Merge pull request #2629 from pingu2211/hf-mifare-refacor
[RRG-proxmark3.git] / client / luascripts / lf_em_tearoff.lua
blobc26979d9a30351953745f55494aaf873d5716b3d
1 local getopt = require('getopt')
2 local ansicolors = require('ansicolors')
4 copyright = 'Iceman'
5 author = 'Iceman'
6 version = 'v0.9.9'
7 desc = [[
8 This is scripts loops though a tear attack and reads expected value.
9 ]]
10 example = [[
11 1. script run tearoff -n 2 -s 200 -e 400 -a 5
13 usage = [[
14 script run tearoff [-h] [-n <steps us>] [-a <addr>] [-p <pwd>] [-s <start us>] [-e <end us>] [-r <read>] [-w <write>]
16 arguments = [[
17 -h This help
18 -n <steps us> steps in milliseconds for each tearoff
19 -a <addr> address to target on card
20 -p <pwd> (optional) use a password
21 -s <delay us> initial start delay
22 -e <delay us> end delay, must be larger than start delay
23 -r <read value> 4 hex bytes value to be read
24 -w <write value> 4 hex bytes value to be written
25 end
28 ---
29 -- This is only meant to be used when errors occur
30 local function oops(err)
31 print('ERROR:', err)
32 core.clearCommandBuffer()
33 return nil, err
34 end
35 ---
36 -- Usage help
37 local function help()
38 print(copyright)
39 print(author)
40 print(version)
41 print(desc)
42 print(ansicolors.cyan..'Usage'..ansicolors.reset)
43 print(usage)
44 print(ansicolors.cyan..'Arguments'..ansicolors.reset)
45 print(arguments)
46 print(ansicolors.cyan..'Example usage'..ansicolors.reset)
47 print(example)
48 end
50 local function main(args)
52 --[[
53 Basically do the following,
55 1. hw tear
56 2. lf em 4x05_write
57 3. lf em 4x05_read
59 The first two commands doesn't need a feedback from the system, so going with core.console commands.
60 Since the read needs demodulation of signal I opted to add that function from cmdlfem4x.c to the core lua scripting
61 core.em4x05_read(addr, password)
63 --]]
64 local n, addr, password, sd, ed, wr_value, rd_value
66 for o, a in getopt.getopt(args, 'he:s:a:p:n:r:w:') do
67 if o == 'h' then return help() end
68 if o == 'n' then n = a end
69 if o == 'a' then addr = a end
70 if o == 'p' then password = a end
71 if o == 'e' then ed = tonumber(a) end
72 if o == 's' then sd = tonumber(a) end
73 if o == 'w' then wr_value = a end
74 if o == 'r' then rd_value = a end
75 end
77 rd_value = rd_value or 'FFFFFFFF'
78 wr_value = wr_value or 'FFFFFFFF'
79 addr = addr or 5
80 password = password or ''
81 n = n or 2
82 sd = sd or 2000
83 ed = ed or 2100
85 if password ~= '' and #password ~= 8 then
86 return oops('password must be 4 hex bytes')
87 end
89 if #wr_value ~= 8 then
90 return oops('write value must be 4 hex bytes')
91 end
93 if #rd_value ~= 8 then
94 return oops('read value must be 4 hex bytes')
95 end
97 if sd > ed then
98 return oops('start delay can\'t be larger than end delay', sd, ed)
99 end
101 print('Starting EM4x05 tear off')
102 print('target addr', addr)
103 if password then
104 print('target pwd', password)
106 print('target stepping', n)
107 print('target delay', sd ,ed)
108 print('read value', rd_value)
109 print('write value', wr_value)
111 local res_tear = 0
112 local res_nowrite = 0
114 local set_tearoff_delay = 'hw tearoff --delay %d'
115 local enable_tearoff = 'hw tearoff --on'
117 local wr_template = 'lf em 4x05 write --addr %s --data %s --pwd %s'
119 -- init addr to value
120 core.console(wr_template:format(addr, wr_value, password))
122 if sd == ed then
123 ed = n
124 n = 0
127 for step = sd, ed, n do
129 io.flush()
130 if core.kbd_enter_pressed() then
131 print("aborted by user")
132 break
135 core.clearCommandBuffer()
137 -- reset addr to known value, if not locked into.
138 if n ~= 0 then
139 c = wr_template:format(addr, wr_value, password)
140 core.console(c)
143 local c = set_tearoff_delay:format(step)
144 core.console(c);
145 core.console(enable_tearoff)
147 c = wr_template:format(addr, wr_value, password)
148 core.console(c)
150 local word, err = core.em4x05_read(addr, password)
151 if err then
152 return oops(err)
155 local wordstr = ('%08X'):format(word)
157 if wordstr ~= wr_value then
158 if wordstr ~= rd_value then
159 print((ansicolors.red..'TEAR OFF occurred:'..ansicolors.reset..' %08X'):format(word))
160 res_tear = res_tear + 1
161 else
162 print((ansicolors.cyan..'TEAR OFF occurred:'..ansicolors.reset..' %08X'):format(word))
163 res_nowrite = res_nowrite + 1
165 else
166 print((ansicolors.green..'Good write occurred:'..ansicolors.reset..' %08X'):format(word))
171 --[[
172 In the future, we may implement so that scripts are invoked directly
173 into a 'main' function, instead of being executed blindly. For future
174 compatibility, I have done so, but I invoke my main from here.
175 --]]
176 main(args)