -1165,8 +1118,7 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod // Opcode 10 T55xxWriteBit(1); - T55xxWriteBit(0); //Page 0 - + T55xxWriteBit(Page); //Page 0 if (PwdMode){ // Send Pwd for (i = 0x80000000; i != 0; i >>= 1) @@ -1186,20 +1138,24 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMod // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550, // so wait a little more) TurnReadLFOn(20 * 1000); + //could attempt to do a read to confirm write took + // as the tag should repeat back the new block + // until it is reset, but to confirm it we would + // need to know the current block 0 config mode // turn field off FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); cmd_send(CMD_ACK,0,0,0,0,0); LED_A_OFF(); - LED_B_OFF(); } // Read one card block in page 0 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) { LED_A_ON(); - uint8_t PwdMode = arg0 & 0x01; - uint8_t Page = arg0 & 0x02; + bool PwdMode = arg0 & 0x1; + uint8_t Page = (arg0 & 0x2) >> 1; uint32_t i = 0; + bool RegReadMode = (Block == 0xFF); //clear buffer now so it does not interfere with timing later BigBuf_Clear_ext(false); @@ -1207,14 +1163,14 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) { //make sure block is at max 7 Block &= 0x7; - // Set up FPGA, 125kHz + // Set up FPGA, 125kHz to power up the tag LFSetupFPGAForADC(95, true); - // Trigger T55x7 Direct Access Mode + // Trigger T55x7 Direct Access Mode with start gap FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); SpinDelayUs(START_GAP); - // Opcode 10 + // Opcode 1[page] T55xxWriteBit(1); T55xxWriteBit(Page); //Page 0 @@ -1223,11 +1179,11 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) { for (i = 0x80000000; i != 0; i >>= 1) T55xxWriteBit(Pwd & i); } - // Send a zero bit separation T55xxWriteBit(0); - // Send Block number + // Send Block number (if direct access mode) + if (!RegReadMode) for (i = 0x04; i != 0; i >>= 1) T55xxWriteBit(Block & i); @@ -1237,54 +1193,10 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) { // Acquisition doT55x7Acquisition(); - // turn field off - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + // Turn the field off + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off cmd_send(CMD_ACK,0,0,0,0,0); LED_A_OFF(); - LED_B_OFF(); -} - -// Read card traceability data (page 1) -void T55xxReadTrace(void){ - // LED_A_ON(); - - // uint8_t PwdMode = arg0 & 0xFF; - // uint32_t i = 0; - - // //clear buffer now so it does not interfere with timing later - // BigBuf_Clear_ext(false); - - // // Set up FPGA, 125kHz - // LFSetupFPGAForADC(95, true); - - // // Trigger T55x7 Direct Access Mode - // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - // SpinDelayUs(START_GAP); - - // // Opcode 11 - // T55xxWriteBit(1); - // T55xxWriteBit(1); //Page 1 - - // if (PwdMode){ - // // Send Pwd - // for (i = 0x80000000; i != 0; i >>= 1) - // T55xxWriteBit(Pwd & i); - // } - - // // Send a zero bit separation - // T55xxWriteBit(0); - - // // Turn field on to read the response - // TurnReadLFOn(READ_GAP); - - // // Acquisition - // doT55x7Acquisition(); - - // // turn field off - // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - // cmd_send(CMD_ACK,0,0,0,0,0); - // LED_A_OFF(); - // LED_B_OFF(); } void T55xxWakeUp(uint32_t Pwd){ @@ -1306,16 +1218,23 @@ void T55xxWakeUp(uint32_t Pwd){ for (i = 0x80000000; i != 0; i >>= 1) T55xxWriteBit(Pwd & i); - // Turn field on to read the response + // Turn and leave field on to let the begin repeating transmission TurnReadLFOn(20*1000); } /*-------------- Cloning routines -----------*/ + +void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) { + // write last block first and config block last (if included) + for (uint8_t i = numblocks; i > startblock; i--) + T55xxWriteBlock(blockdata[i-1],i-1,0,0); +} + // Copy HID id to card and setup block 0 config -void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) -{ - int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format - int last_block = 0; +void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) { + uint32_t data[] = {0,0,0,0,0,0,0}; + //int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format + uint8_t last_block = 0; if (longFMT){ // Ensure no more than 84 bits supplied @@ -1325,108 +1244,34 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) } // Build the 6 data blocks for supplied 84bit ID last_block = 6; - data1 = 0x1D96A900; // load preamble (1D) & long format identifier (9E manchester encoded) - for (int i=0;i<4;i++) { - if (hi2 & (1<<(19-i))) - data1 |= (1<<(((3-i)*2)+1)); // 1 -> 10 - else - data1 |= (1<<((3-i)*2)); // 0 -> 01 - } - - data2 = 0; - for (int i=0;i<16;i++) { - if (hi2 & (1<<(15-i))) - data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data2 |= (1<<((15-i)*2)); // 0 -> 01 - } - - data3 = 0; - for (int i=0;i<16;i++) { - if (hi & (1<<(31-i))) - data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data3 |= (1<<((15-i)*2)); // 0 -> 01 - } - - data4 = 0; - for (int i=0;i<16;i++) { - if (hi & (1<<(15-i))) - data4 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data4 |= (1<<((15-i)*2)); // 0 -> 01 - } - - data5 = 0; - for (int i=0;i<16;i++) { - if (lo & (1<<(31-i))) - data5 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data5 |= (1<<((15-i)*2)); // 0 -> 01 - } - - data6 = 0; - for (int i=0;i<16;i++) { - if (lo & (1<<(15-i))) - data6 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data6 |= (1<<((15-i)*2)); // 0 -> 01 - } - } - else { + // load preamble (1D) & long format identifier (9E manchester encoded) + data[1] = 0x1D96A900 | manchesterEncode2Bytes((hi2 >> 16) & 0xF); + // load raw id from hi2, hi, lo to data blocks (manchester encoded) + data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF); + data[3] = manchesterEncode2Bytes(hi >> 16); + data[4] = manchesterEncode2Bytes(hi & 0xFFFF); + data[5] = manchesterEncode2Bytes(lo >> 16); + data[6] = manchesterEncode2Bytes(lo & 0xFFFF); + } else { // Ensure no more than 44 bits supplied if (hi>0xFFF) { DbpString("Tags can only have 44 bits."); return; } - // Build the 3 data blocks for supplied 44bit ID last_block = 3; - - data1 = 0x1D000000; // load preamble - - for (int i=0;i<12;i++) { - if (hi & (1<<(11-i))) - data1 |= (1<<(((11-i)*2)+1)); // 1 -> 10 - else - data1 |= (1<<((11-i)*2)); // 0 -> 01 - } - - data2 = 0; - for (int i=0;i<16;i++) { - if (lo & (1<<(31-i))) - data2 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data2 |= (1<<((15-i)*2)); // 0 -> 01 - } - - data3 = 0; - for (int i=0;i<16;i++) { - if (lo & (1<<(15-i))) - data3 |= (1<<(((15-i)*2)+1)); // 1 -> 10 - else - data3 |= (1<<((15-i)*2)); // 0 -> 01 - } + // load preamble + data[1] = 0x1D000000 | manchesterEncode2Bytes(hi & 0xFFF); + data[2] = manchesterEncode2Bytes(lo >> 16); + data[3] = manchesterEncode2Bytes(lo & 