X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/50564be0f809e61f3148fb2f27db035b6362321f..2839f12e8623cb48adf4d9af70212960caefc60d:/client/cmdlfguard.c?ds=sidebyside diff --git a/client/cmdlfguard.c b/client/cmdlfguard.c index b2079d83..ddfd2963 100644 --- a/client/cmdlfguard.c +++ b/client/cmdlfguard.c @@ -6,8 +6,7 @@ //----------------------------------------------------------------------------- // Low frequency Farpoint / Pyramid tag commands //----------------------------------------------------------------------------- -#include -#include + #include "cmdlfguard.h" static int CmdHelp(const char *Cmd); @@ -16,8 +15,9 @@ int usage_lf_guard_clone(void){ PrintAndLog("The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated. "); PrintAndLog("Currently work only on 26bit"); PrintAndLog(""); - PrintAndLog("Usage: lf guard clone "); + PrintAndLog("Usage: lf guard clone "); PrintAndLog("Options :"); + PrintAndLog(" : format length 26|32|36|40"); PrintAndLog(" : 8-bit value facility code"); PrintAndLog(" : 16-bit value card number"); PrintAndLog(""); @@ -31,8 +31,9 @@ int usage_lf_guard_sim(void) { PrintAndLog("The facility-code is 8-bit and the card number is 16-bit. Larger values are truncated."); PrintAndLog("Currently work only on 26bit"); PrintAndLog(""); - PrintAndLog("Usage: lf guard sim "); + PrintAndLog("Usage: lf guard sim "); PrintAndLog("Options :"); + PrintAndLog(" : format length 26|32|36|40"); PrintAndLog(" : 8-bit value facility code"); PrintAndLog(" : 16-bit value card number"); PrintAndLog(""); @@ -40,80 +41,104 @@ int usage_lf_guard_sim(void) { return 0; } - // Works for 26bits. -int GetGuardBits(uint32_t fc, uint32_t cn, uint8_t *guardBits) { +int GetGuardBits(uint8_t fmtlen, uint32_t fc, uint32_t cn, uint8_t *guardBits) { - // Intializes random number generator - time_t t; - srand((unsigned) time(&t)); - + uint8_t xorKey = 0x66; + uint8_t i; uint8_t pre[96]; + uint8_t rawbytes[12]; memset(pre, 0x00, sizeof(pre)); + memset(rawbytes, 0x00, sizeof(rawbytes)); + + // add format length (decimal) + switch (fmtlen) { + case 32: { + rawbytes[1] = (32 << 2); + + break; + } + case 36: { + // FC = ((ByteStream[3] & 0x7F)<<7) | (ByteStream[4]>>1); + // Card = ((ByteStream[4]&1)<<19) | (ByteStream[5]<<11) | (ByteStream[6]<<3) | (ByteStream[7]>>5); + rawbytes[1] = (36 << 2); + // Get 26 wiegand from FacilityCode, CardNumber + uint8_t wiegand[34]; + memset(wiegand, 0x00, sizeof(wiegand)); + num_to_bytebits(fc, 8, wiegand); + num_to_bytebits(cn, 26, wiegand+8); + + // add wiegand parity bits (dest, source, len) + wiegand_add_parity(pre, wiegand, 34); + break; + } + case 40: { + rawbytes[1] = (40 << 2); + break; + } + case 26: + default: { + rawbytes[1] = (26 << 2); + // Get 26 wiegand from FacilityCode, CardNumber + uint8_t wiegand[24]; + memset(wiegand, 0x00, sizeof(wiegand)); + num_to_bytebits(fc, 8, wiegand); + num_to_bytebits(cn, 16, wiegand+8); + + // add wiegand parity bits (dest, source, len) + wiegand_add_parity(pre, wiegand, 24); + break; + } + } + // 2bit checksum, unknown today, + // these two bits are the last ones of rawbyte[1], hence the LSHIFT above. - uint8_t index = 8; - // preamble 6bits - pre[0] = 1; - pre[1] = 1; - pre[2] = 1; - pre[3] = 1; - pre[4] = 1; - //pre[5] = 0; - - // add xor key - uint8_t xorKey = rand() % 0xFF; - num_to_bytebits(xorKey, 8, pre+index); - index += 8; + // xor key + rawbytes[0] = xorKey; - // add format length - // len | hex | bin wiegand pos fc/cn - // 26 | 1A | 0001 1010 - num_to_bytebits(26, 8, pre+index); - // 36 | 24 | 0010 0100 - //num_to_bytebits(36, 8, pre+index); - // 40 | 28 | 0010 1000 - //num_to_bytebits(40, 8, pre+index); - - index += 8; + rawbytes[2] = 1; + rawbytes[3] = 0; - // 2bit checksum - // unknown today. - index += 2; + // add wiegand to rawbytes + for (i = 0; i < 4; ++i) + rawbytes[i+4] = bytebits_to_byte( pre + (i*8), 8); - // Get 26 wiegand from FacilityCode, CardNumber - uint8_t wiegand[24]; - memset(wiegand, 0x00, sizeof(wiegand)); - num_to_bytebits(fc, 8, wiegand); - num_to_bytebits(cn, 16, wiegand+8); - - // add wiegand parity bits (dest, source, len) - wiegand_add_parity(pre+index, wiegand, 24); - - uint8_t tmp = 0, i = 0; - for (i = 2; i < 12; ++i) { - // // xor all bytes - // tmp = xorKey ^ bytebits_to_byte(pre + (i*8), 8); - - // // copy to out.. - // num_to_bytebits(tmp, 8, pre + (i*8) ); - } - - // add spacer bit 0 every 5 + if (g_debugMode) printf(" WIE | %s\n", sprint_hex(rawbytes, sizeof(rawbytes))); - // swap nibbles + // XOR (only works on wiegand stuff) + for (i = 1; i < 12; ++i) + rawbytes[i] ^= xorKey ; + + if (g_debugMode) printf(" XOR | %s \n", sprint_hex(rawbytes, sizeof(rawbytes))); + + // convert rawbytes to bits in pre + for (i = 0; i < 12; ++i) + num_to_bytebitsLSBF( rawbytes[i], 8, pre + (i*8)); + + if (g_debugMode) printf("\n Raw | %s \n", sprint_hex(rawbytes, sizeof(rawbytes))); + if (g_debugMode) printf(" Raw | %s\n", sprint_bin(pre, 64) ); - // copy to outarray - memcpy(guardBits, pre, sizeof(pre)); + // add spacer bit 0 every 4 bits, starting with index 0, + // 12 bytes, 24 nibbles. 24+1 extra bites. 3bytes. ie 9bytes | 1byte xorkey, 8bytes rawdata (64bits, should be enough for a 40bit wiegand) + addParity(pre, guardBits+6, 64, 5, 3); + + // preamble + guardBits[0] = 1; + guardBits[1] = 1; + guardBits[2] = 1; + guardBits[3] = 1; + guardBits[4] = 1; + guardBits[5] = 0; - printf(" | %s\n", sprint_bin(guardBits, 96) ); + if (g_debugMode) printf(" FIN | %s\n", sprint_bin(guardBits, 96) ); return 1; } int CmdGuardRead(const char *Cmd) { CmdLFRead("s"); - getSamples("30000",false); + getSamples("12000", TRUE); return CmdG_Prox_II_Demod(""); } @@ -122,23 +147,25 @@ int CmdGuardClone(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_guard_clone(); - uint32_t facilitycode=0, cardnumber=0, fc = 0, cn = 0; + uint32_t facilitycode = 0, cardnumber = 0, fc = 0, cn = 0, fmtlen = 0; uint8_t i; uint8_t bs[96]; memset(bs, 0x00, sizeof(bs)); //GuardProxII - compat mode, ASK/Biphase, data rate 64, 3 data blocks - uint32_t blocks[5] = {T55x7_MODULATION_BIPHASE | T55x7_BITRATE_RF_64 | 3<>1) << T5555_BITRATE_SHIFT | 3 << T5555_MAXBLOCK_SHIFT; - if (sscanf(Cmd, "%u %u", &fc, &cn ) != 2) return usage_lf_guard_clone(); + if (sscanf(Cmd, "%u %u %u", &fmtlen, &fc, &cn ) != 2) return usage_lf_guard_clone(); + fmtlen &= 0x7f; facilitycode = (fc & 0x000000FF); cardnumber = (cn & 0x0000FFFF); - if ( !GetGuardBits(facilitycode, cardnumber, bs)) { + if ( !GetGuardBits(fmtlen, facilitycode, cardnumber, bs)) { PrintAndLog("Error with tag bitstream generation."); return 1; } @@ -151,21 +178,21 @@ int CmdGuardClone(const char *Cmd) { PrintAndLog("Blk | Data "); PrintAndLog("----+------------"); for ( i = 0; i<4; ++i ) - PrintAndLog(" %02d | %08x", i, blocks[i]); - - // UsbCommand resp; - // UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {0,0,0}}; - - // for ( i = 0; i<5; ++i ) { - // c.arg[0] = blocks[i]; - // c.arg[1] = i; - // clearCommandBuffer(); - // SendCommand(&c); - // if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ - // PrintAndLog("Error occurred, device did not respond during write operation."); - // return -1; - // } - // } + PrintAndLog(" %02d | 0x%08x", i, blocks[i]); + + UsbCommand resp; + UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {0,0,0}}; + + for ( i = 0; i<4; ++i ) { + c.arg[0] = blocks[i]; + c.arg[1] = i; + clearCommandBuffer(); + SendCommand(&c); + if (!WaitForResponseTimeout(CMD_ACK, &resp, T55XX_WRITE_TIMEOUT)){ + PrintAndLog("Error occurred, device did not respond during write operation."); + return -1; + } + } return 0; } @@ -174,31 +201,38 @@ int CmdGuardSim(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_guard_sim(); - uint32_t facilitycode = 0, cardnumber = 0, fc = 0, cn = 0; + uint32_t facilitycode = 0, cardnumber = 0, fc = 0, cn = 0, fmtlen = 0; + uint8_t clock = 64, encoding = 2, separator = 0, invert = 0; uint8_t bs[96]; - size_t size = sizeof(bs); - memset(bs, 0x00, size); + memset(bs, 0x00, sizeof(bs)); - // Pyramid uses: ASK Biphase, clk: 32, invert: 0 - uint64_t arg1, arg2; - arg1 = (10 << 8) + 8; - arg2 = 32 | 0; - - if (sscanf(Cmd, "%u %u", &fc, &cn ) != 2) return usage_lf_guard_sim(); + if (sscanf(Cmd, "%u %u %u", &fmtlen, &fc, &cn ) != 2) return usage_lf_guard_sim(); + fmtlen &= 0x7F; facilitycode = (fc & 0x000000FF); cardnumber = (cn & 0x0000FFFF); - if ( !GetGuardBits(facilitycode, cardnumber, bs)) { + if ( !GetGuardBits(fmtlen, facilitycode, cardnumber, bs)) { PrintAndLog("Error with tag bitstream generation."); return 1; } PrintAndLog("Simulating Guardall - Facility Code: %u, CardNumber: %u", facilitycode, cardnumber ); - + + // Guard uses: clk: 64, invert: 0, encoding: 2 (ASK Biphase) + uint64_t arg1, arg2; + arg1 = (clock << 8) | encoding; + arg2 = (invert << 8) | separator; + + uint8_t rawbytes[12]; + size_t size = sizeof(rawbytes); + for (uint8_t i=0; i < size; ++i){ + rawbytes[i] = bytebits_to_byte( bs + (i*8), 8); + } + UsbCommand c = {CMD_ASK_SIM_TAG, {arg1, arg2, size}}; - memcpy(c.d.asBytes, bs, size); + memcpy(c.d.asBytes, rawbytes, size ); clearCommandBuffer(); SendCommand(&c); return 0;