]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitagS.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
usb communication (device side) refactoring
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include "hitagS.h"
16
17 #include <stdlib.h>
18 #include "proxmark3.h"
19 #include "apps.h"
20 #include "usb_cdc.h"
21 #include "util.h"
22 #include "hitag.h"
23 #include "string.h"
24 #include "BigBuf.h"
25 #include "fpgaloader.h"
26
27 #define CRC_PRESET 0xFF
28 #define CRC_POLYNOM 0x1D
29
30 static bool bQuiet;
31 static bool bSuccessful;
32 static struct hitagS_tag tag;
33 static byte_t page_to_be_written = 0;
34 static int block_data_left = 0;
35 typedef enum modulation {
36 AC2K = 0, AC4K, MC4K, MC8K
37 } MOD;
38 static MOD m = AC2K; //used modulation
39 static uint32_t temp_uid;
40 static int temp2 = 0;
41 static int sof_bits; //number of start-of-frame bits
42 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
43 static uint32_t rnd = 0x74124485; //randomnumber
44 static int test = 0;
45 size_t blocknr;
46 bool end=false;
47
48 // Single bit Hitag2 functions:
49 #define i4(x,a,b,c,d) ((uint32_t)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
50 static const uint32_t ht2_f4a = 0x2C79; // 0010 1100 0111 1001
51 static const uint32_t ht2_f4b = 0x6671; // 0110 0110 0111 0001
52 static const uint32_t ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
53 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
54 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
55 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
56 #define uf20bs uint32_t
57
58 static uint32_t f20(const uint64_t x) {
59 uint32_t i5;
60
61 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
62 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
63 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
64 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
65 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
66
67 return (ht2_f5c >> i5) & 1;
68 }
69
70 static uint64_t hitag2_init(const uint64_t key, const uint32_t serial, const uint32_t IV) {
71 uint32_t i;
72 uint64_t x = ((key & 0xFFFF) << 32) + serial;
73 for (i = 0; i < 32; i++) {
74 x >>= 1;
75 x += (uint64_t) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
76 }
77 return x;
78 }
79
80 static uint64_t hitag2_round(uint64_t *state) {
81 uint64_t x = *state;
82
83 x = (x >> 1)
84 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
85 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
86 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
87 & 1) << 47);
88
89 *state = x;
90 return f20(x);
91 }
92
93 static uint32_t hitag2_byte(uint64_t *x) {
94 uint32_t i, c;
95
96 for (i = 0, c = 0; i < 8; i++)
97 c += (uint32_t) hitag2_round(x) << (i ^ 7);
98 return c;
99 }
100
101 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
102 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
103 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
104 // T0 = TIMER_CLOCK1 / 125000 = 192
105 #define T0 192
106
107 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
108 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
109
110 #define HITAG_FRAME_LEN 20
111 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
112 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
113 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
114 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
115 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
116 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
117 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
118 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
119 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
120
121 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
122 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
123 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
124 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
125
126 #define HITAG_T_TAG_HALF_PERIOD 16
127 #define HITAG_T_TAG_FULL_PERIOD 32
128
129 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
130 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
131 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
132 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
133
134 #define DEBUG 0
135
136 /*
137 * Implementation of the crc8 calculation from Hitag S
138 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
139 */
140 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
141 *crc ^= data; // crc = crc (exor) data
142 do {
143 if (*crc & 0x80) // if (MSB-CRC == 1)
144 {
145 *crc <<= 1; // CRC = CRC Bit-shift left
146 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
147 } else {
148 *crc <<= 1; // CRC = CRC Bit-shift left
149 }
150 } while (--Bitcount);
151 }
152
153
154 static void hitag_send_bit(int bit) {
155 LED_A_ON();
156 // Reset clock for the next bit
157 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
158
159 switch (m) {
160 case AC2K:
161 if (bit == 0) {
162 // AC Coding --__
163 HIGH(GPIO_SSC_DOUT);
164 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
165 ;
166 LOW(GPIO_SSC_DOUT);
167 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
168 ;
169 } else {
170 // AC coding -_-_
171 HIGH(GPIO_SSC_DOUT);
172 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
173 ;
174 LOW(GPIO_SSC_DOUT);
175 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
176 ;
177 HIGH(GPIO_SSC_DOUT);
178 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
179 ;
180 LOW(GPIO_SSC_DOUT);
181 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
182 ;;
183 }
184 LED_A_OFF();
185 break;
186 case AC4K:
187 if (bit == 0) {
188 // AC Coding --__
189 HIGH(GPIO_SSC_DOUT);
190 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
191 ;
192 LOW(GPIO_SSC_DOUT);
193 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
194 ;
195 } else {
196 // AC coding -_-_
197 HIGH(GPIO_SSC_DOUT);
198 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
199 ;
200 LOW(GPIO_SSC_DOUT);
201 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
202 ;
203 HIGH(GPIO_SSC_DOUT);
204 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
205 ;
206 LOW(GPIO_SSC_DOUT);
207 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
208 ;
209 }
210 LED_A_OFF();
211 break;
212 case MC4K:
213 if (bit == 0) {
214 // Manchester: Unloaded, then loaded |__--|
215 LOW(GPIO_SSC_DOUT);
216 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
217 ;
218 HIGH(GPIO_SSC_DOUT);
219 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
220 ;
221 } else {
222 // Manchester: Loaded, then unloaded |--__|
223 HIGH(GPIO_SSC_DOUT);
224 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
225 ;
226 LOW(GPIO_SSC_DOUT);
227 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
228 ;
229 }
230 LED_A_OFF();
231 break;
232 case MC8K:
233 if (bit == 0) {
234 // Manchester: Unloaded, then loaded |__--|
235 LOW(GPIO_SSC_DOUT);
236 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
237 ;
238 HIGH(GPIO_SSC_DOUT);
239 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
240 ;
241 } else {
242 // Manchester: Loaded, then unloaded |--__|
243 HIGH(GPIO_SSC_DOUT);
244 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
245 ;
246 LOW(GPIO_SSC_DOUT);
247 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
248 ;
249 }
250 LED_A_OFF();
251 break;
252 default:
253 break;
254 }
255 }
256
257 static void hitag_tag_send_frame(const byte_t* frame, size_t frame_len) {
258 // Send start of frame
259 for (size_t i = 0; i < sof_bits; i++) {
260 hitag_send_bit(1);
261 }
262
263 // Send the content of the frame
264 for (size_t i = 0; i < frame_len; i++) {
265 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
266 }
267 // Drop the modulation
268 LOW(GPIO_SSC_DOUT);
269 }
270
271 static void hitag_reader_send_bit(int bit) {
272 //Dbprintf("BIT: %d",bit);
273 LED_A_ON();
274 // Reset clock for the next bit
275 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
276
277 // Binary puls length modulation (BPLM) is used to encode the data stream
278 // This means that a transmission of a one takes longer than that of a zero
279
280 // Enable modulation, which means, drop the the field
281 HIGH(GPIO_SSC_DOUT);
282 if (test == 1) {
283 // Wait for 4-10 times the carrier period
284 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
285 ;
286 // SpinDelayUs(8*8);
287
288 // Disable modulation, just activates the field again
289 LOW(GPIO_SSC_DOUT);
290
291 if (bit == 0) {
292 // Zero bit: |_-|
293 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
294 ;
295 // SpinDelayUs(16*8);
296 } else {
297 // One bit: |_--|
298 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
299 ;
300 // SpinDelayUs(22*8);
301 }
302 } else {
303 // Wait for 4-10 times the carrier period
304 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
305 ;
306 // SpinDelayUs(8*8);
307
308 // Disable modulation, just activates the field again
309 LOW(GPIO_SSC_DOUT);
310
311 if (bit == 0) {
312 // Zero bit: |_-|
313 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
314 ;
315 // SpinDelayUs(16*8);
316 } else {
317 // One bit: |_--|
318 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
319 ;
320 // SpinDelayUs(22*8);
321 }
322 }
323
324 LED_A_OFF();
325 }
326
327 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
328 // Send the content of the frame
329 for (size_t i = 0; i < frame_len; i++) {
330 if (frame[0] == 0xf8) {
331 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
332 }
333 hitag_reader_send_bit(((frame[i / 8] >> (7 - (i % 8))) & 1));
334 }
335 // Send EOF
336 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
337 // Enable modulation, which means, drop the the field
338 HIGH(GPIO_SSC_DOUT);
339 // Wait for 4-10 times the carrier period
340 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
341 ;
342 // Disable modulation, just activates the field again
343 LOW(GPIO_SSC_DOUT);
344 }
345
346 static void hitag_decode_frame_MC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
347 size_t rxlen = 0;
348 bool bSkip = true;
349 int lastbit = 1;
350 int tag_sof = 0;
351 int timing = 1;
352 if (bitRate == 8) {
353 timing = 2;
354 }
355
356 for (int i=0; i < rawLen; i++) {
357 int ra = rawMod[i];
358 if (ra >= HITAG_T_EOF) {
359 if (rxlen != 0) {
360 //DbpString("wierd1?");
361 }
362 tag_sof = sofBits;
363
364 // Capture the T0 periods that have passed since last communication or field drop (reset)
365 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
366 *response = ra - HITAG_T_TAG_HALF_PERIOD;
367 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
368 tag_sof=0;
369 // Manchester coding example |-_|_-|-_| (101)
370 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
371 rxlen++;
372 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
373 rxlen++;
374 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
375 tag_sof=0;
376 // Manchester coding example |_-|...|_-|-_| (0...01)
377 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
378 rxlen++;
379 // We have to skip this half period at start and add the 'one' the second time
380 if (!bSkip) {
381 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
382 rxlen++;
383 }
384 lastbit = !lastbit;
385 bSkip = !bSkip;
386 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
387 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
388 if (tag_sof) {
389 // Ignore bits that are transmitted during SOF
390 tag_sof--;
391 } else {
392 // bit is same as last bit
393 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
394 rxlen++;
395 }
396 } else {
397 // Ignore wierd value, is to small to mean anything
398 }
399 }
400 *rxlenOrg = rxlen;
401 }
402
403 /*
404 static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
405 int tag_sof = 1; //skip start of frame
406 size_t rxlen = 0;
407
408 for (int i=0; i < rawLen; i++) {
409 int ra = rawMod[i];
410 if (ra >= HITAG_T_EOF) {
411 if (rxlen != 0) {
412 //DbpString("wierd1?");
413 }
414 // Capture the T0 periods that have passed since last communication or field drop (reset)
415 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
416 tag_sof = 1;
417 *response = ra - HITAG_T_TAG_HALF_PERIOD;
418 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
419 // AC coding example |--__|--__| means 0
420 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
421 rxlen++;
422 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
423 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
424 rxlen++;
425 i++; //drop next capture
426 }
427 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
428 if (tag_sof) {
429 // Ignore bits that are transmitted during SOF
430 tag_sof--;
431 } else {
432 // AC coding example |-_-_|-_-_| which means 1
433 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
434 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
435 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
436 rxlen++;
437 i++; //drop next capture
438 } else {
439 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
440 }
441 }
442 } else {
443 // Ignore wierd value, is to small to mean anything
444 }
445 }
446 *rxlenOrg = rxlen;
447 }
448 */
449
450 static void hitag_decode_frame_AC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
451 int tag_sof = 1;
452 size_t rxlen = 0;
453 int timing = 1;
454 if (bitRate == 4) {
455 timing = 2;
456 }
457
458
459 for (int i=0; i < rawLen; i++) {
460 int ra = rawMod[i];
461 if (ra >= HITAG_T_EOF) {
462 if (rxlen != 0) {
463 //DbpString("wierd1?");
464 }
465
466 // Capture the T0 periods that have passed since last communication or field drop (reset)
467 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
468 tag_sof = sofBits;
469 *response = ra - HITAG_T_TAG_HALF_PERIOD;
470 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
471 tag_sof=0;
472
473 // AC coding example |--__|--__| means 0
474 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
475 rxlen++;
476 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
477 tag_sof=0;
478
479 if (rawMod[i-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
480 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
481 if (rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
482 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
483 rxlen++;
484 i++; //drop next capture
485 } else {
486 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
487 }
488 } else {
489 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
490 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
491 rxlen++;
492 }
493 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
494 if (tag_sof) {
495 // Ignore bits that are transmitted during SOF
496 tag_sof--;
497 } else {
498 // AC coding example |-_-_|-_-_| which means 1
499 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
500 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
501 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
502 rxlen++;
503 i++; //drop next capture
504 } else {
505 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
506 }
507 }
508 } else {
509 // Ignore wierd value, is to small to mean anything
510 }
511 }
512 *rxlenOrg = rxlen;
513 }
514
515 static void hitag_receive_frame(byte_t* rx, size_t* rxlen, int* response) {
516 int rawMod[200] = {0};
517 int rawLen = 0;
518 int i = 0;
519 int sofBits = 0;
520
521 m = MC4K;
522 if (tag.pstate == READY) {
523 switch (tag.mode) {
524 case STANDARD:
525 m = AC2K;
526 sofBits = 1;
527 break;
528 case ADVANCED:
529 m = AC2K;
530 sofBits = 5; //3 sof bits but 5 captures
531 break;
532 case FAST_ADVANCED:
533 m = AC4K;
534 sofBits = 5; //3 sof bits but 5 captures
535 break;
536 default:
537 break;
538 }
539 } else {
540 switch (tag.mode) {
541 case STANDARD:
542 m = MC4K;
543 sofBits = 0; //in theory 1
544 break;
545 case ADVANCED:
546 m = MC4K;
547 sofBits = 5; //in theory 6
548 break;
549 case FAST_ADVANCED:
550 m = MC8K;
551 sofBits = 5; //in theory 6
552 break;
553 default:
554 break;
555 }
556 }
557
558 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
559 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
560
561
562 //first capture timing values
563 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX ) {
564 // Check if rising edge in modulation is detected
565 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
566 // Retrieve the new timing values
567 int ra = (AT91C_BASE_TC1->TC_RA / T0);
568
569 LED_B_ON();
570 // Reset timer every frame, we have to capture the last edge for timing
571 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
572 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
573
574 if (rawLen >= 200) { //avoid exception
575 break;
576 }
577 rawMod[rawLen] = ra;
578 rawLen++;
579
580 // We can break this loop if we received the last bit from a frame
581 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
582 if (rawLen > 2) {
583 if (DEBUG >= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen); }
584 break;
585 }
586 }
587 }
588 }
589
590 if (DEBUG >= 2) {
591 for (i=0; i < rawLen; i+=20) {
592 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
593 rawMod[i],rawMod[i+1],rawMod[i+2],rawMod[i+3], rawMod[i+4],rawMod[i+5],rawMod[i+6],rawMod[i+7],
594 rawMod[i+8],rawMod[i+9],rawMod[i+10],rawMod[i+11], rawMod[i+12],rawMod[i+13],rawMod[i+14],rawMod[i+15],
595 rawMod[i+16],rawMod[i+17],rawMod[i+18],rawMod[i+19]
596 );
597 }
598 }
599
600 switch (m) {
601 // DATA | 1 | 0 | 1 | 1 | 0 |
602 // Manchester |--__|__--|--__|--__|__--|
603 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
604 // |<-->|
605 // | T |
606 case AC2K:
607 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC2K"); }
608 hitag_decode_frame_AC(2, sofBits, rx, rxlen, response, rawMod, rawLen);
609 break;
610 case AC4K:
611 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC4K"); }
612 hitag_decode_frame_AC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
613 break;
614 case MC4K:
615 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC4K"); }
616 hitag_decode_frame_MC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
617 break;
618 case MC8K:
619 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC8K"); }
620 hitag_decode_frame_MC(8, sofBits, rx, rxlen, response, rawMod, rawLen);
621 break;
622 }
623
624 LED_B_OFF();
625 if (DEBUG >= 2) {
626 int rb[200] = {0}; int z = 0;
627 for (i = 0; i < 16; i++) { for (int j = 0; j < 8; j++) {
628 rb[z] = 0;
629 if ((rx[i] & ((1 << 7) >> j)) != 0) { rb[z] = 1; }
630 z++;
631 } }
632 for (i=0; i < z; i+=8) {
633 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb[i],rb[i+1],rb[i+2],rb[i+3],rb[i+4],rb[i+5],rb[i+6],rb[i+7] );
634 }
635 }
636 }
637
638 static void hitag_start_auth(byte_t* tx, size_t* txlen) {
639 *txlen = 5;
640 switch (tag.mode) {
641 case STANDARD:
642 //00110 - 0x30 - STANDARD MODE
643 memcpy(tx, "\x30", nbytes(*txlen));
644 break;
645 case ADVANCED:
646 //11000 - 0xc0 - Advance Mode
647 memcpy(tx, "\xc0", nbytes(*txlen));
648 break;
649 case FAST_ADVANCED:
650 //TODO!
651 break;
652 default: //STANDARD MODE
653 memcpy(tx, "\x30", nbytes(*txlen));
654 break;
655 }
656 tag.pstate = READY;
657 tag.tstate = NO_OP;
658 }
659
660 static int hitag_read_page(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int pageNum) {
661 int i, j, z;
662 int response_bit[200];
663 unsigned char mask = 1;
664 unsigned char crc;
665 unsigned char pageData[32];
666
667 if (pageNum >= tag.max_page) {
668 return -1;
669 }
670 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
671 //send read request
672 tag.tstate = READING_PAGE;
673 *txlen = 20;
674 crc = CRC_PRESET;
675 tx[0] = 0xc0 + (pageNum / 16);
676 calc_crc(&crc, tx[0], 8);
677 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
678 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
679 tx[2] = 0x00 + (crc % 16) * 16;
680 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE && *rxlen > 0) {
681 //save received data
682 z = 0;
683 for (i = 0; i < 4; i++) {
684 for (j = 0; j < 8; j++) {
685 response_bit[z] = 0;
686 if ((rx[i] & ((mask << 7) >> j)) != 0) {
687 response_bit[z] = 1;
688 }
689 if (z < 32) {
690 pageData[z] = response_bit[z];
691 }
692
693 z++;
694 }
695 }
696 for (i = 0; i < 4; i++) {
697 tag.pages[pageNum][i] = 0x0;
698 }
699 for (i = 0; i < 4; i++) {
700 tag.pages[pageNum][i] += ((pageData[i * 8] << 7) | (pageData[1 + (i * 8)] << 6) |
701 (pageData[2 + (i * 8)] << 5) | (pageData[3 + (i * 8)] << 4) |
702 (pageData[4 + (i * 8)] << 3) | (pageData[5 + (i * 8)] << 2) |
703 (pageData[6 + (i * 8)]
704 << 1) | pageData[7 + (i * 8)]);
705 }
706 if (tag.auth && tag.LKP && pageNum == 1) {
707 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
708 tag.pages[pageNum][2], tag.pages[pageNum][1], tag.pages[pageNum][0]);
709 } else {
710 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
711 tag.pages[pageNum][3], tag.pages[pageNum][2],
712 tag.pages[pageNum][1], tag.pages[pageNum][0]);
713 }
714
715
716 //display key and password if possible
717 if (pageNum == 1 && tag.auth == 1 && tag.LKP) {
718 if (htf == 02) { //RHTS_KEY
719 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
720 (byte_t)(key >> 8) & 0xff,
721 (byte_t) key & 0xff, pwdl1, pwdl0);
722 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
723 (byte_t)(key >> 40) & 0xff,
724 (byte_t)(key >> 32) & 0xff,
725 (byte_t)(key >> 24) & 0xff,
726 (byte_t)(key >> 16) & 0xff);
727 } else {
728 //if the authentication is done with a challenge the key and password are unknown
729 Dbprintf("Page[ 2]: __ __ __ __");
730 Dbprintf("Page[ 3]: __ __ __ __");
731 }
732 }
733
734 *txlen = 20;
735 crc = CRC_PRESET;
736 tx[0] = 0xc0 + ((pageNum+1) / 16);
737 calc_crc(&crc, tx[0], 8);
738 calc_crc(&crc, 0x00 + (((pageNum+1) % 16) * 16), 4);
739 tx[1] = 0x00 + (((pageNum+1) % 16) * 16) + (crc / 16);
740 tx[2] = 0x00 + (crc % 16) * 16;
741
742 return 1;
743 }
744 return 0;
745 }
746
747 static int hitag_read_block(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int blockNum) {
748 int i, j, z;
749 int response_bit[200];
750 unsigned char mask = 1;
751 unsigned char crc;
752 unsigned char blockData[128];
753
754 if (blockNum+4 >= tag.max_page) { //block always = 4 pages
755 return -1;
756 }
757
758 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
759 //send read request
760 tag.tstate = READING_BLOCK;
761 *txlen = 20;
762 crc = CRC_PRESET;
763 tx[0] = 0xd0 + (blockNum / 16);
764 calc_crc(&crc, tx[0], 8);
765 calc_crc(&crc, 0x00 + ((blockNum % 16) * 16), 4);
766 tx[1] = 0x00 + ((blockNum % 16) * 16) + (crc / 16);
767 tx[2] = 0x00 + (crc % 16) * 16;
768 } else if (tag.pstate == SELECTED && tag.tstate == READING_BLOCK && *rxlen > 0) {
769 //save received data
770 z = 0;
771 for (i = 0; i < 16; i++) {
772 for (j = 0; j < 8; j++) {
773 response_bit[z] = 0;
774 if ((rx[i] & ((mask << 7) >> j)) != 0) {
775 response_bit[z] = 1;
776 }
777 if (z < 128) {
778 blockData[z] = response_bit[z];
779 }
780 z++;
781 }
782 }
783
784 for (z = 0; z < 4; z++) { //4 pages
785 for (i = 0; i < 4; i++) {
786 tag.pages[blockNum+z][i] = 0x0;
787 }
788 }
789 for (z = 0; z < 4; z++) { //4 pages
790 for (i = 0; i < 4; i++) {
791 j = (i * 8) + (z*32); //bit in page + pageStart
792 tag.pages[blockNum+z][i] = ((blockData[j] << 7) | (blockData[1 + j] << 6) |
793 (blockData[2 + j] << 5) | (blockData[3 + j] << 4) |
794 (blockData[4 + j] << 3) | (blockData[5 + j] << 2) |
795 (blockData[6 + j] << 1) | blockData[7 + j]);
796 }
797 }
798 if (DEBUG) {
799 for (z = 0; z < 4; z++) {
800 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum+z,
801 tag.pages[blockNum+z][3], tag.pages[blockNum+z][2],
802 tag.pages[blockNum+z][1], tag.pages[blockNum+z][0]);
803 }
804 }
805 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum,
806 tag.pages[blockNum][3], tag.pages[blockNum][2], tag.pages[blockNum][1], tag.pages[blockNum][0],
807 tag.pages[blockNum+1][3], tag.pages[blockNum+1][2], tag.pages[blockNum+1][1], tag.pages[blockNum+1][0],
808 tag.pages[blockNum+2][3], tag.pages[blockNum+2][2], tag.pages[blockNum+2][1], tag.pages[blockNum+2][0],
809 tag.pages[blockNum+3][3], tag.pages[blockNum+3][2], tag.pages[blockNum+3][1], tag.pages[blockNum+3][0]);
810
811 *txlen = 20;
812 crc = CRC_PRESET;
813 tx[0] = 0xd0 + ((blockNum+4) / 16);
814 calc_crc(&crc, tx[0], 8);
815 calc_crc(&crc, 0x00 + (((blockNum+4) % 16) * 16), 4);
816 tx[1] = 0x00 + (((blockNum+4) % 16) * 16) + (crc / 16);
817 tx[2] = 0x00 + (crc % 16) * 16;
818
819 return 1;
820 }
821 return 0;
822 }
823
824
825 /*
826 * to check if the right uid was selected
827 */
828 static int check_select(byte_t* rx, uint32_t uid) {
829 unsigned char resp[48];
830 int i;
831 uint32_t ans = 0x0;
832 for (i = 0; i < 48; i++)
833 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
834 for (i = 0; i < 32; i++)
835 ans += resp[5 + i] << (31 - i);
836 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
837 && rx[4] == 0x65 && rx[5] == 0x38)
838 Dbprintf("got uid %X", ans);*/
839 temp_uid = ans;
840 if (ans == tag.uid)
841 return 1;
842 return 0;
843 }
844
845 /*
846 * handles all commands from a reader
847 */
848 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
849 byte_t* tx, size_t* txlen) {
850 byte_t rx_air[HITAG_FRAME_LEN];
851 byte_t page;
852 int i;
853 uint64_t state;
854 unsigned char crc;
855
856 // Copy the (original) received frame how it is send over the air
857 memcpy(rx_air, rx, nbytes(rxlen));
858 // Reset the transmission frame length
859 *txlen = 0;
860 // Try to find out which command was send by selecting on length (in bits)
861 switch (rxlen) {
862 case 5: {
863 //UID request with a selected response protocol mode
864 tag.pstate = READY;
865 tag.tstate = NO_OP;
866 if ((rx[0] & 0xf0) == 0x30) {
867 Dbprintf("recieved uid request in Standard Mode");
868 tag.mode = STANDARD;
869 sof_bits = 1;
870 m = AC2K;
871 }
872 if ((rx[0] & 0xf0) == 0xc0) {
873 Dbprintf("recieved uid request in ADVANCE Mode");
874 tag.mode = ADVANCED;
875 sof_bits = 3;
876 m = AC2K;
877 }
878 if ((rx[0] & 0xf0) == 0xd0) {
879 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
880 tag.mode = FAST_ADVANCED;
881 sof_bits = 3;
882 m = AC4K;
883 }
884 //send uid as a response
885 *txlen = 32;
886 for (i = 0; i < 4; i++) {
887 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
888 }
889 }
890 break;
891 case 45: {
892 //select command from reader received
893 if (check_select(rx, tag.uid) == 1) {
894 //if the right tag was selected
895 *txlen = 32;
896 switch (tag.mode) {
897 case STANDARD:
898 Dbprintf("uid selected in Standard Mode");
899 sof_bits = 1;
900 m = MC4K;
901 break;
902 case ADVANCED:
903 Dbprintf("uid selected in ADVANCE Mode");
904 sof_bits = 6;
905 m = MC4K;
906 break;
907 case FAST_ADVANCED:
908 Dbprintf("uid selected in FAST_ADVANCE Mode");
909 sof_bits = 6;
910 m = MC8K;
911 break;
912 default:
913 break;
914 }
915
916 //send configuration
917 tx[0] = tag.pages[1][3];
918 tx[1] = tag.pages[1][2];
919 tx[2] = tag.pages[1][1];
920 tx[3] = 0xff;
921 if (tag.mode != STANDARD) {
922 *txlen = 40;
923 crc = CRC_PRESET;
924 for (i = 0; i < 4; i++)
925 calc_crc(&crc, tx[i], 8);
926 tx[4] = crc;
927 }
928 }
929 }
930 break;
931 case 64: {
932 switch (tag.mode) {
933 case STANDARD:
934 sof_bits = 1;
935 m = MC4K;
936 break;
937 case ADVANCED:
938 sof_bits = 6;
939 m = MC4K;
940 break;
941 case FAST_ADVANCED:
942 sof_bits = 6;
943 m = MC8K;
944 break;
945 default:
946 break;
947 }
948 //challenge message received
949 Dbprintf("Challenge for UID: %X", temp_uid);
950 temp2++;
951 state = hitag2_init(REV64(tag.key), REV32(tag.pages[0][0]),
952 REV32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
953 Dbprintf(
954 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
955 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
956
957 for (i = 0; i < 4; i++) {
958 hitag2_byte(&state);
959 }
960
961 *txlen = 32;
962 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
963 tx[0] = hitag2_byte(&state) ^ tag.pages[1][1];
964 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
965 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
966 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
967 if (tag.mode != STANDARD) {
968 //add crc8
969 *txlen = 40;
970 crc = CRC_PRESET;
971 calc_crc(&crc, tag.pages[1][1], 8);
972 calc_crc(&crc, tag.pwdh0, 8);
973 calc_crc(&crc, tag.pwdl0, 8);
974 calc_crc(&crc, tag.pwdl1, 8);
975 tx[4] = (crc ^ hitag2_byte(&state));
976 }
977 }
978 case 40:
979 //data received to be written
980 if (tag.tstate == WRITING_PAGE_DATA) {
981 tag.tstate = NO_OP;
982 tag.pages[page_to_be_written][0] = rx[3];
983 tag.pages[page_to_be_written][1] = rx[2];
984 tag.pages[page_to_be_written][2] = rx[1];
985 tag.pages[page_to_be_written][3] = rx[0];
986
987 //send ack
988 *txlen = 2;
989 tx[0] = 0x40;
990 page_to_be_written = 0;
991 switch (tag.mode) {
992 case STANDARD:
993 sof_bits = 1;
994 m = MC4K;
995 break;
996 case ADVANCED:
997 sof_bits = 6;
998 m = MC4K;
999 break;
1000 case FAST_ADVANCED:
1001 sof_bits = 6;
1002 m = MC8K;
1003 break;
1004 default:
1005 break;
1006 }
1007 } else if (tag.tstate == WRITING_BLOCK_DATA) {
1008 tag.pages[page_to_be_written][0] = rx[0];
1009 tag.pages[page_to_be_written][1] = rx[1];
1010 tag.pages[page_to_be_written][2] = rx[2];
1011 tag.pages[page_to_be_written][3] = rx[3];
1012
1013 //send ack
1014 *txlen = 2;
1015 tx[0] = 0x40;
1016 switch (tag.mode) {
1017 case STANDARD:
1018 sof_bits = 1;
1019 m = MC4K;
1020 break;
1021 case ADVANCED:
1022 sof_bits = 6;
1023 m = MC4K;
1024 break;
1025 case FAST_ADVANCED:
1026 sof_bits = 6;
1027 m = MC8K;
1028 break;
1029 default:
1030 break;
1031 }
1032 page_to_be_written++;
1033 block_data_left--;
1034 if (block_data_left == 0) {
1035 tag.tstate = NO_OP;
1036 page_to_be_written = 0;
1037 }
1038 }
1039 break;
1040 case 20: {
1041 //write page, write block, read page or read block command received
1042 if ((rx[0] & 0xf0) == 0xc0) { //read page
1043 //send page data
1044 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1045 Dbprintf("reading page %d", page);
1046 *txlen = 32;
1047 tx[0] = tag.pages[page][0];
1048 tx[1] = tag.pages[page][1];
1049 tx[2] = tag.pages[page][2];
1050 tx[3] = tag.pages[page][3];
1051
1052 if (tag.LKP && page == 1)
1053 tx[3] = 0xff;
1054
1055 switch (tag.mode) {
1056 case STANDARD:
1057 sof_bits = 1;
1058 m = MC4K;
1059 break;
1060 case ADVANCED:
1061 sof_bits = 6;
1062 m = MC4K;
1063 break;
1064 case FAST_ADVANCED:
1065 sof_bits = 6;
1066 m = MC8K;
1067 break;
1068 default:
1069 break;
1070 }
1071
1072 if (tag.mode != STANDARD) {
1073 //add crc8
1074 *txlen = 40;
1075 crc = CRC_PRESET;
1076 for (i = 0; i < 4; i++)
1077 calc_crc(&crc, tx[i], 8);
1078 tx[4] = crc;
1079 }
1080
1081 if (tag.LKP && (page == 2 || page == 3)) {
1082 //if reader asks for key or password and the LKP-mark is set do not respond
1083 sof_bits = 0;
1084 *txlen = 0;
1085 }
1086 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
1087 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1088 Dbprintf("reading block %d", page);
1089 *txlen = 32 * 4;
1090 //send page,...,page+3 data
1091 for (i = 0; i < 4; i++) {
1092 tx[0 + (i * 4)] = tag.pages[page][0];
1093 tx[1 + (i * 4)] = tag.pages[page][1];
1094 tx[2 + (i * 4)] = tag.pages[page][2];
1095 tx[3 + (i * 4)] = tag.pages[page][3];
1096 page++;
1097 }
1098
1099 switch (tag.mode) {
1100 case STANDARD:
1101 sof_bits = 1;
1102 m = MC4K;
1103 break;
1104 case ADVANCED:
1105 sof_bits = 6;
1106 m = MC4K;
1107 break;
1108 case FAST_ADVANCED:
1109 sof_bits = 6;
1110 m = MC8K;
1111 break;
1112 default:
1113 break;
1114 }
1115
1116 if (tag.mode != STANDARD) {
1117 //add crc8
1118 *txlen = 32 * 4 + 8;
1119 crc = CRC_PRESET;
1120 for (i = 0; i < 16; i++)
1121 calc_crc(&crc, tx[i], 8);
1122 tx[16] = crc;
1123 }
1124
1125 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
1126 sof_bits = 0;
1127 *txlen = 0;
1128 }
1129 } else if ((rx[0] & 0xf0) == 0x80) { //write page
1130 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1131
1132 switch (tag.mode) {
1133 case STANDARD:
1134 sof_bits = 1;
1135 m = MC4K;
1136 break;
1137 case ADVANCED:
1138 sof_bits = 6;
1139 m = MC4K;
1140 break;
1141 case FAST_ADVANCED:
1142 sof_bits = 6;
1143 m = MC8K;
1144 break;
1145 default:
1146 break;
1147 }
1148 if ((tag.LCON && page == 1)
1149 || (tag.LKP && (page == 2 || page == 3))) {
1150 //deny
1151 *txlen = 0;
1152 } else {
1153 //allow
1154 *txlen = 2;
1155 tx[0] = 0x40;
1156 page_to_be_written = page;
1157 tag.tstate = WRITING_PAGE_DATA;
1158 }
1159
1160 } else if ((rx[0] & 0xf0) == 0x90) { //write block
1161 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
1162 switch (tag.mode) {
1163 case STANDARD:
1164 sof_bits = 1;
1165 m = MC4K;
1166 break;
1167 case ADVANCED:
1168 sof_bits = 6;
1169 m = MC4K;
1170 break;
1171 case FAST_ADVANCED:
1172 sof_bits = 6;
1173 m = MC8K;
1174 break;
1175 default:
1176 break;
1177 }
1178 if (page % 4 != 0 || page == 0) {
1179 //deny
1180 *txlen = 0;
1181 } else {
1182 //allow
1183 *txlen = 2;
1184 tx[0] = 0x40;
1185 page_to_be_written = page;
1186 block_data_left = 4;
1187 tag.tstate = WRITING_BLOCK_DATA;
1188 }
1189 }
1190 }
1191 break;
1192 default:
1193
1194 break;
1195 }
1196 }
1197
1198
1199 /*
1200 * to autenticate to a tag with the given key or challenge
1201 */
1202 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx,
1203 const size_t rxlen, byte_t* tx, size_t* txlen) {
1204 byte_t rx_air[HITAG_FRAME_LEN];
1205 int response_bit[200] = {0};
1206 int i, j, z, k;
1207 unsigned char mask = 1;
1208 unsigned char uid[32];
1209 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
1210 unsigned char crc;
1211 uint64_t state;
1212 byte_t auth_ks[4];
1213 byte_t conf_pages[3];
1214 memcpy(rx_air, rx, nbytes(rxlen));
1215 *txlen = 0;
1216
1217 if (DEBUG) {
1218 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen, (int)tag.pstate);
1219 }
1220
1221 if (tag.pstate == READY && rxlen >= 32) {
1222 //received uid
1223 if(end==true) {
1224 Dbprintf("authentication failed!");
1225 return -1;
1226 }
1227 z = 0;
1228 for (i = 0; i < 10; i++) {
1229 for (j = 0; j < 8; j++) {
1230 response_bit[z] = 0;
1231 if ((rx[i] & ((mask << 7) >> j)) != 0)
1232 response_bit[z] = 1;
1233 z++;
1234 }
1235 }
1236 for (i = 0; i < 32; i++) {
1237 uid[i] = response_bit[i];
1238 }
1239
1240 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
1241 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
1242 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
1243 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
1244 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
1245 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
1246 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
1247 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
1248 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
1249 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
1250
1251 //select uid
1252 crc = CRC_PRESET;
1253 calc_crc(&crc, 0x00, 5);
1254 calc_crc(&crc, uid1, 8);
1255 calc_crc(&crc, uid2, 8);
1256 calc_crc(&crc, uid3, 8);
1257 calc_crc(&crc, uid4, 8);
1258 Dbprintf("crc: %02X", crc);
1259
1260 //resetting response bit
1261 for (i = 0; i < 100; i++) {
1262 response_bit[i] = 0;
1263 }
1264
1265 //skip the first 5
1266 for (i = 5; i < 37; i++) {
1267 response_bit[i] = uid[i - 5];
1268 }
1269 //add crc value
1270 for (j = 0; j < 8; j++) {
1271 response_bit[i] = 0;
1272 if ((crc & ((mask << 7) >> j)) != 0)
1273 response_bit[i] = 1;
1274 i++;
1275 }
1276
1277 k = 0;
1278 for (i = 0; i < 6; i++) {
1279 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1280 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
1281 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
1282 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1283 k += 8;
1284 }
1285 *txlen = 45;
1286 tag.pstate = INIT;
1287 } else if (tag.pstate == INIT && rxlen > 24) {
1288 // received configuration after select command
1289 z = 0;
1290 for (i = 0; i < 4; i++) {
1291 for (j = 0; j < 8; j++) {
1292 response_bit[z] = 0;
1293 if ((rx[i] & ((mask << 7) >> j)) != 0) {
1294 response_bit[z] = 1;
1295 }
1296 z++;
1297 }
1298 }
1299
1300 //check wich memorysize this tag has
1301 //CON0
1302 if (response_bit[6] == 0 && response_bit[7] == 0)
1303 tag.max_page = 32 / 32;
1304 if (response_bit[6] == 0 && response_bit[7] == 1)
1305 tag.max_page = 256 / 32;
1306 if (response_bit[6] == 1 && response_bit[7] == 0)
1307 tag.max_page = 2048 / 32;
1308 if (response_bit[6] == 1 && response_bit[7] == 1) //reserved but some tags got this setting
1309 tag.max_page = 2048 / 32;
1310
1311 //CON1
1312 tag.auth = response_bit[8];
1313 tag.TTFC = response_bit[9];
1314 //tag.TTFDR in response_bit[10] and response_bit[11]
1315 //tag.TTFM in response_bit[12] and response_bit[13]
1316 tag.LCON = response_bit[14];
1317 tag.LKP = response_bit[15];
1318
1319 //CON2
1320 tag.LCK7 = response_bit[16];
1321 tag.LCK6 = response_bit[17];
1322 tag.LCK5 = response_bit[18];
1323 tag.LCK4 = response_bit[19];
1324 tag.LCK3 = response_bit[20];
1325 tag.LCK2 = response_bit[21];
1326 tag.LCK1 = response_bit[22];
1327 tag.LCK0 = response_bit[23];
1328
1329 if (DEBUG) {
1330 conf_pages[0] = ((response_bit[0] << 7) | (response_bit[1] << 6)
1331 | (response_bit[2] << 5) | (response_bit[3] << 4)
1332 | (response_bit[4] << 3) | (response_bit[5] << 2)
1333 | (response_bit[6] << 1) | response_bit[7]);
1334 conf_pages[1] = ((response_bit[8] << 7) | (response_bit[9] << 6)
1335 | (response_bit[10] << 5) | (response_bit[11] << 4)
1336 | (response_bit[12] << 3) | (response_bit[13] << 2)
1337 | (response_bit[14] << 1) | response_bit[15]);
1338 conf_pages[2] = ((response_bit[16] << 7) | (response_bit[17] << 6)
1339 | (response_bit[18] << 5) | (response_bit[19] << 4)
1340 | (response_bit[20] << 3) | (response_bit[21] << 2)
1341 | (response_bit[22] << 1) | response_bit[23]);
1342 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
1343 Dbprintf("tag.max_page: %d, tag.auth: %d", tag.max_page, tag.auth);
1344 }
1345
1346 if (tag.auth == 1) {
1347 //if the tag is in authentication mode try the key or challenge
1348 *txlen = 64;
1349 if(end!=true){
1350 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
1351 state = hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
1352 /*
1353 Dbprintf("key: %02X %02X\n\n", key, REV64(key));
1354 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, REV32(tag.uid));
1355 Dbprintf("rnd: %02X %02X\n\n", rnd, REV32(rnd));
1356 */
1357 for (i = 0; i < 4; i++) {
1358 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
1359 }
1360 *txlen = 64;
1361 tx[0] = rnd & 0xff;
1362 tx[1] = (rnd >> 8) & 0xff;
1363 tx[2] = (rnd >> 16) & 0xff;
1364 tx[3] = (rnd >> 24) & 0xff;
1365
1366 tx[4] = auth_ks[0];
1367 tx[5] = auth_ks[1];
1368 tx[6] = auth_ks[2];
1369 tx[7] = auth_ks[3];
1370 if (DEBUG)
1371 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
1372 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
1373 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1374 for (i = 0; i < 8; i++)
1375 tx[i]=((NrAr>>(56-(i*8)))&0xff);
1376 }
1377 end=true;
1378 tag.pstate = AUTHENTICATE;
1379 } else {
1380 Dbprintf("authentication failed!");
1381 return -1;
1382 }
1383 } else if (tag.auth == 0) {
1384 tag.pstate = SELECTED;
1385 }
1386
1387 } else if (tag.pstate == AUTHENTICATE && rxlen >= 32) {
1388 //encrypted con2,password received.
1389 if (DEBUG) {
1390 Dbprintf("UID:::%X", tag.uid);
1391 Dbprintf("RND:::%X", rnd);
1392 }
1393
1394 //decrypt password
1395 pwdh0=0;
1396 pwdl0=0;
1397 pwdl1=0;
1398 if(htf==02 || htf==04) { //RHTS_KEY //WHTS_KEY
1399 state = hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
1400 for (i = 0; i < 5; i++) {
1401 hitag2_byte(&state);
1402 }
1403 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ hitag2_byte(&state);
1404 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ hitag2_byte(&state);
1405 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ hitag2_byte(&state);
1406 if (DEBUG) {
1407 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
1408 }
1409 }
1410 tag.pstate = SELECTED; //tag is now ready for read/write commands
1411 }
1412
1413 if (DEBUG) {
1414 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag.pstate);
1415 }
1416
1417 return 0;
1418 }
1419
1420 /*
1421 * Emulates a Hitag S Tag with the given data from the .hts file
1422 */
1423 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
1424 int frame_count;
1425 int response;
1426 int overflow;
1427 int i, j;
1428 byte_t rx[HITAG_FRAME_LEN];
1429 size_t rxlen = 0;
1430 bQuiet = false;
1431 byte_t txbuf[HITAG_FRAME_LEN];
1432 byte_t* tx = txbuf;
1433 size_t txlen = 0;
1434 uint8_t con0, con1, con2;
1435 BigBuf_free();
1436
1437 // Clean up trace and prepare it for storing frames
1438 set_tracing(true);
1439 clear_trace();
1440
1441 DbpString("Starting HitagS simulation");
1442 LED_D_ON();
1443
1444 tag.pstate = READY;
1445 tag.tstate = NO_OP;
1446 //read tag data into memory
1447 if (tag_mem_supplied) {
1448 DbpString("Loading hitagS memory...");
1449 for (i = 0; i < 64; i++) {
1450 for (j = 0; j < 4; j++) {
1451 tag.pages[i][j] = 0x0;
1452 }
1453 }
1454
1455 for (i = 0; i < 64; i++) {
1456 for (j = 0; j < 4; j++) {
1457 tag.pages[i][j] = data[(i*4)+j];
1458 }
1459 }
1460 }
1461 tag.uid = (tag.pages[0][3] << 24 | tag.pages[0][2] << 16 | tag.pages[0][1] << 8 | tag.pages[0][0]);
1462 con0 = tag.pages[1][3];
1463 con1 = tag.pages[1][2];
1464 con2 = tag.pages[1][1];
1465 Dbprintf("UID: %X", tag.uid);
1466 Dbprintf("Hitag S simulation started");
1467
1468 //0x01 plain mode - Reserved, CON2, CON1, CON0
1469 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1470 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1471 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1472
1473 //con0
1474 tag.max_page = 2048 / 32;
1475 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 1)
1476 tag.max_page = 256 / 32;
1477 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 0)
1478 tag.max_page = 32 / 32;
1479
1480 //CON1
1481 tag.auth = ((con1 & 0x80) == 0x80) ? 1 : 0;
1482 tag.TTFC = ((con1 & 0x40) == 0x40) ? 1 : 0;
1483 //tag.TTFDR in response_bit[10] and response_bit[11]
1484 //tag.TTFM in response_bit[12] and response_bit[13]
1485 tag.LCON = ((con1 & 0x2) == 0x2) ? 1 : 0;
1486 tag.LKP = ((con1 & 0x1) == 0x1) ? 1 : 0;
1487
1488 //CON2
1489 tag.LCK7 = ((con2 & 0x80) == 0x80) ? 1 : 0;
1490 tag.LCK6 = ((con2 & 0x40) == 0x40) ? 1 : 0;
1491 tag.LCK5 = ((con2 & 0x20) == 0x20) ? 1 : 0;
1492 tag.LCK4 = ((con2 & 0x10) == 0x10) ? 1 : 0;
1493 tag.LCK3 = ((con2 & 0x8) == 0x8) ? 1 : 0;
1494 tag.LCK2 = ((con2 & 0x4) == 0x4) ? 1 : 0;
1495 tag.LCK1 = ((con2 & 0x2) == 0x2) ? 1 : 0;
1496 tag.LCK0 = ((con2 & 0x1) == 0x1) ? 1 : 0;
1497
1498 if (tag.auth == 1) {
1499 //TODO check if this working :D
1500 tag.key=(intptr_t)tag.pages[3];
1501 tag.key<<=16;
1502 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
1503 tag.pwdl0=tag.pages[2][3];
1504 tag.pwdl1=tag.pages[2][2];
1505 tag.pwdh0=tag.pages[1][0];
1506 }
1507
1508 // Set up simulator mode, frequency divisor which will drive the FPGA
1509 // and analog mux selection.
1510 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1511 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
1512 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1513 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1514 RELAY_OFF();
1515
1516 // Configure output pin that is connected to the FPGA (for modulating)
1517 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1518 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1519
1520 // Disable modulation at default, which means release resistance
1521 LOW(GPIO_SSC_DOUT);
1522
1523 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1524 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1525
1526 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1527 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1528 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1529
1530 // Disable timer during configuration
1531 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1532 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1533
1534 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1535 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1536
1537 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1538 // external trigger rising edge, load RA on rising edge of TIOA.
1539 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1540
1541 // Reset the received frame, frame count and timing info
1542 memset(rx, 0x00, sizeof(rx));
1543 frame_count = 0;
1544 response = 0;
1545 overflow = 0;
1546
1547 // Enable and reset counter
1548 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1549
1550 while (!BUTTON_PRESS()) {
1551 // Watchdog hit
1552 WDT_HIT();
1553
1554 // Receive frame, watch for at most T0*EOF periods
1555 //HITAG_T_WAIT_MAX
1556 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1557 // Check if rising edge in modulation is detected
1558 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1559 // Retrieve the new timing values
1560 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1561 overflow = 0;
1562
1563 // Reset timer every frame, we have to capture the last edge for timing
1564 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1565
1566 LED_B_ON();
1567
1568 // Capture reader frame
1569 if (ra >= HITAG_T_STOP) {
1570 if (rxlen != 0) {
1571 //DbpString("wierd0?");
1572 }
1573 // Capture the T0 periods that have passed since last communication or field drop (reset)
1574 response = (ra - HITAG_T_LOW);
1575 } else if (ra >= HITAG_T_1_MIN) {
1576 // '1' bit
1577 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1578 rxlen++;
1579 } else if (ra >= HITAG_T_0_MIN) {
1580 // '0' bit
1581 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1582 rxlen++;
1583 } else {
1584 // Ignore wierd value, is to small to mean anything
1585 }
1586 }
1587 }
1588
1589 // Check if frame was captured
1590 if (rxlen > 0) {
1591 frame_count++;
1592 if (!bQuiet) {
1593 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1594 DbpString("Trace full");
1595 clear_trace();
1596 }
1597 }
1598
1599 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1600 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1601
1602 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1603 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1604
1605 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1606 // not that since the clock counts since the rising edge, but T_Wait1 is
1607 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1608 // periods. The gap time T_Low varies (4..10). All timer values are in
1609 // terms of T0 units
1610 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) { }
1611
1612 // Send and store the tag answer (if there is any)
1613 if (txlen > 0) {
1614 // Transmit the tag frame
1615 hitag_tag_send_frame(tx, txlen);
1616
1617 // Store the frame in the trace
1618 if (!bQuiet) {
1619 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1620 DbpString("Trace full");
1621 clear_trace();
1622 }
1623 }
1624 }
1625
1626 // Enable and reset external trigger in timer for capturing future frames
1627 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1628
1629 // Reset the received frame and response timing info
1630 memset(rx, 0x00, sizeof(rx));
1631 response = 0;
1632
1633 LED_B_OFF();
1634 }
1635 // Reset the frame length
1636 rxlen = 0;
1637 // Save the timer overflow, will be 0 when frame was received
1638 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1639 // Reset the timer to restart while-loop that receives frames
1640 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1641 }
1642 Dbprintf("Hitag S simulation stopped");
1643 LED_B_OFF();
1644 LED_D_OFF();
1645 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1646 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1647 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1648 }
1649
1650 /*
1651 * Authenticates to the Tag with the given key or challenge.
1652 * If the key was given the password will be decrypted.
1653 * Reads every page of a hitag S transpoder.
1654 */
1655 void ReadHitagSintern(hitag_function htf, hitag_data* htd, stype tagMode, int startPage, bool readBlock) {
1656 int frame_count;
1657 int i;
1658 int sendNum = startPage;
1659 tag.mode = tagMode;
1660
1661 //int i, j, z;
1662 //int response_bit[200];
1663 //unsigned char mask = 1;
1664
1665 int response;
1666 byte_t rx[HITAG_FRAME_LEN];
1667 size_t rxlen = 0;
1668 byte_t txbuf[HITAG_FRAME_LEN];
1669 byte_t* tx = txbuf;
1670 size_t txlen = 0;
1671 int lastbit;
1672 int t_wait = HITAG_T_WAIT_MAX;
1673 bool bStop;
1674 bool bQuitTraceFull = false;
1675
1676 page_to_be_written = 0;
1677
1678 //read given key/challenge
1679 byte_t NrAr_[8];
1680 uint64_t key=0;
1681 uint64_t NrAr=0;
1682 byte_t key_[6];
1683 switch(htf) {
1684 case 01:
1685 case 03: { //RHTS_CHALLENGE
1686 DbpString("Authenticating using nr,ar pair:");
1687 memcpy(NrAr_,htd->auth.NrAr,8);
1688 Dbhexdump(8,NrAr_,false);
1689 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1690 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1691 } break;
1692 case 02:
1693 case 04: { //RHTS_KEY
1694 DbpString("Authenticating using key:");
1695 memcpy(key_,htd->crypto.key,6);
1696 Dbhexdump(6,key_,false);
1697 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1698 } break;
1699 default: {
1700 Dbprintf("Error , unknown function: %d",htf);
1701 return;
1702 } break;
1703 }
1704
1705
1706
1707 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1708 // Reset the return status
1709 bSuccessful = false;
1710
1711 // Clean up trace and prepare it for storing frames
1712 set_tracing(true);
1713 clear_trace();
1714
1715 bQuiet = false;
1716
1717 LED_D_ON();
1718
1719 // Configure output and enable pin that is connected to the FPGA (for modulating)
1720 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1721 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1722
1723 // Set fpga in edge detect with reader field, we can modulate as reader now
1724 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1725
1726 // Set Frequency divisor which will drive the FPGA and analog mux selection
1727 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1728 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1729 RELAY_OFF();
1730
1731 // Disable modulation at default, which means enable the field
1732 LOW(GPIO_SSC_DOUT);
1733
1734 // Give it a bit of time for the resonant antenna to settle.
1735 SpinDelay(30);
1736
1737 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1738 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1739
1740 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1741 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1742 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1743
1744 // Disable timer during configuration
1745 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1746 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1747
1748 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1749 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1750
1751 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1752 // external trigger rising edge, load RA on falling edge of TIOA.
1753 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1754
1755 // Enable and reset counters
1756 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1757 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1758
1759 // Reset the received frame, frame count and timing info
1760 frame_count = 0;
1761 response = 0;
1762 lastbit = 1;
1763 bStop = false;
1764 t_wait = 200;
1765
1766 while (!bStop && !BUTTON_PRESS()) {
1767 // Watchdog hit
1768 WDT_HIT();
1769
1770
1771 // Add transmitted frame to total count
1772 if (txlen > 0) {
1773 frame_count++;
1774
1775 if (tag.pstate == READY && rxlen < 1) {
1776 //skip logging starting auths if no response
1777 } else {
1778 if (!bQuiet) {
1779 // Store the frame in the trace
1780 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1781 if (bQuitTraceFull) {
1782 DbpString("Trace full");
1783 break;
1784 } else {
1785 bQuiet = true;
1786 }
1787 }
1788 }
1789 }
1790 }
1791
1792 // Check if frame was captured and store it
1793 if (rxlen > 0) {
1794 frame_count++;
1795 if (!bQuiet) {
1796 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1797 DbpString("Trace full");
1798 if (bQuitTraceFull) {
1799 break;
1800 } else {
1801 bQuiet = true;
1802 }
1803 }
1804 }
1805 }
1806
1807 // By default reset the transmission buffer
1808 tx = txbuf;
1809 txlen = 0;
1810
1811 if (DEBUG >= 2) {
1812 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count, rxlen, (int)tag.pstate, (int)tag.tstate);
1813 }
1814
1815 if (rxlen == 0) {
1816 //start authentication
1817 hitag_start_auth(tx, &txlen);
1818 } else if (tag.pstate != SELECTED) {
1819 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1) {
1820 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
1821 bStop = !false;
1822 }
1823 }
1824
1825
1826
1827 if (readBlock && tag.pstate == SELECTED && (tag.tstate == READING_BLOCK || tag.tstate == NO_OP) && rxlen > 0) {
1828 i = hitag_read_block(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1829 if (i > 0) { sendNum+=4; }
1830 if (sendNum+4 >= tag.max_page) {
1831 bStop = !false;
1832 }
1833 } else if (!readBlock && tag.pstate == SELECTED && (tag.tstate == READING_PAGE || tag.tstate == NO_OP) && rxlen > 0) {
1834 i = hitag_read_page(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1835 if (i > 0) { sendNum++; }
1836 if (sendNum >= tag.max_page) {
1837 bStop = !false;
1838 }
1839 }
1840
1841 // Send and store the reader command
1842 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1843 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1844
1845 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1846 // Since the clock counts since the last falling edge, a 'one' means that the
1847 // falling edge occured halfway the period. with respect to this falling edge,
1848 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1849 // All timer values are in terms of T0 units
1850
1851 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
1852
1853 // Transmit the reader frame
1854 hitag_reader_send_frame(tx, txlen);
1855
1856
1857 // Enable and reset external trigger in timer for capturing future frames
1858 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1859
1860
1861 // Reset values for receiving frames
1862 memset(rx, 0x00, sizeof(rx));
1863 rxlen = 0;
1864 lastbit = 1;
1865 response = 0;
1866
1867 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1868 hitag_receive_frame(rx, &rxlen, &response);
1869 }
1870 end=false;
1871 LED_B_OFF();
1872 LED_D_OFF();
1873 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1874 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1875 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1876 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1877 }
1878
1879 void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock) {
1880 if (tagMode == 1) {
1881 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1882 ReadHitagSintern(htf, htd, ADVANCED, (int)startPage, readBlock);
1883 } else if (tagMode == 2) {
1884 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1885 ReadHitagSintern(htf, htd, FAST_ADVANCED, (int)startPage, readBlock);
1886 } else {
1887 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock, startPage);
1888 ReadHitagSintern(htf, htd, STANDARD, (int)startPage, readBlock);
1889 }
1890 }
1891
1892
1893
1894 /*
1895 * Authenticates to the Tag with the given Key or Challenge.
1896 * Writes the given 32Bit data into page_
1897 */
1898 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1899 int frame_count;
1900 int response;
1901 byte_t rx[HITAG_FRAME_LEN];
1902 size_t rxlen = 0;
1903 byte_t txbuf[HITAG_FRAME_LEN];
1904 byte_t* tx = txbuf;
1905 size_t txlen = 0;
1906 int lastbit;
1907 int t_wait = HITAG_T_WAIT_MAX;
1908 bool bStop;
1909 bool bQuitTraceFull = false;
1910 int page = page_;
1911 unsigned char crc;
1912 byte_t data[4]= {0,0,0,0};
1913
1914 //read given key/challenge, the page and the data
1915 byte_t NrAr_[8];
1916 uint64_t key=0;
1917 uint64_t NrAr=0;
1918 byte_t key_[6];
1919 switch(htf) {
1920 case 03: { //WHTS_CHALLENGE
1921 memcpy(data,htd->auth.data,4);
1922 DbpString("Authenticating using nr,ar pair:");
1923 memcpy(NrAr_,htd->auth.NrAr,8);
1924 Dbhexdump(8,NrAr_,false);
1925 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1926 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1927 } break;
1928 case 04: { //WHTS_KEY
1929 memcpy(data,htd->crypto.data,4);
1930 DbpString("Authenticating using key:");
1931 memcpy(key_,htd->crypto.key,6);
1932 Dbhexdump(6,key_,false);
1933 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1934 } break;
1935 default: {
1936 Dbprintf("Error , unknown function: %d",htf);
1937 return;
1938 } break;
1939 }
1940
1941 Dbprintf("Page: %d",page_);
1942 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1943 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1944 // Reset the return status
1945 bSuccessful = false;
1946
1947 tag.pstate = READY;
1948 tag.tstate = NO_OP;
1949
1950 // Clean up trace and prepare it for storing frames
1951 set_tracing(true);
1952 clear_trace();
1953
1954 bQuiet = false;
1955
1956 LED_D_ON();
1957
1958 // Configure output and enable pin that is connected to the FPGA (for modulating)
1959 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1960 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1961
1962 // Set fpga in edge detect with reader field, we can modulate as reader now
1963 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1964
1965 // Set Frequency divisor which will drive the FPGA and analog mux selection
1966 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1967 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1968 RELAY_OFF();
1969
1970 // Disable modulation at default, which means enable the field
1971 LOW(GPIO_SSC_DOUT);
1972
1973 // Give it a bit of time for the resonant antenna to settle.
1974 SpinDelay(30);
1975
1976 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1977 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1978
1979 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1980 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1981 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1982
1983 // Disable timer during configuration
1984 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1985 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1986
1987 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1988 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1989
1990 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1991 // external trigger rising edge, load RA on falling edge of TIOA.
1992 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1993 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1994 | AT91C_TC_LDRA_FALLING;
1995
1996 // Enable and reset counters
1997 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1998 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1999
2000 // Reset the received frame, frame count and timing info
2001 frame_count = 0;
2002 response = 0;
2003 lastbit = 1;
2004 bStop = false;
2005 t_wait = 200;
2006
2007 while (!bStop && !BUTTON_PRESS()) {
2008 // Watchdog hit
2009 WDT_HIT();
2010
2011 // Check if frame was captured and store it
2012 if (rxlen > 0) {
2013 frame_count++;
2014 if (!bQuiet) {
2015 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2016 DbpString("Trace full");
2017 if (bQuitTraceFull) {
2018 break;
2019 } else {
2020 bQuiet = true;
2021 }
2022 }
2023 }
2024 }
2025
2026 //check for valid input
2027 /*
2028 if (page == 0) {
2029 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
2030 bStop = !false;
2031 }*/
2032
2033
2034 // By default reset the transmission buffer
2035 tx = txbuf;
2036 txlen = 0;
2037
2038 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
2039 //no write access on this page
2040 Dbprintf("no write access on page %d", page_);
2041 bStop = !false;
2042 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
2043 //start the authetication
2044 //tag.mode = ADVANCED;
2045 tag.mode = STANDARD;
2046 hitag_start_auth(tx, &txlen);
2047 m = AC2K;
2048 } else if (tag.pstate != SELECTED) {
2049 //try to authenticate with the given key or challenge
2050 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1) {
2051 bStop = !false;
2052 }
2053 m = MC4K;
2054 }
2055
2056 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
2057 //check if the given page exists
2058 if (page > tag.max_page) {
2059 Dbprintf("page number too big");
2060 bStop = !false;
2061 }
2062 //ask Tag for write permission
2063 tag.tstate = WRITING_PAGE_ACK;
2064 txlen = 20;
2065 crc = CRC_PRESET;
2066 tx[0] = 0x90 + (page / 16);
2067 calc_crc(&crc, tx[0], 8);
2068 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
2069 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
2070 tx[2] = 0x00 + (crc % 16) * 16;
2071 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
2072 && rxlen == 2 && rx[0] == 0x40) {
2073 //ACK recieved to write the page. send data
2074 tag.tstate = WRITING_PAGE_DATA;
2075 txlen = 40;
2076 crc = CRC_PRESET;
2077 calc_crc(&crc, data[3], 8);
2078 calc_crc(&crc, data[2], 8);
2079 calc_crc(&crc, data[1], 8);
2080 calc_crc(&crc, data[0], 8);
2081 tx[0] = data[3];
2082 tx[1] = data[2];
2083 tx[2] = data[1];
2084 tx[3] = data[0];
2085 tx[4] = crc;
2086 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
2087 && rxlen == 2 && rx[0] == 0x40) {
2088 //received ACK
2089 Dbprintf("Successful!");
2090 bStop = !false;
2091 }
2092
2093 // Send and store the reader command
2094 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2095 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2096
2097 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2098 // Since the clock counts since the last falling edge, a 'one' means that the
2099 // falling edge occured halfway the period. with respect to this falling edge,
2100 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2101 // All timer values are in terms of T0 units
2102
2103 while (AT91C_BASE_TC0->TC_CV
2104 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2105 ;
2106
2107 // Transmit the reader frame
2108 hitag_reader_send_frame(tx, txlen);
2109
2110 // Enable and reset external trigger in timer for capturing future frames
2111 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2112
2113 // Add transmitted frame to total count
2114 if (txlen > 0) {
2115 frame_count++;
2116 if (!bQuiet) {
2117 // Store the frame in the trace
2118 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2119 if (bQuitTraceFull) {
2120 DbpString("Trace full");
2121 break;
2122 } else {
2123 bQuiet = true;
2124 }
2125 }
2126 }
2127 }
2128
2129 // Reset values for receiving frames
2130 memset(rx, 0x00, sizeof(rx));
2131 rxlen = 0;
2132 lastbit = 1;
2133 response = 0;
2134
2135 hitag_receive_frame(rx, &rxlen, &response);
2136 }
2137 end=false;
2138 LED_B_OFF();
2139 LED_D_OFF();
2140 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2141 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2142 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2143 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2144 }
2145
2146
2147 /*
2148 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2149 * Displays all Challenges that failed.
2150 * When collecting Challenges to break the key it is possible that some data
2151 * is not received correctly due to Antenna problems. This function
2152 * detects these challenges.
2153 */
2154 void check_challenges_cmd(bool file_given, byte_t* data, uint64_t tagMode) {
2155 int i, j, z, k;
2156 byte_t uid_byte[4];
2157 int frame_count;
2158 int response;
2159 byte_t rx[HITAG_FRAME_LEN];
2160 byte_t unlocker[60][8];
2161 int u1 = 0;
2162 size_t rxlen = 0;
2163 byte_t txbuf[HITAG_FRAME_LEN];
2164 byte_t* tx = txbuf;
2165 size_t txlen = 0;
2166 int lastbit;
2167 int t_wait = HITAG_T_WAIT_MAX;
2168 int STATE = 0;
2169 bool bStop;
2170 bool bQuitTraceFull = false;
2171 int response_bit[200];
2172 unsigned char mask = 1;
2173 unsigned char uid[32];
2174 unsigned char crc;
2175
2176 if (tagMode == 1) {
2177 Dbprintf("check_challenges in mode=ADVANCED");
2178 tag.mode = ADVANCED;
2179 } else if (tagMode == 2) {
2180 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2181 tag.mode = FAST_ADVANCED;
2182 } else {
2183 Dbprintf("check_challenges in mode=STANDARD");
2184 tag.mode = STANDARD;
2185 }
2186
2187
2188 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2189 // Reset the return status
2190 bSuccessful = false;
2191
2192 // Clean up trace and prepare it for storing frames
2193 set_tracing(true);
2194 clear_trace();
2195
2196 bQuiet = false;
2197
2198 LED_D_ON();
2199
2200 // Configure output and enable pin that is connected to the FPGA (for modulating)
2201 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
2202 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
2203
2204 // Set fpga in edge detect with reader field, we can modulate as reader now
2205 FpgaWriteConfWord(
2206 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
2207
2208 // Set Frequency divisor which will drive the FPGA and analog mux selection
2209 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
2210 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2211 RELAY_OFF();
2212
2213 // Disable modulation at default, which means enable the field
2214 LOW(GPIO_SSC_DOUT);
2215
2216 // Give it a bit of time for the resonant antenna to settle.
2217 SpinDelay(30);
2218
2219 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
2220 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
2221
2222 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
2223 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
2224 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
2225
2226 // Disable timer during configuration
2227 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2228 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2229
2230 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
2231 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
2232
2233 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2234 // external trigger rising edge, load RA on falling edge of TIOA.
2235 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
2236
2237 // Enable and reset counters
2238 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2239 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2240
2241 // Reset the received frame, frame count and timing info
2242 frame_count = 0;
2243 response = 0;
2244 lastbit = 1;
2245 bStop = false;
2246
2247 t_wait = 200;
2248
2249 if (file_given) {
2250 DbpString("Loading challenges...");
2251 memcpy((byte_t*)unlocker,data,60*8);
2252 }
2253
2254 while (file_given && !bStop && !BUTTON_PRESS()) {
2255 // Watchdog hit
2256 WDT_HIT();
2257
2258 // Check if frame was captured and store it
2259 if (rxlen > 0) {
2260 frame_count++;
2261 if (!bQuiet) {
2262 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2263 DbpString("Trace full");
2264 if (bQuitTraceFull) {
2265 break;
2266 } else {
2267 bQuiet = true;
2268 }
2269 }
2270 }
2271 }
2272
2273 tx = txbuf;
2274 txlen = 0;
2275 if (rxlen == 0) {
2276 if (STATE == 2) {
2277 // challenge failed
2278 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2279 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
2280 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
2281 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
2282 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
2283 }
2284 STATE = 0;
2285 hitag_start_auth(tx, &txlen);
2286 } else if (rxlen >= 32 && STATE == 0) {
2287 //received uid
2288 z = 0;
2289 for (i = 0; i < 10; i++) {
2290 for (j = 0; j < 8; j++) {
2291 response_bit[z] = 0;
2292 if ((rx[i] & ((mask << 7) >> j)) != 0)
2293 response_bit[z] = 1;
2294 z++;
2295 }
2296 }
2297 for (i = 0; i < 32; i++) {
2298 uid[i] = response_bit[i];
2299 }
2300
2301 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
2302 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
2303 | (uid[6] << 1) | uid[7];
2304 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
2305 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
2306 | (uid[14] << 1) | uid[15];
2307 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
2308 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
2309 | (uid[22] << 1) | uid[23];
2310 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
2311 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
2312 | (uid[30] << 1) | uid[31];
2313 //Dbhexdump(10, rx, rxlen);
2314 STATE = 1;
2315 txlen = 45;
2316 crc = CRC_PRESET;
2317 calc_crc(&crc, 0x00, 5);
2318 calc_crc(&crc, uid_byte[0], 8);
2319 calc_crc(&crc, uid_byte[1], 8);
2320 calc_crc(&crc, uid_byte[2], 8);
2321 calc_crc(&crc, uid_byte[3], 8);
2322 for (i = 0; i < 100; i++) {
2323 response_bit[i] = 0;
2324 }
2325 for (i = 0; i < 5; i++) {
2326 response_bit[i] = 0;
2327 }
2328 for (i = 5; i < 37; i++) {
2329 response_bit[i] = uid[i - 5];
2330 }
2331 for (j = 0; j < 8; j++) {
2332 response_bit[i] = 0;
2333 if ((crc & ((mask << 7) >> j)) != 0)
2334 response_bit[i] = 1;
2335 i++;
2336 }
2337 k = 0;
2338 for (i = 0; i < 6; i++) {
2339 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2340 | (response_bit[k + 2] << 5)
2341 | (response_bit[k + 3] << 4)
2342 | (response_bit[k + 4] << 3)
2343 | (response_bit[k + 5] << 2)
2344 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2345 k += 8;
2346 }
2347
2348
2349 tag.pstate = INIT;
2350 } else if (STATE == 1 && rxlen > 24) {
2351 //received configuration
2352 STATE = 2;
2353 z = 0;
2354 for (i = 0; i < 6; i++) {
2355 for (j = 0; j < 8; j++) {
2356 response_bit[z] = 0;
2357 if ((rx[i] & ((mask << 7) >> j)) != 0)
2358 response_bit[z] = 1;
2359 z++;
2360 }
2361 }
2362 txlen = 64;
2363
2364 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2365 bStop = !false;
2366 for (i = 0; i < 8; i++)
2367 tx[i] = unlocker[u1][i];
2368 u1++;
2369
2370 tag.pstate = SELECTED;
2371 } else if (STATE == 2 && rxlen >= 32) {
2372 STATE = 0;
2373 }
2374
2375 // Send and store the reader command
2376 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2377 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2378
2379 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2380 // Since the clock counts since the last falling edge, a 'one' means that the
2381 // falling edge occured halfway the period. with respect to this falling edge,
2382 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2383 // All timer values are in terms of T0 units
2384 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
2385
2386 // Transmit the reader frame
2387 hitag_reader_send_frame(tx, txlen);
2388
2389 // Enable and reset external trigger in timer for capturing future frames
2390 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2391
2392 // Add transmitted frame to total count
2393 if (txlen > 0) {
2394 frame_count++;
2395 if (!bQuiet) {
2396 // Store the frame in the trace
2397 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2398 if (bQuitTraceFull) {
2399 DbpString("Trace full");
2400 break;
2401 } else {
2402 bQuiet = true;
2403 }
2404 }
2405 }
2406 }
2407
2408 // Reset values for receiving frames
2409 memset(rx, 0x00, sizeof(rx));
2410 rxlen = 0;
2411 lastbit = 1;
2412 response = 0;
2413
2414 hitag_receive_frame(rx, &rxlen, &response);
2415 }
2416 LED_B_OFF();
2417 LED_D_OFF();
2418 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2419 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2420 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2421 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2422 }
2423
2424 /**
2425 Backward compatibility
2426 */
2427 void check_challenges(bool file_given, byte_t* data) {
2428 check_challenges_cmd(file_given, data, 1);
2429 }
2430
2431 void ReadHitagS(hitag_function htf, hitag_data* htd) {
2432 ReadHitagSintern(htf, htd, ADVANCED, 0, false);
2433 }
Proxmark3 GIT tracking
Impressum, Datenschutz