[proxmark3-svn] / client / cmdlfem4x.c

//-----------------------------------------------------------------------------
// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <string.h>
#include <inttypes.h>
#include "cmdlfem4x.h"

char *global_em410xId;

static int CmdHelp(const char *Cmd);

int CmdEMdemodASK(const char *Cmd)
{
	char cmdp = param_getchar(Cmd, 0);
	int findone = (cmdp == '1') ? 1 : 0;
	UsbCommand c={CMD_EM410X_DEMOD};
	c.arg[0]=findone;
	SendCommand(&c);
	return 0;
}

/* Read the ID of an EM410x tag.
 * Format:
 *   1111 1111 1           <-- standard non-repeatable header
 *   XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
 *   ....
 *   CCCC                  <-- each bit here is parity for the 10 bits above in corresponding column
 *   0                     <-- stop bit, end of tag
 */
int CmdEM410xRead(const char *Cmd)
{
	uint32_t hi=0;
	uint64_t lo=0;

	if(!AskEm410xDemod("", &hi, &lo, false)) return 0;
	PrintAndLog("EM410x pattern found: ");
	printEM410x(hi, lo);
	if (hi){
		PrintAndLog ("EM410x XL pattern found");
		return 0;
	}
	char id[12] = {0x00};
	//sprintf(id, "%010llx",lo);
	 sprintf(id, "%010"PRIu64, lo);	
	
	global_em410xId = id;
	return 1;
}

// emulate an EM410X tag
int CmdEM410xSim(const char *Cmd)
{
	int i, n, j, binary[4], parity[4];

	char cmdp = param_getchar(Cmd, 0);
	uint8_t uid[5] = {0x00};

	if (cmdp == 'h' || cmdp == 'H') {
		PrintAndLog("Usage:  lf em4x em410xsim <UID> <clock>");
		PrintAndLog("");
		PrintAndLog("     sample: lf em4x em410xsim 0F0368568B");
		return 0;
	}
	/* clock is 64 in EM410x tags */
	uint8_t clock = 64;

	if (param_gethex(Cmd, 0, uid, 10)) {
		PrintAndLog("UID must include 10 HEX symbols");
		return 0;
	}
	param_getdec(Cmd, 1, &clock);
	
	PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X  clock: %d", uid[0],uid[1],uid[2],uid[3],uid[4],clock);
	PrintAndLog("Press pm3-button to about simulation");


	/* clear our graph */
	ClearGraph(0);

		/* write 9 start bits */
		for (i = 0; i < 9; i++)
			AppendGraph(0, clock, 1);

		/* for each hex char */
		parity[0] = parity[1] = parity[2] = parity[3] = 0;
		for (i = 0; i < 10; i++)
		{
			/* read each hex char */
			sscanf(&Cmd[i], "%1x", &n);
			for (j = 3; j >= 0; j--, n/= 2)
				binary[j] = n % 2;

			/* append each bit */
			AppendGraph(0, clock, binary[0]);
			AppendGraph(0, clock, binary[1]);
			AppendGraph(0, clock, binary[2]);
			AppendGraph(0, clock, binary[3]);

			/* append parity bit */
			AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);

			/* keep track of column parity */
			parity[0] ^= binary[0];
			parity[1] ^= binary[1];
			parity[2] ^= binary[2];
			parity[3] ^= binary[3];
		}

		/* parity columns */
		AppendGraph(0, clock, parity[0]);
		AppendGraph(0, clock, parity[1]);
		AppendGraph(0, clock, parity[2]);
		AppendGraph(0, clock, parity[3]);

		/* stop bit */
	AppendGraph(1, clock, 0);
 
	CmdLFSim("0"); //240 start_gap.
	return 0;
}

/* Function is equivalent of lf read + data samples + em410xread
 * looped until an EM410x tag is detected 
 * 
 * Why is CmdSamples("16000")?
 *  TBD: Auto-grow sample size based on detected sample rate.  IE: If the
 *       rate gets lower, then grow the number of samples
 *  Changed by martin, 4000 x 4 = 16000, 
 *  see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
*/
int CmdEM410xWatch(const char *Cmd)
{
	do {
		if (ukbhit()) {
			printf("\naborted via keyboard!\n");
			break;
		}
		
		CmdLFRead("s");
		getSamples("8201",true); //capture enough to get 2 complete preambles (4096*2+9)	
	} while (!CmdEM410xRead(""));

	return 0;
}

//currently only supports manchester modulations
int CmdEM410xWatchnSpoof(const char *Cmd)
{
	CmdEM410xWatch(Cmd);
	PrintAndLog("# Replaying captured ID: %s",global_em410xId);
	CmdLFaskSim("");
	return 0;
}

int CmdEM410xWrite(const char *Cmd)
{
	uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
	int card = 0xFF; // invalid card value
	uint32_t clock = 0; // invalid clock value

	sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);

	// Check ID
	if (id == 0xFFFFFFFFFFFFFFFF) {
		PrintAndLog("Error! ID is required.\n");
		return 0;
	}
	if (id >= 0x10000000000) {
		PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
		return 0;
	}

	// Check Card
	if (card == 0xFF) {
		PrintAndLog("Error! Card type required.\n");
		return 0;
	}
	if (card < 0) {
		PrintAndLog("Error! Bad card type selected.\n");
		return 0;
	}

	// Check Clock
		// Default: 64
	if (clock == 0)
		clock = 64;

	// Allowed clock rates: 16, 32, 40 and 64
	if ((clock != 16) && (clock != 32) && (clock != 64) && (clock != 40)) {
		PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32, 40 and 64.\n", clock);
		return 0;
	}

	if (card == 1) {
		PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
		// NOTE: We really should pass the clock in as a separate argument, but to
		//   provide for backwards-compatibility for older firmware, and to avoid
		//   having to add another argument to CMD_EM410X_WRITE_TAG, we just store
		//   the clock rate in bits 8-15 of the card value
		card = (card & 0xFF) | ((clock << 8) & 0xFF00);
	}	else if (card == 0) {
		PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
		card = (card & 0xFF) | ((clock << 8) & 0xFF00);
	} else {
		PrintAndLog("Error! Bad card type selected.\n");
		return 0;
	}

	UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
	SendCommand(&c);
	return 0;
}

bool EM_EndParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
{
	if (rows*cols>size) return false;
	uint8_t colP=0;
	//assume last col is a parity and do not test
	for (uint8_t colNum = 0; colNum < cols-1; colNum++) {
		for (uint8_t rowNum = 0; rowNum < rows; rowNum++) {
			colP ^= BitStream[(rowNum*cols)+colNum];
		}
		if (colP != pType) return false;
	}
	return true;
}

bool EM_ByteParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
{
	if (rows*cols>size) return false;
	uint8_t rowP=0;
	//assume last row is a parity row and do not test
	for (uint8_t rowNum = 0; rowNum < rows-1; rowNum++) {
		for (uint8_t colNum = 0; colNum < cols; colNum++) {
			rowP ^= BitStream[(rowNum*cols)+colNum];
		}
		if (rowP != pType) return false;
	}
	return true;
}

uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool pTest)
{
	if (size<45) return 0;
	uint32_t code = bytebits_to_byte(BitStream,8);
	code = code<<8 | bytebits_to_byte(BitStream+9,8);
	code = code<<8 | bytebits_to_byte(BitStream+18,8);
	code = code<<8 | bytebits_to_byte(BitStream+27,8);
	if (verbose || g_debugMode){
		for (uint8_t i = 0; i<5; i++){
			if (i == 4) PrintAndLog(""); //parity byte spacer
			PrintAndLog("%d%d%d%d%d%d%d%d %d -> 0x%02x",
			    BitStream[i*9],
			    BitStream[i*9+1],
			    BitStream[i*9+2],
			    BitStream[i*9+3],
			    BitStream[i*9+4],
			    BitStream[i*9+5],
			    BitStream[i*9+6],
			    BitStream[i*9+7],
			    BitStream[i*9+8],
			    bytebits_to_byte(BitStream+i*9,8)
			);
		}
		if (pTest)
			PrintAndLog("Parity Passed");
		else
			PrintAndLog("Parity Failed");
	}
	return code;
}
/* Read the transmitted data of an EM4x50 tag
 * Format:
 *
 *  XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 *  XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 *  XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 *  XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
 *  CCCCCCCC                         <- column parity bits
 *  0                                <- stop bit
 *  LW                               <- Listen Window
 *
 * This pattern repeats for every block of data being transmitted.
 * Transmission starts with two Listen Windows (LW - a modulated
 * pattern of 320 cycles each (32/32/128/64/64)).
 *
 * Note that this data may or may not be the UID. It is whatever data
 * is stored in the blocks defined in the control word First and Last
 * Word Read values. UID is stored in block 32.
 */
 //completed by Marshmellow
int EM4x50Read(const char *Cmd, bool verbose)
{
	uint8_t fndClk[] = {8,16,32,40,50,64,128};
	int clk = 0; 
	int invert = 0;
	int tol = 0;
	int i, j, startblock, skip, block, start, end, low, high, minClk;
	bool complete = false;
	int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
	uint32_t Code[6];
	char tmp[6];
	char tmp2[20];
	int phaseoff;
	high = low = 0;
	memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);

	// get user entry if any
	sscanf(Cmd, "%i %i", &clk, &invert);
	
	// save GraphBuffer - to restore it later	
	save_restoreGB(1);

	// first get high and low values
	for (i = 0; i < GraphTraceLen; i++) {
		if (GraphBuffer[i] > high)
			high = GraphBuffer[i];
		else if (GraphBuffer[i] < low)
			low = GraphBuffer[i];
	}

	i = 0;
	j = 0;
	minClk = 255;
	// get to first full low to prime loop and skip incomplete first pulse
	while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
		++i;
	while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
		++i;
	skip = i;

	// populate tmpbuff buffer with pulse lengths
	while (i < GraphTraceLen) {
		// measure from low to low
		while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
			++i;
		start= i;
		while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
			++i;
		while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
			++i;
		if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
			break;
		}
		tmpbuff[j++]= i - start;
		if (i-start < minClk && i < GraphTraceLen) {
			minClk = i - start;
		}
	}
	// set clock
	if (!clk) {
		for (uint8_t clkCnt = 0; clkCnt<7; clkCnt++) {
			tol = fndClk[clkCnt]/8;
			if (minClk >= fndClk[clkCnt]-tol && minClk <= fndClk[clkCnt]+1) { 
				clk=fndClk[clkCnt];
				break;
			}
		}
		if (!clk) return 0;
	} else tol = clk/8;

	// look for data start - should be 2 pairs of LW (pulses of clk*3,clk*2)
	start = -1;
	for (i= 0; i < j - 4 ; ++i) {
		skip += tmpbuff[i];
		if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol)  //3 clocks
			if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol)  //2 clocks
				if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
					if (tmpbuff[i+3] >= clk-tol)  //1.5 to 2 clocks - depends on bit following
					{
						start= i + 4;
						break;
					}
	}
	startblock = i + 4;

	// skip over the remainder of LW
	skip += tmpbuff[i+1] + tmpbuff[i+2] + clk;
	if (tmpbuff[i+3]>clk) 
		phaseoff = tmpbuff[i+3]-clk;
	else
		phaseoff = 0;
	// now do it again to find the end
	end = skip;
	for (i += 3; i < j - 4 ; ++i) {
		end += tmpbuff[i];
		if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol)  //3 clocks
			if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol)  //2 clocks
				if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks
					if (tmpbuff[i+3] >= clk-tol)  //1.5 to 2 clocks - depends on bit following
					{
						complete= true;
						break;
					}
	}
	end = i;
	// report back
	if (verbose || g_debugMode) {
		if (start >= 0) {
			PrintAndLog("\nNote: one block = 50 bits (32 data, 12 parity, 6 marker)");
		}	else {
			PrintAndLog("No data found!, clock tried:%d",clk);
			PrintAndLog("Try again with more samples.");
			PrintAndLog("  or after a 'data askedge' command to clean up the read");
			return 0;
		}
	} else if (start < 0) return 0;
	start = skip;
	snprintf(tmp2, sizeof(tmp2),"%d %d 1000 %d", clk, invert, clk*47);
	// get rid of leading crap 
	snprintf(tmp, sizeof(tmp), "%i", skip);
	CmdLtrim(tmp);
	bool pTest;
	bool AllPTest = true;
	// now work through remaining buffer printing out data blocks
	block = 0;
	i = startblock;
	while (block < 6) {
		if (verbose || g_debugMode) PrintAndLog("\nBlock %i:", block);
		skip = phaseoff;
		
		// look for LW before start of next block
		for ( ; i < j - 4 ; ++i) {
			skip += tmpbuff[i];
			if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol)
				if (tmpbuff[i+1] >= clk-tol)
					break;
		}
		if (i >= j-4) break; //next LW not found
		skip += clk;
		if (tmpbuff[i+1]>clk)
			phaseoff = tmpbuff[i+1]-clk;
		else
			phaseoff = 0;
		i += 2;
		if (ASKDemod(tmp2, false, false, 1) < 1) {
			save_restoreGB(0);
			return 0;
		}
		//set DemodBufferLen to just one block
		DemodBufferLen = skip/clk;
		//test parities
		pTest = EM_ByteParityTest(DemodBuffer,DemodBufferLen,5,9,0);	
		pTest &= EM_EndParityTest(DemodBuffer,DemodBufferLen,5,9,0);
		AllPTest &= pTest;
		//get output
		Code[block] = OutputEM4x50_Block(DemodBuffer,DemodBufferLen,verbose, pTest);
		if (g_debugMode) PrintAndLog("\nskipping %d samples, bits:%d", skip, skip/clk);
		//skip to start of next block
		snprintf(tmp,sizeof(tmp),"%i",skip);
		CmdLtrim(tmp);
		block++;
		if (i >= end) break; //in case chip doesn't output 6 blocks
	}
	//print full code:
	if (verbose || g_debugMode || AllPTest){
		if (!complete) {
			PrintAndLog("*** Warning!");
			PrintAndLog("Partial data - no end found!");
			PrintAndLog("Try again with more samples.");
		}
		PrintAndLog("Found data at sample: %i - using clock: %i", start, clk);    
		end = block;
		for (block=0; block < end; block++){
			PrintAndLog("Block %d: %08x",block,Code[block]);
		}
		if (AllPTest) {
			PrintAndLog("Parities Passed");
		} else {
			PrintAndLog("Parities Failed");
			PrintAndLog("Try cleaning the read samples with 'data askedge'");
		}
	}

	//restore GraphBuffer
	save_restoreGB(0);
	return (int)AllPTest;
}

int CmdEM4x50Read(const char *Cmd)
{
	return EM4x50Read(Cmd, true);
}

int CmdReadWord(const char *Cmd)
{
	int Word = -1; //default to invalid word
	UsbCommand c;
	
	sscanf(Cmd, "%d", &Word);
	
	if ( (Word > 15) | (Word < 0) ) {
		PrintAndLog("Word must be between 0 and 15");
		return 1;
	}
	
	PrintAndLog("Reading word %d", Word);
	
	c.cmd = CMD_EM4X_READ_WORD;
	c.d.asBytes[0] = 0x0; //Normal mode
	c.arg[0] = 0;
	c.arg[1] = Word;
	c.arg[2] = 0;
	SendCommand(&c);
	return 0;
}

int CmdReadWordPWD(const char *Cmd)
{
	int Word = -1; //default to invalid word
	int Password = 0xFFFFFFFF; //default to blank password
	UsbCommand c;
	
	sscanf(Cmd, "%d %x", &Word, &Password);
	
	if ( (Word > 15) | (Word < 0) ) {
		PrintAndLog("Word must be between 0 and 15");
		return 1;
	}
	
	PrintAndLog("Reading word %d with password %08X", Word, Password);
	
	c.cmd = CMD_EM4X_READ_WORD;
	c.d.asBytes[0] = 0x1; //Password mode
	c.arg[0] = 0;
	c.arg[1] = Word;
	c.arg[2] = Password;
	SendCommand(&c);
	return 0;
}

int CmdWriteWord(const char *Cmd)
{
	int Word = 16; //default to invalid block
	int Data = 0xFFFFFFFF; //default to blank data
	UsbCommand c;
	
	sscanf(Cmd, "%x %d", &Data, &Word);
	
	if (Word > 15) {
		PrintAndLog("Word must be between 0 and 15");
		return 1;
	}
	
	PrintAndLog("Writing word %d with data %08X", Word, Data);
	
	c.cmd = CMD_EM4X_WRITE_WORD;
	c.d.asBytes[0] = 0x0; //Normal mode
	c.arg[0] = Data;
	c.arg[1] = Word;
	c.arg[2] = 0;
	SendCommand(&c);
	return 0;
}

int CmdWriteWordPWD(const char *Cmd)
{
	int Word = 16; //default to invalid word
	int Data = 0xFFFFFFFF; //default to blank data
	int Password = 0xFFFFFFFF; //default to blank password
	UsbCommand c;
	
	sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
	
	if (Word > 15) {
		PrintAndLog("Word must be between 0 and 15");
		return 1;
	}
	
	PrintAndLog("Writing word %d with data %08X and password %08X", Word, Data, Password);
	
	c.cmd = CMD_EM4X_WRITE_WORD;
	c.d.asBytes[0] = 0x1; //Password mode
	c.arg[0] = Data;
	c.arg[1] = Word;
	c.arg[2] = Password;
	SendCommand(&c);
	return 0;
}

static command_t CommandTable[] =
{
	{"help", CmdHelp, 1, "This help"},
	{"em410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"},  
	{"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag in GraphBuffer"},
	{"em410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
	{"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
	{"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
	{"em410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
	{"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
	{"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
	{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
	{"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
	{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
	{NULL, NULL, 0, NULL}
};

int CmdLFEM4X(const char *Cmd) {
	clearCommandBuffer();
	CmdsParse(CommandTable, Cmd);
	return 0;
}

int CmdHelp(const char *Cmd) {
	CmdsHelp(CommandTable);
	return 0;
}
Commit	Line	Data
a553f267	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// Low frequency EM4x commands
	9	//-----------------------------------------------------------------------------
	10
7fe9b0b7	11	#include <stdio.h>
9e13f875	12	#include <string.h>
ec564290	13	#include <inttypes.h>
7fe9b0b7	14	#include "cmdlfem4x.h"
0ad1a1d4	15
c3bfb9c7	16	char *global_em410xId;
7fe9b0b7	17
	18	static int CmdHelp(const char *Cmd);
	19
66707a3b	20	int CmdEMdemodASK(const char *Cmd)
66707a3b	21	{
3fe4ff4f	22	char cmdp = param_getchar(Cmd, 0);
cc15a118	23	int findone = (cmdp == '1') ? 1 : 0;
23f0a7d8	24	UsbCommand c={CMD_EM410X_DEMOD};
	25	c.arg[0]=findone;
	26	SendCommand(&c);
	27	return 0;
66707a3b	28	}
66707a3b	29
7fe9b0b7	30	/* Read the ID of an EM410x tag.
	31	* Format:
	32	* 1111 1111 1 <-- standard non-repeatable header
	33	* XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
	34	* ....
	35	* CCCC <-- each bit here is parity for the 10 bits above in corresponding column
	36	* 0 <-- stop bit, end of tag
	37	*/
	38	int CmdEM410xRead(const char *Cmd)
	39	{
23f0a7d8	40	uint32_t hi=0;
	41	uint64_t lo=0;
	42
fef74fdc	43	if(!AskEm410xDemod("", &hi, &lo, false)) return 0;
23f0a7d8	44	PrintAndLog("EM410x pattern found: ");
	45	printEM410x(hi, lo);
	46	if (hi){
	47	PrintAndLog ("EM410x XL pattern found");
	48	return 0;
	49	}
	50	char id[12] = {0x00};
43d3f769	51	//sprintf(id, "%010llx",lo);
28093ebc	52	sprintf(id, "%010"PRIu64, lo);
23f0a7d8	53
	54	global_em410xId = id;
	55	return 1;
7fe9b0b7	56	}
7fe9b0b7	57
13d77ef9	58	// emulate an EM410X tag
7fe9b0b7	59	int CmdEM410xSim(const char *Cmd)
7fe9b0b7	60	{
3fe4ff4f	61	int i, n, j, binary[4], parity[4];
	62
	63	char cmdp = param_getchar(Cmd, 0);
	64	uint8_t uid[5] = {0x00};
	65
	66	if (cmdp == 'h' \|\| cmdp == 'H') {
bca71079	67	PrintAndLog("Usage: lf em4x em410xsim <UID> <clock>");
3fe4ff4f	68	PrintAndLog("");
ba765c9e	69	PrintAndLog(" sample: lf em4x em410xsim 0F0368568B");
3fe4ff4f	70	return 0;
3fe4ff4f	71	}
bca71079	72	/* clock is 64 in EM410x tags */
bca71079	73	uint8_t clock = 64;
3fe4ff4f	74
	75	if (param_gethex(Cmd, 0, uid, 10)) {
	76	PrintAndLog("UID must include 10 HEX symbols");
	77	return 0;
	78	}
bca71079	79	param_getdec(Cmd, 1, &clock);
3fe4ff4f	80
bca71079	81	PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X clock: %d", uid[0],uid[1],uid[2],uid[3],uid[4],clock);
3fe4ff4f	82	PrintAndLog("Press pm3-button to about simulation");
7fe9b0b7	83
23f0a7d8	84
	85	/* clear our graph */
	86	ClearGraph(0);
	87
	88	/* write 9 start bits */
	89	for (i = 0; i < 9; i++)
	90	AppendGraph(0, clock, 1);
	91
	92	/* for each hex char */
	93	parity[0] = parity[1] = parity[2] = parity[3] = 0;
	94	for (i = 0; i < 10; i++)
	95	{
	96	/* read each hex char */
	97	sscanf(&Cmd[i], "%1x", &n);
	98	for (j = 3; j >= 0; j--, n/= 2)
	99	binary[j] = n % 2;
	100
	101	/* append each bit */
	102	AppendGraph(0, clock, binary[0]);
	103	AppendGraph(0, clock, binary[1]);
	104	AppendGraph(0, clock, binary[2]);
	105	AppendGraph(0, clock, binary[3]);
	106
	107	/* append parity bit */
	108	AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
	109
	110	/* keep track of column parity */
	111	parity[0] ^= binary[0];
	112	parity[1] ^= binary[1];
	113	parity[2] ^= binary[2];
	114	parity[3] ^= binary[3];
	115	}
	116
	117	/* parity columns */
	118	AppendGraph(0, clock, parity[0]);
	119	AppendGraph(0, clock, parity[1]);
	120	AppendGraph(0, clock, parity[2]);
	121	AppendGraph(0, clock, parity[3]);
	122
	123	/* stop bit */
	124	AppendGraph(1, clock, 0);
3fe4ff4f	125
23f0a7d8	126	CmdLFSim("0"); //240 start_gap.
23f0a7d8	127	return 0;
7fe9b0b7	128	}
7fe9b0b7	129
3fe4ff4f	130	/* Function is equivalent of lf read + data samples + em410xread
	131	* looped until an EM410x tag is detected
	132	*
	133	* Why is CmdSamples("16000")?
	134	* TBD: Auto-grow sample size based on detected sample rate. IE: If the
	135	* rate gets lower, then grow the number of samples
	136	* Changed by martin, 4000 x 4 = 16000,
	137	* see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
3fe4ff4f	138	*/
7fe9b0b7	139	int CmdEM410xWatch(const char *Cmd)
7fe9b0b7	140	{
3fe4ff4f	141	do {
	142	if (ukbhit()) {
	143	printf("\naborted via keyboard!\n");
	144	break;
	145	}
	146
1fbf8956	147	CmdLFRead("s");
2767fc02	148	getSamples("8201",true); //capture enough to get 2 complete preambles (4096*2+9)
13d77ef9	149	} while (!CmdEM410xRead(""));
13d77ef9	150
3fe4ff4f	151	return 0;
7fe9b0b7	152	}
7fe9b0b7	153
23f0a7d8	154	//currently only supports manchester modulations
c3bfb9c7	155	int CmdEM410xWatchnSpoof(const char *Cmd)
	156	{
	157	CmdEM410xWatch(Cmd);
1fbf8956	158	PrintAndLog("# Replaying captured ID: %s",global_em410xId);
	159	CmdLFaskSim("");
	160	return 0;
c3bfb9c7	161	}
c3bfb9c7	162
2d4eae76	163	int CmdEM410xWrite(const char *Cmd)
2d4eae76	164	{
6e984446	165	uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
6e984446	166	int card = 0xFF; // invalid card value
8ce3e4b4	167	uint32_t clock = 0; // invalid clock value
e67b06b7	168
	169	sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
	170
	171	// Check ID
	172	if (id == 0xFFFFFFFFFFFFFFFF) {
	173	PrintAndLog("Error! ID is required.\n");
	174	return 0;
	175	}
	176	if (id >= 0x10000000000) {
	177	PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
	178	return 0;
	179	}
	180
	181	// Check Card
	182	if (card == 0xFF) {
	183	PrintAndLog("Error! Card type required.\n");
	184	return 0;
	185	}
	186	if (card < 0) {
	187	PrintAndLog("Error! Bad card type selected.\n");
	188	return 0;
	189	}
	190
	191	// Check Clock
e67b06b7	192	// Default: 64
8ce3e4b4	193	if (clock == 0)
8ce3e4b4	194	clock = 64;
e67b06b7	195
bca71079	196	// Allowed clock rates: 16, 32, 40 and 64
	197	if ((clock != 16) && (clock != 32) && (clock != 64) && (clock != 40)) {
	198	PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32, 40 and 64.\n", clock);
e67b06b7	199	return 0;
	200	}
	201
	202	if (card == 1) {
	203	PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
	204	// NOTE: We really should pass the clock in as a separate argument, but to
	205	// provide for backwards-compatibility for older firmware, and to avoid
	206	// having to add another argument to CMD_EM410X_WRITE_TAG, we just store
	207	// the clock rate in bits 8-15 of the card value
bca71079	208	card = (card & 0xFF) \| ((clock << 8) & 0xFF00);
bca71079	209	} else if (card == 0) {
e67b06b7	210	PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
bca71079	211	card = (card & 0xFF) \| ((clock << 8) & 0xFF00);
bca71079	212	} else {
e67b06b7	213	PrintAndLog("Error! Bad card type selected.\n");
	214	return 0;
	215	}
2d4eae76	216
6e984446	217	UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
6e984446	218	SendCommand(&c);
6e984446	219	return 0;
6e984446	220	}
2d4eae76	221
23f0a7d8	222	bool EM_EndParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
	223	{
	224	if (rows*cols>size) return false;
	225	uint8_t colP=0;
cc15a118	226	//assume last col is a parity and do not test
23f0a7d8	227	for (uint8_t colNum = 0; colNum < cols-1; colNum++) {
	228	for (uint8_t rowNum = 0; rowNum < rows; rowNum++) {
	229	colP ^= BitStream[(rowNum*cols)+colNum];
	230	}
	231	if (colP != pType) return false;
	232	}
	233	return true;
	234	}
	235
	236	bool EM_ByteParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType)
	237	{
	238	if (rows*cols>size) return false;
	239	uint8_t rowP=0;
	240	//assume last row is a parity row and do not test
	241	for (uint8_t rowNum = 0; rowNum < rows-1; rowNum++) {
	242	for (uint8_t colNum = 0; colNum < cols; colNum++) {
	243	rowP ^= BitStream[(rowNum*cols)+colNum];
	244	}
	245	if (rowP != pType) return false;
	246	}
	247	return true;
	248	}
	249
	250	uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool pTest)
	251	{
	252	if (size<45) return 0;
	253	uint32_t code = bytebits_to_byte(BitStream,8);
	254	code = code<<8 \| bytebits_to_byte(BitStream+9,8);
	255	code = code<<8 \| bytebits_to_byte(BitStream+18,8);
	256	code = code<<8 \| bytebits_to_byte(BitStream+27,8);
	257	if (verbose \|\| g_debugMode){
	258	for (uint8_t i = 0; i<5; i++){
cc15a118	259	if (i == 4) PrintAndLog(""); //parity byte spacer
23f0a7d8	260	PrintAndLog("%d%d%d%d%d%d%d%d %d -> 0x%02x",
	261	BitStream[i*9],
	262	BitStream[i*9+1],
	263	BitStream[i*9+2],
	264	BitStream[i*9+3],
	265	BitStream[i*9+4],
	266	BitStream[i*9+5],
	267	BitStream[i*9+6],
	268	BitStream[i*9+7],
	269	BitStream[i*9+8],
	270	bytebits_to_byte(BitStream+i*9,8)
	271	);
	272	}
	273	if (pTest)
	274	PrintAndLog("Parity Passed");
	275	else
	276	PrintAndLog("Parity Failed");
	277	}
23f0a7d8	278	return code;
23f0a7d8	279	}
7fe9b0b7	280	/* Read the transmitted data of an EM4x50 tag
	281	* Format:
	282	*
	283	* XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
	284	* XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
	285	* XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
	286	* XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
	287	* CCCCCCCC <- column parity bits
	288	* 0 <- stop bit
	289	* LW <- Listen Window
	290	*
	291	* This pattern repeats for every block of data being transmitted.
	292	* Transmission starts with two Listen Windows (LW - a modulated
	293	* pattern of 320 cycles each (32/32/128/64/64)).
	294	*
	295	* Note that this data may or may not be the UID. It is whatever data
	296	* is stored in the blocks defined in the control word First and Last
	297	* Word Read values. UID is stored in block 32.
	298	*/
cc15a118	299	//completed by Marshmellow
23f0a7d8	300	int EM4x50Read(const char *Cmd, bool verbose)
23f0a7d8	301	{
cc15a118	302	uint8_t fndClk[] = {8,16,32,40,50,64,128};
23f0a7d8	303	int clk = 0;
23f0a7d8	304	int invert = 0;
23f0a7d8	305	int tol = 0;
23f0a7d8	306	int i, j, startblock, skip, block, start, end, low, high, minClk;
cc15a118	307	bool complete = false;
23f0a7d8	308	int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
23f0a7d8	309	uint32_t Code[6];
23f0a7d8	310	char tmp[6];
23f0a7d8	311	char tmp2[20];
49bbc60a	312	int phaseoff;
cc15a118	313	high = low = 0;
23f0a7d8	314	memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
cc15a118	315
	316	// get user entry if any
	317	sscanf(Cmd, "%i %i", &clk, &invert);
	318
	319	// save GraphBuffer - to restore it later
	320	save_restoreGB(1);
	321
23f0a7d8	322	// first get high and low values
cc15a118	323	for (i = 0; i < GraphTraceLen; i++) {
23f0a7d8	324	if (GraphBuffer[i] > high)
	325	high = GraphBuffer[i];
	326	else if (GraphBuffer[i] < low)
	327	low = GraphBuffer[i];
	328	}
	329
cc15a118	330	i = 0;
	331	j = 0;
	332	minClk = 255;
	333	// get to first full low to prime loop and skip incomplete first pulse
	334	while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
	335	++i;
	336	while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
	337	++i;
	338	skip = i;
	339
	340	// populate tmpbuff buffer with pulse lengths
	341	while (i < GraphTraceLen) {
23f0a7d8	342	// measure from low to low
cc15a118	343	while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
23f0a7d8	344	++i;
23f0a7d8	345	start= i;
cc15a118	346	while ((GraphBuffer[i] < high) && (i < GraphTraceLen))
23f0a7d8	347	++i;
cc15a118	348	while ((GraphBuffer[i] > low) && (i < GraphTraceLen))
23f0a7d8	349	++i;
	350	if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
	351	break;
	352	}
	353	tmpbuff[j++]= i - start;
cc15a118	354	if (i-start < minClk && i < GraphTraceLen) {
	355	minClk = i - start;
	356	}
23f0a7d8	357	}
23f0a7d8	358	// set clock
cc15a118	359	if (!clk) {
23f0a7d8	360	for (uint8_t clkCnt = 0; clkCnt<7; clkCnt++) {
23f0a7d8	361	tol = fndClk[clkCnt]/8;
cc15a118	362	if (minClk >= fndClk[clkCnt]-tol && minClk <= fndClk[clkCnt]+1) {
23f0a7d8	363	clk=fndClk[clkCnt];
	364	break;
	365	}
	366	}
cc15a118	367	if (!clk) return 0;
6e984446	368	} else tol = clk/8;
23f0a7d8	369
23f0a7d8	370	// look for data start - should be 2 pairs of LW (pulses of clk3,clk2)
cc15a118	371	start = -1;
cc15a118	372	for (i= 0; i < j - 4 ; ++i) {
23f0a7d8	373	skip += tmpbuff[i];
cc15a118	374	if (tmpbuff[i] >= clk3-tol && tmpbuff[i] <= clk3+tol) //3 clocks
	375	if (tmpbuff[i+1] >= clk2-tol && tmpbuff[i+1] <= clk2+tol) //2 clocks
	376	if (tmpbuff[i+2] >= clk3-tol && tmpbuff[i+2] <= clk3+tol) //3 clocks
	377	if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
23f0a7d8	378	{
	379	start= i + 4;
	380	break;
	381	}
	382	}
cc15a118	383	startblock = i + 4;
23f0a7d8	384
23f0a7d8	385	// skip over the remainder of LW
49bbc60a	386	skip += tmpbuff[i+1] + tmpbuff[i+2] + clk;
	387	if (tmpbuff[i+3]>clk)
	388	phaseoff = tmpbuff[i+3]-clk;
	389	else
	390	phaseoff = 0;
23f0a7d8	391	// now do it again to find the end
23f0a7d8	392	end = skip;
cc15a118	393	for (i += 3; i < j - 4 ; ++i) {
23f0a7d8	394	end += tmpbuff[i];
cc15a118	395	if (tmpbuff[i] >= clk3-tol && tmpbuff[i] <= clk3+tol) //3 clocks
	396	if (tmpbuff[i+1] >= clk2-tol && tmpbuff[i+1] <= clk2+tol) //2 clocks
	397	if (tmpbuff[i+2] >= clk3-tol && tmpbuff[i+2] <= clk3+tol) //3 clocks
	398	if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following
23f0a7d8	399	{
	400	complete= true;
	401	break;
	402	}
	403	}
	404	end = i;
	405	// report back
	406	if (verbose \|\| g_debugMode) {
	407	if (start >= 0) {
cc15a118	408	PrintAndLog("\nNote: one block = 50 bits (32 data, 12 parity, 6 marker)");
23f0a7d8	409	} else {
cc15a118	410	PrintAndLog("No data found!, clock tried:%d",clk);
23f0a7d8	411	PrintAndLog("Try again with more samples.");
cc15a118	412	PrintAndLog(" or after a 'data askedge' command to clean up the read");
23f0a7d8	413	return 0;
23f0a7d8	414	}
23f0a7d8	415	} else if (start < 0) return 0;
cc15a118	416	start = skip;
23f0a7d8	417	snprintf(tmp2, sizeof(tmp2),"%d %d 1000 %d", clk, invert, clk*47);
23f0a7d8	418	// get rid of leading crap
cc15a118	419	snprintf(tmp, sizeof(tmp), "%i", skip);
23f0a7d8	420	CmdLtrim(tmp);
23f0a7d8	421	bool pTest;
cc15a118	422	bool AllPTest = true;
23f0a7d8	423	// now work through remaining buffer printing out data blocks
	424	block = 0;
	425	i = startblock;
cc15a118	426	while (block < 6) {
23f0a7d8	427	if (verbose \|\| g_debugMode) PrintAndLog("\nBlock %i:", block);
	428	skip = phaseoff;
	429
	430	// look for LW before start of next block
cc15a118	431	for ( ; i < j - 4 ; ++i) {
23f0a7d8	432	skip += tmpbuff[i];
	433	if (tmpbuff[i] >= clk3-tol && tmpbuff[i] <= clk3+tol)
	434	if (tmpbuff[i+1] >= clk-tol)
	435	break;
	436	}
49bbc60a	437	if (i >= j-4) break; //next LW not found
23f0a7d8	438	skip += clk;
49bbc60a	439	if (tmpbuff[i+1]>clk)
	440	phaseoff = tmpbuff[i+1]-clk;
	441	else
	442	phaseoff = 0;
23f0a7d8	443	i += 2;
fef74fdc	444	if (ASKDemod(tmp2, false, false, 1) < 1) {
cc15a118	445	save_restoreGB(0);
	446	return 0;
	447	}
23f0a7d8	448	//set DemodBufferLen to just one block
	449	DemodBufferLen = skip/clk;
	450	//test parities
	451	pTest = EM_ByteParityTest(DemodBuffer,DemodBufferLen,5,9,0);
	452	pTest &= EM_EndParityTest(DemodBuffer,DemodBufferLen,5,9,0);
	453	AllPTest &= pTest;
	454	//get output
cc15a118	455	Code[block] = OutputEM4x50_Block(DemodBuffer,DemodBufferLen,verbose, pTest);
cc15a118	456	if (g_debugMode) PrintAndLog("\nskipping %d samples, bits:%d", skip, skip/clk);
23f0a7d8	457	//skip to start of next block
	458	snprintf(tmp,sizeof(tmp),"%i",skip);
	459	CmdLtrim(tmp);
	460	block++;
cc15a118	461	if (i >= end) break; //in case chip doesn't output 6 blocks
23f0a7d8	462	}
	463	//print full code:
	464	if (verbose \|\| g_debugMode \|\| AllPTest){
49bbc60a	465	if (!complete) {
	466	PrintAndLog("*** Warning!");
	467	PrintAndLog("Partial data - no end found!");
	468	PrintAndLog("Try again with more samples.");
	469	}
cc15a118	470	PrintAndLog("Found data at sample: %i - using clock: %i", start, clk);
	471	end = block;
	472	for (block=0; block < end; block++){
23f0a7d8	473	PrintAndLog("Block %d: %08x",block,Code[block]);
23f0a7d8	474	}
49bbc60a	475	if (AllPTest) {
23f0a7d8	476	PrintAndLog("Parities Passed");
49bbc60a	477	} else {
23f0a7d8	478	PrintAndLog("Parities Failed");
cc15a118	479	PrintAndLog("Try cleaning the read samples with 'data askedge'");
49bbc60a	480	}
23f0a7d8	481	}
	482
	483	//restore GraphBuffer
	484	save_restoreGB(0);
	485	return (int)AllPTest;
	486	}
	487
7fe9b0b7	488	int CmdEM4x50Read(const char *Cmd)
7fe9b0b7	489	{
23f0a7d8	490	return EM4x50Read(Cmd, true);
2d4eae76	491	}
2d4eae76	492
54a942b0	493	int CmdReadWord(const char *Cmd)
54a942b0	494	{
b915fda3	495	int Word = -1; //default to invalid word
23f0a7d8	496	UsbCommand c;
	497
	498	sscanf(Cmd, "%d", &Word);
	499
b915fda3	500	if ( (Word > 15) \| (Word < 0) ) {
23f0a7d8	501	PrintAndLog("Word must be between 0 and 15");
	502	return 1;
	503	}
	504
	505	PrintAndLog("Reading word %d", Word);
	506
	507	c.cmd = CMD_EM4X_READ_WORD;
	508	c.d.asBytes[0] = 0x0; //Normal mode
	509	c.arg[0] = 0;
	510	c.arg[1] = Word;
	511	c.arg[2] = 0;
	512	SendCommand(&c);
	513	return 0;
54a942b0	514	}
	515
	516	int CmdReadWordPWD(const char *Cmd)
	517	{
b915fda3	518	int Word = -1; //default to invalid word
23f0a7d8	519	int Password = 0xFFFFFFFF; //default to blank password
	520	UsbCommand c;
	521
	522	sscanf(Cmd, "%d %x", &Word, &Password);
	523
b915fda3	524	if ( (Word > 15) \| (Word < 0) ) {
23f0a7d8	525	PrintAndLog("Word must be between 0 and 15");
	526	return 1;
	527	}
	528
	529	PrintAndLog("Reading word %d with password %08X", Word, Password);
	530
	531	c.cmd = CMD_EM4X_READ_WORD;
	532	c.d.asBytes[0] = 0x1; //Password mode
	533	c.arg[0] = 0;
	534	c.arg[1] = Word;
	535	c.arg[2] = Password;
	536	SendCommand(&c);
	537	return 0;
54a942b0	538	}
	539
	540	int CmdWriteWord(const char *Cmd)
	541	{
23f0a7d8	542	int Word = 16; //default to invalid block
	543	int Data = 0xFFFFFFFF; //default to blank data
	544	UsbCommand c;
	545
	546	sscanf(Cmd, "%x %d", &Data, &Word);
	547
	548	if (Word > 15) {
	549	PrintAndLog("Word must be between 0 and 15");
	550	return 1;
	551	}
	552
	553	PrintAndLog("Writing word %d with data %08X", Word, Data);
	554
	555	c.cmd = CMD_EM4X_WRITE_WORD;
	556	c.d.asBytes[0] = 0x0; //Normal mode
	557	c.arg[0] = Data;
	558	c.arg[1] = Word;
	559	c.arg[2] = 0;
	560	SendCommand(&c);
	561	return 0;
54a942b0	562	}
	563
	564	int CmdWriteWordPWD(const char *Cmd)
	565	{
23f0a7d8	566	int Word = 16; //default to invalid word
	567	int Data = 0xFFFFFFFF; //default to blank data
	568	int Password = 0xFFFFFFFF; //default to blank password
	569	UsbCommand c;
	570
	571	sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
	572
	573	if (Word > 15) {
	574	PrintAndLog("Word must be between 0 and 15");
	575	return 1;
	576	}
	577
	578	PrintAndLog("Writing word %d with data %08X and password %08X", Word, Data, Password);
	579
	580	c.cmd = CMD_EM4X_WRITE_WORD;
	581	c.d.asBytes[0] = 0x1; //Password mode
	582	c.arg[0] = Data;
	583	c.arg[1] = Word;
	584	c.arg[2] = Password;
	585	SendCommand(&c);
	586	return 0;
54a942b0	587	}
54a942b0	588
2d4eae76	589	static command_t CommandTable[] =
7fe9b0b7	590	{
23f0a7d8	591	{"help", CmdHelp, 1, "This help"},
23f0a7d8	592	{"em410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"},
8e0cf023	593	{"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag in GraphBuffer"},
23f0a7d8	594	{"em410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
	595	{"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
	596	{"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
8e0cf023	597	{"em410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
23f0a7d8	598	{"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
	599	{"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
	600	{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
	601	{"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
	602	{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
	603	{NULL, NULL, 0, NULL}
7fe9b0b7	604	};
7fe9b0b7	605
4c36581b	606	int CmdLFEM4X(const char *Cmd) {
4c36581b	607	clearCommandBuffer();
23f0a7d8	608	CmdsParse(CommandTable, Cmd);
23f0a7d8	609	return 0;
7fe9b0b7	610	}
7fe9b0b7	611
4c36581b	612	int CmdHelp(const char *Cmd) {
23f0a7d8	613	CmdsHelp(CommandTable);
23f0a7d8	614	return 0;
7fe9b0b7	615	}