]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitag2.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Added Hitag2 reading tag memory in password mode
[proxmark3-svn] / armsrc / hitag2.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // Hitag2 emulation (preliminary test version)
7 //
8 // (c) 2009 Henryk Plötz <henryk@ploetzli.ch>
9 //-----------------------------------------------------------------------------
10 // Hitag2 complete rewrite of the code
11 // - Fixed modulation/encoding issues
12 // - Rewrote code for transponder emulation
13 // - Added snooping of transponder communication
14 // - Added reader functionality
15 //
16 // (c) 2012 Roel Verdult
17 //-----------------------------------------------------------------------------
18
19 #include "proxmark3.h"
20 #include "apps.h"
21 #include "util.h"
22 #include "hitag2.h"
23 #include "string.h"
24
25 static bool bQuiet;
26
27 bool bCrypto;
28 bool bPwd;
29
30 struct hitag2_tag {
31 uint32_t uid;
32 enum {
33 TAG_STATE_RESET = 0x01, // Just powered up, awaiting GetSnr
34 TAG_STATE_ACTIVATING = 0x02 , // In activation phase (password mode), sent UID, awaiting reader password
35 TAG_STATE_ACTIVATED = 0x03, // Activation complete, awaiting read/write commands
36 TAG_STATE_WRITING = 0x04, // In write command, awaiting sector contents to be written
37 } state;
38 unsigned int active_sector;
39 byte_t crypto_active;
40 uint64_t cs;
41 byte_t sectors[12][4];
42 };
43
44 static struct hitag2_tag tag;
45 static const struct hitag2_tag resetdata = {
46 .state = TAG_STATE_RESET,
47 .sectors = { // Password mode: | Crypto mode:
48 [0] = { 0x02, 0x4e, 0x02, 0x20}, // UID | UID
49 [1] = { 0x4d, 0x49, 0x4b, 0x52}, // Password RWD | 32 bit LSB key
50 [2] = { 0x20, 0xf0, 0x4f, 0x4e}, // Reserved | 16 bit MSB key, 16 bit reserved
51 [3] = { 0x0e, 0xaa, 0x48, 0x54}, // Configuration, password TAG | Configuration, password TAG
52 [4] = { 0x46, 0x5f, 0x4f, 0x4b}, // Data: F_OK
53 [5] = { 0x55, 0x55, 0x55, 0x55}, // Data: UUUU
54 [6] = { 0xaa, 0xaa, 0xaa, 0xaa}, // Data: ....
55 [7] = { 0x55, 0x55, 0x55, 0x55}, // Data: UUUU
56 [8] = { 0x00, 0x00, 0x00, 0x00}, // RSK Low
57 [9] = { 0x00, 0x00, 0x00, 0x00}, // RSK High
58 [10] = { 0x00, 0x00, 0x00, 0x00}, // RCF
59 [11] = { 0x00, 0x00, 0x00, 0x00}, // SYNC
60 },
61 };
62
63 //#define TRACE_LENGTH 3000
64 //uint8_t *trace = (uint8_t *) BigBuf;
65 //int traceLen = 0;
66 //int rsamples = 0;
67
68 #define AUTH_TABLE_OFFSET FREE_BUFFER_OFFSET
69 #define AUTH_TABLE_LENGTH FREE_BUFFER_SIZE
70 byte_t* auth_table = (byte_t *)BigBuf+AUTH_TABLE_OFFSET;
71 size_t auth_table_pos = 0;
72 size_t auth_table_len = AUTH_TABLE_LENGTH;
73
74 byte_t password[4];
75 byte_t NrAr[8];
76
77 /* Following is a modified version of cryptolib.com/ciphers/hitag2/ */
78 // Software optimized 48-bit Philips/NXP Mifare Hitag2 PCF7936/46/47/52 stream cipher algorithm by I.C. Wiener 2006-2007.
79 // For educational purposes only.
80 // No warranties or guarantees of any kind.
81 // This code is released into the public domain by its author.
82
83 // Basic macros:
84
85 #define u8 uint8_t
86 #define u32 uint32_t
87 #define u64 uint64_t
88 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
89 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
90 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
91 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
92 #define bit(x,n) (((x)>>(n))&1)
93 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
94 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
95 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
96
97 // Single bit Hitag2 functions:
98
99 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
100
101 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
102 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
103 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
104
105 static u32 _f20 (const u64 x)
106 {
107 u32 i5;
108
109 i5 = ((ht2_f4a >> i4 (x, 1, 2, 4, 5)) & 1)* 1
110 + ((ht2_f4b >> i4 (x, 7,11,13,14)) & 1)* 2
111 + ((ht2_f4b >> i4 (x,16,20,22,25)) & 1)* 4
112 + ((ht2_f4b >> i4 (x,27,28,30,32)) & 1)* 8
113 + ((ht2_f4a >> i4 (x,33,42,43,45)) & 1)*16;
114
115 return (ht2_f5c >> i5) & 1;
116 }
117
118 static u64 _hitag2_init (const u64 key, const u32 serial, const u32 IV)
119 {
120 u32 i;
121 u64 x = ((key & 0xFFFF) << 32) + serial;
122
123 for (i = 0; i < 32; i++)
124 {
125 x >>= 1;
126 x += (u64) (_f20 (x) ^ (((IV >> i) ^ (key >> (i+16))) & 1)) << 47;
127 }
128 return x;
129 }
130
131 static u64 _hitag2_round (u64 *state)
132 {
133 u64 x = *state;
134
135 x = (x >> 1) +
136 ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6)
137 ^ (x >> 7) ^ (x >> 8) ^ (x >> 16) ^ (x >> 22)
138 ^ (x >> 23) ^ (x >> 26) ^ (x >> 30) ^ (x >> 41)
139 ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47)) & 1) << 47);
140
141 *state = x;
142 return _f20 (x);
143 }
144
145 static u32 _hitag2_byte (u64 * x)
146 {
147 u32 i, c;
148
149 for (i = 0, c = 0; i < 8; i++) c += (u32) _hitag2_round (x) << (i^7);
150 return c;
151 }
152
153 size_t nbytes(size_t nbits) {
154 return (nbits/8)+((nbits%8)>0);
155 }
156
157 int hitag2_reset(void)
158 {
159 tag.state = TAG_STATE_RESET;
160 tag.crypto_active = 0;
161 return 0;
162 }
163
164 int hitag2_init(void)
165 {
166 memcpy(&tag, &resetdata, sizeof(tag));
167 hitag2_reset();
168 return 0;
169 }
170
171 static void hitag2_cipher_reset(struct hitag2_tag *tag, const byte_t *iv)
172 {
173 uint64_t key = ((uint64_t)tag->sectors[2][2]) |
174 ((uint64_t)tag->sectors[2][3] << 8) |
175 ((uint64_t)tag->sectors[1][0] << 16) |
176 ((uint64_t)tag->sectors[1][1] << 24) |
177 ((uint64_t)tag->sectors[1][2] << 32) |
178 ((uint64_t)tag->sectors[1][3] << 40);
179 uint32_t uid = ((uint32_t)tag->sectors[0][0]) |
180 ((uint32_t)tag->sectors[0][1] << 8) |
181 ((uint32_t)tag->sectors[0][2] << 16) |
182 ((uint32_t)tag->sectors[0][3] << 24);
183 uint32_t iv_ = (((uint32_t)(iv[0]))) |
184 (((uint32_t)(iv[1])) << 8) |
185 (((uint32_t)(iv[2])) << 16) |
186 (((uint32_t)(iv[3])) << 24);
187 tag->cs = _hitag2_init(rev64(key), rev32(uid), rev32(iv_));
188 }
189
190 static int hitag2_cipher_authenticate(uint64_t* cs, const byte_t *authenticator_is)
191 {
192 byte_t authenticator_should[4];
193 authenticator_should[0] = ~_hitag2_byte(cs);
194 authenticator_should[1] = ~_hitag2_byte(cs);
195 authenticator_should[2] = ~_hitag2_byte(cs);
196 authenticator_should[3] = ~_hitag2_byte(cs);
197 return (memcmp(authenticator_should, authenticator_is, 4) == 0);
198 }
199
200 static int hitag2_cipher_transcrypt(uint64_t* cs, byte_t *data, unsigned int bytes, unsigned int bits)
201 {
202 int i;
203 for(i=0; i<bytes; i++) data[i] ^= _hitag2_byte(cs);
204 for(i=0; i<bits; i++) data[bytes] ^= _hitag2_round(cs) << (7-i);
205 return 0;
206 }
207
208 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
209 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
210 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
211 // T0 = TIMER_CLOCK1 / 125000 = 192
212 #define T0 192
213
214 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
215 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
216
217 #define HITAG_FRAME_LEN 20
218 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
219 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
220 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
221 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
222 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
223 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
224 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
225 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
226 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
227
228 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
229 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
230 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
231 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
232
233 #define HITAG_T_TAG_HALF_PERIOD 16
234 #define HITAG_T_TAG_FULL_PERIOD 32
235
236 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
237 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
238 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
239 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
240
241
242 static void hitag_send_bit(int bit) {
243 LED_A_ON();
244 // Reset clock for the next bit
245 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
246
247 // Fixed modulation, earlier proxmark version used inverted signal
248 if(bit == 0) {
249 // Manchester: Unloaded, then loaded |__--|
250 LOW(GPIO_SSC_DOUT);
251 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_HALF_PERIOD);
252 HIGH(GPIO_SSC_DOUT);
253 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_FULL_PERIOD);
254 } else {
255 // Manchester: Loaded, then unloaded |--__|
256 HIGH(GPIO_SSC_DOUT);
257 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_HALF_PERIOD);
258 LOW(GPIO_SSC_DOUT);
259 while(AT91C_BASE_TC0->TC_CV < T0*HITAG_T_TAG_FULL_PERIOD);
260 }
261 LED_A_OFF();
262 }
263
264 static void hitag_send_frame(const byte_t* frame, size_t frame_len)
265 {
266 // Send start of frame
267 for(size_t i=0; i<5; i++) {
268 hitag_send_bit(1);
269 }
270
271 // Send the content of the frame
272 for(size_t i=0; i<frame_len; i++) {
273 hitag_send_bit((frame[i/8] >> (7-(i%8)))&1);
274 }
275
276 // Drop the modulation
277 LOW(GPIO_SSC_DOUT);
278 }
279
280 void hitag2_handle_reader_command(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen)
281 {
282 byte_t rx_air[HITAG_FRAME_LEN];
283
284 // Copy the (original) received frame how it is send over the air
285 memcpy(rx_air,rx,nbytes(rxlen));
286
287 if(tag.crypto_active) {
288 hitag2_cipher_transcrypt(&(tag.cs),rx,rxlen/8,rxlen%8);
289 }
290
291 // Reset the transmission frame length
292 *txlen = 0;
293
294 // Try to find out which command was send by selecting on length (in bits)
295 switch (rxlen) {
296 // Received 11000 from the reader, request for UID, send UID
297 case 05: {
298 // Always send over the air in the clear plaintext mode
299 if(rx_air[0] != 0xC0) {
300 // Unknown frame ?
301 return;
302 }
303 *txlen = 32;
304 memcpy(tx,tag.sectors[0],4);
305 tag.crypto_active = 0;
306 }
307 break;
308
309 // Read/Write command: ..xx x..y yy with yyy == ~xxx, xxx is sector number
310 case 10: {
311 unsigned int sector = (~( ((rx[0]<<2)&0x04) | ((rx[1]>>6)&0x03) ) & 0x07);
312 // Verify complement of sector index
313 if(sector != ((rx[0]>>3)&0x07)) {
314 //DbpString("Transmission error (read/write)");
315 return;
316 }
317
318 switch (rx[0] & 0xC6) {
319 // Read command: 11xx x00y
320 case 0xC0:
321 memcpy(tx,tag.sectors[sector],4);
322 *txlen = 32;
323 break;
324
325 // Inverted Read command: 01xx x10y
326 case 0x44:
327 for (size_t i=0; i<4; i++) {
328 tx[i] = tag.sectors[sector][i] ^ 0xff;
329 }
330 *txlen = 32;
331 break;
332
333 // Write command: 10xx x01y
334 case 0x82:
335 // Prepare write, acknowledge by repeating command
336 memcpy(tx,rx,nbytes(rxlen));
337 *txlen = rxlen;
338 tag.active_sector = sector;
339 tag.state=TAG_STATE_WRITING;
340 break;
341
342 // Unknown command
343 default:
344 Dbprintf("Uknown command: %02x %02x",rx[0],rx[1]);
345 return;
346 break;
347 }
348 }
349 break;
350
351 // Writing data or Reader password
352 case 32: {
353 if(tag.state == TAG_STATE_WRITING) {
354 // These are the sector contents to be written. We don't have to do anything else.
355 memcpy(tag.sectors[tag.active_sector],rx,nbytes(rxlen));
356 tag.state=TAG_STATE_RESET;
357 return;
358 } else {
359 // Received RWD password, respond with configuration and our password
360 if(memcmp(rx,tag.sectors[1],4) != 0) {
361 DbpString("Reader password is wrong");
362 return;
363 }
364 *txlen = 32;
365 memcpy(tx,tag.sectors[3],4);
366 }
367 }
368 break;
369
370 // Received RWD authentication challenge and respnse
371 case 64: {
372 // Store the authentication attempt
373 if (auth_table_len < (AUTH_TABLE_LENGTH-8)) {
374 memcpy(auth_table+auth_table_len,rx,8);
375 auth_table_len += 8;
376 }
377
378 // Reset the cipher state
379 hitag2_cipher_reset(&tag,rx);
380 // Check if the authentication was correct
381 if(!hitag2_cipher_authenticate(&(tag.cs),rx+4)) {
382 // The reader failed to authenticate, do nothing
383 Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x Failed!",rx[0],rx[1],rx[2],rx[3],rx[4],rx[5],rx[6],rx[7]);
384 return;
385 }
386 // Succesful, but commented out reporting back to the Host, this may delay to much.
387 // Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x OK!",rx[0],rx[1],rx[2],rx[3],rx[4],rx[5],rx[6],rx[7]);
388
389 // Activate encryption algorithm for all further communication
390 tag.crypto_active = 1;
391
392 // Use the tag password as response
393 memcpy(tx,tag.sectors[3],4);
394 *txlen = 32;
395 }
396 break;
397 }
398
399 // LogTrace(rx,nbytes(rxlen),0,0,false);
400 // LogTrace(tx,nbytes(*txlen),0,0,true);
401
402 if(tag.crypto_active) {
403 hitag2_cipher_transcrypt(&(tag.cs), tx, *txlen/8, *txlen%8);
404 }
405 }
406
407 static void hitag_reader_send_bit(int bit) {
408 LED_A_ON();
409 // Reset clock for the next bit
410 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
411
412 // Binary puls length modulation (BPLM) is used to encode the data stream
413 // This means that a transmission of a one takes longer than that of a zero
414
415 // Enable modulation, which means, drop the the field
416 HIGH(GPIO_SSC_DOUT);
417
418 // Wait for 4-10 times the carrier period
419 while(AT91C_BASE_TC0->TC_CV < T0*6);
420 // SpinDelayUs(8*8);
421
422 // Disable modulation, just activates the field again
423 LOW(GPIO_SSC_DOUT);
424
425 if(bit == 0) {
426 // Zero bit: |_-|
427 while(AT91C_BASE_TC0->TC_CV < T0*22);
428 // SpinDelayUs(16*8);
429 } else {
430 // One bit: |_--|
431 while(AT91C_BASE_TC0->TC_CV < T0*28);
432 // SpinDelayUs(22*8);
433 }
434 LED_A_OFF();
435 }
436
437 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len)
438 {
439 // Send the content of the frame
440 for(size_t i=0; i<frame_len; i++) {
441 hitag_reader_send_bit((frame[i/8] >> (7-(i%8)))&1);
442 }
443 // Send EOF
444 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
445 // Enable modulation, which means, drop the the field
446 HIGH(GPIO_SSC_DOUT);
447 // Wait for 4-10 times the carrier period
448 while(AT91C_BASE_TC0->TC_CV < T0*6);
449 // Disable modulation, just activates the field again
450 LOW(GPIO_SSC_DOUT);
451 }
452
453 size_t blocknr;
454
455 bool hitag2_password(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
456 // Reset the transmission frame length
457 *txlen = 0;
458
459 // Try to find out which command was send by selecting on length (in bits)
460 switch (rxlen) {
461 // No answer, try to resurrect
462 case 0: {
463 // Stop if there is no answer (after sending password)
464 if (bPwd) {
465 DbpString("Password failed!");
466 return false;
467 }
468 *txlen = 5;
469 memcpy(tx,"\xc0",nbytes(*txlen));
470 } break;
471
472 // Received UID, tag password
473 case 32: {
474 if (!bPwd) {
475 *txlen = 32;
476 memcpy(tx,password,4);
477 bPwd = true;
478 } else {
479 if (blocknr > 7) {
480 DbpString("Read succesful!");
481 // We are done... for now
482 return false;
483 }
484 *txlen = 10;
485 tx[0] = 0xc0 | (blocknr << 3) | ((blocknr^7) >> 2);
486 tx[1] = ((blocknr^7) << 6);
487 blocknr++;
488 }
489 } break;
490
491 // Unexpected response
492 default: {
493 Dbprintf("Uknown frame length: %d",rxlen);
494 return false;
495 } break;
496 }
497 return true;
498 }
499
500 bool hitag2_authenticate(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
501 // Reset the transmission frame length
502 *txlen = 0;
503
504 // Try to find out which command was send by selecting on length (in bits)
505 switch (rxlen) {
506 // No answer, try to resurrect
507 case 0: {
508 // Stop if there is no answer while we are in crypto mode (after sending NrAr)
509 if (bCrypto) {
510 DbpString("Authentication failed!");
511 return false;
512 }
513 *txlen = 5;
514 memcpy(tx,"\xc0",nbytes(*txlen));
515 } break;
516
517 // Received UID, crypto tag answer
518 case 32: {
519 if (!bCrypto) {
520 *txlen = 64;
521 memcpy(tx,NrAr,8);
522 bCrypto = true;
523 } else {
524 DbpString("Read succesful!");
525 // We are done... for now
526 return false;
527 }
528 } break;
529
530 // Unexpected response
531 default: {
532 Dbprintf("Uknown frame length: %d",rxlen);
533 return false;
534 } break;
535 }
536
537 return true;
538 }
539
540 bool hitag2_test_auth_attempts(byte_t* rx, const size_t rxlen, byte_t* tx, size_t* txlen) {
541 // Reset the transmission frame length
542 *txlen = 0;
543
544 // Try to find out which command was send by selecting on length (in bits)
545 switch (rxlen) {
546 // No answer, try to resurrect
547 case 0: {
548 // Stop if there is no answer while we are in crypto mode (after sending NrAr)
549 if (bCrypto) {
550 Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x Failed!",NrAr[0],NrAr[1],NrAr[2],NrAr[3],NrAr[4],NrAr[5],NrAr[6],NrAr[7]);
551 bCrypto = false;
552 if ((auth_table_pos+8) == auth_table_len) {
553 return false;
554 }
555 auth_table_pos += 8;
556 memcpy(NrAr,auth_table+auth_table_pos,8);
557 }
558 *txlen = 5;
559 memcpy(tx,"\xc0",nbytes(*txlen));
560 } break;
561
562 // Received UID, crypto tag answer, or read block response
563 case 32: {
564 if (!bCrypto) {
565 *txlen = 64;
566 memcpy(tx,NrAr,8);
567 bCrypto = true;
568 } else {
569 Dbprintf("auth: %02x%02x%02x%02x%02x%02x%02x%02x OK",NrAr[0],NrAr[1],NrAr[2],NrAr[3],NrAr[4],NrAr[5],NrAr[6],NrAr[7]);
570 bCrypto = false;
571 if ((auth_table_pos+8) == auth_table_len) {
572 return false;
573 }
574 auth_table_pos += 8;
575 memcpy(NrAr,auth_table+auth_table_pos,8);
576 }
577 } break;
578
579 default: {
580 Dbprintf("Uknown frame length: %d",rxlen);
581 return false;
582 } break;
583 }
584
585 return true;
586 }
587
588 void SnoopHitag(uint32_t type) {
589 int frame_count;
590 int response;
591 int overflow;
592 bool rising_edge;
593 bool reader_frame;
594 int lastbit;
595 bool bSkip;
596 int tag_sof;
597 byte_t rx[HITAG_FRAME_LEN];
598 size_t rxlen=0;
599
600 // Clean up trace and prepare it for storing frames
601 iso14a_set_tracing(TRUE);
602 iso14a_clear_trace();
603
604 auth_table_len = 0;
605 auth_table_pos = 0;
606 memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
607
608 DbpString("Starting Hitag2 snoop");
609 LED_D_ON();
610
611 // Set up eavesdropping mode, frequency divisor which will drive the FPGA
612 // and analog mux selection.
613 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
614 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
615 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
616 RELAY_OFF();
617
618 // Configure output pin that is connected to the FPGA (for modulating)
619 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
620 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
621
622 // Disable modulation, we are going to eavesdrop, not modulate ;)
623 LOW(GPIO_SSC_DOUT);
624
625 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
626 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
627 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
628
629 // Disable timer during configuration
630 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
631
632 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
633 // external trigger rising edge, load RA on rising edge of TIOA.
634 uint32_t t1_channel_mode = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_BOTH | AT91C_TC_ABETRG | AT91C_TC_LDRA_BOTH;
635 AT91C_BASE_TC1->TC_CMR = t1_channel_mode;
636
637 // Enable and reset counter
638 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
639
640 // Reset the received frame, frame count and timing info
641 memset(rx,0x00,sizeof(rx));
642 frame_count = 0;
643 response = 0;
644 overflow = 0;
645 reader_frame = false;
646 lastbit = 1;
647 bSkip = true;
648 tag_sof = 4;
649
650 while(!BUTTON_PRESS()) {
651 // Watchdog hit
652 WDT_HIT();
653
654 // Receive frame, watch for at most T0*EOF periods
655 while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_EOF) {
656 // Check if rising edge in modulation is detected
657 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
658 // Retrieve the new timing values
659 int ra = (AT91C_BASE_TC1->TC_RA/T0);
660
661 // Find out if we are dealing with a rising or falling edge
662 rising_edge = (AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_FRAME) > 0;
663
664 // Shorter periods will only happen with reader frames
665 if (!reader_frame && rising_edge && ra < HITAG_T_TAG_CAPTURE_ONE_HALF) {
666 // Switch from tag to reader capture
667 LED_C_OFF();
668 reader_frame = true;
669 memset(rx,0x00,sizeof(rx));
670 rxlen = 0;
671 }
672
673 // Only handle if reader frame and rising edge, or tag frame and falling edge
674 if (reader_frame != rising_edge) {
675 overflow += ra;
676 continue;
677 }
678
679 // Add the buffered timing values of earlier captured edges which were skipped
680 ra += overflow;
681 overflow = 0;
682
683 if (reader_frame) {
684 LED_B_ON();
685 // Capture reader frame
686 if(ra >= HITAG_T_STOP) {
687 if (rxlen != 0) {
688 //DbpString("wierd0?");
689 }
690 // Capture the T0 periods that have passed since last communication or field drop (reset)
691 response = (ra - HITAG_T_LOW);
692 } else if(ra >= HITAG_T_1_MIN ) {
693 // '1' bit
694 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
695 rxlen++;
696 } else if(ra >= HITAG_T_0_MIN) {
697 // '0' bit
698 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
699 rxlen++;
700 } else {
701 // Ignore wierd value, is to small to mean anything
702 }
703 } else {
704 LED_C_ON();
705 // Capture tag frame (manchester decoding using only falling edges)
706 if(ra >= HITAG_T_EOF) {
707 if (rxlen != 0) {
708 //DbpString("wierd1?");
709 }
710 // Capture the T0 periods that have passed since last communication or field drop (reset)
711 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
712 response = ra-HITAG_T_TAG_HALF_PERIOD;
713 } else if(ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
714 // Manchester coding example |-_|_-|-_| (101)
715 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
716 rxlen++;
717 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
718 rxlen++;
719 } else if(ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
720 // Manchester coding example |_-|...|_-|-_| (0...01)
721 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
722 rxlen++;
723 // We have to skip this half period at start and add the 'one' the second time
724 if (!bSkip) {
725 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
726 rxlen++;
727 }
728 lastbit = !lastbit;
729 bSkip = !bSkip;
730 } else if(ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
731 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
732 if (tag_sof) {
733 // Ignore bits that are transmitted during SOF
734 tag_sof--;
735 } else {
736 // bit is same as last bit
737 rx[rxlen / 8] |= lastbit << (7-(rxlen%8));
738 rxlen++;
739 }
740 } else {
741 // Ignore wierd value, is to small to mean anything
742 }
743 }
744 }
745 }
746
747 // Check if frame was captured
748 if(rxlen > 0) {
749 frame_count++;
750 if (!LogTrace(rx,nbytes(rxlen),response,0,reader_frame)) {
751 DbpString("Trace full");
752 break;
753 }
754
755 // Check if we recognize a valid authentication attempt
756 if (nbytes(rxlen) == 8) {
757 // Store the authentication attempt
758 if (auth_table_len < (AUTH_TABLE_LENGTH-8)) {
759 memcpy(auth_table+auth_table_len,rx,8);
760 auth_table_len += 8;
761 }
762 }
763
764 // Reset the received frame and response timing info
765 memset(rx,0x00,sizeof(rx));
766 response = 0;
767 reader_frame = false;
768 lastbit = 1;
769 bSkip = true;
770 tag_sof = 4;
771 overflow = 0;
772
773 LED_B_OFF();
774 LED_C_OFF();
775 } else {
776 // Save the timer overflow, will be 0 when frame was received
777 overflow += (AT91C_BASE_TC1->TC_CV/T0);
778 }
779 // Reset the frame length
780 rxlen = 0;
781 // Reset the timer to restart while-loop that receives frames
782 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
783 }
784 LED_A_ON();
785 LED_B_OFF();
786 LED_C_OFF();
787 LED_D_OFF();
788 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
789 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
790 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
791 LED_A_OFF();
792
793 // Dbprintf("frame received: %d",frame_count);
794 // Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
795 // DbpString("All done");
796 }
797
798 void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
799 int frame_count;
800 int response;
801 int overflow;
802 byte_t rx[HITAG_FRAME_LEN];
803 size_t rxlen=0;
804 byte_t tx[HITAG_FRAME_LEN];
805 size_t txlen=0;
806 bool bQuitTraceFull = false;
807 bQuiet = false;
808
809 // Clean up trace and prepare it for storing frames
810 iso14a_set_tracing(TRUE);
811 iso14a_clear_trace();
812 auth_table_len = 0;
813 auth_table_pos = 0;
814 memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
815
816 DbpString("Starting Hitag2 simulation");
817 LED_D_ON();
818 hitag2_init();
819
820 if (tag_mem_supplied) {
821 DbpString("Loading hitag2 memory...");
822 memcpy((byte_t*)tag.sectors,data,48);
823 }
824
825 uint32_t block = 0;
826 for (size_t i=0; i<12; i++) {
827 for (size_t j=0; j<4; j++) {
828 block <<= 8;
829 block |= tag.sectors[i][j];
830 }
831 Dbprintf("| %d | %08x |",i,block);
832 }
833
834 // Set up simulator mode, frequency divisor which will drive the FPGA
835 // and analog mux selection.
836 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
837 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
838 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
839 RELAY_OFF();
840
841 // Configure output pin that is connected to the FPGA (for modulating)
842 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
843 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
844
845 // Disable modulation at default, which means release resistance
846 LOW(GPIO_SSC_DOUT);
847
848 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
849 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
850
851 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
852 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
853 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
854
855 // Disable timer during configuration
856 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
857
858 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
859 // external trigger rising edge, load RA on rising edge of TIOA.
860 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
861
862 // Enable and reset counter
863 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
864
865 // Reset the received frame, frame count and timing info
866 memset(rx,0x00,sizeof(rx));
867 frame_count = 0;
868 response = 0;
869 overflow = 0;
870
871 while(!BUTTON_PRESS()) {
872 // Watchdog hit
873 WDT_HIT();
874
875 // Receive frame, watch for at most T0*EOF periods
876 while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_EOF) {
877 // Check if rising edge in modulation is detected
878 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
879 // Retrieve the new timing values
880 int ra = (AT91C_BASE_TC1->TC_RA/T0) + overflow;
881 overflow = 0;
882
883 // Reset timer every frame, we have to capture the last edge for timing
884 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
885
886 LED_B_ON();
887
888 // Capture reader frame
889 if(ra >= HITAG_T_STOP) {
890 if (rxlen != 0) {
891 //DbpString("wierd0?");
892 }
893 // Capture the T0 periods that have passed since last communication or field drop (reset)
894 response = (ra - HITAG_T_LOW);
895 } else if(ra >= HITAG_T_1_MIN ) {
896 // '1' bit
897 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
898 rxlen++;
899 } else if(ra >= HITAG_T_0_MIN) {
900 // '0' bit
901 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
902 rxlen++;
903 } else {
904 // Ignore wierd value, is to small to mean anything
905 }
906 }
907 }
908
909 // Check if frame was captured
910 if(rxlen > 4) {
911 frame_count++;
912 if (!bQuiet) {
913 if (!LogTrace(rx,nbytes(rxlen),response,0,true)) {
914 DbpString("Trace full");
915 if (bQuitTraceFull) {
916 break;
917 } else {
918 bQuiet = true;
919 }
920 }
921 }
922
923 // Disable timer 1 with external trigger to avoid triggers during our own modulation
924 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
925
926 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
927 hitag2_handle_reader_command(rx,rxlen,tx,&txlen);
928
929 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
930 // not that since the clock counts since the rising edge, but T_Wait1 is
931 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
932 // periods. The gap time T_Low varies (4..10). All timer values are in
933 // terms of T0 units
934 while(AT91C_BASE_TC0->TC_CV < T0*(HITAG_T_WAIT_1-HITAG_T_LOW));
935
936 // Send and store the tag answer (if there is any)
937 if (txlen) {
938 // Transmit the tag frame
939 hitag_send_frame(tx,txlen);
940 // Store the frame in the trace
941 if (!bQuiet) {
942 if (!LogTrace(tx,nbytes(txlen),0,0,false)) {
943 DbpString("Trace full");
944 if (bQuitTraceFull) {
945 break;
946 } else {
947 bQuiet = true;
948 }
949 }
950 }
951 }
952
953 // Reset the received frame and response timing info
954 memset(rx,0x00,sizeof(rx));
955 response = 0;
956
957 // Enable and reset external trigger in timer for capturing future frames
958 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
959 LED_B_OFF();
960 }
961 // Reset the frame length
962 rxlen = 0;
963 // Save the timer overflow, will be 0 when frame was received
964 overflow += (AT91C_BASE_TC1->TC_CV/T0);
965 // Reset the timer to restart while-loop that receives frames
966 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
967 }
968 LED_B_OFF();
969 LED_D_OFF();
970 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
971 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
972 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
973 // Dbprintf("frame received: %d",frame_count);
974 // Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
975 // DbpString("All done");
976 }
977
978 void ReaderHitag(hitag_function htf, hitag_data* htd) {
979 int frame_count;
980 int response;
981 byte_t rx[HITAG_FRAME_LEN];
982 size_t rxlen=0;
983 byte_t txbuf[HITAG_FRAME_LEN];
984 byte_t* tx = txbuf;
985 size_t txlen=0;
986 int lastbit;
987 bool bSkip;
988 int reset_sof;
989 int tag_sof;
990 int t_wait = HITAG_T_WAIT_MAX;
991 bool bStop;
992 bool bQuitTraceFull = false;
993
994 // Clean up trace and prepare it for storing frames
995 iso14a_set_tracing(TRUE);
996 iso14a_clear_trace();
997 DbpString("Starting Hitag reader family");
998
999 // Check configuration
1000 switch(htf) {
1001 case RHT2F_PASSWORD: {
1002 Dbprintf("List identifier in password mode");
1003 memcpy(password,htd->pwd.password,4);
1004 blocknr = 0;
1005 bQuitTraceFull = false;
1006 bQuiet = false;
1007 bPwd = false;
1008 } break;
1009 case RHT2F_AUTHENTICATE: {
1010 DbpString("Authenticating in crypto mode");
1011 memcpy(NrAr,htd->auth.NrAr,8);
1012 Dbprintf("Reader-challenge:");
1013 Dbhexdump(8,NrAr,false);
1014 bQuiet = false;
1015 bCrypto = false;
1016 bQuitTraceFull = true;
1017 } break;
1018
1019 case RHT2F_TEST_AUTH_ATTEMPTS: {
1020 Dbprintf("Testing %d authentication attempts",(auth_table_len/8));
1021 auth_table_pos = 0;
1022 memcpy(NrAr,auth_table,8);
1023 bQuitTraceFull = false;
1024 bQuiet = false;
1025 bCrypto = false;
1026 } break;
1027
1028 default: {
1029 Dbprintf("Error, unknown function: %d",htf);
1030 return;
1031 } break;
1032 }
1033
1034 LED_D_ON();
1035 hitag2_init();
1036
1037 // Configure output and enable pin that is connected to the FPGA (for modulating)
1038 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1039 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1040
1041 // Set fpga in edge detect with reader field, we can modulate as reader now
1042 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1043
1044 // Set Frequency divisor which will drive the FPGA and analog mux selection
1045 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1046 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1047 RELAY_OFF();
1048
1049 // Disable modulation at default, which means enable the field
1050 LOW(GPIO_SSC_DOUT);
1051
1052 // Give it a bit of time for the resonant antenna to settle.
1053 SpinDelay(30);
1054
1055 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1056 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1057
1058 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1059 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1060 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1061
1062 // Disable timer during configuration
1063 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1064
1065 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1066 // external trigger rising edge, load RA on falling edge of TIOA.
1067 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1068
1069 // Enable and reset counters
1070 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1071 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1072
1073 // Reset the received frame, frame count and timing info
1074 frame_count = 0;
1075 response = 0;
1076 lastbit = 1;
1077 bStop = false;
1078
1079 // Tag specific configuration settings (sof, timings, etc.)
1080 if (htf < 10){
1081 // hitagS settings
1082 reset_sof = 1;
1083 t_wait = 200;
1084 DbpString("Configured for hitagS reader");
1085 } else if (htf < 20) {
1086 // hitag1 settings
1087 reset_sof = 1;
1088 t_wait = 200;
1089 DbpString("Configured for hitag1 reader");
1090 } else if (htf < 30) {
1091 // hitag2 settings
1092 reset_sof = 4;
1093 t_wait = HITAG_T_WAIT_2;
1094 DbpString("Configured for hitag2 reader");
1095 } else {
1096 Dbprintf("Error, unknown hitag reader type: %d",htf);
1097 return;
1098 }
1099
1100 while(!bStop && !BUTTON_PRESS()) {
1101 // Watchdog hit
1102 WDT_HIT();
1103
1104 // Check if frame was captured and store it
1105 if(rxlen > 0) {
1106 frame_count++;
1107 if (!bQuiet) {
1108 if (!LogTrace(rx,nbytes(rxlen),response,0,false)) {
1109 DbpString("Trace full");
1110 if (bQuitTraceFull) {
1111 break;
1112 } else {
1113 bQuiet = true;
1114 }
1115 }
1116 }
1117 }
1118
1119 // By default reset the transmission buffer
1120 tx = txbuf;
1121 switch(htf) {
1122 case RHT2F_PASSWORD: {
1123 bStop = !hitag2_password(rx,rxlen,tx,&txlen);
1124 } break;
1125 case RHT2F_AUTHENTICATE: {
1126 bStop = !hitag2_authenticate(rx,rxlen,tx,&txlen);
1127 } break;
1128 case RHT2F_TEST_AUTH_ATTEMPTS: {
1129 bStop = !hitag2_test_auth_attempts(rx,rxlen,tx,&txlen);
1130 } break;
1131 default: {
1132 Dbprintf("Error, unknown function: %d",htf);
1133 return;
1134 } break;
1135 }
1136
1137 // Send and store the reader command
1138 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1139 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1140
1141 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1142 // Since the clock counts since the last falling edge, a 'one' means that the
1143 // falling edge occured halfway the period. with respect to this falling edge,
1144 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1145 // All timer values are in terms of T0 units
1146 while(AT91C_BASE_TC0->TC_CV < T0*(t_wait+(HITAG_T_TAG_HALF_PERIOD*lastbit)));
1147
1148 // Transmit the reader frame
1149 hitag_reader_send_frame(tx,txlen);
1150
1151 // Enable and reset external trigger in timer for capturing future frames
1152 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1153
1154 // Add transmitted frame to total count
1155 if(txlen > 0) {
1156 frame_count++;
1157 if (!bQuiet) {
1158 // Store the frame in the trace
1159 if (!LogTrace(tx,nbytes(txlen),HITAG_T_WAIT_2,0,true)) {
1160 if (bQuitTraceFull) {
1161 break;
1162 } else {
1163 bQuiet = true;
1164 }
1165 }
1166 }
1167 }
1168
1169 // Reset values for receiving frames
1170 memset(rx,0x00,sizeof(rx));
1171 rxlen = 0;
1172 lastbit = 1;
1173 bSkip = true;
1174 tag_sof = reset_sof;
1175 response = 0;
1176
1177 // Receive frame, watch for at most T0*EOF periods
1178 while (AT91C_BASE_TC1->TC_CV < T0*HITAG_T_WAIT_MAX) {
1179 // Check if falling edge in tag modulation is detected
1180 if(AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1181 // Retrieve the new timing values
1182 int ra = (AT91C_BASE_TC1->TC_RA/T0);
1183
1184 // Reset timer every frame, we have to capture the last edge for timing
1185 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1186
1187 LED_B_ON();
1188
1189 // Capture tag frame (manchester decoding using only falling edges)
1190 if(ra >= HITAG_T_EOF) {
1191 if (rxlen != 0) {
1192 //DbpString("wierd1?");
1193 }
1194 // Capture the T0 periods that have passed since last communication or field drop (reset)
1195 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1196 response = ra-HITAG_T_TAG_HALF_PERIOD;
1197 } else if(ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1198 // Manchester coding example |-_|_-|-_| (101)
1199 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
1200 rxlen++;
1201 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
1202 rxlen++;
1203 } else if(ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1204 // Manchester coding example |_-|...|_-|-_| (0...01)
1205 rx[rxlen / 8] |= 0 << (7-(rxlen%8));
1206 rxlen++;
1207 // We have to skip this half period at start and add the 'one' the second time
1208 if (!bSkip) {
1209 rx[rxlen / 8] |= 1 << (7-(rxlen%8));
1210 rxlen++;
1211 }
1212 lastbit = !lastbit;
1213 bSkip = !bSkip;
1214 } else if(ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1215 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1216 if (tag_sof) {
1217 // Ignore bits that are transmitted during SOF
1218 tag_sof--;
1219 } else {
1220 // bit is same as last bit
1221 rx[rxlen / 8] |= lastbit << (7-(rxlen%8));
1222 rxlen++;
1223 }
1224 } else {
1225 // Ignore wierd value, is to small to mean anything
1226 }
1227 }
1228
1229 // We can break this loop if we received the last bit from a frame
1230 if (AT91C_BASE_TC1->TC_CV > T0*HITAG_T_EOF) {
1231 if (rxlen>0) break;
1232 }
1233 }
1234 }
1235 LED_B_OFF();
1236 LED_D_OFF();
1237 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1238 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1239 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1240
1241 // Dbprintf("frame received: %d",frame_count);
1242 // DbpString("All done");
1243 }
Proxmark3 GIT tracking
Impressum, Datenschutz