search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2654 from Antiklesys/master
[RRG-proxmark3.git] / client / src / cmdlfsecurakey.c
blob3d61887e57c073813fe87acc8e1ff2d7e8f145fb
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // Low frequency Securakey tag commands
17 // ASK/Manchester, RF/40, 96 bits long (unknown cs)
18 //-----------------------------------------------------------------------------
19 #include "cmdlfsecurakey.h"
20 #include <string.h> // memcpy
21 #include <ctype.h> // tolower
22 #include "commonutil.h" // ARRAYLEN
23 #include "cmdparser.h" // command_t
24 #include "comms.h"
25 #include "ui.h"
26 #include "cmddata.h"
27 #include "cmdlf.h"
28 #include "lfdemod.h" // preamble test
29 #include "parity.h" // for wiegand parity test
30 #include "protocols.h" // t55xx defines
31 #include "cmdlft55xx.h" // clone..
32 #include "cliparser.h"
33 #include "cmdlfem4x05.h" // EM defines
34
35 static int CmdHelp(const char *Cmd);
36
37 //see ASKDemod for what args are accepted
38 int demodSecurakey(bool verbose) {
39 (void) verbose; // unused so far
40
41 //ASK / Manchester
42 bool st = false;
43 if (ASKDemod_ext(40, 0, 0, 0, false, false, false, 1, &st) != PM3_SUCCESS) {
44 PrintAndLogEx(DEBUG, "DEBUG: Error - Securakey: ASK/Manchester Demod failed");
45 return PM3_ESOFT;
46 }
47 if (st)
48 return PM3_ESOFT;
49
50 size_t size = g_DemodBufferLen;
51 int ans = detectSecurakey(g_DemodBuffer, &size);
52 if (ans < 0) {
53 if (ans == -1)
54 PrintAndLogEx(DEBUG, "DEBUG: Error - Securakey: too few bits found");
55 else if (ans == -2)
56 PrintAndLogEx(DEBUG, "DEBUG: Error - Securakey: preamble not found");
57 else if (ans == -3)
58 PrintAndLogEx(DEBUG, "DEBUG: Error - Securakey: Size not correct: %zu", size);
59 else
60 PrintAndLogEx(DEBUG, "DEBUG: Error - Securakey: ans: %d", ans);
61 return PM3_ESOFT;
62 }
63 setDemodBuff(g_DemodBuffer, 96, ans);
64 setClockGrid(g_DemodClock, g_DemodStartIdx + (ans * g_DemodClock));
65
66 //got a good demod
67 uint32_t raw1 = bytebits_to_byte(g_DemodBuffer, 32);
68 uint32_t raw2 = bytebits_to_byte(g_DemodBuffer + 32, 32);
69 uint32_t raw3 = bytebits_to_byte(g_DemodBuffer + 64, 32);
70
71 // 26 bit format
72 // preamble ??bitlen reserved EPx xxxxxxxy yyyyyyyy yyyyyyyOP CS? CS2?
73 // 0111111111 0 01011010 0 00000000 0 00000010 0 00110110 0 00111110 0 01100010 0 00001111 0 01100000 0 00000000 0 0000
74
75 // 32 bit format
76 // preamble ??bitlen reserved EPxxxxxxx xxxxxxxy yyyyyyyy yyyyyyyOP CS? CS2?
77 // 0111111111 0 01100000 0 00000000 0 10000100 0 11001010 0 01011011 0 01010110 0 00010110 0 11100000 0 00000000 0 0000
78
79 // x = FC?
80 // y = card #
81 // standard wiegand parities.
82 // unknown checksum 11 bits? at the end
83 uint8_t bits_no_spacer[85];
84 memcpy(bits_no_spacer, g_DemodBuffer + 11, 85);
85
86 // remove marker bits (0's every 9th digit after preamble) (pType = 3 (always 0s))
87 size = removeParity(bits_no_spacer, 0, 9, 3, 85);
88 if (size != 85 - 9) {
89 PrintAndLogEx(DEBUG, "DEBUG: Error removeParity: %zu", size);
90 return 0;
91 }
92
93 uint8_t bitLen = (uint8_t)bytebits_to_byte(bits_no_spacer + 2, 6);
94 uint32_t fc = 0, lWiegand = 0, rWiegand = 0;
95 if (bitLen > 40) { //securakey's max bitlen is 40 bits...
96 PrintAndLogEx(DEBUG, "DEBUG: Error bitLen too long: %u", bitLen);
97 return PM3_ESOFT;
98 }
99 // get left 1/2 wiegand & right 1/2 wiegand (for parity test and wiegand print)
100 lWiegand = bytebits_to_byte(bits_no_spacer + 48 - bitLen, bitLen / 2);
101 rWiegand = bytebits_to_byte(bits_no_spacer + 48 - bitLen + bitLen / 2, bitLen / 2);
102 // get FC
103 fc = bytebits_to_byte(bits_no_spacer + 49 - bitLen, bitLen - 2 - 16);
104
105 // test bitLen
106 if (bitLen != 26 && bitLen != 32)
107 PrintAndLogEx(NORMAL, "***unknown securakey bitLen - share with forum***");
108
109 uint32_t cardid = bytebits_to_byte(bits_no_spacer + 8 + 23, 16);
110 // test parities - evenparity32 looks to add an even parity returns 0 if already even...
111 bool parity = !evenparity32(lWiegand) && !oddparity32(rWiegand);
112
113 PrintAndLogEx(SUCCESS, "Securakey - len: " _GREEN_("%u") " FC: " _GREEN_("0x%X")" Card: " _GREEN_("%u") ", Raw: %08X%08X%08X", bitLen, fc, cardid, raw1, raw2, raw3);
114 if (bitLen <= 32)
115 PrintAndLogEx(SUCCESS, "Wiegand: " _GREEN_("%08X") " parity ( %s )", (lWiegand << (bitLen / 2)) | rWiegand, parity ? _GREEN_("ok") : _RED_("fail"));
116
117 if (verbose) {
118 PrintAndLogEx(INFO, "\nHow the FC translates to printed FC is unknown");
119 PrintAndLogEx(INFO, "How the checksum is calculated is unknown");
120 PrintAndLogEx(INFO, "Help the community identify this format further\nby sharing your tag on the pm3 forum or discord");
121 }
122 return PM3_SUCCESS;
123 }
124
125 static int CmdSecurakeyDemod(const char *Cmd) {
126 CLIParserContext *ctx;
127 CLIParserInit(&ctx, "lf securakey demod",
128 "Try to find Securakey preamble, if found decode / descramble data",
129 "lf securakey demod"
130 );
131
132 void *argtable[] = {
133 arg_param_begin,
134 arg_param_end
135 };
136 CLIExecWithReturn(ctx, Cmd, argtable, true);
137 CLIParserFree(ctx);
138 return demodSecurakey(true);
139 }
140
141 static int CmdSecurakeyReader(const char *Cmd) {
142 CLIParserContext *ctx;
143 CLIParserInit(&ctx, "lf securakey reader",
144 "read a Securakey tag",
145 "lf securakey reader -@ -> continuous reader mode"
146 );
147
148 void *argtable[] = {
149 arg_param_begin,
150 arg_lit0("@", NULL, "optional - continuous reader mode"),
151 arg_param_end
152 };
153 CLIExecWithReturn(ctx, Cmd, argtable, true);
154 bool cm = arg_get_lit(ctx, 1);
155 CLIParserFree(ctx);
156
157 if (cm) {
158 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
159 }
160
161 do {
162 lf_read(false, 8000);
163 demodSecurakey(!cm);
164 } while (cm && !kbd_enter_pressed());
165
166 return PM3_SUCCESS;
167 }
168
169 static int CmdSecurakeyClone(const char *Cmd) {
170
171 CLIParserContext *ctx;
172 CLIParserInit(&ctx, "lf securakey clone",
173 "clone a Securakey tag to a T55x7, Q5/T5555 or EM4305/4469 tag.",
174 "lf securakey clone --raw 7FCB400001ADEA5344300000 -> encode for T55x7 tag\n"
175 "lf securakey clone --raw 7FCB400001ADEA5344300000 --q5 -> encode for Q5/T5555 tag\n"
176 "lf securakey clone --raw 7FCB400001ADEA5344300000 --em -> encode for EM4305/4469"
177 );
178
179 void *argtable[] = {
180 arg_param_begin,
181 arg_str1("r", "raw", "<hex>", "raw hex data. 12 bytes"),
182 arg_lit0(NULL, "q5", "optional - specify writing to Q5/T5555 tag"),
183 arg_lit0(NULL, "em", "optional - specify writing to EM4305/4469 tag"),
184 arg_param_end
185 };
186 CLIExecWithReturn(ctx, Cmd, argtable, false);
187
188 int raw_len = 0;
189 // skip first block, 3*4 = 12 bytes left
190 uint8_t raw[12] = {0};
191 CLIGetHexWithReturn(ctx, 1, raw, &raw_len);
192 bool q5 = arg_get_lit(ctx, 2);
193 bool em = arg_get_lit(ctx, 3);
194 CLIParserFree(ctx);
195
196 if (q5 && em) {
197 PrintAndLogEx(FAILED, "Can't specify both Q5 and EM4305 at the same time");
198 return PM3_EINVARG;
199 }
200
201 if (raw_len != 12) {
202 PrintAndLogEx(ERR, "Data must be 12 bytes (24 HEX characters) %d", raw_len);
203 return PM3_EINVARG;
204 }
205
206 uint32_t blocks[4];
207 for (uint8_t i = 1; i < ARRAYLEN(blocks); i++) {
208 blocks[i] = bytes_to_num(raw + ((i - 1) * 4), sizeof(uint32_t));
209 }
210
211 //Securakey - compat mode, ASK/Man, data rate 40, 3 data blocks
212 blocks[0] = T55x7_MODULATION_MANCHESTER | T55x7_BITRATE_RF_40 | 3 << T55x7_MAXBLOCK_SHIFT;
213 char cardtype[16] = {"T55x7"};
214 // Q5
215 if (q5) {
216 blocks[0] = T5555_FIXED | T5555_MODULATION_MANCHESTER | T5555_SET_BITRATE(40) | T5555_ST_TERMINATOR | 3 << T5555_MAXBLOCK_SHIFT;
217 snprintf(cardtype, sizeof(cardtype), "Q5/T5555");
218 }
219
220 // EM4305
221 if (em) {
222 blocks[0] = EM4305_SECURAKEY_CONFIG_BLOCK;
223 snprintf(cardtype, sizeof(cardtype), "EM4305/4469");
224 }
225
226 PrintAndLogEx(INFO, "Preparing to clone Securakey to " _YELLOW_("%s") " with raw hex", cardtype);
227 print_blocks(blocks, ARRAYLEN(blocks));
228
229 int res;
230 if (em) {
231 res = em4x05_clone_tag(blocks, ARRAYLEN(blocks), 0, false);
232 } else {
233 res = clone_t55xx_tag(blocks, ARRAYLEN(blocks));
234 }
235 PrintAndLogEx(SUCCESS, "Done!");
236 PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`lf securakey reader`") " to verify");
237 return res;
238 }
239
240 static int CmdSecurakeySim(const char *Cmd) {
241
242 CLIParserContext *ctx;
243 CLIParserInit(&ctx, "lf securakey sim",
244 "Enables simulation of secura card with specified card number.\n"
245 "Simulation runs until the button is pressed or another USB command is issued.",
246 "lf securakey sim --raw 7FCB400001ADEA5344300000"
247 );
248
249 void *argtable[] = {
250 arg_param_begin,
251 arg_str0("r", "raw", "<hex>", " raw hex data. 12 bytes"),
252 arg_param_end
253 };
254 CLIExecWithReturn(ctx, Cmd, argtable, false);
255
256 int raw_len = 0;
257 // skip first block, 3*4 = 12 bytes left
258 uint8_t raw[12] = {0};
259 CLIGetHexWithReturn(ctx, 1, raw, &raw_len);
260 CLIParserFree(ctx);
261
262 if (raw_len != 12) {
263 PrintAndLogEx(ERR, "Data must be 12 bytes (24 HEX characters) %d", raw_len);
264 return PM3_EINVARG;
265 }
266
267 PrintAndLogEx(SUCCESS, "Simulating SecuraKey - raw " _YELLOW_("%s"), sprint_hex_inrow(raw, sizeof(raw)));
268
269 uint8_t bs[sizeof(raw) * 8];
270 bytes_to_bytebits(raw, sizeof(raw), bs);
271
272 lf_asksim_t *payload = calloc(1, sizeof(lf_asksim_t) + sizeof(bs));
273 payload->encoding = 1;
274 payload->invert = 0;
275 payload->separator = 0;
276 payload->clock = 40;
277 memcpy(payload->data, bs, sizeof(bs));
278
279 clearCommandBuffer();
280 SendCommandNG(CMD_LF_ASK_SIMULATE, (uint8_t *)payload, sizeof(lf_asksim_t) + sizeof(bs));
281 free(payload);
282
283 PacketResponseNG resp;
284 WaitForResponse(CMD_LF_ASK_SIMULATE, &resp);
285
286 PrintAndLogEx(INFO, "Done!");
287 if (resp.status != PM3_EOPABORTED) {
288 return resp.status;
289 }
290 return PM3_SUCCESS;
291 }
292
293 static command_t CommandTable[] = {
294 {"help", CmdHelp, AlwaysAvailable, "This help"},
295 {"demod", CmdSecurakeyDemod, AlwaysAvailable, "demodulate an Securakey tag from the GraphBuffer"},
296 {"reader", CmdSecurakeyReader, IfPm3Lf, "attempt to read and extract tag data"},
297 {"clone", CmdSecurakeyClone, IfPm3Lf, "clone Securakey tag to T55x7, Q5/T5555 or EM4305/4469"},
298 {"sim", CmdSecurakeySim, IfPm3Lf, "simulate Securakey tag"},
299 {NULL, NULL, NULL, NULL}
300 };
301
302 static int CmdHelp(const char *Cmd) {
303 (void)Cmd; // Cmd is not used so far
304 CmdsHelp(CommandTable);
305 return PM3_SUCCESS;
306 }
307
308 int CmdLFSecurakey(const char *Cmd) {
309 clearCommandBuffer();
310 return CmdsParse(CommandTable, Cmd);
311 }
312
313 // by marshmellow
314 // find Securakey preamble in already demoded data
315 int detectSecurakey(uint8_t *dest, size_t *size) {
316 if (*size < 96) return -1; //make sure buffer has data
317 size_t startIdx = 0;
318 uint8_t preamble[] = {0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1};
319 if (!preambleSearch(dest, preamble, sizeof(preamble), size, &startIdx))
320 return -2; //preamble not found
321 if (*size != 96) return -3; //wrong demoded size
322 //return start position
323 return (int)startIdx;
324 }
325
Proxmark3 - the RFID research Swiss army knife. Iceman firmware