]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
mifare firmware update
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
3 //
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
6 #include <proxmark3.h>
7 #include "apps.h"
8 #include "../common/iso14443_crc.c"
9
10 static BYTE *trace = (BYTE *) BigBuf;
11 static int traceLen = 0;
12 static int rsamples = 0;
13 static BOOL tracing = TRUE;
14
15 typedef enum {
16 SEC_D = 1,
17 SEC_E = 2,
18 SEC_F = 3,
19 SEC_X = 4,
20 SEC_Y = 5,
21 SEC_Z = 6
22 } SecType;
23
24 static const BYTE OddByteParity[256] = {
25 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
26 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
27 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
28 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
29 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
30 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
33 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
34 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
35 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
36 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
37 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
38 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
41 };
42
43 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
44 #define RECV_CMD_OFFSET 3032
45 #define RECV_RES_OFFSET 3096
46 #define DMA_BUFFER_OFFSET 3160
47 #define DMA_BUFFER_SIZE 4096
48 #define TRACE_LENGTH 3000
49
50 //-----------------------------------------------------------------------------
51 // Generate the parity value for a byte sequence
52 //
53 //-----------------------------------------------------------------------------
54 DWORD GetParity(const BYTE * pbtCmd, int iLen)
55 {
56 int i;
57 DWORD dwPar = 0;
58
59 // Generate the encrypted data
60 for (i = 0; i < iLen; i++) {
61 // Save the encrypted parity bit
62 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
63 }
64 return dwPar;
65 }
66
67 static void AppendCrc14443a(BYTE* data, int len)
68 {
69 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
70 }
71
72 BOOL LogTrace(const BYTE * btBytes, int iLen, int iSamples, DWORD dwParity, BOOL bReader)
73 {
74 // Return when trace is full
75 if (traceLen >= TRACE_LENGTH) return FALSE;
76
77 // Trace the random, i'm curious
78 rsamples += iSamples;
79 trace[traceLen++] = ((rsamples >> 0) & 0xff);
80 trace[traceLen++] = ((rsamples >> 8) & 0xff);
81 trace[traceLen++] = ((rsamples >> 16) & 0xff);
82 trace[traceLen++] = ((rsamples >> 24) & 0xff);
83 if (!bReader) {
84 trace[traceLen - 1] |= 0x80;
85 }
86 trace[traceLen++] = ((dwParity >> 0) & 0xff);
87 trace[traceLen++] = ((dwParity >> 8) & 0xff);
88 trace[traceLen++] = ((dwParity >> 16) & 0xff);
89 trace[traceLen++] = ((dwParity >> 24) & 0xff);
90 trace[traceLen++] = iLen;
91 memcpy(trace + traceLen, btBytes, iLen);
92 traceLen += iLen;
93 return TRUE;
94 }
95
96 BOOL LogTraceInfo(byte_t* data, size_t len)
97 {
98 return LogTrace(data,len,0,GetParity(data,len),TRUE);
99 }
100
101 //-----------------------------------------------------------------------------
102 // The software UART that receives commands from the reader, and its state
103 // variables.
104 //-----------------------------------------------------------------------------
105 static struct {
106 enum {
107 STATE_UNSYNCD,
108 STATE_START_OF_COMMUNICATION,
109 STATE_MILLER_X,
110 STATE_MILLER_Y,
111 STATE_MILLER_Z,
112 STATE_ERROR_WAIT
113 } state;
114 WORD shiftReg;
115 int bitCnt;
116 int byteCnt;
117 int byteCntMax;
118 int posCnt;
119 int syncBit;
120 int parityBits;
121 int samples;
122 int highCnt;
123 int bitBuffer;
124 enum {
125 DROP_NONE,
126 DROP_FIRST_HALF,
127 DROP_SECOND_HALF
128 } drop;
129 BYTE *output;
130 } Uart;
131
132 static BOOL MillerDecoding(int bit)
133 {
134 int error = 0;
135 int bitright;
136
137 if(!Uart.bitBuffer) {
138 Uart.bitBuffer = bit ^ 0xFF0;
139 return FALSE;
140 }
141 else {
142 Uart.bitBuffer <<= 4;
143 Uart.bitBuffer ^= bit;
144 }
145
146 BOOL EOC = FALSE;
147
148 if(Uart.state != STATE_UNSYNCD) {
149 Uart.posCnt++;
150
151 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
152 bit = 0x00;
153 }
154 else {
155 bit = 0x01;
156 }
157 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
158 bitright = 0x00;
159 }
160 else {
161 bitright = 0x01;
162 }
163 if(bit != bitright) { bit = bitright; }
164
165 if(Uart.posCnt == 1) {
166 // measurement first half bitperiod
167 if(!bit) {
168 Uart.drop = DROP_FIRST_HALF;
169 }
170 }
171 else {
172 // measurement second half bitperiod
173 if(!bit & (Uart.drop == DROP_NONE)) {
174 Uart.drop = DROP_SECOND_HALF;
175 }
176 else if(!bit) {
177 // measured a drop in first and second half
178 // which should not be possible
179 Uart.state = STATE_ERROR_WAIT;
180 error = 0x01;
181 }
182
183 Uart.posCnt = 0;
184
185 switch(Uart.state) {
186 case STATE_START_OF_COMMUNICATION:
187 Uart.shiftReg = 0;
188 if(Uart.drop == DROP_SECOND_HALF) {
189 // error, should not happen in SOC
190 Uart.state = STATE_ERROR_WAIT;
191 error = 0x02;
192 }
193 else {
194 // correct SOC
195 Uart.state = STATE_MILLER_Z;
196 }
197 break;
198
199 case STATE_MILLER_Z:
200 Uart.bitCnt++;
201 Uart.shiftReg >>= 1;
202 if(Uart.drop == DROP_NONE) {
203 // logic '0' followed by sequence Y
204 // end of communication
205 Uart.state = STATE_UNSYNCD;
206 EOC = TRUE;
207 }
208 // if(Uart.drop == DROP_FIRST_HALF) {
209 // Uart.state = STATE_MILLER_Z; stay the same
210 // we see a logic '0' }
211 if(Uart.drop == DROP_SECOND_HALF) {
212 // we see a logic '1'
213 Uart.shiftReg |= 0x100;
214 Uart.state = STATE_MILLER_X;
215 }
216 break;
217
218 case STATE_MILLER_X:
219 Uart.shiftReg >>= 1;
220 if(Uart.drop == DROP_NONE) {
221 // sequence Y, we see a '0'
222 Uart.state = STATE_MILLER_Y;
223 Uart.bitCnt++;
224 }
225 if(Uart.drop == DROP_FIRST_HALF) {
226 // Would be STATE_MILLER_Z
227 // but Z does not follow X, so error
228 Uart.state = STATE_ERROR_WAIT;
229 error = 0x03;
230 }
231 if(Uart.drop == DROP_SECOND_HALF) {
232 // We see a '1' and stay in state X
233 Uart.shiftReg |= 0x100;
234 Uart.bitCnt++;
235 }
236 break;
237
238 case STATE_MILLER_Y:
239 Uart.bitCnt++;
240 Uart.shiftReg >>= 1;
241 if(Uart.drop == DROP_NONE) {
242 // logic '0' followed by sequence Y
243 // end of communication
244 Uart.state = STATE_UNSYNCD;
245 EOC = TRUE;
246 }
247 if(Uart.drop == DROP_FIRST_HALF) {
248 // we see a '0'
249 Uart.state = STATE_MILLER_Z;
250 }
251 if(Uart.drop == DROP_SECOND_HALF) {
252 // We see a '1' and go to state X
253 Uart.shiftReg |= 0x100;
254 Uart.state = STATE_MILLER_X;
255 }
256 break;
257
258 case STATE_ERROR_WAIT:
259 // That went wrong. Now wait for at least two bit periods
260 // and try to sync again
261 if(Uart.drop == DROP_NONE) {
262 Uart.highCnt = 6;
263 Uart.state = STATE_UNSYNCD;
264 }
265 break;
266
267 default:
268 Uart.state = STATE_UNSYNCD;
269 Uart.highCnt = 0;
270 break;
271 }
272
273 Uart.drop = DROP_NONE;
274
275 // should have received at least one whole byte...
276 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
277 return TRUE;
278 }
279
280 if(Uart.bitCnt == 9) {
281 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
282 Uart.byteCnt++;
283
284 Uart.parityBits <<= 1;
285 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
286
287 if(EOC) {
288 // when End of Communication received and
289 // all data bits processed..
290 return TRUE;
291 }
292 Uart.bitCnt = 0;
293 }
294
295 /*if(error) {
296 Uart.output[Uart.byteCnt] = 0xAA;
297 Uart.byteCnt++;
298 Uart.output[Uart.byteCnt] = error & 0xFF;
299 Uart.byteCnt++;
300 Uart.output[Uart.byteCnt] = 0xAA;
301 Uart.byteCnt++;
302 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
303 Uart.byteCnt++;
304 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
305 Uart.byteCnt++;
306 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
307 Uart.byteCnt++;
308 Uart.output[Uart.byteCnt] = 0xAA;
309 Uart.byteCnt++;
310 return TRUE;
311 }*/
312 }
313
314 }
315 else {
316 bit = Uart.bitBuffer & 0xf0;
317 bit >>= 4;
318 bit ^= 0x0F;
319 if(bit) {
320 // should have been high or at least (4 * 128) / fc
321 // according to ISO this should be at least (9 * 128 + 20) / fc
322 if(Uart.highCnt == 8) {
323 // we went low, so this could be start of communication
324 // it turns out to be safer to choose a less significant
325 // syncbit... so we check whether the neighbour also represents the drop
326 Uart.posCnt = 1; // apparently we are busy with our first half bit period
327 Uart.syncBit = bit & 8;
328 Uart.samples = 3;
329 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
330 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
331 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
332 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
333 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
334 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
335 Uart.syncBit = 8;
336
337 // the first half bit period is expected in next sample
338 Uart.posCnt = 0;
339 Uart.samples = 3;
340 }
341 }
342 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
343
344 Uart.syncBit <<= 4;
345 Uart.state = STATE_START_OF_COMMUNICATION;
346 Uart.drop = DROP_FIRST_HALF;
347 Uart.bitCnt = 0;
348 Uart.byteCnt = 0;
349 Uart.parityBits = 0;
350 error = 0;
351 }
352 else {
353 Uart.highCnt = 0;
354 }
355 }
356 else {
357 if(Uart.highCnt < 8) {
358 Uart.highCnt++;
359 }
360 }
361 }
362
363 return FALSE;
364 }
365
366 //=============================================================================
367 // ISO 14443 Type A - Manchester
368 //=============================================================================
369
370 static struct {
371 enum {
372 DEMOD_UNSYNCD,
373 DEMOD_START_OF_COMMUNICATION,
374 DEMOD_MANCHESTER_D,
375 DEMOD_MANCHESTER_E,
376 DEMOD_MANCHESTER_F,
377 DEMOD_ERROR_WAIT
378 } state;
379 int bitCount;
380 int posCount;
381 int syncBit;
382 int parityBits;
383 WORD shiftReg;
384 int buffer;
385 int buff;
386 int samples;
387 int len;
388 enum {
389 SUB_NONE,
390 SUB_FIRST_HALF,
391 SUB_SECOND_HALF
392 } sub;
393 BYTE *output;
394 } Demod;
395
396 static BOOL ManchesterDecoding(int v)
397 {
398 int bit;
399 int modulation;
400 int error = 0;
401
402 if(!Demod.buff) {
403 Demod.buff = 1;
404 Demod.buffer = v;
405 return FALSE;
406 }
407 else {
408 bit = Demod.buffer;
409 Demod.buffer = v;
410 }
411
412 if(Demod.state==DEMOD_UNSYNCD) {
413 Demod.output[Demod.len] = 0xfa;
414 Demod.syncBit = 0;
415 //Demod.samples = 0;
416 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
417 if(bit & 0x08) { Demod.syncBit = 0x08; }
418 if(!Demod.syncBit) {
419 if(bit & 0x04) { Demod.syncBit = 0x04; }
420 }
421 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
422 if(!Demod.syncBit) {
423 if(bit & 0x02) { Demod.syncBit = 0x02; }
424 }
425 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
426 if(!Demod.syncBit) {
427 if(bit & 0x01) { Demod.syncBit = 0x01; }
428
429 if(Demod.syncBit & (Demod.buffer & 0x08)) {
430 Demod.syncBit = 0x08;
431
432 // The first half bitperiod is expected in next sample
433 Demod.posCount = 0;
434 Demod.output[Demod.len] = 0xfb;
435 }
436 }
437 else if(bit & 0x01) { Demod.syncBit = 0x01; }
438
439 if(Demod.syncBit) {
440 Demod.len = 0;
441 Demod.state = DEMOD_START_OF_COMMUNICATION;
442 Demod.sub = SUB_FIRST_HALF;
443 Demod.bitCount = 0;
444 Demod.shiftReg = 0;
445 Demod.parityBits = 0;
446 Demod.samples = 0;
447 if(Demod.posCount) {
448 switch(Demod.syncBit) {
449 case 0x08: Demod.samples = 3; break;
450 case 0x04: Demod.samples = 2; break;
451 case 0x02: Demod.samples = 1; break;
452 case 0x01: Demod.samples = 0; break;
453 }
454 }
455 error = 0;
456 }
457 }
458 else {
459 //modulation = bit & Demod.syncBit;
460 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
461
462 Demod.samples += 4;
463
464 if(Demod.posCount==0) {
465 Demod.posCount = 1;
466 if(modulation) {
467 Demod.sub = SUB_FIRST_HALF;
468 }
469 else {
470 Demod.sub = SUB_NONE;
471 }
472 }
473 else {
474 Demod.posCount = 0;
475 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
476 if(Demod.state!=DEMOD_ERROR_WAIT) {
477 Demod.state = DEMOD_ERROR_WAIT;
478 Demod.output[Demod.len] = 0xaa;
479 error = 0x01;
480 }
481 }
482 else if(modulation) {
483 Demod.sub = SUB_SECOND_HALF;
484 }
485
486 switch(Demod.state) {
487 case DEMOD_START_OF_COMMUNICATION:
488 if(Demod.sub == SUB_FIRST_HALF) {
489 Demod.state = DEMOD_MANCHESTER_D;
490 }
491 else {
492 Demod.output[Demod.len] = 0xab;
493 Demod.state = DEMOD_ERROR_WAIT;
494 error = 0x02;
495 }
496 break;
497
498 case DEMOD_MANCHESTER_D:
499 case DEMOD_MANCHESTER_E:
500 if(Demod.sub == SUB_FIRST_HALF) {
501 Demod.bitCount++;
502 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
503 Demod.state = DEMOD_MANCHESTER_D;
504 }
505 else if(Demod.sub == SUB_SECOND_HALF) {
506 Demod.bitCount++;
507 Demod.shiftReg >>= 1;
508 Demod.state = DEMOD_MANCHESTER_E;
509 }
510 else {
511 Demod.state = DEMOD_MANCHESTER_F;
512 }
513 break;
514
515 case DEMOD_MANCHESTER_F:
516 // Tag response does not need to be a complete byte!
517 if(Demod.len > 0 || Demod.bitCount > 0) {
518 if(Demod.bitCount > 0) {
519 Demod.shiftReg >>= (9 - Demod.bitCount);
520 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
521 Demod.len++;
522 // No parity bit, so just shift a 0
523 Demod.parityBits <<= 1;
524 }
525
526 Demod.state = DEMOD_UNSYNCD;
527 return TRUE;
528 }
529 else {
530 Demod.output[Demod.len] = 0xad;
531 Demod.state = DEMOD_ERROR_WAIT;
532 error = 0x03;
533 }
534 break;
535
536 case DEMOD_ERROR_WAIT:
537 Demod.state = DEMOD_UNSYNCD;
538 break;
539
540 default:
541 Demod.output[Demod.len] = 0xdd;
542 Demod.state = DEMOD_UNSYNCD;
543 break;
544 }
545
546 if(Demod.bitCount>=9) {
547 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
548 Demod.len++;
549
550 Demod.parityBits <<= 1;
551 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
552
553 Demod.bitCount = 0;
554 Demod.shiftReg = 0;
555 }
556
557 /*if(error) {
558 Demod.output[Demod.len] = 0xBB;
559 Demod.len++;
560 Demod.output[Demod.len] = error & 0xFF;
561 Demod.len++;
562 Demod.output[Demod.len] = 0xBB;
563 Demod.len++;
564 Demod.output[Demod.len] = bit & 0xFF;
565 Demod.len++;
566 Demod.output[Demod.len] = Demod.buffer & 0xFF;
567 Demod.len++;
568 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
569 Demod.len++;
570 Demod.output[Demod.len] = 0xBB;
571 Demod.len++;
572 return TRUE;
573 }*/
574
575 }
576
577 } // end (state != UNSYNCED)
578
579 return FALSE;
580 }
581
582 //=============================================================================
583 // Finally, a `sniffer' for ISO 14443 Type A
584 // Both sides of communication!
585 //=============================================================================
586
587 //-----------------------------------------------------------------------------
588 // Record the sequence of commands sent by the reader to the tag, with
589 // triggering so that we start recording at the point that the tag is moved
590 // near the reader.
591 //-----------------------------------------------------------------------------
592 void SnoopIso14443a(void)
593 {
594 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
595 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
596 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
597 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
598 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
599
600 // We won't start recording the frames that we acquire until we trigger;
601 // a good trigger condition to get started is probably when we see a
602 // response from the tag.
603 BOOL triggered = TRUE; // FALSE to wait first for card
604
605 // The command (reader -> tag) that we're receiving.
606 // The length of a received command will in most cases be no more than 18 bytes.
607 // So 32 should be enough!
608 BYTE *receivedCmd = (((BYTE *)BigBuf) + RECV_CMD_OFFSET);
609 // The response (tag -> reader) that we're receiving.
610 BYTE *receivedResponse = (((BYTE *)BigBuf) + RECV_RES_OFFSET);
611
612 // As we receive stuff, we copy it from receivedCmd or receivedResponse
613 // into trace, along with its length and other annotations.
614 //BYTE *trace = (BYTE *)BigBuf;
615 //int traceLen = 0;
616
617 // The DMA buffer, used to stream samples from the FPGA
618 SBYTE *dmaBuf = ((SBYTE *)BigBuf) + DMA_BUFFER_OFFSET;
619 int lastRxCounter;
620 SBYTE *upTo;
621 int smpl;
622 int maxBehindBy = 0;
623
624 // Count of samples received so far, so that we can include timing
625 // information in the trace buffer.
626 int samples = 0;
627 int rsamples = 0;
628
629 memset(trace, 0x44, RECV_CMD_OFFSET);
630
631 // Set up the demodulator for tag -> reader responses.
632 Demod.output = receivedResponse;
633 Demod.len = 0;
634 Demod.state = DEMOD_UNSYNCD;
635
636 // And the reader -> tag commands
637 memset(&Uart, 0, sizeof(Uart));
638 Uart.output = receivedCmd;
639 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
640 Uart.state = STATE_UNSYNCD;
641
642 // And put the FPGA in the appropriate mode
643 // Signal field is off with the appropriate LED
644 LED_D_OFF();
645 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
646 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
647
648 // Setup for the DMA.
649 FpgaSetupSsc();
650 upTo = dmaBuf;
651 lastRxCounter = DMA_BUFFER_SIZE;
652 FpgaSetupSscDma((BYTE *)dmaBuf, DMA_BUFFER_SIZE);
653
654 LED_A_ON();
655
656 // And now we loop, receiving samples.
657 for(;;) {
658 WDT_HIT();
659 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
660 (DMA_BUFFER_SIZE-1);
661 if(behindBy > maxBehindBy) {
662 maxBehindBy = behindBy;
663 if(behindBy > 400) {
664 DbpString("blew circular buffer!");
665 goto done;
666 }
667 }
668 if(behindBy < 1) continue;
669
670 smpl = upTo[0];
671 upTo++;
672 lastRxCounter -= 1;
673 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
674 upTo -= DMA_BUFFER_SIZE;
675 lastRxCounter += DMA_BUFFER_SIZE;
676 AT91C_BASE_PDC_SSC->PDC_RNPR = (DWORD)upTo;
677 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
678 }
679
680 samples += 4;
681 #define HANDLE_BIT_IF_BODY \
682 LED_C_ON(); \
683 if(triggered) { \
684 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
685 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
686 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
687 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
688 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
689 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
690 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
692 trace[traceLen++] = Uart.byteCnt; \
693 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
694 traceLen += Uart.byteCnt; \
695 if(traceLen > TRACE_LENGTH) break; \
696 } \
697 /* And ready to receive another command. */ \
698 Uart.state = STATE_UNSYNCD; \
699 /* And also reset the demod code, which might have been */ \
700 /* false-triggered by the commands from the reader. */ \
701 Demod.state = DEMOD_UNSYNCD; \
702 LED_B_OFF(); \
703
704 if(MillerDecoding((smpl & 0xF0) >> 4)) {
705 rsamples = samples - Uart.samples;
706 HANDLE_BIT_IF_BODY
707 }
708 if(ManchesterDecoding(smpl & 0x0F)) {
709 rsamples = samples - Demod.samples;
710 LED_B_ON();
711
712 // timestamp, as a count of samples
713 trace[traceLen++] = ((rsamples >> 0) & 0xff);
714 trace[traceLen++] = ((rsamples >> 8) & 0xff);
715 trace[traceLen++] = ((rsamples >> 16) & 0xff);
716 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
717 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
718 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
719 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
720 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
721 // length
722 trace[traceLen++] = Demod.len;
723 memcpy(trace+traceLen, receivedResponse, Demod.len);
724 traceLen += Demod.len;
725 if(traceLen > TRACE_LENGTH) break;
726
727 triggered = TRUE;
728
729 // And ready to receive another response.
730 memset(&Demod, 0, sizeof(Demod));
731 Demod.output = receivedResponse;
732 Demod.state = DEMOD_UNSYNCD;
733 LED_C_OFF();
734 }
735
736 if(BUTTON_PRESS()) {
737 DbpString("cancelled_a");
738 goto done;
739 }
740 }
741
742 DbpString("COMMAND FINISHED");
743
744 DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);
745 DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);
746
747 done:
748 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
749 DbpIntegers(maxBehindBy, Uart.state, Uart.byteCnt);
750 DbpIntegers(Uart.byteCntMax, traceLen, (int)Uart.output[0]);
751 LED_A_OFF();
752 LED_B_OFF();
753 LED_C_OFF();
754 LED_D_OFF();
755 }
756
757 // Prepare communication bits to send to FPGA
758 void Sequence(SecType seq)
759 {
760 ToSendMax++;
761 switch(seq) {
762 // CARD TO READER
763 case SEC_D:
764 // Sequence D: 11110000
765 // modulation with subcarrier during first half
766 ToSend[ToSendMax] = 0xf0;
767 break;
768 case SEC_E:
769 // Sequence E: 00001111
770 // modulation with subcarrier during second half
771 ToSend[ToSendMax] = 0x0f;
772 break;
773 case SEC_F:
774 // Sequence F: 00000000
775 // no modulation with subcarrier
776 ToSend[ToSendMax] = 0x00;
777 break;
778 // READER TO CARD
779 case SEC_X:
780 // Sequence X: 00001100
781 // drop after half a period
782 ToSend[ToSendMax] = 0x0c;
783 break;
784 case SEC_Y:
785 default:
786 // Sequence Y: 00000000
787 // no drop
788 ToSend[ToSendMax] = 0x00;
789 break;
790 case SEC_Z:
791 // Sequence Z: 11000000
792 // drop at start
793 ToSend[ToSendMax] = 0xc0;
794 break;
795 }
796 }
797
798 //-----------------------------------------------------------------------------
799 // Prepare tag messages
800 //-----------------------------------------------------------------------------
801 static void CodeIso14443aAsTag(const BYTE *cmd, int len)
802 {
803 int i;
804 int oddparity;
805
806 ToSendReset();
807
808 // Correction bit, might be removed when not needed
809 ToSendStuffBit(0);
810 ToSendStuffBit(0);
811 ToSendStuffBit(0);
812 ToSendStuffBit(0);
813 ToSendStuffBit(1); // 1
814 ToSendStuffBit(0);
815 ToSendStuffBit(0);
816 ToSendStuffBit(0);
817
818 // Send startbit
819 Sequence(SEC_D);
820
821 for(i = 0; i < len; i++) {
822 int j;
823 BYTE b = cmd[i];
824
825 // Data bits
826 oddparity = 0x01;
827 for(j = 0; j < 8; j++) {
828 oddparity ^= (b & 1);
829 if(b & 1) {
830 Sequence(SEC_D);
831 } else {
832 Sequence(SEC_E);
833 }
834 b >>= 1;
835 }
836
837 // Parity bit
838 if(oddparity) {
839 Sequence(SEC_D);
840 } else {
841 Sequence(SEC_E);
842 }
843 }
844
845 // Send stopbit
846 Sequence(SEC_F);
847
848 // Flush the buffer in FPGA!!
849 for(i = 0; i < 5; i++) {
850 Sequence(SEC_F);
851 }
852
853 // Convert from last byte pos to length
854 ToSendMax++;
855
856 // Add a few more for slop
857 ToSend[ToSendMax++] = 0x00;
858 ToSend[ToSendMax++] = 0x00;
859 //ToSendMax += 2;
860 }
861
862 //-----------------------------------------------------------------------------
863 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
864 //-----------------------------------------------------------------------------
865 static void CodeStrangeAnswer()
866 {
867 int i;
868
869 ToSendReset();
870
871 // Correction bit, might be removed when not needed
872 ToSendStuffBit(0);
873 ToSendStuffBit(0);
874 ToSendStuffBit(0);
875 ToSendStuffBit(0);
876 ToSendStuffBit(1); // 1
877 ToSendStuffBit(0);
878 ToSendStuffBit(0);
879 ToSendStuffBit(0);
880
881 // Send startbit
882 Sequence(SEC_D);
883
884 // 0
885 Sequence(SEC_E);
886
887 // 0
888 Sequence(SEC_E);
889
890 // 1
891 Sequence(SEC_D);
892
893 // Send stopbit
894 Sequence(SEC_F);
895
896 // Flush the buffer in FPGA!!
897 for(i = 0; i < 5; i++) {
898 Sequence(SEC_F);
899 }
900
901 // Convert from last byte pos to length
902 ToSendMax++;
903
904 // Add a few more for slop
905 ToSend[ToSendMax++] = 0x00;
906 ToSend[ToSendMax++] = 0x00;
907 //ToSendMax += 2;
908 }
909
910 //-----------------------------------------------------------------------------
911 // Wait for commands from reader
912 // Stop when button is pressed
913 // Or return TRUE when command is captured
914 //-----------------------------------------------------------------------------
915 static BOOL GetIso14443aCommandFromReader(BYTE *received, int *len, int maxLen)
916 {
917 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
918 // only, since we are receiving, not transmitting).
919 // Signal field is off with the appropriate LED
920 LED_D_OFF();
921 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
922
923 // Now run a `software UART' on the stream of incoming samples.
924 Uart.output = received;
925 Uart.byteCntMax = maxLen;
926 Uart.state = STATE_UNSYNCD;
927
928 for(;;) {
929 WDT_HIT();
930
931 if(BUTTON_PRESS()) return FALSE;
932
933 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
934 AT91C_BASE_SSC->SSC_THR = 0x00;
935 }
936 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
937 BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
938 if(MillerDecoding((b & 0xf0) >> 4)) {
939 *len = Uart.byteCnt;
940 return TRUE;
941 }
942 if(MillerDecoding(b & 0x0f)) {
943 *len = Uart.byteCnt;
944 return TRUE;
945 }
946 }
947 }
948 }
949
950 //-----------------------------------------------------------------------------
951 // Main loop of simulated tag: receive commands from reader, decide what
952 // response to send, and send it.
953 //-----------------------------------------------------------------------------
954 void SimulateIso14443aTag(int tagType, int TagUid)
955 {
956 // This function contains the tag emulation
957
958 // Prepare protocol messages
959 // static const BYTE cmd1[] = { 0x26 };
960 // static const BYTE response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
961 //
962 static const BYTE response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
963 // static const BYTE response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
964
965 // UID response
966 // static const BYTE cmd2[] = { 0x93, 0x20 };
967 //static const BYTE response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
968
969
970
971 // my desfire
972 static const BYTE response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
973
974
975 // When reader selects us during cascade1 it will send cmd3
976 //BYTE response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
977 BYTE response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
978 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
979
980 // send cascade2 2nd half of UID
981 static const BYTE response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
982 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
983
984
985 // When reader selects us during cascade2 it will send cmd3a
986 //BYTE response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
987 BYTE response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
988 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
989
990 static const BYTE response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
991
992 BYTE *resp;
993 int respLen;
994
995 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
996 // This will need
997 // 144 data bits (18 * 8)
998 // 18 parity bits
999 // 2 Start and stop
1000 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1001 // 1 just for the case
1002 // ----------- +
1003 // 166
1004 //
1005 // 166 bytes, since every bit that needs to be send costs us a byte
1006 //
1007
1008
1009 // Respond with card type
1010 BYTE *resp1 = (((BYTE *)BigBuf) + 800);
1011 int resp1Len;
1012
1013 // Anticollision cascade1 - respond with uid
1014 BYTE *resp2 = (((BYTE *)BigBuf) + 970);
1015 int resp2Len;
1016
1017 // Anticollision cascade2 - respond with 2nd half of uid if asked
1018 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1019 BYTE *resp2a = (((BYTE *)BigBuf) + 1140);
1020 int resp2aLen;
1021
1022 // Acknowledge select - cascade 1
1023 BYTE *resp3 = (((BYTE *)BigBuf) + 1310);
1024 int resp3Len;
1025
1026 // Acknowledge select - cascade 2
1027 BYTE *resp3a = (((BYTE *)BigBuf) + 1480);
1028 int resp3aLen;
1029
1030 // Response to a read request - not implemented atm
1031 BYTE *resp4 = (((BYTE *)BigBuf) + 1550);
1032 int resp4Len;
1033
1034 // Authenticate response - nonce
1035 BYTE *resp5 = (((BYTE *)BigBuf) + 1720);
1036 int resp5Len;
1037
1038 BYTE *receivedCmd = (BYTE *)BigBuf;
1039 int len;
1040
1041 int i;
1042 int u;
1043 BYTE b;
1044
1045 // To control where we are in the protocol
1046 int order = 0;
1047 int lastorder;
1048
1049 // Just to allow some checks
1050 int happened = 0;
1051 int happened2 = 0;
1052
1053 int cmdsRecvd = 0;
1054
1055 BOOL fdt_indicator;
1056
1057 memset(receivedCmd, 0x44, 400);
1058
1059 // Prepare the responses of the anticollision phase
1060 // there will be not enough time to do this at the moment the reader sends it REQA
1061
1062 // Answer to request
1063 CodeIso14443aAsTag(response1, sizeof(response1));
1064 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1065
1066 // Send our UID (cascade 1)
1067 CodeIso14443aAsTag(response2, sizeof(response2));
1068 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1069
1070 // Answer to select (cascade1)
1071 CodeIso14443aAsTag(response3, sizeof(response3));
1072 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1073
1074 // Send the cascade 2 2nd part of the uid
1075 CodeIso14443aAsTag(response2a, sizeof(response2a));
1076 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1077
1078 // Answer to select (cascade 2)
1079 CodeIso14443aAsTag(response3a, sizeof(response3a));
1080 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1081
1082 // Strange answer is an example of rare message size (3 bits)
1083 CodeStrangeAnswer();
1084 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1085
1086 // Authentication answer (random nonce)
1087 CodeIso14443aAsTag(response5, sizeof(response5));
1088 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1089
1090 // We need to listen to the high-frequency, peak-detected path.
1091 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1092 FpgaSetupSsc();
1093
1094 cmdsRecvd = 0;
1095
1096 LED_A_ON();
1097 for(;;) {
1098
1099 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1100 DbpString("button press");
1101 break;
1102 }
1103 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1104 // Okay, look at the command now.
1105 lastorder = order;
1106 i = 1; // first byte transmitted
1107 if(receivedCmd[0] == 0x26) {
1108 // Received a REQUEST
1109 resp = resp1; respLen = resp1Len; order = 1;
1110 //DbpString("Hello request from reader:");
1111 } else if(receivedCmd[0] == 0x52) {
1112 // Received a WAKEUP
1113 resp = resp1; respLen = resp1Len; order = 6;
1114 // //DbpString("Wakeup request from reader:");
1115
1116 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1117 // Received request for UID (cascade 1)
1118 resp = resp2; respLen = resp2Len; order = 2;
1119 // DbpString("UID (cascade 1) request from reader:");
1120 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1121
1122
1123 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1124 // Received request for UID (cascade 2)
1125 resp = resp2a; respLen = resp2aLen; order = 20;
1126 // DbpString("UID (cascade 2) request from reader:");
1127 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1128
1129
1130 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1131 // Received a SELECT
1132 resp = resp3; respLen = resp3Len; order = 3;
1133 // DbpString("Select (cascade 1) request from reader:");
1134 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1135
1136
1137 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1138 // Received a SELECT
1139 resp = resp3a; respLen = resp3aLen; order = 30;
1140 // DbpString("Select (cascade 2) request from reader:");
1141 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1142
1143
1144 } else if(receivedCmd[0] == 0x30) {
1145 // Received a READ
1146 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1147 DbpString("Read request from reader:");
1148 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1149
1150
1151 } else if(receivedCmd[0] == 0x50) {
1152 // Received a HALT
1153 resp = resp1; respLen = 0; order = 5; // Do nothing
1154 DbpString("Reader requested we HALT!:");
1155
1156 } else if(receivedCmd[0] == 0x60) {
1157 // Received an authentication request
1158 resp = resp5; respLen = resp5Len; order = 7;
1159 DbpString("Authenticate request from reader:");
1160 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1161
1162 } else if(receivedCmd[0] == 0xE0) {
1163 // Received a RATS request
1164 resp = resp1; respLen = 0;order = 70;
1165 DbpString("RATS request from reader:");
1166 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1167 } else {
1168 // Never seen this command before
1169 DbpString("Unknown command received from reader:");
1170 DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1171 DbpIntegers(receivedCmd[3], receivedCmd[4], receivedCmd[5]);
1172 DbpIntegers(receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1173
1174 // Do not respond
1175 resp = resp1; respLen = 0; order = 0;
1176 }
1177
1178 // Count number of wakeups received after a halt
1179 if(order == 6 && lastorder == 5) { happened++; }
1180
1181 // Count number of other messages after a halt
1182 if(order != 6 && lastorder == 5) { happened2++; }
1183
1184 // Look at last parity bit to determine timing of answer
1185 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1186 // 1236, so correction bit needed
1187 i = 0;
1188 }
1189
1190 memset(receivedCmd, 0x44, 32);
1191
1192 if(cmdsRecvd > 999) {
1193 DbpString("1000 commands later...");
1194 break;
1195 }
1196 else {
1197 cmdsRecvd++;
1198 }
1199
1200 if(respLen <= 0) continue;
1201
1202 // Modulate Manchester
1203 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1204 AT91C_BASE_SSC->SSC_THR = 0x00;
1205 FpgaSetupSsc();
1206
1207 // ### Transmit the response ###
1208 u = 0;
1209 b = 0x00;
1210 fdt_indicator = FALSE;
1211 for(;;) {
1212 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1213 volatile BYTE b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1214 (void)b;
1215 }
1216 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1217 if(i > respLen) {
1218 b = 0x00;
1219 u++;
1220 } else {
1221 b = resp[i];
1222 i++;
1223 }
1224 AT91C_BASE_SSC->SSC_THR = b;
1225
1226 if(u > 4) {
1227 break;
1228 }
1229 }
1230 if(BUTTON_PRESS()) {
1231 break;
1232 }
1233 }
1234
1235 }
1236
1237 DbpIntegers(happened, happened2, cmdsRecvd);
1238 LED_A_OFF();
1239 }
1240
1241 //-----------------------------------------------------------------------------
1242 // Transmit the command (to the tag) that was placed in ToSend[].
1243 //-----------------------------------------------------------------------------
1244 static void TransmitFor14443a(const BYTE *cmd, int len, int *samples, int *wait)
1245 {
1246 int c;
1247
1248 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1249
1250 if (wait)
1251 if(*wait < 10)
1252 *wait = 10;
1253
1254 for(c = 0; c < *wait;) {
1255 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1256 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1257 c++;
1258 }
1259 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1260 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1261 (void)r;
1262 }
1263 WDT_HIT();
1264 }
1265
1266 c = 0;
1267 for(;;) {
1268 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1269 AT91C_BASE_SSC->SSC_THR = cmd[c];
1270 c++;
1271 if(c >= len) {
1272 break;
1273 }
1274 }
1275 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1276 volatile DWORD r = AT91C_BASE_SSC->SSC_RHR;
1277 (void)r;
1278 }
1279 WDT_HIT();
1280 }
1281 if (samples) *samples = (c + *wait) << 3;
1282 }
1283
1284 //-----------------------------------------------------------------------------
1285 // To generate an arbitrary stream from reader
1286 //
1287 //-----------------------------------------------------------------------------
1288 void ArbitraryFromReader(const BYTE *cmd, int parity, int len)
1289 {
1290 int i;
1291 int j;
1292 int last;
1293 BYTE b;
1294
1295 ToSendReset();
1296
1297 // Start of Communication (Seq. Z)
1298 Sequence(SEC_Z);
1299 last = 0;
1300
1301 for(i = 0; i < len; i++) {
1302 // Data bits
1303 b = cmd[i];
1304 for(j = 0; j < 8; j++) {
1305 if(b & 1) {
1306 // Sequence X
1307 Sequence(SEC_X);
1308 last = 1;
1309 } else {
1310 if(last == 0) {
1311 // Sequence Z
1312 Sequence(SEC_Z);
1313 }
1314 else {
1315 // Sequence Y
1316 Sequence(SEC_Y);
1317 last = 0;
1318 }
1319 }
1320 b >>= 1;
1321
1322 }
1323
1324 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1325 if(((parity >> (len - i - 1)) & 1)) {
1326 // Sequence X
1327 Sequence(SEC_X);
1328 last = 1;
1329 } else {
1330 if(last == 0) {
1331 // Sequence Z
1332 Sequence(SEC_Z);
1333 }
1334 else {
1335 // Sequence Y
1336 Sequence(SEC_Y);
1337 last = 0;
1338 }
1339 }
1340 }
1341
1342 // End of Communication
1343 if(last == 0) {
1344 // Sequence Z
1345 Sequence(SEC_Z);
1346 }
1347 else {
1348 // Sequence Y
1349 Sequence(SEC_Y);
1350 last = 0;
1351 }
1352 // Sequence Y
1353 Sequence(SEC_Y);
1354
1355 // Just to be sure!
1356 Sequence(SEC_Y);
1357 Sequence(SEC_Y);
1358 Sequence(SEC_Y);
1359
1360 // Convert from last character reference to length
1361 ToSendMax++;
1362 }
1363
1364 //-----------------------------------------------------------------------------
1365 // Code a 7-bit command without parity bit
1366 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1367 //-----------------------------------------------------------------------------
1368 void ShortFrameFromReader(const BYTE bt)
1369 {
1370 int j;
1371 int last;
1372 BYTE b;
1373
1374 ToSendReset();
1375
1376 // Start of Communication (Seq. Z)
1377 Sequence(SEC_Z);
1378 last = 0;
1379
1380 b = bt;
1381 for(j = 0; j < 7; j++) {
1382 if(b & 1) {
1383 // Sequence X
1384 Sequence(SEC_X);
1385 last = 1;
1386 } else {
1387 if(last == 0) {
1388 // Sequence Z
1389 Sequence(SEC_Z);
1390 }
1391 else {
1392 // Sequence Y
1393 Sequence(SEC_Y);
1394 last = 0;
1395 }
1396 }
1397 b >>= 1;
1398 }
1399
1400 // End of Communication
1401 if(last == 0) {
1402 // Sequence Z
1403 Sequence(SEC_Z);
1404 }
1405 else {
1406 // Sequence Y
1407 Sequence(SEC_Y);
1408 last = 0;
1409 }
1410 // Sequence Y
1411 Sequence(SEC_Y);
1412
1413 // Just to be sure!
1414 Sequence(SEC_Y);
1415 Sequence(SEC_Y);
1416 Sequence(SEC_Y);
1417
1418 // Convert from last character reference to length
1419 ToSendMax++;
1420 }
1421
1422 //-----------------------------------------------------------------------------
1423 // Prepare reader command to send to FPGA
1424 //
1425 //-----------------------------------------------------------------------------
1426 void CodeIso14443aAsReaderPar(const BYTE * cmd, int len, DWORD dwParity)
1427 {
1428 int i, j;
1429 int last;
1430 BYTE b;
1431
1432 ToSendReset();
1433
1434 // Start of Communication (Seq. Z)
1435 Sequence(SEC_Z);
1436 last = 0;
1437
1438 // Generate send structure for the data bits
1439 for (i = 0; i < len; i++) {
1440 // Get the current byte to send
1441 b = cmd[i];
1442
1443 for (j = 0; j < 8; j++) {
1444 if (b & 1) {
1445 // Sequence X
1446 Sequence(SEC_X);
1447 last = 1;
1448 } else {
1449 if (last == 0) {
1450 // Sequence Z
1451 Sequence(SEC_Z);
1452 } else {
1453 // Sequence Y
1454 Sequence(SEC_Y);
1455 last = 0;
1456 }
1457 }
1458 b >>= 1;
1459 }
1460
1461 // Get the parity bit
1462 if ((dwParity >> i) & 0x01) {
1463 // Sequence X
1464 Sequence(SEC_X);
1465 last = 1;
1466 } else {
1467 if (last == 0) {
1468 // Sequence Z
1469 Sequence(SEC_Z);
1470 } else {
1471 // Sequence Y
1472 Sequence(SEC_Y);
1473 last = 0;
1474 }
1475 }
1476 }
1477
1478 // End of Communication
1479 if (last == 0) {
1480 // Sequence Z
1481 Sequence(SEC_Z);
1482 } else {
1483 // Sequence Y
1484 Sequence(SEC_Y);
1485 last = 0;
1486 }
1487 // Sequence Y
1488 Sequence(SEC_Y);
1489
1490 // Just to be sure!
1491 Sequence(SEC_Y);
1492 Sequence(SEC_Y);
1493 Sequence(SEC_Y);
1494
1495 // Convert from last character reference to length
1496 ToSendMax++;
1497 }
1498
1499 //-----------------------------------------------------------------------------
1500 // Wait a certain time for tag response
1501 // If a response is captured return TRUE
1502 // If it takes to long return FALSE
1503 //-----------------------------------------------------------------------------
1504 static BOOL GetIso14443aAnswerFromTag(BYTE *receivedResponse, int maxLen, int *samples, int *elapsed) //BYTE *buffer
1505 {
1506 // buffer needs to be 512 bytes
1507 int c;
1508
1509 // Set FPGA mode to "reader listen mode", no modulation (listen
1510 // only, since we are receiving, not transmitting).
1511 // Signal field is on with the appropriate LED
1512 LED_D_ON();
1513 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1514
1515 // Now get the answer from the card
1516 Demod.output = receivedResponse;
1517 Demod.len = 0;
1518 Demod.state = DEMOD_UNSYNCD;
1519
1520 BYTE b;
1521 if (elapsed) *elapsed = 0;
1522
1523 c = 0;
1524 for(;;) {
1525 WDT_HIT();
1526
1527 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1528 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1529 if (elapsed) (*elapsed)++;
1530 }
1531 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1532 if(c < 512) { c++; } else { return FALSE; }
1533 b = (BYTE)AT91C_BASE_SSC->SSC_RHR;
1534 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1535 *samples = ((c - 1) << 3) + 4;
1536 return TRUE;
1537 }
1538 if(ManchesterDecoding(b & 0x0f)) {
1539 *samples = c << 3;
1540 return TRUE;
1541 }
1542 }
1543 }
1544 }
1545
1546 void ReaderTransmitShort(const BYTE* bt)
1547 {
1548 int wait = 0;
1549 int samples = 0;
1550
1551 ShortFrameFromReader(*bt);
1552
1553 // Select the card
1554 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1555
1556 // Store reader command in buffer
1557 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1558 }
1559
1560 void ReaderTransmitPar(BYTE* frame, int len, DWORD par)
1561 {
1562 int wait = 0;
1563 int samples = 0;
1564
1565 // This is tied to other size changes
1566 // BYTE* frame_addr = ((BYTE*)BigBuf) + 2024;
1567 CodeIso14443aAsReaderPar(frame,len,par);
1568
1569 // Select the card
1570 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1571
1572 // Store reader command in buffer
1573 if (tracing) LogTrace(frame,len,0,par,TRUE);
1574 }
1575
1576
1577 void ReaderTransmit(BYTE* frame, int len)
1578 {
1579 // Generate parity and redirect
1580 ReaderTransmitPar(frame,len,GetParity(frame,len));
1581 }
1582
1583 BOOL ReaderReceive(BYTE* receivedAnswer)
1584 {
1585 int samples = 0;
1586 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1587 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1588 return TRUE;
1589 }
1590
1591 //-----------------------------------------------------------------------------
1592 // Read an ISO 14443a tag. Send out commands and store answers.
1593 //
1594 //-----------------------------------------------------------------------------
1595 void ReaderIso14443a(DWORD parameter)
1596 {
1597 // Anticollision
1598 BYTE wupa[] = { 0x52 };
1599 BYTE sel_all[] = { 0x93,0x20 };
1600 BYTE sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1601 BYTE sel_all_c2[] = { 0x95,0x20 };
1602 BYTE sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1603
1604 // Mifare AUTH
1605 BYTE mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1606 // BYTE mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1607
1608 BYTE* receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes
1609 traceLen = 0;
1610
1611 // Setup SSC
1612 FpgaSetupSsc();
1613
1614 // Start from off (no field generated)
1615 // Signal field is off with the appropriate LED
1616 LED_D_OFF();
1617 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1618 SpinDelay(200);
1619
1620 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1621 FpgaSetupSsc();
1622
1623 // Now give it time to spin up.
1624 // Signal field is on with the appropriate LED
1625 LED_D_ON();
1626 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1627 SpinDelay(200);
1628
1629 LED_A_ON();
1630 LED_B_OFF();
1631 LED_C_OFF();
1632
1633 while(traceLen < TRACE_LENGTH)
1634 {
1635 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1636 ReaderTransmitShort(wupa);
1637
1638 // Test if the action was cancelled
1639 if(BUTTON_PRESS()) {
1640 break;
1641 }
1642
1643 // Receive the ATQA
1644 if (!ReaderReceive(receivedAnswer)) continue;
1645
1646 // Transmit SELECT_ALL
1647 ReaderTransmit(sel_all,sizeof(sel_all));
1648
1649 // Receive the UID
1650 if (!ReaderReceive(receivedAnswer)) continue;
1651
1652 // Construct SELECT UID command
1653 // First copy the 5 bytes (Mifare Classic) after the 93 70
1654 memcpy(sel_uid+2,receivedAnswer,5);
1655 // Secondly compute the two CRC bytes at the end
1656 AppendCrc14443a(sel_uid,7);
1657
1658 // Transmit SELECT_UID
1659 ReaderTransmit(sel_uid,sizeof(sel_uid));
1660
1661 // Receive the SAK
1662 if (!ReaderReceive(receivedAnswer)) continue;
1663
1664 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1665 // which case we need to make a cascade 2 request and select - this is a long UID
1666 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1667 if (receivedAnswer[0] &= 0x04)
1668 {
1669 // Transmit SELECT_ALL
1670 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1671
1672 // Receive the UID
1673 if (!ReaderReceive(receivedAnswer)) continue;
1674
1675 // Construct SELECT UID command
1676 memcpy(sel_uid_c2+2,receivedAnswer,5);
1677 // Secondly compute the two CRC bytes at the end
1678 AppendCrc14443a(sel_uid_c2,7);
1679
1680 // Transmit SELECT_UID
1681 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1682
1683 // Receive the SAK
1684 if (!ReaderReceive(receivedAnswer)) continue;
1685 }
1686
1687 // Transmit MIFARE_CLASSIC_AUTH
1688 ReaderTransmit(mf_auth,sizeof(mf_auth));
1689
1690 // Receive the (16 bit) "random" nonce
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 }
1693
1694 // Thats it...
1695 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1696 LEDsoff();
1697 DbpIntegers(rsamples, 0xCC, 0xCC);
1698 DbpString("ready..");
1699 }
1700
1701 //-----------------------------------------------------------------------------
1702 // Read an ISO 14443a tag. Send out commands and store answers.
1703 //
1704 //-----------------------------------------------------------------------------
1705 void ReaderMifare(DWORD parameter)
1706 {
1707
1708 // Anticollision
1709 BYTE wupa[] = { 0x52 };
1710 BYTE sel_all[] = { 0x93,0x20 };
1711 BYTE sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1712
1713 // Mifare AUTH
1714 BYTE mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1715 BYTE mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1716
1717 BYTE* receivedAnswer = (((BYTE *)BigBuf) + 3560); // was 3560 - tied to other size changes
1718 traceLen = 0;
1719 tracing = false;
1720
1721 // Setup SSC
1722 FpgaSetupSsc();
1723
1724 // Start from off (no field generated)
1725 // Signal field is off with the appropriate LED
1726 LED_D_OFF();
1727 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1728 SpinDelay(200);
1729
1730 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1731 FpgaSetupSsc();
1732
1733 // Now give it time to spin up.
1734 // Signal field is on with the appropriate LED
1735 LED_D_ON();
1736 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1737 SpinDelay(200);
1738
1739 LED_A_ON();
1740 LED_B_OFF();
1741 LED_C_OFF();
1742
1743 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1744 ReaderTransmitShort(wupa);
1745 // Receive the ATQA
1746 ReaderReceive(receivedAnswer);
1747 // Transmit SELECT_ALL
1748 ReaderTransmit(sel_all,sizeof(sel_all));
1749 // Receive the UID
1750 ReaderReceive(receivedAnswer);
1751 // Construct SELECT UID command
1752 // First copy the 5 bytes (Mifare Classic) after the 93 70
1753 memcpy(sel_uid+2,receivedAnswer,5);
1754 // Secondly compute the two CRC bytes at the end
1755 AppendCrc14443a(sel_uid,7);
1756
1757 byte_t nt_diff = 0;
1758 LED_A_OFF();
1759 byte_t par = 0;
1760 byte_t par_mask = 0xff;
1761 byte_t par_low = 0;
1762 BOOL led_on = TRUE;
1763
1764 tracing = FALSE;
1765 byte_t nt[4];
1766 byte_t nt_attacked[4];
1767 byte_t par_list[8];
1768 byte_t ks_list[8];
1769 num_to_bytes(parameter,4,nt_attacked);
1770
1771 while(TRUE)
1772 {
1773 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1774 SpinDelay(200);
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1776
1777 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1778 ReaderTransmitShort(wupa);
1779
1780 // Test if the action was cancelled
1781 if(BUTTON_PRESS()) {
1782 break;
1783 }
1784
1785 // Receive the ATQA
1786 if (!ReaderReceive(receivedAnswer)) continue;
1787
1788 // Transmit SELECT_ALL
1789 ReaderTransmit(sel_all,sizeof(sel_all));
1790
1791 // Receive the UID
1792 if (!ReaderReceive(receivedAnswer)) continue;
1793
1794 // Transmit SELECT_UID
1795 ReaderTransmit(sel_uid,sizeof(sel_uid));
1796
1797 // Receive the SAK
1798 if (!ReaderReceive(receivedAnswer)) continue;
1799
1800 // Transmit MIFARE_CLASSIC_AUTH
1801 ReaderTransmit(mf_auth,sizeof(mf_auth));
1802
1803 // Receive the (16 bit) "random" nonce
1804 if (!ReaderReceive(receivedAnswer)) continue;
1805 memcpy(nt,receivedAnswer,4);
1806
1807 // Transmit reader nonce and reader answer
1808 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1809
1810 // Receive 4 bit answer
1811 if (ReaderReceive(receivedAnswer))
1812 {
1813 if (nt_diff == 0)
1814 {
1815 LED_A_ON();
1816 memcpy(nt_attacked,nt,4);
1817 par_mask = 0xf8;
1818 par_low = par & 0x07;
1819 }
1820
1821 if (memcmp(nt,nt_attacked,4) != 0) continue;
1822
1823 led_on = !led_on;
1824 if(led_on) LED_B_ON(); else LED_B_OFF();
1825 par_list[nt_diff] = par;
1826 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1827
1828 // Test if the information is complete
1829 if (nt_diff == 0x07) break;
1830
1831 nt_diff = (nt_diff+1) & 0x07;
1832 mf_nr_ar[3] = nt_diff << 5;
1833 par = par_low;
1834 } else {
1835 if (nt_diff == 0)
1836 {
1837 par++;
1838 } else {
1839 par = (((par>>3)+1) << 3) | par_low;
1840 }
1841 }
1842 }
1843
1844 LogTraceInfo(sel_uid+2,4);
1845 LogTraceInfo(nt,4);
1846 LogTraceInfo(par_list,8);
1847 LogTraceInfo(ks_list,8);
1848
1849 // Thats it...
1850 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1851 LEDsoff();
1852 tracing = TRUE;
1853 }
Proxmark3 GIT tracking
Impressum, Datenschutz