X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/7f0d5926362d50ed01ea04af95a1e03777fce47c..6dd0ff3035ed40ab47f22d76dbc22942a492dca3:/client/cmdlft55xx.c diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index dfee9aa6..a05838b4 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -7,21 +7,24 @@ // Low frequency T55xx commands //----------------------------------------------------------------------------- +#include "cmdlft55xx.h" + #include #include #include -#include "proxmark3.h" +#include +#include +#include "comms.h" #include "ui.h" #include "graph.h" #include "cmdmain.h" #include "cmdparser.h" #include "cmddata.h" #include "cmdlf.h" -#include "cmdlft55xx.h" #include "util.h" -#include "data.h" #include "lfdemod.h" -#include "cmdhf14a.h" //for getTagInfo +#include "protocols.h" +#include "taginfo.h" #define T55x7_CONFIGURATION_BLOCK 0x00 #define T55x7_PAGE0 0x00 @@ -30,7 +33,7 @@ #define REGULAR_READ_MODE_BLOCK 0xFF // Default configuration -t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE }; +t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = false, .offset = 0x00, .block0 = 0x00, .Q5 = false }; t55xx_conf_block_t Get_t55xx_Config(){ return config; @@ -48,6 +51,7 @@ int usage_t55xx_config(){ PrintAndLog(" i [1] Invert data signal, defaults to normal"); PrintAndLog(" o [offset] Set offset, where data should start decode in bitstream"); PrintAndLog(" Q5 Set as Q5(T5555) chip instead of T55x7"); + PrintAndLog(" ST Set Sequence Terminator on"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx config d FSK - FSK demodulation"); @@ -63,6 +67,8 @@ int usage_t55xx_read(){ PrintAndLog(" p - OPTIONAL password (8 hex characters)"); PrintAndLog(" o - OPTIONAL override safety check"); PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0"); + PrintAndLog(" e - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference"); + PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); PrintAndLog(" ****WARNING****"); PrintAndLog(" Use of read with password on a tag not configured for a pwd"); PrintAndLog(" can damage the tag"); @@ -75,16 +81,19 @@ int usage_t55xx_read(){ return 0; } int usage_t55xx_write(){ - PrintAndLog("Usage: lf t55xx wr [b ] [d ] [p ] [1]"); + PrintAndLog("Usage: lf t55xx write [b ] [d ] [p ] [1] [t]"); PrintAndLog("Options:"); PrintAndLog(" b - block number to write. Between 0-7"); PrintAndLog(" d - 4 bytes of data to write (8 hex characters)"); PrintAndLog(" p - OPTIONAL password 4bytes (8 hex characters)"); PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0"); + PrintAndLog(" t - OPTIONAL test mode write - ****DANGER****"); + PrintAndLog(" e - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference"); + PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); PrintAndLog(""); PrintAndLog("Examples:"); - PrintAndLog(" lf t55xx wr b 3 d 11223344 - write 11223344 to block 3"); - PrintAndLog(" lf t55xx wr b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef"); + PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3"); + PrintAndLog(" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef"); PrintAndLog(""); return 0; } @@ -127,6 +136,8 @@ int usage_t55xx_detect(){ PrintAndLog("Options:"); PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag."); PrintAndLog(" p - OPTIONAL password (8 hex characters)"); + PrintAndLog(" e - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference"); + PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx detect"); @@ -135,15 +146,29 @@ int usage_t55xx_detect(){ PrintAndLog(""); return 0; } +int usage_t55xx_detectP1(){ + PrintAndLog("Command: Detect Page 1 of a t55xx chip"); + PrintAndLog("Usage: lf t55xx p1detect [1] [p ]"); + PrintAndLog("Options:"); + PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" p - OPTIONAL password (8 hex characters)"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx p1detect"); + PrintAndLog(" lf t55xx p1detect 1"); + PrintAndLog(" lf t55xx p1detect p 11223344"); + PrintAndLog(""); + return 0; +} int usage_t55xx_wakup(){ - PrintAndLog("Usage: lf t55xx wakeup [h] p "); + PrintAndLog("Usage: lf t55xx wakeup [h] "); PrintAndLog("This commands send the Answer-On-Request command and leaves the readerfield ON afterwards."); PrintAndLog("Options:"); PrintAndLog(" h - this help"); - PrintAndLog(" p - password 4bytes (8 hex symbols)"); + PrintAndLog(" - [required] password 4bytes (8 hex symbols)"); PrintAndLog(""); PrintAndLog("Examples:"); - PrintAndLog(" lf t55xx wakeup p 11223344 - send wakeup password"); + PrintAndLog(" lf t55xx wakeup 11223344 - send wakeup password"); return 0; } int usage_t55xx_bruteforce(){ @@ -163,6 +188,25 @@ int usage_t55xx_bruteforce(){ PrintAndLog(""); return 0; } +int usage_t55xx_bruteforce_downlink(){ + PrintAndLog("This command uses A) bruteforce to scan a number range"); + PrintAndLog(" B) a dictionary attack"); + PrintAndLog("Usage: lf t55xx bruteforce [i <*.dic>]"); + PrintAndLog(" password