mirror of
https://github.com/Proxmark/proxmark3.git
synced 2024-09-21 23:36:51 +08:00
update em4x05/em4x69 cmds
@iceman1001 s updates + some of my own. still more to do: -auto demod responses -figure out config block -figure out block 0 info / serial # in block 1 -figure out block 3 protection data -add dump all blocks cmd
This commit is contained in:
parent
f1e6629b11
commit
7666f4608e
|
@ -1017,10 +1017,10 @@ void UsbPacketReceived(uint8_t *packet, int len)
|
|||
WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
|
||||
break;
|
||||
case CMD_EM4X_READ_WORD:
|
||||
EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
|
||||
EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
|
||||
break;
|
||||
case CMD_EM4X_WRITE_WORD:
|
||||
EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
|
||||
EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
|
||||
break;
|
||||
case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
|
||||
CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
|
||||
|
|
|
@ -88,7 +88,7 @@ void T55xxWakeUp(uint32_t Pwd);
|
|||
void TurnReadLFOn();
|
||||
//void T55xxReadTrace(void);
|
||||
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
|
||||
void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
|
||||
void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
|
||||
void Cotag(uint32_t arg0);
|
||||
|
||||
/// iso14443.h
|
||||
|
|
|
@ -684,7 +684,7 @@ void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
|
|||
for (i=0; i<size; i++){
|
||||
askSimBit(BitStream[i]^invert, &n, clk, encoding);
|
||||
}
|
||||
if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for biphase phase)
|
||||
if (encoding==0 && BitStream[0]==BitStream[size-1]){ //run a second set inverted (for ask/raw || biphase phase)
|
||||
for (i=0; i<size; i++){
|
||||
askSimBit(BitStream[i]^invert^1, &n, clk, encoding);
|
||||
}
|
||||
|
@ -1358,7 +1358,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
|
|||
//Config for Indala (RF/32;PSK1 with RF/2;Maxblock=7)
|
||||
data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (7 << T55x7_MAXBLOCK_SHIFT);
|
||||
//TODO add selection of chip for Q5 or T55x7
|
||||
// data[0] = (((32-2)/2)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
|
||||
// data[0] = (((32-2)>>1)<<T5555_BITRATE_SHIFT) | T5555_MODULATION_PSK1 | 7 << T5555_MAXBLOCK_SHIFT;
|
||||
WriteT55xx(data, 0, 8);
|
||||
//Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
|
||||
// T5567WriteBlock(0x603E10E2,0);
|
||||
|
@ -1367,7 +1367,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
|
|||
// clone viking tag to T55xx
|
||||
void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
|
||||
uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
|
||||
if (Q5) data[0] = (32 << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
|
||||
if (Q5) data[0] = ( ((32-2)>>1) << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
|
||||
// Program the data blocks for supplied ID and the block 0 config
|
||||
WriteT55xx(data, 0, 3);
|
||||
LED_D_OFF();
|
||||
|
@ -1571,8 +1571,6 @@ void SendForward(uint8_t fwd_bit_count) {
|
|||
fwd_write_ptr = forwardLink_data;
|
||||
fwd_bit_sz = fwd_bit_count;
|
||||
|
||||
LED_D_ON();
|
||||
|
||||
// Set up FPGA, 125kHz
|
||||
LFSetupFPGAForADC(95, true);
|
||||
|
||||
|
@ -1580,7 +1578,7 @@ void SendForward(uint8_t fwd_bit_count) {
|
|||
fwd_bit_sz--; //prepare next bit modulation
|
||||
fwd_write_ptr++;
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
|
||||
SpinDelayUs(55*8); //55 cycles off (8us each)for 4305
|
||||
SpinDelayUs(56*8); //55 cycles off (8us each)for 4305
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
|
||||
SpinDelayUs(16*8); //16 cycles on (8us each)
|
||||
|
||||
|
@ -1591,9 +1589,9 @@ void SendForward(uint8_t fwd_bit_count) {
|
|||
else {
|
||||
//These timings work for 4469/4269/4305 (with the 55*8 above)
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
|
||||
SpinDelayUs(23*8); //16-4 cycles off (8us each)
|
||||
SpinDelayUs(20*8); //16-4 cycles off (8us each) //23
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);//field on
|
||||
SpinDelayUs(9*8); //16 cycles on (8us each)
|
||||
SpinDelayUs(12*8); //16 cycles on (8us each) //9
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1615,13 +1613,11 @@ void EM4xLogin(uint32_t Password) {
|
|||
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
|
||||
|
||||
uint8_t fwd_bit_count;
|
||||
uint8_t *dest = BigBuf_get_addr();
|
||||
uint16_t bufferlength = BigBuf_max_traceLen();
|
||||
uint32_t i = 0;
|
||||
|
||||
// Clear destination buffer before sending the command
|
||||
BigBuf_Clear_ext(false);
|
||||
|
||||
LED_A_ON();
|
||||
//If password mode do login
|
||||
if (PwdMode == 1) EM4xLogin(Pwd);
|
||||
|
||||
|
@ -1629,36 +1625,28 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
|
|||
fwd_bit_count = Prepare_Cmd( FWD_CMD_READ );
|
||||
fwd_bit_count += Prepare_Addr( Address );
|
||||
|
||||
// Connect the A/D to the peak-detected low-frequency path.
|
||||
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
|
||||
// Now set up the SSC to get the ADC samples that are now streaming at us.
|
||||
FpgaSetupSsc();
|
||||
|
||||
SendForward(fwd_bit_count);
|
||||
|
||||
// Now do the acquisition
|
||||
i = 0;
|
||||
for(;;) {
|
||||
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
|
||||
AT91C_BASE_SSC->SSC_THR = 0x43;
|
||||
}
|
||||
if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
|
||||
dest[i] = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
i++;
|
||||
if (i >= bufferlength) break;
|
||||
}
|
||||
}
|
||||
DoAcquisition_config(TRUE);
|
||||
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
|
||||
LED_A_OFF();
|
||||
cmd_send(CMD_ACK,0,0,0,0,0);
|
||||
LED_D_OFF();
|
||||
}
|
||||
|
||||
void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
|
||||
|
||||
void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
|
||||
|
||||
bool PwdMode = (flag & 0xF);
|
||||
uint8_t Address = (flag >> 8) & 0xFF;
|
||||
uint8_t fwd_bit_count;
|
||||
|
||||
//clear buffer now so it does not interfere with timing later
|
||||
BigBuf_Clear_ext(false);
|
||||
|
||||
LED_A_ON();
|
||||
//If password mode do login
|
||||
if (PwdMode == 1) EM4xLogin(Pwd);
|
||||
if (PwdMode) EM4xLogin(Pwd);
|
||||
|
||||
forward_ptr = forwardLink_data;
|
||||
fwd_bit_count = Prepare_Cmd( FWD_CMD_WRITE );
|
||||
|
@ -1669,8 +1657,13 @@ void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode
|
|||
|
||||
//Wait for write to complete
|
||||
SpinDelay(20);
|
||||
|
||||
//Capture response if one exists
|
||||
DoAcquisition_config(TRUE);
|
||||
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
|
||||
LED_D_OFF();
|
||||
LED_A_OFF();
|
||||
cmd_send(CMD_ACK,0,0,0,0,0);
|
||||
}
|
||||
/*
|
||||
Reading a COTAG.
