linux patch by Wil
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M
20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
f7e3ed82 23static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 24static int traceLen = 0;
25static int rsamples = 0;
f7e3ed82 26static int tracing = TRUE;
534983d7 27static uint32_t iso14a_timeout;
15c4dc5a 28
72934aa3 29// CARD TO READER
30// Sequence D: 11110000 modulation with subcarrier during first half
31// Sequence E: 00001111 modulation with subcarrier during second half
32// Sequence F: 00000000 no modulation with subcarrier
33// READER TO CARD
34// Sequence X: 00001100 drop after half a period
35// Sequence Y: 00000000 no drop
36// Sequence Z: 11000000 drop at start
37#define SEC_D 0xf0
38#define SEC_E 0x0f
39#define SEC_F 0x00
40#define SEC_X 0x0c
41#define SEC_Y 0x00
42#define SEC_Z 0xc0
15c4dc5a 43
f7e3ed82 44static const uint8_t OddByteParity[256] = {
15c4dc5a 45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
58 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
61};
62
63// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
64#define RECV_CMD_OFFSET 3032
65#define RECV_RES_OFFSET 3096
66#define DMA_BUFFER_OFFSET 3160
67#define DMA_BUFFER_SIZE 4096
68#define TRACE_LENGTH 3000
69
534983d7 70uint8_t trigger = 0;
71void iso14a_set_trigger(int enable) {
72 trigger = enable;
73}
74
15c4dc5a 75//-----------------------------------------------------------------------------
76// Generate the parity value for a byte sequence
e30c654b 77//
15c4dc5a 78//-----------------------------------------------------------------------------
20f9a2a1
M
79byte_t oddparity (const byte_t bt)
80{
81 return OddByteParity[bt];
82}
83
f7e3ed82 84uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 85{
86 int i;
f7e3ed82 87 uint32_t dwPar = 0;
72934aa3 88
15c4dc5a 89 // Generate the encrypted data
90 for (i = 0; i < iLen; i++) {
91 // Save the encrypted parity bit
92 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
93 }
94 return dwPar;
95}
96
534983d7 97void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 98{
99 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
100}
101
ed82636b 102int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 103{
104 // Return when trace is full
105 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 106
15c4dc5a 107 // Trace the random, i'm curious
108 rsamples += iSamples;
109 trace[traceLen++] = ((rsamples >> 0) & 0xff);
110 trace[traceLen++] = ((rsamples >> 8) & 0xff);
111 trace[traceLen++] = ((rsamples >> 16) & 0xff);
112 trace[traceLen++] = ((rsamples >> 24) & 0xff);
113 if (!bReader) {
114 trace[traceLen - 1] |= 0x80;
115 }
116 trace[traceLen++] = ((dwParity >> 0) & 0xff);
117 trace[traceLen++] = ((dwParity >> 8) & 0xff);
118 trace[traceLen++] = ((dwParity >> 16) & 0xff);
119 trace[traceLen++] = ((dwParity >> 24) & 0xff);
120 trace[traceLen++] = iLen;
121 memcpy(trace + traceLen, btBytes, iLen);
122 traceLen += iLen;
123 return TRUE;
124}
125
15c4dc5a 126//-----------------------------------------------------------------------------
127// The software UART that receives commands from the reader, and its state
128// variables.
129//-----------------------------------------------------------------------------
130static struct {
131 enum {
132 STATE_UNSYNCD,
133 STATE_START_OF_COMMUNICATION,
134 STATE_MILLER_X,
135 STATE_MILLER_Y,
136 STATE_MILLER_Z,
137 STATE_ERROR_WAIT
138 } state;
f7e3ed82 139 uint16_t shiftReg;
15c4dc5a 140 int bitCnt;
141 int byteCnt;
142 int byteCntMax;
143 int posCnt;
144 int syncBit;
145 int parityBits;
146 int samples;
147 int highCnt;
148 int bitBuffer;
149 enum {
150 DROP_NONE,
151 DROP_FIRST_HALF,
152 DROP_SECOND_HALF
153 } drop;
f7e3ed82 154 uint8_t *output;
15c4dc5a 155} Uart;
156
6c1e2d95 157static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 158{
159 int error = 0;
160 int bitright;
161
162 if(!Uart.bitBuffer) {
163 Uart.bitBuffer = bit ^ 0xFF0;
164 return FALSE;
165 }
166 else {
167 Uart.bitBuffer <<= 4;
168 Uart.bitBuffer ^= bit;
169 }
170
f7e3ed82 171 int EOC = FALSE;
15c4dc5a 172
173 if(Uart.state != STATE_UNSYNCD) {
174 Uart.posCnt++;
175
176 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
177 bit = 0x00;
178 }
179 else {
180 bit = 0x01;
181 }
182 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
183 bitright = 0x00;
184 }
185 else {
186 bitright = 0x01;
187 }
188 if(bit != bitright) { bit = bitright; }
189
190 if(Uart.posCnt == 1) {
191 // measurement first half bitperiod
192 if(!bit) {
193 Uart.drop = DROP_FIRST_HALF;
194 }
195 }
196 else {
197 // measurement second half bitperiod
198 if(!bit & (Uart.drop == DROP_NONE)) {
199 Uart.drop = DROP_SECOND_HALF;
200 }
201 else if(!bit) {
202 // measured a drop in first and second half
203 // which should not be possible
204 Uart.state = STATE_ERROR_WAIT;
205 error = 0x01;
206 }
207
208 Uart.posCnt = 0;
209
210 switch(Uart.state) {
211 case STATE_START_OF_COMMUNICATION:
212 Uart.shiftReg = 0;
213 if(Uart.drop == DROP_SECOND_HALF) {
214 // error, should not happen in SOC
215 Uart.state = STATE_ERROR_WAIT;
216 error = 0x02;
217 }
218 else {
219 // correct SOC
220 Uart.state = STATE_MILLER_Z;
221 }
222 break;
223
224 case STATE_MILLER_Z:
225 Uart.bitCnt++;
226 Uart.shiftReg >>= 1;
227 if(Uart.drop == DROP_NONE) {
228 // logic '0' followed by sequence Y
229 // end of communication
230 Uart.state = STATE_UNSYNCD;
231 EOC = TRUE;
232 }
233 // if(Uart.drop == DROP_FIRST_HALF) {
234 // Uart.state = STATE_MILLER_Z; stay the same
235 // we see a logic '0' }
236 if(Uart.drop == DROP_SECOND_HALF) {
237 // we see a logic '1'
238 Uart.shiftReg |= 0x100;
239 Uart.state = STATE_MILLER_X;
240 }
241 break;
242
243 case STATE_MILLER_X:
244 Uart.shiftReg >>= 1;
245 if(Uart.drop == DROP_NONE) {
246 // sequence Y, we see a '0'
247 Uart.state = STATE_MILLER_Y;
248 Uart.bitCnt++;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // Would be STATE_MILLER_Z
252 // but Z does not follow X, so error
253 Uart.state = STATE_ERROR_WAIT;
254 error = 0x03;
255 }
256 if(Uart.drop == DROP_SECOND_HALF) {
257 // We see a '1' and stay in state X
258 Uart.shiftReg |= 0x100;
259 Uart.bitCnt++;
260 }
261 break;
262
263 case STATE_MILLER_Y:
264 Uart.bitCnt++;
265 Uart.shiftReg >>= 1;
266 if(Uart.drop == DROP_NONE) {
267 // logic '0' followed by sequence Y
268 // end of communication
269 Uart.state = STATE_UNSYNCD;
270 EOC = TRUE;
271 }
272 if(Uart.drop == DROP_FIRST_HALF) {
273 // we see a '0'
274 Uart.state = STATE_MILLER_Z;
275 }
276 if(Uart.drop == DROP_SECOND_HALF) {
277 // We see a '1' and go to state X
278 Uart.shiftReg |= 0x100;
279 Uart.state = STATE_MILLER_X;
280 }
281 break;
282
283 case STATE_ERROR_WAIT:
284 // That went wrong. Now wait for at least two bit periods
285 // and try to sync again
286 if(Uart.drop == DROP_NONE) {
287 Uart.highCnt = 6;
288 Uart.state = STATE_UNSYNCD;
289 }
290 break;
291
292 default:
293 Uart.state = STATE_UNSYNCD;
294 Uart.highCnt = 0;
295 break;
296 }
297
298 Uart.drop = DROP_NONE;
299
300 // should have received at least one whole byte...
301 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
302 return TRUE;
303 }
304
305 if(Uart.bitCnt == 9) {
306 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
307 Uart.byteCnt++;
308
309 Uart.parityBits <<= 1;
310 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
311
312 if(EOC) {
313 // when End of Communication received and
314 // all data bits processed..
315 return TRUE;
316 }
317 Uart.bitCnt = 0;
318 }
319
320 /*if(error) {
321 Uart.output[Uart.byteCnt] = 0xAA;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = error & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = 0xAA;
334 Uart.byteCnt++;
335 return TRUE;
336 }*/
337 }
338
339 }
340 else {
341 bit = Uart.bitBuffer & 0xf0;
342 bit >>= 4;
343 bit ^= 0x0F;
344 if(bit) {
345 // should have been high or at least (4 * 128) / fc
346 // according to ISO this should be at least (9 * 128 + 20) / fc
347 if(Uart.highCnt == 8) {
348 // we went low, so this could be start of communication
349 // it turns out to be safer to choose a less significant
350 // syncbit... so we check whether the neighbour also represents the drop
351 Uart.posCnt = 1; // apparently we are busy with our first half bit period
352 Uart.syncBit = bit & 8;
353 Uart.samples = 3;
354 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
355 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
356 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
357 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 359 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 360 Uart.syncBit = 8;
361
362 // the first half bit period is expected in next sample
363 Uart.posCnt = 0;
364 Uart.samples = 3;
365 }
366 }
367 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
368
369 Uart.syncBit <<= 4;
370 Uart.state = STATE_START_OF_COMMUNICATION;
371 Uart.drop = DROP_FIRST_HALF;
372 Uart.bitCnt = 0;
373 Uart.byteCnt = 0;
374 Uart.parityBits = 0;
375 error = 0;
376 }
377 else {
378 Uart.highCnt = 0;
379 }
380 }
381 else {
382 if(Uart.highCnt < 8) {
383 Uart.highCnt++;
384 }
385 }
386 }
387
388 return FALSE;
389}
390
391//=============================================================================
392// ISO 14443 Type A - Manchester
393//=============================================================================
394
395static struct {
396 enum {
397 DEMOD_UNSYNCD,
398 DEMOD_START_OF_COMMUNICATION,
399 DEMOD_MANCHESTER_D,
400 DEMOD_MANCHESTER_E,
401 DEMOD_MANCHESTER_F,
402 DEMOD_ERROR_WAIT
403 } state;
404 int bitCount;
405 int posCount;
406 int syncBit;
407 int parityBits;
f7e3ed82 408 uint16_t shiftReg;
15c4dc5a 409 int buffer;
410 int buff;
411 int samples;
412 int len;
413 enum {
414 SUB_NONE,
415 SUB_FIRST_HALF,
416 SUB_SECOND_HALF
417 } sub;
f7e3ed82 418 uint8_t *output;
15c4dc5a 419} Demod;
420
6c1e2d95 421static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 422{
423 int bit;
424 int modulation;
425 int error = 0;
426
427 if(!Demod.buff) {
428 Demod.buff = 1;
429 Demod.buffer = v;
430 return FALSE;
431 }
432 else {
433 bit = Demod.buffer;
434 Demod.buffer = v;
435 }
436
437 if(Demod.state==DEMOD_UNSYNCD) {
438 Demod.output[Demod.len] = 0xfa;
439 Demod.syncBit = 0;
440 //Demod.samples = 0;
441 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 442
443 if(bit & 0x08) {
444 Demod.syncBit = 0x08;
15c4dc5a 445 }
15c4dc5a 446
2f2d9fc5 447 if(bit & 0x04) {
448 if(Demod.syncBit) {
449 bit <<= 4;
450 }
451 Demod.syncBit = 0x04;
452 }
15c4dc5a 453
2f2d9fc5 454 if(bit & 0x02) {
455 if(Demod.syncBit) {
456 bit <<= 2;
15c4dc5a 457 }
2f2d9fc5 458 Demod.syncBit = 0x02;
15c4dc5a 459 }
15c4dc5a 460
593924e7 461 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 462 Demod.syncBit = 0x01;
463 }
464
15c4dc5a 465 if(Demod.syncBit) {
466 Demod.len = 0;
467 Demod.state = DEMOD_START_OF_COMMUNICATION;
468 Demod.sub = SUB_FIRST_HALF;
469 Demod.bitCount = 0;
470 Demod.shiftReg = 0;
471 Demod.parityBits = 0;
472 Demod.samples = 0;
473 if(Demod.posCount) {
534983d7 474 if(trigger) LED_A_OFF();
15c4dc5a 475 switch(Demod.syncBit) {
476 case 0x08: Demod.samples = 3; break;
477 case 0x04: Demod.samples = 2; break;
478 case 0x02: Demod.samples = 1; break;
479 case 0x01: Demod.samples = 0; break;
480 }
481 }
482 error = 0;
483 }
484 }
485 else {
486 //modulation = bit & Demod.syncBit;
487 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
488
489 Demod.samples += 4;
490
491 if(Demod.posCount==0) {
492 Demod.posCount = 1;
493 if(modulation) {
494 Demod.sub = SUB_FIRST_HALF;
495 }
496 else {
497 Demod.sub = SUB_NONE;
498 }
499 }
500 else {
501 Demod.posCount = 0;
502 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
503 if(Demod.state!=DEMOD_ERROR_WAIT) {
504 Demod.state = DEMOD_ERROR_WAIT;
505 Demod.output[Demod.len] = 0xaa;
506 error = 0x01;
507 }
508 }
509 else if(modulation) {
510 Demod.sub = SUB_SECOND_HALF;
511 }
512
513 switch(Demod.state) {
514 case DEMOD_START_OF_COMMUNICATION:
515 if(Demod.sub == SUB_FIRST_HALF) {
516 Demod.state = DEMOD_MANCHESTER_D;
517 }
518 else {
519 Demod.output[Demod.len] = 0xab;
520 Demod.state = DEMOD_ERROR_WAIT;
521 error = 0x02;
522 }
523 break;
524
525 case DEMOD_MANCHESTER_D:
526 case DEMOD_MANCHESTER_E:
527 if(Demod.sub == SUB_FIRST_HALF) {
528 Demod.bitCount++;
529 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
530 Demod.state = DEMOD_MANCHESTER_D;
531 }
532 else if(Demod.sub == SUB_SECOND_HALF) {
533 Demod.bitCount++;
534 Demod.shiftReg >>= 1;
535 Demod.state = DEMOD_MANCHESTER_E;
536 }
537 else {
538 Demod.state = DEMOD_MANCHESTER_F;
539 }
540 break;
541
542 case DEMOD_MANCHESTER_F:
543 // Tag response does not need to be a complete byte!
544 if(Demod.len > 0 || Demod.bitCount > 0) {
545 if(Demod.bitCount > 0) {
546 Demod.shiftReg >>= (9 - Demod.bitCount);
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549 // No parity bit, so just shift a 0
550 Demod.parityBits <<= 1;
551 }
552
553 Demod.state = DEMOD_UNSYNCD;
554 return TRUE;
555 }
556 else {
557 Demod.output[Demod.len] = 0xad;
558 Demod.state = DEMOD_ERROR_WAIT;
559 error = 0x03;
560 }
561 break;
562
563 case DEMOD_ERROR_WAIT:
564 Demod.state = DEMOD_UNSYNCD;
565 break;
566
567 default:
568 Demod.output[Demod.len] = 0xdd;
569 Demod.state = DEMOD_UNSYNCD;
570 break;
571 }
572
573 if(Demod.bitCount>=9) {
574 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
575 Demod.len++;
576
577 Demod.parityBits <<= 1;
578 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
579
580 Demod.bitCount = 0;
581 Demod.shiftReg = 0;
582 }
583
584 /*if(error) {
585 Demod.output[Demod.len] = 0xBB;
586 Demod.len++;
587 Demod.output[Demod.len] = error & 0xFF;
588 Demod.len++;
589 Demod.output[Demod.len] = 0xBB;
590 Demod.len++;
591 Demod.output[Demod.len] = bit & 0xFF;
592 Demod.len++;
593 Demod.output[Demod.len] = Demod.buffer & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = 0xBB;
598 Demod.len++;
599 return TRUE;
600 }*/
601
602 }
603
604 } // end (state != UNSYNCED)
605
606 return FALSE;
607}
608
609//=============================================================================
610// Finally, a `sniffer' for ISO 14443 Type A
611// Both sides of communication!
612//=============================================================================
613
614//-----------------------------------------------------------------------------
615// Record the sequence of commands sent by the reader to the tag, with
616// triggering so that we start recording at the point that the tag is moved
617// near the reader.
618//-----------------------------------------------------------------------------
6c1e2d95 619void RAMFUNC SnoopIso14443a(void)
15c4dc5a 620{
621// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
622// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
623// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
624// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
625// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
626
627 // We won't start recording the frames that we acquire until we trigger;
628 // a good trigger condition to get started is probably when we see a
629 // response from the tag.
7e758047 630 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 631
632 // The command (reader -> tag) that we're receiving.
633 // The length of a received command will in most cases be no more than 18 bytes.
634 // So 32 should be enough!
f7e3ed82 635 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 636 // The response (tag -> reader) that we're receiving.
f7e3ed82 637 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 638
639 // As we receive stuff, we copy it from receivedCmd or receivedResponse
640 // into trace, along with its length and other annotations.
f7e3ed82 641 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 642
643 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 644
645 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 646 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 647 int lastRxCounter;
f7e3ed82 648 int8_t *upTo;
15c4dc5a 649 int smpl;
650 int maxBehindBy = 0;
651
652 // Count of samples received so far, so that we can include timing
653 // information in the trace buffer.
654 int samples = 0;
cee5a30d 655 int rsamples = 0;
15c4dc5a 656
657 memset(trace, 0x44, RECV_CMD_OFFSET);
658
659 // Set up the demodulator for tag -> reader responses.
660 Demod.output = receivedResponse;
661 Demod.len = 0;
662 Demod.state = DEMOD_UNSYNCD;
663
7e758047 664 // Setup for the DMA.
665 FpgaSetupSsc();
666 upTo = dmaBuf;
667 lastRxCounter = DMA_BUFFER_SIZE;
668 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
669
15c4dc5a 670 // And the reader -> tag commands
671 memset(&Uart, 0, sizeof(Uart));
672 Uart.output = receivedCmd;
673 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
674 Uart.state = STATE_UNSYNCD;
675
676 // And put the FPGA in the appropriate mode
677 // Signal field is off with the appropriate LED
678 LED_D_OFF();
679 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
680 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
681
15c4dc5a 682
683 // And now we loop, receiving samples.
684 for(;;) {
7e758047 685 LED_A_ON();
686 WDT_HIT();
15c4dc5a 687 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
688 (DMA_BUFFER_SIZE-1);
689 if(behindBy > maxBehindBy) {
690 maxBehindBy = behindBy;
691 if(behindBy > 400) {
7e758047 692 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 693 goto done;
694 }
695 }
696 if(behindBy < 1) continue;
697
7e758047 698 LED_A_OFF();
15c4dc5a 699 smpl = upTo[0];
700 upTo++;
701 lastRxCounter -= 1;
702 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
703 upTo -= DMA_BUFFER_SIZE;
704 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 705 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 706 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
707 }
708
709 samples += 4;
7e758047 710 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 711 rsamples = samples - Uart.samples;
72934aa3 712 LED_C_ON();
7e758047 713 if(triggered) {
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 718 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 722 trace[traceLen++] = Uart.byteCnt;
723 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
724 traceLen += Uart.byteCnt;
725 if(traceLen > TRACE_LENGTH) break;
726 }
727 /* And ready to receive another command. */
728 Uart.state = STATE_UNSYNCD;
729 /* And also reset the demod code, which might have been */
730 /* false-triggered by the commands from the reader. */
731 Demod.state = DEMOD_UNSYNCD;
7e758047 732 LED_B_OFF();
15c4dc5a 733 }
7e758047 734
735 if(ManchesterDecoding(smpl & 0x0F)) {
736 rsamples = samples - Demod.samples;
737 LED_B_ON();
738
739 // timestamp, as a count of samples
740 trace[traceLen++] = ((rsamples >> 0) & 0xff);
741 trace[traceLen++] = ((rsamples >> 8) & 0xff);
742 trace[traceLen++] = ((rsamples >> 16) & 0xff);
743 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
744 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
745 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
748 // length
749 trace[traceLen++] = Demod.len;
750 memcpy(trace+traceLen, receivedResponse, Demod.len);
751 traceLen += Demod.len;
752 if(traceLen > TRACE_LENGTH) break;
753
754 triggered = TRUE;
15c4dc5a 755
756 // And ready to receive another response.
757 memset(&Demod, 0, sizeof(Demod));
758 Demod.output = receivedResponse;
759 Demod.state = DEMOD_UNSYNCD;
7e758047 760 LED_C_OFF();
761 }
15c4dc5a 762
763 if(BUTTON_PRESS()) {
764 DbpString("cancelled_a");
765 goto done;
766 }
767 }
768
769 DbpString("COMMAND FINISHED");
770
771 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
772 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
773
774done:
775 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
776 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
777 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
778 LED_A_OFF();
779 LED_B_OFF();
780 LED_C_OFF();
781 LED_D_OFF();
782}
783
15c4dc5a 784//-----------------------------------------------------------------------------
785// Prepare tag messages
786//-----------------------------------------------------------------------------
f7e3ed82 787static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 788{
789 int i;
790 int oddparity;
791
792 ToSendReset();
793
794 // Correction bit, might be removed when not needed
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798 ToSendStuffBit(0);
799 ToSendStuffBit(1); // 1
800 ToSendStuffBit(0);
801 ToSendStuffBit(0);
802 ToSendStuffBit(0);
803
804 // Send startbit
72934aa3 805 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 806
807 for(i = 0; i < len; i++) {
808 int j;
f7e3ed82 809 uint8_t b = cmd[i];
15c4dc5a 810
811 // Data bits
812 oddparity = 0x01;
813 for(j = 0; j < 8; j++) {
814 oddparity ^= (b & 1);
815 if(b & 1) {
72934aa3 816 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 817 } else {
72934aa3 818 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 819 }
820 b >>= 1;
821 }
822
823 // Parity bit
824 if(oddparity) {
72934aa3 825 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 826 } else {
72934aa3 827 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 828 }
829 }
830
831 // Send stopbit
72934aa3 832 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 833
834 // Flush the buffer in FPGA!!
835 for(i = 0; i < 5; i++) {
72934aa3 836 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 837 }
838
839 // Convert from last byte pos to length
840 ToSendMax++;
841
842 // Add a few more for slop
843 ToSend[ToSendMax++] = 0x00;
844 ToSend[ToSendMax++] = 0x00;
845 //ToSendMax += 2;
846}
847
848//-----------------------------------------------------------------------------
849// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
850//-----------------------------------------------------------------------------
851static void CodeStrangeAnswer()
852{
853 int i;
854
855 ToSendReset();
856
857 // Correction bit, might be removed when not needed
858 ToSendStuffBit(0);
859 ToSendStuffBit(0);
860 ToSendStuffBit(0);
861 ToSendStuffBit(0);
862 ToSendStuffBit(1); // 1
863 ToSendStuffBit(0);
864 ToSendStuffBit(0);
865 ToSendStuffBit(0);
866
867 // Send startbit
72934aa3 868 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 869
870 // 0
72934aa3 871 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 872
873 // 0
72934aa3 874 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 875
876 // 1
72934aa3 877 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 878
879 // Send stopbit
72934aa3 880 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 881
882 // Flush the buffer in FPGA!!
883 for(i = 0; i < 5; i++) {
72934aa3 884 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 885 }
886
887 // Convert from last byte pos to length
888 ToSendMax++;
889
890 // Add a few more for slop
891 ToSend[ToSendMax++] = 0x00;
892 ToSend[ToSendMax++] = 0x00;
893 //ToSendMax += 2;
894}
895
896//-----------------------------------------------------------------------------
897// Wait for commands from reader
898// Stop when button is pressed
899// Or return TRUE when command is captured
900//-----------------------------------------------------------------------------
f7e3ed82 901static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 902{
903 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
904 // only, since we are receiving, not transmitting).
905 // Signal field is off with the appropriate LED
906 LED_D_OFF();
907 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
908
909 // Now run a `software UART' on the stream of incoming samples.
910 Uart.output = received;
911 Uart.byteCntMax = maxLen;
912 Uart.state = STATE_UNSYNCD;
913
914 for(;;) {
915 WDT_HIT();
916
917 if(BUTTON_PRESS()) return FALSE;
918
919 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
920 AT91C_BASE_SSC->SSC_THR = 0x00;
921 }
922 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 923 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 924 if(MillerDecoding((b & 0xf0) >> 4)) {
925 *len = Uart.byteCnt;
926 return TRUE;
927 }
928 if(MillerDecoding(b & 0x0f)) {
929 *len = Uart.byteCnt;
930 return TRUE;
931 }
932 }
933 }
934}
935
936//-----------------------------------------------------------------------------
937// Main loop of simulated tag: receive commands from reader, decide what
938// response to send, and send it.
939//-----------------------------------------------------------------------------
940void SimulateIso14443aTag(int tagType, int TagUid)
941{
942 // This function contains the tag emulation
943
944 // Prepare protocol messages
f7e3ed82 945 // static const uint8_t cmd1[] = { 0x26 };
946// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 947//
f7e3ed82 948 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
949// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 950
951 // UID response
f7e3ed82 952 // static const uint8_t cmd2[] = { 0x93, 0x20 };
953 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 954
15c4dc5a 955// my desfire
f7e3ed82 956 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 957
958
959// When reader selects us during cascade1 it will send cmd3
f7e3ed82 960//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
961uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 962ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
963
964// send cascade2 2nd half of UID
f7e3ed82 965static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 966// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
967
15c4dc5a 968// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 969//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
970uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 971ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
972
f7e3ed82 973 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 974
f7e3ed82 975 uint8_t *resp;
15c4dc5a 976 int respLen;
977
978 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
979 // This will need
980 // 144 data bits (18 * 8)
981 // 18 parity bits
982 // 2 Start and stop
983 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
984 // 1 just for the case
985 // ----------- +
986 // 166
987 //
988 // 166 bytes, since every bit that needs to be send costs us a byte
989 //
990
15c4dc5a 991 // Respond with card type
f7e3ed82 992 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 993 int resp1Len;
994
995 // Anticollision cascade1 - respond with uid
f7e3ed82 996 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 997 int resp2Len;
998
999 // Anticollision cascade2 - respond with 2nd half of uid if asked
1000 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1001 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1002 int resp2aLen;
1003
1004 // Acknowledge select - cascade 1
f7e3ed82 1005 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1006 int resp3Len;
1007
1008 // Acknowledge select - cascade 2
f7e3ed82 1009 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1010 int resp3aLen;
1011
1012 // Response to a read request - not implemented atm
f7e3ed82 1013 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1014 int resp4Len;
1015
1016 // Authenticate response - nonce
f7e3ed82 1017 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1018 int resp5Len;
1019
f7e3ed82 1020 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1021 int len;
1022
1023 int i;
1024 int u;
f7e3ed82 1025 uint8_t b;
15c4dc5a 1026
1027 // To control where we are in the protocol
1028 int order = 0;
1029 int lastorder;
1030
1031 // Just to allow some checks
1032 int happened = 0;
1033 int happened2 = 0;
1034
1035 int cmdsRecvd = 0;
1036
f7e3ed82 1037 int fdt_indicator;
15c4dc5a 1038
1039 memset(receivedCmd, 0x44, 400);
1040
1041 // Prepare the responses of the anticollision phase
1042 // there will be not enough time to do this at the moment the reader sends it REQA
1043
1044 // Answer to request
1045 CodeIso14443aAsTag(response1, sizeof(response1));
1046 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1047
1048 // Send our UID (cascade 1)
1049 CodeIso14443aAsTag(response2, sizeof(response2));
1050 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1051
1052 // Answer to select (cascade1)
1053 CodeIso14443aAsTag(response3, sizeof(response3));
1054 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1055
1056 // Send the cascade 2 2nd part of the uid
1057 CodeIso14443aAsTag(response2a, sizeof(response2a));
1058 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1059
1060 // Answer to select (cascade 2)
1061 CodeIso14443aAsTag(response3a, sizeof(response3a));
1062 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1063
1064 // Strange answer is an example of rare message size (3 bits)
1065 CodeStrangeAnswer();
1066 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1067
1068 // Authentication answer (random nonce)
1069 CodeIso14443aAsTag(response5, sizeof(response5));
1070 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1071
1072 // We need to listen to the high-frequency, peak-detected path.
1073 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1074 FpgaSetupSsc();
1075
1076 cmdsRecvd = 0;
1077
1078 LED_A_ON();
1079 for(;;) {
1080
1081 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1082 DbpString("button press");
1083 break;
1084 }
1085 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1086 // Okay, look at the command now.
1087 lastorder = order;
1088 i = 1; // first byte transmitted
1089 if(receivedCmd[0] == 0x26) {
1090 // Received a REQUEST
1091 resp = resp1; respLen = resp1Len; order = 1;
1092 //DbpString("Hello request from reader:");
1093 } else if(receivedCmd[0] == 0x52) {
1094 // Received a WAKEUP
1095 resp = resp1; respLen = resp1Len; order = 6;
1096// //DbpString("Wakeup request from reader:");
1097
1098 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1099 // Received request for UID (cascade 1)
1100 resp = resp2; respLen = resp2Len; order = 2;
1101// DbpString("UID (cascade 1) request from reader:");
1102// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1103
1104
1105 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1106 // Received request for UID (cascade 2)
1107 resp = resp2a; respLen = resp2aLen; order = 20;
1108// DbpString("UID (cascade 2) request from reader:");
1109// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1110
1111
1112 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1113 // Received a SELECT
1114 resp = resp3; respLen = resp3Len; order = 3;
1115// DbpString("Select (cascade 1) request from reader:");
1116// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1117
1118
1119 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1120 // Received a SELECT
1121 resp = resp3a; respLen = resp3aLen; order = 30;
1122// DbpString("Select (cascade 2) request from reader:");
1123// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124
1125
1126 } else if(receivedCmd[0] == 0x30) {
1127 // Received a READ
1128 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1129 Dbprintf("Read request from reader: %x %x %x",
1130 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1131
1132
1133 } else if(receivedCmd[0] == 0x50) {
1134 // Received a HALT
1135 resp = resp1; respLen = 0; order = 5; // Do nothing
1136 DbpString("Reader requested we HALT!:");
1137
1138 } else if(receivedCmd[0] == 0x60) {
1139 // Received an authentication request
1140 resp = resp5; respLen = resp5Len; order = 7;
1141 Dbprintf("Authenticate request from reader: %x %x %x",
1142 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144 } else if(receivedCmd[0] == 0xE0) {
1145 // Received a RATS request
1146 resp = resp1; respLen = 0;order = 70;
1147 Dbprintf("RATS request from reader: %x %x %x",
1148 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1149 } else {
1150 // Never seen this command before
20f9a2a1
M
1151 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1152 len,
15c4dc5a 1153 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M
1154 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1155 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1156 // Do not respond
1157 resp = resp1; respLen = 0; order = 0;
1158 }
1159
1160 // Count number of wakeups received after a halt
1161 if(order == 6 && lastorder == 5) { happened++; }
1162
1163 // Count number of other messages after a halt
1164 if(order != 6 && lastorder == 5) { happened2++; }
1165
1166 // Look at last parity bit to determine timing of answer
1167 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1168 // 1236, so correction bit needed
1169 i = 0;
1170 }
1171
1172 memset(receivedCmd, 0x44, 32);
1173
1174 if(cmdsRecvd > 999) {
1175 DbpString("1000 commands later...");
1176 break;
1177 }
1178 else {
1179 cmdsRecvd++;
1180 }
1181
1182 if(respLen <= 0) continue;
1183
1184 // Modulate Manchester
1185 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1186 AT91C_BASE_SSC->SSC_THR = 0x00;
1187 FpgaSetupSsc();
1188
1189 // ### Transmit the response ###
1190 u = 0;
1191 b = 0x00;
1192 fdt_indicator = FALSE;
1193 for(;;) {
1194 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1195 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1196 (void)b;
1197 }
1198 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1199 if(i > respLen) {
1200 b = 0x00;
1201 u++;
1202 } else {
1203 b = resp[i];
1204 i++;
1205 }
1206 AT91C_BASE_SSC->SSC_THR = b;
1207
1208 if(u > 4) {
1209 break;
1210 }
1211 }
1212 if(BUTTON_PRESS()) {
1213 break;
1214 }
1215 }
1216
1217 }
1218
1219 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1220 LED_A_OFF();
1221}
1222
1223//-----------------------------------------------------------------------------
1224// Transmit the command (to the tag) that was placed in ToSend[].
1225//-----------------------------------------------------------------------------
f7e3ed82 1226static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1227{
1228 int c;
e30c654b 1229
15c4dc5a 1230 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1231
15c4dc5a 1232 if (wait)
1233 if(*wait < 10)
1234 *wait = 10;
e30c654b 1235
15c4dc5a 1236 for(c = 0; c < *wait;) {
1237 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1238 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1239 c++;
1240 }
1241 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1242 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1243 (void)r;
1244 }
1245 WDT_HIT();
1246 }
e30c654b 1247
15c4dc5a 1248 c = 0;
1249 for(;;) {
1250 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1251 AT91C_BASE_SSC->SSC_THR = cmd[c];
1252 c++;
1253 if(c >= len) {
1254 break;
1255 }
1256 }
1257 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1258 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1259 (void)r;
1260 }
1261 WDT_HIT();
1262 }
1263 if (samples) *samples = (c + *wait) << 3;
1264}
1265
15c4dc5a 1266//-----------------------------------------------------------------------------
1267// Code a 7-bit command without parity bit
1268// This is especially for 0x26 and 0x52 (REQA and WUPA)
1269//-----------------------------------------------------------------------------
f7e3ed82 1270void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1271{
1272 int j;
1273 int last;
f7e3ed82 1274 uint8_t b;
15c4dc5a 1275
1276 ToSendReset();
1277
1278 // Start of Communication (Seq. Z)
72934aa3 1279 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1280 last = 0;
1281
1282 b = bt;
1283 for(j = 0; j < 7; j++) {
1284 if(b & 1) {
1285 // Sequence X
72934aa3 1286 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1287 last = 1;
1288 } else {
1289 if(last == 0) {
1290 // Sequence Z
72934aa3 1291 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1292 }
1293 else {
1294 // Sequence Y
72934aa3 1295 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1296 last = 0;
1297 }
1298 }
1299 b >>= 1;
1300 }
1301
1302 // End of Communication
1303 if(last == 0) {
1304 // Sequence Z
72934aa3 1305 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1306 }
1307 else {
1308 // Sequence Y
72934aa3 1309 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1310 last = 0;
1311 }
1312 // Sequence Y
72934aa3 1313 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1314
1315 // Just to be sure!
72934aa3 1316 ToSend[++ToSendMax] = SEC_Y;
1317 ToSend[++ToSendMax] = SEC_Y;
1318 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1319
1320 // Convert from last character reference to length
1321 ToSendMax++;
1322}
1323
1324//-----------------------------------------------------------------------------
1325// Prepare reader command to send to FPGA
e30c654b 1326//
15c4dc5a 1327//-----------------------------------------------------------------------------
f7e3ed82 1328void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1329{
1330 int i, j;
1331 int last;
f7e3ed82 1332 uint8_t b;
e30c654b 1333
15c4dc5a 1334 ToSendReset();
e30c654b 1335
15c4dc5a 1336 // Start of Communication (Seq. Z)
72934aa3 1337 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1338 last = 0;
e30c654b 1339
15c4dc5a 1340 // Generate send structure for the data bits
1341 for (i = 0; i < len; i++) {
1342 // Get the current byte to send
1343 b = cmd[i];
e30c654b 1344
15c4dc5a 1345 for (j = 0; j < 8; j++) {
1346 if (b & 1) {
1347 // Sequence X
72934aa3 1348 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1349 last = 1;
1350 } else {
1351 if (last == 0) {
1352 // Sequence Z
72934aa3 1353 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1354 } else {
1355 // Sequence Y
72934aa3 1356 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1357 last = 0;
1358 }
1359 }
1360 b >>= 1;
1361 }
e30c654b 1362
15c4dc5a 1363 // Get the parity bit
1364 if ((dwParity >> i) & 0x01) {
1365 // Sequence X
72934aa3 1366 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1367 last = 1;
1368 } else {
1369 if (last == 0) {
1370 // Sequence Z
72934aa3 1371 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1372 } else {
1373 // Sequence Y
72934aa3 1374 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1375 last = 0;
1376 }
1377 }
1378 }
e30c654b 1379
15c4dc5a 1380 // End of Communication
1381 if (last == 0) {
1382 // Sequence Z
72934aa3 1383 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1384 } else {
1385 // Sequence Y
72934aa3 1386 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1387 last = 0;
1388 }
1389 // Sequence Y
72934aa3 1390 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1391
15c4dc5a 1392 // Just to be sure!
72934aa3 1393 ToSend[++ToSendMax] = SEC_Y;
1394 ToSend[++ToSendMax] = SEC_Y;
1395 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1396
15c4dc5a 1397 // Convert from last character reference to length
1398 ToSendMax++;
1399}
1400
1401//-----------------------------------------------------------------------------
1402// Wait a certain time for tag response
1403// If a response is captured return TRUE
1404// If it takes to long return FALSE
1405//-----------------------------------------------------------------------------
f7e3ed82 1406static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1407{
1408 // buffer needs to be 512 bytes
1409 int c;
1410
1411 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1412 // only, since we are receiving, not transmitting).
1413 // Signal field is on with the appropriate LED
1414 LED_D_ON();
1415 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1416
534983d7 1417 // Now get the answer from the card
1418 Demod.output = receivedResponse;
1419 Demod.len = 0;
1420 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1421
f7e3ed82 1422 uint8_t b;
15c4dc5a 1423 if (elapsed) *elapsed = 0;
1424
1425 c = 0;
1426 for(;;) {
534983d7 1427 WDT_HIT();
15c4dc5a 1428
534983d7 1429 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1430 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1431 if (elapsed) (*elapsed)++;
534983d7 1432 }
1433 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1434 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1435 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1436 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1437 *samples = ((c - 1) << 3) + 4;
1438 return TRUE;
1439 }
1440 if(ManchesterDecoding(b & 0x0f)) {
1441 *samples = c << 3;
1442 return TRUE;
1443 }
534983d7 1444 }
1445 }
15c4dc5a 1446}
1447
f7e3ed82 1448void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1449{
1450 int wait = 0;
1451 int samples = 0;
1452
1453 ShortFrameFromReader(*bt);
e30c654b 1454
15c4dc5a 1455 // Select the card
e30c654b 1456 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1457
15c4dc5a 1458 // Store reader command in buffer
1459 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1460}
1461
f7e3ed82 1462void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1463{
1464 int wait = 0;
1465 int samples = 0;
e30c654b 1466
15c4dc5a 1467 // This is tied to other size changes
f7e3ed82 1468 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1469 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1470
15c4dc5a 1471 // Select the card
e30c654b 1472 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1473 if(trigger)
1474 LED_A_ON();
e30c654b 1475
15c4dc5a 1476 // Store reader command in buffer
1477 if (tracing) LogTrace(frame,len,0,par,TRUE);
1478}
1479
1480
f7e3ed82 1481void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1482{
1483 // Generate parity and redirect
1484 ReaderTransmitPar(frame,len,GetParity(frame,len));
1485}
1486
f7e3ed82 1487int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1488{
1489 int samples = 0;
20f9a2a1 1490 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1491 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1492 if(samples == 0) return FALSE;
1493 return Demod.len;
15c4dc5a 1494}
1495
f89c7050
M
1496int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1497{
1498 int samples = 0;
1499 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1500 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1501 *parptr = Demod.parityBits;
1502 if(samples == 0) return FALSE;
1503 return Demod.len;
1504}
1505
7e758047 1506/* performs iso14443a anticolision procedure
534983d7 1507 * fills the uid pointer unless NULL
1508 * fills resp_data unless NULL */
20f9a2a1
M
1509int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1510 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1511 uint8_t sel_all[] = { 0x93,0x20 };
1512 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1513 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1514
7e758047 1515 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1516
534983d7 1517 uint8_t sak = 0x04; // cascade uid
1518 int cascade_level = 0;
1519
7e758047 1520 int len;
20f9a2a1
M
1521
1522 // clear uid
1523 memset(uid_ptr, 0, 8);
15c4dc5a 1524
7e758047 1525 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1526 ReaderTransmitShort(wupa);
1527 // Receive the ATQA
1528 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1529
534983d7 1530 if(resp_data)
1531 memcpy(resp_data->atqa, resp, 2);
1532
534983d7 1533 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1534 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1535 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1536 for(; sak & 0x04; cascade_level++)
7e758047 1537 {
534983d7 1538 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1539 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1540
1541 // SELECT_ALL
1542 ReaderTransmit(sel_all,sizeof(sel_all));
1543 if (!ReaderReceive(resp)) return 0;
1544 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M
1545
1546 // calculate crypto UID
1547 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1548
7e758047 1549 // Construct SELECT UID command
534983d7 1550 memcpy(sel_uid+2,resp,5);
1551 AppendCrc14443a(sel_uid,7);
1552 ReaderTransmit(sel_uid,sizeof(sel_uid));
1553
7e758047 1554 // Receive the SAK
1555 if (!ReaderReceive(resp)) return 0;
534983d7 1556 sak = resp[0];
7e758047 1557 }
534983d7 1558 if(resp_data) {
1559 resp_data->sak = sak;
1560 resp_data->ats_len = 0;
1561 }
20f9a2a1
M
1562 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1563 if (uid_ptr[0] == 0x88) {
1564 memcpy(uid_ptr, uid_ptr + 1, 7);
1565 uid_ptr[7] = 0;
1566 }
534983d7 1567
1568 if( (sak & 0x20) == 0)
7e758047 1569 return 2; // non iso14443a compliant tag
534983d7 1570
7e758047 1571 // Request for answer to select
20f9a2a1
M
1572 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1573 AppendCrc14443a(rats, 2);
1574 ReaderTransmit(rats, sizeof(rats));
1575
1576 if (!(len = ReaderReceive(resp))) return 0;
1577
534983d7 1578 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1579 resp_data->ats_len = len;
1580 }
20f9a2a1 1581
7e758047 1582 return 1;
1583}
15c4dc5a 1584
7e758047 1585void iso14443a_setup() {
1586 // Setup SSC
1587 FpgaSetupSsc();
1588 // Start from off (no field generated)
1589 // Signal field is off with the appropriate LED
1590 LED_D_OFF();
1591 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1592 SpinDelay(200);
15c4dc5a 1593
7e758047 1594 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1595
7e758047 1596 // Now give it time to spin up.
1597 // Signal field is on with the appropriate LED
1598 LED_D_ON();
1599 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1600 SpinDelay(200);
534983d7 1601
1602 iso14a_timeout = 2048; //default
7e758047 1603}
15c4dc5a 1604
534983d7 1605int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1606 uint8_t real_cmd[cmd_len+4];
1607 real_cmd[0] = 0x0a; //I-Block
1608 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1609 memcpy(real_cmd+2, cmd, cmd_len);
1610 AppendCrc14443a(real_cmd,cmd_len+2);
1611
1612 ReaderTransmit(real_cmd, cmd_len+4);
1613 size_t len = ReaderReceive(data);
1614 if(!len)
1615 return -1; //DATA LINK ERROR
1616
1617 return len;
1618}
1619
1620
7e758047 1621//-----------------------------------------------------------------------------
1622// Read an ISO 14443a tag. Send out commands and store answers.
1623//
1624//-----------------------------------------------------------------------------
534983d7 1625void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1626{
534983d7 1627 iso14a_command_t param = c->arg[0];
1628 uint8_t * cmd = c->d.asBytes;
1629 size_t len = c->arg[1];
e30c654b 1630
534983d7 1631 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1632
534983d7 1633 if(param & ISO14A_CONNECT) {
1634 iso14443a_setup();
20f9a2a1 1635 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1636 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1637 }
e30c654b 1638
534983d7 1639 if(param & ISO14A_SET_TIMEOUT) {
1640 iso14a_timeout = c->arg[2];
1641 }
e30c654b 1642
534983d7 1643 if(param & ISO14A_SET_TIMEOUT) {
1644 iso14a_timeout = c->arg[2];
1645 }
e30c654b 1646
534983d7 1647 if(param & ISO14A_APDU) {
1648 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1649 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1650 }
e30c654b 1651
534983d7 1652 if(param & ISO14A_RAW) {
1653 if(param & ISO14A_APPEND_CRC) {
1654 AppendCrc14443a(cmd,len);
1655 len += 2;
15c4dc5a 1656 }
534983d7 1657 ReaderTransmit(cmd,len);
1658 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1659 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1660 }
15c4dc5a 1661
534983d7 1662 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1663
534983d7 1664 if(param & ISO14A_NO_DISCONNECT)
1665 return;
15c4dc5a 1666
15c4dc5a 1667 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1668 LEDsoff();
15c4dc5a 1669}
15c4dc5a 1670//-----------------------------------------------------------------------------
1671// Read an ISO 14443a tag. Send out commands and store answers.
1672//
1673//-----------------------------------------------------------------------------
f7e3ed82 1674void ReaderMifare(uint32_t parameter)
15c4dc5a 1675{
15c4dc5a 1676 // Mifare AUTH
f7e3ed82 1677 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1678 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1679
f89c7050
M
1680 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1681 traceLen = 0;
1682 tracing = false;
e30c654b 1683
7e758047 1684 iso14443a_setup();
e30c654b 1685
15c4dc5a 1686 LED_A_ON();
1687 LED_B_OFF();
1688 LED_C_OFF();
e30c654b 1689
f89c7050
M
1690 byte_t nt_diff = 0;
1691 LED_A_OFF();
1692 byte_t par = 0;
1693 byte_t par_mask = 0xff;
1694 byte_t par_low = 0;
1695 int led_on = TRUE;
50193c1e 1696 uint8_t uid[8];
f89c7050 1697 uint32_t cuid;
e30c654b 1698
f89c7050
M
1699 tracing = FALSE;
1700 byte_t nt[4] = {0,0,0,0};
f397b5cc 1701 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M
1702 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1703 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 1704 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 1705 int isOK = 0, isNULL = 0;
f397b5cc 1706
f89c7050
M
1707 while(TRUE)
1708 {
50193c1e 1709 LED_C_ON();
f89c7050
M
1710 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1711 SpinDelay(200);
1712 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 1713 LED_C_OFF();
e30c654b 1714
f89c7050
M
1715 // Test if the action was cancelled
1716 if(BUTTON_PRESS()) {
1717 break;
1718 }
e30c654b 1719
f89c7050 1720 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 1721
f89c7050
M
1722 // Transmit MIFARE_CLASSIC_AUTH
1723 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 1724
f89c7050
M
1725 // Receive the (16 bit) "random" nonce
1726 if (!ReaderReceive(receivedAnswer)) continue;
1727 memcpy(nt, receivedAnswer, 4);
e30c654b 1728
f89c7050
M
1729 // Transmit reader nonce and reader answer
1730 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 1731
f89c7050
M
1732 // Receive 4 bit answer
1733 if (ReaderReceive(receivedAnswer))
1734 {
f397b5cc
M
1735 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1736
50193c1e
M
1737 isNULL = (nt_attacked[0] = 0) && (nt_attacked[1] = 0) && (nt_attacked[2] = 0) && (nt_attacked[3] = 0);
1738 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1739
f89c7050
M
1740 if (nt_diff == 0)
1741 {
1742 LED_A_ON();
1743 memcpy(nt_attacked, nt, 4);
1744 par_mask = 0xf8;
1745 par_low = par & 0x07;
1746 }
15c4dc5a 1747
f89c7050
M
1748 led_on = !led_on;
1749 if(led_on) LED_B_ON(); else LED_B_OFF();
1750 par_list[nt_diff] = par;
1751 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 1752
f89c7050
M
1753 // Test if the information is complete
1754 if (nt_diff == 0x07) {
1755 isOK = 1;
1756 break;
1757 }
1758
1759 nt_diff = (nt_diff + 1) & 0x07;
1760 mf_nr_ar[3] = nt_diff << 5;
1761 par = par_low;
1762 } else {
1763 if (nt_diff == 0)
1764 {
1765 par++;
1766 } else {
1767 par = (((par >> 3) + 1) << 3) | par_low;
1768 }
1769 }
1770 }
e30c654b 1771
f89c7050
M
1772 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1773 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1774 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 1775
f89c7050
M
1776 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1777 memcpy(ack.d.asBytes + 0, uid, 4);
1778 memcpy(ack.d.asBytes + 4, nt, 4);
1779 memcpy(ack.d.asBytes + 8, par_list, 8);
1780 memcpy(ack.d.asBytes + 16, ks_list, 8);
1781
1782 LED_B_ON();
1783 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1784 LED_B_OFF();
1785
1786 // Thats it...
15c4dc5a 1787 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1788 LEDsoff();
f89c7050
M
1789 tracing = TRUE;
1790
f397b5cc 1791 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M
1792}
1793
1794//-----------------------------------------------------------------------------
1795// Select, Authenticaate, Read an MIFARE tag.
1796// read block
1797//-----------------------------------------------------------------------------
1798void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1799{
1800 // params
1801 uint8_t blockNo = arg0;
1802 uint8_t keyType = arg1;
1803 uint64_t ui64Key = 0;
1804 ui64Key = bytes_to_num(datain, 6);
1805
1806 // variables
4abe4f58
M
1807 byte_t isOK = 0;
1808 byte_t dataoutbuf[16];
50193c1e 1809 uint8_t uid[8];
20f9a2a1 1810 uint32_t cuid;
4abe4f58 1811 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M
1812 struct Crypto1State *pcs;
1813 pcs = &mpcs;
1814
1815 // clear trace
4abe4f58
M
1816 traceLen = 0;
1817// tracing = false;
20f9a2a1
M
1818
1819 iso14443a_setup();
1820
1821 LED_A_ON();
1822 LED_B_OFF();
1823 LED_C_OFF();
1824
1825 while (true) {
1826 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 1827 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M
1828 break;
1829 };
1830
4abe4f58 1831 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
f397b5cc 1832 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
20f9a2a1
M
1833 break;
1834 };
1835
1836 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
f397b5cc 1837 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
20f9a2a1
M
1838 break;
1839 };
1840
1841 if(mifare_classic_halt(pcs, cuid)) {
f397b5cc 1842 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
20f9a2a1
M
1843 break;
1844 };
1845
1846 isOK = 1;
1847 break;
1848 }
1849
1850 // ----------------------------- crypto1 destroy
1851 crypto1_destroy(pcs);
1852
f397b5cc 1853 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
20f9a2a1
M
1854
1855 // add trace trailer
1856 uid[0] = 0xff;
1857 uid[1] = 0xff;
1858 uid[2] = 0xff;
1859 uid[3] = 0xff;
4abe4f58 1860 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M
1861
1862 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1863 memcpy(ack.d.asBytes, dataoutbuf, 16);
1864
1865 LED_B_ON();
1866 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
4abe4f58 1867 LED_B_OFF();
20f9a2a1
M
1868
1869
1870 // Thats it...
1871 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1872 LEDsoff();
1873// tracing = TRUE;
1874
1875}
1876
1877//-----------------------------------------------------------------------------
1878// Select, Authenticaate, Read an MIFARE tag.
1879// read sector (data = 4 x 16 bytes = 64 bytes)
1880//-----------------------------------------------------------------------------
1881void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1882{
1883 // params
1884 uint8_t sectorNo = arg0;
1885 uint8_t keyType = arg1;
1886 uint64_t ui64Key = 0;
1887 ui64Key = bytes_to_num(datain, 6);
1888
1889 // variables
4abe4f58
M
1890 byte_t isOK = 0;
1891 byte_t dataoutbuf[16 * 4];
20f9a2a1
M
1892 uint8_t uid[8];
1893 uint32_t cuid;
4abe4f58 1894 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M
1895 struct Crypto1State *pcs;
1896 pcs = &mpcs;
1897
1898 // clear trace
4abe4f58
M
1899 traceLen = 0;
1900// tracing = false;
20f9a2a1
M
1901
1902 iso14443a_setup();
1903
1904 LED_A_ON();
1905 LED_B_OFF();
1906 LED_C_OFF();
1907
1908 while (true) {
1909 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 1910 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M
1911 break;
1912 };
1913
4abe4f58 1914 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
f397b5cc 1915 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
20f9a2a1
M
1916 break;
1917 };
1918
1919 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
f397b5cc 1920 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error");
20f9a2a1
M
1921 break;
1922 };
1923 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
f397b5cc 1924 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error");
20f9a2a1
M
1925 break;
1926 };
1927 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
f397b5cc 1928 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error");
20f9a2a1
M
1929 break;
1930 };
1931 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
f397b5cc 1932 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error");
20f9a2a1
M
1933 break;
1934 };
1935
1936 if(mifare_classic_halt(pcs, cuid)) {
f397b5cc 1937 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
20f9a2a1
M
1938 break;
1939 };
1940
1941 isOK = 1;
1942 break;
1943 }
1944
1945 // ----------------------------- crypto1 destroy
1946 crypto1_destroy(pcs);
1947
f397b5cc 1948 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
20f9a2a1
M
1949
1950 // add trace trailer
1951 uid[0] = 0xff;
1952 uid[1] = 0xff;
1953 uid[2] = 0xff;
1954 uid[3] = 0xff;
4abe4f58 1955 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M
1956
1957 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1958 memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
1959
1960 LED_B_ON();
1961 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1962
1963 SpinDelay(100);
1964
1965 memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
1966 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1967 LED_B_OFF();
1968
4abe4f58 1969 // Thats it...
20f9a2a1
M
1970 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1971 LEDsoff();
1972// tracing = TRUE;
1973
1974}
1975
1976//-----------------------------------------------------------------------------
1977// Select, Authenticaate, Read an MIFARE tag.
1978// read block
1979//-----------------------------------------------------------------------------
1980void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1981{
4abe4f58 1982 // params
20f9a2a1
M
1983 uint8_t blockNo = arg0;
1984 uint8_t keyType = arg1;
1985 uint64_t ui64Key = 0;
4abe4f58 1986 byte_t blockdata[16];
20f9a2a1
M
1987
1988 ui64Key = bytes_to_num(datain, 6);
1989 memcpy(blockdata, datain + 10, 16);
1990
1991 // variables
4abe4f58 1992 byte_t isOK = 0;
20f9a2a1
M
1993 uint8_t uid[8];
1994 uint32_t cuid;
4abe4f58 1995 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M
1996 struct Crypto1State *pcs;
1997 pcs = &mpcs;
1998
1999 // clear trace
4abe4f58 2000 traceLen = 0;
20f9a2a1
M
2001// tracing = false;
2002
2003 iso14443a_setup();
2004
2005 LED_A_ON();
2006 LED_B_OFF();
2007 LED_C_OFF();
2008
2009 while (true) {
f397b5cc
M
2010 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2011 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M
2012 break;
2013 };
2014
4abe4f58 2015 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
f397b5cc 2016 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
20f9a2a1
M
2017 break;
2018 };
2019
2020 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
f397b5cc 2021 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
20f9a2a1
M
2022 break;
2023 };
2024
2025 if(mifare_classic_halt(pcs, cuid)) {
f397b5cc 2026 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
20f9a2a1
M
2027 break;
2028 };
2029
2030 isOK = 1;
2031 break;
2032 }
2033
2034 // ----------------------------- crypto1 destroy
2035 crypto1_destroy(pcs);
2036
f397b5cc 2037 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
20f9a2a1
M
2038
2039 // add trace trailer
2040 uid[0] = 0xff;
2041 uid[1] = 0xff;
2042 uid[2] = 0xff;
2043 uid[3] = 0xff;
4abe4f58 2044 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M
2045
2046 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2047
2048 LED_B_ON();
2049 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2050 LED_B_OFF();
2051
2052
4abe4f58 2053 // Thats it...
20f9a2a1
M
2054 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2055 LEDsoff();
2056// tracing = TRUE;
2057
2058}
2059
f89c7050
M
2060// Return 1 if the nonce is invalid else return 0
2061int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {
2062 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
2063 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
2064 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
2065}
2066
2067
20f9a2a1
M
2068//-----------------------------------------------------------------------------
2069// MIFARE nested authentication.
2070//
2071//-----------------------------------------------------------------------------
f397b5cc 2072void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
20f9a2a1 2073{
4abe4f58 2074 // params
20f9a2a1
M
2075 uint8_t blockNo = arg0;
2076 uint8_t keyType = arg1;
f397b5cc
M
2077 uint8_t targetBlockNo = arg2 & 0xff;
2078 uint8_t targetKeyType = (arg2 >> 8) & 0xff;
20f9a2a1
M
2079 uint64_t ui64Key = 0;
2080
2081 ui64Key = bytes_to_num(datain, 6);
2082
2083 // variables
50193c1e 2084 int rtr, i, j, m, len;
f89c7050 2085 int davg, dmin, dmax;
20f9a2a1 2086 uint8_t uid[8];
f89c7050
M
2087 uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;
2088 uint8_t par_array[4];
f397b5cc
M
2089 nestedVector nvector[NES_MAX_INFO + 1][10];
2090 int nvectorcount[NES_MAX_INFO + 1];
f89c7050 2091 int ncount = 0;
50193c1e 2092 UsbCommand ack = {CMD_ACK, {0, 0, 0}};
4abe4f58 2093 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M
2094 struct Crypto1State *pcs;
2095 pcs = &mpcs;
f89c7050 2096 uint8_t* receivedAnswer = mifare_get_bigbufptr();
20f9a2a1 2097
f397b5cc
M
2098 //init
2099 for (i = 0; i < NES_MAX_INFO + 1; i++) nvectorcount[i] = 11; // 11 - empty block;
2100
20f9a2a1 2101 // clear trace
4abe4f58 2102 traceLen = 0;
f89c7050 2103 tracing = false;
f397b5cc 2104
20f9a2a1
M
2105 iso14443a_setup();
2106
2107 LED_A_ON();
f89c7050 2108 LED_B_ON();
20f9a2a1
M
2109 LED_C_OFF();
2110
f89c7050
M
2111 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2112 SpinDelay(200);
2113
2114 davg = dmax = 0;
2115 dmin = 2000;
2116
2117 // test nonce distance
2118 for (rtr = 0; rtr < 10; rtr++) {
2119 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2120 SpinDelay(100);
2121 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2122
2123 // Test if the action was cancelled
2124 if(BUTTON_PRESS()) {
2125 break;
2126 }
2127
20f9a2a1 2128 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 2129 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M
2130 break;
2131 };
2132
f89c7050 2133 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
f397b5cc 2134 if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
20f9a2a1
M
2135 break;
2136 };
2137
f89c7050 2138 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2)) {
f397b5cc 2139 if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error");
20f9a2a1
M
2140 break;
2141 };
2142
f89c7050
M
2143 nttmp = prng_successor(nt1, 500);
2144 for (i = 501; i < 2000; i++) {
2145 nttmp = prng_successor(nttmp, 1);
2146 if (nttmp == nt2) break;
2147 }
2148
2149 if (i != 2000) {
2150 davg += i;
2151 if (dmin > i) dmin = i;
2152 if (dmax < i) dmax = i;
f397b5cc 2153 if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2=%08x distance=%d", rtr, nt1, nt2, i);
f89c7050
M
2154 }
2155 }
2156
2157 if (rtr == 0) return;
2158
2159 davg = davg / rtr;
f397b5cc 2160 if (MF_DBGLEVEL >= 3) Dbprintf("distance: min=%d max=%d avg=%d", dmin, dmax, davg);
f89c7050
M
2161
2162 LED_B_OFF();
2163
f397b5cc 2164// -------------------------------------------------------------------------------------------------
f89c7050
M
2165
2166 LED_C_ON();
2167
2168 // get crypted nonces for target sector
f397b5cc
M
2169 for (rtr = 0; rtr < NS_RETRIES_GETNONCE; rtr++) {
2170 if (MF_DBGLEVEL >= 4) Dbprintf("------------------------------");
f89c7050
M
2171
2172 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2173 SpinDelay(100);
2174 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2175
2176 // Test if the action was cancelled
2177 if(BUTTON_PRESS()) {
2178 break;
2179 }
2180
2181 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 2182 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
f89c7050
M
2183 break;
2184 };
2185
2186 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
f397b5cc 2187 if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
20f9a2a1
M
2188 break;
2189 };
2190
f89c7050 2191 // nested authentication
50193c1e 2192 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par);
f89c7050 2193 if (len != 4) {
f397b5cc 2194 if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error len=%d", len);
20f9a2a1
M
2195 break;
2196 };
f89c7050
M
2197
2198 nt2 = bytes_to_num(receivedAnswer, 4);
f397b5cc 2199 if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par);
f89c7050
M
2200
2201 // Parity validity check
2202 for (i = 0; i < 4; i++) {
2203 par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3));
2204 par = par << 1;
2205 }
2206
2207 ncount = 0;
f397b5cc 2208 for (m = dmin - NS_TOLERANCE; m < dmax + NS_TOLERANCE; m++) {
f89c7050
M
2209 nttest = prng_successor(nt1, m);
2210 ks1 = nt2 ^ nttest;
2211
f89c7050
M
2212 if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){
2213
f397b5cc
M
2214 nvector[NES_MAX_INFO][ncount].nt = nttest;
2215 nvector[NES_MAX_INFO][ncount].ks1 = ks1;
f89c7050 2216 ncount++;
f397b5cc
M
2217 nvectorcount[NES_MAX_INFO] = ncount;
2218 if (MF_DBGLEVEL >= 4) Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest);
f89c7050
M
2219 }
2220
2221 }
2222
2223 // select vector with length less than got
f397b5cc
M
2224 if (nvectorcount[NES_MAX_INFO] != 0) {
2225 m = NES_MAX_INFO;
2226
2227 for (i = 0; i < NES_MAX_INFO; i++)
2228 if (nvectorcount[i] > 10) {
2229 m = i;
2230 break;
2231 }
2232
2233 if (m == NES_MAX_INFO)
2234 for (i = 0; i < NES_MAX_INFO; i++)
2235 if (nvectorcount[NES_MAX_INFO] < nvectorcount[i]) {
2236 m = i;
2237 break;
2238 }
2239
2240 if (m != NES_MAX_INFO) {
50193c1e 2241 for (i = 0; i < nvectorcount[m]; i++) {
f397b5cc 2242 nvector[m][i] = nvector[NES_MAX_INFO][i];
50193c1e 2243 }
f397b5cc 2244 nvectorcount[m] = nvectorcount[NES_MAX_INFO];
f89c7050 2245 }
f89c7050 2246 }
20f9a2a1 2247 }
f89c7050
M
2248
2249 LED_C_OFF();
20f9a2a1
M
2250
2251 // ----------------------------- crypto1 destroy
2252 crypto1_destroy(pcs);
2253
20f9a2a1
M
2254 // add trace trailer
2255 uid[0] = 0xff;
2256 uid[1] = 0xff;
2257 uid[2] = 0xff;
2258 uid[3] = 0xff;
4abe4f58 2259 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1 2260
f397b5cc
M
2261 for (i = 0; i < NES_MAX_INFO; i++) {
2262 if (nvectorcount[i] > 10) continue;
2263
50193c1e
M
2264 for (j = 0; j < nvectorcount[i]; j += 5) {
2265 ncount = nvectorcount[i] - j;
2266 if (ncount > 5) ncount = 5;
2267
2268 ack.arg[0] = 0; // isEOF = 0
2269 ack.arg[1] = ncount;
2270 ack.arg[2] = targetBlockNo + (targetKeyType * 0x100);
2271 memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
2272
2273 memcpy(ack.d.asBytes, &cuid, 4);
2274 for (m = 0; m < ncount; m++) {
2275 memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4);
2276 memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4);
2277 }
f89c7050 2278
50193c1e
M
2279 LED_B_ON();
2280 SpinDelay(100);
2281 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2282 LED_B_OFF();
2283 }
f89c7050
M
2284 }
2285
2286 // finalize list
50193c1e
M
2287 ack.arg[0] = 1; // isEOF = 1
2288 ack.arg[1] = 0;
2289 ack.arg[2] = 0;
2290 memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
20f9a2a1
M
2291
2292 LED_B_ON();
50193c1e 2293 SpinDelay(300);
20f9a2a1
M
2294 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2295 LED_B_OFF();
2296
f397b5cc 2297 if (MF_DBGLEVEL >= 4) DbpString("NESTED FINISHED");
f89c7050 2298
4abe4f58 2299 // Thats it...
20f9a2a1
M
2300 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2301 LEDsoff();
f397b5cc
M
2302
2303 tracing = TRUE;
2304}
2305
2306//-----------------------------------------------------------------------------
2307// MIFARE check keys. key count up to 8.
2308//
2309//-----------------------------------------------------------------------------
2310void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2311{
2312 // params
2313 uint8_t blockNo = arg0;
2314 uint8_t keyType = arg1;
2315 uint8_t keyCount = arg2;
2316 uint64_t ui64Key = 0;
2317
2318 // variables
2319 int i;
2320 byte_t isOK = 0;
2321 uint8_t uid[8];
2322 uint32_t cuid;
2323 struct Crypto1State mpcs = {0, 0};
2324 struct Crypto1State *pcs;
2325 pcs = &mpcs;
2326
2327 // clear debug level
2328 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
2329 MF_DBGLEVEL = MF_DBG_NONE;
2330
2331 // clear trace
2332 traceLen = 0;
2333 tracing = TRUE;
2334
2335 iso14443a_setup();
2336
2337 LED_A_ON();
2338 LED_B_OFF();
2339 LED_C_OFF();
2340
2341 SpinDelay(300);
2342 for (i = 0; i < keyCount; i++) {
2343 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2344 SpinDelay(100);
2345 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2346
2347 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2348 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
2349 break;
2350 };
2351
2352 ui64Key = bytes_to_num(datain + i * 6, 6);
2353 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
2354 continue;
2355 };
2356
2357 isOK = 1;
2358 break;
2359 }
2360
2361 // ----------------------------- crypto1 destroy
2362 crypto1_destroy(pcs);
2363
2364 // add trace trailer
2365 uid[0] = 0xff;
2366 uid[1] = 0xff;
2367 uid[2] = 0xff;
2368 uid[3] = 0xff;
2369 LogTrace(uid, 4, 0, 0, TRUE);
2370
2371 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2372 if (isOK) memcpy(ack.d.asBytes, datain + i * 6, 6);
2373
2374 LED_B_ON();
2375 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2376 LED_B_OFF();
2377
2378 // Thats it...
2379 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2380 LEDsoff();
20f9a2a1 2381
f397b5cc
M
2382 // restore debug level
2383 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
20f9a2a1
M
2384}
2385
2386//-----------------------------------------------------------------------------
2387// MIFARE 1K simulate.
2388//
2389//-----------------------------------------------------------------------------
2390void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2391{
50193c1e
M
2392 int cardSTATE = MFEMUL_NOFIELD;
2393
2394 while (true) {
2395
2396 if(BUTTON_PRESS()) {
2397 break;
2398 }
2399
2400 switch (cardSTATE) {
2401 case MFEMUL_NOFIELD:{
2402 break;
2403 }
2404 case MFEMUL_IDLE:{
2405 break;
2406 }
2407 case MFEMUL_SELECT1:{
2408 break;
2409 }
2410 case MFEMUL_SELECT2:{
2411 break;
2412 }
2413 case MFEMUL_AUTH1:{
2414 break;
2415 }
2416 case MFEMUL_AUTH2:{
2417 break;
2418 }
2419 case MFEMUL_HALTED:{
2420 break;
2421 }
2422
2423 }
2424
2425 }
2426
15c4dc5a 2427}
Impressum, Datenschutz