projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
iso14a cleanup and implement RATS [Hagen Fritsch]
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
bd20f8f4 3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
15c4dc5a 7//-----------------------------------------------------------------------------
bd20f8f4 8// Routines to support ISO 14443 type A.
9//-----------------------------------------------------------------------------
10
e30c654b 11#include "proxmark3.h"
15c4dc5a 12#include "apps.h"
f7e3ed82 13#include "util.h"
9ab7a6c7 14#include "string.h"
15
15c4dc5a 16#include "iso14443crc.h"
17
f7e3ed82 18static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 19static int traceLen = 0;
20static int rsamples = 0;
f7e3ed82 21static int tracing = TRUE;
15c4dc5a 22
72934aa3 23// CARD TO READER
24// Sequence D: 11110000 modulation with subcarrier during first half
25// Sequence E: 00001111 modulation with subcarrier during second half
26// Sequence F: 00000000 no modulation with subcarrier
27// READER TO CARD
28// Sequence X: 00001100 drop after half a period
29// Sequence Y: 00000000 no drop
30// Sequence Z: 11000000 drop at start
31#define SEC_D 0xf0
32#define SEC_E 0x0f
33#define SEC_F 0x00
34#define SEC_X 0x0c
35#define SEC_Y 0x00
36#define SEC_Z 0xc0
15c4dc5a 37
f7e3ed82 38static const uint8_t OddByteParity[256] = {
15c4dc5a 39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
55};
56
57// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
58#define RECV_CMD_OFFSET 3032
59#define RECV_RES_OFFSET 3096
60#define DMA_BUFFER_OFFSET 3160
61#define DMA_BUFFER_SIZE 4096
62#define TRACE_LENGTH 3000
63
64//-----------------------------------------------------------------------------
65// Generate the parity value for a byte sequence
e30c654b 66//
15c4dc5a 67//-----------------------------------------------------------------------------
f7e3ed82 68uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 69{
70 int i;
f7e3ed82 71 uint32_t dwPar = 0;
72934aa3 72
15c4dc5a 73 // Generate the encrypted data
74 for (i = 0; i < iLen; i++) {
75 // Save the encrypted parity bit
76 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
77 }
78 return dwPar;
79}
80
f7e3ed82 81static void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 82{
83 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
84}
85
ed82636b 86int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 87{
88 // Return when trace is full
89 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 90
15c4dc5a 91 // Trace the random, i'm curious
92 rsamples += iSamples;
93 trace[traceLen++] = ((rsamples >> 0) & 0xff);
94 trace[traceLen++] = ((rsamples >> 8) & 0xff);
95 trace[traceLen++] = ((rsamples >> 16) & 0xff);
96 trace[traceLen++] = ((rsamples >> 24) & 0xff);
97 if (!bReader) {
98 trace[traceLen - 1] |= 0x80;
99 }
100 trace[traceLen++] = ((dwParity >> 0) & 0xff);
101 trace[traceLen++] = ((dwParity >> 8) & 0xff);
102 trace[traceLen++] = ((dwParity >> 16) & 0xff);
103 trace[traceLen++] = ((dwParity >> 24) & 0xff);
104 trace[traceLen++] = iLen;
105 memcpy(trace + traceLen, btBytes, iLen);
106 traceLen += iLen;
107 return TRUE;
108}
109
15c4dc5a 110//-----------------------------------------------------------------------------
111// The software UART that receives commands from the reader, and its state
112// variables.
113//-----------------------------------------------------------------------------
114static struct {
115 enum {
116 STATE_UNSYNCD,
117 STATE_START_OF_COMMUNICATION,
118 STATE_MILLER_X,
119 STATE_MILLER_Y,
120 STATE_MILLER_Z,
121 STATE_ERROR_WAIT
122 } state;
f7e3ed82 123 uint16_t shiftReg;
15c4dc5a 124 int bitCnt;
125 int byteCnt;
126 int byteCntMax;
127 int posCnt;
128 int syncBit;
129 int parityBits;
130 int samples;
131 int highCnt;
132 int bitBuffer;
133 enum {
134 DROP_NONE,
135 DROP_FIRST_HALF,
136 DROP_SECOND_HALF
137 } drop;
f7e3ed82 138 uint8_t *output;
15c4dc5a 139} Uart;
140
f7e3ed82 141static int MillerDecoding(int bit)
15c4dc5a 142{
143 int error = 0;
144 int bitright;
145
146 if(!Uart.bitBuffer) {
147 Uart.bitBuffer = bit ^ 0xFF0;
148 return FALSE;
149 }
150 else {
151 Uart.bitBuffer <<= 4;
152 Uart.bitBuffer ^= bit;
153 }
154
f7e3ed82 155 int EOC = FALSE;
15c4dc5a 156
157 if(Uart.state != STATE_UNSYNCD) {
158 Uart.posCnt++;
159
160 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
161 bit = 0x00;
162 }
163 else {
164 bit = 0x01;
165 }
166 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
167 bitright = 0x00;
168 }
169 else {
170 bitright = 0x01;
171 }
172 if(bit != bitright) { bit = bitright; }
173
174 if(Uart.posCnt == 1) {
175 // measurement first half bitperiod
176 if(!bit) {
177 Uart.drop = DROP_FIRST_HALF;
178 }
179 }
180 else {
181 // measurement second half bitperiod
182 if(!bit & (Uart.drop == DROP_NONE)) {
183 Uart.drop = DROP_SECOND_HALF;
184 }
185 else if(!bit) {
186 // measured a drop in first and second half
187 // which should not be possible
188 Uart.state = STATE_ERROR_WAIT;
189 error = 0x01;
190 }
191
192 Uart.posCnt = 0;
193
194 switch(Uart.state) {
195 case STATE_START_OF_COMMUNICATION:
196 Uart.shiftReg = 0;
197 if(Uart.drop == DROP_SECOND_HALF) {
198 // error, should not happen in SOC
199 Uart.state = STATE_ERROR_WAIT;
200 error = 0x02;
201 }
202 else {
203 // correct SOC
204 Uart.state = STATE_MILLER_Z;
205 }
206 break;
207
208 case STATE_MILLER_Z:
209 Uart.bitCnt++;
210 Uart.shiftReg >>= 1;
211 if(Uart.drop == DROP_NONE) {
212 // logic '0' followed by sequence Y
213 // end of communication
214 Uart.state = STATE_UNSYNCD;
215 EOC = TRUE;
216 }
217 // if(Uart.drop == DROP_FIRST_HALF) {
218 // Uart.state = STATE_MILLER_Z; stay the same
219 // we see a logic '0' }
220 if(Uart.drop == DROP_SECOND_HALF) {
221 // we see a logic '1'
222 Uart.shiftReg |= 0x100;
223 Uart.state = STATE_MILLER_X;
224 }
225 break;
226
227 case STATE_MILLER_X:
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // sequence Y, we see a '0'
231 Uart.state = STATE_MILLER_Y;
232 Uart.bitCnt++;
233 }
234 if(Uart.drop == DROP_FIRST_HALF) {
235 // Would be STATE_MILLER_Z
236 // but Z does not follow X, so error
237 Uart.state = STATE_ERROR_WAIT;
238 error = 0x03;
239 }
240 if(Uart.drop == DROP_SECOND_HALF) {
241 // We see a '1' and stay in state X
242 Uart.shiftReg |= 0x100;
243 Uart.bitCnt++;
244 }
245 break;
246
247 case STATE_MILLER_Y:
248 Uart.bitCnt++;
249 Uart.shiftReg >>= 1;
250 if(Uart.drop == DROP_NONE) {
251 // logic '0' followed by sequence Y
252 // end of communication
253 Uart.state = STATE_UNSYNCD;
254 EOC = TRUE;
255 }
256 if(Uart.drop == DROP_FIRST_HALF) {
257 // we see a '0'
258 Uart.state = STATE_MILLER_Z;
259 }
260 if(Uart.drop == DROP_SECOND_HALF) {
261 // We see a '1' and go to state X
262 Uart.shiftReg |= 0x100;
263 Uart.state = STATE_MILLER_X;
264 }
265 break;
266
267 case STATE_ERROR_WAIT:
268 // That went wrong. Now wait for at least two bit periods
269 // and try to sync again
270 if(Uart.drop == DROP_NONE) {
271 Uart.highCnt = 6;
272 Uart.state = STATE_UNSYNCD;
273 }
274 break;
275
276 default:
277 Uart.state = STATE_UNSYNCD;
278 Uart.highCnt = 0;
279 break;
280 }
281
282 Uart.drop = DROP_NONE;
283
284 // should have received at least one whole byte...
285 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
286 return TRUE;
287 }
288
289 if(Uart.bitCnt == 9) {
290 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
291 Uart.byteCnt++;
292
293 Uart.parityBits <<= 1;
294 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
295
296 if(EOC) {
297 // when End of Communication received and
298 // all data bits processed..
299 return TRUE;
300 }
301 Uart.bitCnt = 0;
302 }
303
304 /*if(error) {
305 Uart.output[Uart.byteCnt] = 0xAA;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = error & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 return TRUE;
320 }*/
321 }
322
323 }
324 else {
325 bit = Uart.bitBuffer & 0xf0;
326 bit >>= 4;
327 bit ^= 0x0F;
328 if(bit) {
329 // should have been high or at least (4 * 128) / fc
330 // according to ISO this should be at least (9 * 128 + 20) / fc
331 if(Uart.highCnt == 8) {
332 // we went low, so this could be start of communication
333 // it turns out to be safer to choose a less significant
334 // syncbit... so we check whether the neighbour also represents the drop
335 Uart.posCnt = 1; // apparently we are busy with our first half bit period
336 Uart.syncBit = bit & 8;
337 Uart.samples = 3;
338 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
339 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
340 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
341 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
343 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
344 Uart.syncBit = 8;
345
346 // the first half bit period is expected in next sample
347 Uart.posCnt = 0;
348 Uart.samples = 3;
349 }
350 }
351 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
352
353 Uart.syncBit <<= 4;
354 Uart.state = STATE_START_OF_COMMUNICATION;
355 Uart.drop = DROP_FIRST_HALF;
356 Uart.bitCnt = 0;
357 Uart.byteCnt = 0;
358 Uart.parityBits = 0;
359 error = 0;
360 }
361 else {
362 Uart.highCnt = 0;
363 }
364 }
365 else {
366 if(Uart.highCnt < 8) {
367 Uart.highCnt++;
368 }
369 }
370 }
371
372 return FALSE;
373}
374
375//=============================================================================
376// ISO 14443 Type A - Manchester
377//=============================================================================
378
379static struct {
380 enum {
381 DEMOD_UNSYNCD,
382 DEMOD_START_OF_COMMUNICATION,
383 DEMOD_MANCHESTER_D,
384 DEMOD_MANCHESTER_E,
385 DEMOD_MANCHESTER_F,
386 DEMOD_ERROR_WAIT
387 } state;
388 int bitCount;
389 int posCount;
390 int syncBit;
391 int parityBits;
f7e3ed82 392 uint16_t shiftReg;
15c4dc5a 393 int buffer;
394 int buff;
395 int samples;
396 int len;
397 enum {
398 SUB_NONE,
399 SUB_FIRST_HALF,
400 SUB_SECOND_HALF
401 } sub;
f7e3ed82 402 uint8_t *output;
15c4dc5a 403} Demod;
404
f7e3ed82 405static int ManchesterDecoding(int v)
15c4dc5a 406{
407 int bit;
408 int modulation;
409 int error = 0;
410
411 if(!Demod.buff) {
412 Demod.buff = 1;
413 Demod.buffer = v;
414 return FALSE;
415 }
416 else {
417 bit = Demod.buffer;
418 Demod.buffer = v;
419 }
420
421 if(Demod.state==DEMOD_UNSYNCD) {
422 Demod.output[Demod.len] = 0xfa;
423 Demod.syncBit = 0;
424 //Demod.samples = 0;
425 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
426 if(bit & 0x08) { Demod.syncBit = 0x08; }
427 if(!Demod.syncBit) {
428 if(bit & 0x04) { Demod.syncBit = 0x04; }
429 }
430 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
431 if(!Demod.syncBit) {
432 if(bit & 0x02) { Demod.syncBit = 0x02; }
433 }
434 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
435 if(!Demod.syncBit) {
436 if(bit & 0x01) { Demod.syncBit = 0x01; }
437
438 if(Demod.syncBit & (Demod.buffer & 0x08)) {
439 Demod.syncBit = 0x08;
440
441 // The first half bitperiod is expected in next sample
442 Demod.posCount = 0;
443 Demod.output[Demod.len] = 0xfb;
444 }
445 }
446 else if(bit & 0x01) { Demod.syncBit = 0x01; }
447
448 if(Demod.syncBit) {
449 Demod.len = 0;
450 Demod.state = DEMOD_START_OF_COMMUNICATION;
451 Demod.sub = SUB_FIRST_HALF;
452 Demod.bitCount = 0;
453 Demod.shiftReg = 0;
454 Demod.parityBits = 0;
455 Demod.samples = 0;
456 if(Demod.posCount) {
457 switch(Demod.syncBit) {
458 case 0x08: Demod.samples = 3; break;
459 case 0x04: Demod.samples = 2; break;
460 case 0x02: Demod.samples = 1; break;
461 case 0x01: Demod.samples = 0; break;
462 }
463 }
464 error = 0;
465 }
466 }
467 else {
468 //modulation = bit & Demod.syncBit;
469 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
470
471 Demod.samples += 4;
472
473 if(Demod.posCount==0) {
474 Demod.posCount = 1;
475 if(modulation) {
476 Demod.sub = SUB_FIRST_HALF;
477 }
478 else {
479 Demod.sub = SUB_NONE;
480 }
481 }
482 else {
483 Demod.posCount = 0;
484 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
485 if(Demod.state!=DEMOD_ERROR_WAIT) {
486 Demod.state = DEMOD_ERROR_WAIT;
487 Demod.output[Demod.len] = 0xaa;
488 error = 0x01;
489 }
490 }
491 else if(modulation) {
492 Demod.sub = SUB_SECOND_HALF;
493 }
494
495 switch(Demod.state) {
496 case DEMOD_START_OF_COMMUNICATION:
497 if(Demod.sub == SUB_FIRST_HALF) {
498 Demod.state = DEMOD_MANCHESTER_D;
499 }
500 else {
501 Demod.output[Demod.len] = 0xab;
502 Demod.state = DEMOD_ERROR_WAIT;
503 error = 0x02;
504 }
505 break;
506
507 case DEMOD_MANCHESTER_D:
508 case DEMOD_MANCHESTER_E:
509 if(Demod.sub == SUB_FIRST_HALF) {
510 Demod.bitCount++;
511 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
512 Demod.state = DEMOD_MANCHESTER_D;
513 }
514 else if(Demod.sub == SUB_SECOND_HALF) {
515 Demod.bitCount++;
516 Demod.shiftReg >>= 1;
517 Demod.state = DEMOD_MANCHESTER_E;
518 }
519 else {
520 Demod.state = DEMOD_MANCHESTER_F;
521 }
522 break;
523
524 case DEMOD_MANCHESTER_F:
525 // Tag response does not need to be a complete byte!
526 if(Demod.len > 0 || Demod.bitCount > 0) {
527 if(Demod.bitCount > 0) {
528 Demod.shiftReg >>= (9 - Demod.bitCount);
529 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
530 Demod.len++;
531 // No parity bit, so just shift a 0
532 Demod.parityBits <<= 1;
533 }
534
535 Demod.state = DEMOD_UNSYNCD;
536 return TRUE;
537 }
538 else {
539 Demod.output[Demod.len] = 0xad;
540 Demod.state = DEMOD_ERROR_WAIT;
541 error = 0x03;
542 }
543 break;
544
545 case DEMOD_ERROR_WAIT:
546 Demod.state = DEMOD_UNSYNCD;
547 break;
548
549 default:
550 Demod.output[Demod.len] = 0xdd;
551 Demod.state = DEMOD_UNSYNCD;
552 break;
553 }
554
555 if(Demod.bitCount>=9) {
556 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
557 Demod.len++;
558
559 Demod.parityBits <<= 1;
560 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
561
562 Demod.bitCount = 0;
563 Demod.shiftReg = 0;
564 }
565
566 /*if(error) {
567 Demod.output[Demod.len] = 0xBB;
568 Demod.len++;
569 Demod.output[Demod.len] = error & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = 0xBB;
572 Demod.len++;
573 Demod.output[Demod.len] = bit & 0xFF;
574 Demod.len++;
575 Demod.output[Demod.len] = Demod.buffer & 0xFF;
576 Demod.len++;
577 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
578 Demod.len++;
579 Demod.output[Demod.len] = 0xBB;
580 Demod.len++;
581 return TRUE;
582 }*/
583
584 }
585
586 } // end (state != UNSYNCED)
587
588 return FALSE;
589}
590
591//=============================================================================
592// Finally, a `sniffer' for ISO 14443 Type A
593// Both sides of communication!
594//=============================================================================
595
596//-----------------------------------------------------------------------------
597// Record the sequence of commands sent by the reader to the tag, with
598// triggering so that we start recording at the point that the tag is moved
599// near the reader.
600//-----------------------------------------------------------------------------
601void SnoopIso14443a(void)
602{
603// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
604// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
605// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
606// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
607// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
608
609 // We won't start recording the frames that we acquire until we trigger;
610 // a good trigger condition to get started is probably when we see a
611 // response from the tag.
7e758047 612 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 613
614 // The command (reader -> tag) that we're receiving.
615 // The length of a received command will in most cases be no more than 18 bytes.
616 // So 32 should be enough!
f7e3ed82 617 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 618 // The response (tag -> reader) that we're receiving.
f7e3ed82 619 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 620
621 // As we receive stuff, we copy it from receivedCmd or receivedResponse
622 // into trace, along with its length and other annotations.
f7e3ed82 623 //uint8_t *trace = (uint8_t *)BigBuf;
15c4dc5a 624 //int traceLen = 0;
625
626 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 627 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 628 int lastRxCounter;
f7e3ed82 629 int8_t *upTo;
15c4dc5a 630 int smpl;
631 int maxBehindBy = 0;
632
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 int samples = 0;
636 int rsamples = 0;
637
638 memset(trace, 0x44, RECV_CMD_OFFSET);
639
640 // Set up the demodulator for tag -> reader responses.
641 Demod.output = receivedResponse;
642 Demod.len = 0;
643 Demod.state = DEMOD_UNSYNCD;
644
7e758047 645 // Setup for the DMA.
646 FpgaSetupSsc();
647 upTo = dmaBuf;
648 lastRxCounter = DMA_BUFFER_SIZE;
649 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
650
15c4dc5a 651 // And the reader -> tag commands
652 memset(&Uart, 0, sizeof(Uart));
653 Uart.output = receivedCmd;
654 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
655 Uart.state = STATE_UNSYNCD;
656
657 // And put the FPGA in the appropriate mode
658 // Signal field is off with the appropriate LED
659 LED_D_OFF();
660 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
661 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
662
15c4dc5a 663
664 // And now we loop, receiving samples.
665 for(;;) {
7e758047 666 LED_A_ON();
667 WDT_HIT();
15c4dc5a 668 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
669 (DMA_BUFFER_SIZE-1);
670 if(behindBy > maxBehindBy) {
671 maxBehindBy = behindBy;
672 if(behindBy > 400) {
7e758047 673 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 674 goto done;
675 }
676 }
677 if(behindBy < 1) continue;
678
7e758047 679 LED_A_OFF();
15c4dc5a 680 smpl = upTo[0];
681 upTo++;
682 lastRxCounter -= 1;
683 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
684 upTo -= DMA_BUFFER_SIZE;
685 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 686 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 687 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
688 }
689
690 samples += 4;
7e758047 691 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 692 rsamples = samples - Uart.samples;
72934aa3 693 LED_C_ON();
7e758047 694 if(triggered) {
695 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 696 trace[traceLen++] = ((rsamples >> 8) & 0xff);
697 trace[traceLen++] = ((rsamples >> 16) & 0xff);
698 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 699 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
700 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
701 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
702 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 703 trace[traceLen++] = Uart.byteCnt;
704 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
705 traceLen += Uart.byteCnt;
706 if(traceLen > TRACE_LENGTH) break;
707 }
708 /* And ready to receive another command. */
709 Uart.state = STATE_UNSYNCD;
710 /* And also reset the demod code, which might have been */
711 /* false-triggered by the commands from the reader. */
712 Demod.state = DEMOD_UNSYNCD;
7e758047 713 LED_B_OFF();
15c4dc5a 714 }
7e758047 715
716 if(ManchesterDecoding(smpl & 0x0F)) {
717 rsamples = samples - Demod.samples;
718 LED_B_ON();
719
720 // timestamp, as a count of samples
721 trace[traceLen++] = ((rsamples >> 0) & 0xff);
722 trace[traceLen++] = ((rsamples >> 8) & 0xff);
723 trace[traceLen++] = ((rsamples >> 16) & 0xff);
724 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
725 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
726 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
727 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
728 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
729 // length
730 trace[traceLen++] = Demod.len;
731 memcpy(trace+traceLen, receivedResponse, Demod.len);
732 traceLen += Demod.len;
733 if(traceLen > TRACE_LENGTH) break;
734
735 triggered = TRUE;
15c4dc5a 736
737 // And ready to receive another response.
738 memset(&Demod, 0, sizeof(Demod));
739 Demod.output = receivedResponse;
740 Demod.state = DEMOD_UNSYNCD;
7e758047 741 LED_C_OFF();
742 }
15c4dc5a 743
744 if(BUTTON_PRESS()) {
745 DbpString("cancelled_a");
746 goto done;
747 }
748 }
749
750 DbpString("COMMAND FINISHED");
751
752 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
753 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
754
755done:
756 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
757 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
758 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
759 LED_A_OFF();
760 LED_B_OFF();
761 LED_C_OFF();
762 LED_D_OFF();
763}
764
15c4dc5a 765//-----------------------------------------------------------------------------
766// Prepare tag messages
767//-----------------------------------------------------------------------------
f7e3ed82 768static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 769{
770 int i;
771 int oddparity;
772
773 ToSendReset();
774
775 // Correction bit, might be removed when not needed
776 ToSendStuffBit(0);
777 ToSendStuffBit(0);
778 ToSendStuffBit(0);
779 ToSendStuffBit(0);
780 ToSendStuffBit(1); // 1
781 ToSendStuffBit(0);
782 ToSendStuffBit(0);
783 ToSendStuffBit(0);
784
785 // Send startbit
72934aa3 786 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 787
788 for(i = 0; i < len; i++) {
789 int j;
f7e3ed82 790 uint8_t b = cmd[i];
15c4dc5a 791
792 // Data bits
793 oddparity = 0x01;
794 for(j = 0; j < 8; j++) {
795 oddparity ^= (b & 1);
796 if(b & 1) {
72934aa3 797 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 798 } else {
72934aa3 799 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 800 }
801 b >>= 1;
802 }
803
804 // Parity bit
805 if(oddparity) {
72934aa3 806 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 807 } else {
72934aa3 808 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 809 }
810 }
811
812 // Send stopbit
72934aa3 813 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 814
815 // Flush the buffer in FPGA!!
816 for(i = 0; i < 5; i++) {
72934aa3 817 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 818 }
819
820 // Convert from last byte pos to length
821 ToSendMax++;
822
823 // Add a few more for slop
824 ToSend[ToSendMax++] = 0x00;
825 ToSend[ToSendMax++] = 0x00;
826 //ToSendMax += 2;
827}
828
829//-----------------------------------------------------------------------------
830// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
831//-----------------------------------------------------------------------------
832static void CodeStrangeAnswer()
833{
834 int i;
835
836 ToSendReset();
837
838 // Correction bit, might be removed when not needed
839 ToSendStuffBit(0);
840 ToSendStuffBit(0);
841 ToSendStuffBit(0);
842 ToSendStuffBit(0);
843 ToSendStuffBit(1); // 1
844 ToSendStuffBit(0);
845 ToSendStuffBit(0);
846 ToSendStuffBit(0);
847
848 // Send startbit
72934aa3 849 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 850
851 // 0
72934aa3 852 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 853
854 // 0
72934aa3 855 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 856
857 // 1
72934aa3 858 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 859
860 // Send stopbit
72934aa3 861 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 862
863 // Flush the buffer in FPGA!!
864 for(i = 0; i < 5; i++) {
72934aa3 865 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 866 }
867
868 // Convert from last byte pos to length
869 ToSendMax++;
870
871 // Add a few more for slop
872 ToSend[ToSendMax++] = 0x00;
873 ToSend[ToSendMax++] = 0x00;
874 //ToSendMax += 2;
875}
876
877//-----------------------------------------------------------------------------
878// Wait for commands from reader
879// Stop when button is pressed
880// Or return TRUE when command is captured
881//-----------------------------------------------------------------------------
f7e3ed82 882static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 883{
884 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
885 // only, since we are receiving, not transmitting).
886 // Signal field is off with the appropriate LED
887 LED_D_OFF();
888 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
889
890 // Now run a `software UART' on the stream of incoming samples.
891 Uart.output = received;
892 Uart.byteCntMax = maxLen;
893 Uart.state = STATE_UNSYNCD;
894
895 for(;;) {
896 WDT_HIT();
897
898 if(BUTTON_PRESS()) return FALSE;
899
900 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
901 AT91C_BASE_SSC->SSC_THR = 0x00;
902 }
903 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 904 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 905 if(MillerDecoding((b & 0xf0) >> 4)) {
906 *len = Uart.byteCnt;
907 return TRUE;
908 }
909 if(MillerDecoding(b & 0x0f)) {
910 *len = Uart.byteCnt;
911 return TRUE;
912 }
913 }
914 }
915}
916
917//-----------------------------------------------------------------------------
918// Main loop of simulated tag: receive commands from reader, decide what
919// response to send, and send it.
920//-----------------------------------------------------------------------------
921void SimulateIso14443aTag(int tagType, int TagUid)
922{
923 // This function contains the tag emulation
924
925 // Prepare protocol messages
f7e3ed82 926 // static const uint8_t cmd1[] = { 0x26 };
927// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 928//
f7e3ed82 929 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
930// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 931
932 // UID response
f7e3ed82 933 // static const uint8_t cmd2[] = { 0x93, 0x20 };
934 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 935
15c4dc5a 936// my desfire
f7e3ed82 937 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 938
939
940// When reader selects us during cascade1 it will send cmd3
f7e3ed82 941//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
942uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 943ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
944
945// send cascade2 2nd half of UID
f7e3ed82 946static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 947// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
948
15c4dc5a 949// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 950//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
951uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 952ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
953
f7e3ed82 954 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 955
f7e3ed82 956 uint8_t *resp;
15c4dc5a 957 int respLen;
958
959 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
960 // This will need
961 // 144 data bits (18 * 8)
962 // 18 parity bits
963 // 2 Start and stop
964 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
965 // 1 just for the case
966 // ----------- +
967 // 166
968 //
969 // 166 bytes, since every bit that needs to be send costs us a byte
970 //
971
15c4dc5a 972 // Respond with card type
f7e3ed82 973 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 974 int resp1Len;
975
976 // Anticollision cascade1 - respond with uid
f7e3ed82 977 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 978 int resp2Len;
979
980 // Anticollision cascade2 - respond with 2nd half of uid if asked
981 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 982 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 983 int resp2aLen;
984
985 // Acknowledge select - cascade 1
f7e3ed82 986 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 987 int resp3Len;
988
989 // Acknowledge select - cascade 2
f7e3ed82 990 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 991 int resp3aLen;
992
993 // Response to a read request - not implemented atm
f7e3ed82 994 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 995 int resp4Len;
996
997 // Authenticate response - nonce
f7e3ed82 998 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 999 int resp5Len;
1000
f7e3ed82 1001 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1002 int len;
1003
1004 int i;
1005 int u;
f7e3ed82 1006 uint8_t b;
15c4dc5a 1007
1008 // To control where we are in the protocol
1009 int order = 0;
1010 int lastorder;
1011
1012 // Just to allow some checks
1013 int happened = 0;
1014 int happened2 = 0;
1015
1016 int cmdsRecvd = 0;
1017
f7e3ed82 1018 int fdt_indicator;
15c4dc5a 1019
1020 memset(receivedCmd, 0x44, 400);
1021
1022 // Prepare the responses of the anticollision phase
1023 // there will be not enough time to do this at the moment the reader sends it REQA
1024
1025 // Answer to request
1026 CodeIso14443aAsTag(response1, sizeof(response1));
1027 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1028
1029 // Send our UID (cascade 1)
1030 CodeIso14443aAsTag(response2, sizeof(response2));
1031 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1032
1033 // Answer to select (cascade1)
1034 CodeIso14443aAsTag(response3, sizeof(response3));
1035 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1036
1037 // Send the cascade 2 2nd part of the uid
1038 CodeIso14443aAsTag(response2a, sizeof(response2a));
1039 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1040
1041 // Answer to select (cascade 2)
1042 CodeIso14443aAsTag(response3a, sizeof(response3a));
1043 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1044
1045 // Strange answer is an example of rare message size (3 bits)
1046 CodeStrangeAnswer();
1047 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1048
1049 // Authentication answer (random nonce)
1050 CodeIso14443aAsTag(response5, sizeof(response5));
1051 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1052
1053 // We need to listen to the high-frequency, peak-detected path.
1054 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1055 FpgaSetupSsc();
1056
1057 cmdsRecvd = 0;
1058
1059 LED_A_ON();
1060 for(;;) {
1061
1062 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1063 DbpString("button press");
1064 break;
1065 }
1066 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1067 // Okay, look at the command now.
1068 lastorder = order;
1069 i = 1; // first byte transmitted
1070 if(receivedCmd[0] == 0x26) {
1071 // Received a REQUEST
1072 resp = resp1; respLen = resp1Len; order = 1;
1073 //DbpString("Hello request from reader:");
1074 } else if(receivedCmd[0] == 0x52) {
1075 // Received a WAKEUP
1076 resp = resp1; respLen = resp1Len; order = 6;
1077// //DbpString("Wakeup request from reader:");
1078
1079 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1080 // Received request for UID (cascade 1)
1081 resp = resp2; respLen = resp2Len; order = 2;
1082// DbpString("UID (cascade 1) request from reader:");
1083// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1084
1085
1086 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1087 // Received request for UID (cascade 2)
1088 resp = resp2a; respLen = resp2aLen; order = 20;
1089// DbpString("UID (cascade 2) request from reader:");
1090// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1091
1092
1093 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1094 // Received a SELECT
1095 resp = resp3; respLen = resp3Len; order = 3;
1096// DbpString("Select (cascade 1) request from reader:");
1097// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1098
1099
1100 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1101 // Received a SELECT
1102 resp = resp3a; respLen = resp3aLen; order = 30;
1103// DbpString("Select (cascade 2) request from reader:");
1104// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1105
1106
1107 } else if(receivedCmd[0] == 0x30) {
1108 // Received a READ
1109 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1110 Dbprintf("Read request from reader: %x %x %x",
1111 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1112
1113
1114 } else if(receivedCmd[0] == 0x50) {
1115 // Received a HALT
1116 resp = resp1; respLen = 0; order = 5; // Do nothing
1117 DbpString("Reader requested we HALT!:");
1118
1119 } else if(receivedCmd[0] == 0x60) {
1120 // Received an authentication request
1121 resp = resp5; respLen = resp5Len; order = 7;
1122 Dbprintf("Authenticate request from reader: %x %x %x",
1123 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124
1125 } else if(receivedCmd[0] == 0xE0) {
1126 // Received a RATS request
1127 resp = resp1; respLen = 0;order = 70;
1128 Dbprintf("RATS request from reader: %x %x %x",
1129 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1130 } else {
1131 // Never seen this command before
1132 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1133 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1134 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1135 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1136 // Do not respond
1137 resp = resp1; respLen = 0; order = 0;
1138 }
1139
1140 // Count number of wakeups received after a halt
1141 if(order == 6 && lastorder == 5) { happened++; }
1142
1143 // Count number of other messages after a halt
1144 if(order != 6 && lastorder == 5) { happened2++; }
1145
1146 // Look at last parity bit to determine timing of answer
1147 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1148 // 1236, so correction bit needed
1149 i = 0;
1150 }
1151
1152 memset(receivedCmd, 0x44, 32);
1153
1154 if(cmdsRecvd > 999) {
1155 DbpString("1000 commands later...");
1156 break;
1157 }
1158 else {
1159 cmdsRecvd++;
1160 }
1161
1162 if(respLen <= 0) continue;
1163
1164 // Modulate Manchester
1165 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1166 AT91C_BASE_SSC->SSC_THR = 0x00;
1167 FpgaSetupSsc();
1168
1169 // ### Transmit the response ###
1170 u = 0;
1171 b = 0x00;
1172 fdt_indicator = FALSE;
1173 for(;;) {
1174 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1175 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1176 (void)b;
1177 }
1178 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1179 if(i > respLen) {
1180 b = 0x00;
1181 u++;
1182 } else {
1183 b = resp[i];
1184 i++;
1185 }
1186 AT91C_BASE_SSC->SSC_THR = b;
1187
1188 if(u > 4) {
1189 break;
1190 }
1191 }
1192 if(BUTTON_PRESS()) {
1193 break;
1194 }
1195 }
1196
1197 }
1198
1199 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1200 LED_A_OFF();
1201}
1202
1203//-----------------------------------------------------------------------------
1204// Transmit the command (to the tag) that was placed in ToSend[].
1205//-----------------------------------------------------------------------------
f7e3ed82 1206static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1207{
1208 int c;
e30c654b 1209
15c4dc5a 1210 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1211
15c4dc5a 1212 if (wait)
1213 if(*wait < 10)
1214 *wait = 10;
e30c654b 1215
15c4dc5a 1216 for(c = 0; c < *wait;) {
1217 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1218 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1219 c++;
1220 }
1221 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1222 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1223 (void)r;
1224 }
1225 WDT_HIT();
1226 }
e30c654b 1227
15c4dc5a 1228 c = 0;
1229 for(;;) {
1230 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1231 AT91C_BASE_SSC->SSC_THR = cmd[c];
1232 c++;
1233 if(c >= len) {
1234 break;
1235 }
1236 }
1237 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1238 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1239 (void)r;
1240 }
1241 WDT_HIT();
1242 }
1243 if (samples) *samples = (c + *wait) << 3;
1244}
1245
15c4dc5a 1246//-----------------------------------------------------------------------------
1247// Code a 7-bit command without parity bit
1248// This is especially for 0x26 and 0x52 (REQA and WUPA)
1249//-----------------------------------------------------------------------------
f7e3ed82 1250void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1251{
1252 int j;
1253 int last;
f7e3ed82 1254 uint8_t b;
15c4dc5a 1255
1256 ToSendReset();
1257
1258 // Start of Communication (Seq. Z)
72934aa3 1259 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1260 last = 0;
1261
1262 b = bt;
1263 for(j = 0; j < 7; j++) {
1264 if(b & 1) {
1265 // Sequence X
72934aa3 1266 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1267 last = 1;
1268 } else {
1269 if(last == 0) {
1270 // Sequence Z
72934aa3 1271 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1272 }
1273 else {
1274 // Sequence Y
72934aa3 1275 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1276 last = 0;
1277 }
1278 }
1279 b >>= 1;
1280 }
1281
1282 // End of Communication
1283 if(last == 0) {
1284 // Sequence Z
72934aa3 1285 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1286 }
1287 else {
1288 // Sequence Y
72934aa3 1289 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1290 last = 0;
1291 }
1292 // Sequence Y
72934aa3 1293 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1294
1295 // Just to be sure!
72934aa3 1296 ToSend[++ToSendMax] = SEC_Y;
1297 ToSend[++ToSendMax] = SEC_Y;
1298 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1299
1300 // Convert from last character reference to length
1301 ToSendMax++;
1302}
1303
1304//-----------------------------------------------------------------------------
1305// Prepare reader command to send to FPGA
e30c654b 1306//
15c4dc5a 1307//-----------------------------------------------------------------------------
f7e3ed82 1308void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1309{
1310 int i, j;
1311 int last;
f7e3ed82 1312 uint8_t b;
e30c654b 1313
15c4dc5a 1314 ToSendReset();
e30c654b 1315
15c4dc5a 1316 // Start of Communication (Seq. Z)
72934aa3 1317 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1318 last = 0;
e30c654b 1319
15c4dc5a 1320 // Generate send structure for the data bits
1321 for (i = 0; i < len; i++) {
1322 // Get the current byte to send
1323 b = cmd[i];
e30c654b 1324
15c4dc5a 1325 for (j = 0; j < 8; j++) {
1326 if (b & 1) {
1327 // Sequence X
72934aa3 1328 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1329 last = 1;
1330 } else {
1331 if (last == 0) {
1332 // Sequence Z
72934aa3 1333 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1334 } else {
1335 // Sequence Y
72934aa3 1336 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1337 last = 0;
1338 }
1339 }
1340 b >>= 1;
1341 }
e30c654b 1342
15c4dc5a 1343 // Get the parity bit
1344 if ((dwParity >> i) & 0x01) {
1345 // Sequence X
72934aa3 1346 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1347 last = 1;
1348 } else {
1349 if (last == 0) {
1350 // Sequence Z
72934aa3 1351 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1352 } else {
1353 // Sequence Y
72934aa3 1354 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1355 last = 0;
1356 }
1357 }
1358 }
e30c654b 1359
15c4dc5a 1360 // End of Communication
1361 if (last == 0) {
1362 // Sequence Z
72934aa3 1363 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1364 } else {
1365 // Sequence Y
72934aa3 1366 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1367 last = 0;
1368 }
1369 // Sequence Y
72934aa3 1370 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1371
15c4dc5a 1372 // Just to be sure!
72934aa3 1373 ToSend[++ToSendMax] = SEC_Y;
1374 ToSend[++ToSendMax] = SEC_Y;
1375 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1376
15c4dc5a 1377 // Convert from last character reference to length
1378 ToSendMax++;
1379}
1380
1381//-----------------------------------------------------------------------------
1382// Wait a certain time for tag response
1383// If a response is captured return TRUE
1384// If it takes to long return FALSE
1385//-----------------------------------------------------------------------------
f7e3ed82 1386static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1387{
1388 // buffer needs to be 512 bytes
1389 int c;
1390
1391 // Set FPGA mode to "reader listen mode", no modulation (listen
1392 // only, since we are receiving, not transmitting).
1393 // Signal field is on with the appropriate LED
1394 LED_D_ON();
1395 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1396
1397 // Now get the answer from the card
1398 Demod.output = receivedResponse;
1399 Demod.len = 0;
1400 Demod.state = DEMOD_UNSYNCD;
1401
f7e3ed82 1402 uint8_t b;
15c4dc5a 1403 if (elapsed) *elapsed = 0;
1404
1405 c = 0;
1406 for(;;) {
1407 WDT_HIT();
1408
1409 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1410 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1411 if (elapsed) (*elapsed)++;
1412 }
1413 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
7e758047 1414 if(c < 2048) { c++; } else { return FALSE; }
f7e3ed82 1415 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1416 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1417 *samples = ((c - 1) << 3) + 4;
1418 return TRUE;
1419 }
1420 if(ManchesterDecoding(b & 0x0f)) {
1421 *samples = c << 3;
1422 return TRUE;
1423 }
1424 }
1425 }
1426}
1427
f7e3ed82 1428void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1429{
1430 int wait = 0;
1431 int samples = 0;
1432
1433 ShortFrameFromReader(*bt);
e30c654b 1434
15c4dc5a 1435 // Select the card
e30c654b 1436 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1437
15c4dc5a 1438 // Store reader command in buffer
1439 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1440}
1441
f7e3ed82 1442void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1443{
1444 int wait = 0;
1445 int samples = 0;
e30c654b 1446
15c4dc5a 1447 // This is tied to other size changes
f7e3ed82 1448 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1449 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1450
15c4dc5a 1451 // Select the card
e30c654b 1452 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1453
15c4dc5a 1454 // Store reader command in buffer
1455 if (tracing) LogTrace(frame,len,0,par,TRUE);
1456}
1457
1458
f7e3ed82 1459void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1460{
1461 // Generate parity and redirect
1462 ReaderTransmitPar(frame,len,GetParity(frame,len));
1463}
1464
f7e3ed82 1465int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1466{
1467 int samples = 0;
1468 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1469 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1470 if(samples == 0) return FALSE;
1471 return Demod.len;
15c4dc5a 1472}
1473
7e758047 1474/* performs iso14443a anticolision procedure
1475 * fills the uid pointer */
1476int iso14443a_select_card(uint8_t * uid_ptr) {
f7e3ed82 1477 uint8_t wupa[] = { 0x52 };
1478 uint8_t sel_all[] = { 0x93,0x20 };
1479 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1480 uint8_t sel_all_c2[] = { 0x95,0x20 };
1481 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1482 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1483
7e758047 1484 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1485 uint8_t* uid = resp + 7;
15c4dc5a 1486
7e758047 1487 int len;
15c4dc5a 1488
7e758047 1489 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1490 ReaderTransmitShort(wupa);
1491 // Receive the ATQA
1492 if(!ReaderReceive(resp)) return 0;
1493 // if(*(uint16_t *) resp == 0x4403) MIFARE_CLASSIC
1494 // if(*(uint16_t *) resp == 0x0400) MIFARE_DESFIRE
15c4dc5a 1495
7e758047 1496 ReaderTransmit(sel_all,sizeof(sel_all)); // SELECT_ALL
1497 if(!ReaderReceive(uid)) return 0;
15c4dc5a 1498
7e758047 1499 // Construct SELECT UID command
1500 // First copy the 5 bytes (Mifare Classic) after the 93 70
1501 memcpy(sel_uid+2,uid,5);
1502 // Secondly compute the two CRC bytes at the end
1503 AppendCrc14443a(sel_uid,7);
15c4dc5a 1504
7e758047 1505 ReaderTransmit(sel_uid,sizeof(sel_uid));
1506 // Receive the SAK
1507 if (!ReaderReceive(resp)) return 0;
e30c654b 1508
7e758047 1509 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1510 // which case we need to make a cascade 2 request and select - this is a long UID
1511 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1512 if (resp[0] &= 0x04)
1513 {
1514 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1515 if (!ReaderReceive(uid+5)) return 0;
e30c654b 1516
7e758047 1517 // Construct SELECT UID command
1518 memcpy(sel_uid_c2+2,uid+5,5);
1519 AppendCrc14443a(sel_uid_c2,7);
1520 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1521 // Receive the SAK
1522 if (!ReaderReceive(resp)) return 0;
1523 }
1524 if(uid_ptr) memcpy(uid_ptr, uid, 10);
1525 if( (resp[0] & 0x20) == 0)
1526 return 2; // non iso14443a compliant tag
1527 // Request for answer to select
1528 AppendCrc14443a(rats, 2);
1529 ReaderTransmit(rats, sizeof(rats));
1530 if (!(len = ReaderReceive(resp))) return 0;
1531 return 1;
1532}
15c4dc5a 1533
7e758047 1534void iso14443a_setup() {
1535 // Setup SSC
1536 FpgaSetupSsc();
1537 // Start from off (no field generated)
1538 // Signal field is off with the appropriate LED
1539 LED_D_OFF();
1540 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1541 SpinDelay(200);
15c4dc5a 1542
7e758047 1543 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1544
7e758047 1545 // Now give it time to spin up.
1546 // Signal field is on with the appropriate LED
1547 LED_D_ON();
1548 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1549 SpinDelay(200);
1550}
15c4dc5a 1551
7e758047 1552//-----------------------------------------------------------------------------
1553// Read an ISO 14443a tag. Send out commands and store answers.
1554//
1555//-----------------------------------------------------------------------------
1556void ReaderIso14443a(uint32_t parameter)
1557{
e30c654b 1558
7e758047 1559 // Mifare AUTH
1560 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1561// uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
15c4dc5a 1562
7e758047 1563 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1564 traceLen = 0;
e30c654b 1565
7e758047 1566 iso14443a_setup();
e30c654b 1567
7e758047 1568 LED_A_ON();
1569 LED_B_OFF();
1570 LED_C_OFF();
e30c654b 1571
7e758047 1572 while(traceLen < TRACE_LENGTH)
1573 {
1574 // Test if the action was cancelled
1575 if(BUTTON_PRESS()) break;
e30c654b 1576
7e758047 1577 if(!iso14443a_select_card(NULL)) {
1578 DbpString("iso14443a setup failed");
1579 break;
15c4dc5a 1580 }
1581
7e758047 1582 // Transmit MIFARE_CLASSIC_AUTH
1583 ReaderTransmit(mf_auth,sizeof(mf_auth));
15c4dc5a 1584
7e758047 1585 // Receive the (16 bit) "random" nonce
1586 if (!ReaderReceive(receivedAnswer)) continue;
15c4dc5a 1587 }
1588
7e758047 1589 // Thats it...
15c4dc5a 1590 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1591 LEDsoff();
1592 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1593 DbpString("ready..");
1594}
1595
1596//-----------------------------------------------------------------------------
1597// Read an ISO 14443a tag. Send out commands and store answers.
1598//
1599//-----------------------------------------------------------------------------
f7e3ed82 1600void ReaderMifare(uint32_t parameter)
15c4dc5a 1601{
15c4dc5a 1602 // Mifare AUTH
f7e3ed82 1603 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1604 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1605
f7e3ed82 1606 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1607 traceLen = 0;
1608 tracing = false;
e30c654b 1609
7e758047 1610 iso14443a_setup();
e30c654b 1611
15c4dc5a 1612 LED_A_ON();
1613 LED_B_OFF();
1614 LED_C_OFF();
e30c654b 1615
15c4dc5a 1616 byte_t nt_diff = 0;
1617 LED_A_OFF();
1618 byte_t par = 0;
1619 byte_t par_mask = 0xff;
1620 byte_t par_low = 0;
f7e3ed82 1621 int led_on = TRUE;
e30c654b 1622
15c4dc5a 1623 tracing = FALSE;
1624 byte_t nt[4];
1625 byte_t nt_attacked[4];
1626 byte_t par_list[8];
1627 byte_t ks_list[8];
1628 num_to_bytes(parameter,4,nt_attacked);
1629
1630 while(TRUE)
1631 {
1632 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1633 SpinDelay(200);
1634 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1635
15c4dc5a 1636 // Test if the action was cancelled
1637 if(BUTTON_PRESS()) {
1638 break;
1639 }
e30c654b 1640
7e758047 1641 if(!iso14443a_select_card(NULL)) continue;
e30c654b 1642
15c4dc5a 1643 // Transmit MIFARE_CLASSIC_AUTH
1644 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1645
15c4dc5a 1646 // Receive the (16 bit) "random" nonce
1647 if (!ReaderReceive(receivedAnswer)) continue;
1648 memcpy(nt,receivedAnswer,4);
1649
1650 // Transmit reader nonce and reader answer
1651 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1652
15c4dc5a 1653 // Receive 4 bit answer
1654 if (ReaderReceive(receivedAnswer))
1655 {
e30c654b 1656 if (nt_diff == 0)
15c4dc5a 1657 {
1658 LED_A_ON();
1659 memcpy(nt_attacked,nt,4);
1660 par_mask = 0xf8;
1661 par_low = par & 0x07;
1662 }
1663
1664 if (memcmp(nt,nt_attacked,4) != 0) continue;
1665
1666 led_on = !led_on;
1667 if(led_on) LED_B_ON(); else LED_B_OFF();
1668 par_list[nt_diff] = par;
1669 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1670
15c4dc5a 1671 // Test if the information is complete
1672 if (nt_diff == 0x07) break;
e30c654b 1673
15c4dc5a 1674 nt_diff = (nt_diff+1) & 0x07;
1675 mf_nr_ar[3] = nt_diff << 5;
1676 par = par_low;
1677 } else {
1678 if (nt_diff == 0)
1679 {
1680 par++;
1681 } else {
1682 par = (((par>>3)+1) << 3) | par_low;
1683 }
1684 }
1685 }
e30c654b 1686
72934aa3 1687 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1688 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1689 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
e30c654b 1690
15c4dc5a 1691 // Thats it...
1692 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1693 LEDsoff();
1694 tracing = TRUE;
1695}
Proxmark3 GIT tracking
Impressum, Datenschutz