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
#include "cmdparser.h"
|
||||
#include "cmddata.h"
|
||||
#include "cmdlf.h"
|
||||
#include "cmdmain.h"
|
||||
#include "cmdlfem4x.h"
|
||||
#include "lfdemod.h"
|
||||
|
||||
|
@ -285,7 +286,7 @@ uint32_t OutputEM4x50_Block(uint8_t *BitStream, size_t size, bool verbose, bool
|
|||
}
|
||||
return code;
|
||||
}
|
||||
/* Read the transmitted data of an EM4x50 tag
|
||||
/* Read the transmitted data of an EM4x50 tag from the graphbuffer
|
||||
* Format:
|
||||
*
|
||||
* XXXXXXXX [row parity bit (even)] <- 8 bits plus parity
|
||||
|
@ -498,53 +499,122 @@ int CmdEM4x50Read(const char *Cmd)
|
|||
return EM4x50Read(Cmd, true);
|
||||
}
|
||||
|
||||
int CmdReadWord(const char *Cmd)
|
||||
{
|
||||
int Word = -1; //default to invalid word
|
||||
UsbCommand c;
|
||||
int usage_lf_em_read(void) {
|
||||
PrintAndLog("Read EM4x05/EM4x69. Tag must be on antenna. ");
|
||||
PrintAndLog("");
|
||||
PrintAndLog("Usage: lf em readword [h] <address> <pwd>");
|
||||
PrintAndLog("Options:");
|
||||
PrintAndLog(" h - this help");
|
||||
PrintAndLog(" address - memory address to read. (0-15)");
|
||||
PrintAndLog(" pwd - password (hex) (optional)");
|
||||
PrintAndLog("samples:");
|
||||
PrintAndLog(" lf em readword 1");
|
||||
PrintAndLog(" lf em readword 1 11223344");
|
||||
return 0;
|
||||
}
|
||||
int CmdReadWord(const char *Cmd) {
|
||||
int addr, pwd;
|
||||
bool usePwd = false;
|
||||
uint8_t ctmp = param_getchar(Cmd, 0);
|
||||
if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_read();
|
||||
|
||||
addr = param_get8ex(Cmd, 0, -1, 10);
|
||||
pwd = param_get32ex(Cmd, 1, -1, 16);
|
||||
|
||||
sscanf(Cmd, "%d", &Word);
|
||||
|
||||
if ( (Word > 15) | (Word < 0) ) {
|
||||
PrintAndLog("Word must be between 0 and 15");
|
||||
if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) {
|
||||
PrintAndLog("Address must be between 0 and 15");
|
||||
return 1;
|
||||
}
|
||||
if ( pwd == -1 )
|
||||
PrintAndLog("Reading address %d", addr);
|
||||
else {
|
||||
usePwd = true;
|
||||
PrintAndLog("Reading address %d | password %08X", addr, pwd);
|
||||
}
|
||||
|
||||
PrintAndLog("Reading word %d", Word);
|
||||
|
||||
c.cmd = CMD_EM4X_READ_WORD;
|
||||
c.d.asBytes[0] = 0x0; //Normal mode
|
||||
c.arg[0] = 0;
|
||||
c.arg[1] = Word;
|
||||
c.arg[2] = 0;
|
||||
SendCommand(&c);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CmdReadWordPWD(const char *Cmd)
|
||||
{
|
||||
int Word = -1; //default to invalid word
|
||||
int Password = 0xFFFFFFFF; //default to blank password
|
||||
UsbCommand c;
|
||||
|
||||
sscanf(Cmd, "%d %x", &Word, &Password);
|
||||
|
||||
if ( (Word > 15) | (Word < 0) ) {
|
||||
PrintAndLog("Word must be between 0 and 15");
|
||||
return 1;
|
||||
}
|
||||
|
||||
PrintAndLog("Reading word %d with password %08X", Word, Password);
|
||||
|
||||
c.cmd = CMD_EM4X_READ_WORD;
|
||||
c.d.asBytes[0] = 0x1; //Password mode
|
||||
c.arg[0] = 0;
|
||||
c.arg[1] = Word;
|
||||
c.arg[2] = Password;
|
||||
UsbCommand c = {CMD_EM4X_READ_WORD, {addr, pwd, usePwd}};
|
||||
clearCommandBuffer();
|
||||
SendCommand(&c);
|
||||
UsbCommand resp;
|
||||
if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)){
|
||||
PrintAndLog("Command timed out");
|
||||
return -1;
|
||||
}
|
||||
|
||||
uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
|
||||
GetFromBigBuf(got, sizeof(got), 0);
|
||||
if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {
|
||||
PrintAndLog("command execution time out");
|
||||
return 0;
|
||||
}
|
||||
setGraphBuf(got, sizeof(got));
|
||||
//todo: demodulate read data
|
||||
return 1;
|
||||
}
|
||||
|
||||
int usage_lf_em_write(void) {
|
||||
PrintAndLog("Write EM4x05/EM4x69. Tag must be on antenna. ");
|
||||
PrintAndLog("");
|
||||
PrintAndLog("Usage: lf em writeword [h] <address> <data> <pwd>");
|
||||
PrintAndLog("Options:");
|
||||
PrintAndLog(" h - this help");
|
||||
PrintAndLog(" address - memory address to write to. (0-15)");
|
||||
PrintAndLog(" data - data to write (hex)");
|
||||
PrintAndLog(" pwd - password (hex) (optional)");
|
||||
PrintAndLog("samples:");
|
||||
PrintAndLog(" lf em writeword 1");
|
||||
PrintAndLog(" lf em writeword 1 deadc0de 11223344");
|
||||
return 0;
|
||||
}
|
||||
int CmdWriteWord(const char *Cmd) {
|
||||
uint8_t ctmp = param_getchar(Cmd, 0);
|
||||
if ( strlen(Cmd) == 0 || ctmp == 'H' || ctmp == 'h' ) return usage_lf_em_write();
|
||||
|
||||
bool usePwd = false;
|
||||
|
||||
int addr = 16; // default to invalid address
|
||||
int data = 0xFFFFFFFF; // default to blank data
|
||||
int pwd = 0xFFFFFFFF; // default to blank password
|
||||
|
||||
addr = param_get8ex(Cmd, 0, -1, 10);
|
||||
data = param_get32ex(Cmd, 1, -1, 16);
|
||||
pwd = param_get32ex(Cmd, 2, -1, 16);
|
||||
|
||||
|
||||
if ( (addr > 15) || (addr < 0 ) || ( addr == -1) ) {
|
||||
PrintAndLog("Address must be between 0 and 15");
|
||||
return 1;
|
||||
}
|
||||
if ( pwd == -1 )
|
||||
PrintAndLog("Writing address %d data %08X", addr, data);
|
||||
else {
|
||||
usePwd = true;
|
||||
PrintAndLog("Writing address %d data %08X using password %08X", addr, data, pwd);
|
||||
}
|
||||
|
||||
uint16_t flag = (addr << 8 ) | usePwd;
|
||||
|
||||
UsbCommand c = {CMD_EM4X_WRITE_WORD, {flag, data, pwd}};
|
||||
clearCommandBuffer();
|
||||
SendCommand(&c);
|
||||
UsbCommand resp;
|
||||
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
|
||||
PrintAndLog("Error occurred, device did not respond during write operation.");
|
||||
return -1;
|
||||
}
|
||||
//get response if there is one
|
||||
uint8_t got[6000]; // 8 bit preamble + 32 bit word response (max clock (128) * 40bits = 5120 samples)
|
||||
GetFromBigBuf(got, sizeof(got), 0);
|
||||
if ( !WaitForResponseTimeout(CMD_ACK, NULL, 8000) ) {
|
||||
PrintAndLog("command execution time out");
|
||||
return 0;
|
||||
}
|
||||
setGraphBuf(got, sizeof(got));
|
||||
//todo: check response for 00001010 then write data for write confirmation!
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
int CmdWriteWord(const char *Cmd)
|
||||
{
|
||||
int Word = 16; //default to invalid block
|
||||
|
@ -593,7 +663,7 @@ int CmdWriteWordPWD(const char *Cmd)
|
|||
SendCommand(&c);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*/
|
||||
static command_t CommandTable[] =
|
||||
{
|
||||
{"help", CmdHelp, 1, "This help"},
|
||||
|
@ -603,11 +673,11 @@ static command_t CommandTable[] =
|
|||
{"em410xwatch", CmdEM410xWatch, 0, "['h'] -- Watches for EM410x 125/134 kHz tags (option 'h' for 134)"},
|
||||
{"em410xspoof", CmdEM410xWatchnSpoof, 0, "['h'] --- Watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)" },
|
||||
{"em410xwrite", CmdEM410xWrite, 0, "<UID> <'0' T5555> <'1' T55x7> [clock rate] -- Write EM410x UID to T5555(Q5) or T55x7 tag, optionally setting clock rate"},
|
||||
{"em4x50read", CmdEM4x50Read, 1, "Extract data from EM4x50 tag"},
|
||||
{"readword", CmdReadWord, 1, "<Word> -- Read EM4xxx word data"},
|
||||
{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
|
||||
{"writeword", CmdWriteWord, 1, "<Data> <Word> -- Write EM4xxx word data"},
|
||||
{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
|
||||
{"em4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
|
||||
{"readword", CmdReadWord, 1, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
|
||||
//{"readwordPWD", CmdReadWordPWD, 1, "<Word> <Password> -- Read EM4xxx word data in password mode"},
|
||||
{"writeword", CmdWriteWord, 1, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
|
||||
//{"writewordPWD", CmdWriteWordPWD, 1, "<Data> <Word> <Password> -- Write EM4xxx word data in password mode"},
|
||||
{NULL, NULL, 0, NULL}
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue