github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-03-12 04:35:36 -07:00
Code Issues Packages Projects Releases Wiki Activity

add lf em 4x05protect plus lf config s option ()

Browse Source 
* add "samples to skip" for lf config (mainly for lf snoop)
* add lf em 4x05protect command to write protection on em4x05 chips
* fix spacing
* and remove old comment git added back in..
* update changelog
* fix flags - only need 1 bit
This commit is contained in:
marshmellow42 2019-06-23 07:43:56 -04:00 committed by pwpiwi
parent b8dd1ef649
commit 2de26056ce
8 changed files with 231 additions and 26 deletions

2
CHANGELOG.md

@ -16,6 +16,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- `hf 15 sim` now works as expected (piwi)
### Added
- Added `lf config s xxxx` option to allow skipping x samples before capture (marshmellow)
- Added `lf em 4x05protect` to support changing protection blocks on em4x05 chips (marshmellow)
- Support Standard Communication Mode in HITAG S
- Added `hf emv scan` - commands for scan EMV card and dump data to json file (Merlok)
- `hf mfp` group of commands (Merlok)

3
armsrc/appmain.c

@ -1088,6 +1088,9 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_EM4X_WRITE_WORD:
EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
break;
case CMD_EM4X_PROTECT:
EM4xProtect(c->arg[0], c->arg[1], c->arg[2]);
break;
case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
break;

1
armsrc/apps.h

@ -89,6 +89,7 @@ void TurnReadLFOn();
//void T55xxReadTrace(void);
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd);
void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd);
void Cotag(uint32_t arg0);
/// iso14443.h

81
armsrc/lfops.c

@ -1198,10 +1198,45 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
* and enlarge the gap ones.
* Q5 tags seems to have issues when these values changes.
*/
#define START_GAP 31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc)
#define WRITE_GAP 20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc)
#define WRITE_0 18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
#define WRITE_1 50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) 432 for T55x7; 448 for E5550
/* Q5 timing datasheet:
* Type | MIN | Typical | Max |
* Start_Gap | 10*8 | ? | 50*8 |
* Write_Gap Normal mode | 8*8 | 14*8 | 20*8 |
* Write_Gap Fast Mode | 8*8 | ? | 20*8 |
* Write_0 Normal mode | 16*8 | 24*8 | 32*8 |
* Write_1 Normal mode | 48*8 | 56*8 | 64*8 |
* Write_0 Fast Mode | 8*8 | 12*8 | 16*8 |
* Write_1 Fast Mode | 24*8 | 28*8 | 32*8 |
*/
/* T5557 timing datasheet:
* Type | MIN | Typical | Max |
* Start_Gap | 10*8 | ? | 50*8 |
* Write_Gap Normal mode | 8*8 |50-150us | 30*8 |
* Write_Gap Fast Mode | 8*8 | ? | 20*8 |
* Write_0 Normal mode | 16*8 | 24*8 | 31*8 |
* Write_1 Normal mode | 48*8 | 54*8 | 63*8 |
* Write_0 Fast Mode | 8*8 | 12*8 | 15*8 |
* Write_1 Fast Mode | 24*8 | 28*8 | 31*8 |
*/
/* T5577C timing datasheet for Fixed-Bit-Length protocol (defualt):
* Type | MIN | Typical | Max |
* Start_Gap | 8*8 | 15*8 | 50*8 |
* Write_Gap Normal mode | 8*8 | 10*8 | 20*8 |
* Write_Gap Fast Mode | 8*8 | 10*8 | 20*8 |
* Write_0 Normal mode | 16*8 | 24*8 | 32*8 |
* Write_1 Normal mode | 48*8 | 56*8 | 64*8 |
* Write_0 Fast Mode | 8*8 | 12*8 | 16*8 |
* Write_1 Fast Mode | 24*8 | 28*8 | 32*8 |
*/
//note startgap must be sent after tag has been powered up for more than 3ms (per T5557 ds)
#define START_GAP 31*8 //31*8 // was 250 // SPEC: 1*8 to 50*8 - typ 15*8 (or 15fc) - T5557: 10*8 to 50*8
#define WRITE_GAP 20*8 //20*8 // was 160 // SPEC: 1*8 to 20*8 - typ 10*8 (or 10fc) - T5557: 8*8 to 30*8 typ 50-150us
#define WRITE_0 18*8 //18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc) - T5557: 16*8 to 31*8 typ 24*8
#define WRITE_1 50*8 //50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc) - T5557: 48*8 to 63*8 typ 54*8 432 for T55x7; 448 for E5550
#define READ_GAP 15*8
void TurnReadLFOn(int delay) {
@ -1355,7 +1390,7 @@ void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd) {
T55xxWriteBit(1);
T55xxWriteBit(Page); //Page 0
if (PwdMode){
if (PwdMode) {
// Send Pwd
for (i = 0x80000000; i != 0; i >>= 1)
T55xxWriteBit(Pwd & i);
@ -1614,6 +1649,7 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo) {
#define FWD_CMD_WRITE 0xA
#define FWD_CMD_READ 0x9
#define FWD_CMD_DISABLE 0x5
#define FWD_CMD_PROTECT 0x3
uint8_t forwardLink_data[64]; //array of forwarded bits
uint8_t * forward_ptr; //ptr for forward message preparation
@ -1783,7 +1819,7 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode) {
void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
bool PwdMode = (flag & 0xF);
bool PwdMode = (flag & 0x1);
uint8_t Address = (flag >> 8) & 0xFF;
uint8_t fwd_bit_count;
@ -1813,6 +1849,39 @@ void EM4xWriteWord(uint32_t flag, uint32_t Data, uint32_t Pwd) {
LED_A_OFF();
cmd_send(CMD_ACK,0,0,0,0,0);
}
void EM4xProtect(uint32_t flag, uint32_t Data, uint32_t Pwd) {
bool PwdMode = (flag & 0x1);
uint8_t fwd_bit_count;
//clear buffer now so it does not interfere with timing later
BigBuf_Clear_ext(false);
LED_A_ON();
StartTicks();
//If password mode do login
if (PwdMode) EM4xLogin(Pwd);
forward_ptr = forwardLink_data;
fwd_bit_count = Prepare_Cmd( FWD_CMD_PROTECT );
//unsure if this needs the full packet config...
fwd_bit_count += Prepare_Data( Data&0xFFFF, Data>>16 );
SendForward(fwd_bit_count);
//Wait for write to complete
//SpinDelay(10);
WaitUS(6500);
//Capture response if one exists
DoPartialAcquisition(20, true, 6000, 1000);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
LED_A_OFF();
cmd_send(CMD_ACK,0,0,0,0,0);
}
/*
Reading a COTAG.

20
armsrc/lfsampling.c

@ -14,7 +14,7 @@
#include "usb_cdc.h" // for usb_poll_validate_length
#include "fpgaloader.h"
sample_config config = { 1, 8, 1, 95, 0 } ;
sample_config config = { 1, 8, 1, 95, 0, 0 } ;
void printConfig()
{
@ -24,6 +24,7 @@ void printConfig()
Dbprintf(" [d] decimation: %d ", config.decimation);
Dbprintf(" [a] averaging: %d ", config.averaging);
Dbprintf(" [t] trigger threshold: %d ", config.trigger_threshold);
Dbprintf(" [s] samples to skip: %d ", config.samples_to_skip);
}
@ -34,7 +35,7 @@ void printConfig()
* Other functions may read samples and ignore the sampling config,
* such as functions to read the UID from a prox tag or similar.
*
* Values set to '0' implies no change (except for averaging)
* Values set to '0' implies no change (except for averaging, threshold, samples_to_skip)
* @brief setSamplingConfig
* @param sc
*/
@ -44,6 +45,7 @@ void setSamplingConfig(sample_config *sc)
if(sc->bits_per_sample!= 0) config.bits_per_sample= sc->bits_per_sample;
if(sc->decimation!= 0) config.decimation= sc->decimation;
if(sc->trigger_threshold != -1) config.trigger_threshold= sc->trigger_threshold;
if(sc->samples_to_skip != -1) config.samples_to_skip = sc->samples_to_skip;
config.averaging= sc->averaging;
if(config.bits_per_sample > 8) config.bits_per_sample = 8;
@ -119,7 +121,7 @@ void LFSetupFPGAForADC(int divisor, bool lf_field)
* @param silent - is true, now outputs are made. If false, dbprints the status
* @return the number of bits occupied by the samples.
*/
uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after)
uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averaging, int trigger_threshold, bool silent, int bufsize, int cancel_after, int samples_to_skip)
{
//.
uint8_t *dest = BigBuf_get_addr();
@ -141,6 +143,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
uint32_t sample_total_numbers =0 ;
uint32_t sample_total_saved =0 ;
uint32_t cancel_counter = 0;
uint32_t samples_skipped = 0;
while(!BUTTON_PRESS() && !usb_poll_validate_length() ) {
WDT_HIT();
@ -160,6 +163,10 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
continue;
}
trigger_threshold = 0;
if (samples_to_skip > samples_skipped) {
samples_skipped++;
continue;
}
sample_total_numbers++;
if(averaging)
@ -218,7 +225,7 @@ uint32_t DoAcquisition(uint8_t decimation, uint32_t bits_per_sample, bool averag
*/
uint32_t DoAcquisition_default(int trigger_threshold, bool silent)
{
return DoAcquisition(1,8,0,trigger_threshold,silent,0,0);
return DoAcquisition(1,8,0,trigger_threshold,silent,0,0,0);
}
uint32_t DoAcquisition_config(bool silent, int sample_size)
{
@ -228,11 +235,12 @@ uint32_t DoAcquisition_config(bool silent, int sample_size)
,config.trigger_threshold
,silent
,sample_size
,0);
,0
,config.samples_to_skip);
}
uint32_t DoPartialAcquisition(int trigger_threshold, bool silent, int sample_size, int cancel_after) {
return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after);
return DoAcquisition(1,8,0,trigger_threshold,silent,sample_size,cancel_after,0);
}
uint32_t ReadLF(bool activeField, bool silent, int sample_size)

8
client/cmdlf.c

@ -232,6 +232,7 @@ int usage_lf_config(void)
PrintAndLog(" d <decim> Sets decimation. A value of N saves only 1 in N samples. Default: 1");
PrintAndLog(" a [0|1] Averaging - if set, will average the stored sample value when decimating. Default: 1");
PrintAndLog(" t <threshold> Sets trigger threshold. 0 means no threshold (range: 0-128)");
PrintAndLog(" s <smplstoskip> Sets a number of samples to skip before capture. Default: 0");
PrintAndLog("Examples:");
PrintAndLog(" lf config b 8 L");
PrintAndLog(" Samples at 125KHz, 8bps.");
@ -255,6 +256,7 @@ int CmdLFSetConfig(const char *Cmd)
bool errors = false;
int trigger_threshold =-1;//Means no change
uint8_t unsigned_trigg = 0;
int samples_to_skip = -1;
uint8_t cmdp =0;
while(param_getchar(Cmd, cmdp) != 0x00)
@ -295,6 +297,10 @@ int CmdLFSetConfig(const char *Cmd)
averaging = param_getchar(Cmd,cmdp+1) == '1';
cmdp+=2;
break;
case 's':
samples_to_skip = param_get32ex(Cmd,cmdp+1,0,10);
cmdp+=2;
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = 1;
@ -316,7 +322,7 @@ int CmdLFSetConfig(const char *Cmd)
if(bps >> 4) bps = 8;
sample_config config = {
decimation,bps,averaging,divisor,trigger_threshold
decimation,bps,averaging,divisor,trigger_threshold,samples_to_skip
};
//Averaging is a flag on high-bit of arg[1]
UsbCommand c = {CMD_SET_LF_SAMPLING_CONFIG};

114
client/cmdlfem4x.c

@ -1161,6 +1161,119 @@ int CmdEM4x05WriteWord(const char *Cmd) {
return EM4x05WriteWord(addr, data, pwd, usePwd, swap, invert);
}
int usage_lf_em_protect(void) {
PrintAndLog("Protect EM4x05. Tag must be on antenna. ");
PrintAndLog("");
PrintAndLog("Usage: lf em 4x05protect [h] d <data> p <pwd> [s] [i]");
PrintAndLog("Options:");
PrintAndLog(" h - this help");
PrintAndLog(" d <data> - data to write (hex)");
PrintAndLog(" p <pwd> - password (hex) (optional)");
PrintAndLog(" s - swap the data bit order before write");
PrintAndLog(" i - invert the data bits before write");
PrintAndLog("samples:");
PrintAndLog(" lf em 4x05protect d 11223344");
PrintAndLog(" lf em 4x05protect p deadc0de d 11223344 s i");
return 0;
}
int EM4x05Protect(uint32_t data, uint32_t pwd, bool usePwd, bool swap, bool invert) {
if (swap) data = SwapBits(data, 32);
if (invert) data ^= 0xFFFFFFFF;
if ( !usePwd ) {
PrintAndLog("Writing Protect data %08X", data);
} else {
PrintAndLog("Writing Protect data %08X using password %08X", data, pwd);
}
uint16_t flag = usePwd;
UsbCommand c = {CMD_EM4X_PROTECT, {flag, data, pwd}};
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)){
PrintAndLog("Error occurred, device did not respond during protect operation.");
return -1;
}
if ( !downloadSamplesEM() ) {
return -1;
}
//check response for 00001010 for write confirmation!
//attempt demod:
uint32_t dummy = 0;
int result = demodEM4x05resp(&dummy,false);
if (result == 1) {
PrintAndLog("Protect Verified");
} else {
PrintAndLog("Protect could not be verified");
}
return result;
}
int CmdEM4x05ProtectWrite(const char *Cmd) {
bool errors = false;
bool usePwd = false;
uint32_t data = 0xFFFFFFFF;
uint32_t pwd = 0xFFFFFFFF;
bool swap = false;
bool invert = false;
bool gotData = false;
char cmdp = 0;
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
{
case 'h':
case 'H':
return usage_lf_em_write();
case 'd':
case 'D':
data = param_get32ex(Cmd, cmdp+1, 0, 16);
gotData = true;
cmdp += 2;
break;
case 'i':
case 'I':
invert = true;
cmdp++;
break;
case 'p':
case 'P':
pwd = param_get32ex(Cmd, cmdp+1, 1, 16);
if (pwd == 1) {
PrintAndLog("invalid pwd");
errors = true;
}
usePwd = true;
cmdp += 2;
break;
case 's':
case 'S':
swap = true;
cmdp++;
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true;
break;
}
if(errors) break;
}
//Validations
if(errors) return usage_lf_em_protect();
if ( strlen(Cmd) == 0 ) return usage_lf_em_protect();
if (!gotData) {
PrintAndLog("You must enter the data you want to write");
return usage_lf_em_protect();
}
return EM4x05Protect(data, pwd, usePwd, swap, invert);
}
void printEM4x05config(uint32_t wordData) {
uint16_t datarate = EM4x05_GET_BITRATE(wordData);
uint8_t encoder = ((wordData >> 6) & 0xF);
@ -1345,6 +1458,7 @@ static command_t CommandTable[] =
{"4x05info", CmdEM4x05info, 0, "(pwd) -- Get info from EM4x05/EM4x69 tag"},
{"4x05readword", CmdEM4x05ReadWord, 0, "<Word> (pwd) -- Read EM4x05/EM4x69 word data"},
{"4x05writeword", CmdEM4x05WriteWord, 0, "<Word> <data> (pwd) -- Write EM4x05/EM4x69 word data"},
{"4x05protect", CmdEM4x05ProtectWrite, 0, "<data> (pwd) -- Write Protection to EM4x05"},
{"4x50read", CmdEM4x50Read, 1, "demod data from EM4x50 tag from the graph buffer"},
{NULL, NULL, 0, NULL}
};

2
include/usb_cmd.h

@ -41,6 +41,7 @@ typedef struct{
bool averaging;
int divisor;
int trigger_threshold;
int samples_to_skip;
} sample_config;
// For the bootloader
@ -116,6 +117,7 @@ typedef struct{
#define CMD_T55XX_WAKEUP 0x0224
#define CMD_COTAG 0x0225
#define CMD_PARADOX_CLONE_TAG 0x0226
#define CMD_EM4X_PROTECT 0x0228
// For the 13.56 MHz tags
#define CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693 0x0300