]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/hitagS.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Added mifare trailer block decoding for sector commands (#734)
[proxmark3-svn] / armsrc / hitagS.c
CommitLineData
4e12287d
RS		 1//-----------------------------------------------------------------------------
2// This code is licensed to you under the terms of the GNU GPL, version 2 or,
3// at your option, any later version. See the LICENSE.txt file for the text of
4// the license.
5//-----------------------------------------------------------------------------
6// HitagS emulation (preliminary test version)
7//
8// (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9// <info@os-s.de>
10//-----------------------------------------------------------------------------
11// Some code was copied from Hitag2.c
12//-----------------------------------------------------------------------------
13
14
4e12287d
RS		 15#include <stdlib.h>
16#include "proxmark3.h"
17#include "apps.h"
18#include "util.h"
19#include "hitagS.h"
20#include "hitag2.h"
21#include "string.h"
22#include "BigBuf.h"
23
24#define CRC_PRESET 0xFF
25#define CRC_POLYNOM 0x1D
26
27#define u8 uint8_t
28#define u32 uint32_t
29#define u64 uint64_t
30#define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
31#define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
32#define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
33#define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
34#define bit(x,n) (((x)>>(n))&1)
35#define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
36#define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
37#define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
38
39static bool bQuiet;
40static bool bSuccessful;
41static struct hitagS_tag tag;
42static byte_t page_to_be_written = 0;
43static int block_data_left = 0;
44typedef enum modulation {
45 AC2K = 0, AC4K, MC4K, MC8K
46} MOD;
47static MOD m = AC2K; //used modulation
48static uint32_t temp_uid;
49static int temp2 = 0;
50static int sof_bits; //number of start-of-frame bits
51static byte_t pwdh0, pwdl0, pwdl1; //password bytes
52static uint32_t rnd = 0x74124485; //randomnumber
53static int test = 0;
54size_t blocknr;
55bool end=false;
56
57// Single bit Hitag2 functions:
58#define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
59static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
60static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
61static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
62#define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
63#define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
64#define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
65#define uf20bs u32
66
67static u32 f20(const u64 x) {
68 u32 i5;
69
70 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
71 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
72 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
73 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
74 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
75
76 return (ht2_f5c >> i5) & 1;
77}
78static u64 hitag2_round(u64 *state) {
79 u64 x = *state;
80
81 x = (x >> 1)
82 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
83 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
84 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
85 & 1) << 47);
86
87 *state = x;
88 return f20(x);
89}
90static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
91 u32 i;
92 u64 x = ((key & 0xFFFF) << 32) + serial;
93 for (i = 0; i < 32; i++) {
94 x >>= 1;
95 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
96 }
97 return x;
98}
99static u32 hitag2_byte(u64 *x) {
100 u32 i, c;
101
102 for (i = 0, c = 0; i < 8; i++)
103 c += (u32) hitag2_round(x) << (i ^ 7);
104 return c;
105}
106
107// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
108// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
109// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
110// T0 = TIMER_CLOCK1 / 125000 = 192
111#define T0 192
112
113#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
114#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
115
116#define HITAG_FRAME_LEN 20
117#define HITAG_T_STOP 36 /* T_EOF should be > 36 */
118#define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
119#define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
120#define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
121//#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
122#define HITAG_T_EOF 80 /* T_EOF should be > 36 */
123#define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
124#define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
125#define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
126
127#define HITAG_T_TAG_ONE_HALF_PERIOD 10
128#define HITAG_T_TAG_TWO_HALF_PERIOD 25
129#define HITAG_T_TAG_THREE_HALF_PERIOD 41
130#define HITAG_T_TAG_FOUR_HALF_PERIOD 57
131
132#define HITAG_T_TAG_HALF_PERIOD 16
133#define HITAG_T_TAG_FULL_PERIOD 32
134
135#define HITAG_T_TAG_CAPTURE_ONE_HALF 13
136#define HITAG_T_TAG_CAPTURE_TWO_HALF 25
137#define HITAG_T_TAG_CAPTURE_THREE_HALF 41
138#define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
139
140#define DEBUG 0
141
142/*
143 * Implementation of the crc8 calculation from Hitag S
144 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
145 */
146void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
147 *crc ^= data; // crc = crc (exor) data
148 do {
149 if (*crc & 0x80) // if (MSB-CRC == 1)
150 {
151 *crc <<= 1; // CRC = CRC Bit-shift left
152 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
153 } else {
154 *crc <<= 1; // CRC = CRC Bit-shift left
155 }
156 } while (--Bitcount);
157}
158
7b6e3205 159
4e12287d
RS		 160static void hitag_send_bit(int bit) {
161 LED_A_ON();
162 // Reset clock for the next bit
163 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
164
165 switch (m) {
7b6e3205 166 case AC2K:
167 if (bit == 0) {
168 // AC Coding --__
169 HIGH(GPIO_SSC_DOUT);
170 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
171 ;
172 LOW(GPIO_SSC_DOUT);
173 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
174 ;
175 } else {
176 // AC coding -_-_
177 HIGH(GPIO_SSC_DOUT);
178 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
179 ;
180 LOW(GPIO_SSC_DOUT);
181 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
182 ;
183 HIGH(GPIO_SSC_DOUT);
184 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
185 ;
186 LOW(GPIO_SSC_DOUT);
187 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
188 ;;
189 }
190 LED_A_OFF();
191 break;
192 case AC4K:
193 if (bit == 0) {
194 // AC Coding --__
195 HIGH(GPIO_SSC_DOUT);
196 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
197 ;
198 LOW(GPIO_SSC_DOUT);
199 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
200 ;
201 } else {
202 // AC coding -_-_
203 HIGH(GPIO_SSC_DOUT);
204 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
205 ;
206 LOW(GPIO_SSC_DOUT);
207 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
208 ;
209 HIGH(GPIO_SSC_DOUT);
210 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
211 ;
212 LOW(GPIO_SSC_DOUT);
213 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
214 ;
215 }
216 LED_A_OFF();
217 break;
218 case MC4K:
219 if (bit == 0) {
220 // Manchester: Unloaded, then loaded |__--|
221 LOW(GPIO_SSC_DOUT);
222 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
223 ;
224 HIGH(GPIO_SSC_DOUT);
225 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
226 ;
227 } else {
228 // Manchester: Loaded, then unloaded |--__|
229 HIGH(GPIO_SSC_DOUT);
230 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
231 ;
232 LOW(GPIO_SSC_DOUT);
233 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
234 ;
235 }
236 LED_A_OFF();
237 break;
238 case MC8K:
239 if (bit == 0) {
240 // Manchester: Unloaded, then loaded |__--|
241 LOW(GPIO_SSC_DOUT);
242 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
243 ;
244 HIGH(GPIO_SSC_DOUT);
245 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
246 ;
247 } else {
248 // Manchester: Loaded, then unloaded |--__|
249 HIGH(GPIO_SSC_DOUT);
250 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
251 ;
252 LOW(GPIO_SSC_DOUT);
253 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
254 ;
255 }
256 LED_A_OFF();
257 break;
258 default:
259 break;
4e12287d
RS		 260 }
261}
262
7b6e3205 263static void hitag_tag_send_frame(const byte_t* frame, size_t frame_len) {
4e12287d 264// Send start of frame
4e12287d
RS		 265 for (size_t i = 0; i < sof_bits; i++) {
266 hitag_send_bit(1);
267 }
268
269// Send the content of the frame
270 for (size_t i = 0; i < frame_len; i++) {
271 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
272 }
273// Drop the modulation
274 LOW(GPIO_SSC_DOUT);
275}
276
277static void hitag_reader_send_bit(int bit) {
278//Dbprintf("BIT: %d",bit);
279 LED_A_ON();
280// Reset clock for the next bit
281 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
282
283// Binary puls length modulation (BPLM) is used to encode the data stream
284// This means that a transmission of a one takes longer than that of a zero
285
286// Enable modulation, which means, drop the the field
287 HIGH(GPIO_SSC_DOUT);
288 if (test == 1) {
289 // Wait for 4-10 times the carrier period
290 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
291 ;
292 // SpinDelayUs(8*8);
293
294 // Disable modulation, just activates the field again
295 LOW(GPIO_SSC_DOUT);
296
297 if (bit == 0) {
298 // Zero bit: |_-|
299 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
300 ;
301 // SpinDelayUs(16*8);
302 } else {
303 // One bit: |_--|
304 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
305 ;
306 // SpinDelayUs(22*8);
307 }
308 } else {
309 // Wait for 4-10 times the carrier period
310 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
311 ;
312 // SpinDelayUs(8*8);
313
314 // Disable modulation, just activates the field again
315 LOW(GPIO_SSC_DOUT);
316
317 if (bit == 0) {
318 // Zero bit: |_-|
319 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
320 ;
321 // SpinDelayUs(16*8);
322 } else {
323 // One bit: |_--|
324 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
325 ;
326 // SpinDelayUs(22*8);
327 }
328 }
329
330 LED_A_OFF();
331}
332
333static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
7b6e3205 334 // Send the content of the frame
4e12287d
RS		 335 for (size_t i = 0; i < frame_len; i++) {
336 if (frame[0] == 0xf8) {
337 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
338 }
7b6e3205 339 hitag_reader_send_bit(((frame[i / 8] >> (7 - (i % 8))) & 1));
4e12287d
RS		 340 }
341// Send EOF
342 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
343// Enable modulation, which means, drop the the field
344 HIGH(GPIO_SSC_DOUT);
345// Wait for 4-10 times the carrier period
346 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
347 ;
348// Disable modulation, just activates the field again
349 LOW(GPIO_SSC_DOUT);
350}
351
7b6e3205 352static void hitag_decode_frame_MC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
353 size_t rxlen = 0;
354 bool bSkip = true;
355 int lastbit = 1;
356 int tag_sof = 0;
357 int timing = 1;
358 if (bitRate == 8) {
359 timing = 2;
360 }
361
362 for (int i=0; i < rawLen; i++) {
363 int ra = rawMod[i];
364 if (ra >= HITAG_T_EOF) {
365 if (rxlen != 0) {
366 //DbpString("wierd1?");
367 }
368 tag_sof = sofBits;
369
370 // Capture the T0 periods that have passed since last communication or field drop (reset)
371 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
372 *response = ra - HITAG_T_TAG_HALF_PERIOD;
373 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
374 tag_sof=0;
375 // Manchester coding example |-_|_-|-_| (101)
376 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
377 rxlen++;
378 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
379 rxlen++;
380 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
381 tag_sof=0;
382 // Manchester coding example |_-|...|_-|-_| (0...01)
383 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
384 rxlen++;
385 // We have to skip this half period at start and add the 'one' the second time
386 if (!bSkip) {
387 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
388 rxlen++;
389 }
390 lastbit = !lastbit;
391 bSkip = !bSkip;
392 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
393 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
394 if (tag_sof) {
395 // Ignore bits that are transmitted during SOF
396 tag_sof--;
397 } else {
398 // bit is same as last bit
399 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
400 rxlen++;
401 }
402 } else {
403 // Ignore wierd value, is to small to mean anything
404 }
405 }
406 *rxlenOrg = rxlen;
407}
408
409/*
410static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
411 int tag_sof = 1; //skip start of frame
412 size_t rxlen = 0;
413
414 for (int i=0; i < rawLen; i++) {
415 int ra = rawMod[i];
416 if (ra >= HITAG_T_EOF) {
417 if (rxlen != 0) {
418 //DbpString("wierd1?");
419 }
420 // Capture the T0 periods that have passed since last communication or field drop (reset)
421 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
422 tag_sof = 1;
423 *response = ra - HITAG_T_TAG_HALF_PERIOD;
424 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
425 // AC coding example |--__|--__| means 0
426 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
427 rxlen++;
428 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
429 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
430 rxlen++;
431 i++; //drop next capture
432 }
433 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
434 if (tag_sof) {
435 // Ignore bits that are transmitted during SOF
436 tag_sof--;
437 } else {
438 // AC coding example |-_-_|-_-_| which means 1
439 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
440 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
441 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
442 rxlen++;
443 i++; //drop next capture
444 } else {
445 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
446 }
447 }
448 } else {
449 // Ignore wierd value, is to small to mean anything
450 }
451 }
452 *rxlenOrg = rxlen;
453}
454*/
455
456static void hitag_decode_frame_AC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
457 int tag_sof = 1;
458 size_t rxlen = 0;
459 int timing = 1;
460 if (bitRate == 4) {
461 timing = 2;
462 }
463
464
465 for (int i=0; i < rawLen; i++) {
466 int ra = rawMod[i];
467 if (ra >= HITAG_T_EOF) {
468 if (rxlen != 0) {
469 //DbpString("wierd1?");
470 }
471
472 // Capture the T0 periods that have passed since last communication or field drop (reset)
473 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
474 tag_sof = sofBits;
475 *response = ra - HITAG_T_TAG_HALF_PERIOD;
476 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
477 tag_sof=0;
478
479 // AC coding example |--__|--__| means 0
480 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
481 rxlen++;
482 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
483 tag_sof=0;
484
485 if (rawMod[i-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
486 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
487 if (rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
488 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
489 rxlen++;
490 i++; //drop next capture
491 } else {
492 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
493 }
494 } else {
495 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
496 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
497 rxlen++;
498 }
499 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
500 if (tag_sof) {
501 // Ignore bits that are transmitted during SOF
502 tag_sof--;
503 } else {
504 // AC coding example |-_-_|-_-_| which means 1
505 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
506 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
507 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
508 rxlen++;
509 i++; //drop next capture
510 } else {
511 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
512 }
513 }
514 } else {
515 // Ignore wierd value, is to small to mean anything
516 }
517 }
518 *rxlenOrg = rxlen;
519}
520
521static void hitag_receive_frame(byte_t* rx, size_t* rxlen, int* response) {
522 int rawMod[200] = {0};
523 int rawLen = 0;
524 int i = 0;
525 int sofBits = 0;
526
527 m = MC4K;
528 if (tag.pstate == READY) {
529 switch (tag.mode) {
530 case STANDARD:
531 m = AC2K;
532 sofBits = 1;
533 break;
534 case ADVANCED:
535 m = AC2K;
536 sofBits = 5; //3 sof bits but 5 captures
537 break;
538 case FAST_ADVANCED:
539 m = AC4K;
540 sofBits = 5; //3 sof bits but 5 captures
541 break;
542 default:
543 break;
544 }
545 } else {
546 switch (tag.mode) {
547 case STANDARD:
548 m = MC4K;
549 sofBits = 0; //in theory 1
550 break;
551 case ADVANCED:
552 m = MC4K;
553 sofBits = 5; //in theory 6
554 break;
555 case FAST_ADVANCED:
556 m = MC8K;
557 sofBits = 5; //in theory 6
558 break;
559 default:
560 break;
561 }
562 }
563
564 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
565 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
566
567
568 //first capture timing values
569 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX ) {
570 // Check if rising edge in modulation is detected
571 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
572 // Retrieve the new timing values
573 int ra = (AT91C_BASE_TC1->TC_RA / T0);
574
575 LED_B_ON();
576 // Reset timer every frame, we have to capture the last edge for timing
577 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
578 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
579
580 if (rawLen >= 200) { //avoid exception
581 break;
582 }
583 rawMod[rawLen] = ra;
584 rawLen++;
585
586 // We can break this loop if we received the last bit from a frame
587 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
588 if (rawLen > 2) {
589 if (DEBUG >= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen); }
590 break;
591 }
592 }
593 }
594 }
595
596 if (DEBUG >= 2) {
597 for (i=0; i < rawLen; i+=20) {
598 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
599 rawMod[i],rawMod[i+1],rawMod[i+2],rawMod[i+3], rawMod[i+4],rawMod[i+5],rawMod[i+6],rawMod[i+7],
600 rawMod[i+8],rawMod[i+9],rawMod[i+10],rawMod[i+11], rawMod[i+12],rawMod[i+13],rawMod[i+14],rawMod[i+15],
601 rawMod[i+16],rawMod[i+17],rawMod[i+18],rawMod[i+19]
602 );
603 }
604 }
605
606 switch (m) {
607 // DATA | 1 | 0 | 1 | 1 | 0 |
608 // Manchester |--__|__--|--__|--__|__--|
609 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
610 // |<-->|
611 // | T |
612 case AC2K:
613 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC2K"); }
614 hitag_decode_frame_AC(2, sofBits, rx, rxlen, response, rawMod, rawLen);
615 break;
616 case AC4K:
617 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC4K"); }
618 hitag_decode_frame_AC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
619 break;
620 case MC4K:
621 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC4K"); }
622 hitag_decode_frame_MC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
623 break;
624 case MC8K:
625 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC8K"); }
626 hitag_decode_frame_MC(8, sofBits, rx, rxlen, response, rawMod, rawLen);
627 break;
628 }
629
630 LED_B_OFF();
631 if (DEBUG >= 2) {
632 int rb[200] = {0}; int z = 0;
633 for (i = 0; i < 16; i++) { for (int j = 0; j < 8; j++) {
634 rb[z] = 0;
635 if ((rx[i] & ((1 << 7) >> j)) != 0) { rb[z] = 1; }
636 z++;
637 } }
638 for (i=0; i < z; i+=8) {
639 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb[i],rb[i+1],rb[i+2],rb[i+3],rb[i+4],rb[i+5],rb[i+6],rb[i+7] );
640 }
641 }
642}
643
644static void hitag_start_auth(byte_t* tx, size_t* txlen) {
645 *txlen = 5;
646 switch (tag.mode) {
647 case STANDARD:
648 //00110 - 0x30 - STANDARD MODE
649 memcpy(tx, "\x30", nbytes(*txlen));
650 break;
651 case ADVANCED:
652 //11000 - 0xc0 - Advance Mode
653 memcpy(tx, "\xc0", nbytes(*txlen));
654 break;
655 case FAST_ADVANCED:
656 //TODO!
657 break;
658 default: //STANDARD MODE
659 memcpy(tx, "\x30", nbytes(*txlen));
660 break;
661 }
662 tag.pstate = READY;
663 tag.tstate = NO_OP;
664}
665
666static int hitag_read_page(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int pageNum) {
667 int i, j, z;
668 int response_bit[200];
669 unsigned char mask = 1;
670 unsigned char crc;
671 unsigned char pageData[32];
672
673 if (pageNum >= tag.max_page) {
674 return -1;
675 }
676 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
677 //send read request
678 tag.tstate = READING_PAGE;
679 *txlen = 20;
680 crc = CRC_PRESET;
681 tx[0] = 0xc0 + (pageNum / 16);
682 calc_crc(&crc, tx[0], 8);
683 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
684 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
685 tx[2] = 0x00 + (crc % 16) * 16;
686 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE && *rxlen > 0) {
687 //save received data
688 z = 0;
689 for (i = 0; i < 4; i++) {
690 for (j = 0; j < 8; j++) {
691 response_bit[z] = 0;
692 if ((rx[i] & ((mask << 7) >> j)) != 0) {
693 response_bit[z] = 1;
694 }
695 if (z < 32) {
696 pageData[z] = response_bit[z];
697 }
698
699 z++;
700 }
701 }
702 for (i = 0; i < 4; i++) {
703 tag.pages[pageNum][i] = 0x0;
704 }
705 for (i = 0; i < 4; i++) {
706 tag.pages[pageNum][i] += ((pageData[i * 8] << 7) | (pageData[1 + (i * 8)] << 6) |
707 (pageData[2 + (i * 8)] << 5) | (pageData[3 + (i * 8)] << 4) |
708 (pageData[4 + (i * 8)] << 3) | (pageData[5 + (i * 8)] << 2) |
709 (pageData[6 + (i * 8)]
710 << 1) | pageData[7 + (i * 8)]);
711 }
712 if (tag.auth && tag.LKP && pageNum == 1) {
713 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
714 tag.pages[pageNum][2], tag.pages[pageNum][1], tag.pages[pageNum][0]);
715 } else {
716 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
717 tag.pages[pageNum][3], tag.pages[pageNum][2],
718 tag.pages[pageNum][1], tag.pages[pageNum][0]);
719 }
720
721
722 //display key and password if possible
723 if (pageNum == 1 && tag.auth == 1 && tag.LKP) {
724 if (htf == 02) { //RHTS_KEY
725 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
726 (byte_t)(key >> 8) & 0xff,
727 (byte_t) key & 0xff, pwdl1, pwdl0);
728 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
729 (byte_t)(key >> 40) & 0xff,
730 (byte_t)(key >> 32) & 0xff,
731 (byte_t)(key >> 24) & 0xff,
732 (byte_t)(key >> 16) & 0xff);
733 } else {
734 //if the authentication is done with a challenge the key and password are unknown
735 Dbprintf("Page[ 2]: __ __ __ __");
736 Dbprintf("Page[ 3]: __ __ __ __");
737 }
738 }
739
740 *txlen = 20;
741 crc = CRC_PRESET;
742 tx[0] = 0xc0 + ((pageNum+1) / 16);
743 calc_crc(&crc, tx[0], 8);
744 calc_crc(&crc, 0x00 + (((pageNum+1) % 16) * 16), 4);
745 tx[1] = 0x00 + (((pageNum+1) % 16) * 16) + (crc / 16);
746 tx[2] = 0x00 + (crc % 16) * 16;
747
748 return 1;
749 }
750 return 0;
751}
752
753static int hitag_read_block(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int blockNum) {
754 int i, j, z;
755 int response_bit[200];
756 unsigned char mask = 1;
757 unsigned char crc;
758 unsigned char blockData[128];
759
760 if (blockNum+4 >= tag.max_page) { //block always = 4 pages
761 return -1;
762 }
763
764 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
765 //send read request
766 tag.tstate = READING_BLOCK;
767 *txlen = 20;
768 crc = CRC_PRESET;
769 tx[0] = 0xd0 + (blockNum / 16);
770 calc_crc(&crc, tx[0], 8);
771 calc_crc(&crc, 0x00 + ((blockNum % 16) * 16), 4);
772 tx[1] = 0x00 + ((blockNum % 16) * 16) + (crc / 16);
773 tx[2] = 0x00 + (crc % 16) * 16;
774 } else if (tag.pstate == SELECTED && tag.tstate == READING_BLOCK && *rxlen > 0) {
775 //save received data
776 z = 0;
777 for (i = 0; i < 16; i++) {
778 for (j = 0; j < 8; j++) {
779 response_bit[z] = 0;
780 if ((rx[i] & ((mask << 7) >> j)) != 0) {
781 response_bit[z] = 1;
782 }
783 if (z < 128) {
784 blockData[z] = response_bit[z];
785 }
786 z++;
787 }
788 }
789
790 for (z = 0; z < 4; z++) { //4 pages
791 for (i = 0; i < 4; i++) {
792 tag.pages[blockNum+z][i] = 0x0;
793 }
794 }
795 for (z = 0; z < 4; z++) { //4 pages
796 for (i = 0; i < 4; i++) {
797 j = (i * 8) + (z*32); //bit in page + pageStart
798 tag.pages[blockNum+z][i] = ((blockData[j] << 7) | (blockData[1 + j] << 6) |
799 (blockData[2 + j] << 5) | (blockData[3 + j] << 4) |
800 (blockData[4 + j] << 3) | (blockData[5 + j] << 2) |
801 (blockData[6 + j] << 1) | blockData[7 + j]);
802 }
803 }
804 if (DEBUG) {
805 for (z = 0; z < 4; z++) {
806 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum+z,
807 tag.pages[blockNum+z][3], tag.pages[blockNum+z][2],
808 tag.pages[blockNum+z][1], tag.pages[blockNum+z][0]);
809 }
810 }
811 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum,
812 tag.pages[blockNum][3], tag.pages[blockNum][2], tag.pages[blockNum][1], tag.pages[blockNum][0],
813 tag.pages[blockNum+1][3], tag.pages[blockNum+1][2], tag.pages[blockNum+1][1], tag.pages[blockNum+1][0],
814 tag.pages[blockNum+2][3], tag.pages[blockNum+2][2], tag.pages[blockNum+2][1], tag.pages[blockNum+2][0],
815 tag.pages[blockNum+3][3], tag.pages[blockNum+3][2], tag.pages[blockNum+3][1], tag.pages[blockNum+3][0]);
816
817 *txlen = 20;
818 crc = CRC_PRESET;
819 tx[0] = 0xd0 + ((blockNum+4) / 16);
820 calc_crc(&crc, tx[0], 8);
821 calc_crc(&crc, 0x00 + (((blockNum+4) % 16) * 16), 4);
822 tx[1] = 0x00 + (((blockNum+4) % 16) * 16) + (crc / 16);
823 tx[2] = 0x00 + (crc % 16) * 16;
824
825 return 1;
826 }
827 return 0;
828}
829
830
4e12287d
RS		 831/*
832 * to check if the right uid was selected
833 */
834static int check_select(byte_t* rx, uint32_t uid) {
835 unsigned char resp[48];
836 int i;
837 uint32_t ans = 0x0;
838 for (i = 0; i < 48; i++)
839 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
840 for (i = 0; i < 32; i++)
841 ans += resp[5 + i] << (31 - i);
842 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
843 && rx[4] == 0x65 && rx[5] == 0x38)
844 Dbprintf("got uid %X", ans);*/
845 temp_uid = ans;
846 if (ans == tag.uid)
847 return 1;
848 return 0;
849}
850
851/*
852 * handles all commands from a reader
853 */
854static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
855 byte_t* tx, size_t* txlen) {
856 byte_t rx_air[HITAG_FRAME_LEN];
857 byte_t page;
858 int i;
859 u64 state;
860 unsigned char crc;
861
7b6e3205 862 // Copy the (original) received frame how it is send over the air
4e12287d 863 memcpy(rx_air, rx, nbytes(rxlen));
7b6e3205 864 // Reset the transmission frame length
4e12287d 865 *txlen = 0;
7b6e3205 866 // Try to find out which command was send by selecting on length (in bits)
4e12287d 867 switch (rxlen) {
7b6e3205 868 case 5: {
869 //UID request with a selected response protocol mode
870 tag.pstate = READY;
871 tag.tstate = NO_OP;
872 if ((rx[0] & 0xf0) == 0x30) {
873 Dbprintf("recieved uid request in Standard Mode");
874 tag.mode = STANDARD;
875 sof_bits = 1;
876 m = AC2K;
877 }
878 if ((rx[0] & 0xf0) == 0xc0) {
879 Dbprintf("recieved uid request in ADVANCE Mode");
880 tag.mode = ADVANCED;
881 sof_bits = 3;
882 m = AC2K;
883 }
884 if ((rx[0] & 0xf0) == 0xd0) {
885 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
886 tag.mode = FAST_ADVANCED;
887 sof_bits = 3;
888 m = AC4K;
889 }
890 //send uid as a response
891 *txlen = 32;
892 for (i = 0; i < 4; i++) {
893 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
894 }
4e12287d 895 }
7b6e3205 896 break;
897 case 45: {
898 //select command from reader received
899 if (check_select(rx, tag.uid) == 1) {
900 //if the right tag was selected
901 *txlen = 32;
902 switch (tag.mode) {
903 case STANDARD:
904 Dbprintf("uid selected in Standard Mode");
905 sof_bits = 1;
906 m = MC4K;
907 break;
908 case ADVANCED:
909 Dbprintf("uid selected in ADVANCE Mode");
910 sof_bits = 6;
911 m = MC4K;
912 break;
913 case FAST_ADVANCED:
914 Dbprintf("uid selected in FAST_ADVANCE Mode");
915 sof_bits = 6;
916 m = MC8K;
917 break;
918 default:
919 break;
920 }
4e12287d 921
7b6e3205 922 //send configuration
923 tx[0] = tag.pages[1][3];
924 tx[1] = tag.pages[1][2];
925 tx[2] = tag.pages[1][1];
926 tx[3] = 0xff;
927 if (tag.mode != STANDARD) {
928 *txlen = 40;
929 crc = CRC_PRESET;
930 for (i = 0; i < 4; i++)
931 calc_crc(&crc, tx[i], 8);
932 tx[4] = crc;
933 }
934 }
4e12287d 935 }
4e12287d 936 break;
7b6e3205 937 case 64: {
938 switch (tag.mode) {
4e12287d
RS		 939 case STANDARD:
940 sof_bits = 1;
941 m = MC4K;
942 break;
943 case ADVANCED:
944 sof_bits = 6;
945 m = MC4K;
946 break;
947 case FAST_ADVANCED:
948 sof_bits = 6;
949 m = MC8K;
950 break;
951 default:
952 break;
4e12287d 953 }
4e12287d
RS		 954 //challenge message received
955 Dbprintf("Challenge for UID: %X", temp_uid);
956 temp2++;
4e12287d
RS		 957 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
958 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
959 Dbprintf(
960 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
961 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
4e12287d 962
7b6e3205 963 for (i = 0; i < 4; i++) {
4e12287d 964 hitag2_byte(&state);
7b6e3205 965 }
966
967 *txlen = 32;
4e12287d 968 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
7b6e3205 969 tx[0] = hitag2_byte(&state) ^ tag.pages[1][1];
4e12287d
RS		 970 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
971 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
972 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
973 if (tag.mode != STANDARD) {
974 //add crc8
975 *txlen = 40;
976 crc = CRC_PRESET;
7b6e3205 977 calc_crc(&crc, tag.pages[1][1], 8);
4e12287d
RS		 978 calc_crc(&crc, tag.pwdh0, 8);
979 calc_crc(&crc, tag.pwdl0, 8);
980 calc_crc(&crc, tag.pwdl1, 8);
981 tx[4] = (crc ^ hitag2_byte(&state));
982 }
4e12287d
RS		 983 }
984 case 40:
985 //data received to be written
986 if (tag.tstate == WRITING_PAGE_DATA) {
987 tag.tstate = NO_OP;
7b6e3205 988 tag.pages[page_to_be_written][0] = rx[3];
989 tag.pages[page_to_be_written][1] = rx[2];
990 tag.pages[page_to_be_written][2] = rx[1];
991 tag.pages[page_to_be_written][3] = rx[0];
992
4e12287d
RS		 993 //send ack
994 *txlen = 2;
995 tx[0] = 0x40;
996 page_to_be_written = 0;
997 switch (tag.mode) {
998 case STANDARD:
999 sof_bits = 1;
1000 m = MC4K;
1001 break;
1002 case ADVANCED:
1003 sof_bits = 6;
1004 m = MC4K;
1005 break;
1006 case FAST_ADVANCED:
1007 sof_bits = 6;
1008 m = MC8K;
1009 break;
1010 default:
1011 break;
1012 }
1013 } else if (tag.tstate == WRITING_BLOCK_DATA) {
7b6e3205 1014 tag.pages[page_to_be_written][0] = rx[0];
1015 tag.pages[page_to_be_written][1] = rx[1];
1016 tag.pages[page_to_be_written][2] = rx[2];
1017 tag.pages[page_to_be_written][3] = rx[3];
1018
4e12287d
RS		 1019 //send ack
1020 *txlen = 2;
1021 tx[0] = 0x40;
1022 switch (tag.mode) {
1023 case STANDARD:
1024 sof_bits = 1;
1025 m = MC4K;
1026 break;
1027 case ADVANCED:
1028 sof_bits = 6;
1029 m = MC4K;
1030 break;
1031 case FAST_ADVANCED:
1032 sof_bits = 6;
1033 m = MC8K;
1034 break;
1035 default:
1036 break;
1037 }
1038 page_to_be_written++;
1039 block_data_left--;
1040 if (block_data_left == 0) {
1041 tag.tstate = NO_OP;
1042 page_to_be_written = 0;
1043 }
1044 }
1045 break;
1046 case 20: {
1047 //write page, write block, read page or read block command received
7b6e3205 1048 if ((rx[0] & 0xf0) == 0xc0) { //read page
4e12287d
RS		 1049 //send page data
1050 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
7b6e3205 1051 Dbprintf("reading page %d", page);
4e12287d 1052 *txlen = 32;
7b6e3205 1053 tx[0] = tag.pages[page][0];
1054 tx[1] = tag.pages[page][1];
1055 tx[2] = tag.pages[page][2];
1056 tx[3] = tag.pages[page][3];
1057
4e12287d
RS		 1058 if (tag.LKP && page == 1)
1059 tx[3] = 0xff;
1060
1061 switch (tag.mode) {
1062 case STANDARD:
1063 sof_bits = 1;
1064 m = MC4K;
1065 break;
1066 case ADVANCED:
1067 sof_bits = 6;
1068 m = MC4K;
1069 break;
1070 case FAST_ADVANCED:
1071 sof_bits = 6;
1072 m = MC8K;
1073 break;
1074 default:
1075 break;
1076 }
1077
1078 if (tag.mode != STANDARD) {
1079 //add crc8
1080 *txlen = 40;
1081 crc = CRC_PRESET;
1082 for (i = 0; i < 4; i++)
1083 calc_crc(&crc, tx[i], 8);
1084 tx[4] = crc;
1085 }
1086
1087 if (tag.LKP && (page == 2 || page == 3)) {
1088 //if reader asks for key or password and the LKP-mark is set do not respond
1089 sof_bits = 0;
1090 *txlen = 0;
1091 }
7b6e3205 1092 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
4e12287d 1093 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
7b6e3205 1094 Dbprintf("reading block %d", page);
4e12287d
RS		 1095 *txlen = 32 * 4;
1096 //send page,...,page+3 data
1097 for (i = 0; i < 4; i++) {
7b6e3205 1098 tx[0 + (i * 4)] = tag.pages[page][0];
1099 tx[1 + (i * 4)] = tag.pages[page][1];
1100 tx[2 + (i * 4)] = tag.pages[page][2];
1101 tx[3 + (i * 4)] = tag.pages[page][3];
4e12287d
RS		 1102 page++;
1103 }
1104
1105 switch (tag.mode) {
7b6e3205 1106 case STANDARD:
1107 sof_bits = 1;
1108 m = MC4K;
1109 break;
1110 case ADVANCED:
1111 sof_bits = 6;
1112 m = MC4K;
1113 break;
1114 case FAST_ADVANCED:
1115 sof_bits = 6;
1116 m = MC8K;
1117 break;
1118 default:
1119 break;
4e12287d
RS		 1120 }
1121
1122 if (tag.mode != STANDARD) {
1123 //add crc8
1124 *txlen = 32 * 4 + 8;
1125 crc = CRC_PRESET;
1126 for (i = 0; i < 16; i++)
1127 calc_crc(&crc, tx[i], 8);
1128 tx[16] = crc;
1129 }
1130
1131 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
1132 sof_bits = 0;
1133 *txlen = 0;
1134 }
7b6e3205 1135 } else if ((rx[0] & 0xf0) == 0x80) { //write page
4e12287d
RS		 1136 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1137
1138 switch (tag.mode) {
1139 case STANDARD:
1140 sof_bits = 1;
1141 m = MC4K;
1142 break;
1143 case ADVANCED:
1144 sof_bits = 6;
1145 m = MC4K;
1146 break;
1147 case FAST_ADVANCED:
1148 sof_bits = 6;
1149 m = MC8K;
1150 break;
1151 default:
1152 break;
1153 }
1154 if ((tag.LCON && page == 1)
1155 || (tag.LKP && (page == 2 || page == 3))) {
1156 //deny
1157 *txlen = 0;
1158 } else {
1159 //allow
1160 *txlen = 2;
1161 tx[0] = 0x40;
1162 page_to_be_written = page;
1163 tag.tstate = WRITING_PAGE_DATA;
1164 }
1165
7b6e3205 1166 } else if ((rx[0] & 0xf0) == 0x90) { //write block
4e12287d
RS		 1167 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
1168 switch (tag.mode) {
1169 case STANDARD:
1170 sof_bits = 1;
1171 m = MC4K;
1172 break;
1173 case ADVANCED:
1174 sof_bits = 6;
1175 m = MC4K;
1176 break;
1177 case FAST_ADVANCED:
1178 sof_bits = 6;
1179 m = MC8K;
1180 break;
1181 default:
1182 break;
1183 }
1184 if (page % 4 != 0 || page == 0) {
1185 //deny
1186 *txlen = 0;
1187 } else {
1188 //allow
1189 *txlen = 2;
1190 tx[0] = 0x40;
1191 page_to_be_written = page;
1192 block_data_left = 4;
1193 tag.tstate = WRITING_BLOCK_DATA;
1194 }
1195 }
1196 }
1197 break;
1198 default:
1199
1200 break;
1201 }
1202}
1203
7b6e3205 1204
4e12287d
RS		 1205/*
1206 * to autenticate to a tag with the given key or challenge
1207 */
7b6e3205 1208static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx,
1209 const size_t rxlen, byte_t* tx, size_t* txlen) {
4e12287d 1210 byte_t rx_air[HITAG_FRAME_LEN];
7b6e3205 1211 int response_bit[200] = {0};
4e12287d
RS		 1212 int i, j, z, k;
1213 unsigned char mask = 1;
1214 unsigned char uid[32];
1215 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
1216 unsigned char crc;
1217 u64 state;
1218 byte_t auth_ks[4];
1219 byte_t conf_pages[3];
1220 memcpy(rx_air, rx, nbytes(rxlen));
1221 *txlen = 0;
1222
7b6e3205 1223 if (DEBUG) {
1224 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen, (int)tag.pstate);
1225 }
1226
1227 if (tag.pstate == READY && rxlen >= 32) {
4e12287d
RS		 1228 //received uid
1229 if(end==true) {
1230 Dbprintf("authentication failed!");
1231 return -1;
1232 }
1233 z = 0;
1234 for (i = 0; i < 10; i++) {
1235 for (j = 0; j < 8; j++) {
1236 response_bit[z] = 0;
1237 if ((rx[i] & ((mask << 7) >> j)) != 0)
1238 response_bit[z] = 1;
1239 z++;
1240 }
1241 }
7b6e3205 1242 for (i = 0; i < 32; i++) {
1243 uid[i] = response_bit[i];
4e12287d 1244 }
7b6e3205 1245
4e12287d
RS		 1246 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
1247 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
1248 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
1249 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
1250 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
1251 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
1252 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
7b6e3205 1253 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
1254 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
4e12287d
RS		 1255 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
1256
1257 //select uid
4e12287d
RS		 1258 crc = CRC_PRESET;
1259 calc_crc(&crc, 0x00, 5);
1260 calc_crc(&crc, uid1, 8);
1261 calc_crc(&crc, uid2, 8);
1262 calc_crc(&crc, uid3, 8);
1263 calc_crc(&crc, uid4, 8);
7b6e3205 1264 Dbprintf("crc: %02X", crc);
1265
1266 //resetting response bit
4e12287d
RS		 1267 for (i = 0; i < 100; i++) {
1268 response_bit[i] = 0;
1269 }
7b6e3205 1270
1271 //skip the first 5
4e12287d
RS		 1272 for (i = 5; i < 37; i++) {
1273 response_bit[i] = uid[i - 5];
1274 }
7b6e3205 1275 //add crc value
4e12287d
RS		 1276 for (j = 0; j < 8; j++) {
1277 response_bit[i] = 0;
1278 if ((crc & ((mask << 7) >> j)) != 0)
1279 response_bit[i] = 1;
1280 i++;
1281 }
7b6e3205 1282
4e12287d
RS		 1283 k = 0;
1284 for (i = 0; i < 6; i++) {
1285 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1286 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
1287 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
1288 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1289 k += 8;
1290 }
7b6e3205 1291 *txlen = 45;
4e12287d 1292 tag.pstate = INIT;
7b6e3205 1293 } else if (tag.pstate == INIT && rxlen > 24) {
4e12287d
RS		 1294 // received configuration after select command
1295 z = 0;
7b6e3205 1296 for (i = 0; i < 4; i++) {
4e12287d
RS		 1297 for (j = 0; j < 8; j++) {
1298 response_bit[z] = 0;
7b6e3205 1299 if ((rx[i] & ((mask << 7) >> j)) != 0) {
4e12287d 1300 response_bit[z] = 1;
7b6e3205 1301 }
4e12287d
RS		 1302 z++;
1303 }
1304 }
7b6e3205 1305
4e12287d 1306 //check wich memorysize this tag has
7b6e3205 1307 //CON0
1308 if (response_bit[6] == 0 && response_bit[7] == 0)
4e12287d 1309 tag.max_page = 32 / 32;
7b6e3205 1310 if (response_bit[6] == 0 && response_bit[7] == 1)
4e12287d 1311 tag.max_page = 256 / 32;
7b6e3205 1312 if (response_bit[6] == 1 && response_bit[7] == 0)
1313 tag.max_page = 2048 / 32;
1314 if (response_bit[6] == 1 && response_bit[7] == 1) //reserved but some tags got this setting
4e12287d 1315 tag.max_page = 2048 / 32;
7b6e3205 1316
1317 //CON1
1318 tag.auth = response_bit[8];
1319 tag.TTFC = response_bit[9];
1320 //tag.TTFDR in response_bit[10] and response_bit[11]
1321 //tag.TTFM in response_bit[12] and response_bit[13]
1322 tag.LCON = response_bit[14];
1323 tag.LKP = response_bit[15];
1324
1325 //CON2
1326 tag.LCK7 = response_bit[16];
1327 tag.LCK6 = response_bit[17];
1328 tag.LCK5 = response_bit[18];
1329 tag.LCK4 = response_bit[19];
1330 tag.LCK3 = response_bit[20];
1331 tag.LCK2 = response_bit[21];
1332 tag.LCK1 = response_bit[22];
1333 tag.LCK0 = response_bit[23];
1334
1335 if (DEBUG) {
1336 conf_pages[0] = ((response_bit[0] << 7) | (response_bit[1] << 6)
1337 | (response_bit[2] << 5) | (response_bit[3] << 4)
1338 | (response_bit[4] << 3) | (response_bit[5] << 2)
1339 | (response_bit[6] << 1) | response_bit[7]);
1340 conf_pages[1] = ((response_bit[8] << 7) | (response_bit[9] << 6)
1341 | (response_bit[10] << 5) | (response_bit[11] << 4)
1342 | (response_bit[12] << 3) | (response_bit[13] << 2)
1343 | (response_bit[14] << 1) | response_bit[15]);
1344 conf_pages[2] = ((response_bit[16] << 7) | (response_bit[17] << 6)
1345 | (response_bit[18] << 5) | (response_bit[19] << 4)
1346 | (response_bit[20] << 3) | (response_bit[21] << 2)
1347 | (response_bit[22] << 1) | response_bit[23]);
1348 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
1349 Dbprintf("tag.max_page: %d, tag.auth: %d", tag.max_page, tag.auth);
1350 }
1351
4e12287d
RS		 1352 if (tag.auth == 1) {
1353 //if the tag is in authentication mode try the key or challenge
1354 *txlen = 64;
1355 if(end!=true){
1356 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
7b6e3205 1357 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
1358 /*
1359 Dbprintf("key: %02X %02X\n\n", key, rev64(key));
1360 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, rev32(tag.uid));
1361 Dbprintf("rnd: %02X %02X\n\n", rnd, rev32(rnd));
1362 */
4e12287d
RS		 1363 for (i = 0; i < 4; i++) {
1364 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
1365 }
1366 *txlen = 64;
1367 tx[0] = rnd & 0xff;
1368 tx[1] = (rnd >> 8) & 0xff;
1369 tx[2] = (rnd >> 16) & 0xff;
1370 tx[3] = (rnd >> 24) & 0xff;
1371
1372 tx[4] = auth_ks[0];
1373 tx[5] = auth_ks[1];
1374 tx[6] = auth_ks[2];
1375 tx[7] = auth_ks[3];
1376 if (DEBUG)
1377 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
1378 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
1379 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1380 for (i = 0; i < 8; i++)
1381 tx[i]=((NrAr>>(56-(i*8)))&0xff);
1382 }
1383 end=true;
1384 tag.pstate = AUTHENTICATE;
1385 } else {
1386 Dbprintf("authentication failed!");
1387 return -1;
1388 }
1389 } else if (tag.auth == 0) {
1390 tag.pstate = SELECTED;
1391 }
1392
7b6e3205 1393 } else if (tag.pstate == AUTHENTICATE && rxlen >= 32) {
4e12287d 1394 //encrypted con2,password received.
4e12287d
RS		 1395 if (DEBUG) {
1396 Dbprintf("UID:::%X", tag.uid);
1397 Dbprintf("RND:::%X", rnd);
1398 }
1399
1400 //decrypt password
1401 pwdh0=0;
1402 pwdl0=0;
1403 pwdl1=0;
7b6e3205 1404 if(htf==02 || htf==04) { //RHTS_KEY //WHTS_KEY
4e12287d 1405 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
7b6e3205 1406 for (i = 0; i < 5; i++) {
4e12287d 1407 hitag2_byte(&state);
7b6e3205 1408 }
1409 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ hitag2_byte(&state);
1410 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ hitag2_byte(&state);
1411 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ hitag2_byte(&state);
1412 if (DEBUG) {
1413 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
1414 }
4e12287d 1415 }
4e12287d
RS		 1416 tag.pstate = SELECTED; //tag is now ready for read/write commands
1417 }
7b6e3205 1418
1419 if (DEBUG) {
1420 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag.pstate);
1421 }
1422
4e12287d 1423 return 0;
4e12287d
RS		 1424}
1425
1426/*
1427 * Emulates a Hitag S Tag with the given data from the .hts file
1428 */
1429void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
1430 int frame_count;
1431 int response;
1432 int overflow;
1433 int i, j;
1434 byte_t rx[HITAG_FRAME_LEN];
1435 size_t rxlen = 0;
4e12287d
RS		 1436 bQuiet = false;
1437 byte_t txbuf[HITAG_FRAME_LEN];
1438 byte_t* tx = txbuf;
1439 size_t txlen = 0;
7b6e3205 1440 uint8_t con0, con1, con2;
4e12287d
RS		 1441 BigBuf_free();
1442
1443// Clean up trace and prepare it for storing frames
44964fd1 1444 set_tracing(true);
4e12287d
RS		 1445 clear_trace();
1446
1447 DbpString("Starting HitagS simulation");
1448 LED_D_ON();
1449
1450 tag.pstate = READY;
1451 tag.tstate = NO_OP;
4e12287d
RS		 1452 //read tag data into memory
1453 if (tag_mem_supplied) {
1454 DbpString("Loading hitagS memory...");
7b6e3205 1455 for (i = 0; i < 64; i++) {
1456 for (j = 0; j < 4; j++) {
1457 tag.pages[i][j] = 0x0;
1458 }
1459 }
1460
1461 for (i = 0; i < 64; i++) {
1462 for (j = 0; j < 4; j++) {
1463 tag.pages[i][j] = data[(i*4)+j];
1464 }
1465 }
4e12287d 1466 }
7b6e3205 1467 tag.uid = (tag.pages[0][3] << 24 | tag.pages[0][2] << 16 | tag.pages[0][1] << 8 | tag.pages[0][0]);
1468 con0 = tag.pages[1][3];
1469 con1 = tag.pages[1][2];
1470 con2 = tag.pages[1][1];
1471 Dbprintf("UID: %X", tag.uid);
4e12287d 1472 Dbprintf("Hitag S simulation started");
7b6e3205 1473
1474 //0x01 plain mode - Reserved, CON2, CON1, CON0
1475 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1476 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1477 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1478
4e12287d 1479 //con0
7b6e3205 1480 tag.max_page = 2048 / 32;
1481 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 1)
1482 tag.max_page = 256 / 32;
1483 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 0)
1484 tag.max_page = 32 / 32;
1485
1486 //CON1
1487 tag.auth = ((con1 & 0x80) == 0x80) ? 1 : 0;
1488 tag.TTFC = ((con1 & 0x40) == 0x40) ? 1 : 0;
1489 //tag.TTFDR in response_bit[10] and response_bit[11]
1490 //tag.TTFM in response_bit[12] and response_bit[13]
1491 tag.LCON = ((con1 & 0x2) == 0x2) ? 1 : 0;
383f4e24 1492 tag.LKP = ((con1 & 0x1) == 0x1) ? 1 : 0;
7b6e3205 1493
1494 //CON2
1495 tag.LCK7 = ((con2 & 0x80) == 0x80) ? 1 : 0;
1496 tag.LCK6 = ((con2 & 0x40) == 0x40) ? 1 : 0;
1497 tag.LCK5 = ((con2 & 0x20) == 0x20) ? 1 : 0;
1498 tag.LCK4 = ((con2 & 0x10) == 0x10) ? 1 : 0;
1499 tag.LCK3 = ((con2 & 0x8) == 0x8) ? 1 : 0;
1500 tag.LCK2 = ((con2 & 0x4) == 0x4) ? 1 : 0;
1501 tag.LCK1 = ((con2 & 0x2) == 0x2) ? 1 : 0;
1502 tag.LCK0 = ((con2 & 0x1) == 0x1) ? 1 : 0;
1503
1504 if (tag.auth == 1) {
1505 //TODO check if this working :D
1506 tag.key=(intptr_t)tag.pages[3];
1507 tag.key<<=16;
1508 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
1509 tag.pwdl0=tag.pages[2][3];
1510 tag.pwdl1=tag.pages[2][2];
1511 tag.pwdh0=tag.pages[1][0];
1512 }
1513
1514 // Set up simulator mode, frequency divisor which will drive the FPGA
1515 // and analog mux selection.
4e12287d 1516 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
28598e80 1517 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
4e12287d
RS		 1518 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1519 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1520 RELAY_OFF();
1521
7b6e3205 1522 // Configure output pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1523 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1524 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1525
7b6e3205 1526 // Disable modulation at default, which means release resistance
4e12287d
RS		 1527 LOW(GPIO_SSC_DOUT);
1528
7b6e3205 1529 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1530 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1531
7b6e3205 1532 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
4e12287d
RS		 1533 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1534 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1535
7b6e3205 1536 // Disable timer during configuration
4e12287d
RS		 1537 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1538
7b6e3205 1539 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1540 // external trigger rising edge, load RA on rising edge of TIOA.
1541 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
4e12287d 1542
7b6e3205 1543 // Reset the received frame, frame count and timing info
4e12287d
RS		 1544 memset(rx, 0x00, sizeof(rx));
1545 frame_count = 0;
1546 response = 0;
1547 overflow = 0;
1548
7b6e3205 1549 // Enable and reset counter
4e12287d
RS		 1550 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1551
1552 while (!BUTTON_PRESS()) {
1553 // Watchdog hit
1554 WDT_HIT();
1555
1556 // Receive frame, watch for at most T0*EOF periods
7b6e3205 1557 //HITAG_T_WAIT_MAX
4e12287d
RS		 1558 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1559 // Check if rising edge in modulation is detected
1560 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1561 // Retrieve the new timing values
1562 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1563 overflow = 0;
1564
1565 // Reset timer every frame, we have to capture the last edge for timing
1566 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1567
1568 LED_B_ON();
1569
1570 // Capture reader frame
1571 if (ra >= HITAG_T_STOP) {
1572 if (rxlen != 0) {
1573 //DbpString("wierd0?");
1574 }
1575 // Capture the T0 periods that have passed since last communication or field drop (reset)
1576 response = (ra - HITAG_T_LOW);
1577 } else if (ra >= HITAG_T_1_MIN) {
1578 // '1' bit
1579 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1580 rxlen++;
1581 } else if (ra >= HITAG_T_0_MIN) {
1582 // '0' bit
1583 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1584 rxlen++;
1585 } else {
1586 // Ignore wierd value, is to small to mean anything
1587 }
1588 }
1589 }
1590
1591 // Check if frame was captured
1592 if (rxlen > 0) {
1593 frame_count++;
1594 if (!bQuiet) {
1595 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1596 DbpString("Trace full");
1597 clear_trace();
1598 }
1599 }
1600
1601 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1602 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1603
1604 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1605 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1606
1607 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1608 // not that since the clock counts since the rising edge, but T_Wait1 is
1609 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1610 // periods. The gap time T_Low varies (4..10). All timer values are in
1611 // terms of T0 units
7b6e3205 1612 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) { }
4e12287d
RS		 1613
1614 // Send and store the tag answer (if there is any)
1615 if (txlen > 0) {
1616 // Transmit the tag frame
7b6e3205 1617 hitag_tag_send_frame(tx, txlen);
1618
4e12287d
RS		 1619 // Store the frame in the trace
1620 if (!bQuiet) {
1621 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1622 DbpString("Trace full");
1623 clear_trace();
1624 }
1625 }
1626 }
1627
7b6e3205 1628 // Enable and reset external trigger in timer for capturing future frames
1629 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1630
4e12287d
RS		 1631 // Reset the received frame and response timing info
1632 memset(rx, 0x00, sizeof(rx));
1633 response = 0;
1634
4e12287d
RS		 1635 LED_B_OFF();
1636 }
1637 // Reset the frame length
1638 rxlen = 0;
1639 // Save the timer overflow, will be 0 when frame was received
1640 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1641 // Reset the timer to restart while-loop that receives frames
1642 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1643 }
7b6e3205 1644 Dbprintf("Hitag S simulation stopped");
4e12287d
RS		 1645 LED_B_OFF();
1646 LED_D_OFF();
1647 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1648 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1649 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1650}
1651
1652/*
1653 * Authenticates to the Tag with the given key or challenge.
1654 * If the key was given the password will be decrypted.
1655 * Reads every page of a hitag S transpoder.
1656 */
7b6e3205 1657void ReadHitagSintern(hitag_function htf, hitag_data* htd, stype tagMode, int startPage, bool readBlock) {
4e12287d 1658 int frame_count;
7b6e3205 1659 int i;
1660 int sendNum = startPage;
1661 tag.mode = tagMode;
1662
1663 //int i, j, z;
1664 //int response_bit[200];
1665 //unsigned char mask = 1;
1666
4e12287d
RS		 1667 int response;
1668 byte_t rx[HITAG_FRAME_LEN];
1669 size_t rxlen = 0;
1670 byte_t txbuf[HITAG_FRAME_LEN];
1671 byte_t* tx = txbuf;
1672 size_t txlen = 0;
1673 int lastbit;
4e12287d
RS		 1674 int t_wait = HITAG_T_WAIT_MAX;
1675 bool bStop;
1676 bool bQuitTraceFull = false;
7b6e3205 1677
4e12287d
RS		 1678 page_to_be_written = 0;
1679
1680 //read given key/challenge
1681 byte_t NrAr_[8];
1682 uint64_t key=0;
1683 uint64_t NrAr=0;
1684 byte_t key_[6];
1685 switch(htf) {
7b6e3205 1686 case 01:
1687 case 03: { //RHTS_CHALLENGE
4e12287d
RS		 1688 DbpString("Authenticating using nr,ar pair:");
1689 memcpy(NrAr_,htd->auth.NrAr,8);
1690 Dbhexdump(8,NrAr_,false);
1691 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1692 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1693 } break;
7b6e3205 1694 case 02:
1695 case 04: { //RHTS_KEY
4e12287d
RS		 1696 DbpString("Authenticating using key:");
1697 memcpy(key_,htd->crypto.key,6);
1698 Dbhexdump(6,key_,false);
1699 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1700 } break;
1701 default: {
1702 Dbprintf("Error , unknown function: %d",htf);
1703 return;
1704 } break;
1705 }
1706
1707
1708
1709 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1710// Reset the return status
1711 bSuccessful = false;
1712
1713// Clean up trace and prepare it for storing frames
44964fd1 1714 set_tracing(true);
4e12287d
RS		 1715 clear_trace();
1716
1717 bQuiet = false;
4e12287d
RS		 1718
1719 LED_D_ON();
1720
1721// Configure output and enable pin that is connected to the FPGA (for modulating)
1722 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1723 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1724
1725// Set fpga in edge detect with reader field, we can modulate as reader now
7b6e3205 1726 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
4e12287d
RS		 1727
1728// Set Frequency divisor which will drive the FPGA and analog mux selection
1729 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1730 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1731 RELAY_OFF();
1732
1733// Disable modulation at default, which means enable the field
1734 LOW(GPIO_SSC_DOUT);
1735
1736// Give it a bit of time for the resonant antenna to settle.
1737 SpinDelay(30);
1738
1739// Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1740 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1741
1742// Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1743 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1744 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1745
1746// Disable timer during configuration
1747 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1748
1749// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1750// external trigger rising edge, load RA on falling edge of TIOA.
7b6e3205 1751 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
4e12287d
RS		 1752
1753// Enable and reset counters
1754 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1755 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1756
1757// Reset the received frame, frame count and timing info
1758 frame_count = 0;
1759 response = 0;
1760 lastbit = 1;
1761 bStop = false;
4e12287d
RS		 1762 t_wait = 200;
1763
1764 while (!bStop && !BUTTON_PRESS()) {
1765 // Watchdog hit
1766 WDT_HIT();
1767
7b6e3205 1768
1769 // Add transmitted frame to total count
1770 if (txlen > 0) {
1771 frame_count++;
1772
1773 if (tag.pstate == READY && rxlen < 1) {
1774 //skip logging starting auths if no response
1775 } else {
1776 if (!bQuiet) {
1777 // Store the frame in the trace
1778 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1779 if (bQuitTraceFull) {
1780 DbpString("Trace full");
1781 break;
1782 } else {
1783 bQuiet = true;
1784 }
1785 }
1786 }
1787 }
1788 }
1789
4e12287d
RS		 1790 // Check if frame was captured and store it
1791 if (rxlen > 0) {
1792 frame_count++;
1793 if (!bQuiet) {
1794 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1795 DbpString("Trace full");
1796 if (bQuitTraceFull) {
1797 break;
1798 } else {
1799 bQuiet = true;
1800 }
1801 }
1802 }
1803 }
1804
1805 // By default reset the transmission buffer
1806 tx = txbuf;
1807 txlen = 0;
1808
7b6e3205 1809 if (DEBUG >= 2) {
1810 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count, rxlen, (int)tag.pstate, (int)tag.tstate);
1811 }
1812
4e12287d
RS		 1813 if (rxlen == 0) {
1814 //start authentication
7b6e3205 1815 hitag_start_auth(tx, &txlen);
4e12287d 1816 } else if (tag.pstate != SELECTED) {
7b6e3205 1817 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1) {
1818 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
4e12287d 1819 bStop = !false;
4e12287d 1820 }
7b6e3205 1821 }
4e12287d 1822
7b6e3205 1823
1824
1825 if (readBlock && tag.pstate == SELECTED && (tag.tstate == READING_BLOCK || tag.tstate == NO_OP) && rxlen > 0) {
1826 i = hitag_read_block(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1827 if (i > 0) { sendNum+=4; }
1828 if (sendNum+4 >= tag.max_page) {
1829 bStop = !false;
1830 }
1831 } else if (!readBlock && tag.pstate == SELECTED && (tag.tstate == READING_PAGE || tag.tstate == NO_OP) && rxlen > 0) {
1832 i = hitag_read_page(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1833 if (i > 0) { sendNum++; }
4e12287d
RS		 1834 if (sendNum >= tag.max_page) {
1835 bStop = !false;
1836 }
1837 }
1838
1839 // Send and store the reader command
1840 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1841 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1842
1843 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1844 // Since the clock counts since the last falling edge, a 'one' means that the
1845 // falling edge occured halfway the period. with respect to this falling edge,
1846 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1847 // All timer values are in terms of T0 units
1848
7b6e3205 1849 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
4e12287d
RS		 1850
1851 // Transmit the reader frame
1852 hitag_reader_send_frame(tx, txlen);
1853
7b6e3205 1854
4e12287d
RS		 1855 // Enable and reset external trigger in timer for capturing future frames
1856 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1857
4e12287d
RS		 1858
1859 // Reset values for receiving frames
1860 memset(rx, 0x00, sizeof(rx));
1861 rxlen = 0;
1862 lastbit = 1;
4e12287d
RS		 1863 response = 0;
1864
7b6e3205 1865 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1866 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 1867 }
1868 end=false;
1869 LED_B_OFF();
1870 LED_D_OFF();
1871 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1872 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1873 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1874 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1875}
1876
7b6e3205 1877void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock) {
1878 if (tagMode == 1) {
1879 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1880 ReadHitagSintern(htf, htd, ADVANCED, (int)startPage, readBlock);
1881 } else if (tagMode == 2) {
1882 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1883 ReadHitagSintern(htf, htd, FAST_ADVANCED, (int)startPage, readBlock);
1884 } else {
1885 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock, startPage);
1886 ReadHitagSintern(htf, htd, STANDARD, (int)startPage, readBlock);
1887 }
1888}
1889
1890
1891
4e12287d
RS		 1892/*
1893 * Authenticates to the Tag with the given Key or Challenge.
1894 * Writes the given 32Bit data into page_
1895 */
1896void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1897 int frame_count;
1898 int response;
1899 byte_t rx[HITAG_FRAME_LEN];
1900 size_t rxlen = 0;
1901 byte_t txbuf[HITAG_FRAME_LEN];
1902 byte_t* tx = txbuf;
1903 size_t txlen = 0;
1904 int lastbit;
4e12287d
RS		 1905 int t_wait = HITAG_T_WAIT_MAX;
1906 bool bStop;
1907 bool bQuitTraceFull = false;
1908 int page = page_;
1909 unsigned char crc;
1910 byte_t data[4]= {0,0,0,0};
1911
1912 //read given key/challenge, the page and the data
1913 byte_t NrAr_[8];
1914 uint64_t key=0;
1915 uint64_t NrAr=0;
1916 byte_t key_[6];
1917 switch(htf) {
1918 case 03: { //WHTS_CHALLENGE
1919 memcpy(data,htd->auth.data,4);
1920 DbpString("Authenticating using nr,ar pair:");
1921 memcpy(NrAr_,htd->auth.NrAr,8);
1922 Dbhexdump(8,NrAr_,false);
1923 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1924 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1925 } break;
1926 case 04: { //WHTS_KEY
1927 memcpy(data,htd->crypto.data,4);
1928 DbpString("Authenticating using key:");
1929 memcpy(key_,htd->crypto.key,6);
1930 Dbhexdump(6,key_,false);
1931 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1932 } break;
1933 default: {
1934 Dbprintf("Error , unknown function: %d",htf);
1935 return;
1936 } break;
1937 }
1938
1939 Dbprintf("Page: %d",page_);
1940 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1941 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1942// Reset the return status
1943 bSuccessful = false;
1944
1945 tag.pstate = READY;
1946 tag.tstate = NO_OP;
1947
1948// Clean up trace and prepare it for storing frames
44964fd1 1949 set_tracing(true);
4e12287d
RS		 1950 clear_trace();
1951
1952 bQuiet = false;
4e12287d
RS		 1953
1954 LED_D_ON();
1955
1956// Configure output and enable pin that is connected to the FPGA (for modulating)
1957 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1958 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1959
1960// Set fpga in edge detect with reader field, we can modulate as reader now
7b6e3205 1961 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
4e12287d
RS		 1962
1963// Set Frequency divisor which will drive the FPGA and analog mux selection
1964 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1965 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1966 RELAY_OFF();
1967
1968// Disable modulation at default, which means enable the field
1969 LOW(GPIO_SSC_DOUT);
1970
1971// Give it a bit of time for the resonant antenna to settle.
1972 SpinDelay(30);
1973
1974// Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1975 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1976
1977// Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1978 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1979 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1980
1981// Disable timer during configuration
1982 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1983
1984// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1985// external trigger rising edge, load RA on falling edge of TIOA.
1986 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1987 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1988 | AT91C_TC_LDRA_FALLING;
1989
1990// Enable and reset counters
1991 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1992 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1993
1994// Reset the received frame, frame count and timing info
1995 frame_count = 0;
1996 response = 0;
1997 lastbit = 1;
1998 bStop = false;
4e12287d
RS		 1999 t_wait = 200;
2000
2001 while (!bStop && !BUTTON_PRESS()) {
2002 // Watchdog hit
2003 WDT_HIT();
2004
2005 // Check if frame was captured and store it
2006 if (rxlen > 0) {
2007 frame_count++;
2008 if (!bQuiet) {
2009 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2010 DbpString("Trace full");
2011 if (bQuitTraceFull) {
2012 break;
2013 } else {
2014 bQuiet = true;
2015 }
2016 }
2017 }
2018 }
2019
2020 //check for valid input
7b6e3205 2021 /*
4e12287d 2022 if (page == 0) {
7b6e3205 2023 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
4e12287d 2024 bStop = !false;
7b6e3205 2025 }*/
2026
4e12287d
RS		 2027
2028 // By default reset the transmission buffer
2029 tx = txbuf;
2030 txlen = 0;
2031
2032 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
2033 //no write access on this page
2034 Dbprintf("no write access on page %d", page_);
2035 bStop = !false;
2036 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
2037 //start the authetication
7b6e3205 2038 //tag.mode = ADVANCED;
2039 tag.mode = STANDARD;
2040 hitag_start_auth(tx, &txlen);
2041 m = AC2K;
4e12287d
RS		 2042 } else if (tag.pstate != SELECTED) {
2043 //try to authenticate with the given key or challenge
7b6e3205 2044 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1) {
4e12287d 2045 bStop = !false;
7b6e3205 2046 }
2047 m = MC4K;
4e12287d 2048 }
7b6e3205 2049
4e12287d
RS		 2050 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
2051 //check if the given page exists
2052 if (page > tag.max_page) {
2053 Dbprintf("page number too big");
2054 bStop = !false;
2055 }
2056 //ask Tag for write permission
2057 tag.tstate = WRITING_PAGE_ACK;
2058 txlen = 20;
2059 crc = CRC_PRESET;
2060 tx[0] = 0x90 + (page / 16);
2061 calc_crc(&crc, tx[0], 8);
2062 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
2063 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
2064 tx[2] = 0x00 + (crc % 16) * 16;
2065 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
7b6e3205 2066 && rxlen == 2 && rx[0] == 0x40) {
4e12287d
RS		 2067 //ACK recieved to write the page. send data
2068 tag.tstate = WRITING_PAGE_DATA;
2069 txlen = 40;
2070 crc = CRC_PRESET;
2071 calc_crc(&crc, data[3], 8);
2072 calc_crc(&crc, data[2], 8);
2073 calc_crc(&crc, data[1], 8);
2074 calc_crc(&crc, data[0], 8);
2075 tx[0] = data[3];
2076 tx[1] = data[2];
2077 tx[2] = data[1];
2078 tx[3] = data[0];
2079 tx[4] = crc;
2080 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
7b6e3205 2081 && rxlen == 2 && rx[0] == 0x40) {
4e12287d
RS		 2082 //received ACK
2083 Dbprintf("Successful!");
2084 bStop = !false;
2085 }
2086
2087 // Send and store the reader command
2088 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2089 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2090
2091 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2092 // Since the clock counts since the last falling edge, a 'one' means that the
2093 // falling edge occured halfway the period. with respect to this falling edge,
2094 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2095 // All timer values are in terms of T0 units
2096
2097 while (AT91C_BASE_TC0->TC_CV
2098 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2099 ;
2100
2101 // Transmit the reader frame
2102 hitag_reader_send_frame(tx, txlen);
2103
2104 // Enable and reset external trigger in timer for capturing future frames
2105 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2106
2107 // Add transmitted frame to total count
2108 if (txlen > 0) {
2109 frame_count++;
2110 if (!bQuiet) {
2111 // Store the frame in the trace
2112 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2113 if (bQuitTraceFull) {
2114 DbpString("Trace full");
2115 break;
2116 } else {
2117 bQuiet = true;
2118 }
2119 }
2120 }
2121 }
2122
2123 // Reset values for receiving frames
2124 memset(rx, 0x00, sizeof(rx));
2125 rxlen = 0;
2126 lastbit = 1;
4e12287d
RS		 2127 response = 0;
2128
7b6e3205 2129 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 2130 }
2131 end=false;
2132 LED_B_OFF();
2133 LED_D_OFF();
2134 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2135 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2136 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2137 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2138}
2139
7b6e3205 2140
4e12287d
RS		 2141/*
2142 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2143 * Displays all Challenges that failed.
2144 * When collecting Challenges to break the key it is possible that some data
2145 * is not received correctly due to Antenna problems. This function
2146 * detects these challenges.
2147 */
7b6e3205 2148void check_challenges_cmd(bool file_given, byte_t* data, uint64_t tagMode) {
4e12287d
RS		 2149 int i, j, z, k;
2150 byte_t uid_byte[4];
2151 int frame_count;
2152 int response;
2153 byte_t rx[HITAG_FRAME_LEN];
2154 byte_t unlocker[60][8];
2155 int u1 = 0;
2156 size_t rxlen = 0;
2157 byte_t txbuf[HITAG_FRAME_LEN];
2158 byte_t* tx = txbuf;
2159 size_t txlen = 0;
2160 int lastbit;
4e12287d
RS		 2161 int t_wait = HITAG_T_WAIT_MAX;
2162 int STATE = 0;
2163 bool bStop;
2164 bool bQuitTraceFull = false;
2165 int response_bit[200];
2166 unsigned char mask = 1;
2167 unsigned char uid[32];
2168 unsigned char crc;
2169
7b6e3205 2170 if (tagMode == 1) {
2171 Dbprintf("check_challenges in mode=ADVANCED");
2172 tag.mode = ADVANCED;
2173 } else if (tagMode == 2) {
2174 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2175 tag.mode = FAST_ADVANCED;
2176 } else {
2177 Dbprintf("check_challenges in mode=STANDARD");
2178 tag.mode = STANDARD;
2179 }
2180
2181
4e12287d
RS		 2182 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2183// Reset the return status
2184 bSuccessful = false;
2185
2186// Clean up trace and prepare it for storing frames
44964fd1 2187 set_tracing(true);
4e12287d
RS		 2188 clear_trace();
2189
2190 bQuiet = false;
4e12287d
RS		 2191
2192 LED_D_ON();
2193
2194// Configure output and enable pin that is connected to the FPGA (for modulating)
2195 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
2196 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
2197
2198// Set fpga in edge detect with reader field, we can modulate as reader now
2199 FpgaWriteConfWord(
2200 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
2201
2202// Set Frequency divisor which will drive the FPGA and analog mux selection
2203 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
2204 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2205 RELAY_OFF();
2206
2207// Disable modulation at default, which means enable the field
2208 LOW(GPIO_SSC_DOUT);
2209
2210// Give it a bit of time for the resonant antenna to settle.
2211 SpinDelay(30);
2212
2213// Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
2214 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
2215
2216// Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
2217 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
2218 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
2219
2220// Disable timer during configuration
2221 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2222
2223// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2224// external trigger rising edge, load RA on falling edge of TIOA.
7b6e3205 2225 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
4e12287d
RS		 2226
2227// Enable and reset counters
2228 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2229 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2230
2231// Reset the received frame, frame count and timing info
2232 frame_count = 0;
2233 response = 0;
2234 lastbit = 1;
2235 bStop = false;
2236
4e12287d
RS		 2237 t_wait = 200;
2238
2239 if (file_given) {
2240 DbpString("Loading challenges...");
2241 memcpy((byte_t*)unlocker,data,60*8);
2242 }
2243
2244 while (file_given && !bStop && !BUTTON_PRESS()) {
2245 // Watchdog hit
2246 WDT_HIT();
2247
2248 // Check if frame was captured and store it
2249 if (rxlen > 0) {
2250 frame_count++;
2251 if (!bQuiet) {
2252 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2253 DbpString("Trace full");
2254 if (bQuitTraceFull) {
2255 break;
2256 } else {
2257 bQuiet = true;
2258 }
2259 }
2260 }
2261 }
2262
2263 tx = txbuf;
2264 txlen = 0;
2265 if (rxlen == 0) {
7b6e3205 2266 if (STATE == 2) {
4e12287d
RS		 2267 // challenge failed
2268 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2269 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
2270 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
2271 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
2272 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
7b6e3205 2273 }
4e12287d 2274 STATE = 0;
7b6e3205 2275 hitag_start_auth(tx, &txlen);
2276 } else if (rxlen >= 32 && STATE == 0) {
4e12287d
RS		 2277 //received uid
2278 z = 0;
2279 for (i = 0; i < 10; i++) {
2280 for (j = 0; j < 8; j++) {
2281 response_bit[z] = 0;
2282 if ((rx[i] & ((mask << 7) >> j)) != 0)
2283 response_bit[z] = 1;
2284 z++;
2285 }
2286 }
7b6e3205 2287 for (i = 0; i < 32; i++) {
2288 uid[i] = response_bit[i];
4e12287d 2289 }
7b6e3205 2290
4e12287d
RS		 2291 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
2292 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
2293 | (uid[6] << 1) | uid[7];
2294 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
2295 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
2296 | (uid[14] << 1) | uid[15];
2297 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
2298 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
2299 | (uid[22] << 1) | uid[23];
2300 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
2301 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
2302 | (uid[30] << 1) | uid[31];
2303 //Dbhexdump(10, rx, rxlen);
2304 STATE = 1;
2305 txlen = 45;
2306 crc = CRC_PRESET;
2307 calc_crc(&crc, 0x00, 5);
2308 calc_crc(&crc, uid_byte[0], 8);
2309 calc_crc(&crc, uid_byte[1], 8);
2310 calc_crc(&crc, uid_byte[2], 8);
2311 calc_crc(&crc, uid_byte[3], 8);
2312 for (i = 0; i < 100; i++) {
2313 response_bit[i] = 0;
2314 }
2315 for (i = 0; i < 5; i++) {
2316 response_bit[i] = 0;
2317 }
2318 for (i = 5; i < 37; i++) {
2319 response_bit[i] = uid[i - 5];
2320 }
2321 for (j = 0; j < 8; j++) {
2322 response_bit[i] = 0;
2323 if ((crc & ((mask << 7) >> j)) != 0)
2324 response_bit[i] = 1;
2325 i++;
2326 }
2327 k = 0;
2328 for (i = 0; i < 6; i++) {
2329 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2330 | (response_bit[k + 2] << 5)
2331 | (response_bit[k + 3] << 4)
2332 | (response_bit[k + 4] << 3)
2333 | (response_bit[k + 5] << 2)
2334 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2335 k += 8;
2336 }
2337
7b6e3205 2338
2339 tag.pstate = INIT;
2340 } else if (STATE == 1 && rxlen > 24) {
4e12287d
RS		 2341 //received configuration
2342 STATE = 2;
2343 z = 0;
2344 for (i = 0; i < 6; i++) {
2345 for (j = 0; j < 8; j++) {
2346 response_bit[z] = 0;
2347 if ((rx[i] & ((mask << 7) >> j)) != 0)
2348 response_bit[z] = 1;
2349 z++;
2350 }
2351 }
2352 txlen = 64;
2353
2354 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2355 bStop = !false;
2356 for (i = 0; i < 8; i++)
2357 tx[i] = unlocker[u1][i];
2358 u1++;
2359
7b6e3205 2360 tag.pstate = SELECTED;
2361 } else if (STATE == 2 && rxlen >= 32) {
4e12287d
RS		 2362 STATE = 0;
2363 }
2364
2365 // Send and store the reader command
2366 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2367 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2368
2369 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2370 // Since the clock counts since the last falling edge, a 'one' means that the
2371 // falling edge occured halfway the period. with respect to this falling edge,
2372 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2373 // All timer values are in terms of T0 units
7b6e3205 2374 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
4e12287d
RS		 2375
2376 // Transmit the reader frame
2377 hitag_reader_send_frame(tx, txlen);
2378
2379 // Enable and reset external trigger in timer for capturing future frames
2380 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2381
2382 // Add transmitted frame to total count
2383 if (txlen > 0) {
2384 frame_count++;
2385 if (!bQuiet) {
2386 // Store the frame in the trace
2387 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2388 if (bQuitTraceFull) {
2389 DbpString("Trace full");
2390 break;
2391 } else {
2392 bQuiet = true;
2393 }
2394 }
2395 }
2396 }
2397
2398 // Reset values for receiving frames
2399 memset(rx, 0x00, sizeof(rx));
2400 rxlen = 0;
2401 lastbit = 1;
4e12287d
RS		 2402 response = 0;
2403
7b6e3205 2404 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 2405 }
2406 LED_B_OFF();
2407 LED_D_OFF();
2408 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2409 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2410 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2411 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2412}
2413
7b6e3205 2414/**
2415Backward compatibility
2416*/
2417void check_challenges(bool file_given, byte_t* data) {
2418 check_challenges_cmd(file_given, data, 1);
2419}
4e12287d 2420
7b6e3205 2421void ReadHitagS(hitag_function htf, hitag_data* htd) {
2422 ReadHitagSintern(htf, htd, ADVANCED, 0, false);
2423}
Proxmark3 GIT tracking
Impressum, Datenschutz