From 56bbb25a4114df189f66dc8c14d233187e40b042 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 2 May 2016 13:42:06 +0200 Subject: [PATCH] ADD: started with a NEDAP demod, read, clone and sim functionality. The encrypted part is not solveabled today.
---
client/Makefile | 1 + client/cmdlf.c | 1 + client/cmdlf.h | 1 + client/cmdlfnedap.c | 244 ++++++++++++++++++++++++++++++++++++++++++++ client/cmdlfnedap.h | 33 ++++++ common/lfdemod.c | 12 +++ common/lfdemod.h | 1 + 7 files changed, 293 insertions(+) create mode 100644 client/cmdlfnedap.c create mode 100644 client/cmdlfnedap.h
diff --git a/client/Makefile b/client/Makefile
index 4f90463fe..f79d76988 100644
--- a/client/Makefile
+++ b/client/Makefile
@@ -119,6 +119,7 @@ CMDSRCS = nonce2key/crapto1.c \
 cmdlfpresco.c \
 cmdlfpyramid.c \
 cmdlfguard.c \
+ cmdlfnedap.c \
 pm3_binlib.c \
 scripting.c \
 cmdscript.c \
diff --git a/client/cmdlf.c b/client/cmdlf.c
index 23c8a1ce7..09bd5a1ab 100644
--- a/client/cmdlf.c
+++ b/client/cmdlf.c
@@ -1192,6 +1192,7 @@ static command_t CommandTable[] =
 {"hid", CmdLFHID, 1, "{ HID RFIDs... }"},
 {"hitag", CmdLFHitag, 1, "{ HITAG RFIDs... }"},
 {"io", CmdLFIO, 1, "{ IOPROX RFIDs... }"},
+ {"nedap", CmdLFNedap, 1, "{ NEDAP RFIDs... }"},
 {"pcf7931", CmdLFPCF7931, 1, "{ PCF7931 RFIDs... }"},
 {"presco", CmdLFPresco, 1, "{ Presco RFIDs... }"},
 {"pyramid", CmdLFPyramid, 1, "{ Farpointe/Pyramid RFIDs... }"},
diff --git a/client/cmdlf.h b/client/cmdlf.h
index 1bb941621..d04f96793 100644
--- a/client/cmdlf.h
+++ b/client/cmdlf.h
@@ -36,6 +36,7 @@
 #include "cmdlfpyramid.h"// for pyramid menu
 #include "cmdlfviking.h" // for viking menu
 #include "cmdlfguard.h" // for GuardAll menu
+#include "cmdlfnedap.h" // for NEDAP menu
 int CmdLF(const char *Cmd);
diff --git a/client/cmdlfnedap.c b/client/cmdlfnedap.c
new file mode 100644
index 000000000..bae9d85ea
--- /dev/null
+++ b/client/cmdlfnedap.c
@@ -0,0 +1,244 @@
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency NEDAP tag commands
+//-----------------------------------------------------------------------------
+#include
+#include
+#include "cmdlfnedap.h"
+static int CmdHelp(const char *Cmd);
+
+int usage_lf_nedap_clone(void){
+ PrintAndLog("clone a NEDAP tag to a T55x7 tag.");
+ PrintAndLog("");
+ PrintAndLog("Usage: lf nedap clone ");
+ PrintAndLog("Options :");
+ PrintAndLog(" : 24-bit value card number");
+// PrintAndLog(" Q5 : optional - clone to Q5 (T5555) instead of T55x7 chip");
+ PrintAndLog("");
+ PrintAndLog("Sample : lf nedap clone 112233");
+ return 0;
+}
+
+int usage_lf_nedap_sim(void) {
+ PrintAndLog("Enables simulation of NEDAP card with specified card number.");
+ PrintAndLog("Simulation runs until the button is pressed or another USB command is issued.");
+ PrintAndLog("");
+ PrintAndLog("Usage: lf nedap sim ");
+ PrintAndLog("Options :");
+ PrintAndLog(" : 24-bit value card number");
+ PrintAndLog("");
+ PrintAndLog("Sample : lf nedap sim 112233");
+ return 0;
+}
+
+int GetNedapBits(uint32_t cn, uint8_t *nedapBits) {
+
+ uint8_t pre[128];
+ memset(pre, 0x00, sizeof(pre));
+
+ // preamble 1111 1111 10 = 0XF8
+ num_to_bytebits(0xF8, 10, pre);
+
+ // fixed tagtype code? 0010 1101 = 0x2D
+ num_to_bytebits(0x2D, 8, pre+10);
+
+ // 46 encrypted bits - UNKNOWN ALGO
+ // -- 16 bits checksum. Should be 4x4 checksum, based on UID and 2 constant values.
+ // -- 30 bits undocumented?
+ num_to_bytebits(cn, 46, pre+18);
+
+ //----from this part, the UID in clear text, with a 1bit ZERO as separator between bytes.
+ pre[64] = 0;
+
+ // cardnumber
+ num_to_bytebits(cn, 24, pre+64);
+
+ pre[73] = 0;
+ pre[82] = 0;
+ pre[91] = 0;
+ pre[100] = 0;
+ pre[109] = 0;
+ pre[118] = 0;
+
+ // add paritybits (bitsource, dest, sourcelen, paritylen, parityType (odd, even,)
+ addParity(pre+64, pre+64, 128, 8, 1);
+//1111111110001011010000010110100011001001000010110101001101011001000110011010010000000000100001110001001000000001000101011100111
+ return 1;
+}
+
+//NEDAP demod - ASK/Biphase, RF/64 with preamble of 1111111110 (always a 128 bit data stream)
+//print NEDAP Prox ID, encoding, encrypted ID,
+int CmdFSKdemodNedap(const char *Cmd) {
+ //raw ask demod no start bit finding just get binary from wave
+ uint8_t BitStream[MAX_GRAPH_TRACE_LEN]={0};
+ size_t size = getFromGraphBuf(BitStream);
+ if (size==0) return 0;
+
+ //get binary from fsk wave
+ int idx = NedapDemod(BitStream, &size);
+ if (idx < 0){
+ if (g_debugMode){
+ if (idx == -5)
+ PrintAndLog("DEBUG: Error - not enough samples");
+ else if (idx == -1)
+ PrintAndLog("DEBUG: Error - only noise found");
+ else if (idx == -2)
+ PrintAndLog("DEBUG: Error - problem during ASK/Biphase demod");
+ else if (idx == -3)
+ PrintAndLog("DEBUG: Error - Size not correct: %d", size);
+ else if (idx == -4)
+ PrintAndLog("DEBUG: Error - NEDAP preamble not found");
+ else
+ PrintAndLog("DEBUG: Error - idx: %d",idx);
+ }
+ return 0;
+ }
+
+/* Index map
+0 10 20 30 40 50 64
+| | | | | | |
+ preamble enc tag type encrypted uid d 33 d 90 p 04 d 71 d 40 d 45 d E7 P
+1111111110 00101101000001011 0100011001001000010110101001101011001 0 00110011 0 10010000 0 00000100 0 01110001 0 01000000 0 01000101 0 11100111 1
+ uid2 uid1 uid0 I I R R
+ Tag ID is 049033
+ I = Identical on all tags
+ R = Random ?
+ UID2, UID1, UID0 == card number
+*/
+
+ //get raw ID before removing parities
+ uint32_t rawLo = bytebits_to_byte(BitStream+idx+96,32);
+ uint32_t rawHi = bytebits_to_byte(BitStream+idx+64,32);
+ uint32_t rawHi2 = bytebits_to_byte(BitStream+idx+32,32);
+ uint32_t rawHi3 = bytebits_to_byte(BitStream+idx,32);
+ setDemodBuf(BitStream,128,idx);
+
+ // ok valid card found!
+ uint32_t cardnum = bytebits_to_byte(BitStream+81, 16);
+ PrintAndLog("NEDAP ID Found - Card: %d - Raw: %08x%08x%08x%08x", cardnum, rawHi3, rawHi2, rawHi, rawLo);
+
+ if (g_debugMode){
+ PrintAndLog("DEBUG: idx: %d, Len: %d, Printing Demod Buffer:", idx, 128);
+ printDemodBuff();
+ }
+ return 1;
+}
+
+
+int CmdLFNedapRead(const char *Cmd) {
+ CmdLFRead("s");
+ getSamples("30000",false);
+ return CmdFSKdemodNedap("");
+}
+/*
+int CmdLFNedapClone(const char *Cmd) {
+
+ char cmdp = param_getchar(Cmd, 0);
+ if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_nedap_clone();
+
+ uint32_t cardnumber=0, cn = 0;
+ uint32_t blocks[5];
+ uint8_t i;
+ uint8_t bs[128];
+ memset(bs, 0x00, sizeof(bs));
+
+ if (sscanf(Cmd, "%u", &cn ) != 1) return usage_lf_nedap_clone();
+
+ cardnumber = (cn & 0x00FFFFFF);
+
+ if ( !GetNedapBits(cardnumber, bs)) {
+ PrintAndLog("Error with tag bitstream generation.");
+ return 1;
+ }
+
+ ((ASK/biphase data rawdemod ab 0 64 1 0
+ //NEDAP - compat mode, ASK/Biphase, data rate 64, 4 data blocks
+ blocks[0] = T55x7_MODULATION_BIPHASE | T55x7_BITRATE_RF_64 | 4< clone nedap tag"},
+ {"sim", CmdLFNedapSim, 0, " simulate nedap tag"},
+ {NULL, NULL, 0, NULL}
+};
+
+int CmdLFNedap(const char *Cmd) {
+ clearCommandBuffer();
+ CmdsParse(CommandTable, Cmd);
+ return 0;
+}
+
+int CmdHelp(const char *Cmd) {
+ CmdsHelp(CommandTable);
+ return 0;
+}
diff --git a/client/cmdlfnedap.h b/client/cmdlfnedap.h
new file mode 100644
index 000000000..bead83719
--- /dev/null
+++ b/client/cmdlfnedap.h
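Review bot: In `GetNedapBits`, `addParity(pre+64, pre+64, 128, 8, 1)` passes a source length of 128 for a region that begins 64 bytes into the 128-byte `pre`, so by the argument order given in the comment above it the call reads past the end of the stack array, and because source and destination are the same pointer it presumably writes past it as well. The length should be bounded to what remains after offset 64 and the parity output should go to a separate, adequately sized buffer. The function also never stores anything in `nedapBits`, so a caller gets an untouched buffer together with a success return; something like `memcpy(nedapBits, pre, sizeof(pre));` before `return 1;` is needed, given that the commented-out clone passes `bs[128]`. Separately, in `CmdFSKdemodNedap` the card number is read with `bytebits_to_byte(BitStream+81, 16)`, which ignores `idx` unlike the four raw reads just above it and takes 16 bits where the usage text describes a 24-bit number; `BitStream+idx+81` looks like what was intended.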
@@ -0,0 +1,33 @@
+//-----------------------------------------------------------------------------
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Low frequency T55xx commands
+//-----------------------------------------------------------------------------
+#ifndef CMDLFNEDAP_H__
+#define CMDLFNEDAP_H__
+#include "proxmark3.h"
+#include "ui.h"
+#include "util.h"
+#include "graph.h"
+#include "cmdparser.h"
+#include "cmddata.h"
+#include "cmdmain.h"
+#include "cmdlf.h"
+#include "protocols.h" // for T55xx config register definitions
+#include "lfdemod.h" // parityTest
+#include "crc.h"
+
+int CmdLFNedap(const char *Cmd);
+int CmdFSKdemodNedap(const char *Cmd);
+int CmdLFNedapRead(const char *Cmd);
+//int CmdLFNedapClone(const char *Cmd);
+int CmdLFNedapSim(const char *Cmd);
+
+int usage_lf_nedap_read(void);
+//int usage_lf_nedap_clone(void);
+int usage_lf_nedap_sim(void);
+#endif
+
diff --git a/common/lfdemod.c b/common/lfdemod.c
index f27ffff35..3bc246a3e 100644
--- a/common/lfdemod.c
+++ b/common/lfdemod.c
@@ -764,6 +764,18 @@ int PyramiddemodFSK(uint8_t *dest, size_t *size)
 return (int)startIdx;
 }
+// find presco preamble 0x10D in already demoded data
+int NedapDemod(uint8_t *dest, size_t *size) {
+ //make sure buffer has data
+ if (*size < 128) return -3;
+ size_t startIdx = 0;
+ uint8_t preamble[] = {1,1,1,1,1,1,1,1,1,0};
+ uint8_t errChk = preambleSearch(dest, preamble, sizeof(preamble), size, &startIdx);
+ if (errChk == 0) return -4; //preamble not found
+ //return start position
+ return (int) startIdx;
+}
+
 // by marshmellow
 // to detect a wave that has heavily clipped (clean) samples
 uint8_t DetectCleanAskWave(uint8_t dest[], size_t size, uint8_t high, uint8_t low)
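Review bot: The prototypes in this header do not line up with what cmdlfnedap.c defines in the same patch: `usage_lf_nedap_read` is declared but no definition is visible, `usage_lf_nedap_clone` is defined in the .c file yet commented out here, and the non-static `GetNedapBits` has no prototype at all. Declaring exactly what the .c file exports, or marking the helpers `static`, would let the compiler catch signature mismatches. The banner comment should read `// Low frequency NEDAP tag commands` rather than `// Low frequency T55xx commands`.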
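Review bot: `NedapDemod` checks `*size < 128` only before the search and never confirms that a full 128-bit frame follows `startIdx`, while its caller `CmdFSKdemodNedap` goes on to read `BitStream+idx` through `idx+127`. `preambleSearch` takes `size` by pointer, so it presumably updates it; if it reports the frame length there, add `if (*size != 128) return -3;` after the search, otherwise compare `startIdx + 128` against the original size before returning. The comment `// find presco preamble 0x10D in already demoded data` was carried over from another demod and should name this one, e.g. `// find NEDAP preamble 1111111110 in already demodulated data`. The context lines around the new function belong to functions that continue outside the hunk.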
diff --git a/common/lfdemod.h b/common/lfdemod.h
index 56c758ae7..9895434c9 100644
--- a/common/lfdemod.h
+++ b/common/lfdemod.h
@@ -55,4 +55,5 @@ int ParadoxdemodFSK(uint8_t *dest, size_t *size, uint32_t *hi2, uint32_t *hi, ui
 int PyramiddemodFSK(uint8_t *dest, size_t *size);
 int VikingDemod_AM(uint8_t *dest, size_t *size);
 int PrescoDemod(uint8_t *dest, size_t *size);
+int NedapDemod(uint8_t *dest, size_t *size);
 #endif