mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2024-09-22 00:06:13 +08:00
Merge pull request #798 from tharexde/dev_em4x50_info_write
EM4x50 missing functions 4x50_info, 4x50_ write, 4x50_write_password
This commit is contained in:
commit
179bcad27d
|
@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
|
|||
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
|
||||
|
||||
## [unreleased][unreleased]
|
||||
- Added lf em functions: 4x50_info, 4x50_write, 4x50_write_password (@tharexde)
|
||||
- Fix em4x50 demodulation error (@tharexde)
|
||||
- Fix `hf mfdes` authentification issues, DES working (@bkerler)
|
||||
- Add Android cross-compilation to client cmake (@dxl, @doegox)
|
||||
|
|
|
@ -63,6 +63,12 @@ else
|
|||
SRC_HITAG =
|
||||
endif
|
||||
|
||||
ifneq (,$(findstring WITH_EM4x50,$(APP_CFLAGS)))
|
||||
SRC_EM4x50 = em4x50.c
|
||||
else
|
||||
SRC_EM4x50 =
|
||||
endif
|
||||
|
||||
ifneq (,$(findstring WITH_LCD,$(APP_CFLAGS)))
|
||||
SRC_LCD = fonts.c LCD.c
|
||||
else
|
||||
|
@ -99,6 +105,7 @@ THUMBSRC = start.c \
|
|||
$(SRC_SMARTCARD) \
|
||||
$(SRC_FPC) \
|
||||
$(SRC_HITAG) \
|
||||
$(SRC_EM4x50) \
|
||||
$(SRC_SPIFFS) \
|
||||
$(SRC_ISO14443a) \
|
||||
$(SRC_ISO14443b) \
|
||||
|
|
|
@ -29,6 +29,7 @@
|
|||
#include "felica.h"
|
||||
#include "hitag2.h"
|
||||
#include "hitagS.h"
|
||||
#include "em4x50.h"
|
||||
#include "iclass.h"
|
||||
#include "legicrfsim.h"
|
||||
#include "epa.h"
|
||||
|
@ -454,6 +455,11 @@ static void SendCapabilities(void) {
|
|||
#else
|
||||
capabilities.compiled_with_hitag = false;
|
||||
#endif
|
||||
#ifdef WITH_EM4x50
|
||||
capabilities.compiled_with_em4x50 = true;
|
||||
#else
|
||||
capabilities.compiled_with_em4x50 = false;
|
||||
#endif
|
||||
#ifdef WITH_HFSNIFF
|
||||
capabilities.compiled_with_hfsniff = true;
|
||||
#else
|
||||
|
@ -1000,6 +1006,21 @@ static void PacketReceived(PacketCommandNG *packet) {
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef WITH_EM4x50
|
||||
case CMD_LF_EM4X50_INFO: {
|
||||
em4x50_info((em4x50_data_t *)packet->data.asBytes);
|
||||
break;
|
||||
}
|
||||
case CMD_LF_EM4X50_WRITE: {
|
||||
em4x50_write((em4x50_data_t *)packet->data.asBytes);
|
||||
break;
|
||||
}
|
||||
case CMD_LF_EM4X50_WRITE_PASSWORD: {
|
||||
em4x50_write_password((em4x50_data_t *)packet->data.asBytes);
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef WITH_ISO15693
|
||||
case CMD_HF_ISO15693_ACQ_RAW_ADC: {
|
||||
AcquireRawAdcSamplesIso15693();
|
||||
|
|
911
armsrc/em4x50.c
Normal file
911
armsrc/em4x50.c
Normal file
|
@ -0,0 +1,911 @@
|
|||
//-----------------------------------------------------------------------------
|
||||
// Copyright (C) 2020 tharexde
|
||||
//
|
||||
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
||||
// at your option, any later version. See the LICENSE.txt file for the text of
|
||||
// the license.
|
||||
//-----------------------------------------------------------------------------
|
||||
// Low frequency EM4x50 commands
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
#include "fpgaloader.h"
|
||||
#include "ticks.h"
|
||||
#include "dbprint.h"
|
||||
#include "lfadc.h"
|
||||
#include "commonutil.h"
|
||||
#include "em4x50.h"
|
||||
|
||||
// 4 data bytes
|
||||
// + byte with row parities
|
||||
// + column parity byte
|
||||
// + byte with stop bit
|
||||
|
||||
static em4x50_tag_t tag = {
|
||||
.sectors = {
|
||||
[0] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // password
|
||||
[1] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // protection word
|
||||
[2] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // control word
|
||||
[3] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[4] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[5] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[7] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[9] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[10] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[11] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[12] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[13] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[14] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[15] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[17] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[18] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[19] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[20] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[21] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[22] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[23] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[24] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[25] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[26] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[27] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[28] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[29] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[30] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[31] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
|
||||
[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device serial number
|
||||
[33] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device identification
|
||||
},
|
||||
};
|
||||
|
||||
// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
|
||||
// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
|
||||
// EM4x50 units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
|
||||
// T0 = TIMER_CLOCK1 / 125000 = 192
|
||||
|
||||
#ifndef T0
|
||||
#define T0 192
|
||||
#endif
|
||||
|
||||
#define EM4X50_T_TAG_QUARTER_PERIOD 16
|
||||
#define EM4X50_T_TAG_HALF_PERIOD 32
|
||||
#define EM4X50_T_TAG_THREE_QUARTER_PERIOD 48
|
||||
#define EM4X50_T_TAG_FULL_PERIOD 64
|
||||
#define EM4X50_T_WAITING_FOR_LIW 500
|
||||
#define EM4X50_T_TAG_TPP 64
|
||||
#define EM4X50_T_TAG_TWA 64
|
||||
|
||||
#define EM4X50_TAG_TOLERANCE 8
|
||||
#define EM4X50_TAG_WORD 45
|
||||
|
||||
#define EM4X50_BIT_0 0
|
||||
#define EM4X50_BIT_1 1
|
||||
#define EM4X50_BIT_OTHER 2
|
||||
|
||||
#define EM4X50_COMMAND_LOGIN 0x01
|
||||
#define EM4X50_COMMAND_RESET 0x80
|
||||
#define EM4X50_COMMAND_WRITE 0x12
|
||||
#define EM4X50_COMMAND_WRITE_PASSWORD 0x11
|
||||
#define EM4X50_COMMAND_SELECTIVE_READ 0x0A
|
||||
|
||||
#define FPGA_TIMER_0 0
|
||||
|
||||
int gHigh = 0;
|
||||
int gLow = 0;
|
||||
|
||||
// auxiliary functions
|
||||
|
||||
static void init_tag(void) {
|
||||
|
||||
// initialize global tag structure
|
||||
|
||||
for (int i = 0; i < 34; i++)
|
||||
for (int j = 0; j < 7; j++)
|
||||
tag.sectors[i][j] = 0x00;
|
||||
}
|
||||
|
||||
static uint8_t bits2byte(uint8_t *bits, int length) {
|
||||
|
||||
// converts <length> separate bits into a single "byte"
|
||||
|
||||
uint8_t byte = 0;
|
||||
|
||||
for (int i = 0; i < length; i++) {
|
||||
|
||||
byte |= bits[i];
|
||||
|
||||
if (i != length-1)
|
||||
byte <<= 1;
|
||||
}
|
||||
|
||||
return byte;
|
||||
}
|
||||
|
||||
static void msb2lsb_word(uint8_t *word) {
|
||||
|
||||
// reorders given <word> according to EM4x50 datasheet (msb -> lsb)
|
||||
|
||||
uint8_t buff[4];
|
||||
|
||||
buff[0] = reflect8(word[3]);
|
||||
buff[1] = reflect8(word[2]);
|
||||
buff[2] = reflect8(word[1]);
|
||||
buff[3] = reflect8(word[0]);
|
||||
|
||||
word[0] = buff[0];
|
||||
word[1] = buff[1];
|
||||
word[2] = buff[2];
|
||||
word[3] = buff[3];
|
||||
}
|
||||
|
||||
static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) {
|
||||
|
||||
// split "raw" word into data, row and column parity bits and stop bit and
|
||||
// save them in global tag structure
|
||||
|
||||
uint8_t row_parity[4];
|
||||
uint8_t col_parity[8];
|
||||
|
||||
// data and row parities
|
||||
for (int i = 0; i < 4; i++) {
|
||||
tag.sectors[pos][i] = bits2byte(&bits[9*i],8);
|
||||
row_parity[i] = bits[9*i+8];
|
||||
}
|
||||
|
||||
tag.sectors[pos][4] = bits2byte(row_parity,4);
|
||||
|
||||
// column parities
|
||||
for (int i = 0; i < 8; i++)
|
||||
col_parity[i] = bits[36+i];
|
||||
|
||||
tag.sectors[pos][5] = bits2byte(col_parity,8);
|
||||
|
||||
// stop bit
|
||||
tag.sectors[pos][6] = bits[44];
|
||||
}
|
||||
|
||||
static void wait_timer(int timer, uint32_t period) {
|
||||
|
||||
// do nothing for <period> using timer <timer>
|
||||
|
||||
if (timer == FPGA_TIMER_0) {
|
||||
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
|
||||
while (AT91C_BASE_TC0->TC_CV < period);
|
||||
|
||||
} else {
|
||||
|
||||
AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
|
||||
while (AT91C_BASE_TC1->TC_CV < period);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
static void em4x50_setup_read(void) {
|
||||
|
||||
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
|
||||
|
||||
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
|
||||
|
||||
// 50ms for the resonant antenna to settle.
|
||||
SpinDelay(50);
|
||||
// Now set up the SSC to get the ADC samples that are now streaming at us.
|
||||
FpgaSetupSsc();
|
||||
// start a 1.5ticks is 1us
|
||||
StartTicks();
|
||||
|
||||
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);
|
||||
|
||||
// Connect the A/D to the peak-detected low-frequency path.
|
||||
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
|
||||
|
||||
// Steal this pin from the SSP (SPI communication channel with fpga) and
|
||||
// use it to control the modulation
|
||||
AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
|
||||
AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
|
||||
|
||||
// Disable modulation at default, which means enable the field
|
||||
LOW(GPIO_SSC_DOUT);
|
||||
|
||||
// Enable Peripheral Clock for
|
||||
// TIMER_CLOCK0, used to measure exact timing before answering
|
||||
// TIMER_CLOCK1, used to capture edges of the tag frames
|
||||
AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
|
||||
AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
|
||||
|
||||
// Disable timer during configuration
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
|
||||
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
|
||||
|
||||
// TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
|
||||
AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
|
||||
|
||||
// TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
|
||||
AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
|
||||
|
||||
// Enable and reset counters
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
|
||||
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
|
||||
|
||||
// synchronized startup procedure
|
||||
while (AT91C_BASE_TC0->TC_CV > 0) {}; // wait until TC1 returned to zero
|
||||
|
||||
// Watchdog hit
|
||||
WDT_HIT();
|
||||
}
|
||||
|
||||
// functions for "reader" use case
|
||||
|
||||
static void get_signalproperties(void) {
|
||||
|
||||
// calculate signal properties (mean amplitudes) from measured data:
|
||||
// 32 amplitudes (maximum values) -> mean amplitude value -> gHigh -> gLow
|
||||
|
||||
int no_periods = 32, pct = 75, noise = 140;
|
||||
uint8_t sample = 0, sample_ref = 127;
|
||||
uint8_t sample_max_mean = 0;
|
||||
uint8_t sample_max[no_periods];
|
||||
uint32_t sample_max_sum = 0;
|
||||
|
||||
// wait until signal/noise > 1
|
||||
while (AT91C_BASE_SSC->SSC_RHR < noise);
|
||||
|
||||
// calculate mean maximum value of 32 periods, each period has a length of
|
||||
// 3 single "full periods" to eliminate the influence of a listen window
|
||||
for (int i = 0; i < no_periods; i++) {
|
||||
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * 3 * EM4X50_T_TAG_FULL_PERIOD) {
|
||||
|
||||
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
|
||||
if (sample > sample_max[i])
|
||||
sample_max[i] = sample;
|
||||
|
||||
}
|
||||
|
||||
sample_max_sum += sample_max[i];
|
||||
}
|
||||
|
||||
sample_max_mean = sample_max_sum / no_periods;
|
||||
|
||||
// set global envelope variables
|
||||
gHigh = sample_ref + pct * (sample_max_mean - sample_ref) / 100;
|
||||
gLow = sample_ref - pct * (sample_max_mean - sample_ref) / 100;
|
||||
|
||||
}
|
||||
|
||||
static int get_next_bit(void) {
|
||||
|
||||
// returns bit value (or EM4X50_BIT_OTHER -> no bit pattern) by evaluating
|
||||
// a single sample within a bit period (given there is no LIW, ACK or NAK)
|
||||
// This function is not used for decoding, it is only used for identifying
|
||||
// a listen window (return value = EM4X50_BIT_OTHER) in functions
|
||||
// "find_double_listen_window" and "check_ack"
|
||||
|
||||
uint8_t sample;
|
||||
|
||||
// get sample at 3/4 of bit period
|
||||
wait_timer(0, T0 * EM4X50_T_TAG_THREE_QUARTER_PERIOD);
|
||||
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
|
||||
// wait until end of bit period
|
||||
wait_timer(0, T0 * EM4X50_T_TAG_QUARTER_PERIOD);
|
||||
|
||||
// decide wether "0" or "1"
|
||||
if (sample > gHigh)
|
||||
return EM4X50_BIT_0;
|
||||
else if (sample < gLow)
|
||||
return EM4X50_BIT_1;
|
||||
|
||||
return EM4X50_BIT_OTHER;
|
||||
}
|
||||
|
||||
static uint32_t get_pulse_length(void) {
|
||||
|
||||
// iterates pulse length (low -> high -> low)
|
||||
|
||||
uint8_t sample = 0;
|
||||
|
||||
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
|
||||
while (sample > gLow)
|
||||
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
|
||||
AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
|
||||
|
||||
while (sample < gHigh)
|
||||
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
|
||||
while (sample > gLow)
|
||||
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
|
||||
|
||||
return (uint32_t)AT91C_BASE_TC1->TC_CV;
|
||||
}
|
||||
|
||||
static bool check_pulse_length(uint32_t pl, int length) {
|
||||
|
||||
// check if pulse length <pl> corresponds to given length <length>
|
||||
|
||||
if ((pl >= T0 * (length - EM4X50_TAG_TOLERANCE)) &
|
||||
(pl <= T0 * (length + EM4X50_TAG_TOLERANCE)))
|
||||
return true;
|
||||
else
|
||||
return false;
|
||||
}
|
||||
|
||||
static void em4x50_send_bit(int bit) {
|
||||
|
||||
// send single bit according to EM4x50 application note and datasheet
|
||||
|
||||
// reset clock for the next bit
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
|
||||
|
||||
if (bit == 0) {
|
||||
|
||||
// disable modulation (drop the field) for 7 cycles of carrier
|
||||
// period (Opt64)
|
||||
LOW(GPIO_SSC_DOUT);
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * 7);
|
||||
|
||||
// enable modulation (activates the field) for remaining first
|
||||
// half of bit period
|
||||
HIGH(GPIO_SSC_DOUT);
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_HALF_PERIOD);
|
||||
|
||||
// disable modulation for second half of bit period
|
||||
LOW(GPIO_SSC_DOUT);
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD);
|
||||
|
||||
} else {
|
||||
|
||||
// bit = "1" means disable modulation for full bit period
|
||||
LOW(GPIO_SSC_DOUT);
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD);
|
||||
}
|
||||
}
|
||||
|
||||
static void em4x50_send_byte(uint8_t byte) {
|
||||
|
||||
// send byte (without parity)
|
||||
|
||||
for (int i = 0; i < 8; i++)
|
||||
em4x50_send_bit((byte >> (7-i)) & 1);
|
||||
|
||||
}
|
||||
|
||||
static void em4x50_send_byte_with_parity(uint8_t byte) {
|
||||
|
||||
// send byte followed by its (equal) parity bit
|
||||
|
||||
int parity = 0, bit = 0;
|
||||
|
||||
for (int i = 0; i < 8; i++) {
|
||||
bit = (byte >> (7-i)) & 1;
|
||||
em4x50_send_bit(bit);
|
||||
parity ^= bit;
|
||||
}
|
||||
|
||||
em4x50_send_bit(parity);
|
||||
}
|
||||
|
||||
static void em4x50_send_word(const uint8_t bytes[4]) {
|
||||
|
||||
// send 32 bit word with parity bits according to EM4x50 datasheet
|
||||
|
||||
for (int i = 0; i < 4; i++)
|
||||
em4x50_send_byte_with_parity(bytes[i]);
|
||||
|
||||
// send column parities
|
||||
em4x50_send_byte(bytes[0] ^ bytes[1] ^ bytes[2] ^ bytes[3]);
|
||||
|
||||
// send final stop bit (always "0")
|
||||
em4x50_send_bit(0);
|
||||
}
|
||||
|
||||
static bool find_double_listen_window(bool bcommand) {
|
||||
|
||||
// find two successive listen windows that indicate the beginning of
|
||||
// data transmission
|
||||
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_WAITING_FOR_LIW) {
|
||||
|
||||
// identification of listen window is done via evaluation of
|
||||
// pulse lengths
|
||||
if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// first listen window found
|
||||
|
||||
if (bcommand) {
|
||||
|
||||
// data transmission from card has to be stopped, because
|
||||
// a commamd shall be issued
|
||||
|
||||
// unfortunately the posititon in listen window (where
|
||||
// command request has to be sent) has gone, so if a
|
||||
// second window follows - sync on this to issue a command
|
||||
|
||||
// skip the next bit...
|
||||
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_FULL_PERIOD);
|
||||
|
||||
// ...and check if the following bit does make sense
|
||||
// (if not it is the correct position within the second
|
||||
// listen window)
|
||||
if (get_next_bit() == EM4X50_BIT_OTHER) {
|
||||
|
||||
// send RM for request mode
|
||||
em4x50_send_bit(0);
|
||||
em4x50_send_bit(0);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// return although second listen window consists of one
|
||||
// more bit period but this period is necessary for
|
||||
// evaluating further pulse lengths
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool request_receive_mode(void) {
|
||||
|
||||
// To issue a command we have to find a listen window first.
|
||||
// Because identification and sychronization at the same time is not
|
||||
// possible when using pulse lengths a double listen window is used.
|
||||
|
||||
bool bcommand = true;
|
||||
|
||||
return find_double_listen_window(bcommand);
|
||||
}
|
||||
|
||||
static bool check_ack(bool bliw) {
|
||||
|
||||
// returns true if signal structue corresponds to ACK, anything else is
|
||||
// counted as NAK (-> false)
|
||||
// Only relevant for pasword writing function:
|
||||
// If <bliw> is true then within the single listen window right after the
|
||||
// ack signal a RM request has to be sent.
|
||||
|
||||
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
|
||||
while (AT91C_BASE_TC0->TC_CV < T0 * 4 * EM4X50_T_TAG_FULL_PERIOD) {
|
||||
|
||||
if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// The received signal is either ACK or NAK.
|
||||
|
||||
if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// Now the signal must be ACK.
|
||||
|
||||
if (!bliw) {
|
||||
|
||||
return true;
|
||||
|
||||
} else {
|
||||
|
||||
// send RM request after ack signal
|
||||
|
||||
// wait for 2 bits (remaining "bit" of ACK signal + first
|
||||
// "bit" of listen window)
|
||||
wait_timer(FPGA_TIMER_0, T0 * 2 * EM4X50_T_TAG_FULL_PERIOD);
|
||||
|
||||
// check for listen window (if first bit cannot be inerpreted
|
||||
// as a valid bit it must belong to a listen window)
|
||||
if (get_next_bit() == EM4X50_BIT_OTHER) {
|
||||
|
||||
// send RM for request mode
|
||||
em4x50_send_bit(0);
|
||||
em4x50_send_bit(0);
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) {
|
||||
|
||||
// decodes one word by evaluating pulse lengths and previous bit;
|
||||
// word must have 45 bits in total:
|
||||
// 32 data bits + 4 row parity bits + 8 column parity bits + 1 stop bit
|
||||
|
||||
bool bbitchange = false;
|
||||
int i = 0;
|
||||
uint32_t pl = 0;
|
||||
|
||||
// initial bit value depends on last pulse length of listen window
|
||||
pl = get_pulse_length();
|
||||
if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) {
|
||||
|
||||
// pulse length = 1.5
|
||||
bits[0] = 1;
|
||||
|
||||
} else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// pulse length = 2
|
||||
bits[0] = 0;
|
||||
bbitchange = true;
|
||||
|
||||
} else {
|
||||
|
||||
// pulse length = 2.5
|
||||
bits[0] = 0;
|
||||
bits[1] = 1;
|
||||
i++;
|
||||
}
|
||||
|
||||
// identify remaining bits based on pulse lengths
|
||||
// between two listen windows only pulse lengths of 1, 1.5 and 2 are possible
|
||||
while (true) {
|
||||
|
||||
i++;
|
||||
pl = get_pulse_length();
|
||||
|
||||
if (check_pulse_length(pl, EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// pulse length = 1 -> keep former bit value
|
||||
bits[i] = bits[i-1];
|
||||
|
||||
} else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) {
|
||||
|
||||
// pulse length = 1.5 -> decision on bit change
|
||||
|
||||
if (bbitchange) {
|
||||
|
||||
// if number of pulse lengths with 1.5 periods is even -> add bit
|
||||
bits[i] = (bits[i-1] == 1) ? 1 : 0;
|
||||
|
||||
// pulse length of 1.5 changes bit value
|
||||
bits[i+1] = (bits[i] == 1) ? 0 : 1;
|
||||
i++;
|
||||
|
||||
// next time add only one bit
|
||||
bbitchange = false;
|
||||
|
||||
} else {
|
||||
|
||||
bits[i] = (bits[i-1] == 1) ? 0 : 1;
|
||||
|
||||
// next time two bits have to be added
|
||||
bbitchange = true;
|
||||
}
|
||||
|
||||
} else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// pulse length of 2 means: adding 2 bits "01"
|
||||
bits[i] = 0;
|
||||
bits[i+1] = 1;
|
||||
i++;
|
||||
|
||||
} else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_FULL_PERIOD)) {
|
||||
|
||||
// pulse length of 3 indicates listen window -> clear last
|
||||
// bit (= 0) and return
|
||||
return --i;
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// login function
|
||||
|
||||
static bool login(uint8_t password[4]) {
|
||||
|
||||
// simple login to EM4x50,
|
||||
// used in operations that require authentication
|
||||
|
||||
if (request_receive_mode ()) {
|
||||
|
||||
// send login command
|
||||
em4x50_send_byte_with_parity(EM4X50_COMMAND_LOGIN);
|
||||
|
||||
// send password
|
||||
em4x50_send_word(password);
|
||||
|
||||
// check if ACK is returned
|
||||
if (check_ack(false))
|
||||
return true;
|
||||
|
||||
} else {
|
||||
if (DBGLEVEL >= DBG_ERROR)
|
||||
Dbprintf("error in command request");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// reset function
|
||||
|
||||
static bool reset(void) {
|
||||
|
||||
// resets EM4x50 tag (used by write function)
|
||||
|
||||
if (request_receive_mode ()) {
|
||||
|
||||
// send login command
|
||||
em4x50_send_byte_with_parity(EM4X50_COMMAND_RESET);
|
||||
|
||||
if (check_ack(false))
|
||||
return true;
|
||||
|
||||
} else {
|
||||
if (DBGLEVEL >= DBG_ERROR)
|
||||
Dbprintf("error in command request");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// read functions
|
||||
|
||||
static bool standard_read(int *now) {
|
||||
|
||||
// reads data that tag transmits when exposed to reader field
|
||||
// (standard read mode); number of read words is saved in <now>
|
||||
|
||||
int fwr = *now;
|
||||
uint8_t bits[EM4X50_TAG_WORD] = {0};
|
||||
|
||||
// start with the identification of two succsessive listening windows
|
||||
if (find_double_listen_window(false)) {
|
||||
|
||||
// read and save words until following double listen window is detected
|
||||
while (get_word_from_bitstream(bits) == EM4X50_TAG_WORD)
|
||||
save_word((*now)++, bits);
|
||||
|
||||
// number of detected words
|
||||
*now -= fwr;
|
||||
|
||||
return true;
|
||||
|
||||
} else {
|
||||
if (DBGLEVEL >= DBG_ERROR)
|
||||
Dbprintf("didn't find a listen window");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool selective_read(uint8_t addresses[4]) {
|
||||
|
||||
// reads from "first word read" (fwr = addresses[3]) to "last word read"
|
||||
// (lwr = addresses[2])
|
||||
// result is verified by "standard read mode"
|
||||
|
||||
int fwr = addresses[3]; // first word read
|
||||
int lwr = addresses[2]; // last word read
|
||||
int now = fwr; // number of words
|
||||
|
||||
if (request_receive_mode()) {
|
||||
|
||||
// send selective read command
|
||||
em4x50_send_byte_with_parity(EM4X50_COMMAND_SELECTIVE_READ);
|
||||
|
||||
// send address data
|
||||
em4x50_send_word(addresses);
|
||||
|
||||
// look for ACK sequence
|
||||
if (check_ack(false))
|
||||
|
||||
// save and verify via standard read mode (compare number of words)
|
||||
if (standard_read(&now))
|
||||
if (now == (lwr - fwr + 1))
|
||||
return true;
|
||||
|
||||
} else {
|
||||
if (DBGLEVEL >= DBG_ERROR)
|
||||
Dbprintf("error in command request");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
void em4x50_info(em4x50_data_t *etd) {
|
||||
|
||||
// collects as much information as possible via selective read mode
|
||||
// if no password is given -> try with standard password "0x00000000"
|
||||
// otherwise continue without login
|
||||
|
||||
bool bsuccess = false, blogin = false;
|
||||
uint8_t status = 0;
|
||||
uint8_t addresses[] = {0x00, 0x00, 0x21, 0x00}; // fwr = 0, lwr = 33
|
||||
uint8_t password[] = {0x00, 0x00, 0x00, 0x00}; // default password
|
||||
|
||||
init_tag();
|
||||
em4x50_setup_read();
|
||||
|
||||
// set gHigh and gLow
|
||||
get_signalproperties();
|
||||
|
||||
if (etd->pwd_given) {
|
||||
|
||||
// try to login with given password
|
||||
blogin = login(etd->password);
|
||||
|
||||
} else {
|
||||
|
||||
// if no password is given, try to login with "0x00000000"
|
||||
blogin = login(password);
|
||||
|
||||
}
|
||||
|
||||
bsuccess = selective_read(addresses);
|
||||
|
||||
status = (bsuccess << 1) + blogin;
|
||||
|
||||
lf_finalize();
|
||||
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
|
||||
}
|
||||
|
||||
// write functions
|
||||
|
||||
static bool write(uint8_t word[4], uint8_t address) {
|
||||
|
||||
// writes <word> to specified <address>
|
||||
|
||||
if (request_receive_mode()) {
|
||||
|
||||
// send write command
|
||||
em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE);
|
||||
|
||||
// send address data
|
||||
em4x50_send_byte_with_parity(address);
|
||||
|
||||
// send data
|
||||
em4x50_send_word(word);
|
||||
|
||||
// wait for T0 * EM4X50_T_TAG_TWA (write access time)
|
||||
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA);
|
||||
|
||||
// look for ACK sequence
|
||||
if (check_ack(false)) {
|
||||
|
||||
// now EM4x50 needs T0 * EM4X50_T_TAG_TWEE (EEPROM write time)
|
||||
// for saving data and should return with ACK
|
||||
if (check_ack(false))
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
} else {
|
||||
if (DBGLEVEL >= DBG_ERROR)
|
||||
Dbprintf("error in command request");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static bool write_password(uint8_t password[4], uint8_t new_password[4]) {
|
||||
|
||||
// changes password from <password> to <new_password>
|
||||
|
||||
if (request_receive_mode()) {
|
||||
|
||||
// send write password command
|
||||
em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE_PASSWORD);
|
||||
|
||||
// send address data
|
||||
em4x50_send_word(password);
|
||||
|
||||
// wait for T0 * EM4x50_T_TAG_TPP (processing pause time)
|
||||
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TPP);
|
||||
|
||||
// look for ACK sequence and send rm request
|
||||
// during following listen window
|
||||
if (check_ack(true)) {
|
||||
|
||||
// send new password
|
||||
em4x50_send_word(new_password);
|
||||
|
||||
// wait for T0 * EM4X50_T_TAG_TWA (write access time)
|
||||
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA);
|
||||
|
||||
if (check_ack(false))
|
||||
if (check_ack(false))
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
} else {
|
||||
if (DBGLEVEL >= DBG_ERROR)
|
||||
Dbprintf("error in command request");
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
void em4x50_write(em4x50_data_t *etd) {
|
||||
|
||||
// write operation process for EM4x50 tag,
|
||||
// single word is written to given address, verified by selective read operation
|
||||
|
||||
bool bsuccess = false, blogin = false;
|
||||
uint8_t status = 0;
|
||||
uint8_t word[4] = {0x00, 0x00, 0x00, 0x00};
|
||||
uint8_t addresses[4] = {0x00, 0x00, 0x00, 0x00};
|
||||
|
||||
init_tag();
|
||||
em4x50_setup_read();
|
||||
|
||||
// set gHigh and gLow
|
||||
get_signalproperties();
|
||||
|
||||
// reorder word according to datasheet
|
||||
msb2lsb_word(etd->word);
|
||||
|
||||
// if password is given try to login first
|
||||
if (etd->pwd_given)
|
||||
blogin = login(etd->password);
|
||||
|
||||
// write word to given address
|
||||
if (write(etd->word, etd->address)) {
|
||||
|
||||
// to verify result reset EM4x50
|
||||
if (reset()) {
|
||||
|
||||
// if password is given login
|
||||
if (etd->pwd_given)
|
||||
blogin &= login(etd->password);
|
||||
|
||||
// perform a selective read
|
||||
addresses[2] = addresses[3] = etd->address;
|
||||
if (selective_read(addresses)) {
|
||||
|
||||
// compare with given word
|
||||
word[0] = tag.sectors[etd->address][0];
|
||||
word[1] = tag.sectors[etd->address][1];
|
||||
word[2] = tag.sectors[etd->address][2];
|
||||
word[3] = tag.sectors[etd->address][3];
|
||||
msb2lsb_word(word);
|
||||
|
||||
bsuccess = true;
|
||||
for (int i = 0; i < 4; i++)
|
||||
bsuccess &= (word[i] == etd->word[i]) ? true : false;
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
status = (bsuccess << 1) + blogin;
|
||||
|
||||
lf_finalize();
|
||||
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
|
||||
}
|
||||
|
||||
void em4x50_write_password(em4x50_data_t *etd) {
|
||||
|
||||
// sinmple change of password
|
||||
|
||||
bool bsuccess = false;
|
||||
|
||||
init_tag();
|
||||
em4x50_setup_read();
|
||||
|
||||
// set gHigh and gLow
|
||||
get_signalproperties();
|
||||
|
||||
// login and change password
|
||||
if (login(etd->password)) {
|
||||
bsuccess = write_password(etd->password, etd->new_password);
|
||||
}
|
||||
|
||||
lf_finalize();
|
||||
reply_ng(CMD_ACK, bsuccess, 0, 0);
|
||||
}
|
24
armsrc/em4x50.h
Normal file
24
armsrc/em4x50.h
Normal file
|
@ -0,0 +1,24 @@
|
|||
//-----------------------------------------------------------------------------
|
||||
// Copyright (C) 2020 tharexde
|
||||
//
|
||||
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
||||
// at your option, any later version. See the LICENSE.txt file for the text of
|
||||
// the license.
|
||||
//-----------------------------------------------------------------------------
|
||||
// Low frequency EM4x50 commands
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
#ifndef EM4X50_H
|
||||
#define EM4X50_H
|
||||
|
||||
#include "../include/em4x50.h"
|
||||
|
||||
typedef struct {
|
||||
uint8_t sectors[34][7];
|
||||
} em4x50_tag_t;
|
||||
|
||||
void em4x50_info(em4x50_data_t *etd);
|
||||
void em4x50_write(em4x50_data_t *etd);
|
||||
void em4x50_write_password(em4x50_data_t *etd);
|
||||
|
||||
#endif /* EM4X50_H */
|
|
@ -240,6 +240,7 @@ set (TARGET_SOURCES
|
|||
${PM3_ROOT}/client/src/cmdlfawid.c
|
||||
${PM3_ROOT}/client/src/cmdlfcotag.c
|
||||
${PM3_ROOT}/client/src/cmdlfem4x.c
|
||||
${PM3_ROOT}/client/src/cmdlfem4x50.c
|
||||
${PM3_ROOT}/client/src/cmdlffdx.c
|
||||
${PM3_ROOT}/client/src/cmdlfgallagher.c
|
||||
${PM3_ROOT}/client/src/cmdlfguard.c
|
||||
|
|
|
@ -439,6 +439,7 @@ SRCS = aidsearch.c \
|
|||
cmdlfawid.c \
|
||||
cmdlfcotag.c \
|
||||
cmdlfem4x.c \
|
||||
cmdlfem4x50.c \
|
||||
cmdlffdx.c \
|
||||
cmdlfguard.c \
|
||||
cmdlfgallagher.c \
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
//-----------------------------------------------------------------------------
|
||||
|
||||
#include "cmdlfem4x.h"
|
||||
#include "cmdlfem4x50.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
@ -149,20 +150,6 @@ static int usage_lf_em4x50_read(void) {
|
|||
PrintAndLogEx(NORMAL, " lf em 4x50_read 1 11223344");
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
static int usage_lf_em4x50_write(void) {
|
||||
PrintAndLogEx(NORMAL, "Write EM 4x50/4x69. Tag must be on antenna. ");
|
||||
PrintAndLogEx(NORMAL, "");
|
||||
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h] <address> <data> <pwd>");
|
||||
PrintAndLogEx(NORMAL, "Options:");
|
||||
PrintAndLogEx(NORMAL, " h - this help");
|
||||
PrintAndLogEx(NORMAL, " address - memory address to write to. (0-15)");
|
||||
PrintAndLogEx(NORMAL, " data - data to write (hex)");
|
||||
PrintAndLogEx(NORMAL, " pwd - password (hex) (optional)");
|
||||
PrintAndLogEx(NORMAL, "Examples:");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de 11223344");
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
|
||||
//////////////// 4205 / 4305 commands
|
||||
static int usage_lf_em4x05_dump(void) {
|
||||
|
@ -1052,16 +1039,6 @@ static int CmdEM4x50Read(const char *Cmd) {
|
|||
return EM4x50Read(Cmd, true);
|
||||
}
|
||||
|
||||
static int CmdEM4x50Write(const char *Cmd) {
|
||||
uint8_t ctmp = tolower(param_getchar(Cmd, 0));
|
||||
if (ctmp == 'h') return usage_lf_em4x50_write();
|
||||
PrintAndLogEx(NORMAL, "no implemented yet");
|
||||
//
|
||||
// PrintAndLogEx(SUCCESS, "Done");
|
||||
// PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf em 4x50_read`") " to verify");
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
|
||||
static int CmdEM4x50Dump(const char *Cmd) {
|
||||
uint8_t ctmp = tolower(param_getchar(Cmd, 0));
|
||||
if (ctmp == 'h') return usage_lf_em4x50_dump();
|
||||
|
@ -1779,7 +1756,9 @@ static command_t CommandTable[] = {
|
|||
{"4x50_demod", CmdEM4x50Demod, AlwaysAvailable, "demodulate a EM4x50 tag from the GraphBuffer"},
|
||||
{"4x50_dump", CmdEM4x50Dump, IfPm3Lf, "dump EM4x50 tag"},
|
||||
{"4x50_read", CmdEM4x50Read, IfPm3Lf, "read word data from EM4x50"},
|
||||
{"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"},
|
||||
{"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"},
|
||||
{"4x50_write_password", CmdEM4x50WritePassword, IfPm3Lf, "change passwword of EM4x50 tag"},
|
||||
{NULL, NULL, NULL, NULL}
|
||||
};
|
||||
|
||||
|
|
663
client/src/cmdlfem4x50.c
Normal file
663
client/src/cmdlfem4x50.c
Normal file
|
@ -0,0 +1,663 @@
|
|||
//-----------------------------------------------------------------------------
|
||||
// Copyright (C) 2020 tharexde
|
||||
//
|
||||
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
||||
// at your option, any later version. See the LICENSE.txt file for the text of
|
||||
// the license.
|
||||
//-----------------------------------------------------------------------------
|
||||
// Low frequency EM4x50 commands
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
#include "cmdlfem4x50.h"
|
||||
#include <ctype.h>
|
||||
#include "fileutils.h"
|
||||
#include "comms.h"
|
||||
#include "commonutil.h"
|
||||
#include "em4x50.h"
|
||||
|
||||
#define EM4X50_NO_WORDS 34
|
||||
|
||||
// special words
|
||||
#define EM4X50_DEVICE_PASSWORD 0
|
||||
#define EM4X50_PROTECTION 1
|
||||
#define EM4X50_CONTROL 2
|
||||
#define EM4X50_DEVICE_SERIAL 32
|
||||
#define EM4X50_DEVICE_ID 33
|
||||
|
||||
// control word (word = 4 bytes)
|
||||
#define FIRST_WORD_READ 0 // first byte
|
||||
#define LAST_WORD_READ 1 // second byte
|
||||
#define CONFIG_BLOCK 2 // third byte
|
||||
#define PASSWORD_CHECK 0x80 // first bit in third byte
|
||||
#define READ_AFTER_WRITE 0x40 // second bit in third byte
|
||||
|
||||
// protection word
|
||||
#define FIRST_WORD_READ_PROTECTED 0 // first byte
|
||||
#define LAST_WORD_READ_PROTECTED 1 // second byte
|
||||
#define FIRST_WORD_WRITE_INHIBITED 2 // third byte
|
||||
#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte
|
||||
|
||||
// misc
|
||||
#define STATUS_SUCCESS 0x2
|
||||
#define STATUS_LOGIN 0x1
|
||||
#define NO_CHARS_MAX 400
|
||||
|
||||
int usage_lf_em4x50_info(void) {
|
||||
PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna.");
|
||||
PrintAndLogEx(NORMAL, "");
|
||||
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_info [h] [v] [p <pwd>]");
|
||||
PrintAndLogEx(NORMAL, "Options:");
|
||||
PrintAndLogEx(NORMAL, " h - this help");
|
||||
PrintAndLogEx(NORMAL, " v - verbose output");
|
||||
PrintAndLogEx(NORMAL, " p <pwd> - password (hex) (optional)");
|
||||
PrintAndLogEx(NORMAL, "Examples:");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_info");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_info p fa225de1\n");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_info v p fa225de1\n");
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
int usage_lf_em4x50_write(void) {
|
||||
PrintAndLogEx(NORMAL, "Write EM4x50 word. Tag must be on antenna. ");
|
||||
PrintAndLogEx(NORMAL, "");
|
||||
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h] a <address> w <data>");
|
||||
PrintAndLogEx(NORMAL, "Options:");
|
||||
PrintAndLogEx(NORMAL, " h - this help");
|
||||
PrintAndLogEx(NORMAL, " a <addr> - memory address to write to (dec)");
|
||||
PrintAndLogEx(NORMAL, " w <word> - word to write (hex)");
|
||||
PrintAndLogEx(NORMAL, " p <pwd> - password (hex) (optional)");
|
||||
PrintAndLogEx(NORMAL, "Examples:");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_write a 3 w deadc0de");
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
int usage_lf_em4x50_write_password(void) {
|
||||
PrintAndLogEx(NORMAL, "Write EM4x50 password. Tag must be on antenna. ");
|
||||
PrintAndLogEx(NORMAL, "");
|
||||
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write_password [h] p <pwd> n <pwd>");
|
||||
PrintAndLogEx(NORMAL, "Options:");
|
||||
PrintAndLogEx(NORMAL, " h - this help");
|
||||
PrintAndLogEx(NORMAL, " p <pwd> - password (hex)");
|
||||
PrintAndLogEx(NORMAL, " n <pwd> - new password (hex)");
|
||||
PrintAndLogEx(NORMAL, "Examples:");
|
||||
PrintAndLogEx(NORMAL, " lf em 4x50_write_password p 11223344 n 01020304");
|
||||
return PM3_SUCCESS;
|
||||
}
|
||||
|
||||
static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) {
|
||||
|
||||
// restructure received result in "em4x50_word_t" structure and check all
|
||||
// parities including stop bit; result of each check is stored in structure
|
||||
|
||||
int p = 0, c[8] = {0, 0, 0, 0, 0, 0, 0, 0};
|
||||
|
||||
for (int i = fwr; i <= lwr; i++) {
|
||||
|
||||
words[i].stopparity = true;
|
||||
words[i].parity = true;
|
||||
|
||||
for (int j = 0; j < 8; j++)
|
||||
c[j] = 0;
|
||||
|
||||
for (int j = 0; j < 4; j++) {
|
||||
words[i].byte[j] = byte[i*7+j];
|
||||
words[i].row_parity[j] = (byte[i*7+4] >> (3-j)) & 1;
|
||||
|
||||
// collect parities
|
||||
p = 0;
|
||||
|
||||
for (int k = 0; k < 8; k++) {
|
||||
|
||||
// row parity
|
||||
p ^= (words[i].byte[j] >> k) & 1;
|
||||
|
||||
// column parity
|
||||
c[k] ^= (words[i].byte[j] >> (7-k)) & 1;
|
||||
}
|
||||
|
||||
// check row parities
|
||||
words[i].rparity[j] = (words[i].row_parity[j] == p) ? true : false;
|
||||
|
||||
if (!words[i].rparity[j])
|
||||
words[i].parity = false;
|
||||
}
|
||||
|
||||
// check column parities
|
||||
words[i].col_parity = byte[i*7+5] ;
|
||||
|
||||
for (int j = 0; j < 8; j++) {
|
||||
words[i].cparity[j] = (((words[i].col_parity >> (7-j)) & 1) == c[j]) ? true : false;
|
||||
|
||||
if (!words[i].cparity[j])
|
||||
words[i].parity = false;
|
||||
}
|
||||
|
||||
// check stop bit
|
||||
words[i].stopbit = byte[i*7+6] & 1;
|
||||
|
||||
if (words[i].stopbit == 1)
|
||||
words[i].stopparity = false;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
static void print_bit_table(const em4x50_word_t word) {
|
||||
|
||||
// generate output in table form for each word including parities, stop
|
||||
// bit, result of parity checks and hex notation of each row in msb/lsb
|
||||
// notation
|
||||
// individual parity errors will be highlighted in red
|
||||
|
||||
int bit = 0;
|
||||
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
|
||||
|
||||
// print binary data
|
||||
for (int j = 0; j < 4; j++) {
|
||||
|
||||
strcat(string, " ");
|
||||
|
||||
// lsb notation
|
||||
for (int k = 0; k < 8; k++) {
|
||||
sprintf(pstring, "%i", (word.byte[j] >> (7-k)) & 1);
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
strcat(string, " | ");
|
||||
|
||||
// binary row parities + hex bytes of word
|
||||
sprintf(pstring, (word.rparity[j]) ? "%i" : _RED_("%i"), word.row_parity[j]);
|
||||
strcat(string, pstring);
|
||||
|
||||
if (j == 0)
|
||||
sprintf(pstring, " msb: 0x%02x lsb: 0x%02x", word.byte[j], reflect8(word.byte[j]));
|
||||
else
|
||||
sprintf(pstring, " 0x%02x 0x%02x", word.byte[j], reflect8(word.byte[j]));
|
||||
|
||||
strcat(string, pstring);
|
||||
PrintAndLogEx(NORMAL,string);
|
||||
|
||||
string[0] = '\0';
|
||||
}
|
||||
|
||||
strcat(string, " ------------ --------------------\n ");
|
||||
|
||||
// binary column parities
|
||||
for (int k = 0; k < 8; k++) {
|
||||
|
||||
bit = (word.col_parity >> (7-k)) & 1;
|
||||
|
||||
// if column parity is false -> highlight bit in red
|
||||
sprintf(pstring, (word.cparity[k]) ? "%i" : _RED_("%i"), bit);
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
// binary stop bit
|
||||
strcat(string, " | ");
|
||||
sprintf(pstring, (word.stopparity) ? "%i" : _RED_("%i"), word.stopbit);
|
||||
strcat(pstring, " parities ");
|
||||
strcat(string, pstring);
|
||||
|
||||
// parities passed/failed
|
||||
sprintf(pstring, (word.parity) ? _GREEN_("ok") : _RED_("failed"));
|
||||
strcat(string, pstring);
|
||||
|
||||
PrintAndLogEx(NORMAL,string);
|
||||
|
||||
string[0] = '\0';
|
||||
}
|
||||
|
||||
static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
|
||||
|
||||
// print available information for given word from fwr to lwr, i.e.
|
||||
// bit table + summary lines with hex notation of word (msb + lsb)
|
||||
|
||||
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
|
||||
|
||||
for (int i = fwr; i <= lwr; i++) {
|
||||
|
||||
// blank line before each bit table
|
||||
PrintAndLogEx(NORMAL, "");
|
||||
|
||||
// print bit table
|
||||
print_bit_table(words[i]);
|
||||
|
||||
// final result
|
||||
sprintf(pstring, "\n word[%i] msb: " _GREEN_("0x"), i);
|
||||
strcat(string, pstring);
|
||||
|
||||
for (int j = 0; j < 4; j++) {
|
||||
sprintf(pstring, _GREEN_("%02x"), words[i].byte[j]);
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
sprintf(pstring, "\n word[%i] lsb: 0x", i);
|
||||
strcat(string, pstring);
|
||||
|
||||
for (int j = 0; j < 4; j++) {
|
||||
sprintf(pstring, "%02x", reflect8(words[i].byte[3-j]));
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
PrintAndLogEx(NORMAL,string);
|
||||
|
||||
string[0] = '\0';
|
||||
}
|
||||
}
|
||||
|
||||
static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bool bverbose) {
|
||||
|
||||
// display all information of info result in structured format
|
||||
|
||||
uint8_t *data = resp->data.asBytes;
|
||||
em4x50_word_t words[EM4X50_NO_WORDS];
|
||||
char pstring[NO_CHARS_MAX] = {0}, string[NO_CHARS_MAX] = {0};
|
||||
|
||||
bool bpwd_given = etd->pwd_given;
|
||||
bool bsuccess = resp->status & STATUS_SUCCESS;
|
||||
bool blogin = resp->status & STATUS_LOGIN;
|
||||
|
||||
prepare_result(data, 0, EM4X50_NO_WORDS - 1, words);
|
||||
|
||||
bool bpwc = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & PASSWORD_CHECK;
|
||||
bool braw = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & READ_AFTER_WRITE;
|
||||
int fwr = reflect8(words[EM4X50_CONTROL].byte[FIRST_WORD_READ]);
|
||||
int lwr = reflect8(words[EM4X50_CONTROL].byte[LAST_WORD_READ]);
|
||||
int fwrp = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_READ_PROTECTED]);
|
||||
int lwrp = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_READ_PROTECTED]);
|
||||
int fwwi = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_WRITE_INHIBITED]);
|
||||
int lwwi = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_WRITE_INHIBITED]);
|
||||
|
||||
// data section
|
||||
PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:"));
|
||||
|
||||
if (bverbose) {
|
||||
|
||||
// detailed data section
|
||||
print_result(words, 0, EM4X50_NO_WORDS - 1);
|
||||
|
||||
} else {
|
||||
|
||||
// condensed data section
|
||||
for (int i = 0; i < EM4X50_NO_WORDS; i++) {
|
||||
|
||||
sprintf(pstring, " word[%2i]: ", i);
|
||||
strcat(string, pstring);
|
||||
|
||||
for (int j = 0; j < 4; j++) {
|
||||
sprintf(pstring, "%02x", words[i].byte[j]);
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
switch(i) {
|
||||
case EM4X50_DEVICE_PASSWORD:
|
||||
sprintf(pstring, _YELLOW_(" password, write only"));
|
||||
break;
|
||||
case EM4X50_PROTECTION:
|
||||
sprintf(pstring, _YELLOW_(" protection word, write inhibited"));
|
||||
break;
|
||||
case EM4X50_CONTROL:
|
||||
sprintf(pstring, _YELLOW_(" control word, write inhibited"));
|
||||
break;
|
||||
case EM4X50_DEVICE_SERIAL:
|
||||
sprintf(pstring, _YELLOW_(" device serial number, read only"));
|
||||
break;
|
||||
case EM4X50_DEVICE_ID:
|
||||
sprintf(pstring, _YELLOW_(" device identification, read only"));
|
||||
break;
|
||||
default:
|
||||
sprintf(pstring, " user data");
|
||||
break;
|
||||
}
|
||||
|
||||
strcat(string, pstring);
|
||||
PrintAndLogEx(NORMAL,"%s", string);
|
||||
string[0] = '\0';
|
||||
}
|
||||
}
|
||||
|
||||
// configuration section
|
||||
PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 configuration"));
|
||||
PrintAndLogEx(NORMAL," control: | protection:");
|
||||
|
||||
sprintf(pstring, " first word read: %3i |", fwr);
|
||||
strcat(string, pstring);
|
||||
sprintf(pstring, " first word read protected: %3i", fwrp);
|
||||
strcat(string, pstring);
|
||||
PrintAndLogEx(NORMAL,"%s", string);
|
||||
string[0] = '\0';
|
||||
|
||||
sprintf(pstring, " last word read: %3i |", lwr);
|
||||
strcat(string, pstring);
|
||||
sprintf(pstring, " last word read protected: %3i", lwrp);
|
||||
strcat(string, pstring);
|
||||
PrintAndLogEx(NORMAL,"%s", string);
|
||||
string[0] = '\0';
|
||||
|
||||
sprintf(pstring, " password check: %3s |", (bpwc) ? "on" : "off");
|
||||
strcat(string, pstring);
|
||||
sprintf(pstring, " first word write inhibited: %3i", fwwi);
|
||||
strcat(string, pstring);
|
||||
PrintAndLogEx(NORMAL,"%s", string);
|
||||
string[0] = '\0';
|
||||
|
||||
sprintf(pstring, " read after write: %3s |", (braw) ? "on" : "off");
|
||||
strcat(string, pstring);
|
||||
sprintf(pstring, " last word write inhibited: %3i", lwwi);
|
||||
strcat(string, pstring);
|
||||
PrintAndLogEx(NORMAL,"%s", string);
|
||||
string[0] = '\0';
|
||||
|
||||
PrintAndLogEx(NORMAL, "\n zero values may indicate read protection!");
|
||||
|
||||
// status line
|
||||
sprintf(pstring, " reading ");
|
||||
strcat(string, pstring);
|
||||
|
||||
if (!bsuccess) {
|
||||
|
||||
sprintf(pstring, _RED_("failed"));
|
||||
strcat(string, pstring);
|
||||
|
||||
} else {
|
||||
|
||||
sprintf(pstring, _GREEN_("ok "));
|
||||
strcat(string, pstring);
|
||||
|
||||
if (blogin) {
|
||||
|
||||
if (bpwd_given) {
|
||||
|
||||
sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)",
|
||||
etd->password[0], etd->password[1],
|
||||
etd->password[2], etd->password[3]);
|
||||
strcat(string, pstring);
|
||||
|
||||
} else {
|
||||
|
||||
sprintf(pstring, "(login with default password 0x00000000)");
|
||||
strcat(string, pstring);
|
||||
|
||||
}
|
||||
|
||||
} else {
|
||||
|
||||
if (bpwd_given) {
|
||||
|
||||
sprintf(pstring, "(login failed)");
|
||||
strcat(string, pstring);
|
||||
|
||||
} else {
|
||||
|
||||
sprintf(pstring, "(no login)");
|
||||
strcat(string, pstring);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
PrintAndLogEx(NORMAL,"%s\n", string);
|
||||
}
|
||||
|
||||
int CmdEM4x50Info(const char *Cmd) {
|
||||
|
||||
// envoke reading of a EM4x50 tag which has to be on the antenna because
|
||||
// decoding is done by the device (not on client side)
|
||||
|
||||
bool errors = false, verbose = false, success = false;
|
||||
uint8_t cmdp = 0;
|
||||
em4x50_data_t etd;
|
||||
PacketResponseNG resp;
|
||||
|
||||
// init
|
||||
etd.pwd_given = false;
|
||||
|
||||
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
|
||||
switch (tolower(param_getchar(Cmd, cmdp))) {
|
||||
|
||||
case 'h':
|
||||
return usage_lf_em4x50_info();
|
||||
|
||||
case 'p':
|
||||
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
|
||||
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
|
||||
return PM3_EINVARG;
|
||||
}
|
||||
etd.pwd_given = true;
|
||||
cmdp += 2;
|
||||
break;
|
||||
|
||||
case 'v':
|
||||
verbose = true;
|
||||
cmdp += 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
PrintAndLogEx(WARNING, " Unknown parameter '%c'", param_getchar(Cmd, cmdp));
|
||||
errors = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
// validation
|
||||
if (errors)
|
||||
return usage_lf_em4x50_info();
|
||||
|
||||
// call info command
|
||||
clearCommandBuffer();
|
||||
SendCommandNG(CMD_LF_EM4X50_INFO, (uint8_t *)&etd, sizeof(etd));
|
||||
|
||||
|
||||
// get result
|
||||
if (!WaitForResponse(CMD_ACK, &resp)) {
|
||||
PrintAndLogEx(WARNING, " timeout while waiting for reply.");
|
||||
return PM3_ETIMEOUT;
|
||||
}
|
||||
|
||||
// print result
|
||||
print_info_result(&resp, &etd, verbose);
|
||||
|
||||
success = resp.status & STATUS_SUCCESS;
|
||||
return (success) ? PM3_SUCCESS : PM3_ESOFT;
|
||||
}
|
||||
|
||||
static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
|
||||
|
||||
// display result of writing operation in structured format
|
||||
|
||||
bool pwd_given = etd->pwd_given;
|
||||
bool success = resp->status & STATUS_SUCCESS;
|
||||
bool login = resp->status & STATUS_LOGIN;
|
||||
uint8_t *data = resp->data.asBytes;
|
||||
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
|
||||
em4x50_word_t word;
|
||||
|
||||
if (!success) {
|
||||
|
||||
sprintf(pstring, "\n writing " _RED_("failed"));
|
||||
strcat(string, pstring);
|
||||
|
||||
} else {
|
||||
|
||||
prepare_result(data, etd->address, etd->address, &word);
|
||||
print_result(&word, etd->address, etd->address);
|
||||
|
||||
sprintf(pstring, "\n writing " _GREEN_("ok "));
|
||||
strcat(string, pstring);
|
||||
|
||||
if (pwd_given) {
|
||||
|
||||
if (login) {
|
||||
sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)",
|
||||
etd->password[0], etd->password[1],
|
||||
etd->password[2], etd->password[3]);
|
||||
strcat(string, pstring);
|
||||
} else {
|
||||
sprintf(pstring, "(login failed)");
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
} else {
|
||||
sprintf(pstring, "(no login)");
|
||||
strcat(string, pstring);
|
||||
}
|
||||
}
|
||||
|
||||
PrintAndLogEx(NORMAL,"%s\n", string);
|
||||
}
|
||||
|
||||
int CmdEM4x50Write(const char *Cmd) {
|
||||
|
||||
// envoke writing a single word (32 bit) to a EM4x50 tag
|
||||
|
||||
bool errors = false, bword = false, baddr = false, success = false;
|
||||
uint8_t cmdp = 0;
|
||||
em4x50_data_t etd;
|
||||
PacketResponseNG resp;
|
||||
|
||||
// init
|
||||
etd.pwd_given = false;
|
||||
|
||||
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
|
||||
|
||||
switch (tolower(param_getchar(Cmd, cmdp))) {
|
||||
case 'h':
|
||||
return usage_lf_em4x50_write();
|
||||
|
||||
case 'p':
|
||||
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
|
||||
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
|
||||
return PM3_EINVARG;
|
||||
}
|
||||
etd.pwd_given = true;
|
||||
cmdp += 2;
|
||||
break;
|
||||
|
||||
case 'w':
|
||||
if (param_gethex(Cmd, cmdp + 1, etd.word, 8)) {
|
||||
PrintAndLogEx(FAILED, "\n word has to be 8 hex symbols\n");
|
||||
return PM3_EINVARG;
|
||||
}
|
||||
bword = true;
|
||||
cmdp += 2;
|
||||
break;
|
||||
|
||||
case 'a':
|
||||
param_getdec(Cmd, cmdp + 1, &etd.address);
|
||||
|
||||
// validation
|
||||
if (etd.address < 1 || etd.address > 31) {
|
||||
PrintAndLogEx(FAILED, "\n error, address has to be in range [1-31]\n");
|
||||
return PM3_EINVARG;
|
||||
}
|
||||
baddr = true;
|
||||
cmdp += 2;
|
||||
break;
|
||||
|
||||
default:
|
||||
PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
|
||||
errors = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (errors || !bword || !baddr)
|
||||
return usage_lf_em4x50_write();
|
||||
|
||||
clearCommandBuffer();
|
||||
SendCommandNG(CMD_LF_EM4X50_WRITE, (uint8_t *)&etd, sizeof(etd));
|
||||
|
||||
|
||||
if (!WaitForResponse(CMD_ACK, &resp)) {
|
||||
PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n");
|
||||
return PM3_ETIMEOUT;
|
||||
}
|
||||
|
||||
// get, prepare and print response
|
||||
print_write_result(&resp, &etd);
|
||||
|
||||
success = resp.status & STATUS_SUCCESS;
|
||||
return (success) ? PM3_SUCCESS : PM3_ESOFT;
|
||||
}
|
||||
|
||||
static void print_write_password_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
|
||||
|
||||
// display result of password changing operation
|
||||
|
||||
bool success = resp->status;
|
||||
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
|
||||
|
||||
if (!success) {
|
||||
|
||||
sprintf(pstring, "\n writing new password " _RED_("failed"));
|
||||
strcat(string, pstring);
|
||||
|
||||
} else {
|
||||
|
||||
sprintf(pstring, "\n writing new password " _GREEN_("ok"));
|
||||
strcat(string, pstring);
|
||||
}
|
||||
|
||||
PrintAndLogEx(NORMAL,"%s\n", string);
|
||||
}
|
||||
|
||||
int CmdEM4x50WritePassword(const char *Cmd) {
|
||||
|
||||
// envokes changing the password of EM4x50 tag
|
||||
|
||||
bool errors = false, bpwd = false, bnpwd = false;
|
||||
uint8_t cmdp = 0;
|
||||
em4x50_data_t etd;
|
||||
PacketResponseNG resp;
|
||||
|
||||
// init
|
||||
etd.pwd_given = false;
|
||||
etd.newpwd_given = false;
|
||||
|
||||
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
|
||||
|
||||
switch (tolower(param_getchar(Cmd, cmdp))) {
|
||||
case 'h':
|
||||
return usage_lf_em4x50_write_password();
|
||||
|
||||
case 'p':
|
||||
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
|
||||
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
|
||||
return PM3_EINVARG;
|
||||
}
|
||||
bpwd = true;
|
||||
etd.pwd_given = true;
|
||||
cmdp += 2;
|
||||
break;
|
||||
|
||||
case 'n':
|
||||
if (param_gethex(Cmd, cmdp + 1, etd.new_password, 8)) {
|
||||
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
|
||||
return PM3_EINVARG;
|
||||
}
|
||||
bnpwd = true;
|
||||
etd.newpwd_given = true;
|
||||
cmdp += 2;
|
||||
break;
|
||||
|
||||
default:
|
||||
PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
|
||||
errors = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (errors || !bpwd || !bnpwd)
|
||||
return usage_lf_em4x50_write_password();
|
||||
|
||||
clearCommandBuffer();
|
||||
SendCommandNG(CMD_LF_EM4X50_WRITE_PASSWORD, (uint8_t *)&etd, sizeof(etd));
|
||||
|
||||
if (!WaitForResponse(CMD_ACK, &resp)) {
|
||||
PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n");
|
||||
return PM3_ETIMEOUT;
|
||||
}
|
||||
|
||||
// get, prepare and print response
|
||||
print_write_password_result(&resp, &etd);
|
||||
|
||||
return ((bool)resp.status) ? PM3_SUCCESS : PM3_ESOFT;
|
||||
}
|
22
client/src/cmdlfem4x50.h
Normal file
22
client/src/cmdlfem4x50.h
Normal file
|
@ -0,0 +1,22 @@
|
|||
//-----------------------------------------------------------------------------
|
||||
// Copyright (C) 2020 tharexde
|
||||
//
|
||||
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
||||
// at your option, any later version. See the LICENSE.txt file for the text of
|
||||
// the license.
|
||||
//-----------------------------------------------------------------------------
|
||||
// Low frequency EM4x50 commands
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
#ifndef CMDLFEM4X50_H__
|
||||
#define CMDLFEM4X50_H__
|
||||
|
||||
int usage_lf_em4x50_info(void);
|
||||
int usage_lf_em4x50_write(void);
|
||||
int usage_lf_em4x50_write_password(void);
|
||||
|
||||
int CmdEM4x50Info(const char *Cmd);
|
||||
int CmdEM4x50Write(const char *Cmd);
|
||||
int CmdEM4x50WritePassword(const char *Cmd);
|
||||
|
||||
#endif
|
|
@ -81,7 +81,8 @@ endif
|
|||
# common LF support
|
||||
PLATFORM_DEFS += \
|
||||
-DWITH_LF \
|
||||
-DWITH_HITAG
|
||||
-DWITH_HITAG \
|
||||
-DWITH_EM4x50
|
||||
|
||||
# common HF support
|
||||
PLATFORM_DEFS += \
|
||||
|
|
37
include/em4x50.h
Normal file
37
include/em4x50.h
Normal file
|
@ -0,0 +1,37 @@
|
|||
//-----------------------------------------------------------------------------
|
||||
// Copyright (C) 2020 tharexde
|
||||
//
|
||||
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
||||
// at your option, any later version. See the LICENSE.txt file for the text of
|
||||
// the license.
|
||||
//-----------------------------------------------------------------------------
|
||||
// Low frequency EM4x50 structs
|
||||
//-----------------------------------------------------------------------------
|
||||
|
||||
#ifndef EM4X50_H__
|
||||
#define EM4X50_H__
|
||||
|
||||
typedef struct {
|
||||
bool fwr_given;
|
||||
bool lwr_given;
|
||||
bool pwd_given;
|
||||
bool newpwd_given;
|
||||
uint8_t password[4];
|
||||
uint8_t new_password[4];
|
||||
uint8_t addresses[4];
|
||||
uint8_t address;
|
||||
uint8_t word[4];
|
||||
} em4x50_data_t;
|
||||
|
||||
typedef struct {
|
||||
uint8_t byte[4];
|
||||
uint8_t row_parity[4];
|
||||
uint8_t col_parity;
|
||||
uint8_t stopbit;
|
||||
bool rparity[4];
|
||||
bool cparity[8];
|
||||
bool stopparity;
|
||||
bool parity;
|
||||
} em4x50_word_t;
|
||||
|
||||
#endif /* EM4X50_H__ */
|
|
@ -187,6 +187,7 @@ typedef struct {
|
|||
// lf
|
||||
bool compiled_with_lf : 1;
|
||||
bool compiled_with_hitag : 1;
|
||||
bool compiled_with_em4x50 : 1;
|
||||
// hf
|
||||
bool compiled_with_hfsniff : 1;
|
||||
bool compiled_with_hfplot : 1;
|
||||
|
@ -401,6 +402,9 @@ typedef struct {
|
|||
#define CMD_LF_EM4X_WRITEWORD 0x0219
|
||||
#define CMD_LF_IO_WATCH 0x021A
|
||||
#define CMD_LF_EM410X_WATCH 0x021C
|
||||
#define CMD_LF_EM4X50_INFO 0x0240
|
||||
#define CMD_LF_EM4X50_WRITE 0x0241
|
||||
#define CMD_LF_EM4X50_WRITE_PASSWORD 0x0242
|
||||
// Sampling configuration for LF reader/sniffer
|
||||
#define CMD_LF_SAMPLING_SET_CONFIG 0x021D
|
||||
#define CMD_LF_FSK_SIMULATE 0x021E
|
||||
|
|
Loading…
Reference in a new issue