]>
Commit | Line | Data |
---|---|---|
15c4dc5a | 1 | //----------------------------------------------------------------------------- |
2 | // Routines to support ISO 14443 type A. | |
3 | // | |
4 | // Gerhard de Koning Gans - May 2008 | |
5 | //----------------------------------------------------------------------------- | |
e30c654b | 6 | #include "proxmark3.h" |
15c4dc5a | 7 | #include "apps.h" |
f7e3ed82 | 8 | #include "util.h" |
15c4dc5a | 9 | #include "iso14443crc.h" |
10 | ||
f7e3ed82 | 11 | static uint8_t *trace = (uint8_t *) BigBuf; |
15c4dc5a | 12 | static int traceLen = 0; |
13 | static int rsamples = 0; | |
f7e3ed82 | 14 | static int tracing = TRUE; |
15c4dc5a | 15 | |
16 | typedef enum { | |
17 | SEC_D = 1, | |
18 | SEC_E = 2, | |
19 | SEC_F = 3, | |
20 | SEC_X = 4, | |
21 | SEC_Y = 5, | |
22 | SEC_Z = 6 | |
23 | } SecType; | |
24 | ||
f7e3ed82 | 25 | static const uint8_t OddByteParity[256] = { |
15c4dc5a | 26 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, |
27 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
28 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
29 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
30 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
31 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
32 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
33 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
34 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
35 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
36 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
37 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
38 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, | |
39 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
40 | 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, | |
41 | 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1 | |
42 | }; | |
43 | ||
44 | // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT | |
45 | #define RECV_CMD_OFFSET 3032 | |
46 | #define RECV_RES_OFFSET 3096 | |
47 | #define DMA_BUFFER_OFFSET 3160 | |
48 | #define DMA_BUFFER_SIZE 4096 | |
49 | #define TRACE_LENGTH 3000 | |
50 | ||
51 | //----------------------------------------------------------------------------- | |
52 | // Generate the parity value for a byte sequence | |
e30c654b | 53 | // |
15c4dc5a | 54 | //----------------------------------------------------------------------------- |
f7e3ed82 | 55 | uint32_t GetParity(const uint8_t * pbtCmd, int iLen) |
15c4dc5a | 56 | { |
57 | int i; | |
f7e3ed82 | 58 | uint32_t dwPar = 0; |
e30c654b | 59 | |
15c4dc5a | 60 | // Generate the encrypted data |
61 | for (i = 0; i < iLen; i++) { | |
62 | // Save the encrypted parity bit | |
63 | dwPar |= ((OddByteParity[pbtCmd[i]]) << i); | |
64 | } | |
65 | return dwPar; | |
66 | } | |
67 | ||
f7e3ed82 | 68 | static void AppendCrc14443a(uint8_t* data, int len) |
15c4dc5a | 69 | { |
70 | ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1); | |
71 | } | |
72 | ||
f7e3ed82 | 73 | int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader) |
15c4dc5a | 74 | { |
75 | // Return when trace is full | |
76 | if (traceLen >= TRACE_LENGTH) return FALSE; | |
e30c654b | 77 | |
15c4dc5a | 78 | // Trace the random, i'm curious |
79 | rsamples += iSamples; | |
80 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
81 | trace[traceLen++] = ((rsamples >> 8) & 0xff); | |
82 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
83 | trace[traceLen++] = ((rsamples >> 24) & 0xff); | |
84 | if (!bReader) { | |
85 | trace[traceLen - 1] |= 0x80; | |
86 | } | |
87 | trace[traceLen++] = ((dwParity >> 0) & 0xff); | |
88 | trace[traceLen++] = ((dwParity >> 8) & 0xff); | |
89 | trace[traceLen++] = ((dwParity >> 16) & 0xff); | |
90 | trace[traceLen++] = ((dwParity >> 24) & 0xff); | |
91 | trace[traceLen++] = iLen; | |
92 | memcpy(trace + traceLen, btBytes, iLen); | |
93 | traceLen += iLen; | |
94 | return TRUE; | |
95 | } | |
96 | ||
f7e3ed82 | 97 | int LogTraceInfo(byte_t* data, size_t len) |
15c4dc5a | 98 | { |
99 | return LogTrace(data,len,0,GetParity(data,len),TRUE); | |
100 | } | |
101 | ||
102 | //----------------------------------------------------------------------------- | |
103 | // The software UART that receives commands from the reader, and its state | |
104 | // variables. | |
105 | //----------------------------------------------------------------------------- | |
106 | static struct { | |
107 | enum { | |
108 | STATE_UNSYNCD, | |
109 | STATE_START_OF_COMMUNICATION, | |
110 | STATE_MILLER_X, | |
111 | STATE_MILLER_Y, | |
112 | STATE_MILLER_Z, | |
113 | STATE_ERROR_WAIT | |
114 | } state; | |
f7e3ed82 | 115 | uint16_t shiftReg; |
15c4dc5a | 116 | int bitCnt; |
117 | int byteCnt; | |
118 | int byteCntMax; | |
119 | int posCnt; | |
120 | int syncBit; | |
121 | int parityBits; | |
122 | int samples; | |
123 | int highCnt; | |
124 | int bitBuffer; | |
125 | enum { | |
126 | DROP_NONE, | |
127 | DROP_FIRST_HALF, | |
128 | DROP_SECOND_HALF | |
129 | } drop; | |
f7e3ed82 | 130 | uint8_t *output; |
15c4dc5a | 131 | } Uart; |
132 | ||
f7e3ed82 | 133 | static int MillerDecoding(int bit) |
15c4dc5a | 134 | { |
135 | int error = 0; | |
136 | int bitright; | |
137 | ||
138 | if(!Uart.bitBuffer) { | |
139 | Uart.bitBuffer = bit ^ 0xFF0; | |
140 | return FALSE; | |
141 | } | |
142 | else { | |
143 | Uart.bitBuffer <<= 4; | |
144 | Uart.bitBuffer ^= bit; | |
145 | } | |
146 | ||
f7e3ed82 | 147 | int EOC = FALSE; |
15c4dc5a | 148 | |
149 | if(Uart.state != STATE_UNSYNCD) { | |
150 | Uart.posCnt++; | |
151 | ||
152 | if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) { | |
153 | bit = 0x00; | |
154 | } | |
155 | else { | |
156 | bit = 0x01; | |
157 | } | |
158 | if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) { | |
159 | bitright = 0x00; | |
160 | } | |
161 | else { | |
162 | bitright = 0x01; | |
163 | } | |
164 | if(bit != bitright) { bit = bitright; } | |
165 | ||
166 | if(Uart.posCnt == 1) { | |
167 | // measurement first half bitperiod | |
168 | if(!bit) { | |
169 | Uart.drop = DROP_FIRST_HALF; | |
170 | } | |
171 | } | |
172 | else { | |
173 | // measurement second half bitperiod | |
174 | if(!bit & (Uart.drop == DROP_NONE)) { | |
175 | Uart.drop = DROP_SECOND_HALF; | |
176 | } | |
177 | else if(!bit) { | |
178 | // measured a drop in first and second half | |
179 | // which should not be possible | |
180 | Uart.state = STATE_ERROR_WAIT; | |
181 | error = 0x01; | |
182 | } | |
183 | ||
184 | Uart.posCnt = 0; | |
185 | ||
186 | switch(Uart.state) { | |
187 | case STATE_START_OF_COMMUNICATION: | |
188 | Uart.shiftReg = 0; | |
189 | if(Uart.drop == DROP_SECOND_HALF) { | |
190 | // error, should not happen in SOC | |
191 | Uart.state = STATE_ERROR_WAIT; | |
192 | error = 0x02; | |
193 | } | |
194 | else { | |
195 | // correct SOC | |
196 | Uart.state = STATE_MILLER_Z; | |
197 | } | |
198 | break; | |
199 | ||
200 | case STATE_MILLER_Z: | |
201 | Uart.bitCnt++; | |
202 | Uart.shiftReg >>= 1; | |
203 | if(Uart.drop == DROP_NONE) { | |
204 | // logic '0' followed by sequence Y | |
205 | // end of communication | |
206 | Uart.state = STATE_UNSYNCD; | |
207 | EOC = TRUE; | |
208 | } | |
209 | // if(Uart.drop == DROP_FIRST_HALF) { | |
210 | // Uart.state = STATE_MILLER_Z; stay the same | |
211 | // we see a logic '0' } | |
212 | if(Uart.drop == DROP_SECOND_HALF) { | |
213 | // we see a logic '1' | |
214 | Uart.shiftReg |= 0x100; | |
215 | Uart.state = STATE_MILLER_X; | |
216 | } | |
217 | break; | |
218 | ||
219 | case STATE_MILLER_X: | |
220 | Uart.shiftReg >>= 1; | |
221 | if(Uart.drop == DROP_NONE) { | |
222 | // sequence Y, we see a '0' | |
223 | Uart.state = STATE_MILLER_Y; | |
224 | Uart.bitCnt++; | |
225 | } | |
226 | if(Uart.drop == DROP_FIRST_HALF) { | |
227 | // Would be STATE_MILLER_Z | |
228 | // but Z does not follow X, so error | |
229 | Uart.state = STATE_ERROR_WAIT; | |
230 | error = 0x03; | |
231 | } | |
232 | if(Uart.drop == DROP_SECOND_HALF) { | |
233 | // We see a '1' and stay in state X | |
234 | Uart.shiftReg |= 0x100; | |
235 | Uart.bitCnt++; | |
236 | } | |
237 | break; | |
238 | ||
239 | case STATE_MILLER_Y: | |
240 | Uart.bitCnt++; | |
241 | Uart.shiftReg >>= 1; | |
242 | if(Uart.drop == DROP_NONE) { | |
243 | // logic '0' followed by sequence Y | |
244 | // end of communication | |
245 | Uart.state = STATE_UNSYNCD; | |
246 | EOC = TRUE; | |
247 | } | |
248 | if(Uart.drop == DROP_FIRST_HALF) { | |
249 | // we see a '0' | |
250 | Uart.state = STATE_MILLER_Z; | |
251 | } | |
252 | if(Uart.drop == DROP_SECOND_HALF) { | |
253 | // We see a '1' and go to state X | |
254 | Uart.shiftReg |= 0x100; | |
255 | Uart.state = STATE_MILLER_X; | |
256 | } | |
257 | break; | |
258 | ||
259 | case STATE_ERROR_WAIT: | |
260 | // That went wrong. Now wait for at least two bit periods | |
261 | // and try to sync again | |
262 | if(Uart.drop == DROP_NONE) { | |
263 | Uart.highCnt = 6; | |
264 | Uart.state = STATE_UNSYNCD; | |
265 | } | |
266 | break; | |
267 | ||
268 | default: | |
269 | Uart.state = STATE_UNSYNCD; | |
270 | Uart.highCnt = 0; | |
271 | break; | |
272 | } | |
273 | ||
274 | Uart.drop = DROP_NONE; | |
275 | ||
276 | // should have received at least one whole byte... | |
277 | if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) { | |
278 | return TRUE; | |
279 | } | |
280 | ||
281 | if(Uart.bitCnt == 9) { | |
282 | Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff); | |
283 | Uart.byteCnt++; | |
284 | ||
285 | Uart.parityBits <<= 1; | |
286 | Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01); | |
287 | ||
288 | if(EOC) { | |
289 | // when End of Communication received and | |
290 | // all data bits processed.. | |
291 | return TRUE; | |
292 | } | |
293 | Uart.bitCnt = 0; | |
294 | } | |
295 | ||
296 | /*if(error) { | |
297 | Uart.output[Uart.byteCnt] = 0xAA; | |
298 | Uart.byteCnt++; | |
299 | Uart.output[Uart.byteCnt] = error & 0xFF; | |
300 | Uart.byteCnt++; | |
301 | Uart.output[Uart.byteCnt] = 0xAA; | |
302 | Uart.byteCnt++; | |
303 | Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF; | |
304 | Uart.byteCnt++; | |
305 | Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF; | |
306 | Uart.byteCnt++; | |
307 | Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF; | |
308 | Uart.byteCnt++; | |
309 | Uart.output[Uart.byteCnt] = 0xAA; | |
310 | Uart.byteCnt++; | |
311 | return TRUE; | |
312 | }*/ | |
313 | } | |
314 | ||
315 | } | |
316 | else { | |
317 | bit = Uart.bitBuffer & 0xf0; | |
318 | bit >>= 4; | |
319 | bit ^= 0x0F; | |
320 | if(bit) { | |
321 | // should have been high or at least (4 * 128) / fc | |
322 | // according to ISO this should be at least (9 * 128 + 20) / fc | |
323 | if(Uart.highCnt == 8) { | |
324 | // we went low, so this could be start of communication | |
325 | // it turns out to be safer to choose a less significant | |
326 | // syncbit... so we check whether the neighbour also represents the drop | |
327 | Uart.posCnt = 1; // apparently we are busy with our first half bit period | |
328 | Uart.syncBit = bit & 8; | |
329 | Uart.samples = 3; | |
330 | if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; } | |
331 | else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; } | |
332 | if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; } | |
333 | else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; } | |
334 | if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0; | |
335 | if(Uart.syncBit & (Uart.bitBuffer & 8)) { | |
336 | Uart.syncBit = 8; | |
337 | ||
338 | // the first half bit period is expected in next sample | |
339 | Uart.posCnt = 0; | |
340 | Uart.samples = 3; | |
341 | } | |
342 | } | |
343 | else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; } | |
344 | ||
345 | Uart.syncBit <<= 4; | |
346 | Uart.state = STATE_START_OF_COMMUNICATION; | |
347 | Uart.drop = DROP_FIRST_HALF; | |
348 | Uart.bitCnt = 0; | |
349 | Uart.byteCnt = 0; | |
350 | Uart.parityBits = 0; | |
351 | error = 0; | |
352 | } | |
353 | else { | |
354 | Uart.highCnt = 0; | |
355 | } | |
356 | } | |
357 | else { | |
358 | if(Uart.highCnt < 8) { | |
359 | Uart.highCnt++; | |
360 | } | |
361 | } | |
362 | } | |
363 | ||
364 | return FALSE; | |
365 | } | |
366 | ||
367 | //============================================================================= | |
368 | // ISO 14443 Type A - Manchester | |
369 | //============================================================================= | |
370 | ||
371 | static struct { | |
372 | enum { | |
373 | DEMOD_UNSYNCD, | |
374 | DEMOD_START_OF_COMMUNICATION, | |
375 | DEMOD_MANCHESTER_D, | |
376 | DEMOD_MANCHESTER_E, | |
377 | DEMOD_MANCHESTER_F, | |
378 | DEMOD_ERROR_WAIT | |
379 | } state; | |
380 | int bitCount; | |
381 | int posCount; | |
382 | int syncBit; | |
383 | int parityBits; | |
f7e3ed82 | 384 | uint16_t shiftReg; |
15c4dc5a | 385 | int buffer; |
386 | int buff; | |
387 | int samples; | |
388 | int len; | |
389 | enum { | |
390 | SUB_NONE, | |
391 | SUB_FIRST_HALF, | |
392 | SUB_SECOND_HALF | |
393 | } sub; | |
f7e3ed82 | 394 | uint8_t *output; |
15c4dc5a | 395 | } Demod; |
396 | ||
f7e3ed82 | 397 | static int ManchesterDecoding(int v) |
15c4dc5a | 398 | { |
399 | int bit; | |
400 | int modulation; | |
401 | int error = 0; | |
402 | ||
403 | if(!Demod.buff) { | |
404 | Demod.buff = 1; | |
405 | Demod.buffer = v; | |
406 | return FALSE; | |
407 | } | |
408 | else { | |
409 | bit = Demod.buffer; | |
410 | Demod.buffer = v; | |
411 | } | |
412 | ||
413 | if(Demod.state==DEMOD_UNSYNCD) { | |
414 | Demod.output[Demod.len] = 0xfa; | |
415 | Demod.syncBit = 0; | |
416 | //Demod.samples = 0; | |
417 | Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part | |
418 | if(bit & 0x08) { Demod.syncBit = 0x08; } | |
419 | if(!Demod.syncBit) { | |
420 | if(bit & 0x04) { Demod.syncBit = 0x04; } | |
421 | } | |
422 | else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; } | |
423 | if(!Demod.syncBit) { | |
424 | if(bit & 0x02) { Demod.syncBit = 0x02; } | |
425 | } | |
426 | else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; } | |
427 | if(!Demod.syncBit) { | |
428 | if(bit & 0x01) { Demod.syncBit = 0x01; } | |
429 | ||
430 | if(Demod.syncBit & (Demod.buffer & 0x08)) { | |
431 | Demod.syncBit = 0x08; | |
432 | ||
433 | // The first half bitperiod is expected in next sample | |
434 | Demod.posCount = 0; | |
435 | Demod.output[Demod.len] = 0xfb; | |
436 | } | |
437 | } | |
438 | else if(bit & 0x01) { Demod.syncBit = 0x01; } | |
439 | ||
440 | if(Demod.syncBit) { | |
441 | Demod.len = 0; | |
442 | Demod.state = DEMOD_START_OF_COMMUNICATION; | |
443 | Demod.sub = SUB_FIRST_HALF; | |
444 | Demod.bitCount = 0; | |
445 | Demod.shiftReg = 0; | |
446 | Demod.parityBits = 0; | |
447 | Demod.samples = 0; | |
448 | if(Demod.posCount) { | |
449 | switch(Demod.syncBit) { | |
450 | case 0x08: Demod.samples = 3; break; | |
451 | case 0x04: Demod.samples = 2; break; | |
452 | case 0x02: Demod.samples = 1; break; | |
453 | case 0x01: Demod.samples = 0; break; | |
454 | } | |
455 | } | |
456 | error = 0; | |
457 | } | |
458 | } | |
459 | else { | |
460 | //modulation = bit & Demod.syncBit; | |
461 | modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit; | |
462 | ||
463 | Demod.samples += 4; | |
464 | ||
465 | if(Demod.posCount==0) { | |
466 | Demod.posCount = 1; | |
467 | if(modulation) { | |
468 | Demod.sub = SUB_FIRST_HALF; | |
469 | } | |
470 | else { | |
471 | Demod.sub = SUB_NONE; | |
472 | } | |
473 | } | |
474 | else { | |
475 | Demod.posCount = 0; | |
476 | if(modulation && (Demod.sub == SUB_FIRST_HALF)) { | |
477 | if(Demod.state!=DEMOD_ERROR_WAIT) { | |
478 | Demod.state = DEMOD_ERROR_WAIT; | |
479 | Demod.output[Demod.len] = 0xaa; | |
480 | error = 0x01; | |
481 | } | |
482 | } | |
483 | else if(modulation) { | |
484 | Demod.sub = SUB_SECOND_HALF; | |
485 | } | |
486 | ||
487 | switch(Demod.state) { | |
488 | case DEMOD_START_OF_COMMUNICATION: | |
489 | if(Demod.sub == SUB_FIRST_HALF) { | |
490 | Demod.state = DEMOD_MANCHESTER_D; | |
491 | } | |
492 | else { | |
493 | Demod.output[Demod.len] = 0xab; | |
494 | Demod.state = DEMOD_ERROR_WAIT; | |
495 | error = 0x02; | |
496 | } | |
497 | break; | |
498 | ||
499 | case DEMOD_MANCHESTER_D: | |
500 | case DEMOD_MANCHESTER_E: | |
501 | if(Demod.sub == SUB_FIRST_HALF) { | |
502 | Demod.bitCount++; | |
503 | Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100; | |
504 | Demod.state = DEMOD_MANCHESTER_D; | |
505 | } | |
506 | else if(Demod.sub == SUB_SECOND_HALF) { | |
507 | Demod.bitCount++; | |
508 | Demod.shiftReg >>= 1; | |
509 | Demod.state = DEMOD_MANCHESTER_E; | |
510 | } | |
511 | else { | |
512 | Demod.state = DEMOD_MANCHESTER_F; | |
513 | } | |
514 | break; | |
515 | ||
516 | case DEMOD_MANCHESTER_F: | |
517 | // Tag response does not need to be a complete byte! | |
518 | if(Demod.len > 0 || Demod.bitCount > 0) { | |
519 | if(Demod.bitCount > 0) { | |
520 | Demod.shiftReg >>= (9 - Demod.bitCount); | |
521 | Demod.output[Demod.len] = Demod.shiftReg & 0xff; | |
522 | Demod.len++; | |
523 | // No parity bit, so just shift a 0 | |
524 | Demod.parityBits <<= 1; | |
525 | } | |
526 | ||
527 | Demod.state = DEMOD_UNSYNCD; | |
528 | return TRUE; | |
529 | } | |
530 | else { | |
531 | Demod.output[Demod.len] = 0xad; | |
532 | Demod.state = DEMOD_ERROR_WAIT; | |
533 | error = 0x03; | |
534 | } | |
535 | break; | |
536 | ||
537 | case DEMOD_ERROR_WAIT: | |
538 | Demod.state = DEMOD_UNSYNCD; | |
539 | break; | |
540 | ||
541 | default: | |
542 | Demod.output[Demod.len] = 0xdd; | |
543 | Demod.state = DEMOD_UNSYNCD; | |
544 | break; | |
545 | } | |
546 | ||
547 | if(Demod.bitCount>=9) { | |
548 | Demod.output[Demod.len] = Demod.shiftReg & 0xff; | |
549 | Demod.len++; | |
550 | ||
551 | Demod.parityBits <<= 1; | |
552 | Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01); | |
553 | ||
554 | Demod.bitCount = 0; | |
555 | Demod.shiftReg = 0; | |
556 | } | |
557 | ||
558 | /*if(error) { | |
559 | Demod.output[Demod.len] = 0xBB; | |
560 | Demod.len++; | |
561 | Demod.output[Demod.len] = error & 0xFF; | |
562 | Demod.len++; | |
563 | Demod.output[Demod.len] = 0xBB; | |
564 | Demod.len++; | |
565 | Demod.output[Demod.len] = bit & 0xFF; | |
566 | Demod.len++; | |
567 | Demod.output[Demod.len] = Demod.buffer & 0xFF; | |
568 | Demod.len++; | |
569 | Demod.output[Demod.len] = Demod.syncBit & 0xFF; | |
570 | Demod.len++; | |
571 | Demod.output[Demod.len] = 0xBB; | |
572 | Demod.len++; | |
573 | return TRUE; | |
574 | }*/ | |
575 | ||
576 | } | |
577 | ||
578 | } // end (state != UNSYNCED) | |
579 | ||
580 | return FALSE; | |
581 | } | |
582 | ||
583 | //============================================================================= | |
584 | // Finally, a `sniffer' for ISO 14443 Type A | |
585 | // Both sides of communication! | |
586 | //============================================================================= | |
587 | ||
588 | //----------------------------------------------------------------------------- | |
589 | // Record the sequence of commands sent by the reader to the tag, with | |
590 | // triggering so that we start recording at the point that the tag is moved | |
591 | // near the reader. | |
592 | //----------------------------------------------------------------------------- | |
593 | void SnoopIso14443a(void) | |
594 | { | |
595 | // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values | |
596 | // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values | |
597 | // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values | |
598 | // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values | |
599 | // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values | |
600 | ||
601 | // We won't start recording the frames that we acquire until we trigger; | |
602 | // a good trigger condition to get started is probably when we see a | |
603 | // response from the tag. | |
f7e3ed82 | 604 | int triggered = TRUE; // FALSE to wait first for card |
15c4dc5a | 605 | |
606 | // The command (reader -> tag) that we're receiving. | |
607 | // The length of a received command will in most cases be no more than 18 bytes. | |
608 | // So 32 should be enough! | |
f7e3ed82 | 609 | uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET); |
15c4dc5a | 610 | // The response (tag -> reader) that we're receiving. |
f7e3ed82 | 611 | uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET); |
15c4dc5a | 612 | |
613 | // As we receive stuff, we copy it from receivedCmd or receivedResponse | |
614 | // into trace, along with its length and other annotations. | |
f7e3ed82 | 615 | //uint8_t *trace = (uint8_t *)BigBuf; |
15c4dc5a | 616 | //int traceLen = 0; |
617 | ||
618 | // The DMA buffer, used to stream samples from the FPGA | |
f7e3ed82 | 619 | int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET; |
15c4dc5a | 620 | int lastRxCounter; |
f7e3ed82 | 621 | int8_t *upTo; |
15c4dc5a | 622 | int smpl; |
623 | int maxBehindBy = 0; | |
624 | ||
625 | // Count of samples received so far, so that we can include timing | |
626 | // information in the trace buffer. | |
627 | int samples = 0; | |
628 | int rsamples = 0; | |
629 | ||
630 | memset(trace, 0x44, RECV_CMD_OFFSET); | |
631 | ||
632 | // Set up the demodulator for tag -> reader responses. | |
633 | Demod.output = receivedResponse; | |
634 | Demod.len = 0; | |
635 | Demod.state = DEMOD_UNSYNCD; | |
636 | ||
637 | // And the reader -> tag commands | |
638 | memset(&Uart, 0, sizeof(Uart)); | |
639 | Uart.output = receivedCmd; | |
640 | Uart.byteCntMax = 32; // was 100 (greg)//////////////////////////////////////////////////////////////////////// | |
641 | Uart.state = STATE_UNSYNCD; | |
642 | ||
643 | // And put the FPGA in the appropriate mode | |
644 | // Signal field is off with the appropriate LED | |
645 | LED_D_OFF(); | |
646 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER); | |
647 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
648 | ||
649 | // Setup for the DMA. | |
650 | FpgaSetupSsc(); | |
651 | upTo = dmaBuf; | |
652 | lastRxCounter = DMA_BUFFER_SIZE; | |
f7e3ed82 | 653 | FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE); |
15c4dc5a | 654 | |
655 | LED_A_ON(); | |
656 | ||
657 | // And now we loop, receiving samples. | |
658 | for(;;) { | |
659 | WDT_HIT(); | |
660 | int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) & | |
661 | (DMA_BUFFER_SIZE-1); | |
662 | if(behindBy > maxBehindBy) { | |
663 | maxBehindBy = behindBy; | |
664 | if(behindBy > 400) { | |
665 | DbpString("blew circular buffer!"); | |
666 | goto done; | |
667 | } | |
668 | } | |
669 | if(behindBy < 1) continue; | |
670 | ||
671 | smpl = upTo[0]; | |
672 | upTo++; | |
673 | lastRxCounter -= 1; | |
674 | if(upTo - dmaBuf > DMA_BUFFER_SIZE) { | |
675 | upTo -= DMA_BUFFER_SIZE; | |
676 | lastRxCounter += DMA_BUFFER_SIZE; | |
f7e3ed82 | 677 | AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo; |
15c4dc5a | 678 | AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE; |
679 | } | |
680 | ||
681 | samples += 4; | |
682 | #define HANDLE_BIT_IF_BODY \ | |
683 | LED_C_ON(); \ | |
684 | if(triggered) { \ | |
685 | trace[traceLen++] = ((rsamples >> 0) & 0xff); \ | |
686 | trace[traceLen++] = ((rsamples >> 8) & 0xff); \ | |
687 | trace[traceLen++] = ((rsamples >> 16) & 0xff); \ | |
688 | trace[traceLen++] = ((rsamples >> 24) & 0xff); \ | |
689 | trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \ | |
690 | trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \ | |
691 | trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \ | |
692 | trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \ | |
693 | trace[traceLen++] = Uart.byteCnt; \ | |
694 | memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \ | |
695 | traceLen += Uart.byteCnt; \ | |
696 | if(traceLen > TRACE_LENGTH) break; \ | |
697 | } \ | |
698 | /* And ready to receive another command. */ \ | |
