FIX: a define which was wrong

[proxmark3-svn] / client / cmdlft55xx.c

diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index b33c165a283186588c17e3f0732a79630e14ca29..bc30d7e3b18546192c2a04bb068d16212b33983d 100644 (file)
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -21,53 +21,78 @@
 #include "util.h"\r
 #include "data.h"\r
 #include "lfdemod.h"\r
 #include "util.h"\r
 #include "data.h"\r
 #include "lfdemod.h"\r

-#include "../common/crc.h"\r
-#include "../common/iso14443crc.h"\r
+#include "cmdhf14a.h" //for getTagInfo\r
+\r
+#define T55x7_CONFIGURATION_BLOCK 0x00\r
+#define T55x7_PAGE0 0x00\r
+#define T55x7_PAGE1 0x01\r
+#define T55x7_PWD      0x00000010\r
+#define REGULAR_READ_MODE_BLOCK 0xFF\r

 \r
 // Default configuration\r
 \r
 // Default configuration\r

-t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inversed = FALSE, .offset = 0x00, .block0 = 0x00};\r
+t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
+\r
+t55xx_conf_block_t Get_t55xx_Config(){\r
+       return config;\r
+}\r
+void Set_t55xx_Config(t55xx_conf_block_t conf){\r
+       config = conf;\r
+}\r

 \r
 int usage_t55xx_config(){\r
 \r
 int usage_t55xx_config(){\r

-       PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>]");\r
-       PrintAndLog("Options:        ");\r
+       PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
+       PrintAndLog("Options:");\r

        PrintAndLog("       h                        This help");\r
        PrintAndLog("       h                        This help");\r

-       PrintAndLog("       d <FSK|ASK|PSK|NZ|BI>    Set demodulation FSK / ASK / PSK / NZ / Biphase");\r
-       PrintAndLog("       i [1]                    Inverse data signal, defaults to normal");\r
-       PrintAndLog("       o [offset]               Set offset, where data should start decode in bitstream");\r
+       PrintAndLog("       b <8|16|32|40|50|64|100|128>     Set bitrate");\r
+       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
+       PrintAndLog("       i [1]                            Invert data signal, defaults to normal");\r
+       PrintAndLog("       o [offset]                       Set offset, where data should start decode in bitstream");\r
+       PrintAndLog("       Q5                            Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       ST                            Set Sequence Terminator on");\r

        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
        PrintAndLog("      lf t55xx config d FSK i 1      - FSK demodulation, inverse data");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
        PrintAndLog("      lf t55xx config d FSK i 1      - FSK demodulation, inverse data");\r

-       PrintAndLog("      lf t55xx config d FSK i 1 o 3  - FSK demodulation, inverse data, offset=3,start from bitpos 3 to decode data");\r
+       PrintAndLog("      lf t55xx config d FSK i 1 o 3  - FSK demodulation, inverse data, offset=3,start from position 3 to decode data");\r

        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_read(){\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_read(){\r

-       PrintAndLog("Usage:  lf t55xx read <block> <password>");\r
-    PrintAndLog("     <block>, block number to read. Between 0-7");\r
-    PrintAndLog("     <password>, OPTIONAL password (8 hex characters)");\r
+       PrintAndLog("Usage:  lf t55xx read [b <block>] [p <password>] <override_safety> <page1>");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     b <block>    - block number to read. Between 0-7");\r
+       PrintAndLog("     p <password> - OPTIONAL password (8 hex characters)");\r
+       PrintAndLog("     o            - OPTIONAL override safety check");\r
+       PrintAndLog("     1            - OPTIONAL read Page 1 instead of Page 0");\r
+       PrintAndLog("     ****WARNING****");\r
+       PrintAndLog("     Use of read with password on a tag not configured for a pwd");\r
+       PrintAndLog("     can damage the tag");\r

     PrintAndLog("");\r
        PrintAndLog("Examples:");\r
     PrintAndLog("");\r
        PrintAndLog("Examples:");\r

-    PrintAndLog("      lf t55xx read 0           - read data from block 0");\r
-       PrintAndLog("      lf t55xx read 0 feedbeef  - read data from block 0 password feedbeef");\r
+    PrintAndLog("      lf t55xx read b 0                               - read data from block 0");\r
+       PrintAndLog("      lf t55xx read b 0 p feedbeef         - read data from block 0 password feedbeef");\r
+       PrintAndLog("      lf t55xx read b 0 p feedbeef o       - read data from block 0 password feedbeef safety check");\r

        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_write(){\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_write(){\r

-       PrintAndLog("Usage:  lf t55xx wr <block> <data> [password]");\r
-    PrintAndLog("     <block>, block number to read. Between 0-7");\r
-       PrintAndLog("     <data>,  4 bytes of data to write (8 hex characters)");\r
-    PrintAndLog("     [password], OPTIONAL password 4bytes (8 hex characters)");\r
+       PrintAndLog("Usage:  lf t55xx wr [b <block>] [d <data>] [p <password>] [1]");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     b <block>    - block number to write. Between 0-7");\r
+       PrintAndLog("     d <data>     - 4 bytes of data to write (8 hex characters)");\r
+       PrintAndLog("     p <password> - OPTIONAL password 4bytes (8 hex characters)");\r
+       PrintAndLog("     1            - OPTIONAL write Page 1 instead of Page 0");\r

     PrintAndLog("");\r
        PrintAndLog("Examples:");\r
     PrintAndLog("");\r
        PrintAndLog("Examples:");\r

-    PrintAndLog("      lf t55xx wd 3 11223344           - write 11223344 to block 3");\r
-       PrintAndLog("      lf t55xx wd 3 11223344 feedbeef  - write 11223344 to block 3 password feedbeef");\r
+       PrintAndLog("      lf t55xx write b 3 d 11223344            - write 11223344 to block 3");\r
+       PrintAndLog("      lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef");\r

        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_trace() {\r
        PrintAndLog("Usage:  lf t55xx trace [1]");\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_trace() {\r
        PrintAndLog("Usage:  lf t55xx trace [1]");\r

-       PrintAndLog("     [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r

        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx trace");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx trace");\r


@@ -77,7 +102,8 @@ int usage_t55xx_trace() {
 }\r
 int usage_t55xx_info() {\r
        PrintAndLog("Usage:  lf t55xx info [1]");\r
 }\r
 int usage_t55xx_info() {\r
        PrintAndLog("Usage:  lf t55xx info [1]");\r

-       PrintAndLog("     [graph buffer data], if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r

        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx info");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx info");\r


@@ -86,35 +112,87 @@ int usage_t55xx_info() {
        return 0;\r
 }\r
 int usage_t55xx_dump(){\r
        return 0;\r
 }\r
 int usage_t55xx_dump(){\r

-       PrintAndLog("Usage:  lf t55xx dump <password>");\r
-    PrintAndLog("     <password>, OPTIONAL password 4bytes (8 hex symbols)");\r
+       PrintAndLog("Usage:  lf t55xx dump <password> [o]");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     <password>  - OPTIONAL password 4bytes (8 hex symbols)");\r
+       PrintAndLog("     o           - OPTIONAL override, force pwd read despite danger to card");\r

        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx dump");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx dump");\r

-       PrintAndLog("      lf t55xx dump feedbeef");\r
+       PrintAndLog("      lf t55xx dump feedbeef o");\r

        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_detect(){\r
        PrintAndLog("");\r
        return 0;\r
 }\r
 int usage_t55xx_detect(){\r

-       PrintAndLog("Usage:  lf t55xx detect");\r
+       PrintAndLog("Usage:  lf t55xx detect [1] [p <password>]");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     p <password>  - OPTIONAL password (8 hex characters)");\r

        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx detect");\r
        PrintAndLog("      lf t55xx detect 1");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx detect");\r
        PrintAndLog("      lf t55xx detect 1");\r

+       PrintAndLog("      lf t55xx detect p 11223344");\r

        PrintAndLog("");\r
        return 0;\r
 }\r
        PrintAndLog("");\r
        return 0;\r
 }\r

-\r
+int usage_t55xx_wakup(){\r
+       PrintAndLog("Usage:  lf t55xx wakeup [h] p <password>");\r
+       PrintAndLog("This commands send the Answer-On-Request command and leaves the readerfield ON afterwards.");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h                     - this help");\r
+    PrintAndLog("     p <password>     - password 4bytes (8 hex symbols)");\r
+    PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+    PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
+       return 0;\r
+}\r
+int usage_t55xx_bruteforce(){\r
+       PrintAndLog("This command uses A) bruteforce to scan a number range");\r
+       PrintAndLog("                  B) a dictionary attack");\r
+    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+    PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h                     - this help");\r
+       PrintAndLog("     <start_pwd> - 4 byte hex value to start pwd search at");\r
+       PrintAndLog("     <end_pwd>   - 4 byte hex value to end pwd search at");\r
+    PrintAndLog("     i <*.dic>        - loads a default keys dictionary file <*.dic>");\r
+    PrintAndLog("");\r
+    PrintAndLog("Examples:");\r
+    PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+       PrintAndLog("       lf t55xx bruteforce i default_pwd.dic");\r
+    PrintAndLog("");\r
+    return 0;\r
+}\r
+int usage_t55xx_wipe(){\r
+       PrintAndLog("Usage:  lf t55xx wipe [h] [Q5]");\r
+       PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h     - this help");\r
+       PrintAndLog("     Q5  - indicates to use the T5555 (Q5) default configuration block");\r
+    PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+    PrintAndLog("      lf t55xx wipe   -  wipes a t55x7 tag,    config block 0x000880E0");\r
+       PrintAndLog("      lf t55xx wipe Q5 -  wipes a t5555 Q5 tag, config block 0x6001F004");\r
+       return 0;\r
+}\r

 static int CmdHelp(const char *Cmd);\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r

-int CmdT55xxSetConfig(const char *Cmd){\r
+void printT5xxHeader(uint8_t page){\r
+       PrintAndLog("Reading Page %d:", page);  \r
+       PrintAndLog("blk | hex data | binary");\r
+       PrintAndLog("----+----------+---------------------------------");       \r
+}\r
+\r
+int CmdT55xxSetConfig(const char *Cmd) {\r

 \r
        uint8_t offset = 0;\r
 \r
        uint8_t offset = 0;\r

-       bool errors = FALSE;\r
-       uint8_t cmdp = 0;\r
-       char modulation[4] = {0x00};\r
+       char modulation[5] = {0x00};\r

        char tmp = 0x00;\r
        char tmp = 0x00;\r

-       \r
+       uint8_t bitRate = 0;\r
+       uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};\r
+       uint8_t cmdp = 0;\r
+       bool errors = FALSE;\r

        while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
        {\r
                tmp = param_getchar(Cmd, cmdp);\r
        while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
        {\r
                tmp = param_getchar(Cmd, cmdp);\r


@@ -123,229 +201,439 @@ int CmdT55xxSetConfig(const char *Cmd){
                case 'h':\r
                case 'H':\r
                        return usage_t55xx_config();\r
                case 'h':\r
                case 'H':\r
                        return usage_t55xx_config();\r

+               case 'b':\r
+                       errors |= param_getdec(Cmd, cmdp+1, &bitRate);\r
+                       if ( !errors){\r
+                               uint8_t i = 0;\r
+                               for (; i < 9; i++){\r
+                                       if (rates[i]==bitRate) {\r
+                                               config.bitrate = i;\r
+                                               break;\r
+                                       }\r
+                               }\r
+                               if (i==9) errors = TRUE;\r
+                       }\r
+                       cmdp+=2;\r
+                       break;\r

                case 'd':\r
                        param_getstr(Cmd, cmdp+1, modulation);\r
                        cmdp += 2;\r
                case 'd':\r
                        param_getstr(Cmd, cmdp+1, modulation);\r
                        cmdp += 2;\r

-                       \r
-                       if ( strcmp(modulation, "FSK" ) == 0)       config.modulation = DEMOD_FSK;\r
-                       else if ( strcmp(modulation, "ASK" ) == 0)  config.modulation = DEMOD_ASK;\r
-                       else if ( strcmp(modulation, "PSK" ) == 0)  config.modulation = DEMOD_PSK;\r
-                       else if ( strcmp(modulation, "NZ" ) == 0)       config.modulation = DEMOD_NZR;\r
-                       else if ( strcmp(modulation, "BI" ) == 0)       config.modulation = DEMOD_BI;\r
-                       else {\r
+\r
+                       if ( strcmp(modulation, "FSK" ) == 0) {\r
+                               config.modulation = DEMOD_FSK;\r
+                       } else if ( strcmp(modulation, "FSK1" ) == 0) {\r
+                               config.modulation = DEMOD_FSK1;\r
+                               config.inverted=1;\r
+                       } else if ( strcmp(modulation, "FSK1a" ) == 0) {\r
+                               config.modulation = DEMOD_FSK1a;\r
+                               config.inverted=0;\r
+                       } else if ( strcmp(modulation, "FSK2" ) == 0) {\r
+                               config.modulation = DEMOD_FSK2;\r
+                               config.inverted=0;\r
+                       } else if ( strcmp(modulation, "FSK2a" ) == 0) {\r
+                               config.modulation = DEMOD_FSK2a;\r
+                               config.inverted=1;\r
+                       } else if ( strcmp(modulation, "ASK" ) == 0) {\r
+                               config.modulation = DEMOD_ASK;\r
+                       } else if ( strcmp(modulation, "NRZ" ) == 0) {\r
+                               config.modulation = DEMOD_NRZ;\r
+                       } else if ( strcmp(modulation, "PSK1" ) == 0) {\r
+                               config.modulation = DEMOD_PSK1;\r
+                       } else if ( strcmp(modulation, "PSK2" ) == 0) {\r
+                               config.modulation = DEMOD_PSK2;\r
+                       } else if ( strcmp(modulation, "PSK3" ) == 0) {\r
+                               config.modulation = DEMOD_PSK3;\r
+                       } else if ( strcmp(modulation, "BIa" ) == 0) {\r
+                               config.modulation = DEMOD_BIa;\r
+                               config.inverted=1;\r
+                       } else if ( strcmp(modulation, "BI" ) == 0) {\r
+                               config.modulation = DEMOD_BI;\r
+                               config.inverted=0;\r
+                       } else {\r

                                PrintAndLog("Unknown modulation '%s'", modulation);\r
                                errors = TRUE;\r
                        }\r
                        break;\r
                case 'i':\r
                                PrintAndLog("Unknown modulation '%s'", modulation);\r
                                errors = TRUE;\r
                        }\r
                        break;\r
                case 'i':\r

-                       config.inversed = param_getchar(Cmd,cmdp+1) == '1';\r
+                       config.inverted = param_getchar(Cmd,cmdp+1) == '1';\r

                        cmdp+=2;\r
                        break;\r
                case 'o':\r
                        cmdp+=2;\r
                        break;\r
                case 'o':\r

-                       errors |= param_getdec(Cmd, cmdp+1,&offset);\r
+                       errors |= param_getdec(Cmd, cmdp+1, &offset);\r

                        if ( !errors )\r
                                config.offset = offset;\r
                        if ( !errors )\r
                                config.offset = offset;\r

-                       cmdp += 2;\r
+                       cmdp+=2;\r
+                       break;\r
+               case 'Q':\r
+               case 'q':               \r
+                       config.Q5 = TRUE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'S':\r
+               case 's':               \r
+                       config.ST = TRUE;\r
+                       cmdp++;\r

                        break;\r
                default:\r
                        PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                        errors = TRUE;\r
                        break;\r
                }\r
                        break;\r
                default:\r
                        PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                        errors = TRUE;\r
                        break;\r
                }\r

-               \r
-               PrintAndLog(" %c  %d  [%d]", param_getchar(Cmd, cmdp) , errors, cmdp);\r
-       }\r
-       // No args\r
-       if (cmdp == 0) {\r
-               printConfiguration( config );\r
-               return 0;\r

        }\r
        }\r

-       //Validations\r
-       if (errors)\r
-               return usage_t55xx_config();\r
- \r
-       config.block0 = 0;\r
-       printConfiguration( config );\r
-       return 0;\r
-}\r

 \r
 \r

-int CmdT55xxReadBlock(const char *Cmd)\r
-{\r
-       int block = -1;\r
-       int password = 0xFFFFFFFF; //default to blank Block 7\r
+       // No args\r
+       if (cmdp == 0) return printConfiguration( config );\r

 \r
 \r

-       char cmdp = param_getchar(Cmd, 0);\r
-       if (cmdp == 'h' || cmdp == 'H')\r
-               return usage_t55xx_read();\r
+       //Validations\r
+       if (errors) return usage_t55xx_config();\r

 \r
 \r

-       int res = sscanf(Cmd, "%d %x", &block, &password);\r
+       config.block0 = 0;\r
+       return printConfiguration ( config );\r
+}\r

 \r
 \r

-       if ( res < 1 || res > 2 )\r
-               return usage_t55xx_read();\r
+int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){\r
+       //Password mode\r
+       if ( usepwd ) {\r
+               // try reading the config block and verify that PWD bit is set before doing this!\r
+               if ( !override ) {\r
+                       \r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0;\r
+                       \r
+                       if ( !tryDetectModulation() ) {\r
+                               PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");\r
+                               return 0;\r
+                       } else {\r
+                               PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");   \r
+                               usepwd = false;\r
+                               page1 = false;\r
+                       }\r
+               } else {\r
+                       PrintAndLog("Safety Check Overriden - proceeding despite risk");\r
+               }\r
+       }\r

 \r
 \r

-       \r
-       if ((block < 0) | (block > 7)) {\r
-               PrintAndLog("Block must be between 0 and 7");\r
-               return 1;\r
-       }       \r
+       if (!AquireData(page1, block, usepwd, password) ) return 0;\r
+       if (!DecodeT55xxBlock()) return 0;\r

 \r
 \r

-       UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, block, 0}};\r
-       c.d.asBytes[0] = 0x0; \r
+       char blk[10]={0};\r
+       sprintf(blk,"%02d", block);\r
+       printT55xxBlock(blk);   \r
+       return 1;\r
+}\r

 \r
 \r

-       //Password mode\r
-       if ( res == 2 ) {\r
-               c.arg[2] = password;\r
-               c.d.asBytes[0] = 0x1; \r
+int CmdT55xxReadBlock(const char *Cmd) {\r
+       uint8_t block = REGULAR_READ_MODE_BLOCK;\r
+       uint32_t password = 0; //default to blank Block 7\r
+       bool usepwd = false;\r
+       bool override = false;\r
+       bool page1 = false;\r
+       bool errors = false;\r
+       uint8_t cmdp = 0;\r
+       while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_t55xx_read();\r
+               case 'b':\r
+               case 'B':\r
+                       errors |= param_getdec(Cmd, cmdp+1, &block);\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'o':\r
+               case 'O':\r
+                       override = TRUE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'p':\r
+               case 'P':\r
+                       password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       usepwd = true;\r
+                       cmdp += 2;\r
+                       break;\r
+               case '1':\r
+                       page1 = true;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r

        }\r
        }\r

+       if (errors) return usage_t55xx_read();\r

 \r
 \r

-       SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
-               PrintAndLog("command execution time out");\r
-               return 2;\r
+       if (block > 7 && block != REGULAR_READ_MODE_BLOCK       ) {\r
+               PrintAndLog("Block must be between 0 and 7");\r
+               return 0;\r

        }\r
        }\r

-       \r
-       uint8_t got[12000];\r
-       GetFromBigBuf(got,sizeof(got),0);\r
-       WaitForResponse(CMD_ACK,NULL);\r
-       setGraphBuf(got, 12000);\r

 \r
 \r

-       DecodeT55xxBlock();\r
-       printT55xxBlock("");\r
-       return 0;\r
+       printT5xxHeader(page1);\r
+       return T55xxReadBlock(block, page1, usepwd, override, password);\r

 }\r
 \r
 }\r
 \r

-void DecodeT55xxBlock(){\r
+bool DecodeT55xxBlock(){\r

        \r
        \r

-       char buf[6] = {0x00};\r
+       char buf[30] = {0x00};\r

        char *cmdStr = buf;\r
        char *cmdStr = buf;\r

-\r
-       // clearing the DemodBuffer.\r
+       int ans = 0;\r
+       bool ST = config.ST;\r
+       uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r

        DemodBufferLen = 0x00;\r
        DemodBufferLen = 0x00;\r

-       \r
-       // use the configuration\r
+\r

        switch( config.modulation ){\r
        switch( config.modulation ){\r

-               case 1:\r
-                       sprintf(cmdStr,"0 %d", config.inversed );\r
-                       FSKrawDemod(cmdStr, FALSE);\r
+               case DEMOD_FSK:\r
+                       snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );\r
+                       ans = FSKrawDemod(cmdStr, FALSE);\r
+                       break;\r
+               case DEMOD_FSK1:\r
+               case DEMOD_FSK1a:\r
+                       snprintf(cmdStr, sizeof(buf),"%d %d 8 5", bitRate[config.bitrate], config.inverted );\r
+                       ans = FSKrawDemod(cmdStr, FALSE);\r

                        break;\r
                        break;\r

-               case 2:\r
-                       sprintf(cmdStr,"0 %d 1", config.inversed );\r
-                       ASKmanDemod(cmdStr, FALSE, FALSE);\r
+               case DEMOD_FSK2:\r
+               case DEMOD_FSK2a:\r
+                       snprintf(cmdStr, sizeof(buf),"%d %d 10 8", bitRate[config.bitrate], config.inverted );\r
+                       ans = FSKrawDemod(cmdStr, FALSE);\r

                        break;\r
                        break;\r

-               case 3:\r
-                       sprintf(cmdStr,"0 %d 1", config.inversed );\r
-                       PSKDemod(cmdStr, FALSE);\r
+               case DEMOD_ASK:\r
+                       snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
+                       ans = ASKDemod_ext(cmdStr, FALSE, FALSE, 1, &ST);\r

                        break;\r
                        break;\r

-               case 4:\r
-                       sprintf(cmdStr,"0 %d 1", config.inversed );\r
-                       NRZrawDemod(cmdStr, FALSE);\r
+               case DEMOD_PSK1:\r
+                       // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
+                       CmdLtrim("160");\r
+                       snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
+                       ans = PSKDemod(cmdStr, FALSE);\r
+                       //undo trim samples\r
+                       save_restoreGB(0);\r

                        break;\r
                        break;\r

-               case 5:\r
-                       //BiphaseRawDecode("0",FALSE);\r
+               case DEMOD_PSK2: //inverted won't affect this\r
+               case DEMOD_PSK3: //not fully implemented\r
+                       // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
+                       CmdLtrim("160");\r
+                       snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
+                       ans = PSKDemod(cmdStr, FALSE);\r
+                       psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+                       //undo trim samples\r
+                       save_restoreGB(0);\r
+                       break;\r
+               case DEMOD_NRZ:\r
+                       snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
+                       ans = NRZrawDemod(cmdStr, FALSE);\r
+                       break;\r
+               case DEMOD_BI:\r
+               case DEMOD_BIa:\r
+                       snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted );\r
+                       ans = ASKbiphaseDemod(cmdStr, FALSE);\r

                        break;\r
                default:\r
                        break;\r
                default:\r

-               return;\r
+                       return FALSE;\r

        }\r
        }\r

+       return (bool) ans;\r

 }\r
 \r
 }\r
 \r

-int CmdT55xxDetect(const char *Cmd){\r
-       char cmdp = param_getchar(Cmd, 0);\r
-       if (cmdp == 'h' || cmdp == 'H')\r
-               return usage_t55xx_detect();\r
+bool DecodeT5555TraceBlock() {\r
+       DemodBufferLen = 0x00;\r

        \r
        \r

-       // read block 0, Page 0. Configuration.\r
-       UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, 0, 0}};\r
-       c.d.asBytes[0] = 0x0; \r
+       // According to datasheet. Always: RF/64, not inverted, Manchester\r
+       return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1);\r
+}\r

 \r
 \r

-       //Password mode\r
-       // if ( res == 2 ) {\r
-               // c.arg[2] = password;\r
-               // c.d.asBytes[0] = 0x1; \r
-       // }\r

 \r
 \r

-       SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
-               PrintAndLog("command execution time out");\r
-               return FALSE;\r
+int CmdT55xxDetect(const char *Cmd){\r
+       bool errors = FALSE;\r
+       bool useGB = FALSE;\r
+       bool usepwd = FALSE;\r
+       uint32_t password = 0;\r
+       uint8_t cmdp = 0;\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_t55xx_detect();\r
+               case 'p':\r
+               case 'P':\r
+                       password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       usepwd = TRUE;\r
+                       cmdp += 2;\r
+                       break;\r
+               case '1':\r
+                       // use Graphbuffer data\r
+                       useGB = TRUE;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r

        }\r
        }\r

+       if (errors) return usage_t55xx_detect();\r

        \r
        \r

-       uint8_t got[12000];\r
-       GetFromBigBuf(got,sizeof(got),0);\r
-       WaitForResponse(CMD_ACK,NULL);\r
-       setGraphBuf(got, 12000);\r
+       if ( !useGB) {\r
+               if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
+                       return 0;\r
+       }\r

        \r
        \r

-       if ( !tryDetectModulation() ){\r
+       if ( !tryDetectModulation() )\r

                PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
                PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r

-       }\r
-       return 0;\r
+\r
+       return 1;\r

 }\r
 \r
 // detect configuration?\r
 bool tryDetectModulation(){\r
 }\r
 \r
 // detect configuration?\r
 bool tryDetectModulation(){\r

-       \r

        uint8_t hits = 0;\r
        uint8_t hits = 0;\r

-       t55xx_conf_block_t tests[10];\r
+       t55xx_conf_block_t tests[15];\r
+       int bitRate=0;\r
+       uint8_t fc1 = 0, fc2 = 0, clk=0;\r

        \r
        if (GetFskClock("", FALSE, FALSE)){ \r
        \r
        if (GetFskClock("", FALSE, FALSE)){ \r

-               if ( FSKrawDemod("0 0", FALSE) && test()){\r
+               fskClocks(&fc1, &fc2, &clk, FALSE);\r
+               if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){\r

                        tests[hits].modulation = DEMOD_FSK;\r
                        tests[hits].modulation = DEMOD_FSK;\r

-                       tests[hits].inversed = FALSE;\r
+                       if (fc1==8 && fc2 == 5)\r
+                               tests[hits].modulation = DEMOD_FSK1a;\r
+                       else if (fc1==10 && fc2 == 8)\r
+                               tests[hits].modulation = DEMOD_FSK2;\r
+                       tests[hits].bitrate = bitRate;\r
+                       tests[hits].inverted = FALSE;\r
+                       tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r

                        ++hits;\r
                }\r
                        ++hits;\r
                }\r

-               if ( FSKrawDemod("0 1", FALSE) && test()) {\r
+               if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r

                        tests[hits].modulation = DEMOD_FSK;\r
                        tests[hits].modulation = DEMOD_FSK;\r

-                       tests[hits].inversed = TRUE;\r
+                       if (fc1 == 8 && fc2 == 5)\r
+                               tests[hits].modulation = DEMOD_FSK1;\r
+                       else if (fc1 == 10 && fc2 == 8)\r
+                               tests[hits].modulation = DEMOD_FSK2a;\r
+                       tests[hits].bitrate = bitRate;\r
+                       tests[hits].inverted = TRUE;\r
+                       tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r

                        ++hits;\r
                        ++hits;\r

+               }\r
+       } else {\r
+               clk = GetAskClock("", FALSE, FALSE);\r
+               if (clk>0) {\r
+                       tests[hits].ST = TRUE;\r
+                       if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                               tests[hits].modulation = DEMOD_ASK;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = FALSE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               ++hits;\r

                        }\r
                        }\r

-    } else {\r
-               if ( ASKmanDemod("0 0 1", FALSE, FALSE) && test()) {\r
-                       tests[hits].modulation = DEMOD_ASK;\r
-                       tests[hits].inversed = FALSE;\r
-                       ++hits;\r
+                       tests[hits].ST = TRUE;\r
+                       if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                               tests[hits].modulation = DEMOD_ASK;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = TRUE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               ++hits;\r

                        }\r
                        }\r

-\r
-               if ( ASKmanDemod("0 1 1", FALSE, FALSE)  && test()) {\r
-                       tests[hits].modulation = DEMOD_ASK;\r
-                       tests[hits].inversed = TRUE;\r
-                       ++hits;\r
+                       if ( ASKbiphaseDemod("0 0 0 2", FALSE) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
+                               tests[hits].modulation = DEMOD_BI;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = FALSE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
+                               ++hits;\r
+                       }\r
+                       if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
+                               tests[hits].modulation = DEMOD_BIa;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = TRUE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
+                               ++hits;\r

                        }\r
                        }\r

-               \r
-               if ( NRZrawDemod("0 0 1", FALSE)  && test()) {\r
-                       tests[hits].modulation = DEMOD_NZR;\r
-                       tests[hits].inversed = FALSE;\r
-                       ++hits;\r

                }\r
                }\r

+               //undo trim from ask\r
+               //save_restoreGB(0);\r
+               clk = GetNrzClock("", FALSE, FALSE);\r
+               if (clk>0) {\r
+                       if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                               tests[hits].modulation = DEMOD_NRZ;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = FALSE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
+                               ++hits;\r
+                       }\r

 \r
 \r

-               if ( NRZrawDemod("0 1 1", FALSE)  && test()) {\r
-                       tests[hits].modulation = DEMOD_NZR;\r
-                       tests[hits].inversed = TRUE;\r
-                       ++hits;\r
+                       if ( NRZrawDemod("0 1 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                               tests[hits].modulation = DEMOD_NRZ;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = TRUE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
+                               ++hits;\r

                        }\r
                        }\r

-               \r
-               if ( PSKDemod("0 0 1", FALSE) && test()) {\r
-                       tests[hits].modulation = DEMOD_PSK;\r
-                       tests[hits].inversed = FALSE;\r
-                       ++hits;\r

                }\r
                \r
                }\r
                \r

-               if ( PSKDemod("0 1 1", FALSE) && test()) {\r
-                       tests[hits].modulation = DEMOD_PSK;\r
-                       tests[hits].inversed = TRUE;\r
-                       ++hits;\r
+               // allow undo\r
+               // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+               save_restoreGB(1);\r
+               CmdLtrim("160");\r
+               clk = GetPskClock("", FALSE, FALSE);\r
+               if (clk>0) {\r
+                       if ( PSKDemod("0 0 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                               tests[hits].modulation = DEMOD_PSK1;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = FALSE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
+                               ++hits;\r
+                       }\r
+                       if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                               tests[hits].modulation = DEMOD_PSK1;\r
+                               tests[hits].bitrate = bitRate;\r
+                               tests[hits].inverted = TRUE;\r
+                               tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
+                               ++hits;\r
+                       }\r
+                       // PSK2 - needs a call to psk1TOpsk2.\r
+                       if ( PSKDemod("0 0 6", FALSE)) {\r
+                               psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+                               if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){\r
+                                       tests[hits].modulation = DEMOD_PSK2;\r
+                                       tests[hits].bitrate = bitRate;\r
+                                       tests[hits].inverted = FALSE;\r
+                                       tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
+                                       ++hits;\r
+                               }\r
+                       } // inverse waves does not affect this demod\r
+                       // PSK3 - needs a call to psk1TOpsk2.\r
+                       if ( PSKDemod("0 0 6", FALSE)) {\r
+                               psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+                               if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){\r
+                                       tests[hits].modulation = DEMOD_PSK3;\r
+                                       tests[hits].bitrate = bitRate;\r
+                                       tests[hits].inverted = FALSE;\r
+                                       tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
+                                       ++hits;\r
+                               }\r
+                       } // inverse waves does not affect this demod\r

                }\r
                }\r

-               //PSK2?\r
-               // if (!BiphaseRawDecode("0",FALSE)  && test()) {\r
-               //      tests[++hits].modulation = DEMOD_BI;\r
-               //      tests[hits].inversed = FALSE;\r
-               //}\r
-               // if (!BiphaseRawDecode("1",FALSE) && test()) {\r
-               //      tests[++hits].modulation = DEMOD_BI;\r
-               //      tests[hits].inversed = TRUE;\r
-               // }\r
+               //undo trim samples\r
+               save_restoreGB(0);\r

        }               \r
        if ( hits == 1) {\r
                config.modulation = tests[0].modulation;\r
        }               \r
        if ( hits == 1) {\r
                config.modulation = tests[0].modulation;\r

-               config.inversed = tests[0].inversed;\r
+               config.bitrate = tests[0].bitrate;\r
+               config.inverted = tests[0].inverted;\r
+               config.offset = tests[0].offset;\r
+               config.block0 = tests[0].block0;\r
+               config.Q5 = tests[0].Q5;\r
+               config.ST = tests[0].ST;\r

                printConfiguration( config );\r
                return TRUE;\r
        }\r
                printConfiguration( config );\r
                return TRUE;\r
        }\r


@@ -360,185 +648,433 @@ bool tryDetectModulation(){
        return FALSE;\r
 }\r
 \r
        return FALSE;\r
 }\r
 \r

-bool test(){\r
+bool testModulation(uint8_t mode, uint8_t modread){\r
+       switch( mode ){\r
+               case DEMOD_FSK:\r
+                       if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return TRUE;\r
+                       break;\r
+               case DEMOD_ASK:\r
+                       if (modread == DEMOD_ASK) return TRUE;\r
+                       break;\r
+               case DEMOD_PSK1:\r
+                       if (modread == DEMOD_PSK1) return TRUE;\r
+                       break;\r
+               case DEMOD_PSK2:\r
+                       if (modread == DEMOD_PSK2) return TRUE;\r
+                       break;\r
+               case DEMOD_PSK3:\r
+                       if (modread == DEMOD_PSK3) return TRUE;\r
+                       break;\r
+               case DEMOD_NRZ:\r
+                       if (modread == DEMOD_NRZ) return TRUE;\r
+                       break;\r
+               case DEMOD_BI:\r
+                       if (modread == DEMOD_BI) return TRUE;\r
+                       break;\r
+               case DEMOD_BIa:\r
+                       if (modread == DEMOD_BIa) return TRUE;\r
+                       break;          \r
+               default:\r
+                       return FALSE;\r
+       }\r
+       return FALSE;\r
+}\r

 \r
 \r

-       if ( !DemodBufferLen) \r
-               return false;\r
-       \r
-       if ( PackBits(0, 32, DemodBuffer) == 0x00 )\r
-               return FALSE;\r
-       \r
+bool testQ5Modulation(uint8_t  mode, uint8_t   modread){\r
+       switch( mode ){\r
+               case DEMOD_FSK:\r
+                       if (modread >= 4 && modread <= 5) return TRUE;\r
+                       break;\r
+               case DEMOD_ASK:\r
+                       if (modread == 0) return TRUE;\r
+                       break;\r
+               case DEMOD_PSK1:\r
+                       if (modread == 1) return TRUE;\r
+                       break;\r
+               case DEMOD_PSK2:\r
+                       if (modread == 2) return TRUE;\r
+                       break;\r
+               case DEMOD_PSK3:\r
+                       if (modread == 3) return TRUE;\r
+                       break;\r
+               case DEMOD_NRZ:\r
+                       if (modread == 7) return TRUE;\r
+                       break;\r
+               case DEMOD_BI:\r
+                       if (modread == 6) return TRUE;\r
+                       break;\r
+               default:\r
+                       return FALSE;\r
+       }\r
+       return FALSE;\r
+}\r
+\r
+int convertQ5bitRate(uint8_t bitRateRead) {\r
+       uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};\r
+       for (int i=0; i<8; i++)\r
+               if (expected[i] == bitRateRead)\r
+                       return i;\r
+\r
+       return -1;\r
+}\r
+\r
+bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t    clk){\r
+\r
+       if ( DemodBufferLen < 64 ) return FALSE;\r

        uint8_t si = 0;\r
        uint8_t si = 0;\r

-       \r
-       uint8_t safer    = PackBits(si, 4, DemodBuffer); si += 4;       \r
-       uint8_t resv     = PackBits(si, 7, DemodBuffer); si += 7+3;\r
-       uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;\r
+       for (uint8_t idx = 28; idx < 64; idx++){\r
+               si = idx;\r
+               if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;\r

 \r
 \r

-       //PrintAndLog("test: %X %X %X ", safer, resv, extend);\r
-       \r
-       // 2nibble must be zeroed.\r
-       if ( resv > 0x00) return FALSE;\r
+               uint8_t safer     = PackBits(si, 4, DemodBuffer); si += 4;     //master key\r
+               uint8_t resv      = PackBits(si, 8, DemodBuffer); si += 8;\r
+               // 2nibble must be zeroed.\r
+               if (safer != 0x6 && safer != 0x9) continue;\r
+               if ( resv > 0x00) continue;\r
+               //uint8_t       pageSel   = PackBits(si, 1, DemodBuffer); si += 1;\r
+               //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;\r
+               si += 1+1;\r
+               int bitRate       = PackBits(si, 6, DemodBuffer)*2 + 2; si += 6;     //bit rate\r
+               if (bitRate > 128 || bitRate < 8) continue;\r

 \r
 \r

-       if ( safer == 0x6 || safer == 0x9){\r
-               if ( extend == 0x00)\r
-                       return TRUE;\r
+               //uint8_t AOR       = PackBits(si, 1, DemodBuffer); si += 1;   \r
+               //uint8_t PWD       = PackBits(si, 1, DemodBuffer); si += 1; \r
+               //uint8_t pskcr     = PackBits(si, 2, DemodBuffer); si += 2;  //could check psk cr\r
+               //uint8_t inverse   = PackBits(si, 1, DemodBuffer); si += 1;\r
+               si += 1+1+2+1;\r
+               uint8_t modread   = PackBits(si, 3, DemodBuffer); si += 3;\r
+               uint8_t maxBlk    = PackBits(si, 3, DemodBuffer); si += 3;\r
+               //uint8_t ST        = PackBits(si, 1, DemodBuffer); si += 1;\r
+               if (maxBlk == 0) continue;\r
+               //test modulation\r
+               if (!testQ5Modulation(mode, modread)) continue;\r
+               if (bitRate != clk) continue;\r
+               *fndBitRate = convertQ5bitRate(bitRate);\r
+               if (*fndBitRate < 0) continue;\r
+               *offset = idx;\r
+\r
+               return TRUE;\r

        }\r
        }\r

-       if ( resv== 0x00) return TRUE;\r

        return FALSE;\r
 }\r
 \r
        return FALSE;\r
 }\r
 \r

-void printT55xxBlock(const char *demodStr){\r
+bool testBitRate(uint8_t readRate, uint8_t clk){\r
+       uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};\r
+       if (expected[readRate] == clk)\r
+               return true;\r
+\r
+       return false;\r
+}\r
+\r
+bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){\r
+\r
+       if ( DemodBufferLen < 64 ) return FALSE;\r
+       uint8_t si = 0;\r
+       for (uint8_t idx = 28; idx < 64; idx++){\r
+               si = idx;\r
+               if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;\r
+\r
+               uint8_t safer    = PackBits(si, 4, DemodBuffer); si += 4;     //master key\r
+               uint8_t resv     = PackBits(si, 4, DemodBuffer); si += 4;     //was 7 & +=7+3 //should be only 4 bits if extended mode\r
+               // 2nibble must be zeroed.\r
+               // moved test to here, since this gets most faults first.\r
+               if ( resv > 0x00) continue;\r
+\r
+               uint8_t xtRate   = PackBits(si, 3, DemodBuffer); si += 3;     //extended mode part of rate\r
+               int bitRate  = PackBits(si, 3, DemodBuffer); si += 3;     //bit rate\r
+               if (bitRate > 7) continue;\r
+               uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
+               uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
+               //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
+               //uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
+               //uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
+               \r
+               //if extended mode\r
+               bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
+\r
+               if (!extMode){\r
+                       if (xtRate) continue;  //nml01 || nml02 ||  caused issues on noralys tags\r
+               }\r
+               //test modulation\r
+               if (!testModulation(mode, modread)) continue;\r
+               if (!testBitRate(bitRate, clk)) continue;\r
+               *fndBitRate = bitRate;\r
+               *offset = idx;\r
+               *Q5 = FALSE;\r
+               return TRUE;\r
+       }\r
+       if (testQ5(mode, offset, fndBitRate, clk)) {\r
+               *Q5 = TRUE;\r
+               return TRUE;\r
+       }\r
+       return FALSE;\r
+}\r
+\r
+void printT55xxBlock(const char *blockNum){\r

        \r
        \r

+       uint8_t i = config.offset;\r
+       uint8_t endpos = 32 + i;\r

        uint32_t blockData = 0;\r
        uint8_t bits[64] = {0x00};\r
        uint32_t blockData = 0;\r
        uint8_t bits[64] = {0x00};\r

-               \r
-       if ( !DemodBufferLen) \r
-               return;\r
-       \r
-       if ( config.offset > DemodBufferLen){\r
-               PrintAndLog("The configured offset is to big. (%d > %d)", config.offset, DemodBufferLen);\r
+\r
+       if ( !DemodBufferLen) return;\r
+\r
+       if ( endpos > DemodBufferLen){\r
+               PrintAndLog("The configured offset %d is too big. Possible offset: %d)", i, DemodBufferLen-32);\r

                return;\r
        }\r
                return;\r
        }\r

-       \r
-       int i = config.offset;\r
-       int pos = 32 + config.offset;\r
-    for (; i < pos; ++i)\r
-               bits[i - config.offset]=DemodBuffer[i];\r
-       \r
+\r
+       for (; i < endpos; ++i)\r
+               bits[i - config.offset] = DemodBuffer[i];\r
+\r

        blockData = PackBits(0, 32, bits);\r
        blockData = PackBits(0, 32, bits);\r

