RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-20 15:26:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

ADD: @marshmellow42 's fixex and resetread t55x7

Browse source
This commit is contained in:
iceman1001 2015-11-02 20:46:17 +01:00
parent f5d2e7f7df
commit 94422fa23f
13 changed files with 113 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
CHANGELOG.md
View file

@ -7,7 +7,9 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
--
### Added
- `lf t55xx read w` added wake with password then read following stream option to standard t55xx read commands (marshmellow)
- `lf t55xx resetread` added reset then read command - should allow determining start
of stream transmissions (marshmellow)
- `lf t55xx wakeup` added wake with password (AOR) to allow lf search or standard lf read after (iceman, marshmellow)
- `hf mf eload u` added an ultralight/ntag option. (marshmellow)
- `hf iclass managekeys` to save, load and manage iclass keys. (adjusted most commands to accept a loaded key in memory) (marshmellow)
- `hf iclass readblk` to select, authenticate, and read 1 block from an iclass card (marshmellow)
@ -22,9 +24,11 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Added `data hex2bin` and `data bin2hex` for command line conversion between binary and hexadecimal (holiman)
### Changed
- added lf t5xx read with password safety check and warning text
- Adjusted lf t55xx dump to allow overriding the safety check and warning text (marshmellow)
- Adjusted lf t55xx write input variables (marshmellow)
- Adjusted lf t55xx read with password safety check and warning text and adjusted the input variables (marshmellow & iceman)
- Adjusted LF FSK demod to account for cross threshold fluctuations (898 count waves will adjust the 9 to 8 now...) more accurate.
- Adjusted timings for t55xx commands. more reliable now.
- Adjusted timings for t55xx commands. more reliable now. (marshmellow & iceman)
- `lf cmdread` adjusted input methods and added help text (marshmellow & iceman)
- changed `lf config t <threshold>` to be 0 - 128 and will trigger on + or - threshold value (marshmellow)
- `hf iclass dump` cli options - can now dump AA1 and AA2 with different keys in one run (does not go to muliple pages for the larger tags yet)

5
armsrc/appmain.c
View file

@ -951,7 +951,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
CmdIOdemodFSK(c->arg[0], 0, 0, 1);
break;
case CMD_IO_CLONE_TAG:
CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]);
CopyIOtoT55x7(c->arg[0], c->arg[1]);
break;
case CMD_EM410X_DEMOD:
CmdEM410xdemod(c->arg[0], 0, 0, 1);
@ -988,6 +988,9 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_T55XX_WAKEUP:
T55xxWakeUp(c->arg[0]);
break;
case CMD_T55XX_RESET_READ:
T55xxResetRead();
break;
case CMD_PCF7931_READ:
ReadPCF7931();
break;

3
armsrc/apps.h
View file

@ -82,12 +82,13 @@ void CmdHIDdemodFSK(int findone, int *high, int *low, int ledcontrol);
void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realtime demodulation mode for AWID26
void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol);
void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an ioProx card to T5557/T5567
void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567
void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
void T55xxResetRead(void);
void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t PwdMode);
void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd);
void T55xxWakeUp(uint32_t Pwd);

4
armsrc/iso14443a.c
View file

@ -2542,8 +2542,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
//uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
//uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
uint8_t rSAK1[] = {0x04, 0xda, 0x17};
uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};

63
armsrc/lfops.c
View file

@ -1051,7 +1051,7 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
}
/*------------------------------
* T5555/T5557/T5567 routines
* T5555/T5557/T5567/T5577 routines
*------------------------------
* NOTE: T55x7/T5555 configuration register definitions moved to protocols.h
*
@ -1102,8 +1102,37 @@ void T55xxWriteBit(int bit) {
SpinDelayUs(WRITE_GAP);
}
// Send T5577 reset command then read stream (see if we can identify the start of the stream)
void T55xxResetRead(void) {
LED_A_ON();
//clear buffer now so it does not interfere with timing later
BigBuf_Clear_ext(false);
// Set up FPGA, 125kHz
LFSetupFPGAForADC(95, true);
// Trigger T55x7 in mode.
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelayUs(START_GAP);
// reset tag - op code 00
T55xxWriteBit(0);
T55xxWriteBit(0);
// Turn field on to read the response
TurnReadLFOn(READ_GAP);
// Acquisition
doT55x7Acquisition(BigBuf_max_traceLen());
// Turn the field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
cmd_send(CMD_ACK,0,0,0,0,0);
LED_A_OFF();
}
// Write one card block in page 0, no lock
void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
void T55xxWriteBlockExt(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
LED_A_ON();
bool PwdMode = arg & 0x1;
uint8_t Page = (arg & 0x2)>>1;
@ -1145,10 +1174,15 @@ void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
// turn field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
cmd_send(CMD_ACK,0,0,0,0,0);
LED_A_OFF();
}
// Write one card block in page 0, no lock
void T55xxWriteBlock(uint32_t Data, uint32_t Block, uint32_t Pwd, uint8_t arg) {
T55xxWriteBlockExt(Data, Block, Pwd, arg);
cmd_send(CMD_ACK,0,0,0,0,0);
}
// Read one card block in page 0
void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
LED_A_ON();
@ -1191,7 +1225,7 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
TurnReadLFOn(READ_GAP);
// Acquisition
doT55x7Acquisition();
doT55x7Acquisition(12000);
// Turn the field off
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
@ -1226,8 +1260,10 @@ void T55xxWakeUp(uint32_t Pwd){
void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
// write last block first and config block last (if included)
for (uint8_t i = numblocks; i > startblock; i--)
T55xxWriteBlock(blockdata[i-1],i-1,0,0);
for (uint8_t i = numblocks+startblock; i > startblock; i--) {
//Dbprintf("write- Blk: %d, d:%08X",i-1,blockdata[i-1]);
T55xxWriteBlockExt(blockdata[i-1],i-1,0,0);
}
}
// Copy HID id to card and setup block 0 config
@ -1245,7 +1281,7 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
// Build the 6 data blocks for supplied 84bit ID
last_block = 6;
// load preamble (1D) & long format identifier (9E manchester encoded)
data[1] = 0x1D96A900 | manchesterEncode2Bytes((hi2 >> 16) & 0xF);
data[1] = 0x1D96A900 | (manchesterEncode2Bytes((hi2 >> 16) & 0xF) & 0xFF);
// load raw id from hi2, hi, lo to data blocks (manchester encoded)
data[2] = manchesterEncode2Bytes(hi2 & 0xFFFF);
data[3] = manchesterEncode2Bytes(hi >> 16);
@ -1261,7 +1297,7 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
// Build the 3 data blocks for supplied 44bit ID
last_block = 3;
// load preamble
data[1] = 0x1D000000 | manchesterEncode2Bytes(hi & 0xFFF);
data[1] = 0x1D000000 | (manchesterEncode2Bytes(hi) & 0xFFFFFF);
data[2] = manchesterEncode2Bytes(lo >> 16);
data[3] = manchesterEncode2Bytes(lo & 0xFFFF);
}
@ -1278,8 +1314,7 @@ void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
DbpString("DONE!");
}
void CopyIOtoT55x7(uint32_t hi, uint32_t lo, uint8_t longFMT)
{
void CopyIOtoT55x7(uint32_t hi, uint32_t lo) {
uint32_t data[] = {T55x7_BITRATE_RF_64 | T55x7_MODULATION_FSK2a | (2 << T55x7_MAXBLOCK_SHIFT), hi, lo};
LED_D_ON();
@ -1303,8 +1338,7 @@ void CopyIndala64toT55x7(uint32_t hi, uint32_t lo) {
DbpString("DONE!");
}
// Clone Indala 224-bit tag by UID to T55x7
void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7)
{
void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7) {
//Program the 7 data blocks for supplied 224bit UID
uint32_t data[] = {0, uid1, uid2, uid3, uid4, uid5, uid6, uid7};
// and the block 0 for Indala224 format
@ -1320,8 +1354,7 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
#define EM410X_HEADER 0x1FF
#define EM410X_ID_LENGTH 40
void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
{
void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
int i, id_bit;
uint64_t id = EM410X_HEADER;
uint64_t rev_id = 0; // reversed ID
@ -1381,7 +1414,7 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
LED_D_ON();
// Write EM410x ID
uint32_t data[] = {0, id>>32, id & 0xFFFF};
uint32_t data[] = {0, id>>32, id & 0xFFFFFFFF};
if (card) {
clock = (card & 0xFF00) >> 8;
clock = (clock == 0) ? 64 : clock;

20
armsrc/lfsampling.c
View file

@ -252,19 +252,17 @@ uint32_t SnoopLF() {
* acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds
* the data is collected in BigBuf.
**/
void doT55x7Acquisition(void){
void doT55x7Acquisition(size_t sample_size) {
#define T55xx_SAMPLES_SIZE 12000 // 32 x 32 x 10 (32 bit times numofblock (7), times clock skip..)
#define T55xx_READ_UPPER_THRESHOLD 128+40 // 50
#define T55xx_READ_UPPER_THRESHOLD 128+40 // 40 grph
#define T55xx_READ_TOL 5
uint8_t *dest = BigBuf_get_addr();
uint16_t bufsize = BigBuf_max_traceLen();
if ( bufsize > T55xx_SAMPLES_SIZE )
bufsize = T55xx_SAMPLES_SIZE;
if ( bufsize > sample_size )
bufsize = sample_size;
//int adcval = 0;
uint16_t i = 0;
bool startFound = false;
bool highFound = false;
@ -281,7 +279,7 @@ void doT55x7Acquisition(void){
curSample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
LED_D_OFF();
// find first high sample
// skip until the first high sample above threshold
if (!startFound && curSample > T55xx_READ_UPPER_THRESHOLD) {
if (curSample > firstSample)
firstSample = curSample;
@ -291,16 +289,18 @@ void doT55x7Acquisition(void){
continue;
}
// skip until samples begin to change
// skip until first high samples begin to change
if (startFound || curSample < firstSample-T55xx_READ_TOL){
if (!startFound)
// if just found start - recover last sample
if (!startFound) {
dest[i++] = firstSample;
startFound = true;
}
// collect samples
dest[i++] = curSample;
if (i >= bufsize-1) break;
}
}
}
}

2
armsrc/lfsampling.h
View file

@ -5,7 +5,7 @@
* acquisition of T55x7 LF signal. Similart to other LF, but adjusted with @marshmellows thresholds
* the data is collected in BigBuf.
**/
void doT55x7Acquisition(void);
void doT55x7Acquisition(size_t sample_size);
/**
* Initializes the FPGA for reader-mode (field on), and acquires the samples.

34
client/cmdlft55xx.c
View file

@ -35,6 +35,13 @@
// Default configuration
t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = FALSE, .offset = 0x00, .block0 = 0x00};
t55xx_conf_block_t Get_t55xx_Config(){
return config;
}
void Set_t55xx_Config(t55xx_conf_block_t conf){
config = conf;
}
int usage_t55xx_config(){
PrintAndLog("Usage: lf t55xx config [d <demodulation>] [i 1] [o <offset>]");
PrintAndLog("Options:");
@ -550,7 +557,7 @@ bool tryDetectModulation(){
bool testModulation(uint8_t mode, uint8_t modread){
switch( mode ){
case DEMOD_FSK:
if (modread > 3 && modread < 8) return TRUE;
if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return TRUE;
break;
case DEMOD_ASK:
if (modread == DEMOD_ASK) return TRUE;
@ -1178,16 +1185,35 @@ uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){
return tmp;
}
*/
int CmdResetRead(const char *Cmd) {
UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};
clearCommandBuffer();
SendCommand(&c);
if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
PrintAndLog("command execution time out");
return 0;
}
uint8_t got[BIGBUF_SIZE-1];
GetFromBigBuf(got,sizeof(got),0);
WaitForResponse(CMD_ACK,NULL);
setGraphBuf(got, sizeof(got));
return 1;
}
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
{"detect", CmdT55xxDetect, 0, "[1] Try detecting the tag modulation from reading the configuration block."},
{"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data (page 0) [optional password]"},
{"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data (page 0) [optional password]"},
{"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
{"resetread",CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
{"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
{"trace", CmdT55xxReadTrace, 0, "[1] Show T55xx traceability data (page 1/ blk 0-1)"},
{"info", CmdT55xxInfo, 0, "[1] Show T55xx configuration data (page 0/ blk 0)"},
{"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. [optional password]"},
{"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
{"special", special, 0, "Show block changes with 64 different offsets"},
{"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},
{NULL, NULL, 0, NULL}

