Proxmark3 community


#1 2009-10-31 17:24:30

ghaber
Member
Registered: 2008-10-26
Posts: 11

Reading/Writing a T5567 tag

Hi,

Trying to read a T5567 tag, I have introduced a new function in command.cpp to do the following tasks one after the other:

loread
losamples 4000
askdemod 1
mandemod

The function is:

static void CmdT5567read(char *str)
{
    // argument strings handed to the individual command handlers
    char *zero = "";
    char *twok = "4000";
    char *one = "1";

    CmdLoread(zero);
    CmdLosamples(twok);
    Cmdaskdemod(one);
    Cmdmanchesterdemod(zero);
}

For some reason it does not work. The Prox is answering "bad resp" and the program quits.

The "bad resp" comes from the CmdLosamples function and the c.cmd I get from the ReceiveCommand is 257 (decimal).

Can anyone help me, or tell me any other way to run those 4 commands one after the other automatically?

Best Regards

@ghaber

Last edited by ghaber (2009-11-05 19:53:38)


#2 2009-11-01 02:25:44

gfox
Member
Registered: 2009-08-07
Posts: 3

Re: Reading/Writing a T5567 tag

The response to loread usually gets handled by UsbCommandReceived(), from the main message loop in ShowGui(). But you don't check that before calling losamples, which means that the response to loread is still queued up. So GetFromBigBuf() complains, because it wasn't expecting that.


#3 2009-11-01 18:54:17

ghaber
Member
Registered: 2008-10-26
Posts: 11

Re: Reading/Writing a T5567 tag

Thanks man, it is working now. I will proceed now with the block-read mode.

@ghaber

Last edited by ghaber (2009-11-05 19:54:43)


#4 2009-11-05 20:17:11

ghaber
Member
Registered: 2008-10-26
Posts: 11

Re: Reading/Writing a T5567 tag

Hello again,

I am now trying to read and write these cards (equal to Q5 cards but a little newer). Regular read is done, but I am trying to implement direct access (block read) mode before trying to write, as the way it works is pretty similar.

With the direct access command, only the addressed block is read repeatedly. Direct access mode is entered by transmitting the page access opcode (“10” or “11”), a single “0” bit and the requested 3-bit block address when the tag is in normal mode.

Data is written to the tag by interrupting the RF field with short field gaps (field on-off keying). To transmit the opcode, there is a start gap. The start gap may need to be longer than subsequent gaps in order to be detected reliably. The time between two gaps encodes the “0” or “1” information to be transmitted (pulse interval encoding). The duration of the gaps is usually 50 μs to 150 μs. The time between two gaps is nominally 24 field clocks for a “0” and 54 field clocks for a “1”.

I know some of you have worked with Q5 cards, so maybe you can help me out. I have written the following function, but there must be some problem, as it does not work: it stays in the loop of "dest[j] = (BYTE)AT91C_BASE_SSC->SSC_RHR;" forever.

Thanks a lot for your help

@ghaber


//////////////////////////////////////////////////////////////////////////////////////////////////
// Helpers defined further down; declared here so ReadBlock1Page1T5567tag() can call them.
void AcquireT5567Type(void);
void WriteT5567bit(BYTE b);

void ReadBlock1Page1T5567tag(void)
{
/* RFID readers can send commands and data to the T5557 by interrupting the RF field in a fixed manner.
   All commands to the transponder are initiated by producing a "Start gap". To produce the Start gap the RFID
   reader will turn off the field for a period of between 10-50 field cycles. Then to send either 1 or 0 bits the RF field
   is turned on again for a period that varies depending on which bit is being transmitted. With a 1 bit the field will
   be active for a period between 48 to 63 field cycles, while for a 0 bit the field will be active for a period between
   16 to 31 field cycles. Between each bit the RF field is turned off for a period known as the Write Gap, which is
   typically between 8 to 30 field cycles in duration.

   Read block command
   1p 0 2   Addr     0 Read selected Block */
////////////////////

    // T5567 tags charge at 125kHz
    FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); // 125kHz
    // Place FPGA in passthrough mode; in this mode the CROSS_LO line
    // connects to SSP_DIN and the SSP_DOUT logic level controls
    // whether we're modulating the antenna (high)
    // or listening to the antenna (low)
    FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_PASSTHRU);
    LED_A_ON();

    // steal this pin from the SSP and use it to control the modulation
    AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
    AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;

    // During initialization, modulation is switched off.
    // Stop modulating the antenna (field off) and listen.
    LOW(GPIO_SSC_DOUT);

    // Card is initialized
    SpinDelay(50);

    // Start gap: Sgap between 10 and 50 FC, which at 125kHz is 80-400 us --> so we take 250
    int Sgap = 250;

    // Modulate antenna (field on)
    HIGH(GPIO_SSC_DOUT);
    SpinDelayUs(Sgap);    // Start gap

    // To read block 1 of page 1, we send 11 0 001
    WriteT5567bit(1);
    WriteT5567bit(1);
    WriteT5567bit(0);
    WriteT5567bit(0);
    WriteT5567bit(0);
    WriteT5567bit(1);

    // stop modulating the antenna and listen
    LOW(GPIO_SSC_DOUT);

    // get tag data into the buffer
    AcquireT5567Type();

    LED_A_OFF();

    FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}

void AcquireT5567Type(void)
{
    int j, n = 1400;
    // clear the first n bytes of the capture buffer
    // (sizeof(dest) would only give the size of the pointer, not the buffer)
    BYTE *dest = (BYTE *)BigBuf;
    memset(dest, 0, n);

    // collect n samples from the SSC receive register;
    // RXRDY is only ever set once the SSC has been set up and enabled
    j = 0;
    for (;;) {
        if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY) {
            dest[j] = (BYTE)AT91C_BASE_SSC->SSC_RHR;
            j++;
            LED_D_OFF();
            if (j >= n) {
                break;
            }
        }
    }
    DbpIntegers(dest[0], dest[1], j);
    // return stolen pin to SSP
    AT91C_BASE_PIOA->PIO_PDR = GPIO_SSC_DOUT;
    AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_DIN | GPIO_SSC_DOUT;
}

void WriteT5567bit(BYTE b)
{
/*
Write gap: Wgap between 8 and 30 FC, which at 125kHz is 64-240 us --> so we take 150
"0" data d0 between 16 and 31 FC, which at 125kHz is 128-248 us --> so we take 200
"1" data d1 between 48 and 63 FC, which at 125kHz is 384-504 us --> so we take 400
*/
    int Wgap = 150, d0 = 200, d1 = 400;

    // modulate bit out to the antenna
    if (b == 1) {   // HIGH BIT
        // Stop modulating the antenna (field off). Listen
        LOW(GPIO_SSC_DOUT);
        SpinDelayUs(d1);
        // modulate antenna
        HIGH(GPIO_SSC_DOUT);
        SpinDelayUs(Wgap);
    } else {        // LOW BIT
        // stop modulating the antenna - field off
        LOW(GPIO_SSC_DOUT);
        SpinDelayUs(d0);
        // modulate antenna - field on
        HIGH(GPIO_SSC_DOUT);
        SpinDelayUs(Wgap);
    }
}
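The post above describes the direct-access command (page opcode, a "0" bit, a 3-bit block address) and its pulse interval encoding (start gap, field-on intervals whose length carries the bit, write gaps between them). The host-side C model below is an added example, not code from this thread or from the Proxmark3 firmware: it builds the command bits for any page and block (the post hard-codes page 1, block 1), lays out the reader waveform with the timing figures the post quotes (8 µs per field clock at 125 kHz; the start and write gap lengths are assumed midpoints of the quoted ranges), and then decodes the waveform back using the datasheet acceptance windows, rejecting any interval that fits neither window. The `segment_t` type and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Timing figures quoted in the post above. At 125 kHz one field clock (FC) is 8 us. */
#define US_PER_FC     8
#define START_GAP_FC 30   /* start gap, field off; post quotes 10-50 FC (assumed midpoint) */
#define WRITE_GAP_FC 19   /* write gap, field off; post quotes 8-30 FC (assumed midpoint) */
#define DATA0_FC     24   /* nominal field-on interval for a "0" */
#define DATA1_FC     54   /* nominal field-on interval for a "1" */

/* Acceptance windows for decoding: the datasheet ranges quoted in the post. */
#define DATA0_MIN_FC 16
#define DATA0_MAX_FC 31
#define DATA1_MIN_FC 48
#define DATA1_MAX_FC 63

/* One stretch of the reader waveform: field driven on or off for duration_fc field clocks. */
typedef struct {
    int field_on;
    int duration_fc;
} segment_t;

/* Direct-access (block read) command: page opcode "1p", one "0" bit, then the
 * 3-bit block address MSB first. For page 1, block 1 this is 1 1 0 0 0 1, the
 * sequence hard-coded in the post. Returns the bit count, or -1 on a bad argument. */
int t5567_direct_access_bits(int page, int block, uint8_t *bits)
{
    if (page < 0 || page > 1 || block < 0 || block > 7)
        return -1;
    bits[0] = 1;
    bits[1] = (uint8_t)page;
    bits[2] = 0;
    bits[3] = (uint8_t)((block >> 2) & 1);
    bits[4] = (uint8_t)((block >> 1) & 1);
    bits[5] = (uint8_t)(block & 1);
    return 6;
}

/* Pulse interval encoding: a start gap, then per bit a field-on interval whose
 * length carries the bit value, each followed by a write gap. Returns the
 * number of segments written, or -1 if out[] is too small. */
int pie_encode(const uint8_t *bits, int nbits, segment_t *out, int max_segments)
{
    int n = 0;
    if (max_segments < 1 + 2 * nbits)
        return -1;
    out[n++] = (segment_t){0, START_GAP_FC};
    for (int i = 0; i < nbits; i++) {
        out[n++] = (segment_t){1, bits[i] ? DATA1_FC : DATA0_FC};
        out[n++] = (segment_t){0, WRITE_GAP_FC};
    }
    return n;
}

/* The check the tag (or an analyser watching the field) applies: classify every
 * field-on interval by the datasheet window. Returns the number of bits recovered,
 * or -1 if an interval falls in neither window or bits[] is full. */
int pie_decode(const segment_t *seg, int nseg, uint8_t *bits, int max_bits)
{
    int n = 0;
    for (int i = 0; i < nseg; i++) {
        int d;
        if (!seg[i].field_on)
            continue;           /* gaps only delimit the intervals */
        if (n >= max_bits)
            return -1;
        d = seg[i].duration_fc;
        if (d >= DATA0_MIN_FC && d <= DATA0_MAX_FC)
            bits[n++] = 0;
        else if (d >= DATA1_MIN_FC && d <= DATA1_MAX_FC)
            bits[n++] = 1;
        else
            return -1;          /* ambiguous timing: the tag would not accept this */
    }
    return n;
}

/* Total duration of the waveform in microseconds, handy for sizing SpinDelayUs() budgets. */
int segments_total_us(const segment_t *seg, int nseg)
{
    int fc = 0;
    for (int i = 0; i < nseg; i++)
        fc += seg[i].duration_fc;
    return fc * US_PER_FC;
}

int main(void)
{
    uint8_t bits[6], back[6];
    segment_t wave[16];
    int nbits = t5567_direct_access_bits(1, 1, bits);   /* the post's page 1, block 1 */
    int nseg = pie_encode(bits, nbits, wave, 16);

    printf("command bits:");
    for (int i = 0; i < nbits; i++)
        printf(" %d", bits[i]);
    printf("\nwaveform: %d segments, %d us total\n", nseg, segments_total_us(wave, nseg));
    for (int i = 0; i < nseg; i++)
        printf("  field %s for %3d FC (%4d us)\n", wave[i].field_on ? "on " : "off",
               wave[i].duration_fc, wave[i].duration_fc * US_PER_FC);
    printf("decoded %d bits, round trip %s\n", pie_decode(wave, nseg, back, 6),
           memcmp(bits, back, 6) == 0 ? "ok" : "MISMATCH");
    return 0;
}
```

The decoder is the useful half when a capture does not behave: feeding it the measured on/off durations from a logic analyser tells you immediately whether a chosen delay has drifted out of the "0" or "1" window, which is the kind of timing fault that otherwise only shows up as the tag silently ignoring the command.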


#5 2009-11-05 21:35:22

henryk
Contributor
Registered: 2009-07-27
Posts: 99

Re: Reading/Writing a T5567 tag

For one, you can never exit this loop since the exit is dependent on i being incremented, but i never changes (actually it's not even defined). But the bigger problem is: you never enable the SSC, so the RXRDY in the SSC status register can never be set. See Atmel documentation (doc6175.pdf) or other parts of the Proxmark3 source on how to initialize and set up the SSC for whatever you're trying to accomplish.


#6 2009-11-05 21:42:27

ghaber
Member
Registered: 2008-10-26
Posts: 11

Re: Reading/Writing a T5567 tag

Henryk,

The "i" is a typo; in the code it is a "j". I will investigate the SSC initialization.

Thanks a lot


#7 2010-12-16 07:05:41

codysnider
Member
From: Denver, Colorado
Registered: 2010-12-16
Posts: 8

Re: Reading/Writing a T5567 tag

@ghaber

Any luck with getting this to work? I'm using TK5551 tags and have had poor results from nearly everything I've tried despite their being so similar to the T5567 and T5577 tags.
