]> git.zerfleddert.de Git - proxmark3-svn/blame_incremental - client/cmdlfem4x.c
Finishing touches on new mifare classic hack rework
[proxmark3-svn] / client / cmdlfem4x.c
... / ...
CommitLineData
1//-----------------------------------------------------------------------------
2// Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8// Low frequency EM4x commands
9//-----------------------------------------------------------------------------
10
11#include <stdio.h>
12#include <string.h>
13#include <inttypes.h>
14//#include "proxusb.h"
15#include "proxmark3.h"
16#include "ui.h"
17#include "graph.h"
18#include "cmdparser.h"
19#include "cmddata.h"
20#include "cmdlf.h"
21#include "cmdlfem4x.h"
22
23static int CmdHelp(const char *Cmd);
24
25/* Read the ID of an EM410x tag.
26 * Format:
27 * 1111 1111 1 <-- standard non-repeatable header
28 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
29 * ....
30 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
31 * 0 <-- stop bit, end of tag
32 */
33int CmdEM410xRead(const char *Cmd)
34{
35 int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low;
36 int parity[4];
37 char id[11];
38 int retested = 0;
39 uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
40 high = low = 0;
41
42 /* Detect high and lows and clock */
43 for (i = 0; i < GraphTraceLen; i++)
44 {
45 if (GraphBuffer[i] > high)
46 high = GraphBuffer[i];
47 else if (GraphBuffer[i] < low)
48 low = GraphBuffer[i];
49 }
50
51 /* get clock */
52 clock = GetClock(Cmd, high, 0);
53
54 /* parity for our 4 columns */
55 parity[0] = parity[1] = parity[2] = parity[3] = 0;
56 header = rows = 0;
57
58 /* manchester demodulate */
59 bit = bit2idx = 0;
60 for (i = 0; i < (int)(GraphTraceLen / clock); i++)
61 {
62 hithigh = 0;
63 hitlow = 0;
64 first = 1;
65
66 /* Find out if we hit both high and low peaks */
67 for (j = 0; j < clock; j++)
68 {
69 if (GraphBuffer[(i * clock) + j] == high)
70 hithigh = 1;
71 else if (GraphBuffer[(i * clock) + j] == low)
72 hitlow = 1;
73
74 /* it doesn't count if it's the first part of our read
75 because it's really just trailing from the last sequence */
76 if (first && (hithigh || hitlow))
77 hithigh = hitlow = 0;
78 else
79 first = 0;
80
81 if (hithigh && hitlow)
82 break;
83 }
84
85 /* If we didn't hit both high and low peaks, we had a bit transition */
86 if (!hithigh || !hitlow)
87 bit ^= 1;
88
89 BitStream[bit2idx++] = bit;
90 }
91
92retest:
93 /* We go till 5 before the graph ends because we'll get that far below */
94 for (i = 1; i < bit2idx - 5; i++)
95 {
96 /* Step 2: We have our header but need our tag ID */
97 if (header == 9 && rows < 10)
98 {
99 /* Confirm parity is correct */
100 if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
101 {
102 /* Read another byte! */
103 sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
104 rows++;
105
106 /* Keep parity info */
107 parity[0] ^= BitStream[i];
108 parity[1] ^= BitStream[i+1];
109 parity[2] ^= BitStream[i+2];
110 parity[3] ^= BitStream[i+3];
111
112 /* Move 4 bits ahead */
113 i += 4;
114 }
115
116 /* Damn, something wrong! reset */
117 else
118 {
119 PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i);
120
121 /* Start back rows * 5 + 9 header bits, -1 to not start at same place */
122 i -= 9 + (5 * rows) - 5;
123
124 rows = header = 0;
125 }
126 }
127
128 /* Step 3: Got our 40 bits! confirm column parity */
129 else if (rows == 10)
130 {
131 /* We need to make sure our 4 bits of parity are correct and we have a stop bit */
132 if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] &&
133 BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] &&
134 BitStream[i+4] == 0)
135 {
136 /* Sweet! */
137 PrintAndLog("EM410x Tag ID: %s", id);
138
139 /* Stop any loops */
140 return 1;
141 }
142
143 /* Crap! Incorrect parity or no stop bit, start all over */
144 else
145 {
146 rows = header = 0;
147
148 /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */
149 i -= 59;
150 }
151 }
152
153 /* Step 1: get our header */
154 else if (header < 9)
155 {
156 /* Need 9 consecutive 1's */
157 if (BitStream[i] == 1)
158 header++;
159
160 /* We don't have a header, not enough consecutive 1 bits */
161 else
162 header = 0;
163 }
164 }
165
166 /* if we've already retested after flipping bits, return */
167 if (retested++)
168 return 0;
169
170 /* if this didn't work, try flipping bits */
171 for (i = 0; i < bit2idx; i++)
172 BitStream[i] ^= 1;
173
174 goto retest;
175}
176
177/* emulate an EM410X tag
178 * Format:
179 * 1111 1111 1 <-- standard non-repeatable header
180 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
181 * ....
182 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
183 * 0 <-- stop bit, end of tag
184 */
185int CmdEM410xSim(const char *Cmd)
186{
187 int i, n, j, h, binary[4], parity[4];
188
189 /* clock is 64 in EM410x tags */
190 int clock = 64;
191
192 /* clear our graph */
193 ClearGraph(0);
194
195 /* write it out a few times */
196 for (h = 0; h < 4; h++)
197 {
198 /* write 9 start bits */
199 for (i = 0; i < 9; i++)
200 AppendGraph(0, clock, 1);
201
202 /* for each hex char */
203 parity[0] = parity[1] = parity[2] = parity[3] = 0;
204 for (i = 0; i < 10; i++)
205 {
206 /* read each hex char */
207 sscanf(&Cmd[i], "%1x", &n);
208 for (j = 3; j >= 0; j--, n/= 2)
209 binary[j] = n % 2;
210
211 /* append each bit */
212 AppendGraph(0, clock, binary[0]);
213 AppendGraph(0, clock, binary[1]);
214 AppendGraph(0, clock, binary[2]);
215 AppendGraph(0, clock, binary[3]);
216
217 /* append parity bit */
218 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
219
220 /* keep track of column parity */
221 parity[0] ^= binary[0];
222 parity[1] ^= binary[1];
223 parity[2] ^= binary[2];
224 parity[3] ^= binary[3];
225 }
226
227 /* parity columns */
228 AppendGraph(0, clock, parity[0]);
229 AppendGraph(0, clock, parity[1]);
230 AppendGraph(0, clock, parity[2]);
231 AppendGraph(0, clock, parity[3]);
232
233 /* stop bit */
234 AppendGraph(0, clock, 0);
235 }
236
237 /* modulate that biatch */
238 CmdManchesterMod("");
239
240 /* booyah! */
241 RepaintGraphWindow();
242
243 CmdLFSim("");
244 return 0;
245}
246
247/* Function is equivalent of loread + losamples + em410xread
248 * looped until an EM410x tag is detected */
249int CmdEM410xWatch(const char *Cmd)
250{
251 int read_h = (*Cmd == 'h');
252 do
253 {
254 CmdLFRead(read_h ? "h" : "");
255 // 2000 samples is OK for clock=64, but not clock=32. Probably want
256 // 8000 for clock=16. Don't want to go too high since old HID driver
257 // is very slow
258 // TBD: Auto-grow sample size based on detected sample rate. IE: If the
259 // rate gets lower, then grow the number of samples
260
261 // Changed by martin, 4000 x 4 = 16000,
262 // see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
263 CmdSamples("16000");
264 } while ( ! CmdEM410xRead(""));
265 return 0;
266}
267
268/* Read the transmitted data of an EM4x50 tag
269 * Format:
270 *
271 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
272 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
273 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
274 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
275 * CCCCCCCC <- column parity bits
276 * 0 <- stop bit
277 * LW <- Listen Window
278 *
279 * This pattern repeats for every block of data being transmitted.
280 * Transmission starts with two Listen Windows (LW - a modulated
281 * pattern of 320 cycles each (32/32/128/64/64)).
282 *
283 * Note that this data may or may not be the UID. It is whatever data
284 * is stored in the blocks defined in the control word First and Last
285 * Word Read values. UID is stored in block 32.
