]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdlft55xx.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
syntax sugar
[proxmark3-svn] / client / cmdlft55xx.c
diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index d864c9ed0ec1fe6075645877abe0edad2200bd43..5b650b30d27ffe64370e860b33c62978580de092 100644 (file)
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -6,31 +6,7 @@
 //-----------------------------------------------------------------------------\r
 // Low frequency T55xx commands\r
 //-----------------------------------------------------------------------------\r
 //-----------------------------------------------------------------------------\r
 // Low frequency T55xx commands\r
 //-----------------------------------------------------------------------------\r
-\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <inttypes.h>\r
-#include <time.h>\r
-#include "proxmark3.h"\r
-#include "ui.h"\r
-#include "graph.h"\r
-#include "cmdmain.h"\r
-#include "cmdparser.h"\r
-#include "cmddata.h"\r
-#include "cmdlf.h"\r
 #include "cmdlft55xx.h"\r
 #include "cmdlft55xx.h"\r
-#include "util.h"\r
-#include "data.h"\r
-#include "lfdemod.h"\r
-#include "../common/crc.h"\r
-#include "../common/iso14443crc.h"\r
-#include "cmdhf14a.h"\r
-\r
-#define T55x7_CONFIGURATION_BLOCK 0x00\r
-#define T55x7_PAGE0 0x00\r
-#define T55x7_PAGE1 0x01\r
-#define T55x7_PWD      0x00000010\r
-#define REGULAR_READ_MODE_BLOCK 0xFF\r
 \r
 // Default configuration\r
 t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
 \r
 // Default configuration\r
 t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE };\r
@@ -45,12 +21,13 @@ void Set_t55xx_Config(t55xx_conf_block_t conf){
 int usage_t55xx_config(){\r
        PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
        PrintAndLog("Options:");\r
 int usage_t55xx_config(){\r
        PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>] [Q5]");\r
        PrintAndLog("Options:");\r
-       PrintAndLog("       h                        This help");\r
-       PrintAndLog("       b <8|16|32|40|50|64|100|128>     Set bitrate");\r
-       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
-       PrintAndLog("       i [1]                            Invert data signal, defaults to normal");\r
-       PrintAndLog("       o [offset]                       Set offset, where data should start decode in bitstream");\r
-       PrintAndLog("       Q5                            Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       h                                - This help");\r
+       PrintAndLog("       b <8|16|32|40|50|64|100|128>     - Set bitrate");\r
+       PrintAndLog("       d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa>  - Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A");\r
+       PrintAndLog("       i [1]                            - Invert data signal, defaults to normal");\r
+       PrintAndLog("       o [offset]                       - Set offset, where data should start decode in bitstream");\r
+       PrintAndLog("       Q5                               - Set as Q5(T5555) chip instead of T55x7");\r
+       PrintAndLog("       ST                               - Set Sequence Terminator on");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx config d FSK          - FSK demodulation");\r
@@ -94,7 +71,7 @@ int usage_t55xx_write(){
 int usage_t55xx_trace() {\r
        PrintAndLog("Usage:  lf t55xx trace [1]");\r
        PrintAndLog("Options:");\r
 int usage_t55xx_trace() {\r
        PrintAndLog("Usage:  lf t55xx trace [1]");\r
        PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx trace");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx trace");\r
@@ -105,7 +82,7 @@ int usage_t55xx_trace() {
 int usage_t55xx_info() {\r
        PrintAndLog("Usage:  lf t55xx info [1]");\r
        PrintAndLog("Options:");\r
 int usage_t55xx_info() {\r
        PrintAndLog("Usage:  lf t55xx info [1]");\r
        PrintAndLog("Options:");\r
-       PrintAndLog("     [graph buffer data]  - if set, use Graphbuffer otherwise read data from tag.");\r
+       PrintAndLog("     1             - if set, use Graphbuffer otherwise read data from tag.");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx info");\r
        PrintAndLog("");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx info");\r
@@ -134,7 +111,7 @@ int usage_t55xx_detect(){
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx detect");\r
        PrintAndLog("      lf t55xx detect 1");\r
        PrintAndLog("Examples:");\r
        PrintAndLog("      lf t55xx detect");\r
        PrintAndLog("      lf t55xx detect 1");\r
-       PrintAndLog("      lf t55xx detect 11223344");\r
+       PrintAndLog("      lf t55xx detect 11223344");\r
        PrintAndLog("");\r
        return 0;\r
 }\r
        PrintAndLog("");\r
        return 0;\r
 }\r
@@ -149,13 +126,58 @@ int usage_t55xx_wakup(){
     PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
        return 0;\r
 }\r
     PrintAndLog("      lf t55xx wakeup p 11223344  - send wakeup password");\r
        return 0;\r
 }\r
-\r
+int usage_t55xx_bruteforce(){\r
+       PrintAndLog("This command uses A) bruteforce to scan a number range");\r
+       PrintAndLog("                  B) a dictionary attack");\r
+       PrintAndLog("press 'enter' to cancel the command");\r
+    PrintAndLog("Usage: lf t55xx bruteforce [h] <start password> <end password> [i <*.dic>]");\r
+    PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h                     - this help");\r
+       PrintAndLog("     <start_pwd> - 4 byte hex value to start pwd search at");\r
+       PrintAndLog("     <end_pwd>   - 4 byte hex value to end pwd search at");\r
+    PrintAndLog("     i <*.dic>        - loads a default keys dictionary file <*.dic>");\r
+    PrintAndLog("");\r
+    PrintAndLog("Examples:");\r
+    PrintAndLog("       lf t55xx bruteforce aaaaaaaa bbbbbbbb");\r
+       PrintAndLog("       lf t55xx bruteforce i default_pwd.dic");\r
+    PrintAndLog("");\r
+    return 0;\r
+}\r
+int usage_t55xx_recoverpw(){\r
+       PrintAndLog("This command uses a few tricks to try to recover mangled password");\r
+       PrintAndLog("press 'enter' to cancel the command");\r
+       PrintAndLog("WARNING: this may brick non-password protected chips!");\r
+       PrintAndLog("Usage: lf t55xx recoverpw [password]");\r
+       PrintAndLog("       password must be 4 bytes (8 hex symbols)");\r
+       PrintAndLog("       default password is 51243648, used by many cloners");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h           - this help");\r
+       PrintAndLog("     [password]  - 4 byte hex value of password written by cloner");\r
+       PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+       PrintAndLog("       lf t55xx recoverpw");\r
+       PrintAndLog("       lf t55xx recoverpw 51243648");\r
+       PrintAndLog("");\r
+       return 0;\r
+}int usage_t55xx_wipe(){\r
+       PrintAndLog("Usage:  lf t55xx wipe [h] [Q5]");\r
+       PrintAndLog("This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block");\r
+       PrintAndLog("Options:");\r
+       PrintAndLog("     h     - this help");\r
+       PrintAndLog("     Q5  - indicates to use the T5555 (Q5) default configuration block");\r
+    PrintAndLog("");\r
+       PrintAndLog("Examples:");\r
+    PrintAndLog("      lf t55xx wipe   -  wipes a t55x7 tag,    config block 0x000880E0");\r
+       PrintAndLog("      lf t55xx wipe Q5 -  wipes a t5555 Q5 tag, config block 0x6001F004");\r
+       return 0;\r
+}\r
 static int CmdHelp(const char *Cmd);\r
 \r
 void printT5xxHeader(uint8_t page){\r
        PrintAndLog("Reading Page %d:", page);  \r
 static int CmdHelp(const char *Cmd);\r
 \r
 void printT5xxHeader(uint8_t page){\r
        PrintAndLog("Reading Page %d:", page);  \r
-       PrintAndLog("blk | hex data | binary");\r
-       PrintAndLog("----+----------+---------------------------------");       \r
+       PrintAndLog("blk | hex data | binary                           | ascii");\r
+       PrintAndLog("----+----------+----------------------------------+-------");      \r
 }\r
 \r
 int CmdT55xxSetConfig(const char *Cmd) {\r
 }\r
 \r
 int CmdT55xxSetConfig(const char *Cmd) {\r
@@ -166,7 +188,6 @@ int CmdT55xxSetConfig(const char *Cmd) {
        uint8_t bitRate = 0;\r
        uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};\r
        uint8_t cmdp = 0;\r
        uint8_t bitRate = 0;\r
        uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};\r
        uint8_t cmdp = 0;\r
-       config.Q5 = FALSE;\r
        bool errors = FALSE;\r
        while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
        {\r
        bool errors = FALSE;\r
        while(param_getchar(Cmd, cmdp) != 0x00 && !errors)\r
        {\r
@@ -244,6 +265,11 @@ int CmdT55xxSetConfig(const char *Cmd) {
                        config.Q5 = TRUE;\r
                        cmdp++;\r
                        break;\r
                        config.Q5 = TRUE;\r
                        cmdp++;\r
                        break;\r