-       PrintAndLog("0x%08X  %s [%s]", blockData, sprint_bin(bits,32), demodStr);\r
+\r
+       PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));\r

 }\r
 \r
 int special(const char *Cmd) {\r
        uint32_t blockData = 0;\r
        uint8_t bits[32] = {0x00};\r
 \r
 }\r
 \r
 int special(const char *Cmd) {\r
        uint32_t blockData = 0;\r
        uint8_t bits[32] = {0x00};\r
 \r

-       PrintAndLog("[OFFSET] [DATA] [BINARY]");\r
+       PrintAndLog("OFFSET | DATA  | BINARY");\r

        PrintAndLog("----------------------------------------------------");\r
        int i,j = 0;\r
        PrintAndLog("----------------------------------------------------");\r
        int i,j = 0;\r

-       for (; j < 128; ++j){\r
+       for (; j < 64; ++j){\r

                \r
                for (i = 0; i < 32; ++i)\r
                        bits[i]=DemodBuffer[j+i];\r
        \r
                blockData = PackBits(0, 32, bits);\r
                \r
                for (i = 0; i < 32; ++i)\r
                        bits[i]=DemodBuffer[j+i];\r
        \r
                blockData = PackBits(0, 32, bits);\r

-               PrintAndLog("[%d] 0x%08X  %s",j , blockData, sprint_bin(bits,32));      \r
+               \r
+               PrintAndLog("%02d | 0x%08X | %s",j , blockData, sprint_bin(bits,32));   \r

        }\r
        }\r

-       \r

        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r

-void printConfiguration( t55xx_conf_block_t b){\r
+int printConfiguration( t55xx_conf_block_t b){\r
+       PrintAndLog("Chip Type  : %s", (b.Q5) ? "T5555(Q5)" : "T55x7");\r

        PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) );\r
        PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) );\r

-       PrintAndLog("Inverted   : %s", (b.inversed) ? "Yes" : "No" );\r
+       PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
+       PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r

        PrintAndLog("Offset     : %d", b.offset);\r
        PrintAndLog("Offset     : %d", b.offset);\r

-       PrintAndLog("Block0     : %08X", b.block0);\r
+       PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" );\r
+       PrintAndLog("Block0     : 0x%08X", b.block0);\r

        PrintAndLog("");\r
        PrintAndLog("");\r

+       return 0;\r

 }\r
 \r
 }\r
 \r

-int CmdT55xxWriteBlock(const char *Cmd)\r
-{\r
-       int block = 8; //default to invalid block\r
-       int data = 0xFFFFFFFF; //default to blank Block \r
-       int password = 0xFFFFFFFF; //default to blank Block 7\r
-       \r
-       char cmdp = param_getchar(Cmd, 0);\r
-       if (cmdp == 'h' || cmdp == 'H') {\r
-               usage_t55xx_write();\r
-               return 0;\r
+int CmdT55xxWakeUp(const char *Cmd) {\r
+       uint32_t password = 0;\r
+       uint8_t cmdp = 0;\r
+       bool errors = false;\r
+       while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_t55xx_wakup();\r
+               case 'p':\r
+               case 'P':\r
+                       password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       cmdp += 2;\r
+                       errors = false;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r

        }\r
        }\r

-  \r
-       int res = sscanf(Cmd, "%d %x %x",&block, &data, &password);\r
-       \r
-       if ( res < 2 || res > 3) {\r
-               usage_t55xx_write();\r
-               return 1;\r
+       if (errors) return usage_t55xx_wakup();\r
+\r
+       UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};\r
+       clearCommandBuffer();\r
+       SendCommand(&c);\r
+       PrintAndLog("Wake up command sent. Try read now");\r
+       return 0;\r
+}\r
+\r
+int CmdT55xxWriteBlock(const char *Cmd) {\r
+       uint8_t block = 0xFF; //default to invalid block\r
+       uint32_t data = 0; //default to blank Block \r
+       uint32_t password = 0; //default to blank Block 7\r
+       bool usepwd = false;\r
+       bool page1 = false;     \r
+       bool gotdata = false;\r
+       bool errors = false;\r
+       uint8_t cmdp = 0;\r
+       while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_t55xx_write();\r
+               case 'b':\r
+               case 'B':\r
+                       errors |= param_getdec(Cmd, cmdp+1, &block);\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'd':\r
+               case 'D':\r
+                       data = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       gotdata = true;\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'p':\r
+               case 'P':\r
+                       password = param_get32ex(Cmd, cmdp+1, 0, 16);\r
+                       usepwd = true;\r
+                       cmdp += 2;\r
+                       break;\r
+               case '1':\r
+                       page1 = true;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r

        }\r
        }\r

+       if (errors || !gotdata) return usage_t55xx_write();\r

 \r
        if (block > 7) {\r
 \r
        if (block > 7) {\r

-               PrintAndLog("Block must be between 0 and 7");\r
-               return 1;\r
+               PrintAndLog("Block number must be between 0 and 7");\r
+               return 0;\r

        }\r
        \r
        UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};\r
        }\r
        \r
        UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};\r

-       c.d.asBytes[0] = 0x0; \r
+       UsbCommand resp;\r
+       c.d.asBytes[0] = (page1) ? 0x2 : 0; \r

 \r
 \r

-       PrintAndLog("Writing to T55x7");\r
-       PrintAndLog("block : %d", block);\r
-       PrintAndLog("data  : 0x%08X", data);\r
+       char pwdStr[16] = {0};\r
+       snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);\r
+       \r
+       PrintAndLog("Writing page %d  block: %02d  data: 0x%08X %s", page1, block, data,  (usepwd) ? pwdStr : "" );\r

 \r
        //Password mode\r
 \r
        //Password mode\r

-       if (res == 3) {\r
+       if (usepwd) {\r

                c.arg[2] = password;\r
                c.arg[2] = password;\r

-               c.d.asBytes[0] = 0x1; \r
-               PrintAndLog("pwd   : 0x%08X", password);\r
+               c.d.asBytes[0] |= 0x1; \r

        }\r
        }\r

+       clearCommandBuffer();\r

        SendCommand(&c);\r
        SendCommand(&c);\r

-       return 0;\r
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
+               PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
+               return 0;\r
+       }\r
+       return 1;\r

 }\r
 \r
 }\r
 \r

-int CmdT55xxReadTrace(const char *Cmd)\r
-{\r
+int CmdT55xxReadTrace(const char *Cmd) {\r

        char cmdp = param_getchar(Cmd, 0);\r
        char cmdp = param_getchar(Cmd, 0);\r

-       \r
-       if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') \r
-               return usage_t55xx_trace();\r
+       bool pwdmode = false;\r
+       uint32_t password = 0;  \r
+       if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r

 \r
 \r

-       if ( strlen(Cmd)==0){\r
-       \r
-               UsbCommand c = {CMD_T55XX_READ_TRACE, {0, 0, 0}};\r
-               SendCommand(&c);\r
-               if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
-                       PrintAndLog("command execution time out");\r
-                       return 1;\r
-               }\r
+       if (strlen(Cmd)==0)\r
+               if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
+                       return 0;\r

 \r
 \r

-               uint8_t got[12000];\r
-               GetFromBigBuf(got,sizeof(got),0);\r
-               WaitForResponse(CMD_ACK,NULL);\r
-               setGraphBuf(got, 12000);\r
+       if ( config.Q5 ){\r
+               if (!DecodeT5555TraceBlock()) return 0;\r
+       } else {\r
+               if (!DecodeT55xxBlock()) return 0;\r

        }\r
        \r
        }\r
        \r

-       DecodeT55xxBlock();\r
-\r
-       if ( !DemodBufferLen) \r
-               return 2;\r
+       if ( !DemodBufferLen ) return 0;\r

        \r
        RepaintGraphWindow();\r
        \r
        RepaintGraphWindow();\r

-\r
-       uint8_t si = config.offset;\r
-       uint32_t bl0     = PackBits(si, 32, DemodBuffer);\r
-       uint32_t bl1     = PackBits(si+32, 32, DemodBuffer);\r
+       uint8_t repeat = (config.offset > 5) ? 32 : 0;\r

        \r
        \r

-       uint32_t acl     = PackBits(si,  8, DemodBuffer); si += 8;\r
-       uint32_t mfc     = PackBits(si, 8, DemodBuffer); si += 8;\r
-       uint32_t cid     = PackBits(si, 5, DemodBuffer); si += 5;\r
-       uint32_t icr     = PackBits(si, 3, DemodBuffer); si += 3;\r
-       uint32_t year    = PackBits(si, 4, DemodBuffer); si += 4;\r
-       uint32_t quarter = PackBits(si, 2, DemodBuffer); si += 2;\r
-       uint32_t lotid    = PackBits(si, 12, DemodBuffer); si += 12;\r
-       uint32_t wafer   = PackBits(si, 5, DemodBuffer); si += 5;\r
-       uint32_t dw      = PackBits(si, 15, DemodBuffer); \r
+       uint8_t si = config.offset + repeat;\r
+       uint32_t bl1 = PackBits(si, 32, DemodBuffer);\r
+       uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);        \r

        \r
        \r

-       year += 2000;\r
+       if (config.Q5) {\r
+               uint32_t hdr = PackBits(si, 9,  DemodBuffer); si += 9;\r
+    \r
+               if (hdr != 0x1FF) {\r
+                 PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);\r
+                 return 0;\r
+               }\r
+    \r
+               t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};\r
+                       \r
+               data.icr     = PackBits(si, 2,  DemodBuffer); si += 2;\r
+               data.lotidc  = 'Z' - PackBits(si, 2,  DemodBuffer); si += 3;\r
+               \r
+               data.lotid   = PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 1;\r
+               data.lotid  |= PackBits(si, 1,  DemodBuffer); si += 1;\r
+               \r
+               data.wafer   = PackBits(si, 3,  DemodBuffer); si += 4;\r
+               data.wafer <<= 2;\r
+               data.wafer  |= PackBits(si, 2,  DemodBuffer); si += 2;\r
+               \r
+               data.dw      = PackBits(si, 2,  DemodBuffer); si += 3;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r

        \r
        \r

-       PrintAndLog("");\r
-       PrintAndLog("-- T55xx Trace Information ----------------------------------");\r
+               printT5555Trace(data, repeat);\r
+               \r
+       } else {\r
+       \r
+               t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0,  .lotid = 0, .wafer = 0, .dw = 0};\r
+               \r
+               data.acl = PackBits(si, 8,  DemodBuffer); si += 8;\r
+               if ( data.acl != 0xE0 ) {\r
+                       PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
+                       return 0;\r
+               }\r
+\r
+               data.mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
+               data.cid     = PackBits(si, 5,  DemodBuffer); si += 5;\r
+               data.icr     = PackBits(si, 3,  DemodBuffer); si += 3;\r
+               data.year    = PackBits(si, 4,  DemodBuffer); si += 4;\r
+               data.quarter = PackBits(si, 2,  DemodBuffer); si += 2;\r
+               data.lotid   = PackBits(si, 14, DemodBuffer); si += 14;\r
+               data.wafer   = PackBits(si, 5,  DemodBuffer); si += 5;\r
+               data.dw      = PackBits(si, 15, DemodBuffer); \r
+\r
+               time_t t = time(NULL);\r
+               struct tm tm = *localtime(&t);\r
+               if ( data.year > tm.tm_year-110)\r
+                       data.year += 2000;\r
+               else\r
+                       data.year += 2010;\r
+\r
+               printT55x7Trace(data, repeat);\r
+       }\r
+       return 0;\r
+}\r
+\r
+void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T55x7 Trace Information ----------------------------------");\r

        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog("-------------------------------------------------------------");\r

-       PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", acl, acl);\r
-       PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d)", mfc, mfc);\r
-       PrintAndLog(" CID                                     : 0x%02X (%d)", cid, cid);\r
-       PrintAndLog(" ICR IC Revision                         : %d",icr );\r
+       PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", data.acl, data.acl);\r
+       PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));\r
+       PrintAndLog(" CID                                     : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));\r
+       PrintAndLog(" ICR IC Revision                         : %d", data.icr );\r

        PrintAndLog(" Manufactured");\r
        PrintAndLog(" Manufactured");\r

-       PrintAndLog("     Year/Quarter : %d/%d",year, quarter );\r
-       PrintAndLog("     Lot ID       : %d", lotid );\r
-       PrintAndLog("     Wafer number : %d", wafer);\r
-       PrintAndLog("     Die Number   : %d", dw);\r
+       PrintAndLog("     Year/Quarter : %d/%d", data.year, data.quarter);\r
+       PrintAndLog("     Lot ID       : %d", data.lotid );\r
+       PrintAndLog("     Wafer number : %d", data.wafer);\r
+       PrintAndLog("     Die Number   : %d", data.dw);\r

        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Raw Data - Page 1");\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Raw Data - Page 1");\r

-       PrintAndLog("     Block 0  : 0x%08X  %s", bl0, sprint_bin(DemodBuffer+5,32) );\r
-       PrintAndLog("     Block 1  : 0x%08X  %s", bl1, sprint_bin(DemodBuffer+37,32) );\r
-       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog("     Block 1  : 0x%08X  %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+       PrintAndLog("     Block 2  : 0x%08X  %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
+       PrintAndLog("-------------------------------------------------------------");   \r
+\r

        /*\r
        TRACE - BLOCK O\r
                Bits    Definition                                                              HEX\r
        /*\r
        TRACE - BLOCK O\r
                Bits    Definition                                                              HEX\r


@@ -555,54 +1091,62 @@ int CmdT55xxReadTrace(const char *Cmd)
                13-17   Wafer number\r
                18-32   DW,  die number sequential\r
        */\r
                13-17   Wafer number\r
                18-32   DW,  die number sequential\r
        */\r

+}\r
+\r
+void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");\r
+       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog(" ICR IC Revision  : %d", data.icr );       \r
+       PrintAndLog("     Lot          : %c%d", data.lotidc, data.lotid);\r
+       PrintAndLog("     Wafer number : %d", data.wafer);\r
+       PrintAndLog("     Die Number   : %d", data.dw);\r
+       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog(" Raw Data - Page 1");\r
+       PrintAndLog("     Block 1  : 0x%08X  %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+       PrintAndLog("     Block 2  : 0x%08X  %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r

        \r
        \r

-  return 0;\r
+       /*\r
+               ** Q5 **\r
+               TRACE - BLOCK O and BLOCK1\r
+               Bits    Definition                              HEX\r
+               1-9             Header                  0x1FF\r
+               10-11 IC Revision\r
+               12-13 Lot ID char\r
+               15-35 Lot ID (NB parity)\r
+               36-41 Wafer number (NB parity)\r
+               42-58 DW, die number sequential (NB parity)\r
+               60-63 Parity bits\r
+               64    Always zero\r
+       */\r

 }\r
 \r
 }\r
 \r

+//need to add Q5 info...\r

 int CmdT55xxInfo(const char *Cmd){\r
        /*\r
                Page 0 Block 0 Configuration data.\r
                Normal mode\r
                Extended mode\r
        */\r
 int CmdT55xxInfo(const char *Cmd){\r
        /*\r
                Page 0 Block 0 Configuration data.\r
                Normal mode\r
                Extended mode\r
        */\r

+       bool pwdmode = false;\r
+       uint32_t password = 0;\r

        char cmdp = param_getchar(Cmd, 0);\r
 \r
        char cmdp = param_getchar(Cmd, 0);\r
 \r

-       if (cmdp == 'h' || cmdp == 'H')\r
-               return usage_t55xx_info();\r
+       if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r

        \r
        \r

-       if (strlen(Cmd)==0){\r
-               \r
-               // read block 0, Page 0. Configuration.\r
-               UsbCommand c = {CMD_T55XX_READ_BLOCK, {0, 0, 0}};\r
-               c.d.asBytes[0] = 0x0; \r
-\r
-               //Password mode\r
-               // if ( res == 2 ) {\r
-                       // c.arg[2] = password;\r
-                       // c.d.asBytes[0] = 0x1; \r
-               // }\r
-\r
-               SendCommand(&c);\r
-               if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
-                       PrintAndLog("command execution time out");\r
+       if (strlen(Cmd)==0)\r
+               if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r

                        return 1;\r
                        return 1;\r

-               }\r

 \r
 \r

-               uint8_t got[12000];\r
-               GetFromBigBuf(got,sizeof(got),0);\r
-               WaitForResponse(CMD_ACK,NULL);\r
-               setGraphBuf(got, 12000);\r
-       }\r
-       \r
-       DecodeT55xxBlock();\r
+       if (!DecodeT55xxBlock()) return 1;\r
+\r
+       // too little space to start with\r
+       if ( DemodBufferLen < 32) return 1;\r
+\r
+       // \r
+       PrintAndLog("Offset+32 ==%d\n DemodLen == %d", config.offset + 32,DemodBufferLen );\r

 \r
 \r

-       if ( !DemodBufferLen) \r
-               return 2;\r
-       \r
-       \r

        uint8_t si = config.offset;\r
        uint8_t si = config.offset;\r

-       uint32_t bl0      = PackBits(si, 32, DemodBuffer);\r
-       \r
+       uint32_t bl0      = PackBits(si, 32, DemodBuffer);      \r

        uint32_t safer    = PackBits(si, 4, DemodBuffer); si += 4;      \r
        uint32_t resv     = PackBits(si, 7, DemodBuffer); si += 7;\r
        uint32_t dbr      = PackBits(si, 3, DemodBuffer); si += 3;\r
        uint32_t safer    = PackBits(si, 4, DemodBuffer); si += 4;      \r
        uint32_t resv     = PackBits(si, 7, DemodBuffer); si += 7;\r
        uint32_t dbr      = PackBits(si, 3, DemodBuffer); si += 3;\r


@@ -617,16 +1161,17 @@ int CmdT55xxInfo(const char *Cmd){
        uint32_t fw       = PackBits(si, 1, DemodBuffer); si += 1;\r
        uint32_t inv      = PackBits(si, 1, DemodBuffer); si += 1;      \r
        uint32_t por      = PackBits(si, 1, DemodBuffer); si += 1;\r
        uint32_t fw       = PackBits(si, 1, DemodBuffer); si += 1;\r
        uint32_t inv      = PackBits(si, 1, DemodBuffer); si += 1;      \r
        uint32_t por      = PackBits(si, 1, DemodBuffer); si += 1;\r

-               \r
+       \r
+       if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r

        PrintAndLog("");\r
        PrintAndLog("");\r

-       PrintAndLog("-- T55xx Configuration & Tag Information --------------------");\r
+       PrintAndLog("-- T55x7 Configuration & Tag Information --------------------");\r

        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
        PrintAndLog(" reserved                  : %d", resv);\r
        PrintAndLog(" Data bit rate             : %s", GetBitRateStr(dbr));\r
        PrintAndLog(" eXtended mode             : %s", (extend) ? "Yes - Warning":"No");\r
        PrintAndLog(" Modulation                : %s", GetModulationStr(datamod));\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
        PrintAndLog(" reserved                  : %d", resv);\r
        PrintAndLog(" Data bit rate             : %s", GetBitRateStr(dbr));\r
        PrintAndLog(" eXtended mode             : %s", (extend) ? "Yes - Warning":"No");\r
        PrintAndLog(" Modulation                : %s", GetModulationStr(datamod));\r

-       PrintAndLog(" PSK clock freq            : %d", pskcf);\r
+       PrintAndLog(" PSK clock frequency       : %d", pskcf);\r

        PrintAndLog(" AOR - Answer on Request   : %s", (aor) ? "Yes":"No");\r
        PrintAndLog(" OTP - One Time Pad        : %s", (otp) ? "Yes - Warning":"No" );\r
        PrintAndLog(" Max block                 : %d", maxblk);\r
        PrintAndLog(" AOR - Answer on Request   : %s", (aor) ? "Yes":"No");\r
        PrintAndLog(" OTP - One Time Pad        : %s", (otp) ? "Yes - Warning":"No" );\r
        PrintAndLog(" Max block                 : %d", maxblk);\r


@@ -637,7 +1182,7 @@ int CmdT55xxInfo(const char *Cmd){
        PrintAndLog(" POR-Delay                 : %s", (por) ? "Yes":"No");\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Raw Data - Page 0");\r
        PrintAndLog(" POR-Delay                 : %s", (por) ? "Yes":"No");\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Raw Data - Page 0");\r

-       PrintAndLog("     Block 0  : 0x%08X  %s", bl0, sprint_bin(DemodBuffer+5,32) );\r
+       PrintAndLog("     Block 0  : 0x%08X  %s", bl0, sprint_bin(DemodBuffer+config.offset,32) );\r

        PrintAndLog("-------------------------------------------------------------");\r
        \r
        return 0;\r
        PrintAndLog("-------------------------------------------------------------");\r
        \r
        return 0;\r


@@ -645,194 +1190,389 @@ int CmdT55xxInfo(const char *Cmd){
 \r
 int CmdT55xxDump(const char *Cmd){\r
 \r
 \r
 int CmdT55xxDump(const char *Cmd){\r
 \r

-       char s[20] = {0x00};\r
-       uint8_t pwd[4] = {0x00};\r
+       uint32_t password = 0;\r
+       bool override = false;\r
+       char cmdp = param_getchar(Cmd, 0);      \r
+       if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump();\r

 \r
 \r

-       char cmdp = param_getchar(Cmd, 0);\r
-       if ( cmdp == 'h' || cmdp == 'H') {\r
-               usage_t55xx_dump();\r
-               return 0;\r
+       bool usepwd = ( strlen(Cmd) > 0);       \r
+       if ( usepwd ){\r
+               password = param_get32ex(Cmd, 0, 0, 16);\r
+               if (param_getchar(Cmd, 1) =='o' )\r
+                       override = true;\r

        }\r
        }\r

+       \r
+       printT5xxHeader(0);\r
+       for ( uint8_t i = 0; i < 8; ++i)\r
+               T55xxReadBlock(i, 0, usepwd, override, password);\r

 \r
 \r

-       bool hasPwd = ( strlen(Cmd) > 0);       \r
-       if ( hasPwd ){\r
-               if (param_gethex(Cmd, 0, pwd, 8)) {\r
-                       PrintAndLog("password must include 8 HEX symbols");\r
-                       return 1;\r
-               }\r
-       }\r
+       printT5xxHeader(1);\r
+       for ( uint8_t   i = 0; i < 4; i++)\r
+               T55xxReadBlock(i, 1, usepwd, override, password);               \r
+\r
+       return 1;\r
+}\r
+\r
+int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
+       // arg0 bitmodes:\r
+       // bit0 = pwdmode\r
+       // bit1 = page to read from\r
+       uint8_t arg0 = (page<<1) | pwdmode;\r
+       UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r

        \r
        \r

-       for ( int i = 0; i <8; ++i){\r
-               memset(s,0,sizeof(s));\r
-               if ( hasPwd ) {\r
-                       sprintf(s,"%d %02x%02x%02x%02x", i, pwd[0],pwd[1],pwd[2],pwd[3]);\r
-               } else {\r
-                       sprintf(s,"%d", i);\r
-               }\r
-               CmdT55xxReadBlock(s);\r
+       clearCommandBuffer();\r
+       SendCommand(&c);\r
+       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+               PrintAndLog("command execution time out");\r
+               return 0;\r

        }\r
        }\r

-       return 0;\r
+\r
+       uint8_t got[12000];\r
+       GetFromBigBuf(got,sizeof(got),0);\r
+       WaitForResponse(CMD_ACK,NULL);\r
+       setGraphBuf(got, sizeof(got));\r
+       return 1;\r

 }\r
 \r
 char * GetBitRateStr(uint32_t id){\r
 }\r
 \r
 char * GetBitRateStr(uint32_t id){\r

-       static char buf[40];\r
+       static char buf[25];\r
+\r

        char *retStr = buf;\r
                switch (id){\r
        char *retStr = buf;\r
                switch (id){\r

-               case 0: \r
-                       sprintf(retStr,"%d - RF/8",id);\r
-                       break;\r
-               case 1:\r
-                       sprintf(retStr,"%d - RF/16",id);\r
-                       break;\r
-               case 2:         \r
-                       sprintf(retStr,"%d - RF/32",id);\r
-                       break;\r
-               case 3:\r
-                       sprintf(retStr,"%d - RF/40",id);\r
-                       break;\r
-               case 4:\r
-                       sprintf(retStr,"%d - RF/50",id);\r
-                       break;\r
-               case 5:\r
-                       sprintf(retStr,"%d - RF/64",id);\r
-                       break;\r
-               case 6:\r
-                       sprintf(retStr,"%d - RF/100",id);\r
-                       break;\r
-               case 7:\r
-                       sprintf(retStr,"%d - RF/128",id);\r
-                       break;\r
-               default:\r
-                       sprintf(retStr,"%d - (Unknown)",id);\r
-                       break;\r
+               case 0:   snprintf(retStr,sizeof(buf),"%d - RF/8",id);   break;\r
+               case 1:   snprintf(retStr,sizeof(buf),"%d - RF/16",id);  break;\r
+               case 2:   snprintf(retStr,sizeof(buf),"%d - RF/32",id);  break;\r
+               case 3:   snprintf(retStr,sizeof(buf),"%d - RF/40",id);  break;\r
+               case 4:   snprintf(retStr,sizeof(buf),"%d - RF/50",id);  break;\r
+               case 5:   snprintf(retStr,sizeof(buf),"%d - RF/64",id);  break;\r
+               case 6:   snprintf(retStr,sizeof(buf),"%d - RF/100",id); break;\r
+               case 7:   snprintf(retStr,sizeof(buf),"%d - RF/128",id); break;\r
+               default:  snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break;\r

                }\r
                }\r

-\r

        return buf;\r
 }\r
 \r
 char * GetSaferStr(uint32_t id){\r
        return buf;\r
 }\r
 \r
 char * GetSaferStr(uint32_t id){\r

-       static char buf[40];\r
+       static char buf[40];\r

        char *retStr = buf;\r
        \r
        char *retStr = buf;\r
        \r

-       sprintf(retStr,"%d",id);\r
+       snprintf(retStr,sizeof(buf),"%d",id);\r

        if (id == 6) {\r
        if (id == 6) {\r

-               sprintf(retStr,"%d - passwd",id);\r
+               snprintf(retStr,sizeof(buf),"%d - passwd",id);\r

        }\r
        if (id == 9 ){\r
        }\r
        if (id == 9 ){\r

-               sprintf(retStr,"%d - testmode",id);\r
+               snprintf(retStr,sizeof(buf),"%d - testmode",id);\r

        }\r
        \r
        return buf;\r
 }\r
        }\r
        \r
        return buf;\r
 }\r

+\r

 char * GetModulationStr( uint32_t id){\r
 char * GetModulationStr( uint32_t id){\r

-       static char buf[40];\r
+       static char buf[60];\r

        char *retStr = buf;\r
        \r
        switch (id){\r
        char *retStr = buf;\r
        \r
        switch (id){\r

-               case 0: \r
-                       sprintf(retStr,"%d - DIRECT (ASK/NRZ)",id);\r
-                       break;\r
-               case 1:\r
-                       sprintf(retStr,"%d - PSK 1 phase change when input changes",id);\r
-                       break;\r
-               case 2:         \r
-                       sprintf(retStr,"%d - PSK 2 phase change on bitclk if input high",id);\r
-                       break;\r
-               case 3:\r
-                       sprintf(retStr,"%d - PSK 3 phase change on rising edge of input",id);\r
-                       break;\r
-               case 4:\r
-                       sprintf(retStr,"%d - FSK 1 RF/8  RF/5",id);\r
-                       break;\r
-               case 5:\r
-                       sprintf(retStr,"%d - FSK 2 RF/8  RF/10",id);\r
-                       break;\r
-               case 6:\r
-                       sprintf(retStr,"%d - FSK 1a RF/5  RF/8",id);\r
-                       break;\r
-               case 7:\r
-                       sprintf(retStr,"%d - FSK 2a RF/10  RF/8",id);\r
-                       break;\r
-               case 8:\r
-                       sprintf(retStr,"%d - Manschester",id);\r
-                       break;\r
-               case 16:\r
-                       sprintf(retStr,"%d - Biphase",id);\r
-                       break;\r
-               case 17:\r
-                       sprintf(retStr,"%d - Reserved",id);\r
-                       break;\r
-               default:\r
-                       sprintf(retStr,"0x%02X (Unknown)",id);\r
-                       break;\r
+               case 0: snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id); break;\r
+               case 1: snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id); break;\r
+               case 2: snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id); break;\r
+               case 3: snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id); break;\r
+               case 4: snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8  RF/5",id); break;\r
+               case 5: snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8  RF/10",id); break;\r
+               case 6: snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5  RF/8",id); break;\r
+               case 7: snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10  RF/8",id); break;\r
+               case 8: snprintf(retStr,sizeof(buf),"%d - Manchester",id); break;\r
+               case 16: snprintf(retStr,sizeof(buf),"%d - Biphase",id); break;\r
+               case 0x18:snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id); break;\r
+               case 17: snprintf(retStr,sizeof(buf),"%d - Reserved",id); break;\r
+               default: snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id); break;\r

                }\r
        return buf;\r
 }\r
 \r
                }\r
        return buf;\r
 }\r
 \r

+char * GetModelStrFromCID(uint32_t cid){\r
+               \r
+       static char buf[10];\r
+       char *retStr = buf;\r
+       \r
+       if (cid == 1) snprintf(retStr, sizeof(buf),"ATA5577M1");\r
+       if (cid == 2) snprintf(retStr, sizeof(buf),"ATA5577M2");        \r
+       return buf;\r
+}\r
+\r

 char * GetSelectedModulationStr( uint8_t id){\r
 \r
 char * GetSelectedModulationStr( uint8_t id){\r
 \r

