f6ba0c6bf8186060e7c724d503b01f497fe9feef
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include <stdlib.h>
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "hitagS.h"
20 #include "hitag2.h"
21 #include "string.h"
22 #include "BigBuf.h"
23
24 #define CRC_PRESET 0xFF
25 #define CRC_POLYNOM 0x1D
26
27 #define u8 uint8_t
28 #define u32 uint32_t
29 #define u64 uint64_t
30 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
31 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
32 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
33 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
34 #define bit(x,n) (((x)>>(n))&1)
35 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
36 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
37 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
38
39 static bool bQuiet;
40 static bool bSuccessful;
41 static struct hitagS_tag tag;
42 static byte_t page_to_be_written = 0;
43 static int block_data_left = 0;
44 typedef enum modulation {
45 AC2K = 0, AC4K, MC4K, MC8K
46 } MOD;
47 static MOD m = AC2K; //used modulation
48 static uint32_t temp_uid;
49 static int temp2 = 0;
50 static int sof_bits; //number of start-of-frame bits
51 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
52 static uint32_t rnd = 0x74124485; //randomnumber
53 static int test = 0;
54 size_t blocknr;
55 bool end=false;
56
57 // Single bit Hitag2 functions:
58 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
59 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
60 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
61 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
62 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
63 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
64 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
65 #define uf20bs u32
66
67 static u32 f20(const u64 x) {
68 u32 i5;
69
70 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
71 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
72 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
73 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
74 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
75
76 return (ht2_f5c >> i5) & 1;
77 }
78 static u64 hitag2_round(u64 *state) {
79 u64 x = *state;
80
81 x = (x >> 1)
82 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
83 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
84 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
85 & 1) << 47);
86
87 *state = x;
88 return f20(x);
89 }
90 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
91 u32 i;
92 u64 x = ((key & 0xFFFF) << 32) + serial;
93 for (i = 0; i < 32; i++) {
94 x >>= 1;
95 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
96 }
97 return x;
98 }
99 static u32 hitag2_byte(u64 *x) {
100 u32 i, c;
101
102 for (i = 0, c = 0; i < 8; i++)
103 c += (u32) hitag2_round(x) << (i ^ 7);
104 return c;
105 }
106
107 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
108 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
109 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
110 // T0 = TIMER_CLOCK1 / 125000 = 192
111 #define T0 192
112
113 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
114 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
115
116 #define HITAG_FRAME_LEN 20
117 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
118 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
119 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
120 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
121 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
122 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
123 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
124 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
125 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
126
127 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
128 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
129 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
130 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
131
132 #define HITAG_T_TAG_HALF_PERIOD 16
133 #define HITAG_T_TAG_FULL_PERIOD 32
134
135 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
136 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
137 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
138 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
139
140 #define DEBUG 0
141
142 /*
143 * Implementation of the crc8 calculation from Hitag S
144 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
145 */
146 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
147 *crc ^= data; // crc = crc (exor) data
148 do {
149 if (*crc & 0x80) // if (MSB-CRC == 1)
150 {
151 *crc <<= 1; // CRC = CRC Bit-shift left
152 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
153 } else {
154 *crc <<= 1; // CRC = CRC Bit-shift left
155 }
156 } while (--Bitcount);
157 }
158
159 static void hitag_send_bit(int bit) {
160 LED_A_ON();
161 // Reset clock for the next bit
162 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
163
164 switch (m) {
165 case AC2K:
166 if (bit == 0) {
167 // AC Coding --__
168 HIGH(GPIO_SSC_DOUT);
169 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
170 ;
171 LOW(GPIO_SSC_DOUT);
172 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
173 ;
174 } else {
175 // AC coding -_-_
176 HIGH(GPIO_SSC_DOUT);
177 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
178 ;
179 LOW(GPIO_SSC_DOUT);
180 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
181 ;
182 HIGH(GPIO_SSC_DOUT);
183 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
184 ;
185 LOW(GPIO_SSC_DOUT);
186 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
187 ;;
188 }
189 LED_A_OFF();
190 break;
191 case AC4K:
192 if (bit == 0) {
193 // AC Coding --__
194 HIGH(GPIO_SSC_DOUT);
195 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
196 ;
197 LOW(GPIO_SSC_DOUT);
198 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
199 ;
200 } else {
201 // AC coding -_-_
202 HIGH(GPIO_SSC_DOUT);
203 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
204 ;
205 LOW(GPIO_SSC_DOUT);
206 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
207 ;
208 HIGH(GPIO_SSC_DOUT);
209 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
210 ;
211 LOW(GPIO_SSC_DOUT);
212 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
213 ;
214 }
215 LED_A_OFF();
216 break;
217 case MC4K:
218 if (bit == 0) {
219 // Manchester: Unloaded, then loaded |__--|
220 LOW(GPIO_SSC_DOUT);
221 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
222 ;
223 HIGH(GPIO_SSC_DOUT);
224 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
225 ;
226 } else {
227 // Manchester: Loaded, then unloaded |--__|
228 HIGH(GPIO_SSC_DOUT);
229 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
230 ;
231 LOW(GPIO_SSC_DOUT);
232 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
233 ;
234 }
235 LED_A_OFF();
236 break;
237 case MC8K:
238 if (bit == 0) {
239 // Manchester: Unloaded, then loaded |__--|
240 LOW(GPIO_SSC_DOUT);
241 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
242 ;
243 HIGH(GPIO_SSC_DOUT);
244 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
245 ;
246 } else {
247 // Manchester: Loaded, then unloaded |--__|
248 HIGH(GPIO_SSC_DOUT);
249 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
250 ;
251 LOW(GPIO_SSC_DOUT);
252 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
253 ;
254 }
255 LED_A_OFF();
256 break;
257 default:
258 break;
259 }
260 }
261
262 static void hitag_send_frame(const byte_t* frame, size_t frame_len) {
263 // Send start of frame
264
265 for (size_t i = 0; i < sof_bits; i++) {
266 hitag_send_bit(1);
267 }
268
269 // Send the content of the frame
270 for (size_t i = 0; i < frame_len; i++) {
271 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
272 }
273 // Drop the modulation
274 LOW(GPIO_SSC_DOUT);
275 }
276
277 static void hitag_reader_send_bit(int bit) {
278 //Dbprintf("BIT: %d",bit);
279 LED_A_ON();
280 // Reset clock for the next bit
281 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
282
283 // Binary puls length modulation (BPLM) is used to encode the data stream
284 // This means that a transmission of a one takes longer than that of a zero
285
286 // Enable modulation, which means, drop the the field
287 HIGH(GPIO_SSC_DOUT);
288 if (test == 1) {
289 // Wait for 4-10 times the carrier period
290 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
291 ;
292 // SpinDelayUs(8*8);
293
294 // Disable modulation, just activates the field again
295 LOW(GPIO_SSC_DOUT);
296
297 if (bit == 0) {
298 // Zero bit: |_-|
299 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
300 ;
301 // SpinDelayUs(16*8);
302 } else {
303 // One bit: |_--|
304 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
305 ;
306 // SpinDelayUs(22*8);
307 }
308 } else {
309 // Wait for 4-10 times the carrier period
310 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
311 ;
312 // SpinDelayUs(8*8);
313
314 // Disable modulation, just activates the field again
315 LOW(GPIO_SSC_DOUT);
316
317 if (bit == 0) {
318 // Zero bit: |_-|
319 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
320 ;
321 // SpinDelayUs(16*8);
322 } else {
323 // One bit: |_--|
324 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
325 ;
326 // SpinDelayUs(22*8);
327 }
328 }
329
330 LED_A_OFF();
331 }
332
333 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
334 // Send the content of the frame
335 for (size_t i = 0; i < frame_len; i++) {
336 if (frame[0] == 0xf8) {
337 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
338 }
339 hitag_reader_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
340 }
341 // Send EOF
342 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
343 // Enable modulation, which means, drop the the field
344 HIGH(GPIO_SSC_DOUT);
345 // Wait for 4-10 times the carrier period
346 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
347 ;
348 // Disable modulation, just activates the field again
349 LOW(GPIO_SSC_DOUT);
350 }
351
352 /*
353 * to check if the right uid was selected
354 */
355 static int check_select(byte_t* rx, uint32_t uid) {
356 unsigned char resp[48];
357 int i;
358 uint32_t ans = 0x0;
359 for (i = 0; i < 48; i++)
360 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
361 for (i = 0; i < 32; i++)
362 ans += resp[5 + i] << (31 - i);
363 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
364 && rx[4] == 0x65 && rx[5] == 0x38)
365 Dbprintf("got uid %X", ans);*/
366 temp_uid = ans;
367 if (ans == tag.uid)
368 return 1;
369 return 0;
370 }
371
372 /*
373 * handles all commands from a reader
374 */
375 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
376 byte_t* tx, size_t* txlen) {
