Merge remote-tracking branch 'upstream/master'
authormarshmellow42 <marshmellowrf@gmail.com>
Wed, 4 Nov 2015 01:19:46 +0000 (20:19 -0500)
committermarshmellow42 <marshmellowrf@gmail.com>
Wed, 4 Nov 2015 01:19:46 +0000 (20:19 -0500)
CHANGELOG.md
armsrc/BigBuf.c
armsrc/Makefile
armsrc/appmain.c
armsrc/apps.h
common/protocols.h
include/usb_cmd.h

diff --combined CHANGELOG.md
index 2816084b0c146d14d5509a12d4153a575761473b,80c16ffaba1a703771faeeec6da6fa9e71901092..163bc42ae73d25759b256898bf431f2300eb954f
@@@ -5,9 -5,6 +5,9 @@@ This project uses the changelog in acco
  ## [unreleased][unreleased]
  
  ### Added
 +- `lf t55xx resetread` added reset then read command - should allow determining start
 +of stream transmissions (marshmellow)
 +- `lf t55xx wakeup` added wake with password (AOR) to allow lf search or standard lf read after (iceman, marshmellow)
  - `hf iclass managekeys` to save, load and manage iclass keys.  (adjusted most commands to accept a loaded key in memory) (marshmellow)
  - `hf iclass readblk` to select, authenticate, and read 1 block from an iclass card (marshmellow)
  - `hf iclass writeblk` to select, authenticate, and write 1 block to an iclass card (or picopass) (marshmellow + others)
  - Added 'hw status'. This command makes the ARM print out some runtime information. (holiman) 
  - Added 'hw ping'. This command just sends a usb packets and checks if the pm3 is responsive. Can be used to abort certain operations which supports abort over usb. (holiman)
  - Added `data hex2bin` and `data bin2hex` for command line conversion between binary and hexadecimal (holiman)
+ - Added 'hf snoop'. This command take digitalized signal from FPGA and put in BigBuffer. (pwpiwi + enio)
+ - Added Topaz (NFC type 1) protocol support ('hf topaz reader', 'hf list topaz', 'hf 14a raw -T', 'hf topaz snoop'). (piwi)
+ - Added option c to 'hf list' (mark CRC bytes) (piwi)
  
  ### Changed
 +- Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow)
 +- Adjusted lf t55xx write input variables (marshmellow)
 +- Adjusted lf t55xx read with password safety check and warning text and adjusted the input variables (marshmellow & iceman)
 +- Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate.
 +- Adjusted timings for t55xx commands.  more reliable now. (marshmellow & iceman)
 +- `lf cmdread` adjusted input methods and added help text (marshmellow & iceman)
  - changed `lf config t <threshold>` to be 0 - 128 and will trigger on + or - threshold value (marshmellow) 
  - `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to muliple pages for the larger tags yet)
  - Revised workflow for StandAloneMode14a (Craig Young)
diff --combined armsrc/BigBuf.c
index 56259e68577a8070b88f4cb7ff2198c4fc7b4846,6b52a5894545beaa352273aeea608945a6ada7b0..8f9ee4beb7a2e58a02b35996d7645575cc1f7abb
@@@ -50,15 -50,9 +50,15 @@@ uint8_t *BigBuf_get_EM_addr(void
  
  // clear ALL of BigBuf
  void BigBuf_Clear(void)
 +{
 +      BigBuf_Clear_ext(true);
 +}
 +// clear ALL of BigBuf
 +void BigBuf_Clear_ext(bool verbose)
  {
        memset(BigBuf,0,BIGBUF_SIZE);
 -      Dbprintf("Buffer cleared (%i bytes)",BIGBUF_SIZE);
 +      if (verbose) 
 +              Dbprintf("Buffer cleared (%i bytes)",BIGBUF_SIZE);
  }
  
  
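Review bot: `BigBuf_Clear_ext` carries a copy of the `// clear ALL of BigBuf` comment, which says nothing about `verbose`, and the `if (verbose)` body is unbraced. I would write the comment as `// clear ALL of BigBuf; print the byte count via Dbprintf only when verbose is true` and put braces around the `Dbprintf` call. `BigBuf_Clear` now calls `BigBuf_Clear_ext` above its definition, so this relies on a prototype in a header that is not visible in this hunk.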
@@@ -184,8 -178,12 +184,12 @@@ bool RAMFUNC LogTrace(const uint8_t *bt
        traceLen += iLen;
  
        // parity bytes
-       if (parity != NULL && iLen != 0) {
-               memcpy(trace + traceLen, parity, num_paritybytes);
+       if (iLen != 0) {
+               if (parity != NULL) {
+                       memcpy(trace + traceLen, parity, num_paritybytes);
+               } else {
+                       memset(trace + traceLen, 0x00, num_paritybytes);
+               }
        }
        traceLen += num_paritybytes;
  
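Review bot: When `iLen` is 0 the new `if (iLen != 0)` block writes nothing, yet `traceLen += num_paritybytes;` still runs on the line after it, so any parity bytes counted for an empty frame keep whatever the trace buffer held before. How `num_paritybytes` is computed is outside this hunk, so this matters only if it can be non-zero for `iLen == 0`. Zero-filling whenever there is no parity to copy would close that gap: `if (parity != NULL && iLen != 0) { memcpy(trace + traceLen, parity, num_paritybytes); } else { memset(trace + traceLen, 0x00, num_paritybytes); }`. The capacity check for `trace + traceLen` is also outside the hunk, as `LogTrace` starts and ends beyond it.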
@@@ -234,6 -232,8 +238,8 @@@ int LogTraceHitag(const uint8_t * btByt
  
        return TRUE;
  }
  // Emulator memory
  uint8_t emlSet(uint8_t *data, uint32_t offset, uint32_t length){
        uint8_t* mem = BigBuf_get_EM_addr();
diff --combined armsrc/Makefile
index 81037bd4230eabb7ed1976a15c811f558a2a63df,3c6c14c64305a05ce5d561e9bda8de9ff8ef78e6..69ea23006c54c4a8008880179bc8c9d67628a63c
@@@ -10,12 -10,12 +10,12 @@@ APP_INCLUDES = apps.
  
  #remove one of the following defines and comment out the relevant line
  #in the next section to remove that particular feature from compilation
- APP_CFLAGS    = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE \
+ APP_CFLAGS    = -DWITH_ISO14443a_StandAlone -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE -DWITH_HFSNOOP \
                                -fno-strict-aliasing -ffunction-sections -fdata-sections
  #-DWITH_LCD
  
  #SRC_LCD = fonts.c LCD.c
 -SRC_LF = lfops.c hitag2.c lfsampling.c
 +SRC_LF = lfops.c hitag2.c lfsampling.c pcf7931.c lfdemod.c protocols.c
  SRC_ISO15693 = iso15693.c iso15693tools.c
  SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c
  SRC_ISO14443b = iso14443b.c
@@@ -52,6 -52,7 +52,6 @@@ THUMBSRC = start.c 
  # These are to be compiled in ARM mode
  ARMSRC = fpgaloader.c \
        legicrf.c \
 -      lfdemod.c \
        $(SRC_ISO14443a) \
        $(SRC_ISO14443b) \
        $(SRC_CRAPTO1) \
@@@ -59,7 -60,8 +59,8 @@@
        legic_prng.c \
        iclass.c \
        BigBuf.c \
-       optimized_cipher.c
+       optimized_cipher.c \
+       hfsnoop.c
  
  # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
  include ../common/Makefile.common
diff --combined armsrc/appmain.c
index b161043ffabead4c400ef96750fc90b600b15979,8c2aefbbaf3ce7c9eb9c0a5525737f95a827d768..e7324723f3049dc8ab3327f27d9f546f445827af
@@@ -26,7 -26,6 +26,7 @@@
  #include "lfsampling.h"
  #include "BigBuf.h"
  #include "mifareutil.h"
 +#include "pcf7931.h"
  #ifdef WITH_LCD
   #include "LCD.h"
  #endif
@@@ -946,7 -945,7 +946,7 @@@ void UsbPacketReceived(uint8_t *packet
                        CmdIOdemodFSK(c->arg[0], 0, 0, 1);
                        break;
                case CMD_IO_CLONE_TAG:
 -                      CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]);
 +                      CopyIOtoT55x7(c->arg[0], c->arg[1]);
                        break;
                case CMD_EM410X_DEMOD:
                        CmdEM410xdemod(c->arg[0], 0, 0, 1);
                        CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
                        break;
                case CMD_T55XX_READ_BLOCK:
 -                      T55xxReadBlock(c->arg[1], c->arg[2],c->d.asBytes[0]);
 +                      T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
                        break;
                case CMD_T55XX_WRITE_BLOCK:
                        T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
 -                      cmd_send(CMD_ACK,0,0,0,0,0);
                        break;
 -              case CMD_T55XX_READ_TRACE:
 -                      T55xxReadTrace();
 +              case CMD_T55XX_WAKEUP:
 +                      T55xxWakeUp(c->arg[0]);
 +                      break;
 +              case CMD_T55XX_RESET_READ:
 +                      T55xxResetRead();
                        break;
                case CMD_PCF7931_READ:
                        ReadPCF7931();
 -                      cmd_send(CMD_ACK,0,0,0,0,0);
                        break;
                case CMD_PCF7931_WRITE:
 -                      WritePCF7931(c->d.asDwords[0],c->d.asDwords[1],c->d.asDwords[2],c->d.asDwords[3],c->d.asDwords[4],c->d.asDwords[5],c->d.asDwords[6], c->d.asDwords[9], c->d.asDwords[7]-128,c->d.asDwords[8]-128, c->arg[0], c->arg[1], c->arg[2]);
 +                      WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
                        break;
                case CMD_EM4X_READ_WORD:
                        EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
                        break;
                case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
                        CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
 -                        break;
 +                      break;
  #endif
  
  #ifdef WITH_HITAG
                        iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
                        break;
  #endif
+ #ifdef WITH_HFSNOOP
+               case CMD_HF_SNIFFER:
+                       HfSnoop(c->arg[0], c->arg[1]);
+                       break;
+ #endif
  
                case CMD_BUFF_CLEAR:
                        BigBuf_Clear();
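Review bot: The new call `T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2])` passes host-supplied USB arguments into parameters that apps.h in this same commit declares as `uint16_t`, `uint8_t` and `uint32_t`, so any higher bits are dropped silently and an out-of-range block number wraps instead of being rejected. The width of `c->arg[]` is not visible here; if it is wider than the parameters, a check ahead of the call such as `if (c->arg[1] > 0xFF) break;` (or an error reply to the host) makes the limit explicit. The same applies to `HfSnoop(c->arg[0], c->arg[1])`, whose parameters are plain `int`. `UsbPacketReceived` starts and ends outside this section.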
@@@ -1340,7 -1343,7 +1345,7 @@@ void  __attribute__((noreturn)) AppMain
        AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
        // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
        AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
-               AT91C_PMC_PRES_CLK_4;
+               AT91C_PMC_PRES_CLK_4; //  4 for 24Mhz pck0, 2 for 48 MHZ pck0
        AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
  
        // Reset SPI
diff --combined armsrc/apps.h
index 563ab3b5023d1bf301154a58c71205203b0c84c4,2cfd31d73420ff1ac58f675743fb66d482615357..4f3b50c6171ef99b6184c95505cae602fd2622cf
@@@ -58,7 -58,7 +58,7 @@@ extern uint8_t bits_per_sample 
  extern bool averaging;
  
  void AcquireRawAdcSamples125k(int divisor);
 -void ModThenAcquireRawAdcSamples125k(int delay_off,int period_0,int period_1,uint8_t *command);
 +void ModThenAcquireRawAdcSamples125k(uint32_t delay_off, uint32_t period_0, uint32_t period_1, uint8_t *command);
  void ReadTItag(void);
  void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc);
  
@@@ -73,18 -73,24 +73,18 @@@ void CmdHIDdemodFSK(int findone, int *h
  void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26
  void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol);
  void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
 -void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an ioProx card to T5557/T5567
 +void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567
  void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
  void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
  void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
 -void CopyIndala64toT55x7(int hi, int lo); // Clone Indala 64-bit tag by UID to T55x7
 -void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7); // Clone Indala 224-bit tag by UID to T55x7
 +void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
 +void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
 +void T55xxResetRead(void);
  void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode);
 -void T55xxReadBlock(uint32_t Block, uint32_t Pwd, uint8_t PwdMode );
 -void T55xxReadTrace(void);
 -int DemodPCF7931(uint8_t **outBlocks);
 -int IsBlock0PCF7931(uint8_t *Block);
 -int IsBlock1PCF7931(uint8_t *Block);
 -void ReadPCF7931();
 -void SendCmdPCF7931(uint32_t * tab);
 -bool AddBytePCF7931(uint8_t byte, uint32_t * tab, int32_t l, int32_t p);
 -bool AddBitPCF7931(bool b, uint32_t * tab, int32_t l, int32_t p);
 -bool AddPatternPCF7931(uint32_t a, uint32_t b, uint32_t c, uint32_t * tab);
 -void WritePCF7931(uint8_t pass1, uint8_t pass2, uint8_t pass3, uint8_t pass4, uint8_t pass5, uint8_t pass6, uint8_t pass7, uint16_t init_delay, int32_t l, int32_t p, uint8_t address, uint8_t byte, uint8_t data);
 +void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd);
 +void T55xxWakeUp(uint32_t Pwd);
 +void TurnReadLFOn();
 +//void T55xxReadTrace(void);
  void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
  void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
  
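Review bot: `void TurnReadLFOn();` declares a function with unspecified parameters rather than none, so the compiler will not reject a call that passes arguments; the neighbouring `void T55xxResetRead(void);` shows the form to use, `void TurnReadLFOn(void);`. The line `//void T55xxReadTrace(void);` is commented-out code and can be deleted, since the matching command is removed in the same commit. The first parameter of `T55xxReadBlock` is named `arg0`, which gives a caller no hint of its meaning; a short comment on that prototype describing what it carries would help.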
@@@ -183,5 -189,6 +183,6 @@@ bool cmd_receive(UsbCommand* cmd)
  bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len);
  
  /// util.h
+ void HfSnoop(int , int);
  
  #endif
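Review bot: `void HfSnoop(int , int);` leaves both parameters unnamed and signed, although the other prototypes touched in this commit were moved from `int` to `uint32_t`, and it is placed under the `/// util.h` heading where it does not belong. The caller in appmain.c feeds it values taken from the USB command, so unsigned, named parameters would document the contract and rule out negative counts. The definition in hfsnoop.c is not visible here and would need the same change; with placeholder names the prototype would read `void HfSnoop(uint32_t arg0, uint32_t arg1);`.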
diff --combined common/protocols.h
index d8daa8dacb8f8ef167227a1c84f0fbe52f2e9fd1,dd023bb8f403b4c19e6491adeb33049a719ef183..cdcf720b8b2546dfbd80fbe99d5f7335d0cd1bfc
@@@ -180,9 -180,25 +180,25 @@@ NXP/Philips CUSTOM COMMAND
  #define ISO15693_READ_MULTI_SECSTATUS 0x2C
  
  
- #define ISO_14443A 0
- #define ICLASS     1
- #define ISO_14443B 2
+ // Topaz command set:
+ #define       TOPAZ_REQA                                              0x26    // Request
+ #define       TOPAZ_WUPA                                              0x52    // WakeUp
+ #define       TOPAZ_RID                                               0x78    // Read ID
+ #define       TOPAZ_RALL                                              0x00    // Read All (all bytes)
+ #define       TOPAZ_READ                                              0x01    // Read (a single byte)
+ #define       TOPAZ_WRITE_E                                   0x53    // Write-with-erase (a single byte)
+ #define       TOPAZ_WRITE_NE                                  0x1a    // Write-no-erase (a single byte)
+ // additional commands for Dynamic Memory Model
+ #define TOPAZ_RSEG                                            0x10    // Read segment
+ #define TOPAZ_READ8                                           0x02    // Read (eight bytes)
+ #define TOPAZ_WRITE_E8                                        0x54    // Write-with-erase (eight bytes)
+ #define TOPAZ_WRITE_NE8                                       0x1B    // Write-no-erase (eight bytes)
+ #define ISO_14443A    0
+ #define ICLASS                1
+ #define ISO_14443B    2
+ #define TOPAZ         3
  
  //-- Picopass fuses
  #define FUSE_FPERS   0x80
  #define FUSE_FPROD0  0x02
  #define FUSE_RA      0x01
  
 -
  void printIclassDumpInfo(uint8_t* iclass_dump);
  void getMemConfig(uint8_t mem_cfg, uint8_t chip_cfg, uint8_t *max_blk, uint8_t *app_areas, uint8_t *kb);
  
 -#endif // PROTOCOLS_H
 +/* T55x7 configuration register definitions */
 +#define T55x7_POR_DELAY             0x00000001
 +#define T55x7_ST_TERMINATOR         0x00000008
 +#define T55x7_PWD                   0x00000010
 +#define T55x7_MAXBLOCK_SHIFT        5
 +#define T55x7_AOR                   0x00000200
 +#define T55x7_PSKCF_RF_2            0
 +#define T55x7_PSKCF_RF_4            0x00000400
 +#define T55x7_PSKCF_RF_8            0x00000800
 +#define T55x7_MODULATION_DIRECT     0
 +#define T55x7_MODULATION_PSK1       0x00001000
 +#define T55x7_MODULATION_PSK2       0x00002000
 +#define T55x7_MODULATION_PSK3       0x00003000
 +#define T55x7_MODULATION_FSK1       0x00004000
 +#define T55x7_MODULATION_FSK2       0x00005000
 +#define T55x7_MODULATION_FSK1a      0x00006000
 +#define T55x7_MODULATION_FSK2a      0x00007000
 +#define T55x7_MODULATION_MANCHESTER 0x00008000
 +#define T55x7_MODULATION_BIPHASE    0x00010000
 +#define T55x7_MODULATION_DIPHASE    0x00018000
 +#define T55x7_BITRATE_RF_8          0
 +#define T55x7_BITRATE_RF_16         0x00040000
 +#define T55x7_BITRATE_RF_32         0x00080000
 +#define T55x7_BITRATE_RF_40         0x000C0000
 +#define T55x7_BITRATE_RF_50         0x00100000
 +#define T55x7_BITRATE_RF_64         0x00140000
 +#define T55x7_BITRATE_RF_100        0x00180000
 +#define T55x7_BITRATE_RF_128        0x001C0000
 +
 +/* T5555 (Q5) configuration register definitions */
 +#define T5555_ST_TERMINATOR         0x00000001
 +#define T5555_MAXBLOCK_SHIFT        0x00000001
 +#define T5555_MODULATION_MANCHESTER 0
 +#define T5555_MODULATION_PSK1       0x00000010
 +#define T5555_MODULATION_PSK2       0x00000020
 +#define T5555_MODULATION_PSK3       0x00000030
 +#define T5555_MODULATION_FSK1       0x00000040
 +#define T5555_MODULATION_FSK2       0x00000050
 +#define T5555_MODULATION_BIPHASE    0x00000060
 +#define T5555_MODULATION_DIRECT     0x00000070
 +#define T5555_INVERT_OUTPUT         0x00000080
 +#define T5555_PSK_RF_2              0
 +#define T5555_PSK_RF_4              0x00000100
 +#define T5555_PSK_RF_8              0x00000200
 +#define T5555_USE_PWD               0x00000400
 +#define T5555_USE_AOR               0x00000800
 +#define T5555_BITRATE_SHIFT         12 //(RF=2n+2)   ie 64=2*0x1F+2   or n = (RF-2)/2
 +#define T5555_FAST_WRITE            0x00004000
 +#define T5555_PAGE_SELECT           0x00008000
 +
 +uint32_t GetT55xxClockBit(uint32_t clock);
 +
 +#endif 
 +// PROTOCOLS_H
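Review bot: `T5555_MAXBLOCK_SHIFT` is written as `0x00000001`, the same notation and value as the bit mask `T5555_ST_TERMINATOR` directly above it, while `T55x7_MAXBLOCK_SHIFT` and `T5555_BITRATE_SHIFT` are plain decimal shift counts. A reader could OR it into a configuration word as if it were a flag and set the terminator bit by mistake. I would write it as `#define T5555_MAXBLOCK_SHIFT        1` and add a comment on both `_SHIFT` groups such as `// shift count, not a mask: use (maxblock << T5555_MAXBLOCK_SHIFT)`. The include-guard comment has also been split onto its own line after `#endif`; `#endif // PROTOCOLS_H` on one line keeps it attached.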
diff --combined include/usb_cmd.h
index 3b6cb291ac6c84d66a3f8bca349103bb0fbe6576,88e2afe3c1e0a5fee8ecf6bf2d0aa6b11e448b5a..b8a1296640f9319ed6231f7021be54fe19231dbb
@@@ -85,7 -85,7 +85,7 @@@ typedef struct
  #define CMD_INDALA_CLONE_TAG_L                                            0x0213
  #define CMD_T55XX_READ_BLOCK                                              0x0214
  #define CMD_T55XX_WRITE_BLOCK                                             0x0215
 -#define CMD_T55XX_READ_TRACE                                              0x0216
 +#define CMD_T55XX_RESET_READ                                              0x0216
  #define CMD_PCF7931_READ                                                  0x0217
  #define CMD_PCF7931_WRITE                                                 0x0222
  #define CMD_EM4X_READ_WORD                                                0x0218
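Review bot: Opcode `0x0216` keeps its value but changes meaning from `CMD_T55XX_READ_TRACE` to `CMD_T55XX_RESET_READ`, so a host client built against the old header would trigger a reset-read where it expects a trace read. Whether client and firmware versions are checked against each other is not visible in this commit. If they are not, giving the new command an unused value and leaving `0x0216` retired avoids the silent mismatch. At minimum a comment such as `// 0x0216 was CMD_T55XX_READ_TRACE; client and firmware must be updated together` records the reuse.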
@@@ -99,7 -99,6 +99,7 @@@
  #define CMD_ASK_SIM_TAG                                                   0x021F
  #define CMD_PSK_SIM_TAG                                                   0x0220
  #define CMD_AWID_DEMOD_FSK                                                0x0221
 +#define CMD_T55XX_WAKEUP                                                  0x0224
  
  
  /* CMD_SET_ADC_MUX: ext1 is 0 for lopkd, 1 for loraw, 2 for hipkd, 3 for hiraw */
  #define CMD_MIFARE_DESFIRE_INFO                                           0x072d
  #define CMD_MIFARE_DESFIRE                                                0x072e
  
+ #define CMD_HF_SNIFFER                                                    0x0800
  #define CMD_UNKNOWN                                                       0xFFFF
  
  