]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
0. its alpha version!!!
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M		 20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
f7e3ed82 23static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 24static int traceLen = 0;
25static int rsamples = 0;
f7e3ed82 26static int tracing = TRUE;
534983d7 27static uint32_t iso14a_timeout;
15c4dc5a 28
72934aa3 29// CARD TO READER
30// Sequence D: 11110000 modulation with subcarrier during first half
31// Sequence E: 00001111 modulation with subcarrier during second half
32// Sequence F: 00000000 no modulation with subcarrier
33// READER TO CARD
34// Sequence X: 00001100 drop after half a period
35// Sequence Y: 00000000 no drop
36// Sequence Z: 11000000 drop at start
37#define SEC_D 0xf0
38#define SEC_E 0x0f
39#define SEC_F 0x00
40#define SEC_X 0x0c
41#define SEC_Y 0x00
42#define SEC_Z 0xc0
15c4dc5a 43
f7e3ed82 44static const uint8_t OddByteParity[256] = {
15c4dc5a 45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
58 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
61};
62
63// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
64#define RECV_CMD_OFFSET 3032
65#define RECV_RES_OFFSET 3096
66#define DMA_BUFFER_OFFSET 3160
67#define DMA_BUFFER_SIZE 4096
68#define TRACE_LENGTH 3000
69
534983d7 70uint8_t trigger = 0;
71void iso14a_set_trigger(int enable) {
72 trigger = enable;
73}
74
15c4dc5a 75//-----------------------------------------------------------------------------
76// Generate the parity value for a byte sequence
e30c654b 77//
15c4dc5a 78//-----------------------------------------------------------------------------
20f9a2a1
M		 79byte_t oddparity (const byte_t bt)
80{
81 return OddByteParity[bt];
82}
83
f7e3ed82 84uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 85{
86 int i;
f7e3ed82 87 uint32_t dwPar = 0;
72934aa3 88
15c4dc5a 89 // Generate the encrypted data
90 for (i = 0; i < iLen; i++) {
91 // Save the encrypted parity bit
92 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
93 }
94 return dwPar;
95}
96
534983d7 97void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 98{
99 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
100}
101
ed82636b 102int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 103{
104 // Return when trace is full
105 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 106
15c4dc5a 107 // Trace the random, i'm curious
108 rsamples += iSamples;
109 trace[traceLen++] = ((rsamples >> 0) & 0xff);
110 trace[traceLen++] = ((rsamples >> 8) & 0xff);
111 trace[traceLen++] = ((rsamples >> 16) & 0xff);
112 trace[traceLen++] = ((rsamples >> 24) & 0xff);
113 if (!bReader) {
114 trace[traceLen - 1] |= 0x80;
115 }
116 trace[traceLen++] = ((dwParity >> 0) & 0xff);
117 trace[traceLen++] = ((dwParity >> 8) & 0xff);
118 trace[traceLen++] = ((dwParity >> 16) & 0xff);
119 trace[traceLen++] = ((dwParity >> 24) & 0xff);
120 trace[traceLen++] = iLen;
121 memcpy(trace + traceLen, btBytes, iLen);
122 traceLen += iLen;
123 return TRUE;
124}
125
15c4dc5a 126//-----------------------------------------------------------------------------
127// The software UART that receives commands from the reader, and its state
128// variables.
129//-----------------------------------------------------------------------------
130static struct {
131 enum {
132 STATE_UNSYNCD,
133 STATE_START_OF_COMMUNICATION,
134 STATE_MILLER_X,
135 STATE_MILLER_Y,
136 STATE_MILLER_Z,
137 STATE_ERROR_WAIT
138 } state;
f7e3ed82 139 uint16_t shiftReg;
15c4dc5a 140 int bitCnt;
141 int byteCnt;
142 int byteCntMax;
143 int posCnt;
144 int syncBit;
145 int parityBits;
146 int samples;
147 int highCnt;
148 int bitBuffer;
149 enum {
150 DROP_NONE,
151 DROP_FIRST_HALF,
152 DROP_SECOND_HALF
153 } drop;
f7e3ed82 154 uint8_t *output;
15c4dc5a 155} Uart;
156
6c1e2d95 157static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 158{
159 int error = 0;
160 int bitright;
161
162 if(!Uart.bitBuffer) {
163 Uart.bitBuffer = bit ^ 0xFF0;
164 return FALSE;
165 }
166 else {
167 Uart.bitBuffer <<= 4;
168 Uart.bitBuffer ^= bit;
169 }
170
f7e3ed82 171 int EOC = FALSE;
15c4dc5a 172
173 if(Uart.state != STATE_UNSYNCD) {
174 Uart.posCnt++;
175
176 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
177 bit = 0x00;
178 }
179 else {
180 bit = 0x01;
181 }
182 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
183 bitright = 0x00;
184 }
185 else {
186 bitright = 0x01;
187 }
188 if(bit != bitright) { bit = bitright; }
189
190 if(Uart.posCnt == 1) {
191 // measurement first half bitperiod
192 if(!bit) {
193 Uart.drop = DROP_FIRST_HALF;
194 }
195 }
196 else {
197 // measurement second half bitperiod
198 if(!bit & (Uart.drop == DROP_NONE)) {
199 Uart.drop = DROP_SECOND_HALF;
200 }
201 else if(!bit) {
202 // measured a drop in first and second half
203 // which should not be possible
204 Uart.state = STATE_ERROR_WAIT;
205 error = 0x01;
206 }
207
208 Uart.posCnt = 0;
209
210 switch(Uart.state) {
211 case STATE_START_OF_COMMUNICATION:
212 Uart.shiftReg = 0;
213 if(Uart.drop == DROP_SECOND_HALF) {
214 // error, should not happen in SOC
215 Uart.state = STATE_ERROR_WAIT;
216 error = 0x02;
217 }
218 else {
219 // correct SOC
220 Uart.state = STATE_MILLER_Z;
221 }
222 break;
223
224 case STATE_MILLER_Z:
225 Uart.bitCnt++;
226 Uart.shiftReg >>= 1;
227 if(Uart.drop == DROP_NONE) {
228 // logic '0' followed by sequence Y
229 // end of communication
230 Uart.state = STATE_UNSYNCD;
231 EOC = TRUE;
232 }
233 // if(Uart.drop == DROP_FIRST_HALF) {
234 // Uart.state = STATE_MILLER_Z; stay the same
235 // we see a logic '0' }
236 if(Uart.drop == DROP_SECOND_HALF) {
237 // we see a logic '1'
238 Uart.shiftReg |= 0x100;
239 Uart.state = STATE_MILLER_X;
240 }
241 break;
242
243 case STATE_MILLER_X:
244 Uart.shiftReg >>= 1;
245 if(Uart.drop == DROP_NONE) {
246 // sequence Y, we see a '0'
247 Uart.state = STATE_MILLER_Y;
248 Uart.bitCnt++;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // Would be STATE_MILLER_Z
252 // but Z does not follow X, so error
253 Uart.state = STATE_ERROR_WAIT;
254 error = 0x03;
255 }
256 if(Uart.drop == DROP_SECOND_HALF) {
257 // We see a '1' and stay in state X
258 Uart.shiftReg |= 0x100;
259 Uart.bitCnt++;
260 }
261 break;
262
263 case STATE_MILLER_Y:
264 Uart.bitCnt++;
265 Uart.shiftReg >>= 1;
266 if(Uart.drop == DROP_NONE) {
267 // logic '0' followed by sequence Y
268 // end of communication
269 Uart.state = STATE_UNSYNCD;
270 EOC = TRUE;
271 }
272 if(Uart.drop == DROP_FIRST_HALF) {
273 // we see a '0'
274 Uart.state = STATE_MILLER_Z;
275 }
276 if(Uart.drop == DROP_SECOND_HALF) {
277 // We see a '1' and go to state X
278 Uart.shiftReg |= 0x100;
279 Uart.state = STATE_MILLER_X;
280 }
281 break;
282
283 case STATE_ERROR_WAIT:
284 // That went wrong. Now wait for at least two bit periods
285 // and try to sync again
286 if(Uart.drop == DROP_NONE) {
287 Uart.highCnt = 6;
288 Uart.state = STATE_UNSYNCD;
289 }
290 break;
291
292 default:
293 Uart.state = STATE_UNSYNCD;
294 Uart.highCnt = 0;
295 break;
296 }
297
298 Uart.drop = DROP_NONE;
299
300 // should have received at least one whole byte...
301 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
302 return TRUE;
303 }
304
305 if(Uart.bitCnt == 9) {
306 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
307 Uart.byteCnt++;
308
309 Uart.parityBits <<= 1;
310 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
311
312 if(EOC) {
313 // when End of Communication received and
314 // all data bits processed..
315 return TRUE;
316 }
317 Uart.bitCnt = 0;
318 }
319
320 /*if(error) {
321 Uart.output[Uart.byteCnt] = 0xAA;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = error & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = 0xAA;
334 Uart.byteCnt++;
335 return TRUE;
336 }*/
337 }
338
339 }
340 else {
341 bit = Uart.bitBuffer & 0xf0;
342 bit >>= 4;
343 bit ^= 0x0F;
344 if(bit) {
345 // should have been high or at least (4 * 128) / fc
346 // according to ISO this should be at least (9 * 128 + 20) / fc
347 if(Uart.highCnt == 8) {
348 // we went low, so this could be start of communication
349 // it turns out to be safer to choose a less significant
350 // syncbit... so we check whether the neighbour also represents the drop
351 Uart.posCnt = 1; // apparently we are busy with our first half bit period
352 Uart.syncBit = bit & 8;
353 Uart.samples = 3;
354 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
355 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
356 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
357 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 359 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 360 Uart.syncBit = 8;
361
362 // the first half bit period is expected in next sample
363 Uart.posCnt = 0;
364 Uart.samples = 3;
365 }
366 }
367 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
368
369 Uart.syncBit <<= 4;
370 Uart.state = STATE_START_OF_COMMUNICATION;
371 Uart.drop = DROP_FIRST_HALF;
372 Uart.bitCnt = 0;
373 Uart.byteCnt = 0;
374 Uart.parityBits = 0;
375 error = 0;
376 }
377 else {
378 Uart.highCnt = 0;
379 }
380 }
381 else {
382 if(Uart.highCnt < 8) {
383 Uart.highCnt++;
384 }
385 }
386 }
387
388 return FALSE;
389}
390
391//=============================================================================
392// ISO 14443 Type A - Manchester
393//=============================================================================
394
395static struct {
396 enum {
397 DEMOD_UNSYNCD,
398 DEMOD_START_OF_COMMUNICATION,
399 DEMOD_MANCHESTER_D,
400 DEMOD_MANCHESTER_E,
401 DEMOD_MANCHESTER_F,
402 DEMOD_ERROR_WAIT
403 } state;
404 int bitCount;
405 int posCount;
406 int syncBit;
407 int parityBits;
f7e3ed82 408 uint16_t shiftReg;
15c4dc5a 409 int buffer;
410 int buff;
411 int samples;
412 int len;
413 enum {
414 SUB_NONE,
415 SUB_FIRST_HALF,
416 SUB_SECOND_HALF
417 } sub;
f7e3ed82 418 uint8_t *output;
15c4dc5a 419} Demod;
420
6c1e2d95 421static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 422{
423 int bit;
424 int modulation;
425 int error = 0;
426
427 if(!Demod.buff) {
428 Demod.buff = 1;
429 Demod.buffer = v;
430 return FALSE;
431 }
432 else {
433 bit = Demod.buffer;
434 Demod.buffer = v;
435 }
436
437 if(Demod.state==DEMOD_UNSYNCD) {
438 Demod.output[Demod.len] = 0xfa;
439 Demod.syncBit = 0;
440 //Demod.samples = 0;
441 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 442
443 if(bit & 0x08) {
444 Demod.syncBit = 0x08;
15c4dc5a 445 }
15c4dc5a 446
2f2d9fc5 447 if(bit & 0x04) {
448 if(Demod.syncBit) {
449 bit <<= 4;
450 }
451 Demod.syncBit = 0x04;
452 }
15c4dc5a 453
2f2d9fc5 454 if(bit & 0x02) {
455 if(Demod.syncBit) {
456 bit <<= 2;
15c4dc5a 457 }
2f2d9fc5 458 Demod.syncBit = 0x02;
15c4dc5a 459 }
15c4dc5a 460
593924e7 461 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 462 Demod.syncBit = 0x01;
463 }
464
15c4dc5a 465 if(Demod.syncBit) {
466 Demod.len = 0;
467 Demod.state = DEMOD_START_OF_COMMUNICATION;
468 Demod.sub = SUB_FIRST_HALF;
469 Demod.bitCount = 0;
470 Demod.shiftReg = 0;
471 Demod.parityBits = 0;
472 Demod.samples = 0;
473 if(Demod.posCount) {
534983d7 474 if(trigger) LED_A_OFF();
15c4dc5a 475 switch(Demod.syncBit) {
476 case 0x08: Demod.samples = 3; break;
477 case 0x04: Demod.samples = 2; break;
478 case 0x02: Demod.samples = 1; break;
479 case 0x01: Demod.samples = 0; break;
480 }
481 }
482 error = 0;
483 }
484 }
485 else {
486 //modulation = bit & Demod.syncBit;
487 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
488
489 Demod.samples += 4;
490
491 if(Demod.posCount==0) {
492 Demod.posCount = 1;
493 if(modulation) {
494 Demod.sub = SUB_FIRST_HALF;
495 }
496 else {
497 Demod.sub = SUB_NONE;
498 }
499 }
500 else {
501 Demod.posCount = 0;
502 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
503 if(Demod.state!=DEMOD_ERROR_WAIT) {
504 Demod.state = DEMOD_ERROR_WAIT;
505 Demod.output[Demod.len] = 0xaa;
506 error = 0x01;
507 }
508 }
509 else if(modulation) {
510 Demod.sub = SUB_SECOND_HALF;
511 }
512
513 switch(Demod.state) {
514 case DEMOD_START_OF_COMMUNICATION:
515 if(Demod.sub == SUB_FIRST_HALF) {
516 Demod.state = DEMOD_MANCHESTER_D;
517 }
518 else {
519 Demod.output[Demod.len] = 0xab;
520 Demod.state = DEMOD_ERROR_WAIT;
521 error = 0x02;
522 }
523 break;
524
525 case DEMOD_MANCHESTER_D:
526 case DEMOD_MANCHESTER_E:
527 if(Demod.sub == SUB_FIRST_HALF) {
528 Demod.bitCount++;
529 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
530 Demod.state = DEMOD_MANCHESTER_D;
531 }
532 else if(Demod.sub == SUB_SECOND_HALF) {
533 Demod.bitCount++;
534 Demod.shiftReg >>= 1;
535 Demod.state = DEMOD_MANCHESTER_E;
536 }
537 else {
538 Demod.state = DEMOD_MANCHESTER_F;
539 }
540 break;
541
542 case DEMOD_MANCHESTER_F:
543 // Tag response does not need to be a complete byte!
544 if(Demod.len > 0 || Demod.bitCount > 0) {
545 if(Demod.bitCount > 0) {
546 Demod.shiftReg >>= (9 - Demod.bitCount);
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549 // No parity bit, so just shift a 0
550 Demod.parityBits <<= 1;
551 }
552
553 Demod.state = DEMOD_UNSYNCD;
554 return TRUE;
555 }
556 else {
557 Demod.output[Demod.len] = 0xad;
558 Demod.state = DEMOD_ERROR_WAIT;
559 error = 0x03;
560 }
561 break;
562
563 case DEMOD_ERROR_WAIT:
564 Demod.state = DEMOD_UNSYNCD;
565 break;
566
567 default:
568 Demod.output[Demod.len] = 0xdd;
569 Demod.state = DEMOD_UNSYNCD;
570 break;
571 }
572
573 if(Demod.bitCount>=9) {
574 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
575 Demod.len++;
576
577 Demod.parityBits <<= 1;
578 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
579
580 Demod.bitCount = 0;
581 Demod.shiftReg = 0;
582 }
583
584 /*if(error) {
585 Demod.output[Demod.len] = 0xBB;
586 Demod.len++;
587 Demod.output[Demod.len] = error & 0xFF;
588 Demod.len++;
589 Demod.output[Demod.len] = 0xBB;
590 Demod.len++;
591 Demod.output[Demod.len] = bit & 0xFF;
592 Demod.len++;
593 Demod.output[Demod.len] = Demod.buffer & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = 0xBB;
598 Demod.len++;
599 return TRUE;
600 }*/
601
602 }
603
604 } // end (state != UNSYNCED)
605
606 return FALSE;
607}
608
609//=============================================================================
610// Finally, a `sniffer' for ISO 14443 Type A
611// Both sides of communication!
612//=============================================================================
613
614//-----------------------------------------------------------------------------
615// Record the sequence of commands sent by the reader to the tag, with
616// triggering so that we start recording at the point that the tag is moved
617// near the reader.
618//-----------------------------------------------------------------------------
6c1e2d95 619void RAMFUNC SnoopIso14443a(void)
15c4dc5a 620{
621// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
622// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
623// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
624// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
625// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
626
627 // We won't start recording the frames that we acquire until we trigger;
628 // a good trigger condition to get started is probably when we see a
629 // response from the tag.
7e758047 630 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 631
632 // The command (reader -> tag) that we're receiving.
633 // The length of a received command will in most cases be no more than 18 bytes.
634 // So 32 should be enough!
f7e3ed82 635 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 636 // The response (tag -> reader) that we're receiving.
f7e3ed82 637 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 638
639 // As we receive stuff, we copy it from receivedCmd or receivedResponse
640 // into trace, along with its length and other annotations.
f7e3ed82 641 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 642
643 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 644
645 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 646 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 647 int lastRxCounter;
f7e3ed82 648 int8_t *upTo;
15c4dc5a 649 int smpl;
650 int maxBehindBy = 0;
651
652 // Count of samples received so far, so that we can include timing
653 // information in the trace buffer.
654 int samples = 0;
cee5a30d 655 int rsamples = 0;
15c4dc5a 656
657 memset(trace, 0x44, RECV_CMD_OFFSET);
658
659 // Set up the demodulator for tag -> reader responses.
660 Demod.output = receivedResponse;
661 Demod.len = 0;
662 Demod.state = DEMOD_UNSYNCD;
663
7e758047 664 // Setup for the DMA.
665 FpgaSetupSsc();
666 upTo = dmaBuf;
667 lastRxCounter = DMA_BUFFER_SIZE;
668 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
669
15c4dc5a 670 // And the reader -> tag commands
671 memset(&Uart, 0, sizeof(Uart));
672 Uart.output = receivedCmd;
673 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
674 Uart.state = STATE_UNSYNCD;
675
676 // And put the FPGA in the appropriate mode
677 // Signal field is off with the appropriate LED
678 LED_D_OFF();
679 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
680 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
681
15c4dc5a 682
683 // And now we loop, receiving samples.
684 for(;;) {
7e758047 685 LED_A_ON();
686 WDT_HIT();
15c4dc5a 687 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
688 (DMA_BUFFER_SIZE-1);
689 if(behindBy > maxBehindBy) {
690 maxBehindBy = behindBy;
691 if(behindBy > 400) {
7e758047 692 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 693 goto done;
694 }
695 }
696 if(behindBy < 1) continue;
697
7e758047 698 LED_A_OFF();
15c4dc5a 699 smpl = upTo[0];
700 upTo++;
701 lastRxCounter -= 1;
702 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
703 upTo -= DMA_BUFFER_SIZE;
704 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 705 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 706 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
707 }
708
709 samples += 4;
7e758047 710 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 711 rsamples = samples - Uart.samples;
72934aa3 712 LED_C_ON();
7e758047 713 if(triggered) {
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 718 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 722 trace[traceLen++] = Uart.byteCnt;
723 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
724 traceLen += Uart.byteCnt;
725 if(traceLen > TRACE_LENGTH) break;
726 }
727 /* And ready to receive another command. */
728 Uart.state = STATE_UNSYNCD;
729 /* And also reset the demod code, which might have been */
730 /* false-triggered by the commands from the reader. */
731 Demod.state = DEMOD_UNSYNCD;
7e758047 732 LED_B_OFF();
15c4dc5a 733 }
7e758047 734
735 if(ManchesterDecoding(smpl & 0x0F)) {
736 rsamples = samples - Demod.samples;
737 LED_B_ON();
738
739 // timestamp, as a count of samples
740 trace[traceLen++] = ((rsamples >> 0) & 0xff);
741 trace[traceLen++] = ((rsamples >> 8) & 0xff);
742 trace[traceLen++] = ((rsamples >> 16) & 0xff);
743 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
744 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
745 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
748 // length
749 trace[traceLen++] = Demod.len;
750 memcpy(trace+traceLen, receivedResponse, Demod.len);
751 traceLen += Demod.len;
752 if(traceLen > TRACE_LENGTH) break;
753
754 triggered = TRUE;
15c4dc5a 755
756 // And ready to receive another response.
757 memset(&Demod, 0, sizeof(Demod));
758 Demod.output = receivedResponse;
759 Demod.state = DEMOD_UNSYNCD;
7e758047 760 LED_C_OFF();
761 }
15c4dc5a 762
763 if(BUTTON_PRESS()) {
764 DbpString("cancelled_a");
765 goto done;
766 }
767 }
768
769 DbpString("COMMAND FINISHED");
770
771 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
772 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
773
774done:
775 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
776 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
777 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
778 LED_A_OFF();
779 LED_B_OFF();
780 LED_C_OFF();
781 LED_D_OFF();
782}
783
15c4dc5a 784//-----------------------------------------------------------------------------
785// Prepare tag messages
786//-----------------------------------------------------------------------------
f7e3ed82 787static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 788{
789 int i;
790 int oddparity;
791
792 ToSendReset();
793
794 // Correction bit, might be removed when not needed
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798 ToSendStuffBit(0);
799 ToSendStuffBit(1); // 1
800 ToSendStuffBit(0);
801 ToSendStuffBit(0);
802 ToSendStuffBit(0);
803
804 // Send startbit
72934aa3 805 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 806
807 for(i = 0; i < len; i++) {
808 int j;
f7e3ed82 809 uint8_t b = cmd[i];
15c4dc5a 810
811 // Data bits
812 oddparity = 0x01;
813 for(j = 0; j < 8; j++) {
814 oddparity ^= (b & 1);
815 if(b & 1) {
72934aa3 816 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 817 } else {
72934aa3 818 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 819 }
820 b >>= 1;
821 }
822
823 // Parity bit
824 if(oddparity) {
72934aa3 825 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 826 } else {
72934aa3 827 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 828 }
829 }
830
831 // Send stopbit
72934aa3 832 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 833
834 // Flush the buffer in FPGA!!
835 for(i = 0; i < 5; i++) {
72934aa3 836 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 837 }
838
839 // Convert from last byte pos to length
840 ToSendMax++;
841
842 // Add a few more for slop
843 ToSend[ToSendMax++] = 0x00;
844 ToSend[ToSendMax++] = 0x00;
845 //ToSendMax += 2;
846}
847
848//-----------------------------------------------------------------------------
849// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
850//-----------------------------------------------------------------------------
851static void CodeStrangeAnswer()
852{
853 int i;
854
855 ToSendReset();
856
857 // Correction bit, might be removed when not needed
858 ToSendStuffBit(0);
859 ToSendStuffBit(0);
860 ToSendStuffBit(0);
861 ToSendStuffBit(0);
862 ToSendStuffBit(1); // 1
863 ToSendStuffBit(0);
864 ToSendStuffBit(0);
865 ToSendStuffBit(0);
866
867 // Send startbit
72934aa3 868 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 869
870 // 0
72934aa3 871 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 872
873 // 0
72934aa3 874 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 875
876 // 1
72934aa3 877 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 878
879 // Send stopbit
72934aa3 880 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 881
882 // Flush the buffer in FPGA!!
883 for(i = 0; i < 5; i++) {
72934aa3 884 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 885 }
886
887 // Convert from last byte pos to length
888 ToSendMax++;
889
890 // Add a few more for slop
891 ToSend[ToSendMax++] = 0x00;
892 ToSend[ToSendMax++] = 0x00;
893 //ToSendMax += 2;
894}
895
896//-----------------------------------------------------------------------------
897// Wait for commands from reader
898// Stop when button is pressed
899// Or return TRUE when command is captured
900//-----------------------------------------------------------------------------
f7e3ed82 901static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 902{
903 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
904 // only, since we are receiving, not transmitting).
905 // Signal field is off with the appropriate LED
906 LED_D_OFF();
907 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
908
909 // Now run a `software UART' on the stream of incoming samples.
910 Uart.output = received;
911 Uart.byteCntMax = maxLen;
912 Uart.state = STATE_UNSYNCD;
913
914 for(;;) {
915 WDT_HIT();
916
917 if(BUTTON_PRESS()) return FALSE;
918
919 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
920 AT91C_BASE_SSC->SSC_THR = 0x00;
921 }
922 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 923 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 924 if(MillerDecoding((b & 0xf0) >> 4)) {
925 *len = Uart.byteCnt;
926 return TRUE;
927 }
928 if(MillerDecoding(b & 0x0f)) {
929 *len = Uart.byteCnt;
930 return TRUE;
931 }
932 }
933 }
934}
9ca155ba 935static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
15c4dc5a 936
937//-----------------------------------------------------------------------------
938// Main loop of simulated tag: receive commands from reader, decide what
939// response to send, and send it.
940//-----------------------------------------------------------------------------
941void SimulateIso14443aTag(int tagType, int TagUid)
942{
943 // This function contains the tag emulation
944
945 // Prepare protocol messages
f7e3ed82 946 // static const uint8_t cmd1[] = { 0x26 };
947// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 948//
f7e3ed82 949 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
950// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 951
952 // UID response
f7e3ed82 953 // static const uint8_t cmd2[] = { 0x93, 0x20 };
954 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 955
15c4dc5a 956// my desfire
f7e3ed82 957 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 958
959
960// When reader selects us during cascade1 it will send cmd3
f7e3ed82 961//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
962uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 963ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
964
965// send cascade2 2nd half of UID
f7e3ed82 966static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 967// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
968
15c4dc5a 969// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 970//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
971uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 972ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
973
f7e3ed82 974 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 975
f7e3ed82 976 uint8_t *resp;
15c4dc5a 977 int respLen;
978
979 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
980 // This will need
981 // 144 data bits (18 * 8)
982 // 18 parity bits
983 // 2 Start and stop
984 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
985 // 1 just for the case
986 // ----------- +
987 // 166
988 //
989 // 166 bytes, since every bit that needs to be send costs us a byte
990 //
991
15c4dc5a 992 // Respond with card type
f7e3ed82 993 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 994 int resp1Len;
995
996 // Anticollision cascade1 - respond with uid
f7e3ed82 997 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 998 int resp2Len;
999
1000 // Anticollision cascade2 - respond with 2nd half of uid if asked
1001 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1002 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1003 int resp2aLen;
1004
1005 // Acknowledge select - cascade 1
f7e3ed82 1006 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1007 int resp3Len;
1008
1009 // Acknowledge select - cascade 2
f7e3ed82 1010 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1011 int resp3aLen;
1012
1013 // Response to a read request - not implemented atm
f7e3ed82 1014 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1015 int resp4Len;
1016
1017 // Authenticate response - nonce
f7e3ed82 1018 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1019 int resp5Len;
1020
f7e3ed82 1021 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1022 int len;
1023
1024 int i;
1025 int u;
f7e3ed82 1026 uint8_t b;
15c4dc5a 1027
1028 // To control where we are in the protocol
1029 int order = 0;
1030 int lastorder;
1031
1032 // Just to allow some checks
1033 int happened = 0;
1034 int happened2 = 0;
1035
1036 int cmdsRecvd = 0;
1037
f7e3ed82 1038 int fdt_indicator;
15c4dc5a 1039
1040 memset(receivedCmd, 0x44, 400);
1041
1042 // Prepare the responses of the anticollision phase
1043 // there will be not enough time to do this at the moment the reader sends it REQA
1044
1045 // Answer to request
1046 CodeIso14443aAsTag(response1, sizeof(response1));
1047 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1048
1049 // Send our UID (cascade 1)
1050 CodeIso14443aAsTag(response2, sizeof(response2));
1051 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1052
1053 // Answer to select (cascade1)
1054 CodeIso14443aAsTag(response3, sizeof(response3));
1055 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1056
1057 // Send the cascade 2 2nd part of the uid
1058 CodeIso14443aAsTag(response2a, sizeof(response2a));
1059 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1060
1061 // Answer to select (cascade 2)
1062 CodeIso14443aAsTag(response3a, sizeof(response3a));
1063 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1064
1065 // Strange answer is an example of rare message size (3 bits)
1066 CodeStrangeAnswer();
1067 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1068
1069 // Authentication answer (random nonce)
1070 CodeIso14443aAsTag(response5, sizeof(response5));
1071 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1072
1073 // We need to listen to the high-frequency, peak-detected path.
1074 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1075 FpgaSetupSsc();
1076
1077 cmdsRecvd = 0;
1078
1079 LED_A_ON();
1080 for(;;) {
1081
1082 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1083 DbpString("button press");
1084 break;
1085 }
1086 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1087 // Okay, look at the command now.
1088 lastorder = order;
1089 i = 1; // first byte transmitted
1090 if(receivedCmd[0] == 0x26) {
1091 // Received a REQUEST
1092 resp = resp1; respLen = resp1Len; order = 1;
1093 //DbpString("Hello request from reader:");
1094 } else if(receivedCmd[0] == 0x52) {
1095 // Received a WAKEUP
1096 resp = resp1; respLen = resp1Len; order = 6;
1097// //DbpString("Wakeup request from reader:");
1098
1099 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1100 // Received request for UID (cascade 1)
1101 resp = resp2; respLen = resp2Len; order = 2;
1102// DbpString("UID (cascade 1) request from reader:");
1103// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1104
1105
1106 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1107 // Received request for UID (cascade 2)
1108 resp = resp2a; respLen = resp2aLen; order = 20;
1109// DbpString("UID (cascade 2) request from reader:");
1110// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1111
1112
1113 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1114 // Received a SELECT
1115 resp = resp3; respLen = resp3Len; order = 3;
1116// DbpString("Select (cascade 1) request from reader:");
1117// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1118
1119
1120 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1121 // Received a SELECT
1122 resp = resp3a; respLen = resp3aLen; order = 30;
1123// DbpString("Select (cascade 2) request from reader:");
1124// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1125
1126
1127 } else if(receivedCmd[0] == 0x30) {
1128 // Received a READ
1129 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1130 Dbprintf("Read request from reader: %x %x %x",
1131 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1132
1133
1134 } else if(receivedCmd[0] == 0x50) {
1135 // Received a HALT
1136 resp = resp1; respLen = 0; order = 5; // Do nothing
1137 DbpString("Reader requested we HALT!:");
1138
1139 } else if(receivedCmd[0] == 0x60) {
1140 // Received an authentication request
1141 resp = resp5; respLen = resp5Len; order = 7;
1142 Dbprintf("Authenticate request from reader: %x %x %x",
1143 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1144
1145 } else if(receivedCmd[0] == 0xE0) {
1146 // Received a RATS request
1147 resp = resp1; respLen = 0;order = 70;
1148 Dbprintf("RATS request from reader: %x %x %x",
1149 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1150 } else {
1151 // Never seen this command before
20f9a2a1
M		 1152 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1153 len,
15c4dc5a 1154 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M		 1155 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1156 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1157 // Do not respond
1158 resp = resp1; respLen = 0; order = 0;
1159 }
1160
1161 // Count number of wakeups received after a halt
1162 if(order == 6 && lastorder == 5) { happened++; }
1163
1164 // Count number of other messages after a halt
1165 if(order != 6 && lastorder == 5) { happened2++; }
1166
1167 // Look at last parity bit to determine timing of answer
1168 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1169 // 1236, so correction bit needed
1170 i = 0;
1171 }
1172
1173 memset(receivedCmd, 0x44, 32);
1174
1175 if(cmdsRecvd > 999) {
1176 DbpString("1000 commands later...");
1177 break;
1178 }
1179 else {
1180 cmdsRecvd++;
1181 }
1182
1183 if(respLen <= 0) continue;
9ca155ba
M		 1184 //----------------------------
1185 u = 0;
1186 b = 0x00;
1187 fdt_indicator = FALSE;
15c4dc5a 1188
9ca155ba
M		 1189 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1190/* // Modulate Manchester
15c4dc5a 1191 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1192 AT91C_BASE_SSC->SSC_THR = 0x00;
1193 FpgaSetupSsc();
1194
1195 // ### Transmit the response ###
1196 u = 0;
1197 b = 0x00;
1198 fdt_indicator = FALSE;
1199 for(;;) {
1200 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1201 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1202 (void)b;
1203 }
1204 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1205 if(i > respLen) {
1206 b = 0x00;
1207 u++;
1208 } else {
1209 b = resp[i];
1210 i++;
1211 }
1212 AT91C_BASE_SSC->SSC_THR = b;
1213
1214 if(u > 4) {
1215 break;
1216 }
1217 }
1218 if(BUTTON_PRESS()) {
1219 break;
1220 }
1221 }
9ca155ba 1222*/
15c4dc5a 1223 }
1224
1225 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1226 LED_A_OFF();
1227}
1228
1229//-----------------------------------------------------------------------------
1230// Transmit the command (to the tag) that was placed in ToSend[].
1231//-----------------------------------------------------------------------------
f7e3ed82 1232static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1233{
1234 int c;
e30c654b 1235
15c4dc5a 1236 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1237
15c4dc5a 1238 if (wait)
1239 if(*wait < 10)
1240 *wait = 10;
e30c654b 1241
15c4dc5a 1242 for(c = 0; c < *wait;) {
1243 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1244 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1245 c++;
1246 }
1247 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1248 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1249 (void)r;
1250 }
1251 WDT_HIT();
1252 }
e30c654b 1253
15c4dc5a 1254 c = 0;
1255 for(;;) {
1256 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1257 AT91C_BASE_SSC->SSC_THR = cmd[c];
1258 c++;
1259 if(c >= len) {
1260 break;
1261 }
1262 }
1263 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1264 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1265 (void)r;
1266 }
1267 WDT_HIT();
1268 }
1269 if (samples) *samples = (c + *wait) << 3;
1270}
1271
15c4dc5a 1272//-----------------------------------------------------------------------------
1273// Code a 7-bit command without parity bit
1274// This is especially for 0x26 and 0x52 (REQA and WUPA)
1275//-----------------------------------------------------------------------------
f7e3ed82 1276void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1277{
1278 int j;
1279 int last;
f7e3ed82 1280 uint8_t b;
15c4dc5a 1281
1282 ToSendReset();
1283
1284 // Start of Communication (Seq. Z)
72934aa3 1285 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1286 last = 0;
1287
1288 b = bt;
1289 for(j = 0; j < 7; j++) {
1290 if(b & 1) {
1291 // Sequence X
72934aa3 1292 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1293 last = 1;
1294 } else {
1295 if(last == 0) {
1296 // Sequence Z
72934aa3 1297 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1298 }
1299 else {
1300 // Sequence Y
72934aa3 1301 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1302 last = 0;
1303 }
1304 }
1305 b >>= 1;
1306 }
1307
1308 // End of Communication
1309 if(last == 0) {
1310 // Sequence Z
72934aa3 1311 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1312 }
1313 else {
1314 // Sequence Y
72934aa3 1315 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1316 last = 0;
1317 }
1318 // Sequence Y
72934aa3 1319 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1320
1321 // Just to be sure!
72934aa3 1322 ToSend[++ToSendMax] = SEC_Y;
1323 ToSend[++ToSendMax] = SEC_Y;
1324 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1325
1326 // Convert from last character reference to length
1327 ToSendMax++;
1328}
1329
1330//-----------------------------------------------------------------------------
1331// Prepare reader command to send to FPGA
e30c654b 1332//
15c4dc5a 1333//-----------------------------------------------------------------------------
f7e3ed82 1334void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1335{
1336 int i, j;
1337 int last;
f7e3ed82 1338 uint8_t b;
e30c654b 1339
15c4dc5a 1340 ToSendReset();
e30c654b 1341
15c4dc5a 1342 // Start of Communication (Seq. Z)
72934aa3 1343 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1344 last = 0;
e30c654b 1345
15c4dc5a 1346 // Generate send structure for the data bits
1347 for (i = 0; i < len; i++) {
1348 // Get the current byte to send
1349 b = cmd[i];
e30c654b 1350
15c4dc5a 1351 for (j = 0; j < 8; j++) {
1352 if (b & 1) {
1353 // Sequence X
72934aa3 1354 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1355 last = 1;
1356 } else {
1357 if (last == 0) {
1358 // Sequence Z
72934aa3 1359 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1360 } else {
1361 // Sequence Y
72934aa3 1362 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1363 last = 0;
1364 }
1365 }
1366 b >>= 1;
1367 }
e30c654b 1368
15c4dc5a 1369 // Get the parity bit
1370 if ((dwParity >> i) & 0x01) {
1371 // Sequence X
72934aa3 1372 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1373 last = 1;
1374 } else {
1375 if (last == 0) {
1376 // Sequence Z
72934aa3 1377 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1378 } else {
1379 // Sequence Y
72934aa3 1380 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1381 last = 0;
1382 }
1383 }
1384 }
e30c654b 1385
15c4dc5a 1386 // End of Communication
1387 if (last == 0) {
1388 // Sequence Z
72934aa3 1389 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1390 } else {
1391 // Sequence Y
72934aa3 1392 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1393 last = 0;
1394 }
1395 // Sequence Y
72934aa3 1396 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1397
15c4dc5a 1398 // Just to be sure!
72934aa3 1399 ToSend[++ToSendMax] = SEC_Y;
1400 ToSend[++ToSendMax] = SEC_Y;
1401 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1402
15c4dc5a 1403 // Convert from last character reference to length
1404 ToSendMax++;
1405}
1406
9ca155ba
M		 1407//-----------------------------------------------------------------------------
1408// Wait for commands from reader
1409// Stop when button is pressed (return 1) or field was gone (return 2)
1410// Or return 0 when command is captured
1411//-----------------------------------------------------------------------------
1412static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1413{
1414 *len = 0;
1415
1416 uint32_t timer = 0, vtime = 0;
1417 int analogCnt = 0;
1418 int analogAVG = 0;
1419
1420 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1421 // only, since we are receiving, not transmitting).
1422 // Signal field is off with the appropriate LED
1423 LED_D_OFF();
1424 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1425
1426 // Set ADC to read field strength
1427 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1428 AT91C_BASE_ADC->ADC_MR =
1429 ADC_MODE_PRESCALE(32) |
1430 ADC_MODE_STARTUP_TIME(16) |
1431 ADC_MODE_SAMPLE_HOLD_TIME(8);
1432 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1433 // start ADC
1434 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1435
1436 // Now run a 'software UART' on the stream of incoming samples.
1437 Uart.output = received;
1438 Uart.byteCntMax = maxLen;
1439 Uart.state = STATE_UNSYNCD;
1440
1441 for(;;) {
1442 WDT_HIT();
1443
1444 if (BUTTON_PRESS()) return 1;
1445
1446 // test if the field exists
1447 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1448 analogCnt++;
1449 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1450 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1451 if (analogCnt >= 32) {
1452 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1453 vtime = GetTickCount();
1454 if (!timer) timer = vtime;
1455 // 50ms no field --> card to idle state
1456 if (vtime - timer > 50) return 2;
1457 } else
1458 if (timer) timer = 0;
1459 analogCnt = 0;
1460 analogAVG = 0;
1461 }
1462 }
1463 // transmit none
1464 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1465 AT91C_BASE_SSC->SSC_THR = 0x00;
1466 }
1467 // receive and test the miller decoding
1468 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1469 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1470 if(MillerDecoding((b & 0xf0) >> 4)) {
1471 *len = Uart.byteCnt;
1472 return 0;
1473 }
1474 if(MillerDecoding(b & 0x0f)) {
1475 *len = Uart.byteCnt;
1476 return 0;
1477 }
1478 }
1479 }
1480}
1481
1482static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1483{
1484 int i, u = 0;
1485 uint8_t b = 0;
1486
1487 // Modulate Manchester
1488 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1489 AT91C_BASE_SSC->SSC_THR = 0x00;
1490 FpgaSetupSsc();
1491
1492 // include correction bit
1493 i = 1;
1494 if((Uart.parityBits & 0x01) || correctionNeeded) {
1495 // 1236, so correction bit needed
1496 i = 0;
1497 }
1498
1499 // send cycle
1500 for(;;) {
1501 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1502 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1503 (void)b;
1504 }
1505 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1506 if(i > respLen) {
1507 b = 0x00;
1508 u++;
1509 } else {
1510 b = resp[i];
1511 i++;
1512 }
1513 AT91C_BASE_SSC->SSC_THR = b;
1514
1515 if(u > 4) break;
1516 }
1517 if(BUTTON_PRESS()) {
1518 break;
1519 }
1520 }
1521
1522 return 0;
1523}
1524
1525static int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1526 CodeIso14443aAsTag(resp, respLen);
1527 return EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1528}
1529
1530static int EmSendCmd(uint8_t *resp, int respLen){
1531 return EmSendCmdEx(resp, respLen, 0);
1532}
1533
15c4dc5a 1534//-----------------------------------------------------------------------------
1535// Wait a certain time for tag response
1536// If a response is captured return TRUE
1537// If it takes to long return FALSE
1538//-----------------------------------------------------------------------------
f7e3ed82 1539static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1540{
1541 // buffer needs to be 512 bytes
1542 int c;
1543
1544 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1545 // only, since we are receiving, not transmitting).
1546 // Signal field is on with the appropriate LED
1547 LED_D_ON();
1548 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1549
534983d7 1550 // Now get the answer from the card
1551 Demod.output = receivedResponse;
1552 Demod.len = 0;
1553 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1554
f7e3ed82 1555 uint8_t b;
15c4dc5a 1556 if (elapsed) *elapsed = 0;
1557
1558 c = 0;
1559 for(;;) {
534983d7 1560 WDT_HIT();
15c4dc5a 1561
534983d7 1562 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1563 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1564 if (elapsed) (*elapsed)++;
534983d7 1565 }
1566 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1567 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1568 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1569 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1570 *samples = ((c - 1) << 3) + 4;
1571 return TRUE;
1572 }
1573 if(ManchesterDecoding(b & 0x0f)) {
1574 *samples = c << 3;
1575 return TRUE;
1576 }
534983d7 1577 }
1578 }
15c4dc5a 1579}
1580
f7e3ed82 1581void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1582{
1583 int wait = 0;
1584 int samples = 0;
1585
1586 ShortFrameFromReader(*bt);
e30c654b 1587
15c4dc5a 1588 // Select the card
e30c654b 1589 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1590
15c4dc5a 1591 // Store reader command in buffer
1592 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1593}
1594
f7e3ed82 1595void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1596{
1597 int wait = 0;
1598 int samples = 0;
e30c654b 1599
15c4dc5a 1600 // This is tied to other size changes
f7e3ed82 1601 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1602 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1603
15c4dc5a 1604 // Select the card
e30c654b 1605 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1606 if(trigger)
1607 LED_A_ON();
e30c654b 1608
15c4dc5a 1609 // Store reader command in buffer
1610 if (tracing) LogTrace(frame,len,0,par,TRUE);
1611}
1612
1613
f7e3ed82 1614void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1615{
1616 // Generate parity and redirect
1617 ReaderTransmitPar(frame,len,GetParity(frame,len));
1618}
1619
f7e3ed82 1620int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1621{
1622 int samples = 0;
20f9a2a1 1623 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1624 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1625 if(samples == 0) return FALSE;
1626 return Demod.len;
15c4dc5a 1627}
1628
f89c7050
M		 1629int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1630{
1631 int samples = 0;
1632 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1633 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1634 *parptr = Demod.parityBits;
1635 if(samples == 0) return FALSE;
1636 return Demod.len;
1637}
1638
7e758047 1639/* performs iso14443a anticolision procedure
534983d7 1640 * fills the uid pointer unless NULL
1641 * fills resp_data unless NULL */
20f9a2a1
M		 1642int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1643 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1644 uint8_t sel_all[] = { 0x93,0x20 };
1645 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1646 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1647
7e758047 1648 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1649
534983d7 1650 uint8_t sak = 0x04; // cascade uid
1651 int cascade_level = 0;
1652
7e758047 1653 int len;
20f9a2a1
M		 1654
1655 // clear uid
1656 memset(uid_ptr, 0, 8);
15c4dc5a 1657
7e758047 1658 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1659 ReaderTransmitShort(wupa);
1660 // Receive the ATQA
1661 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1662
534983d7 1663 if(resp_data)
1664 memcpy(resp_data->atqa, resp, 2);
1665
534983d7 1666 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1667 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1668 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1669 for(; sak & 0x04; cascade_level++)
7e758047 1670 {
534983d7 1671 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1672 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1673
1674 // SELECT_ALL
1675 ReaderTransmit(sel_all,sizeof(sel_all));
1676 if (!ReaderReceive(resp)) return 0;
1677 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M		 1678
1679 // calculate crypto UID
1680 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1681
7e758047 1682 // Construct SELECT UID command
534983d7 1683 memcpy(sel_uid+2,resp,5);
1684 AppendCrc14443a(sel_uid,7);
1685 ReaderTransmit(sel_uid,sizeof(sel_uid));
1686
7e758047 1687 // Receive the SAK
1688 if (!ReaderReceive(resp)) return 0;
534983d7 1689 sak = resp[0];
7e758047 1690 }
534983d7 1691 if(resp_data) {
1692 resp_data->sak = sak;
1693 resp_data->ats_len = 0;
1694 }
20f9a2a1
M		 1695 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1696 if (uid_ptr[0] == 0x88) {
1697 memcpy(uid_ptr, uid_ptr + 1, 7);
1698 uid_ptr[7] = 0;
1699 }
534983d7 1700
1701 if( (sak & 0x20) == 0)
7e758047 1702 return 2; // non iso14443a compliant tag
534983d7 1703
7e758047 1704 // Request for answer to select
20f9a2a1
M		 1705 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1706 AppendCrc14443a(rats, 2);
1707 ReaderTransmit(rats, sizeof(rats));
1708
1709 if (!(len = ReaderReceive(resp))) return 0;
1710
534983d7 1711 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1712 resp_data->ats_len = len;
1713 }
20f9a2a1 1714
7e758047 1715 return 1;
1716}
15c4dc5a 1717
7e758047 1718void iso14443a_setup() {
1719 // Setup SSC
1720 FpgaSetupSsc();
1721 // Start from off (no field generated)
1722 // Signal field is off with the appropriate LED
1723 LED_D_OFF();
1724 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1725 SpinDelay(200);
15c4dc5a 1726
7e758047 1727 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1728
7e758047 1729 // Now give it time to spin up.
1730 // Signal field is on with the appropriate LED
1731 LED_D_ON();
1732 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1733 SpinDelay(200);
534983d7 1734
1735 iso14a_timeout = 2048; //default
7e758047 1736}
15c4dc5a 1737
534983d7 1738int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1739 uint8_t real_cmd[cmd_len+4];
1740 real_cmd[0] = 0x0a; //I-Block
1741 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1742 memcpy(real_cmd+2, cmd, cmd_len);
1743 AppendCrc14443a(real_cmd,cmd_len+2);
1744
1745 ReaderTransmit(real_cmd, cmd_len+4);
1746 size_t len = ReaderReceive(data);
1747 if(!len)
1748 return -1; //DATA LINK ERROR
1749
1750 return len;
1751}
1752
1753
7e758047 1754//-----------------------------------------------------------------------------
1755// Read an ISO 14443a tag. Send out commands and store answers.
1756//
1757//-----------------------------------------------------------------------------
534983d7 1758void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1759{
534983d7 1760 iso14a_command_t param = c->arg[0];
1761 uint8_t * cmd = c->d.asBytes;
1762 size_t len = c->arg[1];
e30c654b 1763
534983d7 1764 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1765
534983d7 1766 if(param & ISO14A_CONNECT) {
1767 iso14443a_setup();
20f9a2a1 1768 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1769 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1770 }
e30c654b 1771
534983d7 1772 if(param & ISO14A_SET_TIMEOUT) {
1773 iso14a_timeout = c->arg[2];
1774 }
e30c654b 1775
534983d7 1776 if(param & ISO14A_SET_TIMEOUT) {
1777 iso14a_timeout = c->arg[2];
1778 }
e30c654b 1779
534983d7 1780 if(param & ISO14A_APDU) {
1781 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1782 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1783 }
e30c654b 1784
534983d7 1785 if(param & ISO14A_RAW) {
1786 if(param & ISO14A_APPEND_CRC) {
1787 AppendCrc14443a(cmd,len);
1788 len += 2;
15c4dc5a 1789 }
534983d7 1790 ReaderTransmit(cmd,len);
1791 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1792 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1793 }
15c4dc5a 1794
534983d7 1795 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1796
534983d7 1797 if(param & ISO14A_NO_DISCONNECT)
1798 return;
15c4dc5a 1799
15c4dc5a 1800 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1801 LEDsoff();
15c4dc5a 1802}
15c4dc5a 1803//-----------------------------------------------------------------------------
1804// Read an ISO 14443a tag. Send out commands and store answers.
1805//
1806//-----------------------------------------------------------------------------
f7e3ed82 1807void ReaderMifare(uint32_t parameter)
15c4dc5a 1808{
15c4dc5a 1809 // Mifare AUTH
f7e3ed82 1810 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1811 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1812
f89c7050
M		 1813 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1814 traceLen = 0;
1815 tracing = false;
e30c654b 1816
7e758047 1817 iso14443a_setup();
e30c654b 1818
15c4dc5a 1819 LED_A_ON();
1820 LED_B_OFF();
1821 LED_C_OFF();
e30c654b 1822
f89c7050
M		 1823 byte_t nt_diff = 0;
1824 LED_A_OFF();
1825 byte_t par = 0;
1826 byte_t par_mask = 0xff;
1827 byte_t par_low = 0;
1828 int led_on = TRUE;
50193c1e 1829 uint8_t uid[8];
f89c7050 1830 uint32_t cuid;
e30c654b 1831
f89c7050
M		 1832 tracing = FALSE;
1833 byte_t nt[4] = {0,0,0,0};
f397b5cc 1834 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M		 1835 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1836 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 1837 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 1838 int isOK = 0, isNULL = 0;
f397b5cc 1839
f89c7050
M		 1840 while(TRUE)
1841 {
50193c1e 1842 LED_C_ON();
f89c7050
M		 1843 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1844 SpinDelay(200);
1845 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 1846 LED_C_OFF();
e30c654b 1847
f89c7050
M		 1848 // Test if the action was cancelled
1849 if(BUTTON_PRESS()) {
1850 break;
1851 }
e30c654b 1852
f89c7050 1853 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 1854
f89c7050
M		 1855 // Transmit MIFARE_CLASSIC_AUTH
1856 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 1857
f89c7050
M		 1858 // Receive the (16 bit) "random" nonce
1859 if (!ReaderReceive(receivedAnswer)) continue;
1860 memcpy(nt, receivedAnswer, 4);
e30c654b 1861
f89c7050
M		 1862 // Transmit reader nonce and reader answer
1863 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 1864
f89c7050
M		 1865 // Receive 4 bit answer
1866 if (ReaderReceive(receivedAnswer))
1867 {
f397b5cc
M		 1868 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1869
50193c1e
M		 1870 isNULL = (nt_attacked[0] = 0) && (nt_attacked[1] = 0) && (nt_attacked[2] = 0) && (nt_attacked[3] = 0);
1871 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1872
f89c7050
M		 1873 if (nt_diff == 0)
1874 {
1875 LED_A_ON();
1876 memcpy(nt_attacked, nt, 4);
1877 par_mask = 0xf8;
1878 par_low = par & 0x07;
1879 }
15c4dc5a 1880
f89c7050
M		 1881 led_on = !led_on;
1882 if(led_on) LED_B_ON(); else LED_B_OFF();
1883 par_list[nt_diff] = par;
1884 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 1885
f89c7050
M		 1886 // Test if the information is complete
1887 if (nt_diff == 0x07) {
1888 isOK = 1;
1889 break;
1890 }
1891
1892 nt_diff = (nt_diff + 1) & 0x07;
1893 mf_nr_ar[3] = nt_diff << 5;
1894 par = par_low;
1895 } else {
1896 if (nt_diff == 0)
1897 {
1898 par++;
1899 } else {
1900 par = (((par >> 3) + 1) << 3) | par_low;
1901 }
1902 }
1903 }
e30c654b 1904
f89c7050
M		 1905 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1906 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1907 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 1908
f89c7050
M		 1909 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1910 memcpy(ack.d.asBytes + 0, uid, 4);
1911 memcpy(ack.d.asBytes + 4, nt, 4);
1912 memcpy(ack.d.asBytes + 8, par_list, 8);
1913 memcpy(ack.d.asBytes + 16, ks_list, 8);
1914
1915 LED_B_ON();
1916 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1917 LED_B_OFF();
1918
1919 // Thats it...
15c4dc5a 1920 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1921 LEDsoff();
f89c7050
M		 1922 tracing = TRUE;
1923
f397b5cc 1924 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M		 1925}
1926
1927//-----------------------------------------------------------------------------
1928// Select, Authenticaate, Read an MIFARE tag.
1929// read block
1930//-----------------------------------------------------------------------------
1931void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1932{
1933 // params
1934 uint8_t blockNo = arg0;
1935 uint8_t keyType = arg1;
1936 uint64_t ui64Key = 0;
1937 ui64Key = bytes_to_num(datain, 6);
1938
1939 // variables
4abe4f58
M		 1940 byte_t isOK = 0;
1941 byte_t dataoutbuf[16];
50193c1e 1942 uint8_t uid[8];
20f9a2a1 1943 uint32_t cuid;
4abe4f58 1944 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 1945 struct Crypto1State *pcs;
1946 pcs = &mpcs;
1947
1948 // clear trace
4abe4f58
M		 1949 traceLen = 0;
1950// tracing = false;
20f9a2a1
M		 1951
1952 iso14443a_setup();
1953
1954 LED_A_ON();
1955 LED_B_OFF();
1956 LED_C_OFF();
1957
1958 while (true) {
1959 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 1960 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M		 1961 break;
1962 };
1963
4abe4f58 1964 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
f397b5cc 1965 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
20f9a2a1
M		 1966 break;
1967 };
1968
1969 if(mifare_classic_readblock(pcs, cuid, blockNo, dataoutbuf)) {
f397b5cc 1970 if (MF_DBGLEVEL >= 1) Dbprintf("Read block error");
20f9a2a1
M		 1971 break;
1972 };
1973
1974 if(mifare_classic_halt(pcs, cuid)) {
f397b5cc 1975 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
20f9a2a1
M		 1976 break;
1977 };
1978
1979 isOK = 1;
1980 break;
1981 }
1982
1983 // ----------------------------- crypto1 destroy
1984 crypto1_destroy(pcs);
1985
f397b5cc 1986 if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");
20f9a2a1
M		 1987
1988 // add trace trailer
1989 uid[0] = 0xff;
1990 uid[1] = 0xff;
1991 uid[2] = 0xff;
1992 uid[3] = 0xff;
4abe4f58 1993 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M		 1994
1995 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1996 memcpy(ack.d.asBytes, dataoutbuf, 16);
1997
1998 LED_B_ON();
1999 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
4abe4f58 2000 LED_B_OFF();
20f9a2a1
M		 2001
2002
2003 // Thats it...
2004 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2005 LEDsoff();
2006// tracing = TRUE;
2007
2008}
2009
2010//-----------------------------------------------------------------------------
2011// Select, Authenticaate, Read an MIFARE tag.
2012// read sector (data = 4 x 16 bytes = 64 bytes)
2013//-----------------------------------------------------------------------------
2014void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2015{
2016 // params
2017 uint8_t sectorNo = arg0;
2018 uint8_t keyType = arg1;
2019 uint64_t ui64Key = 0;
2020 ui64Key = bytes_to_num(datain, 6);
2021
2022 // variables
4abe4f58
M		 2023 byte_t isOK = 0;
2024 byte_t dataoutbuf[16 * 4];
20f9a2a1
M		 2025 uint8_t uid[8];
2026 uint32_t cuid;
4abe4f58 2027 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 2028 struct Crypto1State *pcs;
2029 pcs = &mpcs;
2030
2031 // clear trace
4abe4f58
M		 2032 traceLen = 0;
2033// tracing = false;
20f9a2a1
M		 2034
2035 iso14443a_setup();
2036
2037 LED_A_ON();
2038 LED_B_OFF();
2039 LED_C_OFF();
2040
2041 while (true) {
2042 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 2043 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M		 2044 break;
2045 };
2046
4abe4f58 2047 if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
f397b5cc 2048 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
20f9a2a1
M		 2049 break;
2050 };
2051
2052 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 0, dataoutbuf + 16 * 0)) {
f397b5cc 2053 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 0 error");
20f9a2a1
M		 2054 break;
2055 };
2056 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 1, dataoutbuf + 16 * 1)) {
f397b5cc 2057 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 1 error");
20f9a2a1
M		 2058 break;
2059 };
2060 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 2, dataoutbuf + 16 * 2)) {
f397b5cc 2061 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 2 error");
20f9a2a1
M		 2062 break;
2063 };
2064 if(mifare_classic_readblock(pcs, cuid, sectorNo * 4 + 3, dataoutbuf + 16 * 3)) {
f397b5cc 2065 if (MF_DBGLEVEL >= 1) Dbprintf("Read block 3 error");
20f9a2a1
M		 2066 break;
2067 };
2068
2069 if(mifare_classic_halt(pcs, cuid)) {
f397b5cc 2070 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
20f9a2a1
M		 2071 break;
2072 };
2073
2074 isOK = 1;
2075 break;
2076 }
2077
2078 // ----------------------------- crypto1 destroy
2079 crypto1_destroy(pcs);
2080
f397b5cc 2081 if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");
20f9a2a1
M		 2082
2083 // add trace trailer
2084 uid[0] = 0xff;
2085 uid[1] = 0xff;
2086 uid[2] = 0xff;
2087 uid[3] = 0xff;
4abe4f58 2088 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M		 2089
2090 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2091 memcpy(ack.d.asBytes, dataoutbuf, 16 * 2);
2092
2093 LED_B_ON();
2094 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2095
2096 SpinDelay(100);
2097
2098 memcpy(ack.d.asBytes, dataoutbuf + 16 * 2, 16 * 2);
2099 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2100 LED_B_OFF();
2101
4abe4f58 2102 // Thats it...
20f9a2a1
M		 2103 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2104 LEDsoff();
2105// tracing = TRUE;
2106
2107}
2108
2109//-----------------------------------------------------------------------------
2110// Select, Authenticaate, Read an MIFARE tag.
2111// read block
2112//-----------------------------------------------------------------------------
2113void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2114{
4abe4f58 2115 // params
20f9a2a1
M		 2116 uint8_t blockNo = arg0;
2117 uint8_t keyType = arg1;
2118 uint64_t ui64Key = 0;
4abe4f58 2119 byte_t blockdata[16];
20f9a2a1
M		 2120
2121 ui64Key = bytes_to_num(datain, 6);
2122 memcpy(blockdata, datain + 10, 16);
2123
2124 // variables
4abe4f58 2125 byte_t isOK = 0;
20f9a2a1
M		 2126 uint8_t uid[8];
2127 uint32_t cuid;
4abe4f58 2128 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 2129 struct Crypto1State *pcs;
2130 pcs = &mpcs;
2131
2132 // clear trace
4abe4f58 2133 traceLen = 0;
20f9a2a1
M		 2134// tracing = false;
2135
2136 iso14443a_setup();
2137
2138 LED_A_ON();
2139 LED_B_OFF();
2140 LED_C_OFF();
2141
2142 while (true) {
f397b5cc
M		 2143 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2144 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M		 2145 break;
2146 };
2147
4abe4f58 2148 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
f397b5cc 2149 if (MF_DBGLEVEL >= 1) Dbprintf("Auth error");
20f9a2a1
M		 2150 break;
2151 };
2152
2153 if(mifare_classic_writeblock(pcs, cuid, blockNo, blockdata)) {
f397b5cc 2154 if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");
20f9a2a1
M		 2155 break;
2156 };
2157
2158 if(mifare_classic_halt(pcs, cuid)) {
f397b5cc 2159 if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
20f9a2a1
M		 2160 break;
2161 };
2162
2163 isOK = 1;
2164 break;
2165 }
2166
2167 // ----------------------------- crypto1 destroy
2168 crypto1_destroy(pcs);
2169
f397b5cc 2170 if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");
20f9a2a1
M		 2171
2172 // add trace trailer
2173 uid[0] = 0xff;
2174 uid[1] = 0xff;
2175 uid[2] = 0xff;
2176 uid[3] = 0xff;
4abe4f58 2177 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1
M		 2178
2179 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2180
2181 LED_B_ON();
2182 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2183 LED_B_OFF();
2184
2185
4abe4f58 2186 // Thats it...
20f9a2a1
M		 2187 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2188 LEDsoff();
2189// tracing = TRUE;
2190
2191}
2192
f89c7050
M		 2193// Return 1 if the nonce is invalid else return 0
2194int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, byte_t * parity) {
2195 return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
2196 (oddparity((Nt >> 16) & 0xFF) == ((parity[1]) ^ oddparity((NtEnc >> 16) & 0xFF) ^ BIT(Ks1,8))) & \
2197 (oddparity((Nt >> 8) & 0xFF) == ((parity[2]) ^ oddparity((NtEnc >> 8) & 0xFF) ^ BIT(Ks1,0)))) ? 1 : 0;
2198}
2199
2200
20f9a2a1
M		 2201//-----------------------------------------------------------------------------
2202// MIFARE nested authentication.
2203//
2204//-----------------------------------------------------------------------------
f397b5cc 2205void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
20f9a2a1 2206{
4abe4f58 2207 // params
20f9a2a1
M		 2208 uint8_t blockNo = arg0;
2209 uint8_t keyType = arg1;
f397b5cc
M		 2210 uint8_t targetBlockNo = arg2 & 0xff;
2211 uint8_t targetKeyType = (arg2 >> 8) & 0xff;
20f9a2a1
M		 2212 uint64_t ui64Key = 0;
2213
2214 ui64Key = bytes_to_num(datain, 6);
2215
2216 // variables
50193c1e 2217 int rtr, i, j, m, len;
f89c7050 2218 int davg, dmin, dmax;
20f9a2a1 2219 uint8_t uid[8];
f89c7050
M		 2220 uint32_t cuid, nt1, nt2, nttmp, nttest, par, ks1;
2221 uint8_t par_array[4];
f397b5cc
M		 2222 nestedVector nvector[NES_MAX_INFO + 1][10];
2223 int nvectorcount[NES_MAX_INFO + 1];
f89c7050 2224 int ncount = 0;
50193c1e 2225 UsbCommand ack = {CMD_ACK, {0, 0, 0}};
4abe4f58 2226 struct Crypto1State mpcs = {0, 0};
20f9a2a1
M		 2227 struct Crypto1State *pcs;
2228 pcs = &mpcs;
f89c7050 2229 uint8_t* receivedAnswer = mifare_get_bigbufptr();
20f9a2a1 2230
f397b5cc
M		 2231 //init
2232 for (i = 0; i < NES_MAX_INFO + 1; i++) nvectorcount[i] = 11; // 11 - empty block;
2233
20f9a2a1 2234 // clear trace
4abe4f58 2235 traceLen = 0;
f89c7050 2236 tracing = false;
f397b5cc 2237
20f9a2a1
M		 2238 iso14443a_setup();
2239
2240 LED_A_ON();
f89c7050 2241 LED_B_ON();
20f9a2a1
M		 2242 LED_C_OFF();
2243
f89c7050
M		 2244 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2245 SpinDelay(200);
2246
2247 davg = dmax = 0;
2248 dmin = 2000;
2249
2250 // test nonce distance
2251 for (rtr = 0; rtr < 10; rtr++) {
2252 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2253 SpinDelay(100);
2254 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2255
2256 // Test if the action was cancelled
2257 if(BUTTON_PRESS()) {
2258 break;
2259 }
2260
20f9a2a1 2261 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 2262 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
20f9a2a1
M		 2263 break;
2264 };
2265
f89c7050 2266 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
f397b5cc 2267 if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
20f9a2a1
M		 2268 break;
2269 };
2270
f89c7050 2271 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2)) {
f397b5cc 2272 if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error");
20f9a2a1
M		 2273 break;
2274 };
2275
f89c7050
M		 2276 nttmp = prng_successor(nt1, 500);
2277 for (i = 501; i < 2000; i++) {
2278 nttmp = prng_successor(nttmp, 1);
2279 if (nttmp == nt2) break;
2280 }
2281
2282 if (i != 2000) {
2283 davg += i;
2284 if (dmin > i) dmin = i;
2285 if (dmax < i) dmax = i;
f397b5cc 2286 if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2=%08x distance=%d", rtr, nt1, nt2, i);
f89c7050
M		 2287 }
2288 }
2289
2290 if (rtr == 0) return;
2291
2292 davg = davg / rtr;
f397b5cc 2293 if (MF_DBGLEVEL >= 3) Dbprintf("distance: min=%d max=%d avg=%d", dmin, dmax, davg);
f89c7050
M		 2294
2295 LED_B_OFF();
2296
f397b5cc 2297// -------------------------------------------------------------------------------------------------
f89c7050
M		 2298
2299 LED_C_ON();
2300
2301 // get crypted nonces for target sector
f397b5cc
M		 2302 for (rtr = 0; rtr < NS_RETRIES_GETNONCE; rtr++) {
2303 if (MF_DBGLEVEL >= 4) Dbprintf("------------------------------");
f89c7050
M		 2304
2305 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2306 SpinDelay(100);
2307 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2308
2309 // Test if the action was cancelled
2310 if(BUTTON_PRESS()) {
2311 break;
2312 }
2313
2314 if(!iso14443a_select_card(uid, NULL, &cuid)) {
f397b5cc 2315 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
f89c7050
M		 2316 break;
2317 };
2318
2319 if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
f397b5cc 2320 if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
20f9a2a1
M		 2321 break;
2322 };
2323
f89c7050 2324 // nested authentication
50193c1e 2325 len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par);
f89c7050 2326 if (len != 4) {
f397b5cc 2327 if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error len=%d", len);
20f9a2a1
M		 2328 break;
2329 };
f89c7050
M		 2330
2331 nt2 = bytes_to_num(receivedAnswer, 4);
f397b5cc 2332 if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par);
f89c7050
M		 2333
2334 // Parity validity check
2335 for (i = 0; i < 4; i++) {
2336 par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3));
2337 par = par << 1;
2338 }
2339
2340 ncount = 0;
f397b5cc 2341 for (m = dmin - NS_TOLERANCE; m < dmax + NS_TOLERANCE; m++) {
f89c7050
M		 2342 nttest = prng_successor(nt1, m);
2343 ks1 = nt2 ^ nttest;
2344
f89c7050
M		 2345 if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){
2346
f397b5cc
M		 2347 nvector[NES_MAX_INFO][ncount].nt = nttest;
2348 nvector[NES_MAX_INFO][ncount].ks1 = ks1;
f89c7050 2349 ncount++;
f397b5cc
M		 2350 nvectorcount[NES_MAX_INFO] = ncount;
2351 if (MF_DBGLEVEL >= 4) Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest);
f89c7050
M		 2352 }
2353
2354 }
2355
2356 // select vector with length less than got
f397b5cc
M		 2357 if (nvectorcount[NES_MAX_INFO] != 0) {
2358 m = NES_MAX_INFO;
2359
2360 for (i = 0; i < NES_MAX_INFO; i++)
2361 if (nvectorcount[i] > 10) {
2362 m = i;
2363 break;
2364 }
2365
2366 if (m == NES_MAX_INFO)
2367 for (i = 0; i < NES_MAX_INFO; i++)
2368 if (nvectorcount[NES_MAX_INFO] < nvectorcount[i]) {
2369 m = i;
2370 break;
2371 }
2372
2373 if (m != NES_MAX_INFO) {
50193c1e 2374 for (i = 0; i < nvectorcount[m]; i++) {
f397b5cc 2375 nvector[m][i] = nvector[NES_MAX_INFO][i];
50193c1e 2376 }
f397b5cc 2377 nvectorcount[m] = nvectorcount[NES_MAX_INFO];
f89c7050 2378 }
f89c7050 2379 }
20f9a2a1 2380 }
f89c7050
M		 2381
2382 LED_C_OFF();
20f9a2a1
M		 2383
2384 // ----------------------------- crypto1 destroy
2385 crypto1_destroy(pcs);
2386
20f9a2a1
M		 2387 // add trace trailer
2388 uid[0] = 0xff;
2389 uid[1] = 0xff;
2390 uid[2] = 0xff;
2391 uid[3] = 0xff;
4abe4f58 2392 LogTrace(uid, 4, 0, 0, TRUE);
20f9a2a1 2393
f397b5cc
M		 2394 for (i = 0; i < NES_MAX_INFO; i++) {
2395 if (nvectorcount[i] > 10) continue;
2396
50193c1e
M		 2397 for (j = 0; j < nvectorcount[i]; j += 5) {
2398 ncount = nvectorcount[i] - j;
2399 if (ncount > 5) ncount = 5;
2400
2401 ack.arg[0] = 0; // isEOF = 0
2402 ack.arg[1] = ncount;
2403 ack.arg[2] = targetBlockNo + (targetKeyType * 0x100);
2404 memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
2405
2406 memcpy(ack.d.asBytes, &cuid, 4);
2407 for (m = 0; m < ncount; m++) {
2408 memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4);
2409 memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4);
2410 }
f89c7050 2411
50193c1e
M		 2412 LED_B_ON();
2413 SpinDelay(100);
2414 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2415 LED_B_OFF();
2416 }
f89c7050
M		 2417 }
2418
2419 // finalize list
50193c1e
M		 2420 ack.arg[0] = 1; // isEOF = 1
2421 ack.arg[1] = 0;
2422 ack.arg[2] = 0;
2423 memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
20f9a2a1
M		 2424
2425 LED_B_ON();
50193c1e 2426 SpinDelay(300);
20f9a2a1
M		 2427 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2428 LED_B_OFF();
2429
f397b5cc 2430 if (MF_DBGLEVEL >= 4) DbpString("NESTED FINISHED");
f89c7050 2431
4abe4f58 2432 // Thats it...
20f9a2a1
M		 2433 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2434 LEDsoff();
f397b5cc
M		 2435
2436 tracing = TRUE;
2437}
2438
2439//-----------------------------------------------------------------------------
2440// MIFARE check keys. key count up to 8.
2441//
2442//-----------------------------------------------------------------------------
2443void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2444{
2445 // params
2446 uint8_t blockNo = arg0;
2447 uint8_t keyType = arg1;
2448 uint8_t keyCount = arg2;
2449 uint64_t ui64Key = 0;
2450
2451 // variables
2452 int i;
2453 byte_t isOK = 0;
2454 uint8_t uid[8];
2455 uint32_t cuid;
2456 struct Crypto1State mpcs = {0, 0};
2457 struct Crypto1State *pcs;
2458 pcs = &mpcs;
2459
2460 // clear debug level
2461 int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
2462 MF_DBGLEVEL = MF_DBG_NONE;
2463
2464 // clear trace
2465 traceLen = 0;
2466 tracing = TRUE;
2467
2468 iso14443a_setup();
2469
2470 LED_A_ON();
2471 LED_B_OFF();
2472 LED_C_OFF();
2473
2474 SpinDelay(300);
2475 for (i = 0; i < keyCount; i++) {
2476 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2477 SpinDelay(100);
2478 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
2479
2480 if(!iso14443a_select_card(uid, NULL, &cuid)) {
2481 if (OLD_MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
2482 break;
2483 };
2484
2485 ui64Key = bytes_to_num(datain + i * 6, 6);
2486 if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
2487 continue;
2488 };
2489
2490 isOK = 1;
2491 break;
2492 }
2493
2494 // ----------------------------- crypto1 destroy
2495 crypto1_destroy(pcs);
2496
2497 // add trace trailer
2498 uid[0] = 0xff;
2499 uid[1] = 0xff;
2500 uid[2] = 0xff;
2501 uid[3] = 0xff;
2502 LogTrace(uid, 4, 0, 0, TRUE);
2503
2504 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
2505 if (isOK) memcpy(ack.d.asBytes, datain + i * 6, 6);
2506
2507 LED_B_ON();
2508 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
2509 LED_B_OFF();
2510
2511 // Thats it...
2512 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2513 LEDsoff();
20f9a2a1 2514
f397b5cc
M		 2515 // restore debug level
2516 MF_DBGLEVEL = OLD_MF_DBGLEVEL;
20f9a2a1
M		 2517}
2518
2519//-----------------------------------------------------------------------------
2520// MIFARE 1K simulate.
2521//
2522//-----------------------------------------------------------------------------
2523void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2524{
50193c1e 2525 int cardSTATE = MFEMUL_NOFIELD;
9ca155ba
M		 2526 int vHf = 0; // in mV
2527 int res;
2528 uint32_t timer = 0;
2529 int len = 0;
2530 uint8_t cardAUTHSC = 0;
2531 uint8_t cardAUTHKEY = 0xff; // no authentication
2532 uint32_t cuid = 0;
2533 struct Crypto1State mpcs = {0, 0};
2534 struct Crypto1State *pcs;
2535 pcs = &mpcs;
2536
2537 uint64_t key64 = 0xffffffffffffULL;
2538
2539 uint8_t* receivedCmd = mifare_get_bigbufptr();
2540
2541 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k
2542
2543 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2544 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
2545
2546 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
2547
2548 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2549
2550// -------------------------------------- test area
50193c1e 2551
50193c1e 2552
9ca155ba
M		 2553// -------------------------------------- END test area
2554
2555 // We need to listen to the high-frequency, peak-detected path.
2556 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2557 FpgaSetupSsc();
2558
2559 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2560 SpinDelay(200);
2561
2562Dbprintf("--> start");
2563 while (true) {
2564 WDT_HIT();
2565// timer = GetTickCount();
2566// Dbprintf("time: %d", GetTickCount() - timer);
2567
2568 // find reader field
2569 // Vref = 3300mV, and an 10:1 voltage divider on the input
2570 // can measure voltages up to 33000 mV
2571 if (cardSTATE == MFEMUL_NOFIELD) {
2572 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2573 if (vHf > MF_MINFIELDV) {
2574 cardSTATE = MFEMUL_IDLE;
2575 LED_A_ON();
2576 }
2577 }
2578
2579 if (cardSTATE != MFEMUL_NOFIELD) {
2580 res = EmGetCmd(receivedCmd, &len, 100);
2581 if (res == 2) {
2582 cardSTATE = MFEMUL_NOFIELD;
2583 LEDsoff();
2584 continue;
2585 }
2586 if(res) break;
2587 }
2588
50193c1e 2589 if(BUTTON_PRESS()) {
9ca155ba
M		 2590 break;
2591 }
50193c1e 2592
9ca155ba
M		 2593// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
2594
50193c1e
M		 2595 switch (cardSTATE) {
2596 case MFEMUL_NOFIELD:{
2597 break;
2598 }
9ca155ba
M		 2599 case MFEMUL_HALTED:{
2600 // WUP request
2601 if (!(len == 1 && receivedCmd[0] == 0x52)) break;
2602 }
50193c1e 2603 case MFEMUL_IDLE:{
9ca155ba
M		 2604 // REQ or WUP request
2605 if (len == 1 && (receivedCmd[0] == 0x26 || receivedCmd[0] == 0x52)) {
2606timer = GetTickCount();
2607 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2608 cardSTATE = MFEMUL_SELECT1;
2609
2610 // init crypto block
2611 crypto1_destroy(pcs);
2612 cardAUTHKEY = 0xff;
2613 }
50193c1e
M		 2614 break;
2615 }
2616 case MFEMUL_SELECT1:{
9ca155ba
M		 2617 // select all
2618 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2619 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
2620
2621 if (rUIDBCC1[0] == 0x88) {
2622 cardSTATE = MFEMUL_SELECT2;
2623 }
2624 }
2625
2626 // select card
2627 if (len == 9 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70)) {
2628 EmSendCmd(rSAK, sizeof(rSAK));
2629
2630 cuid = bytes_to_num(rUIDBCC1, 4);
2631 cardSTATE = MFEMUL_WORK;
2632 LED_B_ON();
2633Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - timer);
2634 }
2635
50193c1e
M		 2636 break;
2637 }
2638 case MFEMUL_SELECT2:{
9ca155ba
M		 2639 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
2640
2641 cuid = bytes_to_num(rUIDBCC2, 4);
2642 cardSTATE = MFEMUL_WORK;
2643 LED_B_ON();
2644Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - timer);
50193c1e
M		 2645 break;
2646 }
2647 case MFEMUL_AUTH1:{
9ca155ba
M		 2648if (len) Dbprintf("au1 len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
2649 if (len == 8) {
2650
2651 }
50193c1e
M		 2652 break;
2653 }
2654 case MFEMUL_AUTH2:{
9ca155ba
M		 2655
2656 LED_C_ON();
2657Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - timer);
50193c1e
M		 2658 break;
2659 }
9ca155ba
M		 2660 case MFEMUL_WORK:{
2661 // auth
2662 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2663timer = GetTickCount();
2664 crypto1_create(pcs, key64);
2665// if (cardAUTHKEY == 0xff) { // first auth
2666 crypto1_word(pcs, cuid ^ bytes_to_num(rAUTH_NT, 4), 0); // uid ^ nonce
2667// } else { // nested auth
2668// }
2669
2670 EmSendCmd(rAUTH_NT, sizeof(rAUTH_NT));
2671 cardAUTHSC = receivedCmd[1];
2672 cardAUTHKEY = receivedCmd[0] - 0x60;
2673 cardSTATE = MFEMUL_AUTH1;
2674 }
2675
2676 // halt
2677 if (len == 4 && (receivedCmd[0] == 0x50 || receivedCmd[0] == 0x00)) {
2678 cardSTATE = MFEMUL_HALTED;
2679 LED_B_OFF();
2680 }
50193c1e
M		 2681 break;
2682 }
2683
2684 }
2685
2686 }
2687
9ca155ba
M		 2688 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2689 LEDsoff();
2690
2691 DbpString("Emulator stopped.");
15c4dc5a 2692}
Proxmark3 GIT tracking
Impressum, Datenschutz