0xFFFF); } + // load chip config block + data[0] = T55x7_BITRATE_RF_50 | T55x7_MODULATION_FSK2a | last_block << T55x7_MAXBLOCK_SHIFT; LED_D_ON(); // Program the data blocks for supplied ID // and the block 0 for HID format - T55xxWriteBlock(data1,1,0,0); - T55xxWriteBlock(data2,2,0,0); - T55xxWriteBlock(data3,3,0,0); - - if (longFMT) { // if long format there are 6 blocks - T55xxWriteBlock(data4,4,0,0); - T55xxWriteBlock(data5,5,0,0); - T55xxWriteBlock(data6,6,0,0); - } - - // Config for HID (RF/50, FSK2a, Maxblock=3 for short/6 for long) - T55xxWriteBlock(T55x7_BITRATE_RF_50 | - T55x7_MODULATION_FSK2a | - last_block << T55x7_MAXBLOCK_SHIFT, - 0,0,0); + WriteT55xx(data, 0, last_block+1); LED_D_OFF(); @@ -1435,24 +1280,42 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT) { - int data1=0, data2=0; //up to six blocks for long format - - data1 = hi; // load preamble - data2 = lo; + uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo}; LED_D_ON(); // Program the data blocks for supplied ID - // and the block 0 for HID format - T55xxWriteBlock(data1,1,0,0); - T55xxWriteBlock(data2,2,0,0); + // and the block 0 config + WriteT55xx(data, 0, 3); - //Config Block - T55xxWriteBlock(0x00147040,0,0,0); LED_D_OFF(); DbpString("DONE!"); } +// Clone Indala 64-bit tag by UID to T55x7 +void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) { + //Program the 2 data blocks for supplied 64bit UID + // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2) + uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo}; + WriteT55xx(data, 0, 3); + //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data) + // T5567WriteBlock(0x603E1042,0); + DbpString("DONE!"); +} +// Clone Indala 224-bit tag by UID to T55x7 +void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) +{ + //Program the 7 data blocks for supplied 224bit UID + uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7}; + // and the block 0 for Indala224 format + //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7) + data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT); + WriteT55xx(data, 0, 8); + //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data) + // T5567WriteBlock(0x603E10E2,0); + DbpString("DONE!"); +} + // Define 9bit header for EM410x tags #define EM410X_HEADER 0x1FF #define EM410X_ID_LENGTH 40 @@ -1518,94 +1381,29 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) LED_D_ON(); // Write EM410x ID - T55xxWriteBlock((uint32_t)(id >> 32), 1, 0, 0); - T55xxWriteBlock((uint32_t)id, 2, 0, 0); - - // Config for EM410x (RF/64, Manchester, Maxblock=2) + uint32_t data[] = {0, id>>32, id & 0xFFFF}; if (card) { - // Clock rate is stored in bits 8-15 of the card value clock = (card & 0xFF00) >> 8; + clock = (clock == 0) ? 64 : clock; Dbprintf("Clock rate: %d", clock); - switch (clock) { - case 50: - clock = T55x7_BITRATE_RF_50; - case 40: - clock = T55x7_BITRATE_RF_40; - case 32: - clock = T55x7_BITRATE_RF_32; - break; - case 16: - clock = T55x7_BITRATE_RF_16; - break; - case 0: - // A value of 0 is assumed to be 64 for backwards-compatibility - // Fall through... - case 64: - clock = T55x7_BITRATE_RF_64; - break; - default: + clock = GetT55xxClockBit(clock); + if (clock == 0) { Dbprintf("Invalid clock rate: %d", clock); return; } - // Writing configuration for T55x7 tag - T55xxWriteBlock(clock | - T55x7_MODULATION_MANCHESTER | - 2 << T55x7_MAXBLOCK_SHIFT, - 0, 0, 0); + data[0] = clock | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT); + } else { + data[0] = (0x1F << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT); } - else - // Writing configuration for T5555(Q5) tag - T55xxWriteBlock(0x1F << T5555_BITRATE_SHIFT | - T5555_MODULATION_MANCHESTER | - 2 << T5555_MAXBLOCK_SHIFT, - 0, 0, 0); + + WriteT55xx(data, 0, 3); LED_D_OFF(); Dbprintf("Tag %s written with 0x%08x%08x\n", card ? "T55x7":"T5555", (uint32_t)(id >> 32), (uint32_t)id); } -// Clone Indala 64-bit tag by UID to T55x7 -void CopyIndala64toT55x7(int hi, int lo) -{ - //Program the 2 data blocks for supplied 64bit UID - // and the block 0 for Indala64 format - T55xxWriteBlock(hi,1,0,0); - T55xxWriteBlock(lo,2,0,0); - //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=2) - T55xxWriteBlock(T55x7_BITRATE_RF_32 | - T55x7_MODULATION_PSK1 | - 2 << T55x7_MAXBLOCK_SHIFT, - 0, 0, 0); - //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data) - // T5567WriteBlock(0x603E1042,0); - - DbpString("DONE!"); -} - -void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7) -{ - //Program the 7 data blocks for supplied 224bit UID - // and the block 0 for Indala224 format - T55xxWriteBlock(uid1,1,0,0); - T55xxWriteBlock(uid2,2,0,0); - T55xxWriteBlock(uid3,3,0,0); - T55xxWriteBlock(uid4,4,0,0); - T55xxWriteBlock(uid5,5,0,0); - T55xxWriteBlock(uid6,6,0,0); - T55xxWriteBlock(uid7,7,0,0); - //Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7) - T55xxWriteBlock(T55x7_BITRATE_RF_32 | - T55x7_MODULATION_PSK1 | - 7 << T55x7_MAXBLOCK_SHIFT, - 0,0,0); - //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data) - // T5567WriteBlock(0x603E10E2,0); - - DbpString("DONE!"); -} - //----------------------------------- // EM4469 / EM4305 routines //----------------------------------- diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index 83579cca..2a763a50 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -255,9 +255,8 @@ uint32_t SnoopLF() { void doT55x7Acquisition(void){ #define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..) - #define T55xx_UPPER_THRESHOLD 128+40 // 50 + #define T55xx_READ_UPPER_THRESHOLD 128+40 // 50 #define T55xx_READ_TOL 5 - #define T55xx_LOWER_THRESHOLD 128-40 //-50 uint8_t *dest = BigBuf_get_addr(); uint16_t bufsize = BigBuf_max_traceLen(); @@ -265,40 +264,43 @@ void doT55x7Acquisition(void){ if ( bufsize > T55xx_SAMPLES_SIZE ) bufsize = T55xx_SAMPLES_SIZE; + //int adcval = 0; uint16_t i = 0; bool startFound = false; bool highFound = false; - uint8_t sample = 0; + uint8_t curSample = 0; uint8_t firstSample = 0; - while(!BUTTON_PRESS()) { + uint16_t skipCnt = 0; + while(!BUTTON_PRESS() && skipCnt<1000) { WDT_HIT(); if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { - AT91C_BASE_SSC->SSC_THR = 0x00; + AT91C_BASE_SSC->SSC_THR = 0x43; LED_D_ON(); } if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { - sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; LED_D_OFF(); // find first high sample - if (!startFound && sample > T55xx_UPPER_THRESHOLD) { - if (sample > firstSample) - firstSample = sample; - highFound = TRUE; + if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) { + if (curSample > firstSample) + firstSample = curSample; + highFound = true; } else if (!highFound) { + skipCnt++; continue; } // skip until samples begin to change - if (startFound || sample < firstSample - T55xx_READ_TOL){ + if (startFound || curSample < firstSample-T55xx_READ_TOL){ if (!startFound) dest[i++] = firstSample; - startFound = TRUE; - dest[i++] = sample; - - // exit condition. - if (i >= bufsize) break; + startFound = true; + dest[i++] = curSample; + if (i >= bufsize-1) break; } } + } -} \ No newline at end of file +} + \ No newline at end of file diff --git a/client/cmdhf.c b/client/cmdhf.c index 4a871586..d0b1f01c 100644 --- a/client/cmdhf.c +++ b/client/cmdhf.c @@ -736,6 +736,14 @@ int CmdHFSearch(const char *Cmd){ return 0; } +int CmdHFSnoop(const char *Cmd) +{ + char * pEnd; + UsbCommand c = {CMD_HF_SNIFFER, {strtol(Cmd, &pEnd,0),strtol(pEnd, &pEnd,0),0}}; + SendCommand(&c); + return 0; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, @@ -752,6 +760,7 @@ static command_t CommandTable[] = {"tune", CmdHFTune, 0, "Continuously measure HF antenna tuning"}, {"list", CmdHFList, 1, "List protocol data in trace buffer"}, {"search", CmdHFSearch, 1, "Search for known HF tags [preliminary]"}, + {"snoop", CmdHFSnoop, 0, " Generic LF/HF Snoop in Testing stage"}, {NULL, NULL, 0, NULL} }; diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index fd06791f..4aeeffd9 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -611,7 +611,7 @@ int CmdHF14ADesAuth(const char *Cmd){ c.d.asBytes[0] = keylength; memcpy(c.d.asBytes+1, key, keylength); - + clearCommandBuffer(); SendCommand(&c); UsbCommand resp; diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index 5bb9a91e..07609339 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -1209,7 +1209,49 @@ int usage_hf_mfu_eload(void) { return 0; } +int usage_hf_mfu_ucauth(void) { + PrintAndLog("Usage: hf mfu cauth k "); + PrintAndLog(" 0 (default): 3DES standard key"); + PrintAndLog(" 1 : all 0x00 key"); + PrintAndLog(" 2 : 0x00-0x0F key"); + PrintAndLog(" 3 : nfc key"); + PrintAndLog(" 4 : all 0x01 key"); + PrintAndLog(" 5 : all 0xff key"); + PrintAndLog(" 6 : 0x00-0xFF key"); + PrintAndLog("\n sample : hf mfu cauth k"); + PrintAndLog(" : hf mfu cauth k 3"); + return 0; +} + +int usage_hf_mfu_ucsetpwd(void) { + PrintAndLog("Usage: hf mfu setpwd "); + PrintAndLog(" [password] - (32 hex symbols)"); + PrintAndLog(""); + PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f"); + PrintAndLog(""); + return 0; +} + +int usage_hf_mfu_ucsetuid(void) { + PrintAndLog("Usage: hf mfu setuid "); + PrintAndLog(" [uid] - (14 hex symbols)"); + PrintAndLog("\nThis only works for Magic Ultralight tags."); + PrintAndLog(""); + PrintAndLog("sample: hf mfu setuid 11223344556677"); + PrintAndLog(""); + return 0; +} + +int usage_hf_mfu_gendiverse(void){ + PrintAndLog("Usage: hf mfu gen "); + PrintAndLog(""); + PrintAndLog("sample: hf mfu gen 11223344"); + PrintAndLog(""); + return 0; +} + // + // Mifare Ultralight / Ultralight-C / Ultralight-EV1 // Read and Dump Card Contents, using auto detection of tag size. int CmdHF14AMfUDump(const char *Cmd){ @@ -1455,6 +1497,7 @@ int CmdHF14AMfUDump(const char *Cmd){ // Ultralight C Methods //------------------------------------------------------------------------------- + // // Ultralight C Authentication Demo {currently uses hard-coded key} // @@ -1472,22 +1515,9 @@ int CmdHF14AMfucAuth(const char *Cmd){ errors = true; } - if (cmdp == 'h' || cmdp == 'H') - errors = true; + if (cmdp == 'h' || cmdp == 'H') errors = true; - if (errors) { - PrintAndLog("Usage: hf mfu cauth k "); - PrintAndLog(" 0 (default): 3DES standard key"); - PrintAndLog(" 1 : all 0x00 key"); - PrintAndLog(" 2 : 0x00-0x0F key"); - PrintAndLog(" 3 : nfc key"); - PrintAndLog(" 4 : all 0x01 key"); - PrintAndLog(" 5 : all 0xff key"); - PrintAndLog(" 6 : 0x00-0xFF key"); - PrintAndLog("\n sample : hf mfu cauth k"); - PrintAndLog(" : hf mfu cauth k 3"); - return 0; - } + if (errors) return usage_hf_mfu_ucauth(); uint8_t *key = default_3des_keys[keyNo]; if (ulc_authentication(key, true)) @@ -1601,17 +1631,9 @@ int CmdTestDES(const char * cmd) int CmdHF14AMfucSetPwd(const char *Cmd){ uint8_t pwd[16] = {0x00}; - char cmdp = param_getchar(Cmd, 0); - if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') { - PrintAndLog("Usage: hf mfu setpwd "); - PrintAndLog(" [password] - (32 hex symbols)"); - PrintAndLog(""); - PrintAndLog("sample: hf mfu setpwd 000102030405060708090a0b0c0d0e0f"); - PrintAndLog(""); - return 0; - } + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetpwd(); if (param_gethex(Cmd, 0, pwd, 32)) { PrintAndLog("Password must include 32 HEX symbols"); @@ -1624,7 +1646,6 @@ int CmdHF14AMfucSetPwd(const char *Cmd){ SendCommand(&c); UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { if ( (resp.arg[0] & 0xff) == 1) PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16)); @@ -1636,8 +1657,7 @@ int CmdHF14AMfucSetPwd(const char *Cmd){ else { PrintAndLog("command execution time out"); return 1; - } - + } return 0; } @@ -1650,17 +1670,8 @@ int CmdHF14AMfucSetUid(const char *Cmd){ UsbCommand resp; uint8_t uid[7] = {0x00}; char cmdp = param_getchar(Cmd, 0); - - if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') { - PrintAndLog("Usage: hf mfu setuid "); - PrintAndLog(" [uid] - (14 hex symbols)"); - PrintAndLog("\nThis only works for Magic Ultralight tags."); - PrintAndLog(""); - PrintAndLog("sample: hf mfu setuid 11223344556677"); - PrintAndLog(""); - return 0; - } - + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_ucsetuid(); + if (param_gethex(Cmd, 0, uid, 14)) { PrintAndLog("UID must include 14 HEX symbols"); return 1; @@ -1724,14 +1735,20 @@ int CmdHF14AMfucSetUid(const char *Cmd){ } int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ + + uint8_t uid[4]; + + char cmdp = param_getchar(Cmd, 0); + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_hf_mfu_gendiverse(); + + if (param_gethex(Cmd, 0, uid, 8)) { + PrintAndLog("UID must include 8 HEX symbols"); + return 1; + } uint8_t iv[8] = { 0x00 }; - uint8_t block = 0x07; + uint8_t block = 0x01; - // UL-EV1 - //04 57 b6 e2 05 3f 80 UID - //4a f8 4b 19 PWD - uint8_t uid[] = { 0xF4,0xEA, 0x54, 0x8E }; uint8_t mifarekeyA[] = { 0xA0,0xA1,0xA2,0xA3,0xA4,0xA5 }; uint8_t mifarekeyB[] = { 0xB0,0xB1,0xB2,0xB3,0xB4,0xB5 }; uint8_t dkeyA[8] = { 0x00 }; @@ -1760,15 +1777,13 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ , divkey // output ); - PrintAndLog("3DES version"); + PrintAndLog("-- 3DES version"); PrintAndLog("Masterkey :\t %s", sprint_hex(masterkey,sizeof(masterkey))); PrintAndLog("UID :\t %s", sprint_hex(uid, sizeof(uid))); - PrintAndLog("Sector :\t %0d", block); + PrintAndLog("block :\t %0d", block); PrintAndLog("Mifare key :\t %s", sprint_hex(mifarekeyA, sizeof(mifarekeyA))); PrintAndLog("Message :\t %s", sprint_hex(mix, sizeof(mix))); PrintAndLog("Diversified key: %s", sprint_hex(divkey+1, 6)); - - PrintAndLog("\n DES version"); for (int i=0; i < sizeof(mifarekeyA); ++i){ dkeyA[i] = (mifarekeyA[i] << 