]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
BOOTROM CHANGE: Add jump to interrupt handler from Advanced Interrupt Controller.
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
534983d7 3// Hagen Fritsch - June 2010
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
15c4dc5a 8//-----------------------------------------------------------------------------
bd20f8f4 9// Routines to support ISO 14443 type A.
10//-----------------------------------------------------------------------------
11
e30c654b 12#include "proxmark3.h"
15c4dc5a 13#include "apps.h"
f7e3ed82 14#include "util.h"
9ab7a6c7 15#include "string.h"
16
15c4dc5a 17#include "iso14443crc.h"
534983d7 18#include "iso14443a.h"
15c4dc5a 19
f7e3ed82 20static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 21static int traceLen = 0;
22static int rsamples = 0;
f7e3ed82 23static int tracing = TRUE;
534983d7 24static uint32_t iso14a_timeout;
15c4dc5a 25
72934aa3 26// CARD TO READER
27// Sequence D: 11110000 modulation with subcarrier during first half
28// Sequence E: 00001111 modulation with subcarrier during second half
29// Sequence F: 00000000 no modulation with subcarrier
30// READER TO CARD
31// Sequence X: 00001100 drop after half a period
32// Sequence Y: 00000000 no drop
33// Sequence Z: 11000000 drop at start
34#define SEC_D 0xf0
35#define SEC_E 0x0f
36#define SEC_F 0x00
37#define SEC_X 0x0c
38#define SEC_Y 0x00
39#define SEC_Z 0xc0
15c4dc5a 40
f7e3ed82 41static const uint8_t OddByteParity[256] = {
15c4dc5a 42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
58};
59
60// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
61#define RECV_CMD_OFFSET 3032
62#define RECV_RES_OFFSET 3096
63#define DMA_BUFFER_OFFSET 3160
64#define DMA_BUFFER_SIZE 4096
65#define TRACE_LENGTH 3000
66
534983d7 67uint8_t trigger = 0;
68void iso14a_set_trigger(int enable) {
69 trigger = enable;
70}
71
15c4dc5a 72//-----------------------------------------------------------------------------
73// Generate the parity value for a byte sequence
e30c654b 74//
15c4dc5a 75//-----------------------------------------------------------------------------
f7e3ed82 76uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 77{
78 int i;
f7e3ed82 79 uint32_t dwPar = 0;
72934aa3 80
15c4dc5a 81 // Generate the encrypted data
82 for (i = 0; i < iLen; i++) {
83 // Save the encrypted parity bit
84 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
85 }
86 return dwPar;
87}
88
534983d7 89void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 90{
91 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
92}
93
ed82636b 94int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 95{
96 // Return when trace is full
97 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 98
15c4dc5a 99 // Trace the random, i'm curious
100 rsamples += iSamples;
101 trace[traceLen++] = ((rsamples >> 0) & 0xff);
102 trace[traceLen++] = ((rsamples >> 8) & 0xff);
103 trace[traceLen++] = ((rsamples >> 16) & 0xff);
104 trace[traceLen++] = ((rsamples >> 24) & 0xff);
105 if (!bReader) {
106 trace[traceLen - 1] |= 0x80;
107 }
108 trace[traceLen++] = ((dwParity >> 0) & 0xff);
109 trace[traceLen++] = ((dwParity >> 8) & 0xff);
110 trace[traceLen++] = ((dwParity >> 16) & 0xff);
111 trace[traceLen++] = ((dwParity >> 24) & 0xff);
112 trace[traceLen++] = iLen;
113 memcpy(trace + traceLen, btBytes, iLen);
114 traceLen += iLen;
115 return TRUE;
116}
117
15c4dc5a 118//-----------------------------------------------------------------------------
119// The software UART that receives commands from the reader, and its state
120// variables.
121//-----------------------------------------------------------------------------
122static struct {
123 enum {
124 STATE_UNSYNCD,
125 STATE_START_OF_COMMUNICATION,
126 STATE_MILLER_X,
127 STATE_MILLER_Y,
128 STATE_MILLER_Z,
129 STATE_ERROR_WAIT
130 } state;
f7e3ed82 131 uint16_t shiftReg;
15c4dc5a 132 int bitCnt;
133 int byteCnt;
134 int byteCntMax;
135 int posCnt;
136 int syncBit;
137 int parityBits;
138 int samples;
139 int highCnt;
140 int bitBuffer;
141 enum {
142 DROP_NONE,
143 DROP_FIRST_HALF,
144 DROP_SECOND_HALF
145 } drop;
f7e3ed82 146 uint8_t *output;
15c4dc5a 147} Uart;
148
f7e3ed82 149static int MillerDecoding(int bit)
15c4dc5a 150{
151 int error = 0;
152 int bitright;
153
154 if(!Uart.bitBuffer) {
155 Uart.bitBuffer = bit ^ 0xFF0;
156 return FALSE;
157 }
158 else {
159 Uart.bitBuffer <<= 4;
160 Uart.bitBuffer ^= bit;
161 }
162
f7e3ed82 163 int EOC = FALSE;
15c4dc5a 164
165 if(Uart.state != STATE_UNSYNCD) {
166 Uart.posCnt++;
167
168 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
169 bit = 0x00;
170 }
171 else {
172 bit = 0x01;
173 }
174 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
175 bitright = 0x00;
176 }
177 else {
178 bitright = 0x01;
179 }
180 if(bit != bitright) { bit = bitright; }
181
182 if(Uart.posCnt == 1) {
183 // measurement first half bitperiod
184 if(!bit) {
185 Uart.drop = DROP_FIRST_HALF;
186 }
187 }
188 else {
189 // measurement second half bitperiod
190 if(!bit & (Uart.drop == DROP_NONE)) {
191 Uart.drop = DROP_SECOND_HALF;
192 }
193 else if(!bit) {
194 // measured a drop in first and second half
195 // which should not be possible
196 Uart.state = STATE_ERROR_WAIT;
197 error = 0x01;
198 }
199
200 Uart.posCnt = 0;
201
202 switch(Uart.state) {
203 case STATE_START_OF_COMMUNICATION:
204 Uart.shiftReg = 0;
205 if(Uart.drop == DROP_SECOND_HALF) {
206 // error, should not happen in SOC
207 Uart.state = STATE_ERROR_WAIT;
208 error = 0x02;
209 }
210 else {
211 // correct SOC
212 Uart.state = STATE_MILLER_Z;
213 }
214 break;
215
216 case STATE_MILLER_Z:
217 Uart.bitCnt++;
218 Uart.shiftReg >>= 1;
219 if(Uart.drop == DROP_NONE) {
220 // logic '0' followed by sequence Y
221 // end of communication
222 Uart.state = STATE_UNSYNCD;
223 EOC = TRUE;
224 }
225 // if(Uart.drop == DROP_FIRST_HALF) {
226 // Uart.state = STATE_MILLER_Z; stay the same
227 // we see a logic '0' }
228 if(Uart.drop == DROP_SECOND_HALF) {
229 // we see a logic '1'
230 Uart.shiftReg |= 0x100;
231 Uart.state = STATE_MILLER_X;
232 }
233 break;
234
235 case STATE_MILLER_X:
236 Uart.shiftReg >>= 1;
237 if(Uart.drop == DROP_NONE) {
238 // sequence Y, we see a '0'
239 Uart.state = STATE_MILLER_Y;
240 Uart.bitCnt++;
241 }
242 if(Uart.drop == DROP_FIRST_HALF) {
243 // Would be STATE_MILLER_Z
244 // but Z does not follow X, so error
245 Uart.state = STATE_ERROR_WAIT;
246 error = 0x03;
247 }
248 if(Uart.drop == DROP_SECOND_HALF) {
249 // We see a '1' and stay in state X
250 Uart.shiftReg |= 0x100;
251 Uart.bitCnt++;
252 }
253 break;
254
255 case STATE_MILLER_Y:
256 Uart.bitCnt++;
257 Uart.shiftReg >>= 1;
258 if(Uart.drop == DROP_NONE) {
259 // logic '0' followed by sequence Y
260 // end of communication
261 Uart.state = STATE_UNSYNCD;
262 EOC = TRUE;
263 }
264 if(Uart.drop == DROP_FIRST_HALF) {
265 // we see a '0'
266 Uart.state = STATE_MILLER_Z;
267 }
268 if(Uart.drop == DROP_SECOND_HALF) {
269 // We see a '1' and go to state X
270 Uart.shiftReg |= 0x100;
271 Uart.state = STATE_MILLER_X;
272 }
273 break;
274
275 case STATE_ERROR_WAIT:
276 // That went wrong. Now wait for at least two bit periods
277 // and try to sync again
278 if(Uart.drop == DROP_NONE) {
279 Uart.highCnt = 6;
280 Uart.state = STATE_UNSYNCD;
281 }
282 break;
283
284 default:
285 Uart.state = STATE_UNSYNCD;
286 Uart.highCnt = 0;
287 break;
288 }
289
290 Uart.drop = DROP_NONE;
291
292 // should have received at least one whole byte...
293 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
294 return TRUE;
295 }
296
297 if(Uart.bitCnt == 9) {
298 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
299 Uart.byteCnt++;
300
301 Uart.parityBits <<= 1;
302 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
303
304 if(EOC) {
305 // when End of Communication received and
306 // all data bits processed..
307 return TRUE;
308 }
309 Uart.bitCnt = 0;
310 }
311
312 /*if(error) {
313 Uart.output[Uart.byteCnt] = 0xAA;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = error & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
320 Uart.byteCnt++;
321 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 return TRUE;
328 }*/
329 }
330
331 }
332 else {
333 bit = Uart.bitBuffer & 0xf0;
334 bit >>= 4;
335 bit ^= 0x0F;
336 if(bit) {
337 // should have been high or at least (4 * 128) / fc
338 // according to ISO this should be at least (9 * 128 + 20) / fc
339 if(Uart.highCnt == 8) {
340 // we went low, so this could be start of communication
341 // it turns out to be safer to choose a less significant
342 // syncbit... so we check whether the neighbour also represents the drop
343 Uart.posCnt = 1; // apparently we are busy with our first half bit period
344 Uart.syncBit = bit & 8;
345 Uart.samples = 3;
346 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
347 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
348 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
349 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
350 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
351 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
352 Uart.syncBit = 8;
353
354 // the first half bit period is expected in next sample
355 Uart.posCnt = 0;
356 Uart.samples = 3;
357 }
358 }
359 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
360
361 Uart.syncBit <<= 4;
362 Uart.state = STATE_START_OF_COMMUNICATION;
363 Uart.drop = DROP_FIRST_HALF;
364 Uart.bitCnt = 0;
365 Uart.byteCnt = 0;
366 Uart.parityBits = 0;
367 error = 0;
368 }
369 else {
370 Uart.highCnt = 0;
371 }
372 }
373 else {
374 if(Uart.highCnt < 8) {
375 Uart.highCnt++;
376 }
377 }
378 }
379
380 return FALSE;
381}
382
383//=============================================================================
384// ISO 14443 Type A - Manchester
385//=============================================================================
386
387static struct {
388 enum {
389 DEMOD_UNSYNCD,
390 DEMOD_START_OF_COMMUNICATION,
391 DEMOD_MANCHESTER_D,
392 DEMOD_MANCHESTER_E,
393 DEMOD_MANCHESTER_F,
394 DEMOD_ERROR_WAIT
395 } state;
396 int bitCount;
397 int posCount;
398 int syncBit;
399 int parityBits;
f7e3ed82 400 uint16_t shiftReg;
15c4dc5a 401 int buffer;
402 int buff;
403 int samples;
404 int len;
405 enum {
406 SUB_NONE,
407 SUB_FIRST_HALF,
408 SUB_SECOND_HALF
409 } sub;
f7e3ed82 410 uint8_t *output;
15c4dc5a 411} Demod;
412
f7e3ed82 413static int ManchesterDecoding(int v)
15c4dc5a 414{
415 int bit;
416 int modulation;
417 int error = 0;
418
419 if(!Demod.buff) {
420 Demod.buff = 1;
421 Demod.buffer = v;
422 return FALSE;
423 }
424 else {
425 bit = Demod.buffer;
426 Demod.buffer = v;
427 }
428
429 if(Demod.state==DEMOD_UNSYNCD) {
430 Demod.output[Demod.len] = 0xfa;
431 Demod.syncBit = 0;
432 //Demod.samples = 0;
433 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
434 if(bit & 0x08) { Demod.syncBit = 0x08; }
435 if(!Demod.syncBit) {
436 if(bit & 0x04) { Demod.syncBit = 0x04; }
437 }
438 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
439 if(!Demod.syncBit) {
440 if(bit & 0x02) { Demod.syncBit = 0x02; }
441 }
442 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
443 if(!Demod.syncBit) {
444 if(bit & 0x01) { Demod.syncBit = 0x01; }
445
446 if(Demod.syncBit & (Demod.buffer & 0x08)) {
447 Demod.syncBit = 0x08;
448
449 // The first half bitperiod is expected in next sample
450 Demod.posCount = 0;
451 Demod.output[Demod.len] = 0xfb;
452 }
453 }
454 else if(bit & 0x01) { Demod.syncBit = 0x01; }
455
456 if(Demod.syncBit) {
457 Demod.len = 0;
458 Demod.state = DEMOD_START_OF_COMMUNICATION;
459 Demod.sub = SUB_FIRST_HALF;
460 Demod.bitCount = 0;
461 Demod.shiftReg = 0;
462 Demod.parityBits = 0;
463 Demod.samples = 0;
464 if(Demod.posCount) {
534983d7 465 if(trigger) LED_A_OFF();
15c4dc5a 466 switch(Demod.syncBit) {
467 case 0x08: Demod.samples = 3; break;
468 case 0x04: Demod.samples = 2; break;
469 case 0x02: Demod.samples = 1; break;
470 case 0x01: Demod.samples = 0; break;
471 }
472 }
473 error = 0;
474 }
475 }
476 else {
477 //modulation = bit & Demod.syncBit;
478 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
479
480 Demod.samples += 4;
481
482 if(Demod.posCount==0) {
483 Demod.posCount = 1;
484 if(modulation) {
485 Demod.sub = SUB_FIRST_HALF;
486 }
487 else {
488 Demod.sub = SUB_NONE;
489 }
490 }
491 else {
492 Demod.posCount = 0;
493 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
494 if(Demod.state!=DEMOD_ERROR_WAIT) {
495 Demod.state = DEMOD_ERROR_WAIT;
496 Demod.output[Demod.len] = 0xaa;
497 error = 0x01;
498 }
499 }
500 else if(modulation) {
501 Demod.sub = SUB_SECOND_HALF;
502 }
503
504 switch(Demod.state) {
505 case DEMOD_START_OF_COMMUNICATION:
506 if(Demod.sub == SUB_FIRST_HALF) {
507 Demod.state = DEMOD_MANCHESTER_D;
508 }
509 else {
510 Demod.output[Demod.len] = 0xab;
511 Demod.state = DEMOD_ERROR_WAIT;
512 error = 0x02;
513 }
514 break;
515
516 case DEMOD_MANCHESTER_D:
517 case DEMOD_MANCHESTER_E:
518 if(Demod.sub == SUB_FIRST_HALF) {
519 Demod.bitCount++;
520 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
521 Demod.state = DEMOD_MANCHESTER_D;
522 }
523 else if(Demod.sub == SUB_SECOND_HALF) {
524 Demod.bitCount++;
525 Demod.shiftReg >>= 1;
526 Demod.state = DEMOD_MANCHESTER_E;
527 }
528 else {
529 Demod.state = DEMOD_MANCHESTER_F;
530 }
531 break;
532
533 case DEMOD_MANCHESTER_F:
534 // Tag response does not need to be a complete byte!
535 if(Demod.len > 0 || Demod.bitCount > 0) {
536 if(Demod.bitCount > 0) {
537 Demod.shiftReg >>= (9 - Demod.bitCount);
538 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
539 Demod.len++;
540 // No parity bit, so just shift a 0
541 Demod.parityBits <<= 1;
542 }
543
544 Demod.state = DEMOD_UNSYNCD;
545 return TRUE;
546 }
547 else {
548 Demod.output[Demod.len] = 0xad;
549 Demod.state = DEMOD_ERROR_WAIT;
550 error = 0x03;
551 }
552 break;
553
554 case DEMOD_ERROR_WAIT:
555 Demod.state = DEMOD_UNSYNCD;
556 break;
557
558 default:
559 Demod.output[Demod.len] = 0xdd;
560 Demod.state = DEMOD_UNSYNCD;
561 break;
562 }
563
564 if(Demod.bitCount>=9) {
565 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
566 Demod.len++;
567
568 Demod.parityBits <<= 1;
569 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
570
571 Demod.bitCount = 0;
572 Demod.shiftReg = 0;
573 }
574
575 /*if(error) {
576 Demod.output[Demod.len] = 0xBB;
577 Demod.len++;
578 Demod.output[Demod.len] = error & 0xFF;
579 Demod.len++;
580 Demod.output[Demod.len] = 0xBB;
581 Demod.len++;
582 Demod.output[Demod.len] = bit & 0xFF;
583 Demod.len++;
584 Demod.output[Demod.len] = Demod.buffer & 0xFF;
585 Demod.len++;
586 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
587 Demod.len++;
588 Demod.output[Demod.len] = 0xBB;
589 Demod.len++;
590 return TRUE;
591 }*/
592
593 }
594
595 } // end (state != UNSYNCED)
596
597 return FALSE;
598}
599
600//=============================================================================
601// Finally, a `sniffer' for ISO 14443 Type A
602// Both sides of communication!
603//=============================================================================
604
605//-----------------------------------------------------------------------------
606// Record the sequence of commands sent by the reader to the tag, with
607// triggering so that we start recording at the point that the tag is moved
608// near the reader.
609//-----------------------------------------------------------------------------
610void SnoopIso14443a(void)
611{
612// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
613// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
614// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
615// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
616// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
617
618 // We won't start recording the frames that we acquire until we trigger;
619 // a good trigger condition to get started is probably when we see a
620 // response from the tag.
7e758047 621 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 622
623 // The command (reader -> tag) that we're receiving.
624 // The length of a received command will in most cases be no more than 18 bytes.
625 // So 32 should be enough!
f7e3ed82 626 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 627 // The response (tag -> reader) that we're receiving.
f7e3ed82 628 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 629
630 // As we receive stuff, we copy it from receivedCmd or receivedResponse
631 // into trace, along with its length and other annotations.
f7e3ed82 632 //uint8_t *trace = (uint8_t *)BigBuf;
15c4dc5a 633 //int traceLen = 0;
634
635 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 636 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 637 int lastRxCounter;
f7e3ed82 638 int8_t *upTo;
15c4dc5a 639 int smpl;
640 int maxBehindBy = 0;
641
642 // Count of samples received so far, so that we can include timing
643 // information in the trace buffer.
644 int samples = 0;
645 int rsamples = 0;
646
647 memset(trace, 0x44, RECV_CMD_OFFSET);
648
649 // Set up the demodulator for tag -> reader responses.
650 Demod.output = receivedResponse;
651 Demod.len = 0;
652 Demod.state = DEMOD_UNSYNCD;
653
7e758047 654 // Setup for the DMA.
655 FpgaSetupSsc();
656 upTo = dmaBuf;
657 lastRxCounter = DMA_BUFFER_SIZE;
658 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
659
15c4dc5a 660 // And the reader -> tag commands
661 memset(&Uart, 0, sizeof(Uart));
662 Uart.output = receivedCmd;
663 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
664 Uart.state = STATE_UNSYNCD;
665
666 // And put the FPGA in the appropriate mode
667 // Signal field is off with the appropriate LED
668 LED_D_OFF();
669 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
670 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
671
15c4dc5a 672
673 // And now we loop, receiving samples.
674 for(;;) {
7e758047 675 LED_A_ON();
676 WDT_HIT();
15c4dc5a 677 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
678 (DMA_BUFFER_SIZE-1);
679 if(behindBy > maxBehindBy) {
680 maxBehindBy = behindBy;
681 if(behindBy > 400) {
7e758047 682 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 683 goto done;
684 }
685 }
686 if(behindBy < 1) continue;
687
7e758047 688 LED_A_OFF();
15c4dc5a 689 smpl = upTo[0];
690 upTo++;
691 lastRxCounter -= 1;
692 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
693 upTo -= DMA_BUFFER_SIZE;
694 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 695 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 696 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
697 }
698
699 samples += 4;
7e758047 700 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 701 rsamples = samples - Uart.samples;
72934aa3 702 LED_C_ON();
7e758047 703 if(triggered) {
704 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 705 trace[traceLen++] = ((rsamples >> 8) & 0xff);
706 trace[traceLen++] = ((rsamples >> 16) & 0xff);
707 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 708 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
709 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
710 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
711 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 712 trace[traceLen++] = Uart.byteCnt;
713 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
714 traceLen += Uart.byteCnt;
715 if(traceLen > TRACE_LENGTH) break;
716 }
717 /* And ready to receive another command. */
718 Uart.state = STATE_UNSYNCD;
719 /* And also reset the demod code, which might have been */
720 /* false-triggered by the commands from the reader. */
721 Demod.state = DEMOD_UNSYNCD;
7e758047 722 LED_B_OFF();
15c4dc5a 723 }
7e758047 724
725 if(ManchesterDecoding(smpl & 0x0F)) {
726 rsamples = samples - Demod.samples;
727 LED_B_ON();
728
729 // timestamp, as a count of samples
730 trace[traceLen++] = ((rsamples >> 0) & 0xff);
731 trace[traceLen++] = ((rsamples >> 8) & 0xff);
732 trace[traceLen++] = ((rsamples >> 16) & 0xff);
733 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
734 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
735 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
736 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
737 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
738 // length
739 trace[traceLen++] = Demod.len;
740 memcpy(trace+traceLen, receivedResponse, Demod.len);
741 traceLen += Demod.len;
742 if(traceLen > TRACE_LENGTH) break;
743
744 triggered = TRUE;
15c4dc5a 745
746 // And ready to receive another response.
747 memset(&Demod, 0, sizeof(Demod));
748 Demod.output = receivedResponse;
749 Demod.state = DEMOD_UNSYNCD;
7e758047 750 LED_C_OFF();
751 }
15c4dc5a 752
753 if(BUTTON_PRESS()) {
754 DbpString("cancelled_a");
755 goto done;
756 }
757 }
758
759 DbpString("COMMAND FINISHED");
760
761 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
762 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
763
764done:
765 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
766 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
767 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
768 LED_A_OFF();
769 LED_B_OFF();
770 LED_C_OFF();
771 LED_D_OFF();
772}
773
15c4dc5a 774//-----------------------------------------------------------------------------
775// Prepare tag messages
776//-----------------------------------------------------------------------------
f7e3ed82 777static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 778{
779 int i;
780 int oddparity;
781
782 ToSendReset();
783
784 // Correction bit, might be removed when not needed
785 ToSendStuffBit(0);
786 ToSendStuffBit(0);
787 ToSendStuffBit(0);
788 ToSendStuffBit(0);
789 ToSendStuffBit(1); // 1
790 ToSendStuffBit(0);
791 ToSendStuffBit(0);
792 ToSendStuffBit(0);
793
794 // Send startbit
72934aa3 795 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 796
797 for(i = 0; i < len; i++) {
798 int j;
f7e3ed82 799 uint8_t b = cmd[i];
15c4dc5a 800
801 // Data bits
802 oddparity = 0x01;
803 for(j = 0; j < 8; j++) {
804 oddparity ^= (b & 1);
805 if(b & 1) {
72934aa3 806 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 807 } else {
72934aa3 808 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 809 }
810 b >>= 1;
811 }
812
813 // Parity bit
814 if(oddparity) {
72934aa3 815 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 816 } else {
72934aa3 817 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 818 }
819 }
820
821 // Send stopbit
72934aa3 822 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 823
824 // Flush the buffer in FPGA!!
825 for(i = 0; i < 5; i++) {
72934aa3 826 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 827 }
828
829 // Convert from last byte pos to length
830 ToSendMax++;
831
832 // Add a few more for slop
833 ToSend[ToSendMax++] = 0x00;
834 ToSend[ToSendMax++] = 0x00;
835 //ToSendMax += 2;
836}
837
838//-----------------------------------------------------------------------------
839// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
840//-----------------------------------------------------------------------------
841static void CodeStrangeAnswer()
842{
843 int i;
844
845 ToSendReset();
846
847 // Correction bit, might be removed when not needed
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(1); // 1
853 ToSendStuffBit(0);
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856
857 // Send startbit
72934aa3 858 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 859
860 // 0
72934aa3 861 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 862
863 // 0
72934aa3 864 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 865
866 // 1
72934aa3 867 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 868
869 // Send stopbit
72934aa3 870 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 871
872 // Flush the buffer in FPGA!!
873 for(i = 0; i < 5; i++) {
72934aa3 874 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 875 }
876
877 // Convert from last byte pos to length
878 ToSendMax++;
879
880 // Add a few more for slop
881 ToSend[ToSendMax++] = 0x00;
882 ToSend[ToSendMax++] = 0x00;
883 //ToSendMax += 2;
884}
885
886//-----------------------------------------------------------------------------
887// Wait for commands from reader
888// Stop when button is pressed
889// Or return TRUE when command is captured
890//-----------------------------------------------------------------------------
f7e3ed82 891static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 892{
893 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
894 // only, since we are receiving, not transmitting).
895 // Signal field is off with the appropriate LED
896 LED_D_OFF();
897 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
898
899 // Now run a `software UART' on the stream of incoming samples.
900 Uart.output = received;
901 Uart.byteCntMax = maxLen;
902 Uart.state = STATE_UNSYNCD;
903
904 for(;;) {
905 WDT_HIT();
906
907 if(BUTTON_PRESS()) return FALSE;
908
909 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
910 AT91C_BASE_SSC->SSC_THR = 0x00;
911 }
912 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 913 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 914 if(MillerDecoding((b & 0xf0) >> 4)) {
915 *len = Uart.byteCnt;
916 return TRUE;
917 }
918 if(MillerDecoding(b & 0x0f)) {
919 *len = Uart.byteCnt;
920 return TRUE;
921 }
922 }
923 }
924}
925
926//-----------------------------------------------------------------------------
927// Main loop of simulated tag: receive commands from reader, decide what
928// response to send, and send it.
929//-----------------------------------------------------------------------------
930void SimulateIso14443aTag(int tagType, int TagUid)
931{
932 // This function contains the tag emulation
933
934 // Prepare protocol messages
f7e3ed82 935 // static const uint8_t cmd1[] = { 0x26 };
936// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 937//
f7e3ed82 938 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
939// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 940
941 // UID response
f7e3ed82 942 // static const uint8_t cmd2[] = { 0x93, 0x20 };
943 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 944
15c4dc5a 945// my desfire
f7e3ed82 946 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 947
948
949// When reader selects us during cascade1 it will send cmd3
f7e3ed82 950//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
951uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 952ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
953
954// send cascade2 2nd half of UID
f7e3ed82 955static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 956// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
957
15c4dc5a 958// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 959//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
960uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 961ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
962
f7e3ed82 963 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 964
f7e3ed82 965 uint8_t *resp;
15c4dc5a 966 int respLen;
967
968 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
969 // This will need
970 // 144 data bits (18 * 8)
971 // 18 parity bits
972 // 2 Start and stop
973 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
974 // 1 just for the case
975 // ----------- +
976 // 166
977 //
978 // 166 bytes, since every bit that needs to be send costs us a byte
979 //
980
15c4dc5a 981 // Respond with card type
f7e3ed82 982 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 983 int resp1Len;
984
985 // Anticollision cascade1 - respond with uid
f7e3ed82 986 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 987 int resp2Len;
988
989 // Anticollision cascade2 - respond with 2nd half of uid if asked
990 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 991 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 992 int resp2aLen;
993
994 // Acknowledge select - cascade 1
f7e3ed82 995 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 996 int resp3Len;
997
998 // Acknowledge select - cascade 2
f7e3ed82 999 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1000 int resp3aLen;
1001
1002 // Response to a read request - not implemented atm
f7e3ed82 1003 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1004 int resp4Len;
1005
1006 // Authenticate response - nonce
f7e3ed82 1007 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1008 int resp5Len;
1009
f7e3ed82 1010 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1011 int len;
1012
1013 int i;
1014 int u;
f7e3ed82 1015 uint8_t b;
15c4dc5a 1016
1017 // To control where we are in the protocol
1018 int order = 0;
1019 int lastorder;
1020
1021 // Just to allow some checks
1022 int happened = 0;
1023 int happened2 = 0;
1024
1025 int cmdsRecvd = 0;
1026
f7e3ed82 1027 int fdt_indicator;
15c4dc5a 1028
1029 memset(receivedCmd, 0x44, 400);
1030
1031 // Prepare the responses of the anticollision phase
1032 // there will be not enough time to do this at the moment the reader sends it REQA
1033
1034 // Answer to request
1035 CodeIso14443aAsTag(response1, sizeof(response1));
1036 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1037
1038 // Send our UID (cascade 1)
1039 CodeIso14443aAsTag(response2, sizeof(response2));
1040 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1041
1042 // Answer to select (cascade1)
1043 CodeIso14443aAsTag(response3, sizeof(response3));
1044 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1045
1046 // Send the cascade 2 2nd part of the uid
1047 CodeIso14443aAsTag(response2a, sizeof(response2a));
1048 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1049
1050 // Answer to select (cascade 2)
1051 CodeIso14443aAsTag(response3a, sizeof(response3a));
1052 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1053
1054 // Strange answer is an example of rare message size (3 bits)
1055 CodeStrangeAnswer();
1056 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1057
1058 // Authentication answer (random nonce)
1059 CodeIso14443aAsTag(response5, sizeof(response5));
1060 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1061
1062 // We need to listen to the high-frequency, peak-detected path.
1063 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1064 FpgaSetupSsc();
1065
1066 cmdsRecvd = 0;
1067
1068 LED_A_ON();
1069 for(;;) {
1070
1071 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1072 DbpString("button press");
1073 break;
1074 }
1075 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1076 // Okay, look at the command now.
1077 lastorder = order;
1078 i = 1; // first byte transmitted
1079 if(receivedCmd[0] == 0x26) {
1080 // Received a REQUEST
1081 resp = resp1; respLen = resp1Len; order = 1;
1082 //DbpString("Hello request from reader:");
1083 } else if(receivedCmd[0] == 0x52) {
1084 // Received a WAKEUP
1085 resp = resp1; respLen = resp1Len; order = 6;
1086// //DbpString("Wakeup request from reader:");
1087
1088 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1089 // Received request for UID (cascade 1)
1090 resp = resp2; respLen = resp2Len; order = 2;
1091// DbpString("UID (cascade 1) request from reader:");
1092// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1093
1094
1095 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1096 // Received request for UID (cascade 2)
1097 resp = resp2a; respLen = resp2aLen; order = 20;
1098// DbpString("UID (cascade 2) request from reader:");
1099// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1100
1101
1102 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1103 // Received a SELECT
1104 resp = resp3; respLen = resp3Len; order = 3;
1105// DbpString("Select (cascade 1) request from reader:");
1106// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1107
1108
1109 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1110 // Received a SELECT
1111 resp = resp3a; respLen = resp3aLen; order = 30;
1112// DbpString("Select (cascade 2) request from reader:");
1113// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1114
1115
1116 } else if(receivedCmd[0] == 0x30) {
1117 // Received a READ
1118 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1119 Dbprintf("Read request from reader: %x %x %x",
1120 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1121
1122
1123 } else if(receivedCmd[0] == 0x50) {
1124 // Received a HALT
1125 resp = resp1; respLen = 0; order = 5; // Do nothing
1126 DbpString("Reader requested we HALT!:");
1127
1128 } else if(receivedCmd[0] == 0x60) {
1129 // Received an authentication request
1130 resp = resp5; respLen = resp5Len; order = 7;
1131 Dbprintf("Authenticate request from reader: %x %x %x",
1132 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1133
1134 } else if(receivedCmd[0] == 0xE0) {
1135 // Received a RATS request
1136 resp = resp1; respLen = 0;order = 70;
1137 Dbprintf("RATS request from reader: %x %x %x",
1138 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1139 } else {
1140 // Never seen this command before
1141 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1142 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1143 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1144 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1145 // Do not respond
1146 resp = resp1; respLen = 0; order = 0;
1147 }
1148
1149 // Count number of wakeups received after a halt
1150 if(order == 6 && lastorder == 5) { happened++; }
1151
1152 // Count number of other messages after a halt
1153 if(order != 6 && lastorder == 5) { happened2++; }
1154
1155 // Look at last parity bit to determine timing of answer
1156 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1157 // 1236, so correction bit needed
1158 i = 0;
1159 }
1160
1161 memset(receivedCmd, 0x44, 32);
1162
1163 if(cmdsRecvd > 999) {
1164 DbpString("1000 commands later...");
1165 break;
1166 }
1167 else {
1168 cmdsRecvd++;
1169 }
1170
1171 if(respLen <= 0) continue;
1172
1173 // Modulate Manchester
1174 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1175 AT91C_BASE_SSC->SSC_THR = 0x00;
1176 FpgaSetupSsc();
1177
1178 // ### Transmit the response ###
1179 u = 0;
1180 b = 0x00;
1181 fdt_indicator = FALSE;
1182 for(;;) {
1183 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1184 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1185 (void)b;
1186 }
1187 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1188 if(i > respLen) {
1189 b = 0x00;
1190 u++;
1191 } else {
1192 b = resp[i];
1193 i++;
1194 }
1195 AT91C_BASE_SSC->SSC_THR = b;
1196
1197 if(u > 4) {
1198 break;
1199 }
1200 }
1201 if(BUTTON_PRESS()) {
1202 break;
1203 }
1204 }
1205
1206 }
1207
1208 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1209 LED_A_OFF();
1210}
1211
1212//-----------------------------------------------------------------------------
1213// Transmit the command (to the tag) that was placed in ToSend[].
1214//-----------------------------------------------------------------------------
f7e3ed82 1215static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1216{
1217 int c;
e30c654b 1218
15c4dc5a 1219 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1220
15c4dc5a 1221 if (wait)
1222 if(*wait < 10)
1223 *wait = 10;
e30c654b 1224
15c4dc5a 1225 for(c = 0; c < *wait;) {
1226 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1227 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1228 c++;
1229 }
1230 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1231 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1232 (void)r;
1233 }
1234 WDT_HIT();
1235 }
e30c654b 1236
15c4dc5a 1237 c = 0;
1238 for(;;) {
1239 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1240 AT91C_BASE_SSC->SSC_THR = cmd[c];
1241 c++;
1242 if(c >= len) {
1243 break;
1244 }
1245 }
1246 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1247 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1248 (void)r;
1249 }
1250 WDT_HIT();
1251 }
1252 if (samples) *samples = (c + *wait) << 3;
1253}
1254
15c4dc5a 1255//-----------------------------------------------------------------------------
1256// Code a 7-bit command without parity bit
1257// This is especially for 0x26 and 0x52 (REQA and WUPA)
1258//-----------------------------------------------------------------------------
f7e3ed82 1259void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1260{
1261 int j;
1262 int last;
f7e3ed82 1263 uint8_t b;
15c4dc5a 1264
1265 ToSendReset();
1266
1267 // Start of Communication (Seq. Z)
72934aa3 1268 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1269 last = 0;
1270
1271 b = bt;
1272 for(j = 0; j < 7; j++) {
1273 if(b & 1) {
1274 // Sequence X
72934aa3 1275 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1276 last = 1;
1277 } else {
1278 if(last == 0) {
1279 // Sequence Z
72934aa3 1280 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1281 }
1282 else {
1283 // Sequence Y
72934aa3 1284 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1285 last = 0;
1286 }
1287 }
1288 b >>= 1;
1289 }
1290
1291 // End of Communication
1292 if(last == 0) {
1293 // Sequence Z
72934aa3 1294 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1295 }
1296 else {
1297 // Sequence Y
72934aa3 1298 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1299 last = 0;
1300 }
1301 // Sequence Y
72934aa3 1302 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1303
1304 // Just to be sure!
72934aa3 1305 ToSend[++ToSendMax] = SEC_Y;
1306 ToSend[++ToSendMax] = SEC_Y;
1307 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1308
1309 // Convert from last character reference to length
1310 ToSendMax++;
1311}
1312
1313//-----------------------------------------------------------------------------
1314// Prepare reader command to send to FPGA
e30c654b 1315//
15c4dc5a 1316//-----------------------------------------------------------------------------
f7e3ed82 1317void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1318{
1319 int i, j;
1320 int last;
f7e3ed82 1321 uint8_t b;
e30c654b 1322
15c4dc5a 1323 ToSendReset();
e30c654b 1324
15c4dc5a 1325 // Start of Communication (Seq. Z)
72934aa3 1326 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1327 last = 0;
e30c654b 1328
15c4dc5a 1329 // Generate send structure for the data bits
1330 for (i = 0; i < len; i++) {
1331 // Get the current byte to send
1332 b = cmd[i];
e30c654b 1333
15c4dc5a 1334 for (j = 0; j < 8; j++) {
1335 if (b & 1) {
1336 // Sequence X
72934aa3 1337 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1338 last = 1;
1339 } else {
1340 if (last == 0) {
1341 // Sequence Z
72934aa3 1342 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1343 } else {
1344 // Sequence Y
72934aa3 1345 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1346 last = 0;
1347 }
1348 }
1349 b >>= 1;
1350 }
e30c654b 1351
15c4dc5a 1352 // Get the parity bit
1353 if ((dwParity >> i) & 0x01) {
1354 // Sequence X
72934aa3 1355 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1356 last = 1;
1357 } else {
1358 if (last == 0) {
1359 // Sequence Z
72934aa3 1360 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1361 } else {
1362 // Sequence Y
72934aa3 1363 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1364 last = 0;
1365 }
1366 }
1367 }
e30c654b 1368
15c4dc5a 1369 // End of Communication
1370 if (last == 0) {
1371 // Sequence Z
72934aa3 1372 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1373 } else {
1374 // Sequence Y
72934aa3 1375 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1376 last = 0;
1377 }
1378 // Sequence Y
72934aa3 1379 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1380
15c4dc5a 1381 // Just to be sure!
72934aa3 1382 ToSend[++ToSendMax] = SEC_Y;
1383 ToSend[++ToSendMax] = SEC_Y;
1384 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1385
15c4dc5a 1386 // Convert from last character reference to length
1387 ToSendMax++;
1388}
1389
1390//-----------------------------------------------------------------------------
1391// Wait a certain time for tag response
1392// If a response is captured return TRUE
1393// If it takes to long return FALSE
1394//-----------------------------------------------------------------------------
f7e3ed82 1395static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1396{
1397 // buffer needs to be 512 bytes
1398 int c;
1399
1400 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1401 // only, since we are receiving, not transmitting).
1402 // Signal field is on with the appropriate LED
1403 LED_D_ON();
1404 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1405
534983d7 1406 // Now get the answer from the card
1407 Demod.output = receivedResponse;
1408 Demod.len = 0;
1409 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1410
f7e3ed82 1411 uint8_t b;
15c4dc5a 1412 if (elapsed) *elapsed = 0;
1413
1414 c = 0;
1415 for(;;) {
534983d7 1416 WDT_HIT();
15c4dc5a 1417
534983d7 1418 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1419 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1420 if (elapsed) (*elapsed)++;
534983d7 1421 }
1422 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1423 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1424 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1425 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1426 *samples = ((c - 1) << 3) + 4;
1427 return TRUE;
1428 }
1429 if(ManchesterDecoding(b & 0x0f)) {
1430 *samples = c << 3;
1431 return TRUE;
1432 }
534983d7 1433 }
1434 }
15c4dc5a 1435}
1436
f7e3ed82 1437void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1438{
1439 int wait = 0;
1440 int samples = 0;
1441
1442 ShortFrameFromReader(*bt);
e30c654b 1443
15c4dc5a 1444 // Select the card
e30c654b 1445 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1446
15c4dc5a 1447 // Store reader command in buffer
1448 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1449}
1450
f7e3ed82 1451void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1452{
1453 int wait = 0;
1454 int samples = 0;
e30c654b 1455
15c4dc5a 1456 // This is tied to other size changes
f7e3ed82 1457 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1458 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1459
15c4dc5a 1460 // Select the card
e30c654b 1461 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1462 if(trigger)
1463 LED_A_ON();
e30c654b 1464
15c4dc5a 1465 // Store reader command in buffer
1466 if (tracing) LogTrace(frame,len,0,par,TRUE);
1467}
1468
1469
f7e3ed82 1470void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1471{
1472 // Generate parity and redirect
1473 ReaderTransmitPar(frame,len,GetParity(frame,len));
1474}
1475
f7e3ed82 1476int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1477{
1478 int samples = 0;
1479 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1480 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1481 if(samples == 0) return FALSE;
1482 return Demod.len;
15c4dc5a 1483}
1484
7e758047 1485/* performs iso14443a anticolision procedure
534983d7 1486 * fills the uid pointer unless NULL
1487 * fills resp_data unless NULL */
1488int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
f7e3ed82 1489 uint8_t wupa[] = { 0x52 };
1490 uint8_t sel_all[] = { 0x93,0x20 };
1491 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1492 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1493
7e758047 1494 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1495 uint8_t* uid = resp + 7;
15c4dc5a 1496
534983d7 1497 uint8_t sak = 0x04; // cascade uid
1498 int cascade_level = 0;
1499
7e758047 1500 int len;
15c4dc5a 1501
7e758047 1502 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1503 ReaderTransmitShort(wupa);
1504 // Receive the ATQA
1505 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1506
534983d7 1507 if(resp_data)
1508 memcpy(resp_data->atqa, resp, 2);
1509
1510 ReaderTransmit(sel_all,sizeof(sel_all));
7e758047 1511 if(!ReaderReceive(uid)) return 0;
15c4dc5a 1512
534983d7 1513 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1514 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1515 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1516 for(; sak & 0x04; cascade_level++)
7e758047 1517 {
534983d7 1518 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1519 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1520
1521 // SELECT_ALL
1522 ReaderTransmit(sel_all,sizeof(sel_all));
1523 if (!ReaderReceive(resp)) return 0;
1524 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
e30c654b 1525
7e758047 1526 // Construct SELECT UID command
534983d7 1527 memcpy(sel_uid+2,resp,5);
1528 AppendCrc14443a(sel_uid,7);
1529 ReaderTransmit(sel_uid,sizeof(sel_uid));
1530
7e758047 1531 // Receive the SAK
1532 if (!ReaderReceive(resp)) return 0;
534983d7 1533 sak = resp[0];
7e758047 1534 }
534983d7 1535 if(resp_data) {
1536 resp_data->sak = sak;
1537 resp_data->ats_len = 0;
1538 }
1539
1540 if( (sak & 0x20) == 0)
7e758047 1541 return 2; // non iso14443a compliant tag
534983d7 1542
7e758047 1543 // Request for answer to select
1544 AppendCrc14443a(rats, 2);
1545 ReaderTransmit(rats, sizeof(rats));
1546 if (!(len = ReaderReceive(resp))) return 0;
534983d7 1547 if(resp_data) {
1548 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1549 resp_data->ats_len = len;
1550 }
1551
7e758047 1552 return 1;
1553}
15c4dc5a 1554
7e758047 1555void iso14443a_setup() {
1556 // Setup SSC
1557 FpgaSetupSsc();
1558 // Start from off (no field generated)
1559 // Signal field is off with the appropriate LED
1560 LED_D_OFF();
1561 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1562 SpinDelay(200);
15c4dc5a 1563
7e758047 1564 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1565
7e758047 1566 // Now give it time to spin up.
1567 // Signal field is on with the appropriate LED
1568 LED_D_ON();
1569 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1570 SpinDelay(200);
534983d7 1571
1572 iso14a_timeout = 2048; //default
7e758047 1573}
15c4dc5a 1574
534983d7 1575int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1576 uint8_t real_cmd[cmd_len+4];
1577 real_cmd[0] = 0x0a; //I-Block
1578 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1579 memcpy(real_cmd+2, cmd, cmd_len);
1580 AppendCrc14443a(real_cmd,cmd_len+2);
1581
1582 ReaderTransmit(real_cmd, cmd_len+4);
1583 size_t len = ReaderReceive(data);
1584 if(!len)
1585 return -1; //DATA LINK ERROR
1586
1587 return len;
1588}
1589
1590
7e758047 1591//-----------------------------------------------------------------------------
1592// Read an ISO 14443a tag. Send out commands and store answers.
1593//
1594//-----------------------------------------------------------------------------
534983d7 1595void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1596{
534983d7 1597 iso14a_command_t param = c->arg[0];
1598 uint8_t * cmd = c->d.asBytes;
1599 size_t len = c->arg[1];
e30c654b 1600
534983d7 1601 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1602
534983d7 1603 if(param & ISO14A_CONNECT) {
1604 iso14443a_setup();
1605 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12));
1606 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1607 }
e30c654b 1608
534983d7 1609 if(param & ISO14A_SET_TIMEOUT) {
1610 iso14a_timeout = c->arg[2];
1611 }
e30c654b 1612
534983d7 1613 if(param & ISO14A_SET_TIMEOUT) {
1614 iso14a_timeout = c->arg[2];
1615 }
e30c654b 1616
534983d7 1617 if(param & ISO14A_APDU) {
1618 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1619 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1620 }
e30c654b 1621
534983d7 1622 if(param & ISO14A_RAW) {
1623 if(param & ISO14A_APPEND_CRC) {
1624 AppendCrc14443a(cmd,len);
1625 len += 2;
15c4dc5a 1626 }
534983d7 1627 ReaderTransmit(cmd,len);
1628 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1629 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1630 }
15c4dc5a 1631
534983d7 1632 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1633
534983d7 1634 if(param & ISO14A_NO_DISCONNECT)
1635 return;
15c4dc5a 1636
15c4dc5a 1637 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1638 LEDsoff();
15c4dc5a 1639}
15c4dc5a 1640//-----------------------------------------------------------------------------
1641// Read an ISO 14443a tag. Send out commands and store answers.
1642//
1643//-----------------------------------------------------------------------------
f7e3ed82 1644void ReaderMifare(uint32_t parameter)
15c4dc5a 1645{
15c4dc5a 1646 // Mifare AUTH
f7e3ed82 1647 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1648 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1649
f7e3ed82 1650 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1651 traceLen = 0;
1652 tracing = false;
e30c654b 1653
7e758047 1654 iso14443a_setup();
e30c654b 1655
15c4dc5a 1656 LED_A_ON();
1657 LED_B_OFF();
1658 LED_C_OFF();
e30c654b 1659
15c4dc5a 1660 byte_t nt_diff = 0;
1661 LED_A_OFF();
1662 byte_t par = 0;
1663 byte_t par_mask = 0xff;
1664 byte_t par_low = 0;
f7e3ed82 1665 int led_on = TRUE;
e30c654b 1666
15c4dc5a 1667 tracing = FALSE;
1668 byte_t nt[4];
1669 byte_t nt_attacked[4];
1670 byte_t par_list[8];
1671 byte_t ks_list[8];
1672 num_to_bytes(parameter,4,nt_attacked);
1673
1674 while(TRUE)
1675 {
1676 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1677 SpinDelay(200);
1678 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1679
15c4dc5a 1680 // Test if the action was cancelled
1681 if(BUTTON_PRESS()) {
1682 break;
1683 }
e30c654b 1684
534983d7 1685 if(!iso14443a_select_card(NULL, NULL)) continue;
e30c654b 1686
15c4dc5a 1687 // Transmit MIFARE_CLASSIC_AUTH
1688 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1689
15c4dc5a 1690 // Receive the (16 bit) "random" nonce
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 memcpy(nt,receivedAnswer,4);
1693
1694 // Transmit reader nonce and reader answer
1695 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1696
15c4dc5a 1697 // Receive 4 bit answer
1698 if (ReaderReceive(receivedAnswer))
1699 {
e30c654b 1700 if (nt_diff == 0)
15c4dc5a 1701 {
1702 LED_A_ON();
1703 memcpy(nt_attacked,nt,4);
1704 par_mask = 0xf8;
1705 par_low = par & 0x07;
1706 }
1707
1708 if (memcmp(nt,nt_attacked,4) != 0) continue;
1709
1710 led_on = !led_on;
1711 if(led_on) LED_B_ON(); else LED_B_OFF();
1712 par_list[nt_diff] = par;
1713 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1714
15c4dc5a 1715 // Test if the information is complete
1716 if (nt_diff == 0x07) break;
e30c654b 1717
15c4dc5a 1718 nt_diff = (nt_diff+1) & 0x07;
1719 mf_nr_ar[3] = nt_diff << 5;
1720 par = par_low;
1721 } else {
1722 if (nt_diff == 0)
1723 {
1724 par++;
1725 } else {
1726 par = (((par>>3)+1) << 3) | par_low;
1727 }
1728 }
1729 }
e30c654b 1730
72934aa3 1731 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1732 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1733 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
e30c654b 1734
15c4dc5a 1735 // Thats it...
1736 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1737 LEDsoff();
1738 tracing = TRUE;
1739}
Proxmark3 GIT tracking
Impressum, Datenschutz