]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bring snooper into line with new command format
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Gerhard de Koning Gans - May 2008
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Routines to support ISO 14443 type A.
9 //-----------------------------------------------------------------------------
10
11 #include "proxmark3.h"
12 #include "apps.h"
13 #include "util.h"
14 #include "string.h"
15
16 #include "iso14443crc.h"
17
18 static uint8_t *trace = (uint8_t *) BigBuf;
19 static int traceLen = 0;
20 static int rsamples = 0;
21 static int tracing = TRUE;
22
23 // CARD TO READER
24 // Sequence D: 11110000 modulation with subcarrier during first half
25 // Sequence E: 00001111 modulation with subcarrier during second half
26 // Sequence F: 00000000 no modulation with subcarrier
27 // READER TO CARD
28 // Sequence X: 00001100 drop after half a period
29 // Sequence Y: 00000000 no drop
30 // Sequence Z: 11000000 drop at start
31 #define SEC_D 0xf0
32 #define SEC_E 0x0f
33 #define SEC_F 0x00
34 #define SEC_X 0x0c
35 #define SEC_Y 0x00
36 #define SEC_Z 0xc0
37
38 static const uint8_t OddByteParity[256] = {
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
44 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
52 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
55 };
56
57 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
58 #define RECV_CMD_OFFSET 3032
59 #define RECV_RES_OFFSET 3096
60 #define DMA_BUFFER_OFFSET 3160
61 #define DMA_BUFFER_SIZE 4096
62 #define TRACE_LENGTH 3000
63
64 //-----------------------------------------------------------------------------
65 // Generate the parity value for a byte sequence
66 //
67 //-----------------------------------------------------------------------------
68 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
69 {
70 int i;
71 uint32_t dwPar = 0;
72
73 // Generate the encrypted data
74 for (i = 0; i < iLen; i++) {
75 // Save the encrypted parity bit
76 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
77 }
78 return dwPar;
79 }
80
81 static void AppendCrc14443a(uint8_t* data, int len)
82 {
83 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
84 }
85
86 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
87 {
88 // Return when trace is full
89 if (traceLen >= TRACE_LENGTH) return FALSE;
90
91 // Trace the random, i'm curious
92 rsamples += iSamples;
93 trace[traceLen++] = ((rsamples >> 0) & 0xff);
94 trace[traceLen++] = ((rsamples >> 8) & 0xff);
95 trace[traceLen++] = ((rsamples >> 16) & 0xff);
96 trace[traceLen++] = ((rsamples >> 24) & 0xff);
97 if (!bReader) {
98 trace[traceLen - 1] |= 0x80;
99 }
100 trace[traceLen++] = ((dwParity >> 0) & 0xff);
101 trace[traceLen++] = ((dwParity >> 8) & 0xff);
102 trace[traceLen++] = ((dwParity >> 16) & 0xff);
103 trace[traceLen++] = ((dwParity >> 24) & 0xff);
104 trace[traceLen++] = iLen;
105 memcpy(trace + traceLen, btBytes, iLen);
106 traceLen += iLen;
107 return TRUE;
108 }
109
110 //-----------------------------------------------------------------------------
111 // The software UART that receives commands from the reader, and its state
112 // variables.
113 //-----------------------------------------------------------------------------
114 static struct {
115 enum {
116 STATE_UNSYNCD,
117 STATE_START_OF_COMMUNICATION,
118 STATE_MILLER_X,
119 STATE_MILLER_Y,
120 STATE_MILLER_Z,
121 STATE_ERROR_WAIT
122 } state;
123 uint16_t shiftReg;
124 int bitCnt;
125 int byteCnt;
126 int byteCntMax;
127 int posCnt;
128 int syncBit;
129 int parityBits;
130 int samples;
131 int highCnt;
132 int bitBuffer;
133 enum {
134 DROP_NONE,
135 DROP_FIRST_HALF,
136 DROP_SECOND_HALF
137 } drop;
138 uint8_t *output;
139 } Uart;
140
141 static int MillerDecoding(int bit)
142 {
143 int error = 0;
144 int bitright;
145
146 if(!Uart.bitBuffer) {
147 Uart.bitBuffer = bit ^ 0xFF0;
148 return FALSE;
149 }
150 else {
151 Uart.bitBuffer <<= 4;
152 Uart.bitBuffer ^= bit;
153 }
154
155 int EOC = FALSE;
156
157 if(Uart.state != STATE_UNSYNCD) {
158 Uart.posCnt++;
159
160 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
161 bit = 0x00;
162 }
163 else {
164 bit = 0x01;
165 }
166 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
167 bitright = 0x00;
168 }
169 else {
170 bitright = 0x01;
171 }
172 if(bit != bitright) { bit = bitright; }
173
174 if(Uart.posCnt == 1) {
175 // measurement first half bitperiod
176 if(!bit) {
177 Uart.drop = DROP_FIRST_HALF;
178 }
179 }
180 else {
181 // measurement second half bitperiod
182 if(!bit & (Uart.drop == DROP_NONE)) {
183 Uart.drop = DROP_SECOND_HALF;
184 }
185 else if(!bit) {
186 // measured a drop in first and second half
187 // which should not be possible
188 Uart.state = STATE_ERROR_WAIT;
189 error = 0x01;
190 }
191
192 Uart.posCnt = 0;
193
194 switch(Uart.state) {
195 case STATE_START_OF_COMMUNICATION:
196 Uart.shiftReg = 0;
197 if(Uart.drop == DROP_SECOND_HALF) {
198 // error, should not happen in SOC
199 Uart.state = STATE_ERROR_WAIT;
200 error = 0x02;
201 }
202 else {
203 // correct SOC
204 Uart.state = STATE_MILLER_Z;
205 }
206 break;
207
208 case STATE_MILLER_Z:
209 Uart.bitCnt++;
210 Uart.shiftReg >>= 1;
211 if(Uart.drop == DROP_NONE) {
212 // logic '0' followed by sequence Y
213 // end of communication
214 Uart.state = STATE_UNSYNCD;
215 EOC = TRUE;
216 }
217 // if(Uart.drop == DROP_FIRST_HALF) {
218 // Uart.state = STATE_MILLER_Z; stay the same
219 // we see a logic '0' }
220 if(Uart.drop == DROP_SECOND_HALF) {
221 // we see a logic '1'
222 Uart.shiftReg |= 0x100;
223 Uart.state = STATE_MILLER_X;
224 }
225 break;
226
227 case STATE_MILLER_X:
228 Uart.shiftReg >>= 1;
229 if(Uart.drop == DROP_NONE) {
230 // sequence Y, we see a '0'
231 Uart.state = STATE_MILLER_Y;
232 Uart.bitCnt++;
233 }
234 if(Uart.drop == DROP_FIRST_HALF) {
235 // Would be STATE_MILLER_Z
236 // but Z does not follow X, so error
237 Uart.state = STATE_ERROR_WAIT;
238 error = 0x03;
239 }
240 if(Uart.drop == DROP_SECOND_HALF) {
241 // We see a '1' and stay in state X
242 Uart.shiftReg |= 0x100;
243 Uart.bitCnt++;
244 }
245 break;
246
247 case STATE_MILLER_Y:
248 Uart.bitCnt++;
249 Uart.shiftReg >>= 1;
250 if(Uart.drop == DROP_NONE) {
251 // logic '0' followed by sequence Y
252 // end of communication
253 Uart.state = STATE_UNSYNCD;
254 EOC = TRUE;
255 }
256 if(Uart.drop == DROP_FIRST_HALF) {
257 // we see a '0'
258 Uart.state = STATE_MILLER_Z;
259 }
260 if(Uart.drop == DROP_SECOND_HALF) {
261 // We see a '1' and go to state X
262 Uart.shiftReg |= 0x100;
263 Uart.state = STATE_MILLER_X;
264 }
265 break;
266
267 case STATE_ERROR_WAIT:
268 // That went wrong. Now wait for at least two bit periods
269 // and try to sync again
270 if(Uart.drop == DROP_NONE) {
271 Uart.highCnt = 6;
272 Uart.state = STATE_UNSYNCD;
273 }
274 break;
275
276 default:
277 Uart.state = STATE_UNSYNCD;
278 Uart.highCnt = 0;
279 break;
280 }
281
282 Uart.drop = DROP_NONE;
283
284 // should have received at least one whole byte...
285 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
286 return TRUE;
287 }
288
289 if(Uart.bitCnt == 9) {
290 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
291 Uart.byteCnt++;
292
293 Uart.parityBits <<= 1;
294 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
295
296 if(EOC) {
297 // when End of Communication received and
298 // all data bits processed..
299 return TRUE;
300 }
301 Uart.bitCnt = 0;
302 }
303
304 /*if(error) {
305 Uart.output[Uart.byteCnt] = 0xAA;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = error & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = 0xAA;
318 Uart.byteCnt++;
319 return TRUE;
320 }*/
321 }
322
323 }
324 else {
325 bit = Uart.bitBuffer & 0xf0;
326 bit >>= 4;
327 bit ^= 0x0F;
328 if(bit) {
329 // should have been high or at least (4 * 128) / fc
330 // according to ISO this should be at least (9 * 128 + 20) / fc
331 if(Uart.highCnt == 8) {
332 // we went low, so this could be start of communication
333 // it turns out to be safer to choose a less significant
334 // syncbit... so we check whether the neighbour also represents the drop
335 Uart.posCnt = 1; // apparently we are busy with our first half bit period
336 Uart.syncBit = bit & 8;
337 Uart.samples = 3;
338 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
339 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
340 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
341 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
343 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
344 Uart.syncBit = 8;
345
346 // the first half bit period is expected in next sample
347 Uart.posCnt = 0;
348 Uart.samples = 3;
349 }
350 }
351 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
352
353 Uart.syncBit <<= 4;
354 Uart.state = STATE_START_OF_COMMUNICATION;
355 Uart.drop = DROP_FIRST_HALF;
356 Uart.bitCnt = 0;
357 Uart.byteCnt = 0;
358 Uart.parityBits = 0;
359 error = 0;
360 }
361 else {
362 Uart.highCnt = 0;
363 }
364 }
365 else {
366 if(Uart.highCnt < 8) {
367 Uart.highCnt++;
368 }
369 }
370 }
371
372 return FALSE;
373 }
374
375 //=============================================================================
376 // ISO 14443 Type A - Manchester
377 //=============================================================================
378
379 static struct {
380 enum {
381 DEMOD_UNSYNCD,
382 DEMOD_START_OF_COMMUNICATION,
383 DEMOD_MANCHESTER_D,
384 DEMOD_MANCHESTER_E,
385 DEMOD_MANCHESTER_F,
386 DEMOD_ERROR_WAIT
387 } state;
388 int bitCount;
389 int posCount;
390 int syncBit;
391 int parityBits;
392 uint16_t shiftReg;
393 int buffer;
394 int buff;
395 int samples;
396 int len;
397 enum {
398 SUB_NONE,
399 SUB_FIRST_HALF,
400 SUB_SECOND_HALF
401 } sub;
402 uint8_t *output;
403 } Demod;
404
405 static int ManchesterDecoding(int v)
406 {
407 int bit;
408 int modulation;
409 int error = 0;
410
411 if(!Demod.buff) {
412 Demod.buff = 1;
413 Demod.buffer = v;
414 return FALSE;
415 }
416 else {
417 bit = Demod.buffer;
418 Demod.buffer = v;
419 }
420
421 if(Demod.state==DEMOD_UNSYNCD) {
422 Demod.output[Demod.len] = 0xfa;
423 Demod.syncBit = 0;
424 //Demod.samples = 0;
425 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
426 if(bit & 0x08) { Demod.syncBit = 0x08; }
427 if(!Demod.syncBit) {
428 if(bit & 0x04) { Demod.syncBit = 0x04; }
429 }
430 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
431 if(!Demod.syncBit) {
432 if(bit & 0x02) { Demod.syncBit = 0x02; }
433 }
434 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
435 if(!Demod.syncBit) {
436 if(bit & 0x01) { Demod.syncBit = 0x01; }
437
438 if(Demod.syncBit & (Demod.buffer & 0x08)) {
439 Demod.syncBit = 0x08;
440
441 // The first half bitperiod is expected in next sample
442 Demod.posCount = 0;
443 Demod.output[Demod.len] = 0xfb;
444 }
445 }
446 else if(bit & 0x01) { Demod.syncBit = 0x01; }
447
448 if(Demod.syncBit) {
449 Demod.len = 0;
450 Demod.state = DEMOD_START_OF_COMMUNICATION;
451 Demod.sub = SUB_FIRST_HALF;
452 Demod.bitCount = 0;
453 Demod.shiftReg = 0;
454 Demod.parityBits = 0;
455 Demod.samples = 0;
456 if(Demod.posCount) {
457 switch(Demod.syncBit) {
458 case 0x08: Demod.samples = 3; break;
459 case 0x04: Demod.samples = 2; break;
460 case 0x02: Demod.samples = 1; break;
461 case 0x01: Demod.samples = 0; break;
462 }
463 }
464 error = 0;
465 }
466 }
467 else {
468 //modulation = bit & Demod.syncBit;
469 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
470
471 Demod.samples += 4;
472
473 if(Demod.posCount==0) {
474 Demod.posCount = 1;
475 if(modulation) {
476 Demod.sub = SUB_FIRST_HALF;
477 }
478 else {
479 Demod.sub = SUB_NONE;
480 }
481 }
482 else {
483 Demod.posCount = 0;
484 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
485 if(Demod.state!=DEMOD_ERROR_WAIT) {
486 Demod.state = DEMOD_ERROR_WAIT;
487 Demod.output[Demod.len] = 0xaa;
488 error = 0x01;
489 }
490 }
491 else if(modulation) {
492 Demod.sub = SUB_SECOND_HALF;
493 }
494
495 switch(Demod.state) {
496 case DEMOD_START_OF_COMMUNICATION:
497 if(Demod.sub == SUB_FIRST_HALF) {
498 Demod.state = DEMOD_MANCHESTER_D;
499 }
500 else {
501 Demod.output[Demod.len] = 0xab;
502 Demod.state = DEMOD_ERROR_WAIT;
503 error = 0x02;
504 }
505 break;
506
507 case DEMOD_MANCHESTER_D:
508 case DEMOD_MANCHESTER_E:
509 if(Demod.sub == SUB_FIRST_HALF) {
510 Demod.bitCount++;
511 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
512 Demod.state = DEMOD_MANCHESTER_D;
513 }
514 else if(Demod.sub == SUB_SECOND_HALF) {
515 Demod.bitCount++;
516 Demod.shiftReg >>= 1;
517 Demod.state = DEMOD_MANCHESTER_E;
518 }
519 else {
520 Demod.state = DEMOD_MANCHESTER_F;
521 }
522 break;
523
524 case DEMOD_MANCHESTER_F:
525 // Tag response does not need to be a complete byte!
526 if(Demod.len > 0 || Demod.bitCount > 0) {
527 if(Demod.bitCount > 0) {
528 Demod.shiftReg >>= (9 - Demod.bitCount);
529 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
530 Demod.len++;
531 // No parity bit, so just shift a 0
532 Demod.parityBits <<= 1;
533 }
534
535 Demod.state = DEMOD_UNSYNCD;
536 return TRUE;
537 }
538 else {
539 Demod.output[Demod.len] = 0xad;
540 Demod.state = DEMOD_ERROR_WAIT;
541 error = 0x03;
542 }
543 break;
544
545 case DEMOD_ERROR_WAIT:
546 Demod.state = DEMOD_UNSYNCD;
547 break;
548
549 default:
550 Demod.output[Demod.len] = 0xdd;
551 Demod.state = DEMOD_UNSYNCD;
552 break;
553 }
554
555 if(Demod.bitCount>=9) {
556 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
557 Demod.len++;
558
559 Demod.parityBits <<= 1;
560 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
561
562 Demod.bitCount = 0;
563 Demod.shiftReg = 0;
564 }
565
566 /*if(error) {
567 Demod.output[Demod.len] = 0xBB;
568 Demod.len++;
569 Demod.output[Demod.len] = error & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = 0xBB;
572 Demod.len++;
573 Demod.output[Demod.len] = bit & 0xFF;
574 Demod.len++;
575 Demod.output[Demod.len] = Demod.buffer & 0xFF;
576 Demod.len++;
577 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
578 Demod.len++;
579 Demod.output[Demod.len] = 0xBB;
580 Demod.len++;
581 return TRUE;
582 }*/
583
584 }
585
586 } // end (state != UNSYNCED)
587
588 return FALSE;
589 }
590
591 //=============================================================================
592 // Finally, a `sniffer' for ISO 14443 Type A
593 // Both sides of communication!
594 //=============================================================================
595
596 //-----------------------------------------------------------------------------
597 // Record the sequence of commands sent by the reader to the tag, with
598 // triggering so that we start recording at the point that the tag is moved
599 // near the reader.
600 //-----------------------------------------------------------------------------
601 void SnoopIso14443a(void)
602 {
603 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
604 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
605 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
606 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
607 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
608
609 // We won't start recording the frames that we acquire until we trigger;
610 // a good trigger condition to get started is probably when we see a
611 // response from the tag.
612 int triggered = TRUE; // FALSE to wait first for card
613
614 // The command (reader -> tag) that we're receiving.
615 // The length of a received command will in most cases be no more than 18 bytes.
616 // So 32 should be enough!
617 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
618 // The response (tag -> reader) that we're receiving.
619 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
620
621 // As we receive stuff, we copy it from receivedCmd or receivedResponse
622 // into trace, along with its length and other annotations.
623 //uint8_t *trace = (uint8_t *)BigBuf;
624 //int traceLen = 0;
625
626 // The DMA buffer, used to stream samples from the FPGA
627 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
628 int lastRxCounter;
629 int8_t *upTo;
630 int smpl;
631 int maxBehindBy = 0;
632
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 int samples = 0;
636 int rsamples = 0;
637
638 memset(trace, 0x44, RECV_CMD_OFFSET);
639
640 // Set up the demodulator for tag -> reader responses.
641 Demod.output = receivedResponse;
642 Demod.len = 0;
643 Demod.state = DEMOD_UNSYNCD;
644
645 // And the reader -> tag commands
646 memset(&Uart, 0, sizeof(Uart));
647 Uart.output = receivedCmd;
648 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
649 Uart.state = STATE_UNSYNCD;
650
651 // And put the FPGA in the appropriate mode
652 // Signal field is off with the appropriate LED
653 LED_D_OFF();
654 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
655 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
656
657 // Setup for the DMA.
658 FpgaSetupSsc();
659 upTo = dmaBuf;
660 lastRxCounter = DMA_BUFFER_SIZE;
661 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
662
663 LED_A_ON();
664
665 // And now we loop, receiving samples.
666 for(;;) {
667 WDT_HIT();
668 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
669 (DMA_BUFFER_SIZE-1);
670 if(behindBy > maxBehindBy) {
671 maxBehindBy = behindBy;
672 if(behindBy > 400) {
673 DbpString("blew circular buffer!");
674 goto done;
675 }
676 }
677 if(behindBy < 1) continue;
678
679 smpl = upTo[0];
680 upTo++;
681 lastRxCounter -= 1;
682 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
683 upTo -= DMA_BUFFER_SIZE;
684 lastRxCounter += DMA_BUFFER_SIZE;
685 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
686 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
687 }
688
689 samples += 4;
690 if(MillerDecoding((smpl & 0xF0) >> 4)) {
691 rsamples = samples - Uart.samples;
692 LED_C_ON();
693 if(triggered) {
694 trace[traceLen++] = ((rsamples >> 0) & 0xff);
695 trace[traceLen++] = ((rsamples >> 8) & 0xff);
696 trace[traceLen++] = ((rsamples >> 16) & 0xff);
697 trace[traceLen++] = ((rsamples >> 24) & 0xff);
698 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
699 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
700 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
701 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
702 trace[traceLen++] = Uart.byteCnt;
703 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
704 traceLen += Uart.byteCnt;
705 if(traceLen > TRACE_LENGTH) break;
706 }
707 /* And ready to receive another command. */
708 Uart.state = STATE_UNSYNCD;
709 /* And also reset the demod code, which might have been */
710 /* false-triggered by the commands from the reader. */
711 Demod.state = DEMOD_UNSYNCD;
712 LED_B_OFF();
713 }
714 if(ManchesterDecoding(smpl & 0x0F)) {
715 rsamples = samples - Demod.samples;
716 LED_B_ON();
717
718 // timestamp, as a count of samples
719 trace[traceLen++] = ((rsamples >> 0) & 0xff);
720 trace[traceLen++] = ((rsamples >> 8) & 0xff);
721 trace[traceLen++] = ((rsamples >> 16) & 0xff);
722 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
723 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
724 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
725 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
726 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
727 // length
728 trace[traceLen++] = Demod.len;
729 memcpy(trace+traceLen, receivedResponse, Demod.len);
730 traceLen += Demod.len;
731 if(traceLen > TRACE_LENGTH) break;
732
733 triggered = TRUE;
734
735 // And ready to receive another response.
736 memset(&Demod, 0, sizeof(Demod));
737 Demod.output = receivedResponse;
738 Demod.state = DEMOD_UNSYNCD;
739 LED_C_OFF();
740 }
741
742 if(BUTTON_PRESS()) {
743 DbpString("cancelled_a");
744 goto done;
745 }
746 }
747
748 DbpString("COMMAND FINISHED");
749
750 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
751 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
752
753 done:
754 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
755 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
756 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
757 LED_A_OFF();
758 LED_B_OFF();
759 LED_C_OFF();
760 LED_D_OFF();
761 }
762
763 //-----------------------------------------------------------------------------
764 // Prepare tag messages
765 //-----------------------------------------------------------------------------
766 static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
767 {
768 int i;
769 int oddparity;
770
771 ToSendReset();
772
773 // Correction bit, might be removed when not needed
774 ToSendStuffBit(0);
775 ToSendStuffBit(0);
776 ToSendStuffBit(0);
777 ToSendStuffBit(0);
778 ToSendStuffBit(1); // 1
779 ToSendStuffBit(0);
780 ToSendStuffBit(0);
781 ToSendStuffBit(0);
782
783 // Send startbit
784 ToSend[++ToSendMax] = SEC_D;
785
786 for(i = 0; i < len; i++) {
787 int j;
788 uint8_t b = cmd[i];
789
790 // Data bits
791 oddparity = 0x01;
792 for(j = 0; j < 8; j++) {
793 oddparity ^= (b & 1);
794 if(b & 1) {
795 ToSend[++ToSendMax] = SEC_D;
796 } else {
797 ToSend[++ToSendMax] = SEC_E;
798 }
799 b >>= 1;
800 }
801
802 // Parity bit
803 if(oddparity) {
804 ToSend[++ToSendMax] = SEC_D;
805 } else {
806 ToSend[++ToSendMax] = SEC_E;
807 }
808 }
809
810 // Send stopbit
811 ToSend[++ToSendMax] = SEC_F;
812
813 // Flush the buffer in FPGA!!
814 for(i = 0; i < 5; i++) {
815 ToSend[++ToSendMax] = SEC_F;
816 }
817
818 // Convert from last byte pos to length
819 ToSendMax++;
820
821 // Add a few more for slop
822 ToSend[ToSendMax++] = 0x00;
823 ToSend[ToSendMax++] = 0x00;
824 //ToSendMax += 2;
825 }
826
827 //-----------------------------------------------------------------------------
828 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
829 //-----------------------------------------------------------------------------
830 static void CodeStrangeAnswer()
831 {
832 int i;
833
834 ToSendReset();
835
836 // Correction bit, might be removed when not needed
837 ToSendStuffBit(0);
838 ToSendStuffBit(0);
839 ToSendStuffBit(0);
840 ToSendStuffBit(0);
841 ToSendStuffBit(1); // 1
842 ToSendStuffBit(0);
843 ToSendStuffBit(0);
844 ToSendStuffBit(0);
845
846 // Send startbit
847 ToSend[++ToSendMax] = SEC_D;
848
849 // 0
850 ToSend[++ToSendMax] = SEC_E;
851
852 // 0
853 ToSend[++ToSendMax] = SEC_E;
854
855 // 1
856 ToSend[++ToSendMax] = SEC_D;
857
858 // Send stopbit
859 ToSend[++ToSendMax] = SEC_F;
860
861 // Flush the buffer in FPGA!!
862 for(i = 0; i < 5; i++) {
863 ToSend[++ToSendMax] = SEC_F;
864 }
865
866 // Convert from last byte pos to length
867 ToSendMax++;
868
869 // Add a few more for slop
870 ToSend[ToSendMax++] = 0x00;
871 ToSend[ToSendMax++] = 0x00;
872 //ToSendMax += 2;
873 }
874
875 //-----------------------------------------------------------------------------
876 // Wait for commands from reader
877 // Stop when button is pressed
878 // Or return TRUE when command is captured
879 //-----------------------------------------------------------------------------
880 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
881 {
882 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
883 // only, since we are receiving, not transmitting).
884 // Signal field is off with the appropriate LED
885 LED_D_OFF();
886 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
887
888 // Now run a `software UART' on the stream of incoming samples.
889 Uart.output = received;
890 Uart.byteCntMax = maxLen;
891 Uart.state = STATE_UNSYNCD;
892
893 for(;;) {
894 WDT_HIT();
895
896 if(BUTTON_PRESS()) return FALSE;
897
898 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
899 AT91C_BASE_SSC->SSC_THR = 0x00;
900 }
901 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
902 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
903 if(MillerDecoding((b & 0xf0) >> 4)) {
904 *len = Uart.byteCnt;
905 return TRUE;
906 }
907 if(MillerDecoding(b & 0x0f)) {
908 *len = Uart.byteCnt;
909 return TRUE;
910 }
911 }
912 }
913 }
914
915 //-----------------------------------------------------------------------------
916 // Main loop of simulated tag: receive commands from reader, decide what
917 // response to send, and send it.
918 //-----------------------------------------------------------------------------
919 void SimulateIso14443aTag(int tagType, int TagUid)
920 {
921 // This function contains the tag emulation
922
923 // Prepare protocol messages
924 // static const uint8_t cmd1[] = { 0x26 };
925 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
926 //
927 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
928 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
929
930 // UID response
931 // static const uint8_t cmd2[] = { 0x93, 0x20 };
932 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
933
934 // my desfire
935 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
936
937
938 // When reader selects us during cascade1 it will send cmd3
939 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
940 uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
941 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
942
943 // send cascade2 2nd half of UID
944 static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
945 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
946
947 // When reader selects us during cascade2 it will send cmd3a
948 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
949 uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
950 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
951
952 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
953
954 uint8_t *resp;
955 int respLen;
956
957 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
958 // This will need
959 // 144 data bits (18 * 8)
960 // 18 parity bits
961 // 2 Start and stop
962 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
963 // 1 just for the case
964 // ----------- +
965 // 166
966 //
967 // 166 bytes, since every bit that needs to be send costs us a byte
968 //
969
970 // Respond with card type
971 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
972 int resp1Len;
973
974 // Anticollision cascade1 - respond with uid
975 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
976 int resp2Len;
977
978 // Anticollision cascade2 - respond with 2nd half of uid if asked
979 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
980 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
981 int resp2aLen;
982
983 // Acknowledge select - cascade 1
984 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
985 int resp3Len;
986
987 // Acknowledge select - cascade 2
988 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
989 int resp3aLen;
990
991 // Response to a read request - not implemented atm
992 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
993 int resp4Len;
994
995 // Authenticate response - nonce
996 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
997 int resp5Len;
998
999 uint8_t *receivedCmd = (uint8_t *)BigBuf;
1000 int len;
1001
1002 int i;
1003 int u;
1004 uint8_t b;
1005
1006 // To control where we are in the protocol
1007 int order = 0;
1008 int lastorder;
1009
1010 // Just to allow some checks
1011 int happened = 0;
1012 int happened2 = 0;
1013
1014 int cmdsRecvd = 0;
1015
1016 int fdt_indicator;
1017
1018 memset(receivedCmd, 0x44, 400);
1019
1020 // Prepare the responses of the anticollision phase
1021 // there will be not enough time to do this at the moment the reader sends it REQA
1022
1023 // Answer to request
1024 CodeIso14443aAsTag(response1, sizeof(response1));
1025 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1026
1027 // Send our UID (cascade 1)
1028 CodeIso14443aAsTag(response2, sizeof(response2));
1029 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1030
1031 // Answer to select (cascade1)
1032 CodeIso14443aAsTag(response3, sizeof(response3));
1033 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1034
1035 // Send the cascade 2 2nd part of the uid
1036 CodeIso14443aAsTag(response2a, sizeof(response2a));
1037 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1038
1039 // Answer to select (cascade 2)
1040 CodeIso14443aAsTag(response3a, sizeof(response3a));
1041 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1042
1043 // Strange answer is an example of rare message size (3 bits)
1044 CodeStrangeAnswer();
1045 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1046
1047 // Authentication answer (random nonce)
1048 CodeIso14443aAsTag(response5, sizeof(response5));
1049 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1050
1051 // We need to listen to the high-frequency, peak-detected path.
1052 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1053 FpgaSetupSsc();
1054
1055 cmdsRecvd = 0;
1056
1057 LED_A_ON();
1058 for(;;) {
1059
1060 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1061 DbpString("button press");
1062 break;
1063 }
1064 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1065 // Okay, look at the command now.
1066 lastorder = order;
1067 i = 1; // first byte transmitted
1068 if(receivedCmd[0] == 0x26) {
1069 // Received a REQUEST
1070 resp = resp1; respLen = resp1Len; order = 1;
1071 //DbpString("Hello request from reader:");
1072 } else if(receivedCmd[0] == 0x52) {
1073 // Received a WAKEUP
1074 resp = resp1; respLen = resp1Len; order = 6;
1075 // //DbpString("Wakeup request from reader:");
1076
1077 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1078 // Received request for UID (cascade 1)
1079 resp = resp2; respLen = resp2Len; order = 2;
1080 // DbpString("UID (cascade 1) request from reader:");
1081 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1082
1083
1084 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1085 // Received request for UID (cascade 2)
1086 resp = resp2a; respLen = resp2aLen; order = 20;
1087 // DbpString("UID (cascade 2) request from reader:");
1088 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1089
1090
1091 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1092 // Received a SELECT
1093 resp = resp3; respLen = resp3Len; order = 3;
1094 // DbpString("Select (cascade 1) request from reader:");
1095 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1096
1097
1098 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1099 // Received a SELECT
1100 resp = resp3a; respLen = resp3aLen; order = 30;
1101 // DbpString("Select (cascade 2) request from reader:");
1102 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1103
1104
1105 } else if(receivedCmd[0] == 0x30) {
1106 // Received a READ
1107 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1108 Dbprintf("Read request from reader: %x %x %x",
1109 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1110
1111
1112 } else if(receivedCmd[0] == 0x50) {
1113 // Received a HALT
1114 resp = resp1; respLen = 0; order = 5; // Do nothing
1115 DbpString("Reader requested we HALT!:");
1116
1117 } else if(receivedCmd[0] == 0x60) {
1118 // Received an authentication request
1119 resp = resp5; respLen = resp5Len; order = 7;
1120 Dbprintf("Authenticate request from reader: %x %x %x",
1121 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1122
1123 } else if(receivedCmd[0] == 0xE0) {
1124 // Received a RATS request
1125 resp = resp1; respLen = 0;order = 70;
1126 Dbprintf("RATS request from reader: %x %x %x",
1127 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1128 } else {
1129 // Never seen this command before
1130 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1131 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1132 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1133 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1134 // Do not respond
1135 resp = resp1; respLen = 0; order = 0;
1136 }
1137
1138 // Count number of wakeups received after a halt
1139 if(order == 6 && lastorder == 5) { happened++; }
1140
1141 // Count number of other messages after a halt
1142 if(order != 6 && lastorder == 5) { happened2++; }
1143
1144 // Look at last parity bit to determine timing of answer
1145 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1146 // 1236, so correction bit needed
1147 i = 0;
1148 }
1149
1150 memset(receivedCmd, 0x44, 32);
1151
1152 if(cmdsRecvd > 999) {
1153 DbpString("1000 commands later...");
1154 break;
1155 }
1156 else {
1157 cmdsRecvd++;
1158 }
1159
1160 if(respLen <= 0) continue;
1161
1162 // Modulate Manchester
1163 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1164 AT91C_BASE_SSC->SSC_THR = 0x00;
1165 FpgaSetupSsc();
1166
1167 // ### Transmit the response ###
1168 u = 0;
1169 b = 0x00;
1170 fdt_indicator = FALSE;
1171 for(;;) {
1172 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1173 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1174 (void)b;
1175 }
1176 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1177 if(i > respLen) {
1178 b = 0x00;
1179 u++;
1180 } else {
1181 b = resp[i];
1182 i++;
1183 }
1184 AT91C_BASE_SSC->SSC_THR = b;
1185
1186 if(u > 4) {
1187 break;
1188 }
1189 }
1190 if(BUTTON_PRESS()) {
1191 break;
1192 }
1193 }
1194
1195 }
1196
1197 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1198 LED_A_OFF();
1199 }
1200
1201 //-----------------------------------------------------------------------------
1202 // Transmit the command (to the tag) that was placed in ToSend[].
1203 //-----------------------------------------------------------------------------
1204 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1205 {
1206 int c;
1207
1208 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1209
1210 if (wait)
1211 if(*wait < 10)
1212 *wait = 10;
1213
1214 for(c = 0; c < *wait;) {
1215 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1216 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1217 c++;
1218 }
1219 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1220 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1221 (void)r;
1222 }
1223 WDT_HIT();
1224 }
1225
1226 c = 0;
1227 for(;;) {
1228 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1229 AT91C_BASE_SSC->SSC_THR = cmd[c];
1230 c++;
1231 if(c >= len) {
1232 break;
1233 }
1234 }
1235 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1236 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1237 (void)r;
1238 }
1239 WDT_HIT();
1240 }
1241 if (samples) *samples = (c + *wait) << 3;
1242 }
1243
1244 //-----------------------------------------------------------------------------
1245 // Code a 7-bit command without parity bit
1246 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1247 //-----------------------------------------------------------------------------
1248 void ShortFrameFromReader(const uint8_t bt)
1249 {
1250 int j;
1251 int last;
1252 uint8_t b;
1253
1254 ToSendReset();
1255
1256 // Start of Communication (Seq. Z)
1257 ToSend[++ToSendMax] = SEC_Z;
1258 last = 0;
1259
1260 b = bt;
1261 for(j = 0; j < 7; j++) {
1262 if(b & 1) {
1263 // Sequence X
1264 ToSend[++ToSendMax] = SEC_X;
1265 last = 1;
1266 } else {
1267 if(last == 0) {
1268 // Sequence Z
1269 ToSend[++ToSendMax] = SEC_Z;
1270 }
1271 else {
1272 // Sequence Y
1273 ToSend[++ToSendMax] = SEC_Y;
1274 last = 0;
1275 }
1276 }
1277 b >>= 1;
1278 }
1279
1280 // End of Communication
1281 if(last == 0) {
1282 // Sequence Z
1283 ToSend[++ToSendMax] = SEC_Z;
1284 }
1285 else {
1286 // Sequence Y
1287 ToSend[++ToSendMax] = SEC_Y;
1288 last = 0;
1289 }
1290 // Sequence Y
1291 ToSend[++ToSendMax] = SEC_Y;
1292
1293 // Just to be sure!
1294 ToSend[++ToSendMax] = SEC_Y;
1295 ToSend[++ToSendMax] = SEC_Y;
1296 ToSend[++ToSendMax] = SEC_Y;
1297
1298 // Convert from last character reference to length
1299 ToSendMax++;
1300 }
1301
1302 //-----------------------------------------------------------------------------
1303 // Prepare reader command to send to FPGA
1304 //
1305 //-----------------------------------------------------------------------------
1306 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1307 {
1308 int i, j;
1309 int last;
1310 uint8_t b;
1311
1312 ToSendReset();
1313
1314 // Start of Communication (Seq. Z)
1315 ToSend[++ToSendMax] = SEC_Z;
1316 last = 0;
1317
1318 // Generate send structure for the data bits
1319 for (i = 0; i < len; i++) {
1320 // Get the current byte to send
1321 b = cmd[i];
1322
1323 for (j = 0; j < 8; j++) {
1324 if (b & 1) {
1325 // Sequence X
1326 ToSend[++ToSendMax] = SEC_X;
1327 last = 1;
1328 } else {
1329 if (last == 0) {
1330 // Sequence Z
1331 ToSend[++ToSendMax] = SEC_Z;
1332 } else {
1333 // Sequence Y
1334 ToSend[++ToSendMax] = SEC_Y;
1335 last = 0;
1336 }
1337 }
1338 b >>= 1;
1339 }
1340
1341 // Get the parity bit
1342 if ((dwParity >> i) & 0x01) {
1343 // Sequence X
1344 ToSend[++ToSendMax] = SEC_X;
1345 last = 1;
1346 } else {
1347 if (last == 0) {
1348 // Sequence Z
1349 ToSend[++ToSendMax] = SEC_Z;
1350 } else {
1351 // Sequence Y
1352 ToSend[++ToSendMax] = SEC_Y;
1353 last = 0;
1354 }
1355 }
1356 }
1357
1358 // End of Communication
1359 if (last == 0) {
1360 // Sequence Z
1361 ToSend[++ToSendMax] = SEC_Z;
1362 } else {
1363 // Sequence Y
1364 ToSend[++ToSendMax] = SEC_Y;
1365 last = 0;
1366 }
1367 // Sequence Y
1368 ToSend[++ToSendMax] = SEC_Y;
1369
1370 // Just to be sure!
1371 ToSend[++ToSendMax] = SEC_Y;
1372 ToSend[++ToSendMax] = SEC_Y;
1373 ToSend[++ToSendMax] = SEC_Y;
1374
1375 // Convert from last character reference to length
1376 ToSendMax++;
1377 }
1378
1379 //-----------------------------------------------------------------------------
1380 // Wait a certain time for tag response
1381 // If a response is captured return TRUE
1382 // If it takes to long return FALSE
1383 //-----------------------------------------------------------------------------
1384 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1385 {
1386 // buffer needs to be 512 bytes
1387 int c;
1388
1389 // Set FPGA mode to "reader listen mode", no modulation (listen
1390 // only, since we are receiving, not transmitting).
1391 // Signal field is on with the appropriate LED
1392 LED_D_ON();
1393 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1394
1395 // Now get the answer from the card
1396 Demod.output = receivedResponse;
1397 Demod.len = 0;
1398 Demod.state = DEMOD_UNSYNCD;
1399
1400 uint8_t b;
1401 if (elapsed) *elapsed = 0;
1402
1403 c = 0;
1404 for(;;) {
1405 WDT_HIT();
1406
1407 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1408 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1409 if (elapsed) (*elapsed)++;
1410 }
1411 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1412 if(c < 512) { c++; } else { return FALSE; }
1413 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1414 if(ManchesterDecoding((b>>4) & 0xf)) {
1415 *samples = ((c - 1) << 3) + 4;
1416 return TRUE;
1417 }
1418 if(ManchesterDecoding(b & 0x0f)) {
1419 *samples = c << 3;
1420 return TRUE;
1421 }
1422 }
1423 }
1424 }
1425
1426 void ReaderTransmitShort(const uint8_t* bt)
1427 {
1428 int wait = 0;
1429 int samples = 0;
1430
1431 ShortFrameFromReader(*bt);
1432
1433 // Select the card
1434 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1435
1436 // Store reader command in buffer
1437 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1438 }
1439
1440 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1441 {
1442 int wait = 0;
1443 int samples = 0;
1444
1445 // This is tied to other size changes
1446 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1447 CodeIso14443aAsReaderPar(frame,len,par);
1448
1449 // Select the card
1450 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1451
1452 // Store reader command in buffer
1453 if (tracing) LogTrace(frame,len,0,par,TRUE);
1454 }
1455
1456
1457 void ReaderTransmit(uint8_t* frame, int len)
1458 {
1459 // Generate parity and redirect
1460 ReaderTransmitPar(frame,len,GetParity(frame,len));
1461 }
1462
1463 int ReaderReceive(uint8_t* receivedAnswer)
1464 {
1465 int samples = 0;
1466 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1467 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1468 return TRUE;
1469 }
1470
1471 //-----------------------------------------------------------------------------
1472 // Read an ISO 14443a tag. Send out commands and store answers.
1473 //
1474 //-----------------------------------------------------------------------------
1475 void ReaderIso14443a(uint32_t parameter)
1476 {
1477 // Anticollision
1478 uint8_t wupa[] = { 0x52 };
1479 uint8_t sel_all[] = { 0x93,0x20 };
1480 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1481 uint8_t sel_all_c2[] = { 0x95,0x20 };
1482 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1483
1484 // Mifare AUTH
1485 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1486 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1487
1488 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1489 traceLen = 0;
1490
1491 // Setup SSC
1492 FpgaSetupSsc();
1493
1494 // Start from off (no field generated)
1495 // Signal field is off with the appropriate LED
1496 LED_D_OFF();
1497 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1498 SpinDelay(200);
1499
1500 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1501
1502 // Now give it time to spin up.
1503 // Signal field is on with the appropriate LED
1504 LED_D_ON();
1505 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1506 SpinDelay(200);
1507
1508 LED_A_ON();
1509 LED_B_OFF();
1510 LED_C_OFF();
1511
1512 while(traceLen < TRACE_LENGTH)
1513 {
1514 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1515 ReaderTransmitShort(wupa);
1516
1517 // Test if the action was cancelled
1518 if(BUTTON_PRESS()) {
1519 break;
1520 }
1521
1522 // Receive the ATQA
1523 if (!ReaderReceive(receivedAnswer)) continue;
1524
1525 // Transmit SELECT_ALL
1526 ReaderTransmit(sel_all,sizeof(sel_all));
1527
1528 // Receive the UID
1529 if (!ReaderReceive(receivedAnswer)) continue;
1530
1531 // Construct SELECT UID command
1532 // First copy the 5 bytes (Mifare Classic) after the 93 70
1533 memcpy(sel_uid+2,receivedAnswer,5);
1534 // Secondly compute the two CRC bytes at the end
1535 AppendCrc14443a(sel_uid,7);
1536
1537 // Transmit SELECT_UID
1538 ReaderTransmit(sel_uid,sizeof(sel_uid));
1539
1540 // Receive the SAK
1541 if (!ReaderReceive(receivedAnswer)) continue;
1542
1543 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1544 // which case we need to make a cascade 2 request and select - this is a long UID
1545 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1546 if (receivedAnswer[0] &= 0x04)
1547 {
1548 // Transmit SELECT_ALL
1549 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1550
1551 // Receive the UID
1552 if (!ReaderReceive(receivedAnswer)) continue;
1553
1554 // Construct SELECT UID command
1555 memcpy(sel_uid_c2+2,receivedAnswer,5);
1556 // Secondly compute the two CRC bytes at the end
1557 AppendCrc14443a(sel_uid_c2,7);
1558
1559 // Transmit SELECT_UID
1560 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1561
1562 // Receive the SAK
1563 if (!ReaderReceive(receivedAnswer)) continue;
1564 }
1565
1566 // Transmit MIFARE_CLASSIC_AUTH
1567 ReaderTransmit(mf_auth,sizeof(mf_auth));
1568
1569 // Receive the (16 bit) "random" nonce
1570 if (!ReaderReceive(receivedAnswer)) continue;
1571 }
1572
1573 // Thats it...
1574 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1575 LEDsoff();
1576 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1577 DbpString("ready..");
1578 }
1579
1580 //-----------------------------------------------------------------------------
1581 // Read an ISO 14443a tag. Send out commands and store answers.
1582 //
1583 //-----------------------------------------------------------------------------
1584 void ReaderMifare(uint32_t parameter)
1585 {
1586
1587 // Anticollision
1588 uint8_t wupa[] = { 0x52 };
1589 uint8_t sel_all[] = { 0x93,0x20 };
1590 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1591
1592 // Mifare AUTH
1593 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1594 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1595
1596 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1597 traceLen = 0;
1598 tracing = false;
1599
1600 // Setup SSC
1601 FpgaSetupSsc();
1602
1603 // Start from off (no field generated)
1604 // Signal field is off with the appropriate LED
1605 LED_D_OFF();
1606 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1607 SpinDelay(200);
1608
1609 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1610
1611 // Now give it time to spin up.
1612 // Signal field is on with the appropriate LED
1613 LED_D_ON();
1614 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1615 SpinDelay(200);
1616
1617 LED_A_ON();
1618 LED_B_OFF();
1619 LED_C_OFF();
1620
1621 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1622 ReaderTransmitShort(wupa);
1623 // Receive the ATQA
1624 ReaderReceive(receivedAnswer);
1625 // Transmit SELECT_ALL
1626 ReaderTransmit(sel_all,sizeof(sel_all));
1627 // Receive the UID
1628 ReaderReceive(receivedAnswer);
1629 // Construct SELECT UID command
1630 // First copy the 5 bytes (Mifare Classic) after the 93 70
1631 memcpy(sel_uid+2,receivedAnswer,5);
1632 // Secondly compute the two CRC bytes at the end
1633 AppendCrc14443a(sel_uid,7);
1634
1635 byte_t nt_diff = 0;
1636 LED_A_OFF();
1637 byte_t par = 0;
1638 byte_t par_mask = 0xff;
1639 byte_t par_low = 0;
1640 int led_on = TRUE;
1641
1642 tracing = FALSE;
1643 byte_t nt[4];
1644 byte_t nt_attacked[4];
1645 byte_t par_list[8];
1646 byte_t ks_list[8];
1647 num_to_bytes(parameter,4,nt_attacked);
1648
1649 while(TRUE)
1650 {
1651 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1652 SpinDelay(200);
1653 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1654
1655 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1656 ReaderTransmitShort(wupa);
1657
1658 // Test if the action was cancelled
1659 if(BUTTON_PRESS()) {
1660 break;
1661 }
1662
1663 // Receive the ATQA
1664 if (!ReaderReceive(receivedAnswer)) continue;
1665
1666 // Transmit SELECT_ALL
1667 ReaderTransmit(sel_all,sizeof(sel_all));
1668
1669 // Receive the UID
1670 if (!ReaderReceive(receivedAnswer)) continue;
1671
1672 // Transmit SELECT_UID
1673 ReaderTransmit(sel_uid,sizeof(sel_uid));
1674
1675 // Receive the SAK
1676 if (!ReaderReceive(receivedAnswer)) continue;
1677
1678 // Transmit MIFARE_CLASSIC_AUTH
1679 ReaderTransmit(mf_auth,sizeof(mf_auth));
1680
1681 // Receive the (16 bit) "random" nonce
1682 if (!ReaderReceive(receivedAnswer)) continue;
1683 memcpy(nt,receivedAnswer,4);
1684
1685 // Transmit reader nonce and reader answer
1686 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1687
1688 // Receive 4 bit answer
1689 if (ReaderReceive(receivedAnswer))
1690 {
1691 if (nt_diff == 0)
1692 {
1693 LED_A_ON();
1694 memcpy(nt_attacked,nt,4);
1695 par_mask = 0xf8;
1696 par_low = par & 0x07;
1697 }
1698
1699 if (memcmp(nt,nt_attacked,4) != 0) continue;
1700
1701 led_on = !led_on;
1702 if(led_on) LED_B_ON(); else LED_B_OFF();
1703 par_list[nt_diff] = par;
1704 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1705
1706 // Test if the information is complete
1707 if (nt_diff == 0x07) break;
1708
1709 nt_diff = (nt_diff+1) & 0x07;
1710 mf_nr_ar[3] = nt_diff << 5;
1711 par = par_low;
1712 } else {
1713 if (nt_diff == 0)
1714 {
1715 par++;
1716 } else {
1717 par = (((par>>3)+1) << 3) | par_low;
1718 }
1719 }
1720 }
1721
1722 LogTrace(sel_uid+2,4,0,GetParity(sel_uid+2,4),TRUE);
1723 LogTrace(nt,4,0,GetParity(nt,4),TRUE);
1724 LogTrace(par_list,8,0,GetParity(par_list,8),TRUE);
1725 LogTrace(ks_list,8,0,GetParity(ks_list,8),TRUE);
1726
1727 // Thats it...
1728 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1729 LEDsoff();
1730 tracing = TRUE;
1731 }
Proxmark3 GIT tracking
Impressum, Datenschutz