added functionality: dump card memory, save|load card memory.
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M
20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
f7e3ed82 23static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 24static int traceLen = 0;
25static int rsamples = 0;
f7e3ed82 26static int tracing = TRUE;
534983d7 27static uint32_t iso14a_timeout;
15c4dc5a 28
8f51ddb0 29// CARD TO READER - manchester
72934aa3 30// Sequence D: 11110000 modulation with subcarrier during first half
31// Sequence E: 00001111 modulation with subcarrier during second half
32// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 33// READER TO CARD - miller
72934aa3 34// Sequence X: 00001100 drop after half a period
35// Sequence Y: 00000000 no drop
36// Sequence Z: 11000000 drop at start
37#define SEC_D 0xf0
38#define SEC_E 0x0f
39#define SEC_F 0x00
40#define SEC_X 0x0c
41#define SEC_Y 0x00
42#define SEC_Z 0xc0
15c4dc5a 43
f7e3ed82 44static const uint8_t OddByteParity[256] = {
15c4dc5a 45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
58 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
61};
62
534983d7 63uint8_t trigger = 0;
64void iso14a_set_trigger(int enable) {
65 trigger = enable;
66}
67
8556b852
M
68void iso14a_clear_tracelen(void) {
69 traceLen = 0;
70}
71void iso14a_set_tracing(int enable) {
72 tracing = enable;
73}
74
15c4dc5a 75//-----------------------------------------------------------------------------
76// Generate the parity value for a byte sequence
e30c654b 77//
15c4dc5a 78//-----------------------------------------------------------------------------
20f9a2a1
M
79byte_t oddparity (const byte_t bt)
80{
81 return OddByteParity[bt];
82}
83
f7e3ed82 84uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 85{
86 int i;
f7e3ed82 87 uint32_t dwPar = 0;
72934aa3 88
15c4dc5a 89 // Generate the encrypted data
90 for (i = 0; i < iLen; i++) {
91 // Save the encrypted parity bit
92 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
93 }
94 return dwPar;
95}
96
534983d7 97void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 98{
99 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
100}
101
ed82636b 102int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 103{
104 // Return when trace is full
105 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 106
15c4dc5a 107 // Trace the random, i'm curious
108 rsamples += iSamples;
109 trace[traceLen++] = ((rsamples >> 0) & 0xff);
110 trace[traceLen++] = ((rsamples >> 8) & 0xff);
111 trace[traceLen++] = ((rsamples >> 16) & 0xff);
112 trace[traceLen++] = ((rsamples >> 24) & 0xff);
113 if (!bReader) {
114 trace[traceLen - 1] |= 0x80;
115 }
116 trace[traceLen++] = ((dwParity >> 0) & 0xff);
117 trace[traceLen++] = ((dwParity >> 8) & 0xff);
118 trace[traceLen++] = ((dwParity >> 16) & 0xff);
119 trace[traceLen++] = ((dwParity >> 24) & 0xff);
120 trace[traceLen++] = iLen;
121 memcpy(trace + traceLen, btBytes, iLen);
122 traceLen += iLen;
123 return TRUE;
124}
125
15c4dc5a 126//-----------------------------------------------------------------------------
127// The software UART that receives commands from the reader, and its state
128// variables.
129//-----------------------------------------------------------------------------
130static struct {
131 enum {
132 STATE_UNSYNCD,
133 STATE_START_OF_COMMUNICATION,
134 STATE_MILLER_X,
135 STATE_MILLER_Y,
136 STATE_MILLER_Z,
137 STATE_ERROR_WAIT
138 } state;
f7e3ed82 139 uint16_t shiftReg;
15c4dc5a 140 int bitCnt;
141 int byteCnt;
142 int byteCntMax;
143 int posCnt;
144 int syncBit;
145 int parityBits;
146 int samples;
147 int highCnt;
148 int bitBuffer;
149 enum {
150 DROP_NONE,
151 DROP_FIRST_HALF,
152 DROP_SECOND_HALF
153 } drop;
f7e3ed82 154 uint8_t *output;
15c4dc5a 155} Uart;
156
6c1e2d95 157static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 158{
159 int error = 0;
160 int bitright;
161
162 if(!Uart.bitBuffer) {
163 Uart.bitBuffer = bit ^ 0xFF0;
164 return FALSE;
165 }
166 else {
167 Uart.bitBuffer <<= 4;
168 Uart.bitBuffer ^= bit;
169 }
170
f7e3ed82 171 int EOC = FALSE;
15c4dc5a 172
173 if(Uart.state != STATE_UNSYNCD) {
174 Uart.posCnt++;
175
176 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
177 bit = 0x00;
178 }
179 else {
180 bit = 0x01;
181 }
182 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
183 bitright = 0x00;
184 }
185 else {
186 bitright = 0x01;
187 }
188 if(bit != bitright) { bit = bitright; }
189
190 if(Uart.posCnt == 1) {
191 // measurement first half bitperiod
192 if(!bit) {
193 Uart.drop = DROP_FIRST_HALF;
194 }
195 }
196 else {
197 // measurement second half bitperiod
198 if(!bit & (Uart.drop == DROP_NONE)) {
199 Uart.drop = DROP_SECOND_HALF;
200 }
201 else if(!bit) {
202 // measured a drop in first and second half
203 // which should not be possible
204 Uart.state = STATE_ERROR_WAIT;
205 error = 0x01;
206 }
207
208 Uart.posCnt = 0;
209
210 switch(Uart.state) {
211 case STATE_START_OF_COMMUNICATION:
212 Uart.shiftReg = 0;
213 if(Uart.drop == DROP_SECOND_HALF) {
214 // error, should not happen in SOC
215 Uart.state = STATE_ERROR_WAIT;
216 error = 0x02;
217 }
218 else {
219 // correct SOC
220 Uart.state = STATE_MILLER_Z;
221 }
222 break;
223
224 case STATE_MILLER_Z:
225 Uart.bitCnt++;
226 Uart.shiftReg >>= 1;
227 if(Uart.drop == DROP_NONE) {
228 // logic '0' followed by sequence Y
229 // end of communication
230 Uart.state = STATE_UNSYNCD;
231 EOC = TRUE;
232 }
233 // if(Uart.drop == DROP_FIRST_HALF) {
234 // Uart.state = STATE_MILLER_Z; stay the same
235 // we see a logic '0' }
236 if(Uart.drop == DROP_SECOND_HALF) {
237 // we see a logic '1'
238 Uart.shiftReg |= 0x100;
239 Uart.state = STATE_MILLER_X;
240 }
241 break;
242
243 case STATE_MILLER_X:
244 Uart.shiftReg >>= 1;
245 if(Uart.drop == DROP_NONE) {
246 // sequence Y, we see a '0'
247 Uart.state = STATE_MILLER_Y;
248 Uart.bitCnt++;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // Would be STATE_MILLER_Z
252 // but Z does not follow X, so error
253 Uart.state = STATE_ERROR_WAIT;
254 error = 0x03;
255 }
256 if(Uart.drop == DROP_SECOND_HALF) {
257 // We see a '1' and stay in state X
258 Uart.shiftReg |= 0x100;
259 Uart.bitCnt++;
260 }
261 break;
262
263 case STATE_MILLER_Y:
264 Uart.bitCnt++;
265 Uart.shiftReg >>= 1;
266 if(Uart.drop == DROP_NONE) {
267 // logic '0' followed by sequence Y
268 // end of communication
269 Uart.state = STATE_UNSYNCD;
270 EOC = TRUE;
271 }
272 if(Uart.drop == DROP_FIRST_HALF) {
273 // we see a '0'
274 Uart.state = STATE_MILLER_Z;
275 }
276 if(Uart.drop == DROP_SECOND_HALF) {
277 // We see a '1' and go to state X
278 Uart.shiftReg |= 0x100;
279 Uart.state = STATE_MILLER_X;
280 }
281 break;
282
283 case STATE_ERROR_WAIT:
284 // That went wrong. Now wait for at least two bit periods
285 // and try to sync again
286 if(Uart.drop == DROP_NONE) {
287 Uart.highCnt = 6;
288 Uart.state = STATE_UNSYNCD;
289 }
290 break;
291
292 default:
293 Uart.state = STATE_UNSYNCD;
294 Uart.highCnt = 0;
295 break;
296 }
297
298 Uart.drop = DROP_NONE;
299
300 // should have received at least one whole byte...
301 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
302 return TRUE;
303 }
304
305 if(Uart.bitCnt == 9) {
306 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
307 Uart.byteCnt++;
308
309 Uart.parityBits <<= 1;
310 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
311
312 if(EOC) {
313 // when End of Communication received and
314 // all data bits processed..