4
client/cmdlft55xx.h
View file

@ -60,6 +60,9 @@ typedef struct {
RF_128 = 0x07,
} bitrate;
} t55xx_conf_block_t;
t55xx_conf_block_t Get_t55xx_Config();
void Set_t55xx_Config(t55xx_conf_block_t conf);
int CmdLFT55XX(const char *Cmd);
int CmdT55xxSetConfig(const char *Cmd);
@ -68,6 +71,7 @@ int CmdT55xxWriteBlock(const char *Cmd);
int CmdT55xxReadTrace(const char *Cmd);
int CmdT55xxInfo(const char *Cmd);
int CmdT55xxDetect(const char *Cmd);
int CmdResetRead(const char *Cmd);
char * GetBitRateStr(uint32_t id);
char * GetSaferStr(uint32_t id);

2
client/hid-flasher/usb_cmd.h
View file

@ -85,7 +85,7 @@ typedef struct{
#define CMD_INDALA_CLONE_TAG_L 0x0213
#define CMD_T55XX_READ_BLOCK 0x0214
#define CMD_T55XX_WRITE_BLOCK 0x0215
#define CMD_T55XX_READ_TRACE 0x0216
#define CMD_T55XX_RESET_READ 0x0216
#define CMD_T55XX_WAKEUP 0x0224
#define CMD_PCF7931_READ 0x0217

2
client/lualibs/commands.lua
View file

@ -44,7 +44,7 @@ local _commands = {
CMD_INDALA_CLONE_TAG_L = 0x0213,
CMD_T55XX_READ_BLOCK = 0x0214,
CMD_T55XX_WRITE_BLOCK = 0x0215,
--//CMD_T55XX_READ_TRACE = 0x0216,
CMD_T55XX_RESET_READ = 0x0216,
CMD_PCF7931_READ = 0x0217,
CMD_PCF7931_WRITE = 0x0223,
CMD_EM4X_READ_WORD = 0x0218,

4
common/lfdemod.h
View file

@ -27,7 +27,6 @@ uint8_t detectFSKClk(uint8_t *BitStream, size_t size, uint8_t fcHigh, uint8_t f
int DetectNRZClock(uint8_t dest[], size_t size, int clock);
int DetectPSKClock(uint8_t dest[], size_t size, int clock);
int DetectStrongAskClock(uint8_t dest[], size_t size, uint8_t high, uint8_t low);
uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo);
int fskdemod(uint8_t *dest, size_t size, uint8_t rfLen, uint8_t invert, uint8_t fchigh, uint8_t fclow);
int getHiLo(uint8_t *BitStream, size_t size, int *high, int *low, uint8_t fuzzHi, uint8_t fuzzLo);
uint32_t manchesterEncode2Bytes(uint16_t datain);
@ -42,8 +41,9 @@ void psk1TOpsk2(uint8_t *BitStream, size_t size);
size_t removeParity(uint8_t *BitStream, size_t startIdx, uint8_t pLen, uint8_t pType, size_t bLen);
//tag specific
int FDXBdemodBI(uint8_t *dest, size_t *size);
int AWIDdemodFSK(uint8_t *dest, size_t *size);
uint8_t Em410xDecode(uint8_t *BitStream, size_t *size, size_t *startIdx, uint32_t *hi, uint64_t *lo);
int FDXBdemodBI(uint8_t *dest, size_t *size);
int gProxII_Demod(uint8_t BitStream[], size_t *size);
int HIDdemodFSK(uint8_t *dest, size_t *size, uint32_t *hi2, uint32_t *hi, uint32_t *lo);
int IOdemodFSK(uint8_t *dest, size_t size);

2
include/usb_cmd.h
View file

@ -85,7 +85,7 @@ typedef struct{
#define CMD_INDALA_CLONE_TAG_L 0x0213
#define CMD_T55XX_READ_BLOCK 0x0214
#define CMD_T55XX_WRITE_BLOCK 0x0215
#define CMD_T55XX_READ_TRACE 0x0216
#define CMD_T55XX_RESET_READ 0x0216
#define CMD_PCF7931_READ 0x0217
#define CMD_PCF7931_WRITE 0x0223
#define CMD_EM4X_READ_WORD 0x0218