## [unreleased][unreleased]
### Added
+ - Added lf pyramid commands (iceman)
+ - Added lf presco commands - some bits not fully understood... (iceman)
- Added experimental HitagS support (Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg)
see https://media.ccc.de/v/32c3-7166-sicherheit_von_125khz_transpondern_am_beispiel_hitag_s
English video available
- `lf t55xx wipe` - sets t55xx back to factory defaults
- Added viking demod to `lf search` (marshmellow)
- `data askvikingdemod` demod viking id tag from graphbuffer (marshmellow)
- - `lf t55xx resetread` added reset then read command - should allow determining start
- of stream transmissions (marshmellow)
+ - `lf t55xx resetread` added reset then read command - should allow determining start of stream transmissions (marshmellow)
- `lf t55xx wakeup` added wake with password (AOR) to allow lf search or standard lf read after (iceman, marshmellow)
- `hf iclass managekeys` to save, load and manage iclass keys. (adjusted most commands to accept a loaded key in memory) (marshmellow)
- `hf iclass readblk` to select, authenticate, and read 1 block from an iclass card (marshmellow)
- Added 'hf snoop'. This command take digitalized signal from FPGA and put in BigBuffer. (pwpiwi + enio)
- Added Topaz (NFC type 1) protocol support ('hf topaz reader', 'hf list topaz', 'hf 14a raw -T', 'hf topaz snoop'). (piwi)
- Added option c to 'hf list' (mark CRC bytes) (piwi)
+- Added option `l` or `h` to `hw tune` to save time and unnecessary fpga writes if you are only interested in lf or hf.
### Changed
- - Added `[l] <length>` option to data printdemodbuffer
- - Adjusted lf awid clone to optionally clone to Q5 tags
- - Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7
- - Adjusted all lf NRZ demods - works more accurately and consistently (as long as you have strong signal)
- - Adjusted lf pskindalademod to reduce false positive reads.
- - Small adjustments to psk, nrz, and ask clock detect routines - more reliable.
- - Adjusted lf em410x em410xsim to accept a clock argument
+ - Fixed bug in lf biphase sim - `lf simask b` (and any tagtype that relies on it - gproxii...) (marshmellow)
+ - Fixed bug in lf viking clone/sim (iceman)
+ - Fixed broken `data askedgedetect` (marshmellow)
+ - Adjusted hf mf sim command (marshmellow)
+ added auto run mfkey32 to extract all keys
+ also added f parameter to allow attacking with UIDs from a file (implies x and i parameters)
+ also added e parameter to allow adding the extracted keys to emulator memory for the next simulation
+ added 10 byte uid option
+ - Added `[l] <length>` option to data printdemodbuffer (marshmellow)
+ - Adjusted lf awid clone to optionally clone to Q5 tags (marshmellow)
+ - Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7 (marshmellow)
+ - Adjusted all lf NRZ demods - works more accurately and consistently (as long as you have strong signal) (marshmellow)
+ - Adjusted lf pskindalademod to reduce false positive reads. (marshmellow)
+ - Small adjustments to psk, nrz, and ask clock detect routines - more reliable. (marshmellow)
+ - Adjusted lf em410x em410xsim to accept a clock argument (marshmellow)
- Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow)
- Adjusted lf t55xx write input variables (marshmellow)
- Adjusted lf t55xx read with password safety check and warning text and adjusted the input variables (marshmellow & iceman)
- - Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate.
+ - Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate. (marshmellow)
- Adjusted timings for t55xx commands. more reliable now. (marshmellow & iceman)
- `lf cmdread` adjusted input methods and added help text (marshmellow & iceman)
- changed `lf config t <threshold>` to be 0 - 128 and will trigger on + or - threshold value (marshmellow)
- - `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to multiple pages for the larger tags yet)
+ - `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to multiple pages for the larger tags yet) (marshmellow)
- Revised workflow for StandAloneMode14a (Craig Young)
- EPA functions (`hf epa`) now support both ISO 14443-A and 14443-B cards (frederikmoellers)
- 'hw version' only talks to ARM at startup, after that the info is cached. (pwpiwi)
#include "iso14443a.h"
#endif
- #define abs(x) ( ((x)<0) ? -(x) : (x) )
-
//=============================================================================
// A buffer where we can queue things up to be sent through the FPGA, for
// any purpose (fake tag, as reader, whatever). We go MSB first, since that
return (a + 15) >> 5;
}
-void MeasureAntennaTuning(void)
+void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
{
- uint8_t LF_Results[256];
- int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
- int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
-
- LED_B_ON();
+ int i, adcval = 0, peak = 0;
/*
* Sweeps the useful LF range of the proxmark from
* the resonating frequency of your LF antenna
* ( hopefully around 95 if it is tuned to 125kHz!)
*/
-
- FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
for (i=255; i>=19; i--) {
- WDT_HIT();
+ WDT_HIT();
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
SpinDelay(20);
adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
- if (i==95) vLf125 = adcval; // voltage at 125Khz
- if (i==89) vLf134 = adcval; // voltage at 134Khz
+ if (i==95) *vLf125 = adcval; // voltage at 125Khz
+ if (i==89) *vLf134 = adcval; // voltage at 134Khz
LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
if(LF_Results[i] > peak) {
- peakv = adcval;
+ *peakv = adcval;
peak = LF_Results[i];
- peakf = i;
+ *peakf = i;
//ptr = i;
}
}
for (i=18; i >= 0; i--) LF_Results[i] = 0;
-
- LED_A_ON();
+
+ return;
+}
+
+void MeasureAntennaTuningHfOnly(int *vHf)
+{
// Let the FPGA drive the high-frequency antenna around 13.56 MHz.
- FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ LED_A_ON();
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
SpinDelay(20);
- vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
+ *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
+ LED_A_OFF();
+
+ return;
+}
+
+void MeasureAntennaTuning(int mode)
+{
+ uint8_t LF_Results[256] = {0};
+ int peakv = 0, peakf = 0;
+ int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
+
+ LED_B_ON();
+
+ if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
+ // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
+ MeasureAntennaTuningHfOnly(&vHf);
+ MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
+ } else {
+ if (mode & FLAG_TUNE_LF) {
+ MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
+ }
+ if (mode & FLAG_TUNE_HF) {
+ MeasureAntennaTuningHfOnly(&vHf);
+ }
+ }
cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
- LED_A_OFF();
LED_B_OFF();
return;
}
if (limit != HF_ONLY) {
if(mode == 1) {
- if (abs(lf_av - lf_baseline) > REPORT_CHANGE)
+ if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
LED_D_ON();
else
LED_D_OFF();
lf_av_new = AvgAdc(ADC_CHAN_LF);
// see if there's a significant change
- if(abs(lf_av - lf_av_new) > REPORT_CHANGE) {
+ if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
lf_av = lf_av_new;
if (lf_av > lf_max)
if (limit != LF_ONLY) {
if (mode == 1){
- if (abs(hf_av - hf_baseline) > REPORT_CHANGE)
+ if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
LED_B_ON();
else
LED_B_OFF();
hf_av_new = AvgAdc(ADC_CHAN_HF);
// see if there's a significant change
- if(abs(hf_av - hf_av_new) > REPORT_CHANGE) {
+ if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
hf_av = hf_av_new;
if (hf_av > hf_max)
break;
case CMD_MEASURE_ANTENNA_TUNING:
- MeasureAntennaTuning();
+ MeasureAntennaTuning(c->arg[0]);
break;
case CMD_MEASURE_ANTENNA_TUNING_HF:
// Data and Graph commands
//-----------------------------------------------------------------------------
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <limits.h>
- #include "proxmark3.h"
- #include "data.h"
- #include "ui.h"
- #include "graph.h"
- #include "cmdparser.h"
+ #include <stdio.h> // also included in util.h
+ #include <string.h> // also included in util.h
+ #include <limits.h> // for CmdNorm INT_MIN && INT_MAX
+ #include "data.h" // also included in util.h
+ #include "cmddata.h"
#include "util.h"
#include "cmdmain.h"
- #include "cmddata.h"
- #include "lfdemod.h"
- #include "usb_cmd.h"
- #include "crc.h"
- #include "crc16.h"
- #include "loclass/cipherutils.h"
+ #include "proxmark3.h"
+ #include "ui.h" // for show graph controls
+ #include "graph.h" // for graph data
+ #include "cmdparser.h"// already included in cmdmain.h
+ #include "usb_cmd.h" // already included in cmdmain.h and proxmark3.h
+ #include "lfdemod.h" // for demod code
+ #include "crc.h" // for pyramid checksum maxim
+ #include "crc16.h" // for FDXB demod checksum
+ #include "loclass/cipherutils.h" // for decimating samples in getsamples
uint8_t DemodBuffer[MAX_DEMOD_BUF_LEN];
uint8_t g_debugMode=0;
int CmdG_Prox_II_Demod(const char *Cmd)
{
if (!ASKbiphaseDemod(Cmd, FALSE)){
- if (g_debugMode) PrintAndLog("ASKbiphaseDemod failed 1st try");
+ if (g_debugMode) PrintAndLog("Error gProxII: ASKbiphaseDemod failed 1st try");
return 0;
}
size_t size = DemodBufferLen;
if (g_debugMode) PrintAndLog("Error gProxII_Demod");
return 0;
}
- //got a good demod
- uint32_t ByteStream[65] = {0x00};
+ //got a good demod of 96 bits
+ uint8_t ByteStream[8] = {0x00};
uint8_t xorKey=0;
- uint8_t keyCnt=0;
- uint8_t bitCnt=0;
- uint8_t ByteCnt=0;
- size_t startIdx = ans + 6; //start after preamble
- for (size_t idx = 0; idx<size-6; idx++){
- if ((idx+1) % 5 == 0){
- //spacer bit - should be 0
- if (DemodBuffer[startIdx+idx] != 0) {
- if (g_debugMode) PrintAndLog("Error spacer not 0: %u, pos: %u", (unsigned int)DemodBuffer[startIdx+idx],(unsigned int)(startIdx+idx));
- return 0;
- }
- continue;
- }
- if (keyCnt<8){ //lsb first
- xorKey = xorKey | (DemodBuffer[startIdx+idx]<<keyCnt);
- keyCnt++;
- if (keyCnt==8 && g_debugMode) PrintAndLog("xorKey Found: %02x", (unsigned int)xorKey);
- continue;
- }
- //lsb first
- ByteStream[ByteCnt] = ByteStream[ByteCnt] | (DemodBuffer[startIdx+idx]<<bitCnt);
- bitCnt++;
- if (bitCnt % 8 == 0){
- if (g_debugMode) PrintAndLog("byte %u: %02x", (unsigned int)ByteCnt, ByteStream[ByteCnt]);
- bitCnt=0;
- ByteCnt++;
- }
+ size_t startIdx = ans + 6; //start after 6 bit preamble
+
+ uint8_t bits_no_spacer[90];
+ //so as to not mess with raw DemodBuffer copy to a new sample array
+ memcpy(bits_no_spacer, DemodBuffer + startIdx, 90);
+ // remove the 18 (90/5=18) parity bits (down to 72 bits (96-6-18=72))
+ size_t bitLen = removeParity(bits_no_spacer, 0, 5, 3, 90); //source, startloc, paritylen, ptype, length_to_run
+ if (bitLen != 72) {
+ if (g_debugMode) PrintAndLog("Error gProxII: spacer removal did not produce 72 bits: %u, start: %u", bitLen, startIdx);
+ return 0;
}
- for (uint8_t i = 0; i < ByteCnt; i++){
- ByteStream[i] ^= xorKey; //xor
- if (g_debugMode) PrintAndLog("byte %u after xor: %02x", (unsigned int)i, ByteStream[i]);
+ // get key and then get all 8 bytes of payload decoded
+ xorKey = (uint8_t)bytebits_to_byteLSBF(bits_no_spacer, 8);
+ for (size_t idx = 0; idx < 8; idx++) {
+ ByteStream[idx] = ((uint8_t)bytebits_to_byteLSBF(bits_no_spacer+8 + (idx*8),8)) ^ xorKey;
+ if (g_debugMode) PrintAndLog("byte %u after xor: %02x", (unsigned int)idx, ByteStream[idx]);
}
- //now ByteStream contains 64 bytes of decrypted raw tag data
+ //now ByteStream contains 8 Bytes (64 bits) of decrypted raw tag data
//
uint8_t fmtLen = ByteStream[0]>>2;
uint32_t FC = 0;
uint32_t Card = 0;
+ //get raw 96 bits to print
uint32_t raw1 = bytebits_to_byte(DemodBuffer+ans,32);
uint32_t raw2 = bytebits_to_byte(DemodBuffer+ans+32, 32);
uint32_t raw3 = bytebits_to_byte(DemodBuffer+ans+64, 32);
if (fmtLen==36){
FC = ((ByteStream[3] & 0x7F)<<7) | (ByteStream[4]>>1);
Card = ((ByteStream[4]&1)<<19) | (ByteStream[5]<<11) | (ByteStream[6]<<3) | (ByteStream[7]>>5);
- PrintAndLog("G-Prox-II Found: FmtLen %d, FC %d, Card %d", fmtLen, FC, Card);
+ PrintAndLog("G-Prox-II Found: FmtLen %d, FC %u, Card %u", (int)fmtLen, FC, Card);
} else if(fmtLen==26){
FC = ((ByteStream[3] & 0x7F)<<1) | (ByteStream[4]>>7);
Card = ((ByteStream[4]&0x7F)<<9) | (ByteStream[5]<<1) | (ByteStream[6]>>7);
- PrintAndLog("G-Prox-II Found: FmtLen %d, FC %d, Card %d",(unsigned int)fmtLen,FC,Card);
+ PrintAndLog("G-Prox-II Found: FmtLen %d, FC %u, Card %u", (int)fmtLen, FC, Card);
} else {
PrintAndLog("Unknown G-Prox-II Fmt Found: FmtLen %d",(int)fmtLen);
+ PrintAndLog("Decoded Raw: %s", sprint_hex(ByteStream, 8));
}
PrintAndLog("Raw: %08x%08x%08x", raw1,raw2,raw3);
setDemodBuf(DemodBuffer+ans, 96, 0);
uint8_t factor = param_get8ex(Cmd, 0,2, 10);
//We have memory, don't we?
int swap[MAX_GRAPH_TRACE_LEN] = { 0 };
- uint32_t g_index = 0 ,s_index = 0;
- while(g_index < GraphTraceLen && s_index < MAX_GRAPH_TRACE_LEN)
+ uint32_t g_index = 0, s_index = 0;
+ while(g_index < GraphTraceLen && s_index + factor < MAX_GRAPH_TRACE_LEN)
{
int count = 0;
- for(count = 0; count < factor && s_index+count < MAX_GRAPH_TRACE_LEN; count ++)
+ for(count = 0; count < factor && s_index + count < MAX_GRAPH_TRACE_LEN; count++)
swap[s_index+count] = GraphBuffer[g_index];
- s_index+=count;
+
+ s_index += count;
+ g_index++;
}
- memcpy(GraphBuffer,swap, s_index * sizeof(int));
+ memcpy(GraphBuffer, swap, s_index * sizeof(int));
GraphTraceLen = s_index;
RepaintGraphWindow();
return 0;
int CmdAskEdgeDetect(const char *Cmd)
{
int thresLen = 25;
+ int Last = 0;
sscanf(Cmd, "%i", &thresLen);
for(int i = 1; i<GraphTraceLen; i++){
if (GraphBuffer[i]-GraphBuffer[i-1]>=thresLen) //large jump up
- GraphBuffer[i-1] = 127;
+ Last = 127;
else if(GraphBuffer[i]-GraphBuffer[i-1]<=-1*thresLen) //large jump down
- GraphBuffer[i-1] = -127;
+ Last = -127;
+ GraphBuffer[i-1] = Last;
}
RepaintGraphWindow();
return 0;
//get binary from fsk wave
int idx = AWIDdemodFSK(BitStream, &size);
if (idx<=0){
- if (g_debugMode==1){
+ if (g_debugMode){
if (idx == -1)
PrintAndLog("DEBUG: Error - not enough samples");
else if (idx == -2)
size = removeParity(BitStream, idx+8, 4, 1, 88);
if (size != 66){
- if (g_debugMode==1) PrintAndLog("DEBUG: Error - at parity check-tag size does not match AWID format");
+ if (g_debugMode) PrintAndLog("DEBUG: Error - at parity check-tag size does not match AWID format");
return 0;
}
// ok valid card found!
//get binary from fsk wave
int idx = PyramiddemodFSK(BitStream, &size);
if (idx < 0){
- if (g_debugMode==1){
+ if (g_debugMode){
if (idx == -5)
PrintAndLog("DEBUG: Error - not enough samples");
else if (idx == -1)
size = removeParity(BitStream, idx+8, 8, 1, 120);
if (size != 105){
- if (g_debugMode==1)
+ if (g_debugMode)
PrintAndLog("DEBUG: Error at parity check - tag size does not match Pyramid format, SIZE: %d, IDX: %d, hi3: %x",size, idx, rawHi3);
return 0;
}
}
if (!ans){
- if (g_debugMode==1)
+ if (g_debugMode)
PrintAndLog("Error1: %d",ans);
return 0;
}
uint8_t invert=0;
size_t size = DemodBufferLen;
- size_t startIdx = indala26decode(DemodBuffer, &size, &invert);
- if (startIdx < 1 || size > 224) {
- if (g_debugMode==1)
+ int startIdx = indala26decode(DemodBuffer, &size, &invert);
+ if (startIdx < 0 || size > 224) {
+ if (g_debugMode)
PrintAndLog("Error2: %d",ans);
return -1;
}
- setDemodBuf(DemodBuffer, size, startIdx);
+ setDemodBuf(DemodBuffer, size, (size_t)startIdx);
if (invert)
- if (g_debugMode==1)
+ if (g_debugMode)
PrintAndLog("Had to invert bits");
PrintAndLog("BitLen: %d",DemodBufferLen);
int CmdTuneSamples(const char *Cmd)
{
- int timeout = 0;
+ int timeout = 0, arg = FLAG_TUNE_ALL;
+
+ if(*Cmd == 'l') {
+ arg = FLAG_TUNE_LF;
+ } else if (*Cmd == 'h') {
+ arg = FLAG_TUNE_HF;
+ } else if (*Cmd != '\0') {
+ PrintAndLog("use 'tune' or 'tune l' or 'tune h'");
+ return 0;
+ }
+
printf("\nMeasuring antenna characteristics, please wait...");
- UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING};
+ UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING, {arg, 0, 0}};
SendCommand(&c);
UsbCommand resp;
return 0;
}
- int usage_data_hex2bin(){
-
- PrintAndLog("Usage: data bin2hex <binary_digits>");
+ int usage_data_hex2bin() {
+ PrintAndLog("Usage: data hex2bin <hex_digits>");
PrintAndLog(" This function will ignore all non-hexadecimal characters (but stop reading on whitespace)");
return 0;
projects / proxmark3-svn / commitdiff