1 local getopt
= require('getopt')
2 local ansicolors
= require('ansicolors')
8 This is scripts loops though a tear attack and reads expected value.
11 1. script run tearoff -n 2 -s 200 -e 400 -a 5
14 script run tearoff [-h] [-n <steps us>] [-a <addr>] [-p <pwd>] [-s <start us>] [-e <end us>] [-r <read>] [-w <write>]
18 -n <steps us> steps in milliseconds for each tearoff
19 -a <addr> address to target on card
20 -p <pwd> (optional) use a password
21 -s <delay us> initial start delay
22 -e <delay us> end delay, must be larger than start delay
23 -r <read value> 4 hex bytes value to be read
24 -w <write value> 4 hex bytes value to be written
29 -- This is only meant to be used when errors occur
30 local function oops(err
)
32 core
.clearCommandBuffer()
42 print(ansicolors
.cyan
..'Usage'..ansicolors
.reset
)
44 print(ansicolors
.cyan
..'Arguments'..ansicolors
.reset
)
46 print(ansicolors
.cyan
..'Example usage'..ansicolors
.reset
)
50 local function main(args
)
53 Basically do the following,
59 The first two commands doesn't need a feedback from the system, so going with core.console commands.
60 Since the read needs demodulation of signal I opted to add that function from cmdlfem4x.c to the core lua scripting
61 core.em4x05_read(addr, password)
64 local n
, addr
, password
, sd
, ed
, wr_value
, rd_value
66 for o
, a
in getopt
.getopt(args
, 'he:s:a:p:n:r:w:') do
67 if o
== 'h' then return help() end
68 if o
== 'n' then n
= a
end
69 if o
== 'a' then addr
= a
end
70 if o
== 'p' then password
= a
end
71 if o
== 'e' then ed
= tonumber(a
) end
72 if o
== 's' then sd
= tonumber(a
) end
73 if o
== 'w' then wr_value
= a
end
74 if o
== 'r' then rd_value
= a
end
77 rd_value
= rd_value
or 'FFFFFFFF'
78 wr_value
= wr_value
or 'FFFFFFFF'
80 password
= password
or ''
85 if password
~= '' and #password
~= 8 then
86 return oops('password must be 4 hex bytes')
89 if #wr_value
~= 8 then
90 return oops('write value must be 4 hex bytes')
93 if #rd_value
~= 8 then
94 return oops('read value must be 4 hex bytes')
98 return oops('start delay can\'t be larger than end delay', sd
, ed
)
101 print('Starting EM4x05 tear off')
102 print('target addr', addr
)
104 print('target pwd', password
)
106 print('target stepping', n
)
107 print('target delay', sd
,ed
)
108 print('read value', rd_value
)
109 print('write value', wr_value
)
112 local res_nowrite
= 0
114 local set_tearoff_delay
= 'hw tearoff --delay %d'
115 local enable_tearoff
= 'hw tearoff --on'
117 local wr_template
= 'lf em 4x05 write --addr %s --data %s --pwd %s'
119 -- init addr to value
120 core
.console(wr_template
:format(addr
, wr_value
, password
))
127 for step
= sd
, ed
, n
do
130 if core
.kbd_enter_pressed() then
131 print("aborted by user")
135 core
.clearCommandBuffer()
137 -- reset addr to known value, if not locked into.
139 c
= wr_template
:format(addr
, wr_value
, password
)
143 local c
= set_tearoff_delay
:format(step
)
145 core
.console(enable_tearoff
)
147 c
= wr_template
:format(addr
, wr_value
, password
)
150 local word
, err
= core
.em4x05_read(addr
, password
)
155 local wordstr
= ('%08X'):format(word
)
157 if wordstr
~= wr_value
then
158 if wordstr
~= rd_value
then
159 print((ansicolors
.red
..'TEAR OFF occurred:'..ansicolors
.reset
..' %08X'):format(word
))
160 res_tear
= res_tear
+ 1
162 print((ansicolors
.cyan
..'TEAR OFF occurred:'..ansicolors
.reset
..' %08X'):format(word
))
163 res_nowrite
= res_nowrite
+ 1
166 print((ansicolors
.green
..'Good write occurred:'..ansicolors
.reset
..' %08X'):format(word
))
172 In the future, we may implement so that scripts are invoked directly
173 into a 'main' function, instead of being executed blindly. For future
174 compatibility, I have done so, but I invoke my main from here.