From 4c08477ef71d29641c59ad7b5589ccbab1d3e565 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 16 Sep 2019 11:33:05 +0200 Subject: [PATCH] chg: 'lf indala clone' - refactored , uses NG --- armsrc/appmain.c | 11 ------ armsrc/lfops.c | 31 +--------------- armsrc/lfops.h | 2 -- client/cmdlfindala.c | 86 +++++++++++++++++++++++++++++++++++--------- client/util.c | 2 +- include/pm3_cmd.h | 11 ++++-- 6 files changed, 80 insertions(+), 63 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 058a4709e..06ea02e50 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -769,17 +769,6 @@ static void PacketReceived(PacketCommandNG *packet) { SimulateTagLowFrequencyBidir(packet->oldarg[0], packet->oldarg[1]); break; } - case CMD_LF_INDALA_CLONE: { - CopyIndala64toT55x7(packet->data.asDwords[0], packet->data.asDwords[1]); - break; - } - case CMD_LF_INDALA224_CLONE: { - CopyIndala224toT55x7( - packet->data.asDwords[0], packet->data.asDwords[1], packet->data.asDwords[2], packet->data.asDwords[3], - packet->data.asDwords[4], packet->data.asDwords[5], packet->data.asDwords[6] - ); - break; - } case CMD_LF_T55XX_READBL: { struct p { uint32_t password; diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 47c8011f8..fd1fa36e1 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -1712,7 +1712,7 @@ void T55xxWriteBlock(uint8_t *data) { c->flags &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0 LED_A_ON(); - T55xx_SendCMD(c->data, c->pwd, c->flags | (c->blockno << 9)) ; //, false); + T55xx_SendCMD(c->data, c->pwd, c->flags | (c->blockno << 9)); // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550, // so wait a little more) @@ -1744,7 +1744,6 @@ void T55xxWriteBlock(uint8_t *data) { // turn field off FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - // cmd_send(CMD_ACK,0,0,0,0,0); reply_ng(CMD_LF_T55XX_WRITEBL, PM3_SUCCESS, NULL, 0); LED_A_OFF(); } 
@@ -2049,34 +2048,6 @@ void CopyIOtoT55x7(uint32_t hi, uint32_t lo) { LED_D_OFF(); } -// Clone Indala 64-bit tag by UID to T55x7 -void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) { - //Program the 2 data blocks for supplied 64bit UID - // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2) - uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo}; - //TODO add selection of chip for Q5 or T55x7 - // data[0] = T5555_SET_BITRATE(32 | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT; - LED_D_ON(); - WriteT55xx(data, 0, 3); - //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data) - // T5567WriteBlock(0x603E1042,0); - LED_D_OFF(); -} -// Clone Indala 224-bit tag by UID to T55x7 -void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) { - //Program the 7 data blocks for supplied 224bit UID - uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7}; - // and the block 0 for Indala224 format - //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7) - data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT); - //TODO add selection of chip for Q5 or T55x7 - // data[0] = T5555_SET_BITRATE(32 | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT; - LED_D_ON(); - WriteT55xx(data, 0, 8); - //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data) - // T5567WriteBlock(0x603E10E2,0); - LED_D_OFF(); -} // clone viking tag to T55xx void CopyVikingtoT55xx(uint8_t *blocks, uint8_t Q5) { diff --git a/armsrc/lfops.h b/armsrc/lfops.h index 99d1b29eb..a88f05800 100644 --- a/armsrc/lfops.h +++ b/armsrc/lfops.h 
@@ -46,8 +46,6 @@ void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567 void CopyVikingtoT55xx(uint8_t *blocks, uint8_t Q5); void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo); -void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7 -void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7 void T55xxResetRead(uint8_t flags); //id T55xxWriteBlock(uint32_t data, uint8_t blockno, uint32_t pwd, uint8_t flags); void T55xxWriteBlock(uint8_t *data); diff --git a/client/cmdlfindala.c b/client/cmdlfindala.c index 8d62e37ae..da13766db 100644 --- a/client/cmdlfindala.c +++ b/client/cmdlfindala.c @@ -25,6 +25,8 @@ #include "lfdemod.h" // parityTest, bitbytes_to_byte #include "cmddata.h" #include "cmdlf.h" // lf_read +#include "protocols.h" // t55 defines +#include "cmdlft55xx.h" // verifywrite static int CmdHelp(const char *Cmd); @@ -439,10 +441,12 @@ static int CmdIndalaSim(const char *Cmd) { return PM3_SUCCESS; } -// iceman - needs refactoring static int CmdIndalaClone(const char *Cmd) { bool isLongUid = false; + uint32_t blocks[8] = {0}; + uint8_t max = 0; + uint8_t data[7 * 4]; int datalen = 0; 
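Review bot: In the `CmdIndalaClone` declarations hunk of client/cmdlfindala.c, `uint8_t data[7 * 4];` is still declared without an initializer, and the next hunk goes straight from `CLIGetHexWithReturn(2, data, &datalen);` to reads at fixed offsets up to `bytes_to_num(data + 24, 4)` without comparing `datalen` to the 28 (long) or 8 (short) bytes it consumes. Unless the parsing macro enforces an exact length, which is not visible here, a short hex argument would put indeterminate stack bytes into the blocks written to the tag. I would declare `uint8_t data[7 * 4] = {0};` and add `if (datalen != (isLongUid ? 28 : 8)) return PM3_EINVARG;` right after `CLIParserFree();`. The function body starts and ends outside this hunk.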
@@ -466,27 +470,77 @@ static int CmdIndalaClone(const char *Cmd) { CLIGetHexWithReturn(2, data, &datalen); CLIParserFree(); +/* + //TODO add selection of chip for Q5 or T55x7 + + // data[0] = T5555_SET_BITRATE(32 | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT; + //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data) + // T5567WriteBlock(0x603E10E2,0); + + // data[0] = T5555_SET_BITRATE(32 | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT; + //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data) + // T5567WriteBlock(0x603E1042,0); +*/ + if (isLongUid) { + // config for Indala (RF/32;PSK2 with RF/2;Maxblock=7) PrintAndLogEx(INFO, "Preparing to clone Indala 224bit tag with RawID %s", sprint_hex(data, datalen)); - uint32_t blocks[7] = {0}; - blocks[0] = bytes_to_num(data, 4); - blocks[1] = bytes_to_num(data + 4, 4); - blocks[2] = bytes_to_num(data + 8, 4); - blocks[3] = bytes_to_num(data + 12, 4); - blocks[4] = bytes_to_num(data + 16, 4); - blocks[5] = bytes_to_num(data + 20, 4); - blocks[6] = bytes_to_num(data + 24, 4); - clearCommandBuffer(); - SendCommandOLD(CMD_LF_INDALA224_CLONE, 0, 0, 0, blocks, sizeof(blocks)); + blocks[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT); + blocks[1] = bytes_to_num(data, 4); + blocks[2] = bytes_to_num(data + 4, 4); + blocks[3] = bytes_to_num(data + 8, 4); + blocks[4] = bytes_to_num(data + 12, 4); + blocks[5] = bytes_to_num(data + 16, 4); + blocks[6] = bytes_to_num(data + 20, 4); + blocks[7] = bytes_to_num(data + 24, 4); + max = 8; } else { + // config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2) PrintAndLogEx(INFO, "Preparing to clone Indala 64bit tag with RawID %s", sprint_hex(data, datalen)); - uint32_t blocks[2] = {0}; - blocks[0] = bytes_to_num(data, 4); - blocks[1] = bytes_to_num(data + 4, 4); - clearCommandBuffer(); - SendCommandOLD(CMD_LF_INDALA_CLONE, 0, 0, 0, datawords, sizeof(datawords)); + blocks[0] 
= T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT); + blocks[1] = bytes_to_num(data, 4); + blocks[2] = bytes_to_num(data + 4, 4); + max = 3; } + print_blocks(blocks, max); + + uint8_t res = 0; + PacketResponseNG resp; + + // fast push mode + conn.block_after_ACK = true; + for (uint8_t i = 0; i < max; i++) { + if (i == max - 1) { + // Disable fast mode on last packet + conn.block_after_ACK = false; + } + clearCommandBuffer(); + t55xx_write_block_t ng; + ng.data = blocks[i]; + ng.pwd = 0; + ng.blockno = i; + ng.flags = 0; + + SendCommandNG(CMD_LF_T55XX_WRITEBL, (uint8_t *)&ng, sizeof(ng)); + if (!WaitForResponseTimeout(CMD_LF_T55XX_WRITEBL, &resp, T55XX_WRITE_TIMEOUT)) { + PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation."); + return PM3_ETIMEOUT; + } + + if (i == 0) { + SetConfigWithBlock0(blocks[0]); + if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) ) + continue; + } + + if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false) + res++; + } + + if ( res == 0 ) + PrintAndLogEx(SUCCESS, "Success writing to tag"); + return PM3_SUCCESS; } diff --git a/client/util.c b/client/util.c index 6877e8835..55b114fdb 100644 --- a/client/util.c +++ b/client/util.c @@ -390,7 +390,7 @@ void print_blocks(uint32_t *data, size_t len) { PrintAndLogEx(ERR, "..empty data"); } else { for (uint8_t i = 0; i < len; i++) - PrintAndLogEx(SUCCESS, " %02d | 0x%08X", i, data[i]); + PrintAndLogEx(SUCCESS, " %02d | %08X", i, data[i]); } } diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index d79433fcf..4982f4a60 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -242,6 +242,14 @@ typedef struct { uint8_t keytype; } PACKED mfc_eload_t; +typedef struct { + uint8_t status; + uint8_t CSN[8]; + uint8_t CONFIG[8]; + uint8_t CC[8]; + uint8_t AIA[8]; +} PACKED iclass_reader_t; + // For the bootloader #define CMD_DEVICE_INFO 0x0000 #define CMD_SETUP_WRITE 0x0001 
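Review bot: The write loop in `CmdIndalaClone` does not report failure on its error paths: when `t55xxVerifyWrite` fails, `res` is incremented but nothing is printed and the function still ends in `return PM3_SUCCESS;`, so a caller cannot tell a partly written tag from a good one. The timeout branch also returns with `conn.block_after_ACK` still `true`, because it is only cleared on the last iteration. I would put `conn.block_after_ACK = false;` before `return PM3_ETIMEOUT;` and finish with `if (res != 0) { PrintAndLogEx(ERR, "Verification failed for %u block(s)", res); return PM3_ESOFT; }` (or whichever failure code the project prefers). The function starts outside this hunk.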
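Review bot: In `print_blocks` (client/util.c) the loop index is `uint8_t i` while the bound is `size_t len`, so any `len` above 255 makes `i` wrap and the loop never terminates. The new caller passes at most 8, but the signature allows more. Since the `PrintAndLogEx` line is being touched anyway, `for (size_t i = 0; i < len; i++)` with the format `" %02zu | %08X"` would close that. The function starts outside this hunk.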
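Review bot: `iclass_reader_t` in include/pm3_cmd.h is added without a comment, and nothing else in this patch uses it, so a reader cannot tell what `status` encodes or which side fills the four 8-byte fields. A one-line comment above the typedef would help, for example `// iCLASS reader reply: status plus CSN, CONFIG, CC and AIA blocks (8 bytes each)`, with the wording confirmed by the author. As the struct looks unrelated to the Indala clone refactor, it may also read better in its own commit.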
@@ -345,9 +353,6 @@ typedef struct {
 #define CMD_SET_ADC_MUX 0x020F
 #define CMD_LF_HID_CLONE 0x0210
 #define CMD_LF_EM410X_WRITE 0x0211
-#define CMD_LF_INDALA_CLONE 0x0212
-// for 224 bits UID
-#define CMD_LF_INDALA224_CLONE 0x0213
 #define CMD_LF_T55XX_READBL 0x0214
 #define CMD_LF_T55XX_WRITEBL 0x0215
 #define CMD_LF_T55XX_RESET_READ 0x0216