dc2281b964c8dd065b68cf00b53c7bb72634f5dd
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include <stdlib.h>
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "hitagS.h"
20 #include "hitag2.h"
21 #include "string.h"
22 #include "BigBuf.h"
23
24 #define CRC_PRESET 0xFF
25 #define CRC_POLYNOM 0x1D
26
27 #define u8 uint8_t
28 #define u32 uint32_t
29 #define u64 uint64_t
30 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
31 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
32 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
33 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
34 #define bit(x,n) (((x)>>(n))&1)
35 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
36 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
37 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
38
39 static bool bQuiet;
40 static bool bSuccessful;
41 static struct hitagS_tag tag;
42 static byte_t page_to_be_written = 0;
43 static int block_data_left = 0;
44 typedef enum modulation {
45 AC2K = 0, AC4K, MC4K, MC8K
46 } MOD;
47 static MOD m = AC2K; //used modulation
48 static uint32_t temp_uid;
49 static int temp2 = 0;
50 static int sof_bits; //number of start-of-frame bits
51 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
52 static uint32_t rnd = 0x74124485; //randomnumber
53 static int test = 0;
54 size_t blocknr;
55 bool end=false;
56
57 // Single bit Hitag2 functions:
58 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
59 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
60 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
61 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
62 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
63 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
64 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
65 #define uf20bs u32
66
67 static u32 f20(const u64 x) {
68 u32 i5;
69
70 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
71 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
72 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
73 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
74 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
75
76 return (ht2_f5c >> i5) & 1;
77 }
78 static u64 hitag2_round(u64 *state) {
79 u64 x = *state;
80
81 x = (x >> 1)
82 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
83 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
84 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
85 & 1) << 47);
86
87 *state = x;
88 return f20(x);
89 }
90 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
91 u32 i;
92 u64 x = ((key & 0xFFFF) << 32) + serial;
93 for (i = 0; i < 32; i++) {
94 x >>= 1;
95 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
96 }
97 return x;
98 }
99 static u32 hitag2_byte(u64 *x) {
100 u32 i, c;
101
102 for (i = 0, c = 0; i < 8; i++)
103 c += (u32) hitag2_round(x) << (i ^ 7);
104 return c;
105 }
106
107 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
108 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
109 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
110 // T0 = TIMER_CLOCK1 / 125000 = 192
111 #define T0 192
112
113 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
114 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
115
116 #define HITAG_FRAME_LEN 20
117 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
118 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
119 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
120 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
121 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
122 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
123 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
124 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
125 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
126
127 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
128 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
129 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
130 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
131
132 #define HITAG_T_TAG_HALF_PERIOD 16
133 #define HITAG_T_TAG_FULL_PERIOD 32
134
135 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
136 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
137 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
138 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
139
140 #define DEBUG 0
141
142 /*
143 * Implementation of the crc8 calculation from Hitag S
144 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
145 */
146 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
147 *crc ^= data; // crc = crc (exor) data
148 do {
149 if (*crc & 0x80) // if (MSB-CRC == 1)
150 {
151 *crc <<= 1; // CRC = CRC Bit-shift left
152 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
153 } else {
154 *crc <<= 1; // CRC = CRC Bit-shift left
155 }
156 } while (--Bitcount);
157 }
158
159 static void hitag_send_bit(int bit) {
160 LED_A_ON();
161 // Reset clock for the next bit
162 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
163
164 switch (m) {
165 case AC2K:
166 if (bit == 0) {
167 // AC Coding --__
168 HIGH(GPIO_SSC_DOUT);
169 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
170 ;
171 LOW(GPIO_SSC_DOUT);
172 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
173 ;
174 } else {
175 // AC coding -_-_
176 HIGH(GPIO_SSC_DOUT);
177 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
178 ;
179 LOW(GPIO_SSC_DOUT);
180 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
181 ;
182 HIGH(GPIO_SSC_DOUT);
183 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
184 ;
185 LOW(GPIO_SSC_DOUT);
186 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
187 ;;
188 }
189 LED_A_OFF();
190 break;
191 case AC4K:
192 if (bit == 0) {
193 // AC Coding --__
194 HIGH(GPIO_SSC_DOUT);
195 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
196 ;
197 LOW(GPIO_SSC_DOUT);
198 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
199 ;
200 } else {
201 // AC coding -_-_
202 HIGH(GPIO_SSC_DOUT);
203 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
204 ;
205 LOW(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
207 ;
208 HIGH(GPIO_SSC_DOUT);
209 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
210 ;
211 LOW(GPIO_SSC_DOUT);
212 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
213 ;;
214 }
215 LED_A_OFF();
216 break;
217 case MC4K:
218 if (bit == 0) {
219 // Manchester: Unloaded, then loaded |__--|
220 LOW(GPIO_SSC_DOUT);
221 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
222 ;
223 HIGH(GPIO_SSC_DOUT);
224 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
225 ;
226 } else {
227 // Manchester: Loaded, then unloaded |--__|
228 HIGH(GPIO_SSC_DOUT);
229 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
230 ;
231 LOW(GPIO_SSC_DOUT);
232 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
233 ;
234 }
235 LED_A_OFF();
236 break;
237 case MC8K:
238 if (bit == 0) {
239 // Manchester: Unloaded, then loaded |__--|
240 LOW(GPIO_SSC_DOUT);
241 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
242 ;
243 HIGH(GPIO_SSC_DOUT);
244 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
245 ;
246 } else {
247 // Manchester: Loaded, then unloaded |--__|
248 HIGH(GPIO_SSC_DOUT);
249 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
250 ;
251 LOW(GPIO_SSC_DOUT);
252 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
253 ;
254 }
255 LED_A_OFF();
256 break;
257 default:
258 break;
259 }
260 }
261
262 static void hitag_send_frame(const byte_t* frame, size_t frame_len) {
263 // Send start of frame
264
265 for (size_t i = 0; i < sof_bits; i++) {
266 hitag_send_bit(1);
267 }
268
269 // Send the content of the frame
270 for (size_t i = 0; i < frame_len; i++) {
271 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
272 }
273 // Drop the modulation
274 LOW(GPIO_SSC_DOUT);
275 }
276
277 static void hitag_reader_send_bit(int bit) {
278 //Dbprintf("BIT: %d",bit);
279 LED_A_ON();
280 // Reset clock for the next bit
281 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
282
283 // Binary puls length modulation (BPLM) is used to encode the data stream
284 // This means that a transmission of a one takes longer than that of a zero
285
286 // Enable modulation, which means, drop the the field
287 HIGH(GPIO_SSC_DOUT);
288 if (test == 1) {
289 // Wait for 4-10 times the carrier period
290 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
291 ;
292 // SpinDelayUs(8*8);
293
294 // Disable modulation, just activates the field again
295 LOW(GPIO_SSC_DOUT);
296
297 if (bit == 0) {
298 // Zero bit: |_-|
299 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
300 ;
301 // SpinDelayUs(16*8);
302 } else {
303 // One bit: |_--|
304 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
305 ;
306 // SpinDelayUs(22*8);
307 }
308 } else {
309 // Wait for 4-10 times the carrier period
310 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
311 ;
312 // SpinDelayUs(8*8);
313
314 // Disable modulation, just activates the field again
315 LOW(GPIO_SSC_DOUT);
316
317 if (bit == 0) {
318 // Zero bit: |_-|
319 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
320 ;
321 // SpinDelayUs(16*8);
322 } else {
323 // One bit: |_--|
324 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
325 ;
326 // SpinDelayUs(22*8);
327 }
328 }
329
330 LED_A_OFF();
331 }
332
333 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
334 // Send the content of the frame
335 for (size_t i = 0; i < frame_len; i++) {
336 if (frame[0] == 0xf8) {
337 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
338 }
339 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
340 }
341 // Send EOF
342 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
343 // Enable modulation, which means, drop the the field
344 HIGH(GPIO_SSC_DOUT);
345 // Wait for 4-10 times the carrier period
346 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
347 ;
348 // Disable modulation, just activates the field again
349 LOW(GPIO_SSC_DOUT);
350 }
351
352 /*
353 * to check if the right uid was selected
354 */
355 static int check_select(byte_t* rx, uint32_t uid) {
356 unsigned char resp[48];
357 int i;
358 uint32_t ans = 0x0;
359 for (i = 0; i < 48; i++)
360 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
361 for (i = 0; i < 32; i++)
362 ans += resp[5 + i] << (31 - i);
363 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
364 && rx[4] == 0x65 && rx[5] == 0x38)
365 Dbprintf("got uid %X", ans);*/
366 temp_uid = ans;
367 if (ans == tag.uid)
368 return 1;
369 return 0;
370 }
371
372 /*
373 * handles all commands from a reader
374 */
375 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
376 byte_t* tx, size_t* txlen) {
377 byte_t rx_air[HITAG_FRAME_LEN];
378 byte_t page;
379 int i;
380 u64 state;
381 unsigned char crc;
382
383 // Copy the (original) received frame how it is send over the air
384 memcpy(rx_air, rx, nbytes(rxlen));
385 // Reset the transmission frame length
386 *txlen = 0;
387 // Try to find out which command was send by selecting on length (in bits)
388 switch (rxlen) {
389 case 5: {
390 //UID request with a selected response protocol mode
391 tag.pstate = READY;
392 tag.tstate = NO_OP;
393 if ((rx[0] & 0xf0) == 0x30) {
394 tag.mode = STANDARD;
395 sof_bits = 1;
396 m = AC2K;
397 }
398 if ((rx[0] & 0xf0) == 0xc0) {
399 tag.mode = ADVANCED;
400 sof_bits = 3;
401 m = AC2K;
402 }
403
404 if ((rx[0] & 0xf0) == 0xd0) {
405 tag.mode = FAST_ADVANCED;
406 sof_bits = 3;
407 m = AC4K;
408 }
409 //send uid as a response
410 *txlen = 32;
411 for (i = 0; i < 4; i++)
412 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
413 }
414 break;
415 case 45: {
416 //select command from reader received
417 if (check_select(rx, tag.uid) == 1) {
418 //if the right tag was selected
419 *txlen = 32;
420 switch (tag.mode) {
421 case STANDARD:
422 sof_bits = 1;
423 m = MC4K;
424 break;
425 case ADVANCED:
426 sof_bits = 6;
427 m = MC4K;
428 break;
429 case FAST_ADVANCED:
430 sof_bits = 6;
431 m = MC8K;
432 break;
433 default:
434 break;
435 }
436
437 //send configuration
438 for (i = 0; i < 4; i++)
439 tx[i] = (tag.pages[0][1] >> (i * 8)) & 0xff;
440 tx[3] = 0xff;
441 if (tag.mode != STANDARD) {
442 *txlen = 40;
443 crc = CRC_PRESET;
444 for (i = 0; i < 4; i++)
445 calc_crc(&crc, tx[i], 8);
446 tx[4] = crc;
447 }
448 }
449 }
450 break;
451 case 64: {
452 //challenge message received
453 Dbprintf("Challenge for UID: %X", temp_uid);
454 temp2++;
455 *txlen = 32;
456 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
457 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
458 Dbprintf(
459 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
460 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
461 switch (tag.mode) {
462 case STANDARD:
463 sof_bits = 1;
464 m = MC4K;
465 break;
466 case ADVANCED:
467 sof_bits = 6;
468 m = MC4K;
469 break;
470 case FAST_ADVANCED:
471 sof_bits = 6;
472 m = MC8K;
473 break;
474 default:
475 break;
476 }
477
478 for (i = 0; i < 4; i++)
479 hitag2_byte(&state);
480 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
481 tx[0] = hitag2_byte(&state) ^ ((tag.pages[0][1] >> 16) & 0xff);
482 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
483 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
484 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
485 if (tag.mode != STANDARD) {
486 //add crc8
487 *txlen = 40;
488 crc = CRC_PRESET;
489 calc_crc(&crc, ((tag.pages[0][1] >> 16) & 0xff), 8);
490 calc_crc(&crc, tag.pwdh0, 8);
491 calc_crc(&crc, tag.pwdl0, 8);
492 calc_crc(&crc, tag.pwdl1, 8);
493 tx[4] = (crc ^ hitag2_byte(&state));
494 }
495 /*
496 * some readers do not allow to authenticate multiple times in a row with the same tag.
497 * use this to change the uid between authentications.
498 */
499
500 /*
501 if (temp2 % 2 == 0) {
502 tag.uid = 0x11223344;
503 tag.pages[0][0] = 0x44332211;
504 } else {
505 tag.uid = 0x55667788;
506 tag.pages[0][0] = 0x88776655;
507 }
508 */
509 }
510 case 40:
511 //data received to be written
512 if (tag.tstate == WRITING_PAGE_DATA) {
513 tag.tstate = NO_OP;
514 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
515 << 0) + (rx[1] << 8) + (rx[2] << 16) + (rx[3] << 24);
516 //send ack
517 *txlen = 2;
518 tx[0] = 0x40;
519 page_to_be_written = 0;
520 switch (tag.mode) {
521 case STANDARD:
522 sof_bits = 1;
523 m = MC4K;
524 break;
525 case ADVANCED:
526 sof_bits = 6;
527 m = MC4K;
528 break;
529 case FAST_ADVANCED:
530 sof_bits = 6;
531 m = MC8K;
532 break;
533 default:
534 break;
535 }
536 } else if (tag.tstate == WRITING_BLOCK_DATA) {
537 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
538 << 24) + (rx[1] << 16) + (rx[2] << 8) + rx[3];
539 //send ack
540 *txlen = 2;
541 tx[0] = 0x40;
542 switch (tag.mode) {
543 case STANDARD:
544 sof_bits = 1;
545 m = MC4K;
546 break;
547 case ADVANCED:
548 sof_bits = 6;
549 m = MC4K;
550 break;
551 case FAST_ADVANCED:
552 sof_bits = 6;
553 m = MC8K;
554 break;
555 default:
556 break;
557 }
558 page_to_be_written++;
559 block_data_left--;
560 if (block_data_left == 0) {
561 tag.tstate = NO_OP;
562 page_to_be_written = 0;
563 }
564 }
565 break;
566 case 20: {
567 //write page, write block, read page or read block command received
568 if ((rx[0] & 0xf0) == 0xc0) //read page
569 {
570 //send page data
571 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
572 *txlen = 32;
573 tx[0] = (tag.pages[page / 4][page % 4]) & 0xff;
574 tx[1] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
575 tx[2] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
576 tx[3] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
577 if (tag.LKP && page == 1)
578 tx[3] = 0xff;
579
580 switch (tag.mode) {
581 case STANDARD:
582 sof_bits = 1;
583 m = MC4K;
584 break;
585 case ADVANCED:
586 sof_bits = 6;
587 m = MC4K;
588 break;
589 case FAST_ADVANCED:
590 sof_bits = 6;
591 m = MC8K;
592 break;
593 default:
594 break;
595 }
596
597 if (tag.mode != STANDARD) {
598 //add crc8
599 *txlen = 40;
600 crc = CRC_PRESET;
601 for (i = 0; i < 4; i++)
602 calc_crc(&crc, tx[i], 8);
603 tx[4] = crc;
604 }
605
606 if (tag.LKP && (page == 2 || page == 3)) {
607 //if reader asks for key or password and the LKP-mark is set do not respond
608 sof_bits = 0;
609 *txlen = 0;
610 }
611 } else if ((rx[0] & 0xf0) == 0xd0) //read block
612 {
613 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
614 *txlen = 32 * 4;
615 //send page,...,page+3 data
616 for (i = 0; i < 4; i++) {
617 tx[0 + i * 4] = (tag.pages[page / 4][page % 4]) & 0xff;
618 tx[1 + i * 4] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
619 tx[2 + i * 4] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
620 tx[3 + i * 4] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
621 page++;
622 }
623
624 switch (tag.mode) {
625 case STANDARD:
626 sof_bits = 1;
627 m = MC4K;
628 break;
629 case ADVANCED:
630 sof_bits = 6;
631 m = MC4K;
632 break;
633 case FAST_ADVANCED:
634 sof_bits = 6;
635 m = MC8K;
636 break;
637 default:
638 break;
639 }
640
641 if (tag.mode != STANDARD) {
642 //add crc8
643 *txlen = 32 * 4 + 8;
644 crc = CRC_PRESET;
645 for (i = 0; i < 16; i++)
646 calc_crc(&crc, tx[i], 8);
647 tx[16] = crc;
648 }
649
650 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
651 sof_bits = 0;
652 *txlen = 0;
653 }
654 } else if ((rx[0] & 0xf0) == 0x80) //write page
655 {
656 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
657
658 switch (tag.mode) {
659 case STANDARD:
660 sof_bits = 1;
661 m = MC4K;
662 break;
663 case ADVANCED:
664 sof_bits = 6;
665 m = MC4K;
666 break;
667 case FAST_ADVANCED:
668 sof_bits = 6;
669 m = MC8K;
670 break;
671 default:
672 break;
673 }
674 if ((tag.LCON && page == 1)
675 || (tag.LKP && (page == 2 || page == 3))) {
676 //deny
677 *txlen = 0;
678 } else {
679 //allow
680 *txlen = 2;
681 tx[0] = 0x40;
682 page_to_be_written = page;
683 tag.tstate = WRITING_PAGE_DATA;
684 }
685
686 } else if ((rx[0] & 0xf0) == 0x90) //write block
687 {
688 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
689 switch (tag.mode) {
690 case STANDARD:
691 sof_bits = 1;
692 m = MC4K;
693 break;
694 case ADVANCED:
695 sof_bits = 6;
696 m = MC4K;
697 break;
698 case FAST_ADVANCED:
699 sof_bits = 6;
700 m = MC8K;
701 break;
702 default:
703 break;
704 }
705 if (page % 4 != 0 || page == 0) {
706 //deny
707 *txlen = 0;
708 } else {
709 //allow
710 *txlen = 2;
711 tx[0] = 0x40;
712 page_to_be_written = page;
713 block_data_left = 4;
714 tag.tstate = WRITING_BLOCK_DATA;
715 }
716 }
717 }
718 break;
719 default:
720
721 break;
722 }
723 }
724
725 /*
726 * to autenticate to a tag with the given key or challenge
727 */
728 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx, const size_t rxlen, byte_t* tx,
729 size_t* txlen) {
730 byte_t rx_air[HITAG_FRAME_LEN];
731 int response_bit[200];
732 int i, j, z, k;
733 unsigned char mask = 1;
734 unsigned char uid[32];
735 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
736 unsigned char crc;
737 u64 state;
738 byte_t auth_ks[4];
739 byte_t conf_pages[3];
740 memcpy(rx_air, rx, nbytes(rxlen));
741 *txlen = 0;
742
743 if (tag.pstate == READY && rxlen >= 67) {
744 //received uid
745 if(end==true) {
746 Dbprintf("authentication failed!");
747 return -1;
748 }
749 z = 0;
750 for (i = 0; i < 10; i++) {
751 for (j = 0; j < 8; j++) {
752 response_bit[z] = 0;
753 if ((rx[i] & ((mask << 7) >> j)) != 0)
754 response_bit[z] = 1;
755 z++;
756 }
757 }
758 k = 0;
759 for (i = 5; i < z; i += 2) {
760 uid[k] = response_bit[i];
761 k++;
762 if (k > 31)
763 break;
764 }
765 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
766 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
767 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
768 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
769 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
770 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
771 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
772 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
773 if (DEBUG)
774 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
775 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
776
777 //select uid
778 *txlen = 45;
779 crc = CRC_PRESET;
780 calc_crc(&crc, 0x00, 5);
781 calc_crc(&crc, uid1, 8);
782 calc_crc(&crc, uid2, 8);
783 calc_crc(&crc, uid3, 8);
784 calc_crc(&crc, uid4, 8);
785 for (i = 0; i < 100; i++) {
786 response_bit[i] = 0;
787 }
788 for (i = 0; i < 5; i++) {
789 response_bit[i] = 0;
790 }
791 for (i = 5; i < 37; i++) {
792 response_bit[i] = uid[i - 5];
793 }
794 for (j = 0; j < 8; j++) {
795 response_bit[i] = 0;
796 if ((crc & ((mask << 7) >> j)) != 0)
797 response_bit[i] = 1;
798 i++;
799 }
800 k = 0;
801 for (i = 0; i < 6; i++) {
802 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
803 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
804 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
805 | (response_bit[k + 6] << 1) | response_bit[k + 7];
806 k += 8;
807 }
808 tag.pstate = INIT;
809 } else if (tag.pstate == INIT && rxlen == 44) {
810 // received configuration after select command
811 z = 0;
812 for (i = 0; i < 6; i++) {
813 for (j = 0; j < 8; j++) {
814 response_bit[z] = 0;
815 if ((rx[i] & ((mask << 7) >> j)) != 0)
816 response_bit[z] = 1;
817 z++;
818 }
819 }
820 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
821 | (response_bit[6] << 5) | (response_bit[7] << 4)
822 | (response_bit[8] << 3) | (response_bit[9] << 2)
823 | (response_bit[10] << 1) | response_bit[11]);
824 //check wich memorysize this tag has
825 if (response_bit[10] == 0 && response_bit[11] == 0)
826 tag.max_page = 32 / 32;
827 if (response_bit[10] == 0 && response_bit[11] == 1)
828 tag.max_page = 256 / 32;
829 if (response_bit[10] == 1 && response_bit[11] == 0)
830 tag.max_page = 2048 / 32;
831 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
832 | (response_bit[14] << 5) | (response_bit[15] << 4)
833 | (response_bit[16] << 3) | (response_bit[17] << 2)
834 | (response_bit[18] << 1) | response_bit[19]);
835 tag.auth = response_bit[12];
836 tag.TTFC = response_bit[13];
837 //tag.TTFDR in response_bit[14] and response_bit[15]
838 //tag.TTFM in response_bit[16] and response_bit[17]
839 tag.LCON = response_bit[18];
840 tag.LKP = response_bit[19];
841 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
842 | (response_bit[22] << 5) | (response_bit[23] << 4)
843 | (response_bit[24] << 3) | (response_bit[25] << 2)
844 | (response_bit[26] << 1) | response_bit[27]);
845 tag.LCK7 = response_bit[20];
846 tag.LCK6 = response_bit[21];
847 tag.LCK5 = response_bit[22];
848 tag.LCK4 = response_bit[23];
849 tag.LCK3 = response_bit[24];
850 tag.LCK2 = response_bit[25];
851 tag.LCK1 = response_bit[26];
852 tag.LCK0 = response_bit[27];
853
854 if (DEBUG)
855 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0],
856 conf_pages[1], conf_pages[2]);
857 if (tag.auth == 1) {
858 //if the tag is in authentication mode try the key or challenge
859 *txlen = 64;
860 if(end!=true){
861 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
862 state = hitag2_init(rev64(key), rev32(tag.uid),
863 rev32(rnd));
864
865 for (i = 0; i < 4; i++) {
866 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
867 }
868 *txlen = 64;
869 tx[0] = rnd & 0xff;
870 tx[1] = (rnd >> 8) & 0xff;
871 tx[2] = (rnd >> 16) & 0xff;
872 tx[3] = (rnd >> 24) & 0xff;
873
874 tx[4] = auth_ks[0];
875 tx[5] = auth_ks[1];
876 tx[6] = auth_ks[2];
877 tx[7] = auth_ks[3];
878 if (DEBUG)
879 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
880 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
881 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
882 for (i = 0; i < 8; i++)
883 tx[i]=((NrAr>>(56-(i*8)))&0xff);
884 }
885 end=true;
886 tag.pstate = AUTHENTICATE;
887 } else {
888 Dbprintf("authentication failed!");
889 return -1;
890 }
891 } else if (tag.auth == 0) {
892 tag.pstate = SELECTED;
893 }
894
895 } else if (tag.pstate == AUTHENTICATE && rxlen == 44) {
896 //encrypted con2,password received.
897 crc = CRC_PRESET;
898 calc_crc(&crc, 0x80, 1);
899 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
900 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
901 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
902 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
903 if (DEBUG) {
904 Dbprintf("UID:::%X", tag.uid);
905 Dbprintf("RND:::%X", rnd);
906 }
907
908 //decrypt password
909 pwdh0=0;
910 pwdl0=0;
911 pwdl1=0;
912 if(htf==02 || htf==04){ //RHTS_KEY //WHTS_KEY
913 {
914 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
915 for (i = 0; i < 5; i++)
916 hitag2_byte(&state);
917 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16))
918 ^ hitag2_byte(&state);
919 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16))
920 ^ hitag2_byte(&state);
921 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16))
922 ^ hitag2_byte(&state);
923 }
924
925 if (DEBUG)
926 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
927
928
929 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
930 //rnd += 1;
931 }
932 tag.pstate = SELECTED; //tag is now ready for read/write commands
933 }
934 return 0;
935
936 }
937
938 /*
939 * Emulates a Hitag S Tag with the given data from the .hts file
940 */
941 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
942 int frame_count;
943 int response;
944 int overflow;
945 int i, j;
946 byte_t rx[HITAG_FRAME_LEN];
947 size_t rxlen = 0;
948 //bool bQuitTraceFull = false;
949 bQuiet = false;
950 byte_t txbuf[HITAG_FRAME_LEN];
951 byte_t* tx = txbuf;
952 size_t txlen = 0;
953 BigBuf_free();
954
955 // Clean up trace and prepare it for storing frames
956 set_tracing(TRUE);
957 clear_trace();
958
959 DbpString("Starting HitagS simulation");
960 LED_D_ON();
961
962 tag.pstate = READY;
963 tag.tstate = NO_OP;
964 for (i = 0; i < 16; i++)
965 for (j = 0; j < 4; j++)
966 tag.pages[i][j] = 0x0;
967 //read tag data into memory
968 if (tag_mem_supplied) {
969 DbpString("Loading hitagS memory...");
970 memcpy((byte_t*)tag.pages,data,4*64);
971 }
972 tag.uid=(uint32_t)tag.pages[0];
973 Dbprintf("Hitag S simulation started");
974 tag.key=(intptr_t)tag.pages[3];
975 tag.key<<=16;
976 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
977 tag.pwdl0=tag.pages[2][3];
978 tag.pwdl1=tag.pages[2][2];
979 tag.pwdh0=tag.pages[1][0];
980 //con0
981 tag.max_page=64;
982 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==1)
983 tag.max_page=8;
984 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==0)
985 tag.max_page=0;
986 //con1
987 tag.auth=0;
988 if((tag.pages[1][2]&0x80)==1)
989 tag.auth=1;
990 tag.LCON=0;
991 if((tag.pages[1][2]&0x2)==1)
992 tag.LCON=1;
993 tag.LKP=0;
994 if((tag.pages[1][2]&0x1)==1)
995 tag.LKP=1;
996 //con2
997 //0=read write 1=read only
998 tag.LCK7=0;
999 if((tag.pages[1][1]&0x80)==1)
1000 tag.LCK7=1;
1001 tag.LCK6=0;
1002 if((tag.pages[1][1]&0x40)==1)
1003 tag.LCK6=1;
1004 tag.LCK5=0;
1005 if((tag.pages[1][1]&0x20)==1)
1006 tag.LCK5=1;
1007 tag.LCK4=0;
1008 if((tag.pages[1][1]&0x10)==1)
1009 tag.LCK4=1;
1010 tag.LCK3=0;
1011 if((tag.pages[1][1]&0x8)==1)
1012 tag.LCK3=1;
1013 tag.LCK2=0;
1014 if((tag.pages[1][1]&0x4)==1)
1015 tag.LCK2=1;
1016 tag.LCK1=0;
1017 if((tag.pages[1][1]&0x2)==1)
1018 tag.LCK1=1;
1019 tag.LCK0=0;
1020 if((tag.pages[1][1]&0x1)==1)
1021 tag.LCK0=1;
1022
1023 // Set up simulator mode, frequency divisor which will drive the FPGA
1024 // and analog mux selection.
1025 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1026 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
1027 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1028 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1029 RELAY_OFF();
1030
1031 // Configure output pin that is connected to the FPGA (for modulating)
1032 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1033 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1034
1035 // Disable modulation at default, which means release resistance
1036 LOW(GPIO_SSC_DOUT);
1037
1038 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1039 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1040
1041 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1042 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1043 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1044
1045 // Disable timer during configuration
1046 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1047
1048 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1049 // external trigger rising edge, load RA on rising edge of TIOA.
1050 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1051 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1052
1053 // Reset the received frame, frame count and timing info
1054 memset(rx, 0x00, sizeof(rx));
1055 frame_count = 0;
1056 response = 0;
1057 overflow = 0;
1058
1059 // Enable and reset counter
1060 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1061
1062 while (!BUTTON_PRESS()) {
1063 // Watchdog hit
1064 WDT_HIT();
1065
1066 // Receive frame, watch for at most T0*EOF periods
1067 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1068 // Check if rising edge in modulation is detected
1069 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1070 // Retrieve the new timing values
1071 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1072 overflow = 0;
1073
1074 // Reset timer every frame, we have to capture the last edge for timing
1075 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1076
1077 LED_B_ON();
1078
1079 // Capture reader frame
1080 if (ra >= HITAG_T_STOP) {
1081 if (rxlen != 0) {
1082 //DbpString("wierd0?");
1083 }
1084 // Capture the T0 periods that have passed since last communication or field drop (reset)
1085 response = (ra - HITAG_T_LOW);
1086 } else if (ra >= HITAG_T_1_MIN) {
1087 // '1' bit
1088 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1089 rxlen++;
1090 } else if (ra >= HITAG_T_0_MIN) {
1091 // '0' bit
1092 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1093 rxlen++;
1094 } else {
1095 // Ignore wierd value, is to small to mean anything
1096 }
1097 }
1098 }
1099
1100 // Check if frame was captured
1101 if (rxlen > 0) {
1102 frame_count++;
1103 if (!bQuiet) {
1104 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1105 DbpString("Trace full");
1106 clear_trace();
1107 }
1108 }
1109
1110 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1111 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1112
1113 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1114 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1115
1116 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1117 // not that since the clock counts since the rising edge, but T_Wait1 is
1118 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1119 // periods. The gap time T_Low varies (4..10). All timer values are in
1120 // terms of T0 units
1121 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW))
1122 ;
1123
1124 // Send and store the tag answer (if there is any)
1125 if (txlen > 0) {
1126 // Transmit the tag frame
1127 hitag_send_frame(tx, txlen);
1128 // Store the frame in the trace
1129 if (!bQuiet) {
1130 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1131 DbpString("Trace full");
1132 clear_trace();
1133 }
1134 }
1135 }
1136
1137 // Reset the received frame and response timing info
1138 memset(rx, 0x00, sizeof(rx));
1139 response = 0;
1140
1141 // Enable and reset external trigger in timer for capturing future frames
1142 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1143 LED_B_OFF();
1144 }
1145 // Reset the frame length
1146 rxlen = 0;
1147 // Save the timer overflow, will be 0 when frame was received
1148 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1149 // Reset the timer to restart while-loop that receives frames
1150 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1151 }
1152 LED_B_OFF();
1153 LED_D_OFF();
1154 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1155 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1156 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1157 }
1158
1159 /*
1160 * Authenticates to the Tag with the given key or challenge.
1161 * If the key was given the password will be decrypted.
1162 * Reads every page of a hitag S transpoder.
1163 */
1164 void ReadHitagS(hitag_function htf, hitag_data* htd) {
1165 int i, j, z, k;
1166 int frame_count;
1167 int response_bit[200];
1168 int response;
1169 byte_t rx[HITAG_FRAME_LEN];
1170 size_t rxlen = 0;
1171 byte_t txbuf[HITAG_FRAME_LEN];
1172 byte_t* tx = txbuf;
1173 size_t txlen = 0;
1174 int lastbit;
1175 bool bSkip;
1176 int reset_sof;
1177 int tag_sof;
1178 int t_wait = HITAG_T_WAIT_MAX;
1179 bool bStop;
1180 bool bQuitTraceFull = false;
1181 int sendNum = 0;
1182 unsigned char mask = 1;
1183 unsigned char crc;
1184 unsigned char pageData[32];
1185 page_to_be_written = 0;
1186
1187 //read given key/challenge
1188 byte_t NrAr_[8];
1189 uint64_t key=0;
1190 uint64_t NrAr=0;
1191 byte_t key_[6];
1192 switch(htf) {
1193 case 01: { //RHTS_CHALLENGE
1194 DbpString("Authenticating using nr,ar pair:");
1195 memcpy(NrAr_,htd->auth.NrAr,8);
1196 Dbhexdump(8,NrAr_,false);
1197 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1198 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1199 } break;
1200 case 02: { //RHTS_KEY
1201 DbpString("Authenticating using key:");
1202 memcpy(key_,htd->crypto.key,6);
1203 Dbhexdump(6,key_,false);
1204 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1205 } break;
1206 default: {
1207 Dbprintf("Error , unknown function: %d",htf);
1208 return;
1209 } break;
1210 }
1211
1212
1213
1214 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1215 // Reset the return status
1216 bSuccessful = false;
1217
1218 // Clean up trace and prepare it for storing frames
1219 set_tracing(TRUE);
1220 clear_trace();
1221
1222 bQuiet = false;
1223 bQuitTraceFull = true;
1224
1225 LED_D_ON();
1226
1227 // Configure output and enable pin that is connected to the FPGA (for modulating)
1228 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1229 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1230
1231 // Set fpga in edge detect with reader field, we can modulate as reader now
1232 FpgaWriteConfWord(
1233 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1234
1235 // Set Frequency divisor which will drive the FPGA and analog mux selection
1236 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1237 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1238 RELAY_OFF();
1239
1240 // Disable modulation at default, which means enable the field
1241 LOW(GPIO_SSC_DOUT);
1242
1243 // Give it a bit of time for the resonant antenna to settle.
1244 SpinDelay(30);
1245
1246 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1247 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1248
1249 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1250 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1251 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1252
1253 // Disable timer during configuration
1254 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1255
1256 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1257 // external trigger rising edge, load RA on falling edge of TIOA.
1258 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1259
1260 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1261
1262 // Enable and reset counters
1263 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1264 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1265
1266 // Reset the received frame, frame count and timing info
1267 frame_count = 0;
1268 response = 0;
1269 lastbit = 1;
1270 bStop = false;
1271
1272 reset_sof = 1;
1273 t_wait = 200;
1274
1275 while (!bStop && !BUTTON_PRESS()) {
1276 // Watchdog hit
1277 WDT_HIT();
1278
1279 // Check if frame was captured and store it
1280 if (rxlen > 0) {
1281 frame_count++;
1282 if (!bQuiet) {
1283 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1284 DbpString("Trace full");
1285 if (bQuitTraceFull) {
1286 break;
1287 } else {
1288 bQuiet = true;
1289 }
1290 }
1291 }
1292 }
1293
1294 // By default reset the transmission buffer
1295 tx = txbuf;
1296 txlen = 0;
1297
1298 if (rxlen == 0) {
1299 //start authentication
1300 txlen = 5;
1301 memcpy(tx, "\xc0", nbytes(txlen));
1302 tag.pstate = READY;
1303 tag.tstate = NO_OP;
1304 } else if (tag.pstate != SELECTED) {
1305 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1)
1306 bStop = !false;
1307 }
1308 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
1309 //send read request
1310 tag.tstate = READING_PAGE;
1311 txlen = 20;
1312 crc = CRC_PRESET;
1313 tx[0] = 0xc0 + (sendNum / 16);
1314 calc_crc(&crc, tx[0], 8);
1315 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1316 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1317 tx[2] = 0x00 + (crc % 16) * 16;
1318 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE
1319 && rxlen > 0) {
1320 //save received data
1321 z = 0;
1322 for (i = 0; i < 5; i++) {
1323 for (j = 0; j < 8; j++) {
1324 response_bit[z] = 0;
1325 if ((rx[i] & ((mask << 7) >> j)) != 0)
1326 response_bit[z] = 1;
1327 z++;
1328 }
1329 }
1330 k = 0;
1331 for (i = 4; i < 36; i++) {
1332 pageData[k] = response_bit[i];
1333 k++;
1334 }
1335 for (i = 0; i < 4; i++)
1336 tag.pages[sendNum / 4][sendNum % 4] = 0x0;
1337 for (i = 0; i < 4; i++) {
1338 tag.pages[sendNum / 4][sendNum % 4] += ((pageData[i * 8] << 7)
1339 | (pageData[1 + (i * 8)] << 6)
1340 | (pageData[2 + (i * 8)] << 5)
1341 | (pageData[3 + (i * 8)] << 4)
1342 | (pageData[4 + (i * 8)] << 3)
1343 | (pageData[5 + (i * 8)] << 2)
1344 | (pageData[6 + (i * 8)] << 1) | pageData[7 + (i * 8)])
1345 << (i * 8);
1346 }
1347 if (tag.auth && tag.LKP && sendNum == 1) {
1348 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum, pwdh0,
1349 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1350 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1351 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1352 } else {
1353 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum,
1354 (tag.pages[sendNum / 4][sendNum % 4] >> 24) & 0xff,
1355 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1356 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1357 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1358 }
1359
1360 sendNum++;
1361 //display key and password if possible
1362 if (sendNum == 2 && tag.auth == 1 && tag.LKP) {
1363 if (htf == 02) { //RHTS_KEY
1364 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1365 (byte_t)(key >> 8) & 0xff,
1366 (byte_t) key & 0xff, pwdl1, pwdl0);
1367 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1368 (byte_t)(key >> 40) & 0xff,
1369 (byte_t)(key >> 32) & 0xff,
1370 (byte_t)(key >> 24) & 0xff,
1371 (byte_t)(key >> 16) & 0xff);
1372 } else {
1373 //if the authentication is done with a challenge the key and password are unknown
1374 Dbprintf("Page[ 2]: __ __ __ __");
1375 Dbprintf("Page[ 3]: __ __ __ __");
1376 }
1377 }
1378
1379 txlen = 20;
1380 crc = CRC_PRESET;
1381 tx[0] = 0xc0 + (sendNum / 16);
1382 calc_crc(&crc, tx[0], 8);
1383 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1384 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1385 tx[2] = 0x00 + (crc % 16) * 16;
1386 if (sendNum >= tag.max_page) {
1387 bStop = !false;
1388 }
1389 }
1390
1391 // Send and store the reader command
1392 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1393 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1394
1395 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1396 // Since the clock counts since the last falling edge, a 'one' means that the
1397 // falling edge occured halfway the period. with respect to this falling edge,
1398 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1399 // All timer values are in terms of T0 units
1400
1401 while (AT91C_BASE_TC0->TC_CV
1402 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1403 ;
1404
1405 // Transmit the reader frame
1406 hitag_reader_send_frame(tx, txlen);
1407
1408 // Enable and reset external trigger in timer for capturing future frames
1409 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1410
1411 // Add transmitted frame to total count
1412 if (txlen > 0) {
1413 frame_count++;
1414 if (!bQuiet) {
1415 // Store the frame in the trace
1416 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1417 if (bQuitTraceFull) {
1418 DbpString("Trace full");
1419 break;
1420 } else {
1421 bQuiet = true;
1422 }
1423 }
1424 }
1425 }
1426
1427 // Reset values for receiving frames
1428 memset(rx, 0x00, sizeof(rx));
1429 rxlen = 0;
1430 lastbit = 1;
1431 bSkip = true;
1432 tag_sof = reset_sof;
1433 response = 0;
1434
1435 // Receive frame, watch for at most T0*EOF periods
1436 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1437 // Check if falling edge in tag modulation is detected
1438 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1439 // Retrieve the new timing values
1440 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1441
1442 // Reset timer every frame, we have to capture the last edge for timing
1443 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1444
1445 LED_B_ON();
1446
1447 // Capture tag frame (manchester decoding using only falling edges)
1448 if (ra >= HITAG_T_EOF) {
1449 if (rxlen != 0) {
1450 //DbpString("wierd1?");
1451 }
1452 // Capture the T0 periods that have passed since last communication or field drop (reset)
1453 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1454 response = ra - HITAG_T_TAG_HALF_PERIOD;
1455 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1456 // Manchester coding example |-_|_-|-_| (101)
1457 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1458 rxlen++;
1459 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1460 rxlen++;
1461 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1462 // Manchester coding example |_-|...|_-|-_| (0...01)
1463 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1464 rxlen++;
1465 // We have to skip this half period at start and add the 'one' the second time
1466 if (!bSkip) {
1467 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1468 rxlen++;
1469 }
1470 lastbit = !lastbit;
1471 bSkip = !bSkip;
1472 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1473 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1474 if (tag_sof) {
1475 // Ignore bits that are transmitted during SOF
1476 tag_sof--;
1477 } else {
1478 // bit is same as last bit
1479 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1480 rxlen++;
1481 }
1482 } else {
1483 // Ignore wierd value, is to small to mean anything
1484 }
1485 }
1486
1487 // We can break this loop if we received the last bit from a frame
1488 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1489 if (rxlen > 0)
1490 break;
1491 }
1492 }
1493 }
1494 end=false;
1495 LED_B_OFF();
1496 LED_D_OFF();
1497 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1498 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1499 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1500 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1501 }
1502
1503 /*
1504 * Authenticates to the Tag with the given Key or Challenge.
1505 * Writes the given 32Bit data into page_
1506 */
1507 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1508 int frame_count;
1509 int response;
1510 byte_t rx[HITAG_FRAME_LEN];
1511 size_t rxlen = 0;
1512 byte_t txbuf[HITAG_FRAME_LEN];
1513 byte_t* tx = txbuf;
1514 size_t txlen = 0;
1515 int lastbit;
1516 bool bSkip;
1517 int reset_sof;
1518 int tag_sof;
1519 int t_wait = HITAG_T_WAIT_MAX;
1520 bool bStop;
1521 bool bQuitTraceFull = false;
1522 int page = page_;
1523 unsigned char crc;
1524 byte_t data[4]= {0,0,0,0};
1525
1526 //read given key/challenge, the page and the data
1527 byte_t NrAr_[8];
1528 uint64_t key=0;
1529 uint64_t NrAr=0;
1530 byte_t key_[6];
1531 switch(htf) {
1532 case 03: { //WHTS_CHALLENGE
1533 memcpy(data,htd->auth.data,4);
1534 DbpString("Authenticating using nr,ar pair:");
1535 memcpy(NrAr_,htd->auth.NrAr,8);
1536 Dbhexdump(8,NrAr_,false);
1537 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1538 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1539 } break;
1540 case 04: { //WHTS_KEY
1541 memcpy(data,htd->crypto.data,4);
1542 DbpString("Authenticating using key:");
1543 memcpy(key_,htd->crypto.key,6);
1544 Dbhexdump(6,key_,false);
1545 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1546 } break;
1547 default: {
1548 Dbprintf("Error , unknown function: %d",htf);
1549 return;
1550 } break;
1551 }
1552
1553 Dbprintf("Page: %d",page_);
1554 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1555 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1556 // Reset the return status
1557 bSuccessful = false;
1558
1559 tag.pstate = READY;
1560 tag.tstate = NO_OP;
1561
1562 // Clean up trace and prepare it for storing frames
1563 set_tracing(TRUE);
1564 clear_trace();
1565
1566 bQuiet = false;
1567 bQuitTraceFull = true;
1568
1569 LED_D_ON();
1570
1571 // Configure output and enable pin that is connected to the FPGA (for modulating)
1572 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1573 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1574
1575 // Set fpga in edge detect with reader field, we can modulate as reader now
1576 FpgaWriteConfWord(
1577 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1578
1579 // Set Frequency divisor which will drive the FPGA and analog mux selection
1580 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1581 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1582 RELAY_OFF();
1583
1584 // Disable modulation at default, which means enable the field
1585 LOW(GPIO_SSC_DOUT);
1586
1587 // Give it a bit of time for the resonant antenna to settle.
1588 SpinDelay(30);
1589
1590 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1591 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1592
1593 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1594 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1595 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1596
1597 // Disable timer during configuration
1598 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1599
1600 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1601 // external trigger rising edge, load RA on falling edge of TIOA.
1602 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1603 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1604 | AT91C_TC_LDRA_FALLING;
1605
1606 // Enable and reset counters
1607 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1608 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1609
1610 // Reset the received frame, frame count and timing info
1611 frame_count = 0;
1612 response = 0;
1613 lastbit = 1;
1614 bStop = false;
1615
1616 reset_sof = 1;
1617 t_wait = 200;
1618
1619 while (!bStop && !BUTTON_PRESS()) {
1620 // Watchdog hit
1621 WDT_HIT();
1622
1623 // Check if frame was captured and store it
1624 if (rxlen > 0) {
1625 frame_count++;
1626 if (!bQuiet) {
1627 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1628 DbpString("Trace full");
1629 if (bQuitTraceFull) {
1630 break;
1631 } else {
1632 bQuiet = true;
1633 }
1634 }
1635 }
1636 }
1637
1638 //check for valid input
1639 if (page == 0) {
1640 Dbprintf(
1641 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1642 bStop = !false;
1643 }
1644
1645 // By default reset the transmission buffer
1646 tx = txbuf;
1647 txlen = 0;
1648
1649 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
1650 //no write access on this page
1651 Dbprintf("no write access on page %d", page_);
1652 bStop = !false;
1653 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
1654 //start the authetication
1655 txlen = 5;
1656 memcpy(tx, "\xc0", nbytes(txlen));
1657 tag.pstate = READY;
1658 tag.tstate = NO_OP;
1659 } else if (tag.pstate != SELECTED) {
1660 //try to authenticate with the given key or challenge
1661 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1)
1662 bStop = !false;
1663 }
1664 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
1665 //check if the given page exists
1666 if (page > tag.max_page) {
1667 Dbprintf("page number too big");
1668 bStop = !false;
1669 }
1670 //ask Tag for write permission
1671 tag.tstate = WRITING_PAGE_ACK;
1672 txlen = 20;
1673 crc = CRC_PRESET;
1674 tx[0] = 0x90 + (page / 16);
1675 calc_crc(&crc, tx[0], 8);
1676 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1677 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1678 tx[2] = 0x00 + (crc % 16) * 16;
1679 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
1680 && rxlen == 6 && rx[0] == 0xf4) {
1681 //ACK recieved to write the page. send data
1682 tag.tstate = WRITING_PAGE_DATA;
1683 txlen = 40;
1684 crc = CRC_PRESET;
1685 calc_crc(&crc, data[3], 8);
1686 calc_crc(&crc, data[2], 8);
1687 calc_crc(&crc, data[1], 8);
1688 calc_crc(&crc, data[0], 8);
1689 tx[0] = data[3];
1690 tx[1] = data[2];
1691 tx[2] = data[1];
1692 tx[3] = data[0];
1693 tx[4] = crc;
1694 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
1695 && rxlen == 6 && rx[0] == 0xf4) {
1696 //received ACK
1697 Dbprintf("Successful!");
1698 bStop = !false;
1699 }
1700
1701 // Send and store the reader command
1702 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1703 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1704
1705 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1706 // Since the clock counts since the last falling edge, a 'one' means that the
1707 // falling edge occured halfway the period. with respect to this falling edge,
1708 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1709 // All timer values are in terms of T0 units
1710
1711 while (AT91C_BASE_TC0->TC_CV
1712 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1713 ;
1714
1715 // Transmit the reader frame
1716 hitag_reader_send_frame(tx, txlen);
1717
1718 // Enable and reset external trigger in timer for capturing future frames
1719 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1720
1721 // Add transmitted frame to total count
1722 if (txlen > 0) {
1723 frame_count++;
1724 if (!bQuiet) {
1725 // Store the frame in the trace
1726 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1727 if (bQuitTraceFull) {
1728 DbpString("Trace full");
1729 break;
1730 } else {
1731 bQuiet = true;
1732 }
1733 }
1734 }
1735 }
1736
1737 // Reset values for receiving frames
1738 memset(rx, 0x00, sizeof(rx));
1739 rxlen = 0;
1740 lastbit = 1;
1741 bSkip = true;
1742 tag_sof = reset_sof;
1743 response = 0;
1744
1745 // Receive frame, watch for at most T0*EOF periods
1746 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1747 // Check if falling edge in tag modulation is detected
1748 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1749 // Retrieve the new timing values
1750 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1751
1752 // Reset timer every frame, we have to capture the last edge for timing
1753 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1754
1755 LED_B_ON();
1756
1757 // Capture tag frame (manchester decoding using only falling edges)
1758 if (ra >= HITAG_T_EOF) {
1759 if (rxlen != 0) {
1760 //DbpString("wierd1?");
1761 }
1762 // Capture the T0 periods that have passed since last communication or field drop (reset)
1763 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1764 response = ra - HITAG_T_TAG_HALF_PERIOD;
1765 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1766 // Manchester coding example |-_|_-|-_| (101)
1767 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1768 rxlen++;
1769 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1770 rxlen++;
1771 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1772 // Manchester coding example |_-|...|_-|-_| (0...01)
1773 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1774 rxlen++;
1775 // We have to skip this half period at start and add the 'one' the second time
1776 if (!bSkip) {
1777 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1778 rxlen++;
1779 }
1780 lastbit = !lastbit;
1781 bSkip = !bSkip;
1782 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1783 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1784 if (tag_sof) {
1785 // Ignore bits that are transmitted during SOF
1786 tag_sof--;
1787 } else {
1788 // bit is same as last bit
1789 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1790 rxlen++;
1791 }
1792 } else {
1793 // Ignore wierd value, is to small to mean anything
1794 }
1795 }
1796
1797 // We can break this loop if we received the last bit from a frame
1798 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1799 if (rxlen > 0)
1800 break;
1801 }
1802 }
1803 }
1804 end=false;
1805 LED_B_OFF();
1806 LED_D_OFF();
1807 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1808 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1809 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1810 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1811 }
1812
1813 /*
1814 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1815 * Displays all Challenges that failed.
1816 * When collecting Challenges to break the key it is possible that some data
1817 * is not received correctly due to Antenna problems. This function
1818 * detects these challenges.
1819 */
1820 void check_challenges(bool file_given, byte_t* data) {
1821 int i, j, z, k;
1822 byte_t uid_byte[4];
1823 int frame_count;
1824 int response;
1825 byte_t rx[HITAG_FRAME_LEN];
1826 byte_t unlocker[60][8];
1827 int u1 = 0;
1828 size_t rxlen = 0;
1829 byte_t txbuf[HITAG_FRAME_LEN];
1830 byte_t* tx = txbuf;
1831 size_t txlen = 0;
1832 int lastbit;
1833 bool bSkip;
1834 int reset_sof;
1835 int tag_sof;
1836 int t_wait = HITAG_T_WAIT_MAX;
1837 int STATE = 0;
1838 bool bStop;
1839 bool bQuitTraceFull = false;
1840 int response_bit[200];
1841 unsigned char mask = 1;
1842 unsigned char uid[32];
1843 unsigned char crc;
1844
1845 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1846 // Reset the return status
1847 bSuccessful = false;
1848
1849 // Clean up trace and prepare it for storing frames
1850 set_tracing(TRUE);
1851 clear_trace();
1852
1853 bQuiet = false;
1854 bQuitTraceFull = true;
1855
1856 LED_D_ON();
1857
1858 // Configure output and enable pin that is connected to the FPGA (for modulating)
1859 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1860 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1861
1862 // Set fpga in edge detect with reader field, we can modulate as reader now
1863 FpgaWriteConfWord(
1864 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1865
1866 // Set Frequency divisor which will drive the FPGA and analog mux selection
1867 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1868 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1869 RELAY_OFF();
1870
1871 // Disable modulation at default, which means enable the field
1872 LOW(GPIO_SSC_DOUT);
1873
1874 // Give it a bit of time for the resonant antenna to settle.
1875 SpinDelay(30);
1876
1877 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1878 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1879
1880 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1881 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1882 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1883
1884 // Disable timer during configuration
1885 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1886
1887 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1888 // external trigger rising edge, load RA on falling edge of TIOA.
1889 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1890
1891 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1892
1893 // Enable and reset counters
1894 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1895 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1896
1897 // Reset the received frame, frame count and timing info
1898 frame_count = 0;
1899 response = 0;
1900 lastbit = 1;
1901 bStop = false;
1902
1903 reset_sof = 1;
1904 t_wait = 200;
1905
1906 if (file_given) {
1907 DbpString("Loading challenges...");
1908 memcpy((byte_t*)unlocker,data,60*8);
1909 }
1910
1911 while (file_given && !bStop && !BUTTON_PRESS()) {
1912 // Watchdog hit
1913 WDT_HIT();
1914
1915 // Check if frame was captured and store it
1916 if (rxlen > 0) {
1917 frame_count++;
1918 if (!bQuiet) {
1919 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1920 DbpString("Trace full");
1921 if (bQuitTraceFull) {
1922 break;
1923 } else {
1924 bQuiet = true;
1925 }
1926 }
1927 }
1928 }
1929
1930 tx = txbuf;
1931 txlen = 0;
1932 if (rxlen == 0) {
1933 if (STATE == 2)
1934 // challenge failed
1935 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1936 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1937 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1938 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1939 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1940 STATE = 0;
1941 txlen = 5;
1942 //start new authentication
1943 memcpy(tx, "\xc0", nbytes(txlen));
1944 } else if (rxlen >= 67 && STATE == 0) {
1945 //received uid
1946 z = 0;
1947 for (i = 0; i < 10; i++) {
1948 for (j = 0; j < 8; j++) {
1949 response_bit[z] = 0;
1950 if ((rx[i] & ((mask << 7) >> j)) != 0)
1951 response_bit[z] = 1;
1952 z++;
1953 }
1954 }
1955 k = 0;
1956 for (i = 5; i < z; i += 2) {
1957 uid[k] = response_bit[i];
1958 k++;
1959 if (k > 31)
1960 break;
1961 }
1962 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1963 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1964 | (uid[6] << 1) | uid[7];
1965 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1966 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1967 | (uid[14] << 1) | uid[15];
1968 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1969 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1970 | (uid[22] << 1) | uid[23];
1971 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1972 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1973 | (uid[30] << 1) | uid[31];
1974 //Dbhexdump(10, rx, rxlen);
1975 STATE = 1;
1976 txlen = 45;
1977 crc = CRC_PRESET;
1978 calc_crc(&crc, 0x00, 5);
1979 calc_crc(&crc, uid_byte[0], 8);
1980 calc_crc(&crc, uid_byte[1], 8);
1981 calc_crc(&crc, uid_byte[2], 8);
1982 calc_crc(&crc, uid_byte[3], 8);
1983 for (i = 0; i < 100; i++) {
1984 response_bit[i] = 0;
1985 }
1986 for (i = 0; i < 5; i++) {
1987 response_bit[i] = 0;
1988 }
1989 for (i = 5; i < 37; i++) {
1990 response_bit[i] = uid[i - 5];
1991 }
1992 for (j = 0; j < 8; j++) {
1993 response_bit[i] = 0;
1994 if ((crc & ((mask << 7) >> j)) != 0)
1995 response_bit[i] = 1;
1996 i++;
1997 }
1998 k = 0;
1999 for (i = 0; i < 6; i++) {
2000 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2001 | (response_bit[k + 2] << 5)
2002 | (response_bit[k + 3] << 4)
2003 | (response_bit[k + 4] << 3)
2004 | (response_bit[k + 5] << 2)
2005 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2006 k += 8;
2007 }
2008
2009 } else if (STATE == 1 && rxlen == 44) {
2010 //received configuration
2011 STATE = 2;
2012 z = 0;
2013 for (i = 0; i < 6; i++) {
2014 for (j = 0; j < 8; j++) {
2015 response_bit[z] = 0;
2016 if ((rx[i] & ((mask << 7) >> j)) != 0)
2017 response_bit[z] = 1;
2018 z++;
2019 }
2020 }
2021 txlen = 64;
2022
2023 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2024 bStop = !false;
2025 for (i = 0; i < 8; i++)
2026 tx[i] = unlocker[u1][i];
2027 u1++;
2028
2029 } else if (STATE == 2 && rxlen >= 44) {
2030 STATE = 0;
2031 }
2032
2033 // Send and store the reader command
2034 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2035 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2036
2037 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2038 // Since the clock counts since the last falling edge, a 'one' means that the
2039 // falling edge occured halfway the period. with respect to this falling edge,
2040 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2041 // All timer values are in terms of T0 units
2042
2043 while (AT91C_BASE_TC0->TC_CV
2044 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2045 ;
2046
2047 // Transmit the reader frame
2048 hitag_reader_send_frame(tx, txlen);
2049
2050 // Enable and reset external trigger in timer for capturing future frames
2051 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2052
2053 // Add transmitted frame to total count
2054 if (txlen > 0) {
2055 frame_count++;
2056 if (!bQuiet) {
2057 // Store the frame in the trace
2058 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2059 if (bQuitTraceFull) {
2060 DbpString("Trace full");
2061 break;
2062 } else {
2063 bQuiet = true;
2064 }
2065 }
2066 }
2067 }
2068
2069 // Reset values for receiving frames
2070 memset(rx, 0x00, sizeof(rx));
2071 rxlen = 0;
2072 lastbit = 1;
2073 bSkip = true;
2074 tag_sof = reset_sof;
2075 response = 0;
2076
2077 // Receive frame, watch for at most T0*EOF periods
2078 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
2079 // Check if falling edge in tag modulation is detected
2080 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
2081 // Retrieve the new timing values
2082 int ra = (AT91C_BASE_TC1->TC_RA / T0);
2083
2084 // Reset timer every frame, we have to capture the last edge for timing
2085 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
2086
2087 LED_B_ON();
2088
2089 // Capture tag frame (manchester decoding using only falling edges)
2090 if (ra >= HITAG_T_EOF) {
2091 if (rxlen != 0) {
2092 //DbpString("wierd1?");
2093 }
2094 // Capture the T0 periods that have passed since last communication or field drop (reset)
2095 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2096 response = ra - HITAG_T_TAG_HALF_PERIOD;
2097 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
2098 // Manchester coding example |-_|_-|-_| (101)
2099 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2100 rxlen++;
2101 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2102 rxlen++;
2103 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
2104 // Manchester coding example |_-|...|_-|-_| (0...01)
2105 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2106 rxlen++;
2107 // We have to skip this half period at start and add the 'one' the second time
2108 if (!bSkip) {
2109 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2110 rxlen++;
2111 }
2112 lastbit = !lastbit;
2113 bSkip = !bSkip;
2114 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
2115 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2116 if (tag_sof) {
2117 // Ignore bits that are transmitted during SOF
2118 tag_sof--;
2119 } else {
2120 // bit is same as last bit
2121 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
2122 rxlen++;
2123 }
2124 } else {
2125 // Ignore wierd value, is to small to mean anything
2126 }
2127 }
2128
2129 // We can break this loop if we received the last bit from a frame
2130 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
2131 if (rxlen > 0)
2132 break;
2133 }
2134 }
2135 }
2136 LED_B_OFF();
2137 LED_D_OFF();
2138 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2139 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2140 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2141 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2142 }
2143
2144
2145
Impressum, Datenschutz