315 return TRUE;
316 }
317 Uart.bitCnt = 0;
318 }
319
320 /*if(error) {
321 Uart.output[Uart.byteCnt] = 0xAA;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = error & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = 0xAA;
334 Uart.byteCnt++;
335 return TRUE;
336 }*/
337 }
338
339 }
340 else {
341 bit = Uart.bitBuffer & 0xf0;
342 bit >>= 4;
343 bit ^= 0x0F;
344 if(bit) {
345 // should have been high or at least (4 * 128) / fc
346 // according to ISO this should be at least (9 * 128 + 20) / fc
347 if(Uart.highCnt == 8) {
348 // we went low, so this could be start of communication
349 // it turns out to be safer to choose a less significant
350 // syncbit... so we check whether the neighbour also represents the drop
351 Uart.posCnt = 1; // apparently we are busy with our first half bit period
352 Uart.syncBit = bit & 8;
353 Uart.samples = 3;
354 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
355 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
356 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
357 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 359 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 360 Uart.syncBit = 8;
361
362 // the first half bit period is expected in next sample
363 Uart.posCnt = 0;
364 Uart.samples = 3;
365 }
366 }
367 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
368
369 Uart.syncBit <<= 4;
370 Uart.state = STATE_START_OF_COMMUNICATION;
371 Uart.drop = DROP_FIRST_HALF;
372 Uart.bitCnt = 0;
373 Uart.byteCnt = 0;
374 Uart.parityBits = 0;
375 error = 0;
376 }
377 else {
378 Uart.highCnt = 0;
379 }
380 }
381 else {
382 if(Uart.highCnt < 8) {
383 Uart.highCnt++;
384 }
385 }
386 }
387
388 return FALSE;
389}
390
391//=============================================================================
392// ISO 14443 Type A - Manchester
393//=============================================================================
394
395static struct {
396 enum {
397 DEMOD_UNSYNCD,
398 DEMOD_START_OF_COMMUNICATION,
399 DEMOD_MANCHESTER_D,
400 DEMOD_MANCHESTER_E,
401 DEMOD_MANCHESTER_F,
402 DEMOD_ERROR_WAIT
403 } state;
404 int bitCount;
405 int posCount;
406 int syncBit;
407 int parityBits;
f7e3ed82 408 uint16_t shiftReg;
15c4dc5a 409 int buffer;
410 int buff;
411 int samples;
412 int len;
413 enum {
414 SUB_NONE,
415 SUB_FIRST_HALF,
416 SUB_SECOND_HALF
417 } sub;
f7e3ed82 418 uint8_t *output;
15c4dc5a 419} Demod;
420
6c1e2d95 421static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 422{
423 int bit;
424 int modulation;
425 int error = 0;
426
427 if(!Demod.buff) {
428 Demod.buff = 1;
429 Demod.buffer = v;
430 return FALSE;
431 }
432 else {
433 bit = Demod.buffer;
434 Demod.buffer = v;
435 }
436
437 if(Demod.state==DEMOD_UNSYNCD) {
438 Demod.output[Demod.len] = 0xfa;
439 Demod.syncBit = 0;
440 //Demod.samples = 0;
441 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 442
443 if(bit & 0x08) {
444 Demod.syncBit = 0x08;
15c4dc5a 445 }
15c4dc5a 446
2f2d9fc5 447 if(bit & 0x04) {
448 if(Demod.syncBit) {
449 bit <<= 4;
450 }
451 Demod.syncBit = 0x04;
452 }
15c4dc5a 453
2f2d9fc5 454 if(bit & 0x02) {
455 if(Demod.syncBit) {
456 bit <<= 2;
15c4dc5a 457 }
2f2d9fc5 458 Demod.syncBit = 0x02;
15c4dc5a 459 }
15c4dc5a 460
593924e7 461 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 462 Demod.syncBit = 0x01;
463 }
464
15c4dc5a 465 if(Demod.syncBit) {
466 Demod.len = 0;
467 Demod.state = DEMOD_START_OF_COMMUNICATION;
468 Demod.sub = SUB_FIRST_HALF;
469 Demod.bitCount = 0;
470 Demod.shiftReg = 0;
471 Demod.parityBits = 0;
472 Demod.samples = 0;
473 if(Demod.posCount) {
534983d7 474 if(trigger) LED_A_OFF();
15c4dc5a 475 switch(Demod.syncBit) {
476 case 0x08: Demod.samples = 3; break;
477 case 0x04: Demod.samples = 2; break;
478 case 0x02: Demod.samples = 1; break;
479 case 0x01: Demod.samples = 0; break;
480 }
481 }
482 error = 0;
483 }
484 }
485 else {
486 //modulation = bit & Demod.syncBit;
487 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
488
489 Demod.samples += 4;
490
491 if(Demod.posCount==0) {
492 Demod.posCount = 1;
493 if(modulation) {
494 Demod.sub = SUB_FIRST_HALF;
495 }
496 else {
497 Demod.sub = SUB_NONE;
498 }
499 }
500 else {
501 Demod.posCount = 0;
502 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
503 if(Demod.state!=DEMOD_ERROR_WAIT) {
504 Demod.state = DEMOD_ERROR_WAIT;
505 Demod.output[Demod.len] = 0xaa;
506 error = 0x01;
507 }
508 }
509 else if(modulation) {
510 Demod.sub = SUB_SECOND_HALF;
511 }
512
513 switch(Demod.state) {
514 case DEMOD_START_OF_COMMUNICATION:
515 if(Demod.sub == SUB_FIRST_HALF) {
516 Demod.state = DEMOD_MANCHESTER_D;
517 }
518 else {
519 Demod.output[Demod.len] = 0xab;
520 Demod.state = DEMOD_ERROR_WAIT;
521 error = 0x02;
522 }
523 break;
524
525 case DEMOD_MANCHESTER_D:
526 case DEMOD_MANCHESTER_E:
527 if(Demod.sub == SUB_FIRST_HALF) {
528 Demod.bitCount++;
529 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
530 Demod.state = DEMOD_MANCHESTER_D;
531 }
532 else if(Demod.sub == SUB_SECOND_HALF) {
533 Demod.bitCount++;
534 Demod.shiftReg >>= 1;
535 Demod.state = DEMOD_MANCHESTER_E;
536 }
537 else {
538 Demod.state = DEMOD_MANCHESTER_F;
539 }
540 break;
541
542 case DEMOD_MANCHESTER_F:
543 // Tag response does not need to be a complete byte!
544 if(Demod.len > 0 || Demod.bitCount > 0) {
545 if(Demod.bitCount > 0) {
546 Demod.shiftReg >>= (9 - Demod.bitCount);
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549 // No parity bit, so just shift a 0
550 Demod.parityBits <<= 1;
551 }
552
553 Demod.state = DEMOD_UNSYNCD;
554 return TRUE;
555 }
556 else {
557 Demod.output[Demod.len] = 0xad;
558 Demod.state = DEMOD_ERROR_WAIT;
559 error = 0x03;
560 }
561 break;
562
563 case DEMOD_ERROR_WAIT:
564 Demod.state = DEMOD_UNSYNCD;
565 break;
566
567 default:
568 Demod.output[Demod.len] = 0xdd;
569 Demod.state = DEMOD_UNSYNCD;
570 break;
571 }
572
573 if(Demod.bitCount>=9) {
574 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
575 Demod.len++;
576
577 Demod.parityBits <<= 1;
578 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
579
580 Demod.bitCount = 0;
581 Demod.shiftReg = 0;
582 }
583
584 /*if(error) {
585 Demod.output[Demod.len] = 0xBB;
586 Demod.len++;
587 Demod.output[Demod.len] = error & 0xFF;
588 Demod.len++;
589 Demod.output[Demod.len] = 0xBB;
590 Demod.len++;
591 Demod.output[Demod.len] = bit & 0xFF;
592 Demod.len++;
593 Demod.output[Demod.len] = Demod.buffer & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = 0xBB;
598 Demod.len++;
599 return TRUE;
600 }*/
601
602 }
603
604 } // end (state != UNSYNCED)
605
606 return FALSE;
607}
608
609//=============================================================================
610// Finally, a `sniffer' for ISO 14443 Type A
611// Both sides of communication!
612//=============================================================================
613
614//-----------------------------------------------------------------------------
615// Record the sequence of commands sent by the reader to the tag, with
616// triggering so that we start recording at the point that the tag is moved
617// near the reader.
618//-----------------------------------------------------------------------------
6c1e2d95 619void RAMFUNC SnoopIso14443a(void)
15c4dc5a 620{
621// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
622// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
623// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
624// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
625// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
626
627 // We won't start recording the frames that we acquire until we trigger;
628 // a good trigger condition to get started is probably when we see a
629 // response from the tag.