1) & 0xff; @@ -1798,20 +1813,19 @@ int CmdHF14AMfuGenDiverseKeys(const char *Cmd){ , newpwd // output ); + PrintAndLog("\n-- DES version"); PrintAndLog("Mifare dkeyA :\t %s", sprint_hex(dkeyA, sizeof(dkeyA))); PrintAndLog("Mifare dkeyB :\t %s", sprint_hex(dkeyB, sizeof(dkeyB))); PrintAndLog("Mifare ABA :\t %s", sprint_hex(dmkey, sizeof(dmkey))); PrintAndLog("Mifare Pwd :\t %s", sprint_hex(newpwd, sizeof(newpwd))); + // next. from the diversify_key method. return 0; } // static uint8_t * diversify_key(uint8_t * key){ - // for(int i=0; i<16; i++){ - // if(i<=6) key[i]^=cuid[i]; - // if(i>6) key[i]^=cuid[i%7]; - // } + // return key; // } diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index f3add53d..100170e3 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -26,9 +26,11 @@ #include "../common/iso14443crc.h" #include "cmdhf14a.h" -#define CONFIGURATION_BLOCK 0x00 -#define TRACE_BLOCK 0x01 +#define T55x7_CONFIGURATION_BLOCK 0x00 +#define T55x7_PAGE0 0x00 +#define T55x7_PAGE1 0x01 #define T55x7_PWD 0x00000010 +#define REGULAR_READ_MODE_BLOCK 0xFF // Default configuration t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00}; @@ -50,11 +52,12 @@ int usage_t55xx_config(){ return 0; } int usage_t55xx_read(){ - PrintAndLog("Usage: lf t55xx read b p "); + PrintAndLog("Usage: lf t55xx read [b ] [p ] "); PrintAndLog("Options:"); - PrintAndLog(" b , block number to read. Between 0-7"); - PrintAndLog(" p , OPTIONAL password 4bytes (8 hex symbols)"); - PrintAndLog(" o, OPTIONAL override safety check"); + PrintAndLog(" b - block number to read. Between 0-7"); + PrintAndLog(" p - OPTIONAL password (8 hex characters)"); + PrintAndLog(" o - OPTIONAL override safety check"); + PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0"); PrintAndLog(" ****WARNING****"); PrintAndLog(" Use of read with password on a tag not configured for a pwd"); PrintAndLog(" can damage the tag"); @@ -67,22 +70,23 @@ int usage_t55xx_read(){ return 0; } int usage_t55xx_write(){ - PrintAndLog("Usage: lf t55xx write [password]"); + PrintAndLog("Usage: lf t55xx wr [b ] [d ] [p ] [1]"); PrintAndLog("Options:"); - PrintAndLog(" , block number to write. Between 0-7"); - PrintAndLog(" , 4 bytes of data to write (8 hex symbols)"); - PrintAndLog(" [password], OPTIONAL password 4bytes (8 hex symbols)"); + PrintAndLog(" b - block number to write. Between 0-7"); + PrintAndLog(" d - 4 bytes of data to write (8 hex characters)"); + PrintAndLog(" p - OPTIONAL password 4bytes (8 hex characters)"); + PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0"); PrintAndLog(""); PrintAndLog("Examples:"); - PrintAndLog(" lf t55xx write 3 11223344 - write 11223344 to block 3"); - PrintAndLog(" lf t55xx write 3 11223344 feedbeef - write 11223344 to block 3 password feedbeef"); + PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3"); + PrintAndLog(" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef"); PrintAndLog(""); return 0; } int usage_t55xx_trace() { PrintAndLog("Usage: lf t55xx trace [1]"); PrintAndLog("Options:"); - PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag."); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx trace"); @@ -93,7 +97,7 @@ int usage_t55xx_trace() { int usage_t55xx_info() { PrintAndLog("Usage: lf t55xx info [1]"); PrintAndLog("Options:"); - PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag."); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx info"); @@ -102,20 +106,21 @@ int usage_t55xx_info() { return 0; } int usage_t55xx_dump(){ - PrintAndLog("Usage: lf t55xx dump "); + PrintAndLog("Usage: lf t55xx dump [o]"); PrintAndLog("Options:"); - PrintAndLog(" , OPTIONAL password 4bytes (8 hex symbols)"); + PrintAndLog(" - OPTIONAL password 4bytes (8 hex symbols)"); + PrintAndLog(" o - OPTIONAL override, force pwd read despite danger to card"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx dump"); - PrintAndLog(" lf t55xx dump feedbeef"); + PrintAndLog(" lf t55xx dump feedbeef o"); PrintAndLog(""); return 0; } int usage_t55xx_detect(){ PrintAndLog("Usage: lf t55xx detect [1]"); PrintAndLog("Options:"); - PrintAndLog(" [graph buffer data], if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag."); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx detect"); @@ -146,8 +151,7 @@ int CmdT55xxSetConfig(const char *Cmd) { char tmp = 0x00; uint8_t bitRate = 0; uint8_t rates[9] = {8,16,32,40,50,64,100,128,0}; - while(param_getchar(Cmd, cmdp) != 0x00 && !errors) - { + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { tmp = param_getchar(Cmd, cmdp); switch(tmp) { @@ -234,12 +238,43 @@ int CmdT55xxSetConfig(const char *Cmd) { return printConfiguration ( config ); } +int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){ + //Password mode + if ( usepwd ) { + // try reading the config block and verify that PWD bit is set before doing this! + if ( !override ) { + + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0; + + if ( !tryDetectModulation() ) { + PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits."); + return 0; + } else { + PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password..."); + usepwd = false; + page1 = false; + } + } else { + PrintAndLog("Safety Check Overriden - proceeding despite risk"); + } + } + + if (!AquireData(page1, block, usepwd, password) ) return 0; + if (!DecodeT55xxBlock()) return 0; + + char blk[10]={0}; + sprintf(blk,"%d", block); + printT55xxBlock(blk); + return 1; +} + int CmdT55xxReadBlock(const char *Cmd) { - uint8_t block = 255; + uint8_t block = REGULAR_READ_MODE_BLOCK; uint32_t password = 0; //default to blank Block 7 - bool usepwd = FALSE; - bool override = FALSE; - bool errors = FALSE; + bool usepwd = false; + bool override = false; + bool page1 = false; + bool errors = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch(param_getchar(Cmd, cmdp)) { @@ -258,10 +293,14 @@ int CmdT55xxReadBlock(const char *Cmd) { break; case 'p': case 'P': - password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16); - usepwd = TRUE; + password = param_get32ex(Cmd, cmdp+1, 0, 16); + usepwd = true; cmdp += 2; break; + case '1': + page1 = true; + cmdp++; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -270,49 +309,13 @@ int CmdT55xxReadBlock(const char *Cmd) { } if (errors) return usage_t55xx_read(); - if ( block > 7 ) { + if (block > 7 && block != REGULAR_READ_MODE_BLOCK ) { PrintAndLog("Block must be between 0 and 7"); - return 1; - } - - UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, password}}; - - //Password mode - if ( usepwd ) { - - // try reading the config block and verify that PWD bit is set before doing this! - if ( !override ) { - AquireData( CONFIGURATION_BLOCK ); - if ( !tryDetectModulation() ) { - PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits."); - return 1; - } else { - PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password..."); - } - } else { - PrintAndLog("Safety Check Overriden - proceeding despite risk"); - c.arg[0] = usepwd; - } - } - - clearCommandBuffer(); - SendCommand(&c); - if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) { - PrintAndLog("command execution time out"); - return 2; + return 0; } - - uint8_t got[12000]; - GetFromBigBuf(got,sizeof(got),0); - WaitForResponse(CMD_ACK,NULL); - setGraphBuf(got, sizeof(got)); - - if (!DecodeT55xxBlock()) return 3; - - char blk[10]={0}; - sprintf(blk,"%d", block); - printT55xxBlock(blk); - return 0; + PrintAndLog("Reading Page %d:", page1); + PrintAndLog("blk | hex data | binary"); + return T55xxReadBlock(block, page1, usepwd, override, password); } bool DecodeT55xxBlock(){ @@ -323,9 +326,6 @@ bool DecodeT55xxBlock(){ uint8_t bitRate[8] = {8,16,32,40,50,64,100,128}; DemodBufferLen = 0x00; - //trim 1/2 a clock from beginning - //snprintf(cmdStr, sizeof(buf),"%d", bitRate[config.bitrate]/2 ); - //CmdLtrim(cmdStr); switch( config.modulation ){ case DEMOD_FSK: snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted ); @@ -372,21 +372,36 @@ bool DecodeT55xxBlock(){ int CmdT55xxDetect(const char *Cmd){ + bool override = false; + //bool pwdmode = false; + + uint32_t password = 0; //default to blank Block 7 + bool usepwd = ( strlen(Cmd) > 0); + if ( usepwd ){ + password = param_get32ex(Cmd, 0, 0, 16); + if (param_getchar(Cmd, 1) =='o' ) + override = true; + } + char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_detect(); - if (strlen(Cmd)==0) - AquireData( CONFIGURATION_BLOCK ); + if (strlen(Cmd)==0) { + password = param_get32ex(Cmd, 0, 0, 16); + if (param_getchar(Cmd, 1) =='o' ) override = true; + } + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) ) + return 0; + if ( !tryDetectModulation() ) PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'"); - return 0; + return 1; } // detect configuration? bool tryDetectModulation(){ - //char cmdStr[8] = {0}; uint8_t hits = 0; t55xx_conf_block_t tests[15]; int bitRate=0; @@ -394,8 +409,6 @@ bool tryDetectModulation(){ save_restoreGB(1); if (GetFskClock("", FALSE, FALSE)){ fskClocks(&fc1, &fc2, &clk, FALSE); - //sprintf(cmdStr,"%d", clk/2); - //CmdLtrim(cmdStr); if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate)){ tests[hits].modulation = DEMOD_FSK; if (fc1==8 && fc2 == 5) @@ -422,8 +435,6 @@ bool tryDetectModulation(){ } else { clk = GetAskClock("", FALSE, FALSE); if (clk>0) { - //sprintf(cmdStr,"%d", clk/2); - //CmdLtrim(cmdStr); if ( ASKDemod("0 0 0", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; @@ -457,8 +468,6 @@ bool tryDetectModulation(){ save_restoreGB(0); clk = GetNrzClock("", FALSE, FALSE); if (clk>0) { - //sprintf(cmdStr,"%d", clk/2); - //CmdLtrim(cmdStr); if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate)) { tests[hits].modulation = DEMOD_NRZ; tests[hits].bitrate = bitRate; @@ -480,9 +489,6 @@ bool tryDetectModulation(){ save_restoreGB(0); clk = GetPskClock("", FALSE, FALSE); if (clk>0) { - //PrintAndLog("clk %d",clk); - //sprintf(cmdStr,"%d", clk/2); - //CmdLtrim(cmdStr); if ( PSKDemod("0 0 1", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate)) { tests[hits].modulation = DEMOD_PSK1; tests[hits].bitrate = bitRate; @@ -700,66 +706,126 @@ int printConfiguration( t55xx_conf_block_t b){ return 0; } +int CmdT55xxWakeUp(const char *Cmd) { + uint32_t password = 0; + uint8_t cmdp = 0; + bool errors = false; + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_t55xx_wakup(); + case 'p': + case 'P': + password = param_get32ex(Cmd, cmdp+1, 0, 16); + cmdp += 2; + errors = false; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + if (errors) return usage_t55xx_wakup(); + + UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}}; + clearCommandBuffer(); + SendCommand(&c); + PrintAndLog("Wake up command sent. Try read now"); + return 0; +} + int CmdT55xxWriteBlock(const char *Cmd) { - int block = 8; //default to invalid block - int data = 0xFFFFFFFF; //default to blank Block - int password = 0xFFFFFFFF; //default to blank Block 7 - - char cmdp = param_getchar(Cmd, 0); - if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_write(); - - int res = sscanf(Cmd, "%d %x %x",&block, &data, &password); - - if ( res < 2 || res > 3) { - usage_t55xx_write(); - return 1; + uint8_t block = 0xFF; //default to invalid block + uint32_t data = 0; //default to blank Block + uint32_t password = 0; //default to blank Block 7 + bool usepwd = false; + bool page1 = false; + bool gotdata = false; + bool errors = false; + uint8_t cmdp = 0; + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_t55xx_write(); + case 'b': + case 'B': + errors |= param_getdec(Cmd, cmdp+1, &block); + cmdp += 2; + break; + case 'd': + case 'D': + data = param_get32ex(Cmd, cmdp+1, 0, 16); + gotdata = true; + cmdp += 2; + break; + case 'p': + case 'P': + password = param_get32ex(Cmd, cmdp+1, 0, 16); + usepwd = true; + cmdp += 2; + break; + case '1': + page1 = true; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } } + if (errors || !gotdata) return usage_t55xx_write(); if (block > 7) { PrintAndLog("Block number must be between 0 and 7"); - return 1; + return 0; } UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}}; UsbCommand resp; - c.d.asBytes[0] = 0x0; + c.d.asBytes[0] = (page1) ? 0x2 : 0; - PrintAndLog("Writing to block: %d data : 0x%08X", block, data); + PrintAndLog("Writing to page: %d block: %d data : 0x%08X", page1, block, data); //Password mode - if (res == 3) { + if (usepwd) { c.arg[2] = password; - c.d.asBytes[0] = 0x1; + c.d.asBytes[0] |= 0x1; PrintAndLog("pwd : 0x%08X", password); } clearCommandBuffer(); SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)"); - return -1; - } return 0; + } + return 1; } int CmdT55xxReadTrace(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); - + bool pwdmode = false; + uint32_t password = 0; if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace(); if (strlen(Cmd)==0) - AquireData( TRACE_BLOCK ); + if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) ) + return 0; - if (!DecodeT55xxBlock()) return 1; + if (!DecodeT55xxBlock()) return 0; - if ( !DemodBufferLen) return 1; + if ( !DemodBufferLen) return 0; RepaintGraphWindow(); uint8_t repeat = 0; if (config.offset > 5) repeat = 32; uint8_t si = config.offset+repeat; - uint32_t bl0 = PackBits(si, 32, DemodBuffer); - uint32_t bl1 = PackBits(si+32, 32, DemodBuffer); + uint32_t bl1 = PackBits(si, 32, DemodBuffer); + uint32_t bl2 = PackBits(si+32, 32, DemodBuffer); uint32_t acl = PackBits(si, 8, DemodBuffer); si += 8; uint32_t mfc = PackBits(si, 8, DemodBuffer); si += 8; @@ -780,7 +846,7 @@ int CmdT55xxReadTrace(const char *Cmd) { if ( acl != 0xE0 ) { PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. "); - return 1; + return 