]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitag2.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
MAJOR update, added hitag2 reader, emulation and eavesdropping, lots of new code...
[proxmark3-svn] / armsrc / hitag2.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Hitag2 emulation (preliminary test version)
7 //
8 // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
9 //-----------------------------------------------------------------------------
10 // Hitag2 complete rewrite of the code
11 // - Fixed modulation/encoding issues
12 // - Rewrote code for transponder emulation
13 // - Added snooping of transponder communication
14 // - Added reader functionality
15 //
16 // (c) 2012 Roel Verdult
17 //-----------------------------------------------------------------------------
18
19 #include "proxmark3.h"
20 #include "apps.h"
21 #include "util.h"
22 #include "hitag2.h"
23 #include "string.h"
24
25 static bool bQuiet;
26
27 bool bCrypto;
28 bool bPwd;
29
30 struct hitag2_tag {
31 uint32_t uid;
32 enum {
33 TAG_STATE_RESET = 0x01, // Just powered up, awaiting GetSnr
34 TAG_STATE_ACTIVATING = 0x02 , // In activation phase (password mode), sent UID, awaiting reader password
35 TAG_STATE_ACTIVATED = 0x03, // Activation complete, awaiting read/write commands
36 TAG_STATE_WRITING = 0x04, // In write command, awaiting sector contents to be written
37 } state;
38 unsigned int active_sector;
39 byte_t crypto_active;
40 uint64_t cs;
41 byte_t sectors[12][4];
42 };
43
44 static struct hitag2_tag tag;
45 static const struct hitag2_tag resetdata = {
46 .state = TAG_STATE_RESET,
47 .sectors = { // Password mode: | Crypto mode:
48 [0] = { 0x02, 0x4e, 0x02, 0x20}, // UID | UID
49 [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key
50 [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved
51 [3] = { 0x0e, 0xaa, 0x48, 0x54}, // Configuration, password TAG | Configuration, password TAG
52 [4] = { 0x46, 0x5f, 0x4f, 0x4b}, // Data: F_OK
53 [5] = { 0x55, 0x55, 0x55, 0x55}, // Data: UUUU
54 [6] = { 0xaa, 0xaa, 0xaa, 0xaa}, // Data: ....
55 [7] = { 0x55, 0x55, 0x55, 0x55}, // Data: UUUU
56 [8] = { 0x00, 0x00, 0x00, 0x00}, // RSK Low
57 [9] = { 0x00, 0x00, 0x00, 0x00}, // RSK High
58 [10] = { 0x00, 0x00, 0x00, 0x00}, // RCF
59 [11] = { 0x00, 0x00, 0x00, 0x00}, // SYNC
60 },
61 };
62
63 //#define TRACE_LENGTH 3000
64 //uint8_t *trace = (uint8_t *) BigBuf;
65 //int traceLen = 0;
66 //int rsamples = 0;
67
68 #define AUTH_TABLE_OFFSET FREE_BUFFER_OFFSET
69 #define AUTH_TABLE_LENGTH FREE_BUFFER_SIZE
70 byte_t* auth_table = (byte_t *)BigBuf+AUTH_TABLE_OFFSET;
71 size_t auth_table_pos = 0;
72 size_t auth_table_len = AUTH_TABLE_LENGTH;
73
74 byte_t password[4];
75 byte_t NrAr[8];
76
77 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
78 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
79 // For educational purposes only.
80 // No warranties or guarantees of any kind.
81 // This code is released into the public domain by its author.
