]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlft55xx.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Cleanup Code
[proxmark3-svn] / client / cmdlft55xx.c
1 //-----------------------------------------------------------------------------
2 //
3 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
4 // at your option, any later version. See the LICENSE.txt file for the text of
5 // the license.
6 //-----------------------------------------------------------------------------
7 // Low frequency T55xx commands
8 //-----------------------------------------------------------------------------
9
10 #include "cmdlft55xx.h"
11
12 #include <stdio.h>
13 #include <string.h>
14 #include <inttypes.h>
15 #include <ctype.h>
16 #include <time.h>
17 #include "comms.h"
18 #include "ui.h"
19 #include "graph.h"
20 #include "cmdmain.h"
21 #include "cmdparser.h"
22 #include "cmddata.h"
23 #include "cmdlf.h"
24 #include "util.h"
25 #include "lfdemod.h"
26 #include "protocols.h"
27 #include "taginfo.h"
28
29 #define T55x7_CONFIGURATION_BLOCK 0x00
30 #define T55x7_PAGE0 0x00
31 #define T55x7_PAGE1 0x01
32 //#define T55x7_PWD 0x00000010
33 #define REGULAR_READ_MODE_BLOCK 0xFF
34
35 // Default configuration
36 t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = false, .offset = 0x00, .block0 = 0x00, .Q5 = false };
37
38 t55xx_conf_block_t Get_t55xx_Config(){
39 return config;
40 }
41 void Set_t55xx_Config(t55xx_conf_block_t conf){
42 config = conf;
43 }
44
45 int usage_t55xx_config(){
46 PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");
47 PrintAndLog("Options:");
48 PrintAndLog(" h This help");
49 PrintAndLog(" b <8|16|32|40|50|64|100|128> Set bitrate");
50 PrintAndLog(" d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");
51 PrintAndLog(" i [1] Invert data signal, defaults to normal");
52 PrintAndLog(" o [offset] Set offset, where data should start decode in bitstream");
53 PrintAndLog(" Q5 Set as Q5(T5555) chip instead of T55x7");
54 PrintAndLog(" ST Set Sequence Terminator on");
55 PrintAndLog("");
56 PrintAndLog("Examples:");
57 PrintAndLog(" lf t55xx config d FSK - FSK demodulation");
58 PrintAndLog(" lf t55xx config d FSK i 1 - FSK demodulation, inverse data");
59 PrintAndLog(" lf t55xx config d FSK i 1 o 3 - FSK demodulation, inverse data, offset=3,start from position 3 to decode data");
60 PrintAndLog("");
61 return 0;
62 }
63 int usage_t55xx_read(){
64 PrintAndLog("Usage: lf t55xx read [b <block>] [p <password>] <override_safety> <page1>");
65 PrintAndLog("Options:");
66 PrintAndLog(" b <block> - block number to read. Between 0-7");
67 PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");
68 PrintAndLog(" o - OPTIONAL override safety check");
69 PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0");
70 PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");
71 PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference");
72 PrintAndLog(" ****WARNING****");
73 PrintAndLog(" Use of read with password on a tag not configured for a pwd");
74 PrintAndLog(" can damage the tag");
75 PrintAndLog("");
76 PrintAndLog("Examples:");
77 PrintAndLog(" lf t55xx read b 0 - read data from block 0");
78 PrintAndLog(" lf t55xx read b 0 p feedbeef - read data from block 0 password feedbeef");
79 PrintAndLog(" lf t55xx read b 0 p feedbeef o - read data from block 0 password feedbeef safety check");
80 PrintAndLog("");
81 return 0;
82 }
83 int usage_t55xx_write(){
84 PrintAndLog("Usage: lf t55xx write [b <block>] [d <data>] [p <password>] [1] [t]");
85 PrintAndLog("Options:");
86 PrintAndLog(" b <block> - block number to write. Between 0-7");
87 PrintAndLog(" d <data> - 4 bytes of data to write (8 hex characters)");
88 PrintAndLog(" p <password> - OPTIONAL password 4bytes (8 hex characters)");
89 PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0");
90 PrintAndLog(" t - OPTIONAL test mode write - ****DANGER****");
91 PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");
92 PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference");
93 PrintAndLog("");
94 PrintAndLog("Examples:");
95 PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3");
96 PrintAndLog(" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef");
97 PrintAndLog("");
98 return 0;
99 }
100 int usage_t55xx_trace() {
101 PrintAndLog("Usage: lf t55xx trace [1]");
102 PrintAndLog("Options:");
103 PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");
104 PrintAndLog("");
105 PrintAndLog("Examples:");
106 PrintAndLog(" lf t55xx trace");
107 PrintAndLog(" lf t55xx trace 1");
108 PrintAndLog("");
109 return 0;
110 }
111 int usage_t55xx_info() {
112 PrintAndLog("Usage: lf t55xx info [1]");
113 PrintAndLog("Options:");
114 PrintAndLog(" [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.");
115 PrintAndLog("");
116 PrintAndLog("Examples:");
117 PrintAndLog(" lf t55xx info");
118 PrintAndLog(" lf t55xx info 1");
119 PrintAndLog("");
120 return 0;
121 }
122 int usage_t55xx_dump(){
123 PrintAndLog("Usage: lf t55xx dump <password> [o]");
124 PrintAndLog("Options:");
125 PrintAndLog(" <password> - OPTIONAL password 4bytes (8 hex symbols)");
126 PrintAndLog(" o - OPTIONAL override, force pwd read despite danger to card");
127 PrintAndLog("");
128 PrintAndLog("Examples:");
129 PrintAndLog(" lf t55xx dump");
130 PrintAndLog(" lf t55xx dump feedbeef o");
131 PrintAndLog("");
132 return 0;
133 }
134 int usage_t55xx_detect(){
135 PrintAndLog("Usage: lf t55xx detect [1] [p <password>]");
136 PrintAndLog("Options:");
137 PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");
138 PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");
139 PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference");
140 PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference");
141 PrintAndLog("");
142 PrintAndLog("Examples:");
143 PrintAndLog(" lf t55xx detect");
144 PrintAndLog(" lf t55xx detect 1");
145 PrintAndLog(" lf t55xx detect p 11223344");
146 PrintAndLog("");
147 return 0;
148 }
149 int usage_t55xx_detectP1(){
150 PrintAndLog("Command: Detect Page 1 of a t55xx chip");
151 PrintAndLog("Usage: lf t55xx p1detect [1] [p <password>]");
152 PrintAndLog("Options:");
153 PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag.");
154 PrintAndLog(" p <password> - OPTIONAL password (8 hex characters)");
155 PrintAndLog("");
156 PrintAndLog("Examples:");
157 PrintAndLog(" lf t55xx p1detect");
158 PrintAndLog(" lf t55xx p1detect 1");
159 PrintAndLog(" lf t55xx p1detect p 11223344");
160 PrintAndLog("");
161 return 0;
162 }
163 int usage_t55xx_wakup(){
164 PrintAndLog("Usage: lf t55xx wakeup [h] <password>");
165 PrintAndLog("This commands send the Answer-On-Request command and leaves the readerfield ON afterwards.");
166 PrintAndLog("Options:");
167 PrintAndLog(" h - this help");
168 PrintAndLog(" <password> - [required] password 4bytes (8 hex symbols)");
169 PrintAndLog("");
170 PrintAndLog("Examples:");
171 PrintAndLog(" lf t55xx wakeup 11223344 - send wakeup password");
172 return 0;
173 }
174 int usage_t55xx_bruteforce(){
175 PrintAndLog("This command uses A) bruteforce to scan a number range");
176 PrintAndLog(" B) a dictionary attack");
177 PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
178 PrintAndLog(" password must be 4 bytes (8 hex symbols)");
179 PrintAndLog("Options:");
180 PrintAndLog(" h - this help");
