From b99f7213e857ff70c1c1f50ad39485bdef2476c1 Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:30:18 +0200 Subject: [PATCH 01/51] added EM4x50 info function --- include/pm3_cmd.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index 3cafb9df1..e2087d0f4 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -187,6 +187,7 @@ typedef struct { // lf bool compiled_with_lf : 1; bool compiled_with_hitag : 1; + bool compiled_with_em4x50 : 1; // hf bool compiled_with_hfsniff : 1; bool compiled_with_hfplot : 1; @@ -401,6 +402,7 @@ typedef struct { #define CMD_LF_EM4X_WRITEWORD 0x0219 #define CMD_LF_IO_DEMOD 0x021A #define CMD_LF_EM410X_DEMOD 0x021C +#define CMD_LF_EM4X50_INFO 0x0240 // Sampling configuration for LF reader/sniffer #define CMD_LF_SAMPLING_SET_CONFIG 0x021D #define CMD_LF_FSK_SIMULATE 0x021E From 1adc0de21d3e01a81ada1b78bae76a2d82ee694c Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:30:50 +0200 Subject: [PATCH 02/51] added EM4x50 info function --- include/em4x50.h | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 include/em4x50.h diff --git a/include/em4x50.h b/include/em4x50.h new file mode 100644 index 000000000..11b2509b7 --- /dev/null +++ b/include/em4x50.h @@ -0,0 +1,37 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 structs +//----------------------------------------------------------------------------- + +#ifndef EM4X50_H__ +#define EM4X50_H__ + +typedef struct { + bool fwr_given; + bool lwr_given; + bool pwd_given; + bool newpwd_given; + uint8_t password[4]; + uint8_t new_password[4]; + uint8_t addresses[4]; + uint8_t address; + uint8_t word[4]; +} em4x50_data_t; + +typedef struct { + uint8_t byte[4]; + uint8_t row_parity[4]; + uint8_t col_parity; + uint8_t stopbit; + bool rparity[4]; + bool cparity[8]; + bool stopparity; + bool parity; +} em4x50_word_t; + +#endif /* EM4X50_H__ */ From 6cd927d6d487934070b3af681c9a8e0f83a1c08c Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:31:15 +0200 Subject: [PATCH 03/51] added EM4x50 info function --- common_arm/Makefile.hal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common_arm/Makefile.hal b/common_arm/Makefile.hal index 455672e5f..0ae8b2d19 100644 --- a/common_arm/Makefile.hal +++ b/common_arm/Makefile.hal @@ -81,7 +81,8 @@ endif # common LF support PLATFORM_DEFS += \ -DWITH_LF \ - -DWITH_HITAG + -DWITH_HITAG \ + -DWITH_EM4x50 # common HF support PLATFORM_DEFS += \ From dfe6941a8d02b0d00de0316c80d99820117680a0 Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:31:27 +0200 Subject: [PATCH 04/51] added EM4x50 info function --- client/src/cmdlfem4x.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/src/cmdlfem4x.c b/client/src/cmdlfem4x.c index ebb3fe2e4..a43e624a4 100644 --- a/client/src/cmdlfem4x.c +++ b/client/src/cmdlfem4x.c @@ -9,6 +9,7 @@ //----------------------------------------------------------------------------- #include "cmdlfem4x.h" +#include "cmdlfem4x50.h" #include #include @@ -1765,6 +1766,7 @@ static command_t CommandTable[] = { {"4x50_dump", CmdEM4x50Dump, IfPm3Lf, "dump EM4x50 tag"}, {"4x50_read", CmdEM4x50Read, IfPm3Lf, "read word data from EM4x50"}, {"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"}, + {"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"}, {NULL, NULL, NULL, NULL} }; From 79b20a35c1b30a454fa8374411fb9c11d099423f Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:31:34 +0200 Subject: [PATCH 05/51] added EM4x50 info function --- client/src/cmdlfem4x50.c | 441 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 441 insertions(+) create mode 100644 client/src/cmdlfem4x50.c diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c new file mode 100644 index 000000000..74432c36c --- /dev/null +++ b/client/src/cmdlfem4x50.c @@ -0,0 +1,441 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#include "cmdlfem4x50.h" +#include +#include "fileutils.h" +#include "comms.h" +#include "em4x50.h" + +#define EM4x50_FCT_STDREAD 0 +#define EM4x50_FCT_LOGIN 1 +#define EM4x50_FCT_WRITE 2 + +int usage_lf_em4x50_info(void) { + PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna."); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Usage: lf em 4x50_info [h] [v] [p ]"); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h - this help"); + PrintAndLogEx(NORMAL, " v - verbose output"); + PrintAndLogEx(NORMAL, " p - password (hex) (optional)"); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " lf em 4x50_info"); + PrintAndLogEx(NORMAL, " lf em 4x50_info p fa225de1\n"); + PrintAndLogEx(NORMAL, " lf em 4x50_info v p fa225de1\n"); + return PM3_SUCCESS; +} + +static uint8_t msb2lsb(uint8_t byte) { + + // convert given byte (msb) into lsb format + + uint8_t tmp = 0; + + for (int i = 0; i < 8; i++) + tmp |= ((byte >> (7-i)) & 1) << i; + + return tmp; +} + +static bool check_bit_in_byte(uint8_t pos, uint8_t byte) { + + // return true if bit at position is "1" + + return (((byte >> pos) & 1) == 1) ? true : false; +} + +static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) { + + // restructure received result in "em4x50_word_t" structure and check all + // parities including stop bit; result of each check is stored in structure + + int p = 0, c[8] = {0, 0, 0, 0, 0, 0, 0, 0}; + + for (int i = fwr; i <= lwr; i++) { + + words[i].stopparity = true; + words[i].parity = true; + + for (int j = 0; j < 8; j++) + c[j] = 0; + + for (int j = 0; j < 4; j++) { + words[i].byte[j] = byte[i*7+j]; + words[i].row_parity[j] = (byte[i*7+4] >> (3-j)) & 1; + + // collect parities + p = 0; + + for (int k = 0; k < 8; k++) { + + // row parity + p ^= (words[i].byte[j] >> k) & 1; + + // column parity + c[k] ^= (words[i].byte[j] >> (7-k)) & 1; + } + + // check row parities + words[i].rparity[j] = (words[i].row_parity[j] == p) ? true : false; + + if (!words[i].rparity[j]) + words[i].parity = false; + } + + // check column parities + words[i].col_parity = byte[i*7+5] ; + + for (int j = 0; j < 8; j++) { + words[i].cparity[j] = (((words[i].col_parity >> (7-j)) & 1) == c[j]) ? true : false; + + if (!words[i].cparity[j]) + words[i].parity = false; + } + + // check stop bit + words[i].stopbit = byte[i*7+6] & 1; + + if (words[i].stopbit == 1) + words[i].stopparity = false; + + } +} + +static void print_bit_table(const em4x50_word_t word) { + + // generate output in table form for each word including parities, stop + // bit, result of parity checks and hex notation of each row in msb/lsb + // notation + // individual parity errors will be highlighted in red + + int bit = 0; + char string[400] = {0}; + char pstring[100] = {0}; + + // print binary data + for (int j = 0; j < 4; j++) { + + strcat(string, " "); + + // lsb notation + for (int k = 0; k < 8; k++) { + sprintf(pstring, "%i", (word.byte[j] >> (7-k)) & 1); + strcat(string, pstring); + } + + strcat(string, " | "); + + // binary row parities + hex bytes of word + sprintf(pstring, (word.rparity[j]) ? "%i" : _RED_("%i"), word.row_parity[j]); + strcat(string, pstring); + + if (j == 0) + sprintf(pstring, " msb: 0x%02x lsb: 0x%02x", word.byte[j], msb2lsb(word.byte[j])); + else + sprintf(pstring, " 0x%02x 0x%02x", word.byte[j], msb2lsb(word.byte[j])); + + strcat(string, pstring); + PrintAndLogEx(NORMAL,string); + + string[0] = '\0'; + } + + strcat(string, " ------------ --------------------\n "); + + // binary column parities + for (int k = 0; k < 8; k++) { + + bit = (word.col_parity >> (7-k)) & 1; + + // if column parity is false -> highlight bit in red + sprintf(pstring, (word.cparity[k]) ? "%i" : _RED_("%i"), bit); + strcat(string, pstring); + } + + // binary stop bit + strcat(string, " | "); + sprintf(pstring, (word.stopparity) ? "%i" : _RED_("%i"), word.stopbit); + strcat(pstring, " parities "); + strcat(string, pstring); + + // parities passed/failed + sprintf(pstring, (word.parity) ? _GREEN_("passed") : _RED_("failed")); + strcat(string, pstring); + + PrintAndLogEx(NORMAL,string); + + string[0] = '\0'; +} + +static void print_result(const em4x50_word_t *words, int fwr, int lwr) { + + // print available information for given word from fwr to lwr, i.e. + // bit table + summary lines with hex notation of word (msb + lsb) + + char string[400] = {0}; + char pstring[100] = {0}; + + for (int i = fwr; i <= lwr; i++) { + + // blank line before each bit table + PrintAndLogEx(NORMAL, ""); + + // print bit table + print_bit_table(words[i]); + + // final result + sprintf(pstring, "\n word[%i] msb: " _BLUE_("0x"), i); + strcat(string, pstring); + + for (int j = 0; j < 4; j++) { + sprintf(pstring, _BLUE_("%02x"), words[i].byte[j]); + strcat(string, pstring); + } + + sprintf(pstring, "\n word[%i] lsb: " _BLUE_("0x"), i); + strcat(string, pstring); + + for (int j = 0; j < 4; j++) { + sprintf(pstring, _BLUE_("%02x"), msb2lsb(words[i].byte[3-j])); + strcat(string, pstring); + } + + PrintAndLogEx(NORMAL,string); + + string[0] = '\0'; + } +} + +static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bool bverbose) { + + // displays all information info result in structured format + + bool bpwd_given = etd->pwd_given; + bool bsuccess = (bool)resp->oldarg[0]; + bool blogin = (bool)resp->oldarg[1]; + bool bpwc, braw; + int fwr, lwr, fwrp, lwrp, fwwi, lwwi; + uint8_t *data = resp->data.asBytes; + em4x50_word_t words[34]; + char pstring[100] = {0}; + char string[200] = {0}; + + prepare_result(data, 0, 33, words); + + bpwc = check_bit_in_byte(7, words[2].byte[2]); // password check + braw = check_bit_in_byte(6, words[2].byte[2]); // read after write + fwr = msb2lsb(words[2].byte[0]); // first word read + lwr = msb2lsb(words[2].byte[1]); // last word read + fwrp = msb2lsb(words[1].byte[0]); // first word read protected + lwrp = msb2lsb(words[1].byte[1]); // last word read protected + fwwi = msb2lsb(words[1].byte[2]); // first word write inhibited + lwwi = msb2lsb(words[1].byte[3]); // last word write inhibited + + // data section + PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:")); + + if (bverbose) { + + // detailed data section + print_result(words, 0, 33); + + } else { + + // condensed data section + for (int i = 0; i <= 33; i++) { + + sprintf(pstring, " word[%2i]: ", i); + strcat(string, pstring); + + for (int j = 0; j < 4; j++) { + sprintf(pstring, "%02x", words[i].byte[j]); + strcat(string, pstring); + } + + switch(i) { + case 0: + sprintf(pstring, _BLUE_(" password, write only")); + break; + case 1: + sprintf(pstring, _BLUE_(" protection word, write inhibited")); + break; + case 2: + sprintf(pstring, _BLUE_(" control word, write inhibited")); + break; + case 32: + sprintf(pstring, _BLUE_(" device serial number, read only")); + break; + case 33: + sprintf(pstring, _BLUE_(" device identification, read only")); + break; + default: + sprintf(pstring, " user data"); + break; + } + + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + } + } + + // configuration section + PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 configuration")); + PrintAndLogEx(NORMAL," control: | protection:"); + + sprintf(pstring, " first word read: %3i |", fwr); + strcat(string, pstring); + sprintf(pstring, " first word read protected: %3i", fwrp); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + sprintf(pstring, " last word read: %3i |", lwr); + strcat(string, pstring); + sprintf(pstring, " last word read protected: %3i", lwrp); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + sprintf(pstring, " password check: %3s |", (bpwc) ? "on" : "off"); + strcat(string, pstring); + sprintf(pstring, " first word write inhibited: %3i", fwwi); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + sprintf(pstring, " read after write: %3s |", (braw) ? "on" : "off"); + strcat(string, pstring); + sprintf(pstring, " last word write inhibited: %3i", lwwi); + strcat(string, pstring); + PrintAndLogEx(NORMAL,"%s", string); + string[0] = '\0'; + + PrintAndLogEx(NORMAL, "\n Zero values may indicate read protection!"); + + // status line + sprintf(pstring, "\n reading "); + strcat(string, pstring); + + if (!bsuccess) { + + sprintf(pstring, _RED_("failed")); + strcat(string, pstring); + + } else { + + sprintf(pstring, _GREEN_("successful ")); + strcat(string, pstring); + + if (blogin) { + + if (bpwd_given) { + + sprintf(pstring, "(login with 0x%02x%02x%02x%02x)", + etd->password[0], etd->password[1], + etd->password[2], etd->password[3]); + strcat(string, pstring); + + } else { + + sprintf(pstring, "(login with default password)"); + strcat(string, pstring); + + } + + } else { + + if (bpwd_given) { + + sprintf(pstring, "(login failed)"); + strcat(string, pstring); + + } else { + + sprintf(pstring, "(no login)"); + strcat(string, pstring); + + } + } + + } + + PrintAndLogEx(NORMAL,"%s\n", string); +} + +int CmdEM4x50Info(const char *Cmd) { + + // envokes reading of a EM4x50 tag which has to be on the antenna because + // decoding is done by the device (not on client side) + + bool errors = false, verbose = false; + char password[20] = {0x00}, tmpbuff[3]; + uint8_t cmdp = 0; + em4x50_data_t etd; + PacketResponseNG resp; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch (tolower(param_getchar(Cmd, cmdp))) { + + case 'h': + return usage_lf_em4x50_info(); + + case 'p': + param_getstr(Cmd, cmdp + 1, password, sizeof(password)); + + // validation + if (strlen(password) != 8) { + + PrintAndLogEx(WARNING, "\n error, password has to be 4 bytes\n"); + errors = true; + break; + } + + // prepare given password + etd.pwd_given = true; + for (int i = 0; i < 4; i++) + sscanf(strncpy(tmpbuff, password+2*i, 2), "%2hhx", &etd.password[i]); + + cmdp += 2; + break; + + case 'v': + verbose = true; + cmdp += 1; + break; + + default: + PrintAndLogEx(WARNING, " Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + // validation + if (errors) { + return usage_lf_em4x50_info(); + } + + // call info command + clearCommandBuffer(); + SendCommandMIX(CMD_LF_EM4X50_INFO, 0, 0, 0, &etd, sizeof(etd)); + + // get result + if (!WaitForResponse(CMD_ACK, &resp)) { + PrintAndLogEx(WARNING, " timeout while waiting for reply."); + return PM3_ESOFT; + } + + // prepare result + print_info_result(&resp, &etd, verbose); + + return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; +} From 2b1bfc58f9f05dc77c7a070423b8d5297e9c019d Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:31:43 +0200 Subject: [PATCH 06/51] added EM4x50 info function --- client/src/cmdlfem4x50.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 client/src/cmdlfem4x50.h diff --git a/client/src/cmdlfem4x50.h b/client/src/cmdlfem4x50.h new file mode 100644 index 000000000..3868e6113 --- /dev/null +++ b/client/src/cmdlfem4x50.h @@ -0,0 +1,18 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#ifndef CMDLFEM4X50_H__ +#define CMDLFEM4X50_H__ + +int usage_lf_em4x50_info(void); + +int CmdEM4x50Info(const char *Cmd); + +#endif From e707ceb906aeae6ae8c3ebfcd532a54f41f14776 Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:32:11 +0200 Subject: [PATCH 07/51] added EM4x50 info function --- client/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/client/Makefile b/client/Makefile index 3bd059318..a4e8b193d 100644 --- a/client/Makefile +++ b/client/Makefile @@ -439,6 +439,7 @@ SRCS = aidsearch.c \ cmdlfawid.c \ cmdlfcotag.c \ cmdlfem4x.c \ + cmdlfem4x50.c \ cmdlffdx.c \ cmdlfguard.c \ cmdlfgallagher.c \ From ffec9d5a1846e59f7ed86d9786b64f5c6c6e017a Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:32:23 +0200 Subject: [PATCH 08/51] added EM4x50 info function --- armsrc/Makefile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/armsrc/Makefile b/armsrc/Makefile index f4eb19963..1bbbf2ba7 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -63,6 +63,12 @@ else SRC_HITAG = endif +ifneq (,$(findstring WITH_EM4x50,$(APP_CFLAGS))) + SRC_EM4x50 = em4x50.c +else + SRC_EM4x50 = +endif + ifneq (,$(findstring WITH_LCD,$(APP_CFLAGS))) SRC_LCD = fonts.c LCD.c else @@ -99,6 +105,7 @@ THUMBSRC = start.c \ $(SRC_SMARTCARD) \ $(SRC_FPC) \ $(SRC_HITAG) \ + $(SRC_EM4x50) \ $(SRC_SPIFFS) \ $(SRC_ISO14443a) \ $(SRC_ISO14443b) \ From 1fe83eaf254ec39f8537d20f21742deb9eebf8e5 Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:32:34 +0200 Subject: [PATCH 09/51] added EM4x50 info function --- armsrc/appmain.