]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
added better tracing capabilities, fixed some reader issues
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M		 20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
534983d7 23static uint32_t iso14a_timeout;
1e262141 24uint8_t *trace = (uint8_t *) BigBuf;
25int traceLen = 0;
26int rsamples = 0;
27int tracing = TRUE;
28uint8_t trigger = 0;
15c4dc5a 29
8f51ddb0 30// CARD TO READER - manchester
72934aa3 31// Sequence D: 11110000 modulation with subcarrier during first half
32// Sequence E: 00001111 modulation with subcarrier during second half
33// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 34// READER TO CARD - miller
72934aa3 35// Sequence X: 00001100 drop after half a period
36// Sequence Y: 00000000 no drop
37// Sequence Z: 11000000 drop at start
38#define SEC_D 0xf0
39#define SEC_E 0x0f
40#define SEC_F 0x00
41#define SEC_X 0x0c
42#define SEC_Y 0x00
43#define SEC_Z 0xc0
15c4dc5a 44
1e262141 45const uint8_t OddByteParity[256] = {
15c4dc5a 46 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
62};
63
1e262141 64
534983d7 65void iso14a_set_trigger(int enable) {
66 trigger = enable;
67}
68
8556b852
M		 69void iso14a_clear_tracelen(void) {
70 traceLen = 0;
71}
72void iso14a_set_tracing(int enable) {
73 tracing = enable;
74}
75
15c4dc5a 76//-----------------------------------------------------------------------------
77// Generate the parity value for a byte sequence
e30c654b 78//
15c4dc5a 79//-----------------------------------------------------------------------------
20f9a2a1
M		 80byte_t oddparity (const byte_t bt)
81{
82 return OddByteParity[bt];
83}
84
f7e3ed82 85uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 86{
87 int i;
f7e3ed82 88 uint32_t dwPar = 0;
72934aa3 89
15c4dc5a 90 // Generate the encrypted data
91 for (i = 0; i < iLen; i++) {
92 // Save the encrypted parity bit
93 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
94 }
95 return dwPar;
96}
97
534983d7 98void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 99{
100 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
101}
102
1e262141 103// The function LogTrace() is also used by the iClass implementation in iClass.c
ed82636b 104int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 105{
106 // Return when trace is full
81cd0474 107 if (traceLen >= TRACE_SIZE) return FALSE;
e30c654b 108
15c4dc5a 109 // Trace the random, i'm curious
110 rsamples += iSamples;
111 trace[traceLen++] = ((rsamples >> 0) & 0xff);
112 trace[traceLen++] = ((rsamples >> 8) & 0xff);
113 trace[traceLen++] = ((rsamples >> 16) & 0xff);
114 trace[traceLen++] = ((rsamples >> 24) & 0xff);
115 if (!bReader) {
116 trace[traceLen - 1] |= 0x80;
117 }
118 trace[traceLen++] = ((dwParity >> 0) & 0xff);
119 trace[traceLen++] = ((dwParity >> 8) & 0xff);
120 trace[traceLen++] = ((dwParity >> 16) & 0xff);
121 trace[traceLen++] = ((dwParity >> 24) & 0xff);
122 trace[traceLen++] = iLen;
123 memcpy(trace + traceLen, btBytes, iLen);
124 traceLen += iLen;
125 return TRUE;
126}
127
15c4dc5a 128//-----------------------------------------------------------------------------
129// The software UART that receives commands from the reader, and its state
130// variables.
131//-----------------------------------------------------------------------------
132static struct {
133 enum {
134 STATE_UNSYNCD,
135 STATE_START_OF_COMMUNICATION,
136 STATE_MILLER_X,
137 STATE_MILLER_Y,
138 STATE_MILLER_Z,
139 STATE_ERROR_WAIT
140 } state;
f7e3ed82 141 uint16_t shiftReg;
15c4dc5a 142 int bitCnt;
143 int byteCnt;
144 int byteCntMax;
145 int posCnt;
146 int syncBit;
147 int parityBits;
148 int samples;
149 int highCnt;
150 int bitBuffer;
151 enum {
152 DROP_NONE,
153 DROP_FIRST_HALF,
154 DROP_SECOND_HALF
155 } drop;
f7e3ed82 156 uint8_t *output;
15c4dc5a 157} Uart;
158
6c1e2d95 159static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 160{
9f693930 161 //int error = 0;
15c4dc5a 162 int bitright;
163
164 if(!Uart.bitBuffer) {
165 Uart.bitBuffer = bit ^ 0xFF0;
166 return FALSE;
167 }
168 else {
169 Uart.bitBuffer <<= 4;
170 Uart.bitBuffer ^= bit;
171 }
172
f7e3ed82 173 int EOC = FALSE;
15c4dc5a 174
175 if(Uart.state != STATE_UNSYNCD) {
176 Uart.posCnt++;
177
178 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
179 bit = 0x00;
180 }
181 else {
182 bit = 0x01;
183 }
184 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
185 bitright = 0x00;
186 }
187 else {
188 bitright = 0x01;
189 }
190 if(bit != bitright) { bit = bitright; }
191
192 if(Uart.posCnt == 1) {
193 // measurement first half bitperiod
194 if(!bit) {
195 Uart.drop = DROP_FIRST_HALF;
196 }
197 }
198 else {
199 // measurement second half bitperiod
200 if(!bit & (Uart.drop == DROP_NONE)) {
201 Uart.drop = DROP_SECOND_HALF;
202 }
203 else if(!bit) {
204 // measured a drop in first and second half
205 // which should not be possible
206 Uart.state = STATE_ERROR_WAIT;
9f693930 207 //error = 0x01;
15c4dc5a 208 }
209
210 Uart.posCnt = 0;
211
212 switch(Uart.state) {
213 case STATE_START_OF_COMMUNICATION:
214 Uart.shiftReg = 0;
215 if(Uart.drop == DROP_SECOND_HALF) {
216 // error, should not happen in SOC
217 Uart.state = STATE_ERROR_WAIT;
9f693930 218 //error = 0x02;
15c4dc5a 219 }
220 else {
221 // correct SOC
222 Uart.state = STATE_MILLER_Z;
223 }
224 break;
225
226 case STATE_MILLER_Z:
227 Uart.bitCnt++;
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // logic '0' followed by sequence Y
231 // end of communication
232 Uart.state = STATE_UNSYNCD;
233 EOC = TRUE;
234 }
235 // if(Uart.drop == DROP_FIRST_HALF) {
236 // Uart.state = STATE_MILLER_Z; stay the same
237 // we see a logic '0' }
238 if(Uart.drop == DROP_SECOND_HALF) {
239 // we see a logic '1'
240 Uart.shiftReg |= 0x100;
241 Uart.state = STATE_MILLER_X;
242 }
243 break;
244
245 case STATE_MILLER_X:
246 Uart.shiftReg >>= 1;
247 if(Uart.drop == DROP_NONE) {
248 // sequence Y, we see a '0'
249 Uart.state = STATE_MILLER_Y;
250 Uart.bitCnt++;
251 }
252 if(Uart.drop == DROP_FIRST_HALF) {
253 // Would be STATE_MILLER_Z
254 // but Z does not follow X, so error
255 Uart.state = STATE_ERROR_WAIT;
9f693930 256 //error = 0x03;
15c4dc5a 257 }
258 if(Uart.drop == DROP_SECOND_HALF) {
259 // We see a '1' and stay in state X
260 Uart.shiftReg |= 0x100;
261 Uart.bitCnt++;
262 }
263 break;
264
265 case STATE_MILLER_Y:
266 Uart.bitCnt++;
267 Uart.shiftReg >>= 1;
268 if(Uart.drop == DROP_NONE) {
269 // logic '0' followed by sequence Y
270 // end of communication
271 Uart.state = STATE_UNSYNCD;
272 EOC = TRUE;
273 }
274 if(Uart.drop == DROP_FIRST_HALF) {
275 // we see a '0'
276 Uart.state = STATE_MILLER_Z;
277 }
278 if(Uart.drop == DROP_SECOND_HALF) {
279 // We see a '1' and go to state X
280 Uart.shiftReg |= 0x100;
281 Uart.state = STATE_MILLER_X;
282 }
283 break;
284
285 case STATE_ERROR_WAIT:
286 // That went wrong. Now wait for at least two bit periods
287 // and try to sync again
288 if(Uart.drop == DROP_NONE) {
289 Uart.highCnt = 6;
290 Uart.state = STATE_UNSYNCD;
291 }
292 break;
293
294 default:
295 Uart.state = STATE_UNSYNCD;
296 Uart.highCnt = 0;
297 break;
298 }
299
300 Uart.drop = DROP_NONE;
301
302 // should have received at least one whole byte...
303 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
304 return TRUE;
305 }
306
307 if(Uart.bitCnt == 9) {
308 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
309 Uart.byteCnt++;
310
311 Uart.parityBits <<= 1;
312 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
313
314 if(EOC) {
315 // when End of Communication received and
316 // all data bits processed..
317 return TRUE;
318 }
319 Uart.bitCnt = 0;
320 }
321
322 /*if(error) {
323 Uart.output[Uart.byteCnt] = 0xAA;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = error & 0xFF;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = 0xAA;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
334 Uart.byteCnt++;
335 Uart.output[Uart.byteCnt] = 0xAA;
336 Uart.byteCnt++;
337 return TRUE;
338 }*/
339 }
340
341 }
342 else {
343 bit = Uart.bitBuffer & 0xf0;
344 bit >>= 4;
345 bit ^= 0x0F;
346 if(bit) {
347 // should have been high or at least (4 * 128) / fc
348 // according to ISO this should be at least (9 * 128 + 20) / fc
349 if(Uart.highCnt == 8) {
350 // we went low, so this could be start of communication
351 // it turns out to be safer to choose a less significant
352 // syncbit... so we check whether the neighbour also represents the drop
353 Uart.posCnt = 1; // apparently we are busy with our first half bit period
354 Uart.syncBit = bit & 8;
355 Uart.samples = 3;
356 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
357 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
359 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
360 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 361 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 362 Uart.syncBit = 8;
363
364 // the first half bit period is expected in next sample
365 Uart.posCnt = 0;
366 Uart.samples = 3;
367 }
368 }
369 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
370
371 Uart.syncBit <<= 4;
372 Uart.state = STATE_START_OF_COMMUNICATION;
373 Uart.drop = DROP_FIRST_HALF;
374 Uart.bitCnt = 0;
375 Uart.byteCnt = 0;
376 Uart.parityBits = 0;
9f693930 377 //error = 0;
15c4dc5a 378 }
379 else {
380 Uart.highCnt = 0;
381 }
382 }
383 else {
384 if(Uart.highCnt < 8) {
385 Uart.highCnt++;
386 }
387 }
388 }
389
390 return FALSE;
391}
392
393//=============================================================================
394// ISO 14443 Type A - Manchester
395//=============================================================================
396
397static struct {
398 enum {
399 DEMOD_UNSYNCD,
400 DEMOD_START_OF_COMMUNICATION,
401 DEMOD_MANCHESTER_D,
402 DEMOD_MANCHESTER_E,
403 DEMOD_MANCHESTER_F,
404 DEMOD_ERROR_WAIT
405 } state;
406 int bitCount;
407 int posCount;
408 int syncBit;
409 int parityBits;
f7e3ed82 410 uint16_t shiftReg;
15c4dc5a 411 int buffer;
412 int buff;
413 int samples;
414 int len;
415 enum {
416 SUB_NONE,
417 SUB_FIRST_HALF,
418 SUB_SECOND_HALF
419 } sub;
f7e3ed82 420 uint8_t *output;
15c4dc5a 421} Demod;
422
6c1e2d95 423static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 424{
425 int bit;
426 int modulation;
9f693930 427 //int error = 0;
15c4dc5a 428
429 if(!Demod.buff) {
430 Demod.buff = 1;
431 Demod.buffer = v;
432 return FALSE;
433 }
434 else {
435 bit = Demod.buffer;
436 Demod.buffer = v;
437 }
438
439 if(Demod.state==DEMOD_UNSYNCD) {
440 Demod.output[Demod.len] = 0xfa;
441 Demod.syncBit = 0;
442 //Demod.samples = 0;
443 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 444
445 if(bit & 0x08) {
446 Demod.syncBit = 0x08;
15c4dc5a 447 }
15c4dc5a 448
2f2d9fc5 449 if(bit & 0x04) {
450 if(Demod.syncBit) {
451 bit <<= 4;
452 }
453 Demod.syncBit = 0x04;
454 }
15c4dc5a 455
2f2d9fc5 456 if(bit & 0x02) {
457 if(Demod.syncBit) {
458 bit <<= 2;
15c4dc5a 459 }
2f2d9fc5 460 Demod.syncBit = 0x02;
15c4dc5a 461 }
15c4dc5a 462
593924e7 463 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 464 Demod.syncBit = 0x01;
465 }
466
15c4dc5a 467 if(Demod.syncBit) {
468 Demod.len = 0;
469 Demod.state = DEMOD_START_OF_COMMUNICATION;
470 Demod.sub = SUB_FIRST_HALF;
471 Demod.bitCount = 0;
472 Demod.shiftReg = 0;
473 Demod.parityBits = 0;
474 Demod.samples = 0;
475 if(Demod.posCount) {
534983d7 476 if(trigger) LED_A_OFF();
15c4dc5a 477 switch(Demod.syncBit) {
478 case 0x08: Demod.samples = 3; break;
479 case 0x04: Demod.samples = 2; break;
480 case 0x02: Demod.samples = 1; break;
481 case 0x01: Demod.samples = 0; break;
482 }
483 }
9f693930 484 //error = 0;
15c4dc5a 485 }
486 }
487 else {
488 //modulation = bit & Demod.syncBit;
489 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
490
491 Demod.samples += 4;
492
493 if(Demod.posCount==0) {
494 Demod.posCount = 1;
495 if(modulation) {
496 Demod.sub = SUB_FIRST_HALF;
497 }
498 else {
499 Demod.sub = SUB_NONE;
500 }
501 }
502 else {
503 Demod.posCount = 0;
504 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
505 if(Demod.state!=DEMOD_ERROR_WAIT) {
506 Demod.state = DEMOD_ERROR_WAIT;
507 Demod.output[Demod.len] = 0xaa;
9f693930 508 //error = 0x01;
15c4dc5a 509 }
510 }
511 else if(modulation) {
512 Demod.sub = SUB_SECOND_HALF;
513 }
514
515 switch(Demod.state) {
516 case DEMOD_START_OF_COMMUNICATION:
517 if(Demod.sub == SUB_FIRST_HALF) {
518 Demod.state = DEMOD_MANCHESTER_D;
519 }
520 else {
521 Demod.output[Demod.len] = 0xab;
522 Demod.state = DEMOD_ERROR_WAIT;
9f693930 523 //error = 0x02;
15c4dc5a 524 }
525 break;
526
527 case DEMOD_MANCHESTER_D:
528 case DEMOD_MANCHESTER_E:
529 if(Demod.sub == SUB_FIRST_HALF) {
530 Demod.bitCount++;
531 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
532 Demod.state = DEMOD_MANCHESTER_D;
533 }
534 else if(Demod.sub == SUB_SECOND_HALF) {
535 Demod.bitCount++;
536 Demod.shiftReg >>= 1;
537 Demod.state = DEMOD_MANCHESTER_E;
538 }
539 else {
540 Demod.state = DEMOD_MANCHESTER_F;
541 }
542 break;
543
544 case DEMOD_MANCHESTER_F:
545 // Tag response does not need to be a complete byte!
546 if(Demod.len > 0 || Demod.bitCount > 0) {
547 if(Demod.bitCount > 0) {
548 Demod.shiftReg >>= (9 - Demod.bitCount);
549 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
550 Demod.len++;
551 // No parity bit, so just shift a 0
552 Demod.parityBits <<= 1;
553 }
554
555 Demod.state = DEMOD_UNSYNCD;
556 return TRUE;
557 }
558 else {
559 Demod.output[Demod.len] = 0xad;
560 Demod.state = DEMOD_ERROR_WAIT;
9f693930 561 //error = 0x03;
15c4dc5a 562 }
563 break;
564
565 case DEMOD_ERROR_WAIT:
566 Demod.state = DEMOD_UNSYNCD;
567 break;
568
569 default:
570 Demod.output[Demod.len] = 0xdd;
571 Demod.state = DEMOD_UNSYNCD;
572 break;
573 }
574
575 if(Demod.bitCount>=9) {
576 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
577 Demod.len++;
578
579 Demod.parityBits <<= 1;
580 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
581
582 Demod.bitCount = 0;
583 Demod.shiftReg = 0;
584 }
585
586 /*if(error) {
587 Demod.output[Demod.len] = 0xBB;
588 Demod.len++;
589 Demod.output[Demod.len] = error & 0xFF;
590 Demod.len++;
591 Demod.output[Demod.len] = 0xBB;
592 Demod.len++;
593 Demod.output[Demod.len] = bit & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.buffer & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
598 Demod.len++;
599 Demod.output[Demod.len] = 0xBB;
600 Demod.len++;
601 return TRUE;
602 }*/
603
604 }
605
606 } // end (state != UNSYNCED)
607
608 return FALSE;
609}
610
611//=============================================================================
612// Finally, a `sniffer' for ISO 14443 Type A
613// Both sides of communication!
614//=============================================================================
615
616//-----------------------------------------------------------------------------
617// Record the sequence of commands sent by the reader to the tag, with
618// triggering so that we start recording at the point that the tag is moved
619// near the reader.
620//-----------------------------------------------------------------------------
6c1e2d95 621void RAMFUNC SnoopIso14443a(void)
15c4dc5a 622{
623// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
624// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
625// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
626// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
81cd0474 627// #define TRACE_SIZE 2000 // original (working as of 21/2/09) values
15c4dc5a 628
629 // We won't start recording the frames that we acquire until we trigger;
630 // a good trigger condition to get started is probably when we see a
631 // response from the tag.
7e758047 632 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 633
634 // The command (reader -> tag) that we're receiving.
635 // The length of a received command will in most cases be no more than 18 bytes.
636 // So 32 should be enough!
f7e3ed82 637 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 638 // The response (tag -> reader) that we're receiving.
f7e3ed82 639 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 640
641 // As we receive stuff, we copy it from receivedCmd or receivedResponse
642 // into trace, along with its length and other annotations.
f7e3ed82 643 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 644
645 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 646
647 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 648 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 649 int lastRxCounter;
f7e3ed82 650 int8_t *upTo;
15c4dc5a 651 int smpl;
652 int maxBehindBy = 0;
653
654 // Count of samples received so far, so that we can include timing
655 // information in the trace buffer.
