RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-21 07:46:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #822 from tharexde/dev-em4x50_sread

Browse source 
EM4x50 function "sread" (standard/selective read)
This commit is contained in:
Iceman 2020-06-29 10:10:53 +02:00 committed by GitHub
parent f57a304362 81cd478883
commit 7df20bc61e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 254 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Added lf em function: 4x50_sread (@tharexde)
- Added lf em functions: 4x50_info, 4x50_write, 4x50_write_password (@tharexde)
- Fix em4x50 demodulation error (@tharexde)
- Fix `hf mfdes` authentification issues, DES working (@bkerler)

5
armsrc/appmain.c
View file

@ -1019,6 +1019,11 @@ static void PacketReceived(PacketCommandNG *packet) {
em4x50_write_password((em4x50_data_t *)packet->data.asBytes);
break;
}
case CMD_LF_EM4X50_SREAD: {
em4x50_sread((em4x50_data_t *)packet->data.asBytes);
break;
}
#endif
#ifdef WITH_ISO15693

53
armsrc/em4x50.c
View file

@ -604,7 +604,9 @@ static int get_word_from_bitstream(uint8_t bits[EM4X50_TAG_WORD]) {
}
}
//==============================================================================
// login function
//==============================================================================
static bool login(uint8_t password[4]) {
@ -631,7 +633,9 @@ static bool login(uint8_t password[4]) {
return false;
}
//==============================================================================
// reset function
//==============================================================================
static bool reset(void) {
@ -653,7 +657,9 @@ static bool reset(void) {
return false;
}
//==============================================================================
// read functions
//==============================================================================
static bool standard_read(int *now) {
@ -754,7 +760,52 @@ void em4x50_info(em4x50_data_t *etd) {
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
}
void em4x50_sread(em4x50_data_t *etd) {
// reads in two different ways:
// - using "selective read mode" -> bidirectional communication
// - using "standard read mode" -> unidirectional communication (read
// data that tag transmits "voluntarily")
bool bsuccess = false, blogin = false;
int now = 0;
uint8_t status = 0;
uint8_t addresses[] = {0x00, 0x00, 0x00, 0x00};
init_tag();
em4x50_setup_read();
// set gHigh and gLow
get_signalproperties();
if (etd->addr_given) {
// selective read mode
// try to login with given password
if (etd->pwd_given)
blogin = login(etd->password);
// only one word has to be read -> first word read = last word read
addresses[2] = addresses[3] = etd->address;
bsuccess = selective_read(addresses);
} else {
// standard read mode
bsuccess = standard_read(&now);
}
status = (now << 2) + (bsuccess << 1) + blogin;
lf_finalize();
reply_ng(CMD_ACK, status, (uint8_t *)tag.sectors, 238);
}
//==============================================================================
// write functions
//==============================================================================
static bool write(uint8_t word[4], uint8_t address) {
@ -864,7 +915,7 @@ void em4x50_write(em4x50_data_t *etd) {
if (etd->pwd_given)
blogin &= login(etd->password);
// perform a selective read
// call a selective read
addresses[2] = addresses[3] = etd->address;
if (selective_read(addresses)) {

1
armsrc/em4x50.h
View file

@ -20,5 +20,6 @@ typedef struct {
void em4x50_info(em4x50_data_t *etd);
void em4x50_write(em4x50_data_t *etd);
void em4x50_write_password(em4x50_data_t *etd);
void em4x50_sread(em4x50_data_t *etd);
#endif /* EM4X50_H */

1
client/src/cmdlfem4x.c
View file

@ -1759,6 +1759,7 @@ static command_t CommandTable[] = {
{"4x50_info", CmdEM4x50Info, IfPm3Lf, "read complete data from EM4x50"},
{"4x50_write", CmdEM4x50Write, IfPm3Lf, "write word data to EM4x50"},
{"4x50_write_password", CmdEM4x50WritePassword, IfPm3Lf, "change passwword of EM4x50 tag"},
{"4x50_sread", CmdEM4x50SRead, IfPm3Lf, "read word data from EM4x50 on device"},
{NULL, NULL, NULL, NULL}
};

198
client/src/cmdlfem4x50.c
View file

@ -15,33 +15,6 @@
#include "commonutil.h"
#include "em4x50.h"
#define EM4X50_NO_WORDS 34
// special words
#define EM4X50_DEVICE_PASSWORD 0
#define EM4X50_PROTECTION 1
#define EM4X50_CONTROL 2
#define EM4X50_DEVICE_SERIAL 32
#define EM4X50_DEVICE_ID 33
// control word (word = 4 bytes)
#define FIRST_WORD_READ 0 // first byte
#define LAST_WORD_READ 1 // second byte
#define CONFIG_BLOCK 2 // third byte
#define PASSWORD_CHECK 0x80 // first bit in third byte
#define READ_AFTER_WRITE 0x40 // second bit in third byte
// protection word
#define FIRST_WORD_READ_PROTECTED 0 // first byte
#define LAST_WORD_READ_PROTECTED 1 // second byte
#define FIRST_WORD_WRITE_INHIBITED 2 // third byte
#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte
// misc
#define STATUS_SUCCESS 0x2
#define STATUS_LOGIN 0x1
#define NO_CHARS_MAX 400
int usage_lf_em4x50_info(void) {
PrintAndLogEx(NORMAL, "Read all information of EM4x50. Tag nust be on antenna.");
PrintAndLogEx(NORMAL, "");
@ -81,6 +54,19 @@ int usage_lf_em4x50_write_password(void) {
PrintAndLogEx(NORMAL, " lf em 4x50_write_password p 11223344 n 01020304");
return PM3_SUCCESS;
}
int usage_lf_em4x50_sread(void) {
PrintAndLogEx(NORMAL, "Read EM4x50 word(s). Tag must be on antenna. ");
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(NORMAL, "Usage: lf em 4x50_sread [h] a <address> p <pwd>");
PrintAndLogEx(NORMAL, "Options:");
PrintAndLogEx(NORMAL, " h - this help");
PrintAndLogEx(NORMAL, " a <addr> - memory address to read (dec) (optional)");
PrintAndLogEx(NORMAL, " p <pwd> - password (hex) (optional)");
PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, " lf em 4x50_sread");
PrintAndLogEx(NORMAL, " lf em 4x50_sread a 2 p 00000000");
return PM3_SUCCESS;
}
static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t *words) {
@ -121,13 +107,13 @@ static void prepare_result(const uint8_t *byte, int fwr, int lwr, em4x50_word_t
}
// check column parities
words[i].col_parity = byte[i*7+5] ;
words[i].col_parity = byte[i*7+5];
for (int j = 0; j < 8; j++) {
words[i].cparity[j] = (((words[i].col_parity >> (7-j)) & 1) == c[j]) ? true : false;
if (!words[i].cparity[j])
words[i].parity = false;
words[i].parity = false;
}
// check stop bit
@ -204,7 +190,7 @@ static void print_bit_table(const em4x50_word_t word) {
string[0] = '\0';
}
static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
// print available information for given word from fwr to lwr, i.e.
// bit table + summary lines with hex notation of word (msb + lsb)
@ -220,6 +206,7 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
print_bit_table(words[i]);
// final result
string[0] = '\0';
sprintf(pstring, "\n word[%i] msb: " _GREEN_("0x"), i);
strcat(string, pstring);
@ -237,8 +224,6 @@ static void print_result(const em4x50_word_t *words, int fwr, int lwr) {
}
PrintAndLogEx(NORMAL,string);
string[0] = '\0';
}
}
@ -251,7 +236,7 @@ static void print_info_result(PacketResponseNG *resp, const em4x50_data_t *etd,
char pstring[NO_CHARS_MAX] = {0}, string[NO_CHARS_MAX] = {0};
bool bpwd_given = etd->pwd_given;
bool bsuccess = resp->status & STATUS_SUCCESS;
bool bsuccess = (resp->status & STATUS_SUCCESS) >> 1;
bool blogin = resp->status & STATUS_LOGIN;
prepare_result(data, 0, EM4X50_NO_WORDS - 1, words);
@ -455,7 +440,7 @@ int CmdEM4x50Info(const char *Cmd) {
// print result
print_info_result(&resp, &etd, verbose);
success = resp.status & STATUS_SUCCESS;
success = (resp.status & STATUS_SUCCESS) >> 1;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}
@ -464,7 +449,7 @@ static void print_write_result(PacketResponseNG *resp, const em4x50_data_t *etd)
// display result of writing operation in structured format
bool pwd_given = etd->pwd_given;
bool success = resp->status & STATUS_SUCCESS;
bool success = (resp->status & STATUS_SUCCESS) >> 1;
bool login = resp->status & STATUS_LOGIN;
uint8_t *data = resp->data.asBytes;
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
@ -574,7 +559,7 @@ int CmdEM4x50Write(const char *Cmd) {
// get, prepare and print response
print_write_result(&resp, &etd);
success = resp.status & STATUS_SUCCESS;
success = (resp.status & STATUS_SUCCESS) >> 1;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}
@ -661,3 +646,144 @@ int CmdEM4x50WritePassword(const char *Cmd) {
return ((bool)resp.status) ? PM3_SUCCESS : PM3_ESOFT;
}
static void print_sread_result(PacketResponseNG *resp, const em4x50_data_t *etd) {
// display result of writing operation in structured format
bool addr_given = etd->addr_given;
bool pwd_given = etd->pwd_given;
bool login = resp->status & STATUS_LOGIN;
bool success = (resp->status & STATUS_SUCCESS) >> 1;
int now = (resp->status & STATUS_NO_WORDS) >> 2;
char string[NO_CHARS_MAX] = {0}, pstring[NO_CHARS_MAX] = {0};
uint8_t *data = resp->data.asBytes;
em4x50_word_t word;
if (!success) {
sprintf(pstring, "\n reading " _RED_("failed"));
strcat(string, pstring);
PrintAndLogEx(NORMAL,"%s\n", string);
} else {
if (addr_given) {
// selective read mode
prepare_result(data, etd->address, etd->address, &word);
print_result(&word, etd->address, etd->address);
string[0] = '\0';
sprintf(pstring, "\n reading " _GREEN_("ok "));
strcat(string, pstring);
if (pwd_given) {
if (login) {
sprintf(pstring, "(login with password 0x%02x%02x%02x%02x)",
etd->password[0], etd->password[1],
etd->password[2], etd->password[3]);
strcat(string, pstring);
} else {
sprintf(pstring, "(login failed)");
strcat(string, pstring);
}
} else {
sprintf(pstring, "(no login)");
strcat(string, pstring);
}
} else {
//standard read mode
prepare_result(data, 0, now - 1, &word);
print_result(&word, 0, now - 1);
string[0] = '\0';
sprintf(pstring, "\n reading " _GREEN_("ok "));
strcat(string, pstring);
if (pwd_given) {
sprintf(pstring, "(standard read mode, password ignored)");
strcat(string, pstring);
} else {
sprintf(pstring, "(standard read mode)");
strcat(string, pstring);
}
}
PrintAndLogEx(NORMAL,"%s\n", string);
}
}
int CmdEM4x50SRead(const char *Cmd) {
// envoke reading
// - without option -> standard read mode
// - with given address (option a) (and optional password if address is
// read protected) -> selective read mode
bool errors = false, success = false;
uint8_t cmdp = 0;
em4x50_data_t etd;
PacketResponseNG resp;
// init
etd.pwd_given = false;
etd.addr_given = false;
while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
switch (tolower(param_getchar(Cmd, cmdp))) {
case 'h':
return usage_lf_em4x50_sread();
case 'p':
if (param_gethex(Cmd, cmdp + 1, etd.password, 8)) {
PrintAndLogEx(FAILED, "\n password has to be 8 hex symbols\n");
return PM3_EINVARG;
}
etd.pwd_given = true;
cmdp += 2;
break;
case 'a':
param_getdec(Cmd, cmdp + 1, &etd.address);
// validation
if (etd.address <= 0 || etd.address >= EM4X50_NO_WORDS) {
PrintAndLogEx(FAILED, "\n error, address has to be in range [1-33]\n");
return PM3_EINVARG;
}
etd.addr_given = true;
cmdp += 2;
break;
default:
PrintAndLogEx(WARNING, "\n Unknown parameter '%c'\n", param_getchar(Cmd, cmdp));
errors = true;
break;
}
}
if (errors)
return usage_lf_em4x50_sread();
clearCommandBuffer();
SendCommandNG(CMD_LF_EM4X50_SREAD, (uint8_t *)&etd, sizeof(etd));
if (!WaitForResponse(CMD_ACK, &resp)) {
PrintAndLogEx(WARNING, "\n timeout while waiting for reply.\n");
return PM3_ETIMEOUT;
}
// get, prepare and print response
print_sread_result(&resp, &etd);
success = (resp.status & STATUS_SUCCESS) >> 1;
return (success) ? PM3_SUCCESS : PM3_ESOFT;
}

2
client/src/cmdlfem4x50.h
View file

@ -14,9 +14,11 @@
int usage_lf_em4x50_info(void);
int usage_lf_em4x50_write(void);
int usage_lf_em4x50_write_password(void);
int usage_lf_em4x50_sread(void);
int CmdEM4x50Info(const char *Cmd);
int CmdEM4x50Write(const char *Cmd);
int CmdEM4x50WritePassword(const char *Cmd);
int CmdEM4x50SRead(const char *Cmd);
#endif

31
include/em4x50.h
View file

@ -11,9 +11,36 @@
#ifndef EM4X50_H__
#define EM4X50_H__
#define EM4X50_NO_WORDS 34
// special words
#define EM4X50_DEVICE_PASSWORD 0
#define EM4X50_PROTECTION 1
#define EM4X50_CONTROL 2
#define EM4X50_DEVICE_SERIAL 32
#define EM4X50_DEVICE_ID 33
// control word (word = 4 bytes)
#define FIRST_WORD_READ 0 // first byte
#define LAST_WORD_READ 1 // second byte
#define CONFIG_BLOCK 2 // third byte
#define PASSWORD_CHECK 0x80 // first bit in third byte
#define READ_AFTER_WRITE 0x40 // second bit in third byte
// protection word
#define FIRST_WORD_READ_PROTECTED 0 // first byte
#define LAST_WORD_READ_PROTECTED 1 // second byte
#define FIRST_WORD_WRITE_INHIBITED 2 // third byte
#define LAST_WORD_WRITE_INHIBITED 3 // fourth byte
// misc
#define STATUS_NO_WORDS 0xfc
#define STATUS_SUCCESS 0x2
#define STATUS_LOGIN 0x1
#define NO_CHARS_MAX 400
typedef struct {
bool fwr_given;
bool lwr_given;
bool addr_given;
bool pwd_given;
bool newpwd_given;
uint8_t password[4];

1
include/pm3_cmd.h
View file

@ -405,6 +405,7 @@ typedef struct {
#define CMD_LF_EM4X50_INFO 0x0240
#define CMD_LF_EM4X50_WRITE 0x0241
#define CMD_LF_EM4X50_WRITE_PASSWORD 0x0242
#define CMD_LF_EM4X50_SREAD 0x0243
// Sampling configuration for LF reader/sniffer
#define CMD_LF_SAMPLING_SET_CONFIG 0x021D
#define CMD_LF_FSK_SIMULATE 0x021E