1//-----------------------------------------------------------------------------\r
2//\r
3// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
4// at your option, any later version. See the LICENSE.txt file for the text of\r
5// the license.\r
6//-----------------------------------------------------------------------------\r
7// Low frequency T55xx commands\r
8//-----------------------------------------------------------------------------\r
9\r
10#include <stdio.h>\r
11#include <string.h>\r
12#include <inttypes.h>\r
13#include <time.h>\r
14#include "proxmark3.h"\r
15#include "ui.h"\r
16#include "graph.h"\r
17#include "cmdmain.h"\r
18#include "cmdparser.h"\r
19#include "cmddata.h"\r
20#include "cmdlf.h"\r
21#include "cmdlft55xx.h"\r
22#include "util.h"\r
23#include "data.h"\r
24#include "lfdemod.h"\r
25#include "../common/crc.h"\r
26#include "../common/iso14443crc.h"\r
27#include "cmdhf14a.h"\r
28\r
29#define T55x7_CONFIGURATION_BLOCK 0x00\r
30#define T55x7_PAGE0 0x00\r
31#define T55x7_PAGE1 0x01\r
32#define T55x7_PWD 0x00000010\r
33#define REGULAR_READ_MODE_BLOCK 0xFF\r
34\r
// Default configuration: ASK, non-inverted, decode from offset 0, block0 unknown,
// T55x7 (not Q5). This is module-wide mutable state: CmdT55xxSetConfig(),
// tryDetectModulation() and the Get/Set accessors below all read or write it.
t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };
37\r
// Return a copy of the module-wide T55xx demodulation configuration.
// The caller gets a by-value snapshot; later Set_t55xx_Config() calls do not affect it.
t55xx_conf_block_t Get_t55xx_Config(void){
	t55xx_conf_block_t snapshot = config;
	return snapshot;
}
// Replace the module-wide T55xx demodulation configuration with conf (copied by value).
void Set_t55xx_Config(t55xx_conf_block_t conf){
	t55xx_conf_block_t incoming = conf;
	config = incoming;
}
44\r
// Help text for 'lf t55xx config'. Always returns 0 so callers can `return usage_t55xx_config();`.
int usage_t55xx_config(void){
	static const char *const lines[] = {
		"Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]",
		"Options:",
		" h This help",
		" b <8|16|32|40|50|64|100|128> Set bitrate",
		" d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A",
		" i [1] Invert data signal, defaults to normal",
		" o [offset] Set offset, where data should start decode in bitstream",
		" Q5 Set as Q5(T5555) chip instead of T55x7",
		"",
		"Examples:",
		" lf t55xx config d FSK - FSK demodulation",
		" lf t55xx config d FSK i 1 - FSK demodulation, inverse data",
		" lf t55xx config d FSK i 1 o 3 - FSK demodulation, inverse data, offset=3,start from position 3 to decode data",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx read'. Always returns 0 so callers can `return usage_t55xx_read();`.
int usage_t55xx_read(void){
	static const char *const lines[] = {
		"Usage: lf t55xx read [b <block>] [p <password>] <override_safety> <page1>",
		"Options:",
		" b <block> - block number to read. Between 0-7",
		" p <password> - OPTIONAL password (8 hex characters)",
		" o - OPTIONAL override safety check",
		" 1 - OPTIONAL read Page 1 instead of Page 0",
		" ****WARNING****",
		" Use of read with password on a tag not configured for a pwd",
		" can damage the tag",
		"",
		"Examples:",
		" lf t55xx read b 0 - read data from block 0",
		" lf t55xx read b 0 p feedbeef - read data from block 0 password feedbeef",
		" lf t55xx read b 0 p feedbeef o - read data from block 0 password feedbeef safety check",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx write'. Always returns 0 so callers can `return usage_t55xx_write();`.
int usage_t55xx_write(void){
	static const char *const lines[] = {
		"Usage: lf t55xx wr [b <block>] [d <data>] [p <password>] [1]",
		"Options:",
		" b <block> - block number to write. Between 0-7",
		" d <data> - 4 bytes of data to write (8 hex characters)",
		" p <password> - OPTIONAL password 4bytes (8 hex characters)",
		" 1 - OPTIONAL write Page 1 instead of Page 0",
		"",
		"Examples:",
		" lf t55xx write b 3 d 11223344 - write 11223344 to block 3",
		" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx trace'. Always returns 0 so callers can `return usage_t55xx_trace();`.
int usage_t55xx_trace(void) {
	static const char *const lines[] = {
		"Usage: lf t55xx trace [1]",
		"Options:",
		" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.",
		"",
		"Examples:",
		" lf t55xx trace",
		" lf t55xx trace 1",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx info'. Always returns 0 so callers can `return usage_t55xx_info();`.
int usage_t55xx_info(void) {
	static const char *const lines[] = {
		"Usage: lf t55xx info [1]",
		"Options:",
		" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.",
		"",
		"Examples:",
		" lf t55xx info",
		" lf t55xx info 1",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx dump'. Always returns 0 so callers can `return usage_t55xx_dump();`.
int usage_t55xx_dump(void){
	static const char *const lines[] = {
		"Usage: lf t55xx dump <password> [o]",
		"Options:",
		" <password> - OPTIONAL password 4bytes (8 hex symbols)",
		" o - OPTIONAL override, force pwd read despite danger to card",
		"",
		"Examples:",
		" lf t55xx dump",
		" lf t55xx dump feedbeef o",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx detect'. Always returns 0 so callers can `return usage_t55xx_detect();`.
int usage_t55xx_detect(void){
	static const char *const lines[] = {
		"Usage: lf t55xx detect [1] [p <password>]",
		"Options:",
		" 1 - if set, use Graphbuffer otherwise read data from tag.",
		" p <password> - OPTIONAL password (8 hex characters)",
		"",
		"Examples:",
		" lf t55xx detect",
		" lf t55xx detect 1",
		" lf t55xx detect p 11223344",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx wakeup'. Always returns 0 so callers can `return usage_t55xx_wakup();`.
int usage_t55xx_wakup(void){
	static const char *const lines[] = {
		"Usage: lf t55xx wakeup [h] p <password>",
		"This commands send the Answer-On-Request command and leaves the readerfield ON afterwards.",
		"Options:",
		" h - this help",
		" p <password> - password 4bytes (8 hex symbols)",
		"",
		"Examples:",
		" lf t55xx wakeup p 11223344 - send wakeup password",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
// Help text for 'lf t55xx bruteforce'. Always returns 0 so callers can `return usage_t55xx_bruteforce();`.
int usage_t55xx_bruteforce(void){
	static const char *const lines[] = {
		"Usage: lf t55xx bruteforce <start password> <end password>",
		" password must be 4 bytes (8 hex symbols)",
		"Examples:",
		" lf t55xx bruteforce aaaaaaaa bbbbbbbb",
		"",
	};
	// Each line is passed as a "%s" argument, never as the format string.
	for (size_t k = 0; k < sizeof(lines) / sizeof(lines[0]); ++k)
		PrintAndLog("%s", lines[k]);
	return 0;
}
160\r
161static int CmdHelp(const char *Cmd);\r
162\r
// Print the table header that precedes the printT55xxBlock() rows.
// page: page number shown in the "Reading Page N:" line (callers pass 0 or 1).
void printT5xxHeader(uint8_t page){
	static const char *const columns[] = {
		"blk | hex data | binary",
		"----+----------+---------------------------------",
	};
	PrintAndLog("Reading Page %d:", page);
	for (size_t k = 0; k < sizeof(columns) / sizeof(columns[0]); ++k)
		PrintAndLog("%s", columns[k]);
}
168\r
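// Bounded copy of the paramnum-th whitespace-separated token of line into dst.
// Replaces the unbounded param_getstr() copy that CmdT55xxSetConfig used for the
// modulation name: param_getstr() writes the whole token into the caller's buffer
// with no size argument, so a user token longer than the buffer overflowed the stack.
// Tokens are separated by spaces or tabs, which mirrors the tokenisation of the
// other param_* helpers (assumed - confirm against util.c if it ever changes).
// Returns the number of characters stored (0 when the token is missing); dst is
// always NUL-terminated and truncated to dstlen-1 characters.
static size_t t55xx_copy_token(const char *line, int paramnum, char *dst, size_t dstlen) {
	if (dst == NULL || dstlen == 0) return 0;
	dst[0] = '\0';
	if (line == NULL) return 0;

	const char *p = line;
	while (*p == ' ' || *p == '\t') p++;
	for (int i = 0; i < paramnum; i++) {
		while (*p != '\0' && *p != ' ' && *p != '\t') p++;
		while (*p == ' ' || *p == '\t') p++;
	}
	size_t len = 0;
	while (p[len] != '\0' && p[len] != ' ' && p[len] != '\t') len++;
	if (len >= dstlen) len = dstlen - 1;  // truncate instead of overflowing
	memcpy(dst, p, len);
	dst[len] = '\0';
	return len;
}

// 'lf t55xx config' - update the module-wide demodulation config from the command line.
//   b <rate>  bit rate, must be one of the eight T55x7 rates (stored as a table index)
//   d <name>  demodulation; FSK1/FSK1a/FSK2/FSK2a/BI/BIa also imply an inverted flag
//   i 1       invert the data signal
//   o <n>     bit offset at which decoding starts
//   Q5        treat the chip as a Q5/T5555 (opt-in: omitted means T55x7)
// With no arguments the current configuration is printed and nothing is changed.
// Returns the result of printConfiguration() (0) or usage_t55xx_config() (0) on errors.
int CmdT55xxSetConfig(const char *Cmd) {
	// Modulation names -> config values. inverted < 0 means "leave config.inverted as is".
	static const struct { const char *name; int mod; int inverted; } mod_table[] = {
		{ "FSK",   DEMOD_FSK,   -1 },
		{ "FSK1",  DEMOD_FSK1,   1 },
		{ "FSK1a", DEMOD_FSK1a,  0 },
		{ "FSK2",  DEMOD_FSK2,   0 },
		{ "FSK2a", DEMOD_FSK2a,  1 },
		{ "ASK",   DEMOD_ASK,   -1 },
		{ "NRZ",   DEMOD_NRZ,   -1 },
		{ "PSK1",  DEMOD_PSK1,  -1 },
		{ "PSK2",  DEMOD_PSK2,  -1 },
		{ "PSK3",  DEMOD_PSK3,  -1 },
		{ "BIa",   DEMOD_BIa,    1 },
		{ "BI",    DEMOD_BI,     0 },
	};
	const size_t mod_count = sizeof(mod_table) / sizeof(mod_table[0]);
	// Valid bit rates; config.bitrate holds the INDEX into this table (the same
	// indexing DecodeT55xxBlock() and testBitRate() use). The old table carried a
	// trailing 0 sentinel, so "b 0" silently produced index 8 - out of range.
	static const uint8_t rates[8] = {8,16,32,40,50,64,100,128};
	const size_t rate_count = sizeof(rates) / sizeof(rates[0]);

	// No arguments: print only. Checked before anything is modified.
	if (param_getchar(Cmd, 0) == 0x00) return printConfiguration(config);

	uint8_t offset = 0;
	char modulation[8] = {0};  // longest valid name is "FSK1a" (5 chars); copy is bounded
	uint8_t bitRate = 0;
	uint8_t cmdp = 0;
	bool errors = FALSE;
	// Q5 is opt-in on every invocation: leaving 'Q5' out resets it to T55x7.
	config.Q5 = FALSE;

	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch (param_getchar(Cmd, cmdp)) {
			case 'h':
			case 'H':
				return usage_t55xx_config();
			case 'b': {
				errors |= param_getdec(Cmd, cmdp+1, &bitRate);
				if (!errors) {
					size_t i;
					for (i = 0; i < rate_count; i++) {
						if (rates[i] == bitRate) {
							config.bitrate = i;
							break;
						}
					}
					if (i == rate_count) errors = TRUE;  // not a supported rate
				}
				cmdp += 2;
				break;
			}
			case 'd': {
				t55xx_copy_token(Cmd, cmdp+1, modulation, sizeof(modulation));
				cmdp += 2;
				size_t k;
				for (k = 0; k < mod_count; k++) {
					if (strcmp(modulation, mod_table[k].name) == 0) break;
				}
				if (k == mod_count) {
					PrintAndLog("Unknown modulation '%s'", modulation);
					errors = TRUE;
					break;
				}
				config.modulation = mod_table[k].mod;
				if (mod_table[k].inverted >= 0)
					config.inverted = mod_table[k].inverted;
				break;
			}
			case 'i':
				config.inverted = param_getchar(Cmd, cmdp+1) == '1';
				cmdp += 2;
				break;
			case 'o':
				errors |= param_getdec(Cmd, cmdp+1, &offset);
				if (!errors)
					config.offset = offset;
				cmdp += 2;
				break;
			case 'Q':
			case 'q':
				// token is "Q5"; only its first character is inspected
				config.Q5 = TRUE;
				cmdp++;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
				errors = TRUE;
				break;
		}
	}

	if (errors) return usage_t55xx_config();

	// block0 is only known from a real read/detect; a manually set config invalidates it.
	config.block0 = 0;
	return printConfiguration(config);
}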
271\r
// Acquire one block from the tag, demodulate it with the current config and print
// it as one row of the block table (see printT5xxHeader()).
//   block    block number (REGULAR_READ_MODE_BLOCK for the regular-read stream)
//   page1    read page 1 instead of page 0
//   usepwd   send password; subject to the safety check unless override is set
// Returns 1 on success, 0 on any failure (no data, no decode, or the safety check
// refusing the password read).
int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){
	if (usepwd && !override) {
		// Safety check before sending a password: read the config block (page 0,
		// block 0) without one and see whether it demodulates.
		// NOTE(review): the PWD bit of block0 itself is never inspected here; the
		// check appears to rely on a password-protected tag not yielding a decodable
		// config block, so a successful detection is treated as "no password set".
		// Confirm that assumption against the tag behaviour before relying on it.
		if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0)) return 0;

		if (!tryDetectModulation()) {
			PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
			return 0;
		}
		PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");
		usepwd = false;
		page1 = false;
	} else if (usepwd) {
		PrintAndLog("Safety Check Overriden - proceeding despite risk");
	}

	if (!AquireData(page1, block, usepwd, password)) return 0;
	if (!DecodeT55xxBlock()) return 0;

	char label[10] = {0};
	snprintf(label, sizeof(label), "%02d", block);
	printT55xxBlock(label);
	return 1;
}
301\r
// 'lf t55xx read' - parse options and read one block via T55xxReadBlock().
//   b <block>  block 0-7 (default: regular-read mode block)
//   p <pwd>    password as hex; enables password mode
//   o          override the password safety check
//   1          read page 1
// Returns usage_t55xx_read() on bad options, 0 on a bad block number, else the
// result of T55xxReadBlock().
int CmdT55xxReadBlock(const char *Cmd) {
	uint8_t blk = REGULAR_READ_MODE_BLOCK;
	uint32_t pwd = 0;
	bool usepwd = false, override = false, page1 = false, bad = false;
	uint8_t pos = 0;

	for (;;) {
		char opt = param_getchar(Cmd, pos);
		if (opt == 0x00 || bad) break;
		switch (opt) {
			case 'h':
			case 'H':
				return usage_t55xx_read();
			case 'b':
			case 'B':
				bad |= param_getdec(Cmd, pos+1, &blk);
				pos += 2;
				break;
			case 'o':
			case 'O':
				override = TRUE;
				pos++;
				break;
			case 'p':
			case 'P':
				pwd = param_get32ex(Cmd, pos+1, 0, 16);
				usepwd = true;
				pos += 2;
				break;
			case '1':
				page1 = true;
				pos++;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, pos));
				bad = true;
				break;
		}
	}
	if (bad) return usage_t55xx_read();

	// The regular-read sentinel is the only value above 7 that is accepted.
	if (blk > 7 && blk != REGULAR_READ_MODE_BLOCK) {
		PrintAndLog("Block must be between 0 and 7");
		return 0;
	}

	printT5xxHeader(page1);
	return T55xxReadBlock(blk, page1, usepwd, override, pwd);
}
351\r
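// Demodulate the graph buffer into DemodBuffer using the current config
// (modulation, bit rate, inverted flag). DemodBufferLen is reset first.
// Returns TRUE when the selected demodulator reported success, FALSE for an
// unknown modulation, an invalid bit-rate index, or a failed demodulation.
bool DecodeT55xxBlock(void){
	char buf[30] = {0x00};
	int ans = 0;
	// config.bitrate is an INDEX into this table (see CmdT55xxSetConfig/testBitRate).
	static const uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};
	const size_t rate_count = sizeof(bitRate) / sizeof(bitRate[0]);
	DemodBufferLen = 0x00;

	// Guard the table lookup: an out-of-range index read past bitRate[] before.
	if ((size_t)config.bitrate >= rate_count) {
		PrintAndLog("Invalid bit rate index %d in configuration", (int)config.bitrate);
		return FALSE;
	}
	const int clk = bitRate[config.bitrate];
	const int inv = config.inverted;

	switch (config.modulation) {
		case DEMOD_FSK:
			snprintf(buf, sizeof(buf), "%d %d", clk, inv);
			ans = FSKrawDemod(buf, FALSE);
			break;
		case DEMOD_FSK1:
		case DEMOD_FSK1a:
			// field clocks 8/5
			snprintf(buf, sizeof(buf), "%d %d 8 5", clk, inv);
			ans = FSKrawDemod(buf, FALSE);
			break;
		case DEMOD_FSK2:
		case DEMOD_FSK2a:
			// field clocks 10/8
			snprintf(buf, sizeof(buf), "%d %d 10 8", clk, inv);
			ans = FSKrawDemod(buf, FALSE);
			break;
		case DEMOD_ASK:
			snprintf(buf, sizeof(buf), "%d %d 1", clk, inv);
			ans = ASKDemod(buf, FALSE, FALSE, 1);
			break;
		case DEMOD_PSK1:
			// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
			CmdLtrim("160");
			snprintf(buf, sizeof(buf), "%d %d 6", clk, inv);
			ans = PSKDemod(buf, FALSE);
			break;
		case DEMOD_PSK2: // inverted won't affect this
		case DEMOD_PSK3: // not fully implemented
			// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
			CmdLtrim("160");
			snprintf(buf, sizeof(buf), "%d 0 6", clk);
			ans = PSKDemod(buf, FALSE);
			// PSK2/PSK3 are derived from the PSK1 demodulation
			psk1TOpsk2(DemodBuffer, DemodBufferLen);
			break;
		case DEMOD_NRZ:
			snprintf(buf, sizeof(buf), "%d %d 1", clk, inv);
			ans = NRZrawDemod(buf, FALSE);
			break;
		case DEMOD_BI:
		case DEMOD_BIa:
			snprintf(buf, sizeof(buf), "0 %d %d 1", clk, inv);
			ans = ASKbiphaseDemod(buf, FALSE);
			break;
		default:
			return FALSE;
	}
	return (bool) ans;
}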
407\r
// 'lf t55xx detect' - auto-detect the tag configuration.
//   p <pwd>  read the config block using this password
//   1        use the data already in the graph buffer instead of reading the tag
// Returns usage_t55xx_detect() on bad options, 0 if the tag could not be read,
// otherwise 1 (also when no modulation could be detected; a message is printed).
int CmdT55xxDetect(const char *Cmd){
	bool bad = false, fromGraph = false, usepwd = false;
	uint32_t pwd = 0;
	uint8_t pos = 0;

	for (char opt = param_getchar(Cmd, pos); opt != 0x00 && !bad; opt = param_getchar(Cmd, pos)) {
		switch (opt) {
			case 'h':
			case 'H':
				return usage_t55xx_detect();
			case 'p':
			case 'P':
				pwd = param_get32ex(Cmd, pos+1, 0, 16);
				usepwd = TRUE;
				pos += 2;
				break;
			case '1':
				// use Graphbuffer data
				fromGraph = TRUE;
				pos++;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, pos));
				bad = true;
				break;
		}
	}
	if (bad) return usage_t55xx_detect();

	if (!fromGraph && !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, pwd))
		return 0;

	if (!tryDetectModulation())
		PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");

	return 1;
}
450\r
// Auto-detect the tag's modulation, bit rate and decode offset from the graph
// buffer: every demodulator the T55xx can be configured for is tried and the
// result is accepted when test() parses it as a valid configuration block.
// Candidates are collected in tests[]; exactly one hit is adopted into the global
// config and printed, several hits are only listed for the user.
// Returns TRUE only when a single unambiguous configuration was found.
//
// Order matters: the demodulators and CmdLtrim() modify the graph buffer and
// DemodBuffer in place, so the buffer is saved once (save_restoreGB(1)) and
// restored (save_restoreGB(0)) before switching to the next demodulator family.
bool tryDetectModulation(){
	uint8_t hits = 0;
	// at most 10 candidates are produced below (2 FSK, or 4 ASK/BI + 2 NRZ + 4 PSK)
	t55xx_conf_block_t tests[15];
	int bitRate=0;
	uint8_t fc1 = 0, fc2 = 0, clk=0;
	save_restoreGB(1);

	if (GetFskClock("", FALSE, FALSE)){
		// FSK: the field-clock pair selects the FSK1/FSK1a vs FSK2/FSK2a variant;
		// plain DEMOD_FSK is kept for any other pair.
		fskClocks(&fc1, &fc2, &clk, FALSE);
		// non-inverted
		if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
			tests[hits].modulation = DEMOD_FSK;
			if (fc1==8 && fc2 == 5)
				tests[hits].modulation = DEMOD_FSK1a;
			else if (fc1==10 && fc2 == 8)
				tests[hits].modulation = DEMOD_FSK2;
			tests[hits].bitrate = bitRate;
			tests[hits].inverted = FALSE;
			tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
			++hits;
		}
		// inverted
		if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
			tests[hits].modulation = DEMOD_FSK;
			if (fc1 == 8 && fc2 == 5)
				tests[hits].modulation = DEMOD_FSK1;
			else if (fc1 == 10 && fc2 == 8)
				tests[hits].modulation = DEMOD_FSK2a;

			tests[hits].bitrate = bitRate;
			tests[hits].inverted = TRUE;
			tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
			++hits;
		}
	} else {
		// Not FSK: try ASK / biphase, then NRZ, then PSK, each on a fresh buffer.
		clk = GetAskClock("", FALSE, FALSE);
		if (clk>0) {
			if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
				tests[hits].modulation = DEMOD_ASK;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = FALSE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
			if ( ASKDemod("0 1 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
				tests[hits].modulation = DEMOD_ASK;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = TRUE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
			if ( ASKbiphaseDemod("0 0 0 2", FALSE) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
				tests[hits].modulation = DEMOD_BI;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = FALSE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
			if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
				tests[hits].modulation = DEMOD_BIa;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = TRUE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
		}
		//undo trim from ask
		save_restoreGB(0);
		clk = GetNrzClock("", FALSE, FALSE);
		if (clk>0) {
			if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
				tests[hits].modulation = DEMOD_NRZ;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = FALSE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}

			if ( NRZrawDemod("0 1 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
				tests[hits].modulation = DEMOD_NRZ;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = TRUE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
		}

		//undo trim from nrz
		save_restoreGB(0);
		// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
		CmdLtrim("160");
		clk = GetPskClock("", FALSE, FALSE);
		if (clk>0) {
			if ( PSKDemod("0 0 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
				tests[hits].modulation = DEMOD_PSK1;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = FALSE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
			if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
				tests[hits].modulation = DEMOD_PSK1;
				tests[hits].bitrate = bitRate;
				tests[hits].inverted = TRUE;
				tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
				++hits;
			}
			// PSK2 - needs a call to psk1TOpsk2.
			if ( PSKDemod("0 0 6", FALSE)) {
				psk1TOpsk2(DemodBuffer, DemodBufferLen);
				if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
					tests[hits].modulation = DEMOD_PSK2;
					tests[hits].bitrate = bitRate;
					tests[hits].inverted = FALSE;
					tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
					++hits;
				}
			} // inverse waves does not affect this demod
			// PSK3 - needs a call to psk1TOpsk2.
			// NOTE: identical demodulation to the PSK2 attempt above; only the mode
			// passed to test() differs, so both may match the same data.
			if ( PSKDemod("0 0 6", FALSE)) {
				psk1TOpsk2(DemodBuffer, DemodBufferLen);
				if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
					tests[hits].modulation = DEMOD_PSK3;
					tests[hits].bitrate = bitRate;
					tests[hits].inverted = FALSE;
					tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
					++hits;
				}
			} // inverse waves does not affect this demod
		}
	}
	// restore the graph buffer after the last trim
	save_restoreGB(0);
	// Single match: adopt it as the active configuration.
	if ( hits == 1) {
		config.modulation = tests[0].modulation;
		config.bitrate = tests[0].bitrate;
		config.inverted = tests[0].inverted;
		config.offset = tests[0].offset;
		config.block0 = tests[0].block0;
		printConfiguration( config );
		return TRUE;
	}

	// Ambiguous: list every candidate and leave config untouched.
	if ( hits > 1) {
		PrintAndLog("Found [%d] possible matches for modulation.",hits);
		for(int i=0; i<hits; ++i){
			PrintAndLog("--[%d]---------------", i+1);
			printConfiguration( tests[i] );
		}
	}
	return FALSE;
}
601\r
// Does the 5-bit modulation field read from a T55x7 config block (modread)
// match the demodulator we used (mode)? For DEMOD_FSK any of the FSK sub-types
// FSK1..FSK2a is accepted; for the other known modes the field must match exactly.
// Unknown modes return FALSE.
bool testModulation(uint8_t mode, uint8_t modread){
	switch (mode) {
		case DEMOD_FSK:
			return (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) ? TRUE : FALSE;
		case DEMOD_ASK:
		case DEMOD_PSK1:
		case DEMOD_PSK2:
		case DEMOD_PSK3:
		case DEMOD_NRZ:
		case DEMOD_BI:
		case DEMOD_BIa:
			return (modread == mode) ? TRUE : FALSE;
		default:
			return FALSE;
	}
}
633\r
// Does the 3-bit modulation field read from a Q5 (T5555) config block (modread)
// match the demodulator we used (mode)? The Q5 field encoding differs from the
// T55x7 one: ASK=0, PSK1=1, PSK2=2, PSK3=3, FSK=4 or 5, biphase=6, NRZ=7.
// DEMOD_BIa and unknown modes return FALSE.
bool testQ5Modulation(uint8_t mode, uint8_t modread){
	uint8_t want;
	switch (mode) {
		case DEMOD_FSK:
			return (modread == 4 || modread == 5) ? TRUE : FALSE;
		case DEMOD_ASK:  want = 0; break;
		case DEMOD_PSK1: want = 1; break;
		case DEMOD_PSK2: want = 2; break;
		case DEMOD_PSK3: want = 3; break;
		case DEMOD_NRZ:  want = 7; break;
		case DEMOD_BI:   want = 6; break;
		default:
			return FALSE;
	}
	return (modread == want) ? TRUE : FALSE;
}
662\r
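// Look for a valid Q5 (T5555) configuration block in DemodBuffer, trying every
// start position 28..63 (the buffer must hold at least 64 bits).
// On success *offset receives the start position and *fndBitRate the bit-rate
// INDEX into {8,16,32,40,50,64,100,128} - the same meaning test() stores, so
// config.bitrate stays a valid index for DecodeT55xxBlock() and printConfiguration().
// Previously the raw rate value (e.g. 64) was stored here, which indexed past
// those tables. Rates not present in the table are rejected.
// Only rates equal to clk (the clock the demodulator measured) are accepted.
// NOTE(review): only DemodBufferLen >= 64 is checked, but fields up to idx+30
// are read (up to bit 93); whether that is within DemodBuffer's capacity and
// meaningful data is not visible here.
bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){
	static const uint8_t rates[8] = {8,16,32,40,50,64,100,128};
	const size_t rate_count = sizeof(rates) / sizeof(rates[0]);

	if (DemodBufferLen < 64) return FALSE;
	for (uint8_t idx = 28; idx < 64; idx++){
		// an all-zero 28-bit window cannot be a config block
		if (PackBits(idx, 28, DemodBuffer) == 0x00) continue;

		uint8_t safer = PackBits(idx, 4, DemodBuffer);      // master key
		uint8_t resv  = PackBits(idx + 4, 8, DemodBuffer);  // reserved nibbles, must be zero
		if (safer != 0x6) continue;
		if (resv > 0x00) continue;
		// idx+12: pageSel (1), fastWrite (1) - not checked
		int bitRate = PackBits(idx + 14, 5, DemodBuffer) * 2 + 2;  // bit rate
		if (bitRate > 128 || bitRate < 8) continue;
		// idx+19: AOR (1), PWD (1), pskcr (2), inverse (1) - not checked
		uint8_t modread = PackBits(idx + 24, 3, DemodBuffer);
		uint8_t maxBlk  = PackBits(idx + 27, 3, DemodBuffer);
		// idx+30: ST (1) - not checked
		if (maxBlk == 0) continue;
		if (!testQ5Modulation(mode, modread)) continue;
		if (bitRate != clk) continue;

		// Map the raw rate onto the shared table index; skip rates we cannot represent.
		int rateIdx = -1;
		for (size_t k = 0; k < rate_count; k++) {
			if (rates[k] == bitRate) { rateIdx = (int)k; break; }
		}
		if (rateIdx < 0) continue;

		*fndBitRate = rateIdx;
		*offset = idx;
		return TRUE;
	}
	return FALSE;
}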
701\r
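// Does the 3-bit rate field of a T55x7 config block (readRate, an index into the
// rate table) correspond to the clock the demodulator measured (clk)?
// Indices outside the table return false instead of reading past it; callers
// currently pass a 3-bit field but the function must not rely on that.
bool testBitRate(uint8_t readRate, uint8_t clk){
	static const uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
	if (readRate >= sizeof(expected) / sizeof(expected[0])) return false;
	return expected[readRate] == clk;
}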
709\r
// Look for a valid T55x7 configuration block in DemodBuffer, trying every start
// position 28..63 (the buffer must hold at least 64 bits); falls back to the Q5
// layout via testQ5() when no T55x7 block matches.
//   mode        demodulator that produced DemodBuffer (checked against the block)
//   offset      out: start position of the block
//   fndBitRate  out: bit-rate index (0..7) into the rate table
//   clk         clock the demodulator measured; must agree with the block's rate
//   Q5          out: TRUE when the match came from the Q5 layout
// Returns TRUE on a match. In non-extended mode the "normally zero" bits
// (extended-rate bits, bit 24, bits 30-31) must all be clear.
bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){
	if (DemodBufferLen < 64) return FALSE;

	for (uint8_t idx = 28; idx < 64; idx++){
		// an all-zero 28-bit window cannot be a config block
		if (PackBits(idx, 28, DemodBuffer) == 0x00) continue;

		// Fixed field positions relative to the candidate start.
		const uint8_t safer = PackBits(idx, 4, DemodBuffer);       // master key
		const uint8_t resv  = PackBits(idx + 4, 4, DemodBuffer);   // reserved nibble, must be zero
		// most candidates fail here, so test it before reading the rest
		if (resv > 0x00) continue;

		const uint8_t xtRate  = PackBits(idx + 8, 3, DemodBuffer);   // extended-mode part of the rate
		const int     bitRate = PackBits(idx + 11, 3, DemodBuffer);  // bit rate index (3 bits: always 0..7)
		const uint8_t extend  = PackBits(idx + 14, 1, DemodBuffer);  // bit 15: extended mode
		const uint8_t modread = PackBits(idx + 15, 5, DemodBuffer);  // modulation
		// idx+20: pskcr (2), AOR (1) - not checked
		const uint8_t nml01   = PackBits(idx + 23, 1, DemodBuffer);  // bit 24, zero unless extended mode
		// idx+24: maxblock (3), PWD (1), ST (1) - not checked
		const uint8_t nml02   = PackBits(idx + 29, 2, DemodBuffer);  // bits 30-31, zero unless extended mode

		const bool extMode = ((safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;
		if (!extMode && (nml01 || nml02 || xtRate)) continue;

		if (!testModulation(mode, modread)) continue;
		if (!testBitRate(bitRate, clk)) continue;

		*fndBitRate = bitRate;
		*offset = idx;
		*Q5 = FALSE;
		return TRUE;
	}

	if (testQ5(mode, offset, fndBitRate, clk)) {
		*Q5 = TRUE;
		return TRUE;
	}
	return FALSE;
}
753\r
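// Print the 32 bits of DemodBuffer that start at config.offset as one table row:
// "<blockNum> | <hex> | <binary>". Prints nothing when the demod buffer is empty,
// and an explanatory message when the offset leaves fewer than 32 bits.
// The bound is computed in size_t: with the previous uint8_t arithmetic an
// offset above 223 wrapped and the check could pass for an out-of-range window.
void printT55xxBlock(const char *blockNum){
	const size_t start = config.offset;
	const size_t endpos = start + 32;
	uint8_t bits[32] = {0x00};

	if (!DemodBufferLen) return;

	if (endpos > DemodBufferLen) {
		// cast so the format matches regardless of DemodBufferLen's integer type
		PrintAndLog("The configured offset %d is too big. Possible offset: %d", (int)start, (int)DemodBufferLen - 32);
		return;
	}

	for (size_t i = start; i < endpos; ++i)
		bits[i - start] = DemodBuffer[i];

	uint32_t blockData = PackBits(0, 32, bits);

	PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits, 32));
}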
775\r
// Debug helper: print the 32-bit word found at every start offset 0..63 of
// DemodBuffer, as hex and binary, so a decode offset can be picked by eye.
// Cmd is unused. Always returns 0.
int special(const char *Cmd) {
	(void)Cmd;
	uint8_t window[32] = {0x00};

	PrintAndLog("OFFSET | DATA | BINARY");
	PrintAndLog("----------------------------------------------------");
	for (int start = 0; start < 64; ++start) {
		for (int k = 0; k < 32; ++k)
			window[k] = DemodBuffer[start + k];

		uint32_t word = PackBits(0, 32, window);
		PrintAndLog("%02d | 0x%08X | %s", start, word, sprint_bin(window, 32));
	}
	return 0;
}
794\r
// Print one configuration record (chip type, modulation, bit rate, inverted
// flag, decode offset and raw block0) followed by a blank line. Returns 0 so
// command handlers can `return printConfiguration(config);`.
int printConfiguration(t55xx_conf_block_t b){
	const char *chip = b.Q5 ? "T5555(Q5)" : "T55x7";
	const char *inv = b.inverted ? "Yes" : "No";

	PrintAndLog("Chip Type : %s", chip);
	PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation));
	PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate));
	PrintAndLog("Inverted : %s", inv);
	PrintAndLog("Offset : %d", b.offset);
	PrintAndLog("Block0 : 0x%08X", b.block0);
	PrintAndLog("");
	return 0;
}
805\r
// 'lf t55xx wakeup' - send the Answer-On-Request (wake-up) command with the given
// password; the device leaves the reader field on afterwards.
//   p <pwd>  password as hex (defaults to 0 when omitted)
// Returns usage_t55xx_wakup() on bad options, otherwise 0 once the command is sent.
int CmdT55xxWakeUp(const char *Cmd) {
	uint32_t pwd = 0;
	uint8_t pos = 0;
	bool bad = false;

	for (char opt = param_getchar(Cmd, pos); opt != 0x00 && !bad; opt = param_getchar(Cmd, pos)) {
		switch (opt) {
			case 'h':
			case 'H':
				return usage_t55xx_wakup();
			case 'p':
			case 'P':
				pwd = param_get32ex(Cmd, pos+1, 0, 16);
				pos += 2;
				bad = false;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, pos));
				bad = true;
				break;
		}
	}
	if (bad) return usage_t55xx_wakup();

	UsbCommand c = {CMD_T55XX_WAKEUP, {pwd, 0, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	PrintAndLog("Wake up command sent. Try read now");
	return 0;
}
835\r
// 'lf t55xx write' - write one 32-bit word to a block.
//   b <block>  block 0-7 (required; default is an invalid block)
//   d <data>   the word to write, as hex (required)
//   p <pwd>    password as hex; enables password mode
//   1          write to page 1
// The device command carries data/block in arg[0..1], the password in arg[2]
// and flag bits in d.asBytes[0] (0x2 = page 1, 0x1 = password mode).
// Returns usage_t55xx_write() on bad/missing options, 0 on a bad block or a
// missing ACK from the device, 1 when the device acknowledged the write.
int CmdT55xxWriteBlock(const char *Cmd) {
	uint8_t blk = 0xFF;       // default to invalid block
	uint32_t value = 0;
	uint32_t pwd = 0;
	bool usepwd = false, page1 = false, gotdata = false, bad = false;
	uint8_t pos = 0;

	for (char opt = param_getchar(Cmd, pos); opt != 0x00 && !bad; opt = param_getchar(Cmd, pos)) {
		switch (opt) {
			case 'h':
			case 'H':
				return usage_t55xx_write();
			case 'b':
			case 'B':
				bad |= param_getdec(Cmd, pos+1, &blk);
				pos += 2;
				break;
			case 'd':
			case 'D':
				value = param_get32ex(Cmd, pos+1, 0, 16);
				gotdata = true;
				pos += 2;
				break;
			case 'p':
			case 'P':
				pwd = param_get32ex(Cmd, pos+1, 0, 16);
				usepwd = true;
				pos += 2;
				break;
			case '1':
				page1 = true;
				pos++;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, pos));
				bad = true;
				break;
		}
	}
	if (bad || !gotdata) return usage_t55xx_write();

	if (blk > 7) {
		PrintAndLog("Block number must be between 0 and 7");
		return 0;
	}

	// Flag byte: bit 1 = page 1, bit 0 = password mode.
	uint8_t flags = page1 ? 0x2 : 0;
	if (usepwd) flags |= 0x1;

	UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {value, blk, usepwd ? pwd : 0}};
	UsbCommand resp;
	c.d.asBytes[0] = flags;

	char pwdStr[16] = {0};   // "pwd: 0x" + 8 hex digits + NUL = 16
	snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", pwd);

	PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, blk, value, usepwd ? pwdStr : "");

	clearCommandBuffer();
	SendCommand(&c);
	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
		PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");
		return 0;
	}
	return 1;
}
906\r
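int CmdT55xxReadTrace(const char *Cmd) {
	/*
	 * lf t55xx trace [1]
	 *
	 * Decodes the traceability data held in page 1, blocks 0-1, and prints
	 * its fields (ACL, MFC, CID, IC revision, manufacturing year/quarter,
	 * lot, wafer, die). With no argument page 1 is read from the device
	 * first; with one argument the buffer already held by the client is
	 * decoded instead.
	 *
	 * Returns 0 in every case; problems are reported through PrintAndLog.
	 */
	char cmdp = param_getchar(Cmd, 0);
	bool pwdmode = false;
	uint32_t password = 0;
	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();

	// Page 1 is requested in regular (non-password) read mode.
	if (strlen(Cmd) == 0)
		if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )
			return 0;

	if (!DecodeT55xxBlock()) return 0;

	if ( !DemodBufferLen) return 0;

	RepaintGraphWindow();

	// NOTE(review): offsets above 5 skip one extra 32-bit block before the
	// trace data; presumably the decoder then sits on a later repetition of
	// the stream - confirm against DecodeT55xxBlock.
	uint8_t repeat = 0;
	if (config.offset > 5)
		repeat = 32;
	uint8_t si = config.offset+repeat;

	// Raw 32-bit words of trace block 0 and 1, dumped at the end.
	// NOTE(review): 64 bits are consumed from si onwards but only
	// DemodBufferLen != 0 is checked; a shorter demod buffer yields stale
	// bits here - confirm whether a `DemodBufferLen < si + 64` guard is wanted.
	uint32_t bl1 = PackBits(si, 32, DemodBuffer);
	uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);

	// Field widths follow the layout table at the bottom of this function.
	uint32_t acl = PackBits(si, 8, DemodBuffer); si += 8;
	uint32_t mfc = PackBits(si, 8, DemodBuffer); si += 8;
	uint32_t cid = PackBits(si, 5, DemodBuffer); si += 5;
	uint32_t icr = PackBits(si, 3, DemodBuffer); si += 3;
	uint32_t year = PackBits(si, 4, DemodBuffer); si += 4;
	uint32_t quarter = PackBits(si, 2, DemodBuffer); si += 2;
	uint32_t lotid = PackBits(si, 14, DemodBuffer); si += 14;
	uint32_t wafer = PackBits(si, 5, DemodBuffer); si += 5;
	uint32_t dw = PackBits(si, 15, DemodBuffer);

	// The tag stores only the last digit of the year (4 bits). Pick the
	// decade from the host clock: a digit larger than (current year - 2010)
	// cannot be 201x yet, so it is taken as 200x, everything else as 201x.
	// localtime() may return NULL; in that case the cut-off falls back to 0
	// instead of dereferencing a null pointer.
	time_t t = time(NULL);
	struct tm *now = localtime(&t);
	int years_since_2010 = (now != NULL) ? now->tm_year - 110 : 0;
	if ((int)year > years_since_2010)
		year += 2000;
	else
		year += 2010;

	if (config.Q5) PrintAndLog("*** Warning *** Info read off a Q5 will not work as expected");
	// The ACL byte of a T55x7 trace block is fixed at 0xE0 (see the table
	// below); any other value means the bits were not demodulated correctly.
	if ( acl != 0xE0 ) {
		PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");
		return 0;
	}
	PrintAndLog("");
	PrintAndLog("-- T55xx Trace Information ----------------------------------");
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", acl, acl);
	PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", mfc, mfc, getTagInfo(mfc));
	PrintAndLog(" CID : 0x%02X (%d) - %s", cid, cid, GetModelStrFromCID(cid));
	PrintAndLog(" ICR IC Revision : %d",icr );
	PrintAndLog(" Manufactured");
	PrintAndLog(" Year/Quarter : %d/%d",year, quarter);
	PrintAndLog(" Lot ID : %d", lotid );
	PrintAndLog(" Wafer number : %d", wafer);
	PrintAndLog(" Die Number : %d", dw);
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog(" Raw Data - Page 1");
	PrintAndLog(" Block 1 : 0x%08X %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );
	PrintAndLog(" Block 2 : 0x%08X %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );
	PrintAndLog("-------------------------------------------------------------");

	/*
	TRACE - BLOCK O
	Bits Definition HEX
	1-8 ACL Allocation class (ISO/IEC 15963-1) 0xE0
	9-16 MFC Manufacturer ID (ISO/IEC 7816-6) 0x15 Atmel Corporation
	17-21 CID 0x1 = Atmel ATA5577M1 0x2 = Atmel ATA5577M2
	22-24 ICR IC revision
	25-28 YEAR (BCD encoded) 9 (= 2009)
	29-30 QUARTER 1,2,3,4
	31-32 LOT ID

	TRACE - BLOCK 1
	1-12 LOT ID
	13-17 Wafer number
	18-32 DW, die number sequential
	*/

	return 0;
}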
988\r
// Reads `width` bits of DemodBuffer starting at *pos and advances *pos past them.
static uint32_t t55xx_info_field(uint8_t *pos, uint8_t width) {
	uint32_t value = PackBits(*pos, width, DemodBuffer);
	*pos += width;
	return value;
}

int CmdT55xxInfo(const char *Cmd){
	/*
	 * lf t55xx info [1]
	 *
	 * Decodes the page 0 / block 0 configuration word of a T55x7 and prints
	 * each field. With no argument the block is first read from the device
	 * in regular (non-password) mode; with one argument the buffer already
	 * held by the client is decoded.
	 *
	 * Returns 1 when the read or the decode failed, 0 otherwise.
	 */
	char cmdp = param_getchar(Cmd, 0);
	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();

	if (strlen(Cmd) == 0) {
		bool pwdmode = false;
		uint32_t password = 0;
		if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password))
			return 1;
	}

	if (!DecodeT55xxBlock()) return 1;

	// NOTE(review): the check is against 32 but the bits are taken from
	// config.offset onwards; a short buffer with a non-zero offset yields
	// stale bits - confirm whether config.offset + 32 was intended.
	if (DemodBufferLen < 32) return 1;

	uint8_t pos = config.offset;
	uint32_t bl0 = PackBits(pos, 32, DemodBuffer);

	// Configuration word layout, MSB first (widths in bits).
	uint32_t safer   = t55xx_info_field(&pos, 4);
	uint32_t resv    = t55xx_info_field(&pos, 7);
	uint32_t dbr     = t55xx_info_field(&pos, 3);
	uint32_t extend  = t55xx_info_field(&pos, 1);
	uint32_t datamod = t55xx_info_field(&pos, 5);
	uint32_t pskcf   = t55xx_info_field(&pos, 2);
	uint32_t aor     = t55xx_info_field(&pos, 1);
	uint32_t otp     = t55xx_info_field(&pos, 1);
	uint32_t maxblk  = t55xx_info_field(&pos, 3);
	uint32_t pwd     = t55xx_info_field(&pos, 1);
	uint32_t sst     = t55xx_info_field(&pos, 1);
	uint32_t fw      = t55xx_info_field(&pos, 1);
	uint32_t inv     = t55xx_info_field(&pos, 1);
	uint32_t por     = t55xx_info_field(&pos, 1);

	if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");
	PrintAndLog("");
	PrintAndLog("-- T55xx Configuration & Tag Information --------------------");
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog(" Safer key : %s", GetSaferStr(safer));
	PrintAndLog(" reserved : %d", resv);
	PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr));
	PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No");
	PrintAndLog(" Modulation : %s", GetModulationStr(datamod));
	PrintAndLog(" PSK clock frequency : %d", pskcf);
	PrintAndLog(" AOR - Answer on Request : %s", (aor) ? "Yes":"No");
	PrintAndLog(" OTP - One Time Pad : %s", (otp) ? "Yes - Warning":"No" );
	PrintAndLog(" Max block : %d", maxblk);
	PrintAndLog(" Password mode : %s", (pwd) ? "Yes":"No");
	PrintAndLog(" Sequence Start Terminator : %s", (sst) ? "Yes":"No");
	PrintAndLog(" Fast Write : %s", (fw) ? "Yes":"No");
	PrintAndLog(" Inverse data : %s", (inv) ? "Yes":"No");
	PrintAndLog(" POR-Delay : %s", (por) ? "Yes":"No");
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog(" Raw Data - Page 0");
	PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset,32) );
	PrintAndLog("-------------------------------------------------------------");

	return 0;
}
1051\r
int CmdT55xxDump(const char *Cmd){
	/*
	 * lf t55xx dump [password] [o]
	 *
	 * Reads and prints page 0 blocks 0-7 and page 1 blocks 0-3. If any
	 * argument is given it is taken as a hex password and the reads are
	 * done in password mode; a following "o" sets the override flag that
	 * is passed through to T55xxReadBlock.
	 *
	 * Always returns 1.
	 */
	char cmdp = param_getchar(Cmd, 0);
	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump();

	uint32_t password = 0;
	bool override = false;
	bool usepwd = (strlen(Cmd) > 0);
	if (usepwd) {
		password = param_get32ex(Cmd, 0, 0, 16);
		override = (param_getchar(Cmd, 1) == 'o');
	}

	// Page 0 exposes 8 blocks, page 1 only 4.
	static const uint8_t blocks_on_page[] = { 8, 4 };
	for (uint8_t page = 0; page < 2; page++) {
		printT5xxHeader(page);
		for (uint8_t blk = 0; blk < blocks_on_page[page]; blk++)
			T55xxReadBlock(blk, page, usepwd, override, password);
	}

	return 1;
}
1076\r
int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){
	/*
	 * Asks the device to read one block of a T55xx and loads the raw samples
	 * it captured into the client's graph buffer for later demodulation.
	 *
	 * CMD_T55XX_READ_BLOCK arguments:
	 *   arg0  bit0 = password mode, bit1 = page to read from
	 *   arg1  block number
	 *   arg2  password (only meaningful when bit0 of arg0 is set)
	 *
	 * Returns 1 when samples were fetched, 0 when the device did not ACK
	 * the command within 2.5 s.
	 */
	enum { SAMPLE_BYTES = 12000 };

	uint8_t flags = (uint8_t)((page << 1) | (pwdmode ? 1 : 0));
	UsbCommand c = {CMD_T55XX_READ_BLOCK, {flags, block, password}};

	clearCommandBuffer();
	SendCommand(&c);
	if (!WaitForResponseTimeout(CMD_ACK, NULL, 2500)) {
		PrintAndLog("command execution time out");
		return 0;
	}

	// Pull the captured samples out of the device's big buffer; the second
	// ACK signals that the transfer is complete.
	uint8_t samples[SAMPLE_BYTES];
	GetFromBigBuf(samples, sizeof(samples), 0);
	WaitForResponse(CMD_ACK, NULL);
	setGraphBuf(samples, sizeof(samples));
	return 1;
}
1097\r
char * GetBitRateStr(uint32_t id){
	/*
	 * Formats the 3-bit data bit rate code of the configuration word as
	 * "<id> - RF/<divisor>" for codes 0-7 and "<id> - (Unknown)" otherwise.
	 *
	 * The result lives in a static buffer that every call overwrites; the
	 * caller must not free it or keep it across calls.
	 */
	static const char *rf_divisor[] = {
		"RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"
	};
	static char buf[25];

	if (id < sizeof(rf_divisor) / sizeof(rf_divisor[0]))
		snprintf(buf, sizeof(buf), "%d - %s", id, rf_divisor[id]);
	else
		snprintf(buf, sizeof(buf), "%d - (Unknown)", id);

	return buf;
}
1134\r
char * GetSaferStr(uint32_t id){
	/*
	 * Formats the 4-bit "safer key" field of the configuration word. The
	 * two values the code recognises get a label ("6 - passwd",
	 * "9 - testmode"); every other value is printed as the bare number.
	 *
	 * Returns a static buffer overwritten on each call.
	 */
	static char buf[40];

	const char *label = "";
	if (id == 6)
		label = " - passwd";
	else if (id == 9)
		label = " - testmode";

	snprintf(buf, sizeof(buf), "%d%s", id, label);
	return buf;
}
1149\r
// Description of a T55x7 modulation code, or NULL when the code is not in the table.
static const char *t55x7_modulation_name(uint32_t id) {
	switch (id) {
	case 0:    return "DIRECT (ASK/NRZ)";
	case 1:    return "PSK 1 phase change when input changes";
	case 2:    return "PSK 2 phase change on bitclk if input high";
	case 3:    return "PSK 3 phase change on rising edge of input";
	case 4:    return "FSK 1 RF/8 RF/5";
	case 5:    return "FSK 2 RF/8 RF/10";
	case 6:    return "FSK 1a RF/5 RF/8";
	case 7:    return "FSK 2a RF/10 RF/8";
	case 8:    return "Manchester";
	case 16:   return "Biphase";
	case 0x18: return "Biphase a - AKA Conditional Dephase Encoding(CDP)";
	case 17:   return "Reserved";
	default:   return NULL;
	}
}

char * GetModulationStr( uint32_t id){
	/*
	 * Formats the 5-bit modulation field of the configuration word as
	 * "<id> - <description>"; codes without a description are rendered as
	 * "0x<id> (Unknown)".
	 *
	 * Returns a static buffer overwritten on each call.
	 */
	static char buf[60];

	const char *name = t55x7_modulation_name(id);
	if (name != NULL)
		snprintf(buf, sizeof(buf), "%d - %s", id, name);
	else
		snprintf(buf, sizeof(buf), "0x%02X (Unknown)", id);

	return buf;
}
1197\r
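char * GetModelStrFromCID(uint32_t cid){
	/*
	 * Maps the 5-bit CID from trace block 0 to the Atmel part name
	 * (1 = ATA5577M1, 2 = ATA5577M2). Unknown codes yield "".
	 *
	 * Returns a static buffer overwritten on each call. The buffer is
	 * cleared first: previously an unknown CID left it untouched, so the
	 * name from an earlier call could be reported for a different tag.
	 */
	static char buf[10];

	buf[0] = '\0';
	switch (cid) {
	case 1:
		snprintf(buf, sizeof(buf), "ATA5577M1");
		break;
	case 2:
		snprintf(buf, sizeof(buf), "ATA5577M2");
		break;
	default:
		break;
	}
	return buf;
}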
1207\r
// Short label for a DEMOD_* selector of the client config, or NULL if unknown.
static const char *t55xx_demod_label(uint8_t id) {
	switch (id) {
	case DEMOD_FSK:   return "FSK";
	case DEMOD_FSK1:  return "FSK1";
	case DEMOD_FSK1a: return "FSK1a";
	case DEMOD_FSK2:  return "FSK2";
	case DEMOD_FSK2a: return "FSK2a";
	case DEMOD_ASK:   return "ASK";
	case DEMOD_NRZ:   return "DIRECT/NRZ";
	case DEMOD_PSK1:  return "PSK1";
	case DEMOD_PSK2:  return "PSK2";
	case DEMOD_PSK3:  return "PSK3";
	case DEMOD_BI:    return "BIPHASE";
	case DEMOD_BIa:   return "BIPHASEa - (CDP)";
	default:          return NULL;
	}
}

char * GetSelectedModulationStr( uint8_t id){
	/*
	 * Human-readable name of the demodulation currently selected in the
	 * client configuration (a DEMOD_* value); "(Unknown)" for anything else.
	 *
	 * Returns a static buffer overwritten on each call.
	 */
	static char buf[20];

	const char *label = t55xx_demod_label(id);
	snprintf(buf, sizeof(buf), "%s", (label != NULL) ? label : "(Unknown)");
	return buf;
}
1256\r
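void t55x7_create_config_block( int tagtype ){
	/*
	 * Prints the canned page 0 / block 0 configuration word for a tag type:
	 *   0 - T55X7_DEFAULT_CONFIG_BLOCK
	 *   1 - T55X7_RAW_CONFIG_BLOCK
	 * Any other type prints an empty line.
	 *
	 * Presets the author listed but has not wired up yet:
	 * T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK,
	 * T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK,
	 * T55X7_INDALA_224_CONFIG_BLOCK, T55X7_GUARDPROXII_CONFIG_BLOCK,
	 * T55X7_VIKING_CONFIG_BLOCK, T55X7_NORALYS_CONFIG_BLOCK,
	 * T55X7_IOPROX_CONFIG_BLOCK
	 */
	// Local, zeroed buffer: the previous static one kept the text of the
	// last call, so an unknown tagtype printed a stale line.
	char buf[60] = {0};

	switch (tagtype){
	case 0: snprintf(buf, sizeof(buf), "%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;
	case 1: snprintf(buf, sizeof(buf), "%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;
	default:
		break;
	}
	// Pass the text as an argument, never as the format string itself.
	PrintAndLog("%s", buf);
}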
1276\r
int CmdResetRead(const char *Cmd) {
	/*
	 * lf t55xx resetread
	 *
	 * Sends CMD_T55XX_RESET_READ to the device and loads the samples it
	 * captured afterwards into the graph buffer, so the start of the tag's
	 * stream can be inspected (demod/plot separately). Cmd is not used.
	 *
	 * Returns 1 when samples were fetched, 0 when the device did not ACK
	 * within 2.5 s.
	 */
	(void)Cmd;

	UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};
	clearCommandBuffer();
	SendCommand(&c);
	if (!WaitForResponseTimeout(CMD_ACK, NULL, 2500)) {
		PrintAndLog("command execution time out");
		return 0;
	}

	// The whole big buffer (minus one byte) is fetched; the second ACK
	// marks the end of the transfer.
	uint8_t samples[BIGBUF_SIZE-1];
	GetFromBigBuf(samples, sizeof(samples), 0);
	WaitForResponse(CMD_ACK, NULL);
	setGraphBuf(samples, sizeof(samples));
	return 1;
}
1293\r
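int CmdT55xxWipe(const char *Cmd) {
	/*
	 * lf t55xx wipe
	 *
	 * Resets a T55xx to a blank state: block 0 is rewritten with the default
	 * configuration word 0x000880E0 using password 0, then blocks 1-7 are
	 * set to 0. Each write goes through CmdT55xxWriteBlock with a text
	 * command line, so the same parsing and device handshake apply.
	 * Cmd is not used; the tag is assumed not to be password protected.
	 *
	 * Returns 0. A failed block write is only logged, the wipe continues.
	 */
	(void)Cmd;
	char writeData[20] = {0};

	PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");

	//try with the default password to reset block 0 (with a pwd should work even if pwd bit not set)
	snprintf(writeData, sizeof(writeData), "b 0 d 000880E0 p 0");

	if (!CmdT55xxWriteBlock(writeData))
		PrintAndLog("Error writing blk 0");

	for (uint8_t blk = 1; blk < 8; blk++) {
		snprintf(writeData, sizeof(writeData), "b %d d 0", blk);

		if (!CmdT55xxWriteBlock(writeData))
			PrintAndLog("Error writing blk %d", blk);

		// memset(dst, value, size): the original call had value and size
		// swapped (size 0, value 20) and therefore cleared nothing.
		memset(writeData, 0x00, sizeof(writeData));
	}
	return 0;
}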
1317\r
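int CmdT55xxBruteForce(const char *Cmd) {
	/*
	 * lf t55xx bruteforce <start> <end>
	 *
	 * Tries each 32-bit password in [start, end] (both hex) against page 0
	 * block 0: the block is read in password mode and the attempt counts as
	 * a hit when the result demodulates to a valid configuration block.
	 * Progress is printed every 0x100 attempts. Requires start < end.
	 *
	 * Returns 0; the outcome (found / last tried) is logged.
	 */
	char cmdp = param_getchar(Cmd, 0);
	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();

	uint32_t start_password = param_get32ex(Cmd, 0, 0, 16);
	uint32_t end_password = param_get32ex(Cmd, 1, 0, 16);

	if ( start_password >= end_password ) return usage_t55xx_bruteforce();

	PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);

	bool found = false;
	uint32_t i = start_password;

	for (;;) {
		AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i);
		found = tryDetectModulation();

		if (found)
			break;

		if ((i % 0x100) == 0) printf("[%08x], ", i);

		// Leave before incrementing past the last candidate: a uint32_t is
		// always <= 0xFFFFFFFF, so the old `i <= end_password` condition
		// could never end the loop for that bound (i wrapped to 0). This
		// also keeps i equal to the password actually tried last.
		if (i == end_password)
			break;
		i++;
	}

	PrintAndLog("");

	if (found)
		PrintAndLog("Password found [%08x]", i);
	else
		PrintAndLog("Password NOT found. Last tried: [%08x]", i);
	return 0;
}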
1356\r
// Sub-command table for "lf t55xx": {name, handler, offline, help}.
// The third column is command_t's Offline flag: 1 marks commands usable
// without a connected device (help/config, and the decoders that accept
// "1" to reuse the buffer already captured in the client); 0 marks
// commands that talk to the device.
static command_t CommandTable[] = {
	{"help", CmdHelp, 1, "This help"},
	{"bruteforce", CmdT55xxBruteForce,0, "Simple bruteforce attack to find password"},
	{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
	{"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},
	{"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
	{"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
	{"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
	{"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
	{"special", special, 0, "Show block changes with 64 different offsets"},
	{"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
	{"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},
	{"wipe", CmdT55xxWipe, 0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
	{"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
	{NULL, NULL, 0, NULL}
};
1373\r
// Entry point for "lf t55xx": dispatches the remainder of the command line
// to the matching handler in CommandTable. Always returns 0.
int CmdLFT55XX(const char *Cmd) {
	CmdsParse(CommandTable, Cmd);
	return 0;
}
1378\r
// "lf t55xx help": prints the help text of every entry in CommandTable.
// Cmd is unused. Always returns 0.
int CmdHelp(const char *Cmd) {
	CmdsHelp(CommandTable);
	return 0;
}