diff --git a/CHANGELOG.md b/CHANGELOG.md index 899d79a53..6791e748a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added lf em functions: 4x50_info, 4x50_write, 4x50_write_password (@tharexde) - Fix em4x50 demodulation error (@tharexde) - Fix `hf mfdes` authentification issues, DES working (@bkerler) - Add Android cross-compilation to client cmake (@dxl, @doegox) diff --git a/armsrc/Makefile b/armsrc/Makefile index f4eb19963..1bbbf2ba7 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -63,6 +63,12 @@ else SRC_HITAG = endif +ifneq (,$(findstring WITH_EM4x50,$(APP_CFLAGS))) + SRC_EM4x50 = em4x50.c +else + SRC_EM4x50 = +endif + ifneq (,$(findstring WITH_LCD,$(APP_CFLAGS))) SRC_LCD = fonts.c LCD.c else @@ -99,6 +105,7 @@ THUMBSRC = start.c \ $(SRC_SMARTCARD) \ $(SRC_FPC) \ $(SRC_HITAG) \ + $(SRC_EM4x50) \ $(SRC_SPIFFS) \ $(SRC_ISO14443a) \ $(SRC_ISO14443b) \ diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 5c82ebbe8..ad02eae2f 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -29,6 +29,7 @@ #include "felica.h" #include "hitag2.h" #include "hitagS.h" +#include "em4x50.h" #include "iclass.h" #include "legicrfsim.h" #include "epa.h" @@ -454,6 +455,11 @@ static void SendCapabilities(void) { #else capabilities.compiled_with_hitag = false; #endif +#ifdef WITH_EM4x50 + capabilities.compiled_with_em4x50 = true; +#else + capabilities.compiled_with_em4x50 = false; +#endif #ifdef WITH_HFSNIFF capabilities.compiled_with_hfsniff = true; #else @@ -1000,6 +1006,21 @@ static void PacketReceived(PacketCommandNG *packet) { } #endif +#ifdef WITH_EM4x50 + case CMD_LF_EM4X50_INFO: { + em4x50_info((em4x50_data_t *)packet->data.asBytes); + break; + } + case CMD_LF_EM4X50_WRITE: { + em4x50_write((em4x50_data_t *)packet->data.asBytes); + break; + } + case CMD_LF_EM4X50_WRITE_PASSWORD: { + em4x50_write_password((em4x50_data_t *)packet->data.asBytes); + break; + } +#endif + #ifdef WITH_ISO15693 case CMD_HF_ISO15693_ACQ_RAW_ADC: { AcquireRawAdcSamplesIso15693(); diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c new file mode 100644 index 000000000..b9295e9ed --- /dev/null +++ b/armsrc/em4x50.c @@ -0,0 +1,911 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#include "fpgaloader.h" +#include "ticks.h" +#include "dbprint.h" +#include "lfadc.h" +#include "commonutil.h" +#include "em4x50.h" + +// 4 data bytes +// + byte with row parities +// + column parity byte +// + byte with stop bit + +static em4x50_tag_t tag = { + .sectors = { + [0] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // password + [1] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // protection word + [2] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // control word + [3] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [4] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [5] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [7] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [9] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [10] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [11] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [12] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [13] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [14] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [15] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [17] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [18] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [19] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [20] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [21] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [22] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [23] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [24] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [25] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [26] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [27] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [28] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [29] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [30] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [31] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device serial number + [33] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device identification + }, +}; + +// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK) +// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz +// EM4x50 units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier) +// T0 = TIMER_CLOCK1 / 125000 = 192 + +#ifndef T0 +#define T0 192 +#endif + +#define EM4X50_T_TAG_QUARTER_PERIOD 16 +#define EM4X50_T_TAG_HALF_PERIOD 32 +#define EM4X50_T_TAG_THREE_QUARTER_PERIOD 48 +#define EM4X50_T_TAG_FULL_PERIOD 64 +#define EM4X50_T_WAITING_FOR_LIW 500 +#define EM4X50_T_TAG_TPP 64 +#define EM4X50_T_TAG_TWA 64 + +#define EM4X50_TAG_TOLERANCE 8 +#define EM4X50_TAG_WORD 45 + +#define EM4X50_BIT_0 0 +#define EM4X50_BIT_1 1 +#define EM4X50_BIT_OTHER 2 + +#define EM4X50_COMMAND_LOGIN 0x01 +#define EM4X50_COMMAND_RESET 0x80 +#define EM4X50_COMMAND_WRITE 0x12 +#define EM4X50_COMMAND_WRITE_PASSWORD 0x11 +#define EM4X50_COMMAND_SELECTIVE_READ 0x0A + +#define FPGA_TIMER_0 0 + +int gHigh = 0; +int gLow = 0; + +// auxiliary functions + +static void init_tag(void) { + + // initialize global tag structure + + for (int i = 0; i < 34; i++) + for (int j = 0; j < 7; j++) + tag.sectors[i][j] = 0x00; +} + +static uint8_t bits2byte(uint8_t *bits, int length) { + + // converts separate bits into a single "byte" + + uint8_t byte = 0; + + for (int i = 0; i < length; i++) { + + byte |= bits[i]; + + if (i != length-1) + byte <<= 1; + } + + return byte; +} + +static void msb2lsb_word(uint8_t *word) { + + // reorders given according to EM4x50 datasheet (msb -> lsb) + + uint8_t buff[4]; + + buff[0] = reflect8(word[3]); + buff[1] = reflect8(word[2]); + buff[2] = reflect8(word[1]); + buff[3] = reflect8(word[0]); + + word[0] = buff[0]; + word[1] = buff[1]; + word[2] = buff[2]; + word[3] = buff[3]; +} + +static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) { + + // split "raw" word into data, row and column parity bits and stop bit and + // save them in global tag structure + + uint8_t row_parity[4]; + uint8_t col_parity[8]; + + // data and row parities + for (int i = 0; i < 4; i++) { + tag.sectors[pos][i] = bits2byte(&bits[9*i],8); + row_parity[i] = bits[9*i+8]; + } + + tag.sectors[pos][4] = bits2byte(row_parity,4); + + // column parities + for (int i = 0; i < 8; i++) + col_parity[i] = bits[36+i]; + + tag.sectors[pos][5] = bits2byte(col_parity,8); + + // stop bit + tag.sectors[pos][6] = bits[44]; +} + +static void wait_timer(int timer, uint32_t period) { + + // do nothing for using timer + + if (timer == FPGA_TIMER_0) { + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < period); + + } else { + + AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC1->TC_CV < period); + + } +} + +static void em4x50_setup_read(void) { + + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + + // 50ms for the resonant antenna to settle. + SpinDelay(50); + // Now set up the SSC to get the ADC samples that are now streaming at us. + FpgaSetupSsc(); + // start a 1.5ticks is 1us + StartTicks(); + + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); + + // Connect the A/D to the peak-detected low-frequency path. + SetAdcMuxFor(GPIO_MUXSEL_LOPKD); + + // Steal this pin from the SSP (SPI communication channel with fpga) and + // use it to control the modulation + AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT; + AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; + + // Disable modulation at default, which means enable the field + LOW(GPIO_SSC_DOUT); + + // Enable Peripheral Clock for + // TIMER_CLOCK0, used to measure exact timing before answering + // TIMER_CLOCK1, used to capture edges of the tag frames + AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1); + AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME; + + // Disable timer during configuration + AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; + AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; + + // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers + AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK; + + // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers + AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK; + + // Enable and reset counters + AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; + AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; + + // synchronized startup procedure + while (AT91C_BASE_TC0->TC_CV > 0) {}; // wait until TC1 returned to zero + + // Watchdog hit + WDT_HIT(); +} + +// functions for "reader" use case + +static void get_signalproperties(void) { + + // calculate signal properties (mean amplitudes) from measured data: + // 32 amplitudes (maximum values) -> mean amplitude value -> gHigh -> gLow + + int no_periods = 32, pct = 75, noise = 140; + uint8_t sample = 0, sample_ref = 127; + uint8_t sample_max_mean = 0; + uint8_t sample_max[no_periods]; + uint32_t sample_max_sum = 0; + + // wait until signal/noise > 1 + while (AT91C_BASE_SSC->SSC_RHR < noise); + + // calculate mean maximum value of 32 periods, each period has a length of + // 3 single "full periods" to eliminate the influence of a listen window + for (int i = 0; i < no_periods; i++) { + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < T0 * 3 * EM4X50_T_TAG_FULL_PERIOD) { + + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + if (sample > sample_max[i]) + sample_max[i] = sample; + + } + + sample_max_sum += sample_max[i]; + } + + sample_max_mean = sample_max_sum / no_periods; + + // set global envelope variables + gHigh = sample_ref + pct * (sample_max_mean - sample_ref) / 100; + gLow = sample_ref - pct * (sample_max_mean - sample_ref) / 100; + +} + +static int get_next_bit(void) { + + // returns bit value (or EM4X50_BIT_OTHER -> no bit pattern) by evaluating + // a single sample within a bit period (given there is no LIW, ACK or NAK) + // This function is not used for decoding, it is only used for identifying + // a listen window (return value = EM4X50_BIT_OTHER) in functions + // "find_double_listen_window" and "check_ack" + + uint8_t sample; + + // get sample at 3/4 of bit period + wait_timer(0, T0 * EM4X50_T_TAG_THREE_QUARTER_PERIOD); + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + // wait until end of bit period + wait_timer(0, T0 * EM4X50_T_TAG_QUARTER_PERIOD); + + // decide wether "0" or "1" + if (sample > gHigh) + return EM4X50_BIT_0; + else if (sample < gLow) + return EM4X50_BIT_1; + + return EM4X50_BIT_OTHER; +} + +static uint32_t get_pulse_length(void) { + + // iterates pulse length (low -> high -> low) + + uint8_t sample = 0; + + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + while (sample > gLow) + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; + + while (sample < gHigh) + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + while (sample > gLow) + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + return (uint32_t)AT91C_BASE_TC1->TC_CV; +} + +static bool check_pulse_length(uint32_t pl, int length) { + + // check if pulse length corresponds to given length + + if ((pl >= T0 * (length - EM4X50_TAG_TOLERANCE)) & + (pl <= T0 * (length + EM4X50_TAG_TOLERANCE))) + return true; + else + return false; +} + +static void em4x50_send_bit(int bit) { + + // send single bit according to EM4x50 application note and datasheet + + // reset clock for the next bit + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + + if (bit == 0) { + + // disable modulation (drop the field) for 7 cycles of carrier + // period (Opt64) + LOW(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * 7); + + // enable modulation (activates the field) for remaining first + // half of bit period + HIGH(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_HALF_PERIOD); + + // disable modulation for second half of bit period + LOW(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD); + + } else { + + // bit = "1" means disable modulation for full bit period + LOW(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD); + } +} + +static void em4x50_send_byte(uint8_t byte) { + + // send byte (without parity) + + for (int i = 0; i < 8; i++) + em4x50_send_bit((byte >> (7-i)) & 1); + +} + +static void em4x50_send_byte_with_parity(uint8_t byte) { + + // send byte followed by its (equal) parity bit + + int parity = 0, bit = 0; + + for (int i = 0; i < 8; i++) { + bit = (byte >> (7-i)) & 1; + em4x50_send_bit(bit); + parity ^= bit; + } + + em4x50_send_bit(parity); +} + +static void em4x50_send_word(const uint8_t bytes[4]) { + + // send 32 bit word with parity bits according to EM4x50 datasheet + + for (int i = 0; i < 4; i++) + em4x50_send_byte_with_parity(bytes[i]); + + // send column parities + em4x50_send_byte(bytes[0] ^ bytes[1] ^ bytes[2] ^ bytes[3]); + + // send final stop bit (always "0") + em4x50_send_bit(0); +} + +static bool find_double_listen_window(bool bcommand) { + + // find two successive listen windows that indicate the beginning of + // data transmission + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_WAITING_FOR_LIW) { + + // identification of listen window is done via evaluation of + // pulse lengths + if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) { + + if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // first listen window found + + if (bcommand) { + + // data transmission from card has to be stopped, because + // a commamd shall be issued + + // unfortunately the posititon in listen window (where + // command request has to be sent) has gone, so if a + // second window follows - sync on this to issue a command + + // skip the next bit... + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_FULL_PERIOD); + + // ...and check if the following bit does make sense + // (if not it is the correct position within the second + // listen window) + if (get_next_bit() == EM4X50_BIT_OTHER) { + + // send RM for request mode + em4x50_send_bit(0); + em4x50_send_bit(0); + + return true; + } + + } + + if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) { + + // return although second listen window consists of one + // more bit period but this period is necessary for + // evaluating further pulse lengths + return true; + } + } + } + } + + return false; +} + +static bool request_receive_mode(void) { + + // To issue a command we have to find a listen window first. + // Because identification and sychronization at the same time is not + // possible when using pulse lengths a double listen window is used. + + bool bcommand = true; + + return find_double_listen_window(bcommand); +} + +static bool check_ack(bool bliw) { + + // returns true if signal structue corresponds to ACK, anything else is + // counted as NAK (-> false) + // Only relevant for pasword writing function: + // If is true then within the single listen window right after the + // ack signal a RM request has to be sent. + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < T0 * 4 * EM4X50_T_TAG_FULL_PERIOD) { + + if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // The received signal is either ACK or NAK. + + if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // Now the signal must be ACK. + + if (!bliw) { + + return true; + + } else { + + // send RM request after ack signal + + // wait for 2 bits (remaining "bit" of ACK signal + first + // "bit" of listen window) + wait_timer(FPGA_TIMER_0, T0 * 2 * EM4X50_T_TAG_FULL_PERIOD); + + // check for listen window (if first bit cannot be inerpreted + // as a valid bit it must belong to a listen window) + if (get_next_bit() == EM4X50_BIT_OTHER) { + + // send RM for request mode + em4x50_send_bit(0); + em4x50_send_bit(0); + + return true; + } + } + } + } + } + + return false; +} + +static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) { + + // decodes one word by evaluating pulse lengths and previous bit; + // word must have 45 bits in total: + // 32 data bits + 4 row parity bits + 8 column parity bits + 1 stop bit + + bool bbitchange = false; + int i = 0; + uint32_t pl = 0; + + // initial bit value depends on last pulse length of listen window + pl = get_pulse_length(); + if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) { + + // pulse length = 1.5 + bits[0] = 1; + + } else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length = 2 + bits[0] = 0; + bbitchange = true; + + } else { + + // pulse length = 2.5 + bits[0] = 0; + bits[1] = 1; + i++; + } + + // identify remaining bits based on pulse lengths + // between two listen windows only pulse lengths of 1, 1.5 and 2 are possible + while (true) { + + i++; + pl = get_pulse_length(); + + if (check_pulse_length(pl, EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length = 1 -> keep former bit value + bits[i] = bits[i-1]; + + } else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) { + + // pulse length = 1.5 -> decision on bit change + + if (bbitchange) { + + // if number of pulse lengths with 1.5 periods is even -> add bit + bits[i] = (bits[i-1] == 1) ? 1 : 0; + + // pulse length of 1.5 changes bit value + bits[i+1] = (bits[i] == 1) ? 0 : 1; + i++; + + // next time add only one bit + bbitchange = false; + + } else { + + bits[i] = (bits[i-1] == 1) ? 0 : 1; + + // next time two bits have to be added + bbitchange = true; + } + + } else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length of 2 means: adding 2 bits "01" + bits[i] = 0; + bits[i+1] = 1; + i++; + + } else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length of 3 indicates listen window -> clear last + // bit (= 0) and return + return --i; + + } + } +} + +// login function + +static bool login(uint8_t password[4]) { + + // simple login to EM4x50, + // used in operations that require authentication + + if (request_receive_mode ()) { + + // send login command + em4x50_send_byte_with_parity(EM4X50_COMMAND_LOGIN); + + // send password + em4x50_send_word(password); + + // check if ACK is returned + if (check_ack(false)) + return true; + + } else { + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); + } + + return false; +} + +// reset function + +static bool reset(void) { + + // resets EM4x50 tag (used by write function) + + if (request_receive_mode ()) { + + // send login command + em4x50_send_byte_with_parity(EM4X50_COMMAND_RESET); + + if (check_ack(false)) + return true; + + } else { + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); + } + + return false; +} + +// read functions + +static bool standard_read(int *now) { + + // reads data that tag transmits when exposed to reader field + // (standard read mode); number of read words is saved in + + int fwr = *now; + uint8_t bits[EM4X50_TAG_WORD] = {0}; + + // start with the identification of two succsessive listening windows + if (find_double_listen_window(false)) { + + // read and save words until following double listen window is detected + while (get_word_from_bitstream(bits) == EM4X50_TAG_WORD) + save_word((*now)++, bits); + + // number of detected words + *now -= fwr; + + return true; + + } else { + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("didn't find a listen window"); + } + + return false; +} + +static bool selective_read(uint8_t addresses[4]) { + + // reads from "first word read" (fwr = addresses[3]) to "last word read" + // (lwr = addresses[2]) + // result is verified by "standard read mode" + + int fwr = addresses[3]; // first word read + int lwr = addresses[2]; // last word read + int now = fwr; // number of words + + if (request_receive_mode()) { + + // send selective read command + em4x50_send_byte_with_parity(EM4X50_COMMAND_SELECTIVE_READ); + + // send address data + em4x50_send_word(addresses); + + // look for ACK sequence + if (check_ack(false)) + + // save and verify via standard read mode (compare number of words) + if (standard_read(&now)) + if (now == (lwr - fwr + 1)) + return true; + + } else { + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); + } + + return false; +} + +void em4x50_info(em4x50_data_t *etd) { + + // collects as much information as possible via selective read mode + // if no password is given -> try with standard password "0x00000000" + // otherwise continue without login + + bool bsuccess = false, blogin = false; + uint8_t status = 0; + uint8_t addresses[] = {0x00, 0x00, 0x21, 0x00}; // fwr = 0, lwr = 33 + uint8_t password[] = {0x00, 0x00, 0x00, 0x00}; // default password + + init_tag(); + em4x50_setup_read(); + + // set gHigh and gLow + get_signalproperties(); + + if (etd->pwd_given) { + + // try to login with given password + blogin = login(etd->password); + + } else { + + // if no password is given, try to login with "0x00000000" + blogin = login(password); + + } + + bsuccess = selective_read(addresses); + + status = (bsuccess << 1) + blogin; + + lf_finalize(); + reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238); +} + +// write functions + +static bool write(uint8_t word[4], uint8_t address) { + + // writes to specified
+ + if (request_receive_mode()) { + + // send write command + em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE); + + // send address data + em4x50_send_byte_with_parity(address); + + // send data + em4x50_send_word(word); + + // wait for T0 * EM4X50_T_TAG_TWA (write access time) + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA); + + // look for ACK sequence + if (check_ack(false)) { + + // now EM4x50 needs T0 * EM4X50_T_TAG_TWEE (EEPROM write time) + // for saving data and should return with ACK + if (check_ack(false)) + return true; + + } + + } else { + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); + } + + return false; +} + +static bool write_password(uint8_t password[4], uint8_t new_password[4]) { + + // changes password from to + + if (request_receive_mode()) { + + // send write password command + em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE_PASSWORD); + + // send address data + em4x50_send_word(password); + + // wait for T0 * EM4x50_T_TAG_TPP (processing pause time) + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TPP); + + // look for ACK sequence and send rm request + // during following listen window + if (check_ack(true)) { + + // send new password + em4x50_send_word(new_password); + + // wait for T0 * EM4X50_T_TAG_TWA (write access time) + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA); + + if (check_ack(false)) + if (check_ack(false)) + return true; + + } + + } else { + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); + } + + return false; +} + +void em4x50_write(em4x50_data_t *etd) { + + // write operation process for EM4x50 tag, + // single word is written to given address, verified by selective read operation + + bool bsuccess = false, blogin = false; + uint8_t status = 0; + uint8_t word[4] = {0x00, 0x00, 0x00, 0x00}; + uint8_t addresses[4] = {0x00, 0x00, 0x00, 0x00}; + + init_tag(); + em4x50_setup_read(); + + // set gHigh and gLow + get_signalproperties(); + + // reorder word according to datasheet + msb2lsb_word(etd->word); + + // if password is given try to login first + if (etd->pwd_given) + blogin = login(etd->password); + + // write word to given address + if (write(etd->word, etd->address)) { + + // to verify result reset EM4x50 + if (reset()) { + + // if password is given login + if (etd->pwd_given) + blogin &= login(etd->password); + + // perform a selective read + addresses[2] = addresses[3] = etd->address; + if (selective_read(addresses)) { + + // compare with given word + word[0] = tag.sectors[etd->address][0]; + word[1] = tag.sectors[etd->address][1]; + word[2] = tag.sectors[etd->address][2]; + word[3] = tag.sectors[etd->address][3]; + msb2lsb_word(word); + + bsuccess = true; + for (int i = 0; i < 4; i++) + bsuccess &= (word[i] == etd->word[i]) ? true : false; + + } + } + } + + status = (bsuccess << 1) + blogin; + + lf_finalize(); + reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238); +} + +void em4x50_write_password(em4x50_data_t *etd) { + + // sinmple change of password + + bool bsuccess = false; + + init_tag(); + em4x50_setup_read(); + + // set gHigh and gLow + get_signalproperties(); + + // login and change password + if (login(etd->password)) { + bsuccess = write_password(etd->password, etd->new_password); + } + + lf_finalize(); + reply_ng(CMD_ACK, bsuccess, 0, 0); +} diff --git a/armsrc/em4x50.h b/armsrc/em4x50.h new file mode 100644 index 000000000..746ca4811 --- /dev/null +++ b/armsrc/em4x50.h @@ -0,0 +1,24 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#ifndef EM4X50_H +#define EM4X50_H + +#include "../include/em4x50.h" + +typedef struct { + uint8_t sectors[34][7]; +} em4x50_tag_t; + +void em4x50_info(em4x50_data_t *etd); +void em4x50_write(em4x50_data_t *etd); +void em4x50_write_password(em4x50_data_t *etd); + +#endif /* EM4X50_H */ diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index 3529754a5..2850053e6 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -240,6 +240,7 @@ set (TARGET_SOURCES ${PM3_ROOT}/client/src/cmdlfawid.c ${PM3_ROOT}/client/src/cmdlfcotag.c ${PM3_ROOT}/client/src/cmdlfem4x.c + ${PM3_ROOT}/client/src/cmdlfem4x50.c ${PM3_ROOT}/client/src/cmdlffdx.c ${PM3_ROOT}/client/src/cmdlfgallagher.c ${PM3_ROOT}/client/src/cmdlfguard.c diff --git a/client/Makefile b/client/Makefile index 3bd059318..a4e8b193d 100644 --- a/client/Makefile +++ b/client/Makefile @@ -439,6 +439,7 @@ SRCS = aidsearch.c \ cmdlfawid.c \ cmdlfcotag.c \ cmdlfem4x.c \ + cmdlfem4x50.c \ cmdlffdx.c \ cmdlfguard.c \ cmdlfgallagher.c \ diff --git a/client/src/cmdlfem4x.c b/client/src/cmdlfem4x.c index 9d7cdd8b6..a94882cb6 100644 --- a/client/src/cmdlfem4x.c +++ b/client/src/cmdlfem4x.c @@ -9,6 +9,7 @@ //----------------------------------------------------------------------------- #include "cmdlfem4x.h" +#include "cmdlfem4x50.h" #include #include @@ -149,20 +150,6 @@ static int usage_lf_em4x50_read(void) { PrintAndLogEx(NORMAL, " lf em 4x50_read 1 11223344"); return PM3_SUCCESS; } -static int usage_lf_em4x50_write(void) { - PrintAndLogEx(NORMAL, "Write EM 4x50/4x69. Tag must be on antenna. "); - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h]
"); - PrintAndLogEx(NORMAL, "Options:"); - PrintAndLogEx(NORMAL, " h - this help"); - PrintAndLogEx(NORMAL, " address - memory address to write to. (0-15)"); - PrintAndLogEx(NORMAL, " data - data to write (hex)"); - PrintAndLogEx(NORMAL, " pwd - password (hex) (optional)"); - PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de"); - PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de 11223344"); - return PM3_SUCCESS; -} //////////////// 4205 / 4305 commands static int usage_lf_em4x05_dump(void) { @@ -1052,16 +1039,6 @@ static int CmdEM4x50Read(const char *Cmd) { return EM4x50Read(Cmd, true); } -static int CmdEM4x50Write(const char *Cmd) { - uint8_t ctmp = tolower(param_getchar(Cmd, 0)); - if (ctmp == 'h') return usage_lf_em4x50_write(); - PrintAndLogEx(NORMAL, "no implemented yet"); -// -// PrintAndLogEx(SUCCESS, "Done"); -// PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf em 4x50_read`") " to verify"); - return PM3_SUCCESS; -} - static int CmdEM4x50Dump(const char *Cmd) { uint8_t ctmp = tolower(param_getchar(Cmd, 0)); if (ctmp == 'h') return usage_lf_em4x50_dump(); @@ -1779,7 +1756,9 @@ static command_t CommandTable[] = { {"4x50_demod", CmdEM4x50Demod, AlwaysAvailable, "demodulate a EM4x50 tag from the GraphBuffer"}, {"4x50_dump", CmdEM4x50Dump, IfPm3Lf, "dump EM4x50 tag"}, {"4x50_read", CmdEM4x50Read, IfPm3Lf, "read word data from EM4x50"}, + {"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"}, {"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"}, + {"4x50_write_password", CmdEM4x50WritePassword, IfPm3Lf, "change passwword of EM4x50 tag"}, {NULL, NULL, NULL, NULL} }; diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c new file mode 100644 index 000000000..1f4420c5b --- /dev/null +++ b/client/src/cmdlfem4x50.c @@ -0,0 +1,663 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#include "cmdlfem4x50.h" +#include +#include "fileutils.h" +#include "comms.h" +#include "commonutil.h" +#include "em4x50.h" + +#define EM4X50_NO_WORDS 34 + +// special words +#define EM4X50_DEVICE_PASSWORD 0 +#define EM4X50_PROTECTION 1 +#define EM4X50_CONTROL 2 +#define EM4X50_DEVICE_SERIAL 32 +#define EM4X50_DEVICE_ID 33 + +// control word (word = 4 bytes) +#define FIRST_WORD_READ 0 // first byte +#define LAST_WORD_READ 1 // second byte +#define CONFIG_BLOCK 2 // third byte +#define PASSWORD_CHECK 0x80 // first bit in third byte +#define READ_AFTER_WRITE 0x40 // second bit in third byte + +// protection word +#define FIRST_WORD_READ_PROTECTED 0 // first byte +#define LAST_WORD_READ_PROTECTED 1 // second byte +#define FIRST_WORD_WRITE_INHIBITED 2 // third byte +#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte + +// misc +#define STATUS_SUCCESS 0x2 +#define STATUS_LOGIN 0x1 +#define NO_CHARS_MAX 400 + +int usage_lf_em4x50_info(void) { + PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna."); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Usage: lf em 4x50_info [h] [v] [p ]"); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h - this help"); + PrintAndLogEx(NORMAL, " v - verbose output"); + PrintAndLogEx(NORMAL, " p - password (hex) (optional)"); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " lf em 4x50_info"); + PrintAndLogEx(NORMAL, " lf em 4x50_info p fa225de1\n"); + PrintAndLogEx(NORMAL, " lf em 4x50_info v p fa225de1\n"); + return PM3_SUCCESS; +} +int usage_lf_em4x50_write(void) { + PrintAndLogEx(NORMAL, "Write EM4x50 word. Tag must be on antenna. "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h] a
w "); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h - this help"); + PrintAndLogEx(NORMAL, " a - memory address to write to (dec)"); + PrintAndLogEx(NORMAL, " w - word to write (hex)"); + PrintAndLogEx(NORMAL, " p - password (hex) (optional)"); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " lf em 4x50_write a 3 w deadc0de"); + return PM3_SUCCESS; +} +int usage_lf_em4x50_write_password(void) { + PrintAndLogEx(NORMAL, "Write EM4x50 password. Tag must be on antenna. "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write_password [h] p n "); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h - this help"); + PrintAndLogEx(NORMAL, " p - password (hex)"); + PrintAndLogEx(NORMAL, " n - new password (hex)"); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " lf em 4x50_write_password p 11223344 n 01020304"); + return PM3_SUCCESS; +} + +static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) { + + // restructure received result in "em4x50_word_t" structure and check all + // parities including stop bit; result of each check is stored in structure + + int p = 0, c[8] = {0, 0, 0, 0, 0, 0, 0, 0}; + + for (int i = fwr; i <= lwr; i++) { + + words[i].stopparity = true; + words[i].parity = true; + + for (int j = 0; j < 8; j++) + c[j] = 0; + + for (int j = 0; j < 4; j++) { + words[i].byte[j] = byte[i*7+j]; + words[i].row_parity[j] = (byte[i*7+4] >> (3-j)) & 1; + + // collect parities + p = 0; + + for (int k = 0; k < 8; k++) { + + // row parity + p ^= (words[i].byte[j] >> k) & 1; + + // column parity + c[k] ^= (words[i].byte[j] >> (7-k)) & 1; + } + + // check row parities + words[i].rparity[j] = (words[i].row_parity[j] == p) ? true : false; + + if (!words[i].rparity[j]) + words[i].parity = false; + } + + // check column parities + words[i].col_parity = byte[i*7+5] ; + + for (int j = 0; j < 8; j++) { + words[i].cparity[j] = (((words[i].col_parity >> (7-j)) & 1) == c[j]) ? true : false; + + if (!words[i].cparity[j]) + words[i].parity = false; + } + + // check stop bit + words[i].stopbit = byte[i*7+6] & 1; + + if (words[i].stopbit == 1) + words[i].stopparity = false; + + } +} + +static void print_bit_table(const em4x50_word_t word) { + + // generate output in table form for each word including parities, stop + // bit, result of parity checks and hex notation of each row in msb/lsb + // notation + // individual parity errors will be highlighted in red + + int bit = 0; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; + + // print binary data + for (int j = 0; j < 4; j++) { + + strcat(string, " "); + + // lsb notation + for (int k = 0; k < 8; k++) { + sprintf(pstring, "%i", (word.byte[j] >> (7-k)) & 1); + strcat(string, pstring); + } + + strcat(string, " | "); + + // binary row parities + hex bytes of word + sprintf(pstring, (word.rparity[j]) ? "%i" : _RED_("%i"), word.row_parity[j]); + strcat(string, pstring); + + if (j == 0) + sprintf(pstring, " msb: 0x%02x lsb: 0x%02x", word.byte[j], reflect8(word.byte[j])); + else + sprintf(pstring, " 0x%02x 0x%02x", word.byte[j], reflect8(word.byte[j])); + + strcat(string, pstring); + PrintAndLogEx(NORMAL,string); + + string[0] = '\0'; + } + + strcat(string, " ------------ --------------------\n "); + + // binary column parities + for (int k = 0; k < 8; k++) { + + bit = (word.col_parity >> (7-k)) & 1; + + // if column parity is false -> highlight bit in red + sprintf(pstring, (word.cparity[k]) ? "%i" : _RED_("%i"), bit); + strcat(string, pstring); + } + + // binary stop bit + strcat(string, " | "); + sprintf(pstring, (word.stopparity) ? "%i" : _RED_("%i"), word.stopbit); + strcat(pstring, " parities "); + strcat(string, pstring); + + // parities passed/failed + sprintf(pstring, (word.parity) ? _GREEN_("ok") : _RED_("failed")); + strcat(string, pstring); + + PrintAndLogEx(NORMAL,string); + + string[0] = '\0'; +} + +static void print_result(const em4x50_word_t *words, int fwr, int lwr) { + + // print available information for given word from fwr to lwr, i.e. + // bit table + summary lines with hex notation of word (msb + lsb) + + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; + + for (int i = fwr; i <= lwr; i++) { + + // blank line before each bit table + PrintAndLogEx(NORMAL, ""); + + // print bit table + print_bit_table(words[i]); + + // final result + sprintf(pstring, "\n word[%i] msb: " _GREEN_("0x"), i); + strcat(string, pstring); + + for (int j = 0; j < 4; j++) { + sprintf(pstring, _GREEN_("%02x"), words[i].byte[j]); + strcat(string, pstring); + } + + sprintf(pstring, "\n word[%i] lsb: 0x", i); + strcat(string, pstring); + + for (int j = 0; j < 4; j++) { + sprintf(pstring, "%02x", reflect8(words[i].byte[3-j])); + strcat(string, pstring); + } + + PrintAndLogEx(NORMAL,string); + + string[0] = '\0'; + } +} + +static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bool bverbose) { + + // display all information of info result in structured format + + uint8_t *data = resp->data.asBytes; + em4x50_word_t words[EM4X50_NO_WORDS]; + char pstring[NO_CHARS_MAX] = {0}, string[NO_CHARS_MAX] = {0}; + + bool bpwd_given = etd->pwd_given; + bool bsuccess = resp->status & STATUS_SUCCESS; + bool blogin = resp->status & STATUS_LOGIN; + + prepare_result(data, 0, EM4X50_NO_WORDS - 1, words); + + bool bpwc = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & PASSWORD_CHECK; + bool braw = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & READ_AFTER_WRITE; + int fwr = reflect8(words[EM4X50_CONTROL].byte[FIRST_WORD_READ]); + int lwr = reflect8(words[EM4X50_CONTROL].byte[LAST_WORD_READ]); + int fwrp = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_READ_PROTECTED]); + int lwrp = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_READ_PROTECTED]); + int fwwi = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_WRITE_INHIBITED]); + int lwwi = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_WRITE_INHIBITED]); + + // data section + PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:")); + + if (bverbose) { + + // detailed data section + print_result(words, 0, EM4X50_NO_WORDS - 1); + + } else { + + // condensed data section + for (int i = 0; i < EM4X50_NO_WORDS; i++) { + + sprintf(pstring, " word[%2i]: ", i); + strcat(string, pstring); + + for (int j = 0; j < 4; j++) { + sprintf(pstring, "%02x", words[i].byte[j]); + strcat(string, pstring); + } + + switch(i) { + case EM4X50_DEVICE_PASSWORD: + sprintf(pstring, _YELLOW_(" password, write only")); + break; + case EM4X50_PROTECTION: + sprintf(pstring, _YELLOW_(" protection word, write inhibited")); + break; + case EM4X50_CONTROL: + sprintf(pstring, _YELLOW_(" control word, write inhibited")); + break; + case EM4X50_DEVICE_SERIAL: + sprintf(pstring, _YELLOW_(" device serial number, read only")); + break; + case EM4X50_DEVICE_ID: + sprintf(pstring, _YELLOW_(" device identification, read only")); + break; + default: + sprintf(pstring, " user data"); + break; + } + + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + } + } + + // configuration section + PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 configuration")); + PrintAndLogEx(NORMAL," control: | protection:"); + + sprintf(pstring, " first word read: %3i |", fwr); + strcat(string, pstring); + sprintf(pstring, " first word read protected: %3i", fwrp); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + sprintf(pstring, " last word read: %3i |", lwr); + strcat(string, pstring); + sprintf(pstring, " last word read protected: %3i", lwrp); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + sprintf(pstring, " password check: %3s |", (bpwc) ? "on" : "off"); + strcat(string, pstring); + sprintf(pstring, " first word write inhibited: %3i", fwwi); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + sprintf(pstring, " read after write: %3s |", (braw) ? "on" : "off"); + strcat(string, pstring); + sprintf(pstring, " last word write inhibited: %3i", lwwi); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + PrintAndLogEx(NORMAL, "\n zero values may indicate read protection!"); + + // status line + sprintf(pstring, " reading "); + strcat(string, pstring); + + if (!bsuccess) { + + sprintf(pstring, _RED_("failed")); + strcat(string, pstring); + + } else { + + sprintf(pstring, _GREEN_("ok ")); + strcat(string, pstring); + + if (blogin) { + + if (bpwd_given) { + + sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)", + etd->password[0], etd->password[1], + etd->password[2], etd->password[3]); + strcat(string, pstring); + + } else { + + sprintf(pstring, "(login with default password 0x00000000)"); + strcat(string, pstring); + + } + + } else { + + if (bpwd_given) { + + sprintf(pstring, "(login failed)"); + strcat(string, pstring); + + } else { + + sprintf(pstring, "(no login)"); + strcat(string, pstring); + + } + } + + } + + PrintAndLogEx(NORMAL,"%s\n", string); +} + +int CmdEM4x50Info(const char *Cmd) { + + // envoke reading of a EM4x50 tag which has to be on the antenna because + // decoding is done by the device (not on client side) + + bool errors = false, verbose = false, success = false; + uint8_t cmdp = 0; + em4x50_data_t etd; + PacketResponseNG resp; + + // init + etd.pwd_given = false; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch (tolower(param_getchar(Cmd, cmdp))) { + + case 'h': + return usage_lf_em4x50_info(); + + case 'p': + if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } + etd.pwd_given = true; + cmdp += 2; + break; + + case 'v': + verbose = true; + cmdp += 1; + break; + + default: + PrintAndLogEx(WARNING, " Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + // validation + if (errors) + return usage_lf_em4x50_info(); + + // call info command + clearCommandBuffer(); + SendCommandNG(CMD_LF_EM4X50_INFO, (uint8_t *)&etd, sizeof(etd)); + + + // get result + if (!WaitForResponse(CMD_ACK, &resp)) { + PrintAndLogEx(WARNING, " timeout while waiting for reply."); + return PM3_ETIMEOUT; + } + + // print result + print_info_result(&resp, &etd, verbose); + + success = resp.status & STATUS_SUCCESS; + return (success) ? PM3_SUCCESS : PM3_ESOFT; +} + +static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) { + + // display result of writing operation in structured format + + bool pwd_given = etd->pwd_given; + bool success = resp->status & STATUS_SUCCESS; + bool login = resp->status & STATUS_LOGIN; + uint8_t *data = resp->data.asBytes; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; + em4x50_word_t word; + + if (!success) { + + sprintf(pstring, "\n writing " _RED_("failed")); + strcat(string, pstring); + + } else { + + prepare_result(data, etd->address, etd->address, &word); + print_result(&word, etd->address, etd->address); + + sprintf(pstring, "\n writing " _GREEN_("ok ")); + strcat(string, pstring); + + if (pwd_given) { + + if (login) { + sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)", + etd->password[0], etd->password[1], + etd->password[2], etd->password[3]); + strcat(string, pstring); + } else { + sprintf(pstring, "(login failed)"); + strcat(string, pstring); + } + + } else { + sprintf(pstring, "(no login)"); + strcat(string, pstring); + } + } + + PrintAndLogEx(NORMAL,"%s\n", string); +} + +int CmdEM4x50Write(const char *Cmd) { + + // envoke writing a single word (32 bit) to a EM4x50 tag + + bool errors = false, bword = false, baddr = false, success = false; + uint8_t cmdp = 0; + em4x50_data_t etd; + PacketResponseNG resp; + + // init + etd.pwd_given = false; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + + switch (tolower(param_getchar(Cmd, cmdp))) { + case 'h': + return usage_lf_em4x50_write(); + + case 'p': + if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } + etd.pwd_given = true; + cmdp += 2; + break; + + case 'w': + if (param_gethex(Cmd, cmdp + 1, etd.word, 8)) { + PrintAndLogEx(FAILED, "\n word has to be 8 hex symbols\n"); + return PM3_EINVARG; + } + bword = true; + cmdp += 2; + break; + + case 'a': + param_getdec(Cmd, cmdp + 1, &etd.address); + + // validation + if (etd.address < 1 || etd.address > 31) { + PrintAndLogEx(FAILED, "\n error, address has to be in range [1-31]\n"); + return PM3_EINVARG; + } + baddr = true; + cmdp += 2; + break; + + default: + PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + if (errors || !bword || !baddr) + return usage_lf_em4x50_write(); + + clearCommandBuffer(); + SendCommandNG(CMD_LF_EM4X50_WRITE, (uint8_t *)&etd, sizeof(etd)); + + + if (!WaitForResponse(CMD_ACK, &resp)) { + PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); + return PM3_ETIMEOUT; + } + + // get, prepare and print response + print_write_result(&resp, &etd); + + success = resp.status & STATUS_SUCCESS; + return (success) ? PM3_SUCCESS : PM3_ESOFT; +} + +static void print_write_password_result(PacketResponseNG *resp, const em4x50_data_t *etd) { + + // display result of password changing operation + + bool success = resp->status; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; + + if (!success) { + + sprintf(pstring, "\n writing new password " _RED_("failed")); + strcat(string, pstring); + + } else { + + sprintf(pstring, "\n writing new password " _GREEN_("ok")); + strcat(string, pstring); + } + + PrintAndLogEx(NORMAL,"%s\n", string); +} + +int CmdEM4x50WritePassword(const char *Cmd) { + + // envokes changing the password of EM4x50 tag + + bool errors = false, bpwd = false, bnpwd = false; + uint8_t cmdp = 0; + em4x50_data_t etd; + PacketResponseNG resp; + + // init + etd.pwd_given = false; + etd.newpwd_given = false; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + + switch (tolower(param_getchar(Cmd, cmdp))) { + case 'h': + return usage_lf_em4x50_write_password(); + + case 'p': + if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } + bpwd = true; + etd.pwd_given = true; + cmdp += 2; + break; + + case 'n': + if (param_gethex(Cmd, cmdp + 1, etd.new_password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } + bnpwd = true; + etd.newpwd_given = true; + cmdp += 2; + break; + + default: + PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + if (errors || !bpwd || !bnpwd) + return usage_lf_em4x50_write_password(); + + clearCommandBuffer(); + SendCommandNG(CMD_LF_EM4X50_WRITE_PASSWORD, (uint8_t *)&etd, sizeof(etd)); + + if (!WaitForResponse(CMD_ACK, &resp)) { + PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); + return PM3_ETIMEOUT; + } + + // get, prepare and print response + print_write_password_result(&resp, &etd); + + return ((bool)resp.status) ? PM3_SUCCESS : PM3_ESOFT; +} diff --git a/client/src/cmdlfem4x50.h b/client/src/cmdlfem4x50.h new file mode 100644 index 000000000..732d05d5b --- /dev/null +++ b/client/src/cmdlfem4x50.h @@ -0,0 +1,22 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#ifndef CMDLFEM4X50_H__ +#define CMDLFEM4X50_H__ + +int usage_lf_em4x50_info(void); +int usage_lf_em4x50_write(void); +int usage_lf_em4x50_write_password(void); + +int CmdEM4x50Info(const char *Cmd); +int CmdEM4x50Write(const char *Cmd); +int CmdEM4x50WritePassword(const char *Cmd); + +#endif diff --git a/common_arm/Makefile.hal b/common_arm/Makefile.hal index 455672e5f..0ae8b2d19 100644 --- a/common_arm/Makefile.hal +++ b/common_arm/Makefile.hal @@ -81,7 +81,8 @@ endif # common LF support PLATFORM_DEFS += \ -DWITH_LF \ - -DWITH_HITAG + -DWITH_HITAG \ + -DWITH_EM4x50 # common HF support PLATFORM_DEFS += \ diff --git a/include/em4x50.h b/include/em4x50.h new file mode 100644 index 000000000..11b2509b7 --- /dev/null +++ b/include/em4x50.h @@ -0,0 +1,37 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 structs +//----------------------------------------------------------------------------- + +#ifndef EM4X50_H__ +#define EM4X50_H__ + +typedef struct { + bool fwr_given; + bool lwr_given; + bool pwd_given; + bool newpwd_given; + uint8_t password[4]; + uint8_t new_password[4]; + uint8_t addresses[4]; + uint8_t address; + uint8_t word[4]; +} em4x50_data_t; + +typedef struct { + uint8_t byte[4]; + uint8_t row_parity[4]; + uint8_t col_parity; + uint8_t stopbit; + bool rparity[4]; + bool cparity[8]; + bool stopparity; + bool parity; +} em4x50_word_t; + +#endif /* EM4X50_H__ */ diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index ecdef4b86..125db9a7f 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -187,6 +187,7 @@ typedef struct { // lf bool compiled_with_lf : 1; bool compiled_with_hitag : 1; + bool compiled_with_em4x50 : 1; // hf bool compiled_with_hfsniff : 1; bool compiled_with_hfplot : 1; @@ -401,6 +402,9 @@ typedef struct { #define CMD_LF_EM4X_WRITEWORD 0x0219 #define CMD_LF_IO_WATCH 0x021A #define CMD_LF_EM410X_WATCH 0x021C +#define CMD_LF_EM4X50_INFO 0x0240 +#define CMD_LF_EM4X50_WRITE 0x0241 +#define CMD_LF_EM4X50_WRITE_PASSWORD 0x0242 // Sampling configuration for LF reader/sniffer #define CMD_LF_SAMPLING_SET_CONFIG 0x021D #define CMD_LF_FSK_SIMULATE 0x021E