1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443. This includes both the reader software and
3 // the `fake tag' modes. At the moment only the Type B modulation is
5 // Jonathan Westhues, split Nov 2006
6 //-----------------------------------------------------------------------------
12 #include "iso14443crc.h"
14 //static void GetSamplesFor14443(int weTx, int n);
16 #define DEMOD_TRACE_SIZE 4096
17 #define READER_TAG_BUFFER_SIZE 2048
18 #define TAG_READER_BUFFER_SIZE 2048
19 #define DMA_BUFFER_SIZE 1024
21 //=============================================================================
22 // An ISO 14443 Type B tag. We listen for commands from the reader, using
23 // a UART kind of thing that's implemented in software. When we get a
24 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
25 // If it's good, then we can do something appropriate with it, and send
27 //=============================================================================
29 //-----------------------------------------------------------------------------
30 // Code up a string of octets at layer 2 (including CRC, we don't generate
31 // that here) so that they can be transmitted to the reader. Doesn't transmit
32 // them yet, just leaves them ready to send in ToSend[].
33 //-----------------------------------------------------------------------------
34 static void CodeIso14443bAsTag(const uint8_t *cmd
, int len
)
40 // Transmit a burst of ones, as the initial thing that lets the
41 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
42 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
44 for(i
= 0; i
< 20; i
++) {
52 for(i
= 0; i
< 10; i
++) {
58 for(i
= 0; i
< 2; i
++) {
65 for(i
= 0; i
< len
; i
++) {
76 for(j
= 0; j
< 8; j
++) {
99 for(i
= 0; i
< 10; i
++) {
105 for(i
= 0; i
< 10; i
++) {
112 // Convert from last byte pos to length
115 // Add a few more for slop
119 //-----------------------------------------------------------------------------
120 // The software UART that receives commands from the reader, and its state
122 //-----------------------------------------------------------------------------
126 STATE_GOT_FALLING_EDGE_OF_SOF
,
127 STATE_AWAITING_START_BIT
,
128 STATE_RECEIVING_DATA
,
139 /* Receive & handle a bit coming from the reader.
142 * LED A -> ON once we have received the SOF and are expecting the rest.
143 * LED A -> OFF once we have received EOF or are in error state or unsynced
145 * Returns: true if we received a EOF
146 * false if we are still waiting for some more
148 static int Handle14443UartBit(int bit
)
154 // we went low, so this could be the beginning
156 Uart
.state
= STATE_GOT_FALLING_EDGE_OF_SOF
;
162 case STATE_GOT_FALLING_EDGE_OF_SOF
:
164 if(Uart
.posCnt
== 2) {
166 if(Uart
.bitCnt
>= 10) {
167 // we've seen enough consecutive
168 // zeros that it's a valid SOF
171 Uart
.state
= STATE_AWAITING_START_BIT
;
172 LED_A_ON(); // Indicate we got a valid SOF
174 // didn't stay down long enough
175 // before going high, error
176 Uart
.state
= STATE_ERROR_WAIT
;
179 // do nothing, keep waiting
183 if(Uart
.posCnt
>= 4) Uart
.posCnt
= 0;
184 if(Uart
.bitCnt
> 14) {
185 // Give up if we see too many zeros without
187 Uart
.state
= STATE_ERROR_WAIT
;
191 case STATE_AWAITING_START_BIT
:
194 if(Uart
.posCnt
> 25) {
195 // stayed high for too long between
197 Uart
.state
= STATE_ERROR_WAIT
;
200 // falling edge, this starts the data byte
204 Uart
.state
= STATE_RECEIVING_DATA
;
205 LED_A_ON(); // Indicate we're receiving
209 case STATE_RECEIVING_DATA
:
211 if(Uart
.posCnt
== 2) {
212 // time to sample a bit
215 Uart
.shiftReg
|= 0x200;
219 if(Uart
.posCnt
>= 4) {
222 if(Uart
.bitCnt
== 10) {
223 if((Uart
.shiftReg
& 0x200) && !(Uart
.shiftReg
& 0x001))
225 // this is a data byte, with correct
226 // start and stop bits
227 Uart
.output
[Uart
.byteCnt
] = (Uart
.shiftReg
>> 1) & 0xff;
230 if(Uart
.byteCnt
>= Uart
.byteCntMax
) {
231 // Buffer overflowed, give up
233 Uart
.state
= STATE_ERROR_WAIT
;
235 // so get the next byte now
237 Uart
.state
= STATE_AWAITING_START_BIT
;
239 } else if(Uart
.shiftReg
== 0x000) {
240 // this is an EOF byte
241 LED_A_OFF(); // Finished receiving
246 Uart
.state
= STATE_ERROR_WAIT
;
251 case STATE_ERROR_WAIT
:
252 // We're all screwed up, so wait a little while
253 // for whatever went wrong to finish, and then
256 if(Uart
.posCnt
> 10) {
257 Uart
.state
= STATE_UNSYNCD
;
262 Uart
.state
= STATE_UNSYNCD
;
266 if (Uart
.state
== STATE_ERROR_WAIT
) LED_A_OFF(); // Error
271 //-----------------------------------------------------------------------------
272 // Receive a command (from the reader to us, where we are the simulated tag),
273 // and store it in the given buffer, up to the given maximum length. Keeps
274 // spinning, waiting for a well-framed command, until either we get one
275 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
277 // Assume that we're called with the SSC (to the FPGA) and ADC path set
279 //-----------------------------------------------------------------------------
280 static int GetIso14443CommandFromReader(uint8_t *received
, int *len
, int maxLen
)
285 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
286 // only, since we are receiving, not transmitting).
287 // Signal field is off with the appropriate LED
290 FPGA_MAJOR_MODE_HF_SIMULATOR
| FPGA_HF_SIMULATOR_NO_MODULATION
);
293 // Now run a `software UART' on the stream of incoming samples.
294 Uart
.output
= received
;
295 Uart
.byteCntMax
= maxLen
;
296 Uart
.state
= STATE_UNSYNCD
;
301 if(BUTTON_PRESS()) return FALSE
;
303 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
304 AT91C_BASE_SSC
->SSC_THR
= 0x00;
306 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
307 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
310 for(i
= 0; i
< 8; i
++, mask
>>= 1) {
312 if(Handle14443UartBit(bit
)) {
321 //-----------------------------------------------------------------------------
322 // Main loop of simulated tag: receive commands from reader, decide what
323 // response to send, and send it.
324 //-----------------------------------------------------------------------------
325 void SimulateIso14443Tag(void)
327 static const uint8_t cmd1
[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
328 static const uint8_t response1
[] = {
329 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
330 0x00, 0x21, 0x85, 0x5e, 0xd7
336 uint8_t *resp1
= (((uint8_t *)BigBuf
) + 800);
339 uint8_t *receivedCmd
= (uint8_t *)BigBuf
;
346 memset(receivedCmd
, 0x44, 400);
348 CodeIso14443bAsTag(response1
, sizeof(response1
));
349 memcpy(resp1
, ToSend
, ToSendMax
); resp1Len
= ToSendMax
;
351 // We need to listen to the high-frequency, peak-detected path.
352 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
360 if(!GetIso14443CommandFromReader(receivedCmd
, &len
, 100)) {
361 Dbprintf("button pressed, received %d commands", cmdsRecvd
);
365 // Good, look at the command now.
367 if(len
== sizeof(cmd1
) && memcmp(receivedCmd
, cmd1
, len
)==0) {
368 resp
= resp1
; respLen
= resp1Len
;
370 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len
, cmdsRecvd
);
371 // And print whether the CRC fails, just for good measure
372 ComputeCrc14443(CRC_14443_B
, receivedCmd
, len
-2, &b1
, &b2
);
373 if(b1
!= receivedCmd
[len
-2] || b2
!= receivedCmd
[len
-1]) {
374 // Not so good, try again.
375 DbpString("+++CRC fail");
377 DbpString("CRC passes");
382 memset(receivedCmd
, 0x44, 32);
386 if(cmdsRecvd
> 0x30) {
387 DbpString("many commands later...");
391 if(respLen
<= 0) continue;
394 // Signal field is off with the appropriate LED
397 FPGA_MAJOR_MODE_HF_SIMULATOR
| FPGA_HF_SIMULATOR_MODULATE_BPSK
);
398 AT91C_BASE_SSC
->SSC_THR
= 0xff;
401 // Transmit the response.
404 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
407 AT91C_BASE_SSC
->SSC_THR
= b
;
414 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
415 volatile uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
422 //=============================================================================
423 // An ISO 14443 Type B reader. We take layer two commands, code them
424 // appropriately, and then send them to the tag. We then listen for the
425 // tag's response, which we leave in the buffer to be demodulated on the
427 //=============================================================================
432 DEMOD_PHASE_REF_TRAINING
,
433 DEMOD_AWAITING_FALLING_EDGE_OF_SOF
,
434 DEMOD_GOT_FALLING_EDGE_OF_SOF
,
435 DEMOD_AWAITING_START_BIT
,
436 DEMOD_RECEIVING_DATA
,
452 * Handles reception of a bit from the tag
455 * LED C -> ON once we have received the SOF and are expecting the rest.
456 * LED C -> OFF once we have received EOF or are unsynced
458 * Returns: true if we received a EOF
459 * false if we are still waiting for some more
462 static int Handle14443SamplesDemod(int ci
, int cq
)
466 // The soft decision on the bit uses an estimate of just the
467 // quadrant of the reference angle, not the exact angle.
468 #define MAKE_SOFT_DECISION() { \
469 if(Demod.sumI > 0) { \
474 if(Demod.sumQ > 0) { \
481 switch(Demod
.state
) {
492 Demod
.state
= DEMOD_PHASE_REF_TRAINING
;
498 case DEMOD_PHASE_REF_TRAINING
:
499 if(Demod
.posCount
< 8) {
502 } else if(Demod
.posCount
> 100) {
503 // error, waited too long
504 Demod
.state
= DEMOD_UNSYNCD
;
506 MAKE_SOFT_DECISION();
508 Demod
.state
= DEMOD_AWAITING_FALLING_EDGE_OF_SOF
;
515 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF
:
516 MAKE_SOFT_DECISION();
518 Demod
.state
= DEMOD_GOT_FALLING_EDGE_OF_SOF
;
521 if(Demod
.posCount
> 100) {
522 Demod
.state
= DEMOD_UNSYNCD
;
528 case DEMOD_GOT_FALLING_EDGE_OF_SOF
:
529 MAKE_SOFT_DECISION();
531 if(Demod
.posCount
< 12) {
532 Demod
.state
= DEMOD_UNSYNCD
;
534 LED_C_ON(); // Got SOF
535 Demod
.state
= DEMOD_AWAITING_START_BIT
;
542 if(Demod
.posCount
> 100) {
543 Demod
.state
= DEMOD_UNSYNCD
;
549 case DEMOD_AWAITING_START_BIT
:
550 MAKE_SOFT_DECISION();
552 if(Demod
.posCount
> 10) {
553 Demod
.state
= DEMOD_UNSYNCD
;
560 Demod
.state
= DEMOD_RECEIVING_DATA
;
564 case DEMOD_RECEIVING_DATA
:
565 MAKE_SOFT_DECISION();
566 if(Demod
.posCount
== 0) {
572 if(Demod
.thisBit
> 0) {
573 Demod
.metric
+= Demod
.thisBit
;
575 Demod
.metric
-= Demod
.thisBit
;
579 Demod
.shiftReg
>>= 1;
580 if(Demod
.thisBit
> 0) {
581 Demod
.shiftReg
|= 0x200;
585 if(Demod
.bitCount
== 10) {
586 uint16_t s
= Demod
.shiftReg
;
587 if((s
& 0x200) && !(s
& 0x001)) {
588 uint8_t b
= (s
>> 1);
589 Demod
.output
[Demod
.len
] = b
;
591 Demod
.state
= DEMOD_AWAITING_START_BIT
;
592 } else if(s
== 0x000) {
596 Demod
.state
= DEMOD_UNSYNCD
;
598 Demod
.state
= DEMOD_UNSYNCD
;
606 Demod
.state
= DEMOD_UNSYNCD
;
610 if (Demod
.state
== DEMOD_UNSYNCD
) LED_C_OFF(); // Not synchronized...
615 * Demodulate the samples we received from the tag
616 * weTx: set to 'TRUE' if we behave like a reader
617 * set to 'FALSE' if we behave like a snooper
618 * quiet: set to 'TRUE' to disable debug output
620 static void GetSamplesFor14443Demod(int weTx
, int n
, int quiet
)
623 int gotFrame
= FALSE
;
625 //# define DMA_BUFFER_SIZE 8
635 // Clear out the state of the "UART" that receives from the tag.
636 memset(BigBuf
, 0x44, 400);
637 Demod
.output
= (uint8_t *)BigBuf
;
639 Demod
.state
= DEMOD_UNSYNCD
;
641 // And the UART that receives from the reader
642 Uart
.output
= (((uint8_t *)BigBuf
) + 1024);
643 Uart
.byteCntMax
= 100;
644 Uart
.state
= STATE_UNSYNCD
;
646 // Setup for the DMA.
647 dmaBuf
= (int8_t *)(BigBuf
+ 32);
649 lastRxCounter
= DMA_BUFFER_SIZE
;
650 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
);
652 // Signal field is ON with the appropriate LED:
653 if (weTx
) LED_D_ON(); else LED_D_OFF();
654 // And put the FPGA in the appropriate mode
656 FPGA_MAJOR_MODE_HF_READER_RX_XCORR
| FPGA_HF_READER_RX_XCORR_848_KHZ
|
657 (weTx
? 0 : FPGA_HF_READER_RX_XCORR_SNOOP
));
660 int behindBy
= lastRxCounter
- AT91C_BASE_PDC_SSC
->PDC_RCR
;
661 if(behindBy
> max
) max
= behindBy
;
663 while(((lastRxCounter
-AT91C_BASE_PDC_SSC
->PDC_RCR
) & (DMA_BUFFER_SIZE
-1))
669 if(upTo
- dmaBuf
> DMA_BUFFER_SIZE
) {
670 upTo
-= DMA_BUFFER_SIZE
;
671 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) upTo
;
672 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
675 if(lastRxCounter
<= 0) {
676 lastRxCounter
+= DMA_BUFFER_SIZE
;
681 Handle14443UartBit(1);
682 Handle14443UartBit(1);
684 if(Handle14443SamplesDemod(ci
, cq
)) {
693 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTDIS
;
694 if (!quiet
) Dbprintf("%x %x %x", max
, gotFrame
, Demod
.len
);
697 //-----------------------------------------------------------------------------
698 // Read the tag's response. We just receive a stream of slightly-processed
699 // samples from the FPGA, which we will later do some signal processing on,
701 //-----------------------------------------------------------------------------
702 /*static void GetSamplesFor14443(int weTx, int n)
704 uint8_t *dest = (uint8_t *)BigBuf;
708 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
709 (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
713 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
714 AT91C_BASE_SSC->SSC_THR = 0x43;
716 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
718 b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
720 dest[c++] = (uint8_t)b;
729 //-----------------------------------------------------------------------------
730 // Transmit the command (to the tag) that was placed in ToSend[].
731 //-----------------------------------------------------------------------------
732 static void TransmitFor14443(void)
738 while(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
739 AT91C_BASE_SSC
->SSC_THR
= 0xff;
742 // Signal field is ON with the appropriate Red LED
744 // Signal we are transmitting with the Green LED
747 FPGA_MAJOR_MODE_HF_READER_TX
| FPGA_HF_READER_TX_SHALLOW_MOD
);
749 for(c
= 0; c
< 10;) {
750 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
751 AT91C_BASE_SSC
->SSC_THR
= 0xff;
754 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
755 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
763 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
764 AT91C_BASE_SSC
->SSC_THR
= ToSend
[c
];
770 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
771 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
776 LED_B_OFF(); // Finished sending
779 //-----------------------------------------------------------------------------
780 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
781 // so that it is ready to transmit to the tag using TransmitFor14443().
782 //-----------------------------------------------------------------------------
783 void CodeIso14443bAsReader(const uint8_t *cmd
, int len
)
790 // Establish initial reference level
791 for(i
= 0; i
< 40; i
++) {
795 for(i
= 0; i
< 10; i
++) {
799 for(i
= 0; i
< len
; i
++) {
807 for(j
= 0; j
< 8; j
++) {
818 for(i
= 0; i
< 10; i
++) {
821 for(i
= 0; i
< 8; i
++) {
825 // And then a little more, to make sure that the last character makes
826 // it out before we switch to rx mode.
827 for(i
= 0; i
< 24; i
++) {
831 // Convert from last character reference to length
835 //-----------------------------------------------------------------------------
836 // Read an ISO 14443 tag. We send it some set of commands, and record the
838 // The command name is misleading, it actually decodes the reponse in HEX
839 // into the output buffer (read the result using hexsamples, not hisamples)
840 //-----------------------------------------------------------------------------
841 void AcquireRawAdcSamplesIso14443(uint32_t parameter
)
843 uint8_t cmd1
[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
845 // Make sure that we start from off, since the tags are stateful;
846 // confusing things will happen if we don't reset them between reads.
847 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
851 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
854 // Now give it time to spin up.
855 // Signal field is on with the appropriate LED
858 FPGA_MAJOR_MODE_HF_READER_RX_XCORR
| FPGA_HF_READER_RX_XCORR_848_KHZ
);
861 CodeIso14443bAsReader(cmd1
, sizeof(cmd1
));
864 GetSamplesFor14443Demod(TRUE
, 2000, FALSE
);
868 //-----------------------------------------------------------------------------
869 // Read a SRI512 ISO 14443 tag.
871 // SRI512 tags are just simple memory tags, here we're looking at making a dump
872 // of the contents of the memory. No anticollision algorithm is done, we assume
873 // we have a single tag in the field.
875 // I tried to be systematic and check every answer of the tag, every CRC, etc...
876 //-----------------------------------------------------------------------------
877 void ReadSRI512Iso14443(uint32_t parameter
)
879 ReadSTMemoryIso14443(parameter
,0x0F);
881 void ReadSRIX4KIso14443(uint32_t parameter
)
883 ReadSTMemoryIso14443(parameter
,0x7F);
886 void ReadSTMemoryIso14443(uint32_t parameter
,uint32_t dwLast
)
890 // Make sure that we start from off, since the tags are stateful;
891 // confusing things will happen if we don't reset them between reads.
893 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
896 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
899 // Now give it time to spin up.
900 // Signal field is on with the appropriate LED
903 FPGA_MAJOR_MODE_HF_READER_RX_XCORR
| FPGA_HF_READER_RX_XCORR_848_KHZ
);
906 // First command: wake up the tag using the INITIATE command
907 uint8_t cmd1
[] = { 0x06, 0x00, 0x97, 0x5b};
908 CodeIso14443bAsReader(cmd1
, sizeof(cmd1
));
911 GetSamplesFor14443Demod(TRUE
, 2000,TRUE
);
914 if (Demod
.len
== 0) {
915 DbpString("No response from tag");
918 Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %x %x %x",
919 Demod
.output
[0], Demod
.output
[1],Demod
.output
[2]);
921 // There is a response, SELECT the uid
922 DbpString("Now SELECT tag:");
923 cmd1
[0] = 0x0E; // 0x0E is SELECT
924 cmd1
[1] = Demod
.output
[0];
925 ComputeCrc14443(CRC_14443_B
, cmd1
, 2, &cmd1
[2], &cmd1
[3]);
926 CodeIso14443bAsReader(cmd1
, sizeof(cmd1
));
929 GetSamplesFor14443Demod(TRUE
, 2000,TRUE
);
931 if (Demod
.len
!= 3) {
932 Dbprintf("Expected 3 bytes from tag, got %d", Demod
.len
);
935 // Check the CRC of the answer:
936 ComputeCrc14443(CRC_14443_B
, Demod
.output
, 1 , &cmd1
[2], &cmd1
[3]);
937 if(cmd1
[2] != Demod
.output
[1] || cmd1
[3] != Demod
.output
[2]) {
938 DbpString("CRC Error reading select response.");
941 // Check response from the tag: should be the same UID as the command we just sent:
942 if (cmd1
[1] != Demod
.output
[0]) {
943 Dbprintf("Bad response to SELECT from Tag, aborting: %x %x", cmd1
[1], Demod
.output
[0]);
946 // Tag is now selected,
947 // First get the tag's UID:
949 ComputeCrc14443(CRC_14443_B
, cmd1
, 1 , &cmd1
[1], &cmd1
[2]);
950 CodeIso14443bAsReader(cmd1
, 3); // Only first three bytes for this one
953 GetSamplesFor14443Demod(TRUE
, 2000,TRUE
);
955 if (Demod
.len
!= 10) {
956 Dbprintf("Expected 10 bytes from tag, got %d", Demod
.len
);
959 // The check the CRC of the answer (use cmd1 as temporary variable):
960 ComputeCrc14443(CRC_14443_B
, Demod
.output
, 8, &cmd1
[2], &cmd1
[3]);
961 if(cmd1
[2] != Demod
.output
[8] || cmd1
[3] != Demod
.output
[9]) {
962 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
963 (cmd1
[2]<<8)+cmd1
[3], (Demod
.output
[8]<<8)+Demod
.output
[9]);
964 // Do not return;, let's go on... (we should retry, maybe ?)
966 Dbprintf("Tag UID (64 bits): %08x %08x",
967 (Demod
.output
[7]<<24) + (Demod
.output
[6]<<16) + (Demod
.output
[5]<<8) + Demod
.output
[4],
968 (Demod
.output
[3]<<24) + (Demod
.output
[2]<<16) + (Demod
.output
[1]<<8) + Demod
.output
[0]);
970 // Now loop to read all 16 blocks, address from 0 to 15
971 DbpString("Tag memory dump, block 0 to 15");
977 DbpString("System area block (0xff):");
981 ComputeCrc14443(CRC_14443_B
, cmd1
, 2, &cmd1
[2], &cmd1
[3]);
982 CodeIso14443bAsReader(cmd1
, sizeof(cmd1
));
985 GetSamplesFor14443Demod(TRUE
, 2000,TRUE
);
987 if (Demod
.len
!= 6) { // Check if we got an answer from the tag
988 DbpString("Expected 6 bytes from tag, got less...");
991 // The check the CRC of the answer (use cmd1 as temporary variable):
992 ComputeCrc14443(CRC_14443_B
, Demod
.output
, 4, &cmd1
[2], &cmd1
[3]);
993 if(cmd1
[2] != Demod
.output
[4] || cmd1
[3] != Demod
.output
[5]) {
994 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
995 (cmd1
[2]<<8)+cmd1
[3], (Demod
.output
[4]<<8)+Demod
.output
[5]);
996 // Do not return;, let's go on... (we should retry, maybe ?)
998 // Now print out the memory location:
999 Dbprintf("Address=%x, Contents=%x, CRC=%x", i
,
1000 (Demod
.output
[3]<<24) + (Demod
.output
[2]<<16) + (Demod
.output
[1]<<8) + Demod
.output
[0],
1001 (Demod
.output
[4]<<8)+Demod
.output
[5]);
1010 //=============================================================================
1011 // Finally, the `sniffer' combines elements from both the reader and
1012 // simulated tag, to show both sides of the conversation.
1013 //=============================================================================
1015 //-----------------------------------------------------------------------------
1016 // Record the sequence of commands sent by the reader to the tag, with
1017 // triggering so that we start recording at the point that the tag is moved
1019 //-----------------------------------------------------------------------------
1021 * Memory usage for this function, (within BigBuf)
1022 * 0-4095 : Demodulated samples receive (4096 bytes) - DEMOD_TRACE_SIZE
1023 * 4096-6143 : Last Received command, 2048 bytes (reader->tag) - READER_TAG_BUFFER_SIZE
1024 * 6144-8191 : Last Received command, 2048 bytes(tag->reader) - TAG_READER_BUFFER_SIZE
1025 * 8192-9215 : DMA Buffer, 1024 bytes (samples) - DMA_BUFFER_SIZE
1027 void SnoopIso14443(void)
1029 // We won't start recording the frames that we acquire until we trigger;
1030 // a good trigger condition to get started is probably when we see a
1031 // response from the tag.
1032 int triggered
= FALSE
;
1034 // The command (reader -> tag) that we're working on receiving.
1035 uint8_t *receivedCmd
= (uint8_t *)(BigBuf
) + DEMOD_TRACE_SIZE
;
1036 // The response (tag -> reader) that we're working on receiving.
1037 uint8_t *receivedResponse
= (uint8_t *)(BigBuf
) + DEMOD_TRACE_SIZE
+ READER_TAG_BUFFER_SIZE
;
1039 // As we receive stuff, we copy it from receivedCmd or receivedResponse
1040 // into trace, along with its length and other annotations.
1041 uint8_t *trace
= (uint8_t *)BigBuf
;
1044 // The DMA buffer, used to stream samples from the FPGA.
1045 int8_t *dmaBuf
= (int8_t *)(BigBuf
) + DEMOD_TRACE_SIZE
+ READER_TAG_BUFFER_SIZE
+ TAG_READER_BUFFER_SIZE
;
1049 int maxBehindBy
= 0;
1051 // Count of samples received so far, so that we can include timing
1052 // information in the trace buffer.
1055 // Initialize the trace buffer
1056 memset(trace
, 0x44, DEMOD_TRACE_SIZE
);
1058 // Set up the demodulator for tag -> reader responses.
1059 Demod
.output
= receivedResponse
;
1061 Demod
.state
= DEMOD_UNSYNCD
;
1063 // And the reader -> tag commands
1064 memset(&Uart
, 0, sizeof(Uart
));
1065 Uart
.output
= receivedCmd
;
1066 Uart
.byteCntMax
= 100;
1067 Uart
.state
= STATE_UNSYNCD
;
1069 // Print some debug information about the buffer sizes
1070 Dbprintf("Snooping buffers initialized:");
1071 Dbprintf(" Trace: %i bytes", DEMOD_TRACE_SIZE
);
1072 Dbprintf(" Reader -> tag: %i bytes", READER_TAG_BUFFER_SIZE
);
1073 Dbprintf(" tag -> Reader: %i bytes", TAG_READER_BUFFER_SIZE
);
1074 Dbprintf(" DMA: %i bytes", DMA_BUFFER_SIZE
);
1076 // Use a counter for blinking the LED
1078 long ledFlashAt
=200000;
1080 // And put the FPGA in the appropriate mode
1081 // Signal field is off with the appropriate LED
1084 FPGA_MAJOR_MODE_HF_READER_RX_XCORR
| FPGA_HF_READER_RX_XCORR_848_KHZ
|
1085 FPGA_HF_READER_RX_XCORR_SNOOP
);
1086 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1088 // Setup for the DMA.
1091 lastRxCounter
= DMA_BUFFER_SIZE
;
1092 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
);
1093 // And now we loop, receiving samples.
1095 // Blink the LED while Snooping
1097 if (ledCount
== ledFlashAt
) {
1100 if (ledCount
>= 2*ledFlashAt
) {
1105 int behindBy
= (lastRxCounter
- AT91C_BASE_PDC_SSC
->PDC_RCR
) &
1106 (DMA_BUFFER_SIZE
-1);
1107 if(behindBy
> maxBehindBy
) {
1108 maxBehindBy
= behindBy
;
1109 if(behindBy
> (DMA_BUFFER_SIZE
-2)) { // TODO: understand whether we can increase/decrease as we want or not?
1110 Dbprintf("blew circular buffer! behindBy=%x", behindBy
);
1114 if(behindBy
< 2) continue;
1120 if(upTo
- dmaBuf
> DMA_BUFFER_SIZE
) {
1121 upTo
-= DMA_BUFFER_SIZE
;
1122 lastRxCounter
+= DMA_BUFFER_SIZE
;
1123 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) upTo
;
1124 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
1129 #define HANDLE_BIT_IF_BODY \
1132 trace[traceLen++] = ((samples >> 0) & 0xff); \
1133 trace[traceLen++] = ((samples >> 8) & 0xff); \
1134 trace[traceLen++] = ((samples >> 16) & 0xff); \
1135 trace[traceLen++] = ((samples >> 24) & 0xff); \
1136 trace[traceLen++] = 0; \
1137 trace[traceLen++] = 0; \
1138 trace[traceLen++] = 0; \
1139 trace[traceLen++] = 0; \
1140 trace[traceLen++] = Uart.byteCnt; \
1141 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
1142 traceLen += Uart.byteCnt; \
1143 if(traceLen > 1000) break; \
1145 /* And ready to receive another command. */ \
1146 memset(&Uart, 0, sizeof(Uart)); \
1147 Uart.output = receivedCmd; \
1148 Uart.byteCntMax = 100; \
1149 Uart.state = STATE_UNSYNCD; \
1150 /* And also reset the demod code, which might have been */ \
1151 /* false-triggered by the commands from the reader. */ \
1152 memset(&Demod, 0, sizeof(Demod)); \
1153 Demod.output = receivedResponse; \
1154 Demod.state = DEMOD_UNSYNCD; \
1156 if(Handle14443UartBit(ci & 1)) {
1159 if(Handle14443UartBit(cq
& 1)) {
1163 if(Handle14443SamplesDemod(ci
, cq
)) {
1164 // timestamp, as a count of samples
1165 trace
[traceLen
++] = ((samples
>> 0) & 0xff);
1166 trace
[traceLen
++] = ((samples
>> 8) & 0xff);
1167 trace
[traceLen
++] = ((samples
>> 16) & 0xff);
1168 trace
[traceLen
++] = 0x80 | ((samples
>> 24) & 0xff);
1169 // correlation metric (~signal strength estimate)
1170 if(Demod
.metricN
!= 0) {
1171 Demod
.metric
/= Demod
.metricN
;
1173 trace
[traceLen
++] = ((Demod
.metric
>> 0) & 0xff);
1174 trace
[traceLen
++] = ((Demod
.metric
>> 8) & 0xff);
1175 trace
[traceLen
++] = ((Demod
.metric
>> 16) & 0xff);
1176 trace
[traceLen
++] = ((Demod
.metric
>> 24) & 0xff);
1178 trace
[traceLen
++] = Demod
.len
;
1179 memcpy(trace
+traceLen
, receivedResponse
, Demod
.len
);
1180 traceLen
+= Demod
.len
;
1181 if(traceLen
> DEMOD_TRACE_SIZE
) {
1182 DbpString("Reached trace limit");
1188 // And ready to receive another response.
1189 memset(&Demod
, 0, sizeof(Demod
));
1190 Demod
.output
= receivedResponse
;
1191 Demod
.state
= DEMOD_UNSYNCD
;
1195 if(BUTTON_PRESS()) {
1196 DbpString("cancelled");
1203 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTDIS
;
1204 DbpString("Snoop statistics:");
1205 Dbprintf(" Max behind by: %i", maxBehindBy
);
1206 Dbprintf(" Uart State: %x", Uart
.state
);
1207 Dbprintf(" Uart ByteCnt: %i", Uart
.byteCnt
);
1208 Dbprintf(" Uart ByteCntMax: %i", Uart
.byteCntMax
);
1209 Dbprintf(" Trace length: %i", traceLen
);