181 PrintAndLog(" r <mode> - OPTIONAL downlink encoding '0' fixed bit length (default)");
182 PrintAndLog(" '1' long leading reference, '2' leading zero ");
183 PrintAndLog(" '3' 1 of 4 coding reference, '4' special - try all downlink modes");
184 PrintAndLog(" <start_pwd> - 4 byte hex value to start pwd search at");
185 PrintAndLog(" <end_pwd> - 4 byte hex value to end pwd search at");
186 PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>");
187 PrintAndLog("");
188 PrintAndLog("Examples:");
189 PrintAndLog(" lf t55xx bruteforce [r 2] aaaaaaaa bbbbbbbb");
190 PrintAndLog(" lf t55xx bruteforce [r 2] i default_pwd.dic");
191 PrintAndLog("");
192 return 0;
193 }
194 int usage_t55xx_wipe(){
195 PrintAndLog("Usage: lf t55xx wipe [h] [Q5]");
196 PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");
197 PrintAndLog("Options:");
198 PrintAndLog(" h - this help");
199 PrintAndLog(" Q5 - indicates to use the T5555 (Q5) default configuration block");
200 PrintAndLog("");
201 PrintAndLog("Examples:");
202 PrintAndLog(" lf t55xx wipe - wipes a t55x7 tag, config block 0x000880E0");
203 PrintAndLog(" lf t55xx wipe Q5 - wipes a t5555 Q5 tag, config block 0x6001F004");
204 return 0;
205 }
206
207
208 static int CmdHelp(const char *Cmd);
209
210 void printT5xxHeader(uint8_t page){
211 PrintAndLog("Reading Page %d:", page);
212 PrintAndLog("blk | hex data | binary");
213 PrintAndLog("----+----------+---------------------------------");
214 }
215
216 int CmdT55xxSetConfig(const char *Cmd) {
217
218 uint8_t offset = 0;
219 char modulation[6] = {0x00};
220 char tmp = 0x00;
221 uint8_t bitRate = 0;
222 uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};
223 uint8_t cmdp = 0;
224 bool errors = false;
225 while(param_getchar(Cmd, cmdp) != 0x00 && !errors)
226 {
227 tmp = param_getchar(Cmd, cmdp);
228 switch(tmp)
229 {
230 case 'h':
231 case 'H':
232 return usage_t55xx_config();
233 case 'b':
234 errors |= param_getdec(Cmd, cmdp+1, &bitRate);
235 if ( !errors){
236 uint8_t i = 0;
237 for (; i < 9; i++){
238 if (rates[i]==bitRate) {
239 config.bitrate = i;
240 break;
241 }
242 }
243 if (i==9) errors = true;
244 }
245 cmdp+=2;
246 break;
247 case 'd':
248 param_getstr(Cmd, cmdp+1, modulation, sizeof(modulation));
249 cmdp += 2;
250
251 if ( strcmp(modulation, "FSK" ) == 0) {
252 config.modulation = DEMOD_FSK;
253 } else if ( strcmp(modulation, "FSK1" ) == 0) {
254 config.modulation = DEMOD_FSK1;
255 config.inverted=1;
256 } else if ( strcmp(modulation, "FSK1a" ) == 0) {
257 config.modulation = DEMOD_FSK1a;
258 config.inverted=0;
259 } else if ( strcmp(modulation, "FSK2" ) == 0) {
260 config.modulation = DEMOD_FSK2;
261 config.inverted=0;
262 } else if ( strcmp(modulation, "FSK2a" ) == 0) {
263 config.modulation = DEMOD_FSK2a;
264 config.inverted=1;
265 } else if ( strcmp(modulation, "ASK" ) == 0) {
266 config.modulation = DEMOD_ASK;
267 } else if ( strcmp(modulation, "NRZ" ) == 0) {
268 config.modulation = DEMOD_NRZ;
269 } else if ( strcmp(modulation, "PSK1" ) == 0) {
270 config.modulation = DEMOD_PSK1;
271 } else if ( strcmp(modulation, "PSK2" ) == 0) {
272 config.modulation = DEMOD_PSK2;
273 } else if ( strcmp(modulation, "PSK3" ) == 0) {
274 config.modulation = DEMOD_PSK3;
275 } else if ( strcmp(modulation, "BIa" ) == 0) {
276 config.modulation = DEMOD_BIa;
277 config.inverted=1;
278 } else if ( strcmp(modulation, "BI" ) == 0) {
279 config.modulation = DEMOD_BI;
280 config.inverted=0;
281 } else {
282 PrintAndLog("Unknown modulation '%s'", modulation);
283 errors = true;
284 }
285 break;
286 case 'i':
287 config.inverted = param_getchar(Cmd,cmdp+1) == '1';
288 cmdp+=2;
289 break;
290 case 'o':
291 errors |= param_getdec(Cmd, cmdp+1, &offset);
292 if ( !errors )
293 config.offset = offset;
294 cmdp+=2;
295 break;
296 case 'Q':
297 case 'q':
298 config.Q5 = true;
299 cmdp++;
300 break;
301 case 'S':
302 case 's':
303 config.ST = true;
304 cmdp++;
305 break;
306 default:
307 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
308 errors = true;
309 break;
310 }
311 }
312
313 // No args
314 if (cmdp == 0) return printConfiguration( config );
315
316 //Validations
317 if (errors) return usage_t55xx_config();
318
319 config.block0 = 0;
320 return printConfiguration ( config );
321 }
322
323 int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){
324 //Password mode
325 if ( usepwd ) {
326 // try reading the config block and verify that PWD bit is set before doing this!
327 if ( !override ) {
328 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0,downlink_mode ) ) return 0;
329 if ( !tryDetectModulation() ) {
330 PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
331 return 0;
332 } else {
333 PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");
334 usepwd = false;
335 page1 = false;
336 }
337 } else {
338 PrintAndLog("Safety Check Overriden - proceeding despite risk");
339 }
340 }
341
342 if (!AquireData(page1, block, usepwd, password,downlink_mode) ) return 0;
343 if (!DecodeT55xxBlock()) return 0;
344
345 char blk[10]={0};
346 sprintf(blk,"%d", block);
347 printT55xxBlock(blk);
348 return 1;
349 }
350
351 int CmdT55xxReadBlock(const char *Cmd) {
352 uint8_t block = REGULAR_READ_MODE_BLOCK;
353 uint32_t password = 0; //default to blank Block 7
354 uint8_t downlink_mode = 0;
355
356 bool usepwd = false;
357 bool override = false;
358 bool page1 = false;
359 bool errors = false;
360 uint8_t cmdp = 0;
361 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
362 switch(param_getchar(Cmd, cmdp)) {
363 case 'h':
364 case 'H':
365 return usage_t55xx_read();
366 case 'b':
367 case 'B':
368 errors |= param_getdec(Cmd, cmdp+1, &block);
369 cmdp += 2;
370 break;
371 case 'o':
372 case 'O':
373 override = true;
374 cmdp++;
375 break;
376 case 'p':
377 case 'P':
378 password = param_get32ex(Cmd, cmdp+1, 0, 16);
379 usepwd = true;
380 cmdp += 2;
381 break;
382 case '1':
383 page1 = true;
384 cmdp++;
385 break;
386 case 'r':
387 case 'R':
388 downlink_mode = param_getchar(Cmd, cmdp+1) - '0';
389 if (downlink_mode > 3) downlink_mode = 0;
390 cmdp +=2;
391 break;
392 default:
393 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
394 errors = true;
395 break;
396 }
397 }
398 if (errors) return usage_t55xx_read();
399
400 if (block > 7 && block != REGULAR_READ_MODE_BLOCK ) {
401 PrintAndLog("Block must be between 0 and 7");
402 return 0;
403 }
404
405 printT5xxHeader(page1);
406 return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode);
407 }
408
409 bool DecodeT55xxBlock(){
410
411 char buf[30] = {0x00};
412 char *cmdStr = buf;
413 int ans = 0;
414 bool ST = config.ST;
415 uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};
416 DemodBufferLen = 0x00;
417
418 switch( config.modulation ){
419 case DEMOD_FSK:
420 snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );
421 ans = FSKrawDemod(cmdStr, false);
422 break;
423 case DEMOD_FSK1:
424 case DEMOD_FSK1a:
425 snprintf(cmdStr, sizeof(buf),"%d %d 8 5", bitRate[config.bitrate], config.inverted );
426 ans = FSKrawDemod(cmdStr, false);
427 break;
428 case DEMOD_FSK2:
429 case DEMOD_FSK2a:
430 snprintf(cmdStr, sizeof(buf),"%d %d 10 8", bitRate[config.bitrate], config.inverted );
431 ans = FSKrawDemod(cmdStr, false);
432 break;
433 case DEMOD_ASK:
434 snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
