fix one too small
[RRG-proxmark3.git] / client / src / cmdhflto.c
blob6ffe115c036d05fff05b74df4c979f9e653f48d6
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // LTO-CM commands
17 // LTO Cartridge memory
18 //-----------------------------------------------------------------------------
19 #include "cmdhflto.h"
20 #include <stdio.h>
21 #include <string.h>
22 #include <ctype.h>
23 #include <inttypes.h>
24 #include "cliparser.h"
25 #include "cmdparser.h" // command_t
26 #include "comms.h"
27 #include "cmdtrace.h"
28 #include "crc16.h"
29 #include "ui.h"
30 #include "cmdhf14a.h"
31 #include "protocols.h"
32 #include "fileutils.h" // saveFile
33 #include "commonutil.h" // ARRAYLEN
35 iceman notes
36 We can't dump LTO 5 or 6 tags yet since we don't have a datasheet.
37 If you have access to datasheet, le me know!
39 CM size xx field indicate size in units of 1024b
41 LTO w Type info 00 01 has 101 blocks.
42 LTO w Type info 00 02 has 95 blocks.
43 LTO w Type info 00 03 has 255 blocks.
44 LTO w Type info 00 xx has NN blocks.
46 #define CM_MEM_MAX_SIZE 0x1FE0 // (32byte/block * 255block = 8160byte)
48 // todo: vendor mapping table..
50 // structure and database for uid -> tagtype lookups
51 typedef struct cm_page_s {
52 uint16_t pageid;
53 uint16_t len;
54 const char *name;
55 const char *desc;
56 } cm_page_t;
58 static const cm_page_t cm_page_map[] = {
59 { 0x001, 64, "Cartridge Manufacture's information", "" },
60 { 0x002, 64, "Media Manufacture's information", "" },
61 { 0x101, 64, "Initialisation Data", "" },
62 { 0x102, 48, "Tape Write Data", "" },
63 { 0x103, 1552, "Tape Directory", "" },
64 { 0x104, 64, "EOD Information", "" },
65 { 0x105, 32, "Cartidge Status and Tape Alert Flags", "" },
66 { 0x106, 384, "Mechanism Related", "" },
67 { 0x107, 128, "Suspended Append Writes", "" },
68 { 0x108, 64, "Usage Information 0", "" },
69 { 0x109, 64, "Usage Information 1", "" },
70 { 0x10A, 64, "Usage Information 2", "" },
71 { 0x10B, 64, "Usage Information 3", "" },
72 { 0x200, 1056, "Application Specific", "" },
73 { 0xFFC, 0, "Pad", "Used to reserve space for future Pages, and to align some Pages to 16-byte / 32-byte boundaries" },
74 { 0xFFD, 0, "Defect", "Used to indicate that the LTO CM contains defective memory locations in that area" },
75 { 0xFFE, 0, "Empty", "Indicates an empty table" },
76 { 0xFFF, 0, "EOPT", "End Of Page Table" },
77 { 0x000, 0, "no page info available", "" } // must be the last entry
81 static uint16_t get_page_len(uint16_t pageid) {
82 for (uint8_t i = 0; i < ARRAYLEN(cm_page_map ); ++i) {
83 if (pageid == cm_page_map[i].pageid) {
84 return cm_page_map[i].len;
87 //No match, return default
88 return 0;
92 static const char *get_page_name(uint16_t pageid) {
93 for (uint8_t i = 0; i < ARRAYLEN(cm_page_map); ++i) {
94 if (pageid == cm_page_map[i].pageid) {
95 return cm_page_map[i].name;
98 //No match, return default
99 return cm_page_map[ARRAYLEN(cm_page_map) - 1].name;
102 static int CmdHelp(const char *Cmd);
104 static void lto_switch_off_field(void) {
105 SetISODEPState(ISODEP_INACTIVE);
106 SendCommandMIX(CMD_HF_ISO14443A_READER, 0, 0, 0, NULL, 0);
109 static void lto_switch_on_field(void) {
110 SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT | ISO14A_NO_SELECT | ISO14A_NO_DISCONNECT | ISO14A_NO_RATS, 0, 0, NULL, 0);
113 // send a raw LTO-CM command, returns the length of the response (0 in case of error)
114 static int lto_send_cmd_raw(uint8_t *cmd, uint8_t len, uint8_t *response, uint16_t *response_len, bool addcrc, bool is7bits, bool verbose) {
116 uint64_t arg0 = ISO14A_RAW | ISO14A_NO_DISCONNECT | ISO14A_NO_RATS;
117 uint32_t arg1;
119 if (addcrc) {
120 arg0 |= ISO14A_APPEND_CRC;
123 if (is7bits) {
124 arg1 = 7 << 16;
125 } else {
126 arg1 = 0;
129 arg1 |= len;
131 SendCommandMIX(CMD_HF_ISO14443A_READER, arg0, arg1, 0, cmd, len);
132 PacketResponseNG resp;
134 if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
135 if (verbose) PrintAndLogEx(WARNING, "timeout while waiting for reply.");
136 return PM3_ETIMEOUT;
139 if (resp.oldarg[0] == *response_len) {
140 *response_len = resp.oldarg[0];
141 if (*response_len > 0) {
142 memcpy(response, resp.data.asBytes, *response_len);
144 } else {
145 if (verbose) PrintAndLogEx(WARNING, "Wrong response length (%d != %" PRIu64 ")", *response_len, resp.oldarg[0]);
146 return PM3_ESOFT;
149 return PM3_SUCCESS;
152 // select a LTO-CM tag. Send WUPA and RID.
153 static int lto_select(uint8_t *id_response, uint8_t id_len, uint8_t *type_response, bool verbose) {
154 // Todo: implement anticollision
156 uint8_t resp[] = {0, 0};
157 uint16_t resp_len;
158 uint8_t wupa_cmd[] = {LTO_REQ_STANDARD};
159 uint8_t select_sn_cmd[] = {LTO_SELECT, 0x20};
160 uint8_t select_cmd[] = {LTO_SELECT, 0x70, 0, 0, 0, 0, 0};
162 resp_len = 2;
163 int status = lto_send_cmd_raw(wupa_cmd, sizeof(wupa_cmd), type_response, &resp_len, false, true, verbose);
164 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
165 return PM3_ESOFT; // WUPA failed
168 resp_len = id_len;
169 status = lto_send_cmd_raw(select_sn_cmd, sizeof(select_sn_cmd), id_response, &resp_len, false, false, verbose);
170 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
171 return PM3_EWRONGANSWER; // REQUEST SERIAL NUMBER failed
174 memcpy(select_cmd + 2, id_response, sizeof(select_cmd) - 2);
175 resp_len = 1;
176 status = lto_send_cmd_raw(select_cmd, sizeof(select_cmd), resp, &resp_len, true, false, verbose);
177 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
178 return PM3_EWRONGANSWER; // SELECT failed
181 // tag is now INIT and SELECTED.
182 return PM3_SUCCESS;
185 static int lto_rdbl(uint8_t blk, uint8_t *block_response, uint8_t *block_cnt_response, bool verbose) {
187 uint16_t resp_len = 18;
188 uint8_t rdbl_cmd[] = {0x30, blk};
189 uint8_t rdbl_cnt_cmd[] = {0x80};
191 int status = lto_send_cmd_raw(rdbl_cmd, sizeof(rdbl_cmd), block_response, &resp_len, true, false, verbose);
192 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
193 return PM3_EWRONGANSWER; // READ BLOCK failed
196 status = lto_send_cmd_raw(rdbl_cnt_cmd, sizeof(rdbl_cnt_cmd), block_cnt_response, &resp_len, false, false, verbose);
197 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
198 return PM3_EWRONGANSWER; // READ BLOCK CONTINUE failed
201 return PM3_SUCCESS;
205 static int lto_rdbl_ext(uint16_t blk, uint8_t *block_response, uint8_t *block_cnt_response, bool verbose) {
207 if (blk && 0x) {
208 blk &= 0xFE;
211 uint16_t resp_len = 18;
212 uint8_t rdbl_ext_cmd[] = {0x21 , blk & 0xFF, (blk >> 8) & 0xFF};
213 uint8_t rdbl_cnt_cmd[] = {0x80};
215 int status = lto_send_cmd_raw(rdbl_ext_cmd, sizeof(rdbl_ext_cmd), block_response, &resp_len, true, false, verbose);
216 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
217 return PM3_EWRONGANSWER; // READ BLOCK failed
220 status = lto_send_cmd_raw(rdbl_cnt_cmd, sizeof(rdbl_cnt_cmd), block_cnt_response, &resp_len, false, false, verbose);
221 if (status == PM3_ETIMEOUT || status == PM3_ESOFT) {
222 return PM3_EWRONGANSWER; // READ BLOCK CONTINUE failed
225 return PM3_SUCCESS;
229 static int CmdHfLTOInfo(const char *Cmd) {
230 CLIParserContext *ctx;
231 CLIParserInit(&ctx, "hf lto info",
232 "Get info from LTO tags",
233 "hf lto info");
235 void *argtable[] = {
236 arg_param_begin,
237 arg_param_end
239 CLIExecWithReturn(ctx, Cmd, argtable, true);
240 CLIParserFree(ctx);
241 return infoLTO(true);
244 static const char *lto_print_size(uint8_t ti) {
245 switch (ti) {
246 case 1:
247 return "101 blocks / 3232 bytes";
248 case 2:
249 return "95 blocks / 3040 bytes";
250 case 3:
251 return "255 blocks / 8160 bytes";
252 default :
253 return "unknown";
257 static void lto_print_ci(uint8_t *d) {
258 uint32_t sn = (bytes_to_num(d, 4) & 0x0FFFFFFF);
259 PrintAndLogEx(INFO, "CM Serial number... " _YELLOW_("%u"), sn);
260 PrintAndLogEx(INFO, "Manufacture Id..... " _YELLOW_("%u"), (d[3] >> 4));
261 PrintAndLogEx(INFO, "CM Size............ " _YELLOW_("%u") " ( 1024 x %u bytes )", d[5], d[5]);
262 PrintAndLogEx(INFO, "Type............... " _YELLOW_("%s"), sprint_hex_inrow(d + 6, 2));
263 PrintAndLogEx(INFO, "Manufacture info... " _YELLOW_("%s"), sprint_hex_inrow(d + 8, 24));
266 static void lto_print_cmwi(uint8_t *d) {
268 PrintAndLogEx(NORMAL, "");
269 PrintAndLogEx(INFO, "--- " _CYAN_("LTO CM Write-Inhibit") " --------------------------");
270 PrintAndLogEx(INFO, "Raw");
271 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 4));
272 PrintAndLogEx(INFO, "Last write-inhibited block#... " _YELLOW_("%u"), d[0]);
273 PrintAndLogEx(INFO, "Block 1 protected flag........ %s", (d[1] == 0) ? _GREEN_("uninitialised cartridge") : (d[1] == 1) ? "initialised cartridge" : "n/a");
274 PrintAndLogEx(INFO, "Reserved for future use....... " _YELLOW_("%s"), sprint_hex_inrow(d + 2, 2));
277 static void lto_print_cmpt(uint8_t *d) {
278 // Block Address: B0 = integer part of [ (start address + offset) ÷ 32 ]
279 // Word Address: w = mod(start address + offset, 32 ) ÷ 2
281 PrintAndLogEx(NORMAL, "");
282 PrintAndLogEx(INFO, "--- " _CYAN_("Page Descriptor Table") " ----------------------------------------");
283 PrintAndLogEx(INFO, "Raw");
284 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 28));
285 PrintAndLogEx(INFO, " ^^^^^^^^ CRC-32");
286 PrintAndLogEx(INFO, "------------------------------------------------------------------");
287 PrintAndLogEx(INFO, " start ");
288 PrintAndLogEx(INFO, " # | ver | id | address | name ");
289 PrintAndLogEx(INFO, "---+-----+-----+---------+----------------------------------------");
291 uint8_t p = 0;
292 for (uint8_t i = 0; i < 24; i += 4) {
294 uint8_t page_vs = d[i] >> 4;
295 uint16_t page_id = ((d[i] & 0x0F) << 8) | d[i + 1];
296 uint16_t sa = (d[i + 2] << 8 | d[i + 3]);
297 PrintAndLogEx(INFO, " %u | %u | %03x | 0x%04X | %s", p, page_vs, page_id, sa, get_page_name(page_id));
298 p++;
300 PrintAndLogEx(INFO, "---+-----+-----+---------+----------------------------------------");
301 PrintAndLogEx(INFO, "# Pages found... %u", p);
304 static void lto_print_cmi(uint8_t *d) {
306 uint16_t page_id = (d[0] << 8) | d[1];
307 uint16_t page_len = (d[2] << 8) | d[3];
309 char man[8 + 1];
310 memcpy(man, (char *)d + 4, 8);
312 char serial[10 + 1];
313 memcpy(serial, (char *)d + 12, 10);
315 uint16_t cart_type = (d[22] << 8) | d[23];
316 char dom[8 + 1];
317 memcpy(dom, (char *)d + 24, 8);
319 uint16_t tape_len = (d[32] << 8) | d[33];
320 uint16_t tape_thick = (d[34] << 8) | d[35];
321 uint16_t empty_reel = (d[36] << 8) | d[37];
322 uint16_t hub_radius = (d[38] << 8) | d[39];
323 uint16_t full_reel = (d[40] << 8) | d[41];
324 uint16_t max_media_speed = (d[42] << 8) | d[43];
325 char lic[4 + 1];
326 memcpy(lic, (char *)d + 44, 4);
328 char cmuse[12 + 1];
329 memcpy(cmuse, (char *)d + 48, 12);
331 // uint32_t crc = bytes_to_num(d+60, 4);
333 PrintAndLogEx(NORMAL, "");
334 PrintAndLogEx(INFO, "--- " _CYAN_("Cartridge Manufacturer's information") " --------------------------");
335 PrintAndLogEx(INFO, "Raw");
336 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 32));
337 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d + 32, 32));
338 PrintAndLogEx(INFO, " ^^^^^^^^ CRC-32");
339 PrintAndLogEx(INFO, "Page id.................. ..." _YELLOW_("0x%04x"), page_id);
340 PrintAndLogEx(INFO, "Page len.................... " _YELLOW_("%u"), page_len);
341 PrintAndLogEx(INFO, "Cartridge Manufacturer...... " _YELLOW_("%s"), man);
342 PrintAndLogEx(INFO, "Serial number............... " _YELLOW_("%s"), serial);
343 PrintAndLogEx(INFO, "Cartridge type.............. " _YELLOW_("0x%02x"), cart_type);
344 PrintAndLogEx(INFO, "Date of manufacture......... " _YELLOW_("%s"), dom);
345 PrintAndLogEx(INFO, "Tape len.................... " _YELLOW_("%u"), tape_len);
346 PrintAndLogEx(INFO, "Tape thickness.............. " _YELLOW_("%u"), tape_thick);
347 PrintAndLogEx(INFO, "Empty reel inertia.......... " _YELLOW_("%u") " %s", empty_reel, (empty_reel == 7270) ? "( def )" : "");
348 PrintAndLogEx(INFO, "Hub radius.................. " _YELLOW_("%u") " %s", hub_radius, (hub_radius == 22528) ? "( def )" : "");
349 PrintAndLogEx(INFO, "Full reel pack radius....... " _YELLOW_("%u") " / 0x%04x", full_reel, full_reel);
350 PrintAndLogEx(INFO, "Maximum media speed......... " _YELLOW_("%u"), max_media_speed);
351 PrintAndLogEx(INFO, "License code................ " _YELLOW_("%s"), lic);
352 PrintAndLogEx(INFO, "Cartridge manufacture use... " _YELLOW_("%s"), cmuse);
355 static void lto_print_mmi(uint8_t *d) {
356 PrintAndLogEx(NORMAL, "");
357 PrintAndLogEx(INFO, "--- " _CYAN_("Media Manufacturer's information") " --------------------------");
358 PrintAndLogEx(INFO, "Raw");
359 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d, 32));
360 PrintAndLogEx(INFO, " " _YELLOW_("%s"), sprint_hex_inrow(d + 32, 32));
361 PrintAndLogEx(INFO, " ^^^^^^^^ CRC-32");
364 uint16_t page_id = (d[0] << 8) | d[1];
365 uint16_t page_len = (d[2] << 8) | d[3];
367 char man[48 + 1];
368 memcpy(man, (char *)d + 4, 48);
369 PrintAndLogEx(INFO, "Page id.................... " _YELLOW_("0x%04x"), page_id);
370 PrintAndLogEx(INFO, "Page len................... " _YELLOW_("%u"), page_len);
371 PrintAndLogEx(INFO, "Servowriter Manufacturer... " _YELLOW_("%s"), man);
374 // common pages
375 // - pad page
376 // - defect page
377 // Unprotected pages
378 // - initialisation data (64b)
379 // - Cartridge Status and Tape Alert Flags (64b)
380 // - Usage Information (4*64b , 256b)
381 // - Tape Write Pass (48b)
382 // - Tape Directory (16*xx) (max 1536b)
383 // - EOD Information (64b)
384 // - Mechanism Related (384b)
385 // - Application Specific Data (1056b)
386 // - Suspended Append Writes (128b)
388 static int CmdHFLTOReader(const char *Cmd) {
390 CLIParserContext *ctx;
391 CLIParserInit(&ctx, "hf lto reader",
392 "Act as a LTO-CM reader. Look for LTO-CM tags until Enter or the pm3 button is pressed",
393 "hf lto reader -@ -> continuous reader mode"
396 void *argtable[] = {
397 arg_param_begin,
398 arg_lit0("@", NULL, "optional - continuous reader mode"),
399 arg_param_end
401 CLIExecWithReturn(ctx, Cmd, argtable, true);
402 bool cm = arg_get_lit(ctx, 1);
403 CLIParserFree(ctx);
405 if (cm) {
406 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
409 return reader_lto(cm, true);
412 int reader_lto(bool loop, bool verbose) {
414 int ret = PM3_SUCCESS;
416 do {
417 uint8_t serial[5] = {0};
418 uint8_t serial_len = sizeof(serial);
419 uint8_t type_info[2] = {0};
421 lto_switch_off_field();
422 lto_switch_on_field();
423 clearCommandBuffer();
425 ret = lto_select(serial, serial_len, type_info, verbose);
426 if (loop) {
427 if (ret != PM3_SUCCESS) {
428 continue;
432 if (ret == PM3_SUCCESS) {
434 if (loop == false) {
435 PrintAndLogEx(NORMAL, "");
438 PrintAndLogEx(INFO, "UID......... " _GREEN_("%s"), sprint_hex_inrow(serial, sizeof(serial)));
441 } while (loop && kbd_enter_pressed() == false);
443 lto_switch_off_field();
444 return ret;
447 int infoLTO(bool verbose) {
449 clearCommandBuffer();
450 lto_switch_on_field();
452 uint8_t serial_number[5];
453 uint8_t serial_len = sizeof(serial_number);
454 uint8_t type_info[2];
456 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
457 if (verbose == false) {
458 if (ret_val == PM3_SUCCESS) {
459 PrintAndLogEx(NORMAL, "");
460 PrintAndLogEx(INFO, "UID......... " _YELLOW_("%s"), sprint_hex_inrow(serial_number, sizeof(serial_number)));
462 lto_switch_off_field();
463 return ret_val;
466 if (ret_val == PM3_SUCCESS) {
467 PrintAndLogEx(NORMAL, "");
468 PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") " ---------------------------");
469 PrintAndLogEx(INFO, "UID......... " _YELLOW_("%s"), sprint_hex_inrow(serial_number, sizeof(serial_number)));
470 PrintAndLogEx(INFO, "Type info... " _YELLOW_("%s"), sprint_hex_inrow(type_info, sizeof(type_info)));
471 PrintAndLogEx(INFO, "Memory...... " _YELLOW_("%s"), lto_print_size(type_info[1]));
472 if (type_info[1] > 3) {
473 PrintAndLogEx(INFO, "Unknown LTO tag, report to @iceman!");
476 PrintAndLogEx(NORMAL, "");
477 PrintAndLogEx(INFO, "--- " _CYAN_("LTO Cartridge Information") " -----------------");
479 // read block 0
480 uint8_t d00_d15[18];
481 uint8_t d16_d31[18];
482 if (lto_rdbl(0, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
483 uint8_t b0[32];
484 memcpy(b0, d00_d15, 16);
485 memcpy(b0 + 16, d16_d31, 16);
486 lto_print_ci(b0);
488 // read block 1
489 if (lto_rdbl(1, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
490 uint8_t b1[32];
491 memcpy(b1, d00_d15, 16);
492 memcpy(b1 + 16, d16_d31, 16);
493 lto_print_cmwi(b1);
494 lto_print_cmpt(b1 + 4);
496 // read block 2 - cartidge manufacture information
497 if (lto_rdbl(2, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
498 uint8_t b2_3[64];
499 memcpy(b2_3, d00_d15, 16);
500 memcpy(b2_3 + 16, d16_d31, 16);
502 if (lto_rdbl(3, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
503 memcpy(b2_3 + 32, d00_d15, 16);
504 memcpy(b2_3 + 48, d16_d31, 16);
505 lto_print_cmi(b2_3);
509 if (lto_rdbl(4, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
510 uint8_t b2_3[64];
511 memcpy(b2_3, d00_d15, 16);
512 memcpy(b2_3 + 16, d16_d31, 16);
514 if (lto_rdbl(5, d00_d15, d16_d31, verbose) == PM3_SUCCESS) {
515 memcpy(b2_3 + 32, d00_d15, 16);
516 memcpy(b2_3 + 48, d16_d31, 16);
517 lto_print_mmi(b2_3);
523 PrintAndLogEx(NORMAL, "");
524 lto_switch_off_field();
525 return ret_val;
528 static int CmdHfLTOList(const char *Cmd) {
529 return CmdTraceListAlias(Cmd, "hf lto", "lto -c");
532 int rdblLTO(uint8_t st_blk, uint8_t end_blk, bool verbose) {
534 clearCommandBuffer();
535 lto_switch_on_field();
537 uint8_t serial_number[5];
538 uint8_t serial_len = sizeof(serial_number);
539 uint8_t type_info[2];
540 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
542 if (ret_val != PM3_SUCCESS) {
543 lto_switch_off_field();
544 return ret_val;
547 uint8_t block_data_d00_d15[18];
548 uint8_t block_data_d16_d31[18];
549 uint8_t block_data[32];
551 for (uint8_t i = st_blk; i < end_blk + 1; i++) {
553 ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose);
555 if (ret_val == PM3_SUCCESS) {
557 memcpy(block_data, block_data_d00_d15, 16);
558 memcpy(block_data + 16, block_data_d16_d31, 16);
559 PrintAndLogEx(SUCCESS, "BLK %03d: " _YELLOW_("%s"), i, sprint_hex_inrow(block_data, sizeof(block_data)));
560 } else {
561 lto_switch_off_field();
562 return ret_val;
566 lto_switch_off_field();
567 return ret_val;
570 static int CmdHfLTOReadBlock(const char *Cmd) {
571 CLIParserContext *ctx;
572 CLIParserInit(&ctx, "hf lto rdbl",
573 "Reead blocks from LTO tag",
574 "hf lto rdbl --first 0 --last 254");
576 void *argtable[] = {
577 arg_param_begin,
578 arg_int0(NULL, "first", "<dec>", "The first block number to read as an integer"),
579 arg_int0(NULL, "last", "<dec>", "The last block number to read as an integer"),
580 arg_param_end
582 CLIExecWithReturn(ctx, Cmd, argtable, true);
584 int startblock = arg_get_int_def(ctx, 1, 0);
585 int endblock = arg_get_int_def(ctx, 2, 254);
587 CLIParserFree(ctx);
589 //Validations
590 if (endblock < startblock) {
591 PrintAndLogEx(ERR, "First block must be less than last block");
592 return PM3_EINVARG;
595 return rdblLTO(startblock, endblock, true);
598 static int lto_wrbl(uint8_t blk, uint8_t *data, bool verbose) {
600 uint8_t resp[] = {0, 0};
601 uint16_t resp_len = 1;
602 uint8_t wrbl_cmd[] = {0xA0, blk};
603 uint8_t wrbl_d00_d15[16];
604 uint8_t wrbl_d16_d31[16];
606 memcpy(wrbl_d00_d15, data, 16);
607 memcpy(wrbl_d16_d31, data + 16, 16);
609 int status = lto_send_cmd_raw(wrbl_cmd, sizeof(wrbl_cmd), resp, &resp_len, true, false, verbose);
610 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
611 return PM3_EWRONGANSWER; // WRITE BLOCK failed
614 status = lto_send_cmd_raw(wrbl_d00_d15, sizeof(wrbl_d00_d15), resp, &resp_len, true, false, verbose);
615 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
616 return PM3_EWRONGANSWER; // WRITE BLOCK failed
619 status = lto_send_cmd_raw(wrbl_d16_d31, sizeof(wrbl_d16_d31), resp, &resp_len, true, false, verbose);
620 if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) {
621 return PM3_EWRONGANSWER; // WRITE BLOCK failed
624 return PM3_SUCCESS;
627 int wrblLTO(uint8_t blk, uint8_t *data, bool verbose) {
629 clearCommandBuffer();
630 lto_switch_on_field();
632 uint8_t serial_number[5];
633 uint8_t serial_len = sizeof(serial_number);
634 uint8_t type_info[2];
635 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
637 if (ret_val != PM3_SUCCESS) {
638 lto_switch_off_field();
639 return ret_val;
642 ret_val = lto_wrbl(blk, data, verbose);
643 lto_switch_off_field();
645 if (ret_val == PM3_SUCCESS) {
646 PrintAndLogEx(SUCCESS, "BLK %03d: " _YELLOW_("write success"), blk);
647 } else {
648 PrintAndLogEx(WARNING, "BLK %03d: write error. Maybe this is a read-only block address.", blk);
651 return ret_val;
654 static int CmdHfLTOWriteBlock(const char *Cmd) {
655 CLIParserContext *ctx;
656 CLIParserInit(&ctx, "hf lto wrbl",
657 "Write data to block on LTO tag",
658 "hf lto wrbl --blk 128 -d 0001020304050607080910111213141516171819202122232425262728293031");
660 void *argtable[] = {
661 arg_param_begin,
662 arg_str1("d", "data", "<hex>", "32 bytes of data to write (64 hex symbols, no spaces)"),
663 arg_int1(NULL, "blk", "<dec>", "The block number to write to as an integer"),
664 arg_param_end
666 CLIExecWithReturn(ctx, Cmd, argtable, false);
668 int block_data_len = 0;
669 uint8_t block_data[32] = {0};
671 CLIGetHexWithReturn(ctx, 1, block_data, &block_data_len);
673 if (block_data_len != 32) {
674 PrintAndLogEx(ERR, "Block data is incorrect length");
675 CLIParserFree(ctx);
676 return PM3_EINVARG;
679 int blk = arg_get_int_def(ctx, 2, 0);
681 CLIParserFree(ctx);
683 int res = wrblLTO(blk, block_data, true);
684 if (res == PM3_SUCCESS)
685 PrintAndLogEx(HINT, "Try use 'hf lto rdbl' for verification");
687 return res;
690 int dumpLTO(uint8_t *dump, bool verbose) {
692 clearCommandBuffer();
693 lto_switch_on_field();
695 uint8_t serial_number[5];
696 uint8_t serial_len = sizeof(serial_number);
697 uint8_t type_info[2];
698 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
700 if (ret_val != PM3_SUCCESS) {
701 lto_switch_off_field();
702 return ret_val;
704 // 0003 == 255 blocks x 32 = 8160 bytes
705 // 0002 == 95 blocks x 32 = 3040 bytes
706 // 0001 == 101 blocks x 32 = 3232 bytes
707 uint8_t blocks = 0xFF;
708 if (type_info[1] == 0x01) {
709 blocks = 0x65;
710 } else if (type_info[1] == 0x02) {
711 blocks = 0x5F;
713 PrintAndLogEx(SUCCESS, "Found LTO tag w " _YELLOW_("%s") " memory", lto_print_size(type_info[1]));
715 uint8_t block_data_d00_d15[18];
716 uint8_t block_data_d16_d31[18];
718 for (uint8_t i = 0; i < blocks; i++) {
720 ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose);
722 if (ret_val == PM3_SUCCESS) {
723 // remove CRCs
724 memcpy(dump + i * 32, block_data_d00_d15, 16);
725 memcpy(dump + (i * 32) + 16, block_data_d16_d31, 16);
726 } else {
727 lto_switch_off_field();
728 return ret_val;
730 PrintAndLogEx(INPLACE, "...reading block %d", i);
731 fflush(stdout);
734 lto_switch_off_field();
735 return ret_val;
738 static int CmdHfLTODump(const char *Cmd) {
739 CLIParserContext *ctx;
740 CLIParserInit(&ctx, "hf lto dump",
741 "Dump data from LTO tag",
742 "hf lto dump -f myfile");
744 void *argtable[] = {
745 arg_param_begin,
746 arg_str0("f", "file", "<fn>", "specify a filename for dumpfile"),
747 arg_param_end
749 CLIExecWithReturn(ctx, Cmd, argtable, true);
751 int fnlen = 0;
752 char filename[FILE_PATH_SIZE] = {0};
753 CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
754 CLIParserFree(ctx);
756 uint32_t dump_len = CM_MEM_MAX_SIZE;
757 uint8_t *dump = calloc(dump_len, sizeof(uint8_t));
758 if (!dump) {
759 PrintAndLogEx(ERR, "error, cannot allocate memory");
760 return PM3_EMALLOC;
763 int ret_val = dumpLTO(dump, true);
764 PrintAndLogEx(NORMAL, "");
765 if (ret_val != PM3_SUCCESS) {
766 free(dump);
767 return ret_val;
770 if (strlen(filename) == 0) {
771 char *fptr = filename + snprintf(filename, sizeof(filename), "hf-lto-");
772 FillFileNameByUID(fptr, dump, "-dump", 5);
774 pm3_save_dump(filename, dump, dump_len, jsfLto);
775 free(dump);
776 return PM3_SUCCESS;
779 int restoreLTO(uint8_t *dump, bool verbose) {
781 clearCommandBuffer();
782 lto_switch_on_field();
784 uint8_t type_info[2];
785 uint8_t serial_number[5];
786 uint8_t serial_len = sizeof(serial_number);
787 int ret_val = lto_select(serial_number, serial_len, type_info, verbose);
789 if (ret_val != PM3_SUCCESS) {
790 lto_switch_off_field();
791 return ret_val;
794 uint8_t block_data[32] = {0};
796 //Block address 0 and 1 are read-only
797 for (uint8_t blk = 2; blk < 255; blk++) {
799 memcpy(block_data, dump + (blk * 32), 32);
801 ret_val = lto_wrbl(blk, block_data, verbose);
803 if (ret_val == PM3_SUCCESS) {
804 PrintAndLogEx(SUCCESS, "Block %03d - " _YELLOW_("write success"), blk);
805 } else {
806 lto_switch_off_field();
807 return ret_val;
811 lto_switch_off_field();
812 return ret_val;
815 static int CmdHfLTRestore(const char *Cmd) {
816 CLIParserContext *ctx;
817 CLIParserInit(&ctx, "hf lto restore",
818 "Restore data from dumpfile to LTO tag",
819 "hf lto restore -f hf-lto-92C7842CFF.bin|.eml");
821 void *argtable[] = {
822 arg_param_begin,
823 arg_str1("f", "file", "<fn>", "specify a filename for dumpfile"),
824 arg_param_end
826 CLIExecWithReturn(ctx, Cmd, argtable, false);
828 int fnlen = 0;
829 char filename[FILE_PATH_SIZE] = {0};
830 CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
832 CLIParserFree(ctx);
834 size_t dump_len = 0;
835 char *lowstr = str_dup(filename);
836 str_lower(lowstr);
838 if (str_endswith(lowstr, ".bin")) {
840 uint8_t *dump = NULL;
841 if (loadFile_safe(filename, "", (void **)&dump, &dump_len) == PM3_SUCCESS) {
842 restoreLTO(dump, true);
844 free(dump);
846 } else if (str_endswith(lowstr, ".eml")) {
848 uint8_t *dump = NULL;
849 if (loadFileEML_safe(filename, (void **)&dump, &dump_len) == PM3_SUCCESS) {
850 restoreLTO(dump, true);
852 free(dump);
854 } else {
855 PrintAndLogEx(WARNING, "Warning: invalid dump filename " _YELLOW_("%s") " to restore", filename);
857 free(lowstr);
858 return PM3_SUCCESS;
861 static command_t CommandTable[] = {
862 {"help", CmdHelp, AlwaysAvailable, "This help"},
863 {"dump", CmdHfLTODump, IfPm3Iso14443a, "Dump LTO-CM tag to file"},
864 {"info", CmdHfLTOInfo, IfPm3Iso14443a, "Tag information"},
865 {"list", CmdHfLTOList, AlwaysAvailable, "List LTO-CM history"},
866 {"rdbl", CmdHfLTOReadBlock, IfPm3Iso14443a, "Read block"},
867 {"reader", CmdHFLTOReader, IfPm3Iso14443a, "Act like a LTO-CM reader"},
868 {"restore", CmdHfLTRestore, IfPm3Iso14443a, "Restore dump file to LTO-CM tag"},
869 {"wrbl", CmdHfLTOWriteBlock, IfPm3Iso14443a, "Write block"},
870 {NULL, NULL, NULL, NULL}
873 static int CmdHelp(const char *Cmd) {
874 (void)Cmd; // Cmd is not used so far
875 CmdsHelp(CommandTable);
876 return PM3_SUCCESS;
879 int CmdHFLTO(const char *Cmd) {
880 clearCommandBuffer();
881 return CmdsParse(CommandTable, Cmd);