chg: 'lf indala clone' - refactored , uses NG

armsrc/appmain.c

@@ -769,17 +769,6 @@ static void PacketReceived(PacketCommandNG *packet) {
             SimulateTagLowFrequencyBidir(packet->oldarg[0], packet->oldarg[1]);
             break;
         }
-        case CMD_LF_INDALA_CLONE: {
-            CopyIndala64toT55x7(packet->data.asDwords[0], packet->data.asDwords[1]);
-            break;
-        }
-        case CMD_LF_INDALA224_CLONE: {
-            CopyIndala224toT55x7(
-                packet->data.asDwords[0], packet->data.asDwords[1], packet->data.asDwords[2], packet->data.asDwords[3],
-                packet->data.asDwords[4], packet->data.asDwords[5], packet->data.asDwords[6]
-            );
-            break;
-        }
         case CMD_LF_T55XX_READBL: {
             struct p {
                 uint32_t password;

armsrc/lfops.c

@@ -1712,7 +1712,7 @@ void T55xxWriteBlock(uint8_t *data) {
     c->flags &= (0xff ^ 0x40); // Called for a write, so ensure it is clear/0
 
     LED_A_ON();
-    T55xx_SendCMD(c->data, c->pwd, c->flags | (c->blockno << 9)) ; //, false);
+    T55xx_SendCMD(c->data, c->pwd, c->flags | (c->blockno << 9));
 
     // Perform write (nominal is 5.6 ms for T55x7 and 18ms for E5550,
     // so wait a little more)
@@ -1744,7 +1744,6 @@ void T55xxWriteBlock(uint8_t *data) {
     // turn field off
     FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
 
-    // cmd_send(CMD_ACK,0,0,0,0,0);
     reply_ng(CMD_LF_T55XX_WRITEBL, PM3_SUCCESS, NULL, 0);
     LED_A_OFF();
 }
@@ -2049,34 +2048,6 @@ void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
     LED_D_OFF();
 }
 
-// Clone Indala 64-bit tag by UID to T55x7
-void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
-    //Program the 2 data blocks for supplied 64bit UID
-    // and the Config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)
-    uint32_t data[] = { T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
-    //TODO add selection of chip for Q5 or T55x7
-    // data[0] = T5555_SET_BITRATE(32 | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
-    LED_D_ON();
-    WriteT55xx(data, 0, 3);
-    //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
-    // T5567WriteBlock(0x603E1042,0);
-    LED_D_OFF();
-}
-// Clone Indala 224-bit tag by UID to T55x7
-void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
-    //Program the 7 data blocks for supplied 224bit UID
-    uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
-    // and the block 0 for Indala224 format
-    //Config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
-    data[0] = T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
-    //TODO add selection of chip for Q5 or T55x7
-    // data[0] =  T5555_SET_BITRATE(32 | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
-    LED_D_ON();
-    WriteT55xx(data, 0, 8);
-    //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
-    // T5567WriteBlock(0x603E10E2,0);
-    LED_D_OFF();
-}
 // clone viking tag to T55xx
 void CopyVikingtoT55xx(uint8_t *blocks, uint8_t Q5) {
   

armsrc/lfops.h

@@ -46,8 +46,6 @@ void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
 void CopyVikingtoT55xx(uint8_t *blocks, uint8_t Q5);
 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
-void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
-void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
 void T55xxResetRead(uint8_t flags);
 //id T55xxWriteBlock(uint32_t data, uint8_t blockno, uint32_t pwd, uint8_t flags);
 void T55xxWriteBlock(uint8_t *data);

client/cmdlfindala.c

@@ -25,6 +25,8 @@
 #include "lfdemod.h"    // parityTest, bitbytes_to_byte
 #include "cmddata.h"
 #include "cmdlf.h"      // lf_read
+#include "protocols.h"  // t55 defines
+#include "cmdlft55xx.h" // verifywrite
 
 static int CmdHelp(const char *Cmd);
 
@@ -439,10 +441,12 @@ static int CmdIndalaSim(const char *Cmd) {
     return PM3_SUCCESS;
 }
 
-// iceman - needs refactoring
 static int CmdIndalaClone(const char *Cmd) {
 
     bool isLongUid = false;
+    uint32_t blocks[8] = {0};          
+    uint8_t max = 0;
+
     uint8_t data[7 * 4];
     int datalen = 0;
 
@@ -466,27 +470,77 @@ static int CmdIndalaClone(const char *Cmd) {
     CLIGetHexWithReturn(2, data, &datalen);
     CLIParserFree();
 
+/*
+    //TODO add selection of chip for Q5 or T55x7
+    
+    // data[0] =  T5555_SET_BITRATE(32 | T5555_MODULATION_PSK2 | 7 << T5555_MAXBLOCK_SHIFT;
+    //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=7;Inverse data)
+    // T5567WriteBlock(0x603E10E2,0);
+    
+    // data[0] = T5555_SET_BITRATE(32 | T5555_MODULATION_PSK1 | 2 << T5555_MAXBLOCK_SHIFT;
+    //Alternative config for Indala (Extended mode;RF/32;PSK1 with RF/2;Maxblock=2;Inverse data)
+    // T5567WriteBlock(0x603E1042,0);    
+*/
+
     if (isLongUid) {
+        // config for Indala (RF/32;PSK2 with RF/2;Maxblock=7)
         PrintAndLogEx(INFO, "Preparing to clone Indala 224bit tag with RawID %s", sprint_hex(data, datalen));
-        uint32_t blocks[7] = {0};
-        blocks[0] = bytes_to_num(data, 4);
-        blocks[1] = bytes_to_num(data +  4, 4);
-        blocks[2] = bytes_to_num(data +  8, 4);
-        blocks[3] = bytes_to_num(data + 12, 4);
-        blocks[4] = bytes_to_num(data + 16, 4);
-        blocks[5] = bytes_to_num(data + 20, 4);
-        blocks[6] = bytes_to_num(data + 24, 4);
-        clearCommandBuffer();
-        SendCommandOLD(CMD_LF_INDALA224_CLONE, 0, 0, 0, blocks, sizeof(blocks));
+        blocks[0] =  T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK2 | (7 << T55x7_MAXBLOCK_SHIFT);
+        blocks[1] = bytes_to_num(data, 4);
+        blocks[2] = bytes_to_num(data +  4, 4);
+        blocks[3] = bytes_to_num(data +  8, 4);
+        blocks[4] = bytes_to_num(data + 12, 4);
+        blocks[5] = bytes_to_num(data + 16, 4);
+        blocks[6] = bytes_to_num(data + 20, 4);
+        blocks[7] = bytes_to_num(data + 24, 4);
+        max = 8;
     } else {
+        // config for Indala 64 format (RF/32;PSK1 with RF/2;Maxblock=2)        
         PrintAndLogEx(INFO, "Preparing to clone Indala 64bit tag with RawID %s", sprint_hex(data, datalen));
-        uint32_t blocks[2] = {0};
-        blocks[0] = bytes_to_num(data, 4);
-        blocks[1] = bytes_to_num(data + 4, 4);
-        clearCommandBuffer();
-        SendCommandOLD(CMD_LF_INDALA_CLONE, 0, 0, 0, datawords, sizeof(datawords));
+        blocks[0] =  T55x7_BITRATE_RF_32 | T55x7_MODULATION_PSK1 | (2 << T55x7_MAXBLOCK_SHIFT);
+        blocks[1] = bytes_to_num(data, 4);
+        blocks[2] = bytes_to_num(data + 4, 4);
+        max = 3;
     }
 
+    print_blocks(blocks, max);
+
+    uint8_t res = 0;
+    PacketResponseNG resp;
+
+    // fast push mode
+    conn.block_after_ACK = true;
+    for (uint8_t i = 0; i < max; i++) {
+        if (i == max - 1) {
+            // Disable fast mode on last packet
+            conn.block_after_ACK = false;
+        }
+        clearCommandBuffer();
+        t55xx_write_block_t ng;
+        ng.data = blocks[i];
+        ng.pwd = 0;
+        ng.blockno = i;
+        ng.flags = 0;
+
+        SendCommandNG(CMD_LF_T55XX_WRITEBL, (uint8_t *)&ng, sizeof(ng));
+        if (!WaitForResponseTimeout(CMD_LF_T55XX_WRITEBL, &resp, T55XX_WRITE_TIMEOUT)) {
+            PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation.");
+            return PM3_ETIMEOUT;
+        }
+
+        if (i == 0) {
+            SetConfigWithBlock0(blocks[0]);
+            if ( t55xxAquireAndCompareBlock0(false, 0, blocks[0], false) )
+                continue;
+        }
+        
+        if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blocks[i]) == false)
+            res++;
+    }
+
+    if ( res == 0 )
+        PrintAndLogEx(SUCCESS, "Success writing to tag");
+
     return PM3_SUCCESS;
 }
 

client/util.c

@@ -390,7 +390,7 @@ void print_blocks(uint32_t *data, size_t len) {
         PrintAndLogEx(ERR, "..empty data");
     } else {
         for (uint8_t i = 0; i < len; i++)
-            PrintAndLogEx(SUCCESS, " %02d | 0x%08X", i, data[i]);
+            PrintAndLogEx(SUCCESS, " %02d | %08X", i, data[i]);
     }
 }
 

include/pm3_cmd.h

@@ -242,6 +242,14 @@ typedef struct {
     uint8_t keytype;
 } PACKED mfc_eload_t;
 
+typedef struct {
+    uint8_t status;
+    uint8_t CSN[8];
+    uint8_t CONFIG[8];
+    uint8_t CC[8];
+    uint8_t AIA[8];
+} PACKED iclass_reader_t;
+
 // For the bootloader
 #define CMD_DEVICE_INFO                                                   0x0000
 #define CMD_SETUP_WRITE                                                   0x0001
@@ -345,9 +353,6 @@ typedef struct {
 #define CMD_SET_ADC_MUX                                                   0x020F
 #define CMD_LF_HID_CLONE                                                  0x0210
 #define CMD_LF_EM410X_WRITE                                               0x0211
-#define CMD_LF_INDALA_CLONE                                               0x0212
-// for 224 bits UID
-#define CMD_LF_INDALA224_CLONE                                            0x0213
 #define CMD_LF_T55XX_READBL                                               0x0214
 #define CMD_LF_T55XX_WRITEBL                                              0x0215
 #define CMD_LF_T55XX_RESET_READ                                           0x0216