]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
1. Mifare read block command
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
534983d7 3// Hagen Fritsch - June 2010
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
15c4dc5a 8//-----------------------------------------------------------------------------
bd20f8f4 9// Routines to support ISO 14443 type A.
10//-----------------------------------------------------------------------------
11
e30c654b 12#include "proxmark3.h"
15c4dc5a 13#include "apps.h"
f7e3ed82 14#include "util.h"
9ab7a6c7 15#include "string.h"
16
15c4dc5a 17#include "iso14443crc.h"
534983d7 18#include "iso14443a.h"
20f9a2a1
M		 19#include "crapto1.h"
20#include "mifareutil.h"
15c4dc5a 21
f7e3ed82 22static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 23static int traceLen = 0;
24static int rsamples = 0;
f7e3ed82 25static int tracing = TRUE;
534983d7 26static uint32_t iso14a_timeout;
15c4dc5a 27
72934aa3 28// CARD TO READER
29// Sequence D: 11110000 modulation with subcarrier during first half
30// Sequence E: 00001111 modulation with subcarrier during second half
31// Sequence F: 00000000 no modulation with subcarrier
32// READER TO CARD
33// Sequence X: 00001100 drop after half a period
34// Sequence Y: 00000000 no drop
35// Sequence Z: 11000000 drop at start
36#define SEC_D 0xf0
37#define SEC_E 0x0f
38#define SEC_F 0x00
39#define SEC_X 0x0c
40#define SEC_Y 0x00
41#define SEC_Z 0xc0
15c4dc5a 42
f7e3ed82 43static const uint8_t OddByteParity[256] = {
15c4dc5a 44 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
45 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
48 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
51 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
56 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
59 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
60};
61
62// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
63#define RECV_CMD_OFFSET 3032
64#define RECV_RES_OFFSET 3096
65#define DMA_BUFFER_OFFSET 3160
66#define DMA_BUFFER_SIZE 4096
67#define TRACE_LENGTH 3000
68
534983d7 69uint8_t trigger = 0;
70void iso14a_set_trigger(int enable) {
71 trigger = enable;
72}
73
15c4dc5a 74//-----------------------------------------------------------------------------
75// Generate the parity value for a byte sequence
e30c654b 76//
15c4dc5a 77//-----------------------------------------------------------------------------
20f9a2a1
M		 78byte_t oddparity (const byte_t bt)
79{
80 return OddByteParity[bt];
81}
82
f7e3ed82 83uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 84{
85 int i;
f7e3ed82 86 uint32_t dwPar = 0;
72934aa3 87
15c4dc5a 88 // Generate the encrypted data
89 for (i = 0; i < iLen; i++) {
90 // Save the encrypted parity bit
91 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
92 }
93 return dwPar;
94}
95
534983d7 96void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 97{
98 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
99}
100
ed82636b 101int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 102{
103 // Return when trace is full
104 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 105
15c4dc5a 106 // Trace the random, i'm curious
107 rsamples += iSamples;
108 trace[traceLen++] = ((rsamples >> 0) & 0xff);
109 trace[traceLen++] = ((rsamples >> 8) & 0xff);
110 trace[traceLen++] = ((rsamples >> 16) & 0xff);
111 trace[traceLen++] = ((rsamples >> 24) & 0xff);
112 if (!bReader) {
113 trace[traceLen - 1] |= 0x80;
114 }
115 trace[traceLen++] = ((dwParity >> 0) & 0xff);
116 trace[traceLen++] = ((dwParity >> 8) & 0xff);
117 trace[traceLen++] = ((dwParity >> 16) & 0xff);
118 trace[traceLen++] = ((dwParity >> 24) & 0xff);
119 trace[traceLen++] = iLen;
120 memcpy(trace + traceLen, btBytes, iLen);
121 traceLen += iLen;
122 return TRUE;
123}
124
15c4dc5a 125//-----------------------------------------------------------------------------
126// The software UART that receives commands from the reader, and its state
127// variables.
128//-----------------------------------------------------------------------------
129static struct {
130 enum {
131 STATE_UNSYNCD,
132 STATE_START_OF_COMMUNICATION,
133 STATE_MILLER_X,
134 STATE_MILLER_Y,
135 STATE_MILLER_Z,
136 STATE_ERROR_WAIT
137 } state;
f7e3ed82 138 uint16_t shiftReg;
15c4dc5a 139 int bitCnt;
140 int byteCnt;
141 int byteCntMax;
142 int posCnt;
143 int syncBit;
144 int parityBits;
145 int samples;
146 int highCnt;
147 int bitBuffer;
148 enum {
149 DROP_NONE,
150 DROP_FIRST_HALF,
151 DROP_SECOND_HALF
152 } drop;
f7e3ed82 153 uint8_t *output;
15c4dc5a 154} Uart;
155
6c1e2d95 156static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 157{
158 int error = 0;
159 int bitright;
160
161 if(!Uart.bitBuffer) {
162 Uart.bitBuffer = bit ^ 0xFF0;
163 return FALSE;
164 }
165 else {
166 Uart.bitBuffer <<= 4;
167 Uart.bitBuffer ^= bit;
168 }
169
f7e3ed82 170 int EOC = FALSE;
15c4dc5a 171
172 if(Uart.state != STATE_UNSYNCD) {
173 Uart.posCnt++;
174
175 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
176 bit = 0x00;
177 }
178 else {
179 bit = 0x01;
180 }
181 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
182 bitright = 0x00;
183 }
184 else {
185 bitright = 0x01;
186 }
187 if(bit != bitright) { bit = bitright; }
188
189 if(Uart.posCnt == 1) {
190 // measurement first half bitperiod
191 if(!bit) {
192 Uart.drop = DROP_FIRST_HALF;
193 }
194 }
195 else {
196 // measurement second half bitperiod
197 if(!bit & (Uart.drop == DROP_NONE)) {
198 Uart.drop = DROP_SECOND_HALF;
199 }
200 else if(!bit) {
201 // measured a drop in first and second half
202 // which should not be possible
203 Uart.state = STATE_ERROR_WAIT;
204 error = 0x01;
205 }
206
207 Uart.posCnt = 0;
208
209 switch(Uart.state) {
210 case STATE_START_OF_COMMUNICATION:
211 Uart.shiftReg = 0;
212 if(Uart.drop == DROP_SECOND_HALF) {
213 // error, should not happen in SOC
214 Uart.state = STATE_ERROR_WAIT;
215 error = 0x02;
216 }
217 else {
218 // correct SOC
219 Uart.state = STATE_MILLER_Z;
220 }
221 break;
222
223 case STATE_MILLER_Z:
224 Uart.bitCnt++;
225 Uart.shiftReg >>= 1;
226 if(Uart.drop == DROP_NONE) {
227 // logic '0' followed by sequence Y
228 // end of communication
229 Uart.state = STATE_UNSYNCD;
230 EOC = TRUE;
231 }
232 // if(Uart.drop == DROP_FIRST_HALF) {
233 // Uart.state = STATE_MILLER_Z; stay the same
234 // we see a logic '0' }
235 if(Uart.drop == DROP_SECOND_HALF) {
236 // we see a logic '1'
237 Uart.shiftReg |= 0x100;
238 Uart.state = STATE_MILLER_X;
239 }
240 break;
241
242 case STATE_MILLER_X:
243 Uart.shiftReg >>= 1;
244 if(Uart.drop == DROP_NONE) {
245 // sequence Y, we see a '0'
246 Uart.state = STATE_MILLER_Y;
247 Uart.bitCnt++;
248 }
249 if(Uart.drop == DROP_FIRST_HALF) {
250 // Would be STATE_MILLER_Z
251 // but Z does not follow X, so error
252 Uart.state = STATE_ERROR_WAIT;
253 error = 0x03;
254 }
255 if(Uart.drop == DROP_SECOND_HALF) {
256 // We see a '1' and stay in state X
257 Uart.shiftReg |= 0x100;
258 Uart.bitCnt++;
259 }
260 break;
261
262 case STATE_MILLER_Y:
263 Uart.bitCnt++;
264 Uart.shiftReg >>= 1;
265 if(Uart.drop == DROP_NONE) {
266 // logic '0' followed by sequence Y
267 // end of communication
268 Uart.state = STATE_UNSYNCD;
269 EOC = TRUE;
270 }
271 if(Uart.drop == DROP_FIRST_HALF) {
272 // we see a '0'
273 Uart.state = STATE_MILLER_Z;
274 }
275 if(Uart.drop == DROP_SECOND_HALF) {
276 // We see a '1' and go to state X
277 Uart.shiftReg |= 0x100;
278 Uart.state = STATE_MILLER_X;
279 }
280 break;
281
282 case STATE_ERROR_WAIT:
283 // That went wrong. Now wait for at least two bit periods
284 // and try to sync again
285 if(Uart.drop == DROP_NONE) {
286 Uart.highCnt = 6;
287 Uart.state = STATE_UNSYNCD;
288 }
289 break;
290
291 default:
292 Uart.state = STATE_UNSYNCD;
293 Uart.highCnt = 0;
294 break;
295 }
296
297 Uart.drop = DROP_NONE;
298
299 // should have received at least one whole byte...
300 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
301 return TRUE;
302 }
303
304 if(Uart.bitCnt == 9) {
305 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
306 Uart.byteCnt++;
307
308 Uart.parityBits <<= 1;
309 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
310
311 if(EOC) {
312 // when End of Communication received and
313 // all data bits processed..
314 return TRUE;
315 }
316 Uart.bitCnt = 0;
317 }
318
319 /*if(error) {
320 Uart.output[Uart.byteCnt] = 0xAA;
321 Uart.byteCnt++;
322 Uart.output[Uart.byteCnt] = error & 0xFF;
323 Uart.byteCnt++;
324 Uart.output[Uart.byteCnt] = 0xAA;
325 Uart.byteCnt++;
326 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
327 Uart.byteCnt++;
328 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
329 Uart.byteCnt++;
330 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
331 Uart.byteCnt++;
332 Uart.output[Uart.byteCnt] = 0xAA;
333 Uart.byteCnt++;
334 return TRUE;
335 }*/
336 }
337
338 }
339 else {
340 bit = Uart.bitBuffer & 0xf0;
341 bit >>= 4;
342 bit ^= 0x0F;
343 if(bit) {
344 // should have been high or at least (4 * 128) / fc
345 // according to ISO this should be at least (9 * 128 + 20) / fc
346 if(Uart.highCnt == 8) {
347 // we went low, so this could be start of communication
348 // it turns out to be safer to choose a less significant
349 // syncbit... so we check whether the neighbour also represents the drop
350 Uart.posCnt = 1; // apparently we are busy with our first half bit period
351 Uart.syncBit = bit & 8;
352 Uart.samples = 3;
353 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
354 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
355 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
356 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
357 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 358 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 359 Uart.syncBit = 8;
360
361 // the first half bit period is expected in next sample
362 Uart.posCnt = 0;
363 Uart.samples = 3;
364 }
365 }
366 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
367
368 Uart.syncBit <<= 4;
369 Uart.state = STATE_START_OF_COMMUNICATION;
370 Uart.drop = DROP_FIRST_HALF;
371 Uart.bitCnt = 0;
372 Uart.byteCnt = 0;
373 Uart.parityBits = 0;
374 error = 0;
375 }
376 else {
377 Uart.highCnt = 0;
378 }
379 }
380 else {
381 if(Uart.highCnt < 8) {
382 Uart.highCnt++;
383 }
384 }
385 }
386
387 return FALSE;
388}
389
390//=============================================================================
391// ISO 14443 Type A - Manchester
392//=============================================================================
393
394static struct {
395 enum {
396 DEMOD_UNSYNCD,
397 DEMOD_START_OF_COMMUNICATION,
398 DEMOD_MANCHESTER_D,
399 DEMOD_MANCHESTER_E,
400 DEMOD_MANCHESTER_F,
401 DEMOD_ERROR_WAIT
402 } state;
403 int bitCount;
404 int posCount;
405 int syncBit;
406 int parityBits;
f7e3ed82 407 uint16_t shiftReg;
15c4dc5a 408 int buffer;
409 int buff;
410 int samples;
411 int len;
412 enum {
413 SUB_NONE,
414 SUB_FIRST_HALF,
415 SUB_SECOND_HALF
416 } sub;
f7e3ed82 417 uint8_t *output;
15c4dc5a 418} Demod;
419
6c1e2d95 420static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 421{
422 int bit;
423 int modulation;
424 int error = 0;
425
426 if(!Demod.buff) {
427 Demod.buff = 1;
428 Demod.buffer = v;
429 return FALSE;
430 }
431 else {
432 bit = Demod.buffer;
433 Demod.buffer = v;
434 }
435
436 if(Demod.state==DEMOD_UNSYNCD) {
437 Demod.output[Demod.len] = 0xfa;
438 Demod.syncBit = 0;
439 //Demod.samples = 0;
440 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 441
442 if(bit & 0x08) {
443 Demod.syncBit = 0x08;
15c4dc5a 444 }
15c4dc5a 445
2f2d9fc5 446 if(bit & 0x04) {
447 if(Demod.syncBit) {
448 bit <<= 4;
449 }
450 Demod.syncBit = 0x04;
451 }
15c4dc5a 452
2f2d9fc5 453 if(bit & 0x02) {
454 if(Demod.syncBit) {
455 bit <<= 2;
15c4dc5a 456 }
2f2d9fc5 457 Demod.syncBit = 0x02;
15c4dc5a 458 }
15c4dc5a 459
593924e7 460 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 461 Demod.syncBit = 0x01;
462 }
463
15c4dc5a 464 if(Demod.syncBit) {
465 Demod.len = 0;
466 Demod.state = DEMOD_START_OF_COMMUNICATION;
467 Demod.sub = SUB_FIRST_HALF;
468 Demod.bitCount = 0;
469 Demod.shiftReg = 0;
470 Demod.parityBits = 0;
471 Demod.samples = 0;
472 if(Demod.posCount) {
534983d7 473 if(trigger) LED_A_OFF();
15c4dc5a 474 switch(Demod.syncBit) {
475 case 0x08: Demod.samples = 3; break;
476 case 0x04: Demod.samples = 2; break;
477 case 0x02: Demod.samples = 1; break;
478 case 0x01: Demod.samples = 0; break;
479 }
480 }
481 error = 0;
482 }
483 }
484 else {
485 //modulation = bit & Demod.syncBit;
486 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
487
488 Demod.samples += 4;
489
490 if(Demod.posCount==0) {
491 Demod.posCount = 1;
492 if(modulation) {
493 Demod.sub = SUB_FIRST_HALF;
494 }
495 else {
496 Demod.sub = SUB_NONE;
497 }
498 }
499 else {
500 Demod.posCount = 0;
501 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
502 if(Demod.state!=DEMOD_ERROR_WAIT) {
503 Demod.state = DEMOD_ERROR_WAIT;
504 Demod.output[Demod.len] = 0xaa;
505 error = 0x01;
506 }
507 }
508 else if(modulation) {
509 Demod.sub = SUB_SECOND_HALF;
510 }
511
512 switch(Demod.state) {
513 case DEMOD_START_OF_COMMUNICATION:
514 if(Demod.sub == SUB_FIRST_HALF) {
515 Demod.state = DEMOD_MANCHESTER_D;
516 }
517 else {
518 Demod.output[Demod.len] = 0xab;
519 Demod.state = DEMOD_ERROR_WAIT;
520 error = 0x02;
521 }
522 break;
523
524 case DEMOD_MANCHESTER_D:
525 case DEMOD_MANCHESTER_E:
526 if(Demod.sub == SUB_FIRST_HALF) {
527 Demod.bitCount++;
528 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
529 Demod.state = DEMOD_MANCHESTER_D;
530 }
531 else if(Demod.sub == SUB_SECOND_HALF) {
532 Demod.bitCount++;
533 Demod.shiftReg >>= 1;
534 Demod.state = DEMOD_MANCHESTER_E;
535 }
536 else {
537 Demod.state = DEMOD_MANCHESTER_F;
538 }
539 break;
540
541 case DEMOD_MANCHESTER_F:
542 // Tag response does not need to be a complete byte!
543 if(Demod.len > 0 || Demod.bitCount > 0) {
544 if(Demod.bitCount > 0) {
545 Demod.shiftReg >>= (9 - Demod.bitCount);
546 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
547 Demod.len++;
548 // No parity bit, so just shift a 0
549 Demod.parityBits <<= 1;
550 }
551
552 Demod.state = DEMOD_UNSYNCD;
553 return TRUE;
554 }
555 else {
556 Demod.output[Demod.len] = 0xad;
557 Demod.state = DEMOD_ERROR_WAIT;
558 error = 0x03;
559 }
560 break;
561
562 case DEMOD_ERROR_WAIT:
563 Demod.state = DEMOD_UNSYNCD;
564 break;
565
566 default:
567 Demod.output[Demod.len] = 0xdd;
568 Demod.state = DEMOD_UNSYNCD;
569 break;
570 }
571
572 if(Demod.bitCount>=9) {
573 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
574 Demod.len++;
575
576 Demod.parityBits <<= 1;
577 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
578
579 Demod.bitCount = 0;
580 Demod.shiftReg = 0;
581 }
582
583 /*if(error) {
584 Demod.output[Demod.len] = 0xBB;
585 Demod.len++;
586 Demod.output[Demod.len] = error & 0xFF;
587 Demod.len++;
588 Demod.output[Demod.len] = 0xBB;
589 Demod.len++;
590 Demod.output[Demod.len] = bit & 0xFF;
591 Demod.len++;
592 Demod.output[Demod.len] = Demod.buffer & 0xFF;
593 Demod.len++;
594 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
595 Demod.len++;
596 Demod.output[Demod.len] = 0xBB;
597 Demod.len++;
598 return TRUE;
599 }*/
600
601 }
602
603 } // end (state != UNSYNCED)
604
605 return FALSE;
606}
607
608//=============================================================================
609// Finally, a `sniffer' for ISO 14443 Type A
610// Both sides of communication!
611//=============================================================================
612
613//-----------------------------------------------------------------------------
614// Record the sequence of commands sent by the reader to the tag, with
615// triggering so that we start recording at the point that the tag is moved
616// near the reader.
617//-----------------------------------------------------------------------------
6c1e2d95 618void RAMFUNC SnoopIso14443a(void)
15c4dc5a 619{
620// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
621// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
622// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
623// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
624// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
625
626 // We won't start recording the frames that we acquire until we trigger;
627 // a good trigger condition to get started is probably when we see a
628 // response from the tag.
7e758047 629 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 630
631 // The command (reader -> tag) that we're receiving.
632 // The length of a received command will in most cases be no more than 18 bytes.
633 // So 32 should be enough!
f7e3ed82 634 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 635 // The response (tag -> reader) that we're receiving.
f7e3ed82 636 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 637
638 // As we receive stuff, we copy it from receivedCmd or receivedResponse
639 // into trace, along with its length and other annotations.
f7e3ed82 640 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 641
642 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 643
644 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 645 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 646 int lastRxCounter;
f7e3ed82 647 int8_t *upTo;
15c4dc5a 648 int smpl;
649 int maxBehindBy = 0;
650
651 // Count of samples received so far, so that we can include timing
652 // information in the trace buffer.
653 int samples = 0;
cee5a30d 654 int rsamples = 0;
15c4dc5a 655
656 memset(trace, 0x44, RECV_CMD_OFFSET);
657
658 // Set up the demodulator for tag -> reader responses.
659 Demod.output = receivedResponse;
660 Demod.len = 0;
661 Demod.state = DEMOD_UNSYNCD;
662
7e758047 663 // Setup for the DMA.
664 FpgaSetupSsc();
665 upTo = dmaBuf;
666 lastRxCounter = DMA_BUFFER_SIZE;
667 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
668
15c4dc5a 669 // And the reader -> tag commands
670 memset(&Uart, 0, sizeof(Uart));
671 Uart.output = receivedCmd;
672 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
673 Uart.state = STATE_UNSYNCD;
674
675 // And put the FPGA in the appropriate mode
676 // Signal field is off with the appropriate LED
677 LED_D_OFF();
678 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
679 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
680
15c4dc5a 681
682 // And now we loop, receiving samples.
683 for(;;) {
7e758047 684 LED_A_ON();
685 WDT_HIT();
15c4dc5a 686 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
687 (DMA_BUFFER_SIZE-1);
688 if(behindBy > maxBehindBy) {
689 maxBehindBy = behindBy;
690 if(behindBy > 400) {
7e758047 691 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 692 goto done;
693 }
694 }
695 if(behindBy < 1) continue;
696
7e758047 697 LED_A_OFF();
15c4dc5a 698 smpl = upTo[0];
699 upTo++;
700 lastRxCounter -= 1;
701 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
702 upTo -= DMA_BUFFER_SIZE;
703 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 704 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 705 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
706 }
707
708 samples += 4;
7e758047 709 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 710 rsamples = samples - Uart.samples;
72934aa3 711 LED_C_ON();
7e758047 712 if(triggered) {
713 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 714 trace[traceLen++] = ((rsamples >> 8) & 0xff);
715 trace[traceLen++] = ((rsamples >> 16) & 0xff);
716 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 717 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
718 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
719 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 721 trace[traceLen++] = Uart.byteCnt;
722 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
723 traceLen += Uart.byteCnt;
724 if(traceLen > TRACE_LENGTH) break;
725 }
726 /* And ready to receive another command. */
727 Uart.state = STATE_UNSYNCD;
728 /* And also reset the demod code, which might have been */
729 /* false-triggered by the commands from the reader. */
730 Demod.state = DEMOD_UNSYNCD;
7e758047 731 LED_B_OFF();
15c4dc5a 732 }
7e758047 733
734 if(ManchesterDecoding(smpl & 0x0F)) {
735 rsamples = samples - Demod.samples;
736 LED_B_ON();
737
738 // timestamp, as a count of samples
739 trace[traceLen++] = ((rsamples >> 0) & 0xff);
740 trace[traceLen++] = ((rsamples >> 8) & 0xff);
741 trace[traceLen++] = ((rsamples >> 16) & 0xff);
742 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
743 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
744 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
745 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
747 // length
748 trace[traceLen++] = Demod.len;
749 memcpy(trace+traceLen, receivedResponse, Demod.len);
750 traceLen += Demod.len;
751 if(traceLen > TRACE_LENGTH) break;
752
753 triggered = TRUE;
15c4dc5a 754
755 // And ready to receive another response.
756 memset(&Demod, 0, sizeof(Demod));
757 Demod.output = receivedResponse;
758 Demod.state = DEMOD_UNSYNCD;
7e758047 759 LED_C_OFF();
760 }
15c4dc5a 761
762 if(BUTTON_PRESS()) {
763 DbpString("cancelled_a");
764 goto done;
765 }
766 }
767
768 DbpString("COMMAND FINISHED");
769
770 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
771 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
772
773done:
774 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
775 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
776 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
777 LED_A_OFF();
778 LED_B_OFF();
779 LED_C_OFF();
780 LED_D_OFF();
781}
782
15c4dc5a 783//-----------------------------------------------------------------------------
784// Prepare tag messages
785//-----------------------------------------------------------------------------
f7e3ed82 786static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 787{
788 int i;
789 int oddparity;
790
791 ToSendReset();
792
793 // Correction bit, might be removed when not needed
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798 ToSendStuffBit(1); // 1
799 ToSendStuffBit(0);
800 ToSendStuffBit(0);
801 ToSendStuffBit(0);
802
803 // Send startbit
72934aa3 804 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 805
806 for(i = 0; i < len; i++) {
807 int j;
f7e3ed82 808 uint8_t b = cmd[i];
15c4dc5a 809
810 // Data bits
811 oddparity = 0x01;
812 for(j = 0; j < 8; j++) {
813 oddparity ^= (b & 1);
814 if(b & 1) {
72934aa3 815 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 816 } else {
72934aa3 817 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 818 }
819 b >>= 1;
820 }
821
822 // Parity bit
823 if(oddparity) {
72934aa3 824 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 825 } else {
72934aa3 826 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 827 }
828 }
829
830 // Send stopbit
72934aa3 831 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 832
833 // Flush the buffer in FPGA!!
834 for(i = 0; i < 5; i++) {
72934aa3 835 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 836 }
837
838 // Convert from last byte pos to length
839 ToSendMax++;
840
841 // Add a few more for slop
842 ToSend[ToSendMax++] = 0x00;
843 ToSend[ToSendMax++] = 0x00;
844 //ToSendMax += 2;
845}
846
847//-----------------------------------------------------------------------------
848// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
849//-----------------------------------------------------------------------------
850static void CodeStrangeAnswer()
851{
852 int i;
853
854 ToSendReset();
855
856 // Correction bit, might be removed when not needed
857 ToSendStuffBit(0);
858 ToSendStuffBit(0);
859 ToSendStuffBit(0);
860 ToSendStuffBit(0);
861 ToSendStuffBit(1); // 1
862 ToSendStuffBit(0);
863 ToSendStuffBit(0);
864 ToSendStuffBit(0);
865
866 // Send startbit
72934aa3 867 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 868
869 // 0
72934aa3 870 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 871
872 // 0
72934aa3 873 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 874
875 // 1
72934aa3 876 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 877
878 // Send stopbit
72934aa3 879 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 880
881 // Flush the buffer in FPGA!!
882 for(i = 0; i < 5; i++) {
72934aa3 883 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 884 }
885
886 // Convert from last byte pos to length
887 ToSendMax++;
888
889 // Add a few more for slop
890 ToSend[ToSendMax++] = 0x00;
891 ToSend[ToSendMax++] = 0x00;
892 //ToSendMax += 2;
893}
894
895//-----------------------------------------------------------------------------
896// Wait for commands from reader
897// Stop when button is pressed
898// Or return TRUE when command is captured
899//-----------------------------------------------------------------------------
f7e3ed82 900static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 901{
902 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
903 // only, since we are receiving, not transmitting).
904 // Signal field is off with the appropriate LED
905 LED_D_OFF();
906 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
907
908 // Now run a `software UART' on the stream of incoming samples.
909 Uart.output = received;
910 Uart.byteCntMax = maxLen;
911 Uart.state = STATE_UNSYNCD;
912
913 for(;;) {
914 WDT_HIT();
915
916 if(BUTTON_PRESS()) return FALSE;
917
918 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
919 AT91C_BASE_SSC->SSC_THR = 0x00;
920 }
921 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 922 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 923 if(MillerDecoding((b & 0xf0) >> 4)) {
924 *len = Uart.byteCnt;
925 return TRUE;
926 }
927 if(MillerDecoding(b & 0x0f)) {
928 *len = Uart.byteCnt;
929 return TRUE;
930 }
931 }
932 }
933}
934
935//-----------------------------------------------------------------------------
936// Main loop of simulated tag: receive commands from reader, decide what
937// response to send, and send it.
938//-----------------------------------------------------------------------------
939void SimulateIso14443aTag(int tagType, int TagUid)
940{
941 // This function contains the tag emulation
942
943 // Prepare protocol messages
f7e3ed82 944 // static const uint8_t cmd1[] = { 0x26 };
945// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 946//
f7e3ed82 947 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
948// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 949
950 // UID response
f7e3ed82 951 // static const uint8_t cmd2[] = { 0x93, 0x20 };
952 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 953
15c4dc5a 954// my desfire
f7e3ed82 955 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 956
957
958// When reader selects us during cascade1 it will send cmd3
f7e3ed82 959//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
960uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 961ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
962
963// send cascade2 2nd half of UID
f7e3ed82 964static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 965// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
966
15c4dc5a 967// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 968//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
969uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 970ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
971
f7e3ed82 972 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 973
f7e3ed82 974 uint8_t *resp;
15c4dc5a 975 int respLen;
976
977 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
978 // This will need
979 // 144 data bits (18 * 8)
980 // 18 parity bits
981 // 2 Start and stop
982 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
983 // 1 just for the case
984 // ----------- +
985 // 166
986 //
987 // 166 bytes, since every bit that needs to be send costs us a byte
988 //
989
15c4dc5a 990 // Respond with card type
f7e3ed82 991 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 992 int resp1Len;
993
994 // Anticollision cascade1 - respond with uid
f7e3ed82 995 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 996 int resp2Len;
997
998 // Anticollision cascade2 - respond with 2nd half of uid if asked
999 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1000 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1001 int resp2aLen;
1002
1003 // Acknowledge select - cascade 1
f7e3ed82 1004 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1005 int resp3Len;
1006
1007 // Acknowledge select - cascade 2
f7e3ed82 1008 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1009 int resp3aLen;
1010
1011 // Response to a read request - not implemented atm
f7e3ed82 1012 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1013 int resp4Len;
1014
1015 // Authenticate response - nonce
f7e3ed82 1016 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1017 int resp5Len;
1018
f7e3ed82 1019 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1020 int len;
1021
1022 int i;
1023 int u;
f7e3ed82 1024 uint8_t b;
15c4dc5a 1025
1026 // To control where we are in the protocol
1027 int order = 0;
1028 int lastorder;
1029
1030 // Just to allow some checks
1031 int happened = 0;
1032 int happened2 = 0;
1033
1034 int cmdsRecvd = 0;
1035
f7e3ed82 1036 int fdt_indicator;
15c4dc5a 1037
1038 memset(receivedCmd, 0x44, 400);
1039
1040 // Prepare the responses of the anticollision phase
1041 // there will be not enough time to do this at the moment the reader sends it REQA
1042
1043 // Answer to request
1044 CodeIso14443aAsTag(response1, sizeof(response1));
1045 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1046
1047 // Send our UID (cascade 1)
1048 CodeIso14443aAsTag(response2, sizeof(response2));
1049 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1050
1051 // Answer to select (cascade1)
1052 CodeIso14443aAsTag(response3, sizeof(response3));
1053 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1054
1055 // Send the cascade 2 2nd part of the uid
1056 CodeIso14443aAsTag(response2a, sizeof(response2a));
1057 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1058
1059 // Answer to select (cascade 2)
1060 CodeIso14443aAsTag(response3a, sizeof(response3a));
1061 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1062
1063 // Strange answer is an example of rare message size (3 bits)
1064 CodeStrangeAnswer();
1065 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1066
1067 // Authentication answer (random nonce)
1068 CodeIso14443aAsTag(response5, sizeof(response5));
1069 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1070
1071 // We need to listen to the high-frequency, peak-detected path.
1072 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1073 FpgaSetupSsc();
1074
1075 cmdsRecvd = 0;
1076
1077 LED_A_ON();
1078 for(;;) {
1079
1080 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1081 DbpString("button press");
1082 break;
1083 }
1084 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1085 // Okay, look at the command now.
1086 lastorder = order;
1087 i = 1; // first byte transmitted
1088 if(receivedCmd[0] == 0x26) {
1089 // Received a REQUEST
1090 resp = resp1; respLen = resp1Len; order = 1;
1091 //DbpString("Hello request from reader:");
1092 } else if(receivedCmd[0] == 0x52) {
1093 // Received a WAKEUP
1094 resp = resp1; respLen = resp1Len; order = 6;
1095// //DbpString("Wakeup request from reader:");
1096
1097 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1098 // Received request for UID (cascade 1)
1099 resp = resp2; respLen = resp2Len; order = 2;
1100// DbpString("UID (cascade 1) request from reader:");
1101// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1102
1103
1104 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1105 // Received request for UID (cascade 2)
1106 resp = resp2a; respLen = resp2aLen; order = 20;
1107// DbpString("UID (cascade 2) request from reader:");
1108// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1109
1110
1111 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1112 // Received a SELECT
1113 resp = resp3; respLen = resp3Len; order = 3;
1114// DbpString("Select (cascade 1) request from reader:");
1115// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1116
1117
1118 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1119 // Received a SELECT
1120 resp = resp3a; respLen = resp3aLen; order = 30;
1121// DbpString("Select (cascade 2) request from reader:");
1122// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1123
1124
1125 } else if(receivedCmd[0] == 0x30) {
1126 // Received a READ
1127 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1128 Dbprintf("Read request from reader: %x %x %x",
1129 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1130
1131
1132 } else if(receivedCmd[0] == 0x50) {
1133 // Received a HALT
1134 resp = resp1; respLen = 0; order = 5; // Do nothing
1135 DbpString("Reader requested we HALT!:");
1136
1137 } else if(receivedCmd[0] == 0x60) {
1138 // Received an authentication request
1139 resp = resp5; respLen = resp5Len; order = 7;
1140 Dbprintf("Authenticate request from reader: %x %x %x",
1141 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1142
1143 } else if(receivedCmd[0] == 0xE0) {
1144 // Received a RATS request
1145 resp = resp1; respLen = 0;order = 70;
1146 Dbprintf("RATS request from reader: %x %x %x",
1147 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1148 } else {
1149 // Never seen this command before
20f9a2a1
M		 1150 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1151 len,
15c4dc5a 1152 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M		 1153 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1154 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1155 // Do not respond
1156 resp = resp1; respLen = 0; order = 0;
1157 }
1158
1159 // Count number of wakeups received after a halt
1160 if(order == 6 && lastorder == 5) { happened++; }
1161
1162 // Count number of other messages after a halt
1163 if(order != 6 && lastorder == 5) { happened2++; }
1164
1165 // Look at last parity bit to determine timing of answer
1166 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1167 // 1236, so correction bit needed
1168 i = 0;
1169 }
1170
1171 memset(receivedCmd, 0x44, 32);
1172
1173 if(cmdsRecvd > 999) {
1174 DbpString("1000 commands later...");
1175 break;
1176 }
1177 else {
1178 cmdsRecvd++;
1179 }
1180
1181 if(respLen <= 0) continue;
1182
1183 // Modulate Manchester
1184 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1185 AT91C_BASE_SSC->SSC_THR = 0x00;
1186 FpgaSetupSsc();
1187
1188 // ### Transmit the response ###
1189 u = 0;
1190 b = 0x00;
1191 fdt_indicator = FALSE;
1192 for(;;) {
1193 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1194 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1195 (void)b;
1196 }
1197 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1198 if(i > respLen) {
1199 b = 0x00;
1200 u++;
1201 } else {
1202 b = resp[i];
1203 i++;
1204 }
1205 AT91C_BASE_SSC->SSC_THR = b;
1206
1207 if(u > 4) {
1208 break;
1209 }
1210 }
1211 if(BUTTON_PRESS()) {
1212 break;
1213 }
1214 }
1215
1216 }
1217
1218 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1219 LED_A_OFF();
1220}
1221
1222//-----------------------------------------------------------------------------
1223// Transmit the command (to the tag) that was placed in ToSend[].
1224//-----------------------------------------------------------------------------
f7e3ed82 1225static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1226{
1227 int c;
e30c654b 1228
15c4dc5a 1229 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1230
15c4dc5a 1231 if (wait)
1232 if(*wait < 10)
1233 *wait = 10;
e30c654b 1234
15c4dc5a 1235 for(c = 0; c < *wait;) {
1236 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1237 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1238 c++;
1239 }
1240 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1241 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1242 (void)r;
1243 }
1244 WDT_HIT();
1245 }
e30c654b 1246
15c4dc5a 1247 c = 0;
1248 for(;;) {
1249 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1250 AT91C_BASE_SSC->SSC_THR = cmd[c];
1251 c++;
1252 if(c >= len) {
1253 break;
1254 }
1255 }
1256 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1257 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1258 (void)r;
1259 }
1260 WDT_HIT();
1261 }
1262 if (samples) *samples = (c + *wait) << 3;
1263}
1264
15c4dc5a 1265//-----------------------------------------------------------------------------
1266// Code a 7-bit command without parity bit
1267// This is especially for 0x26 and 0x52 (REQA and WUPA)
1268//-----------------------------------------------------------------------------
f7e3ed82 1269void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1270{
1271 int j;
1272 int last;
f7e3ed82 1273 uint8_t b;
15c4dc5a 1274
1275 ToSendReset();
1276
1277 // Start of Communication (Seq. Z)
72934aa3 1278 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1279 last = 0;
1280
1281 b = bt;
1282 for(j = 0; j < 7; j++) {
1283 if(b & 1) {
1284 // Sequence X
72934aa3 1285 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1286 last = 1;
1287 } else {
1288 if(last == 0) {
1289 // Sequence Z
72934aa3 1290 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1291 }
1292 else {
1293 // Sequence Y
72934aa3 1294 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1295 last = 0;
1296 }
1297 }
1298 b >>= 1;
1299 }
1300
1301 // End of Communication
1302 if(last == 0) {
1303 // Sequence Z
72934aa3 1304 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1305 }
1306 else {
1307 // Sequence Y
72934aa3 1308 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1309 last = 0;
1310 }
1311 // Sequence Y
72934aa3 1312 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1313
1314 // Just to be sure!
72934aa3 1315 ToSend[++ToSendMax] = SEC_Y;
1316 ToSend[++ToSendMax] = SEC_Y;
1317 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1318
1319 // Convert from last character reference to length
1320 ToSendMax++;
1321}
1322
1323//-----------------------------------------------------------------------------
1324// Prepare reader command to send to FPGA
e30c654b 1325//
15c4dc5a 1326//-----------------------------------------------------------------------------
f7e3ed82 1327void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1328{
1329 int i, j;
1330 int last;
f7e3ed82 1331 uint8_t b;
e30c654b 1332
15c4dc5a 1333 ToSendReset();
e30c654b 1334
15c4dc5a 1335 // Start of Communication (Seq. Z)
72934aa3 1336 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1337 last = 0;
e30c654b 1338
15c4dc5a 1339 // Generate send structure for the data bits
1340 for (i = 0; i < len; i++) {
1341 // Get the current byte to send
1342 b = cmd[i];
e30c654b 1343
15c4dc5a 1344 for (j = 0; j < 8; j++) {
1345 if (b & 1) {
1346 // Sequence X
72934aa3 1347 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1348 last = 1;
1349 } else {
1350 if (last == 0) {
1351 // Sequence Z
72934aa3 1352 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1353 } else {
1354 // Sequence Y
72934aa3 1355 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1356 last = 0;
1357 }
1358 }
1359 b >>= 1;
1360 }
e30c654b 1361
15c4dc5a 1362 // Get the parity bit
1363 if ((dwParity >> i) & 0x01) {
1364 // Sequence X
72934aa3 1365 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1366 last = 1;
1367 } else {
1368 if (last == 0) {
1369 // Sequence Z
72934aa3 1370 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1371 } else {
1372 // Sequence Y
72934aa3 1373 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1374 last = 0;
1375 }
1376 }
1377 }
e30c654b 1378
15c4dc5a 1379 // End of Communication
1380 if (last == 0) {
1381 // Sequence Z
72934aa3 1382 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1383 } else {
1384 // Sequence Y
72934aa3 1385 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1386 last = 0;
1387 }
1388 // Sequence Y
72934aa3 1389 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1390
15c4dc5a 1391 // Just to be sure!
72934aa3 1392 ToSend[++ToSendMax] = SEC_Y;
1393 ToSend[++ToSendMax] = SEC_Y;
1394 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1395
15c4dc5a 1396 // Convert from last character reference to length
1397 ToSendMax++;
1398}
1399
1400//-----------------------------------------------------------------------------
1401// Wait a certain time for tag response
1402// If a response is captured return TRUE
1403// If it takes to long return FALSE
1404//-----------------------------------------------------------------------------
f7e3ed82 1405static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1406{
1407 // buffer needs to be 512 bytes
1408 int c;
1409
1410 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1411 // only, since we are receiving, not transmitting).
1412 // Signal field is on with the appropriate LED
1413 LED_D_ON();
1414 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1415
534983d7 1416 // Now get the answer from the card
1417 Demod.output = receivedResponse;
1418 Demod.len = 0;
1419 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1420
f7e3ed82 1421 uint8_t b;
15c4dc5a 1422 if (elapsed) *elapsed = 0;
1423
1424 c = 0;
1425 for(;;) {
534983d7 1426 WDT_HIT();
15c4dc5a 1427
534983d7 1428 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1429 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1430 if (elapsed) (*elapsed)++;
534983d7 1431 }
1432 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1433 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1434 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1435 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1436 *samples = ((c - 1) << 3) + 4;
1437 return TRUE;
1438 }
1439 if(ManchesterDecoding(b & 0x0f)) {
1440 *samples = c << 3;
1441 return TRUE;
1442 }
534983d7 1443 }
1444 }
15c4dc5a 1445}
1446
f7e3ed82 1447void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1448{
1449 int wait = 0;
1450 int samples = 0;
1451
1452 ShortFrameFromReader(*bt);
e30c654b 1453
15c4dc5a 1454 // Select the card
e30c654b 1455 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1456
15c4dc5a 1457 // Store reader command in buffer
1458 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1459}
1460
f7e3ed82 1461void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1462{
1463 int wait = 0;
1464 int samples = 0;
e30c654b 1465
15c4dc5a 1466 // This is tied to other size changes
f7e3ed82 1467 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1468 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1469
15c4dc5a 1470 // Select the card
e30c654b 1471 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1472 if(trigger)
1473 LED_A_ON();
e30c654b 1474
15c4dc5a 1475 // Store reader command in buffer
1476 if (tracing) LogTrace(frame,len,0,par,TRUE);
1477}
1478
1479
f7e3ed82 1480void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1481{
1482 // Generate parity and redirect
1483 ReaderTransmitPar(frame,len,GetParity(frame,len));
1484}
1485
f7e3ed82 1486int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1487{
1488 int samples = 0;
20f9a2a1 1489 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1490 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1491 if(samples == 0) return FALSE;
1492 return Demod.len;
15c4dc5a 1493}
1494
7e758047 1495/* performs iso14443a anticolision procedure
534983d7 1496 * fills the uid pointer unless NULL
1497 * fills resp_data unless NULL */
20f9a2a1
M		 1498int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1499 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1500 uint8_t sel_all[] = { 0x93,0x20 };
1501 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1502 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1503
7e758047 1504 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
20f9a2a1 1505 //uint8_t* uid = resp + 7;
15c4dc5a 1506
534983d7 1507 uint8_t sak = 0x04; // cascade uid
1508 int cascade_level = 0;
1509
7e758047 1510 int len;
20f9a2a1
M		 1511
1512 // clear uid
1513 memset(uid_ptr, 0, 8);
15c4dc5a 1514
7e758047 1515 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1516 ReaderTransmitShort(wupa);
1517 // Receive the ATQA
1518 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1519
534983d7 1520 if(resp_data)
1521 memcpy(resp_data->atqa, resp, 2);
1522
20f9a2a1
M		 1523 //ReaderTransmit(sel_all,sizeof(sel_all)); --- avoid duplicate SELECT request
1524 //if(!ReaderReceive(uid)) return 0;
15c4dc5a 1525
534983d7 1526 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1527 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1528 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1529 for(; sak & 0x04; cascade_level++)
7e758047 1530 {
534983d7 1531 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1532 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1533
1534 // SELECT_ALL
1535 ReaderTransmit(sel_all,sizeof(sel_all));
1536 if (!ReaderReceive(resp)) return 0;
1537 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M		 1538
1539 // calculate crypto UID
1540 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1541
7e758047 1542 // Construct SELECT UID command
534983d7 1543 memcpy(sel_uid+2,resp,5);
1544 AppendCrc14443a(sel_uid,7);
1545 ReaderTransmit(sel_uid,sizeof(sel_uid));
1546
7e758047 1547 // Receive the SAK
1548 if (!ReaderReceive(resp)) return 0;
534983d7 1549 sak = resp[0];
7e758047 1550 }
534983d7 1551 if(resp_data) {
1552 resp_data->sak = sak;
1553 resp_data->ats_len = 0;
1554 }
20f9a2a1
M		 1555 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1556 if (uid_ptr[0] == 0x88) {
1557 memcpy(uid_ptr, uid_ptr + 1, 7);
1558 uid_ptr[7] = 0;
1559 }
534983d7 1560
1561 if( (sak & 0x20) == 0)
7e758047 1562 return 2; // non iso14443a compliant tag
534983d7 1563
7e758047 1564 // Request for answer to select
20f9a2a1
M		 1565 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1566 AppendCrc14443a(rats, 2);
1567 ReaderTransmit(rats, sizeof(rats));
1568
1569 if (!(len = ReaderReceive(resp))) return 0;
1570
534983d7 1571 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1572 resp_data->ats_len = len;
1573 }
20f9a2a1 1574
7e758047 1575 return 1;
1576}
15c4dc5a 1577
7e758047 1578void iso14443a_setup() {
1579 // Setup SSC
1580 FpgaSetupSsc();
1581 // Start from off (no field generated)
1582 // Signal field is off with the appropriate LED
1583 LED_D_OFF();
1584 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1585 SpinDelay(200);
15c4dc5a 1586
7e758047 1587 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1588
7e758047 1589 // Now give it time to spin up.
1590 // Signal field is on with the appropriate LED
1591 LED_D_ON();
1592 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1593 SpinDelay(200);
534983d7 1594
1595 iso14a_timeout = 2048; //default
7e758047 1596}
15c4dc5a 1597
534983d7 1598int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1599 uint8_t real_cmd[cmd_len+4];
1600 real_cmd[0] = 0x0a; //I-Block
1601 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1602 memcpy(real_cmd+2, cmd, cmd_len);
1603 AppendCrc14443a(real_cmd,cmd_len+2);
1604
1605 ReaderTransmit(real_cmd, cmd_len+4);
1606 size_t len = ReaderReceive(data);
1607 if(!len)
1608 return -1; //DATA LINK ERROR
1609
1610 return len;
1611}
1612
1613
7e758047 1614//-----------------------------------------------------------------------------
1615// Read an ISO 14443a tag. Send out commands and store answers.
1616//
1617//-----------------------------------------------------------------------------
534983d7 1618void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1619{
534983d7 1620 iso14a_command_t param = c->arg[0];
1621 uint8_t * cmd = c->d.asBytes;
1622 size_t len = c->arg[1];
e30c654b 1623
534983d7 1624 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1625
534983d7 1626 if(param & ISO14A_CONNECT) {
1627 iso14443a_setup();
20f9a2a1 1628 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1629 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1630 }
e30c654b 1631
534983d7 1632 if(param & ISO14A_SET_TIMEOUT) {
1633 iso14a_timeout = c->arg[2];
1634 }
e30c654b 1635
534983d7 1636 if(param & ISO14A_SET_TIMEOUT) {
1637 iso14a_timeout = c->arg[2];
1638 }
e30c654b 1639
534983d7 1640 if(param & ISO14A_APDU) {
1641 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1642 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1643 }
e30c654b 1644
534983d7 1645 if(param & ISO14A_RAW) {
1646 if(param & ISO14A_APPEND_CRC) {
1647 AppendCrc14443a(cmd,len);
1648 len += 2;
15c4dc5a 1649 }
534983d7 1650 ReaderTransmit(cmd,len);
1651 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1652 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1653 }
15c4dc5a 1654
534983d7 1655 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1656
534983d7 1657 if(param & ISO14A_NO_DISCONNECT)
1658 return;
15c4dc5a 1659
15c4dc5a 1660 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1661 LEDsoff();
15c4dc5a 1662}
15c4dc5a 1663//-----------------------------------------------------------------------------
1664// Read an ISO 14443a tag. Send out commands and store answers.
1665//
1666//-----------------------------------------------------------------------------
f7e3ed82 1667void ReaderMifare(uint32_t parameter)
15c4dc5a 1668{
15c4dc5a 1669 // Mifare AUTH
f7e3ed82 1670 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1671 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1672
f7e3ed82 1673 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1674 traceLen = 0;
1675 tracing = false;
e30c654b 1676
7e758047 1677 iso14443a_setup();
e30c654b 1678
15c4dc5a 1679 LED_A_ON();
1680 LED_B_OFF();
1681 LED_C_OFF();
e30c654b 1682
15c4dc5a 1683 byte_t nt_diff = 0;
1684 LED_A_OFF();
1685 byte_t par = 0;
1686 byte_t par_mask = 0xff;
1687 byte_t par_low = 0;
f7e3ed82 1688 int led_on = TRUE;
e30c654b 1689
15c4dc5a 1690 tracing = FALSE;
1691 byte_t nt[4];
1692 byte_t nt_attacked[4];
1693 byte_t par_list[8];
1694 byte_t ks_list[8];
1695 num_to_bytes(parameter,4,nt_attacked);
1696
1697 while(TRUE)
1698 {
1699 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1700 SpinDelay(200);
1701 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1702
15c4dc5a 1703 // Test if the action was cancelled
1704 if(BUTTON_PRESS()) {
1705 break;
1706 }
e30c654b 1707
20f9a2a1 1708 if(!iso14443a_select_card(NULL, NULL, NULL)) continue;
e30c654b 1709
15c4dc5a 1710 // Transmit MIFARE_CLASSIC_AUTH
1711 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1712
15c4dc5a 1713 // Receive the (16 bit) "random" nonce
1714 if (!ReaderReceive(receivedAnswer)) continue;
1715 memcpy(nt,receivedAnswer,4);
1716
1717 // Transmit reader nonce and reader answer
1718 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1719
15c4dc5a 1720 // Receive 4 bit answer
1721 if (ReaderReceive(receivedAnswer))
1722 {
e30c654b 1723 if (nt_diff == 0)
15c4dc5a 1724 {
1725 LED_A_ON();
1726 memcpy(nt_attacked,nt,4);
1727 par_mask = 0xf8;
1728 par_low = par & 0x07;
1729 }
1730
1731 if (memcmp(nt,nt_attacked,4) != 0) continue;
1732
1733 led_on = !led_on;
1734 if(led_on) LED_B_ON(); else LED_B_OFF();
1735 par_list[nt_diff] = par;
1736 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1737
15c4dc5a 1738 // Test if the information is complete
1739 if (nt_diff == 0x07) break;
e30c654b 1740
15c4dc5a 1741 nt_diff = (nt_diff+1) & 0x07;
1742 mf_nr_ar[3] = nt_diff << 5;
1743 par = par_low;
1744 } else {
1745 if (nt_diff == 0)
1746 {
1747 par++;
1748 } else {
1749 par = (((par>>3)+1) << 3) | par_low;
1750 }
1751 }
1752 }
e30c654b 1753
72934aa3 1754 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1755 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1756 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
e30c654b 1757
15c4dc5a 1758 // Thats it...
1759 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1760 LEDsoff();
1761 tracing = TRUE;
20f9a2a1
M		 1762
1763 DbpString("COMMAND FINISHED");
1764
1765 Dbprintf("nt=%x", (int)nt[0]);
1766}
1767
1768//-----------------------------------------------------------------------------
1769// Select, Authenticaate, Read an MIFARE tag.
1770// read block
1771//-----------------------------------------------------------------------------
1772void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1773{
1774 // params
1775 uint8_t blockNo = arg0;
1776 uint8_t keyType = arg1;
1777 uint64_t ui64Key = 0;
1778 ui64Key = bytes_to_num(datain, 6);
1779
1780 // variables
1781 byte_t isOK = 0;
1782 byte_t dataoutbuf[16];
1783 uint8_t uid[7];
1784 uint32_t cuid;
1785 struct Crypto1State mpcs = {0, 0};
1786 struct Crypto1State *pcs;
1787 pcs = &mpcs;
1788
1789 // clear trace
1790 traceLen = 0;
1791// tracing = false;
1792
1793 iso14443a_setup();
1794
1795 LED_A_ON();
1796 LED_B_OFF();
1797 LED_C_OFF();
1798
1799 while (true) {
1800 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1801 Dbprintf("Can't select card");
1802 break;
1803 };
1804
1805 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
1806 Dbprintf("Auth error");
1807 break;
1808 };
1809
1810 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
1811 Dbprintf("Read block error");
1812 break;
1813 };
1814
1815 if(mifare_classic_halt(pcs, cuid)) {
1816 Dbprintf("Halt error");
1817 break;
1818 };
1819
1820 isOK = 1;
1821 break;
1822 }
1823
1824 // ----------------------------- crypto1 destroy
1825 crypto1_destroy(pcs);
1826
1827// DbpString("READ BLOCK FINISHED");
1828
1829 // add trace trailer
1830 uid[0] = 0xff;
1831 uid[1] = 0xff;
1832 uid[2] = 0xff;
1833 uid[3] = 0xff;
1834 LogTrace(uid, 4, 0, 0, TRUE);
1835
1836 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1837 memcpy(ack.d.asBytes, dataoutbuf, 16);
1838
1839 LED_B_ON();
1840 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1841 LED_B_OFF();
1842
1843
1844 // Thats it...
1845 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1846 LEDsoff();
1847// tracing = TRUE;
1848
1849}
1850
1851//-----------------------------------------------------------------------------
1852// Select, Authenticaate, Read an MIFARE tag.
1853// read sector (data = 4 x 16 bytes = 64 bytes)
1854//-----------------------------------------------------------------------------
1855void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1856{
1857 // params
1858 uint8_t sectorNo = arg0;
1859 uint8_t keyType = arg1;
1860 uint64_t ui64Key = 0;
1861 ui64Key = bytes_to_num(datain, 6);
1862
1863 // variables
1864 byte_t isOK = 0;
1865 byte_t dataoutbuf[16 * 4];
1866 uint8_t uid[8];
1867 uint32_t cuid;
1868 struct Crypto1State mpcs = {0, 0};
1869 struct Crypto1State *pcs;
1870 pcs = &mpcs;
1871
1872 // clear trace
1873 traceLen = 0;
1874// tracing = false;
1875
1876 iso14443a_setup();
1877
1878 LED_A_ON();
1879 LED_B_OFF();
1880 LED_C_OFF();
1881
1882 while (true) {
1883 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1884 Dbprintf("Can't select card");
1885 break;
1886 };
1887
1888 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, 0)) {
1889 Dbprintf("Auth error");
1890 break;
1891 };
1892
1893 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
1894 Dbprintf("Read block 0 error");
1895 break;
1896 };
1897 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
1898 Dbprintf("Read block 1 error");
1899 break;
1900 };
1901 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
1902 Dbprintf("Read block 2 error");
1903 break;
1904 };
1905 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
1906 Dbprintf("Read block 3 error");
1907 break;
1908 };
1909
1910 if(mifare_classic_halt(pcs, cuid)) {
1911 Dbprintf("Halt error");
1912 break;
1913 };
1914
1915 isOK = 1;
1916 break;
1917 }
1918
1919 // ----------------------------- crypto1 destroy
1920 crypto1_destroy(pcs);
1921
1922// DbpString("READ BLOCK FINISHED");
1923
1924 // add trace trailer
1925 uid[0] = 0xff;
1926 uid[1] = 0xff;
1927 uid[2] = 0xff;
1928 uid[3] = 0xff;
1929 LogTrace(uid, 4, 0, 0, TRUE);
1930
1931 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1932 memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
1933
1934 LED_B_ON();
1935 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1936
1937 SpinDelay(100);
1938
1939 memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
1940 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1941 LED_B_OFF();
1942
1943 // Thats it...
1944 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1945 LEDsoff();
1946// tracing = TRUE;
1947
1948}
1949
1950//-----------------------------------------------------------------------------
1951// Select, Authenticaate, Read an MIFARE tag.
1952// read block
1953//-----------------------------------------------------------------------------
1954void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1955{
1956 // params
1957 uint8_t blockNo = arg0;
1958 uint8_t keyType = arg1;
1959 uint64_t ui64Key = 0;
1960 byte_t blockdata[16];
1961
1962 ui64Key = bytes_to_num(datain, 6);
1963 memcpy(blockdata, datain + 10, 16);
1964
1965 // variables
1966 byte_t isOK = 0;
1967 uint8_t uid[8];
1968 uint32_t cuid;
1969 struct Crypto1State mpcs = {0, 0};
1970 struct Crypto1State *pcs;
1971 pcs = &mpcs;
1972
1973 // clear trace
1974 traceLen = 0;
1975// tracing = false;
1976
1977 iso14443a_setup();
1978
1979 LED_A_ON();
1980 LED_B_OFF();
1981 LED_C_OFF();
1982
1983 while (true) {
1984 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1985 Dbprintf("Can't select card");
1986 break;
1987 };
1988
1989 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
1990 Dbprintf("Auth error");
1991 break;
1992 };
1993
1994 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
1995 Dbprintf("Write block error");
1996 break;
1997 };
1998
1999 if(mifare_classic_halt(pcs, cuid)) {
2000 Dbprintf("Halt error");
2001 break;
2002 };
2003
2004 isOK = 1;
2005 break;
2006 }
2007
2008 // ----------------------------- crypto1 destroy
2009 crypto1_destroy(pcs);
2010
2011// DbpString("WRITE BLOCK FINISHED");
2012
2013 // add trace trailer
2014 uid[0] = 0xff;
2015 uid[1] = 0xff;
2016 uid[2] = 0xff;
2017 uid[3] = 0xff;
2018 LogTrace(uid, 4, 0, 0, TRUE);
2019
2020 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2021
2022 LED_B_ON();
2023 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2024 LED_B_OFF();
2025
2026
2027 // Thats it...
2028 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2029 LEDsoff();
2030// tracing = TRUE;
2031
2032}
2033
2034//-----------------------------------------------------------------------------
2035// MIFARE nested authentication.
2036//
2037//-----------------------------------------------------------------------------
2038void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2039{
2040 // params
2041 uint8_t blockNo = arg0;
2042 uint8_t keyType = arg1;
2043 uint64_t ui64Key = 0;
2044
2045 ui64Key = bytes_to_num(datain, 6);
2046
2047 // variables
2048 byte_t isOK = 0;
2049 uint8_t uid[8];
2050 uint32_t cuid;
2051 uint8_t dataoutbuf[16];
2052 struct Crypto1State mpcs = {0, 0};
2053 struct Crypto1State *pcs;
2054 pcs = &mpcs;
2055
2056 // clear trace
2057 traceLen = 0;
2058// tracing = false;
2059
2060 iso14443a_setup();
2061
2062 LED_A_ON();
2063 LED_B_OFF();
2064 LED_C_OFF();
2065
2066 while (true) {
2067 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2068 Dbprintf("Can't select card");
2069 break;
2070 };
2071
2072 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
2073 Dbprintf("Auth error");
2074 break;
2075 };
2076
2077 // nested authenticate block = (blockNo + 1)
2078 if(mifare_classic_auth(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, keyType, ui64Key, 1)) {
2079 Dbprintf("Auth error");
2080 break;
2081 };
2082
2083 if(mifare_classic_readblock(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, dataoutbuf)) {
2084 Dbprintf("Read block error");
2085 break;
2086 };
2087
2088 if(mifare_classic_halt(pcs, (uint32_t)bytes_to_num(uid, 4))) {
2089 Dbprintf("Halt error");
2090 break;
2091 };
2092
2093 isOK = 1;
2094 break;
2095 }
2096
2097 // ----------------------------- crypto1 destroy
2098 crypto1_destroy(pcs);
2099
2100 DbpString("NESTED FINISHED");
2101
2102 // add trace trailer
2103 uid[0] = 0xff;
2104 uid[1] = 0xff;
2105 uid[2] = 0xff;
2106 uid[3] = 0xff;
2107 LogTrace(uid, 4, 0, 0, TRUE);
2108
2109 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2110 memcpy(ack.d.asBytes, dataoutbuf, 16);
2111
2112 LED_B_ON();
2113 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2114 LED_B_OFF();
2115
2116 // Thats it...
2117 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2118 LEDsoff();
2119// tracing = TRUE;
2120
2121}
2122
2123//-----------------------------------------------------------------------------
2124// MIFARE 1K simulate.
2125//
2126//-----------------------------------------------------------------------------
2127void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2128{
15c4dc5a 2129}
Proxmark3 GIT tracking
Impressum, Datenschutz