286 */
287int CmdEM4x50Read(const char *Cmd)
288{
289 int i, j, startblock, skip, block, start, end, low, high;
290 bool complete= false;
291 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
292 char tmp[6];
293
294 high= low= 0;
295 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
296
297 /* first get high and low values */
298 for (i = 0; i < GraphTraceLen; i++)
299 {
300 if (GraphBuffer[i] > high)
301 high = GraphBuffer[i];
302 else if (GraphBuffer[i] < low)
303 low = GraphBuffer[i];
304 }
305
306 /* populate a buffer with pulse lengths */
307 i= 0;
308 j= 0;
309 while (i < GraphTraceLen)
310 {
311 // measure from low to low
312 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
313 ++i;
314 start= i;
315 while ((GraphBuffer[i] < high) && (i<GraphTraceLen))
316 ++i;
317 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
318 ++i;
319 if (j>(MAX_GRAPH_TRACE_LEN/64)) {
320 break;
321 }
322 tmpbuff[j++]= i - start;
323 }
324
325 /* look for data start - should be 2 pairs of LW (pulses of 192,128) */
326 start= -1;
327 skip= 0;
328 for (i= 0; i < j - 4 ; ++i)
329 {
330 skip += tmpbuff[i];
331 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
332 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
333 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
334 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
335 {
336 start= i + 3;
337 break;
338 }
339 }
340 startblock= i + 3;
341
342 /* skip over the remainder of the LW */
343 skip += tmpbuff[i+1]+tmpbuff[i+2];
344 while (skip < MAX_GRAPH_TRACE_LEN && GraphBuffer[skip] > low)
345 ++skip;
346 skip += 8;
347
348 /* now do it again to find the end */
349 end= start;
350 for (i += 3; i < j - 4 ; ++i)
351 {
352 end += tmpbuff[i];
353 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
354 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
355 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
356 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
357 {
358 complete= true;
359 break;
360 }
361 }
362
363 if (start >= 0)
364 PrintAndLog("Found data at sample: %i",skip);
365 else
366 {
367 PrintAndLog("No data found!");
368 PrintAndLog("Try again with more samples.");
369 return 0;
370 }
371
372 if (!complete)
373 {
374 PrintAndLog("*** Warning!");
375 PrintAndLog("Partial data - no end found!");
376 PrintAndLog("Try again with more samples.");
377 }
378
379 /* get rid of leading crap */
380 sprintf(tmp,"%i",skip);
381 CmdLtrim(tmp);
382
383 /* now work through remaining buffer printing out data blocks */
384 block= 0;
385 i= startblock;
386 while (block < 6)
387 {
388 PrintAndLog("Block %i:", block);
389 // mandemod routine needs to be split so we can call it for data
390 // just print for now for debugging
391 CmdManchesterDemod("i 64");
392 skip= 0;
393 /* look for LW before start of next block */
394 for ( ; i < j - 4 ; ++i)
395 {
396 skip += tmpbuff[i];
397 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
398 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
399 break;
400 }
401 while (GraphBuffer[skip] > low)
402 ++skip;
403 skip += 8;
404 sprintf(tmp,"%i",skip);
405 CmdLtrim(tmp);
406 start += skip;
407 block++;
408 }
409 return 0;
410}
411
412int CmdEM410xWrite(const char *Cmd)
413{
414 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
415 unsigned int card = 0xFF; // invalid card value
416 unsigned int clock = 0; // invalid clock value
417
418 sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
419
420 // Check ID
421 if (id == 0xFFFFFFFFFFFFFFFF) {
422 PrintAndLog("Error! ID is required.\n");
423 return 0;
424 }
425 if (id >= 0x10000000000) {
426 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
427 return 0;
428 }
429
430 // Check Card
431 if (card == 0xFF) {
432 PrintAndLog("Error! Card type required.\n");
433 return 0;
434 }
435 if (card < 0) {
436 PrintAndLog("Error! Bad card type selected.\n");
437 return 0;
438 }
439
440 // Check Clock
441 if (card == 1)
442 {
443 // Default: 64
444 if (clock == 0)
445 clock = 64;
446
447 // Allowed clock rates: 16, 32 and 64
448 if ((clock != 16) && (clock != 32) && (clock != 64)) {
