github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 13:53:55 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

add: Hitag S tearoff support

Browse source
This commit is contained in:
douniwan5788 2024-09-23 18:45:17 +08:00
commit 142f2e6075
2 changed files with 23 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

18
armsrc/hitagS.c
View file

@ -34,6 +34,7 @@
#include "crc.h" #include "crc.h"
#include "protocols.h" #include "protocols.h"
#include "hitag.h" #include "hitag.h"
#include "appmain.h" // tearoff_hook()
#define CRC_PRESET 0xFF #define CRC_PRESET 0xFF
#define CRC_POLYNOM 0x1D #define CRC_POLYNOM 0x1D
@ -55,6 +56,7 @@ static struct hitagS_tag tag = {
}; };
static uint8_t page_to_be_written = 0; static uint8_t page_to_be_written = 0;
static int block_data_left = 0; static int block_data_left = 0;
static bool enable_page_tearoff = false;
typedef enum modulation { typedef enum modulation {
AC2K = 0, AC2K = 0,
@ -957,7 +959,7 @@ static void hts_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint3
DBG Dbhexdump(ra_i, edges, false); DBG Dbhexdump(ra_i, edges, false);
} }
static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) { static int hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_t sizeofrx, size_t *prxbits, int t_wait, bool ledcontrol, bool ac_seq) {
LogTraceBits(tx, txlen, HITAG_T_WAIT_SC, HITAG_T_WAIT_SC, true); LogTraceBits(tx, txlen, HITAG_T_WAIT_SC, HITAG_T_WAIT_SC, true);
@ -975,6 +977,10 @@ static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_
// Transmit the reader frame // Transmit the reader frame
hitag_reader_send_frame(tx, txlen, ledcontrol); hitag_reader_send_frame(tx, txlen, ledcontrol);
if (enable_page_tearoff && tearoff_hook() == PM3_ETEAROFF) {
return PM3_ETEAROFF;
}
// Enable and reset external trigger in timer for capturing future frames // Enable and reset external trigger in timer for capturing future frames
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
@ -1046,6 +1052,8 @@ static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_
LogTraceBits(rx, k, resptime, resptime, false); LogTraceBits(rx, k, resptime, resptime, false);
} }
*prxbits = k; *prxbits = k;
return PM3_SUCCESS;
} }
static int hts_select_tag(const lf_hitag_data_t *packet, uint8_t *tx, size_t sizeoftx, uint8_t *rx, size_t sizeofrx, int t_wait, bool ledcontrol) { static int hts_select_tag(const lf_hitag_data_t *packet, uint8_t *tx, size_t sizeoftx, uint8_t *rx, size_t sizeofrx, int t_wait, bool ledcontrol) {
@ -1402,7 +1410,13 @@ void hts_write_page(const lf_hitag_data_t *payload, bool ledcontrol) {
crc = CRC8Hitag1Bits(tx, txlen); crc = CRC8Hitag1Bits(tx, txlen);
txlen = concatbits(tx, txlen, &crc, 0, 8); txlen = concatbits(tx, txlen, &crc, 0, 8);
hts_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, false); enable_page_tearoff = g_tearoff_enabled;
if (hts_send_receive(tx, txlen, rx, ARRAYLEN(rx), &rxlen, HITAG_T_WAIT_SC, ledcontrol, false) == PM3_ETEAROFF) {
res = PM3_ETEAROFF;
enable_page_tearoff = false;
goto write_end;
}
if ((rxlen != 2) || (rx[0] >> (8 - 2) != 0x01)) { if ((rxlen != 2) || (rx[0] >> (8 - 2) != 0x01)) {
res = PM3_ESOFT; // write failed res = PM3_ESOFT; // write failed

7
doc/magic_cards_notes.md
View file

@ -205,6 +205,13 @@ This is an "improved" variant of ID82xx chips, bypassing some magic detection in
* Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8268](#id-f8268) when set CON1 AUT bit * Chip is likely a cut down version of Hitag S2048 clone, Characteristics looks exacly same with [8268](#id-f8268) when set CON1 AUT bit
* No password protection * No password protection
* tearoff time
* The OTP bits do not appear to be erased first. Write done time is less than 735µs
* nochange 0-735µs
* bit flip 735-740µs
* wiped 740-3250µs
* bit flip 3250-3350µs
* write done 3350µs+
* page 1 default: `CA 24 00 00` * page 1 default: `CA 24 00 00`
* CON0 RES0 enable some extended TTFM * CON0 RES0 enable some extended TTFM
* TTFM 01: page 4, page 5, page 6 * TTFM 01: page 4, page 5, page 6