search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
textual
[RRG-proxmark3.git] / client / src / cmdhflto.c
blob2ea818b0bdfdd1385e584afda43212523a58b49b
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2019 iceman
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // LTO-CM commands
9 // LTO Cartridge memory
10 //-----------------------------------------------------------------------------
11 #include "cmdhflto.h"
12 #include <stdio.h>
13 #include <string.h>
14 #include <ctype.h>
15 #include <inttypes.h>
16 #include "cliparser.h"
17 #include "cmdparser.h" // command_t
18 #include "comms.h"
19 #include "cmdtrace.h"
20 #include "crc16.h"
21 #include "ui.h"
22 #include "cmdhf14a.h"
23 #include "protocols.h"
24 #include "fileutils.h" // saveFile
25 #include "commonutil.h" // ARRAYLEN
26 /*
27 iceman notes
28 We can't dump LTO 5 or 6 tags yet since we don't have a datasheet.
29 If you have access to datasheet, le me know!
30
31 CM size xx field indicate size in units of 1024b
32
33 LTO w Type info 00 01 has 101 blocks.
34 LTO w Type info 00 02 has 95 blocks.
35 LTO w Type info 00 03 has 255 blocks.
36 LTO w Type info 00 xx has NN blocks.
37 */
38 #define CM_MEM_MAX_SIZE 0x1FE0 // (32byte/block * 255block = 8160byte)
39
40 // todo: vendor mapping table..
41
42 // structure and database for uid -> tagtype lookups
43 typedef struct cm_page_s {
44 uint16_t pageid;
45 uint16_t len;
46 const char *name;
47 const char *desc;
48 } cm_page_t;
49
50 static const cm_page_t cm_page_map[] = {
51 { 0x001, 64, "Cartridge Manufacture's information", "" },
52 { 0x002, 64, "Media Manufacture's information", "" },
53 { 0x101, 64, "Initialisation Data", "" },
54 { 0x102, 48, "Tape Write Data", "" },
55 { 0x103, 1552, "Tape Directory", "" },
56 { 0x104, 64, "EOD Information", "" },
57 { 0x105, 32, "Cartidge Status and Tape Alert Flags", "" },
58 { 0x106, 384, "Mechanism Related", "" },
59 { 0x107, 128, "Suspended Append Writes", "" },
60 { 0x108, 64, "Usage Information 0", "" },
61 { 0x109, 64, "Usage Information 1", "" },
62 { 0x10A, 64, "Usage Information 2", "" },
63 { 0x10B, 64, "Usage Information 3", "" },
64 { 0x200, 1056, "Application Specific", "" },
65 { 0xFFC, 0, "Pad", "Used to reserve space for future Pages, and to align some Pages to 16-byte / 32-byte boundaries" },
66 { 0xFFD, 0, "Defect", "Used to indicate that the LTO CM contains defective memory locations in that area" },
67 { 0xFFE, 0, "Empty", "Indicates an empty table" },
68 { 0xFFF, 0, "EOPT", "End Of Page Table" },
69 { 0x000, 0, "no page info available", "" } // must be the last entry
70 };
71
72 /*
73 static uint16_t get_page_len(uint16_t pageid) {
74 for (uint8_t i = 0; i < ARRAYLEN(cm_page_map ); ++i) {
75 if (pageid == cm_page_map[i].pageid) {
76 return cm_page_map[i].len;
77 }
78 }
79 //No match, return default
80 return 0;
81 }
82 */
83
84 static const char *get_page_name(uint16_t pageid) {
85 for (uint8_t i = 0; i < ARRAYLEN(cm_page_map); ++i) {