656 int samples = 0;
cee5a30d 657 int rsamples = 0;
15c4dc5a 658
81cd0474 659 memset(trace, 0x44, TRACE_SIZE);
15c4dc5a 660
661 // Set up the demodulator for tag -> reader responses.
662 Demod.output = receivedResponse;
663 Demod.len = 0;
664 Demod.state = DEMOD_UNSYNCD;
665
7e758047 666 // Setup for the DMA.
667 FpgaSetupSsc();
668 upTo = dmaBuf;
669 lastRxCounter = DMA_BUFFER_SIZE;
670 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
671
15c4dc5a 672 // And the reader -> tag commands
673 memset(&Uart, 0, sizeof(Uart));
674 Uart.output = receivedCmd;
675 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
676 Uart.state = STATE_UNSYNCD;
677
678 // And put the FPGA in the appropriate mode
679 // Signal field is off with the appropriate LED
680 LED_D_OFF();
681 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
682 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
683
15c4dc5a 684
685 // And now we loop, receiving samples.
686 for(;;) {
7e758047 687 LED_A_ON();
688 WDT_HIT();
15c4dc5a 689 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
690 (DMA_BUFFER_SIZE-1);
691 if(behindBy > maxBehindBy) {
692 maxBehindBy = behindBy;
693 if(behindBy > 400) {
7e758047 694 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 695 goto done;
696 }
697 }
698 if(behindBy < 1) continue;
699
7e758047 700 LED_A_OFF();
15c4dc5a 701 smpl = upTo[0];
702 upTo++;
703 lastRxCounter -= 1;
704 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
705 upTo -= DMA_BUFFER_SIZE;
706 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 707 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 708 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
709 }
710
711 samples += 4;
7e758047 712 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 713 rsamples = samples - Uart.samples;
72934aa3 714 LED_C_ON();
7e758047 715 if(triggered) {
716 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 717 trace[traceLen++] = ((rsamples >> 8) & 0xff);
718 trace[traceLen++] = ((rsamples >> 16) & 0xff);
719 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 720 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
722 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
723 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 724 trace[traceLen++] = Uart.byteCnt;
725 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
726 traceLen += Uart.byteCnt;
81cd0474 727 if(traceLen > TRACE_SIZE) break;
72934aa3 728 }
729 /* And ready to receive another command. */
730 Uart.state = STATE_UNSYNCD;
731 /* And also reset the demod code, which might have been */
732 /* false-triggered by the commands from the reader. */
733 Demod.state = DEMOD_UNSYNCD;
7e758047 734 LED_B_OFF();
15c4dc5a 735 }
7e758047 736
737 if(ManchesterDecoding(smpl & 0x0F)) {
738 rsamples = samples - Demod.samples;
739 LED_B_ON();
740
741 // timestamp, as a count of samples
742 trace[traceLen++] = ((rsamples >> 0) & 0xff);
743 trace[traceLen++] = ((rsamples >> 8) & 0xff);
744 trace[traceLen++] = ((rsamples >> 16) & 0xff);
745 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
748 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
749 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
750 // length
751 trace[traceLen++] = Demod.len;
752 memcpy(trace+traceLen, receivedResponse, Demod.len);
753 traceLen += Demod.len;
81cd0474 754 if(traceLen > TRACE_SIZE) break;
7e758047 755
756 triggered = TRUE;
15c4dc5a 757
758 // And ready to receive another response.
759 memset(&Demod, 0, sizeof(Demod));
760 Demod.output = receivedResponse;
761 Demod.state = DEMOD_UNSYNCD;
7e758047 762 LED_C_OFF();
763 }
15c4dc5a 764
765 if(BUTTON_PRESS()) {
766 DbpString("cancelled_a");
767 goto done;
768 }
769 }
770
771 DbpString("COMMAND FINISHED");
772
15c4dc5a 773done:
774 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
13d8c68d 775 Dbprintf("maxBehindBy=%x, Uart.state=%x, Uart.byteCnt=%x", maxBehindBy, Uart.state, Uart.byteCnt);
776 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
15c4dc5a 777 LED_A_OFF();
778 LED_B_OFF();
779 LED_C_OFF();
780 LED_D_OFF();
781}
782
15c4dc5a 783//-----------------------------------------------------------------------------
784// Prepare tag messages
785//-----------------------------------------------------------------------------
8f51ddb0 786static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 787{
8f51ddb0 788 int i;
15c4dc5a 789
8f51ddb0 790 ToSendReset();
15c4dc5a 791
792 // Correction bit, might be removed when not needed
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(1); // 1
798 ToSendStuffBit(0);
799 ToSendStuffBit(0);
800 ToSendStuffBit(0);
8f51ddb0 801
15c4dc5a 802 // Send startbit
72934aa3 803 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 804
8f51ddb0
M		 805 for(i = 0; i < len; i++) {
806 int j;
807 uint8_t b = cmd[i];
15c4dc5a 808
809 // Data bits
15c4dc5a 810 for(j = 0; j < 8; j++) {
15c4dc5a 811 if(b & 1) {
72934aa3 812 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 813 } else {
72934aa3 814 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M		 815 }
816 b >>= 1;
817 }
15c4dc5a 818
0014cb46 819 // Get the parity bit
8f51ddb0
M		 820 if ((dwParity >> i) & 0x01) {
821 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 822 } else {
72934aa3 823 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 824 }
8f51ddb0 825 }
15c4dc5a 826
8f51ddb0
M		 827 // Send stopbit
828 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 829
8f51ddb0
M		 830 // Convert from last byte pos to length
831 ToSendMax++;
8f51ddb0
M		 832}
833
834static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
835 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 836}
837
838//-----------------------------------------------------------------------------
839// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
840//-----------------------------------------------------------------------------
8f51ddb0 841static void CodeStrangeAnswerAsTag()
15c4dc5a 842{
843 int i;
844
845 ToSendReset();
846
847 // Correction bit, might be removed when not needed
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(1); // 1
853 ToSendStuffBit(0);
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856
857 // Send startbit
72934aa3 858 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 859
860 // 0
72934aa3 861 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 862
863 // 0
72934aa3 864 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 865
866 // 1
72934aa3 867 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 868
869 // Send stopbit
72934aa3 870 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 871
872 // Flush the buffer in FPGA!!
873 for(i = 0; i < 5; i++) {
72934aa3 874 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 875 }
876
877 // Convert from last byte pos to length
878 ToSendMax++;
8f51ddb0 879}
15c4dc5a 880
8f51ddb0
M		 881static void Code4bitAnswerAsTag(uint8_t cmd)
882{
883 int i;
884
885 ToSendReset();
886
887 // Correction bit, might be removed when not needed
888 ToSendStuffBit(0);
889 ToSendStuffBit(0);
890 ToSendStuffBit(0);
891 ToSendStuffBit(0);
892 ToSendStuffBit(1); // 1
893 ToSendStuffBit(0);
894 ToSendStuffBit(0);
895 ToSendStuffBit(0);
896
897 // Send startbit
898 ToSend[++ToSendMax] = SEC_D;
899
900 uint8_t b = cmd;
901 for(i = 0; i < 4; i++) {
902 if(b & 1) {
903 ToSend[++ToSendMax] = SEC_D;
904 } else {
905 ToSend[++ToSendMax] = SEC_E;
906 }
907 b >>= 1;
908 }
909
910 // Send stopbit
911 ToSend[++ToSendMax] = SEC_F;
912
913 // Flush the buffer in FPGA!!
914 for(i = 0; i < 5; i++) {
915 ToSend[++ToSendMax] = SEC_F;
916 }
917
918 // Convert from last byte pos to length
919 ToSendMax++;
15c4dc5a 920}
921
922//-----------------------------------------------------------------------------
923// Wait for commands from reader
924// Stop when button is pressed
925// Or return TRUE when command is captured
926//-----------------------------------------------------------------------------
f7e3ed82 927static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 928{
929 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
930 // only, since we are receiving, not transmitting).
931 // Signal field is off with the appropriate LED
932 LED_D_OFF();
933 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
934
935 // Now run a `software UART' on the stream of incoming samples.
936 Uart.output = received;
937 Uart.byteCntMax = maxLen;
938 Uart.state = STATE_UNSYNCD;
939
940 for(;;) {
941 WDT_HIT();
942
943 if(BUTTON_PRESS()) return FALSE;
944
945 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
946 AT91C_BASE_SSC->SSC_THR = 0x00;
947 }
948 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 949 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 950 if(MillerDecoding((b & 0xf0) >> 4)) {
951 *len = Uart.byteCnt;
952 return TRUE;
953 }
954 if(MillerDecoding(b & 0x0f)) {
955 *len = Uart.byteCnt;
956 return TRUE;
957 }
958 }
959 }
960}
9ca155ba 961static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
15c4dc5a 962
963//-----------------------------------------------------------------------------
964// Main loop of simulated tag: receive commands from reader, decide what
965// response to send, and send it.
966//-----------------------------------------------------------------------------
81cd0474 967void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd)
15c4dc5a 968{
81cd0474 969 // Enable and clear the trace
970 tracing = TRUE;
971 traceLen = 0;
972 memset(trace, 0x44, TRACE_SIZE);
973
15c4dc5a 974 // This function contains the tag emulation
81cd0474 975 uint8_t sak;
976
977 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
978 uint8_t response1[2];
979
980 switch (tagType) {
981 case 1: { // MIFARE Classic
982 // Says: I am Mifare 1k - original line
983 response1[0] = 0x04;
984 response1[1] = 0x00;
985 sak = 0x08;
986 } break;
987 case 2: { // MIFARE Ultralight
988 // Says: I am a stupid memory tag, no crypto
989 response1[0] = 0x04;
990 response1[1] = 0x00;
991 sak = 0x00;
992 } break;
993 case 3: { // MIFARE DESFire
994 // Says: I am a DESFire tag, ph33r me
995 response1[0] = 0x04;
996 response1[1] = 0x03;
997 sak = 0x20;
998 } break;
999 case 4: { // ISO/IEC 14443-4
1000 // Says: I am a javacard (JCOP)
1001 response1[0] = 0x04;
1002 response1[1] = 0x00;
1003 sak = 0x28;
1004 } break;
1005 default: {
1006 Dbprintf("Error: unkown tagtype (%d)",tagType);
1007 return;
1008 } break;
1009 }
1010
1011 // The second response contains the (mandatory) first 24 bits of the UID
1012 uint8_t response2[5];
1013
1014 // Check if the uid uses the (optional) part
1015 uint8_t response2a[5];
1016 if (uid_2nd) {
1017 response2[0] = 0x88;
1018 num_to_bytes(uid_1st,3,response2+1);
1019 num_to_bytes(uid_2nd,4,response2a);
1020 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1021
1022 // Configure the ATQA and SAK accordingly
1023 response1[0] |= 0x40;
1024 sak |= 0x04;
1025 } else {
1026 num_to_bytes(uid_1st,4,response2);
1027 // Configure the ATQA and SAK accordingly
1028 response1[0] &= 0xBF;
1029 sak &= 0xFB;
1030 }
1031
1032 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1033 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1034
1035 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1036 uint8_t response3[3];
1037 response3[0] = sak;
1038 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1039
1040 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1041 uint8_t response3a[3];
1042 response3a[0] = sak & 0xFB;
1043 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1044
1045
1046/*
1047 // Check if the uid uses the (optional) second part
1048 if (uid_2nd) {
1049 // Configure the ATQA and SAK accordingly
1050 response1[0] |= 0x40;
1051 sak |= 0x04;
1052 }
1053*/
1054
1055//static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
1056
15c4dc5a 1057
1058 // Prepare protocol messages
f7e3ed82 1059 // static const uint8_t cmd1[] = { 0x26 };
1060// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 1061//
81cd0474 1062// uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
f7e3ed82 1063// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 1064
1065 // UID response
f7e3ed82 1066 // static const uint8_t cmd2[] = { 0x93, 0x20 };
1067 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 1068
15c4dc5a 1069// my desfire
81cd0474 1070// uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 1071
1072
1073// When reader selects us during cascade1 it will send cmd3
f7e3ed82 1074//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
81cd0474 1075//uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
1076//ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
15c4dc5a 1077
1078// send cascade2 2nd half of UID
81cd0474 1079//static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 1080// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
1081
15c4dc5a 1082// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 1083//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
81cd0474 1084//uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
1085//ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
15c4dc5a 1086
f7e3ed82 1087 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 1088
f7e3ed82 1089 uint8_t *resp;
15c4dc5a 1090 int respLen;
1091
81cd0474 1092 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
15c4dc5a 1093 // This will need
1094 // 144 data bits (18 * 8)
1095 // 18 parity bits
1096 // 2 Start and stop
1097 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1098 // 1 just for the case
1099 // ----------- +
1100 // 166
1101 //
1102 // 166 bytes, since every bit that needs to be send costs us a byte
1103 //
1104
15c4dc5a 1105 // Respond with card type
81cd0474 1106 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
15c4dc5a 1107 int resp1Len;
1108
1109 // Anticollision cascade1 - respond with uid
81cd0474 1110 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166);
15c4dc5a 1111 int resp2Len;
1112
1113 // Anticollision cascade2 - respond with 2nd half of uid if asked
1114 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1115 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1116 int resp2aLen;
1117
1118 // Acknowledge select - cascade 1
81cd0474 1119 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2));
15c4dc5a 1120 int resp3Len;
1121
1122 // Acknowledge select - cascade 2
81cd0474 1123 uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3));
15c4dc5a 1124 int resp3aLen;
1125
1126 // Response to a read request - not implemented atm
81cd0474 1127 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4));
15c4dc5a 1128 int resp4Len;
1129
1130 // Authenticate response - nonce
81cd0474 1131 uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5));
15c4dc5a 1132 int resp5Len;
1133
81cd0474 1134 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1135// uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1136 int len;
1137
9f693930
GY		 1138 //int i;
1139 //int u;
1140 //uint8_t b;
15c4dc5a 1141
1142 // To control where we are in the protocol
1143 int order = 0;
1144 int lastorder;
1145
1146 // Just to allow some checks
1147 int happened = 0;
1148 int happened2 = 0;
1149
81cd0474 1150 int cmdsRecvd = 0;
1151 uint8_t* respdata = NULL;
1152 int respsize = 0;
1153 uint8_t nack = 0x04;
15c4dc5a 1154
9f693930 1155 //int fdt_indicator;
15c4dc5a 1156
81cd0474 1157 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
15c4dc5a 1158
1159 // Prepare the responses of the anticollision phase
1160 // there will be not enough time to do this at the moment the reader sends it REQA
1161
1162 // Answer to request
1163 CodeIso14443aAsTag(response1, sizeof(response1));
1164 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1165
1166 // Send our UID (cascade 1)
1167 CodeIso14443aAsTag(response2, sizeof(response2));
1168 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1169
1170 // Answer to select (cascade1)
1171 CodeIso14443aAsTag(response3, sizeof(response3));
1172 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1173
1174 // Send the cascade 2 2nd part of the uid
1175 CodeIso14443aAsTag(response2a, sizeof(response2a));
1176 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1177
1178 // Answer to select (cascade 2)
1179 CodeIso14443aAsTag(response3a, sizeof(response3a));
1180 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1181
1182 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1183 CodeStrangeAnswerAsTag();
15c4dc5a 1184 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1185
1186 // Authentication answer (random nonce)
1187 CodeIso14443aAsTag(response5, sizeof(response5));
1188 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1189
1190 // We need to listen to the high-frequency, peak-detected path.
1191 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1192 FpgaSetupSsc();
1193
1194 cmdsRecvd = 0;
1195
1196 LED_A_ON();
1197 for(;;) {
1198
81cd0474 1199 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
15c4dc5a 1200 DbpString("button press");
1201 break;
1202 }
1203 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1204 // Okay, look at the command now.
1205 lastorder = order;
9f693930 1206 //i = 1; // first byte transmitted
15c4dc5a 1207 if(receivedCmd[0] == 0x26) {
1208 // Received a REQUEST
1209 resp = resp1; respLen = resp1Len; order = 1;
81cd0474 1210 respdata = response1;
1211 respsize = sizeof(response1);
15c4dc5a 1212 //DbpString("Hello request from reader:");
1213 } else if(receivedCmd[0] == 0x52) {
1214 // Received a WAKEUP
1215 resp = resp1; respLen = resp1Len; order = 6;
1216// //DbpString("Wakeup request from reader:");
81cd0474 1217 respdata = response1;
1218 respsize = sizeof(response1);
15c4dc5a 1219 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1220 // Received request for UID (cascade 1)
1221 resp = resp2; respLen = resp2Len; order = 2;
1222// DbpString("UID (cascade 1) request from reader:");
1223// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1224 respdata = response2;
1225 respsize = sizeof(response2);
15c4dc5a 1226 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1227 // Received request for UID (cascade 2)
1228 resp = resp2a; respLen = resp2aLen; order = 20;
1229// DbpString("UID (cascade 2) request from reader:");
1230// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1231 respdata = response2a;
1232 respsize = sizeof(response2a);
15c4dc5a 1233
1234 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1235 // Received a SELECT
1236 resp = resp3; respLen = resp3Len; order = 3;
1237// DbpString("Select (cascade 1) request from reader:");
1238// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1239 respdata = response3;
1240 respsize = sizeof(response3);
15c4dc5a 1241
1242 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1243 // Received a SELECT
1244 resp = resp3a; respLen = resp3aLen; order = 30;
1245// DbpString("Select (cascade 2) request from reader:");
1246// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1247 respdata = response3a;
1248 respsize = sizeof(response3a);
15c4dc5a 1249
1250 } else if(receivedCmd[0] == 0x30) {
1251 // Received a READ
1252 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1253 Dbprintf("Read request from reader: %x %x %x",
1254 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1255 respdata = &nack;
1256 respsize = sizeof(nack); // 4-bit answer
15c4dc5a 1257
1258 } else if(receivedCmd[0] == 0x50) {
1259 // Received a HALT
1260 resp = resp1; respLen = 0; order = 5; // Do nothing
1261 DbpString("Reader requested we HALT!:");
81cd0474 1262 respdata = NULL;
1263 respsize = 0;
15c4dc5a 1264
1265 } else if(receivedCmd[0] == 0x60) {
1266 // Received an authentication request
1267 resp = resp5; respLen = resp5Len; order = 7;
1268 Dbprintf("Authenticate request from reader: %x %x %x",
1269 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1270 respdata = NULL;
1271 respsize = 0;
15c4dc5a 1272
1273 } else if(receivedCmd[0] == 0xE0) {
1274 // Received a RATS request
1275 resp = resp1; respLen = 0;order = 70;
1276 Dbprintf("RATS request from reader: %x %x %x",
1277 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1278 respdata = NULL;
1279 respsize = 0;
1280 } else {
1281 // Never seen this command before
1282 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
20f9a2a1 1283 len,
15c4dc5a 1284 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M		 1285 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1286 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1287 // Do not respond
1288 resp = resp1; respLen = 0; order = 0;
81cd0474 1289 respdata = NULL;
1290 respsize = 0;
1291 }
15c4dc5a 1292
1293 // Count number of wakeups received after a halt
1294 if(order == 6 && lastorder == 5) { happened++; }
1295
1296 // Count number of other messages after a halt
1297 if(order != 6 && lastorder == 5) { happened2++; }
1298
1299 // Look at last parity bit to determine timing of answer
1300 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1301 // 1236, so correction bit needed
9f693930 1302 //i = 0;
15c4dc5a 1303 }
1304
15c4dc5a 1305
1306 if(cmdsRecvd > 999) {
1307 DbpString("1000 commands later...");
1308 break;
1309 }
1310 else {
1311 cmdsRecvd++;
1312 }
1313
81cd0474 1314 if(respLen > 0) {
1315 //----------------------------
1316 //u = 0;
1317 //b = 0x00;
1318 //fdt_indicator = FALSE;
1319 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1320 }
1321
1322 if (tracing) {
1323 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
1324 if (respdata != NULL) {
1325 LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1326 }
4ab4336a 1327 if(traceLen > TRACE_SIZE) {
1328 DbpString("Trace full");
1329 break;
1330 }
81cd0474 1331 }
15c4dc5a 1332
81cd0474 1333 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
9ca155ba 1334/* // Modulate Manchester
15c4dc5a 1335 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1336 AT91C_BASE_SSC->SSC_THR = 0x00;
1337 FpgaSetupSsc();
1338
1339 // ### Transmit the response ###
1340 u = 0;
1341 b = 0x00;
1342 fdt_indicator = FALSE;
1343 for(;;) {
1344 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1345 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1346 (void)b;
1347 }
1348 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1349 if(i > respLen) {
1350 b = 0x00;
1351 u++;
1352 } else {
1353 b = resp[i];
1354 i++;
1355 }
1356 AT91C_BASE_SSC->SSC_THR = b;
1357
1358 if(u > 4) {
1359 break;
1360 }
1361 }
1362 if(BUTTON_PRESS()) {
1363 break;
1364 }
1365 }
9ca155ba 1366*/
15c4dc5a 1367 }
1368
1369 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1370 LED_A_OFF();
1371}
1372
1373//-----------------------------------------------------------------------------
1374// Transmit the command (to the tag) that was placed in ToSend[].
1375//-----------------------------------------------------------------------------
f7e3ed82 1376static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1377{
1378 int c;
e30c654b 1379
15c4dc5a 1380 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1381
15c4dc5a 1382 if (wait)
1383 if(*wait < 10)
1384 *wait = 10;
e30c654b 1385
15c4dc5a 1386 for(c = 0; c < *wait;) {
1387 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1388 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1389 c++;
1390 }
1391 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1392 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1393 (void)r;
1394 }
1395 WDT_HIT();
1396 }
e30c654b 1397
15c4dc5a 1398 c = 0;
1399 for(;;) {
1400 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1401 AT91C_BASE_SSC->SSC_THR = cmd[c];
1402 c++;
1403 if(c >= len) {
1404 break;
1405 }
1406 }
1407 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1408 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1409 (void)r;
1410 }
1411 WDT_HIT();
1412 }
1413 if (samples) *samples = (c + *wait) << 3;
1414}
1415
15c4dc5a 1416//-----------------------------------------------------------------------------
1417// Code a 7-bit command without parity bit
1418// This is especially for 0x26 and 0x52 (REQA and WUPA)
1419//-----------------------------------------------------------------------------
f7e3ed82 1420void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1421{
1422 int j;
1423 int last;
f7e3ed82 1424 uint8_t b;
15c4dc5a 1425
1426 ToSendReset();
1427
1428 // Start of Communication (Seq. Z)
72934aa3 1429 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1430 last = 0;
1431
1432 b = bt;
1433 for(j = 0; j < 7; j++) {
1434 if(b & 1) {
1435 // Sequence X
72934aa3 1436 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1437 last = 1;
1438 } else {
1439 if(last == 0) {
1440 // Sequence Z
72934aa3 1441 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1442 }
1443 else {
1444 // Sequence Y
72934aa3 1445 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1446 last = 0;
1447 }
1448 }
1449 b >>= 1;
1450 }
1451
1452 // End of Communication
1453 if(last == 0) {
1454 // Sequence Z
72934aa3 1455 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1456 }
1457 else {
1458 // Sequence Y
72934aa3 1459 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1460 last = 0;
1461 }
1462 // Sequence Y
72934aa3 1463 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1464
1465 // Just to be sure!
72934aa3 1466 ToSend[++ToSendMax] = SEC_Y;
1467 ToSend[++ToSendMax] = SEC_Y;
1468 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1469
1470 // Convert from last character reference to length
1471 ToSendMax++;
1472}
1473
1474//-----------------------------------------------------------------------------
1475// Prepare reader command to send to FPGA
e30c654b 1476//
15c4dc5a 1477//-----------------------------------------------------------------------------
f7e3ed82 1478void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1479{
1480 int i, j;
1481 int last;
f7e3ed82 1482 uint8_t b;
e30c654b 1483
15c4dc5a 1484 ToSendReset();
e30c654b 1485
15c4dc5a 1486 // Start of Communication (Seq. Z)
72934aa3 1487 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1488 last = 0;
e30c654b 1489
15c4dc5a 1490 // Generate send structure for the data bits
1491 for (i = 0; i < len; i++) {
1492 // Get the current byte to send
1493 b = cmd[i];
e30c654b 1494
15c4dc5a 1495 for (j = 0; j < 8; j++) {
1496 if (b & 1) {
1497 // Sequence X
72934aa3 1498 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1499 last = 1;
1500 } else {
1501 if (last == 0) {
1502 // Sequence Z
72934aa3 1503 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1504 } else {
1505 // Sequence Y
72934aa3 1506 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1507 last = 0;
1508 }
1509 }
1510 b >>= 1;
1511 }
e30c654b 1512
15c4dc5a 1513 // Get the parity bit
1514 if ((dwParity >> i) & 0x01) {
1515 // Sequence X
72934aa3 1516 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1517 last = 1;
1518 } else {
1519 if (last == 0) {
1520 // Sequence Z
72934aa3 1521 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1522 } else {
1523 // Sequence Y
72934aa3 1524 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1525 last = 0;
1526 }
1527 }
1528 }
e30c654b 1529
15c4dc5a 1530 // End of Communication
1531 if (last == 0) {
1532 // Sequence Z
72934aa3 1533 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1534 } else {
1535 // Sequence Y
72934aa3 1536 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1537 last = 0;
1538 }
1539 // Sequence Y
72934aa3 1540 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1541
15c4dc5a 1542 // Just to be sure!
72934aa3 1543 ToSend[++ToSendMax] = SEC_Y;
1544 ToSend[++ToSendMax] = SEC_Y;
1545 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1546
15c4dc5a 1547 // Convert from last character reference to length
1548 ToSendMax++;
1549}
1550
9ca155ba
M		 1551//-----------------------------------------------------------------------------
1552// Wait for commands from reader
1553// Stop when button is pressed (return 1) or field was gone (return 2)
1554// Or return 0 when command is captured
1555//-----------------------------------------------------------------------------
1556static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1557{
1558 *len = 0;
1559
1560 uint32_t timer = 0, vtime = 0;
1561 int analogCnt = 0;
1562 int analogAVG = 0;
1563
1564 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1565 // only, since we are receiving, not transmitting).
1566 // Signal field is off with the appropriate LED
1567 LED_D_OFF();
1568 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1569
1570 // Set ADC to read field strength
1571 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1572 AT91C_BASE_ADC->ADC_MR =
1573 ADC_MODE_PRESCALE(32) |
1574 ADC_MODE_STARTUP_TIME(16) |
1575 ADC_MODE_SAMPLE_HOLD_TIME(8);
1576 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1577 // start ADC
1578 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1579
1580 // Now run a 'software UART' on the stream of incoming samples.
1581 Uart.output = received;
1582 Uart.byteCntMax = maxLen;
1583 Uart.state = STATE_UNSYNCD;
1584
1585 for(;;) {
1586 WDT_HIT();
1587
1588 if (BUTTON_PRESS()) return 1;
1589
1590 // test if the field exists
1591 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1592 analogCnt++;
1593 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1594 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1595 if (analogCnt >= 32) {
1596 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1597 vtime = GetTickCount();
1598 if (!timer) timer = vtime;
1599 // 50ms no field --> card to idle state
1600 if (vtime - timer > 50) return 2;
1601 } else
1602 if (timer) timer = 0;
1603 analogCnt = 0;
1604 analogAVG = 0;
1605 }
1606 }
1607 // transmit none
1608 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1609 AT91C_BASE_SSC->SSC_THR = 0x00;
1610 }
1611 // receive and test the miller decoding
1612 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1613 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1614 if(MillerDecoding((b & 0xf0) >> 4)) {
1615 *len = Uart.byteCnt;
8f51ddb0 1616 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M		 1617 return 0;
1618 }
1619 if(MillerDecoding(b & 0x0f)) {
1620 *len = Uart.byteCnt;
8f51ddb0 1621 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M		 1622 return 0;
1623 }
1624 }
1625 }
1626}
1627
1628static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1629{
1630 int i, u = 0;
1631 uint8_t b = 0;
1632
1633 // Modulate Manchester
1634 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1635 AT91C_BASE_SSC->SSC_THR = 0x00;
1636 FpgaSetupSsc();
1637
1638 // include correction bit
1639 i = 1;
1640 if((Uart.parityBits & 0x01) || correctionNeeded) {
1641 // 1236, so correction bit needed
1642 i = 0;
1643 }
1644
1645 // send cycle
1646 for(;;) {
1647 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1648 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1649 (void)b;
1650 }
1651 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1652 if(i > respLen) {
8f51ddb0 1653 b = 0xff; // was 0x00
9ca155ba
M		 1654 u++;
1655 } else {
1656 b = resp[i];
1657 i++;
1658 }
1659 AT91C_BASE_SSC->SSC_THR = b;
1660
1661 if(u > 4) break;
1662 }
1663 if(BUTTON_PRESS()) {
1664 break;
1665 }
1666 }
1667
1668 return 0;
1669}
1670
8f51ddb0
M		 1671int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1672 Code4bitAnswerAsTag(resp);
0a39986e 1673 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1674 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1675 return res;
9ca155ba
M		 1676}
1677
8f51ddb0
M		 1678int EmSend4bit(uint8_t resp){
1679 return EmSend4bitEx(resp, 0);
1680}
1681
1682int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1683 CodeIso14443aAsTagPar(resp, respLen, par);
1684 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1685 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1686 return res;
1687}
1688
1689int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1690 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1691}
1692
1693int EmSendCmd(uint8_t *resp, int respLen){
1694 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1695}
1696
1697int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1698 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M		 1699}
1700
15c4dc5a 1701//-----------------------------------------------------------------------------
1702// Wait a certain time for tag response
1703// If a response is captured return TRUE
1704// If it takes to long return FALSE
1705//-----------------------------------------------------------------------------
f7e3ed82 1706static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1707{
1708 // buffer needs to be 512 bytes
1709 int c;
1710
1711 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1712 // only, since we are receiving, not transmitting).
1713 // Signal field is on with the appropriate LED
1714 LED_D_ON();
1715 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1716
534983d7 1717 // Now get the answer from the card
1718 Demod.output = receivedResponse;
1719 Demod.len = 0;
1720 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1721
f7e3ed82 1722 uint8_t b;
15c4dc5a 1723 if (elapsed) *elapsed = 0;
1724
1725 c = 0;
1726 for(;;) {
534983d7 1727 WDT_HIT();
15c4dc5a 1728
534983d7 1729 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1730 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1731 if (elapsed) (*elapsed)++;
534983d7 1732 }
1733 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1734 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1735 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1736 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1737 *samples = ((c - 1) << 3) + 4;
1738 return TRUE;
1739 }
1740 if(ManchesterDecoding(b & 0x0f)) {
1741 *samples = c << 3;
1742 return TRUE;
1743 }
534983d7 1744 }
1745 }
15c4dc5a 1746}
1747
f7e3ed82 1748void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1749{
1750 int wait = 0;
1751 int samples = 0;
1752
1753 ShortFrameFromReader(*bt);
e30c654b 1754
15c4dc5a 1755 // Select the card
e30c654b 1756 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1757
15c4dc5a 1758 // Store reader command in buffer
1759 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1760}
1761
f7e3ed82 1762void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1763{
1764 int wait = 0;
1765 int samples = 0;
e30c654b 1766
15c4dc5a 1767 // This is tied to other size changes
f7e3ed82 1768 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1769 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1770
15c4dc5a 1771 // Select the card
e30c654b 1772 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1773 if(trigger)
1774 LED_A_ON();
e30c654b 1775
15c4dc5a 1776 // Store reader command in buffer
1777 if (tracing) LogTrace(frame,len,0,par,TRUE);
1778}
1779
1780
f7e3ed82 1781void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1782{
1783 // Generate parity and redirect
1784 ReaderTransmitPar(frame,len,GetParity(frame,len));
1785}
1786
f7e3ed82 1787int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1788{
1789 int samples = 0;
20f9a2a1 1790 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1791 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1792 if(samples == 0) return FALSE;
1793 return Demod.len;
15c4dc5a 1794}
1795
f89c7050
M		 1796int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1797{
1798 int samples = 0;
1799 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1800 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1801 *parptr = Demod.parityBits;
1802 if(samples == 0) return FALSE;
1803 return Demod.len;
1804}
1805
7e758047 1806/* performs iso14443a anticolision procedure
534983d7 1807 * fills the uid pointer unless NULL
1808 * fills resp_data unless NULL */
20f9a2a1
M		 1809int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1810 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1811 uint8_t sel_all[] = { 0x93,0x20 };
1812 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1813 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1814
7e758047 1815 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1816
534983d7 1817 uint8_t sak = 0x04; // cascade uid
1818 int cascade_level = 0;
1819
7e758047 1820 int len;
20f9a2a1
M		 1821
1822 // clear uid
1823 memset(uid_ptr, 0, 8);
15c4dc5a 1824
7e758047 1825 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1826 ReaderTransmitShort(wupa);
1827 // Receive the ATQA
1828 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1829
534983d7 1830 if(resp_data)
1831 memcpy(resp_data->atqa, resp, 2);
1832
534983d7 1833 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1834 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1835 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1836 for(; sak & 0x04; cascade_level++)
7e758047 1837 {
534983d7 1838 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1839 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1840
1841 // SELECT_ALL
1842 ReaderTransmit(sel_all,sizeof(sel_all));
1843 if (!ReaderReceive(resp)) return 0;
1844 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M		 1845
1846 // calculate crypto UID
1847 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1848
7e758047 1849 // Construct SELECT UID command
534983d7 1850 memcpy(sel_uid+2,resp,5);
1851 AppendCrc14443a(sel_uid,7);
1852 ReaderTransmit(sel_uid,sizeof(sel_uid));
1853
7e758047 1854 // Receive the SAK
1855 if (!ReaderReceive(resp)) return 0;
534983d7 1856 sak = resp[0];
7e758047 1857 }
534983d7 1858 if(resp_data) {
1859 resp_data->sak = sak;
1860 resp_data->ats_len = 0;
1861 }
20f9a2a1
M		 1862 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1863 if (uid_ptr[0] == 0x88) {
1864 memcpy(uid_ptr, uid_ptr + 1, 7);
1865 uid_ptr[7] = 0;
1866 }
534983d7 1867
1868 if( (sak & 0x20) == 0)
7e758047 1869 return 2; // non iso14443a compliant tag
534983d7 1870
7e758047 1871 // Request for answer to select
20f9a2a1
M		 1872 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1873 AppendCrc14443a(rats, 2);
1874 ReaderTransmit(rats, sizeof(rats));
1875
1876 if (!(len = ReaderReceive(resp))) return 0;
1877
534983d7 1878 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1879 resp_data->ats_len = len;
1880 }
20f9a2a1 1881
7e758047 1882 return 1;
1883}
15c4dc5a 1884
7e758047 1885void iso14443a_setup() {
1886 // Setup SSC
1887 FpgaSetupSsc();
1888 // Start from off (no field generated)
1889 // Signal field is off with the appropriate LED
1890 LED_D_OFF();
1891 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1892 SpinDelay(200);
15c4dc5a 1893
7e758047 1894 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1895
7e758047 1896 // Now give it time to spin up.
1897 // Signal field is on with the appropriate LED
1898 LED_D_ON();
1899 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1900 SpinDelay(200);
534983d7 1901
1902 iso14a_timeout = 2048; //default
7e758047 1903}
15c4dc5a 1904
534983d7 1905int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1906 uint8_t real_cmd[cmd_len+4];
1907 real_cmd[0] = 0x0a; //I-Block
1908 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1909 memcpy(real_cmd+2, cmd, cmd_len);
1910 AppendCrc14443a(real_cmd,cmd_len+2);
1911
1912 ReaderTransmit(real_cmd, cmd_len+4);
1913 size_t len = ReaderReceive(data);
1914 if(!len)
1915 return -1; //DATA LINK ERROR
1916
1917 return len;
1918}
1919
1920
7e758047 1921//-----------------------------------------------------------------------------
1922// Read an ISO 14443a tag. Send out commands and store answers.
1923//
1924//-----------------------------------------------------------------------------
534983d7 1925void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1926{
534983d7 1927 iso14a_command_t param = c->arg[0];
1928 uint8_t * cmd = c->d.asBytes;
1929 size_t len = c->arg[1];
e30c654b 1930
534983d7 1931 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1932
534983d7 1933 if(param & ISO14A_CONNECT) {
1934 iso14443a_setup();
20f9a2a1 1935 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1936 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1937 }
e30c654b 1938
534983d7 1939 if(param & ISO14A_SET_TIMEOUT) {
1940 iso14a_timeout = c->arg[2];
1941 }
e30c654b 1942
534983d7 1943 if(param & ISO14A_SET_TIMEOUT) {
1944 iso14a_timeout = c->arg[2];
1945 }
e30c654b 1946
534983d7 1947 if(param & ISO14A_APDU) {
1948 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1949 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1950 }
e30c654b 1951
534983d7 1952 if(param & ISO14A_RAW) {
1953 if(param & ISO14A_APPEND_CRC) {
1954 AppendCrc14443a(cmd,len);
1955 len += 2;
15c4dc5a 1956 }
534983d7 1957 ReaderTransmit(cmd,len);
1958 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1959 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1960 }
15c4dc5a 1961
534983d7 1962 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1963
534983d7 1964 if(param & ISO14A_NO_DISCONNECT)
1965 return;
15c4dc5a 1966
15c4dc5a 1967 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1968 LEDsoff();
15c4dc5a 1969}
15c4dc5a 1970//-----------------------------------------------------------------------------
1971// Read an ISO 14443a tag. Send out commands and store answers.
1972//
1973//-----------------------------------------------------------------------------
f7e3ed82 1974void ReaderMifare(uint32_t parameter)
15c4dc5a 1975{
15c4dc5a 1976 // Mifare AUTH
f7e3ed82 1977 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1978 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1979
f89c7050
M		 1980 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1981 traceLen = 0;
1982 tracing = false;
e30c654b 1983
7e758047 1984 iso14443a_setup();
e30c654b 1985
15c4dc5a 1986 LED_A_ON();
1987 LED_B_OFF();
1988 LED_C_OFF();
e30c654b 1989
f89c7050
M		 1990 byte_t nt_diff = 0;
1991 LED_A_OFF();
1992 byte_t par = 0;
9f693930 1993 //byte_t par_mask = 0xff;
f89c7050
M		 1994 byte_t par_low = 0;
1995 int led_on = TRUE;
50193c1e 1996 uint8_t uid[8];
f89c7050 1997 uint32_t cuid;
e30c654b 1998
f89c7050
M		 1999 tracing = FALSE;
2000 byte_t nt[4] = {0,0,0,0};
f397b5cc 2001 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M		 2002 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
2003 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 2004 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 2005 int isOK = 0, isNULL = 0;
f397b5cc 2006
f89c7050
M		 2007 while(TRUE)
2008 {
50193c1e 2009 LED_C_ON();
f89c7050
M		 2010 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2011 SpinDelay(200);
2012 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 2013 LED_C_OFF();
e30c654b 2014
f89c7050
M		 2015 // Test if the action was cancelled
2016 if(BUTTON_PRESS()) {
2017 break;
2018 }
e30c654b 2019
f89c7050 2020 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 2021
f89c7050
M		 2022 // Transmit MIFARE_CLASSIC_AUTH
2023 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 2024
f89c7050
M		 2025 // Receive the (16 bit) "random" nonce
2026 if (!ReaderReceive(receivedAnswer)) continue;
2027 memcpy(nt, receivedAnswer, 4);
e30c654b 2028
f89c7050
M		 2029 // Transmit reader nonce and reader answer
2030 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 2031
f89c7050
M		 2032 // Receive 4 bit answer
2033 if (ReaderReceive(receivedAnswer))
2034 {
f397b5cc
M		 2035 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
2036
db389d52 2037 isNULL = (nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0);
50193c1e
M		 2038 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
2039
f89c7050
M		 2040 if (nt_diff == 0)
2041 {
2042 LED_A_ON();
2043 memcpy(nt_attacked, nt, 4);
9f693930 2044 //par_mask = 0xf8;
f89c7050
M		 2045 par_low = par & 0x07;
2046 }
15c4dc5a 2047
f89c7050
M		 2048 led_on = !led_on;
2049 if(led_on) LED_B_ON(); else LED_B_OFF();
2050 par_list[nt_diff] = par;
2051 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 2052
f89c7050
M		 2053 // Test if the information is complete
2054 if (nt_diff == 0x07) {
2055 isOK = 1;
2056 break;
2057 }
2058
2059 nt_diff = (nt_diff + 1) & 0x07;
2060 mf_nr_ar[3] = nt_diff << 5;
2061 par = par_low;
2062 } else {
2063 if (nt_diff == 0)
2064 {
2065 par++;
2066 } else {
2067 par = (((par >> 3) + 1) << 3) | par_low;
2068 }
2069 }
2070 }
e30c654b 2071
f89c7050
M		 2072 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
2073 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
2074 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 2075
f89c7050
M		 2076 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2077 memcpy(ack.d.asBytes + 0, uid, 4);
2078 memcpy(ack.d.asBytes + 4, nt, 4);
2079 memcpy(ack.d.asBytes + 8, par_list, 8);
2080 memcpy(ack.d.asBytes + 16, ks_list, 8);
2081
2082 LED_B_ON();
2083 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2084 LED_B_OFF();
2085
2086 // Thats it...
15c4dc5a 2087 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2088 LEDsoff();
f89c7050
M		 2089 tracing = TRUE;
2090
f397b5cc 2091 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M		 2092}
2093
20f9a2a1
M		 2094
2095//-----------------------------------------------------------------------------
2096// MIFARE 1K simulate.
2097//
2098//-----------------------------------------------------------------------------
2099void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2100{
50193c1e 2101 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2102 int _7BUID = 0;
9ca155ba 2103 int vHf = 0; // in mV
9f693930 2104 //int nextCycleTimeout = 0;
8f51ddb0 2105 int res;
51969283 2106// uint32_t timer = 0;
0a39986e
M		 2107 uint32_t selTimer = 0;
2108 uint32_t authTimer = 0;
2109 uint32_t par = 0;
9ca155ba 2110 int len = 0;
8f51ddb0 2111 uint8_t cardWRBL = 0;
9ca155ba
M		 2112 uint8_t cardAUTHSC = 0;
2113 uint8_t cardAUTHKEY = 0xff; // no authentication
9f693930 2114 //uint32_t cardRn = 0;
51969283 2115 uint32_t cardRr = 0;
9ca155ba 2116 uint32_t cuid = 0;
9f693930 2117 //uint32_t rn_enc = 0;
51969283 2118 uint32_t ans = 0;
0014cb46
M		 2119 uint32_t cardINTREG = 0;
2120 uint8_t cardINTBLOCK = 0;
9ca155ba
M		 2121 struct Crypto1State mpcs = {0, 0};
2122 struct Crypto1State *pcs;
2123 pcs = &mpcs;
2124
8f51ddb0
M		 2125 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2126 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2127
8556b852 2128 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2129
0a39986e
M		 2130 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2131 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2132
0a39986e 2133 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2134 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2135
0014cb46
M		 2136 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2137// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2138 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2139
0a39986e
M		 2140 // clear trace
2141 traceLen = 0;
2142 tracing = true;
51969283
M		 2143
2144 // Authenticate response - nonce
2145 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2146
8556b852
M		 2147 // get UID from emul memory
2148 emlGetMemBt(receivedCmd, 7, 1);
2149 _7BUID = !(receivedCmd[0] == 0x00);
2150 if (!_7BUID) { // ---------- 4BUID
2151 rATQA[0] = 0x04;
2152
2153 emlGetMemBt(rUIDBCC1, 0, 4);
2154 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2155 } else { // ---------- 7BUID
2156 rATQA[0] = 0x44;
2157
2158 rUIDBCC1[0] = 0x88;
2159 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2160 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2161 emlGetMemBt(rUIDBCC2, 3, 4);
2162 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2163 }
2164
9ca155ba 2165// -------------------------------------- test area
50193c1e 2166
9ca155ba 2167// -------------------------------------- END test area
8f51ddb0
M		 2168 // start mkseconds counter
2169 StartCountUS();
9ca155ba
M		 2170
2171 // We need to listen to the high-frequency, peak-detected path.
2172 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2173 FpgaSetupSsc();
2174
2175 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2176 SpinDelay(200);
2177
0014cb46 2178 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M		 2179 // calibrate mkseconds counter
2180 GetDeltaCountUS();
9ca155ba
M		 2181 while (true) {
2182 WDT_HIT();
9ca155ba 2183
8f51ddb0
M		 2184 if(BUTTON_PRESS()) {
2185 break;
2186 }
2187
9ca155ba
M		 2188 // find reader field
2189 // Vref = 3300mV, and an 10:1 voltage divider on the input
2190 // can measure voltages up to 33000 mV
2191 if (cardSTATE == MFEMUL_NOFIELD) {
2192 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2193 if (vHf > MF_MINFIELDV) {
0014cb46 2194 cardSTATE_TO_IDLE();
9ca155ba
M		 2195 LED_A_ON();
2196 }
2197 }
2198
2199 if (cardSTATE != MFEMUL_NOFIELD) {
81cd0474 2200 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
9ca155ba
M		 2201 if (res == 2) {
2202 cardSTATE = MFEMUL_NOFIELD;
2203 LEDsoff();
2204 continue;
2205 }
2206 if(res) break;
2207 }
2208
9f693930 2209 //nextCycleTimeout = 0;
8f51ddb0 2210
9ca155ba 2211// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M		 2212
2213 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2214 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M		 2215 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2216 selTimer = GetTickCount();
2217 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2218 cardSTATE = MFEMUL_SELECT1;
2219
2220 // init crypto block
2221 LED_B_OFF();
2222 LED_C_OFF();
2223 crypto1_destroy(pcs);
2224 cardAUTHKEY = 0xff;
2225 }
2226 }
9ca155ba 2227
50193c1e
M		 2228 switch (cardSTATE) {
2229 case MFEMUL_NOFIELD:{
2230 break;
2231 }
9ca155ba 2232 case MFEMUL_HALTED:{
0a39986e 2233 break;
9ca155ba 2234 }
50193c1e
M		 2235 case MFEMUL_IDLE:{
2236 break;
2237 }
2238 case MFEMUL_SELECT1:{
9ca155ba
M		 2239 // select all
2240 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2241 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2242 break;
9ca155ba
M		 2243 }
2244
2245 // select card
0a39986e
M		 2246 if (len == 9 &&
2247 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M		 2248 if (!_7BUID)
2249 EmSendCmd(rSAK, sizeof(rSAK));
2250 else
2251 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M		 2252
2253 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M		 2254 if (!_7BUID) {
2255 cardSTATE = MFEMUL_WORK;
0014cb46
M		 2256 LED_B_ON();
2257 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2258 break;
8556b852
M		 2259 } else {
2260 cardSTATE = MFEMUL_SELECT2;
2261 break;
2262 }
9ca155ba
M		 2263 }
2264
50193c1e
M		 2265 break;
2266 }
2267 case MFEMUL_SELECT2:{
0014cb46
M		 2268 if (!len) break;
2269
8556b852 2270 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2271 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M		 2272 break;
2273 }
9ca155ba 2274
8556b852
M		 2275 // select 2 card
2276 if (len == 9 &&
2277 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2278 EmSendCmd(rSAK, sizeof(rSAK));
2279
2280 cuid = bytes_to_num(rUIDBCC2, 4);
2281 cardSTATE = MFEMUL_WORK;
2282 LED_B_ON();
0014cb46 2283 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M		 2284 break;
2285 }
0014cb46
M		 2286
2287 // i guess there is a command). go into the work state.
2288 if (len != 4) break;
2289 cardSTATE = MFEMUL_WORK;
2290 goto lbWORK;
50193c1e
M		 2291 }
2292 case MFEMUL_AUTH1:{
9ca155ba 2293 if (len == 8) {
51969283 2294 // --- crypto
9f693930
GY		 2295 //rn_enc = bytes_to_num(receivedCmd, 4);
2296 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
51969283
M		 2297 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2298 // test if auth OK
2299 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M		 2300 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2301 cardSTATE_TO_IDLE();
51969283
M		 2302 break;
2303 }
2304 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2305 num_to_bytes(ans, 4, rAUTH_AT);
2306 // --- crypto
2307 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M		 2308 cardSTATE = MFEMUL_AUTH2;
2309 } else {
0014cb46 2310 cardSTATE_TO_IDLE();
9ca155ba 2311 }
0a39986e 2312 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M		 2313 }
2314 case MFEMUL_AUTH2:{
9ca155ba 2315 LED_C_ON();
0a39986e 2316 cardSTATE = MFEMUL_WORK;
0014cb46 2317 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M		 2318 break;
2319 }
9ca155ba 2320 case MFEMUL_WORK:{
0014cb46 2321lbWORK: if (len == 0) break;
0a39986e 2322
51969283
M		 2323 if (cardAUTHKEY == 0xff) {
2324 // first authentication
2325 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2326 authTimer = GetTickCount();
2327
2328 cardAUTHSC = receivedCmd[1] / 4; // received block num
2329 cardAUTHKEY = receivedCmd[0] - 0x60;
2330
2331 // --- crypto
2332 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2333 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2334 num_to_bytes(nonce, 4, rAUTH_AT);
2335 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2336 // --- crypto
2337
2338// last working revision
2339// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2340// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2341
2342 cardSTATE = MFEMUL_AUTH1;
9f693930 2343 //nextCycleTimeout = 10;
51969283
M		 2344 break;
2345 }
2346 } else {
2347 // decrypt seqence
2348 mf_crypto1_decrypt(pcs, receivedCmd, len);
2349
2350 // nested authentication
2351 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2352 authTimer = GetTickCount();
2353
2354 cardAUTHSC = receivedCmd[1] / 4; // received block num
2355 cardAUTHKEY = receivedCmd[0] - 0x60;
2356
2357 // --- crypto
2358 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2359 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2360 num_to_bytes(ans, 4, rAUTH_AT);
2361 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2362 // --- crypto
2363
2364 cardSTATE = MFEMUL_AUTH1;
9f693930 2365 //nextCycleTimeout = 10;
51969283
M		 2366 break;
2367 }
2368 }
0a39986e 2369
8f51ddb0
M		 2370 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2371 // BUT... ACK --> NACK
2372 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2373 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2374 break;
2375 }
2376
2377 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2378 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2379 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2380 break;
0a39986e
M		 2381 }
2382
2383 // read block
2384 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2385 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M		 2386 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2387 break;
2388 }
2389 emlGetMem(response, receivedCmd[1], 1);
2390 AppendCrc14443a(response, 16);
2391 mf_crypto1_encrypt(pcs, response, 18, &par);
2392 EmSendCmdPar(response, 18, par);
0a39986e
M		 2393 break;
2394 }
2395
2396 // write block
2397 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2398 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M		 2399 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2400 break;
2401 }
2402 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
9f693930 2403 //nextCycleTimeout = 50;
8f51ddb0
M		 2404 cardSTATE = MFEMUL_WRITEBL2;
2405 cardWRBL = receivedCmd[1];
0a39986e 2406 break;
9ca155ba 2407 }
8f51ddb0 2408
0014cb46
M		 2409 // works with cardINTREG
2410
2411 // increment, decrement, restore
2412 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2413 if (receivedCmd[1] >= 16 * 4 ||
2414 receivedCmd[1] / 4 != cardAUTHSC ||
2415 emlCheckValBl(receivedCmd[1])) {
2416 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2417 break;
2418 }
2419 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2420 if (receivedCmd[0] == 0xC1)
2421 cardSTATE = MFEMUL_INTREG_INC;
2422 if (receivedCmd[0] == 0xC0)
2423 cardSTATE = MFEMUL_INTREG_DEC;
2424 if (receivedCmd[0] == 0xC2)
2425 cardSTATE = MFEMUL_INTREG_REST;
2426 cardWRBL = receivedCmd[1];
2427
2428 break;
2429 }
2430
2431
2432 // transfer
2433 if (len == 4 && receivedCmd[0] == 0xB0) {
2434 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2435 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2436 break;
2437 }
2438
2439 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2440 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2441 else
2442 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2443
2444 break;
2445 }
2446
9ca155ba 2447 // halt
0a39986e 2448 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2449 LED_B_OFF();
0a39986e 2450 LED_C_OFF();
0014cb46
M		 2451 cardSTATE = MFEMUL_HALTED;
2452 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2453 break;
9ca155ba 2454 }
51969283 2455
8f51ddb0
M		 2456 // command not allowed
2457 if (len == 4) {
2458 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2459 break;
2460 }
51969283
M		 2461
2462 // case break
2463 break;
8f51ddb0
M		 2464 }
2465 case MFEMUL_WRITEBL2:{
2466 if (len == 18){
2467 mf_crypto1_decrypt(pcs, receivedCmd, len);
2468 emlSetMem(receivedCmd, cardWRBL, 1);
2469 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2470 cardSTATE = MFEMUL_WORK;
2471 break;
51969283 2472 } else {
0014cb46 2473 cardSTATE_TO_IDLE();
51969283 2474 break;
8f51ddb0 2475 }
8f51ddb0 2476 break;
50193c1e 2477 }
0014cb46
M		 2478
2479 case MFEMUL_INTREG_INC:{
2480 mf_crypto1_decrypt(pcs, receivedCmd, len);
2481 memcpy(&ans, receivedCmd, 4);
2482 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2483 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2484 cardSTATE_TO_IDLE();
2485 break;
2486 }
2487 cardINTREG = cardINTREG + ans;
2488 cardSTATE = MFEMUL_WORK;
2489 break;
2490 }
2491 case MFEMUL_INTREG_DEC:{
2492 mf_crypto1_decrypt(pcs, receivedCmd, len);
2493 memcpy(&ans, receivedCmd, 4);
2494 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2495 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2496 cardSTATE_TO_IDLE();
2497 break;
2498 }
2499 cardINTREG = cardINTREG - ans;
2500 cardSTATE = MFEMUL_WORK;
2501 break;
2502 }
2503 case MFEMUL_INTREG_REST:{
2504 mf_crypto1_decrypt(pcs, receivedCmd, len);
2505 memcpy(&ans, receivedCmd, 4);
2506 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2507 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2508 cardSTATE_TO_IDLE();
2509 break;
2510 }
2511 cardSTATE = MFEMUL_WORK;
2512 break;
2513 }
50193c1e
M		 2514
2515 }
2516
2517 }
2518
9ca155ba
M		 2519 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2520 LEDsoff();
2521
0a39986e 2522 // add trace trailer
8f51ddb0 2523 memset(rAUTH_NT, 0x44, 4);
0a39986e
M		 2524 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2525
0014cb46 2526 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2527}
Proxmark3 GIT tracking
Impressum, Datenschutz