From 69f42a0593bcb5b52fabe358668358390b4af056 Mon Sep 17 00:00:00 2001
From: marshmellow42 <marshmellow42@users.noreply.github.com>
Date: Fri, 14 Jul 2017 08:04:46 -0400
Subject: [PATCH 1/1] add lf PAC/Stanley tag read (#354)

lf pac read - read from antenna and demod
lf pac demod - demodulate from graphbuffer
fix typo in securakey
---
 CHANGELOG.md            |   4 +-
 client/cmdlf.c          |   8 ++++
 client/cmdlfpac.c       | 100 ++++++++++++++++++++++++++++++++++++++++
 client/cmdlfpac.h       |  17 +++++++
 client/cmdlfsecurakey.c |   2 +-
 5 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 client/cmdlfpac.c
 create mode 100644 client/cmdlfpac.h

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6fdda88b..f34b78f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,9 +11,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
 ### Fixed
 
 ### Added
+- Added PAC/Stanley detection to lf search (marshmellow)
+- Added lf pac demod and lf pac read - extracts the raw blocks from a PAC/Stanley tag (marshmellow)
 - Added hf mf c* commands compatibity for 4k and gen1b backdoor (Fl0-0)
 - Added backdoor detection for gen1b magic s70/4k tag (Fl0-0)
-- Added data fsktonrz, a fsk cleaning/demodulating routine for weak fsk signal. Note: follow this up with a `data rawdemod nr` to finish demoding your signal.
+- Added data fsktonrz, a fsk cleaning/demodulating routine for weak fsk signal. Note: follow this up with a `data rawdemod nr` to finish demoding your signal. (marshmellow)
 - Added lf em 410xbrute, LF EM410x reader bruteforce attack by simulating UIDs from a file (Fl0-0)
 
 ## [3.0.1][2017-06-08]
diff --git a/client/cmdlf.c b/client/cmdlf.c
index 79bcee0b..28b758b6 100644
--- a/client/cmdlf.c
+++ b/client/cmdlf.c
@@ -45,6 +45,7 @@
 #include "cmdlfjablotron.h" //for jablotron menu
 #include "cmdlfnoralsy.h"// for noralsy menu
 #include "cmdlfsecurakey.h"//for securakey menu
+#include "cmdlfpac.h"    // for pac menu
 
 bool g_lf_threshold_set = false;
 static int CmdHelp(const char *Cmd);
@@ -1055,6 +1056,12 @@ int CmdLFfind(const char *Cmd)
 		return CheckChipType(cmdp);
 	}
 
+	ans=CmdPacDemod("");
+	if (ans>0) {
+		PrintAndLog("\nValid PAC/Stanley ID Found!");
+		return CheckChipType(cmdp);		
+	}
+
 	PrintAndLog("\nNo Known Tags Found!\n");
 	if (testRaw=='u' || testRaw=='U') {
 		//ans=CheckChipType(cmdp);
@@ -1105,6 +1112,7 @@ static command_t CommandTable[] =
 	{"jablotron",   CmdLFJablotron,     1, "{ Jablotron RFIDs...         }"},
 	{"nexwatch",    CmdLFNexWatch,      1, "{ NexWatch RFIDs...          }"},
 	{"noralsy",     CmdLFNoralsy,       1, "{ Noralsy RFIDs...           }"},
+	{"pac",         CmdLFPac,           1, "{ PAC/Stanley RFIDs...       }"},
 	{"paradox",     CmdLFParadox,       1, "{ Paradox RFIDs...           }"},
 	{"presco",      CmdLFPresco,        1, "{ Presco RFIDs...            }"},
 	{"pcf7931",     CmdLFPCF7931,       1, "{ PCF7931 CHIPs...           }"},
diff --git a/client/cmdlfpac.c b/client/cmdlfpac.c
new file mode 100644
index 00000000..ef6b394b
--- /dev/null
+++ b/client/cmdlfpac.c
@@ -0,0 +1,100 @@
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency Stanley/PAC tag commands
+// NRZ, RF/32, 128 bits long (unknown cs)
+//-----------------------------------------------------------------------------
+#include "cmdlfpac.h"
+#include <string.h>
+#include <inttypes.h>
+#include "proxmark3.h"
+#include "ui.h"
+#include "util.h"
+#include "graph.h"
+#include "cmdparser.h"
+#include "cmddata.h"
+#include "cmdmain.h"
+#include "cmdlf.h"
+#include "lfdemod.h"    // preamble test
+
+static int CmdHelp(const char *Cmd);
+
+// by marshmellow
+// find PAC preamble in already demoded data
+int PacFind(uint8_t *dest, size_t *size) {
+	if (*size < 128) return -1; //make sure buffer has data
+	size_t startIdx = 0;
+	uint8_t preamble[] = {1,1,1,1,1,1,1,1,0,0,1,0,0,0,0,0,0,1,0};
+	if (!preambleSearch(dest, preamble, sizeof(preamble), size, &startIdx))
+		return -2; //preamble not found
+	if (*size != 128) return -3; //wrong demoded size
+	//return start position
+	return (int)startIdx;
+}
+
+//see NRZDemod for what args are accepted
+int CmdPacDemod(const char *Cmd) {
+
+	//NRZ
+	if (!NRZrawDemod(Cmd, false)) {
+		if (g_debugMode) PrintAndLog("DEBUG: Error - PAC: NRZ Demod failed");
+		return 0;
+	}
+	size_t size = DemodBufferLen;
+	int ans = PacFind(DemodBuffer, &size);
+	if (ans < 0) {
+		if (g_debugMode) {
+			if (ans == -1)
+				PrintAndLog("DEBUG: Error - PAC: too few bits found");
+			else if (ans == -2)
+				PrintAndLog("DEBUG: Error - PAC: preamble not found");
+			else if (ans == -3)
+				PrintAndLog("DEBUG: Error - PAC: Size not correct: %d", size);
+			else
+				PrintAndLog("DEBUG: Error - PAC: ans: %d", ans);
+		}
+		return 0;
+	}
+	setDemodBuf(DemodBuffer, 128, ans);
+	setClockGrid(g_DemodClock, g_DemodStartIdx + (ans*g_DemodClock));
+
+	//got a good demod
+	uint32_t raw1 = bytebits_to_byte(DemodBuffer   , 32);
+	uint32_t raw2 = bytebits_to_byte(DemodBuffer+32, 32);
+	uint32_t raw3 = bytebits_to_byte(DemodBuffer+64, 32);
+	uint32_t raw4 = bytebits_to_byte(DemodBuffer+96, 32);
+
+	// preamble     then appears to have marker bits of "10"                                                                                                                                       CS?    
+	// 11111111001000000 10 01001100 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 00001101 10 10001100 10 100000001
+	// unknown checksum 9 bits at the end
+	
+	PrintAndLog("PAC/Stanley Tag Found -- Raw: %08X%08X%08X%08X", raw1 ,raw2, raw3, raw4);
+	PrintAndLog("\nHow the Raw ID is translated by the reader is unknown");
+	return 1;
+}
+
+int CmdPacRead(const char *Cmd) {
+	lf_read(true, 4096*2 + 20);
+	return CmdPacDemod(Cmd);
+}
+
+static command_t CommandTable[] = {
+	{"help",  CmdHelp,    1, "This help"},
+	{"demod", CmdPacDemod,1, "Attempt to read and extract tag data from the GraphBuffer"},
+	{"read",  CmdPacRead, 0, "Attempt to read and extract tag data from the antenna"},
+	{NULL, NULL, 0, NULL}
+};
+
+int CmdLFPac(const char *Cmd) {
+	clearCommandBuffer();
+	CmdsParse(CommandTable, Cmd);
+	return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+	CmdsHelp(CommandTable);
+	return 0;
+}
diff --git a/client/cmdlfpac.h b/client/cmdlfpac.h
new file mode 100644
index 00000000..99b35a53
--- /dev/null
+++ b/client/cmdlfpac.h
@@ -0,0 +1,17 @@
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency Securakey tag commands
+//-----------------------------------------------------------------------------
+#ifndef CMDLFPAC_H__
+#define CMDLFPAC_H__
+
+extern int CmdLFPac(const char *Cmd);
+extern int CmdPacRead(const char *Cmd);
+extern int CmdPacDemod(const char *Cmd);
+
+#endif
+
diff --git a/client/cmdlfsecurakey.c b/client/cmdlfsecurakey.c
index 8085eedc..8ae81250 100644
--- a/client/cmdlfsecurakey.c
+++ b/client/cmdlfsecurakey.c
@@ -44,7 +44,7 @@ int CmdSecurakeyDemod(const char *Cmd) {
 	//ASK / Manchester
 	bool st = false;
 	if (!ASKDemod_ext("40 0 0", false, false, 1, &st)) {
-		if (g_debugMode) PrintAndLog("DEBUG: Error - Noralsy: ASK/Manchester Demod failed");
+		if (g_debugMode) PrintAndLog("DEBUG: Error - Securakey: ASK/Manchester Demod failed");
 		return 0;
 	}
 	if (st) return 0;
-- 
2.39.5