]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
initialize graph cursors to avoid crashing (issue 21)
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
f89c7050 2// Merlok - June 2011
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
17
15c4dc5a 18#include "iso14443crc.h"
534983d7 19#include "iso14443a.h"
20f9a2a1
M		 20#include "crapto1.h"
21#include "mifareutil.h"
15c4dc5a 22
f7e3ed82 23static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 24static int traceLen = 0;
25static int rsamples = 0;
f7e3ed82 26static int tracing = TRUE;
534983d7 27static uint32_t iso14a_timeout;
15c4dc5a 28
8f51ddb0 29// CARD TO READER - manchester
72934aa3 30// Sequence D: 11110000 modulation with subcarrier during first half
31// Sequence E: 00001111 modulation with subcarrier during second half
32// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 33// READER TO CARD - miller
72934aa3 34// Sequence X: 00001100 drop after half a period
35// Sequence Y: 00000000 no drop
36// Sequence Z: 11000000 drop at start
37#define SEC_D 0xf0
38#define SEC_E 0x0f
39#define SEC_F 0x00
40#define SEC_X 0x0c
41#define SEC_Y 0x00
42#define SEC_Z 0xc0
15c4dc5a 43
f7e3ed82 44static const uint8_t OddByteParity[256] = {
15c4dc5a 45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
58 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
59 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
60 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
61};
62
534983d7 63uint8_t trigger = 0;
64void iso14a_set_trigger(int enable) {
65 trigger = enable;
66}
67
8556b852
M		 68void iso14a_clear_tracelen(void) {
69 traceLen = 0;
70}
71void iso14a_set_tracing(int enable) {
72 tracing = enable;
73}
74
15c4dc5a 75//-----------------------------------------------------------------------------
76// Generate the parity value for a byte sequence
e30c654b 77//
15c4dc5a 78//-----------------------------------------------------------------------------
20f9a2a1
M		 79byte_t oddparity (const byte_t bt)
80{
81 return OddByteParity[bt];
82}
83
f7e3ed82 84uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 85{
86 int i;
f7e3ed82 87 uint32_t dwPar = 0;
72934aa3 88
15c4dc5a 89 // Generate the encrypted data
90 for (i = 0; i < iLen; i++) {
91 // Save the encrypted parity bit
92 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
93 }
94 return dwPar;
95}
96
534983d7 97void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 98{
99 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
100}
101
ed82636b 102int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 103{
104 // Return when trace is full
105 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 106
15c4dc5a 107 // Trace the random, i'm curious
108 rsamples += iSamples;
109 trace[traceLen++] = ((rsamples >> 0) & 0xff);
110 trace[traceLen++] = ((rsamples >> 8) & 0xff);
111 trace[traceLen++] = ((rsamples >> 16) & 0xff);
112 trace[traceLen++] = ((rsamples >> 24) & 0xff);
113 if (!bReader) {
114 trace[traceLen - 1] |= 0x80;
115 }
116 trace[traceLen++] = ((dwParity >> 0) & 0xff);
117 trace[traceLen++] = ((dwParity >> 8) & 0xff);
118 trace[traceLen++] = ((dwParity >> 16) & 0xff);
119 trace[traceLen++] = ((dwParity >> 24) & 0xff);
120 trace[traceLen++] = iLen;
121 memcpy(trace + traceLen, btBytes, iLen);
122 traceLen += iLen;
123 return TRUE;
124}
125
15c4dc5a 126//-----------------------------------------------------------------------------
127// The software UART that receives commands from the reader, and its state
128// variables.
129//-----------------------------------------------------------------------------
130static struct {
131 enum {
132 STATE_UNSYNCD,
133 STATE_START_OF_COMMUNICATION,
134 STATE_MILLER_X,
135 STATE_MILLER_Y,
136 STATE_MILLER_Z,
137 STATE_ERROR_WAIT
138 } state;
f7e3ed82 139 uint16_t shiftReg;
15c4dc5a 140 int bitCnt;
141 int byteCnt;
142 int byteCntMax;
143 int posCnt;
144 int syncBit;
145 int parityBits;
146 int samples;
147 int highCnt;
148 int bitBuffer;
149 enum {
150 DROP_NONE,
151 DROP_FIRST_HALF,
152 DROP_SECOND_HALF
153 } drop;
f7e3ed82 154 uint8_t *output;
15c4dc5a 155} Uart;
156
6c1e2d95 157static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 158{
159 int error = 0;
160 int bitright;
161
162 if(!Uart.bitBuffer) {
163 Uart.bitBuffer = bit ^ 0xFF0;
164 return FALSE;
165 }
166 else {
167 Uart.bitBuffer <<= 4;
168 Uart.bitBuffer ^= bit;
169 }
170
f7e3ed82 171 int EOC = FALSE;
15c4dc5a 172
173 if(Uart.state != STATE_UNSYNCD) {
174 Uart.posCnt++;
175
176 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
177 bit = 0x00;
178 }
179 else {
180 bit = 0x01;
181 }
182 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
183 bitright = 0x00;
184 }
185 else {
186 bitright = 0x01;
187 }
188 if(bit != bitright) { bit = bitright; }
189
190 if(Uart.posCnt == 1) {
191 // measurement first half bitperiod
192 if(!bit) {
193 Uart.drop = DROP_FIRST_HALF;
194 }
195 }
196 else {
197 // measurement second half bitperiod
198 if(!bit & (Uart.drop == DROP_NONE)) {
199 Uart.drop = DROP_SECOND_HALF;
200 }
201 else if(!bit) {
202 // measured a drop in first and second half
203 // which should not be possible
204 Uart.state = STATE_ERROR_WAIT;
205 error = 0x01;
206 }
207
208 Uart.posCnt = 0;
209
210 switch(Uart.state) {
211 case STATE_START_OF_COMMUNICATION:
212 Uart.shiftReg = 0;
213 if(Uart.drop == DROP_SECOND_HALF) {
214 // error, should not happen in SOC
215 Uart.state = STATE_ERROR_WAIT;
216 error = 0x02;
217 }
218 else {
219 // correct SOC
220 Uart.state = STATE_MILLER_Z;
221 }
222 break;
223
224 case STATE_MILLER_Z:
225 Uart.bitCnt++;
226 Uart.shiftReg >>= 1;
227 if(Uart.drop == DROP_NONE) {
228 // logic '0' followed by sequence Y
229 // end of communication
230 Uart.state = STATE_UNSYNCD;
231 EOC = TRUE;
232 }
233 // if(Uart.drop == DROP_FIRST_HALF) {
234 // Uart.state = STATE_MILLER_Z; stay the same
235 // we see a logic '0' }
236 if(Uart.drop == DROP_SECOND_HALF) {
237 // we see a logic '1'
238 Uart.shiftReg |= 0x100;
239 Uart.state = STATE_MILLER_X;
240 }
241 break;
242
243 case STATE_MILLER_X:
244 Uart.shiftReg >>= 1;
245 if(Uart.drop == DROP_NONE) {
246 // sequence Y, we see a '0'
247 Uart.state = STATE_MILLER_Y;
248 Uart.bitCnt++;
249 }
250 if(Uart.drop == DROP_FIRST_HALF) {
251 // Would be STATE_MILLER_Z
252 // but Z does not follow X, so error
253 Uart.state = STATE_ERROR_WAIT;
254 error = 0x03;
255 }
256 if(Uart.drop == DROP_SECOND_HALF) {
257 // We see a '1' and stay in state X
258 Uart.shiftReg |= 0x100;
259 Uart.bitCnt++;
260 }
261 break;
262
263 case STATE_MILLER_Y:
264 Uart.bitCnt++;
265 Uart.shiftReg >>= 1;
266 if(Uart.drop == DROP_NONE) {
267 // logic '0' followed by sequence Y
268 // end of communication
269 Uart.state = STATE_UNSYNCD;
270 EOC = TRUE;
271 }
272 if(Uart.drop == DROP_FIRST_HALF) {
273 // we see a '0'
274 Uart.state = STATE_MILLER_Z;
275 }
276 if(Uart.drop == DROP_SECOND_HALF) {
277 // We see a '1' and go to state X
278 Uart.shiftReg |= 0x100;
279 Uart.state = STATE_MILLER_X;
280 }
281 break;
282
283 case STATE_ERROR_WAIT:
284 // That went wrong. Now wait for at least two bit periods
285 // and try to sync again
286 if(Uart.drop == DROP_NONE) {
287 Uart.highCnt = 6;
288 Uart.state = STATE_UNSYNCD;
289 }
290 break;
291
292 default:
293 Uart.state = STATE_UNSYNCD;
294 Uart.highCnt = 0;
295 break;
296 }
297
298 Uart.drop = DROP_NONE;
299
300 // should have received at least one whole byte...
301 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
302 return TRUE;
303 }
304
305 if(Uart.bitCnt == 9) {
306 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
307 Uart.byteCnt++;
308
309 Uart.parityBits <<= 1;
310 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
311
312 if(EOC) {
313 // when End of Communication received and
314 // all data bits processed..
315 return TRUE;
316 }
317 Uart.bitCnt = 0;
318 }
319
320 /*if(error) {
321 Uart.output[Uart.byteCnt] = 0xAA;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = error & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
328 Uart.byteCnt++;
329 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
330 Uart.byteCnt++;
331 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
332 Uart.byteCnt++;
333 Uart.output[Uart.byteCnt] = 0xAA;
334 Uart.byteCnt++;
335 return TRUE;
336 }*/
337 }
338
339 }
340 else {
341 bit = Uart.bitBuffer & 0xf0;
342 bit >>= 4;
343 bit ^= 0x0F;
344 if(bit) {
345 // should have been high or at least (4 * 128) / fc
346 // according to ISO this should be at least (9 * 128 + 20) / fc
347 if(Uart.highCnt == 8) {
348 // we went low, so this could be start of communication
349 // it turns out to be safer to choose a less significant
350 // syncbit... so we check whether the neighbour also represents the drop
351 Uart.posCnt = 1; // apparently we are busy with our first half bit period
352 Uart.syncBit = bit & 8;
353 Uart.samples = 3;
354 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
355 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
356 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
357 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
358 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 359 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 360 Uart.syncBit = 8;
361
362 // the first half bit period is expected in next sample
363 Uart.posCnt = 0;
364 Uart.samples = 3;
365 }
366 }
367 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
368
369 Uart.syncBit <<= 4;
370 Uart.state = STATE_START_OF_COMMUNICATION;
371 Uart.drop = DROP_FIRST_HALF;
372 Uart.bitCnt = 0;
373 Uart.byteCnt = 0;
374 Uart.parityBits = 0;
375 error = 0;
376 }
377 else {
378 Uart.highCnt = 0;
379 }
380 }
381 else {
382 if(Uart.highCnt < 8) {
383 Uart.highCnt++;
384 }
385 }
386 }
387
388 return FALSE;
389}
390
391//=============================================================================
392// ISO 14443 Type A - Manchester
393//=============================================================================
394
395static struct {
396 enum {
397 DEMOD_UNSYNCD,
398 DEMOD_START_OF_COMMUNICATION,
399 DEMOD_MANCHESTER_D,
400 DEMOD_MANCHESTER_E,
401 DEMOD_MANCHESTER_F,
402 DEMOD_ERROR_WAIT
403 } state;
404 int bitCount;
405 int posCount;
406 int syncBit;
407 int parityBits;
f7e3ed82 408 uint16_t shiftReg;
15c4dc5a 409 int buffer;
410 int buff;
411 int samples;
412 int len;
413 enum {
414 SUB_NONE,
415 SUB_FIRST_HALF,
416 SUB_SECOND_HALF
417 } sub;
f7e3ed82 418 uint8_t *output;
15c4dc5a 419} Demod;
420
6c1e2d95 421static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 422{
423 int bit;
424 int modulation;
425 int error = 0;
426
427 if(!Demod.buff) {
428 Demod.buff = 1;
429 Demod.buffer = v;
430 return FALSE;
431 }
432 else {
433 bit = Demod.buffer;
434 Demod.buffer = v;
435 }
436
437 if(Demod.state==DEMOD_UNSYNCD) {
438 Demod.output[Demod.len] = 0xfa;
439 Demod.syncBit = 0;
440 //Demod.samples = 0;
441 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 442
443 if(bit & 0x08) {
444 Demod.syncBit = 0x08;
15c4dc5a 445 }
15c4dc5a 446
2f2d9fc5 447 if(bit & 0x04) {
448 if(Demod.syncBit) {
449 bit <<= 4;
450 }
451 Demod.syncBit = 0x04;
452 }
15c4dc5a 453
2f2d9fc5 454 if(bit & 0x02) {
455 if(Demod.syncBit) {
456 bit <<= 2;
15c4dc5a 457 }
2f2d9fc5 458 Demod.syncBit = 0x02;
15c4dc5a 459 }
15c4dc5a 460
593924e7 461 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 462 Demod.syncBit = 0x01;
463 }
464
15c4dc5a 465 if(Demod.syncBit) {
466 Demod.len = 0;
467 Demod.state = DEMOD_START_OF_COMMUNICATION;
468 Demod.sub = SUB_FIRST_HALF;
469 Demod.bitCount = 0;
470 Demod.shiftReg = 0;
471 Demod.parityBits = 0;
472 Demod.samples = 0;
473 if(Demod.posCount) {
534983d7 474 if(trigger) LED_A_OFF();
15c4dc5a 475 switch(Demod.syncBit) {
476 case 0x08: Demod.samples = 3; break;
477 case 0x04: Demod.samples = 2; break;
478 case 0x02: Demod.samples = 1; break;
479 case 0x01: Demod.samples = 0; break;
480 }
481 }
482 error = 0;
483 }
484 }
485 else {
486 //modulation = bit & Demod.syncBit;
487 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
488
489 Demod.samples += 4;
490
491 if(Demod.posCount==0) {
492 Demod.posCount = 1;
493 if(modulation) {
494 Demod.sub = SUB_FIRST_HALF;
495 }
496 else {
497 Demod.sub = SUB_NONE;
498 }
499 }
500 else {
501 Demod.posCount = 0;
502 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
503 if(Demod.state!=DEMOD_ERROR_WAIT) {
504 Demod.state = DEMOD_ERROR_WAIT;
505 Demod.output[Demod.len] = 0xaa;
506 error = 0x01;
507 }
508 }
509 else if(modulation) {
510 Demod.sub = SUB_SECOND_HALF;
511 }
512
513 switch(Demod.state) {
514 case DEMOD_START_OF_COMMUNICATION:
515 if(Demod.sub == SUB_FIRST_HALF) {
516 Demod.state = DEMOD_MANCHESTER_D;
517 }
518 else {
519 Demod.output[Demod.len] = 0xab;
520 Demod.state = DEMOD_ERROR_WAIT;
521 error = 0x02;
522 }
523 break;
524
525 case DEMOD_MANCHESTER_D:
526 case DEMOD_MANCHESTER_E:
527 if(Demod.sub == SUB_FIRST_HALF) {
528 Demod.bitCount++;
529 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
530 Demod.state = DEMOD_MANCHESTER_D;
531 }
532 else if(Demod.sub == SUB_SECOND_HALF) {
533 Demod.bitCount++;
534 Demod.shiftReg >>= 1;
535 Demod.state = DEMOD_MANCHESTER_E;
536 }
537 else {
538 Demod.state = DEMOD_MANCHESTER_F;
539 }
540 break;
541
542 case DEMOD_MANCHESTER_F:
543 // Tag response does not need to be a complete byte!
544 if(Demod.len > 0 || Demod.bitCount > 0) {
545 if(Demod.bitCount > 0) {
546 Demod.shiftReg >>= (9 - Demod.bitCount);
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549 // No parity bit, so just shift a 0
550 Demod.parityBits <<= 1;
551 }
552
553 Demod.state = DEMOD_UNSYNCD;
554 return TRUE;
555 }
556 else {
557 Demod.output[Demod.len] = 0xad;
558 Demod.state = DEMOD_ERROR_WAIT;
559 error = 0x03;
560 }
561 break;
562
563 case DEMOD_ERROR_WAIT:
564 Demod.state = DEMOD_UNSYNCD;
565 break;
566
567 default:
568 Demod.output[Demod.len] = 0xdd;
569 Demod.state = DEMOD_UNSYNCD;
570 break;
571 }
572
573 if(Demod.bitCount>=9) {
574 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
575 Demod.len++;
576
577 Demod.parityBits <<= 1;
578 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
579
580 Demod.bitCount = 0;
581 Demod.shiftReg = 0;
582 }
583
584 /*if(error) {
585 Demod.output[Demod.len] = 0xBB;
586 Demod.len++;
587 Demod.output[Demod.len] = error & 0xFF;
588 Demod.len++;
589 Demod.output[Demod.len] = 0xBB;
590 Demod.len++;
591 Demod.output[Demod.len] = bit & 0xFF;
592 Demod.len++;
593 Demod.output[Demod.len] = Demod.buffer & 0xFF;
594 Demod.len++;
595 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
596 Demod.len++;
597 Demod.output[Demod.len] = 0xBB;
598 Demod.len++;
599 return TRUE;
600 }*/
601
602 }
603
604 } // end (state != UNSYNCED)
605
606 return FALSE;
607}
608
609//=============================================================================
610// Finally, a `sniffer' for ISO 14443 Type A
611// Both sides of communication!
612//=============================================================================
613
614//-----------------------------------------------------------------------------
615// Record the sequence of commands sent by the reader to the tag, with
616// triggering so that we start recording at the point that the tag is moved
617// near the reader.
618//-----------------------------------------------------------------------------
6c1e2d95 619void RAMFUNC SnoopIso14443a(void)
15c4dc5a 620{
621// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
622// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
623// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
624// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
625// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
626
627 // We won't start recording the frames that we acquire until we trigger;
628 // a good trigger condition to get started is probably when we see a
629 // response from the tag.
7e758047 630 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 631
632 // The command (reader -> tag) that we're receiving.
633 // The length of a received command will in most cases be no more than 18 bytes.
634 // So 32 should be enough!
f7e3ed82 635 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 636 // The response (tag -> reader) that we're receiving.
f7e3ed82 637 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 638
639 // As we receive stuff, we copy it from receivedCmd or receivedResponse
640 // into trace, along with its length and other annotations.
f7e3ed82 641 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 642
643 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 644
645 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 646 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 647 int lastRxCounter;
f7e3ed82 648 int8_t *upTo;
15c4dc5a 649 int smpl;
650 int maxBehindBy = 0;
651
652 // Count of samples received so far, so that we can include timing
653 // information in the trace buffer.
654 int samples = 0;
cee5a30d 655 int rsamples = 0;
15c4dc5a 656
657 memset(trace, 0x44, RECV_CMD_OFFSET);
658
659 // Set up the demodulator for tag -> reader responses.
660 Demod.output = receivedResponse;
661 Demod.len = 0;
662 Demod.state = DEMOD_UNSYNCD;
663
7e758047 664 // Setup for the DMA.
665 FpgaSetupSsc();
666 upTo = dmaBuf;
667 lastRxCounter = DMA_BUFFER_SIZE;
668 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
669
15c4dc5a 670 // And the reader -> tag commands
671 memset(&Uart, 0, sizeof(Uart));
672 Uart.output = receivedCmd;
673 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
674 Uart.state = STATE_UNSYNCD;
675
676 // And put the FPGA in the appropriate mode
677 // Signal field is off with the appropriate LED
678 LED_D_OFF();
679 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
680 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
681
15c4dc5a 682
683 // And now we loop, receiving samples.
684 for(;;) {
7e758047 685 LED_A_ON();
686 WDT_HIT();
15c4dc5a 687 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
688 (DMA_BUFFER_SIZE-1);
689 if(behindBy > maxBehindBy) {
690 maxBehindBy = behindBy;
691 if(behindBy > 400) {
7e758047 692 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 693 goto done;
694 }
695 }
696 if(behindBy < 1) continue;
697
7e758047 698 LED_A_OFF();
15c4dc5a 699 smpl = upTo[0];
700 upTo++;
701 lastRxCounter -= 1;
702 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
703 upTo -= DMA_BUFFER_SIZE;
704 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 705 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 706 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
707 }
708
709 samples += 4;
7e758047 710 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 711 rsamples = samples - Uart.samples;
72934aa3 712 LED_C_ON();
7e758047 713 if(triggered) {
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 718 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 722 trace[traceLen++] = Uart.byteCnt;
723 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
724 traceLen += Uart.byteCnt;
725 if(traceLen > TRACE_LENGTH) break;
726 }
727 /* And ready to receive another command. */
728 Uart.state = STATE_UNSYNCD;
729 /* And also reset the demod code, which might have been */
730 /* false-triggered by the commands from the reader. */
731 Demod.state = DEMOD_UNSYNCD;
7e758047 732 LED_B_OFF();
15c4dc5a 733 }
7e758047 734
735 if(ManchesterDecoding(smpl & 0x0F)) {
736 rsamples = samples - Demod.samples;
737 LED_B_ON();
738
739 // timestamp, as a count of samples
740 trace[traceLen++] = ((rsamples >> 0) & 0xff);
741 trace[traceLen++] = ((rsamples >> 8) & 0xff);
742 trace[traceLen++] = ((rsamples >> 16) & 0xff);
743 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
744 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
745 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
746 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
747 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
748 // length
749 trace[traceLen++] = Demod.len;
750 memcpy(trace+traceLen, receivedResponse, Demod.len);
751 traceLen += Demod.len;
752 if(traceLen > TRACE_LENGTH) break;
753
754 triggered = TRUE;
15c4dc5a 755
756 // And ready to receive another response.
757 memset(&Demod, 0, sizeof(Demod));
758 Demod.output = receivedResponse;
759 Demod.state = DEMOD_UNSYNCD;
7e758047 760 LED_C_OFF();
761 }
15c4dc5a 762
763 if(BUTTON_PRESS()) {
764 DbpString("cancelled_a");
765 goto done;
766 }
767 }
768
769 DbpString("COMMAND FINISHED");
770
15c4dc5a 771done:
772 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
13d8c68d 773 Dbprintf("maxBehindBy=%x, Uart.state=%x, Uart.byteCnt=%x", maxBehindBy, Uart.state, Uart.byteCnt);
774 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
15c4dc5a 775 LED_A_OFF();
776 LED_B_OFF();
777 LED_C_OFF();
778 LED_D_OFF();
779}
780
15c4dc5a 781//-----------------------------------------------------------------------------
782// Prepare tag messages
783//-----------------------------------------------------------------------------
8f51ddb0 784static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 785{
8f51ddb0 786 int i;
15c4dc5a 787
8f51ddb0 788 ToSendReset();
15c4dc5a 789
790 // Correction bit, might be removed when not needed
791 ToSendStuffBit(0);
792 ToSendStuffBit(0);
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(1); // 1
796 ToSendStuffBit(0);
797 ToSendStuffBit(0);
798 ToSendStuffBit(0);
8f51ddb0 799
15c4dc5a 800 // Send startbit
72934aa3 801 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 802
8f51ddb0
M		 803 for(i = 0; i < len; i++) {
804 int j;
805 uint8_t b = cmd[i];
15c4dc5a 806
807 // Data bits
15c4dc5a 808 for(j = 0; j < 8; j++) {
15c4dc5a 809 if(b & 1) {
72934aa3 810 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 811 } else {
72934aa3 812 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M		 813 }
814 b >>= 1;
815 }
15c4dc5a 816
0014cb46 817 // Get the parity bit
8f51ddb0
M		 818 if ((dwParity >> i) & 0x01) {
819 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 820 } else {
72934aa3 821 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 822 }
8f51ddb0 823 }
15c4dc5a 824
8f51ddb0
M		 825 // Send stopbit
826 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 827
8f51ddb0
M		 828 // Convert from last byte pos to length
829 ToSendMax++;
8f51ddb0
M		 830}
831
832static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
833 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 834}
835
836//-----------------------------------------------------------------------------
837// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
838//-----------------------------------------------------------------------------
8f51ddb0 839static void CodeStrangeAnswerAsTag()
15c4dc5a 840{
841 int i;
842
843 ToSendReset();
844
845 // Correction bit, might be removed when not needed
846 ToSendStuffBit(0);
847 ToSendStuffBit(0);
848 ToSendStuffBit(0);
849 ToSendStuffBit(0);
850 ToSendStuffBit(1); // 1
851 ToSendStuffBit(0);
852 ToSendStuffBit(0);
853 ToSendStuffBit(0);
854
855 // Send startbit
72934aa3 856 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 857
858 // 0
72934aa3 859 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 860
861 // 0
72934aa3 862 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 863
864 // 1
72934aa3 865 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 866
867 // Send stopbit
72934aa3 868 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 869
870 // Flush the buffer in FPGA!!
871 for(i = 0; i < 5; i++) {
72934aa3 872 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 873 }
874
875 // Convert from last byte pos to length
876 ToSendMax++;
8f51ddb0 877}
15c4dc5a 878
8f51ddb0
M		 879static void Code4bitAnswerAsTag(uint8_t cmd)
880{
881 int i;
882
883 ToSendReset();
884
885 // Correction bit, might be removed when not needed
886 ToSendStuffBit(0);
887 ToSendStuffBit(0);
888 ToSendStuffBit(0);
889 ToSendStuffBit(0);
890 ToSendStuffBit(1); // 1
891 ToSendStuffBit(0);
892 ToSendStuffBit(0);
893 ToSendStuffBit(0);
894
895 // Send startbit
896 ToSend[++ToSendMax] = SEC_D;
897
898 uint8_t b = cmd;
899 for(i = 0; i < 4; i++) {
900 if(b & 1) {
901 ToSend[++ToSendMax] = SEC_D;
902 } else {
903 ToSend[++ToSendMax] = SEC_E;
904 }
905 b >>= 1;
906 }
907
908 // Send stopbit
909 ToSend[++ToSendMax] = SEC_F;
910
911 // Flush the buffer in FPGA!!
912 for(i = 0; i < 5; i++) {
913 ToSend[++ToSendMax] = SEC_F;
914 }
915
916 // Convert from last byte pos to length
917 ToSendMax++;
15c4dc5a 918}
919
920//-----------------------------------------------------------------------------
921// Wait for commands from reader
922// Stop when button is pressed
923// Or return TRUE when command is captured
924//-----------------------------------------------------------------------------
f7e3ed82 925static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 926{
927 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
928 // only, since we are receiving, not transmitting).
929 // Signal field is off with the appropriate LED
930 LED_D_OFF();
931 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
932
933 // Now run a `software UART' on the stream of incoming samples.
934 Uart.output = received;
935 Uart.byteCntMax = maxLen;
936 Uart.state = STATE_UNSYNCD;
937
938 for(;;) {
939 WDT_HIT();
940
941 if(BUTTON_PRESS()) return FALSE;
942
943 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
944 AT91C_BASE_SSC->SSC_THR = 0x00;
945 }
946 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 947 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 948 if(MillerDecoding((b & 0xf0) >> 4)) {
949 *len = Uart.byteCnt;
950 return TRUE;
951 }
952 if(MillerDecoding(b & 0x0f)) {
953 *len = Uart.byteCnt;
954 return TRUE;
955 }
956 }
957 }
958}
9ca155ba 959static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
15c4dc5a 960
961//-----------------------------------------------------------------------------
962// Main loop of simulated tag: receive commands from reader, decide what
963// response to send, and send it.
964//-----------------------------------------------------------------------------
965void SimulateIso14443aTag(int tagType, int TagUid)
966{
967 // This function contains the tag emulation
968
969 // Prepare protocol messages
f7e3ed82 970 // static const uint8_t cmd1[] = { 0x26 };
971// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 972//
f7e3ed82 973 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
974// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 975
976 // UID response
f7e3ed82 977 // static const uint8_t cmd2[] = { 0x93, 0x20 };
978 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 979
15c4dc5a 980// my desfire
f7e3ed82 981 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 982
983
984// When reader selects us during cascade1 it will send cmd3
f7e3ed82 985//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
986uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 987ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
988
989// send cascade2 2nd half of UID
f7e3ed82 990static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 991// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
992
15c4dc5a 993// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 994//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
995uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 996ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
997
f7e3ed82 998 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 999
f7e3ed82 1000 uint8_t *resp;
15c4dc5a 1001 int respLen;
1002
1003 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
1004 // This will need
1005 // 144 data bits (18 * 8)
1006 // 18 parity bits
1007 // 2 Start and stop
1008 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1009 // 1 just for the case
1010 // ----------- +
1011 // 166
1012 //
1013 // 166 bytes, since every bit that needs to be send costs us a byte
1014 //
1015
15c4dc5a 1016 // Respond with card type
f7e3ed82 1017 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 1018 int resp1Len;
1019
1020 // Anticollision cascade1 - respond with uid
f7e3ed82 1021 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 1022 int resp2Len;
1023
1024 // Anticollision cascade2 - respond with 2nd half of uid if asked
1025 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1026 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1027 int resp2aLen;
1028
1029 // Acknowledge select - cascade 1
f7e3ed82 1030 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1031 int resp3Len;
1032
1033 // Acknowledge select - cascade 2
f7e3ed82 1034 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1035 int resp3aLen;
1036
1037 // Response to a read request - not implemented atm
f7e3ed82 1038 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1039 int resp4Len;
1040
1041 // Authenticate response - nonce
f7e3ed82 1042 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1043 int resp5Len;
1044
f7e3ed82 1045 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1046 int len;
1047
1048 int i;
1049 int u;
f7e3ed82 1050 uint8_t b;
15c4dc5a 1051
1052 // To control where we are in the protocol
1053 int order = 0;
1054 int lastorder;
1055
1056 // Just to allow some checks
1057 int happened = 0;
1058 int happened2 = 0;
1059
1060 int cmdsRecvd = 0;
1061
f7e3ed82 1062 int fdt_indicator;
15c4dc5a 1063
1064 memset(receivedCmd, 0x44, 400);
1065
1066 // Prepare the responses of the anticollision phase
1067 // there will be not enough time to do this at the moment the reader sends it REQA
1068
1069 // Answer to request
1070 CodeIso14443aAsTag(response1, sizeof(response1));
1071 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1072
1073 // Send our UID (cascade 1)
1074 CodeIso14443aAsTag(response2, sizeof(response2));
1075 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1076
1077 // Answer to select (cascade1)
1078 CodeIso14443aAsTag(response3, sizeof(response3));
1079 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1080
1081 // Send the cascade 2 2nd part of the uid
1082 CodeIso14443aAsTag(response2a, sizeof(response2a));
1083 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1084
1085 // Answer to select (cascade 2)
1086 CodeIso14443aAsTag(response3a, sizeof(response3a));
1087 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1088
1089 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1090 CodeStrangeAnswerAsTag();
15c4dc5a 1091 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1092
1093 // Authentication answer (random nonce)
1094 CodeIso14443aAsTag(response5, sizeof(response5));
1095 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1096
1097 // We need to listen to the high-frequency, peak-detected path.
1098 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1099 FpgaSetupSsc();
1100
1101 cmdsRecvd = 0;
1102
1103 LED_A_ON();
1104 for(;;) {
1105
1106 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1107 DbpString("button press");
1108 break;
1109 }
1110 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1111 // Okay, look at the command now.
1112 lastorder = order;
1113 i = 1; // first byte transmitted
1114 if(receivedCmd[0] == 0x26) {
1115 // Received a REQUEST
1116 resp = resp1; respLen = resp1Len; order = 1;
1117 //DbpString("Hello request from reader:");
1118 } else if(receivedCmd[0] == 0x52) {
1119 // Received a WAKEUP
1120 resp = resp1; respLen = resp1Len; order = 6;
1121// //DbpString("Wakeup request from reader:");
1122
1123 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1124 // Received request for UID (cascade 1)
1125 resp = resp2; respLen = resp2Len; order = 2;
1126// DbpString("UID (cascade 1) request from reader:");
1127// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1128
1129
1130 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1131 // Received request for UID (cascade 2)
1132 resp = resp2a; respLen = resp2aLen; order = 20;
1133// DbpString("UID (cascade 2) request from reader:");
1134// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1135
1136
1137 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1138 // Received a SELECT
1139 resp = resp3; respLen = resp3Len; order = 3;
1140// DbpString("Select (cascade 1) request from reader:");
1141// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1142
1143
1144 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1145 // Received a SELECT
1146 resp = resp3a; respLen = resp3aLen; order = 30;
1147// DbpString("Select (cascade 2) request from reader:");
1148// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1149
1150
1151 } else if(receivedCmd[0] == 0x30) {
1152 // Received a READ
1153 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1154 Dbprintf("Read request from reader: %x %x %x",
1155 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1156
1157
1158 } else if(receivedCmd[0] == 0x50) {
1159 // Received a HALT
1160 resp = resp1; respLen = 0; order = 5; // Do nothing
1161 DbpString("Reader requested we HALT!:");
1162
1163 } else if(receivedCmd[0] == 0x60) {
1164 // Received an authentication request
1165 resp = resp5; respLen = resp5Len; order = 7;
1166 Dbprintf("Authenticate request from reader: %x %x %x",
1167 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1168
1169 } else if(receivedCmd[0] == 0xE0) {
1170 // Received a RATS request
1171 resp = resp1; respLen = 0;order = 70;
1172 Dbprintf("RATS request from reader: %x %x %x",
1173 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1174 } else {
1175 // Never seen this command before
20f9a2a1
M		 1176 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1177 len,
15c4dc5a 1178 receivedCmd[0], receivedCmd[1], receivedCmd[2],
20f9a2a1
M		 1179 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1180 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
15c4dc5a 1181 // Do not respond
1182 resp = resp1; respLen = 0; order = 0;
1183 }
1184
1185 // Count number of wakeups received after a halt
1186 if(order == 6 && lastorder == 5) { happened++; }
1187
1188 // Count number of other messages after a halt
1189 if(order != 6 && lastorder == 5) { happened2++; }
1190
1191 // Look at last parity bit to determine timing of answer
1192 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1193 // 1236, so correction bit needed
1194 i = 0;
1195 }
1196
1197 memset(receivedCmd, 0x44, 32);
1198
1199 if(cmdsRecvd > 999) {
1200 DbpString("1000 commands later...");
1201 break;
1202 }
1203 else {
1204 cmdsRecvd++;
1205 }
1206
1207 if(respLen <= 0) continue;
9ca155ba
M		 1208 //----------------------------
1209 u = 0;
1210 b = 0x00;
1211 fdt_indicator = FALSE;
15c4dc5a 1212
9ca155ba
M		 1213 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1214/* // Modulate Manchester
15c4dc5a 1215 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1216 AT91C_BASE_SSC->SSC_THR = 0x00;
1217 FpgaSetupSsc();
1218
1219 // ### Transmit the response ###
1220 u = 0;
1221 b = 0x00;
1222 fdt_indicator = FALSE;
1223 for(;;) {
1224 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1225 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1226 (void)b;
1227 }
1228 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1229 if(i > respLen) {
1230 b = 0x00;
1231 u++;
1232 } else {
1233 b = resp[i];
1234 i++;
1235 }
1236 AT91C_BASE_SSC->SSC_THR = b;
1237
1238 if(u > 4) {
1239 break;
1240 }
1241 }
1242 if(BUTTON_PRESS()) {
1243 break;
1244 }
1245 }
9ca155ba 1246*/
15c4dc5a 1247 }
1248
1249 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1250 LED_A_OFF();
1251}
1252
1253//-----------------------------------------------------------------------------
1254// Transmit the command (to the tag) that was placed in ToSend[].
1255//-----------------------------------------------------------------------------
f7e3ed82 1256static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1257{
1258 int c;
e30c654b 1259
15c4dc5a 1260 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1261
15c4dc5a 1262 if (wait)
1263 if(*wait < 10)
1264 *wait = 10;
e30c654b 1265
15c4dc5a 1266 for(c = 0; c < *wait;) {
1267 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1268 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1269 c++;
1270 }
1271 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1272 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1273 (void)r;
1274 }
1275 WDT_HIT();
1276 }
e30c654b 1277
15c4dc5a 1278 c = 0;
1279 for(;;) {
1280 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1281 AT91C_BASE_SSC->SSC_THR = cmd[c];
1282 c++;
1283 if(c >= len) {
1284 break;
1285 }
1286 }
1287 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1288 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1289 (void)r;
1290 }
1291 WDT_HIT();
1292 }
1293 if (samples) *samples = (c + *wait) << 3;
1294}
1295
15c4dc5a 1296//-----------------------------------------------------------------------------
1297// Code a 7-bit command without parity bit
1298// This is especially for 0x26 and 0x52 (REQA and WUPA)
1299//-----------------------------------------------------------------------------
f7e3ed82 1300void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1301{
1302 int j;
1303 int last;
f7e3ed82 1304 uint8_t b;
15c4dc5a 1305
1306 ToSendReset();
1307
1308 // Start of Communication (Seq. Z)
72934aa3 1309 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1310 last = 0;
1311
1312 b = bt;
1313 for(j = 0; j < 7; j++) {
1314 if(b & 1) {
1315 // Sequence X
72934aa3 1316 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1317 last = 1;
1318 } else {
1319 if(last == 0) {
1320 // Sequence Z
72934aa3 1321 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1322 }
1323 else {
1324 // Sequence Y
72934aa3 1325 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1326 last = 0;
1327 }
1328 }
1329 b >>= 1;
1330 }
1331
1332 // End of Communication
1333 if(last == 0) {
1334 // Sequence Z
72934aa3 1335 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1336 }
1337 else {
1338 // Sequence Y
72934aa3 1339 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1340 last = 0;
1341 }
1342 // Sequence Y
72934aa3 1343 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1344
1345 // Just to be sure!
72934aa3 1346 ToSend[++ToSendMax] = SEC_Y;
1347 ToSend[++ToSendMax] = SEC_Y;
1348 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1349
1350 // Convert from last character reference to length
1351 ToSendMax++;
1352}
1353
1354//-----------------------------------------------------------------------------
1355// Prepare reader command to send to FPGA
e30c654b 1356//
15c4dc5a 1357//-----------------------------------------------------------------------------
f7e3ed82 1358void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1359{
1360 int i, j;
1361 int last;
f7e3ed82 1362 uint8_t b;
e30c654b 1363
15c4dc5a 1364 ToSendReset();
e30c654b 1365
15c4dc5a 1366 // Start of Communication (Seq. Z)
72934aa3 1367 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1368 last = 0;
e30c654b 1369
15c4dc5a 1370 // Generate send structure for the data bits
1371 for (i = 0; i < len; i++) {
1372 // Get the current byte to send
1373 b = cmd[i];
e30c654b 1374
15c4dc5a 1375 for (j = 0; j < 8; j++) {
1376 if (b & 1) {
1377 // Sequence X
72934aa3 1378 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1379 last = 1;
1380 } else {
1381 if (last == 0) {
1382 // Sequence Z
72934aa3 1383 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1384 } else {
1385 // Sequence Y
72934aa3 1386 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1387 last = 0;
1388 }
1389 }
1390 b >>= 1;
1391 }
e30c654b 1392
15c4dc5a 1393 // Get the parity bit
1394 if ((dwParity >> i) & 0x01) {
1395 // Sequence X
72934aa3 1396 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1397 last = 1;
1398 } else {
1399 if (last == 0) {
1400 // Sequence Z
72934aa3 1401 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1402 } else {
1403 // Sequence Y
72934aa3 1404 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1405 last = 0;
1406 }
1407 }
1408 }
e30c654b 1409
15c4dc5a 1410 // End of Communication
1411 if (last == 0) {
1412 // Sequence Z
72934aa3 1413 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1414 } else {
1415 // Sequence Y
72934aa3 1416 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1417 last = 0;
1418 }
1419 // Sequence Y
72934aa3 1420 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1421
15c4dc5a 1422 // Just to be sure!
72934aa3 1423 ToSend[++ToSendMax] = SEC_Y;
1424 ToSend[++ToSendMax] = SEC_Y;
1425 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1426
15c4dc5a 1427 // Convert from last character reference to length
1428 ToSendMax++;
1429}
1430
9ca155ba
M		 1431//-----------------------------------------------------------------------------
1432// Wait for commands from reader
1433// Stop when button is pressed (return 1) or field was gone (return 2)
1434// Or return 0 when command is captured
1435//-----------------------------------------------------------------------------
1436static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1437{
1438 *len = 0;
1439
1440 uint32_t timer = 0, vtime = 0;
1441 int analogCnt = 0;
1442 int analogAVG = 0;
1443
1444 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1445 // only, since we are receiving, not transmitting).
1446 // Signal field is off with the appropriate LED
1447 LED_D_OFF();
1448 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1449
1450 // Set ADC to read field strength
1451 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1452 AT91C_BASE_ADC->ADC_MR =
1453 ADC_MODE_PRESCALE(32) |
1454 ADC_MODE_STARTUP_TIME(16) |
1455 ADC_MODE_SAMPLE_HOLD_TIME(8);
1456 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1457 // start ADC
1458 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1459
1460 // Now run a 'software UART' on the stream of incoming samples.
1461 Uart.output = received;
1462 Uart.byteCntMax = maxLen;
1463 Uart.state = STATE_UNSYNCD;
1464
1465 for(;;) {
1466 WDT_HIT();
1467
1468 if (BUTTON_PRESS()) return 1;
1469
1470 // test if the field exists
1471 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1472 analogCnt++;
1473 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1474 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1475 if (analogCnt >= 32) {
1476 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1477 vtime = GetTickCount();
1478 if (!timer) timer = vtime;
1479 // 50ms no field --> card to idle state
1480 if (vtime - timer > 50) return 2;
1481 } else
1482 if (timer) timer = 0;
1483 analogCnt = 0;
1484 analogAVG = 0;
1485 }
1486 }
1487 // transmit none
1488 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1489 AT91C_BASE_SSC->SSC_THR = 0x00;
1490 }
1491 // receive and test the miller decoding
1492 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1493 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1494 if(MillerDecoding((b & 0xf0) >> 4)) {
1495 *len = Uart.byteCnt;
8f51ddb0 1496 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M		 1497 return 0;
1498 }
1499 if(MillerDecoding(b & 0x0f)) {
1500 *len = Uart.byteCnt;
8f51ddb0 1501 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M		 1502 return 0;
1503 }
1504 }
1505 }
1506}
1507
1508static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1509{
1510 int i, u = 0;
1511 uint8_t b = 0;
1512
1513 // Modulate Manchester
1514 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1515 AT91C_BASE_SSC->SSC_THR = 0x00;
1516 FpgaSetupSsc();
1517
1518 // include correction bit
1519 i = 1;
1520 if((Uart.parityBits & 0x01) || correctionNeeded) {
1521 // 1236, so correction bit needed
1522 i = 0;
1523 }
1524
1525 // send cycle
1526 for(;;) {
1527 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1528 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1529 (void)b;
1530 }
1531 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1532 if(i > respLen) {
8f51ddb0 1533 b = 0xff; // was 0x00
9ca155ba
M		 1534 u++;
1535 } else {
1536 b = resp[i];
1537 i++;
1538 }
1539 AT91C_BASE_SSC->SSC_THR = b;
1540
1541 if(u > 4) break;
1542 }
1543 if(BUTTON_PRESS()) {
1544 break;
1545 }
1546 }
1547
1548 return 0;
1549}
1550
8f51ddb0
M		 1551int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1552 Code4bitAnswerAsTag(resp);
0a39986e 1553 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1554 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1555 return res;
9ca155ba
M		 1556}
1557
8f51ddb0
M		 1558int EmSend4bit(uint8_t resp){
1559 return EmSend4bitEx(resp, 0);
1560}
1561
1562int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1563 CodeIso14443aAsTagPar(resp, respLen, par);
1564 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1565 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1566 return res;
1567}
1568
1569int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1570 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1571}
1572
1573int EmSendCmd(uint8_t *resp, int respLen){
1574 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1575}
1576
1577int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1578 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M		 1579}
1580
15c4dc5a 1581//-----------------------------------------------------------------------------
1582// Wait a certain time for tag response
1583// If a response is captured return TRUE
1584// If it takes to long return FALSE
1585//-----------------------------------------------------------------------------
f7e3ed82 1586static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1587{
1588 // buffer needs to be 512 bytes
1589 int c;
1590
1591 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1592 // only, since we are receiving, not transmitting).
1593 // Signal field is on with the appropriate LED
1594 LED_D_ON();
1595 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1596
534983d7 1597 // Now get the answer from the card
1598 Demod.output = receivedResponse;
1599 Demod.len = 0;
1600 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1601
f7e3ed82 1602 uint8_t b;
15c4dc5a 1603 if (elapsed) *elapsed = 0;
1604
1605 c = 0;
1606 for(;;) {
534983d7 1607 WDT_HIT();
15c4dc5a 1608
534983d7 1609 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1610 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1611 if (elapsed) (*elapsed)++;
534983d7 1612 }
1613 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1614 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1615 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1616 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1617 *samples = ((c - 1) << 3) + 4;
1618 return TRUE;
1619 }
1620 if(ManchesterDecoding(b & 0x0f)) {
1621 *samples = c << 3;
1622 return TRUE;
1623 }
534983d7 1624 }
1625 }
15c4dc5a 1626}
1627
f7e3ed82 1628void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1629{
1630 int wait = 0;
1631 int samples = 0;
1632
1633 ShortFrameFromReader(*bt);
e30c654b 1634
15c4dc5a 1635 // Select the card
e30c654b 1636 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1637
15c4dc5a 1638 // Store reader command in buffer
1639 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1640}
1641
f7e3ed82 1642void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1643{
1644 int wait = 0;
1645 int samples = 0;
e30c654b 1646
15c4dc5a 1647 // This is tied to other size changes
f7e3ed82 1648 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1649 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1650
15c4dc5a 1651 // Select the card
e30c654b 1652 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1653 if(trigger)
1654 LED_A_ON();
e30c654b 1655
15c4dc5a 1656 // Store reader command in buffer
1657 if (tracing) LogTrace(frame,len,0,par,TRUE);
1658}
1659
1660
f7e3ed82 1661void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1662{
1663 // Generate parity and redirect
1664 ReaderTransmitPar(frame,len,GetParity(frame,len));
1665}
1666
f7e3ed82 1667int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1668{
1669 int samples = 0;
20f9a2a1 1670 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1671 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1672 if(samples == 0) return FALSE;
1673 return Demod.len;
15c4dc5a 1674}
1675
f89c7050
M		 1676int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1677{
1678 int samples = 0;
1679 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1680 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1681 *parptr = Demod.parityBits;
1682 if(samples == 0) return FALSE;
1683 return Demod.len;
1684}
1685
7e758047 1686/* performs iso14443a anticolision procedure
534983d7 1687 * fills the uid pointer unless NULL
1688 * fills resp_data unless NULL */
20f9a2a1
M		 1689int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, uint32_t * cuid_ptr) {
1690 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
f7e3ed82 1691 uint8_t sel_all[] = { 0x93,0x20 };
1692 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1693 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1694
7e758047 1695 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1696
534983d7 1697 uint8_t sak = 0x04; // cascade uid
1698 int cascade_level = 0;
1699
7e758047 1700 int len;
20f9a2a1
M		 1701
1702 // clear uid
1703 memset(uid_ptr, 0, 8);
15c4dc5a 1704
7e758047 1705 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1706 ReaderTransmitShort(wupa);
1707 // Receive the ATQA
1708 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1709
534983d7 1710 if(resp_data)
1711 memcpy(resp_data->atqa, resp, 2);
1712
534983d7 1713 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1714 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1715 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1716 for(; sak & 0x04; cascade_level++)
7e758047 1717 {
534983d7 1718 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1719 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1720
1721 // SELECT_ALL
1722 ReaderTransmit(sel_all,sizeof(sel_all));
1723 if (!ReaderReceive(resp)) return 0;
1724 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
20f9a2a1
M		 1725
1726 // calculate crypto UID
1727 if(cuid_ptr) *cuid_ptr = bytes_to_num(resp, 4);
e30c654b 1728
7e758047 1729 // Construct SELECT UID command
534983d7 1730 memcpy(sel_uid+2,resp,5);
1731 AppendCrc14443a(sel_uid,7);
1732 ReaderTransmit(sel_uid,sizeof(sel_uid));
1733
7e758047 1734 // Receive the SAK
1735 if (!ReaderReceive(resp)) return 0;
534983d7 1736 sak = resp[0];
7e758047 1737 }
534983d7 1738 if(resp_data) {
1739 resp_data->sak = sak;
1740 resp_data->ats_len = 0;
1741 }
20f9a2a1
M		 1742 //-- this byte not UID, it CT. http://www.nxp.com/documents/application_note/AN10927.pdf page 3
1743 if (uid_ptr[0] == 0x88) {
1744 memcpy(uid_ptr, uid_ptr + 1, 7);
1745 uid_ptr[7] = 0;
1746 }
534983d7 1747
1748 if( (sak & 0x20) == 0)
7e758047 1749 return 2; // non iso14443a compliant tag
534983d7 1750
7e758047 1751 // Request for answer to select
20f9a2a1
M		 1752 if(resp_data) { // JCOP cards - if reader sent RATS then there is no MIFARE session at all!!!
1753 AppendCrc14443a(rats, 2);
1754 ReaderTransmit(rats, sizeof(rats));
1755
1756 if (!(len = ReaderReceive(resp))) return 0;
1757
534983d7 1758 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1759 resp_data->ats_len = len;
1760 }
20f9a2a1 1761
7e758047 1762 return 1;
1763}
15c4dc5a 1764
7e758047 1765void iso14443a_setup() {
1766 // Setup SSC
1767 FpgaSetupSsc();
1768 // Start from off (no field generated)
1769 // Signal field is off with the appropriate LED
1770 LED_D_OFF();
1771 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1772 SpinDelay(200);
15c4dc5a 1773
7e758047 1774 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1775
7e758047 1776 // Now give it time to spin up.
1777 // Signal field is on with the appropriate LED
1778 LED_D_ON();
1779 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1780 SpinDelay(200);
534983d7 1781
1782 iso14a_timeout = 2048; //default
7e758047 1783}
15c4dc5a 1784
534983d7 1785int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1786 uint8_t real_cmd[cmd_len+4];
1787 real_cmd[0] = 0x0a; //I-Block
1788 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1789 memcpy(real_cmd+2, cmd, cmd_len);
1790 AppendCrc14443a(real_cmd,cmd_len+2);
1791
1792 ReaderTransmit(real_cmd, cmd_len+4);
1793 size_t len = ReaderReceive(data);
1794 if(!len)
1795 return -1; //DATA LINK ERROR
1796
1797 return len;
1798}
1799
1800
7e758047 1801//-----------------------------------------------------------------------------
1802// Read an ISO 14443a tag. Send out commands and store answers.
1803//
1804//-----------------------------------------------------------------------------
534983d7 1805void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1806{
534983d7 1807 iso14a_command_t param = c->arg[0];
1808 uint8_t * cmd = c->d.asBytes;
1809 size_t len = c->arg[1];
e30c654b 1810
534983d7 1811 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1812
534983d7 1813 if(param & ISO14A_CONNECT) {
1814 iso14443a_setup();
20f9a2a1 1815 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12), NULL);
534983d7 1816 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1817 }
e30c654b 1818
534983d7 1819 if(param & ISO14A_SET_TIMEOUT) {
1820 iso14a_timeout = c->arg[2];
1821 }
e30c654b 1822
534983d7 1823 if(param & ISO14A_SET_TIMEOUT) {
1824 iso14a_timeout = c->arg[2];
1825 }
e30c654b 1826
534983d7 1827 if(param & ISO14A_APDU) {
1828 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1829 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1830 }
e30c654b 1831
534983d7 1832 if(param & ISO14A_RAW) {
1833 if(param & ISO14A_APPEND_CRC) {
1834 AppendCrc14443a(cmd,len);
1835 len += 2;
15c4dc5a 1836 }
534983d7 1837 ReaderTransmit(cmd,len);
1838 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1839 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1840 }
15c4dc5a 1841
534983d7 1842 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1843
534983d7 1844 if(param & ISO14A_NO_DISCONNECT)
1845 return;
15c4dc5a 1846
15c4dc5a 1847 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1848 LEDsoff();
15c4dc5a 1849}
15c4dc5a 1850//-----------------------------------------------------------------------------
1851// Read an ISO 14443a tag. Send out commands and store answers.
1852//
1853//-----------------------------------------------------------------------------
f7e3ed82 1854void ReaderMifare(uint32_t parameter)
15c4dc5a 1855{
15c4dc5a 1856 // Mifare AUTH
f7e3ed82 1857 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
f89c7050 1858 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1859
f89c7050
M		 1860 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1861 traceLen = 0;
1862 tracing = false;
e30c654b 1863
7e758047 1864 iso14443a_setup();
e30c654b 1865
15c4dc5a 1866 LED_A_ON();
1867 LED_B_OFF();
1868 LED_C_OFF();
e30c654b 1869
f89c7050
M		 1870 byte_t nt_diff = 0;
1871 LED_A_OFF();
1872 byte_t par = 0;
1873 byte_t par_mask = 0xff;
1874 byte_t par_low = 0;
1875 int led_on = TRUE;
50193c1e 1876 uint8_t uid[8];
f89c7050 1877 uint32_t cuid;
e30c654b 1878
f89c7050
M		 1879 tracing = FALSE;
1880 byte_t nt[4] = {0,0,0,0};
f397b5cc 1881 byte_t nt_attacked[4], nt_noattack[4];
f89c7050
M		 1882 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1883 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
f397b5cc 1884 num_to_bytes(parameter, 4, nt_noattack);
50193c1e 1885 int isOK = 0, isNULL = 0;
f397b5cc 1886
f89c7050
M		 1887 while(TRUE)
1888 {
50193c1e 1889 LED_C_ON();
f89c7050
M		 1890 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1891 SpinDelay(200);
1892 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
50193c1e 1893 LED_C_OFF();
e30c654b 1894
f89c7050
M		 1895 // Test if the action was cancelled
1896 if(BUTTON_PRESS()) {
1897 break;
1898 }
e30c654b 1899
f89c7050 1900 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 1901
f89c7050
M		 1902 // Transmit MIFARE_CLASSIC_AUTH
1903 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 1904
f89c7050
M		 1905 // Receive the (16 bit) "random" nonce
1906 if (!ReaderReceive(receivedAnswer)) continue;
1907 memcpy(nt, receivedAnswer, 4);
e30c654b 1908
f89c7050
M		 1909 // Transmit reader nonce and reader answer
1910 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar),par);
15c4dc5a 1911
f89c7050
M		 1912 // Receive 4 bit answer
1913 if (ReaderReceive(receivedAnswer))
1914 {
f397b5cc
M		 1915 if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1916
db389d52 1917 isNULL = (nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0);
50193c1e
M		 1918 if ( (isNULL != 0 ) && (memcmp(nt, nt_attacked, 4) != 0) ) continue;
1919
f89c7050
M		 1920 if (nt_diff == 0)
1921 {
1922 LED_A_ON();
1923 memcpy(nt_attacked, nt, 4);
1924 par_mask = 0xf8;
1925 par_low = par & 0x07;
1926 }
15c4dc5a 1927
f89c7050
M		 1928 led_on = !led_on;
1929 if(led_on) LED_B_ON(); else LED_B_OFF();
1930 par_list[nt_diff] = par;
1931 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
e30c654b 1932
f89c7050
M		 1933 // Test if the information is complete
1934 if (nt_diff == 0x07) {
1935 isOK = 1;
1936 break;
1937 }
1938
1939 nt_diff = (nt_diff + 1) & 0x07;
1940 mf_nr_ar[3] = nt_diff << 5;
1941 par = par_low;
1942 } else {
1943 if (nt_diff == 0)
1944 {
1945 par++;
1946 } else {
1947 par = (((par >> 3) + 1) << 3) | par_low;
1948 }
1949 }
1950 }
e30c654b 1951
f89c7050
M		 1952 LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
1953 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
1954 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
e30c654b 1955
f89c7050
M		 1956 UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
1957 memcpy(ack.d.asBytes + 0, uid, 4);
1958 memcpy(ack.d.asBytes + 4, nt, 4);
1959 memcpy(ack.d.asBytes + 8, par_list, 8);
1960 memcpy(ack.d.asBytes + 16, ks_list, 8);
1961
1962 LED_B_ON();
1963 UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
1964 LED_B_OFF();
1965
1966 // Thats it...
15c4dc5a 1967 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1968 LEDsoff();
f89c7050
M		 1969 tracing = TRUE;
1970
f397b5cc 1971 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
20f9a2a1
M		 1972}
1973
20f9a2a1
M		 1974
1975//-----------------------------------------------------------------------------
1976// MIFARE 1K simulate.
1977//
1978//-----------------------------------------------------------------------------
1979void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
1980{
50193c1e 1981 int cardSTATE = MFEMUL_NOFIELD;
8556b852 1982 int _7BUID = 0;
9ca155ba 1983 int vHf = 0; // in mV
8f51ddb0
M		 1984 int nextCycleTimeout = 0;
1985 int res;
51969283 1986// uint32_t timer = 0;
0a39986e
M		 1987 uint32_t selTimer = 0;
1988 uint32_t authTimer = 0;
1989 uint32_t par = 0;
9ca155ba 1990 int len = 0;
8f51ddb0 1991 uint8_t cardWRBL = 0;
9ca155ba
M		 1992 uint8_t cardAUTHSC = 0;
1993 uint8_t cardAUTHKEY = 0xff; // no authentication
51969283
M		 1994 uint32_t cardRn = 0;
1995 uint32_t cardRr = 0;
9ca155ba 1996 uint32_t cuid = 0;
51969283
M		 1997 uint32_t rn_enc = 0;
1998 uint32_t ans = 0;
0014cb46
M		 1999 uint32_t cardINTREG = 0;
2000 uint8_t cardINTBLOCK = 0;
9ca155ba
M		 2001 struct Crypto1State mpcs = {0, 0};
2002 struct Crypto1State *pcs;
2003 pcs = &mpcs;
2004
8f51ddb0
M		 2005 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2006 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2007
8556b852 2008 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2009
0a39986e
M		 2010 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2011 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2012
0a39986e 2013 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2014 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2015
0014cb46
M		 2016 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2017// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2018 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2019
0a39986e
M		 2020 // clear trace
2021 traceLen = 0;
2022 tracing = true;
51969283
M		 2023
2024 // Authenticate response - nonce
2025 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2026
8556b852
M		 2027 // get UID from emul memory
2028 emlGetMemBt(receivedCmd, 7, 1);
2029 _7BUID = !(receivedCmd[0] == 0x00);
2030 if (!_7BUID) { // ---------- 4BUID
2031 rATQA[0] = 0x04;
2032
2033 emlGetMemBt(rUIDBCC1, 0, 4);
2034 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2035 } else { // ---------- 7BUID
2036 rATQA[0] = 0x44;
2037
2038 rUIDBCC1[0] = 0x88;
2039 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2040 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2041 emlGetMemBt(rUIDBCC2, 3, 4);
2042 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2043 }
2044
9ca155ba 2045// -------------------------------------- test area
50193c1e 2046
9ca155ba 2047// -------------------------------------- END test area
8f51ddb0
M		 2048 // start mkseconds counter
2049 StartCountUS();
9ca155ba
M		 2050
2051 // We need to listen to the high-frequency, peak-detected path.
2052 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2053 FpgaSetupSsc();
2054
2055 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2056 SpinDelay(200);
2057
0014cb46 2058 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M		 2059 // calibrate mkseconds counter
2060 GetDeltaCountUS();
9ca155ba
M		 2061 while (true) {
2062 WDT_HIT();
9ca155ba 2063
8f51ddb0
M		 2064 if(BUTTON_PRESS()) {
2065 break;
2066 }
2067
9ca155ba
M		 2068 // find reader field
2069 // Vref = 3300mV, and an 10:1 voltage divider on the input
2070 // can measure voltages up to 33000 mV
2071 if (cardSTATE == MFEMUL_NOFIELD) {
2072 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2073 if (vHf > MF_MINFIELDV) {
0014cb46 2074 cardSTATE_TO_IDLE();
9ca155ba
M		 2075 LED_A_ON();
2076 }
2077 }
2078
2079 if (cardSTATE != MFEMUL_NOFIELD) {
8f51ddb0 2080 res = EmGetCmd(receivedCmd, &len, 100); // (+ nextCycleTimeout)
9ca155ba
M		 2081 if (res == 2) {
2082 cardSTATE = MFEMUL_NOFIELD;
2083 LEDsoff();
2084 continue;
2085 }
2086 if(res) break;
2087 }
2088
8f51ddb0
M		 2089 nextCycleTimeout = 0;
2090
9ca155ba 2091// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M		 2092
2093 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2094 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M		 2095 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2096 selTimer = GetTickCount();
2097 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2098 cardSTATE = MFEMUL_SELECT1;
2099
2100 // init crypto block
2101 LED_B_OFF();
2102 LED_C_OFF();
2103 crypto1_destroy(pcs);
2104 cardAUTHKEY = 0xff;
2105 }
2106 }
9ca155ba 2107
50193c1e
M		 2108 switch (cardSTATE) {
2109 case MFEMUL_NOFIELD:{
2110 break;
2111 }
9ca155ba 2112 case MFEMUL_HALTED:{
0a39986e 2113 break;
9ca155ba 2114 }
50193c1e
M		 2115 case MFEMUL_IDLE:{
2116 break;
2117 }
2118 case MFEMUL_SELECT1:{
9ca155ba
M		 2119 // select all
2120 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2121 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2122 break;
9ca155ba
M		 2123 }
2124
2125 // select card
0a39986e
M		 2126 if (len == 9 &&
2127 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M		 2128 if (!_7BUID)
2129 EmSendCmd(rSAK, sizeof(rSAK));
2130 else
2131 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M		 2132
2133 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M		 2134 if (!_7BUID) {
2135 cardSTATE = MFEMUL_WORK;
0014cb46
M		 2136 LED_B_ON();
2137 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2138 break;
8556b852
M		 2139 } else {
2140 cardSTATE = MFEMUL_SELECT2;
2141 break;
2142 }
9ca155ba
M		 2143 }
2144
50193c1e
M		 2145 break;
2146 }
2147 case MFEMUL_SELECT2:{
0014cb46
M		 2148 if (!len) break;
2149
8556b852 2150 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2151 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M		 2152 break;
2153 }
9ca155ba 2154
8556b852
M		 2155 // select 2 card
2156 if (len == 9 &&
2157 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2158 EmSendCmd(rSAK, sizeof(rSAK));
2159
2160 cuid = bytes_to_num(rUIDBCC2, 4);
2161 cardSTATE = MFEMUL_WORK;
2162 LED_B_ON();
0014cb46 2163 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M		 2164 break;
2165 }
0014cb46
M		 2166
2167 // i guess there is a command). go into the work state.
2168 if (len != 4) break;
2169 cardSTATE = MFEMUL_WORK;
2170 goto lbWORK;
50193c1e
M		 2171 }
2172 case MFEMUL_AUTH1:{
9ca155ba 2173 if (len == 8) {
51969283
M		 2174 // --- crypto
2175 rn_enc = bytes_to_num(receivedCmd, 4);
2176 cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
2177 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2178 // test if auth OK
2179 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M		 2180 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2181 cardSTATE_TO_IDLE();
51969283
M		 2182 break;
2183 }
2184 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2185 num_to_bytes(ans, 4, rAUTH_AT);
2186 // --- crypto
2187 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M		 2188 cardSTATE = MFEMUL_AUTH2;
2189 } else {
0014cb46 2190 cardSTATE_TO_IDLE();
9ca155ba 2191 }
0a39986e 2192 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M		 2193 }
2194 case MFEMUL_AUTH2:{
9ca155ba 2195 LED_C_ON();
0a39986e 2196 cardSTATE = MFEMUL_WORK;
0014cb46 2197 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M		 2198 break;
2199 }
9ca155ba 2200 case MFEMUL_WORK:{
0014cb46 2201lbWORK: if (len == 0) break;
0a39986e 2202
51969283
M		 2203 if (cardAUTHKEY == 0xff) {
2204 // first authentication
2205 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2206 authTimer = GetTickCount();
2207
2208 cardAUTHSC = receivedCmd[1] / 4; // received block num
2209 cardAUTHKEY = receivedCmd[0] - 0x60;
2210
2211 // --- crypto
2212 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2213 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2214 num_to_bytes(nonce, 4, rAUTH_AT);
2215 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2216 // --- crypto
2217
2218// last working revision
2219// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2220// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2221
2222 cardSTATE = MFEMUL_AUTH1;
2223 nextCycleTimeout = 10;
2224 break;
2225 }
2226 } else {
2227 // decrypt seqence
2228 mf_crypto1_decrypt(pcs, receivedCmd, len);
2229
2230 // nested authentication
2231 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2232 authTimer = GetTickCount();
2233
2234 cardAUTHSC = receivedCmd[1] / 4; // received block num
2235 cardAUTHKEY = receivedCmd[0] - 0x60;
2236
2237 // --- crypto
2238 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2239 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2240 num_to_bytes(ans, 4, rAUTH_AT);
2241 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2242 // --- crypto
2243
2244 cardSTATE = MFEMUL_AUTH1;
2245 nextCycleTimeout = 10;
2246 break;
2247 }
2248 }
0a39986e 2249
8f51ddb0
M		 2250 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2251 // BUT... ACK --> NACK
2252 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2253 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2254 break;
2255 }
2256
2257 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2258 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2259 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2260 break;
0a39986e
M		 2261 }
2262
2263 // read block
2264 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2265 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M		 2266 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2267 break;
2268 }
2269 emlGetMem(response, receivedCmd[1], 1);
2270 AppendCrc14443a(response, 16);
2271 mf_crypto1_encrypt(pcs, response, 18, &par);
2272 EmSendCmdPar(response, 18, par);
0a39986e
M		 2273 break;
2274 }
2275
2276 // write block
2277 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2278 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M		 2279 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2280 break;
2281 }
2282 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2283 nextCycleTimeout = 50;
2284 cardSTATE = MFEMUL_WRITEBL2;
2285 cardWRBL = receivedCmd[1];
0a39986e 2286 break;
9ca155ba 2287 }
8f51ddb0 2288
0014cb46
M		 2289 // works with cardINTREG
2290
2291 // increment, decrement, restore
2292 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2293 if (receivedCmd[1] >= 16 * 4 ||
2294 receivedCmd[1] / 4 != cardAUTHSC ||
2295 emlCheckValBl(receivedCmd[1])) {
2296 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2297 break;
2298 }
2299 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2300 if (receivedCmd[0] == 0xC1)
2301 cardSTATE = MFEMUL_INTREG_INC;
2302 if (receivedCmd[0] == 0xC0)
2303 cardSTATE = MFEMUL_INTREG_DEC;
2304 if (receivedCmd[0] == 0xC2)
2305 cardSTATE = MFEMUL_INTREG_REST;
2306 cardWRBL = receivedCmd[1];
2307
2308 break;
2309 }
2310
2311
2312 // transfer
2313 if (len == 4 && receivedCmd[0] == 0xB0) {
2314 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2315 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2316 break;
2317 }
2318
2319 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2320 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2321 else
2322 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2323
2324 break;
2325 }
2326
9ca155ba 2327 // halt
0a39986e 2328 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2329 LED_B_OFF();
0a39986e 2330 LED_C_OFF();
0014cb46
M		 2331 cardSTATE = MFEMUL_HALTED;
2332 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2333 break;
9ca155ba 2334 }
51969283 2335
8f51ddb0
M		 2336 // command not allowed
2337 if (len == 4) {
2338 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2339 break;
2340 }
51969283
M		 2341
2342 // case break
2343 break;
8f51ddb0
M		 2344 }
2345 case MFEMUL_WRITEBL2:{
2346 if (len == 18){
2347 mf_crypto1_decrypt(pcs, receivedCmd, len);
2348 emlSetMem(receivedCmd, cardWRBL, 1);
2349 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2350 cardSTATE = MFEMUL_WORK;
2351 break;
51969283 2352 } else {
0014cb46 2353 cardSTATE_TO_IDLE();
51969283 2354 break;
8f51ddb0 2355 }
8f51ddb0 2356 break;
50193c1e 2357 }
0014cb46
M		 2358
2359 case MFEMUL_INTREG_INC:{
2360 mf_crypto1_decrypt(pcs, receivedCmd, len);
2361 memcpy(&ans, receivedCmd, 4);
2362 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2363 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2364 cardSTATE_TO_IDLE();
2365 break;
2366 }
2367 cardINTREG = cardINTREG + ans;
2368 cardSTATE = MFEMUL_WORK;
2369 break;
2370 }
2371 case MFEMUL_INTREG_DEC:{
2372 mf_crypto1_decrypt(pcs, receivedCmd, len);
2373 memcpy(&ans, receivedCmd, 4);
2374 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2375 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2376 cardSTATE_TO_IDLE();
2377 break;
2378 }
2379 cardINTREG = cardINTREG - ans;
2380 cardSTATE = MFEMUL_WORK;
2381 break;
2382 }
2383 case MFEMUL_INTREG_REST:{
2384 mf_crypto1_decrypt(pcs, receivedCmd, len);
2385 memcpy(&ans, receivedCmd, 4);
2386 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2387 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2388 cardSTATE_TO_IDLE();
2389 break;
2390 }
2391 cardSTATE = MFEMUL_WORK;
2392 break;
2393 }
50193c1e
M		 2394
2395 }
2396
2397 }
2398
9ca155ba
M		 2399 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2400 LEDsoff();
2401
0a39986e 2402 // add trace trailer
8f51ddb0 2403 memset(rAUTH_NT, 0x44, 4);
0a39986e
M		 2404 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2405
0014cb46 2406 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2407}
Proxmark3 GIT tracking
Impressum, Datenschutz