diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c
index ec3c48f9a..5f76bb7ad 100644
--- a/armsrc/hitagS.c
+++ b/armsrc/hitagS.c
@@ -289,7 +289,7 @@ static void hitag_reader_send_bit(int bit, bool ledcontrol) {
 if (ledcontrol) LED_A_ON();
 // Reset clock for the next bit
 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
- while (AT91C_BASE_TC0->TC_CV > 0);
+ while (AT91C_BASE_TC0->TC_CV != 0);
 // Binary puls length modulation (BPLM) is used to encode the data stream
 // This means that a transmission of a one takes longer than that of a zero
@@ -334,7 +334,7 @@ static void hitag_reader_send_frame(const uint8_t *frame, size_t frame_len, bool
 }
 // send EOF
 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
- while (AT91C_BASE_TC0->TC_CV > 0);
+ while (AT91C_BASE_TC0->TC_CV != 0);
 HIGH(GPIO_SSC_DOUT);
 // Wait for 4-10 times the carrier period
@@ -362,14 +362,10 @@ static void hts_init_clock(void) {
 // TC1: Capture mode, clock source = MCK/32 (TIMER_CLOCK3), TIOA is external trigger,
 // external trigger falling edge, set RA on falling edge of TIOA.
 AT91C_BASE_TC1->TC_CMR =
- AT91C_TC_CLKS_TIMER_DIV3_CLOCK |
- AT91C_TC_ETRGEDG_FALLING | // external trigger on falling edge
- AT91C_TC_ABETRG | // TIOA is used as an external trigger.
- AT91C_TC_LDRA_FALLING | // load RA on on falling edge
- AT91C_TC_ACPA_CLEAR | // RA comperator clears TIOA (carry bit)
- AT91C_TC_ASWTRG_SET; // SWTriger sets TIOA (carry bit)
-
- AT91C_BASE_TC1->TC_RA = 1; // clear carry bit on next clock cycle
+ AT91C_TC_CLKS_TIMER_DIV3_CLOCK | // MCK/32 (TIMER_CLOCK3)
+ AT91C_TC_ETRGEDG_FALLING | // external trigger on falling edge
+ AT91C_TC_ABETRG | // TIOA is used as an external trigger
+ AT91C_TC_LDRA_FALLING; // load RA on on falling edge
 // Enable and reset counters
 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
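Review bot: The new wait `while (AT91C_BASE_TC0->TC_CV != 0);` at -289 keeps the empty loop body as a bare `;` on the same line, which is easy to misread as a loop over the next statement, while the same loop in hts_init_clock at -377 is written `{};` with a redundant semicolon after the braces. I would use one form at all four sites (-289, -334, -377 and -888): `while (AT91C_BASE_TC0->TC_CV != 0) {}`. If TC_CV is the usual unsigned register type, `> 0` and `!= 0` are the same test, so the change is cosmetic and the spin remains unbounded; a short comment such as `// spin until the SWTRG reset lands; TC0 must already be clocked or this never exits` would record why that is acceptable here. hitag_reader_send_bit and hitag_reader_send_frame both continue past their hunks.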
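Review bot: The last new line of the TC_CMR assignment at -362 still reads `// load RA on on falling edge` with a doubled "on"; `AT91C_TC_LDRA_FALLING; // load RA on falling edge`. The hunk also drops AT91C_TC_ACPA_CLEAR, AT91C_TC_ASWTRG_SET and the `TC_RA = 1` write without saying why; the comment above describes TC1 as capture mode, and if that is the reason (those fields belong to waveform mode and RA is only loaded by the TIOA capture), it deserves a line at the assignment, e.g. `// Capture mode (WAVE=0): no waveform-mode fields (ACPA/ASWTRG) and no RA compare; RA is loaded only by the TIOA falling-edge capture`, so the bits are not reintroduced later. hts_init_clock continues past the hunk.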
@@ -377,7 +373,7 @@ static void hts_init_clock(void) {
 // synchronized startup procedure
 // In theory, with MCK/32, we shouldn't be waiting longer than 32 instruction statements, right?
- while (AT91C_BASE_TC0->TC_CV > 0) {}; // wait until TC0 returned to zero
+ while (AT91C_BASE_TC0->TC_CV != 0) {}; // wait until TC0 returned to zero
 }
@@ -440,13 +436,9 @@ static void hts_set_frame_modulation(void) {
 */
 static void hts_handle_reader_command(uint8_t *rx, const size_t rxlen,
 uint8_t *tx, size_t *txlen) {
- uint8_t rx_air[HITAG_FRAME_LEN];
 uint64_t state;
 unsigned char crc;
- // Copy the (original) received frame how it is send over the air
- memcpy(rx_air, rx, nbytes(rxlen));
-
 // Reset the transmission frame length
 *txlen = 0;
@@ -612,7 +604,7 @@ static void hts_handle_reader_command(uint8_t *rx, const size_t rxlen,
 //write page, write block, read page or read block command received
 if ((rx[0] & 0xf0) == HITAGS_READ_PAGE) { //read page
 //send page data
- uint8_t page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
+ uint8_t page = ((rx[0] & 0x0f) << 4) + ((rx[1] & 0xf0) >> 4);
 *txlen = 32;
 tx[0] = tag.pages[page][0];
 tx[1] = tag.pages[page][1];
@@ -643,7 +635,7 @@ static void hts_handle_reader_command(uint8_t *rx, const size_t rxlen,
 } else if ((rx[0] & 0xf0) == HITAGS_READ_BLOCK) { //read block
- uint8_t page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
+ uint8_t page = ((rx[0] & 0x0f) << 4) + ((rx[1] & 0xf0) >> 4);
 *txlen = 32 * 4;
 //send page,...,page+3 data
@@ -673,7 +665,7 @@ static void hts_handle_reader_command(uint8_t *rx, const size_t rxlen,
 } else if ((rx[0] & 0xf0) == HITAGS_WRITE_PAGE) { //write page
- uint8_t page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
+ uint8_t page = ((rx[0] & 0x0f) << 4) + ((rx[1] & 0xf0) >> 4);
 if ((tag.LCON && page == 1) || (tag.LKP && (page == 2 || page == 3))) {
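Review bot: `page` on the new line at -612 is assembled from two nibbles of the received frame and can be any value 0..255, but tag.pages is filled with `4 * 64` bytes in hts_simulate (-746) and include/hitag.h defines HITAGS_MAX_PAGES as 64, so unless a bound is enforced outside the hunk `tag.pages[page]` reads past the array for page >= 64; the same expression is repeated at -643 (which then touches page..page+3), -673 and -689, where the write paths only check LCON/LKP and `page % 4`. I would reject the frame right after the computation, `if (page >= HITAGS_MAX_PAGES) { *txlen = 0; return; }` (with `page + 3` for the two block forms), following whatever this function already does for a refused command, or better fold the four copies into one helper, `static uint8_t hts_page_from_cmd(const uint8_t *rx)`, and check once. hts_handle_reader_command begins and ends outside these hunks, so an existing range check elsewhere in it is possible but not visible from the diff.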
@@ -689,7 +681,7 @@ static void hts_handle_reader_command(uint8_t *rx, const size_t rxlen,
 } else if ((rx[0] & 0xf0) == HITAGS_WRITE_BLOCK) { //write block
- uint8_t page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
+ uint8_t page = ((rx[0] & 0x0f) << 4) + ((rx[1] & 0xf0) >> 4);
 hts_set_frame_modulation();
 if (page % 4 != 0 || page == 0) {
@@ -723,8 +715,7 @@ void hts_simulate(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol) {
 int response = 0, overflow = 0;
 uint8_t rx[HITAG_FRAME_LEN];
 size_t rxlen = 0;
- uint8_t txbuf[HITAG_FRAME_LEN];
- uint8_t *tx = txbuf;
+ uint8_t tx[HITAG_FRAME_LEN];
 size_t txlen = 0;
 // Reset the received frame, frame count and timing info
@@ -746,13 +737,6 @@ void hts_simulate(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol) {
 // read tag data into memory
 if (tag_mem_supplied) {
-
- for (int i = 0; i < 16; i++) {
- for (int j = 0; j < 4; j++) {
- tag.pages[i][j] = 0x0;
- }
- }
-
 DbpString("Loading hitag S memory...");
 memcpy((uint8_t *)tag.pages, data, 4 * 64);
 } else {
@@ -888,7 +872,7 @@ void hts_simulate(bool tag_mem_supplied, const uint8_t *data, bool ledcontrol) {
 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
 // synchronized startup procedure
- while (AT91C_BASE_TC0->TC_CV > 0); // wait until TC0 returned to zero
+ while (AT91C_BASE_TC0->TC_CV != 0); // wait until TC0 returned to zero
 while ((BUTTON_PRESS() == false) && (data_available() == false)) {
@@ -997,7 +981,7 @@ static void hts_receive_frame(uint8_t *rx, size_t sizeofrx, size_t *rxlen, uint3
 // Dbprintf("TC0_CV:%i TC1_CV:%i TC1_RA:%i", AT91C_BASE_TC0->TC_CV, AT91C_BASE_TC1->TC_CV ,AT91C_BASE_TC1->TC_RA);
- // Receive frame, watch for at most T0*HITAG_T_PROG_MAX periods
+ // Receive tag frame, watch for at most T0*HITAG_T_PROG_MAX periods
 while (AT91C_BASE_TC0->TC_CV < (T0 * HITAG_T_PROG_MAX)) {
 // Check if falling edge in tag modulation is detected
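Review bot: With the zeroing loop removed at -746, `memcpy((uint8_t *)tag.pages, data, 4 * 64);` is the only initialisation of tag memory on the tag_mem_supplied path, so the literal `4 * 64` now silently carries the invariant that it covers every page; the include/hitag.h hunk defines exactly that product as HITAGS_MAX_BYTE_SIZE (HITAGS_MAX_PAGES * HITAGS_PAGE_SIZE). If that header is visible in armsrc/hitagS.c, `memcpy((uint8_t *)tag.pages, data, HITAGS_MAX_BYTE_SIZE);` states the intent, and a C11 `_Static_assert(sizeof(tag.pages) == HITAGS_MAX_BYTE_SIZE, "tag.pages size");` beside it would catch a later mismatch between the array and the copy. The caller's guarantee that `data` holds at least that many bytes is not visible in the hunk, and hts_simulate continues beyond it.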
@@ -1129,7 +1113,7 @@ static void hts_send_receive(const uint8_t *tx, size_t txlen, uint8_t *rx, size_
 if (ac_seq) {
 // Tag Response is AC encoded
- // We used UID Request Advanced, meaning AC SEQ header is 111.
+ // We used UID Request Advanced, meaning AC SEQ SOF is 111.
 for (int i = 7; i < rxlen; i += 2) {
 rx[k / 8] |= response_bit[i] << (7 - (k % 8));
diff --git a/client/src/cmdlfem410x.c b/client/src/cmdlfem410x.c
index 1cff87be3..7a01807ff 100644
--- a/client/src/cmdlfem410x.c
+++ b/client/src/cmdlfem410x.c
@@ -785,7 +785,7 @@ static int CmdEM410xClone(const char *Cmd) {
 }
 packet.cmd = WHTSF_82xx;
- memcpy(packet.pwd, (uint8_t[]) {0xBB, 0xDD, 0x33, 0x99}, 4);
+ memcpy(packet.pwd, "\xBB\xDD\x33\x99", 4);
 SendCommandNG(CMD_LF_HITAGS_WRITE, (uint8_t *)&packet, sizeof(packet));
 if (WaitForResponseTimeout(CMD_LF_HITAGS_WRITE, &resp, 4000) == false) {
 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
diff --git a/client/src/cmdlfhitaghts.c b/client/src/cmdlfhitaghts.c
index e364fccff..b53178e52 100644
--- a/client/src/cmdlfhitaghts.c
+++ b/client/src/cmdlfhitaghts.c
@@ -102,7 +102,7 @@ static int CmdLFHitagSRead(const char *Cmd) {
 " 8268/8310 password mode: \n"
 " - default password BBDD3399\n",
 " lf hitag hts rdbl -> Hitag S/8211, plain mode\n"
- " lf hitag hts rdbl --8 -k BBDD3399 -> 8268/8310, password mode\n"
+ " lf hitag hts rdbl --82xx -k BBDD3399 -> 8268/8310, password mode\n"
 " lf hitag hts rdbl --nrar 0102030411223344 -> Hitag S, challenge mode\n"
 " lf hitag hts rdbl --crypto -> Hitag S, crypto mode, def key\n"
 " lf hitag hts rdbl -k 4F4E4D494B52 -> Hitag S, crypto mode\n\n"
@@ -187,8 +187,6 @@ static int CmdLFHitagSRead(const char *Cmd) {
 lf_hitag_data_t packet;
 memset(&packet, 0, sizeof(packet));
- int pm3cmd = CMD_LF_HITAGS_READ;
-
 if (use_nrar) {
 packet.cmd = RHTSF_CHALLENGE;
 memcpy(packet.NrAr, nrar, sizeof(packet.NrAr));
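Review bot: The new line `memcpy(packet.pwd, "\xBB\xDD\x33\x99", 4);` at -785 hard-codes the 8268/8310 default password with a bare length, and the identical literal is introduced a second time in cmdlfhitaghts.c (-327), so the value now lives in two places that can drift. Since include/hitag.h already carries HITAG_PASSWORD_SIZE, I would define the default once next to it, for example `#define HITAGS_DEFAULT_PWD "\xBB\xDD\x33\x99"`, and write both call sites as `memcpy(packet.pwd, HITAGS_DEFAULT_PWD, HITAG_PASSWORD_SIZE);`. memcpy copies four bytes and ignores the literal's trailing NUL, so the string form behaves like the compound literal it replaces; the only loss is that the type no longer says uint8_t, which a one-line comment on the shared definition can cover.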
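Review bot: The help example on the new line at -102 now advertises `--82xx` for `lf hitag hts rdbl`, but the only argtable change in this diff is in CmdLFHitagSWrite (-263, `arg_lit0("8", "82xx", "8268/8310 mode")`); CmdLFHitagSRead's argtable is not in any hunk, so unless it already declares `82xx` the example as written will be rejected by the parser. Please confirm the read command's `arg_lit0` matches, and since the write side now also accepts the short `-8`, consider showing that form in one example too. CmdLFHitagSRead continues outside the hunk.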
@@ -205,10 +203,10 @@ static int CmdLFHitagSRead(const char *Cmd) {
 }
 clearCommandBuffer();
- SendCommandNG(pm3cmd, (uint8_t *) &packet, sizeof(packet));
+ SendCommandNG(CMD_LF_HITAGS_READ, (uint8_t *) &packet, sizeof(packet));
 PacketResponseNG resp;
- if (WaitForResponseTimeout(pm3cmd, &resp, 2000) == false) {
+ if (WaitForResponseTimeout(CMD_LF_HITAGS_READ, &resp, 2000) == false) {
 PrintAndLogEx(WARNING, "timeout while waiting for reply.");
 SendCommandNG(CMD_BREAK_LOOP, NULL, 0);
 return PM3_ETIMEOUT;
@@ -226,7 +224,7 @@ static int CmdLFHitagSRead(const char *Cmd) {
 uint8_t *data = resp.data.asBytes;
- hitags_config_t config = hitags_config_unpack(data + HITAGS_PAGE_SIZE);
+ hitags_config_t config = hitags_config_unpack(&data[HITAGS_PAGE_SIZE * HITAGS_CONFIG_PADR]);
 PrintAndLogEx(NORMAL, "");
 PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") " ---------------------------");
@@ -254,7 +252,7 @@ static int CmdLFHitagSWrite(const char *Cmd) {
 " 8268/8310 password mode: \n"
 " - default password BBDD3399\n",
 " lf hitag hts wrbl -p 6 -d 01020304 -> Hitag S/8211, plain mode\n"
- " lf hitag hts wrbl -p 6 -d 01020304 --8 -k BBDD3399 -> 8268/8310, password mode\n"
+ " lf hitag hts wrbl -p 6 -d 01020304 --82xx -k BBDD3399 -> 8268/8310, password mode\n"
 " lf hitag hts wrbl -p 6 -d 01020304 --nrar 0102030411223344 -> Hitag S, challenge mode\n"
 " lf hitag hts wrbl -p 6 -d 01020304 --crypto -> Hitag S, crypto mode, default key\n"
 " lf hitag hts wrbl -p 6 -d 01020304 -k 4F4E4D494B52 -> Hitag S, crypto mode\n\n"
@@ -263,7 +261,7 @@ static int CmdLFHitagSWrite(const char *Cmd) {
 void *argtable[] = {
 arg_param_begin,
 arg_str0(NULL, "nrar", "", "nonce / answer writer, 8 hex bytes"),
- arg_lit0(NULL, "8", "8268/8310 mode"),
+ arg_lit0("8", "82xx", "8268/8310 mode"),
 arg_lit0(NULL, "crypto", "crypto mode"),
 arg_str0("k", "key", "", "pwd or key, 4 or 6 hex bytes"),
 arg_int1("p", "page", "", "page address to write to"),
@@ -327,7 +325,7 @@ static int CmdLFHitagSWrite(const char *Cmd) {
 use_crypto = true;
 }
 if ((key_len == 0) && use_82xx) {
- memcpy(key, (uint8_t[]) {0xBB, 0xDD, 0x33, 0x99}, 4);
+ memcpy(key, "\xBB\xDD\x33\x99", 4);
 key_len = 4;
 }
 if ((key_len == 0) && use_crypto) {
diff --git a/include/hitag.h b/include/hitag.h
index 48a0030f3..7cd4ad283 100644
--- a/include/hitag.h
+++ b/include/hitag.h
@@ -27,6 +27,7 @@
 #define HITAG_PASSWORD_SIZE 4
 #define HITAG_UID_SIZE 4
 #define HITAG_BLOCK_SIZE 4
+
 #define HITAG2_MAX_BLOCKS 8
 #define HITAG2_MAX_BYTE_SIZE (HITAG2_MAX_BLOCKS * HITAG_BLOCK_SIZE)
@@ -34,9 +35,10 @@
 #define HITAGS_CRYPTOKEY_SIZE 6
 #define HITAGS_UID_SIZE 4
 #define HITAGS_PAGE_SIZE 4
-#define HITAGS_BLOCK_SIZE 4
+#define HITAGS_BLOCK_SIZE 16
 #define HITAGS_MAX_PAGES 64
 #define HITAGS_MAX_BYTE_SIZE (HITAGS_MAX_PAGES * HITAGS_PAGE_SIZE)
+#define HITAGS_CONFIG_PADR 1
 // need to see which limits these cards has
 #define HITAG1_MAX_BYTE_SIZE 64
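Review bot: `HITAGS_BLOCK_SIZE` goes from 4 to 16 in a shared header at -34, which silently changes every existing user of the macro across the tree, and none are updated in this diff; the other hunks here never reference it, so from the page alone I cannot tell whether some buffer or copy length still assumes a block is one page. I would express the relation rather than the number, `#define HITAGS_BLOCK_SIZE (4 * HITAGS_PAGE_SIZE) // a block is 4 pages (see the read/write block handlers in armsrc/hitagS.c)`, which matches the `page % 4` and `page..page+3` handling in hitagS.c. The new `HITAGS_CONFIG_PADR 1` also deserves its meaning, `// page address of the configuration page`, since cmdlfhitaghts.c (-226) uses it as a page index into the read-back data.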