From 2de26056ce3650d8ae48f30bf657e27b3669a0a3 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Sun, 23 Jun 2019 07:43:56 -0400 Subject: [PATCH 1/1] add lf em 4x05protect plus lf config s option (#833) * add "samples to skip" for lf config (mainly for lf snoop) * add lf em 4x05protect command to write protection on em4x05 chips * fix spacing * and remove old comment git added back in.. * update changelog * fix flags - only need 1 bit --- CHANGELOG.md | 2 + armsrc/appmain.c | 3 ++ armsrc/apps.h | 1 + armsrc/lfops.c | 81 ++++++++++++++++++++++++++++--- armsrc/lfsampling.c | 20 +++++--- client/cmdlf.c | 34 +++++++------ client/cmdlfem4x.c | 114 ++++++++++++++++++++++++++++++++++++++++++++ include/usb_cmd.h | 2 + 8 files changed, 231 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 399f87f9..cb508cd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - `hf 15 sim` now works as expected (piwi) ### Added +- Added `lf config s xxxx` option to allow skipping x samples before capture (marshmellow) +- Added `lf em 4x05protect` to support changing protection blocks on em4x05 chips (marshmellow) - Support Standard Communication Mode in HITAG S - Added `hf emv scan` - commands for scan EMV card and dump data to json file (Merlok) - `hf mfp` group of commands (Merlok) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 37328a50..5169383e 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1088,6 +1088,9 @@ void UsbPacketReceived(uint8_t *packet, int len) case CMD_EM4X_WRITE_WORD: EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]); break; + case CMD_EM4X_PROTECT: + EM4xProtect(c->arg[0], c->arg[1], c->arg[2]); + break; case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation CmdAWIDdemodFSK(c->arg[0], 0, 0, 1); break; diff --git a/armsrc/apps.h b/armsrc/apps.h index d1c885ab..4d9a1482 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h 
@@ -89,6 +89,7 @@ void TurnReadLFOn(); //void T55xxReadTrace(void); void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode); void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd); +void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd); void Cotag(uint32_t arg0); /// iso14443.h diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 81fdd7a6..ed207dbb 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c 
@@ -1198,10 +1198,45 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) * and enlarge the gap ones. * Q5 tags seems to have issues when these values changes. */ -#define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc) -#define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc) -#define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) -#define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550 + +/* Q5 timing datasheet: + * Type | MIN | Typical | Max | + * Start_Gap | 10*8 | ? | 50*8 | + * Write_Gap Normal mode | 8*8 | 14*8 | 20*8 | + * Write_Gap Fast Mode | 8*8 | ? | 20*8 | + * Write_0 Normal mode | 16*8 | 24*8 | 32*8 | + * Write_1 Normal mode | 48*8 | 56*8 | 64*8 | + * Write_0 Fast Mode | 8*8 | 12*8 | 16*8 | + * Write_1 Fast Mode | 24*8 | 28*8 | 32*8 | +*/ + +/* T5557 timing datasheet: + * Type | MIN | Typical | Max | + * Start_Gap | 10*8 | ? | 50*8 | + * Write_Gap Normal mode | 8*8 |50-150us | 30*8 | + * Write_Gap Fast Mode | 8*8 | ? 
| 20*8 | + * Write_0 Normal mode | 16*8 | 24*8 | 31*8 | + * Write_1 Normal mode | 48*8 | 54*8 | 63*8 | + * Write_0 Fast Mode | 8*8 | 12*8 | 15*8 | + * Write_1 Fast Mode | 24*8 | 28*8 | 31*8 | +*/ + +/* T5577C timing datasheet for Fixed-Bit-Length protocol (defualt): + * Type | MIN | Typical | Max | + * Start_Gap | 8*8 | 15*8 | 50*8 | + * Write_Gap Normal mode | 8*8 | 10*8 | 20*8 | + * Write_Gap Fast Mode | 8*8 | 10*8 | 20*8 | + * Write_0 Normal mode | 16*8 | 24*8 | 32*8 | + * Write_1 Normal mode | 48*8 | 56*8 | 64*8 | + * Write_0 Fast Mode | 8*8 | 12*8 | 16*8 | + * Write_1 Fast Mode | 24*8 | 28*8 | 32*8 | +*/ + +//note startgap must be sent after tag has been powered up for more than 3ms (per T5557 ds) +#define START_GAP 31*8 //31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc) - T5557: 10*8 to 50*8 +#define WRITE_GAP 20*8 //20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc) - T5557: 8*8 to 30*8 typ 50-150us +#define WRITE_0 18*8 //18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) - T5557: 16*8 to 31*8 typ 24*8 +#define WRITE_1 50*8 //50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) - T5557: 48*8 to 63*8 typ 54*8 432 for T55x7; 448 for E5550 #define READ_GAP 15*8 void TurnReadLFOn(int delay) { @@ -1355,7 +1390,7 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) { T55xxWriteBit(1); T55xxWriteBit(Page); //Page 0 - if (PwdMode){ + if (PwdMode) { // Send Pwd for (i = 0x80000000; i != 0; i >>= 1) T55xxWriteBit(Pwd & i); @@ -1614,6 +1649,7 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) { #define FWD_CMD_WRITE 0xA #define FWD_CMD_READ 0x9 #define FWD_CMD_DISABLE 0x5 +#define FWD_CMD_PROTECT 0x3 uint8_t forwardLink_data[64]; //array of forwarded bits uint8_t * forward_ptr; //ptr for forward message preparation 
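Review bot: The re-added `START_GAP`, `WRITE_GAP`, `WRITE_0` and `WRITE_1` values are still bare products, so any use of them in a division or modulo — `x / START_GAP` — expands to `x/31*8` and silently gives the wrong tick count; wrapping each value, `#define START_GAP (31*8)`, removes that hazard without changing a single timing. The `//31*8` echo after each value only repeats the constant and reads as leftover from the comparison with the old line, and the T5577C table heading has `defualt` for `default`. The note that the start gap must follow more than 3 ms of field-on time is useful, but nothing in this hunk shows where that delay is enforced, so it is worth saying which caller is responsible (presumably `TurnReadLFOn`, whose body starts at the end of the hunk and is not visible).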
@@ -1783,7 +1819,7 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) { - bool PwdMode = (flag & 0xF); + bool PwdMode = (flag & 0x1); uint8_t Address = (flag >> 8) & 0xFF; uint8_t fwd_bit_count; @@ -1813,6 +1849,39 @@ void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) { LED_A_OFF(); cmd_send(CMD_ACK,0,0,0,0,0); } + +void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd) { + + bool PwdMode = (flag & 0x1); + uint8_t fwd_bit_count; + + //clear buffer now so it does not interfere with timing later + BigBuf_Clear_ext(false); + + LED_A_ON(); + StartTicks(); + //If password mode do login + if (PwdMode) EM4xLogin(Pwd); + + forward_ptr = forwardLink_data; + fwd_bit_count = Prepare_Cmd( FWD_CMD_PROTECT ); + + //unsure if this needs the full packet config... + fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 ); + + SendForward(fwd_bit_count); + + //Wait for write to complete + //SpinDelay(10); + + WaitUS(6500); + //Capture response if one exists + DoPartialAcquisition(20, true, 6000, 1000); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off + LED_A_OFF(); + cmd_send(CMD_ACK,0,0,0,0,0); +} /* Reading a COTAG. diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index 03bccf41..e53d0205 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -14,7 +14,7 @@ #include "usb_cdc.h" // for usb_poll_validate_length #include "fpgaloader.h" -sample_config config = { 1, 8, 1, 95, 0 } ; +sample_config config = { 1, 8, 1, 95, 0, 0 } ; void printConfig() { @@ -24,6 +24,7 @@ void printConfig() Dbprintf(" [d] decimation: %d ", config.decimation); Dbprintf(" [a] averaging: %d ", config.averaging); Dbprintf(" [t] trigger threshold: %d ", config.trigger_threshold); + Dbprintf(" [s] samples to skip: %d ", config.samples_to_skip); } 
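Review bot: `EM4xProtect` ships with its own doubt written into it — `//unsure if this needs the full packet config...` above `Prepare_Data( Data&0xFFFF, Data>>16 )` — and then answers `CMD_ACK` unconditionally, so nothing on the device side reports whether the login or the protect write took; the client is left to infer success from the captured samples. That doubt should be settled against the EM4x05 datasheet before this is relied on, or at least turned into an explicit `// TODO(review): confirm against the EM4x05 datasheet whether the protect word uses the same 16+16 data split as a word write` so the next reader knows what was and was not verified. The commented-out `//SpinDelay(10);` is dead code, and the `WaitUS(6500)` that replaced it deserves a one-line why-comment giving the datasheet figure it was chosen from. The body also appears to be `EM4xWriteWord` with a different command nibble and no address; only that function's `PwdMode` line is visible here, but if so a shared static helper taking the forward command would keep the two in step.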
@@ -34,7 +35,7 @@ void printConfig() * Other functions may read samples and ignore the sampling config, * such as functions to read the UID from a prox tag or similar. * - * Values set to '0' implies no change (except for averaging) + * Values set to '0' implies no change (except for averaging, threshold, samples_to_skip) * @brief setSamplingConfig * @param sc */ @@ -44,6 +45,7 @@ void setSamplingConfig(sample_config *sc) if(sc->bits_per_sample!= 0) config.bits_per_sample= sc->bits_per_sample; if(sc->decimation!= 0) config.decimation= sc->decimation; if(sc->trigger_threshold != -1) config.trigger_threshold= sc->trigger_threshold; + if(sc->samples_to_skip != -1) config.samples_to_skip = sc->samples_to_skip; config.averaging= sc->averaging; if(config.bits_per_sample > 8) config.bits_per_sample = 8; @@ -119,7 +121,7 @@ void LFSetupFPGAForADC(int divisor, bool lf_field) * @param silent - is true, now outputs are made. If false, dbprints the status * @return the number of bits occupied by the samples. */ -uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after) +uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip) { //. uint8_t *dest = BigBuf_get_addr(); @@ -141,6 +143,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag uint32_t sample_total_numbers =0 ; uint32_t sample_total_saved =0 ; uint32_t cancel_counter = 0; + uint32_t samples_skipped = 0; while(!BUTTON_PRESS() && !usb_poll_validate_length() ) { WDT_HIT(); @@ -160,6 +163,10 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag continue; } trigger_threshold = 0; + if (samples_to_skip > samples_skipped) { + samples_skipped++; + continue; + } sample_total_numbers++; if(averaging) 
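Review bot: `if(sc->samples_to_skip != -1) config.samples_to_skip = sc->samples_to_skip;` accepts every value except -1, including other negatives and anything the client's `int` conversion wrapped below zero; in the acquisition loop (a later hunk in this file) that `int` is compared against the `uint32_t` counter `samples_skipped`, so a negative value converts to a huge unsigned count and the loop discards every sample until the button is pressed or a USB command arrives. Changing the guard to `if(sc->samples_to_skip >= 0) config.samples_to_skip = sc->samples_to_skip;` keeps -1 as "no change" and rejects the rest at the one place the value enters the firmware. The updated comment `(except for averaging, threshold, samples_to_skip)` should then say that negative values leave the field untouched.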
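Review bot: The new trailing `samples_to_skip` parameter of `DoAcquisition` is not described in the doc comment directly above the signature, whose last entries are `@param silent` and `@return`; adding ` * @param samples_to_skip - number of samples to discard once the trigger has fired, before any are stored (0 = none)` would keep the header accurate. The later hunk in this file shows the skip check running right after `trigger_threshold = 0;`, so the wording should say "after the trigger" explicitly rather than "before capture". `DoAcquisition`'s body extends well past this hunk.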
@@ -218,7 +225,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag */ uint32_t DoAcquisition_default(int trigger_threshold, bool silent) { - return DoAcquisition(1,8,0,trigger_threshold,silent,0,0); + return DoAcquisition(1,8,0,trigger_threshold,silent,0,0,0); } uint32_t DoAcquisition_config(bool silent, int sample_size) { @@ -228,11 +235,12 @@ uint32_t DoAcquisition_config(bool silent, int sample_size) ,config.trigger_threshold ,silent ,sample_size - ,0); + ,0 + ,config.samples_to_skip); } uint32_t DoPartialAcquisition(int trigger_threshold, bool silent, int sample_size, int cancel_after) { - return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after); + return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after,0); } uint32_t ReadLF(bool activeField, bool silent, int sample_size) diff --git a/client/cmdlf.c b/client/cmdlf.c index 12d30663..f661e518 100644 --- a/client/cmdlf.c +++ b/client/cmdlf.c 
@@ -224,24 +224,25 @@ int usage_lf_config(void) { PrintAndLog("Usage: lf config [H|] [b ] [d ] [a 0|1]"); PrintAndLog("Options: "); - PrintAndLog(" h This help"); - PrintAndLog(" L Low frequency (125 KHz)"); - PrintAndLog(" H High frequency (134 KHz)"); - PrintAndLog(" q Manually set divisor. 88-> 134 KHz, 95-> 125 KHz"); - PrintAndLog(" b Sets resolution of bits per sample. Default (max): 8"); - PrintAndLog(" d Sets decimation. A value of N saves only 1 in N samples. Default: 1"); - PrintAndLog(" a [0|1] Averaging - if set, will average the stored sample value when decimating. Default: 1"); - PrintAndLog(" t Sets trigger threshold. 0 means no threshold (range: 0-128)"); + PrintAndLog(" h This help"); + PrintAndLog(" L Low frequency (125 KHz)"); + PrintAndLog(" H High frequency (134 KHz)"); + PrintAndLog(" q Manually set divisor. 88-> 134 KHz, 95-> 125 KHz"); + PrintAndLog(" b Sets resolution of bits per sample. Default (max): 8"); + PrintAndLog(" d Sets decimation. A value of N saves only 1 in N samples. Default: 1"); + PrintAndLog(" a [0|1] Averaging - if set, will average the stored sample value when decimating. Default: 1"); + PrintAndLog(" t Sets trigger threshold. 0 means no threshold (range: 0-128)"); + PrintAndLog(" s Sets a number of samples to skip before capture. 
Default: 0"); PrintAndLog("Examples:"); PrintAndLog(" lf config b 8 L"); - PrintAndLog(" Samples at 125KHz, 8bps."); + PrintAndLog(" Samples at 125KHz, 8bps."); PrintAndLog(" lf config H b 4 d 3"); - PrintAndLog(" Samples at 134KHz, averages three samples into one, stored with "); - PrintAndLog(" a resolution of 4 bits per sample."); + PrintAndLog(" Samples at 134KHz, averages three samples into one, stored with "); + PrintAndLog(" a resolution of 4 bits per sample."); PrintAndLog(" lf read"); - PrintAndLog(" Performs a read (active field)"); + PrintAndLog(" Performs a read (active field)"); PrintAndLog(" lf snoop"); - PrintAndLog(" Performs a snoop (no active field)"); + PrintAndLog(" Performs a snoop (no active field)"); return 0; } @@ -255,6 +256,7 @@ int CmdLFSetConfig(const char *Cmd) bool errors = false; int trigger_threshold =-1;//Means no change uint8_t unsigned_trigg = 0; + int samples_to_skip = -1; uint8_t cmdp =0; while(param_getchar(Cmd, cmdp) != 0x00) @@ -295,6 +297,10 @@ int CmdLFSetConfig(const char *Cmd) averaging = param_getchar(Cmd,cmdp+1) == '1'; cmdp+=2; break; + case 's': + samples_to_skip = param_get32ex(Cmd,cmdp+1,0,10); + cmdp+=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = 1; @@ -316,7 +322,7 @@ int CmdLFSetConfig(const char *Cmd) if(bps >> 4) bps = 8; sample_config config = { - decimation,bps,averaging,divisor,trigger_threshold + decimation,bps,averaging,divisor,trigger_threshold,samples_to_skip }; //Averaging is a flag on high-bit of arg[1] UsbCommand c = {CMD_SET_LF_SAMPLING_CONFIG}; diff --git a/client/cmdlfem4x.c b/client/cmdlfem4x.c index cdaeb5ed..d1bde911 100644 --- a/client/cmdlfem4x.c +++ b/client/cmdlfem4x.c 
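Review bot: The synopsis line at the top of `usage_lf_config`, `Usage: lf config [H|] [b ] [d ] [a 0|1]` (context here, with its placeholders apparently lost in extraction), still lists neither the existing `t` option nor the new `s` option that this hunk adds to the table below it, so the one-line summary and the option list disagree. Extending it with `[t <threshold>] [s <samples>]` keeps them consistent. The `s` help text says "before capture"; the firmware change in this commit applies the skip after the trigger threshold has fired, so `Sets a number of samples to skip after the trigger before capture. Default: 0` would describe what the device actually does.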
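Review bot: `samples_to_skip = param_get32ex(Cmd,cmdp+1,0,10);` stores the parsed value in an `int` with no range check, so an input of 2147483648 or larger arrives negative, and the only negative value the firmware treats specially is -1 — anything else is accepted as a skip count. Rejecting it here is one line after the assignment: `if (samples_to_skip < 0) { PrintAndLog("samples to skip must be 0..2147483647"); errors = true; }`. `param_get32ex`'s return type is not visible in this hunk; the check holds whether it returns a signed or unsigned 32-bit value.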
@@ -1161,6 +1161,119 @@ int CmdEM4x05WriteWord(const char *Cmd) { return EM4x05WriteWord(addr, data, pwd, usePwd, swap, invert); } +int usage_lf_em_protect(void) { + PrintAndLog("Protect EM4x05. Tag must be on antenna. "); + PrintAndLog(""); + PrintAndLog("Usage: lf em 4x05protect [h] d p [s] [i]"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" d - data to write (hex)"); + PrintAndLog(" p - password (hex) (optional)"); + PrintAndLog(" s - swap the data bit order before write"); + PrintAndLog(" i - invert the data bits before write"); + PrintAndLog("samples:"); + PrintAndLog(" lf em 4x05protect d 11223344"); + PrintAndLog(" lf em 4x05protect p deadc0de d 11223344 s i"); + return 0; +} + +int EM4x05Protect(uint32_t data, uint32_t pwd, bool usePwd, bool swap, bool invert) { + if (swap) data = SwapBits(data, 32); + + if (invert) data ^= 0xFFFFFFFF; + + if ( !usePwd ) { + PrintAndLog("Writing Protect data %08X", data); + } else { + PrintAndLog("Writing Protect data %08X using password %08X", data, pwd); + } + + uint16_t flag = usePwd; + + UsbCommand c = {CMD_EM4X_PROTECT, {flag, data, pwd}}; + clearCommandBuffer(); + SendCommand(&c); + UsbCommand resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){ + PrintAndLog("Error occurred, device did not respond during protect operation."); + return -1; + } + if ( !downloadSamplesEM() ) { + return -1; + } + //check response for 00001010 for write confirmation! 
+ //attempt demod: + uint32_t dummy = 0; + int result = demodEM4x05resp(&dummy,false); + if (result == 1) { + PrintAndLog("Protect Verified"); + } else { + PrintAndLog("Protect could not be verified"); + } + return result; +} + +int CmdEM4x05ProtectWrite(const char *Cmd) { + bool errors = false; + bool usePwd = false; + uint32_t data = 0xFFFFFFFF; + uint32_t pwd = 0xFFFFFFFF; + bool swap = false; + bool invert = false; + bool gotData = false; + char cmdp = 0; + while(param_getchar(Cmd, cmdp) != 0x00) + { + switch(param_getchar(Cmd, cmdp)) + { + case 'h': + case 'H': + return usage_lf_em_write(); + case 'd': + case 'D': + data = param_get32ex(Cmd, cmdp+1, 0, 16); + gotData = true; + cmdp += 2; + break; + case 'i': + case 'I': + invert = true; + cmdp++; + break; + case 'p': + case 'P': + pwd = param_get32ex(Cmd, cmdp+1, 1, 16); + if (pwd == 1) { + PrintAndLog("invalid pwd"); + errors = true; + } + usePwd = true; + cmdp += 2; + break; + case 's': + case 'S': + swap = true; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + if(errors) break; + } + //Validations + if(errors) return usage_lf_em_protect(); + + if ( strlen(Cmd) == 0 ) return usage_lf_em_protect(); + + if (!gotData) { + PrintAndLog("You must enter the data you want to write"); + return usage_lf_em_protect(); + } + return EM4x05Protect(data, pwd, usePwd, swap, invert); +} + void printEM4x05config(uint32_t wordData) { uint16_t datarate = EM4x05_GET_BITRATE(wordData); uint8_t encoder = ((wordData >> 6) & 0xF); 
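Review bot: The `h`/`H` case of `CmdEM4x05ProtectWrite` returns `usage_lf_em_write()`, so `lf em 4x05protect h` prints the help for the write-word command instead of the `usage_lf_em_protect()` defined a few lines above it; the line should read `return usage_lf_em_protect();`. That help text should also carry a warning, since writing the protection word is the kind of operation that may not be reversible on EM4x05 parts — I cannot confirm that from the hunk, so once checked against the datasheet add something like `PrintAndLog("WARNING: protection bits may be one-time programmable - check the datasheet before writing");`. The option loop uses `char cmdp` where `CmdLFSetConfig` in this same commit uses `uint8_t cmdp`; either works, but the signed `char` is the odd one out. `printEM4x05config`, whose first lines close the hunk, continues outside it.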
@@ -1345,6 +1458,7 @@ static command_t CommandTable[] = {"4x05info", CmdEM4x05info, 0, "(pwd) -- Get info from EM4x05/EM4x69 tag"}, {"4x05readword", CmdEM4x05ReadWord, 0, " (pwd) -- Read EM4x05/EM4x69 word data"}, {"4x05writeword", CmdEM4x05WriteWord, 0, " (pwd) -- Write EM4x05/EM4x69 word data"}, + {"4x05protect", CmdEM4x05ProtectWrite, 0, " (pwd) -- Write Protection to EM4x05"}, {"4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"}, {NULL, NULL, 0, NULL} }; diff --git a/include/usb_cmd.h b/include/usb_cmd.h index 9ef929b9..82981acf 100644 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@ -41,6 +41,7 @@ typedef struct{ bool averaging; int divisor; int trigger_threshold; + int samples_to_skip; } sample_config; // For the bootloader @@ -116,6 +117,7 @@ typedef struct{ #define CMD_T55XX_WAKEUP 0x0224 #define CMD_COTAG 0x0225 #define CMD_PARADOX_CLONE_TAG 0x0226 +#define CMD_EM4X_PROTECT 0x0228 // For the 13.56 MHz tags #define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300 -- 2.39.5