377 byte_t rx_air[HITAG_FRAME_LEN];
378 byte_t page;
379 int i;
380 u64 state;
381 unsigned char crc;
382
383 // Copy the (original) received frame how it is send over the air
384 memcpy(rx_air, rx, nbytes(rxlen));
385 // Reset the transmission frame length
386 *txlen = 0;
387 // Try to find out which command was send by selecting on length (in bits)
388 switch (rxlen) {
389 case 5: {
390 //UID request with a selected response protocol mode
391 tag.pstate = READY;
392 tag.tstate = NO_OP;
393 if ((rx[0] & 0xf0) == 0x30) {
394 tag.mode = STANDARD;
395 sof_bits = 1;
396 m = AC2K;
397 }
398 if ((rx[0] & 0xf0) == 0xc0) {
399 tag.mode = ADVANCED;
400 sof_bits = 3;
401 m = AC2K;
402 }
403
404 if ((rx[0] & 0xf0) == 0xd0) {
405 tag.mode = FAST_ADVANCED;
406 sof_bits = 3;
407 m = AC4K;
408 }
409 //send uid as a response
410 *txlen = 32;
411 for (i = 0; i < 4; i++)
412 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
413 }
414 break;
415 case 45: {
416 //select command from reader received
417 if (check_select(rx, tag.uid) == 1) {
418 //if the right tag was selected
419 *txlen = 32;
420 switch (tag.mode) {
421 case STANDARD:
422 sof_bits = 1;
423 m = MC4K;
424 break;
425 case ADVANCED:
426 sof_bits = 6;
427 m = MC4K;
428 break;
429 case FAST_ADVANCED:
430 sof_bits = 6;
431 m = MC8K;
432 break;
433 default:
434 break;
435 }
436
437 //send configuration
438 for (i = 0; i < 4; i++)
439 tx[i] = (tag.pages[0][1] >> (i * 8)) & 0xff;
440 tx[3] = 0xff;
441 if (tag.mode != STANDARD) {
442 *txlen = 40;
443 crc = CRC_PRESET;
444 for (i = 0; i < 4; i++)
445 calc_crc(&crc, tx[i], 8);
446 tx[4] = crc;
447 }
448 }
449 }
450 break;
451 case 64: {
452 //challenge message received
453 Dbprintf("Challenge for UID: %X", temp_uid);
454 temp2++;
455 *txlen = 32;
456 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
457 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
458 Dbprintf(
459 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
460 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
461 switch (tag.mode) {
462 case STANDARD:
463 sof_bits = 1;
464 m = MC4K;
465 break;
466 case ADVANCED:
467 sof_bits = 6;
468 m = MC4K;
469 break;
470 case FAST_ADVANCED:
471 sof_bits = 6;
472 m = MC8K;
473 break;
474 default:
475 break;
476 }
477
478 for (i = 0; i < 4; i++)
479 hitag2_byte(&state);
480 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
481 tx[0] = hitag2_byte(&state) ^ ((tag.pages[0][1] >> 16) & 0xff);
482 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
483 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
484 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
485 if (tag.mode != STANDARD) {
486 //add crc8
487 *txlen = 40;
488 crc = CRC_PRESET;
489 calc_crc(&crc, ((tag.pages[0][1] >> 16) & 0xff), 8);
490 calc_crc(&crc, tag.pwdh0, 8);
491 calc_crc(&crc, tag.pwdl0, 8);
492 calc_crc(&crc, tag.pwdl1, 8);
493 tx[4] = (crc ^ hitag2_byte(&state));
494 }
495 /*
496 * some readers do not allow to authenticate multiple times in a row with the same tag.
497 * use this to change the uid between authentications.
498 */
499
500 /*
501 if (temp2 % 2 == 0) {
502 tag.uid = 0x11223344;
503 tag.pages[0][0] = 0x44332211;
504 } else {
505 tag.uid = 0x55667788;
506 tag.pages[0][0] = 0x88776655;
507 }
508 */
509 }
510 case 40:
511 //data received to be written
512 if (tag.tstate == WRITING_PAGE_DATA) {
513 tag.tstate = NO_OP;
514 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
515 << 0) + (rx[1] << 8) + (rx[2] << 16) + (rx[3] << 24);
516 //send ack
517 *txlen = 2;
518 tx[0] = 0x40;
519 page_to_be_written = 0;
520 switch (tag.mode) {
521 case STANDARD:
522 sof_bits = 1;
523 m = MC4K;
524 break;
525 case ADVANCED:
526 sof_bits = 6;
527 m = MC4K;
528 break;
529 case FAST_ADVANCED:
530 sof_bits = 6;
531 m = MC8K;
532 break;
533 default:
534 break;
535 }
536 } else if (tag.tstate == WRITING_BLOCK_DATA) {
537 tag.pages[page_to_be_written / 4][page_to_be_written % 4] = (rx[0]
538 << 24) + (rx[1] << 16) + (rx[2] << 8) + rx[3];
539 //send ack
540 *txlen = 2;
541 tx[0] = 0x40;
542 switch (tag.mode) {
543 case STANDARD:
544 sof_bits = 1;
545 m = MC4K;
546 break;
547 case ADVANCED:
548 sof_bits = 6;
549 m = MC4K;
550 break;
551 case FAST_ADVANCED:
552 sof_bits = 6;
553 m = MC8K;
554 break;
555 default:
556 break;
557 }
558 page_to_be_written++;
559 block_data_left--;
560 if (block_data_left == 0) {
561 tag.tstate = NO_OP;
562 page_to_be_written = 0;
563 }
564 }
565 break;
566 case 20: {
567 //write page, write block, read page or read block command received
568 if ((rx[0] & 0xf0) == 0xc0) //read page
569 {
570 //send page data
571 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
572 *txlen = 32;
573 tx[0] = (tag.pages[page / 4][page % 4]) & 0xff;
574 tx[1] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
575 tx[2] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
576 tx[3] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
577 if (tag.LKP && page == 1)
578 tx[3] = 0xff;
579
580 switch (tag.mode) {
581 case STANDARD:
582 sof_bits = 1;
583 m = MC4K;
584 break;
585 case ADVANCED:
586 sof_bits = 6;
587 m = MC4K;
588 break;
589 case FAST_ADVANCED:
590 sof_bits = 6;
591 m = MC8K;
592 break;
593 default:
594 break;
595 }
596
597 if (tag.mode != STANDARD) {
598 //add crc8
599 *txlen = 40;
600 crc = CRC_PRESET;
601 for (i = 0; i < 4; i++)
602 calc_crc(&crc, tx[i], 8);