449 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32 and 64.\n", clock);
450 return 0;
451 }
452 }
453 else if (clock != 0)
454 {
455 PrintAndLog("Error! Clock rate is only supported on T55x7 tags.\n");
456 return 0;
457 }
458
459 if (card == 1) {
460 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
461 // NOTE: We really should pass the clock in as a separate argument, but to
462 // provide for backwards-compatibility for older firmware, and to avoid
463 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
464 // the clock rate in bits 8-15 of the card value
465 card = (card & 0xFF) | (((uint64_t)clock << 8) & 0xFF00);
466 }
467 else if (card == 0)
468 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
469 else {
470 PrintAndLog("Error! Bad card type selected.\n");
471 return 0;
472 }
473
474 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
475 SendCommand(&c);
476
477 return 0;
478}
479
480int CmdReadWord(const char *Cmd)
481{
482 int Word = 16; //default to invalid word
483 UsbCommand c;
484
485 sscanf(Cmd, "%d", &Word);
486
487 if (Word > 15) {
488 PrintAndLog("Word must be between 0 and 15");
489 return 1;
490 }
491
492 PrintAndLog("Reading word %d", Word);
493
494 c.cmd = CMD_EM4X_READ_WORD;
495 c.d.asBytes[0] = 0x0; //Normal mode
496 c.arg[0] = 0;
497 c.arg[1] = Word;
498 c.arg[2] = 0;
499 SendCommand(&c);
500 return 0;
501}
502
503int CmdReadWordPWD(const char *Cmd)
504{
505 int Word = 16; //default to invalid word
506 int Password = 0xFFFFFFFF; //default to blank password
507 UsbCommand c;
508
509 sscanf(Cmd, "%d %x", &Word, &Password);
510
511 if (Word > 15) {
512 PrintAndLog("Word must be between 0 and 15");
513 return 1;
514 }
515
516 PrintAndLog("Reading word %d with password %08X", Word, Password);
517
518 c.cmd = CMD_EM4X_READ_WORD;
519 c.d.asBytes[0] = 0x1; //Password mode
520 c.arg[0] = 0;
521 c.arg[1] = Word;
522 c.arg[2] = Password;
523 SendCommand(&c);
524 return 0;
525}
526
527int CmdWriteWord(const char *Cmd)
528{
529 int Word = 16; //default to invalid block
530 int Data = 0xFFFFFFFF; //default to blank data
531 UsbCommand c;
532
533 sscanf(Cmd, "%x %d", &Data, &Word);
534
535 if (Word > 15) {
536 PrintAndLog("Word must be between 0 and 15");
537 return 1;
538 }
539
540 PrintAndLog("Writting word %d with data %08X", Word, Data);
541
542 c.cmd = CMD_EM4X_WRITE_WORD;
543 c.d.asBytes[0] = 0x0; //Normal mode
544 c.arg[0] = Data;
545 c.arg[1] = Word;
546 c.arg[2] = 0;
547 SendCommand(&c);
548 return 0;
549}
550
551int CmdWriteWordPWD(const char *Cmd)
552{
553 int Word = 8; //default to invalid word
554 int Data = 0xFFFFFFFF; //default to blank data
555 int Password = 0xFFFFFFFF; //default to blank password
556 UsbCommand c;
557
558 sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
559
560 if (Word > 15) {
561 PrintAndLog("Word must be between 0 and 15");
562 return 1;
563 }
564
565 PrintAndLog("Writting word %d with data %08X and password %08X", Word, Data, Password);
566
567 c.cmd = CMD_EM4X_WRITE_WORD;
568 c.d.asBytes[0] = 0x1; //Password mode
569 c.arg[0] = Data;
570 c.arg[1] = Word;
571 c.arg[2] = Password;
572 SendCommand(&c);
573 return 0;
574}
575
576
577
578static command_t CommandTable[] =
579{
580 {"help", CmdHelp, 1, "This help"},
581 {"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"},
582 {"em410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
583 {"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
584 {"em410xwrite", CmdEM410xWrite, 1, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
585 {"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
586 {"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
587 {"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
588 {"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
589 {"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
590 {NULL, NULL, 0, NULL}
591};
592
593int CmdLFEM4X(const char *Cmd)
594{
595 CmdsParse(CommandTable, Cmd);
596 return 0;
597}
598
599int CmdHelp(const char *Cmd)
600{
601 CmdsHelp(CommandTable);
602 return 0;
603}
Impressum, Datenschutz