]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bitsync fix 2. Gerhard
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
534983d7 3// Hagen Fritsch - June 2010
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
15c4dc5a 8//-----------------------------------------------------------------------------
bd20f8f4 9// Routines to support ISO 14443 type A.
10//-----------------------------------------------------------------------------
11
e30c654b 12#include "proxmark3.h"
15c4dc5a 13#include "apps.h"
f7e3ed82 14#include "util.h"
9ab7a6c7 15#include "string.h"
16
15c4dc5a 17#include "iso14443crc.h"
534983d7 18#include "iso14443a.h"
15c4dc5a 19
f7e3ed82 20static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 21static int traceLen = 0;
22static int rsamples = 0;
f7e3ed82 23static int tracing = TRUE;
534983d7 24static uint32_t iso14a_timeout;
15c4dc5a 25
72934aa3 26// CARD TO READER
27// Sequence D: 11110000 modulation with subcarrier during first half
28// Sequence E: 00001111 modulation with subcarrier during second half
29// Sequence F: 00000000 no modulation with subcarrier
30// READER TO CARD
31// Sequence X: 00001100 drop after half a period
32// Sequence Y: 00000000 no drop
33// Sequence Z: 11000000 drop at start
34#define SEC_D 0xf0
35#define SEC_E 0x0f
36#define SEC_F 0x00
37#define SEC_X 0x0c
38#define SEC_Y 0x00
39#define SEC_Z 0xc0
15c4dc5a 40
f7e3ed82 41static const uint8_t OddByteParity[256] = {
15c4dc5a 42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
58};
59
60// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
61#define RECV_CMD_OFFSET 3032
62#define RECV_RES_OFFSET 3096
63#define DMA_BUFFER_OFFSET 3160
64#define DMA_BUFFER_SIZE 4096
65#define TRACE_LENGTH 3000
66
534983d7 67uint8_t trigger = 0;
68void iso14a_set_trigger(int enable) {
69 trigger = enable;
70}
71
15c4dc5a 72//-----------------------------------------------------------------------------
73// Generate the parity value for a byte sequence
e30c654b 74//
15c4dc5a 75//-----------------------------------------------------------------------------
f7e3ed82 76uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 77{
78 int i;
f7e3ed82 79 uint32_t dwPar = 0;
72934aa3 80
15c4dc5a 81 // Generate the encrypted data
82 for (i = 0; i < iLen; i++) {
83 // Save the encrypted parity bit
84 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
85 }
86 return dwPar;
87}
88
534983d7 89void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 90{
91 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
92}
93
ed82636b 94int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 95{
96 // Return when trace is full
97 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 98
15c4dc5a 99 // Trace the random, i'm curious
100 rsamples += iSamples;
101 trace[traceLen++] = ((rsamples >> 0) & 0xff);
102 trace[traceLen++] = ((rsamples >> 8) & 0xff);
103 trace[traceLen++] = ((rsamples >> 16) & 0xff);
104 trace[traceLen++] = ((rsamples >> 24) & 0xff);
105 if (!bReader) {
106 trace[traceLen - 1] |= 0x80;
107 }
108 trace[traceLen++] = ((dwParity >> 0) & 0xff);
109 trace[traceLen++] = ((dwParity >> 8) & 0xff);
110 trace[traceLen++] = ((dwParity >> 16) & 0xff);
111 trace[traceLen++] = ((dwParity >> 24) & 0xff);
112 trace[traceLen++] = iLen;
113 memcpy(trace + traceLen, btBytes, iLen);
114 traceLen += iLen;
115 return TRUE;
116}
117
15c4dc5a 118//-----------------------------------------------------------------------------
119// The software UART that receives commands from the reader, and its state
120// variables.
121//-----------------------------------------------------------------------------
122static struct {
123 enum {
124 STATE_UNSYNCD,
125 STATE_START_OF_COMMUNICATION,
126 STATE_MILLER_X,
127 STATE_MILLER_Y,
128 STATE_MILLER_Z,
129 STATE_ERROR_WAIT
130 } state;
f7e3ed82 131 uint16_t shiftReg;
15c4dc5a 132 int bitCnt;
133 int byteCnt;
134 int byteCntMax;
135 int posCnt;
136 int syncBit;
137 int parityBits;
138 int samples;
139 int highCnt;
140 int bitBuffer;
141 enum {
142 DROP_NONE,
143 DROP_FIRST_HALF,
144 DROP_SECOND_HALF
145 } drop;
f7e3ed82 146 uint8_t *output;
15c4dc5a 147} Uart;
148
6c1e2d95 149static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 150{
151 int error = 0;
152 int bitright;
153
154 if(!Uart.bitBuffer) {
155 Uart.bitBuffer = bit ^ 0xFF0;
156 return FALSE;
157 }
158 else {
159 Uart.bitBuffer <<= 4;
160 Uart.bitBuffer ^= bit;
161 }
162
f7e3ed82 163 int EOC = FALSE;
15c4dc5a 164
165 if(Uart.state != STATE_UNSYNCD) {
166 Uart.posCnt++;
167
168 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
169 bit = 0x00;
170 }
171 else {
172 bit = 0x01;
173 }
174 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
175 bitright = 0x00;
176 }
177 else {
178 bitright = 0x01;
179 }
180 if(bit != bitright) { bit = bitright; }
181
182 if(Uart.posCnt == 1) {
183 // measurement first half bitperiod
184 if(!bit) {
185 Uart.drop = DROP_FIRST_HALF;
186 }
187 }
188 else {
189 // measurement second half bitperiod
190 if(!bit & (Uart.drop == DROP_NONE)) {
191 Uart.drop = DROP_SECOND_HALF;
192 }
193 else if(!bit) {
194 // measured a drop in first and second half
195 // which should not be possible
196 Uart.state = STATE_ERROR_WAIT;
197 error = 0x01;
198 }
199
200 Uart.posCnt = 0;
201
202 switch(Uart.state) {
203 case STATE_START_OF_COMMUNICATION:
204 Uart.shiftReg = 0;
205 if(Uart.drop == DROP_SECOND_HALF) {
206 // error, should not happen in SOC
207 Uart.state = STATE_ERROR_WAIT;
208 error = 0x02;
209 }
210 else {
211 // correct SOC
212 Uart.state = STATE_MILLER_Z;
213 }
214 break;
215
216 case STATE_MILLER_Z:
217 Uart.bitCnt++;
218 Uart.shiftReg >>= 1;
219 if(Uart.drop == DROP_NONE) {
220 // logic '0' followed by sequence Y
221 // end of communication
222 Uart.state = STATE_UNSYNCD;
223 EOC = TRUE;
224 }
225 // if(Uart.drop == DROP_FIRST_HALF) {
226 // Uart.state = STATE_MILLER_Z; stay the same
227 // we see a logic '0' }
228 if(Uart.drop == DROP_SECOND_HALF) {
229 // we see a logic '1'
230 Uart.shiftReg |= 0x100;
231 Uart.state = STATE_MILLER_X;
232 }
233 break;
234
235 case STATE_MILLER_X:
236 Uart.shiftReg >>= 1;
237 if(Uart.drop == DROP_NONE) {
238 // sequence Y, we see a '0'
239 Uart.state = STATE_MILLER_Y;
240 Uart.bitCnt++;
241 }
242 if(Uart.drop == DROP_FIRST_HALF) {
243 // Would be STATE_MILLER_Z
244 // but Z does not follow X, so error
245 Uart.state = STATE_ERROR_WAIT;
246 error = 0x03;
247 }
248 if(Uart.drop == DROP_SECOND_HALF) {
249 // We see a '1' and stay in state X
250 Uart.shiftReg |= 0x100;
251 Uart.bitCnt++;
252 }
253 break;
254
255 case STATE_MILLER_Y:
256 Uart.bitCnt++;
257 Uart.shiftReg >>= 1;
258 if(Uart.drop == DROP_NONE) {
259 // logic '0' followed by sequence Y
260 // end of communication
261 Uart.state = STATE_UNSYNCD;
262 EOC = TRUE;
263 }
264 if(Uart.drop == DROP_FIRST_HALF) {
265 // we see a '0'
266 Uart.state = STATE_MILLER_Z;
267 }
268 if(Uart.drop == DROP_SECOND_HALF) {
269 // We see a '1' and go to state X
270 Uart.shiftReg |= 0x100;
271 Uart.state = STATE_MILLER_X;
272 }
273 break;
274
275 case STATE_ERROR_WAIT:
276 // That went wrong. Now wait for at least two bit periods
277 // and try to sync again
278 if(Uart.drop == DROP_NONE) {
279 Uart.highCnt = 6;
280 Uart.state = STATE_UNSYNCD;
281 }
282 break;
283
284 default:
285 Uart.state = STATE_UNSYNCD;
286 Uart.highCnt = 0;
287 break;
288 }
289
290 Uart.drop = DROP_NONE;
291
292 // should have received at least one whole byte...
293 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
294 return TRUE;
295 }
296
297 if(Uart.bitCnt == 9) {
298 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
299 Uart.byteCnt++;
300
301 Uart.parityBits <<= 1;
302 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
303
304 if(EOC) {
305 // when End of Communication received and
306 // all data bits processed..
307 return TRUE;
308 }
309 Uart.bitCnt = 0;
310 }
311
312 /*if(error) {
313 Uart.output[Uart.byteCnt] = 0xAA;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = error & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
320 Uart.byteCnt++;
321 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 return TRUE;
328 }*/
329 }
330
331 }
332 else {
333 bit = Uart.bitBuffer & 0xf0;
334 bit >>= 4;
335 bit ^= 0x0F;
336 if(bit) {
337 // should have been high or at least (4 * 128) / fc
338 // according to ISO this should be at least (9 * 128 + 20) / fc
339 if(Uart.highCnt == 8) {
340 // we went low, so this could be start of communication
341 // it turns out to be safer to choose a less significant
342 // syncbit... so we check whether the neighbour also represents the drop
343 Uart.posCnt = 1; // apparently we are busy with our first half bit period
344 Uart.syncBit = bit & 8;
345 Uart.samples = 3;
346 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
347 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
348 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
349 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
350 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 351 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 352 Uart.syncBit = 8;
353
354 // the first half bit period is expected in next sample
355 Uart.posCnt = 0;
356 Uart.samples = 3;
357 }
358 }
359 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
360
361 Uart.syncBit <<= 4;
362 Uart.state = STATE_START_OF_COMMUNICATION;
363 Uart.drop = DROP_FIRST_HALF;
364 Uart.bitCnt = 0;
365 Uart.byteCnt = 0;
366 Uart.parityBits = 0;
367 error = 0;
368 }
369 else {
370 Uart.highCnt = 0;
371 }
372 }
373 else {
374 if(Uart.highCnt < 8) {
375 Uart.highCnt++;
376 }
377 }
378 }
379
380 return FALSE;
381}
382
383//=============================================================================
384// ISO 14443 Type A - Manchester
385//=============================================================================
386
387static struct {
388 enum {
389 DEMOD_UNSYNCD,
390 DEMOD_START_OF_COMMUNICATION,
391 DEMOD_MANCHESTER_D,
392 DEMOD_MANCHESTER_E,
393 DEMOD_MANCHESTER_F,
394 DEMOD_ERROR_WAIT
395 } state;
396 int bitCount;
397 int posCount;
398 int syncBit;
399 int parityBits;
f7e3ed82 400 uint16_t shiftReg;
15c4dc5a 401 int buffer;
402 int buff;
403 int samples;
404 int len;
405 enum {
406 SUB_NONE,
407 SUB_FIRST_HALF,
408 SUB_SECOND_HALF
409 } sub;
f7e3ed82 410 uint8_t *output;
15c4dc5a 411} Demod;
412
6c1e2d95 413static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 414{
415 int bit;
416 int modulation;
417 int error = 0;
418
419 if(!Demod.buff) {
420 Demod.buff = 1;
421 Demod.buffer = v;
422 return FALSE;
423 }
424 else {
425 bit = Demod.buffer;
426 Demod.buffer = v;
427 }
428
429 if(Demod.state==DEMOD_UNSYNCD) {
430 Demod.output[Demod.len] = 0xfa;
431 Demod.syncBit = 0;
432 //Demod.samples = 0;
433 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 434
435 if(bit & 0x08) {
436 Demod.syncBit = 0x08;
15c4dc5a 437 }
15c4dc5a 438
2f2d9fc5 439 if(bit & 0x04) {
440 if(Demod.syncBit) {
441 bit <<= 4;
442 }
443 Demod.syncBit = 0x04;
444 }
15c4dc5a 445
2f2d9fc5 446 if(bit & 0x02) {
447 if(Demod.syncBit) {
448 bit <<= 2;
15c4dc5a 449 }
2f2d9fc5 450 Demod.syncBit = 0x02;
15c4dc5a 451 }
15c4dc5a 452
593924e7 453 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 454 Demod.syncBit = 0x01;
455 }
456
15c4dc5a 457 if(Demod.syncBit) {
458 Demod.len = 0;
459 Demod.state = DEMOD_START_OF_COMMUNICATION;
460 Demod.sub = SUB_FIRST_HALF;
461 Demod.bitCount = 0;
462 Demod.shiftReg = 0;
463 Demod.parityBits = 0;
464 Demod.samples = 0;
465 if(Demod.posCount) {
534983d7 466 if(trigger) LED_A_OFF();
15c4dc5a 467 switch(Demod.syncBit) {
468 case 0x08: Demod.samples = 3; break;
469 case 0x04: Demod.samples = 2; break;
470 case 0x02: Demod.samples = 1; break;
471 case 0x01: Demod.samples = 0; break;
472 }
473 }
474 error = 0;
475 }
476 }
477 else {
478 //modulation = bit & Demod.syncBit;
479 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
480
481 Demod.samples += 4;
482
483 if(Demod.posCount==0) {
484 Demod.posCount = 1;
485 if(modulation) {
486 Demod.sub = SUB_FIRST_HALF;
487 }
488 else {
489 Demod.sub = SUB_NONE;
490 }
491 }
492 else {
493 Demod.posCount = 0;
494 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
495 if(Demod.state!=DEMOD_ERROR_WAIT) {
496 Demod.state = DEMOD_ERROR_WAIT;
497 Demod.output[Demod.len] = 0xaa;
498 error = 0x01;
499 }
500 }
501 else if(modulation) {
502 Demod.sub = SUB_SECOND_HALF;
503 }
504
505 switch(Demod.state) {
506 case DEMOD_START_OF_COMMUNICATION:
507 if(Demod.sub == SUB_FIRST_HALF) {
508 Demod.state = DEMOD_MANCHESTER_D;
509 }
510 else {
511 Demod.output[Demod.len] = 0xab;
512 Demod.state = DEMOD_ERROR_WAIT;
513 error = 0x02;
514 }
515 break;
516
517 case DEMOD_MANCHESTER_D:
518 case DEMOD_MANCHESTER_E:
519 if(Demod.sub == SUB_FIRST_HALF) {
520 Demod.bitCount++;
521 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
522 Demod.state = DEMOD_MANCHESTER_D;
523 }
524 else if(Demod.sub == SUB_SECOND_HALF) {
525 Demod.bitCount++;
526 Demod.shiftReg >>= 1;
527 Demod.state = DEMOD_MANCHESTER_E;
528 }
529 else {
530 Demod.state = DEMOD_MANCHESTER_F;
531 }
532 break;
533
534 case DEMOD_MANCHESTER_F:
535 // Tag response does not need to be a complete byte!
536 if(Demod.len > 0 || Demod.bitCount > 0) {
537 if(Demod.bitCount > 0) {
538 Demod.shiftReg >>= (9 - Demod.bitCount);
539 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
540 Demod.len++;
541 // No parity bit, so just shift a 0
542 Demod.parityBits <<= 1;
543 }
544
545 Demod.state = DEMOD_UNSYNCD;
546 return TRUE;
547 }
548 else {
549 Demod.output[Demod.len] = 0xad;
550 Demod.state = DEMOD_ERROR_WAIT;
551 error = 0x03;
552 }
553 break;
554
555 case DEMOD_ERROR_WAIT:
556 Demod.state = DEMOD_UNSYNCD;
557 break;
558
559 default:
560 Demod.output[Demod.len] = 0xdd;
561 Demod.state = DEMOD_UNSYNCD;
562 break;
563 }
564
565 if(Demod.bitCount>=9) {
566 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
567 Demod.len++;
568
569 Demod.parityBits <<= 1;
570 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
571
572 Demod.bitCount = 0;
573 Demod.shiftReg = 0;
574 }
575
576 /*if(error) {
577 Demod.output[Demod.len] = 0xBB;
578 Demod.len++;
579 Demod.output[Demod.len] = error & 0xFF;
580 Demod.len++;
581 Demod.output[Demod.len] = 0xBB;
582 Demod.len++;
583 Demod.output[Demod.len] = bit & 0xFF;
584 Demod.len++;
585 Demod.output[Demod.len] = Demod.buffer & 0xFF;
586 Demod.len++;
587 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
588 Demod.len++;
589 Demod.output[Demod.len] = 0xBB;
590 Demod.len++;
591 return TRUE;
592 }*/
593
594 }
595
596 } // end (state != UNSYNCED)
597
598 return FALSE;
599}
600
601//=============================================================================
602// Finally, a `sniffer' for ISO 14443 Type A
603// Both sides of communication!
604//=============================================================================
605
606//-----------------------------------------------------------------------------
607// Record the sequence of commands sent by the reader to the tag, with
608// triggering so that we start recording at the point that the tag is moved
609// near the reader.
610//-----------------------------------------------------------------------------
6c1e2d95 611void RAMFUNC SnoopIso14443a(void)
15c4dc5a 612{
613// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
614// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
615// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
616// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
617// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
618
619 // We won't start recording the frames that we acquire until we trigger;
620 // a good trigger condition to get started is probably when we see a
621 // response from the tag.
7e758047 622 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 623
624 // The command (reader -> tag) that we're receiving.
625 // The length of a received command will in most cases be no more than 18 bytes.
626 // So 32 should be enough!
f7e3ed82 627 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 628 // The response (tag -> reader) that we're receiving.
f7e3ed82 629 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 630
631 // As we receive stuff, we copy it from receivedCmd or receivedResponse
632 // into trace, along with its length and other annotations.
f7e3ed82 633 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 634
635 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 636
637 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 638 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 639 int lastRxCounter;
f7e3ed82 640 int8_t *upTo;
15c4dc5a 641 int smpl;
642 int maxBehindBy = 0;
643
644 // Count of samples received so far, so that we can include timing
645 // information in the trace buffer.
646 int samples = 0;
647 int rsamples = 0;
648
649 memset(trace, 0x44, RECV_CMD_OFFSET);
650
651 // Set up the demodulator for tag -> reader responses.
652 Demod.output = receivedResponse;
653 Demod.len = 0;
654 Demod.state = DEMOD_UNSYNCD;
655
7e758047 656 // Setup for the DMA.
657 FpgaSetupSsc();
658 upTo = dmaBuf;
659 lastRxCounter = DMA_BUFFER_SIZE;
660 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
661
15c4dc5a 662 // And the reader -> tag commands
663 memset(&Uart, 0, sizeof(Uart));
664 Uart.output = receivedCmd;
665 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
666 Uart.state = STATE_UNSYNCD;
667
668 // And put the FPGA in the appropriate mode
669 // Signal field is off with the appropriate LED
670 LED_D_OFF();
671 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
672 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
673
15c4dc5a 674
675 // And now we loop, receiving samples.
676 for(;;) {
7e758047 677 LED_A_ON();
678 WDT_HIT();
15c4dc5a 679 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
680 (DMA_BUFFER_SIZE-1);
681 if(behindBy > maxBehindBy) {
682 maxBehindBy = behindBy;
683 if(behindBy > 400) {
7e758047 684 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 685 goto done;
686 }
687 }
688 if(behindBy < 1) continue;
689
7e758047 690 LED_A_OFF();
15c4dc5a 691 smpl = upTo[0];
692 upTo++;
693 lastRxCounter -= 1;
694 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
695 upTo -= DMA_BUFFER_SIZE;
696 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 697 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 698 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
699 }
700
701 samples += 4;
7e758047 702 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 703 rsamples = samples - Uart.samples;
72934aa3 704 LED_C_ON();
7e758047 705 if(triggered) {
706 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 707 trace[traceLen++] = ((rsamples >> 8) & 0xff);
708 trace[traceLen++] = ((rsamples >> 16) & 0xff);
709 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 710 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
711 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
712 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
713 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 714 trace[traceLen++] = Uart.byteCnt;
715 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
716 traceLen += Uart.byteCnt;
717 if(traceLen > TRACE_LENGTH) break;
718 }
719 /* And ready to receive another command. */
720 Uart.state = STATE_UNSYNCD;
721 /* And also reset the demod code, which might have been */
722 /* false-triggered by the commands from the reader. */
723 Demod.state = DEMOD_UNSYNCD;
7e758047 724 LED_B_OFF();
15c4dc5a 725 }
7e758047 726
727 if(ManchesterDecoding(smpl & 0x0F)) {
728 rsamples = samples - Demod.samples;
729 LED_B_ON();
730
731 // timestamp, as a count of samples
732 trace[traceLen++] = ((rsamples >> 0) & 0xff);
733 trace[traceLen++] = ((rsamples >> 8) & 0xff);
734 trace[traceLen++] = ((rsamples >> 16) & 0xff);
735 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
736 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
737 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
738 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
739 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
740 // length
741 trace[traceLen++] = Demod.len;
742 memcpy(trace+traceLen, receivedResponse, Demod.len);
743 traceLen += Demod.len;
744 if(traceLen > TRACE_LENGTH) break;
745
746 triggered = TRUE;
15c4dc5a 747
748 // And ready to receive another response.
749 memset(&Demod, 0, sizeof(Demod));
750 Demod.output = receivedResponse;
751 Demod.state = DEMOD_UNSYNCD;
7e758047 752 LED_C_OFF();
753 }
15c4dc5a 754
755 if(BUTTON_PRESS()) {
756 DbpString("cancelled_a");
757 goto done;
758 }
759 }
760
761 DbpString("COMMAND FINISHED");
762
763 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
764 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
765
766done:
767 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
768 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
769 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
770 LED_A_OFF();
771 LED_B_OFF();
772 LED_C_OFF();
773 LED_D_OFF();
774}
775
15c4dc5a 776//-----------------------------------------------------------------------------
777// Prepare tag messages
778//-----------------------------------------------------------------------------
f7e3ed82 779static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 780{
781 int i;
782 int oddparity;
783
784 ToSendReset();
785
786 // Correction bit, might be removed when not needed
787 ToSendStuffBit(0);
788 ToSendStuffBit(0);
789 ToSendStuffBit(0);
790 ToSendStuffBit(0);
791 ToSendStuffBit(1); // 1
792 ToSendStuffBit(0);
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795
796 // Send startbit
72934aa3 797 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 798
799 for(i = 0; i < len; i++) {
800 int j;
f7e3ed82 801 uint8_t b = cmd[i];
15c4dc5a 802
803 // Data bits
804 oddparity = 0x01;
805 for(j = 0; j < 8; j++) {
806 oddparity ^= (b & 1);
807 if(b & 1) {
72934aa3 808 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 809 } else {
72934aa3 810 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 811 }
812 b >>= 1;
813 }
814
815 // Parity bit
816 if(oddparity) {
72934aa3 817 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 818 } else {
72934aa3 819 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 820 }
821 }
822
823 // Send stopbit
72934aa3 824 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 825
826 // Flush the buffer in FPGA!!
827 for(i = 0; i < 5; i++) {
72934aa3 828 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 829 }
830
831 // Convert from last byte pos to length
832 ToSendMax++;
833
834 // Add a few more for slop
835 ToSend[ToSendMax++] = 0x00;
836 ToSend[ToSendMax++] = 0x00;
837 //ToSendMax += 2;
838}
839
840//-----------------------------------------------------------------------------
841// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
842//-----------------------------------------------------------------------------
843static void CodeStrangeAnswer()
844{
845 int i;
846
847 ToSendReset();
848
849 // Correction bit, might be removed when not needed
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(0);
853 ToSendStuffBit(0);
854 ToSendStuffBit(1); // 1
855 ToSendStuffBit(0);
856 ToSendStuffBit(0);
857 ToSendStuffBit(0);
858
859 // Send startbit
72934aa3 860 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 861
862 // 0
72934aa3 863 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 864
865 // 0
72934aa3 866 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 867
868 // 1
72934aa3 869 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 870
871 // Send stopbit
72934aa3 872 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 873
874 // Flush the buffer in FPGA!!
875 for(i = 0; i < 5; i++) {
72934aa3 876 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 877 }
878
879 // Convert from last byte pos to length
880 ToSendMax++;
881
882 // Add a few more for slop
883 ToSend[ToSendMax++] = 0x00;
884 ToSend[ToSendMax++] = 0x00;
885 //ToSendMax += 2;
886}
887
888//-----------------------------------------------------------------------------
889// Wait for commands from reader
890// Stop when button is pressed
891// Or return TRUE when command is captured
892//-----------------------------------------------------------------------------
f7e3ed82 893static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 894{
895 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
896 // only, since we are receiving, not transmitting).
897 // Signal field is off with the appropriate LED
898 LED_D_OFF();
899 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
900
901 // Now run a `software UART' on the stream of incoming samples.
902 Uart.output = received;
903 Uart.byteCntMax = maxLen;
904 Uart.state = STATE_UNSYNCD;
905
906 for(;;) {
907 WDT_HIT();
908
909 if(BUTTON_PRESS()) return FALSE;
910
911 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
912 AT91C_BASE_SSC->SSC_THR = 0x00;
913 }
914 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 915 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 916 if(MillerDecoding((b & 0xf0) >> 4)) {
917 *len = Uart.byteCnt;
918 return TRUE;
919 }
920 if(MillerDecoding(b & 0x0f)) {
921 *len = Uart.byteCnt;
922 return TRUE;
923 }
924 }
925 }
926}
927
928//-----------------------------------------------------------------------------
929// Main loop of simulated tag: receive commands from reader, decide what
930// response to send, and send it.
931//-----------------------------------------------------------------------------
932void SimulateIso14443aTag(int tagType, int TagUid)
933{
934 // This function contains the tag emulation
935
936 // Prepare protocol messages
f7e3ed82 937 // static const uint8_t cmd1[] = { 0x26 };
938// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 939//
f7e3ed82 940 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
941// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 942
943 // UID response
f7e3ed82 944 // static const uint8_t cmd2[] = { 0x93, 0x20 };
945 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 946
15c4dc5a 947// my desfire
f7e3ed82 948 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 949
950
951// When reader selects us during cascade1 it will send cmd3
f7e3ed82 952//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
953uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 954ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
955
956// send cascade2 2nd half of UID
f7e3ed82 957static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 958// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
959
15c4dc5a 960// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 961//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
962uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 963ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
964
f7e3ed82 965 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 966
f7e3ed82 967 uint8_t *resp;
15c4dc5a 968 int respLen;
969
970 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
971 // This will need
972 // 144 data bits (18 * 8)
973 // 18 parity bits
974 // 2 Start and stop
975 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
976 // 1 just for the case
977 // ----------- +
978 // 166
979 //
980 // 166 bytes, since every bit that needs to be send costs us a byte
981 //
982
15c4dc5a 983 // Respond with card type
f7e3ed82 984 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 985 int resp1Len;
986
987 // Anticollision cascade1 - respond with uid
f7e3ed82 988 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 989 int resp2Len;
990
991 // Anticollision cascade2 - respond with 2nd half of uid if asked
992 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 993 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 994 int resp2aLen;
995
996 // Acknowledge select - cascade 1
f7e3ed82 997 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 998 int resp3Len;
999
1000 // Acknowledge select - cascade 2
f7e3ed82 1001 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1002 int resp3aLen;
1003
1004 // Response to a read request - not implemented atm
f7e3ed82 1005 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1006 int resp4Len;
1007
1008 // Authenticate response - nonce
f7e3ed82 1009 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1010 int resp5Len;
1011
f7e3ed82 1012 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1013 int len;
1014
1015 int i;
1016 int u;
f7e3ed82 1017 uint8_t b;
15c4dc5a 1018
1019 // To control where we are in the protocol
1020 int order = 0;
1021 int lastorder;
1022
1023 // Just to allow some checks
1024 int happened = 0;
1025 int happened2 = 0;
1026
1027 int cmdsRecvd = 0;
1028
f7e3ed82 1029 int fdt_indicator;
15c4dc5a 1030
1031 memset(receivedCmd, 0x44, 400);
1032
1033 // Prepare the responses of the anticollision phase
1034 // there will be not enough time to do this at the moment the reader sends it REQA
1035
1036 // Answer to request
1037 CodeIso14443aAsTag(response1, sizeof(response1));
1038 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1039
1040 // Send our UID (cascade 1)
1041 CodeIso14443aAsTag(response2, sizeof(response2));
1042 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1043
1044 // Answer to select (cascade1)
1045 CodeIso14443aAsTag(response3, sizeof(response3));
1046 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1047
1048 // Send the cascade 2 2nd part of the uid
1049 CodeIso14443aAsTag(response2a, sizeof(response2a));
1050 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1051
1052 // Answer to select (cascade 2)
1053 CodeIso14443aAsTag(response3a, sizeof(response3a));
1054 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1055
1056 // Strange answer is an example of rare message size (3 bits)
1057 CodeStrangeAnswer();
1058 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1059
1060 // Authentication answer (random nonce)
1061 CodeIso14443aAsTag(response5, sizeof(response5));
1062 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1063
1064 // We need to listen to the high-frequency, peak-detected path.
1065 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1066 FpgaSetupSsc();
1067
1068 cmdsRecvd = 0;
1069
1070 LED_A_ON();
1071 for(;;) {
1072
1073 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1074 DbpString("button press");
1075 break;
1076 }
1077 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1078 // Okay, look at the command now.
1079 lastorder = order;
1080 i = 1; // first byte transmitted
1081 if(receivedCmd[0] == 0x26) {
1082 // Received a REQUEST
1083 resp = resp1; respLen = resp1Len; order = 1;
1084 //DbpString("Hello request from reader:");
1085 } else if(receivedCmd[0] == 0x52) {
1086 // Received a WAKEUP
1087 resp = resp1; respLen = resp1Len; order = 6;
1088// //DbpString("Wakeup request from reader:");
1089
1090 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1091 // Received request for UID (cascade 1)
1092 resp = resp2; respLen = resp2Len; order = 2;
1093// DbpString("UID (cascade 1) request from reader:");
1094// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1095
1096
1097 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1098 // Received request for UID (cascade 2)
1099 resp = resp2a; respLen = resp2aLen; order = 20;
1100// DbpString("UID (cascade 2) request from reader:");
1101// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1102
1103
1104 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1105 // Received a SELECT
1106 resp = resp3; respLen = resp3Len; order = 3;
1107// DbpString("Select (cascade 1) request from reader:");
1108// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1109
1110
1111 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1112 // Received a SELECT
1113 resp = resp3a; respLen = resp3aLen; order = 30;
1114// DbpString("Select (cascade 2) request from reader:");
1115// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1116
1117
1118 } else if(receivedCmd[0] == 0x30) {
1119 // Received a READ
1120 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1121 Dbprintf("Read request from reader: %x %x %x",
1122 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1123
1124
1125 } else if(receivedCmd[0] == 0x50) {
1126 // Received a HALT
1127 resp = resp1; respLen = 0; order = 5; // Do nothing
1128 DbpString("Reader requested we HALT!:");
1129
1130 } else if(receivedCmd[0] == 0x60) {
1131 // Received an authentication request
1132 resp = resp5; respLen = resp5Len; order = 7;
1133 Dbprintf("Authenticate request from reader: %x %x %x",
1134 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1135
1136 } else if(receivedCmd[0] == 0xE0) {
1137 // Received a RATS request
1138 resp = resp1; respLen = 0;order = 70;
1139 Dbprintf("RATS request from reader: %x %x %x",
1140 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1141 } else {
1142 // Never seen this command before
1143 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1144 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1145 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1146 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1147 // Do not respond
1148 resp = resp1; respLen = 0; order = 0;
1149 }
1150
1151 // Count number of wakeups received after a halt
1152 if(order == 6 && lastorder == 5) { happened++; }
1153
1154 // Count number of other messages after a halt
1155 if(order != 6 && lastorder == 5) { happened2++; }
1156
1157 // Look at last parity bit to determine timing of answer
1158 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1159 // 1236, so correction bit needed
1160 i = 0;
1161 }
1162
1163 memset(receivedCmd, 0x44, 32);
1164
1165 if(cmdsRecvd > 999) {
1166 DbpString("1000 commands later...");
1167 break;
1168 }
1169 else {
1170 cmdsRecvd++;
1171 }
1172
1173 if(respLen <= 0) continue;
1174
1175 // Modulate Manchester
1176 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1177 AT91C_BASE_SSC->SSC_THR = 0x00;
1178 FpgaSetupSsc();
1179
1180 // ### Transmit the response ###
1181 u = 0;
1182 b = 0x00;
1183 fdt_indicator = FALSE;
1184 for(;;) {
1185 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1186 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1187 (void)b;
1188 }
1189 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1190 if(i > respLen) {
1191 b = 0x00;
1192 u++;
1193 } else {
1194 b = resp[i];
1195 i++;
1196 }
1197 AT91C_BASE_SSC->SSC_THR = b;
1198
1199 if(u > 4) {
1200 break;
1201 }
1202 }
1203 if(BUTTON_PRESS()) {
1204 break;
1205 }
1206 }
1207
1208 }
1209
1210 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1211 LED_A_OFF();
1212}
1213
1214//-----------------------------------------------------------------------------
1215// Transmit the command (to the tag) that was placed in ToSend[].
1216//-----------------------------------------------------------------------------
f7e3ed82 1217static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1218{
1219 int c;
e30c654b 1220
15c4dc5a 1221 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1222
15c4dc5a 1223 if (wait)
1224 if(*wait < 10)
1225 *wait = 10;
e30c654b 1226
15c4dc5a 1227 for(c = 0; c < *wait;) {
1228 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1229 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1230 c++;
1231 }
1232 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1233 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1234 (void)r;
1235 }
1236 WDT_HIT();
1237 }
e30c654b 1238
15c4dc5a 1239 c = 0;
1240 for(;;) {
1241 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1242 AT91C_BASE_SSC->SSC_THR = cmd[c];
1243 c++;
1244 if(c >= len) {
1245 break;
1246 }
1247 }
1248 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1249 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1250 (void)r;
1251 }
1252 WDT_HIT();
1253 }
1254 if (samples) *samples = (c + *wait) << 3;
1255}
1256
15c4dc5a 1257//-----------------------------------------------------------------------------
1258// Code a 7-bit command without parity bit
1259// This is especially for 0x26 and 0x52 (REQA and WUPA)
1260//-----------------------------------------------------------------------------
f7e3ed82 1261void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1262{
1263 int j;
1264 int last;
f7e3ed82 1265 uint8_t b;
15c4dc5a 1266
1267 ToSendReset();
1268
1269 // Start of Communication (Seq. Z)
72934aa3 1270 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1271 last = 0;
1272
1273 b = bt;
1274 for(j = 0; j < 7; j++) {
1275 if(b & 1) {
1276 // Sequence X
72934aa3 1277 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1278 last = 1;
1279 } else {
1280 if(last == 0) {
1281 // Sequence Z
72934aa3 1282 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1283 }
1284 else {
1285 // Sequence Y
72934aa3 1286 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1287 last = 0;
1288 }
1289 }
1290 b >>= 1;
1291 }
1292
1293 // End of Communication
1294 if(last == 0) {
1295 // Sequence Z
72934aa3 1296 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1297 }
1298 else {
1299 // Sequence Y
72934aa3 1300 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1301 last = 0;
1302 }
1303 // Sequence Y
72934aa3 1304 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1305
1306 // Just to be sure!
72934aa3 1307 ToSend[++ToSendMax] = SEC_Y;
1308 ToSend[++ToSendMax] = SEC_Y;
1309 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1310
1311 // Convert from last character reference to length
1312 ToSendMax++;
1313}
1314
1315//-----------------------------------------------------------------------------
1316// Prepare reader command to send to FPGA
e30c654b 1317//
15c4dc5a 1318//-----------------------------------------------------------------------------
f7e3ed82 1319void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1320{
1321 int i, j;
1322 int last;
f7e3ed82 1323 uint8_t b;
e30c654b 1324
15c4dc5a 1325 ToSendReset();
e30c654b 1326
15c4dc5a 1327 // Start of Communication (Seq. Z)
72934aa3 1328 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1329 last = 0;
e30c654b 1330
15c4dc5a 1331 // Generate send structure for the data bits
1332 for (i = 0; i < len; i++) {
1333 // Get the current byte to send
1334 b = cmd[i];
e30c654b 1335
15c4dc5a 1336 for (j = 0; j < 8; j++) {
1337 if (b & 1) {
1338 // Sequence X
72934aa3 1339 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1340 last = 1;
1341 } else {
1342 if (last == 0) {
1343 // Sequence Z
72934aa3 1344 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1345 } else {
1346 // Sequence Y
72934aa3 1347 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1348 last = 0;
1349 }
1350 }
1351 b >>= 1;
1352 }
e30c654b 1353
15c4dc5a 1354 // Get the parity bit
1355 if ((dwParity >> i) & 0x01) {
1356 // Sequence X
72934aa3 1357 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1358 last = 1;
1359 } else {
1360 if (last == 0) {
1361 // Sequence Z
72934aa3 1362 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1363 } else {
1364 // Sequence Y
72934aa3 1365 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1366 last = 0;
1367 }
1368 }
1369 }
e30c654b 1370
15c4dc5a 1371 // End of Communication
1372 if (last == 0) {
1373 // Sequence Z
72934aa3 1374 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1375 } else {
1376 // Sequence Y
72934aa3 1377 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1378 last = 0;
1379 }
1380 // Sequence Y
72934aa3 1381 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1382
15c4dc5a 1383 // Just to be sure!
72934aa3 1384 ToSend[++ToSendMax] = SEC_Y;
1385 ToSend[++ToSendMax] = SEC_Y;
1386 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1387
15c4dc5a 1388 // Convert from last character reference to length
1389 ToSendMax++;
1390}
1391
1392//-----------------------------------------------------------------------------
1393// Wait a certain time for tag response
1394// If a response is captured return TRUE
1395// If it takes to long return FALSE
1396//-----------------------------------------------------------------------------
f7e3ed82 1397static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1398{
1399 // buffer needs to be 512 bytes
1400 int c;
1401
1402 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1403 // only, since we are receiving, not transmitting).
1404 // Signal field is on with the appropriate LED
1405 LED_D_ON();
1406 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1407
534983d7 1408 // Now get the answer from the card
1409 Demod.output = receivedResponse;
1410 Demod.len = 0;
1411 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1412
f7e3ed82 1413 uint8_t b;
15c4dc5a 1414 if (elapsed) *elapsed = 0;
1415
1416 c = 0;
1417 for(;;) {
534983d7 1418 WDT_HIT();
15c4dc5a 1419
534983d7 1420 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1421 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1422 if (elapsed) (*elapsed)++;
534983d7 1423 }
1424 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1425 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1426 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1427 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1428 *samples = ((c - 1) << 3) + 4;
1429 return TRUE;
1430 }
1431 if(ManchesterDecoding(b & 0x0f)) {
1432 *samples = c << 3;
1433 return TRUE;
1434 }
534983d7 1435 }
1436 }
15c4dc5a 1437}
1438
f7e3ed82 1439void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1440{
1441 int wait = 0;
1442 int samples = 0;
1443
1444 ShortFrameFromReader(*bt);
e30c654b 1445
15c4dc5a 1446 // Select the card
e30c654b 1447 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1448
15c4dc5a 1449 // Store reader command in buffer
1450 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1451}
1452
f7e3ed82 1453void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1454{
1455 int wait = 0;
1456 int samples = 0;
e30c654b 1457
15c4dc5a 1458 // This is tied to other size changes
f7e3ed82 1459 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1460 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1461
15c4dc5a 1462 // Select the card
e30c654b 1463 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1464 if(trigger)
1465 LED_A_ON();
e30c654b 1466
15c4dc5a 1467 // Store reader command in buffer
1468 if (tracing) LogTrace(frame,len,0,par,TRUE);
1469}
1470
1471
f7e3ed82 1472void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1473{
1474 // Generate parity and redirect
1475 ReaderTransmitPar(frame,len,GetParity(frame,len));
1476}
1477
f7e3ed82 1478int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1479{
1480 int samples = 0;
1481 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1482 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1483 if(samples == 0) return FALSE;
1484 return Demod.len;
15c4dc5a 1485}
1486
7e758047 1487/* performs iso14443a anticolision procedure
534983d7 1488 * fills the uid pointer unless NULL
1489 * fills resp_data unless NULL */
1490int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
f7e3ed82 1491 uint8_t wupa[] = { 0x52 };
1492 uint8_t sel_all[] = { 0x93,0x20 };
1493 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1494 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1495
7e758047 1496 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1497 uint8_t* uid = resp + 7;
15c4dc5a 1498
534983d7 1499 uint8_t sak = 0x04; // cascade uid
1500 int cascade_level = 0;
1501
7e758047 1502 int len;
15c4dc5a 1503
7e758047 1504 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1505 ReaderTransmitShort(wupa);
1506 // Receive the ATQA
1507 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1508
534983d7 1509 if(resp_data)
1510 memcpy(resp_data->atqa, resp, 2);
1511
1512 ReaderTransmit(sel_all,sizeof(sel_all));
7e758047 1513 if(!ReaderReceive(uid)) return 0;
15c4dc5a 1514
534983d7 1515 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1516 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1517 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1518 for(; sak & 0x04; cascade_level++)
7e758047 1519 {
534983d7 1520 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1521 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1522
1523 // SELECT_ALL
1524 ReaderTransmit(sel_all,sizeof(sel_all));
1525 if (!ReaderReceive(resp)) return 0;
1526 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
e30c654b 1527
7e758047 1528 // Construct SELECT UID command
534983d7 1529 memcpy(sel_uid+2,resp,5);
1530 AppendCrc14443a(sel_uid,7);
1531 ReaderTransmit(sel_uid,sizeof(sel_uid));
1532
7e758047 1533 // Receive the SAK
1534 if (!ReaderReceive(resp)) return 0;
534983d7 1535 sak = resp[0];
7e758047 1536 }
534983d7 1537 if(resp_data) {
1538 resp_data->sak = sak;
1539 resp_data->ats_len = 0;
1540 }
1541
1542 if( (sak & 0x20) == 0)
7e758047 1543 return 2; // non iso14443a compliant tag
534983d7 1544
7e758047 1545 // Request for answer to select
1546 AppendCrc14443a(rats, 2);
1547 ReaderTransmit(rats, sizeof(rats));
1548 if (!(len = ReaderReceive(resp))) return 0;
534983d7 1549 if(resp_data) {
1550 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1551 resp_data->ats_len = len;
1552 }
1553
7e758047 1554 return 1;
1555}
15c4dc5a 1556
7e758047 1557void iso14443a_setup() {
1558 // Setup SSC
1559 FpgaSetupSsc();
1560 // Start from off (no field generated)
1561 // Signal field is off with the appropriate LED
1562 LED_D_OFF();
1563 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1564 SpinDelay(200);
15c4dc5a 1565
7e758047 1566 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1567
7e758047 1568 // Now give it time to spin up.
1569 // Signal field is on with the appropriate LED
1570 LED_D_ON();
1571 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1572 SpinDelay(200);
534983d7 1573
1574 iso14a_timeout = 2048; //default
7e758047 1575}
15c4dc5a 1576
534983d7 1577int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1578 uint8_t real_cmd[cmd_len+4];
1579 real_cmd[0] = 0x0a; //I-Block
1580 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1581 memcpy(real_cmd+2, cmd, cmd_len);
1582 AppendCrc14443a(real_cmd,cmd_len+2);
1583
1584 ReaderTransmit(real_cmd, cmd_len+4);
1585 size_t len = ReaderReceive(data);
1586 if(!len)
1587 return -1; //DATA LINK ERROR
1588
1589 return len;
1590}
1591
1592
7e758047 1593//-----------------------------------------------------------------------------
1594// Read an ISO 14443a tag. Send out commands and store answers.
1595//
1596//-----------------------------------------------------------------------------
534983d7 1597void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1598{
534983d7 1599 iso14a_command_t param = c->arg[0];
1600 uint8_t * cmd = c->d.asBytes;
1601 size_t len = c->arg[1];
e30c654b 1602
534983d7 1603 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1604
534983d7 1605 if(param & ISO14A_CONNECT) {
1606 iso14443a_setup();
1607 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12));
1608 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1609 }
e30c654b 1610
534983d7 1611 if(param & ISO14A_SET_TIMEOUT) {
1612 iso14a_timeout = c->arg[2];
1613 }
e30c654b 1614
534983d7 1615 if(param & ISO14A_SET_TIMEOUT) {
1616 iso14a_timeout = c->arg[2];
1617 }
e30c654b 1618
534983d7 1619 if(param & ISO14A_APDU) {
1620 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1621 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1622 }
e30c654b 1623
534983d7 1624 if(param & ISO14A_RAW) {
1625 if(param & ISO14A_APPEND_CRC) {
1626 AppendCrc14443a(cmd,len);
1627 len += 2;
15c4dc5a 1628 }
534983d7 1629 ReaderTransmit(cmd,len);
1630 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1631 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1632 }
15c4dc5a 1633
534983d7 1634 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1635
534983d7 1636 if(param & ISO14A_NO_DISCONNECT)
1637 return;
15c4dc5a 1638
15c4dc5a 1639 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1640 LEDsoff();
15c4dc5a 1641}
15c4dc5a 1642//-----------------------------------------------------------------------------
1643// Read an ISO 14443a tag. Send out commands and store answers.
1644//
1645//-----------------------------------------------------------------------------
f7e3ed82 1646void ReaderMifare(uint32_t parameter)
15c4dc5a 1647{
15c4dc5a 1648 // Mifare AUTH
f7e3ed82 1649 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1650 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1651
f7e3ed82 1652 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1653 traceLen = 0;
1654 tracing = false;
e30c654b 1655
7e758047 1656 iso14443a_setup();
e30c654b 1657
15c4dc5a 1658 LED_A_ON();
1659 LED_B_OFF();
1660 LED_C_OFF();
e30c654b 1661
15c4dc5a 1662 byte_t nt_diff = 0;
1663 LED_A_OFF();
1664 byte_t par = 0;
1665 byte_t par_mask = 0xff;
1666 byte_t par_low = 0;
f7e3ed82 1667 int led_on = TRUE;
e30c654b 1668
15c4dc5a 1669 tracing = FALSE;
1670 byte_t nt[4];
1671 byte_t nt_attacked[4];
1672 byte_t par_list[8];
1673 byte_t ks_list[8];
1674 num_to_bytes(parameter,4,nt_attacked);
1675
1676 while(TRUE)
1677 {
1678 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1679 SpinDelay(200);
1680 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1681
15c4dc5a 1682 // Test if the action was cancelled
1683 if(BUTTON_PRESS()) {
1684 break;
1685 }
e30c654b 1686
534983d7 1687 if(!iso14443a_select_card(NULL, NULL)) continue;
e30c654b 1688
15c4dc5a 1689 // Transmit MIFARE_CLASSIC_AUTH
1690 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1691
15c4dc5a 1692 // Receive the (16 bit) "random" nonce
1693 if (!ReaderReceive(receivedAnswer)) continue;
1694 memcpy(nt,receivedAnswer,4);
1695
1696 // Transmit reader nonce and reader answer
1697 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1698
15c4dc5a 1699 // Receive 4 bit answer
1700 if (ReaderReceive(receivedAnswer))
1701 {
e30c654b 1702 if (nt_diff == 0)
15c4dc5a 1703 {
1704 LED_A_ON();
1705 memcpy(nt_attacked,nt,4);
1706 par_mask = 0xf8;
1707 par_low = par & 0x07;
1708 }
1709
1710 if (memcmp(nt,nt_attacked,4) != 0) continue;
1711
1712 led_on = !led_on;
1713 if(led_on) LED_B_ON(); else LED_B_OFF();
1714 par_list[nt_diff] = par;
1715 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1716
15c4dc5a 1717 // Test if the information is complete
1718 if (nt_diff == 0x07) break;
e30c654b 1719
15c4dc5a 1720 nt_diff = (nt_diff+1) & 0x07;
1721 mf_nr_ar[3] = nt_diff << 5;
1722 par = par_low;
1723 } else {
1724 if (nt_diff == 0)
1725 {
1726 par++;
1727 } else {
1728 par = (((par>>3)+1) << 3) | par_low;
1729 }
1730 }
1731 }
e30c654b 1732
72934aa3 1733 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1734 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1735 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
e30c654b 1736
15c4dc5a 1737 // Thats it...
1738 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1739 LEDsoff();
1740 tracing = TRUE;
1741}
Proxmark3 GIT tracking
Impressum, Datenschutz