From: Iceman Date: Fri, 12 Aug 2016 11:55:09 +0000 (+0200) Subject: Merge pull request #185 from marshmellow42/master X-Git-Tag: v3.0.0~87 X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/7669409547dcf1148a9651a7a911076a103a6691?hp=-c Merge pull request #185 from marshmellow42/master some lf fixes and hf mf sim attack mode add-ons --- 7669409547dcf1148a9651a7a911076a103a6691 diff --combined CHANGELOG.md index 57fb549a,b50083ab..4b09e461 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@@ -5,6 -5,8 +5,8 @@@ This project uses the changelog in acco ## [unreleased][unreleased] ### Added + - Added lf pyramid commands (iceman) + - Added lf presco commands - some bits not fully understood... (iceman) - Added experimental HitagS support (Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg) see https://media.ccc.de/v/32c3-7166-sicherheit_von_125khz_transpondern_am_beispiel_hitag_s English video available @@@ -16,8 -18,7 +18,7 @@@ - `lf t55xx wipe` - sets t55xx back to factory defaults - Added viking demod to `lf search` (marshmellow) - `data askvikingdemod` demod viking id tag from graphbuffer (marshmellow) - - `lf t55xx resetread` added reset then read command - should allow determining start - of stream transmissions (marshmellow) + - `lf t55xx resetread` added reset then read command - should allow determining start of stream transmissions (marshmellow) - `lf t55xx wakeup` added wake with password (AOR) to allow lf search or standard lf read after (iceman, marshmellow) - `hf iclass managekeys` to save, load and manage iclass keys. (adjusted most commands to accept a loaded key in memory) (marshmellow) - `hf iclass readblk` to select, authenticate, and read 1 block from an iclass card (marshmellow) @@@ -33,24 -34,31 +34,32 @@@ - Added 'hf snoop'. This command take digitalized signal from FPGA and put in BigBuffer. (pwpiwi + enio) - Added Topaz (NFC type 1) protocol support ('hf topaz reader', 'hf list topaz', 'hf 14a raw -T', 'hf topaz snoop'). (piwi) - Added option c to 'hf list' (mark CRC bytes) (piwi) +- Added option `l` or `h` to `hw tune` to save time and unnecessary fpga writes if you are only interested in lf or hf. ### Changed - - Added `[l] ` option to data printdemodbuffer - - Adjusted lf awid clone to optionally clone to Q5 tags - - Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7 - - Adjusted all lf NRZ demods - works more accurately and consistently (as long as you have strong signal) - - Adjusted lf pskindalademod to reduce false positive reads. - - Small adjustments to psk, nrz, and ask clock detect routines - more reliable. - - Adjusted lf em410x em410xsim to accept a clock argument + - Fixed bug in lf biphase sim - `lf simask b` (and any tagtype that relies on it - gproxii...) (marshmellow) + - Fixed bug in lf viking clone/sim (iceman) + - Fixed broken `data askedgedetect` (marshmellow) + - Adjusted hf mf sim command (marshmellow) + added auto run mfkey32 to extract all keys + also added f parameter to allow attacking with UIDs from a file (implies x and i parameters) + also added e parameter to allow adding the extracted keys to emulator memory for the next simulation + added 10 byte uid option + - Added `[l] ` option to data printdemodbuffer (marshmellow) + - Adjusted lf awid clone to optionally clone to Q5 tags (marshmellow) + - Adjusted lf t55xx detect to find Q5 tags (t5555) instead of just t55x7 (marshmellow) + - Adjusted all lf NRZ demods - works more accurately and consistently (as long as you have strong signal) (marshmellow) + - Adjusted lf pskindalademod to reduce false positive reads. (marshmellow) + - Small adjustments to psk, nrz, and ask clock detect routines - more reliable. (marshmellow) + - Adjusted lf em410x em410xsim to accept a clock argument (marshmellow) - Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow) - Adjusted lf t55xx write input variables (marshmellow) - Adjusted lf t55xx read with password safety check and warning text and adjusted the input variables (marshmellow & iceman) - - Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate. + - Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate. (marshmellow) - Adjusted timings for t55xx commands. more reliable now. (marshmellow & iceman) - `lf cmdread` adjusted input methods and added help text (marshmellow & iceman) - changed `lf config t ` to be 0 - 128 and will trigger on + or - threshold value (marshmellow) - - `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to multiple pages for the larger tags yet) + - `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to multiple pages for the larger tags yet) (marshmellow) - Revised workflow for StandAloneMode14a (Craig Young) - EPA functions (`hf epa`) now support both ISO 14443-A and 14443-B cards (frederikmoellers) - 'hw version' only talks to ARM at startup, after that the info is cached. (pwpiwi) diff --combined armsrc/appmain.c index eded359e,ffe6b7f2..aaa41f4a --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@@ -37,8 -37,6 +37,6 @@@ #include "iso14443a.h" #endif - #define abs(x) ( ((x)<0) ? -(x) : (x) ) - //============================================================================= // A buffer where we can queue things up to be sent through the FPGA, for // any purpose (fake tag, as reader, whatever). We go MSB first, since that @@@ -182,9 -180,13 +180,9 @@@ int AvgAdc(int ch) // was static - merl return (a + 15) >> 5; } -void MeasureAntennaTuning(void) +void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[]) { - uint8_t LF_Results[256]; - int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0 - int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV - - LED_B_ON(); + int i, adcval = 0, peak = 0; /* * Sweeps the useful LF range of the proxmark from @@@ -194,67 -196,38 +192,67 @@@ * the resonating frequency of your LF antenna * ( hopefully around 95 if it is tuned to 125kHz!) */ - - FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); for (i=255; i>=19; i--) { - WDT_HIT(); + WDT_HIT(); FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i); SpinDelay(20); adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10); - if (i==95) vLf125 = adcval; // voltage at 125Khz - if (i==89) vLf134 = adcval; // voltage at 134Khz + if (i==95) *vLf125 = adcval; // voltage at 125Khz + if (i==89) *vLf134 = adcval; // voltage at 134Khz LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes if(LF_Results[i] > peak) { - peakv = adcval; + *peakv = adcval; peak = LF_Results[i]; - peakf = i; + *peakf = i; //ptr = i; } } for (i=18; i >= 0; i--) LF_Results[i] = 0; - - LED_A_ON(); + + return; +} + +void MeasureAntennaTuningHfOnly(int *vHf) +{ // Let the FPGA drive the high-frequency antenna around 13.56 MHz. - FpgaDownloadAndGo(FPGA_BITSTREAM_HF); + LED_A_ON(); + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); SpinDelay(20); - vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; + *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10; + LED_A_OFF(); + + return; +} + +void MeasureAntennaTuning(int mode) +{ + uint8_t LF_Results[256] = {0}; + int peakv = 0, peakf = 0; + int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV + + LED_B_ON(); + + if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) { + // Reverse "standard" order if HF already loaded, to avoid unnecessary swap. + MeasureAntennaTuningHfOnly(&vHf); + MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results); + } else { + if (mode & FLAG_TUNE_LF) { + MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results); + } + if (mode & FLAG_TUNE_HF) { + MeasureAntennaTuningHfOnly(&vHf); + } + } cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - LED_A_OFF(); LED_B_OFF(); return; } @@@ -867,7 -840,7 +865,7 @@@ void ListenReaderField(int limit if (limit != HF_ONLY) { if(mode == 1) { - if (abs(lf_av - lf_baseline) > REPORT_CHANGE) + if (ABS(lf_av - lf_baseline) > REPORT_CHANGE) LED_D_ON(); else LED_D_OFF(); @@@ -875,7 -848,7 +873,7 @@@ lf_av_new = AvgAdc(ADC_CHAN_LF); // see if there's a significant change - if(abs(lf_av - lf_av_new) > REPORT_CHANGE) { + if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) { Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10); lf_av = lf_av_new; if (lf_av > lf_max) @@@ -885,7 -858,7 +883,7 @@@ if (limit != LF_ONLY) { if (mode == 1){ - if (abs(hf_av - hf_baseline) > REPORT_CHANGE) + if (ABS(hf_av - hf_baseline) > REPORT_CHANGE) LED_B_ON(); else LED_B_OFF(); @@@ -893,7 -866,7 +891,7 @@@ hf_av_new = AvgAdc(ADC_CHAN_HF); // see if there's a significant change - if(abs(hf_av - hf_av_new) > REPORT_CHANGE) { + if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) { Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10); hf_av = hf_av_new; if (hf_av > hf_max) @@@ -1256,7 -1229,7 +1254,7 @@@ void UsbPacketReceived(uint8_t *packet break; case CMD_MEASURE_ANTENNA_TUNING: - MeasureAntennaTuning(); + MeasureAntennaTuning(c->arg[0]); break; case CMD_MEASURE_ANTENNA_TUNING_HF: diff --combined client/cmddata.c index 394dcbc2,ba161dd8..86dac423 --- a/client/cmddata.c +++ b/client/cmddata.c @@@ -8,23 -8,22 +8,22 @@@ // Data and Graph commands //----------------------------------------------------------------------------- - #include - #include - #include - #include - #include "proxmark3.h" - #include "data.h" - #include "ui.h" - #include "graph.h" - #include "cmdparser.h" + #include // also included in util.h + #include // also included in util.h + #include // for CmdNorm INT_MIN && INT_MAX + #include "data.h" // also included in util.h + #include "cmddata.h" #include "util.h" #include "cmdmain.h" - #include "cmddata.h" - #include "lfdemod.h" - #include "usb_cmd.h" - #include "crc.h" - #include "crc16.h" - #include "loclass/cipherutils.h" + #include "proxmark3.h" + #include "ui.h" // for show graph controls + #include "graph.h" // for graph data + #include "cmdparser.h"// already included in cmdmain.h + #include "usb_cmd.h" // already included in cmdmain.h and proxmark3.h + #include "lfdemod.h" // for demod code + #include "crc.h" // for pyramid checksum maxim + #include "crc16.h" // for FDXB demod checksum + #include "loclass/cipherutils.h" // for decimating samples in getsamples uint8_t DemodBuffer[MAX_DEMOD_BUF_LEN]; uint8_t g_debugMode=0; @@@ -592,7 -591,7 +591,7 @@@ int Cmdaskbiphdemod(const char *Cmd int CmdG_Prox_II_Demod(const char *Cmd) { if (!ASKbiphaseDemod(Cmd, FALSE)){ - if (g_debugMode) PrintAndLog("ASKbiphaseDemod failed 1st try"); + if (g_debugMode) PrintAndLog("Error gProxII: ASKbiphaseDemod failed 1st try"); return 0; } size_t size = DemodBufferLen; @@@ -602,46 -601,32 +601,32 @@@ if (g_debugMode) PrintAndLog("Error gProxII_Demod"); return 0; } - //got a good demod - uint32_t ByteStream[65] = {0x00}; + //got a good demod of 96 bits + uint8_t ByteStream[8] = {0x00}; uint8_t xorKey=0; - uint8_t keyCnt=0; - uint8_t bitCnt=0; - uint8_t ByteCnt=0; - size_t startIdx = ans + 6; //start after preamble - for (size_t idx = 0; idx>2; uint32_t FC = 0; uint32_t Card = 0; + //get raw 96 bits to print uint32_t raw1 = bytebits_to_byte(DemodBuffer+ans,32); uint32_t raw2 = bytebits_to_byte(DemodBuffer+ans+32, 32); uint32_t raw3 = bytebits_to_byte(DemodBuffer+ans+64, 32); @@@ -649,13 -634,14 +634,14 @@@ if (fmtLen==36){ FC = ((ByteStream[3] & 0x7F)<<7) | (ByteStream[4]>>1); Card = ((ByteStream[4]&1)<<19) | (ByteStream[5]<<11) | (ByteStream[6]<<3) | (ByteStream[7]>>5); - PrintAndLog("G-Prox-II Found: FmtLen %d, FC %d, Card %d", fmtLen, FC, Card); + PrintAndLog("G-Prox-II Found: FmtLen %d, FC %u, Card %u", (int)fmtLen, FC, Card); } else if(fmtLen==26){ FC = ((ByteStream[3] & 0x7F)<<1) | (ByteStream[4]>>7); Card = ((ByteStream[4]&0x7F)<<9) | (ByteStream[5]<<1) | (ByteStream[6]>>7); - PrintAndLog("G-Prox-II Found: FmtLen %d, FC %d, Card %d",(unsigned int)fmtLen,FC,Card); + PrintAndLog("G-Prox-II Found: FmtLen %d, FC %u, Card %u", (int)fmtLen, FC, Card); } else { PrintAndLog("Unknown G-Prox-II Fmt Found: FmtLen %d",(int)fmtLen); + PrintAndLog("Decoded Raw: %s", sprint_hex(ByteStream, 8)); } PrintAndLog("Raw: %08x%08x%08x", raw1,raw2,raw3); setDemodBuf(DemodBuffer+ans, 96, 0); @@@ -848,16 -834,18 +834,18 @@@ int CmdUndec(const char *Cmd uint8_t factor = param_get8ex(Cmd, 0,2, 10); //We have memory, don't we? int swap[MAX_GRAPH_TRACE_LEN] = { 0 }; - uint32_t g_index = 0 ,s_index = 0; - while(g_index < GraphTraceLen && s_index < MAX_GRAPH_TRACE_LEN) + uint32_t g_index = 0, s_index = 0; + while(g_index < GraphTraceLen && s_index + factor < MAX_GRAPH_TRACE_LEN) { int count = 0; - for(count = 0; count < factor && s_index+count < MAX_GRAPH_TRACE_LEN; count ++) + for(count = 0; count < factor && s_index + count < MAX_GRAPH_TRACE_LEN; count++) swap[s_index+count] = GraphBuffer[g_index]; - s_index+=count; + + s_index += count; + g_index++; } - memcpy(GraphBuffer,swap, s_index * sizeof(int)); + memcpy(GraphBuffer, swap, s_index * sizeof(int)); GraphTraceLen = s_index; RepaintGraphWindow(); return 0; @@@ -891,13 -879,15 +879,15 @@@ int CmdGraphShiftZero(const char *Cmd int CmdAskEdgeDetect(const char *Cmd) { int thresLen = 25; + int Last = 0; sscanf(Cmd, "%i", &thresLen); for(int i = 1; i=thresLen) //large jump up - GraphBuffer[i-1] = 127; + Last = 127; else if(GraphBuffer[i]-GraphBuffer[i-1]<=-1*thresLen) //large jump down - GraphBuffer[i-1] = -127; + Last = -127; + GraphBuffer[i-1] = Last; } RepaintGraphWindow(); return 0; @@@ -1276,7 -1266,7 +1266,7 @@@ int CmdFSKdemodAWID(const char *Cmd //get binary from fsk wave int idx = AWIDdemodFSK(BitStream, &size); if (idx<=0){ - if (g_debugMode==1){ + if (g_debugMode){ if (idx == -1) PrintAndLog("DEBUG: Error - not enough samples"); else if (idx == -2) @@@ -1314,7 -1304,7 +1304,7 @@@ size = removeParity(BitStream, idx+8, 4, 1, 88); if (size != 66){ - if (g_debugMode==1) PrintAndLog("DEBUG: Error - at parity check-tag size does not match AWID format"); + if (g_debugMode) PrintAndLog("DEBUG: Error - at parity check-tag size does not match AWID format"); return 0; } // ok valid card found! @@@ -1374,7 -1364,7 +1364,7 @@@ int CmdFSKdemodPyramid(const char *Cmd //get binary from fsk wave int idx = PyramiddemodFSK(BitStream, &size); if (idx < 0){ - if (g_debugMode==1){ + if (g_debugMode){ if (idx == -5) PrintAndLog("DEBUG: Error - not enough samples"); else if (idx == -1) @@@ -1430,7 -1420,7 +1420,7 @@@ size = removeParity(BitStream, idx+8, 8, 1, 120); if (size != 105){ - if (g_debugMode==1) + if (g_debugMode) PrintAndLog("DEBUG: Error at parity check - tag size does not match Pyramid format, SIZE: %d, IDX: %d, hi3: %x",size, idx, rawHi3); return 0; } @@@ -1653,21 -1643,21 +1643,21 @@@ int CmdIndalaDecode(const char *Cmd } if (!ans){ - if (g_debugMode==1) + if (g_debugMode) PrintAndLog("Error1: %d",ans); return 0; } uint8_t invert=0; size_t size = DemodBufferLen; - size_t startIdx = indala26decode(DemodBuffer, &size, &invert); - if (startIdx < 1 || size > 224) { - if (g_debugMode==1) + int startIdx = indala26decode(DemodBuffer, &size, &invert); + if (startIdx < 0 || size > 224) { + if (g_debugMode) PrintAndLog("Error2: %d",ans); return -1; } - setDemodBuf(DemodBuffer, size, startIdx); + setDemodBuf(DemodBuffer, size, (size_t)startIdx); if (invert) - if (g_debugMode==1) + if (g_debugMode) PrintAndLog("Had to invert bits"); PrintAndLog("BitLen: %d",DemodBufferLen); @@@ -2048,20 -2038,10 +2038,20 @@@ int CmdSamples(const char *Cmd int CmdTuneSamples(const char *Cmd) { - int timeout = 0; + int timeout = 0, arg = FLAG_TUNE_ALL; + + if(*Cmd == 'l') { + arg = FLAG_TUNE_LF; + } else if (*Cmd == 'h') { + arg = FLAG_TUNE_HF; + } else if (*Cmd != '\0') { + PrintAndLog("use 'tune' or 'tune l' or 'tune h'"); + return 0; + } + printf("\nMeasuring antenna characteristics, please wait..."); - UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING}; + UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING, {arg, 0, 0}}; SendCommand(&c); UsbCommand resp; @@@ -2344,9 -2324,8 +2334,8 @@@ int Cmdbin2hex(const char *Cmd return 0; } - int usage_data_hex2bin(){ - - PrintAndLog("Usage: data bin2hex "); + int usage_data_hex2bin() { + PrintAndLog("Usage: data hex2bin "); PrintAndLog(" This function will ignore all non-hexadecimal characters (but stop reading on whitespace)"); return 0; diff --combined include/usb_cmd.h index 6978a3ad,03a573d5..66e6cf91 --- a/include/usb_cmd.h +++ b/include/usb_cmd.h @@@ -212,10 -212,11 +212,11 @@@ typedef struct //Mifare simulation flags - #define FLAG_INTERACTIVE 0x01 - #define FLAG_4B_UID_IN_DATA 0x02 - #define FLAG_7B_UID_IN_DATA 0x04 - #define FLAG_NR_AR_ATTACK 0x08 + #define FLAG_INTERACTIVE 0x01 + #define FLAG_4B_UID_IN_DATA 0x02 + #define FLAG_7B_UID_IN_DATA 0x04 + #define FLAG_10B_UID_IN_DATA 0x08 + #define FLAG_NR_AR_ATTACK 0x10 //Iclass reader flags @@@ -228,11 -229,6 +229,11 @@@ #define FLAG_ICLASS_READER_CEDITKEY 0x40 +//hw tune args +#define FLAG_TUNE_LF 1 +#define FLAG_TUNE_HF 2 +#define FLAG_TUNE_ALL 3 + // CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions: /* Whether a bootloader that understands the common_area is present */