]>
Commit | Line | Data |
---|---|---|
15c4dc5a | 1 | //----------------------------------------------------------------------------- |
15c4dc5a | 2 | // Gerhard de Koning Gans - May 2008 |
534983d7 | 3 | // Hagen Fritsch - June 2010 |
bd20f8f4 | 4 | // |
5 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
6 | // at your option, any later version. See the LICENSE.txt file for the text of | |
7 | // the license. | |
15c4dc5a | 8 | //----------------------------------------------------------------------------- |
bd20f8f4 | 9 | // Routines to support ISO 14443 type A. |
10 | //----------------------------------------------------------------------------- | |
11 | ||
e30c654b | 12 | #include "proxmark3.h" |
15c4dc5a | 13 | #include "apps.h" |
f7e3ed82 | 14 | #include "util.h" |
9ab7a6c7 | 15 | #include "string.h" |
16 | ||
15c4dc5a | 17 | #include "iso14443crc.h" |
534983d7 | 18 | #include "iso14443a.h" |
15c4dc5a | 19 | |
f7e3ed82 | 20 | static uint8_t *trace = (uint8_t *) BigBuf; |
15c4dc5a | 21 | static int traceLen = 0; |
22 | static int rsamples = 0; | |
f7e3ed82 | 23 | static int tracing = TRUE; |
534983d7 | 24 | static uint32_t iso14a_timeout; |
15c4dc5a | 25 | |
72934aa3 | 26 | // CARD TO READER |
27 | // Sequence D: 11110000 modulation with subcarrier during first half | |
28 | // Sequence E: 00001111 modulation with subcarrier during second half | |
29 | // Sequence F: 00000000 no modulation with subcarrier | |
30 | // READER TO CARD | |
31 | // Sequence X: 00001100 drop after half a period | |
32 | // Sequence Y: 00000000 no drop | |
33 | // Sequence Z: 11000000 drop at start | |
34 | #define SEC_D 0xf0 | |
35 | #define SEC_E 0x0f | |
36 | #define SEC_F 0x00 | |
37 | #define SEC_X 0x0c | |
38 | #define SEC_Y 0x00 | |
39 | #define SEC_Z 0xc0 | |
15c4dc5a | 40 | |
f7e3ed82 | 41 | static const uint8_t OddByteParity[256] = { |
15c4dc5a | 42 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, |
43 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
44 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
45 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
46 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
47 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
48 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
49 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
50 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
51 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
52 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
53 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
54 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
55 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
56 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
57 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1 | |
58 | }; | |
59 | ||
60 | // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT | |
61 | #define RECV_CMD_OFFSET 3032 | |
62 | #define RECV_RES_OFFSET 3096 | |
63 | #define DMA_BUFFER_OFFSET 3160 | |
64 | #define DMA_BUFFER_SIZE 4096 | |
65 | #define TRACE_LENGTH 3000 | |
66 | ||
534983d7 | 67 | uint8_t trigger = 0; |
68 | void iso14a_set_trigger(int enable) { | |
69 | trigger = enable; | |
70 | } | |
71 | ||
15c4dc5a | 72 | //----------------------------------------------------------------------------- |
73 | // Generate the parity value for a byte sequence | |
e30c654b | 74 | // |
15c4dc5a | 75 | //----------------------------------------------------------------------------- |
f7e3ed82 | 76 | uint32_t GetParity(const uint8_t * pbtCmd, int iLen) |
15c4dc5a | 77 | { |
78 | int i; | |
f7e3ed82 | 79 | uint32_t dwPar = 0; |
72934aa3 | 80 | |
15c4dc5a | 81 | // Generate the encrypted data |
82 | for (i = 0; i < iLen; i++) { | |
83 | // Save the encrypted parity bit | |
84 | dwPar |= ((OddByteParity[pbtCmd[i]]) << i); | |
85 | } | |
86 | return dwPar; | |
87 | } | |
88 | ||
534983d7 | 89 | void AppendCrc14443a(uint8_t* data, int len) |
15c4dc5a | 90 | { |
91 | ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1); | |
92 | } | |
93 | ||
ed82636b | 94 | int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader) |
15c4dc5a | 95 | { |
96 | // Return when trace is full | |
97 | if (traceLen >= TRACE_LENGTH) return FALSE; | |
e30c654b | 98 | |
15c4dc5a | 99 | // Trace the random, i'm curious |
100 | rsamples += iSamples; | |
101 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
102 | trace[traceLen++] = ((rsamples >> 8) & 0xff); | |
103 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
104 | trace[traceLen++] = ((rsamples >> 24) & 0xff); | |
105 | if (!bReader) { | |
106 | trace[traceLen - 1] |= 0x80; | |
107 | } | |
108 | trace[traceLen++] = ((dwParity >> 0) & 0xff); | |
109 | trace[traceLen++] = ((dwParity >> 8) & 0xff); | |
110 | trace[traceLen++] = ((dwParity >> 16) & 0xff); | |
111 | trace[traceLen++] = ((dwParity >> 24) & 0xff); | |
112 | trace[traceLen++] = iLen; | |
113 | memcpy(trace + traceLen, btBytes, iLen); | |
114 | traceLen += iLen; | |
115 | return TRUE; | |
116 | } | |
117 | ||
15c4dc5a | 118 | //----------------------------------------------------------------------------- |
119 | // The software UART that receives commands from the reader, and its state | |
120 | // variables. | |
121 | //----------------------------------------------------------------------------- | |
122 | static struct { | |
123 | enum { | |
124 | STATE_UNSYNCD, | |
125 | STATE_START_OF_COMMUNICATION, | |
126 | STATE_MILLER_X, | |
127 | STATE_MILLER_Y, | |
128 | STATE_MILLER_Z, | |
129 | STATE_ERROR_WAIT | |
130 | } state; | |
f7e3ed82 | 131 | uint16_t shiftReg; |
15c4dc5a | 132 | int bitCnt; |
133 | int byteCnt; | |
134 | int byteCntMax; | |
135 | int posCnt; | |
136 | int syncBit; | |
137 | int parityBits; | |
138 | int samples; | |
139 | int highCnt; | |
140 | int bitBuffer; | |
141 | enum { | |
142 | DROP_NONE, | |
143 | DROP_FIRST_HALF, | |
144 | DROP_SECOND_HALF | |
145 | } drop; | |
f7e3ed82 | 146 | uint8_t *output; |
15c4dc5a | 147 | } Uart; |
148 | ||
6c1e2d95 | 149 | static RAMFUNC int MillerDecoding(int bit) |
15c4dc5a | 150 | { |
151 | int error = 0; | |
152 | int bitright; | |
153 | ||
154 | if(!Uart.bitBuffer) { | |
155 | Uart.bitBuffer = bit ^ 0xFF0; | |
156 | return FALSE; | |
157 | } | |
158 | else { | |
159 | Uart.bitBuffer <<= 4; | |
160 | Uart.bitBuffer ^= bit; | |
161 | } | |
162 | ||
f7e3ed82 | 163 | int EOC = FALSE; |
15c4dc5a | 164 | |
165 | if(Uart.state != STATE_UNSYNCD) { | |
166 | Uart.posCnt++; | |
167 | ||
168 | if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) { | |
169 | bit = 0x00; | |
170 | } | |
171 | else { | |
172 | bit = 0x01; | |
173 | } | |
174 | if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) { | |
175 | bitright = 0x00; | |
176 | } | |
177 | else { | |
178 | bitright = 0x01; | |
179 | } | |
180 | if(bit != bitright) { bit = bitright; } | |
181 | ||
182 | if(Uart.posCnt == 1) { | |
183 | // measurement first half bitperiod | |
184 | if(!bit) { | |
185 | Uart.drop = DROP_FIRST_HALF; | |
186 | } | |
187 | } | |
188 | else { | |
189 | // measurement second half bitperiod | |
190 | if(!bit & (Uart.drop == DROP_NONE)) { | |
191 | Uart.drop = DROP_SECOND_HALF; | |
192 | } | |
193 | else if(!bit) { | |
194 | // measured a drop in first and second half | |
195 | // which should not be possible | |
196 | Uart.state = STATE_ERROR_WAIT; | |
197 | error = 0x01; | |
198 | } | |
199 | ||
200 | Uart.posCnt = 0; | |
201 | ||
202 | switch(Uart.state) { | |
203 | case STATE_START_OF_COMMUNICATION: | |
204 | Uart.shiftReg = 0; | |
205 | if(Uart.drop == DROP_SECOND_HALF) { | |
206 | // error, should not happen in SOC | |
207 | Uart.state = STATE_ERROR_WAIT; | |
208 | error = 0x02; | |
209 | } | |
210 | else { | |
211 | // correct SOC | |
212 | Uart.state = STATE_MILLER_Z; | |
213 | } | |
214 | break; | |
215 | ||
216 | case STATE_MILLER_Z: | |
217 | Uart.bitCnt++; | |
218 | Uart.shiftReg >>= 1; | |
219 | if(Uart.drop == DROP_NONE) { | |
220 | // logic '0' followed by sequence Y | |
221 | // end of communication | |
222 | Uart.state = STATE_UNSYNCD; | |
223 | EOC = TRUE; | |
224 | } | |
225 | // if(Uart.drop == DROP_FIRST_HALF) { | |
226 | // Uart.state = STATE_MILLER_Z; stay the same | |
227 | // we see a logic '0' } | |
228 | if(Uart.drop == DROP_SECOND_HALF) { | |
229 | // we see a logic '1' | |
230 | Uart.shiftReg |= 0x100; | |
231 | Uart.state = STATE_MILLER_X; | |
232 | } | |
233 | break; | |
234 | ||
235 | case STATE_MILLER_X: | |
236 | Uart.shiftReg >>= 1; | |
237 | if(Uart.drop == DROP_NONE) { | |
238 | // sequence Y, we see a '0' | |
239 | Uart.state = STATE_MILLER_Y; | |
240 | Uart.bitCnt++; | |
241 | } | |
242 | if(Uart.drop == DROP_FIRST_HALF) { | |
243 | // Would be STATE_MILLER_Z | |
244 | // but Z does not follow X, so error | |
245 | Uart.state = STATE_ERROR_WAIT; | |
246 | error = 0x03; | |
247 | } | |
248 | if(Uart.drop == DROP_SECOND_HALF) { | |
249 | // We see a '1' and stay in state X | |
250 | Uart.shiftReg |= 0x100; | |
251 | Uart.bitCnt++; | |
252 | } | |
253 | break; | |
254 | ||
255 | case STATE_MILLER_Y: | |
256 | Uart.bitCnt++; | |
257 | Uart.shiftReg >>= 1; | |
258 | if(Uart.drop == DROP_NONE) { | |
259 | // logic '0' followed by sequence Y | |
260 | // end of communication | |
261 | Uart.state = STATE_UNSYNCD; | |
262 | EOC = TRUE; | |
263 | } | |
264 | if(Uart.drop == DROP_FIRST_HALF) { | |
265 | // we see a '0' | |
266 | Uart.state = STATE_MILLER_Z; | |
267 | } | |
268 | if(Uart.drop == DROP_SECOND_HALF) { | |
269 | // We see a '1' and go to state X | |
270 | Uart.shiftReg |= 0x100; | |
271 | Uart.state = STATE_MILLER_X; | |
272 | } | |
273 | break; | |
274 | ||
275 | case STATE_ERROR_WAIT: | |
276 | // That went wrong. Now wait for at least two bit periods | |
277 | // and try to sync again | |
278 | if(Uart.drop == DROP_NONE) { | |
279 | Uart.highCnt = 6; | |
280 | Uart.state = STATE_UNSYNCD; | |
281 | } | |
282 | break; | |
283 | ||
284 | default: | |
285 | Uart.state = STATE_UNSYNCD; | |
286 | Uart.highCnt = 0; | |
287 | break; | |
288 | } | |
289 | ||
290 | Uart.drop = DROP_NONE; | |
291 | ||
292 | // should have received at least one whole byte... | |
293 | if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) { | |
294 | return TRUE; | |
295 | } | |
296 | ||
297 | if(Uart.bitCnt == 9) { | |
298 | Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff); | |
299 | Uart.byteCnt++; | |
300 | ||
301 | Uart.parityBits <<= 1; | |
302 | Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01); | |
303 | ||
304 | if(EOC) { | |
305 | // when End of Communication received and | |
306 | // all data bits processed.. | |
307 | return TRUE; | |
308 | } | |
309 | Uart.bitCnt = 0; | |
310 | } | |
311 | ||
312 | /*if(error) { | |
313 | Uart.output[Uart.byteCnt] = 0xAA; | |
314 | Uart.byteCnt++; | |
315 | Uart.output[Uart.byteCnt] = error & 0xFF; | |
316 | Uart.byteCnt++; | |
317 | Uart.output[Uart.byteCnt] = 0xAA; | |
318 | Uart.byteCnt++; | |
319 | Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF; | |
320 | Uart.byteCnt++; | |
321 | Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF; | |
322 | Uart.byteCnt++; | |
323 | Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF; | |
324 | Uart.byteCnt++; | |
325 | Uart.output[Uart.byteCnt] = 0xAA; | |
326 | Uart.byteCnt++; | |
327 | return TRUE; | |
328 | }*/ | |
329 | } | |
330 | ||
331 | } | |
332 | else { | |
333 | bit = Uart.bitBuffer & 0xf0; | |
334 | bit >>= 4; | |
335 | bit ^= 0x0F; | |
336 | if(bit) { | |
337 | // should have been high or at least (4 * 128) / fc | |
338 | // according to ISO this should be at least (9 * 128 + 20) / fc | |
339 | if(Uart.highCnt == 8) { | |
340 | // we went low, so this could be start of communication | |
341 | // it turns out to be safer to choose a less significant | |
342 | // syncbit... so we check whether the neighbour also represents the drop | |
343 | Uart.posCnt = 1; // apparently we are busy with our first half bit period | |
344 | Uart.syncBit = bit & 8; | |
345 | Uart.samples = 3; | |
346 | if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; } | |
347 | else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; } | |
348 | if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; } | |
349 | else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; } | |
350 | if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0; | |
351 | if(Uart.syncBit & (Uart.bitBuffer & 8)) { | |
352 | Uart.syncBit = 8; | |
353 | ||
354 | // the first half bit period is expected in next sample | |
355 | Uart.posCnt = 0; | |
356 | Uart.samples = 3; | |
357 | } | |
358 | } | |
359 | else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; } | |
360 | ||
361 | Uart.syncBit <<= 4; | |
362 | Uart.state = STATE_START_OF_COMMUNICATION; | |
363 | Uart.drop = DROP_FIRST_HALF; | |
364 | Uart.bitCnt = 0; | |
365 | Uart.byteCnt = 0; | |
366 | Uart.parityBits = 0; | |
367 | error = 0; | |
368 | } | |
369 | else { | |
370 | Uart.highCnt = 0; | |
371 | } | |
372 | } | |
373 | else { | |
374 | if(Uart.highCnt < 8) { | |
375 | Uart.highCnt++; | |
376 | } | |
377 | } | |
378 | } | |
379 | ||
380 | return FALSE; | |
381 | } | |
382 | ||
383 | //============================================================================= | |
384 | // ISO 14443 Type A - Manchester | |
385 | //============================================================================= | |
386 | ||
387 | static struct { | |
388 | enum { | |
389 | DEMOD_UNSYNCD, | |
390 | DEMOD_START_OF_COMMUNICATION, | |
391 | DEMOD_MANCHESTER_D, | |
392 | DEMOD_MANCHESTER_E, | |
393 | DEMOD_MANCHESTER_F, | |
394 | DEMOD_ERROR_WAIT | |
395 | } state; | |
396 | int bitCount; | |
397 | int posCount; | |
398 | int syncBit; | |
399 | int parityBits; | |
f7e3ed82 | 400 | uint16_t shiftReg; |
15c4dc5a | 401 | int buffer; |
402 | int buff; | |
403 | int samples; | |
404 | int len; | |
405 | enum { | |
406 | SUB_NONE, | |
407 | SUB_FIRST_HALF, | |
408 | SUB_SECOND_HALF | |
409 | } sub; | |
f7e3ed82 | 410 | uint8_t *output; |
15c4dc5a | 411 | } Demod; |
412 | ||
6c1e2d95 | 413 | static RAMFUNC int ManchesterDecoding(int v) |
15c4dc5a | 414 | { |
415 | int bit; | |
416 | int modulation; | |
417 | int error = 0; | |
418 | ||
419 | if(!Demod.buff) { | |
420 | Demod.buff = 1; | |
421 | Demod.buffer = v; | |
422 | return FALSE; | |
423 | } | |
424 | else { | |
425 | bit = Demod.buffer; | |
426 | Demod.buffer = v; | |
427 | } | |
428 | ||
429 | if(Demod.state==DEMOD_UNSYNCD) { | |
430 | Demod.output[Demod.len] = 0xfa; | |
431 | Demod.syncBit = 0; | |
432 | //Demod.samples = 0; | |
433 | Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part | |
434 | if(bit & 0x08) { Demod.syncBit = 0x08; } | |
435 | if(!Demod.syncBit) { | |
436 | if(bit & 0x04) { Demod.syncBit = 0x04; } | |
437 | } | |
438 | else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; } | |
439 | if(!Demod.syncBit) { | |
440 | if(bit & 0x02) { Demod.syncBit = 0x02; } | |
441 | } | |
442 | else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; } | |
443 | if(!Demod.syncBit) { | |
444 | if(bit & 0x01) { Demod.syncBit = 0x01; } | |
445 | ||
446 | if(Demod.syncBit & (Demod.buffer & 0x08)) { | |
447 | Demod.syncBit = 0x08; | |
448 | ||
449 | // The first half bitperiod is expected in next sample | |
450 | Demod.posCount = 0; | |
451 | Demod.output[Demod.len] = 0xfb; | |
452 | } | |
453 | } | |
454 | else if(bit & 0x01) { Demod.syncBit = 0x01; } | |
455 | ||
456 | if(Demod.syncBit) { | |
457 | Demod.len = 0; | |
458 | Demod.state = DEMOD_START_OF_COMMUNICATION; | |
459 | Demod.sub = SUB_FIRST_HALF; | |
460 | Demod.bitCount = 0; | |
461 | Demod.shiftReg = 0; | |
462 | Demod.parityBits = 0; | |
463 | Demod.samples = 0; | |
464 | if(Demod.posCount) { | |
534983d7 | 465 | if(trigger) LED_A_OFF(); |
15c4dc5a | 466 | switch(Demod.syncBit) { |
467 | case 0x08: Demod.samples = 3; break; | |
468 | case 0x04: Demod.samples = 2; break; | |
469 | case 0x02: Demod.samples = 1; break; | |
470 | case 0x01: Demod.samples = 0; break; | |
471 | } | |
472 | } | |
473 | error = 0; | |
474 | } | |
475 | } | |
476 | else { | |
477 | //modulation = bit & Demod.syncBit; | |
478 | modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; | |
479 | ||
480 | Demod.samples += 4; | |
481 | ||
482 | if(Demod.posCount==0) { | |
483 | Demod.posCount = 1; | |
484 | if(modulation) { | |
485 | Demod.sub = SUB_FIRST_HALF; | |
486 | } | |
487 | else { | |
488 | Demod.sub = SUB_NONE; | |
489 | } | |
490 | } | |
491 | else { | |
492 | Demod.posCount = 0; | |
493 | if(modulation && (Demod.sub == SUB_FIRST_HALF)) { | |
494 | if(Demod.state!=DEMOD_ERROR_WAIT) { | |
495 | Demod.state = DEMOD_ERROR_WAIT; | |
496 | Demod.output[Demod.len] = 0xaa; | |
497 | error = 0x01; | |
498 | } | |
499 | } | |
500 | else if(modulation) { | |
501 | Demod.sub = SUB_SECOND_HALF; | |
502 | } | |
503 | ||
504 | switch(Demod.state) { | |
505 | case DEMOD_START_OF_COMMUNICATION: | |
506 | if(Demod.sub == SUB_FIRST_HALF) { | |
507 | Demod.state = DEMOD_MANCHESTER_D; | |
508 | } | |
509 | else { | |
510 | Demod.output[Demod.len] = 0xab; | |
511 | Demod.state = DEMOD_ERROR_WAIT; | |
512 | error = 0x02; | |
513 | } | |
514 | break; | |
515 | ||
516 | case DEMOD_MANCHESTER_D: | |
517 | case DEMOD_MANCHESTER_E: | |
518 | if(Demod.sub == SUB_FIRST_HALF) { | |
519 | Demod.bitCount++; | |
520 | Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100; | |
521 | Demod.state = DEMOD_MANCHESTER_D; | |
522 | } | |
523 | else if(Demod.sub == SUB_SECOND_HALF) { | |
524 | Demod.bitCount++; | |
525 | Demod.shiftReg >>= 1; | |
526 | Demod.state = DEMOD_MANCHESTER_E; | |
527 | } | |
528 | else { | |
529 | Demod.state = DEMOD_MANCHESTER_F; | |
530 | } | |
531 | break; | |
532 | ||
533 | case DEMOD_MANCHESTER_F: | |
534 | // Tag response does not need to be a complete byte! | |
535 | if(Demod.len > 0 || Demod.bitCount > 0) { | |
536 | if(Demod.bitCount > 0) { | |
537 | Demod.shiftReg >>= (9 - Demod.bitCount); | |
538 | Demod.output[Demod.len] = Demod.shiftReg & 0xff; | |
539 | Demod.len++; | |
540 | // No parity bit, so just shift a 0 | |
541 | Demod.parityBits <<= 1; | |
542 | } | |
543 | ||
544 | Demod.state = DEMOD_UNSYNCD; | |
545 | return TRUE; | |
546 | } | |
547 | else { | |
548 | Demod.output[Demod.len] = 0xad; | |
549 | Demod.state = DEMOD_ERROR_WAIT; | |
550 | error = 0x03; | |
551 | } | |
552 | break; | |
553 | ||
554 | case DEMOD_ERROR_WAIT: | |
555 | Demod.state = DEMOD_UNSYNCD; | |
556 | break; | |
557 | ||
558 | default: | |
559 | Demod.output[Demod.len] = 0xdd; | |
560 | Demod.state = DEMOD_UNSYNCD; | |
561 | break; | |
562 | } | |
563 | ||
564 | if(Demod.bitCount>=9) { | |
565 | Demod.output[Demod.len] = Demod.shiftReg & 0xff; | |
566 | Demod.len++; | |
567 | ||
568 | Demod.parityBits <<= 1; | |
569 | Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01); | |
570 | ||
571 | Demod.bitCount = 0; | |
572 | Demod.shiftReg = 0; | |
573 | } | |
574 | ||
575 | /*if(error) { | |
576 | Demod.output[Demod.len] = 0xBB; | |
577 | Demod.len++; | |
578 | Demod.output[Demod.len] = error & 0xFF; | |
579 | Demod.len++; | |
580 | Demod.output[Demod.len] = 0xBB; | |
581 | Demod.len++; | |
582 | Demod.output[Demod.len] = bit & 0xFF; | |
583 | Demod.len++; | |
584 | Demod.output[Demod.len] = Demod.buffer & 0xFF; | |
585 | Demod.len++; | |
586 | Demod.output[Demod.len] = Demod.syncBit & 0xFF; | |
587 | Demod.len++; | |
588 | Demod.output[Demod.len] = 0xBB; | |
589 | Demod.len++; | |
590 | return TRUE; | |
591 | }*/ | |
592 | ||
593 | } | |
594 | ||
595 | } // end (state != UNSYNCED) | |
596 | ||
597 | return FALSE; | |
598 | } | |
599 | ||
600 | //============================================================================= | |
601 | // Finally, a `sniffer' for ISO 14443 Type A | |
602 | // Both sides of communication! | |
603 | //============================================================================= | |
604 | ||
605 | //----------------------------------------------------------------------------- | |
606 | // Record the sequence of commands sent by the reader to the tag, with | |
607 | // triggering so that we start recording at the point that the tag is moved | |
608 | // near the reader. | |
609 | //----------------------------------------------------------------------------- | |
6c1e2d95 | 610 | void RAMFUNC SnoopIso14443a(void) |
15c4dc5a | 611 | { |
612 | // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values | |
613 | // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values | |
614 | // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values | |
615 | // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values | |
616 | // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values | |
617 | ||
618 | // We won't start recording the frames that we acquire until we trigger; | |
619 | // a good trigger condition to get started is probably when we see a | |
620 | // response from the tag. | |
7e758047 | 621 | int triggered = FALSE; // FALSE to wait first for card |
15c4dc5a | 622 | |
623 | // The command (reader -> tag) that we're receiving. | |
624 | // The length of a received command will in most cases be no more than 18 bytes. | |
625 | // So 32 should be enough! | |
f7e3ed82 | 626 | uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); |
15c4dc5a | 627 | // The response (tag -> reader) that we're receiving. |
f7e3ed82 | 628 | uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); |
15c4dc5a | 629 | |
630 | // As we receive stuff, we copy it from receivedCmd or receivedResponse | |
631 | // into trace, along with its length and other annotations. | |
f7e3ed82 | 632 | //uint8_t *trace = (uint8_t *)BigBuf; |
d82c6ebb | 633 | |
634 | traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011 | |
15c4dc5a | 635 | |
636 | // The DMA buffer, used to stream samples from the FPGA | |
f7e3ed82 | 637 | int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET; |
15c4dc5a | 638 | int lastRxCounter; |
f7e3ed82 | 639 | int8_t *upTo; |
15c4dc5a | 640 | int smpl; |
641 | int maxBehindBy = 0; | |
642 | ||
643 | // Count of samples received so far, so that we can include timing | |
644 | // information in the trace buffer. | |
645 | int samples = 0; | |
646 | int rsamples = 0; | |
647 | ||
648 | memset(trace, 0x44, RECV_CMD_OFFSET); | |
649 | ||
650 | // Set up the demodulator for tag -> reader responses. | |
651 | Demod.output = receivedResponse; | |
652 | Demod.len = 0; | |
653 | Demod.state = DEMOD_UNSYNCD; | |
654 | ||
7e758047 | 655 | // Setup for the DMA. |
656 | FpgaSetupSsc(); | |
657 | upTo = dmaBuf; | |
658 | lastRxCounter = DMA_BUFFER_SIZE; | |
659 | FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); | |
660 | ||
15c4dc5a | 661 | // And the reader -> tag commands |
662 | memset(&Uart, 0, sizeof(Uart)); | |
663 | Uart.output = receivedCmd; | |
664 | Uart.byteCntMax = 32; // was 100 (greg)//////////////////////////////////////////////////////////////////////// | |
665 | Uart.state = STATE_UNSYNCD; | |
666 | ||
667 | // And put the FPGA in the appropriate mode | |
668 | // Signal field is off with the appropriate LED | |
669 | LED_D_OFF(); | |
670 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER); | |
671 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
672 | ||
15c4dc5a | 673 | |
674 | // And now we loop, receiving samples. | |
675 | for(;;) { | |
7e758047 | 676 | LED_A_ON(); |
677 | WDT_HIT(); | |
15c4dc5a | 678 | int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & |
679 | (DMA_BUFFER_SIZE-1); | |
680 | if(behindBy > maxBehindBy) { | |
681 | maxBehindBy = behindBy; | |
682 | if(behindBy > 400) { | |
7e758047 | 683 | Dbprintf("blew circular buffer! behindBy=0x%x", behindBy); |
15c4dc5a | 684 | goto done; |
685 | } | |
686 | } | |
687 | if(behindBy < 1) continue; | |
688 | ||
7e758047 | 689 | LED_A_OFF(); |
15c4dc5a | 690 | smpl = upTo[0]; |
691 | upTo++; | |
692 | lastRxCounter -= 1; | |
693 | if(upTo - dmaBuf > DMA_BUFFER_SIZE) { | |
694 | upTo -= DMA_BUFFER_SIZE; | |
695 | lastRxCounter += DMA_BUFFER_SIZE; | |
f7e3ed82 | 696 | AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo; |
15c4dc5a | 697 | AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; |
698 | } | |
699 | ||
700 | samples += 4; | |
7e758047 | 701 | if(MillerDecoding((smpl & 0xF0) >> 4)) { |
15c4dc5a | 702 | rsamples = samples - Uart.samples; |
72934aa3 | 703 | LED_C_ON(); |
7e758047 | 704 | if(triggered) { |
705 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
72934aa3 | 706 | trace[traceLen++] = ((rsamples >> 8) & 0xff); |
707 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
708 | trace[traceLen++] = ((rsamples >> 24) & 0xff); | |
7e758047 | 709 | trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); |
710 | trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); | |
711 | trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); | |
712 | trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); | |
72934aa3 | 713 | trace[traceLen++] = Uart.byteCnt; |
714 | memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); | |
715 | traceLen += Uart.byteCnt; | |
716 | if(traceLen > TRACE_LENGTH) break; | |
717 | } | |
718 | /* And ready to receive another command. */ | |
719 | Uart.state = STATE_UNSYNCD; | |
720 | /* And also reset the demod code, which might have been */ | |
721 | /* false-triggered by the commands from the reader. */ | |
722 | Demod.state = DEMOD_UNSYNCD; | |
7e758047 | 723 | LED_B_OFF(); |
15c4dc5a | 724 | } |
7e758047 | 725 | |
726 | if(ManchesterDecoding(smpl & 0x0F)) { | |
727 | rsamples = samples - Demod.samples; | |
728 | LED_B_ON(); | |
729 | ||
730 | // timestamp, as a count of samples | |
731 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
732 | trace[traceLen++] = ((rsamples >> 8) & 0xff); | |
733 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
734 | trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff); | |
735 | trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff); | |
736 | trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff); | |
737 | trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff); | |
738 | trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff); | |
739 | // length | |
740 | trace[traceLen++] = Demod.len; | |
741 | memcpy(trace+traceLen, receivedResponse, Demod.len); | |
742 | traceLen += Demod.len; | |
743 | if(traceLen > TRACE_LENGTH) break; | |
744 | ||
745 | triggered = TRUE; | |
15c4dc5a | 746 | |
747 | // And ready to receive another response. | |
748 | memset(&Demod, 0, sizeof(Demod)); | |
749 | Demod.output = receivedResponse; | |
750 | Demod.state = DEMOD_UNSYNCD; | |
7e758047 | 751 | LED_C_OFF(); |
752 | } | |
15c4dc5a | 753 | |
754 | if(BUTTON_PRESS()) { | |
755 | DbpString("cancelled_a"); | |
756 | goto done; | |
757 | } | |
758 | } | |
759 | ||
760 | DbpString("COMMAND FINISHED"); | |
761 | ||
762 | Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt); | |
763 | Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]); | |
764 | ||
765 | done: | |
766 | AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; | |
767 | Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt); | |
768 | Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]); | |
769 | LED_A_OFF(); | |
770 | LED_B_OFF(); | |
771 | LED_C_OFF(); | |
772 | LED_D_OFF(); | |
773 | } | |
774 | ||
15c4dc5a | 775 | //----------------------------------------------------------------------------- |
776 | // Prepare tag messages | |
777 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 778 | static void CodeIso14443aAsTag(const uint8_t *cmd, int len) |
15c4dc5a | 779 | { |
780 | int i; | |
781 | int oddparity; | |
782 | ||
783 | ToSendReset(); | |
784 | ||
785 | // Correction bit, might be removed when not needed | |
786 | ToSendStuffBit(0); | |
787 | ToSendStuffBit(0); | |
788 | ToSendStuffBit(0); | |
789 | ToSendStuffBit(0); | |
790 | ToSendStuffBit(1); // 1 | |
791 | ToSendStuffBit(0); | |
792 | ToSendStuffBit(0); | |
793 | ToSendStuffBit(0); | |
794 | ||
795 | // Send startbit | |
72934aa3 | 796 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 797 | |
798 | for(i = 0; i < len; i++) { | |
799 | int j; | |
f7e3ed82 | 800 | uint8_t b = cmd[i]; |
15c4dc5a | 801 | |
802 | // Data bits | |
803 | oddparity = 0x01; | |
804 | for(j = 0; j < 8; j++) { | |
805 | oddparity ^= (b & 1); | |
806 | if(b & 1) { | |
72934aa3 | 807 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 808 | } else { |
72934aa3 | 809 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 810 | } |
811 | b >>= 1; | |
812 | } | |
813 | ||
814 | // Parity bit | |
815 | if(oddparity) { | |
72934aa3 | 816 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 817 | } else { |
72934aa3 | 818 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 819 | } |
820 | } | |
821 | ||
822 | // Send stopbit | |
72934aa3 | 823 | ToSend[++ToSendMax] = SEC_F; |
15c4dc5a | 824 | |
825 | // Flush the buffer in FPGA!! | |
826 | for(i = 0; i < 5; i++) { | |
72934aa3 | 827 | ToSend[++ToSendMax] = SEC_F; |
15c4dc5a | 828 | } |
829 | ||
830 | // Convert from last byte pos to length | |
831 | ToSendMax++; | |
832 | ||
833 | // Add a few more for slop | |
834 | ToSend[ToSendMax++] = 0x00; | |
835 | ToSend[ToSendMax++] = 0x00; | |
836 | //ToSendMax += 2; | |
837 | } | |
838 | ||
839 | //----------------------------------------------------------------------------- | |
840 | // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4 | |
841 | //----------------------------------------------------------------------------- | |
842 | static void CodeStrangeAnswer() | |
843 | { | |
844 | int i; | |
845 | ||
846 | ToSendReset(); | |
847 | ||
848 | // Correction bit, might be removed when not needed | |
849 | ToSendStuffBit(0); | |
850 | ToSendStuffBit(0); | |
851 | ToSendStuffBit(0); | |
852 | ToSendStuffBit(0); | |
853 | ToSendStuffBit(1); // 1 | |
854 | ToSendStuffBit(0); | |
855 | ToSendStuffBit(0); | |
856 | ToSendStuffBit(0); | |
857 | ||
858 | // Send startbit | |
72934aa3 | 859 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 860 | |
861 | // 0 | |
72934aa3 | 862 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 863 | |
864 | // 0 | |
72934aa3 | 865 | ToSend[++ToSendMax] = SEC_E; |
15c4dc5a | 866 | |
867 | // 1 | |
72934aa3 | 868 | ToSend[++ToSendMax] = SEC_D; |
15c4dc5a | 869 | |
870 | // Send stopbit | |
72934aa3 | 871 | ToSend[++ToSendMax] = SEC_F; |
15c4dc5a | 872 | |
873 | // Flush the buffer in FPGA!! | |
874 | for(i = 0; i < 5; i++) { | |
72934aa3 | 875 | ToSend[++ToSendMax] = SEC_F; |
15c4dc5a | 876 | } |
877 | ||
878 | // Convert from last byte pos to length | |
879 | ToSendMax++; | |
880 | ||
881 | // Add a few more for slop | |
882 | ToSend[ToSendMax++] = 0x00; | |
883 | ToSend[ToSendMax++] = 0x00; | |
884 | //ToSendMax += 2; | |
885 | } | |
886 | ||
887 | //----------------------------------------------------------------------------- | |
888 | // Wait for commands from reader | |
889 | // Stop when button is pressed | |
890 | // Or return TRUE when command is captured | |
891 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 892 | static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen) |
15c4dc5a | 893 | { |
894 | // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen | |
895 | // only, since we are receiving, not transmitting). | |
896 | // Signal field is off with the appropriate LED | |
897 | LED_D_OFF(); | |
898 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
899 | ||
900 | // Now run a `software UART' on the stream of incoming samples. | |
901 | Uart.output = received; | |
902 | Uart.byteCntMax = maxLen; | |
903 | Uart.state = STATE_UNSYNCD; | |
904 | ||
905 | for(;;) { | |
906 | WDT_HIT(); | |
907 | ||
908 | if(BUTTON_PRESS()) return FALSE; | |
909 | ||
910 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
911 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
912 | } | |
913 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 914 | uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 915 | if(MillerDecoding((b & 0xf0) >> 4)) { |
916 | *len = Uart.byteCnt; | |
917 | return TRUE; | |
918 | } | |
919 | if(MillerDecoding(b & 0x0f)) { | |
920 | *len = Uart.byteCnt; | |
921 | return TRUE; | |
922 | } | |
923 | } | |
924 | } | |
925 | } | |
926 | ||
927 | //----------------------------------------------------------------------------- | |
928 | // Main loop of simulated tag: receive commands from reader, decide what | |
929 | // response to send, and send it. | |
930 | //----------------------------------------------------------------------------- | |
931 | void SimulateIso14443aTag(int tagType, int TagUid) | |
932 | { | |
933 | // This function contains the tag emulation | |
934 | ||
935 | // Prepare protocol messages | |
f7e3ed82 | 936 | // static const uint8_t cmd1[] = { 0x26 }; |
937 | // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg | |
15c4dc5a | 938 | // |
f7e3ed82 | 939 | static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me |
940 | // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me | |
15c4dc5a | 941 | |
942 | // UID response | |
f7e3ed82 | 943 | // static const uint8_t cmd2[] = { 0x93, 0x20 }; |
944 | //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg | |
15c4dc5a | 945 | |
15c4dc5a | 946 | // my desfire |
f7e3ed82 | 947 | static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips |
15c4dc5a | 948 | |
949 | ||
950 | // When reader selects us during cascade1 it will send cmd3 | |
f7e3ed82 | 951 | //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE) |
952 | uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire) | |
15c4dc5a | 953 | ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]); |
954 | ||
955 | // send cascade2 2nd half of UID | |
f7e3ed82 | 956 | static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck |
15c4dc5a | 957 | // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID |
958 | ||
15c4dc5a | 959 | // When reader selects us during cascade2 it will send cmd3a |
f7e3ed82 | 960 | //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE) |
961 | uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire) | |
15c4dc5a | 962 | ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]); |
963 | ||
f7e3ed82 | 964 | static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce |
15c4dc5a | 965 | |
f7e3ed82 | 966 | uint8_t *resp; |
15c4dc5a | 967 | int respLen; |
968 | ||
969 | // Longest possible response will be 16 bytes + 2 CRC = 18 bytes | |
970 | // This will need | |
971 | // 144 data bits (18 * 8) | |
972 | // 18 parity bits | |
973 | // 2 Start and stop | |
974 | // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA) | |
975 | // 1 just for the case | |
976 | // ----------- + | |
977 | // 166 | |
978 | // | |
979 | // 166 bytes, since every bit that needs to be send costs us a byte | |
980 | // | |
981 | ||
15c4dc5a | 982 | // Respond with card type |
f7e3ed82 | 983 | uint8_t *resp1 = (((uint8_t *)BigBuf) + 800); |
15c4dc5a | 984 | int resp1Len; |
985 | ||
986 | // Anticollision cascade1 - respond with uid | |
f7e3ed82 | 987 | uint8_t *resp2 = (((uint8_t *)BigBuf) + 970); |
15c4dc5a | 988 | int resp2Len; |
989 | ||
990 | // Anticollision cascade2 - respond with 2nd half of uid if asked | |
991 | // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88 | |
f7e3ed82 | 992 | uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140); |
15c4dc5a | 993 | int resp2aLen; |
994 | ||
995 | // Acknowledge select - cascade 1 | |
f7e3ed82 | 996 | uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310); |
15c4dc5a | 997 | int resp3Len; |
998 | ||
999 | // Acknowledge select - cascade 2 | |
f7e3ed82 | 1000 | uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480); |
15c4dc5a | 1001 | int resp3aLen; |
1002 | ||
1003 | // Response to a read request - not implemented atm | |
f7e3ed82 | 1004 | uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550); |
15c4dc5a | 1005 | int resp4Len; |
1006 | ||
1007 | // Authenticate response - nonce | |
f7e3ed82 | 1008 | uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720); |
15c4dc5a | 1009 | int resp5Len; |
1010 | ||
f7e3ed82 | 1011 | uint8_t *receivedCmd = (uint8_t *)BigBuf; |
15c4dc5a | 1012 | int len; |
1013 | ||
1014 | int i; | |
1015 | int u; | |
f7e3ed82 | 1016 | uint8_t b; |
15c4dc5a | 1017 | |
1018 | // To control where we are in the protocol | |
1019 | int order = 0; | |
1020 | int lastorder; | |
1021 | ||
1022 | // Just to allow some checks | |
1023 | int happened = 0; | |
1024 | int happened2 = 0; | |
1025 | ||
1026 | int cmdsRecvd = 0; | |
1027 | ||
f7e3ed82 | 1028 | int fdt_indicator; |
15c4dc5a | 1029 | |
1030 | memset(receivedCmd, 0x44, 400); | |
1031 | ||
1032 | // Prepare the responses of the anticollision phase | |
1033 | // there will be not enough time to do this at the moment the reader sends it REQA | |
1034 | ||
1035 | // Answer to request | |
1036 | CodeIso14443aAsTag(response1, sizeof(response1)); | |
1037 | memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax; | |
1038 | ||
1039 | // Send our UID (cascade 1) | |
1040 | CodeIso14443aAsTag(response2, sizeof(response2)); | |
1041 | memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax; | |
1042 | ||
1043 | // Answer to select (cascade1) | |
1044 | CodeIso14443aAsTag(response3, sizeof(response3)); | |
1045 | memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax; | |
1046 | ||
1047 | // Send the cascade 2 2nd part of the uid | |
1048 | CodeIso14443aAsTag(response2a, sizeof(response2a)); | |
1049 | memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax; | |
1050 | ||
1051 | // Answer to select (cascade 2) | |
1052 | CodeIso14443aAsTag(response3a, sizeof(response3a)); | |
1053 | memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax; | |
1054 | ||
1055 | // Strange answer is an example of rare message size (3 bits) | |
1056 | CodeStrangeAnswer(); | |
1057 | memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax; | |
1058 | ||
1059 | // Authentication answer (random nonce) | |
1060 | CodeIso14443aAsTag(response5, sizeof(response5)); | |
1061 | memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax; | |
1062 | ||
1063 | // We need to listen to the high-frequency, peak-detected path. | |
1064 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
1065 | FpgaSetupSsc(); | |
1066 | ||
1067 | cmdsRecvd = 0; | |
1068 | ||
1069 | LED_A_ON(); | |
1070 | for(;;) { | |
1071 | ||
1072 | if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) { | |
1073 | DbpString("button press"); | |
1074 | break; | |
1075 | } | |
1076 | // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated | |
1077 | // Okay, look at the command now. | |
1078 | lastorder = order; | |
1079 | i = 1; // first byte transmitted | |
1080 | if(receivedCmd[0] == 0x26) { | |
1081 | // Received a REQUEST | |
1082 | resp = resp1; respLen = resp1Len; order = 1; | |
1083 | //DbpString("Hello request from reader:"); | |
1084 | } else if(receivedCmd[0] == 0x52) { | |
1085 | // Received a WAKEUP | |
1086 | resp = resp1; respLen = resp1Len; order = 6; | |
1087 | // //DbpString("Wakeup request from reader:"); | |
1088 | ||
1089 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision | |
1090 | // Received request for UID (cascade 1) | |
1091 | resp = resp2; respLen = resp2Len; order = 2; | |
1092 | // DbpString("UID (cascade 1) request from reader:"); | |
1093 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1094 | ||
1095 | ||
1096 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision | |
1097 | // Received request for UID (cascade 2) | |
1098 | resp = resp2a; respLen = resp2aLen; order = 20; | |
1099 | // DbpString("UID (cascade 2) request from reader:"); | |
1100 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1101 | ||
1102 | ||
1103 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select | |
1104 | // Received a SELECT | |
1105 | resp = resp3; respLen = resp3Len; order = 3; | |
1106 | // DbpString("Select (cascade 1) request from reader:"); | |
1107 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1108 | ||
1109 | ||
1110 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select | |
1111 | // Received a SELECT | |
1112 | resp = resp3a; respLen = resp3aLen; order = 30; | |
1113 | // DbpString("Select (cascade 2) request from reader:"); | |
1114 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1115 | ||
1116 | ||
1117 | } else if(receivedCmd[0] == 0x30) { | |
1118 | // Received a READ | |
1119 | resp = resp4; respLen = resp4Len; order = 4; // Do nothing | |
1120 | Dbprintf("Read request from reader: %x %x %x", | |
1121 | receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1122 | ||
1123 | ||
1124 | } else if(receivedCmd[0] == 0x50) { | |
1125 | // Received a HALT | |
1126 | resp = resp1; respLen = 0; order = 5; // Do nothing | |
1127 | DbpString("Reader requested we HALT!:"); | |
1128 | ||
1129 | } else if(receivedCmd[0] == 0x60) { | |
1130 | // Received an authentication request | |
1131 | resp = resp5; respLen = resp5Len; order = 7; | |
1132 | Dbprintf("Authenticate request from reader: %x %x %x", | |
1133 | receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1134 | ||
1135 | } else if(receivedCmd[0] == 0xE0) { | |
1136 | // Received a RATS request | |
1137 | resp = resp1; respLen = 0;order = 70; | |
1138 | Dbprintf("RATS request from reader: %x %x %x", | |
1139 | receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1140 | } else { | |
1141 | // Never seen this command before | |
1142 | Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x", | |
1143 | receivedCmd[0], receivedCmd[1], receivedCmd[2], | |
1144 | receivedCmd[3], receivedCmd[3], receivedCmd[4], | |
1145 | receivedCmd[5], receivedCmd[6], receivedCmd[7]); | |
1146 | // Do not respond | |
1147 | resp = resp1; respLen = 0; order = 0; | |
1148 | } | |
1149 | ||
1150 | // Count number of wakeups received after a halt | |
1151 | if(order == 6 && lastorder == 5) { happened++; } | |
1152 | ||
1153 | // Count number of other messages after a halt | |
1154 | if(order != 6 && lastorder == 5) { happened2++; } | |
1155 | ||
1156 | // Look at last parity bit to determine timing of answer | |
1157 | if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) { | |
1158 | // 1236, so correction bit needed | |
1159 | i = 0; | |
1160 | } | |
1161 | ||
1162 | memset(receivedCmd, 0x44, 32); | |
1163 | ||
1164 | if(cmdsRecvd > 999) { | |
1165 | DbpString("1000 commands later..."); | |
1166 | break; | |
1167 | } | |
1168 | else { | |
1169 | cmdsRecvd++; | |
1170 | } | |
1171 | ||
1172 | if(respLen <= 0) continue; | |
1173 | ||
1174 | // Modulate Manchester | |
1175 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD); | |
1176 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
1177 | FpgaSetupSsc(); | |
1178 | ||
1179 | // ### Transmit the response ### | |
1180 | u = 0; | |
1181 | b = 0x00; | |
1182 | fdt_indicator = FALSE; | |
1183 | for(;;) { | |
1184 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1185 | volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1186 | (void)b; |
1187 | } | |
1188 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1189 | if(i > respLen) { | |
1190 | b = 0x00; | |
1191 | u++; | |
1192 | } else { | |
1193 | b = resp[i]; | |
1194 | i++; | |
1195 | } | |
1196 | AT91C_BASE_SSC->SSC_THR = b; | |
1197 | ||
1198 | if(u > 4) { | |
1199 | break; | |
1200 | } | |
1201 | } | |
1202 | if(BUTTON_PRESS()) { | |
1203 | break; | |
1204 | } | |
1205 | } | |
1206 | ||
1207 | } | |
1208 | ||
1209 | Dbprintf("%x %x %x", happened, happened2, cmdsRecvd); | |
1210 | LED_A_OFF(); | |
1211 | } | |
1212 | ||
1213 | //----------------------------------------------------------------------------- | |
1214 | // Transmit the command (to the tag) that was placed in ToSend[]. | |
1215 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1216 | static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait) |
15c4dc5a | 1217 | { |
1218 | int c; | |
e30c654b | 1219 | |
15c4dc5a | 1220 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); |
e30c654b | 1221 | |
15c4dc5a | 1222 | if (wait) |
1223 | if(*wait < 10) | |
1224 | *wait = 10; | |
e30c654b | 1225 | |
15c4dc5a | 1226 | for(c = 0; c < *wait;) { |
1227 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1228 | AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! | |
1229 | c++; | |
1230 | } | |
1231 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1232 | volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1233 | (void)r; |
1234 | } | |
1235 | WDT_HIT(); | |
1236 | } | |
e30c654b | 1237 | |
15c4dc5a | 1238 | c = 0; |
1239 | for(;;) { | |
1240 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1241 | AT91C_BASE_SSC->SSC_THR = cmd[c]; | |
1242 | c++; | |
1243 | if(c >= len) { | |
1244 | break; | |
1245 | } | |
1246 | } | |
1247 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1248 | volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1249 | (void)r; |
1250 | } | |
1251 | WDT_HIT(); | |
1252 | } | |
1253 | if (samples) *samples = (c + *wait) << 3; | |
1254 | } | |
1255 | ||
15c4dc5a | 1256 | //----------------------------------------------------------------------------- |
1257 | // Code a 7-bit command without parity bit | |
1258 | // This is especially for 0x26 and 0x52 (REQA and WUPA) | |
1259 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1260 | void ShortFrameFromReader(const uint8_t bt) |
15c4dc5a | 1261 | { |
1262 | int j; | |
1263 | int last; | |
f7e3ed82 | 1264 | uint8_t b; |
15c4dc5a | 1265 | |
1266 | ToSendReset(); | |
1267 | ||
1268 | // Start of Communication (Seq. Z) | |
72934aa3 | 1269 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1270 | last = 0; |
1271 | ||
1272 | b = bt; | |
1273 | for(j = 0; j < 7; j++) { | |
1274 | if(b & 1) { | |
1275 | // Sequence X | |
72934aa3 | 1276 | ToSend[++ToSendMax] = SEC_X; |
15c4dc5a | 1277 | last = 1; |
1278 | } else { | |
1279 | if(last == 0) { | |
1280 | // Sequence Z | |
72934aa3 | 1281 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1282 | } |
1283 | else { | |
1284 | // Sequence Y | |
72934aa3 | 1285 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1286 | last = 0; |
1287 | } | |
1288 | } | |
1289 | b >>= 1; | |
1290 | } | |
1291 | ||
1292 | // End of Communication | |
1293 | if(last == 0) { | |
1294 | // Sequence Z | |
72934aa3 | 1295 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1296 | } |
1297 | else { | |
1298 | // Sequence Y | |
72934aa3 | 1299 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1300 | last = 0; |
1301 | } | |
1302 | // Sequence Y | |
72934aa3 | 1303 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1304 | |
1305 | // Just to be sure! | |
72934aa3 | 1306 | ToSend[++ToSendMax] = SEC_Y; |
1307 | ToSend[++ToSendMax] = SEC_Y; | |
1308 | ToSend[++ToSendMax] = SEC_Y; | |
15c4dc5a | 1309 | |
1310 | // Convert from last character reference to length | |
1311 | ToSendMax++; | |
1312 | } | |
1313 | ||
1314 | //----------------------------------------------------------------------------- | |
1315 | // Prepare reader command to send to FPGA | |
e30c654b | 1316 | // |
15c4dc5a | 1317 | //----------------------------------------------------------------------------- |
f7e3ed82 | 1318 | void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity) |
15c4dc5a | 1319 | { |
1320 | int i, j; | |
1321 | int last; | |
f7e3ed82 | 1322 | uint8_t b; |
e30c654b | 1323 | |
15c4dc5a | 1324 | ToSendReset(); |
e30c654b | 1325 | |
15c4dc5a | 1326 | // Start of Communication (Seq. Z) |
72934aa3 | 1327 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1328 | last = 0; |
e30c654b | 1329 | |
15c4dc5a | 1330 | // Generate send structure for the data bits |
1331 | for (i = 0; i < len; i++) { | |
1332 | // Get the current byte to send | |
1333 | b = cmd[i]; | |
e30c654b | 1334 | |
15c4dc5a | 1335 | for (j = 0; j < 8; j++) { |
1336 | if (b & 1) { | |
1337 | // Sequence X | |
72934aa3 | 1338 | ToSend[++ToSendMax] = SEC_X; |
15c4dc5a | 1339 | last = 1; |
1340 | } else { | |
1341 | if (last == 0) { | |
1342 | // Sequence Z | |
72934aa3 | 1343 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1344 | } else { |
1345 | // Sequence Y | |
72934aa3 | 1346 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1347 | last = 0; |
1348 | } | |
1349 | } | |
1350 | b >>= 1; | |
1351 | } | |
e30c654b | 1352 | |
15c4dc5a | 1353 | // Get the parity bit |
1354 | if ((dwParity >> i) & 0x01) { | |
1355 | // Sequence X | |
72934aa3 | 1356 | ToSend[++ToSendMax] = SEC_X; |
15c4dc5a | 1357 | last = 1; |
1358 | } else { | |
1359 | if (last == 0) { | |
1360 | // Sequence Z | |
72934aa3 | 1361 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1362 | } else { |
1363 | // Sequence Y | |
72934aa3 | 1364 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1365 | last = 0; |
1366 | } | |
1367 | } | |
1368 | } | |
e30c654b | 1369 | |
15c4dc5a | 1370 | // End of Communication |
1371 | if (last == 0) { | |
1372 | // Sequence Z | |
72934aa3 | 1373 | ToSend[++ToSendMax] = SEC_Z; |
15c4dc5a | 1374 | } else { |
1375 | // Sequence Y | |
72934aa3 | 1376 | ToSend[++ToSendMax] = SEC_Y; |
15c4dc5a | 1377 | last = 0; |
1378 | } | |
1379 | // Sequence Y | |
72934aa3 | 1380 | ToSend[++ToSendMax] = SEC_Y; |
e30c654b | 1381 | |
15c4dc5a | 1382 | // Just to be sure! |
72934aa3 | 1383 | ToSend[++ToSendMax] = SEC_Y; |
1384 | ToSend[++ToSendMax] = SEC_Y; | |
1385 | ToSend[++ToSendMax] = SEC_Y; | |
e30c654b | 1386 | |
15c4dc5a | 1387 | // Convert from last character reference to length |
1388 | ToSendMax++; | |
1389 | } | |
1390 | ||
1391 | //----------------------------------------------------------------------------- | |
1392 | // Wait a certain time for tag response | |
1393 | // If a response is captured return TRUE | |
1394 | // If it takes to long return FALSE | |
1395 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1396 | static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer |
15c4dc5a | 1397 | { |
1398 | // buffer needs to be 512 bytes | |
1399 | int c; | |
1400 | ||
1401 | // Set FPGA mode to "reader listen mode", no modulation (listen | |
534983d7 | 1402 | // only, since we are receiving, not transmitting). |
1403 | // Signal field is on with the appropriate LED | |
1404 | LED_D_ON(); | |
1405 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN); | |
15c4dc5a | 1406 | |
534983d7 | 1407 | // Now get the answer from the card |
1408 | Demod.output = receivedResponse; | |
1409 | Demod.len = 0; | |
1410 | Demod.state = DEMOD_UNSYNCD; | |
15c4dc5a | 1411 | |
f7e3ed82 | 1412 | uint8_t b; |
15c4dc5a | 1413 | if (elapsed) *elapsed = 0; |
1414 | ||
1415 | c = 0; | |
1416 | for(;;) { | |
534983d7 | 1417 | WDT_HIT(); |
15c4dc5a | 1418 | |
534983d7 | 1419 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { |
1420 | AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!! | |
15c4dc5a | 1421 | if (elapsed) (*elapsed)++; |
534983d7 | 1422 | } |
1423 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
1424 | if(c < iso14a_timeout) { c++; } else { return FALSE; } | |
1425 | b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; | |
72934aa3 | 1426 | if(ManchesterDecoding((b>>4) & 0xf)) { |
15c4dc5a | 1427 | *samples = ((c - 1) << 3) + 4; |
1428 | return TRUE; | |
1429 | } | |
1430 | if(ManchesterDecoding(b & 0x0f)) { | |
1431 | *samples = c << 3; | |
1432 | return TRUE; | |
1433 | } | |
534983d7 | 1434 | } |
1435 | } | |
15c4dc5a | 1436 | } |
1437 | ||
f7e3ed82 | 1438 | void ReaderTransmitShort(const uint8_t* bt) |
15c4dc5a | 1439 | { |
1440 | int wait = 0; | |
1441 | int samples = 0; | |
1442 | ||
1443 | ShortFrameFromReader(*bt); | |
e30c654b | 1444 | |
15c4dc5a | 1445 | // Select the card |
e30c654b | 1446 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); |
1447 | ||
15c4dc5a | 1448 | // Store reader command in buffer |
1449 | if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE); | |
1450 | } | |
1451 | ||
f7e3ed82 | 1452 | void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par) |
15c4dc5a | 1453 | { |
1454 | int wait = 0; | |
1455 | int samples = 0; | |
e30c654b | 1456 | |
15c4dc5a | 1457 | // This is tied to other size changes |
f7e3ed82 | 1458 | // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024; |
15c4dc5a | 1459 | CodeIso14443aAsReaderPar(frame,len,par); |
e30c654b | 1460 | |
15c4dc5a | 1461 | // Select the card |
e30c654b | 1462 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); |
534983d7 | 1463 | if(trigger) |
1464 | LED_A_ON(); | |
e30c654b | 1465 | |
15c4dc5a | 1466 | // Store reader command in buffer |
1467 | if (tracing) LogTrace(frame,len,0,par,TRUE); | |
1468 | } | |
1469 | ||
1470 | ||
f7e3ed82 | 1471 | void ReaderTransmit(uint8_t* frame, int len) |
15c4dc5a | 1472 | { |
1473 | // Generate parity and redirect | |
1474 | ReaderTransmitPar(frame,len,GetParity(frame,len)); | |
1475 | } | |
1476 | ||
f7e3ed82 | 1477 | int ReaderReceive(uint8_t* receivedAnswer) |
15c4dc5a | 1478 | { |
1479 | int samples = 0; | |
1480 | if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE; | |
1481 | if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE); | |
7e758047 | 1482 | if(samples == 0) return FALSE; |
1483 | return Demod.len; | |
15c4dc5a | 1484 | } |
1485 | ||
7e758047 | 1486 | /* performs iso14443a anticolision procedure |
534983d7 | 1487 | * fills the uid pointer unless NULL |
1488 | * fills resp_data unless NULL */ | |
1489 | int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) { | |
f7e3ed82 | 1490 | uint8_t wupa[] = { 0x52 }; |
1491 | uint8_t sel_all[] = { 0x93,0x20 }; | |
1492 | uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
7e758047 | 1493 | uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0 |
15c4dc5a | 1494 | |
7e758047 | 1495 | uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes |
1496 | uint8_t* uid = resp + 7; | |
15c4dc5a | 1497 | |
534983d7 | 1498 | uint8_t sak = 0x04; // cascade uid |
1499 | int cascade_level = 0; | |
1500 | ||
7e758047 | 1501 | int len; |
15c4dc5a | 1502 | |
7e758047 | 1503 | // Broadcast for a card, WUPA (0x52) will force response from all cards in the field |
1504 | ReaderTransmitShort(wupa); | |
1505 | // Receive the ATQA | |
1506 | if(!ReaderReceive(resp)) return 0; | |
15c4dc5a | 1507 | |
534983d7 | 1508 | if(resp_data) |
1509 | memcpy(resp_data->atqa, resp, 2); | |
1510 | ||
1511 | ReaderTransmit(sel_all,sizeof(sel_all)); | |
7e758047 | 1512 | if(!ReaderReceive(uid)) return 0; |
15c4dc5a | 1513 | |
534983d7 | 1514 | // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in |
7e758047 | 1515 | // which case we need to make a cascade 2 request and select - this is a long UID |
534983d7 | 1516 | // While the UID is not complete, the 3nd bit (from the right) is set in the SAK. |
1517 | for(; sak & 0x04; cascade_level++) | |
7e758047 | 1518 | { |
534983d7 | 1519 | // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97) |
1520 | sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2; | |
1521 | ||
1522 | // SELECT_ALL | |
1523 | ReaderTransmit(sel_all,sizeof(sel_all)); | |
1524 | if (!ReaderReceive(resp)) return 0; | |
1525 | if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4); | |
e30c654b | 1526 | |
7e758047 | 1527 | // Construct SELECT UID command |
534983d7 | 1528 | memcpy(sel_uid+2,resp,5); |
1529 | AppendCrc14443a(sel_uid,7); | |
1530 | ReaderTransmit(sel_uid,sizeof(sel_uid)); | |
1531 | ||
7e758047 | 1532 | // Receive the SAK |
1533 | if (!ReaderReceive(resp)) return 0; | |
534983d7 | 1534 | sak = resp[0]; |
7e758047 | 1535 | } |
534983d7 | 1536 | if(resp_data) { |
1537 | resp_data->sak = sak; | |
1538 | resp_data->ats_len = 0; | |
1539 | } | |
1540 | ||
1541 | if( (sak & 0x20) == 0) | |
7e758047 | 1542 | return 2; // non iso14443a compliant tag |
534983d7 | 1543 | |
7e758047 | 1544 | // Request for answer to select |
1545 | AppendCrc14443a(rats, 2); | |
1546 | ReaderTransmit(rats, sizeof(rats)); | |
1547 | if (!(len = ReaderReceive(resp))) return 0; | |
534983d7 | 1548 | if(resp_data) { |
1549 | memcpy(resp_data->ats, resp, sizeof(resp_data->ats)); | |
1550 | resp_data->ats_len = len; | |
1551 | } | |
1552 | ||
7e758047 | 1553 | return 1; |
1554 | } | |
15c4dc5a | 1555 | |
7e758047 | 1556 | void iso14443a_setup() { |
1557 | // Setup SSC | |
1558 | FpgaSetupSsc(); | |
1559 | // Start from off (no field generated) | |
1560 | // Signal field is off with the appropriate LED | |
1561 | LED_D_OFF(); | |
1562 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1563 | SpinDelay(200); | |
15c4dc5a | 1564 | |
7e758047 | 1565 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); |
e30c654b | 1566 | |
7e758047 | 1567 | // Now give it time to spin up. |
1568 | // Signal field is on with the appropriate LED | |
1569 | LED_D_ON(); | |
1570 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
1571 | SpinDelay(200); | |
534983d7 | 1572 | |
1573 | iso14a_timeout = 2048; //default | |
7e758047 | 1574 | } |
15c4dc5a | 1575 | |
534983d7 | 1576 | int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) { |
1577 | uint8_t real_cmd[cmd_len+4]; | |
1578 | real_cmd[0] = 0x0a; //I-Block | |
1579 | real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards | |
1580 | memcpy(real_cmd+2, cmd, cmd_len); | |
1581 | AppendCrc14443a(real_cmd,cmd_len+2); | |
1582 | ||
1583 | ReaderTransmit(real_cmd, cmd_len+4); | |
1584 | size_t len = ReaderReceive(data); | |
1585 | if(!len) | |
1586 | return -1; //DATA LINK ERROR | |
1587 | ||
1588 | return len; | |
1589 | } | |
1590 | ||
1591 | ||
7e758047 | 1592 | //----------------------------------------------------------------------------- |
1593 | // Read an ISO 14443a tag. Send out commands and store answers. | |
1594 | // | |
1595 | //----------------------------------------------------------------------------- | |
534983d7 | 1596 | void ReaderIso14443a(UsbCommand * c, UsbCommand * ack) |
7e758047 | 1597 | { |
534983d7 | 1598 | iso14a_command_t param = c->arg[0]; |
1599 | uint8_t * cmd = c->d.asBytes; | |
1600 | size_t len = c->arg[1]; | |
e30c654b | 1601 | |
534983d7 | 1602 | if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1); |
15c4dc5a | 1603 | |
534983d7 | 1604 | if(param & ISO14A_CONNECT) { |
1605 | iso14443a_setup(); | |
1606 | ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12)); | |
1607 | UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
1608 | } | |
e30c654b | 1609 | |
534983d7 | 1610 | if(param & ISO14A_SET_TIMEOUT) { |
1611 | iso14a_timeout = c->arg[2]; | |
1612 | } | |
e30c654b | 1613 | |
534983d7 | 1614 | if(param & ISO14A_SET_TIMEOUT) { |
1615 | iso14a_timeout = c->arg[2]; | |
1616 | } | |
e30c654b | 1617 | |
534983d7 | 1618 | if(param & ISO14A_APDU) { |
1619 | ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes); | |
1620 | UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
1621 | } | |
e30c654b | 1622 | |
534983d7 | 1623 | if(param & ISO14A_RAW) { |
1624 | if(param & ISO14A_APPEND_CRC) { | |
1625 | AppendCrc14443a(cmd,len); | |
1626 | len += 2; | |
15c4dc5a | 1627 | } |
534983d7 | 1628 | ReaderTransmit(cmd,len); |
1629 | ack->arg[0] = ReaderReceive(ack->d.asBytes); | |
1630 | UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
1631 | } | |
15c4dc5a | 1632 | |
534983d7 | 1633 | if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0); |
15c4dc5a | 1634 | |
534983d7 | 1635 | if(param & ISO14A_NO_DISCONNECT) |
1636 | return; | |
15c4dc5a | 1637 | |
15c4dc5a | 1638 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); |
1639 | LEDsoff(); | |
15c4dc5a | 1640 | } |
15c4dc5a | 1641 | //----------------------------------------------------------------------------- |
1642 | // Read an ISO 14443a tag. Send out commands and store answers. | |
1643 | // | |
1644 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1645 | void ReaderMifare(uint32_t parameter) |
15c4dc5a | 1646 | { |
15c4dc5a | 1647 | // Mifare AUTH |
f7e3ed82 | 1648 | uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; |
1649 | uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
e30c654b | 1650 | |
f7e3ed82 | 1651 | uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes |
15c4dc5a | 1652 | traceLen = 0; |
1653 | tracing = false; | |
e30c654b | 1654 | |
7e758047 | 1655 | iso14443a_setup(); |
e30c654b | 1656 | |
15c4dc5a | 1657 | LED_A_ON(); |
1658 | LED_B_OFF(); | |
1659 | LED_C_OFF(); | |
e30c654b | 1660 | |
15c4dc5a | 1661 | byte_t nt_diff = 0; |
1662 | LED_A_OFF(); | |
1663 | byte_t par = 0; | |
1664 | byte_t par_mask = 0xff; | |
1665 | byte_t par_low = 0; | |
f7e3ed82 | 1666 | int led_on = TRUE; |
e30c654b | 1667 | |
15c4dc5a | 1668 | tracing = FALSE; |
1669 | byte_t nt[4]; | |
1670 | byte_t nt_attacked[4]; | |
1671 | byte_t par_list[8]; | |
1672 | byte_t ks_list[8]; | |
1673 | num_to_bytes(parameter,4,nt_attacked); | |
1674 | ||
1675 | while(TRUE) | |
1676 | { | |
1677 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1678 | SpinDelay(200); | |
1679 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
e30c654b | 1680 | |
15c4dc5a | 1681 | // Test if the action was cancelled |
1682 | if(BUTTON_PRESS()) { | |
1683 | break; | |
1684 | } | |
e30c654b | 1685 | |
534983d7 | 1686 | if(!iso14443a_select_card(NULL, NULL)) continue; |
e30c654b | 1687 | |
15c4dc5a | 1688 | // Transmit MIFARE_CLASSIC_AUTH |
1689 | ReaderTransmit(mf_auth,sizeof(mf_auth)); | |
e30c654b | 1690 | |
15c4dc5a | 1691 | // Receive the (16 bit) "random" nonce |
1692 | if (!ReaderReceive(receivedAnswer)) continue; | |
1693 | memcpy(nt,receivedAnswer,4); | |
1694 | ||
1695 | // Transmit reader nonce and reader answer | |
1696 | ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par); | |
e30c654b | 1697 | |
15c4dc5a | 1698 | // Receive 4 bit answer |
1699 | if (ReaderReceive(receivedAnswer)) | |
1700 | { | |
e30c654b | 1701 | if (nt_diff == 0) |
15c4dc5a | 1702 | { |
1703 | LED_A_ON(); | |
1704 | memcpy(nt_attacked,nt,4); | |
1705 | par_mask = 0xf8; | |
1706 | par_low = par & 0x07; | |
1707 | } | |
1708 | ||
1709 | if (memcmp(nt,nt_attacked,4) != 0) continue; | |
1710 | ||
1711 | led_on = !led_on; | |
1712 | if(led_on) LED_B_ON(); else LED_B_OFF(); | |
1713 | par_list[nt_diff] = par; | |
1714 | ks_list[nt_diff] = receivedAnswer[0]^0x05; | |
e30c654b | 1715 | |
15c4dc5a | 1716 | // Test if the information is complete |
1717 | if (nt_diff == 0x07) break; | |
e30c654b | 1718 | |
15c4dc5a | 1719 | nt_diff = (nt_diff+1) & 0x07; |
1720 | mf_nr_ar[3] = nt_diff << 5; | |
1721 | par = par_low; | |
1722 | } else { | |
1723 | if (nt_diff == 0) | |
1724 | { | |
1725 | par++; | |
1726 | } else { | |
1727 | par = (((par>>3)+1) << 3) | par_low; | |
1728 | } | |
1729 | } | |
1730 | } | |
e30c654b | 1731 | |
72934aa3 | 1732 | LogTrace(nt,4,0,GetParity(nt,4),TRUE); |
1733 | LogTrace(par_list,8,0,GetParity(par_list,8),TRUE); | |
1734 | LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE); | |
e30c654b | 1735 | |
15c4dc5a | 1736 | // Thats it... |
1737 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1738 | LEDsoff(); | |
1739 | tracing = TRUE; | |
1740 | } |