]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
projects / proxmark3-svn / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
add l/h option to hw tune and optimize order of tuning
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
12
902cb3c0 13#include "usb_cdc.h"
14#include "cmd.h"
15
e30c654b 16#include "proxmark3.h"
15c4dc5a 17#include "apps.h"
f7e3ed82 18#include "util.h"
9ab7a6c7 19#include "printf.h"
20#include "string.h"
31d1caa5 21
9ab7a6c7 22#include <stdarg.h>
f7e3ed82 23
15c4dc5a 24#include "legicrf.h"
d19929cb 25#include <hitag2.h>
4e12287d 26#include <hitagS.h>
31abe49f 27#include "lfsampling.h"
3000dc4e 28#include "BigBuf.h"
c89274cc 29#include "mifareutil.h"
d10e08ae 30#include "pcf7931.h"
15c4dc5a 31#ifdef WITH_LCD
902cb3c0 32 #include "LCD.h"
15c4dc5a 33#endif
34
e46fe044
CY		 35// Craig Young - 14a stand-alone code
36#ifdef WITH_ISO14443a_StandAlone
37 #include "iso14443a.h"
38#endif
39
15c4dc5a 40#define abs(x) ( ((x)<0) ? -(x) : (x) )
41
42//=============================================================================
43// A buffer where we can queue things up to be sent through the FPGA, for
44// any purpose (fake tag, as reader, whatever). We go MSB first, since that
45// is the order in which they go out on the wire.
46//=============================================================================
47
6a1f2d82 48#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
49uint8_t ToSend[TOSEND_BUFFER_SIZE];
15c4dc5a 50int ToSendMax;
51static int ToSendBit;
52struct common_area common_area __attribute__((section(".commonarea")));
53
15c4dc5a 54void ToSendReset(void)
55{
56 ToSendMax = -1;
57 ToSendBit = 8;
58}
59
60void ToSendStuffBit(int b)
61{
62 if(ToSendBit >= 8) {
63 ToSendMax++;
64 ToSend[ToSendMax] = 0;
65 ToSendBit = 0;
66 }
67
68 if(b) {
69 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
70 }
71
72 ToSendBit++;
73
6a1f2d82 74 if(ToSendMax >= sizeof(ToSend)) {
15c4dc5a 75 ToSendBit = 0;
76 DbpString("ToSendStuffBit overflowed!");
77 }
78}
79
80//=============================================================================
81// Debug print functions, to go out over USB, to the usual PC-side client.
82//=============================================================================
83
84void DbpString(char *str)
85{
9440213d 86 byte_t len = strlen(str);
87 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
15c4dc5a 88}
89
90#if 0
91void DbpIntegers(int x1, int x2, int x3)
92{
902cb3c0 93 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
15c4dc5a 94}
95#endif
96
97void Dbprintf(const char *fmt, ...) {
98// should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128];
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
e30c654b 105
15c4dc5a 106 DbpString(output_string);
107}
108
9455b51c 109// prints HEX & ASCII
d19929cb 110void Dbhexdump(int len, uint8_t *d, bool bAsci) {
9455b51c 111 int l=0,i;
112 char ascii[9];
d19929cb 113
9455b51c 114 while (len>0) {
115 if (len>8) l=8;
116 else l=len;
117
118 memcpy(ascii,d,l);
d19929cb 119 ascii[l]=0;
9455b51c 120
121 // filter safe ascii
d19929cb 122 for (i=0;i<l;i++)
9455b51c 123 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
d19929cb 124
125 if (bAsci) {
126 Dbprintf("%-8s %*D",ascii,l,d," ");
127 } else {
128 Dbprintf("%*D",l,d," ");
129 }
130
9455b51c 131 len-=8;
132 d+=8;
133 }
134}
135
15c4dc5a 136//-----------------------------------------------------------------------------
137// Read an ADC channel and block till it completes, then return the result
138// in ADC units (0 to 1023). Also a routine to average 32 samples and
139// return that.
140//-----------------------------------------------------------------------------
141static int ReadAdc(int ch)
142{
f7e3ed82 143 uint32_t d;
15c4dc5a 144
145 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
146 AT91C_BASE_ADC->ADC_MR =
3b692427 147 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
148 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
149 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
150
151 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
152 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
153 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
154 //
155 // The maths are:
156 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
157 //
158 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
159 //
160 // Note: with the "historic" values in the comments above, the error was 34% !!!
161
15c4dc5a 162 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
163
164 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
3b692427 165
15c4dc5a 166 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch)))
167 ;
168 d = AT91C_BASE_ADC->ADC_CDR[ch];
169
170 return d;
171}
172
9ca155ba 173int AvgAdc(int ch) // was static - merlok
15c4dc5a 174{
175 int i;
176 int a = 0;
177
178 for(i = 0; i < 32; i++) {
179 a += ReadAdc(ch);
180 }
181
182 return (a + 15) >> 5;
183}
184
fdcfbdcc 185void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
15c4dc5a 186{
fdcfbdcc 187 int i, adcval = 0, peak = 0;
15c4dc5a 188
189/*
190 * Sweeps the useful LF range of the proxmark from
191 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
192 * read the voltage in the antenna, the result left
193 * in the buffer is a graph which should clearly show
194 * the resonating frequency of your LF antenna
195 * ( hopefully around 95 if it is tuned to 125kHz!)
