]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
1. small bugfix in hf 14a mifare
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M		 20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
f7e3ed82 23static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 24static int traceLen = 0;
25static int rsamples = 0;
f7e3ed82 26static int tracing = TRUE;
534983d7 27static uint32_t iso14a_timeout;
15c4dc5a 28
72934aa3 29// CARD TO READER
30// Sequence D: 11110000 modulation with subcarrier during first half
31// Sequence E: 00001111 modulation with subcarrier during second half
32// Sequence F: 00000000 no modulation with subcarrier
33// READER TO CARD
34// Sequence X: 00001100 drop after half a period
35// Sequence Y: 00000000 no drop
36// Sequence Z: 11000000 drop at start
37#define SEC_D 0xf0
38#define SEC_E 0x0f
39#define SEC_F 0x00
40#define SEC_X 0x0c
41#define SEC_Y 0x00
42#define SEC_Z 0xc0
15c4dc5a 43
f7e3ed82 44static const uint8_t OddByteParity[256] = {
15c4dc5a 45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
58 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
61};
62
63// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
64#define RECV_CMD_OFFSET 3032
65#define RECV_RES_OFFSET 3096
66#define DMA_BUFFER_OFFSET 3160
67#define DMA_BUFFER_SIZE 4096
68#define TRACE_LENGTH 3000
69
534983d7 70uint8_t trigger = 0;
71void iso14a_set_trigger(int enable) {
72 trigger = enable;
73}
74
15c4dc5a 75//-----------------------------------------------------------------------------
76// Generate the parity value for a byte sequence
e30c654b 77//
15c4dc5a 78//-----------------------------------------------------------------------------
20f9a2a1
M		 79byte_t oddparity (const byte_t bt)
80{
81 return OddByteParity[bt];
82}
83
f7e3ed82 84uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 85{
86 int i;
f7e3ed82 87 uint32_t dwPar = 0;
72934aa3 88
15c4dc5a 89 // Generate the encrypted data
90 for (i = 0; i < iLen; i++) {
91 // Save the encrypted parity bit
92 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
93 }
94 return dwPar;
95}
96
534983d7 97void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 98{
99 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
100}
101
ed82636b 102int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 103{
104 // Return when trace is full
105 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 106
15c4dc5a 107 // Trace the random, i'm curious
108 rsamples += iSamples;
109 trace[traceLen++] = ((rsamples >> 0) & 0xff);
110 trace[traceLen++] = ((rsamples >> 8) & 0xff);
111 trace[traceLen++] = ((rsamples >> 16) & 0xff);
112 trace[traceLen++] = ((rsamples >> 24) & 0xff);
113 if (!bReader) {
114 trace[traceLen - 1] |= 0x80;
115 }
116 trace[traceLen++] = ((dwParity >> 0) & 0xff);
117 trace[traceLen++] = ((dwParity >> 8) & 0xff);
118 trace[traceLen++] = ((dwParity >> 16) & 0xff);
119 trace[traceLen++] = ((dwParity >> 24) & 0xff);
120 trace[traceLen++] = iLen;
121 memcpy(trace + traceLen, btBytes, iLen);
122 traceLen += iLen;
123 return TRUE;
124}
125
15c4dc5a 126//-----------------------------------------------------------------------------
127// The software UART that receives commands from the reader, and its state
128// variables.
129//-----------------------------------------------------------------------------
130static struct {
131 enum {
132 STATE_UNSYNCD,
133 STATE_START_OF_COMMUNICATION,
134 STATE_MILLER_X,
135 STATE_MILLER_Y,
136 STATE_MILLER_Z,
137 STATE_ERROR_WAIT
138 } state;
f7e3ed82 139 uint16_t shiftReg;
15c4dc5a 140 int bitCnt;
141 int byteCnt;
142 int byteCntMax;
143 int posCnt;
144 int syncBit;
145 int parityBits;
146 int samples;
147 int highCnt;
148 int bitBuffer;
149 enum {
150 DROP_NONE,
151 DROP_FIRST_HALF,
152 DROP_SECOND_HALF
153 } drop;
f7e3ed82 154 uint8_t *output;
15c4dc5a 155} Uart;
156
6c1e2d95 157static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 158{
159 int error = 0;
160 int bitright;
161
162 if(!Uart.bitBuffer) {
163 Uart.bitBuffer = bit ^ 0xFF0;
164 return FALSE;
165 }
166 else {
167 Uart.bitBuffer <<= 4;
168 Uart.bitBuffer ^= bit;
169 }
170
f7e3ed82 171 int EOC = FALSE;
15c4dc5a 172
173 if(Uart.state != STATE_UNSYNCD) {
174 Uart.posCnt++;
175
176 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
177 bit = 0x00;
178 }
179 else {
180 bit = 0x01;
181 }
182 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
183 bitright = 0x00;
184 }
185 else {
186 bitright = 0x01;
187 }
188 if(bit != bitright) { bit = bitright; }
189
190 if(Uart.posCnt == 1) {
191 // measurement first half bitperiod
192 if(!bit) {
193 Uart.drop = DROP_FIRST_HALF;
194 }
195 }
196 else {
197 // measurement second half bitperiod
198 if(!bit & (Uart.drop == DROP_NONE)) {
199 Uart.drop = DROP_SECOND_HALF;
200 }
201 else if(!bit) {
202 // measured a drop in first and second half
203 // which should not be possible
204 Uart.state = STATE_ERROR_WAIT;
205 error = 0x01;
206 }
207
208 Uart.posCnt = 0;
209
210 switch(Uart.state) {
211 case STATE_START_OF_COMMUNICATION:
212 Uart.shiftReg = 0;
213 if(Uart.drop == DROP_SECOND_HALF) {
214 // error, should not happen in SOC
215 Uart.state = STATE_ERROR_WAIT;
216 error = 0x02;
217 }
218 else {
219 // correct SOC
220 Uart.state = STATE_MILLER_Z;
221 }
222 break;
223
224 case STATE_MILLER_Z:
225 Uart.bitCnt++;
226 Uart.shiftReg >>= 1;
227 if(Uart.drop == DROP_NONE) {
228 // logic '0' followed by sequence Y
229 // end of communication
230 Uart.state = STATE_UNSYNCD;
231 EOC = TRUE;
232 }
233 // if(Uart.drop == DROP_FIRST_HALF) {
234 // Uart.state = STATE_MILLER_Z; stay the same
235 // we see a logic '0' }
236 if(Uart.drop == DROP_SECOND_HALF) {
237 // we see a logic '1'
238 Uart.shiftReg |= 0x100;
239 Uart.state = STATE_MILLER_X;
240 }
241 break;
242
243 case STATE_MILLER_X:
244 Uart.shiftReg >>= 1;
245 if(Uart.drop == DROP_NONE) {
246 // sequence Y, we see a '0'
247 Uart.state = STATE_MILLER_Y;
248 Uart.bitCnt++;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // Would be STATE_MILLER_Z
252 // but Z does not follow X, so error
253 Uart.state = STATE_ERROR_WAIT;
254 error = 0x03;
255 }
256 if(Uart.drop == DROP_SECOND_HALF) {
257 // We see a '1' and stay in state X
258 Uart.shiftReg |= 0x100;
259 Uart.bitCnt++;
260 }
261 break;
262
263 case STATE_MILLER_Y:
264 Uart.bitCnt++;
265 Uart.shiftReg >>= 1;
266 if(Uart.drop == DROP_NONE) {
267 // logic '0' followed by sequence Y
268 // end of communication
269 Uart.state = STATE_UNSYNCD;
270 EOC = TRUE;
271 }
272 if(Uart.drop == DROP_FIRST_HALF) {
273 // we see a '0'
274 Uart.state = STATE_MILLER_Z;
275 }
276 if(Uart.drop == DROP_SECOND_HALF) {
277 // We see a '1' and go to state X
278 Uart.shiftReg |= 0x100;
279 Uart.state = STATE_MILLER_X;
280 }
281 break;
282
283 case STATE_ERROR_WAIT:
284 // That went wrong. Now wait for at least two bit periods
285 // and try to sync again
286 if(Uart.drop == DROP_NONE) {
287 Uart.highCnt = 6;
288 Uart.state = STATE_UNSYNCD;
289 }
290 break;
291
292 default:
293 Uart.state = STATE_UNSYNCD;
294 Uart.highCnt = 0;
295 break;
296 }
297
298 Uart.drop = DROP_NONE;
299
300 // should have received at least one whole byte...
301 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
302 return TRUE;
303 }
304
305 if(Uart.bitCnt == 9) {
306 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
307 Uart.byteCnt++;
308
309 Uart.parityBits <<= 1;
310 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
311
312 if(EOC) {
313 // when End of Communication received and
314 // all data bits processed..
315 return TRUE;
316 }
317 Uart.bitCnt = 0;
318 }
319
320 /*if(error) {
321 Uart.output[Uart.byteCnt] = 0xAA;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = error & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = 0xAA;
334 Uart.byteCnt++;
335 return TRUE;
336 }*/
337 }
338
339 }
340 else {
341 bit = Uart.bitBuffer & 0xf0;
342 bit >>= 4;
343 bit ^= 0x0F;
344 if(bit) {
345 // should have been high or at least (4 * 128) / fc
346 // according to ISO this should be at least (9 * 128 + 20) / fc
347 if(Uart.highCnt == 8) {
348 // we went low, so this could be start of communication
349 // it turns out to be safer to choose a less significant
350 // syncbit... so we check whether the neighbour also represents the drop
351 Uart.posCnt = 1; // apparently we are busy with our first half bit period
352 Uart.syncBit = bit & 8;
353 Uart.samples = 3;
354 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
355 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
356 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
357 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 359 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 360 Uart.syncBit = 8;
361
362 // the first half bit period is expected in next sample
363 Uart.posCnt = 0;
364 Uart.samples = 3;
365 }
366 }
367 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
368
369 Uart.syncBit <<= 4;
370 Uart.state = STATE_START_OF_COMMUNICATION;
371 Uart.drop = DROP_FIRST_HALF;
372 Uart.bitCnt = 0;
373 Uart.byteCnt = 0;
374 Uart.parityBits = 0;
375 error = 0;
376 }
377 else {
378 Uart.highCnt = 0;
379 }
380 }
381 else {
382 if(Uart.highCnt < 8) {
383 Uart.highCnt++;
384 }
385 }
386 }
387
388 return FALSE;
389}
390
391//=============================================================================
392// ISO 14443 Type A - Manchester
393//=============================================================================
394
395static struct {
396 enum {
397 DEMOD_UNSYNCD,
398 DEMOD_START_OF_COMMUNICATION,
399 DEMOD_MANCHESTER_D,
400 DEMOD_MANCHESTER_E,
401 DEMOD_MANCHESTER_F,
402 DEMOD_ERROR_WAIT
403 } state;
404 int bitCount;
405 int posCount;
406 int syncBit;
407 int parityBits;
f7e3ed82 408 uint16_t shiftReg;
15c4dc5a 409 int buffer;
410 int buff;
411 int samples;
412 int len;
413 enum {
414 SUB_NONE,
415 SUB_FIRST_HALF,
416 SUB_SECOND_HALF
417 } sub;
f7e3ed82 418 uint8_t *output;
15c4dc5a 419} Demod;
420
6c1e2d95 421static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 422{
423 int bit;
424 int modulation;
425 int error = 0;
426
427 if(!Demod.buff) {
428 Demod.buff = 1;
429 Demod.buffer = v;
430 return FALSE;
431 }
432 else {
433 bit = Demod.buffer;
434 Demod.buffer = v;
435 }
436
437 if(Demod.state==DEMOD_UNSYNCD) {
438 Demod.output[Demod.len] = 0xfa;
439 Demod.syncBit = 0;
440 //Demod.samples = 0;
441 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 442
443 if(bit & 0x08) {
444 Demod.syncBit = 0x08;
15c4dc5a 445 }
15c4dc5a 446
2f2d9fc5 447 if(bit & 0x04) {
448 if(Demod.syncBit) {
449 bit <<= 4;
450 }
451 Demod.syncBit = 0x04;
452 }
15c4dc5a 453
2f2d9fc5 454 if(bit & 0x02) {
455 if(Demod.syncBit) {
456 bit <<= 2;
15c4dc5a 457 }
2f2d9fc5 458 Demod.syncBit = 0x02;
15c4dc5a 459 }
15c4dc5a 460
593924e7 461 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 462 Demod.syncBit = 0x01;
463 }
464
15c4dc5a 465 if(Demod.syncBit) {
466 Demod.len = 0;
467 Demod.state = DEMOD_START_OF_COMMUNICATION;
468 Demod.sub = SUB_FIRST_HALF;
469 Demod.bitCount = 0;
470 Demod.shiftReg = 0;
471 Demod.parityBits = 0;
472 Demod.samples = 0;
473 if(Demod.posCount) {
534983d7 474 if(trigger) LED_A_OFF();
15c4dc5a 475 switch(Demod.syncBit) {
476 case 0x08: Demod.samples = 3; break;
477 case 0x04: Demod.samples = 2; break;
478 case 0x02: Demod.samples = 1; break;
479 case 0x01: Demod.samples = 0; break;
480 }
481 }
482 error = 0;
483 }
484 }
485 else {
486 //modulation = bit & Demod.syncBit;
487 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
488
489 Demod.samples += 4;
490
491 if(Demod.posCount==0) {
492 Demod.posCount = 1;
493 if(modulation) {
494 Demod.sub = SUB_FIRST_HALF;
495 }
496 else {
497 Demod.sub = SUB_NONE;
498 }
499 }
500 else {
501 Demod.posCount = 0;
502 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
503 if(Demod.state!=DEMOD_ERROR_WAIT) {
504 Demod.state = DEMOD_ERROR_WAIT;
505 Demod.output[Demod.len] = 0xaa;
506 error = 0x01;
507 }
508 }
509 else if(modulation) {
510 Demod.sub = SUB_SECOND_HALF;
511 }
512
513 switch(Demod.state) {
514 case DEMOD_START_OF_COMMUNICATION:
515 if(Demod.sub == SUB_FIRST_HALF) {
516 Demod.state = DEMOD_MANCHESTER_D;
517 }
518 else {
519 Demod.output[Demod.len] = 0xab;
520 Demod.state = DEMOD_ERROR_WAIT;
521 error = 0x02;
522 }
523 break;
524
525 case DEMOD_MANCHESTER_D:
526 case DEMOD_MANCHESTER_E:
527 if(Demod.sub == SUB_FIRST_HALF) {
528 Demod.bitCount++;
529 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
530 Demod.state = DEMOD_MANCHESTER_D;
531 }
532 else if(Demod.sub == SUB_SECOND_HALF) {
533 Demod.bitCount++;
534 Demod.shiftReg >>= 1;
535 Demod.state = DEMOD_MANCHESTER_E;
536 }
537 else {
538 Demod.state = DEMOD_MANCHESTER_F;
539 }
540 break;
541
542 case DEMOD_MANCHESTER_F:
543 // Tag response does not need to be a complete byte!
544 if(Demod.len > 0 || Demod.bitCount > 0) {
545 if(Demod.bitCount > 0) {
546 Demod.shiftReg >>= (9 - Demod.bitCount);
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549 // No parity bit, so just shift a 0
550 Demod.parityBits <<= 1;
551 }
552
553 Demod.state = DEMOD_UNSYNCD;
554 return TRUE;
555 }
556 else {
557 Demod.output[Demod.len] = 0xad;
558 Demod.state = DEMOD_ERROR_WAIT;
559 error = 0x03;
560 }
561 break;
562
563 case DEMOD_ERROR_WAIT:
564 Demod.state = DEMOD_UNSYNCD;
565 break;
566
567 default:
568 Demod.output[Demod.len] = 0xdd;
569 Demod.state = DEMOD_UNSYNCD;
570 break;
571 }
572
573 if(Demod.bitCount>=9) {
574 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
575 Demod.len++;
576
577 Demod.parityBits <<= 1;
578 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
579
580 Demod.bitCount = 0;
581 Demod.shiftReg = 0;
582 }
583
584 /*if(error) {
585 Demod.output[Demod.len] = 0xBB;
586 Demod.len++;
587 Demod.output[Demod.len] = error & 0xFF;
588 Demod.len++;
589 Demod.output[Demod.len] = 0xBB;
590 Demod.len++;
591 Demod.output[Demod.len] = bit & 0xFF;
592 Demod.len++;
593 Demod.output[Demod.len] = Demod.buffer & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = 0xBB;
598 Demod.len++;
599 return TRUE;
600 }*/
601
602 }
603
604 } // end (state != UNSYNCED)
605
606 return FALSE;
607}
608
609//=============================================================================
610// Finally, a `sniffer' for ISO 14443 Type A
611// Both sides of communication!
612//=============================================================================
613
614//-----------------------------------------------------------------------------
615// Record the sequence of commands sent by the reader to the tag, with
616// triggering so that we start recording at the point that the tag is moved
617// near the reader.
618//-----------------------------------------------------------------------------
6c1e2d95 619void RAMFUNC SnoopIso14443a(void)
15c4dc5a 620{
621// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
622// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
623// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
624// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
625// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
626
627 // We won't start recording the frames that we acquire until we trigger;
628 // a good trigger condition to get started is probably when we see a
629 // response from the tag.
7e758047 630 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 631
632 // The command (reader -> tag) that we're receiving.
633 // The length of a received command will in most cases be no more than 18 bytes.
634 // So 32 should be enough!
f7e3ed82 635 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 636 // The response (tag -> reader) that we're receiving.
f7e3ed82 637 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 638
639 // As we receive stuff, we copy it from receivedCmd or receivedResponse
640 // into trace, along with its length and other annotations.
f7e3ed82 641 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 642
643 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 644
645 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 646 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 647 int lastRxCounter;
f7e3ed82 648 int8_t *upTo;
15c4dc5a 649 int smpl;
650 int maxBehindBy = 0;
651
652 // Count of samples received so far, so that we can include timing
653 // information in the trace buffer.
654 int samples = 0;
cee5a30d 655 int rsamples = 0;
15c4dc5a 656
657 memset(trace, 0x44, RECV_CMD_OFFSET);
658
659 // Set up the demodulator for tag -> reader responses.
660 Demod.output = receivedResponse;
661 Demod.len = 0;
662 Demod.state = DEMOD_UNSYNCD;
663
7e758047 664 // Setup for the DMA.
665 FpgaSetupSsc();
666 upTo = dmaBuf;
667 lastRxCounter = DMA_BUFFER_SIZE;
668 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
669
15c4dc5a 670 // And the reader -> tag commands
671 memset(&Uart, 0, sizeof(Uart));
672 Uart.output = receivedCmd;
673 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
674 Uart.state = STATE_UNSYNCD;
675
676 // And put the FPGA in the appropriate mode
677 // Signal field is off with the appropriate LED
678 LED_D_OFF();
679 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
680 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
681
15c4dc5a 682
683 // And now we loop, receiving samples.
684 for(;;) {
7e758047 685 LED_A_ON();
686 WDT_HIT();
15c4dc5a 687 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
688 (DMA_BUFFER_SIZE-1);
689 if(behindBy > maxBehindBy) {
690 maxBehindBy = behindBy;
691 if(behindBy > 400) {
7e758047 692 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 693 goto done;
694 }
695 }
696 if(behindBy < 1) continue;
697
7e758047 698 LED_A_OFF();
15c4dc5a 699 smpl = upTo[0];
700 upTo++;
701 lastRxCounter -= 1;
702 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
703 upTo -= DMA_BUFFER_SIZE;
704 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 705 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 706 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
707 }
708
709 samples += 4;
7e758047 710 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 711 rsamples = samples - Uart.samples;
72934aa3 712 LED_C_ON();
7e758047 713 if(triggered) {
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 718 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 722 trace[traceLen++] = Uart.byteCnt;
723 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
724 traceLen += Uart.byteCnt;
725 if(traceLen > TRACE_LENGTH) break;
726 }
727 /* And ready to receive another command. */
728 Uart.state = STATE_UNSYNCD;
729 /* And also reset the demod code, which might have been */
730 /* false-triggered by the commands from the reader. */
731 Demod.state = DEMOD_UNSYNCD;
7e758047 732 LED_B_OFF();
15c4dc5a 733 }
7e758047 734
735 if(ManchesterDecoding(smpl & 0x0F)) {
736 rsamples = samples - Demod.samples;
737 LED_B_ON();
738
739 // timestamp, as a count of samples
740 trace[traceLen++] = ((rsamples >> 0) & 0xff);
741 trace[traceLen++] = ((rsamples >> 8) & 0xff);
742 trace[traceLen++] = ((rsamples >> 16) & 0xff);
743 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
744 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
745 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
748 // length
749 trace[traceLen++] = Demod.len;
750 memcpy(trace+traceLen, receivedResponse, Demod.len);
751 traceLen += Demod.len;
752 if(traceLen > TRACE_LENGTH) break;
753
754 triggered = TRUE;
15c4dc5a 755
756 // And ready to receive another response.
757 memset(&Demod, 0, sizeof(Demod));
758 Demod.output = receivedResponse;
759 Demod.state = DEMOD_UNSYNCD;
7e758047 760 LED_C_OFF();
761 }
15c4dc5a 762
763 if(BUTTON_PRESS()) {
764 DbpString("cancelled_a");
765 goto done;
766 }
767 }
768
769 DbpString("COMMAND FINISHED");
770
771 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
772 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
773
774done:
775 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
776 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
777 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
778 LED_A_OFF();
779 LED_B_OFF();
780 LED_C_OFF();
781 LED_D_OFF();
782}
783
15c4dc5a 784//-----------------------------------------------------------------------------
785// Prepare tag messages
786//-----------------------------------------------------------------------------
f7e3ed82 787static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 788{
789 int i;
790 int oddparity;
791
792 ToSendReset();
793
794 // Correction bit, might be removed when not needed
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798 ToSendStuffBit(0);
799 ToSendStuffBit(1); // 1
800 ToSendStuffBit(0);
801 ToSendStuffBit(0);
802 ToSendStuffBit(0);
803
804 // Send startbit
72934aa3 805 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 806
807 for(i = 0; i < len; i++) {
808 int j;
f7e3ed82 809 uint8_t b = cmd[i];
15c4dc5a 810
811 // Data bits
812 oddparity = 0x01;
813 for(j = 0; j < 8; j++) {
814 oddparity ^= (b & 1);
815 if(b & 1) {
72934aa3 816 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 817 } else {
72934aa3 818 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 819 }
820 b >>= 1;
821 }
822
823 // Parity bit
824 if(oddparity) {
72934aa3 825 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 826 } else {
72934aa3 827 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 828 }
829 }
830
831 // Send stopbit
72934aa3 832 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 833
834 // Flush the buffer in FPGA!!
835 for(i = 0; i < 5; i++) {
72934aa3 836 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 837 }
838
839 // Convert from last byte pos to length
840 ToSendMax++;
841
842 // Add a few more for slop
843 ToSend[ToSendMax++] = 0x00;
844 ToSend[ToSendMax++] = 0x00;
845 //ToSendMax += 2;
846}
847
848//-----------------------------------------------------------------------------
849// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
850//-----------------------------------------------------------------------------
851static void CodeStrangeAnswer()
852{
853 int i;
854
855 ToSendReset();
856
857 // Correction bit, might be removed when not needed
858 ToSendStuffBit(0);
859 ToSendStuffBit(0);
860 ToSendStuffBit(0);
861 ToSendStuffBit(0);
862 ToSendStuffBit(1); // 1
863 ToSendStuffBit(0);
864 ToSendStuffBit(0);
865 ToSendStuffBit(0);
866
867 // Send startbit
72934aa3 868 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 869
870 // 0
72934aa3 871 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 872
873 // 0
72934aa3 874 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 875
876 // 1
72934aa3 877 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 878
879 // Send stopbit
72934aa3 880 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 881
882 // Flush the buffer in FPGA!!
883 for(i = 0; i < 5; i++) {
72934aa3 884 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 885 }
886
887 // Convert from last byte pos to length
888 ToSendMax++;
889
890 // Add a few more for slop
891 ToSend[ToSendMax++] = 0x00;
892 ToSend[ToSendMax++] = 0x00;
893 //ToSendMax += 2;
894}
895
896//-----------------------------------------------------------------------------
897// Wait for commands from reader
898// Stop when button is pressed
899// Or return TRUE when command is captured
900//-----------------------------------------------------------------------------
f7e3ed82 901static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 902{
903 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
904 // only, since we are receiving, not transmitting).
905 // Signal field is off with the appropriate LED
906 LED_D_OFF();
907 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
908
909 // Now run a `software UART' on the stream of incoming samples.
910 Uart.output = received;
911 Uart.byteCntMax = maxLen;
912 Uart.state = STATE_UNSYNCD;
913
914 for(;;) {
915 WDT_HIT();
916
917 if(BUTTON_PRESS()) return FALSE;
918
919 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
920 AT91C_BASE_SSC->SSC_THR = 0x00;
921 }
922 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 923 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 924 if(MillerDecoding((b & 0xf0) >> 4)) {
925 *len = Uart.byteCnt;
926 return TRUE;
927 }
928 if(MillerDecoding(b & 0x0f)) {
929 *len = Uart.byteCnt;
930 return TRUE;
931 }
932 }
933 }
934}
935
936//-----------------------------------------------------------------------------
937// Main loop of simulated tag: receive commands from reader, decide what
938// response to send, and send it.
939//-----------------------------------------------------------------------------
940void SimulateIso14443aTag(int tagType, int TagUid)
941{
942 // This function contains the tag emulation
943
944 // Prepare protocol messages
f7e3ed82 945 // static const uint8_t cmd1[] = { 0x26 };
946// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 947//
f7e3ed82 948 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
949// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 950
951 // UID response
f7e3ed82 952 // static const uint8_t cmd2[] = { 0x93, 0x20 };
953 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 954
15c4dc5a 955// my desfire
f7e3ed82 956 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 957
958
959// When reader selects us during cascade1 it will send cmd3
f7e3ed82 960//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
961uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 962ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
963
964// send cascade2 2nd half of UID
f7e3ed82 965static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 966// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
967
15c4dc5a 968// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 969//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
970uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 971ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
972
f7e3ed82 973 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 974
f7e3ed82 975 uint8_t *resp;
15c4dc5a 976 int respLen;
977
978 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
979 // This will need
980 // 144 data bits (18 * 8)
981 // 18 parity bits
982 // 2 Start and stop
983 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
984 // 1 just for the case
985 // ----------- +
986 // 166
987 //
988 // 166 bytes, since every bit that needs to be send costs us a byte
989 //
990
15c4dc5a 991 // Respond with card type
f7e3ed82 992 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 993 int resp1Len;
994
995 // Anticollision cascade1 - respond with uid
f7e3ed82 996 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 997 int resp2Len;
998
999 // Anticollision cascade2 - respond with 2nd half of uid if asked
1000 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1001 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1002 int resp2aLen;
1003
1004 // Acknowledge select - cascade 1
f7e3ed82 1005 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1006 int resp3Len;
1007
1008 // Acknowledge select - cascade 2
f7e3ed82 1009 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1010 int resp3aLen;
1011
1012 // Response to a read request - not implemented atm
f7e3ed82 1013 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1014 int resp4Len;
1015
1016 // Authenticate response - nonce
f7e3ed82 1017 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1018 int resp5Len;
1019
f7e3ed82 1020 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1021 int len;
1022
1023 int i;
1024 int u;
f7e3ed82 1025 uint8_t b;
15c4dc5a 1026
1027 // To control where we are in the protocol
1028 int order = 0;
1029 int lastorder;
1030
1031 // Just to allow some checks
1032 int happened = 0;
1033 int happened2 = 0;
1034
1035 int cmdsRecvd = 0;
1036
f7e3ed82 1037 int fdt_indicator;
15c4dc5a 1038
1039 memset(receivedCmd, 0x44, 400);
1040
1041 // Prepare the responses of the anticollision phase
1042 // there will be not enough time to do this at the moment the reader sends it REQA
1043
1044 // Answer to request
1045 CodeIso14443aAsTag(response1, sizeof(response1));
1046 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1047
1048 // Send our UID (cascade 1)
1049 CodeIso14443aAsTag(response2, sizeof(response2));
1050 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1051
1052 // Answer to select (cascade1)
1053 CodeIso14443aAsTag(response3, sizeof(response3));
1054 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1055
1056 // Send the cascade 2 2nd part of the uid
1057 CodeIso14443aAsTag(response2a, sizeof(response2a));
1058 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1059
1060 // Answer to select (cascade 2)
1061 CodeIso14443aAsTag(response3a, sizeof(response3a));
1062 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1063
1064 // Strange answer is an example of rare message size (3 bits)
1065 CodeStrangeAnswer();
1066 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1067
1068 // Authentication answer (random nonce)
1069 CodeIso14443aAsTag(response5, sizeof(response5));
1070 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1071
1072 // We need to listen to the high-frequency, peak-detected path.
1073 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1074 FpgaSetupSsc();
1075
1076 cmdsRecvd = 0;
1077
1078 LED_A_ON();
1079 for(;;) {
1080
1081 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1082 DbpString("button press");
1083 break;
1084 }
1085 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1086 // Okay, look at the command now.
1087 lastorder = order;
1088 i = 1; // first byte transmitted
1089 if(receivedCmd[0] == 0x26) {
1090 // Received a REQUEST
1091 resp = resp1; respLen = resp1Len; order = 1;
1092 //DbpString("Hello request from reader:");
1093 } else if(receivedCmd[0] == 0x52) {
1094 // Received a WAKEUP
1095 resp = resp1; respLen = resp1Len; order = 6;
1096// //DbpString("Wakeup request from reader:");
1097
1098 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1099 // Received request for UID (cascade 1)
1100 resp = resp2; respLen = resp2Len; order = 2;
1101// DbpString("UID (cascade 1) request from reader:");
1102// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1103
1104
1105 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1106 // Received request for UID (cascade 2)
1107 resp = resp2a; respLen = resp2aLen; order = 20;
1108// DbpString("UID (cascade 2) request from reader:");
1109// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1110
1111
1112 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1113 // Received a SELECT
1114 resp = resp3; respLen = resp3Len; order = 3;
1115// DbpString("Select (cascade 1) request from reader:");
1116// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1117
1118
1119 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1120 // Received a SELECT
1121 resp = resp3a; respLen = resp3aLen; order = 30;
1122// DbpString("Select (cascade 2) request from reader:");
1123// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124
1125
1126 } else if(receivedCmd[0] == 0x30) {
1127 // Received a READ
1128 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1129 Dbprintf("Read request from reader: %x %x %x",
1130 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1131
1132
1133 } else if(receivedCmd[0] == 0x50) {
1134 // Received a HALT
1135 resp = resp1; respLen = 0; order = 5; // Do nothing
1136 DbpString("Reader requested we HALT!:");
1137
1138 } else if(receivedCmd[0] == 0x60) {
1139 // Received an authentication request
1140 resp = resp5; respLen = resp5Len; order = 7;
1141 Dbprintf("Authenticate request from reader: %x %x %x",
1142 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144 } else if(receivedCmd[0] == 0xE0) {
1145 // Received a RATS request
1146 resp = resp1; respLen = 0;order = 70;
1147 Dbprintf("RATS request from reader: %x %x %x",
1148 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1149 } else {
1150 // Never seen this command before
20f9a2a1
M		 1151 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1152 len,
15c4dc5a 1153 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M		 1154 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1155 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1156 // Do not respond
1157 resp = resp1; respLen = 0; order = 0;
1158 }
1159
1160 // Count number of wakeups received after a halt
1161 if(order == 6 && lastorder == 5) { happened++; }
1162
1163 // Count number of other messages after a halt
1164 if(order != 6 && lastorder == 5) { happened2++; }
1165
1166 // Look at last parity bit to determine timing of answer
1167 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1168 // 1236, so correction bit needed
1169 i = 0;
1170 }
1171
1172 memset(receivedCmd, 0x44, 32);
1173
1174 if(cmdsRecvd > 999) {
1175 DbpString("1000 commands later...");
1176 break;
1177 }
1178 else {
1179 cmdsRecvd++;
1180 }
1181
1182 if(respLen <= 0) continue;
1183
1184 // Modulate Manchester
1185 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1186 AT91C_BASE_SSC->SSC_THR = 0x00;
1187 FpgaSetupSsc();
1188
1189 // ### Transmit the response ###
1190 u = 0;
1191 b = 0x00;
1192 fdt_indicator = FALSE;
1193 for(;;) {
1194 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1195 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1196 (void)b;
1197 }
1198 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1199 if(i > respLen) {
1200 b = 0x00;
1201 u++;
1202 } else {
1203 b = resp[i];
1204 i++;
1205 }
1206 AT91C_BASE_SSC->SSC_THR = b;
1207
1208 if(u > 4) {
1209 break;
1210 }
1211 }
1212 if(BUTTON_PRESS()) {
1213 break;
1214 }
1215 }
1216
1217 }
1218
1219 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1220 LED_A_OFF();
1221}
1222
1223//-----------------------------------------------------------------------------
1224// Transmit the command (to the tag) that was placed in ToSend[].
1225//-----------------------------------------------------------------------------
f7e3ed82 1226static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1227{
1228 int c;
e30c654b 1229
15c4dc5a 1230 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1231
15c4dc5a 1232 if (wait)
1233 if(*wait < 10)
1234 *wait = 10;
e30c654b 1235
15c4dc5a 1236 for(c = 0; c < *wait;) {
1237 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1238 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1239 c++;
1240 }
1241 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1242 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1243 (void)r;
1244 }
1245 WDT_HIT();
1246 }
e30c654b 1247
15c4dc5a 1248 c = 0;
1249 for(;;) {
1250 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1251 AT91C_BASE_SSC->SSC_THR = cmd[c];
1252 c++;
1253 if(c >= len) {
1254 break;
1255 }
1256 }
1257 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1258 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1259 (void)r;
1260 }
1261 WDT_HIT();
1262 }
1263 if (samples) *samples = (c + *wait) << 3;
1264}
1265
15c4dc5a 1266//-----------------------------------------------------------------------------
1267// Code a 7-bit command without parity bit
1268// This is especially for 0x26 and 0x52 (REQA and WUPA)
1269//-----------------------------------------------------------------------------
f7e3ed82 1270void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1271{
1272 int j;
1273 int last;
f7e3ed82 1274 uint8_t b;
15c4dc5a 1275
1276 ToSendReset();
1277
1278 // Start of Communication (Seq. Z)
72934aa3 1279 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1280 last = 0;
1281
1282 b = bt;
1283 for(j = 0; j < 7; j++) {
1284 if(b & 1) {
1285 // Sequence X
72934aa3 1286 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1287 last = 1;
1288 } else {
1289 if(last == 0) {
1290 // Sequence Z
72934aa3 1291 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1292 }
1293 else {
1294 // Sequence Y
72934aa3 1295 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1296 last = 0;
1297 }
1298 }
1299 b >>= 1;
1300 }
1301
1302 // End of Communication
1303 if(last == 0) {
1304 // Sequence Z
72934aa3 1305 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1306 }
1307 else {
1308 // Sequence Y
72934aa3 1309 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1310 last = 0;
1311 }
1312 // Sequence Y
72934aa3 1313 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1314
1315 // Just to be sure!
72934aa3 1316 ToSend[++ToSendMax] = SEC_Y;
1317 ToSend[++ToSendMax] = SEC_Y;
1318 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1319
1320 // Convert from last character reference to length
1321 ToSendMax++;
1322}
1323
1324//-----------------------------------------------------------------------------
1325// Prepare reader command to send to FPGA
e30c654b 1326//
15c4dc5a 1327//-----------------------------------------------------------------------------
f7e3ed82 1328void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1329{
1330 int i, j;
1331 int last;
f7e3ed82 1332 uint8_t b;
e30c654b 1333
15c4dc5a 1334 ToSendReset();
e30c654b 1335
15c4dc5a 1336 // Start of Communication (Seq. Z)
72934aa3 1337 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1338 last = 0;
e30c654b 1339
15c4dc5a 1340 // Generate send structure for the data bits
1341 for (i = 0; i < len; i++) {
1342 // Get the current byte to send
1343 b = cmd[i];
e30c654b 1344
15c4dc5a 1345 for (j = 0; j < 8; j++) {
1346 if (b & 1) {
1347 // Sequence X
72934aa3 1348 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1349 last = 1;
1350 } else {
1351 if (last == 0) {
1352 // Sequence Z
72934aa3 1353 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1354 } else {
1355 // Sequence Y
72934aa3 1356 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1357 last = 0;
1358 }
1359 }
1360 b >>= 1;
1361 }
e30c654b 1362
15c4dc5a 1363 // Get the parity bit
1364 if ((dwParity >> i) & 0x01) {
1365 // Sequence X
72934aa3 1366 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1367 last = 1;
1368 } else {
1369 if (last == 0) {
1370 // Sequence Z
72934aa3 1371 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1372 } else {
1373 // Sequence Y
72934aa3 1374 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1375 last = 0;
1376 }
1377 }
1378 }
e30c654b 1379
15c4dc5a 1380 // End of Communication
1381 if (last == 0) {
1382 // Sequence Z
72934aa3 1383 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1384 } else {
1385 // Sequence Y
72934aa3 1386 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1387 last = 0;
1388 }
1389 // Sequence Y
72934aa3 1390 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1391
15c4dc5a 1392 // Just to be sure!
72934aa3 1393 ToSend[++ToSendMax] = SEC_Y;
1394 ToSend[++ToSendMax] = SEC_Y;
1395 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1396
15c4dc5a 1397 // Convert from last character reference to length
1398 ToSendMax++;
1399}
1400
1401//-----------------------------------------------------------------------------
1402// Wait a certain time for tag response
1403// If a response is captured return TRUE
1404// If it takes to long return FALSE
1405//-----------------------------------------------------------------------------
f7e3ed82 1406static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1407{
1408 // buffer needs to be 512 bytes
1409 int c;
1410
1411 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1412 // only, since we are receiving, not transmitting).
1413 // Signal field is on with the appropriate LED
1414 LED_D_ON();
1415 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1416
534983d7 1417 // Now get the answer from the card
1418 Demod.output = receivedResponse;
1419 Demod.len = 0;
1420 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1421
f7e3ed82 1422 uint8_t b;
15c4dc5a 1423 if (elapsed) *elapsed = 0;
1424
1425 c = 0;
1426 for(;;) {
534983d7 1427 WDT_HIT();
15c4dc5a 1428
534983d7 1429 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1430 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1431 if (elapsed) (*elapsed)++;
534983d7 1432 }
1433 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1434 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1435 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1436 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1437 *samples = ((c - 1) << 3) + 4;
1438 return TRUE;
1439 }
1440 if(ManchesterDecoding(b & 0x0f)) {
1441 *samples = c << 3;
1442 return TRUE;
1443 }
534983d7 1444 }
1445 }
15c4dc5a 1446}
1447
f7e3ed82 1448void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1449{
1450 int wait = 0;
1451 int samples = 0;
1452
1453 ShortFrameFromReader(*bt);
e30c654b 1454
15c4dc5a 1455 // Select the card
e30c654b 1456 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1457
15c4dc5a 1458 // Store reader command in buffer
1459 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1460}
1461
f7e3ed82 1462void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1463{
1464 int wait = 0;
1465 int samples = 0;
e30c654b 1466
15c4dc5a 1467 // This is tied to other size changes
f7e3ed82 1468 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1469 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1470
15c4dc5a 1471 // Select the card
e30c654b 1472 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1473 if(trigger)
1474 LED_A_ON();
e30c654b 1475
15c4dc5a 1476 // Store reader command in buffer
1477 if (tracing) LogTrace(frame,len,0,par,TRUE);
1478}
1479
1480
f7e3ed82 1481void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1482{
1483 // Generate parity and redirect
1484 ReaderTransmitPar(frame,len,GetParity(frame,len));
1485}
1486
f7e3ed82 1487int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1488{
1489 int samples = 0;
20f9a2a1 1490 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1491 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1492 if(samples == 0) return FALSE;
1493 return Demod.len;
15c4dc5a 1494}
1495
f89c7050
M		 1496int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1497{
1498 int samples = 0;
1499 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1500 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1501 *parptr = Demod.parityBits;
1502 if(samples == 0) return FALSE;
1503 return Demod.len;
1504}
1505
7e758047 1506/* performs iso14443a anticolision procedure
534983d7 1507 * fills the uid pointer unless NULL
1508 * fills resp_data unless NULL */
20f9a2a1
M		 1509int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1510 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1511 uint8_t sel_all[] = { 0x93,0x20 };
1512 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1513 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1514
7e758047 1515 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1516
534983d7 1517 uint8_t sak = 0x04; // cascade uid
1518 int cascade_level = 0;
1519
7e758047 1520 int len;
20f9a2a1
M		 1521
1522 // clear uid
1523 memset(uid_ptr, 0, 8);
15c4dc5a 1524
7e758047 1525 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1526 ReaderTransmitShort(wupa);
1527 // Receive the ATQA
1528 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1529
534983d7 1530 if(resp_data)
1531 memcpy(resp_data->atqa, resp, 2);
1532
534983d7 1533 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1534 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1535 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1536 for(; sak & 0x04; cascade_level++)
7e758047 1537 {
534983d7 1538 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1539 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1540
1541 // SELECT_ALL
1542 ReaderTransmit(sel_all,sizeof(sel_all));
1543 if (!ReaderReceive(resp)) return 0;
1544 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M		 1545
1546 // calculate crypto UID
1547 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1548
7e758047 1549 // Construct SELECT UID command
534983d7 1550 memcpy(sel_uid+2,resp,5);
1551 AppendCrc14443a(sel_uid,7);
1552 ReaderTransmit(sel_uid,sizeof(sel_uid));
1553
7e758047 1554 // Receive the SAK
1555 if (!ReaderReceive(resp)) return 0;
534983d7 1556 sak = resp[0];
7e758047 1557 }
534983d7 1558 if(resp_data) {
1559 resp_data->sak = sak;
1560 resp_data->ats_len = 0;
1561 }
20f9a2a1
M		 1562 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1563 if (uid_ptr[0] == 0x88) {
1564 memcpy(uid_ptr, uid_ptr + 1, 7);
1565 uid_ptr[7] = 0;
1566 }
534983d7 1567
1568 if( (sak & 0x20) == 0)
7e758047 1569 return 2; // non iso14443a compliant tag
534983d7 1570
7e758047 1571 // Request for answer to select
20f9a2a1
M		 1572 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1573 AppendCrc14443a(rats, 2);
1574 ReaderTransmit(rats, sizeof(rats));
1575
1576 if (!(len = ReaderReceive(resp))) return 0;
1577
534983d7 1578 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1579 resp_data->ats_len = len;
1580 }
20f9a2a1 1581
7e758047 1582 return 1;
1583}
15c4dc5a 1584
7e758047 1585void iso14443a_setup() {
1586 // Setup SSC
1587 FpgaSetupSsc();
1588 // Start from off (no field generated)
1589 // Signal field is off with the appropriate LED
1590 LED_D_OFF();
1591 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1592 SpinDelay(200);
15c4dc5a 1593
7e758047 1594 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1595
7e758047 1596 // Now give it time to spin up.
1597 // Signal field is on with the appropriate LED
1598 LED_D_ON();
1599 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1600 SpinDelay(200);
534983d7 1601
1602 iso14a_timeout = 2048; //default
7e758047 1603}
15c4dc5a 1604
534983d7 1605int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1606 uint8_t real_cmd[cmd_len+4];
1607 real_cmd[0] = 0x0a; //I-Block
1608 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1609 memcpy(real_cmd+2, cmd, cmd_len);
1610 AppendCrc14443a(real_cmd,cmd_len+2);
1611
1612 ReaderTransmit(real_cmd, cmd_len+4);
1613 size_t len = ReaderReceive(data);
1614 if(!len)
1615 return -1; //DATA LINK ERROR
1616
1617 return len;
1618}
1619
1620
7e758047 1621//-----------------------------------------------------------------------------
1622// Read an ISO 14443a tag. Send out commands and store answers.
1623//
1624//-----------------------------------------------------------------------------
534983d7 1625void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1626{
534983d7 1627 iso14a_command_t param = c->arg[0];
1628 uint8_t * cmd = c->d.asBytes;
1629 size_t len = c->arg[1];
e30c654b 1630
534983d7 1631 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1632
534983d7 1633 if(param & ISO14A_CONNECT) {
1634 iso14443a_setup();
20f9a2a1 1635 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1636 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1637 }
e30c654b 1638
534983d7 1639 if(param & ISO14A_SET_TIMEOUT) {
1640 iso14a_timeout = c->arg[2];
1641 }
e30c654b 1642
534983d7 1643 if(param & ISO14A_SET_TIMEOUT) {
1644 iso14a_timeout = c->arg[2];
1645 }
e30c654b 1646
534983d7 1647 if(param & ISO14A_APDU) {
1648 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1649 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1650 }
e30c654b 1651
534983d7 1652 if(param & ISO14A_RAW) {
1653 if(param & ISO14A_APPEND_CRC) {
1654 AppendCrc14443a(cmd,len);
1655 len += 2;
15c4dc5a 1656 }
534983d7 1657 ReaderTransmit(cmd,len);
1658 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1659 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1660 }
15c4dc5a 1661
534983d7 1662 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1663
534983d7 1664 if(param & ISO14A_NO_DISCONNECT)
1665 return;
15c4dc5a 1666
15c4dc5a 1667 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1668 LEDsoff();
15c4dc5a 1669}
15c4dc5a 1670//-----------------------------------------------------------------------------
1671// Read an ISO 14443a tag. Send out commands and store answers.
1672//
1673//-----------------------------------------------------------------------------
f7e3ed82 1674void ReaderMifare(uint32_t parameter)
15c4dc5a 1675{
15c4dc5a 1676 // Mifare AUTH
f7e3ed82 1677 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1678 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1679
f89c7050
M		 1680 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1681 traceLen = 0;
1682 tracing = false;
e30c654b 1683
7e758047 1684 iso14443a_setup();
e30c654b 1685
15c4dc5a 1686 LED_A_ON();
1687 LED_B_OFF();
1688 LED_C_OFF();
e30c654b 1689
f89c7050
M		 1690 byte_t nt_diff = 0;
1691 LED_A_OFF();
1692 byte_t par = 0;
1693 byte_t par_mask = 0xff;
1694 byte_t par_low = 0;
1695 int led_on = TRUE;
50193c1e 1696 uint8_t uid[8];
f89c7050 1697 uint32_t cuid;
e30c654b 1698
f89c7050
M		 1699 tracing = FALSE;
1700 byte_t nt[4] = {0,0,0,0};
1701 byte_t nt_attacked[4];
1702 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1703 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
1704 num_to_bytes(parameter, 4, nt_attacked);
50193c1e 1705 int isOK = 0, isNULL = 0;
f89c7050
M		 1706
1707 while(TRUE)
1708 {
50193c1e 1709 LED_C_ON();
f89c7050
M		 1710 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1711 SpinDelay(200);
1712 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 1713 LED_C_OFF();
e30c654b 1714
f89c7050
M		 1715 // Test if the action was cancelled
1716 if(BUTTON_PRESS()) {
1717 break;
1718 }
e30c654b 1719
f89c7050 1720 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 1721
f89c7050
M		 1722 // Transmit MIFARE_CLASSIC_AUTH
1723 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 1724
f89c7050
M		 1725 // Receive the (16 bit) "random" nonce
1726 if (!ReaderReceive(receivedAnswer)) continue;
1727 memcpy(nt, receivedAnswer, 4);
e30c654b 1728
f89c7050
M		 1729 // Transmit reader nonce and reader answer
1730 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 1731
f89c7050
M		 1732 // Receive 4 bit answer
1733 if (ReaderReceive(receivedAnswer))
1734 {
50193c1e
M		 1735 isNULL = (nt_attacked[0] = 0) && (nt_attacked[1] = 0) && (nt_attacked[2] = 0) && (nt_attacked[3] = 0);
1736 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1737
f89c7050
M		 1738 if (nt_diff == 0)
1739 {
1740 LED_A_ON();
1741 memcpy(nt_attacked, nt, 4);
1742 par_mask = 0xf8;
1743 par_low = par & 0x07;
1744 }
15c4dc5a 1745
f89c7050
M		 1746 led_on = !led_on;
1747 if(led_on) LED_B_ON(); else LED_B_OFF();
1748 par_list[nt_diff] = par;
1749 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 1750
f89c7050
M		 1751 // Test if the information is complete
1752 if (nt_diff == 0x07) {
1753 isOK = 1;
1754 break;
1755 }
1756
1757 nt_diff = (nt_diff + 1) & 0x07;
1758 mf_nr_ar[3] = nt_diff << 5;
1759 par = par_low;
1760 } else {
1761 if (nt_diff == 0)
1762 {
1763 par++;
1764 } else {
1765 par = (((par >> 3) + 1) << 3) | par_low;
1766 }
1767 }
1768 }
e30c654b 1769
f89c7050
M		 1770 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1771 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1772 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 1773
f89c7050
M		 1774 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1775 memcpy(ack.d.asBytes + 0, uid, 4);
1776 memcpy(ack.d.asBytes + 4, nt, 4);
1777 memcpy(ack.d.asBytes + 8, par_list, 8);
1778 memcpy(ack.d.asBytes + 16, ks_list, 8);
1779
1780 LED_B_ON();
1781 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1782 LED_B_OFF();
1783
1784 // Thats it...
15c4dc5a 1785 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1786 LEDsoff();
f89c7050
M		 1787 tracing = TRUE;
1788
1789// DbpString("COMMAND mifare FINISHED");
20f9a2a1
M		 1790}
1791
1792//-----------------------------------------------------------------------------
1793// Select, Authenticaate, Read an MIFARE tag.
1794// read block
1795//-----------------------------------------------------------------------------
1796void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1797{
1798 // params
1799 uint8_t blockNo = arg0;
1800 uint8_t keyType = arg1;
1801 uint64_t ui64Key = 0;
1802 ui64Key = bytes_to_num(datain, 6);
1803
1804 // variables
4abe4f58
M		 1805 byte_t isOK = 0;
1806 byte_t dataoutbuf[16];
50193c1e 1807 uint8_t uid[8];
20f9a2a1 1808 uint32_t cuid;
4abe4f58 1809 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 1810 struct Crypto1State *pcs;
1811 pcs = &mpcs;
1812
1813 // clear trace
4abe4f58
M		 1814 traceLen = 0;
1815// tracing = false;
20f9a2a1
M		 1816
1817 iso14443a_setup();
1818
1819 LED_A_ON();
1820 LED_B_OFF();
1821 LED_C_OFF();
1822
1823 while (true) {
1824 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1825 Dbprintf("Can't select card");
1826 break;
1827 };
1828
4abe4f58 1829 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
20f9a2a1
M		 1830 Dbprintf("Auth error");
1831 break;
1832 };
1833
1834 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
1835 Dbprintf("Read block error");
1836 break;
1837 };
1838
1839 if(mifare_classic_halt(pcs, cuid)) {
1840 Dbprintf("Halt error");
1841 break;
1842 };
1843
1844 isOK = 1;
1845 break;
1846 }
1847
1848 // ----------------------------- crypto1 destroy
1849 crypto1_destroy(pcs);
1850
1851// DbpString("READ BLOCK FINISHED");
1852
1853 // add trace trailer
1854 uid[0] = 0xff;
1855 uid[1] = 0xff;
1856 uid[2] = 0xff;
1857 uid[3] = 0xff;
4abe4f58 1858 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M		 1859
1860 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1861 memcpy(ack.d.asBytes, dataoutbuf, 16);
1862
1863 LED_B_ON();
1864 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
4abe4f58 1865 LED_B_OFF();
20f9a2a1
M		 1866
1867
1868 // Thats it...
1869 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1870 LEDsoff();
1871// tracing = TRUE;
1872
1873}
1874
1875//-----------------------------------------------------------------------------
1876// Select, Authenticaate, Read an MIFARE tag.
1877// read sector (data = 4 x 16 bytes = 64 bytes)
1878//-----------------------------------------------------------------------------
1879void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1880{
1881 // params
1882 uint8_t sectorNo = arg0;
1883 uint8_t keyType = arg1;
1884 uint64_t ui64Key = 0;
1885 ui64Key = bytes_to_num(datain, 6);
1886
1887 // variables
4abe4f58
M		 1888 byte_t isOK = 0;
1889 byte_t dataoutbuf[16 * 4];
20f9a2a1
M		 1890 uint8_t uid[8];
1891 uint32_t cuid;
4abe4f58 1892 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 1893 struct Crypto1State *pcs;
1894 pcs = &mpcs;
1895
1896 // clear trace
4abe4f58
M		 1897 traceLen = 0;
1898// tracing = false;
20f9a2a1
M		 1899
1900 iso14443a_setup();
1901
1902 LED_A_ON();
1903 LED_B_OFF();
1904 LED_C_OFF();
1905
1906 while (true) {
1907 if(!iso14443a_select_card(uid, NULL, &cuid)) {
1908 Dbprintf("Can't select card");
1909 break;
1910 };
1911
4abe4f58 1912 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
20f9a2a1
M		 1913 Dbprintf("Auth error");
1914 break;
1915 };
1916
1917 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
1918 Dbprintf("Read block 0 error");
1919 break;
1920 };
1921 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
1922 Dbprintf("Read block 1 error");
1923 break;
1924 };
1925 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
1926 Dbprintf("Read block 2 error");
1927 break;
1928 };
1929 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
1930 Dbprintf("Read block 3 error");
1931 break;
1932 };
1933
1934 if(mifare_classic_halt(pcs, cuid)) {
1935 Dbprintf("Halt error");
1936 break;
1937 };
1938
1939 isOK = 1;
1940 break;
1941 }
1942
1943 // ----------------------------- crypto1 destroy
1944 crypto1_destroy(pcs);
1945
1946// DbpString("READ BLOCK FINISHED");
1947
1948 // add trace trailer
1949 uid[0] = 0xff;
1950 uid[1] = 0xff;
1951 uid[2] = 0xff;
1952 uid[3] = 0xff;
4abe4f58 1953 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M		 1954
1955 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1956 memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
1957
1958 LED_B_ON();
1959 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1960
1961 SpinDelay(100);
1962
1963 memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
1964 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1965 LED_B_OFF();
1966
4abe4f58 1967 // Thats it...
20f9a2a1
M		 1968 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1969 LEDsoff();
1970// tracing = TRUE;
1971
1972}
1973
1974//-----------------------------------------------------------------------------
1975// Select, Authenticaate, Read an MIFARE tag.
1976// read block
1977//-----------------------------------------------------------------------------
1978void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1979{
4abe4f58 1980 // params
20f9a2a1
M		 1981 uint8_t blockNo = arg0;
1982 uint8_t keyType = arg1;
1983 uint64_t ui64Key = 0;
4abe4f58 1984 byte_t blockdata[16];
20f9a2a1
M		 1985
1986 ui64Key = bytes_to_num(datain, 6);
1987 memcpy(blockdata, datain + 10, 16);
1988
1989 // variables
4abe4f58 1990 byte_t isOK = 0;
20f9a2a1
M		 1991 uint8_t uid[8];
1992 uint32_t cuid;
4abe4f58 1993 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 1994 struct Crypto1State *pcs;
1995 pcs = &mpcs;
1996
1997 // clear trace
4abe4f58 1998 traceLen = 0;
20f9a2a1
M		 1999// tracing = false;
2000
2001 iso14443a_setup();
2002
2003 LED_A_ON();
2004 LED_B_OFF();
2005 LED_C_OFF();
2006
2007 while (true) {
2008 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2009 Dbprintf("Can't select card");
2010 break;
2011 };
2012
4abe4f58 2013 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
20f9a2a1
M		 2014 Dbprintf("Auth error");
2015 break;
2016 };
2017
2018 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
2019 Dbprintf("Write block error");
2020 break;
2021 };
2022
2023 if(mifare_classic_halt(pcs, cuid)) {
2024 Dbprintf("Halt error");
2025 break;
2026 };
2027
2028 isOK = 1;
2029 break;
2030 }
2031
2032 // ----------------------------- crypto1 destroy
2033 crypto1_destroy(pcs);
2034
2035// DbpString("WRITE BLOCK FINISHED");
2036
2037 // add trace trailer
2038 uid[0] = 0xff;
2039 uid[1] = 0xff;
2040 uid[2] = 0xff;
2041 uid[3] = 0xff;
4abe4f58 2042 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M		 2043
2044 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2045
2046 LED_B_ON();
2047 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2048 LED_B_OFF();
2049
2050
4abe4f58 2051 // Thats it...
20f9a2a1
M		 2052 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2053 LEDsoff();
2054// tracing = TRUE;
2055
2056}
2057
f89c7050
M		 2058// Return 1 if the nonce is invalid else return 0
2059int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {
2060 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
2061 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
2062 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
2063}
2064
2065
20f9a2a1
M		 2066//-----------------------------------------------------------------------------
2067// MIFARE nested authentication.
2068//
2069//-----------------------------------------------------------------------------
2070void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2071{
4abe4f58 2072 // params
20f9a2a1
M		 2073 uint8_t blockNo = arg0;
2074 uint8_t keyType = arg1;
2075 uint64_t ui64Key = 0;
2076
2077 ui64Key = bytes_to_num(datain, 6);
2078
2079 // variables
f89c7050 2080 uint8_t targetBlockNo = blockNo + 1;
50193c1e
M		 2081 uint8_t targetKeyType = keyType;
2082 int rtr, i, j, m, len;
f89c7050 2083 int davg, dmin, dmax;
20f9a2a1 2084 uint8_t uid[8];
f89c7050
M		 2085 uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;
2086 uint8_t par_array[4];
2087 nestedVector nvector[3][10];
2088 int nvectorcount[3] = {10, 10, 10};
2089 int ncount = 0;
50193c1e 2090 UsbCommand ack = {CMD_ACK, {0, 0, 0}};
4abe4f58 2091 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 2092 struct Crypto1State *pcs;
2093 pcs = &mpcs;
f89c7050 2094 uint8_t* receivedAnswer = mifare_get_bigbufptr();
20f9a2a1
M		 2095
2096 // clear trace
4abe4f58 2097 traceLen = 0;
f89c7050 2098 tracing = false;
20f9a2a1
M		 2099
2100 iso14443a_setup();
2101
2102 LED_A_ON();
f89c7050 2103 LED_B_ON();
20f9a2a1
M		 2104 LED_C_OFF();
2105
f89c7050
M		 2106 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2107 SpinDelay(200);
2108
2109 davg = dmax = 0;
2110 dmin = 2000;
2111
2112 // test nonce distance
2113 for (rtr = 0; rtr < 10; rtr++) {
2114 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2115 SpinDelay(100);
2116 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2117
2118 // Test if the action was cancelled
2119 if(BUTTON_PRESS()) {
2120 break;
2121 }
2122
20f9a2a1
M		 2123 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2124 Dbprintf("Can't select card");
2125 break;
2126 };
2127
f89c7050
M		 2128 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
2129 Dbprintf("Auth1 error");
20f9a2a1
M		 2130 break;
2131 };
2132
f89c7050
M		 2133 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2)) {
2134 Dbprintf("Auth2 error");
20f9a2a1
M		 2135 break;
2136 };
2137
f89c7050
M		 2138 nttmp = prng_successor(nt1, 500);
2139 for (i = 501; i < 2000; i++) {
2140 nttmp = prng_successor(nttmp, 1);
2141 if (nttmp == nt2) break;
2142 }
2143
2144 if (i != 2000) {
2145 davg += i;
2146 if (dmin > i) dmin = i;
2147 if (dmax < i) dmax = i;
2148// Dbprintf("r=%d nt1=%08x nt2=%08x distance=%d", rtr, nt1, nt2, i);
2149 }
2150 }
2151
2152 if (rtr == 0) return;
2153
2154 davg = davg / rtr;
2155 Dbprintf("distance: min=%d max=%d avg=%d", dmin, dmax, davg);
2156
2157 LED_B_OFF();
2158
2159 tracing = true;
2160
2161 LED_C_ON();
2162
2163 // get crypted nonces for target sector
50193c1e
M		 2164 for (rtr = 0; rtr < 2; rtr++) {
2165// Dbprintf("------------------------------");
f89c7050
M		 2166
2167 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2168 SpinDelay(100);
2169 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2170
2171 // Test if the action was cancelled
2172 if(BUTTON_PRESS()) {
2173 break;
2174 }
2175
2176 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2177 Dbprintf("Can't select card");
2178 break;
2179 };
2180
2181 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
2182 Dbprintf("Auth1 error");
20f9a2a1
M		 2183 break;
2184 };
2185
f89c7050 2186 // nested authentication
50193c1e 2187 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par);
f89c7050
M		 2188 if (len != 4) {
2189 Dbprintf("Auth2 error len=%d", len);
20f9a2a1
M		 2190 break;
2191 };
f89c7050
M		 2192
2193 nt2 = bytes_to_num(receivedAnswer, 4);
50193c1e 2194// Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par);
20f9a2a1 2195
f89c7050
M		 2196// ----------------------- test
2197/* uint32_t d_nt, d_ks1, d_ks2, d_ks3, reader_challenge;
2198 byte_t ar[4];
2199
2200 ar[0] = 0x55;
2201 ar[1] = 0x41;
2202 ar[2] = 0x49;
2203 ar[3] = 0x92;
2204
2205 crypto1_destroy(pcs);
2206 crypto1_create(pcs, ui64Key);
2207
2208 // decrypt nt with help of new key
2209 d_nt = crypto1_word(pcs, nt2 ^ cuid, 1) ^ nt2;
2210
2211 reader_challenge = d_nt;//(uint32_t)bytes_to_num(ar, 4);
2212 d_ks1 = crypto1_word(pcs, reader_challenge, 0);
2213 d_ks2 = crypto1_word(pcs, 0, 0);
2214 d_ks3 = crypto1_word(pcs, 0,0);
2215
2216 Dbprintf("TST: ks1=%08x nt=%08x", d_ks1, d_nt);*/
2217// ----------------------- test
2218
2219 // Parity validity check
2220 for (i = 0; i < 4; i++) {
2221 par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3));
2222 par = par << 1;
2223 }
2224
2225 ncount = 0;
2226 for (m = dmin - 10; m < dmax + 10; m++) {
2227 nttest = prng_successor(nt1, m);
2228 ks1 = nt2 ^ nttest;
2229
2230//-------------------------------------- test
2231/* if (nttest == d_nt){
2232 Dbprintf("nttest=d_nt! m=%d ks1=%08x nttest=%08x", m, ks1, nttest);
2233 }*/
2234//-------------------------------------- test
2235 if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){
2236
2237 nvector[2][ncount].nt = nttest;
2238 nvector[2][ncount].ks1 = ks1;
2239 ncount++;
2240 nvectorcount[2] = ncount;
2241
50193c1e 2242// Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest);
f89c7050
M		 2243 }
2244
2245 }
2246
2247 // select vector with length less than got
50193c1e
M		 2248 if (nvectorcount[2] != 0) {
2249 m = 2;
2250 if (nvectorcount[2] < nvectorcount[1]) m = 1;
2251 if (nvectorcount[2] < nvectorcount[0]) m = 0;
2252 if (m != 2) {
2253 for (i = 0; i < nvectorcount[m]; i++) {
2254 nvector[m][i] = nvector[2][i];
2255 }
2256 nvectorcount[m] = nvectorcount[2];
f89c7050 2257 }
f89c7050
M		 2258 }
2259
50193c1e 2260// Dbprintf("vector count: 1=%d 2=%d 3=%d", nvectorcount[0], nvectorcount[1], nvectorcount[2]);
20f9a2a1 2261 }
f89c7050
M		 2262
2263 LED_C_OFF();
2264
20f9a2a1
M		 2265
2266 // ----------------------------- crypto1 destroy
2267 crypto1_destroy(pcs);
2268
20f9a2a1
M		 2269 // add trace trailer
2270 uid[0] = 0xff;
2271 uid[1] = 0xff;
2272 uid[2] = 0xff;
2273 uid[3] = 0xff;
4abe4f58 2274 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1 2275
f89c7050 2276 for (i = 0; i < 2; i++) {
50193c1e
M		 2277 for (j = 0; j < nvectorcount[i]; j += 5) {
2278 ncount = nvectorcount[i] - j;
2279 if (ncount > 5) ncount = 5;
2280
2281 ack.arg[0] = 0; // isEOF = 0
2282 ack.arg[1] = ncount;
2283 ack.arg[2] = targetBlockNo + (targetKeyType * 0x100);
2284 memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
2285
2286 memcpy(ack.d.asBytes, &cuid, 4);
2287 for (m = 0; m < ncount; m++) {
2288 memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4);
2289 memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4);
2290 }
f89c7050 2291
50193c1e
M		 2292 LED_B_ON();
2293 SpinDelay(100);
2294 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2295 LED_B_OFF();
2296 }
f89c7050
M		 2297 }
2298
2299 // finalize list
50193c1e
M		 2300 ack.arg[0] = 1; // isEOF = 1
2301 ack.arg[1] = 0;
2302 ack.arg[2] = 0;
2303 memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
20f9a2a1
M		 2304
2305 LED_B_ON();
50193c1e 2306 SpinDelay(300);
20f9a2a1
M		 2307 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2308 LED_B_OFF();
2309
f89c7050
M		 2310 DbpString("NESTED FINISHED");
2311
4abe4f58 2312 // Thats it...
20f9a2a1
M		 2313 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2314 LEDsoff();
2315// tracing = TRUE;
2316
2317}
2318
2319//-----------------------------------------------------------------------------
2320// MIFARE 1K simulate.
2321//
2322//-----------------------------------------------------------------------------
2323void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2324{
50193c1e
M		 2325 int cardSTATE = MFEMUL_NOFIELD;
2326
2327 while (true) {
2328
2329 if(BUTTON_PRESS()) {
2330 break;
2331 }
2332
2333 switch (cardSTATE) {
2334 case MFEMUL_NOFIELD:{
2335 break;
2336 }
2337 case MFEMUL_IDLE:{
2338 break;
2339 }
2340 case MFEMUL_SELECT1:{
2341 break;
2342 }
2343 case MFEMUL_SELECT2:{
2344 break;
2345 }
2346 case MFEMUL_AUTH1:{
2347 break;
2348 }
2349 case MFEMUL_AUTH2:{
2350 break;
2351 }
2352 case MFEMUL_HALTED:{
2353 break;
2354 }
2355
2356 }
2357
2358 }
2359
15c4dc5a 2360}
Proxmark3 GIT tracking
Impressum, Datenschutz