From 7666f4608e8ade0ada08777d1cc33469c5d9471d Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Sun, 12 Feb 2017 23:59:44 -0500 Subject: [PATCH] update em4x05/em4x69 cmds @iceman1001 s updates + some of my own. still more to do: -auto demod responses -figure out config block -figure out block 0 info / serial # in block 1 -figure out block 3 protection data -add dump all blocks cmd --- armsrc/appmain.c | 4 +- armsrc/apps.h | 2 +- armsrc/lfops.c | 57 ++++++++---------- client/cmdlfem4x.c | 144 +++++++++++++++++++++++++++++++++------------ 4 files changed, 135 insertions(+), 72 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index ec133c7a..03855172 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1017,10 +1017,10 @@ void UsbPacketReceived(uint8_t *packet, int len) WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]); break; case CMD_EM4X_READ_WORD: - EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]); + EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]); break; case CMD_EM4X_WRITE_WORD: - EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); + EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]); break; case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation CmdAWIDdemodFSK(c->arg[0], 0, 0, 1); diff --git a/armsrc/apps.h b/armsrc/apps.h index cbe3b239..8d51335b 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -88,7 +88,7 @@ void T55xxWakeUp(uint32_t Pwd); void TurnReadLFOn(); //void T55xxReadTrace(void); void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode); -void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode); +void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd); void Cotag(uint32_t arg0); /// iso14443.h diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 0a8ce3a9..1d18c709 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -684,7 +684,7 @@ void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream) for (i=0; i>1)<>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT; // Program the data blocks for supplied ID and the block 0 config WriteT55xx(data, 0, 3); LED_D_OFF(); @@ -1571,8 +1571,6 @@ void SendForward(uint8_t fwd_bit_count) { fwd_write_ptr = forwardLink_data; fwd_bit_sz = fwd_bit_count; - LED_D_ON(); - // Set up FPGA, 125kHz LFSetupFPGAForADC(95, true); @@ -1580,7 +1578,7 @@ void SendForward(uint8_t fwd_bit_count) { fwd_bit_sz--; //prepare next bit modulation fwd_write_ptr++; FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off - SpinDelayUs(55*8); //55 cycles off (8us each)for 4305 + SpinDelayUs(56*8); //55 cycles off (8us each)for 4305 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on SpinDelayUs(16*8); //16 cycles on (8us each) @@ -1591,9 +1589,9 @@ void SendForward(uint8_t fwd_bit_count) { else { //These timings work for 4469/4269/4305 (with the 55*8 above) FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off - SpinDelayUs(23*8); //16-4 cycles off (8us each) + SpinDelayUs(20*8); //16-4 cycles off (8us each) //23 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on - SpinDelayUs(9*8); //16 cycles on (8us each) + SpinDelayUs(12*8); //16 cycles on (8us each) //9 } } } @@ -1615,13 +1613,11 @@ void EM4xLogin(uint32_t Password) { void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { uint8_t fwd_bit_count; - uint8_t *dest = BigBuf_get_addr(); - uint16_t bufferlength = BigBuf_max_traceLen(); - uint32_t i = 0; // Clear destination buffer before sending the command BigBuf_Clear_ext(false); + LED_A_ON(); //If password mode do login if (PwdMode == 1) EM4xLogin(Pwd); @@ -1629,36 +1625,28 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { fwd_bit_count = Prepare_Cmd( FWD_CMD_READ ); fwd_bit_count += Prepare_Addr( Address ); - // Connect the A/D to the peak-detected low-frequency path. - SetAdcMuxFor(GPIO_MUXSEL_LOPKD); - // Now set up the SSC to get the ADC samples that are now streaming at us. - FpgaSetupSsc(); - SendForward(fwd_bit_count); // Now do the acquisition - i = 0; - for(;;) { - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) { - AT91C_BASE_SSC->SSC_THR = 0x43; - } - if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) { - dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - i++; - if (i >= bufferlength) break; - } - } + DoAcquisition_config(TRUE); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off + LED_A_OFF(); cmd_send(CMD_ACK,0,0,0,0,0); - LED_D_OFF(); } -void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) { - +void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) { + + bool PwdMode = (flag & 0xF); + uint8_t Address = (flag >> 8) & 0xFF; uint8_t fwd_bit_count; + //clear buffer now so it does not interfere with timing later + BigBuf_Clear_ext(false); + + LED_A_ON(); //If password mode do login - if (PwdMode == 1) EM4xLogin(Pwd); + if (PwdMode) EM4xLogin(Pwd); forward_ptr = forwardLink_data; fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE ); @@ -1669,8 +1657,13 @@ void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode //Wait for write to complete SpinDelay(20); + + //Capture response if one exists + DoAcquisition_config(TRUE); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off - LED_D_OFF(); + LED_A_OFF(); + cmd_send(CMD_ACK,0,0,0,0,0); } /* Reading a COTAG. diff --git a/client/cmdlfem4x.c b/client/cmdlfem4x.c index aa0fc856..aa568e9e 100644 --- a/client/cmdlfem4x.c +++ b/client/cmdlfem4x.c @@ -18,6 +18,7 @@ #include "cmdparser.h" #include "cmddata.h" #include "cmdlf.h" +#include "cmdmain.h" #include "cmdlfem4x.h" #include "lfdemod.h" @@ -285,7 +286,7 @@ uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool } return code; } -/* Read the transmitted data of an EM4x50 tag +/* Read the transmitted data of an EM4x50 tag from the graphbuffer * Format: * * XXXXXXXX [row parity bit (even)] <- 8 bits plus parity @@ -498,53 +499,122 @@ int CmdEM4x50Read(const char *Cmd) return EM4x50Read(Cmd, true); } -int CmdReadWord(const char *Cmd) -{ - int Word = -1; //default to invalid word - UsbCommand c; - - sscanf(Cmd, "%d", &Word); +int usage_lf_em_read(void) { + PrintAndLog("Read EM4x05/EM4x69. Tag must be on antenna. "); + PrintAndLog(""); + PrintAndLog("Usage: lf em readword [h]
"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" address - memory address to read. (0-15)"); + PrintAndLog(" pwd - password (hex) (optional)"); + PrintAndLog("samples:"); + PrintAndLog(" lf em readword 1"); + PrintAndLog(" lf em readword 1 11223344"); + return 0; +} +int CmdReadWord(const char *Cmd) { + int addr, pwd; + bool usePwd = false; + uint8_t ctmp = param_getchar(Cmd, 0); + if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read(); + + addr = param_get8ex(Cmd, 0, -1, 10); + pwd = param_get32ex(Cmd, 1, -1, 16); - if ( (Word > 15) | (Word < 0) ) { - PrintAndLog("Word must be between 0 and 15"); + if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) { + PrintAndLog("Address must be between 0 and 15"); return 1; } + if ( pwd == -1 ) + PrintAndLog("Reading address %d", addr); + else { + usePwd = true; + PrintAndLog("Reading address %d | password %08X", addr, pwd); + } - PrintAndLog("Reading word %d", Word); - - c.cmd = CMD_EM4X_READ_WORD; - c.d.asBytes[0] = 0x0; //Normal mode - c.arg[0] = 0; - c.arg[1] = Word; - c.arg[2] = 0; + UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}}; + clearCommandBuffer(); SendCommand(&c); - return 0; + UsbCommand resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){ + PrintAndLog("Command timed out"); + return -1; + } + + uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples) + GetFromBigBuf(got, sizeof(got), 0); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) { + PrintAndLog("command execution time out"); + return 0; + } + setGraphBuf(got, sizeof(got)); + //todo: demodulate read data + return 1; } -int CmdReadWordPWD(const char *Cmd) -{ - int Word = -1; //default to invalid word - int Password = 0xFFFFFFFF; //default to blank password - UsbCommand c; +int usage_lf_em_write(void) { + PrintAndLog("Write EM4x05/EM4x69. Tag must be on antenna. "); + PrintAndLog(""); + PrintAndLog("Usage: lf em writeword [h]
"); + PrintAndLog("Options:"); + PrintAndLog(" h - this help"); + PrintAndLog(" address - memory address to write to. (0-15)"); + PrintAndLog(" data - data to write (hex)"); + PrintAndLog(" pwd - password (hex) (optional)"); + PrintAndLog("samples:"); + PrintAndLog(" lf em writeword 1"); + PrintAndLog(" lf em writeword 1 deadc0de 11223344"); + return 0; +} +int CmdWriteWord(const char *Cmd) { + uint8_t ctmp = param_getchar(Cmd, 0); + if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_write(); - sscanf(Cmd, "%d %x", &Word, &Password); + bool usePwd = false; + + int addr = 16; // default to invalid address + int data = 0xFFFFFFFF; // default to blank data + int pwd = 0xFFFFFFFF; // default to blank password - if ( (Word > 15) | (Word < 0) ) { - PrintAndLog("Word must be between 0 and 15"); + addr = param_get8ex(Cmd, 0, -1, 10); + data = param_get32ex(Cmd, 1, -1, 16); + pwd = param_get32ex(Cmd, 2, -1, 16); + + + if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) { + PrintAndLog("Address must be between 0 and 15"); return 1; } + if ( pwd == -1 ) + PrintAndLog("Writing address %d data %08X", addr, data); + else { + usePwd = true; + PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd); + } - PrintAndLog("Reading word %d with password %08X", Word, Password); + uint16_t flag = (addr << 8 ) | usePwd; - c.cmd = CMD_EM4X_READ_WORD; - c.d.asBytes[0] = 0x1; //Password mode - c.arg[0] = 0; - c.arg[1] = Word; - c.arg[2] = Password; + UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}}; + clearCommandBuffer(); SendCommand(&c); + UsbCommand resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){ + PrintAndLog("Error occurred, device did not respond during write operation."); + return -1; + } + //get response if there is one + uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples) + GetFromBigBuf(got, sizeof(got), 0); + if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) { + PrintAndLog("command execution time out"); + return 0; + } + setGraphBuf(got, sizeof(got)); + //todo: check response for 00001010 then write data for write confirmation! return 0; } +/* int CmdWriteWord(const char *Cmd) { int Word = 16; //default to invalid block @@ -593,7 +663,7 @@ int CmdWriteWordPWD(const char *Cmd) SendCommand(&c); return 0; } - +*/ static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, @@ -603,11 +673,11 @@ static command_t CommandTable[] = {"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"}, {"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" }, {"em410xwrite", CmdEM410xWrite, 0, " <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"}, - {"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"}, - {"readword", CmdReadWord, 1, " -- Read EM4xxx word data"}, - {"readwordPWD", CmdReadWordPWD, 1, " -- Read EM4xxx word data in password mode"}, - {"writeword", CmdWriteWord, 1, " -- Write EM4xxx word data"}, - {"writewordPWD", CmdWriteWordPWD, 1, " -- Write EM4xxx word data in password mode"}, + {"em4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"}, + {"readword", CmdReadWord, 1, " (pwd) -- Read EM4x05/EM4x69 word data"}, + //{"readwordPWD", CmdReadWordPWD, 1, " -- Read EM4xxx word data in password mode"}, + {"writeword", CmdWriteWord, 1, " (pwd) -- Write EM4x05/EM4x69 word data"}, + //{"writewordPWD", CmdWriteWordPWD, 1, " -- Write EM4xxx word data in password mode"}, {NULL, NULL, 0, NULL} }; -- 2.39.5