RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-22 00:06:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3 from RfidResearchGroup/master

Browse source 
Updated from upstream
This commit is contained in:
DXL 2020-06-24 16:49:33 +08:00 committed by GitHub
parent e4aff42bbe 0bcec9a3fb
commit 3e870ac05b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
28 changed files with 1935 additions and 198 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Added lf em functions: 4x50_info, 4x50_write, 4x50_write_password (@tharexde)
- Fix em4x50 demodulation error (@tharexde)
- Fix `hf mfdes` authentification issues, DES working (@bkerler)
- Add Android cross-compilation to client cmake (@dxl, @doegox)

2
README.md
View file

@ -33,7 +33,7 @@
|[Notes on external flash](/doc/ext_flash_notes.md)|[Notes on loclass](/doc/loclass_notes.md)|[Notes on Coverity Scan Config & Run](/doc/md/Development/Coverity-Scan-Config-%26-Run.md)|
|[Notes on file formats used with Proxmark3](/doc/extensions_notes.md)|[Notes on MFU binary format](/doc/mfu_binary_format_notes.md)|[Notes on FPGA & ARM](/doc/fpga_arm_notes.md)|
|[Developing standalone mode](/armsrc/Standalone/readme.md)|[Wiki about standalone mode](https://github.com/RfidResearchGroup/proxmark3/wiki/Standalone-mode)||
|[Notes on Color usage](/doc/colors_notes.md)||
|[Notes on Color usage](/doc/colors_notes.md)|[Makefile vs CMake](/doc/md/Development/Makefile-vs-CMake.md)|
## Build for non-RDV4 Proxmark3 platforms

7
armsrc/Makefile
View file

@ -63,6 +63,12 @@ else
SRC_HITAG =
endif
ifneq (,$(findstring WITH_EM4x50,$(APP_CFLAGS)))
SRC_EM4x50 = em4x50.c
else
SRC_EM4x50 =
endif
ifneq (,$(findstring WITH_LCD,$(APP_CFLAGS)))
SRC_LCD = fonts.c LCD.c
else
@ -99,6 +105,7 @@ THUMBSRC = start.c \
$(SRC_SMARTCARD) \
$(SRC_FPC) \
$(SRC_HITAG) \
$(SRC_EM4x50) \
$(SRC_SPIFFS) \
$(SRC_ISO14443a) \
$(SRC_ISO14443b) \

10
armsrc/Standalone/lf_em4100rswb.c
View file

@ -39,7 +39,6 @@
#include "proxmark3_arm.h"
#include "appmain.h"
#include "fpgaloader.h"
#include "lfops.h"
#include "util.h"
#include "dbprint.h"
#include "ticks.h"
@ -48,6 +47,7 @@
#include "spiffs.h"
#include "inttypes.h"
#include "parity.h"
#include "lfops.h"
#ifdef WITH_FLASH
#include "flashmem.h"
@ -205,7 +205,7 @@ static void PrintFcAndCardNum(uint64_t lowData) {
Dbprintf("[=] READ TAG ID: %"PRIx64" - FC: %u - Card: %u", lowData, fc, cardnum);
}
static int ButeEMTag(uint64_t originalCard, int slot) {
static int BruteEMTag(uint64_t originalCard, int slot) {
int speed_count = 4;
int direction = 1;
@ -256,7 +256,7 @@ static int ExecuteMode(int mode, int slot) {
//default first mode is simulate
case LF_RWSB_MODE_READ:
Dbprintf("[=] >> Read mode started <<");
CmdEM410xdemod(1, &high[slot], &low[slot]);
lf_em410x_watch(1, &high[slot], &low[slot]);
LED_Update(mode, slot);
Dbprintf("[=] >> Tag found. Saving. <<");
FlashLEDs(100, 5);
@ -272,11 +272,11 @@ static int ExecuteMode(int mode, int slot) {
return LF_RWSB_UNKNOWN_RESULT;
case LF_RWSB_MODE_WRITE:
Dbprintf("[!!] >> Write mode started <<");
WriteEM410x(LF_RWSB_T55XX_TYPE, (uint32_t)(low[slot] >> 32), (uint32_t)(low[slot] & 0xffffffff));
copy_em410x_to_t55xx(LF_RWSB_T55XX_TYPE, LF_CLOCK, (uint32_t)(low[slot] >> 32), (uint32_t)(low[slot] & 0xffffffff));
return LF_RWSB_UNKNOWN_RESULT;
case LF_RWSB_MODE_BRUTE:
Dbprintf("[=] >> Bruteforce mode started <<");
return ButeEMTag(low[slot], slot);
return BruteEMTag(low[slot], slot);
}
return LF_RWSB_UNKNOWN_RESULT;
}

78
armsrc/Standalone/lf_em4100rwc.c
View file

@ -48,7 +48,7 @@ void ModInfo(void) {
DbpString(" LF EM4100 read/write/clone mode");
}
static uint64_t ReversQuads(uint64_t bits) {
static uint64_t rev_quads(uint64_t bits) {
uint64_t result = 0;
for (int i = 0; i < 16; i++) {
result += ((bits >> (60 - 4 * i)) & 0xf) << (4 * i);
@ -56,35 +56,41 @@ static uint64_t ReversQuads(uint64_t bits) {
return result >> 24;
}
static void FillBuff(uint8_t bit) {
static void fillbuff(uint8_t bit) {
memset(bba + buflen, bit, CLOCK / 2);
buflen += (CLOCK / 2);
memset(bba + buflen, bit ^ 1, CLOCK / 2);
buflen += (CLOCK / 2);
}
static void ConstructEM410xEmulBuf(uint64_t id) {
static void construct_EM410x_emul(uint64_t id) {
int i, j, binary[4], parity[4];
int binary[4] = {0};
int parity[4] = {0};
buflen = 0;
for (i = 0; i < 9; i++)
FillBuff(1);
parity[0] = parity[1] = parity[2] = parity[3] = 0;
for (i = 0; i < 10; i++) {
for (j = 3; j >= 0; j--, id /= 2)
for (uint8_t i = 0; i < 9; i++)
fillbuff(1);
for (uint8_t i = 0; i < 10; i++) {
for (uint8_t j = 3; j > 0; j--, id /= 2)
binary[j] = id % 2;
for (j = 0; j < 4; j++)
FillBuff(binary[j]);
FillBuff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
for (j = 0; j < 4; j++)
for (uint8_t j = 0; j < 4; j++)
fillbuff(binary[j]);
fillbuff(binary[0] ^ binary[1] ^ binary[2] ^ binary[3]);
for (uint8_t j = 0; j < 4; j++)
parity[j] ^= binary[j];
}
for (j = 0; j < 4; j++)
FillBuff(parity[j]);
FillBuff(0);
for (uint8_t j = 0; j < 4; j++)
fillbuff(parity[j]);
fillbuff(0);
}
static void LED_Slot(int i) {
static void led_slot(int i) {
LEDsoff();
if (slots_count > 4) {
LED(i % MAX_IND, 0); //binary indication, usefully for slots_count > 4
@ -93,8 +99,8 @@ static void LED_Slot(int i) {
}
}
static void FlashLEDs(uint32_t speed, uint8_t times) {
for (int i = 0; i < times * 2; i++) {
static void flash_leds(uint32_t speed, uint8_t times) {
for (uint16_t i = 0; i < times * 2; i++) {
LED_A_INV();
LED_B_INV();
LED_C_INV();
@ -132,24 +138,28 @@ void RunMod(void) {
uint8_t state = 0;
slots_count = ARRAYLEN(low);
bba = BigBuf_get_addr();
LED_Slot(selected);
led_slot(selected);
for (;;) {
WDT_HIT();
if (data_available()) break;
int button_pressed = BUTTON_HELD(1000);
SpinDelay(300);
switch (state) {
case 0:
// Select mode
if (button_pressed == BUTTON_HOLD) {
// Long press - switch to simulate mode
SpinUp(100);
LED_Slot(selected);
led_slot(selected);
state = 2;
} else if (button_pressed == BUTTON_SINGLE_CLICK) {
// Click - switch to next slot
selected = (selected + 1) % slots_count;
LED_Slot(selected);
led_slot(selected);
}
break;
case 1:
@ -157,12 +167,12 @@ void RunMod(void) {
if (button_pressed == BUTTON_HOLD) {
// Long press - switch to read mode
SpinUp(100);
LED_Slot(selected);
led_slot(selected);
state = 3;
} else if (button_pressed == BUTTON_SINGLE_CLICK) {
// Click - exit to select mode
CmdEM410xdemod(1, &high[selected], &low[selected]);
FlashLEDs(100, 5);
lf_em410x_watch(1, &high[selected], &low[selected]);
flash_leds(100, 5);
#ifdef WITH_FLASH
SaveIDtoFlash(selected, low[selected]);
#endif
@ -174,15 +184,17 @@ void RunMod(void) {
if (button_pressed == BUTTON_HOLD) {
// Long press - switch to read mode
SpinDown(100);
LED_Slot(selected);
led_slot(selected);
state = 1;
} else if (button_pressed == BUTTON_SINGLE_CLICK) {
// Click - start simulating. Click again to exit from simulate mode
LED_Slot(selected);
ConstructEM410xEmulBuf(ReversQuads(low[selected]));
FlashLEDs(100, 5);
led_slot(selected);
construct_EM410x_emul(rev_quads(low[selected]));
flash_leds(100, 5);
SimulateTagLowFrequency(buflen, 0, 1);
LED_Slot(selected);
led_slot(selected);
state = 0; // Switch to select mode
}
break;
@ -191,12 +203,12 @@ void RunMod(void) {
if (button_pressed == BUTTON_HOLD) {
// Long press - switch to select mode
SpinDown(100);
LED_Slot(selected);
led_slot(selected);
state = 0;
} else if (button_pressed == BUTTON_SINGLE_CLICK) {
// Click - write ID to tag
WriteEM410x(0, (uint32_t)(low[selected] >> 32), (uint32_t)(low[selected] & 0xffffffff));
LED_Slot(selected);
copy_em410x_to_t55xx(0, CLOCK, (uint32_t)(low[selected] >> 32), (uint32_t)(low[selected] & 0xffffffff));
led_slot(selected);
state = 0; // Switch to select mode
}
break;

2
armsrc/Standalone/lf_hidbrute.c
View file

@ -75,7 +75,7 @@ void RunMod(void) {
// record
DbpString("[=] starting recording");
CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
lf_hid_watch(1, &high[selected], &low[selected]);
Dbprintf("[=] recorded %x %x %08x", selected, high[selected], low[selected]);
LEDsoff();

5
armsrc/Standalone/lf_proxbrute.c
View file

@ -56,9 +56,8 @@ void RunMod(void) {
DbpString("[=] starting recording");
// findone, high, low, no ledcontrol (A)
CmdHIDdemodFSK(1, &high, &low, 0);
// findone, high, low
lf_hid_watch(1, &high, &low);
Dbprintf("[=] recorded | %x%08x", high, low);

2
armsrc/Standalone/lf_samyrun.c
View file

@ -77,7 +77,7 @@ void RunMod(void) {
// findone, high, low, no ledcontrol (A)
uint32_t hi = 0, lo = 0;
CmdHIDdemodFSK(1, &hi, &lo, 0);
lf_hid_watch(1, &hi, &lo);
high[selected] = hi;
low[selected] = lo;

21
armsrc/appmain.c
View file

@ -29,6 +29,7 @@
#include "felica.h"
#include "hitag2.h"
#include "hitagS.h"
#include "em4x50.h"
#include "iclass.h"
#include "legicrfsim.h"
#include "epa.h"
@ -454,6 +455,11 @@ static void SendCapabilities(void) {
#else
capabilities.compiled_with_hitag = false;
#endif
#ifdef WITH_EM4x50
capabilities.compiled_with_em4x50 = true;
#else
capabilities.compiled_with_em4x50 = false;
#endif
#ifdef WITH_HFSNIFF
capabilities.compiled_with_hfsniff = true;
#else
@ -1000,6 +1006,21 @@ static void PacketReceived(PacketCommandNG *packet) {
}
#endif
#ifdef WITH_EM4x50
case CMD_LF_EM4X50_INFO: {
em4x50_info((em4x50_data_t *)packet->data.asBytes);
break;
}
case CMD_LF_EM4X50_WRITE: {
em4x50_write((em4x50_data_t *)packet->data.asBytes);
break;
}
case CMD_LF_EM4X50_WRITE_PASSWORD: {
em4x50_write_password((em4x50_data_t *)packet->data.asBytes);
break;
}
#endif
#ifdef WITH_ISO15693
case CMD_HF_ISO15693_ACQ_RAW_ADC: {
AcquireRawAdcSamplesIso15693();

911
armsrc/em4x50.c Normal file
View file

@ -0,0 +1,911 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2020 tharexde
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x50 commands
//-----------------------------------------------------------------------------
#include "fpgaloader.h"
#include "ticks.h"
#include "dbprint.h"
#include "lfadc.h"
#include "commonutil.h"
#include "em4x50.h"
// 4 data bytes
// + byte with row parities
// + column parity byte
// + byte with stop bit
static em4x50_tag_t tag = {
.sectors = {
[0] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // password
[1] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // protection word
[2] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // control word
[3] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[4] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[5] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[7] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[9] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[10] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[11] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[12] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[13] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[14] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[15] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[17] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[18] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[19] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[20] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[21] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[22] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[23] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[24] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[25] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[26] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[27] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[28] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[29] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[30] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[31] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // user
[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device serial number
[33] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, // device identification
},
};
// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
// EM4x50 units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
// T0 = TIMER_CLOCK1 / 125000 = 192
#ifndef T0
#define T0 192
#endif
#define EM4X50_T_TAG_QUARTER_PERIOD 16
#define EM4X50_T_TAG_HALF_PERIOD 32
#define EM4X50_T_TAG_THREE_QUARTER_PERIOD 48
#define EM4X50_T_TAG_FULL_PERIOD 64
#define EM4X50_T_WAITING_FOR_LIW 500
#define EM4X50_T_TAG_TPP 64
#define EM4X50_T_TAG_TWA 64
#define EM4X50_TAG_TOLERANCE 8
#define EM4X50_TAG_WORD 45
#define EM4X50_BIT_0 0
#define EM4X50_BIT_1 1
#define EM4X50_BIT_OTHER 2
#define EM4X50_COMMAND_LOGIN 0x01
#define EM4X50_COMMAND_RESET 0x80
#define EM4X50_COMMAND_WRITE 0x12
#define EM4X50_COMMAND_WRITE_PASSWORD 0x11
#define EM4X50_COMMAND_SELECTIVE_READ 0x0A
#define FPGA_TIMER_0 0
int gHigh = 0;
int gLow = 0;
// auxiliary functions
static void init_tag(void) {
// initialize global tag structure
for (int i = 0; i < 34; i++)
for (int j = 0; j < 7; j++)
tag.sectors[i][j] = 0x00;
}
static uint8_t bits2byte(uint8_t *bits, int length) {
// converts <length> separate bits into a single "byte"
uint8_t byte = 0;
for (int i = 0; i < length; i++) {
byte |= bits[i];
if (i != length-1)
byte <<= 1;
}
return byte;
}
static void msb2lsb_word(uint8_t *word) {
// reorders given <word> according to EM4x50 datasheet (msb -> lsb)
uint8_t buff[4];
buff[0] = reflect8(word[3]);
buff[1] = reflect8(word[2]);
buff[2] = reflect8(word[1]);
buff[3] = reflect8(word[0]);
word[0] = buff[0];
word[1] = buff[1];
word[2] = buff[2];
word[3] = buff[3];
}
static void save_word(int pos, uint8_t bits[EM4X50_TAG_WORD]) {
// split "raw" word into data, row and column parity bits and stop bit and
// save them in global tag structure
uint8_t row_parity[4];
uint8_t col_parity[8];
// data and row parities
for (int i = 0; i < 4; i++) {
tag.sectors[pos][i] = bits2byte(&bits[9*i],8);
row_parity[i] = bits[9*i+8];
}
tag.sectors[pos][4] = bits2byte(row_parity,4);
// column parities
for (int i = 0; i < 8; i++)
col_parity[i] = bits[36+i];
tag.sectors[pos][5] = bits2byte(col_parity,8);
// stop bit
tag.sectors[pos][6] = bits[44];
}
static void wait_timer(int timer, uint32_t period) {
// do nothing for <period> using timer <timer>
if (timer == FPGA_TIMER_0) {
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
while (AT91C_BASE_TC0->TC_CV < period);
} else {
AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
while (AT91C_BASE_TC1->TC_CV < period);
}
}
static void em4x50_setup_read(void) {
FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
// 50ms for the resonant antenna to settle.
SpinDelay(50);
// Now set up the SSC to get the ADC samples that are now streaming at us.
FpgaSetupSsc();
// start a 1.5ticks is 1us
StartTicks();
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);
// Connect the A/D to the peak-detected low-frequency path.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
// Steal this pin from the SSP (SPI communication channel with fpga) and
// use it to control the modulation
AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
// Disable modulation at default, which means enable the field
LOW(GPIO_SSC_DOUT);
// Enable Peripheral Clock for
// TIMER_CLOCK0, used to measure exact timing before answering
// TIMER_CLOCK1, used to capture edges of the tag frames
AT91C_BASE_PMC->PMC_PCER |= (1 << AT91C_ID_TC0) | (1 << AT91C_ID_TC1);
AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
// Disable timer during configuration
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
// TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
// TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
// Enable and reset counters
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
// synchronized startup procedure
while (AT91C_BASE_TC0->TC_CV > 0) {}; // wait until TC1 returned to zero
// Watchdog hit
WDT_HIT();
}
// functions for "reader" use case
static void get_signalproperties(void) {
// calculate signal properties (mean amplitudes) from measured data:
// 32 amplitudes (maximum values) -> mean amplitude value -> gHigh -> gLow
int no_periods = 32, pct = 75, noise = 140;
uint8_t sample = 0, sample_ref = 127;
uint8_t sample_max_mean = 0;
uint8_t sample_max[no_periods];
uint32_t sample_max_sum = 0;
// wait until signal/noise > 1
while (AT91C_BASE_SSC->SSC_RHR < noise);
// calculate mean maximum value of 32 periods, each period has a length of
// 3 single "full periods" to eliminate the influence of a listen window
for (int i = 0; i < no_periods; i++) {
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
while (AT91C_BASE_TC0->TC_CV < T0 * 3 * EM4X50_T_TAG_FULL_PERIOD) {
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
if (sample > sample_max[i])
sample_max[i] = sample;
}
sample_max_sum += sample_max[i];
}
sample_max_mean = sample_max_sum / no_periods;
// set global envelope variables
gHigh = sample_ref + pct * (sample_max_mean - sample_ref) / 100;
gLow = sample_ref - pct * (sample_max_mean - sample_ref) / 100;
}
static int get_next_bit(void) {
// returns bit value (or EM4X50_BIT_OTHER -> no bit pattern) by evaluating
// a single sample within a bit period (given there is no LIW, ACK or NAK)
// This function is not used for decoding, it is only used for identifying
// a listen window (return value = EM4X50_BIT_OTHER) in functions
// "find_double_listen_window" and "check_ack"
uint8_t sample;
// get sample at 3/4 of bit period
wait_timer(0, T0 * EM4X50_T_TAG_THREE_QUARTER_PERIOD);
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
// wait until end of bit period
wait_timer(0, T0 * EM4X50_T_TAG_QUARTER_PERIOD);
// decide wether "0" or "1"
if (sample > gHigh)
return EM4X50_BIT_0;
else if (sample < gLow)
return EM4X50_BIT_1;
return EM4X50_BIT_OTHER;
}
static uint32_t get_pulse_length(void) {
// iterates pulse length (low -> high -> low)
uint8_t sample = 0;
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
while (sample > gLow)
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
while (sample < gHigh)
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
while (sample > gLow)
sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
return (uint32_t)AT91C_BASE_TC1->TC_CV;
}
static bool check_pulse_length(uint32_t pl, int length) {
// check if pulse length <pl> corresponds to given length <length>
if ((pl >= T0 * (length - EM4X50_TAG_TOLERANCE)) &
(pl <= T0 * (length + EM4X50_TAG_TOLERANCE)))
return true;
else
return false;
}
static void em4x50_send_bit(int bit) {
// send single bit according to EM4x50 application note and datasheet
// reset clock for the next bit
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
if (bit == 0) {
// disable modulation (drop the field) for 7 cycles of carrier
// period (Opt64)
LOW(GPIO_SSC_DOUT);
while (AT91C_BASE_TC0->TC_CV < T0 * 7);
// enable modulation (activates the field) for remaining first
// half of bit period
HIGH(GPIO_SSC_DOUT);
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_HALF_PERIOD);
// disable modulation for second half of bit period
LOW(GPIO_SSC_DOUT);
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD);
} else {
// bit = "1" means disable modulation for full bit period
LOW(GPIO_SSC_DOUT);
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_TAG_FULL_PERIOD);
}
}
static void em4x50_send_byte(uint8_t byte) {
// send byte (without parity)
for (int i = 0; i < 8; i++)
em4x50_send_bit((byte >> (7-i)) & 1);
}
static void em4x50_send_byte_with_parity(uint8_t byte) {
// send byte followed by its (equal) parity bit
int parity = 0, bit = 0;
for (int i = 0; i < 8; i++) {
bit = (byte >> (7-i)) & 1;
em4x50_send_bit(bit);
parity ^= bit;
}
em4x50_send_bit(parity);
}
static void em4x50_send_word(const uint8_t bytes[4]) {
// send 32 bit word with parity bits according to EM4x50 datasheet
for (int i = 0; i < 4; i++)
em4x50_send_byte_with_parity(bytes[i]);
// send column parities
em4x50_send_byte(bytes[0] ^ bytes[1] ^ bytes[2] ^ bytes[3]);
// send final stop bit (always "0")
em4x50_send_bit(0);
}
static bool find_double_listen_window(bool bcommand) {
// find two successive listen windows that indicate the beginning of
// data transmission
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
while (AT91C_BASE_TC0->TC_CV < T0 * EM4X50_T_WAITING_FOR_LIW) {
// identification of listen window is done via evaluation of
// pulse lengths
if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
// first listen window found
if (bcommand) {
// data transmission from card has to be stopped, because
// a commamd shall be issued
// unfortunately the posititon in listen window (where
// command request has to be sent) has gone, so if a
// second window follows - sync on this to issue a command
// skip the next bit...
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_FULL_PERIOD);
// ...and check if the following bit does make sense
// (if not it is the correct position within the second
// listen window)
if (get_next_bit() == EM4X50_BIT_OTHER) {
// send RM for request mode
em4x50_send_bit(0);
em4x50_send_bit(0);
return true;
}
}
if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
// return although second listen window consists of one
// more bit period but this period is necessary for
// evaluating further pulse lengths
return true;
}
}
}
}
return false;
}
static bool request_receive_mode(void) {
// To issue a command we have to find a listen window first.
// Because identification and sychronization at the same time is not
// possible when using pulse lengths a double listen window is used.
bool bcommand = true;
return find_double_listen_window(bcommand);
}
static bool check_ack(bool bliw) {
// returns true if signal structue corresponds to ACK, anything else is
// counted as NAK (-> false)
// Only relevant for pasword writing function:
// If <bliw> is true then within the single listen window right after the
// ack signal a RM request has to be sent.
AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
while (AT91C_BASE_TC0->TC_CV < T0 * 4 * EM4X50_T_TAG_FULL_PERIOD) {
if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
// The received signal is either ACK or NAK.
if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
// Now the signal must be ACK.
if (!bliw) {
return true;
} else {
// send RM request after ack signal
// wait for 2 bits (remaining "bit" of ACK signal + first
// "bit" of listen window)
wait_timer(FPGA_TIMER_0, T0 * 2 * EM4X50_T_TAG_FULL_PERIOD);
// check for listen window (if first bit cannot be inerpreted
// as a valid bit it must belong to a listen window)
if (get_next_bit() == EM4X50_BIT_OTHER) {
// send RM for request mode
em4x50_send_bit(0);
em4x50_send_bit(0);
return true;
}
}
}
}
}
return false;
}
static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) {
// decodes one word by evaluating pulse lengths and previous bit;
// word must have 45 bits in total:
// 32 data bits + 4 row parity bits + 8 column parity bits + 1 stop bit
bool bbitchange = false;
int i = 0;
uint32_t pl = 0;
// initial bit value depends on last pulse length of listen window
pl = get_pulse_length();
if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) {
// pulse length = 1.5
bits[0] = 1;
} else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) {
// pulse length = 2
bits[0] = 0;
bbitchange = true;
} else {
// pulse length = 2.5
bits[0] = 0;
bits[1] = 1;
i++;
}
// identify remaining bits based on pulse lengths
// between two listen windows only pulse lengths of 1, 1.5 and 2 are possible
while (true) {
i++;
pl = get_pulse_length();
if (check_pulse_length(pl, EM4X50_T_TAG_FULL_PERIOD)) {
// pulse length = 1 -> keep former bit value
bits[i] = bits[i-1];
} else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) {
// pulse length = 1.5 -> decision on bit change
if (bbitchange) {
// if number of pulse lengths with 1.5 periods is even -> add bit
bits[i] = (bits[i-1] == 1) ? 1 : 0;
// pulse length of 1.5 changes bit value
bits[i+1] = (bits[i] == 1) ? 0 : 1;
i++;
// next time add only one bit
bbitchange = false;
} else {
bits[i] = (bits[i-1] == 1) ? 0 : 1;
// next time two bits have to be added
bbitchange = true;
}
} else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) {
// pulse length of 2 means: adding 2 bits "01"
bits[i] = 0;
bits[i+1] = 1;
i++;
} else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_FULL_PERIOD)) {
// pulse length of 3 indicates listen window -> clear last
// bit (= 0) and return
return --i;
}
}
}
// login function
static bool login(uint8_t password[4]) {
// simple login to EM4x50,
// used in operations that require authentication
if (request_receive_mode ()) {
// send login command
em4x50_send_byte_with_parity(EM4X50_COMMAND_LOGIN);
// send password
em4x50_send_word(password);
// check if ACK is returned
if (check_ack(false))
return true;
} else {
if (DBGLEVEL >= DBG_ERROR)
Dbprintf("error in command request");
}
return false;
}
// reset function
static bool reset(void) {
// resets EM4x50 tag (used by write function)
if (request_receive_mode ()) {
// send login command
em4x50_send_byte_with_parity(EM4X50_COMMAND_RESET);
if (check_ack(false))
return true;
} else {
if (DBGLEVEL >= DBG_ERROR)
Dbprintf("error in command request");
}
return false;
}
// read functions
static bool standard_read(int *now) {
// reads data that tag transmits when exposed to reader field
// (standard read mode); number of read words is saved in <now>
int fwr = *now;
uint8_t bits[EM4X50_TAG_WORD] = {0};
// start with the identification of two succsessive listening windows
if (find_double_listen_window(false)) {
// read and save words until following double listen window is detected
while (get_word_from_bitstream(bits) == EM4X50_TAG_WORD)
save_word((*now)++, bits);
// number of detected words
*now -= fwr;
return true;
} else {
if (DBGLEVEL >= DBG_ERROR)
Dbprintf("didn't find a listen window");
}
return false;
}
static bool selective_read(uint8_t addresses[4]) {
// reads from "first word read" (fwr = addresses[3]) to "last word read"
// (lwr = addresses[2])
// result is verified by "standard read mode"
int fwr = addresses[3]; // first word read
int lwr = addresses[2]; // last word read
int now = fwr; // number of words
if (request_receive_mode()) {
// send selective read command
em4x50_send_byte_with_parity(EM4X50_COMMAND_SELECTIVE_READ);
// send address data
em4x50_send_word(addresses);
// look for ACK sequence
if (check_ack(false))
// save and verify via standard read mode (compare number of words)
if (standard_read(&now))
if (now == (lwr - fwr + 1))
return true;
} else {
if (DBGLEVEL >= DBG_ERROR)
Dbprintf("error in command request");
}
return false;
}
void em4x50_info(em4x50_data_t *etd) {
// collects as much information as possible via selective read mode
// if no password is given -> try with standard password "0x00000000"
// otherwise continue without login
bool bsuccess = false, blogin = false;
uint8_t status = 0;
uint8_t addresses[] = {0x00, 0x00, 0x21, 0x00}; // fwr = 0, lwr = 33
uint8_t password[] = {0x00, 0x00, 0x00, 0x00}; // default password
init_tag();
em4x50_setup_read();
// set gHigh and gLow
get_signalproperties();
if (etd->pwd_given) {
// try to login with given password
blogin = login(etd->password);
} else {
// if no password is given, try to login with "0x00000000"
blogin = login(password);
}
bsuccess = selective_read(addresses);
status = (bsuccess << 1) + blogin;
lf_finalize();
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
}
// write functions
static bool write(uint8_t word[4], uint8_t address) {
// writes <word> to specified <address>
if (request_receive_mode()) {
// send write command
em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE);
// send address data
em4x50_send_byte_with_parity(address);
// send data
em4x50_send_word(word);
// wait for T0 * EM4X50_T_TAG_TWA (write access time)
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA);
// look for ACK sequence
if (check_ack(false)) {
// now EM4x50 needs T0 * EM4X50_T_TAG_TWEE (EEPROM write time)
// for saving data and should return with ACK
if (check_ack(false))
return true;
}
} else {
if (DBGLEVEL >= DBG_ERROR)
Dbprintf("error in command request");
}
return false;
}
static bool write_password(uint8_t password[4], uint8_t new_password[4]) {
// changes password from <password> to <new_password>
if (request_receive_mode()) {
// send write password command
em4x50_send_byte_with_parity(EM4X50_COMMAND_WRITE_PASSWORD);
// send address data
em4x50_send_word(password);
// wait for T0 * EM4x50_T_TAG_TPP (processing pause time)
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TPP);
// look for ACK sequence and send rm request
// during following listen window
if (check_ack(true)) {
// send new password
em4x50_send_word(new_password);
// wait for T0 * EM4X50_T_TAG_TWA (write access time)
wait_timer(FPGA_TIMER_0, T0 * EM4X50_T_TAG_TWA);
if (check_ack(false))
if (check_ack(false))
return true;
}
} else {
if (DBGLEVEL >= DBG_ERROR)
Dbprintf("error in command request");
}
return false;
}
void em4x50_write(em4x50_data_t *etd) {
// write operation process for EM4x50 tag,
// single word is written to given address, verified by selective read operation
bool bsuccess = false, blogin = false;
uint8_t status = 0;
uint8_t word[4] = {0x00, 0x00, 0x00, 0x00};
uint8_t addresses[4] = {0x00, 0x00, 0x00, 0x00};
init_tag();
em4x50_setup_read();
// set gHigh and gLow
get_signalproperties();
// reorder word according to datasheet
msb2lsb_word(etd->word);
// if password is given try to login first
if (etd->pwd_given)
blogin = login(etd->password);
// write word to given address
if (write(etd->word, etd->address)) {
// to verify result reset EM4x50
if (reset()) {
// if password is given login
if (etd->pwd_given)
blogin &= login(etd->password);
// perform a selective read
addresses[2] = addresses[3] = etd->address;
if (selective_read(addresses)) {
// compare with given word
word[0] = tag.sectors[etd->address][0];
word[1] = tag.sectors[etd->address][1];
word[2] = tag.sectors[etd->address][2];
word[3] = tag.sectors[etd->address][3];
msb2lsb_word(word);
bsuccess = true;
for (int i = 0; i < 4; i++)
bsuccess &= (word[i] == etd->word[i]) ? true : false;
}
}
}
status = (bsuccess << 1) + blogin;
lf_finalize();
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
}
void em4x50_write_password(em4x50_data_t *etd) {
// sinmple change of password
bool bsuccess = false;
init_tag();
em4x50_setup_read();
// set gHigh and gLow
get_signalproperties();
// login and change password
if (login(etd->password)) {
bsuccess = write_password(etd->password, etd->new_password);
}
lf_finalize();
reply_ng(CMD_ACK, bsuccess, 0, 0);
}

24
armsrc/em4x50.h Normal file
View file

@ -0,0 +1,24 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2020 tharexde
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x50 commands
//-----------------------------------------------------------------------------
#ifndef EM4X50_H
#define EM4X50_H
#include "../include/em4x50.h"
typedef struct {
uint8_t sectors[34][7];
} em4x50_tag_t;
void em4x50_info(em4x50_data_t *etd);
void em4x50_write(em4x50_data_t *etd);
void em4x50_write_password(em4x50_data_t *etd);
#endif /* EM4X50_H */

52
armsrc/hitag2.c
View file

@ -36,7 +36,7 @@
#include "lfsampling.h"
#include "lfdemod.h"
#include "commonutil.h"
#include "appmain.h"
#define test_bit(data, i) (*(data + (i/8)) >> (7-(i % 8))) & 1
#define set_bit(data, i) *(data + (i/8)) |= (1 << (7-(i % 8)))
@ -1002,15 +1002,20 @@ void SniffHitag2(void) {
size_t periods = 0;
uint8_t periods_bytes[4];
int16_t checked = 0;
// int16_t checked = 0;
/*bool waiting_for_first_edge = true;*/
LED_C_ON();
uint32_t signal_size = 10000;
while (!BUTTON_PRESS()) {
// use malloc
initSampleBufferEx(&signal_size, false);
WDT_HIT();
/*
// only every 1000th times, in order to save time when collecting samples.
if (checked == 1000) {
if (data_available()) {
@ -1021,13 +1026,14 @@ void SniffHitag2(void) {
}
}
++checked;
*/
// Receive frame, watch for at most T0*EOF periods
// lf_reset_counter();
// Wait "infinite" for reader modulation
periods = lf_detect_gap(20000);
periods = lf_detect_gap(10000);
// Test if we detected the first reader modulation edge
if (periods != 0) {
@ -1042,7 +1048,6 @@ void SniffHitag2(void) {
num_to_bytes(periods, 4, periods_bytes);
LogTrace(periods_bytes, 4, 0, 0, NULL, true);
}
}
lf_finalize();
@ -1064,7 +1069,7 @@ void SimulateHitag2(bool tag_mem_supplied, uint8_t *data) {
int response = 0;
uint8_t rx[HITAG_FRAME_LEN] = {0};
size_t rxlen = 0;
uint8_t tx[HITAG_FRAME_LEN];
uint8_t tx[HITAG_FRAME_LEN] = {0};
size_t txlen = 0;
auth_table_len = 0;
@ -1108,8 +1113,11 @@ void SimulateHitag2(bool tag_mem_supplied, uint8_t *data) {
// int16_t checked = 0;
// SIMULATE
uint32_t signal_size = 10000;
while (BUTTON_PRESS() == false) {
while (!BUTTON_PRESS()) {
// use malloc
initSampleBufferEx(&signal_size, true);
LED_D_ON();
@ -1283,9 +1291,9 @@ void ReaderHitag(hitag_function htf, hitag_data *htd) {
uint32_t command_start = 0, command_duration = 0;
uint32_t response_start = 0, response_duration = 0;
uint8_t rx[HITAG_FRAME_LEN];
uint8_t rx[HITAG_FRAME_LEN] = {0};
size_t rxlen = 0;
uint8_t txbuf[HITAG_FRAME_LEN];
uint8_t txbuf[HITAG_FRAME_LEN] = {0};
uint8_t *tx = txbuf;
size_t txlen = 0;
@ -1430,12 +1438,17 @@ void ReaderHitag(hitag_function htf, hitag_data *htd) {
size_t nrzs = 0;
int16_t checked = 0;
while (!bStop && !BUTTON_PRESS()) {
uint32_t signal_size = 10000;
while (bStop == false && BUTTON_PRESS() == false) {
// use malloc
initSampleBufferEx(&signal_size, true);
WDT_HIT();
// only every 1000th times, in order to save time when collecting samples.
if (checked == 1000) {
if (checked == 4000) {
if (data_available()) {
checked = -1;
break;
@ -1615,13 +1628,13 @@ void ReaderHitag(hitag_function htf, hitag_data *htd) {
}
// Pack the response into a byte array
for (size_t i = 5; i < nrzs; i++) {
for (size_t i = 5; i < nrzs && rxlen < (sizeof(rx) << 3); i++) {
uint8_t bit = nrz_samples[i];
if (bit > 1) { // When Manchester detects impossible symbol it writes "7"
DBG Dbprintf("Error in Manchester decoding, abort");
break;
}
rx[rxlen / 8] |= bit << (7 - (rxlen % 8));
rx[rxlen >> 3] |= bit << (7 - (rxlen % 8));
rxlen++;
}
@ -1756,10 +1769,14 @@ void WriterHitag(hitag_function htf, hitag_data *htd, int page) {
size_t nrzs = 0;
int16_t checked = 0;
while (!bStop && !BUTTON_PRESS()) {
uint32_t signal_size = 10000;
while (bStop == false && BUTTON_PRESS() == false) {
// only every 1000th times, in order to save time when collecting samples.
if (checked == 1000) {
// use malloc
initSampleBufferEx(&signal_size, true);
// only every 4000th times, in order to save time when collecting samples.
if (checked == 4000) {
if (data_available()) {
checked = -1;
break;
@ -1920,12 +1937,13 @@ void WriterHitag(hitag_function htf, hitag_data *htd, int page) {
}
// Pack the response into a byte array
for (size_t i = 5; i < nrzs; i++) {
for (size_t i = 5; i < nrzs && rxlen < (sizeof(rx) << 3); i++) {
uint8_t bit = nrz_samples[i];
if (bit > 1) { // When Manchester detects impossible symbol it writes "7"
break;
}
rx[rxlen / 8] |= bit << (7 - (rxlen % 8));
// >> 3 instead of div by 8
rx[rxlen >> 3] |= bit << (7 - (rxlen % 8));
rxlen++;
}

50
armsrc/lfadc.c
View file

@ -11,6 +11,7 @@
#include "fpgaloader.h"
#include "ticks.h"
#include "dbprint.h"
#include "appmain.h"
// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
@ -72,27 +73,11 @@ void lf_sample_mean(void) {
static size_t lf_count_edge_periods_ex(size_t max, bool wait, bool detect_gap) {
size_t periods = 0;
volatile uint8_t adc_val;
uint8_t avg_peak = adc_avg + 3, avg_through = adc_avg - 3;
// int16_t checked = 0;
while (!BUTTON_PRESS()) {
// only every 100th times, in order to save time when collecting samples.
/*
if (checked == 1000) {
if (data_available()) {
break;
} else {
checked = 0;
}
}
++checked;
*/
WDT_HIT();
while (BUTTON_PRESS() == false) {
if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
adc_val = AT91C_BASE_SSC->SSC_RHR;
volatile uint8_t adc_val = AT91C_BASE_SSC->SSC_RHR;
periods++;
if (g_logging) logSampleSimple(adc_val);
@ -105,6 +90,7 @@ static size_t lf_count_edge_periods_ex(size_t max, bool wait, bool detect_gap) {
if (adc_val == 0) {
return periods;
}
} else {
// Trigger on a modulation swap by observing an edge change
if (rising_edge) {
@ -125,6 +111,7 @@ static size_t lf_count_edge_periods_ex(size_t max, bool wait, bool detect_gap) {
if (periods >= max) return 0;
}
}
if (g_logging) logSampleSimple(0xFF);
return 0;
}
@ -161,6 +148,7 @@ bool lf_get_reader_modulation(void) {
}
void lf_wait_periods(size_t periods) {
// wait detect gap
lf_count_edge_periods_ex(periods, true, false);
}
@ -250,23 +238,22 @@ void lf_finalize(void) {
}
size_t lf_detect_field_drop(size_t max) {
/*
size_t periods = 0;
// int16_t checked = 0;
while (!BUTTON_PRESS()) {
while (BUTTON_PRESS() == false) {
/*
// only every 1000th times, in order to save time when collecting samples.
if (checked == 1000) {
if (data_available()) {
checked = -1;
break;
} else {
checked = 0;
}
}
++checked;
*/
// // only every 1000th times, in order to save time when collecting samples.
// if (checked == 4000) {
// if (data_available()) {
// checked = -1;
// break;
// } else {
// checked = 0;
// }
// }
// ++checked;
WDT_HIT();
@ -284,6 +271,7 @@ size_t lf_detect_field_drop(size_t max) {
if (periods == max) return 0;
}
}
*/
return 0;
}

108
armsrc/lfsampling.c
View file

@ -16,6 +16,7 @@
#include "util.h"
#include "lfdemod.h"
#include "string.h" // memset
#include "appmain.h" // print stack
/*
Default LF config is set to:
@ -29,6 +30,12 @@ Default LF config is set to:
*/
static sample_config config = { 1, 8, 1, LF_DIVISOR_125, 0, 0, 1} ;
// Holds bit packed struct of samples.
static BitstreamOut data = {0, 0, 0};
// internal struct to keep track of samples gathered
static sampling_t samples = {0, 0, 0, 0};
void printConfig(void) {
uint32_t d = config.divisor;
DbpString(_CYAN_("LF Sampling config"));
@ -38,6 +45,18 @@ void printConfig(void) {
Dbprintf(" [a] averaging...........%s", (config.averaging) ? "Yes" : "No");
Dbprintf(" [t] trigger threshold...%d", config.trigger_threshold);
Dbprintf(" [s] samples to skip.....%d ", config.samples_to_skip);
DbpString(_CYAN_("LF Sampling Stack"));
print_stack_usage();
}
void printSamples(void) {
DbpString(_CYAN_("LF Sampling memory"));
Dbprintf(" decimation counter.....%d ", samples.dec_counter);
Dbprintf(" sum.....%u ", samples.sum);
Dbprintf(" counter.....%u ", samples.counter);
Dbprintf(" total saved.....%u ", samples.total_saved);
print_stack_usage();
}
/**
@ -99,12 +118,6 @@ static void pushBit(BitstreamOut *stream, uint8_t bit) {
stream->numbits++;
}
// Holds bit packed struct of samples.
static BitstreamOut data = {0, 0, 0};
// internal struct to keep track of samples gathered
static sampling_t samples = {0, 0, 0, 0};
void initSampleBuffer(uint32_t *sample_size) {
initSampleBufferEx(sample_size, false);
}
@ -116,9 +129,7 @@ void initSampleBufferEx(uint32_t *sample_size, bool use_malloc) {
}
BigBuf_free();
// We can't erase the buffer now, it would drastically delay the acquisition
if (use_malloc) {
if (*sample_size == 0) {
@ -141,7 +152,7 @@ void initSampleBufferEx(uint32_t *sample_size, bool use_malloc) {
//
samples.dec_counter = 0;
samples.sum = 0;
samples.counter = 0;
samples.counter = *sample_size;
samples.total_saved = 0;
}
@ -157,13 +168,13 @@ void logSample(uint8_t sample, uint8_t decimation, uint8_t bits_per_sample, bool
if (!data.buffer) return;
if (bits_per_sample == 0) bits_per_sample = 1;
// keep track of total gather samples regardless how many was discarded.
if (samples.counter-- == 0) return;
if (bits_per_sample == 0) bits_per_sample = 1;
if (bits_per_sample > 8) bits_per_sample = 8;
if (decimation == 0) decimation = 1;
// keep track of total gather samples regardless how many was discarded.
samples.counter++;
if (avg) {
samples.sum += sample;
}
@ -224,6 +235,7 @@ void LFSetupFPGAForADC(int divisor, bool reader_field) {
// Connect the A/D to the peak-detected low-frequency path.
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
// 50ms for the resonant antenna to settle.
if (reader_field)
SpinDelay(50);
@ -255,6 +267,11 @@ uint32_t DoAcquisition(uint8_t decimation, uint8_t bits_per_sample, bool avg, in
initSampleBuffer(&sample_size);
if (DBGLEVEL >= DBG_DEBUG) {
Dbprintf("lf sampling - after init");
printSamples();
}
uint32_t cancel_counter = 0;
int16_t checked = 0;
@ -262,7 +279,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint8_t bits_per_sample, bool avg, in
// only every 1000th times, in order to save time when collecting samples.
// interruptible only when logging not yet triggered
if ((checked == 2000) && (trigger_threshold > 0)) {
if ((checked == 4000) && (trigger_threshold > 0)) {
if (data_available()) {
checked = -1;
break;
@ -306,7 +323,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint8_t bits_per_sample, bool avg, in
if (samples.total_saved >= sample_size) break;
}
}
if (checked == -1 && verbose) {
Dbprintf("lf sampling aborted");
}
@ -397,10 +414,19 @@ void doT55x7Acquisition(size_t sample_size) {
bool lowFound = false;
uint16_t checker = 0;
if (DBGLEVEL >= DBG_DEBUG) {
Dbprintf("doT55x7Acquisition - after init");
print_stack_usage();
}
while (skipCnt < 1000 && (i < bufsize)) {
if (checker == 1000) {
if (BUTTON_PRESS() || data_available())
if (BUTTON_PRESS())
break;
if (checker == 4000) {
if (data_available())
break;
else
checker = 0;
@ -462,21 +488,24 @@ void doT55x7Acquisition(size_t sample_size) {
void doCotagAcquisition(size_t sample_size) {
uint8_t *dest = BigBuf_get_addr();
uint16_t bufsize = BigBuf_max_traceLen();
if (bufsize > sample_size)
bufsize = sample_size;
uint16_t bufsize = MIN(sample_size, BigBuf_max_traceLen());
dest[0] = 0;
uint8_t firsthigh = 0, firstlow = 0;
uint16_t i = 0;
uint16_t noise_counter = 0;
uint16_t checker = 0;
uint16_t i = 0, noise_counter = 0, checker = 0;
if (DBGLEVEL >= DBG_DEBUG) {
Dbprintf("doCotagAcquisition - after init");
print_stack_usage();
}
while ((i < bufsize) && (noise_counter < (COTAG_T1 << 1))) {
if (checker == 1000) {
if (BUTTON_PRESS() || data_available())
if (BUTTON_PRESS())
break;
if (checker == 4000) {
if (data_available())
break;
else
checker = 0;
@ -530,21 +559,26 @@ void doCotagAcquisition(size_t sample_size) {
uint32_t doCotagAcquisitionManchester(void) {
uint8_t *dest = BigBuf_get_addr();
uint16_t bufsize = BigBuf_max_traceLen();
if (bufsize > COTAG_BITS)
bufsize = COTAG_BITS;
uint16_t bufsize = MIN(COTAG_BITS, BigBuf_max_traceLen());
dest[0] = 0;
uint8_t firsthigh = 0, firstlow = 0;
uint16_t sample_counter = 0, period = 0;
uint8_t curr = 0, prev = 0;
uint16_t noise_counter = 0;
uint16_t checker = 0;
uint16_t sample_counter = 0, period = 0;
uint16_t noise_counter = 0, checker = 0;
if (DBGLEVEL >= DBG_DEBUG) {
Dbprintf("doCotagAcquisitionManchester - after init");
print_stack_usage();
}
while ((sample_counter < bufsize) && (noise_counter < (COTAG_T1 << 1))) {
if (checker == 1000) {
if (BUTTON_PRESS() || data_available())
if (BUTTON_PRESS())
break;
if (checker == 4000) {
if ( data_available())
break;
else
checker = 0;

1
armsrc/lfsampling.h
View file

@ -100,5 +100,6 @@ void setSamplingConfig(sample_config *sc);
sample_config *getSamplingConfig(void);
void printConfig(void);
void printSamples(void);
#endif // __LFSAMPLING_H

42
client/CMakeLists.txt
View file

@ -63,18 +63,23 @@ if (NOT SKIPPYTHON EQUAL 1)
pkg_search_module(PYTHON3EMBED QUIET python3-embed)
endif (NOT SKIPPYTHON EQUAL 1)
# If build on android cross, we need to init source and build.
if (ANDROID)
# If cross-compiled, we need to init source and build.
if (CMAKE_TOOLCHAIN_FILE)
set(CFLAGS_EXTERNAL_LIB "CFLAGS=--target=${CMAKE_C_COMPILER_TARGET} -w")
set(EMBED_READLINE ON)
set(EMBED_BZIP2 ON)
endif (CMAKE_TOOLCHAIN_FILE)
if (EMBED_READLINE OR EMBED_BZIP2)
include(ExternalProject)
endif (ANDROID)
endif (EMBED_READLINE OR EMBED_BZIP2)
if (NOT SKIPREADLINE EQUAL 1)
if (APPLE)
find_path(READLINE_INCLUDE_DIRS readline/readline.h /usr/local/opt/readline/include /opt/local/include /opt/include /usr/local/include /usr/include NO_DEFAULT_PATH)
find_library(READLINE_LIBRARIES readline /usr/local/opt/readline/lib /opt/local/lib /opt/lib /usr/local/lib /usr/lib NO_DEFAULT_PATH)
endif (APPLE)
if (ANDROID)
if (EMBED_READLINE)
ExternalProject_Add(ncurses
URL http://ftp.gnu.org/pub/gnu/ncurses/ncurses-6.0.tar.gz
PREFIX deps/ncurses
@ -100,10 +105,10 @@ if (NOT SKIPREADLINE EQUAL 1)
ExternalProject_Add_StepTargets(readline configure build install)
set(READLINE_INCLUDE_DIRS ${CMAKE_CURRENT_BINARY_DIR}/deps/readline/src/)
set(READLINE_LIBRARIES ${CMAKE_CURRENT_BINARY_DIR}/deps/readline/src/readline/libreadline.a ${CMAKE_CURRENT_BINARY_DIR}/deps/ncurses/src/ncurses/lib/libtinfo.a)
else (ANDROID)
else (EMBED_READLINE)
find_path(READLINE_INCLUDE_DIRS readline/readline.h)
find_library(READLINE_LIBRARIES readline)
endif (ANDROID)
endif (EMBED_READLINE)
if (READLINE_INCLUDE_DIRS AND READLINE_LIBRARIES)
set(READLINE_FOUND ON)
endif (READLINE_INCLUDE_DIRS AND READLINE_LIBRARIES)
@ -122,7 +127,7 @@ if (NOT SKIPJANSSONSYSTEM EQUAL 1)
endif (JANSSON_INCLUDE_DIRS AND JANSSON_LIBRARIES)
endif (NOT SKIPJANSSONSYSTEM EQUAL 1)
if(ANDROID)
if(EMBED_BZIP2)
set(BZIP2_BUILD_DIR ${CMAKE_CURRENT_BINARY_DIR}/deps/bzip2/src/bzip2)
ExternalProject_Add(bzip2
GIT_REPOSITORY https://android.googlesource.com/platform/external/bzip2
@ -139,9 +144,9 @@ if(ANDROID)
set(BZIP2_INCLUDE_DIRS ${CMAKE_CURRENT_BINARY_DIR}/deps/bzip2/src/bzip2)
set(BZIP2_LIBRARIES ${CMAKE_CURRENT_BINARY_DIR}/deps/bzip2/src/bzip2/libbz2.a)
set(BZIP2_FOUND ON)
else()
else(EMBED_BZIP2)
find_package (BZip2 REQUIRED)
endif(ANDROID)
endif(EMBED_BZIP2)
if (NOT SKIPWHEREAMISYSTEM EQUAL 1)
find_path(WHEREAMI_INCLUDE_DIRS whereami.h)
@ -240,6 +245,7 @@ set (TARGET_SOURCES
${PM3_ROOT}/client/src/cmdlfawid.c
${PM3_ROOT}/client/src/cmdlfcotag.c
${PM3_ROOT}/client/src/cmdlfem4x.c
${PM3_ROOT}/client/src/cmdlfem4x50.c
${PM3_ROOT}/client/src/cmdlffdx.c
${PM3_ROOT}/client/src/cmdlfgallagher.c
${PM3_ROOT}/client/src/cmdlfguard.c
@ -392,6 +398,12 @@ else (SKIPBT EQUAL 1)
endif (BLUEZ_FOUND)
endif(SKIPBT EQUAL 1)
if (EMBED_BZIP2)
message("Bzip2 library: embedded")
else (EMBED_BZIP2)
message("Bzip2 library: system library found")
endif (EMBED_BZIP2)
if (SKIPJANSSONSYSTEM EQUAL 1)
message("Jansson library: local library forced")
else (SKIPJANSSONSYSTEM EQUAL 1)
@ -418,7 +430,11 @@ if (SKIPREADLINE EQUAL 1)
message("Readline library: skipped")
else (SKIPREADLINE EQUAL 1)
if (READLINE_FOUND)
message("Readline library: enabled")
if (EMBED_READLINE)
message("Readline library: embedded")
else (EMBED_READLINE)
message("Readline library: system library found")
endif (EMBED_READLINE)
else (READLINE_FOUND)
message("Readline library: Readline not found, disabled")
endif (READLINE_FOUND)
@ -442,12 +458,14 @@ add_executable(proxmark3
)
target_compile_options(proxmark3 PUBLIC -Wall -Werror -O3)
if (ANDROID)
if (EMBED_READLINE)
if (NOT SKIPREADLINE EQUAL 1)
add_dependencies(proxmark3 ncurses readline)
endif (NOT SKIPREADLINE EQUAL 1)
endif (EMBED_READLINE)
if (EMBED_BZIP2)
add_dependencies(proxmark3 bzip2)
endif (ANDROID)
endif (EMBED_BZIP2)
if (MINGW)
# Mingw uses by default Microsoft printf, we want the GNU printf (e.g. for %z)

1
client/Makefile
View file

@ -439,6 +439,7 @@ SRCS = aidsearch.c \
cmdlfawid.c \
cmdlfcotag.c \
cmdlfem4x.c \
cmdlfem4x50.c \
cmdlffdx.c \
cmdlfguard.c \
cmdlfgallagher.c \

27
client/src/cmdhfmfdes.c
View file

@ -1240,15 +1240,14 @@ static int handler_desfire_signature(uint8_t *signature, size_t *signature_len)
}
// --- KEY SETTING
static int desfire_print_keysetting(uint8_t key_settings, mifare_des_authalgo_t algo) {
static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys, int algo) {
PrintAndLogEx(SUCCESS, " AID Key settings : 0x%02x", key_settings);
// 2 MSB denotes
const char *str = " Max key number and type : %d, " _YELLOW_("%s");
if (algo == MFDES_ALGO_DES) PrintAndLogEx(SUCCESS, str, "(3)DES");
else if (algo == MFDES_ALGO_AES) PrintAndLogEx(SUCCESS, str, "AES");
else if (algo == MFDES_ALGO_3K3DES) PrintAndLogEx(SUCCESS, str, "3K3DES");
if (algo == MFDES_ALGO_DES) PrintAndLogEx(SUCCESS, str, num_keys & 0x3F, "(3)DES");
else if (algo == MFDES_ALGO_AES) PrintAndLogEx(SUCCESS, str, num_keys & 0x3F, "AES");
else if (algo == MFDES_ALGO_3K3DES) PrintAndLogEx(SUCCESS, str, num_keys & 0x3F, "3K3DES");
//PrintAndLogEx(SUCCESS, " Max number of keys in AID : %d", num_keys & 0x3F);
PrintAndLogEx(INFO, "-------------------------------------------------------------");
@ -1449,14 +1448,14 @@ static int handler_desfire_select_application(uint8_t *aid) {
return PM3_SUCCESS;
}
static int key_setting_to_algo(uint8_t aid[3], uint8_t *key_setting, mifare_des_authalgo_t *algo) {
static int key_setting_to_algo(uint8_t aid[3], uint8_t *key_setting, mifare_des_authalgo_t *algo, uint8_t *num_keys) {
int res = handler_desfire_select_application(aid);
if (res != PM3_SUCCESS) return res;
uint8_t num_keys = 0;
res = handler_desfire_getkeysettings(key_setting, &num_keys);
*num_keys = 0;
res = handler_desfire_getkeysettings(key_setting, num_keys);
if (res == PM3_SUCCESS) {
switch (num_keys >> 6) {
switch (*num_keys >> 6) {
case 0:
*algo = MFDES_ALGO_DES;
break;
@ -1863,8 +1862,8 @@ static int getKeySettings(uint8_t *aid) {
// KEY Settings - AMK
uint8_t num_keys = 0;
uint8_t key_setting = 0;
mifare_des_authalgo_t algo;
res = key_setting_to_algo(aid, &key_setting, &algo);
mifare_des_authalgo_t algo=MFDES_ALGO_DES;
res = key_setting_to_algo(aid, &key_setting, &algo, &num_keys);
if (res == PM3_SUCCESS) {
// number of Master keys (0x01)
@ -1915,10 +1914,10 @@ static int getKeySettings(uint8_t *aid) {
// KEY Settings - AMK
uint8_t num_keys = 0;
uint8_t key_setting = 0;
mifare_des_authalgo_t algo;
res = key_setting_to_algo(aid, &key_setting, &algo);
mifare_des_authalgo_t algo=MFDES_ALGO_DES;
res = key_setting_to_algo(aid, &key_setting, &algo, &num_keys);
if (res == PM3_SUCCESS) {
desfire_print_keysetting(key_setting, algo);
desfire_print_keysetting(key_setting, num_keys, algo);
} else {
PrintAndLogEx(WARNING, _RED_(" Can't read Application Master key settings"));
}

27
client/src/cmdlfem4x.c
View file

@ -9,6 +9,7 @@
//-----------------------------------------------------------------------------
#include "cmdlfem4x.h"
#include "cmdlfem4x50.h"
#include <stdio.h>
#include <string.h>
@ -149,20 +150,6 @@ static int usage_lf_em4x50_read(void) {
PrintAndLogEx(NORMAL, " lf em 4x50_read 1 11223344");
return PM3_SUCCESS;
}
static int usage_lf_em4x50_write(void) {
PrintAndLogEx(NORMAL, "Write EM 4x50/4x69. Tag must be on antenna. ");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h] <address> <data> <pwd>");
PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help");
PrintAndLogEx(NORMAL, " address - memory address to write to. (0-15)");
PrintAndLogEx(NORMAL, " data - data to write (hex)");
PrintAndLogEx(NORMAL, " pwd - password (hex) (optional)");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de");
PrintAndLogEx(NORMAL, " lf em 4x50_write 1 deadc0de 11223344");
return PM3_SUCCESS;
}
//////////////// 4205 / 4305 commands
static int usage_lf_em4x05_dump(void) {
@ -1052,16 +1039,6 @@ static int CmdEM4x50Read(const char *Cmd) {
return EM4x50Read(Cmd, true);
}
static int CmdEM4x50Write(const char *Cmd) {
uint8_t ctmp = tolower(param_getchar(Cmd, 0));
if (ctmp == 'h') return usage_lf_em4x50_write();
PrintAndLogEx(NORMAL, "no implemented yet");
//
// PrintAndLogEx(SUCCESS, "Done");
// PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf em 4x50_read`") " to verify");
return PM3_SUCCESS;
}
static int CmdEM4x50Dump(const char *Cmd) {
uint8_t ctmp = tolower(param_getchar(Cmd, 0));
if (ctmp == 'h') return usage_lf_em4x50_dump();
@ -1779,7 +1756,9 @@ static command_t CommandTable[] = {
{"4x50_demod", CmdEM4x50Demod, AlwaysAvailable, "demodulate a EM4x50 tag from the GraphBuffer"},
{"4x50_dump", CmdEM4x50Dump, IfPm3Lf, "dump EM4x50 tag"},
{"4x50_read", CmdEM4x50Read, IfPm3Lf, "read word data from EM4x50"},
{"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"},
{"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"},
{"4x50_write_password", CmdEM4x50WritePassword, IfPm3Lf, "change passwword of EM4x50 tag"},
{NULL, NULL, NULL, NULL}
};

663
client/src/cmdlfem4x50.c Normal file
View file

@ -0,0 +1,663 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2020 tharexde
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x50 commands
//-----------------------------------------------------------------------------
#include "cmdlfem4x50.h"
#include <ctype.h>
#include "fileutils.h"
#include "comms.h"
#include "commonutil.h"
#include "em4x50.h"
#define EM4X50_NO_WORDS 34
// special words
#define EM4X50_DEVICE_PASSWORD 0
#define EM4X50_PROTECTION 1
#define EM4X50_CONTROL 2
#define EM4X50_DEVICE_SERIAL 32
#define EM4X50_DEVICE_ID 33
// control word (word = 4 bytes)
#define FIRST_WORD_READ 0 // first byte
#define LAST_WORD_READ 1 // second byte
#define CONFIG_BLOCK 2 // third byte
#define PASSWORD_CHECK 0x80 // first bit in third byte
#define READ_AFTER_WRITE 0x40 // second bit in third byte
// protection word
#define FIRST_WORD_READ_PROTECTED 0 // first byte
#define LAST_WORD_READ_PROTECTED 1 // second byte
#define FIRST_WORD_WRITE_INHIBITED 2 // third byte
#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte
// misc
#define STATUS_SUCCESS 0x2
#define STATUS_LOGIN 0x1
#define NO_CHARS_MAX 400
int usage_lf_em4x50_info(void) {
PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna.");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_info [h] [v] [p <pwd>]");
PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help");
PrintAndLogEx(NORMAL, " v - verbose output");
PrintAndLogEx(NORMAL, " p <pwd> - password (hex) (optional)");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " lf em 4x50_info");
PrintAndLogEx(NORMAL, " lf em 4x50_info p fa225de1\n");
PrintAndLogEx(NORMAL, " lf em 4x50_info v p fa225de1\n");
return PM3_SUCCESS;
}
int usage_lf_em4x50_write(void) {
PrintAndLogEx(NORMAL, "Write EM4x50 word. Tag must be on antenna. ");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write [h] a <address> w <data>");
PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help");
PrintAndLogEx(NORMAL, " a <addr> - memory address to write to (dec)");
PrintAndLogEx(NORMAL, " w <word> - word to write (hex)");
PrintAndLogEx(NORMAL, " p <pwd> - password (hex) (optional)");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " lf em 4x50_write a 3 w deadc0de");
return PM3_SUCCESS;
}
int usage_lf_em4x50_write_password(void) {
PrintAndLogEx(NORMAL, "Write EM4x50 password. Tag must be on antenna. ");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_write_password [h] p <pwd> n <pwd>");
PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help");
PrintAndLogEx(NORMAL, " p <pwd> - password (hex)");
PrintAndLogEx(NORMAL, " n <pwd> - new password (hex)");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " lf em 4x50_write_password p 11223344 n 01020304");
return PM3_SUCCESS;
}
static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) {
// restructure received result in "em4x50_word_t" structure and check all
// parities including stop bit; result of each check is stored in structure
int p = 0, c[8] = {0, 0, 0, 0, 0, 0, 0, 0};
for (int i = fwr; i <= lwr; i++) {
words[i].stopparity = true;
words[i].parity = true;
for (int j = 0; j < 8; j++)
c[j] = 0;
for (int j = 0; j < 4; j++) {
words[i].byte[j] = byte[i*7+j];
words[i].row_parity[j] = (byte[i*7+4] >> (3-j)) & 1;
// collect parities
p = 0;
for (int k = 0; k < 8; k++) {
// row parity
p ^= (words[i].byte[j] >> k) & 1;
// column parity
c[k] ^= (words[i].byte[j] >> (7-k)) & 1;
}
// check row parities
words[i].rparity[j] = (words[i].row_parity[j] == p) ? true : false;
if (!words[i].rparity[j])
words[i].parity = false;
}
// check column parities
words[i].col_parity = byte[i*7+5] ;
for (int j = 0; j < 8; j++) {
words[i].cparity[j] = (((words[i].col_parity >> (7-j)) & 1) == c[j]) ? true : false;
if (!words[i].cparity[j])
words[i].parity = false;
}
// check stop bit
words[i].stopbit = byte[i*7+6] & 1;
if (words[i].stopbit == 1)
words[i].stopparity = false;
}
}
static void print_bit_table(const em4x50_word_t word) {
// generate output in table form for each word including parities, stop
// bit, result of parity checks and hex notation of each row in msb/lsb
// notation
// individual parity errors will be highlighted in red
int bit = 0;
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
// print binary data
for (int j = 0; j < 4; j++) {
strcat(string, " ");
// lsb notation
for (int k = 0; k < 8; k++) {
sprintf(pstring, "%i", (word.byte[j] >> (7-k)) & 1);
strcat(string, pstring);
}
strcat(string, " | ");
// binary row parities + hex bytes of word
sprintf(pstring, (word.rparity[j]) ? "%i" : _RED_("%i"), word.row_parity[j]);
strcat(string, pstring);
if (j == 0)
sprintf(pstring, " msb: 0x%02x lsb: 0x%02x", word.byte[j], reflect8(word.byte[j]));
else
sprintf(pstring, " 0x%02x 0x%02x", word.byte[j], reflect8(word.byte[j]));
strcat(string, pstring);
PrintAndLogEx(NORMAL,string);
string[0] = '\0';
}
strcat(string, " ------------ --------------------\n ");
// binary column parities
for (int k = 0; k < 8; k++) {
bit = (word.col_parity >> (7-k)) & 1;
// if column parity is false -> highlight bit in red
sprintf(pstring, (word.cparity[k]) ? "%i" : _RED_("%i"), bit);
strcat(string, pstring);
}
// binary stop bit
strcat(string, " | ");
sprintf(pstring, (word.stopparity) ? "%i" : _RED_("%i"), word.stopbit);
strcat(pstring, " parities ");
strcat(string, pstring);
// parities passed/failed
sprintf(pstring, (word.parity) ? _GREEN_("ok") : _RED_("failed"));
strcat(string, pstring);
PrintAndLogEx(NORMAL,string);
string[0] = '\0';
}
static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
// print available information for given word from fwr to lwr, i.e.
// bit table + summary lines with hex notation of word (msb + lsb)
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
for (int i = fwr; i <= lwr; i++) {
// blank line before each bit table
PrintAndLogEx(NORMAL, "");
// print bit table
print_bit_table(words[i]);
// final result
sprintf(pstring, "\n word[%i] msb: " _GREEN_("0x"), i);
strcat(string, pstring);
for (int j = 0; j < 4; j++) {
sprintf(pstring, _GREEN_("%02x"), words[i].byte[j]);
strcat(string, pstring);
}
sprintf(pstring, "\n word[%i] lsb: 0x", i);
strcat(string, pstring);
for (int j = 0; j < 4; j++) {
sprintf(pstring, "%02x", reflect8(words[i].byte[3-j]));
strcat(string, pstring);
}
PrintAndLogEx(NORMAL,string);
string[0] = '\0';
}
}
static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd, bool bverbose) {
// display all information of info result in structured format
uint8_t *data = resp->data.asBytes;
em4x50_word_t words[EM4X50_NO_WORDS];
char pstring[NO_CHARS_MAX] = {0}, string[NO_CHARS_MAX] = {0};
bool bpwd_given = etd->pwd_given;
bool bsuccess = resp->status & STATUS_SUCCESS;
bool blogin = resp->status & STATUS_LOGIN;
prepare_result(data, 0, EM4X50_NO_WORDS - 1, words);
bool bpwc = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & PASSWORD_CHECK;
bool braw = words[EM4X50_CONTROL].byte[CONFIG_BLOCK] & READ_AFTER_WRITE;
int fwr = reflect8(words[EM4X50_CONTROL].byte[FIRST_WORD_READ]);
int lwr = reflect8(words[EM4X50_CONTROL].byte[LAST_WORD_READ]);
int fwrp = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_READ_PROTECTED]);
int lwrp = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_READ_PROTECTED]);
int fwwi = reflect8(words[EM4X50_PROTECTION].byte[FIRST_WORD_WRITE_INHIBITED]);
int lwwi = reflect8(words[EM4X50_PROTECTION].byte[LAST_WORD_WRITE_INHIBITED]);
// data section
PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 data:"));
if (bverbose) {
// detailed data section
print_result(words, 0, EM4X50_NO_WORDS - 1);
} else {
// condensed data section
for (int i = 0; i < EM4X50_NO_WORDS; i++) {
sprintf(pstring, " word[%2i]: ", i);
strcat(string, pstring);
for (int j = 0; j < 4; j++) {
sprintf(pstring, "%02x", words[i].byte[j]);
strcat(string, pstring);
}
switch(i) {
case EM4X50_DEVICE_PASSWORD:
sprintf(pstring, _YELLOW_(" password, write only"));
break;
case EM4X50_PROTECTION:
sprintf(pstring, _YELLOW_(" protection word, write inhibited"));
break;
case EM4X50_CONTROL:
sprintf(pstring, _YELLOW_(" control word, write inhibited"));
break;
case EM4X50_DEVICE_SERIAL:
sprintf(pstring, _YELLOW_(" device serial number, read only"));
break;
case EM4X50_DEVICE_ID:
sprintf(pstring, _YELLOW_(" device identification, read only"));
break;
default:
sprintf(pstring, " user data");
break;
}
strcat(string, pstring);
PrintAndLogEx(NORMAL,"%s", string);
string[0] = '\0';
}
}
// configuration section
PrintAndLogEx(NORMAL, _YELLOW_("\n em4x50 configuration"));
PrintAndLogEx(NORMAL," control: | protection:");
sprintf(pstring, " first word read: %3i |", fwr);
strcat(string, pstring);
sprintf(pstring, " first word read protected: %3i", fwrp);
strcat(string, pstring);
PrintAndLogEx(NORMAL,"%s", string);
string[0] = '\0';
sprintf(pstring, " last word read: %3i |", lwr);
strcat(string, pstring);
sprintf(pstring, " last word read protected: %3i", lwrp);
strcat(string, pstring);
PrintAndLogEx(NORMAL,"%s", string);
string[0] = '\0';
sprintf(pstring, " password check: %3s |", (bpwc) ? "on" : "off");
strcat(string, pstring);
sprintf(pstring, " first word write inhibited: %3i", fwwi);
strcat(string, pstring);
PrintAndLogEx(NORMAL,"%s", string);
string[0] = '\0';
sprintf(pstring, " read after write: %3s |", (braw) ? "on" : "off");
strcat(string, pstring);
sprintf(pstring, " last word write inhibited: %3i", lwwi);
strcat(string, pstring);
PrintAndLogEx(NORMAL,"%s", string);
string[0] = '\0';
PrintAndLogEx(NORMAL, "\n zero values may indicate read protection!");
// status line
sprintf(pstring, " reading ");
strcat(string, pstring);
if (!bsuccess) {
sprintf(pstring, _RED_("failed"));
strcat(string, pstring);
} else {
sprintf(pstring, _GREEN_("ok "));
strcat(string, pstring);
if (blogin) {
if (bpwd_given) {
sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)",
etd->password[0], etd->password[1],
etd->password[2], etd->password[3]);
strcat(string, pstring);
} else {
sprintf(pstring, "(login with default password 0x00000000)");
strcat(string, pstring);
}
} else {
if (bpwd_given) {
sprintf(pstring, "(login failed)");
strcat(string, pstring);
} else {
sprintf(pstring, "(no login)");
strcat(string, pstring);
}
}
}
PrintAndLogEx(NORMAL,"%s\n", string);
}
int CmdEM4x50Info(const char *Cmd) {
// envoke reading of a EM4x50 tag which has to be on the antenna because
// decoding is done by the device (not on client side)
bool errors = false, verbose = false, success = false;
uint8_t cmdp = 0;
em4x50_data_t etd;
PacketResponseNG resp;
// init
etd.pwd_given = false;
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) {
case 'h':
return usage_lf_em4x50_info();
case 'p':
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
return PM3_EINVARG;
}
etd.pwd_given = true;
cmdp += 2;
break;
case 'v':
verbose = true;
cmdp += 1;
break;
default:
PrintAndLogEx(WARNING, " Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true;
break;
}
}
// validation
if (errors)
return usage_lf_em4x50_info();
// call info command
clearCommandBuffer();
SendCommandNG(CMD_LF_EM4X50_INFO, (uint8_t *)&etd, sizeof(etd));
// get result
if (!WaitForResponse(CMD_ACK, &resp)) {
PrintAndLogEx(WARNING, " timeout while waiting for reply.");
return PM3_ETIMEOUT;
}
// print result
print_info_result(&resp, &etd, verbose);
success = resp.status & STATUS_SUCCESS;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}
static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
// display result of writing operation in structured format
bool pwd_given = etd->pwd_given;
bool success = resp->status & STATUS_SUCCESS;
bool login = resp->status & STATUS_LOGIN;
uint8_t *data = resp->data.asBytes;
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
em4x50_word_t word;
if (!success) {
sprintf(pstring, "\n writing " _RED_("failed"));
strcat(string, pstring);
} else {
prepare_result(data, etd->address, etd->address, &word);
print_result(&word, etd->address, etd->address);
sprintf(pstring, "\n writing " _GREEN_("ok "));
strcat(string, pstring);
if (pwd_given) {
if (login) {
sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)",
etd->password[0], etd->password[1],
etd->password[2], etd->password[3]);
strcat(string, pstring);
} else {
sprintf(pstring, "(login failed)");
strcat(string, pstring);
}
} else {
sprintf(pstring, "(no login)");
strcat(string, pstring);
}
}
PrintAndLogEx(NORMAL,"%s\n", string);
}
int CmdEM4x50Write(const char *Cmd) {
// envoke writing a single word (32 bit) to a EM4x50 tag
bool errors = false, bword = false, baddr = false, success = false;
uint8_t cmdp = 0;
em4x50_data_t etd;
PacketResponseNG resp;
// init
etd.pwd_given = false;
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) {
case 'h':
return usage_lf_em4x50_write();
case 'p':
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
return PM3_EINVARG;
}
etd.pwd_given = true;
cmdp += 2;
break;
case 'w':
if (param_gethex(Cmd, cmdp + 1, etd.word, 8)) {
PrintAndLogEx(FAILED, "\n word has to be 8 hex symbols\n");
return PM3_EINVARG;
}
bword = true;
cmdp += 2;
break;
case 'a':
param_getdec(Cmd, cmdp + 1, &etd.address);
// validation
if (etd.address < 1 || etd.address > 31) {
PrintAndLogEx(FAILED, "\n error, address has to be in range [1-31]\n");
return PM3_EINVARG;
}
baddr = true;
cmdp += 2;
break;
default:
PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
break;
}
}
if (errors || !bword || !baddr)
return usage_lf_em4x50_write();
clearCommandBuffer();
SendCommandNG(CMD_LF_EM4X50_WRITE, (uint8_t *)&etd, sizeof(etd));
if (!WaitForResponse(CMD_ACK, &resp)) {
PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n");
return PM3_ETIMEOUT;
}
// get, prepare and print response
print_write_result(&resp, &etd);
success = resp.status & STATUS_SUCCESS;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}
static void print_write_password_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
// display result of password changing operation
bool success = resp->status;
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
if (!success) {
sprintf(pstring, "\n writing new password " _RED_("failed"));
strcat(string, pstring);
} else {
sprintf(pstring, "\n writing new password " _GREEN_("ok"));
strcat(string, pstring);
}
PrintAndLogEx(NORMAL,"%s\n", string);
}
int CmdEM4x50WritePassword(const char *Cmd) {
// envokes changing the password of EM4x50 tag
bool errors = false, bpwd = false, bnpwd = false;
uint8_t cmdp = 0;
em4x50_data_t etd;
PacketResponseNG resp;
// init
etd.pwd_given = false;
etd.newpwd_given = false;
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) {
case 'h':
return usage_lf_em4x50_write_password();
case 'p':
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
return PM3_EINVARG;
}
bpwd = true;
etd.pwd_given = true;
cmdp += 2;
break;
case 'n':
if (param_gethex(Cmd, cmdp + 1, etd.new_password, 8)) {
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
return PM3_EINVARG;
}
bnpwd = true;
etd.newpwd_given = true;
cmdp += 2;
break;
default:
PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
break;
}
}
if (errors || !bpwd || !bnpwd)
return usage_lf_em4x50_write_password();
clearCommandBuffer();
SendCommandNG(CMD_LF_EM4X50_WRITE_PASSWORD, (uint8_t *)&etd, sizeof(etd));
if (!WaitForResponse(CMD_ACK, &resp)) {
PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n");
return PM3_ETIMEOUT;
}
// get, prepare and print response
print_write_password_result(&resp, &etd);
return ((bool)resp.status) ? PM3_SUCCESS : PM3_ESOFT;
}

22
client/src/cmdlfem4x50.h Normal file
View file

@ -0,0 +1,22 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2020 tharexde
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x50 commands
//-----------------------------------------------------------------------------
#ifndef CMDLFEM4X50_H__
#define CMDLFEM4X50_H__
int usage_lf_em4x50_info(void);
int usage_lf_em4x50_write(void);
int usage_lf_em4x50_write_password(void);
int CmdEM4x50Info(const char *Cmd);
int CmdEM4x50Write(const char *Cmd);
int CmdEM4x50WritePassword(const char *Cmd);
#endif

2
client/src/cmdlfhitag.c
View file

@ -584,7 +584,7 @@ static int CmdLFHitagReader(const char *Cmd) {
clearCommandBuffer();
SendCommandMIX(cmd, htf, 0, 0, &htd, sizeof(htd));
PacketResponseNG resp;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 4000)) {
if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) {
PrintAndLogEx(WARNING, "timeout while waiting for reply.");
return PM3_ETIMEOUT;
}

4
client/src/cmdtrace.c
View file

@ -199,7 +199,7 @@ static uint16_t printTraceLine(uint16_t tracepos, uint16_t traceLen, uint8_t *tr
if (tracepos + TRACELOG_HDR_LEN + data_len + TRACELOG_PARITY_LEN(hdr) > traceLen) {
return traceLen;
}
uint8_t *frame = hdr->frame;
uint8_t *parityBytes = hdr->frame + data_len;
@ -495,7 +495,7 @@ static int CmdTraceLoad(const char *Cmd) {
g_traceLen = (long)len;
PrintAndLogEx(SUCCESS, "Recorded Activity (TraceLen = " _YELLOW_("%lu") " bytes) loaded from " _YELLOW_("%s"), g_traceLen, filename);
PrintAndLogEx(SUCCESS, "Recorded Activity (TraceLen = " _YELLOW_("%lu") " bytes)", g_traceLen);
return PM3_SUCCESS;
}

3
common_arm/Makefile.hal
View file

@ -81,7 +81,8 @@ endif
# common LF support
PLATFORM_DEFS += \
-DWITH_LF \
-DWITH_HITAG
-DWITH_HITAG \
-DWITH_EM4x50
# common HF support
PLATFORM_DEFS += \

4
doc/md/Development/Makefile-vs-CMake.md
View file

@ -26,7 +26,7 @@ At the moment both are maintained because they don't perfectly overlap yet.
| bluez detection | pc | pkg_search_module | |
| `SKIPBT` | yes | yes | |
| dep bzip2 | sys | sys | |
| bzip2 detection | **none** | find_package, Android:gitclone | |
| bzip2 detection | **none** | find_package, Cross:gitclone | |
| dep cliparser | in_deps | in_deps | |
| dep hardnested | in_deps | in_deps | |
| hardn arch autodetect | `uname -m` =? 86 or amd64; `$(CC) -E -mavx512f`? +AVX512` | `CMAKE_SYSTEM_PROCESSOR` =? x86 or x86_64 or i686 or AMD64 (1) | (1) currently it always includes AVX512 on Intel arch |
@ -53,7 +53,7 @@ At the moment both are maintained because they don't perfectly overlap yet.
| Qt detection | pc(qt5)/pc(qt4)/`QTDIR`(1) (2) | find_package(qt5) (3) | (1) if `QTDIR`: hardcode path (2) OSX: pkg-config hook for Brew (3) OSX: add search path|
| `SKIPQT` | yes | yes | |
| dep readline | sys | sys | |
| readline detection | **none** (1) | find*(2), Android:getzip | (1) OSX: hardcoded path (2) additional paths for OSX |
| readline detection | **none** (1) | find*(2), Cross:getzip | (1) OSX: hardcoded path (2) additional paths for OSX |
| `SKIPREADLINE` | yes | yes | CLI not fully functional without Readline |
| dep reveng | in_deps | in_deps | |
| `SKIPREVENGTEST` | yes(1) | **no**(2) | (1) e.g. if cross-compilation (2) tests aren't compiled/ran with cmake |

37
include/em4x50.h Normal file
View file

@ -0,0 +1,37 @@
//-----------------------------------------------------------------------------
// Copyright (C) 2020 tharexde
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Low frequency EM4x50 structs
//-----------------------------------------------------------------------------
#ifndef EM4X50_H__
#define EM4X50_H__
typedef struct {
bool fwr_given;
bool lwr_given;
bool pwd_given;
bool newpwd_given;
uint8_t password[4];
uint8_t new_password[4];
uint8_t addresses[4];
uint8_t address;
uint8_t word[4];
} em4x50_data_t;
typedef struct {
uint8_t byte[4];
uint8_t row_parity[4];
uint8_t col_parity;
uint8_t stopbit;
bool rparity[4];
bool cparity[8];
bool stopparity;
bool parity;
} em4x50_word_t;
#endif /* EM4X50_H__ */

4
include/pm3_cmd.h
View file

@ -187,6 +187,7 @@ typedef struct {
// lf
bool compiled_with_lf : 1;
bool compiled_with_hitag : 1;
bool compiled_with_em4x50 : 1;
// hf
bool compiled_with_hfsniff : 1;
bool compiled_with_hfplot : 1;
@ -401,6 +402,9 @@ typedef struct {
#define CMD_LF_EM4X_WRITEWORD 0x0219
#define CMD_LF_IO_WATCH 0x021A
#define CMD_LF_EM410X_WATCH 0x021C
#define CMD_LF_EM4X50_INFO 0x0240
#define CMD_LF_EM4X50_WRITE 0x0241
#define CMD_LF_EM4X50_WRITE_PASSWORD 0x0242
// Sampling configuration for LF reader/sniffer
#define CMD_LF_SAMPLING_SET_CONFIG 0x021D
#define CMD_LF_FSK_SIMULATE 0x021E

23
tools/hitag2crack/crack5/ht2crack5.c
View file

@ -330,7 +330,6 @@ static void *find_state(void *thread_d) {
const bitslice_value_t filter4 = f_c_bs(filter4_0, filter4_1, filter4_2, filter4_3, filter4_4);
bitslice_t results4;
results4.value = results3.value & (filter4 ^ keystream[4].value);
if (results4.bytes64[0] == 0
&& results4.bytes64[1] == 0
&& results4.bytes64[2] == 0
@ -339,7 +338,9 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 56].value = lfsr_bs(8);
const bitslice_value_t filter5_3 = f_b_bs(state[-2 + 33].value, state[-2 + 34].value, state[-2 + 36].value, state[-2 + 38].value);
const bitslice_value_t filter10_4 = f_a_bs(state[-2 + 44].value, state[-2 + 53].value, state[-2 + 54].value, state[-2 + 56].value);
const bitslice_value_t filter12_2 = f_b_bs(state[-2 + 29].value, state[-2 + 33].value, state[-2 + 35].value, state[-2 + 38].value);
for (uint8_t i5 = 0; i5 < (1 << bits[5]); i5++) {
@ -358,8 +359,9 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 57].value = lfsr_bs(9);
const bitslice_value_t filter6_3 = f_b_bs(state[-2 + 34].value, state[-2 + 35].value, state[-2 + 37].value, state[-2 + 39].value);
const bitslice_value_t filter11_4 = f_a_bs(state[-2 + 45].value, state[-2 + 54].value, state[-2 + 55].value, state[-2 + 57].value);
for (uint8_t i6 = 0; i6 < (1 << bits[6]); i6++) {
state[-2 + 40].value = ((bool)(i6 & 0x1)) ? bs_ones.value : bs_zeroes.value;
// 0xffe7ffffffff
@ -376,8 +378,9 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 58].value = lfsr_bs(10);
const bitslice_value_t filter7_3 = f_b_bs(state[-2 + 35].value, state[-2 + 36].value, state[-2 + 38].value, state[-2 + 40].value);
const bitslice_value_t filter12_4 = f_a_bs(state[-2 + 46].value, state[-2 + 55].value, state[-2 + 56].value, state[-2 + 58].value);
for (uint8_t i7 = 0; i7 < (1 << bits[7]); i7++) {
state[-2 + 41].value = ((bool)(i7 & 0x1)) ? bs_ones.value : bs_zeroes.value;
// 0xfff7ffffffff
@ -393,16 +396,14 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 59].value = lfsr_bs(11);
const bitslice_value_t filter8_3 = f_b_bs(state[-2 + 36].value, state[-2 + 37].value, state[-2 + 39].value, state[-2 + 41].value);
const bitslice_value_t filter10_3 = f_b_bs(state[-2 + 38].value, state[-2 + 39].value, state[-2 + 41].value, state[-2 + 43].value);
const bitslice_value_t filter12_3 = f_b_bs(state[-2 + 40].value, state[-2 + 41].value, state[-2 + 43].value, state[-2 + 45].value);
for (uint8_t i8 = 0; i8 < (1 << bits[8]); i8++) {
state[-2 + 42].value = ((bool)(i8 & 0x1)) ? bs_ones.value : bs_zeroes.value;
// 0xffffffffffff
const bitslice_value_t filter8_4 = f_a_bs(state[-2 + 42].value, state[-2 + 51].value, state[-2 + 52].value, state[-2 + 54].value);
const bitslice_value_t filter9_3 = f_b_bs(state[-2 + 37].value, state[-2 + 38].value, state[-2 + 40].value, state[-2 + 42].value);
const bitslice_value_t filter11_3 = f_b_bs(state[-2 + 39].value, state[-2 + 40].value, state[-2 + 42].value, state[-2 + 44].value);
const bitslice_value_t filter8 = f_c_bs(filter8_0, filter8_1, filter8_2, filter8_3, filter8_4);
bitslice_t results8;
results8.value = results7.value & (filter8 ^ keystream[8].value);
@ -415,6 +416,7 @@ static void *find_state(void *thread_d) {
continue;
}
const bitslice_value_t filter9_3 = f_b_bs(state[-2 + 37].value, state[-2 + 38].value, state[-2 + 40].value, state[-2 + 42].value);
const bitslice_value_t filter9 = f_c_bs(filter9_0, filter9_1, filter9_2, filter9_3, filter9_4);
results8.value &= (filter9 ^ keystream[9].value);
@ -425,8 +427,7 @@ static void *find_state(void *thread_d) {
) {
continue;
}
state[-2 + 56].value = lfsr_bs(8);
const bitslice_value_t filter10_4 = f_a_bs(state[-2 + 44].value, state[-2 + 53].value, state[-2 + 54].value, state[-2 + 56].value);
const bitslice_value_t filter10 = f_c_bs(filter10_0, filter10_1, filter10_2, filter10_3, filter10_4);
results8.value &= (filter10 ^ keystream[10].value);
@ -438,8 +439,7 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 57].value = lfsr_bs(9);
const bitslice_value_t filter11_4 = f_a_bs(state[-2 + 45].value, state[-2 + 54].value, state[-2 + 55].value, state[-2 + 57].value);
const bitslice_value_t filter11_3 = f_b_bs(state[-2 + 39].value, state[-2 + 40].value, state[-2 + 42].value, state[-2 + 44].value);
const bitslice_value_t filter11 = f_c_bs(filter11_0, filter11_1, filter11_2, filter11_3, filter11_4);
results8.value &= (filter11 ^ keystream[11].value);
@ -451,8 +451,6 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 58].value = lfsr_bs(10);
const bitslice_value_t filter12_4 = f_a_bs(state[-2 + 46].value, state[-2 + 55].value, state[-2 + 56].value, state[-2 + 58].value);
const bitslice_value_t filter12 = f_c_bs(filter12_0, filter12_1, filter12_2, filter12_3, filter12_4);
results8.value &= (filter12 ^ keystream[12].value);
@ -464,7 +462,6 @@ static void *find_state(void *thread_d) {
continue;
}
state[-2 + 59].value = lfsr_bs(11);
const bitslice_value_t filter13_0 = f_a_bs(state[-2 + 15].value, state[-2 + 16].value, state[-2 + 18].value, state[-2 + 19].value);
const bitslice_value_t filter13_1 = f_b_bs(state[-2 + 21].value, state[-2 + 25].value, state[-2 + 27].value, state[-2 + 28].value);
const bitslice_value_t filter13_2 = f_b_bs(state[-2 + 30].value, state[-2 + 34].value, state[-2 + 36].value, state[-2 + 39].value);