]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Clean up data types, some header cleanup, etc.
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
2// Routines to support ISO 14443 type A.
3//
4// Gerhard de Koning Gans - May 2008
5//-----------------------------------------------------------------------------
e30c654b 6#include "proxmark3.h"
15c4dc5a 7#include "apps.h"
f7e3ed82 8#include "util.h"
15c4dc5a 9#include "iso14443crc.h"
10
f7e3ed82 11static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 12static int traceLen = 0;
13static int rsamples = 0;
f7e3ed82 14static int tracing = TRUE;
15c4dc5a 15
16typedef enum {
17 SEC_D = 1,
18 SEC_E = 2,
19 SEC_F = 3,
20 SEC_X = 4,
21 SEC_Y = 5,
22 SEC_Z = 6
23} SecType;
24
f7e3ed82 25static const uint8_t OddByteParity[256] = {
15c4dc5a 26 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
27 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
28 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
29 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
30 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
33 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
34 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
35 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
42};
43
44// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
45#define RECV_CMD_OFFSET 3032
46#define RECV_RES_OFFSET 3096
47#define DMA_BUFFER_OFFSET 3160
48#define DMA_BUFFER_SIZE 4096
49#define TRACE_LENGTH 3000
50
51//-----------------------------------------------------------------------------
52// Generate the parity value for a byte sequence
e30c654b 53//
15c4dc5a 54//-----------------------------------------------------------------------------
f7e3ed82 55uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 56{
57 int i;
f7e3ed82 58 uint32_t dwPar = 0;
e30c654b 59
15c4dc5a 60 // Generate the encrypted data
61 for (i = 0; i < iLen; i++) {
62 // Save the encrypted parity bit
63 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
64 }
65 return dwPar;
66}
67
f7e3ed82 68static void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 69{
70 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
71}
72
f7e3ed82 73int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 74{
75 // Return when trace is full
76 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 77
15c4dc5a 78 // Trace the random, i'm curious
79 rsamples += iSamples;
80 trace[traceLen++] = ((rsamples >> 0) & 0xff);
81 trace[traceLen++] = ((rsamples >> 8) & 0xff);
82 trace[traceLen++] = ((rsamples >> 16) & 0xff);
83 trace[traceLen++] = ((rsamples >> 24) & 0xff);
84 if (!bReader) {
85 trace[traceLen - 1] |= 0x80;
86 }
87 trace[traceLen++] = ((dwParity >> 0) & 0xff);
88 trace[traceLen++] = ((dwParity >> 8) & 0xff);
89 trace[traceLen++] = ((dwParity >> 16) & 0xff);
90 trace[traceLen++] = ((dwParity >> 24) & 0xff);
91 trace[traceLen++] = iLen;
92 memcpy(trace + traceLen, btBytes, iLen);
93 traceLen += iLen;
94 return TRUE;
95}
96
f7e3ed82 97int LogTraceInfo(byte_t* data, size_t len)
15c4dc5a 98{
99 return LogTrace(data,len,0,GetParity(data,len),TRUE);
100}
101
102//-----------------------------------------------------------------------------
103// The software UART that receives commands from the reader, and its state
104// variables.
105//-----------------------------------------------------------------------------
106static struct {
107 enum {
108 STATE_UNSYNCD,
109 STATE_START_OF_COMMUNICATION,
110 STATE_MILLER_X,
111 STATE_MILLER_Y,
112 STATE_MILLER_Z,
113 STATE_ERROR_WAIT
114 } state;
f7e3ed82 115 uint16_t shiftReg;
15c4dc5a 116 int bitCnt;
117 int byteCnt;
118 int byteCntMax;
119 int posCnt;
120 int syncBit;
121 int parityBits;
122 int samples;
123 int highCnt;
124 int bitBuffer;
125 enum {
126 DROP_NONE,
127 DROP_FIRST_HALF,
128 DROP_SECOND_HALF
129 } drop;
f7e3ed82 130 uint8_t *output;
15c4dc5a 131} Uart;
132
f7e3ed82 133static int MillerDecoding(int bit)
15c4dc5a 134{
135 int error = 0;
136 int bitright;
137
138 if(!Uart.bitBuffer) {
139 Uart.bitBuffer = bit ^ 0xFF0;
140 return FALSE;
141 }
142 else {
143 Uart.bitBuffer <<= 4;
144 Uart.bitBuffer ^= bit;
145 }
146
f7e3ed82 147 int EOC = FALSE;
15c4dc5a 148
149 if(Uart.state != STATE_UNSYNCD) {
150 Uart.posCnt++;
151
152 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
153 bit = 0x00;
154 }
155 else {
156 bit = 0x01;
157 }
158 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
159 bitright = 0x00;
160 }
161 else {
162 bitright = 0x01;
163 }
164 if(bit != bitright) { bit = bitright; }
165
166 if(Uart.posCnt == 1) {
167 // measurement first half bitperiod
168 if(!bit) {
169 Uart.drop = DROP_FIRST_HALF;
170 }
171 }
172 else {
173 // measurement second half bitperiod
174 if(!bit & (Uart.drop == DROP_NONE)) {
175 Uart.drop = DROP_SECOND_HALF;
176 }
177 else if(!bit) {
178 // measured a drop in first and second half
179 // which should not be possible
180 Uart.state = STATE_ERROR_WAIT;
181 error = 0x01;
182 }
183
184 Uart.posCnt = 0;
185
186 switch(Uart.state) {
187 case STATE_START_OF_COMMUNICATION:
188 Uart.shiftReg = 0;
189 if(Uart.drop == DROP_SECOND_HALF) {
190 // error, should not happen in SOC
191 Uart.state = STATE_ERROR_WAIT;
192 error = 0x02;
193 }
194 else {
195 // correct SOC
196 Uart.state = STATE_MILLER_Z;
197 }
198 break;
199
200 case STATE_MILLER_Z:
201 Uart.bitCnt++;
202 Uart.shiftReg >>= 1;
203 if(Uart.drop == DROP_NONE) {
204 // logic '0' followed by sequence Y
205 // end of communication
206 Uart.state = STATE_UNSYNCD;
207 EOC = TRUE;
208 }
209 // if(Uart.drop == DROP_FIRST_HALF) {
210 // Uart.state = STATE_MILLER_Z; stay the same
211 // we see a logic '0' }
212 if(Uart.drop == DROP_SECOND_HALF) {
213 // we see a logic '1'
214 Uart.shiftReg |= 0x100;
215 Uart.state = STATE_MILLER_X;
216 }
217 break;
218
219 case STATE_MILLER_X:
220 Uart.shiftReg >>= 1;
221 if(Uart.drop == DROP_NONE) {
222 // sequence Y, we see a '0'
223 Uart.state = STATE_MILLER_Y;
224 Uart.bitCnt++;
225 }
226 if(Uart.drop == DROP_FIRST_HALF) {
227 // Would be STATE_MILLER_Z
228 // but Z does not follow X, so error
229 Uart.state = STATE_ERROR_WAIT;
230 error = 0x03;
231 }
232 if(Uart.drop == DROP_SECOND_HALF) {
233 // We see a '1' and stay in state X
234 Uart.shiftReg |= 0x100;
235 Uart.bitCnt++;
236 }
237 break;
238
239 case STATE_MILLER_Y:
240 Uart.bitCnt++;
241 Uart.shiftReg >>= 1;
242 if(Uart.drop == DROP_NONE) {
243 // logic '0' followed by sequence Y
244 // end of communication
245 Uart.state = STATE_UNSYNCD;
246 EOC = TRUE;
247 }
248 if(Uart.drop == DROP_FIRST_HALF) {
249 // we see a '0'
250 Uart.state = STATE_MILLER_Z;
251 }
252 if(Uart.drop == DROP_SECOND_HALF) {
253 // We see a '1' and go to state X
254 Uart.shiftReg |= 0x100;
255 Uart.state = STATE_MILLER_X;
256 }
257 break;
258
259 case STATE_ERROR_WAIT:
260 // That went wrong. Now wait for at least two bit periods
261 // and try to sync again
262 if(Uart.drop == DROP_NONE) {
263 Uart.highCnt = 6;
264 Uart.state = STATE_UNSYNCD;
265 }
266 break;
267
268 default:
269 Uart.state = STATE_UNSYNCD;
270 Uart.highCnt = 0;
271 break;
272 }
273
274 Uart.drop = DROP_NONE;
275
276 // should have received at least one whole byte...