699 | Uart.state = STATE_UNSYNCD; \ | |
700 | /* And also reset the demod code, which might have been */ \ | |
701 | /* false-triggered by the commands from the reader. */ \ | |
702 | Demod.state = DEMOD_UNSYNCD; \ | |
703 | LED_B_OFF(); \ | |
704 | ||
705 | if(MillerDecoding((smpl & 0xF0) >> 4)) { | |
706 | rsamples = samples - Uart.samples; | |
707 | HANDLE_BIT_IF_BODY | |
708 | } | |
709 | if(ManchesterDecoding(smpl & 0x0F)) { | |
710 | rsamples = samples - Demod.samples; | |
711 | LED_B_ON(); | |
712 | ||
713 | // timestamp, as a count of samples | |
714 | trace[traceLen++] = ((rsamples >> 0) & 0xff); | |
715 | trace[traceLen++] = ((rsamples >> 8) & 0xff); | |
716 | trace[traceLen++] = ((rsamples >> 16) & 0xff); | |
717 | trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff); | |
718 | trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff); | |
719 | trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff); | |
720 | trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff); | |
721 | trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff); | |
722 | // length | |
723 | trace[traceLen++] = Demod.len; | |
724 | memcpy(trace+traceLen, receivedResponse, Demod.len); | |
725 | traceLen += Demod.len; | |
726 | if(traceLen > TRACE_LENGTH) break; | |
727 | ||
728 | triggered = TRUE; | |
729 | ||
730 | // And ready to receive another response. | |
731 | memset(&Demod, 0, sizeof(Demod)); | |
732 | Demod.output = receivedResponse; | |
733 | Demod.state = DEMOD_UNSYNCD; | |
734 | LED_C_OFF(); | |
735 | } | |
736 | ||
737 | if(BUTTON_PRESS()) { | |
738 | DbpString("cancelled_a"); | |
739 | goto done; | |
740 | } | |
741 | } | |
742 | ||
743 | DbpString("COMMAND FINISHED"); | |
744 | ||
745 | Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt); | |
746 | Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]); | |
747 | ||
748 | done: | |
749 | AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; | |
750 | Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt); | |
751 | Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]); | |
752 | LED_A_OFF(); | |
753 | LED_B_OFF(); | |
754 | LED_C_OFF(); | |
755 | LED_D_OFF(); | |
756 | } | |
757 | ||
758 | // Prepare communication bits to send to FPGA | |
759 | void Sequence(SecType seq) | |
760 | { | |
761 | ToSendMax++; | |
762 | switch(seq) { | |
763 | // CARD TO READER | |
764 | case SEC_D: | |
765 | // Sequence D: 11110000 | |
766 | // modulation with subcarrier during first half | |
767 | ToSend[ToSendMax] = 0xf0; | |
768 | break; | |
769 | case SEC_E: | |
770 | // Sequence E: 00001111 | |
771 | // modulation with subcarrier during second half | |
772 | ToSend[ToSendMax] = 0x0f; | |
773 | break; | |
774 | case SEC_F: | |
775 | // Sequence F: 00000000 | |
776 | // no modulation with subcarrier | |
777 | ToSend[ToSendMax] = 0x00; | |
778 | break; | |
779 | // READER TO CARD | |
780 | case SEC_X: | |
781 | // Sequence X: 00001100 | |
782 | // drop after half a period | |
783 | ToSend[ToSendMax] = 0x0c; | |
784 | break; | |
785 | case SEC_Y: | |
786 | default: | |
787 | // Sequence Y: 00000000 | |
788 | // no drop | |
789 | ToSend[ToSendMax] = 0x00; | |
790 | break; | |
791 | case SEC_Z: | |
792 | // Sequence Z: 11000000 | |
793 | // drop at start | |
794 | ToSend[ToSendMax] = 0xc0; | |
795 | break; | |
796 | } | |
797 | } | |
798 | ||
799 | //----------------------------------------------------------------------------- | |
800 | // Prepare tag messages | |
801 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 802 | static void CodeIso14443aAsTag(const uint8_t *cmd, int len) |
15c4dc5a | 803 | { |
804 | int i; | |
805 | int oddparity; | |
806 | ||
807 | ToSendReset(); | |
808 | ||
809 | // Correction bit, might be removed when not needed | |
810 | ToSendStuffBit(0); | |
811 | ToSendStuffBit(0); | |
812 | ToSendStuffBit(0); | |
813 | ToSendStuffBit(0); | |
814 | ToSendStuffBit(1); // 1 | |
815 | ToSendStuffBit(0); | |
816 | ToSendStuffBit(0); | |
817 | ToSendStuffBit(0); | |
818 | ||
819 | // Send startbit | |
820 | Sequence(SEC_D); | |
821 | ||
822 | for(i = 0; i < len; i++) { | |
823 | int j; | |
f7e3ed82 | 824 | uint8_t b = cmd[i]; |
15c4dc5a | 825 | |
826 | // Data bits | |
827 | oddparity = 0x01; | |
828 | for(j = 0; j < 8; j++) { | |
829 | oddparity ^= (b & 1); | |
830 | if(b & 1) { | |
831 | Sequence(SEC_D); | |
832 | } else { | |
833 | Sequence(SEC_E); | |
834 | } | |
835 | b >>= 1; | |
836 | } | |
837 | ||
838 | // Parity bit | |
839 | if(oddparity) { | |
840 | Sequence(SEC_D); | |
841 | } else { | |
842 | Sequence(SEC_E); | |
843 | } | |
844 | } | |
845 | ||
846 | // Send stopbit | |
847 | Sequence(SEC_F); | |
848 | ||
849 | // Flush the buffer in FPGA!! | |
850 | for(i = 0; i < 5; i++) { | |
851 | Sequence(SEC_F); | |
852 | } | |
853 | ||
854 | // Convert from last byte pos to length | |
855 | ToSendMax++; | |
856 | ||
857 | // Add a few more for slop | |
858 | ToSend[ToSendMax++] = 0x00; | |
859 | ToSend[ToSendMax++] = 0x00; | |
860 | //ToSendMax += 2; | |
861 | } | |
862 | ||
863 | //----------------------------------------------------------------------------- | |
864 | // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4 | |
865 | //----------------------------------------------------------------------------- | |
866 | static void CodeStrangeAnswer() | |
867 | { | |
868 | int i; | |
869 | ||
870 | ToSendReset(); | |
871 | ||
872 | // Correction bit, might be removed when not needed | |
873 | ToSendStuffBit(0); | |
874 | ToSendStuffBit(0); | |
875 | ToSendStuffBit(0); | |
876 | ToSendStuffBit(0); | |
877 | ToSendStuffBit(1); // 1 | |
878 | ToSendStuffBit(0); | |
879 | ToSendStuffBit(0); | |
880 | ToSendStuffBit(0); | |
881 | ||
882 | // Send startbit | |
883 | Sequence(SEC_D); | |
884 | ||
885 | // 0 | |
886 | Sequence(SEC_E); | |
887 | ||
888 | // 0 | |
889 | Sequence(SEC_E); | |
890 | ||
891 | // 1 | |
892 | Sequence(SEC_D); | |
893 | ||
894 | // Send stopbit | |
895 | Sequence(SEC_F); | |
896 | ||
897 | // Flush the buffer in FPGA!! | |
898 | for(i = 0; i < 5; i++) { | |
899 | Sequence(SEC_F); | |
900 | } | |
901 | ||
902 | // Convert from last byte pos to length | |
903 | ToSendMax++; | |
904 | ||
905 | // Add a few more for slop | |
906 | ToSend[ToSendMax++] = 0x00; | |
907 | ToSend[ToSendMax++] = 0x00; | |
908 | //ToSendMax += 2; | |
909 | } | |
910 | ||
911 | //----------------------------------------------------------------------------- | |
912 | // Wait for commands from reader | |
913 | // Stop when button is pressed | |
914 | // Or return TRUE when command is captured | |
915 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 916 | static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen) |
15c4dc5a | 917 | { |
918 | // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen | |
919 | // only, since we are receiving, not transmitting). | |
920 | // Signal field is off with the appropriate LED | |
921 | LED_D_OFF(); | |
922 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN); | |
923 | ||
924 | // Now run a `software UART' on the stream of incoming samples. | |
925 | Uart.output = received; | |
926 | Uart.byteCntMax = maxLen; | |
927 | Uart.state = STATE_UNSYNCD; | |
928 | ||
929 | for(;;) { | |
930 | WDT_HIT(); | |
931 | ||
932 | if(BUTTON_PRESS()) return FALSE; | |
933 | ||
934 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
935 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
936 | } | |
937 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 938 | uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 939 | if(MillerDecoding((b & 0xf0) >> 4)) { |
940 | *len = Uart.byteCnt; | |
941 | return TRUE; | |
942 | } | |
943 | if(MillerDecoding(b & 0x0f)) { | |
944 | *len = Uart.byteCnt; | |
945 | return TRUE; | |
946 | } | |
947 | } | |
948 | } | |
949 | } | |
950 | ||
951 | //----------------------------------------------------------------------------- | |
952 | // Main loop of simulated tag: receive commands from reader, decide what | |
953 | // response to send, and send it. | |
954 | //----------------------------------------------------------------------------- | |
955 | void SimulateIso14443aTag(int tagType, int TagUid) | |
956 | { | |
957 | // This function contains the tag emulation | |
958 | ||
959 | // Prepare protocol messages | |
f7e3ed82 | 960 | // static const uint8_t cmd1[] = { 0x26 }; |
961 | // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg | |
15c4dc5a | 962 | // |
f7e3ed82 | 963 | static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me |
964 | // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me | |
15c4dc5a | 965 | |
966 | // UID response | |
f7e3ed82 | 967 | // static const uint8_t cmd2[] = { 0x93, 0x20 }; |
968 | //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg | |
15c4dc5a | 969 | |
970 | ||
971 | ||
972 | // my desfire | |
f7e3ed82 | 973 | static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips |
15c4dc5a | 974 | |
975 | ||
976 | // When reader selects us during cascade1 it will send cmd3 | |
f7e3ed82 | 977 | //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE) |
978 | uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire) | |
15c4dc5a | 979 | ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]); |
980 | ||
981 | // send cascade2 2nd half of UID | |
f7e3ed82 | 982 | static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck |
15c4dc5a | 983 | // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID |
984 | ||
985 | ||
986 | // When reader selects us during cascade2 it will send cmd3a | |
f7e3ed82 | 987 | //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE) |
988 | uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire) | |
15c4dc5a | 989 | ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]); |
990 | ||
f7e3ed82 | 991 | static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce |
15c4dc5a | 992 | |
f7e3ed82 | 993 | uint8_t *resp; |
15c4dc5a | 994 | int respLen; |
995 | ||
996 | // Longest possible response will be 16 bytes + 2 CRC = 18 bytes | |
997 | // This will need | |
998 | // 144 data bits (18 * 8) | |
999 | // 18 parity bits | |
1000 | // 2 Start and stop | |
1001 | // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA) | |
1002 | // 1 just for the case | |
1003 | // ----------- + | |
1004 | // 166 | |
1005 | // | |
1006 | // 166 bytes, since every bit that needs to be send costs us a byte | |
1007 | // | |
1008 | ||
1009 | ||
1010 | // Respond with card type | |
f7e3ed82 | 1011 | uint8_t *resp1 = (((uint8_t *)BigBuf) + 800); |
15c4dc5a | 1012 | int resp1Len; |
1013 | ||
1014 | // Anticollision cascade1 - respond with uid | |
f7e3ed82 | 1015 | uint8_t *resp2 = (((uint8_t *)BigBuf) + 970); |
15c4dc5a | 1016 | int resp2Len; |
1017 | ||
1018 | // Anticollision cascade2 - respond with 2nd half of uid if asked | |
1019 | // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88 | |
f7e3ed82 | 1020 | uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140); |
15c4dc5a | 1021 | int resp2aLen; |
1022 | ||
1023 | // Acknowledge select - cascade 1 | |
f7e3ed82 | 1024 | uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310); |
15c4dc5a | 1025 | int resp3Len; |
1026 | ||
1027 | // Acknowledge select - cascade 2 | |
f7e3ed82 | 1028 | uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480); |
15c4dc5a | 1029 | int resp3aLen; |
1030 | ||
1031 | // Response to a read request - not implemented atm | |
f7e3ed82 | 1032 | uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550); |
15c4dc5a | 1033 | int resp4Len; |
1034 | ||
1035 | // Authenticate response - nonce | |
f7e3ed82 | 1036 | uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720); |
15c4dc5a | 1037 | int resp5Len; |
1038 | ||
f7e3ed82 | 1039 | uint8_t *receivedCmd = (uint8_t *)BigBuf; |
15c4dc5a | 1040 | int len; |
1041 | ||
1042 | int i; | |
1043 | int u; | |
f7e3ed82 | 1044 | uint8_t b; |
15c4dc5a | 1045 | |
1046 | // To control where we are in the protocol | |
1047 | int order = 0; | |
1048 | int lastorder; | |
1049 | ||
1050 | // Just to allow some checks | |
1051 | int happened = 0; | |
1052 | int happened2 = 0; | |
1053 | ||
1054 | int cmdsRecvd = 0; | |
1055 | ||
f7e3ed82 | 1056 | int fdt_indicator; |
15c4dc5a | 1057 | |
1058 | memset(receivedCmd, 0x44, 400); | |
1059 | ||
1060 | // Prepare the responses of the anticollision phase | |
1061 | // there will be not enough time to do this at the moment the reader sends it REQA | |
1062 | ||
1063 | // Answer to request | |
1064 | CodeIso14443aAsTag(response1, sizeof(response1)); | |
1065 | memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax; | |
1066 | ||
1067 | // Send our UID (cascade 1) | |
1068 | CodeIso14443aAsTag(response2, sizeof(response2)); | |
1069 | memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax; | |
1070 | ||
1071 | // Answer to select (cascade1) | |
1072 | CodeIso14443aAsTag(response3, sizeof(response3)); | |
1073 | memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax; | |
1074 | ||
1075 | // Send the cascade 2 2nd part of the uid | |
1076 | CodeIso14443aAsTag(response2a, sizeof(response2a)); | |
1077 | memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax; | |
1078 | ||
1079 | // Answer to select (cascade 2) | |
1080 | CodeIso14443aAsTag(response3a, sizeof(response3a)); | |
1081 | memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax; | |
1082 | ||
1083 | // Strange answer is an example of rare message size (3 bits) | |
1084 | CodeStrangeAnswer(); | |
1085 | memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax; | |
1086 | ||
1087 | // Authentication answer (random nonce) | |
1088 | CodeIso14443aAsTag(response5, sizeof(response5)); | |
1089 | memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax; | |
1090 | ||
1091 | // We need to listen to the high-frequency, peak-detected path. | |
1092 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
1093 | FpgaSetupSsc(); | |
1094 | ||
1095 | cmdsRecvd = 0; | |
1096 | ||
1097 | LED_A_ON(); | |
1098 | for(;;) { | |
1099 | ||
1100 | if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) { | |
1101 | DbpString("button press"); | |
1102 | break; | |
1103 | } | |
1104 | // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated | |
1105 | // Okay, look at the command now. | |
1106 | lastorder = order; | |
1107 | i = 1; // first byte transmitted | |
1108 | if(receivedCmd[0] == 0x26) { | |
1109 | // Received a REQUEST | |
1110 | resp = resp1; respLen = resp1Len; order = 1; | |
1111 | //DbpString("Hello request from reader:"); | |
1112 | } else if(receivedCmd[0] == 0x52) { | |
1113 | // Received a WAKEUP | |
1114 | resp = resp1; respLen = resp1Len; order = 6; | |
1115 | // //DbpString("Wakeup request from reader:"); | |
1116 | ||
1117 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision | |
1118 | // Received request for UID (cascade 1) | |
1119 | resp = resp2; respLen = resp2Len; order = 2; | |
1120 | // DbpString("UID (cascade 1) request from reader:"); | |
1121 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1122 | ||
1123 | ||
1124 | } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision | |
1125 | // Received request for UID (cascade 2) | |
1126 | resp = resp2a; respLen = resp2aLen; order = 20; | |
1127 | // DbpString("UID (cascade 2) request from reader:"); | |
1128 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1129 | ||
1130 | ||
1131 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select | |
1132 | // Received a SELECT | |
1133 | resp = resp3; respLen = resp3Len; order = 3; | |
1134 | // DbpString("Select (cascade 1) request from reader:"); | |
1135 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1136 | ||
1137 | ||
1138 | } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select | |
1139 | // Received a SELECT | |
1140 | resp = resp3a; respLen = resp3aLen; order = 30; | |
1141 | // DbpString("Select (cascade 2) request from reader:"); | |
1142 | // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1143 | ||
1144 | ||
1145 | } else if(receivedCmd[0] == 0x30) { | |
1146 | // Received a READ | |
1147 | resp = resp4; respLen = resp4Len; order = 4; // Do nothing | |
1148 | Dbprintf("Read request from reader: %x %x %x", | |
1149 | receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1150 | ||
1151 | ||
1152 | } else if(receivedCmd[0] == 0x50) { | |
1153 | // Received a HALT | |
1154 | resp = resp1; respLen = 0; order = 5; // Do nothing | |
1155 | DbpString("Reader requested we HALT!:"); | |
1156 | ||
1157 | } else if(receivedCmd[0] == 0x60) { | |
1158 | // Received an authentication request | |
1159 | resp = resp5; respLen = resp5Len; order = 7; | |
1160 | Dbprintf("Authenticate request from reader: %x %x %x", | |
1161 | receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1162 | ||
1163 | } else if(receivedCmd[0] == 0xE0) { | |
1164 | // Received a RATS request | |
1165 | resp = resp1; respLen = 0;order = 70; | |
1166 | Dbprintf("RATS request from reader: %x %x %x", | |
1167 | receivedCmd[0], receivedCmd[1], receivedCmd[2]); | |
1168 | } else { | |
1169 | // Never seen this command before | |
1170 | Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x", | |
1171 | receivedCmd[0], receivedCmd[1], receivedCmd[2], | |
1172 | receivedCmd[3], receivedCmd[3], receivedCmd[4], | |
1173 | receivedCmd[5], receivedCmd[6], receivedCmd[7]); | |
1174 | // Do not respond | |
1175 | resp = resp1; respLen = 0; order = 0; | |
1176 | } | |
1177 | ||
1178 | // Count number of wakeups received after a halt | |
1179 | if(order == 6 && lastorder == 5) { happened++; } | |
1180 | ||
1181 | // Count number of other messages after a halt | |
1182 | if(order != 6 && lastorder == 5) { happened2++; } | |
1183 | ||
1184 | // Look at last parity bit to determine timing of answer | |
1185 | if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) { | |
1186 | // 1236, so correction bit needed | |
1187 | i = 0; | |
1188 | } | |
1189 | ||
1190 | memset(receivedCmd, 0x44, 32); | |
1191 | ||
1192 | if(cmdsRecvd > 999) { | |
1193 | DbpString("1000 commands later..."); | |
1194 | break; | |
1195 | } | |
1196 | else { | |
1197 | cmdsRecvd++; | |
1198 | } | |
1199 | ||
1200 | if(respLen <= 0) continue; | |
1201 | ||
1202 | // Modulate Manchester | |
1203 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD); | |
1204 | AT91C_BASE_SSC->SSC_THR = 0x00; | |
1205 | FpgaSetupSsc(); | |
1206 | ||
1207 | // ### Transmit the response ### | |
1208 | u = 0; | |
1209 | b = 0x00; | |
1210 | fdt_indicator = FALSE; | |
1211 | for(;;) { | |
1212 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1213 | volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1214 | (void)b; |
1215 | } | |
1216 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1217 | if(i > respLen) { | |
1218 | b = 0x00; | |
1219 | u++; | |
1220 | } else { | |
1221 | b = resp[i]; | |
1222 | i++; | |
1223 | } | |
1224 | AT91C_BASE_SSC->SSC_THR = b; | |
1225 | ||
1226 | if(u > 4) { | |
1227 | break; | |
1228 | } | |
1229 | } | |
1230 | if(BUTTON_PRESS()) { | |
1231 | break; | |
1232 | } | |
1233 | } | |
1234 | ||
1235 | } | |
1236 | ||
1237 | Dbprintf("%x %x %x", happened, happened2, cmdsRecvd); | |
1238 | LED_A_OFF(); | |
1239 | } | |
1240 | ||
1241 | //----------------------------------------------------------------------------- | |
1242 | // Transmit the command (to the tag) that was placed in ToSend[]. | |
1243 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1244 | static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait) |
15c4dc5a | 1245 | { |
1246 | int c; | |
e30c654b | 1247 | |
15c4dc5a | 1248 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); |
e30c654b | 1249 | |
15c4dc5a | 1250 | if (wait) |
1251 | if(*wait < 10) | |
1252 | *wait = 10; | |
e30c654b | 1253 | |
15c4dc5a | 1254 | for(c = 0; c < *wait;) { |
1255 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1256 | AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing! | |
1257 | c++; | |
1258 | } | |
1259 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1260 | volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1261 | (void)r; |
1262 | } | |
1263 | WDT_HIT(); | |
1264 | } | |
e30c654b | 1265 | |
15c4dc5a | 1266 | c = 0; |
1267 | for(;;) { | |
1268 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1269 | AT91C_BASE_SSC->SSC_THR = cmd[c]; | |
1270 | c++; | |
1271 | if(c >= len) { | |
1272 | break; | |
1273 | } | |
1274 | } | |
1275 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
f7e3ed82 | 1276 | volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1277 | (void)r; |
1278 | } | |
1279 | WDT_HIT(); | |
1280 | } | |
1281 | if (samples) *samples = (c + *wait) << 3; | |
1282 | } | |
1283 | ||
1284 | //----------------------------------------------------------------------------- | |
1285 | // To generate an arbitrary stream from reader | |
1286 | // | |
1287 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1288 | void ArbitraryFromReader(const uint8_t *cmd, int parity, int len) |
15c4dc5a | 1289 | { |
1290 | int i; | |
1291 | int j; | |
1292 | int last; | |
f7e3ed82 | 1293 | uint8_t b; |
15c4dc5a | 1294 | |
1295 | ToSendReset(); | |
1296 | ||
1297 | // Start of Communication (Seq. Z) | |
1298 | Sequence(SEC_Z); | |
1299 | last = 0; | |
1300 | ||
1301 | for(i = 0; i < len; i++) { | |
1302 | // Data bits | |
1303 | b = cmd[i]; | |
1304 | for(j = 0; j < 8; j++) { | |
1305 | if(b & 1) { | |
1306 | // Sequence X | |
1307 | Sequence(SEC_X); | |
1308 | last = 1; | |
1309 | } else { | |
1310 | if(last == 0) { | |
1311 | // Sequence Z | |
1312 | Sequence(SEC_Z); | |
1313 | } | |
1314 | else { | |
1315 | // Sequence Y | |
1316 | Sequence(SEC_Y); | |
1317 | last = 0; | |
1318 | } | |
1319 | } | |
1320 | b >>= 1; | |
1321 | ||
1322 | } | |
1323 | ||
1324 | // Predefined parity bit, the flipper flips when needed, because of flips in byte sent | |
1325 | if(((parity >> (len - i - 1)) & 1)) { | |
1326 | // Sequence X | |
1327 | Sequence(SEC_X); | |
1328 | last = 1; | |
1329 | } else { | |
1330 | if(last == 0) { | |
1331 | // Sequence Z | |
1332 | Sequence(SEC_Z); | |
1333 | } | |
1334 | else { | |
1335 | // Sequence Y | |
1336 | Sequence(SEC_Y); | |
1337 | last = 0; | |
1338 | } | |
1339 | } | |
1340 | } | |
1341 | ||
1342 | // End of Communication | |
1343 | if(last == 0) { | |
1344 | // Sequence Z | |
1345 | Sequence(SEC_Z); | |
1346 | } | |
1347 | else { | |
1348 | // Sequence Y | |
1349 | Sequence(SEC_Y); | |
1350 | last = 0; | |
1351 | } | |
1352 | // Sequence Y | |
1353 | Sequence(SEC_Y); | |
1354 | ||
1355 | // Just to be sure! | |
1356 | Sequence(SEC_Y); | |
1357 | Sequence(SEC_Y); | |
1358 | Sequence(SEC_Y); | |
1359 | ||
1360 | // Convert from last character reference to length | |
1361 | ToSendMax++; | |
1362 | } | |
1363 | ||
1364 | //----------------------------------------------------------------------------- | |
1365 | // Code a 7-bit command without parity bit | |
1366 | // This is especially for 0x26 and 0x52 (REQA and WUPA) | |
1367 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1368 | void ShortFrameFromReader(const uint8_t bt) |
15c4dc5a | 1369 | { |
1370 | int j; | |
1371 | int last; | |
f7e3ed82 | 1372 | uint8_t b; |
15c4dc5a | 1373 | |
1374 | ToSendReset(); | |
1375 | ||
1376 | // Start of Communication (Seq. Z) | |
1377 | Sequence(SEC_Z); | |
1378 | last = 0; | |
1379 | ||
1380 | b = bt; | |
1381 | for(j = 0; j < 7; j++) { | |
1382 | if(b & 1) { | |
1383 | // Sequence X | |
1384 | Sequence(SEC_X); | |
1385 | last = 1; | |
1386 | } else { | |
1387 | if(last == 0) { | |
1388 | // Sequence Z | |
1389 | Sequence(SEC_Z); | |
1390 | } | |
1391 | else { | |
1392 | // Sequence Y | |
1393 | Sequence(SEC_Y); | |
1394 | last = 0; | |
1395 | } | |
1396 | } | |
1397 | b >>= 1; | |
1398 | } | |
1399 | ||
1400 | // End of Communication | |
1401 | if(last == 0) { | |
1402 | // Sequence Z | |
1403 | Sequence(SEC_Z); | |
1404 | } | |
1405 | else { | |
1406 | // Sequence Y | |
1407 | Sequence(SEC_Y); | |
1408 | last = 0; | |
1409 | } | |
1410 | // Sequence Y | |
1411 | Sequence(SEC_Y); | |
1412 | ||
1413 | // Just to be sure! | |
1414 | Sequence(SEC_Y); | |
1415 | Sequence(SEC_Y); | |
1416 | Sequence(SEC_Y); | |
1417 | ||
1418 | // Convert from last character reference to length | |
1419 | ToSendMax++; | |
1420 | } | |
1421 | ||
1422 | //----------------------------------------------------------------------------- | |
1423 | // Prepare reader command to send to FPGA | |
e30c654b | 1424 | // |
15c4dc5a | 1425 | //----------------------------------------------------------------------------- |
f7e3ed82 | 1426 | void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity) |
15c4dc5a | 1427 | { |
1428 | int i, j; | |
1429 | int last; | |
f7e3ed82 | 1430 | uint8_t b; |
e30c654b | 1431 | |
15c4dc5a | 1432 | ToSendReset(); |
e30c654b | 1433 | |
15c4dc5a | 1434 | // Start of Communication (Seq. Z) |
1435 | Sequence(SEC_Z); | |
1436 | last = 0; | |
e30c654b | 1437 | |
15c4dc5a | 1438 | // Generate send structure for the data bits |
1439 | for (i = 0; i < len; i++) { | |
1440 | // Get the current byte to send | |
1441 | b = cmd[i]; | |
e30c654b | 1442 | |
15c4dc5a | 1443 | for (j = 0; j < 8; j++) { |
1444 | if (b & 1) { | |
1445 | // Sequence X | |
1446 | Sequence(SEC_X); | |
1447 | last = 1; | |
1448 | } else { | |
1449 | if (last == 0) { | |
1450 | // Sequence Z | |
1451 | Sequence(SEC_Z); | |
1452 | } else { | |
1453 | // Sequence Y | |
1454 | Sequence(SEC_Y); | |
1455 | last = 0; | |
1456 | } | |
1457 | } | |
1458 | b >>= 1; | |
1459 | } | |
e30c654b | 1460 | |
15c4dc5a | 1461 | // Get the parity bit |
1462 | if ((dwParity >> i) & 0x01) { | |
1463 | // Sequence X | |
1464 | Sequence(SEC_X); | |
1465 | last = 1; | |
1466 | } else { | |
1467 | if (last == 0) { | |
1468 | // Sequence Z | |
1469 | Sequence(SEC_Z); | |
1470 | } else { | |
1471 | // Sequence Y | |
1472 | Sequence(SEC_Y); | |
1473 | last = 0; | |
1474 | } | |
1475 | } | |
1476 | } | |
e30c654b | 1477 | |
15c4dc5a | 1478 | // End of Communication |
1479 | if (last == 0) { | |
1480 | // Sequence Z | |
1481 | Sequence(SEC_Z); | |
1482 | } else { | |
1483 | // Sequence Y | |
1484 | Sequence(SEC_Y); | |
1485 | last = 0; | |
1486 | } | |
1487 | // Sequence Y | |
1488 | Sequence(SEC_Y); | |
e30c654b | 1489 | |
15c4dc5a | 1490 | // Just to be sure! |
1491 | Sequence(SEC_Y); | |
1492 | Sequence(SEC_Y); | |
1493 | Sequence(SEC_Y); | |
e30c654b | 1494 | |
15c4dc5a | 1495 | // Convert from last character reference to length |
1496 | ToSendMax++; | |
1497 | } | |
1498 | ||
1499 | //----------------------------------------------------------------------------- | |
1500 | // Wait a certain time for tag response | |
1501 | // If a response is captured return TRUE | |
1502 | // If it takes to long return FALSE | |
1503 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1504 | static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer |
15c4dc5a | 1505 | { |
1506 | // buffer needs to be 512 bytes | |
1507 | int c; | |
1508 | ||
1509 | // Set FPGA mode to "reader listen mode", no modulation (listen | |
1510 | // only, since we are receiving, not transmitting). | |
1511 | // Signal field is on with the appropriate LED | |
1512 | LED_D_ON(); | |
1513 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN); | |
1514 | ||
1515 | // Now get the answer from the card | |
1516 | Demod.output = receivedResponse; | |
1517 | Demod.len = 0; | |
1518 | Demod.state = DEMOD_UNSYNCD; | |
1519 | ||
f7e3ed82 | 1520 | uint8_t b; |
15c4dc5a | 1521 | if (elapsed) *elapsed = 0; |
1522 | ||
1523 | c = 0; | |
1524 | for(;;) { | |
1525 | WDT_HIT(); | |
1526 | ||
1527 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { | |
1528 | AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!! | |
1529 | if (elapsed) (*elapsed)++; | |
1530 | } | |
1531 | if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) { | |
1532 | if(c < 512) { c++; } else { return FALSE; } | |
f7e3ed82 | 1533 | b = (uint8_t)AT91C_BASE_SSC->SSC_RHR; |
15c4dc5a | 1534 | if(ManchesterDecoding((b & 0xf0) >> 4)) { |
1535 | *samples = ((c - 1) << 3) + 4; | |
1536 | return TRUE; | |
1537 | } | |
1538 | if(ManchesterDecoding(b & 0x0f)) { | |
1539 | *samples = c << 3; | |
1540 | return TRUE; | |
1541 | } | |
1542 | } | |
1543 | } | |
1544 | } | |
1545 | ||
f7e3ed82 | 1546 | void ReaderTransmitShort(const uint8_t* bt) |
15c4dc5a | 1547 | { |
1548 | int wait = 0; | |
1549 | int samples = 0; | |
1550 | ||
1551 | ShortFrameFromReader(*bt); | |
e30c654b | 1552 | |
15c4dc5a | 1553 | // Select the card |
e30c654b | 1554 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); |
1555 | ||
15c4dc5a | 1556 | // Store reader command in buffer |
1557 | if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE); | |
1558 | } | |
1559 | ||
f7e3ed82 | 1560 | void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par) |
15c4dc5a | 1561 | { |
1562 | int wait = 0; | |
1563 | int samples = 0; | |
e30c654b | 1564 | |
15c4dc5a | 1565 | // This is tied to other size changes |
f7e3ed82 | 1566 | // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024; |
15c4dc5a | 1567 | CodeIso14443aAsReaderPar(frame,len,par); |
e30c654b | 1568 | |
15c4dc5a | 1569 | // Select the card |
e30c654b | 1570 | TransmitFor14443a(ToSend, ToSendMax, &samples, &wait); |
1571 | ||
15c4dc5a | 1572 | // Store reader command in buffer |
1573 | if (tracing) LogTrace(frame,len,0,par,TRUE); | |
1574 | } | |
1575 | ||
1576 | ||
f7e3ed82 | 1577 | void ReaderTransmit(uint8_t* frame, int len) |
15c4dc5a | 1578 | { |
1579 | // Generate parity and redirect | |
1580 | ReaderTransmitPar(frame,len,GetParity(frame,len)); | |
1581 | } | |
1582 | ||
f7e3ed82 | 1583 | int ReaderReceive(uint8_t* receivedAnswer) |
15c4dc5a | 1584 | { |
1585 | int samples = 0; | |
1586 | if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE; | |
1587 | if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE); | |
1588 | return TRUE; | |
1589 | } | |
1590 | ||
1591 | //----------------------------------------------------------------------------- | |
1592 | // Read an ISO 14443a tag. Send out commands and store answers. | |
1593 | // | |
1594 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1595 | void ReaderIso14443a(uint32_t parameter) |
15c4dc5a | 1596 | { |
1597 | // Anticollision | |
f7e3ed82 | 1598 | uint8_t wupa[] = { 0x52 }; |
1599 | uint8_t sel_all[] = { 0x93,0x20 }; | |
1600 | uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
1601 | uint8_t sel_all_c2[] = { 0x95,0x20 }; | |
1602 | uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
15c4dc5a | 1603 | |
1604 | // Mifare AUTH | |
f7e3ed82 | 1605 | uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; |
1606 | // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 }; | |
e30c654b | 1607 | |
f7e3ed82 | 1608 | uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes |
15c4dc5a | 1609 | traceLen = 0; |
1610 | ||
1611 | // Setup SSC | |
1612 | FpgaSetupSsc(); | |
1613 | ||
1614 | // Start from off (no field generated) | |
1615 | // Signal field is off with the appropriate LED | |
1616 | LED_D_OFF(); | |
1617 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1618 | SpinDelay(200); | |
1619 | ||
1620 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); | |
1621 | FpgaSetupSsc(); | |
1622 | ||
1623 | // Now give it time to spin up. | |
1624 | // Signal field is on with the appropriate LED | |
1625 | LED_D_ON(); | |
1626 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
1627 | SpinDelay(200); | |
1628 | ||
1629 | LED_A_ON(); | |
1630 | LED_B_OFF(); | |
1631 | LED_C_OFF(); | |
1632 | ||
1633 | while(traceLen < TRACE_LENGTH) | |
1634 | { | |
1635 | // Broadcast for a card, WUPA (0x52) will force response from all cards in the field | |
1636 | ReaderTransmitShort(wupa); | |
e30c654b | 1637 | |
15c4dc5a | 1638 | // Test if the action was cancelled |
1639 | if(BUTTON_PRESS()) { | |
1640 | break; | |
1641 | } | |
e30c654b | 1642 | |
15c4dc5a | 1643 | // Receive the ATQA |
1644 | if (!ReaderReceive(receivedAnswer)) continue; | |
1645 | ||
1646 | // Transmit SELECT_ALL | |
1647 | ReaderTransmit(sel_all,sizeof(sel_all)); | |
1648 | ||
1649 | // Receive the UID | |
1650 | if (!ReaderReceive(receivedAnswer)) continue; | |
e30c654b | 1651 | |
15c4dc5a | 1652 | // Construct SELECT UID command |
1653 | // First copy the 5 bytes (Mifare Classic) after the 93 70 | |
1654 | memcpy(sel_uid+2,receivedAnswer,5); | |
1655 | // Secondly compute the two CRC bytes at the end | |
1656 | AppendCrc14443a(sel_uid,7); | |
1657 | ||
1658 | // Transmit SELECT_UID | |
1659 | ReaderTransmit(sel_uid,sizeof(sel_uid)); | |
e30c654b | 1660 | |
15c4dc5a | 1661 | // Receive the SAK |
1662 | if (!ReaderReceive(receivedAnswer)) continue; | |
1663 | ||
1664 | // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in | |
1665 | // which case we need to make a cascade 2 request and select - this is a long UID | |
e30c654b | 1666 | // When the UID is not complete, the 3nd bit (from the right) is set in the SAK. |
15c4dc5a | 1667 | if (receivedAnswer[0] &= 0x04) |
1668 | { | |
1669 | // Transmit SELECT_ALL | |
1670 | ReaderTransmit(sel_all_c2,sizeof(sel_all_c2)); | |
e30c654b | 1671 | |
15c4dc5a | 1672 | // Receive the UID |
1673 | if (!ReaderReceive(receivedAnswer)) continue; | |
e30c654b | 1674 | |
15c4dc5a | 1675 | // Construct SELECT UID command |
1676 | memcpy(sel_uid_c2+2,receivedAnswer,5); | |
1677 | // Secondly compute the two CRC bytes at the end | |
1678 | AppendCrc14443a(sel_uid_c2,7); | |
e30c654b | 1679 | |
15c4dc5a | 1680 | // Transmit SELECT_UID |
1681 | ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2)); | |
e30c654b | 1682 | |
15c4dc5a | 1683 | // Receive the SAK |
1684 | if (!ReaderReceive(receivedAnswer)) continue; | |
1685 | } | |
1686 | ||
1687 | // Transmit MIFARE_CLASSIC_AUTH | |
1688 | ReaderTransmit(mf_auth,sizeof(mf_auth)); | |
1689 | ||
1690 | // Receive the (16 bit) "random" nonce | |
1691 | if (!ReaderReceive(receivedAnswer)) continue; | |
1692 | } | |
1693 | ||
1694 | // Thats it... | |
1695 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1696 | LEDsoff(); | |
1697 | Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC); | |
1698 | DbpString("ready.."); | |
1699 | } | |
1700 | ||
1701 | //----------------------------------------------------------------------------- | |
1702 | // Read an ISO 14443a tag. Send out commands and store answers. | |
1703 | // | |
1704 | //----------------------------------------------------------------------------- | |
f7e3ed82 | 1705 | void ReaderMifare(uint32_t parameter) |
15c4dc5a | 1706 | { |
e30c654b | 1707 | |
15c4dc5a | 1708 | // Anticollision |
f7e3ed82 | 1709 | uint8_t wupa[] = { 0x52 }; |
1710 | uint8_t sel_all[] = { 0x93,0x20 }; | |
1711 | uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
e30c654b | 1712 | |
15c4dc5a | 1713 | // Mifare AUTH |
f7e3ed82 | 1714 | uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b }; |
1715 | uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
e30c654b | 1716 | |
f7e3ed82 | 1717 | uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes |
15c4dc5a | 1718 | traceLen = 0; |
1719 | tracing = false; | |
e30c654b | 1720 | |
15c4dc5a | 1721 | // Setup SSC |
1722 | FpgaSetupSsc(); | |
e30c654b | 1723 | |
15c4dc5a | 1724 | // Start from off (no field generated) |
1725 | // Signal field is off with the appropriate LED | |
1726 | LED_D_OFF(); | |
1727 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1728 | SpinDelay(200); | |
e30c654b | 1729 | |
15c4dc5a | 1730 | SetAdcMuxFor(GPIO_MUXSEL_HIPKD); |
1731 | FpgaSetupSsc(); | |
e30c654b | 1732 | |
15c4dc5a | 1733 | // Now give it time to spin up. |
1734 | // Signal field is on with the appropriate LED | |
1735 | LED_D_ON(); | |
1736 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
1737 | SpinDelay(200); | |
e30c654b | 1738 | |
15c4dc5a | 1739 | LED_A_ON(); |
1740 | LED_B_OFF(); | |
1741 | LED_C_OFF(); | |
e30c654b | 1742 | |
15c4dc5a | 1743 | // Broadcast for a card, WUPA (0x52) will force response from all cards in the field |
1744 | ReaderTransmitShort(wupa); | |
1745 | // Receive the ATQA | |
1746 | ReaderReceive(receivedAnswer); | |
1747 | // Transmit SELECT_ALL | |
1748 | ReaderTransmit(sel_all,sizeof(sel_all)); | |
1749 | // Receive the UID | |
1750 | ReaderReceive(receivedAnswer); | |
1751 | // Construct SELECT UID command | |
1752 | // First copy the 5 bytes (Mifare Classic) after the 93 70 | |
1753 | memcpy(sel_uid+2,receivedAnswer,5); | |
1754 | // Secondly compute the two CRC bytes at the end | |
1755 | AppendCrc14443a(sel_uid,7); | |
e30c654b | 1756 | |
15c4dc5a | 1757 | byte_t nt_diff = 0; |
1758 | LED_A_OFF(); | |
1759 | byte_t par = 0; | |
1760 | byte_t par_mask = 0xff; | |
1761 | byte_t par_low = 0; | |
f7e3ed82 | 1762 | int led_on = TRUE; |
e30c654b | 1763 | |
15c4dc5a | 1764 | tracing = FALSE; |
1765 | byte_t nt[4]; | |
1766 | byte_t nt_attacked[4]; | |
1767 | byte_t par_list[8]; | |
1768 | byte_t ks_list[8]; | |
1769 | num_to_bytes(parameter,4,nt_attacked); | |
1770 | ||
1771 | while(TRUE) | |
1772 | { | |
1773 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1774 | SpinDelay(200); | |
1775 | FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD); | |
e30c654b | 1776 | |
15c4dc5a | 1777 | // Broadcast for a card, WUPA (0x52) will force response from all cards in the field |
1778 | ReaderTransmitShort(wupa); | |
e30c654b | 1779 | |
15c4dc5a | 1780 | // Test if the action was cancelled |
1781 | if(BUTTON_PRESS()) { | |
1782 | break; | |
1783 | } | |
e30c654b | 1784 | |
15c4dc5a | 1785 | // Receive the ATQA |
1786 | if (!ReaderReceive(receivedAnswer)) continue; | |
e30c654b | 1787 | |
15c4dc5a | 1788 | // Transmit SELECT_ALL |
1789 | ReaderTransmit(sel_all,sizeof(sel_all)); | |
e30c654b | 1790 | |
15c4dc5a | 1791 | // Receive the UID |
1792 | if (!ReaderReceive(receivedAnswer)) continue; | |
e30c654b | 1793 | |
15c4dc5a | 1794 | // Transmit SELECT_UID |
1795 | ReaderTransmit(sel_uid,sizeof(sel_uid)); | |
e30c654b | 1796 | |
15c4dc5a | 1797 | // Receive the SAK |
1798 | if (!ReaderReceive(receivedAnswer)) continue; | |
e30c654b | 1799 | |
15c4dc5a | 1800 | // Transmit MIFARE_CLASSIC_AUTH |
1801 | ReaderTransmit(mf_auth,sizeof(mf_auth)); | |
e30c654b | 1802 | |
15c4dc5a | 1803 | // Receive the (16 bit) "random" nonce |
1804 | if (!ReaderReceive(receivedAnswer)) continue; | |
1805 | memcpy(nt,receivedAnswer,4); | |
1806 | ||
1807 | // Transmit reader nonce and reader answer | |
1808 | ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par); | |
e30c654b | 1809 | |
15c4dc5a | 1810 | // Receive 4 bit answer |
1811 | if (ReaderReceive(receivedAnswer)) | |
1812 | { | |
e30c654b | 1813 | if (nt_diff == 0) |
15c4dc5a | 1814 | { |
1815 | LED_A_ON(); | |
1816 | memcpy(nt_attacked,nt,4); | |
1817 | par_mask = 0xf8; | |
1818 | par_low = par & 0x07; | |
1819 | } | |
1820 | ||
1821 | if (memcmp(nt,nt_attacked,4) != 0) continue; | |
1822 | ||
1823 | led_on = !led_on; | |
1824 | if(led_on) LED_B_ON(); else LED_B_OFF(); | |
1825 | par_list[nt_diff] = par; | |
1826 | ks_list[nt_diff] = receivedAnswer[0]^0x05; | |
e30c654b | 1827 | |
15c4dc5a | 1828 | // Test if the information is complete |
1829 | if (nt_diff == 0x07) break; | |
e30c654b | 1830 | |
15c4dc5a | 1831 | nt_diff = (nt_diff+1) & 0x07; |
1832 | mf_nr_ar[3] = nt_diff << 5; | |
1833 | par = par_low; | |
1834 | } else { | |
1835 | if (nt_diff == 0) | |
1836 | { | |
1837 | par++; | |
1838 | } else { | |
1839 | par = (((par>>3)+1) << 3) | par_low; | |
1840 | } | |
1841 | } | |
1842 | } | |
e30c654b | 1843 | |
15c4dc5a | 1844 | LogTraceInfo(sel_uid+2,4); |
1845 | LogTraceInfo(nt,4); | |
1846 | LogTraceInfo(par_list,8); | |
1847 | LogTraceInfo(ks_list,8); | |
e30c654b | 1848 | |
15c4dc5a | 1849 | // Thats it... |
1850 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
1851 | LEDsoff(); | |
1852 | tracing = TRUE; | |
1853 | } |