update em4x05/em4x69 cmds

@iceman1001 s updates + some of my own. still more to do: -auto demod responses -figure out config block -figure out block 0 info / serial # in block 1 -figure out block 3 protection data -add dump all blocks cmd
2025-08-19 12:59:44 -07:00 · 2017-02-12 23:59:44 -05:00 · 2017-02-12 23:59:44 -05:00 · 7666f4608e
commit 7666f4608e
parent f1e6629b11
4 changed files with 144 additions and 81 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -1017,10 +1017,10 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
 			break;
 		case CMD_EM4X_READ_WORD:
-			EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
+			EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
 			break;
 		case CMD_EM4X_WRITE_WORD:
-			EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
+			EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
 			break;
 		case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
 			CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -88,7 +88,7 @@ void T55xxWakeUp(uint32_t Pwd);
 void TurnReadLFOn();
 //void T55xxReadTrace(void);
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
-void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
+void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
 void Cotag(uint32_t arg0);
 /// iso14443.h
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@ -684,7 +684,7 @@ void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
 		for (i=0; i<size; i++){
 			askSimBit(BitStream[i]^invert, &n, clk, encoding);
 		}
-		if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for biphase phase)
+		if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
 			for (i=0; i<size; i++){
 				askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
 			}
@ -1358,7 +1358,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
 	//Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
 	data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
 	//TODO add selection of chip for Q5 or T55x7
-	// data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
+	// data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
 	WriteT55xx(data, 0, 8);
 	//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
 	//	T5567WriteBlock(0x603E10E2,0);
@ -1367,7 +1367,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
 // clone viking tag to T55xx
 void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
 	uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
-	if (Q5) data[0] = (32 << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
+	if (Q5) data[0] = ( ((32-2)>>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
 	// Program the data blocks for supplied ID and the block 0 config
 	WriteT55xx(data, 0, 3);
 	LED_D_OFF();
@ -1571,8 +1571,6 @@ void SendForward(uint8_t fwd_bit_count) {
 	fwd_write_ptr = forwardLink_data;
 	fwd_bit_sz = fwd_bit_count;
 	LED_D_ON();
 	// Set up FPGA, 125kHz
 	LFSetupFPGAForADC(95, true);
@ -1580,7 +1578,7 @@ void SendForward(uint8_t fwd_bit_count) {
 	fwd_bit_sz--; //prepare next bit modulation
 	fwd_write_ptr++;
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-	SpinDelayUs(55*8); //55 cycles off (8us each)for 4305
+	SpinDelayUs(56*8); //55 cycles off (8us each)for 4305
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
 	SpinDelayUs(16*8); //16 cycles on (8us each)
@ -1591,9 +1589,9 @@ void SendForward(uint8_t fwd_bit_count) {
 		else {
 			//These timings work for 4469/4269/4305 (with the 55*8 above)
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-			SpinDelayUs(23*8); //16-4 cycles off (8us each)
+			SpinDelayUs(20*8); //16-4 cycles off (8us each) //23
 			FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
-			SpinDelayUs(9*8); //16 cycles on (8us each)
+			SpinDelayUs(12*8); //16 cycles on (8us each) //9
 		}
 	}
 }
@ -1615,13 +1613,11 @@ void EM4xLogin(uint32_t Password) {
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
 	uint8_t fwd_bit_count;
 	uint8_t *dest = BigBuf_get_addr();
 	uint16_t bufferlength = BigBuf_max_traceLen();
 	uint32_t i = 0;
 	// Clear destination buffer before sending the command
 	BigBuf_Clear_ext(false);
 	LED_A_ON();
 	//If password mode do login
 	if (PwdMode == 1) EM4xLogin(Pwd);
@ -1629,36 +1625,28 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
 	fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
 	fwd_bit_count += Prepare_Addr( Address );
 	// Connect the A/D to the peak-detected low-frequency path.
 	SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
 	// Now set up the SSC to get the ADC samples that are now streaming at us.
 	FpgaSetupSsc();
 	SendForward(fwd_bit_count);
 	// Now do the acquisition
-	i = 0;
+	DoAcquisition_config(TRUE);
-	for(;;) {
+	
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 			AT91C_BASE_SSC->SSC_THR = 0x43;
 		}
 		if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
 			dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
 			i++;
 			if (i >= bufferlength) break;
 		}
 	}
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	LED_A_OFF();
 	cmd_send(CMD_ACK,0,0,0,0,0);
 	LED_D_OFF();
 }
-void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
+void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
 	bool PwdMode = (flag & 0xF);
 	uint8_t Address = (flag >> 8) & 0xFF;
 	uint8_t fwd_bit_count;
 	//clear buffer now so it does not interfere with timing later
 	BigBuf_Clear_ext(false);
 	LED_A_ON();
 	//If password mode do login
-	if (PwdMode == 1) EM4xLogin(Pwd);
+	if (PwdMode) EM4xLogin(Pwd);
 	forward_ptr = forwardLink_data;
 	fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
@ -1669,8 +1657,13 @@ void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode
 	//Wait for write to complete
 	SpinDelay(20);
 	//Capture response if one exists
 	DoAcquisition_config(TRUE);
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
-	LED_D_OFF();
+	LED_A_OFF();
 	cmd_send(CMD_ACK,0,0,0,0,0);
 }
 /*
 Reading a COTAG.
--- a/client/cmdlfem4x.c
+++ b/client/cmdlfem4x.c
@ -18,6 +18,7 @@
 #include "cmdparser.h"
 #include "cmddata.h"
 #include "cmdlf.h"
 #include "cmdmain.h"
 #include "cmdlfem4x.h"
 #include "lfdemod.h"
@ -285,7 +286,7 @@ uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool
 	}
 	return code;
 }
-/* Read the transmitted data of an EM4x50 tag
+/* Read the transmitted data of an EM4x50 tag from the graphbuffer
 * Format:
 *
 *  XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
@ -498,53 +499,122 @@ int CmdEM4x50Read(const char *Cmd)
 	return EM4x50Read(Cmd, true);
 }
-int CmdReadWord(const char *Cmd)
+int usage_lf_em_read(void) {
-{
+	PrintAndLog("Read EM4x05/EM4x69.  Tag must be on antenna. ");
-	int Word = -1; //default to invalid word
+	PrintAndLog("");
-	UsbCommand c;
+	PrintAndLog("Usage:  lf em readword [h] <address> <pwd>");
 	PrintAndLog("Options:");
 	PrintAndLog("       h         - this help");
 	PrintAndLog("       address   - memory address to read. (0-15)");
 	PrintAndLog("       pwd       - password (hex) (optional)");
 	PrintAndLog("samples:");
 	PrintAndLog("      lf em readword 1");
 	PrintAndLog("      lf em readword 1 11223344");
 	return 0;
 }
 int CmdReadWord(const char *Cmd) {
 	int addr, pwd;
 	bool usePwd = false;
 	uint8_t ctmp = param_getchar(Cmd, 0);
 	if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read();
-	sscanf(Cmd, "%d", &Word);
+	addr = param_get8ex(Cmd, 0, -1, 10);
 	pwd =  param_get32ex(Cmd, 1, -1, 16);
-	if ( (Word > 15) | (Word < 0) ) {
+	if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) {
-		PrintAndLog("Word must be between 0 and 15");
+		PrintAndLog("Address must be between 0 and 15");
 		return 1;
 	}
 	if ( pwd == -1 )
 		PrintAndLog("Reading address %d", addr);
 	else {
 		usePwd = true;
 		PrintAndLog("Reading address %d | password %08X", addr, pwd);
 	}
-	PrintAndLog("Reading word %d", Word);
+	UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}};
-	
+	clearCommandBuffer();
 	c.cmd = CMD_EM4X_READ_WORD;
 	c.d.asBytes[0] = 0x0; //Normal mode
 	c.arg[0] = 0;
 	c.arg[1] = Word;
 	c.arg[2] = 0;
 	SendCommand(&c);
 	return 0;
 }
 int CmdReadWordPWD(const char *Cmd)
 {
 	int Word = -1; //default to invalid word
 	int Password = 0xFFFFFFFF; //default to blank password
 	UsbCommand c;
 	sscanf(Cmd, "%d %x", &Word, &Password);
 	if ( (Word > 15) | (Word < 0) ) {
 		PrintAndLog("Word must be between 0 and 15");
 		return 1;
 	}
 	PrintAndLog("Reading word %d with password %08X", Word, Password);
 	c.cmd = CMD_EM4X_READ_WORD;
 	c.d.asBytes[0] = 0x1; //Password mode
 	c.arg[0] = 0;
 	c.arg[1] = Word;
 	c.arg[2] = Password;
 	SendCommand(&c);
 	UsbCommand resp;	
 	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){
 		PrintAndLog("Command timed out");
 		return -1;
 	}
 	uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
 	GetFromBigBuf(got, sizeof(got), 0);
 	if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {
 		PrintAndLog("command execution time out");
 		return 0;
 	}
 	setGraphBuf(got, sizeof(got));
 	//todo: demodulate read data 
 	return 1;
 }
 int usage_lf_em_write(void) {
 	PrintAndLog("Write EM4x05/EM4x69.  Tag must be on antenna. ");
 	PrintAndLog("");
 	PrintAndLog("Usage:  lf em writeword [h] <address> <data> <pwd>");
 	PrintAndLog("Options:");
 	PrintAndLog("       h         - this help");
 	PrintAndLog("       address   - memory address to write to. (0-15)");
 	PrintAndLog("       data      - data to write (hex)");	
 	PrintAndLog("       pwd       - password (hex) (optional)");
 	PrintAndLog("samples:");
 	PrintAndLog("      lf em writeword 1");
 	PrintAndLog("      lf em writeword 1 deadc0de 11223344");
 	return 0;
 }
 int CmdWriteWord(const char *Cmd) {
 	uint8_t ctmp = param_getchar(Cmd, 0);
 	if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_write();
 	bool usePwd = false;
 	int addr = 16; // default to invalid address
 	int data = 0xFFFFFFFF; // default to blank data
 	int pwd = 0xFFFFFFFF; // default to blank password
 	addr = param_get8ex(Cmd, 0, -1, 10);
 	data = param_get32ex(Cmd, 1, -1, 16);
 	pwd =  param_get32ex(Cmd, 2, -1, 16);
 	if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) {
 		PrintAndLog("Address must be between 0 and 15");
 		return 1;
 	}
 	if ( pwd == -1 )
 		PrintAndLog("Writing address %d data %08X", addr, data);	
 	else {
 		usePwd = true;
 		PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd);		
 	}
 	uint16_t flag = (addr << 8 ) | usePwd;
 	UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}};
 	clearCommandBuffer();
 	SendCommand(&c);
 	UsbCommand resp;	
 	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
 		PrintAndLog("Error occurred, device did not respond during write operation.");
 		return -1;
 	}
 	//get response if there is one
 	uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
 	GetFromBigBuf(got, sizeof(got), 0);
 	if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {
 		PrintAndLog("command execution time out");
 		return 0;
 	}
 	setGraphBuf(got, sizeof(got));
 	//todo: check response for 00001010 then write data for write confirmation!
 	return 0;
 }
 /*
 int CmdWriteWord(const char *Cmd)
 {
 	int Word = 16; //default to invalid block
@ -593,7 +663,7 @@ int CmdWriteWordPWD(const char *Cmd)
 	SendCommand(&c);
 	return 0;
 }
-
+*/
 static command_t CommandTable[] =
 {
 	{"help", CmdHelp, 1, "This help"},
@ -603,11 +673,11 @@ static command_t CommandTable[] =
 	{"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
 	{"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
 	{"em410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
-	{"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
+	{"em4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
-	{"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
+	{"readword", CmdReadWord, 1, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
-	{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
+	//{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
-	{"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
+	{"writeword", CmdWriteWord, 1, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
-	{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
+	//{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
 	{NULL, NULL, 0, NULL}
 };