search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
recover_pk.py: replace secp192r1 by prime192v1
[RRG-proxmark3.git] / armsrc / em4x50.c
blob095ae4240ec43114da92fe3cd6959d4311b5e398
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // Low frequency EM4x50 commands
17 //-----------------------------------------------------------------------------
18
19 #include "fpgaloader.h"
20 #include "ticks.h"
21 #include "dbprint.h"
22 #include "lfsampling.h"
23 #include "lfadc.h"
24 #include "lfdemod.h"
25 #include "commonutil.h"
26 #include "em4x50.h"
27 #include "BigBuf.h"
28 #include "spiffs.h"
29 #include "appmain.h" // tear
30 #include "bruteforce.h"
31
32 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
33 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
34 // EM4x50 units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
35 // T0 = TIMER_CLOCK1 / 125000 = 192
36
37 #define T0 192
38
39 // conversions (carrier frequency 125 kHz):
40 // 1 us = 1.5 ticks
41 // 1 cycle = 1 period = 8 us = 12 ticks
42 // 1 bit = 64 cycles = 768 ticks = 512 us (for Opt64)
43 #define CYCLES2TICKS 12
44 #define CYCLES2MUSEC 8
45
46 // given in cycles/periods
47 #define EM4X50_T_TAG_QUARTER_PERIOD 16
48 #define EM4X50_T_TAG_HALF_PERIOD 32
49 #define EM4X50_T_TAG_THREE_QUARTER_PERIOD 48
50 #define EM4X50_T_TAG_FULL_PERIOD 64
51 #define EM4X50_T_TAG_TPP 64
52 #define EM4X50_T_TAG_TWA 64
53 #define EM4X50_T_TAG_TINIT 2112
54 #define EM4X50_T_TAG_TWEE 3200
55 #define EM4X50_T_TAG_WAITING_FOR_SIGNAL 75
56 #define EM4X50_T_WAITING_FOR_DBLLIW 1550
57 #define EM4X50_T_WAITING_FOR_ACK 4
58 #define EM4X50_T_TOLERANCE 8
59 #define EM4X50_T_ZERO_DETECTION 3
60
61 // timeout values (empirical) for simulation mode (may vary with regard to reader)
62 #define EM4X50_T_SIMULATION_TIMEOUT_READ 600
63 #define EM4X50_T_SIMULATION_TIMEOUT_WAIT 50
64
65 // the following value (pulses) seems to be critical; if it's too low
66 //(e.g. < 120) some cards are no longer readable although they're ok
67 #define EM4X50_T_WAITING_FOR_SNGLLIW 140
68
69 // div
70 #define EM4X50_TAG_WORD 45
71 #define EM4X50_TAG_MAX_NO_BYTES 136
72 #define EM4X50_TIMEOUT_PULSE_EVAL 2500
73
74 uint8_t g_High = 190;
75 uint8_t g_Low = 60;
76
77 // indication whether a previous login has been successful, so operations
78 // that require authentication can be handled
79 bool g_Login = false;
80 // WritePassword process in simulation mode is handled in a different way
81 // compared to operations like read, write, login, so it is necessary to
82 // to be able to identfiy it
83 bool g_WritePasswordProcess = false;
84 // if reader sends a different password than "expected" -> save it
85 uint32_t g_Password = 0;
86
87 // extract and check parities
88 // return result of parity check and extracted plain data
89 static bool extract_parities(uint64_t word, uint32_t *data) {
90
91 uint8_t row_parities = 0x0, col_parities = 0x0;
92 uint8_t row_parities_calculated = 0x0, col_parities_calculated = 0x0;
93
94 *data = 0x0;
95
96 // extract plain data (32 bits) from raw word (45 bits)
97 for (int i = 0; i < 4; i++) {
98 *data <<= 8;
99 *data |= (word >> ((4 - i) * 9 + 1)) & 0xFF;
100 }
101
102 // extract row parities (4 bits + stop bit) from raw word (45 bits)
103 for (int i = 0; i < 5; i++) {
104 row_parities <<= 1;
105 row_parities |= (word >> ((4 - i) * 9)) & 0x1;
106 }
107
108 // extract col_parities (8 bits, no stop bit) from raw word (45 bits)
109 col_parities = (word >> 1) & 0xFF;
110
111 // check extracted parities against extracted data
112
113 // calculate row parities from data
114 for (int i = 0; i < 4; i++) {
115 row_parities_calculated <<= 1;
116 for (int j = 0; j < 8; j++) {
117 row_parities_calculated ^= (*data >> ((3 - i) * 8 + (7 - j))) & 0x1;
118 }
119 }
120
121 // add stop bit (always zero)
122 row_parities_calculated <<= 1;
123
124 // calculate column parities from data
125 for (int i = 0; i < 8; i++) {
126 col_parities_calculated <<= 1;
127 for (int j = 0; j < 4; j++) {
128 col_parities_calculated ^= (*data >> ((3 - j) * 8 + (7 - i))) & 0x1;
129 }
130 }
131
132 if ((row_parities == row_parities_calculated) && (col_parities == col_parities_calculated)) {
133 return true;
134 }
135 return false;
136 }
137
138 void em4x50_setup_read(void) {
139
140 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
141 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
142
143 StartTicks();
144
145 // 50ms for the resonant antenna to settle.
146 WaitMS(50);
147
148 // Now set up the SSC to get the ADC samples that are now streaming at us.
149 FpgaSetupSsc(FPGA_MAJOR_MODE_LF_READER);
150
151 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);
152
153 // Connect the A/D to the peak-detected low-frequency path.
154 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
155
156 // Steal this pin from the SSP (SPI communication channel with fpga) and
157 // use it to control the modulation
158 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
159 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
160
161 // Disable modulation at default, which means enable the field
162 LOW(GPIO_SSC_DOUT);
163
164 // Watchdog hit
165 WDT_HIT();
166 }
167
168 void em4x50_setup_sim(void) {
169 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
170 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
171 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, LF_DIVISOR_125);
172
173 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK;
174 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
175 AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK;
176
177 StartTicks();
178
179 // Watchdog hit
180 WDT_HIT();
181 }
182
183 // calculate signal properties (mean amplitudes) from measured data:
184 // 32 amplitudes (maximum values) -> mean amplitude value -> g_High -> g_Low
185 static bool get_signalproperties(void) {
186
187 bool signal_found = false;
188 int no_periods = 32, pct = 75, noise = 140;
189 uint8_t sample_ref = 127;
190 uint8_t sample_max_mean = 0;
191 uint8_t sample_max[no_periods];
192 uint32_t sample_max_sum = 0;
193 memset(sample_max, 0x00, sizeof(sample_max));
194
195 // wait until signal/noise > 1 (max. 32 periods)
196 for (int i = 0; i < EM4X50_T_TAG_WAITING_FOR_SIGNAL; i++) {
197
198 if (BUTTON_PRESS()) return false;
199
200 // about 2 samples per bit period
201 WaitUS(EM4X50_T_TAG_HALF_PERIOD * CYCLES2MUSEC);
202
203 // ignore first samples
204 if ((i > SIGNAL_IGNORE_FIRST_SAMPLES) && (AT91C_BASE_SSC->SSC_RHR > noise)) {
205 signal_found = true;
206 break;
207 }
208 }
209
210 if (signal_found == false) {
211 return false;
212 }
213
214 // calculate mean maximum value of 32 periods, each period has a length of
215 // 3 single "full periods" to eliminate the influence of a listen window
216 for (int i = 0; i < no_periods; i++) {
217
218 uint32_t tval = GetTicks();
219 while (GetTicks() - tval < 12 * 3 * EM4X50_T_TAG_FULL_PERIOD) {
220
221 if (BUTTON_PRESS()) return false;
222
223 volatile uint8_t sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
224 if (sample > sample_max[i])
225 sample_max[i] = sample;
226
227 }
228
229 sample_max_sum += sample_max[i];
230 }
231
232 sample_max_mean = sample_max_sum / no_periods;
233
234 // set global envelope variables
235 g_High = sample_ref + pct * (sample_max_mean - sample_ref) / 100;
236 g_Low = sample_ref - pct * (sample_max_mean - sample_ref) / 100;
237
238 return true;
239 }
240
241 // returns true if bit is undefined by evaluating a single sample within
242 // a bit period (given there is no LIW, ACK or NAK)
243 // This function is used for identifying a listen window in functions
244 // "find_double_listen_window" and "check_ack"
245 static bool invalid_bit(void) {
246
247 // get sample at 3/4 of bit period
248 WaitUS(EM4X50_T_TAG_THREE_QUARTER_PERIOD * CYCLES2MUSEC);
249
250 uint8_t sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
251
252 // wait until end of bit period
253 WaitUS(EM4X50_T_TAG_QUARTER_PERIOD * CYCLES2MUSEC);
254
255 // bit in "undefined" state?
256 if (sample <= g_High && sample >= g_Low)
257 return true;
258
259 return false;
260 }
261
262 static uint32_t get_pulse_length(void) {
263
264 int32_t timeout = EM4X50_TIMEOUT_PULSE_EVAL, tval = 0;
265
266 // iterates pulse lengths (low -> high -> low)
267
268 volatile uint8_t sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
269
270 while (sample > g_Low && (timeout--))
271 sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
272
273 if (timeout <= 0)
274 return 0;
275
276 tval = GetTicks();
277 timeout = EM4X50_TIMEOUT_PULSE_EVAL;
278
279 while (sample < g_High && (timeout--))
280 sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
281
282 if (timeout <= 0)
283 return 0;
284
285 timeout = EM4X50_TIMEOUT_PULSE_EVAL;
286 while (sample > g_Low && (timeout--))
287 sample = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
288
289 if (timeout <= 0)
290 return 0;
291
292 return GetTicks() - tval;
293
294 }
295
296 // check if pulse length <pl> corresponds to given length <length>
297 static bool check_pulse_length(uint32_t pl, int length) {
298 return ((pl >= (length - EM4X50_T_TOLERANCE) * CYCLES2TICKS) &&
299 (pl <= (length + EM4X50_T_TOLERANCE) * CYCLES2TICKS));
300 }
301
302 // send single bit according to EM4x50 application note and datasheet
303 static void em4x50_reader_send_bit(int bit) {
304
305 // reset clock for the next bit
306 uint32_t tval = GetTicks();
307
308 if (bit == 0) {
309
310 // disable modulation (activate the field) for 7 cycles of carrier
311 // period (Opt64)
312 LOW(GPIO_SSC_DOUT);
313 while (GetTicks() - tval < 7 * CYCLES2TICKS);
314
315 // enable modulation (drop the field) for remaining first
316 // half of bit period
317 HIGH(GPIO_SSC_DOUT);
318 while (GetTicks() - tval < EM4X50_T_TAG_HALF_PERIOD * CYCLES2TICKS);
319
320 // disable modulation for second half of bit period
321 LOW(GPIO_SSC_DOUT);
322 while (GetTicks() - tval < EM4X50_T_TAG_FULL_PERIOD * CYCLES2TICKS);
323
324 } else {
325
326 // bit = "1" means disable modulation for full bit period
327 LOW(GPIO_SSC_DOUT);
328 while (GetTicks() - tval < EM4X50_T_TAG_FULL_PERIOD * CYCLES2TICKS);
329 }
330 }
331
332 // send byte (without parity)
333 static void em4x50_reader_send_byte(uint8_t byte) {
334 for (int i = 0; i < 8; i++) {
335 em4x50_reader_send_bit((byte >> (7 - i)) & 1);
336 }
337 }
338
339 // send byte followed by its (even) parity bit
340 static void em4x50_reader_send_byte_with_parity(uint8_t byte) {
341 int parity = 0;
342
343 for (int i = 0; i < 8; i++) {
344 int bit = (byte >> (7 - i)) & 1;
345 em4x50_reader_send_bit(bit);
346 parity ^= bit;
347 }
348
349 em4x50_reader_send_bit(parity);
350 }
351
352 // send 32 bit word with parity bits according to EM4x50 datasheet
353 // word hast be sent in msb notation
354 static void em4x50_reader_send_word(const uint32_t word) {
355 uint8_t bytes[4] = {0x0, 0x0, 0x0, 0x0};
356
357 for (int i = 0; i < 4; i++) {
358 bytes[i] = (word >> (24 - (8 * i))) & 0xFF;
359 em4x50_reader_send_byte_with_parity(bytes[i]);
360 }
361
362 // send column parities
363 em4x50_reader_send_byte(bytes[0] ^ bytes[1] ^ bytes[2] ^ bytes[3]);
364
365 // send final stop bit (always "0")
366 em4x50_reader_send_bit(0);
367 }
368
369 // find single listen window
370 static bool find_single_listen_window(void) {
371 int cnt_pulses = 0;
372
373 while (cnt_pulses < EM4X50_T_WAITING_FOR_SNGLLIW) {
374
375 // identification of listen window is done via evaluation of
376 // pulse lengths
377 if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
378
379 if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
380
381 // found listen window
382 return true;
383 }
384 }
385 cnt_pulses++;
386 }
387
388 return false;
389 }
390
391 // find two successive listen windows that indicate the beginning of
392 // data transmission
393 // double listen window to be detected within 1600 pulses -> worst case
394 // reason: first detectable double listen window after 34 words
395 // -> 34 words + 34 single listen windows -> about 1600 pulses
396 static int find_double_listen_window(bool bcommand) {
397 int cnt_pulses = 0;
398
399 while (cnt_pulses < EM4X50_T_WAITING_FOR_DBLLIW) {
400
401 if (BUTTON_PRESS()) {
402 return PM3_EOPABORTED;
403 }
404
405 // identification of listen window is done via evaluation of
406 // pulse lengths
407 if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
408
409 if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
410
411 // first listen window found
412
413 if (bcommand) {
414
415 // data transmission from card has to be stopped, because
416 // a commamd shall be issued
417
418 // unfortunately the position in listen window (where
419 // command request has to be sent) has gone, so if a
420 // second window follows - sync on this to issue a command
421
422 // skip the next bit...
423 WaitUS(EM4X50_T_TAG_FULL_PERIOD * CYCLES2MUSEC);
424
425 // ...and check if the following bit does make sense
426 // (if not it is the correct position within the second
427 // listen window)
428 if (invalid_bit()) {
429
430 // send RM for request mode
431 em4x50_reader_send_bit(0);
432 em4x50_reader_send_bit(0);
433
434 return PM3_SUCCESS;
435 }
436
437 }
438
439 if (check_pulse_length(get_pulse_length(), 3 * EM4X50_T_TAG_FULL_PERIOD)) {
440
441 // return although second listen window consists of one
442 // more bit period but this period is necessary for
443 // evaluating further pulse lengths
444 return PM3_SUCCESS;
445 }
446 }
447 }
448 cnt_pulses++;
449 }
450
451 return PM3_EFAILED;
452 }
453
454 // function is used to check whether a tag on the proxmark is an
455 // EM4x50 tag or not -> speed up "lf search" process
456 static bool find_em4x50_tag(void) {
457 return find_single_listen_window();
458 }
459
460 // To issue a command we have to find a listen window first.
461 // Because identification and synchronization at the same time is not
462 // possible when using pulse lengths a double listen window is used.
463 static int request_receive_mode(void) {
464 return find_double_listen_window(true);
465 }
466
467 // returns true if signal structue corresponds to ACK, anything else is
468 // counted as NAK (-> false)
469 // Only relevant for password writing function:
470 // If <bliw> is true then within the single listen window right after the
471 // ack signal a RM request has to be sent.
472 static bool check_ack(bool bliw) {
473 int count_cycles = 0;
474 while (count_cycles < EM4X50_T_WAITING_FOR_ACK) {
475 if (BUTTON_PRESS())
476 return false;
477
478 if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
479
480 // The received signal is either ACK or NAK.
481
482 if (check_pulse_length(get_pulse_length(), 2 * EM4X50_T_TAG_FULL_PERIOD)) {
483
484 // Now the signal must be ACK.
485
486 if (!bliw) {
487
488 return true;
489
490 } else {
491
492 // send RM request after ack signal
493
494 // wait for 2 bits (remaining "bit" of ACK signal + first
495 // "bit" of listen window)
496 WaitUS(2 * EM4X50_T_TAG_FULL_PERIOD * CYCLES2MUSEC);
497
498 // check for listen window (if first bit cannot be interpreted
499 // as a valid bit it must belong to a listen window)
500 if (invalid_bit()) {
501
502 // send RM for request mode
503 em4x50_reader_send_bit(0);
504 em4x50_reader_send_bit(0);
505
506 return true;
507 }
508 }
509 } else {
510
511 // It's NAK -> stop searching
512 break;
513 }
514 }
515 count_cycles++;
516 }
517
518 return false;
519 }
520
521 // decodes one word by evaluating pulse lengths and previous bit;
522 // word must have 45 bits in total:
523 // 32 data bits + 4 row parity bits + 8 column parity bits + 1 stop bit
524 static int get_word_from_bitstream(uint32_t *data) {
525 bool bitchange = false;
526 int cnt = 0;
527 uint32_t pl = 0;
528 uint64_t word = 0x0;
529
530 *data = 0x0;
531
532 // initial bit value depends on last pulse length of listen window
533 pl = get_pulse_length();
534 if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) {
535
536 // pulse length = 1.5
537 word = 0x1;
538
539 } else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) {
540
541 // pulse length = 2
542 bitchange = true;
543
544 } else {
545
546 // pulse length = 2.5
547 word = 0x1;
548 cnt++;
549 }
550
551 // identify remaining bits based on pulse lengths
552 // between two listen windows only pulse lengths of 1, 1.5 and 2 are possible
553 while (BUTTON_PRESS() == false) {
554
555 cnt++;
556 word <<= 1;
557
558 pl = get_pulse_length();
559
560 if (check_pulse_length(pl, EM4X50_T_TAG_FULL_PERIOD)) {
561
562 // pulse length = 1 -> keep former bit value
563 word |= (word >> 1) & 0x1;
564
565 } else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_HALF_PERIOD)) {
566
567 // pulse length = 1.5 -> decision on bit change
568
569 if (bitchange) {
570
571 // if number of pulse lengths with 1.5 periods is even -> add bit
572 word |= (word >> 1) & 0x1;
573 word <<= 1;
574
575 // pulse length of 1.5 changes bit value
576 word |= ((word >> 1) & 0x1) ^ 0x1;
577 cnt++;
578
579 // next time add only one bit
580 bitchange = false;
581
582 } else {
583
584 word |= ((word >> 1) & 0x1) ^ 0x1;
585
586 // next time two bits have to be added
587 bitchange = true;
588 }
589
590 } else if (check_pulse_length(pl, 2 * EM4X50_T_TAG_FULL_PERIOD)) {
591
592 // pulse length of 2 means: adding 2 bits "01"
593 cnt++;
594
595 word <<= 1;
596 word |= 0x1;
597
598 } else if (check_pulse_length(pl, 3 * EM4X50_T_TAG_FULL_PERIOD)) {
599
600 // pulse length of 3 indicates listen window -> clear last
601 // bit (= 0) and return (without parities)
602 word >>= 2;
603 return (extract_parities(word, data)) ? --cnt : 0;
604 }
605 }
606
607 return PM3_EOPABORTED;
608 }
609
610 // simple login to EM4x50,
611 // used in operations that require authentication
612 static int login(uint32_t password) {
613 if (request_receive_mode() == PM3_SUCCESS) {
614
615 // send login command
616 em4x50_reader_send_byte_with_parity(EM4X50_COMMAND_LOGIN);
617
618 // send password
619 em4x50_reader_send_word(password);
620
621 WaitUS(EM4X50_T_TAG_TPP * CYCLES2MUSEC);
622
623 // check if ACK is returned
624 if (check_ack(false))
625 return PM3_SUCCESS;
626
627 } else {
628 if (g_dbglevel >= DBG_DEBUG)
629 Dbprintf("error in command request");
630 }
631
632 return PM3_EFAILED;
633 }
634
635 // searching for password using chosen bruteforce algorithm
636 static bool brute(const em4x50_data_t *etd, uint32_t *pwd) {
637
638 generator_context_t ctx;
639 bool pwd_found = false;
640 int generator_ret = 0;
641 int cnt = 0;
642
643 bf_generator_init(&ctx, etd->bruteforce_mode, BF_KEY_SIZE_32);
644
645 if (etd->bruteforce_mode == BF_MODE_CHARSET) {
646 bf_generator_set_charset(&ctx, etd->bruteforce_charset);
647 } else if (etd->bruteforce_mode == BF_MODE_RANGE) {
648 ctx.range_low = etd->password1;
649 ctx.range_high = etd->password2;
650 }
651
652 while ((generator_ret = bf_generate(&ctx)) == BF_GENERATOR_NEXT) {
653 *pwd = bf_get_key32(&ctx);
654
655 WDT_HIT();
656
657 if (login(*pwd) == PM3_SUCCESS) {
658
659 pwd_found = true;
660
661 // to be safe login 5 more times
662 for (int i = 0; i < 5; i++) {
663 if (login(*pwd) != PM3_SUCCESS) {
664 pwd_found = false;
665 break;
666 }
667 }
668
669 if (pwd_found)
670 break;
671 }
672
673 // print password every 500 iterations
674 if ((++cnt % 500) == 0) {
675
676 // print header
677 if (cnt == 500) {
678 Dbprintf("|---------+------------+------------|");
679 Dbprintf("| no. | pwd (msb) | pwd (lsb) |");
680 Dbprintf("|---------+------------+------------|");
681 }
682
683 // print data
684 Dbprintf("|%8i | 0x%08x | 0x%08x |", cnt, reflect32(*pwd), *pwd);
685 }
686
687 if (BUTTON_PRESS())
688 break;
689
690 }
691
692 // print footer
693 if (cnt >= 500)
694 Dbprintf("|---------+------------+------------|");
695
696 return pwd_found;
697 }
698
699 // login into EM4x50
700 void em4x50_login(const uint32_t *password, bool ledcontrol) {
701 em4x50_setup_read();
702
703 int status = PM3_EFAILED;
704 if (ledcontrol) LED_C_ON();
705 if (get_signalproperties() && find_em4x50_tag()) {
706 if (ledcontrol) {
707 LED_C_OFF();
708 LED_D_ON();
709 }
710 status = login(*password);
711 }
712
713 if (ledcontrol) LEDsoff();
714 lf_finalize(ledcontrol);
715 reply_ng(CMD_LF_EM4X50_LOGIN, status, NULL, 0);
716 }
717
718 // invoke password search
719 void em4x50_brute(const em4x50_data_t *etd, bool ledcontrol) {
720 em4x50_setup_read();
721
722 bool bsuccess = false;
723 uint32_t pwd = 0x0;
724 if (ledcontrol) LED_C_ON();
725 if (get_signalproperties() && find_em4x50_tag()) {
726 if (ledcontrol) {
727 LED_C_OFF();
728 LED_D_ON();
729 }
730 bsuccess = brute(etd, &pwd);
731 }
732
733 if (ledcontrol) LEDsoff();
734 lf_finalize(ledcontrol);
735 reply_ng(CMD_LF_EM4X50_BRUTE, bsuccess ? PM3_SUCCESS : PM3_EFAILED, (uint8_t *)(&pwd), sizeof(pwd));
736 }
737
738 // check passwords from dictionary content in flash memory
739 void em4x50_chk(const char *filename, bool ledcontrol) {
740 int status = PM3_EFAILED;
741 uint32_t pwd = 0x0;
742
743 #ifdef WITH_FLASH
744
745 BigBuf_free();
746
747 int changed = rdv40_spiffs_lazy_mount();
748 uint16_t pwd_count = 0;
749 uint32_t size = size_in_spiffs(filename);
750 pwd_count = size / 4;
751 uint8_t *pwds = BigBuf_malloc(size);
752
753 rdv40_spiffs_read_as_filetype(filename, pwds, size, RDV40_SPIFFS_SAFETY_SAFE);
754
755 if (changed)
756 rdv40_spiffs_lazy_unmount();
757
758 em4x50_setup_read();
759
760 // set g_High and g_Low
761 if (ledcontrol) LED_C_ON();
762 if (get_signalproperties() && find_em4x50_tag()) {
763
764 if (ledcontrol) {
765 LED_C_OFF();
766 LED_D_ON();
767 }
768
769 // try to login with current password
770 for (int i = 0; i < pwd_count; i++) {
771
772 // manual interruption
773 if (BUTTON_PRESS()) {
774 status = PM3_EOPABORTED;
775 break;
776 }
777
778 // get next password
779 pwd = 0x0;
780 for (int j = 0; j < 4; j++)
781 pwd |= (*(pwds + 4 * i + j)) << ((3 - j) * 8);
782
783 if ((status = login(pwd)) == PM3_SUCCESS) {
784 SpinUp(50);
785 SpinDown(50);
786 break;
787 }
788 }
789 }
790
791 BigBuf_free();
792
793 #endif
794
795 if (ledcontrol) LEDsoff();
796 lf_finalize(ledcontrol);
797 reply_ng(CMD_LF_EM4X50_CHK, status, (uint8_t *)&pwd, sizeof(pwd));
798 }
799
800 // resets EM4x50 tag (used by write function)
801 static int reset(void) {
802 if (request_receive_mode() == PM3_SUCCESS) {
803
804 // send reset command
805 em4x50_reader_send_byte_with_parity(EM4X50_COMMAND_RESET);
806
807 if (check_ack(false))
808 return PM3_SUCCESS;
809
810 } else {
811 if (g_dbglevel >= DBG_DEBUG)
812 Dbprintf("error in command request");
813 }
814
815 return PM3_EFAILED;
816 }
817
818 // reads data that tag transmits when exposed to reader field
819 // (standard read mode); number of read words is saved in <now>
820 int standard_read(int *now, uint32_t *words) {
821
822 int fwr = *now, res = PM3_EFAILED;
823
824 // start with the identification of two successive listening windows
825 if ((res = find_double_listen_window(false)) == PM3_SUCCESS) {
826
827 // read and save words until following double listen window is detected
828 res = get_word_from_bitstream(&words[*now]);
829 while (res == EM4X50_TAG_WORD) {
830 (*now)++;
831 res = get_word_from_bitstream(&words[*now]);
832 }
833
834 // number of detected words
835 *now -= fwr;
836
837 } else {
838 if (g_dbglevel >= DBG_DEBUG)
839 Dbprintf("didn't find a listen window");
840 }
841
842 return res;
843 }
844
845 // reads from "first word read" (fwr) to "last word read" (lwr)
846 // result is verified by "standard read mode"
847 static int selective_read(uint32_t addresses, uint32_t *words) {
848
849 int status = PM3_EFAILED;
850 uint8_t fwr = addresses & 0xFF; // first word read (first byte)
851 uint8_t lwr = (addresses >> 8) & 0xFF; // last word read (second byte)
852 int now = fwr; // number of words
853
854 if (request_receive_mode() == PM3_SUCCESS) {
855
856 // send selective read command
857 em4x50_reader_send_byte_with_parity(EM4X50_COMMAND_SELECTIVE_READ);
858
859 // send address data
860 em4x50_reader_send_word(addresses);
861
862 // look for ACK sequence
863 if (check_ack(false))
864
865 // save and verify via standard read mode (compare number of words)
866 if ((status = standard_read(&now, words)) == PM3_SUCCESS)
867 if (now == (lwr - fwr + 1))
868 return status;
869
870 } else {
871 if (g_dbglevel >= DBG_DEBUG)
872 Dbprintf("error in command request");
873 }
874
875 return status;
876 }
877
878 // reads by using "selective read mode" -> bidirectional communication
879 void em4x50_read(const em4x50_data_t *etd, bool ledcontrol) {
880 int status = PM3_EFAILED;
881 uint32_t words[EM4X50_NO_WORDS] = {0x0};
882
883 em4x50_setup_read();
884
885 // set g_High and g_Low
886 if (ledcontrol) LED_C_ON();
887 if (get_signalproperties() && find_em4x50_tag()) {
888
889 if (ledcontrol) {
890 LED_C_OFF();
891 LED_D_ON();
892 }
893
894 bool blogin = true;
895
896 // try to login with given password
897 if (etd->pwd_given)
898 blogin = (login(etd->password1) == PM3_SUCCESS);
899
900 // only one word has to be read -> first word read = last word read
901 if (blogin)
902 status = selective_read(etd->addresses, words);
903 }
904
905 if (ledcontrol) LEDsoff();
906 LOW(GPIO_SSC_DOUT);
907 lf_finalize(ledcontrol);
908 reply_ng(CMD_LF_EM4X50_READ, status, (uint8_t *)words, EM4X50_TAG_MAX_NO_BYTES);
909 }
910
911 // collects as much information as possible via selective read mode
912 void em4x50_info(const em4x50_data_t *etd, bool ledcontrol) {
913 int status = PM3_EFAILED;
914 uint32_t words[EM4X50_NO_WORDS] = {0x0};
915
916 em4x50_setup_read();
917
918 if (ledcontrol) LED_C_ON();
919 if (get_signalproperties() && find_em4x50_tag()) {
920 if (ledcontrol) {
921 LED_C_OFF();
922 LED_D_ON();
923 }
924
925 bool blogin = true;
926 // login with given password
927 if (etd->pwd_given)
928 blogin = (login(etd->password1) == PM3_SUCCESS);
929
930 if (blogin) {
931 // read addresses from fwr = 0 to lwr = 33 (0x21)
932 status = selective_read(0x00002100, words);
933 }
934 }
935
936 if (ledcontrol) LEDsoff();
937 lf_finalize(ledcontrol);
938 reply_ng(CMD_LF_EM4X50_INFO, status, (uint8_t *)words, EM4X50_TAG_MAX_NO_BYTES);
939 }
940
941 // reads data that tag transmits "voluntarily" -> standard read mode
942 void em4x50_reader(bool ledcontrol) {
943
944 int now = 0;
945 uint32_t words[EM4X50_NO_WORDS] = {0x0};
946
947 em4x50_setup_read();
948
949 if (ledcontrol) LED_C_ON();
950 if (get_signalproperties() && find_em4x50_tag()) {
951 if (ledcontrol) {
952 LED_C_OFF();
953 LED_D_ON();
954 }
955 standard_read(&now, words);
956 }
957
958 if (ledcontrol) LEDsoff();
959 LOW(GPIO_SSC_DOUT);
960 lf_finalize(ledcontrol);
961 reply_ng(CMD_LF_EM4X50_READER, now, (uint8_t *)words, 4 * now);
962 }
963
964 // writes <word> to specified <addresses>
965 static int write(uint32_t word, uint32_t addresses) {
966
967 if (request_receive_mode() == PM3_SUCCESS) {
968
969 // send write command
970 em4x50_reader_send_byte_with_parity(EM4X50_COMMAND_WRITE);
971
972 // send address data
973 em4x50_reader_send_byte_with_parity(addresses & 0xFF);
974
975 // send data
976 em4x50_reader_send_word(word);
977
978 if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occurred
979 reply_ng(CMD_LF_EM4X50_WRITE, PM3_ETEAROFF, NULL, 0);
980 return PM3_ETEAROFF;
981 } else {
982
983 // wait for T0 * EM4X50_T_TAG_TWA (write access time)
984 WaitUS(EM4X50_T_TAG_TWA * CYCLES2MUSEC);
985
986 // look for ACK sequence
987 if (check_ack(false)) {
988
989 // now EM4x50 needs T0 * EM4X50_T_TAG_TWEE (EEPROM write time = 3.2ms = 50 * 64 periods)
990 // for saving data and should return with ACK
991 for (int i = 0; i < 50; i++) {
992 WaitUS(EM4X50_T_TAG_FULL_PERIOD * CYCLES2MUSEC);
993 }
994
995 if (check_ack(false))
996 return PM3_SUCCESS;
997 }
998 }
999 } else {
1000 if (g_dbglevel >= DBG_DEBUG)
1001 Dbprintf("error in command request");
1002 }
1003
1004 return PM3_EFAILED;
1005 }
1006
1007 // changes password from <password> to <new_password>
1008 static int write_password(uint32_t password, uint32_t new_password) {
1009 if (request_receive_mode() == PM3_SUCCESS) {
1010
1011 // send write password command
1012 em4x50_reader_send_byte_with_parity(EM4X50_COMMAND_WRITE_PASSWORD);
1013
1014 // send address data
1015 em4x50_reader_send_word(password);
1016
1017 if (tearoff_hook() == PM3_ETEAROFF) { // tearoff occurred
1018 reply_ng(CMD_LF_EM4X50_WRITE, PM3_ETEAROFF, NULL, 0);
1019 return PM3_ETEAROFF;
1020 } else {
1021
1022 // wait for T0 * EM4x50_T_TAG_TPP (processing pause time)
1023 WaitUS(EM4X50_T_TAG_TPP * CYCLES2MUSEC);
1024
1025 // look for ACK sequence and send rm request
1026 // during following listen window
1027 if (check_ack(true)) {
1028
1029 // send new password
1030 em4x50_reader_send_word(new_password);
1031
1032 // wait for T0 * EM4X50_T_TAG_TWA (write access time)
1033 WaitUS(EM4X50_T_TAG_TWA * CYCLES2MUSEC);
1034
1035 if (check_ack(false)) {
1036
1037 // now EM4x50 needs T0 * EM4X50_T_TAG_TWEE (EEPROM write time = 3.2ms = 50 * 64 periods)
1038 // for saving data and should return with ACK
1039 for (int i = 0; i < 50; i++) {
1040 WaitUS(EM4X50_T_TAG_FULL_PERIOD * CYCLES2MUSEC);
1041 }
1042
1043 if (check_ack(false))
1044 return PM3_SUCCESS;
1045 }
1046 }
1047 }
1048 } else {
1049 if (g_dbglevel >= DBG_DEBUG)
1050 Dbprintf("error in command request");
1051 }
1052
1053 return PM3_EFAILED;
1054 }
1055
1056 // write operation process for EM4x50 tag,
1057 // single word is written to given address, verified by selective read operation
1058 // wrong password -> return with PM3_EFAILED
1059 void em4x50_write(const em4x50_data_t *etd, bool ledcontrol) {
1060 int status = PM3_EFAILED;
1061 uint32_t words[EM4X50_NO_WORDS] = {0x0};
1062
1063 em4x50_setup_read();
1064
1065 if (ledcontrol) LED_C_ON();
1066 if (get_signalproperties() && find_em4x50_tag()) {
1067
1068 if (ledcontrol) {
1069 LED_C_OFF();
1070 LED_D_ON();
1071 }
1072
1073 // if password is given try to login first
1074 status = PM3_SUCCESS;
1075 if (etd->pwd_given)
1076 status = login(etd->password1);
1077
1078 if (status == PM3_SUCCESS) {
1079
1080 // write word to given address
1081 status = write(etd->word, etd->addresses);
1082 if (status == PM3_ETEAROFF) {
1083 lf_finalize(ledcontrol);
1084 return;
1085 }
1086
1087 if (status == PM3_SUCCESS) {
1088
1089 // to verify result reset EM4x50
1090 status = reset();
1091 if (status == PM3_SUCCESS) {
1092
1093 // if password is given renew login after reset
1094 if (etd->pwd_given)
1095 status = login(etd->password1);
1096
1097 if (status == PM3_SUCCESS) {
1098
1099 // call a selective read
1100 status = selective_read(etd->addresses, words);
1101 if (status == PM3_SUCCESS) {
1102
1103 // compare result with given word
1104 if (words[etd->addresses & 0xFF] != reflect32(etd->word))
1105 status = PM3_EFAILED;
1106 }
1107 }
1108 }
1109 }
1110 }
1111 }
1112
1113 if (ledcontrol) LEDsoff();
1114 lf_finalize(ledcontrol);
1115 reply_ng(CMD_LF_EM4X50_WRITE, status, (uint8_t *)words, EM4X50_TAG_MAX_NO_BYTES);
1116 }
1117
1118 // simple change of password
1119 void em4x50_writepwd(const em4x50_data_t *etd, bool ledcontrol) {
1120 int status = PM3_EFAILED;
1121
1122 em4x50_setup_read();
1123
1124 if (ledcontrol) LED_C_ON();
1125 if (get_signalproperties() && find_em4x50_tag()) {
1126
1127 if (ledcontrol) {
1128 LED_C_OFF();
1129 LED_D_ON();
1130 }
1131
1132 // login and change password
1133 if (login(etd->password1) == PM3_SUCCESS) {
1134
1135 status = write_password(etd->password1, etd->password2);
1136 if (status == PM3_ETEAROFF) {
1137 lf_finalize(ledcontrol);
1138 return;
1139 }
1140 }
1141 }
1142
1143 if (ledcontrol) LEDsoff();
1144 lf_finalize(ledcontrol);
1145 reply_ng(CMD_LF_EM4X50_WRITEPWD, status, NULL, 0);
1146 }
1147
1148 // send bit in receive mode by counting carrier cycles
1149 static void em4x50_sim_send_bit(uint8_t bit) {
1150
1151 uint16_t timeout = EM4X50_T_SIMULATION_TIMEOUT_READ;
1152
1153 for (int t = 0; t < EM4X50_T_TAG_FULL_PERIOD; t++) {
1154
1155 // wait until SSC_CLK goes HIGH
1156 // used as a simple detection of a reader field?
