From 185a45e74908398453594f76b481c19f9680ae81 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Fri, 29 Apr 2022 17:29:28 +0200
Subject: [PATCH] Add support for cloning Viking and EM410x on EM4x05
---
 CHANGELOG.md | 1 +
 armsrc/lfops.c | 40 ++++++++++++++++++++--------------------
 include/protocols.h | 1 +
 3 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39ce29b0a..6c8831a09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
+ - Added support to clone Viking and EM410x on EM4x05 (@doegox)
 - Fixed `lf config --reset` - averaging is set to 1 rather than 0 (@wh201906)
 - Added standalone mode for sniffing 14b (@jacopo-j)
 - Fixed `hf 14a apdu` - now don't skip first P2 iteration (@iceman1001)
diff --git a/armsrc/lfops.c b/armsrc/lfops.c
index 6b99c876a..b34af1f9e 100644
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@@ -2235,14 +2235,15 @@ static void WriteT55xx(const uint32_t *blockdata, uint8_t startblock, uint8_t nu
 T55xxWriteBlock((uint8_t *)&cmd, ledcontrol);
 }
 }
-/* disabled until verified.
+
 static void WriteEM4x05(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
 for (uint8_t i = numblocks + startblock; i > startblock; i--) {
- EM4xWriteWord(i - 1, blockdata[i - 1], 0, false);
+ if (i - 1 > 4) {
+ blockdata[i - 1 - startblock] = reflect(blockdata[i - 1 - startblock], 32);
+ }
+ EM4xWriteWord(i - 1, blockdata[i - 1 - startblock], 0, 0, false);
 }
 }
-*/
-
 // Copy HID id to card and setup block 0 config
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, bool q5, bool em, bool ledcontrol) {
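Review bot: WriteEM4x05 overwrites the caller's array in place (`blockdata[i - 1 - startblock] = reflect(...)`), so after the call the caller's `data[]` no longer holds the words it built. Assuming `reflect(x, 32)` is a plain 32-bit bit reversal, a second call on the same buffer would undo it. CopyVikingtoT55xx and copy_em410x_to_t55xx both pass their `data` array to this helper in later hunks. Working on a local copy removes the side effect and lets the parameter become `const uint32_t *`, matching WriteT55xx: `uint32_t w = blockdata[i - 1 - startblock];`, `if (i - 1 > 4) w = reflect(w, 32);`, `EM4xWriteWord(i - 1, w, 0, 0, false);`. The bare `4` would also read better as a named constant; it presumably stands for the configuration word address, since every caller passes 4 as `startblock`.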
@@ -2286,22 +2287,23 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT, boo
 if (q5) {
 data[0] = T5555_SET_BITRATE(50) | T5555_MODULATION_FSK2 | T5555_INVERT_OUTPUT | last_block << T5555_MAXBLOCK_SHIFT;
 } else if (em) {
+ // Note: data rate 50 is not supported by EM4x05
 data[0] = (EM4x05_SET_BITRATE(50) | EM4x05_MODULATION_FSK2 | EM4x05_INVERT | EM4x05_SET_NUM_BLOCKS(last_block));
 }
 if (ledcontrol) LED_D_ON();
 if (em) {
- Dbprintf("Clone HID Prox to EM4x05 is untested and disabled until verified");
 if (g_dbglevel == DBG_DEBUG) {
 Dbprintf("# | data ( EM4x05 )");
 Dbprintf("--+----------------");
- Dbprintf("0 | %08x", data[0]);
- Dbprintf("1 | %08x", data[1]);
- Dbprintf("2 | %08x", data[2]);
- Dbprintf("3 | %08x", data[3]);
+ Dbprintf("4 | %08x", data[0]);
+ Dbprintf("5 | %08x", data[1]);
+ Dbprintf("6 | %08x", data[2]);
+ Dbprintf("7 | %08x", data[3]);
 Dbprintf("--+----------------");
 }
- //WriteEM4x05(data, 0, last_block + 1);
+ Dbprintf("Clone HID Prox to EM4x05 is untested and disabled until verified");
+ //WriteEM4x05(data, 4, last_block + 1);
 } else {
 WriteT55xx(data, 0, last_block + 1, ledcontrol);
 }
@@ -2324,16 +2326,15 @@ void CopyVikingtoT55xx(uint8_t *blocks, bool q5, bool em, bool ledcontrol) {
 // Program the data blocks for supplied ID and the block 0 config
 if (em) {
- Dbprintf("Clone Viking to EM4x05 is untested and disabled until verified");
 if (g_dbglevel == DBG_DEBUG) {
 Dbprintf("# | data ( EM4x05 )");
 Dbprintf("--+----------------");
- Dbprintf("0 | %08x", data[0]);
- Dbprintf("1 | %08x", data[1]);
- Dbprintf("2 | %08x", data[2]);
+ Dbprintf("4 | %08x", data[0]);
+ Dbprintf("5 | %08x", data[1]);
+ Dbprintf("6 | %08x", data[2]);
 Dbprintf("--+----------------");
 }
- //WriteEM4x05(data, 0, 3);
+ WriteEM4x05(data, 4, 3);
 } else {
 WriteT55xx(data, 0, 3, ledcontrol);
 }
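Review bot: The EM4x05 branch of CopyHIDtoT55x7 still builds its config word with `EM4x05_SET_BITRATE(50)` directly under the new comment saying the chip does not support that rate, while the message shown to the user still says only "untested and disabled until verified". Since the write stays commented out, the message should state the actual blocker, for example `Dbprintf("Clone HID Prox to EM4x05 is disabled: data rate 50 is not supported by EM4x05");`. That keeps the leftover `//WriteEM4x05(data, 4, last_block + 1);` from being re-enabled on the assumption that only testing is missing. The function body starts and ends outside the hunk, so what it reports to the caller on this path is not visible here.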
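Review bot: The debug table in CopyVikingtoT55xx prints `data[1]` and `data[2]` under the labels 5 and 6, but WriteEM4x05 reflects every word above address 4 before writing it, so the dump does not show the values actually sent to the tag. The identical table in copy_em410x_to_t55xx has the same mismatch. A one-line comment above the table would prevent misreading a trace, for example `// words 5 and up are shown before the 32-bit reflect applied in WriteEM4x05`. The EM4x05 branch also drops `ledcontrol`, which the T55xx branch passes on to its writer; if that is intentional it deserves a short comment. The function body starts and ends outside the hunk.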
@@ -2427,16 +2428,15 @@ int copy_em410x_to_t55xx(uint8_t card, uint8_t clock, uint32_t id_hi, uint32_t i
 data[0] = T5555_SET_BITRATE(clock) | T5555_MODULATION_MANCHESTER | (2 << T5555_MAXBLOCK_SHIFT);
 }
 if (card == 2) {
- Dbprintf("Clone EM410x to EM4x05 is untested and disabled until verified");
 if (g_dbglevel == DBG_DEBUG) {
 Dbprintf("# | data ( EM4x05 )");
 Dbprintf("--+----------------");
- Dbprintf("0 | %08x", data[0]);
- Dbprintf("1 | %08x", data[1]);
- Dbprintf("2 | %08x", data[2]);
+ Dbprintf("4 | %08x", data[0]);
+ Dbprintf("5 | %08x", data[1]);
+ Dbprintf("6 | %08x", data[2]);
 Dbprintf("--+----------------");
 }
- //WriteEM4x05(data, 0, 3);
+ WriteEM4x05(data, 4, 3);
 } else {
 WriteT55xx(data, 0, 3, ledcontrol);
 }
diff --git a/include/protocols.h b/include/protocols.h
index b13de57ec..3e507b34e 100644
--- a/include/protocols.h
+++ b/include/protocols.h
@@ -593,6 +593,7 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 // em4x05 & em4x69 chip configuration register definitions
 #define EM4x05_GET_BITRATE(x) ((((x) & 0x3F) * 2) + 2)
+// Note: only data rates 8, 16, 32, 40(*) and 64 are supported. (*) only with EM4305 330pF
 #define EM4x05_SET_BITRATE(x) (((x) - 2) / 2)
 #define EM4x05_MODULATION_NRZ 0x00000000
 #define EM4x05_MODULATION_MANCHESTER 0x00000040
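Review bot: copy_em410x_to_t55xx returns `int`, but the newly enabled `WriteEM4x05(data, 4, 3);` is a `void` helper, so a failed write on the EM4x05 path apparently cannot reach the return value. The return statement is outside the hunk, so this is inferred rather than seen. Until the helper reports a status, the call site should say so, for example `// EM4x05 write result is not checked here; the return value does not reflect it`. The config word for the `card == 2` case is also built outside the hunk; if it uses `EM4x05_SET_BITRATE(clock)`, `clock` should be checked against the supported rates now listed in include/protocols.h before anything is written. `card == 2` would be clearer as a named constant.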