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 80eb673f2..0d05222de 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -29,6 +29,7 @@ #include "felica.h" #include "hitag2.h" #include "hitagS.h" +#include "em4x50.h" #include "iclass.h" #include "legicrfsim.h" #include "epa.h" @@ -448,6 +449,11 @@ static void SendCapabilities(void) { #else capabilities.compiled_with_hitag = false; #endif +#ifdef WITH_EM4x50 + capabilities.compiled_with_em4x50 = true; +#else + capabilities.compiled_with_em4x50 = false; +#endif #ifdef WITH_HFSNIFF capabilities.compiled_with_hfsniff = true; #else @@ -983,6 +989,13 @@ static void PacketReceived(PacketCommandNG *packet) { } #endif +#ifdef WITH_EM4x50 + case CMD_LF_EM4X50_INFO: { + em4x50_info((em4x50_data_t *)packet->data.asBytes); + break; + } +#endif + #ifdef WITH_ISO15693 case CMD_HF_ISO15693_ACQ_RAW_ADC: { AcquireRawAdcSamplesIso15693(); From f5ff2c12ebf83e5ea31e74f2d30b25780e33b8fb Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:32:44 +0200 Subject: [PATCH 10/51] added EM4x50 info function --- armsrc/em4x50.h | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 armsrc/em4x50.h diff --git a/armsrc/em4x50.h b/armsrc/em4x50.h new file mode 100644 index 000000000..76e9b7525 --- /dev/null +++ b/armsrc/em4x50.h @@ -0,0 +1,22 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#ifndef EM4X50_H +#define EM4X50_H + +#include "../include/em4x50.h" + +typedef struct { + uint8_t sectors[34][7]; +} em4x50_tag_t; + +void em4x50_info(em4x50_data_t *etd); + +#endif /* EM4X50_H */ From ef9ccde512b7dc6a0a82a2ed2038b28946bd8e03 Mon Sep 17 00:00:00 2001 From: tharexde Date: Mon, 15 Jun 2020 14:32:51 +0200 Subject: [PATCH 11/51] added EM4x50 info function --- armsrc/em4x50.c | 672 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 672 insertions(+) create mode 100644 armsrc/em4x50.c diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c new file mode 100644 index 000000000..ba4a1b89d --- /dev/null +++ b/armsrc/em4x50.c @@ -0,0 +1,672 @@ +//----------------------------------------------------------------------------- +// Copyright (C) 2020 tharexde +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// Low frequency EM4x50 commands +//----------------------------------------------------------------------------- + +#include "fpgaloader.h" +#include "ticks.h" +#include "dbprint.h" +#include "lfadc.h" +#include "em4x50.h" + +// 4 data bytes +// + byte with row parities +// + column parity byte +// + byte with stop bit + +static em4x50_tag_t tag = { + .sectors = { + [0] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // password + [1] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // protection word + [2] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // control word + [3] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [4] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [5] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [7] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [9] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [10] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [11] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [12] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [13] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [14] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [15] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [17] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [18] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [19] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [20] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [21] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [22] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [23] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [24] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [25] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [26] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [27] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [28] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [29] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [30] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [31] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user + [32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device serial number + [33] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device identification + }, +}; + +// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK) +// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz +// EM4x50 units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier) +// T0 = TIMER_CLOCK1 / 125000 = 192 + +#ifndef T0 +#define T0 192 +#endif + +#define EM4X50_T_TAG_QUARTER_PERIOD 16 +#define EM4X50_T_TAG_HALF_PERIOD 32 +#define EM4X50_T_TAG_THREE_QUARTER_PERIOD 48 +#define EM4X50_T_TAG_FULL_PERIOD 64 +#define EM4X50_T_WAITING_FOR_LIW 500 + +#define EM4X50_TAG_TOLERANCE 8 +#define EM4X50_TAG_WORD 45 + +#define EM4X50_BIT_0 0 +#define EM4X50_BIT_1 1 +#define EM4X50_BIT_OTHER 2 + +#define EM4X50_COMMAND_LOGIN 0x01 +#define EM4X50_COMMAND_WRITE 0x12 +#define EM4X50_COMMAND_SELECTIVE_READ 0x0A + +#define FPGA_TIMER_0 0 + +// auxiliary functions + +static void init_tag(void) { + + // initialize global tag structure + + for (int i = 0; i < 34; i++) + for (int j = 0; j < 7; j++) + tag.sectors[i][j] = 0x00; +} + +static uint8_t bits2byte(uint8_t bits[8], int length) { + + // converts separate bits into a single "byte" + + uint8_t byte = 0; + + for (int i = 0; i < length; i++) { + + byte |= bits[i]; + + if (i != length-1) + byte <<= 1; + } + + return byte; +} + +static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) { + + // split "raw" word into data, row and column parity bits and stop bit and + // save them in global tag structure + + uint8_t row_parity[4]; + uint8_t col_parity[8]; + + // data and row parities + for (int i = 0; i < 4; i++) { + tag.sectors[pos][i] = bits2byte(&bits[9*i],8); + row_parity[i] = bits[9*i+8]; + } + + tag.sectors[pos][4] = bits2byte(row_parity,4); + + // column parities + for (int i = 0; i < 8; i++) + col_parity[i] = bits[36+i]; + + tag.sectors[pos][5] = bits2byte(col_parity,8); + + // stop bit + tag.sectors[pos][6] = bits[44]; +} + +static void wait_timer(int timer, uint32_t period) { + + // do nothing for using timer + + if (timer == FPGA_TIMER_0) { + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < period); + + } else { + + AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC1->TC_CV < period); + + } +} + +static void em4x50_setup_read(void) { + + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + + FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD); + + // 50ms for the resonant antenna to settle. + SpinDelay(50); + // Now set up the SSC to get the ADC samples that are now streaming at us. + FpgaSetupSsc(); + // start a 1.5ticks is 1us + StartTicks(); + + FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125); + + // Connect the A/D to the peak-detected low-frequency path. + SetAdcMuxFor(GPIO_MUXSEL_LOPKD); + + // Steal this pin from the SSP (SPI communication channel with fpga) and + // use it to control the modulation + AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT; + AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; + + // Disable modulation at default, which means enable the field + LOW(GPIO_SSC_DOUT); + + // Enable Peripheral Clock for + // TIMER_CLOCK0, used to measure exact timing before answering + // TIMER_CLOCK1, used to capture edges of the tag frames + AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1); + AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME; // wofür ist das? + + // Disable timer during configuration + AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; + AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS; + + // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers + AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK; + + // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers + AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK; + + // Enable and reset counters + AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; + AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG; + + // synchronized startup procedure + while (AT91C_BASE_TC0->TC_CV > 0) {}; // wait until TC1 returned to zero + + // Watchdog hit + WDT_HIT(); +} + +// functions for "reader" use case + +static int get_next_bit(void) { + + // returns bit value (or EM4X50_BIT_OTHER -> no bit pattern) by evaluating + // a single sample within a bit period (given there is no LIW, ACK or NAK) + // This function is not used for decoding, it is only used for identifying + // a listen window (return value = EM4X50_BIT_OTHER) in functions + // "find_double_listen_window" and "check_ack" + + int dhigh = 230; // 90% of maximum sample value (255) + int dlow = 25; // 10% of maximum sample value (255) + uint8_t sample; + + // get sample at 3/4 of bit period + wait_timer(0, T0 * EM4X50_T_TAG_THREE_QUARTER_PERIOD); + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + // wait until end of bit period + wait_timer(0, T0 * EM4X50_T_TAG_QUARTER_PERIOD); + + // decide wether "0" or "1" + if (sample > dhigh) + return EM4X50_BIT_0; + else if (sample < dlow) + return EM4X50_BIT_1; + + return EM4X50_BIT_OTHER; +} + +static uint32_t get_pulse_length(void) { + + // + + uint8_t sample = 0, high = 192, low = 64; + + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + while (sample > low) + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; + + while (sample < high) + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + while (sample > low) + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + return (uint32_t)AT91C_BASE_TC1->TC_CV; +} + +static bool check_pulse_length(uint32_t pl, int length) { + + // check if pulse length corresponds to given length + + if ((pl >= T0 * (length - EM4X50_TAG_TOLERANCE)) & + (pl <= T0 * (length + EM4X50_TAG_TOLERANCE))) + return true; + else + return false; +} + +static void em4x50_send_bit(int bit) { + + // send single bit according to EM4x50 application note and datasheet + + // reset clock for the next bit + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + + if (bit == 0) { + + // disable modulation (drop the field) for 7 cycles of carrier + // period (Opt64) + LOW(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * 7); + + // enable modulation (activates the field) for remaining first + // half of bit period + HIGH(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_HALF_PERIOD); + + // disable modulation for second half of bit period + LOW(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD); + + } else { + + // bit = "1" means disable modulation for full bit period + LOW(GPIO_SSC_DOUT); + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD); + } +} + +static void em4x50_send_byte(uint8_t byte) { + + // send byte (without parity) + + int mask = 0x80; + + for (int i = 0; i < 8; i++) { + + if ((byte & mask) == 0) + em4x50_send_bit(0); + else + em4x50_send_bit(1); + + mask >>= 1; + } +} + +static void em4x50_send_byte_with_parity(uint8_t byte) { + + // send byte followed by its (equal) parity bit + + int parity = 0; + int mask = 0x80; + + for (int i = 0; i < 8; i++) { + + if ((byte & mask) == 0) { + em4x50_send_bit(0); + parity ^= 0; + } else { + em4x50_send_bit(1); + parity ^= 1; + } + + mask >>= 1; + } + + em4x50_send_bit(parity); +} + +static void em4x50_send_word(const uint8_t bytes[4]) { + + // send 32 bit word with parity bits according to EM4x50 datasheet + + for (int i = 0; i < 4; i++) + em4x50_send_byte_with_parity(bytes[i]); + + // send column parities + em4x50_send_byte(bytes[0] ^ bytes[1] ^ bytes[2] ^ bytes[3]); + + // send final stop bit (always "0") + em4x50_send_bit(0); +} + +static bool find_double_listen_window(bool bcommand) { + + // find two successive listen windows that indicate the beginning of + // data transmission + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_WAITING_FOR_LIW) { + + // identification of listen window is done via evaluation of + // pulse lengths + if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) { + + if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // first listen window found + + if (bcommand) { + + // data transmission from card has to be stopped, because + // a commamd shall be issued + + // unfortunately the posititon in listen window (where + // command request has to be sent) has gone, so if a + // second window follows - sync on this to issue a command + + // skip the next bit... + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_FULL_PERIOD); + + // ...and check if the following bit does make sense + // (if not it is the correct position within the second + // listen window) + if (get_next_bit() == EM4X50_BIT_OTHER) { + + // send RM for request mode + em4x50_send_bit(0); + em4x50_send_bit(0); + + return true; + } + + } + + if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) { + + // return although second listen window consists of one + // more bit period but this period is necessary for + // evaluating further pulse lengths + return true; + } + } + } + } + + return false; +} + +static bool request_receive_mode(void) { + + // To issue a command we have to find a listen window first. + // Because identification and sychronization at the same time is not + // possible when using pulse lengths a double listen window is used. + + bool bcommand = true; + + return find_double_listen_window(bcommand); +} + +static bool check_ack(bool bliw) { + + // returns true if signal structue corresponds to ACK, anything else is + // counted as NAK (-> false) + // Only relevant for pasword writing function: + // If is true then within the single listen window right after the + // ack signal a RM request has to be sent. + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < T0 * 4 * EM4X50_T_TAG_FULL_PERIOD) { + + if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // The received signal is either ACK or NAK. + + if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // Now the signal must be ACK. + + if (!bliw) { + + return true; + + } else { + + // send RM request after ack signal + + // wait for 2 bits (remaining "bit" of ACK signal + first + // "bit" of listen window) + wait_timer(FPGA_TIMER_0, T0 * 2 * EM4X50_T_TAG_FULL_PERIOD); + + // check for listen window (if first bit cannot be inerpreted + // as a valid bit it must belong to a listen window) + if (get_next_bit() == EM4X50_BIT_OTHER) { + + // send RM for request mode + em4x50_send_bit(0); + em4x50_send_bit(0); + + return true; + } + } + } + } + } + + return false; +} + +static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) { + + // decodes one word by evaluating pulse lengths and previous bit; + // word must have 45 bits in total: + // 32 data bits + 4 row parity bits + 8 column parity bits + 1 stop bit + + bool bbitchange = false; + int i = 0; + uint32_t pl = 0; + + // initial bit value depends on last pulse length of listen window + pl = get_pulse_length(); + if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) { + + // pulse length = 1.5 + bits[0] = 1; + + } else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length = 2 + bits[0] = 0; + bbitchange = true; + + } else { + + // pulse length = 2.5 + bits[0] = 0; + bits[1] = 1; + i++; + } + + // identify remaining bits based on pulse lengths + // between two listen windows only pulse lengths of 1, 1.5 and 2 are possible + while (true) { + + i++; + pl = get_pulse_length(); + + if (check_pulse_length(pl, EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length = 1 -> keep former bit value + bits[i] = bits[i-1]; + + } else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) { + + // pulse length = 1.5 -> decision on bit change + + if (bbitchange) { + + // if number of pulse lengths with 1.5 periods is even -> add bit + bits[i] = (bits[i-1] == 1) ? 1 : 0; + + // pulse length of 1.5 changes bit value + bits[i+1] = (bits[i] == 1) ? 0 : 1; + i++; + + // next time add only one bit + bbitchange = false; + + } else { + + bits[i] = (bits[i-1] == 1) ? 