603 tx[4] = crc;
604 }
605
606 if (tag.LKP && (page == 2 || page == 3)) {
607 //if reader asks for key or password and the LKP-mark is set do not respond
608 sof_bits = 0;
609 *txlen = 0;
610 }
611 } else if ((rx[0] & 0xf0) == 0xd0) //read block
612 {
613 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
614 *txlen = 32 * 4;
615 //send page,...,page+3 data
616 for (i = 0; i < 4; i++) {
617 tx[0 + i * 4] = (tag.pages[page / 4][page % 4]) & 0xff;
618 tx[1 + i * 4] = (tag.pages[page / 4][page % 4] >> 8) & 0xff;
619 tx[2 + i * 4] = (tag.pages[page / 4][page % 4] >> 16) & 0xff;
620 tx[3 + i * 4] = (tag.pages[page / 4][page % 4] >> 24) & 0xff;
621 page++;
622 }
623
624 switch (tag.mode) {
625 case STANDARD:
626 sof_bits = 1;
627 m = MC4K;
628 break;
629 case ADVANCED:
630 sof_bits = 6;
631 m = MC4K;
632 break;
633 case FAST_ADVANCED:
634 sof_bits = 6;
635 m = MC8K;
636 break;
637 default:
638 break;
639 }
640
641 if (tag.mode != STANDARD) {
642 //add crc8
643 *txlen = 32 * 4 + 8;
644 crc = CRC_PRESET;
645 for (i = 0; i < 16; i++)
646 calc_crc(&crc, tx[i], 8);
647 tx[16] = crc;
648 }
649
650 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
651 sof_bits = 0;
652 *txlen = 0;
653 }
654 } else if ((rx[0] & 0xf0) == 0x80) //write page
655 {
656 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
657
658 switch (tag.mode) {
659 case STANDARD:
660 sof_bits = 1;
661 m = MC4K;
662 break;
663 case ADVANCED:
664 sof_bits = 6;
665 m = MC4K;
666 break;
667 case FAST_ADVANCED:
668 sof_bits = 6;
669 m = MC8K;
670 break;
671 default:
672 break;
673 }
674 if ((tag.LCON && page == 1)
675 || (tag.LKP && (page == 2 || page == 3))) {
676 //deny
677 *txlen = 0;
678 } else {
679 //allow
680 *txlen = 2;
681 tx[0] = 0x40;
682 page_to_be_written = page;
683 tag.tstate = WRITING_PAGE_DATA;
684 }
685
686 } else if ((rx[0] & 0xf0) == 0x90) //write block
687 {
688 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
689 switch (tag.mode) {
690 case STANDARD:
691 sof_bits = 1;
692 m = MC4K;
693 break;
694 case ADVANCED:
695 sof_bits = 6;
696 m = MC4K;
697 break;
698 case FAST_ADVANCED:
699 sof_bits = 6;
700 m = MC8K;
701 break;
702 default:
703 break;
704 }
705 if (page % 4 != 0 || page == 0) {
706 //deny
707 *txlen = 0;
708 } else {
709 //allow
710 *txlen = 2;
711 tx[0] = 0x40;
712 page_to_be_written = page;
713 block_data_left = 4;
714 tag.tstate = WRITING_BLOCK_DATA;
715 }
716 }
717 }
718 break;
719 default:
720
721 break;
722 }
723 }
724
725 /*
726 * to autenticate to a tag with the given key or challenge
727 */
728 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx, const size_t rxlen, byte_t* tx,
729 size_t* txlen) {
730 byte_t rx_air[HITAG_FRAME_LEN];
731 int response_bit[200];
732 int i, j, z, k;
733 unsigned char mask = 1;
734 unsigned char uid[32];
735 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
736 unsigned char crc;
737 u64 state;
738 byte_t auth_ks[4];
739 byte_t conf_pages[3];
740 memcpy(rx_air, rx, nbytes(rxlen));
741 *txlen = 0;
742
743 if (tag.pstate == READY && rxlen >= 67) {
744 //received uid
745 if(end==true) {
746 Dbprintf("authentication failed!");
747 return -1;
748 }
749 z = 0;
750 for (i = 0; i < 10; i++) {
751 for (j = 0; j < 8; j++) {
752 response_bit[z] = 0;
753 if ((rx[i] & ((mask << 7) >> j)) != 0)
754 response_bit[z] = 1;
755 z++;
756 }
757 }
758 k = 0;
759 for (i = 5; i < z; i += 2) {
760 uid[k] = response_bit[i];
761 k++;
762 if (k > 31)
763 break;
764 }
765 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
766 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
767 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
768 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
769 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
770 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
771 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
772 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
773 if (DEBUG)
774 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
775 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
776
777 //select uid
778 *txlen = 45;
779 crc = CRC_PRESET;
780 calc_crc(&crc, 0x00, 5);
781 calc_crc(&crc, uid1, 8);
782 calc_crc(&crc, uid2, 8);
783 calc_crc(&crc, uid3, 8);
784 calc_crc(&crc, uid4, 8);
785 for (i = 0; i < 100; i++) {
786 response_bit[i] = 0;
787 }
788 for (i = 0; i < 5; i++) {
789 response_bit[i] = 0;
790 }
791 for (i = 5; i < 37; i++) {
792 response_bit[i] = uid[i - 5];
793 }
794 for (j = 0; j < 8; j++) {
795 response_bit[i] = 0;
796 if ((crc & ((mask << 7) >> j)) != 0)
797 response_bit[i] = 1;
798 i++;
799 }
800 k = 0;
801 for (i = 0; i < 6; i++) {
802 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
803 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
804 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
805 | (response_bit[k + 6] << 1) | response_bit[k + 7];
806 k += 8;
807 }
808 tag.pstate = INIT;
809 } else if (tag.pstate == INIT && rxlen == 44) {
810 // received configuration after select command
811 z = 0;
812 for (i = 0; i < 6; i++) {
813 for (j = 0; j < 8; j++) {
814 response_bit[z] = 0;
815 if ((rx[i] & ((mask << 7) >> j)) != 0)
816 response_bit[z] = 1;
817 z++;
818 }
819 }
820 conf_pages[0] = ((response_bit[4] << 7) | (response_bit[5] << 6)
821 | (response_bit[6] << 5) | (response_bit[7] << 4)
822 | (response_bit[8] << 3) | (response_bit[9] << 2)
823 | (response_bit[10] << 1) | response_bit[11]);
824 //check wich memorysize this tag has
825 if (response_bit[10] == 0 && response_bit[11] == 0)
826 tag.max_page = 32 / 32;
827 if (response_bit[10] == 0 && response_bit[11] == 1)
828 tag.max_page = 256 / 32;
829 if (response_bit[10] == 1 && response_bit[11] == 0)
830 tag.max_page = 2048 / 32;
831 conf_pages[1] = ((response_bit[12] << 7) | (response_bit[13] << 6)
832 | (response_bit[14] << 5) | (response_bit[15] << 4)
833 | (response_bit[16] << 3) | (response_bit[17] << 2)
834 | (response_bit[18] << 1) | response_bit[19]);
835 tag.auth = response_bit[12];
836 tag.TTFC = response_bit[13];
837 //tag.TTFDR in response_bit[14] and response_bit[15]
838 //tag.TTFM in response_bit[16] and response_bit[17]
839 tag.LCON = response_bit[18];
840 tag.LKP = response_bit[19];
841 conf_pages[2] = ((response_bit[20] << 7) | (response_bit[21] << 6)
842 | (response_bit[22] << 5) | (response_bit[23] << 4)
843 | (response_bit[24] << 3) | (response_bit[25] << 2)
844 | (response_bit[26] << 1) | response_bit[27]);
845 tag.LCK7 = response_bit[20];
846 tag.LCK6 = response_bit[21];
847 tag.LCK5 = response_bit[22];
848 tag.LCK4 = response_bit[23];
849 tag.LCK3 = response_bit[24];
850 tag.LCK2 = response_bit[25];
851 tag.LCK1 = response_bit[26];
852 tag.LCK0 = response_bit[27];
853
854 if (DEBUG)
855 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0],
856 conf_pages[1], conf_pages[2]);
857 if (tag.auth == 1) {
858 //if the tag is in authentication mode try the key or challenge
859 *txlen = 64;
860 if(end!=true){
861 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
862 state = hitag2_init(rev64(key), rev32(tag.uid),
863 rev32(rnd));
864
865 for (i = 0; i < 4; i++) {
866 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
867 }
868 *txlen = 64;
869 tx[0] = rnd & 0xff;
870 tx[1] = (rnd >> 8) & 0xff;
871 tx[2] = (rnd >> 16) & 0xff;
872 tx[3] = (rnd >> 24) & 0xff;
873
874 tx[4] = auth_ks[0];
875 tx[5] = auth_ks[1];
876 tx[6] = auth_ks[2];
877 tx[7] = auth_ks[3];
878 if (DEBUG)
879 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
880 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
881 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
882 for (i = 0; i < 8; i++)
883 tx[i]=((NrAr>>(56-(i*8)))&0xff);
884 }
885 end=true;
886 tag.pstate = AUTHENTICATE;
887 } else {
888 Dbprintf("authentication failed!");
889 return -1;
890 }
891 } else if (tag.auth == 0) {
892 tag.pstate = SELECTED;
893 }
894
895 } else if (tag.pstate == AUTHENTICATE && rxlen == 44) {
896 //encrypted con2,password received.
897 crc = CRC_PRESET;
898 calc_crc(&crc, 0x80, 1);
899 calc_crc(&crc, ((rx[0] & 0x0f) * 16 + ((rx[1] & 0xf0) / 16)), 8);
900 calc_crc(&crc, ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)), 8);
901 calc_crc(&crc, ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)), 8);
902 calc_crc(&crc, ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)), 8);
903 if (DEBUG) {
904 Dbprintf("UID:::%X", tag.uid);
905 Dbprintf("RND:::%X", rnd);
906 }
907
908 //decrypt password
909 pwdh0=0;
910 pwdl0=0;
911 pwdl1=0;
912 if(htf==02 || htf==04){ //RHTS_KEY //WHTS_KEY
913 {
914 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
915 for (i = 0; i < 5; i++)
916 hitag2_byte(&state);
917 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16))
918 ^ hitag2_byte(&state);
919 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16))
920 ^ hitag2_byte(&state);
921 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16))
922 ^ hitag2_byte(&state);
923 }
924
925 if (DEBUG)
926 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
927
928
929 //Dbprintf("%X %02X", rnd, ((rx[4] & 0x0f) * 16) + ((rx[5] & 0xf0) / 16));
930 //rnd += 1;
931 }
932 tag.pstate = SELECTED; //tag is now ready for read/write commands
933 }
934 return 0;
935
936 }
937
938 /*
939 * Emulates a Hitag S Tag with the given data from the .hts file
940 */
941 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
942 int frame_count;
943 int response;
944 int overflow;
945 int i, j;
946 byte_t rx[HITAG_FRAME_LEN];
947 size_t rxlen = 0;
948 bQuiet = false;
949 byte_t txbuf[HITAG_FRAME_LEN];
950 byte_t* tx = txbuf;
951 size_t txlen = 0;
952 BigBuf_free();
953
954 // Clean up trace and prepare it for storing frames
955 set_tracing(true);
956 clear_trace();
957
958 DbpString("Starting HitagS simulation");
959 LED_D_ON();
960
961 tag.pstate = READY;
962 tag.tstate = NO_OP;
963 for (i = 0; i < 16; i++)
964 for (j = 0; j < 4; j++)
965 tag.pages[i][j] = 0x0;
966 //read tag data into memory
967 if (tag_mem_supplied) {
968 DbpString("Loading hitagS memory...");
969 memcpy((byte_t*)tag.pages,data,4*64);
970 }
971 tag.uid=(uint32_t)tag.pages[0];
972 Dbprintf("Hitag S simulation started");
973 tag.key=(intptr_t)tag.pages[3];
974 tag.key<<=16;
975 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
976 tag.pwdl0=tag.pages[2][3];
977 tag.pwdl1=tag.pages[2][2];
978 tag.pwdh0=tag.pages[1][0];
979 //con0
980 tag.max_page=64;
981 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==1)
982 tag.max_page=8;
983 if((tag.pages[1][3]&0x2)==0 && (tag.pages[1][3]&0x1)==0)
984 tag.max_page=0;
985 //con1
986 tag.auth=0;
987 if (tag.pages[1][2]&0x80)
988 tag.auth=1;
989 tag.LCON=0;
990 if (tag.pages[1][2]&0x2)
991 tag.LCON=1;
992 tag.LKP=0;
993 if (tag.pages[1][2]&0x1)
994 tag.LKP=1;
995 //con2
996 //0=read write 1=read only
997 tag.LCK7=0;
998 if (tag.pages[1][1]&0x80)
999 tag.LCK7=1;
1000 tag.LCK6=0;
1001 if (tag.pages[1][1]&0x40)
1002 tag.LCK6=1;
1003 tag.LCK5=0;
1004 if (tag.pages[1][1]&0x20)
1005 tag.LCK5=1;
1006 tag.LCK4=0;
1007 if (tag.pages[1][1]&0x10)
1008 tag.LCK4=1;
1009 tag.LCK3=0;
1010 if (tag.pages[1][1]&0x8)
1011 tag.LCK3=1;
1012 tag.LCK2=0;
1013 if (tag.pages[1][1]&0x4)
1014 tag.LCK2=1;
1015 tag.LCK1=0;
1016 if (tag.pages[1][1]&0x2)
1017 tag.LCK1=1;
1018 tag.LCK0=0;
1019 if (tag.pages[1][1]&0x1)
1020 tag.LCK0=1;
1021
1022 // Set up simulator mode, frequency divisor which will drive the FPGA
1023 // and analog mux selection.
1024 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1025 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
1026 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1027 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1028 RELAY_OFF();
1029
1030 // Configure output pin that is connected to the FPGA (for modulating)
1031 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1032 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1033
1034 // Disable modulation at default, which means release resistance
1035 LOW(GPIO_SSC_DOUT);
1036
1037 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1038 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1039
1040 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1041 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1042 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1043
1044 // Disable timer during configuration
1045 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1046
1047 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1048 // external trigger rising edge, load RA on rising edge of TIOA.
1049 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1050 | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1051
1052 // Reset the received frame, frame count and timing info
1053 memset(rx, 0x00, sizeof(rx));
1054 frame_count = 0;
1055 response = 0;
1056 overflow = 0;
1057
1058 // Enable and reset counter
1059 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1060
1061 while (!BUTTON_PRESS()) {
1062 // Watchdog hit
1063 WDT_HIT();
1064
1065 // Receive frame, watch for at most T0*EOF periods
1066 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1067 // Check if rising edge in modulation is detected
1068 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1069 // Retrieve the new timing values
1070 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1071 overflow = 0;
1072
1073 // Reset timer every frame, we have to capture the last edge for timing
1074 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1075
1076 LED_B_ON();
1077
1078 // Capture reader frame
1079 if (ra >= HITAG_T_STOP) {
1080 if (rxlen != 0) {
1081 //DbpString("wierd0?");
1082 }
1083 // Capture the T0 periods that have passed since last communication or field drop (reset)
1084 response = (ra - HITAG_T_LOW);
1085 } else if (ra >= HITAG_T_1_MIN) {
1086 // '1' bit
1087 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1088 rxlen++;
1089 } else if (ra >= HITAG_T_0_MIN) {
1090 // '0' bit
1091 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1092 rxlen++;
1093 } else {
1094 // Ignore wierd value, is to small to mean anything
1095 }
1096 }
1097 }
1098
1099 // Check if frame was captured
1100 if (rxlen > 0) {
1101 frame_count++;
1102 if (!bQuiet) {
1103 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1104 DbpString("Trace full");
1105 clear_trace();
1106 }
1107 }
1108
1109 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1110 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1111
1112 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1113 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1114
1115 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1116 // not that since the clock counts since the rising edge, but T_Wait1 is
1117 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1118 // periods. The gap time T_Low varies (4..10). All timer values are in
1119 // terms of T0 units
1120 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW))
1121 ;
1122
1123 // Send and store the tag answer (if there is any)
1124 if (txlen > 0) {
1125 // Transmit the tag frame
1126 hitag_send_frame(tx, txlen);
1127 // Store the frame in the trace
1128 if (!bQuiet) {
1129 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1130 DbpString("Trace full");
1131 clear_trace();
1132 }
1133 }
1134 }
1135
1136 // Reset the received frame and response timing info
1137 memset(rx, 0x00, sizeof(rx));
1138 response = 0;
1139
1140 // Enable and reset external trigger in timer for capturing future frames
1141 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1142 LED_B_OFF();
1143 }
1144 // Reset the frame length
1145 rxlen = 0;
1146 // Save the timer overflow, will be 0 when frame was received
1147 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1148 // Reset the timer to restart while-loop that receives frames
1149 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1150 }
1151 LED_B_OFF();
1152 LED_D_OFF();
1153 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1154 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1155 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1156 }
1157
1158 /*
1159 * Authenticates to the Tag with the given key or challenge.
1160 * If the key was given the password will be decrypted.
1161 * Reads every page of a hitag S transpoder.
1162 */
1163 void ReadHitagS(hitag_function htf, hitag_data* htd) {
1164 int i, j, z, k;
1165 int frame_count;
1166 int response_bit[200];
1167 int response;
1168 byte_t rx[HITAG_FRAME_LEN];
1169 size_t rxlen = 0;
1170 byte_t txbuf[HITAG_FRAME_LEN];
1171 byte_t* tx = txbuf;
1172 size_t txlen = 0;
1173 int lastbit;
1174 bool bSkip;
1175 int reset_sof;
1176 int tag_sof;
1177 int t_wait = HITAG_T_WAIT_MAX;
1178 bool bStop;
1179 bool bQuitTraceFull = false;
1180 int sendNum = 0;
1181 unsigned char mask = 1;
1182 unsigned char crc;
1183 unsigned char pageData[32];
1184 page_to_be_written = 0;
1185
1186 //read given key/challenge
1187 byte_t NrAr_[8];
1188 uint64_t key=0;
1189 uint64_t NrAr=0;
1190 byte_t key_[6];
1191 switch(htf) {
1192 case 01: { //RHTS_CHALLENGE
1193 DbpString("Authenticating using nr,ar pair:");
1194 memcpy(NrAr_,htd->auth.NrAr,8);
1195 Dbhexdump(8,NrAr_,false);
1196 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1197 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1198 } break;
1199 case 02: { //RHTS_KEY
1200 DbpString("Authenticating using key:");
1201 memcpy(key_,htd->crypto.key,6);
1202 Dbhexdump(6,key_,false);
1203 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1204 } break;
1205 default: {
1206 Dbprintf("Error , unknown function: %d",htf);
1207 return;
1208 } break;
1209 }
1210
1211
1212
1213 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1214 // Reset the return status
1215 bSuccessful = false;
1216
1217 // Clean up trace and prepare it for storing frames
1218 set_tracing(true);
1219 clear_trace();
1220
1221 bQuiet = false;
1222 bQuitTraceFull = true;
1223
1224 LED_D_ON();
1225
1226 // Configure output and enable pin that is connected to the FPGA (for modulating)
1227 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1228 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1229
1230 // Set fpga in edge detect with reader field, we can modulate as reader now
1231 FpgaWriteConfWord(
1232 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1233
1234 // Set Frequency divisor which will drive the FPGA and analog mux selection
1235 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1236 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1237 RELAY_OFF();
1238
1239 // Disable modulation at default, which means enable the field
1240 LOW(GPIO_SSC_DOUT);
1241
1242 // Give it a bit of time for the resonant antenna to settle.
1243 SpinDelay(30);
1244
1245 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1246 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1247
1248 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1249 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1250 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1251
1252 // Disable timer during configuration
1253 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1254
1255 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1256 // external trigger rising edge, load RA on falling edge of TIOA.
1257 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1258
1259 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1260
1261 // Enable and reset counters
1262 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1263 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1264
1265 // Reset the received frame, frame count and timing info
1266 frame_count = 0;
1267 response = 0;
1268 lastbit = 1;
1269 bStop = false;
1270
1271 reset_sof = 1;
1272 t_wait = 200;
1273
1274 while (!bStop && !BUTTON_PRESS()) {
1275 // Watchdog hit
1276 WDT_HIT();
1277
1278 // Check if frame was captured and store it
1279 if (rxlen > 0) {
1280 frame_count++;
1281 if (!bQuiet) {
1282 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1283 DbpString("Trace full");
1284 if (bQuitTraceFull) {
1285 break;
1286 } else {
1287 bQuiet = true;
1288 }
1289 }
1290 }
1291 }
1292
1293 // By default reset the transmission buffer
1294 tx = txbuf;
1295 txlen = 0;
1296
1297 if (rxlen == 0) {
1298 //start authentication
1299 txlen = 5;
1300 memcpy(tx, "\xc0", nbytes(txlen));
1301 tag.pstate = READY;
1302 tag.tstate = NO_OP;
1303 } else if (tag.pstate != SELECTED) {
1304 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1)
1305 bStop = !false;
1306 }
1307 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
1308 //send read request
1309 tag.tstate = READING_PAGE;
1310 txlen = 20;
1311 crc = CRC_PRESET;
1312 tx[0] = 0xc0 + (sendNum / 16);
1313 calc_crc(&crc, tx[0], 8);
1314 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1315 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1316 tx[2] = 0x00 + (crc % 16) * 16;
1317 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE
1318 && rxlen > 0) {
1319 //save received data
1320 z = 0;
1321 for (i = 0; i < 5; i++) {
1322 for (j = 0; j < 8; j++) {
1323 response_bit[z] = 0;
1324 if ((rx[i] & ((mask << 7) >> j)) != 0)
1325 response_bit[z] = 1;
1326 z++;
1327 }
1328 }
1329 k = 0;
1330 for (i = 4; i < 36; i++) {
1331 pageData[k] = response_bit[i];
1332 k++;
1333 }
1334 for (i = 0; i < 4; i++)
1335 tag.pages[sendNum / 4][sendNum % 4] = 0x0;
1336 for (i = 0; i < 4; i++) {
1337 tag.pages[sendNum / 4][sendNum % 4] += ((pageData[i * 8] << 7)
1338 | (pageData[1 + (i * 8)] << 6)
1339 | (pageData[2 + (i * 8)] << 5)
1340 | (pageData[3 + (i * 8)] << 4)
1341 | (pageData[4 + (i * 8)] << 3)
1342 | (pageData[5 + (i * 8)] << 2)
1343 | (pageData[6 + (i * 8)] << 1) | pageData[7 + (i * 8)])
1344 << (i * 8);
1345 }
1346 if (tag.auth && tag.LKP && sendNum == 1) {
1347 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum, pwdh0,
1348 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1349 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1350 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1351 } else {
1352 Dbprintf("Page[%2d]: %02X %02X %02X %02X", sendNum,
1353 (tag.pages[sendNum / 4][sendNum % 4] >> 24) & 0xff,
1354 (tag.pages[sendNum / 4][sendNum % 4] >> 16) & 0xff,
1355 (tag.pages[sendNum / 4][sendNum % 4] >> 8) & 0xff,
1356 tag.pages[sendNum / 4][sendNum % 4] & 0xff);
1357 }
1358
1359 sendNum++;
1360 //display key and password if possible
1361 if (sendNum == 2 && tag.auth == 1 && tag.LKP) {
1362 if (htf == 02) { //RHTS_KEY
1363 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
1364 (byte_t)(key >> 8) & 0xff,
1365 (byte_t) key & 0xff, pwdl1, pwdl0);
1366 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
1367 (byte_t)(key >> 40) & 0xff,
1368 (byte_t)(key >> 32) & 0xff,
1369 (byte_t)(key >> 24) & 0xff,
1370 (byte_t)(key >> 16) & 0xff);
1371 } else {
1372 //if the authentication is done with a challenge the key and password are unknown
1373 Dbprintf("Page[ 2]: __ __ __ __");
1374 Dbprintf("Page[ 3]: __ __ __ __");
1375 }
1376 }
1377
1378 txlen = 20;
1379 crc = CRC_PRESET;
1380 tx[0] = 0xc0 + (sendNum / 16);
1381 calc_crc(&crc, tx[0], 8);
1382 calc_crc(&crc, 0x00 + ((sendNum % 16) * 16), 4);
1383 tx[1] = 0x00 + ((sendNum % 16) * 16) + (crc / 16);
1384 tx[2] = 0x00 + (crc % 16) * 16;
1385 if (sendNum >= tag.max_page) {
1386 bStop = !false;
1387 }
1388 }
1389
1390 // Send and store the reader command
1391 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1392 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1393
1394 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1395 // Since the clock counts since the last falling edge, a 'one' means that the
1396 // falling edge occured halfway the period. with respect to this falling edge,
1397 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1398 // All timer values are in terms of T0 units
1399
1400 while (AT91C_BASE_TC0->TC_CV
1401 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1402 ;
1403
1404 // Transmit the reader frame
1405 hitag_reader_send_frame(tx, txlen);
1406
1407 // Enable and reset external trigger in timer for capturing future frames
1408 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1409
1410 // Add transmitted frame to total count
1411 if (txlen > 0) {
1412 frame_count++;
1413 if (!bQuiet) {
1414 // Store the frame in the trace
1415 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1416 if (bQuitTraceFull) {
1417 DbpString("Trace full");
1418 break;
1419 } else {
1420 bQuiet = true;
1421 }
1422 }
1423 }
1424 }
1425
1426 // Reset values for receiving frames
1427 memset(rx, 0x00, sizeof(rx));
1428 rxlen = 0;
1429 lastbit = 1;
1430 bSkip = true;
1431 tag_sof = reset_sof;
1432 response = 0;
1433
1434 // Receive frame, watch for at most T0*EOF periods
1435 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1436 // Check if falling edge in tag modulation is detected
1437 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1438 // Retrieve the new timing values
1439 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1440
1441 // Reset timer every frame, we have to capture the last edge for timing
1442 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1443
1444 LED_B_ON();
1445
1446 // Capture tag frame (manchester decoding using only falling edges)
1447 if (ra >= HITAG_T_EOF) {
1448 if (rxlen != 0) {
1449 //DbpString("wierd1?");
1450 }
1451 // Capture the T0 periods that have passed since last communication or field drop (reset)
1452 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1453 response = ra - HITAG_T_TAG_HALF_PERIOD;
1454 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1455 // Manchester coding example |-_|_-|-_| (101)
1456 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1457 rxlen++;
1458 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1459 rxlen++;
1460 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1461 // Manchester coding example |_-|...|_-|-_| (0...01)
1462 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1463 rxlen++;
1464 // We have to skip this half period at start and add the 'one' the second time
1465 if (!bSkip) {
1466 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1467 rxlen++;
1468 }
1469 lastbit = !lastbit;
1470 bSkip = !bSkip;
1471 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1472 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1473 if (tag_sof) {
1474 // Ignore bits that are transmitted during SOF
1475 tag_sof--;
1476 } else {
1477 // bit is same as last bit
1478 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1479 rxlen++;
1480 }
1481 } else {
1482 // