From 3726df62a485447b8971ba7d262defc5c3765847 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 16 Sep 2019 11:11:54 +0200 Subject: [PATCH] chg: enhanced verify t55xx write. We set config to the cloned block0, whats left is to identify the offset, which we try to do. --- client/cmdlfawid.c | 15 ++++++++ client/cmdlffdx.c | 15 ++++++++ client/cmdlfguard.c | 15 ++++++++ client/cmdlfindala.c | 24 ++++++------ client/cmdlfjablotron.c | 15 ++++++++ client/cmdlfkeri.c | 14 +++++++ client/cmdlfnedap.c | 35 +++++++++--------- client/cmdlfnedap.h | 13 +++++++ client/cmdlfnoralsy.c | 9 +++-- client/cmdlfpresco.c | 13 +++---- client/cmdlfpyramid.c | 8 ++-- client/cmdlft55xx.c | 82 ++++++++++++++++++++++++++++++----------- client/cmdlft55xx.h | 3 ++ client/cmdlfvisa2000.c | 10 +++-- 14 files changed, 202 insertions(+), 69 deletions(-) diff --git a/client/cmdlfawid.c b/client/cmdlfawid.c index 2360906a4..934335c64 100644 --- a/client/cmdlfawid.c +++ b/client/cmdlfawid.c @@ -26,6 +26,7 @@ #include "cmdlf.h" // lf read #include "protocols.h" // for T55xx config register definitions #include "util_posix.h" +#include "cmdlft55xx.h" // verifywrite static int CmdHelp(const char *Cmd); /* @@ -414,6 +415,7 @@ static int CmdAWIDClone(const char *Cmd) { PrintAndLogEx(INFO, "Preparing to clone AWID %u to T55x7 with FC: %u, CN: %u", fmtlen, fc, cn); print_blocks(blocks, 4); + uint8_t res = 0; PacketResponseNG resp; // fast push mode @@ -437,7 +439,20 @@ static int CmdAWIDClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; } + + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + return PM3_SUCCESS; } 
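Review bot: In the `@@ -437,7 +439,20 @@` hunk of CmdAWIDClone the failure counter `res` only gates the success message, so when `t55xxVerifyWrite` fails the function prints nothing and still reaches `return PM3_SUCCESS;`. A caller or script then cannot tell an unverified clone from a good one. Report the failure and return an error code instead, for example `else { PrintAndLogEx(ERR, "Verify failed on %u block(s)", res); /* return an error code, not PM3_SUCCESS */ }`. The same pattern is added in CmdFdxClone, CmdGuardClone, CmdJablotronClone, CmdKeriClone and CmdLFNedapClone; the NEDAP version prints the block-0 hint on failure but also returns success. The write loop starts outside this hunk.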
diff --git a/client/cmdlffdx.c b/client/cmdlffdx.c index 2e48918fb..233783b33 100644 --- a/client/cmdlffdx.c +++ b/client/cmdlffdx.c @@ -24,6 +24,7 @@ #include "crc16.h" // for checksum crc-16_ccitt #include "protocols.h" // for T55xx config register definitions #include "lfdemod.h" // parityTest +#include "cmdlft55xx.h" // verifywrite /* FDX-B ISO11784/85 demod (aka animal tag) BIPHASE, inverted, rf/32, with preamble of 00000000001 (128bits) @@ -296,6 +297,7 @@ static int CmdFdxClone(const char *Cmd) { PrintAndLogEx(INFO, "Preparing to clone FDX-B to T55x7 with animal ID: %04u-%"PRIu64, countryid, animalid); print_blocks(blocks, 5); + uint8_t res = 0; PacketResponseNG resp; // fast push mode @@ -318,7 +320,20 @@ static int CmdFdxClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; } + + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + return PM3_SUCCESS; } diff --git a/client/cmdlfguard.c b/client/cmdlfguard.c index 22f7141fc..036597f0f 100644 --- a/client/cmdlfguard.c +++ b/client/cmdlfguard.c @@ -21,6 +21,7 @@ #include "cmdlf.h" #include "protocols.h" // for T55xx config register definitions #include "lfdemod.h" // parityTest +#include "cmdlft55xx.h" // verifywrite static int CmdHelp(const char *Cmd); @@ -183,6 +184,7 @@ static int CmdGuardClone(const char *Cmd) { PrintAndLogEx(INFO, "Preparing to clone Guardall to T55x7 with Facility Code: %u, Card Number: %u", facilitycode, cardnumber); print_blocks(blocks, 4); + uint8_t res = 0; PacketResponseNG resp; // fast push mode 
@@ -205,7 +207,20 @@ static int CmdGuardClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; } + + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + return PM3_SUCCESS; } diff --git a/client/cmdlfindala.c b/client/cmdlfindala.c index 3fd3be59e..8d62e37ae 100644 --- a/client/cmdlfindala.c +++ b/client/cmdlfindala.c 
@@ -468,21 +468,21 @@ static int CmdIndalaClone(const char *Cmd) { if (isLongUid) { PrintAndLogEx(INFO, "Preparing to clone Indala 224bit tag with RawID %s", sprint_hex(data, datalen)); - uint32_t datawords[7] = {0}; - datawords[0] = bytes_to_num(data, 4); - datawords[1] = bytes_to_num(data + 4, 4); - datawords[2] = bytes_to_num(data + 8, 4); - datawords[3] = bytes_to_num(data + 12, 4); - datawords[4] = bytes_to_num(data + 16, 4); - datawords[5] = bytes_to_num(data + 20, 4); - datawords[6] = bytes_to_num(data + 24, 4); + uint32_t blocks[7] = {0}; + blocks[0] = bytes_to_num(data, 4); + blocks[1] = bytes_to_num(data + 4, 4); + blocks[2] = bytes_to_num(data + 8, 4); + blocks[3] = bytes_to_num(data + 12, 4); + blocks[4] = bytes_to_num(data + 16, 4); + blocks[5] = bytes_to_num(data + 20, 4); + blocks[6] = bytes_to_num(data + 24, 4); clearCommandBuffer(); - SendCommandOLD(CMD_LF_INDALA224_CLONE, 0, 0, 0, datawords, sizeof(datawords)); + SendCommandOLD(CMD_LF_INDALA224_CLONE, 0, 0, 0, blocks, sizeof(blocks)); } else { PrintAndLogEx(INFO, "Preparing to clone Indala 64bit tag with RawID %s", sprint_hex(data, datalen)); - uint32_t datawords[2] = {0}; - datawords[0] = bytes_to_num(data, 4); - datawords[1] = bytes_to_num(data + 4, 4); + uint32_t blocks[2] = {0}; + blocks[0] = bytes_to_num(data, 4); + blocks[1] = bytes_to_num(data + 4, 4); clearCommandBuffer(); SendCommandOLD(CMD_LF_INDALA_CLONE, 0, 0, 0, datawords, sizeof(datawords)); } diff --git a/client/cmdlfjablotron.c b/client/cmdlfjablotron.c index 9cc663895..919610293 100644 --- a/client/cmdlfjablotron.c +++ b/client/cmdlfjablotron.c @@ -24,6 +24,7 @@ #include "cmdlf.h" #include "protocols.h" // for T55xx config register definitions #include "lfdemod.h" // parityTest +#include "cmdlft55xx.h" // verifywrite static int CmdHelp(const char *Cmd); 
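Review bot: The 64-bit branch of CmdIndalaClone renames the array to `blocks`, but the unchanged context line still calls `SendCommandOLD(CMD_LF_INDALA_CLONE, 0, 0, 0, datawords, sizeof(datawords));`. Unless another `datawords` is in scope outside the hunk, this no longer compiles; the 224-bit branch was updated and this one was missed. The call should read `SendCommandOLD(CMD_LF_INDALA_CLONE, 0, 0, 0, blocks, sizeof(blocks));`. Note also that this file gets only the rename and not the verify step added to the other clone commands.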
@@ -170,6 +171,7 @@ static int CmdJablotronClone(const char *Cmd) { PrintAndLogEx(INFO, "Preparing to clone Jablotron to T55x7 with FullCode: %"PRIx64, fullcode); print_blocks(blocks, 3); + uint8_t res = 0; PacketResponseNG resp; // fast push mode @@ -192,7 +194,20 @@ static int CmdJablotronClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; } + + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + return PM3_SUCCESS; } diff --git a/client/cmdlfkeri.c b/client/cmdlfkeri.c index 384aad0b6..9f01f2f7f 100644 --- a/client/cmdlfkeri.c +++ b/client/cmdlfkeri.c @@ -22,6 +22,7 @@ #include "cmdlf.h" #include "protocols.h" // for T55xx config register definitions #include "lfdemod.h" // preamble test +#include "cmdlft55xx.h" // verifywrite static int CmdHelp(const char *Cmd); @@ -159,6 +160,7 @@ static int CmdKeriClone(const char *Cmd) { blocks[2] = data & 0xFFFFFFFF; print_blocks(blocks, 3); + uint8_t res = 0; PacketResponseNG resp; // fast push mode @@ -181,8 +183,20 @@ static int CmdKeriClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; } + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + return PM3_SUCCESS; } diff --git a/client/cmdlfnedap.c b/client/cmdlfnedap.c index 3a4ebd131..ec2837d7a 100644 --- a/client/cmdlfnedap.c +++ b/client/cmdlfnedap.c 
@@ -9,20 +9,6 @@ #include "cmdlfnedap.h" -#include - -#include -#include - -#include "cmdparser.h" // command_t -#include "comms.h" -#include "crc16.h" -#include "cmdlft55xx.h" -#include "ui.h" -#include "cmddata.h" -#include "cmdlf.h" -#include "lfdemod.h" - #define FIXED_71 0x71 #define FIXED_40 0x40 #define UNKNOWN_A 0x00 @@ -469,6 +455,7 @@ int CmdLFNedapClone(const char *Cmd) { PrintAndLogEx(SUCCESS, "Preparing to clone NEDAP to T55x7"); print_blocks(blocks, max); + uint8_t res = 0; PacketResponseNG resp; // fast push mode @@ -490,10 +477,24 @@ int CmdLFNedapClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; + } + + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + else { + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(INFO, "The block 0 was changed (eXtended) which can be hard to detect."); + PrintAndLogEx(INFO, " Configure it manually " _YELLOW_("`lf t55xx config b 64 d BI i 1 o 32`")); } - PrintAndLogEx(NORMAL, "\n"); - PrintAndLogEx(INFO, "The block 0 was changed (eXtended) which can be hard to detect."); - PrintAndLogEx(INFO, " Configure it manually " _YELLOW_("`lf t55xx config b 64 d BI i 1 o 32`")); return PM3_SUCCESS; } diff --git a/client/cmdlfnedap.h b/client/cmdlfnedap.h index fda0e130e..74fdd30fb 100644 --- a/client/cmdlfnedap.h +++ b/client/cmdlfnedap.h @@ -11,6 +11,19 @@ #include "common.h" +#include + +#include +#include +#include "cmdparser.h" // command_t +#include "comms.h" +#include "crc16.h" +#include "cmdlft55xx.h" // verifywrite +#include "ui.h" +#include "cmddata.h" +#include "cmdlf.h" +#include "lfdemod.h" + int CmdLFNedap(const char *Cmd); int demodNedap(void); 
diff --git a/client/cmdlfnoralsy.c b/client/cmdlfnoralsy.c index 146c6b350..2d9481782 100644 --- a/client/cmdlfnoralsy.c +++ b/client/cmdlfnoralsy.c @@ -177,13 +177,14 @@ static int CmdNoralsyClone(const char *Cmd) { return PM3_ETIMEOUT; } - // write block0, needs a detect. - if (i == 0) - t55xxAquireAndDetect(false, 0, blocks[i], false); + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) res++; - } if ( res == 0 ) diff --git a/client/cmdlfpresco.c b/client/cmdlfpresco.c index a9c74d9ac..39587c5ea 100644 --- a/client/cmdlfpresco.c +++ b/client/cmdlfpresco.c @@ -144,16 +144,15 @@ static int CmdPrescoClone(const char *Cmd) { return PM3_ETIMEOUT; } - // write block0, needs a detect. if (i == 0) { - printf("enter detect "); - bool ok = t55xxAquireAndDetect(false, 0, blocks[i], false); - printf(" b0 = '%c' \n", (ok) ? 'Y':'N'); + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; } - if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) { + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) res++; - printf(" i = %d \n", i); - } + } if ( res == 0 ) diff --git a/client/cmdlfpyramid.c b/client/cmdlfpyramid.c index d0f116bf4..90e5c23d7 100644 --- a/client/cmdlfpyramid.c +++ b/client/cmdlfpyramid.c @@ -254,9 +254,11 @@ static int CmdPyramidClone(const char *Cmd) { return PM3_ETIMEOUT; } - // write block0, needs a detect. - if (i == 0) - t55xxAquireAndDetect(false, 0, blocks[i], false); + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) res++; diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 1afa169c9..06dac9c24 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c 
@@ -405,6 +405,32 @@ static bool t55xxProtect(bool lock, bool usepwd, uint8_t override, uint32_t pass } } +bool t55xxAquireAndCompareBlock0(bool usepwd, uint32_t password, uint32_t known_block0, bool verbose) { + + if (verbose) + PrintAndLogEx(INFO, "Block0 write detected, running `detect` to see if validation is possible"); + + for ( uint8_t m = 0; m < 4; m++) { + if (AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, m) == false) { + continue; + } + + if (DecodeT55xxBlock() == false) { + continue; + } + + for( uint16_t i = 0; DemodBufferLen - 32; i++) { + uint32_t tmp = PackBits(i, 32, DemodBuffer); + if ( tmp == known_block0 ) { + config.offset = i; + config.downlink_mode = m; + return true; + } + } + } + return false; +} + bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0, bool verbose) { if (verbose) @@ -417,6 +443,7 @@ bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0, if (tryDetectModulationEx(m, verbose, known_block0) == false) continue; + config.downlink_mode = m; return true; } return false; 
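Review bot: In the new `t55xxAquireAndCompareBlock0` the inner loop condition is `DemodBufferLen - 32`, which never tests `i`. It is non-zero for every length except exactly 32, so when no match is found `i` runs past the end of `DemodBuffer` and `PackBits(i, 32, DemodBuffer)` reads out of bounds until the `uint16_t` wraps, and the loop never ends. A buffer of exactly 32 bits is never compared at all. Bound the index so the 32-bit window stays inside the buffer, which also covers lengths below 32: `for (size_t i = 0; i + 32 <= DemodBufferLen; i++) {`. It is also worth checking that `config.offset` can hold the largest `i`, since its type is not visible here. The verbose message says it is running `detect`, which this function does not do.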
@@ -491,6 +518,36 @@ void printT5xxHeader(uint8_t page) { PrintAndLogEx(SUCCESS, "----+----------+----------------------------------+-------"); } +void SetConfigWithBlock0(uint32_t block0) { + // T55x7 + uint32_t extend = (block0 >> (32 - 15)) & 0x01; + uint32_t dbr; + if (extend) + dbr = (block0 >> (32 - 14)) & 0x3F; + else + dbr = (block0 >> (32 - 14)) & 0x07; + + uint32_t datamod = (block0 >> (32 - 20)) & 0x1F; + bool pwd = (bool)((block0 >> (32 - 28)) & 0x01); + bool sst = (bool)((block0 >> (32 - 29)) & 0x01); + bool inv = (bool)((block0 >> (32 - 31)) & 0x01); + + config.modulation = datamod; + config.bitrate = dbr; + + // FSK1a, FSK2a + if ( datamod == DEMOD_FSK1a || datamod == DEMOD_FSK2a || datamod == DEMOD_BIa ) + config.inverted = 1; + else + config.inverted = inv; + + config.Q5 = 0; + config.ST = sst; + config.usepwd = pwd; + config.offset = 0; + config.block0 = block0; +} + static int CmdT55xxSetConfig(const char *Cmd) { // No args @@ -621,30 +678,11 @@ static int CmdT55xxSetConfig(const char *Cmd) { if ( gotconf ) { - // Q5 - - + // Q5 - to be implemented + // T55x7 - uint32_t extend = (block0 >> (32 - 15)) & 0x01; - uint32_t dbr; - if (extend) - dbr = (block0 >> (32 - 14)) & 0x3F; - else - dbr = (block0 >> (32 - 14)) & 0x07; + SetConfigWithBlock0(block0); - uint32_t datamod = (block0 >> (32 - 20)) & 0x1F; - bool pwd = (bool)((block0 >> (32 - 28)) & 0x01); - bool sst = (bool)((block0 >> (32 - 29)) & 0x01); - bool inv = (bool)((block0 >> (32 - 31)) & 0x01); - - config.modulation = datamod; - config.bitrate = dbr; - config.inverted = inv; - config.Q5 = 0; - config.ST = sst; - config.usepwd = pwd; - config.offset = 0; - config.block0 = block0; } else { config.block0 = 0; } diff --git a/client/cmdlft55xx.h b/client/cmdlft55xx.h index f388a39af..182377deb 100644 --- a/client/cmdlft55xx.h +++ b/client/cmdlft55xx.h 
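Review bot: `SetConfigWithBlock0` is now an exported helper that overwrites the global `config`, yet its only comments are `// T55x7` and `// FSK1a, FSK2a`, and the second omits the `DEMOD_BIa` case that the condition also forces to inverted. Add a header comment stating that it decodes block 0 with the T55x7 bit layout only, always sets `config.Q5 = 0` and `config.offset = 0`, and overrides the decoded inversion bit for those three modulations. The inline comment could become `// FSK1a, FSK2a, BIa: force inverted regardless of the decoded bit`. Because the next hunk routes CmdT55xxSetConfig through this helper, that command's `config.inverted` result changes for those modulations as well, where it previously used `inv` directly; if that is intended, it should be mentioned in the commit description.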
@@ -131,6 +131,8 @@ void Set_t55xx_Config(t55xx_conf_block_t conf); int CmdLFT55XX(const char *Cmd); +void SetConfigWithBlock0(uint32_t block0); + char *GetPskCfStr(uint32_t id, bool q5); char *GetBitRateStr(uint32_t id, bool xmode); char *GetSaferStr(uint32_t id); @@ -143,6 +145,7 @@ void printT5xxHeader(uint8_t page); void printT55xxBlock(uint8_t blockNum); int printConfiguration(t55xx_conf_block_t b); +bool t55xxAquireAndCompareBlock0(bool usepwd, uint32_t password, uint32_t known_block0, bool verbose); bool t55xxAquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0, bool verbose); bool t55xxVerifyWrite( uint8_t block, bool page1, bool usepwd, uint8_t override, uint32_t password, uint8_t downlink_mode, uint32_t data); int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, uint8_t override, uint32_t password, uint8_t downlink_mode); diff --git a/client/cmdlfvisa2000.c b/client/cmdlfvisa2000.c index 51cedb925..f23a7c5a8 100644 --- a/client/cmdlfvisa2000.c +++ b/client/cmdlfvisa2000.c @@ -189,11 +189,13 @@ static int CmdVisa2kClone(const char *Cmd) { PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); return PM3_ETIMEOUT; - } + } - // write block0, needs a detect. - if (i == 0) - t55xxAquireAndDetect(false, 0, blocks[i], false); + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) res++;