]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdlfem4x.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
BUG: the lf read now uses "getbigbuffer" which the offset from where the data start...
[proxmark3-svn] / client / cmdlfem4x.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <inttypes.h>
14 #include "proxmark3.h"
15 #include "ui.h"
16 #include "graph.h"
17 #include "cmdmain.h"
18 #include "cmdparser.h"
19 #include "cmddata.h"
20 #include "cmdlf.h"
21 #include "cmdlfem4x.h"
22 #include "util.h"
23 #include "data.h"
24 #define LF_TRACE_BUFF_SIZE 12000
25
26 char *global_em410xId;
27
28 static int CmdHelp(const char *Cmd);
29
30 /* Read the ID of an EM410x tag.
31 * Format:
32 * 1111 1111 1 <-- standard non-repeatable header
33 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
34 * ....
35 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
36 * 0 <-- stop bit, end of tag
37 */
38 int CmdEM410xRead(const char *Cmd)
39 {
40 int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low;
41 int parity[4];
42 char id[11];
43 char id2[11];
44 int retested = 0;
45 uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
46 high = low = 0;
47
48 /* Detect high and lows and clock */
49 for (i = 0; i < GraphTraceLen; i++)
50 {
51 if (GraphBuffer[i] > high)
52 high = GraphBuffer[i];
53 else if (GraphBuffer[i] < low)
54 low = GraphBuffer[i];
55 }
56
57 /* get clock */
58 clock = GetClock(Cmd, high, 0);
59
60 /* parity for our 4 columns */
61 parity[0] = parity[1] = parity[2] = parity[3] = 0;
62 header = rows = 0;
63
64 /* manchester demodulate */
65 bit = bit2idx = 0;
66 for (i = 0; i < (int)(GraphTraceLen / clock); i++)
67 {
68 hithigh = 0;
69 hitlow = 0;
70 first = 1;
71
72 /* Find out if we hit both high and low peaks */
73 for (j = 0; j < clock; j++)
74 {
75 if (GraphBuffer[(i * clock) + j] == high)
76 hithigh = 1;
77 else if (GraphBuffer[(i * clock) + j] == low)
78 hitlow = 1;
79
80 /* it doesn't count if it's the first part of our read
81 because it's really just trailing from the last sequence */
82 if (first && (hithigh || hitlow))
83 hithigh = hitlow = 0;
84 else
85 first = 0;
86
87 if (hithigh && hitlow)
88 break;
89 }
90
91 /* If we didn't hit both high and low peaks, we had a bit transition */
92 if (!hithigh || !hitlow)
93 bit ^= 1;
94
95 BitStream[bit2idx++] = bit;
96 }
97
98 retest:
99 /* We go till 5 before the graph ends because we'll get that far below */
100 for (i = 1; i < bit2idx - 5; i++)
101 {
102 /* Step 2: We have our header but need our tag ID */
103 if (header == 9 && rows < 10)
104 {
105 /* Confirm parity is correct */
106 if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4])
107 {
108 /* Read another byte! */
109 sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3]));
110 sprintf(id2+rows, "%x", (8 * BitStream[i+3]) + (4 * BitStream[i+2]) + (2 * BitStream[i+1]) + (1 * BitStream[i]));
111 rows++;
112
113 /* Keep parity info */
114 parity[0] ^= BitStream[i];
115 parity[1] ^= BitStream[i+1];
116 parity[2] ^= BitStream[i+2];
117 parity[3] ^= BitStream[i+3];
118
119 /* Move 4 bits ahead */
120 i += 4;
121 }
122
123 /* Damn, something wrong! reset */
124 else
125 {
126 PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i);
127
128 /* Start back rows * 5 + 9 header bits, -1 to not start at same place */
129 i -= 9 + (5 * rows) - 5;
130
131 rows = header = 0;
132 }
133 }
134
135 /* Step 3: Got our 40 bits! confirm column parity */
136 else if (rows == 10)
137 {
138 /* We need to make sure our 4 bits of parity are correct and we have a stop bit */
139 if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] &&
140 BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] &&
141 BitStream[i+4] == 0)
142 {
143 /* Sweet! */
144 PrintAndLog("EM410x Tag ID: %s", id);
145 PrintAndLog("Unique Tag ID: %s", id2);
146
147 global_em410xId = id;
148
149 /* Stop any loops */
150 return 1;
151 }
152
153 /* Crap! Incorrect parity or no stop bit, start all over */
154 else
155 {
156 rows = header = 0;
157
158 /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */
159 i -= 59;
160 }
161 }
162
163 /* Step 1: get our header */
164 else if (header < 9)
165 {
166 /* Need 9 consecutive 1's */
167 if (BitStream[i] == 1)
168 header++;
169
170 /* We don't have a header, not enough consecutive 1 bits */
171 else
172 header = 0;
173 }
174 }
175
176 /* if we've already retested after flipping bits, return */
177 if (retested++){
178 return 0;
179 }
180
181 /* if this didn't work, try flipping bits */
182 for (i = 0; i < bit2idx; i++)
183 BitStream[i] ^= 1;
184
185 goto retest;
186 }
187
188 /* emulate an EM410X tag
189 * Format:
190 * 1111 1111 1 <-- standard non-repeatable header
191 * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID
192 * ....
193 * CCCC <-- each bit here is parity for the 10 bits above in corresponding column
194 * 0 <-- stop bit, end of tag
195 */
196 int CmdEM410xSim(const char *Cmd)
197 {
198 int i, n, j, h, binary[4], parity[4];
199
200 /* clock is 64 in EM410x tags */
201 int clock = 64;
202
203 /* clear our graph */
204 ClearGraph(0);
205
206 /* write it out a few times */
207 for (h = 0; h < 4; h++)
208 {
209 /* write 9 start bits */
210 for (i = 0; i < 9; i++)
211 AppendGraph(0, clock, 1);
212
213 /* for each hex char */
214 parity[0] = parity[1] = parity[2] = parity[3] = 0;
215 for (i = 0; i < 10; i++)
216 {
217 /* read each hex char */
218 sscanf(&Cmd[i], "%1x", &n);
219 for (j = 3; j >= 0; j--, n/= 2)
220 binary[j] = n % 2;
221
222 /* append each bit */
223 AppendGraph(0, clock, binary[0]);
224 AppendGraph(0, clock, binary[1]);
225 AppendGraph(0, clock, binary[2]);
226 AppendGraph(0, clock, binary[3]);
227
228 /* append parity bit */
229 AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
230
231 /* keep track of column parity */
232 parity[0] ^= binary[0];
233 parity[1] ^= binary[1];
234 parity[2] ^= binary[2];
235 parity[3] ^= binary[3];
236 }
237
238 /* parity columns */
239 AppendGraph(0, clock, parity[0]);
240 AppendGraph(0, clock, parity[1]);
241 AppendGraph(0, clock, parity[2]);
242 AppendGraph(0, clock, parity[3]);
243
244 /* stop bit */
245 AppendGraph(0, clock, 0);
246 }
247
248 /* modulate that biatch */
249 CmdManchesterMod("");
250
251 /* booyah! */
252 RepaintGraphWindow();
253
254 CmdLFSim("");
255 return 0;
256 }
257
258 /* Function is equivalent of lf read + data samples + em410xread
259 * looped until an EM410x tag is detected
260 *
261 * Why is CmdSamples("16000")?
262 * TBD: Auto-grow sample size based on detected sample rate. IE: If the
263 * rate gets lower, then grow the number of samples
264 * Changed by martin, 4000 x 4 = 16000,
265 * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
266
267 */
268 int CmdEM410xWatch(const char *Cmd)
269 {
270 int read_h = (*Cmd == 'h');
271 do
272 {
273 CmdLFRead(read_h ? "h" : "");
274 CmdSamples("16000");
275 } while (
276 !CmdEM410xRead("")
277 );
278 return 0;
279 }
280
281 int CmdEM410xWatchnSpoof(const char *Cmd)
282 {
283 CmdEM410xWatch(Cmd);
284 PrintAndLog("# Replaying : %s",global_em410xId);
285 CmdEM410xSim(global_em410xId);
286 return 0;
287 }
288
289 /* Read the transmitted data of an EM4x50 tag
290 * Format:
291 *
292 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
293 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
294 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
295 * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
296 * CCCCCCCC <- column parity bits
297 * 0 <- stop bit
298 * LW <- Listen Window
299 *
300 * This pattern repeats for every block of data being transmitted.
301 * Transmission starts with two Listen Windows (LW - a modulated
302 * pattern of 320 cycles each (32/32/128/64/64)).
303 *
304 * Note that this data may or may not be the UID. It is whatever data
305 * is stored in the blocks defined in the control word First and Last
306 * Word Read values. UID is stored in block 32.
307 */
308 int CmdEM4x50Read(const char *Cmd)
309 {
310 int i, j, startblock, skip, block, start, end, low, high;
311 bool complete= false;
312 int tmpbuff[MAX_GRAPH_TRACE_LEN / 64];
313 char tmp[6];
314
315 high= low= 0;
316 memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64);
317
318 /* first get high and low values */
319 for (i = 0; i < GraphTraceLen; i++)
320 {
321 if (GraphBuffer[i] > high)
322 high = GraphBuffer[i];
323 else if (GraphBuffer[i] < low)
324 low = GraphBuffer[i];
325 }
326
327 /* populate a buffer with pulse lengths */
328 i= 0;
329 j= 0;
330 while (i < GraphTraceLen)
331 {
332 // measure from low to low
333 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
334 ++i;
335 start= i;
336 while ((GraphBuffer[i] < high) && (i<GraphTraceLen))
337 ++i;
338 while ((GraphBuffer[i] > low) && (i<GraphTraceLen))
339 ++i;
340 if (j>(MAX_GRAPH_TRACE_LEN/64)) {
341 break;
342 }
343 tmpbuff[j++]= i - start;
344 }
345
346 /* look for data start - should be 2 pairs of LW (pulses of 192,128) */
347 start= -1;
348 skip= 0;
349 for (i= 0; i < j - 4 ; ++i)
350 {
351 skip += tmpbuff[i];
352 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
353 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
354 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
355 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
356 {
357 start= i + 3;
358 break;
359 }
360 }
361 startblock= i + 3;
362
363 /* skip over the remainder of the LW */
364 skip += tmpbuff[i+1]+tmpbuff[i+2];
365 while (skip < MAX_GRAPH_TRACE_LEN && GraphBuffer[skip] > low)
366 ++skip;
367 skip += 8;
368
369 /* now do it again to find the end */
370 end= start;
371 for (i += 3; i < j - 4 ; ++i)
372 {
373 end += tmpbuff[i];
374 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
375 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
376 if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194)
377 if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130)
378 {
379 complete= true;
380 break;
381 }
382 }
383
384 if (start >= 0)
385 PrintAndLog("Found data at sample: %i",skip);
386 else
387 {
388 PrintAndLog("No data found!");
389 PrintAndLog("Try again with more samples.");
390 return 0;
391 }
392
393 if (!complete)
394 {
395 PrintAndLog("*** Warning!");
396 PrintAndLog("Partial data - no end found!");
397 PrintAndLog("Try again with more samples.");
398 }
399
400 /* get rid of leading crap */
401 sprintf(tmp,"%i",skip);
402 CmdLtrim(tmp);
403
404 /* now work through remaining buffer printing out data blocks */
405 block= 0;
406 i= startblock;
407 while (block < 6)
408 {
409 PrintAndLog("Block %i:", block);
410 // mandemod routine needs to be split so we can call it for data
411 // just print for now for debugging
412 CmdManchesterDemod("i 64");
413 skip= 0;
414 /* look for LW before start of next block */
415 for ( ; i < j - 4 ; ++i)
416 {
417 skip += tmpbuff[i];
418 if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194)
419 if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130)
420 break;
421 }
422 while (GraphBuffer[skip] > low)
423 ++skip;
424 skip += 8;
425 sprintf(tmp,"%i",skip);
426 CmdLtrim(tmp);
427 start += skip;
428 block++;
429 }
430 return 0;
431 }
432
433 int CmdEM410xWrite(const char *Cmd)
434 {
435 uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value
436 int card = 0xFF; // invalid card value
437 unsigned int clock = 0; // invalid clock value
438
439 sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock);
440
441 // Check ID
442 if (id == 0xFFFFFFFFFFFFFFFF) {
443 PrintAndLog("Error! ID is required.\n");
444 return 0;
445 }
446 if (id >= 0x10000000000) {
447 PrintAndLog("Error! Given EM410x ID is longer than 40 bits.\n");
448 return 0;
449 }
450
451 // Check Card
452 if (card == 0xFF) {
453 PrintAndLog("Error! Card type required.\n");
454 return 0;
455 }
456 if (card < 0) {
457 PrintAndLog("Error! Bad card type selected.\n");
458 return 0;
459 }
460
461 // Check Clock
462 if (card == 1)
463 {
464 // Default: 64
465 if (clock == 0)
466 clock = 64;
467
468 // Allowed clock rates: 16, 32 and 64
469 if ((clock != 16) && (clock != 32) && (clock != 64)) {
470 PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32 and 64.\n", clock);
471 return 0;
472 }
473 }
474 else if (clock != 0)
475 {
476 PrintAndLog("Error! Clock rate is only supported on T55x7 tags.\n");
477 return 0;
478 }
479
480 if (card == 1) {
481 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64 " (clock rate: %d)", "T55x7", id, clock);
482 // NOTE: We really should pass the clock in as a separate argument, but to
483 // provide for backwards-compatibility for older firmware, and to avoid
484 // having to add another argument to CMD_EM410X_WRITE_TAG, we just store
485 // the clock rate in bits 8-15 of the card value
486 card = (card & 0xFF) | (((uint64_t)clock << 8) & 0xFF00);
487 }
488 else if (card == 0)
489 PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock);
490 else {
491 PrintAndLog("Error! Bad card type selected.\n");
492 return 0;
493 }
494
495 UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}};
496 SendCommand(&c);
497
498 return 0;
499 }
500
501 int CmdReadWord(const char *Cmd)
502 {
503 int Word = -1; //default to invalid word
504 UsbCommand c;
505
506 sscanf(Cmd, "%d", &Word);
507
508 if ( (Word > 15) | (Word < 0) ) {
509 PrintAndLog("Word must be between 0 and 15");
510 return 1;
511 }
512
513 PrintAndLog("Reading word %d", Word);
514
515 c.cmd = CMD_EM4X_READ_WORD;
516 c.d.asBytes[0] = 0x0; //Normal mode
517 c.arg[0] = 0;
518 c.arg[1] = Word;
519 c.arg[2] = 0;
520 SendCommand(&c);
521 WaitForResponse(CMD_ACK, NULL);
522
523 uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};
524
525 GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
526 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
527
528 for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {
529 GraphBuffer[j] = ((int)data[j]);
530 }
531 GraphTraceLen = LF_TRACE_BUFF_SIZE;
532
533 uint8_t bits[1000] = {0x00};
534 uint8_t * bitstream = bits;
535 manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream);
536 RepaintGraphWindow();
537 return 0;
538 }
539
540 int CmdReadWordPWD(const char *Cmd)
541 {
542 int Word = -1; //default to invalid word
543 int Password = 0xFFFFFFFF; //default to blank password
544 UsbCommand c;
545
546 sscanf(Cmd, "%d %x", &Word, &Password);
547
548 if ( (Word > 15) | (Word < 0) ) {
549 PrintAndLog("Word must be between 0 and 15");
550 return 1;
551 }
552
553 PrintAndLog("Reading word %d with password %08X", Word, Password);
554
555 c.cmd = CMD_EM4X_READ_WORD;
556 c.d.asBytes[0] = 0x1; //Password mode
557 c.arg[0] = 0;
558 c.arg[1] = Word;
559 c.arg[2] = Password;
560 SendCommand(&c);
561 WaitForResponse(CMD_ACK, NULL);
562
563 uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00};
564
565 GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset..
566 WaitForResponseTimeout(CMD_ACK,NULL, 1500);
567
568 for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) {
569 GraphBuffer[j] = ((int)data[j]);
570 }
571 GraphTraceLen = LF_TRACE_BUFF_SIZE;
572
573 uint8_t bits[1000] = {0x00};
574 uint8_t * bitstream = bits;
575
576 manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream);
577 RepaintGraphWindow();
578 return 0;
579 }
580
581 int CmdWriteWord(const char *Cmd)
582 {
583 int Word = 16; //default to invalid block
584 int Data = 0xFFFFFFFF; //default to blank data
585 UsbCommand c;
586
587 sscanf(Cmd, "%x %d", &Data, &Word);
588
589 if (Word > 15) {
590 PrintAndLog("Word must be between 0 and 15");
591 return 1;
592 }
593
594 PrintAndLog("Writting word %d with data %08X", Word, Data);
595
596 c.cmd = CMD_EM4X_WRITE_WORD;
597 c.d.asBytes[0] = 0x0; //Normal mode
598 c.arg[0] = Data;
599 c.arg[1] = Word;
600 c.arg[2] = 0;
601 SendCommand(&c);
602 return 0;
603 }
604
605 int CmdWriteWordPWD(const char *Cmd)
606 {
607 int Word = 8; //default to invalid word
608 int Data = 0xFFFFFFFF; //default to blank data
609 int Password = 0xFFFFFFFF; //default to blank password
610 UsbCommand c;
611
612 sscanf(Cmd, "%x %d %x", &Data, &Word, &Password);
613
614 if (Word > 15) {
615 PrintAndLog("Word must be between 0 and 15");
616 return 1;
617 }
618
619 PrintAndLog("Writting word %d with data %08X and password %08X", Word, Data, Password);
620
621 c.cmd = CMD_EM4X_WRITE_WORD;
622 c.d.asBytes[0] = 0x1; //Password mode
623 c.arg[0] = Data;
624 c.arg[1] = Word;
625 c.arg[2] = Password;
626 SendCommand(&c);
627 return 0;
628 }
629
630 static command_t CommandTable[] =
631 {
632 {"help", CmdHelp, 1, "This help"},
633 {"410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"},
634 {"410xsim", CmdEM410xSim, 0, "<UID> -- Simulate EM410x tag"},
635 {"410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
636 {"410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
637 {"410xwrite", CmdEM410xWrite, 1, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
638 {"4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
639 {"rd", CmdReadWord, 1, "<Word 1-15> -- Read EM4xxx word data"},
640 {"rdpwd", CmdReadWordPWD, 1, "<Word 1-15> <Password> -- Read EM4xxx word data in password mode "},
641 {"wr", CmdWriteWord, 1, "<Data> <Word 1-15> -- Write EM4xxx word data"},
642 {"wrpwd", CmdWriteWordPWD, 1, "<Data> <Word 1-15> <Password> -- Write EM4xxx word data in password mode"},
643 {NULL, NULL, 0, NULL}
644 };
645
646 int CmdLFEM4X(const char *Cmd)
647 {
648 CmdsParse(CommandTable, Cmd);
649 return 0;
650 }
651
652 int CmdHelp(const char *Cmd)
653 {
654 CmdsHelp(CommandTable);
655 return 0;
656 }
Proxmark3 GIT tracking
Impressum, Datenschutz