277 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
278 return TRUE;
279 }
280
281 if(Uart.bitCnt == 9) {
282 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
283 Uart.byteCnt++;
284
285 Uart.parityBits <<= 1;
286 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
287
288 if(EOC) {
289 // when End of Communication received and
290 // all data bits processed..
291 return TRUE;
292 }
293 Uart.bitCnt = 0;
294 }
295
296 /*if(error) {
297 Uart.output[Uart.byteCnt] = 0xAA;
298 Uart.byteCnt++;
299 Uart.output[Uart.byteCnt] = error & 0xFF;
300 Uart.byteCnt++;
301 Uart.output[Uart.byteCnt] = 0xAA;
302 Uart.byteCnt++;
303 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
304 Uart.byteCnt++;
305 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 return TRUE;
312 }*/
313 }
314
315 }
316 else {
317 bit = Uart.bitBuffer & 0xf0;
318 bit >>= 4;
319 bit ^= 0x0F;
320 if(bit) {
321 // should have been high or at least (4 * 128) / fc
322 // according to ISO this should be at least (9 * 128 + 20) / fc
323 if(Uart.highCnt == 8) {
324 // we went low, so this could be start of communication
325 // it turns out to be safer to choose a less significant
326 // syncbit... so we check whether the neighbour also represents the drop
327 Uart.posCnt = 1; // apparently we are busy with our first half bit period
328 Uart.syncBit = bit & 8;
329 Uart.samples = 3;
330 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
331 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
332 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
333 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
334 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
335 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
336 Uart.syncBit = 8;
337
338 // the first half bit period is expected in next sample
339 Uart.posCnt = 0;
340 Uart.samples = 3;
341 }
342 }
343 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
344
345 Uart.syncBit <<= 4;
346 Uart.state = STATE_START_OF_COMMUNICATION;
347 Uart.drop = DROP_FIRST_HALF;
348 Uart.bitCnt = 0;
349 Uart.byteCnt = 0;
350 Uart.parityBits = 0;
351 error = 0;
352 }
353 else {
354 Uart.highCnt = 0;
355 }
356 }
357 else {
358 if(Uart.highCnt < 8) {
359 Uart.highCnt++;
360 }
361 }
362 }
363
364 return FALSE;
365}
366
367//=============================================================================
368// ISO 14443 Type A - Manchester
369//=============================================================================
370
371static struct {
372 enum {
373 DEMOD_UNSYNCD,
374 DEMOD_START_OF_COMMUNICATION,
375 DEMOD_MANCHESTER_D,
376 DEMOD_MANCHESTER_E,
377 DEMOD_MANCHESTER_F,
378 DEMOD_ERROR_WAIT
379 } state;
380 int bitCount;
381 int posCount;
382 int syncBit;
383 int parityBits;
f7e3ed82 384 uint16_t shiftReg;
15c4dc5a 385 int buffer;
386 int buff;
387 int samples;
388 int len;
389 enum {
390 SUB_NONE,
391 SUB_FIRST_HALF,
392 SUB_SECOND_HALF
393 } sub;
f7e3ed82 394 uint8_t *output;
15c4dc5a 395} Demod;
396
f7e3ed82 397static int ManchesterDecoding(int v)
15c4dc5a 398{
399 int bit;
400 int modulation;
401 int error = 0;
402
403 if(!Demod.buff) {
404 Demod.buff = 1;
405 Demod.buffer = v;
406 return FALSE;
407 }
408 else {
409 bit = Demod.buffer;
410 Demod.buffer = v;
411 }
412
413 if(Demod.state==DEMOD_UNSYNCD) {
414 Demod.output[Demod.len] = 0xfa;
415 Demod.syncBit = 0;
416 //Demod.samples = 0;
417 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
418 if(bit & 0x08) { Demod.syncBit = 0x08; }
419 if(!Demod.syncBit) {
420 if(bit & 0x04) { Demod.syncBit = 0x04; }
421 }
422 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
423 if(!Demod.syncBit) {
424 if(bit & 0x02) { Demod.syncBit = 0x02; }
425 }
426 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
427 if(!Demod.syncBit) {
428 if(bit & 0x01) { Demod.syncBit = 0x01; }
429
430 if(Demod.syncBit & (Demod.buffer & 0x08)) {
431 Demod.syncBit = 0x08;
432
433 // The first half bitperiod is expected in next sample
434 Demod.posCount = 0;
435 Demod.output[Demod.len] = 0xfb;
436 }
437 }
438 else if(bit & 0x01) { Demod.syncBit = 0x01; }
439
440 if(Demod.syncBit) {
441 Demod.len = 0;
442 Demod.state = DEMOD_START_OF_COMMUNICATION;
443 Demod.sub = SUB_FIRST_HALF;
444 Demod.bitCount = 0;
445 Demod.shiftReg = 0;
446 Demod.parityBits = 0;
447 Demod.samples = 0;
448 if(Demod.posCount) {
449 switch(Demod.syncBit) {
450 case 0x08: Demod.samples = 3; break;
451 case 0x04: Demod.samples = 2; break;
452 case 0x02: Demod.samples = 1; break;
453 case 0x01: Demod.samples = 0; break;
454 }
455 }
456 error = 0;
457 }
458 }
459 else {
460 //modulation = bit & Demod.syncBit;
461 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
462
463 Demod.samples += 4;
464
465 if(Demod.posCount==0) {
466 Demod.posCount = 1;
467 if(modulation) {
468 Demod.sub = SUB_FIRST_HALF;
469 }
470 else {
471 Demod.sub = SUB_NONE;
472 }
473 }
474 else {
475 Demod.posCount = 0;
476 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
477 if(Demod.state!=DEMOD_ERROR_WAIT) {
478 Demod.state = DEMOD_ERROR_WAIT;
479 Demod.output[Demod.len] = 0xaa;
480 error = 0x01;
481 }
482 }
483 else if(modulation) {
484 Demod.sub = SUB_SECOND_HALF;
485 }
486
487 switch(Demod.state) {
488 case DEMOD_START_OF_COMMUNICATION:
489 if(Demod.sub == SUB_FIRST_HALF) {
490 Demod.state = DEMOD_MANCHESTER_D;
491 }
492 else {
493 Demod.output[Demod.len] = 0xab;
494 Demod.state = DEMOD_ERROR_WAIT;
495 error = 0x02;
496 }
497 break;
498
499 case DEMOD_MANCHESTER_D:
500 case DEMOD_MANCHESTER_E:
501 if(Demod.sub == SUB_FIRST_HALF) {
502 Demod.bitCount++;
503 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
504 Demod.state = DEMOD_MANCHESTER_D;
505 }
506 else if(Demod.sub == SUB_SECOND_HALF) {
507 Demod.bitCount++;
508 Demod.shiftReg >>= 1;
509 Demod.state = DEMOD_MANCHESTER_E;
510 }
511 else {
512 Demod.state = DEMOD_MANCHESTER_F;
513 }
514 break;
515
516 case DEMOD_MANCHESTER_F:
517 // Tag response does not need to be a complete byte!
518 if(Demod.len > 0 || Demod.bitCount > 0) {
519 if(Demod.bitCount > 0) {
520 Demod.shiftReg >>= (9 - Demod.bitCount);
521 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
522 Demod.len++;
523 // No parity bit, so just shift a 0
524 Demod.parityBits <<= 1;
525 }
526
527 Demod.state = DEMOD_UNSYNCD;
528 return TRUE;
529 }
530 else {
531 Demod.output[Demod.len] = 0xad;
532 Demod.state = DEMOD_ERROR_WAIT;
533 error = 0x03;
534 }
535 break;
536
537 case DEMOD_ERROR_WAIT:
538 Demod.state = DEMOD_UNSYNCD;
539 break;
540
541 default:
542 Demod.output[Demod.len] = 0xdd;
543 Demod.state = DEMOD_UNSYNCD;
544 break;
545 }
546
547 if(Demod.bitCount>=9) {
548 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
549 Demod.len++;
550
551 Demod.parityBits <<= 1;
552 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
553
554 Demod.bitCount = 0;
555 Demod.shiftReg = 0;
556 }
557
558 /*if(error) {
559 Demod.output[Demod.len] = 0xBB;
560 Demod.len++;
561 Demod.output[Demod.len] = error & 0xFF;
562 Demod.len++;
563 Demod.output[Demod.len] = 0xBB;
564 Demod.len++;
565 Demod.output[Demod.len] = bit & 0xFF;
566 Demod.len++;
567 Demod.output[Demod.len] = Demod.buffer & 0xFF;
568 Demod.len++;
569 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = 0xBB;
572 Demod.len++;
573 return TRUE;
574 }*/
575
576 }
577
578 } // end (state != UNSYNCED)
579
580 return FALSE;
581}
582
583//=============================================================================
584// Finally, a `sniffer' for ISO 14443 Type A
585// Both sides of communication!
586//=============================================================================
587
588//-----------------------------------------------------------------------------
589// Record the sequence of commands sent by the reader to the tag, with
590// triggering so that we start recording at the point that the tag is moved
591// near the reader.
592//-----------------------------------------------------------------------------
593void SnoopIso14443a(void)
594{
595// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
596// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
597// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
598// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
599// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
600
601 // We won't start recording the frames that we acquire until we trigger;
602 // a good trigger condition to get started is probably when we see a
603 // response from the tag.
f7e3ed82 604 int triggered = TRUE; // FALSE to wait first for card
15c4dc5a 605
606 // The command (reader -> tag) that we're receiving.
607 // The length of a received command will in most cases be no more than 18 bytes.
608 // So 32 should be enough!
f7e3ed82 609 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 610 // The response (tag -> reader) that we're receiving.
f7e3ed82 611 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 612
613 // As we receive stuff, we copy it from receivedCmd or receivedResponse
614 // into trace, along with its length and other annotations.
f7e3ed82 615 //uint8_t *trace = (uint8_t *)BigBuf;
15c4dc5a 616 //int traceLen = 0;
617
618 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 619 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 620 int lastRxCounter;
f7e3ed82 621 int8_t *upTo;
15c4dc5a 622 int smpl;
623 int maxBehindBy = 0;
624
625 // Count of samples received so far, so that we can include timing
626 // information in the trace buffer.
627 int samples = 0;
628 int rsamples = 0;
629
630 memset(trace, 0x44, RECV_CMD_OFFSET);
631
632 // Set up the demodulator for tag -> reader responses.
633 Demod.output = receivedResponse;
634 Demod.len = 0;
635 Demod.state = DEMOD_UNSYNCD;
636
637 // And the reader -> tag commands
638 memset(&Uart, 0, sizeof(Uart));
639 Uart.output = receivedCmd;
640 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
641 Uart.state = STATE_UNSYNCD;
642
643 // And put the FPGA in the appropriate mode
644 // Signal field is off with the appropriate LED
645 LED_D_OFF();
646 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
647 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
648
649 // Setup for the DMA.
650 FpgaSetupSsc();
651 upTo = dmaBuf;
652 lastRxCounter = DMA_BUFFER_SIZE;
f7e3ed82 653 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 654
655 LED_A_ON();
656
657 // And now we loop, receiving samples.
658 for(;;) {
659 WDT_HIT();
660 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
661 (DMA_BUFFER_SIZE-1);
662 if(behindBy > maxBehindBy) {
663 maxBehindBy = behindBy;
664 if(behindBy > 400) {
665 DbpString("blew circular buffer!");
666 goto done;
667 }
668 }
669 if(behindBy < 1) continue;
670
671 smpl = upTo[0];
672 upTo++;
673 lastRxCounter -= 1;
674 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
675 upTo -= DMA_BUFFER_SIZE;
676 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 677 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 678 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
679 }
680
681 samples += 4;
682#define HANDLE_BIT_IF_BODY \
683 LED_C_ON(); \
684 if(triggered) { \
685 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
686 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
687 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
688 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
689 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
690 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
692 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
693 trace[traceLen++] = Uart.byteCnt; \
694 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
695 traceLen += Uart.byteCnt; \
696 if(traceLen > TRACE_LENGTH) break; \
697 } \
698 /* And ready to receive another command. */ \
699 Uart.state = STATE_UNSYNCD; \
700 /* And also reset the demod code, which might have been */ \
701 /* false-triggered by the commands from the reader. */ \
702 Demod.state = DEMOD_UNSYNCD; \
703 LED_B_OFF(); \
704
705 if(MillerDecoding((smpl & 0xF0) >> 4)) {
706 rsamples = samples - Uart.samples;
707 HANDLE_BIT_IF_BODY
708 }
709 if(ManchesterDecoding(smpl & 0x0F)) {
710 rsamples = samples - Demod.samples;
711 LED_B_ON();
712
713 // timestamp, as a count of samples
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
718 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
722 // length
723 trace[traceLen++] = Demod.len;
724 memcpy(trace+traceLen, receivedResponse, Demod.len);
725 traceLen += Demod.len;
726 if(traceLen > TRACE_LENGTH) break;
727
728 triggered = TRUE;
729
730 // And ready to receive another response.
731 memset(&Demod, 0, sizeof(Demod));
732 Demod.output = receivedResponse;
733 Demod.state = DEMOD_UNSYNCD;
734 LED_C_OFF();
735 }
736
737 if(BUTTON_PRESS()) {
738 DbpString("cancelled_a");
739 goto done;
740 }
741 }
742
743 DbpString("COMMAND FINISHED");
744
745 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
746 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
747
748done:
749 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
750 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
751 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
752 LED_A_OFF();
753 LED_B_OFF();
754 LED_C_OFF();
755 LED_D_OFF();
756}
757
758// Prepare communication bits to send to FPGA
759void Sequence(SecType seq)
760{
761 ToSendMax++;
762 switch(seq) {
763 // CARD TO READER
764 case SEC_D:
765 // Sequence D: 11110000
766 // modulation with subcarrier during first half
767 ToSend[ToSendMax] = 0xf0;
768 break;
769 case SEC_E:
770 // Sequence E: 00001111
771 // modulation with subcarrier during second half
772 ToSend[ToSendMax] = 0x0f;
773 break;
774 case SEC_F:
775 // Sequence F: 00000000
776 // no modulation with subcarrier
777 ToSend[ToSendMax] = 0x00;
778 break;
779 // READER TO CARD
780 case SEC_X:
781 // Sequence X: 00001100
782 // drop after half a period
783 ToSend[ToSendMax] = 0x0c;
784 break;
785 case SEC_Y:
786 default:
787 // Sequence Y: 00000000
788 // no drop
789 ToSend[ToSendMax] = 0x00;
790 break;
791 case SEC_Z:
792 // Sequence Z: 11000000
793 // drop at start
794 ToSend[ToSendMax] = 0xc0;
795 break;
796 }
797}
798
799//-----------------------------------------------------------------------------
800// Prepare tag messages
801//-----------------------------------------------------------------------------
f7e3ed82 802static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 803{
804 int i;
805 int oddparity;
806
807 ToSendReset();
808
809 // Correction bit, might be removed when not needed
810 ToSendStuffBit(0);
811 ToSendStuffBit(0);
812 ToSendStuffBit(0);
813 ToSendStuffBit(0);
814 ToSendStuffBit(1); // 1
815 ToSendStuffBit(0);
816 ToSendStuffBit(0);
817 ToSendStuffBit(0);
818
819 // Send startbit
820 Sequence(SEC_D);
821
822 for(i = 0; i < len; i++) {
823 int j;
f7e3ed82 824 uint8_t b = cmd[i];
15c4dc5a 825
826 // Data bits
827 oddparity = 0x01;
828 for(j = 0; j < 8; j++) {
829 oddparity ^= (b & 1);
830 if(b & 1) {
831 Sequence(SEC_D);
832 } else {
833 Sequence(SEC_E);
834 }
835 b >>= 1;
836 }
837
838 // Parity bit
839 if(oddparity) {
840 Sequence(SEC_D);
841 } else {
842 Sequence(SEC_E);
843 }
844 }
845
846 // Send stopbit
847 Sequence(SEC_F);
848
849 // Flush the buffer in FPGA!!
850 for(i = 0; i < 5; i++) {
851 Sequence(SEC_F);
852 }
853
854 // Convert from last byte pos to length
855 ToSendMax++;
856
857 // Add a few more for slop
858 ToSend[ToSendMax++] = 0x00;
859 ToSend[ToSendMax++] = 0x00;
860 //ToSendMax += 2;
861}
862
863//-----------------------------------------------------------------------------
864// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
865//-----------------------------------------------------------------------------
866static void CodeStrangeAnswer()
867{
868 int i;
869
870 ToSendReset();
871
872 // Correction bit, might be removed when not needed
873 ToSendStuffBit(0);
874 ToSendStuffBit(0);
875 ToSendStuffBit(0);
876 ToSendStuffBit(0);
877 ToSendStuffBit(1); // 1
878 ToSendStuffBit(0);
879 ToSendStuffBit(0);
880 ToSendStuffBit(0);
881
882 // Send startbit
883 Sequence(SEC_D);
884
885 // 0
886 Sequence(SEC_E);
887
888 // 0
889 Sequence(SEC_E);
890
891 // 1
892 Sequence(SEC_D);
893
894 // Send stopbit
895 Sequence(SEC_F);
896
897 // Flush the buffer in FPGA!!
898 for(i = 0; i < 5; i++) {
899 Sequence(SEC_F);
900 }
901
902 // Convert from last byte pos to length
903 ToSendMax++;
904
905 // Add a few more for slop
906 ToSend[ToSendMax++] = 0x00;
907 ToSend[ToSendMax++] = 0x00;
908 //ToSendMax += 2;
909}
910
911//-----------------------------------------------------------------------------
912// Wait for commands from reader
913// Stop when button is pressed
914// Or return TRUE when command is captured
915//-----------------------------------------------------------------------------
f7e3ed82 916static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 917{
918 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
919 // only, since we are receiving, not transmitting).
920 // Signal field is off with the appropriate LED
921 LED_D_OFF();
922 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
923
924 // Now run a `software UART' on the stream of incoming samples.
