search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / armsrc / em4x70.c
blobb1feb83b39f11d5ccb9ad5bbc9282586293a7295
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2020 sirloins based on em4x50
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Low frequency EM4170 commands
9 //-----------------------------------------------------------------------------
10
11 #include "fpgaloader.h"
12 #include "ticks.h"
13 #include "dbprint.h"
14 #include "lfadc.h"
15 #include "commonutil.h"
16 #include "em4x70.h"
17 #include "appmain.h" // tear
18
19 static em4x70_tag_t tag = { 0 };
20
21 // EM4170 requires a parity bit on commands, other variants do not.
22 static bool command_parity = true;
23
24 // Conversion from Ticks to RF periods
25 // 1 us = 1.5 ticks
26 // 1RF Period = 8us = 12 Ticks
27 #define TICKS_PER_FC 12
28
29 // Chip timing from datasheet
30 // Converted into Ticks for timing functions
31 #define EM4X70_T_TAG_QUARTER_PERIOD (8 * TICKS_PER_FC)
32 #define EM4X70_T_TAG_HALF_PERIOD (16 * TICKS_PER_FC)
33 #define EM4X70_T_TAG_THREE_QUARTER_PERIOD (24 * TICKS_PER_FC)
34 #define EM4X70_T_TAG_FULL_PERIOD (32 * TICKS_PER_FC) // 1 Bit Period
35 #define EM4X70_T_TAG_TWA (128 * TICKS_PER_FC) // Write Access Time
36 #define EM4X70_T_TAG_DIV (224 * TICKS_PER_FC) // Divergency Time
37 #define EM4X70_T_TAG_AUTH (4224 * TICKS_PER_FC) // Authentication Time
38 #define EM4X70_T_TAG_WEE (3072 * TICKS_PER_FC) // EEPROM write Time
39 #define EM4X70_T_TAG_TWALB (672 * TICKS_PER_FC) // Write Access Time of Lock Bits
40 #define EM4X70_T_TAG_BITMOD (4 * TICKS_PER_FC) // Initial time to stop modulation when sending 0
41 #define EM4X70_T_TAG_TOLERANCE (8 * TICKS_PER_FC) // Tolerance in RF periods for receive/LIW
42
43 #define EM4X70_T_TAG_TIMEOUT (4 * EM4X70_T_TAG_FULL_PERIOD) // Timeout if we ever get a pulse longer than this
44 #define EM4X70_T_WAITING_FOR_LIW 50 // Pulses to wait for listen window
45 #define EM4X70_T_READ_HEADER_LEN 16 // Read header length (16 bit periods)
46
47 #define EM4X70_COMMAND_RETRIES 5 // Attempts to send/read command
48 #define EM4X70_MAX_RECEIVE_LENGTH 96 // Maximum bits to expect from any command
49
50 /**
51 * These IDs are from the EM4170 datasheet
52 * Some versions of the chip require a
53 * (even) parity bit, others do not
54 */
55 #define EM4X70_COMMAND_ID 0x01
56 #define EM4X70_COMMAND_UM1 0x02
57 #define EM4X70_COMMAND_AUTH 0x03
58 #define EM4X70_COMMAND_PIN 0x04
59 #define EM4X70_COMMAND_WRITE 0x05
60 #define EM4X70_COMMAND_UM2 0x07
61
62 // Constants used to determing high/low state of signal
63 #define EM4X70_NOISE_THRESHOLD 13 // May depend on noise in environment
64 #define HIGH_SIGNAL_THRESHOLD (127 + EM4X70_NOISE_THRESHOLD)
65 #define LOW_SIGNAL_THRESHOLD (127 - EM4X70_NOISE_THRESHOLD)
66
67 #define IS_HIGH(sample) (sample > LOW_SIGNAL_THRESHOLD ? true : false)
68 #define IS_LOW(sample) (sample < HIGH_SIGNAL_THRESHOLD ? true : false)
69
70 // Timing related macros
71 #define IS_TIMEOUT(timeout_ticks) (GetTicks() > timeout_ticks)
72 #define TICKS_ELAPSED(start_ticks) (GetTicks() - start_ticks)
73
74 static uint8_t bits2byte(const uint8_t *bits, int length);
75 static void bits2bytes(const uint8_t *bits, int length, uint8_t *out);
76 static int em4x70_receive(uint8_t *bits, size_t length);
77 static bool find_listen_window(bool command);
78
79 static void init_tag(void) {
80 memset(tag.data, 0x00, ARRAYLEN(tag.data));
81 }
82
83 static void em4x70_setup_read(void) {
84
85 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
86 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
87
88 // 50ms for the resonant antenna to settle.
89 SpinDelay(50);
90
91 // Now set up the SSC to get the ADC samples that are now streaming at us.
92 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER);
93
94 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);
95
96 // Connect the A/D to the peak-detected low-frequency path.
97 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
98
99 // Steal this pin from the SSP (SPI communication channel with fpga) and
100 // use it to control the modulation
101 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
102 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
103
104 // Disable modulation at default, which means enable the field
105 LOW(GPIO_SSC_DOUT);
106
107 // Start the timer
108 StartTicks();
109
110 // Watchdog hit
111 WDT_HIT();
112 }
113
114 static bool get_signalproperties(void) {
115
116 // Simple check to ensure we see a signal above the noise threshold
117 uint32_t no_periods = 32;
118
119 // wait until signal/noise > 1 (max. 32 periods)
120 for (int i = 0; i < EM4X70_T_TAG_FULL_PERIOD * no_periods; i++) {
121
122 // about 2 samples per bit period
123 WaitTicks(EM4X70_T_TAG_HALF_PERIOD);
124
125 if (AT91C_BASE_SSC->SSC_RHR > HIGH_SIGNAL_THRESHOLD) {
126 return true;
127 }
128 }
129 return false;
130 }
131
132 /**
133 * get_falling_pulse_length
134 *
135 * Returns time between falling edge pulse in ticks
136 */
137 static uint32_t get_falling_pulse_length(void) {
138
139 uint32_t timeout = GetTicks() + EM4X70_T_TAG_TIMEOUT;
140
141 while (IS_HIGH(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
142
143 if (IS_TIMEOUT(timeout))
144 return 0;
145
146 uint32_t start_ticks = GetTicks();
147
148 while (IS_LOW(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
149
150 if (IS_TIMEOUT(timeout))
151 return 0;
152
153 while (IS_HIGH(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
154
155 if (IS_TIMEOUT(timeout))
156 return 0;
157
158 return TICKS_ELAPSED(start_ticks);
159 }
160
161 /**
162 * get_rising_pulse_length
163 *
164 * Returns time between rising edge pulse in ticks
165 */
166 static uint32_t get_rising_pulse_length(void) {
167
168 uint32_t timeout = GetTicks() + EM4X70_T_TAG_TIMEOUT;
169
170 while (IS_LOW(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
171
172 if (IS_TIMEOUT(timeout))
173 return 0;
174
175 uint32_t start_ticks = GetTicks();
176
177 while (IS_HIGH(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
178
179 if (IS_TIMEOUT(timeout))
180 return 0;
181
182 while (IS_LOW(AT91C_BASE_SSC->SSC_RHR) && !IS_TIMEOUT(timeout));
183
184 if (IS_TIMEOUT(timeout))
185 return 0;
186
187 return TICKS_ELAPSED(start_ticks);
188
189 }
190
191 static uint32_t get_pulse_length(edge_detection_t edge) {
192
193 if (edge == RISING_EDGE)
194 return get_rising_pulse_length();
195 else if (edge == FALLING_EDGE)
196 return get_falling_pulse_length();
197
198 return 0;
199 }
200
201 static bool check_pulse_length(uint32_t pl, uint32_t length) {
202 // check if pulse length <pl> corresponds to given length <length>
203 return ((pl >= (length - EM4X70_T_TAG_TOLERANCE)) && (pl <= (length + EM4X70_T_TAG_TOLERANCE)));
204 }
205
206 static void em4x70_send_bit(bool bit) {
207
208 // send single bit according to EM4170 application note and datasheet
209 uint32_t start_ticks = GetTicks();
210
211 if (bit == 0) {
212
213 // disable modulation (drop the field) n cycles of carrier
214 LOW(GPIO_SSC_DOUT);
215 while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_BITMOD);
216
217 // enable modulation (activates the field) for remaining first
218 // half of bit period
219 HIGH(GPIO_SSC_DOUT);
220 while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_HALF_PERIOD);
221
222 // disable modulation for second half of bit period
223 LOW(GPIO_SSC_DOUT);
224 while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_FULL_PERIOD);
225
226 } else {
227
228 // bit = "1" means disable modulation for full bit period
229 LOW(GPIO_SSC_DOUT);
230 while (TICKS_ELAPSED(start_ticks) <= EM4X70_T_TAG_FULL_PERIOD);
231 }
232 }
233
234 /**
235 * em4x70_send_nibble
236 *
237 * sends 4 bits of data + 1 bit of parity (with_parity)
238 *
239 */
240 static void em4x70_send_nibble(uint8_t nibble, bool with_parity) {
241 int parity = 0;
242 int msb_bit = 0;
243
244 // Non automotive EM4x70 based tags are 3 bits + 1 parity.
245 // So drop the MSB and send a parity bit instead after the command
246 if (command_parity)
247 msb_bit = 1;
248
249 for (int i = msb_bit; i < 4; i++) {
250 int bit = (nibble >> (3 - i)) & 1;
251 em4x70_send_bit(bit);
252 parity ^= bit;
253 }
254
255 if (with_parity)
256 em4x70_send_bit(parity);
257 }
258
259 static void em4x70_send_byte(uint8_t byte) {
260 // Send byte msb first
261 for (int i = 0; i < 8; i++)
262 em4x70_send_bit((byte >> (7 - i)) & 1);
263 }
264
265 static void em4x70_send_word(const uint16_t word) {
266
267 // Split into nibbles
268 uint8_t nibbles[4];
269 uint8_t j = 0;
270 for (int i = 0; i < 2; i++) {
271 uint8_t byte = (word >> (8 * i)) & 0xff;
272 nibbles[j++] = (byte >> 4) & 0xf;
273 nibbles[j++] = byte & 0xf;
274 }
275
276 // send 16 bit word with parity bits according to EM4x70 datasheet
277 // sent as 4 x nibbles (4 bits + parity)
278 for (int i = 0; i < 4; i++) {
279 em4x70_send_nibble(nibbles[i], true);
280 }
281
282 // send column parities (4 bit)
283 em4x70_send_nibble(nibbles[0] ^ nibbles[1] ^ nibbles[2] ^ nibbles[3], false);
284
285 // send final stop bit (always "0")
286 em4x70_send_bit(0);
287 }
288
289 static bool check_ack(void) {
290 // returns true if signal structue corresponds to ACK, anything else is
291 // counted as NAK (-> false)
292 // ACK 64 + 64
293 // NACK 64 + 48
294 if (check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD) &&
295 check_pulse_length(get_pulse_length(FALLING_EDGE), 2 * EM4X70_T_TAG_FULL_PERIOD)) {
296 // ACK
297 return true;
298 }
299
300 // Othewise it was a NACK or Listen Window
301 return false;
302 }
303
304 static int authenticate(const uint8_t *rnd, const uint8_t *frnd, uint8_t *response) {
305
306 if (find_listen_window(true)) {
307
308 em4x70_send_nibble(EM4X70_COMMAND_AUTH, true);
309
310 // Send 56-bit Random number
311 for (int i = 0; i < 7; i++) {
312 em4x70_send_byte(rnd[i]);
313 }
314
315 // Send 7 x 0's (Diversity bits)
316 for (int i = 0; i < 7; i++) {
317 em4x70_send_bit(0);
318 }
319
320 // Send 28-bit f(RN)
321
322 // Send first 24 bits
323 for (int i = 0; i < 3; i++) {
324 em4x70_send_byte(frnd[i]);
325 }
326
327 // Send last 4 bits (no parity)
328 em4x70_send_nibble((frnd[3] >> 4) & 0xf, false);
329
330 // Receive header, 20-bit g(RN), LIW
331 uint8_t grnd[EM4X70_MAX_RECEIVE_LENGTH] = {0};
332 int num = em4x70_receive(grnd, 20);
333 if (num < 20) {
334 Dbprintf("Auth failed");
335 return PM3_ESOFT;
336 }
337 bits2bytes(grnd, 24, response);
338 return PM3_SUCCESS;
339 }
340
341 return PM3_ESOFT;
342 }
343
344 static int send_pin(const uint32_t pin) {
345
346 // sends pin code for unlocking
347 if (find_listen_window(true)) {
348
349 // send PIN command
350 em4x70_send_nibble(EM4X70_COMMAND_PIN, true);
351
352 // --> Send TAG ID (bytes 4-7)
353 for (int i = 0; i < 4; i++) {
354 em4x70_send_byte(tag.data[7 - i]);
355 }
356
357 // --> Send PIN
358 for (int i = 0; i < 4 ; i++) {
359 em4x70_send_byte((pin >> (i * 8)) & 0xff);
360 }
361
362 // Wait TWALB (write access lock bits)
363 WaitTicks(EM4X70_T_TAG_TWALB);
364
365 // <-- Receive ACK
366 if (check_ack()) {
367
368 // <w> Writes Lock Bits
369 WaitTicks(EM4X70_T_TAG_WEE);
370 // <-- Receive header + ID
371 uint8_t tag_id[EM4X70_MAX_RECEIVE_LENGTH];
372 int num = em4x70_receive(tag_id, 32);
373 if (num < 32) {
374 Dbprintf("Invalid ID Received");
375 return PM3_ESOFT;
376 }
377 bits2bytes(tag_id, num, &tag.data[4]);
378 return PM3_SUCCESS;
379 }
380 }
381
382 return PM3_ESOFT;
383 }
384
385 static int write(const uint16_t word, const uint8_t address) {
386
387 // writes <word> to specified <address>
388 if (find_listen_window(true)) {
389
390 // send write command
391 em4x70_send_nibble(EM4X70_COMMAND_WRITE, true);
392
393 // send address data with parity bit
394 em4x70_send_nibble(address, true);
395
396 // send data word
397 em4x70_send_word(word);
398
399 // Wait TWA
400 WaitTicks(EM4X70_T_TAG_TWA);
401
402 // look for ACK sequence
403 if (check_ack()) {
404
405 // now EM4x70 needs EM4X70_T_TAG_TWEE (EEPROM write time)
406 // for saving data and should return with ACK
407 WaitTicks(EM4X70_T_TAG_WEE);
408 if (check_ack()) {
409
410 return PM3_SUCCESS;
411 }
412 }
413 }
414 return PM3_ESOFT;
415 }
416
417
418 static bool find_listen_window(bool command) {
419
420 int cnt = 0;
421 while (cnt < EM4X70_T_WAITING_FOR_LIW) {
422 /*
423 80 ( 64 + 16 )
424 80 ( 64 + 16 )
425 Flip Polarity
426 96 ( 64 + 32 )
427 64 ( 32 + 16 +16 )*/
428
429 if (check_pulse_length(get_pulse_length(RISING_EDGE), (2 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_HALF_PERIOD) &&
430 check_pulse_length(get_pulse_length(RISING_EDGE), (2 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_HALF_PERIOD) &&
431 check_pulse_length(get_pulse_length(FALLING_EDGE), (2 * EM4X70_T_TAG_FULL_PERIOD) + EM4X70_T_TAG_FULL_PERIOD) &&
432 check_pulse_length(get_pulse_length(FALLING_EDGE), EM4X70_T_TAG_FULL_PERIOD + (2 * EM4X70_T_TAG_HALF_PERIOD))) {
433
434 if (command) {
435 /* Here we are after the 64 duration edge.
436 * em4170 says we need to wait about 48 RF clock cycles.
437 * depends on the delay between tag and us
438 *
439 * I've found between 4-5 quarter periods (32-40) works best
440 */
441 WaitTicks(4 * EM4X70_T_TAG_QUARTER_PERIOD);
442 // Send RM Command
443 em4x70_send_bit(0);
444 em4x70_send_bit(0);
445 }
446 return true;
447 }
448 cnt++;
449 }
450
451 return false;
452 }
453
454 static void bits2bytes(const uint8_t *bits, int length, uint8_t *out) {
455
456 if (length % 8 != 0) {
457 Dbprintf("Should have a multiple of 8 bits, was sent %d", length);
458 }
459
460 int num_bytes = length / 8; // We should have a multiple of 8 here
461
462 for (int i = 1; i <= num_bytes; i++) {
463 out[num_bytes - i] = bits2byte(bits, 8);
464 bits += 8;
465 }
466 }
467
468 static uint8_t bits2byte(const uint8_t *bits, int length) {
469
470 // converts <length> separate bits into a single "byte"
471 uint8_t byte = 0;
472 for (int i = 0; i < length; i++) {
473
474 byte |= bits[i];
475
476 if (i != length - 1)
477 byte <<= 1;
478 }
479
480 return byte;
481 }
482
483 static bool send_command_and_read(uint8_t command, uint8_t *bytes, size_t length) {
484
485 int retries = EM4X70_COMMAND_RETRIES;
486 while (retries) {
487 retries--;
488
489 if (find_listen_window(true)) {
490 uint8_t bits[EM4X70_MAX_RECEIVE_LENGTH] = {0};
491 size_t out_length_bits = length * 8;
492 em4x70_send_nibble(command, command_parity);
493 int len = em4x70_receive(bits, out_length_bits);
494 if (len < out_length_bits) {
495 Dbprintf("Invalid data received length: %d, expected %d", len, out_length_bits);
496 return false;
497 }
498 bits2bytes(bits, len, bytes);
499 return true;
500 }
501 }
502 return false;
503 }
504
505
506
507 /**
508 * em4x70_read_id
509 *
510 * read pre-programmed ID (4 bytes)
511 */
512 static bool em4x70_read_id(void) {
513
514 return send_command_and_read(EM4X70_COMMAND_ID, &tag.data[4], 4);
515
516 }
517
518 /**
519 * em4x70_read_um1
520 *
521 * read user memory 1 (4 bytes including lock bits)
522 */
523 static bool em4x70_read_um1(void) {
524
525 return send_command_and_read(EM4X70_COMMAND_UM1, &tag.data[0], 4);
526
527 }
528
529
530 /**
531 * em4x70_read_um2
532 *
533 * read user memory 2 (8 bytes)
534 */
535 static bool em4x70_read_um2(void) {
536
537 return send_command_and_read(EM4X70_COMMAND_UM2, &tag.data[24], 8);
538
539 }
540
541 static bool find_em4x70_tag(void) {
542 // function is used to check wether a tag on the proxmark is an
543 // EM4170 tag or not -> speed up "lf search" process
544 return find_listen_window(false);
545 }
546
547 static int em4x70_receive(uint8_t *bits, size_t length) {
548
549 uint32_t pl;
550 int bit_pos = 0;
551 edge_detection_t edge = RISING_EDGE;
552 bool foundheader = false;
553
554 // Read out the header
555 // 12 Manchester 1's (may miss some during settle period)
556 // 4 Manchester 0's
557
558 // Skip a few leading 1's as it could be noisy
559 WaitTicks(6 * EM4X70_T_TAG_FULL_PERIOD);
560
561 // wait until we get the transition from 1's to 0's which is 1.5 full windows
562 for (int i = 0; i < EM4X70_T_READ_HEADER_LEN; i++) {
563 pl = get_pulse_length(edge);
564 if (check_pulse_length(pl, 3 * EM4X70_T_TAG_HALF_PERIOD)) {
565 foundheader = true;
566 break;
567 }
568 }
569
570 if (!foundheader) {
571 Dbprintf("Failed to find read header");
572 return 0;
573 }
574
575 // Skip next 3 0's, header check consumes the first 0
576 for (int i = 0; i < 3; i++) {
577 // If pulse length is not 1 bit, then abort early
578 if (!check_pulse_length(get_pulse_length(edge), EM4X70_T_TAG_FULL_PERIOD)) {
579 return 0;
580 }
581 }
582
583 // identify remaining bits based on pulse lengths
584 // between listen windows only pulse lengths of 1, 1.5 and 2 are possible
585 while (bit_pos < length) {
586
587 pl = get_pulse_length(edge);
588
589 if (check_pulse_length(pl, EM4X70_T_TAG_FULL_PERIOD)) {
590
591 // pulse length 1 -> assign bit
592 bits[bit_pos++] = edge == FALLING_EDGE ? 1 : 0;
593
594 } else if (check_pulse_length(pl, 3 * EM4X70_T_TAG_HALF_PERIOD)) {
595
596 // pulse length 1.5 -> 2 bits + flip edge detection
597 if (edge == FALLING_EDGE) {
598 bits[bit_pos++] = 0;
599 bits[bit_pos++] = 0;
600 edge = RISING_EDGE;
601 } else {
602 bits[bit_pos++] = 1;
603 bits[bit_pos++] = 1;
604 edge = FALLING_EDGE;
605 }
606
607 } else if (check_pulse_length(pl, 2 * EM4X70_T_TAG_FULL_PERIOD)) {
608
609 // pulse length of 2 -> two bits
610 if (edge == FALLING_EDGE) {
611 bits[bit_pos++] = 0;
612 bits[bit_pos++] = 1;
613 } else {
614 bits[bit_pos++] = 1;
615 bits[bit_pos++] = 0;
616 }
617
618 } else {
619 // Listen Window, or invalid bit
620 break;
621 }
622 }
623
624 return bit_pos;
625 }
626
627 void em4x70_info(em4x70_data_t *etd) {
628
629 uint8_t status = 0;
630
631 // Support tags with and without command parity bits
632 command_parity = etd->parity;
633
634 init_tag();
635 em4x70_setup_read();
636
637 // Find the Tag
638 if (get_signalproperties() && find_em4x70_tag()) {
639 // Read ID, UM1 and UM2
640 status = em4x70_read_id() && em4x70_read_um1() && em4x70_read_um2();
641 }
642
643 StopTicks();
644 lf_finalize();
645 reply_ng(CMD_LF_EM4X70_INFO, status, tag.data, sizeof(tag.data));
646 }
647
648 void em4x70_write(em4x70_data_t *etd) {
649
650 uint8_t status = 0;
651
652 command_parity = etd->parity;
653
654 init_tag();
655 em4x70_setup_read();
656
657 // Find the Tag
658 if (get_signalproperties() && find_em4x70_tag()) {
659
660 // Write
661 status = write(etd->word, etd->address) == PM3_SUCCESS;
662
663 if (status) {
664 // Read Tag after writing
665 if (em4x70_read_id()) {
666 em4x70_read_um1();
667 em4x70_read_um2();
668 }
669 }
670
671 }
672
673 StopTicks();
674 lf_finalize();
675 reply_ng(CMD_LF_EM4X70_WRITE, status, tag.data, sizeof(tag.data));
676 }
677
678 void em4x70_unlock(em4x70_data_t *etd) {
679
680 uint8_t status = 0;
681
682 command_parity = etd->parity;
683
684 init_tag();
685 em4x70_setup_read();
686
687 // Find the Tag
688 if (get_signalproperties() && find_em4x70_tag()) {
689
690 // Read ID (required for send_pin command)
691 if (em4x70_read_id()) {
692
693 // Send PIN
694 status = send_pin(etd->pin) == PM3_SUCCESS;
695
696 // If the write succeeded, read the rest of the tag
697 if (status) {
698 // Read Tag
699 // ID doesn't change
700 em4x70_read_um1();
701 em4x70_read_um2();
702 }
703 }
704 }
705
706 StopTicks();
707 lf_finalize();
708 reply_ng(CMD_LF_EM4X70_UNLOCK, status, tag.data, sizeof(tag.data));
709 }
710
711 void em4x70_auth(em4x70_data_t *etd) {
712
713 uint8_t status = 0;
714 uint8_t response[3] = {0};
715
716 command_parity = etd->parity;
717
718 init_tag();
719 em4x70_setup_read();
720
721 // Find the Tag
722 if (get_signalproperties() && find_em4x70_tag()) {
723
724 // Authenticate and get tag response
725 status = authenticate(etd->rnd, etd->frnd, response) == PM3_SUCCESS;
726 }
727
728 StopTicks();
729 lf_finalize();
730 reply_ng(CMD_LF_EM4X70_AUTH, status, response, sizeof(response));
731 }
732
733 void em4x70_write_pin(em4x70_data_t *etd) {
734
735 uint8_t status = 0;
736
737 command_parity = etd->parity;
738
739 init_tag();
740 em4x70_setup_read();
741
742 // Find the Tag
743 if (get_signalproperties() && find_em4x70_tag()) {
744
745 // Read ID (required for send_pin command)
746 if (em4x70_read_id()) {
747
748 // Write new PIN
749 if ((write(etd->pin & 0xFFFF, EM4X70_PIN_WORD_UPPER) == PM3_SUCCESS) &&
750 (write((etd->pin >> 16) & 0xFFFF, EM4X70_PIN_WORD_LOWER) == PM3_SUCCESS)) {
751
752 // Now Try to authenticate using the new PIN
753
754 // Send PIN
755 status = send_pin(etd->pin) == PM3_SUCCESS;
756
757 // If the write succeeded, read the rest of the tag
758 if (status) {
759 // Read Tag
760 // ID doesn't change
761 em4x70_read_um1();
762 em4x70_read_um2();
763 }
764 }
765 }
766 }
767
768 StopTicks();
769 lf_finalize();
770 reply_ng(CMD_LF_EM4X70_WRITEPIN, status, tag.data, sizeof(tag.data));
771 }
772
773 void em4x70_write_key(em4x70_data_t *etd) {
774
775 uint8_t status = 0;
776
777 command_parity = etd->parity;
778
779 init_tag();
780 em4x70_setup_read();
781
782 // Find the Tag
783 if (get_signalproperties() && find_em4x70_tag()) {
784
785 // Read ID to ensure we can write to card
786 if (em4x70_read_id()) {
787 status = 1;
788
789 // Write each crypto block
790 for (int i = 0; i < 6; i++) {
791
792 uint16_t key_word = (etd->crypt_key[(i * 2) + 1] << 8) + etd->crypt_key[i * 2];
793 // Write each word, abort if any failure occurs
794 if (write(key_word, 9 - i) != PM3_SUCCESS) {
795 status = 0;
796 break;
797 }
798 }
799 // TODO: Ideally here we would perform a test authentication
800 // to ensure the new key was written correctly. This is
801 // what the datasheet suggests. We can't do that until
802 // we have the crypto algorithm implemented.
803 }
804 }
805
806 StopTicks();
807 lf_finalize();
808 reply_ng(CMD_LF_EM4X70_WRITEKEY, status, tag.data, sizeof(tag.data));
809 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware