]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fixed a lot of simulation issues
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M		 20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
534983d7 23static uint32_t iso14a_timeout;
1e262141 24uint8_t *trace = (uint8_t *) BigBuf;
25int traceLen = 0;
26int rsamples = 0;
27int tracing = TRUE;
28uint8_t trigger = 0;
15c4dc5a 29
8f51ddb0 30// CARD TO READER - manchester
72934aa3 31// Sequence D: 11110000 modulation with subcarrier during first half
32// Sequence E: 00001111 modulation with subcarrier during second half
33// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 34// READER TO CARD - miller
72934aa3 35// Sequence X: 00001100 drop after half a period
36// Sequence Y: 00000000 no drop
37// Sequence Z: 11000000 drop at start
38#define SEC_D 0xf0
39#define SEC_E 0x0f
40#define SEC_F 0x00
41#define SEC_X 0x0c
42#define SEC_Y 0x00
43#define SEC_Z 0xc0
15c4dc5a 44
1e262141 45const uint8_t OddByteParity[256] = {
15c4dc5a 46 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
62};
63
1e262141 64
534983d7 65void iso14a_set_trigger(int enable) {
66 trigger = enable;
67}
68
8556b852
M		 69void iso14a_clear_tracelen(void) {
70 traceLen = 0;
71}
72void iso14a_set_tracing(int enable) {
73 tracing = enable;
74}
75
15c4dc5a 76//-----------------------------------------------------------------------------
77// Generate the parity value for a byte sequence
e30c654b 78//
15c4dc5a 79//-----------------------------------------------------------------------------
20f9a2a1
M		 80byte_t oddparity (const byte_t bt)
81{
82 return OddByteParity[bt];
83}
84
f7e3ed82 85uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 86{
87 int i;
f7e3ed82 88 uint32_t dwPar = 0;
72934aa3 89
15c4dc5a 90 // Generate the encrypted data
91 for (i = 0; i < iLen; i++) {
92 // Save the encrypted parity bit
93 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
94 }
95 return dwPar;
96}
97
534983d7 98void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 99{
100 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
101}
102
1e262141 103// The function LogTrace() is also used by the iClass implementation in iClass.c
ed82636b 104int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 105{
106 // Return when trace is full
81cd0474 107 if (traceLen >= TRACE_SIZE) return FALSE;
e30c654b 108
15c4dc5a 109 // Trace the random, i'm curious
110 rsamples += iSamples;
111 trace[traceLen++] = ((rsamples >> 0) & 0xff);
112 trace[traceLen++] = ((rsamples >> 8) & 0xff);
113 trace[traceLen++] = ((rsamples >> 16) & 0xff);
114 trace[traceLen++] = ((rsamples >> 24) & 0xff);
115 if (!bReader) {
116 trace[traceLen - 1] |= 0x80;
117 }
118 trace[traceLen++] = ((dwParity >> 0) & 0xff);
119 trace[traceLen++] = ((dwParity >> 8) & 0xff);
120 trace[traceLen++] = ((dwParity >> 16) & 0xff);
121 trace[traceLen++] = ((dwParity >> 24) & 0xff);
122 trace[traceLen++] = iLen;
123 memcpy(trace + traceLen, btBytes, iLen);
124 traceLen += iLen;
125 return TRUE;
126}
127
15c4dc5a 128//-----------------------------------------------------------------------------
129// The software UART that receives commands from the reader, and its state
130// variables.
131//-----------------------------------------------------------------------------
132static struct {
133 enum {
134 STATE_UNSYNCD,
135 STATE_START_OF_COMMUNICATION,
136 STATE_MILLER_X,
137 STATE_MILLER_Y,
138 STATE_MILLER_Z,
139 STATE_ERROR_WAIT
140 } state;
f7e3ed82 141 uint16_t shiftReg;
15c4dc5a 142 int bitCnt;
143 int byteCnt;
144 int byteCntMax;
145 int posCnt;
146 int syncBit;
147 int parityBits;
148 int samples;
149 int highCnt;
150 int bitBuffer;
151 enum {
152 DROP_NONE,
153 DROP_FIRST_HALF,
154 DROP_SECOND_HALF
155 } drop;
f7e3ed82 156 uint8_t *output;
15c4dc5a 157} Uart;
158
6c1e2d95 159static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 160{
9f693930 161 //int error = 0;
15c4dc5a 162 int bitright;
163
164 if(!Uart.bitBuffer) {
165 Uart.bitBuffer = bit ^ 0xFF0;
166 return FALSE;
167 }
168 else {
169 Uart.bitBuffer <<= 4;
170 Uart.bitBuffer ^= bit;
171 }
172
f7e3ed82 173 int EOC = FALSE;
15c4dc5a 174
175 if(Uart.state != STATE_UNSYNCD) {
176 Uart.posCnt++;
177
178 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
179 bit = 0x00;
180 }
181 else {
182 bit = 0x01;
183 }
184 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
185 bitright = 0x00;
186 }
187 else {
188 bitright = 0x01;
189 }
190 if(bit != bitright) { bit = bitright; }
191
192 if(Uart.posCnt == 1) {
193 // measurement first half bitperiod
194 if(!bit) {
195 Uart.drop = DROP_FIRST_HALF;
196 }
197 }
198 else {
199 // measurement second half bitperiod
200 if(!bit & (Uart.drop == DROP_NONE)) {
201 Uart.drop = DROP_SECOND_HALF;
202 }
203 else if(!bit) {
204 // measured a drop in first and second half
205 // which should not be possible
206 Uart.state = STATE_ERROR_WAIT;
9f693930 207 //error = 0x01;
15c4dc5a 208 }
209
210 Uart.posCnt = 0;
211
212 switch(Uart.state) {
213 case STATE_START_OF_COMMUNICATION:
214 Uart.shiftReg = 0;
215 if(Uart.drop == DROP_SECOND_HALF) {
216 // error, should not happen in SOC
217 Uart.state = STATE_ERROR_WAIT;
9f693930 218 //error = 0x02;
15c4dc5a 219 }
220 else {
221 // correct SOC
222 Uart.state = STATE_MILLER_Z;
223 }
224 break;
225
226 case STATE_MILLER_Z:
227 Uart.bitCnt++;
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // logic '0' followed by sequence Y
231 // end of communication
232 Uart.state = STATE_UNSYNCD;
233 EOC = TRUE;
234 }
235 // if(Uart.drop == DROP_FIRST_HALF) {
236 // Uart.state = STATE_MILLER_Z; stay the same
237 // we see a logic '0' }
238 if(Uart.drop == DROP_SECOND_HALF) {
239 // we see a logic '1'
240 Uart.shiftReg |= 0x100;
241 Uart.state = STATE_MILLER_X;
242 }
243 break;
244
245 case STATE_MILLER_X:
246 Uart.shiftReg >>= 1;
247 if(Uart.drop == DROP_NONE) {
248 // sequence Y, we see a '0'
249 Uart.state = STATE_MILLER_Y;
250 Uart.bitCnt++;
251 }
252 if(Uart.drop == DROP_FIRST_HALF) {
253 // Would be STATE_MILLER_Z
254 // but Z does not follow X, so error
255 Uart.state = STATE_ERROR_WAIT;
9f693930 256 //error = 0x03;
15c4dc5a 257 }
258 if(Uart.drop == DROP_SECOND_HALF) {
259 // We see a '1' and stay in state X
260 Uart.shiftReg |= 0x100;
261 Uart.bitCnt++;
262 }
263 break;
264
265 case STATE_MILLER_Y:
266 Uart.bitCnt++;
267 Uart.shiftReg >>= 1;
268 if(Uart.drop == DROP_NONE) {
269 // logic '0' followed by sequence Y
270 // end of communication
271 Uart.state = STATE_UNSYNCD;
272 EOC = TRUE;
273 }
274 if(Uart.drop == DROP_FIRST_HALF) {
275 // we see a '0'
276 Uart.state = STATE_MILLER_Z;
277 }
278 if(Uart.drop == DROP_SECOND_HALF) {
279 // We see a '1' and go to state X
280 Uart.shiftReg |= 0x100;
281 Uart.state = STATE_MILLER_X;
282 }
283 break;
284
285 case STATE_ERROR_WAIT:
286 // That went wrong. Now wait for at least two bit periods
287 // and try to sync again
288 if(Uart.drop == DROP_NONE) {
289 Uart.highCnt = 6;
290 Uart.state = STATE_UNSYNCD;
291 }
292 break;
293
294 default:
295 Uart.state = STATE_UNSYNCD;
296 Uart.highCnt = 0;
297 break;
298 }
299
300 Uart.drop = DROP_NONE;
301
302 // should have received at least one whole byte...
303 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
304 return TRUE;
305 }
306
307 if(Uart.bitCnt == 9) {
308 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
309 Uart.byteCnt++;
310
311 Uart.parityBits <<= 1;
312 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
313
314 if(EOC) {
315 // when End of Communication received and
316 // all data bits processed..
317 return TRUE;
318 }
319 Uart.bitCnt = 0;
320 }
321
322 /*if(error) {
323 Uart.output[Uart.byteCnt] = 0xAA;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = error & 0xFF;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = 0xAA;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
334 Uart.byteCnt++;
335 Uart.output[Uart.byteCnt] = 0xAA;
336 Uart.byteCnt++;
337 return TRUE;
338 }*/
339 }
340
341 }
342 else {
343 bit = Uart.bitBuffer & 0xf0;
344 bit >>= 4;
345 bit ^= 0x0F;
346 if(bit) {
347 // should have been high or at least (4 * 128) / fc
348 // according to ISO this should be at least (9 * 128 + 20) / fc
349 if(Uart.highCnt == 8) {
350 // we went low, so this could be start of communication
351 // it turns out to be safer to choose a less significant
352 // syncbit... so we check whether the neighbour also represents the drop
353 Uart.posCnt = 1; // apparently we are busy with our first half bit period
354 Uart.syncBit = bit & 8;
355 Uart.samples = 3;
356 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
357 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
359 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
360 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 361 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 362 Uart.syncBit = 8;
363
364 // the first half bit period is expected in next sample
365 Uart.posCnt = 0;
366 Uart.samples = 3;
367 }
368 }
369 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
370
371 Uart.syncBit <<= 4;
372 Uart.state = STATE_START_OF_COMMUNICATION;
373 Uart.drop = DROP_FIRST_HALF;
374 Uart.bitCnt = 0;
375 Uart.byteCnt = 0;
376 Uart.parityBits = 0;
9f693930 377 //error = 0;
15c4dc5a 378 }
379 else {
380 Uart.highCnt = 0;
381 }
382 }
383 else {
384 if(Uart.highCnt < 8) {
385 Uart.highCnt++;
386 }
387 }
388 }
389
390 return FALSE;
391}
392
393//=============================================================================
394// ISO 14443 Type A - Manchester
395//=============================================================================
396
397static struct {
398 enum {
399 DEMOD_UNSYNCD,
400 DEMOD_START_OF_COMMUNICATION,
401 DEMOD_MANCHESTER_D,
402 DEMOD_MANCHESTER_E,
403 DEMOD_MANCHESTER_F,
404 DEMOD_ERROR_WAIT
405 } state;
406 int bitCount;
407 int posCount;
408 int syncBit;
409 int parityBits;
f7e3ed82 410 uint16_t shiftReg;
15c4dc5a 411 int buffer;
412 int buff;
413 int samples;
414 int len;
415 enum {
416 SUB_NONE,
417 SUB_FIRST_HALF,
418 SUB_SECOND_HALF
419 } sub;
f7e3ed82 420 uint8_t *output;
15c4dc5a 421} Demod;
422
6c1e2d95 423static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 424{
425 int bit;
426 int modulation;
9f693930 427 //int error = 0;
15c4dc5a 428
429 if(!Demod.buff) {
430 Demod.buff = 1;
431 Demod.buffer = v;
432 return FALSE;
433 }
434 else {
435 bit = Demod.buffer;
436 Demod.buffer = v;
437 }
438
439 if(Demod.state==DEMOD_UNSYNCD) {
440 Demod.output[Demod.len] = 0xfa;
441 Demod.syncBit = 0;
442 //Demod.samples = 0;
443 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 444
445 if(bit & 0x08) {
446 Demod.syncBit = 0x08;
15c4dc5a 447 }
15c4dc5a 448
2f2d9fc5 449 if(bit & 0x04) {
450 if(Demod.syncBit) {
451 bit <<= 4;
452 }
453 Demod.syncBit = 0x04;
454 }
15c4dc5a 455
2f2d9fc5 456 if(bit & 0x02) {
457 if(Demod.syncBit) {
458 bit <<= 2;
15c4dc5a 459 }
2f2d9fc5 460 Demod.syncBit = 0x02;
15c4dc5a 461 }
15c4dc5a 462
593924e7 463 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 464 Demod.syncBit = 0x01;
465 }
466
15c4dc5a 467 if(Demod.syncBit) {
468 Demod.len = 0;
469 Demod.state = DEMOD_START_OF_COMMUNICATION;
470 Demod.sub = SUB_FIRST_HALF;
471 Demod.bitCount = 0;
472 Demod.shiftReg = 0;
473 Demod.parityBits = 0;
474 Demod.samples = 0;
475 if(Demod.posCount) {
534983d7 476 if(trigger) LED_A_OFF();
15c4dc5a 477 switch(Demod.syncBit) {
478 case 0x08: Demod.samples = 3; break;
479 case 0x04: Demod.samples = 2; break;
480 case 0x02: Demod.samples = 1; break;
481 case 0x01: Demod.samples = 0; break;
482 }
483 }
9f693930 484 //error = 0;
15c4dc5a 485 }
486 }
487 else {
488 //modulation = bit & Demod.syncBit;
489 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
490
491 Demod.samples += 4;
492
493 if(Demod.posCount==0) {
494 Demod.posCount = 1;
495 if(modulation) {
496 Demod.sub = SUB_FIRST_HALF;
497 }
498 else {
499 Demod.sub = SUB_NONE;
500 }
501 }
502 else {
503 Demod.posCount = 0;
504 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
505 if(Demod.state!=DEMOD_ERROR_WAIT) {
506 Demod.state = DEMOD_ERROR_WAIT;
507 Demod.output[Demod.len] = 0xaa;
9f693930 508 //error = 0x01;
15c4dc5a 509 }
510 }
511 else if(modulation) {
512 Demod.sub = SUB_SECOND_HALF;
513 }
514
515 switch(Demod.state) {
516 case DEMOD_START_OF_COMMUNICATION:
517 if(Demod.sub == SUB_FIRST_HALF) {
518 Demod.state = DEMOD_MANCHESTER_D;
519 }
520 else {
521 Demod.output[Demod.len] = 0xab;
522 Demod.state = DEMOD_ERROR_WAIT;
9f693930 523 //error = 0x02;
15c4dc5a 524 }
525 break;
526
527 case DEMOD_MANCHESTER_D:
528 case DEMOD_MANCHESTER_E:
529 if(Demod.sub == SUB_FIRST_HALF) {
530 Demod.bitCount++;
531 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
532 Demod.state = DEMOD_MANCHESTER_D;
533 }
534 else if(Demod.sub == SUB_SECOND_HALF) {
535 Demod.bitCount++;
536 Demod.shiftReg >>= 1;
537 Demod.state = DEMOD_MANCHESTER_E;
538 }
539 else {
540 Demod.state = DEMOD_MANCHESTER_F;
541 }
542 break;
543
544 case DEMOD_MANCHESTER_F:
545 // Tag response does not need to be a complete byte!
546 if(Demod.len > 0 || Demod.bitCount > 0) {
547 if(Demod.bitCount > 0) {
548 Demod.shiftReg >>= (9 - Demod.bitCount);
549 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
550 Demod.len++;
551 // No parity bit, so just shift a 0
552 Demod.parityBits <<= 1;
553 }
554
555 Demod.state = DEMOD_UNSYNCD;
556 return TRUE;
557 }
558 else {
559 Demod.output[Demod.len] = 0xad;
560 Demod.state = DEMOD_ERROR_WAIT;
9f693930 561 //error = 0x03;
15c4dc5a 562 }
563 break;
564
565 case DEMOD_ERROR_WAIT:
566 Demod.state = DEMOD_UNSYNCD;
567 break;
568
569 default:
570 Demod.output[Demod.len] = 0xdd;
571 Demod.state = DEMOD_UNSYNCD;
572 break;
573 }
574
575 if(Demod.bitCount>=9) {
576 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
577 Demod.len++;
578
579 Demod.parityBits <<= 1;
580 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
581
582 Demod.bitCount = 0;
583 Demod.shiftReg = 0;
584 }
585
586 /*if(error) {
587 Demod.output[Demod.len] = 0xBB;
588 Demod.len++;
589 Demod.output[Demod.len] = error & 0xFF;
590 Demod.len++;
591 Demod.output[Demod.len] = 0xBB;
592 Demod.len++;
593 Demod.output[Demod.len] = bit & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.buffer & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
598 Demod.len++;
599 Demod.output[Demod.len] = 0xBB;
600 Demod.len++;
601 return TRUE;
602 }*/
603
604 }
605
606 } // end (state != UNSYNCED)
607
608 return FALSE;
609}
610
611//=============================================================================
612// Finally, a `sniffer' for ISO 14443 Type A
613// Both sides of communication!
614//=============================================================================
615
616//-----------------------------------------------------------------------------
617// Record the sequence of commands sent by the reader to the tag, with
618// triggering so that we start recording at the point that the tag is moved
619// near the reader.
620//-----------------------------------------------------------------------------
6c1e2d95 621void RAMFUNC SnoopIso14443a(void)
15c4dc5a 622{
623// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
624// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
625// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
626// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
81cd0474 627// #define TRACE_SIZE 2000 // original (working as of 21/2/09) values
15c4dc5a 628
629 // We won't start recording the frames that we acquire until we trigger;
630 // a good trigger condition to get started is probably when we see a
631 // response from the tag.
7e758047 632 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 633
634 // The command (reader -> tag) that we're receiving.
635 // The length of a received command will in most cases be no more than 18 bytes.
636 // So 32 should be enough!
f7e3ed82 637 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 638 // The response (tag -> reader) that we're receiving.
f7e3ed82 639 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 640
641 // As we receive stuff, we copy it from receivedCmd or receivedResponse
642 // into trace, along with its length and other annotations.
f7e3ed82 643 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 644
645 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 646
647 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 648 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 649 int lastRxCounter;
f7e3ed82 650 int8_t *upTo;
15c4dc5a 651 int smpl;
652 int maxBehindBy = 0;
653
654 // Count of samples received so far, so that we can include timing
655 // information in the trace buffer.
656 int samples = 0;
cee5a30d 657 int rsamples = 0;
15c4dc5a 658
81cd0474 659 memset(trace, 0x44, TRACE_SIZE);
15c4dc5a 660
661 // Set up the demodulator for tag -> reader responses.
662 Demod.output = receivedResponse;
663 Demod.len = 0;
664 Demod.state = DEMOD_UNSYNCD;
665
7e758047 666 // Setup for the DMA.
667 FpgaSetupSsc();
668 upTo = dmaBuf;
669 lastRxCounter = DMA_BUFFER_SIZE;
670 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
671
15c4dc5a 672 // And the reader -> tag commands
673 memset(&Uart, 0, sizeof(Uart));
674 Uart.output = receivedCmd;
675 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
676 Uart.state = STATE_UNSYNCD;
677
678 // And put the FPGA in the appropriate mode
679 // Signal field is off with the appropriate LED
680 LED_D_OFF();
681 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
682 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
683
15c4dc5a 684
685 // And now we loop, receiving samples.
686 for(;;) {
7e758047 687 LED_A_ON();
688 WDT_HIT();
15c4dc5a 689 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
690 (DMA_BUFFER_SIZE-1);
691 if(behindBy > maxBehindBy) {
692 maxBehindBy = behindBy;
693 if(behindBy > 400) {
7e758047 694 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 695 goto done;
696 }
697 }
698 if(behindBy < 1) continue;
699
7e758047 700 LED_A_OFF();
15c4dc5a 701 smpl = upTo[0];
702 upTo++;
703 lastRxCounter -= 1;
704 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
705 upTo -= DMA_BUFFER_SIZE;
706 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 707 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 708 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
709 }
710
711 samples += 4;
7e758047 712 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 713 rsamples = samples - Uart.samples;
72934aa3 714 LED_C_ON();
7e758047 715 if(triggered) {
716 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 717 trace[traceLen++] = ((rsamples >> 8) & 0xff);
718 trace[traceLen++] = ((rsamples >> 16) & 0xff);
719 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 720 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
722 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
723 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 724 trace[traceLen++] = Uart.byteCnt;
725 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
726 traceLen += Uart.byteCnt;
81cd0474 727 if(traceLen > TRACE_SIZE) break;
72934aa3 728 }
729 /* And ready to receive another command. */
730 Uart.state = STATE_UNSYNCD;
731 /* And also reset the demod code, which might have been */
732 /* false-triggered by the commands from the reader. */
733 Demod.state = DEMOD_UNSYNCD;
7e758047 734 LED_B_OFF();
15c4dc5a 735 }
7e758047 736
737 if(ManchesterDecoding(smpl & 0x0F)) {
738 rsamples = samples - Demod.samples;
739 LED_B_ON();
740
741 // timestamp, as a count of samples
742 trace[traceLen++] = ((rsamples >> 0) & 0xff);
743 trace[traceLen++] = ((rsamples >> 8) & 0xff);
744 trace[traceLen++] = ((rsamples >> 16) & 0xff);
745 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
748 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
749 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
750 // length
751 trace[traceLen++] = Demod.len;
752 memcpy(trace+traceLen, receivedResponse, Demod.len);
753 traceLen += Demod.len;
81cd0474 754 if(traceLen > TRACE_SIZE) break;
7e758047 755
756 triggered = TRUE;
15c4dc5a 757
758 // And ready to receive another response.
759 memset(&Demod, 0, sizeof(Demod));
760 Demod.output = receivedResponse;
761 Demod.state = DEMOD_UNSYNCD;
7e758047 762 LED_C_OFF();
763 }
15c4dc5a 764
765 if(BUTTON_PRESS()) {
766 DbpString("cancelled_a");
767 goto done;
768 }
769 }
770
771 DbpString("COMMAND FINISHED");
772
15c4dc5a 773done:
774 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
13d8c68d 775 Dbprintf("maxBehindBy=%x, Uart.state=%x, Uart.byteCnt=%x", maxBehindBy, Uart.state, Uart.byteCnt);
776 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
15c4dc5a 777 LED_A_OFF();
778 LED_B_OFF();
779 LED_C_OFF();
780 LED_D_OFF();
781}
782
15c4dc5a 783//-----------------------------------------------------------------------------
784// Prepare tag messages
785//-----------------------------------------------------------------------------
8f51ddb0 786static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 787{
8f51ddb0 788 int i;
15c4dc5a 789
8f51ddb0 790 ToSendReset();
15c4dc5a 791
792 // Correction bit, might be removed when not needed
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(1); // 1
798 ToSendStuffBit(0);
799 ToSendStuffBit(0);
800 ToSendStuffBit(0);
8f51ddb0 801
15c4dc5a 802 // Send startbit
72934aa3 803 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 804
8f51ddb0
M		 805 for(i = 0; i < len; i++) {
806 int j;
807 uint8_t b = cmd[i];
15c4dc5a 808
809 // Data bits
15c4dc5a 810 for(j = 0; j < 8; j++) {
15c4dc5a 811 if(b & 1) {
72934aa3 812 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 813 } else {
72934aa3 814 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M		 815 }
816 b >>= 1;
817 }
15c4dc5a 818
0014cb46 819 // Get the parity bit
8f51ddb0
M		 820 if ((dwParity >> i) & 0x01) {
821 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 822 } else {
72934aa3 823 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 824 }
8f51ddb0 825 }
15c4dc5a 826
8f51ddb0
M		 827 // Send stopbit
828 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 829
8f51ddb0
M		 830 // Convert from last byte pos to length
831 ToSendMax++;
8f51ddb0
M		 832}
833
834static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
835 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 836}
837
838//-----------------------------------------------------------------------------
839// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
840//-----------------------------------------------------------------------------
8f51ddb0 841static void CodeStrangeAnswerAsTag()
15c4dc5a 842{
843 int i;
844
845 ToSendReset();
846
847 // Correction bit, might be removed when not needed
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(1); // 1
853 ToSendStuffBit(0);
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856
857 // Send startbit
72934aa3 858 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 859
860 // 0
72934aa3 861 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 862
863 // 0
72934aa3 864 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 865
866 // 1
72934aa3 867 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 868
869 // Send stopbit
72934aa3 870 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 871
872 // Flush the buffer in FPGA!!
873 for(i = 0; i < 5; i++) {
72934aa3 874 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 875 }
876
877 // Convert from last byte pos to length
878 ToSendMax++;
8f51ddb0 879}
15c4dc5a 880
8f51ddb0
M		 881static void Code4bitAnswerAsTag(uint8_t cmd)
882{
883 int i;
884
885 ToSendReset();
886
887 // Correction bit, might be removed when not needed
888 ToSendStuffBit(0);
889 ToSendStuffBit(0);
890 ToSendStuffBit(0);
891 ToSendStuffBit(0);
892 ToSendStuffBit(1); // 1
893 ToSendStuffBit(0);
894 ToSendStuffBit(0);
895 ToSendStuffBit(0);
896
897 // Send startbit
898 ToSend[++ToSendMax] = SEC_D;
899
900 uint8_t b = cmd;
901 for(i = 0; i < 4; i++) {
902 if(b & 1) {
903 ToSend[++ToSendMax] = SEC_D;
904 } else {
905 ToSend[++ToSendMax] = SEC_E;
906 }
907 b >>= 1;
908 }
909
910 // Send stopbit
911 ToSend[++ToSendMax] = SEC_F;
912
913 // Flush the buffer in FPGA!!
914 for(i = 0; i < 5; i++) {
915 ToSend[++ToSendMax] = SEC_F;
916 }
917
918 // Convert from last byte pos to length
919 ToSendMax++;
15c4dc5a 920}
921
922//-----------------------------------------------------------------------------
923// Wait for commands from reader
924// Stop when button is pressed
925// Or return TRUE when command is captured
926//-----------------------------------------------------------------------------
f7e3ed82 927static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 928{
929 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
930 // only, since we are receiving, not transmitting).
931 // Signal field is off with the appropriate LED
932 LED_D_OFF();
933 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
934
935 // Now run a `software UART' on the stream of incoming samples.
936 Uart.output = received;
937 Uart.byteCntMax = maxLen;
938 Uart.state = STATE_UNSYNCD;
939
940 for(;;) {
941 WDT_HIT();
942
943 if(BUTTON_PRESS()) return FALSE;
944
945 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
946 AT91C_BASE_SSC->SSC_THR = 0x00;
947 }
948 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 949 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 950 if(MillerDecoding((b & 0xf0) >> 4)) {
951 *len = Uart.byteCnt;
952 return TRUE;
953 }
954 if(MillerDecoding(b & 0x0f)) {
955 *len = Uart.byteCnt;
956 return TRUE;
957 }
958 }
959 }
960}
9ca155ba 961static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
15c4dc5a 962
963//-----------------------------------------------------------------------------
964// Main loop of simulated tag: receive commands from reader, decide what
965// response to send, and send it.
966//-----------------------------------------------------------------------------
81cd0474 967void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd)
15c4dc5a 968{
81cd0474 969 // Enable and clear the trace
970 tracing = TRUE;
971 traceLen = 0;
972 memset(trace, 0x44, TRACE_SIZE);
973
15c4dc5a 974 // This function contains the tag emulation
81cd0474 975 uint8_t sak;
976
977 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
978 uint8_t response1[2];
979
980 switch (tagType) {
981 case 1: { // MIFARE Classic
982 // Says: I am Mifare 1k - original line
983 response1[0] = 0x04;
984 response1[1] = 0x00;
985 sak = 0x08;
986 } break;
987 case 2: { // MIFARE Ultralight
988 // Says: I am a stupid memory tag, no crypto
989 response1[0] = 0x04;
990 response1[1] = 0x00;
991 sak = 0x00;
992 } break;
993 case 3: { // MIFARE DESFire
994 // Says: I am a DESFire tag, ph33r me
995 response1[0] = 0x04;
996 response1[1] = 0x03;
997 sak = 0x20;
998 } break;
999 case 4: { // ISO/IEC 14443-4
1000 // Says: I am a javacard (JCOP)
1001 response1[0] = 0x04;
1002 response1[1] = 0x00;
1003 sak = 0x28;
1004 } break;
1005 default: {
1006 Dbprintf("Error: unkown tagtype (%d)",tagType);
1007 return;
1008 } break;
1009 }
1010
1011 // The second response contains the (mandatory) first 24 bits of the UID
1012 uint8_t response2[5];
1013
1014 // Check if the uid uses the (optional) part
1015 uint8_t response2a[5];
1016 if (uid_2nd) {
1017 response2[0] = 0x88;
1018 num_to_bytes(uid_1st,3,response2+1);
1019 num_to_bytes(uid_2nd,4,response2a);
1020 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1021
1022 // Configure the ATQA and SAK accordingly
1023 response1[0] |= 0x40;
1024 sak |= 0x04;
1025 } else {
1026 num_to_bytes(uid_1st,4,response2);
1027 // Configure the ATQA and SAK accordingly
1028 response1[0] &= 0xBF;
1029 sak &= 0xFB;
1030 }
1031
1032 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1033 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1034
1035 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1036 uint8_t response3[3];
1037 response3[0] = sak;
1038 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1039
1040 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1041 uint8_t response3a[3];
1042 response3a[0] = sak & 0xFB;
1043 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1044
1045
1046/*
1047 // Check if the uid uses the (optional) second part
1048 if (uid_2nd) {
1049 // Configure the ATQA and SAK accordingly
1050 response1[0] |= 0x40;
1051 sak |= 0x04;
1052 }
1053*/
1054
1055//static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
1056
15c4dc5a 1057
1058 // Prepare protocol messages
f7e3ed82 1059 // static const uint8_t cmd1[] = { 0x26 };
1060// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 1061//
81cd0474 1062// uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
f7e3ed82 1063// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 1064
1065 // UID response
f7e3ed82 1066 // static const uint8_t cmd2[] = { 0x93, 0x20 };
1067 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 1068
15c4dc5a 1069// my desfire
81cd0474 1070// uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 1071
1072
1073// When reader selects us during cascade1 it will send cmd3
f7e3ed82 1074//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
81cd0474 1075//uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
1076//ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
15c4dc5a 1077
1078// send cascade2 2nd half of UID
81cd0474 1079//static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 1080// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
1081
15c4dc5a 1082// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 1083//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
81cd0474 1084//uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
1085//ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
15c4dc5a 1086
f7e3ed82 1087 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 1088
f7e3ed82 1089 uint8_t *resp;
15c4dc5a 1090 int respLen;
1091
81cd0474 1092 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
15c4dc5a 1093 // This will need
1094 // 144 data bits (18 * 8)
1095 // 18 parity bits
1096 // 2 Start and stop
1097 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1098 // 1 just for the case
1099 // ----------- +
1100 // 166
1101 //
1102 // 166 bytes, since every bit that needs to be send costs us a byte
1103 //
1104
15c4dc5a 1105 // Respond with card type
81cd0474 1106 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
15c4dc5a 1107 int resp1Len;
1108
1109 // Anticollision cascade1 - respond with uid
81cd0474 1110 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166);
15c4dc5a 1111 int resp2Len;
1112
1113 // Anticollision cascade2 - respond with 2nd half of uid if asked
1114 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1115 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1116 int resp2aLen;
1117
1118 // Acknowledge select - cascade 1
81cd0474 1119 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2));
15c4dc5a 1120 int resp3Len;
1121
1122 // Acknowledge select - cascade 2
81cd0474 1123 uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3));
15c4dc5a 1124 int resp3aLen;
1125
1126 // Response to a read request - not implemented atm
81cd0474 1127 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4));
15c4dc5a 1128 int resp4Len;
1129
1130 // Authenticate response - nonce
81cd0474 1131 uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5));
15c4dc5a 1132 int resp5Len;
1133
81cd0474 1134 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1135// uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1136 int len;
1137
9f693930
GY		 1138 //int i;
1139 //int u;
1140 //uint8_t b;
15c4dc5a 1141
1142 // To control where we are in the protocol
1143 int order = 0;
1144 int lastorder;
1145
1146 // Just to allow some checks
1147 int happened = 0;
1148 int happened2 = 0;
1149
81cd0474 1150 int cmdsRecvd = 0;
1151 uint8_t* respdata = NULL;
1152 int respsize = 0;
1153 uint8_t nack = 0x04;
15c4dc5a 1154
9f693930 1155 //int fdt_indicator;
15c4dc5a 1156
81cd0474 1157 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
15c4dc5a 1158
1159 // Prepare the responses of the anticollision phase
1160 // there will be not enough time to do this at the moment the reader sends it REQA
1161
1162 // Answer to request
1163 CodeIso14443aAsTag(response1, sizeof(response1));
1164 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1165
1166 // Send our UID (cascade 1)
1167 CodeIso14443aAsTag(response2, sizeof(response2));
1168 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1169
1170 // Answer to select (cascade1)
1171 CodeIso14443aAsTag(response3, sizeof(response3));
1172 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1173
1174 // Send the cascade 2 2nd part of the uid
1175 CodeIso14443aAsTag(response2a, sizeof(response2a));
1176 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1177
1178 // Answer to select (cascade 2)
1179 CodeIso14443aAsTag(response3a, sizeof(response3a));
1180 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1181
1182 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1183 CodeStrangeAnswerAsTag();
15c4dc5a 1184 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1185
1186 // Authentication answer (random nonce)
1187 CodeIso14443aAsTag(response5, sizeof(response5));
1188 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1189
1190 // We need to listen to the high-frequency, peak-detected path.
1191 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1192 FpgaSetupSsc();
1193
1194 cmdsRecvd = 0;
1195
1196 LED_A_ON();
1197 for(;;) {
1198
81cd0474 1199 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
15c4dc5a 1200 DbpString("button press");
1201 break;
1202 }
1203 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1204 // Okay, look at the command now.
1205 lastorder = order;
9f693930 1206 //i = 1; // first byte transmitted
15c4dc5a 1207 if(receivedCmd[0] == 0x26) {
1208 // Received a REQUEST
1209 resp = resp1; respLen = resp1Len; order = 1;
81cd0474 1210 respdata = response1;
1211 respsize = sizeof(response1);
15c4dc5a 1212 //DbpString("Hello request from reader:");
1213 } else if(receivedCmd[0] == 0x52) {
1214 // Received a WAKEUP
1215 resp = resp1; respLen = resp1Len; order = 6;
1216// //DbpString("Wakeup request from reader:");
81cd0474 1217 respdata = response1;
1218 respsize = sizeof(response1);
15c4dc5a 1219 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1220 // Received request for UID (cascade 1)
1221 resp = resp2; respLen = resp2Len; order = 2;
1222// DbpString("UID (cascade 1) request from reader:");
1223// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1224 respdata = response2;
1225 respsize = sizeof(response2);
15c4dc5a 1226 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1227 // Received request for UID (cascade 2)
1228 resp = resp2a; respLen = resp2aLen; order = 20;
1229// DbpString("UID (cascade 2) request from reader:");
1230// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1231 respdata = response2a;
1232 respsize = sizeof(response2a);
15c4dc5a 1233
1234 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1235 // Received a SELECT
1236 resp = resp3; respLen = resp3Len; order = 3;
1237// DbpString("Select (cascade 1) request from reader:");
1238// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1239 respdata = response3;
1240 respsize = sizeof(response3);
15c4dc5a 1241
1242 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1243 // Received a SELECT
1244 resp = resp3a; respLen = resp3aLen; order = 30;
1245// DbpString("Select (cascade 2) request from reader:");
1246// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1247 respdata = response3a;
1248 respsize = sizeof(response3a);
15c4dc5a 1249
1250 } else if(receivedCmd[0] == 0x30) {
1251 // Received a READ
1252 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1253 Dbprintf("Read request from reader: %x %x %x",
1254 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1255 respdata = &nack;
1256 respsize = sizeof(nack); // 4-bit answer
15c4dc5a 1257
1258 } else if(receivedCmd[0] == 0x50) {
1259 // Received a HALT
1260 resp = resp1; respLen = 0; order = 5; // Do nothing
1261 DbpString("Reader requested we HALT!:");
81cd0474 1262 respdata = NULL;
1263 respsize = 0;
15c4dc5a 1264
1265 } else if(receivedCmd[0] == 0x60) {
1266 // Received an authentication request
1267 resp = resp5; respLen = resp5Len; order = 7;
1268 Dbprintf("Authenticate request from reader: %x %x %x",
1269 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1270 respdata = NULL;
1271 respsize = 0;
15c4dc5a 1272
1273 } else if(receivedCmd[0] == 0xE0) {
1274 // Received a RATS request
1275 resp = resp1; respLen = 0;order = 70;
1276 Dbprintf("RATS request from reader: %x %x %x",
1277 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
81cd0474 1278 respdata = NULL;
1279 respsize = 0;
1280 } else {
1281 // Never seen this command before
1282 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
20f9a2a1 1283 len,
15c4dc5a 1284 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M		 1285 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1286 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1287 // Do not respond
1288 resp = resp1; respLen = 0; order = 0;
81cd0474 1289 respdata = NULL;
1290 respsize = 0;
1291 }
15c4dc5a 1292
1293 // Count number of wakeups received after a halt
1294 if(order == 6 && lastorder == 5) { happened++; }
1295
1296 // Count number of other messages after a halt
1297 if(order != 6 && lastorder == 5) { happened2++; }
1298
1299 // Look at last parity bit to determine timing of answer
1300 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1301 // 1236, so correction bit needed
9f693930 1302 //i = 0;
15c4dc5a 1303 }
1304
15c4dc5a 1305
1306 if(cmdsRecvd > 999) {
1307 DbpString("1000 commands later...");
1308 break;
1309 }
1310 else {
1311 cmdsRecvd++;
1312 }
1313
81cd0474 1314 if(respLen > 0) {
1315 //----------------------------
1316 //u = 0;
1317 //b = 0x00;
1318 //fdt_indicator = FALSE;
1319 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1320 }
1321
1322 if (tracing) {
1323 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
1324 if (respdata != NULL) {
1325 LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1326 }
1327 }
15c4dc5a 1328
81cd0474 1329 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
9ca155ba 1330/* // Modulate Manchester
15c4dc5a 1331 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1332 AT91C_BASE_SSC->SSC_THR = 0x00;
1333 FpgaSetupSsc();
1334
1335 // ### Transmit the response ###
1336 u = 0;
1337 b = 0x00;
1338 fdt_indicator = FALSE;
1339 for(;;) {
1340 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1341 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1342 (void)b;
1343 }
1344 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1345 if(i > respLen) {
1346 b = 0x00;
1347 u++;
1348 } else {
1349 b = resp[i];
1350 i++;
1351 }
1352 AT91C_BASE_SSC->SSC_THR = b;
1353
1354 if(u > 4) {
1355 break;
1356 }
1357 }
1358 if(BUTTON_PRESS()) {
1359 break;
1360 }
1361 }
9ca155ba 1362*/
15c4dc5a 1363 }
1364
1365 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1366 LED_A_OFF();
1367}
1368
1369//-----------------------------------------------------------------------------
1370// Transmit the command (to the tag) that was placed in ToSend[].
1371//-----------------------------------------------------------------------------
f7e3ed82 1372static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1373{
1374 int c;
e30c654b 1375
15c4dc5a 1376 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1377
15c4dc5a 1378 if (wait)
1379 if(*wait < 10)
1380 *wait = 10;
e30c654b 1381
15c4dc5a 1382 for(c = 0; c < *wait;) {
1383 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1384 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1385 c++;
1386 }
1387 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1388 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1389 (void)r;
1390 }
1391 WDT_HIT();
1392 }
e30c654b 1393
15c4dc5a 1394 c = 0;
1395 for(;;) {
1396 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1397 AT91C_BASE_SSC->SSC_THR = cmd[c];
1398 c++;
1399 if(c >= len) {
1400 break;
1401 }
1402 }
1403 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1404 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1405 (void)r;
1406 }
1407 WDT_HIT();
1408 }
1409 if (samples) *samples = (c + *wait) << 3;
1410}
1411
15c4dc5a 1412//-----------------------------------------------------------------------------
1413// Code a 7-bit command without parity bit
1414// This is especially for 0x26 and 0x52 (REQA and WUPA)
1415//-----------------------------------------------------------------------------
f7e3ed82 1416void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1417{
1418 int j;
1419 int last;
f7e3ed82 1420 uint8_t b;
15c4dc5a 1421
1422 ToSendReset();
1423
1424 // Start of Communication (Seq. Z)
72934aa3 1425 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1426 last = 0;
1427
1428 b = bt;
1429 for(j = 0; j < 7; j++) {
1430 if(b & 1) {
1431 // Sequence X
72934aa3 1432 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1433 last = 1;
1434 } else {
1435 if(last == 0) {
1436 // Sequence Z
72934aa3 1437 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1438 }
1439 else {
1440 // Sequence Y
72934aa3 1441 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1442 last = 0;
1443 }
1444 }
1445 b >>= 1;
1446 }
1447
1448 // End of Communication
1449 if(last == 0) {
1450 // Sequence Z
72934aa3 1451 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1452 }
1453 else {
1454 // Sequence Y
72934aa3 1455 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1456 last = 0;
1457 }
1458 // Sequence Y
72934aa3 1459 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1460
1461 // Just to be sure!
72934aa3 1462 ToSend[++ToSendMax] = SEC_Y;
1463 ToSend[++ToSendMax] = SEC_Y;
1464 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1465
1466 // Convert from last character reference to length
1467 ToSendMax++;
1468}
1469
1470//-----------------------------------------------------------------------------
1471// Prepare reader command to send to FPGA
e30c654b 1472//
15c4dc5a 1473//-----------------------------------------------------------------------------
f7e3ed82 1474void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1475{
1476 int i, j;
1477 int last;
f7e3ed82 1478 uint8_t b;
e30c654b 1479
15c4dc5a 1480 ToSendReset();
e30c654b 1481
15c4dc5a 1482 // Start of Communication (Seq. Z)
72934aa3 1483 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1484 last = 0;
e30c654b 1485
15c4dc5a 1486 // Generate send structure for the data bits
1487 for (i = 0; i < len; i++) {
1488 // Get the current byte to send
1489 b = cmd[i];
e30c654b 1490
15c4dc5a 1491 for (j = 0; j < 8; j++) {
1492 if (b & 1) {
1493 // Sequence X
72934aa3 1494 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1495 last = 1;
1496 } else {
1497 if (last == 0) {
1498 // Sequence Z
72934aa3 1499 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1500 } else {
1501 // Sequence Y
72934aa3 1502 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1503 last = 0;
1504 }
1505 }
1506 b >>= 1;
1507 }
e30c654b 1508
15c4dc5a 1509 // Get the parity bit
1510 if ((dwParity >> i) & 0x01) {
1511 // Sequence X
72934aa3 1512 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1513 last = 1;
1514 } else {
1515 if (last == 0) {
1516 // Sequence Z
72934aa3 1517 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1518 } else {
1519 // Sequence Y
72934aa3 1520 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1521 last = 0;
1522 }
1523 }
1524 }
e30c654b 1525
15c4dc5a 1526 // End of Communication
1527 if (last == 0) {
1528 // Sequence Z
72934aa3 1529 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1530 } else {
1531 // Sequence Y
72934aa3 1532 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1533 last = 0;
1534 }
1535 // Sequence Y
72934aa3 1536 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1537
15c4dc5a 1538 // Just to be sure!
72934aa3 1539 ToSend[++ToSendMax] = SEC_Y;
1540 ToSend[++ToSendMax] = SEC_Y;
1541 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1542
15c4dc5a 1543 // Convert from last character reference to length
1544 ToSendMax++;
1545}
1546
9ca155ba
M		 1547//-----------------------------------------------------------------------------
1548// Wait for commands from reader
1549// Stop when button is pressed (return 1) or field was gone (return 2)
1550// Or return 0 when command is captured
1551//-----------------------------------------------------------------------------
1552static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1553{
1554 *len = 0;
1555
1556 uint32_t timer = 0, vtime = 0;
1557 int analogCnt = 0;
1558 int analogAVG = 0;
1559
1560 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1561 // only, since we are receiving, not transmitting).
1562 // Signal field is off with the appropriate LED
1563 LED_D_OFF();
1564 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1565
1566 // Set ADC to read field strength
1567 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1568 AT91C_BASE_ADC->ADC_MR =
1569 ADC_MODE_PRESCALE(32) |
1570 ADC_MODE_STARTUP_TIME(16) |
1571 ADC_MODE_SAMPLE_HOLD_TIME(8);
1572 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1573 // start ADC
1574 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1575
1576 // Now run a 'software UART' on the stream of incoming samples.
1577 Uart.output = received;
1578 Uart.byteCntMax = maxLen;
1579 Uart.state = STATE_UNSYNCD;
1580
1581 for(;;) {
1582 WDT_HIT();
1583
1584 if (BUTTON_PRESS()) return 1;
1585
1586 // test if the field exists
1587 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1588 analogCnt++;
1589 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1590 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1591 if (analogCnt >= 32) {
1592 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1593 vtime = GetTickCount();
1594 if (!timer) timer = vtime;
1595 // 50ms no field --> card to idle state
1596 if (vtime - timer > 50) return 2;
1597 } else
1598 if (timer) timer = 0;
1599 analogCnt = 0;
1600 analogAVG = 0;
1601 }
1602 }
1603 // transmit none
1604 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1605 AT91C_BASE_SSC->SSC_THR = 0x00;
1606 }
1607 // receive and test the miller decoding
1608 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1609 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1610 if(MillerDecoding((b & 0xf0) >> 4)) {
1611 *len = Uart.byteCnt;
8f51ddb0 1612 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M		 1613 return 0;
1614 }
1615 if(MillerDecoding(b & 0x0f)) {
1616 *len = Uart.byteCnt;
8f51ddb0 1617 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M		 1618 return 0;
1619 }
1620 }
1621 }
1622}
1623
1624static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1625{
1626 int i, u = 0;
1627 uint8_t b = 0;
1628
1629 // Modulate Manchester
1630 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1631 AT91C_BASE_SSC->SSC_THR = 0x00;
1632 FpgaSetupSsc();
1633
1634 // include correction bit
1635 i = 1;
1636 if((Uart.parityBits & 0x01) || correctionNeeded) {
1637 // 1236, so correction bit needed
1638 i = 0;
1639 }
1640
1641 // send cycle
1642 for(;;) {
1643 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1644 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1645 (void)b;
1646 }
1647 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1648 if(i > respLen) {
8f51ddb0 1649 b = 0xff; // was 0x00
9ca155ba
M		 1650 u++;
1651 } else {
1652 b = resp[i];
1653 i++;
1654 }
1655 AT91C_BASE_SSC->SSC_THR = b;
1656
1657 if(u > 4) break;
1658 }
1659 if(BUTTON_PRESS()) {
1660 break;
1661 }
1662 }
1663
1664 return 0;
1665}
1666
8f51ddb0
M		 1667int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1668 Code4bitAnswerAsTag(resp);
0a39986e 1669 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1670 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1671 return res;
9ca155ba
M		 1672}
1673
8f51ddb0
M		 1674int EmSend4bit(uint8_t resp){
1675 return EmSend4bitEx(resp, 0);
1676}
1677
1678int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1679 CodeIso14443aAsTagPar(resp, respLen, par);
1680 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1681 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1682 return res;
1683}
1684
1685int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1686 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1687}
1688
1689int EmSendCmd(uint8_t *resp, int respLen){
1690 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1691}
1692
1693int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1694 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M		 1695}
1696
15c4dc5a 1697//-----------------------------------------------------------------------------
1698// Wait a certain time for tag response
1699// If a response is captured return TRUE
1700// If it takes to long return FALSE
1701//-----------------------------------------------------------------------------
f7e3ed82 1702static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1703{
1704 // buffer needs to be 512 bytes
1705 int c;
1706
1707 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1708 // only, since we are receiving, not transmitting).
1709 // Signal field is on with the appropriate LED
1710 LED_D_ON();
1711 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1712
534983d7 1713 // Now get the answer from the card
1714 Demod.output = receivedResponse;
1715 Demod.len = 0;
1716 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1717
f7e3ed82 1718 uint8_t b;
15c4dc5a 1719 if (elapsed) *elapsed = 0;
1720
1721 c = 0;
1722 for(;;) {
534983d7 1723 WDT_HIT();
15c4dc5a 1724
534983d7 1725 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1726 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1727 if (elapsed) (*elapsed)++;
534983d7 1728 }
1729 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1730 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1731 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1732 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1733 *samples = ((c - 1) << 3) + 4;
1734 return TRUE;
1735 }
1736 if(ManchesterDecoding(b & 0x0f)) {
1737 *samples = c << 3;
1738 return TRUE;
1739 }
534983d7 1740 }
1741 }
15c4dc5a 1742}
1743
f7e3ed82 1744void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1745{
1746 int wait = 0;
1747 int samples = 0;
1748
1749 ShortFrameFromReader(*bt);
e30c654b 1750
15c4dc5a 1751 // Select the card
e30c654b 1752 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1753
15c4dc5a 1754 // Store reader command in buffer
1755 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1756}
1757
f7e3ed82 1758void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1759{
1760 int wait = 0;
1761 int samples = 0;
e30c654b 1762
15c4dc5a 1763 // This is tied to other size changes
f7e3ed82 1764 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1765 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1766
15c4dc5a 1767 // Select the card
e30c654b 1768 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1769 if(trigger)
1770 LED_A_ON();
e30c654b 1771
15c4dc5a 1772 // Store reader command in buffer
1773 if (tracing) LogTrace(frame,len,0,par,TRUE);
1774}
1775
1776
f7e3ed82 1777void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1778{
1779 // Generate parity and redirect
1780 ReaderTransmitPar(frame,len,GetParity(frame,len));
1781}
1782
f7e3ed82 1783int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1784{
1785 int samples = 0;
20f9a2a1 1786 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1787 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1788 if(samples == 0) return FALSE;
1789 return Demod.len;
15c4dc5a 1790}
1791
f89c7050
M		 1792int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1793{
1794 int samples = 0;
1795 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1796 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1797 *parptr = Demod.parityBits;
1798 if(samples == 0) return FALSE;
1799 return Demod.len;
1800}
1801
7e758047 1802/* performs iso14443a anticolision procedure
534983d7 1803 * fills the uid pointer unless NULL
1804 * fills resp_data unless NULL */
20f9a2a1
M		 1805int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1806 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1807 uint8_t sel_all[] = { 0x93,0x20 };
1808 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1809 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1810
7e758047 1811 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1812
534983d7 1813 uint8_t sak = 0x04; // cascade uid
1814 int cascade_level = 0;
1815
7e758047 1816 int len;
20f9a2a1
M		 1817
1818 // clear uid
1819 memset(uid_ptr, 0, 8);
15c4dc5a 1820
7e758047 1821 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1822 ReaderTransmitShort(wupa);
1823 // Receive the ATQA
1824 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1825
534983d7 1826 if(resp_data)
1827 memcpy(resp_data->atqa, resp, 2);
1828
534983d7 1829 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1830 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1831 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1832 for(; sak & 0x04; cascade_level++)
7e758047 1833 {
534983d7 1834 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1835 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1836
1837 // SELECT_ALL
1838 ReaderTransmit(sel_all,sizeof(sel_all));
1839 if (!ReaderReceive(resp)) return 0;
1840 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M		 1841
1842 // calculate crypto UID
1843 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1844
7e758047 1845 // Construct SELECT UID command
534983d7 1846 memcpy(sel_uid+2,resp,5);
1847 AppendCrc14443a(sel_uid,7);
1848 ReaderTransmit(sel_uid,sizeof(sel_uid));
1849
7e758047 1850 // Receive the SAK
1851 if (!ReaderReceive(resp)) return 0;
534983d7 1852 sak = resp[0];
7e758047 1853 }
534983d7 1854 if(resp_data) {
1855 resp_data->sak = sak;
1856 resp_data->ats_len = 0;
1857 }
20f9a2a1
M		 1858 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1859 if (uid_ptr[0] == 0x88) {
1860 memcpy(uid_ptr, uid_ptr + 1, 7);
1861 uid_ptr[7] = 0;
1862 }
534983d7 1863
1864 if( (sak & 0x20) == 0)
7e758047 1865 return 2; // non iso14443a compliant tag
534983d7 1866
7e758047 1867 // Request for answer to select
20f9a2a1
M		 1868 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1869 AppendCrc14443a(rats, 2);
1870 ReaderTransmit(rats, sizeof(rats));
1871
1872 if (!(len = ReaderReceive(resp))) return 0;
1873
534983d7 1874 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1875 resp_data->ats_len = len;
1876 }
20f9a2a1 1877
7e758047 1878 return 1;
1879}
15c4dc5a 1880
7e758047 1881void iso14443a_setup() {
1882 // Setup SSC
1883 FpgaSetupSsc();
1884 // Start from off (no field generated)
1885 // Signal field is off with the appropriate LED
1886 LED_D_OFF();
1887 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1888 SpinDelay(200);
15c4dc5a 1889
7e758047 1890 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1891
7e758047 1892 // Now give it time to spin up.
1893 // Signal field is on with the appropriate LED
1894 LED_D_ON();
1895 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1896 SpinDelay(200);
534983d7 1897
1898 iso14a_timeout = 2048; //default
7e758047 1899}
15c4dc5a 1900
534983d7 1901int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1902 uint8_t real_cmd[cmd_len+4];
1903 real_cmd[0] = 0x0a; //I-Block
1904 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1905 memcpy(real_cmd+2, cmd, cmd_len);
1906 AppendCrc14443a(real_cmd,cmd_len+2);
1907
1908 ReaderTransmit(real_cmd, cmd_len+4);
1909 size_t len = ReaderReceive(data);
1910 if(!len)
1911 return -1; //DATA LINK ERROR
1912
1913 return len;
1914}
1915
1916
7e758047 1917//-----------------------------------------------------------------------------
1918// Read an ISO 14443a tag. Send out commands and store answers.
1919//
1920//-----------------------------------------------------------------------------
534983d7 1921void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1922{
534983d7 1923 iso14a_command_t param = c->arg[0];
1924 uint8_t * cmd = c->d.asBytes;
1925 size_t len = c->arg[1];
e30c654b 1926
534983d7 1927 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1928
534983d7 1929 if(param & ISO14A_CONNECT) {
1930 iso14443a_setup();
20f9a2a1 1931 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1932 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1933 }
e30c654b 1934
534983d7 1935 if(param & ISO14A_SET_TIMEOUT) {
1936 iso14a_timeout = c->arg[2];
1937 }
e30c654b 1938
534983d7 1939 if(param & ISO14A_SET_TIMEOUT) {
1940 iso14a_timeout = c->arg[2];
1941 }
e30c654b 1942
534983d7 1943 if(param & ISO14A_APDU) {
1944 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1945 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1946 }
e30c654b 1947
534983d7 1948 if(param & ISO14A_RAW) {
1949 if(param & ISO14A_APPEND_CRC) {
1950 AppendCrc14443a(cmd,len);
1951 len += 2;
15c4dc5a 1952 }
534983d7 1953 ReaderTransmit(cmd,len);
1954 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1955 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1956 }
15c4dc5a 1957
534983d7 1958 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1959
534983d7 1960 if(param & ISO14A_NO_DISCONNECT)
1961 return;
15c4dc5a 1962
15c4dc5a 1963 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1964 LEDsoff();
15c4dc5a 1965}
15c4dc5a 1966//-----------------------------------------------------------------------------
1967// Read an ISO 14443a tag. Send out commands and store answers.
1968//
1969//-----------------------------------------------------------------------------
f7e3ed82 1970void ReaderMifare(uint32_t parameter)
15c4dc5a 1971{
15c4dc5a 1972 // Mifare AUTH
f7e3ed82 1973 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1974 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1975
f89c7050
M		 1976 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1977 traceLen = 0;
1978 tracing = false;
e30c654b 1979
7e758047 1980 iso14443a_setup();
e30c654b 1981
15c4dc5a 1982 LED_A_ON();
1983 LED_B_OFF();
1984 LED_C_OFF();
e30c654b 1985
f89c7050
M		 1986 byte_t nt_diff = 0;
1987 LED_A_OFF();
1988 byte_t par = 0;
9f693930 1989 //byte_t par_mask = 0xff;
f89c7050
M		 1990 byte_t par_low = 0;
1991 int led_on = TRUE;
50193c1e 1992 uint8_t uid[8];
f89c7050 1993 uint32_t cuid;
e30c654b 1994
f89c7050
M		 1995 tracing = FALSE;
1996 byte_t nt[4] = {0,0,0,0};
f397b5cc 1997 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M		 1998 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1999 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 2000 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 2001 int isOK = 0, isNULL = 0;
f397b5cc 2002
f89c7050
M		 2003 while(TRUE)
2004 {
50193c1e 2005 LED_C_ON();
f89c7050
M		 2006 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2007 SpinDelay(200);
2008 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 2009 LED_C_OFF();
e30c654b 2010
f89c7050
M		 2011 // Test if the action was cancelled
2012 if(BUTTON_PRESS()) {
2013 break;
2014 }
e30c654b 2015
f89c7050 2016 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 2017
f89c7050
M		 2018 // Transmit MIFARE_CLASSIC_AUTH
2019 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 2020
f89c7050
M		 2021 // Receive the (16 bit) "random" nonce
2022 if (!ReaderReceive(receivedAnswer)) continue;
2023 memcpy(nt, receivedAnswer, 4);
e30c654b 2024
f89c7050
M		 2025 // Transmit reader nonce and reader answer
2026 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 2027
f89c7050
M		 2028 // Receive 4 bit answer
2029 if (ReaderReceive(receivedAnswer))
2030 {
f397b5cc
M		 2031 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
2032
db389d52 2033 isNULL = (nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0);
50193c1e
M		 2034 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
2035
f89c7050
M		 2036 if (nt_diff == 0)
2037 {
2038 LED_A_ON();
2039 memcpy(nt_attacked, nt, 4);
9f693930 2040 //par_mask = 0xf8;
f89c7050
M		 2041 par_low = par & 0x07;
2042 }
15c4dc5a 2043
f89c7050
M		 2044 led_on = !led_on;
2045 if(led_on) LED_B_ON(); else LED_B_OFF();
2046 par_list[nt_diff] = par;
2047 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 2048
f89c7050
M		 2049 // Test if the information is complete
2050 if (nt_diff == 0x07) {
2051 isOK = 1;
2052 break;
2053 }
2054
2055 nt_diff = (nt_diff + 1) & 0x07;
2056 mf_nr_ar[3] = nt_diff << 5;
2057 par = par_low;
2058 } else {
2059 if (nt_diff == 0)
2060 {
2061 par++;
2062 } else {
2063 par = (((par >> 3) + 1) << 3) | par_low;
2064 }
2065 }
2066 }
e30c654b 2067
f89c7050
M		 2068 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
2069 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
2070 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 2071
f89c7050
M		 2072 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2073 memcpy(ack.d.asBytes + 0, uid, 4);
2074 memcpy(ack.d.asBytes + 4, nt, 4);
2075 memcpy(ack.d.asBytes + 8, par_list, 8);
2076 memcpy(ack.d.asBytes + 16, ks_list, 8);
2077
2078 LED_B_ON();
2079 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2080 LED_B_OFF();
2081
2082 // Thats it...
15c4dc5a 2083 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2084 LEDsoff();
f89c7050
M		 2085 tracing = TRUE;
2086
f397b5cc 2087 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M		 2088}
2089
20f9a2a1
M		 2090
2091//-----------------------------------------------------------------------------
2092// MIFARE 1K simulate.
2093//
2094//-----------------------------------------------------------------------------
2095void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2096{
50193c1e 2097 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2098 int _7BUID = 0;
9ca155ba 2099 int vHf = 0; // in mV
9f693930 2100 //int nextCycleTimeout = 0;
8f51ddb0 2101 int res;
51969283 2102// uint32_t timer = 0;
0a39986e
M		 2103 uint32_t selTimer = 0;
2104 uint32_t authTimer = 0;
2105 uint32_t par = 0;
9ca155ba 2106 int len = 0;
8f51ddb0 2107 uint8_t cardWRBL = 0;
9ca155ba
M		 2108 uint8_t cardAUTHSC = 0;
2109 uint8_t cardAUTHKEY = 0xff; // no authentication
9f693930 2110 //uint32_t cardRn = 0;
51969283 2111 uint32_t cardRr = 0;
9ca155ba 2112 uint32_t cuid = 0;
9f693930 2113 //uint32_t rn_enc = 0;
51969283 2114 uint32_t ans = 0;
0014cb46
M		 2115 uint32_t cardINTREG = 0;
2116 uint8_t cardINTBLOCK = 0;
9ca155ba
M		 2117 struct Crypto1State mpcs = {0, 0};
2118 struct Crypto1State *pcs;
2119 pcs = &mpcs;
2120
8f51ddb0
M		 2121 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2122 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2123
8556b852 2124 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2125
0a39986e
M		 2126 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2127 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2128
0a39986e 2129 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2130 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2131
0014cb46
M		 2132 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2133// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2134 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2135
0a39986e
M		 2136 // clear trace
2137 traceLen = 0;
2138 tracing = true;
51969283
M		 2139
2140 // Authenticate response - nonce
2141 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2142
8556b852
M		 2143 // get UID from emul memory
2144 emlGetMemBt(receivedCmd, 7, 1);
2145 _7BUID = !(receivedCmd[0] == 0x00);
2146 if (!_7BUID) { // ---------- 4BUID
2147 rATQA[0] = 0x04;
2148
2149 emlGetMemBt(rUIDBCC1, 0, 4);
2150 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2151 } else { // ---------- 7BUID
2152 rATQA[0] = 0x44;
2153
2154 rUIDBCC1[0] = 0x88;
2155 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2156 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2157 emlGetMemBt(rUIDBCC2, 3, 4);
2158 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2159 }
2160
9ca155ba 2161// -------------------------------------- test area
50193c1e 2162
9ca155ba 2163// -------------------------------------- END test area
8f51ddb0
M		 2164 // start mkseconds counter
2165 StartCountUS();
9ca155ba
M		 2166
2167 // We need to listen to the high-frequency, peak-detected path.
2168 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2169 FpgaSetupSsc();
2170
2171 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2172 SpinDelay(200);
2173
0014cb46 2174 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M		 2175 // calibrate mkseconds counter
2176 GetDeltaCountUS();
9ca155ba
M		 2177 while (true) {
2178 WDT_HIT();
9ca155ba 2179
8f51ddb0
M		 2180 if(BUTTON_PRESS()) {
2181 break;
2182 }
2183
9ca155ba
M		 2184 // find reader field
2185 // Vref = 3300mV, and an 10:1 voltage divider on the input
2186 // can measure voltages up to 33000 mV
2187 if (cardSTATE == MFEMUL_NOFIELD) {
2188 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2189 if (vHf > MF_MINFIELDV) {
0014cb46 2190 cardSTATE_TO_IDLE();
9ca155ba
M		 2191 LED_A_ON();
2192 }
2193 }
2194
2195 if (cardSTATE != MFEMUL_NOFIELD) {
81cd0474 2196 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
9ca155ba
M		 2197 if (res == 2) {
2198 cardSTATE = MFEMUL_NOFIELD;
2199 LEDsoff();
2200 continue;
2201 }
2202 if(res) break;
2203 }
2204
9f693930 2205 //nextCycleTimeout = 0;
8f51ddb0 2206
9ca155ba 2207// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M		 2208
2209 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2210 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M		 2211 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2212 selTimer = GetTickCount();
2213 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2214 cardSTATE = MFEMUL_SELECT1;
2215
2216 // init crypto block
2217 LED_B_OFF();
2218 LED_C_OFF();
2219 crypto1_destroy(pcs);
2220 cardAUTHKEY = 0xff;
2221 }
2222 }
9ca155ba 2223
50193c1e
M		 2224 switch (cardSTATE) {
2225 case MFEMUL_NOFIELD:{
2226 break;
2227 }
9ca155ba 2228 case MFEMUL_HALTED:{
0a39986e 2229 break;
9ca155ba 2230 }
50193c1e
M		 2231 case MFEMUL_IDLE:{
2232 break;
2233 }
2234 case MFEMUL_SELECT1:{
9ca155ba
M		 2235 // select all
2236 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2237 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2238 break;
9ca155ba
M		 2239 }
2240
2241 // select card
0a39986e
M		 2242 if (len == 9 &&
2243 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M		 2244 if (!_7BUID)
2245 EmSendCmd(rSAK, sizeof(rSAK));
2246 else
2247 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M		 2248
2249 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M		 2250 if (!_7BUID) {
2251 cardSTATE = MFEMUL_WORK;
0014cb46
M		 2252 LED_B_ON();
2253 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2254 break;
8556b852
M		 2255 } else {
2256 cardSTATE = MFEMUL_SELECT2;
2257 break;
2258 }
9ca155ba
M		 2259 }
2260
50193c1e
M		 2261 break;
2262 }
2263 case MFEMUL_SELECT2:{
0014cb46
M		 2264 if (!len) break;
2265
8556b852 2266 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2267 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M		 2268 break;
2269 }
9ca155ba 2270
8556b852
M		 2271 // select 2 card
2272 if (len == 9 &&
2273 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2274 EmSendCmd(rSAK, sizeof(rSAK));
2275
2276 cuid = bytes_to_num(rUIDBCC2, 4);
2277 cardSTATE = MFEMUL_WORK;
2278 LED_B_ON();
0014cb46 2279 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M		 2280 break;
2281 }
0014cb46
M		 2282
2283 // i guess there is a command). go into the work state.
2284 if (len != 4) break;
2285 cardSTATE = MFEMUL_WORK;
2286 goto lbWORK;
50193c1e
M		 2287 }
2288 case MFEMUL_AUTH1:{
9ca155ba 2289 if (len == 8) {
51969283 2290 // --- crypto
9f693930
GY		 2291 //rn_enc = bytes_to_num(receivedCmd, 4);
2292 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
51969283
M		 2293 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2294 // test if auth OK
2295 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M		 2296 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2297 cardSTATE_TO_IDLE();
51969283
M		 2298 break;
2299 }
2300 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2301 num_to_bytes(ans, 4, rAUTH_AT);
2302 // --- crypto
2303 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M		 2304 cardSTATE = MFEMUL_AUTH2;
2305 } else {
0014cb46 2306 cardSTATE_TO_IDLE();
9ca155ba 2307 }
0a39986e 2308 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M		 2309 }
2310 case MFEMUL_AUTH2:{
9ca155ba 2311 LED_C_ON();
0a39986e 2312 cardSTATE = MFEMUL_WORK;
0014cb46 2313 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M		 2314 break;
2315 }
9ca155ba 2316 case MFEMUL_WORK:{
0014cb46 2317lbWORK: if (len == 0) break;
0a39986e 2318
51969283
M		 2319 if (cardAUTHKEY == 0xff) {
2320 // first authentication
2321 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2322 authTimer = GetTickCount();
2323
2324 cardAUTHSC = receivedCmd[1] / 4; // received block num
2325 cardAUTHKEY = receivedCmd[0] - 0x60;
2326
2327 // --- crypto
2328 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2329 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2330 num_to_bytes(nonce, 4, rAUTH_AT);
2331 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2332 // --- crypto
2333
2334// last working revision
2335// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2336// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2337
2338 cardSTATE = MFEMUL_AUTH1;
9f693930 2339 //nextCycleTimeout = 10;
51969283
M		 2340 break;
2341 }
2342 } else {
2343 // decrypt seqence
2344 mf_crypto1_decrypt(pcs, receivedCmd, len);
2345
2346 // nested authentication
2347 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2348 authTimer = GetTickCount();
2349
2350 cardAUTHSC = receivedCmd[1] / 4; // received block num
2351 cardAUTHKEY = receivedCmd[0] - 0x60;
2352
2353 // --- crypto
2354 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2355 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2356 num_to_bytes(ans, 4, rAUTH_AT);
2357 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2358 // --- crypto
2359
2360 cardSTATE = MFEMUL_AUTH1;
9f693930 2361 //nextCycleTimeout = 10;
51969283
M		 2362 break;
2363 }
2364 }
0a39986e 2365
8f51ddb0
M		 2366 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2367 // BUT... ACK --> NACK
2368 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2369 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2370 break;
2371 }
2372
2373 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2374 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2375 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2376 break;
0a39986e
M		 2377 }
2378
2379 // read block
2380 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2381 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M		 2382 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2383 break;
2384 }
2385 emlGetMem(response, receivedCmd[1], 1);
2386 AppendCrc14443a(response, 16);
2387 mf_crypto1_encrypt(pcs, response, 18, &par);
2388 EmSendCmdPar(response, 18, par);
0a39986e
M		 2389 break;
2390 }
2391
2392 // write block
2393 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2394 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M		 2395 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2396 break;
2397 }
2398 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
9f693930 2399 //nextCycleTimeout = 50;
8f51ddb0
M		 2400 cardSTATE = MFEMUL_WRITEBL2;
2401 cardWRBL = receivedCmd[1];
0a39986e 2402 break;
9ca155ba 2403 }
8f51ddb0 2404
0014cb46
M		 2405 // works with cardINTREG
2406
2407 // increment, decrement, restore
2408 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2409 if (receivedCmd[1] >= 16 * 4 ||
2410 receivedCmd[1] / 4 != cardAUTHSC ||
2411 emlCheckValBl(receivedCmd[1])) {
2412 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2413 break;
2414 }
2415 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2416 if (receivedCmd[0] == 0xC1)
2417 cardSTATE = MFEMUL_INTREG_INC;
2418 if (receivedCmd[0] == 0xC0)
2419 cardSTATE = MFEMUL_INTREG_DEC;
2420 if (receivedCmd[0] == 0xC2)
2421 cardSTATE = MFEMUL_INTREG_REST;
2422 cardWRBL = receivedCmd[1];
2423
2424 break;
2425 }
2426
2427
2428 // transfer
2429 if (len == 4 && receivedCmd[0] == 0xB0) {
2430 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2431 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2432 break;
2433 }
2434
2435 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2436 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2437 else
2438 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2439
2440 break;
2441 }
2442
9ca155ba 2443 // halt
0a39986e 2444 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2445 LED_B_OFF();
0a39986e 2446 LED_C_OFF();
0014cb46
M		 2447 cardSTATE = MFEMUL_HALTED;
2448 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2449 break;
9ca155ba 2450 }
51969283 2451
8f51ddb0
M		 2452 // command not allowed
2453 if (len == 4) {
2454 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2455 break;
2456 }
51969283
M		 2457
2458 // case break
2459 break;
8f51ddb0
M		 2460 }
2461 case MFEMUL_WRITEBL2:{
2462 if (len == 18){
2463 mf_crypto1_decrypt(pcs, receivedCmd, len);
2464 emlSetMem(receivedCmd, cardWRBL, 1);
2465 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2466 cardSTATE = MFEMUL_WORK;
2467 break;
51969283 2468 } else {
0014cb46 2469 cardSTATE_TO_IDLE();
51969283 2470 break;
8f51ddb0 2471 }
8f51ddb0 2472 break;
50193c1e 2473 }
0014cb46
M		 2474
2475 case MFEMUL_INTREG_INC:{
2476 mf_crypto1_decrypt(pcs, receivedCmd, len);
2477 memcpy(&ans, receivedCmd, 4);
2478 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2479 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2480 cardSTATE_TO_IDLE();
2481 break;
2482 }
2483 cardINTREG = cardINTREG + ans;
2484 cardSTATE = MFEMUL_WORK;
2485 break;
2486 }
2487 case MFEMUL_INTREG_DEC:{
2488 mf_crypto1_decrypt(pcs, receivedCmd, len);
2489 memcpy(&ans, receivedCmd, 4);
2490 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2491 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2492 cardSTATE_TO_IDLE();
2493 break;
2494 }
2495 cardINTREG = cardINTREG - ans;
2496 cardSTATE = MFEMUL_WORK;
2497 break;
2498 }
2499 case MFEMUL_INTREG_REST:{
2500 mf_crypto1_decrypt(pcs, receivedCmd, len);
2501 memcpy(&ans, receivedCmd, 4);
2502 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2503 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2504 cardSTATE_TO_IDLE();
2505 break;
2506 }
2507 cardSTATE = MFEMUL_WORK;
2508 break;
2509 }
50193c1e
M		 2510
2511 }
2512
2513 }
2514
9ca155ba
M		 2515 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2516 LEDsoff();
2517
0a39986e 2518 // add trace trailer
8f51ddb0 2519 memset(rAUTH_NT, 0x44, 4);
0a39986e
M		 2520 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2521
0014cb46 2522 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2523}
Proxmark3 GIT tracking
Impressum, Datenschutz