search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
textual
[RRG-proxmark3.git] / client / src / cmdlfem4x70.c
blob5c7d0d06a7734448aec995f3e6ee72f388e4c5b9
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2020 sirloins
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4x70 commands
9 //-----------------------------------------------------------------------------
10
11 #include "cmdlfem4x70.h"
12 #include <ctype.h>
13 #include "cmdparser.h" // command_t
14 #include "cliparser.h"
15 #include "fileutils.h"
16 #include "commonutil.h"
17 #include "em4x70.h"
18
19 #define LOCKBIT_0 BITMASK(6)
20 #define LOCKBIT_1 BITMASK(7)
21
22 #define INDEX_TO_BLOCK(x) (((32-x)/2)-1)
23
24 static int CmdHelp(const char *Cmd);
25
26 static void print_info_result(const uint8_t *data) {
27
28 PrintAndLogEx(NORMAL, "");
29 PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") " ---------------------------");
30 PrintAndLogEx(INFO, "-----------------------------------------------");
31
32 PrintAndLogEx(INFO, "Block | data | info");
33 PrintAndLogEx(INFO, "------+----------+-----------------------------");
34
35 // Print out each section as memory map in datasheet
36
37 // Start with UM2
38 for (int i = 0; i < 8; i += 2) {
39 PrintAndLogEx(INFO, " %2d | %02X %02X | UM2", INDEX_TO_BLOCK(i), data[31 - i], data[31 - i - 1]);
40 }
41 PrintAndLogEx(INFO, "------+----------+-----------------------------");
42
43 // Print PIN (will never have data)
44 for (int i = 8; i < 12; i += 2) {
45 PrintAndLogEx(INFO, " %2d | -- -- | PIN write only", INDEX_TO_BLOCK(i));
46 }
47 PrintAndLogEx(INFO, "------+----------+-----------------------------");
48
49 // Print Crypt Key (will never have data)
50 for (int i = 12; i < 24; i += 2) {
51 PrintAndLogEx(INFO, " %2d | -- -- | KEY write-only", INDEX_TO_BLOCK(i));
52 }
53 PrintAndLogEx(INFO, "------+----------+-----------------------------");
54
55 // Print ID
56 for (int i = 24; i < 28; i += 2) {
57 PrintAndLogEx(INFO, " %2d | %02X %02X | ID", INDEX_TO_BLOCK(i), data[31 - i], data[31 - i - 1]);
58 }
59 PrintAndLogEx(INFO, "------+----------+-----------------------------");
60
61 // Print UM1
62 for (int i = 28; i < 32; i += 2) {
63 PrintAndLogEx(INFO, " %2d | %02X %02X | UM1", INDEX_TO_BLOCK(i), data[31 - i], data[31 - i - 1]);
64 }
65 PrintAndLogEx(INFO, "------+----------+-----------------------------");
66
67 PrintAndLogEx(INFO, "");
68 PrintAndLogEx(INFO, "Tag ID: %02X %02X %02X %02X", data[7], data[6], data[5], data[4]);
69 PrintAndLogEx(INFO, "Lockbit 0: %d", (data[3] & LOCKBIT_0) ? 1 : 0);
70 PrintAndLogEx(INFO, "Lockbit 1: %d", (data[3] & LOCKBIT_1) ? 1 : 0);
71 PrintAndLogEx(INFO, "Tag is %s.", (data[3] & LOCKBIT_0) ? _RED_("LOCKED") : _GREEN_("UNLOCKED"));
72 PrintAndLogEx(NORMAL, "");
73
74 }
75
76 int em4x70_info(void) {
77
78 em4x70_data_t edata = {
79 .parity = false // TODO: try both? or default to true
80 };
81
82 clearCommandBuffer();
83 SendCommandNG(CMD_LF_EM4X70_INFO, (uint8_t *)&edata, sizeof(edata));
84
85 PacketResponseNG resp;
86 if (!WaitForResponseTimeout(CMD_LF_EM4X70_INFO, &resp, TIMEOUT)) {
87 PrintAndLogEx(WARNING, "(em4x70) Timeout while waiting for reply.");
88 return PM3_ETIMEOUT;
89 }
90
91 if (resp.status) {
92 print_info_result(resp.data.asBytes);
93 return PM3_SUCCESS;
94 }
95
96 return PM3_ESOFT;
97 }
98
99 //quick test for EM4x70 tag
100 bool detect_4x70_block(void) {
101
102 return em4x70_info() == PM3_SUCCESS;
103 }
104
105 int CmdEM4x70Info(const char *Cmd) {
106
107 // envoke reading of a EM4x70 tag which has to be on the antenna because
108 // decoding is done by the device (not on client side)
109
110 em4x70_data_t etd = {0};
111
112 CLIParserContext *ctx;
113
114 CLIParserInit(&ctx, "lf em 4x70 info",
115 "Tag Information EM4x70\n"
116 " Tag variants include ID48 automotive transponder.\n"
117 " ID48 does not use command parity (default).\n"
118 " V4070 and EM4170 do require parity bit.",
119 "lf em 4x70 info\n"
120 "lf em 4x70 info --par -> adds parity bit to command\n"
121 );
122
123 void *argtable[] = {
124 arg_param_begin,
125 arg_lit0(NULL, "par", "Add parity bit when sending commands"),
126 arg_param_end
127 };
128
129 CLIExecWithReturn(ctx, Cmd, argtable, true);
130 etd.parity = arg_get_lit(ctx, 0);
131 CLIParserFree(ctx);
132
133 clearCommandBuffer();
134 SendCommandNG(CMD_LF_EM4X70_INFO, (uint8_t *)&etd, sizeof(etd));
135
136 PacketResponseNG resp;
137 if (!WaitForResponseTimeout(CMD_LF_EM4X70_INFO, &resp, TIMEOUT)) {
138 PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
139 return PM3_ETIMEOUT;
140 }
141
142 if (resp.status) {
143 print_info_result(resp.data.asBytes);
144 return PM3_SUCCESS;
145 }
146
147 PrintAndLogEx(FAILED, "Reading " _RED_("Failed"));
148 return PM3_ESOFT;
149 }
150
151 int CmdEM4x70Write(const char *Cmd) {
152
153 // write one block/word (16 bits) to the tag at given block address (0-15)
154 em4x70_data_t etd = {0};
155
156 CLIParserContext *ctx;
157
158 CLIParserInit(&ctx, "lf em 4x70 write",
159 "Write EM4x70\n",
160 "lf em 4x70 write -b 15 -d c0de -> write 'c0de' to block 15\n"
161 "lf em 4x70 write -b 15 -d c0de --par -> adds parity bit to commands\n"
162 );
163
164 void *argtable[] = {
165 arg_param_begin,
166 arg_lit0(NULL, "par", "Add parity bit when sending commands"),
167 arg_int1("b", "block", "<dec>", "block/word address, dec"),
168 arg_str1("d", "data", "<hex>", "data, 2 bytes"),
169 arg_param_end
170 };
171
172 CLIExecWithReturn(ctx, Cmd, argtable, true);
173
174 etd.parity = arg_get_lit(ctx, 1);
175
176 int addr = arg_get_int(ctx, 2);
177
178 int word_len = 0;
179 uint8_t word[2] = {0x0};
180 CLIGetHexWithReturn(ctx, 3, word, &word_len);
181
182 CLIParserFree(ctx);
183
184 if (addr < 0 || addr >= EM4X70_NUM_BLOCKS) {
185 PrintAndLogEx(FAILED, "block has to be within range [0, 15]");
186 return PM3_EINVARG;
187 }
188
189 if (word_len != 2) {
190 PrintAndLogEx(FAILED, "word/data length must be 2 bytes instead of %d", word_len);
191 return PM3_EINVARG;
192 }
193
194 etd.address = (uint8_t) addr;
195 etd.word = BYTES2UINT16(word);;
196
197 clearCommandBuffer();
198 SendCommandNG(CMD_LF_EM4X70_WRITE, (uint8_t *)&etd, sizeof(etd));
199
200 PacketResponseNG resp;
201 if (!WaitForResponseTimeout(CMD_LF_EM4X70_WRITE, &resp, TIMEOUT)) {
202 PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
203 return PM3_ETIMEOUT;
204 }
205
206 if (resp.status) {
207 print_info_result(resp.data.asBytes);
208 return PM3_SUCCESS;
209 }
210
211 PrintAndLogEx(FAILED, "Writing " _RED_("Failed"));
212 return PM3_ESOFT;
213 }
214
215 int CmdEM4x70Unlock(const char *Cmd) {
216
217 // send pin code to device, unlocking it for writing
218 em4x70_data_t etd = {0};
219
220 CLIParserContext *ctx;
221
222 CLIParserInit(&ctx, "lf em 4x70 unlock",
223 "Unlock EM4x70 by sending PIN\n"
224 "Default pin may be:\n"
225 " AAAAAAAA\n"
226 " 00000000\n",
227 "lf em 4x70 unlock -p 11223344 -> Unlock with PIN\n"
228 "lf em 4x70 unlock -p 11223344 --par -> Unlock with PIN using parity commands\n"
229 );
230
231 void *argtable[] = {
232 arg_param_begin,
233 arg_lit0(NULL, "par", "Add parity bit when sending commands"),
234 arg_str1("p", "pin", "<hex>", "pin, 4 bytes"),
235 arg_param_end
236 };
237
238 CLIExecWithReturn(ctx, Cmd, argtable, true);
239
240 etd.parity = arg_get_lit(ctx, 1);
241
242 int pin_len = 0;
243 uint8_t pin[4] = {0x0};
244
245 CLIGetHexWithReturn(ctx, 2, pin, &pin_len);
246
247 CLIParserFree(ctx);
248
249 if (pin_len != 4) {
250 PrintAndLogEx(FAILED, "PIN length must be 4 bytes instead of %d", pin_len);
251 return PM3_EINVARG;
252 }
253
254 etd.pin = BYTES2UINT32(pin);
255
256 clearCommandBuffer();
257 SendCommandNG(CMD_LF_EM4X70_UNLOCK, (uint8_t *)&etd, sizeof(etd));
258
259 PacketResponseNG resp;
260 if (!WaitForResponseTimeout(CMD_LF_EM4X70_UNLOCK, &resp, TIMEOUT)) {
261 PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
262 return PM3_ETIMEOUT;
263 }
264
265 if (resp.status) {
266 print_info_result(resp.data.asBytes);
267 return PM3_SUCCESS;
268 }
269
270 PrintAndLogEx(FAILED, "Unlocking tag " _RED_("failed"));
271 return PM3_ESOFT;
272 }
273
274 int CmdEM4x70Auth(const char *Cmd) {
275
276 // Authenticate transponder
277 // Send 56-bit random number + pre-computed f(rnd, k) to transponder.
278 // Transponder will respond with a response
279 em4x70_data_t etd = {0};
280
281 CLIParserContext *ctx;
282
283 CLIParserInit(&ctx, "lf em 4x70 auth",
284 "Authenticate against an EM4x70 by sending random number (RN) and F(RN)\n"
285 " If F(RN) is incorrect based on the tag crypt key, the tag will not respond",
286 "lf em 4x70 auth --rnd 45F54ADA252AAC --frn 4866BB70 --> Test authentication, tag will respond if successful\n"
287 );
288
289 void *argtable[] = {
290 arg_param_begin,
291 arg_lit0(NULL, "par", "Add parity bit when sending commands"),
292 arg_str1(NULL, "rnd", "<hex>", "Random 56-bit"),
293 arg_str1(NULL, "frn", "<hex>", "F(RN) 28-bit as 4 hex bytes"),
294 arg_param_end
295 };
296
297 CLIExecWithReturn(ctx, Cmd, argtable, true);
298
299 etd.parity = arg_get_lit(ctx, 1);
300
301 int rnd_len = 7;
302 CLIGetHexWithReturn(ctx, 2, etd.rnd, &rnd_len);
303
304 int frnd_len = 4;
305 CLIGetHexWithReturn(ctx, 3, etd.frnd, &frnd_len);
306
307 CLIParserFree(ctx);
308
309 if (rnd_len != 7) {
310 PrintAndLogEx(FAILED, "Random number length must be 7 bytes instead of %d", rnd_len);
311 return PM3_EINVARG;
312 }
313
314 if (frnd_len != 4) {
315 PrintAndLogEx(FAILED, "F(RN) length must be 4 bytes instead of %d", frnd_len);
316 return PM3_EINVARG;
317 }
318
319 clearCommandBuffer();
320 SendCommandNG(CMD_LF_EM4X70_AUTH, (uint8_t *)&etd, sizeof(etd));
321
322 PacketResponseNG resp;
323 if (!WaitForResponseTimeout(CMD_LF_EM4X70_AUTH, &resp, TIMEOUT)) {
324 PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
325 return PM3_ETIMEOUT;
326 }
327
328 if (resp.status) {
329 // Response is 20-bit from tag
330 PrintAndLogEx(INFO, "Tag Auth Response: %02X %02X %02X", resp.data.asBytes[2], resp.data.asBytes[1], resp.data.asBytes[0]);
331 return PM3_SUCCESS;
332 }
333
334 PrintAndLogEx(FAILED, "TAG Authentication " _RED_("Failed"));
335 return PM3_ESOFT;
336 }
337
338 int CmdEM4x70WritePIN(const char *Cmd) {
339
340 em4x70_data_t etd = {0};
341
342 CLIParserContext *ctx;
343
344 CLIParserInit(&ctx, "lf em 4x70 writepin",
345 "Write PIN\n",
346 "lf em 4x70 writepin -p 11223344 -> Write PIN\n"
347 "lf em 4x70 writepin -p 11223344 --par -> Write PIN using parity commands\n"
348 );
349
350 void *argtable[] = {
351 arg_param_begin,
352 arg_lit0(NULL, "par", "Add parity bit when sending commands"),
353 arg_str1("p", "pin", "<hex>", "pin, 4 bytes"),
354 arg_param_end
355 };
356
357 CLIExecWithReturn(ctx, Cmd, argtable, true);
358
359 etd.parity = arg_get_lit(ctx, 1);
360
361 int pin_len = 0;
362 uint8_t pin[4] = {0x0};
363
364 CLIGetHexWithReturn(ctx, 2, pin, &pin_len);
365
366 CLIParserFree(ctx);
367
368 if (pin_len != 4) {
369 PrintAndLogEx(FAILED, "PIN length must be 4 bytes instead of %d", pin_len);
370 return PM3_EINVARG;
371 }
372
373 etd.pin = BYTES2UINT32(pin);
374
375 clearCommandBuffer();
376 SendCommandNG(CMD_LF_EM4X70_WRITEPIN, (uint8_t *)&etd, sizeof(etd));
377
378 PacketResponseNG resp;
379 if (!WaitForResponseTimeout(CMD_LF_EM4X70_WRITEPIN, &resp, TIMEOUT)) {
380 PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
381 return PM3_ETIMEOUT;
382 }
383
384 if (resp.status) {
385 print_info_result(resp.data.asBytes);
386 PrintAndLogEx(INFO, "Writing new PIN: " _GREEN_("SUCCESS"));
387 return PM3_SUCCESS;
388 }
389
390 PrintAndLogEx(FAILED, "Writing new PIN: " _RED_("FAILED"));
391 return PM3_ESOFT;
392 }
393
394 int CmdEM4x70WriteKey(const char *Cmd) {
395
396 // Write new crypt key to tag
397 em4x70_data_t etd = {0};
398
399 CLIParserContext *ctx;
400
401 CLIParserInit(&ctx, "lf em 4x70 writekey",
402 "Write new 96-bit key to tag\n",
403 "lf em 4x70 writekey -k F32AA98CF5BE4ADFA6D3480B\n"
404 );
405
406 void *argtable[] = {
407 arg_param_begin,
408 arg_lit0(NULL, "par", "Add parity bit when sending commands"),
409 arg_str1("k", "key", "<hex>", "Crypt Key as 12 hex bytes"),
410 arg_param_end
411 };
412
413 CLIExecWithReturn(ctx, Cmd, argtable, true);
414
415 etd.parity = arg_get_lit(ctx, 1);
416
417 int key_len = 12;
418 CLIGetHexWithReturn(ctx, 2, etd.crypt_key, &key_len);
419
420 CLIParserFree(ctx);
421
422 if (key_len != 12) {
423 PrintAndLogEx(FAILED, "Crypt key length must be 12 bytes instead of %d", key_len);
424 return PM3_EINVARG;
425 }
426
427 clearCommandBuffer();
428 SendCommandNG(CMD_LF_EM4X70_WRITEKEY, (uint8_t *)&etd, sizeof(etd));
429
430 PacketResponseNG resp;
431 if (!WaitForResponseTimeout(CMD_LF_EM4X70_WRITEKEY, &resp, TIMEOUT)) {
432 PrintAndLogEx(WARNING, "Timeout while waiting for reply.");
433 return PM3_ETIMEOUT;
434 }
435
436 if (resp.status) {
437 PrintAndLogEx(INFO, "Writing new crypt key: " _GREEN_("SUCCESS"));
438 return PM3_SUCCESS;
439 }
440
441 PrintAndLogEx(FAILED, "Writing new crypt key: " _RED_("FAILED"));
442 return PM3_ESOFT;
443 }
444
445 static command_t CommandTable[] = {
446 {"help", CmdHelp, AlwaysAvailable, "This help"},
447 {"info", CmdEM4x70Info, IfPm3EM4x70, "Tag information EM4x70"},
448 {"write", CmdEM4x70Write, IfPm3EM4x70, "Write EM4x70"},
449 {"unlock", CmdEM4x70Unlock, IfPm3EM4x70, "Unlock EM4x70 for writing"},
450 {"auth", CmdEM4x70Auth, IfPm3EM4x70, "Authenticate EM4x70"},
451 {"writepin", CmdEM4x70WritePIN, IfPm3EM4x70, "Write PIN"},
452 {"writekey", CmdEM4x70WriteKey, IfPm3EM4x70, "Write Crypt Key"},
453 {NULL, NULL, NULL, NULL}
454 };
455
456 static int CmdHelp(const char *Cmd) {
457 (void)Cmd; // Cmd is not used so far
458 CmdsHelp(CommandTable);
459 return PM3_SUCCESS;
460 }
461
462 int CmdLFEM4X70(const char *Cmd) {
463 clearCommandBuffer();
464 return CmdsParse(CommandTable, Cmd);
465 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware