]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/appmain.c
projects / proxmark3-svn / blob
? search:


65fc6de6f6ed76faaebd49aa2dce39ab59e90c2f
[proxmark3-svn] / armsrc / appmain.c
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007 (##)
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // The main application code. This is the first thing called after start.c
10 // executes.
11 //-----------------------------------------------------------------------------
12
13 #include <stdarg.h>
14
15 #include "usb_cdc.h"
16 #include "cmd.h"
17 #include "proxmark3.h"
18 #include "apps.h"
19 #include "util.h"
20 #include "printf.h"
21 #include "string.h"
22 #include "legicrf.h"
23 #include "hitag2.h"
24 #include "hitagS.h"
25 #include "lfsampling.h"
26 #include "BigBuf.h"
27 #include "mifareutil.h"
28 #include "pcf7931.h"
29 #ifdef WITH_LCD
30 #include "LCD.h"
31 #endif
32
33 // Craig Young - 14a stand-alone code
34 #ifdef WITH_ISO14443a_StandAlone
35 #include "iso14443a.h"
36 #endif
37
38 //=============================================================================
39 // A buffer where we can queue things up to be sent through the FPGA, for
40 // any purpose (fake tag, as reader, whatever). We go MSB first, since that
41 // is the order in which they go out on the wire.
42 //=============================================================================
43
44 #define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
45 uint8_t ToSend[TOSEND_BUFFER_SIZE];
46 int ToSendMax;
47 static int ToSendBit;
48 struct common_area common_area __attribute__((section(".commonarea")));
49
50 void ToSendReset(void)
51 {
52 ToSendMax = -1;
53 ToSendBit = 8;
54 }
55
56 void ToSendStuffBit(int b)
57 {
58 if(ToSendBit >= 8) {
59 ToSendMax++;
60 ToSend[ToSendMax] = 0;
61 ToSendBit = 0;
62 }
63
64 if(b) {
65 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
66 }
67
68 ToSendBit++;
69
70 if(ToSendMax >= sizeof(ToSend)) {
71 ToSendBit = 0;
72 DbpString("ToSendStuffBit overflowed!");
73 }
74 }
75
76 //=============================================================================
77 // Debug print functions, to go out over USB, to the usual PC-side client.
78 //=============================================================================
79
80 void DbpString(char *str)
81 {
82 byte_t len = strlen(str);
83 cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
84 }
85
86 #if 0
87 void DbpIntegers(int x1, int x2, int x3)
88 {
89 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
90 }
91 #endif
92
93 void Dbprintf(const char *fmt, ...) {
94 // should probably limit size here; oh well, let's just use a big buffer
95 char output_string[128];
96 va_list ap;
97
98 va_start(ap, fmt);
99 kvsprintf(fmt, output_string, 10, ap);
100 va_end(ap);
101
102 DbpString(output_string);
103 }
104
105 // prints HEX & ASCII
106 void Dbhexdump(int len, uint8_t *d, bool bAsci) {
107 int l=0,i;
108 char ascii[9];
109
110 while (len>0) {
111 if (len>8) l=8;
112 else l=len;
113
114 memcpy(ascii,d,l);
115 ascii[l]=0;
116
117 // filter safe ascii
118 for (i=0;i<l;i++)
119 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
120
121 if (bAsci) {
122 Dbprintf("%-8s %*D",ascii,l,d," ");
123 } else {
124 Dbprintf("%*D",l,d," ");
125 }
126
127 len-=8;
128 d+=8;
129 }
130 }
131
132 //-----------------------------------------------------------------------------
133 // Read an ADC channel and block till it completes, then return the result
134 // in ADC units (0 to 1023). Also a routine to average 32 samples and
135 // return that.
136 //-----------------------------------------------------------------------------
137 static int ReadAdc(int ch)
138 {
139 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
140 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
141 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
142 //
143 // The maths are:
144 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
145 //
146 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
147 //
148 // Note: with the "historic" values in the comments above, the error was 34% !!!
149
150 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
151 AT91C_BASE_ADC->ADC_MR =
152 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
153 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
154 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
155
156 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
157 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
158
159 while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {};
160
161 return AT91C_BASE_ADC->ADC_CDR[ch];
162 }
163
164 int AvgAdc(int ch) // was static - merlok
165 {
166 int i;
167 int a = 0;
168
169 for(i = 0; i < 32; i++) {
170 a += ReadAdc(ch);
171 }
172
173 return (a + 15) >> 5;
174 }
175
176 void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
177 {
178 uint8_t i;
179 int adcval = 0, peak = 0;
180
181 /*
182 * Sweeps the useful LF range of the proxmark from
183 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
184 * read the voltage in the antenna, the result left
185 * in the buffer is a graph which should clearly show
186 * the resonating frequency of your LF antenna
187 * ( hopefully around 95 if it is tuned to 125kHz!)
188 */
189
190 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
191 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
192 SpinDelay(50);
193
194 for (i=255; i>=19; i--) {
195 WDT_HIT();
196 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
197 SpinDelay(20);
198 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
199 if (i==95) *vLf125 = adcval; // voltage at 125Khz
200 if (i==89) *vLf134 = adcval; // voltage at 134Khz
201
202 LF_Results[i] = adcval >> 9; // scale int to fit in byte for graphing purposes
203 if(LF_Results[i] > peak) {
204 *peakv = adcval;
205 peak = LF_Results[i];
206 *peakf = i;
207 //ptr = i;
208 }
209 }
210
211 for (i=18; i >= 0; i--) LF_Results[i] = 0;
212
213 return;
214 }
215
216 void MeasureAntennaTuningHfOnly(int *vHf)
217 {
218 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
219 LED_A_ON();
220 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
221 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
222 SpinDelay(20);
223 *vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
224 LED_A_OFF();
225
226 return;
227 }
228
229 void MeasureAntennaTuning(int mode)
230 {
231 uint8_t LF_Results[256] = {0};
232 int peakv = 0, peakf = 0;
233 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
234
235 LED_B_ON();
236
237 if (((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL) && (FpgaGetCurrent() == FPGA_BITSTREAM_HF)) {
238 // Reverse "standard" order if HF already loaded, to avoid unnecessary swap.
239 MeasureAntennaTuningHfOnly(&vHf);
240 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
241 } else {
242 if (mode & FLAG_TUNE_LF) {
243 MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
244 }
245 if (mode & FLAG_TUNE_HF) {
246 MeasureAntennaTuningHfOnly(&vHf);
247 }
248 }
249
250 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
251 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
252 LED_B_OFF();
253 return;
254 }
255
256 void MeasureAntennaTuningHf(void)
257 {
258 int vHf = 0; // in mV
259
260 DbpString("Measuring HF antenna, press button to exit");
261
262 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
263 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
264 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
265
266 for (;;) {
267 SpinDelay(20);
268 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
269
270 Dbprintf("%d mV",vHf);
271 if (BUTTON_PRESS()) break;
272 }
273 DbpString("cancelled");
274
275 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
276
277 }
278
279
280 void ReadMem(int addr)
281 {
282 const uint8_t *data = ((uint8_t *)addr);
283
284 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
285 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
286 }
287
288 /* osimage version information is linked in */
289 extern struct version_information version_information;
290 /* bootrom version information is pointed to from _bootphase1_version_pointer */
291 extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
292 void SendVersion(void)
293 {
294 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
295 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
296
297 /* Try to find the bootrom version information. Expect to find a pointer at
298 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
299 * pointer, then use it.
300 */
301 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
302 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
303 strcat(VersionString, "bootrom version information appears invalid\n");
304 } else {
305 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
306 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
307 }
308
309 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
310 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
311
312 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
313 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
314 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
315 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
316
317 // Send Chip ID and used flash memory
318 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
319 uint32_t compressed_data_section_size = common_area.arg1;
320 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
321 }
322
323 // measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
324 // Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
325 void printUSBSpeed(void)
326 {
327 Dbprintf("USB Speed:");
328 Dbprintf(" Sending USB packets to client...");
329
330 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
331 uint8_t *test_data = BigBuf_get_addr();
332 uint32_t end_time;
333
334 uint32_t start_time = end_time = GetTickCount();
335 uint32_t bytes_transferred = 0;
336
337 LED_B_ON();
338 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
339 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
340 end_time = GetTickCount();
341 bytes_transferred += USB_CMD_DATA_SIZE;
342 }
343 LED_B_OFF();
344
345 Dbprintf(" Time elapsed: %dms", end_time - start_time);
346 Dbprintf(" Bytes transferred: %d", bytes_transferred);
347 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
348 1000 * bytes_transferred / (end_time - start_time));
349
350 }
351
352 /**
353 * Prints runtime information about the PM3.
354 **/
355 void SendStatus(void)
356 {
357 BigBuf_print_status();
358 Fpga_print_status();
359 printConfig(); //LF Sampling config
360 printUSBSpeed();
361 Dbprintf("Various");
362 Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL);
363 Dbprintf(" ToSendMax........%d",ToSendMax);
364 Dbprintf(" ToSendBit........%d",ToSendBit);
365
366 cmd_send(CMD_ACK,1,0,0,0,0);
367 }
368
369 #if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
370
371 #define OPTS 2
372
373 void StandAloneMode()
374 {
375 DbpString("Stand-alone mode! No PC necessary.");
376 // Oooh pretty -- notify user we're in elite samy mode now
377 LED(LED_RED, 200);
378 LED(LED_ORANGE, 200);
379 LED(LED_GREEN, 200);
380 LED(LED_ORANGE, 200);
381 LED(LED_RED, 200);
382 LED(LED_ORANGE, 200);
383 LED(LED_GREEN, 200);
384 LED(LED_ORANGE, 200);
385 LED(LED_RED, 200);
386
387 }
388
389 #endif
390
391
392
393 #ifdef WITH_ISO14443a_StandAlone
394 void StandAloneMode14a()
395 {
396 StandAloneMode();
397 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
398
399 int selected = 0;
400 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
401 int cardRead[OPTS] = {0};
402 uint8_t readUID[10] = {0};
403 uint32_t uid_1st[OPTS]={0};
404 uint32_t uid_2nd[OPTS]={0};
405 uint32_t uid_tmp1 = 0;
406 uint32_t uid_tmp2 = 0;
407 iso14a_card_select_t hi14a_card[OPTS];
408
409 LED(selected + 1, 0);
410
411 for (;;)
412 {
413 usb_poll();
414 WDT_HIT();
415 SpinDelay(300);
416
417 if (iGotoRecord == 1 || cardRead[selected] == 0)
418 {
419 iGotoRecord = 0;
420 LEDsoff();
421 LED(selected + 1, 0);
422 LED(LED_RED2, 0);
423
424 // record
425 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
426 /* need this delay to prevent catching some weird data */
427 SpinDelay(500);
428 /* Code for reading from 14a tag */
429 uint8_t uid[10] ={0};
430 uint32_t cuid;
431 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
432
433 for ( ; ; )
434 {
435 WDT_HIT();
436 if (BUTTON_PRESS()) {
437 if (cardRead[selected]) {
438 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
439 break;
440 }
441 else if (cardRead[(selected+1)%OPTS]) {
442 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
443 selected = (selected+1)%OPTS;
444 break; // playing = 1;
445 }
446 else {
447 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
448 SpinDelay(300);
449 }
450 }
451 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0, true))
452 continue;
453 else
454 {
455 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
456 memcpy(readUID,uid,10*sizeof(uint8_t));
457 uint8_t *dst = (uint8_t *)&uid_tmp1;
458 // Set UID byte order
459 for (int i=0; i<4; i++)
460 dst[i] = uid[3-i];
461 dst = (uint8_t *)&uid_tmp2;
462 for (int i=0; i<4; i++)
463 dst[i] = uid[7-i];
464 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
465 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
466 }
467 else {
468 if (uid_tmp2) {
469 Dbprintf("Bank[%d] received a 7-byte UID",selected);
470 uid_1st[selected] = (uid_tmp1)>>8;
471 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
472 }
473 else {
474 Dbprintf("Bank[%d] received a 4-byte UID",selected);
475 uid_1st[selected] = uid_tmp1;
476 uid_2nd[selected] = uid_tmp2;
477 }
478 break;
479 }
480 }
481 }
482 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
483 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
484 LEDsoff();
485 LED(LED_GREEN, 200);
486 LED(LED_ORANGE, 200);
487 LED(LED_GREEN, 200);
488 LED(LED_ORANGE, 200);
489
490 LEDsoff();
491 LED(selected + 1, 0);
492
493 // Next state is replay:
494 playing = 1;
495
496 cardRead[selected] = 1;
497 }
498 /* MF Classic UID clone */
499 else if (iGotoClone==1)
500 {
501 iGotoClone=0;
502 LEDsoff();
503 LED(selected + 1, 0);
504 LED(LED_ORANGE, 250);
505
506
507 // record
508 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
509
510 // wait for button to be released
511 while(BUTTON_PRESS())
512 {
513 // Delay cloning until card is in place
514 WDT_HIT();
515 }
516 Dbprintf("Starting clone. [Bank: %u]", selected);
517 // need this delay to prevent catching some weird data
518 SpinDelay(500);
519 // Begin clone function here:
520 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
521 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
522 memcpy(c.d.asBytes, data, 16);
523 SendCommand(&c);
524
525 Block read is similar:
526 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
527 We need to imitate that call with blockNo 0 to set a uid.
528
529 The get and set commands are handled in this file:
530 // Work with "magic Chinese" card
531 case CMD_MIFARE_CSETBLOCK:
532 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
533 break;
534 case CMD_MIFARE_CGETBLOCK:
535 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
536 break;
537
538 mfCSetUID provides example logic for UID set workflow:
539 -Read block0 from card in field with MifareCGetBlock()
540 -Configure new values without replacing reserved bytes
541 memcpy(block0, uid, 4); // Copy UID bytes from byte array
542 // Mifare UID BCC
543 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
544 Bytes 5-7 are reserved SAK and ATQA for mifare classic
545 -Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
546 */
547 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
548 // arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
549 MifareCGetBlock(0x3F, 1, 0, oldBlock0);
550 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
551 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
552 playing = 1;
553 }
554 else {
555 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
556 memcpy(newBlock0,oldBlock0,16);
557 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
558
559 newBlock0[0] = uid_1st[selected]>>24;
560 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
561 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
562 newBlock0[3] = 0xFF & (uid_1st[selected]);
563 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
564 // arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
565 MifareCSetBlock(0, 0xFF,0, newBlock0);
566 MifareCGetBlock(0x3F, 1, 0, testBlock0);
567 if (memcmp(testBlock0,newBlock0,16)==0)
568 {
569 DbpString("Cloned successfull!");
570 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
571 playing = 0;
572 iGotoRecord = 1;
573 selected = (selected+1) % OPTS;
574 }
575 else {
576 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
577 playing = 1;
578 }
579 }
580 LEDsoff();
581 LED(selected + 1, 0);
582
583 }
584 // Change where to record (or begin playing)
585 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
586 {
587 LEDsoff();
588 LED(selected + 1, 0);
589
590 // Begin transmitting
591 if (playing)
592 {
593 LED(LED_GREEN, 0);
594 DbpString("Playing");
595 for ( ; ; ) {
596 WDT_HIT();
597 int button_action = BUTTON_HELD(1000);
598 if (button_action == 0) { // No button action, proceed with sim
599 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
600 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
601 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
602 DbpString("Mifare Classic");
603 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
604 }
605 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
606 DbpString("Mifare Ultralight");
607 SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
608 }
609 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
610 DbpString("Mifare DESFire");
611 SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
612 }
613 else {
614 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
615 SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
616 }
617 }
618 else if (button_action == BUTTON_SINGLE_CLICK) {
619 selected = (selected + 1) % OPTS;
620 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
621 iGotoRecord = 1;
622 break;
623 }
624 else if (button_action == BUTTON_HOLD) {
625 Dbprintf("Playtime over. Begin cloning...");
626 iGotoClone = 1;
627 break;
628 }
629 WDT_HIT();
630 }
631
632 /* We pressed a button so ignore it here with a delay */
633 SpinDelay(300);
634 LEDsoff();
635 LED(selected + 1, 0);
636 }
637 else
638 while(BUTTON_PRESS())
639 WDT_HIT();
640 }
641 }
642 }
643 #elif WITH_LF
644 // samy's sniff and repeat routine
645 void SamyRun()
646 {
647 StandAloneMode();
648 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
649
650 int high[OPTS], low[OPTS];
651 int selected = 0;
652 int playing = 0;
653 int cardRead = 0;
654
655 // Turn on selected LED
656 LED(selected + 1, 0);
657
658 for (;;)
659 {
660 usb_poll();
661 WDT_HIT();
662
663 // Was our button held down or pressed?
664 int button_pressed = BUTTON_HELD(1000);
665 SpinDelay(300);
666
667 // Button was held for a second, begin recording
668 if (button_pressed > 0 && cardRead == 0)
669 {
670 LEDsoff();
671 LED(selected + 1, 0);
672 LED(LED_RED2, 0);
673
674 // record
675 DbpString("Starting recording");
676
677 // wait for button to be released
678 while(BUTTON_PRESS())
679 WDT_HIT();
680
681 /* need this delay to prevent catching some weird data */
682 SpinDelay(500);
683
684 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
685 Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);
686
687 LEDsoff();
688 LED(selected + 1, 0);
689 // Finished recording
690
691 // If we were previously playing, set playing off
692 // so next button push begins playing what we recorded
693 playing = 0;
694
695 cardRead = 1;
696
697 }
698
699 else if (button_pressed > 0 && cardRead == 1)
700 {
701 LEDsoff();
702 LED(selected + 1, 0);
703 LED(LED_ORANGE, 0);
704
705 // record
706 Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);
707
708 // wait for button to be released
709 while(BUTTON_PRESS())
710 WDT_HIT();
711
712 /* need this delay to prevent catching some weird data */
713 SpinDelay(500);
714
715 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
716 Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);
717
718 LEDsoff();
719 LED(selected + 1, 0);
720 // Finished recording
721
722 // If we were previously playing, set playing off
723 // so next button push begins playing what we recorded
724 playing = 0;
725
726 cardRead = 0;
727
728 }
729
730 // Change where to record (or begin playing)
731 else if (button_pressed)
732 {
733 // Next option if we were previously playing
734 if (playing)
735 selected = (selected + 1) % OPTS;
736 playing = !playing;
737
738 LEDsoff();
739 LED(selected + 1, 0);
740
741 // Begin transmitting
742 if (playing)
743 {
744 LED(LED_GREEN, 0);
745 DbpString("Playing");
746 // wait for button to be released
747 while(BUTTON_PRESS())
748 WDT_HIT();
749 Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
750 CmdHIDsimTAG(high[selected], low[selected], 0);
751 DbpString("Done playing");
752 if (BUTTON_HELD(1000) > 0)
753 {
754 DbpString("Exiting");
755 LEDsoff();
756 return;
757 }
758
759 /* We pressed a button so ignore it here with a delay */
760 SpinDelay(300);
761
762 // when done, we're done playing, move to next option
763 selected = (selected + 1) % OPTS;
764 playing = !playing;
765 LEDsoff();
766 LED(selected + 1, 0);
767 }
768 else
769 while(BUTTON_PRESS())
770 WDT_HIT();
771 }
772 }
773 }
774
775 #endif
776 /*
777 OBJECTIVE
778 Listen and detect an external reader. Determine the best location
779 for the antenna.
780
781 INSTRUCTIONS:
782 Inside the ListenReaderField() function, there is two mode.
783 By default, when you call the function, you will enter mode 1.
784 If you press the PM3 button one time, you will enter mode 2.
785 If you press the PM3 button a second time, you will exit the function.
786
787 DESCRIPTION OF MODE 1:
788 This mode just listens for an external reader field and lights up green
789 for HF and/or red for LF. This is the original mode of the detectreader
790 function.
791
792 DESCRIPTION OF MODE 2:
793 This mode will visually represent, using the LEDs, the actual strength of the
794 current compared to the maximum current detected. Basically, once you know
795 what kind of external reader is present, it will help you spot the best location to place
796 your antenna. You will probably not get some good results if there is a LF and a HF reader
797 at the same place! :-)
798
799 LIGHT SCHEME USED:
800 */
801 static const char LIGHT_SCHEME[] = {
802 0x0, /* ---- | No field detected */
803 0x1, /* X--- | 14% of maximum current detected */
804 0x2, /* -X-- | 29% of maximum current detected */
805 0x4, /* --X- | 43% of maximum current detected */
806 0x8, /* ---X | 57% of maximum current detected */
807 0xC, /* --XX | 71% of maximum current detected */
808 0xE, /* -XXX | 86% of maximum current detected */
809 0xF, /* XXXX | 100% of maximum current detected */
810 };
811 static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
812
813 void ListenReaderField(int limit)
814 {
815 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
816 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
817 int mode=1, display_val, display_max, i;
818
819 #define LF_ONLY 1
820 #define HF_ONLY 2
821 #define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
822
823
824 // switch off FPGA - we don't want to measure our own signal
825 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
826 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
827
828 LEDsoff();
829
830 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
831
832 if(limit != HF_ONLY) {
833 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
834 lf_baseline = lf_av;
835 }
836
837 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
838
839 if (limit != LF_ONLY) {
840 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
841 hf_baseline = hf_av;
842 }
843
844 for(;;) {
845 if (BUTTON_PRESS()) {
846 SpinDelay(500);
847 switch (mode) {
848 case 1:
849 mode=2;
850 DbpString("Signal Strength Mode");
851 break;
852 case 2:
853 default:
854 DbpString("Stopped");
855 LEDsoff();
856 return;
857 break;
858 }
859 }
860 WDT_HIT();
861
862 if (limit != HF_ONLY) {
863 if(mode == 1) {
864 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
865 LED_D_ON();
866 else
867 LED_D_OFF();
868 }
869
870 lf_av_new = AvgAdc(ADC_CHAN_LF);
871 // see if there's a significant change
872 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
873 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
874 lf_av = lf_av_new;
875 if (lf_av > lf_max)
876 lf_max = lf_av;
877 }
878 }
879
880 if (limit != LF_ONLY) {
881 if (mode == 1){
882 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
883 LED_B_ON();
884 else
885 LED_B_OFF();
886 }
887
888 hf_av_new = AvgAdc(ADC_CHAN_HF);
889 // see if there's a significant change
890 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
891 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
892 hf_av = hf_av_new;
893 if (hf_av > hf_max)
894 hf_max = hf_av;
895 }
896 }
897
898 if(mode == 2) {
899 if (limit == LF_ONLY) {
900 display_val = lf_av;
901 display_max = lf_max;
902 } else if (limit == HF_ONLY) {
903 display_val = hf_av;
904 display_max = hf_max;
905 } else { /* Pick one at random */
906 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
907 display_val = hf_av;
908 display_max = hf_max;
909 } else {
910 display_val = lf_av;
911 display_max = lf_max;
912 }
913 }
914 for (i=0; i<LIGHT_LEN; i++) {
915 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
916 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
917 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
918 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
919 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
920 break;
921 }
922 }
923 }
924 }
925 }
926
927 void UsbPacketReceived(uint8_t *packet, int len)
928 {
929 UsbCommand *c = (UsbCommand *)packet;
930
931 // Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
932
933 switch(c->cmd) {
934 #ifdef WITH_LF
935 case CMD_SET_LF_SAMPLING_CONFIG:
936 setSamplingConfig((sample_config *) c->d.asBytes);
937 break;
938 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
939 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
940 break;
941 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
942 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
943 break;
944 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
945 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
946 break;
947 case CMD_HID_DEMOD_FSK:
948 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
949 break;
950 case CMD_HID_SIM_TAG:
951 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
952 break;
953 case CMD_FSK_SIM_TAG:
954 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
955 break;
956 case CMD_ASK_SIM_TAG:
957 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
958 break;
959 case CMD_PSK_SIM_TAG:
960 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
961 break;
962 case CMD_HID_CLONE_TAG:
963 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
964 break;
965 case CMD_IO_DEMOD_FSK:
966 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
967 break;
968 case CMD_IO_CLONE_TAG:
969 CopyIOtoT55x7(c->arg[0], c->arg[1]);
970 break;
971 case CMD_EM410X_DEMOD:
972 CmdEM410xdemod(c->arg[0], 0, 0, 1);
973 break;
974 case CMD_EM410X_WRITE_TAG:
975 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
976 break;
977 case CMD_READ_TI_TYPE:
978 ReadTItag();
979 break;
980 case CMD_WRITE_TI_TYPE:
981 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
982 break;
983 case CMD_SIMULATE_TAG_125K:
984 LED_A_ON();
985 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
986 LED_A_OFF();
987 break;
988 case CMD_LF_SIMULATE_BIDIR:
989 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
990 break;
991 case CMD_INDALA_CLONE_TAG:
992 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
993 break;
994 case CMD_INDALA_CLONE_TAG_L:
995 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
996 break;
997 case CMD_T55XX_READ_BLOCK:
998 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
999 break;
1000 case CMD_T55XX_WRITE_BLOCK:
1001 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1002 break;
1003 case CMD_T55XX_WAKEUP:
1004 T55xxWakeUp(c->arg[0]);
1005 break;
1006 case CMD_T55XX_RESET_READ:
1007 T55xxResetRead();
1008 break;
1009 case CMD_PCF7931_READ:
1010 ReadPCF7931();
1011 break;
1012 case CMD_PCF7931_WRITE:
1013 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
1014 break;
1015 case CMD_EM4X_READ_WORD:
1016 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1017 break;
1018 case CMD_EM4X_WRITE_WORD:
1019 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1020 break;
1021 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1022 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
1023 break;
1024 case CMD_VIKING_CLONE_TAG:
1025 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1026 break;
1027 case CMD_COTAG:
1028 Cotag(c->arg[0]);
1029 break;
1030 #endif
1031
1032 #ifdef WITH_HITAG
1033 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1034 SnoopHitag(c->arg[0]);
1035 break;
1036 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1037 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1038 break;
1039 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1040 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1041 break;
1042 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1043 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1044 break;
1045 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1046 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1047 break;
1048 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1049 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1050 break;
1051 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1052 if ((hitag_function)c->arg[0] < 10) {
1053 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1054 }
1055 else if ((hitag_function)c->arg[0] >= 10) {
1056 WriterHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes, c->arg[2]);
1057 }
1058 break;
1059 #endif
1060
1061 #ifdef WITH_ISO15693
1062 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1063 AcquireRawAdcSamplesIso15693();
1064 break;
1065 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1066 RecordRawAdcSamplesIso15693();
1067 break;
1068
1069 case CMD_ISO_15693_COMMAND:
1070 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1071 break;
1072
1073 case CMD_ISO_15693_FIND_AFI:
1074 BruteforceIso15693Afi(c->arg[0]);
1075 break;
1076
1077 case CMD_ISO_15693_DEBUG:
1078 SetDebugIso15693(c->arg[0]);
1079 break;
1080
1081 case CMD_READER_ISO_15693:
1082 ReaderIso15693(c->arg[0]);
1083 break;
1084 case CMD_SIMTAG_ISO_15693:
1085 SimTagIso15693(c->arg[0], c->d.asBytes);
1086 break;
1087 #endif
1088
1089 #ifdef WITH_LEGICRF
1090 case CMD_SIMULATE_TAG_LEGIC_RF:
1091 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1092 break;
1093
1094 case CMD_WRITER_LEGIC_RF:
1095 LegicRfWriter(c->arg[1], c->arg[0]);
1096 break;
1097
1098 case CMD_READER_LEGIC_RF:
1099 LegicRfReader(c->arg[0], c->arg[1]);
1100 break;
1101 #endif
1102
1103 #ifdef WITH_ISO14443b
1104 case CMD_READ_SRI512_TAG:
1105 ReadSTMemoryIso14443b(0x0F);
1106 break;
1107 case CMD_READ_SRIX4K_TAG:
1108 ReadSTMemoryIso14443b(0x7F);
1109 break;
1110 case CMD_SNOOP_ISO_14443B:
1111 SnoopIso14443b();
1112 break;
1113 case CMD_SIMULATE_TAG_ISO_14443B:
1114 SimulateIso14443bTag();
1115 break;
1116 case CMD_ISO_14443B_COMMAND:
1117 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1118 break;
1119 #endif
1120
1121 #ifdef WITH_ISO14443a
1122 case CMD_SNOOP_ISO_14443a:
1123 SnoopIso14443a(c->arg[0]);
1124 break;
1125 case CMD_READER_ISO_14443a:
1126 ReaderIso14443a(c);
1127 break;
1128 case CMD_SIMULATE_TAG_ISO_14443a:
1129 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
1130 break;
1131
1132 case CMD_EPA_PACE_COLLECT_NONCE:
1133 EPA_PACE_Collect_Nonce(c);
1134 break;
1135 case CMD_EPA_PACE_REPLAY:
1136 EPA_PACE_Replay(c);
1137 break;
1138
1139 case CMD_READER_MIFARE:
1140 ReaderMifare(c->arg[0]);
1141 break;
1142 case CMD_MIFARE_READBL:
1143 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1144 break;
1145 case CMD_MIFAREU_READBL:
1146 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
1147 break;
1148 case CMD_MIFAREUC_AUTH:
1149 MifareUC_Auth(c->arg[0],c->d.asBytes);
1150 break;
1151 case CMD_MIFAREU_READCARD:
1152 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1153 break;
1154 case CMD_MIFAREUC_SETPWD:
1155 MifareUSetPwd(c->arg[0], c->d.asBytes);
1156 break;
1157 case CMD_MIFARE_READSC:
1158 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1159 break;
1160 case CMD_MIFARE_WRITEBL:
1161 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1162 break;
1163 //case CMD_MIFAREU_WRITEBL_COMPAT:
1164 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1165 //break;
1166 case CMD_MIFAREU_WRITEBL:
1167 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
1168 break;
1169 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1170 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1171 break;
1172 case CMD_MIFARE_NESTED:
1173 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1174 break;
1175 case CMD_MIFARE_CHKKEYS:
1176 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1177 break;
1178 case CMD_SIMULATE_MIFARE_CARD:
1179 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1180 break;
1181
1182 // emulator
1183 case CMD_MIFARE_SET_DBGMODE:
1184 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1185 break;
1186 case CMD_MIFARE_EML_MEMCLR:
1187 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1188 break;
1189 case CMD_MIFARE_EML_MEMSET:
1190 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1191 break;
1192 case CMD_MIFARE_EML_MEMGET:
1193 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1194 break;
1195 case CMD_MIFARE_EML_CARDLOAD:
1196 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1197 break;
1198
1199 // Work with "magic Chinese" card
1200 case CMD_MIFARE_CWIPE:
1201 MifareCWipe(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1202 break;
1203 case CMD_MIFARE_CSETBLOCK:
1204 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1205 break;
1206 case CMD_MIFARE_CGETBLOCK:
1207 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1208 break;
1209 case CMD_MIFARE_CIDENT:
1210 MifareCIdent();
1211 break;
1212
1213 // mifare sniffer
1214 case CMD_MIFARE_SNIFFER:
1215 SniffMifare(c->arg[0]);
1216 break;
1217
1218 #endif
1219
1220 #ifdef WITH_ICLASS
1221 // Makes use of ISO14443a FPGA Firmware
1222 case CMD_SNOOP_ICLASS:
1223 SnoopIClass();
1224 break;
1225 case CMD_SIMULATE_TAG_ICLASS:
1226 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1227 break;
1228 case CMD_READER_ICLASS:
1229 ReaderIClass(c->arg[0]);
1230 break;
1231 case CMD_READER_ICLASS_REPLAY:
1232 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
1233 break;
1234 case CMD_ICLASS_EML_MEMSET:
1235 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1236 break;
1237 case CMD_ICLASS_WRITEBLOCK:
1238 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1239 break;
1240 case CMD_ICLASS_READCHECK: // auth step 1
1241 iClass_ReadCheck(c->arg[0], c->arg[1]);
1242 break;
1243 case CMD_ICLASS_READBLOCK:
1244 iClass_ReadBlk(c->arg[0]);
1245 break;
1246 case CMD_ICLASS_AUTHENTICATION: //check
1247 iClass_Authentication(c->d.asBytes);
1248 break;
1249 case CMD_ICLASS_DUMP:
1250 iClass_Dump(c->arg[0], c->arg[1]);
1251 break;
1252 case CMD_ICLASS_CLONE:
1253 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1254 break;
1255 #endif
1256 #ifdef WITH_HFSNOOP
1257 case CMD_HF_SNIFFER:
1258 HfSnoop(c->arg[0], c->arg[1]);
1259 break;
1260 #endif
1261
1262 case CMD_BUFF_CLEAR:
1263 BigBuf_Clear();
1264 break;
1265
1266 case CMD_MEASURE_ANTENNA_TUNING:
1267 MeasureAntennaTuning(c->arg[0]);
1268 break;
1269
1270 case CMD_MEASURE_ANTENNA_TUNING_HF:
1271 MeasureAntennaTuningHf();
1272 break;
1273
1274 case CMD_LISTEN_READER_FIELD:
1275 ListenReaderField(c->arg[0]);
1276 break;
1277
1278 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1279 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1280 SpinDelay(200);
1281 LED_D_OFF(); // LED D indicates field ON or OFF
1282 break;
1283
1284 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
1285
1286 LED_B_ON();
1287 uint8_t *BigBuf = BigBuf_get_addr();
1288 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1289 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
1290 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1291 }
1292 // Trigger a finish downloading signal with an ACK frame
1293 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
1294 LED_B_OFF();
1295 break;
1296
1297 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
1298 // iceman; since changing fpga_bitstreams clears bigbuff, Its better to call it before.
1299 // to be able to use this one for uploading data to device
1300 // arg1 = 0 upload for LF usage
1301 // 1 upload for HF usage
1302 if (c->arg[1] == 0)
1303 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1304 else
1305 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1306
1307 uint8_t *b = BigBuf_get_addr();
1308 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1309 cmd_send(CMD_ACK,0,0,0,0,0);
1310 break;
1311 }
1312 case CMD_READ_MEM:
1313 ReadMem(c->arg[0]);
1314 break;
1315
1316 case CMD_SET_LF_DIVISOR:
1317 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1318 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1319 break;
1320
1321 case CMD_SET_ADC_MUX:
1322 switch(c->arg[0]) {
1323 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1324 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1325 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1326 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1327 }
1328 break;
1329
1330 case CMD_VERSION:
1331 SendVersion();
1332 break;
1333 case CMD_STATUS:
1334 SendStatus();
1335 break;
1336 case CMD_PING:
1337 cmd_send(CMD_ACK,0,0,0,0,0);
1338 break;
1339 #ifdef WITH_LCD
1340 case CMD_LCD_RESET:
1341 LCDReset();
1342 break;
1343 case CMD_LCD:
1344 LCDSend(c->arg[0]);
1345 break;
1346 #endif
1347 case CMD_SETUP_WRITE:
1348 case CMD_FINISH_WRITE:
1349 case CMD_HARDWARE_RESET:
1350 usb_disable();
1351 SpinDelay(1000);
1352 SpinDelay(1000);
1353 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1354 for(;;) {
1355 // We're going to reset, and the bootrom will take control.
1356 }
1357 break;
1358
1359 case CMD_START_FLASH:
1360 if(common_area.flags.bootrom_present) {
1361 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1362 }
1363 usb_disable();
1364 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1365 for(;;);
1366 break;
1367
1368 case CMD_DEVICE_INFO: {
1369 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1370 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1371 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1372 break;
1373 }
1374 default:
1375 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1376 break;
1377 }
1378 }
1379
1380 void __attribute__((noreturn)) AppMain(void)
1381 {
1382 SpinDelay(100);
1383 clear_trace();
1384 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1385 /* Initialize common area */
1386 memset(&common_area, 0, sizeof(common_area));
1387 common_area.magic = COMMON_AREA_MAGIC;
1388 common_area.version = 1;
1389 }
1390 common_area.flags.osimage_present = 1;
1391
1392 LED_D_OFF();
1393 LED_C_OFF();
1394 LED_B_OFF();
1395 LED_A_OFF();
1396
1397 // Init USB device
1398 usb_enable();
1399
1400 // The FPGA gets its clock from us from PCK0 output, so set that up.
1401 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1402 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1403 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1404 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1405 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1406 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
1407 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1408
1409 // Reset SPI
1410 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1411 // Reset SSC
1412 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1413
1414 // Load the FPGA image, which we have stored in our flash.
1415 // (the HF version by default)
1416 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
1417
1418 StartTickCount();
1419
1420 #ifdef WITH_LCD
1421 LCDInit();
1422 #endif
1423
1424 byte_t rx[sizeof(UsbCommand)];
1425 size_t rx_len;
1426
1427 for(;;) {
1428 if (usb_poll()) {
1429 rx_len = usb_read(rx,sizeof(UsbCommand));
1430 if (rx_len) {
1431 UsbPacketReceived(rx,rx_len);
1432 }
1433 }
1434 WDT_HIT();
1435
1436 #ifdef WITH_LF
1437 #ifndef WITH_ISO14443a_StandAlone
1438 if (BUTTON_HELD(1000) > 0)
1439 SamyRun();
1440 #endif
1441 #endif
1442 #ifdef WITH_ISO14443a
1443 #ifdef WITH_ISO14443a_StandAlone
1444 if (BUTTON_HELD(1000) > 0)
1445 StandAloneMode14a();
1446 #endif
1447 #endif
1448 }
1449 }
Proxmark3 GIT tracking
Impressum, Datenschutz