]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/hitagS.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
iclass.c: speeding up MAC calculation
[proxmark3-svn] / armsrc / hitagS.c
CommitLineData
4e12287d
RS		 1//-----------------------------------------------------------------------------
2// This code is licensed to you under the terms of the GNU GPL, version 2 or,
3// at your option, any later version. See the LICENSE.txt file for the text of
4// the license.
5//-----------------------------------------------------------------------------
6// HitagS emulation (preliminary test version)
7//
8// (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9// <info@os-s.de>
10//-----------------------------------------------------------------------------
11// Some code was copied from Hitag2.c
12//-----------------------------------------------------------------------------
13
14
5866c187 15#include "hitagS.h"
16
4e12287d
RS		 17#include <stdlib.h>
18#include "proxmark3.h"
19#include "apps.h"
20#include "util.h"
5866c187 21#include "hitag.h"
4e12287d
RS		 22#include "string.h"
23#include "BigBuf.h"
fc52fbd4 24#include "fpgaloader.h"
4e12287d
RS		 25
26#define CRC_PRESET 0xFF
27#define CRC_POLYNOM 0x1D
28
5866c187 29#define u8 uint8_t
30#define u32 uint32_t
31#define u64 uint64_t
32#define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
33#define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
34#define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
35#define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
36#define bit(x,n) (((x)>>(n))&1)
37#define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
38#define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
39#define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
4e12287d
RS		 40
41static bool bQuiet;
42static bool bSuccessful;
43static struct hitagS_tag tag;
44static byte_t page_to_be_written = 0;
45static int block_data_left = 0;
46typedef enum modulation {
47 AC2K = 0, AC4K, MC4K, MC8K
48} MOD;
5866c187 49static MOD m = AC2K; //used modulation
4e12287d
RS		 50static uint32_t temp_uid;
51static int temp2 = 0;
5866c187 52static int sof_bits; //number of start-of-frame bits
53static byte_t pwdh0, pwdl0, pwdl1; //password bytes
54static uint32_t rnd = 0x74124485; //randomnumber
4e12287d
RS		 55static int test = 0;
56size_t blocknr;
57bool end=false;
58
59// Single bit Hitag2 functions:
5866c187 60#define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
61static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
62static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
63static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
64#define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
65#define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
66#define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
67#define uf20bs u32
4e12287d
RS		 68
69static u32 f20(const u64 x) {
70 u32 i5;
71
72 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
73 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
74 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
75 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
76 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
77
78 return (ht2_f5c >> i5) & 1;
79}
80static u64 hitag2_round(u64 *state) {
81 u64 x = *state;
82
83 x = (x >> 1)
84 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
85 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
86 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
87 & 1) << 47);
88
89 *state = x;
90 return f20(x);
91}
92static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
93 u32 i;
94 u64 x = ((key & 0xFFFF) << 32) + serial;
95 for (i = 0; i < 32; i++) {
96 x >>= 1;
97 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
98 }
99 return x;
100}
101static u32 hitag2_byte(u64 *x) {
102 u32 i, c;
103
104 for (i = 0, c = 0; i < 8; i++)
105 c += (u32) hitag2_round(x) << (i ^ 7);
106 return c;
107}
108
109// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
110// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
111// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
112// T0 = TIMER_CLOCK1 / 125000 = 192
5866c187 113#define T0 192
4e12287d 114
5866c187 115#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
116#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
4e12287d 117
5866c187 118#define HITAG_FRAME_LEN 20
119#define HITAG_T_STOP 36 /* T_EOF should be > 36 */
120#define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
121#define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
122#define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
4e12287d 123//#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
5866c187 124#define HITAG_T_EOF 80 /* T_EOF should be > 36 */
125#define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
126#define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
127#define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
128
129#define HITAG_T_TAG_ONE_HALF_PERIOD 10
130#define HITAG_T_TAG_TWO_HALF_PERIOD 25
131#define HITAG_T_TAG_THREE_HALF_PERIOD 41
132#define HITAG_T_TAG_FOUR_HALF_PERIOD 57
133
134#define HITAG_T_TAG_HALF_PERIOD 16
135#define HITAG_T_TAG_FULL_PERIOD 32
136
137#define HITAG_T_TAG_CAPTURE_ONE_HALF 13
138#define HITAG_T_TAG_CAPTURE_TWO_HALF 25
139#define HITAG_T_TAG_CAPTURE_THREE_HALF 41
140#define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
4e12287d
RS		 141
142#define DEBUG 0
143
144/*
145 * Implementation of the crc8 calculation from Hitag S
146 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
147 */
148void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
149 *crc ^= data; // crc = crc (exor) data
150 do {
151 if (*crc & 0x80) // if (MSB-CRC == 1)
152 {
153 *crc <<= 1; // CRC = CRC Bit-shift left
154 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
155 } else {
156 *crc <<= 1; // CRC = CRC Bit-shift left
157 }
158 } while (--Bitcount);
159}
160
7b6e3205 161
4e12287d
RS		 162static void hitag_send_bit(int bit) {
163 LED_A_ON();
164 // Reset clock for the next bit
165 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
166
167 switch (m) {
7b6e3205 168 case AC2K:
169 if (bit == 0) {
170 // AC Coding --__
171 HIGH(GPIO_SSC_DOUT);
172 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
173 ;
174 LOW(GPIO_SSC_DOUT);
175 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
176 ;
177 } else {
178 // AC coding -_-_
179 HIGH(GPIO_SSC_DOUT);
180 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
181 ;
182 LOW(GPIO_SSC_DOUT);
183 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
184 ;
185 HIGH(GPIO_SSC_DOUT);
186 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
187 ;
188 LOW(GPIO_SSC_DOUT);
189 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
190 ;;
191 }
192 LED_A_OFF();
193 break;
194 case AC4K:
195 if (bit == 0) {
196 // AC Coding --__
197 HIGH(GPIO_SSC_DOUT);
198 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
199 ;
200 LOW(GPIO_SSC_DOUT);
201 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
202 ;
203 } else {
204 // AC coding -_-_
205 HIGH(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
207 ;
208 LOW(GPIO_SSC_DOUT);
209 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
210 ;
211 HIGH(GPIO_SSC_DOUT);
212 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
213 ;
214 LOW(GPIO_SSC_DOUT);
215 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
216 ;
217 }
218 LED_A_OFF();
219 break;
220 case MC4K:
221 if (bit == 0) {
222 // Manchester: Unloaded, then loaded |__--|
223 LOW(GPIO_SSC_DOUT);
224 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
225 ;
226 HIGH(GPIO_SSC_DOUT);
227 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
228 ;
229 } else {
230 // Manchester: Loaded, then unloaded |--__|
231 HIGH(GPIO_SSC_DOUT);
232 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
233 ;
234 LOW(GPIO_SSC_DOUT);
235 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
236 ;
237 }
238 LED_A_OFF();
239 break;
240 case MC8K:
241 if (bit == 0) {
242 // Manchester: Unloaded, then loaded |__--|
243 LOW(GPIO_SSC_DOUT);
244 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
245 ;
246 HIGH(GPIO_SSC_DOUT);
247 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
248 ;
249 } else {
250 // Manchester: Loaded, then unloaded |--__|
251 HIGH(GPIO_SSC_DOUT);
252 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
253 ;
254 LOW(GPIO_SSC_DOUT);
255 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
256 ;
257 }
258 LED_A_OFF();
259 break;
260 default:
261 break;
4e12287d
RS		 262 }
263}
264
7b6e3205 265static void hitag_tag_send_frame(const byte_t* frame, size_t frame_len) {
4e12287d 266// Send start of frame
4e12287d
RS		 267 for (size_t i = 0; i < sof_bits; i++) {
268 hitag_send_bit(1);
269 }
270
271// Send the content of the frame
272 for (size_t i = 0; i < frame_len; i++) {
273 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
274 }
275// Drop the modulation
276 LOW(GPIO_SSC_DOUT);
277}
278
279static void hitag_reader_send_bit(int bit) {
280//Dbprintf("BIT: %d",bit);
281 LED_A_ON();
282// Reset clock for the next bit
283 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
284
285// Binary puls length modulation (BPLM) is used to encode the data stream
286// This means that a transmission of a one takes longer than that of a zero
287
288// Enable modulation, which means, drop the the field
289 HIGH(GPIO_SSC_DOUT);
290 if (test == 1) {
291 // Wait for 4-10 times the carrier period
292 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
293 ;
5866c187 294 // SpinDelayUs(8*8);
4e12287d
RS		 295
296 // Disable modulation, just activates the field again
297 LOW(GPIO_SSC_DOUT);
298
299 if (bit == 0) {
300 // Zero bit: |_-|
301 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
302 ;
5866c187 303 // SpinDelayUs(16*8);
4e12287d
RS		 304 } else {
305 // One bit: |_--|
306 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
307 ;
5866c187 308 // SpinDelayUs(22*8);
4e12287d
RS		 309 }
310 } else {
311 // Wait for 4-10 times the carrier period
312 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
313 ;
5866c187 314 // SpinDelayUs(8*8);
4e12287d
RS		 315
316 // Disable modulation, just activates the field again
317 LOW(GPIO_SSC_DOUT);
318
319 if (bit == 0) {
320 // Zero bit: |_-|
321 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
322 ;
5866c187 323 // SpinDelayUs(16*8);
4e12287d
RS		 324 } else {
325 // One bit: |_--|
326 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
327 ;
5866c187 328 // SpinDelayUs(22*8);
4e12287d
RS		 329 }
330 }
331
332 LED_A_OFF();
333}
334
335static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
7b6e3205 336 // Send the content of the frame
4e12287d
RS		 337 for (size_t i = 0; i < frame_len; i++) {
338 if (frame[0] == 0xf8) {
339 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
340 }
7b6e3205 341 hitag_reader_send_bit(((frame[i / 8] >> (7 - (i % 8))) & 1));
4e12287d
RS		 342 }
343// Send EOF
344 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
345// Enable modulation, which means, drop the the field
346 HIGH(GPIO_SSC_DOUT);
347// Wait for 4-10 times the carrier period
348 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
349 ;
350// Disable modulation, just activates the field again
351 LOW(GPIO_SSC_DOUT);
352}
353
7b6e3205 354static void hitag_decode_frame_MC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
355 size_t rxlen = 0;
356 bool bSkip = true;
357 int lastbit = 1;
358 int tag_sof = 0;
359 int timing = 1;
360 if (bitRate == 8) {
361 timing = 2;
362 }
363
364 for (int i=0; i < rawLen; i++) {
365 int ra = rawMod[i];
366 if (ra >= HITAG_T_EOF) {
367 if (rxlen != 0) {
368 //DbpString("wierd1?");
369 }
370 tag_sof = sofBits;
371
372 // Capture the T0 periods that have passed since last communication or field drop (reset)
373 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
374 *response = ra - HITAG_T_TAG_HALF_PERIOD;
375 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
376 tag_sof=0;
377 // Manchester coding example |-_|_-|-_| (101)
378 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
379 rxlen++;
380 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
381 rxlen++;
382 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
383 tag_sof=0;
384 // Manchester coding example |_-|...|_-|-_| (0...01)
385 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
386 rxlen++;
387 // We have to skip this half period at start and add the 'one' the second time
388 if (!bSkip) {
389 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
390 rxlen++;
391 }
392 lastbit = !lastbit;
393 bSkip = !bSkip;
394 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
395 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
396 if (tag_sof) {
397 // Ignore bits that are transmitted during SOF
398 tag_sof--;
399 } else {
400 // bit is same as last bit
401 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
402 rxlen++;
403 }
404 } else {
405 // Ignore wierd value, is to small to mean anything
406 }
5866c187 407 }
7b6e3205 408 *rxlenOrg = rxlen;
409}
410
5866c187 411/*
7b6e3205 412static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
413 int tag_sof = 1; //skip start of frame
414 size_t rxlen = 0;
415
416 for (int i=0; i < rawLen; i++) {
417 int ra = rawMod[i];
418 if (ra >= HITAG_T_EOF) {
419 if (rxlen != 0) {
420 //DbpString("wierd1?");
421 }
422 // Capture the T0 periods that have passed since last communication or field drop (reset)
423 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
424 tag_sof = 1;
425 *response = ra - HITAG_T_TAG_HALF_PERIOD;
426 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
427 // AC coding example |--__|--__| means 0
428 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
429 rxlen++;
430 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
431 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
432 rxlen++;
433 i++; //drop next capture
434 }
435 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
436 if (tag_sof) {
437 // Ignore bits that are transmitted during SOF
438 tag_sof--;
439 } else {
440 // AC coding example |-_-_|-_-_| which means 1
441 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
442 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
443 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
444 rxlen++;
445 i++; //drop next capture
446 } else {
447 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
448 }
449 }
450 } else {
451 // Ignore wierd value, is to small to mean anything
452 }
453 }
454 *rxlenOrg = rxlen;
455}
456*/
457
458static void hitag_decode_frame_AC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
459 int tag_sof = 1;
460 size_t rxlen = 0;
461 int timing = 1;
462 if (bitRate == 4) {
463 timing = 2;
464 }
5866c187 465
7b6e3205 466
467 for (int i=0; i < rawLen; i++) {
468 int ra = rawMod[i];
469 if (ra >= HITAG_T_EOF) {
470 if (rxlen != 0) {
471 //DbpString("wierd1?");
472 }
473
474 // Capture the T0 periods that have passed since last communication or field drop (reset)
475 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
476 tag_sof = sofBits;
477 *response = ra - HITAG_T_TAG_HALF_PERIOD;
478 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
479 tag_sof=0;
480
481 // AC coding example |--__|--__| means 0
482 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
483 rxlen++;
484 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
485 tag_sof=0;
486
487 if (rawMod[i-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
488 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
489 if (rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
490 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
491 rxlen++;
492 i++; //drop next capture
493 } else {
494 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
495 }
496 } else {
497 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
498 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
499 rxlen++;
500 }
501 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
502 if (tag_sof) {
503 // Ignore bits that are transmitted during SOF
504 tag_sof--;
505 } else {
506 // AC coding example |-_-_|-_-_| which means 1
507 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
508 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
509 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
510 rxlen++;
511 i++; //drop next capture
512 } else {
513 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
514 }
515 }
516 } else {
517 // Ignore wierd value, is to small to mean anything
518 }
519 }
520 *rxlenOrg = rxlen;
521}
522
523static void hitag_receive_frame(byte_t* rx, size_t* rxlen, int* response) {
524 int rawMod[200] = {0};
525 int rawLen = 0;
526 int i = 0;
527 int sofBits = 0;
528
529 m = MC4K;
530 if (tag.pstate == READY) {
531 switch (tag.mode) {
532 case STANDARD:
533 m = AC2K;
534 sofBits = 1;
535 break;
536 case ADVANCED:
537 m = AC2K;
5866c187 538 sofBits = 5; //3 sof bits but 5 captures
7b6e3205 539 break;
540 case FAST_ADVANCED:
541 m = AC4K;
5866c187 542 sofBits = 5; //3 sof bits but 5 captures
7b6e3205 543 break;
544 default:
545 break;
546 }
547 } else {
548 switch (tag.mode) {
549 case STANDARD:
550 m = MC4K;
551 sofBits = 0; //in theory 1
552 break;
553 case ADVANCED:
554 m = MC4K;
555 sofBits = 5; //in theory 6
556 break;
557 case FAST_ADVANCED:
558 m = MC8K;
559 sofBits = 5; //in theory 6
560 break;
561 default:
562 break;
563 }
564 }
5866c187 565
7b6e3205 566 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
567 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
568
569
570 //first capture timing values
571 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX ) {
572 // Check if rising edge in modulation is detected
573 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
574 // Retrieve the new timing values
575 int ra = (AT91C_BASE_TC1->TC_RA / T0);
576
577 LED_B_ON();
578 // Reset timer every frame, we have to capture the last edge for timing
579 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
580 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
581
582 if (rawLen >= 200) { //avoid exception
583 break;
584 }
585 rawMod[rawLen] = ra;
586 rawLen++;
587
588 // We can break this loop if we received the last bit from a frame
589 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
590 if (rawLen > 2) {
591 if (DEBUG >= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen); }
592 break;
593 }
594 }
595 }
596 }
597
598 if (DEBUG >= 2) {
599 for (i=0; i < rawLen; i+=20) {
5866c187 600 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
7b6e3205 601 rawMod[i],rawMod[i+1],rawMod[i+2],rawMod[i+3], rawMod[i+4],rawMod[i+5],rawMod[i+6],rawMod[i+7],
602 rawMod[i+8],rawMod[i+9],rawMod[i+10],rawMod[i+11], rawMod[i+12],rawMod[i+13],rawMod[i+14],rawMod[i+15],
603 rawMod[i+16],rawMod[i+17],rawMod[i+18],rawMod[i+19]
604 );
605 }
606 }
607
608 switch (m) {
609 // DATA | 1 | 0 | 1 | 1 | 0 |
610 // Manchester |--__|__--|--__|--__|__--|
611 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
5866c187 612 // |<-->|
613 // | T |
7b6e3205 614 case AC2K:
615 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC2K"); }
616 hitag_decode_frame_AC(2, sofBits, rx, rxlen, response, rawMod, rawLen);
617 break;
618 case AC4K:
619 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC4K"); }
620 hitag_decode_frame_AC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
621 break;
622 case MC4K:
623 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC4K"); }
624 hitag_decode_frame_MC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
625 break;
626 case MC8K:
627 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC8K"); }
628 hitag_decode_frame_MC(8, sofBits, rx, rxlen, response, rawMod, rawLen);
629 break;
630 }
631
632 LED_B_OFF();
633 if (DEBUG >= 2) {
634 int rb[200] = {0}; int z = 0;
635 for (i = 0; i < 16; i++) { for (int j = 0; j < 8; j++) {
636 rb[z] = 0;
637 if ((rx[i] & ((1 << 7) >> j)) != 0) { rb[z] = 1; }
638 z++;
639 } }
640 for (i=0; i < z; i+=8) {
641 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb[i],rb[i+1],rb[i+2],rb[i+3],rb[i+4],rb[i+5],rb[i+6],rb[i+7] );
642 }
643 }
644}
645
646static void hitag_start_auth(byte_t* tx, size_t* txlen) {
647 *txlen = 5;
648 switch (tag.mode) {
649 case STANDARD:
650 //00110 - 0x30 - STANDARD MODE
651 memcpy(tx, "\x30", nbytes(*txlen));
652 break;
653 case ADVANCED:
654 //11000 - 0xc0 - Advance Mode
655 memcpy(tx, "\xc0", nbytes(*txlen));
656 break;
657 case FAST_ADVANCED:
658 //TODO!
659 break;
660 default: //STANDARD MODE
661 memcpy(tx, "\x30", nbytes(*txlen));
662 break;
663 }
664 tag.pstate = READY;
665 tag.tstate = NO_OP;
666}
667
668static int hitag_read_page(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int pageNum) {
669 int i, j, z;
670 int response_bit[200];
671 unsigned char mask = 1;
672 unsigned char crc;
673 unsigned char pageData[32];
674
675 if (pageNum >= tag.max_page) {
676 return -1;
677 }
678 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
679 //send read request
680 tag.tstate = READING_PAGE;
681 *txlen = 20;
682 crc = CRC_PRESET;
683 tx[0] = 0xc0 + (pageNum / 16);
684 calc_crc(&crc, tx[0], 8);
685 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
686 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
5866c187 687 tx[2] = 0x00 + (crc % 16) * 16;
7b6e3205 688 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE && *rxlen > 0) {
689 //save received data
690 z = 0;
691 for (i = 0; i < 4; i++) {
692 for (j = 0; j < 8; j++) {
693 response_bit[z] = 0;
694 if ((rx[i] & ((mask << 7) >> j)) != 0) {
695 response_bit[z] = 1;
696 }
697 if (z < 32) {
698 pageData[z] = response_bit[z];
699 }
700
701 z++;
702 }
703 }
704 for (i = 0; i < 4; i++) {
705 tag.pages[pageNum][i] = 0x0;
706 }
707 for (i = 0; i < 4; i++) {
5866c187 708 tag.pages[pageNum][i] += ((pageData[i * 8] << 7) | (pageData[1 + (i * 8)] << 6) |
709 (pageData[2 + (i * 8)] << 5) | (pageData[3 + (i * 8)] << 4) |
710 (pageData[4 + (i * 8)] << 3) | (pageData[5 + (i * 8)] << 2) |
7b6e3205 711 (pageData[6 + (i * 8)]
712 << 1) | pageData[7 + (i * 8)]);
713 }
714 if (tag.auth && tag.LKP && pageNum == 1) {
715 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
716 tag.pages[pageNum][2], tag.pages[pageNum][1], tag.pages[pageNum][0]);
717 } else {
718 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
5866c187 719 tag.pages[pageNum][3], tag.pages[pageNum][2],
7b6e3205 720 tag.pages[pageNum][1], tag.pages[pageNum][0]);
721 }
722
5866c187 723
7b6e3205 724 //display key and password if possible
725 if (pageNum == 1 && tag.auth == 1 && tag.LKP) {
726 if (htf == 02) { //RHTS_KEY
727 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
728 (byte_t)(key >> 8) & 0xff,
729 (byte_t) key & 0xff, pwdl1, pwdl0);
730 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
731 (byte_t)(key >> 40) & 0xff,
732 (byte_t)(key >> 32) & 0xff,
733 (byte_t)(key >> 24) & 0xff,
734 (byte_t)(key >> 16) & 0xff);
735 } else {
736 //if the authentication is done with a challenge the key and password are unknown
737 Dbprintf("Page[ 2]: __ __ __ __");
738 Dbprintf("Page[ 3]: __ __ __ __");
739 }
740 }
741
742 *txlen = 20;
743 crc = CRC_PRESET;
744 tx[0] = 0xc0 + ((pageNum+1) / 16);
745 calc_crc(&crc, tx[0], 8);
746 calc_crc(&crc, 0x00 + (((pageNum+1) % 16) * 16), 4);
747 tx[1] = 0x00 + (((pageNum+1) % 16) * 16) + (crc / 16);
748 tx[2] = 0x00 + (crc % 16) * 16;
749
750 return 1;
751 }
752 return 0;
753}
754
755static int hitag_read_block(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int blockNum) {
756 int i, j, z;
757 int response_bit[200];
758 unsigned char mask = 1;
759 unsigned char crc;
760 unsigned char blockData[128];
761
762 if (blockNum+4 >= tag.max_page) { //block always = 4 pages
763 return -1;
764 }
765
766 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
767 //send read request
768 tag.tstate = READING_BLOCK;
769 *txlen = 20;
770 crc = CRC_PRESET;
771 tx[0] = 0xd0 + (blockNum / 16);
772 calc_crc(&crc, tx[0], 8);
773 calc_crc(&crc, 0x00 + ((blockNum % 16) * 16), 4);
774 tx[1] = 0x00 + ((blockNum % 16) * 16) + (crc / 16);
5866c187 775 tx[2] = 0x00 + (crc % 16) * 16;
7b6e3205 776 } else if (tag.pstate == SELECTED && tag.tstate == READING_BLOCK && *rxlen > 0) {
777 //save received data
778 z = 0;
779 for (i = 0; i < 16; i++) {
780 for (j = 0; j < 8; j++) {
781 response_bit[z] = 0;
782 if ((rx[i] & ((mask << 7) >> j)) != 0) {
783 response_bit[z] = 1;
784 }
785 if (z < 128) {
786 blockData[z] = response_bit[z];
787 }
788 z++;
789 }
790 }
791
792 for (z = 0; z < 4; z++) { //4 pages
793 for (i = 0; i < 4; i++) {
794 tag.pages[blockNum+z][i] = 0x0;
795 }
796 }
797 for (z = 0; z < 4; z++) { //4 pages
798 for (i = 0; i < 4; i++) {
799 j = (i * 8) + (z*32); //bit in page + pageStart
5866c187 800 tag.pages[blockNum+z][i] = ((blockData[j] << 7) | (blockData[1 + j] << 6) |
801 (blockData[2 + j] << 5) | (blockData[3 + j] << 4) |
802 (blockData[4 + j] << 3) | (blockData[5 + j] << 2) |
7b6e3205 803 (blockData[6 + j] << 1) | blockData[7 + j]);
804 }
805 }
806 if (DEBUG) {
5866c187 807 for (z = 0; z < 4; z++) {
7b6e3205 808 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum+z,
5866c187 809 tag.pages[blockNum+z][3], tag.pages[blockNum+z][2],
7b6e3205 810 tag.pages[blockNum+z][1], tag.pages[blockNum+z][0]);
811 }
812 }
813 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum,
814 tag.pages[blockNum][3], tag.pages[blockNum][2], tag.pages[blockNum][1], tag.pages[blockNum][0],
815 tag.pages[blockNum+1][3], tag.pages[blockNum+1][2], tag.pages[blockNum+1][1], tag.pages[blockNum+1][0],
816 tag.pages[blockNum+2][3], tag.pages[blockNum+2][2], tag.pages[blockNum+2][1], tag.pages[blockNum+2][0],
817 tag.pages[blockNum+3][3], tag.pages[blockNum+3][2], tag.pages[blockNum+3][1], tag.pages[blockNum+3][0]);
818
819 *txlen = 20;
820 crc = CRC_PRESET;
821 tx[0] = 0xd0 + ((blockNum+4) / 16);
822 calc_crc(&crc, tx[0], 8);
823 calc_crc(&crc, 0x00 + (((blockNum+4) % 16) * 16), 4);
824 tx[1] = 0x00 + (((blockNum+4) % 16) * 16) + (crc / 16);
825 tx[2] = 0x00 + (crc % 16) * 16;
826
827 return 1;
828 }
829 return 0;
830}
831
832
4e12287d
RS		 833/*
834 * to check if the right uid was selected
835 */
836static int check_select(byte_t* rx, uint32_t uid) {
837 unsigned char resp[48];
838 int i;
839 uint32_t ans = 0x0;
840 for (i = 0; i < 48; i++)
841 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
842 for (i = 0; i < 32; i++)
843 ans += resp[5 + i] << (31 - i);
844 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
845 && rx[4] == 0x65 && rx[5] == 0x38)
846 Dbprintf("got uid %X", ans);*/
847 temp_uid = ans;
848 if (ans == tag.uid)
849 return 1;
850 return 0;
851}
852
853/*
854 * handles all commands from a reader
855 */
856static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
857 byte_t* tx, size_t* txlen) {
858 byte_t rx_air[HITAG_FRAME_LEN];
859 byte_t page;
860 int i;
861 u64 state;
862 unsigned char crc;
863
7b6e3205 864 // Copy the (original) received frame how it is send over the air
4e12287d 865 memcpy(rx_air, rx, nbytes(rxlen));
7b6e3205 866 // Reset the transmission frame length
4e12287d 867 *txlen = 0;
7b6e3205 868 // Try to find out which command was send by selecting on length (in bits)
4e12287d 869 switch (rxlen) {
7b6e3205 870 case 5: {
871 //UID request with a selected response protocol mode
872 tag.pstate = READY;
873 tag.tstate = NO_OP;
874 if ((rx[0] & 0xf0) == 0x30) {
875 Dbprintf("recieved uid request in Standard Mode");
876 tag.mode = STANDARD;
877 sof_bits = 1;
878 m = AC2K;
879 }
880 if ((rx[0] & 0xf0) == 0xc0) {
881 Dbprintf("recieved uid request in ADVANCE Mode");
882 tag.mode = ADVANCED;
883 sof_bits = 3;
884 m = AC2K;
885 }
886 if ((rx[0] & 0xf0) == 0xd0) {
887 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
888 tag.mode = FAST_ADVANCED;
889 sof_bits = 3;
890 m = AC4K;
891 }
892 //send uid as a response
893 *txlen = 32;
894 for (i = 0; i < 4; i++) {
895 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
896 }
4e12287d 897 }
7b6e3205 898 break;
899 case 45: {
900 //select command from reader received
901 if (check_select(rx, tag.uid) == 1) {
902 //if the right tag was selected
903 *txlen = 32;
904 switch (tag.mode) {
905 case STANDARD:
906 Dbprintf("uid selected in Standard Mode");
907 sof_bits = 1;
908 m = MC4K;
909 break;
910 case ADVANCED:
911 Dbprintf("uid selected in ADVANCE Mode");
912 sof_bits = 6;
913 m = MC4K;
914 break;
915 case FAST_ADVANCED:
916 Dbprintf("uid selected in FAST_ADVANCE Mode");
917 sof_bits = 6;
918 m = MC8K;
919 break;
920 default:
921 break;
922 }
4e12287d 923
7b6e3205 924 //send configuration
925 tx[0] = tag.pages[1][3];
926 tx[1] = tag.pages[1][2];
927 tx[2] = tag.pages[1][1];
928 tx[3] = 0xff;
929 if (tag.mode != STANDARD) {
930 *txlen = 40;
931 crc = CRC_PRESET;
932 for (i = 0; i < 4; i++)
933 calc_crc(&crc, tx[i], 8);
934 tx[4] = crc;
935 }
936 }
4e12287d 937 }
4e12287d 938 break;
7b6e3205 939 case 64: {
940 switch (tag.mode) {
4e12287d
RS		 941 case STANDARD:
942 sof_bits = 1;
943 m = MC4K;
944 break;
945 case ADVANCED:
946 sof_bits = 6;
947 m = MC4K;
948 break;
949 case FAST_ADVANCED:
950 sof_bits = 6;
951 m = MC8K;
952 break;
953 default:
954 break;
4e12287d 955 }
4e12287d
RS		 956 //challenge message received
957 Dbprintf("Challenge for UID: %X", temp_uid);
958 temp2++;
4e12287d
RS		 959 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
960 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
961 Dbprintf(
962 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
963 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
4e12287d 964
7b6e3205 965 for (i = 0; i < 4; i++) {
4e12287d 966 hitag2_byte(&state);
7b6e3205 967 }
968
969 *txlen = 32;
4e12287d 970 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
7b6e3205 971 tx[0] = hitag2_byte(&state) ^ tag.pages[1][1];
4e12287d
RS		 972 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
973 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
974 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
975 if (tag.mode != STANDARD) {
976 //add crc8
977 *txlen = 40;
978 crc = CRC_PRESET;
7b6e3205 979 calc_crc(&crc, tag.pages[1][1], 8);
4e12287d
RS		 980 calc_crc(&crc, tag.pwdh0, 8);
981 calc_crc(&crc, tag.pwdl0, 8);
982 calc_crc(&crc, tag.pwdl1, 8);
983 tx[4] = (crc ^ hitag2_byte(&state));
984 }
4e12287d
RS		 985 }
986 case 40:
987 //data received to be written
988 if (tag.tstate == WRITING_PAGE_DATA) {
989 tag.tstate = NO_OP;
7b6e3205 990 tag.pages[page_to_be_written][0] = rx[3];
991 tag.pages[page_to_be_written][1] = rx[2];
992 tag.pages[page_to_be_written][2] = rx[1];
993 tag.pages[page_to_be_written][3] = rx[0];
994
4e12287d
RS		 995 //send ack
996 *txlen = 2;
997 tx[0] = 0x40;
998 page_to_be_written = 0;
999 switch (tag.mode) {
1000 case STANDARD:
1001 sof_bits = 1;
1002 m = MC4K;
1003 break;
1004 case ADVANCED:
1005 sof_bits = 6;
1006 m = MC4K;
1007 break;
1008 case FAST_ADVANCED:
1009 sof_bits = 6;
1010 m = MC8K;
1011 break;
1012 default:
1013 break;
1014 }
1015 } else if (tag.tstate == WRITING_BLOCK_DATA) {
7b6e3205 1016 tag.pages[page_to_be_written][0] = rx[0];
1017 tag.pages[page_to_be_written][1] = rx[1];
1018 tag.pages[page_to_be_written][2] = rx[2];
1019 tag.pages[page_to_be_written][3] = rx[3];
1020
4e12287d
RS		 1021 //send ack
1022 *txlen = 2;
1023 tx[0] = 0x40;
1024 switch (tag.mode) {
1025 case STANDARD:
1026 sof_bits = 1;
1027 m = MC4K;
1028 break;
1029 case ADVANCED:
1030 sof_bits = 6;
1031 m = MC4K;
1032 break;
1033 case FAST_ADVANCED:
1034 sof_bits = 6;
1035 m = MC8K;
1036 break;
1037 default:
1038 break;
1039 }
1040 page_to_be_written++;
1041 block_data_left--;
1042 if (block_data_left == 0) {
1043 tag.tstate = NO_OP;
1044 page_to_be_written = 0;
1045 }
1046 }
1047 break;
1048 case 20: {
1049 //write page, write block, read page or read block command received
7b6e3205 1050 if ((rx[0] & 0xf0) == 0xc0) { //read page
4e12287d
RS		 1051 //send page data
1052 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
7b6e3205 1053 Dbprintf("reading page %d", page);
4e12287d 1054 *txlen = 32;
7b6e3205 1055 tx[0] = tag.pages[page][0];
1056 tx[1] = tag.pages[page][1];
1057 tx[2] = tag.pages[page][2];
1058 tx[3] = tag.pages[page][3];
5866c187 1059
4e12287d
RS		 1060 if (tag.LKP && page == 1)
1061 tx[3] = 0xff;
1062
1063 switch (tag.mode) {
1064 case STANDARD:
1065 sof_bits = 1;
1066 m = MC4K;
1067 break;
1068 case ADVANCED:
1069 sof_bits = 6;
1070 m = MC4K;
1071 break;
1072 case FAST_ADVANCED:
1073 sof_bits = 6;
1074 m = MC8K;
1075 break;
1076 default:
1077 break;
1078 }
1079
1080 if (tag.mode != STANDARD) {
1081 //add crc8
1082 *txlen = 40;
1083 crc = CRC_PRESET;
1084 for (i = 0; i < 4; i++)
1085 calc_crc(&crc, tx[i], 8);
1086 tx[4] = crc;
1087 }
1088
1089 if (tag.LKP && (page == 2 || page == 3)) {
1090 //if reader asks for key or password and the LKP-mark is set do not respond
1091 sof_bits = 0;
1092 *txlen = 0;
1093 }
7b6e3205 1094 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
4e12287d 1095 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
7b6e3205 1096 Dbprintf("reading block %d", page);
4e12287d
RS		 1097 *txlen = 32 * 4;
1098 //send page,...,page+3 data
1099 for (i = 0; i < 4; i++) {
7b6e3205 1100 tx[0 + (i * 4)] = tag.pages[page][0];
1101 tx[1 + (i * 4)] = tag.pages[page][1];
1102 tx[2 + (i * 4)] = tag.pages[page][2];
1103 tx[3 + (i * 4)] = tag.pages[page][3];
4e12287d
RS		 1104 page++;
1105 }
1106
1107 switch (tag.mode) {
7b6e3205 1108 case STANDARD:
1109 sof_bits = 1;
1110 m = MC4K;
1111 break;
1112 case ADVANCED:
1113 sof_bits = 6;
1114 m = MC4K;
1115 break;
1116 case FAST_ADVANCED:
1117 sof_bits = 6;
1118 m = MC8K;
1119 break;
1120 default:
1121 break;
4e12287d
RS		 1122 }
1123
1124 if (tag.mode != STANDARD) {
1125 //add crc8
1126 *txlen = 32 * 4 + 8;
1127 crc = CRC_PRESET;
1128 for (i = 0; i < 16; i++)
1129 calc_crc(&crc, tx[i], 8);
1130 tx[16] = crc;
1131 }
1132
1133 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
1134 sof_bits = 0;
1135 *txlen = 0;
1136 }
7b6e3205 1137 } else if ((rx[0] & 0xf0) == 0x80) { //write page
4e12287d
RS		 1138 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1139
1140 switch (tag.mode) {
1141 case STANDARD:
1142 sof_bits = 1;
1143 m = MC4K;
1144 break;
1145 case ADVANCED:
1146 sof_bits = 6;
1147 m = MC4K;
1148 break;
1149 case FAST_ADVANCED:
1150 sof_bits = 6;
1151 m = MC8K;
1152 break;
1153 default:
1154 break;
1155 }
1156 if ((tag.LCON && page == 1)
1157 || (tag.LKP && (page == 2 || page == 3))) {
1158 //deny
1159 *txlen = 0;
1160 } else {
1161 //allow
1162 *txlen = 2;
1163 tx[0] = 0x40;
1164 page_to_be_written = page;
1165 tag.tstate = WRITING_PAGE_DATA;
1166 }
1167
7b6e3205 1168 } else if ((rx[0] & 0xf0) == 0x90) { //write block
4e12287d
RS		 1169 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
1170 switch (tag.mode) {
1171 case STANDARD:
1172 sof_bits = 1;
1173 m = MC4K;
1174 break;
1175 case ADVANCED:
1176 sof_bits = 6;
1177 m = MC4K;
1178 break;
1179 case FAST_ADVANCED:
1180 sof_bits = 6;
1181 m = MC8K;
1182 break;
1183 default:
1184 break;
1185 }
1186 if (page % 4 != 0 || page == 0) {
1187 //deny
1188 *txlen = 0;
1189 } else {
1190 //allow
1191 *txlen = 2;
1192 tx[0] = 0x40;
1193 page_to_be_written = page;
1194 block_data_left = 4;
1195 tag.tstate = WRITING_BLOCK_DATA;
1196 }
1197 }
1198 }
1199 break;
1200 default:
1201
1202 break;
1203 }
1204}
1205
7b6e3205 1206
4e12287d
RS		 1207/*
1208 * to autenticate to a tag with the given key or challenge
1209 */
5866c187 1210static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx,
7b6e3205 1211 const size_t rxlen, byte_t* tx, size_t* txlen) {
4e12287d 1212 byte_t rx_air[HITAG_FRAME_LEN];
7b6e3205 1213 int response_bit[200] = {0};
4e12287d
RS		 1214 int i, j, z, k;
1215 unsigned char mask = 1;
1216 unsigned char uid[32];
1217 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
1218 unsigned char crc;
1219 u64 state;
1220 byte_t auth_ks[4];
1221 byte_t conf_pages[3];
1222 memcpy(rx_air, rx, nbytes(rxlen));
1223 *txlen = 0;
1224
7b6e3205 1225 if (DEBUG) {
5866c187 1226 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen, (int)tag.pstate);
1227 }
7b6e3205 1228
1229 if (tag.pstate == READY && rxlen >= 32) {
4e12287d
RS		 1230 //received uid
1231 if(end==true) {
1232 Dbprintf("authentication failed!");
1233 return -1;
1234 }
1235 z = 0;
1236 for (i = 0; i < 10; i++) {
1237 for (j = 0; j < 8; j++) {
1238 response_bit[z] = 0;
1239 if ((rx[i] & ((mask << 7) >> j)) != 0)
1240 response_bit[z] = 1;
1241 z++;
1242 }
1243 }
7b6e3205 1244 for (i = 0; i < 32; i++) {
1245 uid[i] = response_bit[i];
4e12287d 1246 }
5866c187 1247
4e12287d
RS		 1248 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
1249 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
1250 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
1251 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
1252 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
1253 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
1254 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
5866c187 1255 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
7b6e3205 1256 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
4e12287d
RS		 1257 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
1258
1259 //select uid
4e12287d
RS		 1260 crc = CRC_PRESET;
1261 calc_crc(&crc, 0x00, 5);
1262 calc_crc(&crc, uid1, 8);
1263 calc_crc(&crc, uid2, 8);
1264 calc_crc(&crc, uid3, 8);
1265 calc_crc(&crc, uid4, 8);
7b6e3205 1266 Dbprintf("crc: %02X", crc);
1267
1268 //resetting response bit
4e12287d
RS		 1269 for (i = 0; i < 100; i++) {
1270 response_bit[i] = 0;
1271 }
7b6e3205 1272
5866c187 1273 //skip the first 5
4e12287d
RS		 1274 for (i = 5; i < 37; i++) {
1275 response_bit[i] = uid[i - 5];
1276 }
7b6e3205 1277 //add crc value
4e12287d
RS		 1278 for (j = 0; j < 8; j++) {
1279 response_bit[i] = 0;
1280 if ((crc & ((mask << 7) >> j)) != 0)
1281 response_bit[i] = 1;
1282 i++;
1283 }
7b6e3205 1284
4e12287d
RS		 1285 k = 0;
1286 for (i = 0; i < 6; i++) {
1287 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1288 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
1289 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
1290 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1291 k += 8;
1292 }
7b6e3205 1293 *txlen = 45;
4e12287d 1294 tag.pstate = INIT;
7b6e3205 1295 } else if (tag.pstate == INIT && rxlen > 24) {
4e12287d
RS		 1296 // received configuration after select command
1297 z = 0;
7b6e3205 1298 for (i = 0; i < 4; i++) {
4e12287d
RS		 1299 for (j = 0; j < 8; j++) {
1300 response_bit[z] = 0;
7b6e3205 1301 if ((rx[i] & ((mask << 7) >> j)) != 0) {
4e12287d 1302 response_bit[z] = 1;
7b6e3205 1303 }
4e12287d
RS		 1304 z++;
1305 }
1306 }
7b6e3205 1307
4e12287d 1308 //check wich memorysize this tag has
7b6e3205 1309 //CON0
1310 if (response_bit[6] == 0 && response_bit[7] == 0)
4e12287d 1311 tag.max_page = 32 / 32;
7b6e3205 1312 if (response_bit[6] == 0 && response_bit[7] == 1)
4e12287d 1313 tag.max_page = 256 / 32;
7b6e3205 1314 if (response_bit[6] == 1 && response_bit[7] == 0)
1315 tag.max_page = 2048 / 32;
1316 if (response_bit[6] == 1 && response_bit[7] == 1) //reserved but some tags got this setting
4e12287d 1317 tag.max_page = 2048 / 32;
7b6e3205 1318
1319 //CON1
1320 tag.auth = response_bit[8];
1321 tag.TTFC = response_bit[9];
1322 //tag.TTFDR in response_bit[10] and response_bit[11]
1323 //tag.TTFM in response_bit[12] and response_bit[13]
1324 tag.LCON = response_bit[14];
1325 tag.LKP = response_bit[15];
5866c187 1326
7b6e3205 1327 //CON2
1328 tag.LCK7 = response_bit[16];
1329 tag.LCK6 = response_bit[17];
1330 tag.LCK5 = response_bit[18];
1331 tag.LCK4 = response_bit[19];
1332 tag.LCK3 = response_bit[20];
1333 tag.LCK2 = response_bit[21];
1334 tag.LCK1 = response_bit[22];
1335 tag.LCK0 = response_bit[23];
1336
1337 if (DEBUG) {
1338 conf_pages[0] = ((response_bit[0] << 7) | (response_bit[1] << 6)
1339 | (response_bit[2] << 5) | (response_bit[3] << 4)
1340 | (response_bit[4] << 3) | (response_bit[5] << 2)
1341 | (response_bit[6] << 1) | response_bit[7]);
1342 conf_pages[1] = ((response_bit[8] << 7) | (response_bit[9] << 6)
1343 | (response_bit[10] << 5) | (response_bit[11] << 4)
1344 | (response_bit[12] << 3) | (response_bit[13] << 2)
1345 | (response_bit[14] << 1) | response_bit[15]);
1346 conf_pages[2] = ((response_bit[16] << 7) | (response_bit[17] << 6)
1347 | (response_bit[18] << 5) | (response_bit[19] << 4)
1348 | (response_bit[20] << 3) | (response_bit[21] << 2)
1349 | (response_bit[22] << 1) | response_bit[23]);
1350 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
1351 Dbprintf("tag.max_page: %d, tag.auth: %d", tag.max_page, tag.auth);
1352 }
1353
4e12287d
RS		 1354 if (tag.auth == 1) {
1355 //if the tag is in authentication mode try the key or challenge
1356 *txlen = 64;
1357 if(end!=true){
1358 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
7b6e3205 1359 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
1360 /*
5866c187 1361 Dbprintf("key: %02X %02X\n\n", key, rev64(key));
1362 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, rev32(tag.uid));
1363 Dbprintf("rnd: %02X %02X\n\n", rnd, rev32(rnd));
7b6e3205 1364 */
4e12287d
RS		 1365 for (i = 0; i < 4; i++) {
1366 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
1367 }
1368 *txlen = 64;
1369 tx[0] = rnd & 0xff;
1370 tx[1] = (rnd >> 8) & 0xff;
1371 tx[2] = (rnd >> 16) & 0xff;
1372 tx[3] = (rnd >> 24) & 0xff;
1373
1374 tx[4] = auth_ks[0];
1375 tx[5] = auth_ks[1];
1376 tx[6] = auth_ks[2];
1377 tx[7] = auth_ks[3];
1378 if (DEBUG)
1379 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
1380 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
1381 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1382 for (i = 0; i < 8; i++)
1383 tx[i]=((NrAr>>(56-(i*8)))&0xff);
1384 }
1385 end=true;
1386 tag.pstate = AUTHENTICATE;
1387 } else {
1388 Dbprintf("authentication failed!");
1389 return -1;
1390 }
1391 } else if (tag.auth == 0) {
1392 tag.pstate = SELECTED;
1393 }
5866c187 1394
7b6e3205 1395 } else if (tag.pstate == AUTHENTICATE && rxlen >= 32) {
4e12287d 1396 //encrypted con2,password received.
4e12287d
RS		 1397 if (DEBUG) {
1398 Dbprintf("UID:::%X", tag.uid);
1399 Dbprintf("RND:::%X", rnd);
1400 }
1401
1402 //decrypt password
1403 pwdh0=0;
1404 pwdl0=0;
1405 pwdl1=0;
7b6e3205 1406 if(htf==02 || htf==04) { //RHTS_KEY //WHTS_KEY
4e12287d 1407 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
7b6e3205 1408 for (i = 0; i < 5; i++) {
4e12287d 1409 hitag2_byte(&state);
7b6e3205 1410 }
1411 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ hitag2_byte(&state);
1412 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ hitag2_byte(&state);
1413 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ hitag2_byte(&state);
1414 if (DEBUG) {
1415 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
1416 }
4e12287d 1417 }
4e12287d
RS		 1418 tag.pstate = SELECTED; //tag is now ready for read/write commands
1419 }
7b6e3205 1420
1421 if (DEBUG) {
5866c187 1422 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag.pstate);
1423 }
7b6e3205 1424
4e12287d 1425 return 0;
4e12287d
RS		 1426}
1427
1428/*
1429 * Emulates a Hitag S Tag with the given data from the .hts file
1430 */
1431void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
1432 int frame_count;
1433 int response;
1434 int overflow;
1435 int i, j;
1436 byte_t rx[HITAG_FRAME_LEN];
1437 size_t rxlen = 0;
4e12287d
RS		 1438 bQuiet = false;
1439 byte_t txbuf[HITAG_FRAME_LEN];
1440 byte_t* tx = txbuf;
1441 size_t txlen = 0;
7b6e3205 1442 uint8_t con0, con1, con2;
4e12287d
RS		 1443 BigBuf_free();
1444
1445// Clean up trace and prepare it for storing frames
44964fd1 1446 set_tracing(true);
4e12287d
RS		 1447 clear_trace();
1448
1449 DbpString("Starting HitagS simulation");
1450 LED_D_ON();
1451
1452 tag.pstate = READY;
1453 tag.tstate = NO_OP;
4e12287d
RS		 1454 //read tag data into memory
1455 if (tag_mem_supplied) {
1456 DbpString("Loading hitagS memory...");
7b6e3205 1457 for (i = 0; i < 64; i++) {
1458 for (j = 0; j < 4; j++) {
1459 tag.pages[i][j] = 0x0;
1460 }
1461 }
1462
5866c187 1463 for (i = 0; i < 64; i++) {
7b6e3205 1464 for (j = 0; j < 4; j++) {
1465 tag.pages[i][j] = data[(i*4)+j];
1466 }
1467 }
4e12287d 1468 }
7b6e3205 1469 tag.uid = (tag.pages[0][3] << 24 | tag.pages[0][2] << 16 | tag.pages[0][1] << 8 | tag.pages[0][0]);
1470 con0 = tag.pages[1][3];
1471 con1 = tag.pages[1][2];
1472 con2 = tag.pages[1][1];
1473 Dbprintf("UID: %X", tag.uid);
4e12287d 1474 Dbprintf("Hitag S simulation started");
7b6e3205 1475
1476 //0x01 plain mode - Reserved, CON2, CON1, CON0
1477 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1478 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1479 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1480
4e12287d 1481 //con0
7b6e3205 1482 tag.max_page = 2048 / 32;
1483 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 1)
1484 tag.max_page = 256 / 32;
1485 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 0)
1486 tag.max_page = 32 / 32;
1487
1488 //CON1
1489 tag.auth = ((con1 & 0x80) == 0x80) ? 1 : 0;
1490 tag.TTFC = ((con1 & 0x40) == 0x40) ? 1 : 0;
1491 //tag.TTFDR in response_bit[10] and response_bit[11]
1492 //tag.TTFM in response_bit[12] and response_bit[13]
1493 tag.LCON = ((con1 & 0x2) == 0x2) ? 1 : 0;
383f4e24 1494 tag.LKP = ((con1 & 0x1) == 0x1) ? 1 : 0;
5866c187 1495
7b6e3205 1496 //CON2
1497 tag.LCK7 = ((con2 & 0x80) == 0x80) ? 1 : 0;
1498 tag.LCK6 = ((con2 & 0x40) == 0x40) ? 1 : 0;
1499 tag.LCK5 = ((con2 & 0x20) == 0x20) ? 1 : 0;
1500 tag.LCK4 = ((con2 & 0x10) == 0x10) ? 1 : 0;
1501 tag.LCK3 = ((con2 & 0x8) == 0x8) ? 1 : 0;
1502 tag.LCK2 = ((con2 & 0x4) == 0x4) ? 1 : 0;
1503 tag.LCK1 = ((con2 & 0x2) == 0x2) ? 1 : 0;
1504 tag.LCK0 = ((con2 & 0x1) == 0x1) ? 1 : 0;
1505
1506 if (tag.auth == 1) {
1507 //TODO check if this working :D
1508 tag.key=(intptr_t)tag.pages[3];
1509 tag.key<<=16;
1510 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
1511 tag.pwdl0=tag.pages[2][3];
1512 tag.pwdl1=tag.pages[2][2];
1513 tag.pwdh0=tag.pages[1][0];
1514 }
1515
1516 // Set up simulator mode, frequency divisor which will drive the FPGA
1517 // and analog mux selection.
4e12287d 1518 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
28598e80 1519 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
4e12287d
RS		 1520 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1521 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1522 RELAY_OFF();
1523
7b6e3205 1524 // Configure output pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1525 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1526 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1527
7b6e3205 1528 // Disable modulation at default, which means release resistance
4e12287d
RS		 1529 LOW(GPIO_SSC_DOUT);
1530
7b6e3205 1531 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1532 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1533
7b6e3205 1534 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
4e12287d
RS		 1535 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1536 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1537
7b6e3205 1538 // Disable timer during configuration
5866c187 1539 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 1540 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1541
5866c187 1542 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1543 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1544
1545 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
7b6e3205 1546 // external trigger rising edge, load RA on rising edge of TIOA.
1547 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
4e12287d 1548
7b6e3205 1549 // Reset the received frame, frame count and timing info
4e12287d
RS		 1550 memset(rx, 0x00, sizeof(rx));
1551 frame_count = 0;
1552 response = 0;
1553 overflow = 0;
1554
7b6e3205 1555 // Enable and reset counter
4e12287d
RS		 1556 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1557
1558 while (!BUTTON_PRESS()) {
1559 // Watchdog hit
1560 WDT_HIT();
1561
1562 // Receive frame, watch for at most T0*EOF periods
7b6e3205 1563 //HITAG_T_WAIT_MAX
4e12287d
RS		 1564 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1565 // Check if rising edge in modulation is detected
1566 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1567 // Retrieve the new timing values
1568 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1569 overflow = 0;
1570
1571 // Reset timer every frame, we have to capture the last edge for timing
1572 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1573
1574 LED_B_ON();
1575
1576 // Capture reader frame
1577 if (ra >= HITAG_T_STOP) {
1578 if (rxlen != 0) {
1579 //DbpString("wierd0?");
1580 }
1581 // Capture the T0 periods that have passed since last communication or field drop (reset)
1582 response = (ra - HITAG_T_LOW);
1583 } else if (ra >= HITAG_T_1_MIN) {
1584 // '1' bit
1585 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1586 rxlen++;
1587 } else if (ra >= HITAG_T_0_MIN) {
1588 // '0' bit
1589 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1590 rxlen++;
1591 } else {
1592 // Ignore wierd value, is to small to mean anything
1593 }
1594 }
1595 }
1596
1597 // Check if frame was captured
1598 if (rxlen > 0) {
1599 frame_count++;
1600 if (!bQuiet) {
1601 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1602 DbpString("Trace full");
1603 clear_trace();
1604 }
1605 }
1606
1607 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1608 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1609
1610 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1611 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1612
1613 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1614 // not that since the clock counts since the rising edge, but T_Wait1 is
1615 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1616 // periods. The gap time T_Low varies (4..10). All timer values are in
1617 // terms of T0 units
7b6e3205 1618 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) { }
4e12287d
RS		 1619
1620 // Send and store the tag answer (if there is any)
1621 if (txlen > 0) {
1622 // Transmit the tag frame
7b6e3205 1623 hitag_tag_send_frame(tx, txlen);
1624
4e12287d
RS		 1625 // Store the frame in the trace
1626 if (!bQuiet) {
1627 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1628 DbpString("Trace full");
1629 clear_trace();
1630 }
1631 }
1632 }
1633
7b6e3205 1634 // Enable and reset external trigger in timer for capturing future frames
1635 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1636
4e12287d
RS		 1637 // Reset the received frame and response timing info
1638 memset(rx, 0x00, sizeof(rx));
1639 response = 0;
1640
4e12287d
RS		 1641 LED_B_OFF();
1642 }
1643 // Reset the frame length
1644 rxlen = 0;
1645 // Save the timer overflow, will be 0 when frame was received
1646 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1647 // Reset the timer to restart while-loop that receives frames
1648 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1649 }
7b6e3205 1650 Dbprintf("Hitag S simulation stopped");
4e12287d
RS		 1651 LED_B_OFF();
1652 LED_D_OFF();
1653 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1654 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1655 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1656}
1657
1658/*
1659 * Authenticates to the Tag with the given key or challenge.
1660 * If the key was given the password will be decrypted.
1661 * Reads every page of a hitag S transpoder.
1662 */
7b6e3205 1663void ReadHitagSintern(hitag_function htf, hitag_data* htd, stype tagMode, int startPage, bool readBlock) {
4e12287d 1664 int frame_count;
7b6e3205 1665 int i;
1666 int sendNum = startPage;
1667 tag.mode = tagMode;
1668
1669 //int i, j, z;
1670 //int response_bit[200];
1671 //unsigned char mask = 1;
1672
4e12287d
RS		 1673 int response;
1674 byte_t rx[HITAG_FRAME_LEN];
1675 size_t rxlen = 0;
1676 byte_t txbuf[HITAG_FRAME_LEN];
1677 byte_t* tx = txbuf;
1678 size_t txlen = 0;
1679 int lastbit;
4e12287d
RS		 1680 int t_wait = HITAG_T_WAIT_MAX;
1681 bool bStop;
1682 bool bQuitTraceFull = false;
7b6e3205 1683
4e12287d 1684 page_to_be_written = 0;
5866c187 1685
4e12287d
RS		 1686 //read given key/challenge
1687 byte_t NrAr_[8];
1688 uint64_t key=0;
1689 uint64_t NrAr=0;
1690 byte_t key_[6];
1691 switch(htf) {
7b6e3205 1692 case 01:
1693 case 03: { //RHTS_CHALLENGE
4e12287d
RS		 1694 DbpString("Authenticating using nr,ar pair:");
1695 memcpy(NrAr_,htd->auth.NrAr,8);
1696 Dbhexdump(8,NrAr_,false);
1697 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
5866c187 1698 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
4e12287d 1699 } break;
7b6e3205 1700 case 02:
1701 case 04: { //RHTS_KEY
4e12287d 1702 DbpString("Authenticating using key:");
5866c187 1703 memcpy(key_,htd->crypto.key,6);
4e12287d
RS		 1704 Dbhexdump(6,key_,false);
1705 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1706 } break;
1707 default: {
1708 Dbprintf("Error , unknown function: %d",htf);
1709 return;
1710 } break;
1711 }
1712
1713
1714
1715 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
5866c187 1716 // Reset the return status
4e12287d
RS		 1717 bSuccessful = false;
1718
5866c187 1719 // Clean up trace and prepare it for storing frames
44964fd1 1720 set_tracing(true);
4e12287d
RS		 1721 clear_trace();
1722
1723 bQuiet = false;
4e12287d
RS		 1724
1725 LED_D_ON();
1726
5866c187 1727 // Configure output and enable pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1728 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1729 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1730
5866c187 1731 // Set fpga in edge detect with reader field, we can modulate as reader now
7b6e3205 1732 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
4e12287d 1733
5866c187 1734 // Set Frequency divisor which will drive the FPGA and analog mux selection
1735 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
4e12287d
RS		 1736 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1737 RELAY_OFF();
1738
5866c187 1739 // Disable modulation at default, which means enable the field
4e12287d
RS		 1740 LOW(GPIO_SSC_DOUT);
1741
5866c187 1742 // Give it a bit of time for the resonant antenna to settle.
4e12287d
RS		 1743 SpinDelay(30);
1744
5866c187 1745 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1746 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1747
5866c187 1748 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
4e12287d
RS		 1749 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1750 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1751
5866c187 1752 // Disable timer during configuration
1753 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 1754 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1755
5866c187 1756 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1757 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1758
1759 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1760 // external trigger rising edge, load RA on falling edge of TIOA.
7b6e3205 1761 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
4e12287d 1762
5866c187 1763 // Enable and reset counters
4e12287d
RS		 1764 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1765 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1766
5866c187 1767 // Reset the received frame, frame count and timing info
4e12287d
RS		 1768 frame_count = 0;
1769 response = 0;
1770 lastbit = 1;
1771 bStop = false;
4e12287d
RS		 1772 t_wait = 200;
1773
1774 while (!bStop && !BUTTON_PRESS()) {
1775 // Watchdog hit
1776 WDT_HIT();
1777
7b6e3205 1778
1779 // Add transmitted frame to total count
1780 if (txlen > 0) {
1781 frame_count++;
1782
1783 if (tag.pstate == READY && rxlen < 1) {
1784 //skip logging starting auths if no response
1785 } else {
1786 if (!bQuiet) {
1787 // Store the frame in the trace
1788 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1789 if (bQuitTraceFull) {
1790 DbpString("Trace full");
1791 break;
1792 } else {
1793 bQuiet = true;
1794 }
1795 }
1796 }
1797 }
1798 }
1799
4e12287d
RS		 1800 // Check if frame was captured and store it
1801 if (rxlen > 0) {
1802 frame_count++;
1803 if (!bQuiet) {
1804 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1805 DbpString("Trace full");
1806 if (bQuitTraceFull) {
1807 break;
1808 } else {
1809 bQuiet = true;
1810 }
1811 }
1812 }
1813 }
1814
1815 // By default reset the transmission buffer
1816 tx = txbuf;
1817 txlen = 0;
1818
7b6e3205 1819 if (DEBUG >= 2) {
5866c187 1820 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count, rxlen, (int)tag.pstate, (int)tag.tstate);
1821 }
7b6e3205 1822
4e12287d
RS		 1823 if (rxlen == 0) {
1824 //start authentication
7b6e3205 1825 hitag_start_auth(tx, &txlen);
4e12287d 1826 } else if (tag.pstate != SELECTED) {
7b6e3205 1827 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1) {
1828 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
4e12287d 1829 bStop = !false;
4e12287d 1830 }
7b6e3205 1831 }
4e12287d 1832
7b6e3205 1833
5866c187 1834
7b6e3205 1835 if (readBlock && tag.pstate == SELECTED && (tag.tstate == READING_BLOCK || tag.tstate == NO_OP) && rxlen > 0) {
1836 i = hitag_read_block(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1837 if (i > 0) { sendNum+=4; }
1838 if (sendNum+4 >= tag.max_page) {
1839 bStop = !false;
1840 }
1841 } else if (!readBlock && tag.pstate == SELECTED && (tag.tstate == READING_PAGE || tag.tstate == NO_OP) && rxlen > 0) {
1842 i = hitag_read_page(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1843 if (i > 0) { sendNum++; }
4e12287d
RS		 1844 if (sendNum >= tag.max_page) {
1845 bStop = !false;
1846 }
1847 }
1848
1849 // Send and store the reader command
1850 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1851 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1852
1853 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1854 // Since the clock counts since the last falling edge, a 'one' means that the
1855 // falling edge occured halfway the period. with respect to this falling edge,
1856 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1857 // All timer values are in terms of T0 units
1858
7b6e3205 1859 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
4e12287d
RS		 1860
1861 // Transmit the reader frame
1862 hitag_reader_send_frame(tx, txlen);
1863
7b6e3205 1864
4e12287d
RS		 1865 // Enable and reset external trigger in timer for capturing future frames
1866 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1867
4e12287d
RS		 1868
1869 // Reset values for receiving frames
1870 memset(rx, 0x00, sizeof(rx));
1871 rxlen = 0;
1872 lastbit = 1;
4e12287d
RS		 1873 response = 0;
1874
5866c187 1875 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1876 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 1877 }
1878 end=false;
1879 LED_B_OFF();
1880 LED_D_OFF();
1881 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1882 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1883 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1884 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1885}
1886
7b6e3205 1887void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock) {
1888 if (tagMode == 1) {
1889 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1890 ReadHitagSintern(htf, htd, ADVANCED, (int)startPage, readBlock);
1891 } else if (tagMode == 2) {
1892 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1893 ReadHitagSintern(htf, htd, FAST_ADVANCED, (int)startPage, readBlock);
1894 } else {
1895 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock, startPage);
1896 ReadHitagSintern(htf, htd, STANDARD, (int)startPage, readBlock);
5866c187 1897 }
7b6e3205 1898}
1899
1900
1901
4e12287d
RS		 1902/*
1903 * Authenticates to the Tag with the given Key or Challenge.
1904 * Writes the given 32Bit data into page_
1905 */
1906void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1907 int frame_count;
1908 int response;
1909 byte_t rx[HITAG_FRAME_LEN];
1910 size_t rxlen = 0;
1911 byte_t txbuf[HITAG_FRAME_LEN];
1912 byte_t* tx = txbuf;
1913 size_t txlen = 0;
1914 int lastbit;
4e12287d
RS		 1915 int t_wait = HITAG_T_WAIT_MAX;
1916 bool bStop;
1917 bool bQuitTraceFull = false;
1918 int page = page_;
1919 unsigned char crc;
1920 byte_t data[4]= {0,0,0,0};
5866c187 1921
4e12287d
RS		 1922 //read given key/challenge, the page and the data
1923 byte_t NrAr_[8];
1924 uint64_t key=0;
1925 uint64_t NrAr=0;
1926 byte_t key_[6];
1927 switch(htf) {
1928 case 03: { //WHTS_CHALLENGE
1929 memcpy(data,htd->auth.data,4);
1930 DbpString("Authenticating using nr,ar pair:");
1931 memcpy(NrAr_,htd->auth.NrAr,8);
1932 Dbhexdump(8,NrAr_,false);
1933 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
5866c187 1934 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
4e12287d
RS		 1935 } break;
1936 case 04: { //WHTS_KEY
1937 memcpy(data,htd->crypto.data,4);
1938 DbpString("Authenticating using key:");
5866c187 1939 memcpy(key_,htd->crypto.key,6);
4e12287d
RS		 1940 Dbhexdump(6,key_,false);
1941 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1942 } break;
1943 default: {
1944 Dbprintf("Error , unknown function: %d",htf);
1945 return;
1946 } break;
1947 }
1948
1949 Dbprintf("Page: %d",page_);
1950 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1951 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
5866c187 1952 // Reset the return status
4e12287d
RS		 1953 bSuccessful = false;
1954
1955 tag.pstate = READY;
1956 tag.tstate = NO_OP;
1957
5866c187 1958 // Clean up trace and prepare it for storing frames
44964fd1 1959 set_tracing(true);
4e12287d
RS		 1960 clear_trace();
1961
1962 bQuiet = false;
4e12287d
RS		 1963
1964 LED_D_ON();
1965
5866c187 1966 // Configure output and enable pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1967 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1968 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1969
5866c187 1970 // Set fpga in edge detect with reader field, we can modulate as reader now
7b6e3205 1971 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
4e12287d 1972
5866c187 1973 // Set Frequency divisor which will drive the FPGA and analog mux selection
4e12287d
RS		 1974 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1975 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1976 RELAY_OFF();
1977
5866c187 1978 // Disable modulation at default, which means enable the field
4e12287d
RS		 1979 LOW(GPIO_SSC_DOUT);
1980
5866c187 1981 // Give it a bit of time for the resonant antenna to settle.
4e12287d
RS		 1982 SpinDelay(30);
1983
5866c187 1984 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1985 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1986
5866c187 1987 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
4e12287d
RS		 1988 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1989 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1990
5866c187 1991 // Disable timer during configuration
1992 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 1993 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1994
5866c187 1995 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1996 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1997
1998 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1999 // external trigger rising edge, load RA on falling edge of TIOA.
4e12287d
RS		 2000 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
2001 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
2002 | AT91C_TC_LDRA_FALLING;
2003
5866c187 2004 // Enable and reset counters
4e12287d
RS		 2005 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2006 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2007
5866c187 2008 // Reset the received frame, frame count and timing info
4e12287d
RS		 2009 frame_count = 0;
2010 response = 0;
2011 lastbit = 1;
2012 bStop = false;
4e12287d
RS		 2013 t_wait = 200;
2014
2015 while (!bStop && !BUTTON_PRESS()) {
2016 // Watchdog hit
2017 WDT_HIT();
2018
2019 // Check if frame was captured and store it
2020 if (rxlen > 0) {
2021 frame_count++;
2022 if (!bQuiet) {
2023 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2024 DbpString("Trace full");
2025 if (bQuitTraceFull) {
2026 break;
2027 } else {
2028 bQuiet = true;
2029 }
2030 }
2031 }
2032 }
2033
2034 //check for valid input
7b6e3205 2035 /*
4e12287d 2036 if (page == 0) {
7b6e3205 2037 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
4e12287d 2038 bStop = !false;
7b6e3205 2039 }*/
2040
4e12287d
RS		 2041
2042 // By default reset the transmission buffer
2043 tx = txbuf;
2044 txlen = 0;
2045
2046 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
2047 //no write access on this page
2048 Dbprintf("no write access on page %d", page_);
2049 bStop = !false;
2050 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
2051 //start the authetication
7b6e3205 2052 //tag.mode = ADVANCED;
2053 tag.mode = STANDARD;
2054 hitag_start_auth(tx, &txlen);
2055 m = AC2K;
4e12287d
RS		 2056 } else if (tag.pstate != SELECTED) {
2057 //try to authenticate with the given key or challenge
7b6e3205 2058 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1) {
4e12287d 2059 bStop = !false;
7b6e3205 2060 }
2061 m = MC4K;
4e12287d 2062 }
7b6e3205 2063
4e12287d
RS		 2064 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
2065 //check if the given page exists
2066 if (page > tag.max_page) {
2067 Dbprintf("page number too big");
2068 bStop = !false;
2069 }
2070 //ask Tag for write permission
2071 tag.tstate = WRITING_PAGE_ACK;
2072 txlen = 20;
2073 crc = CRC_PRESET;
2074 tx[0] = 0x90 + (page / 16);
2075 calc_crc(&crc, tx[0], 8);
2076 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
2077 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
2078 tx[2] = 0x00 + (crc % 16) * 16;
2079 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
7b6e3205 2080 && rxlen == 2 && rx[0] == 0x40) {
4e12287d
RS		 2081 //ACK recieved to write the page. send data
2082 tag.tstate = WRITING_PAGE_DATA;
2083 txlen = 40;
2084 crc = CRC_PRESET;
2085 calc_crc(&crc, data[3], 8);
2086 calc_crc(&crc, data[2], 8);
2087 calc_crc(&crc, data[1], 8);
2088 calc_crc(&crc, data[0], 8);
2089 tx[0] = data[3];
2090 tx[1] = data[2];
2091 tx[2] = data[1];
2092 tx[3] = data[0];
2093 tx[4] = crc;
2094 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
7b6e3205 2095 && rxlen == 2 && rx[0] == 0x40) {
4e12287d
RS		 2096 //received ACK
2097 Dbprintf("Successful!");
2098 bStop = !false;
2099 }
2100
2101 // Send and store the reader command
2102 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2103 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2104
2105 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2106 // Since the clock counts since the last falling edge, a 'one' means that the
2107 // falling edge occured halfway the period. with respect to this falling edge,
2108 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2109 // All timer values are in terms of T0 units
2110
2111 while (AT91C_BASE_TC0->TC_CV
2112 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2113 ;
2114
2115 // Transmit the reader frame
2116 hitag_reader_send_frame(tx, txlen);
2117
2118 // Enable and reset external trigger in timer for capturing future frames
2119 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2120
2121 // Add transmitted frame to total count
2122 if (txlen > 0) {
2123 frame_count++;
2124 if (!bQuiet) {
2125 // Store the frame in the trace
2126 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2127 if (bQuitTraceFull) {
2128 DbpString("Trace full");
2129 break;
2130 } else {
2131 bQuiet = true;
2132 }
2133 }
2134 }
2135 }
2136
2137 // Reset values for receiving frames
2138 memset(rx, 0x00, sizeof(rx));
2139 rxlen = 0;
2140 lastbit = 1;
4e12287d
RS		 2141 response = 0;
2142
7b6e3205 2143 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 2144 }
2145 end=false;
2146 LED_B_OFF();
2147 LED_D_OFF();
2148 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2149 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2150 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2151 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2152}
2153
7b6e3205 2154
4e12287d
RS		 2155/*
2156 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2157 * Displays all Challenges that failed.
2158 * When collecting Challenges to break the key it is possible that some data
2159 * is not received correctly due to Antenna problems. This function
2160 * detects these challenges.
2161 */
7b6e3205 2162void check_challenges_cmd(bool file_given, byte_t* data, uint64_t tagMode) {
4e12287d
RS		 2163 int i, j, z, k;
2164 byte_t uid_byte[4];
2165 int frame_count;
2166 int response;
2167 byte_t rx[HITAG_FRAME_LEN];
2168 byte_t unlocker[60][8];
2169 int u1 = 0;
2170 size_t rxlen = 0;
2171 byte_t txbuf[HITAG_FRAME_LEN];
2172 byte_t* tx = txbuf;
2173 size_t txlen = 0;
2174 int lastbit;
4e12287d
RS		 2175 int t_wait = HITAG_T_WAIT_MAX;
2176 int STATE = 0;
2177 bool bStop;
2178 bool bQuitTraceFull = false;
2179 int response_bit[200];
2180 unsigned char mask = 1;
2181 unsigned char uid[32];
2182 unsigned char crc;
2183
7b6e3205 2184 if (tagMode == 1) {
2185 Dbprintf("check_challenges in mode=ADVANCED");
2186 tag.mode = ADVANCED;
2187 } else if (tagMode == 2) {
2188 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2189 tag.mode = FAST_ADVANCED;
2190 } else {
2191 Dbprintf("check_challenges in mode=STANDARD");
2192 tag.mode = STANDARD;
2193 }
2194
2195
4e12287d 2196 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
5866c187 2197 // Reset the return status
4e12287d
RS		 2198 bSuccessful = false;
2199
5866c187 2200 // Clean up trace and prepare it for storing frames
44964fd1 2201 set_tracing(true);
4e12287d
RS		 2202 clear_trace();
2203
2204 bQuiet = false;
4e12287d
RS		 2205
2206 LED_D_ON();
2207
5866c187 2208 // Configure output and enable pin that is connected to the FPGA (for modulating)
4e12287d
RS		 2209 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
2210 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
2211
5866c187 2212 // Set fpga in edge detect with reader field, we can modulate as reader now
4e12287d
RS		 2213 FpgaWriteConfWord(
2214 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
2215
5866c187 2216 // Set Frequency divisor which will drive the FPGA and analog mux selection
2217 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
4e12287d
RS		 2218 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2219 RELAY_OFF();
2220
5866c187 2221 // Disable modulation at default, which means enable the field
4e12287d
RS		 2222 LOW(GPIO_SSC_DOUT);
2223
5866c187 2224 // Give it a bit of time for the resonant antenna to settle.
4e12287d
RS		 2225 SpinDelay(30);
2226
5866c187 2227 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 2228 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
2229
5866c187 2230 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
4e12287d
RS		 2231 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
2232 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
2233
5866c187 2234 // Disable timer during configuration
2235 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 2236 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2237
5866c187 2238 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
2239 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
2240
2241 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2242 // external trigger rising edge, load RA on falling edge of TIOA.
7b6e3205 2243 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
4e12287d 2244
5866c187 2245 // Enable and reset counters
4e12287d
RS		 2246 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2247 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2248
5866c187 2249 // Reset the received frame, frame count and timing info
4e12287d
RS		 2250 frame_count = 0;
2251 response = 0;
2252 lastbit = 1;
2253 bStop = false;
2254
4e12287d
RS		 2255 t_wait = 200;
2256
2257 if (file_given) {
2258 DbpString("Loading challenges...");
2259 memcpy((byte_t*)unlocker,data,60*8);
2260 }
2261
2262 while (file_given && !bStop && !BUTTON_PRESS()) {
2263 // Watchdog hit
2264 WDT_HIT();
2265
2266 // Check if frame was captured and store it
2267 if (rxlen > 0) {
2268 frame_count++;
2269 if (!bQuiet) {
2270 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2271 DbpString("Trace full");
2272 if (bQuitTraceFull) {
2273 break;
2274 } else {
2275 bQuiet = true;
2276 }
2277 }
2278 }
2279 }
2280
2281 tx = txbuf;
2282 txlen = 0;
2283 if (rxlen == 0) {
7b6e3205 2284 if (STATE == 2) {
4e12287d
RS		 2285 // challenge failed
2286 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2287 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
2288 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
2289 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
2290 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
7b6e3205 2291 }
4e12287d 2292 STATE = 0;
7b6e3205 2293 hitag_start_auth(tx, &txlen);
2294 } else if (rxlen >= 32 && STATE == 0) {
4e12287d
RS		 2295 //received uid
2296 z = 0;
2297 for (i = 0; i < 10; i++) {
2298 for (j = 0; j < 8; j++) {
2299 response_bit[z] = 0;
2300 if ((rx[i] & ((mask << 7) >> j)) != 0)
2301 response_bit[z] = 1;
2302 z++;
2303 }
2304 }
7b6e3205 2305 for (i = 0; i < 32; i++) {
2306 uid[i] = response_bit[i];
4e12287d 2307 }
7b6e3205 2308
4e12287d
RS		 2309 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
2310 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
2311 | (uid[6] << 1) | uid[7];
2312 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
2313 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
2314 | (uid[14] << 1) | uid[15];
2315 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
2316 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
2317 | (uid[22] << 1) | uid[23];
2318 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
2319 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
2320 | (uid[30] << 1) | uid[31];
2321 //Dbhexdump(10, rx, rxlen);
2322 STATE = 1;
2323 txlen = 45;
2324 crc = CRC_PRESET;
2325 calc_crc(&crc, 0x00, 5);
2326 calc_crc(&crc, uid_byte[0], 8);
2327 calc_crc(&crc, uid_byte[1], 8);
2328 calc_crc(&crc, uid_byte[2], 8);
2329 calc_crc(&crc, uid_byte[3], 8);
2330 for (i = 0; i < 100; i++) {
2331 response_bit[i] = 0;
2332 }
2333 for (i = 0; i < 5; i++) {
2334 response_bit[i] = 0;
2335 }
2336 for (i = 5; i < 37; i++) {
2337 response_bit[i] = uid[i - 5];
2338 }
2339 for (j = 0; j < 8; j++) {
2340 response_bit[i] = 0;
2341 if ((crc & ((mask << 7) >> j)) != 0)
2342 response_bit[i] = 1;
2343 i++;
2344 }
2345 k = 0;
2346 for (i = 0; i < 6; i++) {
2347 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2348 | (response_bit[k + 2] << 5)
2349 | (response_bit[k + 3] << 4)
2350 | (response_bit[k + 4] << 3)
2351 | (response_bit[k + 5] << 2)
2352 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2353 k += 8;
2354 }
2355
7b6e3205 2356
2357 tag.pstate = INIT;
2358 } else if (STATE == 1 && rxlen > 24) {
4e12287d
RS		 2359 //received configuration
2360 STATE = 2;
2361 z = 0;
2362 for (i = 0; i < 6; i++) {
2363 for (j = 0; j < 8; j++) {
2364 response_bit[z] = 0;
2365 if ((rx[i] & ((mask << 7) >> j)) != 0)
2366 response_bit[z] = 1;
2367 z++;
2368 }
2369 }
2370 txlen = 64;
2371
2372 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2373 bStop = !false;
2374 for (i = 0; i < 8; i++)
2375 tx[i] = unlocker[u1][i];
2376 u1++;
2377
7b6e3205 2378 tag.pstate = SELECTED;
2379 } else if (STATE == 2 && rxlen >= 32) {
4e12287d
RS		 2380 STATE = 0;
2381 }
2382
2383 // Send and store the reader command
2384 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2385 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2386
2387 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2388 // Since the clock counts since the last falling edge, a 'one' means that the
2389 // falling edge occured halfway the period. with respect to this falling edge,
2390 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2391 // All timer values are in terms of T0 units
7b6e3205 2392 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
4e12287d
RS		 2393
2394 // Transmit the reader frame
2395 hitag_reader_send_frame(tx, txlen);
2396
2397 // Enable and reset external trigger in timer for capturing future frames
2398 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2399
2400 // Add transmitted frame to total count
2401 if (txlen > 0) {
2402 frame_count++;
2403 if (!bQuiet) {
2404 // Store the frame in the trace
2405 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2406 if (bQuitTraceFull) {
2407 DbpString("Trace full");
2408 break;
2409 } else {
2410 bQuiet = true;
2411 }
2412 }
2413 }
2414 }
2415
2416 // Reset values for receiving frames
2417 memset(rx, 0x00, sizeof(rx));
2418 rxlen = 0;
2419 lastbit = 1;
4e12287d
RS		 2420 response = 0;
2421
7b6e3205 2422 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 2423 }
2424 LED_B_OFF();
2425 LED_D_OFF();
2426 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2427 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2428 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2429 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2430}
2431
7b6e3205 2432/**
2433Backward compatibility
2434*/
2435void check_challenges(bool file_given, byte_t* data) {
2436 check_challenges_cmd(file_given, data, 1);
2437}
4e12287d 2438
7b6e3205 2439void ReadHitagS(hitag_function htf, hitag_data* htd) {
2440 ReadHitagSintern(htf, htd, ADVANCED, 0, false);
2441}
Proxmark3 GIT tracking
Impressum, Datenschutz