-       static char buf[16];\r
+       static char buf[20];\r

        char *retStr = buf;\r
        char *retStr = buf;\r

-       \r
+\r

        switch (id){\r
        switch (id){\r

-               case DEMOD_FSK:\r
-                       sprintf(retStr,"FSK (%d)",id);\r
-                       break;\r
-               case DEMOD_ASK:         \r
-                       sprintf(retStr,"ASK (%d)",id);\r
-                       break;\r
-               case DEMOD_NZR:\r
-                       sprintf(retStr,"DIRECT/NRZ (%d)",id);\r
-                       break;\r
-               case DEMOD_PSK:\r
-                       sprintf(retStr,"PSK (%d)",id);\r
-                       break;\r
-               case DEMOD_BI:\r
-                       sprintf(retStr,"BIPHASE (%d)",id);\r
-                       break;\r
-               default:\r
-                       sprintf(retStr,"(Unknown)");\r
-                       break;\r
+               case DEMOD_FSK: snprintf(retStr,sizeof(buf),"FSK");     break;\r
+               case DEMOD_FSK1: snprintf(retStr,sizeof(buf),"FSK1"); break;\r
+               case DEMOD_FSK1a: snprintf(retStr,sizeof(buf),"FSK1a"); break;\r
+               case DEMOD_FSK2: snprintf(retStr,sizeof(buf),"FSK2"); break;\r
+               case DEMOD_FSK2a: snprintf(retStr,sizeof(buf),"FSK2a"); break;\r
+               case DEMOD_ASK: snprintf(retStr,sizeof(buf),"ASK"); break;\r
+               case DEMOD_NRZ: snprintf(retStr,sizeof(buf),"DIRECT/NRZ"); break;\r
+               case DEMOD_PSK1: snprintf(retStr,sizeof(buf),"PSK1"); break;\r
+               case DEMOD_PSK2: snprintf(retStr,sizeof(buf),"PSK2"); break;\r
+               case DEMOD_PSK3: snprintf(retStr,sizeof(buf),"PSK3"); break;\r
+               case DEMOD_BI: snprintf(retStr,sizeof(buf),"BIPHASE"); break;\r
+               case DEMOD_BIa: snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)"); break;\r
+               default: snprintf(retStr,sizeof(buf),"(Unknown)"); break;\r

                }\r
        return buf;\r
 }\r
 \r
                }\r
        return buf;\r
 }\r
 \r

-uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){\r
+void t55x7_create_config_block( int tagtype ){\r
+\r
+       /*\r
+     T55X7_DEFAULT_CONFIG_BLOCK, T55X7_RAW_CONFIG_BLOCK\r
+     T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK,\r
+        T55X7_FDXB_CONFIG_BLOCK, T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK, T55X7_INDALA_224_CONFIG_BLOCK \r
+        T55X7_GUARDPROXII_CONFIG_BLOCK, T55X7_VIKING_CONFIG_BLOCK,     T55X7_NORALYS_CONFIG_BLOCK, T55X7_IOPROX_CONFIG_BLOCK   \r
+       */\r
+       static char buf[60];\r
+       char *retStr = buf;\r
+       \r
+       switch (tagtype){\r
+               case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
+               case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
+               case 2: snprintf(retStr, sizeof(buf),"%08X - T5555 Q5 Default", T5555_DEFAULT_CONFIG_BLOCK); break;\r
+               default:\r
+                       break;\r
+       }\r
+       PrintAndLog(buf);\r
+}\r
+\r
+int CmdResetRead(const char *Cmd) {\r
+       UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
+\r
+       clearCommandBuffer();\r
+       SendCommand(&c);\r
+       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+               PrintAndLog("command execution time out");\r
+               return 0;\r
+       }\r
+\r
+       uint8_t got[BIGBUF_SIZE-1];\r
+       GetFromBigBuf(got,sizeof(got),0);\r
+       WaitForResponse(CMD_ACK,NULL);\r
+       setGraphBuf(got, sizeof(got));\r
+       return 1;\r
+}\r
+// ADD T5555 (Q5) Default config block\r
+int CmdT55xxWipe(const char *Cmd) {\r
+       char writeData[20] = {0};\r
+       char *ptrData = writeData;\r
+       char cmdp = param_getchar(Cmd, 0);      \r
+       if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wipe();\r
+\r
+       bool Q5 = (cmdp == 'q' || cmdp == 'Q');\r
+\r
+       // Try with the default password to reset block 0\r
+       // With a pwd should work even if pwd bit not set\r
+       PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+               \r
+       if ( Q5 ){\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
+       } else {\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
+       }\r
+       \r
+       if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
+       \r
+       for (uint8_t blk = 1; blk<8; blk++) {\r
+               \r
+               snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
+               \r
+               if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk %d", blk);\r
+               \r
+               memset(writeData,0x00, sizeof(writeData));\r
+       }\r
+       return 0;\r
+}\r
+\r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+       \r
+       // load a default pwd file.\r
+       char buf[9];\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       int     keycnt = 0;\r
+       int ch;\r
+       uint8_t stKeyBlock = 20;\r
+       uint8_t *keyBlock = NULL, *p = NULL;\r
+    uint32_t start_password = 0x00000000; //start password\r
+    uint32_t end_password   = 0xFFFFFFFF; //end   password\r
+    bool found = false;\r
+\r
+    char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       keyBlock = calloc(stKeyBlock, 6);\r
+       if (keyBlock == NULL) return 1;\r
+\r
+       if (cmdp == 'i' || cmdp == 'I') {\r
+       \r
+               int len = strlen(Cmd+2);\r
+               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               memcpy(filename, Cmd+2, len);\r

        \r
        \r

-       int i = start;\r
-       int j = len-1;\r
-       if (len > 32) {\r
+               FILE * f = fopen( filename , "r");\r
+               \r
+               if ( !f ) {\r
+                       PrintAndLog("File: %s: not found or locked.", filename);\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }                       \r
+                       \r
+               while( fgets(buf, sizeof(buf), f) ){\r
+                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
+               \r
+                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
+                       \r
+                       //The line start with # is comment, skip\r
+                       if( buf[0]=='#' ) continue;\r
+\r
+                       if (!isxdigit(buf[0])){\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                               continue;\r
+                       }\r
+                       \r
+                       buf[8] = 0;\r
+\r
+                       if ( stKeyBlock - keycnt < 2) {\r
+                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               if (!p) {\r
+                                       PrintAndLog("Cannot allocate memory for defaultKeys");\r
+                                       free(keyBlock);\r
+                                       fclose(f);\r
+                                       return 2;\r
+                               }\r
+                               keyBlock = p;\r
+                       }\r
+                       memset(keyBlock + 4 * keycnt, 0, 4);\r
+                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
+                       keycnt++;\r
+                       memset(buf, 0, sizeof(buf));\r
+               }               \r
+               fclose(f);\r
+               \r
+               if (keycnt == 0) {\r
+                       PrintAndLog("No keys found in file");\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loaded %d keys", keycnt);\r
+               \r
+               // loop\r
+               uint64_t testpwd = 0x00;\r
+               for (uint16_t c = 0; c < keycnt; ++c ) {\r
+       \r
+                       if (ukbhit()) {\r
+                               ch = getchar();\r
+                               (void)ch;\r
+                               printf("\naborted via keyboard!\n");\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       }\r
+               \r
+                       testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+                       PrintAndLog("Testing %08X", testpwd);\r
+                       \r
+                       \r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       }\r
+                       \r
+                       found = tryDetectModulation();\r
+\r
+                       if ( found ) {\r
+                               PrintAndLog("Found valid password: [%08X]", testpwd);\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       } \r
+               }\r
+               PrintAndLog("Password NOT found.");\r
+               free(keyBlock);\r

                return 0;\r
        }\r
                return 0;\r
        }\r

-       uint32_t tmp = 0;\r
-       for (; j >= 0; --j, ++i){\r
-               tmp     |= bits[i] << j;\r
-       }\r
-       return tmp;\r
-}\r
-\r
-static command_t CommandTable[] =\r
-{\r
-  {"help",   CmdHelp,           1, "This help"},\r
-  {"config", CmdT55xxSetConfig, 1, "Set T55XX config for modulation, inversed data"},\r
-  {"detect", CmdT55xxDetect,    0, "Try detecting the tag modulation from reading the configuration block."},\r
-  {"read",   CmdT55xxReadBlock, 0, "<block> [password] -- Read T55xx block data (page 0) [optional password]"},\r
-  {"write",  CmdT55xxWriteBlock,0, "<block> <data> [password] -- Write T55xx block data (page 0) [optional password]"},\r
-  {"trace",  CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},\r
-  {"info",   CmdT55xxInfo,      0, "[1] Show T55xx configuration data (page 0/ blk 0)"},\r
-  {"dump",   CmdT55xxDump,      0, "[password] Dump T55xx card block 0-7. [optional password]"},\r
-  {"special", special,           0, "Shows how a datablock changes with 32 different offsets"},\r
-  {NULL, NULL, 0, NULL}\r
+       \r
+       // Try to read Block 7, first :)\r
+       \r
+       // incremental pwd range search\r
+    start_password = param_get32ex(Cmd, 0, 0, 16);\r
+       end_password = param_get32ex(Cmd, 1, 0, 16);\r
+       \r
+       if ( start_password >= end_password ) {\r
+               free(keyBlock);\r
+               return usage_t55xx_bruteforce();\r
+       }\r
+       \r
+    PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+       \r
+    uint32_t i = start_password;\r
+\r
+    while ((!found) && (i <= end_password)){\r
+\r
+               printf(".");\r
+               fflush(stdout);\r
+               if (ukbhit()) {\r
+                       ch = getchar();\r
+                       (void)ch;\r
+                       printf("\naborted via keyboard!\n");\r
+                       free(keyBlock);\r
+                       return 0;\r
+               }\r
+                       \r
+               if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+                       PrintAndLog("Aquireing data from device failed. Quitting");\r
+                       free(keyBlock);\r
+                       return 0;\r
+               }\r
+               found = tryDetectModulation();\r
+        \r
+               if (found) break;\r
+               i++;\r
+    }\r
+    \r
+    PrintAndLog("");\r
+       \r
+    if (found)\r
+               PrintAndLog("Found valid password: [%08x]", i);\r
+    else\r
+               PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+       free(keyBlock);\r
+    return 0;\r
+}\r
+\r
+static command_t CommandTable[] = {\r
+       {"help",                CmdHelp,           1, "This help"},\r
+       {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+       {"config",              CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+       {"detect",              CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+       {"dump",                CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+       {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+       {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+       {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+       {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
+       {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+       {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
+       {"wipe",                CmdT55xxWipe,      0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+       {"write",               CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+       {NULL, NULL, 0, NULL}\r

 };\r
 \r
 };\r
 \r

-int CmdLFT55XX(const char *Cmd)\r
-{\r
-  CmdsParse(CommandTable, Cmd);\r
-  return 0;\r
+int CmdLFT55XX(const char *Cmd) {\r
+       clearCommandBuffer();\r
+       CmdsParse(CommandTable, Cmd);\r
+       return 0;\r

 }\r
 \r
 }\r
 \r

-int CmdHelp(const char *Cmd)\r
-{\r
-  CmdsHelp(CommandTable);\r
-  return 0;\r
+int CmdHelp(const char *Cmd) {\r
+       CmdsHelp(CommandTable);\r
+       return 0;\r

 }\r
 }\r