0 : 1; + + // next time two bits have to be added + bbitchange = true; + } + + } else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length of 2 means: adding 2 bits "01" + bits[i] = 0; + bits[i+1] = 1; + i++; + + } else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_FULL_PERIOD)) { + + // pulse length of 3 indicates listen window -> clear last + // bit (= 0) and return + return --i; + + } + } +} + +// login function + +static bool login(uint8_t password[4]) { + + if (request_receive_mode ()) { + + // send login command + em4x50_send_byte_with_parity(EM4X50_COMMAND_LOGIN); + + // send password + em4x50_send_word(password); + + // check if ACK is returned + if (check_ack(false)) + return true; + + } else { + Dbprintf("error in command request"); + } + + return false; +} + +// read functions + +static bool standard_read(int *now) { + + // reads data that tag transmits when exposed to reader field + // (standard read mode); number of read words is saved in + + uint8_t bits[EM4X50_TAG_WORD] = {0}; + + // start with the identification of two succsessive listening windows + if (find_double_listen_window(false)) { + + // read and save words until following double listen window is detected + while (get_word_from_bitstream(bits) == EM4X50_TAG_WORD) + save_word((*now)++, bits); + + return true; + + } else { + Dbprintf("didn't find a listen window"); + } + + return false; +} + +static bool selective_read(uint8_t addresses[4]) { + + // reads from "first word read" (fwr = addresses[3]) to "last word read" + // (lwr = addresses[2]) + // result is verified by "standard read mode" result + + int fwr = addresses[3]; // first word read + int lwr = addresses[2]; // last word read + int now = 0; // number of words + + if (request_receive_mode()) { + + // send selective read command + em4x50_send_byte_with_parity(EM4X50_COMMAND_SELECTIVE_READ); + + // send address data + em4x50_send_word(addresses); + + // look for ACK sequence + if (check_ack(false)) + + // save and verifiy via standard read mode (compare number of words) + if (standard_read(&now)) + if (now == (lwr - fwr + 1)) + return true; + + } else { + Dbprintf("error in command request"); + } + + return false; +} + +void em4x50_info(em4x50_data_t *etd) { + + // collects as much information as possible via selective read mode + // if no password is given -> try with standard password "0x00000000" + // otherwise continue without login + + bool bsuccess = false, blogin = false; + uint8_t addresses[] = {0x00, 0x00, 0x21, 0x00}; // fwr = 0, lwr = 33 + uint8_t password[] = {0x00, 0x00, 0x00, 0x00}; // default password + + init_tag(); + em4x50_setup_read(); + + + if (etd->pwd_given) { + + // try to login with given password + blogin = login(etd->password); + + } else { + + // if no password is given, try to login with "0x00000000" + blogin = login(password); + + } + + bsuccess = selective_read(addresses); + + lf_finalize(); + reply_mix(CMD_ACK, bsuccess, blogin, 0, (uint8_t *)tag.sectors, 238); +} From b1b6f0d8b748f8cd8d1261db15fe3a8f265e32ca Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:24:35 +0200 Subject: [PATCH 12/51] added write and write_password functions --- armsrc/em4x50.c | 215 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 210 insertions(+), 5 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index ba4a1b89d..9e7f0c57f 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -72,6 +72,8 @@ static em4x50_tag_t tag = { #define EM4X50_T_TAG_THREE_QUARTER_PERIOD 48 #define EM4X50_T_TAG_FULL_PERIOD 64 #define EM4X50_T_WAITING_FOR_LIW 500 +#define EM4X50_T_TAG_TPP 64 +#define EM4X50_T_TAG_TWA 64 #define EM4X50_TAG_TOLERANCE 8 #define EM4X50_TAG_WORD 45 @@ -81,7 +83,9 @@ static em4x50_tag_t tag = { #define EM4X50_BIT_OTHER 2 #define EM4X50_COMMAND_LOGIN 0x01 +#define EM4X50_COMMAND_RESET 0x80 #define EM4X50_COMMAND_WRITE 0x12 +#define EM4X50_COMMAND_WRITE_PASSWORD 0x11 #define EM4X50_COMMAND_SELECTIVE_READ 0x0A #define FPGA_TIMER_0 0 @@ -114,6 +118,35 @@ static uint8_t bits2byte(uint8_t bits[8], int length) { return byte; } +static uint8_t msb2lsb(uint8_t byte) { + + // returns byte with bit positions in reverse order + + uint8_t tmp = 0; + + for (int i = 0; i < 8; i++) + tmp |= ((byte >> (7-i)) & 1) << i; + + return tmp; +} + +static void msb2lsb_word(uint8_t *word) { + + // reorders given according to EM4x50 datasheet (msb -> lsb) + + uint8_t buff[4]; + + buff[0] = msb2lsb(word[3]); + buff[1] = msb2lsb(word[2]); + buff[2] = msb2lsb(word[1]); + buff[3] = msb2lsb(word[0]); + + word[0] = buff[0]; + word[1] = buff[1]; + word[2] = buff[2]; + word[3] = buff[3]; +} + static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) { // split "raw" word into data, row and column parity bits and stop bit and @@ -242,7 +275,7 @@ static int get_next_bit(void) { static uint32_t get_pulse_length(void) { - // + // iterates pulse length (low -> high -> low) uint8_t sample = 0, high = 192, low = 64; @@ -562,6 +595,9 @@ static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) { static bool login(uint8_t password[4]) { + // simple login to EM4x50, + // used in operations that require authentication + if (request_receive_mode ()) { // send login command @@ -581,6 +617,27 @@ static bool login(uint8_t password[4]) { return false; } +// reset function + +static bool reset(void) { + + // resets EM4x50 tag (used by write function) + + if (request_receive_mode ()) { + + // send login command + em4x50_send_byte_with_parity(EM4X50_COMMAND_RESET); + + if (check_ack(false)) + return true; + + } else { + Dbprintf("error in command request"); + } + + return false; +} + // read functions static bool standard_read(int *now) { @@ -588,6 +645,7 @@ static bool standard_read(int *now) { // reads data that tag transmits when exposed to reader field // (standard read mode); number of read words is saved in + int fwr = *now; uint8_t bits[EM4X50_TAG_WORD] = {0}; // start with the identification of two succsessive listening windows @@ -597,6 +655,9 @@ static bool standard_read(int *now) { while (get_word_from_bitstream(bits) == EM4X50_TAG_WORD) save_word((*now)++, bits); + // number of detected words + *now -= fwr; + return true; } else { @@ -610,11 +671,11 @@ static bool selective_read(uint8_t addresses[4]) { // reads from "first word read" (fwr = addresses[3]) to "last word read" // (lwr = addresses[2]) - // result is verified by "standard read mode" result + // result is verified by "standard read mode" int fwr = addresses[3]; // first word read int lwr = addresses[2]; // last word read - int now = 0; // number of words + int now = fwr; // number of words if (request_receive_mode()) { @@ -627,11 +688,11 @@ static bool selective_read(uint8_t addresses[4]) { // look for ACK sequence if (check_ack(false)) - // save and verifiy via standard read mode (compare number of words) + // save and verify via standard read mode (compare number of words) if (standard_read(&now)) if (now == (lwr - fwr + 1)) return true; - + } else { Dbprintf("error in command request"); } @@ -670,3 +731,147 @@ void em4x50_info(em4x50_data_t *etd) { lf_finalize(); reply_mix(CMD_ACK, bsuccess, blogin, 0, (uint8_t *)tag.sectors, 238); } + +// write functions + +static bool write(uint8_t word[4], uint8_t address) { + + // writes to specified
+ + if (request_receive_mode()) { + + // send selective read command + em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE); + + // send address data + em4x50_send_byte_with_parity(address); + + // send data + em4x50_send_word(word); + + // wait for T0 * EM4X50_T_TAG_TWA (write access time) + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA); + + // look for ACK sequence + if (check_ack(false)) { + + // now EM4x50 needs T0 * EM4X50_T_TAG_TWEE (EEPROM write time) + // for saving data and should return with ACK + if (check_ack(false)) + return true; + + } + + } else { + Dbprintf("error in command request"); + } + + return false; +} + +static bool write_password(uint8_t password[4], uint8_t new_password[4]) { + + // changes password from to + + if (request_receive_mode()) { + + // send selective read command + em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE_PASSWORD); + + // send address data + em4x50_send_word(password); + + // wait for T0 * EM4x50_T_TAG_TPP (processing pause time) + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TPP); + + // look for ACK sequence and send rm request + // during following listen window + if (check_ack(true)) { + + // send new password + em4x50_send_word(new_password); + + // wait for T0 * EM4X50_T_TAG_TWA (write access time) + wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA); + + if (check_ack(false)) + if (check_ack(false)) + return true; + + } + + } else { + Dbprintf("error in command request"); + } + + return false; +} + +void em4x50_write(em4x50_data_t *etd) { + + // write operation process for EM4x50 tag, + // single word is written to given address, verified by selective read operation + + bool bsuccess = true, blogin = false; + uint8_t word[4] = {0x00, 0x00, 0x00, 0x00}; + uint8_t addresses[4] = {0x00, 0x00, 0x00, 0x00}; + + init_tag(); + em4x50_setup_read(); + + // reorder word according to datasheet + msb2lsb_word(etd->word); + + // if password is given try to login first + if (etd->pwd_given) + blogin = login(etd->password); + + // write word to given address + if (write(etd->word, etd->address)) { + + // to verify result reset EM4x50 + if (reset()) { + + // if password is given login + if (etd->pwd_given) + blogin &= login(etd->password); + + // perform a selective read + addresses[2] = addresses[3] = etd->address; + if (selective_read(addresses)) { + + // compare with given word + word[0] = tag.sectors[etd->address][0]; + word[1] = tag.sectors[etd->address][1]; + word[2] = tag.sectors[etd->address][2]; + word[3] = tag.sectors[etd->address][3]; + msb2lsb_word(word); + + for (int i = 0; i < 4; i++) + bsuccess &= (word[i] == etd->word[i]) ? true : false; + + } + } + } + + lf_finalize(); + reply_mix(CMD_ACK, bsuccess, blogin, 0, (uint8_t *)tag.sectors, 238); +} + +void em4x50_write_password(em4x50_data_t *etd) { + + // sinmple change of password + + bool bsuccess = false; + + init_tag(); + em4x50_setup_read(); + + // login and change password + if (login(etd->password)) { + bsuccess = write_password(etd->password, etd->new_password); + } + + lf_finalize(); + reply_mix(CMD_ACK, bsuccess, 0, 0, 0, 0); +} From f930e78650d85ea5f29d0e5456fb03665c00092a Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:24:44 +0200 Subject: [PATCH 13/51] added write and write_password functions --- armsrc/em4x50.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/armsrc/em4x50.h b/armsrc/em4x50.h index 76e9b7525..746ca4811 100644 --- a/armsrc/em4x50.h +++ b/armsrc/em4x50.h @@ -18,5 +18,7 @@ typedef struct { } em4x50_tag_t; void em4x50_info(em4x50_data_t *etd); +void em4x50_write(em4x50_data_t *etd); +void em4x50_write_password(em4x50_data_t *etd); #endif /* EM4X50_H */ From bf85108f2fd643da6b666ba72528cf2afb8f47c3 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:25:07 +0200 Subject: [PATCH 14/51] added write and write_password functions --- armsrc/appmain.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 0d05222de..81c6a233a 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -994,6 +994,14 @@ static void PacketReceived(PacketCommandNG *packet) { em4x50_info((em4x50_data_t *)packet->data.asBytes); break; } + case CMD_LF_EM4X50_WRITE: { + em4x50_write((em4x50_data_t *)packet->data.asBytes); + break; + } + case CMD_LF_EM4X50_WRITE_PASSWORD: { + em4x50_write_password((em4x50_data_t *)packet->data.asBytes); + break; + } #endif #ifdef WITH_ISO15693 From 0ddcab51aa0dc2f99ac1981ae6d8abd6fe3453e1 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:25:17 +0200 Subject: [PATCH 15/51] added write and write_password functions --- client/src/cmdlfem4x50.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/client/src/cmdlfem4x50.h b/client/src/cmdlfem4x50.h index 3868e6113..732d05d5b 100644 --- a/client/src/cmdlfem4x50.h +++ b/client/src/cmdlfem4x50.h @@ -12,7 +12,11 @@ #define CMDLFEM4X50_H__ int usage_lf_em4x50_info(void); +int usage_lf_em4x50_write(void); +int usage_lf_em4x50_write_password(void); int CmdEM4x50Info(const char *Cmd); +int CmdEM4x50Write(const char *Cmd); +int CmdEM4x50WritePassword(const char *Cmd); #endif From 4023c2b8f9ecb41f32976ac61daa289fdf823bd0 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:25:27 +0200 Subject: [PATCH 16/51] added write and write_password functions --- client/src/cmdlfem4x50.c | 289 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 284 insertions(+), 5 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 74432c36c..b20e420cc 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -32,6 +32,31 @@ int usage_lf_em4x50_info(void) { PrintAndLogEx(NORMAL, " lf em 4x50_info v p fa225de1\n"); return PM3_SUCCESS; } +int usage_lf_em4x50_write(void) { + PrintAndLogEx(NORMAL, "Write EM4x50 word. Tag must be on antenna. "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h] a
w "); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h - this help"); + PrintAndLogEx(NORMAL, " a - memory address to write to (dec)"); + PrintAndLogEx(NORMAL, " w - word to write (hex)"); + PrintAndLogEx(NORMAL, " p - password (hex) (optional)"); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " lf em 4x50_write a 3 w deadc0de"); + return PM3_SUCCESS; +} +int usage_lf_em4x50_write_password(void) { + PrintAndLogEx(NORMAL, "Write EM4x50 password. Tag must be on antenna. "); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write_password [h] p n "); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h - this help"); + PrintAndLogEx(NORMAL, " p - password (hex)"); + PrintAndLogEx(NORMAL, " n - new password (hex)"); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " lf em 4x50_write_password p 11223344 n 01020304"); + return PM3_SUCCESS; +} static uint8_t msb2lsb(uint8_t byte) { @@ -216,7 +241,7 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) { static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bool bverbose) { - // displays all information info result in structured format + // display all information info result in structured format bool bpwd_given = etd->pwd_given; bool bsuccess = (bool)resp->oldarg[0]; @@ -319,10 +344,10 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, PrintAndLogEx(NORMAL,"%s", string); string[0] = '\0'; - PrintAndLogEx(NORMAL, "\n Zero values may indicate read protection!"); + PrintAndLogEx(NORMAL, "\n zero values may indicate read protection!"); // status line - sprintf(pstring, "\n reading "); + sprintf(pstring, " reading "); strcat(string, pstring); if (!bsuccess) { @@ -346,7 +371,7 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, } else { - sprintf(pstring, "(login with default password)"); + sprintf(pstring, "(login with default password 0x00000000)"); strcat(string, pstring); } @@ -373,7 +398,7 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, int CmdEM4x50Info(const char *Cmd) { - // envokes reading of a EM4x50 tag which has to be on the antenna because + // envoke reading of a EM4x50 tag which has to be on the antenna because // decoding is done by the device (not on client side) bool errors = false, verbose = false; @@ -382,6 +407,9 @@ int CmdEM4x50Info(const char *Cmd) { em4x50_data_t etd; PacketResponseNG resp; + // init + etd.pwd_given = false; + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { switch (tolower(param_getchar(Cmd, cmdp))) { @@ -439,3 +467,254 @@ int CmdEM4x50Info(const char *Cmd) { return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; } + +static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) { + + // display result of writing operation in structured format + + bool pwd_given = etd->pwd_given; + bool success = (bool)resp->oldarg[0]; + bool login = (bool)resp->oldarg[1]; + uint8_t *data = resp->data.asBytes; + char string[400] = {0}; + char pstring[100] = {0}; + em4x50_word_t word[1]; + + if (!success) { + + sprintf(pstring, "\n writing " _RED_("failed")); + strcat(string, pstring); + + } else { + + prepare_result(data, etd->address, etd->address, &word[0]); + print_result(word, etd->address, etd->address); + + sprintf(pstring, "\n writing " _GREEN_("successful ")); + strcat(string, pstring); + + if (pwd_given) { + + if (login) { + sprintf(pstring, "(login with 0x%02x%02x%02x%02x)", + etd->password[0], etd->password[1], + etd->password[2], etd->password[3]); + strcat(string, pstring); + } else { + sprintf(pstring, "(login failed)"); + strcat(string, pstring); + } + + } else { + sprintf(pstring, "(no login)"); + strcat(string, pstring); + } + } + + PrintAndLogEx(NORMAL,"%s\n", string); +} + +int CmdEM4x50Write(const char *Cmd) { + + // envoke writing a single word (32 bit) to a EM4x50 tag + + bool errors = false, baddress = false, bword = false; + char password[20] = {0x00}, word[20] = {0x00}, tmpbuff[3]; + int address = 0; + uint8_t cmdp = 0; + em4x50_data_t etd; + PacketResponseNG resp; + + // init + etd.pwd_given = false; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + + switch (tolower(param_getchar(Cmd, cmdp))) { + case 'h': + return usage_lf_em4x50_write(); + + case 'p': + param_getstr(Cmd, cmdp + 1, password, sizeof(password)); + + // validation + if (strlen(password) != 8) { + PrintAndLogEx(WARNING, "\n error, password has to be 4 bytes\n"); + errors = true; + break; + } + + // prepare given password + etd.pwd_given = true; + for (int i = 0; i < 4; i++) + sscanf(strncpy(tmpbuff, password+2*i, 2), "%2hhx", &etd.password[i]); + + cmdp += 2; + break; + + case 'w': + param_getstr(Cmd, cmdp + 1, word, sizeof(word)); + + // validation + if (strlen(word) != 8) { + PrintAndLogEx(WARNING, "\n error, word has to be 4 bytes\n"); + errors = true; + break; + } else { + bword = true; + } + + // prepare given word + for (int i = 0; i < 4; i++) + sscanf(strncpy(tmpbuff, word+2*i, 2), "%2hhx", &etd.word[i]); + + cmdp += 2; + break; + + case 'a': + param_getstr(Cmd, cmdp + 1, tmpbuff, sizeof(address)); + address = atoi(tmpbuff); + + // validation + if (address < 1 || address > 31) { + PrintAndLogEx(WARNING, "\n error, address has to be in range [1-31]\n"); + errors = true; + break; + } else { + baddress = true; + } + + etd.address = address; + + cmdp += 2; + break; + + default: + PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + if (errors || !baddress || !bword) + return usage_lf_em4x50_write(); + + clearCommandBuffer(); + SendCommandMIX(CMD_LF_EM4X50_WRITE, 0, 0, 0, &etd, sizeof(etd)); + + if (!WaitForResponse(CMD_ACK, &resp)) { + PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); + return PM3_ESOFT; + } + + // get, prepare and print response + print_write_result(&resp, &etd); + + return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; +} + +static void print_write_password_result(PacketResponseNG *resp, const em4x50_data_t *etd) { + + // display result of password changing operation + + bool success = (bool)resp->oldarg[0]; + char string[400] = {0}; + char pstring[100] = {0}; + + if (!success) { + + sprintf(pstring, "\n writing new password " _RED_("failed")); + strcat(string, pstring); + + } else { + + sprintf(pstring, "\n writing new password " _GREEN_("successful")); + strcat(string, pstring); + } + + PrintAndLogEx(NORMAL,"%s\n", string); +} + +int CmdEM4x50WritePassword(const char *Cmd) { + + // envokes changing the password of EM4x50 tag + + bool errors = false, bpwd = false, bnewpwd = false; + char password[20] = {0x00}, new_password[20] = {0x00}, tmpbuff[3]; + uint8_t cmdp = 0; + em4x50_data_t etd; + PacketResponseNG resp; + + // init + etd.pwd_given = false; + etd.newpwd_given = false; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + + switch (tolower(param_getchar(Cmd, cmdp))) { + case 'h': + return usage_lf_em4x50_write_password(); + + case 'p': + param_getstr(Cmd, cmdp + 1, password, sizeof(password)); + + // validation + if (strlen(password) != 8) { + PrintAndLogEx(WARNING, "\n error, passwords has to be 4 bytes\n"); + errors = true; + break; + } else { + bpwd = true; + } + + // prepare given password + etd.pwd_given = true; + for (int i = 0; i < 4; i++) + sscanf(strncpy(tmpbuff, password+2*i, 2), "%2hhx", &etd.password[i]); + + cmdp += 2; + break; + + case 'n': + param_getstr(Cmd, cmdp + 1, new_password, sizeof(new_password)); + + // validation + if (strlen(new_password) != 8) { + PrintAndLogEx(WARNING, "\n error, passwords have to be 4 bytes\n"); + errors = true; + break; + } else { + bnewpwd = true; + } + + // prepare given password + etd.newpwd_given = true; + for (int i = 0; i < 4; i++) + sscanf(strncpy(tmpbuff, new_password+2*i, 2), "%2hhx", &etd.new_password[i]); + + cmdp += 2; + break; + + default: + PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + if (errors || !bpwd || !bnewpwd) + return usage_lf_em4x50_write_password(); + + clearCommandBuffer(); + SendCommandMIX(CMD_LF_EM4X50_WRITE_PASSWORD, 0, 0, 0, &etd, sizeof(etd)); + + if (!WaitForResponse(CMD_ACK, &resp)) { + PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); + return PM3_ESOFT; + } + + // get, prepare and print response + print_write_password_result(&resp, &etd); + + return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; +} From cfeb869dabac5c295b3631f09db7357bf59f31b0 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:26:28 +0200 Subject: [PATCH 17/51] added write and write_password functions --- include/pm3_cmd.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index e2087d0f4..d8336bd65 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -403,6 +403,8 @@ typedef struct { #define CMD_LF_IO_DEMOD 0x021A #define CMD_LF_EM410X_DEMOD 0x021C #define CMD_LF_EM4X50_INFO 0x0240 +#define CMD_LF_EM4X50_WRITE 0x0241 +#define CMD_LF_EM4X50_WRITE_PASSWORD 0x0242 // Sampling configuration for LF reader/sniffer #define CMD_LF_SAMPLING_SET_CONFIG 0x021D #define CMD_LF_FSK_SIMULATE 0x021E From e81999da1a652e7b97b856af31b4b0d235c279d0 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:28:09 +0200 Subject: [PATCH 18/51] added write and write_password functions --- client/src/cmdlfem4x.c | 27 ++------------------------- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/client/src/cmdlfem4x.c b/client/src/cmdlfem4x.c index a43e624a4..a241488ae 100644 --- a/client/src/cmdlfem4x.c +++ b/client/src/cmdlfem4x.c @@ -139,20 +139,6 @@ static int usage_lf_em4x50_read(void) { PrintAndLogEx(NORMAL, " lf em 4x50_read 1 11223344"); return PM3_SUCCESS; } -static int usage_lf_em4x50_write(void) { - PrintAndLogEx(NORMAL, "Write EM 4x50/4x69. Tag must be on antenna. "); - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h]
"); - PrintAndLogEx(NORMAL, "Options:"); - PrintAndLogEx(NORMAL, " h - this help"); - PrintAndLogEx(NORMAL, " address - memory address to write to. (0-15)"); - PrintAndLogEx(NORMAL, " data - data to write (hex)"); - PrintAndLogEx(NORMAL, " pwd - password (hex) (optional)"); - PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de"); - PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de 11223344"); - return PM3_SUCCESS; -} //////////////// 4205 / 4305 commands static int usage_lf_em4x05_dump(void) { @@ -1039,16 +1025,6 @@ static int CmdEM4x50Read(const char *Cmd) { return EM4x50Read(Cmd, true); } -static int CmdEM4x50Write(const char *Cmd) { - uint8_t ctmp = tolower(param_getchar(Cmd, 0)); - if (ctmp == 'h') return usage_lf_em4x50_write(); - PrintAndLogEx(NORMAL, "no implemented yet"); -// -// PrintAndLogEx(SUCCESS, "Done"); -// PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf em 4x50_read`") " to verify"); - return PM3_SUCCESS; -} - static int CmdEM4x50Dump(const char *Cmd) { uint8_t ctmp = tolower(param_getchar(Cmd, 0)); if (ctmp == 'h') return usage_lf_em4x50_dump(); @@ -1765,8 +1741,9 @@ static command_t CommandTable[] = { {"4x50_demod", CmdEM4x50Demod, AlwaysAvailable, "demodulate a EM4x50 tag from the GraphBuffer"}, {"4x50_dump", CmdEM4x50Dump, IfPm3Lf, "dump EM4x50 tag"}, {"4x50_read", CmdEM4x50Read, IfPm3Lf, "read word data from EM4x50"}, - {"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"}, {"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"}, + {"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"}, + {"4x50_write_password", CmdEM4x50WritePassword, IfPm3Lf, "change passwword of EM4x50 tag"}, {NULL, NULL, NULL, NULL} }; From 187a1cdd9670fd684963b01a110e2ad6b737bf89 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 16 Jun 2020 23:28:43 +0200 Subject: [PATCH 19/51] added info, write and write_password functions --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 899d79a53..6791e748a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Added lf em functions: 4x50_info, 4x50_write, 4x50_write_password (@tharexde) - Fix em4x50 demodulation error (@tharexde) - Fix `hf mfdes` authentification issues, DES working (@bkerler) - Add Android cross-compilation to client cmake (@dxl, @doegox) From 5cb732d620cce62f045edb903a0d3ce39a412b9e Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:06:57 +0200 Subject: [PATCH 20/51] simplified functions for byte sending --- armsrc/em4x50.c | 34 +++++++++------------------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 9e7f0c57f..3feed884b 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -341,39 +341,23 @@ static void em4x50_send_byte(uint8_t byte) { // send byte (without parity) - int mask = 0x80; + for (int i = 0; i < 8; i++) + em4x50_send_bit((byte >> (7-i)) & 1); - for (int i = 0; i < 8; i++) { - - if ((byte & mask) == 0) - em4x50_send_bit(0); - else - em4x50_send_bit(1); - - mask >>= 1; - } } static void em4x50_send_byte_with_parity(uint8_t byte) { // send byte followed by its (equal) parity bit - int parity = 0; - int mask = 0x80; - - for (int i = 0; i < 8; i++) { - - if ((byte & mask) == 0) { - em4x50_send_bit(0); - parity ^= 0; - } else { - em4x50_send_bit(1); - parity ^= 1; - } - - mask >>= 1; - } + int parity = 0, bit = 0; + for (int i = 0; i < 8; i++) { + bit = (byte >> (7-i)) & 1; + em4x50_send_bit(bit); + parity ^= bit; + } + em4x50_send_bit(parity); } From 8e29bb7a563ea849821f8589a9f49f9396866793 Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:08:02 +0200 Subject: [PATCH 21/51] deleted german comment --- armsrc/em4x50.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 3feed884b..60f271c21 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -220,7 +220,7 @@ static void em4x50_setup_read(void) { // TIMER_CLOCK0, used to measure exact timing before answering // TIMER_CLOCK1, used to capture edges of the tag frames AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1); - AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME; // wofür ist das? + AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME; // Disable timer during configuration AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS; From d68434742974517923f703c2e2d1f2550f7f0ec6 Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:13:13 +0200 Subject: [PATCH 22/51] changed timeout return value from PM3_ESOFT to PM3_ETIMEOUT --- client/src/cmdlfem4x50.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index b20e420cc..52f6355f1 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -459,7 +459,7 @@ int CmdEM4x50Info(const char *Cmd) { // get result if (!WaitForResponse(CMD_ACK, &resp)) { PrintAndLogEx(WARNING, " timeout while waiting for reply."); - return PM3_ESOFT; + return PM3_ETIMEOUT; } // prepare result @@ -604,7 +604,7 @@ int CmdEM4x50Write(const char *Cmd) { if (!WaitForResponse(CMD_ACK, &resp)) { PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); - return PM3_ESOFT; + return PM3_ETIMEOUT; } // get, prepare and print response @@ -710,7 +710,7 @@ int CmdEM4x50WritePassword(const char *Cmd) { if (!WaitForResponse(CMD_ACK, &resp)) { PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); - return PM3_ESOFT; + return PM3_ETIMEOUT; } // get, prepare and print response From 25b0c2e1eb701663e968a77f9fd893b0a8ace187 Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:20:10 +0200 Subject: [PATCH 23/51] replaced blue color by green or yellow --- client/src/cmdlfem4x50.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 52f6355f1..a3deb1417 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -217,19 +217,19 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) { print_bit_table(words[i]); // final result - sprintf(pstring, "\n word[%i] msb: " _BLUE_("0x"), i); + sprintf(pstring, "\n word[%i] msb: " _GREEN_("0x"), i); strcat(string, pstring); for (int j = 0; j < 4; j++) { - sprintf(pstring, _BLUE_("%02x"), words[i].byte[j]); + sprintf(pstring, _GREEN_("%02x"), words[i].byte[j]); strcat(string, pstring); } - sprintf(pstring, "\n word[%i] lsb: " _BLUE_("0x"), i); + sprintf(pstring, "\n word[%i] lsb: " _GREEN_("0x"), i); strcat(string, pstring); for (int j = 0; j < 4; j++) { - sprintf(pstring, _BLUE_("%02x"), msb2lsb(words[i].byte[3-j])); + sprintf(pstring, _GREEN_("%02x"), msb2lsb(words[i].byte[3-j])); strcat(string, pstring); } @@ -287,19 +287,19 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, switch(i) { case 0: - sprintf(pstring, _BLUE_(" password, write only")); + sprintf(pstring, _YELLOW_(" password, write only")); break; case 1: - sprintf(pstring, _BLUE_(" protection word, write inhibited")); + sprintf(pstring, _YELLOW_(" protection word, write inhibited")); break; case 2: - sprintf(pstring, _BLUE_(" control word, write inhibited")); + sprintf(pstring, _YELLOW_(" control word, write inhibited")); break; case 32: - sprintf(pstring, _BLUE_(" device serial number, read only")); + sprintf(pstring, _YELLOW_(" device serial number, read only")); break; case 33: - sprintf(pstring, _BLUE_(" device identification, read only")); + sprintf(pstring, _YELLOW_(" device identification, read only")); break; default: sprintf(pstring, " user data"); From 572cc7c63e0b95cefa152370bfbcce10941ea2b4 Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:22:03 +0200 Subject: [PATCH 24/51] replaced "passed" by "ok" --- client/src/cmdlfem4x50.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index a3deb1417..522cece58 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -192,7 +192,7 @@ static void print_bit_table(const em4x50_word_t word) { strcat(string, pstring); // parities passed/failed - sprintf(pstring, (word.parity) ? _GREEN_("passed") : _RED_("failed")); + sprintf(pstring, (word.parity) ? _GREEN_("ok") : _RED_("failed")); strcat(string, pstring); PrintAndLogEx(NORMAL,string); From 601da777ad2719eb3cc413a5bf1c46be2b10df47 Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:38:49 +0200 Subject: [PATCH 25/51] replaced function msb2lsb(...) by already existing function reflect8(...) --- armsrc/em4x50.c | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 60f271c21..eb2704a2c 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -12,6 +12,7 @@ #include "ticks.h" #include "dbprint.h" #include "lfadc.h" +#include "commonutil.h" #include "em4x50.h" // 4 data bytes @@ -118,28 +119,16 @@ static uint8_t bits2byte(uint8_t bits[8], int length) { return byte; } -static uint8_t msb2lsb(uint8_t byte) { - - // returns byte with bit positions in reverse order - - uint8_t tmp = 0; - - for (int i = 0; i < 8; i++) - tmp |= ((byte >> (7-i)) & 1) << i; - - return tmp; -} - static void msb2lsb_word(uint8_t *word) { // reorders given according to EM4x50 datasheet (msb -> lsb) uint8_t buff[4]; - buff[0] = msb2lsb(word[3]); - buff[1] = msb2lsb(word[2]); - buff[2] = msb2lsb(word[1]); - buff[3] = msb2lsb(word[0]); + buff[0] = reflect8(word[3]); + buff[1] = reflect8(word[2]); + buff[2] = reflect8(word[1]); + buff[3] = reflect8(word[0]); word[0] = buff[0]; word[1] = buff[1]; From daa39dff0ebcedcc2e1a1deff3625899ac5271e8 Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:39:00 +0200 Subject: [PATCH 26/51] replaced function msb2lsb(...) by already existing function reflect8(...) --- client/src/cmdlfem4x50.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 522cece58..28f4f124e 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -12,6 +12,7 @@ #include #include "fileutils.h" #include "comms.h" +#include "commonutil.h" #include "em4x50.h" #define EM4x50_FCT_STDREAD 0 @@ -58,6 +59,7 @@ int usage_lf_em4x50_write_password(void) { return PM3_SUCCESS; } +/* static uint8_t msb2lsb(uint8_t byte) { // convert given byte (msb) into lsb format @@ -69,7 +71,7 @@ static uint8_t msb2lsb(uint8_t byte) { return tmp; } - +*/ static bool check_bit_in_byte(uint8_t pos, uint8_t byte) { // return true if bit at position is "1" @@ -163,9 +165,9 @@ static void print_bit_table(const em4x50_word_t word) { strcat(string, pstring); if (j == 0) - sprintf(pstring, " msb: 0x%02x lsb: 0x%02x", word.byte[j], msb2lsb(word.byte[j])); + sprintf(pstring, " msb: 0x%02x lsb: 0x%02x", word.byte[j], reflect8(word.byte[j])); else - sprintf(pstring, " 0x%02x 0x%02x", word.byte[j], msb2lsb(word.byte[j])); + sprintf(pstring, " 0x%02x 0x%02x", word.byte[j], reflect8(word.byte[j])); strcat(string, pstring); PrintAndLogEx(NORMAL,string); @@ -229,7 +231,7 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) { strcat(string, pstring); for (int j = 0; j < 4; j++) { - sprintf(pstring, _GREEN_("%02x"), msb2lsb(words[i].byte[3-j])); + sprintf(pstring, _GREEN_("%02x"), reflect8(words[i].byte[3-j])); strcat(string, pstring); } @@ -257,12 +259,12 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bpwc = check_bit_in_byte(7, words[2].byte[2]); // password check braw = check_bit_in_byte(6, words[2].byte[2]); // read after write - fwr = msb2lsb(words[2].byte[0]); // first word read - lwr = msb2lsb(words[2].byte[1]); // last word read - fwrp = msb2lsb(words[1].byte[0]); // first word read protected - lwrp = msb2lsb(words[1].byte[1]); // last word read protected - fwwi = msb2lsb(words[1].byte[2]); // first word write inhibited - lwwi = msb2lsb(words[1].byte[3]); // last word write inhibited + fwr = reflect8(words[2].byte[0]); // first word read + lwr = reflect8(words[2].byte[1]); // last word read + fwrp = reflect8(words[1].byte[0]); // first word read protected + lwrp = reflect8(words[1].byte[1]); // last word read protected + fwwi = reflect8(words[1].byte[2]); // first word write inhibited + lwwi = reflect8(words[1].byte[3]); // last word write inhibited // data section PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:")); From 0d61572f6dc5821c90ba4f1916dc43f35ca7906f Mon Sep 17 00:00:00 2001 From: tharexde Date: Wed, 17 Jun 2020 23:50:52 +0200 Subject: [PATCH 27/51] replaced old "SendCommandMIX" by "SendCommandNG" --- client/src/cmdlfem4x50.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 28f4f124e..6a17796cd 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -456,7 +456,8 @@ int CmdEM4x50Info(const char *Cmd) { // call info command clearCommandBuffer(); - SendCommandMIX(CMD_LF_EM4X50_INFO, 0, 0, 0, &etd, sizeof(etd)); + SendCommandNG(CMD_LF_EM4X50_INFO, (uint8_t *)&etd, sizeof(etd)); + // get result if (!WaitForResponse(CMD_ACK, &resp)) { @@ -602,7 +603,8 @@ int CmdEM4x50Write(const char *Cmd) { return usage_lf_em4x50_write(); clearCommandBuffer(); - SendCommandMIX(CMD_LF_EM4X50_WRITE, 0, 0, 0, &etd, sizeof(etd)); + SendCommandNG(CMD_LF_EM4X50_WRITE, (uint8_t *)&etd, sizeof(etd)); + if (!WaitForResponse(CMD_ACK, &resp)) { PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); @@ -708,7 +710,7 @@ int CmdEM4x50WritePassword(const char *Cmd) { return usage_lf_em4x50_write_password(); clearCommandBuffer(); - SendCommandMIX(CMD_LF_EM4X50_WRITE_PASSWORD, 0, 0, 0, &etd, sizeof(etd)); + SendCommandNG(CMD_LF_EM4X50_WRITE_PASSWORD, (uint8_t *)&etd, sizeof(etd)); if (!WaitForResponse(CMD_ACK, &resp)) { PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n"); From 9393ecc823112a233e0e15a8bac2b1d18ba811a0 Mon Sep 17 00:00:00 2001 From: tharexde Date: Thu, 18 Jun 2020 00:07:40 +0200 Subject: [PATCH 28/51] added debug level for error messages --- armsrc/em4x50.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index eb2704a2c..692b17419 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -584,7 +584,8 @@ static bool login(uint8_t password[4]) { return true; } else { - Dbprintf("error in command request"); + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); } return false; @@ -605,7 +606,8 @@ static bool reset(void) { return true; } else { - Dbprintf("error in command request"); + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); } return false; @@ -634,7 +636,8 @@ static bool standard_read(int *now) { return true; } else { - Dbprintf("didn't find a listen window"); + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("didn't find a listen window"); } return false; @@ -667,7 +670,8 @@ static bool selective_read(uint8_t addresses[4]) { return true; } else { - Dbprintf("error in command request"); + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); } return false; @@ -736,7 +740,8 @@ static bool write(uint8_t word[4], uint8_t address) { } } else { - Dbprintf("error in command request"); + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); } return false; @@ -774,7 +779,8 @@ static bool write_password(uint8_t password[4], uint8_t new_password[4]) { } } else { - Dbprintf("error in command request"); + if (DBGLEVEL >= DBG_ERROR) + Dbprintf("error in command request"); } return false; From 171bf6912bfeb405e6fb00aaada5641874008893 Mon Sep 17 00:00:00 2001 From: tharexde Date: Thu, 18 Jun 2020 13:53:25 +0200 Subject: [PATCH 29/51] deleted function msb2lsb --- client/src/cmdlfem4x50.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 6a17796cd..44103da05 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -59,19 +59,6 @@ int usage_lf_em4x50_write_password(void) { return PM3_SUCCESS; } -/* -static uint8_t msb2lsb(uint8_t byte) { - - // convert given byte (msb) into lsb format - - uint8_t tmp = 0; - - for (int i = 0; i < 8; i++) - tmp |= ((byte >> (7-i)) & 1) << i; - - return tmp; -} -*/ static bool check_bit_in_byte(uint8_t pos, uint8_t byte) { // return true if bit at position is "1" From 0840c0d5d1054bcb2c5931eee57b4a145f1cf0f2 Mon Sep 17 00:00:00 2001 From: tharexde Date: Thu, 18 Jun 2020 19:28:44 +0200 Subject: [PATCH 30/51] changed bits[8] to *bits --- armsrc/em4x50.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 692b17419..25e7caf4f 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -102,7 +102,7 @@ static void init_tag(void) { tag.sectors[i][j] = 0x00; } -static uint8_t bits2byte(uint8_t bits[8], int length) { +static uint8_t bits2byte(uint8_t *bits, int length) { // converts separate bits into a single "byte" From d8d56d9e74cbf210ff048df8cda153b6b3dcb949 Mon Sep 17 00:00:00 2001 From: tharexde Date: Fri, 19 Jun 2020 01:19:01 +0200 Subject: [PATCH 31/51] corrected comments used param_gethex(...) and param_getdec(...) instead of scanf and strncpy constructs --- client/src/cmdlfem4x50.c | 124 ++++++++++----------------------------- 1 file changed, 32 insertions(+), 92 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 44103da05..f1ffdf828 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -391,7 +391,6 @@ int CmdEM4x50Info(const char *Cmd) { // decoding is done by the device (not on client side) bool errors = false, verbose = false; - char password[20] = {0x00}, tmpbuff[3]; uint8_t cmdp = 0; em4x50_data_t etd; PacketResponseNG resp; @@ -406,21 +405,11 @@ int CmdEM4x50Info(const char *Cmd) { return usage_lf_em4x50_info(); case 'p': - param_getstr(Cmd, cmdp + 1, password, sizeof(password)); - - // validation - if (strlen(password) != 8) { - - PrintAndLogEx(WARNING, "\n error, password has to be 4 bytes\n"); - errors = true; - break; - } - - // prepare given password + if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } etd.pwd_given = true; - for (int i = 0; i < 4; i++) - sscanf(strncpy(tmpbuff, password+2*i, 2), "%2hhx", &etd.password[i]); - cmdp += 2; break; @@ -437,9 +426,8 @@ int CmdEM4x50Info(const char *Cmd) { } // validation - if (errors) { + if (errors) return usage_lf_em4x50_info(); - } // call info command clearCommandBuffer(); @@ -508,9 +496,7 @@ int CmdEM4x50Write(const char *Cmd) { // envoke writing a single word (32 bit) to a EM4x50 tag - bool errors = false, baddress = false, bword = false; - char password[20] = {0x00}, word[20] = {0x00}, tmpbuff[3]; - int address = 0; + bool errors = false, bword = false, baddr = false; uint8_t cmdp = 0; em4x50_data_t etd; PacketResponseNG resp; @@ -525,57 +511,32 @@ int CmdEM4x50Write(const char *Cmd) { return usage_lf_em4x50_write(); case 'p': - param_getstr(Cmd, cmdp + 1, password, sizeof(password)); - - // validation - if (strlen(password) != 8) { - PrintAndLogEx(WARNING, "\n error, password has to be 4 bytes\n"); - errors = true; - break; - } - - // prepare given password + if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } etd.pwd_given = true; - for (int i = 0; i < 4; i++) - sscanf(strncpy(tmpbuff, password+2*i, 2), "%2hhx", &etd.password[i]); - cmdp += 2; break; case 'w': - param_getstr(Cmd, cmdp + 1, word, sizeof(word)); - - // validation - if (strlen(word) != 8) { - PrintAndLogEx(WARNING, "\n error, word has to be 4 bytes\n"); - errors = true; - break; - } else { - bword = true; + if (param_gethex(Cmd, cmdp + 1, etd.word, 8)) { + PrintAndLogEx(FAILED, "\n word has to be 8 hex symbols\n"); + return PM3_EINVARG; } - - // prepare given word - for (int i = 0; i < 4; i++) - sscanf(strncpy(tmpbuff, word+2*i, 2), "%2hhx", &etd.word[i]); - + bword = true; cmdp += 2; break; case 'a': - param_getstr(Cmd, cmdp + 1, tmpbuff, sizeof(address)); - address = atoi(tmpbuff); - + param_getdec(Cmd, cmdp + 1, &etd.address); + // validation - if (address < 1 || address > 31) { - PrintAndLogEx(WARNING, "\n error, address has to be in range [1-31]\n"); - errors = true; - break; - } else { - baddress = true; + if (etd.address < 1 || etd.address > 31) { + PrintAndLogEx(FAILED, "\n error, address has to be in range [1-31]\n"); + return PM3_EINVARG; } - - etd.address = address; - + baddr = true; cmdp += 2; break; @@ -586,7 +547,7 @@ int CmdEM4x50Write(const char *Cmd) { } } - if (errors || !baddress || !bword) + if (errors || !bword || !baddr) return usage_lf_em4x50_write(); clearCommandBuffer(); @@ -630,8 +591,7 @@ int CmdEM4x50WritePassword(const char *Cmd) { // envokes changing the password of EM4x50 tag - bool errors = false, bpwd = false, bnewpwd = false; - char password[20] = {0x00}, new_password[20] = {0x00}, tmpbuff[3]; + bool errors = false, bpwd = false, bnpwd = false; uint8_t cmdp = 0; em4x50_data_t etd; PacketResponseNG resp; @@ -647,42 +607,22 @@ int CmdEM4x50WritePassword(const char *Cmd) { return usage_lf_em4x50_write_password(); case 'p': - param_getstr(Cmd, cmdp + 1, password, sizeof(password)); - - // validation - if (strlen(password) != 8) { - PrintAndLogEx(WARNING, "\n error, passwords has to be 4 bytes\n"); - errors = true; - break; - } else { - bpwd = true; + if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; } - - // prepare given password + bpwd = true; etd.pwd_given = true; - for (int i = 0; i < 4; i++) - sscanf(strncpy(tmpbuff, password+2*i, 2), "%2hhx", &etd.password[i]); - cmdp += 2; break; case 'n': - param_getstr(Cmd, cmdp + 1, new_password, sizeof(new_password)); - - // validation - if (strlen(new_password) != 8) { - PrintAndLogEx(WARNING, "\n error, passwords have to be 4 bytes\n"); - errors = true; - break; - } else { - bnewpwd = true; - } - - // prepare given password + if (param_gethex(Cmd, cmdp + 1, etd.new_password, 8)) { + PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n"); + return PM3_EINVARG; + } + bnpwd = true; etd.newpwd_given = true; - for (int i = 0; i < 4; i++) - sscanf(strncpy(tmpbuff, new_password+2*i, 2), "%2hhx", &etd.new_password[i]); - cmdp += 2; break; @@ -693,7 +633,7 @@ int CmdEM4x50WritePassword(const char *Cmd) { } } - if (errors || !bpwd || !bnewpwd) + if (errors || !bpwd || !bnpwd) return usage_lf_em4x50_write_password(); clearCommandBuffer(); From 274996da1f5e3820ce3c208cc8769a2f877fc192 Mon Sep 17 00:00:00 2001 From: tharexde Date: Fri, 19 Jun 2020 01:24:57 +0200 Subject: [PATCH 32/51] corrected comments --- armsrc/em4x50.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 25e7caf4f..5071ac085 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -717,7 +717,7 @@ static bool write(uint8_t word[4], uint8_t address) { if (request_receive_mode()) { - // send selective read command + // send write command em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE); // send address data @@ -753,7 +753,7 @@ static bool write_password(uint8_t password[4], uint8_t new_password[4]) { if (request_receive_mode()) { - // send selective read command + // send write password command em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE_PASSWORD); // send address data From 73dfe44c6f531dd94db38bdd40c036c92494214f Mon Sep 17 00:00:00 2001 From: tharexde Date: Fri, 19 Jun 2020 01:39:12 +0200 Subject: [PATCH 33/51] fixed return value bsuccess, which was true although function calls failed --- armsrc/em4x50.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 5071ac085..7b2260ecd 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -791,7 +791,7 @@ void em4x50_write(em4x50_data_t *etd) { // write operation process for EM4x50 tag, // single word is written to given address, verified by selective read operation - bool bsuccess = true, blogin = false; + bool bsuccess = false, blogin = false; uint8_t word[4] = {0x00, 0x00, 0x00, 0x00}; uint8_t addresses[4] = {0x00, 0x00, 0x00, 0x00}; @@ -826,6 +826,7 @@ void em4x50_write(em4x50_data_t *etd) { word[3] = tag.sectors[etd->address][3]; msb2lsb_word(word); + bsuccess = true; for (int i = 0; i < 4; i++) bsuccess &= (word[i] == etd->word[i]) ? true : false; From de20270532c995ecba1ada768be855868b44c220 Mon Sep 17 00:00:00 2001 From: tharexde Date: Sat, 20 Jun 2020 14:32:57 +0200 Subject: [PATCH 34/51] replaced reply_mix(...) by reply_ng(...) --- armsrc/em4x50.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 7b2260ecd..9a3cb818c 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -684,6 +684,7 @@ void em4x50_info(em4x50_data_t *etd) { // otherwise continue without login bool bsuccess = false, blogin = false; + uint8_t status = 0; uint8_t addresses[] = {0x00, 0x00, 0x21, 0x00}; // fwr = 0, lwr = 33 uint8_t password[] = {0x00, 0x00, 0x00, 0x00}; // default password @@ -705,8 +706,10 @@ void em4x50_info(em4x50_data_t *etd) { bsuccess = selective_read(addresses); + status = (bsuccess << 1) + blogin; + lf_finalize(); - reply_mix(CMD_ACK, bsuccess, blogin, 0, (uint8_t *)tag.sectors, 238); + reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238); } // write functions @@ -792,6 +795,7 @@ void em4x50_write(em4x50_data_t *etd) { // single word is written to given address, verified by selective read operation bool bsuccess = false, blogin = false; + uint8_t status = 0; uint8_t word[4] = {0x00, 0x00, 0x00, 0x00}; uint8_t addresses[4] = {0x00, 0x00, 0x00, 0x00}; @@ -834,8 +838,10 @@ void em4x50_write(em4x50_data_t *etd) { } } + status = (bsuccess << 1) + blogin; + lf_finalize(); - reply_mix(CMD_ACK, bsuccess, blogin, 0, (uint8_t *)tag.sectors, 238); + reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238); } void em4x50_write_password(em4x50_data_t *etd) { @@ -853,5 +859,5 @@ void em4x50_write_password(em4x50_data_t *etd) { } lf_finalize(); - reply_mix(CMD_ACK, bsuccess, 0, 0, 0, 0); + reply_ng(CMD_ACK, bsuccess, 0, 0); } From 9e2e1db6e10edc942b218b8088e62f07facaa783 Mon Sep 17 00:00:00 2001 From: tharexde Date: Sat, 20 Jun 2020 14:33:49 +0200 Subject: [PATCH 35/51] changes due to replaced reply command (reply_mix(...) -> reply_ng(...)) --- client/src/cmdlfem4x50.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index f1ffdf828..ad874618c 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -233,8 +233,8 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, // display all information info result in structured format bool bpwd_given = etd->pwd_given; - bool bsuccess = (bool)resp->oldarg[0]; - bool blogin = (bool)resp->oldarg[1]; + bool bsuccess = (bool)(resp->status & 0x2); + bool blogin = (bool)(resp->status & 0x1); bool bpwc, braw; int fwr, lwr, fwrp, lwrp, fwwi, lwwi; uint8_t *data = resp->data.asBytes; @@ -390,7 +390,7 @@ int CmdEM4x50Info(const char *Cmd) { // envoke reading of a EM4x50 tag which has to be on the antenna because // decoding is done by the device (not on client side) - bool errors = false, verbose = false; + bool errors = false, verbose = false, success = false; uint8_t cmdp = 0; em4x50_data_t etd; PacketResponseNG resp; @@ -440,10 +440,11 @@ int CmdEM4x50Info(const char *Cmd) { return PM3_ETIMEOUT; } - // prepare result + // print result print_info_result(&resp, &etd, verbose); - - return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; + + success = resp.status & 0x2; + return (success) ? PM3_SUCCESS : PM3_ESOFT; } static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) { @@ -451,8 +452,8 @@ static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) // display result of writing operation in structured format bool pwd_given = etd->pwd_given; - bool success = (bool)resp->oldarg[0]; - bool login = (bool)resp->oldarg[1]; + bool success = (bool)(resp->status & 0x2); + bool login = (bool)(resp->status & 0x1); uint8_t *data = resp->data.asBytes; char string[400] = {0}; char pstring[100] = {0}; @@ -496,7 +497,7 @@ int CmdEM4x50Write(const char *Cmd) { // envoke writing a single word (32 bit) to a EM4x50 tag - bool errors = false, bword = false, baddr = false; + bool errors = false, bword = false, baddr = false, success = false; uint8_t cmdp = 0; em4x50_data_t etd; PacketResponseNG resp; @@ -562,14 +563,15 @@ int CmdEM4x50Write(const char *Cmd) { // get, prepare and print response print_write_result(&resp, &etd); - return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; + success = (bool)(resp.status & 0x2); + return (success) ? PM3_SUCCESS : PM3_ESOFT; } static void print_write_password_result(PacketResponseNG *resp, const em4x50_data_t *etd) { // display result of password changing operation - bool success = (bool)resp->oldarg[0]; + bool success = (bool)resp->status; char string[400] = {0}; char pstring[100] = {0}; @@ -647,5 +649,5 @@ int CmdEM4x50WritePassword(const char *Cmd) { // get, prepare and print response print_write_password_result(&resp, &etd); - return ((bool)resp.oldarg[0]) ? PM3_SUCCESS : PM3_ESOFT; + return ((bool)resp.status) ? PM3_SUCCESS : PM3_ESOFT; } From dc698808017d1130fafb284a08722a13eb06f856 Mon Sep 17 00:00:00 2001 From: tharexde Date: Sat, 20 Jun 2020 14:44:24 +0200 Subject: [PATCH 36/51] minor text and color changes --- client/src/cmdlfem4x50.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index ad874618c..5f796a5e3 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -214,11 +214,11 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) { strcat(string, pstring); } - sprintf(pstring, "\n word[%i] lsb: " _GREEN_("0x"), i); + sprintf(pstring, "\n word[%i] lsb: 0x", i); strcat(string, pstring); for (int j = 0; j < 4; j++) { - sprintf(pstring, _GREEN_("%02x"), reflect8(words[i].byte[3-j])); + sprintf(pstring, "%02x", reflect8(words[i].byte[3-j])); strcat(string, pstring); } @@ -346,14 +346,14 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, } else { - sprintf(pstring, _GREEN_("successful ")); + sprintf(pstring, _GREEN_("ok ")); strcat(string, pstring); if (blogin) { if (bpwd_given) { - sprintf(pstring, "(login with 0x%02x%02x%02x%02x)", + sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)", etd->password[0], etd->password[1], etd->password[2], etd->password[3]); strcat(string, pstring); @@ -469,13 +469,13 @@ static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) prepare_result(data, etd->address, etd->address, &word[0]); print_result(word, etd->address, etd->address); - sprintf(pstring, "\n writing " _GREEN_("successful ")); + sprintf(pstring, "\n writing " _GREEN_("ok ")); strcat(string, pstring); if (pwd_given) { if (login) { - sprintf(pstring, "(login with 0x%02x%02x%02x%02x)", + sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)", etd->password[0], etd->password[1], etd->password[2], etd->password[3]); strcat(string, pstring); @@ -582,7 +582,7 @@ static void print_write_password_result(PacketResponseNG *resp, const em4x50_dat } else { - sprintf(pstring, "\n writing new password " _GREEN_("successful")); + sprintf(pstring, "\n writing new password " _GREEN_("ok")); strcat(string, pstring); } From d38711aea69199081b13ed9f613afa317bee3f0a Mon Sep 17 00:00:00 2001 From: tharexde Date: Sat, 20 Jun 2020 15:37:56 +0200 Subject: [PATCH 37/51] added cmdlfem4x50.c --- client/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index 0de34d58f..16860aeae 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -214,6 +214,7 @@ set (TARGET_SOURCES ${PM3_ROOT}/client/src/cmdlfawid.c ${PM3_ROOT}/client/src/cmdlfcotag.c ${PM3_ROOT}/client/src/cmdlfem4x.c + ${PM3_ROOT}/client/src/cmdlfem4x50.c ${PM3_ROOT}/client/src/cmdlffdx.c ${PM3_ROOT}/client/src/cmdlfgallagher.c ${PM3_ROOT}/client/src/cmdlfguard.c From 26b7c667b718b834c42f123f6efc5c7978153dd5 Mon Sep 17 00:00:00 2001 From: tharexde Date: Sat, 20 Jun 2020 18:38:44 +0200 Subject: [PATCH 38/51] deleted function check_bit_in_byte(...) -> overhead --- client/src/cmdlfem4x50.c | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 5f796a5e3..6b889f969 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -59,13 +59,6 @@ int usage_lf_em4x50_write_password(void) { return PM3_SUCCESS; } -static bool check_bit_in_byte(uint8_t pos, uint8_t byte) { - - // return true if bit at position is "1" - - return (((byte >> pos) & 1) == 1) ? true : false; -} - static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) { // restructure received result in "em4x50_word_t" structure and check all @@ -244,14 +237,14 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, prepare_result(data, 0, 33, words); - bpwc = check_bit_in_byte(7, words[2].byte[2]); // password check - braw = check_bit_in_byte(6, words[2].byte[2]); // read after write - fwr = reflect8(words[2].byte[0]); // first word read - lwr = reflect8(words[2].byte[1]); // last word read - fwrp = reflect8(words[1].byte[0]); // first word read protected - lwrp = reflect8(words[1].byte[1]); // last word read protected - fwwi = reflect8(words[1].byte[2]); // first