0; } PrintAndLog(""); @@ -797,8 +863,8 @@ int CmdT55xxReadTrace(const char *Cmd) { PrintAndLog(" Die Number : %d", dw); PrintAndLog("-------------------------------------------------------------"); PrintAndLog(" Raw Data - Page 1"); - PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset+repeat,32) ); - PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat+32,32) ); + PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) ); + PrintAndLog(" Block 2 : 0x%08X %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) ); PrintAndLog("-------------------------------------------------------------"); /* @@ -827,12 +893,15 @@ int CmdT55xxInfo(const char *Cmd){ Normal mode Extended mode */ + bool pwdmode = false; + uint32_t password = 0; char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info(); if (strlen(Cmd)==0) - AquireData( CONFIGURATION_BLOCK ); + if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) ) + return 1; if (!DecodeT55xxBlock()) return 1; @@ -883,55 +952,50 @@ int CmdT55xxInfo(const char *Cmd){ int CmdT55xxDump(const char *Cmd){ - char s[20] = {0x00}; - uint8_t pwd[4] = {0x00}; - char cmdp = param_getchar(Cmd, 0); + uint32_t password = 0; + bool override = false; + char cmdp = param_getchar(Cmd, 0); if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump(); - bool hasPwd = ( strlen(Cmd) > 0); - if ( hasPwd ){ - if (param_gethex(Cmd, 0, pwd, 8)) { - PrintAndLog("password must include 8 HEX symbols"); - return 1; - } + bool usepwd = ( strlen(Cmd) > 0); + if ( usepwd ){ + password = param_get32ex(Cmd, 0, 0, 16); + if (param_getchar(Cmd, 1) =='o' ) + override = true; } - for ( int i = 0; i <8; ++i){ - memset(s,0,sizeof(s)); - if ( hasPwd ) { - sprintf(s,"%d %02x%02x%02x%02x", i, pwd[0],pwd[1],pwd[2],pwd[3]); - } else { - sprintf(s,"%d", i); - } - CmdT55xxReadBlock(s); + PrintAndLog("Reading Page 0:"); + PrintAndLog("blk | hex data | binary"); + for ( uint8_t i = 0; i < 8; ++i){ + T55xxReadBlock(i, 0, usepwd, override, password); } - return 0; + PrintAndLog("Reading Page 1:"); + PrintAndLog("blk | hex data | binary"); + for ( uint8_t i = 0; i < 4; i++){ + T55xxReadBlock(i, 1, usepwd, override, password); + } + return 1; } -int AquireData( uint8_t block ){ - - uint32_t password = 0; - UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, 0, password}}; - - if ( block == CONFIGURATION_BLOCK ) { - c.arg[0] = 0x00 | 0x01; - } - else if (block == TRACE_BLOCK ) { - c.arg[0] = 0x02 | 0x01; - } +int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){ + // arg0 bitmodes: + // bit0 = pwdmode + // bit1 = page to read from + uint8_t arg0 = (page<<1) | pwdmode; + UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}}; clearCommandBuffer(); SendCommand(&c); if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) { PrintAndLog("command execution time out"); - return 1; + return 0; } uint8_t got[12000]; GetFromBigBuf(got,sizeof(got),0); WaitForResponse(CMD_ACK,NULL); - setGraphBuf(got, 12000); - return 0; + setGraphBuf(got, sizeof(got)); + return 1; } char * GetBitRateStr(uint32_t id){ @@ -1099,35 +1163,6 @@ void t55x7_create_config_block( int tagtype ){ } -int CmdT55xxWakeUp(const char *Cmd) { - uint32_t password = 0; - uint8_t cmdp = 0; - bool errors = false; - while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { - switch(param_getchar(Cmd, cmdp)) { - case 'h': - case 'H': - return usage_t55xx_wakup(); - case 'p': - case 'P': - password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16); - cmdp+=2; - break; - default: - PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); - errors = true; - break; - } - } - if (errors) return usage_t55xx_wakup(); - - UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}}; - clearCommandBuffer(); - SendCommand(&c); - PrintAndLog("Wake up command sent. Try read now"); - return 0; -} - /* uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){ @@ -1148,14 +1183,13 @@ static command_t CommandTable[] = {"help", CmdHelp, 1, "This help"}, {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, {"detect", CmdT55xxDetect, 0, "[1] Try detecting the tag modulation from reading the configuration block."}, - {"read", CmdT55xxReadBlock, 0, " [password] -- Read T55xx block data (page 0) [optional password]"}, - {"write", CmdT55xxWriteBlock,0, " [password] -- Write T55xx block data (page 0) [optional password]"}, + {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data (page 0) [optional password]"}, + {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data (page 0) [optional password]"}, {"trace", CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"}, {"info", CmdT55xxInfo, 0, "[1] Show T55xx configuration data (page 0/ blk 0)"}, - {"dump", CmdT55xxDump, 0, "[password] Dump T55xx card block 0-7. [optional password]"}, + {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. [optional password]"}, {"special", special, 0, "Show block changes with 64 different offsets"}, {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"}, - {NULL, NULL, 0, NULL} }; diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index 0fe1b0be..ac188963 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h @@ -82,6 +82,6 @@ bool DecodeT55xxBlock(); bool tryDetectModulation(); bool test(uint8_t mode, uint8_t *offset, int *fndBitRate); int special(const char *Cmd); -int AquireData( uint8_t block ); +int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ); #endif diff --git a/client/hid-flasher/usb_cmd.h b/client/hid-flasher/usb_cmd.h index b662b929..739e2447 100644 --- a/client/hid-flasher/usb_cmd.h +++ b/client/hid-flasher/usb_cmd.h @@ -196,6 +196,8 @@ typedef struct{ #define CMD_MIFARE_DESFIRE 0x072e #define CMD_MIFARE_COLLECT_NONCES 0x072f + +#define CMD_HF_SNIFFER 0x0800 #define CMD_UNKNOWN 0xFFFF diff --git a/client/lualibs/commands.lua b/client/lualibs/commands.lua index dd5544cb..5ff64bb5 100644 --- a/client/lualibs/commands.lua +++ b/client/lualibs/commands.lua @@ -44,7 +44,7 @@ local _commands = { CMD_INDALA_CLONE_TAG_L = 0x0213, CMD_T55XX_READ_BLOCK = 0x0214, CMD_T55XX_WRITE_BLOCK = 0x0215, - CMD_T55XX_READ_TRACE = 0x0216, + --//CMD_T55XX_READ_TRACE = 0x0216, CMD_PCF7931_READ = 0x0217, CMD_PCF7931_WRITE = 0x0223, CMD_EM4X_READ_WORD = 0x0218, @@ -157,7 +157,8 @@ local _commands = { CMD_MIFARE_DES_READER = 0x072c, CMD_MIFARE_DESFIRE_INFO = 0x072d, CMD_MIFARE_DESFIRE = 0x072e, - + CMD_HF_SNIFFER = 0x0800, + CMD_UNKNOWN = 0xFFFF, } diff --git a/client/scripting.c b/client/scripting.c index 63d7f44e..5d9ce55a 100644 --- a/client/scripting.c +++ b/client/scripting.c @@ -53,7 +53,7 @@ static int l_SendCommand(lua_State *L){ const char *data = luaL_checklstring(L, 1, &size); if(size != sizeof(UsbCommand)) { - printf("Got data size %d, expected %d" , size, sizeof(UsbCommand)); + printf("Got data size %d, expected %d" , (int) size,(int) sizeof(UsbCommand)); lua_pushstring(L,"Wrong data size"); return 1; } diff --git a/common/Makefile.common b/common/Makefile.common index 98ff4d0d..72ad0758 100644 --- a/common/Makefile.common +++ b/common/Makefile.common @@ -67,7 +67,8 @@ VPATH = . ../common ../fpga ../zlib INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gpio.h ../include/usb_cmd.h $(APP_INCLUDES) -CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -std=c99 $(APP_CFLAGS) -Os +#-Wunused -Wsign-compare -Wtype-limits -Wuninitialized -Wno-deprecated -Wstrict-aliasing -Wpointer-arith -Wpointer-arith -Wformat-nonliteral -Winit-self -Wparentheses -Wunreachable-code +CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -Wunused -std=c99 $(APP_CFLAGS) -Os LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n LIBS = -lgcc diff --git a/common/lfdemod.c b/common/lfdemod.c index 0f8dd452..9a4051c9 100644 --- a/common/lfdemod.c +++ b/common/lfdemod.c @@ -282,6 +282,16 @@ int manrawdecode(uint8_t * BitStream, size_t *size, uint8_t invert) return bestErr; } +uint32_t manchesterEncode2Bytes(uint16_t datain) { + uint32_t output = 0; + uint8_t curBit = 0; + for (uint8_t i=0; i<16; i++) { + curBit = (datain >> (15-i) & 1); + output |= (1<<(((15-i)*2)+curBit)); + } + return output; +} + //by marshmellow //encode binary data into binary manchester int ManchesterEncode(uint8_t *BitStream, size_t size) diff --git a/common/lfdemod.h b/common/lfdemod.h index 3b807b56..75820199 100644 --- a/common/lfdemod.h +++ b/common/lfdemod.h @@ -30,6 +30,7 @@ int DetectStrongAskClock(uint8_t dest[], size_t size, uint8_t high, uint8_t uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo); int fskdemod(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t invert, uint8_t fchigh, uint8_t fclow); int getHiLo(uint8_t *BitStream, size_t size, int *high, int *low, uint8_t fuzzHi, uint8_t fuzzLo); +uint32_t manchesterEncode2Bytes(uint16_t datain); int ManchesterEncode(uint8_t *BitStream, size_t size); int manrawdecode(uint8_t *BitStream, size_t *size, uint8_t invert); int nrzRawDemod(uint8_t *dest, size_t *size, int *clk, int *invert, int maxErr); diff --git a/common/protocols.c b/common/protocols.c index 0a523da3..ee8abadd 100644 --- a/common/protocols.c +++ b/common/protocols.c @@ -3,13 +3,36 @@ #include #include #include "protocols.h" + +// ATA55xx shared presets & routines +uint32_t GetT55xxClockBit(uint32_t clock) { + switch (clock) { + case 128: + return T55x7_BITRATE_RF_128; + case 100: + return T55x7_BITRATE_RF_100; + case 64: + return T55x7_BITRATE_RF_64; + case 50: + return T55x7_BITRATE_RF_50; + case 40: + return T55x7_BITRATE_RF_40; + case 32: + return T55x7_BITRATE_RF_32; + case 16: + return T55x7_BITRATE_RF_16; + case 8: + return T55x7_BITRATE_RF_8; + default: + return 0; + } +} + #ifndef ON_DEVICE #include "ui.h" #define prnt PrintAndLog -#endif - - +// iclass / picopass chip config structures and shared routines typedef struct { uint8_t app_limit; //[8] uint8_t otp[2]; //[9-10] @@ -31,20 +54,7 @@ typedef struct { }picopass_hdr; - -//#define prnt printf -/*void prnt(char *fmt,...) -{ - va_list argptr; - va_start(argptr, fmt); - vprintf(fmt, argptr); - printf(" "); // cleaning prompt - va_end(argptr); - printf("\n"); -} -*/ -uint8_t isset(uint8_t val, uint8_t mask) -{ +uint8_t isset(uint8_t val, uint8_t mask) { return (val & mask); } @@ -52,8 +62,7 @@ uint8_t notset(uint8_t val, uint8_t mask){ return !(val & mask); } -void fuse_config(const picopass_hdr *hdr) -{ +void fuse_config(const picopass_hdr *hdr) { uint8_t fuses = hdr->conf.fuses; if (isset(fuses,FUSE_FPERS))prnt(" Mode: Personalization [Programmable]"); @@ -104,8 +113,7 @@ void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t * } } -void mem_app_config(const picopass_hdr *hdr) -{ +void mem_app_config(const picopass_hdr *hdr) { uint8_t mem = hdr->conf.mem_config; uint8_t chip = hdr->conf.chip_config; uint8_t applimit = hdr->conf.app_limit; @@ -118,28 +126,25 @@ void mem_app_config(const picopass_hdr *hdr) prnt(" AA1: blocks 06-%02X", applimit); prnt(" AA2: blocks %02X-%02X", applimit+1, max_blk); } -void print_picopass_info(const picopass_hdr *hdr) -{ +void print_picopass_info(const picopass_hdr *hdr) { fuse_config(hdr); mem_app_config(hdr); } -void printIclassDumpInfo(uint8_t* iclass_dump) -{ -// picopass_hdr hdr; -// memcpy(&hdr, iclass_dump, sizeof(picopass_hdr)); +void printIclassDumpInfo(uint8_t* iclass_dump) { print_picopass_info((picopass_hdr *) iclass_dump); } /* -void test() -{ +void test() { picopass_hdr hdr = {0x27,0xaf,0x48,0x01,0xf9,0xff,0x12,0xe0,0x12,0xff,0xff,0xff,0x7f,0x1f,0xff,0x3c}; prnt("Picopass configuration:"); print_picopass_info(&hdr); } -int main(int argc, char *argv[]) -{ +int main(int argc, char *argv[]) { test(); return 0; } */ + +#endif +//ON_DEVICE diff --git a/common/protocols.h b/common/protocols.h index e676cbfe..d20c95fc 100644 --- a/common/protocols.h +++ b/common/protocols.h @@ -267,4 +267,57 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. void printIclassDumpInfo(uint8_t* iclass_dump); void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb); -#endif // PROTOCOLS_H +/* T55x7 configuration register definitions */ +#define T55x7_POR_DELAY 0x00000001 +#define T55x7_ST_TERMINATOR 0x00000008 +#define T55x7_PWD 0x00000010 +#define T55x7_MAXBLOCK_SHIFT 5 +#define T55x7_AOR 0x00000200 +#define T55x7_PSKCF_RF_2 0 +#define T55x7_PSKCF_RF_4 0x00000400 +#define T55x7_PSKCF_RF_8 0x00000800 +#define T55x7_MODULATION_DIRECT 0 +#define T55x7_MODULATION_PSK1 0x00001000 +#define T55x7_MODULATION_PSK2 0x00002000 +#define T55x7_MODULATION_PSK3 0x00003000 +#define T55x7_MODULATION_FSK1 0x00004000 +#define T55x7_MODULATION_FSK2 0x00005000 +#define T55x7_MODULATION_FSK1a 0x00006000 +#define T55x7_MODULATION_FSK2a 0x00007000 +#define T55x7_MODULATION_MANCHESTER 0x00008000 +#define T55x7_MODULATION_BIPHASE 0x00010000 +#define T55x7_MODULATION_DIPHASE 0x00018000 +#define T55x7_BITRATE_RF_8 0 +#define T55x7_BITRATE_RF_16 0x00040000 +#define T55x7_BITRATE_RF_32 0x00080000 +#define T55x7_BITRATE_RF_40 0x000C0000 +#define T55x7_BITRATE_RF_50 0x00100000 +#define T55x7_BITRATE_RF_64 0x00140000 +#define T55x7_BITRATE_RF_100 0x00180000 +#define T55x7_BITRATE_RF_128 0x001C0000 + +/* T5555 (Q5) configuration register definitions */ +#define T5555_ST_TERMINATOR 0x00000001 +#define T5555_MAXBLOCK_SHIFT 0x00000001 +#define T5555_MODULATION_MANCHESTER 0 +#define T5555_MODULATION_PSK1 0x00000010 +#define T5555_MODULATION_PSK2 0x00000020 +#define T5555_MODULATION_PSK3 0x00000030 +#define T5555_MODULATION_FSK1 0x00000040 +#define T5555_MODULATION_FSK2 0x00000050 +#define T5555_MODULATION_BIPHASE 0x00000060 +#define T5555_MODULATION_DIRECT 0x00000070 +#define T5555_INVERT_OUTPUT 0x00000080 +#define T5555_PSK_RF_2 0 +#define T5555_PSK_RF_4 0x00000100 +#define T5555_PSK_RF_8 0x00000200 +#define T5555_USE_PWD 0x00000400 +#define T5555_USE_AOR 0x00000800 +#define T5555_BITRATE_SHIFT 12 +#define T5555_FAST_WRITE 0x00004000 +#define T5555_PAGE_SELECT 0x00008000 + +uint32_t GetT55xxClockBit(uint32_t clock); + +#endif +// PROTOCOLS_H diff --git a/fpga/Makefile b/fpga/Makefile index fad2ff04..e58d6fc4 100644 --- a/fpga/Makefile +++ b/fpga/Makefile @@ -9,7 +9,7 @@ fpga_hf.ngc: fpga_hf.v fpga.ucf xst_hf.scr util.v hi_simulate.v hi_read_tx.v hi_ $(DELETE) $@ $(XILINX_TOOLS_PREFIX)xst -ifn xst_hf.scr -fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v +fpga_lf.ngc: fpga_lf.v fpga.ucf xst_lf.scr util.v clk_divider.v lo_edge_detect.v lo_read.v lo_passthru.v lp20khz_1MSa_iir_filter.v min_max_tracker.v lf_edge_detect.v hi_sniffer.v $(DELETE) $@ $(XILINX_TOOLS_PREFIX)xst -ifn xst_lf.scr diff --git a/fpga/fpga_hf.v b/fpga/fpga_hf.v index 8a465e75..264e1b0c 100644 --- a/fpga/fpga_hf.v +++ b/fpga/fpga_hf.v @@ -17,6 +17,7 @@ `include "hi_read_rx_xcorr.v" `include "hi_simulate.v" `include "hi_iso14443a.v" +`include "hi_sniffer.v" `include "util.v" module fpga_hf( @@ -122,25 +123,36 @@ hi_iso14443a hisn( hi_simulate_mod_type ); +hi_sniffer he( + pck0, ck_1356meg, ck_1356megb, + he_pwr_lo, he_pwr_hi, he_pwr_oe1, he_pwr_oe2, he_pwr_oe3, he_pwr_oe4, + adc_d, he_adc_clk, + he_ssp_frame, he_ssp_din, ssp_dout, he_ssp_clk, + cross_hi, cross_lo, + he_dbg, + hi_read_rx_xcorr_848, hi_read_rx_xcorr_snoop, hi_read_rx_xcorr_quarter +); + // Major modes: // 000 -- HF reader, transmitting to tag; modulation depth selectable // 001 -- HF reader, receiving from tag, correlating as it goes; frequency selectable // 010 -- HF simulated tag // 011 -- HF ISO14443-A +// 100 -- HF Snoop // 111 -- everything off -mux8 mux_ssp_clk (major_mode, ssp_clk, ht_ssp_clk, hrxc_ssp_clk, hs_ssp_clk, hisn_ssp_clk, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_ssp_din (major_mode, ssp_din, ht_ssp_din, hrxc_ssp_din, hs_ssp_din, hisn_ssp_din, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_ssp_frame (major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe1 (major_mode, pwr_oe1, ht_pwr_oe1, hrxc_pwr_oe1, hs_pwr_oe1, hisn_pwr_oe1, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe2 (major_mode, pwr_oe2, ht_pwr_oe2, hrxc_pwr_oe2, hs_pwr_oe2, hisn_pwr_oe2, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe3 (major_mode, pwr_oe3, ht_pwr_oe3, hrxc_pwr_oe3, hs_pwr_oe3, hisn_pwr_oe3, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_oe4 (major_mode, pwr_oe4, ht_pwr_oe4, hrxc_pwr_oe4, hs_pwr_oe4, hisn_pwr_oe4, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_lo (major_mode, pwr_lo, ht_pwr_lo, hrxc_pwr_lo, hs_pwr_lo, hisn_pwr_lo, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_pwr_hi (major_mode, pwr_hi, ht_pwr_hi, hrxc_pwr_hi, hs_pwr_hi, hisn_pwr_hi, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_adc_clk (major_mode, adc_clk, ht_adc_clk, hrxc_adc_clk, hs_adc_clk, hisn_adc_clk, 1'b0, 1'b0, 1'b0, 1'b0); -mux8 mux_dbg (major_mode, dbg, ht_dbg, hrxc_dbg, hs_dbg, hisn_dbg, 1'b0, 1'b0, 1'b0, 1'b0); +mux8 mux_ssp_clk (major_mode, ssp_clk, ht_ssp_clk, hrxc_ssp_clk, hs_ssp_clk, hisn_ssp_clk, he_ssp_clk, 1'b0, 1'b0, 1'b0); +mux8 mux_ssp_din (major_mode, ssp_din, ht_ssp_din, hrxc_ssp_din, hs_ssp_din, hisn_ssp_din, he_ssp_din, 1'b0, 1'b0, 1'b0); +mux8 mux_ssp_frame (major_mode, ssp_frame, ht_ssp_frame, hrxc_ssp_frame, hs_ssp_frame, hisn_ssp_frame, he_ssp_frame, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe1 (major_mode, pwr_oe1, ht_pwr_oe1, hrxc_pwr_oe1, hs_pwr_oe1, hisn_pwr_oe1, he_pwr_oe1, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe2 (major_mode, pwr_oe2, ht_pwr_oe2, hrxc_pwr_oe2, hs_pwr_oe2, hisn_pwr_oe2, he_pwr_oe2, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe3 (major_mode, pwr_oe3, ht_pwr_oe3, hrxc_pwr_oe3, hs_pwr_oe3, hisn_pwr_oe3, he_pwr_oe3, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_oe4 (major_mode, pwr_oe4, ht_pwr_oe4, hrxc_pwr_oe4, hs_pwr_oe4, hisn_pwr_oe4, he_pwr_oe4, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_lo (major_mode, pwr_lo, ht_pwr_lo, hrxc_pwr_lo, hs_pwr_lo, hisn_pwr_lo, he_pwr_lo, 1'b0, 1'b0, 1'b0); +mux8 mux_pwr_hi (major_mode, pwr_hi, ht_pwr_hi, hrxc_pwr_hi, hs_pwr_hi, hisn_pwr_hi, he_pwr_hi, 1'b0, 1'b0, 1'b0); +mux8 mux_adc_clk (major_mode, adc_clk, ht_adc_clk, hrxc_adc_clk, hs_adc_clk, hisn_adc_clk, he_adc_clk, 1'b0, 1'b0, 1'b0); +mux8 mux_dbg (major_mode, dbg, ht_dbg, hrxc_dbg, hs_dbg, hisn_dbg, he_dbg, 1'b0, 1'b0, 1'b0); // In all modes, let the ADC's outputs be enabled. assign adc_noe = 1'b0; diff --git a/fpga/hi_sniffer.v b/fpga/hi_sniffer.v new file mode 100644 index 00000000..f9d8ba93 --- /dev/null +++ b/fpga/hi_sniffer.v @@ -0,0 +1,77 @@ + +module hi_sniffer( + pck0, ck_1356meg, ck_1356megb, + pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4, + adc_d, adc_clk, + ssp_frame, ssp_din, ssp_dout, ssp_clk, + cross_hi, cross_lo, + dbg, + xcorr_is_848, snoop, xcorr_quarter_freq // not used. +); + input pck0, ck_1356meg, ck_1356megb; + output pwr_lo, pwr_hi, pwr_oe1, pwr_oe2, pwr_oe3, pwr_oe4; + input [7:0] adc_d; + output adc_clk; + input ssp_dout; + output ssp_frame, ssp_din, ssp_clk; + input cross_hi, cross_lo; + output dbg; + input xcorr_is_848, snoop, xcorr_quarter_freq; // not used. + +// We are only snooping, all off. +assign pwr_hi = 1'b0;// ck_1356megb & (~snoop); +assign pwr_oe1 = 1'b0; +assign pwr_oe2 = 1'b0; +assign pwr_oe3 = 1'b0; +assign pwr_oe4 = 1'b0; + +reg ssp_clk = 1'b0; +reg ssp_frame; +reg adc_clk; +reg [7:0] adc_d_out = 8'd0; +reg [7:0] ssp_cnt = 8'd0; +reg [7:0] pck_divider = 8'd0; +reg ant_lo = 1'b0; +reg bit_to_send = 1'b0; + +always @(ck_1356meg, pck0) // should synthetisize to a mux.. + begin + adc_clk = ck_1356meg; + ssp_clk = ~ck_1356meg; + end + +reg [7:0] cnt_test = 8'd0; // test + +always @(posedge pck0) +begin + ant_lo <= 1'b0; +end + +always @(posedge ssp_clk) // ~1356 (hf) +begin + if(ssp_cnt[7:0] == 8'd255) // SSP counter for divides. + ssp_cnt[7:0] <= 8'd0; + else + ssp_cnt <= ssp_cnt + 1; + + if((ssp_cnt[2:0] == 3'b000) && !ant_lo) // To set frame length + begin + adc_d_out[7:0] = adc_d; // disable for test + bit_to_send = adc_d_out[0]; + ssp_frame <= 1'b1; + end + else + begin + adc_d_out[6:0] = adc_d_out[7:1]; + adc_d_out[7] = 1'b0; // according to old lf_read.v comment prevents gliches if not set. + bit_to_send = adc_d_out[0]; + ssp_frame <= 1'b0; + end +end + +assign ssp_din = bit_to_send && !ant_lo;//bit_to_send && !ant_lo; // && .. not needed i guess? + +assign pwr_lo = ant_lo; + + +endmodule diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 114e6d08..547043a2 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -200,6 +200,8 @@ typedef struct{ #define CMD_MIFARE_COLLECT_NONCES 0x072f +#define CMD_HF_SNIFFER 0x0800 + #define CMD_UNKNOWN 0xFFFF -- 2.39.5