+               case 'S':\r
+               case 's':               \r
+                       config.ST = TRUE;\r
+                       cmdp++;\r
+                       break;\r
                default:\r
                        PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                        errors = TRUE;\r
                default:\r
                        PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
                        errors = TRUE;\r
@@ -346,6 +372,7 @@ bool DecodeT55xxBlock(){
        char buf[30] = {0x00};\r
        char *cmdStr = buf;\r
        int ans = 0;\r
        char buf[30] = {0x00};\r
        char *cmdStr = buf;\r
        int ans = 0;\r
+       bool ST = config.ST;\r
        uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
        DemodBufferLen = 0x00;\r
 \r
        uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};\r
        DemodBufferLen = 0x00;\r
 \r
@@ -366,21 +393,27 @@ bool DecodeT55xxBlock(){
                        break;\r
                case DEMOD_ASK:\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
                        break;\r
                case DEMOD_ASK:\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
-                       ans = ASKDemod(cmdStr, FALSE, FALSE, 1);\r
+                       ans = ASKDemod_ext(cmdStr, FALSE, FALSE, 1, &ST);\r
                        break;\r
                case DEMOD_PSK1:\r
                        // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                        break;\r
                case DEMOD_PSK1:\r
                        // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
                        CmdLtrim("160");\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
                        ans = PSKDemod(cmdStr, FALSE);\r
                        CmdLtrim("160");\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );\r
                        ans = PSKDemod(cmdStr, FALSE);\r
+                       //undo trim samples\r
+                       save_restoreGB(0);\r
                        break;\r
                case DEMOD_PSK2: //inverted won't affect this\r
                case DEMOD_PSK3: //not fully implemented\r
                        // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                        break;\r
                case DEMOD_PSK2: //inverted won't affect this\r
                case DEMOD_PSK3: //not fully implemented\r
                        // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+                       save_restoreGB(1);\r
                        CmdLtrim("160");\r
                        snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
                        ans = PSKDemod(cmdStr, FALSE);\r
                        psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
                        CmdLtrim("160");\r
                        snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );\r
                        ans = PSKDemod(cmdStr, FALSE);\r
                        psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
+                       //undo trim samples\r
+                       save_restoreGB(0);\r
                        break;\r
                case DEMOD_NRZ:\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
                        break;\r
                case DEMOD_NRZ:\r
                        snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );\r
@@ -397,8 +430,23 @@ bool DecodeT55xxBlock(){
        return (bool) ans;\r
 }\r
 \r
        return (bool) ans;\r
 }\r
 \r
-int CmdT55xxDetect(const char *Cmd){\r
+bool DecodeT5555TraceBlock() {\r
+       DemodBufferLen = 0x00;\r
+       \r
+       // According to datasheet. Always: RF/64, not inverted, Manchester\r
+       return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1);\r
+}\r
 \r
 \r
+// sanity check. Don't use proxmark if it is offline and you didn't specify useGraphbuf\r
+static int SanityOfflineCheck( bool useGraphBuffer ){\r
+       if ( !useGraphBuffer && offline) {\r
+               PrintAndLog("Your proxmark3 device is offline. Specify [1] to use graphbuffer data instead");\r
+               return 0;\r
+       }\r
+       return 1;\r
+}\r
+\r
+int CmdT55xxDetect(const char *Cmd){\r
        bool errors = FALSE;\r
        bool useGB = FALSE;\r
        bool usepwd = FALSE;\r
        bool errors = FALSE;\r
        bool useGB = FALSE;\r
        bool usepwd = FALSE;\r
@@ -429,15 +477,18 @@ int CmdT55xxDetect(const char *Cmd){
        }\r
        if (errors) return usage_t55xx_detect();\r
        \r
        }\r
        if (errors) return usage_t55xx_detect();\r
        \r
+       // sanity check.\r
+       if (!SanityOfflineCheck(useGB)) return 1;\r
+       \r
        if ( !useGB) {\r
                if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
        if ( !useGB) {\r
                if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) )\r
-                       return 0;\r
+                       return 1;\r
        }\r
        \r
        if ( !tryDetectModulation() )\r
                PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
 \r
        }\r
        \r
        if ( !tryDetectModulation() )\r
                PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");\r
 \r
-       return 1;\r
+       return 0;\r
 }\r
 \r
 // detect configuration?\r
 }\r
 \r
 // detect configuration?\r
@@ -446,7 +497,6 @@ bool tryDetectModulation(){
        t55xx_conf_block_t tests[15];\r
        int bitRate=0;\r
        uint8_t fc1 = 0, fc2 = 0, clk=0;\r
        t55xx_conf_block_t tests[15];\r
        int bitRate=0;\r
        uint8_t fc1 = 0, fc2 = 0, clk=0;\r
-       save_restoreGB(1);\r
        \r
        if (GetFskClock("", FALSE, FALSE)){ \r
                fskClocks(&fc1, &fc2, &clk, FALSE);\r
        \r
        if (GetFskClock("", FALSE, FALSE)){ \r
                fskClocks(&fc1, &fc2, &clk, FALSE);\r
@@ -459,6 +509,7 @@ bool tryDetectModulation(){
                        tests[hits].bitrate = bitRate;\r
                        tests[hits].inverted = FALSE;\r
                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                        tests[hits].bitrate = bitRate;\r
                        tests[hits].inverted = FALSE;\r
                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r
                        ++hits;\r
                }\r
                if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                        ++hits;\r
                }\r
                if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -467,23 +518,35 @@ bool tryDetectModulation(){
                                tests[hits].modulation = DEMOD_FSK1;\r
                        else if (fc1 == 10 && fc2 == 8)\r
                                tests[hits].modulation = DEMOD_FSK2a;\r
                                tests[hits].modulation = DEMOD_FSK1;\r
                        else if (fc1 == 10 && fc2 == 8)\r
                                tests[hits].modulation = DEMOD_FSK2a;\r
-\r
                        tests[hits].bitrate = bitRate;\r
                        tests[hits].inverted = TRUE;\r
                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                        tests[hits].bitrate = bitRate;\r
                        tests[hits].inverted = TRUE;\r
                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                       tests[hits].ST = FALSE;\r
                        ++hits;\r
                }\r
        } else {\r
                clk = GetAskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                        ++hits;\r
                }\r
        } else {\r
                clk = GetAskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
-                       if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert false, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
+                       if ( ASKDemod_ext("0 0 1", FALSE, FALSE, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                ++hits;\r
                        }\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                ++hits;\r
                        }\r
-                       if ( ASKDemod("0 1 1", FALSE, FALSE, 1)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
+                       tests[hits].ST = TRUE;\r
+                       // "0 0 1 " == clock auto, invert true, maxError 1.\r
+                       // false = no verbose\r
+                       // false = no emSearch\r
+                       // 1 = Ask/Man\r
+                       // st = true\r
+                       if ( ASKDemod_ext("0 1 1", FALSE, FALSE, 1, &tests[hits].ST)  && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].modulation = DEMOD_ASK;\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
@@ -495,6 +558,7 @@ bool tryDetectModulation(){
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                ++hits;\r
                        }\r
                        if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
                                ++hits;\r
                        }\r
                        if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {\r
@@ -502,11 +566,12 @@ bool tryDetectModulation(){
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                ++hits;\r
                        }\r
                }\r
                //undo trim from ask\r
                                ++hits;\r
                        }\r
                }\r
                //undo trim from ask\r
-               save_restoreGB(0);\r
+               //save_restoreGB(0);\r
                clk = GetNrzClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                        if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                clk = GetNrzClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                        if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -514,6 +579,7 @@ bool tryDetectModulation(){
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                ++hits;\r
                        }\r
 \r
                                ++hits;\r
                        }\r
 \r
@@ -522,13 +588,14 @@ bool tryDetectModulation(){
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                ++hits;\r
                        }\r
                }\r
                \r
                                ++hits;\r
                        }\r
                }\r
                \r
-               //undo trim from nrz\r
-               save_restoreGB(0);\r
+               // allow undo\r
                // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
                // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)\r
+               save_restoreGB(1);\r
                CmdLtrim("160");\r
                clk = GetPskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
                CmdLtrim("160");\r
                clk = GetPskClock("", FALSE, FALSE);\r
                if (clk>0) {\r
@@ -537,6 +604,7 @@ bool tryDetectModulation(){
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = FALSE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                ++hits;\r
                        }\r
                        if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
                                ++hits;\r
                        }\r
                        if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {\r
@@ -544,8 +612,10 @@ bool tryDetectModulation(){
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                tests[hits].bitrate = bitRate;\r
                                tests[hits].inverted = TRUE;\r
                                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                               tests[hits].ST = FALSE;\r
                                ++hits;\r
                        }\r
                                ++hits;\r
                        }\r
+                       //ICEMAN: are these PSKDemod calls needed?\r
                        // PSK2 - needs a call to psk1TOpsk2.\r
                        if ( PSKDemod("0 0 6", FALSE)) {\r
                                psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
                        // PSK2 - needs a call to psk1TOpsk2.\r
                        if ( PSKDemod("0 0 6", FALSE)) {\r
                                psk1TOpsk2(DemodBuffer, DemodBufferLen);\r
@@ -554,6 +624,7 @@ bool tryDetectModulation(){
                                        tests[hits].bitrate = bitRate;\r
                                        tests[hits].inverted = FALSE;\r
                                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                        tests[hits].bitrate = bitRate;\r
                                        tests[hits].inverted = FALSE;\r
                                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
                                        ++hits;\r
                                }\r
                        } // inverse waves does not affect this demod\r
                                        ++hits;\r
                                }\r
                        } // inverse waves does not affect this demod\r
@@ -565,29 +636,66 @@ bool tryDetectModulation(){
                                        tests[hits].bitrate = bitRate;\r
                                        tests[hits].inverted = FALSE;\r
                                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
                                        tests[hits].bitrate = bitRate;\r
                                        tests[hits].inverted = FALSE;\r
                                        tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);\r
+                                       tests[hits].ST = FALSE;\r
                                        ++hits;\r
                                }\r
                        } // inverse waves does not affect this demod\r
                }\r
                                        ++hits;\r
                                }\r
                        } // inverse waves does not affect this demod\r
                }\r
+               //undo trim samples\r
+               save_restoreGB(0);\r
        }               \r
        }               \r
-       save_restoreGB(0);      \r
        if ( hits == 1) {\r
                config.modulation = tests[0].modulation;\r
                config.bitrate = tests[0].bitrate;\r
                config.inverted = tests[0].inverted;\r
                config.offset = tests[0].offset;\r
                config.block0 = tests[0].block0;\r
        if ( hits == 1) {\r
                config.modulation = tests[0].modulation;\r
                config.bitrate = tests[0].bitrate;\r
                config.inverted = tests[0].inverted;\r
                config.offset = tests[0].offset;\r
                config.block0 = tests[0].block0;\r
+               config.Q5 = tests[0].Q5;\r
+               config.ST = tests[0].ST;\r
                printConfiguration( config );\r
                return TRUE;\r
        }\r
        \r
                printConfiguration( config );\r
                return TRUE;\r
        }\r
        \r
+       bool retval = FALSE;\r
        if ( hits > 1) {\r
                PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
                for(int i=0; i<hits; ++i){\r
        if ( hits > 1) {\r
                PrintAndLog("Found [%d] possible matches for modulation.",hits);\r
                for(int i=0; i<hits; ++i){\r
-                       PrintAndLog("--[%d]---------------", i+1);\r
+                       retval = testKnownConfigBlock(tests[i].block0);\r
+                       if ( retval ) {                         \r
+                               PrintAndLog("--[%d]--------------- << selected this", i+1);\r
+                               config.modulation = tests[i].modulation;\r
+                               config.bitrate = tests[i].bitrate;\r
+                               config.inverted = tests[i].inverted;\r
+                               config.offset = tests[i].offset;\r
+                               config.block0 = tests[i].block0;\r
+                               config.Q5 = tests[i].Q5;\r
+                               config.ST = tests[i].ST;\r
+                       } else {\r
+                               PrintAndLog("--[%d]---------------", i+1);\r
+                       }\r
                        printConfiguration( tests[i] );\r
                }\r
        }\r
                        printConfiguration( tests[i] );\r
                }\r
        }\r
+       return retval;\r
+}\r
+\r
+bool testKnownConfigBlock(uint32_t block0) {\r
+       switch(block0){\r
+               case T55X7_DEFAULT_CONFIG_BLOCK:\r
+               case T55X7_RAW_CONFIG_BLOCK:\r
+               case T55X7_EM_UNIQUE_CONFIG_BLOCK:\r
+               case T55X7_FDXB_CONFIG_BLOCK:\r
+               case T55X7_HID_26_CONFIG_BLOCK:\r
+               case T55X7_PYRAMID_CONFIG_BLOCK:\r
+               case T55X7_INDALA_64_CONFIG_BLOCK:\r
+               case T55X7_INDALA_224_CONFIG_BLOCK:\r
+               case T55X7_GUARDPROXII_CONFIG_BLOCK:\r
+               case T55X7_VIKING_CONFIG_BLOCK:\r
+               case T55X7_NORALYS_CONFIG_BLOCK:\r
+               case T55X7_IOPROX_CONFIG_BLOCK:\r
+               case T55X7_PRESCO_CONFIG_BLOCK:\r
+                       return TRUE;\r
+       }\r
        return FALSE;\r
 }\r
 \r
        return FALSE;\r
 }\r
 \r
@@ -652,6 +760,15 @@ bool testQ5Modulation(uint8_t      mode, uint8_t   modread){
        return FALSE;\r
 }\r
 \r
        return FALSE;\r
 }\r
 \r
+int convertQ5bitRate(uint8_t bitRateRead) {\r
+       uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};\r
+       for (int i=0; i<8; i++)\r
+               if (expected[i] == bitRateRead)\r
+                       return i;\r
+\r
+       return -1;\r
+}\r
+\r
 bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t    clk){\r
 \r
        if ( DemodBufferLen < 64 ) return FALSE;\r
 bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t    clk){\r
 \r
        if ( DemodBufferLen < 64 ) return FALSE;\r
@@ -663,12 +780,12 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t       clk){
                uint8_t safer     = PackBits(si, 4, DemodBuffer); si += 4;     //master key\r
                uint8_t resv      = PackBits(si, 8, DemodBuffer); si += 8;\r
                // 2nibble must be zeroed.\r
                uint8_t safer     = PackBits(si, 4, DemodBuffer); si += 4;     //master key\r
                uint8_t resv      = PackBits(si, 8, DemodBuffer); si += 8;\r
                // 2nibble must be zeroed.\r
-               if (safer != 0x6) continue;\r
+               if (safer != 0x6 && safer != 0x9) continue;\r
                if ( resv > 0x00) continue;\r
                //uint8_t       pageSel   = PackBits(si, 1, DemodBuffer); si += 1;\r
                //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;\r
                si += 1+1;\r
                if ( resv > 0x00) continue;\r
                //uint8_t       pageSel   = PackBits(si, 1, DemodBuffer); si += 1;\r
                //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;\r
                si += 1+1;\r
-               int bitRate       = PackBits(si, 5, DemodBuffer)*2 + 2; si += 5;     //bit rate\r
+               int bitRate       = PackBits(si, 6, DemodBuffer)*2 + 2; si += 6;     //bit rate\r
                if (bitRate > 128 || bitRate < 8) continue;\r
 \r
                //uint8_t AOR       = PackBits(si, 1, DemodBuffer); si += 1;   \r
                if (bitRate > 128 || bitRate < 8) continue;\r
 \r
                //uint8_t AOR       = PackBits(si, 1, DemodBuffer); si += 1;   \r
@@ -683,7 +800,8 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){
                //test modulation\r
                if (!testQ5Modulation(mode, modread)) continue;\r
                if (bitRate != clk) continue;\r
                //test modulation\r
                if (!testQ5Modulation(mode, modread)) continue;\r
                if (bitRate != clk) continue;\r
-               *fndBitRate = bitRate;\r
+               *fndBitRate = convertQ5bitRate(bitRate);\r
+               if (*fndBitRate < 0) continue;\r
                *offset = idx;\r
 \r
                return TRUE;\r
                *offset = idx;\r
 \r
                return TRUE;\r
@@ -719,14 +837,14 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5)
                uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
                uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
                //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
                uint8_t extend   = PackBits(si, 1, DemodBuffer); si += 1;     //bit 15 extended mode\r
                uint8_t modread  = PackBits(si, 5, DemodBuffer); si += 5+2+1; \r
                //uint8_t pskcr   = PackBits(si, 2, DemodBuffer); si += 2+1;  //could check psk cr\r
-               uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
-               uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
+               //uint8_t nml01    = PackBits(si, 1, DemodBuffer); si += 1+5;   //bit 24, 30, 31 could be tested for 0 if not extended mode\r
+               //uint8_t nml02    = PackBits(si, 2, DemodBuffer); si += 2;\r
                \r
                //if extended mode\r
                bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
 \r
                if (!extMode){\r
                \r
                //if extended mode\r
                bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE;\r
 \r
                if (!extMode){\r
-                       if (nml01 || nml02 || xtRate) continue;\r
+                       if (xtRate) continue;  //nml01 || nml02 ||  caused issues on noralys tags\r
                }\r
                //test modulation\r
                if (!testModulation(mode, modread)) continue;\r
                }\r
                //test modulation\r
                if (!testModulation(mode, modread)) continue;\r
@@ -761,16 +879,18 @@ void printT55xxBlock(const char *blockNum){
                bits[i - config.offset] = DemodBuffer[i];\r
 \r
        blockData = PackBits(0, 32, bits);\r
                bits[i - config.offset] = DemodBuffer[i];\r
 \r
        blockData = PackBits(0, 32, bits);\r
+       uint8_t bytes[4] = {0};\r
+       num_to_bytes(blockData, 4, bytes);\r
 \r
 \r
-       PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));\r
+       PrintAndLog(" %s | %08X | %s | %s", blockNum, blockData, sprint_bin(bits,32), sprint_ascii(bytes,4));\r
 }\r
 \r
 int special(const char *Cmd) {\r
        uint32_t blockData = 0;\r
        uint8_t bits[32] = {0x00};\r
 \r
 }\r
 \r
 int special(const char *Cmd) {\r
        uint32_t blockData = 0;\r
        uint8_t bits[32] = {0x00};\r
 \r
-       PrintAndLog("OFFSET | DATA  | BINARY");\r
-       PrintAndLog("----------------------------------------------------");\r
+       PrintAndLog("OFFSET | DATA  | BINARY                              | ASCII");\r
+       PrintAndLog("-------+-------+-------------------------------------+------");\r
        int i,j = 0;\r
        for (; j < 64; ++j){\r
                \r
        int i,j = 0;\r
        for (; j < 64; ++j){\r
                \r
@@ -790,6 +910,7 @@ int printConfiguration( t55xx_conf_block_t b){
        PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
        PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r
        PrintAndLog("Offset     : %d", b.offset);\r
        PrintAndLog("Bit Rate   : %s", GetBitRateStr(b.bitrate) );\r
        PrintAndLog("Inverted   : %s", (b.inverted) ? "Yes" : "No" );\r
        PrintAndLog("Offset     : %d", b.offset);\r
+       PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" );\r
        PrintAndLog("Block0     : 0x%08X", b.block0);\r
        PrintAndLog("");\r
        return 0;\r
        PrintAndLog("Block0     : 0x%08X", b.block0);\r
        PrintAndLog("");\r
        return 0;\r
@@ -889,7 +1010,7 @@ int CmdT55xxWriteBlock(const char *Cmd) {
        }\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
        }\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
-       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){\r
+       if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)){\r
                PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
                return 0;\r
        }\r
                PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");\r
                return 0;\r
        }\r
@@ -902,61 +1023,114 @@ int CmdT55xxReadTrace(const char *Cmd) {
        uint32_t password = 0;  \r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
 \r
        uint32_t password = 0;  \r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_trace();\r
 \r
-       if (strlen(Cmd)==0)\r
+       if (strlen(Cmd)==0) {\r
+               // sanity check.\r
+               if (!SanityOfflineCheck(FALSE)) return 1;\r
+\r
                if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
                if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) )\r
-                       return 0;\r
-       \r
-       if (!DecodeT55xxBlock()) return 0;\r
+                       return 1;\r
+       }\r
 \r
 \r
-       if ( !DemodBufferLen) return 0;\r
+       if ( config.Q5 ){\r
+               if (!DecodeT5555TraceBlock()) return 1;\r
+       } else {\r
+               if (!DecodeT55xxBlock()) return 1;\r
+       }\r
+       \r
+       if ( !DemodBufferLen ) return 1;\r
        \r
        RepaintGraphWindow();\r
        \r
        RepaintGraphWindow();\r
-       uint8_t repeat = 0;\r
-       if (config.offset > 5) \r
-               repeat = 32;\r
-       uint8_t si = config.offset+repeat;\r
-       uint32_t bl1     = PackBits(si, 32, DemodBuffer);\r
-       uint32_t bl2     = PackBits(si+32, 32, DemodBuffer);\r
+       uint8_t repeat = (config.offset > 5) ? 32 : 0;\r
        \r
        \r
-       uint32_t acl     = PackBits(si, 8,  DemodBuffer); si += 8;\r
-       uint32_t mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
-       uint32_t cid     = PackBits(si, 5,  DemodBuffer); si += 5;\r
-       uint32_t icr     = PackBits(si, 3,  DemodBuffer); si += 3;\r
-       uint32_t year    = PackBits(si, 4,  DemodBuffer); si += 4;\r
-       uint32_t quarter = PackBits(si, 2,  DemodBuffer); si += 2;\r
-       uint32_t lotid   = PackBits(si, 14, DemodBuffer); si += 14;\r
-       uint32_t wafer   = PackBits(si, 5,  DemodBuffer); si += 5;\r
-       uint32_t dw      = PackBits(si, 15, DemodBuffer); \r
+       uint8_t si = config.offset + repeat;\r
+       uint32_t bl1 = PackBits(si, 32, DemodBuffer);\r
+       uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);        \r
        \r
        \r
-       time_t t = time(NULL);\r
-       struct tm tm = *localtime(&t);\r
-       if ( year > tm.tm_year-110)\r
-               year += 2000;\r
-       else\r
-               year += 2010;\r
+       if (config.Q5) {\r
+               uint32_t hdr = PackBits(si, 9,  DemodBuffer); si += 9;\r
+    \r
+               if (hdr != 0x1FF) {\r
+                 PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);\r
+                 return 1;\r
+               }\r
+    \r
+               t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};\r
+                       \r
+               data.icr     = PackBits(si, 2,  DemodBuffer); si += 2;\r
+               data.lotidc  = 'Z' - PackBits(si, 2,  DemodBuffer); si += 3;\r
+               \r
+               data.lotid   = PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 4;\r
+               data.lotid  |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.lotid <<= 1;\r
+               data.lotid  |= PackBits(si, 1,  DemodBuffer); si += 1;\r
+               \r
+               data.wafer   = PackBits(si, 3,  DemodBuffer); si += 4;\r
+               data.wafer <<= 2;\r
+               data.wafer  |= PackBits(si, 2,  DemodBuffer); si += 2;\r
+               \r
+               data.dw      = PackBits(si, 2,  DemodBuffer); si += 3;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+               data.dw    <<= 4;\r
+               data.dw     |= PackBits(si, 4,  DemodBuffer); si += 5;\r
+       \r
+               printT5555Trace(data, repeat);\r
+               \r
+       } else {\r
+       \r
+               t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0,  .lotid = 0, .wafer = 0, .dw = 0};\r
+               \r
+               data.acl = PackBits(si, 8,  DemodBuffer); si += 8;\r
+               if ( data.acl != 0xE0 ) {\r
+                       PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
+                       return 1;\r
+               }\r
 \r
 \r
-       if (config.Q5) PrintAndLog("*** Warning *** Info read off a Q5 will not work as expected");\r
-       if ( acl != 0xE0 ) {\r
-               PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");\r
-               return 0;\r
+               data.mfc     = PackBits(si, 8,  DemodBuffer); si += 8;\r
+               data.cid     = PackBits(si, 5,  DemodBuffer); si += 5;\r
+               data.icr     = PackBits(si, 3,  DemodBuffer); si += 3;\r
+               data.year    = PackBits(si, 4,  DemodBuffer); si += 4;\r
+               data.quarter = PackBits(si, 2,  DemodBuffer); si += 2;\r
+               data.lotid   = PackBits(si, 14, DemodBuffer); si += 14;\r
+               data.wafer   = PackBits(si, 5,  DemodBuffer); si += 5;\r
+               data.dw      = PackBits(si, 15, DemodBuffer); \r
+\r
+               time_t t = time(NULL);\r
+               struct tm tm = *localtime(&t);\r
+               if ( data.year > tm.tm_year-110)\r
+                       data.year += 2000;\r
+               else\r
+                       data.year += 2010;\r
+\r
+               printT55x7Trace(data, repeat);\r
        }\r
        }\r
-       PrintAndLog("");\r
-       PrintAndLog("-- T55xx Trace Information ----------------------------------");\r
+       return 0;\r
+}\r
+\r
+void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T55x7 Trace Information ----------------------------------");\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog("-------------------------------------------------------------");\r
-       PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", acl, acl);\r
-       PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", mfc, mfc, getTagInfo(mfc));\r
-       PrintAndLog(" CID                                     : 0x%02X (%d) - %s", cid, cid, GetModelStrFromCID(cid));\r
-       PrintAndLog(" ICR IC Revision                         : %d",icr );\r
+       PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1)  : 0x%02X (%d)", data.acl, data.acl);\r
+       PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6)    : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));\r
+       PrintAndLog(" CID                                     : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));\r
+       PrintAndLog(" ICR IC Revision                         : %d", data.icr );\r
        PrintAndLog(" Manufactured");\r
        PrintAndLog(" Manufactured");\r
-       PrintAndLog("     Year/Quarter : %d/%d",year, quarter);\r
-       PrintAndLog("     Lot ID       : %d", lotid );\r
-       PrintAndLog("     Wafer number : %d", wafer);\r
-       PrintAndLog("     Die Number   : %d", dw);\r
+       PrintAndLog("     Year/Quarter : %d/%d", data.year, data.quarter);\r
+       PrintAndLog("     Lot ID       : %d", data.lotid );\r
+       PrintAndLog("     Wafer number : %d", data.wafer);\r
+       PrintAndLog("     Die Number   : %d", data.dw);\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Raw Data - Page 1");\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Raw Data - Page 1");\r
-       PrintAndLog("     Block 1  : 0x%08X  %s", bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
-       PrintAndLog("     Block 2  : 0x%08X  %s", bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
-       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog("     Block 1  : 0x%08X  %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+       PrintAndLog("     Block 2  : 0x%08X  %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
+       PrintAndLog("-------------------------------------------------------------");   \r
 \r
        /*\r
        TRACE - BLOCK O\r
 \r
        /*\r
        TRACE - BLOCK O\r
@@ -974,10 +1148,36 @@ int CmdT55xxReadTrace(const char *Cmd) {
                13-17   Wafer number\r
                18-32   DW,  die number sequential\r
        */\r
                13-17   Wafer number\r
                18-32   DW,  die number sequential\r
        */\r
+}\r
+\r
+void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){\r
+       PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");\r
+       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog(" ICR IC Revision  : %d", data.icr );       \r
+       PrintAndLog("     Lot          : %c%d", data.lotidc, data.lotid);\r
+       PrintAndLog("     Wafer number : %d", data.wafer);\r
+       PrintAndLog("     Die Number   : %d", data.dw);\r
+       PrintAndLog("-------------------------------------------------------------");\r
+       PrintAndLog(" Raw Data - Page 1");\r
+       PrintAndLog("     Block 1  : 0x%08X  %s", data.bl1, sprint_bin(DemodBuffer+config.offset+repeat,32) );\r
+       PrintAndLog("     Block 2  : 0x%08X  %s", data.bl2, sprint_bin(DemodBuffer+config.offset+repeat+32,32) );\r
        \r
        \r
-  return 0;\r
+       /*\r
+               ** Q5 **\r
+               TRACE - BLOCK O and BLOCK1\r
+               Bits    Definition                              HEX\r
+               1-9             Header                  0x1FF\r
+               10-11 IC Revision\r
+               12-13 Lot ID char\r
+               15-35 Lot ID (NB parity)\r
+               36-41 Wafer number (NB parity)\r
+               42-58 DW, die number sequential (NB parity)\r
+               60-63 Parity bits\r
+               64    Always zero\r
+       */\r
 }\r
 \r
 }\r
 \r
+//need to add Q5 info...\r
 int CmdT55xxInfo(const char *Cmd){\r
        /*\r
                Page 0 Block 0 Configuration data.\r
 int CmdT55xxInfo(const char *Cmd){\r
        /*\r
                Page 0 Block 0 Configuration data.\r
@@ -990,17 +1190,24 @@ int CmdT55xxInfo(const char *Cmd){
 \r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
        \r
 \r
        if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H') return usage_t55xx_info();\r
        \r
-       if (strlen(Cmd)==0)\r
+       if (strlen(Cmd)==0){\r
+                               // sanity check.\r
+               if (!SanityOfflineCheck(FALSE)) return 1;\r
+               \r
                if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
                        return 1;\r
                if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) )\r
                        return 1;\r
+       }\r
 \r
        if (!DecodeT55xxBlock()) return 1;\r
 \r
 \r
        if (!DecodeT55xxBlock()) return 1;\r
 \r
+       // too little space to start with\r
        if ( DemodBufferLen < 32) return 1;\r
 \r
        if ( DemodBufferLen < 32) return 1;\r
 \r
+       // \r
+       PrintAndLog("Offset+32 ==%d\n DemodLen == %d", config.offset + 32,DemodBufferLen );\r
+\r
        uint8_t si = config.offset;\r
        uint8_t si = config.offset;\r
-       uint32_t bl0      = PackBits(si, 32, DemodBuffer);\r
-       \r
+       uint32_t bl0      = PackBits(si, 32, DemodBuffer);      \r
        uint32_t safer    = PackBits(si, 4, DemodBuffer); si += 4;      \r
        uint32_t resv     = PackBits(si, 7, DemodBuffer); si += 7;\r
        uint32_t dbr      = PackBits(si, 3, DemodBuffer); si += 3;\r
        uint32_t safer    = PackBits(si, 4, DemodBuffer); si += 4;      \r
        uint32_t resv     = PackBits(si, 7, DemodBuffer); si += 7;\r
        uint32_t dbr      = PackBits(si, 3, DemodBuffer); si += 3;\r
@@ -1015,9 +1222,10 @@ int CmdT55xxInfo(const char *Cmd){
        uint32_t fw       = PackBits(si, 1, DemodBuffer); si += 1;\r
        uint32_t inv      = PackBits(si, 1, DemodBuffer); si += 1;      \r
        uint32_t por      = PackBits(si, 1, DemodBuffer); si += 1;\r
        uint32_t fw       = PackBits(si, 1, DemodBuffer); si += 1;\r
        uint32_t inv      = PackBits(si, 1, DemodBuffer); si += 1;      \r
        uint32_t por      = PackBits(si, 1, DemodBuffer); si += 1;\r
+       \r
        if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r
        PrintAndLog("");\r
        if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");\r
        PrintAndLog("");\r
-       PrintAndLog("-- T55xx Configuration & Tag Information --------------------");\r
+       PrintAndLog("-- T55x7 Configuration & Tag Information --------------------");\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
        PrintAndLog(" reserved                  : %d", resv);\r
        PrintAndLog("-------------------------------------------------------------");\r
        PrintAndLog(" Safer key                 : %s", GetSaferStr(safer));\r
        PrintAndLog(" reserved                  : %d", resv);\r
@@ -1068,21 +1276,26 @@ int CmdT55xxDump(const char *Cmd){
 \r
 int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
        // arg0 bitmodes:\r
 \r
 int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){\r
        // arg0 bitmodes:\r
-       // bit0 = pwdmode\r
-       // bit1 = page to read from\r
+       //      bit0 = pwdmode\r
+       //      bit1 = page to read from\r
+       // arg1: which block to read\r
+       // arg2: password\r
        uint8_t arg0 = (page<<1) | pwdmode;\r
        UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
        uint8_t arg0 = (page<<1) | pwdmode;\r
        UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}};\r
-       \r
        clearCommandBuffer();\r
        SendCommand(&c);\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
                PrintAndLog("command execution time out");\r
                return 0;\r
        }\r
 \r
                PrintAndLog("command execution time out");\r
                return 0;\r
        }\r
 \r
-       uint8_t got[12000];\r
-       GetFromBigBuf(got,sizeof(got),0);\r
-       WaitForResponse(CMD_ACK,NULL);\r
+       //uint8_t got[12288];\r
+       uint8_t got[7679];\r
+       GetFromBigBuf(got, sizeof(got), 0);\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {\r
+               PrintAndLog("command execution time out");\r
+               return 0;\r
+       }\r
        setGraphBuf(got, sizeof(got));\r
        return 1;\r
 }\r
        setGraphBuf(got, sizeof(got));\r
        return 1;\r
 }\r
@@ -1092,35 +1305,16 @@ char * GetBitRateStr(uint32_t id){
 \r
        char *retStr = buf;\r
                switch (id){\r
 \r
        char *retStr = buf;\r
                switch (id){\r
-               case 0: \r
-                       snprintf(retStr,sizeof(buf),"%d - RF/8",id);\r
-                       break;\r
-               case 1:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/16",id);\r
-                       break;\r
-               case 2:         \r
-                       snprintf(retStr,sizeof(buf),"%d - RF/32",id);\r
-                       break;\r
-               case 3:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/40",id);\r
-                       break;\r
-               case 4:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/50",id);\r
-                       break;\r
-               case 5:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/64",id);\r
-                       break;\r
-               case 6:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/100",id);\r
-                       break;\r
-               case 7:\r
-                       snprintf(retStr,sizeof(buf),"%d - RF/128",id);\r
-                       break;\r
-               default:\r
-                       snprintf(retStr,sizeof(buf),"%d - (Unknown)",id);\r
-                       break;\r
+               case 0:   snprintf(retStr,sizeof(buf),"%d - RF/8",id);   break;\r
+               case 1:   snprintf(retStr,sizeof(buf),"%d - RF/16",id);  break;\r
+               case 2:   snprintf(retStr,sizeof(buf),"%d - RF/32",id);  break;\r
+               case 3:   snprintf(retStr,sizeof(buf),"%d - RF/40",id);  break;\r
+               case 4:   snprintf(retStr,sizeof(buf),"%d - RF/50",id);  break;\r
+               case 5:   snprintf(retStr,sizeof(buf),"%d - RF/64",id);  break;\r
+               case 6:   snprintf(retStr,sizeof(buf),"%d - RF/100",id); break;\r
+               case 7:   snprintf(retStr,sizeof(buf),"%d - RF/128",id); break;\r
+               default:  snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break;\r
                }\r
                }\r
-\r
        return buf;\r
 }\r
 \r
        return buf;\r
 }\r
 \r
@@ -1144,45 +1338,19 @@ char * GetModulationStr( uint32_t id){
        char *retStr = buf;\r
        \r
        switch (id){\r
        char *retStr = buf;\r
        \r
        switch (id){\r
-               case 0: \r
-                       snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id);\r
-                       break;\r
-               case 1:\r
-                       snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id);\r
-                       break;\r
-               case 2:         \r
-                       snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id);\r
-                       break;\r
-               case 3:\r
-                       snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id);\r
-                       break;\r
-               case 4:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8  RF/5",id);\r
-                       break;\r
-               case 5:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8  RF/10",id);\r
-                       break;\r
-               case 6:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5  RF/8",id);\r
-                       break;\r
-               case 7:\r
-                       snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10  RF/8",id);\r
-                       break;\r
-               case 8:\r
-                       snprintf(retStr,sizeof(buf),"%d - Manchester",id);\r
-                       break;\r
-               case 16:\r
-                       snprintf(retStr,sizeof(buf),"%d - Biphase",id);\r
-                       break;\r
-               case 0x18:\r
-                       snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id);\r
-                       break;\r
-               case 17:\r
-                       snprintf(retStr,sizeof(buf),"%d - Reserved",id);\r
-                       break;\r
-               default:\r
-                       snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id);\r
-                       break;\r
+               case 0: snprintf(retStr,sizeof(buf),"%d - DIRECT (ASK/NRZ)",id); break;\r
+               case 1: snprintf(retStr,sizeof(buf),"%d - PSK 1 phase change when input changes",id); break;\r
+               case 2: snprintf(retStr,sizeof(buf),"%d - PSK 2 phase change on bitclk if input high",id); break;\r
+               case 3: snprintf(retStr,sizeof(buf),"%d - PSK 3 phase change on rising edge of input",id); break;\r
+               case 4: snprintf(retStr,sizeof(buf),"%d - FSK 1 RF/8  RF/5",id); break;\r
+               case 5: snprintf(retStr,sizeof(buf),"%d - FSK 2 RF/8  RF/10",id); break;\r
+               case 6: snprintf(retStr,sizeof(buf),"%d - FSK 1a RF/5  RF/8",id); break;\r
+               case 7: snprintf(retStr,sizeof(buf),"%d - FSK 2a RF/10  RF/8",id); break;\r
+               case 8: snprintf(retStr,sizeof(buf),"%d - Manchester",id); break;\r
+               case 16: snprintf(retStr,sizeof(buf),"%d - Biphase",id); break;\r
+               case 0x18:snprintf(retStr,sizeof(buf),"%d - Biphase a - AKA Conditional Dephase Encoding(CDP)",id); break;\r
+               case 17: snprintf(retStr,sizeof(buf),"%d - Reserved",id); break;\r
+               default: snprintf(retStr,sizeof(buf),"0x%02X (Unknown)",id); break;\r
                }\r
        return buf;\r
 }\r
                }\r
        return buf;\r
 }\r
@@ -1203,45 +1371,19 @@ char * GetSelectedModulationStr( uint8_t id){
        char *retStr = buf;\r
 \r
        switch (id){\r
        char *retStr = buf;\r
 \r
        switch (id){\r
-               case DEMOD_FSK:\r
-                       snprintf(retStr,sizeof(buf),"FSK");\r
-                       break;\r
-               case DEMOD_FSK1:\r
-                       snprintf(retStr,sizeof(buf),"FSK1");\r
-                       break;\r
-               case DEMOD_FSK1a:\r
-                       snprintf(retStr,sizeof(buf),"FSK1a");\r
-                       break;\r
-               case DEMOD_FSK2:\r
-                       snprintf(retStr,sizeof(buf),"FSK2");\r
-                       break;\r
-               case DEMOD_FSK2a:\r
-                       snprintf(retStr,sizeof(buf),"FSK2a");\r
-                       break;\r
-               case DEMOD_ASK:         \r
-                       snprintf(retStr,sizeof(buf),"ASK");\r
-                       break;\r
-               case DEMOD_NRZ:\r
-                       snprintf(retStr,sizeof(buf),"DIRECT/NRZ");\r
-                       break;\r
-               case DEMOD_PSK1:\r
-                       snprintf(retStr,sizeof(buf),"PSK1");\r
-                       break;\r
-               case DEMOD_PSK2:\r
-                       snprintf(retStr,sizeof(buf),"PSK2");\r
-                       break;\r
-               case DEMOD_PSK3:\r
-                       snprintf(retStr,sizeof(buf),"PSK3");\r
-                       break;\r
-               case DEMOD_BI:\r
-                       snprintf(retStr,sizeof(buf),"BIPHASE");\r
-                       break;\r
-               case DEMOD_BIa:\r
-                       snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)");\r
-                       break;\r
-               default:\r
-                       snprintf(retStr,sizeof(buf),"(Unknown)");\r
-                       break;\r
+               case DEMOD_FSK: snprintf(retStr,sizeof(buf),"FSK");     break;\r
+               case DEMOD_FSK1: snprintf(retStr,sizeof(buf),"FSK1"); break;\r
+               case DEMOD_FSK1a: snprintf(retStr,sizeof(buf),"FSK1a"); break;\r
+               case DEMOD_FSK2: snprintf(retStr,sizeof(buf),"FSK2"); break;\r
+               case DEMOD_FSK2a: snprintf(retStr,sizeof(buf),"FSK2a"); break;\r
+               case DEMOD_ASK: snprintf(retStr,sizeof(buf),"ASK"); break;\r
+               case DEMOD_NRZ: snprintf(retStr,sizeof(buf),"DIRECT/NRZ"); break;\r
+               case DEMOD_PSK1: snprintf(retStr,sizeof(buf),"PSK1"); break;\r
+               case DEMOD_PSK2: snprintf(retStr,sizeof(buf),"PSK2"); break;\r
+               case DEMOD_PSK3: snprintf(retStr,sizeof(buf),"PSK3"); break;\r
+               case DEMOD_BI: snprintf(retStr,sizeof(buf),"BIPHASE"); break;\r
+               case DEMOD_BIa: snprintf(retStr,sizeof(buf),"BIPHASEa - (CDP)"); break;\r
+               default: snprintf(retStr,sizeof(buf),"(Unknown)"); break;\r
                }\r
        return buf;\r
 }\r
                }\r
        return buf;\r
 }\r
@@ -1260,6 +1402,7 @@ void t55x7_create_config_block( int tagtype ){
        switch (tagtype){\r
                case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
                case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
        switch (tagtype){\r
                case 0: snprintf(retStr, sizeof(buf),"%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK); break;\r
                case 1: snprintf(retStr, sizeof(buf),"%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK); break;\r
+               case 2: snprintf(retStr, sizeof(buf),"%08X - T5555 Q5 Default", T5555_DEFAULT_CONFIG_BLOCK); break;\r
                default:\r
                        break;\r
        }\r
                default:\r
                        break;\r
        }\r
@@ -1268,10 +1411,9 @@ void t55x7_create_config_block( int tagtype ){
 \r
 int CmdResetRead(const char *Cmd) {\r
        UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
 \r
 int CmdResetRead(const char *Cmd) {\r
        UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};\r
-\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
-       if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {\r
+       if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2500) ) {\r
                PrintAndLog("command execution time out");\r
                return 0;\r
        }\r
                PrintAndLog("command execution time out");\r
                return 0;\r
        }\r
@@ -1282,53 +1424,323 @@ int CmdResetRead(const char *Cmd) {
        setGraphBuf(got, sizeof(got));\r
        return 1;\r
 }\r
        setGraphBuf(got, sizeof(got));\r
        return 1;\r
 }\r
-\r
+// ADD T5555 (Q5) Default config block\r
 int CmdT55xxWipe(const char *Cmd) {\r
        char writeData[20] = {0};\r
        char *ptrData = writeData;\r
 int CmdT55xxWipe(const char *Cmd) {\r
        char writeData[20] = {0};\r
        char *ptrData = writeData;\r
-       \r
+       char cmdp = param_getchar(Cmd, 0);      \r
+       if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wipe();\r
+\r
+       bool Q5 = (cmdp == 'q' || cmdp == 'Q');\r
+\r
+       // Try with the default password to reset block 0\r
+       // With a pwd should work even if pwd bit not set\r
        PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
        PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");\r
+               \r
+       if ( Q5 )\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 6001F004 p 0");\r
+       else\r
+               snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
        \r
        \r
-       //try with the default password to reset block 0  (with a pwd should work even if pwd bit not set)\r
-       snprintf(ptrData,sizeof(writeData),"b 0 d 000880E0 p 0");\r
-       \r
-       if (!CmdT55xxWriteBlock(ptrData))\r
-               PrintAndLog("Error writing blk 0");\r
+       if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk 0");\r
        \r
        for (uint8_t blk = 1; blk<8; blk++) {\r
                \r
                snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
                \r
        \r
        for (uint8_t blk = 1; blk<8; blk++) {\r
                \r
                snprintf(ptrData,sizeof(writeData),"b %d d 0", blk);\r
                \r
-               if (!CmdT55xxWriteBlock(ptrData)) \r
-                       PrintAndLog("Error writing blk %d", blk);\r
+               if (!CmdT55xxWriteBlock(ptrData)) PrintAndLog("Error writing blk %d", blk);\r
                \r
                \r
-               memset(writeData, sizeof(writeData), 0x00);\r
+               memset(writeData,0x00, sizeof(writeData));\r
        }\r
        return 0;\r
 }\r
 \r
        }\r
        return 0;\r
 }\r
 \r
+bool IsCancelled(void) {\r
+       if (ukbhit()) {\r
+               int ch = getchar();\r
+               (void)ch;\r
+               printf("\naborted via keyboard!\n");\r
+               return TRUE;\r
+       }\r
+       return FALSE;\r
+}\r
+\r
+int CmdT55xxBruteForce(const char *Cmd) {\r
+       \r
+       // load a default pwd file.\r
+       char line[9];\r
+       char filename[FILE_PATH_SIZE]={0};\r
+       int     keycnt = 0;\r
+       uint8_t stKeyBlock = 20;\r
+       uint8_t *keyBlock = NULL, *p = NULL;\r
+    uint32_t start_password = 0x00000000; //start password\r
+    uint32_t end_password   = 0xFFFFFFFF; //end   password\r
+    bool found = false;\r
+\r
+       memset(line, 0, sizeof(line));\r
+       \r
+    char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();\r
+\r
+       keyBlock = calloc(stKeyBlock, 4);\r
+       if (keyBlock == NULL) return 1;\r
+\r
+       if (cmdp == 'i' || cmdp == 'I') {\r
+       \r
+               int len = strlen(Cmd+2);\r
+               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               memcpy(filename, Cmd+2, len);\r
+       \r
+               FILE * f = fopen( filename , "r");              \r
+               if ( !f ) {\r
+                       PrintAndLog("File: %s: not found or locked.", filename);\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }                       \r
+               \r
+               while( fgets(line, sizeof(line), f) ){\r
+                       if (strlen(line) < 8 || line[7] == '\n') continue;\r
+               \r
+                       //goto next line\r
+                       while (fgetc(f) != '\n' && !feof(f)) ;\r
+               \r
+                       //The line start with # is comment, skip\r
+                       if( line[0]=='#' ) continue;\r
+\r
+                       if (!isxdigit(line[0])) {\r
+                               PrintAndLog("File content error. '%s' must include 8 HEX symbols", line);\r
+                               continue;\r
+                       }\r
+                       \r
+                       line[8] = 0;            \r
+                       \r
+                       // realloc keyblock array size.\r
+                       if ( stKeyBlock - keycnt < 2) {\r
+                               p = realloc(keyBlock, 4 * (stKeyBlock += 10));\r
+                               if (!p) {\r
+                                       PrintAndLog("Cannot allocate memory for defaultKeys");\r
+                                       free(keyBlock);\r
+                                       if (f)\r
+                                               fclose(f);\r
+                                       return 2;\r
+                               }\r
+                               keyBlock = p;\r
+                       }\r
+                       // clear mem\r
+                       memset(keyBlock + 4 * keycnt, 0, 4);\r
+                       \r
+                       num_to_bytes( strtoll(line, NULL, 16), 4, keyBlock + 4*keycnt);\r
+                       \r
+                       PrintAndLog("chk custom pwd[%2d] %08X", keycnt, bytes_to_num(keyBlock + 4 * keycnt, 4) );                       \r
+                       keycnt++;                       \r
+                       memset(line, 0, sizeof(line));\r
+               }               \r
+               if (f)\r
+                       fclose(f);\r
+               \r
+               if (keycnt == 0) {\r
+                       PrintAndLog("No keys found in file");\r
+                       free(keyBlock);\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loaded %d keys", keycnt);\r
+               \r
+               // loop\r
+               uint64_t testpwd = 0x00;\r
+               for (uint16_t c = 0; c < keycnt; ++c ) {\r
+\r
+                       if ( offline ) {\r
+                               printf("Device offline\n");\r
+                               free(keyBlock);\r
+                               return  2;\r
+                       }\r
+               \r
+                       if (IsCancelled()) {\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       }\r
+               \r
+                       testpwd = bytes_to_num(keyBlock + 4*c, 4);\r
+\r
+                       PrintAndLog("Testing %08X", testpwd);\r
+                                               \r
+                       if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {\r
+                               PrintAndLog("Acquire data from device failed. Quitting");\r
+                               free(keyBlock);\r
+                               return 0;\r
+                       }\r
+                       \r
+                       found = tryDetectModulation();\r
+                       if ( found ) {\r
+                               PrintAndLog("Found valid password: [%08X]", testpwd);\r
+                               //free(keyBlock);\r
+                               //return 0;\r
+                       } \r
+               }\r
+               PrintAndLog("Password NOT found.");\r
+               free(keyBlock);\r
+               return 0;\r
+       }\r
+       \r
+       // Try to read Block 7, first :)\r
+       \r
+       // incremental pwd range search\r
+    start_password = param_get32ex(Cmd, 0, 0, 16);\r
+       end_password = param_get32ex(Cmd, 1, 0, 16);\r
+       \r
+       if ( start_password >= end_password ) {\r
+               free(keyBlock);\r
+               return usage_t55xx_bruteforce();\r
+       }\r
+       \r
+    PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);\r
+       \r
+    uint32_t i = start_password;\r
+\r
+    while ((!found) && (i <= end_password)){\r
+\r
+               printf(".");\r
+               fflush(stdout);\r
+               \r
+               if (IsCancelled()) {\r
+                       free(keyBlock);\r
+                       return 0;\r
+               }\r
+                       \r
+               if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {\r
+                       PrintAndLog("Acquire data from device failed. Quitting");\r
+                       free(keyBlock);\r
+                       return 0;\r
+               }\r
+               found = tryDetectModulation();\r
+        \r
+               if (found) break;\r
+               i++;\r
+    }\r
+    \r
+    PrintAndLog("");\r
+       \r
+    if (found)\r
+               PrintAndLog("Found valid password: [%08x]", i);\r
+    else\r
+               PrintAndLog("Password NOT found. Last tried: [%08x]", --i);\r
+\r
+       free(keyBlock);\r
+    return 0;\r
+}\r
+\r
+int tryOnePassword(uint32_t password) {\r
+       PrintAndLog("Trying password %08x", password);\r
+       if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, password)) {\r
+               PrintAndLog("Acquire data from device failed. Quitting");\r
+               return -1;\r
+       }\r
+\r
+       if (tryDetectModulation())\r
+               return 1;\r
+       else \r
+               return 0;\r
+}\r
+\r
+int CmdT55xxRecoverPW(const char *Cmd) {\r
+       int bit = 0;\r
+       uint32_t orig_password = 0x0;\r
+       uint32_t curr_password = 0x0;\r
+       uint32_t prev_password = 0xffffffff;\r
+       uint32_t mask = 0x0;\r
+       int found = 0;\r
+       char cmdp = param_getchar(Cmd, 0);\r
+       if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_recoverpw();\r
+\r
+       orig_password = param_get32ex(Cmd, 0, 0x51243648, 16); //password used by handheld cloners\r
+\r
+       // first try fliping each bit in the expected password\r
+       while (bit < 32) {\r
+               curr_password = orig_password ^ ( 1 << bit );\r
+               found = tryOnePassword(curr_password);\r
+               if (found == -1) return 0;\r
+               bit++;\r
+               \r
+               if (IsCancelled()) return 0;\r
+       }\r
+\r
+       // now try to use partial original password, since block 7 should have been completely\r
+       // erased during the write sequence and it is possible that only partial password has been\r
+       // written\r
+       // not sure from which end the bit bits are written, so try from both ends \r
+       // from low bit to high bit\r
+       bit = 0;\r
+       while (bit < 32) {\r
+               mask += ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == -1) return 0;\r
+               bit++;\r
+               prev_password = curr_password;\r
+               \r
+               if (IsCancelled()) return 0;\r
+       }\r
+\r
+       // from high bit to low\r
+       bit = 0;\r
+       mask = 0xffffffff;\r
+       while (bit < 32) {\r
+               mask -= ( 1 << bit );\r
+               curr_password = orig_password & mask;\r
+               // if updated mask didn't change the password, don't try it again\r
+               if (prev_password == curr_password) {\r
+                       bit++;\r
+                       continue;\r
+               }\r
+               found = tryOnePassword(curr_password);\r
+               if (found == -1)\r
+                       return 0;\r
+               bit++;\r
+               prev_password = curr_password;\r
+               \r
+               if (IsCancelled()) return 0;\r
+       }\r
+\r
+       PrintAndLog("");\r
+\r
+       if (found == 1)\r
+               PrintAndLog("Found valid password: [%08x]", curr_password);\r
+       else\r
+               PrintAndLog("Password NOT found.");\r
+\r
+       return 0;\r
+}\r
+\r
 static command_t CommandTable[] = {\r
 static command_t CommandTable[] = {\r
-  {"help",   CmdHelp,           1, "This help"},\r
-  {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
-  {"detect",   CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
-  {"read",     CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
-  {"resetread",CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
-  {"write",    CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
-  {"trace",    CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
-  {"info",     CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
-  {"dump",     CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
-  {"special", special,          0, "Show block changes with 64 different offsets"},\r
-  {"wakeup", CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
-  {"wipe",     CmdT55xxWipe,      0, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
-  {NULL, NULL, 0, NULL}\r
+       {"help",                CmdHelp,           1, "This help"},\r
+       {"bruteforce",  CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},\r
+       {"config",              CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},\r
+       {"detect",              CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},\r
+       {"dump",                CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},\r
+       {"info",                CmdT55xxInfo,      1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},\r
+       {"read",                CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},\r
+       {"resetread",   CmdResetRead,      0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},\r
+       {"recoverpw",   CmdT55xxRecoverPW, 0, "[password] Try to recover from bad password write from a cloner. Only use on PW protected chips!"},\r
+       {"special",             special,           0, "Show block changes with 64 different offsets"},  \r
+       {"trace",               CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},\r
+       {"wakeup",              CmdT55xxWakeUp,    0, "Send AOR wakeup command"},\r
+       {"wipe",                CmdT55xxWipe,      0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},\r
+       {"write",               CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},\r
+       {NULL, NULL, 0, NULL}\r
 };\r
 \r
 int CmdLFT55XX(const char *Cmd) {\r
 };\r
 \r
 int CmdLFT55XX(const char *Cmd) {\r
-  CmdsParse(CommandTable, Cmd);\r
-  return 0;\r
+       clearCommandBuffer();\r
+       CmdsParse(CommandTable, Cmd);\r
+       return 0;\r
 }\r
 \r
 int CmdHelp(const char *Cmd) {\r
 }\r
 \r
 int CmdHelp(const char *Cmd) {\r
-  CmdsHelp(CommandTable);\r
-  return 0;\r
+       CmdsHelp(CommandTable);\r
+       return 0;\r
 }\r
 }\r
Proxmark3 GIT tracking
Impressum, Datenschutz