ADD: @marshmellow's fixes to awid, viking and T55x7

ADD: 'lf t55xx detect' now can be called with a password.
ADD: trying to add the read counter and increase counter commands for ntag sim.

armsrc/appmain.c

@@ -1007,10 +1007,8 @@ void UsbPacketReceived(uint8_t *packet, int len)
 			CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
 			break;
         case CMD_VIKING_CLONE_TAG:
-            CopyViKingtoT55x7(c->arg[0],c->arg[1]);
+			CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
             break;
-
-    
 #endif
 
 #ifdef WITH_HITAG

armsrc/apps.h

@@ -74,6 +74,7 @@ void WriteTItag(uint32_t idhi, uint32_t idlo, uint16_t crc);
 void AcquireTiType(void);
 void AcquireRawBitsTI(void);
 void SimulateTagLowFrequency(int period, int gap, int ledcontrol);
+void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
 void CmdHIDsimTAG(int hi, int lo, int ledcontrol);
 void CmdFSKsimTAG(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
 void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream);
@@ -83,21 +84,19 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol); // Realt
 void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol);
 void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol);
 void CopyIOtoT55x7(uint32_t hi, uint32_t lo); // Clone an ioProx card to T5557/T5567
-void SimulateTagLowFrequencyBidir(int divisor, int max_bitlen);
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT); // Clone an HID card to T5557/T5567
+void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5);
 void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo);
 void CopyIndala64toT55x7(uint32_t hi, uint32_t lo); // Clone Indala 64-bit tag by UID to T55x7
 void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t uid4, uint32_t uid5, uint32_t uid6, uint32_t uid7); // Clone Indala 224-bit tag by UID to T55x7
 void T55xxResetRead(void);
-void T55xxWriteBlock(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t arg);
-void T55xxWriteBlockExt(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t arg);
+void T55xxWriteBlock(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t PwdMode);
+void T55xxWriteBlockExt(uint32_t Data, uint8_t Block, uint32_t Pwd, uint8_t PwdMode);
 void T55xxReadBlock(uint16_t arg0, uint8_t Block, uint32_t Pwd);
 void T55xxWakeUp(uint32_t Pwd);
 void TurnReadLFOn();
 void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
-void CopyViKingtoT55x7(uint32_t block1,uint32_t block2);
-
 
 /// iso14443.h
 void SimulateIso14443bTag(void);

armsrc/iso14443a.c

@@ -1,4 +1,4 @@
-//-----------------------------------------------------------------------------
+ //-----------------------------------------------------------------------------
 // Merlok - June 2011, 2012
 // Gerhard de Koning Gans - May 2008
 // Hagen Fritsch - June 2010
@@ -939,6 +939,7 @@ bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
 //-----------------------------------------------------------------------------
 void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 {
+	uint32_t counters[] = {0,0,0};
 	//Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
 	// This can be used in a reader-only attack.
 	// (it can also be retrieved via 'hf 14a list', but hey...
@@ -1182,7 +1183,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 				// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
 				p_response = NULL;
 			}
-		} else if(receivedCmd[0] == 0x3A) {	// Received a FAST READ (ranged read) -- just returns all zeros.
+		} else if(receivedCmd[0] == 0x3A) {	// Received a FAST READ (ranged read)
 				
 				uint8_t emdata[MAX_FRAME_SIZE];
 				int start =  receivedCmd[1] * 4;
@@ -1202,15 +1203,19 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 				AppendCrc14443a(data, sizeof(data)-2);
 				EmSendCmdEx(data,sizeof(data),false);
 				p_response = NULL;					
-		} else if(receivedCmd[0] == 0x39 && tagType == 7) {	// Received a READ COUNTER -- 
-				uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
-				EmSendCmdEx(data,sizeof(data),false);				
-				p_response = NULL;
-		} else if(receivedCmd[0] == 0xA5 && tagType == 7) {	// Received a INC COUNTER -- 
+		} else if (receivedCmd[0] == 0x39 && tagType == 7) {	// Received a READ COUNTER -- 
+			uint8_t counter = receivedCmd[1];
+			uint32_t value = counters[counter];
+			uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
+			AppendCrc14443a(data, sizeof(data)-2);
+			EmSendCmdEx(data,sizeof(data),false);				
+			p_response = NULL;
+		} else if (receivedCmd[0] == 0xA5 && tagType == 7) {	// Received a INC COUNTER -- 
 			// number of counter
-			//uint8_t counter = receivedCmd[1];
-			//uint32_t val = bytes_to_num(receivedCmd+2,4);
-			
+			uint8_t counter = receivedCmd[1];
+			uint32_t val = bytes_to_num(receivedCmd+2,4);
+			counters[counter] = val;
+		
 			// send ACK
 			uint8_t ack[] = {0x0a};
 			EmSendCmdEx(ack,sizeof(ack),false);

armsrc/lfops.c

@@ -839,7 +839,7 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 		size = 50*128*2; //big enough to catch 2 sequences of largest format
 		idx = AWIDdemodFSK(dest, &size);
 		
-		if (idx>0 && size==96){
+		if (idx<=0 || size!=96) continue;
 	        // Index map
 	        // 0            10            20            30              40            50              60
 	        // |            |             |             |               |             |               |
@@ -859,6 +859,7 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 	        uint32_t rawHi2 = bytebits_to_byte(dest+idx,32);
 
 	        size = removeParity(dest, idx+8, 4, 1, 88);
+		if (size != 66) continue;
 	        // ok valid card found!
 
 	        // Index map
@@ -900,7 +901,6 @@ void CmdAWIDdemodFSK(int findone, int *high, int *low, int ledcontrol)
 				return;
 			}
 			// reset
-		}
 		idx = 0;
 		WDT_HIT();
 	}
@@ -1267,7 +1267,6 @@ void WriteT55xx(uint32_t *blockdata, uint8_t startblock, uint8_t numblocks) {
 // Copy HID id to card and setup block 0 config
 void CopyHIDtoT55x7(uint32_t hi2, uint32_t hi, uint32_t lo, uint8_t longFMT) {
 	uint32_t data[] = {0,0,0,0,0,0,0};
-	//int data1=0, data2=0, data3=0, data4=0, data5=0, data6=0; //up to six blocks for long format
 	uint8_t last_block = 0;
 
 	if (longFMT){
@@ -1357,6 +1356,15 @@ void CopyIndala224toT55x7(uint32_t uid1, uint32_t uid2, uint32_t uid3, uint32_t
 	//	T5567WriteBlock(0x603E10E2,0);
 	DbpString("DONE!");
 }
+// clone viking tag to T55xx
+void CopyVikingtoT55xx(uint32_t block1, uint32_t block2, uint8_t Q5) {
+	uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
+	if (Q5) data[0] = (32 << T5555_BITRATE_SHIFT) | T5555_MODULATION_MANCHESTER | 2 << T5555_MAXBLOCK_SHIFT;
+	// Program the data blocks for supplied ID and the block 0 config
+	WriteT55xx(data, 0, 3);
+	LED_D_OFF();
+	cmd_send(CMD_ACK,0,0,0,0,0);
+}
 
 // Define 9bit header for EM410x tags
 #define EM410X_HEADER		0x1FF
@@ -1657,12 +1665,3 @@ void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode
 	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off
 	LED_D_OFF();
 }
-
-void CopyViKingtoT55x7(uint32_t block1, uint32_t block2) {
-
-	uint32_t data[] = {T55x7_BITRATE_RF_32 | T55x7_MODULATION_MANCHESTER | (2 << T55x7_MAXBLOCK_SHIFT), block1, block2};
-	// Program the data blocks for supplied ID and the block 0 config
-	WriteT55xx(data, 0, 3);
-	LED_D_OFF();
-}
-