X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/c2d25819d8c55b568814da61d116fda9b4ad53d1..b1d615df78a3c258f2568a07fcc4d0d9ca4ab921:/client/cmdlfem4x.c diff --git a/client/cmdlfem4x.c b/client/cmdlfem4x.c index 0449e34a..2cf8f569 100644 --- a/client/cmdlfem4x.c +++ b/client/cmdlfem4x.c @@ -8,25 +8,21 @@ // Low frequency EM4x commands //----------------------------------------------------------------------------- -#include -#include -#include -#include "proxmark3.h" -#include "ui.h" -#include "graph.h" -#include "cmdmain.h" -#include "cmdparser.h" -#include "cmddata.h" -#include "cmdlf.h" #include "cmdlfem4x.h" -#include "util.h" -#include "data.h" -#define LF_TRACE_BUFF_SIZE 12000 -char *global_em410xId; +uint64_t g_em410xid = 0; static int CmdHelp(const char *Cmd); +int CmdEMdemodASK(const char *Cmd) +{ + char cmdp = param_getchar(Cmd, 0); + uint8_t findone = (cmdp == '1') ? 1 : 0; + UsbCommand c = {CMD_EM410X_DEMOD, {findone, 0, 0}}; + SendCommand(&c); + return 0; +} + /* Read the ID of an EM410x tag. * Format: * 1111 1111 1 <-- standard non-repeatable header @@ -37,222 +33,100 @@ static int CmdHelp(const char *Cmd); */ int CmdEM410xRead(const char *Cmd) { - int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low; - int parity[4]; - char id[11]; - char id2[11]; - int retested = 0; - uint8_t BitStream[MAX_GRAPH_TRACE_LEN]; - high = low = 0; - - /* Detect high and lows and clock */ - for (i = 0; i < GraphTraceLen; i++) - { - if (GraphBuffer[i] > high) - high = GraphBuffer[i]; - else if (GraphBuffer[i] < low) - low = GraphBuffer[i]; - } - - /* get clock */ - clock = GetClock(Cmd, high, 0); - - /* parity for our 4 columns */ - parity[0] = parity[1] = parity[2] = parity[3] = 0; - header = rows = 0; - - /* manchester demodulate */ - bit = bit2idx = 0; - for (i = 0; i < (int)(GraphTraceLen / clock); i++) - { - hithigh = 0; - hitlow = 0; - first = 1; - - /* Find out if we hit both high and low peaks */ - for (j = 0; j < clock; j++) - { - if (GraphBuffer[(i * clock) + j] == high) - hithigh = 1; - else if (GraphBuffer[(i * clock) + j] == low) - hitlow = 1; - - /* it doesn't count if it's the first part of our read - because it's really just trailing from the last sequence */ - if (first && (hithigh || hitlow)) - hithigh = hitlow = 0; - else - first = 0; - - if (hithigh && hitlow) - break; - } - - /* If we didn't hit both high and low peaks, we had a bit transition */ - if (!hithigh || !hitlow) - bit ^= 1; - - BitStream[bit2idx++] = bit; - } - -retest: - /* We go till 5 before the graph ends because we'll get that far below */ - for (i = 1; i < bit2idx - 5; i++) - { - /* Step 2: We have our header but need our tag ID */ - if (header == 9 && rows < 10) - { - /* Confirm parity is correct */ - if ((BitStream[i] ^ BitStream[i+1] ^ BitStream[i+2] ^ BitStream[i+3]) == BitStream[i+4]) - { - /* Read another byte! */ - sprintf(id+rows, "%x", (8 * BitStream[i]) + (4 * BitStream[i+1]) + (2 * BitStream[i+2]) + (1 * BitStream[i+3])); - sprintf(id2+rows, "%x", (8 * BitStream[i+3]) + (4 * BitStream[i+2]) + (2 * BitStream[i+1]) + (1 * BitStream[i])); - rows++; - - /* Keep parity info */ - parity[0] ^= BitStream[i]; - parity[1] ^= BitStream[i+1]; - parity[2] ^= BitStream[i+2]; - parity[3] ^= BitStream[i+3]; - - /* Move 4 bits ahead */ - i += 4; - } - - /* Damn, something wrong! reset */ - else - { - PrintAndLog("Thought we had a valid tag but failed at word %d (i=%d)", rows + 1, i); - - /* Start back rows * 5 + 9 header bits, -1 to not start at same place */ - i -= 9 + (5 * rows) - 5; - - rows = header = 0; - } - } - - /* Step 3: Got our 40 bits! confirm column parity */ - else if (rows == 10) - { - /* We need to make sure our 4 bits of parity are correct and we have a stop bit */ - if (BitStream[i] == parity[0] && BitStream[i+1] == parity[1] && - BitStream[i+2] == parity[2] && BitStream[i+3] == parity[3] && - BitStream[i+4] == 0) - { - /* Sweet! */ - PrintAndLog("EM410x Tag ID: %s", id); - PrintAndLog("Unique Tag ID: %s", id2); - - global_em410xId = id; - - /* Stop any loops */ - return 1; - } - - /* Crap! Incorrect parity or no stop bit, start all over */ - else - { - rows = header = 0; - - /* Go back 59 bits (9 header bits + 10 rows at 4+1 parity) */ - i -= 59; - } - } - - /* Step 1: get our header */ - else if (header < 9) - { - /* Need 9 consecutive 1's */ - if (BitStream[i] == 1) - header++; - - /* We don't have a header, not enough consecutive 1 bits */ - else - header = 0; - } - } - - /* if we've already retested after flipping bits, return */ - if (retested++){ - return 0; + uint32_t hi=0; + uint64_t lo=0; + + if(!AskEm410xDemod("", &hi, &lo, false)) return 0; + PrintAndLog("EM410x pattern found: "); + printEM410x(hi, lo); + if (hi){ + PrintAndLog ("EM410x XL pattern found"); + return 0; } + g_em410xid = lo; + return 1; +} - /* if this didn't work, try flipping bits */ - for (i = 0; i < bit2idx; i++) - BitStream[i] ^= 1; - goto retest; +int usage_lf_em410x_sim(void) { + PrintAndLog("Simulating EM410x tag"); + PrintAndLog(""); + PrintAndLog("Usage: lf em4x em410xsim [h] "); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" uid - uid (10 HEX symbols)"); + PrintAndLog(" clock - clock (32|64) (optional)"); + PrintAndLog("samples:"); + PrintAndLog(" lf em4x em410xsim 0F0368568B"); + PrintAndLog(" lf em4x em410xsim 0F0368568B 32"); + return 0; } -/* emulate an EM410X tag - * Format: - * 1111 1111 1 <-- standard non-repeatable header - * XXXX [row parity bit] <-- 10 rows of 5 bits for our 40 bit tag ID - * .... - * CCCC <-- each bit here is parity for the 10 bits above in corresponding column - * 0 <-- stop bit, end of tag - */ +// emulate an EM410X tag int CmdEM410xSim(const char *Cmd) { - int i, n, j, h, binary[4], parity[4]; - - /* clock is 64 in EM410x tags */ - int clock = 64; - - /* clear our graph */ - ClearGraph(0); - - /* write it out a few times */ - for (h = 0; h < 4; h++) - { - /* write 9 start bits */ - for (i = 0; i < 9; i++) - AppendGraph(0, clock, 1); - - /* for each hex char */ - parity[0] = parity[1] = parity[2] = parity[3] = 0; - for (i = 0; i < 10; i++) - { - /* read each hex char */ - sscanf(&Cmd[i], "%1x", &n); - for (j = 3; j >= 0; j--, n/= 2) - binary[j] = n % 2; - - /* append each bit */ - AppendGraph(0, clock, binary[0]); - AppendGraph(0, clock, binary[1]); - AppendGraph(0, clock, binary[2]); - AppendGraph(0, clock, binary[3]); - - /* append parity bit */ - AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); - - /* keep track of column parity */ - parity[0] ^= binary[0]; - parity[1] ^= binary[1]; - parity[2] ^= binary[2]; - parity[3] ^= binary[3]; - } - - /* parity columns */ - AppendGraph(0, clock, parity[0]); - AppendGraph(0, clock, parity[1]); - AppendGraph(0, clock, parity[2]); - AppendGraph(0, clock, parity[3]); - - /* stop bit */ - AppendGraph(0, clock, 0); - } - - /* modulate that biatch */ - CmdManchesterMod(""); - - /* booyah! */ - RepaintGraphWindow(); - - CmdLFSim(""); - return 0; + int i, n, j, binary[4], parity[4]; + uint8_t uid[5] = {0x00}; + + char cmdp = param_getchar(Cmd, 0); + if (cmdp == 'h' || cmdp == 'H') return usage_lf_em410x_sim(); + + /* clock is 64 in EM410x tags */ + uint8_t clock = 64; + + if (param_gethex(Cmd, 0, uid, 10)) { + PrintAndLog("UID must include 10 HEX symbols"); + return 0; + } + + param_getdec(Cmd, 1, &clock); + + PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X clock: %d", uid[0],uid[1],uid[2],uid[3],uid[4],clock); + PrintAndLog("Press pm3-button to about simulation"); + + /* clear our graph */ + ClearGraph(0); + + /* write 9 start bits */ + for (i = 0; i < 9; i++) + AppendGraph(0, clock, 1); + + /* for each hex char */ + parity[0] = parity[1] = parity[2] = parity[3] = 0; + for (i = 0; i < 10; i++) + { + /* read each hex char */ + sscanf(&Cmd[i], "%1x", &n); + for (j = 3; j >= 0; j--, n/= 2) + binary[j] = n % 2; + + /* append each bit */ + AppendGraph(0, clock, binary[0]); + AppendGraph(0, clock, binary[1]); + AppendGraph(0, clock, binary[2]); + AppendGraph(0, clock, binary[3]); + + /* append parity bit */ + AppendGraph(0, clock, binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); + + /* keep track of column parity */ + parity[0] ^= binary[0]; + parity[1] ^= binary[1]; + parity[2] ^= binary[2]; + parity[3] ^= binary[3]; + } + + /* parity columns */ + AppendGraph(0, clock, parity[0]); + AppendGraph(0, clock, parity[1]); + AppendGraph(0, clock, parity[2]); + AppendGraph(0, clock, parity[3]); + + /* stop bit */ + AppendGraph(1, clock, 0); + + CmdLFSim("0"); //240 start_gap. + return 0; } /* Function is equivalent of lf read + data samples + em410xread @@ -263,178 +137,38 @@ int CmdEM410xSim(const char *Cmd) * rate gets lower, then grow the number of samples * Changed by martin, 4000 x 4 = 16000, * see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235 - */ int CmdEM410xWatch(const char *Cmd) { - int read_h = (*Cmd == 'h'); - do - { - CmdLFRead(read_h ? "h" : ""); - CmdSamples("16000"); - } while ( - !CmdEM410xRead("") - ); + do { + if (ukbhit()) { + printf("\naborted via keyboard!\n"); + break; + } + + CmdLFRead("s"); + getSamples("8201",true); //capture enough to get 2 complete preambles (4096*2+9) + } while (!CmdEM410xRead("")); + return 0; } +//currently only supports manchester modulations +// todo: helptext int CmdEM410xWatchnSpoof(const char *Cmd) { + // loops if the captured ID was in XL-format. CmdEM410xWatch(Cmd); - PrintAndLog("# Replaying : %s",global_em410xId); - CmdEM410xSim(global_em410xId); - return 0; -} - -/* Read the transmitted data of an EM4x50 tag - * Format: - * - * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity - * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity - * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity - * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity - * CCCCCCCC <- column parity bits - * 0 <- stop bit - * LW <- Listen Window - * - * This pattern repeats for every block of data being transmitted. - * Transmission starts with two Listen Windows (LW - a modulated - * pattern of 320 cycles each (32/32/128/64/64)). - * - * Note that this data may or may not be the UID. It is whatever data - * is stored in the blocks defined in the control word First and Last - * Word Read values. UID is stored in block 32. - */ -int CmdEM4x50Read(const char *Cmd) -{ - int i, j, startblock, skip, block, start, end, low, high; - bool complete= false; - int tmpbuff[MAX_GRAPH_TRACE_LEN / 64]; - char tmp[6]; - - high= low= 0; - memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64); - - /* first get high and low values */ - for (i = 0; i < GraphTraceLen; i++) - { - if (GraphBuffer[i] > high) - high = GraphBuffer[i]; - else if (GraphBuffer[i] < low) - low = GraphBuffer[i]; - } - - /* populate a buffer with pulse lengths */ - i= 0; - j= 0; - while (i < GraphTraceLen) - { - // measure from low to low - while ((GraphBuffer[i] > low) && (i low) && (i(MAX_GRAPH_TRACE_LEN/64)) { - break; - } - tmpbuff[j++]= i - start; - } - - /* look for data start - should be 2 pairs of LW (pulses of 192,128) */ - start= -1; - skip= 0; - for (i= 0; i < j - 4 ; ++i) - { - skip += tmpbuff[i]; - if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194) - if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130) - if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194) - if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130) - { - start= i + 3; - break; - } - } - startblock= i + 3; - - /* skip over the remainder of the LW */ - skip += tmpbuff[i+1]+tmpbuff[i+2]; - while (skip < MAX_GRAPH_TRACE_LEN && GraphBuffer[skip] > low) - ++skip; - skip += 8; - - /* now do it again to find the end */ - end= start; - for (i += 3; i < j - 4 ; ++i) - { - end += tmpbuff[i]; - if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194) - if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130) - if (tmpbuff[i+2] >= 190 && tmpbuff[i+2] <= 194) - if (tmpbuff[i+3] >= 126 && tmpbuff[i+3] <= 130) - { - complete= true; - break; - } - } - - if (start >= 0) - PrintAndLog("Found data at sample: %i",skip); - else - { - PrintAndLog("No data found!"); - PrintAndLog("Try again with more samples."); - return 0; - } - - if (!complete) - { - PrintAndLog("*** Warning!"); - PrintAndLog("Partial data - no end found!"); - PrintAndLog("Try again with more samples."); - } - - /* get rid of leading crap */ - sprintf(tmp,"%i",skip); - CmdLtrim(tmp); - - /* now work through remaining buffer printing out data blocks */ - block= 0; - i= startblock; - while (block < 6) - { - PrintAndLog("Block %i:", block); - // mandemod routine needs to be split so we can call it for data - // just print for now for debugging - CmdManchesterDemod("i 64"); - skip= 0; - /* look for LW before start of next block */ - for ( ; i < j - 4 ; ++i) - { - skip += tmpbuff[i]; - if (tmpbuff[i] >= 190 && tmpbuff[i] <= 194) - if (tmpbuff[i+1] >= 126 && tmpbuff[i+1] <= 130) - break; - } - while (GraphBuffer[skip] > low) - ++skip; - skip += 8; - sprintf(tmp,"%i",skip); - CmdLtrim(tmp); - start += skip; - block++; - } - return 0; + PrintAndLog("# Replaying captured ID: %llu", g_em410xid); + CmdLFaskSim(""); + return 0; } int CmdEM410xWrite(const char *Cmd) { - uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value - int card = 0xFF; // invalid card value - unsigned int clock = 0; // invalid clock value + uint64_t id = 0xFFFFFFFFFFFFFFFF; // invalid id value + int card = 0xFF; // invalid card value + uint32_t clock = 0; // invalid clock value sscanf(Cmd, "%" PRIx64 " %d %d", &id, &card, &clock); @@ -459,21 +193,13 @@ int CmdEM410xWrite(const char *Cmd) } // Check Clock - if (card == 1) - { // Default: 64 - if (clock == 0) - clock = 64; + if (clock == 0) + clock = 64; - // Allowed clock rates: 16, 32 and 64 - if ((clock != 16) && (clock != 32) && (clock != 64)) { - PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32 and 64.\n", clock); - return 0; - } - } - else if (clock != 0) - { - PrintAndLog("Error! Clock rate is only supported on T55x7 tags.\n"); + // Allowed clock rates: 16, 32, 40 and 64 + if ((clock != 16) && (clock != 32) && (clock != 64) && (clock != 40)) { + PrintAndLog("Error! Clock rate %d not valid. Supported clock rates are 16, 32, 40 and 64.\n", clock); return 0; } @@ -483,174 +209,435 @@ int CmdEM410xWrite(const char *Cmd) // provide for backwards-compatibility for older firmware, and to avoid // having to add another argument to CMD_EM410X_WRITE_TAG, we just store // the clock rate in bits 8-15 of the card value - card = (card & 0xFF) | (((uint64_t)clock << 8) & 0xFF00); - } - else if (card == 0) + card = (card & 0xFF) | ((clock << 8) & 0xFF00); + } else if (card == 0) { PrintAndLog("Writing %s tag with UID 0x%010" PRIx64, "T5555", id, clock); - else { + card = (card & 0xFF) | ((clock << 8) & 0xFF00); + } else { PrintAndLog("Error! Bad card type selected.\n"); return 0; } - UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}}; - SendCommand(&c); - - return 0; + UsbCommand c = {CMD_EM410X_WRITE_TAG, {card, (uint32_t)(id >> 32), (uint32_t)id}}; + SendCommand(&c); + return 0; } -int CmdReadWord(const char *Cmd) +bool EM_EndParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType) { - int Word = -1; //default to invalid word - UsbCommand c; - - sscanf(Cmd, "%d", &Word); - - if ( (Word > 15) | (Word < 0) ) { - PrintAndLog("Word must be between 0 and 15"); - return 1; + if (rows*cols>size) return false; + uint8_t colP=0; + //assume last col is a parity and do not test + for (uint8_t colNum = 0; colNum < cols-1; colNum++) { + for (uint8_t rowNum = 0; rowNum < rows; rowNum++) { + colP ^= BitStream[(rowNum*cols)+colNum]; + } + if (colP != pType) return false; } - - PrintAndLog("Reading word %d", Word); - - c.cmd = CMD_EM4X_READ_WORD; - c.d.asBytes[0] = 0x0; //Normal mode - c.arg[0] = 0; - c.arg[1] = Word; - c.arg[2] = 0; - SendCommand(&c); - WaitForResponse(CMD_ACK, NULL); - - uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00}; - - GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset.. - WaitForResponseTimeout(CMD_ACK,NULL, 1500); + return true; +} - for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) { - GraphBuffer[j] = ((int)data[j]); +bool EM_ByteParityTest(uint8_t *BitStream, size_t size, uint8_t rows, uint8_t cols, uint8_t pType) +{ + if (rows*cols>size) return false; + uint8_t rowP=0; + //assume last row is a parity row and do not test + for (uint8_t rowNum = 0; rowNum < rows-1; rowNum++) { + for (uint8_t colNum = 0; colNum < cols; colNum++) { + rowP ^= BitStream[(rowNum*cols)+colNum]; + } + if (rowP != pType) return false; } - GraphTraceLen = LF_TRACE_BUFF_SIZE; - - uint8_t bits[1000] = {0x00}; - uint8_t * bitstream = bits; - manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream); - RepaintGraphWindow(); - return 0; + return true; } -int CmdReadWordPWD(const char *Cmd) +uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool pTest) { - int Word = -1; //default to invalid word - int Password = 0xFFFFFFFF; //default to blank password - UsbCommand c; - - sscanf(Cmd, "%d %x", &Word, &Password); + if (size<45) return 0; + + uint32_t code = bytebits_to_byte(BitStream,8); + code = code<<8 | bytebits_to_byte(BitStream+9,8); + code = code<<8 | bytebits_to_byte(BitStream+18,8); + code = code<<8 | bytebits_to_byte(BitStream+27,8); + + if (verbose || g_debugMode){ + for (uint8_t i = 0; i<5; i++){ + if (i == 4) PrintAndLog(""); //parity byte spacer + PrintAndLog("%d%d%d%d%d%d%d%d %d -> 0x%02x", + BitStream[i*9], + BitStream[i*9+1], + BitStream[i*9+2], + BitStream[i*9+3], + BitStream[i*9+4], + BitStream[i*9+5], + BitStream[i*9+6], + BitStream[i*9+7], + BitStream[i*9+8], + bytebits_to_byte(BitStream+i*9,8) + ); + } + if (pTest) + PrintAndLog("Parity Passed"); + else + PrintAndLog("Parity Failed"); + } + return code; +} +/* Read the transmitted data of an EM4x50 tag + * Format: + * + * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity + * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity + * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity + * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity + * CCCCCCCC <- column parity bits + * 0 <- stop bit + * LW <- Listen Window + * + * This pattern repeats for every block of data being transmitted. + * Transmission starts with two Listen Windows (LW - a modulated + * pattern of 320 cycles each (32/32/128/64/64)). + * + * Note that this data may or may not be the UID. It is whatever data + * is stored in the blocks defined in the control word First and Last + * Word Read values. UID is stored in block 32. + */ + //completed by Marshmellow +int EM4x50Read(const char *Cmd, bool verbose) +{ + /* + char buf[30] = {0x00}; + char *cmdStr = buf; + int ans = 0; + bool ST = config.ST; + uint8_t bitRate[8] = {8,16,32,40,50,64,100,128}; + DemodBufferLen = 0x00; + snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted ); + ans = ASKDemod_ext(cmdStr, FALSE, FALSE, 1, &ST); + snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted ); + ans = ASKbiphaseDemod(cmdStr, FALSE); + */ + + uint8_t fndClk[] = {8,16,32,40,50,64,128}; + int clk = 0; + int invert = 0; + int tol = 0; + int i, j, startblock, skip, block, start, end, low, high, minClk; + bool complete = false; + int tmpbuff[MAX_GRAPH_TRACE_LEN / 64]; + uint32_t Code[6]; + char tmp[6]; + char tmp2[20]; + int phaseoff; + high = low = 0; + memset(tmpbuff, 0, MAX_GRAPH_TRACE_LEN / 64); + + // get user entry if any + sscanf(Cmd, "%i %i", &clk, &invert); + + // save GraphBuffer - to restore it later + save_restoreGB(1); + + // first get high and low values + for (i = 0; i < GraphTraceLen; i++) { + if (GraphBuffer[i] > high) + high = GraphBuffer[i]; + else if (GraphBuffer[i] < low) + low = GraphBuffer[i]; + } - if ( (Word > 15) | (Word < 0) ) { - PrintAndLog("Word must be between 0 and 15"); - return 1; + i = 0; + j = 0; + minClk = 255; + // get to first full low to prime loop and skip incomplete first pulse + while ((GraphBuffer[i] < high) && (i < GraphTraceLen)) + ++i; + while ((GraphBuffer[i] > low) && (i < GraphTraceLen)) + ++i; + skip = i; + + // populate tmpbuff buffer with pulse lengths + while (i < GraphTraceLen) { + // measure from low to low + while ((GraphBuffer[i] > low) && (i < GraphTraceLen)) + ++i; + start= i; + while ((GraphBuffer[i] < high) && (i < GraphTraceLen)) + ++i; + while ((GraphBuffer[i] > low) && (i < GraphTraceLen)) + ++i; + if (j>=(MAX_GRAPH_TRACE_LEN/64)) { + break; + } + tmpbuff[j++]= i - start; + if (i-start < minClk && i < GraphTraceLen) { + minClk = i - start; + } } - - PrintAndLog("Reading word %d with password %08X", Word, Password); - - c.cmd = CMD_EM4X_READ_WORD; - c.d.asBytes[0] = 0x1; //Password mode - c.arg[0] = 0; - c.arg[1] = Word; - c.arg[2] = Password; - SendCommand(&c); - WaitForResponse(CMD_ACK, NULL); + // set clock + if (!clk) { + for (uint8_t clkCnt = 0; clkCnt<7; clkCnt++) { + tol = fndClk[clkCnt]/8; + if (minClk >= fndClk[clkCnt]-tol && minClk <= fndClk[clkCnt]+1) { + clk=fndClk[clkCnt]; + break; + } + } + if (!clk) { + PrintAndLog("ERROR: EM4x50 - didn't find a clock"); + return 0; + } + } else tol = clk/8; + + // look for data start - should be 2 pairs of LW (pulses of clk*3,clk*2) + start = -1; + for (i= 0; i < j - 4 ; ++i) { + skip += tmpbuff[i]; + if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks + if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks + if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks + if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following + { + start= i + 4; + break; + } + } + startblock = i + 4; + + // skip over the remainder of LW + skip += tmpbuff[i+1] + tmpbuff[i+2] + clk; + if (tmpbuff[i+3]>clk) + phaseoff = tmpbuff[i+3]-clk; + else + phaseoff = 0; + // now do it again to find the end + end = skip; + for (i += 3; i < j - 4 ; ++i) { + end += tmpbuff[i]; + if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) //3 clocks + if (tmpbuff[i+1] >= clk*2-tol && tmpbuff[i+1] <= clk*2+tol) //2 clocks + if (tmpbuff[i+2] >= clk*3-tol && tmpbuff[i+2] <= clk*3+tol) //3 clocks + if (tmpbuff[i+3] >= clk-tol) //1.5 to 2 clocks - depends on bit following + { + complete= true; + break; + } + } + end = i; + // report back + if (verbose || g_debugMode) { + if (start >= 0) { + PrintAndLog("\nNote: one block = 50 bits (32 data, 12 parity, 6 marker)"); + } else { + PrintAndLog("No data found!, clock tried:%d",clk); + PrintAndLog("Try again with more samples."); + PrintAndLog(" or after a 'data askedge' command to clean up the read"); + return 0; + } + } else if (start < 0) return 0; + start = skip; + snprintf(tmp2, sizeof(tmp2),"%d %d 1000 %d", clk, invert, clk*47); + // get rid of leading crap + snprintf(tmp, sizeof(tmp), "%i", skip); + CmdLtrim(tmp); + bool pTest; + bool AllPTest = true; + // now work through remaining buffer printing out data blocks + block = 0; + i = startblock; + while (block < 6) { + if (verbose || g_debugMode) PrintAndLog("\nBlock %i:", block); + skip = phaseoff; - uint8_t data[LF_TRACE_BUFF_SIZE] = {0x00}; + // look for LW before start of next block + for ( ; i < j - 4 ; ++i) { + skip += tmpbuff[i]; + if (tmpbuff[i] >= clk*3-tol && tmpbuff[i] <= clk*3+tol) + if (tmpbuff[i+1] >= clk-tol) + break; + } + if (i >= j-4) break; //next LW not found + skip += clk; + if (tmpbuff[i+1]>clk) + phaseoff = tmpbuff[i+1]-clk; + else + phaseoff = 0; + i += 2; + if (ASKDemod(tmp2, false, false, 1) < 1) { + save_restoreGB(0); + return 0; + } + //set DemodBufferLen to just one block + DemodBufferLen = skip/clk; + //test parities + pTest = EM_ByteParityTest(DemodBuffer,DemodBufferLen,5,9,0); + pTest &= EM_EndParityTest(DemodBuffer,DemodBufferLen,5,9,0); + AllPTest &= pTest; + //get output + Code[block] = OutputEM4x50_Block(DemodBuffer,DemodBufferLen,verbose, pTest); + if (g_debugMode) PrintAndLog("\nskipping %d samples, bits:%d", skip, skip/clk); + //skip to start of next block + snprintf(tmp,sizeof(tmp),"%i",skip); + CmdLtrim(tmp); + block++; + if (i >= end) break; //in case chip doesn't output 6 blocks + } + //print full code: + if (verbose || g_debugMode || AllPTest){ + if (!complete) { + PrintAndLog("*** Warning!"); + PrintAndLog("Partial data - no end found!"); + PrintAndLog("Try again with more samples."); + } + PrintAndLog("Found data at sample: %i - using clock: %i", start, clk); + end = block; + for (block=0; block < end; block++){ + PrintAndLog("Block %d: %08x",block,Code[block]); + } + if (AllPTest) { + PrintAndLog("Parities Passed"); + } else { + PrintAndLog("Parities Failed"); + PrintAndLog("Try cleaning the read samples with 'data askedge'"); + } + } + + //restore GraphBuffer + save_restoreGB(0); + return (int)AllPTest; +} - GetFromBigBuf(data,LF_TRACE_BUFF_SIZE,3560); //3560 -- should be offset.. - WaitForResponseTimeout(CMD_ACK,NULL, 1500); +int CmdEM4x50Read(const char *Cmd) { + return EM4x50Read(Cmd, true); +} - for (int j = 0; j < LF_TRACE_BUFF_SIZE; j++) { - GraphBuffer[j] = ((int)data[j]); +int usage_lf_em_read(void) { + PrintAndLog("Read EM4x50. Tag must be on antenna. "); + PrintAndLog(""); + PrintAndLog("Usage: lf em readword [h]
"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" address - memory address to read. (0-15)"); + PrintAndLog(" pwd - password (hex) (optional)"); + PrintAndLog("samples:"); + PrintAndLog(" lf em readword 1"); + PrintAndLog(" lf em readword 1 11223344"); + return 0; +} +int CmdReadWord(const char *Cmd) { + int addr, pwd; + bool usePwd = false; + uint8_t ctmp = param_getchar(Cmd, 0); + if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read(); + + addr = param_get8ex(Cmd, 0, -1, 10); + pwd = param_get32ex(Cmd, 1, -1, 16); + + if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) { + PrintAndLog("Address must be between 0 and 15"); + return 1; + } + if ( pwd == -1 ) + PrintAndLog("Reading address %d", addr); + else { + usePwd = true; + PrintAndLog("Reading address %d | password %08X", addr, pwd); } - GraphTraceLen = LF_TRACE_BUFF_SIZE; - uint8_t bits[1000] = {0x00}; - uint8_t * bitstream = bits; + UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}}; + clearCommandBuffer(); + SendCommand(&c); + UsbCommand resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){ + PrintAndLog("Command timed out"); + return -1; + } - manchester_decode(GraphBuffer, LF_TRACE_BUFF_SIZE, bitstream); - RepaintGraphWindow(); - return 0; + //uint8_t got[12288]; + uint8_t got[30000]; + GetFromBigBuf(got, sizeof(got), 0); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) { + PrintAndLog("command execution time out"); + return 0; + } + setGraphBuf(got, sizeof(got)); + return 1; } -int CmdWriteWord(const char *Cmd) -{ - int Word = 16; //default to invalid block - int Data = 0xFFFFFFFF; //default to blank data - UsbCommand c; - - sscanf(Cmd, "%x %d", &Data, &Word); - - if (Word > 15) { - PrintAndLog("Word must be between 0 and 15"); - return 1; - } - - PrintAndLog("Writting word %d with data %08X", Word, Data); - - c.cmd = CMD_EM4X_WRITE_WORD; - c.d.asBytes[0] = 0x0; //Normal mode - c.arg[0] = Data; - c.arg[1] = Word; - c.arg[2] = 0; - SendCommand(&c); - return 0; +int usage_lf_em_write(void) { + PrintAndLog("Write EM4x50. Tag must be on antenna. "); + PrintAndLog(""); + PrintAndLog("Usage: lf em writeword [h]
"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" address - memory address to write to. (0-15)"); + PrintAndLog(" data - data to write (hex)"); + PrintAndLog(" pwd - password (hex) (optional)"); + PrintAndLog("samples:"); + PrintAndLog(" lf em writeword 1"); + PrintAndLog(" lf em writeword 1 deadc0de 11223344"); + return 0; } - -int CmdWriteWordPWD(const char *Cmd) -{ - int Word = 8; //default to invalid word - int Data = 0xFFFFFFFF; //default to blank data - int Password = 0xFFFFFFFF; //default to blank password - UsbCommand c; - - sscanf(Cmd, "%x %d %x", &Data, &Word, &Password); - - if (Word > 15) { - PrintAndLog("Word must be between 0 and 15"); - return 1; - } - - PrintAndLog("Writting word %d with data %08X and password %08X", Word, Data, Password); - - c.cmd = CMD_EM4X_WRITE_WORD; - c.d.asBytes[0] = 0x1; //Password mode - c.arg[0] = Data; - c.arg[1] = Word; - c.arg[2] = Password; - SendCommand(&c); - return 0; +int CmdWriteWord(const char *Cmd) { + uint8_t ctmp = param_getchar(Cmd, 0); + if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_write(); + + bool usePwd = false; + + int addr = 16; // default to invalid address + int data = 0xFFFFFFFF; // default to blank data + int pwd = 0xFFFFFFFF; // default to blank password + + addr = param_get8ex(Cmd, 0, -1, 10); + data = param_get32ex(Cmd, 1, -1, 16); + pwd = param_get32ex(Cmd, 2, -1, 16); + + + if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) { + PrintAndLog("Address must be between 0 and 15"); + return 1; + } + if ( pwd == -1 ) + PrintAndLog("Writing address %d data %08X", addr, data); + else { + usePwd = true; + PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd); + } + + uint16_t flag = (addr << 8 ) | usePwd; + + UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}}; + clearCommandBuffer(); + SendCommand(&c); + UsbCommand resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ + PrintAndLog("Error occurred, device did not respond during write operation."); + return -1; + } + return 0; } -static command_t CommandTable[] = -{ - {"help", CmdHelp, 1, "This help"}, - {"410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag"}, - {"410xsim", CmdEM410xSim, 0, " -- Simulate EM410x tag"}, - {"410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"}, - {"410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" }, - {"410xwrite", CmdEM410xWrite, 1, " <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"}, - {"4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"}, - {"rd", CmdReadWord, 1, " -- Read EM4xxx word data"}, - {"rdpwd", CmdReadWordPWD, 1, " -- Read EM4xxx word data in password mode "}, - {"wr", CmdWriteWord, 1, " -- Write EM4xxx word data"}, - {"wrpwd", CmdWriteWordPWD, 1, " -- Write EM4xxx word data in password mode"}, - {NULL, NULL, 0, NULL} +static command_t CommandTable[] = { + {"help", CmdHelp, 1, "This help"}, + {"em410xdemod", CmdEMdemodASK, 0, "[findone] -- Extract ID from EM410x tag (option 0 for continuous loop, 1 for only 1 tag)"}, + {"em410xread", CmdEM410xRead, 1, "[clock rate] -- Extract ID from EM410x tag in GraphBuffer"}, + {"em410xsim", CmdEM410xSim, 0, " -- Simulate EM410x tag"}, + {"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"}, + {"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" }, + {"em410xwrite", CmdEM410xWrite, 0, " <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"}, + {"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"}, + {"readword", CmdReadWord, 1, "Read EM4xxx data"}, + {"writeword", CmdWriteWord, 1, "Write EM4xxx data"}, + {NULL, NULL, 0, NULL} }; -int CmdLFEM4X(const char *Cmd) -{ - CmdsParse(CommandTable, Cmd); - return 0; +int CmdLFEM4X(const char *Cmd) { + clearCommandBuffer(); + CmdsParse(CommandTable, Cmd); + return 0; } -int CmdHelp(const char *Cmd) -{ - CmdsHelp(CommandTable); - return 0; +int CmdHelp(const char *Cmd) { + CmdsHelp(CommandTable); + return 0; }