search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix one too small
[RRG-proxmark3.git] / client / src / cmdlfparadox.c
blob70906b58dc9b7913264244b0ef8fa0ef752eb127
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // Low frequency Paradox tag commands
17 // FSK2a, rf/50, 96 bits (completely known)
18 //-----------------------------------------------------------------------------
19 #include "cmdlfparadox.h"
20 #include <stdio.h>
21 #include <string.h>
22 #include <stdlib.h>
23 #include "commonutil.h" // ARRAYLEN
24 #include "cmdparser.h" // command_t
25 #include "comms.h"
26 #include "ui.h"
27 #include "graph.h"
28 #include "cmddata.h"
29 #include "cmdlf.h"
30 #include "lfdemod.h"
31 #include "protocols.h" // t55xx defines
32 #include "cmdlft55xx.h" // clone..
33 #include "crc.h" // maxim
34 #include "cmdlfem4x05.h" //
35 #include "cliparser.h"
36
37 static int CmdHelp(const char *Cmd);
38
39 static const uint8_t paradox_lut[] = {
40 0xDB, 0xFC, 0x3F, 0xC5, 0x50, 0x14, 0x05, 0x47,
41 0x9F, 0xED, 0x7D, 0x59, 0x22, 0x84, 0x21, 0x4E,
42 0x39, 0x48, 0x12, 0x88, 0x53, 0xDE, 0xBB, 0xE4,
43 0xB4, 0x2D, 0x4D, 0x55, 0xCA, 0xBE, 0xA3, 0xE2
44 };
45 // FC:108, Card01827
46 // 00000000 01101100 00000111 00100011
47 // hex(0xED xor 0x7D xor 0x22 xor 0x84 xor 0xDE xor 0xBB xor 0xE4 xor 0x4D xor 0xA3 xor 0xE2 xor 0x47) 0xFC
48
49 #define PARADOX_PREAMBLE_LEN 8
50
51 // by marshmellow
52 // Paradox Prox demod - FSK2a RF/50 with preamble of 00001111 (then manchester encoded)
53 // print full Paradox Prox ID and some bit format details if found
54
55 // This function will calculate the bitstream for a paradox card and place the result in bs.
56 // It returns the calculated CRC from the fc and cn.
57 // CRC calculation by mwalker33
58 static uint8_t GetParadoxBits(const uint32_t fc, const uint32_t cn, unsigned int *bs) {
59
60 uint8_t manchester[13] = { 0x00 }; // check size needed
61 uint32_t t1;
62
63 manchester[0] = 0x0F; // preamble
64 manchester[1] = 0x05; // Leading zeros - Note: from this byte on, is part of the CRC calculation
65 manchester[2] = 0x55; // Leading zeros its 4 bits out for the CRC, so we need to move
66 manchester[3] = 0x55; // Leading zeros back 4 bits once we have the crc (done below)
67
68 // add FC
69 t1 = manchesterEncode2Bytes(fc);
70 manchester[4] = (t1 >> 8) & 0xFF;
71 manchester[5] = t1 & 0xFF;
72
73 // add cn
74 t1 = manchesterEncode2Bytes(cn);
75 manchester[6] = (t1 >> 24) & 0xFF;
76 manchester[7] = (t1 >> 16) & 0xFF;
77 manchester[8] = (t1 >> 8) & 0xFF;
78 manchester[9] = t1 & 0xFF;
79
80 uint8_t crc = (CRC8Maxim(manchester + 1, 9) ^ 0x6) & 0xFF;
81
82 // add crc
83 t1 = manchesterEncode2Bytes(crc);
84 manchester[10] = (t1 >> 8) & 0xFF;
85 manchester[11] = t1 & 0xFF;
86
87 // move left 4 bits left 4 bits - Now that we have the CRC we need to re-align the data.
88 for (int i = 1; i < 12; i++)
89 manchester[i] = (manchester[i] << 4) + (manchester[i + 1] >> 4);
90
91 // Add trailing 1010 (11)
92 manchester[11] |= (1 << 3);
93 manchester[11] |= (1 << 1);
94
95 // move into tag blocks
96
97 for (int i = 0; i < 12; i++)
98 bs[1 + (i / 4)] += (manchester[i] << (8 * (3 - i % 4)));
99
100 return crc;
101 }
102
103 int demodParadox(bool verbose, bool oldChksum) {
104 (void) verbose; // unused so far
105 //raw fsk demod no manchester decoding no start bit finding just get binary from wave
106 uint8_t *bits = calloc(MAX_GRAPH_TRACE_LEN, sizeof(uint8_t));
107 if (bits == NULL) {
108 PrintAndLogEx(FAILED, "failed to allocate memory");
109 return PM3_EMALLOC;
110 }
111 size_t size = getFromGraphBuffer(bits);
112 if (size == 0) {
113 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox not enough samples");
114 free(bits);
115 return PM3_ESOFT;
116 }
117
118 int wave_idx = 0;
119 //get binary from fsk wave
120 int idx = detectParadox(bits, &size, &wave_idx);
121 if (idx < 0) {
122 if (idx == -1)
123 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox not enough samples");
124 else if (idx == -2)
125 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox just noise detected");
126 else if (idx == -3)
127 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox problem during FSK demod");
128 else if (idx == -4)
129 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox preamble not found");
130 else
131 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox error demoding fsk %d", idx);
132
133 free(bits);
134 return PM3_ESOFT;
135 }
136
137 uint8_t *b = bits + idx;
138 uint8_t rawhex[12] = {0};
139 for (uint8_t i = 0, m = 0, p = 1; i < 96; i++) {
140
141 // convert hex
142 rawhex[m] <<= 1;
143 rawhex[m] |= (*b & 1);
144 b++;
145
146 if (p == 8) {
147 m++;
148 p = 1;
149 } else {
150 p++;
151 }
152 }
153
154 uint32_t hi2 = 0, hi = 0, lo = 0;
155 uint8_t errors = 0;
156
157 // Remove manchester encoding from FSK bits, skip pre
158 for (uint32_t i = idx + PARADOX_PREAMBLE_LEN; i < (idx + 96); i += 2) {
159
160 // not manchester data
161 if (bits[i] == bits[i + 1]) {
162 PrintAndLogEx(DEBUG, "Error Manchester at %u", i);
163 errors++;
164 }
165
166 hi2 = (hi2 << 1) | (hi >> 31);
167 hi = (hi << 1) | (lo >> 31);
168 lo <<= 1;
169
170 if (bits[i] && !bits[i + 1]) {
171 lo |= 1; // 10
172 }
173 }
174
175 if (errors) {
176 PrintAndLogEx(DEBUG, "Total Manchester Errors... %u", errors);
177 }
178
179 setDemodBuff(bits, size, idx);
180 setClockGrid(50, wave_idx + (idx * 50));
181
182 if (hi2 == 0 && hi == 0 && lo == 0) {
183 PrintAndLogEx(DEBUG, "DEBUG: Error - Paradox no value found");
184 free(bits);
185 return PM3_ESOFT;
186 }
187
188 uint32_t fc = ((hi & 0x3) << 6) | (lo >> 26);
189 uint32_t cardnum = (lo >> 10) & 0xFFFF;
190 uint8_t chksum = (lo >> 2) & 0xFF;
191 if (oldChksum) {
192 // Calc CRC & Checksum
193 // 000088f0b - FC: 8 - Card: 36619 - Checksum: 05 - RAW: 0f55555559595aa559a5566a
194 // checksum?
195 uint8_t calc_chksum = 0x47;
196 uint8_t pos = 0;
197 for (uint8_t i = 0; i < 8; i++) {
198
199 uint8_t ice = rawhex[i + 1];
200 for (uint8_t j = 0x80; j > 0; j >>= 2) {
201
202 if (ice & j) {
203 calc_chksum ^= paradox_lut[pos];
204 }
205 pos++;
206 }
207 }
208 uint32_t crc = CRC8Maxim(rawhex + 1, 8);
209 PrintAndLogEx(INFO, " FSK/MAN raw : %s", sprint_hex(rawhex, sizeof(rawhex)));
210 PrintAndLogEx(INFO, " raw : %s = (maxim crc8) %02x == %02x", sprint_hex(rawhex + 1, 8), crc,
211 calc_chksum);
212 // PrintAndLogEx(DEBUG, " OTHER sample CRC-8/MAXIM : 55 55 69 A5 55 6A 59 5A = FC");
213 }
214 uint32_t rawLo = bytebits_to_byte(bits + idx + 64, 32);
215 uint32_t rawHi = bytebits_to_byte(bits + idx + 32, 32);
216 uint32_t rawHi2 = bytebits_to_byte(bits + idx, 32);
217
218 uint32_t blocks[4] = {0};
219 uint8_t crc = GetParadoxBits(fc, cardnum, blocks);
220 if (chksum != crc)
221 PrintAndLogEx(ERR, "CRC Error! Calculated CRC is " _GREEN_("%d") " but card CRC is " _RED_("%d") ".", crc, chksum);
222
223
224 PrintAndLogEx(INFO, "Paradox - ID: " _GREEN_("%x%08x") " FC: " _GREEN_("%d") " Card: " _GREEN_("%d") ", Checksum: %02x, Raw: %08x%08x%08x",
225 hi >> 10,
226 (hi & 0x3) << 26 | (lo >> 10),
227 fc,
228 cardnum,
229 chksum,
230 rawHi2,
231 rawHi,
232 rawLo
233 );
234
235 PrintAndLogEx(DEBUG, "DEBUG: Paradox idx: %d, len: %zu, Printing DemodBuffer:", idx, size);
236 if (g_debugMode) {
237 printDemodBuff(0, false, false, false);
238 }
239
240 free(bits);
241 return PM3_SUCCESS;
242 }
243
244 static int CmdParadoxDemod(const char *Cmd) {
245 CLIParserContext *ctx;
246 CLIParserInit(&ctx, "lf paradox demod",
247 "Try to find Paradox preamble, if found decode / descramble data",
248 "lf paradox demod --old -> Display previous checksum version"
249 );
250
251 void *argtable[] = {
252 arg_param_begin,
253 arg_lit0(NULL, "old", "optional - Display previous checksum version"),
254 arg_param_end
255 };
256 CLIExecWithReturn(ctx, Cmd, argtable, true);
257 bool old = arg_get_lit(ctx, 1);
258 CLIParserFree(ctx);
259 return demodParadox(true, old);
260 }
261
262 static int CmdParadoxReader(const char *Cmd) {
263 CLIParserContext *ctx;
264 CLIParserInit(&ctx, "lf paradox reader",
265 "read a Paradox tag",
266 "lf paradox reader -@ -> continuous reader mode\n"
267 "lf paradox reader --old -> Display previous checksum version"
268 );
269
270 void *argtable[] = {
271 arg_param_begin,
272 arg_lit0("@", NULL, "optional - continuous reader mode"),
273 arg_lit0(NULL, "old", "optional - Display previous checksum version"),
274 arg_param_end
275 };
276 CLIExecWithReturn(ctx, Cmd, argtable, true);
277 bool cm = arg_get_lit(ctx, 1);
278 bool old = arg_get_lit(ctx, 2);
279 CLIParserFree(ctx);
280
281 if (cm) {
282 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
283 }
284
285 do {
286 lf_read(false, 10000);
287 demodParadox(!cm, old);
288 } while (cm && !kbd_enter_pressed());
289
290 return PM3_SUCCESS;
291 }
292
293 static int CmdParadoxClone(const char *Cmd) {
294
295 CLIParserContext *ctx;
296 CLIParserInit(&ctx, "lf paradox clone",
297 "clone a paradox tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
298 "lf paradox clone --fc 96 --cn 40426 -> encode for T55x7 tag with fc and cn\n"
299 "lf paradox clone --raw 0f55555695596a6a9999a59a -> encode for T55x7 tag\n"
300 "lf paradox clone --raw 0f55555695596a6a9999a59a --q5 -> encode for Q5/T5555 tag\n"
301 "lf paradox clone --raw 0f55555695596a6a9999a59a --em -> encode for EM4305/4469"
302 );
303
304 void *argtable[] = {
305 arg_param_begin,
306 arg_str0("r", "raw", "<hex>", "raw hex data. 12 bytes max"),
307 arg_u64_0(NULL, "fc", "<dec>", "facility code"),
308 arg_u64_0(NULL, "cn", "<dec>", "card number"),
309 arg_lit0(NULL, "q5", "optional - specify writing to Q5/T5555 tag"),
310 arg_lit0(NULL, "em", "optional - specify writing to EM4305/4469 tag"),
311 arg_param_end
312 };
313 CLIExecWithReturn(ctx, Cmd, argtable, false);
314
315 int raw_len = 0;
316 // skip first block, 3*4 = 12 bytes left
317 uint8_t raw[12] = {0};
318 CLIGetHexWithReturn(ctx, 1, raw, &raw_len);
319
320 uint32_t fc = arg_get_u32_def(ctx, 2, 0);
321 uint32_t cn = arg_get_u32_def(ctx, 3, 0);
322 bool q5 = arg_get_lit(ctx, 4);
323 bool em = arg_get_lit(ctx, 5);
324 CLIParserFree(ctx);
325
326 if (q5 && em) {
327 PrintAndLogEx(FAILED, "Can't specify both Q5 and EM4305 at the same time");
328 return PM3_EINVARG;
329 }
330
331 if ((fc || cn) && raw_len != 0) {
332 PrintAndLogEx(FAILED, "Can't specify both FC/CN and RAW at the same time");
333 return PM3_EINVARG;
334 }
335
336 if (fc > 999 || cn > 99999) {
337 PrintAndLogEx(FAILED, "FC has a max value of 999 and CN has a max value of 99999");
338 return PM3_EINVARG;
339 }
340
341 uint32_t blocks[4] = {0};
342
343 if (raw_len != 0) {
344 if (raw_len != 12) {
345 PrintAndLogEx(ERR, "Data must be 12 bytes (24 HEX characters) %d", raw_len);
346 return PM3_EINVARG;
347 }
348
349 for (uint8_t i = 1; i < ARRAYLEN(blocks); i++) {
350 blocks[i] = bytes_to_num(raw + ((i - 1) * 4), sizeof(uint32_t));
351 }
352 } else {
353 //This function generates the bitstream and puts it in blocks. it returns the crc, but we don't need it here
354 GetParadoxBits(fc, cn, blocks);
355 }
356
357 // Paradox - FSK2a, data rate 50, 3 data blocks
358 blocks[0] = T55x7_MODULATION_FSK2a | T55x7_BITRATE_RF_50 | 3 << T55x7_MAXBLOCK_SHIFT;
359 char cardtype[16] = {"T55x7"};
360 // Q5
361 if (q5) {
362 blocks[0] = T5555_FIXED | T5555_INVERT_OUTPUT | T5555_MODULATION_FSK2 | T5555_SET_BITRATE(50) | T5555_ST_TERMINATOR | 3 << T5555_MAXBLOCK_SHIFT;
363 snprintf(cardtype, sizeof(cardtype), "Q5/T5555");
364 }
365
366 // EM4305
367 if (em) {
368 PrintAndLogEx(WARNING, "Beware some EM4305 tags don't support FSK and datarate = RF/50, check your tag copy!");
369 blocks[0] = EM4305_PARADOX_CONFIG_BLOCK;
370 // invert FSK data
371 for (uint8_t i = 1; i < ARRAYLEN(blocks); i++) {
372 blocks[i] = blocks[i] ^ 0xFFFFFFFF;
373 }
374 snprintf(cardtype, sizeof(cardtype), "EM4305/4469");
375 }
376
377 PrintAndLogEx(INFO, "Preparing to clone Paradox to " _YELLOW_("%s") " with raw hex", cardtype);
378 print_blocks(blocks, ARRAYLEN(blocks));
379
380 int res;
381 if (em) {
382 res = em4x05_clone_tag(blocks, ARRAYLEN(blocks), 0, false);
383 } else {
384 res = clone_t55xx_tag(blocks, ARRAYLEN(blocks));
385 }
386 PrintAndLogEx(SUCCESS, "Done");
387 PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf paradox read`") " to verify");
388 return res;
389 }
390
391 static int CmdParadoxSim(const char *Cmd) {
392
393 CLIParserContext *ctx;
394 CLIParserInit(&ctx, "lf paradox sim",
395 "Enables simulation of paradox card with specified card number.\n"
396 "Simulation runs until the button is pressed or another USB command is issued.",
397 "lf paradox sim --raw 0f55555695596a6a9999a59a -> simulate tag\n"
398 "lf paradox sim --fc 96 --cn 40426 -> simulate tag with fc and cn\n"
399 );
400
401 void *argtable[] = {
402 arg_param_begin,
403 arg_str0("r", "raw", "<hex>", "raw hex data. 12 bytes"),
404 arg_u64_0(NULL, "fc", "<dec>", "facility code"),
405 arg_u64_0(NULL, "cn", "<dec>", "card number"),
406 arg_param_end
407 };
408 CLIExecWithReturn(ctx, Cmd, argtable, false);
409
410 int raw_len = 0;
411 // skip first block, 3*4 = 12 bytes left
412 uint8_t raw[12] = {0};
413 CLIGetHexWithReturn(ctx, 1, raw, &raw_len);
414
415 uint32_t fc = arg_get_u32_def(ctx, 2, 0);
416 uint32_t cn = arg_get_u32_def(ctx, 3, 0);
417 CLIParserFree(ctx);
418
419 if ((fc || cn) && raw_len != 0) {
420 PrintAndLogEx(FAILED, "Can't specify both FC/CN and RAW at the same time");
421 return PM3_EINVARG;
422 }
423
424 if (fc > 999 || cn > 99999) {
425 PrintAndLogEx(FAILED, "FC has a max value of 999 and CN has a max value of 99999");
426 return PM3_EINVARG;
427 }
428 if (raw_len != 0) {
429 if (raw_len != 12) {
430 PrintAndLogEx(ERR, "Data must be 12 bytes (24 HEX characters) %d", raw_len);
431 return PM3_EINVARG;
432 }
433 } else {
434 uint32_t blocks[4] = {0};
435 GetParadoxBits(fc, cn, blocks);
436 for (uint8_t i = 1; i < ARRAYLEN(blocks); i++) {
437 num_to_bytes(blocks[i], sizeof(uint32_t), raw + ((i - 1) * 4));
438 }
439 }
440 PrintAndLogEx(SUCCESS, "Simulating Paradox - raw " _YELLOW_("%s"), sprint_hex_inrow(raw, sizeof(raw)));
441
442 uint8_t bs[sizeof(raw) * 8];
443 bytes_to_bytebits(raw, sizeof(raw), bs);
444
445 // Paradox uses: fcHigh: 10, fcLow: 8, clk: 50, invert: 1 FSK2a
446 uint8_t clk = 50, high = 10, low = 8;
447
448 lf_fsksim_t *payload = calloc(1, sizeof(lf_fsksim_t) + sizeof(bs));
449 payload->fchigh = high;
450 payload->fclow = low;
451 payload->separator = 0;
452 payload->clock = clk;
453 memcpy(payload->data, bs, sizeof(bs));
454
455 clearCommandBuffer();
456 SendCommandNG(CMD_LF_FSK_SIMULATE, (uint8_t *)payload, sizeof(lf_fsksim_t) + sizeof(bs));
457 free(payload);
458
459 PacketResponseNG resp;
460 WaitForResponse(CMD_LF_FSK_SIMULATE, &resp);
461
462 PrintAndLogEx(INFO, "Done!");
463 if (resp.status != PM3_EOPABORTED) {
464 return resp.status;
465 }
466 return PM3_SUCCESS;
467 }
468
469
470 static command_t CommandTable[] = {
471 {"help", CmdHelp, AlwaysAvailable, "This help"},
472 {"demod", CmdParadoxDemod, AlwaysAvailable, "demodulate a Paradox FSK tag from the GraphBuffer"},
473 {"reader", CmdParadoxReader, IfPm3Lf, "attempt to read and extract tag data"},
474 {"clone", CmdParadoxClone, IfPm3Lf, "clone paradox tag to T55x7, Q5/T5555 or EM4305/4469"},
475 {"sim", CmdParadoxSim, IfPm3Lf, "simulate paradox tag"},
476 {NULL, NULL, NULL, NULL}
477 };
478
479 static int CmdHelp(const char *Cmd) {
480 (void)Cmd; // Cmd is not used so far
481 CmdsHelp(CommandTable);
482 return PM3_SUCCESS;
483 }
484
485 int CmdLFParadox(const char *Cmd) {
486 clearCommandBuffer();
487 return CmdsParse(CommandTable, Cmd);
488 }
489
490 // loop to get raw paradox waveform then FSK demodulate the TAG ID from it
491 int detectParadox(uint8_t *dest, size_t *size, int *wave_start_idx) {
492 //make sure buffer has data
493 if (*size < 96 * 50) return -1;
494
495 if (getSignalProperties()->isnoise) return -2;
496
497 // FSK demodulator
498 *size = fskdemod(dest, *size, 50, 1, 10, 8, wave_start_idx); // paradox fsk2a
499
500 //did we get a good demod?
501 if (*size < 96) return -3;
502
503 // 00001111 bit pattern represent start of frame, 01 pattern represents a 0 and 10 represents a 1
504 size_t idx = 0;
505 uint8_t preamble[] = {0, 0, 0, 0, 1, 1, 1, 1};
506 if (!preambleSearch(dest, preamble, sizeof(preamble), size, &idx))
507 return -4; //preamble not found
508
509 return (int)idx;
510 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware