]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bring snooper into line with new command format
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
bd20f8f4 3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
15c4dc5a 7//-----------------------------------------------------------------------------
bd20f8f4 8// Routines to support ISO 14443 type A.
9//-----------------------------------------------------------------------------
10
e30c654b 11#include "proxmark3.h"
15c4dc5a 12#include "apps.h"
f7e3ed82 13#include "util.h"
9ab7a6c7 14#include "string.h"
15
15c4dc5a 16#include "iso14443crc.h"
17
f7e3ed82 18static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 19static int traceLen = 0;
20static int rsamples = 0;
f7e3ed82 21static int tracing = TRUE;
15c4dc5a 22
72934aa3 23// CARD TO READER
24// Sequence D: 11110000 modulation with subcarrier during first half
25// Sequence E: 00001111 modulation with subcarrier during second half
26// Sequence F: 00000000 no modulation with subcarrier
27// READER TO CARD
28// Sequence X: 00001100 drop after half a period
29// Sequence Y: 00000000 no drop
30// Sequence Z: 11000000 drop at start
31#define SEC_D 0xf0
32#define SEC_E 0x0f
33#define SEC_F 0x00
34#define SEC_X 0x0c
35#define SEC_Y 0x00
36#define SEC_Z 0xc0
15c4dc5a 37
f7e3ed82 38static const uint8_t OddByteParity[256] = {
15c4dc5a 39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
55};
56
57// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
58#define RECV_CMD_OFFSET 3032
59#define RECV_RES_OFFSET 3096
60#define DMA_BUFFER_OFFSET 3160
61#define DMA_BUFFER_SIZE 4096
62#define TRACE_LENGTH 3000
63
64//-----------------------------------------------------------------------------
65// Generate the parity value for a byte sequence
e30c654b 66//
15c4dc5a 67//-----------------------------------------------------------------------------
f7e3ed82 68uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 69{
70 int i;
f7e3ed82 71 uint32_t dwPar = 0;
72934aa3 72
15c4dc5a 73 // Generate the encrypted data
74 for (i = 0; i < iLen; i++) {
75 // Save the encrypted parity bit
76 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
77 }
78 return dwPar;
79}
80
f7e3ed82 81static void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 82{
83 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
84}
85
ed82636b 86int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 87{
88 // Return when trace is full
89 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 90
15c4dc5a 91 // Trace the random, i'm curious
92 rsamples += iSamples;
93 trace[traceLen++] = ((rsamples >> 0) & 0xff);
94 trace[traceLen++] = ((rsamples >> 8) & 0xff);
95 trace[traceLen++] = ((rsamples >> 16) & 0xff);
96 trace[traceLen++] = ((rsamples >> 24) & 0xff);
97 if (!bReader) {
98 trace[traceLen - 1] |= 0x80;
99 }
100 trace[traceLen++] = ((dwParity >> 0) & 0xff);
101 trace[traceLen++] = ((dwParity >> 8) & 0xff);
102 trace[traceLen++] = ((dwParity >> 16) & 0xff);
103 trace[traceLen++] = ((dwParity >> 24) & 0xff);
104 trace[traceLen++] = iLen;
105 memcpy(trace + traceLen, btBytes, iLen);
106 traceLen += iLen;
107 return TRUE;
108}
109
15c4dc5a 110//-----------------------------------------------------------------------------
111// The software UART that receives commands from the reader, and its state
112// variables.
113//-----------------------------------------------------------------------------
114static struct {
115 enum {
116 STATE_UNSYNCD,
117 STATE_START_OF_COMMUNICATION,
118 STATE_MILLER_X,
119 STATE_MILLER_Y,
120 STATE_MILLER_Z,
121 STATE_ERROR_WAIT
122 } state;
f7e3ed82 123 uint16_t shiftReg;
15c4dc5a 124 int bitCnt;
125 int byteCnt;
126 int byteCntMax;
127 int posCnt;
128 int syncBit;
129 int parityBits;
130 int samples;
131 int highCnt;
132 int bitBuffer;
133 enum {
134 DROP_NONE,
135 DROP_FIRST_HALF,
136 DROP_SECOND_HALF
137 } drop;
f7e3ed82 138 uint8_t *output;
15c4dc5a 139} Uart;
140
f7e3ed82 141static int MillerDecoding(int bit)
15c4dc5a 142{
143 int error = 0;
144 int bitright;
145
146 if(!Uart.bitBuffer) {
147 Uart.bitBuffer = bit ^ 0xFF0;
148 return FALSE;
149 }
150 else {
151 Uart.bitBuffer <<= 4;
152 Uart.bitBuffer ^= bit;
153 }
154
f7e3ed82 155 int EOC = FALSE;
15c4dc5a 156
157 if(Uart.state != STATE_UNSYNCD) {
158 Uart.posCnt++;
159
160 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
161 bit = 0x00;
162 }
163 else {
164 bit = 0x01;
165 }
166 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
167 bitright = 0x00;
168 }
169 else {
170 bitright = 0x01;
171 }
172 if(bit != bitright) { bit = bitright; }
173
174 if(Uart.posCnt == 1) {
175 // measurement first half bitperiod
176 if(!bit) {
177 Uart.drop = DROP_FIRST_HALF;
178 }
179 }
180 else {
181 // measurement second half bitperiod
182 if(!bit & (Uart.drop == DROP_NONE)) {
183 Uart.drop = DROP_SECOND_HALF;
184 }
185 else if(!bit) {
186 // measured a drop in first and second half
187 // which should not be possible
188 Uart.state = STATE_ERROR_WAIT;
189 error = 0x01;
190 }
191
192 Uart.posCnt = 0;
193
194 switch(Uart.state) {
195 case STATE_START_OF_COMMUNICATION:
196 Uart.shiftReg = 0;
197 if(Uart.drop == DROP_SECOND_HALF) {
198 // error, should not happen in SOC
199 Uart.state = STATE_ERROR_WAIT;
200 error = 0x02;
201 }
202 else {
203 // correct SOC
204 Uart.state = STATE_MILLER_Z;
205 }
206 break;
207
208 case STATE_MILLER_Z:
209 Uart.bitCnt++;
210 Uart.shiftReg >>= 1;
211 if(Uart.drop == DROP_NONE) {
212 // logic '0' followed by sequence Y
213 // end of communication
214 Uart.state = STATE_UNSYNCD;
215 EOC = TRUE;
216 }
217 // if(Uart.drop == DROP_FIRST_HALF) {
218 // Uart.state = STATE_MILLER_Z; stay the same
219 // we see a logic '0' }
220 if(Uart.drop == DROP_SECOND_HALF) {
221 // we see a logic '1'
222 Uart.shiftReg |= 0x100;
223 Uart.state = STATE_MILLER_X;
224 }
225 break;
226
227 case STATE_MILLER_X:
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // sequence Y, we see a '0'
231 Uart.state = STATE_MILLER_Y;
232 Uart.bitCnt++;
233 }
234 if(Uart.drop == DROP_FIRST_HALF) {
235 // Would be STATE_MILLER_Z
236 // but Z does not follow X, so error
237 Uart.state = STATE_ERROR_WAIT;
238 error = 0x03;
239 }
240 if(Uart.drop == DROP_SECOND_HALF) {
241 // We see a '1' and stay in state X
242 Uart.shiftReg |= 0x100;
243 Uart.bitCnt++;
244 }
245 break;
246
247 case STATE_MILLER_Y:
248 Uart.bitCnt++;
249 Uart.shiftReg >>= 1;
250 if(Uart.drop == DROP_NONE) {
251 // logic '0' followed by sequence Y
252 // end of communication
253 Uart.state = STATE_UNSYNCD;
254 EOC = TRUE;
255 }
256 if(Uart.drop == DROP_FIRST_HALF) {
257 // we see a '0'
258 Uart.state = STATE_MILLER_Z;
259 }
260 if(Uart.drop == DROP_SECOND_HALF) {
261 // We see a '1' and go to state X
262 Uart.shiftReg |= 0x100;
263 Uart.state = STATE_MILLER_X;
264 }
265 break;
266
267 case STATE_ERROR_WAIT:
268 // That went wrong. Now wait for at least two bit periods
269 // and try to sync again
270 if(Uart.drop == DROP_NONE) {
271 Uart.highCnt = 6;
272 Uart.state = STATE_UNSYNCD;
273 }
274 break;
275
276 default:
277 Uart.state = STATE_UNSYNCD;
278 Uart.highCnt = 0;
279 break;
280 }
281
282 Uart.drop = DROP_NONE;
283
284 // should have received at least one whole byte...
285 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
286 return TRUE;
287 }
288
289 if(Uart.bitCnt == 9) {
290 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
291 Uart.byteCnt++;
292
293 Uart.parityBits <<= 1;
294 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
295
296 if(EOC) {
297 // when End of Communication received and
298 // all data bits processed..
299 return TRUE;
300 }
301 Uart.bitCnt = 0;
302 }
303
304 /*if(error) {
305 Uart.output[Uart.byteCnt] = 0xAA;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = error & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 return TRUE;
320 }*/
321 }
322
323 }
324 else {
325 bit = Uart.bitBuffer & 0xf0;
326 bit >>= 4;
327 bit ^= 0x0F;
328 if(bit) {
329 // should have been high or at least (4 * 128) / fc
330 // according to ISO this should be at least (9 * 128 + 20) / fc
331 if(Uart.highCnt == 8) {
332 // we went low, so this could be start of communication
333 // it turns out to be safer to choose a less significant
334 // syncbit... so we check whether the neighbour also represents the drop
335 Uart.posCnt = 1; // apparently we are busy with our first half bit period
336 Uart.syncBit = bit & 8;
337 Uart.samples = 3;
338 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
339 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
340 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
341 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
343 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
344 Uart.syncBit = 8;
345
346 // the first half bit period is expected in next sample
347 Uart.posCnt = 0;
348 Uart.samples = 3;
349 }
350 }
351 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
352
353 Uart.syncBit <<= 4;
354 Uart.state = STATE_START_OF_COMMUNICATION;
355 Uart.drop = DROP_FIRST_HALF;
356 Uart.bitCnt = 0;
357 Uart.byteCnt = 0;
358 Uart.parityBits = 0;
359 error = 0;
360 }
361 else {
362 Uart.highCnt = 0;
363 }
364 }
365 else {
366 if(Uart.highCnt < 8) {
367 Uart.highCnt++;
368 }
369 }
370 }
371
372 return FALSE;
373}
374
375//=============================================================================
376// ISO 14443 Type A - Manchester
377//=============================================================================
378
379static struct {
380 enum {
381 DEMOD_UNSYNCD,
382 DEMOD_START_OF_COMMUNICATION,
383 DEMOD_MANCHESTER_D,
384 DEMOD_MANCHESTER_E,
385 DEMOD_MANCHESTER_F,
386 DEMOD_ERROR_WAIT
387 } state;
388 int bitCount;
389 int posCount;
390 int syncBit;
391 int parityBits;
f7e3ed82 392 uint16_t shiftReg;
15c4dc5a 393 int buffer;
394 int buff;
395 int samples;
396 int len;
397 enum {
398 SUB_NONE,
399 SUB_FIRST_HALF,
400 SUB_SECOND_HALF
401 } sub;
f7e3ed82 402 uint8_t *output;
15c4dc5a 403} Demod;
404
f7e3ed82 405static int ManchesterDecoding(int v)
15c4dc5a 406{
407 int bit;
408 int modulation;
409 int error = 0;
410
411 if(!Demod.buff) {
412 Demod.buff = 1;
413 Demod.buffer = v;
414 return FALSE;
415 }
416 else {
417 bit = Demod.buffer;
418 Demod.buffer = v;
419 }
420
421 if(Demod.state==DEMOD_UNSYNCD) {
422 Demod.output[Demod.len] = 0xfa;
423 Demod.syncBit = 0;
424 //Demod.samples = 0;
425 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
426 if(bit & 0x08) { Demod.syncBit = 0x08; }
427 if(!Demod.syncBit) {
428 if(bit & 0x04) { Demod.syncBit = 0x04; }
429 }
430 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
431 if(!Demod.syncBit) {
432 if(bit & 0x02) { Demod.syncBit = 0x02; }
433 }
434 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
435 if(!Demod.syncBit) {
436 if(bit & 0x01) { Demod.syncBit = 0x01; }
437
438 if(Demod.syncBit & (Demod.buffer & 0x08)) {
439 Demod.syncBit = 0x08;
440
441 // The first half bitperiod is expected in next sample
442 Demod.posCount = 0;
443 Demod.output[Demod.len] = 0xfb;
444 }
445 }
446 else if(bit & 0x01) { Demod.syncBit = 0x01; }
447
448 if(Demod.syncBit) {
449 Demod.len = 0;
450 Demod.state = DEMOD_START_OF_COMMUNICATION;
451 Demod.sub = SUB_FIRST_HALF;
452 Demod.bitCount = 0;
453 Demod.shiftReg = 0;
454 Demod.parityBits = 0;
455 Demod.samples = 0;
456 if(Demod.posCount) {
457 switch(Demod.syncBit) {
458 case 0x08: Demod.samples = 3; break;
459 case 0x04: Demod.samples = 2; break;
460 case 0x02: Demod.samples = 1; break;
461 case 0x01: Demod.samples = 0; break;
462 }
463 }
464 error = 0;
465 }
466 }
467 else {
468 //modulation = bit & Demod.syncBit;
469 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
470
471 Demod.samples += 4;
472
473 if(Demod.posCount==0) {
474 Demod.posCount = 1;
475 if(modulation) {
476 Demod.sub = SUB_FIRST_HALF;
477 }
478 else {
479 Demod.sub = SUB_NONE;
480 }
481 }
482 else {
483 Demod.posCount = 0;
484 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
485 if(Demod.state!=DEMOD_ERROR_WAIT) {
486 Demod.state = DEMOD_ERROR_WAIT;
487 Demod.output[Demod.len] = 0xaa;
488 error = 0x01;
489 }
490 }
491 else if(modulation) {
492 Demod.sub = SUB_SECOND_HALF;
493 }
494
495 switch(Demod.state) {
496 case DEMOD_START_OF_COMMUNICATION:
497 if(Demod.sub == SUB_FIRST_HALF) {
498 Demod.state = DEMOD_MANCHESTER_D;
499 }
500 else {
501 Demod.output[Demod.len] = 0xab;
502 Demod.state = DEMOD_ERROR_WAIT;
503 error = 0x02;
504 }
505 break;
506
507 case DEMOD_MANCHESTER_D:
508 case DEMOD_MANCHESTER_E:
509 if(Demod.sub == SUB_FIRST_HALF) {
510 Demod.bitCount++;
511 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
512 Demod.state = DEMOD_MANCHESTER_D;
513 }
514 else if(Demod.sub == SUB_SECOND_HALF) {
515 Demod.bitCount++;
516 Demod.shiftReg >>= 1;
517 Demod.state = DEMOD_MANCHESTER_E;
518 }
519 else {
520 Demod.state = DEMOD_MANCHESTER_F;
521 }
522 break;
523
524 case DEMOD_MANCHESTER_F:
525 // Tag response does not need to be a complete byte!
526 if(Demod.len > 0 || Demod.bitCount > 0) {
527 if(Demod.bitCount > 0) {
528 Demod.shiftReg >>= (9 - Demod.bitCount);
529 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
530 Demod.len++;
531 // No parity bit, so just shift a 0
532 Demod.parityBits <<= 1;
533 }
534
535 Demod.state = DEMOD_UNSYNCD;
536 return TRUE;
537 }
538 else {
539 Demod.output[Demod.len] = 0xad;
540 Demod.state = DEMOD_ERROR_WAIT;
541 error = 0x03;
542 }
543 break;
544
545 case DEMOD_ERROR_WAIT:
546 Demod.state = DEMOD_UNSYNCD;
547 break;
548
549 default:
550 Demod.output[Demod.len] = 0xdd;
551 Demod.state = DEMOD_UNSYNCD;
552 break;
553 }
554
555 if(Demod.bitCount>=9) {
556 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
557 Demod.len++;
558
559 Demod.parityBits <<= 1;
560 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
561
562 Demod.bitCount = 0;
563 Demod.shiftReg = 0;
564 }
565
566 /*if(error) {
567 Demod.output[Demod.len] = 0xBB;
568 Demod.len++;
569 Demod.output[Demod.len] = error & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = 0xBB;
572 Demod.len++;
573 Demod.output[Demod.len] = bit & 0xFF;
574 Demod.len++;
575 Demod.output[Demod.len] = Demod.buffer & 0xFF;
576 Demod.len++;
577 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
578 Demod.len++;
579 Demod.output[Demod.len] = 0xBB;
580 Demod.len++;
581 return TRUE;
582 }*/
583
584 }
585
586 } // end (state != UNSYNCED)
587
588 return FALSE;
589}
590
591//=============================================================================
592// Finally, a `sniffer' for ISO 14443 Type A
593// Both sides of communication!
594//=============================================================================
595
596//-----------------------------------------------------------------------------
597// Record the sequence of commands sent by the reader to the tag, with
598// triggering so that we start recording at the point that the tag is moved
599// near the reader.
600//-----------------------------------------------------------------------------
601void SnoopIso14443a(void)
602{
603// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
604// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
605// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
606// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
607// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
608
609 // We won't start recording the frames that we acquire until we trigger;
610 // a good trigger condition to get started is probably when we see a
611 // response from the tag.
f7e3ed82 612 int triggered = TRUE; // FALSE to wait first for card
15c4dc5a 613
614 // The command (reader -> tag) that we're receiving.
615 // The length of a received command will in most cases be no more than 18 bytes.
616 // So 32 should be enough!
f7e3ed82 617 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 618 // The response (tag -> reader) that we're receiving.
f7e3ed82 619 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 620
621 // As we receive stuff, we copy it from receivedCmd or receivedResponse
622 // into trace, along with its length and other annotations.
f7e3ed82 623 //uint8_t *trace = (uint8_t *)BigBuf;
15c4dc5a 624 //int traceLen = 0;
625
626 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 627 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 628 int lastRxCounter;
f7e3ed82 629 int8_t *upTo;
15c4dc5a 630 int smpl;
631 int maxBehindBy = 0;
632
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 int samples = 0;
636 int rsamples = 0;
637
638 memset(trace, 0x44, RECV_CMD_OFFSET);
639
640 // Set up the demodulator for tag -> reader responses.
641 Demod.output = receivedResponse;
642 Demod.len = 0;
643 Demod.state = DEMOD_UNSYNCD;
644
645 // And the reader -> tag commands
646 memset(&Uart, 0, sizeof(Uart));
647 Uart.output = receivedCmd;
648 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
649 Uart.state = STATE_UNSYNCD;
650
651 // And put the FPGA in the appropriate mode
652 // Signal field is off with the appropriate LED
653 LED_D_OFF();
654 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
655 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
656
657 // Setup for the DMA.
658 FpgaSetupSsc();
659 upTo = dmaBuf;
660 lastRxCounter = DMA_BUFFER_SIZE;
f7e3ed82 661 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 662
663 LED_A_ON();
664
665 // And now we loop, receiving samples.
666 for(;;) {
667 WDT_HIT();
668 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
669 (DMA_BUFFER_SIZE-1);
670 if(behindBy > maxBehindBy) {
671 maxBehindBy = behindBy;
672 if(behindBy > 400) {
673 DbpString("blew circular buffer!");
674 goto done;
675 }
676 }
677 if(behindBy < 1) continue;
678
679 smpl = upTo[0];
680 upTo++;
681 lastRxCounter -= 1;
682 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
683 upTo -= DMA_BUFFER_SIZE;
684 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 685 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 686 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
687 }
688
689 samples += 4;
15c4dc5a 690 if(MillerDecoding((smpl & 0xF0) >> 4)) {
691 rsamples = samples - Uart.samples;
72934aa3 692 LED_C_ON();
693 if(triggered) {
694 trace[traceLen++] = ((rsamples >> 0) & 0xff);
695 trace[traceLen++] = ((rsamples >> 8) & 0xff);
696 trace[traceLen++] = ((rsamples >> 16) & 0xff);
697 trace[traceLen++] = ((rsamples >> 24) & 0xff);
698 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
699 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
700 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
701 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
702 trace[traceLen++] = Uart.byteCnt;
703 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
704 traceLen += Uart.byteCnt;
705 if(traceLen > TRACE_LENGTH) break;
706 }
707 /* And ready to receive another command. */
708 Uart.state = STATE_UNSYNCD;
709 /* And also reset the demod code, which might have been */
710 /* false-triggered by the commands from the reader. */
711 Demod.state = DEMOD_UNSYNCD;
712 LED_B_OFF();
15c4dc5a 713 }
714 if(ManchesterDecoding(smpl & 0x0F)) {
715 rsamples = samples - Demod.samples;
716 LED_B_ON();
717
718 // timestamp, as a count of samples
719 trace[traceLen++] = ((rsamples >> 0) & 0xff);
720 trace[traceLen++] = ((rsamples >> 8) & 0xff);
721 trace[traceLen++] = ((rsamples >> 16) & 0xff);
722 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
723 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
724 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
725 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
726 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
727 // length
728 trace[traceLen++] = Demod.len;
729 memcpy(trace+traceLen, receivedResponse, Demod.len);
730 traceLen += Demod.len;
731 if(traceLen > TRACE_LENGTH) break;
732
733 triggered = TRUE;
734
735 // And ready to receive another response.
736 memset(&Demod, 0, sizeof(Demod));
737 Demod.output = receivedResponse;
738 Demod.state = DEMOD_UNSYNCD;
739 LED_C_OFF();
740 }
741
742 if(BUTTON_PRESS()) {
743 DbpString("cancelled_a");
744 goto done;
745 }
746 }
747
748 DbpString("COMMAND FINISHED");
749
750 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
751 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
752
753done:
754 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
755 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
756 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
757 LED_A_OFF();
758 LED_B_OFF();
759 LED_C_OFF();
760 LED_D_OFF();
761}
762
15c4dc5a 763//-----------------------------------------------------------------------------
764// Prepare tag messages
765//-----------------------------------------------------------------------------
f7e3ed82 766static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 767{
768 int i;
769 int oddparity;
770
771 ToSendReset();
772
773 // Correction bit, might be removed when not needed
774 ToSendStuffBit(0);
775 ToSendStuffBit(0);
776 ToSendStuffBit(0);
777 ToSendStuffBit(0);
778 ToSendStuffBit(1); // 1
779 ToSendStuffBit(0);
780 ToSendStuffBit(0);
781 ToSendStuffBit(0);
782
783 // Send startbit
72934aa3 784 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 785
786 for(i = 0; i < len; i++) {
787 int j;
f7e3ed82 788 uint8_t b = cmd[i];
15c4dc5a 789
790 // Data bits
791 oddparity = 0x01;
792 for(j = 0; j < 8; j++) {
793 oddparity ^= (b & 1);
794 if(b & 1) {
72934aa3 795 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 796 } else {
72934aa3 797 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 798 }
799 b >>= 1;
800 }
801
802 // Parity bit
803 if(oddparity) {
72934aa3 804 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 805 } else {
72934aa3 806 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 807 }
808 }
809
810 // Send stopbit
72934aa3 811 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 812
813 // Flush the buffer in FPGA!!
814 for(i = 0; i < 5; i++) {
72934aa3 815 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 816 }
817
818 // Convert from last byte pos to length
819 ToSendMax++;
820
821 // Add a few more for slop
822 ToSend[ToSendMax++] = 0x00;
823 ToSend[ToSendMax++] = 0x00;
824 //ToSendMax += 2;
825}
826
827//-----------------------------------------------------------------------------
828// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
829//-----------------------------------------------------------------------------
830static void CodeStrangeAnswer()
831{
832 int i;
833
834 ToSendReset();
835
836 // Correction bit, might be removed when not needed
837 ToSendStuffBit(0);
838 ToSendStuffBit(0);
839 ToSendStuffBit(0);
840 ToSendStuffBit(0);
841 ToSendStuffBit(1); // 1
842 ToSendStuffBit(0);
843 ToSendStuffBit(0);
844 ToSendStuffBit(0);
845
846 // Send startbit
72934aa3 847 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 848
849 // 0
72934aa3 850 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 851
852 // 0
72934aa3 853 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 854
855 // 1
72934aa3 856 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 857
858 // Send stopbit
72934aa3 859 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 860
861 // Flush the buffer in FPGA!!
862 for(i = 0; i < 5; i++) {
72934aa3 863 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 864 }
865
866 // Convert from last byte pos to length
867 ToSendMax++;
868
869 // Add a few more for slop
870 ToSend[ToSendMax++] = 0x00;
871 ToSend[ToSendMax++] = 0x00;
872 //ToSendMax += 2;
873}
874
875//-----------------------------------------------------------------------------
876// Wait for commands from reader
877// Stop when button is pressed
878// Or return TRUE when command is captured
879//-----------------------------------------------------------------------------
f7e3ed82 880static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 881{
882 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
883 // only, since we are receiving, not transmitting).
884 // Signal field is off with the appropriate LED
885 LED_D_OFF();
886 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
887
888 // Now run a `software UART' on the stream of incoming samples.
889 Uart.output = received;
890 Uart.byteCntMax = maxLen;
891 Uart.state = STATE_UNSYNCD;
892
893 for(;;) {
894 WDT_HIT();
895
896 if(BUTTON_PRESS()) return FALSE;
897
898 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
899 AT91C_BASE_SSC->SSC_THR = 0x00;
900 }
901 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 902 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 903 if(MillerDecoding((b & 0xf0) >> 4)) {
904 *len = Uart.byteCnt;
905 return TRUE;
906 }
907 if(MillerDecoding(b & 0x0f)) {
908 *len = Uart.byteCnt;
909 return TRUE;
910 }
911 }
912 }
913}
914
915//-----------------------------------------------------------------------------
916// Main loop of simulated tag: receive commands from reader, decide what
917// response to send, and send it.
918//-----------------------------------------------------------------------------
919void SimulateIso14443aTag(int tagType, int TagUid)
920{
921 // This function contains the tag emulation
922
923 // Prepare protocol messages
f7e3ed82 924 // static const uint8_t cmd1[] = { 0x26 };
925// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 926//
f7e3ed82 927 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
928// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 929
930 // UID response
f7e3ed82 931 // static const uint8_t cmd2[] = { 0x93, 0x20 };
932 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 933
15c4dc5a 934// my desfire
f7e3ed82 935 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 936
937
938// When reader selects us during cascade1 it will send cmd3
f7e3ed82 939//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
940uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 941ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
942
943// send cascade2 2nd half of UID
f7e3ed82 944static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 945// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
946
15c4dc5a 947// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 948//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
949uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 950ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
951
f7e3ed82 952 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 953
f7e3ed82 954 uint8_t *resp;
15c4dc5a 955 int respLen;
956
957 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
958 // This will need
959 // 144 data bits (18 * 8)
960 // 18 parity bits
961 // 2 Start and stop
962 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
963 // 1 just for the case
964 // ----------- +
965 // 166
966 //
967 // 166 bytes, since every bit that needs to be send costs us a byte
968 //
969
15c4dc5a 970 // Respond with card type
f7e3ed82 971 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 972 int resp1Len;
973
974 // Anticollision cascade1 - respond with uid
f7e3ed82 975 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 976 int resp2Len;
977
978 // Anticollision cascade2 - respond with 2nd half of uid if asked
979 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 980 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 981 int resp2aLen;
982
983 // Acknowledge select - cascade 1
f7e3ed82 984 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 985 int resp3Len;
986
987 // Acknowledge select - cascade 2
f7e3ed82 988 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 989 int resp3aLen;
990
991 // Response to a read request - not implemented atm
f7e3ed82 992 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 993 int resp4Len;
994
995 // Authenticate response - nonce
f7e3ed82 996 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 997 int resp5Len;
998
f7e3ed82 999 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1000 int len;
1001
1002 int i;
1003 int u;
f7e3ed82 1004 uint8_t b;
15c4dc5a 1005
1006 // To control where we are in the protocol
1007 int order = 0;
1008 int lastorder;
1009
1010 // Just to allow some checks
1011 int happened = 0;
1012 int happened2 = 0;
1013
1014 int cmdsRecvd = 0;
1015
f7e3ed82 1016 int fdt_indicator;
15c4dc5a 1017
1018 memset(receivedCmd, 0x44, 400);
1019
1020 // Prepare the responses of the anticollision phase
1021 // there will be not enough time to do this at the moment the reader sends it REQA
1022
1023 // Answer to request
1024 CodeIso14443aAsTag(response1, sizeof(response1));
1025 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1026
1027 // Send our UID (cascade 1)
1028 CodeIso14443aAsTag(response2, sizeof(response2));
1029 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1030
1031 // Answer to select (cascade1)
1032 CodeIso14443aAsTag(response3, sizeof(response3));
1033 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1034
1035 // Send the cascade 2 2nd part of the uid
1036 CodeIso14443aAsTag(response2a, sizeof(response2a));
1037 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1038
1039 // Answer to select (cascade 2)
1040 CodeIso14443aAsTag(response3a, sizeof(response3a));
1041 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1042
1043 // Strange answer is an example of rare message size (3 bits)
1044 CodeStrangeAnswer();
1045 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1046
1047 // Authentication answer (random nonce)
1048 CodeIso14443aAsTag(response5, sizeof(response5));
1049 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1050
1051 // We need to listen to the high-frequency, peak-detected path.
1052 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1053 FpgaSetupSsc();
1054
1055 cmdsRecvd = 0;
1056
1057 LED_A_ON();
1058 for(;;) {
1059
1060 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1061 DbpString("button press");
1062 break;
1063 }
1064 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1065 // Okay, look at the command now.
1066 lastorder = order;
1067 i = 1; // first byte transmitted
1068 if(receivedCmd[0] == 0x26) {
1069 // Received a REQUEST
1070 resp = resp1; respLen = resp1Len; order = 1;
1071 //DbpString("Hello request from reader:");
1072 } else if(receivedCmd[0] == 0x52) {
1073 // Received a WAKEUP
1074 resp = resp1; respLen = resp1Len; order = 6;
1075// //DbpString("Wakeup request from reader:");
1076
1077 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1078 // Received request for UID (cascade 1)
1079 resp = resp2; respLen = resp2Len; order = 2;
1080// DbpString("UID (cascade 1) request from reader:");
1081// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1082
1083
1084 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1085 // Received request for UID (cascade 2)
1086 resp = resp2a; respLen = resp2aLen; order = 20;
1087// DbpString("UID (cascade 2) request from reader:");
1088// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1089
1090
1091 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1092 // Received a SELECT
1093 resp = resp3; respLen = resp3Len; order = 3;
1094// DbpString("Select (cascade 1) request from reader:");
1095// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1096
1097
1098 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1099 // Received a SELECT
1100 resp = resp3a; respLen = resp3aLen; order = 30;
1101// DbpString("Select (cascade 2) request from reader:");
1102// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1103
1104
1105 } else if(receivedCmd[0] == 0x30) {
1106 // Received a READ
1107 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1108 Dbprintf("Read request from reader: %x %x %x",
1109 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1110
1111
1112 } else if(receivedCmd[0] == 0x50) {
1113 // Received a HALT
1114 resp = resp1; respLen = 0; order = 5; // Do nothing
1115 DbpString("Reader requested we HALT!:");
1116
1117 } else if(receivedCmd[0] == 0x60) {
1118 // Received an authentication request
1119 resp = resp5; respLen = resp5Len; order = 7;
1120 Dbprintf("Authenticate request from reader: %x %x %x",
1121 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1122
1123 } else if(receivedCmd[0] == 0xE0) {
1124 // Received a RATS request
1125 resp = resp1; respLen = 0;order = 70;
1126 Dbprintf("RATS request from reader: %x %x %x",
1127 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1128 } else {
1129 // Never seen this command before
1130 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1131 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1132 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1133 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1134 // Do not respond
1135 resp = resp1; respLen = 0; order = 0;
1136 }
1137
1138 // Count number of wakeups received after a halt
1139 if(order == 6 && lastorder == 5) { happened++; }
1140
1141 // Count number of other messages after a halt
1142 if(order != 6 && lastorder == 5) { happened2++; }
1143
1144 // Look at last parity bit to determine timing of answer
1145 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1146 // 1236, so correction bit needed
1147 i = 0;
1148 }
1149
1150 memset(receivedCmd, 0x44, 32);
1151
1152 if(cmdsRecvd > 999) {
1153 DbpString("1000 commands later...");
1154 break;
1155 }
1156 else {
1157 cmdsRecvd++;
1158 }
1159
1160 if(respLen <= 0) continue;
1161
1162 // Modulate Manchester
1163 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1164 AT91C_BASE_SSC->SSC_THR = 0x00;
1165 FpgaSetupSsc();
1166
1167 // ### Transmit the response ###
1168 u = 0;
1169 b = 0x00;
1170 fdt_indicator = FALSE;
1171 for(;;) {
1172 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1173 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1174 (void)b;
1175 }
1176 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1177 if(i > respLen) {
1178 b = 0x00;
1179 u++;
1180 } else {
1181 b = resp[i];
1182 i++;
1183 }
1184 AT91C_BASE_SSC->SSC_THR = b;
1185
1186 if(u > 4) {
1187 break;
1188 }
1189 }
1190 if(BUTTON_PRESS()) {
1191 break;
1192 }
1193 }
1194
1195 }
1196
1197 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1198 LED_A_OFF();
1199}
1200
1201//-----------------------------------------------------------------------------
1202// Transmit the command (to the tag) that was placed in ToSend[].
1203//-----------------------------------------------------------------------------
f7e3ed82 1204static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1205{
1206 int c;
e30c654b 1207
15c4dc5a 1208 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1209
15c4dc5a 1210 if (wait)
1211 if(*wait < 10)
1212 *wait = 10;
e30c654b 1213
15c4dc5a 1214 for(c = 0; c < *wait;) {
1215 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1216 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1217 c++;
1218 }
1219 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1220 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1221 (void)r;
1222 }
1223 WDT_HIT();
1224 }
e30c654b 1225
15c4dc5a 1226 c = 0;
1227 for(;;) {
1228 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1229 AT91C_BASE_SSC->SSC_THR = cmd[c];
1230 c++;
1231 if(c >= len) {
1232 break;
1233 }
1234 }
1235 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1236 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1237 (void)r;
1238 }
1239 WDT_HIT();
1240 }
1241 if (samples) *samples = (c + *wait) << 3;
1242}
1243
15c4dc5a 1244//-----------------------------------------------------------------------------
1245// Code a 7-bit command without parity bit
1246// This is especially for 0x26 and 0x52 (REQA and WUPA)
1247//-----------------------------------------------------------------------------
f7e3ed82 1248void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1249{
1250 int j;
1251 int last;
f7e3ed82 1252 uint8_t b;
15c4dc5a 1253
1254 ToSendReset();
1255
1256 // Start of Communication (Seq. Z)
72934aa3 1257 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1258 last = 0;
1259
1260 b = bt;
1261 for(j = 0; j < 7; j++) {
1262 if(b & 1) {
1263 // Sequence X
72934aa3 1264 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1265 last = 1;
1266 } else {
1267 if(last == 0) {
1268 // Sequence Z
72934aa3 1269 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1270 }
1271 else {
1272 // Sequence Y
72934aa3 1273 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1274 last = 0;
1275 }
1276 }
1277 b >>= 1;
1278 }
1279
1280 // End of Communication
1281 if(last == 0) {
1282 // Sequence Z
72934aa3 1283 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1284 }
1285 else {
1286 // Sequence Y
72934aa3 1287 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1288 last = 0;
1289 }
1290 // Sequence Y
72934aa3 1291 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1292
1293 // Just to be sure!
72934aa3 1294 ToSend[++ToSendMax] = SEC_Y;
1295 ToSend[++ToSendMax] = SEC_Y;
1296 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1297
1298 // Convert from last character reference to length
1299 ToSendMax++;
1300}
1301
1302//-----------------------------------------------------------------------------
1303// Prepare reader command to send to FPGA
e30c654b 1304//
15c4dc5a 1305//-----------------------------------------------------------------------------
f7e3ed82 1306void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1307{
1308 int i, j;
1309 int last;
f7e3ed82 1310 uint8_t b;
e30c654b 1311
15c4dc5a 1312 ToSendReset();
e30c654b 1313
15c4dc5a 1314 // Start of Communication (Seq. Z)
72934aa3 1315 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1316 last = 0;
e30c654b 1317
15c4dc5a 1318 // Generate send structure for the data bits
1319 for (i = 0; i < len; i++) {
1320 // Get the current byte to send
1321 b = cmd[i];
e30c654b 1322
15c4dc5a 1323 for (j = 0; j < 8; j++) {
1324 if (b & 1) {
1325 // Sequence X
72934aa3 1326 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1327 last = 1;
1328 } else {
1329 if (last == 0) {
1330 // Sequence Z
72934aa3 1331 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1332 } else {
1333 // Sequence Y
72934aa3 1334 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1335 last = 0;
1336 }
1337 }
1338 b >>= 1;
1339 }
e30c654b 1340
15c4dc5a 1341 // Get the parity bit
1342 if ((dwParity >> i) & 0x01) {
1343 // Sequence X
72934aa3 1344 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1345 last = 1;
1346 } else {
1347 if (last == 0) {
1348 // Sequence Z
72934aa3 1349 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1350 } else {
1351 // Sequence Y
72934aa3 1352 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1353 last = 0;
1354 }
1355 }
1356 }
e30c654b 1357
15c4dc5a 1358 // End of Communication
1359 if (last == 0) {
1360 // Sequence Z
72934aa3 1361 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1362 } else {
1363 // Sequence Y
72934aa3 1364 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1365 last = 0;
1366 }
1367 // Sequence Y
72934aa3 1368 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1369
15c4dc5a 1370 // Just to be sure!
72934aa3 1371 ToSend[++ToSendMax] = SEC_Y;
1372 ToSend[++ToSendMax] = SEC_Y;
1373 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1374
15c4dc5a 1375 // Convert from last character reference to length
1376 ToSendMax++;
1377}
1378
1379//-----------------------------------------------------------------------------
1380// Wait a certain time for tag response
1381// If a response is captured return TRUE
1382// If it takes to long return FALSE
1383//-----------------------------------------------------------------------------
f7e3ed82 1384static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1385{
1386 // buffer needs to be 512 bytes
1387 int c;
1388
1389 // Set FPGA mode to "reader listen mode", no modulation (listen
1390 // only, since we are receiving, not transmitting).
1391 // Signal field is on with the appropriate LED
1392 LED_D_ON();
1393 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1394
1395 // Now get the answer from the card
1396 Demod.output = receivedResponse;
1397 Demod.len = 0;
1398 Demod.state = DEMOD_UNSYNCD;
1399
f7e3ed82 1400 uint8_t b;
15c4dc5a 1401 if (elapsed) *elapsed = 0;
1402
1403 c = 0;
1404 for(;;) {
1405 WDT_HIT();
1406
1407 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1408 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1409 if (elapsed) (*elapsed)++;
1410 }
1411 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1412 if(c < 512) { c++; } else { return FALSE; }
f7e3ed82 1413 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1414 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1415 *samples = ((c - 1) << 3) + 4;
1416 return TRUE;
1417 }
1418 if(ManchesterDecoding(b & 0x0f)) {
1419 *samples = c << 3;
1420 return TRUE;
1421 }
1422 }
1423 }
1424}
1425
f7e3ed82 1426void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1427{
1428 int wait = 0;
1429 int samples = 0;
1430
1431 ShortFrameFromReader(*bt);
e30c654b 1432
15c4dc5a 1433 // Select the card
e30c654b 1434 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1435
15c4dc5a 1436 // Store reader command in buffer
1437 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1438}
1439
f7e3ed82 1440void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1441{
1442 int wait = 0;
1443 int samples = 0;
e30c654b 1444
15c4dc5a 1445 // This is tied to other size changes
f7e3ed82 1446 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1447 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1448
15c4dc5a 1449 // Select the card
e30c654b 1450 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1451
15c4dc5a 1452 // Store reader command in buffer
1453 if (tracing) LogTrace(frame,len,0,par,TRUE);
1454}
1455
1456
f7e3ed82 1457void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1458{
1459 // Generate parity and redirect
1460 ReaderTransmitPar(frame,len,GetParity(frame,len));
1461}
1462
f7e3ed82 1463int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1464{
1465 int samples = 0;
1466 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1467 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1468 return TRUE;
1469}
1470
1471//-----------------------------------------------------------------------------
1472// Read an ISO 14443a tag. Send out commands and store answers.
1473//
1474//-----------------------------------------------------------------------------
f7e3ed82 1475void ReaderIso14443a(uint32_t parameter)
15c4dc5a 1476{
1477 // Anticollision
f7e3ed82 1478 uint8_t wupa[] = { 0x52 };
1479 uint8_t sel_all[] = { 0x93,0x20 };
1480 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1481 uint8_t sel_all_c2[] = { 0x95,0x20 };
1482 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
15c4dc5a 1483
1484 // Mifare AUTH
f7e3ed82 1485 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1486// uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
e30c654b 1487
f7e3ed82 1488 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1489 traceLen = 0;
1490
1491 // Setup SSC
1492 FpgaSetupSsc();
1493
1494 // Start from off (no field generated)
1495 // Signal field is off with the appropriate LED
1496 LED_D_OFF();
1497 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1498 SpinDelay(200);
1499
1500 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
15c4dc5a 1501
1502 // Now give it time to spin up.
1503 // Signal field is on with the appropriate LED
1504 LED_D_ON();
1505 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1506 SpinDelay(200);
1507
1508 LED_A_ON();
1509 LED_B_OFF();
1510 LED_C_OFF();
1511
1512 while(traceLen < TRACE_LENGTH)
1513 {
1514 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1515 ReaderTransmitShort(wupa);
e30c654b 1516
15c4dc5a 1517 // Test if the action was cancelled
1518 if(BUTTON_PRESS()) {
1519 break;
1520 }
e30c654b 1521
15c4dc5a 1522 // Receive the ATQA
1523 if (!ReaderReceive(receivedAnswer)) continue;
1524
1525 // Transmit SELECT_ALL
1526 ReaderTransmit(sel_all,sizeof(sel_all));
1527
1528 // Receive the UID
1529 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1530
15c4dc5a 1531 // Construct SELECT UID command
1532 // First copy the 5 bytes (Mifare Classic) after the 93 70
1533 memcpy(sel_uid+2,receivedAnswer,5);
1534 // Secondly compute the two CRC bytes at the end
1535 AppendCrc14443a(sel_uid,7);
1536
1537 // Transmit SELECT_UID
1538 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1539
15c4dc5a 1540 // Receive the SAK
1541 if (!ReaderReceive(receivedAnswer)) continue;
1542
1543 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1544 // which case we need to make a cascade 2 request and select - this is a long UID
e30c654b 1545 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
15c4dc5a 1546 if (receivedAnswer[0] &= 0x04)
1547 {
1548 // Transmit SELECT_ALL
1549 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
e30c654b 1550
15c4dc5a 1551 // Receive the UID
1552 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1553
15c4dc5a 1554 // Construct SELECT UID command
1555 memcpy(sel_uid_c2+2,receivedAnswer,5);
1556 // Secondly compute the two CRC bytes at the end
1557 AppendCrc14443a(sel_uid_c2,7);
e30c654b 1558
15c4dc5a 1559 // Transmit SELECT_UID
1560 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
e30c654b 1561
15c4dc5a 1562 // Receive the SAK
1563 if (!ReaderReceive(receivedAnswer)) continue;
1564 }
1565
1566 // Transmit MIFARE_CLASSIC_AUTH
1567 ReaderTransmit(mf_auth,sizeof(mf_auth));
1568
1569 // Receive the (16 bit) "random" nonce
1570 if (!ReaderReceive(receivedAnswer)) continue;
1571 }
1572
1573 // Thats it...
1574 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1575 LEDsoff();
1576 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1577 DbpString("ready..");
1578}
1579
1580//-----------------------------------------------------------------------------
1581// Read an ISO 14443a tag. Send out commands and store answers.
1582//
1583//-----------------------------------------------------------------------------
f7e3ed82 1584void ReaderMifare(uint32_t parameter)
15c4dc5a 1585{
e30c654b 1586
15c4dc5a 1587 // Anticollision
f7e3ed82 1588 uint8_t wupa[] = { 0x52 };
1589 uint8_t sel_all[] = { 0x93,0x20 };
1590 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1591
15c4dc5a 1592 // Mifare AUTH
f7e3ed82 1593 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1594 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1595
f7e3ed82 1596 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1597 traceLen = 0;
1598 tracing = false;
e30c654b 1599
15c4dc5a 1600 // Setup SSC
1601 FpgaSetupSsc();
e30c654b 1602
15c4dc5a 1603 // Start from off (no field generated)
1604 // Signal field is off with the appropriate LED
1605 LED_D_OFF();
1606 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1607 SpinDelay(200);
e30c654b 1608
15c4dc5a 1609 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1610
15c4dc5a 1611 // Now give it time to spin up.
1612 // Signal field is on with the appropriate LED
1613 LED_D_ON();
1614 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1615 SpinDelay(200);
e30c654b 1616
15c4dc5a 1617 LED_A_ON();
1618 LED_B_OFF();
1619 LED_C_OFF();
e30c654b 1620
15c4dc5a 1621 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1622 ReaderTransmitShort(wupa);
1623 // Receive the ATQA
1624 ReaderReceive(receivedAnswer);
1625 // Transmit SELECT_ALL
1626 ReaderTransmit(sel_all,sizeof(sel_all));
1627 // Receive the UID
1628 ReaderReceive(receivedAnswer);
1629 // Construct SELECT UID command
1630 // First copy the 5 bytes (Mifare Classic) after the 93 70
1631 memcpy(sel_uid+2,receivedAnswer,5);
1632 // Secondly compute the two CRC bytes at the end
1633 AppendCrc14443a(sel_uid,7);
e30c654b 1634
15c4dc5a 1635 byte_t nt_diff = 0;
1636 LED_A_OFF();
1637 byte_t par = 0;
1638 byte_t par_mask = 0xff;
1639 byte_t par_low = 0;
f7e3ed82 1640 int led_on = TRUE;
e30c654b 1641
15c4dc5a 1642 tracing = FALSE;
1643 byte_t nt[4];
1644 byte_t nt_attacked[4];
1645 byte_t par_list[8];
1646 byte_t ks_list[8];
1647 num_to_bytes(parameter,4,nt_attacked);
1648
1649 while(TRUE)
1650 {
1651 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1652 SpinDelay(200);
1653 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1654
15c4dc5a 1655 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1656 ReaderTransmitShort(wupa);
e30c654b 1657
15c4dc5a 1658 // Test if the action was cancelled
1659 if(BUTTON_PRESS()) {
1660 break;
1661 }
e30c654b 1662
15c4dc5a 1663 // Receive the ATQA
1664 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1665
15c4dc5a 1666 // Transmit SELECT_ALL
1667 ReaderTransmit(sel_all,sizeof(sel_all));
e30c654b 1668
15c4dc5a 1669 // Receive the UID
1670 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1671
15c4dc5a 1672 // Transmit SELECT_UID
1673 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1674
15c4dc5a 1675 // Receive the SAK
1676 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1677
15c4dc5a 1678 // Transmit MIFARE_CLASSIC_AUTH
1679 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1680
15c4dc5a 1681 // Receive the (16 bit) "random" nonce
1682 if (!ReaderReceive(receivedAnswer)) continue;
1683 memcpy(nt,receivedAnswer,4);
1684
1685 // Transmit reader nonce and reader answer
1686 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1687
15c4dc5a 1688 // Receive 4 bit answer
1689 if (ReaderReceive(receivedAnswer))
1690 {
e30c654b 1691 if (nt_diff == 0)
15c4dc5a 1692 {
1693 LED_A_ON();
1694 memcpy(nt_attacked,nt,4);
1695 par_mask = 0xf8;
1696 par_low = par & 0x07;
1697 }
1698
1699 if (memcmp(nt,nt_attacked,4) != 0) continue;
1700
1701 led_on = !led_on;
1702 if(led_on) LED_B_ON(); else LED_B_OFF();
1703 par_list[nt_diff] = par;
1704 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1705
15c4dc5a 1706 // Test if the information is complete
1707 if (nt_diff == 0x07) break;
e30c654b 1708
15c4dc5a 1709 nt_diff = (nt_diff+1) & 0x07;
1710 mf_nr_ar[3] = nt_diff << 5;
1711 par = par_low;
1712 } else {
1713 if (nt_diff == 0)
1714 {
1715 par++;
1716 } else {
1717 par = (((par>>3)+1) << 3) | par_low;
1718 }
1719 }
1720 }
e30c654b 1721
72934aa3 1722 LogTrace(sel_uid+2,4,0,GetParity(sel_uid+2,4),TRUE);
1723 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1724 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1725 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
e30c654b 1726
15c4dc5a 1727 // Thats it...
1728 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1729 LEDsoff();
1730 tracing = TRUE;
1731}
Proxmark3 GIT tracking
Impressum, Datenschutz