diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6791e748a..416f063b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
+ - Added lf em function: 4x50_sread (@tharexde)
- Added lf em functions: 4x50_info, 4x50_write, 4x50_write_password (@tharexde)
- Fix em4x50 demodulation error (@tharexde)
- Fix `hf mfdes` authentification issues, DES working (@bkerler)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index ad02eae2f..604d44c34 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -1019,6 +1019,11 @@ static void PacketReceived(PacketCommandNG *packet) {
em4x50_write_password((em4x50_data_t *)packet->data.asBytes);
break;
}
+ case CMD_LF_EM4X50_SREAD: {
+ em4x50_sread((em4x50_data_t *)packet->data.asBytes);
+ break;
+ }
+
#endif
#ifdef WITH_ISO15693
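Review bot: The new `CMD_LF_EM4X50_SREAD` case casts `packet->data.asBytes` to `em4x50_data_t *` without checking that the packet carries a full structure, so a short packet makes em4x50_sread() read flags, address and password from stale buffer contents. A guard such as `if (packet->length < sizeof(em4x50_data_t)) break;` (or an error reply) before the call would make the handler independent of a well-behaved client. The neighbouring EM4x50 cases visible in the context use the same unchecked cast and would benefit from the same guard. PacketReceived starts and ends outside this hunk.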
diff --git a/armsrc/em4x50.c b/armsrc/em4x50.c
index b9295e9ed..cfbfb9fe0 100644
--- a/armsrc/em4x50.c
+++ b/armsrc/em4x50.c
@@ -604,7 +604,9 @@ static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) {
}
}
+//==============================================================================
// login function
+//==============================================================================
static bool login(uint8_t password[4]) {
@@ -631,7 +633,9 @@ static bool login(uint8_t password[4]) {
return false;
}
+//==============================================================================
// reset function
+//==============================================================================
static bool reset(void) {
@@ -653,7 +657,9 @@ static bool reset(void) {
return false;
}
+//==============================================================================
// read functions
+//==============================================================================
static bool standard_read(int *now) {
@@ -754,7 +760,52 @@ void em4x50_info(em4x50_data_t *etd) {
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
}
+void em4x50_sread(em4x50_data_t *etd) {
+
+ // reads in two different ways:
+ // - using "selective read mode" -> bidirectional communication
+ // - using "standard read mode" -> unidirectional communication (read
+ // data that tag transmits "voluntarily")
+
+ bool bsuccess = false, blogin = false;
+ int now = 0;
+ uint8_t status = 0;
+ uint8_t addresses[] = {0x00, 0x00, 0x00, 0x00};
+
+ init_tag();
+ em4x50_setup_read();
+
+ // set gHigh and gLow
+ get_signalproperties();
+
+ if (etd->addr_given) {
+
+ // selective read mode
+
+ // try to login with given password
+ if (etd->pwd_given)
+ blogin = login(etd->password);
+
+ // only one word has to be read -> first word read = last word read
+ addresses[2] = addresses[3] = etd->address;
+ bsuccess = selective_read(addresses);
+
+ } else {
+
+ // standard read mode
+ bsuccess = standard_read(&now);
+
+ }
+
+ status = (now << 2) + (bsuccess << 1) + blogin;
+
+ lf_finalize();
+ reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
+}
+
+//==============================================================================
// write functions
+//==============================================================================
static bool write(uint8_t word[4], uint8_t address) {
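Review bot: em4x50_sread takes `etd->address` straight from the host packet at `addresses[2] = addresses[3] = etd->address;`, and the only range check in this commit is the client-side one in CmdEM4x50SRead. A firmware-side guard before the read, for example `if (etd->address >= EM4X50_NO_WORDS)` followed by a failure reply, would keep the word index bounded whoever sends the command, assuming the constant from include/em4x50.h is in scope in this file. How selective_read() uses the address lies outside this hunk, so the impact of an out-of-range value cannot be judged from here. The reply length `238` is a bare literal (presumably 34 words of 7 bytes each); a named constant or a short comment with the derivation would make it checkable.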
@@ -864,7 +915,7 @@ void em4x50_write(em4x50_data_t *etd) {
if (etd->pwd_given)
blogin &= login(etd->password);
- // perform a selective read
+ // call a selective read
addresses[2] = addresses[3] = etd->address;
if (selective_read(addresses)) {
diff --git a/armsrc/em4x50.h b/armsrc/em4x50.h
index 746ca4811..aecaea78e 100644
--- a/armsrc/em4x50.h
+++ b/armsrc/em4x50.h
@@ -20,5 +20,6 @@ typedef struct {
void em4x50_info(em4x50_data_t *etd);
void em4x50_write(em4x50_data_t *etd);
void em4x50_write_password(em4x50_data_t *etd);
+void em4x50_sread(em4x50_data_t *etd);
#endif /* EM4X50_H */
diff --git a/client/src/cmdlfem4x.c b/client/src/cmdlfem4x.c
index a94882cb6..ef8cbdc13 100644
--- a/client/src/cmdlfem4x.c
+++ b/client/src/cmdlfem4x.c
@@ -1759,6 +1759,7 @@ static command_t CommandTable[] = {
{"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"},
{"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"},
{"4x50_write_password", CmdEM4x50WritePassword, IfPm3Lf, "change passwword of EM4x50 tag"},
+ {"4x50_sread", CmdEM4x50SRead, IfPm3Lf, "read word data from EM4x50 on device"},
{NULL, NULL, NULL, NULL}
};
diff --git a/client/src/cmdlfem4x50.c b/client/src/cmdlfem4x50.c
index 1f4420c5b..cee6ece71 100644
--- a/client/src/cmdlfem4x50.c
+++ b/client/src/cmdlfem4x50.c
@@ -15,33 +15,6 @@
#include "commonutil.h"
#include "em4x50.h"
-#define EM4X50_NO_WORDS 34
-
-// special words
-#define EM4X50_DEVICE_PASSWORD 0
-#define EM4X50_PROTECTION 1
-#define EM4X50_CONTROL 2
-#define EM4X50_DEVICE_SERIAL 32
-#define EM4X50_DEVICE_ID 33
-
-// control word (word = 4 bytes)
-#define FIRST_WORD_READ 0 // first byte
-#define LAST_WORD_READ 1 // second byte
-#define CONFIG_BLOCK 2 // third byte
-#define PASSWORD_CHECK 0x80 // first bit in third byte
-#define READ_AFTER_WRITE 0x40 // second bit in third byte
-
-// protection word
-#define FIRST_WORD_READ_PROTECTED 0 // first byte
-#define LAST_WORD_READ_PROTECTED 1 // second byte
-#define FIRST_WORD_WRITE_INHIBITED 2 // third byte
-#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte
-
-// misc
-#define STATUS_SUCCESS 0x2
-#define STATUS_LOGIN 0x1
-#define NO_CHARS_MAX 400
-
int usage_lf_em4x50_info(void) {
PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna.");
PrintAndLogEx(NORMAL, "");
@@ -81,6 +54,19 @@ int usage_lf_em4x50_write_password(void) {
PrintAndLogEx(NORMAL, " lf em 4x50_write_password p 11223344 n 01020304");
return PM3_SUCCESS;
}
+int usage_lf_em4x50_sread(void) {
+ PrintAndLogEx(NORMAL, "Read EM4x50 word(s). Tag must be on antenna. ");
+ PrintAndLogEx(NORMAL, "");
+ PrintAndLogEx(NORMAL, "Usage: lf em 4x50_sread [h] a
p ");
+ PrintAndLogEx(NORMAL, "Options:");
+ PrintAndLogEx(NORMAL, " h - this help");
+ PrintAndLogEx(NORMAL, " a - memory address to read (dec) (optional)");
+ PrintAndLogEx(NORMAL, " p - password (hex) (optional)");
+ PrintAndLogEx(NORMAL, "Examples:");
+ PrintAndLogEx(NORMAL, " lf em 4x50_sread");
+ PrintAndLogEx(NORMAL, " lf em 4x50_sread a 2 p 00000000");
+ return PM3_SUCCESS;
+}
static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) {
@@ -121,13 +107,13 @@ static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t
}
// check column parities
- words[i].col_parity = byte[i*7+5] ;
+ words[i].col_parity = byte[i*7+5];
for (int j = 0; j < 8; j++) {
words[i].cparity[j] = (((words[i].col_parity >> (7-j)) & 1) == c[j]) ? true : false;
if (!words[i].cparity[j])
- words[i].parity = false;
+ words[i].parity = false;
}
// check stop bit
@@ -204,7 +190,7 @@ static void print_bit_table(const em4x50_word_t word) {
string[0] = '\0';
}
-static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
+static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
// print available information for given word from fwr to lwr, i.e.
// bit table + summary lines with hex notation of word (msb + lsb)
@@ -220,6 +206,7 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
print_bit_table(words[i]);
// final result
+ string[0] = '\0';
sprintf(pstring, "\n word[%i] msb: " _GREEN_("0x"), i);
strcat(string, pstring);
@@ -237,8 +224,6 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
}
PrintAndLogEx(NORMAL,string);
-
- string[0] = '\0';
}
}
@@ -251,7 +236,7 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd,
char pstring[NO_CHARS_MAX] = {0}, string[NO_CHARS_MAX] = {0};
bool bpwd_given = etd->pwd_given;
- bool bsuccess = resp->status & STATUS_SUCCESS;
+ bool bsuccess = (resp->status & STATUS_SUCCESS) >> 1;
bool blogin = resp->status & STATUS_LOGIN;
prepare_result(data, 0, EM4X50_NO_WORDS - 1, words);
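Review bot: The added `>> 1` in `bool bsuccess = (resp->status & STATUS_SUCCESS) >> 1;` does not change the result if `bool` is the C99 type, because any non-zero value already converts to true; it only introduces a hard-coded shift that must stay in step with the mask. `(resp->status & STATUS_SUCCESS) != 0` states the intent without the magic number. The same pattern is added in CmdEM4x50Info, print_write_result and CmdEM4x50Write in the following hunks. print_info_result continues outside this hunk.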
@@ -455,7 +440,7 @@ int CmdEM4x50Info(const char *Cmd) {
// print result
print_info_result(&resp, &etd, verbose);
- success = resp.status & STATUS_SUCCESS;
+ success = (resp.status & STATUS_SUCCESS) >> 1;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}
@@ -464,7 +449,7 @@ static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd)
// display result of writing operation in structured format
bool pwd_given = etd->pwd_given;
- bool success = resp->status & STATUS_SUCCESS;
+ bool success = (resp->status & STATUS_SUCCESS) >> 1;
bool login = resp->status & STATUS_LOGIN;
uint8_t *data = resp->data.asBytes;
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
@@ -574,7 +559,7 @@ int CmdEM4x50Write(const char *Cmd) {
// get, prepare and print response
print_write_result(&resp, &etd);
- success = resp.status & STATUS_SUCCESS;
+ success = (resp.status & STATUS_SUCCESS) >> 1;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}
@@ -661,3 +646,144 @@ int CmdEM4x50WritePassword(const char *Cmd) {
return ((bool)resp.status) ? PM3_SUCCESS : PM3_ESOFT;
}
+
+static void print_sread_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
+
+ // display result of writing operation in structured format
+
+ bool addr_given = etd->addr_given;
+ bool pwd_given = etd->pwd_given;
+ bool login = resp->status & STATUS_LOGIN;
+ bool success = (resp->status & STATUS_SUCCESS) >> 1;
+ int now = (resp->status & STATUS_NO_WORDS) >> 2;
+ char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
+ uint8_t *data = resp->data.asBytes;
+ em4x50_word_t word;
+
+ if (!success) {
+
+ sprintf(pstring, "\n reading " _RED_("failed"));
+ strcat(string, pstring);
+
+ PrintAndLogEx(NORMAL,"%s\n", string);
+
+ } else {
+
+ if (addr_given) {
+
+ // selective read mode
+
+ prepare_result(data, etd->address, etd->address, &word);
+ print_result(&word, etd->address, etd->address);
+
+ string[0] = '\0';
+ sprintf(pstring, "\n reading " _GREEN_("ok "));
+ strcat(string, pstring);
+
+ if (pwd_given) {
+ if (login) {
+ sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)",
+ etd->password[0], etd->password[1],
+ etd->password[2], etd->password[3]);
+ strcat(string, pstring);
+ } else {
+ sprintf(pstring, "(login failed)");
+ strcat(string, pstring);
+ }
+ } else {
+ sprintf(pstring, "(no login)");
+ strcat(string, pstring);
+ }
+
+ } else {
+
+ //standard read mode
+
+ prepare_result(data, 0, now - 1, &word);
+ print_result(&word, 0, now - 1);
+
+ string[0] = '\0';
+ sprintf(pstring, "\n reading " _GREEN_("ok "));
+ strcat(string, pstring);
+
+ if (pwd_given) {
+ sprintf(pstring, "(standard read mode, password ignored)");
+ strcat(string, pstring);
+ } else {
+ sprintf(pstring, "(standard read mode)");
+ strcat(string, pstring);
+ }
+ }
+
+ PrintAndLogEx(NORMAL,"%s\n", string);
+ }
+}
+
+int CmdEM4x50SRead(const char *Cmd) {
+
+ // envoke reading
+ // - without option -> standard read mode
+ // - with given address (option a) (and optional password if address is
+ // read protected) -> selective read mode
+
+ bool errors = false, success = false;
+ uint8_t cmdp = 0;
+ em4x50_data_t etd;
+ PacketResponseNG resp;
+
+ // init
+ etd.pwd_given = false;
+ etd.addr_given = false;
+
+ while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
+
+ switch (tolower(param_getchar(Cmd, cmdp))) {
+ case 'h':
+ return usage_lf_em4x50_sread();
+
+ case 'p':
+ if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
+ PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
+ return PM3_EINVARG;
+ }
+ etd.pwd_given = true;
+ cmdp += 2;
+ break;
+
+ case 'a':
+ param_getdec(Cmd, cmdp + 1, &etd.address);
+
+ // validation
+ if (etd.address <= 0 || etd.address >= EM4X50_NO_WORDS) {
+ PrintAndLogEx(FAILED, "\n error, address has to be in range [1-33]\n");
+ return PM3_EINVARG;
+ }
+ etd.addr_given = true;
+ cmdp += 2;
+ break;
+
+ default:
+ PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
+ errors = true;
+ break;
+ }
+ }
+
+ if (errors)
+ return usage_lf_em4x50_sread();
+
+ clearCommandBuffer();
+ SendCommandNG(CMD_LF_EM4X50_SREAD, (uint8_t *)&etd, sizeof(etd));
+
+
+ if (!WaitForResponse(CMD_ACK, &resp)) {
+ PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n");
+ return PM3_ETIMEOUT;
+ }
+
+ // get, prepare and print response
+ print_sread_result(&resp, &etd);
+
+ success = (resp.status & STATUS_SUCCESS) >> 1;
+ return (success) ? PM3_SUCCESS : PM3_ESOFT;
+}
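Review bot: print_sread_result declares a single `em4x50_word_t word;` but passes `&word` to prepare_result() and print_result() with the index ranges `etd->address..etd->address` and `0..now - 1`; the prepare_result context lines in this diff index `words[i]`, so any index other than 0 appears to read and write past that one stack object. `now` is also taken from the device's status byte (up to 63 with the `0xfc` mask), so it should be clamped to `EM4X50_NO_WORDS` before it is used as a bound. Sizing the buffer as an array, as sketched below, addresses both. Separately, CmdEM4x50SRead sends `sizeof(etd)` bytes of an `etd` whose remaining fields are never initialised; `em4x50_data_t etd = {0};` avoids sending uninitialised stack bytes to the device.

```c
static void print_sread_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
    // ... unchanged: addr_given, pwd_given, login, success ...
    int now = (resp->status & STATUS_NO_WORDS) >> 2;
    // ... unchanged: string buffers, data pointer ...
    em4x50_word_t words[EM4X50_NO_WORDS];

    // the word count comes from the device reply; keep it inside words[]
    if (now > EM4X50_NO_WORDS)
        now = EM4X50_NO_WORDS;

    // ... unchanged: failure branch ...

            // selective read mode
            prepare_result(data, etd->address, etd->address, words);
            print_result(words, etd->address, etd->address);

    // ... unchanged: login summary ...

            // standard read mode
            prepare_result(data, 0, now - 1, words);
            print_result(words, 0, now - 1);
```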
diff --git a/client/src/cmdlfem4x50.h b/client/src/cmdlfem4x50.h
index 732d05d5b..8f4b63a4f 100644
--- a/client/src/cmdlfem4x50.h
+++ b/client/src/cmdlfem4x50.h
@@ -14,9 +14,11 @@
int usage_lf_em4x50_info(void);
int usage_lf_em4x50_write(void);
int usage_lf_em4x50_write_password(void);
+int usage_lf_em4x50_sread(void);
int CmdEM4x50Info(const char *Cmd);
int CmdEM4x50Write(const char *Cmd);
int CmdEM4x50WritePassword(const char *Cmd);
+int CmdEM4x50SRead(const char *Cmd);
#endif
diff --git a/include/em4x50.h b/include/em4x50.h
index 11b2509b7..ddda32f7f 100644
--- a/include/em4x50.h
+++ b/include/em4x50.h
@@ -11,9 +11,36 @@
#ifndef EM4X50_H__
#define EM4X50_H__
+#define EM4X50_NO_WORDS 34
+
+// special words
+#define EM4X50_DEVICE_PASSWORD 0
+#define EM4X50_PROTECTION 1
+#define EM4X50_CONTROL 2
+#define EM4X50_DEVICE_SERIAL 32
+#define EM4X50_DEVICE_ID 33
+
+// control word (word = 4 bytes)
+#define FIRST_WORD_READ 0 // first byte
+#define LAST_WORD_READ 1 // second byte
+#define CONFIG_BLOCK 2 // third byte
+#define PASSWORD_CHECK 0x80 // first bit in third byte
+#define READ_AFTER_WRITE 0x40 // second bit in third byte
+
+// protection word
+#define FIRST_WORD_READ_PROTECTED 0 // first byte
+#define LAST_WORD_READ_PROTECTED 1 // second byte
+#define FIRST_WORD_WRITE_INHIBITED 2 // third byte
+#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte
+
+// misc
+#define STATUS_NO_WORDS 0xfc
+#define STATUS_SUCCESS 0x2
+#define STATUS_LOGIN 0x1
+#define NO_CHARS_MAX 400
+
typedef struct {
- bool fwr_given;
- bool lwr_given;
+ bool addr_given;
bool pwd_given;
bool newpwd_given;
uint8_t password[4];
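Review bot: The layout of the status byte is not written down anywhere: the firmware packs it as `(now << 2) + (bsuccess << 1) + blogin`, and the client unpacks it with these masks plus literal shifts of 1 and 2. A comment above the `// misc` masks, such as `// status byte: bit 0 = login ok, bit 1 = read ok, bits 2-7 = number of words read`, would tie the two sides together. The names `STATUS_SUCCESS`, `STATUS_LOGIN` and `NO_CHARS_MAX` are also unprefixed and now live in a header shared by firmware and client, so an `EM4X50_` prefix would lower the chance of a clash. The struct definition continues past the end of this hunk.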
diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h
index 125db9a7f..05c42dfd8 100644
--- a/include/pm3_cmd.h
+++ b/include/pm3_cmd.h
@@ -405,6 +405,7 @@ typedef struct {
#define CMD_LF_EM4X50_INFO 0x0240
#define CMD_LF_EM4X50_WRITE 0x0241
#define CMD_LF_EM4X50_WRITE_PASSWORD 0x0242
+#define CMD_LF_EM4X50_SREAD 0x0243
// Sampling configuration for LF reader/sniffer
#define CMD_LF_SAMPLING_SET_CONFIG 0x021D
#define CMD_LF_FSK_SIMULATE 0x021E