]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fixed ISSUE 15 in iso14443a.c - Gerhard
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
534983d7 3// Hagen Fritsch - June 2010
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
15c4dc5a 8//-----------------------------------------------------------------------------
bd20f8f4 9// Routines to support ISO 14443 type A.
10//-----------------------------------------------------------------------------
11
e30c654b 12#include "proxmark3.h"
15c4dc5a 13#include "apps.h"
f7e3ed82 14#include "util.h"
9ab7a6c7 15#include "string.h"
16
15c4dc5a 17#include "iso14443crc.h"
534983d7 18#include "iso14443a.h"
15c4dc5a 19
f7e3ed82 20static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 21static int traceLen = 0;
22static int rsamples = 0;
f7e3ed82 23static int tracing = TRUE;
534983d7 24static uint32_t iso14a_timeout;
15c4dc5a 25
72934aa3 26// CARD TO READER
27// Sequence D: 11110000 modulation with subcarrier during first half
28// Sequence E: 00001111 modulation with subcarrier during second half
29// Sequence F: 00000000 no modulation with subcarrier
30// READER TO CARD
31// Sequence X: 00001100 drop after half a period
32// Sequence Y: 00000000 no drop
33// Sequence Z: 11000000 drop at start
34#define SEC_D 0xf0
35#define SEC_E 0x0f
36#define SEC_F 0x00
37#define SEC_X 0x0c
38#define SEC_Y 0x00
39#define SEC_Z 0xc0
15c4dc5a 40
f7e3ed82 41static const uint8_t OddByteParity[256] = {
15c4dc5a 42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
58};
59
60// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
61#define RECV_CMD_OFFSET 3032
62#define RECV_RES_OFFSET 3096
63#define DMA_BUFFER_OFFSET 3160
64#define DMA_BUFFER_SIZE 4096
65#define TRACE_LENGTH 3000
66
534983d7 67uint8_t trigger = 0;
68void iso14a_set_trigger(int enable) {
69 trigger = enable;
70}
71
15c4dc5a 72//-----------------------------------------------------------------------------
73// Generate the parity value for a byte sequence
e30c654b 74//
15c4dc5a 75//-----------------------------------------------------------------------------
f7e3ed82 76uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 77{
78 int i;
f7e3ed82 79 uint32_t dwPar = 0;
72934aa3 80
15c4dc5a 81 // Generate the encrypted data
82 for (i = 0; i < iLen; i++) {
83 // Save the encrypted parity bit
84 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
85 }
86 return dwPar;
87}
88
534983d7 89void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 90{
91 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
92}
93
ed82636b 94int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 95{
96 // Return when trace is full
97 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 98
15c4dc5a 99 // Trace the random, i'm curious
100 rsamples += iSamples;
101 trace[traceLen++] = ((rsamples >> 0) & 0xff);
102 trace[traceLen++] = ((rsamples >> 8) & 0xff);
103 trace[traceLen++] = ((rsamples >> 16) & 0xff);
104 trace[traceLen++] = ((rsamples >> 24) & 0xff);
105 if (!bReader) {
106 trace[traceLen - 1] |= 0x80;
107 }
108 trace[traceLen++] = ((dwParity >> 0) & 0xff);
109 trace[traceLen++] = ((dwParity >> 8) & 0xff);
110 trace[traceLen++] = ((dwParity >> 16) & 0xff);
111 trace[traceLen++] = ((dwParity >> 24) & 0xff);
112 trace[traceLen++] = iLen;
113 memcpy(trace + traceLen, btBytes, iLen);
114 traceLen += iLen;
115 return TRUE;
116}
117
15c4dc5a 118//-----------------------------------------------------------------------------
119// The software UART that receives commands from the reader, and its state
120// variables.
121//-----------------------------------------------------------------------------
122static struct {
123 enum {
124 STATE_UNSYNCD,
125 STATE_START_OF_COMMUNICATION,
126 STATE_MILLER_X,
127 STATE_MILLER_Y,
128 STATE_MILLER_Z,
129 STATE_ERROR_WAIT
130 } state;
f7e3ed82 131 uint16_t shiftReg;
15c4dc5a 132 int bitCnt;
133 int byteCnt;
134 int byteCntMax;
135 int posCnt;
136 int syncBit;
137 int parityBits;
138 int samples;
139 int highCnt;
140 int bitBuffer;
141 enum {
142 DROP_NONE,
143 DROP_FIRST_HALF,
144 DROP_SECOND_HALF
145 } drop;
f7e3ed82 146 uint8_t *output;
15c4dc5a 147} Uart;
148
6c1e2d95 149static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 150{
151 int error = 0;
152 int bitright;
153
154 if(!Uart.bitBuffer) {
155 Uart.bitBuffer = bit ^ 0xFF0;
156 return FALSE;
157 }
158 else {
159 Uart.bitBuffer <<= 4;
160 Uart.bitBuffer ^= bit;
161 }
162
f7e3ed82 163 int EOC = FALSE;
15c4dc5a 164
165 if(Uart.state != STATE_UNSYNCD) {
166 Uart.posCnt++;
167
168 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
169 bit = 0x00;
170 }
171 else {
172 bit = 0x01;
173 }
174 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
175 bitright = 0x00;
176 }
177 else {
178 bitright = 0x01;
179 }
180 if(bit != bitright) { bit = bitright; }
181
182 if(Uart.posCnt == 1) {
183 // measurement first half bitperiod
184 if(!bit) {
185 Uart.drop = DROP_FIRST_HALF;
186 }
187 }
188 else {
189 // measurement second half bitperiod
190 if(!bit & (Uart.drop == DROP_NONE)) {
191 Uart.drop = DROP_SECOND_HALF;
192 }
193 else if(!bit) {
194 // measured a drop in first and second half
195 // which should not be possible
196 Uart.state = STATE_ERROR_WAIT;
197 error = 0x01;
198 }
199
200 Uart.posCnt = 0;
201
202 switch(Uart.state) {
203 case STATE_START_OF_COMMUNICATION:
204 Uart.shiftReg = 0;
205 if(Uart.drop == DROP_SECOND_HALF) {
206 // error, should not happen in SOC
207 Uart.state = STATE_ERROR_WAIT;
208 error = 0x02;
209 }
210 else {
211 // correct SOC
212 Uart.state = STATE_MILLER_Z;
213 }
214 break;
215
216 case STATE_MILLER_Z:
217 Uart.bitCnt++;
218 Uart.shiftReg >>= 1;
219 if(Uart.drop == DROP_NONE) {
220 // logic '0' followed by sequence Y
221 // end of communication
222 Uart.state = STATE_UNSYNCD;
223 EOC = TRUE;
224 }
225 // if(Uart.drop == DROP_FIRST_HALF) {
226 // Uart.state = STATE_MILLER_Z; stay the same
227 // we see a logic '0' }
228 if(Uart.drop == DROP_SECOND_HALF) {
229 // we see a logic '1'
230 Uart.shiftReg |= 0x100;
231 Uart.state = STATE_MILLER_X;
232 }
233 break;
234
235 case STATE_MILLER_X:
236 Uart.shiftReg >>= 1;
237 if(Uart.drop == DROP_NONE) {
238 // sequence Y, we see a '0'
239 Uart.state = STATE_MILLER_Y;
240 Uart.bitCnt++;
241 }
242 if(Uart.drop == DROP_FIRST_HALF) {
243 // Would be STATE_MILLER_Z
244 // but Z does not follow X, so error
245 Uart.state = STATE_ERROR_WAIT;
246 error = 0x03;
247 }
248 if(Uart.drop == DROP_SECOND_HALF) {
249 // We see a '1' and stay in state X
250 Uart.shiftReg |= 0x100;
251 Uart.bitCnt++;
252 }
253 break;
254
255 case STATE_MILLER_Y:
256 Uart.bitCnt++;
257 Uart.shiftReg >>= 1;
258 if(Uart.drop == DROP_NONE) {
259 // logic '0' followed by sequence Y
260 // end of communication
261 Uart.state = STATE_UNSYNCD;
262 EOC = TRUE;
263 }
264 if(Uart.drop == DROP_FIRST_HALF) {
265 // we see a '0'
266 Uart.state = STATE_MILLER_Z;
267 }
268 if(Uart.drop == DROP_SECOND_HALF) {
269 // We see a '1' and go to state X
270 Uart.shiftReg |= 0x100;
271 Uart.state = STATE_MILLER_X;
272 }
273 break;
274
275 case STATE_ERROR_WAIT:
276 // That went wrong. Now wait for at least two bit periods
277 // and try to sync again
278 if(Uart.drop == DROP_NONE) {
279 Uart.highCnt = 6;
280 Uart.state = STATE_UNSYNCD;
281 }
282 break;
283
284 default:
285 Uart.state = STATE_UNSYNCD;
286 Uart.highCnt = 0;
287 break;
288 }
289
290 Uart.drop = DROP_NONE;
291
292 // should have received at least one whole byte...
293 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
294 return TRUE;
295 }
296
297 if(Uart.bitCnt == 9) {
298 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
299 Uart.byteCnt++;
300
301 Uart.parityBits <<= 1;
302 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
303
304 if(EOC) {
305 // when End of Communication received and
306 // all data bits processed..
307 return TRUE;
308 }
309 Uart.bitCnt = 0;
310 }
311
312 /*if(error) {
313 Uart.output[Uart.byteCnt] = 0xAA;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = error & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
320 Uart.byteCnt++;
321 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
322 Uart.byteCnt++;
323 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
324 Uart.byteCnt++;
325 Uart.output[Uart.byteCnt] = 0xAA;
326 Uart.byteCnt++;
327 return TRUE;
328 }*/
329 }
330
331 }
332 else {
333 bit = Uart.bitBuffer & 0xf0;
334 bit >>= 4;
335 bit ^= 0x0F;
336 if(bit) {
337 // should have been high or at least (4 * 128) / fc
338 // according to ISO this should be at least (9 * 128 + 20) / fc
339 if(Uart.highCnt == 8) {
340 // we went low, so this could be start of communication
341 // it turns out to be safer to choose a less significant
342 // syncbit... so we check whether the neighbour also represents the drop
343 Uart.posCnt = 1; // apparently we are busy with our first half bit period
344 Uart.syncBit = bit & 8;
345 Uart.samples = 3;
346 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
347 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
348 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
349 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
350 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
351 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
352 Uart.syncBit = 8;
353
354 // the first half bit period is expected in next sample
355 Uart.posCnt = 0;
356 Uart.samples = 3;
357 }
358 }
359 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
360
361 Uart.syncBit <<= 4;
362 Uart.state = STATE_START_OF_COMMUNICATION;
363 Uart.drop = DROP_FIRST_HALF;
364 Uart.bitCnt = 0;
365 Uart.byteCnt = 0;
366 Uart.parityBits = 0;
367 error = 0;
368 }
369 else {
370 Uart.highCnt = 0;
371 }
372 }
373 else {
374 if(Uart.highCnt < 8) {
375 Uart.highCnt++;
376 }
377 }
378 }
379
380 return FALSE;
381}
382
383//=============================================================================
384// ISO 14443 Type A - Manchester
385//=============================================================================
386
387static struct {
388 enum {
389 DEMOD_UNSYNCD,
390 DEMOD_START_OF_COMMUNICATION,
391 DEMOD_MANCHESTER_D,
392 DEMOD_MANCHESTER_E,
393 DEMOD_MANCHESTER_F,
394 DEMOD_ERROR_WAIT
395 } state;
396 int bitCount;
397 int posCount;
398 int syncBit;
399 int parityBits;
f7e3ed82 400 uint16_t shiftReg;
15c4dc5a 401 int buffer;
402 int buff;
403 int samples;
404 int len;
405 enum {
406 SUB_NONE,
407 SUB_FIRST_HALF,
408 SUB_SECOND_HALF
409 } sub;
f7e3ed82 410 uint8_t *output;
15c4dc5a 411} Demod;
412
6c1e2d95 413static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 414{
415 int bit;
416 int modulation;
417 int error = 0;
418
419 if(!Demod.buff) {
420 Demod.buff = 1;
421 Demod.buffer = v;
422 return FALSE;
423 }
424 else {
425 bit = Demod.buffer;
426 Demod.buffer = v;
427 }
428
429 if(Demod.state==DEMOD_UNSYNCD) {
430 Demod.output[Demod.len] = 0xfa;
431 Demod.syncBit = 0;
432 //Demod.samples = 0;
433 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
434 if(bit & 0x08) { Demod.syncBit = 0x08; }
435 if(!Demod.syncBit) {
436 if(bit & 0x04) { Demod.syncBit = 0x04; }
437 }
438 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
439 if(!Demod.syncBit) {
440 if(bit & 0x02) { Demod.syncBit = 0x02; }
441 }
442 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
443 if(!Demod.syncBit) {
444 if(bit & 0x01) { Demod.syncBit = 0x01; }
445
446 if(Demod.syncBit & (Demod.buffer & 0x08)) {
447 Demod.syncBit = 0x08;
448
449 // The first half bitperiod is expected in next sample
450 Demod.posCount = 0;
451 Demod.output[Demod.len] = 0xfb;
452 }
453 }
454 else if(bit & 0x01) { Demod.syncBit = 0x01; }
455
456 if(Demod.syncBit) {
457 Demod.len = 0;
458 Demod.state = DEMOD_START_OF_COMMUNICATION;
459 Demod.sub = SUB_FIRST_HALF;
460 Demod.bitCount = 0;
461 Demod.shiftReg = 0;
462 Demod.parityBits = 0;
463 Demod.samples = 0;
464 if(Demod.posCount) {
534983d7 465 if(trigger) LED_A_OFF();
15c4dc5a 466 switch(Demod.syncBit) {
467 case 0x08: Demod.samples = 3; break;
468 case 0x04: Demod.samples = 2; break;
469 case 0x02: Demod.samples = 1; break;
470 case 0x01: Demod.samples = 0; break;
471 }
472 }
473 error = 0;
474 }
475 }
476 else {
477 //modulation = bit & Demod.syncBit;
478 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
479
480 Demod.samples += 4;
481
482 if(Demod.posCount==0) {
483 Demod.posCount = 1;
484 if(modulation) {
485 Demod.sub = SUB_FIRST_HALF;
486 }
487 else {
488 Demod.sub = SUB_NONE;
489 }
490 }
491 else {
492 Demod.posCount = 0;
493 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
494 if(Demod.state!=DEMOD_ERROR_WAIT) {
495 Demod.state = DEMOD_ERROR_WAIT;
496 Demod.output[Demod.len] = 0xaa;
497 error = 0x01;
498 }
499 }
500 else if(modulation) {
501 Demod.sub = SUB_SECOND_HALF;
502 }
503
504 switch(Demod.state) {
505 case DEMOD_START_OF_COMMUNICATION:
506 if(Demod.sub == SUB_FIRST_HALF) {
507 Demod.state = DEMOD_MANCHESTER_D;
508 }
509 else {
510 Demod.output[Demod.len] = 0xab;
511 Demod.state = DEMOD_ERROR_WAIT;
512 error = 0x02;
513 }
514 break;
515
516 case DEMOD_MANCHESTER_D:
517 case DEMOD_MANCHESTER_E:
518 if(Demod.sub == SUB_FIRST_HALF) {
519 Demod.bitCount++;
520 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
521 Demod.state = DEMOD_MANCHESTER_D;
522 }
523 else if(Demod.sub == SUB_SECOND_HALF) {
524 Demod.bitCount++;
525 Demod.shiftReg >>= 1;
526 Demod.state = DEMOD_MANCHESTER_E;
527 }
528 else {
529 Demod.state = DEMOD_MANCHESTER_F;
530 }
531 break;
532
533 case DEMOD_MANCHESTER_F:
534 // Tag response does not need to be a complete byte!
535 if(Demod.len > 0 || Demod.bitCount > 0) {
536 if(Demod.bitCount > 0) {
537 Demod.shiftReg >>= (9 - Demod.bitCount);
538 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
539 Demod.len++;
540 // No parity bit, so just shift a 0
541 Demod.parityBits <<= 1;
542 }
543
544 Demod.state = DEMOD_UNSYNCD;
545 return TRUE;
546 }
547 else {
548 Demod.output[Demod.len] = 0xad;
549 Demod.state = DEMOD_ERROR_WAIT;
550 error = 0x03;
551 }
552 break;
553
554 case DEMOD_ERROR_WAIT:
555 Demod.state = DEMOD_UNSYNCD;
556 break;
557
558 default:
559 Demod.output[Demod.len] = 0xdd;
560 Demod.state = DEMOD_UNSYNCD;
561 break;
562 }
563
564 if(Demod.bitCount>=9) {
565 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
566 Demod.len++;
567
568 Demod.parityBits <<= 1;
569 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
570
571 Demod.bitCount = 0;
572 Demod.shiftReg = 0;
573 }
574
575 /*if(error) {
576 Demod.output[Demod.len] = 0xBB;
577 Demod.len++;
578 Demod.output[Demod.len] = error & 0xFF;
579 Demod.len++;
580 Demod.output[Demod.len] = 0xBB;
581 Demod.len++;
582 Demod.output[Demod.len] = bit & 0xFF;
583 Demod.len++;
584 Demod.output[Demod.len] = Demod.buffer & 0xFF;
585 Demod.len++;
586 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
587 Demod.len++;
588 Demod.output[Demod.len] = 0xBB;
589 Demod.len++;
590 return TRUE;
591 }*/
592
593 }
594
595 } // end (state != UNSYNCED)
596
597 return FALSE;
598}
599
600//=============================================================================
601// Finally, a `sniffer' for ISO 14443 Type A
602// Both sides of communication!
603//=============================================================================
604
605//-----------------------------------------------------------------------------
606// Record the sequence of commands sent by the reader to the tag, with
607// triggering so that we start recording at the point that the tag is moved
608// near the reader.
609//-----------------------------------------------------------------------------
6c1e2d95 610void RAMFUNC SnoopIso14443a(void)
15c4dc5a 611{
612// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
613// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
614// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
615// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
616// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
617
618 // We won't start recording the frames that we acquire until we trigger;
619 // a good trigger condition to get started is probably when we see a
620 // response from the tag.
7e758047 621 int triggered = FALSE; // FALSE to wait first for card
15c4dc5a 622
623 // The command (reader -> tag) that we're receiving.
624 // The length of a received command will in most cases be no more than 18 bytes.
625 // So 32 should be enough!
f7e3ed82 626 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 627 // The response (tag -> reader) that we're receiving.
f7e3ed82 628 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 629
630 // As we receive stuff, we copy it from receivedCmd or receivedResponse
631 // into trace, along with its length and other annotations.
f7e3ed82 632 //uint8_t *trace = (uint8_t *)BigBuf;
d82c6ebb 633
634 traceLen = 0; // uncommented to fix ISSUE 15 - gerhard - jan2011
15c4dc5a 635
636 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 637 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 638 int lastRxCounter;
f7e3ed82 639 int8_t *upTo;
15c4dc5a 640 int smpl;
641 int maxBehindBy = 0;
642
643 // Count of samples received so far, so that we can include timing
644 // information in the trace buffer.
645 int samples = 0;
646 int rsamples = 0;
647
648 memset(trace, 0x44, RECV_CMD_OFFSET);
649
650 // Set up the demodulator for tag -> reader responses.
651 Demod.output = receivedResponse;
652 Demod.len = 0;
653 Demod.state = DEMOD_UNSYNCD;
654
7e758047 655 // Setup for the DMA.
656 FpgaSetupSsc();
657 upTo = dmaBuf;
658 lastRxCounter = DMA_BUFFER_SIZE;
659 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
660
15c4dc5a 661 // And the reader -> tag commands
662 memset(&Uart, 0, sizeof(Uart));
663 Uart.output = receivedCmd;
664 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
665 Uart.state = STATE_UNSYNCD;
666
667 // And put the FPGA in the appropriate mode
668 // Signal field is off with the appropriate LED
669 LED_D_OFF();
670 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
671 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
672
15c4dc5a 673
674 // And now we loop, receiving samples.
675 for(;;) {
7e758047 676 LED_A_ON();
677 WDT_HIT();
15c4dc5a 678 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
679 (DMA_BUFFER_SIZE-1);
680 if(behindBy > maxBehindBy) {
681 maxBehindBy = behindBy;
682 if(behindBy > 400) {
7e758047 683 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
15c4dc5a 684 goto done;
685 }
686 }
687 if(behindBy < 1) continue;
688
7e758047 689 LED_A_OFF();
15c4dc5a 690 smpl = upTo[0];
691 upTo++;
692 lastRxCounter -= 1;
693 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
694 upTo -= DMA_BUFFER_SIZE;
695 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 696 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 697 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
698 }
699
700 samples += 4;
7e758047 701 if(MillerDecoding((smpl & 0xF0) >> 4)) {
15c4dc5a 702 rsamples = samples - Uart.samples;
72934aa3 703 LED_C_ON();
7e758047 704 if(triggered) {
705 trace[traceLen++] = ((rsamples >> 0) & 0xff);
72934aa3 706 trace[traceLen++] = ((rsamples >> 8) & 0xff);
707 trace[traceLen++] = ((rsamples >> 16) & 0xff);
708 trace[traceLen++] = ((rsamples >> 24) & 0xff);
7e758047 709 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
710 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
711 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
712 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
72934aa3 713 trace[traceLen++] = Uart.byteCnt;
714 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
715 traceLen += Uart.byteCnt;
716 if(traceLen > TRACE_LENGTH) break;
717 }
718 /* And ready to receive another command. */
719 Uart.state = STATE_UNSYNCD;
720 /* And also reset the demod code, which might have been */
721 /* false-triggered by the commands from the reader. */
722 Demod.state = DEMOD_UNSYNCD;
7e758047 723 LED_B_OFF();
15c4dc5a 724 }
7e758047 725
726 if(ManchesterDecoding(smpl & 0x0F)) {
727 rsamples = samples - Demod.samples;
728 LED_B_ON();
729
730 // timestamp, as a count of samples
731 trace[traceLen++] = ((rsamples >> 0) & 0xff);
732 trace[traceLen++] = ((rsamples >> 8) & 0xff);
733 trace[traceLen++] = ((rsamples >> 16) & 0xff);
734 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
735 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
736 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
737 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
738 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
739 // length
740 trace[traceLen++] = Demod.len;
741 memcpy(trace+traceLen, receivedResponse, Demod.len);
742 traceLen += Demod.len;
743 if(traceLen > TRACE_LENGTH) break;
744
745 triggered = TRUE;
15c4dc5a 746
747 // And ready to receive another response.
748 memset(&Demod, 0, sizeof(Demod));
749 Demod.output = receivedResponse;
750 Demod.state = DEMOD_UNSYNCD;
7e758047 751 LED_C_OFF();
752 }
15c4dc5a 753
754 if(BUTTON_PRESS()) {
755 DbpString("cancelled_a");
756 goto done;
757 }
758 }
759
760 DbpString("COMMAND FINISHED");
761
762 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
763 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
764
765done:
766 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
767 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
768 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
769 LED_A_OFF();
770 LED_B_OFF();
771 LED_C_OFF();
772 LED_D_OFF();
773}
774
15c4dc5a 775//-----------------------------------------------------------------------------
776// Prepare tag messages
777//-----------------------------------------------------------------------------
f7e3ed82 778static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 779{
780 int i;
781 int oddparity;
782
783 ToSendReset();
784
785 // Correction bit, might be removed when not needed
786 ToSendStuffBit(0);
787 ToSendStuffBit(0);
788 ToSendStuffBit(0);
789 ToSendStuffBit(0);
790 ToSendStuffBit(1); // 1
791 ToSendStuffBit(0);
792 ToSendStuffBit(0);
793 ToSendStuffBit(0);
794
795 // Send startbit
72934aa3 796 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 797
798 for(i = 0; i < len; i++) {
799 int j;
f7e3ed82 800 uint8_t b = cmd[i];
15c4dc5a 801
802 // Data bits
803 oddparity = 0x01;
804 for(j = 0; j < 8; j++) {
805 oddparity ^= (b & 1);
806 if(b & 1) {
72934aa3 807 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 808 } else {
72934aa3 809 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 810 }
811 b >>= 1;
812 }
813
814 // Parity bit
815 if(oddparity) {
72934aa3 816 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 817 } else {
72934aa3 818 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 819 }
820 }
821
822 // Send stopbit
72934aa3 823 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 824
825 // Flush the buffer in FPGA!!
826 for(i = 0; i < 5; i++) {
72934aa3 827 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 828 }
829
830 // Convert from last byte pos to length
831 ToSendMax++;
832
833 // Add a few more for slop
834 ToSend[ToSendMax++] = 0x00;
835 ToSend[ToSendMax++] = 0x00;
836 //ToSendMax += 2;
837}
838
839//-----------------------------------------------------------------------------
840// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
841//-----------------------------------------------------------------------------
842static void CodeStrangeAnswer()
843{
844 int i;
845
846 ToSendReset();
847
848 // Correction bit, might be removed when not needed
849 ToSendStuffBit(0);
850 ToSendStuffBit(0);
851 ToSendStuffBit(0);
852 ToSendStuffBit(0);
853 ToSendStuffBit(1); // 1
854 ToSendStuffBit(0);
855 ToSendStuffBit(0);
856 ToSendStuffBit(0);
857
858 // Send startbit
72934aa3 859 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 860
861 // 0
72934aa3 862 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 863
864 // 0
72934aa3 865 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 866
867 // 1
72934aa3 868 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 869
870 // Send stopbit
72934aa3 871 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 872
873 // Flush the buffer in FPGA!!
874 for(i = 0; i < 5; i++) {
72934aa3 875 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 876 }
877
878 // Convert from last byte pos to length
879 ToSendMax++;
880
881 // Add a few more for slop
882 ToSend[ToSendMax++] = 0x00;
883 ToSend[ToSendMax++] = 0x00;
884 //ToSendMax += 2;
885}
886
887//-----------------------------------------------------------------------------
888// Wait for commands from reader
889// Stop when button is pressed
890// Or return TRUE when command is captured
891//-----------------------------------------------------------------------------
f7e3ed82 892static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 893{
894 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
895 // only, since we are receiving, not transmitting).
896 // Signal field is off with the appropriate LED
897 LED_D_OFF();
898 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
899
900 // Now run a `software UART' on the stream of incoming samples.
901 Uart.output = received;
902 Uart.byteCntMax = maxLen;
903 Uart.state = STATE_UNSYNCD;
904
905 for(;;) {
906 WDT_HIT();
907
908 if(BUTTON_PRESS()) return FALSE;
909
910 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
911 AT91C_BASE_SSC->SSC_THR = 0x00;
912 }
913 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 914 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 915 if(MillerDecoding((b & 0xf0) >> 4)) {
916 *len = Uart.byteCnt;
917 return TRUE;
918 }
919 if(MillerDecoding(b & 0x0f)) {
920 *len = Uart.byteCnt;
921 return TRUE;
922 }
923 }
924 }
925}
926
927//-----------------------------------------------------------------------------
928// Main loop of simulated tag: receive commands from reader, decide what
929// response to send, and send it.
930//-----------------------------------------------------------------------------
931void SimulateIso14443aTag(int tagType, int TagUid)
932{
933 // This function contains the tag emulation
934
935 // Prepare protocol messages
f7e3ed82 936 // static const uint8_t cmd1[] = { 0x26 };
937// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 938//
f7e3ed82 939 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
940// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 941
942 // UID response
f7e3ed82 943 // static const uint8_t cmd2[] = { 0x93, 0x20 };
944 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 945
15c4dc5a 946// my desfire
f7e3ed82 947 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 948
949
950// When reader selects us during cascade1 it will send cmd3
f7e3ed82 951//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
952uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 953ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
954
955// send cascade2 2nd half of UID
f7e3ed82 956static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 957// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
958
15c4dc5a 959// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 960//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
961uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 962ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
963
f7e3ed82 964 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 965
f7e3ed82 966 uint8_t *resp;
15c4dc5a 967 int respLen;
968
969 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
970 // This will need
971 // 144 data bits (18 * 8)
972 // 18 parity bits
973 // 2 Start and stop
974 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
975 // 1 just for the case
976 // ----------- +
977 // 166
978 //
979 // 166 bytes, since every bit that needs to be send costs us a byte
980 //
981
15c4dc5a 982 // Respond with card type
f7e3ed82 983 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 984 int resp1Len;
985
986 // Anticollision cascade1 - respond with uid
f7e3ed82 987 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 988 int resp2Len;
989
990 // Anticollision cascade2 - respond with 2nd half of uid if asked
991 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 992 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 993 int resp2aLen;
994
995 // Acknowledge select - cascade 1
f7e3ed82 996 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 997 int resp3Len;
998
999 // Acknowledge select - cascade 2
f7e3ed82 1000 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1001 int resp3aLen;
1002
1003 // Response to a read request - not implemented atm
f7e3ed82 1004 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1005 int resp4Len;
1006
1007 // Authenticate response - nonce
f7e3ed82 1008 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1009 int resp5Len;
1010
f7e3ed82 1011 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1012 int len;
1013
1014 int i;
1015 int u;
f7e3ed82 1016 uint8_t b;
15c4dc5a 1017
1018 // To control where we are in the protocol
1019 int order = 0;
1020 int lastorder;
1021
1022 // Just to allow some checks
1023 int happened = 0;
1024 int happened2 = 0;
1025
1026 int cmdsRecvd = 0;
1027
f7e3ed82 1028 int fdt_indicator;
15c4dc5a 1029
1030 memset(receivedCmd, 0x44, 400);
1031
1032 // Prepare the responses of the anticollision phase
1033 // there will be not enough time to do this at the moment the reader sends it REQA
1034
1035 // Answer to request
1036 CodeIso14443aAsTag(response1, sizeof(response1));
1037 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1038
1039 // Send our UID (cascade 1)
1040 CodeIso14443aAsTag(response2, sizeof(response2));
1041 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1042
1043 // Answer to select (cascade1)
1044 CodeIso14443aAsTag(response3, sizeof(response3));
1045 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1046
1047 // Send the cascade 2 2nd part of the uid
1048 CodeIso14443aAsTag(response2a, sizeof(response2a));
1049 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1050
1051 // Answer to select (cascade 2)
1052 CodeIso14443aAsTag(response3a, sizeof(response3a));
1053 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1054
1055 // Strange answer is an example of rare message size (3 bits)
1056 CodeStrangeAnswer();
1057 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1058
1059 // Authentication answer (random nonce)
1060 CodeIso14443aAsTag(response5, sizeof(response5));
1061 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1062
1063 // We need to listen to the high-frequency, peak-detected path.
1064 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1065 FpgaSetupSsc();
1066
1067 cmdsRecvd = 0;
1068
1069 LED_A_ON();
1070 for(;;) {
1071
1072 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1073 DbpString("button press");
1074 break;
1075 }
1076 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1077 // Okay, look at the command now.
1078 lastorder = order;
1079 i = 1; // first byte transmitted
1080 if(receivedCmd[0] == 0x26) {
1081 // Received a REQUEST
1082 resp = resp1; respLen = resp1Len; order = 1;
1083 //DbpString("Hello request from reader:");
1084 } else if(receivedCmd[0] == 0x52) {
1085 // Received a WAKEUP
1086 resp = resp1; respLen = resp1Len; order = 6;
1087// //DbpString("Wakeup request from reader:");
1088
1089 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1090 // Received request for UID (cascade 1)
1091 resp = resp2; respLen = resp2Len; order = 2;
1092// DbpString("UID (cascade 1) request from reader:");
1093// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1094
1095
1096 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1097 // Received request for UID (cascade 2)
1098 resp = resp2a; respLen = resp2aLen; order = 20;
1099// DbpString("UID (cascade 2) request from reader:");
1100// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1101
1102
1103 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1104 // Received a SELECT
1105 resp = resp3; respLen = resp3Len; order = 3;
1106// DbpString("Select (cascade 1) request from reader:");
1107// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1108
1109
1110 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1111 // Received a SELECT
1112 resp = resp3a; respLen = resp3aLen; order = 30;
1113// DbpString("Select (cascade 2) request from reader:");
1114// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1115
1116
1117 } else if(receivedCmd[0] == 0x30) {
1118 // Received a READ
1119 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1120 Dbprintf("Read request from reader: %x %x %x",
1121 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1122
1123
1124 } else if(receivedCmd[0] == 0x50) {
1125 // Received a HALT
1126 resp = resp1; respLen = 0; order = 5; // Do nothing
1127 DbpString("Reader requested we HALT!:");
1128
1129 } else if(receivedCmd[0] == 0x60) {
1130 // Received an authentication request
1131 resp = resp5; respLen = resp5Len; order = 7;
1132 Dbprintf("Authenticate request from reader: %x %x %x",
1133 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1134
1135 } else if(receivedCmd[0] == 0xE0) {
1136 // Received a RATS request
1137 resp = resp1; respLen = 0;order = 70;
1138 Dbprintf("RATS request from reader: %x %x %x",
1139 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1140 } else {
1141 // Never seen this command before
1142 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1143 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1144 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1145 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1146 // Do not respond
1147 resp = resp1; respLen = 0; order = 0;
1148 }
1149
1150 // Count number of wakeups received after a halt
1151 if(order == 6 && lastorder == 5) { happened++; }
1152
1153 // Count number of other messages after a halt
1154 if(order != 6 && lastorder == 5) { happened2++; }
1155
1156 // Look at last parity bit to determine timing of answer
1157 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1158 // 1236, so correction bit needed
1159 i = 0;
1160 }
1161
1162 memset(receivedCmd, 0x44, 32);
1163
1164 if(cmdsRecvd > 999) {
1165 DbpString("1000 commands later...");
1166 break;
1167 }
1168 else {
1169 cmdsRecvd++;
1170 }
1171
1172 if(respLen <= 0) continue;
1173
1174 // Modulate Manchester
1175 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1176 AT91C_BASE_SSC->SSC_THR = 0x00;
1177 FpgaSetupSsc();
1178
1179 // ### Transmit the response ###
1180 u = 0;
1181 b = 0x00;
1182 fdt_indicator = FALSE;
1183 for(;;) {
1184 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1185 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1186 (void)b;
1187 }
1188 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1189 if(i > respLen) {
1190 b = 0x00;
1191 u++;
1192 } else {
1193 b = resp[i];
1194 i++;
1195 }
1196 AT91C_BASE_SSC->SSC_THR = b;
1197
1198 if(u > 4) {
1199 break;
1200 }
1201 }
1202 if(BUTTON_PRESS()) {
1203 break;
1204 }
1205 }
1206
1207 }
1208
1209 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1210 LED_A_OFF();
1211}
1212
1213//-----------------------------------------------------------------------------
1214// Transmit the command (to the tag) that was placed in ToSend[].
1215//-----------------------------------------------------------------------------
f7e3ed82 1216static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1217{
1218 int c;
e30c654b 1219
15c4dc5a 1220 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1221
15c4dc5a 1222 if (wait)
1223 if(*wait < 10)
1224 *wait = 10;
e30c654b 1225
15c4dc5a 1226 for(c = 0; c < *wait;) {
1227 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1228 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1229 c++;
1230 }
1231 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1232 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1233 (void)r;
1234 }
1235 WDT_HIT();
1236 }
e30c654b 1237
15c4dc5a 1238 c = 0;
1239 for(;;) {
1240 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1241 AT91C_BASE_SSC->SSC_THR = cmd[c];
1242 c++;
1243 if(c >= len) {
1244 break;
1245 }
1246 }
1247 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1248 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1249 (void)r;
1250 }
1251 WDT_HIT();
1252 }
1253 if (samples) *samples = (c + *wait) << 3;
1254}
1255
15c4dc5a 1256//-----------------------------------------------------------------------------
1257// Code a 7-bit command without parity bit
1258// This is especially for 0x26 and 0x52 (REQA and WUPA)
1259//-----------------------------------------------------------------------------
f7e3ed82 1260void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1261{
1262 int j;
1263 int last;
f7e3ed82 1264 uint8_t b;
15c4dc5a 1265
1266 ToSendReset();
1267
1268 // Start of Communication (Seq. Z)
72934aa3 1269 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1270 last = 0;
1271
1272 b = bt;
1273 for(j = 0; j < 7; j++) {
1274 if(b & 1) {
1275 // Sequence X
72934aa3 1276 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1277 last = 1;
1278 } else {
1279 if(last == 0) {
1280 // Sequence Z
72934aa3 1281 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1282 }
1283 else {
1284 // Sequence Y
72934aa3 1285 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1286 last = 0;
1287 }
1288 }
1289 b >>= 1;
1290 }
1291
1292 // End of Communication
1293 if(last == 0) {
1294 // Sequence Z
72934aa3 1295 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1296 }
1297 else {
1298 // Sequence Y
72934aa3 1299 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1300 last = 0;
1301 }
1302 // Sequence Y
72934aa3 1303 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1304
1305 // Just to be sure!
72934aa3 1306 ToSend[++ToSendMax] = SEC_Y;
1307 ToSend[++ToSendMax] = SEC_Y;
1308 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1309
1310 // Convert from last character reference to length
1311 ToSendMax++;
1312}
1313
1314//-----------------------------------------------------------------------------
1315// Prepare reader command to send to FPGA
e30c654b 1316//
15c4dc5a 1317//-----------------------------------------------------------------------------
f7e3ed82 1318void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1319{
1320 int i, j;
1321 int last;
f7e3ed82 1322 uint8_t b;
e30c654b 1323
15c4dc5a 1324 ToSendReset();
e30c654b 1325
15c4dc5a 1326 // Start of Communication (Seq. Z)
72934aa3 1327 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1328 last = 0;
e30c654b 1329
15c4dc5a 1330 // Generate send structure for the data bits
1331 for (i = 0; i < len; i++) {
1332 // Get the current byte to send
1333 b = cmd[i];
e30c654b 1334
15c4dc5a 1335 for (j = 0; j < 8; j++) {
1336 if (b & 1) {
1337 // Sequence X
72934aa3 1338 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1339 last = 1;
1340 } else {
1341 if (last == 0) {
1342 // Sequence Z
72934aa3 1343 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1344 } else {
1345 // Sequence Y
72934aa3 1346 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1347 last = 0;
1348 }
1349 }
1350 b >>= 1;
1351 }
e30c654b 1352
15c4dc5a 1353 // Get the parity bit
1354 if ((dwParity >> i) & 0x01) {
1355 // Sequence X
72934aa3 1356 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1357 last = 1;
1358 } else {
1359 if (last == 0) {
1360 // Sequence Z
72934aa3 1361 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1362 } else {
1363 // Sequence Y
72934aa3 1364 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1365 last = 0;
1366 }
1367 }
1368 }
e30c654b 1369
15c4dc5a 1370 // End of Communication
1371 if (last == 0) {
1372 // Sequence Z
72934aa3 1373 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1374 } else {
1375 // Sequence Y
72934aa3 1376 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1377 last = 0;
1378 }
1379 // Sequence Y
72934aa3 1380 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1381
15c4dc5a 1382 // Just to be sure!
72934aa3 1383 ToSend[++ToSendMax] = SEC_Y;
1384 ToSend[++ToSendMax] = SEC_Y;
1385 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1386
15c4dc5a 1387 // Convert from last character reference to length
1388 ToSendMax++;
1389}
1390
1391//-----------------------------------------------------------------------------
1392// Wait a certain time for tag response
1393// If a response is captured return TRUE
1394// If it takes to long return FALSE
1395//-----------------------------------------------------------------------------
f7e3ed82 1396static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1397{
1398 // buffer needs to be 512 bytes
1399 int c;
1400
1401 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1402 // only, since we are receiving, not transmitting).
1403 // Signal field is on with the appropriate LED
1404 LED_D_ON();
1405 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1406
534983d7 1407 // Now get the answer from the card
1408 Demod.output = receivedResponse;
1409 Demod.len = 0;
1410 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1411
f7e3ed82 1412 uint8_t b;
15c4dc5a 1413 if (elapsed) *elapsed = 0;
1414
1415 c = 0;
1416 for(;;) {
534983d7 1417 WDT_HIT();
15c4dc5a 1418
534983d7 1419 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1420 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1421 if (elapsed) (*elapsed)++;
534983d7 1422 }
1423 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1424 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1425 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1426 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1427 *samples = ((c - 1) << 3) + 4;
1428 return TRUE;
1429 }
1430 if(ManchesterDecoding(b & 0x0f)) {
1431 *samples = c << 3;
1432 return TRUE;
1433 }
534983d7 1434 }
1435 }
15c4dc5a 1436}
1437
f7e3ed82 1438void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1439{
1440 int wait = 0;
1441 int samples = 0;
1442
1443 ShortFrameFromReader(*bt);
e30c654b 1444
15c4dc5a 1445 // Select the card
e30c654b 1446 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1447
15c4dc5a 1448 // Store reader command in buffer
1449 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1450}
1451
f7e3ed82 1452void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1453{
1454 int wait = 0;
1455 int samples = 0;
e30c654b 1456
15c4dc5a 1457 // This is tied to other size changes
f7e3ed82 1458 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1459 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1460
15c4dc5a 1461 // Select the card
e30c654b 1462 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1463 if(trigger)
1464 LED_A_ON();
e30c654b 1465
15c4dc5a 1466 // Store reader command in buffer
1467 if (tracing) LogTrace(frame,len,0,par,TRUE);
1468}
1469
1470
f7e3ed82 1471void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1472{
1473 // Generate parity and redirect
1474 ReaderTransmitPar(frame,len,GetParity(frame,len));
1475}
1476
f7e3ed82 1477int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1478{
1479 int samples = 0;
1480 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1481 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1482 if(samples == 0) return FALSE;
1483 return Demod.len;
15c4dc5a 1484}
1485
7e758047 1486/* performs iso14443a anticolision procedure
534983d7 1487 * fills the uid pointer unless NULL
1488 * fills resp_data unless NULL */
1489int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data) {
f7e3ed82 1490 uint8_t wupa[] = { 0x52 };
1491 uint8_t sel_all[] = { 0x93,0x20 };
1492 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
7e758047 1493 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
15c4dc5a 1494
7e758047 1495 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1496 uint8_t* uid = resp + 7;
15c4dc5a 1497
534983d7 1498 uint8_t sak = 0x04; // cascade uid
1499 int cascade_level = 0;
1500
7e758047 1501 int len;
15c4dc5a 1502
7e758047 1503 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1504 ReaderTransmitShort(wupa);
1505 // Receive the ATQA
1506 if(!ReaderReceive(resp)) return 0;
15c4dc5a 1507
534983d7 1508 if(resp_data)
1509 memcpy(resp_data->atqa, resp, 2);
1510
1511 ReaderTransmit(sel_all,sizeof(sel_all));
7e758047 1512 if(!ReaderReceive(uid)) return 0;
15c4dc5a 1513
534983d7 1514 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
7e758047 1515 // which case we need to make a cascade 2 request and select - this is a long UID
534983d7 1516 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1517 for(; sak & 0x04; cascade_level++)
7e758047 1518 {
534983d7 1519 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1520 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1521
1522 // SELECT_ALL
1523 ReaderTransmit(sel_all,sizeof(sel_all));
1524 if (!ReaderReceive(resp)) return 0;
1525 if(uid_ptr) memcpy(uid_ptr + cascade_level*4, resp, 4);
e30c654b 1526
7e758047 1527 // Construct SELECT UID command
534983d7 1528 memcpy(sel_uid+2,resp,5);
1529 AppendCrc14443a(sel_uid,7);
1530 ReaderTransmit(sel_uid,sizeof(sel_uid));
1531
7e758047 1532 // Receive the SAK
1533 if (!ReaderReceive(resp)) return 0;
534983d7 1534 sak = resp[0];
7e758047 1535 }
534983d7 1536 if(resp_data) {
1537 resp_data->sak = sak;
1538 resp_data->ats_len = 0;
1539 }
1540
1541 if( (sak & 0x20) == 0)
7e758047 1542 return 2; // non iso14443a compliant tag
534983d7 1543
7e758047 1544 // Request for answer to select
1545 AppendCrc14443a(rats, 2);
1546 ReaderTransmit(rats, sizeof(rats));
1547 if (!(len = ReaderReceive(resp))) return 0;
534983d7 1548 if(resp_data) {
1549 memcpy(resp_data->ats, resp, sizeof(resp_data->ats));
1550 resp_data->ats_len = len;
1551 }
1552
7e758047 1553 return 1;
1554}
15c4dc5a 1555
7e758047 1556void iso14443a_setup() {
1557 // Setup SSC
1558 FpgaSetupSsc();
1559 // Start from off (no field generated)
1560 // Signal field is off with the appropriate LED
1561 LED_D_OFF();
1562 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1563 SpinDelay(200);
15c4dc5a 1564
7e758047 1565 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1566
7e758047 1567 // Now give it time to spin up.
1568 // Signal field is on with the appropriate LED
1569 LED_D_ON();
1570 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1571 SpinDelay(200);
534983d7 1572
1573 iso14a_timeout = 2048; //default
7e758047 1574}
15c4dc5a 1575
534983d7 1576int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1577 uint8_t real_cmd[cmd_len+4];
1578 real_cmd[0] = 0x0a; //I-Block
1579 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1580 memcpy(real_cmd+2, cmd, cmd_len);
1581 AppendCrc14443a(real_cmd,cmd_len+2);
1582
1583 ReaderTransmit(real_cmd, cmd_len+4);
1584 size_t len = ReaderReceive(data);
1585 if(!len)
1586 return -1; //DATA LINK ERROR
1587
1588 return len;
1589}
1590
1591
7e758047 1592//-----------------------------------------------------------------------------
1593// Read an ISO 14443a tag. Send out commands and store answers.
1594//
1595//-----------------------------------------------------------------------------
534983d7 1596void ReaderIso14443a(UsbCommand * c, UsbCommand * ack)
7e758047 1597{
534983d7 1598 iso14a_command_t param = c->arg[0];
1599 uint8_t * cmd = c->d.asBytes;
1600 size_t len = c->arg[1];
e30c654b 1601
534983d7 1602 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(1);
15c4dc5a 1603
534983d7 1604 if(param & ISO14A_CONNECT) {
1605 iso14443a_setup();
1606 ack->arg[0] = iso14443a_select_card(ack->d.asBytes, (iso14a_card_select_t *) (ack->d.asBytes+12));
1607 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1608 }
e30c654b 1609
534983d7 1610 if(param & ISO14A_SET_TIMEOUT) {
1611 iso14a_timeout = c->arg[2];
1612 }
e30c654b 1613
534983d7 1614 if(param & ISO14A_SET_TIMEOUT) {
1615 iso14a_timeout = c->arg[2];
1616 }
e30c654b 1617
534983d7 1618 if(param & ISO14A_APDU) {
1619 ack->arg[0] = iso14_apdu(cmd, len, ack->d.asBytes);
1620 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1621 }
e30c654b 1622
534983d7 1623 if(param & ISO14A_RAW) {
1624 if(param & ISO14A_APPEND_CRC) {
1625 AppendCrc14443a(cmd,len);
1626 len += 2;
15c4dc5a 1627 }
534983d7 1628 ReaderTransmit(cmd,len);
1629 ack->arg[0] = ReaderReceive(ack->d.asBytes);
1630 UsbSendPacket((void *)ack, sizeof(UsbCommand));
1631 }
15c4dc5a 1632
534983d7 1633 if(param & ISO14A_REQUEST_TRIGGER) iso14a_set_trigger(0);
15c4dc5a 1634
534983d7 1635 if(param & ISO14A_NO_DISCONNECT)
1636 return;
15c4dc5a 1637
15c4dc5a 1638 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1639 LEDsoff();
15c4dc5a 1640}
15c4dc5a 1641//-----------------------------------------------------------------------------
1642// Read an ISO 14443a tag. Send out commands and store answers.
1643//
1644//-----------------------------------------------------------------------------
f7e3ed82 1645void ReaderMifare(uint32_t parameter)
15c4dc5a 1646{
15c4dc5a 1647 // Mifare AUTH
f7e3ed82 1648 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1649 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1650
f7e3ed82 1651 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1652 traceLen = 0;
1653 tracing = false;
e30c654b 1654
7e758047 1655 iso14443a_setup();
e30c654b 1656
15c4dc5a 1657 LED_A_ON();
1658 LED_B_OFF();
1659 LED_C_OFF();
e30c654b 1660
15c4dc5a 1661 byte_t nt_diff = 0;
1662 LED_A_OFF();
1663 byte_t par = 0;
1664 byte_t par_mask = 0xff;
1665 byte_t par_low = 0;
f7e3ed82 1666 int led_on = TRUE;
e30c654b 1667
15c4dc5a 1668 tracing = FALSE;
1669 byte_t nt[4];
1670 byte_t nt_attacked[4];
1671 byte_t par_list[8];
1672 byte_t ks_list[8];
1673 num_to_bytes(parameter,4,nt_attacked);
1674
1675 while(TRUE)
1676 {
1677 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1678 SpinDelay(200);
1679 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1680
15c4dc5a 1681 // Test if the action was cancelled
1682 if(BUTTON_PRESS()) {
1683 break;
1684 }
e30c654b 1685
534983d7 1686 if(!iso14443a_select_card(NULL, NULL)) continue;
e30c654b 1687
15c4dc5a 1688 // Transmit MIFARE_CLASSIC_AUTH
1689 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1690
15c4dc5a 1691 // Receive the (16 bit) "random" nonce
1692 if (!ReaderReceive(receivedAnswer)) continue;
1693 memcpy(nt,receivedAnswer,4);
1694
1695 // Transmit reader nonce and reader answer
1696 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1697
15c4dc5a 1698 // Receive 4 bit answer
1699 if (ReaderReceive(receivedAnswer))
1700 {
e30c654b 1701 if (nt_diff == 0)
15c4dc5a 1702 {
1703 LED_A_ON();
1704 memcpy(nt_attacked,nt,4);
1705 par_mask = 0xf8;
1706 par_low = par & 0x07;
1707 }
1708
1709 if (memcmp(nt,nt_attacked,4) != 0) continue;
1710
1711 led_on = !led_on;
1712 if(led_on) LED_B_ON(); else LED_B_OFF();
1713 par_list[nt_diff] = par;
1714 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1715
15c4dc5a 1716 // Test if the information is complete
1717 if (nt_diff == 0x07) break;
e30c654b 1718
15c4dc5a 1719 nt_diff = (nt_diff+1) & 0x07;
1720 mf_nr_ar[3] = nt_diff << 5;
1721 par = par_low;
1722 } else {
1723 if (nt_diff == 0)
1724 {
1725 par++;
1726 } else {
1727 par = (((par>>3)+1) << 3) | par_low;
1728 }
1729 }
1730 }
e30c654b 1731
72934aa3 1732 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1733 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1734 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
e30c654b 1735
15c4dc5a 1736 // Thats it...
1737 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1738 LEDsoff();
1739 tracing = TRUE;
1740}
Proxmark3 GIT tracking
Impressum, Datenschutz