search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2654 from Antiklesys/master
[RRG-proxmark3.git] / client / src / cmdlft55xx.c
blob48c2fa7a797f07608e9e3300325cca3d587610f8
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // Low frequency T55xx commands
17 //-----------------------------------------------------------------------------
18
19 // ensure localtime_r is available even with -std=c99; must be included before
20 #if !defined(_WIN32)
21 #define _POSIX_C_SOURCE 200112L
22 #endif
23
24 #include "cmdlft55xx.h"
25 #include <ctype.h>
26 #include <time.h> // MingW
27 #include "cmdparser.h" // command_t
28 #include "comms.h"
29 #include "commonutil.h"
30 #include "protocols.h"
31 #include "proxgui.h"
32 #include "graph.h"
33 #include "cmddata.h"
34 #include "lfdemod.h"
35 #include "cmdhf14a.h" // for getTagInfo
36 #include "fileutils.h" // loadDictionary
37 #include "util_posix.h"
38 #include "cmdlf.h" // for lf sniff
39 #include "generator.h"
40 #include "cliparser.h" // cliparsing
41
42 // Some defines for readability
43 #define T55XX_DLMODE_FIXED 0 // Default Mode
44 #define T55XX_DLMODE_LLR 1 // Long Leading Reference
45 #define T55XX_DLMODE_LEADING_ZERO 2 // Leading Zero
46 #define T55XX_DLMODE_1OF4 3 // 1 of 4
47 // #define T55XX_LONGLEADINGREFERENCE 4 // Value to tell Write Bit to send long reference
48 #define T55XX_DLMODE_ALL 4 // Tell help to show 'r 4' for all dl modes
49 #define T55XX_DLMODE_SINGLE 5 // Tell help file NOT to show 'r 4' (not available)
50
51 #define T55XX_PrintConfig true
52 #define T55XX_DontPrintConfig false
53
54 //static uint8_t bit_rates[9] = {8, 16, 32, 40, 50, 64, 100, 128, 0};
55
56 // Default configuration
57 static t55xx_conf_block_t config = {
58 .modulation = DEMOD_ASK,
59 .inverted = false,
60 .offset = 0x00,
61 .block0 = 0x00,
62 .block0Status = NOTSET,
63 .Q5 = false,
64 .usepwd = false,
65 .downlink_mode = refFixedBit
66 };
67
68 static t55xx_memory_item_t cardmem[T55x7_BLOCK_COUNT] = {{0}};
69 /*
70 #define DC(x) ((x) + 128)
71
72 static bool t55xx_is_valid_block0(uint32_t block, uint8_t rfclk, uint8_t pskcf) {
73
74 if (block == 0x00) {
75 return false;
76 }
77
78 // Master key = 6 or 9
79 if ((((block >> 28)& 0xF) != 0x0) &&
80 (((block >> 28)& 0xF) != 0x6) &&
81 (((block >> 28)& 0xF) != 0x9)) {
82 return false;
83 }
84
85 // X Mode
86 if ( ((block >> 17) & 1) && ((((block >> 28) & 0xf) == 0x6) || (((block >> 28) & 0xf) == 0x9)) ) {
87 // X mode fixed 0 bits
88 if ((block & 0x0F000000) != 0x00) {
89 return false;
90 }
91 } else {
92 // / Basic Mode fixed 0 bits
93 if ((block & 0x0FE00106) != 0x00) {
94 return false;
95 }
96 }
97
98 // Modulation
99 if ( (((block >> 12) & 0x1F) != 0x00) && // Direct
100 (((block >> 12) & 0x1F) != 0x01) && // PSK1
101 (((block >> 12) & 0x1F) != 0x02) && // PSK2
102 (((block >> 12) & 0x1F) != 0x03) && // PSK3
103 (((block >> 12) & 0x1F) != 0x04) && // FSK1
104 (((block >> 12) & 0x1F) != 0x05) && // FSK2
105 (((block >> 12) & 0x1F) != 0x06) && // FSK1a
106 (((block >> 12) & 0x1F) != 0x07) && // FSK2a
107 (((block >> 12) & 0x1F) != 0x08) && // Manchester
108 (((block >> 12) & 0x1F) != 0x10) && // Bi-phase
109 (((block >> 12) & 0x1F) != 0x18) ) { // Reserved
110 return false;
111 }
112
113 PrintAndLogEx(DEBUG, "suggested block... %08x", block);
114
115 // check pskcf
116 if ((pskcf <= 3) && (((block >> 10) & 0x3) != pskcf)) {
117 PrintAndLogEx(DEBUG, "fail 6 - %u %u", pskcf, (block >> 10) & 0x3);
118 return false;
119 }
120
121 uint8_t testSpeed;
122
123 // check rfclk
124 if ((((block >> 17) & 1) == 1) && ((((block >> 28) & 0xf) == 0x6) || (((block >> 28) & 0xf) == 0x9)) ){ // X mode speedBits
125 testSpeed = (((block >> 18) & 0x3F) * 2) + 2;
126 } else {
127 uint8_t basicSpeeds[] = {8,16,32,40,50,64,100,128};
128 testSpeed = basicSpeeds[(block >> 18) & 0x7];
129 }
130
131 if (testSpeed != rfclk) {
132 PrintAndLogEx(DEBUG, "fail 7 - %u %u ", testSpeed , rfclk);
133 return false;
134 }
135 return true;
136 }
137
138 static void t55xx_psk1_demod (int *data, uint8_t rfclk, uint8_t pskcf, uint32_t *block) {
139
140 if ((rfclk < 8) || (rfclk > 128)) {
141 return;
142 }
143
144 switch (pskcf) {
145 case 0: {
146 pskcf = 2;
147 break;
148 }
149 case 1: {
150 pskcf = 4;
151 break;
152 }
153 case 2: {
154 pskcf = 8;
155 break;
156 }
157 default: {
158 break;
159 }
160 }
161
162 int startOffset = 1; // where to start reading data samples
163 int sampleCount = 0; // Counter for 1 bit of samples
164 int samples0, samples1; // Number of High even and odd bits in a sample.
165 int startBitOffset = 1; // which bit to start at e.g. for rf/32 1 33 65 ...
166 int bitCount = 0;
167 uint32_t myblock = 0;
168 int offset;
169 uint8_t drift = 0;
170 uint8_t tuneOffset = 0;
171
172 drift = (rfclk % pskcf); // 50 2 = 1 50 4 = 2
173
174 // locate first "0" - high transisiton for correct start offset
175 while (DC(data[startOffset]) <= (DC(data[startOffset - 1]) + 5)) {
176 // sampleToggle ^= 1;
177 startOffset++;
178 }
179
180 // Start sample may be 1 off due to sample alignment with chip modulation
181 // so seach for the first lower value, and adjust as needed
182 if (pskcf == 2) {
183
184 tuneOffset = startOffset + 1;
185
186 while (DC(data[tuneOffset]) >= (DC(data[tuneOffset - 1]) + 5)) {
187 tuneOffset++;
188 }
189
190 if ((tuneOffset - startOffset - 1) % 2) {
191 startOffset++;
192 }
193 }
194
195 uint8_t pskcfidx = 0;
196
197 // Get the offset to the first sample of the data block
198 offset = (rfclk * startBitOffset) + startOffset;
199
200 pskcfidx = (drift / 2);
201 pskcfidx = pskcfidx % pskcf;
202
203 // while data my be in the settle period of sampling
204 // First 18 - 24 bits not usable for reference only
205 while (offset < 20) {
206 offset += (32 * rfclk);
207 }
208
209 // Read 1 block of data
210 for (bitCount = 0; bitCount < 32; bitCount++) {
211
212 samples0 = 0;
213 samples1 = 0;
214
215 // Get 1 bit of data
216 for (sampleCount = 0; sampleCount < rfclk; sampleCount++){
217 // Count number of even and odd high bits at center to edge
218 switch (pskcf) {
219 case 2: {
220
221 // if current sample is high
222 if (DC(data[offset]) > DC(data[offset + 1])) {
223 if (pskcfidx == 0) {
224 samples0++;
225 } else {
226 samples1++;
227 }
228 }
229 break;
230 }
231 case 4: {
232
233 // only check pskcf 2nd bit x 1 x x
234 if (pskcfidx == 1) {
235
236 // if current sample is high
237 if (DC(data[offset]) > DC(data[offset + 2])) {
238 samples0++;
239 } else {
240 samples1++;
241 }
242 }
243 break;
244 }
245 case 8: {
246
247 if (pskcfidx == 3) { // x x x 1 x x x x // 00041840 : FFFBE7BF
248
249 // if current sample is high
250 if (DC(data[offset]) > DC(data[offset + 4])) {
251 samples0++;
252 } else {
253 samples1++;
254 }
255 }
256 break;
257 }
258 default: {
259 break;
260 }
261 }
262
263 // If at bit boundary (after first bit) then adjust phase check for drift
264 if ((sampleCount > 0) && (sampleCount % rfclk) == 0) {
265 pskcfidx -= drift;
266 }
267
268 offset++;
269 pskcfidx++;
270 pskcfidx = pskcfidx % pskcf;
271 }
272
273 myblock <<= 1;
274 if (samples1 > samples0) {
275 myblock++;
276 }
277 }
278
279 *block = myblock;
280 }
281
282 static void t55xx_psk2_demod (int *data, uint8_t rfclk, uint8_t pskcf, uint32_t *block) {
283 // decode PSK
284 t55xx_psk1_demod (data, rfclk, pskcf, block);
285
286 uint32_t new_block = 0;
287 uint8_t prev_phase = 1;
288
289 // Convert to PSK2
290 for (int8_t bit = 31; bit >= 0; bit--) {
291
292 new_block <<= 1;
293
294 if (((*block >> bit) & 1) != prev_phase) {
295 new_block++;
296 }
297
298 prev_phase = ((*block >> bit) & 1);
299 }
300
301 *block = new_block;
302 }
303
304 static void t55xx_search_config_psk(int *d, int pskV) {
305
306 for (uint8_t pskcf = 0; pskcf < 3; pskcf++) {
307
308 for (uint8_t speedBits = 0; speedBits < 64; speedBits++) {
309
310 uint8_t rfclk = rfclk = (2 * speedBits) + 2;
311 uint32_t block = 0;
312
313 if (pskV == 1) {
314 t55xx_psk1_demod (d, rfclk, pskcf, &block);
315 }
316
317 if (pskV == 2) {
318 t55xx_psk2_demod (d, rfclk, pskcf, &block);
319 }
320
321 if (t55xx_is_valid_block0(block, rfclk, pskcf)) {
322 PrintAndLogEx(SUCCESS, "Valid config block [%08X] - rfclk [%d] - pskcf [%d]", block, rfclk, pskcf);
323 }
324 }
325 }
326 }
327 */
328
329 t55xx_conf_block_t Get_t55xx_Config(void) {
330 return config;
331 }
332
333 void Set_t55xx_Config(t55xx_conf_block_t conf) {
334 config = conf;
335 }
336
337 static int CmdHelp(const char *Cmd);
338
339 static void arg_add_t55xx_downloadlink(void *at[], uint8_t *idx, uint8_t show, uint8_t dl_mode_def) {
340 const size_t r_count = 56;
341 const size_t r_len = r_count * sizeof(uint8_t);
342
343 char *r0 = (char *)calloc(r_count, sizeof(uint8_t));
344 char *r1 = (char *)calloc(r_count, sizeof(uint8_t));
345 char *r2 = (char *)calloc(r_count, sizeof(uint8_t));
346 char *r3 = (char *)calloc(r_count, sizeof(uint8_t));
347
348 snprintf(r0, r_len, "downlink - fixed bit length %s", (dl_mode_def == 0) ? "(detected def)" : "");
349 snprintf(r1, r_len, "downlink - long leading reference %s", (dl_mode_def == 1) ? "(detected def)" : "");
350 snprintf(r2, r_len, "downlink - leading zero %s", (dl_mode_def == 2) ? "(detected def)" : "");
351 snprintf(r3, r_len, "downlink - 1 of 4 coding reference %s", (dl_mode_def == 3) ? "(detected def)" : "");
352
353 uint8_t n = *idx;
354 at[n++] = arg_lit0(NULL, "r0", r0);
355 at[n++] = arg_lit0(NULL, "r1", r1);
356 at[n++] = arg_lit0(NULL, "r2", r2);
357 at[n++] = arg_lit0(NULL, "r3", r3);
358
359 if (show == T55XX_DLMODE_ALL) {
360 char *r4 = (char *)calloc(r_count, sizeof(uint8_t));
361 snprintf(r4, r_len, "try all downlink modes %s", (dl_mode_def == 4) ? "(def)" : "");
362 at[n++] = arg_lit0(NULL, "all", r4);
363 }
364 at[n++] = arg_param_end;
365 *idx = n;
366 }
367
368 static int CmdT55xxCloneHelp(const char *Cmd) {
369 CLIParserContext *ctx;
370 CLIParserInit(&ctx, "lf t55xx clonehelp",
371 "Display a list of available commands for cloning specific techs on T5xx tags",
372 "lf t55xx clonehelp"
373 );
374 void *argtable[] = {
375 arg_param_begin,
376 arg_param_end
377 };
378 CLIExecWithReturn(ctx, Cmd, argtable, true);
379 CLIParserFree(ctx);
380 PrintAndLogEx(NORMAL, "For cloning specific techs on T55xx tags, see commands available in corresponding LF sub-menus, e.g.:");
381 PrintAndLogEx(NORMAL, _GREEN_("lf awid clone"));
382 PrintAndLogEx(NORMAL, _GREEN_("lf destron clone"));
383 PrintAndLogEx(NORMAL, _GREEN_("lf em 410x clone"));
384 // todo: implement restore
385 // PrintAndLogEx(NORMAL, _GREEN_("lf em 4x05 write"));
386 // PrintAndLogEx(NORMAL, _GREEN_("lf em 4x50 restore"));
387 PrintAndLogEx(NORMAL, _GREEN_("lf fdxb clone"));
388 PrintAndLogEx(NORMAL, _GREEN_("lf gallagher clone"));
389 PrintAndLogEx(NORMAL, _GREEN_("lf gproxii clone"));
390 PrintAndLogEx(NORMAL, _GREEN_("lf hid clone"));
391 // todo: implement restore
392 // PrintAndLogEx(NORMAL, _GREEN_("lf hitag clone"));
393 PrintAndLogEx(NORMAL, _GREEN_("lf idteck clone"));
394 PrintAndLogEx(NORMAL, _GREEN_("lf indala clone"));
395 PrintAndLogEx(NORMAL, _GREEN_("lf io clone"));
396 PrintAndLogEx(NORMAL, _GREEN_("lf jablotron clone"));
397 PrintAndLogEx(NORMAL, _GREEN_("lf keri clone"));
398 PrintAndLogEx(NORMAL, _GREEN_("lf motorola clone"));
399 PrintAndLogEx(NORMAL, _GREEN_("lf nedap clone"));
400 PrintAndLogEx(NORMAL, _GREEN_("lf nexwatch clone"));
401 PrintAndLogEx(NORMAL, _GREEN_("lf noralsy clone"));
402 PrintAndLogEx(NORMAL, _GREEN_("lf pac clone"));
403 PrintAndLogEx(NORMAL, _GREEN_("lf paradox clone"));
404 PrintAndLogEx(NORMAL, _GREEN_("lf presco clone"));
405 PrintAndLogEx(NORMAL, _GREEN_("lf pyramid clone"));
406 PrintAndLogEx(NORMAL, _GREEN_("lf securakey clone"));
407 PrintAndLogEx(NORMAL, _GREEN_("lf viking clone"));
408 PrintAndLogEx(NORMAL, _GREEN_("lf visa2000 clone"));
409 return PM3_SUCCESS;
410 }
411
412 static void T55x7_SaveBlockData(uint8_t idx, uint32_t data) {
413 if (idx < T55x7_BLOCK_COUNT) {
414 cardmem[idx].valid = true;
415 cardmem[idx].blockdata = data;
416 }
417 }
418 static void T55x7_ClearAllBlockData(void) {
419 for (uint8_t idx = 0; idx < T55x7_BLOCK_COUNT; idx++) {
420 cardmem[idx].valid = false;
421 cardmem[idx].blockdata = 0x00;
422 }
423 }
424
425 int clone_t55xx_tag(uint32_t *blockdata, uint8_t numblocks) {
426
427 if (blockdata == NULL)
428 return PM3_EINVARG;
429 if (numblocks < 1 || numblocks > 8)
430 return PM3_EINVARG;
431
432 PacketResponseNG resp;
433
434 // fast push mode
435 g_conn.block_after_ACK = true;
436
437 for (int8_t i = 0; i < numblocks; i++) {
438
439 // Disable fast mode on last packet
440 if (i == numblocks - 1) {
441 g_conn.block_after_ACK = false;
442 }
443
444 clearCommandBuffer();
445
446 t55xx_write_block_t ng;
447 ng.data = blockdata[i];
448 ng.pwd = 0;
449 ng.blockno = i;
450 ng.flags = 0;
451
452 SendCommandNG(CMD_LF_T55XX_WRITEBL, (uint8_t *)&ng, sizeof(ng));
453 if (!WaitForResponseTimeout(CMD_LF_T55XX_WRITEBL, &resp, T55XX_WRITE_TIMEOUT)) {
454 PrintAndLogEx(ERR, "Error occurred, device did not respond during write operation.");
455 return PM3_ETIMEOUT;
456 }
457 }
458
459 uint8_t res = 0;
460 for (int8_t i = 0; i < numblocks; i++) {
461
462 if (i == 0) {
463 SetConfigWithBlock0(blockdata[0]);
464 if (t55xxAcquireAndCompareBlock0(false, 0, blockdata[0], false))
465 continue;
466 }
467
468 if (t55xxVerifyWrite(i, 0, false, false, 0, 0xFF, blockdata[i]) == false)
469 res++;
470 }
471
472 if (res == 0)
473 PrintAndLogEx(SUCCESS, "Data written and verified");
474
475 return PM3_SUCCESS;
476 }
477
478 static bool t55xxProtect(bool lock, bool usepwd, uint8_t override, uint32_t password, uint8_t downlink_mode, uint32_t new_password) {
479
480 PrintAndLogEx(INFO, "Checking current configuration");
481
482 bool testmode = false;
483 uint32_t block0 = 0;
484
485 int res = T55xxReadBlockEx(T55x7_CONFIGURATION_BLOCK, T55x7_PAGE0, usepwd, override, password, downlink_mode, false);
486 if (res != PM3_SUCCESS) {
487 PrintAndLogEx(WARNING, "Failed to read block0, use " _YELLOW_("`p`") " password parameter?");
488 return false;
489 }
490
491 if (GetT55xxBlockData(&block0) == false) {
492 PrintAndLogEx(DEBUG, "ERROR decoded block0 == %08x", block0);
493 return false;
494 }
495 PrintAndLogEx(DEBUG, "OK read block0 == %08x", block0);
496
497
498 bool isPwdBitAlreadySet = (block0 >> (32 - 28) & 1);
499 if (isPwdBitAlreadySet) {
500 PrintAndLogEx(INFO, "PWD bit is already set");
501 usepwd = true;
502 }
503
504 // set / clear pwd bit
505 if (lock) {
506 block0 |= 1 << 4;
507 } else {
508 block0 &= ~(1 << 4);
509 }
510
511 // write new password
512 if (t55xxWrite(T55x7_PWD_BLOCK, T55x7_PAGE0, usepwd, testmode, password, downlink_mode, new_password) != PM3_SUCCESS) {
513 PrintAndLogEx(ERR, "Failed to write new password");
514 return false;
515 } else {
516 PrintAndLogEx(SUCCESS, "Wrote new password");
517 }
518
519 // validate new password
520 uint32_t curr_password = (isPwdBitAlreadySet) ? new_password : password;
521
522 if (t55xxVerifyWrite(T55x7_PWD_BLOCK, T55x7_PAGE0, usepwd, override, curr_password, downlink_mode, new_password) == false) {
523 PrintAndLogEx(WARNING, "Failed to validate the password write. aborting.");
524 return false;
525 } else {
526 PrintAndLogEx(SUCCESS, "Validated new password");
527 }
528
529 // write config
530 if (t55xxWrite(T55x7_CONFIGURATION_BLOCK, T55x7_PAGE0, usepwd, testmode, curr_password, downlink_mode, block0) != PM3_SUCCESS) {
531 PrintAndLogEx(ERR, "Failed to write modified configuration block %08X", block0);
532 return false;
533 } else {
534 PrintAndLogEx(SUCCESS, "Wrote modified configuration block");
535 }
536
537 // validate new config. If all went well, card should now demand pwd, hence override = 0.
538 override = 0;
539 if (t55xxVerifyWrite(T55x7_CONFIGURATION_BLOCK, T55x7_PAGE0, true, override, new_password, downlink_mode, block0) == false) {
540 PrintAndLogEx(WARNING, "Failed to validate pwd bit set on configuration block. aborting.");
541 return false;
542 } else {
543 PrintAndLogEx(SUCCESS, "New configuration block " _YELLOW_("%08X")" password " _YELLOW_("%08X"), block0, new_password);
544 PrintAndLogEx(SUCCESS, "Success, tag is locked");
545 return true;
546 }
547 }
548
549 bool t55xxAcquireAndCompareBlock0(bool usepwd, uint32_t password, uint32_t known_block0, bool verbose) {
550
551 if (verbose)
552 PrintAndLogEx(INFO, "Block0 write detected, running `detect` to see if validation is possible");
553
554 for (uint8_t m = 0; m < 4; m++) {
555 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, m) == false) {
556 continue;
557 }
558
559 if (DecodeT55xxBlock() == false) {
560 continue;
561 }
562
563 for (size_t i = 0; i < g_DemodBufferLen - 32; i++) {
564 uint32_t tmp = PackBits(i, 32, g_DemodBuffer);
565 if (tmp == known_block0) {
566 config.offset = i;
567 config.downlink_mode = m;
568 return true;
569 }
570 }
571 }
572 return false;
573 }
574
575 bool t55xxAcquireAndDetect(bool usepwd, uint32_t password, uint32_t known_block0, bool verbose) {
576
577 if (verbose)
578 PrintAndLogEx(INFO, "Block0 write detected, running `detect` to see if validation is possible");
579
580 for (uint8_t m = 0; m < 4; m++) {
581 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, m) == false)
582 continue;
583
584 if (t55xxTryDetectModulationEx(m, verbose, known_block0, (usepwd) ? password : -1) == false)
585 continue;
586
587 config.downlink_mode = m;
588 return true;
589 }
590 config.usepwd = false; // unknown so assume no password
591 config.pwd = 0x00;
592 return false;
593 }
594
595 bool t55xxVerifyWrite(uint8_t block, bool page1, bool usepwd, uint8_t override, uint32_t password, uint8_t downlink_mode, uint32_t data) {
596
597 uint32_t read_data = 0;
598
599 if (downlink_mode == 0xFF)
600 downlink_mode = config.downlink_mode;
601
602 int res = T55xxReadBlockEx(block, page1, usepwd, override, password, downlink_mode, false);
603 if (res == PM3_SUCCESS) {
604
605 if (GetT55xxBlockData(&read_data) == false)
606 return false;
607
608 } else if (res == PM3_EWRONGANSWER) {
609
610 // couldn't decode. Lets see if this was a block 0 write and try read/detect it auto.
611 // this messes up with ppl config..
612 if (block == 0 && page1 == false) {
613
614 if (t55xxAcquireAndDetect(usepwd, password, data, true) == false)
615 return false;
616
617 return t55xxVerifyWrite(block, page1, usepwd, 2, password, config.downlink_mode, data);
618 }
619 }
620
621 return (read_data == data);
622 }
623
624 int t55xxWrite(uint8_t block, bool page1, bool usepwd, bool testMode, uint32_t password, uint8_t downlink_mode, uint32_t data) {
625
626 uint8_t flags;
627 flags = (usepwd) ? 0x1 : 0;
628 flags |= (page1) ? 0x2 : 0;
629 flags |= (testMode) ? 0x4 : 0;
630 flags |= (downlink_mode << 3);
631
632 /*
633 OLD style
634 arg0 = data, (4 bytes)
635 arg1 = block (1 byte)
636 arg2 = password (4 bytes)
637 flags = data[0] (1 byte)
638
639 new style
640 uses struct in pm3_cmd.h
641 */
642 t55xx_write_block_t ng;
643 ng.data = data;
644 ng.pwd = password;
645 ng.blockno = block;
646 ng.flags = flags;
647
648 PacketResponseNG resp;
649 clearCommandBuffer();
650 SendCommandNG(CMD_LF_T55XX_WRITEBL, (uint8_t *)&ng, sizeof(ng));
651 if (!WaitForResponseTimeout(CMD_LF_T55XX_WRITEBL, &resp, 2000)) {
652 PrintAndLogEx(ERR, "Error occurred, device did not ACK write operation.");
653 return PM3_ETIMEOUT;
654 }
655 return resp.status;
656 }
657
658 void printT5xxHeader(uint8_t page) {
659 PrintAndLogEx(NORMAL, "");
660 PrintAndLogEx(SUCCESS, _YELLOW_("Page %d"), page);
661 PrintAndLogEx(SUCCESS, "blk | hex data | binary | ascii");
662 PrintAndLogEx(SUCCESS, "----+----------+----------------------------------+-------");
663 }
664
665 void SetConfigWithBlock0(uint32_t block0) {
666 SetConfigWithBlock0Ex(block0, 0, false);
667 }
668 void SetConfigWithBlock0Ex(uint32_t block0, uint8_t offset, bool Q5) {
669 // T55x7
670 uint32_t extend = (block0 >> (32 - 15)) & 0x01;
671 uint32_t dbr;
672 if (extend)
673 dbr = (block0 >> (32 - 14)) & 0x3F;
674 else
675 dbr = (block0 >> (32 - 14)) & 0x07;
676
677 uint32_t datamod = (block0 >> (32 - 20)) & 0x1F;
678 bool pwd = (bool)((block0 >> (32 - 28)) & 0x01);
679 bool sst = (bool)((block0 >> (32 - 29)) & 0x01);
680 bool inv = (bool)((block0 >> (32 - 31)) & 0x01);
681
682 config.modulation = datamod;
683 config.bitrate = dbr;
684
685 // FSK1a, FSK2a
686 if (datamod == DEMOD_FSK1a || datamod == DEMOD_FSK2a || datamod == DEMOD_BIa)
687 config.inverted = 1;
688 else
689 config.inverted = inv;
690
691 config.Q5 = Q5;
692 config.ST = sst;
693 config.usepwd = pwd;
694 config.offset = offset;
695 config.block0 = block0;
696 }
697
698 static int CmdT55xxSetConfig(const char *Cmd) {
699 // No args
700 if (strlen(Cmd) == 0) {
701 PrintAndLogEx(INFO, "--- " _CYAN_("current t55xx config") " --------------------------");
702 return printConfiguration(config);
703 }
704
705 CLIParserContext *ctx;
706 CLIParserInit(&ctx, "lf t55xx config",
707 "Set/Get T55XX configuration of the pm3 client. Like modulation, inverted, offset, rate etc.\n"
708 "Offset is start position to decode data.",
709 "lf t55xx config --FSK --> FSK demodulation\n"
710 "lf t55xx config --FSK -i --> FSK demodulation, inverse data\n"
711 "lf t55xx config --FSK -i -o 3 --> FSK demodulation, inverse data, offset 3\n"
712 );
713
714 // 1 (help) + 19 (user specified params) + (5 T55XX_DLMODE_SINGLE)
715 void *argtable[1 + 12 + 6 + 5] = {
716 arg_param_begin,
717 arg_lit0(NULL, "FSK", "set demodulation FSK"),
718 arg_lit0(NULL, "FSK1", "set demodulation FSK 1"),
719 arg_lit0(NULL, "FSK1A", "set demodulation FSK 1a (inv)"),
720 arg_lit0(NULL, "FSK2", "set demodulation FSK 2"),
721 arg_lit0(NULL, "FSK2A", "set demodulation FSK 2a (inv)"),
722 arg_lit0(NULL, "ASK", "set demodulation ASK"),
723 arg_lit0(NULL, "PSK1", "set demodulation PSK 1"),
724 arg_lit0(NULL, "PSK2", "set demodulation PSK 2"),
725 arg_lit0(NULL, "PSK3", "set demodulation PSK 3"),
726 arg_lit0(NULL, "NRZ", "set demodulation NRZ"),
727 arg_lit0(NULL, "BI", "set demodulation Biphase"),
728 arg_lit0(NULL, "BIA", "set demodulation Diphase (inverted biphase)"),
729 arg_lit0("i", "inv", "set/reset data signal inversion"),
730 arg_lit0(NULL, "q5", "set/reset as Q5/T5555 chip instead of T55x7"),
731 arg_lit0(NULL, "st", "set/reset Sequence Terminator on"),
732 arg_int0(NULL, "rate", "<dec>", "set bitrate <8|16|32|40|50|64|100|128>"),
733 arg_str0("c", "blk0", "<hex>", "set configuration from a block0 (4 hex bytes)"),
734 arg_int0("o", "offset", "<0-255>", "set offset, where data should start decode in bitstream "),
735 };
736
737 uint8_t idx = 19;
738 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
739 CLIExecWithReturn(ctx, Cmd, argtable, true);
740
741 idx = 1;
742 bool mods[12];
743 int verify_mods = 0;
744 while (idx - 1 < sizeof(mods)) {
745 mods[idx - 1] = arg_get_lit(ctx, idx);
746 verify_mods += mods[idx - 1];
747 idx++;
748 }
749
750 // Not these flags are used to Toggle the values.
751 // If not flag then don't set or reset, leave as is since the call may just be be setting a different value.
752 bool invert = arg_get_lit(ctx, idx++);
753 bool use_q5 = arg_get_lit(ctx, idx++);
754 bool use_st = arg_get_lit(ctx, idx++);
755
756 int bitrate = arg_get_int_def(ctx, idx, -1);
757 idx++;
758
759 bool gotconf = false;
760 uint32_t block0 = 0;
761 int res = arg_get_u32_hexstr_def_nlen(ctx, idx++, 0, &block0, 4, true);
762 if (res == 0 || res == 2) {
763 PrintAndLogEx(ERR, "block0 data must be 4 hex bytes");
764 CLIParserFree(ctx);
765 return PM3_EINVARG;
766 }
767 if (res == 1) {
768 gotconf = true;
769 }
770
771 int offset = arg_get_int_def(ctx, idx, -1);
772 idx++;
773
774 bool r0 = arg_get_lit(ctx, idx++);
775 bool r1 = arg_get_lit(ctx, idx++);
776 bool r2 = arg_get_lit(ctx, idx++);
777 bool r3 = arg_get_lit(ctx, idx++);
778 CLIParserFree(ctx);
779
780 // validate user specified downlink mode
781 if ((r0 + r1 + r2 + r3) > 1) {
782 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
783 return PM3_EINVARG;
784 }
785
786 // validate user specified modulation FSK,FSK1,...BIA
787 if (verify_mods > 1) {
788 PrintAndLogEx(FAILED, "Error multiple demodulations, select one");
789 return PM3_EINVARG;
790 }
791
792 // validate user specified bitrate
793
794 if (bitrate != -1) {
795 uint8_t rates[9] = {8, 16, 32, 40, 50, 64, 100, 128, 0};
796 uint8_t i = 0;
797 for (; i < ARRAYLEN(rates); i++) {
798 if (rates[i] == bitrate) {
799 config.bitrate = i;
800 config.block0 = ((config.block0 & ~(0x1c0000)) | (i << 18));
801 break;
802 }
803 }
804 if (i == 9) {
805 PrintAndLogEx(FAILED, "Error select a valid bitrate");
806 return PM3_EINVARG;
807 }
808 }
809
810 // validate user specified offset
811 if (offset > -1 && offset < 0x100) {
812 config.offset = offset;
813 }
814
815 // validate user specific T5555 / Q5 - use the flag to toggle between T5577 and Q5
816 config.Q5 ^= use_q5;
817
818 // validate user specific sequence terminator
819 // if use_st flag was supplied, then toggle and update the config block0; if not supplied skip the config block0 update.
820 if (use_st) {
821 config.ST ^= use_st;
822 config.block0 = ((config.block0 & ~(0x8)) | (config.ST << 3));
823 }
824
825 // validate user specific invert
826 // In theory this should also be set in the config block 0; butit requries the extend mode config, which will change other things.
827 // as such, leave in user config for decoding the data until a full fix can be added.
828 // use the flag to toggle if invert is on or off.
829 config.inverted ^= invert;
830
831 // validate user specific downlink mode
832 uint8_t downlink_mode = config.downlink_mode;
833 if (r0)
834 downlink_mode = refFixedBit;
835 else if (r1)
836 downlink_mode = refLongLeading;
837 else if (r2)
838 downlink_mode = refLeading0;
839 else if (r3)
840 downlink_mode = ref1of4;
841
842 config.downlink_mode = downlink_mode;
843
844 // validate user specific modulation
845 if (mods[0]) {
846 config.modulation = DEMOD_FSK;
847 } else if (mods[1]) {
848 config.modulation = DEMOD_FSK1;
849 config.inverted = 0;
850 } else if (mods[2]) {
851 config.modulation = DEMOD_FSK1a;
852 config.inverted = 1;
853 } else if (mods[3]) {
854 config.modulation = DEMOD_FSK2;
855 config.inverted = 0;
856 } else if (mods[4]) {
857 config.modulation = DEMOD_FSK2a;
858 config.inverted = 1;
859 } else if (mods[5]) {
860 config.modulation = DEMOD_ASK;
861 } else if (mods[6]) {
862 config.modulation = DEMOD_PSK1;
863 } else if (mods[7]) {
864 config.modulation = DEMOD_PSK2;
865 } else if (mods[8]) {
866 config.modulation = DEMOD_PSK3;
867 } else if (mods[9]) {
868 config.modulation = DEMOD_NRZ;
869 } else if (mods[10]) {
870 config.modulation = DEMOD_BI;
871 config.inverted = 0;
872 } else if (mods[11]) {
873 config.modulation = DEMOD_BIa;
874 config.inverted = 1;
875 }
876
877 config.block0 = ((config.block0 & ~(0x1f000)) | (config.modulation << 12));
878
879 config.block0Status = USERSET;
880 if (gotconf) {
881 SetConfigWithBlock0Ex(block0, config.offset, config.Q5);
882 }
883
884 PrintAndLogEx(INFO, "--- " _CYAN_("current t55xx config") " --------------------------");
885 return printConfiguration(config);
886 }
887 int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, uint8_t override, uint32_t password, uint8_t downlink_mode) {
888 return T55xxReadBlockEx(block, page1, usepwd, override, password, downlink_mode, true);
889 }
890
891 int T55xxReadBlockEx(uint8_t block, bool page1, bool usepwd, uint8_t override, uint32_t password, uint8_t downlink_mode, bool verbose) {
892 //Password mode
893 if (usepwd) {
894 // try reading the config block and verify that PWD bit is set before doing this!
895 // override = 1 (override and display)
896 // override = 2 (override and no display)
897 if (override == 0) {
898 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0, downlink_mode) == false)
899 return PM3_ERFTRANS;
900
901 if (t55xxTryDetectModulationEx(downlink_mode, false, 0, password) == false) {
902 PrintAndLogEx(WARNING, "Safety check: Could not detect if PWD bit is set in config block. Exits.");
903 PrintAndLogEx(HINT, "Consider using the override parameter to force read.");
904 return PM3_EWRONGANSWER;
905 } else {
906 PrintAndLogEx(WARNING, "Safety check: PWD bit is NOT set in config block. Reading without password...");
907 usepwd = false;
908 page1 = false; // ??
909 }
910 } else if (override == 1) {
911 PrintAndLogEx(INFO, "Safety check overridden - proceeding despite risk");
912 }
913 }
914
915 if (AcquireData(page1, block, usepwd, password, downlink_mode) == false)
916 return PM3_ERFTRANS;
917
918 if (DecodeT55xxBlock() == false)
919 return PM3_EWRONGANSWER;
920
921 if (verbose)
922 printT55xxBlock(block, page1);
923
924 return PM3_SUCCESS;
925 }
926
927 static int CmdT55xxReadBlock(const char *Cmd) {
928 CLIParserContext *ctx;
929 CLIParserInit(&ctx, "lf t55xx read",
930 "Read T55xx block data. This commands defaults to page 0.\n\n"
931 _RED_(" * * * WARNING * * *") "\n"
932 _CYAN_("Use of read with password on a tag not configured") "\n"
933 _CYAN_("for a password can damage the tag") "\n"
934 _RED_(" * * * * * * * * * *"),
935 "lf t55xx read -b 0 --> read data from block 0\n"
936 "lf t55xx read -b 0 --pwd 01020304 --> read data from block 0, pwd 01020304\n"
937 "lf t55xx read -b 0 --pwd 01020304 -o --> read data from block 0, pwd 01020304, override\n"
938 );
939
940 // 1 (help) + 4(four user specified params) + (5 T55XX_DLMODE_SINGLE)
941 void *argtable[5 + 5] = {
942 arg_param_begin,
943 arg_int1("b", "blk", "<0-7>", "block number to read"),
944 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
945 arg_lit0("o", "override", "override safety check"),
946 arg_lit0(NULL, "pg1", "read page 1"),
947 };
948 uint8_t idx = 5;
949 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
950 CLIExecWithReturn(ctx, Cmd, argtable, true);
951
952 int block = arg_get_int_def(ctx, 1, REGULAR_READ_MODE_BLOCK);
953
954 bool usepwd = false;
955 uint32_t password = 0;
956 int res = arg_get_u32_hexstr_def_nlen(ctx, 2, 0, &password, 4, true);
957 if (res == 0 || res == 2) {
958 PrintAndLogEx(ERR, "Password should be 4 hex bytes");
959 CLIParserFree(ctx);
960 return PM3_EINVARG;
961 }
962 if (res == 1) {
963 usepwd = true;
964 }
965
966 uint8_t override = arg_get_lit(ctx, 3);
967 bool page1 = arg_get_lit(ctx, 4);
968
969 bool r0 = arg_get_lit(ctx, 5);
970 bool r1 = arg_get_lit(ctx, 6);
971 bool r2 = arg_get_lit(ctx, 7);
972 bool r3 = arg_get_lit(ctx, 8);
973 CLIParserFree(ctx);
974
975 if ((r0 + r1 + r2 + r3) > 1) {
976 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
977 return PM3_EINVARG;
978 }
979
980 uint8_t downlink_mode = config.downlink_mode;
981 if (r0)
982 downlink_mode = refFixedBit;
983 else if (r1)
984 downlink_mode = refLongLeading;
985 else if (r2)
986 downlink_mode = refLeading0;
987 else if (r3)
988 downlink_mode = ref1of4;
989
990 if (block > 7 && block != REGULAR_READ_MODE_BLOCK) {
991 PrintAndLogEx(NORMAL, "Block must be between 0 and 7");
992 return PM3_ESOFT;
993 }
994
995 printT5xxHeader(page1);
996 return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode);
997 }
998
999 bool DecodeT55xxBlock(void) {
1000
1001 int ans = 0;
1002 bool ST = config.ST;
1003 uint8_t bitRate[8] = {8, 16, 32, 40, 50, 64, 100, 128};
1004 g_DemodBufferLen = 0x00;
1005
1006 switch (config.modulation) {
1007 case DEMOD_FSK:
1008 ans = FSKrawDemod(bitRate[config.bitrate], config.inverted, 0, 0, false);
1009 break;
1010 case DEMOD_FSK1:
1011 case DEMOD_FSK1a:
1012 ans = FSKrawDemod(bitRate[config.bitrate], config.inverted, 8, 5, false);
1013 break;
1014 case DEMOD_FSK2:
1015 case DEMOD_FSK2a:
1016 ans = FSKrawDemod(bitRate[config.bitrate], config.inverted, 10, 8, false);
1017 break;
1018 case DEMOD_ASK:
1019 ans = ASKDemod_ext(bitRate[config.bitrate], config.inverted, 1, 0, false, false, false, 1, &ST);
1020 break;
1021 case DEMOD_PSK1:
1022 ans = PSKDemod(bitRate[config.bitrate], config.inverted, 6, false);
1023 break;
1024 case DEMOD_PSK2: //inverted won't affect this
1025 case DEMOD_PSK3: //not fully implemented
1026 ans = PSKDemod(bitRate[config.bitrate], 0, 6, false);
1027 psk1TOpsk2(g_DemodBuffer, g_DemodBufferLen);
1028 break;
1029 case DEMOD_NRZ:
1030 ans = NRZrawDemod(bitRate[config.bitrate], config.inverted, 1, false);
1031 break;
1032 case DEMOD_BI:
1033 case DEMOD_BIa:
1034 ans = ASKbiphaseDemod(0, bitRate[config.bitrate], config.inverted, 1, false);
1035 break;
1036 default:
1037 return false;
1038 }
1039 return (ans == PM3_SUCCESS);
1040 }
1041
1042 static bool DecodeT5555TraceBlock(void) {
1043 g_DemodBufferLen = 0x00;
1044
1045 // According to datasheet. Always: RF/64, not inverted, Manchester
1046 bool st = false;
1047 return (ASKDemod_ext(64, 0, 1, 0, false, false, false, 1, &st) == PM3_SUCCESS);
1048 }
1049
1050 // sanity check. Don't use proxmark if it is offline and you didn't specify useGraphbuf
1051 static int SanityOfflineCheck(bool useGraphBuffer) {
1052 if (!useGraphBuffer && !g_session.pm3_present) {
1053 PrintAndLogEx(WARNING, "Your proxmark3 device is offline. Specify [1] to use graphbuffer data instead");
1054 return PM3_ENODATA;
1055 }
1056 return PM3_SUCCESS;
1057 }
1058
1059 static void T55xx_Print_DownlinkMode(uint8_t downlink_mode) {
1060 char msg[80];
1061 snprintf(msg, sizeof(msg), "Downlink Mode used : ");
1062
1063 switch (downlink_mode) {
1064 case 1 :
1065 strcat(msg, _YELLOW_("long leading reference"));
1066 break;
1067 case 2 :
1068 strcat(msg, _YELLOW_("leading zero reference"));
1069 break;
1070 case 3 :
1071 strcat(msg, _YELLOW_("1 of 4 coding reference"));
1072 break;
1073 default :
1074 strcat(msg, _YELLOW_("default/fixed bit length"));
1075 break;
1076 }
1077
1078 PrintAndLogEx(SUCCESS, msg);
1079 }
1080
1081 static int CmdT55xxWakeUp(const char *Cmd) {
1082 CLIParserContext *ctx;
1083 CLIParserInit(&ctx, "lf t55xx wakeup",
1084 "This commands sends the Answer-On-Request command and leaves the readerfield ON afterwards",
1085 "lf t55xx wakeup -p 11223344 --> send wakeup with password\n"
1086 );
1087
1088 // 1 (help) + 2 (two user specified params) + (5 T55XX_DLMODE_SINGLE)
1089 void *argtable[3 + 5] = {
1090 arg_param_begin,
1091 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
1092 arg_lit0("v", "verbose", "verbose output"),
1093 };
1094 uint8_t idx = 3;
1095 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
1096 CLIExecWithReturn(ctx, Cmd, argtable, true);
1097
1098 uint32_t password = 0;
1099 int res = arg_get_u32_hexstr_def_nlen(ctx, 2, 0, &password, 4, true);
1100 if (res == 0 || res == 2) {
1101 PrintAndLogEx(ERR, "Password should be 4 hex bytes");
1102 CLIParserFree(ctx);
1103 return PM3_EINVARG;
1104 }
1105
1106 bool verbose = arg_get_lit(ctx, 2);
1107 bool r0 = arg_get_lit(ctx, 3);
1108 bool r1 = arg_get_lit(ctx, 4);
1109 bool r2 = arg_get_lit(ctx, 5);
1110 bool r3 = arg_get_lit(ctx, 6);
1111 CLIParserFree(ctx);
1112
1113 if ((r0 + r1 + r2 + r3) > 1) {
1114 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
1115 return PM3_EINVARG;
1116 }
1117
1118 uint8_t downlink_mode = config.downlink_mode;
1119 if (r0)
1120 downlink_mode = refFixedBit;
1121 else if (r1)
1122 downlink_mode = refLongLeading;
1123 else if (r2)
1124 downlink_mode = refLeading0;
1125 else if (r3)
1126 downlink_mode = ref1of4;
1127
1128 struct p {
1129 uint32_t password;
1130 uint8_t flags;
1131 } PACKED payload;
1132
1133 payload.password = password;
1134 payload.flags = (downlink_mode << 3);
1135
1136 clearCommandBuffer();
1137 SendCommandNG(CMD_LF_T55XX_WAKEUP, (uint8_t *)&payload, sizeof(payload));
1138 if (WaitForResponseTimeout(CMD_LF_T55XX_WAKEUP, NULL, 1000) == false) {
1139 PrintAndLogEx(WARNING, "command execution time out");
1140 return PM3_ETIMEOUT;
1141 }
1142
1143 if (verbose)
1144 PrintAndLogEx(SUCCESS, "Wake up command sent. Try read now");
1145
1146 return PM3_SUCCESS;
1147 }
1148
1149 static int CmdT55xxDetect(const char *Cmd) {
1150 CLIParserContext *ctx;
1151 CLIParserInit(&ctx, "lf t55xx detect",
1152 "Try detecting the tag modulation from reading the configuration block",
1153 "lf t55xx detect\n"
1154 "lf t55xx detect -1\n"
1155 "lf t55xx detect -p 11223344\n"
1156 );
1157
1158 // 1 (help) + 2 (two user specified params) + (6 T55XX_DLMODE_ALL)
1159 void *argtable[3 + 6] = {
1160 arg_param_begin,
1161 arg_lit0("1", NULL, "extract using data from graphbuffer"),
1162 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
1163 };
1164 uint8_t idx = 3;
1165 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_ALL, config.downlink_mode);
1166 CLIExecWithReturn(ctx, Cmd, argtable, true);
1167
1168 bool use_gb = arg_get_lit(ctx, 1);
1169
1170 bool usepwd = false;
1171 uint64_t password = -1;
1172 uint32_t tmp_pwd = 0;
1173 int res = arg_get_u32_hexstr_def_nlen(ctx, 2, 0, &tmp_pwd, 4, true);
1174 if (res == 0 || res == 2) {
1175 PrintAndLogEx(ERR, "Password should be 4 hex bytes");
1176 CLIParserFree(ctx);
1177 return PM3_EINVARG;
1178 }
1179 if (res == 1) {
1180 usepwd = true;
1181 password = tmp_pwd;
1182 }
1183
1184 bool r0 = arg_get_lit(ctx, 3);
1185 bool r1 = arg_get_lit(ctx, 4);
1186 bool r2 = arg_get_lit(ctx, 5);
1187 bool r3 = arg_get_lit(ctx, 6);
1188 bool ra = arg_get_lit(ctx, 7);
1189 CLIParserFree(ctx);
1190
1191 if ((r0 + r1 + r2 + r3 + ra) > 1) {
1192 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
1193 return PM3_EINVARG;
1194 }
1195
1196 bool try_all_dl_modes = false;
1197 uint8_t downlink_mode = config.downlink_mode;
1198 if (r0)
1199 downlink_mode = refFixedBit;
1200 else if (r1)
1201 downlink_mode = refLongLeading;
1202 else if (r2)
1203 downlink_mode = refLeading0;
1204 else if (r3)
1205 downlink_mode = ref1of4;
1206 else // This will set the default to user all d/l modes which will cover the ra flag as well.
1207 try_all_dl_modes = true;
1208
1209 bool found = false;
1210
1211 // Setup the 90ms time value to sleep for after the wake, to allow delay init to complete (~70ms)
1212 struct timespec sleepperiod;
1213 sleepperiod.tv_sec = 0;
1214 sleepperiod.tv_nsec = 90000000;
1215
1216 // detect called so clear data blocks
1217 T55x7_ClearAllBlockData();
1218
1219 // sanity check.
1220 if (SanityOfflineCheck(use_gb) != PM3_SUCCESS)
1221 return PM3_ESOFT;
1222
1223 if (use_gb == false) {
1224
1225 char wakecmd[20] = { 0x00 };
1226 snprintf(wakecmd, sizeof(wakecmd), "-p %08" PRIx64, password);
1227
1228 bool usewake = false;
1229 bool try_with_pwd = false;
1230 // do ... while not found and not yet tried with wake (for AOR or Init Delay)
1231 do {
1232 // do ... while to check without password then loop back if password supplied
1233 do {
1234 if (try_all_dl_modes) {
1235 // Loop from 1st d/l mode refFixedBit to the last d/l mode ref1of4
1236 for (uint8_t m = refFixedBit; m <= ref1of4; m++) {
1237 if (usewake) {
1238 // call wake
1239 if (try_with_pwd)
1240 CmdT55xxWakeUp(wakecmd);
1241 else
1242 CmdT55xxWakeUp("");
1243 // sleep 90 ms
1244 nanosleep(&sleepperiod, &sleepperiod);
1245 }
1246
1247 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, (try_with_pwd && usepwd), password, m) == false)
1248 continue;
1249
1250 if (t55xxTryDetectModulationEx(m, T55XX_PrintConfig, 0, (try_with_pwd && usepwd) ? password : -1) == false)
1251 continue;
1252
1253 found = true;
1254 break;
1255 }
1256 } else {
1257 if (usewake) {
1258 // call wake
1259 if (try_with_pwd)
1260 CmdT55xxWakeUp(wakecmd);
1261 else
1262 CmdT55xxWakeUp("");
1263 // sleep 90 ms
1264 nanosleep(&sleepperiod, &sleepperiod);
1265 }
1266
1267 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, downlink_mode)) {
1268 found = t55xxTryDetectModulationEx(downlink_mode, T55XX_PrintConfig, 0, (usepwd) ? password : -1);
1269 }
1270 }
1271
1272 // toggle so we loop back if not found and try with pwd
1273 if (found == false && usepwd)
1274 try_with_pwd = !try_with_pwd;
1275
1276 // force exit as detect block has been found
1277 if (found)
1278 try_with_pwd = false;
1279
1280 } while (try_with_pwd);
1281 // Toggle so we loop back and try with wakeup.
1282 usewake = !usewake;
1283 } while (found == false && usewake);
1284 } else {
1285 found = t55xxTryDetectModulation(downlink_mode, T55XX_PrintConfig);
1286 }
1287
1288 if (found == false) {
1289 config.usepwd = false;
1290 config.pwd = 0x00;
1291 PrintAndLogEx(WARNING, "Could not detect modulation automatically. Try setting it manually with " _YELLOW_("\'lf t55xx config\'"));
1292 }
1293
1294 return PM3_SUCCESS;
1295 }
1296
1297 // detect configuration?
1298 bool t55xxTryDetectModulation(uint8_t downlink_mode, bool print_config) {
1299 return t55xxTryDetectModulationEx(downlink_mode, print_config, 0, -1);
1300 }
1301
1302 bool t55xxTryDetectModulationEx(uint8_t downlink_mode, bool print_config, uint32_t wanted_conf, uint64_t pwd) {
1303
1304 t55xx_conf_block_t tests[15];
1305 int bitRate = 0, clk = 0, firstClockEdge = 0;
1306 uint8_t hits = 0, fc1 = 0, fc2 = 0, ans = 0;
1307
1308 ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, &firstClockEdge);
1309
1310 if (ans && ((fc1 == 10 && fc2 == 8) || (fc1 == 8 && fc2 == 5))) {
1311 if ((FSKrawDemod(0, 0, 0, 0, false) == PM3_SUCCESS) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1312 tests[hits].modulation = DEMOD_FSK;
1313 if (fc1 == 8 && fc2 == 5)
1314 tests[hits].modulation = DEMOD_FSK1a;
1315 else if (fc1 == 10 && fc2 == 8)
1316 tests[hits].modulation = DEMOD_FSK2;
1317 tests[hits].bitrate = bitRate;
1318 tests[hits].inverted = false;
1319 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1320 tests[hits].ST = false;
1321 tests[hits].downlink_mode = downlink_mode;
1322 ++hits;
1323 }
1324 if ((FSKrawDemod(0, 1, 0, 0, false) == PM3_SUCCESS) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1325 tests[hits].modulation = DEMOD_FSK;
1326 if (fc1 == 8 && fc2 == 5)
1327 tests[hits].modulation = DEMOD_FSK1;
1328 else if (fc1 == 10 && fc2 == 8)
1329 tests[hits].modulation = DEMOD_FSK2a;
1330 tests[hits].bitrate = bitRate;
1331 tests[hits].inverted = true;
1332 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1333 tests[hits].ST = false;
1334 tests[hits].downlink_mode = downlink_mode;
1335 ++hits;
1336 }
1337 } else {
1338 clk = GetAskClock("", false);
1339 if (clk > 0) {
1340 tests[hits].ST = true;
1341 // "0 0 1 " == clock auto, invert false, maxError 1.
1342 // false = no verbose
1343 // false = no emSearch
1344 // 1 = Ask/Man
1345 // st = true
1346 if ((ASKDemod_ext(0, 0, 1, 0, false, false, false, 1, &tests[hits].ST) == PM3_SUCCESS) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1347 tests[hits].modulation = DEMOD_ASK;
1348 tests[hits].bitrate = bitRate;
1349 tests[hits].inverted = false;
1350 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1351 tests[hits].downlink_mode = downlink_mode;
1352 ++hits;
1353 }
1354 tests[hits].ST = true;
1355 // "0 0 1 " == clock auto, invert true, maxError 1.
1356 // false = no verbose
1357 // false = no emSearch
1358 // 1 = Ask/Man
1359 // st = true
1360 if ((ASKDemod_ext(0, 1, 1, 0, false, false, false, 1, &tests[hits].ST) == PM3_SUCCESS) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1361 tests[hits].modulation = DEMOD_ASK;
1362 tests[hits].bitrate = bitRate;
1363 tests[hits].inverted = true;
1364 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1365 tests[hits].downlink_mode = downlink_mode;
1366 ++hits;
1367 }
1368 if ((ASKbiphaseDemod(0, 0, 0, 2, false) == PM3_SUCCESS) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1369 tests[hits].modulation = DEMOD_BI;
1370 tests[hits].bitrate = bitRate;
1371 tests[hits].inverted = false;
1372 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1373 tests[hits].ST = false;
1374 tests[hits].downlink_mode = downlink_mode;
1375 ++hits;
1376 }
1377 if ((ASKbiphaseDemod(0, 0, 1, 2, false) == PM3_SUCCESS) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1378 tests[hits].modulation = DEMOD_BIa;
1379 tests[hits].bitrate = bitRate;
1380 tests[hits].inverted = true;
1381 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1382 tests[hits].ST = false;
1383 tests[hits].downlink_mode = downlink_mode;
1384 ++hits;
1385 }
1386 }
1387 clk = GetNrzClock("", false);
1388 if (clk > 8) { //clock of rf/8 is likely a false positive, so don't use it.
1389 if ((NRZrawDemod(0, 0, 1, false) == PM3_SUCCESS) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1390 tests[hits].modulation = DEMOD_NRZ;
1391 tests[hits].bitrate = bitRate;
1392 tests[hits].inverted = false;
1393 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1394 tests[hits].ST = false;
1395 tests[hits].downlink_mode = downlink_mode;
1396 ++hits;
1397 }
1398
1399 if ((NRZrawDemod(0, 1, 1, false) == PM3_SUCCESS) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1400 tests[hits].modulation = DEMOD_NRZ;
1401 tests[hits].bitrate = bitRate;
1402 tests[hits].inverted = true;
1403 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1404 tests[hits].ST = false;
1405 tests[hits].downlink_mode = downlink_mode;
1406 ++hits;
1407 }
1408 }
1409
1410 clk = GetPskClock("", false);
1411 if (clk > 0) {
1412 // allow undo
1413 buffer_savestate_t saveState = save_bufferS32(g_GraphBuffer, g_GraphTraceLen);
1414 saveState.offset = g_GridOffset;
1415 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
1416 CmdLtrim("-i 160");
1417 if ((PSKDemod(0, 0, 6, false) == PM3_SUCCESS) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1418 tests[hits].modulation = DEMOD_PSK1;
1419 tests[hits].bitrate = bitRate;
1420 tests[hits].inverted = false;
1421 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1422 tests[hits].ST = false;
1423 tests[hits].downlink_mode = downlink_mode;
1424 ++hits;
1425 }
1426 if ((PSKDemod(0, 1, 6, false) == PM3_SUCCESS) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1427 tests[hits].modulation = DEMOD_PSK1;
1428 tests[hits].bitrate = bitRate;
1429 tests[hits].inverted = true;
1430 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1431 tests[hits].ST = false;
1432 tests[hits].downlink_mode = downlink_mode;
1433 ++hits;
1434 }
1435 //ICEMAN: are these PSKDemod calls needed?
1436 // PSK2 - needs a call to psk1TOpsk2.
1437 if (PSKDemod(0, 0, 6, false) == PM3_SUCCESS) {
1438 psk1TOpsk2(g_DemodBuffer, g_DemodBufferLen);
1439 if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1440 tests[hits].modulation = DEMOD_PSK2;
1441 tests[hits].bitrate = bitRate;
1442 tests[hits].inverted = false;
1443 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1444 tests[hits].ST = false;
1445 tests[hits].downlink_mode = downlink_mode;
1446 ++hits;
1447 }
1448 } // inverse waves does not affect this demod
1449 // PSK3 - needs a call to psk1TOpsk2.
1450 if (PSKDemod(0, 0, 6, false) == PM3_SUCCESS) {
1451 psk1TOpsk2(g_DemodBuffer, g_DemodBufferLen);
1452 if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
1453 tests[hits].modulation = DEMOD_PSK3;
1454 tests[hits].bitrate = bitRate;
1455 tests[hits].inverted = false;
1456 tests[hits].block0 = PackBits(tests[hits].offset, 32, g_DemodBuffer);
1457 tests[hits].ST = false;
1458 tests[hits].downlink_mode = downlink_mode;
1459 ++hits;
1460 }
1461 } // inverse waves does not affect this demod
1462 //undo trim samples
1463 restore_bufferS32(saveState, g_GraphBuffer);
1464 g_GridOffset = saveState.offset;
1465 // t55xx_search_config_psk(g_GraphBuffer, 1);
1466 // t55xx_search_config_psk(g_GraphBuffer, 2);
1467 }
1468 }
1469 if (hits == 1) {
1470 config.modulation = tests[0].modulation;
1471 config.bitrate = tests[0].bitrate;
1472 config.inverted = tests[0].inverted;
1473 config.offset = tests[0].offset;
1474 config.block0 = tests[0].block0;
1475 config.Q5 = tests[0].Q5;
1476 config.ST = tests[0].ST;
1477 config.downlink_mode = downlink_mode;
1478 if (pwd != -1) {
1479 config.usepwd = true;
1480 config.pwd = pwd & 0xffffffff;
1481 }
1482
1483 config.block0Status = AUTODETECT;
1484 if (print_config)
1485 printConfiguration(config);
1486
1487 return true;
1488 }
1489
1490 bool retval = false;
1491 if (hits > 1) {
1492 PrintAndLogEx(SUCCESS, "Found [%d] possible matches for modulation.", hits);
1493 for (int i = 0; i < hits; ++i) {
1494
1495 bool wanted = false;
1496 if (wanted_conf > 0)
1497 wanted = (wanted_conf == tests[i].block0);
1498
1499 retval = testKnownConfigBlock(tests[i].block0);
1500 if (retval || wanted) {
1501 PrintAndLogEx(NORMAL, "--[%d]--------------- << selected this", i + 1);
1502 config.modulation = tests[i].modulation;
1503 config.bitrate = tests[i].bitrate;
1504 config.inverted = tests[i].inverted;
1505 config.offset = tests[i].offset;
1506 config.block0 = tests[i].block0;
1507 config.Q5 = tests[i].Q5;
1508 config.ST = tests[i].ST;
1509 config.downlink_mode = tests[i].downlink_mode;
1510
1511 if (pwd != -1) {
1512 config.usepwd = true;
1513 config.pwd = pwd & 0xffffffff;
1514 }
1515 } else {
1516 PrintAndLogEx(NORMAL, "--[%d]---------------", i + 1);
1517 }
1518
1519 config.block0Status = AUTODETECT;
1520 if (print_config)
1521 printConfiguration(tests[i]);
1522 }
1523 }
1524 return retval;
1525 }
1526
1527 bool testKnownConfigBlock(uint32_t block0) {
1528 switch (block0) {
1529 case T55X7_DEFAULT_CONFIG_BLOCK:
1530 case T55X7_RAW_CONFIG_BLOCK:
1531 case T55X7_EM_UNIQUE_CONFIG_BLOCK:
1532 case T55X7_FDXB_CONFIG_BLOCK:
1533 case T55X7_FDXB_2_CONFIG_BLOCK:
1534 case T55X7_HID_26_CONFIG_BLOCK:
1535 case T55X7_PYRAMID_CONFIG_BLOCK:
1536 case T55X7_INDALA_64_CONFIG_BLOCK:
1537 case T55X7_INDALA_224_CONFIG_BLOCK:
1538 case T55X7_GUARDPROXII_CONFIG_BLOCK:
1539 case T55X7_VIKING_CONFIG_BLOCK:
1540 case T55X7_NORALSY_CONFIG_BLOCK:
1541 case T55X7_IOPROX_CONFIG_BLOCK:
1542 case T55X7_PRESCO_CONFIG_BLOCK:
1543 case T55X7_NEDAP_64_CONFIG_BLOCK:
1544 case T55X7_NEDAP_128_CONFIG_BLOCK:
1545 case T55X7_VISA2000_CONFIG_BLOCK:
1546 case T55X7_SECURAKEY_CONFIG_BLOCK:
1547 case T55X7_PAC_CONFIG_BLOCK:
1548 case T55X7_VERICHIP_CONFIG_BLOCK:
1549 case T55X7_KERI_CONFIG_BLOCK:
1550 case T55X7_NEXWATCH_CONFIG_BLOCK:
1551 case T55X7_JABLOTRON_CONFIG_BLOCK:
1552 case T55X7_PYRONIX_CONFIG_BLOCK:
1553 return true;
1554 }
1555 return false;
1556 }
1557
1558 bool GetT55xxBlockData(uint32_t *blockdata) {
1559
1560 if (g_DemodBufferLen == 0)
1561 return false;
1562
1563 uint8_t idx = config.offset;
1564
1565 if (idx + 32 > g_DemodBufferLen) {
1566 PrintAndLogEx(WARNING, "The configured offset %d is too big. Possible offset: %zu)", idx, g_DemodBufferLen - 32);
1567 return false;
1568 }
1569
1570 *blockdata = PackBits(0, 32, g_DemodBuffer + idx);
1571 return true;
1572 }
1573
1574 void printT55xxBlock(uint8_t blockNum, bool page1) {
1575
1576 uint32_t val = 0;
1577 if (GetT55xxBlockData(&val) == false)
1578 return;
1579
1580 uint8_t bytes[4] = {0};
1581 num_to_bytes(val, 4, bytes);
1582
1583 T55x7_SaveBlockData((page1) ? blockNum + 8 : blockNum, val);
1584
1585 PrintAndLogEx(SUCCESS, " %02d | %08X | %s | %s", blockNum, val, sprint_bytebits_bin(g_DemodBuffer + config.offset, 32), sprint_ascii(bytes, 4));
1586 }
1587
1588 static bool testModulation(uint8_t mode, uint8_t modread) {
1589 switch (mode) {
1590 case DEMOD_FSK:
1591 if (modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a) return true;
1592 break;
1593 case DEMOD_ASK:
1594 if (modread == DEMOD_ASK) return true;
1595 break;
1596 case DEMOD_PSK1:
1597 if (modread == DEMOD_PSK1) return true;
1598 break;
1599 case DEMOD_PSK2:
1600 if (modread == DEMOD_PSK2) return true;
1601 break;
1602 case DEMOD_PSK3:
1603 if (modread == DEMOD_PSK3) return true;
1604 break;
1605 case DEMOD_NRZ:
1606 if (modread == DEMOD_NRZ) return true;
1607 break;
1608 case DEMOD_BI:
1609 if (modread == DEMOD_BI) return true;
1610 break;
1611 case DEMOD_BIa:
1612 if (modread == DEMOD_BIa) return true;
1613 break;
1614 default:
1615 return false;
1616 }
1617 return false;
1618 }
1619
1620 static bool testQ5Modulation(uint8_t mode, uint8_t modread) {
1621 switch (mode) {
1622 case DEMOD_FSK:
1623 if (modread >= 4 && modread <= 5) return true;
1624 break;
1625 case DEMOD_ASK:
1626 if (modread == 0) return true;
1627 break;
1628 case DEMOD_PSK1:
1629 if (modread == 1) return true;
1630 break;
1631 case DEMOD_PSK2:
1632 if (modread == 2) return true;
1633 break;
1634 case DEMOD_PSK3:
1635 if (modread == 3) return true;
1636 break;
1637 case DEMOD_NRZ:
1638 if (modread == 7) return true;
1639 break;
1640 case DEMOD_BI:
1641 if (modread == 6) return true;
1642 break;
1643 default:
1644 return false;
1645 }
1646 return false;
1647 }
1648
1649 static int convertQ5bitRate(uint8_t bitRateRead) {
1650 const uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
1651 for (int i = 0; i < 8; i++)
1652 if (expected[i] == bitRateRead)
1653 return i;
1654
1655 return -1;
1656 }
1657
1658 static bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk) {
1659
1660 if (g_DemodBufferLen < 64) return false;
1661
1662 for (uint8_t idx = 28; idx < 64; idx++) {
1663 uint8_t si = idx;
1664 if (PackBits(si, 28, g_DemodBuffer) == 0x00) continue;
1665
1666 uint8_t safer = PackBits(si, 4, g_DemodBuffer);
1667 si += 4; //master key
1668 uint8_t resv = PackBits(si, 8, g_DemodBuffer);
1669 si += 8;
1670 // 2nibble must be zeroed.
1671 if (safer != 0x6 && safer != 0x9) continue;
1672 if (resv > 0x00) continue;
1673 //uint8_t pageSel = PackBits(si, 1, g_DemodBuffer); si += 1;
1674 //uint8_t fastWrite = PackBits(si, 1, g_DemodBuffer); si += 1;
1675 si += 1 + 1;
1676 int bitRate = PackBits(si, 6, g_DemodBuffer) * 2 + 2;
1677 si += 6; //bit rate
1678 if (bitRate > 128 || bitRate < 8) continue;
1679
1680 //uint8_t AOR = PackBits(si, 1, g_DemodBuffer); si += 1;
1681 //uint8_t PWD = PackBits(si, 1, g_DemodBuffer); si += 1;
1682 //uint8_t pskcr = PackBits(si, 2, g_DemodBuffer); si += 2; //could check psk cr
1683 //uint8_t inverse = PackBits(si, 1, g_DemodBuffer); si += 1;
1684 si += 1 + 1 + 2 + 1;
1685 uint8_t modread = PackBits(si, 3, g_DemodBuffer);
1686 si += 3;
1687 uint8_t maxBlk = PackBits(si, 3, g_DemodBuffer);
1688 si += 3;
1689 //uint8_t ST = PackBits(si, 1, g_DemodBuffer); si += 1;
1690 if (maxBlk == 0) continue;
1691
1692 //test modulation
1693 if (!testQ5Modulation(mode, modread)) continue;
1694 if (bitRate != clk) continue;
1695
1696 *fndBitRate = convertQ5bitRate(bitRate);
1697 if (*fndBitRate < 0) continue;
1698
1699 *offset = idx;
1700
1701 return true;
1702 }
1703 return false;
1704 }
1705
1706 static bool testBitRate(uint8_t readRate, uint8_t clk) {
1707 const uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
1708 if (expected[readRate] == clk)
1709 return true;
1710
1711 return false;
1712 }
1713
1714 bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5) {
1715
1716 if (g_DemodBufferLen < 64) {
1717 return false;
1718 }
1719
1720 for (uint8_t idx = 28; idx < 64; idx++) {
1721
1722 uint8_t si = idx;
1723
1724 if (PackBits(si, 28, g_DemodBuffer) == 0x00) {
1725 continue;
1726 }
1727
1728 uint8_t safer = PackBits(si, 4, g_DemodBuffer);
1729 si += 4; //master key
1730 uint8_t resv = PackBits(si, 4, g_DemodBuffer);
1731 si += 4; //was 7 & +=7+3 //should be only 4 bits if extended mode
1732 // 2nibble must be zeroed.
1733 // moved test to here, since this gets most faults first.
1734
1735 if (resv > 0x00) {
1736 continue;
1737 }
1738
1739 int bitRate = PackBits(si, 6, g_DemodBuffer);
1740 si += 6; //bit rate (includes extended mode part of rate)
1741 uint8_t extend = PackBits(si, 1, g_DemodBuffer);
1742 si += 1; //bit 15 extended mode
1743 uint8_t modread = PackBits(si, 5, g_DemodBuffer);
1744 si += 5 + 2 + 1;
1745 //uint8_t pskcr = PackBits(si, 2, g_DemodBuffer); si += 2+1; //could check psk cr
1746 //uint8_t nml01 = PackBits(si, 1, g_DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode
1747 //uint8_t nml02 = PackBits(si, 2, g_DemodBuffer); si += 2;
1748
1749 //if extended mode
1750 bool extMode = ((safer == 0x6 || safer == 0x9) && extend) ? true : false;
1751
1752 if (extMode == false) {
1753
1754 if (bitRate > 7) {
1755 continue;
1756 }
1757
1758 if (testBitRate(bitRate, clk) == false) {
1759 continue;
1760 }
1761
1762 } else { //extended mode bitrate = same function to calc bitrate as em4x05
1763 if (EM4x05_GET_BITRATE(bitRate) != clk) {
1764 continue;
1765 }
1766 }
1767
1768 //test modulation
1769 if (testModulation(mode, modread) == false) {
1770 continue;
1771 }
1772
1773 *fndBitRate = bitRate;
1774 *offset = idx;
1775 *Q5 = false;
1776 return true;
1777 }
1778
1779 if (testQ5(mode, offset, fndBitRate, clk)) {
1780 *Q5 = true;
1781 return true;
1782 }
1783 return false;
1784 }
1785
1786 int CmdT55xxSpecial(const char *Cmd) {
1787
1788 CLIParserContext *ctx;
1789 CLIParserInit(&ctx, "lf t55xx special",
1790 "Show block changes with 64 different offsets, data taken from DemodBuffer.",
1791 "lf t55xx special\n"
1792 );
1793
1794 void *argtable[] = {
1795 arg_param_begin,
1796 arg_param_end
1797 };
1798 CLIExecWithReturn(ctx, Cmd, argtable, true);
1799 CLIParserFree(ctx);
1800
1801 uint8_t bits[32] = {0x00};
1802
1803 PrintAndLogEx(NORMAL, "OFFSET | DATA | BINARY | ASCII");
1804 PrintAndLogEx(NORMAL, "-------+-------+-------------------------------------+------");
1805 int i, j = 0;
1806 for (; j < 64; ++j) {
1807
1808 for (i = 0; i < 32; ++i)
1809 bits[i] = g_DemodBuffer[j + i];
1810
1811 uint32_t blockData = PackBits(0, 32, bits);
1812
1813 PrintAndLogEx(NORMAL, "%02d | 0x%08X | %s", j, blockData, sprint_bytebits_bin(bits, 32));
1814 }
1815 return PM3_SUCCESS;
1816 }
1817
1818 int printConfiguration(t55xx_conf_block_t b) {
1819 PrintAndLogEx(INFO, " Chip type......... " _GREEN_("%s"), (b.Q5) ? "Q5/T5555" : "T55x7");
1820 PrintAndLogEx(INFO, " Modulation........ " _GREEN_("%s"), GetSelectedModulationStr(b.modulation));
1821 PrintAndLogEx(INFO, " Bit rate.......... %s", GetBitRateStr(b.bitrate, (b.block0 & T55x7_X_MODE && (b.block0 >> 28 == 6 || b.block0 >> 28 == 9))));
1822 PrintAndLogEx(INFO, " Inverted.......... %s", (b.inverted) ? _GREEN_("Yes") : "No");
1823 PrintAndLogEx(INFO, " Offset............ %d", b.offset);
1824 PrintAndLogEx(INFO, " Seq. terminator... %s", (b.ST) ? _GREEN_("Yes") : "No");
1825 PrintAndLogEx(INFO, " Block0............ %08X %s", b.block0, GetConfigBlock0Source(b.block0Status));
1826 PrintAndLogEx(INFO, " Downlink mode..... %s", GetDownlinkModeStr(b.downlink_mode));
1827 PrintAndLogEx(INFO, " Password set...... %s", (b.usepwd) ? _RED_("Yes") : _GREEN_("No"));
1828 if (b.usepwd) {
1829 PrintAndLogEx(INFO, " Password.......... %08X", b.pwd);
1830 }
1831 PrintAndLogEx(NORMAL, "");
1832 return PM3_SUCCESS;
1833 }
1834
1835 static int CmdT55xxWriteBlock(const char *Cmd) {
1836 CLIParserContext *ctx;
1837 CLIParserInit(&ctx, "lf t55xx write",
1838 "Write T55xx block data",
1839 "lf t55xx write -b 3 -d 11223344 --> write 11223344 to block 3\n"
1840 "lf t55xx write -b 3 -d 11223344 --pwd 01020304 --> write 11223344 to block 3, pwd 01020304\n"
1841 "lf t55xx write -b 3 -d 11223344 --pwd 01020304 --verify --> write 11223344 to block 3 and try validating write"
1842 );
1843
1844 // 1 (help) + 6 (six user specified params) + (5 T55XX_DLMODE_SINGLE)
1845 void *argtable[7 + 5] = {
1846 arg_param_begin,
1847 arg_int1("b", "blk", "<0-7>", "block number to write"),
1848 arg_str0("d", "data", "<hex>", "data to write (4 hex bytes)"),
1849 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
1850 arg_lit0("t", "tm", "test mode write ( " _RED_("danger") " )"),
1851 arg_lit0(NULL, "pg1", "write page 1"),
1852 arg_lit0(NULL, "verify", "try validate data afterward"),
1853 };
1854 uint8_t idx = 7;
1855 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
1856 CLIExecWithReturn(ctx, Cmd, argtable, true);
1857
1858 int block = arg_get_int_def(ctx, 1, REGULAR_READ_MODE_BLOCK);
1859
1860 uint32_t data = 0; // default to blank Block
1861 int res = arg_get_u32_hexstr_def_nlen(ctx, 2, 0, &data, 4, true);
1862 if (res == 0 || res == 2) {
1863 PrintAndLogEx(ERR, "data must be 4 hex bytes");
1864 CLIParserFree(ctx);
1865 return PM3_EINVARG;
1866 }
1867
1868 bool usepwd = false;
1869 uint32_t password = 0; // default to blank Block 7
1870 res = arg_get_u32_hexstr_def_nlen(ctx, 3, 0, &password, 4, true);
1871 if (res == 0 || res == 2) {
1872 PrintAndLogEx(ERR, "Password should be 4 hex bytes");
1873 CLIParserFree(ctx);
1874 return PM3_EINVARG;
1875 }
1876 if (res == 1) {
1877 usepwd = true;
1878 }
1879
1880 bool testmode = arg_get_lit(ctx, 4);
1881 bool page1 = arg_get_lit(ctx, 5);
1882 bool validate = arg_get_lit(ctx, 6);
1883
1884 bool r0 = arg_get_lit(ctx, 7);
1885 bool r1 = arg_get_lit(ctx, 8);
1886 bool r2 = arg_get_lit(ctx, 9);
1887 bool r3 = arg_get_lit(ctx, 10);
1888 CLIParserFree(ctx);
1889
1890 if ((r0 + r1 + r2 + r3) > 1) {
1891 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
1892 return PM3_EINVARG;
1893 }
1894
1895 uint8_t downlink_mode = config.downlink_mode;
1896 if (r0)
1897 downlink_mode = refFixedBit;
1898 else if (r1)
1899 downlink_mode = refLongLeading;
1900 else if (r2)
1901 downlink_mode = refLeading0;
1902 else if (r3)
1903 downlink_mode = ref1of4;
1904
1905 if (block > 7 && block != REGULAR_READ_MODE_BLOCK) {
1906 PrintAndLogEx(NORMAL, "Block must be between 0 and 7");
1907 return PM3_ESOFT;
1908 }
1909
1910 char pwdstr[16] = {0};
1911 snprintf(pwdstr, sizeof(pwdstr), "pwd: 0x%08X", password);
1912
1913 PrintAndLogEx(INFO, "Writing page %d block: %02d data: 0x%08X %s", page1, block, data, (usepwd) ? pwdstr : "");
1914
1915 if (t55xxWrite(block, page1, usepwd, testmode, password, downlink_mode, data) != PM3_SUCCESS) {
1916 PrintAndLogEx(ERR, "Write failed");
1917 return PM3_ESOFT;
1918 }
1919
1920 if (validate) {
1921 bool isOK = t55xxVerifyWrite(block, page1, usepwd, 1, password, downlink_mode, data);
1922 if (isOK)
1923 PrintAndLogEx(SUCCESS, "Write OK, validation successful");
1924 else
1925 PrintAndLogEx(WARNING, "Write could not validate the written data");
1926 }
1927
1928 return PM3_SUCCESS;
1929 }
1930
1931 static int CmdT55xxDangerousRaw(const char *Cmd) {
1932 CLIParserContext *ctx;
1933 CLIParserInit(&ctx, "lf t55xx dangerraw",
1934 "This command allows to emit arbitrary raw commands on T5577 and cut the field after arbitrary duration.\n"
1935 "Uncontrolled usage can easily write an invalid configuration, activate lock bits,\n"
1936 "OTP bit, password protection bit, deactivate test-mode, lock your card forever.\n"
1937 _RED_("WARNING:") _CYAN_(" this may lock definitively the tag in an unusable state!"),
1938 "lf t55xx dangerraw -d 01000000000000010000100000000100000000 -t 3200\n"
1939 );
1940
1941 void *argtable[] = {
1942 arg_param_begin,
1943 arg_str1("d", "data", NULL, "raw bit string"),
1944 arg_int1("t", "time", "<us>", "<0 - 200000> time in microseconds before dropping the field"),
1945 arg_param_end
1946 };
1947 CLIExecWithReturn(ctx, Cmd, argtable, true);
1948
1949 // supports only default downlink mode
1950 t55xx_test_block_t ng;
1951 ng.time = 0;
1952 ng.bitlen = 0;
1953 memset(ng.data, 0x00, sizeof(ng.data));
1954
1955 uint8_t bin[129] = {0};
1956 int bin_len = sizeof(bin) - 1; // CLIGetStrWithReturn does not guarantee string to be null-terminated
1957 CLIGetStrWithReturn(ctx, 1, bin, &bin_len);
1958
1959 ng.time = arg_get_int_def(ctx, 2, 0);
1960 CLIParserFree(ctx);
1961
1962 if (ng.time == 0 || ng.time > 200000) {
1963 PrintAndLogEx(ERR, "Timing off 1..200000 limits, got %i", ng.time);
1964 return PM3_EINVARG;
1965 }
1966
1967 int bs_len = binstr_2_binarray(ng.data, (char *)bin, bin_len);
1968 if (bs_len == 0) {
1969 return PM3_EINVARG;
1970 }
1971
1972 ng.bitlen = bs_len;
1973
1974 PacketResponseNG resp;
1975 clearCommandBuffer();
1976 SendCommandNG(CMD_LF_T55XX_DANGERRAW, (uint8_t *)&ng, sizeof(ng));
1977 if (!WaitForResponseTimeout(CMD_LF_T55XX_DANGERRAW, &resp, 2000)) {
1978 PrintAndLogEx(ERR, "Error occurred, device did not ACK write operation.");
1979 return PM3_ETIMEOUT;
1980 }
1981 return resp.status;
1982 }
1983
1984 static int CmdT55xxReadTrace(const char *Cmd) {
1985
1986 CLIParserContext *ctx;
1987 CLIParserInit(&ctx, "lf t55xx trace",
1988 "Show T55x7 configuration data (page 0/ blk 0) from reading the configuration block",
1989 "lf t55xx trace\n"
1990 "lf t55xx trace -1"
1991 );
1992
1993 // 1 (help) + 1 (one user specified params) + (5 T55XX_DLMODE_SINGLE)
1994 void *argtable[2 + 5] = {
1995 arg_param_begin,
1996 arg_lit0("1", NULL, "extract using data from graphbuffer"),
1997 };
1998 uint8_t idx = 2;
1999 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
2000 CLIExecWithReturn(ctx, Cmd, argtable, true);
2001
2002 bool use_gb = arg_get_lit(ctx, 1);
2003
2004 bool r0 = arg_get_lit(ctx, 2);
2005 bool r1 = arg_get_lit(ctx, 3);
2006 bool r2 = arg_get_lit(ctx, 4);
2007 bool r3 = arg_get_lit(ctx, 5);
2008 CLIParserFree(ctx);
2009
2010 if ((r0 + r1 + r2 + r3) > 1) {
2011 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
2012 return PM3_EINVARG;
2013 }
2014
2015 uint8_t downlink_mode = config.downlink_mode;
2016 if (r0)
2017 downlink_mode = refFixedBit;
2018 else if (r1)
2019 downlink_mode = refLongLeading;
2020 else if (r2)
2021 downlink_mode = refLeading0;
2022 else if (r3)
2023 downlink_mode = ref1of4;
2024
2025 if (use_gb == false) {
2026 // sanity check.
2027 if (SanityOfflineCheck(false) != PM3_SUCCESS) return PM3_ENODATA;
2028
2029 bool pwdmode = false;
2030 uint32_t password = 0;
2031
2032 // REGULAR_READ_MODE_BLOCK - yields correct Page 1 Block 2 data i.e. + 32 bit offset.
2033 if (!AcquireData(T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password, downlink_mode))
2034 return PM3_ENODATA;
2035 }
2036
2037 if (config.Q5) {
2038 if (DecodeT5555TraceBlock() == false) {
2039 return PM3_ESOFT;
2040 }
2041 } else {
2042 if (DecodeT55xxBlock() == false) {
2043 return PM3_ESOFT;
2044 }
2045 }
2046
2047 if (g_DemodBufferLen == 0) {
2048 return PM3_ESOFT;
2049 }
2050
2051 RepaintGraphWindow();
2052 uint8_t repeat = (config.offset > 5) ? 32 : 0;
2053
2054 uint8_t si = config.offset + repeat;
2055 uint32_t bl1 = PackBits(si, 32, g_DemodBuffer);
2056 uint32_t bl2 = PackBits(si + 32, 32, g_DemodBuffer);
2057
2058 if (config.Q5) {
2059 uint32_t hdr = PackBits(si, 9, g_DemodBuffer);
2060 si += 9;
2061
2062 if (hdr != 0x1FF) {
2063 PrintAndLogEx(FAILED, "Invalid Q5/T5555 Trace data header (expected 0x1FF, found %X)", hdr);
2064 return PM3_ESOFT;
2065 }
2066
2067 t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw = 0};
2068
2069 data.icr = PackBits(si, 2, g_DemodBuffer);
2070 si += 2;
2071 data.lotidc = 'Z' - PackBits(si, 2, g_DemodBuffer);
2072 si += 3;
2073
2074 data.lotid = PackBits(si, 4, g_DemodBuffer);
2075 si += 5;
2076 data.lotid <<= 4;
2077 data.lotid |= PackBits(si, 4, g_DemodBuffer);
2078 si += 5;
2079 data.lotid <<= 4;
2080 data.lotid |= PackBits(si, 4, g_DemodBuffer);
2081 si += 5;
2082 data.lotid <<= 4;
2083 data.lotid |= PackBits(si, 4, g_DemodBuffer);
2084 si += 5;
2085 data.lotid <<= 1;
2086 data.lotid |= PackBits(si, 1, g_DemodBuffer);
2087 si += 1;
2088
2089 data.wafer = PackBits(si, 3, g_DemodBuffer);
2090 si += 4;
2091 data.wafer <<= 2;
2092 data.wafer |= PackBits(si, 2, g_DemodBuffer);
2093 si += 2;
2094
2095 data.dw = PackBits(si, 2, g_DemodBuffer);
2096 si += 3;
2097 data.dw <<= 4;
2098 data.dw |= PackBits(si, 4, g_DemodBuffer);
2099 si += 5;
2100 data.dw <<= 4;
2101 data.dw |= PackBits(si, 4, g_DemodBuffer);
2102 si += 5;
2103 data.dw <<= 4;
2104 data.dw |= PackBits(si, 4, g_DemodBuffer);
2105
2106 printT5555Trace(data, repeat);
2107
2108 } else {
2109
2110 t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0, .lotid = 0, .wafer = 0, .dw = 0};
2111
2112 data.acl = PackBits(si, 8, g_DemodBuffer);
2113 si += 8;
2114 if (data.acl != 0xE0) {
2115 PrintAndLogEx(FAILED, "The modulation is most likely wrong since the ACL is not 0xE0. ");
2116 return PM3_ESOFT;
2117 }
2118
2119 data.mfc = PackBits(si, 8, g_DemodBuffer);
2120 si += 8;
2121 data.cid = PackBits(si, 5, g_DemodBuffer);
2122 si += 5;
2123 data.icr = PackBits(si, 3, g_DemodBuffer);
2124 si += 3;
2125 data.year = PackBits(si, 4, g_DemodBuffer);
2126 si += 4;
2127 data.quarter = PackBits(si, 2, g_DemodBuffer);
2128 si += 2;
2129 data.lotid = PackBits(si, 14, g_DemodBuffer);
2130 si += 14;
2131 data.wafer = PackBits(si, 5, g_DemodBuffer);
2132 si += 5;
2133 data.dw = PackBits(si, 15, g_DemodBuffer);
2134
2135 struct tm *ct, tm_buf;
2136 time_t now = time(NULL);
2137 #if defined(_WIN32)
2138 ct = localtime_s(&tm_buf, &now) == 0 ? &tm_buf : NULL;
2139 #else
2140 ct = localtime_r(&now, &tm_buf);
2141 #endif
2142
2143 if (ct != NULL && (data.year > ct->tm_year - 110))
2144 data.year += 2000;
2145 else
2146 data.year += 2010;
2147
2148 printT55x7Trace(data, repeat);
2149 }
2150 return PM3_SUCCESS;
2151 }
2152
2153 void printT55x7Trace(t55x7_tracedata_t data, uint8_t repeat) {
2154 PrintAndLogEx(INFO, "--- " _CYAN_("T55x7 Trace Information") " ----------------------------------");
2155 PrintAndLogEx(INFO, " ACL Allocation class (ISO/IEC 15963-1) : 0x%02X ( %d )", data.acl, data.acl);
2156 PrintAndLogEx(INFO, " MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X ( %d ) - %s", data.mfc, data.mfc, getTagInfo(data.mfc));
2157 PrintAndLogEx(INFO, " CID : 0x%02X ( %d ) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));
2158 PrintAndLogEx(INFO, " ICR IC Revision : %d", data.icr);
2159 PrintAndLogEx(INFO, " Manufactured");
2160 PrintAndLogEx(INFO, " Year/Quarter... %d/%d", data.year, data.quarter);
2161 PrintAndLogEx(INFO, " Lot ID......... %d", data.lotid);
2162 PrintAndLogEx(INFO, " Wafer number... %d", data.wafer);
2163 PrintAndLogEx(INFO, " Die Number..... %d", data.dw);
2164 PrintAndLogEx(INFO, "-------------------------------------------------------------");
2165 PrintAndLogEx(INFO, " Raw Data - Page 1");
2166 PrintAndLogEx(INFO, " Block 1... %08X - %s", data.bl1, sprint_bytebits_bin(g_DemodBuffer + config.offset + repeat, 32));
2167 PrintAndLogEx(INFO, " Block 2... %08X - %s", data.bl2, sprint_bytebits_bin(g_DemodBuffer + config.offset + repeat + 32, 32));
2168 PrintAndLogEx(NORMAL, "");
2169
2170 /*
2171 Trace info.
2172 M1, M2 has the about ATMEL definition of trace data.
2173 M3 has unique format following industry defacto standard with row/col parity
2174
2175 TRACE - BLOCK O
2176 Bits Definition HEX
2177 1-8 ACL Allocation class (ISO/IEC 15963-1) 0xE0
2178 9-16 MFC Manufacturer ID (ISO/IEC 7816-6) 0x15 Atmel Corporation
2179 17-21 CID 0x1 = Atmel ATA5577M1
2180 0x2 = Atmel ATA5577M2
2181 0x3 = Atmel ATA5577M3
2182 22-24 ICR IC revision
2183 25-28 YEAR (BCD encoded) 9 (= 2009)
2184 29-30 QUARTER 1,2,3,4
2185 31-32 LOT ID
2186
2187 TRACE - BLOCK 1
2188 1-12 LOT ID
2189 13-17 Wafer number
2190 18-32 DW, die number sequential
2191
2192
2193 Startup times (FC)
2194 M1, M2 = 192
2195 M3 = 128
2196 */
2197 }
2198
2199 void printT5555Trace(t5555_tracedata_t data, uint8_t repeat) {
2200 PrintAndLogEx(INFO, "--- " _CYAN_("Q5/T5555 Trace Information") " ---------------------------");
2201 PrintAndLogEx(INFO, " ICR IC Revision.... %d", data.icr);
2202 PrintAndLogEx(INFO, " Lot ID......... %c%d", data.lotidc, data.lotid);
2203 PrintAndLogEx(INFO, " Wafer number... %d", data.wafer);
2204 PrintAndLogEx(INFO, " Die Number..... %d", data.dw);
2205 PrintAndLogEx(INFO, "-------------------------------------------------------------");
2206 PrintAndLogEx(INFO, " Raw Data - Page 1");
2207 PrintAndLogEx(INFO, " Block 1... %08X - %s", data.bl1, sprint_bytebits_bin(g_DemodBuffer + config.offset + repeat, 32));
2208 PrintAndLogEx(INFO, " Block 2... %08X - %s", data.bl2, sprint_bytebits_bin(g_DemodBuffer + config.offset + repeat + 32, 32));
2209
2210 /*
2211 ** Q5 **
2212 TRACE - BLOCK O and BLOCK1
2213 Bits Definition HEX
2214 1-9 Header 0x1FF
2215 10-11 IC Revision
2216 12-13 Lot ID char
2217 15-35 Lot ID (NB parity)
2218 36-41 Wafer number (NB parity)
2219 42-58 DW, die number sequential (NB parity)
2220 60-63 Parity bits
2221 64 Always zero
2222 */
2223 }
2224
2225 static void printT5x7KnownBlock0(uint32_t b0) {
2226
2227 char s[40];
2228 memset(s, 0, sizeof(s));
2229
2230 switch (b0) {
2231 case T55X7_DEFAULT_CONFIG_BLOCK:
2232 snprintf(s, sizeof(s) - strlen(s), "T55x7 Default ");
2233 break;
2234 case T55X7_RAW_CONFIG_BLOCK:
2235 snprintf(s + strlen(s), sizeof(s) - strlen(s), "T55x7 Raw ");
2236 break;
2237 case T55X7_EM_UNIQUE_CONFIG_BLOCK:
2238 snprintf(s + strlen(s), sizeof(s) - strlen(s), "EM unique, Paxton ");
2239 break;
2240 case T55X7_FDXB_2_CONFIG_BLOCK:
2241 case T55X7_FDXB_CONFIG_BLOCK:
2242 snprintf(s + strlen(s), sizeof(s) - strlen(s), "FDXB ");
2243 break;
2244 case T55X7_HID_26_CONFIG_BLOCK:
2245 snprintf(s + strlen(s), sizeof(s) - strlen(s), "HID 26b (ProxCard), Paradox, AWID ");
2246 break;
2247 case T55X7_PYRAMID_CONFIG_BLOCK:
2248 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Pyramid ");
2249 break;
2250 case T55X7_INDALA_64_CONFIG_BLOCK:
2251 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Indala 64, Motorola, Idteck");
2252 break;
2253 case T55X7_INDALA_224_CONFIG_BLOCK:
2254 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Indala 224 ");
2255 break;
2256 case T55X7_GUARDPROXII_CONFIG_BLOCK:
2257 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Guard Prox II ");
2258 break;
2259 case T55X7_VIKING_CONFIG_BLOCK:
2260 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Viking ");
2261 break;
2262 case T55X7_NORALSY_CONFIG_BLOCK:
2263 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Noralys ");
2264 break;
2265 case T55X7_IOPROX_CONFIG_BLOCK:
2266 snprintf(s + strlen(s), sizeof(s) - strlen(s), "IO Prox ");
2267 break;
2268 case T55X7_PRESCO_CONFIG_BLOCK:
2269 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Presco ");
2270 break;
2271 case T55X7_NEDAP_64_CONFIG_BLOCK:
2272 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Nedap 64 ");
2273 break;
2274 case T55X7_NEDAP_128_CONFIG_BLOCK:
2275 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Nedap 128 ");
2276 break;
2277 case T55X7_PAC_CONFIG_BLOCK:
2278 snprintf(s + strlen(s), sizeof(s) - strlen(s), "PAC/Stanley ");
2279 break;
2280 case T55X7_VERICHIP_CONFIG_BLOCK:
2281 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Verichip ");
2282 break;
2283 case T55X7_VISA2000_CONFIG_BLOCK:
2284 snprintf(s + strlen(s), sizeof(s) - strlen(s), "VISA2000 ");
2285 break;
2286 case T55X7_JABLOTRON_CONFIG_BLOCK:
2287 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Jablotron ");
2288 break;
2289 case T55X7_KERI_CONFIG_BLOCK:
2290 snprintf(s + strlen(s), sizeof(s) - strlen(s), "KERI ");
2291 break;
2292 case T55X7_SECURAKEY_CONFIG_BLOCK:
2293 snprintf(s + strlen(s), sizeof(s) - strlen(s), "SecuraKey ");
2294 break;
2295 case T55X7_NEXWATCH_CONFIG_BLOCK:
2296 snprintf(s + strlen(s), sizeof(s) - strlen(s), "NexWatch, Quadrakey ");
2297 break;
2298 case T55X7_PYRONIX_CONFIG_BLOCK:
2299 snprintf(s + strlen(s), sizeof(s) - strlen(s), "Pyronix ");
2300 break;
2301 default:
2302 break;
2303 }
2304
2305 if (strlen(s) > 0) {
2306 PrintAndLogEx(SUCCESS, "Config block match : " _YELLOW_("%s"), s);
2307 }
2308 }
2309
2310 static int CmdT55xxInfo(const char *Cmd) {
2311 CLIParserContext *ctx;
2312 CLIParserInit(&ctx, "lf t55xx info",
2313 "Show T55x7 configuration data (page 0/ blk 0) from reading the configuration block\n"
2314 "from tag. Use `-c` to specify a config block data to be used instead of reading tag.",
2315 "lf t55xx info\n"
2316 "lf t55xx info -1\n"
2317 "lf t55xx info -p 11223344\n"
2318 "lf t55xx info -c 00083040\n"
2319 "lf t55xx info -c 6001805A --q5"
2320 );
2321
2322 // 1 (help) + 4 (four user specified params) + (5 T55XX_DLMODE_SINGLE)
2323 void *argtable[5 + 5] = {
2324 arg_param_begin,
2325 arg_lit0("1", NULL, "extract using data from graphbuffer"),
2326 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
2327 arg_str0("c", "blk0", "<hex>", "use these data instead (4 hex bytes)"),
2328 arg_lit0(NULL, "q5", "interprete provided data as T5555/Q5 config"),
2329 };
2330 uint8_t idx = 5;
2331 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
2332 CLIExecWithReturn(ctx, Cmd, argtable, true);
2333
2334 bool use_gb = arg_get_lit(ctx, 1);
2335
2336 bool usepwd = false;
2337 uint32_t password = 0;
2338 int res = arg_get_u32_hexstr_def_nlen(ctx, 2, 0, &password, 4, true);
2339 if (res == 0 || res == 2) {
2340 PrintAndLogEx(ERR, "Password must be 4 hex bytes");
2341 CLIParserFree(ctx);
2342 return PM3_EINVARG;
2343 }
2344 if (res == 1) {
2345 usepwd = true;
2346 }
2347
2348 bool gotdata = false;
2349 uint32_t block0 = 0;
2350 res = arg_get_u32_hexstr_def_nlen(ctx, 3, 0, &block0, 4, true);
2351 if (res == 0 || res == 2) {
2352 PrintAndLogEx(ERR, "block0 data must be 4 hex bytes");
2353 CLIParserFree(ctx);
2354 return PM3_EINVARG;
2355 }
2356 if (res == 1) {
2357 gotdata = true;
2358 }
2359
2360 bool dataasq5 = arg_get_lit(ctx, 4);
2361
2362 bool r0 = arg_get_lit(ctx, 5);
2363 bool r1 = arg_get_lit(ctx, 6);
2364 bool r2 = arg_get_lit(ctx, 7);
2365 bool r3 = arg_get_lit(ctx, 8);
2366 CLIParserFree(ctx);
2367
2368 if (gotdata && use_gb) {
2369 PrintAndLogEx(FAILED, "Must select one of user supplied data and use graphbuffer");
2370 return PM3_EINVARG;
2371 }
2372
2373 if (dataasq5 && gotdata == false) {
2374 PrintAndLogEx(FAILED, "Must specify user supplied Q5 data");
2375 return PM3_EINVARG;
2376 }
2377
2378 if ((r0 + r1 + r2 + r3) > 1) {
2379 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
2380 return PM3_EINVARG;
2381 }
2382
2383 uint8_t downlink_mode = config.downlink_mode;
2384 if (r0)
2385 downlink_mode = refFixedBit;
2386 else if (r1)
2387 downlink_mode = refLongLeading;
2388 else if (r2)
2389 downlink_mode = refLeading0;
2390 else if (r3)
2391 downlink_mode = ref1of4;
2392
2393
2394 /*
2395 Page 0 Block 0 Configuration data.
2396 Normal mode
2397 Extended mode
2398 */
2399
2400 if (use_gb == false && gotdata == false) {
2401 // sanity check.
2402 if (SanityOfflineCheck(false) != PM3_SUCCESS) {
2403 return PM3_ENODATA;
2404 }
2405
2406 if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, downlink_mode)) {
2407 return PM3_ENODATA;
2408 }
2409 }
2410
2411 if (gotdata == false) {
2412 if (DecodeT55xxBlock() == false) {
2413 return PM3_ESOFT;
2414 }
2415
2416 // too little space to start with
2417 if (g_DemodBufferLen < 32 + config.offset) {
2418 return PM3_ESOFT;
2419 }
2420
2421 //PrintAndLogEx(NORMAL, "Offset+32 ==%d\n DemodLen == %d", config.offset + 32, g_DemodBufferLen);
2422 block0 = PackBits(config.offset, 32, g_DemodBuffer);
2423 }
2424
2425 PrintAndLogEx(NORMAL, "");
2426 if (((!gotdata) && config.Q5) || (gotdata && dataasq5)) {
2427 uint32_t header = (block0 >> (32 - 12)) & 0xFFF;
2428 uint32_t ps = (block0 >> (32 - 13)) & 0x01;
2429 uint32_t fw = (block0 >> (32 - 14)) & 0x01;
2430 uint32_t dbr = (block0 >> (32 - 20)) & 0x3F;
2431 uint32_t aor = (block0 >> (32 - 21)) & 0x01;
2432 uint32_t pwd = (block0 >> (32 - 22)) & 0x01;
2433 uint32_t pskcf = (block0 >> (32 - 24)) & 0x03;
2434 uint32_t inv = (block0 >> (32 - 25)) & 0x01;
2435 uint32_t datamod = (block0 >> (32 - 28)) & 0x07;
2436 uint32_t maxblk = (block0 >> (32 - 31)) & 0x07;
2437 uint32_t st = block0 & 0x01;
2438 PrintAndLogEx(INFO, "--- " _CYAN_("Q5 Configuration & Information") " ------------");
2439 PrintAndLogEx(INFO, " Header : 0x%03X%s", header, (header != 0x600) ? _RED_(" - Warning") : "");
2440 PrintAndLogEx(INFO, " Page select : %d", ps);
2441 PrintAndLogEx(INFO, " Fast Write : %s", (fw) ? _GREEN_("Yes") : "No");
2442 PrintAndLogEx(INFO, " Data bit rate : %s", GetBitRateStr(dbr, 1));
2443 PrintAndLogEx(INFO, " AOR - Answer on Request : %s", (aor) ? _GREEN_("Yes") : "No");
2444 PrintAndLogEx(INFO, " Password mode : %s", (pwd) ? _GREEN_("Yes") : "No");
2445 PrintAndLogEx(INFO, " PSK clock frequency : %s", GetPskCfStr(pskcf, 1));
2446 PrintAndLogEx(INFO, " Inverse data : %s", (inv) ? _GREEN_("Yes") : "No");
2447 PrintAndLogEx(INFO, " Modulation : %s", GetQ5ModulationStr(datamod));
2448 PrintAndLogEx(INFO, " Max block : %d", maxblk);
2449 PrintAndLogEx(INFO, " Sequence Terminator : %s", (st) ? _GREEN_("Yes") : "No");
2450 } else {
2451 uint32_t safer = (block0 >> (32 - 4)) & 0x0F;
2452 uint32_t extend = (block0 >> (32 - 15)) & 0x01;
2453 uint32_t resv, dbr;
2454 if (extend) {
2455 resv = (block0 >> (32 - 8)) & 0x0F;
2456 dbr = (block0 >> (32 - 14)) & 0x3F;
2457 } else {
2458 resv = (block0 >> (32 - 11)) & 0x7F;
2459 dbr = (block0 >> (32 - 14)) & 0x07;
2460 }
2461 uint32_t datamod = (block0 >> (32 - 20)) & 0x1F;
2462 uint32_t pskcf = (block0 >> (32 - 22)) & 0x03;
2463 uint32_t aor = (block0 >> (32 - 23)) & 0x01;
2464 uint32_t otp = (block0 >> (32 - 24)) & 0x01;
2465 uint32_t maxblk = (block0 >> (32 - 27)) & 0x07;
2466 uint32_t pwd = (block0 >> (32 - 28)) & 0x01;
2467 uint32_t sst = (block0 >> (32 - 29)) & 0x01;
2468 uint32_t fw = (block0 >> (32 - 30)) & 0x01;
2469 uint32_t inv = (block0 >> (32 - 31)) & 0x01;
2470 uint32_t por = (block0 >> (32 - 32)) & 0x01;
2471
2472 PrintAndLogEx(INFO, "--- " _CYAN_("T55x7 Configuration & Information") " ---------");
2473 PrintAndLogEx(INFO, " Safer key : %s", GetSaferStr(safer));
2474 PrintAndLogEx(INFO, " reserved : %d", resv);
2475 PrintAndLogEx(INFO, " Data bit rate : %s", GetBitRateStr(dbr, extend));
2476 PrintAndLogEx(INFO, " eXtended mode : %s", (extend) ? _YELLOW_("Yes - Warning") : "No");
2477 PrintAndLogEx(INFO, " Modulation : %s", GetModulationStr(datamod, extend));
2478 PrintAndLogEx(INFO, " PSK clock frequency : %s", GetPskCfStr(pskcf, 0));
2479 PrintAndLogEx(INFO, " AOR - Answer on Request : %s", (aor) ? _GREEN_("Yes") : "No");
2480 PrintAndLogEx(INFO, " OTP - One Time Pad : %s", (otp) ? ((extend) ? _YELLOW_("Yes - Warning") : _RED_("Yes - Warning")) : "No");
2481 PrintAndLogEx(INFO, " Max block : %d", maxblk);
2482 PrintAndLogEx(INFO, " Password mode : %s", (pwd) ? _GREEN_("Yes") : "No");
2483 PrintAndLogEx(INFO, " Sequence %-12s : %s", (extend) ? "Start Marker" : "Terminator", (sst) ? _GREEN_("Yes") : "No");
2484 PrintAndLogEx(INFO, " Fast Write : %s", (fw) ? ((extend) ? _GREEN_("Yes") : _RED_("Yes - Warning")) : "No");
2485 PrintAndLogEx(INFO, " Inverse data : %s", (inv) ? ((extend) ? _GREEN_("Yes") : _RED_("Yes - Warning")) : "No");
2486 PrintAndLogEx(INFO, " POR-Delay : %s", (por) ? _GREEN_("Yes") : "No");
2487 }
2488 PrintAndLogEx(INFO, "-------------------------------------------------------------");
2489 PrintAndLogEx(INFO, " Raw Data - Page 0, block 0");
2490 if (gotdata)
2491 PrintAndLogEx(INFO, " " _GREEN_("%08X"), block0);
2492 else
2493 PrintAndLogEx(INFO, " " _GREEN_("%08X") " - %s", block0, sprint_bytebits_bin(g_DemodBuffer + config.offset, 32));
2494
2495 if (((!gotdata) && (!config.Q5)) || (gotdata && (!dataasq5))) {
2496 PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint") " ------------");
2497 printT5x7KnownBlock0(block0);
2498 }
2499
2500 PrintAndLogEx(NORMAL, "");
2501 //PrintAndLogEx(INFO, "-------------------------------------------------------------");
2502 return PM3_SUCCESS;
2503 }
2504
2505 static int CmdT55xxDump(const char *Cmd) {
2506
2507 CLIParserContext *ctx;
2508 CLIParserInit(&ctx, "lf t55xx dump",
2509 "This command dumps a T55xx card Page 0 block 0-7.\n"
2510 "It will create two files (bin/json)",
2511 "lf t55xx dump\n"
2512 "lf t55xx dump -p aabbccdd --override\n"
2513 "lf t55xx dump -f my_lf_dump"
2514 );
2515
2516 // 1 (help) + 4 (two user specified params) + (5 T55XX_DLMODE_SINGLE)
2517 void *argtable[5 + 5] = {
2518 arg_param_begin,
2519 arg_str0("f", "file", "<fn>", "filename (default is generated on blk 0)"),
2520 arg_lit0("o", "override", "override, force pwd read despite danger to card"),
2521 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
2522 arg_lit0(NULL, "ns", "no save to file"),
2523 };
2524 uint8_t idx = 5;
2525 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, T55XX_DLMODE_SINGLE);
2526 CLIExecWithReturn(ctx, Cmd, argtable, true);
2527
2528 int fnlen = 0;
2529 char filename[FILE_PATH_SIZE] = {0};
2530 CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
2531
2532 uint8_t override = arg_get_lit(ctx, 2) ? 1 : 0;
2533
2534 bool usepwd = false;
2535 uint32_t password = 0;
2536 int res = arg_get_u32_hexstr_def_nlen(ctx, 3, 0, &password, 4, true);
2537 if (res == 0 || res == 2) {
2538 PrintAndLogEx(ERR, "Password should be 4 hex bytes");
2539 CLIParserFree(ctx);
2540 return PM3_EINVARG;
2541 }
2542 if (res == 1) {
2543 usepwd = true;
2544 }
2545
2546 bool nosave = arg_get_lit(ctx, 4);
2547
2548 bool r0 = arg_get_lit(ctx, 5);
2549 bool r1 = arg_get_lit(ctx, 6);
2550 bool r2 = arg_get_lit(ctx, 7);
2551 bool r3 = arg_get_lit(ctx, 8);
2552 CLIParserFree(ctx);
2553
2554 if ((r0 + r1 + r2 + r3) > 1) {
2555 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
2556 return PM3_EINVARG;
2557 }
2558
2559 uint8_t downlink_mode = config.downlink_mode;
2560 if (r0)
2561 downlink_mode = refFixedBit;
2562 else if (r1)
2563 downlink_mode = refLongLeading;
2564 else if (r2)
2565 downlink_mode = refLeading0;
2566 else if (r3)
2567 downlink_mode = ref1of4;
2568
2569 bool success = true;
2570
2571 PrintAndLogEx(NORMAL, "");
2572 PrintAndLogEx(INFO, "------------------------- " _CYAN_("T55xx tag memory") " -----------------------------");
2573
2574 // Due to the few different T55xx cards and number of blocks supported
2575 // will save the dump file if ALL page 0 is OK
2576 printT5xxHeader(0);
2577 for (uint8_t i = 0; i < 8; ++i) {
2578 if (T55xxReadBlock(i, 0, usepwd, override, password, downlink_mode) != PM3_SUCCESS) {
2579 success = false;
2580 }
2581
2582 // only show override warning on the first block read
2583 if (override == 1) {
2584 override++;
2585 }
2586 }
2587 printT5xxHeader(1);
2588 for (uint8_t i = 0; i < 4; i++) {
2589 if (T55xxReadBlock(i, 1, usepwd, override, password, downlink_mode) != PM3_SUCCESS) {
2590 T55x7_SaveBlockData(8 + i, 0x00);
2591 }
2592 }
2593
2594 if (nosave) {
2595 PrintAndLogEx(INFO, "Called with no save option");
2596 PrintAndLogEx(NORMAL, "");
2597 return PM3_SUCCESS;
2598 }
2599
2600 // all ok, save dump to file
2601 if (success) {
2602
2603 // set default filename, if not set by user
2604 if (strlen(filename) == 0) {
2605 strcpy(filename, "lf-t55xx");
2606 for (uint8_t i = 1; i <= 7; i++) {
2607 if ((cardmem[i].blockdata != 0x00) && (cardmem[i].blockdata != 0xFFFFFFFF)) {
2608 snprintf(filename + strlen(filename), sizeof(filename) - strlen(filename), "-%08X", cardmem[i].blockdata);
2609 } else {
2610 break;
2611 }
2612 }
2613 strcat(filename, "-dump");
2614 }
2615
2616 // Swap endian so the files match the txt display
2617 uint32_t data[T55x7_BLOCK_COUNT] = {0};
2618
2619 for (int i = 0; i < T55x7_BLOCK_COUNT; i++) {
2620 data[i] = BSWAP_32(cardmem[i].blockdata);
2621 }
2622
2623 pm3_save_dump(filename, (uint8_t *)data, (T55x7_BLOCK_COUNT * sizeof(uint32_t)), jsfT55x7);
2624 }
2625
2626 return PM3_SUCCESS;
2627 }
2628
2629 static int CmdT55xxRestore(const char *Cmd) {
2630 CLIParserContext *ctx;
2631 CLIParserInit(&ctx, "lf t55xx restore",
2632 "Restore T55xx card page 0/1 n blocks from (bin/eml/json) dump file",
2633 "lf t55xx restore -f lf-t55xx-00148040-dump.bin"
2634 );
2635
2636 void *argtable[] = {
2637 arg_param_begin,
2638 arg_str0("f", "file", "<fn>", "Specify a filename for dump file"),
2639 arg_str0("p", "pwd", "<hex>", "password if target card has password set (4 hex bytes)"),
2640 arg_param_end
2641 };
2642 CLIExecWithReturn(ctx, Cmd, argtable, false);
2643
2644 int fnlen = 0;
2645 char filename[FILE_PATH_SIZE] = {0};
2646 CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
2647
2648 bool usepwd = false;
2649 uint32_t password = 0;
2650 int res = arg_get_u32_hexstr_def_nlen(ctx, 2, 0, &password, 4, true);
2651 if (res == 0 || res == 2) {
2652 PrintAndLogEx(ERR, "Password should be 4 hex bytes");
2653 CLIParserFree(ctx);
2654 return PM3_EINVARG;
2655 }
2656 if (res == 1) {
2657 usepwd = true;
2658 }
2659 CLIParserFree(ctx);
2660
2661 if (fnlen == 0) {
2662 PrintAndLogEx(ERR, "Must specify a filename");
2663 return PM3_EINVARG;
2664 }
2665
2666 // read dump file
2667 uint32_t *dump = NULL;
2668 size_t bytes_read = 0;
2669 res = pm3_load_dump(filename, (void **)&dump, &bytes_read, (T55x7_BLOCK_COUNT * 4));
2670 if (res != PM3_SUCCESS) {
2671 return res;
2672 }
2673
2674 if (bytes_read != (T55x7_BLOCK_COUNT * 4)) {
2675 free(dump);
2676 PrintAndLogEx(FAILED, "wrong length of dump file. Expected 48 bytes, got %zu", bytes_read);
2677 return PM3_EFILE;
2678 }
2679
2680 // 12 blocks * 4 bytes per block
2681 // this part creates strings to call "lf t55 write" command.
2682 PrintAndLogEx(INFO, "Starting to write...");
2683
2684 uint8_t downlink_mode;
2685 char wcmd[100];
2686 char pwdopt [14] = {0}; // p XXXXXXXX
2687
2688 if (usepwd) {
2689 snprintf(pwdopt, sizeof(pwdopt), "-p %08X", password);
2690 }
2691
2692 uint8_t idx;
2693 // Restore endien for writing to card
2694 for (idx = 0; idx < 12; idx++) {
2695 dump[idx] = BSWAP_32(dump[idx]);
2696 }
2697
2698 // Have data ready, lets write
2699 // Order
2700 // write blocks 1..7 page 0
2701 // write blocks 1..3 page 1
2702 // update downlink mode (if needed) and write b 0
2703 downlink_mode = 0;
2704 if ((((dump[11] >> 28) & 0xF) == 6) || (((dump[11] >> 28) & 0xF) == 9))
2705 downlink_mode = (dump[11] >> 10) & 3;
2706
2707 // write out blocks 1-7 page 0
2708 for (idx = 1; idx <= 7; idx++) {
2709 snprintf(wcmd, sizeof(wcmd), "-b %d -d %08X %s", idx, dump[idx], pwdopt);
2710
2711 if (CmdT55xxWriteBlock(wcmd) != PM3_SUCCESS) {
2712 PrintAndLogEx(WARNING, "Warning: error writing blk %d", idx);
2713 }
2714 }
2715
2716 // if password was set on the "blank" update as we may have just changed it
2717 if (usepwd) {
2718 snprintf(pwdopt, sizeof(pwdopt), "-p %08X", dump[7]);
2719 }
2720
2721 // write out blocks 1-3 page 1
2722 for (idx = 9; idx <= 11; idx++) {
2723 snprintf(wcmd, sizeof(wcmd), "-b %d --pg1 -d %08X %s", idx - 8, dump[idx], pwdopt);
2724
2725 if (CmdT55xxWriteBlock(wcmd) != PM3_SUCCESS) {
2726 PrintAndLogEx(WARNING, "Warning: error writing blk %d", idx);
2727 }
2728 }
2729
2730 // Update downlink mode for the page 0 config write.
2731 config.downlink_mode = downlink_mode;
2732
2733 // Write the page 0 config
2734 snprintf(wcmd, sizeof(wcmd), "-b 0 -d %08X %s", dump[0], pwdopt);
2735 if (CmdT55xxWriteBlock(wcmd) != PM3_SUCCESS) {
2736 PrintAndLogEx(WARNING, "Warning: error writing blk 0");
2737 }
2738 free(dump);
2739 PrintAndLogEx(INFO, "Done!");
2740 return PM3_SUCCESS;
2741 }
2742 /*
2743 static int CmdT55xxRestore(const char *Cmd) {
2744
2745 uint32_t password = 0;
2746 uint8_t override = 0;
2747 uint8_t downlink_mode = config.downlink_mode;
2748 bool usepwd = false;
2749 bool errors = false;
2750 uint8_t cmdp = 0;
2751
2752 while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
2753 switch (tolower(param_getchar(Cmd, cmdp))) {
2754 case 'h':
2755 return usage_t55xx_restore();
2756 case 'r':
2757 downlink_mode = param_get8ex(Cmd, cmdp + 1, 0, 10);
2758 if (downlink_mode > 3)
2759 downlink_mode = 0;
2760
2761 cmdp += 2;
2762 break;
2763 case 'p':
2764 password = param_get32ex(Cmd, cmdp + 1, 0, 16);
2765 usepwd = true;
2766 cmdp += 2;
2767 break;
2768 case 'o':
2769 override = 1;
2770 cmdp++;
2771 break;
2772 default:
2773 PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
2774 errors = true;
2775 break;
2776 }
2777 }
2778 if (errors) return usage_t55xx_restore();
2779
2780 PrintAndLogEx(INFO, "Work in progress. To be implemented");
2781 if (usepwd || password || override ) {
2782
2783 }
2784 // load file name (json/eml/bin)
2785
2786 // Print dump data?
2787
2788 uint32_t res = PM3_SUCCESS;
2789
2790 // page0.
2791 // res = clone_t55xx_tag(blockdata, numblocks);
2792
2793 return res;
2794 }
2795 */
2796 bool AcquireData(uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode) {
2797 // arg0 bitmodes:
2798 // b0 = pwdmode
2799 // b1 = page to read from
2800 // b2 = brute_mem (armside function)
2801 // arg1: which block to read
2802 // arg2: password
2803 struct p {
2804 uint32_t password;
2805 uint8_t blockno;
2806 uint8_t page;
2807 bool pwdmode;
2808 uint8_t downlink_mode;
2809 } PACKED;
2810 struct p payload;
2811 payload.password = password;
2812 payload.blockno = block;
2813 payload.page = page & 0x1;
2814 payload.pwdmode = pwdmode;
2815 payload.downlink_mode = downlink_mode;
2816
2817 clearCommandBuffer();
2818 SendCommandNG(CMD_LF_T55XX_READBL, (uint8_t *)&payload, sizeof(payload));
2819 if (!WaitForResponseTimeout(CMD_LF_T55XX_READBL, NULL, 2500)) {
2820 PrintAndLogEx(WARNING, "command execution time out");
2821 return false;
2822 }
2823
2824 getSamples(12000, false);
2825 bool ok = !getSignalProperties()->isnoise;
2826
2827 config.usepwd = pwdmode;
2828 return ok;
2829 }
2830
2831 char *GetPskCfStr(uint32_t id, bool q5) {
2832 static char buf[40];
2833 char *retStr = buf;
2834 switch (id) {
2835 case 0:
2836 snprintf(retStr, sizeof(buf), "%u - RF/2", id);
2837 break;
2838 case 1:
2839 snprintf(retStr, sizeof(buf), "%u - RF/4", id);
2840 break;
2841 case 2:
2842 snprintf(retStr, sizeof(buf), "%u - RF/8", id);
2843 break;
2844 case 3:
2845 if (q5)
2846 snprintf(retStr, sizeof(buf), "%u - RF/8", id);
2847 else
2848 snprintf(retStr, sizeof(buf), "%u - " _RED_("(Unknown)"), id);
2849 break;
2850 default:
2851 snprintf(retStr, sizeof(buf), "%u - " _RED_("(Unknown)"), id);
2852 break;
2853 }
2854 return buf;
2855 }
2856
2857 char *GetBitRateStr(uint32_t id, bool xmode) {
2858 static char buf[35];
2859
2860 char *retStr = buf;
2861 if (xmode) { //xmode bitrate calc is same as em4x05 calc
2862 snprintf(retStr, sizeof(buf), "%u - RF/%u", id, EM4x05_GET_BITRATE(id));
2863 } else {
2864 switch (id) {
2865 case 0:
2866 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/8"), id);
2867 break;
2868 case 1:
2869 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/16"), id);
2870 break;
2871 case 2:
2872 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/32"), id);
2873 break;
2874 case 3:
2875 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/40"), id);
2876 break;
2877 case 4:
2878 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/50"), id);
2879 break;
2880 case 5:
2881 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/64"), id);
2882 break;
2883 case 6:
2884 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/100"), id);
2885 break;
2886 case 7:
2887 snprintf(retStr, sizeof(buf), "%u - "_GREEN_("RF/128"), id);
2888 break;
2889 default:
2890 snprintf(retStr, sizeof(buf), "%u - " _RED_("(Unknown)"), id);
2891 break;
2892 }
2893 }
2894 return buf;
2895 }
2896
2897 char *GetSaferStr(uint32_t id) {
2898 static char buf[40];
2899 char *retStr = buf;
2900
2901 snprintf(retStr, sizeof(buf), "%u", id);
2902 if (id == 6) {
2903 snprintf(retStr, sizeof(buf), "%u - " _YELLOW_("passwd"), id);
2904 }
2905 if (id == 9) {
2906 snprintf(retStr, sizeof(buf), "%u - " _YELLOW_("testmode"), id);
2907 }
2908
2909 return buf;
2910 }
2911
2912 char *GetModulationStr(uint32_t id, bool xmode) {
2913 static char buf[60];
2914 char *retStr = buf;
2915
2916 switch (id) {
2917 case 0:
2918 snprintf(retStr, sizeof(buf), "%u - DIRECT (ASK/NRZ)", id);
2919 break;
2920 case 1:
2921 snprintf(retStr, sizeof(buf), "%u - PSK 1 phase change when input changes", id);
2922 break;
2923 case 2:
2924 snprintf(retStr, sizeof(buf), "%u - PSK 2 phase change on bitclk if input high", id);
2925 break;
2926 case 3:
2927 snprintf(retStr, sizeof(buf), "%u - PSK 3 phase change on rising edge of input", id);
2928 break;
2929 case 4:
2930 snprintf(retStr, sizeof(buf), "%u - FSK 1 RF/8 RF/5", id);
2931 break;
2932 case 5:
2933 snprintf(retStr, sizeof(buf), "%u - FSK 2 RF/8 RF/10", id);
2934 break;
2935 case 6:
2936 snprintf(retStr, sizeof(buf), "%u - %s RF/5 RF/8", id, (xmode) ? "FSK 1a" : _YELLOW_("FSK 1a"));
2937 break;
2938 case 7:
2939 snprintf(retStr, sizeof(buf), "%u - %s RF/10 RF/8", id, (xmode) ? "FSK 2a" : _YELLOW_("FSK 2a"));
2940 break;
2941 case 8:
2942 snprintf(retStr, sizeof(buf), "%u - Manchester", id);
2943 break;
2944 case 16:
2945 snprintf(retStr, sizeof(buf), "%u - Biphase", id);
2946 break;
2947 case 24:
2948 snprintf(retStr, sizeof(buf), "%u - %s", id, (xmode) ? "Biphase a - AKA Conditional Dephase Encoding(CDP)" : _YELLOW_("Reserved"));
2949 break;
2950 default:
2951 snprintf(retStr, sizeof(buf), "0x%02X " _RED_("(Unknown)"), id);
2952 break;
2953 }
2954 return buf;
2955 }
2956
2957 char *GetDownlinkModeStr(uint8_t downlink_mode) {
2958 static char buf[30];
2959 char *retStr = buf;
2960
2961 switch (downlink_mode) {
2962 case T55XX_DLMODE_FIXED :
2963 snprintf(retStr, sizeof(buf), "default/fixed bit length");
2964 break;
2965 case T55XX_DLMODE_LLR :
2966 snprintf(retStr, sizeof(buf), "long leading reference");
2967 break;
2968 case T55XX_DLMODE_LEADING_ZERO :
2969 snprintf(retStr, sizeof(buf), "leading zero reference");
2970 break;
2971 case T55XX_DLMODE_1OF4 :
2972 snprintf(retStr, sizeof(buf), "1 of 4 coding reference");
2973 break;
2974 default:
2975 snprintf(retStr, sizeof(buf), _RED_("(Unknown)"));
2976 break;
2977 }
2978 return buf;
2979 }
2980
2981 char *GetQ5ModulationStr(uint32_t id) {
2982 static char buf[60];
2983 char *retStr = buf;
2984
2985 switch (id) {
2986 case 0:
2987 snprintf(retStr, sizeof(buf), "%u - Manchester", id);
2988 break;
2989 case 1:
2990 snprintf(retStr, sizeof(buf), "%u - PSK 1 phase change when input changes", id);
2991 break;
2992 case 2:
2993 snprintf(retStr, sizeof(buf), "%u - PSK 2 phase change on bitclk if input high", id);
2994 break;
2995 case 3:
2996 snprintf(retStr, sizeof(buf), "%u - PSK 3 phase change on rising edge of input", id);
2997 break;
2998 case 4:
2999 snprintf(retStr, sizeof(buf), "%u - FSK 1a RF/5 RF/8", id);
3000 break;
3001 case 5:
3002 snprintf(retStr, sizeof(buf), "%u - FSK 2a RF/10 RF/8", id);
3003 break;
3004 case 6:
3005 snprintf(retStr, sizeof(buf), "%u - Biphase", id);
3006 break;
3007 case 7:
3008 snprintf(retStr, sizeof(buf), "%u - NRZ / Direct", id);
3009 break;
3010 }
3011 return buf;
3012 }
3013
3014 char *GetModelStrFromCID(uint32_t cid) {
3015
3016 static char buf[10];
3017 char *retStr = buf;
3018
3019 if (cid == 1) snprintf(retStr, sizeof(buf), "ATA5577M1");
3020 if (cid == 2) snprintf(retStr, sizeof(buf), "ATA5577M2");
3021 if (cid == 3) snprintf(retStr, sizeof(buf), "ATA5577M3");
3022 return buf;
3023 }
3024
3025 char *GetConfigBlock0Source(uint8_t id) {
3026
3027 static char buf[40];
3028 char *retStr = buf;
3029
3030 switch (id) {
3031 case AUTODETECT:
3032 snprintf(retStr, sizeof(buf), _YELLOW_("(auto detect)"));
3033 break;
3034 case USERSET:
3035 snprintf(retStr, sizeof(buf), _YELLOW_("(user set)"));
3036 break;
3037 case TAGREAD:
3038 snprintf(retStr, sizeof(buf), _GREEN_("(tag read)"));
3039 break;
3040 default:
3041 snprintf(retStr, sizeof(buf), _RED_("(n/a)"));
3042 break;
3043 }
3044 return buf;
3045 }
3046
3047 char *GetSelectedModulationStr(uint8_t id) {
3048
3049 static char buf[20];
3050 char *retStr = buf;
3051
3052 switch (id) {
3053 case DEMOD_FSK:
3054 snprintf(retStr, sizeof(buf), "FSK");
3055 break;
3056 case DEMOD_FSK1:
3057 snprintf(retStr, sizeof(buf), "FSK1");
3058 break;
3059 case DEMOD_FSK1a:
3060 snprintf(retStr, sizeof(buf), "FSK1a");
3061 break;
3062 case DEMOD_FSK2:
3063 snprintf(retStr, sizeof(buf), "FSK2");
3064 break;
3065 case DEMOD_FSK2a:
3066 snprintf(retStr, sizeof(buf), "FSK2a");
3067 break;
3068 case DEMOD_ASK:
3069 snprintf(retStr, sizeof(buf), "ASK");
3070 break;
3071 case DEMOD_NRZ:
3072 snprintf(retStr, sizeof(buf), "DIRECT/NRZ");
3073 break;
3074 case DEMOD_PSK1:
3075 snprintf(retStr, sizeof(buf), "PSK1");
3076 break;
3077 case DEMOD_PSK2:
3078 snprintf(retStr, sizeof(buf), "PSK2");
3079 break;
3080 case DEMOD_PSK3:
3081 snprintf(retStr, sizeof(buf), "PSK3");
3082 break;
3083 case DEMOD_BI:
3084 snprintf(retStr, sizeof(buf), "BIPHASE");
3085 break;
3086 case DEMOD_BIa:
3087 snprintf(retStr, sizeof(buf), "BIPHASEa - (CDP)");
3088 break;
3089 default:
3090 snprintf(retStr, sizeof(buf), _RED_("(Unknown)"));
3091 break;
3092 }
3093 return buf;
3094 }
3095
3096 /*
3097 static void t55x7_create_config_block(int tagtype) {
3098
3099 // T55X7_DEFAULT_CONFIG_BLOCK, T55X7_RAW_CONFIG_BLOCK
3100 // T55X7_EM_UNIQUE_CONFIG_BLOCK, T55X7_FDXB_CONFIG_BLOCK,
3101 // T55X7_FDXB_CONFIG_BLOCK, T55X7_HID_26_CONFIG_BLOCK, T55X7_INDALA_64_CONFIG_BLOCK, T55X7_INDALA_224_CONFIG_BLOCK
3102 // T55X7_GUARDPROXII_CONFIG_BLOCK, T55X7_VIKING_CONFIG_BLOCK, T55X7_NORALYS_CONFIG_BLOCK, T55X7_IOPROX_CONFIG_BLOCK
3103 static char buf[60];
3104 char *retStr = buf;
3105
3106 switch (tagtype) {
3107 case 0:
3108 snprintf(retStr, sizeof(buf), "%08X - T55X7 Default", T55X7_DEFAULT_CONFIG_BLOCK);
3109 break;
3110 case 1:
3111 snprintf(retStr, sizeof(buf), "%08X - T55X7 Raw", T55X7_RAW_CONFIG_BLOCK);
3112 break;
3113 case 2:
3114 snprintf(retStr, sizeof(buf), "%08X - Q5/T5555 Default", T5555_DEFAULT_CONFIG_BLOCK);
3115 break;
3116 default:
3117 break;
3118 }
3119 PrintAndLogEx(NORMAL, buf);
3120 }
3121 */
3122
3123 static int CmdResetRead(const char *Cmd) {
3124
3125 CLIParserContext *ctx;
3126 CLIParserInit(&ctx, "lf t55xx resetread",
3127 "Send Reset Cmd then `lf read` the stream to attempt\n"
3128 "to identify the start of it (needs a demod and/or plot after)",
3129 "lf t55xx resetread"
3130 );
3131
3132 // 1 (help) + 0(one user specified params) + (5 T55XX_DLMODE_SINGLE)
3133 void *argtable[2 + 5] = {
3134 arg_param_begin,
3135 arg_lit0("1", NULL, "extract using data from graphbuffer"),
3136 };
3137 uint8_t idx = 2;
3138 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
3139 CLIExecWithReturn(ctx, Cmd, argtable, true);
3140
3141 bool r0 = arg_get_lit(ctx, 1);
3142 bool r1 = arg_get_lit(ctx, 2);
3143 bool r2 = arg_get_lit(ctx, 3);
3144 bool r3 = arg_get_lit(ctx, 4);
3145 CLIParserFree(ctx);
3146
3147 if ((r0 + r1 + r2 + r3) > 1) {
3148 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
3149 return PM3_EINVARG;
3150 }
3151
3152 uint8_t downlink_mode = config.downlink_mode;
3153 if (r0)
3154 downlink_mode = refFixedBit;
3155 else if (r1)
3156 downlink_mode = refLongLeading;
3157 else if (r2)
3158 downlink_mode = refLeading0;
3159 else if (r3)
3160 downlink_mode = ref1of4;
3161
3162 uint8_t flags = downlink_mode << 3;
3163
3164 PrintAndLogEx(INFO, "Sending reset command...");
3165
3166 PacketResponseNG resp;
3167 clearCommandBuffer();
3168 SendCommandNG(CMD_LF_T55XX_RESET_READ, &flags, sizeof(flags));
3169 if (WaitForResponseTimeout(CMD_LF_T55XX_RESET_READ, &resp, 2500) == false) {
3170 PrintAndLogEx(WARNING, "command execution time out");
3171 return PM3_ETIMEOUT;
3172 }
3173
3174 if (resp.status == PM3_SUCCESS) {
3175
3176 uint16_t gotsize = g_pm3_capabilities.bigbuf_size - 1;
3177 uint8_t *got = calloc(gotsize, sizeof(uint8_t));
3178 if (got == NULL) {
3179 PrintAndLogEx(WARNING, "failed to allocate memory");
3180 return PM3_EMALLOC;
3181 }
3182
3183 PrintAndLogEx(INFO, "Downloading samples...");
3184 if (!GetFromDevice(BIG_BUF, got, gotsize, 0, NULL, 0, NULL, 2500, false)) {
3185 PrintAndLogEx(WARNING, "command execution time out");
3186 free(got);
3187 return PM3_ETIMEOUT;
3188 }
3189 setGraphBuffer(got, gotsize);
3190 free(got);
3191 }
3192
3193 PrintAndLogEx(INFO, "Done!");
3194 return PM3_SUCCESS;
3195 }
3196
3197 static int CmdT55xxWipe(const char *Cmd) {
3198 CLIParserContext *ctx;
3199 CLIParserInit(&ctx, "lf t55xx wipe",
3200 "This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block",
3201 "lf t55xx wipe -> wipes a T55x7 tag, config block 0x000880E0\n"
3202 "lf t55xx wipe --q5 -> wipes a Q5/T5555 tag, config block 0x6001F004\n"
3203 "lf t55xx wipe -p 11223344 -> wipes a T55x7 tag, config block 0x000880E0, using pwd"
3204 );
3205
3206 // 1 (help) + 3 (three user specified params) + (5 T55XX_DLMODE_SINGLE)
3207 void *argtable[4 + 5] = {
3208 arg_param_begin,
3209 arg_str0("c", "cfg", "<hex>", "configuration block0 (4 hex bytes)"),
3210 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
3211 arg_lit0(NULL, "q5", "specify writing to Q5/T5555 tag using dedicated config block"),
3212 };
3213 uint8_t idx = 4;
3214 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
3215 CLIExecWithReturn(ctx, Cmd, argtable, true);
3216
3217 bool usepwd = false, gotconf = false;
3218 uint32_t block0 = 0;
3219 int res = arg_get_u32_hexstr_def(ctx, 1, 0, &block0);
3220 if (res == 1) {
3221 gotconf = true;
3222 }
3223 if (res == 2) {
3224 CLIParserFree(ctx);
3225 PrintAndLogEx(WARNING, "config block needs to be 4 hex bytes");
3226 return PM3_EINVARG;
3227 }
3228
3229 uint32_t password = 0;
3230 res = arg_get_u32_hexstr_def(ctx, 2, 0x51243648, &password);
3231 if (res) {
3232 usepwd = true;
3233 }
3234
3235 if (res == 2) {
3236 PrintAndLogEx(WARNING, "Password should be 4 bytes, using default pwd");
3237 }
3238
3239 bool Q5 = arg_get_lit(ctx, 3);
3240 CLIParserFree(ctx);
3241
3242 PrintAndLogEx(INFO, "Target " _YELLOW_("%s")" tag", (Q5) ? "Q5/T5555" : "T55x7");
3243
3244 // default config blocks.
3245 if (gotconf == false) {
3246 block0 = (Q5) ? 0x6001F004 : 0x000880E0;
3247 }
3248
3249 if (usepwd)
3250 PrintAndLogEx(INFO, "Using password " _GREEN_("%08X"), password);
3251
3252 char msg[80] = {0};
3253 if (gotconf)
3254 snprintf(msg, sizeof(msg), "User provided configuration block " _GREEN_("%08X"), block0);
3255 else
3256 snprintf(msg, sizeof(msg), "Default configuration block " _GREEN_("%08X"), block0);
3257
3258 PrintAndLogEx(INFO, "%s\n", msg);
3259
3260 PrintAndLogEx(INFO, "Begin wiping...");
3261
3262 // Creating cmd string for write block :)
3263 char wcmd[36] = {0};
3264 char *pwcmd = wcmd;
3265
3266 snprintf(pwcmd, sizeof(wcmd), "-b 0 ");
3267
3268 if (usepwd) {
3269 snprintf(pwcmd + strlen(wcmd), sizeof(wcmd) - strlen(wcmd), "-p %08x ", password);
3270 }
3271 snprintf(pwcmd + strlen(wcmd), sizeof(wcmd) - strlen(wcmd), "-d %08X", block0);
3272
3273 if (CmdT55xxWriteBlock(pwcmd) != PM3_SUCCESS)
3274 PrintAndLogEx(WARNING, "Warning: error writing blk 0");
3275
3276 for (uint8_t blk = 1; blk < 8; blk++) {
3277
3278 snprintf(pwcmd, sizeof(wcmd), "-b %d -d 00000000", blk);
3279
3280 if (CmdT55xxWriteBlock(pwcmd) != PM3_SUCCESS)
3281 PrintAndLogEx(WARNING, "Warning: error writing blk %d", blk);
3282
3283 memset(wcmd, 0x00, sizeof(wcmd));
3284 }
3285
3286 // Check and rest t55xx downlink mode.
3287 if (config.downlink_mode != T55XX_DLMODE_FIXED) { // Detect found a different mode so card must support
3288 snprintf(pwcmd, sizeof(wcmd), "-b 3 --pg1 -d 00000000");
3289 if (CmdT55xxWriteBlock(pwcmd) != PM3_SUCCESS) {
3290 PrintAndLogEx(WARNING, "Warning: failed writing block 3 page 1 (config)");
3291 }
3292 memset(wcmd, 0x00, sizeof(wcmd));
3293 }
3294 return PM3_SUCCESS;
3295 }
3296
3297 static bool IsCancelled(void) {
3298 if (kbd_enter_pressed()) {
3299 PrintAndLogEx(WARNING, "\naborted via keyboard!\n");
3300 return true;
3301 }
3302 return false;
3303 }
3304
3305 // load a default pwd file.
3306 static int CmdT55xxChkPwds(const char *Cmd) {
3307 CLIParserContext *ctx;
3308 CLIParserInit(&ctx, "lf t55xx chk",
3309 "This command uses a dictionary attack.\n"
3310 "For some cloners, try '--em' for known pwdgen algo.\n"
3311 "Try to reading Page 0 block 7 before.\n"
3312 _RED_("WARNING:") _CYAN_(" this may brick non-password protected chips!"),
3313 "lf t55xx chk -m -> use dictionary from flash memory (RDV4)\n"
3314 "lf t55xx chk -f my_dictionary_pwds -> loads a default keys dictionary file\n"
3315 "lf t55xx chk --em aa11223344 -> try known pwdgen algo from some cloners based on EM4100 ID"
3316 );
3317
3318 /*
3319 Calculate size of argtable accordingly:
3320 1 (help) + 3 (three user specified params) + ( 5 or 6 T55XX_DLMODE)
3321 start index to call arg_add_t55xx_downloadlink() is 4 (1 + 3) given the above sample
3322 */
3323
3324 // 1 (help) + 3 (three user specified params) + (6 T55XX_DLMODE_ALL)
3325 void *argtable[4 + 6] = {
3326 arg_param_begin,
3327 arg_lit0("m", "fm", "use dictionary from flash memory (RDV4)"),
3328 arg_str0("f", "file", "<fn>", "file name"),
3329 arg_str0(NULL, "em", "<hex>", "EM4100 ID (5 hex bytes)"),
3330 };
3331 uint8_t idx = 4;
3332 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
3333 CLIExecWithReturn(ctx, Cmd, argtable, true);
3334
3335 bool from_flash = arg_get_lit(ctx, 1);
3336
3337 int fnlen = 0;
3338 char filename[FILE_PATH_SIZE] = {0};
3339 CLIParamStrToBuf(arg_get_str(ctx, 2), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
3340
3341 // White cloner password based on EM4100 ID
3342 bool use_calc_password = false;
3343 uint32_t card_password = 0x00;
3344 uint64_t cardid = 0;
3345 int res = arg_get_u64_hexstr_def_nlen(ctx, 3, 0x00, &cardid, 5, true);
3346 if (res == 1) {
3347 use_calc_password = true;
3348 uint32_t calc = cardid & 0xFFFFFFFF;
3349 card_password = lf_t55xx_white_pwdgen(calc);
3350 }
3351 if (res == 2) {
3352 CLIParserFree(ctx);
3353 PrintAndLogEx(WARNING, "EM4100 ID must be 5 hex bytes");
3354 return PM3_EINVARG;
3355 }
3356 if (res == 0) {
3357 CLIParserFree(ctx);
3358 return PM3_EINVARG;
3359 }
3360
3361 bool r0 = arg_get_lit(ctx, 4);
3362 bool r1 = arg_get_lit(ctx, 5);
3363 bool r2 = arg_get_lit(ctx, 6);
3364 bool r3 = arg_get_lit(ctx, 7);
3365 bool ra = arg_get_lit(ctx, 8);
3366 CLIParserFree(ctx);
3367
3368 if ((r0 + r1 + r2 + r3 + ra) > 1) {
3369 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
3370 return PM3_EINVARG;
3371 }
3372
3373 uint8_t downlink_mode = refFixedBit; // Password checks should always start with default/fixed bit unluess requested by user for specific mode
3374 // if (r0 || ra) // ra should start downlink mode ad fixed bit to loop through all modes correctly
3375 // downlink_mode = refFixedBit;
3376 // else
3377 if (r1)
3378 downlink_mode = refLongLeading;
3379 else if (r2)
3380 downlink_mode = refLeading0;
3381 else if (r3)
3382 downlink_mode = ref1of4;
3383
3384 bool use_pwd_file = true; // Assume we are going to use a file, unless turned off later.
3385
3386 if (strlen(filename) == 0) {
3387 snprintf(filename, sizeof(filename), "t55xx_default_pwds");
3388 }
3389
3390 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
3391 PrintAndLogEx(NORMAL, "");
3392 /*
3393 // block 7, page1 = false, usepwd = false, override = false, pwd = 00000000
3394 if ( T55xxReadBlock(7, false, false, false, 0x00000000) == PM3_SUCCESS) {
3395
3396 // now try to validate it..
3397 PrintAndLogEx(WARNING, "\n Block 7 was readable");
3398 return PM3_SUCCESS;
3399 }
3400 */
3401
3402 bool found = false;
3403
3404 uint64_t t1 = msclock();
3405 uint8_t flags = downlink_mode << 3;
3406
3407 if (from_flash) {
3408 use_pwd_file = false; // turn of local password file since we are checking from flash.
3409 clearCommandBuffer();
3410 SendCommandNG(CMD_LF_T55XX_CHK_PWDS, &flags, sizeof(flags));
3411 PacketResponseNG resp;
3412
3413 uint8_t timeout = 0;
3414 while (!WaitForResponseTimeout(CMD_LF_T55XX_CHK_PWDS, &resp, 2000)) {
3415 timeout++;
3416 PrintAndLogEx(NORMAL, "." NOLF);
3417 if (timeout > 180) {
3418 PrintAndLogEx(WARNING, "\nno response from Proxmark3. Aborting...");
3419 return PM3_ENODATA;
3420 }
3421 }
3422 PrintAndLogEx(NORMAL, "");
3423 struct p {
3424 bool found;
3425 uint32_t candidate;
3426 } PACKED;
3427 struct p *packet = (struct p *)resp.data.asBytes;
3428
3429 if (packet->found) {
3430 PrintAndLogEx(SUCCESS, "\nfound a candidate [ " _YELLOW_("%08"PRIX32) " ]", packet->candidate);
3431
3432 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, packet->candidate, downlink_mode)) {
3433 found = t55xxTryDetectModulationEx(downlink_mode, T55XX_PrintConfig, 0, packet->candidate);
3434 if (found) {
3435 PrintAndLogEx(SUCCESS, "found valid password [ " _GREEN_("%08"PRIX32) " ]", packet->candidate);
3436
3437 } else {
3438 PrintAndLogEx(WARNING, "check pwd failed");
3439 }
3440 } else {
3441 PrintAndLogEx(WARNING, "check pwd failed");
3442 }
3443 } else {
3444 PrintAndLogEx(WARNING, "check pwd failed");
3445 }
3446 goto out;
3447 }
3448
3449 // to try each downlink mode for each password
3450 int dl_mode;
3451
3452 // try calculated password
3453 if (use_calc_password) {
3454
3455 PrintAndLogEx(INFO, "testing %08"PRIX32" generated ", card_password);
3456 for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) {
3457
3458 if (!AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, card_password, dl_mode)) {
3459 continue;
3460 }
3461
3462 found = t55xxTryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, card_password);
3463 if (found) {
3464 PrintAndLogEx(SUCCESS, "found valid password : [ " _GREEN_("%08"PRIX32) " ]", card_password);
3465 break;
3466 }
3467
3468 if (ra == false)
3469 break;
3470 }
3471 }
3472
3473 if ((found == false) && use_pwd_file) {
3474 uint32_t keycount = 0;
3475 uint8_t *keyblock = NULL;
3476
3477 res = loadFileDICTIONARY_safe(filename, (void **) &keyblock, 4, &keycount);
3478 if (res != PM3_SUCCESS || keycount == 0 || keyblock == NULL) {
3479 PrintAndLogEx(WARNING, "no keys found in file");
3480 if (keyblock != NULL)
3481 free(keyblock);
3482
3483 return PM3_ESOFT;
3484 }
3485
3486 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
3487
3488 for (uint32_t c = 0; c < keycount && found == false; ++c) {
3489
3490 if (!g_session.pm3_present) {
3491 PrintAndLogEx(WARNING, "device offline\n");
3492 free(keyblock);
3493 return PM3_ENODATA;
3494 }
3495
3496 if (IsCancelled()) {
3497 free(keyblock);
3498 return PM3_EOPABORTED;
3499 }
3500
3501 uint32_t curr_password = bytes_to_num(keyblock + 4 * c, 4);
3502
3503 PrintAndLogEx(INFO, "testing %08"PRIX32, curr_password);
3504 for (dl_mode = downlink_mode; dl_mode <= 3; dl_mode++) {
3505 // If acquire fails, then we still need to check if we are only trying a single downlink mode.
3506 // If we continue on fail, it will skip that test and try the next downlink mode; thus slowing down the check
3507 // when on a single downlink mode is wanted.
3508 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, curr_password, dl_mode)) {
3509 found = t55xxTryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, curr_password);
3510 if (found) {
3511 PrintAndLogEx(SUCCESS, "found valid password: [ " _GREEN_("%08"PRIX32) " ]", curr_password);
3512 break;
3513 }
3514 }
3515 if (ra == false) // Exit loop if not trying all downlink modes
3516 break;
3517 }
3518 }
3519
3520 free(keyblock);
3521 }
3522
3523 if (found == false)
3524 PrintAndLogEx(WARNING, "failed to find password");
3525
3526 out:
3527 t1 = msclock() - t1;
3528 PrintAndLogEx(SUCCESS, "\ntime in check pwd " _YELLOW_("%.0f") " seconds\n", (float)t1 / 1000.0);
3529 return PM3_SUCCESS;
3530 }
3531
3532 // Bruteforce - incremental password range search
3533 static int CmdT55xxBruteForce(const char *Cmd) {
3534 CLIParserContext *ctx;
3535 CLIParserInit(&ctx, "lf t55xx bruteforce",
3536 "This command uses bruteforce to scan a number range.\n"
3537 "Try reading Page 0, block 7 before.\n\n"
3538 _RED_("WARNING") _CYAN_(" this may brick non-password protected chips!"),
3539 "lf t55xx bruteforce --r2 -s aaaaaa77 -e aaaaaa99\n"
3540 );
3541
3542 // 1 (help) + 2 (two user specified params) + (6 T55XX_DLMODE_ALL)
3543 void *argtable[3 + 6] = {
3544 arg_param_begin,
3545 arg_str1("s", "start", "<hex>", "search start password (4 hex bytes)"),
3546 arg_str1("e", "end", "<hex>", "search end password (4 hex bytes)"),
3547 };
3548 uint8_t idx = 3;
3549 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
3550 CLIExecWithReturn(ctx, Cmd, argtable, true);
3551
3552 uint32_t start_password = 0;
3553 int res = arg_get_u32_hexstr_def(ctx, 1, 0, &start_password);
3554 if (res == 2) {
3555 CLIParserFree(ctx);
3556 PrintAndLogEx(FAILED, "start password should be 4 bytes");
3557 return PM3_EINVARG;
3558 }
3559
3560 uint32_t end_password = 0xFFFFFFFF;
3561 res = arg_get_u32_hexstr_def(ctx, 2, 0xFFFFFFFF, &end_password);
3562 if (res == 2) {
3563 CLIParserFree(ctx);
3564 PrintAndLogEx(FAILED, "end password should be 4 bytes");
3565 return PM3_EINVARG;
3566 }
3567
3568 bool r0 = arg_get_lit(ctx, 3);
3569 bool r1 = arg_get_lit(ctx, 4);
3570 bool r2 = arg_get_lit(ctx, 5);
3571 bool r3 = arg_get_lit(ctx, 6);
3572 bool ra = arg_get_lit(ctx, 7);
3573 CLIParserFree(ctx);
3574
3575 if ((r0 + r1 + r2 + r3 + ra) > 1) {
3576 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
3577 return PM3_EINVARG;
3578 }
3579
3580 uint8_t downlink_mode = refFixedBit; // if no downlink mode suppliled use fixed bit/default as the is the most common
3581 // Since we don't know the password the config.downlink mode is of little value.
3582 // if (r0 || ra) // if try all (ra) then start at fixed bit for correct try all
3583 // downlink_mode = refFixedBit;
3584 // else
3585 if (r1)
3586 downlink_mode = refLongLeading;
3587 else if (r2)
3588 downlink_mode = refLeading0;
3589 else if (r3)
3590 downlink_mode = ref1of4;
3591
3592 uint32_t curr = 0;
3593 uint8_t found = 0; // > 0 if found xx1 xx downlink needed, 1 found
3594
3595 if (start_password > end_password) {
3596 PrintAndLogEx(FAILED, "Error, start larger then end password");
3597 return PM3_EINVARG;
3598 }
3599
3600 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
3601 PrintAndLogEx(INFO, "Search password range [%08X -> %08X]", start_password, end_password);
3602
3603 uint64_t t1 = msclock();
3604 curr = start_password;
3605
3606 while (found == 0) {
3607
3608 PrintAndLogEx(NORMAL, "." NOLF);
3609
3610 if (IsCancelled()) {
3611 return PM3_EOPABORTED;
3612 }
3613
3614 found = t55xx_try_one_password(curr, downlink_mode, ra);
3615
3616 if (curr == end_password)
3617 break;
3618
3619 curr++;
3620 }
3621
3622 PrintAndLogEx(NORMAL, "");
3623
3624 if (found) {
3625 if (curr != end_password) {
3626 PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr - 1);
3627 } else
3628 PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr);
3629 T55xx_Print_DownlinkMode((found >> 1) & 3);
3630 } else
3631 PrintAndLogEx(WARNING, "Bruteforce failed, last tried: [ " _YELLOW_("%08X") " ]", curr);
3632
3633 t1 = msclock() - t1;
3634 PrintAndLogEx(SUCCESS, "\ntime in bruteforce " _YELLOW_("%.0f") " seconds\n", (float)t1 / 1000.0);
3635 return PM3_SUCCESS;
3636 }
3637
3638 uint8_t t55xx_try_one_password(uint32_t password, uint8_t downlink_mode, bool try_all_dl_modes) {
3639
3640 PrintAndLogEx(INFO, "Trying password %08X", password);
3641
3642 // ensure 0-3
3643 downlink_mode = (downlink_mode & 3);
3644
3645 // check if dl mode 4 and loop if needed
3646 for (uint8_t dl_mode = downlink_mode; dl_mode < 4; dl_mode++) {
3647
3648 if (AcquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, password, dl_mode)) {
3649 // if (getSignalProperties()->isnoise == false) {
3650 // } else {
3651 if (t55xxTryDetectModulationEx(dl_mode, T55XX_PrintConfig, 0, password)) {
3652 return 1 + (dl_mode << 1);
3653 }
3654 // }
3655 }
3656 if (try_all_dl_modes == false) {
3657 break;
3658 }
3659 }
3660 return 0;
3661 }
3662
3663 static int CmdT55xxRecoverPW(const char *Cmd) {
3664 CLIParserContext *ctx;
3665 CLIParserInit(&ctx, "lf t55xx recoverpw",
3666 "This command uses a few tricks to try to recover mangled password.\n"
3667 "Try reading Page 0, block 7 before.\n\n"
3668 _RED_("WARNING") _CYAN_(" this may brick non-password protected chips!"),
3669 "lf t55xx recoverpw\n"
3670 "lf t55xx recoverpw -p 11223344\n"
3671 "lf t55xx recoverpw -p 11223344 --r3\n"
3672 );
3673
3674 // 1 (help) + 1 (one user specified params) + (6 T55XX_DLMODE_ALL)
3675 void *argtable[2 + 6] = {
3676 arg_param_begin,
3677 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
3678 };
3679 uint8_t idx = 2;
3680 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_ALL, T55XX_DLMODE_ALL);
3681 CLIExecWithReturn(ctx, Cmd, argtable, true);
3682
3683 uint32_t orig_password = 0;
3684 int res = arg_get_u32_hexstr_def(ctx, 1, 0x51243648, &orig_password);
3685 if (res == 2) {
3686 PrintAndLogEx(INFO, "Password should be 4 bytes, using default pwd instead");
3687 }
3688
3689 bool r0 = arg_get_lit(ctx, 2);
3690 bool r1 = arg_get_lit(ctx, 3);
3691 bool r2 = arg_get_lit(ctx, 4);
3692 bool r3 = arg_get_lit(ctx, 5);
3693 bool ra = arg_get_lit(ctx, 6);
3694 CLIParserFree(ctx);
3695
3696 if ((r0 + r1 + r2 + r3 + ra) > 1) {
3697 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
3698 return PM3_EINVARG;
3699 }
3700
3701 uint8_t downlink_mode = config.downlink_mode;
3702 if (r0)
3703 downlink_mode = refFixedBit;
3704 else if (r1)
3705 downlink_mode = refLongLeading;
3706 else if (r2)
3707 downlink_mode = refLeading0;
3708 else if (r3)
3709 downlink_mode = ref1of4;
3710
3711 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
3712
3713 int bit = 0;
3714 uint32_t curr_password = 0x0;
3715 uint32_t prev_password = 0xffffffff;
3716 uint32_t mask = 0x0;
3717 uint8_t found = 0;
3718
3719 // first try fliping each bit in the expected password
3720 while (bit < 32) {
3721 curr_password = orig_password ^ (1u << bit);
3722 found = t55xx_try_one_password(curr_password, downlink_mode, ra);
3723 if (found > 0) // xx1 for found xx = dl mode used
3724 goto out;
3725
3726 bit++;
3727
3728 if (IsCancelled())
3729 return PM3_EOPABORTED;
3730 }
3731
3732 // now try to use partial original password, since block 7 should have been completely
3733 // erased during the write sequence and it is possible that only partial password has been
3734 // written
3735 // not sure from which end the bit bits are written, so try from both ends
3736 // from low bit to high bit
3737 bit = 0;
3738 while (bit < 32) {
3739 mask += (1u << bit);
3740 curr_password = orig_password & mask;
3741 // if updated mask didn't change the password, don't try it again
3742 if (prev_password == curr_password) {
3743 bit++;
3744 continue;
3745 }
3746
3747 found = t55xx_try_one_password(curr_password, downlink_mode, ra);
3748 if (found > 0)
3749 goto out;
3750
3751 bit++;
3752 prev_password = curr_password;
3753
3754 if (IsCancelled())
3755 return PM3_EOPABORTED;
3756 }
3757
3758 // from high bit to low
3759 bit = 0;
3760 mask = 0xffffffff;
3761 while (bit < 32) {
3762 mask -= (1u << bit);
3763 curr_password = orig_password & mask;
3764 // if updated mask didn't change the password, don't try it again
3765 if (prev_password == curr_password) {
3766 bit++;
3767 continue;
3768 }
3769 found = t55xx_try_one_password(curr_password, downlink_mode, ra);
3770 if (found > 0)
3771 goto out;
3772
3773 bit++;
3774 prev_password = curr_password;
3775
3776 if (IsCancelled())
3777 return PM3_EOPABORTED;
3778 }
3779
3780 out:
3781 PrintAndLogEx(NORMAL, "");
3782
3783 if (found > 0) {
3784 PrintAndLogEx(SUCCESS, "Found valid password: [ " _GREEN_("%08X") " ]", curr_password);
3785 T55xx_Print_DownlinkMode((found >> 1) & 3);
3786 } else {
3787 PrintAndLogEx(FAILED, "Recover password failed");
3788 }
3789 return PM3_SUCCESS;
3790 }
3791
3792 // note length of data returned is different for different chips.
3793 // some return all page 1 (64 bits) and others return just that block (32 bits)
3794 // unfortunately the 64 bits makes this more likely to get a false positive...
3795 bool tryDetectP1(bool getData) {
3796 uint8_t preamble_atmel[] = {1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1};
3797 uint8_t preamble_silicon[] = {1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1};
3798 size_t startIdx = 0;
3799 uint8_t fc1 = 0, fc2 = 0, ans = 0;
3800 int clk = 0, firstClockEdge = 0;
3801 bool st = true;
3802
3803 if (getData) {
3804 if (!AcquireData(T55x7_PAGE1, T55x7_TRACE_BLOCK1, false, 0, 0))
3805 return false;
3806 }
3807
3808 // try fsk clock detect. if successful it cannot be any other type of modulation... (in theory...)
3809 ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, &firstClockEdge);
3810 if (ans && ((fc1 == 10 && fc2 == 8) || (fc1 == 8 && fc2 == 5))) {
3811
3812 if (FSKrawDemod(0, 0, 0, 0, false) == PM3_SUCCESS) {
3813 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3814 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3815 return true;
3816 }
3817
3818 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3819 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3820 return true;
3821 }
3822 }
3823
3824 if (FSKrawDemod(0, 1, 0, 0, false) == PM3_SUCCESS) {
3825 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3826 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3827 return true;
3828 }
3829
3830 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3831 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3832 return true;
3833 }
3834 }
3835 return false;
3836 }
3837
3838 // try ask clock detect. it could be another type even if successful.
3839 clk = GetAskClock("", false);
3840 if (clk > 0) {
3841 if (ASKDemod_ext(0, 0, 1, 0, false, false, false, 1, &st) == PM3_SUCCESS) {
3842
3843 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3844 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3845 return true;
3846 }
3847
3848 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3849 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3850 return true;
3851 }
3852 }
3853
3854 st = true;
3855 if (ASKDemod_ext(0, 1, 1, 0, false, false, false, 1, &st) == PM3_SUCCESS) {
3856 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3857 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3858 return true;
3859 }
3860
3861 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3862 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3863 return true;
3864 }
3865 }
3866
3867 if (ASKbiphaseDemod(0, 0, 0, 2, false) == PM3_SUCCESS) {
3868 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3869 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3870 return true;
3871 }
3872
3873 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3874 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3875 return true;
3876 }
3877 }
3878
3879 if (ASKbiphaseDemod(0, 0, 1, 2, false) == PM3_SUCCESS) {
3880 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3881 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3882 return true;
3883 }
3884
3885 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3886 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3887 return true;
3888 }
3889 }
3890 }
3891
3892 // try NRZ clock detect. it could be another type even if successful.
3893 clk = GetNrzClock("", false); //has the most false positives :(
3894 if (clk > 0) {
3895 if (NRZrawDemod(0, 0, 1, false) == PM3_SUCCESS) {
3896 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3897 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3898 return true;
3899 }
3900
3901 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3902 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3903 return true;
3904 }
3905 }
3906
3907 if (NRZrawDemod(0, 1, 1, false) == PM3_SUCCESS) {
3908 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3909 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3910 return true;
3911 }
3912
3913 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3914 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3915 return true;
3916 }
3917 }
3918 }
3919
3920 // Fewer card uses PSK
3921 // try psk clock detect. if successful it cannot be any other type of modulation... (in theory...)
3922 clk = GetPskClock("", false);
3923 if (clk > 0) {
3924 // allow undo
3925 // save_restoreGB(GRAPH_SAVE);
3926 // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
3927 //CmdLtrim("-i 160");
3928 if (PSKDemod(0, 0, 6, false) == PM3_SUCCESS) {
3929 //save_restoreGB(GRAPH_RESTORE);
3930 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3931 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3932 return true;
3933 }
3934
3935 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3936 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3937 return true;
3938 }
3939 }
3940
3941 if (PSKDemod(0, 1, 6, false) == PM3_SUCCESS) {
3942 //save_restoreGB(GRAPH_RESTORE);
3943 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3944 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3945 return true;
3946 }
3947
3948 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3949 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3950 return true;
3951 }
3952 }
3953
3954 // PSK2 - needs a call to psk1TOpsk2.
3955 if (PSKDemod(0, 0, 6, false) == PM3_SUCCESS) {
3956 psk1TOpsk2(g_DemodBuffer, g_DemodBufferLen);
3957
3958 //save_restoreGB(GRAPH_RESTORE);
3959 if (preambleSearchEx(g_DemodBuffer, preamble_atmel, sizeof(preamble_atmel), &g_DemodBufferLen, &startIdx, false) &&
3960 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3961 return true;
3962 }
3963
3964 if (preambleSearchEx(g_DemodBuffer, preamble_silicon, sizeof(preamble_silicon), &g_DemodBufferLen, &startIdx, false) &&
3965 (g_DemodBufferLen == 32 || g_DemodBufferLen == 64)) {
3966 return true;
3967 }
3968 } // inverse waves does not affect PSK2 demod
3969 //undo trim samples
3970 //save_restoreGB(GRAPH_RESTORE);
3971 // no other modulation clocks = 2 or 4 so quit searching
3972 if (fc1 != 8) {
3973 return false;
3974 }
3975 }
3976 return false;
3977 }
3978 // does this need to be a callable command?
3979 static int CmdT55xxDetectPage1(const char *Cmd) {
3980 CLIParserContext *ctx;
3981 CLIParserInit(&ctx, "lf t55xx p1detect",
3982 "Detect Page 1 of a T55xx chip",
3983 "lf t55xx p1detect\n"
3984 "lf t55xx p1detect -1\n"
3985 "lf t55xx p1detect -p 11223344 --r3\n"
3986 );
3987
3988 // 1 (help) + 2 (two user specified params) + (5 T55XX_DLMODE_SINGLE)
3989 void *argtable[3 + 5] = {
3990 arg_param_begin,
3991 arg_lit0("1", NULL, "extract using data from graphbuffer"),
3992 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
3993 };
3994 uint8_t idx = 3;
3995 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
3996 CLIExecWithReturn(ctx, Cmd, argtable, true);
3997
3998 bool use_graphbuf = arg_get_lit(ctx, 1);
3999
4000 bool usepwd = false;
4001 uint32_t password = 0;
4002 int res = arg_get_u32_hexstr_def(ctx, 2, 0, &password);
4003 if (res == 2) {
4004 PrintAndLogEx(INFO, "Password should be 4 hex bytes");
4005 CLIParserFree(ctx);
4006 return PM3_EINVARG;
4007 } else if (res == 1) {
4008 usepwd = true;
4009 }
4010
4011 bool r0 = arg_get_lit(ctx, 3);
4012 bool r1 = arg_get_lit(ctx, 4);
4013 bool r2 = arg_get_lit(ctx, 5);
4014 bool r3 = arg_get_lit(ctx, 6);
4015 CLIParserFree(ctx);
4016
4017 if ((r0 + r1 + r2 + r3) > 1) {
4018 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
4019 return PM3_EINVARG;
4020 }
4021
4022 uint8_t downlink_mode = config.downlink_mode;
4023 if (r0)
4024 downlink_mode = refFixedBit;
4025 else if (r1)
4026 downlink_mode = refLongLeading;
4027 else if (r2)
4028 downlink_mode = refLeading0;
4029 else if (r3)
4030 downlink_mode = ref1of4;
4031
4032 bool try_all_dl_modes = true;
4033
4034 //ICEMAN STRANGE
4035 if (downlink_mode == 4)
4036 try_all_dl_modes = true;
4037 if (downlink_mode < 4)
4038 try_all_dl_modes = false;
4039
4040 if (downlink_mode > 3)
4041 downlink_mode = 0;
4042
4043 bool found = false;
4044 uint8_t found_mode = 0;
4045
4046 if (use_graphbuf == false) {
4047 for (uint8_t dl_mode = downlink_mode; dl_mode < 4; dl_mode++) {
4048
4049 if (AcquireData(T55x7_PAGE1, T55x7_TRACE_BLOCK1, usepwd, password, dl_mode) == false)
4050 continue;
4051
4052 if (tryDetectP1(false)) {
4053 found = true;
4054 found_mode = dl_mode;
4055 break;
4056 } else {
4057 found = false;
4058 }
4059
4060 if (try_all_dl_modes == false) {
4061 break;
4062 }
4063 }
4064 } else {
4065 found = tryDetectP1(false);
4066 }
4067
4068 if (found) {
4069 PrintAndLogEx(SUCCESS, "T55xx chip found!");
4070 T55xx_Print_DownlinkMode(found_mode);
4071 } else
4072 PrintAndLogEx(WARNING, "Could not detect modulation automatically. Try setting it manually with " _YELLOW_("\'lf t55xx config\'"));
4073
4074 return PM3_SUCCESS;
4075 }
4076
4077 static int CmdT55xxSetDeviceConfig(const char *Cmd) {
4078 CLIParserContext *ctx;
4079 CLIParserInit(&ctx, "lf t55xx deviceconfig",
4080 "Sets t55x7 timings for direct commands.\n"
4081 "The timings are set here in Field Clocks (FC) which is converted to (US) on device.",
4082 "lf t55xx deviceconfig -a 29 -b 17 -c 15 -d 47 -e 15 -> default T55XX\n"
4083 "lf t55xx deviceconfig -a 55 -b 14 -c 21 -d 30 -> default EM4305"
4084 );
4085
4086 // 1 (help) + 9 (nine user specified params) + (5 T55XX_DLMODE_SINGLE)
4087 void *argtable[10 + 5] = {
4088 arg_param_begin,
4089 arg_int0("a", NULL, "<8..255>", "Set start gap"),
4090 arg_int0("b", NULL, "<8..255>", "Set write gap"),
4091 arg_int0("c", NULL, "<8..255>", "Set write ZERO gap"),
4092 arg_int0("d", NULL, "<8..255>", "Set write ONE gap"),
4093 arg_int0("e", NULL, "<8..255>", "Set read gap"),
4094 arg_int0("f", NULL, "<8..255>", "Set write TWO gap (1 of 4 only)"),
4095 arg_int0("g", NULL, "<8..255>", "Set write THREE gap (1 of 4 only)"),
4096 arg_lit0("p", "persist", "persist to flash memory (RDV4)"),
4097 arg_lit0("z", NULL, "Set default t55x7 timings (use `-p` to save if required)"),
4098 };
4099 uint8_t idx = 10;
4100 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
4101 CLIExecWithReturn(ctx, Cmd, argtable, false);
4102
4103 uint8_t startgap = arg_get_int(ctx, 1);
4104 uint8_t writegap = arg_get_int(ctx, 2);
4105 uint8_t write0 = arg_get_int(ctx, 3);
4106 uint8_t write1 = arg_get_int(ctx, 4);
4107 uint8_t readgap = arg_get_int(ctx, 5);
4108 uint8_t write2 = arg_get_int(ctx, 6);
4109 uint8_t write3 = arg_get_int(ctx, 7);
4110 bool shall_persist = arg_get_lit(ctx, 8);
4111 bool set_defaults = arg_get_lit(ctx, 9);
4112 bool r0 = arg_get_lit(ctx, 10);
4113 bool r1 = arg_get_lit(ctx, 11);
4114 bool r2 = arg_get_lit(ctx, 12);
4115 bool r3 = arg_get_lit(ctx, 13);
4116 CLIParserFree(ctx);
4117
4118 if ((r0 + r1 + r2 + r3) > 1) {
4119 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
4120 return PM3_EINVARG;
4121 }
4122
4123 uint8_t downlink_mode = 0;
4124 if (r0)
4125 downlink_mode = refFixedBit;
4126 else if (r1)
4127 downlink_mode = refLongLeading;
4128 else if (r2)
4129 downlink_mode = refLeading0;
4130 else if (r3)
4131 downlink_mode = ref1of4;
4132
4133 t55xx_configurations_t configurations = {{{0}, {0}, {0}, {0}}};
4134
4135 if (set_defaults) {
4136 // fixed bit length
4137 configurations.m[T55XX_DLMODE_FIXED].start_gap = 29 * 8;
4138 configurations.m[T55XX_DLMODE_FIXED].write_gap = 17 * 8;
4139 configurations.m[T55XX_DLMODE_FIXED].write_0 = 15 * 8;
4140 configurations.m[T55XX_DLMODE_FIXED].write_1 = 47 * 8;
4141 configurations.m[T55XX_DLMODE_FIXED].read_gap = 15 * 8;
4142 configurations.m[T55XX_DLMODE_FIXED].write_2 = 0;
4143 configurations.m[T55XX_DLMODE_FIXED].write_3 = 0;
4144
4145 // long leading reference
4146 configurations.m[T55XX_DLMODE_LLR].start_gap = 29 * 8;
4147 configurations.m[T55XX_DLMODE_LLR].write_gap = 17 * 8;
4148 configurations.m[T55XX_DLMODE_LLR].write_0 = 15 * 8;
4149 configurations.m[T55XX_DLMODE_LLR].write_1 = 47 * 8;
4150 configurations.m[T55XX_DLMODE_LLR].read_gap = 15 * 8;
4151 configurations.m[T55XX_DLMODE_LLR].write_2 = 0;
4152 configurations.m[T55XX_DLMODE_LLR].write_3 = 0;
4153
4154 // leading zero
4155 configurations.m[T55XX_DLMODE_LEADING_ZERO].start_gap = 29 * 8;
4156 configurations.m[T55XX_DLMODE_LEADING_ZERO].write_gap = 17 * 8;
4157 configurations.m[T55XX_DLMODE_LEADING_ZERO].write_0 = 15 * 8;
4158 configurations.m[T55XX_DLMODE_LEADING_ZERO].write_1 = 40 * 8;
4159 configurations.m[T55XX_DLMODE_LEADING_ZERO].read_gap = 15 * 8;
4160 configurations.m[T55XX_DLMODE_LEADING_ZERO].write_2 = 0;
4161 configurations.m[T55XX_DLMODE_LEADING_ZERO].write_3 = 0;
4162
4163 // 1 of 4 coding reference
4164 configurations.m[T55XX_DLMODE_1OF4].start_gap = 29 * 8;
4165 configurations.m[T55XX_DLMODE_1OF4].write_gap = 17 * 8;
4166 configurations.m[T55XX_DLMODE_1OF4].write_0 = 15 * 8;
4167 configurations.m[T55XX_DLMODE_1OF4].write_1 = 31 * 8;
4168 configurations.m[T55XX_DLMODE_1OF4].read_gap = 15 * 8;
4169 configurations.m[T55XX_DLMODE_1OF4].write_2 = 47 * 8;
4170 configurations.m[T55XX_DLMODE_1OF4].write_3 = 63 * 8;
4171
4172 } else {
4173 configurations.m[downlink_mode].start_gap = startgap * 8;
4174 configurations.m[downlink_mode].write_gap = writegap * 8;
4175 configurations.m[downlink_mode].write_0 = write0 * 8;
4176 configurations.m[downlink_mode].write_1 = write1 * 8;
4177 configurations.m[downlink_mode].read_gap = readgap * 8;
4178 configurations.m[downlink_mode].write_2 = write2 * 8;
4179 configurations.m[downlink_mode].write_3 = write3 * 8;
4180 }
4181
4182 clearCommandBuffer();
4183 SendCommandMIX(CMD_LF_T55XX_SET_CONFIG, shall_persist, 0, 0, &configurations, sizeof(t55xx_configurations_t));
4184 return PM3_SUCCESS;
4185 }
4186
4187 static int CmdT55xxProtect(const char *Cmd) {
4188
4189 CLIParserContext *ctx;
4190 CLIParserInit(&ctx, "lf t55xx protect",
4191 "This command sets the pwd bit on T5577.\n"
4192 _RED_("WARNING") _CYAN_(" this locks the tag!"),
4193 "lf t55xx protect -n 01020304 -> sets new pwd 01020304\n"
4194 "lf t55xx protect -p 11223344 -n 00000000 -> use pwd 11223344, sets new pwd 00000000"
4195 );
4196
4197 // 1 (help) + 3 (three user specified params) + (5 T55XX_DLMODE_SINGLE)
4198 void *argtable[4 + 5] = {
4199 arg_param_begin,
4200 arg_lit0("o", "override", "override safety check"),
4201 arg_str0("p", "pwd", "<hex>", "password (4 hex bytes)"),
4202 arg_str1("n", "new", "<hex>", "new password (4 hex bytes)"),
4203 };
4204 uint8_t idx = 4;
4205 arg_add_t55xx_downloadlink(argtable, &idx, T55XX_DLMODE_SINGLE, config.downlink_mode);
4206 CLIExecWithReturn(ctx, Cmd, argtable, true);
4207
4208 uint8_t override = 0;
4209 if (arg_get_lit(ctx, 1))
4210 override = 2;
4211
4212 uint32_t password = 0;
4213 bool usepwd = false;
4214 int res = arg_get_u32_hexstr_def(ctx, 2, 0, &password);
4215 if (res == 2) {
4216 CLIParserFree(ctx);
4217 PrintAndLogEx(FAILED, "Error parsing password bytes");
4218 return PM3_EINVARG;
4219 } else if (res == 1) {
4220 usepwd = true;
4221 override = 1;
4222 }
4223
4224 uint32_t new_password = 0;
4225 res = arg_get_u32_hexstr_def(ctx, 3, 0, &new_password);
4226 if (res == 2) {
4227 CLIParserFree(ctx);
4228 PrintAndLogEx(FAILED, "Error parsing new password bytes");
4229 return PM3_EINVARG;
4230 } else if (res == 0) {
4231 PrintAndLogEx(FAILED, "Must specify new password param");
4232 CLIParserFree(ctx);
4233 return PM3_EINVARG;
4234 }
4235
4236 bool r0 = arg_get_lit(ctx, 4);
4237 bool r1 = arg_get_lit(ctx, 5);
4238 bool r2 = arg_get_lit(ctx, 6);
4239 bool r3 = arg_get_lit(ctx, 7);
4240 CLIParserFree(ctx);
4241
4242 if ((r0 + r1 + r2 + r3) > 1) {
4243 PrintAndLogEx(FAILED, "Error multiple downlink encoding");
4244 return PM3_EINVARG;
4245 }
4246
4247 uint8_t downlink_mode = config.downlink_mode;
4248 if (r0)
4249 downlink_mode = refFixedBit;
4250 else if (r1)
4251 downlink_mode = refLongLeading;
4252 else if (r2)
4253 downlink_mode = refLeading0;
4254 else if (r3)
4255 downlink_mode = ref1of4;
4256
4257 // sanity check.
4258 if (SanityOfflineCheck(false) != PM3_SUCCESS)
4259 return PM3_ESOFT;
4260
4261 // lock
4262 if (t55xxProtect(true, usepwd, override, password, downlink_mode, new_password) == false) {
4263 PrintAndLogEx(WARNING, "Command failed. Did you run " _YELLOW_("`lf t55xx detect`") " before?");
4264 return PM3_ESOFT;
4265 }
4266 return PM3_SUCCESS;
4267 }
4268
4269 // if the difference between a and b is less then or eq to d i.e. does a = b +/- d
4270 #define APPROX_EQ(a, b, d) ((abs(a - b) <= d) ? true : false)
4271
4272 static uint8_t t55sniff_get_packet(const int *pulseBuffer, char *data, uint8_t width0, uint8_t width1, uint8_t tolerance) {
4273 int i = 0;
4274 bool ok = true;
4275 uint8_t len = 0;
4276
4277 while (ok && (i < 73)) { // 70 bits max Fixed bit packet
4278 if (APPROX_EQ(width0, pulseBuffer[i], tolerance)) {
4279 data[len++] = '0';
4280 i++;
4281 continue;
4282 }
4283 if (APPROX_EQ(width1, pulseBuffer[i], tolerance)) {
4284 data[len++] = '1';
4285 i++;
4286 continue;
4287 }
4288
4289 ok = false;
4290 }
4291 data[len] = 0x00;
4292 return len;
4293 }
4294
4295 static uint8_t t55sniff_trim_samples(int *pulseBuffer, int *pulseIdx, uint8_t len) {
4296 for (uint8_t i = 0; i < (80 - len); i++) {
4297 pulseBuffer[i] = pulseBuffer[i + len];
4298 }
4299
4300 *pulseIdx -= len;
4301 return PM3_SUCCESS;
4302 }
4303
4304 static int CmdT55xxSniff(const char *Cmd) {
4305 CLIParserContext *ctx;
4306 CLIParserInit(&ctx, "lf t55xx sniff",
4307 "Sniff LF t55xx based trafic and decode possible cmd / blocks.\n"
4308 "Lower tolerance means tighter pulses. ",
4309 "lf t55xx sniff\n"
4310 "lf t55xx sniff -1 -t 2 -> use buffer with tolerance of 2\n"
4311 "lf t55xx sniff -1 --zero 7 --one 14 -> use buffer, zero pulse width 7, one pulse width 15"
4312 );
4313
4314 void *argtable[] = {
4315 arg_param_begin,
4316 arg_lit0("1", NULL, "extract using data from graphbuffer"),
4317 arg_int0("t", "tol", "<dec>", "set tolerance level (default 5)"),
4318 // arg_int0(NULL, "signal", "<dec>", "set minimum signal level (default 20)"),
4319 arg_int0("o", "one", "<dec>", "set samples width for ONE pulse (default auto)"),
4320 arg_int0("z", "zero", "<dec>", "set samples width for ZERO pulse (default auto)"),
4321 arg_param_end
4322 };
4323 CLIExecWithReturn(ctx, Cmd, argtable, true);
4324 bool use_graphbuf = arg_get_lit(ctx, 1);
4325 uint8_t tolerance = arg_get_int_def(ctx, 2, 5);
4326 int opt_width1 = arg_get_int_def(ctx, 3, -1);
4327 int opt_width0 = arg_get_int_def(ctx, 4, -1);
4328 CLIParserFree(ctx);
4329
4330 if (opt_width0 == 0) {
4331 PrintAndLogEx(ERR, "Must call with --zero larger than 0");
4332 return PM3_EINVARG;
4333 }
4334 if (opt_width1 == 0) {
4335 PrintAndLogEx(ERR, "Must call with --one larger than 0");
4336 return PM3_EINVARG;
4337 }
4338
4339 if (opt_width0 > 0 && opt_width1 == -1) {
4340 PrintAndLogEx(ERR, _RED_("Missing sample width for ONE"));
4341 return PM3_EINVARG;
4342 }
4343
4344 if (opt_width1 > 0 && opt_width0 == -1) {
4345 PrintAndLogEx(ERR, _RED_("Missing sample width for ZERO"));
4346 return PM3_EINVARG;
4347 }
4348
4349 uint8_t width1 = 0;
4350 uint8_t width0 = 0;
4351
4352 if (opt_width0 > -1)
4353 width0 = (uint8_t)opt_width0 & 0xFF;
4354
4355 if (opt_width1 > -1)
4356 width1 = (uint8_t)opt_width1 & 0xFF;
4357
4358
4359
4360 /*
4361 Notes:
4362 T55xx packet lengths (1 of 4 needs to be checked)
4363 -----------------------------------------------
4364 | Default | LL 0 | Leading 0 | 1 of 4 |
4365 ----------------------------------------------------------------|
4366 | Standard Write | 38 | 39 | 39 | 40 |
4367 | Protect Write | 70 | 71 | 73 | 74 |
4368 | AOR | 34 | 35 | 37 | 38 |
4369 | Standard Read | 5 | 6 | 7 | 8 |
4370 | Protect Read | 38 | 39 | 41 | 42 |
4371 | Regular Read | 2 | 3 | 3 | 4 |
4372 | Reset | 2 | 3 | 3 | 4 |
4373 ----------------------------------------------------------------
4374
4375 T55xx bit widths (decimation 1) - Expected, but may vary a little
4376 Reference 0 for LL0 and Leading 0 can be longer
4377 -----------------------------------------------
4378 | Default | LL 0 | Leading 0 | 1 of 4 |
4379 ----------------------------------------------------|
4380 | 0 | 16 - 32 | 9 - 33 | 5 - 80 | tbc |
4381 | 1 | 48 - 64 | 41 - 72 | 21 - 96 | tbc |
4382 ----------------------------------------------------
4383 00 01 10 11
4384 */
4385
4386 uint8_t page, blockAddr;
4387 size_t idx = 0;
4388 uint32_t usedPassword, blockData;
4389 int pulseSamples = 0, pulseIdx = 0;
4390 char pwdText[100];
4391 char dataText[100];
4392 int pulseBuffer[80] = { 0 }; // max should be 73 +/- - Holds Pulse widths
4393 char data[80]; // linked to pulseBuffer. - Holds 0/1 from pulse widths
4394
4395 // setup and sample data from Proxmark
4396 // if not directed to existing sample/graphbuffer
4397 if (use_graphbuf == false) {
4398
4399 // make loop to call sniff with skip samples..
4400 // then build it up by adding
4401 CmdLFSniff("");
4402
4403 }
4404
4405 // Headings
4406 PrintAndLogEx(NORMAL, "");
4407 PrintAndLogEx(INFO, _CYAN_("T55xx command detection"));
4408 PrintAndLogEx(SUCCESS, "Downlink mode | password | Data | blk | page | 0 | 1 | raw");
4409 PrintAndLogEx(SUCCESS, "------------------------+------------+----------+-----+------+-----+-----+-------------------------------------------------------------------------------");
4410
4411 idx = 0;
4412 // loop though sample buffer
4413 while (idx < g_GraphTraceLen) {
4414
4415 int minWidth = 1000;
4416 int maxWidth = 0;
4417 data[0] = 0;
4418 bool have_data = false;
4419 const char *modeText = "Default";
4420 strncpy(pwdText, " ", sizeof(pwdText));
4421 strncpy(dataText, " ", sizeof(dataText));
4422
4423 if (pulseSamples == 0) {
4424 idx++;
4425 }
4426
4427 // find high
4428 while ((idx < g_GraphTraceLen) && (g_GraphBuffer[idx] < 0)) {
4429 idx++;
4430 }
4431
4432 // count high samples
4433 pulseSamples = 0;
4434 while ((idx < g_GraphTraceLen) && (g_GraphBuffer[idx] > 0)) { // last bit seems to be high to zero, but can vary in width..
4435 pulseSamples++;
4436 idx++;
4437 }
4438
4439 if (pulseSamples > 0) {
4440 pulseBuffer[pulseIdx++] = pulseSamples;
4441 if (pulseIdx > 79) { // make room for next sample - if not used by now, it won't be.
4442 t55sniff_trim_samples(pulseBuffer, &pulseIdx, 1);
4443 }
4444
4445 // Check Samples for valid packets;
4446 // We should find (outside of leading bits) we have a packet of "1" and "0" at same widths.
4447 if (pulseIdx >= 6) {// min size for a read - ignoring 1of4 10 0 <adr>
4448
4449 // We auto find widths
4450 if ((width0 == 0) && (width1 == 0)) {
4451 // We ignore bit 0 for the moment as it may be a ref. pulse, so check last
4452 uint32_t ii = 2;
4453 minWidth = pulseBuffer[1];
4454 maxWidth = pulseBuffer[1];
4455 bool done = false;
4456
4457 while ((!done) && (ii < pulseIdx) && ((maxWidth <= minWidth) || (APPROX_EQ(minWidth, maxWidth, tolerance)))) { // min should be 8, 16-32 more normal
4458 if (pulseBuffer[ii] + 3 < minWidth) {
4459 minWidth = pulseBuffer[ii];
4460 done = true;
4461 }
4462 if (pulseBuffer[ii] - 1 > maxWidth) {
4463 maxWidth = pulseBuffer[ii];
4464 done = true;
4465 }
4466 ii++;
4467 }
4468 } else {
4469 minWidth = width0;
4470 maxWidth = width1;
4471 }
4472 }
4473
4474 // out of bounds... min max far enough appart and minWidth is large enough
4475 if (((maxWidth - minWidth) < 6) || (minWidth < 6)) // min 8 +/-
4476 continue;
4477
4478 // At this point we should have
4479 // - a min of 6 samples
4480 // - the 0 and 1 sample widths
4481 // - min 0 and min separations (worst case)
4482 // No max checks done (yet) as have seen samples > then specs in use.
4483
4484 // Check first bit.
4485
4486 // Long leading 0
4487 if (have_data == false && (APPROX_EQ(pulseBuffer[0], 136 + minWidth, tolerance) && APPROX_EQ(pulseBuffer[1], maxWidth, tolerance))) {
4488 // printf ("Long Leading 0 - not yet handled | have 1 First bit | Min : %-3d - Max : %-3d : diff : %d\n",minWidth,maxWidth, maxWidth-minWidth);
4489 continue;
4490 }
4491
4492 // Fixed bit - Default
4493 if (have_data == false && (APPROX_EQ(pulseBuffer[0], maxWidth, tolerance))) {
4494 uint16_t dataLen = t55sniff_get_packet(pulseBuffer, data, minWidth, maxWidth, tolerance);
4495
4496 // if ((dataLen == 39) )
4497 // printf ("Fixed | Data end of 80 samples | offset : %llu - datalen %-2d - data : %s --- - Bit 0 width : %d\n",idx,dataLen,data,pulseBuffer[0]);
4498
4499 if (data[0] == '0') { // should never get here..
4500 data[0] = 0;
4501 } else {
4502
4503 // Default Read
4504 if (dataLen == 6) {
4505 t55sniff_trim_samples(pulseBuffer, &pulseIdx, 4); // left 1 or 2 samples seemed to help
4506
4507 page = data[1] - '0';
4508 blockAddr = 0;
4509 for (uint8_t i = 3; i < 6; i++) {
4510 blockAddr <<= 1;
4511 if (data[i] == '1') {
4512 blockAddr |= 1;
4513 }
4514 }
4515 blockData = 0;
4516 have_data = true;
4517 modeText = "Default Read";
4518 }
4519
4520 // Password Write
4521 if (dataLen == 70) {
4522 t55sniff_trim_samples(pulseBuffer, &pulseIdx, 70);
4523
4524 page = data[1] - '0';
4525 usedPassword = 0;
4526 for (uint8_t i = 2; i <= 33; i++) {
4527 usedPassword <<= 1;
4528 if (data[i] == '1') {
4529 usedPassword |= 1;
4530 }
4531 }
4532
4533 // Lock bit 34
4534 blockData = 0;
4535 for (uint8_t i = 35; i <= 66; i++) {
4536 blockData <<= 1;
4537 if (data[i] == '1') {
4538 blockData |= 1;
4539 }
4540 }
4541
4542 blockAddr = 0;
4543 for (uint8_t i = 67; i <= 69; i++) {
4544 blockAddr <<= 1;
4545 if (data[i] == '1') {
4546 blockAddr |= 1;
4547 }
4548 }
4549 have_data = true;
4550 modeText = "Default pwd write";
4551 snprintf(pwdText, sizeof(pwdText), " %08X", usedPassword);
4552 snprintf(dataText, sizeof(dataText), "%08X", blockData);
4553 }
4554
4555 // Default Write or password read ???
4556 // the most confusing command.
4557 // if the token is with a password - all is OK,
4558 // if not - read command with a password will lead to write the shifted password to the memory and:
4559 // IF the most bit of the data is `1` ----> IT LEADS TO LOCK this block of the memory
4560 if (dataLen == 38) {
4561 t55sniff_trim_samples(pulseBuffer, &pulseIdx, 38);
4562
4563 page = data[1] - '0';
4564 usedPassword = 0;
4565 blockData = 0;
4566 for (uint8_t i = 3; i <= 34; i++) {
4567 blockData <<= 1;
4568 if (data[i] == '1') {
4569 blockData |= 1;
4570 }
4571 }
4572
4573 for (uint8_t i = 2; i <= 33; i++) {
4574 usedPassword <<= 1;
4575 if (data[i] == '1') {
4576 usedPassword |= 1;
4577 }
4578 }
4579
4580 blockAddr = 0;
4581 for (uint8_t i = 35; i <= 37; i++) {
4582 blockAddr <<= 1;
4583 if (data[i] == '1') {
4584 blockAddr |= 1;
4585 }
4586 }
4587 have_data = true;
4588 modeText = "Default write/pwd read";
4589 snprintf(pwdText, sizeof(pwdText), "[%08X]", usedPassword);
4590 snprintf(dataText, sizeof(dataText), "%08X", blockData);
4591 }
4592 }
4593 }
4594
4595 // Leading 0
4596 if (have_data == false && (APPROX_EQ(pulseBuffer[0], minWidth, tolerance))) {
4597 // leading 0 (should = 0 width)
4598 // 1 of 4 (leads with 00)
4599 uint16_t dataLen = t55sniff_get_packet(pulseBuffer, data, minWidth, maxWidth, tolerance);
4600 // **** Should check to 0 to be actual 0 as well i.e. 01 .... data ....
4601 if ((data[0] == '0') && (data[1] == '1')) {
4602 if (dataLen == 73) {
4603 t55sniff_trim_samples(pulseBuffer, &pulseIdx, 73);
4604
4605 page = data[2] - '0';
4606 usedPassword = 0;
4607 for (uint8_t i = 5; i <= 36; i++) {
4608 usedPassword <<= 1;
4609 if (data[i] == '1') {
4610 usedPassword |= 1;
4611 }
4612 }
4613
4614 blockData = 0;
4615 for (uint8_t i = 38; i <= 69; i++) {
4616 blockData <<= 1;
4617 if (data[i] == '1') {
4618 blockData |= 1;
4619 }
4620 }
4621
4622 blockAddr = 0;
4623 for (uint8_t i = 70; i <= 72; i++) {
4624 blockAddr <<= 1;
4625 if (data[i] == '1') {
4626 blockAddr |= 1;
4627 }
4628 }
4629
4630 have_data = true;
4631 modeText = "Leading 0 pwd write";
4632 snprintf(pwdText, sizeof(pwdText), " %08X", usedPassword);
4633 snprintf(dataText, sizeof(dataText), "%08X", blockData);
4634 }
4635 }
4636 }
4637 }
4638
4639 // Print results
4640 if (have_data) {
4641 if (blockAddr == 7) {
4642 PrintAndLogEx(SUCCESS, "%-22s | "_GREEN_("%10s")" | "_YELLOW_("%8s")" | "_YELLOW_("%d")" | "_GREEN_("%d")" | %3d | %3d | %s"
4643 , modeText
4644 , pwdText
4645 , dataText
4646 , blockAddr
4647 , page
4648 , minWidth
4649 , maxWidth
4650 , data
4651 );
4652 } else {
4653 PrintAndLogEx(SUCCESS, "%-22s | "_GREEN_("%10s")" | "_GREEN_("%8s")" | "_GREEN_("%d")" | "_GREEN_("%d")" | %3d | %3d | %s"
4654 , modeText
4655 , pwdText
4656 , dataText
4657 , blockAddr
4658 , page
4659 , minWidth
4660 , maxWidth
4661 , data
4662 );
4663 }
4664 }
4665 }
4666
4667 // footer
4668 PrintAndLogEx(SUCCESS, "-----------------------------------------------------------------------------------------------------------------------------------------------------");
4669 PrintAndLogEx(NORMAL, "");
4670 return PM3_SUCCESS;
4671 }
4672
4673 static command_t CommandTable[] = {
4674 {"-----------", CmdHelp, AlwaysAvailable, "---------------------------- " _CYAN_("notice") " -----------------------------"},
4675 {"", CmdHelp, AlwaysAvailable, "Remember to run `" _YELLOW_("lf t55xx detect") "` first whenever a new card"},
4676 {"", CmdHelp, AlwaysAvailable, "is placed on the Proxmark3 or the config block changed."},
4677 {"", CmdHelp, AlwaysAvailable, ""},
4678 {"help", CmdHelp, AlwaysAvailable, "This help"},
4679 {"-----------", CmdHelp, AlwaysAvailable, "--------------------- " _CYAN_("operations") " ---------------------"},
4680 {"clonehelp", CmdT55xxCloneHelp, IfPm3Lf, "Shows the available clone commands"},
4681 {"config", CmdT55xxSetConfig, AlwaysAvailable, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
4682 {"dangerraw", CmdT55xxDangerousRaw, IfPm3Lf, "Sends raw bitstream. Dangerous, do not use!!"},
4683 {"detect", CmdT55xxDetect, AlwaysAvailable, "Try detecting the tag modulation from reading the configuration block"},
4684 {"deviceconfig", CmdT55xxSetDeviceConfig, IfPm3Lf, "Set/Get T55XX device configuration"},
4685 {"dump", CmdT55xxDump, IfPm3Lf, "Dump T55xx card Page 0 block 0-7"},
4686 {"info", CmdT55xxInfo, AlwaysAvailable, "Show T55x7 configuration data (page 0/ blk 0)"},
4687 {"p1detect", CmdT55xxDetectPage1, IfPm3Lf, "Try detecting if this is a t55xx tag by reading page 1"},
4688 {"read", CmdT55xxReadBlock, IfPm3Lf, "Read T55xx block data"},
4689 {"resetread", CmdResetRead, IfPm3Lf, "Send Reset Cmd then lf read the stream to attempt to identify the start of it"},
4690 {"restore", CmdT55xxRestore, IfPm3Lf, "Restore T55xx card Page 0 / Page 1 blocks"},
4691 {"trace", CmdT55xxReadTrace, AlwaysAvailable, "Show T55x7 traceability data (page 1/ blk 0-1)"},
4692 {"wakeup", CmdT55xxWakeUp, IfPm3Lf, "Send AOR wakeup command"},
4693 {"write", CmdT55xxWriteBlock, IfPm3Lf, "Write T55xx block data"},
4694 {"-----------", CmdHelp, AlwaysAvailable, "--------------------- " _CYAN_("recovery") " ---------------------"},
4695 {"bruteforce", CmdT55xxBruteForce, IfPm3Lf, "Simple bruteforce attack to find password"},
4696 {"chk", CmdT55xxChkPwds, IfPm3Lf, "Check passwords"},
4697 {"protect", CmdT55xxProtect, IfPm3Lf, "Password protect tag"},
4698 {"recoverpw", CmdT55xxRecoverPW, IfPm3Lf, "Try to recover from bad password write from a cloner"},
4699 {"sniff", CmdT55xxSniff, AlwaysAvailable, "Attempt to recover T55xx commands from sample buffer"},
4700 {"special", CmdT55xxSpecial, IfPm3Lf, "Show block changes with 64 different offsets"},
4701 {"wipe", CmdT55xxWipe, IfPm3Lf, "Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
4702 {NULL, NULL, NULL, NULL}
4703 };
4704
4705 static int CmdHelp(const char *Cmd) {
4706 (void)Cmd; // Cmd is not used so far
4707 CmdsHelp(CommandTable);
4708 return PM3_SUCCESS;
4709 }
4710
4711 int CmdLFT55XX(const char *Cmd) {
4712 clearCommandBuffer();
4713 return CmdsParse(CommandTable, Cmd);
4714 }
4715
4716
4717 /*
4718
4719 one of
4720 // Leading 0
4721 lf t55 write -b 3 --pg1 -d 90000800
4722
4723 // 1 of 4
4724 lf t55 write -b 3 --pg1 -d 90000C00
4725
4726
4727 T55xx clone card lock: block 3 page 1 0x00000020 00000000 00000000 00000000 00100000
4728
4729 (this bit in any combo seems to lock the card)
4730
4731 You can have other data in the block write, but if that single bit is set "1" the entire card locks in its current state; no know way to unlock
4732
4733 */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware