]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf15.c
Tested by changing the master key from the default to a custom value
[proxmark3-svn] / client / cmdhf15.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 // Modified 2010-2012 by <adrian -at- atrox.at>
4 // Modified 2012 by <vsza at vsza.hu>
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // High frequency ISO15693 commands
11 //-----------------------------------------------------------------------------
12 // There are three basic operation modes, depending on which device (proxmark/pc)
13 // the signal processing, (de)modulation, transmission protocol and logic is done.
14 // Mode 1:
15 // All steps are done on the proxmark, the output of the commands is returned via
16 // USB-debug-print commands.
17 // Mode 2:
18 // The protocol is done on the PC, passing only Iso15693 data frames via USB. This
19 // allows direct communication with a tag on command level
20 // Mode 3:
21 // The proxmark just samples the antenna and passes this "analog" data via USB to
22 // the client. Signal Processing & decoding is done on the pc. This is the slowest
23 // variant, but offers the possibility to analyze the waveforms directly.
24
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <stdint.h>
29 //#include "proxusb.h"
30 #include "proxmark3.h"
31 #include "data.h"
32 #include "graph.h"
33 #include "ui.h"
34 #include "cmdparser.h"
35 #include "cmdhf15.h"
36 #include "../common/iso15693tools.h"
37 #include "cmdmain.h"
38
39 #define FrameSOF Iso15693FrameSOF
40 #define Logic0 Iso15693Logic0
41 #define Logic1 Iso15693Logic1
42 #define FrameEOF Iso15693FrameEOF
43
44 #define Crc(data,datalen) Iso15693Crc(data,datalen)
45 #define AddCrc(data,datalen) Iso15693AddCrc(data,datalen)
46 #define sprintUID(target,uid) Iso15693sprintUID(target,uid)
47 #define TRACE_BUFF_SIZE 12000
48
49 // structure and database for uid -> tagtype lookups
50 typedef struct {
51 uint64_t uid;
52 int mask; // how many MSB bits used
53 char* desc;
54 } productName;
55
56
57 const productName uidmapping[] = {
58 // UID, #significant Bits, "Vendor(+Product)"
59 { 0xE001000000000000LL, 16, "Motorola" },
60 { 0xE002000000000000LL, 16, "ST Microelectronics" },
61 { 0xE003000000000000LL, 16, "Hitachi" },
62 { 0xE004000000000000LL, 16, "NXP(Philips)" },
63 { 0xE004010000000000LL, 24, "NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)" },
64 { 0xE004020000000000LL, 24, "NXP(Philips); IC SL2 ICS53/ICS54(SLI-S) ICS5302/ICS5402(SLIX-S)" },
65 { 0xE004030000000000LL, 24, "NXP(Philips); IC SL2 ICS50/ICS51(SLI-L) ICS5002/ICS5102(SLIX-L)" },
66 { 0xE005000000000000LL, 16, "Infineon" },
67 { 0xE005400000000000LL, 24, "Infineon; 56x32bit" },
68 { 0xE006000000000000LL, 16, "Cylinc" },
69 { 0xE007000000000000LL, 16, "Texas Instrument; " },
70 { 0xE007000000000000LL, 20, "Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit" },
71 { 0xE007100000000000LL, 20, "Texas Instrument; Tag-it HF-I Plus Chip; 64x32bit" },
72 { 0xE007800000000000LL, 23, "Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)" },
73 { 0xE007C00000000000LL, 23, "Texas Instrument; Tag-it HF-I Standard; 8x32bit" },
74 { 0xE007C40000000000LL, 23, "Texas Instrument; Tag-it HF-I Pro; 8x23bit; password" },
75 { 0xE008000000000000LL, 16, "Fujitsu" },
76 { 0xE009000000000000LL, 16, "Matsushita" },
77 { 0xE00A000000000000LL, 16, "NEC" },
78 { 0xE00B000000000000LL, 16, "Oki Electric" },
79 { 0xE00C000000000000LL, 16, "Toshiba" },
80 { 0xE00D000000000000LL, 16, "Mitsubishi" },
81 { 0xE00E000000000000LL, 16, "Samsung" },
82 { 0xE00F000000000000LL, 16, "Hyundai" },
83 { 0xE010000000000000LL, 16, "LG-Semiconductors" },
84 { 0xE012000000000000LL, 16, "HID Corporation" },
85 { 0xE016000000000000LL, 16, "EM-Marin SA (Skidata)" },
86 { 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
87 { 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
88 { 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
89 { 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },
90 { 0,0,"no tag-info available" } // must be the last entry
91 };
92
93
94 // fast method to just read the UID of a tag (collission detection not supported)
95 // *buf should be large enough to fit the 64bit uid
96 // returns 1 if suceeded
97 int getUID(uint8_t *buf)
98 {
99 UsbCommand resp;
100 uint8_t *recv;
101 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
102 uint8_t *req=c.d.asBytes;
103 int reqlen=0;
104
105 for (int retry=0;retry<3; retry++) { // don't give up the at the first try
106
107 req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
108 ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1;
109 req[1]=ISO15_CMD_INVENTORY;
110 req[2]=0; // mask length
111 reqlen=AddCrc(req,3);
112 c.arg[0]=reqlen;
113
114 SendCommand(&c);
115
116 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
117 recv = resp.d.asBytes;
118 if (resp.arg[0]>=12 && ISO15_CRC_CHECK==Crc(recv,12)) {
119 memcpy(buf,&recv[2],8);
120 return 1;
121 }
122 }
123 } // retry
124 return 0;
125 }
126
127
128
129 // get a product description based on the UID
130 // uid[8] tag uid
131 // returns description of the best match
132 static char* getTagInfo(uint8_t *uid) {
133 uint64_t myuid,mask;
134 int i=0, best=-1;
135 memcpy(&myuid,uid,sizeof(uint64_t));
136 while (uidmapping[i].mask>0) {
137 mask=(~0LL) <<(64-uidmapping[i].mask);
138 if ((myuid & mask) == uidmapping[i].uid) {
139 if (best==-1) {
140 best=i;
141 } else {
142 if (uidmapping[i].mask>uidmapping[best].mask) {
143 best=i;
144 }
145 }
146 }
147 i++;
148 }
149
150 if (best>=0) return uidmapping[best].desc;
151
152 return uidmapping[i].desc;
153 }
154
155
156 // return a clear-text message to an errorcode
157 static char* TagErrorStr(uint8_t error) {
158 switch (error) {
159 case 0x01: return "The command is not supported";
160 case 0x02: return "The command is not recognised";
161 case 0x03: return "The option is not supported.";
162 case 0x0f: return "Unknown error.";
163 case 0x10: return "The specified block is not available (doesn’t exist).";
164 case 0x11: return "The specified block is already -locked and thus cannot be locked again";
165 case 0x12: return "The specified block is locked and its content cannot be changed.";
166 case 0x13: return "The specified block was not successfully programmed.";
167 case 0x14: return "The specified block was not successfully locked.";
168 default: return "Reserved for Future Use or Custom command error.";
169 }
170 }
171
172
173 // Mode 3
174 int CmdHF15Demod(const char *Cmd)
175 {
176 // The sampling rate is 106.353 ksps/s, for T = 18.8 us
177
178 int i, j;
179 int max = 0, maxPos = 0;
180
181 int skip = 4;
182
183 if (GraphTraceLen < 1000) return 0;
184
185 // First, correlate for SOF
186 for (i = 0; i < 100; i++) {
187 int corr = 0;
188 for (j = 0; j < arraylen(FrameSOF); j += skip) {
189 corr += FrameSOF[j] * GraphBuffer[i + (j / skip)];
190 }
191 if (corr > max) {
192 max = corr;
193 maxPos = i;
194 }
195 }
196 PrintAndLog("SOF at %d, correlation %d", maxPos,
197 max / (arraylen(FrameSOF) / skip));
198
199 i = maxPos + arraylen(FrameSOF) / skip;
200 int k = 0;
201 uint8_t outBuf[20];
202 memset(outBuf, 0, sizeof(outBuf));
203 uint8_t mask = 0x01;
204 for (;;) {
205 int corr0 = 0, corr1 = 0, corrEOF = 0;
206 for (j = 0; j < arraylen(Logic0); j += skip) {
207 corr0 += Logic0[j] * GraphBuffer[i + (j / skip)];
208 }
209 for (j = 0; j < arraylen(Logic1); j += skip) {
210 corr1 += Logic1[j] * GraphBuffer[i + (j / skip)];
211 }
212 for (j = 0; j < arraylen(FrameEOF); j += skip) {
213 corrEOF += FrameEOF[j] * GraphBuffer[i + (j / skip)];
214 }
215 // Even things out by the length of the target waveform.
216 corr0 *= 4;
217 corr1 *= 4;
218
219 if (corrEOF > corr1 && corrEOF > corr0) {
220 PrintAndLog("EOF at %d", i);
221 break;
222 } else if (corr1 > corr0) {
223 i += arraylen(Logic1) / skip;
224 outBuf[k] |= mask;
225 } else {
226 i += arraylen(Logic0) / skip;
227 }
228 mask <<= 1;
229 if (mask == 0) {
230 k++;
231 mask = 0x01;
232 }
233 if ((i + (int)arraylen(FrameEOF)) >= GraphTraceLen) {
234 PrintAndLog("ran off end!");
235 break;
236 }
237 }
238 if (mask != 0x01) {
239 PrintAndLog("error, uneven octet! (discard extra bits!)");
240 PrintAndLog(" mask=%02x", mask);
241 }
242 PrintAndLog("%d octets", k);
243
244 for (i = 0; i < k; i++) {
245 PrintAndLog("# %2d: %02x ", i, outBuf[i]);
246 }
247 PrintAndLog("CRC=%04x", Iso15693Crc(outBuf, k - 2));
248 return 0;
249 }
250
251
252
253 // * Acquire Samples as Reader (enables carrier, sends inquiry)
254 int CmdHF15Read(const char *Cmd)
255 {
256 UsbCommand c = {CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693};
257 SendCommand(&c);
258
259 uint8_t data[TRACE_BUFF_SIZE] = {0x00};
260
261 GetFromBigBuf(data,TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
262 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
263
264 for (int j = 0; j < TRACE_BUFF_SIZE; j++) {
265 GraphBuffer[j] = ((int)data[j]) ;
266 }
267 GraphTraceLen = TRACE_BUFF_SIZE;
268 RepaintGraphWindow();
269 return 0;
270 }
271
272 // Record Activity without enabeling carrier
273 int CmdHF15Record(const char *Cmd)
274 {
275 UsbCommand c = {CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693};
276 SendCommand(&c);
277
278 uint8_t data[TRACE_BUFF_SIZE] = {0x00};
279
280 GetFromBigBuf(data,TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
281 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
282
283 for (int j = 0; j < TRACE_BUFF_SIZE; j++) {
284 GraphBuffer[j] = ((int)data[j]) ;
285 }
286 GraphTraceLen = TRACE_BUFF_SIZE;
287 RepaintGraphWindow();
288 return 0;
289 }
290
291 int CmdHF15Reader(const char *Cmd)
292 {
293 UsbCommand c = {CMD_READER_ISO_15693, {strtol(Cmd, NULL, 0), 0, 0}};
294 SendCommand(&c);
295 return 0;
296 }
297
298 // Simulation is still not working very good
299 int CmdHF15Sim(const char *Cmd)
300 {
301 char cmdp = param_getchar(Cmd, 0);
302 uint8_t uid[8] = {0x00};
303
304 //E0 16 24 00 00 00 00 00
305 if (cmdp == 'h' || cmdp == 'H') {
306 PrintAndLog("Usage: hf 15 sim <UID>");
307 PrintAndLog("");
308 PrintAndLog(" sample: hf 15 sim E016240000000000");
309 return 0;
310 }
311
312 if (param_gethex(Cmd, 0, uid, 16)) {
313 PrintAndLog("UID must include 16 HEX symbols");
314 return 0;
315 }
316
317 PrintAndLog("Starting simulating UID %02X %02X %02X %02X %02X %02X %02X %02X",
318 uid[0],uid[1],uid[2],uid[3],uid[4], uid[5], uid[6], uid[7]);
319
320 UsbCommand c = {CMD_SIMTAG_ISO_15693, {0, 0, 0}};
321 memcpy(c.d.asBytes,uid,8);
322
323 SendCommand(&c);
324 return 0;
325 }
326
327 // finds the AFI (Application Family Idendifier) of a card, by trying all values
328 // (There is no standard way of reading the AFI, allthough some tags support this)
329 int CmdHF15Afi(const char *Cmd)
330 {
331 UsbCommand c = {CMD_ISO_15693_FIND_AFI, {strtol(Cmd, NULL, 0), 0, 0}};
332 SendCommand(&c);
333 return 0;
334 }
335
336 // Reads all memory pages
337 int CmdHF15DumpMem(const char*Cmd) {
338 UsbCommand resp;
339 uint8_t uid[8];
340 uint8_t *recv=NULL;
341 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
342 uint8_t *req=c.d.asBytes;
343 int reqlen=0;
344 int blocknum=0;
345 char output[80];
346
347 if (!getUID(uid)) {
348 PrintAndLog("No Tag found.");
349 return 0;
350 }
351
352 PrintAndLog("Reading memory from tag UID=%s",sprintUID(NULL,uid));
353 PrintAndLog("Tag Info: %s",getTagInfo(uid));
354
355 for (int retry=0; retry<5; retry++) {
356
357 req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
358 ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
359 req[1]=ISO15_CMD_READ;
360 memcpy(&req[2],uid,8);
361 req[10]=blocknum;
362 reqlen=AddCrc(req,11);
363 c.arg[0]=reqlen;
364
365 SendCommand(&c);
366
367 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
368 recv = resp.d.asBytes;
