]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/hitagS.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
'lf hitag writer': add Hitag2 password auth
[proxmark3-svn] / armsrc / hitagS.c
CommitLineData
4e12287d
RS		 1//-----------------------------------------------------------------------------
2// This code is licensed to you under the terms of the GNU GPL, version 2 or,
3// at your option, any later version. See the LICENSE.txt file for the text of
4// the license.
5//-----------------------------------------------------------------------------
6// HitagS emulation (preliminary test version)
7//
8// (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9// <info@os-s.de>
10//-----------------------------------------------------------------------------
11// Some code was copied from Hitag2.c
12//-----------------------------------------------------------------------------
13
14
5866c187 15#include "hitagS.h"
16
4e12287d
RS		 17#include <stdlib.h>
18#include "proxmark3.h"
19#include "apps.h"
20#include "util.h"
5866c187 21#include "hitag.h"
4e12287d
RS		 22#include "string.h"
23#include "BigBuf.h"
fc52fbd4 24#include "fpgaloader.h"
4e12287d
RS		 25
26#define CRC_PRESET 0xFF
27#define CRC_POLYNOM 0x1D
28
4e12287d
RS		 29static bool bQuiet;
30static bool bSuccessful;
31static struct hitagS_tag tag;
32static byte_t page_to_be_written = 0;
33static int block_data_left = 0;
34typedef enum modulation {
35 AC2K = 0, AC4K, MC4K, MC8K
36} MOD;
5866c187 37static MOD m = AC2K; //used modulation
4e12287d
RS		 38static uint32_t temp_uid;
39static int temp2 = 0;
5866c187 40static int sof_bits; //number of start-of-frame bits
41static byte_t pwdh0, pwdl0, pwdl1; //password bytes
42static uint32_t rnd = 0x74124485; //randomnumber
4e12287d
RS		 43static int test = 0;
44size_t blocknr;
45bool end=false;
46
47// Single bit Hitag2 functions:
f2dbf3d2 48#define i4(x,a,b,c,d) ((uint32_t)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
49static const uint32_t ht2_f4a = 0x2C79; // 0010 1100 0111 1001
50static const uint32_t ht2_f4b = 0x6671; // 0110 0110 0111 0001
51static const uint32_t ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
5866c187 52#define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
53#define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
54#define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
f2dbf3d2 55#define uf20bs uint32_t
4e12287d 56
f2dbf3d2 57static uint32_t f20(const uint64_t x) {
58 uint32_t i5;
4e12287d
RS		 59
60 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
61 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
62 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
63 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
64 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
65
66 return (ht2_f5c >> i5) & 1;
67}
f2dbf3d2 68
69static uint64_t hitag2_init(const uint64_t key, const uint32_t serial, const uint32_t IV) {
70 uint32_t i;
71 uint64_t x = ((key & 0xFFFF) << 32) + serial;
72 for (i = 0; i < 32; i++) {
73 x >>= 1;
74 x += (uint64_t) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
75 }
76 return x;
77}
78
79static uint64_t hitag2_round(uint64_t *state) {
80 uint64_t x = *state;
4e12287d
RS		 81
82 x = (x >> 1)
83 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
84 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
85 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
86 & 1) << 47);
87
88 *state = x;
89 return f20(x);
90}
f2dbf3d2 91
92static uint32_t hitag2_byte(uint64_t *x) {
93 uint32_t i, c;
4e12287d
RS		 94
95 for (i = 0, c = 0; i < 8; i++)
f2dbf3d2 96 c += (uint32_t) hitag2_round(x) << (i ^ 7);
4e12287d
RS		 97 return c;
98}
99
100// Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
101// TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
102// Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
103// T0 = TIMER_CLOCK1 / 125000 = 192
5866c187 104#define T0 192
4e12287d 105
5866c187 106#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
107#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
4e12287d 108
5866c187 109#define HITAG_FRAME_LEN 20
110#define HITAG_T_STOP 36 /* T_EOF should be > 36 */
111#define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
112#define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
113#define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
4e12287d 114//#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
5866c187 115#define HITAG_T_EOF 80 /* T_EOF should be > 36 */
116#define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
117#define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
118#define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
119
120#define HITAG_T_TAG_ONE_HALF_PERIOD 10
121#define HITAG_T_TAG_TWO_HALF_PERIOD 25
122#define HITAG_T_TAG_THREE_HALF_PERIOD 41
123#define HITAG_T_TAG_FOUR_HALF_PERIOD 57
124
125#define HITAG_T_TAG_HALF_PERIOD 16
126#define HITAG_T_TAG_FULL_PERIOD 32
127
128#define HITAG_T_TAG_CAPTURE_ONE_HALF 13
129#define HITAG_T_TAG_CAPTURE_TWO_HALF 25
130#define HITAG_T_TAG_CAPTURE_THREE_HALF 41
131#define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
4e12287d
RS		 132
133#define DEBUG 0
134
135/*
136 * Implementation of the crc8 calculation from Hitag S
137 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
138 */
139void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
140 *crc ^= data; // crc = crc (exor) data
141 do {
142 if (*crc & 0x80) // if (MSB-CRC == 1)
143 {
144 *crc <<= 1; // CRC = CRC Bit-shift left
145 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
146 } else {
147 *crc <<= 1; // CRC = CRC Bit-shift left
148 }
149 } while (--Bitcount);
150}
151
7b6e3205 152
4e12287d
RS		 153static void hitag_send_bit(int bit) {
154 LED_A_ON();
155 // Reset clock for the next bit
156 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
157
158 switch (m) {
7b6e3205 159 case AC2K:
160 if (bit == 0) {
161 // AC Coding --__
162 HIGH(GPIO_SSC_DOUT);
163 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
164 ;
165 LOW(GPIO_SSC_DOUT);
166 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
167 ;
168 } else {
169 // AC coding -_-_
170 HIGH(GPIO_SSC_DOUT);
171 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
172 ;
173 LOW(GPIO_SSC_DOUT);
174 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
175 ;
176 HIGH(GPIO_SSC_DOUT);
177 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
178 ;
179 LOW(GPIO_SSC_DOUT);
180 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
181 ;;
182 }
183 LED_A_OFF();
184 break;
185 case AC4K:
186 if (bit == 0) {
187 // AC Coding --__
188 HIGH(GPIO_SSC_DOUT);
189 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
190 ;
191 LOW(GPIO_SSC_DOUT);
192 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
193 ;
194 } else {
195 // AC coding -_-_
196 HIGH(GPIO_SSC_DOUT);
197 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
198 ;
199 LOW(GPIO_SSC_DOUT);
200 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
201 ;
202 HIGH(GPIO_SSC_DOUT);
203 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
204 ;
205 LOW(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
207 ;
208 }
209 LED_A_OFF();
210 break;
211 case MC4K:
212 if (bit == 0) {
213 // Manchester: Unloaded, then loaded |__--|
214 LOW(GPIO_SSC_DOUT);
215 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
216 ;
217 HIGH(GPIO_SSC_DOUT);
218 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
219 ;
220 } else {
221 // Manchester: Loaded, then unloaded |--__|
222 HIGH(GPIO_SSC_DOUT);
223 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
224 ;
225 LOW(GPIO_SSC_DOUT);
226 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
227 ;
228 }
229 LED_A_OFF();
230 break;
231 case MC8K:
232 if (bit == 0) {
233 // Manchester: Unloaded, then loaded |__--|
234 LOW(GPIO_SSC_DOUT);
235 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
236 ;
237 HIGH(GPIO_SSC_DOUT);
238 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
239 ;
240 } else {
241 // Manchester: Loaded, then unloaded |--__|
242 HIGH(GPIO_SSC_DOUT);
243 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
244 ;
245 LOW(GPIO_SSC_DOUT);
246 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
247 ;
248 }
249 LED_A_OFF();
250 break;
251 default:
252 break;
4e12287d
RS		 253 }
254}
255
7b6e3205 256static void hitag_tag_send_frame(const byte_t* frame, size_t frame_len) {
4e12287d 257// Send start of frame
4e12287d
RS		 258 for (size_t i = 0; i < sof_bits; i++) {
259 hitag_send_bit(1);
260 }
261
262// Send the content of the frame
263 for (size_t i = 0; i < frame_len; i++) {
264 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
265 }
266// Drop the modulation
267 LOW(GPIO_SSC_DOUT);
268}
269
270static void hitag_reader_send_bit(int bit) {
271//Dbprintf("BIT: %d",bit);
272 LED_A_ON();
273// Reset clock for the next bit
274 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
275
276// Binary puls length modulation (BPLM) is used to encode the data stream
277// This means that a transmission of a one takes longer than that of a zero
278
279// Enable modulation, which means, drop the the field
280 HIGH(GPIO_SSC_DOUT);
281 if (test == 1) {
282 // Wait for 4-10 times the carrier period
283 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
284 ;
5866c187 285 // SpinDelayUs(8*8);
4e12287d
RS		 286
287 // Disable modulation, just activates the field again
288 LOW(GPIO_SSC_DOUT);
289
290 if (bit == 0) {
291 // Zero bit: |_-|
292 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
293 ;
5866c187 294 // SpinDelayUs(16*8);
4e12287d
RS		 295 } else {
296 // One bit: |_--|
297 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
298 ;
5866c187 299 // SpinDelayUs(22*8);
4e12287d
RS		 300 }
301 } else {
302 // Wait for 4-10 times the carrier period
303 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
304 ;
5866c187 305 // SpinDelayUs(8*8);
4e12287d
RS		 306
307 // Disable modulation, just activates the field again
308 LOW(GPIO_SSC_DOUT);
309
310 if (bit == 0) {
311 // Zero bit: |_-|
312 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
313 ;
5866c187 314 // SpinDelayUs(16*8);
4e12287d
RS		 315 } else {
316 // One bit: |_--|
317 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
318 ;
5866c187 319 // SpinDelayUs(22*8);
4e12287d
RS		 320 }
321 }
322
323 LED_A_OFF();
324}
325
326static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
7b6e3205 327 // Send the content of the frame
4e12287d
RS		 328 for (size_t i = 0; i < frame_len; i++) {
329 if (frame[0] == 0xf8) {
330 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
331 }
7b6e3205 332 hitag_reader_send_bit(((frame[i / 8] >> (7 - (i % 8))) & 1));
4e12287d
RS		 333 }
334// Send EOF
335 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
336// Enable modulation, which means, drop the the field
337 HIGH(GPIO_SSC_DOUT);
338// Wait for 4-10 times the carrier period
339 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
340 ;
341// Disable modulation, just activates the field again
342 LOW(GPIO_SSC_DOUT);
343}
344
7b6e3205 345static void hitag_decode_frame_MC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
346 size_t rxlen = 0;
347 bool bSkip = true;
348 int lastbit = 1;
349 int tag_sof = 0;
350 int timing = 1;
351 if (bitRate == 8) {
352 timing = 2;
353 }
354
355 for (int i=0; i < rawLen; i++) {
356 int ra = rawMod[i];
357 if (ra >= HITAG_T_EOF) {
358 if (rxlen != 0) {
359 //DbpString("wierd1?");
360 }
361 tag_sof = sofBits;
362
363 // Capture the T0 periods that have passed since last communication or field drop (reset)
364 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
365 *response = ra - HITAG_T_TAG_HALF_PERIOD;
366 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
367 tag_sof=0;
368 // Manchester coding example |-_|_-|-_| (101)
369 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
370 rxlen++;
371 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
372 rxlen++;
373 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
374 tag_sof=0;
375 // Manchester coding example |_-|...|_-|-_| (0...01)
376 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
377 rxlen++;
378 // We have to skip this half period at start and add the 'one' the second time
379 if (!bSkip) {
380 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
381 rxlen++;
382 }
383 lastbit = !lastbit;
384 bSkip = !bSkip;
385 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
386 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
387 if (tag_sof) {
388 // Ignore bits that are transmitted during SOF
389 tag_sof--;
390 } else {
391 // bit is same as last bit
392 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
393 rxlen++;
394 }
395 } else {
396 // Ignore wierd value, is to small to mean anything
397 }
5866c187 398 }
7b6e3205 399 *rxlenOrg = rxlen;
400}
401
5866c187 402/*
7b6e3205 403static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
404 int tag_sof = 1; //skip start of frame
405 size_t rxlen = 0;
406
407 for (int i=0; i < rawLen; i++) {
408 int ra = rawMod[i];
409 if (ra >= HITAG_T_EOF) {
410 if (rxlen != 0) {
411 //DbpString("wierd1?");
412 }
413 // Capture the T0 periods that have passed since last communication or field drop (reset)
414 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
415 tag_sof = 1;
416 *response = ra - HITAG_T_TAG_HALF_PERIOD;
417 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
418 // AC coding example |--__|--__| means 0
419 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
420 rxlen++;
421 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
422 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
423 rxlen++;
424 i++; //drop next capture
425 }
426 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
427 if (tag_sof) {
428 // Ignore bits that are transmitted during SOF
429 tag_sof--;
430 } else {
431 // AC coding example |-_-_|-_-_| which means 1
432 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
433 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
434 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
435 rxlen++;
436 i++; //drop next capture
437 } else {
438 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
439 }
440 }
441 } else {
442 // Ignore wierd value, is to small to mean anything
443 }
444 }
445 *rxlenOrg = rxlen;
446}
447*/
448
449static void hitag_decode_frame_AC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
450 int tag_sof = 1;
451 size_t rxlen = 0;
452 int timing = 1;
453 if (bitRate == 4) {
454 timing = 2;
455 }
5866c187 456
7b6e3205 457
458 for (int i=0; i < rawLen; i++) {
459 int ra = rawMod[i];
460 if (ra >= HITAG_T_EOF) {
461 if (rxlen != 0) {
462 //DbpString("wierd1?");
463 }
464
465 // Capture the T0 periods that have passed since last communication or field drop (reset)
466 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
467 tag_sof = sofBits;
468 *response = ra - HITAG_T_TAG_HALF_PERIOD;
469 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
470 tag_sof=0;
471
472 // AC coding example |--__|--__| means 0
473 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
474 rxlen++;
475 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
476 tag_sof=0;
477
478 if (rawMod[i-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
479 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
480 if (rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
481 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
482 rxlen++;
483 i++; //drop next capture
484 } else {
485 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
486 }
487 } else {
488 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
489 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
490 rxlen++;
491 }
492 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
493 if (tag_sof) {
494 // Ignore bits that are transmitted during SOF
495 tag_sof--;
496 } else {
497 // AC coding example |-_-_|-_-_| which means 1
498 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
499 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
500 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
501 rxlen++;
502 i++; //drop next capture
503 } else {
504 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
505 }
506 }
507 } else {
508 // Ignore wierd value, is to small to mean anything
509 }
510 }
511 *rxlenOrg = rxlen;
512}
513
514static void hitag_receive_frame(byte_t* rx, size_t* rxlen, int* response) {
515 int rawMod[200] = {0};
516 int rawLen = 0;
517 int i = 0;
518 int sofBits = 0;
519
520 m = MC4K;
521 if (tag.pstate == READY) {
522 switch (tag.mode) {
523 case STANDARD:
524 m = AC2K;
525 sofBits = 1;
526 break;
527 case ADVANCED:
528 m = AC2K;
5866c187 529 sofBits = 5; //3 sof bits but 5 captures
7b6e3205 530 break;
531 case FAST_ADVANCED:
532 m = AC4K;
5866c187 533 sofBits = 5; //3 sof bits but 5 captures
7b6e3205 534 break;
535 default:
536 break;
537 }
538 } else {
539 switch (tag.mode) {
540 case STANDARD:
541 m = MC4K;
542 sofBits = 0; //in theory 1
543 break;
544 case ADVANCED:
545 m = MC4K;
546 sofBits = 5; //in theory 6
547 break;
548 case FAST_ADVANCED:
549 m = MC8K;
550 sofBits = 5; //in theory 6
551 break;
552 default:
553 break;
554 }
555 }
5866c187 556
7b6e3205 557 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
558 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
559
560
561 //first capture timing values
562 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX ) {
563 // Check if rising edge in modulation is detected
564 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
565 // Retrieve the new timing values
566 int ra = (AT91C_BASE_TC1->TC_RA / T0);
567
568 LED_B_ON();
569 // Reset timer every frame, we have to capture the last edge for timing
570 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
571 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
572
573 if (rawLen >= 200) { //avoid exception
574 break;
575 }
576 rawMod[rawLen] = ra;
577 rawLen++;
578
579 // We can break this loop if we received the last bit from a frame
580 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
581 if (rawLen > 2) {
582 if (DEBUG >= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen); }
583 break;
584 }
585 }
586 }
587 }
588
589 if (DEBUG >= 2) {
590 for (i=0; i < rawLen; i+=20) {
5866c187 591 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
7b6e3205 592 rawMod[i],rawMod[i+1],rawMod[i+2],rawMod[i+3], rawMod[i+4],rawMod[i+5],rawMod[i+6],rawMod[i+7],
593 rawMod[i+8],rawMod[i+9],rawMod[i+10],rawMod[i+11], rawMod[i+12],rawMod[i+13],rawMod[i+14],rawMod[i+15],
594 rawMod[i+16],rawMod[i+17],rawMod[i+18],rawMod[i+19]
595 );
596 }
597 }
598
599 switch (m) {
600 // DATA | 1 | 0 | 1 | 1 | 0 |
601 // Manchester |--__|__--|--__|--__|__--|
602 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
5866c187 603 // |<-->|
604 // | T |
7b6e3205 605 case AC2K:
606 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC2K"); }
607 hitag_decode_frame_AC(2, sofBits, rx, rxlen, response, rawMod, rawLen);
608 break;
609 case AC4K:
610 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC4K"); }
611 hitag_decode_frame_AC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
612 break;
613 case MC4K:
614 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC4K"); }
615 hitag_decode_frame_MC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
616 break;
617 case MC8K:
618 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC8K"); }
619 hitag_decode_frame_MC(8, sofBits, rx, rxlen, response, rawMod, rawLen);
620 break;
621 }
622
623 LED_B_OFF();
624 if (DEBUG >= 2) {
625 int rb[200] = {0}; int z = 0;
626 for (i = 0; i < 16; i++) { for (int j = 0; j < 8; j++) {
627 rb[z] = 0;
628 if ((rx[i] & ((1 << 7) >> j)) != 0) { rb[z] = 1; }
629 z++;
630 } }
631 for (i=0; i < z; i+=8) {
632 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb[i],rb[i+1],rb[i+2],rb[i+3],rb[i+4],rb[i+5],rb[i+6],rb[i+7] );
633 }
634 }
635}
636
637static void hitag_start_auth(byte_t* tx, size_t* txlen) {
638 *txlen = 5;
639 switch (tag.mode) {
640 case STANDARD:
641 //00110 - 0x30 - STANDARD MODE
642 memcpy(tx, "\x30", nbytes(*txlen));
643 break;
644 case ADVANCED:
645 //11000 - 0xc0 - Advance Mode
646 memcpy(tx, "\xc0", nbytes(*txlen));
647 break;
648 case FAST_ADVANCED:
649 //TODO!
650 break;
651 default: //STANDARD MODE
652 memcpy(tx, "\x30", nbytes(*txlen));
653 break;
654 }
655 tag.pstate = READY;
656 tag.tstate = NO_OP;
657}
658
659static int hitag_read_page(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int pageNum) {
660 int i, j, z;
661 int response_bit[200];
662 unsigned char mask = 1;
663 unsigned char crc;
664 unsigned char pageData[32];
665
666 if (pageNum >= tag.max_page) {
667 return -1;
668 }
669 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
670 //send read request
671 tag.tstate = READING_PAGE;
672 *txlen = 20;
673 crc = CRC_PRESET;
674 tx[0] = 0xc0 + (pageNum / 16);
675 calc_crc(&crc, tx[0], 8);
676 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
677 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
5866c187 678 tx[2] = 0x00 + (crc % 16) * 16;
7b6e3205 679 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE && *rxlen > 0) {
680 //save received data
681 z = 0;
682 for (i = 0; i < 4; i++) {
683 for (j = 0; j < 8; j++) {
684 response_bit[z] = 0;
685 if ((rx[i] & ((mask << 7) >> j)) != 0) {
686 response_bit[z] = 1;
687 }
688 if (z < 32) {
689 pageData[z] = response_bit[z];
690 }
691
692 z++;
693 }
694 }
695 for (i = 0; i < 4; i++) {
696 tag.pages[pageNum][i] = 0x0;
697 }
698 for (i = 0; i < 4; i++) {
5866c187 699 tag.pages[pageNum][i] += ((pageData[i * 8] << 7) | (pageData[1 + (i * 8)] << 6) |
700 (pageData[2 + (i * 8)] << 5) | (pageData[3 + (i * 8)] << 4) |
701 (pageData[4 + (i * 8)] << 3) | (pageData[5 + (i * 8)] << 2) |
7b6e3205 702 (pageData[6 + (i * 8)]
703 << 1) | pageData[7 + (i * 8)]);
704 }
705 if (tag.auth && tag.LKP && pageNum == 1) {
706 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
707 tag.pages[pageNum][2], tag.pages[pageNum][1], tag.pages[pageNum][0]);
708 } else {
709 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
5866c187 710 tag.pages[pageNum][3], tag.pages[pageNum][2],
7b6e3205 711 tag.pages[pageNum][1], tag.pages[pageNum][0]);
712 }
713
5866c187 714
7b6e3205 715 //display key and password if possible
716 if (pageNum == 1 && tag.auth == 1 && tag.LKP) {
717 if (htf == 02) { //RHTS_KEY
718 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
719 (byte_t)(key >> 8) & 0xff,
720 (byte_t) key & 0xff, pwdl1, pwdl0);
721 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
722 (byte_t)(key >> 40) & 0xff,
723 (byte_t)(key >> 32) & 0xff,
724 (byte_t)(key >> 24) & 0xff,
725 (byte_t)(key >> 16) & 0xff);
726 } else {
727 //if the authentication is done with a challenge the key and password are unknown
728 Dbprintf("Page[ 2]: __ __ __ __");
729 Dbprintf("Page[ 3]: __ __ __ __");
730 }
731 }
732
733 *txlen = 20;
734 crc = CRC_PRESET;
735 tx[0] = 0xc0 + ((pageNum+1) / 16);
736 calc_crc(&crc, tx[0], 8);
737 calc_crc(&crc, 0x00 + (((pageNum+1) % 16) * 16), 4);
738 tx[1] = 0x00 + (((pageNum+1) % 16) * 16) + (crc / 16);
739 tx[2] = 0x00 + (crc % 16) * 16;
740
741 return 1;
742 }
743 return 0;
744}
745
746static int hitag_read_block(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int blockNum) {
747 int i, j, z;
748 int response_bit[200];
749 unsigned char mask = 1;
750 unsigned char crc;
751 unsigned char blockData[128];
752
753 if (blockNum+4 >= tag.max_page) { //block always = 4 pages
754 return -1;
755 }
756
757 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
758 //send read request
759 tag.tstate = READING_BLOCK;
760 *txlen = 20;
761 crc = CRC_PRESET;
762 tx[0] = 0xd0 + (blockNum / 16);
763 calc_crc(&crc, tx[0], 8);
764 calc_crc(&crc, 0x00 + ((blockNum % 16) * 16), 4);
765 tx[1] = 0x00 + ((blockNum % 16) * 16) + (crc / 16);
5866c187 766 tx[2] = 0x00 + (crc % 16) * 16;
7b6e3205 767 } else if (tag.pstate == SELECTED && tag.tstate == READING_BLOCK && *rxlen > 0) {
768 //save received data
769 z = 0;
770 for (i = 0; i < 16; i++) {
771 for (j = 0; j < 8; j++) {
772 response_bit[z] = 0;
773 if ((rx[i] & ((mask << 7) >> j)) != 0) {
774 response_bit[z] = 1;
775 }
776 if (z < 128) {
777 blockData[z] = response_bit[z];
778 }
779 z++;
780 }
781 }
782
783 for (z = 0; z < 4; z++) { //4 pages
784 for (i = 0; i < 4; i++) {
785 tag.pages[blockNum+z][i] = 0x0;
786 }
787 }
788 for (z = 0; z < 4; z++) { //4 pages
789 for (i = 0; i < 4; i++) {
790 j = (i * 8) + (z*32); //bit in page + pageStart
5866c187 791 tag.pages[blockNum+z][i] = ((blockData[j] << 7) | (blockData[1 + j] << 6) |
792 (blockData[2 + j] << 5) | (blockData[3 + j] << 4) |
793 (blockData[4 + j] << 3) | (blockData[5 + j] << 2) |
7b6e3205 794 (blockData[6 + j] << 1) | blockData[7 + j]);
795 }
796 }
797 if (DEBUG) {
5866c187 798 for (z = 0; z < 4; z++) {
7b6e3205 799 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum+z,
5866c187 800 tag.pages[blockNum+z][3], tag.pages[blockNum+z][2],
7b6e3205 801 tag.pages[blockNum+z][1], tag.pages[blockNum+z][0]);
802 }
803 }
804 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum,
805 tag.pages[blockNum][3], tag.pages[blockNum][2], tag.pages[blockNum][1], tag.pages[blockNum][0],
806 tag.pages[blockNum+1][3], tag.pages[blockNum+1][2], tag.pages[blockNum+1][1], tag.pages[blockNum+1][0],
807 tag.pages[blockNum+2][3], tag.pages[blockNum+2][2], tag.pages[blockNum+2][1], tag.pages[blockNum+2][0],
808 tag.pages[blockNum+3][3], tag.pages[blockNum+3][2], tag.pages[blockNum+3][1], tag.pages[blockNum+3][0]);
809
810 *txlen = 20;
811 crc = CRC_PRESET;
812 tx[0] = 0xd0 + ((blockNum+4) / 16);
813 calc_crc(&crc, tx[0], 8);
814 calc_crc(&crc, 0x00 + (((blockNum+4) % 16) * 16), 4);
815 tx[1] = 0x00 + (((blockNum+4) % 16) * 16) + (crc / 16);
816 tx[2] = 0x00 + (crc % 16) * 16;
817
818 return 1;
819 }
820 return 0;
821}
822
823
4e12287d
RS		 824/*
825 * to check if the right uid was selected
826 */
827static int check_select(byte_t* rx, uint32_t uid) {
828 unsigned char resp[48];
829 int i;
830 uint32_t ans = 0x0;
831 for (i = 0; i < 48; i++)
832 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
833 for (i = 0; i < 32; i++)
834 ans += resp[5 + i] << (31 - i);
835 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
836 && rx[4] == 0x65 && rx[5] == 0x38)
837 Dbprintf("got uid %X", ans);*/
838 temp_uid = ans;
839 if (ans == tag.uid)
840 return 1;
841 return 0;
842}
843
844/*
845 * handles all commands from a reader
846 */
847static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
848 byte_t* tx, size_t* txlen) {
849 byte_t rx_air[HITAG_FRAME_LEN];
850 byte_t page;
851 int i;
f2dbf3d2 852 uint64_t state;
4e12287d
RS		 853 unsigned char crc;
854
7b6e3205 855 // Copy the (original) received frame how it is send over the air
4e12287d 856 memcpy(rx_air, rx, nbytes(rxlen));
7b6e3205 857 // Reset the transmission frame length
4e12287d 858 *txlen = 0;
7b6e3205 859 // Try to find out which command was send by selecting on length (in bits)
4e12287d 860 switch (rxlen) {
7b6e3205 861 case 5: {
862 //UID request with a selected response protocol mode
863 tag.pstate = READY;
864 tag.tstate = NO_OP;
865 if ((rx[0] & 0xf0) == 0x30) {
866 Dbprintf("recieved uid request in Standard Mode");
867 tag.mode = STANDARD;
868 sof_bits = 1;
869 m = AC2K;
870 }
871 if ((rx[0] & 0xf0) == 0xc0) {
872 Dbprintf("recieved uid request in ADVANCE Mode");
873 tag.mode = ADVANCED;
874 sof_bits = 3;
875 m = AC2K;
876 }
877 if ((rx[0] & 0xf0) == 0xd0) {
878 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
879 tag.mode = FAST_ADVANCED;
880 sof_bits = 3;
881 m = AC4K;
882 }
883 //send uid as a response
884 *txlen = 32;
885 for (i = 0; i < 4; i++) {
886 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
887 }
4e12287d 888 }
7b6e3205 889 break;
890 case 45: {
891 //select command from reader received
892 if (check_select(rx, tag.uid) == 1) {
893 //if the right tag was selected
894 *txlen = 32;
895 switch (tag.mode) {
896 case STANDARD:
897 Dbprintf("uid selected in Standard Mode");
898 sof_bits = 1;
899 m = MC4K;
900 break;
901 case ADVANCED:
902 Dbprintf("uid selected in ADVANCE Mode");
903 sof_bits = 6;
904 m = MC4K;
905 break;
906 case FAST_ADVANCED:
907 Dbprintf("uid selected in FAST_ADVANCE Mode");
908 sof_bits = 6;
909 m = MC8K;
910 break;
911 default:
912 break;
913 }
4e12287d 914
7b6e3205 915 //send configuration
916 tx[0] = tag.pages[1][3];
917 tx[1] = tag.pages[1][2];
918 tx[2] = tag.pages[1][1];
919 tx[3] = 0xff;
920 if (tag.mode != STANDARD) {
921 *txlen = 40;
922 crc = CRC_PRESET;
923 for (i = 0; i < 4; i++)
924 calc_crc(&crc, tx[i], 8);
925 tx[4] = crc;
926 }
927 }
4e12287d 928 }
4e12287d 929 break;
7b6e3205 930 case 64: {
931 switch (tag.mode) {
4e12287d
RS		 932 case STANDARD:
933 sof_bits = 1;
934 m = MC4K;
935 break;
936 case ADVANCED:
937 sof_bits = 6;
938 m = MC4K;
939 break;
940 case FAST_ADVANCED:
941 sof_bits = 6;
942 m = MC8K;
943 break;
944 default:
945 break;
4e12287d 946 }
4e12287d
RS		 947 //challenge message received
948 Dbprintf("Challenge for UID: %X", temp_uid);
949 temp2++;
f2dbf3d2 950 state = hitag2_init(REV64(tag.key), REV32(tag.pages[0][0]),
951 REV32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
4e12287d
RS		 952 Dbprintf(
953 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
954 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
4e12287d 955
7b6e3205 956 for (i = 0; i < 4; i++) {
4e12287d 957 hitag2_byte(&state);
7b6e3205 958 }
959
960 *txlen = 32;
4e12287d 961 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
7b6e3205 962 tx[0] = hitag2_byte(&state) ^ tag.pages[1][1];
4e12287d
RS		 963 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
964 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
965 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
966 if (tag.mode != STANDARD) {
967 //add crc8
968 *txlen = 40;
969 crc = CRC_PRESET;
7b6e3205 970 calc_crc(&crc, tag.pages[1][1], 8);
4e12287d
RS		 971 calc_crc(&crc, tag.pwdh0, 8);
972 calc_crc(&crc, tag.pwdl0, 8);
973 calc_crc(&crc, tag.pwdl1, 8);
974 tx[4] = (crc ^ hitag2_byte(&state));
975 }
4e12287d
RS		 976 }
977 case 40:
978 //data received to be written
979 if (tag.tstate == WRITING_PAGE_DATA) {
980 tag.tstate = NO_OP;
7b6e3205 981 tag.pages[page_to_be_written][0] = rx[3];
982 tag.pages[page_to_be_written][1] = rx[2];
983 tag.pages[page_to_be_written][2] = rx[1];
984 tag.pages[page_to_be_written][3] = rx[0];
985
4e12287d
RS		 986 //send ack
987 *txlen = 2;
988 tx[0] = 0x40;
989 page_to_be_written = 0;
990 switch (tag.mode) {
991 case STANDARD:
992 sof_bits = 1;
993 m = MC4K;
994 break;
995 case ADVANCED:
996 sof_bits = 6;
997 m = MC4K;
998 break;
999 case FAST_ADVANCED:
1000 sof_bits = 6;
1001 m = MC8K;
1002 break;
1003 default:
1004 break;
1005 }
1006 } else if (tag.tstate == WRITING_BLOCK_DATA) {
7b6e3205 1007 tag.pages[page_to_be_written][0] = rx[0];
1008 tag.pages[page_to_be_written][1] = rx[1];
1009 tag.pages[page_to_be_written][2] = rx[2];
1010 tag.pages[page_to_be_written][3] = rx[3];
1011
4e12287d
RS		 1012 //send ack
1013 *txlen = 2;
1014 tx[0] = 0x40;
1015 switch (tag.mode) {
1016 case STANDARD:
1017 sof_bits = 1;
1018 m = MC4K;
1019 break;
1020 case ADVANCED:
1021 sof_bits = 6;
1022 m = MC4K;
1023 break;
1024 case FAST_ADVANCED:
1025 sof_bits = 6;
1026 m = MC8K;
1027 break;
1028 default:
1029 break;
1030 }
1031 page_to_be_written++;
1032 block_data_left--;
1033 if (block_data_left == 0) {
1034 tag.tstate = NO_OP;
1035 page_to_be_written = 0;
1036 }
1037 }
1038 break;
1039 case 20: {
1040 //write page, write block, read page or read block command received
7b6e3205 1041 if ((rx[0] & 0xf0) == 0xc0) { //read page
4e12287d
RS		 1042 //send page data
1043 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
7b6e3205 1044 Dbprintf("reading page %d", page);
4e12287d 1045 *txlen = 32;
7b6e3205 1046 tx[0] = tag.pages[page][0];
1047 tx[1] = tag.pages[page][1];
1048 tx[2] = tag.pages[page][2];
1049 tx[3] = tag.pages[page][3];
5866c187 1050
4e12287d
RS		 1051 if (tag.LKP && page == 1)
1052 tx[3] = 0xff;
1053
1054 switch (tag.mode) {
1055 case STANDARD:
1056 sof_bits = 1;
1057 m = MC4K;
1058 break;
1059 case ADVANCED:
1060 sof_bits = 6;
1061 m = MC4K;
1062 break;
1063 case FAST_ADVANCED:
1064 sof_bits = 6;
1065 m = MC8K;
1066 break;
1067 default:
1068 break;
1069 }
1070
1071 if (tag.mode != STANDARD) {
1072 //add crc8
1073 *txlen = 40;
1074 crc = CRC_PRESET;
1075 for (i = 0; i < 4; i++)
1076 calc_crc(&crc, tx[i], 8);
1077 tx[4] = crc;
1078 }
1079
1080 if (tag.LKP && (page == 2 || page == 3)) {
1081 //if reader asks for key or password and the LKP-mark is set do not respond
1082 sof_bits = 0;
1083 *txlen = 0;
1084 }
7b6e3205 1085 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
4e12287d 1086 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
7b6e3205 1087 Dbprintf("reading block %d", page);
4e12287d
RS		 1088 *txlen = 32 * 4;
1089 //send page,...,page+3 data
1090 for (i = 0; i < 4; i++) {
7b6e3205 1091 tx[0 + (i * 4)] = tag.pages[page][0];
1092 tx[1 + (i * 4)] = tag.pages[page][1];
1093 tx[2 + (i * 4)] = tag.pages[page][2];
1094 tx[3 + (i * 4)] = tag.pages[page][3];
4e12287d
RS		 1095 page++;
1096 }
1097
1098 switch (tag.mode) {
7b6e3205 1099 case STANDARD:
1100 sof_bits = 1;
1101 m = MC4K;
1102 break;
1103 case ADVANCED:
1104 sof_bits = 6;
1105 m = MC4K;
1106 break;
1107 case FAST_ADVANCED:
1108 sof_bits = 6;
1109 m = MC8K;
1110 break;
1111 default:
1112 break;
4e12287d
RS		 1113 }
1114
1115 if (tag.mode != STANDARD) {
1116 //add crc8
1117 *txlen = 32 * 4 + 8;
1118 crc = CRC_PRESET;
1119 for (i = 0; i < 16; i++)
1120 calc_crc(&crc, tx[i], 8);
1121 tx[16] = crc;
1122 }
1123
1124 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
1125 sof_bits = 0;
1126 *txlen = 0;
1127 }
7b6e3205 1128 } else if ((rx[0] & 0xf0) == 0x80) { //write page
4e12287d
RS		 1129 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1130
1131 switch (tag.mode) {
1132 case STANDARD:
1133 sof_bits = 1;
1134 m = MC4K;
1135 break;
1136 case ADVANCED:
1137 sof_bits = 6;
1138 m = MC4K;
1139 break;
1140 case FAST_ADVANCED:
1141 sof_bits = 6;
1142 m = MC8K;
1143 break;
1144 default:
1145 break;
1146 }
1147 if ((tag.LCON && page == 1)
1148 || (tag.LKP && (page == 2 || page == 3))) {
1149 //deny
1150 *txlen = 0;
1151 } else {
1152 //allow
1153 *txlen = 2;
1154 tx[0] = 0x40;
1155 page_to_be_written = page;
1156 tag.tstate = WRITING_PAGE_DATA;
1157 }
1158
7b6e3205 1159 } else if ((rx[0] & 0xf0) == 0x90) { //write block
4e12287d
RS		 1160 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
1161 switch (tag.mode) {
1162 case STANDARD:
1163 sof_bits = 1;
1164 m = MC4K;
1165 break;
1166 case ADVANCED:
1167 sof_bits = 6;
1168 m = MC4K;
1169 break;
1170 case FAST_ADVANCED:
1171 sof_bits = 6;
1172 m = MC8K;
1173 break;
1174 default:
1175 break;
1176 }
1177 if (page % 4 != 0 || page == 0) {
1178 //deny
1179 *txlen = 0;
1180 } else {
1181 //allow
1182 *txlen = 2;
1183 tx[0] = 0x40;
1184 page_to_be_written = page;
1185 block_data_left = 4;
1186 tag.tstate = WRITING_BLOCK_DATA;
1187 }
1188 }
1189 }
1190 break;
1191 default:
1192
1193 break;
1194 }
1195}
1196
7b6e3205 1197
4e12287d
RS		 1198/*
1199 * to autenticate to a tag with the given key or challenge
1200 */
5866c187 1201static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx,
7b6e3205 1202 const size_t rxlen, byte_t* tx, size_t* txlen) {
4e12287d 1203 byte_t rx_air[HITAG_FRAME_LEN];
7b6e3205 1204 int response_bit[200] = {0};
4e12287d
RS		 1205 int i, j, z, k;
1206 unsigned char mask = 1;
1207 unsigned char uid[32];
1208 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
1209 unsigned char crc;
f2dbf3d2 1210 uint64_t state;
4e12287d
RS		 1211 byte_t auth_ks[4];
1212 byte_t conf_pages[3];
1213 memcpy(rx_air, rx, nbytes(rxlen));
1214 *txlen = 0;
1215
7b6e3205 1216 if (DEBUG) {
5866c187 1217 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen, (int)tag.pstate);
1218 }
7b6e3205 1219
1220 if (tag.pstate == READY && rxlen >= 32) {
4e12287d
RS		 1221 //received uid
1222 if(end==true) {
1223 Dbprintf("authentication failed!");
1224 return -1;
1225 }
1226 z = 0;
1227 for (i = 0; i < 10; i++) {
1228 for (j = 0; j < 8; j++) {
1229 response_bit[z] = 0;
1230 if ((rx[i] & ((mask << 7) >> j)) != 0)
1231 response_bit[z] = 1;
1232 z++;
1233 }
1234 }
7b6e3205 1235 for (i = 0; i < 32; i++) {
1236 uid[i] = response_bit[i];
4e12287d 1237 }
5866c187 1238
4e12287d
RS		 1239 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
1240 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
1241 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
1242 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
1243 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
1244 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
1245 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
5866c187 1246 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
7b6e3205 1247 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
4e12287d
RS		 1248 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
1249
1250 //select uid
4e12287d
RS		 1251 crc = CRC_PRESET;
1252 calc_crc(&crc, 0x00, 5);
1253 calc_crc(&crc, uid1, 8);
1254 calc_crc(&crc, uid2, 8);
1255 calc_crc(&crc, uid3, 8);
1256 calc_crc(&crc, uid4, 8);
7b6e3205 1257 Dbprintf("crc: %02X", crc);
1258
1259 //resetting response bit
4e12287d
RS		 1260 for (i = 0; i < 100; i++) {
1261 response_bit[i] = 0;
1262 }
7b6e3205 1263
5866c187 1264 //skip the first 5
4e12287d
RS		 1265 for (i = 5; i < 37; i++) {
1266 response_bit[i] = uid[i - 5];
1267 }
7b6e3205 1268 //add crc value
4e12287d
RS		 1269 for (j = 0; j < 8; j++) {
1270 response_bit[i] = 0;
1271 if ((crc & ((mask << 7) >> j)) != 0)
1272 response_bit[i] = 1;
1273 i++;
1274 }
7b6e3205 1275
4e12287d
RS		 1276 k = 0;
1277 for (i = 0; i < 6; i++) {
1278 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1279 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
1280 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
1281 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1282 k += 8;
1283 }
7b6e3205 1284 *txlen = 45;
4e12287d 1285 tag.pstate = INIT;
7b6e3205 1286 } else if (tag.pstate == INIT && rxlen > 24) {
4e12287d
RS		 1287 // received configuration after select command
1288 z = 0;
7b6e3205 1289 for (i = 0; i < 4; i++) {
4e12287d
RS		 1290 for (j = 0; j < 8; j++) {
1291 response_bit[z] = 0;
7b6e3205 1292 if ((rx[i] & ((mask << 7) >> j)) != 0) {
4e12287d 1293 response_bit[z] = 1;
7b6e3205 1294 }
4e12287d
RS		 1295 z++;
1296 }
1297 }
7b6e3205 1298
4e12287d 1299 //check wich memorysize this tag has
7b6e3205 1300 //CON0
1301 if (response_bit[6] == 0 && response_bit[7] == 0)
4e12287d 1302 tag.max_page = 32 / 32;
7b6e3205 1303 if (response_bit[6] == 0 && response_bit[7] == 1)
4e12287d 1304 tag.max_page = 256 / 32;
7b6e3205 1305 if (response_bit[6] == 1 && response_bit[7] == 0)
1306 tag.max_page = 2048 / 32;
1307 if (response_bit[6] == 1 && response_bit[7] == 1) //reserved but some tags got this setting
4e12287d 1308 tag.max_page = 2048 / 32;
7b6e3205 1309
1310 //CON1
1311 tag.auth = response_bit[8];
1312 tag.TTFC = response_bit[9];
1313 //tag.TTFDR in response_bit[10] and response_bit[11]
1314 //tag.TTFM in response_bit[12] and response_bit[13]
1315 tag.LCON = response_bit[14];
1316 tag.LKP = response_bit[15];
5866c187 1317
7b6e3205 1318 //CON2
1319 tag.LCK7 = response_bit[16];
1320 tag.LCK6 = response_bit[17];
1321 tag.LCK5 = response_bit[18];
1322 tag.LCK4 = response_bit[19];
1323 tag.LCK3 = response_bit[20];
1324 tag.LCK2 = response_bit[21];
1325 tag.LCK1 = response_bit[22];
1326 tag.LCK0 = response_bit[23];
1327
1328 if (DEBUG) {
1329 conf_pages[0] = ((response_bit[0] << 7) | (response_bit[1] << 6)
1330 | (response_bit[2] << 5) | (response_bit[3] << 4)
1331 | (response_bit[4] << 3) | (response_bit[5] << 2)
1332 | (response_bit[6] << 1) | response_bit[7]);
1333 conf_pages[1] = ((response_bit[8] << 7) | (response_bit[9] << 6)
1334 | (response_bit[10] << 5) | (response_bit[11] << 4)
1335 | (response_bit[12] << 3) | (response_bit[13] << 2)
1336 | (response_bit[14] << 1) | response_bit[15]);
1337 conf_pages[2] = ((response_bit[16] << 7) | (response_bit[17] << 6)
1338 | (response_bit[18] << 5) | (response_bit[19] << 4)
1339 | (response_bit[20] << 3) | (response_bit[21] << 2)
1340 | (response_bit[22] << 1) | response_bit[23]);
1341 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
1342 Dbprintf("tag.max_page: %d, tag.auth: %d", tag.max_page, tag.auth);
1343 }
1344
4e12287d
RS		 1345 if (tag.auth == 1) {
1346 //if the tag is in authentication mode try the key or challenge
1347 *txlen = 64;
1348 if(end!=true){
1349 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
f2dbf3d2 1350 state = hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
7b6e3205 1351 /*
f2dbf3d2 1352 Dbprintf("key: %02X %02X\n\n", key, REV64(key));
1353 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, REV32(tag.uid));
1354 Dbprintf("rnd: %02X %02X\n\n", rnd, REV32(rnd));
7b6e3205 1355 */
4e12287d
RS		 1356 for (i = 0; i < 4; i++) {
1357 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
1358 }
1359 *txlen = 64;
1360 tx[0] = rnd & 0xff;
1361 tx[1] = (rnd >> 8) & 0xff;
1362 tx[2] = (rnd >> 16) & 0xff;
1363 tx[3] = (rnd >> 24) & 0xff;
1364
1365 tx[4] = auth_ks[0];
1366 tx[5] = auth_ks[1];
1367 tx[6] = auth_ks[2];
1368 tx[7] = auth_ks[3];
1369 if (DEBUG)
1370 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
1371 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
1372 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1373 for (i = 0; i < 8; i++)
1374 tx[i]=((NrAr>>(56-(i*8)))&0xff);
1375 }
1376 end=true;
1377 tag.pstate = AUTHENTICATE;
1378 } else {
1379 Dbprintf("authentication failed!");
1380 return -1;
1381 }
1382 } else if (tag.auth == 0) {
1383 tag.pstate = SELECTED;
1384 }
5866c187 1385
7b6e3205 1386 } else if (tag.pstate == AUTHENTICATE && rxlen >= 32) {
4e12287d 1387 //encrypted con2,password received.
4e12287d
RS		 1388 if (DEBUG) {
1389 Dbprintf("UID:::%X", tag.uid);
1390 Dbprintf("RND:::%X", rnd);
1391 }
1392
1393 //decrypt password
1394 pwdh0=0;
1395 pwdl0=0;
1396 pwdl1=0;
7b6e3205 1397 if(htf==02 || htf==04) { //RHTS_KEY //WHTS_KEY
f2dbf3d2 1398 state = hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
7b6e3205 1399 for (i = 0; i < 5; i++) {
4e12287d 1400 hitag2_byte(&state);
7b6e3205 1401 }
1402 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ hitag2_byte(&state);
1403 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ hitag2_byte(&state);
1404 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ hitag2_byte(&state);
1405 if (DEBUG) {
1406 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
1407 }
4e12287d 1408 }
4e12287d
RS		 1409 tag.pstate = SELECTED; //tag is now ready for read/write commands
1410 }
7b6e3205 1411
1412 if (DEBUG) {
5866c187 1413 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag.pstate);
1414 }
7b6e3205 1415
4e12287d 1416 return 0;
4e12287d
RS		 1417}
1418
1419/*
1420 * Emulates a Hitag S Tag with the given data from the .hts file
1421 */
1422void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
1423 int frame_count;
1424 int response;
1425 int overflow;
1426 int i, j;
1427 byte_t rx[HITAG_FRAME_LEN];
1428 size_t rxlen = 0;
4e12287d
RS		 1429 bQuiet = false;
1430 byte_t txbuf[HITAG_FRAME_LEN];
1431 byte_t* tx = txbuf;
1432 size_t txlen = 0;
7b6e3205 1433 uint8_t con0, con1, con2;
4e12287d
RS		 1434 BigBuf_free();
1435
1436// Clean up trace and prepare it for storing frames
44964fd1 1437 set_tracing(true);
4e12287d
RS		 1438 clear_trace();
1439
1440 DbpString("Starting HitagS simulation");
1441 LED_D_ON();
1442
1443 tag.pstate = READY;
1444 tag.tstate = NO_OP;
4e12287d
RS		 1445 //read tag data into memory
1446 if (tag_mem_supplied) {
1447 DbpString("Loading hitagS memory...");
7b6e3205 1448 for (i = 0; i < 64; i++) {
1449 for (j = 0; j < 4; j++) {
1450 tag.pages[i][j] = 0x0;
1451 }
1452 }
1453
5866c187 1454 for (i = 0; i < 64; i++) {
7b6e3205 1455 for (j = 0; j < 4; j++) {
1456 tag.pages[i][j] = data[(i*4)+j];
1457 }
1458 }
4e12287d 1459 }
7b6e3205 1460 tag.uid = (tag.pages[0][3] << 24 | tag.pages[0][2] << 16 | tag.pages[0][1] << 8 | tag.pages[0][0]);
1461 con0 = tag.pages[1][3];
1462 con1 = tag.pages[1][2];
1463 con2 = tag.pages[1][1];
1464 Dbprintf("UID: %X", tag.uid);
4e12287d 1465 Dbprintf("Hitag S simulation started");
7b6e3205 1466
1467 //0x01 plain mode - Reserved, CON2, CON1, CON0
1468 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1469 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1470 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1471
4e12287d 1472 //con0
7b6e3205 1473 tag.max_page = 2048 / 32;
1474 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 1)
1475 tag.max_page = 256 / 32;
1476 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 0)
1477 tag.max_page = 32 / 32;
1478
1479 //CON1
1480 tag.auth = ((con1 & 0x80) == 0x80) ? 1 : 0;
1481 tag.TTFC = ((con1 & 0x40) == 0x40) ? 1 : 0;
1482 //tag.TTFDR in response_bit[10] and response_bit[11]
1483 //tag.TTFM in response_bit[12] and response_bit[13]
1484 tag.LCON = ((con1 & 0x2) == 0x2) ? 1 : 0;
383f4e24 1485 tag.LKP = ((con1 & 0x1) == 0x1) ? 1 : 0;
5866c187 1486
7b6e3205 1487 //CON2
1488 tag.LCK7 = ((con2 & 0x80) == 0x80) ? 1 : 0;
1489 tag.LCK6 = ((con2 & 0x40) == 0x40) ? 1 : 0;
1490 tag.LCK5 = ((con2 & 0x20) == 0x20) ? 1 : 0;
1491 tag.LCK4 = ((con2 & 0x10) == 0x10) ? 1 : 0;
1492 tag.LCK3 = ((con2 & 0x8) == 0x8) ? 1 : 0;
1493 tag.LCK2 = ((con2 & 0x4) == 0x4) ? 1 : 0;
1494 tag.LCK1 = ((con2 & 0x2) == 0x2) ? 1 : 0;
1495 tag.LCK0 = ((con2 & 0x1) == 0x1) ? 1 : 0;
1496
1497 if (tag.auth == 1) {
1498 //TODO check if this working :D
1499 tag.key=(intptr_t)tag.pages[3];
1500 tag.key<<=16;
1501 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
1502 tag.pwdl0=tag.pages[2][3];
1503 tag.pwdl1=tag.pages[2][2];
1504 tag.pwdh0=tag.pages[1][0];
1505 }
1506
1507 // Set up simulator mode, frequency divisor which will drive the FPGA
1508 // and analog mux selection.
4e12287d 1509 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
28598e80 1510 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
4e12287d
RS		 1511 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1512 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1513 RELAY_OFF();
1514
7b6e3205 1515 // Configure output pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1516 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1517 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1518
7b6e3205 1519 // Disable modulation at default, which means release resistance
4e12287d
RS		 1520 LOW(GPIO_SSC_DOUT);
1521
7b6e3205 1522 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1523 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1524
7b6e3205 1525 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
4e12287d
RS		 1526 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1527 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1528
7b6e3205 1529 // Disable timer during configuration
5866c187 1530 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 1531 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1532
5866c187 1533 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1534 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1535
1536 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
7b6e3205 1537 // external trigger rising edge, load RA on rising edge of TIOA.
1538 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
4e12287d 1539
7b6e3205 1540 // Reset the received frame, frame count and timing info
4e12287d
RS		 1541 memset(rx, 0x00, sizeof(rx));
1542 frame_count = 0;
1543 response = 0;
1544 overflow = 0;
1545
7b6e3205 1546 // Enable and reset counter
4e12287d
RS		 1547 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1548
1549 while (!BUTTON_PRESS()) {
1550 // Watchdog hit
1551 WDT_HIT();
1552
1553 // Receive frame, watch for at most T0*EOF periods
7b6e3205 1554 //HITAG_T_WAIT_MAX
4e12287d
RS		 1555 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1556 // Check if rising edge in modulation is detected
1557 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1558 // Retrieve the new timing values
1559 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1560 overflow = 0;
1561
1562 // Reset timer every frame, we have to capture the last edge for timing
1563 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1564
1565 LED_B_ON();
1566
1567 // Capture reader frame
1568 if (ra >= HITAG_T_STOP) {
1569 if (rxlen != 0) {
1570 //DbpString("wierd0?");
1571 }
1572 // Capture the T0 periods that have passed since last communication or field drop (reset)
1573 response = (ra - HITAG_T_LOW);
1574 } else if (ra >= HITAG_T_1_MIN) {
1575 // '1' bit
1576 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1577 rxlen++;
1578 } else if (ra >= HITAG_T_0_MIN) {
1579 // '0' bit
1580 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1581 rxlen++;
1582 } else {
1583 // Ignore wierd value, is to small to mean anything
1584 }
1585 }
1586 }
1587
1588 // Check if frame was captured
1589 if (rxlen > 0) {
1590 frame_count++;
1591 if (!bQuiet) {
1592 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1593 DbpString("Trace full");
1594 clear_trace();
1595 }
1596 }
1597
1598 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1599 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1600
1601 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1602 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1603
1604 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1605 // not that since the clock counts since the rising edge, but T_Wait1 is
1606 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1607 // periods. The gap time T_Low varies (4..10). All timer values are in
1608 // terms of T0 units
7b6e3205 1609 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) { }
4e12287d
RS		 1610
1611 // Send and store the tag answer (if there is any)
1612 if (txlen > 0) {
1613 // Transmit the tag frame
7b6e3205 1614 hitag_tag_send_frame(tx, txlen);
1615
4e12287d
RS		 1616 // Store the frame in the trace
1617 if (!bQuiet) {
1618 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1619 DbpString("Trace full");
1620 clear_trace();
1621 }
1622 }
1623 }
1624
7b6e3205 1625 // Enable and reset external trigger in timer for capturing future frames
1626 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1627
4e12287d
RS		 1628 // Reset the received frame and response timing info
1629 memset(rx, 0x00, sizeof(rx));
1630 response = 0;
1631
4e12287d
RS		 1632 LED_B_OFF();
1633 }
1634 // Reset the frame length
1635 rxlen = 0;
1636 // Save the timer overflow, will be 0 when frame was received
1637 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1638 // Reset the timer to restart while-loop that receives frames
1639 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1640 }
7b6e3205 1641 Dbprintf("Hitag S simulation stopped");
4e12287d
RS		 1642 LED_B_OFF();
1643 LED_D_OFF();
1644 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1645 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1646 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1647}
1648
1649/*
1650 * Authenticates to the Tag with the given key or challenge.
1651 * If the key was given the password will be decrypted.
1652 * Reads every page of a hitag S transpoder.
1653 */
7b6e3205 1654void ReadHitagSintern(hitag_function htf, hitag_data* htd, stype tagMode, int startPage, bool readBlock) {
4e12287d 1655 int frame_count;
7b6e3205 1656 int i;
1657 int sendNum = startPage;
1658 tag.mode = tagMode;
1659
1660 //int i, j, z;
1661 //int response_bit[200];
1662 //unsigned char mask = 1;
1663
4e12287d
RS		 1664 int response;
1665 byte_t rx[HITAG_FRAME_LEN];
1666 size_t rxlen = 0;
1667 byte_t txbuf[HITAG_FRAME_LEN];
1668 byte_t* tx = txbuf;
1669 size_t txlen = 0;
1670 int lastbit;
4e12287d
RS		 1671 int t_wait = HITAG_T_WAIT_MAX;
1672 bool bStop;
1673 bool bQuitTraceFull = false;
7b6e3205 1674
4e12287d 1675 page_to_be_written = 0;
5866c187 1676
4e12287d
RS		 1677 //read given key/challenge
1678 byte_t NrAr_[8];
1679 uint64_t key=0;
1680 uint64_t NrAr=0;
1681 byte_t key_[6];
1682 switch(htf) {
7b6e3205 1683 case 01:
1684 case 03: { //RHTS_CHALLENGE
4e12287d
RS		 1685 DbpString("Authenticating using nr,ar pair:");
1686 memcpy(NrAr_,htd->auth.NrAr,8);
1687 Dbhexdump(8,NrAr_,false);
1688 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
5866c187 1689 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
4e12287d 1690 } break;
7b6e3205 1691 case 02:
1692 case 04: { //RHTS_KEY
4e12287d 1693 DbpString("Authenticating using key:");
5866c187 1694 memcpy(key_,htd->crypto.key,6);
4e12287d
RS		 1695 Dbhexdump(6,key_,false);
1696 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1697 } break;
1698 default: {
1699 Dbprintf("Error , unknown function: %d",htf);
1700 return;
1701 } break;
1702 }
1703
1704
1705
1706 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
5866c187 1707 // Reset the return status
4e12287d
RS		 1708 bSuccessful = false;
1709
5866c187 1710 // Clean up trace and prepare it for storing frames
44964fd1 1711 set_tracing(true);
4e12287d
RS		 1712 clear_trace();
1713
1714 bQuiet = false;
4e12287d
RS		 1715
1716 LED_D_ON();
1717
5866c187 1718 // Configure output and enable pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1719 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1720 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1721
5866c187 1722 // Set fpga in edge detect with reader field, we can modulate as reader now
7b6e3205 1723 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
4e12287d 1724
5866c187 1725 // Set Frequency divisor which will drive the FPGA and analog mux selection
1726 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
4e12287d
RS		 1727 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1728 RELAY_OFF();
1729
5866c187 1730 // Disable modulation at default, which means enable the field
4e12287d
RS		 1731 LOW(GPIO_SSC_DOUT);
1732
5866c187 1733 // Give it a bit of time for the resonant antenna to settle.
4e12287d
RS		 1734 SpinDelay(30);
1735
5866c187 1736 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1737 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1738
5866c187 1739 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
4e12287d
RS		 1740 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1741 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1742
5866c187 1743 // Disable timer during configuration
1744 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 1745 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1746
5866c187 1747 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1748 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1749
1750 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1751 // external trigger rising edge, load RA on falling edge of TIOA.
7b6e3205 1752 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
4e12287d 1753
5866c187 1754 // Enable and reset counters
4e12287d
RS		 1755 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1756 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1757
5866c187 1758 // Reset the received frame, frame count and timing info
4e12287d
RS		 1759 frame_count = 0;
1760 response = 0;
1761 lastbit = 1;
1762 bStop = false;
4e12287d
RS		 1763 t_wait = 200;
1764
1765 while (!bStop && !BUTTON_PRESS()) {
1766 // Watchdog hit
1767 WDT_HIT();
1768
7b6e3205 1769
1770 // Add transmitted frame to total count
1771 if (txlen > 0) {
1772 frame_count++;
1773
1774 if (tag.pstate == READY && rxlen < 1) {
1775 //skip logging starting auths if no response
1776 } else {
1777 if (!bQuiet) {
1778 // Store the frame in the trace
1779 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1780 if (bQuitTraceFull) {
1781 DbpString("Trace full");
1782 break;
1783 } else {
1784 bQuiet = true;
1785 }
1786 }
1787 }
1788 }
1789 }
1790
4e12287d
RS		 1791 // Check if frame was captured and store it
1792 if (rxlen > 0) {
1793 frame_count++;
1794 if (!bQuiet) {
1795 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1796 DbpString("Trace full");
1797 if (bQuitTraceFull) {
1798 break;
1799 } else {
1800 bQuiet = true;
1801 }
1802 }
1803 }
1804 }
1805
1806 // By default reset the transmission buffer
1807 tx = txbuf;
1808 txlen = 0;
1809
7b6e3205 1810 if (DEBUG >= 2) {
5866c187 1811 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count, rxlen, (int)tag.pstate, (int)tag.tstate);
1812 }
7b6e3205 1813
4e12287d
RS		 1814 if (rxlen == 0) {
1815 //start authentication
7b6e3205 1816 hitag_start_auth(tx, &txlen);
4e12287d 1817 } else if (tag.pstate != SELECTED) {
7b6e3205 1818 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1) {
1819 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
4e12287d 1820 bStop = !false;
4e12287d 1821 }
7b6e3205 1822 }
4e12287d 1823
7b6e3205 1824
5866c187 1825
7b6e3205 1826 if (readBlock && tag.pstate == SELECTED && (tag.tstate == READING_BLOCK || tag.tstate == NO_OP) && rxlen > 0) {
1827 i = hitag_read_block(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1828 if (i > 0) { sendNum+=4; }
1829 if (sendNum+4 >= tag.max_page) {
1830 bStop = !false;
1831 }
1832 } else if (!readBlock && tag.pstate == SELECTED && (tag.tstate == READING_PAGE || tag.tstate == NO_OP) && rxlen > 0) {
1833 i = hitag_read_page(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1834 if (i > 0) { sendNum++; }
4e12287d
RS		 1835 if (sendNum >= tag.max_page) {
1836 bStop = !false;
1837 }
1838 }
1839
1840 // Send and store the reader command
1841 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1842 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1843
1844 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1845 // Since the clock counts since the last falling edge, a 'one' means that the
1846 // falling edge occured halfway the period. with respect to this falling edge,
1847 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1848 // All timer values are in terms of T0 units
1849
7b6e3205 1850 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
4e12287d
RS		 1851
1852 // Transmit the reader frame
1853 hitag_reader_send_frame(tx, txlen);
1854
7b6e3205 1855
4e12287d
RS		 1856 // Enable and reset external trigger in timer for capturing future frames
1857 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1858
4e12287d
RS		 1859
1860 // Reset values for receiving frames
1861 memset(rx, 0x00, sizeof(rx));
1862 rxlen = 0;
1863 lastbit = 1;
4e12287d
RS		 1864 response = 0;
1865
5866c187 1866 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1867 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 1868 }
1869 end=false;
1870 LED_B_OFF();
1871 LED_D_OFF();
1872 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1873 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1874 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1875 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1876}
1877
7b6e3205 1878void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock) {
1879 if (tagMode == 1) {
1880 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1881 ReadHitagSintern(htf, htd, ADVANCED, (int)startPage, readBlock);
1882 } else if (tagMode == 2) {
1883 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1884 ReadHitagSintern(htf, htd, FAST_ADVANCED, (int)startPage, readBlock);
1885 } else {
1886 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock, startPage);
1887 ReadHitagSintern(htf, htd, STANDARD, (int)startPage, readBlock);
5866c187 1888 }
7b6e3205 1889}
1890
1891
1892
4e12287d
RS		 1893/*
1894 * Authenticates to the Tag with the given Key or Challenge.
1895 * Writes the given 32Bit data into page_
1896 */
1897void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1898 int frame_count;
1899 int response;
1900 byte_t rx[HITAG_FRAME_LEN];
1901 size_t rxlen = 0;
1902 byte_t txbuf[HITAG_FRAME_LEN];
1903 byte_t* tx = txbuf;
1904 size_t txlen = 0;
1905 int lastbit;
4e12287d
RS		 1906 int t_wait = HITAG_T_WAIT_MAX;
1907 bool bStop;
1908 bool bQuitTraceFull = false;
1909 int page = page_;
1910 unsigned char crc;
1911 byte_t data[4]= {0,0,0,0};
5866c187 1912
4e12287d
RS		 1913 //read given key/challenge, the page and the data
1914 byte_t NrAr_[8];
1915 uint64_t key=0;
1916 uint64_t NrAr=0;
1917 byte_t key_[6];
1918 switch(htf) {
1919 case 03: { //WHTS_CHALLENGE
1920 memcpy(data,htd->auth.data,4);
1921 DbpString("Authenticating using nr,ar pair:");
1922 memcpy(NrAr_,htd->auth.NrAr,8);
1923 Dbhexdump(8,NrAr_,false);
1924 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
5866c187 1925 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
4e12287d
RS		 1926 } break;
1927 case 04: { //WHTS_KEY
1928 memcpy(data,htd->crypto.data,4);
1929 DbpString("Authenticating using key:");
5866c187 1930 memcpy(key_,htd->crypto.key,6);
4e12287d
RS		 1931 Dbhexdump(6,key_,false);
1932 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1933 } break;
1934 default: {
1935 Dbprintf("Error , unknown function: %d",htf);
1936 return;
1937 } break;
1938 }
1939
1940 Dbprintf("Page: %d",page_);
1941 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1942 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
5866c187 1943 // Reset the return status
4e12287d
RS		 1944 bSuccessful = false;
1945
1946 tag.pstate = READY;
1947 tag.tstate = NO_OP;
1948
5866c187 1949 // Clean up trace and prepare it for storing frames
44964fd1 1950 set_tracing(true);
4e12287d
RS		 1951 clear_trace();
1952
1953 bQuiet = false;
4e12287d
RS		 1954
1955 LED_D_ON();
1956
5866c187 1957 // Configure output and enable pin that is connected to the FPGA (for modulating)
4e12287d
RS		 1958 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1959 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1960
5866c187 1961 // Set fpga in edge detect with reader field, we can modulate as reader now
7b6e3205 1962 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
4e12287d 1963
5866c187 1964 // Set Frequency divisor which will drive the FPGA and analog mux selection
4e12287d
RS		 1965 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1966 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1967 RELAY_OFF();
1968
5866c187 1969 // Disable modulation at default, which means enable the field
4e12287d
RS		 1970 LOW(GPIO_SSC_DOUT);
1971
5866c187 1972 // Give it a bit of time for the resonant antenna to settle.
4e12287d
RS		 1973 SpinDelay(30);
1974
5866c187 1975 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 1976 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1977
5866c187 1978 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
4e12287d
RS		 1979 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1980 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1981
5866c187 1982 // Disable timer during configuration
1983 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 1984 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1985
5866c187 1986 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1987 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1988
1989 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1990 // external trigger rising edge, load RA on falling edge of TIOA.
4e12287d
RS		 1991 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1992 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1993 | AT91C_TC_LDRA_FALLING;
1994
5866c187 1995 // Enable and reset counters
4e12287d
RS		 1996 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1997 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1998
5866c187 1999 // Reset the received frame, frame count and timing info
4e12287d
RS		 2000 frame_count = 0;
2001 response = 0;
2002 lastbit = 1;
2003 bStop = false;
4e12287d
RS		 2004 t_wait = 200;
2005
2006 while (!bStop && !BUTTON_PRESS()) {
2007 // Watchdog hit
2008 WDT_HIT();
2009
2010 // Check if frame was captured and store it
2011 if (rxlen > 0) {
2012 frame_count++;
2013 if (!bQuiet) {
2014 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2015 DbpString("Trace full");
2016 if (bQuitTraceFull) {
2017 break;
2018 } else {
2019 bQuiet = true;
2020 }
2021 }
2022 }
2023 }
2024
2025 //check for valid input
7b6e3205 2026 /*
4e12287d 2027 if (page == 0) {
7b6e3205 2028 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
4e12287d 2029 bStop = !false;
7b6e3205 2030 }*/
2031
4e12287d
RS		 2032
2033 // By default reset the transmission buffer
2034 tx = txbuf;
2035 txlen = 0;
2036
2037 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
2038 //no write access on this page
2039 Dbprintf("no write access on page %d", page_);
2040 bStop = !false;
2041 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
2042 //start the authetication
7b6e3205 2043 //tag.mode = ADVANCED;
2044 tag.mode = STANDARD;
2045 hitag_start_auth(tx, &txlen);
2046 m = AC2K;
4e12287d
RS		 2047 } else if (tag.pstate != SELECTED) {
2048 //try to authenticate with the given key or challenge
7b6e3205 2049 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1) {
4e12287d 2050 bStop = !false;
7b6e3205 2051 }
2052 m = MC4K;
4e12287d 2053 }
7b6e3205 2054
4e12287d
RS		 2055 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
2056 //check if the given page exists
2057 if (page > tag.max_page) {
2058 Dbprintf("page number too big");
2059 bStop = !false;
2060 }
2061 //ask Tag for write permission
2062 tag.tstate = WRITING_PAGE_ACK;
2063 txlen = 20;
2064 crc = CRC_PRESET;
2065 tx[0] = 0x90 + (page / 16);
2066 calc_crc(&crc, tx[0], 8);
2067 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
2068 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
2069 tx[2] = 0x00 + (crc % 16) * 16;
2070 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
7b6e3205 2071 && rxlen == 2 && rx[0] == 0x40) {
4e12287d
RS		 2072 //ACK recieved to write the page. send data
2073 tag.tstate = WRITING_PAGE_DATA;
2074 txlen = 40;
2075 crc = CRC_PRESET;
2076 calc_crc(&crc, data[3], 8);
2077 calc_crc(&crc, data[2], 8);
2078 calc_crc(&crc, data[1], 8);
2079 calc_crc(&crc, data[0], 8);
2080 tx[0] = data[3];
2081 tx[1] = data[2];
2082 tx[2] = data[1];
2083 tx[3] = data[0];
2084 tx[4] = crc;
2085 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
7b6e3205 2086 && rxlen == 2 && rx[0] == 0x40) {
4e12287d
RS		 2087 //received ACK
2088 Dbprintf("Successful!");
2089 bStop = !false;
2090 }
2091
2092 // Send and store the reader command
2093 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2094 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2095
2096 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2097 // Since the clock counts since the last falling edge, a 'one' means that the
2098 // falling edge occured halfway the period. with respect to this falling edge,
2099 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2100 // All timer values are in terms of T0 units
2101
2102 while (AT91C_BASE_TC0->TC_CV
2103 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2104 ;
2105
2106 // Transmit the reader frame
2107 hitag_reader_send_frame(tx, txlen);
2108
2109 // Enable and reset external trigger in timer for capturing future frames
2110 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2111
2112 // Add transmitted frame to total count
2113 if (txlen > 0) {
2114 frame_count++;
2115 if (!bQuiet) {
2116 // Store the frame in the trace
2117 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2118 if (bQuitTraceFull) {
2119 DbpString("Trace full");
2120 break;
2121 } else {
2122 bQuiet = true;
2123 }
2124 }
2125 }
2126 }
2127
2128 // Reset values for receiving frames
2129 memset(rx, 0x00, sizeof(rx));
2130 rxlen = 0;
2131 lastbit = 1;
4e12287d
RS		 2132 response = 0;
2133
7b6e3205 2134 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 2135 }
2136 end=false;
2137 LED_B_OFF();
2138 LED_D_OFF();
2139 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2140 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2141 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2142 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2143}
2144
7b6e3205 2145
4e12287d
RS		 2146/*
2147 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2148 * Displays all Challenges that failed.
2149 * When collecting Challenges to break the key it is possible that some data
2150 * is not received correctly due to Antenna problems. This function
2151 * detects these challenges.
2152 */
7b6e3205 2153void check_challenges_cmd(bool file_given, byte_t* data, uint64_t tagMode) {
4e12287d
RS		 2154 int i, j, z, k;
2155 byte_t uid_byte[4];
2156 int frame_count;
2157 int response;
2158 byte_t rx[HITAG_FRAME_LEN];
2159 byte_t unlocker[60][8];
2160 int u1 = 0;
2161 size_t rxlen = 0;
2162 byte_t txbuf[HITAG_FRAME_LEN];
2163 byte_t* tx = txbuf;
2164 size_t txlen = 0;
2165 int lastbit;
4e12287d
RS		 2166 int t_wait = HITAG_T_WAIT_MAX;
2167 int STATE = 0;
2168 bool bStop;
2169 bool bQuitTraceFull = false;
2170 int response_bit[200];
2171 unsigned char mask = 1;
2172 unsigned char uid[32];
2173 unsigned char crc;
2174
7b6e3205 2175 if (tagMode == 1) {
2176 Dbprintf("check_challenges in mode=ADVANCED");
2177 tag.mode = ADVANCED;
2178 } else if (tagMode == 2) {
2179 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2180 tag.mode = FAST_ADVANCED;
2181 } else {
2182 Dbprintf("check_challenges in mode=STANDARD");
2183 tag.mode = STANDARD;
2184 }
2185
2186
4e12287d 2187 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
5866c187 2188 // Reset the return status
4e12287d
RS		 2189 bSuccessful = false;
2190
5866c187 2191 // Clean up trace and prepare it for storing frames
44964fd1 2192 set_tracing(true);
4e12287d
RS		 2193 clear_trace();
2194
2195 bQuiet = false;
4e12287d
RS		 2196
2197 LED_D_ON();
2198
5866c187 2199 // Configure output and enable pin that is connected to the FPGA (for modulating)
4e12287d
RS		 2200 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
2201 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
2202
5866c187 2203 // Set fpga in edge detect with reader field, we can modulate as reader now
4e12287d
RS		 2204 FpgaWriteConfWord(
2205 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
2206
5866c187 2207 // Set Frequency divisor which will drive the FPGA and analog mux selection
2208 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
4e12287d
RS		 2209 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2210 RELAY_OFF();
2211
5866c187 2212 // Disable modulation at default, which means enable the field
4e12287d
RS		 2213 LOW(GPIO_SSC_DOUT);
2214
5866c187 2215 // Give it a bit of time for the resonant antenna to settle.
4e12287d
RS		 2216 SpinDelay(30);
2217
5866c187 2218 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
4e12287d
RS		 2219 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
2220
5866c187 2221 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
4e12287d
RS		 2222 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
2223 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
2224
5866c187 2225 // Disable timer during configuration
2226 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
4e12287d
RS		 2227 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2228
5866c187 2229 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
2230 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
2231
2232 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2233 // external trigger rising edge, load RA on falling edge of TIOA.
7b6e3205 2234 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
4e12287d 2235
5866c187 2236 // Enable and reset counters
4e12287d
RS		 2237 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2238 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2239
5866c187 2240 // Reset the received frame, frame count and timing info
4e12287d
RS		 2241 frame_count = 0;
2242 response = 0;
2243 lastbit = 1;
2244 bStop = false;
2245
4e12287d
RS		 2246 t_wait = 200;
2247
2248 if (file_given) {
2249 DbpString("Loading challenges...");
2250 memcpy((byte_t*)unlocker,data,60*8);
2251 }
2252
2253 while (file_given && !bStop && !BUTTON_PRESS()) {
2254 // Watchdog hit
2255 WDT_HIT();
2256
2257 // Check if frame was captured and store it
2258 if (rxlen > 0) {
2259 frame_count++;
2260 if (!bQuiet) {
2261 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2262 DbpString("Trace full");
2263 if (bQuitTraceFull) {
2264 break;
2265 } else {
2266 bQuiet = true;
2267 }
2268 }
2269 }
2270 }
2271
2272 tx = txbuf;
2273 txlen = 0;
2274 if (rxlen == 0) {
7b6e3205 2275 if (STATE == 2) {
4e12287d
RS		 2276 // challenge failed
2277 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2278 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
2279 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
2280 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
2281 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
7b6e3205 2282 }
4e12287d 2283 STATE = 0;
7b6e3205 2284 hitag_start_auth(tx, &txlen);
2285 } else if (rxlen >= 32 && STATE == 0) {
4e12287d
RS		 2286 //received uid
2287 z = 0;
2288 for (i = 0; i < 10; i++) {
2289 for (j = 0; j < 8; j++) {
2290 response_bit[z] = 0;
2291 if ((rx[i] & ((mask << 7) >> j)) != 0)
2292 response_bit[z] = 1;
2293 z++;
2294 }
2295 }
7b6e3205 2296 for (i = 0; i < 32; i++) {
2297 uid[i] = response_bit[i];
4e12287d 2298 }
7b6e3205 2299
4e12287d
RS		 2300 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
2301 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
2302 | (uid[6] << 1) | uid[7];
2303 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
2304 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
2305 | (uid[14] << 1) | uid[15];
2306 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
2307 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
2308 | (uid[22] << 1) | uid[23];
2309 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
2310 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
2311 | (uid[30] << 1) | uid[31];
2312 //Dbhexdump(10, rx, rxlen);
2313 STATE = 1;
2314 txlen = 45;
2315 crc = CRC_PRESET;
2316 calc_crc(&crc, 0x00, 5);
2317 calc_crc(&crc, uid_byte[0], 8);
2318 calc_crc(&crc, uid_byte[1], 8);
2319 calc_crc(&crc, uid_byte[2], 8);
2320 calc_crc(&crc, uid_byte[3], 8);
2321 for (i = 0; i < 100; i++) {
2322 response_bit[i] = 0;
2323 }
2324 for (i = 0; i < 5; i++) {
2325 response_bit[i] = 0;
2326 }
2327 for (i = 5; i < 37; i++) {
2328 response_bit[i] = uid[i - 5];
2329 }
2330 for (j = 0; j < 8; j++) {
2331 response_bit[i] = 0;
2332 if ((crc & ((mask << 7) >> j)) != 0)
2333 response_bit[i] = 1;
2334 i++;
2335 }
2336 k = 0;
2337 for (i = 0; i < 6; i++) {
2338 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2339 | (response_bit[k + 2] << 5)
2340 | (response_bit[k + 3] << 4)
2341 | (response_bit[k + 4] << 3)
2342 | (response_bit[k + 5] << 2)
2343 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2344 k += 8;
2345 }
2346
7b6e3205 2347
2348 tag.pstate = INIT;
2349 } else if (STATE == 1 && rxlen > 24) {
4e12287d
RS		 2350 //received configuration
2351 STATE = 2;
2352 z = 0;
2353 for (i = 0; i < 6; i++) {
2354 for (j = 0; j < 8; j++) {
2355 response_bit[z] = 0;
2356 if ((rx[i] & ((mask << 7) >> j)) != 0)
2357 response_bit[z] = 1;
2358 z++;
2359 }
2360 }
2361 txlen = 64;
2362
2363 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2364 bStop = !false;
2365 for (i = 0; i < 8; i++)
2366 tx[i] = unlocker[u1][i];
2367 u1++;
2368
7b6e3205 2369 tag.pstate = SELECTED;
2370 } else if (STATE == 2 && rxlen >= 32) {
4e12287d
RS		 2371 STATE = 0;
2372 }
2373
2374 // Send and store the reader command
2375 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2376 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2377
2378 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2379 // Since the clock counts since the last falling edge, a 'one' means that the
2380 // falling edge occured halfway the period. with respect to this falling edge,
2381 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2382 // All timer values are in terms of T0 units
7b6e3205 2383 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
4e12287d
RS		 2384
2385 // Transmit the reader frame
2386 hitag_reader_send_frame(tx, txlen);
2387
2388 // Enable and reset external trigger in timer for capturing future frames
2389 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2390
2391 // Add transmitted frame to total count
2392 if (txlen > 0) {
2393 frame_count++;
2394 if (!bQuiet) {
2395 // Store the frame in the trace
2396 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2397 if (bQuitTraceFull) {
2398 DbpString("Trace full");
2399 break;
2400 } else {
2401 bQuiet = true;
2402 }
2403 }
2404 }
2405 }
2406
2407 // Reset values for receiving frames
2408 memset(rx, 0x00, sizeof(rx));
2409 rxlen = 0;
2410 lastbit = 1;
4e12287d
RS		 2411 response = 0;
2412
7b6e3205 2413 hitag_receive_frame(rx, &rxlen, &response);
4e12287d
RS		 2414 }
2415 LED_B_OFF();
2416 LED_D_OFF();
2417 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2418 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2419 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2420 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2421}
2422
7b6e3205 2423/**
2424Backward compatibility
2425*/
2426void check_challenges(bool file_given, byte_t* data) {
2427 check_challenges_cmd(file_given, data, 1);
2428}
4e12287d 2429
7b6e3205 2430void ReadHitagS(hitag_function htf, hitag_data* htd) {
2431 ReadHitagSintern(htf, htd, ADVANCED, 0, false);
2432}
Proxmark3 GIT tracking
Impressum, Datenschutz