word write inhibited - lwwi = reflect8(words[1].byte[3]); // last word write inhibited + bpwc = (bool)(words[2].byte[2] & 128); // password check (bit 7) + braw = (bool)(words[2].byte[2] & 64); // read after write (bit 6) + fwr = reflect8(words[2].byte[0]); // first word read + lwr = reflect8(words[2].byte[1]); // last word read + fwrp = reflect8(words[1].byte[0]); // first word read protected + lwrp = reflect8(words[1].byte[1]); // last word read protected + fwwi = reflect8(words[1].byte[2]); // first word write inhibited + lwwi = reflect8(words[1].byte[3]); // last word write inhibited // data section PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:")); From 1a9ca5a1e34fcbee291bfadd2a660e7ac7ae5ac8 Mon Sep 17 00:00:00 2001 From: tharexde Date: Sun, 21 Jun 2020 01:09:47 +0200 Subject: [PATCH 39/51] former hardcoded signal properties (high, low) are now set dynamically by functionalists get_signalproperties(...) --- armsrc/em4x50.c | 66 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 57 insertions(+), 9 deletions(-) diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c index 9a3cb818c..b9295e9ed 100644 --- a/armsrc/em4x50.c +++ b/armsrc/em4x50.c @@ -91,6 +91,9 @@ static em4x50_tag_t tag = { #define FPGA_TIMER_0 0 +int gHigh = 0; +int gLow = 0; + // auxiliary functions static void init_tag(void) { @@ -234,6 +237,45 @@ static void em4x50_setup_read(void) { // functions for "reader" use case +static void get_signalproperties(void) { + + // calculate signal properties (mean amplitudes) from measured data: + // 32 amplitudes (maximum values) -> mean amplitude value -> gHigh -> gLow + + int no_periods = 32, pct = 75, noise = 140; + uint8_t sample = 0, sample_ref = 127; + uint8_t sample_max_mean = 0; + uint8_t sample_max[no_periods]; + uint32_t sample_max_sum = 0; + + // wait until signal/noise > 1 + while (AT91C_BASE_SSC->SSC_RHR < noise); + + // calculate mean maximum value of 32 periods, each period has a length of + // 3 single "full periods" to eliminate the influence of a listen window + for (int i = 0; i < no_periods; i++) { + + AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG; + while (AT91C_BASE_TC0->TC_CV < T0 * 3 * EM4X50_T_TAG_FULL_PERIOD) { + + sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; + + if (sample > sample_max[i]) + sample_max[i] = sample; + + } + + sample_max_sum += sample_max[i]; + } + + sample_max_mean = sample_max_sum / no_periods; + + // set global envelope variables + gHigh = sample_ref + pct * (sample_max_mean - sample_ref) / 100; + gLow = sample_ref - pct * (sample_max_mean - sample_ref) / 100; + +} + static int get_next_bit(void) { // returns bit value (or EM4X50_BIT_OTHER -> no bit pattern) by evaluating @@ -242,8 +284,6 @@ static int get_next_bit(void) { // a listen window (return value = EM4X50_BIT_OTHER) in functions // "find_double_listen_window" and "check_ack" - int dhigh = 230; // 90% of maximum sample value (255) - int dlow = 25; // 10% of maximum sample value (255) uint8_t sample; // get sample at 3/4 of bit period @@ -254,9 +294,9 @@ static int get_next_bit(void) { wait_timer(0, T0 * EM4X50_T_TAG_QUARTER_PERIOD); // decide wether "0" or "1" - if (sample > dhigh) + if (sample > gHigh) return EM4X50_BIT_0; - else if (sample < dlow) + else if (sample < gLow) return EM4X50_BIT_1; return EM4X50_BIT_OTHER; @@ -266,19 +306,19 @@ static uint32_t get_pulse_length(void) { // iterates pulse length (low -> high -> low) - uint8_t sample = 0, high = 192, low = 64; + uint8_t sample = 0; sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - while (sample > low) + while (sample > gLow) sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG; - while (sample < high) + while (sample < gHigh) sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; - while (sample > low) + while (sample > gLow) sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR; return (uint32_t)AT91C_BASE_TC1->TC_CV; @@ -690,8 +730,10 @@ void em4x50_info(em4x50_data_t *etd) { init_tag(); em4x50_setup_read(); - + // set gHigh and gLow + get_signalproperties(); + if (etd->pwd_given) { // try to login with given password @@ -802,6 +844,9 @@ void em4x50_write(em4x50_data_t *etd) { init_tag(); em4x50_setup_read(); + // set gHigh and gLow + get_signalproperties(); + // reorder word according to datasheet msb2lsb_word(etd->word); @@ -852,6 +897,9 @@ void em4x50_write_password(em4x50_data_t *etd) { init_tag(); em4x50_setup_read(); + + // set gHigh and gLow + get_signalproperties(); // login and change password if (login(etd->password)) { From 99734474fb5236ca4ba0da7379101b6481ae46c1 Mon Sep 17 00:00:00 2001 From: Aram Verstegen Date: Mon, 22 Jun 2020 22:34:05 +0200 Subject: [PATCH 40/51] Little optimization for hitag2hell attack --- tools/hitag2crack/crack5/ht2crack5.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/tools/hitag2crack/crack5/ht2crack5.c b/tools/hitag2crack/crack5/ht2crack5.c index a92afc854..196f16420 100644 --- a/tools/hitag2crack/crack5/ht2crack5.c +++ b/tools/hitag2crack/crack5/ht2crack5.c @@ -330,7 +330,6 @@ static void *find_state(void *thread_d) { const bitslice_value_t filter4 = f_c_bs(filter4_0, filter4_1, filter4_2, filter4_3, filter4_4); bitslice_t results4; results4.value = results3.value & (filter4 ^ keystream[4].value); - if (results4.bytes64[0] == 0 && results4.bytes64[1] == 0 && results4.bytes64[2] == 0 @@ -339,7 +338,9 @@ static void *find_state(void *thread_d) { continue; } + state[-2 + 56].value = lfsr_bs(8); const bitslice_value_t filter5_3 = f_b_bs(state[-2 + 33].value, state[-2 + 34].value, state[-2 + 36].value, state[-2 + 38].value); + const bitslice_value_t filter10_4 = f_a_bs(state[-2 + 44].value, state[-2 + 53].value, state[-2 + 54].value, state[-2 + 56].value); const bitslice_value_t filter12_2 = f_b_bs(state[-2 + 29].value, state[-2 + 33].value, state[-2 + 35].value, state[-2 + 38].value); for (uint8_t i5 = 0; i5 < (1 << bits[5]); i5++) { @@ -358,8 +359,9 @@ static void *find_state(void *thread_d) { continue; } + state[-2 + 57].value = lfsr_bs(9); const bitslice_value_t filter6_3 = f_b_bs(state[-2 + 34].value, state[-2 + 35].value, state[-2 + 37].value, state[-2 + 39].value); - + const bitslice_value_t filter11_4 = f_a_bs(state[-2 + 45].value, state[-2 + 54].value, state[-2 + 55].value, state[-2 + 57].value); for (uint8_t i6 = 0; i6 < (1 << bits[6]); i6++) { state[-2 + 40].value = ((bool)(i6 & 0x1)) ? bs_ones.value : bs_zeroes.value; // 0xffe7ffffffff @@ -376,8 +378,9 @@ static void *find_state(void *thread_d) { continue; } + state[-2 + 58].value = lfsr_bs(10); const bitslice_value_t filter7_3 = f_b_bs(state[-2 + 35].value, state[-2 + 36].value, state[-2 + 38].value, state[-2 + 40].value); - + const bitslice_value_t filter12_4 = f_a_bs(state[-2 + 46].value, state[-2 + 55].value, state[-2 + 56].value, state[-2 + 58].value); for (uint8_t i7 = 0; i7 < (1 << bits[7]); i7++) { state[-2 + 41].value = ((bool)(i7 & 0x1)) ? bs_ones.value : bs_zeroes.value; // 0xfff7ffffffff @@ -393,16 +396,14 @@ static void *find_state(void *thread_d) { continue; } + state[-2 + 59].value = lfsr_bs(11); const bitslice_value_t filter8_3 = f_b_bs(state[-2 + 36].value, state[-2 + 37].value, state[-2 + 39].value, state[-2 + 41].value); const bitslice_value_t filter10_3 = f_b_bs(state[-2 + 38].value, state[-2 + 39].value, state[-2 + 41].value, state[-2 + 43].value); const bitslice_value_t filter12_3 = f_b_bs(state[-2 + 40].value, state[-2 + 41].value, state[-2 + 43].value, state[-2 + 45].value); - for (uint8_t i8 = 0; i8 < (1 << bits[8]); i8++) { state[-2 + 42].value = ((bool)(i8 & 0x1)) ? bs_ones.value : bs_zeroes.value; // 0xffffffffffff const bitslice_value_t filter8_4 = f_a_bs(state[-2 + 42].value, state[-2 + 51].value, state[-2 + 52].value, state[-2 + 54].value); - const bitslice_value_t filter9_3 = f_b_bs(state[-2 + 37].value, state[-2 + 38].value, state[-2 + 40].value, state[-2 + 42].value); - const bitslice_value_t filter11_3 = f_b_bs(state[-2 + 39].value, state[-2 + 40].value, state[-2 + 42].value, state[-2 + 44].value); const bitslice_value_t filter8 = f_c_bs(filter8_0, filter8_1, filter8_2, filter8_3, filter8_4); bitslice_t results8; results8.value = results7.value & (filter8 ^ keystream[8].value); @@ -415,6 +416,7 @@ static void *find_state(void *thread_d) { continue; } + const bitslice_value_t filter9_3 = f_b_bs(state[-2 + 37].value, state[-2 + 38].value, state[-2 + 40].value, state[-2 + 42].value); const bitslice_value_t filter9 = f_c_bs(filter9_0, filter9_1, filter9_2, filter9_3, filter9_4); results8.value &= (filter9 ^ keystream[9].value); @@ -425,8 +427,7 @@ static void *find_state(void *thread_d) { ) { continue; } - state[-2 + 56].value = lfsr_bs(8); - const bitslice_value_t filter10_4 = f_a_bs(state[-2 + 44].value, state[-2 + 53].value, state[-2 + 54].value, state[-2 + 56].value); + const bitslice_value_t filter10 = f_c_bs(filter10_0, filter10_1, filter10_2, filter10_3, filter10_4); results8.value &= (filter10 ^ keystream[10].value); @@ -438,8 +439,7 @@ static void *find_state(void *thread_d) { continue; } - state[-2 + 57].value = lfsr_bs(9); - const bitslice_value_t filter11_4 = f_a_bs(state[-2 + 45].value, state[-2 + 54].value, state[-2 + 55].value, state[-2 + 57].value); + const bitslice_value_t filter11_3 = f_b_bs(state[-2 + 39].value, state[-2 + 40].value, state[-2 + 42].value, state[-2 + 44].value); const bitslice_value_t filter11 = f_c_bs(filter11_0, filter11_1, filter11_2, filter11_3, filter11_4); results8.value &= (filter11 ^ keystream[11].value); @@ -451,8 +451,6 @@ static void *find_state(void *thread_d) { continue; } - state[-2 + 58].value = lfsr_bs(10); - const bitslice_value_t filter12_4 = f_a_bs(state[-2 + 46].value, state[-2 + 55].value, state[-2 + 56].value, state[-2 + 58].value); const bitslice_value_t filter12 = f_c_bs(filter12_0, filter12_1, filter12_2, filter12_3, filter12_4); results8.value &= (filter12 ^ keystream[12].value); @@ -464,7 +462,6 @@ static void *find_state(void *thread_d) { continue; } - state[-2 + 59].value = lfsr_bs(11); const bitslice_value_t filter13_0 = f_a_bs(state[-2 + 15].value, state[-2 + 16].value, state[-2 + 18].value, state[-2 + 19].value); const bitslice_value_t filter13_1 = f_b_bs(state[-2 + 21].value, state[-2 + 25].value, state[-2 + 27].value, state[-2 + 28].value); const bitslice_value_t filter13_2 = f_b_bs(state[-2 + 30].value, state[-2 + 34].value, state[-2 + 36].value, state[-2 + 39].value); From 3b7d654553cd63a29c1aa235c85342c7e5cbc2e5 Mon Sep 17 00:00:00 2001 From: tharexde Date: Tue, 23 Jun 2020 00:36:19 +0200 Subject: [PATCH 41/51] increased readability by introducing defines --- client/src/cmdlfem4x50.c | 107 +++++++++++++++++++++++---------------- 1 file changed, 62 insertions(+), 45 deletions(-) diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c index 6b889f969..1f4420c5b 100644 --- a/client/src/cmdlfem4x50.c +++ b/client/src/cmdlfem4x50.c @@ -15,9 +15,32 @@ #include "commonutil.h" #include "em4x50.h" -#define EM4x50_FCT_STDREAD 0 -#define EM4x50_FCT_LOGIN 1 -#define EM4x50_FCT_WRITE 2 +#define EM4X50_NO_WORDS 34 + +// special words +#define EM4X50_DEVICE_PASSWORD 0 +#define EM4X50_PROTECTION 1 +#define EM4X50_CONTROL 2 +#define EM4X50_DEVICE_SERIAL 32 +#define EM4X50_DEVICE_ID 33 + +// control word (word = 4 bytes) +#define FIRST_WORD_READ 0 // first byte +#define LAST_WORD_READ 1 // second byte +#define CONFIG_BLOCK 2 // third byte +#define PASSWORD_CHECK 0x80 // first bit in third byte +#define READ_AFTER_WRITE 0x40 // second bit in third byte + +// protection word +#define FIRST_WORD_READ_PROTECTED 0 // first byte +#define LAST_WORD_READ_PROTECTED 1 // second byte +#define FIRST_WORD_WRITE_INHIBITED 2 // third byte +#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte + +// misc +#define STATUS_SUCCESS 0x2 +#define STATUS_LOGIN 0x1 +#define NO_CHARS_MAX 400 int usage_lf_em4x50_info(void) { PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna."); @@ -124,8 +147,7 @@ static void print_bit_table(const em4x50_word_t word) { // individual parity errors will be highlighted in red int bit = 0; - char string[400] = {0}; - char pstring[100] = {0}; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; // print binary data for (int j = 0; j < 4; j++) { @@ -187,8 +209,7 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) { // print available information for given word from fwr to lwr, i.e. // bit table + summary lines with hex notation of word (msb + lsb) - char string[400] = {0}; - char pstring[100] = {0}; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; for (int i = fwr; i <= lwr; i++) { @@ -223,28 +244,26 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) { static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bool bverbose) { - // display all information info result in structured format - - bool bpwd_given = etd->pwd_given; - bool bsuccess = (bool)(resp->status & 0x2); - bool blogin = (bool)(resp->status & 0x1); - bool bpwc, braw; - int fwr, lwr, fwrp, lwrp, fwwi, lwwi; + // display all information of info result in structured format + uint8_t *data = resp->data.asBytes; - em4x50_word_t words[34]; - char pstring[100] = {0}; - char string[200] = {0}; + em4x50_word_t words[EM4X50_NO_WORDS]; + char pstring[NO_CHARS_MAX] = {0}, string[NO_CHARS_MAX] = {0}; - prepare_result(data, 0, 33, words); + bool bpwd_given = etd->pwd_given; + bool bsuccess = resp->status & STATUS_SUCCESS; + bool blogin = resp->status & STATUS_LOGIN; - bpwc = (bool)(words[2].byte[2] & 128); // password check (bit 7) - braw = (bool)(words[2].byte[2] & 64); // read after write (bit 6) - fwr = reflect8(words[2].byte[0]); // first word read - lwr = reflect8(words[2].byte[1]); // last word read - fwrp = reflect8(words[1].byte[0]); // first word read protected - lwrp = reflect8(words[1].byte[1]); // last word read protected - fwwi = reflect8(words[1].byte[2]); // first word write inhibited - lwwi = reflect8(words[1].byte[3]); // last word write inhibited + prepare_result(data, 0, EM4X50_NO_WORDS - 1, words); + + bool bpwc = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & PASSWORD_CHECK; + bool braw = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & READ_AFTER_WRITE; + int fwr = reflect8(words[EM4X50_CONTROL].byte[FIRST_WORD_READ]); + int lwr = reflect8(words[EM4X50_CONTROL].byte[LAST_WORD_READ]); + int fwrp = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_READ_PROTECTED]); + int lwrp = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_READ_PROTECTED]); + int fwwi = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_WRITE_INHIBITED]); + int lwwi = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_WRITE_INHIBITED]); // data section PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:")); @@ -252,12 +271,12 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, if (bverbose) { // detailed data section - print_result(words, 0, 33); + print_result(words, 0, EM4X50_NO_WORDS - 1); } else { // condensed data section - for (int i = 0; i <= 33; i++) { + for (int i = 0; i < EM4X50_NO_WORDS; i++) { sprintf(pstring, " word[%2i]: ", i); strcat(string, pstring); @@ -268,19 +287,19 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, } switch(i) { - case 0: + case EM4X50_DEVICE_PASSWORD: sprintf(pstring, _YELLOW_(" password, write only")); break; - case 1: + case EM4X50_PROTECTION: sprintf(pstring, _YELLOW_(" protection word, write inhibited")); break; - case 2: + case EM4X50_CONTROL: sprintf(pstring, _YELLOW_(" control word, write inhibited")); break; - case 32: + case EM4X50_DEVICE_SERIAL: sprintf(pstring, _YELLOW_(" device serial number, read only")); break; - case 33: + case EM4X50_DEVICE_ID: sprintf(pstring, _YELLOW_(" device identification, read only")); break; default: @@ -436,7 +455,7 @@ int CmdEM4x50Info(const char *Cmd) { // print result print_info_result(&resp, &etd, verbose); - success = resp.status & 0x2; + success = resp.status & STATUS_SUCCESS; return (success) ? PM3_SUCCESS : PM3_ESOFT; } @@ -445,12 +464,11 @@ static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) // display result of writing operation in structured format bool pwd_given = etd->pwd_given; - bool success = (bool)(resp->status & 0x2); - bool login = (bool)(resp->status & 0x1); + bool success = resp->status & STATUS_SUCCESS; + bool login = resp->status & STATUS_LOGIN; uint8_t *data = resp->data.asBytes; - char string[400] = {0}; - char pstring[100] = {0}; - em4x50_word_t word[1]; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; + em4x50_word_t word; if (!success) { @@ -459,8 +477,8 @@ static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) } else { - prepare_result(data, etd->address, etd->address, &word[0]); - print_result(word, etd->address, etd->address); + prepare_result(data, etd->address, etd->address, &word); + print_result(&word, etd->address, etd->address); sprintf(pstring, "\n writing " _GREEN_("ok ")); strcat(string, pstring); @@ -556,7 +574,7 @@ int CmdEM4x50Write(const char *Cmd) { // get, prepare and print response print_write_result(&resp, &etd); - success = (bool)(resp.status & 0x2); + success = resp.status & STATUS_SUCCESS; return (success) ? PM3_SUCCESS : PM3_ESOFT; } @@ -564,9 +582,8 @@ static void print_write_password_result(PacketResponseNG *resp, const em4x50_dat // display result of password changing operation - bool success = (bool)resp->status; - char string[400] = {0}; - char pstring[100] = {0}; + bool success = resp->status; + char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0}; if (!success) { From c551800b0f0e17991fa4aa0955c21668abf278aa Mon Sep 17 00:00:00 2001 From: Monster Date: Tue, 23 Jun 2020 10:34:00 +0300 Subject: [PATCH 42/51] build fix after changes for lf_em4100rswb build fix after changes for lf_em4100rswb --- armsrc/Standalone/lf_em4100rswb.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/armsrc/Standalone/lf_em4100rswb.c b/armsrc/Standalone/lf_em4100rswb.c index dd9fafd6a..14bab8357 100644 --- a/armsrc/Standalone/lf_em4100rswb.c +++ b/armsrc/Standalone/lf_em4100rswb.c @@ -39,7 +39,6 @@ #include "proxmark3_arm.h" #include "appmain.h" #include "fpgaloader.h" -#include "lfops.h" #include "util.h" #include "dbprint.h" #include "ticks.h" @@ -48,6 +47,7 @@ #include "spiffs.h" #include "inttypes.h" #include "parity.h" +#include "lfops.h" #ifdef WITH_FLASH #include "flashmem.h" @@ -68,16 +68,16 @@ // Predefined bruteforce speed // avg: 1s, 1.2s, 1.5s, 2s -int bruteforceSpeedCurrent = 1; -int bruteforceSpeed[] = {10, 12, 14, 16}; +static int bruteforceSpeedCurrent = 1; +static int bruteforceSpeed[] = {10, 12, 14, 16}; // low & high - array for storage IDs. Its length must be equal. // Predefined IDs must be stored in low[]. // In high[] must be nulls -uint64_t low[] = {0, 0, 0, 0}; -uint32_t high[] = {0, 0, 0, 0}; -uint8_t *bba; -int buflen; +static uint64_t low[] = {0, 0, 0, 0}; +static uint32_t high[] = {0, 0, 0, 0}; +static uint8_t *bba; +static int buflen; void ModInfo(void) { DbpString(" LF EM4100 read/sim/write/brute mode"); @@ -205,7 +205,7 @@ static void PrintFcAndCardNum(uint64_t lowData) { Dbprintf("[=] READ TAG ID: %"PRIx64" - FC: %u - Card: %u", lowData, fc, cardnum); } -static int ButeEMTag(uint64_t originalCard, int slot) { +static int BruteEMTag(uint64_t originalCard, int slot) { int speed_count = 4; int direction = 1; @@ -256,7 +256,7 @@ static int ExecuteMode(int mode, int slot) { //default first mode is simulate case LF_RWSB_MODE_READ: Dbprintf("[=] >> Read mode started <<"); - CmdEM410xdemod(1, &high[slot], &low[slot], 0); + lf_em410x_watch(1, &high[slot], &low[slot]); LED_Update(mode, slot); Dbprintf("[=] >> Tag found. Saving. <<"); FlashLEDs(100, 5); @@ -272,11 +272,11 @@ static int ExecuteMode(int mode, int slot) { return LF_RWSB_UNKNOWN_RESULT; case LF_RWSB_MODE_WRITE: Dbprintf("[!!] >> Write mode started <<"); - WriteEM410x(LF_RWSB_T55XX_TYPE, (uint32_t)(low[slot] >> 32), (uint32_t)(low[slot] & 0xffffffff)); + copy_em410x_to_t55xx(LF_RWSB_T55XX_TYPE, LF_CLOCK, (uint32_t)(low[slot] >> 32), (uint32_t)(low[slot] & 0xffffffff)); return LF_RWSB_UNKNOWN_RESULT; case LF_RWSB_MODE_BRUTE: Dbprintf("[=] >> Bruteforce mode started <<"); - return ButeEMTag(low[slot], slot); + return BruteEMTag(low[slot], slot); } return LF_RWSB_UNKNOWN_RESULT; } From e79537ba4690e36d707da52c1420f3cd0d00b880 Mon Sep 17 00:00:00 2001 From: Philippe Teuwen Date: Tue, 23 Jun 2020 10:12:36 +0200 Subject: [PATCH 43/51] cmake tuning --- client/CMakeLists.txt | 41 +++++++++++++++++-------- doc/md/Development/Makefile-vs-CMake.md | 4 +-- 2 files changed, 31 insertions(+), 14 deletions(-) diff --git a/client/CMakeLists.txt b/client/CMakeLists.txt index 2850053e6..565bfba14 100644 --- a/client/CMakeLists.txt +++ b/client/CMakeLists.txt @@ -63,18 +63,23 @@ if (NOT SKIPPYTHON EQUAL 1) pkg_search_module(PYTHON3EMBED QUIET python3-embed) endif (NOT SKIPPYTHON EQUAL 1) -# If build on android cross, we need to init source and build. -if (ANDROID) +# If cross-compiled, we need to init source and build. +if (CMAKE_TOOLCHAIN_FILE) set(CFLAGS_EXTERNAL_LIB "CFLAGS=--target=${CMAKE_C_COMPILER_TARGET} -w") + set(EMBED_READLINE ON) + set(EMBED_BZIP2 ON) +endif (CMAKE_TOOLCHAIN_FILE) + +if (EMBED_READLINE OR EMBED_BZIP2) include(ExternalProject) -endif (ANDROID) +endif (EMBED_READLINE OR EMBED_BZIP2) if (NOT SKIPREADLINE EQUAL 1) if (APPLE) find_path(READLINE_INCLUDE_DIRS readline/readline.h /usr/local/opt/readline/include /opt/local/include /opt/include /usr/local/include /usr/include NO_DEFAULT_PATH) find_library(READLINE_LIBRARIES readline /usr/local/opt/readline/lib /opt/local/lib /opt/lib /usr/local/lib /usr/lib NO_DEFAULT_PATH) endif (APPLE) - if (ANDROID) + if (EMBED_READLINE) ExternalProject_Add(ncurses URL http://ftp.gnu.org/pub/gnu/ncurses/ncurses-6.0.tar.gz PREFIX deps/ncurses @@ -100,10 +105,10 @@ if (NOT SKIPREADLINE EQUAL 1) ExternalProject_Add_StepTargets(readline configure build install) set(READLINE_INCLUDE_DIRS ${CMAKE_CURRENT_BINARY_DIR}/deps/readline/src/) set(READLINE_LIBRARIES ${CMAKE_CURRENT_BINARY_DIR}/deps/readline/src/readline/libreadline.a ${CMAKE_CURRENT_BINARY_DIR}/deps/ncurses/src/ncurses/lib/libtinfo.a) - else (ANDROID) + else (EMBED_READLINE) find_path(READLINE_INCLUDE_DIRS readline/readline.h) find_library(READLINE_LIBRARIES readline) - endif (ANDROID) + endif (EMBED_READLINE) if (READLINE_INCLUDE_DIRS AND READLINE_LIBRARIES) set(READLINE_FOUND ON) endif (READLINE_INCLUDE_DIRS AND READLINE_LIBRARIES) @@ -122,7 +127,7 @@ if (NOT SKIPJANSSONSYSTEM EQUAL 1) endif (JANSSON_INCLUDE_DIRS AND JANSSON_LIBRARIES) endif (NOT SKIPJANSSONSYSTEM EQUAL 1) -if(ANDROID) +if(EMBED_BZIP2) set(BZIP2_BUILD_DIR ${CMAKE_CURRENT_BINARY_DIR}/deps/bzip2/src/bzip2) ExternalProject_Add(bzip2 GIT_REPOSITORY https://android.googlesource.com/platform/external/bzip2 @@ -139,9 +144,9 @@ if(ANDROID) set(BZIP2_INCLUDE_DIRS ${CMAKE_CURRENT_BINARY_DIR}/deps/bzip2/src/bzip2) set(BZIP2_LIBRARIES ${CMAKE_CURRENT_BINARY_DIR}/deps/bzip2/src/bzip2/libbz2.a) set(BZIP2_FOUND ON) -else() +else(EMBED_BZIP2) find_package (BZip2 REQUIRED) -endif(ANDROID) +endif(EMBED_BZIP2) if (NOT SKIPWHEREAMISYSTEM EQUAL 1) find_path(WHEREAMI_INCLUDE_DIRS whereami.h) @@ -393,6 +398,12 @@ else (SKIPBT EQUAL 1) endif (BLUEZ_FOUND) endif(SKIPBT EQUAL 1) +if (EMBED_BZIP2) + message("Bzip2 library: embedded") +else (EMBED_BZIP2) + message("Bzip2 library: system library found") +endif (EMBED_BZIP2) + if (SKIPJANSSONSYSTEM EQUAL 1) message("Jansson library: local library forced") else (SKIPJANSSONSYSTEM EQUAL 1) @@ -419,7 +430,11 @@ if (SKIPREADLINE EQUAL 1) message("Readline library: skipped") else (SKIPREADLINE EQUAL 1) if (READLINE_FOUND) - message("Readline library: enabled") + if (EMBED_READLINE) + message("Readline library: embedded") + else (EMBED_READLINE) + message("Readline library: system library found") + endif (EMBED_READLINE) else (READLINE_FOUND) message("Readline library: Readline not found, disabled") endif (READLINE_FOUND) @@ -443,12 +458,14 @@ add_executable(proxmark3 ) target_compile_options(proxmark3 PUBLIC -Wall -Werror -O3) -if (ANDROID) +if (EMBED_READLINE) if (NOT SKIPREADLINE EQUAL 1) add_dependencies(proxmark3 ncurses readline) endif (NOT SKIPREADLINE EQUAL 1) +endif (EMBED_READLINE) +if (EMBED_BZIP2) add_dependencies(proxmark3 bzip2) -endif (ANDROID) +endif (EMBED_BZIP2) if (MINGW) # Mingw uses by default Microsoft printf, we want the GNU printf (e.g. for %z) diff --git a/doc/md/Development/Makefile-vs-CMake.md b/doc/md/Development/Makefile-vs-CMake.md index 98a7b0dde..649b9beaa 100644 --- a/doc/md/Development/Makefile-vs-CMake.md +++ b/doc/md/Development/Makefile-vs-CMake.md @@ -26,7 +26,7 @@ At the moment both are maintained because they don't perfectly overlap yet. | bluez detection | pc | pkg_search_module | | | `SKIPBT` | yes | yes | | | dep bzip2 | sys | sys | | -| bzip2 detection | **none** | find_package, Android:gitclone | | +| bzip2 detection | **none** | find_package, Cross:gitclone | | | dep cliparser | in_deps | in_deps | | | dep hardnested | in_deps | in_deps | | | hardn arch autodetect | `uname -m` =? 86 or amd64; `$(CC) -E -mavx512f`? +AVX512` | `CMAKE_SYSTEM_PROCESSOR` =? x86 or x86_64 or i686 or AMD64 (1) | (1) currently it always includes AVX512 on Intel arch | @@ -53,7 +53,7 @@ At the moment both are maintained because they don't perfectly overlap yet. | Qt detection | pc(qt5)/pc(qt4)/`QTDIR`(1) (2) | find_package(qt5) (3) | (1) if `QTDIR`: hardcode path (2) OSX: pkg-config hook for Brew (3) OSX: add search path| | `SKIPQT` | yes | yes | | | dep readline | sys | sys | | -| readline detection | **none** (1) | find*(2), Android:getzip | (1) OSX: hardcoded path (2) additional paths for OSX | +| readline detection | **none** (1) | find*(2), Cross:getzip | (1) OSX: hardcoded path (2) additional paths for OSX | | `SKIPREADLINE` | yes | yes | CLI not fully functional without Readline | | dep reveng | in_deps | in_deps | | | `SKIPREVENGTEST` | yes(1) | **no**(2) | (1) e.g. if cross-compilation (2) tests aren't compiled/ran with cmake | From c6c245e771d68a3c1131ab89de2c4a24d0f4825c Mon Sep 17 00:00:00 2001 From: Iceman Date: Tue, 23 Jun 2020 10:53:59 +0200 Subject: [PATCH 44/51] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a1a06699..e77062fff 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ |[Notes on external flash](/doc/ext_flash_notes.md)|[Notes on loclass](/doc/loclass_notes.md)|[Notes on Coverity Scan Config & Run](/doc/md/Development/Coverity-Scan-Config-%26-Run.md)| |[Notes on file formats used with Proxmark3](/doc/extensions_notes.md)|[Notes on MFU binary format](/doc/mfu_binary_format_notes.md)|[Notes on FPGA & ARM](/doc/fpga_arm_notes.md)| |[Developing standalone mode](/armsrc/Standalone/readme.md)|[Wiki about standalone mode](https://github.com/RfidResearchGroup/proxmark3/wiki/Standalone-mode)|| -|[Notes on Color usage](/doc/colors_notes.md)|| +|[Notes on Color usage](/doc/colors_notes.md)|[Makefile vs CMake](/doc/md/Development/Makefile-vs-CMake.md)| ## Build for non-RDV4 Proxmark3 platforms From 1c7de4a8c3310a6f1d3ec92d9f90bc09b519c86b Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 23 Jun 2020 11:13:49 +0200 Subject: [PATCH 45/51] fix: "lf search" / "lf hitag" - no more stack overflow in hitag reader --- armsrc/hitag2.c | 52 +++++++++++++++++++++++++++-------------- armsrc/lfadc.c | 50 +++++++++++++++------------------------ client/src/cmdlfhitag.c | 2 +- 3 files changed, 55 insertions(+), 49 deletions(-) diff --git a/armsrc/hitag2.c b/armsrc/hitag2.c index cf1aa46c1..79b09395f 100644 --- a/armsrc/hitag2.c +++ b/armsrc/hitag2.c @@ -36,7 +36,7 @@ #include "lfsampling.h" #include "lfdemod.h" #include "commonutil.h" - +#include "appmain.h" #define test_bit(data, i) (*(data + (i/8)) >> (7-(i % 8))) & 1 #define set_bit(data, i) *(data + (i/8)) |= (1 << (7-(i % 8))) @@ -1002,15 +1002,20 @@ void SniffHitag2(void) { size_t periods = 0; uint8_t periods_bytes[4]; - int16_t checked = 0; + // int16_t checked = 0; /*bool waiting_for_first_edge = true;*/ LED_C_ON(); + uint32_t signal_size = 10000; while (!BUTTON_PRESS()) { + // use malloc + initSampleBufferEx(&signal_size, false); + WDT_HIT(); +/* // only every 1000th times, in order to save time when collecting samples. if (checked == 1000) { if (data_available()) { @@ -1021,13 +1026,14 @@ void SniffHitag2(void) { } } ++checked; + */ // Receive frame, watch for at most T0*EOF periods // lf_reset_counter(); // Wait "infinite" for reader modulation - periods = lf_detect_gap(20000); + periods = lf_detect_gap(10000); // Test if we detected the first reader modulation edge if (periods != 0) { @@ -1042,7 +1048,6 @@ void SniffHitag2(void) { num_to_bytes(periods, 4, periods_bytes); LogTrace(periods_bytes, 4, 0, 0, NULL, true); } - } lf_finalize(); @@ -1064,7 +1069,7 @@ void SimulateHitag2(bool tag_mem_supplied, uint8_t *data) { int response = 0; uint8_t rx[HITAG_FRAME_LEN] = {0}; size_t rxlen = 0; - uint8_t tx[HITAG_FRAME_LEN]; + uint8_t tx[HITAG_FRAME_LEN] = {0}; size_t txlen = 0; auth_table_len = 0; @@ -1108,8 +1113,11 @@ void SimulateHitag2(bool tag_mem_supplied, uint8_t *data) { // int16_t checked = 0; // SIMULATE + uint32_t signal_size = 10000; + while (BUTTON_PRESS() == false) { - while (!BUTTON_PRESS()) { + // use malloc + initSampleBufferEx(&signal_size, true); LED_D_ON(); @@ -1283,9 +1291,9 @@ void ReaderHitag(hitag_function htf, hitag_data *htd) { uint32_t command_start = 0, command_duration = 0; uint32_t response_start = 0, response_duration = 0; - uint8_t rx[HITAG_FRAME_LEN]; + uint8_t rx[HITAG_FRAME_LEN] = {0}; size_t rxlen = 0; - uint8_t txbuf[HITAG_FRAME_LEN]; + uint8_t txbuf[HITAG_FRAME_LEN] = {0}; uint8_t *tx = txbuf; size_t txlen = 0; @@ -1430,12 +1438,17 @@ void ReaderHitag(hitag_function htf, hitag_data *htd) { size_t nrzs = 0; int16_t checked = 0; - while (!bStop && !BUTTON_PRESS()) { + uint32_t signal_size = 10000; + + while (bStop == false && BUTTON_PRESS() == false) { + + // use malloc + initSampleBufferEx(&signal_size, true); WDT_HIT(); // only every 1000th times, in order to save time when collecting samples. - if (checked == 1000) { + if (checked == 4000) { if (data_available()) { checked = -1; break; @@ -1615,13 +1628,13 @@ void ReaderHitag(hitag_function htf, hitag_data *htd) { } // Pack the response into a byte array - for (size_t i = 5; i < nrzs; i++) { + for (size_t i = 5; i < nrzs && rxlen < (sizeof(rx) << 3); i++) { uint8_t bit = nrz_samples[i]; if (bit > 1) { // When Manchester detects impossible symbol it writes "7" DBG Dbprintf("Error in Manchester decoding, abort"); break; } - rx[rxlen / 8] |= bit << (7 - (rxlen % 8)); + rx[rxlen >> 3] |= bit << (7 - (rxlen % 8)); rxlen++; } @@ -1756,10 +1769,14 @@ void WriterHitag(hitag_function htf, hitag_data *htd, int page) { size_t nrzs = 0; int16_t checked = 0; - while (!bStop && !BUTTON_PRESS()) { + uint32_t signal_size = 10000; + while (bStop == false && BUTTON_PRESS() == false) { - // only every 1000th times, in order to save time when collecting samples. - if (checked == 1000) { + // use malloc + initSampleBufferEx(&signal_size, true); + + // only every 4000th times, in order to save time when collecting samples. + if (checked == 4000) { if (data_available()) { checked = -1; break; @@ -1920,12 +1937,13 @@ void WriterHitag(hitag_function htf, hitag_data *htd, int page) { } // Pack the response into a byte array - for (size_t i = 5; i < nrzs; i++) { + for (size_t i = 5; i < nrzs && rxlen < (sizeof(rx) << 3); i++) { uint8_t bit = nrz_samples[i]; if (bit > 1) { // When Manchester detects impossible symbol it writes "7" break; } - rx[rxlen / 8] |= bit << (7 - (rxlen % 8)); + // >> 3 instead of div by 8 + rx[rxlen >> 3] |= bit << (7 - (rxlen % 8)); rxlen++; } diff --git a/armsrc/lfadc.c b/armsrc/lfadc.c index cec945b20..8c453bdc9 100644 --- a/armsrc/lfadc.c +++ b/armsrc/lfadc.c @@ -11,6 +11,7 @@ #include "fpgaloader.h" #include "ticks.h" #include "dbprint.h" +#include "appmain.h" // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK) // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz @@ -72,27 +73,11 @@ void lf_sample_mean(void) { static size_t lf_count_edge_periods_ex(size_t max, bool wait, bool detect_gap) { size_t periods = 0; - volatile uint8_t adc_val; uint8_t avg_peak = adc_avg + 3, avg_through = adc_avg - 3; -// int16_t checked = 0; - - while (!BUTTON_PRESS()) { - - // only every 100th times, in order to save time when collecting samples. - /* - if (checked == 1000) { - if (data_available()) { - break; - } else { - checked = 0; - } - } - ++checked; - */ - WDT_HIT(); + while (BUTTON_PRESS() == false) { if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { - adc_val = AT91C_BASE_SSC->SSC_RHR; + volatile uint8_t adc_val = AT91C_BASE_SSC->SSC_RHR; periods++; if (g_logging) logSampleSimple(adc_val); @@ -105,6 +90,7 @@ static size_t lf_count_edge_periods_ex(size_t max, bool wait, bool detect_gap) { if (adc_val == 0) { return periods; } + } else { // Trigger on a modulation swap by observing an edge change if (rising_edge) { @@ -125,6 +111,7 @@ static size_t lf_count_edge_periods_ex(size_t max, bool wait, bool detect_gap) { if (periods >= max) return 0; } } + if (g_logging) logSampleSimple(0xFF); return 0; } @@ -161,6 +148,7 @@ bool lf_get_reader_modulation(void) { } void lf_wait_periods(size_t periods) { + // wait detect gap lf_count_edge_periods_ex(periods, true, false); } @@ -250,23 +238,22 @@ void lf_finalize(void) { } size_t lf_detect_field_drop(size_t max) { +/* size_t periods = 0; // int16_t checked = 0; - while (!BUTTON_PRESS()) { + while (BUTTON_PRESS() == false) { - /* - // only every 1000th times, in order to save time when collecting samples. - if (checked == 1000) { - if (data_available()) { - checked = -1; - break; - } else { - checked = 0; - } - } - ++checked; - */ + // // only every 1000th times, in order to save time when collecting samples. + // if (checked == 4000) { + // if (data_available()) { + // checked = -1; + // break; + // } else { + // checked = 0; + // } + // } + // ++checked; WDT_HIT(); @@ -284,6 +271,7 @@ size_t lf_detect_field_drop(size_t max) { if (periods == max) return 0; } } +*/ return 0; } diff --git a/client/src/cmdlfhitag.c b/client/src/cmdlfhitag.c index b05405465..bce0e83a6 100644 --- a/client/src/cmdlfhitag.c +++ b/client/src/cmdlfhitag.c @@ -584,7 +584,7 @@ static int CmdLFHitagReader(const char *Cmd) { clearCommandBuffer(); SendCommandMIX(cmd, htf, 0, 0, &htd, sizeof(htd)); PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) { + if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { PrintAndLogEx(WARNING, "timeout while waiting for reply."); return PM3_ETIMEOUT; } From d9f606d70b6ffa27a4674a7a78f291ff23a34b11 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 23 Jun 2020 11:21:17 +0200 Subject: [PATCH 46/51] more debugstatements --- armsrc/lfsampling.c | 108 +++++++++++++++++++++++++++++--------------- armsrc/lfsampling.h | 1 + 2 files changed, 72 insertions(+), 37 deletions(-) diff --git a/armsrc/lfsampling.c b/armsrc/lfsampling.c index 40ad29f93..f77084b3d 100644 --- a/armsrc/lfsampling.c +++ b/armsrc/lfsampling.c @@ -16,6 +16,7 @@ #include "util.h" #include "lfdemod.h" #include "string.h" // memset +#include "appmain.h" // print stack /* Default LF config is set to: @@ -29,6 +30,12 @@ Default LF config is set to: */ static sample_config config = { 1, 8, 1, LF_DIVISOR_125, 0, 0, 1} ; +// Holds bit packed struct of samples. +static BitstreamOut data = {0, 0, 0}; + +// internal struct to keep track of samples gathered +static sampling_t samples = {0, 0, 0, 0}; + void printConfig(void) { uint32_t d = config.divisor; DbpString(_CYAN_("LF Sampling config")); @@ -38,6 +45,18 @@ void printConfig(void) { Dbprintf(" [a] averaging...........%s", (config.averaging) ? "Yes" : "No"); Dbprintf(" [t] trigger threshold...%d", config.trigger_threshold); Dbprintf(" [s] samples to skip.....%d ", config.samples_to_skip); + + DbpString(_CYAN_("LF Sampling Stack")); + print_stack_usage(); +} + +void printSamples(void) { + DbpString(_CYAN_("LF Sampling memory")); + Dbprintf(" decimation counter.....%d ", samples.dec_counter); + Dbprintf(" sum.....%u ", samples.sum); + Dbprintf(" counter.....%u ", samples.counter); + Dbprintf(" total saved.....%u ", samples.total_saved); + print_stack_usage(); } /** @@ -99,12 +118,6 @@ static void pushBit(BitstreamOut *stream, uint8_t bit) { stream->numbits++; } -// Holds bit packed struct of samples. -static BitstreamOut data = {0, 0, 0}; - -// internal struct to keep track of samples gathered -static sampling_t samples = {0, 0, 0, 0}; - void initSampleBuffer(uint32_t *sample_size) { initSampleBufferEx(sample_size, false); } @@ -116,9 +129,7 @@ void initSampleBufferEx(uint32_t *sample_size, bool use_malloc) { } BigBuf_free(); - // We can't erase the buffer now, it would drastically delay the acquisition - if (use_malloc) { if (*sample_size == 0) { @@ -141,7 +152,7 @@ void initSampleBufferEx(uint32_t *sample_size, bool use_malloc) { // samples.dec_counter = 0; samples.sum = 0; - samples.counter = 0; + samples.counter = *sample_size; samples.total_saved = 0; } @@ -157,13 +168,13 @@ void logSample(uint8_t sample, uint8_t decimation, uint8_t bits_per_sample, bool if (!data.buffer) return; - if (bits_per_sample == 0) bits_per_sample = 1; + // keep track of total gather samples regardless how many was discarded. + if (samples.counter-- == 0) return; + + if (bits_per_sample == 0) bits_per_sample = 1; if (bits_per_sample > 8) bits_per_sample = 8; if (decimation == 0) decimation = 1; - // keep track of total gather samples regardless how many was discarded. - samples.counter++; - if (avg) { samples.sum += sample; } @@ -224,6 +235,7 @@ void LFSetupFPGAForADC(int divisor, bool reader_field) { // Connect the A/D to the peak-detected low-frequency path. SetAdcMuxFor(GPIO_MUXSEL_LOPKD); + // 50ms for the resonant antenna to settle. if (reader_field) SpinDelay(50); @@ -255,6 +267,11 @@ uint32_t DoAcquisition(uint8_t decimation, uint8_t bits_per_sample, bool avg, in initSampleBuffer(&sample_size); + if (DBGLEVEL >= DBG_DEBUG) { + Dbprintf("lf sampling - after init"); + printSamples(); + } + uint32_t cancel_counter = 0; int16_t checked = 0; @@ -262,7 +279,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint8_t bits_per_sample, bool avg, in // only every 1000th times, in order to save time when collecting samples. // interruptible only when logging not yet triggered - if ((checked == 2000) && (trigger_threshold > 0)) { + if ((checked == 4000) && (trigger_threshold > 0)) { if (data_available()) { checked = -1; break; @@ -306,7 +323,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint8_t bits_per_sample, bool avg, in if (samples.total_saved >= sample_size) break; } } - + if (checked == -1 && verbose) { Dbprintf("lf sampling aborted"); } @@ -397,10 +414,19 @@ void doT55x7Acquisition(size_t sample_size) { bool lowFound = false; uint16_t checker = 0; + + if (DBGLEVEL >= DBG_DEBUG) { + Dbprintf("doT55x7Acquisition - after init"); + print_stack_usage(); + } while (skipCnt < 1000 && (i < bufsize)) { - if (checker == 1000) { - if (BUTTON_PRESS() || data_available()) + + if (BUTTON_PRESS()) + break; + + if (checker == 4000) { + if (data_available()) break; else checker = 0; @@ -462,21 +488,24 @@ void doT55x7Acquisition(size_t sample_size) { void doCotagAcquisition(size_t sample_size) { uint8_t *dest = BigBuf_get_addr(); - uint16_t bufsize = BigBuf_max_traceLen(); - - if (bufsize > sample_size) - bufsize = sample_size; + uint16_t bufsize = MIN(sample_size, BigBuf_max_traceLen()); dest[0] = 0; uint8_t firsthigh = 0, firstlow = 0; - uint16_t i = 0; - uint16_t noise_counter = 0; - - uint16_t checker = 0; + uint16_t i = 0, noise_counter = 0, checker = 0; + + if (DBGLEVEL >= DBG_DEBUG) { + Dbprintf("doCotagAcquisition - after init"); + print_stack_usage(); + } while ((i < bufsize) && (noise_counter < (COTAG_T1 << 1))) { - if (checker == 1000) { - if (BUTTON_PRESS() || data_available()) + + if (BUTTON_PRESS()) + break; + + if (checker == 4000) { + if (data_available()) break; else checker = 0; @@ -530,21 +559,26 @@ void doCotagAcquisition(size_t sample_size) { uint32_t doCotagAcquisitionManchester(void) { uint8_t *dest = BigBuf_get_addr(); - uint16_t bufsize = BigBuf_max_traceLen(); - - if (bufsize > COTAG_BITS) - bufsize = COTAG_BITS; + uint16_t bufsize = MIN(COTAG_BITS, BigBuf_max_traceLen()); dest[0] = 0; uint8_t firsthigh = 0, firstlow = 0; - uint16_t sample_counter = 0, period = 0; uint8_t curr = 0, prev = 0; - uint16_t noise_counter = 0; - uint16_t checker = 0; - + uint16_t sample_counter = 0, period = 0; + uint16_t noise_counter = 0, checker = 0; + + if (DBGLEVEL >= DBG_DEBUG) { + Dbprintf("doCotagAcquisitionManchester - after init"); + print_stack_usage(); + } + while ((sample_counter < bufsize) && (noise_counter < (COTAG_T1 << 1))) { - if (checker == 1000) { - if (BUTTON_PRESS() || data_available()) + + if (BUTTON_PRESS()) + break; + + if (checker == 4000) { + if ( data_available()) break; else checker = 0; diff --git a/armsrc/lfsampling.h b/armsrc/lfsampling.h index 44910316d..9b8c4c6b1 100644 --- a/armsrc/lfsampling.h +++ b/armsrc/lfsampling.h @@ -100,5 +100,6 @@ void setSamplingConfig(sample_config *sc); sample_config *getSamplingConfig(void); void printConfig(void); +void printSamples(void); #endif // __LFSAMPLING_H From d06029c63f60cb41f3c2e6caea2ef867f5ff562f Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 23 Jun 2020 11:24:00 +0200 Subject: [PATCH 47/51] textual --- client/src/cmdtrace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/src/cmdtrace.c b/client/src/cmdtrace.c index 5b397805f..1b172bfb3 100644 --- a/client/src/cmdtrace.c +++ b/client/src/cmdtrace.c @@ -199,7 +199,7 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr if (tracepos + TRACELOG_HDR_LEN + data_len + TRACELOG_PARITY_LEN(hdr) > traceLen) { return traceLen; } - + uint8_t *frame = hdr->frame; uint8_t *parityBytes = hdr->frame + data_len; @@ -495,7 +495,7 @@ static int CmdTraceLoad(const char *Cmd) { g_traceLen = (long)len; - PrintAndLogEx(SUCCESS, "Recorded Activity (TraceLen = " _YELLOW_("%lu") " bytes) loaded from " _YELLOW_("%s"), g_traceLen, filename); + PrintAndLogEx(SUCCESS, "Recorded Activity (TraceLen = " _YELLOW_("%lu") " bytes)", g_traceLen); return PM3_SUCCESS; } From 34769f69451b1a43a30f27f365da839337463943 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 23 Jun 2020 12:10:09 +0200 Subject: [PATCH 48/51] fix: lf_em4100rwx --- armsrc/Standalone/lf_em4100rwc.c | 78 ++++++++++++++++++-------------- 1 file changed, 45 insertions(+), 33 deletions(-) diff --git a/armsrc/Standalone/lf_em4100rwc.c b/armsrc/Standalone/lf_em4100rwc.c index 0ae7e7444..c54e54fa2 100644 --- a/armsrc/Standalone/lf_em4100rwc.c +++ b/armsrc/Standalone/lf_em4100rwc.c @@ -48,7 +48,7 @@ void ModInfo(void) { DbpString(" LF EM4100 read/write/clone mode"); } -static uint64_t ReversQuads(uint64_t bits) { +static uint64_t rev_quads(uint64_t bits) { uint64_t result = 0; for (int i = 0; i < 16; i++) { result += ((bits >> (60 - 4 * i)) & 0xf) << (4 * i); @@ -56,35 +56,41 @@ static uint64_t ReversQuads(uint64_t bits) { return result >> 24; } -static void FillBuff(uint8_t bit) { +static void fillbuff(uint8_t bit) { memset(bba + buflen, bit, CLOCK / 2); buflen += (CLOCK / 2); memset(bba + buflen, bit ^ 1, CLOCK / 2); buflen += (CLOCK / 2); } -static void ConstructEM410xEmulBuf(uint64_t id) { +static void construct_EM410x_emul(uint64_t id) { - int i, j, binary[4], parity[4]; + int binary[4] = {0}; + int parity[4] = {0}; buflen = 0; - for (i = 0; i < 9; i++) - FillBuff(1); - parity[0] = parity[1] = parity[2] = parity[3] = 0; - for (i = 0; i < 10; i++) { - for (j = 3; j >= 0; j--, id /= 2) + + for (uint8_t i = 0; i < 9; i++) + fillbuff(1); + + for (uint8_t i = 0; i < 10; i++) { + for (uint8_t j = 3; j > 0; j--, id /= 2) binary[j] = id % 2; - for (j = 0; j < 4; j++) - FillBuff(binary[j]); - FillBuff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); - for (j = 0; j < 4; j++) + + for (uint8_t j = 0; j < 4; j++) + fillbuff(binary[j]); + + fillbuff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]); + for (uint8_t j = 0; j < 4; j++) parity[j] ^= binary[j]; } - for (j = 0; j < 4; j++) - FillBuff(parity[j]); - FillBuff(0); + + for (uint8_t j = 0; j < 4; j++) + fillbuff(parity[j]); + + fillbuff(0); } -static void LED_Slot(int i) { +static void led_slot(int i) { LEDsoff(); if (slots_count > 4) { LED(i % MAX_IND, 0); //binary indication, usefully for slots_count > 4 @@ -93,8 +99,8 @@ static void LED_Slot(int i) { } } -static void FlashLEDs(uint32_t speed, uint8_t times) { - for (int i = 0; i < times * 2; i++) { +static void flash_leds(uint32_t speed, uint8_t times) { + for (uint16_t i = 0; i < times * 2; i++) { LED_A_INV(); LED_B_INV(); LED_C_INV(); @@ -132,24 +138,28 @@ void RunMod(void) { uint8_t state = 0; slots_count = ARRAYLEN(low); bba = BigBuf_get_addr(); - LED_Slot(selected); + led_slot(selected); for (;;) { + WDT_HIT(); + if (data_available()) break; + int button_pressed = BUTTON_HELD(1000); SpinDelay(300); + switch (state) { case 0: // Select mode if (button_pressed == BUTTON_HOLD) { // Long press - switch to simulate mode SpinUp(100); - LED_Slot(selected); + led_slot(selected); state = 2; } else if (button_pressed == BUTTON_SINGLE_CLICK) { // Click - switch to next slot selected = (selected + 1) % slots_count; - LED_Slot(selected); + led_slot(selected); } break; case 1: @@ -157,12 +167,12 @@ void RunMod(void) { if (button_pressed == BUTTON_HOLD) { // Long press - switch to read mode SpinUp(100); - LED_Slot(selected); + led_slot(selected); state = 3; } else if (button_pressed == BUTTON_SINGLE_CLICK) { // Click - exit to select mode - CmdEM410xdemod(1, &high[selected], &low[selected]); - FlashLEDs(100, 5); + lf_em410x_watch(1, &high[selected], &low[selected]); + flash_leds(100, 5); #ifdef WITH_FLASH SaveIDtoFlash(selected, low[selected]); #endif @@ -174,15 +184,17 @@ void RunMod(void) { if (button_pressed == BUTTON_HOLD) { // Long press - switch to read mode SpinDown(100); - LED_Slot(selected); + led_slot(selected); state = 1; } else if (button_pressed == BUTTON_SINGLE_CLICK) { // Click - start simulating. Click again to exit from simulate mode - LED_Slot(selected); - ConstructEM410xEmulBuf(ReversQuads(low[selected])); - FlashLEDs(100, 5); + led_slot(selected); + + construct_EM410x_emul(rev_quads(low[selected])); + flash_leds(100, 5); + SimulateTagLowFrequency(buflen, 0, 1); - LED_Slot(selected); + led_slot(selected); state = 0; // Switch to select mode } break; @@ -191,12 +203,12 @@ void RunMod(void) { if (button_pressed == BUTTON_HOLD) { // Long press - switch to select mode SpinDown(100); - LED_Slot(selected); + led_slot(selected); state = 0; } else if (button_pressed == BUTTON_SINGLE_CLICK) { // Click - write ID to tag - WriteEM410x(0, (uint32_t)(low[selected] >> 32), (uint32_t)(low[selected] & 0xffffffff)); - LED_Slot(selected); + copy_em410x_to_t55xx(0, CLOCK, (uint32_t)(low[selected] >> 32), (uint32_t)(low[selected] & 0xffffffff)); + led_slot(selected); state = 0; // Switch to select mode } break; From e3c9f46425fc5bab1a4ad11190d21ea83d493943 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 23 Jun 2020 12:13:48 +0200 Subject: [PATCH 49/51] fix lf standalones --- armsrc/Standalone/lf_proxbrute.c | 5 ++--- armsrc/Standalone/lf_samyrun.c | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/armsrc/Standalone/lf_proxbrute.c b/armsrc/Standalone/lf_proxbrute.c index b4caf2e3f..67ef436ce 100644 --- a/armsrc/Standalone/lf_proxbrute.c +++ b/armsrc/Standalone/lf_proxbrute.c @@ -56,9 +56,8 @@ void RunMod(void) { DbpString("[=] starting recording"); - - // findone, high, low, no ledcontrol (A) - CmdHIDdemodFSK(1, &high, &low, 0); + // findone, high, low + lf_hid_watch(1, &high, &low); Dbprintf("[=] recorded | %x%08x", high, low); diff --git a/armsrc/Standalone/lf_samyrun.c b/armsrc/Standalone/lf_samyrun.c index 971304918..9646dede3 100644 --- a/armsrc/Standalone/lf_samyrun.c +++ b/armsrc/Standalone/lf_samyrun.c @@ -77,7 +77,7 @@ void RunMod(void) { // findone, high, low, no ledcontrol (A) uint32_t hi = 0, lo = 0; - CmdHIDdemodFSK(1, &hi, &lo, 0); + lf_hid_watch(1, &hi, &lo); high[selected] = hi; low[selected] = lo; From b545109800a2d2aa68af1951c56c340cc252ac67 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 23 Jun 2020 12:14:41 +0200 Subject: [PATCH 50/51] fix more lf standalone --- armsrc/Standalone/lf_hidbrute.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/armsrc/Standalone/lf_hidbrute.c b/armsrc/Standalone/lf_hidbrute.c index 8c4412ebe..f0d8cae86 100644 --- a/armsrc/Standalone/lf_hidbrute.c +++ b/armsrc/Standalone/lf_hidbrute.c @@ -75,7 +75,7 @@ void RunMod(void) { // record DbpString("[=] starting recording"); - CmdHIDdemodFSK(1, &high[selected], &low[selected], 0); + lf_hid_watch(1, &high[selected], &low[selected]); Dbprintf("[=] recorded %x %x %08x", selected, high[selected], low[selected]); LEDsoff(); From 36fcb8ef2bd9a8a11c6a4a4a28646cb9501daaaf Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Wed, 24 Jun 2020 07:22:03 +0200 Subject: [PATCH 51/51] Fixes num_keys --- client/src/cmdhfmfdes.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 920fcaba8..2adbeae75 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -1240,15 +1240,14 @@ static int handler_desfire_signature(uint8_t *signature, size_t *signature_len) } // --- KEY SETTING -static int desfire_print_keysetting(uint8_t key_settings, mifare_des_authalgo_t algo) { - +static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys, int algo) { PrintAndLogEx(SUCCESS, " AID Key settings : 0x%02x", key_settings); // 2 MSB denotes const char *str = " Max key number and type : %d, " _YELLOW_("%s"); - if (algo == MFDES_ALGO_DES) PrintAndLogEx(SUCCESS, str, "(3)DES"); - else if (algo == MFDES_ALGO_AES) PrintAndLogEx(SUCCESS, str, "AES"); - else if (algo == MFDES_ALGO_3K3DES) PrintAndLogEx(SUCCESS, str, "3K3DES"); + if (algo == MFDES_ALGO_DES) PrintAndLogEx(SUCCESS, str, num_keys & 0x3F, "(3)DES"); + else if (algo == MFDES_ALGO_AES) PrintAndLogEx(SUCCESS, str, num_keys & 0x3F, "AES"); + else if (algo == MFDES_ALGO_3K3DES) PrintAndLogEx(SUCCESS, str, num_keys & 0x3F, "3K3DES"); //PrintAndLogEx(SUCCESS, " Max number of keys in AID : %d", num_keys & 0x3F); PrintAndLogEx(INFO, "-------------------------------------------------------------"); @@ -1449,14 +1448,14 @@ static int handler_desfire_select_application(uint8_t *aid) { return PM3_SUCCESS; } -static int key_setting_to_algo(uint8_t aid[3], uint8_t *key_setting, mifare_des_authalgo_t *algo) { +static int key_setting_to_algo(uint8_t aid[3], uint8_t *key_setting, mifare_des_authalgo_t *algo, uint8_t *num_keys) { int res = handler_desfire_select_application(aid); if (res != PM3_SUCCESS) return res; - uint8_t num_keys = 0; - res = handler_desfire_getkeysettings(key_setting, &num_keys); + *num_keys = 0; + res = handler_desfire_getkeysettings(key_setting, num_keys); if (res == PM3_SUCCESS) { - switch (num_keys >> 6) { + switch (*num_keys >> 6) { case 0: *algo = MFDES_ALGO_DES; break; @@ -1863,8 +1862,8 @@ static int getKeySettings(uint8_t *aid) { // KEY Settings - AMK uint8_t num_keys = 0; uint8_t key_setting = 0; - mifare_des_authalgo_t algo; - res = key_setting_to_algo(aid, &key_setting, &algo); + mifare_des_authalgo_t algo=MFDES_ALGO_DES; + res = key_setting_to_algo(aid, &key_setting, &algo, &num_keys); if (res == PM3_SUCCESS) { // number of Master keys (0x01) @@ -1915,10 +1914,10 @@ static int getKeySettings(uint8_t *aid) { // KEY Settings - AMK uint8_t num_keys = 0; uint8_t key_setting = 0; - mifare_des_authalgo_t algo; - res = key_setting_to_algo(aid, &key_setting, &algo); + mifare_des_authalgo_t algo=MFDES_ALGO_DES; + res = key_setting_to_algo(aid, &key_setting, &algo, &num_keys); if (res == PM3_SUCCESS) { - desfire_print_keysetting(key_setting, algo); + desfire_print_keysetting(key_setting, num_keys, algo); } else { PrintAndLogEx(WARNING, _RED_(" Can't read Application Master key settings")); }