X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/3975d477e10caee062f2b491b33dffcfc208ec29..refs/pull/910/head:/client/cmdlft55xx.c?ds=inline diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 348cb229..c64e5ef2 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -7,24 +7,24 @@ // Low frequency T55xx commands //----------------------------------------------------------------------------- +#include "cmdlft55xx.h" + #include #include #include -//#include //not used - marshmellow -#include "proxmark3.h" +#include +#include +#include "comms.h" #include "ui.h" #include "graph.h" #include "cmdmain.h" #include "cmdparser.h" #include "cmddata.h" #include "cmdlf.h" -#include "cmdlft55xx.h" #include "util.h" -#include "data.h" #include "lfdemod.h" -//#include "../common/crc.h" //not used - marshmellow -//#include "../common/iso14443crc.h" //not used - marshmellow -#include "cmdhf14a.h" //for getTagInfo +#include "protocols.h" +#include "taginfo.h" #define T55x7_CONFIGURATION_BLOCK 0x00 #define T55x7_PAGE0 0x00 @@ -33,7 +33,7 @@ #define REGULAR_READ_MODE_BLOCK 0xFF // Default configuration -t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00, .Q5 = FALSE }; +t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = false, .offset = 0x00, .block0 = 0x00, .Q5 = false }; t55xx_conf_block_t Get_t55xx_Config(){ return config; @@ -51,6 +51,7 @@ int usage_t55xx_config(){ PrintAndLog(" i [1] Invert data signal, defaults to normal"); PrintAndLog(" o [offset] Set offset, where data should start decode in bitstream"); PrintAndLog(" Q5 Set as Q5(T5555) chip instead of T55x7"); + PrintAndLog(" ST Set Sequence Terminator on"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx config d FSK - FSK demodulation"); @@ -66,6 +67,8 @@ int usage_t55xx_read(){ PrintAndLog(" p - OPTIONAL password (8 hex characters)"); PrintAndLog(" o - OPTIONAL override safety check"); PrintAndLog(" 1 - OPTIONAL read Page 1 instead of Page 0"); + PrintAndLog(" r - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference"); + PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); PrintAndLog(" ****WARNING****"); PrintAndLog(" Use of read with password on a tag not configured for a pwd"); PrintAndLog(" can damage the tag"); @@ -78,16 +81,19 @@ int usage_t55xx_read(){ return 0; } int usage_t55xx_write(){ - PrintAndLog("Usage: lf t55xx wr [b ] [d ] [p ] [1]"); + PrintAndLog("Usage: lf t55xx write [b ] [d ] [p ] [1] [t]"); PrintAndLog("Options:"); PrintAndLog(" b - block number to write. Between 0-7"); PrintAndLog(" d - 4 bytes of data to write (8 hex characters)"); PrintAndLog(" p - OPTIONAL password 4bytes (8 hex characters)"); PrintAndLog(" 1 - OPTIONAL write Page 1 instead of Page 0"); + PrintAndLog(" t - OPTIONAL test mode write - ****DANGER****"); + PrintAndLog(" r - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference"); + PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); PrintAndLog(""); PrintAndLog("Examples:"); - PrintAndLog(" lf t55xx wr b 3 d 11223344 - write 11223344 to block 3"); - PrintAndLog(" lf t55xx wr b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef"); + PrintAndLog(" lf t55xx write b 3 d 11223344 - write 11223344 to block 3"); + PrintAndLog(" lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef"); PrintAndLog(""); return 0; } @@ -130,6 +136,8 @@ int usage_t55xx_detect(){ PrintAndLog("Options:"); PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag."); PrintAndLog(" p - OPTIONAL password (8 hex characters)"); + PrintAndLog(" r - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference"); + PrintAndLog(" '2' leading zero, '3' 1 of 4 coding reference"); PrintAndLog(""); PrintAndLog("Examples:"); PrintAndLog(" lf t55xx detect"); @@ -138,15 +146,29 @@ int usage_t55xx_detect(){ PrintAndLog(""); return 0; } +int usage_t55xx_detectP1(){ + PrintAndLog("Command: Detect Page 1 of a t55xx chip"); + PrintAndLog("Usage: lf t55xx p1detect [1] [p ]"); + PrintAndLog("Options:"); + PrintAndLog(" 1 - if set, use Graphbuffer otherwise read data from tag."); + PrintAndLog(" p - OPTIONAL password (8 hex characters)"); + PrintAndLog(""); + PrintAndLog("Examples:"); + PrintAndLog(" lf t55xx p1detect"); + PrintAndLog(" lf t55xx p1detect 1"); + PrintAndLog(" lf t55xx p1detect p 11223344"); + PrintAndLog(""); + return 0; +} int usage_t55xx_wakup(){ - PrintAndLog("Usage: lf t55xx wakeup [h] p "); + PrintAndLog("Usage: lf t55xx wakeup [h] "); PrintAndLog("This commands send the Answer-On-Request command and leaves the readerfield ON afterwards."); PrintAndLog("Options:"); PrintAndLog(" h - this help"); - PrintAndLog(" p - password 4bytes (8 hex symbols)"); + PrintAndLog(" - [required] password 4bytes (8 hex symbols)"); PrintAndLog(""); PrintAndLog("Examples:"); - PrintAndLog(" lf t55xx wakeup p 11223344 - send wakeup password"); + PrintAndLog(" lf t55xx wakeup 11223344 - send wakeup password"); return 0; } int usage_t55xx_bruteforce(){ @@ -156,13 +178,16 @@ int usage_t55xx_bruteforce(){ PrintAndLog(" password must be 4 bytes (8 hex symbols)"); PrintAndLog("Options:"); PrintAndLog(" h - this help"); + PrintAndLog(" r - OPTIONAL downlink encoding '0' fixed bit length (default)"); + PrintAndLog(" '1' long leading reference, '2' leading zero "); + PrintAndLog(" '3' 1 of 4 coding reference, '4' special - try all downlink modes"); PrintAndLog(" - 4 byte hex value to start pwd search at"); PrintAndLog(" - 4 byte hex value to end pwd search at"); PrintAndLog(" i <*.dic> - loads a default keys dictionary file <*.dic>"); PrintAndLog(""); PrintAndLog("Examples:"); - PrintAndLog(" lf t55xx bruteforce aaaaaaaa bbbbbbbb"); - PrintAndLog(" lf t55xx bruteforce i default_pwd.dic"); + PrintAndLog(" lf t55xx bruteforce [r 2] aaaaaaaa bbbbbbbb"); + PrintAndLog(" lf t55xx bruteforce [r 2] i default_pwd.dic"); PrintAndLog(""); return 0; } @@ -191,12 +216,12 @@ void printT5xxHeader(uint8_t page){ int CmdT55xxSetConfig(const char *Cmd) { uint8_t offset = 0; - char modulation[5] = {0x00}; + char modulation[6] = {0x00}; char tmp = 0x00; uint8_t bitRate = 0; uint8_t rates[9] = {8,16,32,40,50,64,100,128,0}; uint8_t cmdp = 0; - bool errors = FALSE; + bool errors = false; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { tmp = param_getchar(Cmd, cmdp); @@ -215,12 +240,12 @@ int CmdT55xxSetConfig(const char *Cmd) { break; } } - if (i==9) errors = TRUE; + if (i==9) errors = true; } cmdp+=2; break; case 'd': - param_getstr(Cmd, cmdp+1, modulation); + param_getstr(Cmd, cmdp+1, modulation, sizeof(modulation)); cmdp += 2; if ( strcmp(modulation, "FSK" ) == 0) { @@ -255,7 +280,7 @@ int CmdT55xxSetConfig(const char *Cmd) { config.inverted=0; } else { PrintAndLog("Unknown modulation '%s'", modulation); - errors = TRUE; + errors = true; } break; case 'i': @@ -270,32 +295,37 @@ int CmdT55xxSetConfig(const char *Cmd) { break; case 'Q': case 'q': - config.Q5 = TRUE; + config.Q5 = true; + cmdp++; + break; + case 'S': + case 's': + config.ST = true; cmdp++; break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); - errors = TRUE; + errors = true; break; } } // No args - if (cmdp == 0) return printConfiguration( config ); + if (cmdp == 0) return printConfiguration( config); //Validations if (errors) return usage_t55xx_config(); config.block0 = 0; - return printConfiguration ( config ); + return printConfiguration ( config); } -int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password){ +int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){ //Password mode if ( usepwd ) { // try reading the config block and verify that PWD bit is set before doing this! if ( !override ) { - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0 ) ) return 0; + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0,downlink_mode ) ) return 0; if ( !tryDetectModulation() ) { PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits."); return 0; @@ -309,7 +339,7 @@ int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32 } } - if (!AquireData(page1, block, usepwd, password) ) return 0; + if (!AquireData(page1, block, usepwd, password,downlink_mode) ) return 0; if (!DecodeT55xxBlock()) return 0; char blk[10]={0}; @@ -321,6 +351,8 @@ int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32 int CmdT55xxReadBlock(const char *Cmd) { uint8_t block = REGULAR_READ_MODE_BLOCK; uint32_t password = 0; //default to blank Block 7 + uint8_t downlink_mode = 0; + bool usepwd = false; bool override = false; bool page1 = false; @@ -351,6 +383,12 @@ int CmdT55xxReadBlock(const char *Cmd) { page1 = true; cmdp++; break; + case 'r': + case 'R': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -365,7 +403,7 @@ int CmdT55xxReadBlock(const char *Cmd) { } printT5xxHeader(page1); - return T55xxReadBlock(block, page1, usepwd, override, password); + return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode); } bool DecodeT55xxBlock(){ @@ -373,59 +411,60 @@ bool DecodeT55xxBlock(){ char buf[30] = {0x00}; char *cmdStr = buf; int ans = 0; + bool ST = config.ST; uint8_t bitRate[8] = {8,16,32,40,50,64,100,128}; DemodBufferLen = 0x00; switch( config.modulation ){ case DEMOD_FSK: snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted ); - ans = FSKrawDemod(cmdStr, FALSE); + ans = FSKrawDemod(cmdStr, false); break; case DEMOD_FSK1: case DEMOD_FSK1a: snprintf(cmdStr, sizeof(buf),"%d %d 8 5", bitRate[config.bitrate], config.inverted ); - ans = FSKrawDemod(cmdStr, FALSE); + ans = FSKrawDemod(cmdStr, false); break; case DEMOD_FSK2: case DEMOD_FSK2a: snprintf(cmdStr, sizeof(buf),"%d %d 10 8", bitRate[config.bitrate], config.inverted ); - ans = FSKrawDemod(cmdStr, FALSE); + ans = FSKrawDemod(cmdStr, false); break; case DEMOD_ASK: snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted ); - ans = ASKDemod(cmdStr, FALSE, FALSE, 1); + ans = ASKDemod_ext(cmdStr, false, false, 1, &ST); break; case DEMOD_PSK1: // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) - save_restoreGB(1); + save_restoreGB(GRAPH_SAVE); CmdLtrim("160"); snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted ); - ans = PSKDemod(cmdStr, FALSE); + ans = PSKDemod(cmdStr, false); //undo trim samples - save_restoreGB(0); + save_restoreGB(GRAPH_RESTORE); break; case DEMOD_PSK2: //inverted won't affect this case DEMOD_PSK3: //not fully implemented // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) - save_restoreGB(1); + save_restoreGB(GRAPH_SAVE); CmdLtrim("160"); snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] ); - ans = PSKDemod(cmdStr, FALSE); + ans = PSKDemod(cmdStr, false); psk1TOpsk2(DemodBuffer, DemodBufferLen); //undo trim samples - save_restoreGB(0); + save_restoreGB(GRAPH_RESTORE); break; case DEMOD_NRZ: snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted ); - ans = NRZrawDemod(cmdStr, FALSE); + ans = NRZrawDemod(cmdStr, false); break; case DEMOD_BI: case DEMOD_BIa: snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted ); - ans = ASKbiphaseDemod(cmdStr, FALSE); + ans = ASKbiphaseDemod(cmdStr, false); break; default: - return FALSE; + return false; } return (bool) ans; } @@ -434,15 +473,35 @@ bool DecodeT5555TraceBlock() { DemodBufferLen = 0x00; // According to datasheet. Always: RF/64, not inverted, Manchester - return (bool) ASKDemod("64 0 1", FALSE, FALSE, 1); + return (bool) ASKDemod("64 0 1", false, false, 1); +} + +void T55xx_Print_DownlinkMode (uint8_t downlink_mode) +{ + char Msg[80]; + sprintf (Msg,"Downlink Mode used : "); + + switch (downlink_mode) { + case 0 : strcat (Msg,"default/fixed bit length"); break; + case 1 : strcat (Msg,"long leading reference (r 1)"); break; + case 2 : strcat (Msg,"leading zero reference (r 2)"); break; + case 3 : strcat (Msg,"1 of 4 coding reference (r 3)"); break; + default : + strcat (Msg,"default/fixed bit length"); break; + + } + + PrintAndLog (Msg); + } int CmdT55xxDetect(const char *Cmd){ - bool errors = FALSE; - bool useGB = FALSE; - bool usepwd = FALSE; + bool errors = false; + bool useGB = false; + bool usepwd = false; uint32_t password = 0; uint8_t cmdp = 0; + uint8_t downlink_mode = 0; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch(param_getchar(Cmd, cmdp)) { @@ -452,14 +511,20 @@ int CmdT55xxDetect(const char *Cmd){ case 'p': case 'P': password = param_get32ex(Cmd, cmdp+1, 0, 16); - usepwd = TRUE; + usepwd = true; cmdp += 2; break; case '1': // use Graphbuffer data - useGB = TRUE; + useGB = true; cmdp++; break; + case 'r': + case 'R': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -469,13 +534,16 @@ int CmdT55xxDetect(const char *Cmd){ if (errors) return usage_t55xx_detect(); if ( !useGB) { - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password) ) + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password,downlink_mode) ) return 0; } if ( !tryDetectModulation() ) PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'"); - + else { + // Add downlink mode for reference. + T55xx_Print_DownlinkMode (downlink_mode); + } return 1; } @@ -484,130 +552,140 @@ bool tryDetectModulation(){ uint8_t hits = 0; t55xx_conf_block_t tests[15]; int bitRate=0; - uint8_t fc1 = 0, fc2 = 0, clk=0; - - if (GetFskClock("", FALSE, FALSE)){ - fskClocks(&fc1, &fc2, &clk, FALSE); - if ( FSKrawDemod("0 0", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + uint8_t fc1 = 0, fc2 = 0, ans = 0; + int clk = 0, firstClockEdge = 0; + ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge); + if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) { + if ( FSKrawDemod("0 0", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_FSK; if (fc1==8 && fc2 == 5) tests[hits].modulation = DEMOD_FSK1a; else if (fc1==10 && fc2 == 8) tests[hits].modulation = DEMOD_FSK2; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( FSKrawDemod("0 1", FALSE) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( FSKrawDemod("0 1", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_FSK; if (fc1 == 8 && fc2 == 5) tests[hits].modulation = DEMOD_FSK1; else if (fc1 == 10 && fc2 == 8) tests[hits].modulation = DEMOD_FSK2a; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } else { - clk = GetAskClock("", FALSE, FALSE); + clk = GetAskClock("", false, false); if (clk>0) { - if ( ASKDemod("0 0 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + tests[hits].ST = true; + if ( ASKDemod_ext("0 0 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); ++hits; } - if ( ASKDemod("0 1 1", FALSE, FALSE, 1) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + tests[hits].ST = true; + if ( ASKDemod_ext("0 1 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_ASK; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); ++hits; } - if ( ASKbiphaseDemod("0 0 0 2", FALSE) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { + if ( ASKbiphaseDemod("0 0 0 2", false) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { tests[hits].modulation = DEMOD_BI; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( ASKbiphaseDemod("0 0 1 2", FALSE) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { + if ( ASKbiphaseDemod("0 0 1 2", false) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) { tests[hits].modulation = DEMOD_BIa; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } - //undo trim from ask - //save_restoreGB(0); - clk = GetNrzClock("", FALSE, FALSE); - if (clk>0) { - if ( NRZrawDemod("0 0 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + clk = GetNrzClock("", false, false); + if (clk>8) { //clock of rf/8 is likely a false positive, so don't use it. + if ( NRZrawDemod("0 0 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_NRZ; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( NRZrawDemod("0 1 1", FALSE) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( NRZrawDemod("0 1 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_NRZ; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } - // allow undo - // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) - save_restoreGB(1); - CmdLtrim("160"); - clk = GetPskClock("", FALSE, FALSE); + clk = GetPskClock("", false, false); if (clk>0) { - if ( PSKDemod("0 0 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + // allow undo + save_restoreGB(GRAPH_SAVE); + // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) + CmdLtrim("160"); + if ( PSKDemod("0 0 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_PSK1; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } - if ( PSKDemod("0 1 6", FALSE) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { + if ( PSKDemod("0 1 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) { tests[hits].modulation = DEMOD_PSK1; tests[hits].bitrate = bitRate; - tests[hits].inverted = TRUE; + tests[hits].inverted = true; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } // PSK2 - needs a call to psk1TOpsk2. - if ( PSKDemod("0 0 6", FALSE)) { + if ( PSKDemod("0 0 6", false)) { psk1TOpsk2(DemodBuffer, DemodBufferLen); if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){ tests[hits].modulation = DEMOD_PSK2; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } // inverse waves does not affect this demod // PSK3 - needs a call to psk1TOpsk2. - if ( PSKDemod("0 0 6", FALSE)) { + if ( PSKDemod("0 0 6", false)) { psk1TOpsk2(DemodBuffer, DemodBufferLen); if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){ tests[hits].modulation = DEMOD_PSK3; tests[hits].bitrate = bitRate; - tests[hits].inverted = FALSE; + tests[hits].inverted = false; tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer); + tests[hits].ST = false; ++hits; } } // inverse waves does not affect this demod + //undo trim samples + save_restoreGB(GRAPH_RESTORE); } - //undo trim samples - save_restoreGB(0); } if ( hits == 1) { config.modulation = tests[0].modulation; @@ -616,79 +694,81 @@ bool tryDetectModulation(){ config.offset = tests[0].offset; config.block0 = tests[0].block0; config.Q5 = tests[0].Q5; - printConfiguration( config ); - return TRUE; + config.ST = tests[0].ST; + + printConfiguration( config); + return true; } if ( hits > 1) { PrintAndLog("Found [%d] possible matches for modulation.",hits); for(int i=0; i= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return TRUE; + if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return true; break; case DEMOD_ASK: - if (modread == DEMOD_ASK) return TRUE; + if (modread == DEMOD_ASK) return true; break; case DEMOD_PSK1: - if (modread == DEMOD_PSK1) return TRUE; + if (modread == DEMOD_PSK1) return true; break; case DEMOD_PSK2: - if (modread == DEMOD_PSK2) return TRUE; + if (modread == DEMOD_PSK2) return true; break; case DEMOD_PSK3: - if (modread == DEMOD_PSK3) return TRUE; + if (modread == DEMOD_PSK3) return true; break; case DEMOD_NRZ: - if (modread == DEMOD_NRZ) return TRUE; + if (modread == DEMOD_NRZ) return true; break; case DEMOD_BI: - if (modread == DEMOD_BI) return TRUE; + if (modread == DEMOD_BI) return true; break; case DEMOD_BIa: - if (modread == DEMOD_BIa) return TRUE; + if (modread == DEMOD_BIa) return true; break; default: - return FALSE; + return false; } - return FALSE; + return false; } bool testQ5Modulation(uint8_t mode, uint8_t modread){ switch( mode ){ case DEMOD_FSK: - if (modread >= 4 && modread <= 5) return TRUE; + if (modread >= 4 && modread <= 5) return true; break; case DEMOD_ASK: - if (modread == 0) return TRUE; + if (modread == 0) return true; break; case DEMOD_PSK1: - if (modread == 1) return TRUE; + if (modread == 1) return true; break; case DEMOD_PSK2: - if (modread == 2) return TRUE; + if (modread == 2) return true; break; case DEMOD_PSK3: - if (modread == 3) return TRUE; + if (modread == 3) return true; break; case DEMOD_NRZ: - if (modread == 7) return TRUE; + if (modread == 7) return true; break; case DEMOD_BI: - if (modread == 6) return TRUE; + if (modread == 6) return true; break; default: - return FALSE; + return false; } - return FALSE; + return false; } int convertQ5bitRate(uint8_t bitRateRead) { @@ -702,7 +782,7 @@ int convertQ5bitRate(uint8_t bitRateRead) { bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){ - if ( DemodBufferLen < 64 ) return FALSE; + if ( DemodBufferLen < 64 ) return false; uint8_t si = 0; for (uint8_t idx = 28; idx < 64; idx++){ si = idx; @@ -735,9 +815,9 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){ if (*fndBitRate < 0) continue; *offset = idx; - return TRUE; + return true; } - return FALSE; + return false; } bool testBitRate(uint8_t readRate, uint8_t clk){ @@ -750,7 +830,7 @@ bool testBitRate(uint8_t readRate, uint8_t clk){ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){ - if ( DemodBufferLen < 64 ) return FALSE; + if ( DemodBufferLen < 64 ) return false; uint8_t si = 0; for (uint8_t idx = 28; idx < 64; idx++){ si = idx; @@ -762,34 +842,35 @@ bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5) // moved test to here, since this gets most faults first. if ( resv > 0x00) continue; - uint8_t xtRate = PackBits(si, 3, DemodBuffer); si += 3; //extended mode part of rate - int bitRate = PackBits(si, 3, DemodBuffer); si += 3; //bit rate - if (bitRate > 7) continue; + int bitRate = PackBits(si, 6, DemodBuffer); si += 6; //bit rate (includes extended mode part of rate) uint8_t extend = PackBits(si, 1, DemodBuffer); si += 1; //bit 15 extended mode uint8_t modread = PackBits(si, 5, DemodBuffer); si += 5+2+1; //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2+1; //could check psk cr - uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode - uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2; + //uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode + //uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2; //if extended mode - bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? TRUE : FALSE; + bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? true : false; + + if (!extMode) { + if (bitRate > 7) continue; + if (!testBitRate(bitRate, clk)) continue; + } else { //extended mode bitrate = same function to calc bitrate as em4x05 + if (EM4x05_GET_BITRATE(bitRate) != clk) continue; - if (!extMode){ - if (nml01 || nml02 || xtRate) continue; } //test modulation if (!testModulation(mode, modread)) continue; - if (!testBitRate(bitRate, clk)) continue; *fndBitRate = bitRate; *offset = idx; - *Q5 = FALSE; - return TRUE; + *Q5 = false; + return true; } if (testQ5(mode, offset, fndBitRate, clk)) { - *Q5 = TRUE; - return TRUE; + *Q5 = true; + return true; } - return FALSE; + return false; } void printT55xxBlock(const char *blockNum){ @@ -836,9 +917,10 @@ int special(const char *Cmd) { int printConfiguration( t55xx_conf_block_t b){ PrintAndLog("Chip Type : %s", (b.Q5) ? "T5555(Q5)" : "T55x7"); PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation) ); - PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate) ); + PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate, (b.block0 & T55x7_X_MODE && (b.block0>>28==6 || b.block0>>28==9))) ); PrintAndLog("Inverted : %s", (b.inverted) ? "Yes" : "No" ); PrintAndLog("Offset : %d", b.offset); + PrintAndLog("Seq. Term. : %s", (b.ST) ? "Yes" : "No" ); PrintAndLog("Block0 : 0x%08X", b.block0); PrintAndLog(""); return 0; @@ -846,26 +928,11 @@ int printConfiguration( t55xx_conf_block_t b){ int CmdT55xxWakeUp(const char *Cmd) { uint32_t password = 0; - uint8_t cmdp = 0; - bool errors = true; - while(param_getchar(Cmd, cmdp) != 0x00) { - switch(param_getchar(Cmd, cmdp)) { - case 'h': - case 'H': - return usage_t55xx_wakup(); - case 'p': - case 'P': - password = param_get32ex(Cmd, cmdp+1, 0xFFFFFFFF, 16); - cmdp += 2; - errors = false; - break; - default: - PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); - errors = true; - break; - } - } - if (errors) return usage_t55xx_wakup(); + if ( strlen(Cmd) <= 0 ) return usage_t55xx_wakup(); + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_wakup(); + + password = param_get32ex(Cmd, 0, 0, 16); UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}}; clearCommandBuffer(); @@ -878,9 +945,12 @@ int CmdT55xxWriteBlock(const char *Cmd) { uint8_t block = 0xFF; //default to invalid block uint32_t data = 0; //default to blank Block uint32_t password = 0; //default to blank Block 7 + uint32_t downlink_mode = 0; + bool usepwd = false; bool page1 = false; bool gotdata = false; + bool testMode = false; bool errors = false; uint8_t cmdp = 0; while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { @@ -905,10 +975,21 @@ int CmdT55xxWriteBlock(const char *Cmd) { usepwd = true; cmdp += 2; break; + case 't': + case 'T': + testMode = true; + cmdp++; + break; case '1': page1 = true; cmdp++; break; + case 'r': + case 'R': + downlink_mode = param_getchar(Cmd, cmdp+1) - '0'; + if (downlink_mode > 3) downlink_mode = 0; + cmdp +=2; + break; default: PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); errors = true; @@ -925,17 +1006,20 @@ int CmdT55xxWriteBlock(const char *Cmd) { UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}}; UsbCommand resp; c.d.asBytes[0] = (page1) ? 0x2 : 0; - + c.d.asBytes[0] |= (testMode) ? 0x4 : 0; + c.d.asBytes[0] |= (downlink_mode << 3); + char pwdStr[16] = {0}; snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password); PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdStr : "" ); - + //Password mode if (usepwd) { c.arg[2] = password; c.d.asBytes[0] |= 0x1; } + clearCommandBuffer(); SendCommand(&c); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ @@ -953,7 +1037,7 @@ int CmdT55xxReadTrace(const char *Cmd) { return usage_t55xx_trace(); if (strlen(Cmd)==0) - if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password ) ) + if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password,0 ) ) return 0; if ( config.Q5 ) { @@ -1043,7 +1127,7 @@ void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){ PrintAndLog("-- T55x7 Trace Information ----------------------------------"); PrintAndLog("-------------------------------------------------------------"); PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", data.acl, data.acl); - PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", data.mfc, data.mfc, getTagInfo(data.mfc)); + PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", data.mfc, data.mfc, getManufacturerName(data.mfc)); PrintAndLog(" CID : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid)); PrintAndLog(" ICR IC Revision : %d", data.icr ); PrintAndLog(" Manufactured"); @@ -1117,7 +1201,7 @@ int CmdT55xxInfo(const char *Cmd){ return usage_t55xx_info(); if (strlen(Cmd)==0) - if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password ) ) + if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password,0 ) ) return 1; if (!DecodeT55xxBlock()) return 1; @@ -1149,7 +1233,7 @@ int CmdT55xxInfo(const char *Cmd){ PrintAndLog("-------------------------------------------------------------"); PrintAndLog(" Safer key : %s", GetSaferStr(safer)); PrintAndLog(" reserved : %d", resv); - PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr)); + PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr, extend)); PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No"); PrintAndLog(" Modulation : %s", GetModulationStr(datamod)); PrintAndLog(" PSK clock frequency : %d", pskcf); @@ -1176,7 +1260,7 @@ int CmdT55xxDump(const char *Cmd){ bool override = false; if ( cmdp == 'h' || cmdp == 'H') return usage_t55xx_dump(); - bool usepwd = ( strlen(Cmd) > 0); + bool usepwd = ( strlen(Cmd) > 0); if ( usepwd ){ password = param_get32ex(Cmd, 0, 0, 16); if (param_getchar(Cmd, 1) =='o' ) @@ -1185,20 +1269,21 @@ int CmdT55xxDump(const char *Cmd){ printT5xxHeader(0); for ( uint8_t i = 0; i <8; ++i) - T55xxReadBlock(i, 0, usepwd, override, password); + T55xxReadBlock(i, 0, usepwd, override, password,0); printT5xxHeader(1); for ( uint8_t i = 0; i<4; i++) - T55xxReadBlock(i, 1, usepwd, override, password); + T55xxReadBlock(i, 1, usepwd, override, password,0); return 1; } -int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){ +int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode ){ // arg0 bitmodes: // bit0 = pwdmode // bit1 = page to read from uint8_t arg0 = (page<<1) | pwdmode; + arg0 |= (downlink_mode << 3); UsbCommand c = {CMD_T55XX_READ_BLOCK, {arg0, block, password}}; clearCommandBuffer(); @@ -1207,28 +1292,28 @@ int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password ){ PrintAndLog("command execution time out"); return 0; } - - uint8_t got[12000]; - GetFromBigBuf(got,sizeof(got),0); - WaitForResponse(CMD_ACK,NULL); - setGraphBuf(got, sizeof(got)); + getSamples(12000,true); return 1; } -char * GetBitRateStr(uint32_t id) { +char * GetBitRateStr(uint32_t id, bool xmode) { static char buf[25]; char *retStr = buf; - switch (id) { - case 0: snprintf(retStr,sizeof(buf),"%d - RF/8",id); break; - case 1: snprintf(retStr,sizeof(buf),"%d - RF/16",id); break; - case 2: snprintf(retStr,sizeof(buf),"%d - RF/32",id); break; - case 3: snprintf(retStr,sizeof(buf),"%d - RF/40",id); break; - case 4: snprintf(retStr,sizeof(buf),"%d - RF/50",id); break; - case 5: snprintf(retStr,sizeof(buf),"%d - RF/64",id); break; - case 6: snprintf(retStr,sizeof(buf),"%d - RF/100",id); break; - case 7: snprintf(retStr,sizeof(buf),"%d - RF/128",id); break; - default: snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break; + if (xmode) { //xmode bitrate calc is same as em4x05 calc + snprintf(retStr,sizeof(buf),"%d - RF/%d", id, EM4x05_GET_BITRATE(id)); + } else { + switch (id) { + case 0: snprintf(retStr,sizeof(buf),"%d - RF/8",id); break; + case 1: snprintf(retStr,sizeof(buf),"%d - RF/16",id); break; + case 2: snprintf(retStr,sizeof(buf),"%d - RF/32",id); break; + case 3: snprintf(retStr,sizeof(buf),"%d - RF/40",id); break; + case 4: snprintf(retStr,sizeof(buf),"%d - RF/50",id); break; + case 5: snprintf(retStr,sizeof(buf),"%d - RF/64",id); break; + case 6: snprintf(retStr,sizeof(buf),"%d - RF/100",id); break; + case 7: snprintf(retStr,sizeof(buf),"%d - RF/128",id); break; + default: snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break; + } } return buf; } @@ -1328,8 +1413,7 @@ int CmdResetRead(const char *Cmd) { } uint8_t got[BIGBUF_SIZE-1]; - GetFromBigBuf(got,sizeof(got),0); - WaitForResponse(CMD_ACK,NULL); + GetFromBigBuf(got, sizeof(got), 0, NULL, -1 , 0); setGraphBuf(got, sizeof(got)); return 1; } @@ -1371,23 +1455,38 @@ int CmdT55xxBruteForce(const char *Cmd) { char buf[9]; char filename[FILE_PATH_SIZE]={0}; int keycnt = 0; + int ch; uint8_t stKeyBlock = 20; - uint8_t *keyBlock = NULL, *p; - keyBlock = calloc(stKeyBlock, 6); - if (keyBlock == NULL) return 1; - + uint8_t *keyBlock = NULL, *p = NULL; uint32_t start_password = 0x00000000; //start password uint32_t end_password = 0xFFFFFFFF; //end password bool found = false; - + uint8_t downlink_mode = 0; + bool try_all_dl_modes = false; + uint8_t dl_mode = 0; + uint8_t cmd_offset = 0; + int cmd_opt = 0; + char cmdp = param_getchar(Cmd, 0); + if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce(); + if (cmdp == 'r' || cmdp == 'R') { + downlink_mode = param_getchar(Cmd, 1) - '0'; // get 2nd option, as this is fixed order. + if (downlink_mode == 4) try_all_dl_modes = true; + if (downlink_mode > 3) downlink_mode = 0; + cmd_opt += 2; // To help start/end passwords for range to be found + cmd_offset += 4; // r x To help the string offset for filename start position in cmd + cmdp = param_getchar(Cmd, 2); // get 3rd option, as this is fixed order. + } + + keyBlock = calloc(stKeyBlock, 6); + if (keyBlock == NULL) return 1; if (cmdp == 'i' || cmdp == 'I') { int len = strlen(Cmd+2); if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; - memcpy(filename, Cmd+2, len); + memcpy(filename, Cmd+2+cmd_offset, len); FILE * f = fopen( filename , "r"); @@ -1405,7 +1504,7 @@ int CmdT55xxBruteForce(const char *Cmd) { //The line start with # is comment, skip if( buf[0]=='#' ) continue; - if (!isxdigit(buf[0])) { + if (!isxdigit((unsigned char)buf[0])) { PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf); continue; } @@ -1417,6 +1516,7 @@ int CmdT55xxBruteForce(const char *Cmd) { if (!p) { PrintAndLog("Cannot allocate memory for defaultKeys"); free(keyBlock); + fclose(f); return 2; } keyBlock = p; @@ -1431,6 +1531,7 @@ int CmdT55xxBruteForce(const char *Cmd) { if (keycnt == 0) { PrintAndLog("No keys found in file"); + free(keyBlock); return 1; } PrintAndLog("Loaded %d keys", keycnt); @@ -1440,39 +1541,55 @@ int CmdT55xxBruteForce(const char *Cmd) { for (uint16_t c = 0; c < keycnt; ++c ) { if (ukbhit()) { - getchar(); + ch = getchar(); + (void)ch; printf("\naborted via keyboard!\n"); + free(keyBlock); return 0; } testpwd = bytes_to_num(keyBlock + 4*c, 4); PrintAndLog("Testing %08X", testpwd); + + // Try each downlink_mode if asked to + // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3 + for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){ + if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd, dl_mode)) { + PrintAndLog("Acquiring data from device failed. Quitting"); + free(keyBlock); + return 0; + } - if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) { - PrintAndLog("Aquireing data from device failed. Quitting"); - return 0; - } + found = tryDetectModulation(); - found = tryDetectModulation(); + if ( found ) { + PrintAndLog("Found valid password: [%08X]", testpwd); + free(keyBlock); + + T55xx_Print_DownlinkMode (dl_mode); - if ( found ) { - PrintAndLog("Found valid password: [%08X]", testpwd); - return 0; - } + return 0; + } + if (!try_all_dl_modes) // Exit loop if not trying all downlink modes + dl_mode = 4; + } } PrintAndLog("Password NOT found."); + free(keyBlock); return 0; } // Try to read Block 7, first :) // incremental pwd range search - start_password = param_get32ex(Cmd, 0, 0, 16); - end_password = param_get32ex(Cmd, 1, 0, 16); - - if ( start_password >= end_password ) return usage_t55xx_bruteforce(); + start_password = param_get32ex(Cmd, cmd_opt , 0, 16); + end_password = param_get32ex(Cmd, cmd_opt+1 , 0, 16); + if ( start_password >= end_password ) { + free(keyBlock); + return usage_t55xx_bruteforce(); + } PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password); uint32_t i = start_password; @@ -1482,35 +1599,196 @@ int CmdT55xxBruteForce(const char *Cmd) { printf("."); fflush(stdout); if (ukbhit()) { - getchar(); + ch = getchar(); + (void)ch; printf("\naborted via keyboard!\n"); + free(keyBlock); return 0; } + // Try each downlink_mode if asked to + // donwlink_mode will = 0 if > 3 or set to 0, so loop from 0 - 3 + for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++){ + if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i,dl_mode)) { + PrintAndLog("Acquiring data from device failed. Quitting"); + free(keyBlock); + return 0; + } + found = tryDetectModulation(); - if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) { - PrintAndLog("Aquireing data from device failed. Quitting"); - return 0; + if (found) break; + if (!try_all_dl_modes) // Exit loop if not trying all downlink modes + dl_mode = 4; } - found = tryDetectModulation(); - if (found) break; i++; } - PrintAndLog(""); - - if (found) + if (found){ PrintAndLog("Found valid password: [%08x]", i); - else + T55xx_Print_DownlinkMode (downlink_mode); + } + else{ + PrintAndLog(""); PrintAndLog("Password NOT found. Last tried: [%08x]", --i); + } + + free(keyBlock); return 0; } +// note length of data returned is different for different chips. +// some return all page 1 (64 bits) and others return just that block (32 bits) +// unfortunately the 64 bits makes this more likely to get a false positive... +bool tryDetectP1(bool getData) { + uint8_t preamble[] = {1,1,1,0,0,0,0,0,0,0,0,1,0,1,0,1}; + size_t startIdx = 0; + uint8_t fc1 = 0, fc2 = 0, ans = 0; + int clk = 0, firstClockEdge = 0; + bool st = true; + + if ( getData ) { + if ( !AquireData(T55x7_PAGE1, 1, false, 0,0) ) + return false; + } + + // try fsk clock detect. if successful it cannot be any other type of modulation... (in theory...) + ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge); + if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) { + if ( FSKrawDemod("0 0", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( FSKrawDemod("0 1", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + return false; + } + + // try psk clock detect. if successful it cannot be any other type of modulation... (in theory...) + clk = GetPskClock("", false, false); + if (clk>0) { + // allow undo + // save_restoreGB(1); + // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise) + //CmdLtrim("160"); + if ( PSKDemod("0 0 6", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + //save_restoreGB(0); + return true; + } + if ( PSKDemod("0 1 6", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + //save_restoreGB(0); + return true; + } + // PSK2 - needs a call to psk1TOpsk2. + if ( PSKDemod("0 0 6", false)) { + psk1TOpsk2(DemodBuffer, DemodBufferLen); + if (preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + //save_restoreGB(0); + return true; + } + } // inverse waves does not affect PSK2 demod + //undo trim samples + //save_restoreGB(0); + // no other modulation clocks = 2 or 4 so quit searching + if (fc1 != 8) return false; + } + + // try ask clock detect. it could be another type even if successful. + clk = GetAskClock("", false, false); + if (clk>0) { + if ( ASKDemod_ext("0 0 1", false, false, 1, &st) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + st = true; + if ( ASKDemod_ext("0 1 1", false, false, 1, &st) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( ASKbiphaseDemod("0 0 0 2", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( ASKbiphaseDemod("0 0 1 2", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + } + + // try NRZ clock detect. it could be another type even if successful. + clk = GetNrzClock("", false, false); //has the most false positives :( + if (clk>0) { + if ( NRZrawDemod("0 0 1", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + if ( NRZrawDemod("0 1 1", false) && + preambleSearchEx(DemodBuffer,preamble,sizeof(preamble),&DemodBufferLen,&startIdx,false) && + (DemodBufferLen == 32 || DemodBufferLen == 64) ) { + return true; + } + } + return false; +} +// does this need to be a callable command? +int CmdT55xxDetectPage1(const char *Cmd){ + bool errors = false; + bool useGB = false; + bool usepwd = false; + uint32_t password = 0; + uint8_t cmdp = 0; + + while(param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch(param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_t55xx_detectP1(); + case 'p': + case 'P': + password = param_get32ex(Cmd, cmdp+1, 0, 16); + usepwd = true; + cmdp += 2; + break; + case '1': + // use Graphbuffer data + useGB = true; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + if (errors) return usage_t55xx_detectP1(); + + if ( !useGB ) { + if ( !AquireData(T55x7_PAGE1, 1, usepwd, password,0) ) + return false; + } + bool success = tryDetectP1(false); + if (success) PrintAndLog("T55xx chip found!"); + return success; +} static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, - {"bruteforce",CmdT55xxBruteForce,0, " [i <*.dic>] Simple bruteforce attack to find password"}, + {"bruteforce",CmdT55xxBruteForce,0, " [i <*.dic>] Simple bruteforce attack to find password"}, {"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"}, {"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."}, + {"p1detect", CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"}, {"read", CmdT55xxReadBlock, 0, "b p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"}, {"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"}, {"write", CmdT55xxWriteBlock,0, "b d p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},