1157 while ((timeout--) && !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));
1158
1159 if (timeout == 0) {
1160 return;
1161 }
1162 timeout = EM4X50_T_SIMULATION_TIMEOUT_READ;
1163
1164 if (bit)
1165 OPEN_COIL();
1166 else
1167 SHORT_COIL();
1168
1169 //wait until SSC_CLK goes LOW
1170 while ((timeout--) && (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));
1171 if (timeout == 0) {
1172 return;
1173 }
1174 timeout = EM4X50_T_SIMULATION_TIMEOUT_READ;
1175
1176 if (t == EM4X50_T_TAG_HALF_PERIOD)
1177 bit ^= 1;
1178
1179 }
1180 }
1181
1182 // send byte in receive mode either with or without parity check (even)
1183 static void em4x50_sim_send_byte(uint8_t byte, bool paritycheck) {
1184
1185 // send byte
1186 for (int i = 0; i < 8; i++) {
1187 em4x50_sim_send_bit((byte >> (7 - i)) & 1);
1188 }
1189
1190 if (paritycheck) {
1191
1192 uint8_t parity = 0x0;
1193
1194 for (int i = 0; i < 8; i++) {
1195 parity ^= (byte >> i) & 1;
1196 }
1197
1198 em4x50_sim_send_bit(parity);
1199 }
1200 }
1201
1202 // send complete word in receive mode (including all parity checks)
1203 static void em4x50_sim_send_word(uint32_t word) {
1204
1205 uint8_t cparity = 0x00;
1206
1207 // word has tobe sent in msb, not lsb
1208 word = reflect32(word);
1209
1210 // 4 bytes each with even row parity bit
1211 for (int i = 0; i < 4; i++) {
1212 em4x50_sim_send_byte((word >> ((3 - i) * 8)) & 0xFF, true);
1213 }
1214
1215 // column parity
1216 for (int i = 0; i < 8; i++) {
1217 cparity <<= 1;
1218 for (int j = 0; j < 4; j++) {
1219 cparity ^= (((word >> ((3 - j) * 8)) & 0xFF) >> (7 - i)) & 1;
1220 }
1221 }
1222 em4x50_sim_send_byte(cparity, false);
1223
1224 // stop bit
1225 em4x50_sim_send_bit(0);
1226 }
1227
1228 // wait for <maxperiods> pulses of carrier frequency
1229 static void wait_cycles(int maxperiods) {
1230
1231 int period = 0, timeout = EM4X50_T_SIMULATION_TIMEOUT_WAIT;
1232
1233 while (period < maxperiods) {
1234
1235 while ((timeout--) && !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));
1236 if (timeout <= 0) {
1237 return;
1238 }
1239 timeout = EM4X50_T_SIMULATION_TIMEOUT_WAIT;
1240
1241 while ((timeout--) && (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));
1242 if (timeout <= 0) {
1243 return;
1244 }
1245 timeout = EM4X50_T_SIMULATION_TIMEOUT_WAIT;
1246
1247 period++;
1248 }
1249 }
1250
1251 // read single bit in simulation mode
1252 static int em4x50_sim_read_bit(void) {
1253
1254 int cycles = 0;
1255 int timeout = EM4X50_T_SIMULATION_TIMEOUT_READ;
1256
1257 // wait 16 cycles to make sure there is no field when reading a "0" bit
1258 uint32_t waitval = GetTicks();
1259 while (GetTicks() - waitval < EM4X50_T_TAG_QUARTER_PERIOD * CYCLES2TICKS);
1260
1261 while (cycles < EM4X50_T_TAG_THREE_QUARTER_PERIOD) {
1262
1263 // wait until reader field disappears
1264 while ((timeout--) && !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));
1265 if (timeout <= 0) {
1266 return PM3_ETIMEOUT;
1267 }
1268 timeout = EM4X50_T_SIMULATION_TIMEOUT_READ;
1269
1270 // now check until reader switches on carrier field
1271 uint32_t tval = GetTicks();
1272 while ((timeout--) && (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) {
1273
1274 if (timeout <= 0) {
1275 return PM3_ETIMEOUT;
1276 }
1277
1278 // check if current cycle takes longer than "usual""
1279 if (GetTicks() - tval > EM4X50_T_ZERO_DETECTION * CYCLES2TICKS) {
1280
1281 // gap detected; wait until reader field is switched on again
1282 while ((timeout--) && (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK));
1283
1284 if (timeout <= 0) {
1285 return PM3_ETIMEOUT;
1286 }
1287
1288 // now we have a reference "position", from here it will take
1289 // slightly less than 32 cycles until the end of the bit period
1290 wait_cycles(28);
1291
1292 // end of bit period is reached; return with bit value "0"
1293 // (cf. datasheet)
1294 return 0;
1295 }
1296 }
1297 timeout = EM4X50_T_SIMULATION_TIMEOUT_READ;
1298
1299 // no gap detected, i.e. reader field is still up;
1300 // continue with counting cycles
1301 cycles++;
1302 }
1303
1304 // reached 64 cycles (= EM4X50_T_TAG_FULL_PERIOD) -> return bit value "1"
1305 return 1;
1306 }
1307
1308 // read byte in simulation mode either with or without parity check (even)
1309 static bool em4x50_sim_read_byte(uint8_t *byte, bool paritycheck) {
1310
1311 for (int i = 0; i < 8; i++) {
1312 *byte <<= 1;
1313 *byte |= em4x50_sim_read_bit();
1314 }
1315
1316 if (paritycheck) {
1317
1318 int pval = em4x50_sim_read_bit();
1319 uint8_t parity = 0;
1320
1321 for (int i = 0; i < 8; i++) {
1322 parity ^= ((*byte) >> i) & 1;
1323 }
1324
1325 if (parity != pval) {
1326 return false;
1327 }
1328 }
1329
1330 return true;
1331 }
1332
1333 // read complete word in simulation mode
1334 static bool em4x50_sim_read_word(uint32_t *word) {
1335
1336 uint8_t stop_bit = 0;
1337 uint8_t parities = 0, parities_calculated = 0;
1338 uint8_t bytes[4] = {0};
1339
1340 // read plain data
1341 for (int i = 0; i < 4; i++) {
1342 em4x50_sim_read_byte(&bytes[i], true);
1343 }
1344
1345 // read column parities and stop bit
1346 em4x50_sim_read_byte(&parities, false);
1347 stop_bit = em4x50_sim_read_bit();
1348
1349 // calculate column parities from data
1350 for (int i = 0; i < 8; i++) {
1351 parities_calculated <<= 1;
1352 for (int j = 0; j < 4; j++) {
1353 parities_calculated ^= (bytes[j] >> (7 - i)) & 1;
1354 }
1355 }
1356
1357 *word = BYTES2UINT32_BE(bytes);
1358
1359 // check parities
1360 if ((parities == parities_calculated) && (stop_bit == 0)) {
1361 return true;
1362 }
1363
1364 return false;
1365 }
1366
1367 // check if reader requests receive mode (rm) by sending two zeros
1368 static int check_rm_request(const uint32_t *tag, bool ledcontrol) {
1369
1370 // look for first zero
1371 int bit = em4x50_sim_read_bit();
1372 if (bit == 0) {
1373
1374 // look for second zero
1375 bit = em4x50_sim_read_bit();
1376 if (bit == 0) {
1377
1378 if (ledcontrol) LED_C_ON();
1379
1380 // if command before was EM4X50_COMMAND_WRITE_PASSWORD
1381 // switch to separate process
1382 if (g_WritePasswordProcess) {
1383 return EM4X50_COMMAND_WRITE_PASSWORD;
1384 } else {
1385 // read mode request detected, get command from reader
1386 uint8_t command = 0;
1387 em4x50_sim_read_byte(&command, true);
1388 return command;
1389 }
1390 }
1391 }
1392
1393 return (bit != PM3_ETIMEOUT) ? PM3_SUCCESS : PM3_ETIMEOUT;
1394 }
1395
1396 // send single listen window in simulation mode
1397 static int em4x50_sim_send_listen_window(const uint32_t *tag, bool ledcontrol) {
1398
1399 SHORT_COIL();
1400 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1401
1402 OPEN_COIL();
1403 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1404
1405 SHORT_COIL();
1406 wait_cycles(2 * EM4X50_T_TAG_FULL_PERIOD);
1407
1408 OPEN_COIL();
1409 int command = check_rm_request(tag, ledcontrol);
1410 if (command != PM3_SUCCESS) {
1411 return command;
1412 }
1413
1414 SHORT_COIL();
1415 wait_cycles(EM4X50_T_TAG_FULL_PERIOD);
1416
1417 return PM3_SUCCESS;
1418 }
1419
1420 // send ack
1421 static void em4x50_sim_send_ack(void) {
1422
1423 SHORT_COIL();
1424 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1425
1426 OPEN_COIL();
1427 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1428
1429 SHORT_COIL();
1430 wait_cycles(3 * EM4X50_T_TAG_HALF_PERIOD);
1431
1432 OPEN_COIL();
1433 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1434
1435 SHORT_COIL();
1436 wait_cycles(3 * EM4X50_T_TAG_HALF_PERIOD);
1437
1438 OPEN_COIL();
1439 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1440
1441 SHORT_COIL();
1442 }
1443
1444 // send nak
1445 static void em4x50_sim_send_nak(void) {
1446
1447 SHORT_COIL();
1448 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1449
1450 OPEN_COIL();
1451 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1452
1453 SHORT_COIL();
1454 wait_cycles(3 * EM4X50_T_TAG_HALF_PERIOD);
1455
1456 OPEN_COIL();
1457 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1458
1459 SHORT_COIL();
1460 wait_cycles(EM4X50_T_TAG_FULL_PERIOD);
1461
1462 OPEN_COIL();
1463 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1464
1465 SHORT_COIL();
1466 wait_cycles(EM4X50_T_TAG_HALF_PERIOD);
1467 }
1468
1469 // standard read mode process (simulation mode)
1470 static int em4x50_sim_handle_standard_read_command(const uint32_t *tag, bool ledcontrol) {
1471
1472 // extract control data
1473 int fwr = reflect32(tag[EM4X50_CONTROL]) & 0xFF; // first word read
1474 int lwr = (reflect32(tag[EM4X50_CONTROL]) >> 8) & 0xFF; // last word read
1475 // extract protection data:
1476 // first word read protected
1477 int fwrp = reflect32(tag[EM4X50_PROTECTION]) & 0xFF;
1478 // last word read protected
1479 int lwrp = (reflect32(tag[EM4X50_PROTECTION]) >> 8) & 0xFF;
1480
1481 while ((BUTTON_PRESS() == false) && (data_available() == false)) {
1482
1483 WDT_HIT();
1484
1485 int res = em4x50_sim_send_listen_window(tag, ledcontrol);
1486
1487 if (res != PM3_SUCCESS) {
1488 return res;
1489 }
1490
1491 for (int i = fwr; i <= lwr; i++) {
1492
1493 res = em4x50_sim_send_listen_window(tag, ledcontrol);
1494 if (res != PM3_SUCCESS) {
1495 return res;
1496 }
1497
1498 if ((g_Login == false) && (i >= fwrp) && (i <= lwrp)) {
1499 em4x50_sim_send_word(0x00);
1500 } else {
1501 em4x50_sim_send_word(reflect32(tag[i]));
1502 }
1503 }
1504 }
1505
1506 return PM3_EOPABORTED;
1507 }
1508
1509 // selective read mode process (simulation mode)
1510 static int em4x50_sim_handle_selective_read_command(const uint32_t *tag, bool ledcontrol) {
1511
1512 // read password
1513 uint32_t address = 0;
1514 bool addr = em4x50_sim_read_word(&address);
1515
1516 // processing pause time (corresponds to a "1" bit)
1517 em4x50_sim_send_bit(1);
1518
1519 if (addr) {
1520 em4x50_sim_send_ack();
1521 } else {
1522 em4x50_sim_send_nak();
1523 return EM4X50_COMMAND_STANDARD_READ;
1524 }
1525
1526 // extract control data
1527 int fwr = address & 0xFF; // first word read
1528 int lwr = (address >> 8) & 0xFF; // last word read
1529
1530 // extract protection data:
1531 // first word read protected
1532 int fwrp = reflect32(tag[EM4X50_PROTECTION]) & 0xFF;
1533 // last word read protected
1534 int lwrp = (reflect32(tag[EM4X50_PROTECTION]) >> 8) & 0xFF;
1535
1536 while ((BUTTON_PRESS() == false) && (data_available() == false)) {
1537
1538 WDT_HIT();
1539
1540 int command = em4x50_sim_send_listen_window(tag, ledcontrol);
1541 if (command != PM3_SUCCESS) {
1542 return command;
1543 }
1544
1545 for (int i = fwr; i <= lwr; i++) {
1546
1547 command = em4x50_sim_send_listen_window(tag, ledcontrol);
1548 if (command != PM3_SUCCESS) {
1549 return command;
1550 }
1551
1552 // if not authenticated do not send read protected words
1553 if ((g_Login == false) && (i >= fwrp) && (i <= lwrp)) {
1554 em4x50_sim_send_word(0x00);
1555 } else {
1556 em4x50_sim_send_word(reflect32(tag[i]));
1557 }
1558 }
1559 }
1560
1561 return PM3_EOPABORTED;
1562 }
1563
1564 // login process (simulation mode)
1565 static int em4x50_sim_handle_login_command(const uint32_t *tag, bool ledcontrol) {
1566
1567 // read password
1568 uint32_t password = 0;
1569 bool pwd = em4x50_sim_read_word(&password);
1570
1571 // processing pause time (corresponds to a "1" bit)
1572 em4x50_sim_send_bit(1);
1573
1574 if (pwd && (password == reflect32(tag[EM4X50_DEVICE_PASSWORD]))) {
1575 em4x50_sim_send_ack();
1576 g_Login = true;
1577 if (ledcontrol) LED_D_ON();
1578 } else {
1579 em4x50_sim_send_nak();
1580 g_Login = false;
1581 if (ledcontrol) LED_D_OFF();
1582
1583 // save transmitted password (to be used in standalone mode)
1584 g_Password = password;
1585 }
1586 // continue with standard read mode
1587 return EM4X50_COMMAND_STANDARD_READ;
1588 }
1589
1590 // reset process (simulation mode)
1591 static int em4x50_sim_handle_reset_command(const uint32_t *tag, bool ledcontrol) {
1592
1593 // processing pause time (corresponds to a "1" bit)
1594 em4x50_sim_send_bit(1);
1595
1596 // send ACK
1597 em4x50_sim_send_ack();
1598 g_Login = false;
1599 if (ledcontrol) LED_D_OFF();
1600
1601 // wait for initialization (tinit)
1602 wait_cycles(EM4X50_T_TAG_TINIT);
1603
1604 // continue with standard read mode
1605 return EM4X50_COMMAND_STANDARD_READ;
1606 }
1607
1608 // write process (simulation mode)
1609 static int em4x50_sim_handle_write_command(uint32_t *tag, bool ledcontrol) {
1610
1611 // read address
1612 uint8_t address = 0;
1613 bool addr = em4x50_sim_read_byte(&address, true);
1614 // read data
1615 uint32_t data = 0;
1616 bool word = em4x50_sim_read_word(&data);
1617
1618 // write access time
1619 wait_cycles(EM4X50_T_TAG_TWA);
1620
1621 if ((addr == false) || (word == false)) {
1622 em4x50_sim_send_nak();
1623 return EM4X50_COMMAND_STANDARD_READ;
1624 }
1625
1626 // extract necessary control data
1627 bool raw = (tag[EM4X50_CONTROL] >> CONFIG_BLOCK) & READ_AFTER_WRITE;
1628 // extract protection data:
1629 // first word write protected
1630 int fwwp = reflect8((tag[EM4X50_PROTECTION] >> 24) & 0xFF);
1631 // last word write protected
1632 int lwwp = reflect8((tag[EM4X50_PROTECTION] >> 16) & 0xFF);
1633
1634 switch (address) {
1635
1636 case EM4X50_DEVICE_PASSWORD:
1637 em4x50_sim_send_nak();
1638 return EM4X50_COMMAND_STANDARD_READ;
1639 break;
1640
1641 case EM4X50_PROTECTION:
1642 if (g_Login) {
1643 tag[address] = reflect32(data);
1644 em4x50_sim_send_ack();
1645 } else {
1646 em4x50_sim_send_nak();
1647 return EM4X50_COMMAND_STANDARD_READ;
1648 }
1649 break;
1650
1651 case EM4X50_CONTROL:
1652 if (g_Login) {
1653 tag[address] = reflect32(data);
1654 em4x50_sim_send_ack();
1655 } else {
1656 em4x50_sim_send_nak();
1657 return EM4X50_COMMAND_STANDARD_READ;
1658 }
1659 break;
1660
1661 case EM4X50_DEVICE_SERIAL:
1662 em4x50_sim_send_nak();
1663 return EM4X50_COMMAND_STANDARD_READ;
1664 break;
1665
1666 case EM4X50_DEVICE_ID:
1667 em4x50_sim_send_nak();
1668 return EM4X50_COMMAND_STANDARD_READ;
1669 break;
1670
1671 default:
1672 if ((address >= fwwp) && (address <= lwwp)) {
1673 if (g_Login) {
1674 tag[address] = reflect32(data);
1675 em4x50_sim_send_ack();
1676 } else {
1677 em4x50_sim_send_nak();
1678 return EM4X50_COMMAND_STANDARD_READ;
1679 }
1680 } else {
1681 tag[address] = reflect32(data);
1682 em4x50_sim_send_ack();
1683 }
1684 break;
1685 }
1686
1687 // EEPROM write time
1688 // strange: need some sort of 'waveform correction', otherwise ack signal
1689 // will not be detected; sending a single "1" as last "bit" of Twee
1690 // seems to solve the problem
1691 wait_cycles(EM4X50_T_TAG_TWEE - EM4X50_T_TAG_FULL_PERIOD);
1692 em4x50_sim_send_bit(1);
1693 em4x50_sim_send_ack();
1694
1695 // if "read after write" (raw) bit is set, send written data once
1696 if (raw) {
1697 int command = em4x50_sim_send_listen_window(tag, ledcontrol);
1698 if (command != PM3_SUCCESS) {
1699 return command;
1700 }
1701
1702 command = em4x50_sim_send_listen_window(tag, ledcontrol);
1703 if (command != PM3_SUCCESS) {
1704 return command;
1705 }
1706
1707 em4x50_sim_send_word(tag[address]);
1708 }
1709
1710 // continue with standard read mode
1711 return EM4X50_COMMAND_STANDARD_READ;
1712 }
1713
1714 // write password process (simulation mode)
1715 static int em4x50_sim_handle_writepwd_command(uint32_t *tag, bool ledcontrol) {
1716
1717 bool pwd = false;
1718
1719 g_WritePasswordProcess = true;
1720
1721 // read password
1722 uint32_t act_password = 0;
1723 pwd = em4x50_sim_read_word(&act_password);
1724
1725 // processing pause time tpp (corresponds to a "1" bit)
1726 em4x50_sim_send_bit(1);
1727
1728 if (pwd && (act_password == reflect32(tag[EM4X50_DEVICE_PASSWORD]))) {
1729 em4x50_sim_send_ack();
1730 g_Login = true;
1731 } else {
1732 em4x50_sim_send_nak();
1733 g_Login = false;
1734 g_WritePasswordProcess = false;
1735
1736 // save transmitted password (to be used in standalone mode)
1737 g_Password = act_password;
1738
1739 return EM4X50_COMMAND_STANDARD_READ;
1740 }
1741
1742 int command = em4x50_sim_send_listen_window(tag, ledcontrol);
1743 g_WritePasswordProcess = false;
1744 if (command != EM4X50_COMMAND_WRITE_PASSWORD) {
1745 return command;
1746 }
1747
1748 // read new password
1749 uint32_t new_password = 0;
1750 pwd = em4x50_sim_read_word(&new_password);
1751
1752 // write access time twa
1753 wait_cycles(EM4X50_T_TAG_TWA);
1754
1755 if (pwd) {
1756 em4x50_sim_send_ack();
1757 tag[EM4X50_DEVICE_PASSWORD] = reflect32(new_password);
1758 g_Password = new_password;
1759 } else {
1760 em4x50_sim_send_nak();
1761 return EM4X50_COMMAND_STANDARD_READ;
1762 }
1763
1764 // EEPROM write time
1765 // strange: need some sort of 'waveform correction', otherwise ack signal
1766 // will not be detected; sending a single "1" as last part of Twee
1767 // seems to solve the problem
1768 wait_cycles(EM4X50_T_TAG_TWEE - EM4X50_T_TAG_FULL_PERIOD);
1769 em4x50_sim_send_bit(1);
1770 em4x50_sim_send_ack();
1771
1772 // continue with standard read mode
1773 return EM4X50_COMMAND_STANDARD_READ;
1774 }
1775
1776 void em4x50_handle_commands(int *command, uint32_t *tag, bool ledcontrol) {
1777
1778 switch (*command) {
1779
1780 case EM4X50_COMMAND_LOGIN:
1781 *command = em4x50_sim_handle_login_command(tag, ledcontrol);
1782 break;
1783
1784 case EM4X50_COMMAND_RESET:
1785 *command = em4x50_sim_handle_reset_command(tag, ledcontrol);
1786 break;
1787
1788 case EM4X50_COMMAND_WRITE:
1789 *command = em4x50_sim_handle_write_command(tag, ledcontrol);
1790 break;
1791
1792 case EM4X50_COMMAND_WRITE_PASSWORD:
1793 *command = em4x50_sim_handle_writepwd_command(tag, ledcontrol);
1794 break;
1795
1796 case EM4X50_COMMAND_SELECTIVE_READ:
1797 *command = em4x50_sim_handle_selective_read_command(tag, ledcontrol);
1798 break;
1799
1800 case EM4X50_COMMAND_STANDARD_READ:
1801 if (ledcontrol) LED_C_OFF();
1802 *command = em4x50_sim_handle_standard_read_command(tag, ledcontrol);
1803 break;
1804
1805 // bit errors during reading may lead to unknown commands
1806 // -> continue with standard read mode
1807 default:
1808 *command = EM4X50_COMMAND_STANDARD_READ;
1809 break;
1810 }
1811 }
1812
1813 // simulate uploaded data in emulator memory
1814 // LED C -> reader command has been detected
1815 // LED D -> operations that require authentication are possible
1816 void em4x50_sim(const uint32_t *password, bool ledcontrol) {
1817
1818 int command = PM3_ENODATA;
1819
1820 uint8_t *em4x50_mem = BigBuf_get_EM_addr();
1821 uint32_t tag[EM4X50_NO_WORDS] = {0x0};
1822
1823 for (int i = 0; i < EM4X50_NO_WORDS; i++)
1824 tag[i] = bytes_to_num(em4x50_mem + (i * 4), 4);
1825
1826 // via eload uploaded dump usually does not contain a password
1827 if (tag[EM4X50_DEVICE_PASSWORD] == 0) {
1828 tag[EM4X50_DEVICE_PASSWORD] = reflect32(*password);
1829 }
1830
1831 // only if valid em4x50 data (e.g. uid == serial)
1832 if (tag[EM4X50_DEVICE_SERIAL] != tag[EM4X50_DEVICE_ID]) {
1833
1834 // init
1835 if (ledcontrol) LEDsoff();
1836 em4x50_setup_sim();
1837 g_Login = false;
1838 g_WritePasswordProcess = false;
1839
1840 // start with initial command = standard read mode
1841 command = EM4X50_COMMAND_STANDARD_READ;
1842
1843 for (;;) {
1844
1845 em4x50_handle_commands(&command, tag, ledcontrol);
1846
1847 // stop if key (pm3 button or enter key) has been pressed
1848 if (command == PM3_EOPABORTED) {
1849 break;
1850 }
1851
1852 // if timeout (e.g. no reader field) continue with standard read
1853 // mode and reset former authentication
1854 if (command == PM3_ETIMEOUT) {
1855 command = EM4X50_COMMAND_STANDARD_READ;
1856 g_Login = false;
1857 if (ledcontrol) LED_D_OFF();
1858 }
1859 }
1860 }
1861
1862 BigBuf_free();
1863 lf_finalize(ledcontrol);
1864 reply_ng(CMD_LF_EM4X50_SIM, command, NULL, 0);
1865 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware