]> git.zerfleddert.de Git - proxmark3-svn/blame - client/cmdlfem4x.c
Fixed memory corruption after reader-attack in armsrc, fixed annoying LED
[proxmark3-svn] / client / cmdlfem4x.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency EM4x commands
9//-----------------------------------------------------------------------------
10
7fe9b0b7 11#include <stdio.h>
9e13f875 12#include <string.h>
ec564290 13#include <inttypes.h>
902cb3c0 14#include "proxmark3.h"
7fe9b0b7 15#include "ui.h"
3fe4ff4f 16#include "util.h"
7fe9b0b7 17#include "graph.h"
18#include "cmdparser.h"
19#include "cmddata.h"
20#include "cmdlf.h"
21#include "cmdlfem4x.h"
22
23static int CmdHelp(const char *Cmd);
24
66707a3b 25int CmdEMdemodASK(const char *Cmd)
26{
3fe4ff4f 27 char cmdp = param_getchar(Cmd, 0);
28 int findone = (cmdp == '1') ? 1 : 0;
66707a3b 29 UsbCommand c={CMD_EM410X_DEMOD};
66707a3b 30 c.arg[0]=findone;
31 SendCommand(&c);
32 return 0;
33}
34
7fe9b0b7 35/* Read the ID of an EM410x tag.
36 * Format:
37 * 1111 1111 1 <-- standard non-repeatable header
38 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
39 * ....
40 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
41 * 0 <-- stop bit, end of tag
42 */
43int CmdEM410xRead(const char *Cmd)
44{
45 int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low;
46 int parity[4];
3fe4ff4f 47 char id[11] = {0x00};
48 char id2[11] = {0x00};
7fe9b0b7 49 int retested = 0;
15cdabd4 50 uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
7fe9b0b7 51 high = low = 0;
52
53 /* Detect high and lows and clock */
54 for (i = 0; i < GraphTraceLen; i++)
55 {
56 if (GraphBuffer[i] > high)
57 high = GraphBuffer[i];
58 else if (GraphBuffer[i] < low)
59 low = GraphBuffer[i];
60 }
61
62 /* get clock */
63 clock = GetClock(Cmd, high, 0);
64
65 /* parity for our 4 columns */
66 parity[0] = parity[1] = parity[2] = parity[3] = 0;
67 header = rows = 0;
68
69 /* manchester demodulate */
70 bit = bit2idx = 0;
71 for (i = 0; i < (int)(GraphTraceLen / clock); i++)
72 {
73 hithigh = 0;
74 hitlow = 0;
75 first = 1;
76
77 /* Find out if we hit both high and low peaks */
78 for (j = 0; j < clock; j++)
79 {
80 if (GraphBuffer[(i * clock) + j] == high)
81 hithigh = 1;
82 else if (GraphBuffer[(i * clock) + j] == low)
83 hitlow = 1;
84
85 /* it doesn't count if it's the first part of our read
86 because it's really just trailing from the last sequence */
87 if (first && (hithigh || hitlow))
88 hithigh = hitlow = 0;
89 else
90 first = 0;
91
92 if (hithigh && hitlow)
93 break;
94 }
95
96 /* If we didn't hit both high and low peaks, we had a bit transition */
97 if (!hithigh || !hitlow)
98 bit ^= 1;
99
100 BitStream[bit2idx++] = bit;
101 }
102
103retest:
104 /* We go till 5 before the graph ends because we'll get that far below */
105 for (i = 1; i < bit2idx - 5; i++)
106 {
107 /* Step 2: We have our header but need our tag ID */
108 if (header == 9 && rows < 10)
109 {
110 /* Confirm parity is correct */
111 if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
112 {
113 /* Read another byte! */
114 sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
cb967ea9 115 sprintf(id2+rows, "%x", (8 * BitStream[i+3]) + (4 * BitStream[i+2]) + (2 * BitStream[i+1]) + (1 * BitStream[i]));
7fe9b0b7 116 rows++;
117
118 /* Keep parity info */
119 parity[0] ^= BitStream[i];
120 parity[1] ^= BitStream[i+1];
121 parity[2] ^= BitStream[i+2];
122 parity[3] ^= BitStream[i+3];
123
124 /* Move 4 bits ahead */
125 i += 4;
126 }
127
128 /* Damn, something wrong! reset */
129 else
130 {
131 PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i);
132
133 /* Start back rows * 5 + 9 header bits, -1 to not start at same place */
134 i -= 9 + (5 * rows) - 5;
135
136 rows = header = 0;
137 }
138 }
139
140 /* Step 3: Got our 40 bits! confirm column parity */
141 else if (rows == 10)
142 {
143 /* We need to make sure our 4 bits of parity are correct and we have a stop bit */
144 if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] &&
145 BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] &&
146 BitStream[i+4] == 0)
147 {
148 /* Sweet! */
149 PrintAndLog("EM410x Tag ID: %s", id);
cb967ea9 150 PrintAndLog("Unique Tag ID: %s", id2);
7fe9b0b7 151
152 /* Stop any loops */
153 return 1;
154 }
155
156 /* Crap! Incorrect parity or no stop bit, start all over */
157 else
158 {
159 rows = header = 0;
160
161 /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */
162 i -= 59;
163 }
164 }
165
166 /* Step 1: get our header */
167 else if (header < 9)
168 {
169 /* Need 9 consecutive 1's */
170 if (BitStream[i] == 1)
171 header++;
172
173 /* We don't have a header, not enough consecutive 1 bits */
174 else
175 header = 0;
176 }
177 }
178
179 /* if we've already retested after flipping bits, return */
180 if (retested++)
181 return 0;
182
183 /* if this didn't work, try flipping bits */
184 for (i = 0; i < bit2idx; i++)
185 BitStream[i] ^= 1;
186
187 goto retest;
188}
189
190/* emulate an EM410X tag
191 * Format:
192 * 1111 1111 1 <-- standard non-repeatable header
193 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
194 * ....
195 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
196 * 0 <-- stop bit, end of tag
197 */
198int CmdEM410xSim(const char *Cmd)
199{
3fe4ff4f 200 int i, n, j, binary[4], parity[4];
201
202 char cmdp = param_getchar(Cmd, 0);
203 uint8_t uid[5] = {0x00};
204
205 if (cmdp == 'h' || cmdp == 'H') {
206 PrintAndLog("Usage: lf em4x 410xsim <UID>");
207 PrintAndLog("");
208 PrintAndLog(" sample: lf em4x 410xsim 0F0368568B");
209 return 0;
210 }
211
212 if (param_gethex(Cmd, 0, uid, 10)) {
213 PrintAndLog("UID must include 10 HEX symbols");
214 return 0;
215 }
216
217 PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X", uid[0],uid[1],uid[2],uid[3],uid[4]);
218 PrintAndLog("Press pm3-button to about simulation");
7fe9b0b7 219
220 /* clock is 64 in EM410x tags */
221 int clock = 64;
222
223 /* clear our graph */
224 ClearGraph(0);
225
7fe9b0b7 226 /* write 9 start bits */
227 for (i = 0; i < 9; i++)
228 AppendGraph(0, clock, 1);
229
230 /* for each hex char */
231 parity[0] = parity[1] = parity[2] = parity[3] = 0;
232 for (i = 0; i < 10; i++)
233 {
234 /* read each hex char */
235 sscanf(&Cmd[i], "%1x", &n);
236 for (j = 3; j >= 0; j--, n/= 2)
237 binary[j] = n % 2;
238
239 /* append each bit */
240 AppendGraph(0, clock, binary[0]);
241 AppendGraph(0, clock, binary[1]);
242 AppendGraph(0, clock, binary[2]);
243 AppendGraph(0, clock, binary[3]);
244
245 /* append parity bit */
246 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
247
248 /* keep track of column parity */
249 parity[0] ^= binary[0];
250 parity[1] ^= binary[1];
251 parity[2] ^= binary[2];
252 parity[3] ^= binary[3];
253 }
254
255 /* parity columns */
256 AppendGraph(0, clock, parity[0]);
257 AppendGraph(0, clock, parity[1]);
258 AppendGraph(0, clock, parity[2]);
259 AppendGraph(0, clock, parity[3]);
260
261 /* stop bit */
3fe4ff4f 262 AppendGraph(1, clock, 0);
263
264 CmdLFSim("240"); //240 start_gap.
7fe9b0b7 265 return 0;
266}
267
3fe4ff4f 268/* Function is equivalent of lf read + data samples + em410xread
269 * looped until an EM410x tag is detected
270 *
271 * Why is CmdSamples("16000")?
272 * TBD: Auto-grow sample size based on detected sample rate. IE: If the
273 * rate gets lower, then grow the number of samples
274 * Changed by martin, 4000 x 4 = 16000,
275 * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
276
277*/
7fe9b0b7 278int CmdEM410xWatch(const char *Cmd)
279{
3fe4ff4f 280 char cmdp = param_getchar(Cmd, 0);
281 int read_h = (cmdp == 'h');
282 do {
283 if (ukbhit()) {
284 printf("\naborted via keyboard!\n");
285 break;
286 }
287
288 CmdLFRead(read_h ? "h" : "");
289 CmdSamples("6000");
290 } while (
291 !CmdEM410xRead("")
292 );
293 return 0;
7fe9b0b7 294}
295
296/* Read the transmitted data of an EM4x50 tag
297 * Format:
298 *
299 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
300 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
301 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
302 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
303 * CCCCCCCC <- column parity bits
304 * 0 <- stop bit
305 * LW <- Listen Window
306 *
307 * This pattern repeats for every block of data being transmitted.
308 * Transmission starts with two Listen Windows (LW - a modulated
309 * pattern of 320 cycles each (32/32/128/64/64)).
310 *
311 * Note that this data may or may not be the UID. It is whatever data
312 * is stored in the blocks defined in the control word First and Last
313 * Word Read values. UID is stored in block 32.
314 */
315int CmdEM4x50Read(const char *Cmd)
316{
31b6e9af 317 int i, j, startblock, skip, block, start, end, low, high;
7fe9b0b7 318 bool complete= false;
319 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
320 char tmp[6];
321
322 high= low= 0;
913d23c6 323 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
7fe9b0b7 324
325 /* first get high and low values */
326 for (i = 0; i < GraphTraceLen; i++)
327 {
328 if (GraphBuffer[i] > high)
329 high = GraphBuffer[i];
330 else if (GraphBuffer[i] < low)
331 low = GraphBuffer[i];
332 }
333
334 /* populate a buffer with pulse lengths */
335 i= 0;
336 j= 0;
337 while (i < GraphTraceLen)
338 {
339 // measure from low to low
340 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
341 ++i;
342 start= i;
343 while ((GraphBuffer[i] < high) && (i<GraphTraceLen))
344 ++i;
345 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
346 ++i;
90e278d3 347 if (j>=(MAX_GRAPH_TRACE_LEN/64)) {
7fe9b0b7 348 break;
349 }
350 tmpbuff[j++]= i - start;
351 }
352
353 /* look for data start - should be 2 pairs of LW (pulses of 192,128) */
354 start= -1;
355 skip= 0;
356 for (i= 0; i < j - 4 ; ++i)
357 {
358 skip += tmpbuff[i];
359 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
360 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
361 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
362 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
363 {
364 start= i + 3;
365 break;
366 }
367 }
368 startblock= i + 3;
369
370 /* skip over the remainder of the LW */
371 skip += tmpbuff[i+1]+tmpbuff[i+2];
372 while (skip < MAX_GRAPH_TRACE_LEN && GraphBuffer[skip] > low)
373 ++skip;
374 skip += 8;
375
376 /* now do it again to find the end */
377 end= start;
378 for (i += 3; i < j - 4 ; ++i)
379 {
380 end += tmpbuff[i];
381 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
382 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
383 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
384 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
385 {
386 complete= true;
387 break;
388 }
389 }
390
391 if (start >= 0)
392 PrintAndLog("Found data at sample: %i",skip);
393 else
394 {
395 PrintAndLog("No data found!");
396 PrintAndLog("Try again with more samples.");
397 return 0;
398 }
399
400 if (!complete)
401 {
402 PrintAndLog("*** Warning!");
403 PrintAndLog("Partial data - no end found!");
404 PrintAndLog("Try again with more samples.");
405 }
406
407 /* get rid of leading crap */
408 sprintf(tmp,"%i",skip);
409 CmdLtrim(tmp);
410
411 /* now work through remaining buffer printing out data blocks */
412 block= 0;
413 i= startblock;
414 while (block < 6)
415 {
416 PrintAndLog("Block %i:", block);
417 // mandemod routine needs to be split so we can call it for data
418 // just print for now for debugging
419 CmdManchesterDemod("i 64");
420 skip= 0;
421 /* look for LW before start of next block */
422 for ( ; i < j - 4 ; ++i)
423 {
424 skip += tmpbuff[i];
425 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
426 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
427 break;
428 }
429 while (GraphBuffer[skip] > low)
430 ++skip;
431 skip += 8;
432 sprintf(tmp,"%i",skip);
433 CmdLtrim(tmp);
434 start += skip;
435 block++;
436 }
437 return 0;
438}
439
2d4eae76 440int CmdEM410xWrite(const char *Cmd)
441{
e67b06b7 442 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
7bb9d33e 443 int card = 0xFF; // invalid card value
e67b06b7 444 unsigned int clock = 0; // invalid clock value
445
446 sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
447
448 // Check ID
449 if (id == 0xFFFFFFFFFFFFFFFF) {
450 PrintAndLog("Error! ID is required.\n");
451 return 0;
452 }
453 if (id >= 0x10000000000) {
454 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
455 return 0;
456 }
457
458 // Check Card
459 if (card == 0xFF) {
460 PrintAndLog("Error! Card type required.\n");
461 return 0;
462 }
463 if (card < 0) {
464 PrintAndLog("Error! Bad card type selected.\n");
465 return 0;
466 }
467
468 // Check Clock
469 if (card == 1)
470 {
471 // Default: 64
472 if (clock == 0)
473 clock = 64;
474
475 // Allowed clock rates: 16, 32 and 64
476 if ((clock != 16) && (clock != 32) && (clock != 64)) {
477 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32 and 64.\n", clock);
478 return 0;
479 }
480 }
481 else if (clock != 0)
482 {
483 PrintAndLog("Error! Clock rate is only supported on T55x7 tags.\n");
484 return 0;
485 }
486
487 if (card == 1) {
488 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
489 // NOTE: We really should pass the clock in as a separate argument, but to
490 // provide for backwards-compatibility for older firmware, and to avoid
491 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
492 // the clock rate in bits 8-15 of the card value
493 card = (card & 0xFF) | (((uint64_t)clock << 8) & 0xFF00);
494 }
495 else if (card == 0)
496 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
497 else {
498 PrintAndLog("Error! Bad card type selected.\n");
499 return 0;
500 }
2d4eae76 501
2d4eae76 502 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
503 SendCommand(&c);
504
505 return 0;
506}
507
54a942b0 508int CmdReadWord(const char *Cmd)
509{
510 int Word = 16; //default to invalid word
511 UsbCommand c;
512
513 sscanf(Cmd, "%d", &Word);
514
515 if (Word > 15) {
516 PrintAndLog("Word must be between 0 and 15");
517 return 1;
518 }
519
520 PrintAndLog("Reading word %d", Word);
521
522 c.cmd = CMD_EM4X_READ_WORD;
523 c.d.asBytes[0] = 0x0; //Normal mode
524 c.arg[0] = 0;
525 c.arg[1] = Word;
526 c.arg[2] = 0;
527 SendCommand(&c);
528 return 0;
529}
530
531int CmdReadWordPWD(const char *Cmd)
532{
533 int Word = 16; //default to invalid word
534 int Password = 0xFFFFFFFF; //default to blank password
535 UsbCommand c;
536
537 sscanf(Cmd, "%d %x", &Word, &Password);
538
539 if (Word > 15) {
540 PrintAndLog("Word must be between 0 and 15");
541 return 1;
542 }
543
544 PrintAndLog("Reading word %d with password %08X", Word, Password);
545
546 c.cmd = CMD_EM4X_READ_WORD;
547 c.d.asBytes[0] = 0x1; //Password mode
548 c.arg[0] = 0;
549 c.arg[1] = Word;
550 c.arg[2] = Password;
551 SendCommand(&c);
552 return 0;
553}
554
555int CmdWriteWord(const char *Cmd)
556{
557 int Word = 16; //default to invalid block
558 int Data = 0xFFFFFFFF; //default to blank data
559 UsbCommand c;
560
561 sscanf(Cmd, "%x %d", &Data, &Word);
562
563 if (Word > 15) {
564 PrintAndLog("Word must be between 0 and 15");
565 return 1;
566 }
567
568 PrintAndLog("Writting word %d with data %08X", Word, Data);
569
570 c.cmd = CMD_EM4X_WRITE_WORD;
571 c.d.asBytes[0] = 0x0; //Normal mode
572 c.arg[0] = Data;
573 c.arg[1] = Word;
574 c.arg[2] = 0;
575 SendCommand(&c);
576 return 0;
577}
578
579int CmdWriteWordPWD(const char *Cmd)
580{
581 int Word = 8; //default to invalid word
582 int Data = 0xFFFFFFFF; //default to blank data
583 int Password = 0xFFFFFFFF; //default to blank password
584 UsbCommand c;
585
586 sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
587
588 if (Word > 15) {
589 PrintAndLog("Word must be between 0 and 15");
590 return 1;
591 }
592
593 PrintAndLog("Writting word %d with data %08X and password %08X", Word, Data, Password);
594
595 c.cmd = CMD_EM4X_WRITE_WORD;
596 c.d.asBytes[0] = 0x1; //Password mode
597 c.arg[0] = Data;
598 c.arg[1] = Word;
599 c.arg[2] = Password;
600 SendCommand(&c);
601 return 0;
602}
603
604
605
2d4eae76 606static command_t CommandTable[] =
7fe9b0b7 607{
54a942b0 608 {"help", CmdHelp, 1, "This help"},
4118b74d 609 {"em410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"},
54a942b0 610 {"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"},
611 {"em410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
e67b06b7 612 {"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
613 {"em410xwrite", CmdEM410xWrite, 1, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
54a942b0 614 {"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
615 {"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
616 {"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
617 {"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
618 {"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
7fe9b0b7 619 {NULL, NULL, 0, NULL}
620};
621
622int CmdLFEM4X(const char *Cmd)
623{
624 CmdsParse(CommandTable, Cmd);
625 return 0;
626}
627
628int CmdHelp(const char *Cmd)
629{
630 CmdsHelp(CommandTable);
631 return 0;
632}
Impressum, Datenschutz