369 if (ISO15_CRC_CHECK==Crc(recv,resp.arg[0])) {
370 if (!(recv[0] & ISO15_RES_ERROR)) {
371 retry=0;
372 *output=0; // reset outputstring
373 sprintf(output, "Block %02x ",blocknum);
374 for ( int i=1; i<resp.arg[0]-2; i++) { // data in hex
375 sprintf(output+strlen(output),"%02X ",recv[i]);
376 }
377 strcat(output," ");
378 for ( int i=1; i<resp.arg[0]-2; i++) { // data in cleaned ascii
379 sprintf(output+strlen(output),"%c",(recv[i]>31 && recv[i]<127)?recv[i]:'.');
380 }
381 PrintAndLog("%s",output);
382 blocknum++;
383 // PrintAndLog("bn=%i",blocknum);
384 } else {
385 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
386 return 0;
387 }
388 } // else PrintAndLog("crc");
389 } // else PrintAndLog("r null");
390 } // retry
391 // TODO: need fix
392 // if (resp.arg[0]<3)
393 // PrintAndLog("Lost Connection");
394 // else if (ISO15_CRC_CHECK!=Crc(resp.d.asBytes,resp.arg[0]))
395 // PrintAndLog("CRC Failed");
396 // else
397 // PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
398 return 0;
399 }
400
401
402 // "HF 15" interface
403
404 static command_t CommandTable15[] =
405 {
406 {"help", CmdHF15Help, 1, "This help"},
407 {"demod", CmdHF15Demod, 1, "Demodulate ISO15693 from tag"},
408 {"read", CmdHF15Read, 0, "Read HF tag (ISO 15693)"},
409 {"record", CmdHF15Record, 0, "Record Samples (ISO 15693)"}, // atrox
410 {"reader", CmdHF15Reader, 0, "Act like an ISO15693 reader"},
411 {"sim", CmdHF15Sim, 0, "Fake an ISO15693 tag"},
412 {"cmd", CmdHF15Cmd, 0, "Send direct commands to ISO15693 tag"},
413 {"findafi", CmdHF15Afi, 0, "Brute force AFI of an ISO15693 tag"},
414 {"dumpmemory", CmdHF15DumpMem, 0, "Read all memory pages of an ISO15693 tag"},
415 {NULL, NULL, 0, NULL}
416 };
417
418 int CmdHF15(const char *Cmd)
419 {
420 CmdsParse(CommandTable15, Cmd);
421 return 0;
422 }
423
424 int CmdHF15Help(const char *Cmd)
425 {
426 CmdsHelp(CommandTable15);
427 return 0;
428 }
429
430
431 // "HF 15 Cmd" Interface
432 // Allows direct communication with the tag on command level
433
434 int CmdHF15CmdInquiry(const char *Cmd)
435 {
436 UsbCommand resp;
437 uint8_t *recv;
438 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
439 uint8_t *req=c.d.asBytes;
440 int reqlen=0;
441
442 req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
443 ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1;
444 req[1]=ISO15_CMD_INVENTORY;
445 req[2]=0; // mask length
446 reqlen=AddCrc(req,3);
447 c.arg[0]=reqlen;
448
449 SendCommand(&c);
450
451 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
452 if (resp.arg[0]>=12) {
453 recv = resp.d.asBytes;
454 PrintAndLog("UID=%s",sprintUID(NULL,&recv[2]));
455 PrintAndLog("Tag Info: %s",getTagInfo(&recv[2]));
456 } else {
457 PrintAndLog("Response to short, just %i bytes. No tag?\n",resp.arg[0]);
458 }
459 } else {
460 PrintAndLog("timeout.");
461 }
462 return 0;
463 }
464
465
466 // Turns debugging on(1)/off(0)
467 int CmdHF15CmdDebug( const char *cmd) {
468 int debug=atoi(cmd);
469 if (strlen(cmd)<1) {
470 PrintAndLog("Usage: hf 15 cmd debug <0|1>");
471 PrintAndLog(" 0 no debugging");
472 PrintAndLog(" 1 turn debugging on");
473 return 0;
474 }
475
476 UsbCommand c = {CMD_ISO_15693_DEBUG, {debug, 0, 0}};
477 SendCommand(&c);
478 return 0;
479 }
480
481
482 int CmdHF15CmdRaw (const char *cmd) {
483 UsbCommand resp;
484 uint8_t *recv;
485 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
486 int reply=1;
487 int fast=1;
488 int crc=0;
489 char buf[5]="";
490 int i=0;
491 uint8_t data[100];
492 unsigned int datalen=0, temp;
493 char *hexout;
494
495
496 if (strlen(cmd)<3) {
497 PrintAndLog("Usage: hf 15 cmd raw [-r] [-2] [-c] <0A 0B 0C ... hex>");
498 PrintAndLog(" -r do not read response");
499 PrintAndLog(" -2 use slower '1 out of 256' mode");
500 PrintAndLog(" -c calculate and append CRC");
501 PrintAndLog(" Tip: turn on debugging for verbose output");
502 return 0;
503 }
504
505 // strip
506 while (*cmd==' ' || *cmd=='\t') cmd++;
507
508 while (cmd[i]!='\0') {
509 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
510 if (cmd[i]=='-') {
511 switch (cmd[i+1]) {
512 case 'r':
513 case 'R':
514 reply=0;
515 break;
516 case '2':
517 fast=0;
518 break;
519 case 'c':
520 case 'C':
521 crc=1;
522 break;
523 default:
524 PrintAndLog("Invalid option");
525 return 0;
526 }
527 i+=2;
528 continue;
529 }
530 if ((cmd[i]>='0' && cmd[i]<='9') ||
531 (cmd[i]>='a' && cmd[i]<='f') ||
532 (cmd[i]>='A' && cmd[i]<='F') ) {
533 buf[strlen(buf)+1]=0;
534 buf[strlen(buf)]=cmd[i];
535 i++;
536
537 if (strlen(buf)>=2) {
538 sscanf(buf,"%x",&temp);
539 data[datalen]=(uint8_t)(temp & 0xff);
540 datalen++;
541 *buf=0;
542 }
543 continue;
544 }
545 PrintAndLog("Invalid char on input");
546 return 0;
547 }
548 if (crc) datalen=AddCrc(data,datalen);
549
550 c.arg[0]=datalen;
551 c.arg[1]=fast;
552 c.arg[2]=reply;
553 memcpy(c.d.asBytes,data,datalen);
554
555 SendCommand(&c);
556
557 if (reply) {
558 if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
559 recv = resp.d.asBytes;
560 PrintAndLog("received %i octets",resp.arg[0]);
561 hexout = (char *)malloc(resp.arg[0] * 3 + 1);
562 if (hexout != NULL) {
563 for (int i = 0; i < resp.arg[0]; i++) { // data in hex
564 sprintf(&hexout[i * 3], "%02X ", recv[i]);
565 }
566 PrintAndLog("%s", hexout);
567 free(hexout);
568 }
569 } else {
570 PrintAndLog("timeout while waiting for reply.");
571 }
572
573 } // if reply
574 return 0;
575 }
576
577
578 /**
579 * parses common HF 15 CMD parameters and prepares some data structures
580 * Parameters:
581 * **cmd command line
582 */
583 int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) {
584 int temp;
585 uint8_t *req = c->d.asBytes;
586 uint8_t uid[8] = {0x00};
587 uint32_t reqlen = 0;
588
589 // strip
590 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
591
592 if (strstr(*cmd,"-2")==*cmd) {
593 c->arg[1]=0; // use 1of256
594 (*cmd)+=2;
595 }
596
597 // strip
598 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
599
600 if (strstr(*cmd,"-o")==*cmd) {
601 req[reqlen]=ISO15_REQ_OPTION;
602 (*cmd)+=2;
603 }
604
605 // strip
606 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
607
608 switch (**cmd) {
609 case 0:
610 PrintAndLog("missing addr");
611 return 0;
612 break;
613 case 's':
614 case 'S':
615 // you must have selected the tag earlier
616 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
617 ISO15_REQ_NONINVENTORY | ISO15_REQ_SELECT;
618 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
619 reqlen+=iso15cmdlen;
620 break;
621 case 'u':
622 case 'U':
623 // unaddressed mode may not be supported by all vendors
624 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
625 ISO15_REQ_NONINVENTORY;
626 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
627 reqlen+=iso15cmdlen;
628 break;
629 case '*':
630 // we scan for the UID ourself
631 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
632 ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
633 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
634 reqlen+=iso15cmdlen;
635 if (!getUID(uid)) {
636 PrintAndLog("No Tag found");
637 return 0;
638 }
639 memcpy(req+reqlen,uid,8);
640 PrintAndLog("Detected UID %s",sprintUID(NULL,uid));
641 reqlen+=8;
642 break;
643 default:
644 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
645 ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
646 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
647 reqlen+=iso15cmdlen;
648
649 /* sscanf(cmd,"%hX%hX%hX%hX%hX%hX%hX%hX",
650 (short unsigned int *)&uid[7],(short unsigned int *)&uid[6],
651 (short unsigned int *)&uid[5],(short unsigned int *)&uid[4],
652 (short unsigned int *)&uid[3],(short unsigned int *)&uid[2],
653 (short unsigned int *)&uid[1],(short unsigned int *)&uid[0]); */
654 for (int i=0;i<8 && (*cmd)[i*2] && (*cmd)[i*2+1];i++) { // parse UID
655 sscanf((char[]){(*cmd)[i*2],(*cmd)[i*2+1],0},"%X",&temp);
656 uid[7-i]=temp&0xff;
657 }
658
659 PrintAndLog("Using UID %s",sprintUID(NULL,uid));
660 memcpy(&req[reqlen],&uid[0],8);
661 reqlen+=8;
662 }
663 // skip to next space
664 while (**cmd!=' ' && **cmd!='\t') (*cmd)++;
665 // skip over the space
666 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
667
668 c->arg[0]=reqlen;
669 return 1;
670 }
671
672 /**
673 * Commandline handling: HF15 CMD SYSINFO
674 * get system information from tag/VICC
675 */
676 int CmdHF15CmdSysinfo(const char *Cmd) {
677 UsbCommand resp;
678 uint8_t *recv;
679 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
680 uint8_t *req=c.d.asBytes;
681 int reqlen=0;
682 char cmdbuf[100];
683 char *cmd=cmdbuf;
684 char output[2048]="";
685 int i;
686
687 strncpy(cmd,Cmd,99);
688
689 // usage:
690 if (strlen(cmd)<1) {
691 PrintAndLog("Usage: hf 15 cmd sysinfo [options] <uid|s|u|*>");
692 PrintAndLog(" options:");
693 PrintAndLog(" -2 use slower '1 out of 256' mode");
694 PrintAndLog(" uid (either): ");
695 PrintAndLog(" <8B hex> full UID eg E011223344556677");
696 PrintAndLog(" s selected tag");
697 PrintAndLog(" u unaddressed mode");
698 PrintAndLog(" * scan for tag");
699 PrintAndLog(" start#: page number to start 0-255");
700 PrintAndLog(" count#: number of pages");
701 return 0;
702 }
703
704 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_SYSINFO},1);
705 reqlen=c.arg[0];
706
707 reqlen=AddCrc(req,reqlen);
708 c.arg[0]=reqlen;
709
710 SendCommand(&c);
711
712 if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && resp.arg[0]>2) {
713 recv = resp.d.asBytes;
714 if (ISO15_CRC_CHECK==Crc(recv,resp.arg[0])) {
715 if (!(recv[0] & ISO15_RES_ERROR)) {
716 *output=0; // reset outputstring
717 for ( i=1; i<resp.arg[0]-2; i++) {
718 sprintf(output+strlen(output),"%02X ",recv[i]);
719 }
720 strcat(output,"\n\r");
721 strcat(output,"UID = ");
722 strcat(output,sprintUID(NULL,recv+2));
723 strcat(output,"\n\r");
724 strcat(output,getTagInfo(recv+2)); //ABC
725 strcat(output,"\n\r");
726 i=10;
727 if (recv[1] & 0x01)
728 sprintf(output+strlen(output),"DSFID supported, set to %02X\n\r",recv[i++]);
729 else
730 strcat(output,"DSFID not supported\n\r");
731 if (recv[1] & 0x02)
732 sprintf(output+strlen(output),"AFI supported, set to %03X\n\r",recv[i++]);
733 else
734 strcat(output,"AFI not supported\n\r");
735 if (recv[1] & 0x04) {
736 strcat(output,"Tag provides info on memory layout (vendor dependent)\n\r");
737 sprintf(output+strlen(output)," %i (or %i) bytes/page x %i pages \n\r",
738 (recv[i+1]&0x1F)+1, (recv[i+1]&0x1F), recv[i]+1);
739 i+=2;
740 } else
741 strcat(output,"Tag does not provide information on memory layout\n\r");
742 if (recv[1] & 0x08) sprintf(output+strlen(output),"IC reference given: %02X\n\r",recv[i++]);
743 else strcat(output,"IC reference not given\n\r");
744
745
746 PrintAndLog("%s",output);
747 } else {
748 PrintAndLog("Tag returned Error %i: %s",recv[0],TagErrorStr(recv[0]));
749 }
750 } else {
751 PrintAndLog("CRC failed");
752 }
753 } else {
754 PrintAndLog("timeout: no answer");
755 }
756
757 return 0;
758 }
759
760 /**
761 * Commandline handling: HF15 CMD READMULTI
762 * Read multiple blocks at once (not all tags support this)
763 */
764 int CmdHF15CmdReadmulti(const char *Cmd) {
765 UsbCommand resp;
766 uint8_t *recv;
767 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
768 uint8_t *req=c.d.asBytes;
769 int reqlen=0, pagenum,pagecount;
770 char cmdbuf[100];
771 char *cmd=cmdbuf;
772 char output[2048]="";
773
774 strncpy(cmd,Cmd,99);
775
776 // usage:
777 if (strlen(cmd)<3) {
778 PrintAndLog("Usage: hf 15 cmd readmulti [options] <uid|s|u|*> <start#> <count#>");
779 PrintAndLog(" options:");
780 PrintAndLog(" -2 use slower '1 out of 256' mode");
781 PrintAndLog(" uid (either): ");
782 PrintAndLog(" <8B hex> full UID eg E011223344556677");
783 PrintAndLog(" s selected tag");
784 PrintAndLog(" u unaddressed mode");
785 PrintAndLog(" * scan for tag");
786 PrintAndLog(" start#: page number to start 0-255");
787 PrintAndLog(" count#: number of pages");
788 return 0;
789 }
790
791 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_READMULTI},1);
792 reqlen=c.arg[0];
793
794 pagenum=strtol(cmd,NULL,0);
795
796 // skip to next space
797 while (*cmd!=' ' && *cmd!='\t') cmd++;
798 // skip over the space
799 while (*cmd==' ' || *cmd=='\t') cmd++;
800
801 pagecount=strtol(cmd,NULL,0);
802 if (pagecount>0) pagecount--; // 0 means 1 page, 1 means 2 pages, ...
803
804 req[reqlen++]=(uint8_t)pagenum;
805 req[reqlen++]=(uint8_t)pagecount;
806
807 reqlen=AddCrc(req,reqlen);
808
809 c.arg[0]=reqlen;
810
811 SendCommand(&c);
812
813 if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && resp.arg[0]>2) {
814 recv = resp.d.asBytes;
815 if (ISO15_CRC_CHECK==Crc(recv,resp.arg[0])) {
816 if (!(recv[0] & ISO15_RES_ERROR)) {
817 *output=0; // reset outputstring
818 for ( int i=1; i<resp.arg[0]-2; i++) {
819 sprintf(output+strlen(output),"%02X ",recv[i]);
820 }
821 strcat(output," ");
822 for ( int i=1; i<resp.arg[0]-2; i++) {
823 sprintf(output+strlen(output),"%c",recv[i]>31 && recv[i]<127?recv[i]:'.');
824 }
825 PrintAndLog("%s",output);
826 } else {
827 PrintAndLog("Tag returned Error %i: %s",recv[0],TagErrorStr(recv[0]));
828 }
829 } else {
830 PrintAndLog("CRC failed");
831 }
832 } else {
833 PrintAndLog("no answer");
834 }
835
836 return 0;
837 }
838
839 /**
840 * Commandline handling: HF15 CMD READ
841 * Reads a single Block
842 */
843 int CmdHF15CmdRead(const char *Cmd) {
844 UsbCommand resp;
845 uint8_t *recv;
846 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
847 uint8_t *req=c.d.asBytes;
848 int reqlen=0, pagenum;
849 char cmdbuf[100];
850 char *cmd=cmdbuf;
851 char output[100]="";
852
853 strncpy(cmd,Cmd,99);
854
855 // usage:
856 if (strlen(cmd)<3) {
857 PrintAndLog("Usage: hf 15 cmd read [options] <uid|s|u|*> <page#>");
858 PrintAndLog(" options:");
859 PrintAndLog(" -2 use slower '1 out of 256' mode");
860 PrintAndLog(" uid (either): ");
861 PrintAndLog(" <8B hex> full UID eg E011223344556677");
862 PrintAndLog(" s selected tag");
863 PrintAndLog(" u unaddressed mode");
864 PrintAndLog(" * scan for tag");
865 PrintAndLog(" page#: page number 0-255");
866 return 0;
867 }
868
869 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_READ},1);
870 reqlen=c.arg[0];
871
872 pagenum=strtol(cmd,NULL,0);
873 /*if (pagenum<0) {
874 PrintAndLog("invalid pagenum");
875 return 0;
876 } */
877
878 req[reqlen++]=(uint8_t)pagenum;
879
880 reqlen=AddCrc(req,reqlen);
881
882 c.arg[0]=reqlen;
883
884 SendCommand(&c);
885
886 if (WaitForResponseTimeout(CMD_ACK,&resp,1000) && resp.arg[0]>2) {
887 recv = resp.d.asBytes;
888 if (ISO15_CRC_CHECK==Crc(recv,resp.arg[0])) {
889 if (!(recv[0] & ISO15_RES_ERROR)) {
890 *output=0; // reset outputstring
891 //sprintf(output, "Block %2i ",blocknum);
892 for ( int i=1; i<resp.arg[0]-2; i++) {
893 sprintf(output+strlen(output),"%02X ",recv[i]);
894 }
895 strcat(output," ");
896 for ( int i=1; i<resp.arg[0]-2; i++) {
897 sprintf(output+strlen(output),"%c",recv[i]>31 && recv[i]<127?recv[i]:'.');
898 }
899 PrintAndLog("%s",output);
900 } else {
901 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
902 }
903 } else {
904 PrintAndLog("CRC failed");
905 }
906 } else {
907 PrintAndLog("no answer");
908 }
909
910 return 0;
911 }
912
913
914 /**
915 * Commandline handling: HF15 CMD WRITE
916 * Writes a single Block - might run into timeout, even when successful
917 */
918 int CmdHF15CmdWrite(const char *Cmd) {
919 UsbCommand resp;
920 uint8_t *recv;
921 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
922 uint8_t *req=c.d.asBytes;
923 int reqlen=0, pagenum, temp;
924 char cmdbuf[100];
925 char *cmd=cmdbuf;
926 char *cmd2;
927
928 strncpy(cmd,Cmd,99);
929
930 // usage:
931 if (strlen(cmd)<3) {
932 PrintAndLog("Usage: hf 15 cmd write [options] <uid|s|u|*> <page#> <hexdata>");
933 PrintAndLog(" options:");
934 PrintAndLog(" -2 use slower '1 out of 256' mode");
935 PrintAndLog(" -o set OPTION Flag (needed for TI)");
936 PrintAndLog(" uid (either): ");
937 PrintAndLog(" <8B hex> full UID eg E011223344556677");
938 PrintAndLog(" s selected tag");
939 PrintAndLog(" u unaddressed mode");
940 PrintAndLog(" * scan for tag");
941 PrintAndLog(" page#: page number 0-255");
942 PrintAndLog(" hexdata: data to be written eg AA BB CC DD");
943 return 0;
944 }
945
946 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_WRITE},1);
947 reqlen=c.arg[0];
948
949 // *cmd -> page num ; *cmd2 -> data
950 cmd2=cmd;
951 while (*cmd2!=' ' && *cmd2!='\t' && *cmd2) cmd2++;
952 *cmd2=0;
953 cmd2++;
954
955 pagenum=strtol(cmd,NULL,0);
956 /*if (pagenum<0) {
957 PrintAndLog("invalid pagenum");
958 return 0;
959 } */
960 req[reqlen++]=(uint8_t)pagenum;
961
962
963 while (cmd2[0] && cmd2[1]) { // hexdata, read by 2 hexchars
964 if (*cmd2==' ') {
965 cmd2++;
966 continue;
967 }
968 sscanf((char[]){cmd2[0],cmd2[1],0},"%X",&temp);
969 req[reqlen++]=temp & 0xff;
970 cmd2+=2;
971 }
972
973 reqlen=AddCrc(req,reqlen);
974
975 c.arg[0]=reqlen;
976
977 SendCommand(&c);
978
979 if (WaitForResponseTimeout(CMD_ACK,&resp,2000) && resp.arg[0]>2) {
980 recv = resp.d.asBytes;
981 if (ISO15_CRC_CHECK==Crc(recv,resp.arg[0])) {
982 if (!(recv[0] & ISO15_RES_ERROR)) {
983 PrintAndLog("OK");
984 } else {
985 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
986 }
987 } else {
988 PrintAndLog("CRC failed");
989 }
990 } else {
991 PrintAndLog("timeout: no answer - data may be written anyway");
992 }
993
994 return 0;
995 }
996
997
998
999 static command_t CommandTable15Cmd[] =
1000 {
1001 {"help", CmdHF15CmdHelp, 1, "This Help"},
1002 {"inquiry", CmdHF15CmdInquiry, 0, "Search for tags in range"},
1003 /*
1004 {"select", CmdHF15CmdSelect, 0, "Select an tag with a specific UID for further commands"},
1005 */
1006 {"read", CmdHF15CmdRead, 0, "Read a block"},
1007 {"write", CmdHF15CmdWrite, 0, "Write a block"},
1008 {"readmulti",CmdHF15CmdReadmulti, 0, "Reads multiple Blocks"},
1009 {"sysinfo",CmdHF15CmdSysinfo, 0, "Get Card Information"},
1010 {"raw", CmdHF15CmdRaw, 0, "Send raw hex data to tag"},
1011 {"debug", CmdHF15CmdDebug, 0, "Turn debugging on/off"},
1012 {NULL, NULL, 0, NULL}
1013 };
1014
1015 int CmdHF15Cmd(const char *Cmd)
1016 {
1017 CmdsParse(CommandTable15Cmd, Cmd);
1018 return 0;
1019 }
1020
1021 int CmdHF15CmdHelp(const char *Cmd)
1022 {
1023 CmdsHelp(CommandTable15Cmd);
1024 return 0;
1025 }
1026
Impressum, Datenschutz