86 if (pageid == cm_page_map[i].pageid) {
87 return cm_page_map[i].name;
88 }
89 }
90 //No match, return default
91 return cm_page_map[ARRAYLEN(cm_page_map) - 1].name;
92 }
93
94 static int CmdHelp(const char *Cmd);
95
96 static void lto_switch_off_field(void) {
97 SetISODEPState(ISODEP_INACTIVE);
98 SendCommandMIX(CMD_HF_ISO14443A_READER, 0, 0, 0, NULL, 0);
99 }
100
101 static void lto_switch_on_field(void) {
102 SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT | ISO14A_NO_SELECT | ISO14A_NO_DISCONNECT | ISO14A_NO_RATS, 0, 0, NULL, 0);
103 }
104
105 // send a raw LTO-CM command, returns the length of the response (0 in case of error)
106 static int lto_send_cmd_raw(uint8_t *cmd, uint8_t len, uint8_t *response, uint16_t *response_len, bool addcrc, bool is7bits, bool verbose) {
107
108 uint64_t arg0 = ISO14A_RAW | ISO14A_NO_DISCONNECT | ISO14A_NO_RATS;
109 uint32_t arg1;
110
111 if (addcrc) {
112 arg0 |= ISO14A_APPEND_CRC;
113 }
114
115 if (is7bits) {
116 arg1 = 7 << 16;
117 } else {
118 arg1 = 0;
119 }
120
121 arg1 |= len;
122
123 SendCommandMIX(CMD_HF_ISO14443A_READER, arg0, arg1, 0, cmd, len);
124 PacketResponseNG resp;
125
126 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
127 if (verbose) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
128 return PM3_ETIMEOUT;
129 }
130
131 if (resp.oldarg[0] == *response_len) {
132 *response_len = resp.oldarg[0];
133 if (*response_len > 0) {
134 memcpy(response, resp.data.asBytes, *response_len);
135 }
136 } else {
137 if (verbose) PrintAndLogEx(WARNING, "Wrong response length (%d != %" PRIu64 ")", *response_len, resp.oldarg[0]);
138 return PM3_ESOFT;
139 }
140
141 return PM3_SUCCESS;
142 }
143
144 // select a LTO-CM tag. Send WUPA and RID.
145 static int lto_select(uint8_t *id_response, uint8_t id_len, uint8_t *type_response, bool verbose) {
146 // Todo: implement anticollision
147
148 uint8_t resp[] = {0, 0};
149 uint16_t resp_len;
150 uint8_t wupa_cmd[] = {LTO_REQ_STANDARD};
151 uint8_t select_sn_cmd[] = {LTO_SELECT, 0x20};
152 uint8_t select_cmd[] = {LTO_SELECT, 0x70, 0, 0, 0, 0, 0};
153
154 resp_len = 2;
155 int status = lto_send_cmd_raw(wupa_cmd, sizeof(wupa_cmd), type_response, &resp_len, false, true, verbose);
156 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
157 return PM3_ESOFT; // WUPA failed
158 }
159
160 resp_len = id_len;
161 status = lto_send_cmd_raw(select_sn_cmd, sizeof(select_sn_cmd), id_response, &resp_len, false, false, verbose);
162 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
163 return PM3_EWRONGANSWER; // REQUEST SERIAL NUMBER failed
164 }
165
166 memcpy(select_cmd + 2, id_response, sizeof(select_cmd) - 2);
167 resp_len = 1;
168 status = lto_send_cmd_raw(select_cmd, sizeof(select_cmd), resp, &resp_len, true, false, verbose);
169 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
170 return PM3_EWRONGANSWER; // SELECT failed
171 }
172
173 // tag is now INIT and SELECTED.
174 return PM3_SUCCESS;
175 }
176
177 static int lto_rdbl(uint8_t blk, uint8_t *block_response, uint8_t *block_cnt_response, bool verbose) {
178
179 uint16_t resp_len = 18;
180 uint8_t rdbl_cmd[] = {0x30, blk};
181 uint8_t rdbl_cnt_cmd[] = {0x80};
182
183 int status = lto_send_cmd_raw(rdbl_cmd, sizeof(rdbl_cmd), block_response, &resp_len, true, false, verbose);
184 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
185 return PM3_EWRONGANSWER; // READ BLOCK failed
186 }
187
188 status = lto_send_cmd_raw(rdbl_cnt_cmd, sizeof(rdbl_cnt_cmd), block_cnt_response, &resp_len, false, false, verbose);
189 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
190 return PM3_EWRONGANSWER; // READ BLOCK CONTINUE failed
191 }
192
193 return PM3_SUCCESS;
194 }
195
196 static int CmdHfLTOInfo(const char *Cmd) {
197 CLIParserContext *ctx;
198 CLIParserInit(&ctx, "hf lto info",
199 "Get info from LTO tags",
200 "hf lto info");
201
202 void *argtable[] = {
203 arg_param_begin,
204 arg_param_end
205 };
206 CLIExecWithReturn(ctx, Cmd, argtable, true);
207 CLIParserFree(ctx);
208 return infoLTO(true);
209 }
210
211 static const char *lto_print_size(uint8_t ti) {
212 switch (ti) {
213 case 1:
214 return "101 blocks / 3232 bytes";
215 case 2:
216 return "95 blocks / 3040 bytes";
217 case 3:
218 return "255 blocks / 8160 bytes";
219 default :
220 return "unknown";
221 }
222 }
223
224 static void lto_print_ci(uint8_t *d) {
225 uint32_t sn = (bytes_to_num(d, 4) & 0x0FFFFFFF);
226 PrintAndLogEx(INFO, "CM Serial number... " _YELLOW_("%u"), sn);
227 PrintAndLogEx(INFO, "Manufacture Id..... " _YELLOW_("%u"), (d[3] >> 4));
228 PrintAndLogEx(INFO, "CM Size............ " _YELLOW_("%u") " ( 1024 x %u bytes )", d[5], d[5]);
229 PrintAndLogEx(INFO, "Type............... " _YELLOW_("%s"), sprint_hex_inrow(d + 6, 2));
230 PrintAndLogEx(INFO, "Manufacture info... " _YELLOW_("%s"), sprint_hex_inrow(d + 8, 24));
231 }
232
233 static void lto_print_cmwi(uint8_t *d) {
234
235 PrintAndLogEx(NORMAL, "");
236 PrintAndLogEx(INFO, "--- " _CYAN_("LTO CM Write-Inhibit") " --------------------------");
237 PrintAndLogEx(INFO, "Raw");
238 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 4));
239 PrintAndLogEx(INFO, "Last write-inhibited block#... " _YELLOW_("%u"), d[0]);
240 PrintAndLogEx(INFO, "Block 1 protected flag........ %s", (d[1] == 0) ? _GREEN_("uninitialised cartridge") : (d[1] == 1) ? "initialised cartridge" : "n/a");
241 PrintAndLogEx(INFO, "Reserved for future use....... " _YELLOW_("%s"), sprint_hex_inrow(d + 2, 2));
242 }
243
244 static void lto_print_cmpt(uint8_t *d) {
245 // Block Address: B0 = integer part of [ (start address + offset) ÷ 32 ]
246 // Word Address: w = mod(start address + offset, 32 ) ÷ 2
247
248 PrintAndLogEx(NORMAL, "");
249 PrintAndLogEx(INFO, "--- " _CYAN_("Page Descriptor Table") " ----------------------------------------");
250 PrintAndLogEx(INFO, "Raw");
251 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 28));
252 PrintAndLogEx(INFO, " ^^^^^^^^ CRC-32");
253 PrintAndLogEx(INFO, "------------------------------------------------------------------");
254 PrintAndLogEx(INFO, " start ");
255 PrintAndLogEx(INFO, " # | ver | id | address | name ");
256 PrintAndLogEx(INFO, "---+-----+-----+---------+----------------------------------------");
257
258 uint8_t p = 0;
259 for (uint8_t i = 0; i < 24; i += 4) {
260
261 uint8_t page_vs = d[i] >> 4;
262 uint16_t page_id = ((d[i] & 0x0F) << 8) | d[i + 1];
263 uint16_t sa = (d[i + 2] << 8 | d[i + 3]);
264 PrintAndLogEx(INFO, " %u | %u | %03x | 0x%04X | %s", p, page_vs, page_id, sa, get_page_name(page_id));
265 p++;
266 }
267 PrintAndLogEx(INFO, "---+-----+-----+---------+----------------------------------------");
268 PrintAndLogEx(INFO, "# Pages found... %u", p);
269 }
270
271 static void lto_print_cmi(uint8_t *d) {
272
273 uint16_t page_id = (d[0] << 8) | d[1];
274 uint16_t page_len = (d[2] << 8) | d[3];
275
276 char man[8 + 1];
277 memcpy(man, (char *)d + 4, 8);
278
279 char serial[10 + 1];
280 memcpy(serial, (char *)d + 12, 10);
281
282 uint16_t cart_type = (d[22] << 8) | d[23];
283 char dom[8 + 1];
284 memcpy(dom, (char *)d + 24, 8);
285
286 uint16_t tape_len = (d[32] << 8) | d[33];
287 uint16_t tape_thick = (d[34] << 8) | d[35];
288 uint16_t empty_reel = (d[36] << 8) | d[37];
289 uint16_t hub_radius = (d[38] << 8) | d[39];
290 uint16_t full_reel = (d[40] << 8) | d[41];
291 uint16_t max_media_speed = (d[42] << 8) | d[43];
292 char lic[4 + 1];
293 memcpy(lic, (char *)d + 44, 4);
294
295 char cmuse[12 + 1];
296 memcpy(cmuse, (char *)d + 48, 12);
297
298 // uint32_t crc = bytes_to_num(d+60, 4);
299
300 PrintAndLogEx(NORMAL, "");
301 PrintAndLogEx(INFO, "--- " _CYAN_("Cartridge Manufacturer's information") " --------------------------");
302 PrintAndLogEx(INFO, "Raw");
303 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 32));
304 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d + 32, 32));
305 PrintAndLogEx(INFO, " ^^^^^^^^ CRC-32");
306 PrintAndLogEx(INFO, "Page id.................. ..." _YELLOW_("0x%04x"), page_id);
307 PrintAndLogEx(INFO, "Page len.................... " _YELLOW_("%u"), page_len);
308 PrintAndLogEx(INFO, "Cartridge Manufacturer...... " _YELLOW_("%s"), man);
309 PrintAndLogEx(INFO, "Serial number............... " _YELLOW_("%s"), serial);
310 PrintAndLogEx(INFO, "Cartridge type.............. " _YELLOW_("0x%02x"), cart_type);
311 PrintAndLogEx(INFO, "Date of manufacture......... " _YELLOW_("%s"), dom);
312 PrintAndLogEx(INFO, "Tape len.................... " _YELLOW_("%u"), tape_len);
313 PrintAndLogEx(INFO, "Tape thickness.............. " _YELLOW_("%u"), tape_thick);
314 PrintAndLogEx(INFO, "Empty reel inertia.......... " _YELLOW_("%u") " %s", empty_reel, (empty_reel == 7270) ? "( def )" : "");
315 PrintAndLogEx(INFO, "Hub radius.................. " _YELLOW_("%u") " %s", hub_radius, (hub_radius == 22528) ? "( def )" : "");
316 PrintAndLogEx(INFO, "Full reel pack radius....... " _YELLOW_("%u") " / 0x%04x", full_reel, full_reel);
317 PrintAndLogEx(INFO, "Maximum media speed......... " _YELLOW_("%u"), max_media_speed);
318 PrintAndLogEx(INFO, "License code................ " _YELLOW_("%s"), lic);
319 PrintAndLogEx(INFO, "Cartridge manufacture use... " _YELLOW_("%s"), cmuse);
320 }
321
322 static void lto_print_mmi(uint8_t *d) {
323 PrintAndLogEx(NORMAL, "");
324 PrintAndLogEx(INFO, "--- " _CYAN_("Media Manufacturer's information") " --------------------------");
325 PrintAndLogEx(INFO, "Raw");
326 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 32));
327 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d + 32, 32));
328 PrintAndLogEx(INFO, " ^^^^^^^^ CRC-32");
329
330
331 uint16_t page_id = (d[0] << 8) | d[1];
332 uint16_t page_len = (d[2] << 8) | d[3];
333
334 char man[48 + 1];
335 memcpy(man, (char *)d + 4, 48);
336 PrintAndLogEx(INFO, "Page id.................... " _YELLOW_("0x%04x"), page_id);
337 PrintAndLogEx(INFO, "Page len................... " _YELLOW_("%u"), page_len);
338 PrintAndLogEx(INFO, "Servowriter Manufacturer... " _YELLOW_("%s"), man);
339 }
340
341 // common pages
342 // - pad page
343 // - defect page
344 // Unprotected pages
345 // - initialisation data (64b)
346 // - Cartridge Status and Tape Alert Flags (64b)
347 // - Usage Information (4*64b , 256b)
348 // - Tape Write Pass (48b)
349 // - Tape Directory (16*xx) (max 1536b)
350 // - EOD Information (64b)
351 // - Mechanism Related (384b)
352 // - Application Specific Data (1056b)
353 // - Suspended Append Writes (128b)
354
355 int infoLTO(bool verbose) {
356
357 clearCommandBuffer();
358 lto_switch_on_field();
359
360 uint8_t serial_number[5];
361 uint8_t serial_len = sizeof(serial_number);
362 uint8_t type_info[2];
363
364 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
365 if (verbose == false) {
366 if (ret_val == PM3_SUCCESS) {
367 PrintAndLogEx(INFO, "UID......... " _YELLOW_("%s"), sprint_hex_inrow(serial_number, sizeof(serial_number)));
368 }
369 lto_switch_off_field();
370 return ret_val;
371 }
372
373 if (ret_val == PM3_SUCCESS) {
374 PrintAndLogEx(NORMAL, "");
375 PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") " ---------------------------");
376 PrintAndLogEx(INFO, "UID......... " _YELLOW_("%s"), sprint_hex_inrow(serial_number, sizeof(serial_number)));
377 PrintAndLogEx(INFO, "Type info... " _YELLOW_("%s"), sprint_hex_inrow(type_info, sizeof(type_info)));
378 PrintAndLogEx(INFO, "Memory...... " _YELLOW_("%s"), lto_print_size(type_info[1]));
379 if (type_info[1] > 3) {
380 PrintAndLogEx(INFO, "Unknown LTO tag, report to @iceman!");
381 }
382
383 PrintAndLogEx(NORMAL, "");
384 PrintAndLogEx(INFO, "--- " _CYAN_("LTO Cartridge Information") " -----------------");
385
386 // read block 0
387 uint8_t d00_d15[18];
388 uint8_t d16_d31[18];
389 if (lto_rdbl(0, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
390 uint8_t b0[32];
391 memcpy(b0, d00_d15, 16);
392 memcpy(b0 + 16, d16_d31, 16);
393 lto_print_ci(b0);
394 }
395 // read block 1
396 if (lto_rdbl(1, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
397 uint8_t b1[32];
398 memcpy(b1, d00_d15, 16);
399 memcpy(b1 + 16, d16_d31, 16);
400 lto_print_cmwi(b1);
401 lto_print_cmpt(b1 + 4);
402 }
403 // read block 2 - cartidge manufacture information
404 if (lto_rdbl(2, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
405 uint8_t b2_3[64];
406 memcpy(b2_3, d00_d15, 16);
407 memcpy(b2_3 + 16, d16_d31, 16);
408
409 if (lto_rdbl(3, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
410 memcpy(b2_3 + 32, d00_d15, 16);
411 memcpy(b2_3 + 48, d16_d31, 16);
412 lto_print_cmi(b2_3);
413 }
414 }
415
416 if (lto_rdbl(4, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
417 uint8_t b2_3[64];
418 memcpy(b2_3, d00_d15, 16);
419 memcpy(b2_3 + 16, d16_d31, 16);
420
421 if (lto_rdbl(5, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
422 memcpy(b2_3 + 32, d00_d15, 16);
423 memcpy(b2_3 + 48, d16_d31, 16);
424 lto_print_mmi(b2_3);
425 }
426 }
427
428
429 }
430 PrintAndLogEx(NORMAL, "");
431 lto_switch_off_field();
432 return ret_val;
433 }
434
435 static int CmdHfLTOList(const char *Cmd) {
436 return CmdTraceListAlias(Cmd, "hf lto", "lto");
437 }
438
439 int rdblLTO(uint8_t st_blk, uint8_t end_blk, bool verbose) {
440
441 clearCommandBuffer();
442 lto_switch_on_field();
443
444 uint8_t serial_number[5];
445 uint8_t serial_len = sizeof(serial_number);
446 uint8_t type_info[2];
447 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
448
449 if (ret_val != PM3_SUCCESS) {
450 lto_switch_off_field();
451 return ret_val;
452 }
453
454 uint8_t block_data_d00_d15[18];
455 uint8_t block_data_d16_d31[18];
456 uint8_t block_data[32];
457
458 for (uint8_t i = st_blk; i < end_blk + 1; i++) {
459
460 ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose);
461
462 if (ret_val == PM3_SUCCESS) {
463
464 memcpy(block_data, block_data_d00_d15, 16);
465 memcpy(block_data + 16, block_data_d16_d31, 16);
466 PrintAndLogEx(SUCCESS, "BLK %03d: " _YELLOW_("%s"), i, sprint_hex_inrow(block_data, sizeof(block_data)));
467 } else {
468 lto_switch_off_field();
469 return ret_val;
470 }
471 }
472
473 lto_switch_off_field();
474 return ret_val;
475 }
476
477 static int CmdHfLTOReadBlock(const char *Cmd) {
478 CLIParserContext *ctx;
479 CLIParserInit(&ctx, "hf lto rdbl",
480 "Reead blocks from LTO tag",
481 "hf lto rdbl --first 0 --last 254");
482
483 void *argtable[] = {
484 arg_param_begin,
485 arg_int0(NULL, "first", "<dec>", "The first block number to read as an integer"),
486 arg_int0(NULL, "last", "<dec>", "The last block number to read as an integer"),
487 arg_param_end
488 };
489 CLIExecWithReturn(ctx, Cmd, argtable, true);
490
491 int startblock = arg_get_int_def(ctx, 1, 0);
492 int endblock = arg_get_int_def(ctx, 2, 254);
493
494 CLIParserFree(ctx);
495
496 //Validations
497 if (endblock < startblock) {
498 PrintAndLogEx(ERR, "First block must be less than last block");
499 return PM3_EINVARG;
500 }
501
502 return rdblLTO(startblock, endblock, true);
503 }
504
505 static int lto_wrbl(uint8_t blk, uint8_t *data, bool verbose) {
506
507 uint8_t resp[] = {0, 0};
508 uint16_t resp_len = 1;
509 uint8_t wrbl_cmd[] = {0xA0, blk};
510 uint8_t wrbl_d00_d15[16];
511 uint8_t wrbl_d16_d31[16];
512
513 memcpy(wrbl_d00_d15, data, 16);
514 memcpy(wrbl_d16_d31, data + 16, 16);
515
516 int status = lto_send_cmd_raw(wrbl_cmd, sizeof(wrbl_cmd), resp, &resp_len, true, false, verbose);
517 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
518 return PM3_EWRONGANSWER; // WRITE BLOCK failed
519 }
520
521 status = lto_send_cmd_raw(wrbl_d00_d15, sizeof(wrbl_d00_d15), resp, &resp_len, true, false, verbose);
522 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
523 return PM3_EWRONGANSWER; // WRITE BLOCK failed
524 }
525
526 status = lto_send_cmd_raw(wrbl_d16_d31, sizeof(wrbl_d16_d31), resp, &resp_len, true, false, verbose);
527 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
528 return PM3_EWRONGANSWER; // WRITE BLOCK failed
529 }
530
531 return PM3_SUCCESS;
532 }
533
534 int wrblLTO(uint8_t blk, uint8_t *data, bool verbose) {
535
536 clearCommandBuffer();
537 lto_switch_on_field();
538
539 uint8_t serial_number[5];
540 uint8_t serial_len = sizeof(serial_number);
541 uint8_t type_info[2];
542 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
543
544 if (ret_val != PM3_SUCCESS) {
545 lto_switch_off_field();
546 return ret_val;
547 }
548
549 ret_val = lto_wrbl(blk, data, verbose);
550 lto_switch_off_field();
551
552 if (ret_val == PM3_SUCCESS) {
553 PrintAndLogEx(SUCCESS, "BLK %03d: " _YELLOW_("write success"), blk);
554 } else {
555 PrintAndLogEx(WARNING, "BLK %03d: write error. Maybe this is a read-only block address.", blk);
556 }
557
558 return ret_val;
559 }
560
561 static int CmdHfLTOWriteBlock(const char *Cmd) {
562 CLIParserContext *ctx;
563 CLIParserInit(&ctx, "hf lto wrbl",
564 "Write data to block on LTO tag",
565 "hf lto wrbl --block 128 -d 0001020304050607080910111213141516171819202122232425262728293031");
566
567 void *argtable[] = {
568 arg_param_begin,
569 arg_str1("d", "data", "<hex>", "32 bytes of data to write (64 hex symbols, no spaces)"),
570 arg_int1(NULL, "block", "<dec>", "The block number to write to as an integer"),
571 arg_param_end
572 };
573 CLIExecWithReturn(ctx, Cmd, argtable, false);
574
575 int block_data_len = 0;
576 uint8_t block_data[32] = {0};
577
578 CLIGetHexWithReturn(ctx, 1, block_data, &block_data_len);
579
580 if (block_data_len != 32) {
581 PrintAndLogEx(ERR, "Block data is incorrect length");
582 CLIParserFree(ctx);
583 return PM3_EINVARG;
584 }
585
586 int blk = arg_get_int_def(ctx, 2, 0);
587
588 CLIParserFree(ctx);
589
590 int res = wrblLTO(blk, block_data, true);
591 if (res == PM3_SUCCESS)
592 PrintAndLogEx(HINT, "Try use 'hf lto rdbl' for verification");
593
594 return res;
595 }
596
597 int dumpLTO(uint8_t *dump, bool verbose) {
598
599 clearCommandBuffer();
600 lto_switch_on_field();
601
602 uint8_t serial_number[5];
603 uint8_t serial_len = sizeof(serial_number);
604 uint8_t type_info[2];
605 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
606
607 if (ret_val != PM3_SUCCESS) {
608 lto_switch_off_field();
609 return ret_val;
610 }
611 // 0003 == 255 blocks x 32 = 8160 bytes
612 // 0002 == 95 blocks x 32 = 3040 bytes
613 // 0001 == 101 blocks x 32 = 3232 bytes
614 uint8_t blocks = 0xFF;
615 if (type_info[1] == 0x01) {
616 blocks = 0x65;
617 } else if (type_info[1] == 0x02) {
618 blocks = 0x5F;
619 }
620 PrintAndLogEx(SUCCESS, "Found LTO tag w " _YELLOW_("%s") " memory", lto_print_size(type_info[1]));
621
622 uint8_t block_data_d00_d15[18];
623 uint8_t block_data_d16_d31[18];
624
625 for (uint8_t i = 0; i < blocks; i++) {
626
627 ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose);
628
629 if (ret_val == PM3_SUCCESS) {
630 // remove CRCs
631 memcpy(dump + i * 32, block_data_d00_d15, 16);
632 memcpy(dump + (i * 32) + 16, block_data_d16_d31, 16);
633 } else {
634 lto_switch_off_field();
635 return ret_val;
636 }
637 PrintAndLogEx(INPLACE, "...reading block %d", i);
638 fflush(stdout);
639 }
640
641 lto_switch_off_field();
642 return ret_val;
643 }
644
645 static int CmdHfLTODump(const char *Cmd) {
646 CLIParserContext *ctx;
647 CLIParserInit(&ctx, "hf lto dump",
648 "Dump data from LTO tag",
649 "hf lto dump -f myfile");
650
651 void *argtable[] = {
652 arg_param_begin,
653 arg_str0("f", "file", "<filename>", "specify a filename for dumpfile"),
654 arg_param_end
655 };
656 CLIExecWithReturn(ctx, Cmd, argtable, true);
657
658 int fnlen = 0;
659 char filename[FILE_PATH_SIZE] = {0};
660 CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
661 CLIParserFree(ctx);
662
663 uint32_t dump_len = CM_MEM_MAX_SIZE;
664 uint8_t *dump = calloc(dump_len, sizeof(uint8_t));
665 if (!dump) {
666 PrintAndLogEx(ERR, "error, cannot allocate memory");
667 return PM3_EMALLOC;
668 }
669
670 int ret_val = dumpLTO(dump, true);
