ADD: `analyse nuid` - generates NUID 4byte from a UID 7byte. Mifare Classic Ev1...

[proxmark3-svn] / client / cmdlft55xx.c
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c

index fc76e8983bc4ae195ec34d9fdf539b3912ee1c70..5b650b30d27ffe64370e860b33c62978580de092 100644 (file)
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -6,31 +6,7 @@
  //-----------------------------------------------------------------------------\r
  // Low frequency T55xx commands\r
  //-----------------------------------------------------------------------------\r
  //-----------------------------------------------------------------------------\r
  // Low frequency T55xx commands\r
  //-----------------------------------------------------------------------------\r
-\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <inttypes.h>\r
-#include <time.h>\r
-#include "proxmark3.h"\r
-#include "ui.h"\r
-#include "graph.h"\r
-#include "cmdmain.h"\r
-#include "cmdparser.h"\r
-#include "cmddata.h"\r
-#include "cmdlf.h"\r
  #include "cmdlft55xx.h"\r
  #include "cmdlft55xx.h"\r
-#include "util.h"\r
-#include "data.h"\r
-#include "lfdemod.h"\r
-#include "../common/crc.h"\r
-#include "../common/iso14443crc.h"\r
-#include "cmdhf14a.h"\r
-\r
-#define T55x7_CONFIGURATION_BLOCK 0x00\r
-#define T55x7_PAGE0 0x00\r
-#define T55x7_PAGE1 0x01\r
-#define T55x7_PWD      0x00000010\r
-#define REGULAR_READ_MODE_BLOCK 0xFF\r
  \r
  // Default configuration\r
  t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
  \r
  // Default configuration\r
  t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
@@ -45,12 +21,13 @@ void Set_t55xx_Config(t55xx_conf_block_t conf){
  int usage_t55xx_config(){\r
         PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
         PrintAndLog("Options:");\r
  int usage_t55xx_config(){\r
         PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("       h                        This help");\r
-       PrintAndLog("       b <8|16|32|40|50|64|100|128>     Set bitrate");\r
-       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
-       PrintAndLog("       i [1]                            Invert data signal, defaults to normal");\r
-       PrintAndLog("       o [offset]                       Set offset, where data should start decode in bitstream");\r
-       PrintAndLog("       Q5                            Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       h                                - This help");\r
+       PrintAndLog("       b <8|16|32|40|50|64|100|128>     - Set bitrate");\r
+       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  - Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
+       PrintAndLog("       i [1]                            - Invert data signal, defaults to normal");\r
+       PrintAndLog("       o [offset]                       - Set offset, where data should start decode in bitstream");\r
+       PrintAndLog("       Q5                               - Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       ST                               - Set Sequence Terminator on");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
@@ -94,7 +71,7 @@ int usage_t55xx_write(){
  int usage_t55xx_trace() {\r
         PrintAndLog("Usage:  lf t55xx trace [1]");\r
         PrintAndLog("Options:");\r
  int usage_t55xx_trace() {\r
         PrintAndLog("Usage:  lf t55xx trace [1]");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx trace");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx trace");\r
@@ -105,7 +82,7 @@ int usage_t55xx_trace() {
  int usage_t55xx_info() {\r
         PrintAndLog("Usage:  lf t55xx info [1]");\r
         PrintAndLog("Options:");\r
  int usage_t55xx_info() {\r
         PrintAndLog("Usage:  lf t55xx info [1]");\r
         PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx info");\r
         PrintAndLog("");\r
         PrintAndLog("Examples:");\r
         PrintAndLog("      lf t55xx info");\r
@@ -152,7 +129,8 @@ int usage_t55xx_wakup(){
  int usage_t55xx_bruteforce(){\r
         PrintAndLog("This command uses A) bruteforce to scan a number range");\r
         PrintAndLog("                  B) a dictionary attack");\r
  int usage_t55xx_bruteforce(){\r
         PrintAndLog("This command uses A) bruteforce to scan a number range");\r
         PrintAndLog("                  B) a dictionary attack");\r
-    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");\r
+       PrintAndLog("press 'enter' to cancel the command");\r
+    PrintAndLog("Usage: lf t55xx bruteforce [h] <start password> <end password> [i <*.dic>]");\r
      PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
         PrintAndLog("Options:");\r
         PrintAndLog("     h                     - this help");\r
      PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
         PrintAndLog("Options:");\r
         PrintAndLog("     h                     - this help");\r
@@ -166,13 +144,40 @@ int usage_t55xx_bruteforce(){
      PrintAndLog("");\r
      return 0;\r
  }\r
      PrintAndLog("");\r
      return 0;\r
  }\r
-\r
+int usage_t55xx_recoverpw(){\r
+       PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+       PrintAndLog("press 'enter' to cancel the command");\r
+       PrintAndLog("WARNING: this may brick non-password protected chips!");\r
+       PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
+       PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("       default password is 51243648, used by many cloners");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h           - this help");\r
+       PrintAndLog("     [password]  - 4 byte hex value of password written by cloner");\r
+       PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+       PrintAndLog("       lf t55xx recoverpw");\r
+       PrintAndLog("       lf t55xx recoverpw 51243648");\r
+       PrintAndLog("");\r
+       return 0;\r
+}int usage_t55xx_wipe(){\r
+       PrintAndLog("Usage:  lf t55xx wipe [h] [Q5]");\r
+       PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h     - this help");\r
+       PrintAndLog("     Q5  - indicates to use the T5555 (Q5) default configuration block");\r
+    PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+    PrintAndLog("      lf t55xx wipe   -  wipes a t55x7 tag,    config block 0x000880E0");\r
+       PrintAndLog("      lf t55xx wipe Q5 -  wipes a t5555 Q5 tag, config block 0x6001F004");\r
+       return 0;\r
+}\r
  static int CmdHelp(const char *Cmd);\r
  \r
  void printT5xxHeader(uint8_t page){\r
         PrintAndLog("Reading Page %d:", page);  \r
  static int CmdHelp(const char *Cmd);\r
  \r
  void printT5xxHeader(uint8_t page){\r
         PrintAndLog("Reading Page %d:", page);  \r
-       PrintAndLog("blk | hex data | binary");\r
-       PrintAndLog("----+----------+---------------------------------");       \r
+       PrintAndLog("blk | hex data | binary                           | ascii");\r
+       PrintAndLog("----+----------+----------------------------------+-------");      \r
  }\r
  \r
  int CmdT55xxSetConfig(const char *Cmd) {\r
  }\r
  \r
  int CmdT55xxSetConfig(const char *Cmd) {\r
@@ -260,6 +265,11 @@ int CmdT55xxSetConfig(const char *Cmd) {
                         config.Q5 = TRUE;\r
                         cmdp++;\r
                         break;\r
                         config.Q5 = TRUE;\r
                         cmdp++;\r
                         break;\r
+               case 'S':\r
+               case 's':               \r
+                       config.ST = TRUE;\r
+                       cmdp++;\r
+                       break;\r
                 default:\r
                         PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                         errors = TRUE;\r
                 default:\r
                         PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                         errors = TRUE;\r
@@ -362,6 +372,7 @@ bool DecodeT55xxBlock(){
         char buf[30] = {0x00};\r
         char *cmdStr = buf;\r
         int ans = 0;\r
         char buf[30] = {0x00};\r
         char *cmdStr = buf;\r
         int ans = 0;\r
+       bool ST = config.ST;\r
         uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
         DemodBufferLen = 0x00;\r
  \r
         uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
         DemodBufferLen = 0x00;\r
  \r
@@ -382,7 +393,7 @@ bool DecodeT55xxBlock(){
                         break;\r
                 case DEMOD_ASK:\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
                         break;\r
                 case DEMOD_ASK:\r
                         snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
-                       ans = ASKDemod(cmdStr, FALSE, FALSE, 1);\r
+                       ans = ASKDemod_ext(cmdStr, FALSE, FALSE, 1, &ST);\r
                         break;\r
                 case DEMOD_PSK1:\r
                         // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                         break;\r
                 case DEMOD_PSK1:\r
                         // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
@@ -426,6 +437,14 @@ bool DecodeT5555TraceBlock() {
         return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1);\r
  }\r
  \r
         return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1);\r
  }\r
  \r
+// sanity check. Don't use proxmark if it is offline and you didn't specify useGraphbuf\r
+static int SanityOfflineCheck( bool useGraphBuffer ){\r
+       if ( !useGraphBuffer && offline) {\r
+               PrintAndLog("Your proxmark3 device is offline. Specify [1] to use graphbuffer data instead");\r
+               return 0;\r
+       }\r
+       return 1;\r
+}\r
  \r
  int CmdT55xxDetect(const char *Cmd){\r
         bool errors = FALSE;\r
  \r
  int CmdT55xxDetect(const char *Cmd){\r
         bool errors = FALSE;\r
@@ -458,15 +477,18 @@ int CmdT55xxDetect(const char *Cmd){
         }\r
         if (errors) return usage_t55xx_detect();\r
         \r
         }\r
         if (errors) return usage_t55xx_detect();\r
         \r
+       // sanity check.\r
+       if (!SanityOfflineCheck(useGB)) return 1;\r
+       \r
         if ( !useGB) {\r
                 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
         if ( !useGB) {\r
                 if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
-                       return 0;\r
+                       return 1;\r
         }\r
         \r
         if ( !tryDetectModulation() )\r
                 PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
  \r
         }\r
         \r
         if ( !tryDetectModulation() )\r
                 PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
  \r
-       return 1;\r
+       return 0;\r
  }\r
  \r
  // detect configuration?\r
  }\r
  \r
  // detect configuration?\r
@@ -487,6 +509,7 @@ bool tryDetectModulation(){
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = FALSE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = FALSE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r
                         ++hits;\r
                 }\r
                 if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                         ++hits;\r
                 }\r
                 if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -498,19 +521,32 @@ bool tryDetectModulation(){
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = TRUE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                         tests[hits].bitrate = bitRate;\r
                         tests[hits].inverted = TRUE;\r
                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r
                         ++hits;\r
                 }\r
         } else {\r
                 clk = GetAskClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
                         ++hits;\r
                 }\r
         } else {\r
                 clk = GetAskClock("", FALSE, FALSE);\r
                 if (clk>0) {\r
-                       if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert false, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
+                       if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 ++hits;\r
                         }\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 ++hits;\r
                         }\r
-                       if ( ASKDemod("0 1 1", FALSE, FALSE, 1)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert true, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
+                       if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].modulation = DEMOD_ASK;\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
@@ -522,6 +558,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                         if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
                                 ++hits;\r
                         }\r
                         if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
@@ -529,6 +566,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                 }\r
                                 ++hits;\r
                         }\r
                 }\r
@@ -541,6 +579,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
  \r
                                 ++hits;\r
                         }\r
  \r
@@ -549,6 +588,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                 }\r
                                 ++hits;\r
                         }\r
                 }\r
@@ -564,6 +604,7 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = FALSE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                         if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                 ++hits;\r
                         }\r
                         if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -571,8 +612,10 @@ bool tryDetectModulation(){
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                 tests[hits].bitrate = bitRate;\r
                                 tests[hits].inverted = TRUE;\r
                                 tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                 ++hits;\r
                         }\r
                                 ++hits;\r
                         }\r
+                       //ICEMAN: are these PSKDemod calls needed?\r
                         // PSK2 - needs a call to psk1TOpsk2.\r
                         if ( PSKDemod("0 0 6", FALSE)) {\r
                                 psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
                         // PSK2 - needs a call to psk1TOpsk2.\r
                         if ( PSKDemod("0 0 6", FALSE)) {\r
                                 psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
@@ -581,6 +624,7 @@ bool tryDetectModulation(){
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
@@ -592,6 +636,7 @@ bool tryDetectModulation(){
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                         tests[hits].bitrate = bitRate;\r
                                         tests[hits].inverted = FALSE;\r
                                         tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
                                         ++hits;\r
                                 }\r
                         } // inverse waves does not affect this demod\r
@@ -606,17 +651,51 @@ bool tryDetectModulation(){
                 config.offset = tests[0].offset;\r
                 config.block0 = tests[0].block0;\r
                 config.Q5 = tests[0].Q5;\r
                 config.offset = tests[0].offset;\r
                 config.block0 = tests[0].block0;\r
                 config.Q5 = tests[0].Q5;\r
+               config.ST = tests[0].ST;\r
                 printConfiguration( config );\r
                 return TRUE;\r
         }\r
         \r
                 printConfiguration( config );\r
                 return TRUE;\r
         }\r
         \r
+       bool retval = FALSE;\r
         if ( hits > 1) {\r
                 PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
                 for(int i=0; i<hits; ++i){\r
         if ( hits > 1) {\r
                 PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
                 for(int i=0; i<hits; ++i){\r
-                       PrintAndLog("--[%d]---------------", i+1);\r
+                       retval = testKnownConfigBlock(tests[i].block0);\r
+                       if ( retval ) {                         \r
+                               PrintAndLog("--[%d]--------------- << selected this", i+1);\r
+                               config.modulation = tests[i].modulation;\r
+                               config.bitrate = tests[i].bitrate;\r
+                               config.inverted = tests[i].inverted;\r
+                               config.offset = tests[i].offset;\r
+                               config.block0 = tests[i].block0;\r
+                               config.Q5 = tests[i].Q5;\r
+                               config.ST = tests[i].ST;\r
+                       } else {\r
+                               PrintAndLog("--[%d]---------------", i+1);\r
+                       }\r
                         printConfiguration( tests[i] );\r
                 }\r
         }\r
                         printConfiguration( tests[i] );\r
                 }\r
         }\r
+       return retval;\r
+}\r
+\r
+bool testKnownConfigBlock(uint32_t block0) {\r
+       switch(block0){\r
+               case T55X7_DEFAULT_CONFIG_BLOCK:\r
+               case T55X7_RAW_CONFIG_BLOCK:\r
+               case T55X7_EM_UNIQUE_CONFIG_BLOCK:\r
+               case T55X7_FDXB_CONFIG_BLOCK:\r
+               case T55X7_HID_26_CONFIG_BLOCK:\r
+               case T55X7_PYRAMID_CONFIG_BLOCK:\r
+               case T55X7_INDALA_64_CONFIG_BLOCK:\r
+               case T55X7_INDALA_224_CONFIG_BLOCK:\r
+               case T55X7_GUARDPROXII_CONFIG_BLOCK:\r
+               case T55X7_VIKING_CONFIG_BLOCK:\r
+               case T55X7_NORALYS_CONFIG_BLOCK:\r
+               case T55X7_IOPROX_CONFIG_BLOCK:\r
+               case T55X7_PRESCO_CONFIG_BLOCK:\r
+                       return TRUE;\r
+       }\r
         return FALSE;\r
  }\r
  \r
         return FALSE;\r
  }\r
  \r
@@ -758,14 +837,14 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5)
                 uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
                 uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
                 //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
                 uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
                 uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
                 //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
-               uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
-               uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
+               //uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
+               //uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
                 \r
                 //if extended mode\r
                 bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
  \r
                 if (!extMode){\r
                 \r
                 //if extended mode\r
                 bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
  \r
                 if (!extMode){\r
-                       if (nml01 || nml02 || xtRate) continue;\r
+                       if (xtRate) continue;  //nml01 || nml02 ||  caused issues on noralys tags\r
                 }\r
                 //test modulation\r
                 if (!testModulation(mode, modread)) continue;\r
                 }\r
                 //test modulation\r
                 if (!testModulation(mode, modread)) continue;\r
@@ -800,16 +879,18 @@ void printT55xxBlock(const char *blockNum){
                 bits[i - config.offset] = DemodBuffer[i];\r
  \r
         blockData = PackBits(0, 32, bits);\r
                 bits[i - config.offset] = DemodBuffer[i];\r
  \r
         blockData = PackBits(0, 32, bits);\r
+       uint8_t bytes[4] = {0};\r
+       num_to_bytes(blockData, 4, bytes);\r
  \r
  \r
-       PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));\r
+       PrintAndLog(" %s | %08X | %s | %s", blockNum, blockData, sprint_bin(bits,32), sprint_ascii(bytes,4));\r
  }\r
  \r
  int special(const char *Cmd) {\r
         uint32_t blockData = 0;\r
         uint8_t bits[32] = {0x00};\r
  \r
  }\r
  \r
  int special(const char *Cmd) {\r
         uint32_t blockData = 0;\r
         uint8_t bits[32] = {0x00};\r
  \r
-       PrintAndLog("OFFSET | DATA  | BINARY");\r
-       PrintAndLog("----------------------------------------------------");\r
+       PrintAndLog("OFFSET | DATA  | BINARY                              | ASCII");\r
+       PrintAndLog("-------+-------+-------------------------------------+------");\r
         int i,j = 0;\r
         for (; j < 64; ++j){\r
                 \r
         int i,j = 0;\r
         for (; j < 64; ++j){\r
                 \r
@@ -829,6 +910,7 @@ int printConfiguration( t55xx_conf_block_t b){
         PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
         PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r
         PrintAndLog("Offset     : %d", b.offset);\r
         PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
         PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r
         PrintAndLog("Offset     : %d", b.offset);\r
+       PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" );\r
         PrintAndLog("Block0     : 0x%08X", b.block0);\r
         PrintAndLog("");\r
         return 0;\r
         PrintAndLog("Block0     : 0x%08X", b.block0);\r
         PrintAndLog("");\r
         return 0;\r
@@ -928,7 +1010,7 @@ int CmdT55xxWriteBlock(const char *Cmd) {
         }\r
         clearCommandBuffer();\r
         SendCommand(&c);\r
         }\r
         clearCommandBuffer();\r
         SendCommand(&c);\r
-       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)){\r
                 PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
                 return 0;\r
         }\r
                 PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
                 return 0;\r
         }\r
@@ -941,18 +1023,21 @@ int CmdT55xxReadTrace(const char *Cmd) {
         uint32_t password = 0;  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
  \r
         uint32_t password = 0;  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
  \r
-       if (strlen(Cmd)==0)\r
+       if (strlen(Cmd)==0) {\r
+               // sanity check.\r
+               if (!SanityOfflineCheck(FALSE)) return 1;\r
+\r
                 if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
                 if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
-                       return 0;\r
+                       return 1;\r
+       }\r
  \r
         if ( config.Q5 ){\r
  \r
         if ( config.Q5 ){\r
-               if (!DecodeT5555TraceBlock()) return 0;\r
-       }\r
-       else {\r
-               if (!DecodeT55xxBlock()) return 0;\r
+               if (!DecodeT5555TraceBlock()) return 1;\r
+       } else {\r
+               if (!DecodeT55xxBlock()) return 1;\r
         }\r
         \r
         }\r
         \r
-       if ( !DemodBufferLen ) return 0;\r
+       if ( !DemodBufferLen ) return 1;\r
         \r
         RepaintGraphWindow();\r
         uint8_t repeat = (config.offset > 5) ? 32 : 0;\r
         \r
         RepaintGraphWindow();\r
         uint8_t repeat = (config.offset > 5) ? 32 : 0;\r
@@ -966,7 +1051,7 @@ int CmdT55xxReadTrace(const char *Cmd) {
      \r
                 if (hdr != 0x1FF) {\r
                   PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);\r
      \r
                 if (hdr != 0x1FF) {\r
                   PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);\r
-                 return 0;\r
+                 return 1;\r
                 }\r
      \r
                 t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};\r
                 }\r
      \r
                 t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};\r
@@ -1000,12 +1085,12 @@ int CmdT55xxReadTrace(const char *Cmd) {
                 \r
         } else {\r
         \r
                 \r
         } else {\r
         \r
-               t55xx_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0,  .lotid = 0, .wafer = 0, .dw = 0};\r
+               t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0,  .lotid = 0, .wafer = 0, .dw = 0};\r
                 \r
                 data.acl = PackBits(si, 8,  DemodBuffer); si += 8;\r
                 if ( data.acl != 0xE0 ) {\r
                         PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
                 \r
                 data.acl = PackBits(si, 8,  DemodBuffer); si += 8;\r
                 if ( data.acl != 0xE0 ) {\r
                         PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
-                       return 0;\r
+                       return 1;\r
                 }\r
  \r
                 data.mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
                 }\r
  \r
                 data.mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
@@ -1024,14 +1109,13 @@ int CmdT55xxReadTrace(const char *Cmd) {
                 else\r
                         data.year += 2010;\r
  \r
                 else\r
                         data.year += 2010;\r
  \r
-               \r
-               printT55xxTrace(data, repeat);\r
+               printT55x7Trace(data, repeat);\r
         }\r
         return 0;\r
  }\r
  \r
         }\r
         return 0;\r
  }\r
  \r
-void printT55xxTrace( t55xx_tracedata_t data, uint8_t repeat ){\r
-       PrintAndLog("-- T55xx Trace Information ----------------------------------");\r
+void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T55x7 Trace Information ----------------------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", data.acl, data.acl);\r
         PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", data.acl, data.acl);\r
         PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));\r
@@ -1065,6 +1149,7 @@ void printT55xxTrace( t55xx_tracedata_t data, uint8_t repeat ){
                 18-32   DW,  die number sequential\r
         */\r
  }\r
                 18-32   DW,  die number sequential\r
         */\r
  }\r
+\r
  void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){\r
         PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
  void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){\r
         PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
@@ -1092,6 +1177,7 @@ void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){
         */\r
  }\r
  \r
         */\r
  }\r
  \r
+//need to add Q5 info...\r
  int CmdT55xxInfo(const char *Cmd){\r
         /*\r
                 Page 0 Block 0 Configuration data.\r
  int CmdT55xxInfo(const char *Cmd){\r
         /*\r
                 Page 0 Block 0 Configuration data.\r
@@ -1104,9 +1190,13 @@ int CmdT55xxInfo(const char *Cmd){
  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
         \r
  \r
         if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
         \r
-       if (strlen(Cmd)==0)\r
+       if (strlen(Cmd)==0){\r
+                               // sanity check.\r
+               if (!SanityOfflineCheck(FALSE)) return 1;\r
+               \r
                 if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
                         return 1;\r
                 if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
                         return 1;\r
+       }\r
  \r
         if (!DecodeT55xxBlock()) return 1;\r
  \r
  \r
         if (!DecodeT55xxBlock()) return 1;\r
  \r
@@ -1135,7 +1225,7 @@ int CmdT55xxInfo(const char *Cmd){
         \r
         if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r
         PrintAndLog("");\r
         \r
         if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r
         PrintAndLog("");\r
-       PrintAndLog("-- T55xx Configuration & Tag Information --------------------");\r
+       PrintAndLog("-- T55x7 Configuration & Tag Information --------------------");\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
         PrintAndLog(" reserved                  : %d", resv);\r
         PrintAndLog("-------------------------------------------------------------");\r
         PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
         PrintAndLog(" reserved                  : %d", resv);\r
@@ -1186,21 +1276,26 @@ int CmdT55xxDump(const char *Cmd){
  \r
  int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
         // arg0 bitmodes:\r
  \r
  int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
         // arg0 bitmodes:\r
-       // bit0 = pwdmode\r
-       // bit1 = page to read from\r
+       //      bit0 = pwdmode\r
+       //      bit1 = page to read from\r
+       // arg1: which block to read\r
+       // arg2: password\r
         uint8_t arg0 = (page<<1) | pwdmode;\r
         UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
         uint8_t arg0 = (page<<1) | pwdmode;\r
         UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
-       \r
         clearCommandBuffer();\r
         SendCommand(&c);\r
         clearCommandBuffer();\r
         SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
                 PrintAndLog("command execution time out");\r
                 return 0;\r
         }\r
  \r
                 PrintAndLog("command execution time out");\r
                 return 0;\r
         }\r
  \r
-       uint8_t got[12000];\r
-       GetFromBigBuf(got,sizeof(got),0);\r
-       WaitForResponse(CMD_ACK,NULL);\r
+       //uint8_t got[12288];\r
+       uint8_t got[7679];\r
+       GetFromBigBuf(got, sizeof(got), 0);\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {\r
+               PrintAndLog("command execution time out");\r
+               return 0;\r
+       }\r
         setGraphBuf(got, sizeof(got));\r
         return 1;\r
  }\r
         setGraphBuf(got, sizeof(got));\r
         return 1;\r
  }\r
@@ -1307,7 +1402,7 @@ void t55x7_create_config_block( int tagtype ){
         switch (tagtype){\r
                 case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
                 case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
         switch (tagtype){\r
                 case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
                 case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
-               //case 2: snprintf(retStr, sizeof(buf),"%08X - Q5 Default", Q5_DEFAULT_CONFIG_BLOCK); break;\r
+               case 2: snprintf(retStr, sizeof(buf),"%08X - T5555 Q5 Default", T5555_DEFAULT_CONFIG_BLOCK); break;\r
                 default:\r
                         break;\r
         }\r
                 default:\r
                         break;\r
         }\r
@@ -1316,10 +1411,9 @@ void t55x7_create_config_block( int tagtype ){
  \r
  int CmdResetRead(const char *Cmd) {\r
         UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
  \r
  int CmdResetRead(const char *Cmd) {\r
         UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
-\r
         clearCommandBuffer();\r
         SendCommand(&c);\r
         clearCommandBuffer();\r
         SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
                 PrintAndLog("command execution time out");\r
                 return 0;\r
         }\r
                 PrintAndLog("command execution time out");\r
                 return 0;\r
         }\r
@@ -1334,44 +1428,62 @@ int CmdResetRead(const char *Cmd) {
  int CmdT55xxWipe(const char *Cmd) {\r
         char writeData[20] = {0};\r
         char *ptrData = writeData;\r
  int CmdT55xxWipe(const char *Cmd) {\r
         char writeData[20] = {0};\r
         char *ptrData = writeData;\r
-       \r
+       char cmdp = param_getchar(Cmd, 0);      \r
+       if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wipe();\r
+\r
+       bool Q5 = (cmdp == 'q' || cmdp == 'Q');\r
+\r
+       // Try with the default password to reset block 0\r
+       // With a pwd should work even if pwd bit not set\r
         PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
         PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+               \r
+       if ( Q5 )\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
+       else\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
         \r
         \r
-       //try with the default password to reset block 0  (with a pwd should work even if pwd bit not set)\r
-       snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
-       \r
-       if (!CmdT55xxWriteBlock(ptrData))\r
-               PrintAndLog("Error writing blk 0");\r
+       if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
         \r
         for (uint8_t blk = 1; blk<8; blk++) {\r
                 \r
                 snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
                 \r
         \r
         for (uint8_t blk = 1; blk<8; blk++) {\r
                 \r
                 snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
                 \r
-               if (!CmdT55xxWriteBlock(ptrData)) \r
-                       PrintAndLog("Error writing blk %d", blk);\r
+               if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk %d", blk);\r
                 \r
                 memset(writeData,0x00, sizeof(writeData));\r
         }\r
         return 0;\r
  }\r
  \r
                 \r
                 memset(writeData,0x00, sizeof(writeData));\r
         }\r
         return 0;\r
  }\r
  \r
+bool IsCancelled(void) {\r
+       if (ukbhit()) {\r
+               int ch = getchar();\r
+               (void)ch;\r
+               printf("\naborted via keyboard!\n");\r
+               return TRUE;\r
+       }\r
+       return FALSE;\r
+}\r
+\r
  int CmdT55xxBruteForce(const char *Cmd) {\r
         \r
         // load a default pwd file.\r
  int CmdT55xxBruteForce(const char *Cmd) {\r
         \r
         // load a default pwd file.\r
-       char buf[9];\r
+       char line[9];\r
         char filename[FILE_PATH_SIZE]={0};\r
         int     keycnt = 0;\r
         uint8_t stKeyBlock = 20;\r
         char filename[FILE_PATH_SIZE]={0};\r
         int     keycnt = 0;\r
         uint8_t stKeyBlock = 20;\r
-       uint8_t *keyBlock = NULL, *p;\r
-       keyBlock = calloc(stKeyBlock, 6);\r
-       if (keyBlock == NULL) return 1;\r
-       \r
+       uint8_t *keyBlock = NULL, *p = NULL;\r
      uint32_t start_password = 0x00000000; //start password\r
      uint32_t end_password   = 0xFFFFFFFF; //end   password\r
      bool found = false;\r
  \r
      uint32_t start_password = 0x00000000; //start password\r
      uint32_t end_password   = 0xFFFFFFFF; //end   password\r
      bool found = false;\r
  \r
+       memset(line, 0, sizeof(line));\r
+       \r
      char cmdp = param_getchar(Cmd, 0);\r
      char cmdp = param_getchar(Cmd, 0);\r
-    if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       keyBlock = calloc(stKeyBlock, 4);\r
+       if (keyBlock == NULL) return 1;\r
  \r
         if (cmdp == 'i' || cmdp == 'I') {\r
         \r
  \r
         if (cmdp == 'i' || cmdp == 'I') {\r
         \r
@@ -1379,48 +1491,56 @@ int CmdT55xxBruteForce(const char *Cmd) {
                 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
                 memcpy(filename, Cmd+2, len);\r
         \r
                 if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
                 memcpy(filename, Cmd+2, len);\r
         \r
-               FILE * f = fopen( filename , "r");\r
-               \r
+               FILE * f = fopen( filename , "r");              \r
                 if ( !f ) {\r
                         PrintAndLog("File: %s: not found or locked.", filename);\r
                         free(keyBlock);\r
                         return 1;\r
                 }                       \r
                 if ( !f ) {\r
                         PrintAndLog("File: %s: not found or locked.", filename);\r
                         free(keyBlock);\r
                         return 1;\r
                 }                       \r
-                       \r
-               while( fgets(buf, sizeof(buf), f) ){\r
-                       if (strlen(buf) < 8 || buf[7] == '\n') continue;\r
                 \r
                 \r
-                       while (fgetc(f) != '\n' && !feof(f)) ;  //goto next line\r
-                       \r
+               while( fgets(line, sizeof(line), f) ){\r
+                       if (strlen(line) < 8 || line[7] == '\n') continue;\r
+               \r
+                       //goto next line\r
+                       while (fgetc(f) != '\n' && !feof(f)) ;\r
+               \r
                         //The line start with # is comment, skip\r
                         //The line start with # is comment, skip\r
-                       if( buf[0]=='#' ) continue;\r
+                       if( line[0]=='#' ) continue;\r
  \r
  \r
-                       if (!isxdigit(buf[0])){\r
-                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);\r
+                       if (!isxdigit(line[0])) {\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", line);\r
                                 continue;\r
                         }\r
                         \r
                                 continue;\r
                         }\r
                         \r
-                       buf[8] = 0;\r
-\r
+                       line[8] = 0;            \r
+                       \r
+                       // realloc keyblock array size.\r
                         if ( stKeyBlock - keycnt < 2) {\r
                         if ( stKeyBlock - keycnt < 2) {\r
-                               p = realloc(keyBlock, 6*(stKeyBlock+=10));\r
+                               p = realloc(keyBlock, 4 * (stKeyBlock += 10));\r
                                 if (!p) {\r
                                         PrintAndLog("Cannot allocate memory for defaultKeys");\r
                                         free(keyBlock);\r
                                 if (!p) {\r
                                         PrintAndLog("Cannot allocate memory for defaultKeys");\r
                                         free(keyBlock);\r
+                                       if (f)\r
+                                               fclose(f);\r
                                         return 2;\r
                                 }\r
                                 keyBlock = p;\r
                         }\r
                                         return 2;\r
                                 }\r
                                 keyBlock = p;\r
                         }\r
+                       // clear mem\r
                         memset(keyBlock + 4 * keycnt, 0, 4);\r
                         memset(keyBlock + 4 * keycnt, 0, 4);\r
-                       num_to_bytes(strtoll(buf, NULL, 16), 4, keyBlock + 4*keycnt);\r
-                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4*keycnt, 4));\r
-                       keycnt++;\r
-                       memset(buf, 0, sizeof(buf));\r
+                       \r
+                       num_to_bytes( strtoll(line, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       \r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4 * keycnt, 4) );                       \r
+                       keycnt++;                       \r
+                       memset(line, 0, sizeof(line));\r
                 }               \r
                 }               \r
-               fclose(f);\r
+               if (f)\r
+                       fclose(f);\r
                 \r
                 if (keycnt == 0) {\r
                         PrintAndLog("No keys found in file");\r
                 \r
                 if (keycnt == 0) {\r
                         PrintAndLog("No keys found in file");\r
+                       free(keyBlock);\r
                         return 1;\r
                 }\r
                 PrintAndLog("Loaded %d keys", keycnt);\r
                         return 1;\r
                 }\r
                 PrintAndLog("Loaded %d keys", keycnt);\r
@@ -1428,31 +1548,37 @@ int CmdT55xxBruteForce(const char *Cmd) {
                 // loop\r
                 uint64_t testpwd = 0x00;\r
                 for (uint16_t c = 0; c < keycnt; ++c ) {\r
                 // loop\r
                 uint64_t testpwd = 0x00;\r
                 for (uint16_t c = 0; c < keycnt; ++c ) {\r
-       \r
-                       if (ukbhit()) {\r
-                               getchar();\r
-                               printf("\naborted via keyboard!\n");\r
+\r
+                       if ( offline ) {\r
+                               printf("Device offline\n");\r
+                               free(keyBlock);\r
+                               return  2;\r
+                       }\r
+               \r
+                       if (IsCancelled()) {\r
+                               free(keyBlock);\r
                                 return 0;\r
                         }\r
                 \r
                         testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
  \r
                         PrintAndLog("Testing %08X", testpwd);\r
                                 return 0;\r
                         }\r
                 \r
                         testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
  \r
                         PrintAndLog("Testing %08X", testpwd);\r
-                       \r
-                       \r
+                                               \r
                         if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
                         if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
-                               PrintAndLog("Aquireing data from device failed. Quitting");\r
+                               PrintAndLog("Acquire data from device failed. Quitting");\r
+                               free(keyBlock);\r
                                 return 0;\r
                         }\r
                         \r
                         found = tryDetectModulation();\r
                                 return 0;\r
                         }\r
                         \r
                         found = tryDetectModulation();\r
-\r
                         if ( found ) {\r
                                 PrintAndLog("Found valid password: [%08X]", testpwd);\r
                         if ( found ) {\r
                                 PrintAndLog("Found valid password: [%08X]", testpwd);\r
-                               return 0;\r
+                               //free(keyBlock);\r
+                               //return 0;\r
                         } \r
                 }\r
                 PrintAndLog("Password NOT found.");\r
                         } \r
                 }\r
                 PrintAndLog("Password NOT found.");\r
+               free(keyBlock);\r
                 return 0;\r
         }\r
         \r
                 return 0;\r
         }\r
         \r
@@ -1462,7 +1588,10 @@ int CmdT55xxBruteForce(const char *Cmd) {
      start_password = param_get32ex(Cmd, 0, 0, 16);\r
         end_password = param_get32ex(Cmd, 1, 0, 16);\r
         \r
      start_password = param_get32ex(Cmd, 0, 0, 16);\r
         end_password = param_get32ex(Cmd, 1, 0, 16);\r
         \r
-       if ( start_password >= end_password ) return usage_t55xx_bruteforce();\r
+       if ( start_password >= end_password ) {\r
+               free(keyBlock);\r
+               return usage_t55xx_bruteforce();\r
+       }\r
         \r
      PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
         \r
         \r
      PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
         \r
@@ -1472,14 +1601,15 @@ int CmdT55xxBruteForce(const char *Cmd) {
  \r
                 printf(".");\r
                 fflush(stdout);\r
  \r
                 printf(".");\r
                 fflush(stdout);\r
-               if (ukbhit()) {\r
-                       getchar();\r
-                       printf("\naborted via keyboard!\n");\r
+               \r
+               if (IsCancelled()) {\r
+                       free(keyBlock);\r
                         return 0;\r
                 }\r
                         \r
                 if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
                         return 0;\r
                 }\r
                         \r
                 if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
-                       PrintAndLog("Aquireing data from device failed. Quitting");\r
+                       PrintAndLog("Acquire data from device failed. Quitting");\r
+                       free(keyBlock);\r
                         return 0;\r
                 }\r
                 found = tryDetectModulation();\r
                         return 0;\r
                 }\r
                 found = tryDetectModulation();\r
@@ -1494,32 +1624,123 @@ int CmdT55xxBruteForce(const char *Cmd) {
                 PrintAndLog("Found valid password: [%08x]", i);\r
      else\r
                 PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
                 PrintAndLog("Found valid password: [%08x]", i);\r
      else\r
                 PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+       free(keyBlock);\r
      return 0;\r
  }\r
  \r
      return 0;\r
  }\r
  \r
+int tryOnePassword(uint32_t password) {\r
+       PrintAndLog("Trying password %08x", password);\r
+       if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+               PrintAndLog("Acquire data from device failed. Quitting");\r
+               return -1;\r
+       }\r
+\r
+       if (tryDetectModulation())\r
+               return 1;\r
+       else \r
+               return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+       int bit = 0;\r
+       uint32_t orig_password = 0x0;\r
+       uint32_t curr_password = 0x0;\r
+       uint32_t prev_password = 0xffffffff;\r
+       uint32_t mask = 0x0;\r
+       int found = 0;\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+       orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+       // first try fliping each bit in the expected password\r
+       while (bit < 32) {\r
+               curr_password = orig_password ^ ( 1 << bit );\r
+               found = tryOnePassword(curr_password);\r
+               if (found == -1) return 0;\r
+               bit++;\r
+               \r
+               if (IsCancelled()) return 0;\r
+       }\r
+\r
+       // now try to use partial original password, since block 7 should have been completely\r
+       // erased during the write sequence and it is possible that only partial password has been\r
+       // written\r
+       // not sure from which end the bit bits are written, so try from both ends \r
+       // from low bit to high bit\r
+       bit = 0;\r
+       while (bit < 32) {\r
+               mask += ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == -1) return 0;\r
+               bit++;\r
+               prev_password = curr_password;\r
+               \r
+               if (IsCancelled()) return 0;\r
+       }\r
+\r
+       // from high bit to low\r
+       bit = 0;\r
+       mask = 0xffffffff;\r
+       while (bit < 32) {\r
+               mask -= ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+               prev_password = curr_password;\r
+               \r
+               if (IsCancelled()) return 0;\r
+       }\r
+\r
+       PrintAndLog("");\r
+\r
+       if (found == 1)\r
+               PrintAndLog("Found valid password: [%08x]", curr_password);\r
+       else\r
+               PrintAndLog("Password NOT found.");\r
+\r
+       return 0;\r
+}\r
+\r
  static command_t CommandTable[] = {\r
         {"help",                CmdHelp,           1, "This help"},\r
  static command_t CommandTable[] = {\r
         {"help",                CmdHelp,           1, "This help"},\r
-       {"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+       {"bruteforce",  CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
         {"config",              CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
         {"detect",              CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
         {"dump",                CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
         {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
         {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
         {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
         {"config",              CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
         {"detect",              CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
         {"dump",                CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
         {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
         {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
         {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+       {"recoverpw",   CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},\r
         {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
         {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
         {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
         {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
         {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
         {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
-       {"wipe",                CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+       {"wipe",                CmdT55xxWipe,      0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
         {"write",               CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
         {NULL, NULL, 0, NULL}\r
  };\r
  \r
  int CmdLFT55XX(const char *Cmd) {\r
         {"write",               CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
         {NULL, NULL, 0, NULL}\r
  };\r
  \r
  int CmdLFT55XX(const char *Cmd) {\r
-  CmdsParse(CommandTable, Cmd);\r
-  return 0;\r
+       clearCommandBuffer();\r
+       CmdsParse(CommandTable, Cmd);\r
+       return 0;\r
  }\r
  \r
  int CmdHelp(const char *Cmd) {\r
  }\r
  \r
  int CmdHelp(const char *Cmd) {\r
-  CmdsHelp(CommandTable);\r
-  return 0;\r
+       CmdsHelp(CommandTable);\r
+       return 0;\r
  }\r
  }\r