ADD: @marshmellow42 's fixes for Q5, t55xx, fskclock,

ADD: got tired of always writing wrong "hf 14a list", so I hooked it back up to call the "hf list" with argument. Things becomes smoother that way.
2024-09-20 15:26:13 +08:00 · 2015-12-16 11:01:46 +01:00 · 2015-12-16 11:01:46 +01:00 · 9332b857ff
parent 2b1f4228c2
commit 9332b857ff
10 changed files with 104 additions and 112 deletions
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@ -400,7 +400,7 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
 	for(;;) {
 		//wait until SSC_CLK goes HIGH
 		while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
-			if(BUTTON_PRESS() || usb_poll_validate_length() ) {
+			if(BUTTON_PRESS() || !usb_poll_validate_length() ) {
 				DbpString("Stopped");
 				return;
 			}
@ -417,7 +417,7 @@ void SimulateTagLowFrequency(int period, int gap, int ledcontrol)
 		//wait until SSC_CLK goes LOW
 		while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) {
-			if( BUTTON_PRESS() || usb_poll_validate_length() ) {
+			if( BUTTON_PRESS() || !usb_poll_validate_length() ) {
 				DbpString("Stopped");
 				return;
 			}
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -1043,7 +1043,7 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
 	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-	//emlSetMem(datain, arg0, arg1); // data, block num, blocks count	 
+	if (arg2==0) arg2 = 16; // backwards compat... default bytewidth
 	emlSetMem_xt(datain, arg0, arg1, arg2); // data, block num, blocks count, block byte width
 }
@ -1187,8 +1187,8 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
 		if(!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("Can't select card");
 			OnErrorMagic(MAGIC_UID);
-		};
+		}
-	};
+	}
 	// wipe tag, fill it with zeros
 	if (workFlags & MAGIC_WIPE){
@ -1196,14 +1196,14 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
 		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wupC1 error");
 			OnErrorMagic(MAGIC_WIPE);
-		};
+		}
 		ReaderTransmit(wipeC, sizeof(wipeC), NULL);
 		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wipeC error");
 			OnErrorMagic(MAGIC_WIPE);
-		};
+		}
-	};	
+	}	
 	// write block
 	if (workFlags & MAGIC_WUPC) {
@ -1211,19 +1211,19 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
 		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wupC1 error");
 			OnErrorMagic(MAGIC_WUPC);
-		};
+		}
 		ReaderTransmit(wupC2, sizeof(wupC2), NULL);
 		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("wupC2 error");
 			OnErrorMagic(MAGIC_WUPC);
-		};
+		}
 	}
 	if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_WRITEBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("write block send command error");
 		OnErrorMagic(4);
-	};
+	}
 	memcpy(data, datain, 16);
 	AppendCrc14443a(data, 16);
@ -1232,7 +1232,7 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
 	if ((ReaderReceive(receivedAnswer, receivedAnswerPar) != 1) || (receivedAnswer[0] != 0x0a)) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR)	Dbprintf("write block send data error");
 		OnErrorMagic(0);
-	};	
+	}	
 	if (workFlags & MAGIC_OFF) 
 		mifare_classic_halt_ex(NULL);
@ -1271,20 +1271,20 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
 		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");
 			OnErrorMagic(MAGIC_WUPC);
-		};
+		}
 		ReaderTransmit(wupC2, sizeof(wupC2), NULL);
 		if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
 			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC2 error");
 			OnErrorMagic(MAGIC_WUPC);
-		};
+		}
 	}
 	// read block		
 	if ((mifare_sendcmd_short(NULL, 0, ISO14443A_CMD_READBLOCK, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 18)) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("read block send command error");
 		OnErrorMagic(0);
-	};
+	}
 	memcpy(data, receivedAnswer, sizeof(data));
@ -1309,19 +1309,19 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint8_t *datain){
 void MifareCIdent(){
 	// variables
-	byte_t isOK = 1;	
+	bool isOK = true;	
 	uint8_t receivedAnswer[1];
 	uint8_t receivedAnswerPar[1];
 	ReaderTransmitBitsPar(wupC1,7,0, NULL);
 	if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-		isOK = 0;
+		isOK = false;
-	};
+	}
 	ReaderTransmit(wupC2, sizeof(wupC2), NULL);
 	if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
-		isOK = 0;
+		isOK = false;
-	};
+	}
 	// removed the if,  since some magic tags misbehavies and send an answer to it.
 	mifare_classic_halt(NULL, 0);
--- a/client/cmddata.c
+++ b/client/cmddata.c
@ -947,11 +947,10 @@ int FSKrawDemod(const char *Cmd, bool verbose)
 	//set defaults
 	//set options from parameters entered with the command
-	rfLen = param_get8ex(Cmd, 0, 0, 10);
+	rfLen = param_get8(Cmd, 0);
-	invert = param_get8ex(Cmd, 1, 0, 10);
+	invert = param_get8(Cmd, 1);
-	fchigh = param_get8ex(Cmd, 2, 0, 10);
+	fchigh = param_get8(Cmd, 2);
-	fclow = param_get8ex(Cmd, 3, 0, 10);
+	fclow = param_get8(Cmd, 3);
 	if (strlen(Cmd)>0 && strlen(Cmd)<=2) {
 		 if (rfLen==1){
 			invert = 1;   //if invert option only is used
@ -963,16 +962,16 @@ int FSKrawDemod(const char *Cmd, bool verbose)
 	size_t BitLen = getFromGraphBuf(BitStream);
 	if (BitLen==0) return 0;
 	//get field clock lengths
-	uint16_t fcs=0;
+	uint8_t fc1=0, fc2=0, rf1=0;
 	if (!fchigh || !fclow) {
-		fcs = countFC(BitStream, BitLen, 1);
+		uint8_t ans = fskClocks(&fc1, &fc2, &rf1, false);
-		if (!fcs) {
+		if (ans == 0) {
-			fchigh = 10;
+			if (g_debugMode) PrintAndLog("\nError: cannot detect valid fsk field clocks");			
-			fclow = 8;
+			return 0; // can't detect field clock
 		} else {
 			fchigh = (fcs >> 8) & 0x00FF;
 			fclow = fcs & 0x00FF;
 		}
 		fchigh = fc1;
 		fclow = fc2;
 		if (rfLen == 0) rfLen = rf1;
 	}
 	//get bit clock length
 	if (!rfLen){
--- a/client/cmdhf14a.c
+++ b/client/cmdhf14a.c
@ -25,6 +25,7 @@
 #include "mifare.h"
 #include "cmdhfmfu.h"
 #include "nonce2key/nonce2key.h"
 #include "cmdhf.h"
 #define llx PRIx64
@ -171,7 +172,8 @@ int usage_hf_14a_raw(void){
 int CmdHF14AList(const char *Cmd)
 {
-	PrintAndLog("Deprecated command, use 'hf list 14a' instead");
+	//PrintAndLog("Deprecated command, use 'hf list 14a' instead");
 	CmdHFList("14a");
 	return 0;
 }
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@ -32,6 +32,7 @@
 #include "protocols.h"
 #include "usb_cmd.h"
 #include "cmdhfmfu.h"
 #include "cmdhf.h"
 #define llX PRIx64
@ -62,7 +63,8 @@ int xorbits_8(uint8_t val) {
 }
 int CmdHFiClassList(const char *Cmd) {
-	PrintAndLog("Deprecated command, use 'hf list iclass' instead");
+	//PrintAndLog("Deprecated command, use 'hf list iclass' instead");
 	CmdHFList("iclass");
 	return 0;
 }
--- a/client/cmdhfmfu.c
+++ b/client/cmdhfmfu.c
@ -1252,24 +1252,26 @@ int usage_hf_mfu_eload(void) {
 	PrintAndLog("Usage:  hf mfu eload u <file name w/o `.eml`> [numblocks]");
 	PrintAndLog("  Options:");
 	PrintAndLog("    h          : this help");	
-	PrintAndLog("    u          : UL");
+	PrintAndLog("    u          : UL (required)");
-	PrintAndLog("    numblocks  : number of blocks to load from eml file");		
+	PrintAndLog("    [filename] : without `.eml` (required)");	
 	PrintAndLog("    numblocks  : number of blocks to load from eml file (optional)");
 	PrintAndLog("");
 	PrintAndLog("  sample: hf mfu eload u filename");
 	PrintAndLog("          hf mfu eload u filename 57");
-	return 0;
+			return 0;
 }
 int usage_hf_mfu_sim(void) {
 	PrintAndLog("\nEmulating Ultralight tag from emulator memory\n");
 	PrintAndLog("\nBe sure to load the emulator memory first!\n");
 	PrintAndLog("Usage: hf mfu sim t 7 u <uid>");
-	PrintAndLog("  Options : ");
+	PrintAndLog("  Options:");
-	PrintAndLog("    h     : this help");
+	PrintAndLog("    h       : this help");
-	PrintAndLog("    t     : 7 = NTAG or Ultralight sim");
+	PrintAndLog("    t 7     : 7 = NTAG or Ultralight sim (required)");
-	PrintAndLog("    u     : 4 or 7 byte UID");
+	PrintAndLog("    u <uid> : 4 or 7 byte UID (optional)");
 	PrintAndLog("\n   sample : hf mfu sim t 7");
 	PrintAndLog("          : hf mfu sim t 7 u 1122344556677\n");
 	return 0;
 }
@ -1469,12 +1471,6 @@ int CmdHF14AMfUDump(const char *Cmd){
 	// add keys to block dump
 	if (hasAuthKey) {
 		if (!swapEndian){
 			authKeyPtr = SwapEndian64(authenticationkey, dataLen, (dataLen == 16) ? 8 : 4);
 		} else {
 			authKeyPtr = authenticationkey;
 		}
 		if (tagtype & UL_C){ //add 4 pages
 			memcpy(data + Pages*4, authKeyPtr, dataLen);
 			Pages += dataLen/4;  
@ -1486,7 +1482,7 @@ int CmdHF14AMfUDump(const char *Cmd){
 	uint8_t	get_pack[] = {0,0};
 	iso14a_card_select_t card;
 	//attempt to read pack
-	if (!ul_auth_select( &card, tagtype, true, authKeyPtr, get_pack, sizeof(get_pack))) {
+	if (!ul_auth_select( &card, tagtype, hasAuthKey, authKeyPtr, get_pack, sizeof(get_pack))) {
 		//reset pack
 		get_pack[0]=0;
 		get_pack[1]=0;
@ -1537,7 +1533,7 @@ int CmdHF14AMfUDump(const char *Cmd){
 	PrintAndLog("GetVer-2| %s|   | %.4s", sprint_hex(dump_file_data+4, 4), dump_file_data+4);
 	PrintAndLog("TBD     | 00 00       |   | ");
 	PrintAndLog("Tearing |    %s|   | %.3s", sprint_hex(dump_file_data+10, 3), dump_file_data+10);
-	PrintAndLog("Pack    |    %s   |    | %.2s", sprint_hex(dump_file_data+13, 2), dump_file_data+13);
+	PrintAndLog("Pack    |    %s   |   | %.2s", sprint_hex(dump_file_data+13, 2), dump_file_data+13);
 	PrintAndLog("TBD     |          00 |   | ");
 	PrintAndLog("Sig-1   | %s|   | %.4s", sprint_hex(dump_file_data+16, 4), dump_file_data+16);
 	PrintAndLog("Sig-2   | %s|   | %.4s", sprint_hex(dump_file_data+20, 4), dump_file_data+20);
@ -1619,7 +1615,7 @@ int CmdHF14AMfUDump(const char *Cmd){
 	fwrite( dump_file_data, 1, Pages*4 + DUMP_PREFIX_LENGTH, fout );
 	fclose(fout);
-	PrintAndLog("Dumped %d pages, wrote %d bytes to %s", Pages+12, (Pages+12)*4, filename);
+	PrintAndLog("Dumped %d pages, wrote %d bytes to %s", Pages+(DUMP_PREFIX_LENGTH/4), Pages*4 + DUMP_PREFIX_LENGTH, filename);
 	return 0;
 }
@ -1776,14 +1772,13 @@ int CmdHF14AMfucSetPwd(const char *Cmd){
 	UsbCommand resp;
 	if (WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
-		if ( (resp.arg[0] & 0xff) == 1)
+		if ( (resp.arg[0] & 0xff) == 1) {
 			PrintAndLog("Ultralight-C new password: %s", sprint_hex(pwd,16));
-		else{
+		} else {
 			PrintAndLog("Failed writing at block %d", resp.arg[1] & 0xff);
 			return 1;
 		}
-	}
+	} else {
 	else {
 		PrintAndLog("command execution time out");
 		return 1;
 	}	
--- a/client/cmdhftopaz.c
+++ b/client/cmdhftopaz.c
@ -21,6 +21,7 @@
 #include "proxmark3.h"
 #include "iso14443crc.h"
 #include "protocols.h"
 #include "cmdhf.h"
 #define TOPAZ_MAX_MEMORY	2048
@ -33,7 +34,6 @@ static struct {
 	uint8_t *dynamic_reserved_areas;
 } topaz_tag;
 static void topaz_switch_on_field(void)
 {
 	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT | ISO14A_NO_SELECT | ISO14A_NO_DISCONNECT | ISO14A_TOPAZMODE, 0, 0}};
@ -252,8 +252,7 @@ static void topaz_print_NDEF(uint8_t *data)
 }
-int CmdHFTopazReader(const char *Cmd)
+int CmdHFTopazReader(const char *Cmd) {
 {
 	int status;
 	uint8_t atqa[2];
 	uint8_t rid_response[8];
@ -367,24 +366,23 @@ int CmdHFTopazReader(const char *Cmd)
 	return 0;
 }
-
+int CmdHFTopazSim(const char *Cmd) {
 int CmdHFTopazSim(const char *Cmd)
 {
 	PrintAndLog("not yet implemented");
 	return 0;
 }
-
+int CmdHFTopazCmdRaw(const char *Cmd) {
 int CmdHFTopazCmdRaw(const char *Cmd)
 {
 	PrintAndLog("not yet implemented");
 	return 0;
 }
 int CmdHFTopazList(const char *Cmd) {
 	CmdHFList("topaz");
 	return 0;
 }
 static int CmdHelp(const char *Cmd);
 static command_t CommandTable[] = 
 {
 	{"help",	CmdHelp,			1, "This help"},
@ -392,10 +390,10 @@ static command_t CommandTable[] =
 	{"sim",		CmdHFTopazSim,		0, "<UID> -- Simulate Topaz tag"},
 	{"sniff",	CmdHF14ASniff,		0, "Sniff Topaz reader-tag communication"},
 	{"raw",		CmdHFTopazCmdRaw,	0, "Send raw hex data to tag"},
 	{"list",	CmdHFTopazList,		0, "[Deprecated] List Topaz history"},
 	{NULL,		NULL,				0, NULL}
 };
 int CmdHFTopaz(const char *Cmd) {
 	// flush
 	WaitForResponseTimeout(CMD_ACK,NULL,100);
--- a/client/cmdhftopaz.h
+++ b/client/cmdhftopaz.h
@ -12,5 +12,9 @@
 #define CMDHFTOPAZ_H__
 int CmdHFTopaz(const char *Cmd);
 int CmdHFTopazReader(const char *Cmd);
 int CmdHFTopazSim(const char *Cmd);
 int CmdHFTopazCmdRaw(const char *Cmd);
 int CmdHFTopazList(const char *Cmd);
 #endif
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@ -150,12 +150,14 @@ int usage_t55xx_wakup(){
 	return 0;
 }
 int usage_t55xx_bruteforce(){
    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
    PrintAndLog("       password must be 4 bytes (8 hex symbols)");
 	PrintAndLog("This command uses A) bruteforce to scan a number range");
 	PrintAndLog("                  B) a dictionary attack");
    PrintAndLog("Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]");
    PrintAndLog("       password must be 4 bytes (8 hex symbols)");
 	PrintAndLog("Options:");
 	PrintAndLog("     h			- this help");
 	PrintAndLog("     <start_pwd> - 4 byte hex value to start pwd search at");
 	PrintAndLog("     <end_pwd>   - 4 byte hex value to end pwd search at");
    PrintAndLog("     i <*.dic>	- loads a default keys dictionary file <*.dic>");
    PrintAndLog("");
    PrintAndLog("Examples:");
@ -181,7 +183,6 @@ int CmdT55xxSetConfig(const char *Cmd) {
 	uint8_t bitRate = 0;
 	uint8_t rates[9] = {8,16,32,40,50,64,100,128,0};
 	uint8_t cmdp = 0;
 	config.Q5 = FALSE;
 	bool errors = FALSE;
 	while(param_getchar(Cmd, cmdp) != 0x00 && !errors)
 	{
@ -384,11 +385,12 @@ bool DecodeT55xxBlock(){
 			ans = ASKDemod(cmdStr, FALSE, FALSE, 1);
 			break;
 		case DEMOD_PSK1:
-			// skip first 16 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
+			// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
 			save_restoreGB(1);
 			CmdLtrim("160");
 			snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );
 			ans = PSKDemod(cmdStr, FALSE);
 			//undo trim samples
 			save_restoreGB(0);
 			break;
 		case DEMOD_PSK2: //inverted won't affect this
@ -399,7 +401,8 @@ bool DecodeT55xxBlock(){
 			snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );
 			ans = PSKDemod(cmdStr, FALSE);
 			psk1TOpsk2(DemodBuffer, DemodBufferLen);
-			save_restoreGB(1);
+			//undo trim samples
 			save_restoreGB(0);
 			break;
 		case DEMOD_NRZ:
 			snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
@ -417,7 +420,6 @@ bool DecodeT55xxBlock(){
 }
 int CmdT55xxDetect(const char *Cmd){
 	bool errors = FALSE;
 	bool useGB = FALSE;
 	bool usepwd = FALSE;
@ -465,7 +467,6 @@ bool tryDetectModulation(){
 	t55xx_conf_block_t tests[15];
 	int bitRate=0;
 	uint8_t fc1 = 0, fc2 = 0, clk=0;
 	save_restoreGB(1);
 	if (GetFskClock("", FALSE, FALSE)){ 
 		fskClocks(&fc1, &fc2, &clk, FALSE);
@ -486,7 +487,6 @@ bool tryDetectModulation(){
 				tests[hits].modulation = DEMOD_FSK1;
 			else if (fc1 == 10 && fc2 == 8)
 				tests[hits].modulation = DEMOD_FSK2a;
 			tests[hits].bitrate = bitRate;
 			tests[hits].inverted = TRUE;
 			tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
@ -525,7 +525,7 @@ bool tryDetectModulation(){
 			}
 		}
 		//undo trim from ask
-		save_restoreGB(0);
+		//save_restoreGB(0);
 		clk = GetNrzClock("", FALSE, FALSE);
 		if (clk>0) {
 			if ( NRZrawDemod("0 0 1", FALSE)  && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
@ -545,9 +545,9 @@ bool tryDetectModulation(){
 			}
 		}
-		//undo trim from nrz
+		// allow undo
 		save_restoreGB(0);
 		// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
 		save_restoreGB(1);
 		CmdLtrim("160");
 		clk = GetPskClock("", FALSE, FALSE);
 		if (clk>0) {
@ -588,14 +588,16 @@ bool tryDetectModulation(){
 				}
 			} // inverse waves does not affect this demod
 		}
 		//undo trim samples
 		save_restoreGB(0);
 	}		
 	save_restoreGB(0);	
 	if ( hits == 1) {
 		config.modulation = tests[0].modulation;
 		config.bitrate = tests[0].bitrate;
 		config.inverted = tests[0].inverted;
 		config.offset = tests[0].offset;
 		config.block0 = tests[0].block0;
 		config.Q5 = tests[0].Q5;
 		printConfiguration( config );
 		return TRUE;
 	}
@ -671,6 +673,15 @@ bool testQ5Modulation(uint8_t	mode, uint8_t	modread){
 	return FALSE;
 }
 int convertQ5bitRate(uint8_t bitRateRead) {
 	uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
 	for (int i=0; i<8; i++)
 		if (expected[i] == bitRateRead)
 			return i;
 	return -1;
 }
 bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t	clk){
 	if ( DemodBufferLen < 64 ) return FALSE;
@ -682,12 +693,12 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t	clk){
 		uint8_t safer     = PackBits(si, 4, DemodBuffer); si += 4;     //master key
 		uint8_t resv      = PackBits(si, 8, DemodBuffer); si += 8;
 		// 2nibble must be zeroed.
-		if (safer != 0x6) continue;
+		if (safer != 0x6 && safer != 0x9) continue;
 		if ( resv > 0x00) continue;
 		//uint8_t	pageSel   = PackBits(si, 1, DemodBuffer); si += 1;
 		//uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;
 		si += 1+1;
-		int bitRate       = PackBits(si, 5, DemodBuffer)*2 + 2; si += 5;     //bit rate
+		int bitRate       = PackBits(si, 6, DemodBuffer)*2 + 2; si += 6;     //bit rate
 		if (bitRate > 128 || bitRate < 8) continue;
 		//uint8_t AOR       = PackBits(si, 1, DemodBuffer); si += 1;   
@ -702,7 +713,8 @@ bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t	clk){
 		//test modulation
 		if (!testQ5Modulation(mode, modread)) continue;
 		if (bitRate != clk) continue;
-		*fndBitRate = bitRate;
+		*fndBitRate = convertQ5bitRate(bitRate);
 		if (*fndBitRate < 0) continue;
 		*offset = idx;
 		return TRUE;
@ -1117,35 +1129,16 @@ char * GetBitRateStr(uint32_t id){
 	char *retStr = buf;
 		switch (id){
-		case 0: 
+		case 0:   snprintf(retStr,sizeof(buf),"%d - RF/8",id);   break;
-			snprintf(retStr,sizeof(buf),"%d - RF/8",id);
+		case 1:   snprintf(retStr,sizeof(buf),"%d - RF/16",id);  break;
-			break;
+		case 2:   snprintf(retStr,sizeof(buf),"%d - RF/32",id);  break;
-		case 1:
+		case 3:   snprintf(retStr,sizeof(buf),"%d - RF/40",id);  break;
-			snprintf(retStr,sizeof(buf),"%d - RF/16",id);
+		case 4:   snprintf(retStr,sizeof(buf),"%d - RF/50",id);  break;
-			break;
+		case 5:   snprintf(retStr,sizeof(buf),"%d - RF/64",id);  break;
-		case 2:		
+		case 6:   snprintf(retStr,sizeof(buf),"%d - RF/100",id); break;
-			snprintf(retStr,sizeof(buf),"%d - RF/32",id);
+		case 7:   snprintf(retStr,sizeof(buf),"%d - RF/128",id); break;
-			break;
+		default:  snprintf(retStr,sizeof(buf),"%d - (Unknown)",id); break;
 		case 3:
 			snprintf(retStr,sizeof(buf),"%d - RF/40",id);
 			break;
 		case 4:
 			snprintf(retStr,sizeof(buf),"%d - RF/50",id);
 			break;
 		case 5:
 			snprintf(retStr,sizeof(buf),"%d - RF/64",id);
 			break;
 		case 6:
 			snprintf(retStr,sizeof(buf),"%d - RF/100",id);
 			break;
 		case 7:
 			snprintf(retStr,sizeof(buf),"%d - RF/128",id);
 			break;
 		default:
 			snprintf(retStr,sizeof(buf),"%d - (Unknown)",id);
 			break;
 		}
 	return buf;
 }
@ -1476,7 +1469,7 @@ int CmdT55xxBruteForce(const char *Cmd) {
 static command_t CommandTable[] = {
 	{"help",		CmdHelp,           1, "This help"},
-	{"bruteforce",	CmdT55xxBruteForce,0, "Simple bruteforce attack to find password"},
+	{"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
 	{"config",		CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
 	{"detect",		CmdT55xxDetect,    1, "[1] Try detecting the tag modulation from reading the configuration block."},
 	{"dump",		CmdT55xxDump,      0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
--- a/client/util.c
+++ b/client/util.c
@ -140,7 +140,7 @@ char *sprint_bin_break(const uint8_t *data, const size_t len, const uint8_t brea
 	for (size_t out_index=0; out_index < max_len; out_index++) {
 		// set character
 		sprintf(tmp++, "%u", data[in_index]);
-		// check if a line break is needed
+		// check if a line break is needed and we have room to print it in our array
 		if ( (breaks > 0) && !((in_index+1) % breaks) && (out_index+1 != max_len) ) {
 			// increment and print line break
 			out_index++;
@ -195,7 +195,6 @@ void num_to_bytebits(uint64_t	n, size_t len, uint8_t *dest) {
 // up to 64 bytes or 512 bits
 uint8_t *SwapEndian64(const uint8_t *src, const size_t len, const uint8_t blockSize){
 	static uint8_t buf[64];
 	//uint8_t buf[64];
 	memset(buf, 0x00, 64);
 	uint8_t *tmp = buf;
 	for (uint8_t block=0; block < (uint8_t)(len/blockSize); block++){