Merge pull request #119 from marshmellow42/pm3+reveng
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include <stdlib.h>
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "hitagS.h"
20 #include "hitag2.h"
21 #include "string.h"
22 #include "BigBuf.h"
23
24 #define CRC_PRESET 0xFF
25 #define CRC_POLYNOM 0x1D
26
27 #define u8 uint8_t
28 #define u32 uint32_t
29 #define u64 uint64_t
30 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
31 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
32 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
33 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
34 #define bit(x,n) (((x)>>(n))&1)
35 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
36 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
37 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
38
39 static bool bQuiet;
40 static bool bSuccessful;
41 static struct hitagS_tag tag;
42 static byte_t page_to_be_written = 0;
43 static int block_data_left = 0;
44 typedef enum modulation {
45 AC2K = 0, AC4K, MC4K, MC8K
46 } MOD;
47 static MOD m = AC2K; //used modulation
48 static uint32_t temp_uid;
49 static int temp2 = 0;
50 static int sof_bits; //number of start-of-frame bits
51 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
52 static uint32_t rnd = 0x74124485; //randomnumber
53 static int test = 0;
54 size_t blocknr;
55 bool end=false;
56
57 // Single bit Hitag2 functions:
58 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
59 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
60 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
61 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
62 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
63 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
64 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
65 #define uf20bs u32
66
67 static u32 f20(const u64 x) {
68 u32 i5;
69
70 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
71 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
72 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
73 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
74 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
75
76 return (ht2_f5c >> i5) & 1;
77 }
78 static u64 hitag2_round(u64 *state) {
79 u64 x = *state;
80
81 x = (x >> 1)
82 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
83 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
84 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
85 & 1) << 47);
86
87 *state = x;
88 return f20(x);
89 }
90 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
91 u32 i;
92 u64 x = ((key & 0xFFFF) << 32) + serial;
93 for (i = 0; i < 32; i++) {
94 x >>= 1;
95 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
96 }
97 return x;
98 }
99 static u32 hitag2_byte(u64 *x) {
100 u32 i, c;
101
102 for (i = 0, c = 0; i < 8; i++)
103 c += (u32) hitag2_round(x) << (i ^ 7);
104 return c;
105 }
106
107 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
108 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
109 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
110 // T0 = TIMER_CLOCK1 / 125000 = 192
111 #define T0 192
112
113 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
114 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
115
116 #define HITAG_FRAME_LEN 20
117 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
118 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
119 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
120 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
121 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
122 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
123 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
124 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
125 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
126
127 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
128 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
129 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
130 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
131
132 #define HITAG_T_TAG_HALF_PERIOD 16
133 #define HITAG_T_TAG_FULL_PERIOD 32
134
135 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
136 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
137 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
138 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
139
140 #define DEBUG 0
141
142 /*
143 * Implementation of the crc8 calculation from Hitag S
144 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
145 */
146 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
147 *crc ^= data; // crc = crc (exor) data
148 do {
149 if (*crc & 0x80) // if (MSB-CRC == 1)
150 {
151 *crc <<= 1; // CRC = CRC Bit-shift left
152 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
153 } else {
154 *crc <<= 1; // CRC = CRC Bit-shift left
155 }
156 } while (--Bitcount);
157 }
158
159 static void hitag_send_bit(int bit) {
160 LED_A_ON();
161 // Reset clock for the next bit
162 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
163
164 switch (m) {
165 case AC2K:
166 if (bit == 0) {
167 // AC Coding --__
168 HIGH(GPIO_SSC_DOUT);
169 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
170 ;
171 LOW(GPIO_SSC_DOUT);
172 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
173 ;
174 } else {
175 // AC coding -_-_
176 HIGH(GPIO_SSC_DOUT);
177 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
178 ;
179 LOW(GPIO_SSC_DOUT);
180 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
181 ;
182 HIGH(GPIO_SSC_DOUT);
183 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
184 ;
185 LOW(GPIO_SSC_DOUT);
186 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
187 ;;
188 }
189 LED_A_OFF();
190 break;
191 case AC4K:
192 if (bit == 0) {
193 // AC Coding --__
194 HIGH(GPIO_SSC_DOUT);
195 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
196 ;
197 LOW(GPIO_SSC_DOUT);
198 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
199 ;
200 } else {
201 // AC coding -_-_
202 HIGH(GPIO_SSC_DOUT);
203 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
204 ;
205 LOW(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
207 ;
208 HIGH(GPIO_SSC_DOUT);
209 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
210 ;
211 LOW(GPIO_SSC_DOUT);
212 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
213 ;;
214 }
215 LED_A_OFF();
216 break;
217 case MC4K:
218 if (bit == 0) {
219 // Manchester: Unloaded, then loaded |__--|
220 LOW(GPIO_SSC_DOUT);
221 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
222 ;
223 HIGH(GPIO_SSC_DOUT);
224 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
225 ;
226 } else {
227 // Manchester: Loaded, then unloaded |--__|
228 HIGH(GPIO_SSC_DOUT);
229 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
230 ;
231 LOW(GPIO_SSC_DOUT);
232 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
233 ;
234 }
235 LED_A_OFF();
236 break;
237 case MC8K:
238 if (bit == 0) {
239 // Manchester: Unloaded, then loaded |__--|
240 LOW(GPIO_SSC_DOUT);
241 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
242 ;
243 HIGH(GPIO_SSC_DOUT);
244 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
245 ;
246 } else {
247 // Manchester: Loaded, then unloaded |--__|
248 HIGH(GPIO_SSC_DOUT);
249 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
250 ;
251 LOW(GPIO_SSC_DOUT);
252 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
253 ;
254 }
255 LED_A_OFF();
256 break;
257 default:
258 break;
259 }
260 }
261
262 static void hitag_send_frame(const byte_t* frame, size_t frame_len) {
263 // Send start of frame
264
265 for (size_t i = 0; i < sof_bits; i++) {
266 hitag_send_bit(1);
267 }
268
269 // Send the content of the frame
270 for (size_t i = 0; i < frame_len; i++) {
271 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
272 }
273 // Drop the modulation
274 LOW(GPIO_SSC_DOUT);
275 }
276
277 static void hitag_reader_send_bit(int bit) {
278 //Dbprintf("BIT: %d",bit);
279 LED_A_ON();
280 // Reset clock for the next bit
281 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
282
283 // Binary puls length modulation (BPLM) is used to encode the data stream
284 // This means that a transmission of a one takes longer than that of a zero
285
286 // Enable modulation, which means, drop the the field
287 HIGH(GPIO_SSC_DOUT);
288 if (test == 1) {
289 // Wait for 4-10 times the carrier period
290 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
291 ;
292 // SpinDelayUs(8*8);
293
294 // Disable modulation, just activates the field again
295 LOW(GPIO_SSC_DOUT);
296
297 if (bit == 0) {
298 // Zero bit: |_-|
299 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
300 ;
301 // SpinDelayUs(16*8);
302 } else {
303 // One bit: |_--|
304 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
305 ;
306 // SpinDelayUs(22*8);
307 }
308 } else {
309 // Wait for 4-10 times the carrier period
310 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
311 ;
312 // SpinDelayUs(8*8);
313
314 // Disable modulation, just activates the field again
315 LOW(GPIO_SSC_DOUT);
316
317 if (bit == 0) {
318 // Zero bit: |_-|
319 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
320 ;
321 // SpinDelayUs(16*8);
322 } else {
323 // One bit: |_--|
324 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
325 ;
326 // SpinDelayUs(22*8);
327 }
328 }
329
330 LED_A_OFF();
331 }
332
333 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
334 // Send the content of the frame
335 for (size_t i = 0; i < frame_len; i++) {
336 if (frame[0] == 0xf8) {
337 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
338 }
339 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
340 }
341 // Send EOF
342 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
343 // Enable modulation, which means, drop the the field
344 HIGH(GPIO_SSC_DOUT);
345 // Wait for 4-10 times the carrier period
346 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
347 ;
348 // Disable modulation, just activates the field again
349 LOW(GPIO_SSC_DOUT);
350 }
351
352 /*
353 * to check if the right uid was selected
354 */
355 static int check_select(byte_t* rx, uint32_t uid) {
356 unsigned char resp[48];
357 int i;
358 uint32_t ans = 0x0;
359 for (i = 0; i < 48; i++)
360 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
361 for (i = 0; i < 32; i++)
362 ans += resp[5 + i] << (31 - i);
363 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
364 && rx[4] == 0x65 && rx[5] == 0x38)
365 Dbprintf("got uid %X", ans);*/
366 temp_uid = ans;
367 if (ans == tag.uid)
368 return 1;
369 return 0;
370 }
371
372 /*
373 * handles all commands from a reader
374 */
375 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
376 byte_t* tx, size_t* txlen) {
377 byte_t rx_air[HITAG_FRAME_LEN];
378 byte_t page;
379 int i;
380 u64 state;
381 unsigned char crc;
382
383 // Copy the (original) received frame how it is send over the air
384 memcpy(rx_air, rx, nbytes(rxlen));
385 // Reset the transmission frame length
386 *txlen = 0;
387 // Try to find out which command was send by selecting on length (in bits)
388 switch (rxlen) {
389 case 5: {
390 //UID request with a selected response protocol mode
391 tag.pstate = READY;
392 tag.tstate = NO_OP;
393 if ((rx[0] & 0xf0) == 0x30) {
394 tag.mode = STANDARD;
395 sof_bits = 1;
396 m = AC2K;
397 }
398 if ((rx[0] & 0xf0) == 0xc0) {
399 tag.mode = ADVANCED;
400 sof_bits = 3;
401 m = AC2K;
402 }
403
404 if ((rx[0] & 0xf0) == 0xd0) {
405 tag.mode = FAST_ADVANCED;
406 sof_bits = 3;
407 m = AC4K;
408 }
409 //send uid as a response
410 *txlen = 32;
411 for (i = 0; i < 4; i++)
412 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
413 }
414 break;
415 case 45: {
416 //select command from reader received
417 if (check_select(rx, tag.uid) == 1) {
418 //if the right tag was selected
419 *txlen = 32;
420 switch (tag.mode) {
421 case STANDARD:
422 sof_bits = 1;
423 m = MC4K;
424 break;
425 case ADVANCED:
426 sof_bits = 6;
427 m = MC4K;
428 break;
429 case FAST_ADVANCED:
430 sof_bits = 6;
431 m = MC8K;
432 break;
433 default:
434 break;
435 }
436
437 //send configuration
438 for (i = 0; i < 4; i++)
439 tx[i] = (tag.pages[0][1] >> (i * 8)) & 0xff;
440 tx[3] = 0xff;
441 if (tag.mode != STANDARD) {
442 *txlen = 40;
443 crc = CRC_PRESET;
444 for (i = 0; i < 4; i++)
445 calc_crc(&crc, tx[i], 8);
446 tx[4] = crc;
447 }
448 }
449 }
450 break;
451 case 64: {
452 //challenge message received
453 Dbprintf("Challenge for UID: %X", temp_uid);
454 temp2++;
455 *txlen = 32;
456 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
457 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
458 Dbprintf(
459 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
460 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
461 switch (tag.mode) {
462 case STANDARD:
463 sof_bits = 1;
464 m = MC4K;
465 break;
466 case ADVANCED:
467 sof_bits = 6;
468 m = MC4K;
469 break;
470 case FAST_ADVANCED:
471 sof_bits = 6;
472 m = MC8K;
473 break;
474 default:
475 break;
476 }
477
478 for (i = 0; i < 4; i++)
479 hitag2_byte(&state);
480 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
481 tx[0] = hitag2_byte(&state) ^ ((tag.pages[0][1] >> 16) & 0xff);
482 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
483 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
484 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
485 if (tag.mode != STANDARD) {
486 //add crc8
487 *txlen = 40;
488 crc = CRC_PRESET;
489 calc_crc(&crc, ((tag.pages[0][1] >> 16) & 0xff), 8);
490 calc_crc(&crc, tag.pwdh0, 8);
491 calc_crc(&crc, tag.pwdl0, 8);
492 calc_crc(&crc, tag.pwdl1, 8);
493 tx[4] = (crc ^ hitag2_byte(&state));
494 }
495 /*
496 * some readers do not allow to authenticate multiple times in a row with the same tag.
497 * use this to change the uid between authentications.
498 */
499
500 /*
501 if (temp2 % 2 == 0) {
502 tag.uid = 0x11223344;
503 tag.pages[0][0] = 0x44332211;
504 } else {
505 tag.uid = 0x55667788;
506 tag.pages[0][0] = 0x88776655;
507 }
508 */
509 }
510 case 40:
511 //data received to be written
512 if (tag.tstate == WRITING_PAGE_DATA) {
513 tag.tstate = NO_OP;
514 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
515 << 0) + (rx[1] << 8) + (rx[2] << 16) + (rx[3] << 24);
516 //send ack
517 *txlen = 2;
518 tx[0] = 0x40;
519 page_to_be_written = 0;
520 switch (tag.mode) {
521 case STANDARD:
522 sof_bits = 1;
523 m = MC4K;
524 break;
525 case ADVANCED:
526 sof_bits = 6;
527 m = MC4K;
528 break;
529 case FAST_ADVANCED:
530 sof_bits = 6;
531 m = MC8K;
532 break;
533 default:
534 break;
535 }
536 } else if (tag.tstate == WRITING_BLOCK_DATA) {
537 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
538 << 24) + (rx[1] << 16) + (rx[2] << 8) + rx[3];
539 //send ack
540 *txlen = 2;
541 tx[0] = 0x40;
542 switch (tag.mode) {
543 case STANDARD:
544 sof_bits = 1;
545 m = MC4K;
546 break;
547 case ADVANCED:
548 sof_bits = 6;
549 m = MC4K;
550 break;
551 case FAST_ADVANCED:
552 sof_bits = 6;
553 m = MC8K;
554 break;
555 default:
556 break;
557 }
558 page_to_be_written++;
559 block_data_left--;
560 if (block_data_left == 0) {
561 tag.tstate = NO_OP;
562 page_to_be_written = 0;
563 }
564 }
565 break;
566 case 20: {
567 //write page, write block, read page or read block command received
568 if ((rx[0] & 0xf0) == 0xc0) //read page
569 {
570 //send page data
571 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
572 *txlen = 32;
573 tx[0] = (tag.pages[page / 4][page % 4]) & 0xff;
574 tx[1] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
575 tx[2] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
576 tx[3] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
577 if (tag.LKP && page == 1)
578 tx[3] = 0xff;
579
580 switch (tag.mode) {
581 case STANDARD:
582 sof_bits = 1;
583 m = MC4K;
584 break;
585 case ADVANCED:
586 sof_bits = 6;
587 m = MC4K;
588 break;
589 case FAST_ADVANCED:
590 sof_bits = 6;
591 m = MC8K;
592 break;
593 default:
594 break;
595 }
596
597 if (tag.mode != STANDARD) {
598 //add crc8
599 *txlen = 40;
600 crc = CRC_PRESET;
601 for (i = 0; i < 4; i++)
602 calc_crc(&crc, tx[i], 8);
603 tx[4] = crc;
604 }
605
606 if (tag.LKP && (page == 2 || page == 3)) {
607 //if reader asks for key or password and the LKP-mark is set do not respond
608 sof_bits = 0;
609 *txlen = 0;
610 }
611 } else if ((rx[0] & 0xf0) == 0xd0) //read block
612 {
613 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
614 *txlen = 32 * 4;
615 //send page,...,page+3 data
616 for (i = 0; i < 4; i++) {
617 tx[0 + i * 4] = (tag.pages[page / 4][page % 4]) & 0xff;
618 tx[1 + i * 4] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
619 tx[2 + i * 4] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
620 tx[3 + i * 4] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
621 page++;
622 }
623
624 switch (tag.mode) {
625 case STANDARD:
626 sof_bits = 1;
627 m = MC4K;
628 break;
629 case ADVANCED:
630 sof_bits = 6;
631 m = MC4K;
632 break;
633 case FAST_ADVANCED:
634 sof_bits = 6;
635 m = MC8K;
636 break;
637 default:
638 break;
639 }
640
641 if (tag.mode != STANDARD) {
642 //add crc8
643 *txlen = 32 * 4 + 8;
644 crc = CRC_PRESET;
645 for (i = 0; i < 16; i++)
646 calc_crc(&crc, tx[i], 8);
647 tx[16] = crc;
648 }
649
650 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
651 sof_bits = 0;
652 *txlen = 0;
653 }
654 } else if ((rx[0] & 0xf0) == 0x80) //write page
655 {
656 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
657
658 switch (tag.mode) {
659 case STANDARD:
660 sof_bits = 1;
661 m = MC4K;
662 break;
663 case ADVANCED:
664 sof_bits = 6;
665 m = MC4K;
666 break;
667 case FAST_ADVANCED:
668 sof_bits = 6;
669 m = MC8K;
670 break;
671 default:
672 break;
673 }
674 if ((tag.LCON && page == 1)
675 || (tag.LKP && (page == 2 || page == 3))) {
676 //deny
677 *txlen = 0;
678 } else {
679 //allow
680 *txlen = 2;
681 tx[0] = 0x40;
682 page_to_be_written = page;
683 tag.tstate = WRITING_PAGE_DATA;
684 }
685
686 } else if ((rx[0] & 0xf0) == 0x90) //write block
687 {
688 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
689 switch (tag.mode) {
690 case STANDARD:
691 sof_bits = 1;
692 m = MC4K;
693 break;
694 case ADVANCED:
695 sof_bits = 6;
696 m = MC4K;
697 break;
698 case FAST_ADVANCED:
699 sof_bits = 6;
700 m = MC8K;
701 break;
702 default:
703 break;
704 }
705 if (page % 4 != 0 || page == 0) {
706 //deny
707 *txlen = 0;
708 } else {
709 //allow
710 *txlen = 2;
711 tx[0] = 0x40;
712 page_to_be_written = page;
713 block_data_left = 4;
714 tag.tstate = WRITING_BLOCK_DATA;
715 }
716 }
717 }
718 break;
719 default:
720
721 break;
722 }
723 }
724
725 /*
726 * to autenticate to a tag with the given key or challenge
727 */
728 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx, const size_t rxlen, byte_t* tx,
729 size_t* txlen) {
730 byte_t rx_air[HITAG_FRAME_LEN];
731 int response_bit[200];
732 int i, j, z, k;
733 unsigned char mask = 1;
734 unsigned char uid[32];
735 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
736 unsigned char crc;
737 u64 state;
738 byte_t auth_ks[4];
739 byte_t conf_pages[3];
740 memcpy(rx_air, rx, nbytes(rxlen));
741 *txlen = 0;
742
743 if (tag.pstate == READY && rxlen >= 67) {
744 //received uid
745 if(end==true) {
746 Dbprintf("authentication failed!");
747 return -1;
748 }
749 z = 0;
750 for (i = 0; i < 10; i++) {
751 for (j = 0; j < 8; j++) {
752 response_bit[z] = 0;
753 if ((rx[i] & ((mask << 7) >> j)) != 0)
754 response_bit[z] = 1;
755 z++;
756 }
757 }
758 k = 0;
759 for (i = 5; i < z; i += 2) {
760 uid[k] = response_bit[i];
761 k++;
762 if (k > 31)
763 break;
764 }
765 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
766 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
767 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
768 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
769 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
770 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
771 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
772 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
773 if (DEBUG)
774 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
775 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
776
777 //select uid
778 *txlen = 45;
779 crc = CRC_PRESET;
780 calc_crc(&crc, 0x00, 5);
781 calc_crc(&crc, uid1, 8);
782 calc_crc(&crc, uid2, 8);
783 calc_crc(&crc, uid3, 8);
784 calc_crc(&crc, uid4, 8);
785 for (i = 0; i < 100; i++) {
786 response_bit[i] = 0;
787 }
788 for (i = 0; i < 5; i++) {
789 response_bit[i] = 0;
790 }
791 for (i = 5; i < 37; i++) {
792 response_bit[i] = uid[i - 5];
793 }
794 for (j = 0; j < 8; j++) {
795 response_bit[i] = 0;
796 if ((crc & ((mask << 7) >> j)) != 0)
797 response_bit[i] = 1;
798 i++;
799 }
800 k = 0;
801 for (i = 0; i < 6; i++) {
802 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
803 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
804 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
805 | (response_bit[k + 6] << 1) | response_bit[k + 7];
806 k += 8;
807 }
808 tag.pstate = INIT;
809 } else if (tag.pstate == INIT && rxlen == 44) {
810 // received configuration after select command
811 z = 0;
812 for (i = 0; i < 6; i++) {
813 for (j = 0; j < 8; j++) {
814 response_bit[z] = 0;
815 if ((rx[i] & ((mask << 7) >> j)) != 0)
816 response_bit[z] = 1;
817 z++;
818 }
819 }
820 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
821 | (response_bit[6] << 5) | (response_bit[7] << 4)
822 | (response_bit[8] << 3) | (response_bit[9] << 2)
823 | (response_bit[10] << 1) | response_bit[11]);
824 //check wich memorysize this tag has
825 if (response_bit[10] == 0 && response_bit[11] == 0)
826 tag.max_page = 32 / 32;
827 if (response_bit[10] == 0 && response_bit[11] == 1)
828 tag.max_page = 256 / 32;
829 if (response_bit[10] == 1 && response_bit[11] == 0)
830 tag.max_page = 2048 / 32;
831 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
832 | (response_bit[14] << 5) | (response_bit[15] << 4)
833 | (response_bit[16] << 3) | (response_bit[17] << 2)
834 | (response_bit[18] << 1) | response_bit[19]);
835 tag.auth = response_bit[12];
836 tag.TTFC = response_bit[13];
837 //tag.TTFDR in response_bit[14] and response_bit[15]
838 //tag.TTFM in response_bit[16] and response_bit[17]
839 tag.LCON = response_bit[18];
840 tag.LKP = response_bit[19];
841 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
842 | (response_bit[22] << 5) | (response_bit[23] << 4)
843 | (response_bit[24] << 3) | (response_bit[25] << 2)
844 | (response_bit[26] << 1) | response_bit[27]);
845 tag.LCK7 = response_bit[20];
846 tag.LCK6 = response_bit[21];
847 tag.LCK5 = response_bit[22];
848 tag.LCK4 = response_bit[23];
849 tag.LCK3 = response_bit[24];
850 tag.LCK2 = response_bit[25];
851 tag.LCK1 = response_bit[26];
852 tag.LCK0 = response_bit[27];
853
854 if (DEBUG)
855 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0],
856 conf_pages[1], conf_pages[2]);
857 if (tag.auth == 1) {
858 //if the tag is in authentication mode try the key or challenge
859 *txlen = 64;
860 if(end!=true){
861 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
862 state = hitag2_init(rev64(key), rev32(tag.uid),
863 rev32(rnd));
864
865 for (i = 0; i < 4; i++) {
866 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
867 }
868 *txlen = 64;
869 tx[0] = rnd & 0xff;
870 tx[1] = (rnd >> 8) & 0xff;
871 tx[2] = (rnd >> 16) & 0xff;
872 tx[3] = (rnd >> 24) & 0xff;
873
874 tx[4] = auth_ks[0];
875 tx[5] = auth_ks[1];
876 tx[6] = auth_ks[2];
877 tx[7] = auth_ks[3];
878 if (DEBUG)
879 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
880 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
881 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
882 for (i = 0; i < 8; i++)
883 tx[i]=((NrAr>>(56-(i*8)))&0xff);
884 }
885 end=true;
886 tag.pstate = AUTHENTICATE;
887 } else {
888 Dbprintf("authentication failed!");
889 return -1;
890 }
891 } else if (tag.auth == 0) {
892 tag.pstate = SELECTED;
893 }
894
895 } else if (tag.pstate == AUTHENTICATE && rxlen == 44) {
896 //encrypted con2,password received.
897 crc = CRC_PRESET;
898 calc_crc(&crc, 0x80, 1);
899 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
900 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
901 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
902 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
903 if (DEBUG) {
904 Dbprintf("UID:::%X", tag.uid);
905 Dbprintf("RND:::%X", rnd);
906 }
907
908 //decrypt password
909 pwdh0=0;
910 pwdl0=0;
911 pwdl1=0;
912 if(htf==02 || htf==04){ //RHTS_KEY //WHTS_KEY
913 {
914 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
915 for (i = 0; i < 5; i++)
916 hitag2_byte(&state);
917 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16))
918 ^ hitag2_byte(&state);
919 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16))
920 ^ hitag2_byte(&state);
921 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16))
922 ^ hitag2_byte(&state);
923 }
924
925 if (DEBUG)
926 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
927
928
929 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
930 //rnd += 1;
931 }
932 tag.pstate = SELECTED; //tag is now ready for read/write commands
933 }
934 return 0;
935
936 }
937
938 /*
939 * Emulates a Hitag S Tag with the given data from the .hts file
940 */
941 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
942 int frame_count;
943 int response;
944 int overflow;
945 int i, j;
946 byte_t rx[HITAG_FRAME_LEN];
947 size_t rxlen = 0;
948 //bool bQuitTraceFull = false;
949 bQuiet = false;
950 byte_t txbuf[HITAG_FRAME_LEN];
951 byte_t* tx = txbuf;
952 size_t txlen = 0;
953 BigBuf_free();
954
955 // Clean up trace and prepare it for storing frames
956 set_tracing(TRUE);
957 clear_trace();
958
959 DbpString("Starting HitagS simulation");
960 LED_D_ON();
961
962 tag.pstate = READY;
963 tag.tstate = NO_OP;
964 for (i = 0; i < 16; i++)
965 for (j = 0; j < 4; j++)
966 tag.pages[i][j] = 0x0;
967 //read tag data into memory
968 if (tag_mem_supplied) {
969 DbpString("Loading hitagS memory...");
970 memcpy((byte_t*)tag.pages,data,4*64);
971 }
972 tag.uid=(uint32_t)tag.pages[0];
973 Dbprintf("Hitag S simulation started");
974 tag.key=(intptr_t)tag.pages[3];
975 tag.key<<=16;
976 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
977 tag.pwdl0=tag.pages[2][3];
978 tag.pwdl1=tag.pages[2][2];
979 tag.pwdh0=tag.pages[1][0];
980 //con0
981 tag.max_page=64;
982 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==1)
983 tag.max_page=8;
984 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==0)
985 tag.max_page=0;
986 //con1
987 tag.auth=0;
988 if((tag.pages[1][2]&0x80)==1)
989 tag.auth=1;
990 tag.LCON=0;
991 if((tag.pages[1][2]&0x2)==1)
992 tag.LCON=1;
993 tag.LKP=0;
994 if((tag.pages[1][2]&0x1)==1)
995 tag.LKP=1;
996 //con2
997 //0=read write 1=read only
998 tag.LCK7=0;
999 if((tag.pages[1][1]&0x80)==1)
1000 tag.LCK7=1;
1001 tag.LCK6=0;
1002 if((tag.pages[1][1]&0x40)==1)
1003 tag.LCK6=1;
1004 tag.LCK5=0;
1005 if((tag.pages[1][1]&0x20)==1)
1006 tag.LCK5=1;
1007 tag.LCK4=0;
1008 if((tag.pages[1][1]&0x10)==1)
1009 tag.LCK4=1;
1010 tag.LCK3=0;
1011 if((tag.pages[1][1]&0x8)==1)
1012 tag.LCK3=1;
1013 tag.LCK2=0;
1014 if((tag.pages[1][1]&0x4)==1)
1015 tag.LCK2=1;
1016 tag.LCK1=0;
1017 if((tag.pages[1][1]&0x2)==1)
1018 tag.LCK1=1;
1019 tag.LCK0=0;
1020 if((tag.pages[1][1]&0x1)==1)
1021 tag.LCK0=1;
1022
1023 // Set up simulator mode, frequency divisor which will drive the FPGA
1024 // and analog mux selection.
1025 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1026 FpgaWriteConfWord(
1027 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1028 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1029 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1030 RELAY_OFF();
1031
1032 // Configure output pin that is connected to the FPGA (for modulating)
1033 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1034 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1035
1036 // Disable modulation at default, which means release resistance
1037 LOW(GPIO_SSC_DOUT);
1038
1039 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1040 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1041
1042 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1043 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1044 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1045
1046 // Disable timer during configuration
1047 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1048
1049 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1050 // external trigger rising edge, load RA on rising edge of TIOA.
1051 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1052 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1053
1054 // Reset the received frame, frame count and timing info
1055 memset(rx, 0x00, sizeof(rx));
1056 frame_count = 0;
1057 response = 0;
1058 overflow = 0;
1059
1060 // Enable and reset counter
1061 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1062
1063 while (!BUTTON_PRESS()) {
1064 // Watchdog hit
1065 WDT_HIT();
1066
1067 // Receive frame, watch for at most T0*EOF periods
1068 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1069 // Check if rising edge in modulation is detected
1070 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1071 // Retrieve the new timing values
1072 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1073 overflow = 0;
1074
1075 // Reset timer every frame, we have to capture the last edge for timing
1076 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1077
1078 LED_B_ON();
1079
1080 // Capture reader frame
1081 if (ra >= HITAG_T_STOP) {
1082 if (rxlen != 0) {
1083 //DbpString("wierd0?");
1084 }
1085 // Capture the T0 periods that have passed since last communication or field drop (reset)
1086 response = (ra - HITAG_T_LOW);
1087 } else if (ra >= HITAG_T_1_MIN) {
1088 // '1' bit
1089 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1090 rxlen++;
1091 } else if (ra >= HITAG_T_0_MIN) {
1092 // '0' bit
1093 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1094 rxlen++;
1095 } else {
1096 // Ignore wierd value, is to small to mean anything
1097 }
1098 }
1099 }
1100
1101 // Check if frame was captured
1102 if (rxlen > 0) {
1103 frame_count++;
1104 if (!bQuiet) {
1105 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1106 DbpString("Trace full");
1107 clear_trace();
1108 }
1109 }
1110
1111 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1112 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1113
1114 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1115 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1116
1117 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1118 // not that since the clock counts since the rising edge, but T_Wait1 is
1119 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1120 // periods. The gap time T_Low varies (4..10). All timer values are in
1121 // terms of T0 units
1122 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW))
1123 ;
1124
1125 // Send and store the tag answer (if there is any)
1126 if (txlen > 0) {
1127 // Transmit the tag frame
1128 hitag_send_frame(tx, txlen);
1129 // Store the frame in the trace
1130 if (!bQuiet) {
1131 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1132 DbpString("Trace full");
1133 clear_trace();
1134 }
1135 }
1136 }
1137
1138 // Reset the received frame and response timing info
1139 memset(rx, 0x00, sizeof(rx));
1140 response = 0;
1141
1142 // Enable and reset external trigger in timer for capturing future frames
1143 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1144 LED_B_OFF();
1145 }
1146 // Reset the frame length
1147 rxlen = 0;
1148 // Save the timer overflow, will be 0 when frame was received
1149 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1150 // Reset the timer to restart while-loop that receives frames
1151 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1152 }
1153 LED_B_OFF();
1154 LED_D_OFF();
1155 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1156 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1157 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1158 }
1159
1160 /*
1161 * Authenticates to the Tag with the given key or challenge.
1162 * If the key was given the password will be decrypted.
1163 * Reads every page of a hitag S transpoder.
1164 */
1165 void ReadHitagS(hitag_function htf, hitag_data* htd) {
1166 int i, j, z, k;
1167 int frame_count;
1168 int response_bit[200];
1169 int response;
1170 byte_t rx[HITAG_FRAME_LEN];
1171 size_t rxlen = 0;
1172 byte_t txbuf[HITAG_FRAME_LEN];
1173 byte_t* tx = txbuf;
1174 size_t txlen = 0;
1175 int lastbit;
1176 bool bSkip;
1177 int reset_sof;
1178 int tag_sof;
1179 int t_wait = HITAG_T_WAIT_MAX;
1180 bool bStop;
1181 bool bQuitTraceFull = false;
1182 int sendNum = 0;
1183 unsigned char mask = 1;
1184 unsigned char crc;
1185 unsigned char pageData[32];
1186 page_to_be_written = 0;
1187
1188 //read given key/challenge
1189 byte_t NrAr_[8];
1190 uint64_t key=0;
1191 uint64_t NrAr=0;
1192 byte_t key_[6];
1193 switch(htf) {
1194 case 01: { //RHTS_CHALLENGE
1195 DbpString("Authenticating using nr,ar pair:");
1196 memcpy(NrAr_,htd->auth.NrAr,8);
1197 Dbhexdump(8,NrAr_,false);
1198 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1199 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1200 } break;
1201 case 02: { //RHTS_KEY
1202 DbpString("Authenticating using key:");
1203 memcpy(key_,htd->crypto.key,6);
1204 Dbhexdump(6,key_,false);
1205 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1206 } break;
1207 default: {
1208 Dbprintf("Error , unknown function: %d",htf);
1209 return;
1210 } break;
1211 }
1212
1213
1214
1215 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1216 // Reset the return status
1217 bSuccessful = false;
1218
1219 // Clean up trace and prepare it for storing frames
1220 set_tracing(TRUE);
1221 clear_trace();
1222
1223 bQuiet = false;
1224 bQuitTraceFull = true;
1225
1226 LED_D_ON();
1227
1228 // Configure output and enable pin that is connected to the FPGA (for modulating)
1229 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1230 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1231
1232 // Set fpga in edge detect with reader field, we can modulate as reader now
1233 FpgaWriteConfWord(
1234 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1235
1236 // Set Frequency divisor which will drive the FPGA and analog mux selection
1237 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1238 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1239 RELAY_OFF();
1240
1241 // Disable modulation at default, which means enable the field
1242 LOW(GPIO_SSC_DOUT);
1243
1244 // Give it a bit of time for the resonant antenna to settle.
1245 SpinDelay(30);
1246
1247 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1248 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1249
1250 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1251 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1252 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1253
1254 // Disable timer during configuration
1255 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1256
1257 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1258 // external trigger rising edge, load RA on falling edge of TIOA.
1259 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1260
1261 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1262
1263 // Enable and reset counters
1264 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1265 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1266
1267 // Reset the received frame, frame count and timing info
1268 frame_count = 0;
1269 response = 0;
1270 lastbit = 1;
1271 bStop = false;
1272
1273 reset_sof = 1;
1274 t_wait = 200;
1275
1276 while (!bStop && !BUTTON_PRESS()) {
1277 // Watchdog hit
1278 WDT_HIT();
1279
1280 // Check if frame was captured and store it
1281 if (rxlen > 0) {
1282 frame_count++;
1283 if (!bQuiet) {
1284 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1285 DbpString("Trace full");
1286 if (bQuitTraceFull) {
1287 break;
1288 } else {
1289 bQuiet = true;
1290 }
1291 }
1292 }
1293 }
1294
1295 // By default reset the transmission buffer
1296 tx = txbuf;
1297 txlen = 0;
1298
1299 if (rxlen == 0) {
1300 //start authentication
1301 txlen = 5;
1302 memcpy(tx, "\xc0", nbytes(txlen));
1303 tag.pstate = READY;
1304 tag.tstate = NO_OP;
1305 } else if (tag.pstate != SELECTED) {
1306 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1)
1307 bStop = !false;
1308 }
1309 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
1310 //send read request
1311 tag.tstate = READING_PAGE;
1312 txlen = 20;
1313 crc = CRC_PRESET;
1314 tx[0] = 0xc0 + (sendNum / 16);
1315 calc_crc(&crc, tx[0], 8);
1316 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1317 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1318 tx[2] = 0x00 + (crc % 16) * 16;
1319 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE
1320 && rxlen > 0) {
1321 //save received data
1322 z = 0;
1323 for (i = 0; i < 5; i++) {
1324 for (j = 0; j < 8; j++) {
1325 response_bit[z] = 0;
1326 if ((rx[i] & ((mask << 7) >> j)) != 0)
1327 response_bit[z] = 1;
1328 z++;
1329 }
1330 }
1331 k = 0;
1332 for (i = 4; i < 36; i++) {
1333 pageData[k] = response_bit[i];
1334 k++;
1335 }
1336 for (i = 0; i < 4; i++)
1337 tag.pages[sendNum / 4][sendNum % 4] = 0x0;
1338 for (i = 0; i < 4; i++) {
1339 tag.pages[sendNum / 4][sendNum % 4] += ((pageData[i * 8] << 7)
1340 | (pageData[1 + (i * 8)] << 6)
1341 | (pageData[2 + (i * 8)] << 5)
1342 | (pageData[3 + (i * 8)] << 4)
1343 | (pageData[4 + (i * 8)] << 3)
1344 | (pageData[5 + (i * 8)] << 2)
1345 | (pageData[6 + (i * 8)] << 1) | pageData[7 + (i * 8)])
1346 << (i * 8);
1347 }
1348 if (tag.auth && tag.LKP && sendNum == 1) {
1349 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum, pwdh0,
1350 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1351 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1352 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1353 } else {
1354 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum,
1355 (tag.pages[sendNum / 4][sendNum % 4] >> 24) & 0xff,
1356 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1357 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1358 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1359 }
1360
1361 sendNum++;
1362 //display key and password if possible
1363 if (sendNum == 2 && tag.auth == 1 && tag.LKP) {
1364 if (htf == 02) { //RHTS_KEY
1365 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1366 (byte_t)(key >> 8) & 0xff,
1367 (byte_t) key & 0xff, pwdl1, pwdl0);
1368 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1369 (byte_t)(key >> 40) & 0xff,
1370 (byte_t)(key >> 32) & 0xff,
1371 (byte_t)(key >> 24) & 0xff,
1372 (byte_t)(key >> 16) & 0xff);
1373 } else {
1374 //if the authentication is done with a challenge the key and password are unknown
1375 Dbprintf("Page[ 2]: __ __ __ __");
1376 Dbprintf("Page[ 3]: __ __ __ __");
1377 }
1378 }
1379
1380 txlen = 20;
1381 crc = CRC_PRESET;
1382 tx[0] = 0xc0 + (sendNum / 16);
1383 calc_crc(&crc, tx[0], 8);
1384 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1385 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1386 tx[2] = 0x00 + (crc % 16) * 16;
1387 if (sendNum >= tag.max_page) {
1388 bStop = !false;
1389 }
1390 }
1391
1392 // Send and store the reader command
1393 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1394 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1395
1396 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1397 // Since the clock counts since the last falling edge, a 'one' means that the
1398 // falling edge occured halfway the period. with respect to this falling edge,
1399 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1400 // All timer values are in terms of T0 units
1401
1402 while (AT91C_BASE_TC0->TC_CV
1403 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1404 ;
1405
1406 // Transmit the reader frame
1407 hitag_reader_send_frame(tx, txlen);
1408
1409 // Enable and reset external trigger in timer for capturing future frames
1410 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1411
1412 // Add transmitted frame to total count
1413 if (txlen > 0) {
1414 frame_count++;
1415 if (!bQuiet) {
1416 // Store the frame in the trace
1417 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1418 if (bQuitTraceFull) {
1419 DbpString("Trace full");
1420 break;
1421 } else {
1422 bQuiet = true;
1423 }
1424 }
1425 }
1426 }
1427
1428 // Reset values for receiving frames
1429 memset(rx, 0x00, sizeof(rx));
1430 rxlen = 0;
1431 lastbit = 1;
1432 bSkip = true;
1433 tag_sof = reset_sof;
1434 response = 0;
1435
1436 // Receive frame, watch for at most T0*EOF periods
1437 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1438 // Check if falling edge in tag modulation is detected
1439 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1440 // Retrieve the new timing values
1441 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1442
1443 // Reset timer every frame, we have to capture the last edge for timing
1444 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1445
1446 LED_B_ON();
1447
1448 // Capture tag frame (manchester decoding using only falling edges)
1449 if (ra >= HITAG_T_EOF) {
1450 if (rxlen != 0) {
1451 //DbpString("wierd1?");
1452 }
1453 // Capture the T0 periods that have passed since last communication or field drop (reset)
1454 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1455 response = ra - HITAG_T_TAG_HALF_PERIOD;
1456 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1457 // Manchester coding example |-_|_-|-_| (101)
1458 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1459 rxlen++;
1460 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1461 rxlen++;
1462 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1463 // Manchester coding example |_-|...|_-|-_| (0...01)
1464 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1465 rxlen++;
1466 // We have to skip this half period at start and add the 'one' the second time
1467 if (!bSkip) {
1468 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1469 rxlen++;
1470 }
1471 lastbit = !lastbit;
1472 bSkip = !bSkip;
1473 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1474 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1475 if (tag_sof) {
1476 // Ignore bits that are transmitted during SOF
1477 tag_sof--;
1478 } else {
1479 // bit is same as last bit
1480 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1481 rxlen++;
1482 }
1483 } else {
1484 // Ignore wierd value, is to small to mean anything
1485 }
1486 }
1487
1488 // We can break this loop if we received the last bit from a frame
1489 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1490 if (rxlen > 0)
1491 break;
1492 }
1493 }
1494 }
1495 end=false;
1496 LED_B_OFF();
1497 LED_D_OFF();
1498 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1499 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1500 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1501 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1502 }
1503
1504 /*
1505 * Authenticates to the Tag with the given Key or Challenge.
1506 * Writes the given 32Bit data into page_
1507 */
1508 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1509 int frame_count;
1510 int response;
1511 byte_t rx[HITAG_FRAME_LEN];
1512 size_t rxlen = 0;
1513 byte_t txbuf[HITAG_FRAME_LEN];
1514 byte_t* tx = txbuf;
1515 size_t txlen = 0;
1516 int lastbit;
1517 bool bSkip;
1518 int reset_sof;
1519 int tag_sof;
1520 int t_wait = HITAG_T_WAIT_MAX;
1521 bool bStop;
1522 bool bQuitTraceFull = false;
1523 int page = page_;
1524 unsigned char crc;
1525 byte_t data[4]= {0,0,0,0};
1526
1527 //read given key/challenge, the page and the data
1528 byte_t NrAr_[8];
1529 uint64_t key=0;
1530 uint64_t NrAr=0;
1531 byte_t key_[6];
1532 switch(htf) {
1533 case 03: { //WHTS_CHALLENGE
1534 memcpy(data,htd->auth.data,4);
1535 DbpString("Authenticating using nr,ar pair:");
1536 memcpy(NrAr_,htd->auth.NrAr,8);
1537 Dbhexdump(8,NrAr_,false);
1538 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1539 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1540 } break;
1541 case 04: { //WHTS_KEY
1542 memcpy(data,htd->crypto.data,4);
1543 DbpString("Authenticating using key:");
1544 memcpy(key_,htd->crypto.key,6);
1545 Dbhexdump(6,key_,false);
1546 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1547 } break;
1548 default: {
1549 Dbprintf("Error , unknown function: %d",htf);
1550 return;
1551 } break;
1552 }
1553
1554 Dbprintf("Page: %d",page_);
1555 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1556 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1557 // Reset the return status
1558 bSuccessful = false;
1559
1560 tag.pstate = READY;
1561 tag.tstate = NO_OP;
1562
1563 // Clean up trace and prepare it for storing frames
1564 set_tracing(TRUE);
1565 clear_trace();
1566
1567 bQuiet = false;
1568 bQuitTraceFull = true;
1569
1570 LED_D_ON();
1571
1572 // Configure output and enable pin that is connected to the FPGA (for modulating)
1573 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1574 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1575
1576 // Set fpga in edge detect with reader field, we can modulate as reader now
1577 FpgaWriteConfWord(
1578 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1579
1580 // Set Frequency divisor which will drive the FPGA and analog mux selection
1581 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1582 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1583 RELAY_OFF();
1584
1585 // Disable modulation at default, which means enable the field
1586 LOW(GPIO_SSC_DOUT);
1587
1588 // Give it a bit of time for the resonant antenna to settle.
1589 SpinDelay(30);
1590
1591 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1592 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1593
1594 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1595 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1596 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1597
1598 // Disable timer during configuration
1599 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1600
1601 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1602 // external trigger rising edge, load RA on falling edge of TIOA.
1603 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1604 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1605 | AT91C_TC_LDRA_FALLING;
1606
1607 // Enable and reset counters
1608 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1609 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1610
1611 // Reset the received frame, frame count and timing info
1612 frame_count = 0;
1613 response = 0;
1614 lastbit = 1;
1615 bStop = false;
1616
1617 reset_sof = 1;
1618 t_wait = 200;
1619
1620 while (!bStop && !BUTTON_PRESS()) {
1621 // Watchdog hit
1622 WDT_HIT();
1623
1624 // Check if frame was captured and store it
1625 if (rxlen > 0) {
1626 frame_count++;
1627 if (!bQuiet) {
1628 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1629 DbpString("Trace full");
1630 if (bQuitTraceFull) {
1631 break;
1632 } else {
1633 bQuiet = true;
1634 }
1635 }
1636 }
1637 }
1638
1639 //check for valid input
1640 if (page == 0) {
1641 Dbprintf(
1642 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1643 bStop = !false;
1644 }
1645
1646 // By default reset the transmission buffer
1647 tx = txbuf;
1648 txlen = 0;
1649
1650 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
1651 //no write access on this page
1652 Dbprintf("no write access on page %d", page_);
1653 bStop = !false;
1654 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
1655 //start the authetication
1656 txlen = 5;
1657 memcpy(tx, "\xc0", nbytes(txlen));
1658 tag.pstate = READY;
1659 tag.tstate = NO_OP;
1660 } else if (tag.pstate != SELECTED) {
1661 //try to authenticate with the given key or challenge
1662 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1)
1663 bStop = !false;
1664 }
1665 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
1666 //check if the given page exists
1667 if (page > tag.max_page) {
1668 Dbprintf("page number too big");
1669 bStop = !false;
1670 }
1671 //ask Tag for write permission
1672 tag.tstate = WRITING_PAGE_ACK;
1673 txlen = 20;
1674 crc = CRC_PRESET;
1675 tx[0] = 0x90 + (page / 16);
1676 calc_crc(&crc, tx[0], 8);
1677 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1678 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1679 tx[2] = 0x00 + (crc % 16) * 16;
1680 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
1681 && rxlen == 6 && rx[0] == 0xf4) {
1682 //ACK recieved to write the page. send data
1683 tag.tstate = WRITING_PAGE_DATA;
1684 txlen = 40;
1685 crc = CRC_PRESET;
1686 calc_crc(&crc, data[3], 8);
1687 calc_crc(&crc, data[2], 8);
1688 calc_crc(&crc, data[1], 8);
1689 calc_crc(&crc, data[0], 8);
1690 tx[0] = data[3];
1691 tx[1] = data[2];
1692 tx[2] = data[1];
1693 tx[3] = data[0];
1694 tx[4] = crc;
1695 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
1696 && rxlen == 6 && rx[0] == 0xf4) {
1697 //received ACK
1698 Dbprintf("Successful!");
1699 bStop = !false;
1700 }
1701
1702 // Send and store the reader command
1703 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1704 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1705
1706 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1707 // Since the clock counts since the last falling edge, a 'one' means that the
1708 // falling edge occured halfway the period. with respect to this falling edge,
1709 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1710 // All timer values are in terms of T0 units
1711
1712 while (AT91C_BASE_TC0->TC_CV
1713 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1714 ;
1715
1716 // Transmit the reader frame
1717 hitag_reader_send_frame(tx, txlen);
1718
1719 // Enable and reset external trigger in timer for capturing future frames
1720 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1721
1722 // Add transmitted frame to total count
1723 if (txlen > 0) {
1724 frame_count++;
1725 if (!bQuiet) {
1726 // Store the frame in the trace
1727 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1728 if (bQuitTraceFull) {
1729 DbpString("Trace full");
1730 break;
1731 } else {
1732 bQuiet = true;
1733 }
1734 }
1735 }
1736 }
1737
1738 // Reset values for receiving frames
1739 memset(rx, 0x00, sizeof(rx));
1740 rxlen = 0;
1741 lastbit = 1;
1742 bSkip = true;
1743 tag_sof = reset_sof;
1744 response = 0;
1745
1746 // Receive frame, watch for at most T0*EOF periods
1747 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1748 // Check if falling edge in tag modulation is detected
1749 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1750 // Retrieve the new timing values
1751 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1752
1753 // Reset timer every frame, we have to capture the last edge for timing
1754 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1755
1756 LED_B_ON();
1757
1758 // Capture tag frame (manchester decoding using only falling edges)
1759 if (ra >= HITAG_T_EOF) {
1760 if (rxlen != 0) {
1761 //DbpString("wierd1?");
1762 }
1763 // Capture the T0 periods that have passed since last communication or field drop (reset)
1764 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1765 response = ra - HITAG_T_TAG_HALF_PERIOD;
1766 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1767 // Manchester coding example |-_|_-|-_| (101)
1768 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1769 rxlen++;
1770 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1771 rxlen++;
1772 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1773 // Manchester coding example |_-|...|_-|-_| (0...01)
1774 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1775 rxlen++;
1776 // We have to skip this half period at start and add the 'one' the second time
1777 if (!bSkip) {
1778 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1779 rxlen++;
1780 }
1781 lastbit = !lastbit;
1782 bSkip = !bSkip;
1783 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1784 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1785 if (tag_sof) {
1786 // Ignore bits that are transmitted during SOF
1787 tag_sof--;
1788 } else {
1789 // bit is same as last bit
1790 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1791 rxlen++;
1792 }
1793 } else {
1794 // Ignore wierd value, is to small to mean anything
1795 }
1796 }
1797
1798 // We can break this loop if we received the last bit from a frame
1799 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1800 if (rxlen > 0)
1801 break;
1802 }
1803 }
1804 }
1805 end=false;
1806 LED_B_OFF();
1807 LED_D_OFF();
1808 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1809 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1810 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1811 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1812 }
1813
1814 /*
1815 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1816 * Displays all Challenges that failed.
1817 * When collecting Challenges to break the key it is possible that some data
1818 * is not received correctly due to Antenna problems. This function
1819 * detects these challenges.
1820 */
1821 void check_challenges(bool file_given, byte_t* data) {
1822 int i, j, z, k;
1823 byte_t uid_byte[4];
1824 int frame_count;
1825 int response;
1826 byte_t rx[HITAG_FRAME_LEN];
1827 byte_t unlocker[60][8];
1828 int u1 = 0;
1829 size_t rxlen = 0;
1830 byte_t txbuf[HITAG_FRAME_LEN];
1831 byte_t* tx = txbuf;
1832 size_t txlen = 0;
1833 int lastbit;
1834 bool bSkip;
1835 int reset_sof;
1836 int tag_sof;
1837 int t_wait = HITAG_T_WAIT_MAX;
1838 int STATE = 0;
1839 bool bStop;
1840 bool bQuitTraceFull = false;
1841 int response_bit[200];
1842 unsigned char mask = 1;
1843 unsigned char uid[32];
1844 unsigned char crc;
1845
1846 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1847 // Reset the return status
1848 bSuccessful = false;
1849
1850 // Clean up trace and prepare it for storing frames
1851 set_tracing(TRUE);
1852 clear_trace();
1853
1854 bQuiet = false;
1855 bQuitTraceFull = true;
1856
1857 LED_D_ON();
1858
1859 // Configure output and enable pin that is connected to the FPGA (for modulating)
1860 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1861 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1862
1863 // Set fpga in edge detect with reader field, we can modulate as reader now
1864 FpgaWriteConfWord(
1865 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1866
1867 // Set Frequency divisor which will drive the FPGA and analog mux selection
1868 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1869 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1870 RELAY_OFF();
1871
1872 // Disable modulation at default, which means enable the field
1873 LOW(GPIO_SSC_DOUT);
1874
1875 // Give it a bit of time for the resonant antenna to settle.
1876 SpinDelay(30);
1877
1878 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1879 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1880
1881 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1882 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1883 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1884
1885 // Disable timer during configuration
1886 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1887
1888 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1889 // external trigger rising edge, load RA on falling edge of TIOA.
1890 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1891
1892 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1893
1894 // Enable and reset counters
1895 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1896 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1897
1898 // Reset the received frame, frame count and timing info
1899 frame_count = 0;
1900 response = 0;
1901 lastbit = 1;
1902 bStop = false;
1903
1904 reset_sof = 1;
1905 t_wait = 200;
1906
1907 if (file_given) {
1908 DbpString("Loading challenges...");
1909 memcpy((byte_t*)unlocker,data,60*8);
1910 }
1911
1912 while (file_given && !bStop && !BUTTON_PRESS()) {
1913 // Watchdog hit
1914 WDT_HIT();
1915
1916 // Check if frame was captured and store it
1917 if (rxlen > 0) {
1918 frame_count++;
1919 if (!bQuiet) {
1920 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1921 DbpString("Trace full");
1922 if (bQuitTraceFull) {
1923 break;
1924 } else {
1925 bQuiet = true;
1926 }
1927 }
1928 }
1929 }
1930
1931 tx = txbuf;
1932 txlen = 0;
1933 if (rxlen == 0) {
1934 if (STATE == 2)
1935 // challenge failed
1936 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1937 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1938 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1939 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1940 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1941 STATE = 0;
1942 txlen = 5;
1943 //start new authentication
1944 memcpy(tx, "\xc0", nbytes(txlen));
1945 } else if (rxlen >= 67 && STATE == 0) {
1946 //received uid
1947 z = 0;
1948 for (i = 0; i < 10; i++) {
1949 for (j = 0; j < 8; j++) {
1950 response_bit[z] = 0;
1951 if ((rx[i] & ((mask << 7) >> j)) != 0)
1952 response_bit[z] = 1;
1953 z++;
1954 }
1955 }
1956 k = 0;
1957 for (i = 5; i < z; i += 2) {
1958 uid[k] = response_bit[i];
1959 k++;
1960 if (k > 31)
1961 break;
1962 }
1963 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1964 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1965 | (uid[6] << 1) | uid[7];
1966 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1967 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1968 | (uid[14] << 1) | uid[15];
1969 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1970 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1971 | (uid[22] << 1) | uid[23];
1972 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1973 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1974 | (uid[30] << 1) | uid[31];
1975 //Dbhexdump(10, rx, rxlen);
1976 STATE = 1;
1977 txlen = 45;
1978 crc = CRC_PRESET;
1979 calc_crc(&crc, 0x00, 5);
1980 calc_crc(&crc, uid_byte[0], 8);
1981 calc_crc(&crc, uid_byte[1], 8);
1982 calc_crc(&crc, uid_byte[2], 8);
1983 calc_crc(&crc, uid_byte[3], 8);
1984 for (i = 0; i < 100; i++) {
1985 response_bit[i] = 0;
1986 }
1987 for (i = 0; i < 5; i++) {
1988 response_bit[i] = 0;
1989 }
1990 for (i = 5; i < 37; i++) {
1991 response_bit[i] = uid[i - 5];
1992 }
1993 for (j = 0; j < 8; j++) {
1994 response_bit[i] = 0;
1995 if ((crc & ((mask << 7) >> j)) != 0)
1996 response_bit[i] = 1;
1997 i++;
1998 }
1999 k = 0;
2000 for (i = 0; i < 6; i++) {
2001 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2002 | (response_bit[k + 2] << 5)
2003 | (response_bit[k + 3] << 4)
2004 | (response_bit[k + 4] << 3)
2005 | (response_bit[k + 5] << 2)
2006 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2007 k += 8;
2008 }
2009
2010 } else if (STATE == 1 && rxlen == 44) {
2011 //received configuration
2012 STATE = 2;
2013 z = 0;
2014 for (i = 0; i < 6; i++) {
2015 for (j = 0; j < 8; j++) {
2016 response_bit[z] = 0;
2017 if ((rx[i] & ((mask << 7) >> j)) != 0)
2018 response_bit[z] = 1;
2019 z++;
2020 }
2021 }
2022 txlen = 64;
2023
2024 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2025 bStop = !false;
2026 for (i = 0; i < 8; i++)
2027 tx[i] = unlocker[u1][i];
2028 u1++;
2029
2030 } else if (STATE == 2 && rxlen >= 44) {
2031 STATE = 0;
2032 }
2033
2034 // Send and store the reader command
2035 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2036 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2037
2038 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2039 // Since the clock counts since the last falling edge, a 'one' means that the
2040 // falling edge occured halfway the period. with respect to this falling edge,
2041 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2042 // All timer values are in terms of T0 units
2043
2044 while (AT91C_BASE_TC0->TC_CV
2045 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2046 ;
2047
2048 // Transmit the reader frame
2049 hitag_reader_send_frame(tx, txlen);
2050
2051 // Enable and reset external trigger in timer for capturing future frames
2052 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2053
2054 // Add transmitted frame to total count
2055 if (txlen > 0) {
2056 frame_count++;
2057 if (!bQuiet) {
2058 // Store the frame in the trace
2059 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2060 if (bQuitTraceFull) {
2061 DbpString("Trace full");
2062 break;
2063 } else {
2064 bQuiet = true;
2065 }
2066 }
2067 }
2068 }
2069
2070 // Reset values for receiving frames
2071 memset(rx, 0x00, sizeof(rx));
2072 rxlen = 0;
2073 lastbit = 1;
2074 bSkip = true;
2075 tag_sof = reset_sof;
2076 response = 0;
2077
2078 // Receive frame, watch for at most T0*EOF periods
2079 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
2080 // Check if falling edge in tag modulation is detected
2081 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
2082 // Retrieve the new timing values
2083 int ra = (AT91C_BASE_TC1->TC_RA / T0);
2084
2085 // Reset timer every frame, we have to capture the last edge for timing
2086 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
2087
2088 LED_B_ON();
2089
2090 // Capture tag frame (manchester decoding using only falling edges)
2091 if (ra >= HITAG_T_EOF) {
2092 if (rxlen != 0) {
2093 //DbpString("wierd1?");
2094 }
2095 // Capture the T0 periods that have passed since last communication or field drop (reset)
2096 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2097 response = ra - HITAG_T_TAG_HALF_PERIOD;
2098 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
2099 // Manchester coding example |-_|_-|-_| (101)
2100 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2101 rxlen++;
2102 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2103 rxlen++;
2104 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
2105 // Manchester coding example |_-|...|_-|-_| (0...01)
2106 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2107 rxlen++;
2108 // We have to skip this half period at start and add the 'one' the second time
2109 if (!bSkip) {
2110 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2111 rxlen++;
2112 }
2113 lastbit = !lastbit;
2114 bSkip = !bSkip;
2115 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
2116 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2117 if (tag_sof) {
2118 // Ignore bits that are transmitted during SOF
2119 tag_sof--;
2120 } else {
2121 // bit is same as last bit
2122 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
2123 rxlen++;
2124 }
2125 } else {
2126 // Ignore wierd value, is to small to mean anything
2127 }
2128 }
2129
2130 // We can break this loop if we received the last bit from a frame
2131 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
2132 if (rxlen > 0)
2133 break;
2134 }
2135 }
2136 }
2137 LED_B_OFF();
2138 LED_D_OFF();
2139 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2140 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2141 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2142 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2143 }
2144
2145
2146
Impressum, Datenschutz