]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhf15.c
target and bitstream back to front!
[proxmark3-svn] / client / cmdhf15.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2010 iZsh <izsh at fail0verflow.com>
3 // Modified 2010-2012 by <adrian -at- atrox.at>
4 // Modified 2012 by <vsza at vsza.hu>
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // High frequency ISO15693 commands
11 //-----------------------------------------------------------------------------
12 // There are three basic operation modes, depending on which device (proxmark/pc)
13 // the signal processing, (de)modulation, transmission protocol and logic is done.
14 // Mode 1:
15 // All steps are done on the proxmark, the output of the commands is returned via
16 // USB-debug-print commands.
17 // Mode 2:
18 // The protocol is done on the PC, passing only Iso15693 data frames via USB. This
19 // allows direct communication with a tag on command level
20 // Mode 3:
21 // The proxmark just samples the antenna and passes this "analog" data via USB to
22 // the client. Signal Processing & decoding is done on the pc. This is the slowest
23 // variant, but offers the possibility to analyze the waveforms directly.
24
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <stdint.h>
29 #include "proxusb.h"
30 #include "data.h"
31 #include "graph.h"
32 #include "ui.h"
33 #include "cmdparser.h"
34 #include "cmdhf15.h"
35 #include "iso15693tools.h"
36 #include "cmdmain.h"
37
38 #define FrameSOF Iso15693FrameSOF
39 #define Logic0 Iso15693Logic0
40 #define Logic1 Iso15693Logic1
41 #define FrameEOF Iso15693FrameEOF
42
43 #define Crc(data,datalen) Iso15693Crc(data,datalen)
44 #define AddCrc(data,datalen) Iso15693AddCrc(data,datalen)
45 #define sprintUID(target,uid) Iso15693sprintUID(target,uid)
46
47 static int CmdHelp(const char *Cmd);
48
49 // structure and database for uid -> tagtype lookups
50 typedef struct {
51 uint64_t uid;
52 int mask; // how many MSB bits used
53 char* desc;
54 } productName;
55
56
57 const productName uidmapping[] = {
58 // UID, #significant Bits, "Vendor(+Product)"
59 { 0xE001000000000000LL, 16, "Motorola" },
60 { 0xE002000000000000LL, 16, "ST Microelectronics" },
61 { 0xE003000000000000LL, 16, "Hitachi" },
62 { 0xE004000000000000LL, 16, "Philips" },
63 { 0xE004010000000000LL, 24, "Philips; IC SL2 ICS20" },
64 { 0xE005000000000000LL, 16, "Infineon" },
65 { 0xE005400000000000LL, 24, "Infineon; 56x32bit" },
66 { 0xE006000000000000LL, 16, "Cylinc" },
67 { 0xE007000000000000LL, 16, "Texas Instrument; " },
68 { 0xE007000000000000LL, 20, "Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit" },
69 { 0xE007100000000000LL, 20, "Texas Instrument; Tag-it HF-I Plus Chip; 64x32bit" },
70 { 0xE007800000000000LL, 23, "Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)" },
71 { 0xE007C00000000000LL, 23, "Texas Instrument; Tag-it HF-I Standard; 8x32bit" },
72 { 0xE007C40000000000LL, 23, "Texas Instrument; Tag-it HF-I Pro; 8x23bit; password" },
73 { 0xE008000000000000LL, 16, "Fujitsu" },
74 { 0xE009000000000000LL, 16, "Matsushita" },
75 { 0xE00A000000000000LL, 16, "NEC" },
76 { 0xE00B000000000000LL, 16, "Oki Electric" },
77 { 0xE00C000000000000LL, 16, "Toshiba" },
78 { 0xE00D000000000000LL, 16, "Mitsubishi" },
79 { 0xE00E000000000000LL, 16, "Samsung" },
80 { 0xE00F000000000000LL, 16, "Hyundai" },
81 { 0xE010000000000000LL, 16, "LG-Semiconductors" },
82 { 0xE012000000000000LL, 16, "HID Corporation" },
83 { 0xE016000000000000LL, 16, "EM-Marin SA (Skidata)" },
84 { 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
85 { 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
86 { 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
87 { 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },
88 { 0,0,"no tag-info available" } // must be the last entry
89 };
90
91
92 // fast method to just read the UID of a tag (collission detection not supported)
93 // *buf should be large enough to fit the 64bit uid
94 // returns 1 if suceeded
95 int getUID(uint8_t *buf)
96 {
97 UsbCommand *r;
98 uint8_t *recv;
99 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
100 uint8_t *req=c.d.asBytes;
101 int reqlen=0;
102
103 for (int retry=0;retry<3; retry++) { // don't give up the at the first try
104
105 req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
106 ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1;
107 req[1]=ISO15_CMD_INVENTORY;
108 req[2]=0; // mask length
109 reqlen=AddCrc(req,3);
110 c.arg[0]=reqlen;
111
112 SendCommand(&c);
113
114 r=WaitForResponseTimeout(CMD_ACK,1000);
115
116 if (r!=NULL) {
117 recv = r->d.asBytes;
118 if (r->arg[0]>=12 && ISO15_CRC_CHECK==Crc(recv,12)) {
119 memcpy(buf,&recv[2],8);
120 return 1;
121 }
122 }
123 } // retry
124 return 0;
125 }
126
127
128
129 // get a product description based on the UID
130 // uid[8] tag uid
131 // returns description of the best match
132 static char* getTagInfo(uint8_t *uid) {
133 uint64_t myuid,mask;
134 int i=0, best=-1;
135 memcpy(&myuid,uid,sizeof(uint64_t));
136 while (uidmapping[i].mask>0) {
137 mask=(~0LL) <<(64-uidmapping[i].mask);
138 if ((myuid & mask) == uidmapping[i].uid) {
139 if (best==-1) {
140 best=i;
141 } else {
142 if (uidmapping[i].mask>uidmapping[best].mask) {
143 best=i;
144 }
145 }
146 }
147 i++;
148 }
149
150 if (best>=0) return uidmapping[best].desc;
151
152 return uidmapping[i].desc;
153 }
154
155
156 // return a clear-text message to an errorcode
157 static char* TagErrorStr(uint8_t error) {
158 switch (error) {
159 case 0x01: return "The command is not supported";
160 case 0x02: return "The command is not recognised";
161 case 0x03: return "The option is not supported.";
162 case 0x0f: return "Unknown error.";
163 case 0x10: return "The specified block is not available (doesn’t exist).";
164 case 0x11: return "The specified block is already -locked and thus cannot be locked again";
165 case 0x12: return "The specified block is locked and its content cannot be changed.";
166 case 0x13: return "The specified block was not successfully programmed.";
167 case 0x14: return "The specified block was not successfully locked.";
168 default: return "Reserved for Future Use or Custom command error.";
169 }
170 }
171
172
173 // Mode 3
174 int CmdHF15Demod(const char *Cmd)
175 {
176 // The sampling rate is 106.353 ksps/s, for T = 18.8 us
177
178 int i, j;
179 int max = 0, maxPos = 0;
180
181 int skip = 4;
182
183 if (GraphTraceLen < 1000) return 0;
184
185 // First, correlate for SOF
186 for (i = 0; i < 100; i++) {
187 int corr = 0;
188 for (j = 0; j < arraylen(FrameSOF); j += skip) {
189 corr += FrameSOF[j] * GraphBuffer[i + (j / skip)];
190 }
191 if (corr > max) {
192 max = corr;
193 maxPos = i;
194 }
195 }
196 PrintAndLog("SOF at %d, correlation %d", maxPos,
197 max / (arraylen(FrameSOF) / skip));
198
199 i = maxPos + arraylen(FrameSOF) / skip;
200 int k = 0;
201 uint8_t outBuf[20];
202 memset(outBuf, 0, sizeof(outBuf));
203 uint8_t mask = 0x01;
204 for (;;) {
205 int corr0 = 0, corr1 = 0, corrEOF = 0;
206 for (j = 0; j < arraylen(Logic0); j += skip) {
207 corr0 += Logic0[j] * GraphBuffer[i + (j / skip)];
208 }
209 for (j = 0; j < arraylen(Logic1); j += skip) {
210 corr1 += Logic1[j] * GraphBuffer[i + (j / skip)];
211 }
212 for (j = 0; j < arraylen(FrameEOF); j += skip) {
213 corrEOF += FrameEOF[j] * GraphBuffer[i + (j / skip)];
214 }
215 // Even things out by the length of the target waveform.
216 corr0 *= 4;
217 corr1 *= 4;
218
219 if (corrEOF > corr1 && corrEOF > corr0) {
220 PrintAndLog("EOF at %d", i);
221 break;
222 } else if (corr1 > corr0) {
223 i += arraylen(Logic1) / skip;
224 outBuf[k] |= mask;
225 } else {
226 i += arraylen(Logic0) / skip;
227 }
228 mask <<= 1;
229 if (mask == 0) {
230 k++;
231 mask = 0x01;
232 }
233 if ((i + (int)arraylen(FrameEOF)) >= GraphTraceLen) {
234 PrintAndLog("ran off end!");
235 break;
236 }
237 }
238 if (mask != 0x01) {
239 PrintAndLog("error, uneven octet! (discard extra bits!)");
240 PrintAndLog(" mask=%02x", mask);
241 }
242 PrintAndLog("%d octets", k);
243
244 for (i = 0; i < k; i++) {
245 PrintAndLog("# %2d: %02x ", i, outBuf[i]);
246 }
247 PrintAndLog("CRC=%04x", Iso15693Crc(outBuf, k - 2));
248 return 0;
249 }
250
251
252
253 // * Acquire Samples as Reader (enables carrier, sends inquiry)
254 int CmdHF15Read(const char *Cmd)
255 {
256 UsbCommand c = {CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693};
257 SendCommand(&c);
258 return 0;
259 }
260
261 // Record Activity without enabeling carrier
262 int CmdHF15Record(const char *Cmd)
263 {
264 UsbCommand c = {CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693};
265 SendCommand(&c);
266 return 0;
267 }
268
269 int CmdHF15Reader(const char *Cmd)
270 {
271 UsbCommand c = {CMD_READER_ISO_15693, {strtol(Cmd, NULL, 0), 0, 0}};
272 SendCommand(&c);
273 return 0;
274 }
275
276 // Simulation is still not working very good
277 int CmdHF15Sim(const char *Cmd)
278 {
279 UsbCommand c = {CMD_SIMTAG_ISO_15693, {strtol(Cmd, NULL, 0), 0, 0}};
280 SendCommand(&c);
281 return 0;
282 }
283
284 // finds the AFI (Application Family Idendifier) of a card, by trying all values
285 // (There is no standard way of reading the AFI, allthough some tags support this)
286 int CmdHF15Afi(const char *Cmd)
287 {
288 UsbCommand c = {CMD_ISO_15693_FIND_AFI, {strtol(Cmd, NULL, 0), 0, 0}};
289 SendCommand(&c);
290 return 0;
291 }
292
293 // Reads all memory pages
294 int CmdHF15DumpMem(const char*Cmd) {
295 UsbCommand *r;
296 uint8_t uid[8];
297 uint8_t *recv=NULL;
298 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
299 uint8_t *req=c.d.asBytes;
300 int reqlen=0;
301 int blocknum=0;
302 char output[80];
303
304 if (!getUID(uid)) {
305 PrintAndLog("No Tag found.");
306 return 0;
307 }
308
309 PrintAndLog("Reading memory from tag UID=%s",sprintUID(NULL,uid));
310 PrintAndLog("Tag Info: %s",getTagInfo(uid));
311
312 for (int retry=0; retry<5; retry++) {
313
314 req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
315 ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
316 req[1]=ISO15_CMD_READ;
317 memcpy(&req[2],uid,8);
318 req[10]=blocknum;
319 reqlen=AddCrc(req,11);
320 c.arg[0]=reqlen;
321
322 SendCommand(&c);
323
324 r=WaitForResponseTimeout(CMD_ACK,1000);
325
326 if (r!=NULL) {
327 recv = r->d.asBytes;
328 if (ISO15_CRC_CHECK==Crc(recv,r->arg[0])) {
329 if (!(recv[0] & ISO15_RES_ERROR)) {
330 retry=0;
331 *output=0; // reset outputstring
332 sprintf(output, "Block %2i ",blocknum);
333 for ( int i=1; i<r->arg[0]-2; i++) { // data in hex
334 sprintf(output+strlen(output),"%02hX ",recv[i]);
335 }
336 strcat(output," ");
337 for ( int i=1; i<r->arg[0]-2; i++) { // data in cleaned ascii
338 sprintf(output+strlen(output),"%c",(recv[i]>31 && recv[i]<127)?recv[i]:'.');
339 }
340 PrintAndLog("%s",output);
341 blocknum++;
342 // PrintAndLog("bn=%i",blocknum);
343 } else {
344 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
345 return 0;
346 }
347 } // else PrintAndLog("crc");
348 } // else PrintAndLog("r null");
349
350 } // retry
351 if (r && r->arg[0]<3)
352 PrintAndLog("Lost Connection");
353 else if (r && ISO15_CRC_CHECK!=Crc(r->d.asBytes,r->arg[0]))
354 PrintAndLog("CRC Failed");
355 else
356 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
357 return 0;
358 }
359
360
361 // "HF 15" interface
362
363 static command_t CommandTable15[] =
364 {
365 {"help", CmdHF15Help, 1, "This help"},
366 {"demod", CmdHF15Demod, 1, "Demodulate ISO15693 from tag"},
367 {"read", CmdHF15Read, 0, "Read HF tag (ISO 15693)"},
368 {"record", CmdHF15Record, 0, "Record Samples (ISO 15693)"}, // atrox
369 {"reader", CmdHF15Reader, 0, "Act like an ISO15693 reader"},
370 {"sim", CmdHF15Sim, 0, "Fake an ISO15693 tag"},
371 {"cmd", CmdHF15Cmd, 0, "Send direct commands to ISO15693 tag"},
372 {"findafi", CmdHF15Afi, 0, "Brute force AFI of an ISO15693 tag"},
373 {"dumpmemory", CmdHF15DumpMem, 0, "Read all memory pages of an ISO15693 tag"},
374 {NULL, NULL, 0, NULL}
375 };
376
377 int CmdHF15(const char *Cmd)
378 {
379 CmdsParse(CommandTable15, Cmd);
380 return 0;
381 }
382
383 int CmdHF15Help(const char *Cmd)
384 {
385 CmdsHelp(CommandTable15);
386 return 0;
387 }
388
389
390 // "HF 15 Cmd" Interface
391 // Allows direct communication with the tag on command level
392
393 int CmdHF15CmdInquiry(const char *Cmd)
394 {
395 UsbCommand *r;
396 uint8_t *recv;
397 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
398 uint8_t *req=c.d.asBytes;
399 int reqlen=0;
400
401 req[0]= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
402 ISO15_REQ_INVENTORY | ISO15_REQINV_SLOT1;
403 req[1]=ISO15_CMD_INVENTORY;
404 req[2]=0; // mask length
405 reqlen=AddCrc(req,3);
406 c.arg[0]=reqlen;
407
408 SendCommand(&c);
409
410 r=WaitForResponseTimeout(CMD_ACK,1000);
411
412 if (r!=NULL) {
413 if (r->arg[0]>=12) {
414 recv = r->d.asBytes;
415 PrintAndLog("UID=%s",sprintUID(NULL,&recv[2]));
416 PrintAndLog("Tag Info: %s",getTagInfo(&recv[2]));
417 } else {
418 PrintAndLog("Response to short, just %i bytes. No tag?\n",r->arg[0]);
419 }
420 } else {
421 PrintAndLog("timeout.");
422 }
423 return 0;
424 }
425
426
427 // Turns debugging on(1)/off(0)
428 int CmdHF15CmdDebug( const char *cmd) {
429 int debug=atoi(cmd);
430 if (strlen(cmd)<1) {
431 PrintAndLog("Usage: hf 15 cmd debug <0/1>");
432 PrintAndLog(" 0..no debugging output 1..turn debugging on");
433 return 0;
434 }
435
436 UsbCommand c = {CMD_ISO_15693_DEBUG, {debug, 0, 0}};
437 SendCommand(&c);
438 return 0;
439 }
440
441
442 int CmdHF15CmdRaw (const char *cmd) {
443 UsbCommand *r;
444 uint8_t *recv;
445 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
446 int reply=1;
447 int fast=1;
448 int crc=0;
449 char buf[5]="";
450 int i=0;
451 uint8_t data[100];
452 unsigned int datalen=0, temp;
453 char *hexout;
454
455
456 if (strlen(cmd)<3) {
457 PrintAndLog("Usage: hf 15 cmd raw [-r] [-2] [-c] <0A 0B 0C ... hex>");
458 PrintAndLog(" -r do not read response");
459 PrintAndLog(" -2 use slower '1 out of 256' mode");
460 PrintAndLog(" -c calculate and append CRC");
461 PrintAndLog(" Tip: turn on debugging for verbose output");
462 return 0;
463 }
464
465 // strip
466 while (*cmd==' ' || *cmd=='\t') cmd++;
467
468 while (cmd[i]!='\0') {
469 if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
470 if (cmd[i]=='-') {
471 switch (cmd[i+1]) {
472 case 'r':
473 case 'R':
474 reply=0;
475 break;
476 case '2':
477 fast=0;
478 break;
479 case 'c':
480 case 'C':
481 crc=1;
482 break;
483 default:
484 PrintAndLog("Invalid option");
485 return 0;
486 }
487 i+=2;
488 continue;
489 }
490 if ((cmd[i]>='0' && cmd[i]<='9') ||
491 (cmd[i]>='a' && cmd[i]<='f') ||
492 (cmd[i]>='A' && cmd[i]<='F') ) {
493 buf[strlen(buf)+1]=0;
494 buf[strlen(buf)]=cmd[i];
495 i++;
496
497 if (strlen(buf)>=2) {
498 sscanf(buf,"%x",&temp);
499 data[datalen]=(uint8_t)(temp & 0xff);
500 datalen++;
501 *buf=0;
502 }
503 continue;
504 }
505 PrintAndLog("Invalid char on input");
506 return 0;
507 }
508 if (crc) datalen=AddCrc(data,datalen);
509
510 c.arg[0]=datalen;
511 c.arg[1]=fast;
512 c.arg[2]=reply;
513 memcpy(c.d.asBytes,data,datalen);
514
515 SendCommand(&c);
516
517 if (reply) {
518 r=WaitForResponseTimeout(CMD_ACK,1000);
519
520 if (r!=NULL) {
521 recv = r->d.asBytes;
522 PrintAndLog("received %i octets",r->arg[0]);
523 hexout = (char *)malloc(r->arg[0] * 3 + 1);
524 if (hexout != NULL) {
525 for (int i = 0; i < r->arg[0]; i++) { // data in hex
526 sprintf(&hexout[i * 3], "%02hX ", recv[i]);
527 }
528 PrintAndLog("%s", hexout);
529 free(hexout);
530 }
531 } else {
532 PrintAndLog("timeout while waiting for reply.");
533 }
534
535 } // if reply
536 return 0;
537 }
538
539
540 /**
541 * parses common HF 15 CMD parameters and prepares some data structures
542 * Parameters:
543 * **cmd command line
544 */
545 int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) {
546 int temp;
547 uint8_t *req=c->d.asBytes, uid[8];
548 uint32_t reqlen=0;
549
550 // strip
551 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
552
553 if (strstr(*cmd,"-2")==*cmd) {
554 c->arg[1]=0; // use 1of256
555 (*cmd)+=2;
556 }
557
558 // strip
559 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
560
561 if (strstr(*cmd,"-o")==*cmd) {
562 req[reqlen]=ISO15_REQ_OPTION;
563 (*cmd)+=2;
564 }
565
566 // strip
567 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
568
569 switch (**cmd) {
570 case 0:
571 PrintAndLog("missing addr");
572 return 0;
573 break;
574 case 's':
575 case 'S':
576 // you must have selected the tag earlier
577 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
578 ISO15_REQ_NONINVENTORY | ISO15_REQ_SELECT;
579 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
580 reqlen+=iso15cmdlen;
581 break;
582 case 'u':
583 case 'U':
584 // unaddressed mode may not be supported by all vendors
585 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
586 ISO15_REQ_NONINVENTORY;
587 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
588 reqlen+=iso15cmdlen;
589 break;
590 case '*':
591 // we scan for the UID ourself
592 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
593 ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
594 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
595 reqlen+=iso15cmdlen;
596 if (!getUID(uid)) {
597 PrintAndLog("No Tag found");
598 return 0;
599 }
600 memcpy(req+reqlen,uid,8);
601 PrintAndLog("Detected UID %s",sprintUID(NULL,uid));
602 reqlen+=8;
603 break;
604 default:
605 req[reqlen++]|= ISO15_REQ_SUBCARRIER_SINGLE | ISO15_REQ_DATARATE_HIGH |
606 ISO15_REQ_NONINVENTORY | ISO15_REQ_ADDRESS;
607 memcpy(&req[reqlen],&iso15cmd[0],iso15cmdlen);
608 reqlen+=iso15cmdlen;
609
610 /* sscanf(cmd,"%hX%hX%hX%hX%hX%hX%hX%hX",
611 (short unsigned int *)&uid[7],(short unsigned int *)&uid[6],
612 (short unsigned int *)&uid[5],(short unsigned int *)&uid[4],
613 (short unsigned int *)&uid[3],(short unsigned int *)&uid[2],
614 (short unsigned int *)&uid[1],(short unsigned int *)&uid[0]); */
615 for (int i=0;i<8 && (*cmd)[i*2] && (*cmd)[i*2+1];i++) { // parse UID
616 sscanf((char[]){(*cmd)[i*2],(*cmd)[i*2+1],0},"%X",&temp);
617 uid[7-i]=temp&0xff;
618 }
619
620 PrintAndLog("Using UID %s",sprintUID(NULL,uid));
621 memcpy(&req[reqlen],&uid[0],8);
622 reqlen+=8;
623 }
624 // skip to next space
625 while (**cmd!=' ' && **cmd!='\t') (*cmd)++;
626 // skip over the space
627 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
628
629 c->arg[0]=reqlen;
630 return 1;
631 }
632
633 /**
634 * Commandline handling: HF15 CMD SYSINFO
635 * get system information from tag/VICC
636 */
637 int CmdHF15CmdSysinfo(const char *Cmd) {
638 UsbCommand *r;
639 uint8_t *recv;
640 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
641 uint8_t *req=c.d.asBytes;
642 int reqlen=0;
643 char cmdbuf[100];
644 char *cmd=cmdbuf;
645 char output[2048]="";
646 int i;
647
648 strncpy(cmd,Cmd,99);
649
650 // usage:
651 if (strlen(cmd)<1) {
652 PrintAndLog("Usage: hf 15 cmd sysinfo [options] <uid|s|u|*>");
653 PrintAndLog(" options:");
654 PrintAndLog(" -2 use slower '1 out of 256' mode");
655 PrintAndLog(" uid (either): ");
656 PrintAndLog(" <8B hex> full UID eg E011223344556677");
657 PrintAndLog(" s selected tag");
658 PrintAndLog(" u unaddressed mode");
659 PrintAndLog(" * scan for tag");
660 PrintAndLog(" start#: page number to start 0-255");
661 PrintAndLog(" count#: number of pages");
662 return 0;
663 }
664
665 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_SYSINFO},1);
666 reqlen=c.arg[0];
667
668 reqlen=AddCrc(req,reqlen);
669 c.arg[0]=reqlen;
670
671 SendCommand(&c);
672
673 r=WaitForResponseTimeout(CMD_ACK,1000);
674
675 if (r!=NULL && r->arg[0]>2) {
676 recv = r->d.asBytes;
677 if (ISO15_CRC_CHECK==Crc(recv,r->arg[0])) {
678 if (!(recv[0] & ISO15_RES_ERROR)) {
679 *output=0; // reset outputstring
680 for ( i=1; i<r->arg[0]-2; i++) {
681 sprintf(output+strlen(output),"%02hX ",recv[i]);
682 }
683 strcat(output,"\n\r");
684 strcat(output,"UID = ");
685 strcat(output,sprintUID(NULL,recv+2));
686 strcat(output,"\n\r");
687 strcat(output,getTagInfo(recv+2)); //ABC
688 strcat(output,"\n\r");
689 i=10;
690 if (recv[1] & 0x01)
691 sprintf(output+strlen(output),"DSFID supported, set to %02hX\n\r",recv[i++]);
692 else
693 strcat(output,"DSFID not supported\n\r");
694 if (recv[1] & 0x02)
695 sprintf(output+strlen(output),"AFI supported, set to %03hX\n\r",recv[i++]);
696 else
697 strcat(output,"AFI not supported\n\r");
698 if (recv[1] & 0x04) {
699 strcat(output,"Tag provides info on memory layout (vendor dependent)\n\r");
700 sprintf(output+strlen(output)," %i (or %i) bytes/page x %i pages \n\r",
701 (recv[i+1]&0x1F)+1, (recv[i+1]&0x1F), recv[i]+1);
702 i+=2;
703 } else
704 strcat(output,"Tag does not provide information on memory layout\n\r");
705 if (recv[1] & 0x08) sprintf(output+strlen(output),"IC reference given: %02hX\n\r",recv[i++]);
706 else strcat(output,"IC reference not given\n\r");
707
708
709 PrintAndLog("%s",output);
710 } else {
711 PrintAndLog("Tag returned Error %i: %s",recv[0],TagErrorStr(recv[0]));
712 }
713 } else {
714 PrintAndLog("CRC failed");
715 }
716 } else {
717 PrintAndLog("timeout: no answer");
718 }
719
720 return 0;
721 }
722
723 /**
724 * Commandline handling: HF15 CMD READMULTI
725 * Read multiple blocks at once (not all tags support this)
726 */
727 int CmdHF15CmdReadmulti(const char *Cmd) {
728 UsbCommand *r;
729 uint8_t *recv;
730 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
731 uint8_t *req=c.d.asBytes;
732 int reqlen=0, pagenum,pagecount;
733 char cmdbuf[100];
734 char *cmd=cmdbuf;
735 char output[2048]="";
736
737 strncpy(cmd,Cmd,99);
738
739 // usage:
740 if (strlen(cmd)<3) {
741 PrintAndLog("Usage: hf 15 cmd readmulti [options] <uid|s|u|*> <start#> <count#>");
742 PrintAndLog(" options:");
743 PrintAndLog(" -2 use slower '1 out of 256' mode");
744 PrintAndLog(" uid (either): ");
745 PrintAndLog(" <8B hex> full UID eg E011223344556677");
746 PrintAndLog(" s selected tag");
747 PrintAndLog(" u unaddressed mode");
748 PrintAndLog(" * scan for tag");
749 PrintAndLog(" start#: page number to start 0-255");
750 PrintAndLog(" count#: number of pages");
751 return 0;
752 }
753
754 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_READMULTI},1);
755 reqlen=c.arg[0];
756
757 pagenum=strtol(cmd,NULL,0);
758
759 // skip to next space
760 while (*cmd!=' ' && *cmd!='\t') cmd++;
761 // skip over the space
762 while (*cmd==' ' || *cmd=='\t') cmd++;
763
764 pagecount=strtol(cmd,NULL,0);
765 if (pagecount>0) pagecount--; // 0 means 1 page, 1 means 2 pages, ...
766
767 req[reqlen++]=(uint8_t)pagenum;
768 req[reqlen++]=(uint8_t)pagecount;
769
770 reqlen=AddCrc(req,reqlen);
771
772 c.arg[0]=reqlen;
773
774 SendCommand(&c);
775
776 r=WaitForResponseTimeout(CMD_ACK,1000);
777
778 if (r!=NULL && r->arg[0]>2) {
779 recv = r->d.asBytes;
780 if (ISO15_CRC_CHECK==Crc(recv,r->arg[0])) {
781 if (!(recv[0] & ISO15_RES_ERROR)) {
782 *output=0; // reset outputstring
783 for ( int i=1; i<r->arg[0]-2; i++) {
784 sprintf(output+strlen(output),"%02hX ",recv[i]);
785 }
786 strcat(output," ");
787 for ( int i=1; i<r->arg[0]-2; i++) {
788 sprintf(output+strlen(output),"%c",recv[i]>31 && recv[i]<127?recv[i]:'.');
789 }
790 PrintAndLog("%s",output);
791 } else {
792 PrintAndLog("Tag returned Error %i: %s",recv[0],TagErrorStr(recv[0]));
793 }
794 } else {
795 PrintAndLog("CRC failed");
796 }
797 } else {
798 PrintAndLog("no answer");
799 }
800
801 return 0;
802 }
803
804 /**
805 * Commandline handling: HF15 CMD READ
806 * Reads a single Block
807 */
808 int CmdHF15CmdRead(const char *Cmd) {
809 UsbCommand *r;
810 uint8_t *recv;
811 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
812 uint8_t *req=c.d.asBytes;
813 int reqlen=0, pagenum;
814 char cmdbuf[100];
815 char *cmd=cmdbuf;
816 char output[100]="";
817
818 strncpy(cmd,Cmd,99);
819
820 // usage:
821 if (strlen(cmd)<3) {
822 PrintAndLog("Usage: hf 15 cmd read [options] <uid|s|u|*> <page#>");
823 PrintAndLog(" options:");
824 PrintAndLog(" -2 use slower '1 out of 256' mode");
825 PrintAndLog(" uid (either): ");
826 PrintAndLog(" <8B hex> full UID eg E011223344556677");
827 PrintAndLog(" s selected tag");
828 PrintAndLog(" u unaddressed mode");
829 PrintAndLog(" * scan for tag");
830 PrintAndLog(" page#: page number 0-255");
831 return 0;
832 }
833
834 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_READ},1);
835 reqlen=c.arg[0];
836
837 pagenum=strtol(cmd,NULL,0);
838 /*if (pagenum<0) {
839 PrintAndLog("invalid pagenum");
840 return 0;
841 } */
842
843 req[reqlen++]=(uint8_t)pagenum;
844
845 reqlen=AddCrc(req,reqlen);
846
847 c.arg[0]=reqlen;
848
849 SendCommand(&c);
850
851 r=WaitForResponseTimeout(CMD_ACK,1000);
852
853 if (r!=NULL && r->arg[0]>2) {
854 recv = r->d.asBytes;
855 if (ISO15_CRC_CHECK==Crc(recv,r->arg[0])) {
856 if (!(recv[0] & ISO15_RES_ERROR)) {
857 *output=0; // reset outputstring
858 //sprintf(output, "Block %2i ",blocknum);
859 for ( int i=1; i<r->arg[0]-2; i++) {
860 sprintf(output+strlen(output),"%02hX ",recv[i]);
861 }
862 strcat(output," ");
863 for ( int i=1; i<r->arg[0]-2; i++) {
864 sprintf(output+strlen(output),"%c",recv[i]>31 && recv[i]<127?recv[i]:'.');
865 }
866 PrintAndLog("%s",output);
867 } else {
868 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
869 }
870 } else {
871 PrintAndLog("CRC failed");
872 }
873 } else {
874 PrintAndLog("no answer");
875 }
876
877 return 0;
878 }
879
880
881 /**
882 * Commandline handling: HF15 CMD WRITE
883 * Writes a single Block - might run into timeout, even when successful
884 */
885 int CmdHF15CmdWrite(const char *Cmd) {
886 UsbCommand *r;
887 uint8_t *recv;
888 UsbCommand c = {CMD_ISO_15693_COMMAND, {0, 1, 1}}; // len,speed,recv?
889 uint8_t *req=c.d.asBytes;
890 int reqlen=0, pagenum, temp;
891 char cmdbuf[100];
892 char *cmd=cmdbuf;
893 char *cmd2;
894
895 strncpy(cmd,Cmd,99);
896
897 // usage:
898 if (strlen(cmd)<3) {
899 PrintAndLog("Usage: hf 15 cmd write [options] <uid|s|u|*> <page#> <hexdata>");
900 PrintAndLog(" options:");
901 PrintAndLog(" -2 use slower '1 out of 256' mode");
902 PrintAndLog(" -o set OPTION Flag (needed for TI)");
903 PrintAndLog(" uid (either): ");
904 PrintAndLog(" <8B hex> full UID eg E011223344556677");
905 PrintAndLog(" s selected tag");
906 PrintAndLog(" u unaddressed mode");
907 PrintAndLog(" * scan for tag");
908 PrintAndLog(" page#: page number 0-255");
909 PrintAndLog(" hexdata: data to be written eg AA BB CC DD");
910 return 0;
911 }
912
913 prepareHF15Cmd(&cmd, &c,(uint8_t[]){ISO15_CMD_WRITE},1);
914 reqlen=c.arg[0];
915
916 // *cmd -> page num ; *cmd2 -> data
917 cmd2=cmd;
918 while (*cmd2!=' ' && *cmd2!='\t' && *cmd2) cmd2++;
919 *cmd2=0;
920 cmd2++;
921
922 pagenum=strtol(cmd,NULL,0);
923 /*if (pagenum<0) {
924 PrintAndLog("invalid pagenum");
925 return 0;
926 } */
927 req[reqlen++]=(uint8_t)pagenum;
928
929
930 while (cmd2[0] && cmd2[1]) { // hexdata, read by 2 hexchars
931 if (*cmd2==' ') {
932 cmd2++;
933 continue;
934 }
935 sscanf((char[]){cmd2[0],cmd2[1],0},"%X",&temp);
936 req[reqlen++]=temp & 0xff;
937 cmd2+=2;
938 }
939
940 reqlen=AddCrc(req,reqlen);
941
942 c.arg[0]=reqlen;
943
944 SendCommand(&c);
945
946 r=WaitForResponseTimeout(CMD_ACK,2000);
947
948 if (r!=NULL && r->arg[0]>2) {
949 recv = r->d.asBytes;
950 if (ISO15_CRC_CHECK==Crc(recv,r->arg[0])) {
951 if (!(recv[0] & ISO15_RES_ERROR)) {
952 PrintAndLog("OK");
953 } else {
954 PrintAndLog("Tag returned Error %i: %s",recv[1],TagErrorStr(recv[1]));
955 }
956 } else {
957 PrintAndLog("CRC failed");
958 }
959 } else {
960 PrintAndLog("timeout: no answer - data may be written anyway");
961 }
962
963 return 0;
964 }
965
966
967
968 static command_t CommandTable15Cmd[] =
969 {
970 {"help", CmdHF15CmdHelp, 1, "This Help"},
971 {"inquiry", CmdHF15CmdInquiry, 0, "Search for tags in range"},
972 /*
973 {"select", CmdHF15CmdSelect, 0, "Select an tag with a specific UID for further commands"},
974 */
975 {"read", CmdHF15CmdRead, 0, "Read a block"},
976 {"write", CmdHF15CmdWrite, 0, "Write a block"},
977 {"readmulti",CmdHF15CmdReadmulti, 0, "Reads multiple Blocks"},
978 {"sysinfo",CmdHF15CmdSysinfo, 0, "Get Card Information"},
979 {"raw", CmdHF15CmdRaw, 0, "Send raw hex data to tag"},
980 {"debug", CmdHF15CmdDebug, 0, "Turn debugging on/off"},
981 {NULL, NULL, 0, NULL}
982 };
983
984 int CmdHF15Cmd(const char *Cmd)
985 {
986 CmdsParse(CommandTable15Cmd, Cmd);
987 return 0;
988 }
989
990 int CmdHF15CmdHelp(const char *Cmd)
991 {
992 CmdsHelp(CommandTable15Cmd);
993 return 0;
994 }
995
Impressum, Datenschutz