]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
PCF7931: improved read code and implemented a simple password bruteforce (#745)
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
12
b8e461ff 13#include <stdarg.h>
14
902cb3c0 15#include "usb_cdc.h"
16#include "cmd.h"
e30c654b 17#include "proxmark3.h"
15c4dc5a 18#include "apps.h"
472345da 19#include "fpga.h"
f7e3ed82 20#include "util.h"
9ab7a6c7 21#include "printf.h"
22#include "string.h"
15c4dc5a 23#include "legicrf.h"
1b902aa0 24#include "legicrfsim.h"
b8e461ff 25#include "hitag2.h"
26#include "hitagS.h"
31abe49f 27#include "lfsampling.h"
3000dc4e 28#include "BigBuf.h"
c89274cc 29#include "mifareutil.h"
d10e08ae 30#include "pcf7931.h"
050aa18b 31#include "i2c.h"
15c4dc5a 32#ifdef WITH_LCD
902cb3c0 33 #include "LCD.h"
15c4dc5a 34#endif
43591e64 35
15c4dc5a 36
e46fe044 37// Craig Young - 14a stand-alone code
854fdf15 38#ifdef WITH_ISO14443a
e46fe044
CY		 39 #include "iso14443a.h"
40#endif
41
15c4dc5a 42//=============================================================================
43// A buffer where we can queue things up to be sent through the FPGA, for
44// any purpose (fake tag, as reader, whatever). We go MSB first, since that
45// is the order in which they go out on the wire.
46//=============================================================================
47
6a1f2d82 48#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
49uint8_t ToSend[TOSEND_BUFFER_SIZE];
15c4dc5a 50int ToSendMax;
51static int ToSendBit;
52struct common_area common_area __attribute__((section(".commonarea")));
53
15c4dc5a 54void ToSendReset(void)
55{
56 ToSendMax = -1;
57 ToSendBit = 8;
58}
59
60void ToSendStuffBit(int b)
61{
62 if(ToSendBit >= 8) {
63 ToSendMax++;
64 ToSend[ToSendMax] = 0;
65 ToSendBit = 0;
66 }
67
68 if(b) {
69 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
70 }
71
72 ToSendBit++;
73
6a1f2d82 74 if(ToSendMax >= sizeof(ToSend)) {
15c4dc5a 75 ToSendBit = 0;
76 DbpString("ToSendStuffBit overflowed!");
77 }
78}
79
80//=============================================================================
81// Debug print functions, to go out over USB, to the usual PC-side client.
82//=============================================================================
83
84void DbpString(char *str)
85{
9440213d 86 byte_t len = strlen(str);
87 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
15c4dc5a 88}
89
90#if 0
91void DbpIntegers(int x1, int x2, int x3)
92{
902cb3c0 93 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
15c4dc5a 94}
95#endif
96
97void Dbprintf(const char *fmt, ...) {
98// should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128];
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
e30c654b 105
15c4dc5a 106 DbpString(output_string);
107}
108
9455b51c 109// prints HEX & ASCII
d19929cb 110void Dbhexdump(int len, uint8_t *d, bool bAsci) {
9455b51c 111 int l=0,i;
112 char ascii[9];
d19929cb 113
9455b51c 114 while (len>0) {
115 if (len>8) l=8;
116 else l=len;
117
118 memcpy(ascii,d,l);
d19929cb 119 ascii[l]=0;
9455b51c 120
121 // filter safe ascii
d19929cb 122 for (i=0;i<l;i++)
9455b51c 123 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
d19929cb 124
125 if (bAsci) {
126 Dbprintf("%-8s %*D",ascii,l,d," ");
127 } else {
128 Dbprintf("%*D",l,d," ");
129 }
130
9455b51c 131 len-=8;
132 d+=8;
133 }
134}
135
15c4dc5a 136//-----------------------------------------------------------------------------
137// Read an ADC channel and block till it completes, then return the result
138// in ADC units (0 to 1023). Also a routine to average 32 samples and
139// return that.
140//-----------------------------------------------------------------------------
141static int ReadAdc(int ch)
2d51da38 142{
3b692427 143 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
050aa18b 144 // AMPL_HI is a high impedance (10MOhm || 1MOhm) output, the input capacitance of the ADC is 12pF (typical). This results in a time constant
9b32625c 145 // of RC = (0.91MOhm) * 12pF = 10.9us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
3b692427 146 //
147 // The maths are:
148 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
149 //
9b32625c 150 // v_cap = v_in * (1 - exp(-SHTIM/RC)) = v_in * (1 - exp(-40us/10.9us)) = v_in * 0,97 (i.e. an error of 3%)
15c4dc5a 151
2d51da38
I		 152 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
153 AT91C_BASE_ADC->ADC_MR =
9b32625c 154 ADC_MODE_PRESCALE(63) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
155 ADC_MODE_STARTUP_TIME(1) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
156 ADC_MODE_SAMPLE_HOLD_TIME(15); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
3b692427 157
2d51da38
I		 158 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
159 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
15c4dc5a 160
2d51da38
I		 161 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
162
050aa18b 163 return AT91C_BASE_ADC->ADC_CDR[ch] & 0x3ff;
15c4dc5a 164}
165
9ca155ba 166int AvgAdc(int ch) // was static - merlok
15c4dc5a 167{
168 int i;
169 int a = 0;
170
171 for(i = 0; i < 32; i++) {
172 a += ReadAdc(ch);
173 }
174
175 return (a + 15) >> 5;
176}
177
050aa18b 178static int AvgAdc_Voltage_HF(void)
179{
180 int AvgAdc_Voltage_Low, AvgAdc_Voltage_High;
181
182 AvgAdc_Voltage_Low= (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
183 // if voltage range is about to be exceeded, use high voltage ADC channel if available (RDV40 only)
184 if (AvgAdc_Voltage_Low > MAX_ADC_HF_VOLTAGE_LOW - 300) {
185 AvgAdc_Voltage_High = (MAX_ADC_HF_VOLTAGE_HIGH * AvgAdc(ADC_CHAN_HF_HIGH)) >> 10;
186 if (AvgAdc_Voltage_High >= AvgAdc_Voltage_Low) {
187 return AvgAdc_Voltage_High;
188 }
189 }
190 return AvgAdc_Voltage_Low;
191}
192
193static int AvgAdc_Voltage_LF(void)
194{
195 return (MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10;
196}
197
fdcfbdcc 198void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
15c4dc5a 199{
9b32625c 200 int i, adcval = 0, peak = 0;
15c4dc5a 201
202/*
203 * Sweeps the useful LF range of the proxmark from
204 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
205 * read the voltage in the antenna, the result left
206 * in the buffer is a graph which should clearly show
207 * the resonating frequency of your LF antenna
208 * ( hopefully around 95 if it is tuned to 125kHz!)
209 */
fdcfbdcc
RAB		 210
211 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
b014c96d 212 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2d51da38
I		 213 SpinDelay(50);
214
2bdd68c3 215 for (i=255; i>=19; i--) {
fdcfbdcc 216 WDT_HIT();
15c4dc5a 217 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
218 SpinDelay(20);
050aa18b 219 adcval = AvgAdc_Voltage_LF();
fdcfbdcc
RAB		 220 if (i==95) *vLf125 = adcval; // voltage at 125Khz
221 if (i==89) *vLf134 = adcval; // voltage at 134Khz
15c4dc5a 222
2d51da38 223 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
2bdd68c3 224 if(LF_Results[i] > peak) {
fdcfbdcc 225 *peakv = adcval;
2bdd68c3 226 peak = LF_Results[i];
fdcfbdcc 227 *peakf = i;
9f693930 228 //ptr = i;
15c4dc5a 229 }
230 }
231
2bdd68c3 232 for (i=18; i >= 0; i--) LF_Results[i] = 0;
fdcfbdcc
RAB		 233
234 return;
235}
236
237void MeasureAntennaTuningHfOnly(int *vHf)
238{
15c4dc5a 239 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
fdcfbdcc
RAB		 240 LED_A_ON();
241 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 242 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
243 SpinDelay(20);
050aa18b 244 *vHf = AvgAdc_Voltage_HF();
fdcfbdcc 245 LED_A_OFF();
fdcfbdcc
RAB		 246 return;
247}
248
249void MeasureAntennaTuning(int mode)
250{
251 uint8_t LF_Results[256] = {0};
252 int peakv = 0, peakf = 0;
253 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
254
255 LED_B_ON();
256
257 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
258 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
259 MeasureAntennaTuningHfOnly(&vHf);
260 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
261 } else {
262 if (mode & FLAG_TUNE_LF) {
263 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
264 }
265 if (mode & FLAG_TUNE_HF) {
266 MeasureAntennaTuningHfOnly(&vHf);
267 }
268 }
15c4dc5a 269
d040cb90 270 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125>>1 | (vLf134>>1<<16), vHf, peakf | (peakv>>1<<16), LF_Results, 256);
d19929cb 271 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2bdd68c3 272 LED_B_OFF();
273 return;
15c4dc5a 274}
275
276void MeasureAntennaTuningHf(void)
277{
278 int vHf = 0; // in mV
279
280 DbpString("Measuring HF antenna, press button to exit");
281
3b692427 282 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
283 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
284 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
285
15c4dc5a 286 for (;;) {
050aa18b 287 SpinDelay(500);
288 vHf = AvgAdc_Voltage_HF();
e30c654b 289
15c4dc5a 290 Dbprintf("%d mV",vHf);
291 if (BUTTON_PRESS()) break;
292 }
293 DbpString("cancelled");
3b692427 294
295 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
296
15c4dc5a 297}
298
299
15c4dc5a 300void ReadMem(int addr)
301{
f7e3ed82 302 const uint8_t *data = ((uint8_t *)addr);
15c4dc5a 303
304 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
305 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
306}
307
308/* osimage version information is linked in */
309extern struct version_information version_information;
310/* bootrom version information is pointed to from _bootphase1_version_pointer */
0fa01ec7 311extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
472345da 312
050aa18b 313
15c4dc5a 314void SendVersion(void)
315{
8e074056 316 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
317 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
e30c654b 318
319 /* Try to find the bootrom version information. Expect to find a pointer at
15c4dc5a 320 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
321 * pointer, then use it.
322 */
323 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
324 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
8e074056 325 strcat(VersionString, "bootrom version information appears invalid\n");
15c4dc5a 326 } else {
327 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
8e074056 328 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
15c4dc5a 329 }
e30c654b 330
15c4dc5a 331 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
8e074056 332 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e30c654b 333
472345da 334 for (int i = 0; i < fpga_bitstream_num; i++) {
335 strncat(VersionString, fpga_version_information[i], sizeof(VersionString) - strlen(VersionString) - 1);
050aa18b 336 strncat(VersionString, "\n", sizeof(VersionString) - strlen(VersionString) - 1);
472345da 337 }
050aa18b 338
339 // test availability of SmartCard slot
340 if (I2C_is_available()) {
341 strncat(VersionString, "SmartCard Slot: available\n", sizeof(VersionString) - strlen(VersionString) - 1);
342 } else {
343 strncat(VersionString, "SmartCard Slot: not available\n", sizeof(VersionString) - strlen(VersionString) - 1);
344 }
345
e6153040 346 // Send Chip ID and used flash memory
0fa01ec7 347 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
348 uint32_t compressed_data_section_size = common_area.arg1;
8e074056 349 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
15c4dc5a 350}
351
bfb01844 352// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
353// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
67b7d6fa 354void printUSBSpeed(void)
bfb01844 355{
356 Dbprintf("USB Speed:");
67b7d6fa 357 Dbprintf(" Sending USB packets to client...");
bfb01844 358
67b7d6fa 359 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
bfb01844 360 uint8_t *test_data = BigBuf_get_addr();
67b7d6fa 361 uint32_t end_time;
bfb01844 362
67b7d6fa 363 uint32_t start_time = end_time = GetTickCount();
364 uint32_t bytes_transferred = 0;
365
bfb01844 366 LED_B_ON();
67b7d6fa 367 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
368 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
369 end_time = GetTickCount();
370 bytes_transferred += USB_CMD_DATA_SIZE;
bfb01844 371 }
372 LED_B_OFF();
373
67b7d6fa 374 Dbprintf(" Time elapsed: %dms", end_time - start_time);
375 Dbprintf(" Bytes transferred: %d", bytes_transferred);
376 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
377 1000 * bytes_transferred / (end_time - start_time));
bfb01844 378
379}
380
c89274cc
CY		 381/**
382 * Prints runtime information about the PM3.
383**/
67b7d6fa 384void SendStatus(void)
c89274cc
CY		 385{
386 BigBuf_print_status();
387 Fpga_print_status();
43591e64 388#ifdef WITH_SMARTCARD
389 I2C_print_status();
390#endif
c89274cc 391 printConfig(); //LF Sampling config
67b7d6fa 392 printUSBSpeed();
c89274cc 393 Dbprintf("Various");
43591e64 394 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
395 Dbprintf(" ToSendMax..........%d", ToSendMax);
396 Dbprintf(" ToSendBit..........%d", ToSendBit);
bfb01844 397
398 cmd_send(CMD_ACK,1,0,0,0,0);
c89274cc 399}
15c4dc5a 400
a2937cea 401#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF_StandAlone)
15c4dc5a 402
15c4dc5a 403#define OPTS 2
404
86a83668
MHS		 405void StandAloneMode()
406{
407 DbpString("Stand-alone mode! No PC necessary.");
15c4dc5a 408 // Oooh pretty -- notify user we're in elite samy mode now
409 LED(LED_RED, 200);
410 LED(LED_ORANGE, 200);
411 LED(LED_GREEN, 200);
412 LED(LED_ORANGE, 200);
413 LED(LED_RED, 200);
414 LED(LED_ORANGE, 200);
415 LED(LED_GREEN, 200);
416 LED(LED_ORANGE, 200);
417 LED(LED_RED, 200);
418
86a83668
MHS		 419}
420
421#endif
422
423
424
425#ifdef WITH_ISO14443a_StandAlone
426void StandAloneMode14a()
427{
428 StandAloneMode();
429 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
430
15c4dc5a 431 int selected = 0;
44964fd1 432 bool playing = false, GotoRecord = false, GotoClone = false;
433 bool cardRead[OPTS] = {false};
86a83668
MHS		 434 uint8_t readUID[10] = {0};
435 uint32_t uid_1st[OPTS]={0};
436 uint32_t uid_2nd[OPTS]={0};
c89274cc
CY		 437 uint32_t uid_tmp1 = 0;
438 uint32_t uid_tmp2 = 0;
439 iso14a_card_select_t hi14a_card[OPTS];
15c4dc5a 440
15c4dc5a 441 LED(selected + 1, 0);
442
443 for (;;)
444 {
6e82300d 445 usb_poll();
86a83668 446 WDT_HIT();
15c4dc5a 447 SpinDelay(300);
448
44964fd1 449 if (GotoRecord || !cardRead[selected])
15c4dc5a 450 {
44964fd1 451 GotoRecord = false;
15c4dc5a 452 LEDsoff();
453 LED(selected + 1, 0);
454 LED(LED_RED2, 0);
455
456 // record
86a83668 457 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
15c4dc5a 458 /* need this delay to prevent catching some weird data */
459 SpinDelay(500);
86a83668
MHS		 460 /* Code for reading from 14a tag */
461 uint8_t uid[10] ={0};
462 uint32_t cuid;
463 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
15c4dc5a 464
86a83668
MHS		 465 for ( ; ; )
466 {
467 WDT_HIT();
c89274cc
CY		 468 if (BUTTON_PRESS()) {
469 if (cardRead[selected]) {
470 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
471 break;
472 }
473 else if (cardRead[(selected+1)%OPTS]) {
474 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
475 selected = (selected+1)%OPTS;
44964fd1 476 break;
c89274cc
CY		 477 }
478 else {
479 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
480 SpinDelay(300);
481 }
482 }
c04a4b60 483 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
86a83668
MHS		 484 continue;
485 else
486 {
487 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
488 memcpy(readUID,uid,10*sizeof(uint8_t));
c89274cc 489 uint8_t *dst = (uint8_t *)&uid_tmp1;
86a83668
MHS		 490 // Set UID byte order
491 for (int i=0; i<4; i++)
492 dst[i] = uid[3-i];
c89274cc 493 dst = (uint8_t *)&uid_tmp2;
86a83668
MHS		 494 for (int i=0; i<4; i++)
495 dst[i] = uid[7-i];
c89274cc
CY		 496 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
497 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
498 }
499 else {
500 if (uid_tmp2) {
501 Dbprintf("Bank[%d] received a 7-byte UID",selected);
502 uid_1st[selected] = (uid_tmp1)>>8;
503 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
504 }
505 else {
506 Dbprintf("Bank[%d] received a 4-byte UID",selected);
507 uid_1st[selected] = uid_tmp1;
508 uid_2nd[selected] = uid_tmp2;
509 }
510 break;
511 }
86a83668
MHS		 512 }
513 }
c89274cc
CY		 514 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
515 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
86a83668
MHS		 516 LEDsoff();
517 LED(LED_GREEN, 200);
518 LED(LED_ORANGE, 200);
519 LED(LED_GREEN, 200);
520 LED(LED_ORANGE, 200);
15c4dc5a 521
522 LEDsoff();
523 LED(selected + 1, 0);
15c4dc5a 524
c89274cc 525 // Next state is replay:
44964fd1 526 playing = true;
3fe4ff4f 527
44964fd1 528 cardRead[selected] = true;
86a83668 529 }
c89274cc 530 /* MF Classic UID clone */
44964fd1 531 else if (GotoClone)
3fe4ff4f 532 {
44964fd1 533 GotoClone=false;
c89274cc
CY		 534 LEDsoff();
535 LED(selected + 1, 0);
536 LED(LED_ORANGE, 250);
3fe4ff4f 537
3fe4ff4f 538
c89274cc
CY		 539 // record
540 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
3fe4ff4f 541
c89274cc
CY		 542 // wait for button to be released
543 while(BUTTON_PRESS())
544 {
545 // Delay cloning until card is in place
546 WDT_HIT();
547 }
548 Dbprintf("Starting clone. [Bank: %u]", selected);
549 // need this delay to prevent catching some weird data
550 SpinDelay(500);
551 // Begin clone function here:
552 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
553 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
554 memcpy(c.d.asBytes, data, 16);
555 SendCommand(&c);
556
557 Block read is similar:
558 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
559 We need to imitate that call with blockNo 0 to set a uid.
560
561 The get and set commands are handled in this file:
562 // Work with "magic Chinese" card
563 case CMD_MIFARE_CSETBLOCK:
564 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
565 break;
566 case CMD_MIFARE_CGETBLOCK:
567 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
568 break;
569
570 mfCSetUID provides example logic for UID set workflow:
571 -Read block0 from card in field with MifareCGetBlock()
572 -Configure new values without replacing reserved bytes
573 memcpy(block0, uid, 4); // Copy UID bytes from byte array
574 // Mifare UID BCC
575 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
576 Bytes 5-7 are reserved SAK and ATQA for mifare classic
577 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
578 */
579 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
580 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
581 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
582 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
583 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
44964fd1 584 playing = true;
c89274cc
CY		 585 }
586 else {
587 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
588 memcpy(newBlock0,oldBlock0,16);
589 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
590
591 newBlock0[0] = uid_1st[selected]>>24;
592 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
593 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
594 newBlock0[3] = 0xFF & (uid_1st[selected]);
595 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
596 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
597 MifareCSetBlock(0, 0xFF,0, newBlock0);
598 MifareCGetBlock(0x3F, 1, 0, testBlock0);
599 if (memcmp(testBlock0,newBlock0,16)==0)
600 {
601 DbpString("Cloned successfull!");
44964fd1 602 cardRead[selected] = false; // Only if the card was cloned successfully should we clear it
603 playing = false;
604 GotoRecord = true;
c89274cc
CY		 605 selected = (selected+1) % OPTS;
606 }
607 else {
608 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
44964fd1 609 playing = true;
c89274cc
CY		 610 }
611 }
612 LEDsoff();
613 LED(selected + 1, 0);
15c4dc5a 614
86a83668 615 }
15c4dc5a 616 // Change where to record (or begin playing)
44964fd1 617 else if (playing) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
15c4dc5a 618 {
15c4dc5a 619 LEDsoff();
620 LED(selected + 1, 0);
621
622 // Begin transmitting
44964fd1 623 LED(LED_GREEN, 0);
624 DbpString("Playing");
625 for ( ; ; ) {
626 WDT_HIT();
627 int button_action = BUTTON_HELD(1000);
628 if (button_action == 0) { // No button action, proceed with sim
629 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
630 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
631 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
632 DbpString("Mifare Classic");
633 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
c89274cc 634 }
44964fd1 635 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
636 DbpString("Mifare Ultralight");
637 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
15c4dc5a 638 }
44964fd1 639 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
640 DbpString("Mifare DESFire");
641 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
642 }
643 else {
644 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
645 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
c89274cc 646 }
c89274cc 647 }
44964fd1 648 else if (button_action == BUTTON_SINGLE_CLICK) {
649 selected = (selected + 1) % OPTS;
650 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
651 GotoRecord = true;
652 break;
653 }
654 else if (button_action == BUTTON_HOLD) {
655 Dbprintf("Playtime over. Begin cloning...");
656 GotoClone = true;
657 break;
658 }
659 WDT_HIT();
15c4dc5a 660 }
44964fd1 661
662 /* We pressed a button so ignore it here with a delay */
663 SpinDelay(300);
664 LEDsoff();
665 LED(selected + 1, 0);
15c4dc5a 666 }
667 }
668}
a2937cea 669#elif WITH_LF_StandAlone
86a83668
MHS		 670// samy's sniff and repeat routine
671void SamyRun()
e46fe044 672{
86a83668
MHS		 673 StandAloneMode();
674 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
e46fe044 675
53e2f2fa 676 int tops[OPTS], high[OPTS], low[OPTS];
15c4dc5a 677 int selected = 0;
678 int playing = 0;
3fe4ff4f 679 int cardRead = 0;
15c4dc5a 680
681 // Turn on selected LED
682 LED(selected + 1, 0);
683
684 for (;;)
685 {
6e82300d 686 usb_poll();
86a83668 687 WDT_HIT();
15c4dc5a 688
689 // Was our button held down or pressed?
690 int button_pressed = BUTTON_HELD(1000);
691 SpinDelay(300);
692
693 // Button was held for a second, begin recording
3fe4ff4f 694 if (button_pressed > 0 && cardRead == 0)
15c4dc5a 695 {
696 LEDsoff();
697 LED(selected + 1, 0);
698 LED(LED_RED2, 0);
699
700 // record
701 DbpString("Starting recording");
702
703 // wait for button to be released
704 while(BUTTON_PRESS())
705 WDT_HIT();
706
707 /* need this delay to prevent catching some weird data */
708 SpinDelay(500);
709
53e2f2fa 710 CmdHIDdemodFSK(1, &tops[selected], &high[selected], &low[selected], 0);
711 if (tops[selected] > 0)
712 Dbprintf("Recorded %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
713 else
714 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 715
716 LEDsoff();
717 LED(selected + 1, 0);
718 // Finished recording
719
720 // If we were previously playing, set playing off
721 // so next button push begins playing what we recorded
722 playing = 0;
3fe4ff4f 723
724 cardRead = 1;
725
726 }
727
728 else if (button_pressed > 0 && cardRead == 1)
729 {
730 LEDsoff();
731 LED(selected + 1, 0);
732 LED(LED_ORANGE, 0);
733
734 // record
53e2f2fa 735 if (tops[selected] > 0)
736 Dbprintf("Cloning %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
737 else
738 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 739
740 // wait for button to be released
741 while(BUTTON_PRESS())
742 WDT_HIT();
743
744 /* need this delay to prevent catching some weird data */
745 SpinDelay(500);
746
5f84531b 747 CopyHIDtoT55x7(tops[selected] & 0x000FFFFF, high[selected], low[selected], (tops[selected] != 0 && ((high[selected]& 0xFFFFFFC0) != 0)), 0x1D);
53e2f2fa 748 if (tops[selected] > 0)
749 Dbprintf("Cloned %x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
750 else
751 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 752
753 LEDsoff();
754 LED(selected + 1, 0);
755 // Finished recording
756
757 // If we were previously playing, set playing off
758 // so next button push begins playing what we recorded
759 playing = 0;
760
761 cardRead = 0;
762
15c4dc5a 763 }
764
765 // Change where to record (or begin playing)
766 else if (button_pressed)
767 {
768 // Next option if we were previously playing
769 if (playing)
770 selected = (selected + 1) % OPTS;
771 playing = !playing;
772
773 LEDsoff();
774 LED(selected + 1, 0);
775
776 // Begin transmitting
777 if (playing)
778 {
779 LED(LED_GREEN, 0);
780 DbpString("Playing");
781 // wait for button to be released
782 while(BUTTON_PRESS())
783 WDT_HIT();
53e2f2fa 784 if (tops[selected] > 0)
785 Dbprintf("%x %x%08x%08x", selected, tops[selected], high[selected], low[selected]);
786 else
787 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
788
789 CmdHIDsimTAG(tops[selected], high[selected], low[selected], 0);
15c4dc5a 790 DbpString("Done playing");
791 if (BUTTON_HELD(1000) > 0)
792 {
793 DbpString("Exiting");
794 LEDsoff();
795 return;
796 }
797
798 /* We pressed a button so ignore it here with a delay */
799 SpinDelay(300);
800
801 // when done, we're done playing, move to next option
802 selected = (selected + 1) % OPTS;
803 playing = !playing;
804 LEDsoff();
805 LED(selected + 1, 0);
806 }
807 else
808 while(BUTTON_PRESS())
809 WDT_HIT();
810 }
811 }
812}
15c4dc5a 813
e46fe044 814#endif
15c4dc5a 815/*
816OBJECTIVE
817Listen and detect an external reader. Determine the best location
818for the antenna.
819
820INSTRUCTIONS:
821Inside the ListenReaderField() function, there is two mode.
822By default, when you call the function, you will enter mode 1.
823If you press the PM3 button one time, you will enter mode 2.
824If you press the PM3 button a second time, you will exit the function.
825
826DESCRIPTION OF MODE 1:
827This mode just listens for an external reader field and lights up green
828for HF and/or red for LF. This is the original mode of the detectreader
829function.
830
831DESCRIPTION OF MODE 2:
832This mode will visually represent, using the LEDs, the actual strength of the
833current compared to the maximum current detected. Basically, once you know
834what kind of external reader is present, it will help you spot the best location to place
835your antenna. You will probably not get some good results if there is a LF and a HF reader
836at the same place! :-)
837
838LIGHT SCHEME USED:
839*/
840static const char LIGHT_SCHEME[] = {
841 0x0, /* ---- | No field detected */
842 0x1, /* X--- | 14% of maximum current detected */
843 0x2, /* -X-- | 29% of maximum current detected */
844 0x4, /* --X- | 43% of maximum current detected */
845 0x8, /* ---X | 57% of maximum current detected */
846 0xC, /* --XX | 71% of maximum current detected */
847 0xE, /* -XXX | 86% of maximum current detected */
848 0xF, /* XXXX | 100% of maximum current detected */
849};
850static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
851
852void ListenReaderField(int limit)
853{
050aa18b 854 int lf_av, lf_av_new=0, lf_baseline= 0, lf_max;
855 int hf_av, hf_av_new=0, hf_baseline= 0, hf_max;
15c4dc5a 856 int mode=1, display_val, display_max, i;
857
050aa18b 858#define LF_ONLY 1
859#define HF_ONLY 2
860#define REPORT_CHANGE_PERCENT 5 // report new values only if they have changed at least by REPORT_CHANGE_PERCENT
861#define MIN_HF_FIELD 300 // in mode 1 signal HF field greater than MIN_HF_FIELD above baseline
862#define MIN_LF_FIELD 1200 // in mode 1 signal LF field greater than MIN_LF_FIELD above baseline
3b692427 863
864
865 // switch off FPGA - we don't want to measure our own signal
866 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
867 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 868
869 LEDsoff();
870
050aa18b 871 lf_av = lf_max = AvgAdc_Voltage_LF();
15c4dc5a 872
873 if(limit != HF_ONLY) {
050aa18b 874 Dbprintf("LF 125/134kHz Baseline: %dmV", lf_av);
15c4dc5a 875 lf_baseline = lf_av;
876 }
877
050aa18b 878 hf_av = hf_max = AvgAdc_Voltage_HF();
879
15c4dc5a 880 if (limit != LF_ONLY) {
050aa18b 881 Dbprintf("HF 13.56MHz Baseline: %dmV", hf_av);
15c4dc5a 882 hf_baseline = hf_av;
883 }
884
885 for(;;) {
050aa18b 886 SpinDelay(500);
15c4dc5a 887 if (BUTTON_PRESS()) {
15c4dc5a 888 switch (mode) {
889 case 1:
890 mode=2;
891 DbpString("Signal Strength Mode");
892 break;
893 case 2:
894 default:
895 DbpString("Stopped");
896 LEDsoff();
897 return;
898 break;
899 }
050aa18b 900 while (BUTTON_PRESS());
15c4dc5a 901 }
902 WDT_HIT();
903
904 if (limit != HF_ONLY) {
3b692427 905 if(mode == 1) {
050aa18b 906 if (lf_av - lf_baseline > MIN_LF_FIELD)
3b692427 907 LED_D_ON();
908 else
909 LED_D_OFF();
15c4dc5a 910 }
e30c654b 911
050aa18b 912 lf_av_new = AvgAdc_Voltage_LF();
15c4dc5a 913 // see if there's a significant change
050aa18b 914 if (ABS((lf_av - lf_av_new)*100/(lf_av?lf_av:1)) > REPORT_CHANGE_PERCENT) {
915 Dbprintf("LF 125/134kHz Field Change: %5dmV", lf_av_new);
15c4dc5a 916 lf_av = lf_av_new;
917 if (lf_av > lf_max)
918 lf_max = lf_av;
15c4dc5a 919 }
920 }
921
922 if (limit != LF_ONLY) {
923 if (mode == 1){
050aa18b 924 if (hf_av - hf_baseline > MIN_HF_FIELD)
3b692427 925 LED_B_ON();
926 else
927 LED_B_OFF();
15c4dc5a 928 }
e30c654b 929
050aa18b 930 hf_av_new = AvgAdc_Voltage_HF();
931
15c4dc5a 932 // see if there's a significant change
050aa18b 933 if (ABS((hf_av - hf_av_new)*100/(hf_av?hf_av:1)) > REPORT_CHANGE_PERCENT) {
934 Dbprintf("HF 13.56MHz Field Change: %5dmV", hf_av_new);
15c4dc5a 935 hf_av = hf_av_new;
936 if (hf_av > hf_max)
937 hf_max = hf_av;
15c4dc5a 938 }
939 }
e30c654b 940
15c4dc5a 941 if(mode == 2) {
942 if (limit == LF_ONLY) {
943 display_val = lf_av;
944 display_max = lf_max;
945 } else if (limit == HF_ONLY) {
946 display_val = hf_av;
947 display_max = hf_max;
948 } else { /* Pick one at random */
949 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
950 display_val = hf_av;
951 display_max = hf_max;
952 } else {
953 display_val = lf_av;
954 display_max = lf_max;
955 }
956 }
957 for (i=0; i<LIGHT_LEN; i++) {
958 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
959 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
960 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
961 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
962 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
963 break;
964 }
965 }
966 }
967 }
968}
969
f7e3ed82 970void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 971{
972 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 973
902cb3c0 974// Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
975
15c4dc5a 976 switch(c->cmd) {
977#ifdef WITH_LF
31abe49f
MHS		 978 case CMD_SET_LF_SAMPLING_CONFIG:
979 setSamplingConfig((sample_config *) c->d.asBytes);
980 break;
15c4dc5a 981 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
b9957414 982 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
15c4dc5a 983 break;
15c4dc5a 984 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
985 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
986 break;
b014c96d 987 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 988 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 989 break;
7e67e42f 990 case CMD_HID_DEMOD_FSK:
be59094d 991 CmdHIDdemodFSK(c->arg[0], 0, 0, 0, 1);
7e67e42f 992 break;
993 case CMD_HID_SIM_TAG:
be59094d 994 CmdHIDsimTAG(c->arg[0], c->arg[1], c->arg[2], 1);
7e67e42f 995 break;
abd6112f 996 case CMD_FSK_SIM_TAG:
997 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
998 break;
999 case CMD_ASK_SIM_TAG:
1000 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1001 break;
872e3d4d 1002 case CMD_PSK_SIM_TAG:
1003 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1004 break;
1005 case CMD_HID_CLONE_TAG:
5f84531b
SS		 1006 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x1D);
1007 break;
1008 case CMD_PARADOX_CLONE_TAG:
1009 // Paradox cards are the same as HID, with a different preamble, so we can reuse the same function
1010 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0], 0x0F);
7e67e42f 1011 break;
a1f3bb12 1012 case CMD_IO_DEMOD_FSK:
3fe4ff4f 1013 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 1014 break;
3fe4ff4f 1015 case CMD_IO_CLONE_TAG:
9f669cb2 1016 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 1017 break;
66707a3b 1018 case CMD_EM410X_DEMOD:
1019 CmdEM410xdemod(c->arg[0], 0, 0, 1);
1020 break;
2d4eae76 1021 case CMD_EM410X_WRITE_TAG:
1022 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
1023 break;
7e67e42f 1024 case CMD_READ_TI_TYPE:
1025 ReadTItag();
1026 break;
1027 case CMD_WRITE_TI_TYPE:
1028 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
1029 break;
1030 case CMD_SIMULATE_TAG_125K:
31d1caa5 1031 LED_A_ON();
7e67e42f 1032 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
31d1caa5 1033 LED_A_OFF();
7e67e42f 1034 break;
1035 case CMD_LF_SIMULATE_BIDIR:
1036 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
1037 break;
3fe4ff4f 1038 case CMD_INDALA_CLONE_TAG:
2414f978 1039 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
1040 break;
3fe4ff4f 1041 case CMD_INDALA_CLONE_TAG_L:
2414f978 1042 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1043 break;
1c611bbd 1044 case CMD_T55XX_READ_BLOCK:
8e99ec25 1045 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1046 break;
1047 case CMD_T55XX_WRITE_BLOCK:
1048 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1049 break;
be2d41b7 1050 case CMD_T55XX_WAKEUP:
1051 T55xxWakeUp(c->arg[0]);
1c611bbd 1052 break;
66837a03 1053 case CMD_T55XX_RESET_READ:
1054 T55xxResetRead();
1055 break;
3fe4ff4f 1056 case CMD_PCF7931_READ:
1c611bbd 1057 ReadPCF7931();
1c611bbd 1058 break;
dc4300ba 1059 case CMD_PCF7931_WRITE:
d10e08ae 1060 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
dc4300ba 1061 break;
818e15b0
S		 1062 case CMD_PCF7931_BRUTEFORCE:
1063 BruteForcePCF7931(c->arg[0], (c->arg[1] & 0xFF), c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128);
1064 break;
1c611bbd 1065 case CMD_EM4X_READ_WORD:
7666f460 1066 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1c611bbd 1067 break;
1068 case CMD_EM4X_WRITE_WORD:
7666f460 1069 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1070 break;
dbf6e824
CY		 1071 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1072 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
7cfc777b 1073 break;
709665b5 1074 case CMD_VIKING_CLONE_TAG:
1075 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1076 break;
e04475c4 1077 case CMD_COTAG:
1078 Cotag(c->arg[0]);
1079 break;
15c4dc5a 1080#endif
1081
d19929cb 1082#ifdef WITH_HITAG
1083 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1084 SnoopHitag(c->arg[0]);
1085 break;
1086 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1087 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1088 break;
1089 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1090 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1091 break;
4e12287d
RS		 1092 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1093 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1094 break;
1095 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
7b6e3205 1096 check_challenges_cmd((bool)c->arg[0], (byte_t*)c->d.asBytes, (uint8_t)c->arg[1]);
4e12287d
RS		 1097 break;
1098 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
7b6e3205 1099 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], false);
1100 break;
1101 case CMD_READ_HITAG_S_BLK:
1102 ReadHitagSCmd((hitag_function)c->arg[0], (hitag_data*)c->d.asBytes, (uint8_t)c->arg[1], (uint8_t)c->arg[2], true);
4e12287d
RS		 1103 break;
1104 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
52244230
HJ		 1105 if ((hitag_function)c->arg[0] < 10) {
1106 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1107 }
1108 else if ((hitag_function)c->arg[0] >= 10) {
1109 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1110 }
4e12287d 1111 break;
d19929cb 1112#endif
f168b263 1113
15c4dc5a 1114#ifdef WITH_ISO15693
1115 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1116 AcquireRawAdcSamplesIso15693();
1117 break;
9455b51c 1118 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1119 RecordRawAdcSamplesIso15693();
1120 break;
1121
1122 case CMD_ISO_15693_COMMAND:
1123 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1124 break;
1125
1126 case CMD_ISO_15693_FIND_AFI:
1127 BruteforceIso15693Afi(c->arg[0]);
1128 break;
1129
1130 case CMD_ISO_15693_DEBUG:
1131 SetDebugIso15693(c->arg[0]);
1132 break;
15c4dc5a 1133
15c4dc5a 1134 case CMD_READER_ISO_15693:
1135 ReaderIso15693(c->arg[0]);
1136 break;
7e67e42f 1137 case CMD_SIMTAG_ISO_15693:
3fe4ff4f 1138 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1139 break;
15c4dc5a 1140#endif
1141
7e67e42f 1142#ifdef WITH_LEGICRF
1143 case CMD_SIMULATE_TAG_LEGIC_RF:
1b902aa0 1144 LegicRfSimulate(c->arg[0]);
7e67e42f 1145 break;
3612a8a8 1146
7e67e42f 1147 case CMD_WRITER_LEGIC_RF:
1148 LegicRfWriter(c->arg[1], c->arg[0]);
1149 break;
3612a8a8 1150
15c4dc5a 1151 case CMD_READER_LEGIC_RF:
1152 LegicRfReader(c->arg[0], c->arg[1]);
1153 break;
15c4dc5a 1154#endif
1155
1156#ifdef WITH_ISO14443b
15c4dc5a 1157 case CMD_READ_SRI512_TAG:
51d4f6f1 1158 ReadSTMemoryIso14443b(0x0F);
15c4dc5a 1159 break;
7e67e42f 1160 case CMD_READ_SRIX4K_TAG:
51d4f6f1 1161 ReadSTMemoryIso14443b(0x7F);
7e67e42f 1162 break;
132a0217 1163 case CMD_SNOOP_ISO_14443B:
51d4f6f1 1164 SnoopIso14443b();
7e67e42f 1165 break;
132a0217 1166 case CMD_SIMULATE_TAG_ISO_14443B:
51d4f6f1 1167 SimulateIso14443bTag();
7e67e42f 1168 break;
7cf3ef20 1169 case CMD_ISO_14443B_COMMAND:
1170 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1171 break;
15c4dc5a 1172#endif
1173
1174#ifdef WITH_ISO14443a
7e67e42f 1175 case CMD_SNOOP_ISO_14443a:
5cd9ec01 1176 SnoopIso14443a(c->arg[0]);
7e67e42f 1177 break;
15c4dc5a 1178 case CMD_READER_ISO_14443a:
902cb3c0 1179 ReaderIso14443a(c);
15c4dc5a 1180 break;
7e67e42f 1181 case CMD_SIMULATE_TAG_ISO_14443a:
28afbd2b 1182 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1183 break;
3fe4ff4f 1184
5acd09bd 1185 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1186 EPA_PACE_Collect_Nonce(c);
5acd09bd 1187 break;
3bb07d96
FM		 1188 case CMD_EPA_PACE_REPLAY:
1189 EPA_PACE_Replay(c);
1190 break;
7e67e42f 1191
15c4dc5a 1192 case CMD_READER_MIFARE:
f168b263 1193 ReaderMifare(c->arg[0]);
15c4dc5a 1194 break;
20f9a2a1
M		 1195 case CMD_MIFARE_READBL:
1196 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1197 break;
981bd429 1198 case CMD_MIFAREU_READBL:
f168b263 1199 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1200 break;
8258f409 1201 case CMD_MIFAREUC_AUTH:
1202 MifareUC_Auth(c->arg[0],c->d.asBytes);
a631936e 1203 break;
981bd429 1204 case CMD_MIFAREU_READCARD:
75377d29 1205 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1206 break;
f168b263 1207 case CMD_MIFAREUC_SETPWD:
1208 MifareUSetPwd(c->arg[0], c->d.asBytes);
1209 break;
20f9a2a1
M		 1210 case CMD_MIFARE_READSC:
1211 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1212 break;
1213 case CMD_MIFARE_WRITEBL:
1214 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1215 break;
4973f23d 1216 //case CMD_MIFAREU_WRITEBL_COMPAT:
1217 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1218 //break;
981bd429 1219 case CMD_MIFAREU_WRITEBL:
4973f23d 1220 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
f168b263 1221 break;
c48c4d78 1222 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1223 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1224 break;
20f9a2a1
M		 1225 case CMD_MIFARE_NESTED:
1226 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M		 1227 break;
1228 case CMD_MIFARE_CHKKEYS:
1229 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M		 1230 break;
1231 case CMD_SIMULATE_MIFARE_CARD:
1232 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1233 break;
8556b852
M		 1234
1235 // emulator
1236 case CMD_MIFARE_SET_DBGMODE:
1237 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1238 break;
1239 case CMD_MIFARE_EML_MEMCLR:
1240 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1241 break;
1242 case CMD_MIFARE_EML_MEMSET:
1243 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1244 break;
1245 case CMD_MIFARE_EML_MEMGET:
1246 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1247 break;
1248 case CMD_MIFARE_EML_CARDLOAD:
1249 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M		 1250 break;
1251
1252 // Work with "magic Chinese" card
3a05a1e7
OM		 1253 case CMD_MIFARE_CWIPE:
1254 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1255 break;
3fe4ff4f 1256 case CMD_MIFARE_CSETBLOCK:
0675f200 1257 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
545a1f38 1258 break;
3fe4ff4f 1259 case CMD_MIFARE_CGETBLOCK:
545a1f38 1260 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
8556b852 1261 break;
3fe4ff4f 1262 case CMD_MIFARE_CIDENT:
1263 MifareCIdent();
1264 break;
b62a5a84
M		 1265
1266 // mifare sniffer
1267 case CMD_MIFARE_SNIFFER:
5cd9ec01 1268 SniffMifare(c->arg[0]);
b62a5a84 1269 break;
a631936e 1270
20f9a2a1
M		 1271#endif
1272
7e67e42f 1273#ifdef WITH_ICLASS
cee5a30d 1274 // Makes use of ISO14443a FPGA Firmware
1275 case CMD_SNOOP_ICLASS:
1276 SnoopIClass();
1277 break;
1e262141 1278 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1279 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1280 break;
1281 case CMD_READER_ICLASS:
1282 ReaderIClass(c->arg[0]);
1283 break;
c3963755 1284 case CMD_READER_ICLASS_REPLAY:
aa53efc3 1285 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
c3963755 1286 break;
aa53efc3 1287 case CMD_ICLASS_EML_MEMSET:
e80aeb96
MHS		 1288 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1289 break;
aa53efc3 1290 case CMD_ICLASS_WRITEBLOCK:
3ac22ee1 1291 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1292 break;
1293 case CMD_ICLASS_READCHECK: // auth step 1
1294 iClass_ReadCheck(c->arg[0], c->arg[1]);
aa53efc3 1295 break;
1296 case CMD_ICLASS_READBLOCK:
3ac22ee1 1297 iClass_ReadBlk(c->arg[0]);
aa53efc3 1298 break;
3ac22ee1 1299 case CMD_ICLASS_AUTHENTICATION: //check
aa53efc3 1300 iClass_Authentication(c->d.asBytes);
1301 break;
1302 case CMD_ICLASS_DUMP:
3ac22ee1 1303 iClass_Dump(c->arg[0], c->arg[1]);
aa53efc3 1304 break;
1305 case CMD_ICLASS_CLONE:
3ac22ee1 1306 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
aa53efc3 1307 break;
cee5a30d 1308#endif
0472d76d 1309#ifdef WITH_HFSNOOP
1310 case CMD_HF_SNIFFER:
1311 HfSnoop(c->arg[0], c->arg[1]);
1312 break;
1313#endif
43591e64 1314#ifdef WITH_SMARTCARD
1315 case CMD_SMART_ATR: {
1316 SmartCardAtr();
1317 break;
1318 }
1319 case CMD_SMART_SETCLOCK:{
1320 SmartCardSetClock(c->arg[0]);
1321 break;
1322 }
1323 case CMD_SMART_RAW: {
1324 SmartCardRaw(c->arg[0], c->arg[1], c->d.asBytes);
1325 break;
1326 }
1327 case CMD_SMART_UPLOAD: {
1328 // upload file from client
1329 uint8_t *mem = BigBuf_get_addr();
1330 memcpy( mem + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1331 cmd_send(CMD_ACK,1,0,0,0,0);
1332 break;
1333 }
1334 case CMD_SMART_UPGRADE: {
1335 SmartCardUpgrade(c->arg[0]);
1336 break;
1337 }
1338#endif
cee5a30d 1339
7e67e42f 1340 case CMD_BUFF_CLEAR:
117d9ec2 1341 BigBuf_Clear();
15c4dc5a 1342 break;
15c4dc5a 1343
1344 case CMD_MEASURE_ANTENNA_TUNING:
fdcfbdcc 1345 MeasureAntennaTuning(c->arg[0]);
15c4dc5a 1346 break;
1347
1348 case CMD_MEASURE_ANTENNA_TUNING_HF:
1349 MeasureAntennaTuningHf();
1350 break;
1351
1352 case CMD_LISTEN_READER_FIELD:
1353 ListenReaderField(c->arg[0]);
1354 break;
1355
15c4dc5a 1356 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1357 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1358 SpinDelay(200);
1359 LED_D_OFF(); // LED D indicates field ON or OFF
1360 break;
1361
1c611bbd 1362 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
902cb3c0 1363
1c611bbd 1364 LED_B_ON();
117d9ec2 1365 uint8_t *BigBuf = BigBuf_get_addr();
1c611bbd 1366 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1367 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1368 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1369 }
1370 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1371 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1372 LED_B_OFF();
1c611bbd 1373 break;
15c4dc5a 1374
1375 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
8c8317a5 1376 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1377 // to be able to use this one for uploading data to device
1378 // arg1 = 0 upload for LF usage
1379 // 1 upload for HF usage
1380 if (c->arg[1] == 0)
1381 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1382 else
1383 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1384
117d9ec2 1385 uint8_t *b = BigBuf_get_addr();
3fe4ff4f 1386 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1387 cmd_send(CMD_ACK,0,0,0,0,0);
1388 break;
1389 }
15c4dc5a 1390 case CMD_READ_MEM:
1391 ReadMem(c->arg[0]);
1392 break;
1393
1394 case CMD_SET_LF_DIVISOR:
8c8317a5 1395 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1396 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1397 break;
1398
1399 case CMD_SET_ADC_MUX:
1400 switch(c->arg[0]) {
1401 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1402 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1403 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1404 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1405 }
1406 break;
1407
1408 case CMD_VERSION:
1409 SendVersion();
1410 break;
c89274cc 1411 case CMD_STATUS:
67b7d6fa 1412 SendStatus();
c89274cc
CY		 1413 break;
1414 case CMD_PING:
1415 cmd_send(CMD_ACK,0,0,0,0,0);
1416 break;
15c4dc5a 1417#ifdef WITH_LCD
1418 case CMD_LCD_RESET:
1419 LCDReset();
1420 break;
1421 case CMD_LCD:
1422 LCDSend(c->arg[0]);
1423 break;
1424#endif
1425 case CMD_SETUP_WRITE:
1426 case CMD_FINISH_WRITE:
1c611bbd 1427 case CMD_HARDWARE_RESET:
1428 usb_disable();
15c4dc5a 1429 SpinDelay(1000);
1430 SpinDelay(1000);
1431 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1432 for(;;) {
1433 // We're going to reset, and the bootrom will take control.
1434 }
1c611bbd 1435 break;
15c4dc5a 1436
1c611bbd 1437 case CMD_START_FLASH:
15c4dc5a 1438 if(common_area.flags.bootrom_present) {
1439 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1440 }
1c611bbd 1441 usb_disable();
15c4dc5a 1442 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1443 for(;;);
1c611bbd 1444 break;
e30c654b 1445
15c4dc5a 1446 case CMD_DEVICE_INFO: {
902cb3c0 1447 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1448 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1449 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1450 break;
1451 }
1452 default:
15c4dc5a 1453 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1454 break;
15c4dc5a 1455 }
1456}
1457
1458void __attribute__((noreturn)) AppMain(void)
1459{
1460 SpinDelay(100);
9e8255d4 1461 clear_trace();
15c4dc5a 1462 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1463 /* Initialize common area */
1464 memset(&common_area, 0, sizeof(common_area));
1465 common_area.magic = COMMON_AREA_MAGIC;
1466 common_area.version = 1;
1467 }
1468 common_area.flags.osimage_present = 1;
1469
1470 LED_D_OFF();
1471 LED_C_OFF();
1472 LED_B_OFF();
1473 LED_A_OFF();
1474
3fe4ff4f 1475 // Init USB device
050aa18b 1476 usb_enable();
15c4dc5a 1477
1478 // The FPGA gets its clock from us from PCK0 output, so set that up.
1479 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1480 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1481 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1482 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1483 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
0472d76d 1484 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
15c4dc5a 1485 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1486
1487 // Reset SPI
1488 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1489 // Reset SSC
1490 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1491
1492 // Load the FPGA image, which we have stored in our flash.
7cc204bf 1493 // (the HF version by default)
1494 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1495
9ca155ba 1496 StartTickCount();
902cb3c0 1497
15c4dc5a 1498#ifdef WITH_LCD
15c4dc5a 1499 LCDInit();
15c4dc5a 1500#endif
1501
902cb3c0 1502 byte_t rx[sizeof(UsbCommand)];
1503 size_t rx_len;
1504
15c4dc5a 1505 for(;;) {
902cb3c0 1506 if (usb_poll()) {
1507 rx_len = usb_read(rx,sizeof(UsbCommand));
1508 if (rx_len) {
1509 UsbPacketReceived(rx,rx_len);
1510 }
1511 }
15c4dc5a 1512 WDT_HIT();
1513
a2937cea 1514#ifdef WITH_LF_StandAlone
e46fe044 1515#ifndef WITH_ISO14443a_StandAlone
15c4dc5a 1516 if (BUTTON_HELD(1000) > 0)
1517 SamyRun();
e46fe044
CY		 1518#endif
1519#endif
1520#ifdef WITH_ISO14443a
1521#ifdef WITH_ISO14443a_StandAlone
1522 if (BUTTON_HELD(1000) > 0)
1523 StandAloneMode14a();
1524#endif
15c4dc5a 1525#endif
1526 }
1527}
Proxmark3 GIT tracking
Impressum, Datenschutz