435 ans = ASKDemod_ext(cmdStr, false, false, 1, &ST);
436 break;
437 case DEMOD_PSK1:
438 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
439 save_restoreGB(GRAPH_SAVE);
440 CmdLtrim("160");
441 snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );
442 ans = PSKDemod(cmdStr, false);
443 //undo trim samples
444 save_restoreGB(GRAPH_RESTORE);
445 break;
446 case DEMOD_PSK2: //inverted won't affect this
447 case DEMOD_PSK3: //not fully implemented
448 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
449 save_restoreGB(GRAPH_SAVE);
450 CmdLtrim("160");
451 snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );
452 ans = PSKDemod(cmdStr, false);
453 psk1TOpsk2(DemodBuffer, DemodBufferLen);
454 //undo trim samples
455 save_restoreGB(GRAPH_RESTORE);
456 break;
457 case DEMOD_NRZ:
458 snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
459 ans = NRZrawDemod(cmdStr, false);
460 break;
461 case DEMOD_BI:
462 case DEMOD_BIa:
463 snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted );
464 ans = ASKbiphaseDemod(cmdStr, false);
465 break;
466 default:
467 return false;
468 }
469 return (bool) ans;
470 }
471
472 bool DecodeT5555TraceBlock() {
473 DemodBufferLen = 0x00;
474
475 // According to datasheet. Always: RF/64, not inverted, Manchester
476 return (bool) ASKDemod("64 0 1", false, false, 1);
477 }
478
479 int CmdT55xxDetect(const char *Cmd){
480 bool errors = false;
481 bool useGB = false;
482 bool usepwd = false;
483 uint32_t password = 0;
484 uint8_t cmdp = 0;
485 uint8_t downlink_mode = 0;
486
487 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
488 switch(param_getchar(Cmd, cmdp)) {
489 case 'h':
490 case 'H':
491 return usage_t55xx_detect();
492 case 'p':
493 case 'P':
494 password = param_get32ex(Cmd, cmdp+1, 0, 16);
495 usepwd = true;
496 cmdp += 2;
497 break;
498 case '1':
499 // use Graphbuffer data
500 useGB = true;
501 cmdp++;
502 break;
503 case 'r':
504 case 'R':
505 downlink_mode = param_getchar(Cmd, cmdp+1) - '0';
506 if (downlink_mode > 3) downlink_mode = 0;
507 cmdp +=2;
508 break;
509 default:
510 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
511 errors = true;
512 break;
513 }
514 }
515 if (errors) return usage_t55xx_detect();
516
517 if ( !useGB) {
518 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password,downlink_mode) )
519 return 0;
520 }
521
522 if ( !tryDetectModulation() )
523 PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");
524 else {
525 // Add downlink mode to reference.
526 switch (downlink_mode) {
527 case 0 : PrintAndLog ("Downlink : r 0 - default/fixed bit length"); break;
528 case 1 : PrintAndLog ("Downlink : r 1 - long leading reference"); break;
529 case 2 : PrintAndLog ("Downlink : r 2 - leading zero reference"); break;
530 case 3 : PrintAndLog ("Downlink : r 3 - 1 of 4 coding reference"); break;
531 }
532 }
533 return 1;
534 }
535
536 // detect configuration?
537 bool tryDetectModulation(){
538 uint8_t hits = 0;
539 t55xx_conf_block_t tests[15];
540 int bitRate=0;
541 uint8_t fc1 = 0, fc2 = 0, ans = 0;
542 int clk = 0, firstClockEdge = 0;
543 ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge);
544 if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) {
545 if ( FSKrawDemod("0 0", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
546 tests[hits].modulation = DEMOD_FSK;
547 if (fc1==8 && fc2 == 5)
548 tests[hits].modulation = DEMOD_FSK1a;
549 else if (fc1==10 && fc2 == 8)
550 tests[hits].modulation = DEMOD_FSK2;
551 tests[hits].bitrate = bitRate;
552 tests[hits].inverted = false;
553 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
554 tests[hits].ST = false;
555 ++hits;
556 }
557 if ( FSKrawDemod("0 1", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
558 tests[hits].modulation = DEMOD_FSK;
559 if (fc1 == 8 && fc2 == 5)
560 tests[hits].modulation = DEMOD_FSK1;
561 else if (fc1 == 10 && fc2 == 8)
562 tests[hits].modulation = DEMOD_FSK2a;
563 tests[hits].bitrate = bitRate;
564 tests[hits].inverted = true;
565 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
566 tests[hits].ST = false;
567 ++hits;
568 }
569 } else {
570 clk = GetAskClock("", false, false);
571 if (clk>0) {
572 tests[hits].ST = true;
573 if ( ASKDemod_ext("0 0 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
574 tests[hits].modulation = DEMOD_ASK;
575 tests[hits].bitrate = bitRate;
576 tests[hits].inverted = false;
577 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
578 ++hits;
579 }
580 tests[hits].ST = true;
581 if ( ASKDemod_ext("0 1 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
582 tests[hits].modulation = DEMOD_ASK;
583 tests[hits].bitrate = bitRate;
584 tests[hits].inverted = true;
585 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
586 ++hits;
587 }
588 if ( ASKbiphaseDemod("0 0 0 2", false) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
589 tests[hits].modulation = DEMOD_BI;
590 tests[hits].bitrate = bitRate;
591 tests[hits].inverted = false;
592 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
593 tests[hits].ST = false;
594 ++hits;
595 }
596 if ( ASKbiphaseDemod("0 0 1 2", false) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
597 tests[hits].modulation = DEMOD_BIa;
598 tests[hits].bitrate = bitRate;
599 tests[hits].inverted = true;
600 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
601 tests[hits].ST = false;
602 ++hits;
603 }
604 }
605 clk = GetNrzClock("", false, false);
606 if (clk>8) { //clock of rf/8 is likely a false positive, so don't use it.
607 if ( NRZrawDemod("0 0 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
608 tests[hits].modulation = DEMOD_NRZ;
609 tests[hits].bitrate = bitRate;
610 tests[hits].inverted = false;
611 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
612 tests[hits].ST = false;
613 ++hits;
614 }
615
616 if ( NRZrawDemod("0 1 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
617 tests[hits].modulation = DEMOD_NRZ;
618 tests[hits].bitrate = bitRate;
619 tests[hits].inverted = true;
620 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
621 tests[hits].ST = false;
622 ++hits;
623 }
624 }
625
626 clk = GetPskClock("", false, false);
627 if (clk>0) {
628 // allow undo
629 save_restoreGB(GRAPH_SAVE);
630 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
631 CmdLtrim("160");
632 if ( PSKDemod("0 0 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
633 tests[hits].modulation = DEMOD_PSK1;
634 tests[hits].bitrate = bitRate;
635 tests[hits].inverted = false;
636 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
637 tests[hits].ST = false;
638 ++hits;
639 }
640 if ( PSKDemod("0 1 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
641 tests[hits].modulation = DEMOD_PSK1;
642 tests[hits].bitrate = bitRate;
643 tests[hits].inverted = true;
644 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
645 tests[hits].ST = false;
646 ++hits;
647 }
648 // PSK2 - needs a call to psk1TOpsk2.
649 if ( PSKDemod("0 0 6", false)) {
650 psk1TOpsk2(DemodBuffer, DemodBufferLen);
651 if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
652 tests[hits].modulation = DEMOD_PSK2;
653 tests[hits].bitrate = bitRate;
654 tests[hits].inverted = false;
655 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
656 tests[hits].ST = false;
657 ++hits;
658 }
659 } // inverse waves does not affect this demod
660 // PSK3 - needs a call to psk1TOpsk2.