82
83 // Basic macros:
84
85 #define u8 uint8_t
86 #define u32 uint32_t
87 #define u64 uint64_t
88 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
89 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
90 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
91 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
92 #define bit(x,n) (((x)>>(n))&1)
93 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
94 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
95 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
96
97 // Single bit Hitag2 functions:
98
99 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
100
101 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
102 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
103 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
104
105 static u32 _f20 (const u64 x)
106 {
107 u32 i5;
108
109 i5 = ((ht2_f4a >> i4 (x, 1, 2, 4, 5)) & 1)* 1
110 + ((ht2_f4b >> i4 (x, 7,11,13,14)) & 1)* 2
111 + ((ht2_f4b >> i4 (x,16,20,22,25)) & 1)* 4
112 + ((ht2_f4b >> i4 (x,27,28,30,32)) & 1)* 8
113 + ((ht2_f4a >> i4 (x,33,42,43,45)) & 1)*16;
114
115 return (ht2_f5c >> i5) & 1;
116 }
117
118 static u64 _hitag2_init (const u64 key, const u32 serial, const u32 IV)
119 {
120 u32 i;
121 u64 x = ((key & 0xFFFF) << 32) + serial;
122
123 for (i = 0; i < 32; i++)
124 {
125 x >>= 1;
126 x += (u64) (_f20 (x) ^ (((IV >> i) ^ (key >> (i+16))) & 1)) << 47;
127 }
128 return x;
129 }
130
131 static u64 _hitag2_round (u64 *state)
132 {
133 u64 x = *state;
134
135 x = (x >> 1) +
136 ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6)
137 ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22)
138 ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41)
139 ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47);
140
141 *state = x;
142 return _f20 (x);
143 }
144
145 static u32 _hitag2_byte (u64 * x)
146 {
147 u32 i, c;
148
149 for (i = 0, c = 0; i < 8; i++) c += (u32) _hitag2_round (x) << (i^7);
150 return c;
151 }
152
153 size_t nbytes(size_t nbits) {
154 return (nbits/8)+((nbits%8)>0);
155 }
156
157 int hitag2_reset(void)
158 {
159 tag.state = TAG_STATE_RESET;
160 tag.crypto_active = 0;
161 return 0;
162 }
163
164 int hitag2_init(void)
165 {
166 memcpy(&tag, &resetdata, sizeof(tag));
167 hitag2_reset();
168 return 0;
169 }
170
171 static void hitag2_cipher_reset(struct hitag2_tag *tag, const byte_t *iv)
172 {
173 uint64_t key = ((uint64_t)tag->sectors[2][2]) |
174 ((uint64_t)tag->sectors[2][3] << 8) |
175 ((uint64_t)tag->sectors[1][0] << 16) |
176 ((uint64_t)tag->sectors[1][1] << 24) |
177 ((uint64_t)tag->sectors[1][2] << 32) |
178 ((uint64_t)tag->sectors[1][3] << 40);
179 uint32_t uid = ((uint32_t)tag->sectors[0][0]) |
180 ((uint32_t)tag->sectors[0][1] << 8) |
181 ((uint32_t)tag->sectors[0][2] << 16) |
182 ((uint32_t)tag->sectors[0][3] << 24);
183 uint32_t iv_ = (((uint32_t)(iv[0]))) |
184 (((uint32_t)(iv[1])) << 8) |
185 (((uint32_t)(iv[2])) << 16) |
186 (((uint32_t)(iv[3])) << 24);
187 tag->cs = _hitag2_init(rev64(key), rev32(uid), rev32(iv_));
188 }
189
190 static int hitag2_cipher_authenticate(uint64_t* cs, const byte_t *authenticator_is)
191 {
192 byte_t authenticator_should[4];
193 authenticator_should[0] = ~_hitag2_byte(cs);
194 authenticator_should[1] = ~_hitag2_byte(cs);
195 authenticator_should[2] = ~_hitag2_byte(cs);
196 authenticator_should[3] = ~_hitag2_byte(cs);
197 return (memcmp(authenticator_should, authenticator_is, 4) == 0);
198 }
199
200 static int hitag2_cipher_transcrypt(uint64_t* cs, byte_t *data, unsigned int bytes, unsigned int bits)
201 {
202 int i;
203 for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(cs);
204 for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(cs) << (7-i);
205 return 0;
206 }
207
208 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
209 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
210 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
211 // T0 = TIMER_CLOCK1 / 125000 = 192
212 #define T0 192
213
214 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
215 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
216
217 #define HITAG_FRAME_LEN 20
218 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
219 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
220 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
221 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
222 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
223 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
224 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
225 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
226 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
227
228 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
229 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
230 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
231 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
232
233 #define HITAG_T_TAG_HALF_PERIOD 16
234 #define HITAG_T_TAG_FULL_PERIOD 32
235
236 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
237 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
238 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
239 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
240
241
242 static void hitag_send_bit(int bit) {
243 LED_A_ON();
244 // Reset clock for the next bit
245 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
246
247 // Fixed modulation, earlier proxmark version used inverted signal
248 if(bit == 0) {
249 // Manchester: Unloaded, then loaded |__--|
250 LOW(GPIO_SSC_DOUT);
251 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_HALF_PERIOD);
252 HIGH(GPIO_SSC_DOUT);
253 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_FULL_PERIOD);
254 } else {
255 // Manchester: Loaded, then unloaded |--__|
256 HIGH(GPIO_SSC_DOUT);
257 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_HALF_PERIOD);
258 LOW(GPIO_SSC_DOUT);
259 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_FULL_PERIOD);
260 }
261 LED_A_OFF();
262 }
263
264 static void hitag_send_frame(const byte_t* frame, size_t frame_len)
265 {
266 // Send start of frame
267 for(size_t i=0; i<5; i++) {
268 hitag_send_bit(1);
269 }
270
271 // Send the content of the frame
272 for(size_t i=0; i<frame_len; i++) {
273 hitag_send_bit((frame[i/8] >> (7-(i%8)))&1);
274 }
275
276 // Drop the modulation
277 LOW(GPIO_SSC_DOUT);
278 }
279
280 void hitag2_handle_reader_command(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen)
281 {
282 byte_t rx_air[HITAG_FRAME_LEN];
283
284 // Copy the (original) received frame how it is send over the air
285 memcpy(rx_air,rx,nbytes(rxlen));
286
287 if(tag.crypto_active) {
288 hitag2_cipher_transcrypt(&(tag.cs),rx,rxlen/8,rxlen%8);
289 }
290
291 // Reset the transmission frame length
292 *txlen = 0;
293
294 // Try to find out which command was send by selecting on length (in bits)
295 switch (rxlen) {
296 // Received 11000 from the reader, request for UID, send UID
297 case 05: {
298 // Always send over the air in the clear plaintext mode
299 if(rx_air[0] != 0xC0) {
300 // Unknown frame ?
301 return;
302 }
303 *txlen = 32;
304 memcpy(tx,tag.sectors[0],4);
305 tag.crypto_active = 0;
306 }
307 break;
308
309 // Read/Write command: ..xx x..y yy with yyy == ~xxx, xxx is sector number
310 case 10: {
311 unsigned int sector = (~( ((rx[0]<<2)&0x04) | ((rx[1]>>6)&0x03) ) & 0x07);
312 // Verify complement of sector index
313 if(sector != ((rx[0]>>3)&0x07)) {
314 //DbpString("Transmission error (read/write)");
315 return;
316 }
317
318 switch (rx[0] & 0xC6) {
319 // Read command: 11xx x00y
320 case 0xC0:
321 memcpy(tx,tag.sectors[sector],4);
322 *txlen = 32;
323 break;
324
325 // Inverted Read command: 01xx x10y
326 case 0x44:
327 for (size_t i=0; i<4; i++) {
328 tx[i] = tag.sectors[sector][i] ^ 0xff;
329 }
330 *txlen = 32;
331 break;
332
333 // Write command: 10xx x01y
334 case 0x82:
335 // Prepare write, acknowledge by repeating command
336 memcpy(tx,rx,nbytes(rxlen));
337 *txlen = rxlen;
338 tag.active_sector = sector;
339 tag.state=TAG_STATE_WRITING;
340 break;
341
342 // Unknown command
343 default:
344 Dbprintf("Uknown command: %02x %02x",rx[0],rx[1]);
345 return;
346 break;
347 }
348 }
349 break;
350
351 // Writing data or Reader password
352 case 32: {
353 if(tag.state == TAG_STATE_WRITING) {
354 // These are the sector contents to be written. We don't have to do anything else.
355 memcpy(tag.sectors[tag.active_sector],rx,nbytes(rxlen));
356 tag.state=TAG_STATE_RESET;
357 return;
358 } else {
359 // Received RWD password, respond with configuration and our password
360 if(memcmp(rx,tag.sectors[1],4) != 0) {
361 DbpString("Reader password is wrong");
362 return;
363 }
364 *txlen = 32;
365 memcpy(tx,tag.sectors[3],4);
366 }
367 }
368 break;
369
370 // Received RWD authentication challenge and respnse
371 case 64: {
372 // Store the authentication attempt
373 if (auth_table_len < (AUTH_TABLE_LENGTH-8)) {
374 memcpy(auth_table+auth_table_len,rx,8);
375 auth_table_len += 8;
376 }
377
378 // Reset the cipher state
379 hitag2_cipher_reset(&tag,rx);
380 // Check if the authentication was correct
381 if(!hitag2_cipher_authenticate(&(tag.cs),rx+4)) {
382 // The reader failed to authenticate, do nothing
383 Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x Failed!",rx[0],rx[1],rx[2],rx[3],rx[4],rx[5],rx[6],rx[7]);
384 return;
385 }
386 // Succesful, but commented out reporting back to the Host, this may delay to much.