671 PrintAndLogEx(NORMAL, "");
672 if (ret_val != PM3_SUCCESS) {
673 free(dump);
674 return ret_val;
675 }
676
677 if (strlen(filename) == 0) {
678 char *fptr = filename;
679 fptr += sprintf(fptr, "hf-lto-");
680 FillFileNameByUID(fptr, dump, "-dump", 5);
681 }
682 saveFile(filename, ".bin", dump, dump_len);
683 saveFileEML(filename, dump, dump_len, 32);
684 free(dump);
685 return PM3_SUCCESS;
686 }
687
688 int restoreLTO(uint8_t *dump, bool verbose) {
689
690 clearCommandBuffer();
691 lto_switch_on_field();
692
693 uint8_t type_info[2];
694 uint8_t serial_number[5];
695 uint8_t serial_len = sizeof(serial_number);
696 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
697
698 if (ret_val != PM3_SUCCESS) {
699 lto_switch_off_field();
700 return ret_val;
701 }
702
703 uint8_t block_data[32] = {0};
704
705 //Block address 0 and 1 are read-only
706 for (uint8_t blk = 2; blk < 255; blk++) {
707
708 memcpy(block_data, dump + (blk * 32), 32);
709
710 ret_val = lto_wrbl(blk, block_data, verbose);
711
712 if (ret_val == PM3_SUCCESS) {
713 PrintAndLogEx(SUCCESS, "Block %03d - " _YELLOW_("write success"), blk);
714 } else {
715 lto_switch_off_field();
716 return ret_val;
717 }
718 }
719
720 lto_switch_off_field();
721 return ret_val;
722 }
723
724 static int CmdHfLTRestore(const char *Cmd) {
725 CLIParserContext *ctx;
726 CLIParserInit(&ctx, "hf lto restore",
727 "Restore data from dumpfile to LTO tag",
728 "hf lto restore -f hf-lto-92C7842CFF.bin|.eml");
729
730 void *argtable[] = {
731 arg_param_begin,
732 arg_str1("f", "file", "<filename>", "specify a filename for dumpfile"),
733 arg_param_end
734 };
735 CLIExecWithReturn(ctx, Cmd, argtable, false);
736
737 int fnlen = 0;
738 char filename[FILE_PATH_SIZE] = {0};
739 CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
740
741 CLIParserFree(ctx);
742
743 size_t dump_len = 0;
744 char *lowstr = str_dup(filename);
745 str_lower(lowstr);
746
747 if (str_endswith(lowstr, ".bin")) {
748
749 uint8_t *dump = NULL;
750 if (loadFile_safe(filename, "", (void **)&dump, &dump_len) == PM3_SUCCESS) {
751 restoreLTO(dump, true);
752 }
753 free(dump);
754
755 } else if (str_endswith(lowstr, ".eml")) {
756
757 uint8_t *dump = NULL;
758 if (loadFileEML_safe(filename, (void **)&dump, &dump_len) == PM3_SUCCESS) {
759 restoreLTO(dump, true);
760 }
761 free(dump);
762
763 } else {
764 PrintAndLogEx(WARNING, "Warning: invalid dump filename " _YELLOW_("%s") " to restore", filename);
765 }
766 free(lowstr);
767 return PM3_SUCCESS;
768 }
769
770 static command_t CommandTable[] = {
771 {"help", CmdHelp, AlwaysAvailable, "This help"},
772 {"dump", CmdHfLTODump, IfPm3Iso14443a, "Dump LTO-CM tag to file"},
773 {"restore", CmdHfLTRestore, IfPm3Iso14443a, "Restore dump file to LTO-CM tag"},
774 {"info", CmdHfLTOInfo, IfPm3Iso14443a, "Tag information"},
775 {"rdbl", CmdHfLTOReadBlock, IfPm3Iso14443a, "Read block"},
776 {"wrbl", CmdHfLTOWriteBlock, IfPm3Iso14443a, "Write block"},
777 {"list", CmdHfLTOList, AlwaysAvailable, "List LTO-CM history"},
778 {NULL, NULL, NULL, NULL}
779 };
780
781 static int CmdHelp(const char *Cmd) {
782 (void)Cmd; // Cmd is not used so far
783 CmdsHelp(CommandTable);
784 return PM3_SUCCESS;
785 }
786
787 int CmdHFLTO(const char *Cmd) {
788 clearCommandBuffer();
789 return CmdsParse(CommandTable, Cmd);
790 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware