]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitagS.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #969 from pwpiwi/gcc10_fixes
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include "hitagS.h"
16
17 #include <stdlib.h>
18 #include "proxmark3.h"
19 #include "apps.h"
20 #include "usb_cdc.h"
21 #include "util.h"
22 #include "hitag.h"
23 #include "string.h"
24 #include "BigBuf.h"
25 #include "fpgaloader.h"
26
27 #define CRC_PRESET 0xFF
28 #define CRC_POLYNOM 0x1D
29
30 static bool bQuiet;
31 static bool bSuccessful;
32 static struct hitagS_tag tag;
33 static byte_t page_to_be_written = 0;
34 static int block_data_left = 0;
35 typedef enum modulation {
36 AC2K = 0, AC4K, MC4K, MC8K
37 } MOD;
38 static MOD m = AC2K; //used modulation
39 static uint32_t temp_uid;
40 static int temp2 = 0;
41 static int sof_bits; //number of start-of-frame bits
42 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
43 static uint32_t rnd = 0x74124485; //randomnumber
44 static int test = 0;
45 bool end=false;
46
47 // Single bit Hitag2 functions:
48 #define i4(x,a,b,c,d) ((uint32_t)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
49 static const uint32_t ht2_f4a = 0x2C79; // 0010 1100 0111 1001
50 static const uint32_t ht2_f4b = 0x6671; // 0110 0110 0111 0001
51 static const uint32_t ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
52 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
53 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
54 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
55 #define uf20bs uint32_t
56
57 static uint32_t f20(const uint64_t x) {
58 uint32_t i5;
59
60 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
61 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
62 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
63 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
64 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
65
66 return (ht2_f5c >> i5) & 1;
67 }
68
69 static uint64_t hitag2_init(const uint64_t key, const uint32_t serial, const uint32_t IV) {
70 uint32_t i;
71 uint64_t x = ((key & 0xFFFF) << 32) + serial;
72 for (i = 0; i < 32; i++) {
73 x >>= 1;
74 x += (uint64_t) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
75 }
76 return x;
77 }
78
79 static uint64_t hitag2_round(uint64_t *state) {
80 uint64_t x = *state;
81
82 x = (x >> 1)
83 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
84 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
85 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
86 & 1) << 47);
87
88 *state = x;
89 return f20(x);
90 }
91
92 static uint32_t hitag2_byte(uint64_t *x) {
93 uint32_t i, c;
94
95 for (i = 0, c = 0; i < 8; i++)
96 c += (uint32_t) hitag2_round(x) << (i ^ 7);
97 return c;
98 }
99
100 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
101 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
102 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
103 // T0 = TIMER_CLOCK1 / 125000 = 192
104 #define T0 192
105
106 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
107 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
108
109 #define HITAG_FRAME_LEN 20
110 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
111 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
112 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
113 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
114 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
115 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
116 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
117 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
118 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
119
120 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
121 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
122 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
123 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
124
125 #define HITAG_T_TAG_HALF_PERIOD 16
126 #define HITAG_T_TAG_FULL_PERIOD 32
127
128 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
129 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
130 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
131 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
132
133 #define DEBUG 0
134
135 /*
136 * Implementation of the crc8 calculation from Hitag S
137 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
138 */
139 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
140 *crc ^= data; // crc = crc (exor) data
141 do {
142 if (*crc & 0x80) // if (MSB-CRC == 1)
143 {
144 *crc <<= 1; // CRC = CRC Bit-shift left
145 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
146 } else {
147 *crc <<= 1; // CRC = CRC Bit-shift left
148 }
149 } while (--Bitcount);
150 }
151
152
153 static void hitag_send_bit(int bit) {
154 LED_A_ON();
155 // Reset clock for the next bit
156 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
157
158 switch (m) {
159 case AC2K:
160 if (bit == 0) {
161 // AC Coding --__
162 HIGH(GPIO_SSC_DOUT);
163 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
164 ;
165 LOW(GPIO_SSC_DOUT);
166 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
167 ;
168 } else {
169 // AC coding -_-_
170 HIGH(GPIO_SSC_DOUT);
171 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
172 ;
173 LOW(GPIO_SSC_DOUT);
174 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
175 ;
176 HIGH(GPIO_SSC_DOUT);
177 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
178 ;
179 LOW(GPIO_SSC_DOUT);
180 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
181 ;;
182 }
183 LED_A_OFF();
184 break;
185 case AC4K:
186 if (bit == 0) {
187 // AC Coding --__
188 HIGH(GPIO_SSC_DOUT);
189 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
190 ;
191 LOW(GPIO_SSC_DOUT);
192 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
193 ;
194 } else {
195 // AC coding -_-_
196 HIGH(GPIO_SSC_DOUT);
197 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
198 ;
199 LOW(GPIO_SSC_DOUT);
200 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
201 ;
202 HIGH(GPIO_SSC_DOUT);
203 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
204 ;
205 LOW(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
207 ;
208 }
209 LED_A_OFF();
210 break;
211 case MC4K:
212 if (bit == 0) {
213 // Manchester: Unloaded, then loaded |__--|
214 LOW(GPIO_SSC_DOUT);
215 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
216 ;
217 HIGH(GPIO_SSC_DOUT);
218 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
219 ;
220 } else {
221 // Manchester: Loaded, then unloaded |--__|
222 HIGH(GPIO_SSC_DOUT);
223 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
224 ;
225 LOW(GPIO_SSC_DOUT);
226 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
227 ;
228 }
229 LED_A_OFF();
230 break;
231 case MC8K:
232 if (bit == 0) {
233 // Manchester: Unloaded, then loaded |__--|
234 LOW(GPIO_SSC_DOUT);
235 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
236 ;
237 HIGH(GPIO_SSC_DOUT);
238 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
239 ;
240 } else {
241 // Manchester: Loaded, then unloaded |--__|
242 HIGH(GPIO_SSC_DOUT);
243 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
244 ;
245 LOW(GPIO_SSC_DOUT);
246 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
247 ;
248 }
249 LED_A_OFF();
250 break;
251 default:
252 break;
253 }
254 }
255
256 static void hitag_tag_send_frame(const byte_t* frame, size_t frame_len) {
257 // Send start of frame
258 for (size_t i = 0; i < sof_bits; i++) {
259 hitag_send_bit(1);
260 }
261
262 // Send the content of the frame
263 for (size_t i = 0; i < frame_len; i++) {
264 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
265 }
266 // Drop the modulation
267 LOW(GPIO_SSC_DOUT);
268 }
269
270 static void hitag_reader_send_bit(int bit) {
271 //Dbprintf("BIT: %d",bit);
272 LED_A_ON();
273 // Reset clock for the next bit
274 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
275
276 // Binary puls length modulation (BPLM) is used to encode the data stream
277 // This means that a transmission of a one takes longer than that of a zero
278
279 // Enable modulation, which means, drop the the field
280 HIGH(GPIO_SSC_DOUT);
281 if (test == 1) {
282 // Wait for 4-10 times the carrier period
283 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
284 ;
285 // SpinDelayUs(8*8);
286
287 // Disable modulation, just activates the field again
288 LOW(GPIO_SSC_DOUT);
289
290 if (bit == 0) {
291 // Zero bit: |_-|
292 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
293 ;
294 // SpinDelayUs(16*8);
295 } else {
296 // One bit: |_--|
297 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
298 ;
299 // SpinDelayUs(22*8);
300 }
301 } else {
302 // Wait for 4-10 times the carrier period
303 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
304 ;
305 // SpinDelayUs(8*8);
306
307 // Disable modulation, just activates the field again
308 LOW(GPIO_SSC_DOUT);
309
310 if (bit == 0) {
311 // Zero bit: |_-|
312 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
313 ;
314 // SpinDelayUs(16*8);
315 } else {
316 // One bit: |_--|
317 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
318 ;
319 // SpinDelayUs(22*8);
320 }
321 }
322
323 LED_A_OFF();
324 }
325
326 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
327 // Send the content of the frame
328 for (size_t i = 0; i < frame_len; i++) {
329 if (frame[0] == 0xf8) {
330 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
331 }
332 hitag_reader_send_bit(((frame[i / 8] >> (7 - (i % 8))) & 1));
333 }
334 // Send EOF
335 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
336 // Enable modulation, which means, drop the the field
337 HIGH(GPIO_SSC_DOUT);
338 // Wait for 4-10 times the carrier period
339 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
340 ;
341 // Disable modulation, just activates the field again
342 LOW(GPIO_SSC_DOUT);
343 }
344
345 static void hitag_decode_frame_MC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
346 size_t rxlen = 0;
347 bool bSkip = true;
348 int lastbit = 1;
349 int tag_sof = 0;
350 int timing = 1;
351 if (bitRate == 8) {
352 timing = 2;
353 }
354
355 for (int i=0; i < rawLen; i++) {
356 int ra = rawMod[i];
357 if (ra >= HITAG_T_EOF) {
358 if (rxlen != 0) {
359 //DbpString("wierd1?");
360 }
361 tag_sof = sofBits;
362
363 // Capture the T0 periods that have passed since last communication or field drop (reset)
364 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
365 *response = ra - HITAG_T_TAG_HALF_PERIOD;
366 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
367 tag_sof=0;
368 // Manchester coding example |-_|_-|-_| (101)
369 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
370 rxlen++;
371 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
372 rxlen++;
373 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
374 tag_sof=0;
375 // Manchester coding example |_-|...|_-|-_| (0...01)
376 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
377 rxlen++;
378 // We have to skip this half period at start and add the 'one' the second time
379 if (!bSkip) {
380 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
381 rxlen++;
382 }
383 lastbit = !lastbit;
384 bSkip = !bSkip;
385 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
386 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
387 if (tag_sof) {
388 // Ignore bits that are transmitted during SOF
389 tag_sof--;
390 } else {
391 // bit is same as last bit
392 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
393 rxlen++;
394 }
395 } else {
396 // Ignore wierd value, is to small to mean anything
397 }
398 }
399 *rxlenOrg = rxlen;
400 }
401
402 /*
403 static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
404 int tag_sof = 1; //skip start of frame
405 size_t rxlen = 0;
406
407 for (int i=0; i < rawLen; i++) {
408 int ra = rawMod[i];
409 if (ra >= HITAG_T_EOF) {
410 if (rxlen != 0) {
411 //DbpString("wierd1?");
412 }
413 // Capture the T0 periods that have passed since last communication or field drop (reset)
414 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
415 tag_sof = 1;
416 *response = ra - HITAG_T_TAG_HALF_PERIOD;
417 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
418 // AC coding example |--__|--__| means 0
419 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
420 rxlen++;
421 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
422 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
423 rxlen++;
424 i++; //drop next capture
425 }
426 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
427 if (tag_sof) {
428 // Ignore bits that are transmitted during SOF
429 tag_sof--;
430 } else {
431 // AC coding example |-_-_|-_-_| which means 1
432 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
433 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
434 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
435 rxlen++;
436 i++; //drop next capture
437 } else {
438 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
439 }
440 }
441 } else {
442 // Ignore wierd value, is to small to mean anything
443 }
444 }
445 *rxlenOrg = rxlen;
446 }
447 */
448
449 static void hitag_decode_frame_AC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
450 int tag_sof = 1;
451 size_t rxlen = 0;
452 int timing = 1;
453 if (bitRate == 4) {
454 timing = 2;
455 }
456
457
458 for (int i=0; i < rawLen; i++) {
459 int ra = rawMod[i];
460 if (ra >= HITAG_T_EOF) {
461 if (rxlen != 0) {
462 //DbpString("wierd1?");
463 }
464
465 // Capture the T0 periods that have passed since last communication or field drop (reset)
466 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
467 tag_sof = sofBits;
468 *response = ra - HITAG_T_TAG_HALF_PERIOD;
469 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
470 tag_sof=0;
471
472 // AC coding example |--__|--__| means 0
473 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
474 rxlen++;
475 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
476 tag_sof=0;
477
478 if (rawMod[i-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
479 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
480 if (rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
481 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
482 rxlen++;
483 i++; //drop next capture
484 } else {
485 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
486 }
487 } else {
488 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
489 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
490 rxlen++;
491 }
492 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
493 if (tag_sof) {
494 // Ignore bits that are transmitted during SOF
495 tag_sof--;
496 } else {
497 // AC coding example |-_-_|-_-_| which means 1
498 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
499 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
500 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
501 rxlen++;
502 i++; //drop next capture
503 } else {
504 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
505 }
506 }
507 } else {
508 // Ignore wierd value, is to small to mean anything
509 }
510 }
511 *rxlenOrg = rxlen;
512 }
513
514 static void hitag_receive_frame(byte_t* rx, size_t* rxlen, int* response) {
515 int rawMod[200] = {0};
516 int rawLen = 0;
517 int i = 0;
518 int sofBits = 0;
519
520 m = MC4K;
521 if (tag.pstate == READY) {
522 switch (tag.mode) {
523 case STANDARD:
524 m = AC2K;
525 sofBits = 1;
526 break;
527 case ADVANCED:
528 m = AC2K;
529 sofBits = 5; //3 sof bits but 5 captures
530 break;
531 case FAST_ADVANCED:
532 m = AC4K;
533 sofBits = 5; //3 sof bits but 5 captures
534 break;
535 default:
536 break;
537 }
538 } else {
539 switch (tag.mode) {
540 case STANDARD:
541 m = MC4K;
542 sofBits = 0; //in theory 1
543 break;
544 case ADVANCED:
545 m = MC4K;
546 sofBits = 5; //in theory 6
547 break;
548 case FAST_ADVANCED:
549 m = MC8K;
550 sofBits = 5; //in theory 6
551 break;
552 default:
553 break;
554 }
555 }
556
557 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
558 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
559
560
561 //first capture timing values
562 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX ) {
563 // Check if rising edge in modulation is detected
564 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
565 // Retrieve the new timing values
566 int ra = (AT91C_BASE_TC1->TC_RA / T0);
567
568 LED_B_ON();
569 // Reset timer every frame, we have to capture the last edge for timing
570 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
571 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
572
573 if (rawLen >= 200) { //avoid exception
574 break;
575 }
576 rawMod[rawLen] = ra;
577 rawLen++;
578
579 // We can break this loop if we received the last bit from a frame
580 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
581 if (rawLen > 2) {
582 if (DEBUG >= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen); }
583 break;
584 }
585 }
586 }
587 }
588
589 if (DEBUG >= 2) {
590 for (i=0; i < rawLen; i+=20) {
591 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
592 rawMod[i],rawMod[i+1],rawMod[i+2],rawMod[i+3], rawMod[i+4],rawMod[i+5],rawMod[i+6],rawMod[i+7],
593 rawMod[i+8],rawMod[i+9],rawMod[i+10],rawMod[i+11], rawMod[i+12],rawMod[i+13],rawMod[i+14],rawMod[i+15],
594 rawMod[i+16],rawMod[i+17],rawMod[i+18],rawMod[i+19]
595 );
596 }
597 }
598
599 switch (m) {
600 // DATA | 1 | 0 | 1 | 1 | 0 |
601 // Manchester |--__|__--|--__|--__|__--|
602 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
603 // |<-->|
604 // | T |
605 case AC2K:
606 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC2K"); }
607 hitag_decode_frame_AC(2, sofBits, rx, rxlen, response, rawMod, rawLen);
608 break;
609 case AC4K:
610 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC4K"); }
611 hitag_decode_frame_AC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
612 break;
613 case MC4K:
614 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC4K"); }
615 hitag_decode_frame_MC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
616 break;
617 case MC8K:
618 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC8K"); }
619 hitag_decode_frame_MC(8, sofBits, rx, rxlen, response, rawMod, rawLen);
620 break;
621 }
622
623 LED_B_OFF();
624 if (DEBUG >= 2) {
625 int rb[200] = {0}; int z = 0;
626 for (i = 0; i < 16; i++) { for (int j = 0; j < 8; j++) {
627 rb[z] = 0;
628 if ((rx[i] & ((1 << 7) >> j)) != 0) { rb[z] = 1; }
629 z++;
630 } }
631 for (i=0; i < z; i+=8) {
632 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb[i],rb[i+1],rb[i+2],rb[i+3],rb[i+4],rb[i+5],rb[i+6],rb[i+7] );
633 }
634 }
635 }
636
637 static void hitag_start_auth(byte_t* tx, size_t* txlen) {
638 *txlen = 5;
639 switch (tag.mode) {
640 case STANDARD:
641 //00110 - 0x30 - STANDARD MODE
642 memcpy(tx, "\x30", nbytes(*txlen));
643 break;
644 case ADVANCED:
645 //11000 - 0xc0 - Advance Mode
646 memcpy(tx, "\xc0", nbytes(*txlen));
647 break;
648 case FAST_ADVANCED:
649 //TODO!
650 break;
651 default: //STANDARD MODE
652 memcpy(tx, "\x30", nbytes(*txlen));
653 break;
654 }
655 tag.pstate = READY;
656 tag.tstate = NO_OP;
657 }
658
659 static int hitag_read_page(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int pageNum) {
660 int i, j, z;
661 int response_bit[200];
662 unsigned char mask = 1;
663 unsigned char crc;
664 unsigned char pageData[32];
665
666 if (pageNum >= tag.max_page) {
667 return -1;
668 }
669 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
670 //send read request
671 tag.tstate = READING_PAGE;
672 *txlen = 20;
673 crc = CRC_PRESET;
674 tx[0] = 0xc0 + (pageNum / 16);
675 calc_crc(&crc, tx[0], 8);
676 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
677 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
678 tx[2] = 0x00 + (crc % 16) * 16;
679 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE && *rxlen > 0) {
680 //save received data
681 z = 0;
682 for (i = 0; i < 4; i++) {
683 for (j = 0; j < 8; j++) {
684 response_bit[z] = 0;
685 if ((rx[i] & ((mask << 7) >> j)) != 0) {
686 response_bit[z] = 1;
687 }
688 if (z < 32) {
689 pageData[z] = response_bit[z];
690 }
691
692 z++;
693 }
694 }
695 for (i = 0; i < 4; i++) {
696 tag.pages[pageNum][i] = 0x0;
697 }
698 for (i = 0; i < 4; i++) {
699 tag.pages[pageNum][i] += ((pageData[i * 8] << 7) | (pageData[1 + (i * 8)] << 6) |
700 (pageData[2 + (i * 8)] << 5) | (pageData[3 + (i * 8)] << 4) |
701 (pageData[4 + (i * 8)] << 3) | (pageData[5 + (i * 8)] << 2) |
702 (pageData[6 + (i * 8)]
703 << 1) | pageData[7 + (i * 8)]);
704 }
705 if (tag.auth && tag.LKP && pageNum == 1) {
706 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
707 tag.pages[pageNum][2], tag.pages[pageNum][1], tag.pages[pageNum][0]);
708 } else {
709 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
710 tag.pages[pageNum][3], tag.pages[pageNum][2],
711 tag.pages[pageNum][1], tag.pages[pageNum][0]);
712 }
713
714
715 //display key and password if possible
716 if (pageNum == 1 && tag.auth == 1 && tag.LKP) {
717 if (htf == 02) { //RHTS_KEY
718 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
719 (byte_t)(key >> 8) & 0xff,
720 (byte_t) key & 0xff, pwdl1, pwdl0);
721 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
722 (byte_t)(key >> 40) & 0xff,
723 (byte_t)(key >> 32) & 0xff,
724 (byte_t)(key >> 24) & 0xff,
725 (byte_t)(key >> 16) & 0xff);
726 } else {
727 //if the authentication is done with a challenge the key and password are unknown
728 Dbprintf("Page[ 2]: __ __ __ __");
729 Dbprintf("Page[ 3]: __ __ __ __");
730 }
731 }
732
733 *txlen = 20;
734 crc = CRC_PRESET;
735 tx[0] = 0xc0 + ((pageNum+1) / 16);
736 calc_crc(&crc, tx[0], 8);
737 calc_crc(&crc, 0x00 + (((pageNum+1) % 16) * 16), 4);
738 tx[1] = 0x00 + (((pageNum+1) % 16) * 16) + (crc / 16);
739 tx[2] = 0x00 + (crc % 16) * 16;
740
741 return 1;
742 }
743 return 0;
744 }
745
746 static int hitag_read_block(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int blockNum) {
747 int i, j, z;
748 int response_bit[200];
749 unsigned char mask = 1;
750 unsigned char crc;
751 unsigned char blockData[128];
752
753 if (blockNum+4 >= tag.max_page) { //block always = 4 pages
754 return -1;
755 }
756
757 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
758 //send read request
759 tag.tstate = READING_BLOCK;
760 *txlen = 20;
761 crc = CRC_PRESET;
762 tx[0] = 0xd0 + (blockNum / 16);
763 calc_crc(&crc, tx[0], 8);
764 calc_crc(&crc, 0x00 + ((blockNum % 16) * 16), 4);
765 tx[1] = 0x00 + ((blockNum % 16) * 16) + (crc / 16);
766 tx[2] = 0x00 + (crc % 16) * 16;
767 } else if (tag.pstate == SELECTED && tag.tstate == READING_BLOCK && *rxlen > 0) {
768 //save received data
769 z = 0;
770 for (i = 0; i < 16; i++) {
771 for (j = 0; j < 8; j++) {
772 response_bit[z] = 0;
773 if ((rx[i] & ((mask << 7) >> j)) != 0) {
774 response_bit[z] = 1;
775 }
776 if (z < 128) {
777 blockData[z] = response_bit[z];
778 }
779 z++;
780 }
781 }
782
783 for (z = 0; z < 4; z++) { //4 pages
784 for (i = 0; i < 4; i++) {
785 tag.pages[blockNum+z][i] = 0x0;
786 }
787 }
788 for (z = 0; z < 4; z++) { //4 pages
789 for (i = 0; i < 4; i++) {
790 j = (i * 8) + (z*32); //bit in page + pageStart
791 tag.pages[blockNum+z][i] = ((blockData[j] << 7) | (blockData[1 + j] << 6) |
792 (blockData[2 + j] << 5) | (blockData[3 + j] << 4) |
793 (blockData[4 + j] << 3) | (blockData[5 + j] << 2) |
794 (blockData[6 + j] << 1) | blockData[7 + j]);
795 }
796 }
797 if (DEBUG) {
798 for (z = 0; z < 4; z++) {
799 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum+z,
800 tag.pages[blockNum+z][3], tag.pages[blockNum+z][2],
801 tag.pages[blockNum+z][1], tag.pages[blockNum+z][0]);
802 }
803 }
804 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum,
805 tag.pages[blockNum][3], tag.pages[blockNum][2], tag.pages[blockNum][1], tag.pages[blockNum][0],
806 tag.pages[blockNum+1][3], tag.pages[blockNum+1][2], tag.pages[blockNum+1][1], tag.pages[blockNum+1][0],
807 tag.pages[blockNum+2][3], tag.pages[blockNum+2][2], tag.pages[blockNum+2][1], tag.pages[blockNum+2][0],
808 tag.pages[blockNum+3][3], tag.pages[blockNum+3][2], tag.pages[blockNum+3][1], tag.pages[blockNum+3][0]);
809
810 *txlen = 20;
811 crc = CRC_PRESET;
812 tx[0] = 0xd0 + ((blockNum+4) / 16);
813 calc_crc(&crc, tx[0], 8);
814 calc_crc(&crc, 0x00 + (((blockNum+4) % 16) * 16), 4);
815 tx[1] = 0x00 + (((blockNum+4) % 16) * 16) + (crc / 16);
816 tx[2] = 0x00 + (crc % 16) * 16;
817
818 return 1;
819 }
820 return 0;
821 }
822
823
824 /*
825 * to check if the right uid was selected
826 */
827 static int check_select(byte_t* rx, uint32_t uid) {
828 unsigned char resp[48];
829 int i;
830 uint32_t ans = 0x0;
831 for (i = 0; i < 48; i++)
832 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
833 for (i = 0; i < 32; i++)
834 ans += resp[5 + i] << (31 - i);
835 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
836 && rx[4] == 0x65 && rx[5] == 0x38)
837 Dbprintf("got uid %X", ans);*/
838 temp_uid = ans;
839 if (ans == tag.uid)
840 return 1;
841 return 0;
842 }
843
844 /*
845 * handles all commands from a reader
846 */
847 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
848 byte_t* tx, size_t* txlen) {
849 byte_t rx_air[HITAG_FRAME_LEN];
850 byte_t page;
851 int i;
852 uint64_t state;
853 unsigned char crc;
854
855 // Copy the (original) received frame how it is send over the air
856 memcpy(rx_air, rx, nbytes(rxlen));
857 // Reset the transmission frame length
858 *txlen = 0;
859 // Try to find out which command was send by selecting on length (in bits)
860 switch (rxlen) {
861 case 5: {
862 //UID request with a selected response protocol mode
863 tag.pstate = READY;
864 tag.tstate = NO_OP;
865 if ((rx[0] & 0xf0) == 0x30) {
866 Dbprintf("recieved uid request in Standard Mode");
867 tag.mode = STANDARD;
868 sof_bits = 1;
869 m = AC2K;
870 }
871 if ((rx[0] & 0xf0) == 0xc0) {
872 Dbprintf("recieved uid request in ADVANCE Mode");
873 tag.mode = ADVANCED;
874 sof_bits = 3;
875 m = AC2K;
876 }
877 if ((rx[0] & 0xf0) == 0xd0) {
878 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
879 tag.mode = FAST_ADVANCED;
880 sof_bits = 3;
881 m = AC4K;
882 }
883 //send uid as a response
884 *txlen = 32;
885 for (i = 0; i < 4; i++) {
886 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
887 }
888 }
889 break;
890 case 45: {
891 //select command from reader received
892 if (check_select(rx, tag.uid) == 1) {
893 //if the right tag was selected
894 *txlen = 32;
895 switch (tag.mode) {
896 case STANDARD:
897 Dbprintf("uid selected in Standard Mode");
898 sof_bits = 1;
899 m = MC4K;
900 break;
901 case ADVANCED:
902 Dbprintf("uid selected in ADVANCE Mode");
903 sof_bits = 6;
904 m = MC4K;
905 break;
906 case FAST_ADVANCED:
907 Dbprintf("uid selected in FAST_ADVANCE Mode");
908 sof_bits = 6;
909 m = MC8K;
910 break;
911 default:
912 break;
913 }
914
915 //send configuration
916 tx[0] = tag.pages[1][3];
917 tx[1] = tag.pages[1][2];
918 tx[2] = tag.pages[1][1];
919 tx[3] = 0xff;
920 if (tag.mode != STANDARD) {
921 *txlen = 40;
922 crc = CRC_PRESET;
923 for (i = 0; i < 4; i++)
924 calc_crc(&crc, tx[i], 8);
925 tx[4] = crc;
926 }
927 }
928 }
929 break;
930 case 64: {
931 switch (tag.mode) {
932 case STANDARD:
933 sof_bits = 1;
934 m = MC4K;
935 break;
936 case ADVANCED:
937 sof_bits = 6;
938 m = MC4K;
939 break;
940 case FAST_ADVANCED:
941 sof_bits = 6;
942 m = MC8K;
943 break;
944 default:
945 break;
946 }
947 //challenge message received
948 Dbprintf("Challenge for UID: %X", temp_uid);
949 temp2++;
950 state = hitag2_init(REV64(tag.key), REV32(tag.pages[0][0]),
951 REV32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
952 Dbprintf(
953 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
954 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
955
956 for (i = 0; i < 4; i++) {
957 hitag2_byte(&state);
958 }
959
960 *txlen = 32;
961 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
962 tx[0] = hitag2_byte(&state) ^ tag.pages[1][1];
963 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
964 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
965 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
966 if (tag.mode != STANDARD) {
967 //add crc8
968 *txlen = 40;
969 crc = CRC_PRESET;
970 calc_crc(&crc, tag.pages[1][1], 8);
971 calc_crc(&crc, tag.pwdh0, 8);
972 calc_crc(&crc, tag.pwdl0, 8);
973 calc_crc(&crc, tag.pwdl1, 8);
974 tx[4] = (crc ^ hitag2_byte(&state));
975 }
976 }
977 case 40:
978 //data received to be written
979 if (tag.tstate == WRITING_PAGE_DATA) {
980 tag.tstate = NO_OP;
981 tag.pages[page_to_be_written][0] = rx[3];
982 tag.pages[page_to_be_written][1] = rx[2];
983 tag.pages[page_to_be_written][2] = rx[1];
984 tag.pages[page_to_be_written][3] = rx[0];
985
986 //send ack
987 *txlen = 2;
988 tx[0] = 0x40;
989 page_to_be_written = 0;
990 switch (tag.mode) {
991 case STANDARD:
992 sof_bits = 1;
993 m = MC4K;
994 break;
995 case ADVANCED:
996 sof_bits = 6;
997 m = MC4K;
998 break;
999 case FAST_ADVANCED:
1000 sof_bits = 6;
1001 m = MC8K;
1002 break;
1003 default:
1004 break;
1005 }
1006 } else if (tag.tstate == WRITING_BLOCK_DATA) {
1007 tag.pages[page_to_be_written][0] = rx[0];
1008 tag.pages[page_to_be_written][1] = rx[1];
1009 tag.pages[page_to_be_written][2] = rx[2];
1010 tag.pages[page_to_be_written][3] = rx[3];
1011
1012 //send ack
1013 *txlen = 2;
1014 tx[0] = 0x40;
1015 switch (tag.mode) {
1016 case STANDARD:
1017 sof_bits = 1;
1018 m = MC4K;
1019 break;
1020 case ADVANCED:
1021 sof_bits = 6;
1022 m = MC4K;
1023 break;
1024 case FAST_ADVANCED:
1025 sof_bits = 6;
1026 m = MC8K;
1027 break;
1028 default:
1029 break;
1030 }
1031 page_to_be_written++;
1032 block_data_left--;
1033 if (block_data_left == 0) {
1034 tag.tstate = NO_OP;
1035 page_to_be_written = 0;
1036 }
1037 }
1038 break;
1039 case 20: {
1040 //write page, write block, read page or read block command received
1041 if ((rx[0] & 0xf0) == 0xc0) { //read page
1042 //send page data
1043 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1044 Dbprintf("reading page %d", page);
1045 *txlen = 32;
1046 tx[0] = tag.pages[page][0];
1047 tx[1] = tag.pages[page][1];
1048 tx[2] = tag.pages[page][2];
1049 tx[3] = tag.pages[page][3];
1050
1051 if (tag.LKP && page == 1)
1052 tx[3] = 0xff;
1053
1054 switch (tag.mode) {
1055 case STANDARD:
1056 sof_bits = 1;
1057 m = MC4K;
1058 break;
1059 case ADVANCED:
1060 sof_bits = 6;
1061 m = MC4K;
1062 break;
1063 case FAST_ADVANCED:
1064 sof_bits = 6;
1065 m = MC8K;
1066 break;
1067 default:
1068 break;
1069 }
1070
1071 if (tag.mode != STANDARD) {
1072 //add crc8
1073 *txlen = 40;
1074 crc = CRC_PRESET;
1075 for (i = 0; i < 4; i++)
1076 calc_crc(&crc, tx[i], 8);
1077 tx[4] = crc;
1078 }
1079
1080 if (tag.LKP && (page == 2 || page == 3)) {
1081 //if reader asks for key or password and the LKP-mark is set do not respond
1082 sof_bits = 0;
1083 *txlen = 0;
1084 }
1085 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
1086 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1087 Dbprintf("reading block %d", page);
1088 *txlen = 32 * 4;
1089 //send page,...,page+3 data
1090 for (i = 0; i < 4; i++) {
1091 tx[0 + (i * 4)] = tag.pages[page][0];
1092 tx[1 + (i * 4)] = tag.pages[page][1];
1093 tx[2 + (i * 4)] = tag.pages[page][2];
1094 tx[3 + (i * 4)] = tag.pages[page][3];
1095 page++;
1096 }
1097
1098 switch (tag.mode) {
1099 case STANDARD:
1100 sof_bits = 1;
1101 m = MC4K;
1102 break;
1103 case ADVANCED:
1104 sof_bits = 6;
1105 m = MC4K;
1106 break;
1107 case FAST_ADVANCED:
1108 sof_bits = 6;
1109 m = MC8K;
1110 break;
1111 default:
1112 break;
1113 }
1114
1115 if (tag.mode != STANDARD) {
1116 //add crc8
1117 *txlen = 32 * 4 + 8;
1118 crc = CRC_PRESET;
1119 for (i = 0; i < 16; i++)
1120 calc_crc(&crc, tx[i], 8);
1121 tx[16] = crc;
1122 }
1123
1124 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
1125 sof_bits = 0;
1126 *txlen = 0;
1127 }
1128 } else if ((rx[0] & 0xf0) == 0x80) { //write page
1129 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1130
1131 switch (tag.mode) {
1132 case STANDARD:
1133 sof_bits = 1;
1134 m = MC4K;
1135 break;
1136 case ADVANCED:
1137 sof_bits = 6;
1138 m = MC4K;
1139 break;
1140 case FAST_ADVANCED:
1141 sof_bits = 6;
1142 m = MC8K;
1143 break;
1144 default:
1145 break;
1146 }
1147 if ((tag.LCON && page == 1)
1148 || (tag.LKP && (page == 2 || page == 3))) {
1149 //deny
1150 *txlen = 0;
1151 } else {
1152 //allow
1153 *txlen = 2;
1154 tx[0] = 0x40;
1155 page_to_be_written = page;
1156 tag.tstate = WRITING_PAGE_DATA;
1157 }
1158
1159 } else if ((rx[0] & 0xf0) == 0x90) { //write block
1160 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
1161 switch (tag.mode) {
1162 case STANDARD:
1163 sof_bits = 1;
1164 m = MC4K;
1165 break;
1166 case ADVANCED:
1167 sof_bits = 6;
1168 m = MC4K;
1169 break;
1170 case FAST_ADVANCED:
1171 sof_bits = 6;
1172 m = MC8K;
1173 break;
1174 default:
1175 break;
1176 }
1177 if (page % 4 != 0 || page == 0) {
1178 //deny
1179 *txlen = 0;
1180 } else {
1181 //allow
1182 *txlen = 2;
1183 tx[0] = 0x40;
1184 page_to_be_written = page;
1185 block_data_left = 4;
1186 tag.tstate = WRITING_BLOCK_DATA;
1187 }
1188 }
1189 }
1190 break;
1191 default:
1192
1193 break;
1194 }
1195 }
1196
1197
1198 /*
1199 * to autenticate to a tag with the given key or challenge
1200 */
1201 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx,
1202 const size_t rxlen, byte_t* tx, size_t* txlen) {
1203 byte_t rx_air[HITAG_FRAME_LEN];
1204 int response_bit[200] = {0};
1205 int i, j, z, k;
1206 unsigned char mask = 1;
1207 unsigned char uid[32];
1208 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
1209 unsigned char crc;
1210 uint64_t state;
1211 byte_t auth_ks[4];
1212 byte_t conf_pages[3];
1213 memcpy(rx_air, rx, nbytes(rxlen));
1214 *txlen = 0;
1215
1216 if (DEBUG) {
1217 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen, (int)tag.pstate);
1218 }
1219
1220 if (tag.pstate == READY && rxlen >= 32) {
1221 //received uid
1222 if(end==true) {
1223 Dbprintf("authentication failed!");
1224 return -1;
1225 }
1226 z = 0;
1227 for (i = 0; i < 10; i++) {
1228 for (j = 0; j < 8; j++) {
1229 response_bit[z] = 0;
1230 if ((rx[i] & ((mask << 7) >> j)) != 0)
1231 response_bit[z] = 1;
1232 z++;
1233 }
1234 }
1235 for (i = 0; i < 32; i++) {
1236 uid[i] = response_bit[i];
1237 }
1238
1239 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
1240 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
1241 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
1242 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
1243 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
1244 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
1245 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
1246 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
1247 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
1248 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
1249
1250 //select uid
1251 crc = CRC_PRESET;
1252 calc_crc(&crc, 0x00, 5);
1253 calc_crc(&crc, uid1, 8);
1254 calc_crc(&crc, uid2, 8);
1255 calc_crc(&crc, uid3, 8);
1256 calc_crc(&crc, uid4, 8);
1257 Dbprintf("crc: %02X", crc);
1258
1259 //resetting response bit
1260 for (i = 0; i < 100; i++) {
1261 response_bit[i] = 0;
1262 }
1263
1264 //skip the first 5
1265 for (i = 5; i < 37; i++) {
1266 response_bit[i] = uid[i - 5];
1267 }
1268 //add crc value
1269 for (j = 0; j < 8; j++) {
1270 response_bit[i] = 0;
1271 if ((crc & ((mask << 7) >> j)) != 0)
1272 response_bit[i] = 1;
1273 i++;
1274 }
1275
1276 k = 0;
1277 for (i = 0; i < 6; i++) {
1278 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1279 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
1280 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
1281 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1282 k += 8;
1283 }
1284 *txlen = 45;
1285 tag.pstate = INIT;
1286 } else if (tag.pstate == INIT && rxlen > 24) {
1287 // received configuration after select command
1288 z = 0;
1289 for (i = 0; i < 4; i++) {
1290 for (j = 0; j < 8; j++) {
1291 response_bit[z] = 0;
1292 if ((rx[i] & ((mask << 7) >> j)) != 0) {
1293 response_bit[z] = 1;
1294 }
1295 z++;
1296 }
1297 }
1298
1299 //check wich memorysize this tag has
1300 //CON0
1301 if (response_bit[6] == 0 && response_bit[7] == 0)
1302 tag.max_page = 32 / 32;
1303 if (response_bit[6] == 0 && response_bit[7] == 1)
1304 tag.max_page = 256 / 32;
1305 if (response_bit[6] == 1 && response_bit[7] == 0)
1306 tag.max_page = 2048 / 32;
1307 if (response_bit[6] == 1 && response_bit[7] == 1) //reserved but some tags got this setting
1308 tag.max_page = 2048 / 32;
1309
1310 //CON1
1311 tag.auth = response_bit[8];
1312 tag.TTFC = response_bit[9];
1313 //tag.TTFDR in response_bit[10] and response_bit[11]
1314 //tag.TTFM in response_bit[12] and response_bit[13]
1315 tag.LCON = response_bit[14];
1316 tag.LKP = response_bit[15];
1317
1318 //CON2
1319 tag.LCK7 = response_bit[16];
1320 tag.LCK6 = response_bit[17];
1321 tag.LCK5 = response_bit[18];
1322 tag.LCK4 = response_bit[19];
1323 tag.LCK3 = response_bit[20];
1324 tag.LCK2 = response_bit[21];
1325 tag.LCK1 = response_bit[22];
1326 tag.LCK0 = response_bit[23];
1327
1328 if (DEBUG) {
1329 conf_pages[0] = ((response_bit[0] << 7) | (response_bit[1] << 6)
1330 | (response_bit[2] << 5) | (response_bit[3] << 4)
1331 | (response_bit[4] << 3) | (response_bit[5] << 2)
1332 | (response_bit[6] << 1) | response_bit[7]);
1333 conf_pages[1] = ((response_bit[8] << 7) | (response_bit[9] << 6)
1334 | (response_bit[10] << 5) | (response_bit[11] << 4)
1335 | (response_bit[12] << 3) | (response_bit[13] << 2)
1336 | (response_bit[14] << 1) | response_bit[15]);
1337 conf_pages[2] = ((response_bit[16] << 7) | (response_bit[17] << 6)
1338 | (response_bit[18] << 5) | (response_bit[19] << 4)
1339 | (response_bit[20] << 3) | (response_bit[21] << 2)
1340 | (response_bit[22] << 1) | response_bit[23]);
1341 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
1342 Dbprintf("tag.max_page: %d, tag.auth: %d", tag.max_page, tag.auth);
1343 }
1344
1345 if (tag.auth == 1) {
1346 //if the tag is in authentication mode try the key or challenge
1347 *txlen = 64;
1348 if(end!=true){
1349 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
1350 state = hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
1351 /*
1352 Dbprintf("key: %02X %02X\n\n", key, REV64(key));
1353 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, REV32(tag.uid));
1354 Dbprintf("rnd: %02X %02X\n\n", rnd, REV32(rnd));
1355 */
1356 for (i = 0; i < 4; i++) {
1357 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
1358 }
1359 *txlen = 64;
1360 tx[0] = rnd & 0xff;
1361 tx[1] = (rnd >> 8) & 0xff;
1362 tx[2] = (rnd >> 16) & 0xff;
1363 tx[3] = (rnd >> 24) & 0xff;
1364
1365 tx[4] = auth_ks[0];
1366 tx[5] = auth_ks[1];
1367 tx[6] = auth_ks[2];
1368 tx[7] = auth_ks[3];
1369 if (DEBUG)
1370 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
1371 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
1372 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1373 for (i = 0; i < 8; i++)
1374 tx[i]=((NrAr>>(56-(i*8)))&0xff);
1375 }
1376 end=true;
1377 tag.pstate = AUTHENTICATE;
1378 } else {
1379 Dbprintf("authentication failed!");
1380 return -1;
1381 }
1382 } else if (tag.auth == 0) {
1383 tag.pstate = SELECTED;
1384 }
1385
1386 } else if (tag.pstate == AUTHENTICATE && rxlen >= 32) {
1387 //encrypted con2,password received.
1388 if (DEBUG) {
1389 Dbprintf("UID:::%X", tag.uid);
1390 Dbprintf("RND:::%X", rnd);
1391 }
1392
1393 //decrypt password
1394 pwdh0=0;
1395 pwdl0=0;
1396 pwdl1=0;
1397 if(htf==02 || htf==04) { //RHTS_KEY //WHTS_KEY
1398 state = hitag2_init(REV64(key), REV32(tag.uid), REV32(rnd));
1399 for (i = 0; i < 5; i++) {
1400 hitag2_byte(&state);
1401 }
1402 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ hitag2_byte(&state);
1403 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ hitag2_byte(&state);
1404 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ hitag2_byte(&state);
1405 if (DEBUG) {
1406 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
1407 }
1408 }
1409 tag.pstate = SELECTED; //tag is now ready for read/write commands
1410 }
1411
1412 if (DEBUG) {
1413 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag.pstate);
1414 }
1415
1416 return 0;
1417 }
1418
1419 /*
1420 * Emulates a Hitag S Tag with the given data from the .hts file
1421 */
1422 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
1423 int frame_count;
1424 int response;
1425 int overflow;
1426 int i, j;
1427 byte_t rx[HITAG_FRAME_LEN];
1428 size_t rxlen = 0;
1429 bQuiet = false;
1430 byte_t txbuf[HITAG_FRAME_LEN];
1431 byte_t* tx = txbuf;
1432 size_t txlen = 0;
1433 uint8_t con0, con1, con2;
1434 BigBuf_free();
1435
1436 // Clean up trace and prepare it for storing frames
1437 set_tracing(true);
1438 clear_trace();
1439
1440 DbpString("Starting HitagS simulation");
1441 LED_D_ON();
1442
1443 tag.pstate = READY;
1444 tag.tstate = NO_OP;
1445 //read tag data into memory
1446 if (tag_mem_supplied) {
1447 DbpString("Loading hitagS memory...");
1448 for (i = 0; i < 64; i++) {
1449 for (j = 0; j < 4; j++) {
1450 tag.pages[i][j] = 0x0;
1451 }
1452 }
1453
1454 for (i = 0; i < 64; i++) {
1455 for (j = 0; j < 4; j++) {
1456 tag.pages[i][j] = data[(i*4)+j];
1457 }
1458 }
1459 }
1460 tag.uid = (tag.pages[0][3] << 24 | tag.pages[0][2] << 16 | tag.pages[0][1] << 8 | tag.pages[0][0]);
1461 con0 = tag.pages[1][3];
1462 con1 = tag.pages[1][2];
1463 con2 = tag.pages[1][1];
1464 Dbprintf("UID: %X", tag.uid);
1465 Dbprintf("Hitag S simulation started");
1466
1467 //0x01 plain mode - Reserved, CON2, CON1, CON0
1468 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1469 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1470 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1471
1472 //con0
1473 tag.max_page = 2048 / 32;
1474 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 1)
1475 tag.max_page = 256 / 32;
1476 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 0)
1477 tag.max_page = 32 / 32;
1478
1479 //CON1
1480 tag.auth = ((con1 & 0x80) == 0x80) ? 1 : 0;
1481 tag.TTFC = ((con1 & 0x40) == 0x40) ? 1 : 0;
1482 //tag.TTFDR in response_bit[10] and response_bit[11]
1483 //tag.TTFM in response_bit[12] and response_bit[13]
1484 tag.LCON = ((con1 & 0x2) == 0x2) ? 1 : 0;
1485 tag.LKP = ((con1 & 0x1) == 0x1) ? 1 : 0;
1486
1487 //CON2
1488 tag.LCK7 = ((con2 & 0x80) == 0x80) ? 1 : 0;
1489 tag.LCK6 = ((con2 & 0x40) == 0x40) ? 1 : 0;
1490 tag.LCK5 = ((con2 & 0x20) == 0x20) ? 1 : 0;
1491 tag.LCK4 = ((con2 & 0x10) == 0x10) ? 1 : 0;
1492 tag.LCK3 = ((con2 & 0x8) == 0x8) ? 1 : 0;
1493 tag.LCK2 = ((con2 & 0x4) == 0x4) ? 1 : 0;
1494 tag.LCK1 = ((con2 & 0x2) == 0x2) ? 1 : 0;
1495 tag.LCK0 = ((con2 & 0x1) == 0x1) ? 1 : 0;
1496
1497 if (tag.auth == 1) {
1498 //TODO check if this working :D
1499 tag.key=(intptr_t)tag.pages[3];
1500 tag.key<<=16;
1501 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
1502 tag.pwdl0=tag.pages[2][3];
1503 tag.pwdl1=tag.pages[2][2];
1504 tag.pwdh0=tag.pages[1][0];
1505 }
1506
1507 // Set up simulator mode, frequency divisor which will drive the FPGA
1508 // and analog mux selection.
1509 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1510 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
1511 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1512 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1513 RELAY_OFF();
1514
1515 // Configure output pin that is connected to the FPGA (for modulating)
1516 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1517 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1518
1519 // Disable modulation at default, which means release resistance
1520 LOW(GPIO_SSC_DOUT);
1521
1522 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1523 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1524
1525 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1526 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1527 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1528
1529 // Disable timer during configuration
1530 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1531 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1532
1533 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1534 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1535
1536 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1537 // external trigger rising edge, load RA on rising edge of TIOA.
1538 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1539
1540 // Reset the received frame, frame count and timing info
1541 memset(rx, 0x00, sizeof(rx));
1542 frame_count = 0;
1543 response = 0;
1544 overflow = 0;
1545
1546 // Enable and reset counter
1547 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1548
1549 while (!BUTTON_PRESS()) {
1550 // Watchdog hit
1551 WDT_HIT();
1552
1553 // Receive frame, watch for at most T0*EOF periods
1554 //HITAG_T_WAIT_MAX
1555 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1556 // Check if rising edge in modulation is detected
1557 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1558 // Retrieve the new timing values
1559 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1560 overflow = 0;
1561
1562 // Reset timer every frame, we have to capture the last edge for timing
1563 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1564
1565 LED_B_ON();
1566
1567 // Capture reader frame
1568 if (ra >= HITAG_T_STOP) {
1569 if (rxlen != 0) {
1570 //DbpString("wierd0?");
1571 }
1572 // Capture the T0 periods that have passed since last communication or field drop (reset)
1573 response = (ra - HITAG_T_LOW);
1574 } else if (ra >= HITAG_T_1_MIN) {
1575 // '1' bit
1576 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1577 rxlen++;
1578 } else if (ra >= HITAG_T_0_MIN) {
1579 // '0' bit
1580 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1581 rxlen++;
1582 } else {
1583 // Ignore wierd value, is to small to mean anything
1584 }
1585 }
1586 }
1587
1588 // Check if frame was captured
1589 if (rxlen > 0) {
1590 frame_count++;
1591 if (!bQuiet) {
1592 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1593 DbpString("Trace full");
1594 clear_trace();
1595 }
1596 }
1597
1598 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1599 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1600
1601 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1602 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1603
1604 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1605 // not that since the clock counts since the rising edge, but T_Wait1 is
1606 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1607 // periods. The gap time T_Low varies (4..10). All timer values are in
1608 // terms of T0 units
1609 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) { }
1610
1611 // Send and store the tag answer (if there is any)
1612 if (txlen > 0) {
1613 // Transmit the tag frame
1614 hitag_tag_send_frame(tx, txlen);
1615
1616 // Store the frame in the trace
1617 if (!bQuiet) {
1618 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1619 DbpString("Trace full");
1620 clear_trace();
1621 }
1622 }
1623 }
1624
1625 // Enable and reset external trigger in timer for capturing future frames
1626 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1627
1628 // Reset the received frame and response timing info
1629 memset(rx, 0x00, sizeof(rx));
1630 response = 0;
1631
1632 LED_B_OFF();
1633 }
1634 // Reset the frame length
1635 rxlen = 0;
1636 // Save the timer overflow, will be 0 when frame was received
1637 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1638 // Reset the timer to restart while-loop that receives frames
1639 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1640 }
1641 Dbprintf("Hitag S simulation stopped");
1642 LED_B_OFF();
1643 LED_D_OFF();
1644 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1645 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1646 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1647 }
1648
1649 /*
1650 * Authenticates to the Tag with the given key or challenge.
1651 * If the key was given the password will be decrypted.
1652 * Reads every page of a hitag S transpoder.
1653 */
1654 void ReadHitagSintern(hitag_function htf, hitag_data* htd, stype tagMode, int startPage, bool readBlock) {
1655 int frame_count;
1656 int i;
1657 int sendNum = startPage;
1658 tag.mode = tagMode;
1659
1660 //int i, j, z;
1661 //int response_bit[200];
1662 //unsigned char mask = 1;
1663
1664 int response;
1665 byte_t rx[HITAG_FRAME_LEN];
1666 size_t rxlen = 0;
1667 byte_t txbuf[HITAG_FRAME_LEN];
1668 byte_t* tx = txbuf;
1669 size_t txlen = 0;
1670 int lastbit;
1671 int t_wait = HITAG_T_WAIT_MAX;
1672 bool bStop;
1673 bool bQuitTraceFull = false;
1674
1675 page_to_be_written = 0;
1676
1677 //read given key/challenge
1678 byte_t NrAr_[8];
1679 uint64_t key=0;
1680 uint64_t NrAr=0;
1681 byte_t key_[6];
1682 switch(htf) {
1683 case 01:
1684 case 03: { //RHTS_CHALLENGE
1685 DbpString("Authenticating using nr,ar pair:");
1686 memcpy(NrAr_,htd->auth.NrAr,8);
1687 Dbhexdump(8,NrAr_,false);
1688 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1689 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1690 } break;
1691 case 02:
1692 case 04: { //RHTS_KEY
1693 DbpString("Authenticating using key:");
1694 memcpy(key_,htd->crypto.key,6);
1695 Dbhexdump(6,key_,false);
1696 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1697 } break;
1698 default: {
1699 Dbprintf("Error , unknown function: %d",htf);
1700 return;
1701 } break;
1702 }
1703
1704
1705
1706 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1707 // Reset the return status
1708 bSuccessful = false;
1709
1710 // Clean up trace and prepare it for storing frames
1711 set_tracing(true);
1712 clear_trace();
1713
1714 bQuiet = false;
1715
1716 LED_D_ON();
1717
1718 // Configure output and enable pin that is connected to the FPGA (for modulating)
1719 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1720 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1721
1722 // Set fpga in edge detect with reader field, we can modulate as reader now
1723 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1724
1725 // Set Frequency divisor which will drive the FPGA and analog mux selection
1726 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1727 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1728 RELAY_OFF();
1729
1730 // Disable modulation at default, which means enable the field
1731 LOW(GPIO_SSC_DOUT);
1732
1733 // Give it a bit of time for the resonant antenna to settle.
1734 SpinDelay(30);
1735
1736 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1737 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1738
1739 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1740 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1741 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1742
1743 // Disable timer during configuration
1744 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1745 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1746
1747 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1748 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1749
1750 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1751 // external trigger rising edge, load RA on falling edge of TIOA.
1752 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1753
1754 // Enable and reset counters
1755 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1756 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1757
1758 // Reset the received frame, frame count and timing info
1759 frame_count = 0;
1760 response = 0;
1761 lastbit = 1;
1762 bStop = false;
1763 t_wait = 200;
1764
1765 while (!bStop && !BUTTON_PRESS()) {
1766 // Watchdog hit
1767 WDT_HIT();
1768
1769
1770 // Add transmitted frame to total count
1771 if (txlen > 0) {
1772 frame_count++;
1773
1774 if (tag.pstate == READY && rxlen < 1) {
1775 //skip logging starting auths if no response
1776 } else {
1777 if (!bQuiet) {
1778 // Store the frame in the trace
1779 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1780 if (bQuitTraceFull) {
1781 DbpString("Trace full");
1782 break;
1783 } else {
1784 bQuiet = true;
1785 }
1786 }
1787 }
1788 }
1789 }
1790
1791 // Check if frame was captured and store it
1792 if (rxlen > 0) {
1793 frame_count++;
1794 if (!bQuiet) {
1795 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1796 DbpString("Trace full");
1797 if (bQuitTraceFull) {
1798 break;
1799 } else {
1800 bQuiet = true;
1801 }
1802 }
1803 }
1804 }
1805
1806 // By default reset the transmission buffer
1807 tx = txbuf;
1808 txlen = 0;
1809
1810 if (DEBUG >= 2) {
1811 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count, rxlen, (int)tag.pstate, (int)tag.tstate);
1812 }
1813
1814 if (rxlen == 0) {
1815 //start authentication
1816 hitag_start_auth(tx, &txlen);
1817 } else if (tag.pstate != SELECTED) {
1818 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1) {
1819 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
1820 bStop = !false;
1821 }
1822 }
1823
1824
1825
1826 if (readBlock && tag.pstate == SELECTED && (tag.tstate == READING_BLOCK || tag.tstate == NO_OP) && rxlen > 0) {
1827 i = hitag_read_block(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1828 if (i > 0) { sendNum+=4; }
1829 if (sendNum+4 >= tag.max_page) {
1830 bStop = !false;
1831 }
1832 } else if (!readBlock && tag.pstate == SELECTED && (tag.tstate == READING_PAGE || tag.tstate == NO_OP) && rxlen > 0) {
1833 i = hitag_read_page(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1834 if (i > 0) { sendNum++; }
1835 if (sendNum >= tag.max_page) {
1836 bStop = !false;
1837 }
1838 }
1839
1840 // Send and store the reader command
1841 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1842 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1843
1844 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1845 // Since the clock counts since the last falling edge, a 'one' means that the
1846 // falling edge occured halfway the period. with respect to this falling edge,
1847 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1848 // All timer values are in terms of T0 units
1849
1850 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
1851
1852 // Transmit the reader frame
1853 hitag_reader_send_frame(tx, txlen);
1854
1855
1856 // Enable and reset external trigger in timer for capturing future frames
1857 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1858
1859
1860 // Reset values for receiving frames
1861 memset(rx, 0x00, sizeof(rx));
1862 rxlen = 0;
1863 lastbit = 1;
1864 response = 0;
1865
1866 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1867 hitag_receive_frame(rx, &rxlen, &response);
1868 }
1869 end=false;
1870 LED_B_OFF();
1871 LED_D_OFF();
1872 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1873 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1874 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1875 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1876 }
1877
1878 void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock) {
1879 if (tagMode == 1) {
1880 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1881 ReadHitagSintern(htf, htd, ADVANCED, (int)startPage, readBlock);
1882 } else if (tagMode == 2) {
1883 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1884 ReadHitagSintern(htf, htd, FAST_ADVANCED, (int)startPage, readBlock);
1885 } else {
1886 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock, startPage);
1887 ReadHitagSintern(htf, htd, STANDARD, (int)startPage, readBlock);
1888 }
1889 }
1890
1891
1892
1893 /*
1894 * Authenticates to the Tag with the given Key or Challenge.
1895 * Writes the given 32Bit data into page_
1896 */
1897 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1898 int frame_count;
1899 int response;
1900 byte_t rx[HITAG_FRAME_LEN];
1901 size_t rxlen = 0;
1902 byte_t txbuf[HITAG_FRAME_LEN];
1903 byte_t* tx = txbuf;
1904 size_t txlen = 0;
1905 int lastbit;
1906 int t_wait = HITAG_T_WAIT_MAX;
1907 bool bStop;
1908 bool bQuitTraceFull = false;
1909 int page = page_;
1910 unsigned char crc;
1911 byte_t data[4]= {0,0,0,0};
1912
1913 //read given key/challenge, the page and the data
1914 byte_t NrAr_[8];
1915 uint64_t key=0;
1916 uint64_t NrAr=0;
1917 byte_t key_[6];
1918 switch(htf) {
1919 case 03: { //WHTS_CHALLENGE
1920 memcpy(data,htd->auth.data,4);
1921 DbpString("Authenticating using nr,ar pair:");
1922 memcpy(NrAr_,htd->auth.NrAr,8);
1923 Dbhexdump(8,NrAr_,false);
1924 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1925 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1926 } break;
1927 case 04: { //WHTS_KEY
1928 memcpy(data,htd->crypto.data,4);
1929 DbpString("Authenticating using key:");
1930 memcpy(key_,htd->crypto.key,6);
1931 Dbhexdump(6,key_,false);
1932 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1933 } break;
1934 default: {
1935 Dbprintf("Error , unknown function: %d",htf);
1936 return;
1937 } break;
1938 }
1939
1940 Dbprintf("Page: %d",page_);
1941 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1942 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1943 // Reset the return status
1944 bSuccessful = false;
1945
1946 tag.pstate = READY;
1947 tag.tstate = NO_OP;
1948
1949 // Clean up trace and prepare it for storing frames
1950 set_tracing(true);
1951 clear_trace();
1952
1953 bQuiet = false;
1954
1955 LED_D_ON();
1956
1957 // Configure output and enable pin that is connected to the FPGA (for modulating)
1958 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1959 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1960
1961 // Set fpga in edge detect with reader field, we can modulate as reader now
1962 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1963
1964 // Set Frequency divisor which will drive the FPGA and analog mux selection
1965 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1966 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1967 RELAY_OFF();
1968
1969 // Disable modulation at default, which means enable the field
1970 LOW(GPIO_SSC_DOUT);
1971
1972 // Give it a bit of time for the resonant antenna to settle.
1973 SpinDelay(30);
1974
1975 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1976 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1977
1978 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1979 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1980 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1981
1982 // Disable timer during configuration
1983 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1984 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1985
1986 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
1987 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
1988
1989 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1990 // external trigger rising edge, load RA on falling edge of TIOA.
1991 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1992 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1993 | AT91C_TC_LDRA_FALLING;
1994
1995 // Enable and reset counters
1996 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1997 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1998
1999 // Reset the received frame, frame count and timing info
2000 frame_count = 0;
2001 response = 0;
2002 lastbit = 1;
2003 bStop = false;
2004 t_wait = 200;
2005
2006 while (!bStop && !BUTTON_PRESS()) {
2007 // Watchdog hit
2008 WDT_HIT();
2009
2010 // Check if frame was captured and store it
2011 if (rxlen > 0) {
2012 frame_count++;
2013 if (!bQuiet) {
2014 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2015 DbpString("Trace full");
2016 if (bQuitTraceFull) {
2017 break;
2018 } else {
2019 bQuiet = true;
2020 }
2021 }
2022 }
2023 }
2024
2025 //check for valid input
2026 /*
2027 if (page == 0) {
2028 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
2029 bStop = !false;
2030 }*/
2031
2032
2033 // By default reset the transmission buffer
2034 tx = txbuf;
2035 txlen = 0;
2036
2037 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
2038 //no write access on this page
2039 Dbprintf("no write access on page %d", page_);
2040 bStop = !false;
2041 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
2042 //start the authetication
2043 //tag.mode = ADVANCED;
2044 tag.mode = STANDARD;
2045 hitag_start_auth(tx, &txlen);
2046 m = AC2K;
2047 } else if (tag.pstate != SELECTED) {
2048 //try to authenticate with the given key or challenge
2049 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1) {
2050 bStop = !false;
2051 }
2052 m = MC4K;
2053 }
2054
2055 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
2056 //check if the given page exists
2057 if (page > tag.max_page) {
2058 Dbprintf("page number too big");
2059 bStop = !false;
2060 }
2061 //ask Tag for write permission
2062 tag.tstate = WRITING_PAGE_ACK;
2063 txlen = 20;
2064 crc = CRC_PRESET;
2065 tx[0] = 0x90 + (page / 16);
2066 calc_crc(&crc, tx[0], 8);
2067 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
2068 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
2069 tx[2] = 0x00 + (crc % 16) * 16;
2070 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
2071 && rxlen == 2 && rx[0] == 0x40) {
2072 //ACK recieved to write the page. send data
2073 tag.tstate = WRITING_PAGE_DATA;
2074 txlen = 40;
2075 crc = CRC_PRESET;
2076 calc_crc(&crc, data[3], 8);
2077 calc_crc(&crc, data[2], 8);
2078 calc_crc(&crc, data[1], 8);
2079 calc_crc(&crc, data[0], 8);
2080 tx[0] = data[3];
2081 tx[1] = data[2];
2082 tx[2] = data[1];
2083 tx[3] = data[0];
2084 tx[4] = crc;
2085 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
2086 && rxlen == 2 && rx[0] == 0x40) {
2087 //received ACK
2088 Dbprintf("Successful!");
2089 bStop = !false;
2090 }
2091
2092 // Send and store the reader command
2093 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2094 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2095
2096 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2097 // Since the clock counts since the last falling edge, a 'one' means that the
2098 // falling edge occured halfway the period. with respect to this falling edge,
2099 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2100 // All timer values are in terms of T0 units
2101
2102 while (AT91C_BASE_TC0->TC_CV
2103 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2104 ;
2105
2106 // Transmit the reader frame
2107 hitag_reader_send_frame(tx, txlen);
2108
2109 // Enable and reset external trigger in timer for capturing future frames
2110 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2111
2112 // Add transmitted frame to total count
2113 if (txlen > 0) {
2114 frame_count++;
2115 if (!bQuiet) {
2116 // Store the frame in the trace
2117 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2118 if (bQuitTraceFull) {
2119 DbpString("Trace full");
2120 break;
2121 } else {
2122 bQuiet = true;
2123 }
2124 }
2125 }
2126 }
2127
2128 // Reset values for receiving frames
2129 memset(rx, 0x00, sizeof(rx));
2130 rxlen = 0;
2131 lastbit = 1;
2132 response = 0;
2133
2134 hitag_receive_frame(rx, &rxlen, &response);
2135 }
2136 end=false;
2137 LED_B_OFF();
2138 LED_D_OFF();
2139 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2140 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2141 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2142 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2143 }
2144
2145
2146 /*
2147 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2148 * Displays all Challenges that failed.
2149 * When collecting Challenges to break the key it is possible that some data
2150 * is not received correctly due to Antenna problems. This function
2151 * detects these challenges.
2152 */
2153 void check_challenges_cmd(bool file_given, byte_t* data, uint64_t tagMode) {
2154 int i, j, z, k;
2155 byte_t uid_byte[4];
2156 int frame_count;
2157 int response;
2158 byte_t rx[HITAG_FRAME_LEN];
2159 byte_t unlocker[60][8];
2160 int u1 = 0;
2161 size_t rxlen = 0;
2162 byte_t txbuf[HITAG_FRAME_LEN];
2163 byte_t* tx = txbuf;
2164 size_t txlen = 0;
2165 int lastbit;
2166 int t_wait = HITAG_T_WAIT_MAX;
2167 int STATE = 0;
2168 bool bStop;
2169 bool bQuitTraceFull = false;
2170 int response_bit[200];
2171 unsigned char mask = 1;
2172 unsigned char uid[32];
2173 unsigned char crc;
2174
2175 if (tagMode == 1) {
2176 Dbprintf("check_challenges in mode=ADVANCED");
2177 tag.mode = ADVANCED;
2178 } else if (tagMode == 2) {
2179 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2180 tag.mode = FAST_ADVANCED;
2181 } else {
2182 Dbprintf("check_challenges in mode=STANDARD");
2183 tag.mode = STANDARD;
2184 }
2185
2186
2187 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2188 // Reset the return status
2189 bSuccessful = false;
2190
2191 // Clean up trace and prepare it for storing frames
2192 set_tracing(true);
2193 clear_trace();
2194
2195 bQuiet = false;
2196
2197 LED_D_ON();
2198
2199 // Configure output and enable pin that is connected to the FPGA (for modulating)
2200 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
2201 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
2202
2203 // Set fpga in edge detect with reader field, we can modulate as reader now
2204 FpgaWriteConfWord(
2205 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
2206
2207 // Set Frequency divisor which will drive the FPGA and analog mux selection
2208 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
2209 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2210 RELAY_OFF();
2211
2212 // Disable modulation at default, which means enable the field
2213 LOW(GPIO_SSC_DOUT);
2214
2215 // Give it a bit of time for the resonant antenna to settle.
2216 SpinDelay(30);
2217
2218 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
2219 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
2220
2221 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
2222 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
2223 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
2224
2225 // Disable timer during configuration
2226 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2227 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2228
2229 // TC0: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), no triggers
2230 AT91C_BASE_TC0->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK;
2231
2232 // TC1: Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2233 // external trigger rising edge, load RA on falling edge of TIOA.
2234 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
2235
2236 // Enable and reset counters
2237 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2238 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2239
2240 // Reset the received frame, frame count and timing info
2241 frame_count = 0;
2242 response = 0;
2243 lastbit = 1;
2244 bStop = false;
2245
2246 t_wait = 200;
2247
2248 if (file_given) {
2249 DbpString("Loading challenges...");
2250 memcpy((byte_t*)unlocker,data,60*8);
2251 }
2252
2253 while (file_given && !bStop && !BUTTON_PRESS()) {
2254 // Watchdog hit
2255 WDT_HIT();
2256
2257 // Check if frame was captured and store it
2258 if (rxlen > 0) {
2259 frame_count++;
2260 if (!bQuiet) {
2261 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2262 DbpString("Trace full");
2263 if (bQuitTraceFull) {
2264 break;
2265 } else {
2266 bQuiet = true;
2267 }
2268 }
2269 }
2270 }
2271
2272 tx = txbuf;
2273 txlen = 0;
2274 if (rxlen == 0) {
2275 if (STATE == 2) {
2276 // challenge failed
2277 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2278 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
2279 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
2280 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
2281 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
2282 }
2283 STATE = 0;
2284 hitag_start_auth(tx, &txlen);
2285 } else if (rxlen >= 32 && STATE == 0) {
2286 //received uid
2287 z = 0;
2288 for (i = 0; i < 10; i++) {
2289 for (j = 0; j < 8; j++) {
2290 response_bit[z] = 0;
2291 if ((rx[i] & ((mask << 7) >> j)) != 0)
2292 response_bit[z] = 1;
2293 z++;
2294 }
2295 }
2296 for (i = 0; i < 32; i++) {
2297 uid[i] = response_bit[i];
2298 }
2299
2300 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
2301 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
2302 | (uid[6] << 1) | uid[7];
2303 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
2304 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
2305 | (uid[14] << 1) | uid[15];
2306 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
2307 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
2308 | (uid[22] << 1) | uid[23];
2309 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
2310 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
2311 | (uid[30] << 1) | uid[31];
2312 //Dbhexdump(10, rx, rxlen);
2313 STATE = 1;
2314 txlen = 45;
2315 crc = CRC_PRESET;
2316 calc_crc(&crc, 0x00, 5);
2317 calc_crc(&crc, uid_byte[0], 8);
2318 calc_crc(&crc, uid_byte[1], 8);
2319 calc_crc(&crc, uid_byte[2], 8);
2320 calc_crc(&crc, uid_byte[3], 8);
2321 for (i = 0; i < 100; i++) {
2322 response_bit[i] = 0;
2323 }
2324 for (i = 0; i < 5; i++) {
2325 response_bit[i] = 0;
2326 }
2327 for (i = 5; i < 37; i++) {
2328 response_bit[i] = uid[i - 5];
2329 }
2330 for (j = 0; j < 8; j++) {
2331 response_bit[i] = 0;
2332 if ((crc & ((mask << 7) >> j)) != 0)
2333 response_bit[i] = 1;
2334 i++;
2335 }
2336 k = 0;
2337 for (i = 0; i < 6; i++) {
2338 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2339 | (response_bit[k + 2] << 5)
2340 | (response_bit[k + 3] << 4)
2341 | (response_bit[k + 4] << 3)
2342 | (response_bit[k + 5] << 2)
2343 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2344 k += 8;
2345 }
2346
2347
2348 tag.pstate = INIT;
2349 } else if (STATE == 1 && rxlen > 24) {
2350 //received configuration
2351 STATE = 2;
2352 z = 0;
2353 for (i = 0; i < 6; i++) {
2354 for (j = 0; j < 8; j++) {
2355 response_bit[z] = 0;
2356 if ((rx[i] & ((mask << 7) >> j)) != 0)
2357 response_bit[z] = 1;
2358 z++;
2359 }
2360 }
2361 txlen = 64;
2362
2363 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2364 bStop = !false;
2365 for (i = 0; i < 8; i++)
2366 tx[i] = unlocker[u1][i];
2367 u1++;
2368
2369 tag.pstate = SELECTED;
2370 } else if (STATE == 2 && rxlen >= 32) {
2371 STATE = 0;
2372 }
2373
2374 // Send and store the reader command
2375 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2376 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2377
2378 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2379 // Since the clock counts since the last falling edge, a 'one' means that the
2380 // falling edge occured halfway the period. with respect to this falling edge,
2381 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2382 // All timer values are in terms of T0 units
2383 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
2384
2385 // Transmit the reader frame
2386 hitag_reader_send_frame(tx, txlen);
2387
2388 // Enable and reset external trigger in timer for capturing future frames
2389 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2390
2391 // Add transmitted frame to total count
2392 if (txlen > 0) {
2393 frame_count++;
2394 if (!bQuiet) {
2395 // Store the frame in the trace
2396 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2397 if (bQuitTraceFull) {
2398 DbpString("Trace full");
2399 break;
2400 } else {
2401 bQuiet = true;
2402 }
2403 }
2404 }
2405 }
2406
2407 // Reset values for receiving frames
2408 memset(rx, 0x00, sizeof(rx));
2409 rxlen = 0;
2410 lastbit = 1;
2411 response = 0;
2412
2413 hitag_receive_frame(rx, &rxlen, &response);
2414 }
2415 LED_B_OFF();
2416 LED_D_OFF();
2417 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2418 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2419 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2420 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2421 }
2422
2423 /**
2424 Backward compatibility
2425 */
2426 void check_challenges(bool file_given, byte_t* data) {
2427 check_challenges_cmd(file_given, data, 1);
2428 }
2429
2430 void ReadHitagS(hitag_function htf, hitag_data* htd) {
2431 ReadHitagSintern(htf, htd, ADVANCED, 0, false);
2432 }
Proxmark3 GIT tracking
Impressum, Datenschutz