387 // Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x OK!",rx[0],rx[1],rx[2],rx[3],rx[4],rx[5],rx[6],rx[7]);
388
389 // Activate encryption algorithm for all further communication
390 tag.crypto_active = 1;
391
392 // Use the tag password as response
393 memcpy(tx,tag.sectors[3],4);
394 *txlen = 32;
395 }
396 break;
397 }
398
399 // LogTrace(rx,nbytes(rxlen),0,0,false);
400 // LogTrace(tx,nbytes(*txlen),0,0,true);
401
402 if(tag.crypto_active) {
403 hitag2_cipher_transcrypt(&(tag.cs), tx, *txlen/8, *txlen%8);
404 }
405 }
406
407 static void hitag_reader_send_bit(int bit) {
408 LED_A_ON();
409 // Reset clock for the next bit
410 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
411
412 // Binary puls length modulation (BPLM) is used to encode the data stream
413 // This means that a transmission of a one takes longer than that of a zero
414
415 // Enable modulation, which means, drop the the field
416 HIGH(GPIO_SSC_DOUT);
417
418 // Wait for 4-10 times the carrier period
419 while(AT91C_BASE_TC0->TC_CV < T0*6);
420 // SpinDelayUs(8*8);
421
422 // Disable modulation, just activates the field again
423 LOW(GPIO_SSC_DOUT);
424
425 if(bit == 0) {
426 // Zero bit: |_-|
427 while(AT91C_BASE_TC0->TC_CV < T0*22);
428 // SpinDelayUs(16*8);
429 } else {
430 // One bit: |_--|
431 while(AT91C_BASE_TC0->TC_CV < T0*28);
432 // SpinDelayUs(22*8);
433 }
434 LED_A_OFF();
435 }
436
437 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len)
438 {
439 // Send the content of the frame
440 for(size_t i=0; i<frame_len; i++) {
441 hitag_reader_send_bit((frame[i/8] >> (7-(i%8)))&1);
442 }
443 // Send EOF
444 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
445 // Enable modulation, which means, drop the the field
446 HIGH(GPIO_SSC_DOUT);
447 // Wait for 4-10 times the carrier period
448 while(AT91C_BASE_TC0->TC_CV < T0*6);
449 // Disable modulation, just activates the field again
450 LOW(GPIO_SSC_DOUT);
451 }
452
453 bool hitag2_password(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
454 // Reset the transmission frame length
455 *txlen = 0;
456
457 // Try to find out which command was send by selecting on length (in bits)
458 switch (rxlen) {
459 // No answer, try to resurrect
460 case 0: {
461 // Stop if there is no answer (after sending password)
462 if (bPwd) {
463 DbpString("Password failed!");
464 return false;
465 }
466 *txlen = 5;
467 memcpy(tx,"\xc0",nbytes(*txlen));
468 } break;
469
470 // Received UID, tag password
471 case 32: {
472 if (!bPwd) {
473 *txlen = 32;
474 memcpy(tx,password,4);
475 bPwd = true;
476 } else {
477 DbpString("Password succesful!");
478 // We are done... for now
479 return false;
480 }
481 } break;
482
483 // Unexpected response
484 default: {
485 Dbprintf("Uknown frame length: %d",rxlen);
486 return false;
487 } break;
488 }
489 return true;
490 }
491
492 bool hitag2_authenticate(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
493 // Reset the transmission frame length
494 *txlen = 0;
495
496 // Try to find out which command was send by selecting on length (in bits)
497 switch (rxlen) {
498 // No answer, try to resurrect
499 case 0: {
500 // Stop if there is no answer while we are in crypto mode (after sending NrAr)
501 if (bCrypto) {
502 DbpString("Authentication failed!");
503 return false;
504 }
505 *txlen = 5;
506 memcpy(tx,"\xc0",nbytes(*txlen));
507 } break;
508
509 // Received UID, crypto tag answer
510 case 32: {
511 if (!bCrypto) {
512 *txlen = 64;
513 memcpy(tx,NrAr,8);
514 bCrypto = true;
515 } else {
516 DbpString("Authentication succesful!");
517 // We are done... for now
518 return false;
519 }
520 } break;
521
522 // Unexpected response
523 default: {
524 Dbprintf("Uknown frame length: %d",rxlen);
525 return false;
526 } break;
527 }
528
529 return true;
530 }
531
532 bool hitag2_test_auth_attempts(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
533 // Reset the transmission frame length
534 *txlen = 0;
535
536 // Try to find out which command was send by selecting on length (in bits)
537 switch (rxlen) {
538 // No answer, try to resurrect
539 case 0: {
540 // Stop if there is no answer while we are in crypto mode (after sending NrAr)
541 if (bCrypto) {
542 Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x Failed!",NrAr[0],NrAr[1],NrAr[2],NrAr[3],NrAr[4],NrAr[5],NrAr[6],NrAr[7]);
543 bCrypto = false;
544 if ((auth_table_pos+8) == auth_table_len) {
545 return false;
546 }
547 auth_table_pos += 8;
548 memcpy(NrAr,auth_table+auth_table_pos,8);
549 }
550 *txlen = 5;
551 memcpy(tx,"\xc0",nbytes(*txlen));
552 } break;
553
554 // Received UID, crypto tag answer, or read block response
555 case 32: {
556 if (!bCrypto) {
557 *txlen = 64;
558 memcpy(tx,NrAr,8);
559 bCrypto = true;
560 } else {
561 Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x OK",NrAr[0],NrAr[1],NrAr[2],NrAr[3],NrAr[4],NrAr[5],NrAr[6],NrAr[7]);
562 bCrypto = false;
563 if ((auth_table_pos+8) == auth_table_len) {
564 return false;
565 }
566 auth_table_pos += 8;
567 memcpy(NrAr,auth_table+auth_table_pos,8);
568 }
569 } break;
570
571 default: {
572 Dbprintf("Uknown frame length: %d",rxlen);
573 return false;
574 } break;
575 }
576
577 return true;
578 }
579
580 void SnoopHitag(uint32_t type) {
581 int frame_count;
582 int response;
583 int overflow;
584 bool rising_edge;
585 bool reader_frame;
586 int lastbit;
587 bool bSkip;
588 int tag_sof;
589 byte_t rx[HITAG_FRAME_LEN];
590 size_t rxlen=0;
591
592 // Clean up trace and prepare it for storing frames
593 iso14a_set_tracing(TRUE);
594 iso14a_clear_trace();
595
596 auth_table_len = 0;
597 auth_table_pos = 0;
598 memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
599
600 DbpString("Starting Hitag2 snoop");
601 LED_D_ON();
602
603 // Set up eavesdropping mode, frequency divisor which will drive the FPGA
604 // and analog mux selection.
605 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
606 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
607 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
608 RELAY_OFF();
609
610 // Configure output pin that is connected to the FPGA (for modulating)
611 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
612 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
613
614 // Disable modulation, we are going to eavesdrop, not modulate ;)
615 LOW(GPIO_SSC_DOUT);
616
617 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
618 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
619 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
620
621 // Disable timer during configuration
622 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
623
624 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
625 // external trigger rising edge, load RA on rising edge of TIOA.
626 uint32_t t1_channel_mode = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_BOTH | AT91C_TC_ABETRG | AT91C_TC_LDRA_BOTH;
627 AT91C_BASE_TC1->TC_CMR = t1_channel_mode;
628
629 // Enable and reset counter
630 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
631
632 // Reset the received frame, frame count and timing info
633 memset(rx,0x00,sizeof(rx));
634 frame_count = 0;
635 response = 0;
636 overflow = 0;
637 reader_frame = false;
638 lastbit = 1;
639 bSkip = true;
640 tag_sof = 4;
641
642 while(!BUTTON_PRESS()) {
643 // Watchdog hit
644 WDT_HIT();
645
646 // Receive frame, watch for at most T0*EOF periods
647 while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_EOF) {
648 // Check if rising edge in modulation is detected
649 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
650 // Retrieve the new timing values
651 int ra = (AT91C_BASE_TC1->TC_RA/T0);
652
653 // Find out if we are dealing with a rising or falling edge
654 rising_edge = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME) > 0;
655
656 // Shorter periods will only happen with reader frames
657 if (!reader_frame && rising_edge && ra < HITAG_T_TAG_CAPTURE_ONE_HALF) {
658 // Switch from tag to reader capture
659 LED_C_OFF();
660 reader_frame = true;
661 memset(rx,0x00,sizeof(rx));
662 rxlen = 0;
663 }
664
665 // Only handle if reader frame and rising edge, or tag frame and falling edge
666 if (reader_frame != rising_edge) {
667 overflow += ra;
668 continue;
669 }
670
671 // Add the buffered timing values of earlier captured edges which were skipped
672 ra += overflow;
673 overflow = 0;
674
675 if (reader_frame) {
676 LED_B_ON();
677 // Capture reader frame
678 if(ra >= HITAG_T_STOP) {
679 if (rxlen != 0) {
680 //DbpString("wierd0?");
681 }
682 // Capture the T0 periods that have passed since last communication or field drop (reset)
683 response = (ra - HITAG_T_LOW);
684 } else if(ra >= HITAG_T_1_MIN ) {
685 // '1' bit
686 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
687 rxlen++;
688 } else if(ra >= HITAG_T_0_MIN) {
689 // '0' bit
690 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
691 rxlen++;
692 } else {
693 // Ignore wierd value, is to small to mean anything
694 }
695 } else {
696 LED_C_ON();
697 // Capture tag frame (manchester decoding using only falling edges)
698 if(ra >= HITAG_T_EOF) {
699 if (rxlen != 0) {
700 //DbpString("wierd1?");
701 }
702 // Capture the T0 periods that have passed since last communication or field drop (reset)
703 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
704 response = ra-HITAG_T_TAG_HALF_PERIOD;
705 } else if(ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
706 // Manchester coding example |-_|_-|-_| (101)
707 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
708 rxlen++;
709 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
710 rxlen++;
711 } else if(ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
712 // Manchester coding example |_-|...|_-|-_| (0...01)
713 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
714 rxlen++;
715 // We have to skip this half period at start and add the 'one' the second time
716 if (!bSkip) {
717 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
718 rxlen++;
719 }
720 lastbit = !lastbit;
721 bSkip = !bSkip;
722 } else if(ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
723 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
724 if (tag_sof) {
725 // Ignore bits that are transmitted during SOF
726 tag_sof--;
727 } else {
728 // bit is same as last bit
729 rx[rxlen / 8] |= lastbit << (7-(rxlen%8));
730 rxlen++;
731 }
732 } else {
733 // Ignore wierd value, is to small to mean anything
734 }
735 }
736 }
737 }
738
739 // Check if frame was captured
740 if(rxlen > 0) {
741 frame_count++;
742 if (!LogTrace(rx,nbytes(rxlen),response,0,reader_frame)) {
743 DbpString("Trace full");
744 break;
745 }
746
747 // Check if we recognize a valid authentication attempt
748 if (nbytes(rxlen) == 8) {
749 // Store the authentication attempt
750 if (auth_table_len < (AUTH_TABLE_LENGTH-8)) {
751 memcpy(auth_table+auth_table_len,rx,8);
752 auth_table_len += 8;
753 }
754 }
755
756 // Reset the received frame and response timing info
757 memset(rx,0x00,sizeof(rx));
758 response = 0;
759 reader_frame = false;
760 lastbit = 1;
761 bSkip = true;
762 tag_sof = 4;
763 overflow = 0;
764
765 LED_B_OFF();
766 LED_C_OFF();
767 } else {
768 // Save the timer overflow, will be 0 when frame was received
769 overflow += (AT91C_BASE_TC1->TC_CV/T0);
770 }
771 // Reset the frame length
772 rxlen = 0;
773 // Reset the timer to restart while-loop that receives frames
774 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
775 }
776 LED_A_ON();
777 LED_B_OFF();
778 LED_C_OFF();
779 LED_D_OFF();
780 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
781 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
782 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
783 LED_A_OFF();
784
785 // Dbprintf("frame received: %d",frame_count);
786 // Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
787 // DbpString("All done");
788 }
789
790 void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
791 int frame_count;
792 int response;
793 int overflow;
794 byte_t rx[HITAG_FRAME_LEN];
795 size_t rxlen=0;
796 byte_t tx[HITAG_FRAME_LEN];
797 size_t txlen=0;
798 bool bQuitTraceFull = false;
799 bQuiet = false;
800
801 // Clean up trace and prepare it for storing frames
802 iso14a_set_tracing(TRUE);
803 iso14a_clear_trace();
804 auth_table_len = 0;
805 auth_table_pos = 0;
806 memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
807
808 DbpString("Starting Hitag2 simulation");
809 LED_D_ON();
810 hitag2_init();
811
812 if (tag_mem_supplied) {
813 DbpString("Loading hitag2 memory...");
814 memcpy((byte_t*)tag.sectors,data,48);
815 }
816
817 uint32_t block = 0;
818 for (size_t i=0; i<12; i++) {
819 for (size_t j=0; j<4; j++) {
820 block <<= 8;
821 block |= tag.sectors[i][j];
822 }
823 Dbprintf("| %d | %08x |",i,block);
824 }
825
826 // Set up simulator mode, frequency divisor which will drive the FPGA
827 // and analog mux selection.
828 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
829 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
830 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
831 RELAY_OFF();
832
833 // Configure output pin that is connected to the FPGA (for modulating)
834 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
835 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
836
837 // Disable modulation at default, which means release resistance
838 LOW(GPIO_SSC_DOUT);
839
840 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
841 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
842
843 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
844 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
845 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
846
847 // Disable timer during configuration
848 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
849
850 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
851 // external trigger rising edge, load RA on rising edge of TIOA.
852 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
853
854 // Enable and reset counter
855 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
856
857 // Reset the received frame, frame count and timing info
858 memset(rx,0x00,sizeof(rx));
859 frame_count = 0;
860 response = 0;
861 overflow = 0;
862
863 while(!BUTTON_PRESS()) {
864 // Watchdog hit
865 WDT_HIT();
866
867 // Receive frame, watch for at most T0*EOF periods
868 while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_EOF) {
869 // Check if rising edge in modulation is detected
870 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
871 // Retrieve the new timing values
872 int ra = (AT91C_BASE_TC1->TC_RA/T0) + overflow;
873 overflow = 0;
874
875 // Reset timer every frame, we have to capture the last edge for timing
876 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
877
878 LED_B_ON();
879
880 // Capture reader frame
881 if(ra >= HITAG_T_STOP) {
882 if (rxlen != 0) {
883 //DbpString("wierd0?");
884 }
885 // Capture the T0 periods that have passed since last communication or field drop (reset)
886 response = (ra - HITAG_T_LOW);
887 } else if(ra >= HITAG_T_1_MIN ) {
888 // '1' bit
889 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
890 rxlen++;
891 } else if(ra >= HITAG_T_0_MIN) {
892 // '0' bit
893 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
894 rxlen++;
895 } else {
896 // Ignore wierd value, is to small to mean anything
897 }
898 }
899 }
900
901 // Check if frame was captured
902 if(rxlen > 4) {
903 frame_count++;
904 if (!bQuiet) {
905 if (!LogTrace(rx,nbytes(rxlen),response,0,true)) {
906 DbpString("Trace full");
907 if (bQuitTraceFull) {
908 break;
909 } else {
910 bQuiet = true;
911 }
912 }
913 }
914
915 // Disable timer 1 with external trigger to avoid triggers during our own modulation
916 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
917
918 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
919 hitag2_handle_reader_command(rx,rxlen,tx,&txlen);
920
921 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
922 // not that since the clock counts since the rising edge, but T_Wait1 is
923 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
924 // periods. The gap time T_Low varies (4..10). All timer values are in
925 // terms of T0 units
926 while(AT91C_BASE_TC0->TC_CV < T0*(HITAG_T_WAIT_1-HITAG_T_LOW));
927
928 // Send and store the tag answer (if there is any)
929 if (txlen) {
930 // Transmit the tag frame
931 hitag_send_frame(tx,txlen);
932 // Store the frame in the trace
933 if (!bQuiet) {
934 if (!LogTrace(tx,nbytes(txlen),0,0,false)) {
935 DbpString("Trace full");
936 if (bQuitTraceFull) {
937 break;
938 } else {
939 bQuiet = true;
940 }
941 }
942 }
943 }
944
945 // Reset the received frame and response timing info
946 memset(rx,0x00,sizeof(rx));
947 response = 0;
948
949 // Enable and reset external trigger in timer for capturing future frames
950 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
951 LED_B_OFF();
952 }
953 // Reset the frame length
954 rxlen = 0;
955 // Save the timer overflow, will be 0 when frame was received
956 overflow += (AT91C_BASE_TC1->TC_CV/T0);
957 // Reset the timer to restart while-loop that receives frames
958 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
959 }
960 LED_B_OFF();
961 LED_D_OFF();
962 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
963 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
964 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
965 // Dbprintf("frame received: %d",frame_count);
966 // Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
967 // DbpString("All done");
968 }
969
970 void ReaderHitag(hitag_function htf, hitag_data* htd) {
971 int frame_count;
972 int response;
973 byte_t rx[HITAG_FRAME_LEN];
974 size_t rxlen=0;
975 byte_t txbuf[HITAG_FRAME_LEN];
976 byte_t* tx = txbuf;
977 size_t txlen=0;
978 int lastbit;
979 bool bSkip;
980 int reset_sof;
981 int tag_sof;
982 int t_wait = HITAG_T_WAIT_MAX;
983 bool bStop;
984 bool bQuitTraceFull = false;
985
986 // Clean up trace and prepare it for storing frames
987 iso14a_set_tracing(TRUE);
988 iso14a_clear_trace();
989 DbpString("Starting Hitag reader family");
990
991 // Check configuration
992 switch(htf) {
993 case RHT2F_PASSWORD: {
994 Dbprintf("List identifier in password mode");
995 memcpy(password,htd->pwd.password,4);
996 bQuitTraceFull = false;
997 bQuiet = false;
998 bPwd = false;
999 } break;
1000 case RHT2F_AUTHENTICATE: {
1001 DbpString("Authenticating in crypto mode");
1002 memcpy(NrAr,htd->auth.NrAr,8);
1003 Dbprintf("Reader-challenge:");
1004 Dbhexdump(8,NrAr,false);
1005 bQuiet = false;
1006 bCrypto = false;
1007 bQuitTraceFull = true;
1008 } break;
1009
1010 case RHT2F_TEST_AUTH_ATTEMPTS: {
1011 Dbprintf("Testing %d authentication attempts",(auth_table_len/8));
1012 auth_table_pos = 0;
1013 memcpy(NrAr,auth_table,8);
1014 bQuitTraceFull = false;
1015 bQuiet = false;
1016 bCrypto = false;
1017 } break;
1018
1019 default: {
1020 Dbprintf("Error, unknown function: %d",htf);
1021 return;
1022 } break;
1023 }
1024
1025 LED_D_ON();
1026 hitag2_init();
1027
1028 // Configure output and enable pin that is connected to the FPGA (for modulating)
1029 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1030 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1031
1032 // Set fpga in edge detect with reader field, we can modulate as reader now
1033 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1034
1035 // Set Frequency divisor which will drive the FPGA and analog mux selection
1036 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1037 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1038 RELAY_OFF();
1039
1040 // Disable modulation at default, which means enable the field
1041 LOW(GPIO_SSC_DOUT);
1042
1043 // Give it a bit of time for the resonant antenna to settle.
1044 SpinDelay(30);
1045
1046 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1047 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1048
1049 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1050 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1051 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1052
1053 // Disable timer during configuration
1054 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1055
1056 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1057 // external trigger rising edge, load RA on falling edge of TIOA.
1058 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1059
1060 // Enable and reset counters
1061 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1062 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1063
1064 // Reset the received frame, frame count and timing info
1065 frame_count = 0;
1066 response = 0;
1067 lastbit = 1;
1068 bStop = false;
1069
1070 // Tag specific configuration settings (sof, timings, etc.)
1071 if (htf < 10){
1072 // hitagS settings
1073 reset_sof = 1;
1074 t_wait = 200;
1075 DbpString("Configured for hitagS reader");
1076 } else if (htf < 20) {
1077 // hitag1 settings
1078 reset_sof = 1;
1079 t_wait = 200;
1080 DbpString("Configured for hitag1 reader");
1081 } else if (htf < 30) {
1082 // hitag2 settings
1083 reset_sof = 4;
1084 t_wait = HITAG_T_WAIT_2;
1085 DbpString("Configured for hitag2 reader");
1086 } else {
1087 Dbprintf("Error, unknown hitag reader type: %d",htf);
1088 return;
1089 }
1090
1091 while(!bStop && !BUTTON_PRESS()) {
1092 // Watchdog hit
1093 WDT_HIT();
1094
1095 // Check if frame was captured and store it
1096 if(rxlen > 0) {
1097 frame_count++;
1098 if (!bQuiet) {
1099 if (!LogTrace(rx,nbytes(rxlen),response,0,false)) {
1100 DbpString("Trace full");
1101 if (bQuitTraceFull) {
1102 break;
1103 } else {
1104 bQuiet = true;
1105 }
1106 }
1107 }
1108 }
1109
1110 // By default reset the transmission buffer
1111 tx = txbuf;
1112 switch(htf) {
1113 case RHT2F_PASSWORD: {
1114 bStop = !hitag2_password(rx,rxlen,tx,&txlen);
1115 } break;
1116 case RHT2F_AUTHENTICATE: {
1117 bStop = !hitag2_authenticate(rx,rxlen,tx,&txlen);
1118 } break;
1119 case RHT2F_TEST_AUTH_ATTEMPTS: {
1120 bStop = !hitag2_test_auth_attempts(rx,rxlen,tx,&txlen);
1121 } break;
1122 default: {
1123 Dbprintf("Error, unknown function: %d",htf);
1124 return;
1125 } break;
1126 }
1127
1128 // Send and store the reader command
1129 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1130 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1131
1132 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1133 // Since the clock counts since the last falling edge, a 'one' means that the
1134 // falling edge occured halfway the period. with respect to this falling edge,
1135 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1136 // All timer values are in terms of T0 units
1137 while(AT91C_BASE_TC0->TC_CV < T0*(t_wait+(HITAG_T_TAG_HALF_PERIOD*lastbit)));
1138
1139 // Transmit the reader frame
1140 hitag_reader_send_frame(tx,txlen);
1141
1142 // Enable and reset external trigger in timer for capturing future frames
1143 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1144
1145 // Add transmitted frame to total count
1146 if(txlen > 0) {
1147 frame_count++;
1148 if (!bQuiet) {
1149 // Store the frame in the trace
1150 if (!LogTrace(tx,nbytes(txlen),HITAG_T_WAIT_2,0,true)) {
1151 if (bQuitTraceFull) {
1152 break;
1153 } else {
1154 bQuiet = true;
1155 }
1156 }
1157 }
1158 }
1159
1160 // Reset values for receiving frames
1161 memset(rx,0x00,sizeof(rx));
1162 rxlen = 0;
1163 lastbit = 1;
1164 bSkip = true;
1165 tag_sof = reset_sof;
1166 response = 0;
1167
1168 // Receive frame, watch for at most T0*EOF periods
1169 while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_WAIT_MAX) {
1170 // Check if falling edge in tag modulation is detected
1171 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1172 // Retrieve the new timing values
1173 int ra = (AT91C_BASE_TC1->TC_RA/T0);
1174
1175 // Reset timer every frame, we have to capture the last edge for timing
1176 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1177
1178 LED_B_ON();
1179
1180 // Capture tag frame (manchester decoding using only falling edges)
1181 if(ra >= HITAG_T_EOF) {
1182 if (rxlen != 0) {
1183 //DbpString("wierd1?");
1184 }
1185 // Capture the T0 periods that have passed since last communication or field drop (reset)
1186 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1187 response = ra-HITAG_T_TAG_HALF_PERIOD;
1188 } else if(ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1189 // Manchester coding example |-_|_-|-_| (101)
1190 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
1191 rxlen++;
1192 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
1193 rxlen++;
1194 } else if(ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1195 // Manchester coding example |_-|...|_-|-_| (0...01)
1196 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
1197 rxlen++;
1198 // We have to skip this half period at start and add the 'one' the second time
1199 if (!bSkip) {
1200 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
1201 rxlen++;
1202 }
1203 lastbit = !lastbit;
1204 bSkip = !bSkip;
1205 } else if(ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1206 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1207 if (tag_sof) {
1208 // Ignore bits that are transmitted during SOF
1209 tag_sof--;
1210 } else {
1211 // bit is same as last bit
1212 rx[rxlen / 8] |= lastbit << (7-(rxlen%8));
1213 rxlen++;
1214 }
1215 } else {
1216 // Ignore wierd value, is to small to mean anything
1217 }
1218 }
1219
1220 // We can break this loop if we received the last bit from a frame
1221 if (AT91C_BASE_TC1->TC_CV > T0*HITAG_T_EOF) {
1222 if (rxlen>0) break;
1223 }
1224 }
1225 }
1226 LED_B_OFF();
1227 LED_D_OFF();
1228 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1229 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1230 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1231
1232 // Dbprintf("frame received: %d",frame_count);
1233 // DbpString("All done");
1234 }
Proxmark3 GIT tracking
Impressum, Datenschutz