]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add Smartcard functions (RDV4.0) (#646)
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
12
b8e461ff 13#include <stdarg.h>
14
902cb3c0 15#include "usb_cdc.h"
16#include "cmd.h"
e30c654b 17#include "proxmark3.h"
15c4dc5a 18#include "apps.h"
472345da 19#include "fpga.h"
f7e3ed82 20#include "util.h"
9ab7a6c7 21#include "printf.h"
22#include "string.h"
15c4dc5a 23#include "legicrf.h"
b8e461ff 24#include "hitag2.h"
25#include "hitagS.h"
31abe49f 26#include "lfsampling.h"
3000dc4e 27#include "BigBuf.h"
c89274cc 28#include "mifareutil.h"
d10e08ae 29#include "pcf7931.h"
15c4dc5a 30#ifdef WITH_LCD
902cb3c0 31 #include "LCD.h"
15c4dc5a 32#endif
43591e64 33#ifdef WITH_SMARTCARD
34 #include "i2c.h"
35#endif
36
15c4dc5a 37
e46fe044 38// Craig Young - 14a stand-alone code
854fdf15 39#ifdef WITH_ISO14443a
e46fe044
CY		 40 #include "iso14443a.h"
41#endif
42
15c4dc5a 43//=============================================================================
44// A buffer where we can queue things up to be sent through the FPGA, for
45// any purpose (fake tag, as reader, whatever). We go MSB first, since that
46// is the order in which they go out on the wire.
47//=============================================================================
48
6a1f2d82 49#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
50uint8_t ToSend[TOSEND_BUFFER_SIZE];
15c4dc5a 51int ToSendMax;
52static int ToSendBit;
53struct common_area common_area __attribute__((section(".commonarea")));
54
15c4dc5a 55void ToSendReset(void)
56{
57 ToSendMax = -1;
58 ToSendBit = 8;
59}
60
61void ToSendStuffBit(int b)
62{
63 if(ToSendBit >= 8) {
64 ToSendMax++;
65 ToSend[ToSendMax] = 0;
66 ToSendBit = 0;
67 }
68
69 if(b) {
70 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
71 }
72
73 ToSendBit++;
74
6a1f2d82 75 if(ToSendMax >= sizeof(ToSend)) {
15c4dc5a 76 ToSendBit = 0;
77 DbpString("ToSendStuffBit overflowed!");
78 }
79}
80
81//=============================================================================
82// Debug print functions, to go out over USB, to the usual PC-side client.
83//=============================================================================
84
85void DbpString(char *str)
86{
9440213d 87 byte_t len = strlen(str);
88 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
15c4dc5a 89}
90
91#if 0
92void DbpIntegers(int x1, int x2, int x3)
93{
902cb3c0 94 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
15c4dc5a 95}
96#endif
97
98void Dbprintf(const char *fmt, ...) {
99// should probably limit size here; oh well, let's just use a big buffer
100 char output_string[128];
101 va_list ap;
102
103 va_start(ap, fmt);
104 kvsprintf(fmt, output_string, 10, ap);
105 va_end(ap);
e30c654b 106
15c4dc5a 107 DbpString(output_string);
108}
109
9455b51c 110// prints HEX & ASCII
d19929cb 111void Dbhexdump(int len, uint8_t *d, bool bAsci) {
9455b51c 112 int l=0,i;
113 char ascii[9];
d19929cb 114
9455b51c 115 while (len>0) {
116 if (len>8) l=8;
117 else l=len;
118
119 memcpy(ascii,d,l);
d19929cb 120 ascii[l]=0;
9455b51c 121
122 // filter safe ascii
d19929cb 123 for (i=0;i<l;i++)
9455b51c 124 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
d19929cb 125
126 if (bAsci) {
127 Dbprintf("%-8s %*D",ascii,l,d," ");
128 } else {
129 Dbprintf("%*D",l,d," ");
130 }
131
9455b51c 132 len-=8;
133 d+=8;
134 }
135}
136
15c4dc5a 137//-----------------------------------------------------------------------------
138// Read an ADC channel and block till it completes, then return the result
139// in ADC units (0 to 1023). Also a routine to average 32 samples and
140// return that.
141//-----------------------------------------------------------------------------
142static int ReadAdc(int ch)
2d51da38 143{
3b692427 144 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
9b32625c 145 // AMPL_HI is are high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
146 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
3b692427 147 //
148 // The maths are:
149 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
150 //
9b32625c 151 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
15c4dc5a 152
2d51da38
I		 153 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
154 AT91C_BASE_ADC->ADC_MR =
9b32625c 155 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
156 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
157 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
3b692427 158
2d51da38
I		 159 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
160 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
15c4dc5a 161
2d51da38
I		 162 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
163
164 return AT91C_BASE_ADC->ADC_CDR[ch];
15c4dc5a 165}
166
9ca155ba 167int AvgAdc(int ch) // was static - merlok
15c4dc5a 168{
169 int i;
170 int a = 0;
171
172 for(i = 0; i < 32; i++) {
173 a += ReadAdc(ch);
174 }
175
176 return (a + 15) >> 5;
177}
178
fdcfbdcc 179void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
15c4dc5a 180{
9b32625c 181 int i, adcval = 0, peak = 0;
15c4dc5a 182
183/*
184 * Sweeps the useful LF range of the proxmark from
185 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
186 * read the voltage in the antenna, the result left
187 * in the buffer is a graph which should clearly show
188 * the resonating frequency of your LF antenna
189 * ( hopefully around 95 if it is tuned to 125kHz!)
190 */
fdcfbdcc
RAB		 191
192 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
b014c96d 193 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2d51da38
I		 194 SpinDelay(50);
195
2bdd68c3 196 for (i=255; i>=19; i--) {
fdcfbdcc 197 WDT_HIT();
15c4dc5a 198 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
199 SpinDelay(20);
3b692427 200 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
fdcfbdcc
RAB		 201 if (i==95) *vLf125 = adcval; // voltage at 125Khz
202 if (i==89) *vLf134 = adcval; // voltage at 134Khz
15c4dc5a 203
2d51da38 204 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
2bdd68c3 205 if(LF_Results[i] > peak) {
fdcfbdcc 206 *peakv = adcval;
2bdd68c3 207 peak = LF_Results[i];
fdcfbdcc 208 *peakf = i;
9f693930 209 //ptr = i;
15c4dc5a 210 }
211 }
212
2bdd68c3 213 for (i=18; i >= 0; i--) LF_Results[i] = 0;
fdcfbdcc
RAB		 214
215 return;
216}
217
218void MeasureAntennaTuningHfOnly(int *vHf)
219{
15c4dc5a 220 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
fdcfbdcc
RAB		 221 LED_A_ON();
222 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 223 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
224 SpinDelay(20);
fdcfbdcc
RAB		 225 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
226 LED_A_OFF();
227
228 return;
229}
230
231void MeasureAntennaTuning(int mode)
232{
233 uint8_t LF_Results[256] = {0};
234 int peakv = 0, peakf = 0;
235 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
236
237 LED_B_ON();
238
239 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
240 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
241 MeasureAntennaTuningHfOnly(&vHf);
242 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
243 } else {
244 if (mode & FLAG_TUNE_LF) {
245 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
246 }
247 if (mode & FLAG_TUNE_HF) {
248 MeasureAntennaTuningHfOnly(&vHf);
249 }
250 }
15c4dc5a 251
d040cb90 252 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
d19929cb 253 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2bdd68c3 254 LED_B_OFF();
255 return;
15c4dc5a 256}
257
258void MeasureAntennaTuningHf(void)
259{
260 int vHf = 0; // in mV
261
262 DbpString("Measuring HF antenna, press button to exit");
263
3b692427 264 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
265 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
266 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
267
15c4dc5a 268 for (;;) {
15c4dc5a 269 SpinDelay(20);
3b692427 270 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
e30c654b 271
15c4dc5a 272 Dbprintf("%d mV",vHf);
273 if (BUTTON_PRESS()) break;
274 }
275 DbpString("cancelled");
3b692427 276
277 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
278
15c4dc5a 279}
280
281
15c4dc5a 282void ReadMem(int addr)
283{
f7e3ed82 284 const uint8_t *data = ((uint8_t *)addr);
15c4dc5a 285
286 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
287 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
288}
289
290/* osimage version information is linked in */
291extern struct version_information version_information;
292/* bootrom version information is pointed to from _bootphase1_version_pointer */
0fa01ec7 293extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
472345da 294
15c4dc5a 295void SendVersion(void)
296{
8e074056 297 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
298 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
e30c654b 299
300 /* Try to find the bootrom version information. Expect to find a pointer at
15c4dc5a 301 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
302 * pointer, then use it.
303 */
304 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
305 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
8e074056 306 strcat(VersionString, "bootrom version information appears invalid\n");
15c4dc5a 307 } else {
308 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
8e074056 309 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
15c4dc5a 310 }
e30c654b 311
15c4dc5a 312 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
8e074056 313 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e30c654b 314
472345da 315 for (int i = 0; i < fpga_bitstream_num; i++) {
316 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
317 if (i < fpga_bitstream_num - 1) {
318 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
319 }
320 }
0fa01ec7 321
e6153040 322 // Send Chip ID and used flash memory
0fa01ec7 323 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
324 uint32_t compressed_data_section_size = common_area.arg1;
8e074056 325 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
15c4dc5a 326}
327
bfb01844 328// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
329// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
67b7d6fa 330void printUSBSpeed(void)
bfb01844 331{
332 Dbprintf("USB Speed:");
67b7d6fa 333 Dbprintf(" Sending USB packets to client...");
bfb01844 334
67b7d6fa 335 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
bfb01844 336 uint8_t *test_data = BigBuf_get_addr();
67b7d6fa 337 uint32_t end_time;
bfb01844 338
67b7d6fa 339 uint32_t start_time = end_time = GetTickCount();
340 uint32_t bytes_transferred = 0;
341
bfb01844 342 LED_B_ON();
67b7d6fa 343 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
344 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
345 end_time = GetTickCount();
346 bytes_transferred += USB_CMD_DATA_SIZE;
bfb01844 347 }
348 LED_B_OFF();
349
67b7d6fa 350 Dbprintf(" Time elapsed: %dms", end_time - start_time);
351 Dbprintf(" Bytes transferred: %d", bytes_transferred);
352 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
353 1000 * bytes_transferred / (end_time - start_time));
bfb01844 354
355}
356
c89274cc
CY		 357/**
358 * Prints runtime information about the PM3.
359**/
67b7d6fa 360void SendStatus(void)
c89274cc
CY		 361{
362 BigBuf_print_status();
363 Fpga_print_status();
43591e64 364#ifdef WITH_SMARTCARD
365 I2C_print_status();
366#endif
c89274cc 367 printConfig(); //LF Sampling config
67b7d6fa 368 printUSBSpeed();
c89274cc 369 Dbprintf("Various");
43591e64 370 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
371 Dbprintf(" ToSendMax..........%d", ToSendMax);
372 Dbprintf(" ToSendBit..........%d", ToSendBit);
bfb01844 373
374 cmd_send(CMD_ACK,1,0,0,0,0);
c89274cc 375}
15c4dc5a 376
a2937cea 377#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
15c4dc5a 378
15c4dc5a 379#define OPTS 2
380
86a83668
MHS		 381void StandAloneMode()
382{
383 DbpString("Stand-alone mode! No PC necessary.");
15c4dc5a 384 // Oooh pretty -- notify user we're in elite samy mode now
385 LED(LED_RED, 200);
386 LED(LED_ORANGE, 200);
387 LED(LED_GREEN, 200);
388 LED(LED_ORANGE, 200);
389 LED(LED_RED, 200);
390 LED(LED_ORANGE, 200);
391 LED(LED_GREEN, 200);
392 LED(LED_ORANGE, 200);
393 LED(LED_RED, 200);
394
86a83668
MHS		 395}
396
397#endif
398
399
400
401#ifdef WITH_ISO14443a_StandAlone
402void StandAloneMode14a()
403{
404 StandAloneMode();
405 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
406
15c4dc5a 407 int selected = 0;
44964fd1 408 bool playing = false, GotoRecord = false, GotoClone = false;
409 bool cardRead[OPTS] = {false};
86a83668
MHS		 410 uint8_t readUID[10] = {0};
411 uint32_t uid_1st[OPTS]={0};
412 uint32_t uid_2nd[OPTS]={0};
c89274cc
CY		 413 uint32_t uid_tmp1 = 0;
414 uint32_t uid_tmp2 = 0;
415 iso14a_card_select_t hi14a_card[OPTS];
15c4dc5a 416
15c4dc5a 417 LED(selected + 1, 0);
418
419 for (;;)
420 {
6e82300d 421 usb_poll();
86a83668 422 WDT_HIT();
15c4dc5a 423 SpinDelay(300);
424
44964fd1 425 if (GotoRecord || !cardRead[selected])
15c4dc5a 426 {
44964fd1 427 GotoRecord = false;
15c4dc5a 428 LEDsoff();
429 LED(selected + 1, 0);
430 LED(LED_RED2, 0);
431
432 // record
86a83668 433 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
15c4dc5a 434 /* need this delay to prevent catching some weird data */
435 SpinDelay(500);
86a83668
MHS		 436 /* Code for reading from 14a tag */
437 uint8_t uid[10] ={0};
438 uint32_t cuid;
439 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
15c4dc5a 440
86a83668
MHS		 441 for ( ; ; )
442 {
443 WDT_HIT();
c89274cc
CY		 444 if (BUTTON_PRESS()) {
445 if (cardRead[selected]) {
446 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
447 break;
448 }
449 else if (cardRead[(selected+1)%OPTS]) {
450 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
451 selected = (selected+1)%OPTS;
44964fd1 452 break;
c89274cc
CY		 453 }
454 else {
455 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
456 SpinDelay(300);
457 }
458 }
c04a4b60 459 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
86a83668
MHS		 460 continue;
461 else
462 {
463 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
464 memcpy(readUID,uid,10*sizeof(uint8_t));
c89274cc 465 uint8_t *dst = (uint8_t *)&uid_tmp1;
86a83668
MHS		 466 // Set UID byte order
467 for (int i=0; i<4; i++)
468 dst[i] = uid[3-i];
c89274cc 469 dst = (uint8_t *)&uid_tmp2;
86a83668
MHS		 470 for (int i=0; i<4; i++)
471 dst[i] = uid[7-i];
c89274cc
CY		 472 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
473 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
474 }
475 else {
476 if (uid_tmp2) {
477 Dbprintf("Bank[%d] received a 7-byte UID",selected);
478 uid_1st[selected] = (uid_tmp1)>>8;
479 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
480 }
481 else {
482 Dbprintf("Bank[%d] received a 4-byte UID",selected);
483 uid_1st[selected] = uid_tmp1;
484 uid_2nd[selected] = uid_tmp2;
485 }
486 break;
487 }
86a83668
MHS		 488 }
489 }
c89274cc
CY		 490 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
491 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
86a83668
MHS		 492 LEDsoff();
493 LED(LED_GREEN, 200);
494 LED(LED_ORANGE, 200);
495 LED(LED_GREEN, 200);
496 LED(LED_ORANGE, 200);
15c4dc5a 497
498 LEDsoff();
499 LED(selected + 1, 0);
15c4dc5a 500
c89274cc 501 // Next state is replay:
44964fd1 502 playing = true;
3fe4ff4f 503
44964fd1 504 cardRead[selected] = true;
86a83668 505 }
c89274cc 506 /* MF Classic UID clone */
44964fd1 507 else if (GotoClone)
3fe4ff4f 508 {
44964fd1 509 GotoClone=false;
c89274cc
CY		 510 LEDsoff();
511 LED(selected + 1, 0);
512 LED(LED_ORANGE, 250);
3fe4ff4f 513
3fe4ff4f 514
c89274cc
CY		 515 // record
516 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
3fe4ff4f 517
c89274cc
CY		 518 // wait for button to be released
519 while(BUTTON_PRESS())
520 {
521 // Delay cloning until card is in place
522 WDT_HIT();
523 }
524 Dbprintf("Starting clone. [Bank: %u]", selected);
525 // need this delay to prevent catching some weird data
526 SpinDelay(500);
527 // Begin clone function here:
528 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
529 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
530 memcpy(c.d.asBytes, data, 16);
531 SendCommand(&c);
532
533 Block read is similar:
534 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
535 We need to imitate that call with blockNo 0 to set a uid.
536
537 The get and set commands are handled in this file:
538 // Work with "magic Chinese" card
539 case CMD_MIFARE_CSETBLOCK:
540 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
541 break;
542 case CMD_MIFARE_CGETBLOCK:
543 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
544 break;
545
546 mfCSetUID provides example logic for UID set workflow:
547 -Read block0 from card in field with MifareCGetBlock()
548 -Configure new values without replacing reserved bytes
549 memcpy(block0, uid, 4); // Copy UID bytes from byte array
550 // Mifare UID BCC
551 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
552 Bytes 5-7 are reserved SAK and ATQA for mifare classic
553 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
554 */
555 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
556 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
557 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
558 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
559 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
44964fd1 560 playing = true;
c89274cc
CY		 561 }
562 else {
563 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
564 memcpy(newBlock0,oldBlock0,16);
565 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
566
567 newBlock0[0] = uid_1st[selected]>>24;
568 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
569 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
570 newBlock0[3] = 0xFF & (uid_1st[selected]);
571 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
572 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
573 MifareCSetBlock(0, 0xFF,0, newBlock0);
574 MifareCGetBlock(0x3F, 1, 0, testBlock0);
575 if (memcmp(testBlock0,newBlock0,16)==0)
576 {
577 DbpString("Cloned successfull!");
44964fd1 578 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
579 playing = false;
580 GotoRecord = true;
c89274cc
CY		 581 selected = (selected+1) % OPTS;
582 }
583 else {
584 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
44964fd1 585 playing = true;
c89274cc
CY		 586 }
587 }
588 LEDsoff();
589 LED(selected + 1, 0);
15c4dc5a 590
86a83668 591 }
15c4dc5a 592 // Change where to record (or begin playing)
44964fd1 593 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
15c4dc5a 594 {
15c4dc5a 595 LEDsoff();
596 LED(selected + 1, 0);
597
598 // Begin transmitting
44964fd1 599 LED(LED_GREEN, 0);
600 DbpString("Playing");
601 for ( ; ; ) {
602 WDT_HIT();
603 int button_action = BUTTON_HELD(1000);
604 if (button_action == 0) { // No button action, proceed with sim
605 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
606 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
607 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
608 DbpString("Mifare Classic");
609 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
c89274cc 610 }
44964fd1 611 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
612 DbpString("Mifare Ultralight");
613 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
15c4dc5a 614 }
44964fd1 615 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
616 DbpString("Mifare DESFire");
617 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
618 }
619 else {
620 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
621 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
c89274cc 622 }
c89274cc 623 }
44964fd1 624 else if (button_action == BUTTON_SINGLE_CLICK) {
625 selected = (selected + 1) % OPTS;
626 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
627 GotoRecord = true;
628 break;
629 }
630 else if (button_action == BUTTON_HOLD) {
631 Dbprintf("Playtime over. Begin cloning...");
632 GotoClone = true;
633 break;
634 }
635 WDT_HIT();
15c4dc5a 636 }
44964fd1 637
638 /* We pressed a button so ignore it here with a delay */
639 SpinDelay(300);
640 LEDsoff();
641 LED(selected + 1, 0);
15c4dc5a 642 }
643 }
644}
a2937cea 645#elif WITH_LF_StandAlone
86a83668
MHS		 646// samy's sniff and repeat routine
647void SamyRun()
e46fe044 648{
86a83668
MHS		 649 StandAloneMode();
650 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
e46fe044 651
86a83668 652 int high[OPTS], low[OPTS];
15c4dc5a 653 int selected = 0;
654 int playing = 0;
3fe4ff4f 655 int cardRead = 0;
15c4dc5a 656
657 // Turn on selected LED
658 LED(selected + 1, 0);
659
660 for (;;)
661 {
6e82300d 662 usb_poll();
86a83668 663 WDT_HIT();
15c4dc5a 664
665 // Was our button held down or pressed?
666 int button_pressed = BUTTON_HELD(1000);
667 SpinDelay(300);
668
669 // Button was held for a second, begin recording
3fe4ff4f 670 if (button_pressed > 0 && cardRead == 0)
15c4dc5a 671 {
672 LEDsoff();
673 LED(selected + 1, 0);
674 LED(LED_RED2, 0);
675
676 // record
677 DbpString("Starting recording");
678
679 // wait for button to be released
680 while(BUTTON_PRESS())
681 WDT_HIT();
682
683 /* need this delay to prevent catching some weird data */
684 SpinDelay(500);
685
686 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
098015eb 687 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 688
689 LEDsoff();
690 LED(selected + 1, 0);
691 // Finished recording
692
693 // If we were previously playing, set playing off
694 // so next button push begins playing what we recorded
695 playing = 0;
3fe4ff4f 696
697 cardRead = 1;
698
699 }
700
701 else if (button_pressed > 0 && cardRead == 1)
702 {
703 LEDsoff();
704 LED(selected + 1, 0);
705 LED(LED_ORANGE, 0);
706
707 // record
098015eb 708 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 709
710 // wait for button to be released
711 while(BUTTON_PRESS())
712 WDT_HIT();
713
714 /* need this delay to prevent catching some weird data */
715 SpinDelay(500);
716
098015eb 717 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
718 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 719
720 LEDsoff();
721 LED(selected + 1, 0);
722 // Finished recording
723
724 // If we were previously playing, set playing off
725 // so next button push begins playing what we recorded
726 playing = 0;
727
728 cardRead = 0;
729
15c4dc5a 730 }
731
732 // Change where to record (or begin playing)
733 else if (button_pressed)
734 {
735 // Next option if we were previously playing
736 if (playing)
737 selected = (selected + 1) % OPTS;
738 playing = !playing;
739
740 LEDsoff();
741 LED(selected + 1, 0);
742
743 // Begin transmitting
744 if (playing)
745 {
746 LED(LED_GREEN, 0);
747 DbpString("Playing");
748 // wait for button to be released
749 while(BUTTON_PRESS())
750 WDT_HIT();
098015eb 751 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 752 CmdHIDsimTAG(high[selected], low[selected], 0);
753 DbpString("Done playing");
754 if (BUTTON_HELD(1000) > 0)
755 {
756 DbpString("Exiting");
757 LEDsoff();
758 return;
759 }
760
761 /* We pressed a button so ignore it here with a delay */
762 SpinDelay(300);
763
764 // when done, we're done playing, move to next option
765 selected = (selected + 1) % OPTS;
766 playing = !playing;
767 LEDsoff();
768 LED(selected + 1, 0);
769 }
770 else
771 while(BUTTON_PRESS())
772 WDT_HIT();
773 }
774 }
775}
15c4dc5a 776
e46fe044 777#endif
15c4dc5a 778/*
779OBJECTIVE
780Listen and detect an external reader. Determine the best location
781for the antenna.
782
783INSTRUCTIONS:
784Inside the ListenReaderField() function, there is two mode.
785By default, when you call the function, you will enter mode 1.
786If you press the PM3 button one time, you will enter mode 2.
787If you press the PM3 button a second time, you will exit the function.
788
789DESCRIPTION OF MODE 1:
790This mode just listens for an external reader field and lights up green
791for HF and/or red for LF. This is the original mode of the detectreader
792function.
793
794DESCRIPTION OF MODE 2:
795This mode will visually represent, using the LEDs, the actual strength of the
796current compared to the maximum current detected. Basically, once you know
797what kind of external reader is present, it will help you spot the best location to place
798your antenna. You will probably not get some good results if there is a LF and a HF reader
799at the same place! :-)
800
801LIGHT SCHEME USED:
802*/
803static const char LIGHT_SCHEME[] = {
804 0x0, /* ---- | No field detected */
805 0x1, /* X--- | 14% of maximum current detected */
806 0x2, /* -X-- | 29% of maximum current detected */
807 0x4, /* --X- | 43% of maximum current detected */
808 0x8, /* ---X | 57% of maximum current detected */
809 0xC, /* --XX | 71% of maximum current detected */
810 0xE, /* -XXX | 86% of maximum current detected */
811 0xF, /* XXXX | 100% of maximum current detected */
812};
813static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
814
815void ListenReaderField(int limit)
816{
3b692427 817 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
818 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
15c4dc5a 819 int mode=1, display_val, display_max, i;
820
3b692427 821#define LF_ONLY 1
822#define HF_ONLY 2
823#define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
824
825
826 // switch off FPGA - we don't want to measure our own signal
827 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
828 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 829
830 LEDsoff();
831
3b692427 832 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
15c4dc5a 833
834 if(limit != HF_ONLY) {
3b692427 835 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
15c4dc5a 836 lf_baseline = lf_av;
837 }
838
3b692427 839 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
15c4dc5a 840
841 if (limit != LF_ONLY) {
3b692427 842 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
15c4dc5a 843 hf_baseline = hf_av;
844 }
845
846 for(;;) {
847 if (BUTTON_PRESS()) {
848 SpinDelay(500);
849 switch (mode) {
850 case 1:
851 mode=2;
852 DbpString("Signal Strength Mode");
853 break;
854 case 2:
855 default:
856 DbpString("Stopped");
857 LEDsoff();
858 return;
859 break;
860 }
861 }
862 WDT_HIT();
863
864 if (limit != HF_ONLY) {
3b692427 865 if(mode == 1) {
cf194819 866 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
3b692427 867 LED_D_ON();
868 else
869 LED_D_OFF();
15c4dc5a 870 }
e30c654b 871
3b692427 872 lf_av_new = AvgAdc(ADC_CHAN_LF);
15c4dc5a 873 // see if there's a significant change
cf194819 874 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
3b692427 875 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
15c4dc5a 876 lf_av = lf_av_new;
877 if (lf_av > lf_max)
878 lf_max = lf_av;
15c4dc5a 879 }
880 }
881
882 if (limit != LF_ONLY) {
883 if (mode == 1){
cf194819 884 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
3b692427 885 LED_B_ON();
886 else
887 LED_B_OFF();
15c4dc5a 888 }
e30c654b 889
3b692427 890 hf_av_new = AvgAdc(ADC_CHAN_HF);
15c4dc5a 891 // see if there's a significant change
cf194819 892 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
3b692427 893 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
15c4dc5a 894 hf_av = hf_av_new;
895 if (hf_av > hf_max)
896 hf_max = hf_av;
15c4dc5a 897 }
898 }
e30c654b 899
15c4dc5a 900 if(mode == 2) {
901 if (limit == LF_ONLY) {
902 display_val = lf_av;
903 display_max = lf_max;
904 } else if (limit == HF_ONLY) {
905 display_val = hf_av;
906 display_max = hf_max;
907 } else { /* Pick one at random */
908 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
909 display_val = hf_av;
910 display_max = hf_max;
911 } else {
912 display_val = lf_av;
913 display_max = lf_max;
914 }
915 }
916 for (i=0; i<LIGHT_LEN; i++) {
917 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
918 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
919 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
920 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
921 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
922 break;
923 }
924 }
925 }
926 }
927}
928
f7e3ed82 929void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 930{
931 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 932
902cb3c0 933// Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
934
15c4dc5a 935 switch(c->cmd) {
936#ifdef WITH_LF
31abe49f
MHS		 937 case CMD_SET_LF_SAMPLING_CONFIG:
938 setSamplingConfig((sample_config *) c->d.asBytes);
939 break;
15c4dc5a 940 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
b9957414 941 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
15c4dc5a 942 break;
15c4dc5a 943 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
944 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
945 break;
b014c96d 946 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 947 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 948 break;
7e67e42f 949 case CMD_HID_DEMOD_FSK:
3fe4ff4f 950 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
7e67e42f 951 break;
952 case CMD_HID_SIM_TAG:
3fe4ff4f 953 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
7e67e42f 954 break;
abd6112f 955 case CMD_FSK_SIM_TAG:
956 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
957 break;
958 case CMD_ASK_SIM_TAG:
959 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
960 break;
872e3d4d 961 case CMD_PSK_SIM_TAG:
962 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
963 break;
964 case CMD_HID_CLONE_TAG:
1c611bbd 965 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
7e67e42f 966 break;
a1f3bb12 967 case CMD_IO_DEMOD_FSK:
3fe4ff4f 968 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 969 break;
3fe4ff4f 970 case CMD_IO_CLONE_TAG:
9f669cb2 971 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 972 break;
66707a3b 973 case CMD_EM410X_DEMOD:
974 CmdEM410xdemod(c->arg[0], 0, 0, 1);
975 break;
2d4eae76 976 case CMD_EM410X_WRITE_TAG:
977 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
978 break;
7e67e42f 979 case CMD_READ_TI_TYPE:
980 ReadTItag();
981 break;
982 case CMD_WRITE_TI_TYPE:
983 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
984 break;
985 case CMD_SIMULATE_TAG_125K:
31d1caa5 986 LED_A_ON();
7e67e42f 987 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
31d1caa5 988 LED_A_OFF();
7e67e42f 989 break;
990 case CMD_LF_SIMULATE_BIDIR:
991 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
992 break;
3fe4ff4f 993 case CMD_INDALA_CLONE_TAG:
2414f978 994 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
995 break;
3fe4ff4f 996 case CMD_INDALA_CLONE_TAG_L:
2414f978 997 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
998 break;
1c611bbd 999 case CMD_T55XX_READ_BLOCK:
8e99ec25 1000 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1001 break;
1002 case CMD_T55XX_WRITE_BLOCK:
1003 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1004 break;
be2d41b7 1005 case CMD_T55XX_WAKEUP:
1006 T55xxWakeUp(c->arg[0]);
1c611bbd 1007 break;
66837a03 1008 case CMD_T55XX_RESET_READ:
1009 T55xxResetRead();
1010 break;
3fe4ff4f 1011 case CMD_PCF7931_READ:
1c611bbd 1012 ReadPCF7931();
1c611bbd 1013 break;
dc4300ba 1014 case CMD_PCF7931_WRITE:
d10e08ae 1015 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
dc4300ba 1016 break;
1c611bbd 1017 case CMD_EM4X_READ_WORD:
7666f460 1018 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1c611bbd 1019 break;
1020 case CMD_EM4X_WRITE_WORD:
7666f460 1021 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1022 break;
dbf6e824
CY		 1023 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1024 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
7cfc777b 1025 break;
709665b5 1026 case CMD_VIKING_CLONE_TAG:
1027 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1028 break;
e04475c4 1029 case CMD_COTAG:
1030 Cotag(c->arg[0]);
1031 break;
15c4dc5a 1032#endif
1033
d19929cb 1034#ifdef WITH_HITAG
1035 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1036 SnoopHitag(c->arg[0]);
1037 break;
1038 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1039 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1040 break;
1041 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1042 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1043 break;
4e12287d
RS		 1044 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1045 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1046 break;
1047 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1048 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1049 break;
1050 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1051 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1052 break;
1053 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
52244230
HJ		 1054 if ((hitag_function)c->arg[0] < 10) {
1055 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1056 }
1057 else if ((hitag_function)c->arg[0] >= 10) {
1058 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1059 }
4e12287d 1060 break;
d19929cb 1061#endif
f168b263 1062
15c4dc5a 1063#ifdef WITH_ISO15693
1064 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1065 AcquireRawAdcSamplesIso15693();
1066 break;
9455b51c 1067 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1068 RecordRawAdcSamplesIso15693();
1069 break;
1070
1071 case CMD_ISO_15693_COMMAND:
1072 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1073 break;
1074
1075 case CMD_ISO_15693_FIND_AFI:
1076 BruteforceIso15693Afi(c->arg[0]);
1077 break;
1078
1079 case CMD_ISO_15693_DEBUG:
1080 SetDebugIso15693(c->arg[0]);
1081 break;
15c4dc5a 1082
15c4dc5a 1083 case CMD_READER_ISO_15693:
1084 ReaderIso15693(c->arg[0]);
1085 break;
7e67e42f 1086 case CMD_SIMTAG_ISO_15693:
3fe4ff4f 1087 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1088 break;
15c4dc5a 1089#endif
1090
7e67e42f 1091#ifdef WITH_LEGICRF
1092 case CMD_SIMULATE_TAG_LEGIC_RF:
1093 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1094 break;
3612a8a8 1095
7e67e42f 1096 case CMD_WRITER_LEGIC_RF:
1097 LegicRfWriter(c->arg[1], c->arg[0]);
1098 break;
3612a8a8 1099
15c4dc5a 1100 case CMD_READER_LEGIC_RF:
1101 LegicRfReader(c->arg[0], c->arg[1]);
1102 break;
15c4dc5a 1103#endif
1104
1105#ifdef WITH_ISO14443b
15c4dc5a 1106 case CMD_READ_SRI512_TAG:
51d4f6f1 1107 ReadSTMemoryIso14443b(0x0F);
15c4dc5a 1108 break;
7e67e42f 1109 case CMD_READ_SRIX4K_TAG:
51d4f6f1 1110 ReadSTMemoryIso14443b(0x7F);
7e67e42f 1111 break;
132a0217 1112 case CMD_SNOOP_ISO_14443B:
51d4f6f1 1113 SnoopIso14443b();
7e67e42f 1114 break;
132a0217 1115 case CMD_SIMULATE_TAG_ISO_14443B:
51d4f6f1 1116 SimulateIso14443bTag();
7e67e42f 1117 break;
7cf3ef20 1118 case CMD_ISO_14443B_COMMAND:
1119 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1120 break;
15c4dc5a 1121#endif
1122
1123#ifdef WITH_ISO14443a
7e67e42f 1124 case CMD_SNOOP_ISO_14443a:
5cd9ec01 1125 SnoopIso14443a(c->arg[0]);
7e67e42f 1126 break;
15c4dc5a 1127 case CMD_READER_ISO_14443a:
902cb3c0 1128 ReaderIso14443a(c);
15c4dc5a 1129 break;
7e67e42f 1130 case CMD_SIMULATE_TAG_ISO_14443a:
28afbd2b 1131 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1132 break;
3fe4ff4f 1133
5acd09bd 1134 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1135 EPA_PACE_Collect_Nonce(c);
5acd09bd 1136 break;
3bb07d96
FM		 1137 case CMD_EPA_PACE_REPLAY:
1138 EPA_PACE_Replay(c);
1139 break;
7e67e42f 1140
15c4dc5a 1141 case CMD_READER_MIFARE:
f168b263 1142 ReaderMifare(c->arg[0]);
15c4dc5a 1143 break;
20f9a2a1
M		 1144 case CMD_MIFARE_READBL:
1145 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1146 break;
981bd429 1147 case CMD_MIFAREU_READBL:
f168b263 1148 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1149 break;
8258f409 1150 case CMD_MIFAREUC_AUTH:
1151 MifareUC_Auth(c->arg[0],c->d.asBytes);
a631936e 1152 break;
981bd429 1153 case CMD_MIFAREU_READCARD:
75377d29 1154 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1155 break;
f168b263 1156 case CMD_MIFAREUC_SETPWD:
1157 MifareUSetPwd(c->arg[0], c->d.asBytes);
1158 break;
20f9a2a1
M		 1159 case CMD_MIFARE_READSC:
1160 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1161 break;
1162 case CMD_MIFARE_WRITEBL:
1163 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1164 break;
4973f23d 1165 //case CMD_MIFAREU_WRITEBL_COMPAT:
1166 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1167 //break;
981bd429 1168 case CMD_MIFAREU_WRITEBL:
4973f23d 1169 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
f168b263 1170 break;
c48c4d78 1171 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1172 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1173 break;
20f9a2a1
M		 1174 case CMD_MIFARE_NESTED:
1175 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M		 1176 break;
1177 case CMD_MIFARE_CHKKEYS:
1178 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M		 1179 break;
1180 case CMD_SIMULATE_MIFARE_CARD:
1181 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1182 break;
8556b852
M		 1183
1184 // emulator
1185 case CMD_MIFARE_SET_DBGMODE:
1186 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1187 break;
1188 case CMD_MIFARE_EML_MEMCLR:
1189 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1190 break;
1191 case CMD_MIFARE_EML_MEMSET:
1192 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1193 break;
1194 case CMD_MIFARE_EML_MEMGET:
1195 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1196 break;
1197 case CMD_MIFARE_EML_CARDLOAD:
1198 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M		 1199 break;
1200
1201 // Work with "magic Chinese" card
3a05a1e7
OM		 1202 case CMD_MIFARE_CWIPE:
1203 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1204 break;
3fe4ff4f 1205 case CMD_MIFARE_CSETBLOCK:
0675f200 1206 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
545a1f38 1207 break;
3fe4ff4f 1208 case CMD_MIFARE_CGETBLOCK:
545a1f38 1209 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
8556b852 1210 break;
3fe4ff4f 1211 case CMD_MIFARE_CIDENT:
1212 MifareCIdent();
1213 break;
b62a5a84
M		 1214
1215 // mifare sniffer
1216 case CMD_MIFARE_SNIFFER:
5cd9ec01 1217 SniffMifare(c->arg[0]);
b62a5a84 1218 break;
a631936e 1219
20f9a2a1
M		 1220#endif
1221
7e67e42f 1222#ifdef WITH_ICLASS
cee5a30d 1223 // Makes use of ISO14443a FPGA Firmware
1224 case CMD_SNOOP_ICLASS:
1225 SnoopIClass();
1226 break;
1e262141 1227 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1228 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1229 break;
1230 case CMD_READER_ICLASS:
1231 ReaderIClass(c->arg[0]);
1232 break;
c3963755 1233 case CMD_READER_ICLASS_REPLAY:
aa53efc3 1234 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
c3963755 1235 break;
aa53efc3 1236 case CMD_ICLASS_EML_MEMSET:
e80aeb96
MHS		 1237 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1238 break;
aa53efc3 1239 case CMD_ICLASS_WRITEBLOCK:
3ac22ee1 1240 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1241 break;
1242 case CMD_ICLASS_READCHECK: // auth step 1
1243 iClass_ReadCheck(c->arg[0], c->arg[1]);
aa53efc3 1244 break;
1245 case CMD_ICLASS_READBLOCK:
3ac22ee1 1246 iClass_ReadBlk(c->arg[0]);
aa53efc3 1247 break;
3ac22ee1 1248 case CMD_ICLASS_AUTHENTICATION: //check
aa53efc3 1249 iClass_Authentication(c->d.asBytes);
1250 break;
1251 case CMD_ICLASS_DUMP:
3ac22ee1 1252 iClass_Dump(c->arg[0], c->arg[1]);
aa53efc3 1253 break;
1254 case CMD_ICLASS_CLONE:
3ac22ee1 1255 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
aa53efc3 1256 break;
cee5a30d 1257#endif
0472d76d 1258#ifdef WITH_HFSNOOP
1259 case CMD_HF_SNIFFER:
1260 HfSnoop(c->arg[0], c->arg[1]);
1261 break;
1262#endif
43591e64 1263#ifdef WITH_SMARTCARD
1264 case CMD_SMART_ATR: {
1265 SmartCardAtr();
1266 break;
1267 }
1268 case CMD_SMART_SETCLOCK:{
1269 SmartCardSetClock(c->arg[0]);
1270 break;
1271 }
1272 case CMD_SMART_RAW: {
1273 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1274 break;
1275 }
1276 case CMD_SMART_UPLOAD: {
1277 // upload file from client
1278 uint8_t *mem = BigBuf_get_addr();
1279 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1280 cmd_send(CMD_ACK,1,0,0,0,0);
1281 break;
1282 }
1283 case CMD_SMART_UPGRADE: {
1284 SmartCardUpgrade(c->arg[0]);
1285 break;
1286 }
1287#endif
cee5a30d 1288
7e67e42f 1289 case CMD_BUFF_CLEAR:
117d9ec2 1290 BigBuf_Clear();
15c4dc5a 1291 break;
15c4dc5a 1292
1293 case CMD_MEASURE_ANTENNA_TUNING:
fdcfbdcc 1294 MeasureAntennaTuning(c->arg[0]);
15c4dc5a 1295 break;
1296
1297 case CMD_MEASURE_ANTENNA_TUNING_HF:
1298 MeasureAntennaTuningHf();
1299 break;
1300
1301 case CMD_LISTEN_READER_FIELD:
1302 ListenReaderField(c->arg[0]);
1303 break;
1304
15c4dc5a 1305 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1306 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1307 SpinDelay(200);
1308 LED_D_OFF(); // LED D indicates field ON or OFF
1309 break;
1310
1c611bbd 1311 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
902cb3c0 1312
1c611bbd 1313 LED_B_ON();
117d9ec2 1314 uint8_t *BigBuf = BigBuf_get_addr();
1c611bbd 1315 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1316 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1317 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1318 }
1319 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1320 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1321 LED_B_OFF();
1c611bbd 1322 break;
15c4dc5a 1323
1324 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
8c8317a5 1325 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1326 // to be able to use this one for uploading data to device
1327 // arg1 = 0 upload for LF usage
1328 // 1 upload for HF usage
1329 if (c->arg[1] == 0)
1330 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1331 else
1332 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1333
117d9ec2 1334 uint8_t *b = BigBuf_get_addr();
3fe4ff4f 1335 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1336 cmd_send(CMD_ACK,0,0,0,0,0);
1337 break;
1338 }
15c4dc5a 1339 case CMD_READ_MEM:
1340 ReadMem(c->arg[0]);
1341 break;
1342
1343 case CMD_SET_LF_DIVISOR:
8c8317a5 1344 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1345 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1346 break;
1347
1348 case CMD_SET_ADC_MUX:
1349 switch(c->arg[0]) {
1350 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1351 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1352 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1353 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1354 }
1355 break;
1356
1357 case CMD_VERSION:
1358 SendVersion();
1359 break;
c89274cc 1360 case CMD_STATUS:
67b7d6fa 1361 SendStatus();
c89274cc
CY		 1362 break;
1363 case CMD_PING:
1364 cmd_send(CMD_ACK,0,0,0,0,0);
1365 break;
15c4dc5a 1366#ifdef WITH_LCD
1367 case CMD_LCD_RESET:
1368 LCDReset();
1369 break;
1370 case CMD_LCD:
1371 LCDSend(c->arg[0]);
1372 break;
1373#endif
1374 case CMD_SETUP_WRITE:
1375 case CMD_FINISH_WRITE:
1c611bbd 1376 case CMD_HARDWARE_RESET:
1377 usb_disable();
15c4dc5a 1378 SpinDelay(1000);
1379 SpinDelay(1000);
1380 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1381 for(;;) {
1382 // We're going to reset, and the bootrom will take control.
1383 }
1c611bbd 1384 break;
15c4dc5a 1385
1c611bbd 1386 case CMD_START_FLASH:
15c4dc5a 1387 if(common_area.flags.bootrom_present) {
1388 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1389 }
1c611bbd 1390 usb_disable();
15c4dc5a 1391 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1392 for(;;);
1c611bbd 1393 break;
e30c654b 1394
15c4dc5a 1395 case CMD_DEVICE_INFO: {
902cb3c0 1396 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1397 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1398 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1399 break;
1400 }
1401 default:
15c4dc5a 1402 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1403 break;
15c4dc5a 1404 }
1405}
1406
1407void __attribute__((noreturn)) AppMain(void)
1408{
1409 SpinDelay(100);
9e8255d4 1410 clear_trace();
15c4dc5a 1411 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1412 /* Initialize common area */
1413 memset(&common_area, 0, sizeof(common_area));
1414 common_area.magic = COMMON_AREA_MAGIC;
1415 common_area.version = 1;
1416 }
1417 common_area.flags.osimage_present = 1;
1418
1419 LED_D_OFF();
1420 LED_C_OFF();
1421 LED_B_OFF();
1422 LED_A_OFF();
1423
3fe4ff4f 1424 // Init USB device
902cb3c0 1425 usb_enable();
15c4dc5a 1426
1427 // The FPGA gets its clock from us from PCK0 output, so set that up.
1428 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1429 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1430 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1431 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1432 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
0472d76d 1433 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
15c4dc5a 1434 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1435
1436 // Reset SPI
1437 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1438 // Reset SSC
1439 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1440
1441 // Load the FPGA image, which we have stored in our flash.
7cc204bf 1442 // (the HF version by default)
1443 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1444
9ca155ba 1445 StartTickCount();
902cb3c0 1446
15c4dc5a 1447#ifdef WITH_LCD
15c4dc5a 1448 LCDInit();
15c4dc5a 1449#endif
1450
902cb3c0 1451 byte_t rx[sizeof(UsbCommand)];
1452 size_t rx_len;
1453
15c4dc5a 1454 for(;;) {
902cb3c0 1455 if (usb_poll()) {
1456 rx_len = usb_read(rx,sizeof(UsbCommand));
1457 if (rx_len) {
1458 UsbPacketReceived(rx,rx_len);
1459 }
1460 }
15c4dc5a 1461 WDT_HIT();
1462
a2937cea 1463#ifdef WITH_LF_StandAlone
e46fe044 1464#ifndef WITH_ISO14443a_StandAlone
15c4dc5a 1465 if (BUTTON_HELD(1000) > 0)
1466 SamyRun();
e46fe044
CY		 1467#endif
1468#endif
1469#ifdef WITH_ISO14443a
1470#ifdef WITH_ISO14443a_StandAlone
1471 if (BUTTON_HELD(1000) > 0)
1472 StandAloneMode14a();
1473#endif
15c4dc5a 1474#endif
1475 }
1476}
Proxmark3 GIT tracking
Impressum, Datenschutz