7e758047 630 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 631
632 // The command (reader -> tag) that we're receiving.
633 // The length of a received command will in most cases be no more than 18 bytes.
634 // So 32 should be enough!
f7e3ed82 635 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 636 // The response (tag -> reader) that we're receiving.
f7e3ed82 637 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 638
639 // As we receive stuff, we copy it from receivedCmd or receivedResponse
640 // into trace, along with its length and other annotations.
f7e3ed82 641 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 642
643 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 644
645 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 646 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 647 int lastRxCounter;
f7e3ed82 648 int8_t *upTo;
15c4dc5a 649 int smpl;
650 int maxBehindBy = 0;
651
652 // Count of samples received so far, so that we can include timing
653 // information in the trace buffer.
654 int samples = 0;
cee5a30d 655 int rsamples = 0;
15c4dc5a 656
657 memset(trace, 0x44, RECV_CMD_OFFSET);
658
659 // Set up the demodulator for tag -> reader responses.
660 Demod.output = receivedResponse;
661 Demod.len = 0;
662 Demod.state = DEMOD_UNSYNCD;
663
7e758047 664 // Setup for the DMA.
665 FpgaSetupSsc();
666 upTo = dmaBuf;
667 lastRxCounter = DMA_BUFFER_SIZE;
668 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
669
15c4dc5a 670 // And the reader -> tag commands
671 memset(&Uart, 0, sizeof(Uart));
672 Uart.output = receivedCmd;
673 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
674 Uart.state = STATE_UNSYNCD;
675
676 // And put the FPGA in the appropriate mode
677 // Signal field is off with the appropriate LED
678 LED_D_OFF();
679 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
680 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
681
15c4dc5a 682
683 // And now we loop, receiving samples.
684 for(;;) {
7e758047 685 LED_A_ON();
686 WDT_HIT();
15c4dc5a 687 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
688 (DMA_BUFFER_SIZE-1);
689 if(behindBy > maxBehindBy) {
690 maxBehindBy = behindBy;
691 if(behindBy > 400) {
7e758047 692 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 693 goto done;
694 }
695 }
696 if(behindBy < 1) continue;
697
7e758047 698 LED_A_OFF();
15c4dc5a 699 smpl = upTo[0];
700 upTo++;
701 lastRxCounter -= 1;
702 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
703 upTo -= DMA_BUFFER_SIZE;
704 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 705 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 706 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
707 }
708
709 samples += 4;
7e758047 710 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 711 rsamples = samples - Uart.samples;
72934aa3 712 LED_C_ON();
7e758047 713 if(triggered) {
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 718 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 722 trace[traceLen++] = Uart.byteCnt;
723 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
724 traceLen += Uart.byteCnt;
725 if(traceLen > TRACE_LENGTH) break;
726 }
727 /* And ready to receive another command. */
728 Uart.state = STATE_UNSYNCD;
729 /* And also reset the demod code, which might have been */
730 /* false-triggered by the commands from the reader. */
731 Demod.state = DEMOD_UNSYNCD;
7e758047 732 LED_B_OFF();
15c4dc5a 733 }
7e758047 734
735 if(ManchesterDecoding(smpl & 0x0F)) {
736 rsamples = samples - Demod.samples;
737 LED_B_ON();
738
739 // timestamp, as a count of samples
740 trace[traceLen++] = ((rsamples >> 0) & 0xff);
741 trace[traceLen++] = ((rsamples >> 8) & 0xff);
742 trace[traceLen++] = ((rsamples >> 16) & 0xff);
743 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
744 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
745 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
748 // length
749 trace[traceLen++] = Demod.len;
750 memcpy(trace+traceLen, receivedResponse, Demod.len);
751 traceLen += Demod.len;
752 if(traceLen > TRACE_LENGTH) break;
753
754 triggered = TRUE;
15c4dc5a 755
756 // And ready to receive another response.
757 memset(&Demod, 0, sizeof(Demod));
758 Demod.output = receivedResponse;
759 Demod.state = DEMOD_UNSYNCD;
7e758047 760 LED_C_OFF();
761 }
15c4dc5a 762
763 if(BUTTON_PRESS()) {
764 DbpString("cancelled_a");
765 goto done;
766 }
767 }
768
769 DbpString("COMMAND FINISHED");
770
771 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
772 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
773
774done:
775 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
776 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
777 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
778 LED_A_OFF();
779 LED_B_OFF();
780 LED_C_OFF();
781 LED_D_OFF();
782}
783
15c4dc5a 784//-----------------------------------------------------------------------------
785// Prepare tag messages
786//-----------------------------------------------------------------------------
8f51ddb0 787static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 788{
8f51ddb0
M
789 int i;
790// int oddparity;
15c4dc5a 791
8f51ddb0 792 ToSendReset();
15c4dc5a 793
794 // Correction bit, might be removed when not needed
795 ToSendStuffBit(0);
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798 ToSendStuffBit(0);
799 ToSendStuffBit(1); // 1
800 ToSendStuffBit(0);
801 ToSendStuffBit(0);
802 ToSendStuffBit(0);
8f51ddb0 803
15c4dc5a 804 // Send startbit
72934aa3 805 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 806
8f51ddb0
M
807 for(i = 0; i < len; i++) {
808 int j;
809 uint8_t b = cmd[i];
15c4dc5a 810
811 // Data bits
8f51ddb0 812// oddparity = 0x01;
15c4dc5a 813 for(j = 0; j < 8; j++) {
8f51ddb0 814// oddparity ^= (b & 1);
15c4dc5a 815 if(b & 1) {
72934aa3 816 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 817 } else {
72934aa3 818 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M
819 }
820 b >>= 1;
821 }
15c4dc5a 822
8f51ddb0
M
823 // Get the parity bit
824 if ((dwParity >> i) & 0x01) {
825 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 826 } else {
72934aa3 827 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 828 }
8f51ddb0
M
829
830 // Parity bit
831// if(oddparity) {
832// ToSend[++ToSendMax] = SEC_D;
833// } else {
834// ToSend[++ToSendMax] = SEC_E;
835// }
836
837// if (oddparity != ((dwParity >> i) & 0x01))
838// Dbprintf("par error. i=%d", i);
839 }
15c4dc5a 840
8f51ddb0
M
841 // Send stopbit
842 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 843
844 // Flush the buffer in FPGA!!
845 for(i = 0; i < 5; i++) {
8556b852 846// ToSend[++ToSendMax] = SEC_F;
15c4dc5a 847 }
848
8f51ddb0
M
849 // Convert from last byte pos to length
850 ToSendMax++;
15c4dc5a 851
852 // Add a few more for slop
8f51ddb0
M
853// ToSend[ToSendMax++] = 0x00;
854// ToSend[ToSendMax++] = 0x00;
855}
856
857static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
858 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 859}
860
861//-----------------------------------------------------------------------------
862// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
863//-----------------------------------------------------------------------------
8f51ddb0 864static void CodeStrangeAnswerAsTag()
15c4dc5a 865{
866 int i;
867
868 ToSendReset();
869
870 // Correction bit, might be removed when not needed
871 ToSendStuffBit(0);
872 ToSendStuffBit(0);
873 ToSendStuffBit(0);
874 ToSendStuffBit(0);
875 ToSendStuffBit(1); // 1
876 ToSendStuffBit(0);
877 ToSendStuffBit(0);
878 ToSendStuffBit(0);
879
880 // Send startbit
72934aa3 881 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 882
883 // 0
72934aa3 884 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 885
886 // 0
72934aa3 887 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 888
889 // 1
72934aa3 890 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 891
892 // Send stopbit
72934aa3 893 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 894
895 // Flush the buffer in FPGA!!
896 for(i = 0; i < 5; i++) {
72934aa3 897 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 898 }
899
900 // Convert from last byte pos to length
901 ToSendMax++;
8f51ddb0 902}
15c4dc5a 903
8f51ddb0
M
904static void Code4bitAnswerAsTag(uint8_t cmd)
905{
906 int i;
907
908 ToSendReset();
909
910 // Correction bit, might be removed when not needed
911 ToSendStuffBit(0);
912 ToSendStuffBit(0);
913 ToSendStuffBit(0);
914 ToSendStuffBit(0);
915 ToSendStuffBit(1); // 1
916 ToSendStuffBit(0);
917 ToSendStuffBit(0);
918 ToSendStuffBit(0);
919
920 // Send startbit
921 ToSend[++ToSendMax] = SEC_D;
922
923 uint8_t b = cmd;
924 for(i = 0; i < 4; i++) {
925 if(b & 1) {
926 ToSend[++ToSendMax] = SEC_D;
927 } else {
928 ToSend[++ToSendMax] = SEC_E;
929 }
930 b >>= 1;
931 }
932
933 // Send stopbit
934 ToSend[++ToSendMax] = SEC_F;
935
936 // Flush the buffer in FPGA!!
937 for(i = 0; i < 5; i++) {
938 ToSend[++ToSendMax] = SEC_F;
939 }
940
941 // Convert from last byte pos to length
942 ToSendMax++;
15c4dc5a 943}
944
945//-----------------------------------------------------------------------------
946// Wait for commands from reader
947// Stop when button is pressed
948// Or return TRUE when command is captured
949//-----------------------------------------------------------------------------
f7e3ed82 950static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 951{
952 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
953 // only, since we are receiving, not transmitting).
954 // Signal field is off with the appropriate LED
955 LED_D_OFF();
956 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
957
958 // Now run a `software UART' on the stream of incoming samples.
959 Uart.output = received;
960 Uart.byteCntMax = maxLen;
961 Uart.state = STATE_UNSYNCD;
962
963 for(;;) {
964 WDT_HIT();
965
966 if(BUTTON_PRESS()) return FALSE;
967
968 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
969 AT91C_BASE_SSC->SSC_THR = 0x00;
970 }
971 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 972 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 973 if(MillerDecoding((b & 0xf0) >> 4)) {
974 *len = Uart.byteCnt;
975 return TRUE;
976 }
977 if(MillerDecoding(b & 0x0f)) {
978 *len = Uart.byteCnt;
979 return TRUE;
980 }
981 }
982 }
983}
9ca155ba 984static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
15c4dc5a 985
986//-----------------------------------------------------------------------------
987// Main loop of simulated tag: receive commands from reader, decide what
988// response to send, and send it.
989//-----------------------------------------------------------------------------
990void SimulateIso14443aTag(int tagType, int TagUid)
991{
992 // This function contains the tag emulation
993
994 // Prepare protocol messages
f7e3ed82 995 // static const uint8_t cmd1[] = { 0x26 };
996// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 997//
f7e3ed82 998 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
999// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 1000
1001 // UID response
f7e3ed82 1002 // static const uint8_t cmd2[] = { 0x93, 0x20 };
1003 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 1004
15c4dc5a 1005// my desfire
f7e3ed82 1006 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 1007
1008
1009// When reader selects us during cascade1 it will send cmd3
f7e3ed82 1010//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
1011uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 1012ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1013
1014// send cascade2 2nd half of UID
f7e3ed82 1015static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 1016// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
1017
15c4dc5a 1018// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 1019//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
1020uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 1021ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1022
f7e3ed82 1023 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 1024
f7e3ed82 1025 uint8_t *resp;
15c4dc5a 1026 int respLen;
1027
1028 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
1029 // This will need
1030 // 144 data bits (18 * 8)
1031 // 18 parity bits
1032 // 2 Start and stop
1033 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1034 // 1 just for the case
1035 // ----------- +
1036 // 166
1037 //
1038 // 166 bytes, since every bit that needs to be send costs us a byte
1039 //
1040
15c4dc5a 1041 // Respond with card type
f7e3ed82 1042 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 1043 int resp1Len;
1044
1045 // Anticollision cascade1 - respond with uid
f7e3ed82 1046 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 1047 int resp2Len;
1048
1049 // Anticollision cascade2 - respond with 2nd half of uid if asked
1050 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1051 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1052 int resp2aLen;
1053
1054 // Acknowledge select - cascade 1
f7e3ed82 1055 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1056 int resp3Len;
1057
1058 // Acknowledge select - cascade 2
f7e3ed82 1059 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1060 int resp3aLen;
1061
1062 // Response to a read request - not implemented atm
f7e3ed82 1063 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1064 int resp4Len;
1065
1066 // Authenticate response - nonce
f7e3ed82 1067 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1068 int resp5Len;
1069
f7e3ed82 1070 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1071 int len;
1072
1073 int i;
1074 int u;
f7e3ed82 1075 uint8_t b;
15c4dc5a 1076
1077 // To control where we are in the protocol
1078 int order = 0;
1079 int lastorder;
1080
1081 // Just to allow some checks
1082 int happened = 0;
1083 int happened2 = 0;
1084
1085 int cmdsRecvd = 0;
1086
f7e3ed82 1087 int fdt_indicator;
15c4dc5a 1088
1089 memset(receivedCmd, 0x44, 400);
1090
1091 // Prepare the responses of the anticollision phase
1092 // there will be not enough time to do this at the moment the reader sends it REQA
1093
1094 // Answer to request
1095 CodeIso14443aAsTag(response1, sizeof(response1));
1096 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1097
1098 // Send our UID (cascade 1)
1099 CodeIso14443aAsTag(response2, sizeof(response2));
1100 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1101
1102 // Answer to select (cascade1)
1103 CodeIso14443aAsTag(response3, sizeof(response3));
1104 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1105
1106 // Send the cascade 2 2nd part of the uid
1107 CodeIso14443aAsTag(response2a, sizeof(response2a));
1108 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1109
1110 // Answer to select (cascade 2)
1111 CodeIso14443aAsTag(response3a, sizeof(response3a));
1112 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1113
1114 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1115 CodeStrangeAnswerAsTag();
15c4dc5a 1116 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1117
1118 // Authentication answer (random nonce)
1119 CodeIso14443aAsTag(response5, sizeof(response5));
1120 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1121
1122 // We need to listen to the high-frequency, peak-detected path.
1123 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1124 FpgaSetupSsc();
1125
1126 cmdsRecvd = 0;
1127
1128 LED_A_ON();
1129 for(;;) {
1130
1131 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1132 DbpString("button press");
1133 break;
1134 }
1135 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1136 // Okay, look at the command now.
1137 lastorder = order;
1138 i = 1; // first byte transmitted
1139 if(receivedCmd[0] == 0x26) {
1140 // Received a REQUEST
1141 resp = resp1; respLen = resp1Len; order = 1;
1142 //DbpString("Hello request from reader:");
1143 } else if(receivedCmd[0] == 0x52) {
1144 // Received a WAKEUP
1145 resp = resp1; respLen = resp1Len; order = 6;
1146// //DbpString("Wakeup request from reader:");
1147
1148 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1149 // Received request for UID (cascade 1)
1150 resp = resp2; respLen = resp2Len; order = 2;
1151// DbpString("UID (cascade 1) request from reader:");
1152// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1153
1154
1155 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1156 // Received request for UID (cascade 2)
1157 resp = resp2a; respLen = resp2aLen; order = 20;
1158// DbpString("UID (cascade 2) request from reader:");
1159// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1160
1161
1162 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1163 // Received a SELECT
1164 resp = resp3; respLen = resp3Len; order = 3;
1165// DbpString("Select (cascade 1) request from reader:");
1166// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1167
1168
1169 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1170 // Received a SELECT
1171 resp = resp3a; respLen = resp3aLen; order = 30;
1172// DbpString("Select (cascade 2) request from reader:");
1173// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1174
1175
1176 } else if(receivedCmd[0] == 0x30) {
1177 // Received a READ
1178 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1179 Dbprintf("Read request from reader: %x %x %x",
1180 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1181
1182
1183 } else if(receivedCmd[0] == 0x50) {
1184 // Received a HALT
1185 resp = resp1; respLen = 0; order = 5; // Do nothing
1186 DbpString("Reader requested we HALT!:");
1187
1188 } else if(receivedCmd[0] == 0x60) {
1189 // Received an authentication request
1190 resp = resp5; respLen = resp5Len; order = 7;
1191 Dbprintf("Authenticate request from reader: %x %x %x",
1192 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1193
1194 } else if(receivedCmd[0] == 0xE0) {
1195 // Received a RATS request
1196 resp = resp1; respLen = 0;order = 70;
1197 Dbprintf("RATS request from reader: %x %x %x",
1198 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1199 } else {
1200 // Never seen this command before
20f9a2a1
M
1201 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1202 len,
15c4dc5a 1203 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M
1204 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1205 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1206 // Do not respond
1207 resp = resp1; respLen = 0; order = 0;
1208 }
1209
1210 // Count number of wakeups received after a halt
1211 if(order == 6 && lastorder == 5) { happened++; }
1212
1213 // Count number of other messages after a halt
1214 if(order != 6 && lastorder == 5) { happened2++; }
1215
1216 // Look at last parity bit to determine timing of answer
1217 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1218 // 1236, so correction bit needed
1219 i = 0;
1220 }
1221
1222 memset(receivedCmd, 0x44, 32);
1223
1224 if(cmdsRecvd > 999) {
1225 DbpString("1000 commands later...");
1226 break;
1227 }
1228 else {
1229 cmdsRecvd++;
1230 }
1231
1232 if(respLen <= 0) continue;
9ca155ba
M
1233 //----------------------------
1234 u = 0;
1235 b = 0x00;
1236 fdt_indicator = FALSE;
15c4dc5a 1237
9ca155ba
M
1238 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1239/* // Modulate Manchester
15c4dc5a 1240 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1241 AT91C_BASE_SSC->SSC_THR = 0x00;
1242 FpgaSetupSsc();
1243
1244 // ### Transmit the response ###
1245 u = 0;
1246 b = 0x00;
1247 fdt_indicator = FALSE;
1248 for(;;) {
1249 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1250 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1251 (void)b;
1252 }
1253 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1254 if(i > respLen) {
1255 b = 0x00;
1256 u++;
1257 } else {
1258 b = resp[i];
1259 i++;
1260 }
1261 AT91C_BASE_SSC->SSC_THR = b;
1262
1263 if(u > 4) {
1264 break;
1265 }
1266 }
1267 if(BUTTON_PRESS()) {
1268 break;
1269 }
1270 }
9ca155ba 1271*/
15c4dc5a 1272 }
1273
1274 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1275 LED_A_OFF();
1276}
1277
1278//-----------------------------------------------------------------------------
1279// Transmit the command (to the tag) that was placed in ToSend[].
1280//-----------------------------------------------------------------------------
f7e3ed82 1281static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1282{
1283 int c;
e30c654b 1284
15c4dc5a 1285 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1286
15c4dc5a 1287 if (wait)
1288 if(*wait < 10)
1289 *wait = 10;
e30c654b 1290
15c4dc5a 1291 for(c = 0; c < *wait;) {
1292 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1293 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1294 c++;
1295 }
1296 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1297 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1298 (void)r;
1299 }
1300 WDT_HIT();
1301 }
e30c654b 1302
15c4dc5a 1303 c = 0;
1304 for(;;) {
1305 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1306 AT91C_BASE_SSC->SSC_THR = cmd[c];
1307 c++;
1308 if(c >= len) {
1309 break;
1310 }
1311 }
1312 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1313 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1314 (void)r;
1315 }
1316 WDT_HIT();
1317 }
1318 if (samples) *samples = (c + *wait) << 3;
1319}
1320
15c4dc5a 1321//-----------------------------------------------------------------------------
1322// Code a 7-bit command without parity bit
1323// This is especially for 0x26 and 0x52 (REQA and WUPA)
1324//-----------------------------------------------------------------------------
f7e3ed82 1325void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1326{
1327 int j;
1328 int last;
f7e3ed82 1329 uint8_t b;
15c4dc5a 1330
1331 ToSendReset();
1332
1333 // Start of Communication (Seq. Z)
72934aa3 1334 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1335 last = 0;
1336
1337 b = bt;
1338 for(j = 0; j < 7; j++) {
1339 if(b & 1) {
1340 // Sequence X
72934aa3 1341 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1342 last = 1;
1343 } else {
1344 if(last == 0) {
1345 // Sequence Z
72934aa3 1346 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1347 }
1348 else {
1349 // Sequence Y
72934aa3 1350 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1351 last = 0;
1352 }
1353 }
1354 b >>= 1;
1355 }
1356
1357 // End of Communication
1358 if(last == 0) {
1359 // Sequence Z
72934aa3 1360 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1361 }
1362 else {
1363 // Sequence Y
72934aa3 1364 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1365 last = 0;
1366 }
1367 // Sequence Y
72934aa3 1368 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1369
1370 // Just to be sure!
72934aa3 1371 ToSend[++ToSendMax] = SEC_Y;
1372 ToSend[++ToSendMax] = SEC_Y;
1373 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1374
1375 // Convert from last character reference to length
1376 ToSendMax++;
1377}
1378
1379//-----------------------------------------------------------------------------
1380// Prepare reader command to send to FPGA
e30c654b 1381//
15c4dc5a 1382//-----------------------------------------------------------------------------
f7e3ed82 1383void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1384{
1385 int i, j;
1386 int last;
f7e3ed82 1387 uint8_t b;
e30c654b 1388
15c4dc5a 1389 ToSendReset();
e30c654b 1390
15c4dc5a 1391 // Start of Communication (Seq. Z)
72934aa3 1392 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1393 last = 0;
e30c654b 1394
15c4dc5a 1395 // Generate send structure for the data bits
1396 for (i = 0; i < len; i++) {
1397 // Get the current byte to send
1398 b = cmd[i];
e30c654b 1399
15c4dc5a 1400 for (j = 0; j < 8; j++) {
1401 if (b & 1) {
1402 // Sequence X
72934aa3 1403 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1404 last = 1;
1405 } else {
1406 if (last == 0) {
1407 // Sequence Z
72934aa3 1408 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1409 } else {
1410 // Sequence Y
72934aa3 1411 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1412 last = 0;
1413 }
1414 }
1415 b >>= 1;
1416 }
e30c654b 1417
15c4dc5a 1418 // Get the parity bit
1419 if ((dwParity >> i) & 0x01) {
1420 // Sequence X
72934aa3 1421 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1422 last = 1;
1423 } else {
1424 if (last == 0) {
1425 // Sequence Z
72934aa3 1426 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1427 } else {
1428 // Sequence Y
72934aa3 1429 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1430 last = 0;
1431 }
1432 }
1433 }
e30c654b 1434
15c4dc5a 1435 // End of Communication
1436 if (last == 0) {
1437 // Sequence Z
72934aa3 1438 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1439 } else {
1440 // Sequence Y
72934aa3 1441 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1442 last = 0;
1443 }
1444 // Sequence Y
72934aa3 1445 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1446
15c4dc5a 1447 // Just to be sure!
72934aa3 1448 ToSend[++ToSendMax] = SEC_Y;
1449 ToSend[++ToSendMax] = SEC_Y;
1450 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1451
15c4dc5a 1452 // Convert from last character reference to length
1453 ToSendMax++;
1454}
1455
9ca155ba
M
1456//-----------------------------------------------------------------------------
1457// Wait for commands from reader
1458// Stop when button is pressed (return 1) or field was gone (return 2)
1459// Or return 0 when command is captured
1460//-----------------------------------------------------------------------------
1461static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1462{
1463 *len = 0;
1464
1465 uint32_t timer = 0, vtime = 0;
1466 int analogCnt = 0;
1467 int analogAVG = 0;
1468
1469 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1470 // only, since we are receiving, not transmitting).
1471 // Signal field is off with the appropriate LED
1472 LED_D_OFF();
1473 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1474
1475 // Set ADC to read field strength
1476 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1477 AT91C_BASE_ADC->ADC_MR =
1478 ADC_MODE_PRESCALE(32) |
1479 ADC_MODE_STARTUP_TIME(16) |
1480 ADC_MODE_SAMPLE_HOLD_TIME(8);
1481 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1482 // start ADC
1483 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1484
1485 // Now run a 'software UART' on the stream of incoming samples.
1486 Uart.output = received;
1487 Uart.byteCntMax = maxLen;
1488 Uart.state = STATE_UNSYNCD;
1489
1490 for(;;) {
1491 WDT_HIT();
1492
1493 if (BUTTON_PRESS()) return 1;
1494
1495 // test if the field exists
1496 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1497 analogCnt++;
1498 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1499 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1500 if (analogCnt >= 32) {
1501 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1502 vtime = GetTickCount();
1503 if (!timer) timer = vtime;
1504 // 50ms no field --> card to idle state
1505 if (vtime - timer > 50) return 2;
1506 } else
1507 if (timer) timer = 0;
1508 analogCnt = 0;
1509 analogAVG = 0;
1510 }
1511 }
1512 // transmit none
1513 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1514 AT91C_BASE_SSC->SSC_THR = 0x00;
1515 }
1516 // receive and test the miller decoding
1517 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1518 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1519 if(MillerDecoding((b & 0xf0) >> 4)) {
1520 *len = Uart.byteCnt;
8f51ddb0 1521 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1522 return 0;
1523 }
1524 if(MillerDecoding(b & 0x0f)) {
1525 *len = Uart.byteCnt;
8f51ddb0 1526 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1527 return 0;
1528 }
1529 }
1530 }
1531}
1532
1533static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1534{
1535 int i, u = 0;
1536 uint8_t b = 0;
1537
1538 // Modulate Manchester
1539 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1540 AT91C_BASE_SSC->SSC_THR = 0x00;
1541 FpgaSetupSsc();
1542
1543 // include correction bit
1544 i = 1;
1545 if((Uart.parityBits & 0x01) || correctionNeeded) {
1546 // 1236, so correction bit needed
1547 i = 0;
1548 }
1549
1550 // send cycle
1551 for(;;) {
1552 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1553 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1554 (void)b;
1555 }
1556 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1557 if(i > respLen) {
8f51ddb0 1558 b = 0xff; // was 0x00
9ca155ba
M
1559 u++;
1560 } else {
1561 b = resp[i];
1562 i++;
1563 }
1564 AT91C_BASE_SSC->SSC_THR = b;
1565
1566 if(u > 4) break;
1567 }
1568 if(BUTTON_PRESS()) {
1569 break;
1570 }
1571 }
1572
1573 return 0;
1574}
1575
8f51ddb0
M
1576int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1577 Code4bitAnswerAsTag(resp);
0a39986e 1578 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1579 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1580 return res;
9ca155ba
M
1581}
1582
8f51ddb0
M
1583int EmSend4bit(uint8_t resp){
1584 return EmSend4bitEx(resp, 0);
1585}
1586
1587int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1588 CodeIso14443aAsTagPar(resp, respLen, par);
1589 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1590 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1591 return res;
1592}
1593
1594int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1595 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1596}
1597
1598int EmSendCmd(uint8_t *resp, int respLen){
1599 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1600}
1601
1602int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1603 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M
1604}
1605
15c4dc5a 1606//-----------------------------------------------------------------------------
1607// Wait a certain time for tag response
1608// If a response is captured return TRUE
1609// If it takes to long return FALSE
1610//-----------------------------------------------------------------------------
f7e3ed82 1611static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1612{
1613 // buffer needs to be 512 bytes
1614 int c;
1615
1616 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1617 // only, since we are receiving, not transmitting).
1618 // Signal field is on with the appropriate LED
1619 LED_D_ON();
1620 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1621
534983d7 1622 // Now get the answer from the card
1623 Demod.output = receivedResponse;
1624 Demod.len = 0;
1625 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1626
f7e3ed82 1627 uint8_t b;
15c4dc5a 1628 if (elapsed) *elapsed = 0;
1629
1630 c = 0;
1631 for(;;) {
534983d7 1632 WDT_HIT();
15c4dc5a 1633
534983d7 1634 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1635 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1636 if (elapsed) (*elapsed)++;
534983d7 1637 }
1638 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1639 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1640 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1641 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1642 *samples = ((c - 1) << 3) + 4;
1643 return TRUE;
1644 }
1645 if(ManchesterDecoding(b & 0x0f)) {
1646 *samples = c << 3;
1647 return TRUE;
1648 }
534983d7 1649 }
1650 }
15c4dc5a 1651}
1652
f7e3ed82 1653void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1654{
1655 int wait = 0;
1656 int samples = 0;
1657
1658 ShortFrameFromReader(*bt);
e30c654b 1659
15c4dc5a 1660 // Select the card
e30c654b 1661 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1662
15c4dc5a 1663 // Store reader command in buffer
1664 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1665}
1666
f7e3ed82 1667void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1668{
1669 int wait = 0;
1670 int samples = 0;
e30c654b 1671
15c4dc5a 1672 // This is tied to other size changes
f7e3ed82 1673 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1674 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1675
15c4dc5a 1676 // Select the card
e30c654b 1677 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1678 if(trigger)
1679 LED_A_ON();
e30c654b 1680
15c4dc5a 1681 // Store reader command in buffer
1682 if (tracing) LogTrace(frame,len,0,par,TRUE);
1683}
1684
1685
f7e3ed82 1686void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1687{
1688 // Generate parity and redirect
1689 ReaderTransmitPar(frame,len,GetParity(frame,len));
1690}
1691
f7e3ed82 1692int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1693{
1694 int samples = 0;
20f9a2a1 1695 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1696 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1697 if(samples == 0) return FALSE;
1698 return Demod.len;
15c4dc5a 1699}
1700
f89c7050
M
1701int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1702{
1703 int samples = 0;
1704 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1705 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1706 *parptr = Demod.parityBits;
1707 if(samples == 0) return FALSE;
1708 return Demod.len;
1709}
1710
7e758047 1711/* performs iso14443a anticolision procedure
534983d7 1712 * fills the uid pointer unless NULL
1713 * fills resp_data unless NULL */
20f9a2a1
M
1714int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1715 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1716 uint8_t sel_all[] = { 0x93,0x20 };
1717 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1718 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1719
7e758047 1720 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1721
534983d7 1722 uint8_t sak = 0x04; // cascade uid
1723 int cascade_level = 0;
1724
7e758047 1725 int len;
20f9a2a1
M
1726
1727 // clear uid
1728 memset(uid_ptr, 0, 8);
15c4dc5a 1729
7e758047 1730 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1731 ReaderTransmitShort(wupa);
1732 // Receive the ATQA
1733 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1734
534983d7 1735 if(resp_data)
1736 memcpy(resp_data->atqa, resp, 2);
1737
534983d7 1738 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1739 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1740 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1741 for(; sak & 0x04; cascade_level++)
7e758047 1742 {
534983d7 1743 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1744 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1745
1746 // SELECT_ALL
1747 ReaderTransmit(sel_all,sizeof(sel_all));
1748 if (!ReaderReceive(resp)) return 0;
1749 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M
1750
1751 // calculate crypto UID
1752 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1753
7e758047 1754 // Construct SELECT UID command
534983d7 1755 memcpy(sel_uid+2,resp,5);
1756 AppendCrc14443a(sel_uid,7);
1757 ReaderTransmit(sel_uid,sizeof(sel_uid));
1758
7e758047 1759 // Receive the SAK
1760 if (!ReaderReceive(resp)) return 0;
534983d7 1761 sak = resp[0];
7e758047 1762 }
534983d7 1763 if(resp_data) {
1764 resp_data->sak = sak;
1765 resp_data->ats_len = 0;
1766 }
20f9a2a1
M
1767 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1768 if (uid_ptr[0] == 0x88) {
1769 memcpy(uid_ptr, uid_ptr + 1, 7);
1770 uid_ptr[7] = 0;
1771 }
534983d7 1772
1773 if( (sak & 0x20) == 0)
7e758047 1774 return 2; // non iso14443a compliant tag
534983d7 1775
7e758047 1776 // Request for answer to select
20f9a2a1
M
1777 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1778 AppendCrc14443a(rats, 2);
1779 ReaderTransmit(rats, sizeof(rats));
1780
1781 if (!(len = ReaderReceive(resp))) return 0;
1782
534983d7 1783 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1784 resp_data->ats_len = len;
1785 }
20f9a2a1 1786
7e758047 1787 return 1;
1788}
15c4dc5a 1789
7e758047 1790void iso14443a_setup() {
1791 // Setup SSC
1792 FpgaSetupSsc();
1793 // Start from off (no field generated)
1794 // Signal field is off with the appropriate LED
1795 LED_D_OFF();
1796 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1797 SpinDelay(200);
15c4dc5a 1798
7e758047 1799 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1800
7e758047 1801 // Now give it time to spin up.
1802 // Signal field is on with the appropriate LED
1803 LED_D_ON();
1804 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1805 SpinDelay(200);
534983d7 1806
1807 iso14a_timeout = 2048; //default
7e758047 1808}
15c4dc5a 1809
534983d7 1810int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1811 uint8_t real_cmd[cmd_len+4];
1812 real_cmd[0] = 0x0a; //I-Block
1813 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1814 memcpy(real_cmd+2, cmd, cmd_len);
1815 AppendCrc14443a(real_cmd,cmd_len+2);
1816
1817 ReaderTransmit(real_cmd, cmd_len+4);
1818 size_t len = ReaderReceive(data);
1819 if(!len)
1820 return -1; //DATA LINK ERROR
1821
1822 return len;
1823}
1824
1825
7e758047 1826//-----------------------------------------------------------------------------
1827// Read an ISO 14443a tag. Send out commands and store answers.
1828//
1829//-----------------------------------------------------------------------------
534983d7 1830void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1831{
534983d7 1832 iso14a_command_t param = c->arg[0];
1833 uint8_t * cmd = c->d.asBytes;
1834 size_t len = c->arg[1];
e30c654b 1835
534983d7 1836 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1837
534983d7 1838 if(param & ISO14A_CONNECT) {
1839 iso14443a_setup();
20f9a2a1 1840 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1841 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1842 }
e30c654b 1843
534983d7 1844 if(param & ISO14A_SET_TIMEOUT) {
1845 iso14a_timeout = c->arg[2];
1846 }
e30c654b 1847
534983d7 1848 if(param & ISO14A_SET_TIMEOUT) {
1849 iso14a_timeout = c->arg[2];
1850 }
e30c654b 1851
534983d7 1852 if(param & ISO14A_APDU) {
1853 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1854 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1855 }
e30c654b 1856
534983d7 1857 if(param & ISO14A_RAW) {
1858 if(param & ISO14A_APPEND_CRC) {
1859 AppendCrc14443a(cmd,len);
1860 len += 2;
15c4dc5a 1861 }
534983d7 1862 ReaderTransmit(cmd,len);
1863 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1864 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1865 }
15c4dc5a 1866
534983d7 1867 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1868
534983d7 1869 if(param & ISO14A_NO_DISCONNECT)
1870 return;
15c4dc5a 1871
15c4dc5a 1872 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1873 LEDsoff();
15c4dc5a 1874}
15c4dc5a 1875//-----------------------------------------------------------------------------
1876// Read an ISO 14443a tag. Send out commands and store answers.
1877//
1878//-----------------------------------------------------------------------------
f7e3ed82 1879void ReaderMifare(uint32_t parameter)
15c4dc5a 1880{
15c4dc5a 1881 // Mifare AUTH
f7e3ed82 1882 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1883 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1884
f89c7050
M
1885 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1886 traceLen = 0;
1887 tracing = false;
e30c654b 1888
7e758047 1889 iso14443a_setup();
e30c654b 1890
15c4dc5a 1891 LED_A_ON();
1892 LED_B_OFF();
1893 LED_C_OFF();
e30c654b 1894
f89c7050
M
1895 byte_t nt_diff = 0;
1896 LED_A_OFF();
1897 byte_t par = 0;
1898 byte_t par_mask = 0xff;
1899 byte_t par_low = 0;
1900 int led_on = TRUE;
50193c1e 1901 uint8_t uid[8];
f89c7050 1902 uint32_t cuid;
e30c654b 1903
f89c7050
M
1904 tracing = FALSE;
1905 byte_t nt[4] = {0,0,0,0};
f397b5cc 1906 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M
1907 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1908 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 1909 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 1910 int isOK = 0, isNULL = 0;
f397b5cc 1911
f89c7050
M
1912 while(TRUE)
1913 {
50193c1e 1914 LED_C_ON();
f89c7050
M
1915 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1916 SpinDelay(200);
1917 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 1918 LED_C_OFF();
e30c654b 1919
f89c7050
M
1920 // Test if the action was cancelled
1921 if(BUTTON_PRESS()) {
1922 break;
1923 }
e30c654b 1924
f89c7050 1925 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 1926
f89c7050
M
1927 // Transmit MIFARE_CLASSIC_AUTH
1928 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 1929
f89c7050
M
1930 // Receive the (16 bit) "random" nonce
1931 if (!ReaderReceive(receivedAnswer)) continue;
1932 memcpy(nt, receivedAnswer, 4);
e30c654b 1933
f89c7050
M
1934 // Transmit reader nonce and reader answer
1935 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 1936
f89c7050
M
1937 // Receive 4 bit answer
1938 if (ReaderReceive(receivedAnswer))
1939 {
f397b5cc
M
1940 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1941
50193c1e
M
1942 isNULL = (nt_attacked[0] = 0) && (nt_attacked[1] = 0) && (nt_attacked[2] = 0) && (nt_attacked[3] = 0);
1943 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1944
f89c7050
M
1945 if (nt_diff == 0)
1946 {
1947 LED_A_ON();
1948 memcpy(nt_attacked, nt, 4);
1949 par_mask = 0xf8;
1950 par_low = par & 0x07;
1951 }
15c4dc5a 1952
f89c7050
M
1953 led_on = !led_on;
1954 if(led_on) LED_B_ON(); else LED_B_OFF();
1955 par_list[nt_diff] = par;
1956 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 1957
f89c7050
M
1958 // Test if the information is complete
1959 if (nt_diff == 0x07) {
1960 isOK = 1;
1961 break;
1962 }
1963
1964 nt_diff = (nt_diff + 1) & 0x07;
1965 mf_nr_ar[3] = nt_diff << 5;
1966 par = par_low;
1967 } else {
1968 if (nt_diff == 0)
1969 {
1970 par++;
1971 } else {
1972 par = (((par >> 3) + 1) << 3) | par_low;
1973 }
1974 }
1975 }
e30c654b 1976
f89c7050
M
1977 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1978 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1979 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 1980
f89c7050
M
1981 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1982 memcpy(ack.d.asBytes + 0, uid, 4);
1983 memcpy(ack.d.asBytes + 4, nt, 4);
1984 memcpy(ack.d.asBytes + 8, par_list, 8);
1985 memcpy(ack.d.asBytes + 16, ks_list, 8);
1986
1987 LED_B_ON();
1988 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1989 LED_B_OFF();
1990
1991 // Thats it...
15c4dc5a 1992 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1993 LEDsoff();
f89c7050
M
1994 tracing = TRUE;
1995
f397b5cc 1996 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M
1997}
1998
20f9a2a1
M
1999
2000//-----------------------------------------------------------------------------
2001// MIFARE 1K simulate.
2002//
2003//-----------------------------------------------------------------------------
2004void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2005{
50193c1e 2006 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2007 int _7BUID = 0;
9ca155ba 2008 int vHf = 0; // in mV
8f51ddb0
M
2009 int nextCycleTimeout = 0;
2010 int res;
9ca155ba 2011 uint32_t timer = 0;
0a39986e
M
2012 uint32_t selTimer = 0;
2013 uint32_t authTimer = 0;
2014 uint32_t par = 0;
9ca155ba 2015 int len = 0;
8f51ddb0 2016 uint8_t cardWRBL = 0;
9ca155ba
M
2017 uint8_t cardAUTHSC = 0;
2018 uint8_t cardAUTHKEY = 0xff; // no authentication
2019 uint32_t cuid = 0;
2020 struct Crypto1State mpcs = {0, 0};
2021 struct Crypto1State *pcs;
2022 pcs = &mpcs;
2023
2024 uint64_t key64 = 0xffffffffffffULL;
2025
8f51ddb0
M
2026 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2027 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2028
8556b852 2029 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2030
0a39986e
M
2031 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2032 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2033
0a39986e 2034 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2035 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2036
0a39986e
M
2037 static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
2038 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0a39986e
M
2039
2040 // clear trace
2041 traceLen = 0;
2042 tracing = true;
9ca155ba 2043
8556b852
M
2044 // get UID from emul memory
2045 emlGetMemBt(receivedCmd, 7, 1);
2046 _7BUID = !(receivedCmd[0] == 0x00);
2047 if (!_7BUID) { // ---------- 4BUID
2048 rATQA[0] = 0x04;
2049
2050 emlGetMemBt(rUIDBCC1, 0, 4);
2051 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2052 } else { // ---------- 7BUID
2053 rATQA[0] = 0x44;
2054
2055 rUIDBCC1[0] = 0x88;
2056 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2057 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2058 emlGetMemBt(rUIDBCC2, 3, 4);
2059 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2060 }
2061
9ca155ba 2062// -------------------------------------- test area
50193c1e 2063
0a39986e 2064 // Authenticate response - nonce
8f51ddb0 2065 uint8_t *resp1 = (((uint8_t *)BigBuf) + EML_RESPONSES);
0a39986e 2066 int resp1Len;
8f51ddb0
M
2067// uint8_t *resp2 = (((uint8_t *)BigBuf) + EML_RESPONSES + 200);
2068// int resp2Len;
0a39986e
M
2069 CodeIso14443aAsTag(rAUTH_NT, sizeof(rAUTH_NT));
2070 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
2071
2072 timer = GetTickCount();
2073 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
2074 uint32_t rn_enc = 0x98d76b77; // !!!!!!!!!!!!!!!!!
2075 uint32_t ans = 0;
2076 cuid = bytes_to_num(rUIDBCC1, 4);
8f51ddb0 2077/*
0a39986e
M
2078 crypto1_create(pcs, key64);
2079 crypto1_word(pcs, cuid ^ nonce, 0);
2080 crypto1_word(pcs, rn_enc , 1);
2081 crypto1_word(pcs, 0, 0);
2082 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2083 num_to_bytes(ans, 4, rAUTH_AT);
2084 CodeIso14443aAsTag(rAUTH_AT, sizeof(rAUTH_AT));
2085 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
2086 Dbprintf("crypto auth time: %d", GetTickCount() - timer);
8f51ddb0 2087*/
9ca155ba 2088// -------------------------------------- END test area
8f51ddb0
M
2089 // start mkseconds counter
2090 StartCountUS();
9ca155ba
M
2091
2092 // We need to listen to the high-frequency, peak-detected path.
2093 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2094 FpgaSetupSsc();
2095
2096 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2097 SpinDelay(200);
2098
8556b852 2099 Dbprintf("--> start. 7buid=%d", _7BUID);
8f51ddb0
M
2100 // calibrate mkseconds counter
2101 GetDeltaCountUS();
9ca155ba
M
2102 while (true) {
2103 WDT_HIT();
9ca155ba 2104
8f51ddb0
M
2105 if(BUTTON_PRESS()) {
2106 break;
2107 }
2108
9ca155ba
M
2109 // find reader field
2110 // Vref = 3300mV, and an 10:1 voltage divider on the input
2111 // can measure voltages up to 33000 mV
2112 if (cardSTATE == MFEMUL_NOFIELD) {
2113 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2114 if (vHf > MF_MINFIELDV) {
2115 cardSTATE = MFEMUL_IDLE;
2116 LED_A_ON();
2117 }
2118 }
2119
2120 if (cardSTATE != MFEMUL_NOFIELD) {
8f51ddb0 2121 res = EmGetCmd(receivedCmd, &len, 100); // (+ nextCycleTimeout)
9ca155ba
M
2122 if (res == 2) {
2123 cardSTATE = MFEMUL_NOFIELD;
2124 LEDsoff();
2125 continue;
2126 }
2127 if(res) break;
2128 }
2129
8f51ddb0
M
2130 nextCycleTimeout = 0;
2131
9ca155ba 2132// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M
2133
2134 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2135 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M
2136 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2137 selTimer = GetTickCount();
2138 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2139 cardSTATE = MFEMUL_SELECT1;
2140
2141 // init crypto block
2142 LED_B_OFF();
2143 LED_C_OFF();
2144 crypto1_destroy(pcs);
2145 cardAUTHKEY = 0xff;
2146 }
2147 }
9ca155ba 2148
50193c1e
M
2149 switch (cardSTATE) {
2150 case MFEMUL_NOFIELD:{
2151 break;
2152 }
9ca155ba 2153 case MFEMUL_HALTED:{
0a39986e 2154 break;
9ca155ba 2155 }
50193c1e
M
2156 case MFEMUL_IDLE:{
2157 break;
2158 }
2159 case MFEMUL_SELECT1:{
9ca155ba
M
2160 // select all
2161 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2162 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
9ca155ba
M
2163 }
2164
2165 // select card
0a39986e
M
2166 if (len == 9 &&
2167 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M
2168 if (!_7BUID)
2169 EmSendCmd(rSAK, sizeof(rSAK));
2170 else
2171 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M
2172
2173 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M
2174 if (!_7BUID) {
2175 cardSTATE = MFEMUL_WORK;
2176 } else {
2177 cardSTATE = MFEMUL_SELECT2;
2178 break;
2179 }
9ca155ba 2180 LED_B_ON();
0a39986e 2181 Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
9ca155ba
M
2182 }
2183
50193c1e
M
2184 break;
2185 }
2186 case MFEMUL_SELECT2:{
8556b852 2187 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2188 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M
2189 break;
2190 }
9ca155ba 2191
8556b852
M
2192 // select 2 card
2193 if (len == 9 &&
2194 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2195 EmSendCmd(rSAK, sizeof(rSAK));
2196
2197 cuid = bytes_to_num(rUIDBCC2, 4);
2198 cardSTATE = MFEMUL_WORK;
2199 LED_B_ON();
2200 Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
2201 break;
2202 }
2203 // TODO: goto work state - i guess there is a command
50193c1e
M
2204 break;
2205 }
2206 case MFEMUL_AUTH1:{
9ca155ba 2207 if (len == 8) {
0a39986e
M
2208// ---------------------------------
2209 rn_enc = bytes_to_num(receivedCmd, 4);
2210 crypto1_create(pcs, key64);
2211 crypto1_word(pcs, cuid ^ nonce, 0);
2212 crypto1_word(pcs, rn_enc , 1);
2213 crypto1_word(pcs, 0, 0);
2214 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2215 num_to_bytes(ans, 4, rAUTH_AT);
2216// ---------------------------------
2217 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M
2218 cardSTATE = MFEMUL_AUTH2;
2219 } else {
2220 cardSTATE = MFEMUL_IDLE;
2221 LED_B_OFF();
2222 LED_C_OFF();
9ca155ba 2223 }
0a39986e 2224 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M
2225 }
2226 case MFEMUL_AUTH2:{
0a39986e 2227 // test auth info here...
9ca155ba
M
2228
2229 LED_C_ON();
0a39986e 2230 cardSTATE = MFEMUL_WORK;
8f51ddb0 2231Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M
2232 break;
2233 }
9ca155ba
M
2234 case MFEMUL_WORK:{
2235 // auth
2236 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
8f51ddb0 2237authTimer = GetTickCount();
0a39986e 2238// EmSendCmd(rAUTH_NT, sizeof(rAUTH_NT));
8556b852 2239//SpinDelayUs(190);
0a39986e 2240 EmSendCmd14443aRaw(resp1, resp1Len, 0);
8f51ddb0 2241LogTrace(NULL, 0, GetDeltaCountUS(), 0, TRUE);
0a39986e 2242// crypto1_create(pcs, key64);
9ca155ba 2243// if (cardAUTHKEY == 0xff) { // first auth
0a39986e 2244// crypto1_word(pcs, cuid ^ bytes_to_num(rAUTH_NT, 4), 0); // uid ^ nonce
9ca155ba
M
2245// } else { // nested auth
2246// }
2247
0a39986e 2248 cardAUTHSC = receivedCmd[1] / 4; // received block num
9ca155ba
M
2249 cardAUTHKEY = receivedCmd[0] - 0x60;
2250 cardSTATE = MFEMUL_AUTH1;
8f51ddb0 2251 nextCycleTimeout = 10;
0a39986e
M
2252 break;
2253 }
2254
2255 if (len == 0) break;
2256
2257 // decrypt seqence
8f51ddb0 2258 if (cardAUTHKEY != 0xff) mf_crypto1_decrypt(pcs, receivedCmd, len);
0a39986e 2259
8f51ddb0
M
2260 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2261 // BUT... ACK --> NACK
2262 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2263 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2264 break;
2265 }
2266
2267 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2268 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2269 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2270 break;
0a39986e
M
2271 }
2272
2273 // read block
2274 if (len == 4 && receivedCmd[0] == 0x30) {
8f51ddb0
M
2275 if (receivedCmd[1] >= 16 * 4) {
2276 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2277 break;
2278 }
2279 emlGetMem(response, receivedCmd[1], 1);
2280 AppendCrc14443a(response, 16);
2281 mf_crypto1_encrypt(pcs, response, 18, &par);
2282 EmSendCmdPar(response, 18, par);
0a39986e
M
2283 break;
2284 }
2285
2286 // write block
2287 if (len == 4 && receivedCmd[0] == 0xA0) {
8f51ddb0
M
2288 if (receivedCmd[1] >= 16 * 4) {
2289 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2290 break;
2291 }
2292 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2293 nextCycleTimeout = 50;
2294 cardSTATE = MFEMUL_WRITEBL2;
2295 cardWRBL = receivedCmd[1];
0a39986e 2296 break;
9ca155ba 2297 }
8f51ddb0 2298
9ca155ba 2299 // halt
0a39986e 2300 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba
M
2301 cardSTATE = MFEMUL_HALTED;
2302 LED_B_OFF();
0a39986e
M
2303 LED_C_OFF();
2304 Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
2305 break;
9ca155ba 2306 }
50193c1e 2307 break;
8f51ddb0
M
2308
2309 // command not allowed
2310 if (len == 4) {
2311 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2312 break;
2313 }
2314 }
2315 case MFEMUL_WRITEBL2:{
2316 if (len == 18){
2317 mf_crypto1_decrypt(pcs, receivedCmd, len);
2318 emlSetMem(receivedCmd, cardWRBL, 1);
2319 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2320 cardSTATE = MFEMUL_WORK;
2321 break;
2322 }
2323Dbprintf("err write block: %d len:%d", cardWRBL, len);
2324 break;
50193c1e
M
2325 }
2326
2327 }
2328
2329 }
2330
9ca155ba
M
2331 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2332 LEDsoff();
2333
0a39986e 2334 // add trace trailer
8f51ddb0 2335 memset(rAUTH_NT, 0x44, 4);
0a39986e
M
2336 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2337
9ca155ba 2338 DbpString("Emulator stopped.");
15c4dc5a 2339}
Impressum, Datenschutz