must be 4 bytes (8 hex symbols)"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" r - 4 byte hex value to start and end pwd search at"); + PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>"); + PrintAndLog(" e - OPTIONAL downlink encoding '0' fixed bit length (default)"); + PrintAndLog(" '1' long leading reference, '2' leading zero "); + PrintAndLog(" '3' 1 of 4 coding reference, '4' special - try all downlink modes"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb"); + PrintAndLog(" lf t55xx bruteforce i default_pwd.dic"); + PrintAndLog(""); + return 0; +} int usage_t55xx_wipe(){ PrintAndLog("Usage: lf t55xx wipe [h] [Q5]"); PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block"); @@ -188,12 +232,12 @@ void printT5xxHeader(uint8_t page){ int CmdT55xxSetConfig(const char *Cmd) { uint8_t offset = 0; - char modulation[5] = {0x00}; + char modulation[6] = {0x00}; char tmp = 0x00; uint8_t bitRate = 0; uint8_t rates[9] = {8,16,32,40,50,64,100,128,0}; uint8_t cmdp = 0; - bool errors = FALSE; + bool errors = false; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { tmp = param_getchar(Cmd, cmdp); @@ -212,12 +256,12 @@ int CmdT55xxSetConfig(const char *Cmd) { break; } } - if (i==9) errors = TRUE; + if (i==9) errors = true; } cmdp+=2; break; case 'd': - param_getstr(Cmd, cmdp+1, modulation); + param_getstr(Cmd, cmdp+1, modulation, sizeof(modulation)); cmdp += 2; if ( strcmp(modulation, "FSK" ) == 0) { @@ -252,7 +296,7 @@ int CmdT55xxSetConfig(const char *Cmd) { config.inverted=0; } else { PrintAndLog("Unknown modulation '%s'", modulation); - errors = TRUE; + errors = true; } break; case 'i': @@ -267,12 +311,17 @@ int CmdT55xxSetConfig(const char *Cmd) { break; case 'Q': case 'q': - config.Q5 = TRUE; + config.Q5 = true; + cmdp++; + break; + case 'S': + case 's': + config.ST = true; cmdp++; break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); - errors = TRUE; + errors = true; break; } } @@ -287,12 +336,12 @@ int CmdT55xxSetConfig(const char *Cmd) { return printConfiguration ( config ); } -int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){ +int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){ //Password mode if ( usepwd ) { // try reading the config block and verify that PWD bit is set before doing this! if ( !override ) { - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0; + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0,downlink_mode ) ) return 0; if ( !tryDetectModulation() ) { PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits."); return 0; @@ -306,7 +355,7 @@ int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32 } } - if (!AquireData(page1, block, usepwd, password) ) return 0; + if (!AquireData(page1, block, usepwd, password,downlink_mode) ) return 0; if (!DecodeT55xxBlock()) return 0; char blk[10]={0}; @@ -318,6 +367,8 @@ int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32 int CmdT55xxReadBlock(const char *Cmd) { uint8_t block = REGULAR_READ_MODE_BLOCK; uint32_t password = 0; //default to blank Block 7 + uint8_t downlink_mode = 0; + bool usepwd = false; bool override = false; bool page1 = false; @@ -348,6 +399,12 @@ int CmdT55xxReadBlock(const char *Cmd) { page1 = true; cmdp++; break; + case 'e': + case 'E': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -362,7 +419,7 @@ int CmdT55xxReadBlock(const char *Cmd) { } printT5xxHeader(page1); - return T55xxReadBlock(block, page1, usepwd, override, password); + return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode); } bool DecodeT55xxBlock(){ @@ -370,59 +427,60 @@ bool DecodeT55xxBlock(){ char buf[30] = {0x00}; char *cmdStr = buf; int ans = 0; + bool ST = config.ST; uint8_t bitRate[8] = {8,16,32,40,50,64,100,128}; DemodBufferLen = 0x00; switch( config.modulation ){ case DEMOD_FSK: snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted ); - ans = FSKrawDemod(cmdStr, FALSE); + ans = FSKrawDemod(cmdStr, false); break; case DEMOD_FSK1: case DEMOD_FSK1a: snprintf(cmdStr, sizeof(buf),"%d %d 8 5", bitRate[config.bitrate], config.inverted ); - ans = FSKrawDemod(cmdStr, FALSE); + ans = FSKrawDemod(cmdStr, false); break; case DEMOD_FSK2: case DEMOD_FSK2a: snprintf(cmdStr, sizeof(buf),"%d %d 10 8", bitRate[config.bitrate], config.inverted ); - ans = FSKrawDemod(cmdStr, FALSE); + ans = FSKrawDemod(cmdStr, false); break; case DEMOD_ASK: snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted ); - ans = ASKDemod(cmdStr, FALSE, FALSE, 1); + ans = ASKDemod_ext(cmdStr, false, false, 1, &ST); break; case DEMOD_PSK1: // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) - save_restoreGB(1); + save_restoreGB(GRAPH_SAVE); CmdLtrim("160"); snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted ); - ans = PSKDemod(cmdStr, FALSE); + ans = PSKDemod(cmdStr, false); //undo trim samples - save_restoreGB(0); + save_restoreGB(GRAPH_RESTORE); break; case DEMOD_PSK2: //inverted won't affect this case DEMOD_PSK3: //not fully implemented // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) - save_restoreGB(1); + save_restoreGB(GRAPH_SAVE); CmdLtrim("160"); snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] ); - ans = PSKDemod(cmdStr, FALSE); + ans = PSKDemod(cmdStr, false); psk1TOpsk2(DemodBuffer, DemodBufferLen); //undo trim samples - save_restoreGB(0); + save_restoreGB(GRAPH_RESTORE); break; case DEMOD_NRZ: snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted ); - ans = NRZrawDemod(cmdStr, FALSE); + ans = NRZrawDemod(cmdStr, false); break; case DEMOD_BI: case DEMOD_BIa: snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted ); - ans = ASKbiphaseDemod(cmdStr, FALSE); + ans = ASKbiphaseDemod(cmdStr, false); break; default: - return FALSE; + return false; } return (bool) ans; } @@ -431,15 +489,16 @@ bool DecodeT5555TraceBlock() { DemodBufferLen = 0x00; // According to datasheet. Always: RF/64, not inverted, Manchester - return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1); + return (bool) ASKDemod("64 0 1", false, false, 1); } int CmdT55xxDetect(const char *Cmd){ - bool errors = FALSE; - bool useGB = FALSE; - bool usepwd = FALSE; + bool errors = false; + bool useGB = false; + bool usepwd = false; uint32_t password = 0; uint8_t cmdp = 0; + uint8_t downlink_mode = 0; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch(param_getchar(Cmd, cmdp)) { @@ -449,14 +508,20 @@ int CmdT55xxDetect(const char *Cmd){ case 'p': case 'P': password = param_get32ex(Cmd, cmdp+1, 0, 16); - usepwd = TRUE; + usepwd = true; cmdp += 2; break; case '1': // use Graphbuffer data - useGB = TRUE; + useGB = true; cmdp++; break; + case 'e': + case 'E': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -466,13 +531,24 @@ int CmdT55xxDetect(const char *Cmd){ if (errors) return usage_t55xx_detect(); if ( !useGB) { - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) ) + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password,downlink_mode) ) return 0; } if ( !tryDetectModulation() ) PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'"); - + else { + // Add downlink mode to reference. + switch (downlink_mode) { + case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break; + case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break; + case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break; + case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break; + // default: + + // No default action + } + } return 1; } @@ -481,130 +557,140 @@ bool tryDetectModulation(){ uint8_t hits = 0; t55xx_conf_block_t tests[15]; int bitRate=0; - uint8_t fc1 = 0, fc2 = 0, clk=0; - - if (GetFskClock("", FALSE, FALSE)){ - fskClocks(&fc1, &fc2, &clk, FALSE); - if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + uint8_t fc1 = 0, fc2 = 0, ans = 0; + int clk = 0, firstClockEdge = 0; + ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge); + if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) { + if ( FSKrawDemod("0 0", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_FSK; if (fc1==8 && fc2 == 5) tests[hits].modulation = DEMOD_FSK1a; else if (fc1==10 && fc2 == 8) tests[hits].modulation = DEMOD_FSK2; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( FSKrawDemod("0 1", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_FSK; if (fc1 == 8 && fc2 == 5) tests[hits].modulation = DEMOD_FSK1; else if (fc1 == 10 && fc2 == 8) tests[hits].modulation = DEMOD_FSK2a; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } else { - clk = GetAskClock("", FALSE, FALSE); + clk = GetAskClock("", false, false); if (clk>0) { - if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + tests[hits].ST = true; + if ( ASKDemod_ext("0 0 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); ++hits; } - if ( ASKDemod("0 1 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + tests[hits].ST = true; + if ( ASKDemod_ext("0 1 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); ++hits; } - if ( ASKbiphaseDemod("0 0 0 2", FALSE) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { + if ( ASKbiphaseDemod("0 0 0 2", false) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { tests[hits].modulation = DEMOD_BI; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { + if ( ASKbiphaseDemod("0 0 1 2", false) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { tests[hits].modulation = DEMOD_BIa; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } - //undo trim from ask - //save_restoreGB(0); - clk = GetNrzClock("", FALSE, FALSE); - if (clk>0) { - if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + clk = GetNrzClock("", false, false); + if (clk>8) { //clock of rf/8 is likely a false positive, so don't use it. + if ( NRZrawDemod("0 0 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_NRZ; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( NRZrawDemod("0 1 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( NRZrawDemod("0 1 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_NRZ; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } - // allow undo - // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) - save_restoreGB(1); - CmdLtrim("160"); - clk = GetPskClock("", FALSE, FALSE); + clk = GetPskClock("", false, false); if (clk>0) { - if ( PSKDemod("0 0 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + // allow undo + save_restoreGB(GRAPH_SAVE); + // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) + CmdLtrim("160"); + if ( PSKDemod("0 0 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_PSK1; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( PSKDemod("0 1 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_PSK1; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } // PSK2 - needs a call to psk1TOpsk2. - if ( PSKDemod("0 0 6", FALSE)) { + if ( PSKDemod("0 0 6", false)) { psk1TOpsk2(DemodBuffer, DemodBufferLen); if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){ tests[hits].modulation = DEMOD_PSK2; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } // inverse waves does not affect this demod // PSK3 - needs a call to psk1TOpsk2. - if ( PSKDemod("0 0 6", FALSE)) { + if ( PSKDemod("0 0 6", false)) { psk1TOpsk2(DemodBuffer, DemodBufferLen); if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){ tests[hits].modulation = DEMOD_PSK3; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } // inverse waves does not affect this demod + //undo trim samples + save_restoreGB(GRAPH_RESTORE); } - //undo trim samples - save_restoreGB(0); } if ( hits == 1) { config.modulation = tests[0].modulation; @@ -613,8 +699,9 @@ bool tryDetectModulation(){ config.offset = tests[0].offset; config.block0 = tests[0].block0; config.Q5 = tests[0].Q5; + config.ST = tests[0].ST; printConfiguration( config ); - return TRUE; + return true; } if ( hits > 1) { @@ -624,68 +711,68 @@ bool tryDetectModulation(){ printConfiguration( tests[i] ); } } - return FALSE; + return false; } bool testModulation(uint8_t mode, uint8_t modread){ switch( mode ){ case DEMOD_FSK: - if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return TRUE; + if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return true; break; case DEMOD_ASK: - if (modread == DEMOD_ASK) return TRUE; + if (modread == DEMOD_ASK) return true; break; case DEMOD_PSK1: - if (modread == DEMOD_PSK1) return TRUE; + if (modread == DEMOD_PSK1) return true; break; case DEMOD_PSK2: - if (modread == DEMOD_PSK2) return TRUE; + if (modread == DEMOD_PSK2) return true; break; case DEMOD_PSK3: - if (modread == DEMOD_PSK3) return TRUE; + if (modread == DEMOD_PSK3) return true; break; case DEMOD_NRZ: - if (modread == DEMOD_NRZ) return TRUE; + if (modread == DEMOD_NRZ) return true; break; case DEMOD_BI: - if (modread == DEMOD_BI) return TRUE; + if (modread == DEMOD_BI) return true; break; case DEMOD_BIa: - if (modread == DEMOD_BIa) return TRUE; + if (modread == DEMOD_BIa) return true; break; default: - return FALSE; + return false; } - return FALSE; + return false; } bool testQ5Modulation(uint8_t mode, uint8_t modread){ switch( mode ){ case DEMOD_FSK: - if (modread >= 4 && modread <= 5) return TRUE; + if (modread >= 4 && modread <= 5) return true; break; case DEMOD_ASK: - if (modread == 0) return TRUE; + if (modread == 0) return true; break; case DEMOD_PSK1: - if (modread == 1) return TRUE; + if (modread == 1) return true; break; case DEMOD_PSK2: - if (modread == 2) return TRUE; + if (modread == 2) return true; break; case DEMOD_PSK3: - if (modread == 3) return TRUE; + if (modread == 3) return true; break; case DEMOD_NRZ: - if (modread == 7) return TRUE; + if (modread == 7) return true; break; case DEMOD_BI: - if (modread == 6) return TRUE; + if (modread == 6) return true; break; default: - return FALSE; + return false; } - return FALSE; + return false; } int convertQ5bitRate(uint8_t bitRateRead) { @@ -699,7 +786,7 @@ int convertQ5bitRate(uint8_t bitRateRead) { bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){ - if ( DemodBufferLen < 64 ) return FALSE; + if ( DemodBufferLen < 64 ) return false; uint8_t si = 0; for (uint8_t idx = 28; idx < 64; idx++){ si = idx; @@ -732,9 +819,9 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){ if (*fndBitRate < 0) continue; *offset = idx; - return TRUE; + return true; } - return FALSE; + return false; } bool testBitRate(uint8_t readRate, uint8_t clk){ @@ -747,7 +834,7 @@ bool testBitRate(uint8_t readRate, uint8_t clk){ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){ - if ( DemodBufferLen < 64 ) return FALSE; + if ( DemodBufferLen < 64 ) return false; uint8_t si = 0; for (uint8_t idx = 28; idx < 64; idx++){ si = idx; @@ -759,34 +846,35 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5) // moved test to here, since this gets most faults first. if ( resv > 0x00) continue; - uint8_t xtRate = PackBits(si, 3, DemodBuffer); si += 3; //extended mode part of rate - int bitRate = PackBits(si, 3, DemodBuffer); si += 3; //bit rate - if (bitRate > 7) continue; + int bitRate = PackBits(si, 6, DemodBuffer); si += 6; //bit rate (includes extended mode part of rate) uint8_t extend = PackBits(si, 1, DemodBuffer); si += 1; //bit 15 extended mode uint8_t modread = PackBits(si, 5, DemodBuffer); si += 5+2+1; //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2+1; //could check psk cr - uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode - uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2; + //uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode + //uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2; //if extended mode - bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE; + bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? true : false; + + if (!extMode) { + if (bitRate > 7) continue; + if (!testBitRate(bitRate, clk)) continue; + } else { //extended mode bitrate = same function to calc bitrate as em4x05 + if (EM4x05_GET_BITRATE(bitRate) != clk) continue; - if (!extMode){ - if (nml01 || nml02 || xtRate) continue; } //test modulation if (!testModulation(mode, modread)) continue; - if (!testBitRate(bitRate, clk)) continue; *fndBitRate = bitRate; *offset = idx; - *Q5 = FALSE; - return TRUE; + *Q5 = false; + return true; } if (testQ5(mode, offset, fndBitRate, clk)) { - *Q5 = TRUE; - return TRUE; + *Q5 = true; + return true; } - return FALSE; + return false; } void printT55xxBlock(const char *blockNum){ @@ -833,9 +921,10 @@ int special(const char *Cmd) { int printConfiguration( t55xx_conf_block_t b){ PrintAndLog("Chip Type : %s", (b.Q5) ? "T5555(Q5)" : "T55x7"); PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) ); - PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate) ); + PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate, (b.block0 & T55x7_X_MODE && (b.block0>>28==6 || b.block0>>28==9))) ); PrintAndLog("Inverted : %s", (b.inverted) ? "Yes" : "No" ); PrintAndLog("Offset : %d", b.offset); + PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" ); PrintAndLog("Block0 : 0x%08X", b.block0); PrintAndLog(""); return 0; @@ -843,26 +932,11 @@ int printConfiguration( t55xx_conf_block_t b){ int CmdT55xxWakeUp(const char *Cmd) { uint32_t password = 0; - uint8_t cmdp = 0; - bool errors = true; - while(param_getchar(Cmd, cmdp) != 0x00) { - switch(param_getchar(Cmd, cmdp)) { - case 'h': - case 'H': - return usage_t55xx_wakup(); - case 'p': - case 'P': - password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16); - cmdp += 2; - errors = false; - break; - default: - PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); - errors = true; - break; - } - } - if (errors) return usage_t55xx_wakup(); + if ( strlen(Cmd) <= 0 ) return usage_t55xx_wakup(); + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wakup(); + + password = param_get32ex(Cmd, 0, 0, 16); UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}}; clearCommandBuffer(); @@ -875,9 +949,12 @@ int CmdT55xxWriteBlock(const char *Cmd) { uint8_t block = 0xFF; //default to invalid block uint32_t data = 0; //default to blank Block uint32_t password = 0; //default to blank Block 7 + uint32_t downlink_mode = 0; + bool usepwd = false; bool page1 = false; bool gotdata = false; + bool testMode = false; bool errors = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { @@ -902,10 +979,21 @@ int CmdT55xxWriteBlock(const char *Cmd) { usepwd = true; cmdp += 2; break; + case 't': + case 'T': + testMode = true; + cmdp++; + break; case '1': page1 = true; cmdp++; break; + case 'e': + case 'E': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -922,17 +1010,20 @@ int CmdT55xxWriteBlock(const char *Cmd) { UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}}; UsbCommand resp; c.d.asBytes[0] = (page1) ? 0x2 : 0; - + c.d.asBytes[0] |= (testMode) ? 0x4 : 0; + c.d.asBytes[0] |= (downlink_mode << 3); + char pwdStr[16] = {0}; snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password); PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" ); - + //Password mode if (usepwd) { c.arg[2] = password; c.d.asBytes[0] |= 0x1; } + clearCommandBuffer(); SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ @@ -950,7 +1041,7 @@ int CmdT55xxReadTrace(const char *Cmd) { return usage_t55xx_trace(); if (strlen(Cmd)==0) - if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) ) + if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password,0 ) ) return 0; if ( config.Q5 ) { @@ -1040,7 +1131,7 @@ void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){ PrintAndLog("-- T55x7 Trace Information ----------------------------------"); PrintAndLog("-------------------------------------------------------------"); PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", data.acl, data.acl); - PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc)); + PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", data.mfc, data.mfc, getManufacturerName(data.mfc)); PrintAndLog(" CID : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid)); PrintAndLog(" ICR IC Revision : %d", data.icr ); PrintAndLog(" Manufactured"); @@ -1114,7 +1205,7 @@ int CmdT55xxInfo(const char *Cmd){ return usage_t55xx_info(); if (strlen(Cmd)==0) - if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) ) + if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password,0 ) ) return 1; if (!DecodeT55xxBlock()) return 1; @@ -1146,7 +1237,7 @@ int CmdT55xxInfo(const char *Cmd){ PrintAndLog("-------------------------------------------------------------"); PrintAndLog(" Safer key : %s", GetSaferStr(safer)); PrintAndLog(" reserved : %d", resv); - PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr)); + PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr, extend)); PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No"); PrintAndLog(" Modulation : %s", GetModulationStr(datamod)); PrintAndLog(" PSK clock frequency : %d", pskcf); @@ -1173,7 +1264,7 @@ int CmdT55xxDump(const char *Cmd){ bool override = false; if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump(); - bool usepwd = ( strlen(Cmd) > 0); + bool usepwd = ( strlen(Cmd) > 0); if ( usepwd ){ password = param_get32ex(Cmd, 0, 0, 16); if (param_getchar(Cmd, 1) =='o' ) @@ -1182,20 +1273,21 @@ int CmdT55xxDump(const char *Cmd){ printT5xxHeader(0); for ( uint8_t i = 0; i <8; ++i) - T55xxReadBlock(i, 0, usepwd, override, password); + T55xxReadBlock(i, 0, usepwd, override, password,0); printT5xxHeader(1); for ( uint8_t i = 0; i<4; i++) - T55xxReadBlock(i, 1, usepwd, override, password); + T55xxReadBlock(i, 1, usepwd, override, password,0); return 1; } -int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){ +int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode ){ // arg0 bitmodes: // bit0 = pwdmode // bit1 = page to read from uint8_t arg0 = (page<<1) | pwdmode; + arg0 |= (downlink_mode << 3); UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}}; clearCommandBuffer(); @@ -1204,28 +1296,28 @@ int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){ PrintAndLog("command execution time out"); return 0; } - - uint8_t got[12000]; - GetFromBigBuf(got,sizeof(got),0); - WaitForResponse(CMD_ACK,NULL); - setGraphBuf(got, sizeof(got)); + getSamples(12000,true); return 1; } -char * GetBitRateStr(uint32_t id) { +char * GetBitRateStr(uint32_t id, bool xmode) { static char buf[25]; char *retStr = buf; - switch (id) { - case 0: snprintf(retStr,sizeof(buf),"%d - RF/8",id); break; - case 1: snprintf(retStr,sizeof(buf),"%d - RF/16",id); break; - case 2: snprintf(retStr,sizeof(buf),"%d - RF/32",id); break; - case 3: snprintf(retStr,sizeof(buf),"%d - RF/40",id); break; - case 4: snprintf(retStr,sizeof(buf),"%d - RF/50",id); break; - case 5: snprintf(retStr,sizeof(buf),"%d - RF/64",id); break; - case 6: snprintf(retStr,sizeof(buf),"%d - RF/100",id); break; - case 7: snprintf(retStr,sizeof(buf),"%d - RF/128",id); break; - default: snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break; + if (xmode) { //xmode bitrate calc is same as em4x05 calc + snprintf(retStr,sizeof(buf),"%d - RF/%d", id, EM4x05_GET_BITRATE(id)); + } else { + switch (id) { + case 0: snprintf(retStr,sizeof(buf),"%d - RF/8",id); break; + case 1: snprintf(retStr,sizeof(buf),"%d - RF/16",id); break; + case 2: snprintf(retStr,sizeof(buf),"%d - RF/32",id); break; + case 3: snprintf(retStr,sizeof(buf),"%d - RF/40",id); break; + case 4: snprintf(retStr,sizeof(buf),"%d - RF/50",id); break; + case 5: snprintf(retStr,sizeof(buf),"%d - RF/64",id); break; + case 6: snprintf(retStr,sizeof(buf),"%d - RF/100",id); break; + case 7: snprintf(retStr,sizeof(buf),"%d - RF/128",id); break; + default: snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break; + } } return buf; } @@ -1325,8 +1417,7 @@ int CmdResetRead(const char *Cmd) { } uint8_t got[BIGBUF_SIZE-1]; - GetFromBigBuf(got,sizeof(got),0); - WaitForResponse(CMD_ACK,NULL); + GetFromBigBuf(got, sizeof(got), 0, NULL, -1 , 0); setGraphBuf(got, sizeof(got)); return 1; } @@ -1368,6 +1459,7 @@ int CmdT55xxBruteForce(const char *Cmd) { char buf[9]; char filename[FILE_PATH_SIZE]={0}; int keycnt = 0; + uint8_t downlink_mode = 0; int ch; uint8_t stKeyBlock = 20; uint8_t *keyBlock = NULL, *p = NULL; @@ -1403,7 +1495,7 @@ int CmdT55xxBruteForce(const char *Cmd) { //The line start with # is comment, skip if( buf[0]=='#' ) continue; - if (!isxdigit(buf[0])) { + if (!isxdigit((unsigned char)buf[0])) { PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf); continue; } @@ -1451,7 +1543,7 @@ int CmdT55xxBruteForce(const char *Cmd) { PrintAndLog("Testing %08X", testpwd); - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) { + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd,downlink_mode)) { PrintAndLog("Aquireing data from device failed. Quitting"); free(keyBlock); return 0; @@ -1496,7 +1588,7 @@ int CmdT55xxBruteForce(const char *Cmd) { return 0; } - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) { + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,downlink_mode)) { PrintAndLog("Aquireing data from device failed. Quitting"); free(keyBlock); return 0; @@ -1518,11 +1610,394 @@ int CmdT55xxBruteForce(const char *Cmd) { return 0; } +int CmdT55xxBruteForce_downlink(const char *Cmd) { + + // load a default pwd file. + char buf[9]; + char filename[FILE_PATH_SIZE]={0}; + int keycnt = 0; + uint8_t downlink_mode = 0; + int ch; + uint8_t stKeyBlock = 20; + uint8_t *keyBlock = NULL, *p = NULL; + uint32_t start_password = 0x00000000; //start password + uint32_t end_password = 0xFFFFFFFF; //end password + bool found = false; + uint8_t cmdp = 0; + int cmd_offset = 0; + int errors = 0; + int len; + bool use_file = false; + bool use_range = false; + bool try_all_dl_modes = false; + uint8_t dl_mode = 0; + + keyBlock = calloc(stKeyBlock, 6); + if (keyBlock == NULL) return 1; + + PrintAndLog("New Downlink Supprt"); + + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_t55xx_bruteforce_downlink(); + case 'e': + case 'E': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode == 4) try_all_dl_modes = true; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + cmd_offset += 4; + PrintAndLog ("DL Mode : %d",downlink_mode); + break; + case 'i': + case 'I': + if (use_range) { + PrintAndLog ("use Range or File"); + return 0; + } + use_file = true; + len = strlen(Cmd+2); + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + memcpy(filename, Cmd+cmd_offset+2, len); + cmdp += 2; + // PrintAndLog (" File : [%s]",filename); + break; + case 'r': + case 'R': + if (use_file) { + PrintAndLog ("use Range or File"); + return 0; + } + use_range = true; // = param_get32ex(Cmd, cmdp+1, 0, 16); + start_password = param_get32ex(Cmd, cmdp+1, 0, 16); + end_password = param_get32ex(Cmd, cmdp+2, 0, 16); + cmdp += 3; + cmd_offset += 20; // 8 + 8 + 1 + 1 + 1 + // PrintAndLog (" Range : [%0X] - [%0X]",start_password,end_password); + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + +// if (cmdp == 'i' || cmdp == 'I') { + + if (use_file) + { + FILE * f = fopen( filename , "r"); + + if ( !f ) { + PrintAndLog("File: %s: not found or locked.", filename); + free(keyBlock); + return 1; + } + + while( fgets(buf, sizeof(buf), f) ) { + if (strlen(buf) < 8 || buf[7] == '\n') continue; + + while (fgetc(f) != '\n' && !feof(f)) ; //goto next line + + //The line start with # is comment, skip + if( buf[0]=='#' ) continue; + + if (!isxdigit((unsigned char)buf[0])) { + PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf); + continue; + } + + buf[8] = 0; + + if ( stKeyBlock - keycnt < 2) { + p = realloc(keyBlock, 6*(stKeyBlock+=10)); + if (!p) { + PrintAndLog("Cannot allocate memory for defaultKeys"); + free(keyBlock); + fclose(f); + return 2; + } + keyBlock = p; + } + memset(keyBlock + 4 * keycnt, 0, 4); + num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt); + PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4)); + keycnt++; + memset(buf, 0, sizeof(buf)); + } + fclose(f); + + if (keycnt == 0) { + PrintAndLog("No keys found in file"); + free(keyBlock); + return 1; + } + PrintAndLog("Loaded %d keys", keycnt); + + // loop + uint64_t testpwd = 0x00; + for (uint16_t c = 0; c < keycnt; ++c ) { + + if (ukbhit()) { + ch = getchar(); + (void)ch; + printf("\naborted via keyboard!\n"); + free(keyBlock); + return 0; + } + + testpwd = bytes_to_num(keyBlock + 4*c, 4); + + PrintAndLog("Testing %08X", testpwd); + + // Try each downlink_mode of asked to + // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3 + for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) + { + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd,dl_mode)) { + PrintAndLog("Aquireing data from device failed. Quitting"); + free(keyBlock); + return 0; + } + + found = tryDetectModulation(); + + if ( found ) { + PrintAndLog("Found valid password: [%08X]", testpwd); + free(keyBlock); + // Add downlink mode to reference. + switch (dl_mode) { + case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break; + case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break; + case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break; + case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break; + } + return 0; + } + if (!try_all_dl_modes) // Exit loop + dl_mode = 4; + } + } + PrintAndLog("Password NOT found."); + free(keyBlock); + return 0; + } + + if (use_range) + { + // incremental pwd range search + // start_password = param_get32ex(Cmd, 0, 0, 16); + // end_password = param_get32ex(Cmd, 1, 0, 16); + + if ( start_password >= end_password ) { + free(keyBlock); + return usage_t55xx_bruteforce_downlink(); + } + PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password); + + uint32_t i = start_password; + + while ((!found) && (i <= end_password)) { + + printf("."); + fflush(stdout); + if (ukbhit()) { + ch = getchar(); + (void)ch; + printf("\naborted via keyboard!\n"); + free(keyBlock); + return 0; + } + + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,downlink_mode)) { + PrintAndLog("Aquireing data from device failed. Quitting"); + free(keyBlock); + return 0; + } + found = tryDetectModulation(); + + if (found) break; + i++; + } + + PrintAndLog(""); + + if (found) { + PrintAndLog("Found valid password: [%08x]", i); + // Add downlink mode to reference. + switch (downlink_mode) { + case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break; + case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break; + case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break; + case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break; + } + } + else + PrintAndLog("Password NOT found. Last tried: [%08x]", --i); + + free(keyBlock); + } + return 0; +} + +// note length of data returned is different for different chips. +// some return all page 1 (64 bits) and others return just that block (32 bits) +// unfortunately the 64 bits makes this more likely to get a false positive... +bool tryDetectP1(bool getData) { + uint8_t preamble[] = {1,1,1,0,0,0,0,0,0,0,0,1,0,1,0,1}; + size_t startIdx = 0; + uint8_t fc1 = 0, fc2 = 0, ans = 0; + int clk = 0, firstClockEdge = 0; + bool st = true; + + if ( getData ) { + if ( !AquireData(T55x7_PAGE1, 1, false, 0,0) ) + return false; + } + + // try fsk clock detect. if successful it cannot be any other type of modulation... (in theory...) + ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge); + if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) { + if ( FSKrawDemod("0 0", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( FSKrawDemod("0 1", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + return false; + } + + // try psk clock detect. if successful it cannot be any other type of modulation... (in theory...) + clk = GetPskClock("", false, false); + if (clk>0) { + // allow undo + // save_restoreGB(1); + // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) + //CmdLtrim("160"); + if ( PSKDemod("0 0 6", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + //save_restoreGB(0); + return true; + } + if ( PSKDemod("0 1 6", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + //save_restoreGB(0); + return true; + } + // PSK2 - needs a call to psk1TOpsk2. + if ( PSKDemod("0 0 6", false)) { + psk1TOpsk2(DemodBuffer, DemodBufferLen); + if (preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + //save_restoreGB(0); + return true; + } + } // inverse waves does not affect PSK2 demod + //undo trim samples + //save_restoreGB(0); + // no other modulation clocks = 2 or 4 so quit searching + if (fc1 != 8) return false; + } + + // try ask clock detect. it could be another type even if successful. + clk = GetAskClock("", false, false); + if (clk>0) { + if ( ASKDemod_ext("0 0 1", false, false, 1, &st) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + st = true; + if ( ASKDemod_ext("0 1 1", false, false, 1, &st) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( ASKbiphaseDemod("0 0 0 2", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( ASKbiphaseDemod("0 0 1 2", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + } + + // try NRZ clock detect. it could be another type even if successful. + clk = GetNrzClock("", false, false); //has the most false positives :( + if (clk>0) { + if ( NRZrawDemod("0 0 1", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( NRZrawDemod("0 1 1", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + } + return false; +} +// does this need to be a callable command? +int CmdT55xxDetectPage1(const char *Cmd){ + bool errors = false; + bool useGB = false; + bool usepwd = false; + uint32_t password = 0; + uint8_t cmdp = 0; + + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_t55xx_detectP1(); + case 'p': + case 'P': + password = param_get32ex(Cmd, cmdp+1, 0, 16); + usepwd = true; + cmdp += 2; + break; + case '1': + // use Graphbuffer data + useGB = true; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + if (errors) return usage_t55xx_detectP1(); + + if ( !useGB ) { + if ( !AquireData(T55x7_PAGE1, 1, usepwd, password,0) ) + return false; + } + bool success = tryDetectP1(false); + if (success) PrintAndLog("T55xx chip found!"); + return success; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, - {"bruteforce",CmdT55xxBruteForce,0, " [i <*.dic>] Simple bruteforce attack to find password"}, + {"bruteforce",CmdT55xxBruteForce,0, " [i <*.dic>] Simple bruteforce attack to find password"}, + {"bruteforcedl",CmdT55xxBruteForce_downlink,0, "r [i <*.dic>] [e ] Simple bruteforce attack to find password"}, {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."}, + {"p1detect", CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"}, {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"}, {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"}, {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},