From 69f42a0593bcb5b52fabe358668358390b4af056 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Fri, 14 Jul 2017 08:04:46 -0400 Subject: [PATCH] add lf PAC/Stanley tag read (#354) lf pac read - read from antenna and demod lf pac demod - demodulate from graphbuffer fix typo in securakey --- CHANGELOG.md | 4 +- client/cmdlf.c | 8 ++++ client/cmdlfpac.c | 100 ++++++++++++++++++++++++++++++++++++++++ client/cmdlfpac.h | 17 +++++++ client/cmdlfsecurakey.c | 2 +- 5 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 client/cmdlfpac.c create mode 100644 client/cmdlfpac.h diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fdda88b..f34b78f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,9 +11,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac ### Fixed ### Added +- Added PAC/Stanley detection to lf search (marshmellow) +- Added lf pac demod and lf pac read - extracts the raw blocks from a PAC/Stanley tag (marshmellow) - Added hf mf c* commands compatibity for 4k and gen1b backdoor (Fl0-0) - Added backdoor detection for gen1b magic s70/4k tag (Fl0-0) -- Added data fsktonrz, a fsk cleaning/demodulating routine for weak fsk signal. Note: follow this up with a `data rawdemod nr` to finish demoding your signal. +- Added data fsktonrz, a fsk cleaning/demodulating routine for weak fsk signal. Note: follow this up with a `data rawdemod nr` to finish demoding your signal. (marshmellow) - Added lf em 410xbrute, LF EM410x reader bruteforce attack by simulating UIDs from a file (Fl0-0) ## [3.0.1][2017-06-08] diff --git a/client/cmdlf.c b/client/cmdlf.c index 79bcee0b..28b758b6 100644 --- a/client/cmdlf.c +++ b/client/cmdlf.c @@ -45,6 +45,7 @@ #include "cmdlfjablotron.h" //for jablotron menu #include "cmdlfnoralsy.h"// for noralsy menu #include "cmdlfsecurakey.h"//for securakey menu +#include "cmdlfpac.h" // for pac menu bool g_lf_threshold_set = false; static int CmdHelp(const char *Cmd); 
@@ -1055,6 +1056,12 @@ int CmdLFfind(const char *Cmd) return CheckChipType(cmdp); } + ans=CmdPacDemod(""); + if (ans>0) { + PrintAndLog("\nValid PAC/Stanley ID Found!"); + return CheckChipType(cmdp); + } + PrintAndLog("\nNo Known Tags Found!\n"); if (testRaw=='u' || testRaw=='U') { //ans=CheckChipType(cmdp); @@ -1105,6 +1112,7 @@ static command_t CommandTable[] = {"jablotron", CmdLFJablotron, 1, "{ Jablotron RFIDs... }"}, {"nexwatch", CmdLFNexWatch, 1, "{ NexWatch RFIDs... }"}, {"noralsy", CmdLFNoralsy, 1, "{ Noralsy RFIDs... }"}, + {"pac", CmdLFPac, 1, "{ PAC/Stanley RFIDs... }"}, {"paradox", CmdLFParadox, 1, "{ Paradox RFIDs... }"}, {"presco", CmdLFPresco, 1, "{ Presco RFIDs... }"}, {"pcf7931", CmdLFPCF7931, 1, "{ PCF7931 CHIPs... }"}, diff --git a/client/cmdlfpac.c b/client/cmdlfpac.c new file mode 100644 index 00000000..ef6b394b --- /dev/null +++ b/client/cmdlfpac.c 
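Review bot: The new branch in CmdLFfind prints "Valid PAC/Stanley ID Found!" whenever `CmdPacDemod("")` returns a positive value, but the demodulator added in client/cmdlfpac.c by this same patch accepts a capture on the preamble match and the 128-bit length alone, and its header notes the checksum is unknown. A noisy or unrelated NRZ signal that happens to match would therefore be reported as valid, so this result should not be read as an integrity-checked tag read. The call sits last before "No Known Tags Found", which is the right place for a weak detector; I would record that with a comment above it, `// PAC: preamble + length match only, checksum not verified - keep this check last`. CmdLFfind starts and ends outside the hunk.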
@@ -0,0 +1,100 @@
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency Stanley/PAC tag commands
+// NRZ, RF/32, 128 bits long (unknown cs)
+//-----------------------------------------------------------------------------
+#include "cmdlfpac.h"
+#include
+#include
+#include "proxmark3.h"
+#include "ui.h"
+#include "util.h"
+#include "graph.h"
+#include "cmdparser.h"
+#include "cmddata.h"
+#include "cmdmain.h"
+#include "cmdlf.h"
+#include "lfdemod.h" // preamble test
+
+static int CmdHelp(const char *Cmd);
+
+// by marshmellow
+// find PAC preamble in already demoded data
+int PacFind(uint8_t *dest, size_t *size) {
+ if (*size < 128) return -1; //make sure buffer has data
+ size_t startIdx = 0;
+ uint8_t preamble[] = {1,1,1,1,1,1,1,1,0,0,1,0,0,0,0,0,0,1,0};
+ if (!preambleSearch(dest, preamble, sizeof(preamble), size, &startIdx))
+ return -2; //preamble not found
+ if (*size != 128) return -3; //wrong demoded size
+ //return start position
+ return (int)startIdx;
+}
+
+//see NRZDemod for what args are accepted
+int CmdPacDemod(const char *Cmd) {
+
+ //NRZ
+ if (!NRZrawDemod(Cmd, false)) {
+ if (g_debugMode) PrintAndLog("DEBUG: Error - PAC: NRZ Demod failed");
+ return 0;
+ }
+ size_t size = DemodBufferLen;
+ int ans = PacFind(DemodBuffer, &size);
+ if (ans < 0) {
+ if (g_debugMode) {
+ if (ans == -1)
+ PrintAndLog("DEBUG: Error - PAC: too few bits found");
+ else if (ans == -2)
+ PrintAndLog("DEBUG: Error - PAC: preamble not found");
+ else if (ans == -3)
+ PrintAndLog("DEBUG: Error - PAC: Size not correct: %d", size);
+ else
+ PrintAndLog("DEBUG: Error - PAC: ans: %d", ans);
+ }
+ return 0;
+ }
+ setDemodBuf(DemodBuffer, 128, ans);
+ setClockGrid(g_DemodClock, g_DemodStartIdx + (ans*g_DemodClock));
+
+ //got a good demod
+ uint32_t raw1 = bytebits_to_byte(DemodBuffer , 32);
+ uint32_t raw2 = bytebits_to_byte(DemodBuffer+32, 32);
+ uint32_t raw3 = bytebits_to_byte(DemodBuffer+64, 32);
+ uint32_t raw4 = bytebits_to_byte(DemodBuffer+96, 32);
+
+ // preamble then appears to have marker bits of "10" CS?
+ // 11111111001000000 10 01001100 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 10001100 10 100000001
+ // unknown checksum 9 bits at the end
+
+ PrintAndLog("PAC/Stanley Tag Found -- Raw: %08X%08X%08X%08X", raw1 ,raw2, raw3, raw4);
+ PrintAndLog("\nHow the Raw ID is translated by the reader is unknown");
+ return 1;
+}
+
+int CmdPacRead(const char *Cmd) {
+ lf_read(true, 4096*2 + 20);
+ return CmdPacDemod(Cmd);
+}
+
+static command_t CommandTable[] = {
+ {"help", CmdHelp, 1, "This help"},
+ {"demod", CmdPacDemod,1, "Attempt to read and extract tag data from the GraphBuffer"},
+ {"read", CmdPacRead, 0, "Attempt to read and extract tag data from the antenna"},
+ {NULL, NULL, 0, NULL}
+};
+
+int CmdLFPac(const char *Cmd) {
+ clearCommandBuffer();
+ CmdsParse(CommandTable, Cmd);
+ return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+ CmdsHelp(CommandTable);
+ return 0;
+}
diff --git a/client/cmdlfpac.h b/client/cmdlfpac.h
new file mode 100644
index 00000000..99b35a53
--- /dev/null
+++ b/client/cmdlfpac.h
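Review bot: In CmdPacDemod the `ans == -3` debug branch passes `size`, a `size_t`, to a `%d` conversion, which is undefined behaviour wherever `size_t` and `int` differ in width; use `PrintAndLog("DEBUG: Error - PAC: Size not correct: %zu", size);`, or cast the argument to `int` if the target C runtime lacks `%zu`. `PacFind` is defined with external linkage but is not declared in the new cmdlfpac.h, so it should either be marked `static` or exported there. `CmdPacRead` calls `lf_read(true, 4096*2 + 20)` and demodulates whatever the outcome; lf_read's prototype is not visible here, but if it can report a failed acquisition, samples left over from an earlier capture could be demodulated and shown as a fresh read, so that result is worth checking before calling `CmdPacDemod(Cmd)`.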
@@ -0,0 +1,17 @@
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency Securakey tag commands
+//-----------------------------------------------------------------------------
+#ifndef CMDLFPAC_H__
+#define CMDLFPAC_H__
+
+extern int CmdLFPac(const char *Cmd);
+extern int CmdPacRead(const char *Cmd);
+extern int CmdPacDemod(const char *Cmd);
+
+#endif
+
diff --git a/client/cmdlfsecurakey.c b/client/cmdlfsecurakey.c
index 8085eedc..8ae81250 100644
--- a/client/cmdlfsecurakey.c
+++ b/client/cmdlfsecurakey.c
@@ -44,7 +44,7 @@ int CmdSecurakeyDemod(const char *Cmd) {
 //ASK / Manchester
 bool st = false;
 if (!ASKDemod_ext("40 0 0", false, false, 1, &st)) {
- if (g_debugMode) PrintAndLog("DEBUG: Error - Noralsy: ASK/Manchester Demod failed");
+ if (g_debugMode) PrintAndLog("DEBUG: Error - Securakey: ASK/Manchester Demod failed");
 return 0;
 }
 if (st) return 0;
-- 2.39.5
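Review bot: The banner comment of the new client/cmdlfpac.h still reads `// Low frequency Securakey tag commands`, which looks carried over from the Securakey header; it should read `// Low frequency Stanley/PAC tag commands`, matching the banner in client/cmdlfpac.c. This is a comment-only change, and it keeps anyone searching the tree for the Securakey code from landing in the PAC header.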