925 Uart.output = received;
926 Uart.byteCntMax = maxLen;
927 Uart.state = STATE_UNSYNCD;
928
929 for(;;) {
930 WDT_HIT();
931
932 if(BUTTON_PRESS()) return FALSE;
933
934 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
935 AT91C_BASE_SSC->SSC_THR = 0x00;
936 }
937 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 938 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 939 if(MillerDecoding((b & 0xf0) >> 4)) {
940 *len = Uart.byteCnt;
941 return TRUE;
942 }
943 if(MillerDecoding(b & 0x0f)) {
944 *len = Uart.byteCnt;
945 return TRUE;
946 }
947 }
948 }
949}
950
951//-----------------------------------------------------------------------------
952// Main loop of simulated tag: receive commands from reader, decide what
953// response to send, and send it.
954//-----------------------------------------------------------------------------
955void SimulateIso14443aTag(int tagType, int TagUid)
956{
957 // This function contains the tag emulation
958
959 // Prepare protocol messages
f7e3ed82 960 // static const uint8_t cmd1[] = { 0x26 };
961// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 962//
f7e3ed82 963 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
964// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 965
966 // UID response
f7e3ed82 967 // static const uint8_t cmd2[] = { 0x93, 0x20 };
968 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 969
970
971
972// my desfire
f7e3ed82 973 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 974
975
976// When reader selects us during cascade1 it will send cmd3
f7e3ed82 977//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
978uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 979ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
980
981// send cascade2 2nd half of UID
f7e3ed82 982static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 983// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
984
985
986// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 987//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
988uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 989ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
990
f7e3ed82 991 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 992
f7e3ed82 993 uint8_t *resp;
15c4dc5a 994 int respLen;
995
996 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
997 // This will need
998 // 144 data bits (18 * 8)
999 // 18 parity bits
1000 // 2 Start and stop
1001 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1002 // 1 just for the case
1003 // ----------- +
1004 // 166
1005 //
1006 // 166 bytes, since every bit that needs to be send costs us a byte
1007 //
1008
1009
1010 // Respond with card type
f7e3ed82 1011 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 1012 int resp1Len;
1013
1014 // Anticollision cascade1 - respond with uid
f7e3ed82 1015 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 1016 int resp2Len;
1017
1018 // Anticollision cascade2 - respond with 2nd half of uid if asked
1019 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1020 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1021 int resp2aLen;
1022
1023 // Acknowledge select - cascade 1
f7e3ed82 1024 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1025 int resp3Len;
1026
1027 // Acknowledge select - cascade 2
f7e3ed82 1028 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1029 int resp3aLen;
1030
1031 // Response to a read request - not implemented atm
f7e3ed82 1032 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1033 int resp4Len;
1034
1035 // Authenticate response - nonce
f7e3ed82 1036 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1037 int resp5Len;
1038
f7e3ed82 1039 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1040 int len;
1041
1042 int i;
1043 int u;
f7e3ed82 1044 uint8_t b;
15c4dc5a 1045
1046 // To control where we are in the protocol
1047 int order = 0;
1048 int lastorder;
1049
1050 // Just to allow some checks
1051 int happened = 0;
1052 int happened2 = 0;
1053
1054 int cmdsRecvd = 0;
1055
f7e3ed82 1056 int fdt_indicator;
15c4dc5a 1057
1058 memset(receivedCmd, 0x44, 400);
1059
1060 // Prepare the responses of the anticollision phase
1061 // there will be not enough time to do this at the moment the reader sends it REQA
1062
1063 // Answer to request
1064 CodeIso14443aAsTag(response1, sizeof(response1));
1065 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1066
1067 // Send our UID (cascade 1)
1068 CodeIso14443aAsTag(response2, sizeof(response2));
1069 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1070
1071 // Answer to select (cascade1)
1072 CodeIso14443aAsTag(response3, sizeof(response3));
1073 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1074
1075 // Send the cascade 2 2nd part of the uid
1076 CodeIso14443aAsTag(response2a, sizeof(response2a));
1077 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1078
1079 // Answer to select (cascade 2)
1080 CodeIso14443aAsTag(response3a, sizeof(response3a));
1081 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1082
1083 // Strange answer is an example of rare message size (3 bits)
1084 CodeStrangeAnswer();
1085 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1086
1087 // Authentication answer (random nonce)
1088 CodeIso14443aAsTag(response5, sizeof(response5));
1089 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1090
1091 // We need to listen to the high-frequency, peak-detected path.
1092 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1093 FpgaSetupSsc();
1094
1095 cmdsRecvd = 0;
1096
1097 LED_A_ON();
1098 for(;;) {
1099
1100 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1101 DbpString("button press");
1102 break;
1103 }
1104 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1105 // Okay, look at the command now.
1106 lastorder = order;
1107 i = 1; // first byte transmitted
1108 if(receivedCmd[0] == 0x26) {
1109 // Received a REQUEST
1110 resp = resp1; respLen = resp1Len; order = 1;
1111 //DbpString("Hello request from reader:");
1112 } else if(receivedCmd[0] == 0x52) {
1113 // Received a WAKEUP
1114 resp = resp1; respLen = resp1Len; order = 6;
1115// //DbpString("Wakeup request from reader:");
1116
1117 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1118 // Received request for UID (cascade 1)
1119 resp = resp2; respLen = resp2Len; order = 2;
1120// DbpString("UID (cascade 1) request from reader:");
1121// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1122
1123
1124 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1125 // Received request for UID (cascade 2)
1126 resp = resp2a; respLen = resp2aLen; order = 20;
1127// DbpString("UID (cascade 2) request from reader:");
1128// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1129
1130
1131 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1132 // Received a SELECT
1133 resp = resp3; respLen = resp3Len; order = 3;
1134// DbpString("Select (cascade 1) request from reader:");
1135// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1136
1137
1138 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1139 // Received a SELECT
1140 resp = resp3a; respLen = resp3aLen; order = 30;
1141// DbpString("Select (cascade 2) request from reader:");
1142// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144
1145 } else if(receivedCmd[0] == 0x30) {
1146 // Received a READ
1147 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1148 Dbprintf("Read request from reader: %x %x %x",
1149 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1150
1151
1152 } else if(receivedCmd[0] == 0x50) {
1153 // Received a HALT
1154 resp = resp1; respLen = 0; order = 5; // Do nothing
1155 DbpString("Reader requested we HALT!:");
1156
1157 } else if(receivedCmd[0] == 0x60) {
1158 // Received an authentication request
1159 resp = resp5; respLen = resp5Len; order = 7;
1160 Dbprintf("Authenticate request from reader: %x %x %x",
1161 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1162
1163 } else if(receivedCmd[0] == 0xE0) {
1164 // Received a RATS request
1165 resp = resp1; respLen = 0;order = 70;
1166 Dbprintf("RATS request from reader: %x %x %x",
1167 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1168 } else {
1169 // Never seen this command before
1170 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1171 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1172 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1173 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1174 // Do not respond
1175 resp = resp1; respLen = 0; order = 0;
1176 }
1177
1178 // Count number of wakeups received after a halt
1179 if(order == 6 && lastorder == 5) { happened++; }
1180
1181 // Count number of other messages after a halt
1182 if(order != 6 && lastorder == 5) { happened2++; }
1183
1184 // Look at last parity bit to determine timing of answer
1185 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1186 // 1236, so correction bit needed
1187 i = 0;
1188 }
1189
1190 memset(receivedCmd, 0x44, 32);
1191
1192 if(cmdsRecvd > 999) {
1193 DbpString("1000 commands later...");
1194 break;
1195 }
1196 else {
1197 cmdsRecvd++;
1198 }
1199
1200 if(respLen <= 0) continue;
1201
1202 // Modulate Manchester
1203 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1204 AT91C_BASE_SSC->SSC_THR = 0x00;
1205 FpgaSetupSsc();
1206
1207 // ### Transmit the response ###
1208 u = 0;
1209 b = 0x00;
1210 fdt_indicator = FALSE;
1211 for(;;) {
1212 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1213 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1214 (void)b;
1215 }
1216 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1217 if(i > respLen) {
1218 b = 0x00;
1219 u++;
1220 } else {
1221 b = resp[i];
1222 i++;
1223 }
1224 AT91C_BASE_SSC->SSC_THR = b;
1225
1226 if(u > 4) {
1227 break;
1228 }
1229 }
1230 if(BUTTON_PRESS()) {
1231 break;
1232 }
1233 }
1234
1235 }
1236
1237 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1238 LED_A_OFF();
1239}
1240
1241//-----------------------------------------------------------------------------
1242// Transmit the command (to the tag) that was placed in ToSend[].
1243//-----------------------------------------------------------------------------
f7e3ed82 1244static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1245{
1246 int c;
e30c654b 1247
15c4dc5a 1248 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1249
15c4dc5a 1250 if (wait)
1251 if(*wait < 10)
1252 *wait = 10;
e30c654b 1253
15c4dc5a 1254 for(c = 0; c < *wait;) {
1255 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1256 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1257 c++;
1258 }
1259 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1260 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1261 (void)r;
1262 }
1263 WDT_HIT();
1264 }
e30c654b 1265
15c4dc5a 1266 c = 0;
1267 for(;;) {
1268 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1269 AT91C_BASE_SSC->SSC_THR = cmd[c];
1270 c++;
1271 if(c >= len) {
1272 break;
1273 }
1274 }
1275 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1276 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1277 (void)r;
1278 }
1279 WDT_HIT();
1280 }
1281 if (samples) *samples = (c + *wait) << 3;
1282}
1283
1284//-----------------------------------------------------------------------------
1285// To generate an arbitrary stream from reader
1286//
1287//-----------------------------------------------------------------------------
f7e3ed82 1288void ArbitraryFromReader(const uint8_t *cmd, int parity, int len)
15c4dc5a 1289{
1290 int i;
1291 int j;
1292 int last;
f7e3ed82 1293 uint8_t b;
15c4dc5a 1294
1295 ToSendReset();
1296
1297 // Start of Communication (Seq. Z)
1298 Sequence(SEC_Z);
1299 last = 0;
1300
1301 for(i = 0; i < len; i++) {
1302 // Data bits
1303 b = cmd[i];
1304 for(j = 0; j < 8; j++) {
1305 if(b & 1) {
1306 // Sequence X
1307 Sequence(SEC_X);
1308 last = 1;
1309 } else {
1310 if(last == 0) {
1311 // Sequence Z
1312 Sequence(SEC_Z);
1313 }
1314 else {
1315 // Sequence Y
1316 Sequence(SEC_Y);
1317 last = 0;
1318 }
1319 }
1320 b >>= 1;
1321
1322 }
1323
1324 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1325 if(((parity >> (len - i - 1)) & 1)) {
1326 // Sequence X
1327 Sequence(SEC_X);
1328 last = 1;
1329 } else {
1330 if(last == 0) {
1331 // Sequence Z
1332 Sequence(SEC_Z);
1333 }
1334 else {
1335 // Sequence Y
1336 Sequence(SEC_Y);
1337 last = 0;
1338 }
1339 }
1340 }
1341
1342 // End of Communication
1343 if(last == 0) {
1344 // Sequence Z
1345 Sequence(SEC_Z);
1346 }
1347 else {
1348 // Sequence Y
1349 Sequence(SEC_Y);
1350 last = 0;
1351 }
1352 // Sequence Y
1353 Sequence(SEC_Y);
1354
1355 // Just to be sure!
1356 Sequence(SEC_Y);
1357 Sequence(SEC_Y);
1358 Sequence(SEC_Y);
1359
1360 // Convert from last character reference to length
1361 ToSendMax++;
1362}
1363
1364//-----------------------------------------------------------------------------
1365// Code a 7-bit command without parity bit
1366// This is especially for 0x26 and 0x52 (REQA and WUPA)
1367//-----------------------------------------------------------------------------
f7e3ed82 1368void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1369{
1370 int j;
1371 int last;
f7e3ed82 1372 uint8_t b;
15c4dc5a 1373
1374 ToSendReset();
1375
1376 // Start of Communication (Seq. Z)
1377 Sequence(SEC_Z);
1378 last = 0;
1379
1380 b = bt;
1381 for(j = 0; j < 7; j++) {
1382 if(b & 1) {
1383 // Sequence X
1384 Sequence(SEC_X);
1385 last = 1;
1386 } else {
1387 if(last == 0) {
1388 // Sequence Z
1389 Sequence(SEC_Z);
1390 }
1391 else {
1392 // Sequence Y
1393 Sequence(SEC_Y);
1394 last = 0;
1395 }
1396 }
1397 b >>= 1;
1398 }
1399
1400 // End of Communication
1401 if(last == 0) {
1402 // Sequence Z
1403 Sequence(SEC_Z);
1404 }
1405 else {
1406 // Sequence Y
1407 Sequence(SEC_Y);
1408 last = 0;
1409 }
1410 // Sequence Y
1411 Sequence(SEC_Y);
1412
1413 // Just to be sure!
1414 Sequence(SEC_Y);
1415 Sequence(SEC_Y);
1416 Sequence(SEC_Y);
1417
1418 // Convert from last character reference to length
1419 ToSendMax++;
1420}
1421
1422//-----------------------------------------------------------------------------
1423// Prepare reader command to send to FPGA
e30c654b 1424//
15c4dc5a 1425//-----------------------------------------------------------------------------
f7e3ed82 1426void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1427{
1428 int i, j;
1429 int last;
f7e3ed82 1430 uint8_t b;
e30c654b 1431
15c4dc5a 1432 ToSendReset();
e30c654b 1433
15c4dc5a 1434 // Start of Communication (Seq. Z)
1435 Sequence(SEC_Z);
1436 last = 0;
e30c654b 1437
15c4dc5a 1438 // Generate send structure for the data bits
1439 for (i = 0; i < len; i++) {
1440 // Get the current byte to send
1441 b = cmd[i];
e30c654b 1442
15c4dc5a 1443 for (j = 0; j < 8; j++) {
1444 if (b & 1) {
1445 // Sequence X
1446 Sequence(SEC_X);
1447 last = 1;
1448 } else {
1449 if (last == 0) {
1450 // Sequence Z
1451 Sequence(SEC_Z);
1452 } else {
1453 // Sequence Y
1454 Sequence(SEC_Y);
1455 last = 0;
1456 }
1457 }
1458 b >>= 1;
1459 }
e30c654b 1460
15c4dc5a 1461 // Get the parity bit
1462 if ((dwParity >> i) & 0x01) {
1463 // Sequence X
1464 Sequence(SEC_X);
1465 last = 1;
1466 } else {
1467 if (last == 0) {
1468 // Sequence Z
1469 Sequence(SEC_Z);
1470 } else {
1471 // Sequence Y
1472 Sequence(SEC_Y);
1473 last = 0;
1474 }
1475 }
1476 }
e30c654b 1477
15c4dc5a 1478 // End of Communication
1479 if (last == 0) {
1480 // Sequence Z
1481 Sequence(SEC_Z);
1482 } else {
1483 // Sequence Y
1484 Sequence(SEC_Y);
1485 last = 0;
1486 }
1487 // Sequence Y
1488 Sequence(SEC_Y);
e30c654b 1489
15c4dc5a 1490 // Just to be sure!
1491 Sequence(SEC_Y);
1492 Sequence(SEC_Y);
1493 Sequence(SEC_Y);
e30c654b 1494
15c4dc5a 1495 // Convert from last character reference to length
1496 ToSendMax++;
1497}
1498
1499//-----------------------------------------------------------------------------
1500// Wait a certain time for tag response
1501// If a response is captured return TRUE
1502// If it takes to long return FALSE
1503//-----------------------------------------------------------------------------
f7e3ed82 1504static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1505{
1506 // buffer needs to be 512 bytes
1507 int c;
1508
1509 // Set FPGA mode to "reader listen mode", no modulation (listen
1510 // only, since we are receiving, not transmitting).
1511 // Signal field is on with the appropriate LED
1512 LED_D_ON();
1513 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1514
1515 // Now get the answer from the card
1516 Demod.output = receivedResponse;
1517 Demod.len = 0;
1518 Demod.state = DEMOD_UNSYNCD;
1519
f7e3ed82 1520 uint8_t b;
15c4dc5a 1521 if (elapsed) *elapsed = 0;
1522
1523 c = 0;
1524 for(;;) {
1525 WDT_HIT();
1526
1527 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1528 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1529 if (elapsed) (*elapsed)++;
1530 }
1531 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1532 if(c < 512) { c++; } else { return FALSE; }
f7e3ed82 1533 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1534 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1535 *samples = ((c - 1) << 3) + 4;
1536 return TRUE;
1537 }
1538 if(ManchesterDecoding(b & 0x0f)) {
1539 *samples = c << 3;
1540 return TRUE;
1541 }
1542 }
1543 }
1544}
1545
f7e3ed82 1546void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1547{
1548 int wait = 0;
1549 int samples = 0;
1550
1551 ShortFrameFromReader(*bt);
e30c654b 1552
15c4dc5a 1553 // Select the card
e30c654b 1554 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1555
15c4dc5a 1556 // Store reader command in buffer
1557 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1558}
1559
f7e3ed82 1560void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1561{
1562 int wait = 0;
1563 int samples = 0;
e30c654b 1564
15c4dc5a 1565 // This is tied to other size changes
f7e3ed82 1566 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1567 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1568
15c4dc5a 1569 // Select the card
e30c654b 1570 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1571
15c4dc5a 1572 // Store reader command in buffer
1573 if (tracing) LogTrace(frame,len,0,par,TRUE);
1574}
1575
1576
f7e3ed82 1577void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1578{
1579 // Generate parity and redirect
1580 ReaderTransmitPar(frame,len,GetParity(frame,len));
1581}
1582
f7e3ed82 1583int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1584{
1585 int samples = 0;
1586 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1587 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1588 return TRUE;
1589}
1590
1591//-----------------------------------------------------------------------------
1592// Read an ISO 14443a tag. Send out commands and store answers.
1593//
1594//-----------------------------------------------------------------------------
f7e3ed82 1595void ReaderIso14443a(uint32_t parameter)
15c4dc5a 1596{
1597 // Anticollision
f7e3ed82 1598 uint8_t wupa[] = { 0x52 };
1599 uint8_t sel_all[] = { 0x93,0x20 };
1600 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1601 uint8_t sel_all_c2[] = { 0x95,0x20 };
1602 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
15c4dc5a 1603
1604 // Mifare AUTH
f7e3ed82 1605 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1606// uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
e30c654b 1607
f7e3ed82 1608 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1609 traceLen = 0;
1610
1611 // Setup SSC
1612 FpgaSetupSsc();
1613
1614 // Start from off (no field generated)
1615 // Signal field is off with the appropriate LED
1616 LED_D_OFF();
1617 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1618 SpinDelay(200);
1619
1620 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1621 FpgaSetupSsc();
1622
1623 // Now give it time to spin up.
1624 // Signal field is on with the appropriate LED
1625 LED_D_ON();
1626 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1627 SpinDelay(200);
1628
1629 LED_A_ON();
1630 LED_B_OFF();
1631 LED_C_OFF();
1632
1633 while(traceLen < TRACE_LENGTH)
1634 {
1635 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1636 ReaderTransmitShort(wupa);
e30c654b 1637
15c4dc5a 1638 // Test if the action was cancelled
1639 if(BUTTON_PRESS()) {
1640 break;
1641 }
e30c654b 1642
15c4dc5a 1643 // Receive the ATQA
1644 if (!ReaderReceive(receivedAnswer)) continue;
1645
1646 // Transmit SELECT_ALL
1647 ReaderTransmit(sel_all,sizeof(sel_all));
1648
1649 // Receive the UID
1650 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1651
15c4dc5a 1652 // Construct SELECT UID command
1653 // First copy the 5 bytes (Mifare Classic) after the 93 70
1654 memcpy(sel_uid+2,receivedAnswer,5);
1655 // Secondly compute the two CRC bytes at the end
1656 AppendCrc14443a(sel_uid,7);
1657
1658 // Transmit SELECT_UID
1659 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1660
15c4dc5a 1661 // Receive the SAK
1662 if (!ReaderReceive(receivedAnswer)) continue;
1663
1664 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1665 // which case we need to make a cascade 2 request and select - this is a long UID
e30c654b 1666 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
15c4dc5a 1667 if (receivedAnswer[0] &= 0x04)
1668 {
1669 // Transmit SELECT_ALL
1670 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
e30c654b 1671
15c4dc5a 1672 // Receive the UID
1673 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1674
15c4dc5a 1675 // Construct SELECT UID command
1676 memcpy(sel_uid_c2+2,receivedAnswer,5);
1677 // Secondly compute the two CRC bytes at the end
1678 AppendCrc14443a(sel_uid_c2,7);
e30c654b 1679
15c4dc5a 1680 // Transmit SELECT_UID
1681 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
e30c654b 1682
15c4dc5a 1683 // Receive the SAK
1684 if (!ReaderReceive(receivedAnswer)) continue;
1685 }
1686
1687 // Transmit MIFARE_CLASSIC_AUTH
1688 ReaderTransmit(mf_auth,sizeof(mf_auth));
1689
1690 // Receive the (16 bit) "random" nonce
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 }
1693
1694 // Thats it...
1695 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1696 LEDsoff();
1697 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1698 DbpString("ready..");
1699}
1700
1701//-----------------------------------------------------------------------------
1702// Read an ISO 14443a tag. Send out commands and store answers.
1703//
1704//-----------------------------------------------------------------------------
f7e3ed82 1705void ReaderMifare(uint32_t parameter)
15c4dc5a 1706{
e30c654b 1707
15c4dc5a 1708 // Anticollision
f7e3ed82 1709 uint8_t wupa[] = { 0x52 };
1710 uint8_t sel_all[] = { 0x93,0x20 };
1711 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1712
15c4dc5a 1713 // Mifare AUTH
f7e3ed82 1714 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1715 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1716
f7e3ed82 1717 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1718 traceLen = 0;
1719 tracing = false;
e30c654b 1720
15c4dc5a 1721 // Setup SSC
1722 FpgaSetupSsc();
e30c654b 1723
15c4dc5a 1724 // Start from off (no field generated)
1725 // Signal field is off with the appropriate LED
1726 LED_D_OFF();
1727 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1728 SpinDelay(200);
e30c654b 1729
15c4dc5a 1730 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1731 FpgaSetupSsc();
e30c654b 1732
15c4dc5a 1733 // Now give it time to spin up.
1734 // Signal field is on with the appropriate LED
1735 LED_D_ON();
1736 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1737 SpinDelay(200);
e30c654b 1738
15c4dc5a 1739 LED_A_ON();
1740 LED_B_OFF();
1741 LED_C_OFF();
e30c654b 1742
15c4dc5a 1743 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1744 ReaderTransmitShort(wupa);
1745 // Receive the ATQA
1746 ReaderReceive(receivedAnswer);
1747 // Transmit SELECT_ALL
1748 ReaderTransmit(sel_all,sizeof(sel_all));
1749 // Receive the UID
1750 ReaderReceive(receivedAnswer);
1751 // Construct SELECT UID command
1752 // First copy the 5 bytes (Mifare Classic) after the 93 70
1753 memcpy(sel_uid+2,receivedAnswer,5);
1754 // Secondly compute the two CRC bytes at the end
1755 AppendCrc14443a(sel_uid,7);
e30c654b 1756
15c4dc5a 1757 byte_t nt_diff = 0;
1758 LED_A_OFF();
1759 byte_t par = 0;
1760 byte_t par_mask = 0xff;
1761 byte_t par_low = 0;
f7e3ed82 1762 int led_on = TRUE;
e30c654b 1763
15c4dc5a 1764 tracing = FALSE;
1765 byte_t nt[4];
1766 byte_t nt_attacked[4];
1767 byte_t par_list[8];
1768 byte_t ks_list[8];
1769 num_to_bytes(parameter,4,nt_attacked);
1770
1771 while(TRUE)
1772 {
1773 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1774 SpinDelay(200);
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1776
15c4dc5a 1777 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1778 ReaderTransmitShort(wupa);
e30c654b 1779
15c4dc5a 1780 // Test if the action was cancelled
1781 if(BUTTON_PRESS()) {
1782 break;
1783 }
e30c654b 1784
15c4dc5a 1785 // Receive the ATQA
1786 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1787
15c4dc5a 1788 // Transmit SELECT_ALL
1789 ReaderTransmit(sel_all,sizeof(sel_all));
e30c654b 1790
15c4dc5a 1791 // Receive the UID
1792 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1793
15c4dc5a 1794 // Transmit SELECT_UID
1795 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1796
15c4dc5a 1797 // Receive the SAK
1798 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1799
15c4dc5a 1800 // Transmit MIFARE_CLASSIC_AUTH
1801 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1802
15c4dc5a 1803 // Receive the (16 bit) "random" nonce
1804 if (!ReaderReceive(receivedAnswer)) continue;
1805 memcpy(nt,receivedAnswer,4);
1806
1807 // Transmit reader nonce and reader answer
1808 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1809
15c4dc5a 1810 // Receive 4 bit answer
1811 if (ReaderReceive(receivedAnswer))
1812 {
e30c654b 1813 if (nt_diff == 0)
15c4dc5a 1814 {
1815 LED_A_ON();
1816 memcpy(nt_attacked,nt,4);
1817 par_mask = 0xf8;
1818 par_low = par & 0x07;
1819 }
1820
1821 if (memcmp(nt,nt_attacked,4) != 0) continue;
1822
1823 led_on = !led_on;
1824 if(led_on) LED_B_ON(); else LED_B_OFF();
1825 par_list[nt_diff] = par;
1826 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1827
15c4dc5a 1828 // Test if the information is complete
1829 if (nt_diff == 0x07) break;
e30c654b 1830
15c4dc5a 1831 nt_diff = (nt_diff+1) & 0x07;
1832 mf_nr_ar[3] = nt_diff << 5;
1833 par = par_low;
1834 } else {
1835 if (nt_diff == 0)
1836 {
1837 par++;
1838 } else {
1839 par = (((par>>3)+1) << 3) | par_low;
1840 }
1841 }
1842 }
e30c654b 1843
15c4dc5a 1844 LogTraceInfo(sel_uid+2,4);
1845 LogTraceInfo(nt,4);
1846 LogTraceInfo(par_list,8);
1847 LogTraceInfo(ks_list,8);
e30c654b 1848
15c4dc5a 1849 // Thats it...
1850 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1851 LEDsoff();
1852 tracing = TRUE;
1853}
Proxmark3 GIT tracking
Impressum, Datenschutz