+ return EM4x50Read(Cmd, true);
+}
+
+//**************** Start of EM4x05/EM4x69 Code ************************
+int usage_lf_em_read(void) {
+ PrintAndLog("Read EM4x05/EM4x69. Tag must be on antenna. ");
+ PrintAndLog("");
+ PrintAndLog("Usage: lf em 4x05readword [h] <address> <pwd>");
+ PrintAndLog("Options:");
+ PrintAndLog(" h - this help");
+ PrintAndLog(" address - memory address to read. (0-15)");
+ PrintAndLog(" pwd - password (hex) (optional)");
+ PrintAndLog("samples:");
+ PrintAndLog(" lf em 4x05readword 1");
+ PrintAndLog(" lf em 4x05readword 1 11223344");
+ return 0;
+}
+
+// for command responses from em4x05 or em4x69
+// download samples from device and copy them to the Graphbuffer
+bool downloadSamplesEM() {
+ // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
+ uint8_t got[6000];
+ GetFromBigBuf(got, sizeof(got), 0);
+ if ( !WaitForResponseTimeout(CMD_ACK, NULL, 4000) ) {
+ PrintAndLog("command execution time out");
+ return false;
+ }
+ setGraphBuf(got, sizeof(got));
+ return true;
+}
+
+bool EM4x05testDemodReadData(uint32_t *word, bool readCmd) {
+ // em4x05/em4x69 command response preamble is 00001010
+ // skip first two 0 bits as they might have been missed in the demod
+ uint8_t preamble[] = {0,0,1,0,1,0};
+ size_t startIdx = 0;
+
+ // set size to 20 to only test first 14 positions for the preamble or less if not a read command
+ size_t size = (readCmd) ? 20 : 11;
+ // sanity check
+ size = (size > DemodBufferLen) ? DemodBufferLen : size;
+ // test preamble
+ if ( !preambleSearchEx(DemodBuffer, preamble, sizeof(preamble), &size, &startIdx, true) ) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305 preamble not found :: %d", startIdx);
+ return false;
+ }
+ // if this is a readword command, get the read bytes and test the parities
+ if (readCmd) {
+ if (!EM_EndParityTest(DemodBuffer + startIdx + sizeof(preamble), 45, 5, 9, 0)) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - End Parity check failed");
+ return false;
+ }
+ // test for even parity bits and remove them. (leave out the end row of parities so 36 bits)
+ if ( removeParity(DemodBuffer, startIdx + sizeof(preamble),9,0,36) == 0 ) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - Parity not detected");
+ return false;
+ }
+
+ setDemodBuf(DemodBuffer, 32, 0);
+ //setClockGrid(0,0);
+
+ *word = bytebits_to_byteLSBF(DemodBuffer, 32);
+ }
+ return true;
+}
+
+// FSK, PSK, ASK/MANCHESTER, ASK/BIPHASE, ASK/DIPHASE
+// should cover 90% of known used configs
+// the rest will need to be manually demoded for now...
+int demodEM4x05resp(uint32_t *word, bool readCmd) {
+ int ans = 0;
+
+ // test for FSK wave (easiest to 99% ID)
+ if (GetFskClock("", false, false)) {
+ //valid fsk clocks found
+ ans = FSKrawDemod("0 0", false);
+ if (!ans) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: FSK Demod failed, ans: %d", ans);
+ } else {
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ }
+ }
+ }
+ // PSK clocks should be easy to detect ( but difficult to demod a non-repeating pattern... )
+ ans = GetPskClock("", false, false);
+ if (ans>0) {
+ //try psk1
+ ans = PSKDemod("0 0 6", false);
+ if (!ans) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: PSK1 Demod failed, ans: %d", ans);
+ } else {
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ } else {
+ //try psk2
+ psk1TOpsk2(DemodBuffer, DemodBufferLen);
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ }
+ }
+ //try psk1 inverted
+ ans = PSKDemod("0 1 6", false);
+ if (!ans) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: PSK1 Demod failed, ans: %d", ans);
+ } else {
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ } else {
+ //try psk2
+ psk1TOpsk2(DemodBuffer, DemodBufferLen);
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ }
+ }
+ }
+ }
+ }
+
+ // manchester is more common than biphase... try first
+ bool stcheck = false;
+ // try manchester - NOTE: ST only applies to T55x7 tags.
+ ans = ASKDemod_ext("0,0,1", false, false, 1, &stcheck);
+ if (!ans) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: ASK/Manchester Demod failed, ans: %d", ans);
+ } else {
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ }
+ }
+
+ //try biphase
+ ans = ASKbiphaseDemod("0 0 1", false);
+ if (!ans) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: ASK/biphase Demod failed, ans: %d", ans);
+ } else {
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ }
+ }
+
+ //try diphase (differential biphase or inverted)
+ ans = ASKbiphaseDemod("0 1 1", false);
+ if (!ans) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - EM4305: ASK/biphase Demod failed, ans: %d", ans);
+ } else {
+ if (EM4x05testDemodReadData(word, readCmd)) {
+ return 1;
+ }
+ }
+
+ return -1;
+}
+
+int EM4x05ReadWord_ext(uint8_t addr, uint32_t pwd, bool usePwd, uint32_t *wordData) {
+ UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}};
+ clearCommandBuffer();
+ SendCommand(&c);
+ UsbCommand resp;
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){
+ PrintAndLog("Command timed out");
+ return -1;
+ }
+ if ( !downloadSamplesEM() ) {
+ return -1;
+ }
+ int testLen = (GraphTraceLen < 1000) ? GraphTraceLen : 1000;
+ if (graphJustNoise(GraphBuffer, testLen)) {
+ return -1;
+ }
+ //attempt demod:
+ return demodEM4x05resp(wordData, true);
+}
+
+int EM4x05ReadWord(uint8_t addr, uint32_t pwd, bool usePwd) {
+ uint32_t wordData = 0;
+ int success = EM4x05ReadWord_ext(addr, pwd, usePwd, &wordData);
+ if (success == 1)
+ PrintAndLog("%s Address %02d | %08X", (addr>13) ? "Lock":" Got",addr,wordData);
+ else
+ PrintAndLog("Read Address %02d | failed",addr);
+
+ return success;
+}
+
+int CmdEM4x05ReadWord(const char *Cmd) {
+ uint8_t addr;
+ uint32_t pwd;
+ bool usePwd = false;
+ uint8_t ctmp = param_getchar(Cmd, 0);
+ if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read();
+
+ addr = param_get8ex(Cmd, 0, 50, 10);
+ // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
+ pwd = param_get32ex(Cmd, 1, 1, 16);
+
+ if ( (addr > 15) ) {
+ PrintAndLog("Address must be between 0 and 15");
+ return 1;
+ }
+ if ( pwd == 1 ) {
+ PrintAndLog("Reading address %02u", addr);
+ } else {
+ usePwd = true;
+ PrintAndLog("Reading address %02u | password %08X", addr, pwd);
+ }
+
+ return EM4x05ReadWord(addr, pwd, usePwd);
+}
+
+int usage_lf_em_dump(void) {
+ PrintAndLog("Dump EM4x05/EM4x69. Tag must be on antenna. ");
+ PrintAndLog("");
+ PrintAndLog("Usage: lf em 4x05dump [h] <pwd>");
+ PrintAndLog("Options:");
+ PrintAndLog(" h - this help");
+ PrintAndLog(" pwd - password (hex) (optional)");
+ PrintAndLog("samples:");
+ PrintAndLog(" lf em 4x05dump");
+ PrintAndLog(" lf em 4x05dump 11223344");
+ return 0;
+}
+
+int CmdEM4x05dump(const char *Cmd) {
+ uint8_t addr = 0;
+ uint32_t pwd;
+ bool usePwd = false;
+ uint8_t ctmp = param_getchar(Cmd, 0);
+ if ( ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_dump();
+
+ // for now use default input of 1 as invalid (unlikely 1 will be a valid password...)
+ pwd = param_get32ex(Cmd, 0, 1, 16);
+
+ if ( pwd != 1 ) {
+ usePwd = true;
+ }
+ int success = 1;
+ for (; addr < 16; addr++) {
+ if (addr == 2) {
+ if (usePwd) {
+ PrintAndLog(" PWD Address %02u | %08X",addr,pwd);
+ } else {
+ PrintAndLog(" PWD Address 02 | cannot read");
+ }
+ } else {
+ success &= EM4x05ReadWord(addr, pwd, usePwd);
+ }
+ }
+
+ return success;
+}
+
+
+int usage_lf_em_write(void) {
+ PrintAndLog("Write EM4x05/EM4x69. Tag must be on antenna. ");
+ PrintAndLog("");
+ PrintAndLog("Usage: lf em 4x05writeword [h] a <address> d <data> p <pwd> [s] [i]");
+ PrintAndLog("Options:");
+ PrintAndLog(" h - this help");
+ PrintAndLog(" a <address> - memory address to write to. (0-15)");
+ PrintAndLog(" d <data> - data to write (hex)");
+ PrintAndLog(" p <pwd> - password (hex) (optional)");
+ PrintAndLog(" s - swap the data bit order before write");
+ PrintAndLog(" i - invert the data bits before write");
+ PrintAndLog("samples:");
+ PrintAndLog(" lf em 4x05writeword a 5 d 11223344");
+ PrintAndLog(" lf em 4x05writeword a 5 p deadc0de d 11223344 s i");
+ return 0;
+}
+
+// note: em4x05 doesn't have a way to invert data output so we must invert the data prior to writing
+// it if invertion is needed. (example FSK2a vs FSK)
+// also em4x05 requires swapping word data when compared to the data used for t55xx chips.
+int EM4x05WriteWord(uint8_t addr, uint32_t data, uint32_t pwd, bool usePwd, bool swap, bool invert) {
+ if (swap) data = SwapBits(data, 32);
+
+ if (invert) data ^= 0xFFFFFFFF;
+
+ if ( (addr > 15) ) {
+ PrintAndLog("Address must be between 0 and 15");
+ return -1;
+ }
+ if ( !usePwd ) {
+ PrintAndLog("Writing address %d data %08X", addr, data);
+ } else {
+ PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd);
+ }
+
+ uint16_t flag = (addr << 8 ) | usePwd;
+
+ UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}};
+ clearCommandBuffer();
+ SendCommand(&c);
+ UsbCommand resp;
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){
+ PrintAndLog("Error occurred, device did not respond during write operation.");
+ return -1;
+ }
+ if ( !downloadSamplesEM() ) {
+ return -1;
+ }
+ //check response for 00001010 for write confirmation!
+ //attempt demod:
+ uint32_t dummy = 0;
+ int result = demodEM4x05resp(&dummy,false);
+ if (result == 1) {
+ PrintAndLog("Write Verified");
+ } else {
+ PrintAndLog("Write could not be verified");
+ }
+ return result;