661 if ( PSKDemod("0 0 6", false)) {
662 psk1TOpsk2(DemodBuffer, DemodBufferLen);
663 if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
664 tests[hits].modulation = DEMOD_PSK3;
665 tests[hits].bitrate = bitRate;
666 tests[hits].inverted = false;
667 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
668 tests[hits].ST = false;
669 ++hits;
670 }
671 } // inverse waves does not affect this demod
672 //undo trim samples
673 save_restoreGB(GRAPH_RESTORE);
674 }
675 }
676 if ( hits == 1) {
677 config.modulation = tests[0].modulation;
678 config.bitrate = tests[0].bitrate;
679 config.inverted = tests[0].inverted;
680 config.offset = tests[0].offset;
681 config.block0 = tests[0].block0;
682 config.Q5 = tests[0].Q5;
683 config.ST = tests[0].ST;
684 printConfiguration( config );
685 return true;
686 }
687
688 if ( hits > 1) {
689 PrintAndLog("Found [%d] possible matches for modulation.",hits);
690 for(int i=0; i<hits; ++i){
691 PrintAndLog("--[%d]---------------", i+1);
692 printConfiguration( tests[i] );
693 }
694 }
695 return false;
696 }
697
698 bool testModulation(uint8_t mode, uint8_t modread){
699 switch( mode ){
700 case DEMOD_FSK:
701 if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return true;
702 break;
703 case DEMOD_ASK:
704 if (modread == DEMOD_ASK) return true;
705 break;
706 case DEMOD_PSK1:
707 if (modread == DEMOD_PSK1) return true;
708 break;
709 case DEMOD_PSK2:
710 if (modread == DEMOD_PSK2) return true;
711 break;
712 case DEMOD_PSK3:
713 if (modread == DEMOD_PSK3) return true;
714 break;
715 case DEMOD_NRZ:
716 if (modread == DEMOD_NRZ) return true;
717 break;
718 case DEMOD_BI:
719 if (modread == DEMOD_BI) return true;
720 break;
721 case DEMOD_BIa:
722 if (modread == DEMOD_BIa) return true;
723 break;
724 default:
725 return false;
726 }
727 return false;
728 }
729
730 bool testQ5Modulation(uint8_t mode, uint8_t modread){
731 switch( mode ){
732 case DEMOD_FSK:
733 if (modread >= 4 && modread <= 5) return true;
734 break;
735 case DEMOD_ASK:
736 if (modread == 0) return true;
737 break;
738 case DEMOD_PSK1:
739 if (modread == 1) return true;
740 break;
741 case DEMOD_PSK2:
742 if (modread == 2) return true;
743 break;
744 case DEMOD_PSK3:
745 if (modread == 3) return true;
746 break;
747 case DEMOD_NRZ:
748 if (modread == 7) return true;
749 break;
750 case DEMOD_BI:
751 if (modread == 6) return true;
752 break;
753 default:
754 return false;
755 }
756 return false;
757 }
758
759 int convertQ5bitRate(uint8_t bitRateRead) {
760 uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
761 for (int i=0; i<8; i++)
762 if (expected[i] == bitRateRead)
763 return i;
764
765 return -1;
766 }
767
768 bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){
769
770 if ( DemodBufferLen < 64 ) return false;
771 uint8_t si = 0;
772 for (uint8_t idx = 28; idx < 64; idx++){
773 si = idx;
774 if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;
775
776 uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key
777 uint8_t resv = PackBits(si, 8, DemodBuffer); si += 8;
778 // 2nibble must be zeroed.
779 if (safer != 0x6 && safer != 0x9) continue;
780 if ( resv > 0x00) continue;
781 //uint8_t pageSel = PackBits(si, 1, DemodBuffer); si += 1;
782 //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;
783 si += 1+1;
784 int bitRate = PackBits(si, 6, DemodBuffer)*2 + 2; si += 6; //bit rate
785 if (bitRate > 128 || bitRate < 8) continue;
786
787 //uint8_t AOR = PackBits(si, 1, DemodBuffer); si += 1;
788 //uint8_t PWD = PackBits(si, 1, DemodBuffer); si += 1;
789 //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2; //could check psk cr
790 //uint8_t inverse = PackBits(si, 1, DemodBuffer); si += 1;
791 si += 1+1+2+1;
792 uint8_t modread = PackBits(si, 3, DemodBuffer); si += 3;
793 uint8_t maxBlk = PackBits(si, 3, DemodBuffer); si += 3;
794 //uint8_t ST = PackBits(si, 1, DemodBuffer); si += 1;
795 if (maxBlk == 0) continue;
796 //test modulation
797 if (!testQ5Modulation(mode, modread)) continue;
798 if (bitRate != clk) continue;
799 *fndBitRate = convertQ5bitRate(bitRate);
800 if (*fndBitRate < 0) continue;
801 *offset = idx;
802
803 return true;
804 }
805 return false;
806 }
807
808 bool testBitRate(uint8_t readRate, uint8_t clk){
809 uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
810 if (expected[readRate] == clk)
811 return true;
812
813 return false;
814 }
815
816 bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){
817
818 if ( DemodBufferLen < 64 ) return false;
819 uint8_t si = 0;
820 for (uint8_t idx = 28; idx < 64; idx++){
821 si = idx;
822 if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;
823
824 uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key
825 uint8_t resv = PackBits(si, 4, DemodBuffer); si += 4; //was 7 & +=7+3 //should be only 4 bits if extended mode
826 // 2nibble must be zeroed.
827 // moved test to here, since this gets most faults first.
828 if ( resv > 0x00) continue;
829
830 int bitRate = PackBits(si, 6, DemodBuffer); si += 6; //bit rate (includes extended mode part of rate)
831 uint8_t extend = PackBits(si, 1, DemodBuffer); si += 1; //bit 15 extended mode
832 uint8_t modread = PackBits(si, 5, DemodBuffer); si += 5+2+1;
833 //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2+1; //could check psk cr
834 //uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode
835 //uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2;
836
837 //if extended mode
838 bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? true : false;
839
840 if (!extMode) {
841 if (bitRate > 7) continue;
842 if (!testBitRate(bitRate, clk)) continue;
843 } else { //extended mode bitrate = same function to calc bitrate as em4x05
844 if (EM4x05_GET_BITRATE(bitRate) != clk) continue;
845
846 }
847 //test modulation
848 if (!testModulation(mode, modread)) continue;
849 *fndBitRate = bitRate;
850 *offset = idx;
851 *Q5 = false;
852 return true;
853 }
854 if (testQ5(mode, offset, fndBitRate, clk)) {
855 *Q5 = true;
856 return true;
857 }
858 return false;
859 }
860
861 void printT55xxBlock(const char *blockNum){
862
863 uint8_t i = config.offset;
864 uint8_t endpos = 32 + i;
865 uint32_t blockData = 0;
866 uint8_t bits[64] = {0x00};
867
868 if ( !DemodBufferLen) return;
869
870 if ( endpos > DemodBufferLen){
871 PrintAndLog("The configured offset %d is too big. Possible offset: %d)", i, DemodBufferLen-32);
872 return;
873 }
874
875 for (; i < endpos; ++i)
876 bits[i - config.offset]=DemodBuffer[i];
877
878 blockData = PackBits(0, 32, bits);
879
880 PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));
881 }
882
883 int special(const char *Cmd) {
884 uint32_t blockData = 0;
885 uint8_t bits[32] = {0x00};
886
887 PrintAndLog("OFFSET | DATA | BINARY");
888 PrintAndLog("----------------------------------------------------");
889 int i,j = 0;
890 for (; j < 64; ++j){
891
892 for (i = 0; i < 32; ++i)
893 bits[i]=DemodBuffer[j+i];
894
895 blockData = PackBits(0, 32, bits);
896
897 PrintAndLog(" %02d | 0x%08X | %s",j , blockData, sprint_bin(bits,32));
898 }
899 return 0;
900 }
901
902 int printConfiguration( t55xx_conf_block_t b){
903 PrintAndLog("Chip Type : %s", (b.Q5) ? "T5555(Q5)" : "T55x7");
904 PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) );
905 PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate, (b.block0 & T55x7_X_MODE && (b.block0>>28==6 || b.block0>>28==9))) );
906 PrintAndLog("Inverted : %s", (b.inverted) ? "Yes" : "No" );
907 PrintAndLog("Offset : %d", b.offset);
908 PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" );
909 PrintAndLog("Block0 : 0x%08X", b.block0);
910 PrintAndLog("");
911 return 0;
912 }
913
914 int CmdT55xxWakeUp(const char *Cmd) {
915 uint32_t password = 0;
916 if ( strlen(Cmd) <= 0 ) return usage_t55xx_wakup();
917 char cmdp = param_getchar(Cmd, 0);
918 if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wakup();
919
920 password = param_get32ex(Cmd, 0, 0, 16);
921
922 UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};
923 clearCommandBuffer();
924 SendCommand(&c);
925 PrintAndLog("Wake up command sent. Try read now");
926 return 0;
927 }
928
929 int CmdT55xxWriteBlock(const char *Cmd) {
930 uint8_t block = 0xFF; //default to invalid block
931 uint32_t data = 0; //default to blank Block
932 uint32_t password = 0; //default to blank Block 7
933 uint32_t downlink_mode = 0;
934
935 bool usepwd = false;
936 bool page1 = false;
937 bool gotdata = false;
938 bool testMode = false;
939 bool errors = false;
940 uint8_t cmdp = 0;
941 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
942 switch(param_getchar(Cmd, cmdp)) {
943 case 'h':
944 case 'H':
945 return usage_t55xx_write();
946 case 'b':
947 case 'B':
948 errors |= param_getdec(Cmd, cmdp+1, &block);
949 cmdp += 2;
950 break;
951 case 'd':
952 case 'D':
953 data = param_get32ex(Cmd, cmdp+1, 0, 16);
954 gotdata = true;
955 cmdp += 2;
956 break;
957 case 'p':
958 case 'P':
959 password = param_get32ex(Cmd, cmdp+1, 0, 16);
960 usepwd = true;
961 cmdp += 2;
962 break;
963 case 't':
964 case 'T':
965 testMode = true;
966 cmdp++;
967 break;
968 case '1':
969 page1 = true;
970 cmdp++;
971 break;
972 case 'r':
973 case 'R':
974 downlink_mode = param_getchar(Cmd, cmdp+1) - '0';
975 if (downlink_mode > 3) downlink_mode = 0;
976 cmdp +=2;
977 break;
978 default:
979 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
980 errors = true;
981 break;
982 }
983 }
984 if (errors || !gotdata) return usage_t55xx_write();
985
986 if (block > 7) {
987 PrintAndLog("Block number must be between 0 and 7");
988 return 0;
989 }
990
991 UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};
992 UsbCommand resp;
993 c.d.asBytes[0] = (page1) ? 0x2 : 0;
994 c.d.asBytes[0] |= (testMode) ? 0x4 : 0;
995 c.d.asBytes[0] |= (downlink_mode << 3);
996
997 char pwdStr[16] = {0};
998 snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);
999
1000 PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" );
1001
1002 //Password mode
1003 if (usepwd) {
1004 c.arg[2] = password;
1005 c.d.asBytes[0] |= 0x1;
1006 }
1007
1008 clearCommandBuffer();
1009 SendCommand(&c);
1010 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
1011 PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");
1012 return 0;
1013 }
1014 return 1;
1015 }
1016
1017 int CmdT55xxReadTrace(const char *Cmd) {
1018 char cmdp = param_getchar(Cmd, 0);
1019 bool pwdmode = false;
1020 uint32_t password = 0;
1021 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H')
1022 return usage_t55xx_trace();
1023
1024 if (strlen(Cmd)==0)
1025 if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password,0 ) )
1026 return 0;
1027
1028 if ( config.Q5 ) {
1029 if (!DecodeT5555TraceBlock()) return 0;
1030 } else {
1031 if (!DecodeT55xxBlock()) return 0;
1032 }
1033
1034 if ( !DemodBufferLen ) return 0;
1035
1036 RepaintGraphWindow();
1037 uint8_t repeat = (config.offset > 5) ? 32 : 0;
1038
1039 uint8_t si = config.offset+repeat;
1040 uint32_t bl1 = PackBits(si, 32, DemodBuffer);
1041 uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);
1042
1043 if (config.Q5) {
1044 uint32_t hdr = PackBits(si, 9, DemodBuffer); si += 9;
1045
1046 if (hdr != 0x1FF) {
1047 PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);
1048 return 0;
1049 }
1050
1051 t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};
1052
1053 data.icr = PackBits(si, 2, DemodBuffer); si += 2;
1054 data.lotidc = 'Z' - PackBits(si, 2, DemodBuffer); si += 3;
1055
1056 data.lotid = PackBits(si, 4, DemodBuffer); si += 5;
1057 data.lotid <<= 4;
1058 data.lotid |= PackBits(si, 4, DemodBuffer); si += 5;
1059 data.lotid <<= 4;
1060 data.lotid |= PackBits(si, 4, DemodBuffer); si += 5;
1061 data.lotid <<= 4;
1062 data.lotid |= PackBits(si, 4, DemodBuffer); si += 5;
1063 data.lotid <<= 1;
1064 data.lotid |= PackBits(si, 1, DemodBuffer); si += 1;
1065
1066 data.wafer = PackBits(si, 3, DemodBuffer); si += 4;
1067 data.wafer <<= 2;
1068 data.wafer |= PackBits(si, 2, DemodBuffer); si += 2;
1069
1070 data.dw = PackBits(si, 2, DemodBuffer); si += 3;
1071 data.dw <<= 4;
1072 data.dw |= PackBits(si, 4, DemodBuffer); si += 5;
1073 data.dw <<= 4;
1074 data.dw |= PackBits(si, 4, DemodBuffer); si += 5;
1075 data.dw <<= 4;
1076 data.dw |= PackBits(si, 4, DemodBuffer); si += 5;
1077
1078 printT5555Trace(data, repeat);
1079
1080 } else {
1081
1082 t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0, .lotid = 0, .wafer = 0, .dw = 0};
1083
1084 data.acl = PackBits(si, 8, DemodBuffer); si += 8;
1085 if ( data.acl != 0xE0 ) {
1086 PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");
1087 return 0;
1088 }
1089
1090 data.mfc = PackBits(si, 8, DemodBuffer); si += 8;
1091 data.cid = PackBits(si, 5, DemodBuffer); si += 5;
1092 data.icr = PackBits(si, 3, DemodBuffer); si += 3;
1093 data.year = PackBits(si, 4, DemodBuffer); si += 4;
1094 data.quarter = PackBits(si, 2, DemodBuffer); si += 2;
1095 data.lotid = PackBits(si, 14, DemodBuffer); si += 14;
1096 data.wafer = PackBits(si, 5, DemodBuffer); si += 5;
1097 data.dw = PackBits(si, 15, DemodBuffer);
1098
1099 time_t t = time(NULL);
1100 struct tm tm = *localtime(&t);
1101 if ( data.year > tm.tm_year-110)
1102 data.year += 2000;
1103 else
1104 data.year += 2010;
1105
1106 printT55x7Trace(data, repeat);
1107 }
1108 return 0;
1109 }
1110
1111 void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){
1112 PrintAndLog("-- T55x7 Trace Information ----------------------------------");
1113 PrintAndLog("-------------------------------------------------------------");
1114 PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", data.acl, data.acl);
1115 PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", data.mfc, data.mfc, getManufacturerName(data.mfc));
1116 PrintAndLog(" CID : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));
1117 PrintAndLog(" ICR IC Revision : %d", data.icr );
1118 PrintAndLog(" Manufactured");
1119 PrintAndLog(" Year/Quarter : %d/%d", data.year, data.quarter);
1120 PrintAndLog(" Lot ID : %d", data.lotid );
1121 PrintAndLog(" Wafer number : %d", data.wafer);
1122 PrintAndLog(" Die Number : %d", data.dw);
1123 PrintAndLog("-------------------------------------------------------------");
1124 PrintAndLog(" Raw Data - Page 1");
1125 PrintAndLog(" Block 1 : 0x%08X %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );
1126 PrintAndLog(" Block 2 : 0x%08X %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );
1127 PrintAndLog("-------------------------------------------------------------");
1128
1129 /*
1130 TRACE - BLOCK O
1131 Bits Definition HEX
1132 1-8 ACL Allocation class (ISO/IEC 15963-1) 0xE0
1133 9-16 MFC Manufacturer ID (ISO/IEC 7816-6) 0x15 Atmel Corporation
1134 17-21 CID 0x1 = Atmel ATA5577M1 0x2 = Atmel ATA5577M2
1135 22-24 ICR IC revision
1136 25-28 YEAR (BCD encoded) 9 (= 2009)
1137 29-30 QUARTER 1,2,3,4
1138 31-32 LOT ID
1139
1140 TRACE - BLOCK 1
1141 1-12 LOT ID
1142 13-17 Wafer number
1143 18-32 DW, die number sequential
1144 */
1145 }
1146
1147 void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){
1148 PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");
1149 PrintAndLog("-------------------------------------------------------------");
1150 PrintAndLog(" ICR IC Revision : %d", data.icr );
1151 PrintAndLog(" Lot : %c%d", data.lotidc, data.lotid);
1152 PrintAndLog(" Wafer number : %d", data.wafer);
1153 PrintAndLog(" Die Number : %d", data.dw);
1154 PrintAndLog("-------------------------------------------------------------");
1155 PrintAndLog(" Raw Data - Page 1");
1156 PrintAndLog(" Block 1 : 0x%08X %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );
1157 PrintAndLog(" Block 2 : 0x%08X %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );
1158
1159 /*
1160 ** Q5 **
1161 TRACE - BLOCK O and BLOCK1
1162 Bits Definition HEX
1163 1-9 Header 0x1FF
1164 10-11 IC Revision
1165 12-13 Lot ID char
1166 15-35 Lot ID (NB parity)
1167 36-41 Wafer number (NB parity)
1168 42-58 DW, die number sequential (NB parity)
1169 60-63 Parity bits
1170 64 Always zero
1171 */
1172 }
1173
1174 //need to add Q5 info...
1175 int CmdT55xxInfo(const char *Cmd){
1176 /*
1177 Page 0 Block 0 Configuration data.
1178 Normal mode
1179 Extended mode
1180 */
1181 bool pwdmode = false;
1182 uint32_t password = 0;
1183 char cmdp = param_getchar(Cmd, 0);
1184
1185 if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H')
1186 return usage_t55xx_info();
1187
1188 if (strlen(Cmd)==0)
1189 if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password,0 ) )
1190 return 1;
1191
1192 if (!DecodeT55xxBlock()) return 1;
1193
1194 // too little space to start with
1195 if ( DemodBufferLen < 32) return 1;
1196
1197 uint8_t si = config.offset;
1198 uint32_t bl0 = PackBits(si, 32, DemodBuffer);
1199
1200 uint32_t safer = PackBits(si, 4, DemodBuffer); si += 4;
1201 uint32_t resv = PackBits(si, 7, DemodBuffer); si += 7;
1202 uint32_t dbr = PackBits(si, 3, DemodBuffer); si += 3;
1203 uint32_t extend = PackBits(si, 1, DemodBuffer); si += 1;
1204 uint32_t datamod = PackBits(si, 5, DemodBuffer); si += 5;
1205 uint32_t pskcf = PackBits(si, 2, DemodBuffer); si += 2;
1206 uint32_t aor = PackBits(si, 1, DemodBuffer); si += 1;
1207 uint32_t otp = PackBits(si, 1, DemodBuffer); si += 1;
1208 uint32_t maxblk = PackBits(si, 3, DemodBuffer); si += 3;
1209 uint32_t pwd = PackBits(si, 1, DemodBuffer); si += 1;
1210 uint32_t sst = PackBits(si, 1, DemodBuffer); si += 1;
1211 uint32_t fw = PackBits(si, 1, DemodBuffer); si += 1;
1212 uint32_t inv = PackBits(si, 1, DemodBuffer); si += 1;
1213 uint32_t por = PackBits(si, 1, DemodBuffer); si += 1;
1214
1215 if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");
1216 PrintAndLog("");
1217 PrintAndLog("-- T55x7 Configuration & Tag Information --------------------");
1218 PrintAndLog("-------------------------------------------------------------");
1219 PrintAndLog(" Safer key : %s", GetSaferStr(safer));
1220 PrintAndLog(" reserved : %d", resv);
1221 PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr, extend));
1222 PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No");
1223 PrintAndLog(" Modulation : %s", GetModulationStr(datamod));
1224 PrintAndLog(" PSK clock frequency : %d", pskcf);
1225 PrintAndLog(" AOR - Answer on Request : %s", (aor) ? "Yes":"No");
1226 PrintAndLog(" OTP - One Time Pad : %s", (otp) ? "Yes - Warning":"No" );
1227 PrintAndLog(" Max block : %d", maxblk);
1228 PrintAndLog(" Password mode : %s", (pwd) ? "Yes":"No");
1229 PrintAndLog(" Sequence Start Terminator : %s", (sst) ? "Yes":"No");
1230 PrintAndLog(" Fast Write : %s", (fw) ? "Yes":"No");
1231 PrintAndLog(" Inverse data : %s", (inv) ? "Yes":"No");
1232 PrintAndLog(" POR-Delay : %s", (por) ? "Yes":"No");
1233 PrintAndLog("-------------------------------------------------------------");
1234 PrintAndLog(" Raw Data - Page 0");
1235 PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset,32) );
1236 PrintAndLog("-------------------------------------------------------------");
1237
1238 return 0;
1239 }
1240
1241 int CmdT55xxDump(const char *Cmd){
1242
1243 uint32_t password = 0;
1244 char cmdp = param_getchar(Cmd, 0);
1245 bool override = false;
1246 if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump();
1247
1248 bool usepwd = ( strlen(Cmd) > 0);
1249 if ( usepwd ){
1250 password = param_get32ex(Cmd, 0, 0, 16);
1251 if (param_getchar(Cmd, 1) =='o' )
1252 override = true;
1253 }
1254
1255 printT5xxHeader(0);
1256 for ( uint8_t i = 0; i <8; ++i)
1257 T55xxReadBlock(i, 0, usepwd, override, password,0);
1258
1259 printT5xxHeader(1);
1260 for ( uint8_t i = 0; i<4; i++)
1261 T55xxReadBlock(i, 1, usepwd, override, password,0);
1262
1263 return 1;
1264 }
1265
1266 int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode ){
1267 // arg0 bitmodes:
1268 // bit0 = pwdmode
1269 // bit1 = page to read from
1270 uint8_t arg0 = (page<<1) | pwdmode;
1271 arg0 |= (downlink_mode << 3);
1272 UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};
1273
1274 clearCommandBuffer();
1275 SendCommand(&c);
1276 if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
1277 PrintAndLog("command execution time out");
1278 return 0;
1279 }
1280 getSamples(12000,true);
1281 return 1;
1282 }
1283
1284 char * GetBitRateStr(uint32_t id, bool xmode) {
1285 static char buf[25];
1286
1287 char *retStr = buf;
1288 if (xmode) { //xmode bitrate calc is same as em4x05 calc
1289 snprintf(retStr,sizeof(buf),"%d - RF/%d", id, EM4x05_GET_BITRATE(id));
1290 } else {
1291 switch (id) {
1292 case 0: snprintf(retStr,sizeof(buf),"%d - RF/8",id); break;
1293 case 1: snprintf(retStr,sizeof(buf),"%d - RF/16",id); break;
1294 case 2: snprintf(retStr,sizeof(buf),"%d - RF/32",id); break;
1295 case 3: snprintf(retStr,sizeof(buf),"%d - RF/40",id); break;
1296 case 4: snprintf(retStr,sizeof(buf),"%d - RF/50",id); break;
1297 case 5: snprintf(retStr,sizeof(buf),"%d - RF/64",id); break;
1298 case 6: snprintf(retStr,sizeof(buf),"%d - RF/100",id); break;
1299 case 7: snprintf(retStr,sizeof(buf),"%d - RF/128",id); break;
1300 default: snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break;
1301 }
1302 }
1303 return buf;
1304 }
1305
1306 char * GetSaferStr(uint32_t id) {
1307 static char buf[40];
1308 char *retStr = buf;
1309
1310 snprintf(retStr,sizeof(buf),"%d",id);
1311 if (id == 6) {
1312 snprintf(retStr,sizeof(buf),"%d - passwd",id);
1313 }
1314 if (id == 9 ){
1315 snprintf(retStr,sizeof(buf),"%d - testmode",id);
1316 }
1317
1318 return buf;
1319 }
1320
1321 char * GetModulationStr( uint32_t id){
1322 static char buf[60];
1323 char *retStr = buf;
1324
1325 switch (id){
1326 case 0: snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id); break;
1327 case 1: snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id); break;
1328 case 2: snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id); break;
1329 case 3: snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id); break;
1330 case 4: snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8 RF/5",id); break;
1331 case 5: snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8 RF/10",id); break;
1332 case 6: snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5 RF/8",id); break;
1333 case 7: snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10 RF/8",id); break;
1334 case 8: snprintf(retStr,sizeof(buf),"%d - Manchester",id); break;
1335 case 16: snprintf(retStr,sizeof(buf),"%d - Biphase",id); break;
1336 case 0x18: snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id); break;
1337 case 17: snprintf(retStr,sizeof(buf),"%d - Reserved",id); break;
1338 default: snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id); break;
1339 }
1340 return buf;
1341 }
1342
1343 char * GetModelStrFromCID(uint32_t cid){
1344
1345 static char buf[10];
1346 char *retStr = buf;
1347
1348 if (cid == 1) snprintf(retStr, sizeof(buf),"ATA5577M1");
1349 if (cid == 2) snprintf(retStr, sizeof(buf),"ATA5577M2");
1350 return buf;
1351 }
1352
1353 char * GetSelectedModulationStr( uint8_t id){
1354
1355 static char buf[20];
1356 char *retStr = buf;
1357
1358 switch (id) {
1359 case DEMOD_FSK: snprintf(retStr,sizeof(buf),"FSK"); break;
1360 case DEMOD_FSK1: snprintf(retStr,sizeof(buf),"FSK1"); break;
1361 case DEMOD_FSK1a: snprintf(retStr,sizeof(buf),"FSK1a"); break;
1362 case DEMOD_FSK2: snprintf(retStr,sizeof(buf),"FSK2"); break;
1363 case DEMOD_FSK2a: snprintf(retStr,sizeof(buf),"FSK2a"); break;
1364 case DEMOD_ASK: snprintf(retStr,sizeof(buf),"ASK"); break;
1365 case DEMOD_NRZ: snprintf(retStr,sizeof(buf),"DIRECT/NRZ"); break;
1366 case DEMOD_PSK1: snprintf(retStr,sizeof(buf),"PSK1"); break;
1367 case DEMOD_PSK2: snprintf(retStr,sizeof(buf),"PSK2"); break;
1368 case DEMOD_PSK3: snprintf(retStr,sizeof(buf),"PSK3"); break;
1369 case DEMOD_BI: snprintf(retStr,sizeof(buf),"BIPHASE"); break;
1370 case DEMOD_BIa: snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)"); break;
1371 default: snprintf(retStr,sizeof(buf),"(Unknown)"); break;
1372 }
1373 return buf;
1374 }
1375
1376 uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){
1377
1378 int i = start;
1379 int j = len-1;
1380
1381 if (len > 32) return 0;
1382
1383 uint32_t tmp = 0;
1384 for (; j >= 0; --j, ++i)
1385 tmp |= bits[i] << j;
1386
1387 return tmp;
1388 }
1389
1390 int CmdResetRead(const char *Cmd) {
1391 UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};
1392
1393 clearCommandBuffer();
1394 SendCommand(&c);
1395 if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
1396 PrintAndLog("command execution time out");
1397 return 0;
1398 }
1399
1400 uint8_t got[BIGBUF_SIZE-1];
1401 GetFromBigBuf(got, sizeof(got), 0, NULL, -1 , 0);
1402 setGraphBuf(got, sizeof(got));
1403 return 1;
1404 }
1405
1406 int CmdT55xxWipe(const char *Cmd) {
1407 char writeData[20] = {0};
1408 char *ptrData = writeData;
1409
1410 char cmdp = param_getchar(Cmd, 0);
1411 if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wipe();
1412
1413 bool Q5 = (cmdp == 'q' || cmdp == 'Q');
1414
1415 // Try with the default password to reset block 0
1416 // With a pwd should work even if pwd bit not set
1417 PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");
1418
1419 if ( Q5 ){
1420 snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");
1421 } else {
1422 snprintf(ptrData,sizeof(writeData),"b 0 d 00088040 p 0");
1423 }
1424
1425 if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");
1426
1427 for (uint8_t blk = 1; blk<8; blk++) {
1428 snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);
1429 if (!CmdT55xxWriteBlock(ptrData))
1430 PrintAndLog("Error writing blk %d", blk);
1431
1432 memset(writeData, 0x00, sizeof(writeData));
1433 }
1434 return 0;
1435 }
1436
1437 int CmdT55xxBruteForce(const char *Cmd) {
1438
1439 // load a default pwd file.
1440 char buf[9];
1441 char filename[FILE_PATH_SIZE]={0};
1442 int keycnt = 0;
1443 int ch;
1444 uint8_t stKeyBlock = 20;
1445 uint8_t *keyBlock = NULL, *p = NULL;
1446 uint32_t start_password = 0x00000000; //start password
1447 uint32_t end_password = 0xFFFFFFFF; //end password
1448 bool found = false;
1449 uint8_t downlink_mode = 0;
1450 bool try_all_dl_modes = false;
1451 uint8_t dl_mode = 0;
1452 uint8_t cmd_offset = 0;
1453 int cmd_opt = 0;
1454
1455 char cmdp = param_getchar(Cmd, 0);
1456
1457 if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();
1458 if (cmdp == 'r' || cmdp == 'R') {
1459 downlink_mode = param_getchar(Cmd, 1) - '0'; // get 2nd option, as this is fixed order.
1460 if (downlink_mode == 4) try_all_dl_modes = true;
1461 if (downlink_mode > 3) downlink_mode = 0;
1462 cmd_opt += 2; // To help start/end passwords for range to be found
1463 cmd_offset += 4; // r <sp> x <sp> To help the string offset for filename start position in cmd
1464 cmdp = param_getchar(Cmd, 2); // get 3rd option, as this is fixed order.
1465 }
1466
1467 keyBlock = calloc(stKeyBlock, 6);
1468 if (keyBlock == NULL) return 1;
1469
1470 if (cmdp == 'i' || cmdp == 'I') {
1471
1472 int len = strlen(Cmd+2);
1473 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
1474 memcpy(filename, Cmd+2+cmd_offset, len);
1475
1476 FILE * f = fopen( filename , "r");
1477
1478 if ( !f ) {
1479 PrintAndLog("File: %s: not found or locked.", filename);
1480 free(keyBlock);
1481 return 1;
1482 }
1483
1484 while( fgets(buf, sizeof(buf), f) ) {
1485 if (strlen(buf) < 8 || buf[7] == '\n') continue;
1486
1487 while (fgetc(f) != '\n' && !feof(f)) ; //goto next line
1488
1489 //The line start with # is comment, skip
1490 if( buf[0]=='#' ) continue;
1491
1492 if (!isxdigit((unsigned char)buf[0])) {
1493 PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);
1494 continue;
1495 }
1496
1497 buf[8] = 0;
1498
1499 if ( stKeyBlock - keycnt < 2) {
1500 p = realloc(keyBlock, 6*(stKeyBlock+=10));
1501 if (!p) {
1502 PrintAndLog("Cannot allocate memory for defaultKeys");
1503 free(keyBlock);
1504 fclose(f);
1505 return 2;
1506 }
1507 keyBlock = p;
1508 }
1509 memset(keyBlock + 4 * keycnt, 0, 4);
1510 num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);
1511 PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));
1512 keycnt++;
1513 memset(buf, 0, sizeof(buf));
1514 }
1515 fclose(f);
1516
1517 if (keycnt == 0) {
1518 PrintAndLog("No keys found in file");
1519 free(keyBlock);
1520 return 1;
1521 }
1522 PrintAndLog("Loaded %d keys", keycnt);
1523
1524 // loop
1525 uint64_t testpwd = 0x00;
1526 for (uint16_t c = 0; c < keycnt; ++c ) {
1527
1528 if (ukbhit()) {
1529 ch = getchar();
1530 (void)ch;
1531 printf("\naborted via keyboard!\n");
1532 free(keyBlock);
1533 return 0;
1534 }
1535
1536 testpwd = bytes_to_num(keyBlock + 4*c, 4);
1537
1538 PrintAndLog("Testing %08X", testpwd);
1539
1540 // Try each downlink_mode if asked to
1541 // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3
1542 for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){
1543 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd, dl_mode)) {
1544 PrintAndLog("Aquireing data from device failed. Quitting");
1545 free(keyBlock);
1546 return 0;
1547 }
1548
1549 found = tryDetectModulation();
1550
1551 if ( found ) {
1552 PrintAndLog("Found valid password: [%08X]", testpwd);
1553 free(keyBlock);
1554 switch (dl_mode) {
1555 case 0 : PrintAndLog ("Downlink : r 0 - default/fixed bit length"); break;
1556 case 1 : PrintAndLog ("Downlink : r 1 - long leading reference"); break;
1557 case 2 : PrintAndLog ("Downlink : r 2 - leading zero reference"); break;
1558 case 3 : PrintAndLog ("Downlink : r 3 - 1 of 4 coding reference"); break;
1559 }
1560 return 0;
1561 }
1562 if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
1563 dl_mode = 4;
1564 }
1565 }
1566 PrintAndLog("Password NOT found.");
1567 free(keyBlock);
1568 return 0;
1569 }
1570
1571 // Try to read Block 7, first :)
1572
1573 // incremental pwd range search
1574 start_password = param_get32ex(Cmd, cmd_opt , 0, 16);
1575 end_password = param_get32ex(Cmd, cmd_opt+1 , 0, 16);
1576
1577 if ( start_password >= end_password ) {
1578 free(keyBlock);
1579 return usage_t55xx_bruteforce();
1580 }
1581 PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);
1582
1583 uint32_t i = start_password;
1584
1585 while ((!found) && (i <= end_password)) {
1586
1587 printf(".");
1588 fflush(stdout);
1589 if (ukbhit()) {
1590 ch = getchar();
1591 (void)ch;
1592 printf("\naborted via keyboard!\n");
1593 free(keyBlock);
1594 return 0;
1595 }
1596 // Try each downlink_mode if asked to
1597 // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3
1598 for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){
1599 if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,dl_mode)) {
1600 PrintAndLog("Aquireing data from device failed. Quitting");
1601 free(keyBlock);
1602 return 0;
1603 }
1604 found = tryDetectModulation();
1605
1606 if (found) break;
1607 if (!try_all_dl_modes) // Exit loop if not trying all downlink modes
1608 dl_mode = 4;
1609 }
1610 if (found) break;
1611 i++;
1612 }
1613
1614 if (found){
1615 PrintAndLog("Found valid password: [%08x]", i);
1616 switch (dl_mode) {
1617 case 0 : PrintAndLog ("Downlink : r 0 - default/fixed bit length"); break;
1618 case 1 : PrintAndLog ("Downlink : r 1 - long leading reference"); break;
1619 case 2 : PrintAndLog ("Downlink : r 2 - leading Zero reference"); break;
1620 case 3 : PrintAndLog ("Downlink : r 3 - 1 of 4 coding reference"); break;
1621 }
1622 }
1623 else{
1624 PrintAndLog("");
1625 PrintAndLog("Password NOT found. Last tried: [%08x]", --i);
1626 }
1627
1628 free(keyBlock);
1629 return 0;
1630 }
1631 // note length of data returned is different for different chips.
1632 // some return all page 1 (64 bits) and others return just that block (32 bits)
1633 // unfortunately the 64 bits makes this more likely to get a false positive...
1634 bool tryDetectP1(bool getData) {
1635 uint8_t preamble[] = {1,1,1,0,0,0,0,0,0,0,0,1,0,1,0,1};
1636 size_t startIdx = 0;
1637 uint8_t fc1 = 0, fc2 = 0, ans = 0;
1638 int clk = 0, firstClockEdge = 0;
1639 bool st = true;
1640
1641 if ( getData ) {
1642 if ( !AquireData(T55x7_PAGE1, 1, false, 0,0) )
1643 return false;
1644 }
1645
1646 // try fsk clock detect. if successful it cannot be any other type of modulation... (in theory...)
1647 ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge);
1648 if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) {
1649 if ( FSKrawDemod("0 0", false) &&
1650 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1651 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1652 return true;
1653 }
1654 if ( FSKrawDemod("0 1", false) &&
1655 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1656 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1657 return true;
1658 }
1659 return false;
1660 }
1661
1662 // try psk clock detect. if successful it cannot be any other type of modulation... (in theory...)
1663 clk = GetPskClock("", false, false);
1664 if (clk>0) {
1665 // allow undo
1666 // save_restoreGB(1);
1667 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
1668 //CmdLtrim("160");
1669 if ( PSKDemod("0 0 6", false) &&
1670 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1671 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1672 //save_restoreGB(0);
1673 return true;
1674 }
1675 if ( PSKDemod("0 1 6", false) &&
1676 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1677 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1678 //save_restoreGB(0);
1679 return true;
1680 }
1681 // PSK2 - needs a call to psk1TOpsk2.
1682 if ( PSKDemod("0 0 6", false)) {
1683 psk1TOpsk2(DemodBuffer, DemodBufferLen);
1684 if (preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1685 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1686 //save_restoreGB(0);
1687 return true;
1688 }
1689 } // inverse waves does not affect PSK2 demod
1690 //undo trim samples
1691 //save_restoreGB(0);
1692 // no other modulation clocks = 2 or 4 so quit searching
1693 if (fc1 != 8) return false;
1694 }
1695
1696 // try ask clock detect. it could be another type even if successful.
1697 clk = GetAskClock("", false, false);
1698 if (clk>0) {
1699 if ( ASKDemod_ext("0 0 1", false, false, 1, &st) &&
1700 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1701 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1702 return true;
1703 }
1704 st = true;
1705 if ( ASKDemod_ext("0 1 1", false, false, 1, &st) &&
1706 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1707 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1708 return true;
1709 }
1710 if ( ASKbiphaseDemod("0 0 0 2", false) &&
1711 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1712 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1713 return true;
1714 }
1715 if ( ASKbiphaseDemod("0 0 1 2", false) &&
1716 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1717 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1718 return true;
1719 }
1720 }
1721
1722 // try NRZ clock detect. it could be another type even if successful.
1723 clk = GetNrzClock("", false, false); //has the most false positives :(
1724 if (clk>0) {
1725 if ( NRZrawDemod("0 0 1", false) &&
1726 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1727 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1728 return true;
1729 }
1730 if ( NRZrawDemod("0 1 1", false) &&
1731 preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) &&
1732 (DemodBufferLen == 32 || DemodBufferLen == 64) ) {
1733 return true;
1734 }
1735 }
1736 return false;
1737 }
1738 // does this need to be a callable command?
1739 int CmdT55xxDetectPage1(const char *Cmd){
1740 bool errors = false;
1741 bool useGB = false;
1742 bool usepwd = false;
1743 uint32_t password = 0;
1744 uint8_t cmdp = 0;
1745
1746 while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
1747 switch(param_getchar(Cmd, cmdp)) {
1748 case 'h':
1749 case 'H':
1750 return usage_t55xx_detectP1();
1751 case 'p':
1752 case 'P':
1753 password = param_get32ex(Cmd, cmdp+1, 0, 16);
1754 usepwd = true;
1755 cmdp += 2;
1756 break;
1757 case '1':
1758 // use Graphbuffer data
1759 useGB = true;
1760 cmdp++;
1761 break;
1762 default:
1763 PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
1764 errors = true;
1765 break;
1766 }
1767 }
1768 if (errors) return usage_t55xx_detectP1();
1769
1770 if ( !useGB ) {
1771 if ( !AquireData(T55x7_PAGE1, 1, usepwd, password,0) )
1772 return false;
1773 }
1774 bool success = tryDetectP1(false);
1775 if (success) PrintAndLog("T55xx chip found!");
1776 return success;
1777 }
1778
1779 static command_t CommandTable[] = {
1780 {"help", CmdHelp, 1, "This help"},
1781 {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
1782 {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
1783 {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},
1784 {"p1detect", CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"},
1785 {"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
1786 {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
1787 {"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
1788 {"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
1789 {"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
1790 {"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
1791 {"special", special, 0, "Show block changes with 64 different offsets"},
1792 {"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},
1793 {"wipe", CmdT55xxWipe, 0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
1794 {NULL, NULL, 0, NULL}
1795 };
1796
1797 int CmdLFT55XX(const char *Cmd) {
1798 CmdsParse(CommandTable, Cmd);
1799 return 0;
1800 }
1801
1802 int CmdHelp(const char *Cmd) {
1803 CmdsHelp(CommandTable);
1804 return 0;
1805 }
Proxmark3 GIT tracking
Impressum, Datenschutz