196 */
fdcfbdcc
RAB		 197
198 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
b014c96d 199 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
2bdd68c3 200 for (i=255; i>=19; i--) {
fdcfbdcc 201 WDT_HIT();
15c4dc5a 202 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
203 SpinDelay(20);
3b692427 204 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
fdcfbdcc
RAB		 205 if (i==95) *vLf125 = adcval; // voltage at 125Khz
206 if (i==89) *vLf134 = adcval; // voltage at 134Khz
15c4dc5a 207
2bdd68c3 208 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
209 if(LF_Results[i] > peak) {
fdcfbdcc 210 *peakv = adcval;
2bdd68c3 211 peak = LF_Results[i];
fdcfbdcc 212 *peakf = i;
9f693930 213 //ptr = i;
15c4dc5a 214 }
215 }
216
2bdd68c3 217 for (i=18; i >= 0; i--) LF_Results[i] = 0;
fdcfbdcc
RAB		 218
219 return;
220}
221
222void MeasureAntennaTuningHfOnly(int *vHf)
223{
15c4dc5a 224 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
fdcfbdcc
RAB		 225 LED_A_ON();
226 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 227 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
228 SpinDelay(20);
fdcfbdcc
RAB		 229 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
230 LED_A_OFF();
231
232 return;
233}
234
235void MeasureAntennaTuning(int mode)
236{
237 uint8_t LF_Results[256] = {0};
238 int peakv = 0, peakf = 0;
239 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
240
241 LED_B_ON();
242
243 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
244 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
245 MeasureAntennaTuningHfOnly(&vHf);
246 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
247 } else {
248 if (mode & FLAG_TUNE_LF) {
249 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
250 }
251 if (mode & FLAG_TUNE_HF) {
252 MeasureAntennaTuningHfOnly(&vHf);
253 }
254 }
15c4dc5a 255
3b692427 256 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
d19929cb 257 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2bdd68c3 258 LED_B_OFF();
259 return;
15c4dc5a 260}
261
262void MeasureAntennaTuningHf(void)
263{
264 int vHf = 0; // in mV
265
266 DbpString("Measuring HF antenna, press button to exit");
267
3b692427 268 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
269 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
270 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
271
15c4dc5a 272 for (;;) {
15c4dc5a 273 SpinDelay(20);
3b692427 274 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
e30c654b 275
15c4dc5a 276 Dbprintf("%d mV",vHf);
277 if (BUTTON_PRESS()) break;
278 }
279 DbpString("cancelled");
3b692427 280
281 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
282
15c4dc5a 283}
284
285
15c4dc5a 286void ReadMem(int addr)
287{
f7e3ed82 288 const uint8_t *data = ((uint8_t *)addr);
15c4dc5a 289
290 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
291 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
292}
293
294/* osimage version information is linked in */
295extern struct version_information version_information;
296/* bootrom version information is pointed to from _bootphase1_version_pointer */
0fa01ec7 297extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
15c4dc5a 298void SendVersion(void)
299{
8e074056 300 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
301 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
e30c654b 302
303 /* Try to find the bootrom version information. Expect to find a pointer at
15c4dc5a 304 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
305 * pointer, then use it.
306 */
307 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
308 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
8e074056 309 strcat(VersionString, "bootrom version information appears invalid\n");
15c4dc5a 310 } else {
311 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
8e074056 312 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
15c4dc5a 313 }
e30c654b 314
15c4dc5a 315 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
8e074056 316 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e30c654b 317
e6153040 318 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
8e074056 319 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e6153040 320 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
8e074056 321 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
0fa01ec7 322
e6153040 323 // Send Chip ID and used flash memory
0fa01ec7 324 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
325 uint32_t compressed_data_section_size = common_area.arg1;
8e074056 326 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
15c4dc5a 327}
328
bfb01844 329// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
330// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
67b7d6fa 331void printUSBSpeed(void)
bfb01844 332{
333 Dbprintf("USB Speed:");
67b7d6fa 334 Dbprintf(" Sending USB packets to client...");
bfb01844 335
67b7d6fa 336 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
bfb01844 337 uint8_t *test_data = BigBuf_get_addr();
67b7d6fa 338 uint32_t end_time;
bfb01844 339
67b7d6fa 340 uint32_t start_time = end_time = GetTickCount();
341 uint32_t bytes_transferred = 0;
342
bfb01844 343 LED_B_ON();
67b7d6fa 344 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
345 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
346 end_time = GetTickCount();
347 bytes_transferred += USB_CMD_DATA_SIZE;
bfb01844 348 }
349 LED_B_OFF();
350
67b7d6fa 351 Dbprintf(" Time elapsed: %dms", end_time - start_time);
352 Dbprintf(" Bytes transferred: %d", bytes_transferred);
353 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
354 1000 * bytes_transferred / (end_time - start_time));
bfb01844 355
356}
357
c89274cc
CY		 358/**
359 * Prints runtime information about the PM3.
360**/
67b7d6fa 361void SendStatus(void)
c89274cc
CY		 362{
363 BigBuf_print_status();
364 Fpga_print_status();
365 printConfig(); //LF Sampling config
67b7d6fa 366 printUSBSpeed();
c89274cc
CY		 367 Dbprintf("Various");
368 Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL);
369 Dbprintf(" ToSendMax........%d",ToSendMax);
370 Dbprintf(" ToSendBit........%d",ToSendBit);
bfb01844 371
372 cmd_send(CMD_ACK,1,0,0,0,0);
c89274cc 373}
15c4dc5a 374
86a83668 375#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
15c4dc5a 376
15c4dc5a 377#define OPTS 2
378
86a83668
MHS		 379void StandAloneMode()
380{
381 DbpString("Stand-alone mode! No PC necessary.");
15c4dc5a 382 // Oooh pretty -- notify user we're in elite samy mode now
383 LED(LED_RED, 200);
384 LED(LED_ORANGE, 200);
385 LED(LED_GREEN, 200);
386 LED(LED_ORANGE, 200);
387 LED(LED_RED, 200);
388 LED(LED_ORANGE, 200);
389 LED(LED_GREEN, 200);
390 LED(LED_ORANGE, 200);
391 LED(LED_RED, 200);
392
86a83668
MHS		 393}
394
395#endif
396
397
398
399#ifdef WITH_ISO14443a_StandAlone
400void StandAloneMode14a()
401{
402 StandAloneMode();
403 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
404
15c4dc5a 405 int selected = 0;
c89274cc 406 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
86a83668
MHS		 407 int cardRead[OPTS] = {0};
408 uint8_t readUID[10] = {0};
409 uint32_t uid_1st[OPTS]={0};
410 uint32_t uid_2nd[OPTS]={0};
c89274cc
CY		 411 uint32_t uid_tmp1 = 0;
412 uint32_t uid_tmp2 = 0;
413 iso14a_card_select_t hi14a_card[OPTS];
15c4dc5a 414
15c4dc5a 415 LED(selected + 1, 0);
416
417 for (;;)
418 {
6e82300d 419 usb_poll();
86a83668 420 WDT_HIT();
15c4dc5a 421 SpinDelay(300);
422
c89274cc 423 if (iGotoRecord == 1 || cardRead[selected] == 0)
15c4dc5a 424 {
c89274cc 425 iGotoRecord = 0;
15c4dc5a 426 LEDsoff();
427 LED(selected + 1, 0);
428 LED(LED_RED2, 0);
429
430 // record
86a83668 431 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
15c4dc5a 432 /* need this delay to prevent catching some weird data */
433 SpinDelay(500);
86a83668
MHS		 434 /* Code for reading from 14a tag */
435 uint8_t uid[10] ={0};
436 uint32_t cuid;
437 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
15c4dc5a 438
86a83668
MHS		 439 for ( ; ; )
440 {
441 WDT_HIT();
c89274cc
CY		 442 if (BUTTON_PRESS()) {
443 if (cardRead[selected]) {
444 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
445 break;
446 }
447 else if (cardRead[(selected+1)%OPTS]) {
448 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
449 selected = (selected+1)%OPTS;
450 break; // playing = 1;
451 }
452 else {
453 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
454 SpinDelay(300);
455 }
456 }
457 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid))
86a83668
MHS		 458 continue;
459 else
460 {
461 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
462 memcpy(readUID,uid,10*sizeof(uint8_t));
c89274cc 463 uint8_t *dst = (uint8_t *)&uid_tmp1;
86a83668
MHS		 464 // Set UID byte order
465 for (int i=0; i<4; i++)
466 dst[i] = uid[3-i];
c89274cc 467 dst = (uint8_t *)&uid_tmp2;
86a83668
MHS		 468 for (int i=0; i<4; i++)
469 dst[i] = uid[7-i];
c89274cc
CY		 470 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
471 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
472 }
473 else {
474 if (uid_tmp2) {
475 Dbprintf("Bank[%d] received a 7-byte UID",selected);
476 uid_1st[selected] = (uid_tmp1)>>8;
477 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
478 }
479 else {
480 Dbprintf("Bank[%d] received a 4-byte UID",selected);
481 uid_1st[selected] = uid_tmp1;
482 uid_2nd[selected] = uid_tmp2;
483 }
484 break;
485 }
86a83668
MHS		 486 }
487 }
c89274cc
CY		 488 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
489 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
86a83668
MHS		 490 LEDsoff();
491 LED(LED_GREEN, 200);
492 LED(LED_ORANGE, 200);
493 LED(LED_GREEN, 200);
494 LED(LED_ORANGE, 200);
15c4dc5a 495
496 LEDsoff();
497 LED(selected + 1, 0);
15c4dc5a 498
c89274cc
CY		 499 // Next state is replay:
500 playing = 1;
3fe4ff4f 501
86a83668 502 cardRead[selected] = 1;
86a83668 503 }
c89274cc
CY		 504 /* MF Classic UID clone */
505 else if (iGotoClone==1)
3fe4ff4f 506 {
c89274cc
CY		 507 iGotoClone=0;
508 LEDsoff();
509 LED(selected + 1, 0);
510 LED(LED_ORANGE, 250);
3fe4ff4f 511
3fe4ff4f 512
c89274cc
CY		 513 // record
514 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
3fe4ff4f 515
c89274cc
CY		 516 // wait for button to be released
517 while(BUTTON_PRESS())
518 {
519 // Delay cloning until card is in place
520 WDT_HIT();
521 }
522 Dbprintf("Starting clone. [Bank: %u]", selected);
523 // need this delay to prevent catching some weird data
524 SpinDelay(500);
525 // Begin clone function here:
526 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
527 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
528 memcpy(c.d.asBytes, data, 16);
529 SendCommand(&c);
530
531 Block read is similar:
532 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
533 We need to imitate that call with blockNo 0 to set a uid.
534
535 The get and set commands are handled in this file:
536 // Work with "magic Chinese" card
537 case CMD_MIFARE_CSETBLOCK:
538 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
539 break;
540 case CMD_MIFARE_CGETBLOCK:
541 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
542 break;
543
544 mfCSetUID provides example logic for UID set workflow:
545 -Read block0 from card in field with MifareCGetBlock()
546 -Configure new values without replacing reserved bytes
547 memcpy(block0, uid, 4); // Copy UID bytes from byte array
548 // Mifare UID BCC
549 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
550 Bytes 5-7 are reserved SAK and ATQA for mifare classic
551 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
552 */
553 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
554 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
555 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
556 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
557 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
558 playing = 1;
559 }
560 else {
561 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
562 memcpy(newBlock0,oldBlock0,16);
563 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
564
565 newBlock0[0] = uid_1st[selected]>>24;
566 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
567 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
568 newBlock0[3] = 0xFF & (uid_1st[selected]);
569 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
570 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
571 MifareCSetBlock(0, 0xFF,0, newBlock0);
572 MifareCGetBlock(0x3F, 1, 0, testBlock0);
573 if (memcmp(testBlock0,newBlock0,16)==0)
574 {
575 DbpString("Cloned successfull!");
576 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
3fe4ff4f 577 playing = 0;
c89274cc
CY		 578 iGotoRecord = 1;
579 selected = (selected+1) % OPTS;
580 }
581 else {
582 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
583 playing = 1;
584 }
585 }
586 LEDsoff();
587 LED(selected + 1, 0);
15c4dc5a 588
86a83668 589 }
15c4dc5a 590 // Change where to record (or begin playing)
c89274cc 591 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
15c4dc5a 592 {
15c4dc5a 593 LEDsoff();
594 LED(selected + 1, 0);
595
596 // Begin transmitting
597 if (playing)
598 {
599 LED(LED_GREEN, 0);
600 DbpString("Playing");
c89274cc
CY		 601 for ( ; ; ) {
602 WDT_HIT();
603 int button_action = BUTTON_HELD(1000);
604 if (button_action == 0) { // No button action, proceed with sim
605 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
86a83668 606 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
c89274cc
CY		 607 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
608 DbpString("Mifare Classic");
609 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
610 }
611 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
612 DbpString("Mifare Ultralight");
613 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
614 }
615 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
616 DbpString("Mifare DESFire");
617 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
618 }
619 else {
620 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
621 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
622 }
623 }
624 else if (button_action == BUTTON_SINGLE_CLICK) {
625 selected = (selected + 1) % OPTS;
626 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
627 iGotoRecord = 1;
628 break;
15c4dc5a 629 }
c89274cc
CY		 630 else if (button_action == BUTTON_HOLD) {
631 Dbprintf("Playtime over. Begin cloning...");
632 iGotoClone = 1;
633 break;
634 }
635 WDT_HIT();
636 }
15c4dc5a 637
638 /* We pressed a button so ignore it here with a delay */
639 SpinDelay(300);
15c4dc5a 640 LEDsoff();
641 LED(selected + 1, 0);
642 }
643 else
644 while(BUTTON_PRESS())
645 WDT_HIT();
646 }
647 }
648}
86a83668
MHS		 649#elif WITH_LF
650// samy's sniff and repeat routine
651void SamyRun()
e46fe044 652{
86a83668
MHS		 653 StandAloneMode();
654 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
e46fe044 655
86a83668 656 int high[OPTS], low[OPTS];
15c4dc5a 657 int selected = 0;
658 int playing = 0;
3fe4ff4f 659 int cardRead = 0;
15c4dc5a 660
661 // Turn on selected LED
662 LED(selected + 1, 0);
663
664 for (;;)
665 {
6e82300d 666 usb_poll();
86a83668 667 WDT_HIT();
15c4dc5a 668
669 // Was our button held down or pressed?
670 int button_pressed = BUTTON_HELD(1000);
671 SpinDelay(300);
672
673 // Button was held for a second, begin recording
3fe4ff4f 674 if (button_pressed > 0 && cardRead == 0)
15c4dc5a 675 {
676 LEDsoff();
677 LED(selected + 1, 0);
678 LED(LED_RED2, 0);
679
680 // record
681 DbpString("Starting recording");
682
683 // wait for button to be released
684 while(BUTTON_PRESS())
685 WDT_HIT();
686
687 /* need this delay to prevent catching some weird data */
688 SpinDelay(500);
689
690 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
098015eb 691 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 692
693 LEDsoff();
694 LED(selected + 1, 0);
695 // Finished recording
696
697 // If we were previously playing, set playing off
698 // so next button push begins playing what we recorded
699 playing = 0;
3fe4ff4f 700
701 cardRead = 1;
702
703 }
704
705 else if (button_pressed > 0 && cardRead == 1)
706 {
707 LEDsoff();
708 LED(selected + 1, 0);
709 LED(LED_ORANGE, 0);
710
711 // record
098015eb 712 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 713
714 // wait for button to be released
715 while(BUTTON_PRESS())
716 WDT_HIT();
717
718 /* need this delay to prevent catching some weird data */
719 SpinDelay(500);
720
098015eb 721 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
722 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
3fe4ff4f 723
724 LEDsoff();
725 LED(selected + 1, 0);
726 // Finished recording
727
728 // If we were previously playing, set playing off
729 // so next button push begins playing what we recorded
730 playing = 0;
731
732 cardRead = 0;
733
15c4dc5a 734 }
735
736 // Change where to record (or begin playing)
737 else if (button_pressed)
738 {
739 // Next option if we were previously playing
740 if (playing)
741 selected = (selected + 1) % OPTS;
742 playing = !playing;
743
744 LEDsoff();
745 LED(selected + 1, 0);
746
747 // Begin transmitting
748 if (playing)
749 {
750 LED(LED_GREEN, 0);
751 DbpString("Playing");
752 // wait for button to be released
753 while(BUTTON_PRESS())
754 WDT_HIT();
098015eb 755 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
15c4dc5a 756 CmdHIDsimTAG(high[selected], low[selected], 0);
757 DbpString("Done playing");
758 if (BUTTON_HELD(1000) > 0)
759 {
760 DbpString("Exiting");
761 LEDsoff();
762 return;
763 }
764
765 /* We pressed a button so ignore it here with a delay */
766 SpinDelay(300);
767
768 // when done, we're done playing, move to next option
769 selected = (selected + 1) % OPTS;
770 playing = !playing;
771 LEDsoff();
772 LED(selected + 1, 0);
773 }
774 else
775 while(BUTTON_PRESS())
776 WDT_HIT();
777 }
778 }
779}
15c4dc5a 780
e46fe044 781#endif
15c4dc5a 782/*
783OBJECTIVE
784Listen and detect an external reader. Determine the best location
785for the antenna.
786
787INSTRUCTIONS:
788Inside the ListenReaderField() function, there is two mode.
789By default, when you call the function, you will enter mode 1.
790If you press the PM3 button one time, you will enter mode 2.
791If you press the PM3 button a second time, you will exit the function.
792
793DESCRIPTION OF MODE 1:
794This mode just listens for an external reader field and lights up green
795for HF and/or red for LF. This is the original mode of the detectreader
796function.
797
798DESCRIPTION OF MODE 2:
799This mode will visually represent, using the LEDs, the actual strength of the
800current compared to the maximum current detected. Basically, once you know
801what kind of external reader is present, it will help you spot the best location to place
802your antenna. You will probably not get some good results if there is a LF and a HF reader
803at the same place! :-)
804
805LIGHT SCHEME USED:
806*/
807static const char LIGHT_SCHEME[] = {
808 0x0, /* ---- | No field detected */
809 0x1, /* X--- | 14% of maximum current detected */
810 0x2, /* -X-- | 29% of maximum current detected */
811 0x4, /* --X- | 43% of maximum current detected */
812 0x8, /* ---X | 57% of maximum current detected */
813 0xC, /* --XX | 71% of maximum current detected */
814 0xE, /* -XXX | 86% of maximum current detected */
815 0xF, /* XXXX | 100% of maximum current detected */
816};
817static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
818
819void ListenReaderField(int limit)
820{
3b692427 821 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
822 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
15c4dc5a 823 int mode=1, display_val, display_max, i;
824
3b692427 825#define LF_ONLY 1
826#define HF_ONLY 2
827#define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
828
829
830 // switch off FPGA - we don't want to measure our own signal
831 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
832 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 833
834 LEDsoff();
835
3b692427 836 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
15c4dc5a 837
838 if(limit != HF_ONLY) {
3b692427 839 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
15c4dc5a 840 lf_baseline = lf_av;
841 }
842
3b692427 843 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
15c4dc5a 844
845 if (limit != LF_ONLY) {
3b692427 846 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
15c4dc5a 847 hf_baseline = hf_av;
848 }
849
850 for(;;) {
851 if (BUTTON_PRESS()) {
852 SpinDelay(500);
853 switch (mode) {
854 case 1:
855 mode=2;
856 DbpString("Signal Strength Mode");
857 break;
858 case 2:
859 default:
860 DbpString("Stopped");
861 LEDsoff();
862 return;
863 break;
864 }
865 }
866 WDT_HIT();
867
868 if (limit != HF_ONLY) {
3b692427 869 if(mode == 1) {
870 if (abs(lf_av - lf_baseline) > REPORT_CHANGE)
871 LED_D_ON();
872 else
873 LED_D_OFF();
15c4dc5a 874 }
e30c654b 875
3b692427 876 lf_av_new = AvgAdc(ADC_CHAN_LF);
15c4dc5a 877 // see if there's a significant change
3b692427 878 if(abs(lf_av - lf_av_new) > REPORT_CHANGE) {
879 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
15c4dc5a 880 lf_av = lf_av_new;
881 if (lf_av > lf_max)
882 lf_max = lf_av;
15c4dc5a 883 }
884 }
885
886 if (limit != LF_ONLY) {
887 if (mode == 1){
3b692427 888 if (abs(hf_av - hf_baseline) > REPORT_CHANGE)
889 LED_B_ON();
890 else
891 LED_B_OFF();
15c4dc5a 892 }
e30c654b 893
3b692427 894 hf_av_new = AvgAdc(ADC_CHAN_HF);
15c4dc5a 895 // see if there's a significant change
3b692427 896 if(abs(hf_av - hf_av_new) > REPORT_CHANGE) {
897 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
15c4dc5a 898 hf_av = hf_av_new;
899 if (hf_av > hf_max)
900 hf_max = hf_av;
15c4dc5a 901 }
902 }
e30c654b 903
15c4dc5a 904 if(mode == 2) {
905 if (limit == LF_ONLY) {
906 display_val = lf_av;
907 display_max = lf_max;
908 } else if (limit == HF_ONLY) {
909 display_val = hf_av;
910 display_max = hf_max;
911 } else { /* Pick one at random */
912 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
913 display_val = hf_av;
914 display_max = hf_max;
915 } else {
916 display_val = lf_av;
917 display_max = lf_max;
918 }
919 }
920 for (i=0; i<LIGHT_LEN; i++) {
921 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
922 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
923 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
924 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
925 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
926 break;
927 }
928 }
929 }
930 }
931}
932
f7e3ed82 933void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 934{
935 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 936
902cb3c0 937// Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
938
15c4dc5a 939 switch(c->cmd) {
940#ifdef WITH_LF
31abe49f
MHS		 941 case CMD_SET_LF_SAMPLING_CONFIG:
942 setSamplingConfig((sample_config *) c->d.asBytes);
943 break;
15c4dc5a 944 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
1fbf8956 945 cmd_send(CMD_ACK,SampleLF(c->arg[0]),0,0,0,0);
15c4dc5a 946 break;
15c4dc5a 947 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
948 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
949 break;
b014c96d 950 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 951 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 952 break;
7e67e42f 953 case CMD_HID_DEMOD_FSK:
3fe4ff4f 954 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
7e67e42f 955 break;
956 case CMD_HID_SIM_TAG:
3fe4ff4f 957 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
7e67e42f 958 break;
abd6112f 959 case CMD_FSK_SIM_TAG:
960 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
961 break;
962 case CMD_ASK_SIM_TAG:
963 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
964 break;
872e3d4d 965 case CMD_PSK_SIM_TAG:
966 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
967 break;
968 case CMD_HID_CLONE_TAG:
1c611bbd 969 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
7e67e42f 970 break;
a1f3bb12 971 case CMD_IO_DEMOD_FSK:
3fe4ff4f 972 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 973 break;
3fe4ff4f 974 case CMD_IO_CLONE_TAG:
9f669cb2 975 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 976 break;
66707a3b 977 case CMD_EM410X_DEMOD:
978 CmdEM410xdemod(c->arg[0], 0, 0, 1);
979 break;
2d4eae76 980 case CMD_EM410X_WRITE_TAG:
981 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
982 break;
7e67e42f 983 case CMD_READ_TI_TYPE:
984 ReadTItag();
985 break;
986 case CMD_WRITE_TI_TYPE:
987 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
988 break;
989 case CMD_SIMULATE_TAG_125K:
31d1caa5 990 LED_A_ON();
7e67e42f 991 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
31d1caa5 992 LED_A_OFF();
7e67e42f 993 break;
994 case CMD_LF_SIMULATE_BIDIR:
995 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
996 break;
3fe4ff4f 997 case CMD_INDALA_CLONE_TAG:
2414f978 998 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
999 break;
3fe4ff4f 1000 case CMD_INDALA_CLONE_TAG_L:
2414f978 1001 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
1002 break;
1c611bbd 1003 case CMD_T55XX_READ_BLOCK:
8e99ec25 1004 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1005 break;
1006 case CMD_T55XX_WRITE_BLOCK:
1007 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1008 break;
be2d41b7 1009 case CMD_T55XX_WAKEUP:
1010 T55xxWakeUp(c->arg[0]);
1c611bbd 1011 break;
66837a03 1012 case CMD_T55XX_RESET_READ:
1013 T55xxResetRead();
1014 break;
3fe4ff4f 1015 case CMD_PCF7931_READ:
1c611bbd 1016 ReadPCF7931();
1c611bbd 1017 break;
dc4300ba 1018 case CMD_PCF7931_WRITE:
d10e08ae 1019 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
dc4300ba 1020 break;
1c611bbd 1021 case CMD_EM4X_READ_WORD:
1022 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
1023 break;
1024 case CMD_EM4X_WRITE_WORD:
1025 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1026 break;
dbf6e824
CY		 1027 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1028 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
7cfc777b 1029 break;
709665b5 1030 case CMD_VIKING_CLONE_TAG:
1031 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1032 break;
15c4dc5a 1033#endif
1034
d19929cb 1035#ifdef WITH_HITAG
1036 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1037 SnoopHitag(c->arg[0]);
1038 break;
1039 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1040 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1041 break;
1042 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1043 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1044 break;
4e12287d
RS		 1045 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1046 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1047 break;
1048 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1049 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1050 break;
1051 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1052 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1053 break;
1054 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1055 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1056 break;
d19929cb 1057#endif
f168b263 1058
15c4dc5a 1059#ifdef WITH_ISO15693
1060 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1061 AcquireRawAdcSamplesIso15693();
1062 break;
9455b51c 1063 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1064 RecordRawAdcSamplesIso15693();
1065 break;
1066
1067 case CMD_ISO_15693_COMMAND:
1068 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1069 break;
1070
1071 case CMD_ISO_15693_FIND_AFI:
1072 BruteforceIso15693Afi(c->arg[0]);
1073 break;
1074
1075 case CMD_ISO_15693_DEBUG:
1076 SetDebugIso15693(c->arg[0]);
1077 break;
15c4dc5a 1078
15c4dc5a 1079 case CMD_READER_ISO_15693:
1080 ReaderIso15693(c->arg[0]);
1081 break;
7e67e42f 1082 case CMD_SIMTAG_ISO_15693:
3fe4ff4f 1083 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1084 break;
15c4dc5a 1085#endif
1086
7e67e42f 1087#ifdef WITH_LEGICRF
1088 case CMD_SIMULATE_TAG_LEGIC_RF:
1089 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1090 break;
3612a8a8 1091
7e67e42f 1092 case CMD_WRITER_LEGIC_RF:
1093 LegicRfWriter(c->arg[1], c->arg[0]);
1094 break;
3612a8a8 1095
15c4dc5a 1096 case CMD_READER_LEGIC_RF:
1097 LegicRfReader(c->arg[0], c->arg[1]);
1098 break;
15c4dc5a 1099#endif
1100
1101#ifdef WITH_ISO14443b
15c4dc5a 1102 case CMD_READ_SRI512_TAG:
51d4f6f1 1103 ReadSTMemoryIso14443b(0x0F);
15c4dc5a 1104 break;
7e67e42f 1105 case CMD_READ_SRIX4K_TAG:
51d4f6f1 1106 ReadSTMemoryIso14443b(0x7F);
7e67e42f 1107 break;
132a0217 1108 case CMD_SNOOP_ISO_14443B:
51d4f6f1 1109 SnoopIso14443b();
7e67e42f 1110 break;
132a0217 1111 case CMD_SIMULATE_TAG_ISO_14443B:
51d4f6f1 1112 SimulateIso14443bTag();
7e67e42f 1113 break;
7cf3ef20 1114 case CMD_ISO_14443B_COMMAND:
1115 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1116 break;
15c4dc5a 1117#endif
1118
1119#ifdef WITH_ISO14443a
7e67e42f 1120 case CMD_SNOOP_ISO_14443a:
5cd9ec01 1121 SnoopIso14443a(c->arg[0]);
7e67e42f 1122 break;
15c4dc5a 1123 case CMD_READER_ISO_14443a:
902cb3c0 1124 ReaderIso14443a(c);
15c4dc5a 1125 break;
7e67e42f 1126 case CMD_SIMULATE_TAG_ISO_14443a:
28afbd2b 1127 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1128 break;
3fe4ff4f 1129
5acd09bd 1130 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1131 EPA_PACE_Collect_Nonce(c);
5acd09bd 1132 break;
3bb07d96
FM		 1133 case CMD_EPA_PACE_REPLAY:
1134 EPA_PACE_Replay(c);
1135 break;
7e67e42f 1136
15c4dc5a 1137 case CMD_READER_MIFARE:
f168b263 1138 ReaderMifare(c->arg[0]);
15c4dc5a 1139 break;
20f9a2a1
M		 1140 case CMD_MIFARE_READBL:
1141 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1142 break;
981bd429 1143 case CMD_MIFAREU_READBL:
f168b263 1144 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1145 break;
8258f409 1146 case CMD_MIFAREUC_AUTH:
1147 MifareUC_Auth(c->arg[0],c->d.asBytes);
a631936e 1148 break;
981bd429 1149 case CMD_MIFAREU_READCARD:
75377d29 1150 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1151 break;
f168b263 1152 case CMD_MIFAREUC_SETPWD:
1153 MifareUSetPwd(c->arg[0], c->d.asBytes);
1154 break;
20f9a2a1
M		 1155 case CMD_MIFARE_READSC:
1156 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1157 break;
1158 case CMD_MIFARE_WRITEBL:
1159 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1160 break;
4973f23d 1161 //case CMD_MIFAREU_WRITEBL_COMPAT:
1162 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1163 //break;
981bd429 1164 case CMD_MIFAREU_WRITEBL:
4973f23d 1165 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
f168b263 1166 break;
20f9a2a1
M		 1167 case CMD_MIFARE_NESTED:
1168 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M		 1169 break;
1170 case CMD_MIFARE_CHKKEYS:
1171 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M		 1172 break;
1173 case CMD_SIMULATE_MIFARE_CARD:
1174 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1175 break;
8556b852
M		 1176
1177 // emulator
1178 case CMD_MIFARE_SET_DBGMODE:
1179 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1180 break;
1181 case CMD_MIFARE_EML_MEMCLR:
1182 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1183 break;
1184 case CMD_MIFARE_EML_MEMSET:
1185 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1186 break;
1187 case CMD_MIFARE_EML_MEMGET:
1188 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1189 break;
1190 case CMD_MIFARE_EML_CARDLOAD:
1191 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M		 1192 break;
1193
1194 // Work with "magic Chinese" card
3fe4ff4f 1195 case CMD_MIFARE_CSETBLOCK:
0675f200 1196 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
545a1f38 1197 break;
3fe4ff4f 1198 case CMD_MIFARE_CGETBLOCK:
545a1f38 1199 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
8556b852 1200 break;
3fe4ff4f 1201 case CMD_MIFARE_CIDENT:
1202 MifareCIdent();
1203 break;
b62a5a84
M		 1204
1205 // mifare sniffer
1206 case CMD_MIFARE_SNIFFER:
5cd9ec01 1207 SniffMifare(c->arg[0]);
b62a5a84 1208 break;
a631936e 1209
20f9a2a1
M		 1210#endif
1211
7e67e42f 1212#ifdef WITH_ICLASS
cee5a30d 1213 // Makes use of ISO14443a FPGA Firmware
1214 case CMD_SNOOP_ICLASS:
1215 SnoopIClass();
1216 break;
1e262141 1217 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1218 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1219 break;
1220 case CMD_READER_ICLASS:
1221 ReaderIClass(c->arg[0]);
1222 break;
c3963755 1223 case CMD_READER_ICLASS_REPLAY:
aa53efc3 1224 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
c3963755 1225 break;
aa53efc3 1226 case CMD_ICLASS_EML_MEMSET:
e80aeb96
MHS		 1227 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1228 break;
aa53efc3 1229 case CMD_ICLASS_WRITEBLOCK:
3ac22ee1 1230 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1231 break;
1232 case CMD_ICLASS_READCHECK: // auth step 1
1233 iClass_ReadCheck(c->arg[0], c->arg[1]);
aa53efc3 1234 break;
1235 case CMD_ICLASS_READBLOCK:
3ac22ee1 1236 iClass_ReadBlk(c->arg[0]);
aa53efc3 1237 break;
3ac22ee1 1238 case CMD_ICLASS_AUTHENTICATION: //check
aa53efc3 1239 iClass_Authentication(c->d.asBytes);
1240 break;
1241 case CMD_ICLASS_DUMP:
3ac22ee1 1242 iClass_Dump(c->arg[0], c->arg[1]);
aa53efc3 1243 break;
1244 case CMD_ICLASS_CLONE:
3ac22ee1 1245 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
aa53efc3 1246 break;
cee5a30d 1247#endif
0472d76d 1248#ifdef WITH_HFSNOOP
1249 case CMD_HF_SNIFFER:
1250 HfSnoop(c->arg[0], c->arg[1]);
1251 break;
1252#endif
cee5a30d 1253
7e67e42f 1254 case CMD_BUFF_CLEAR:
117d9ec2 1255 BigBuf_Clear();
15c4dc5a 1256 break;
15c4dc5a 1257
1258 case CMD_MEASURE_ANTENNA_TUNING:
fdcfbdcc 1259 MeasureAntennaTuning(c->arg[0]);
15c4dc5a 1260 break;
1261
1262 case CMD_MEASURE_ANTENNA_TUNING_HF:
1263 MeasureAntennaTuningHf();
1264 break;
1265
1266 case CMD_LISTEN_READER_FIELD:
1267 ListenReaderField(c->arg[0]);
1268 break;
1269
15c4dc5a 1270 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1271 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1272 SpinDelay(200);
1273 LED_D_OFF(); // LED D indicates field ON or OFF
1274 break;
1275
1c611bbd 1276 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
902cb3c0 1277
1c611bbd 1278 LED_B_ON();
117d9ec2 1279 uint8_t *BigBuf = BigBuf_get_addr();
1c611bbd 1280 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1281 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1282 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1283 }
1284 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1285 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1286 LED_B_OFF();
1c611bbd 1287 break;
15c4dc5a 1288
1289 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
117d9ec2 1290 uint8_t *b = BigBuf_get_addr();
3fe4ff4f 1291 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1292 cmd_send(CMD_ACK,0,0,0,0,0);
1293 break;
1294 }
15c4dc5a 1295 case CMD_READ_MEM:
1296 ReadMem(c->arg[0]);
1297 break;
1298
1299 case CMD_SET_LF_DIVISOR:
7cc204bf 1300 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1301 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1302 break;
1303
1304 case CMD_SET_ADC_MUX:
1305 switch(c->arg[0]) {
1306 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1307 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1308 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1309 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1310 }
1311 break;
1312
1313 case CMD_VERSION:
1314 SendVersion();
1315 break;
c89274cc 1316 case CMD_STATUS:
67b7d6fa 1317 SendStatus();
c89274cc
CY		 1318 break;
1319 case CMD_PING:
1320 cmd_send(CMD_ACK,0,0,0,0,0);
1321 break;
15c4dc5a 1322#ifdef WITH_LCD
1323 case CMD_LCD_RESET:
1324 LCDReset();
1325 break;
1326 case CMD_LCD:
1327 LCDSend(c->arg[0]);
1328 break;
1329#endif
1330 case CMD_SETUP_WRITE:
1331 case CMD_FINISH_WRITE:
1c611bbd 1332 case CMD_HARDWARE_RESET:
1333 usb_disable();
15c4dc5a 1334 SpinDelay(1000);
1335 SpinDelay(1000);
1336 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1337 for(;;) {
1338 // We're going to reset, and the bootrom will take control.
1339 }
1c611bbd 1340 break;
15c4dc5a 1341
1c611bbd 1342 case CMD_START_FLASH:
15c4dc5a 1343 if(common_area.flags.bootrom_present) {
1344 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1345 }
1c611bbd 1346 usb_disable();
15c4dc5a 1347 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1348 for(;;);
1c611bbd 1349 break;
e30c654b 1350
15c4dc5a 1351 case CMD_DEVICE_INFO: {
902cb3c0 1352 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1353 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1354 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1355 break;
1356 }
1357 default:
15c4dc5a 1358 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1359 break;
15c4dc5a 1360 }
1361}
1362
1363void __attribute__((noreturn)) AppMain(void)
1364{
1365 SpinDelay(100);
9e8255d4 1366 clear_trace();
15c4dc5a 1367 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1368 /* Initialize common area */
1369 memset(&common_area, 0, sizeof(common_area));
1370 common_area.magic = COMMON_AREA_MAGIC;
1371 common_area.version = 1;
1372 }
1373 common_area.flags.osimage_present = 1;
1374
1375 LED_D_OFF();
1376 LED_C_OFF();
1377 LED_B_OFF();
1378 LED_A_OFF();
1379
3fe4ff4f 1380 // Init USB device
902cb3c0 1381 usb_enable();
15c4dc5a 1382
1383 // The FPGA gets its clock from us from PCK0 output, so set that up.
1384 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1385 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1386 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1387 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1388 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
0472d76d 1389 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
15c4dc5a 1390 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1391
1392 // Reset SPI
1393 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1394 // Reset SSC
1395 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1396
1397 // Load the FPGA image, which we have stored in our flash.
7cc204bf 1398 // (the HF version by default)
1399 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1400
9ca155ba 1401 StartTickCount();
902cb3c0 1402
15c4dc5a 1403#ifdef WITH_LCD
15c4dc5a 1404 LCDInit();
15c4dc5a 1405#endif
1406
902cb3c0 1407 byte_t rx[sizeof(UsbCommand)];
1408 size_t rx_len;
1409
15c4dc5a 1410 for(;;) {
902cb3c0 1411 if (usb_poll()) {
1412 rx_len = usb_read(rx,sizeof(UsbCommand));
1413 if (rx_len) {
1414 UsbPacketReceived(rx,rx_len);
1415 }
1416 }
15c4dc5a 1417 WDT_HIT();
1418
1419#ifdef WITH_LF
e46fe044 1420#ifndef WITH_ISO14443a_StandAlone
15c4dc5a 1421 if (BUTTON_HELD(1000) > 0)
1422 SamyRun();
e46fe044
CY		 1423#endif
1424#endif
1425#ifdef WITH_ISO14443a
1426#ifdef WITH_ISO14443a_StandAlone
1427 if (BUTTON_HELD(1000) > 0)
1428 StandAloneMode14a();
1429#endif
15c4dc5a 1430#endif
1431 }
1432}
Proxmark3 GIT tracking
Impressum, Datenschutz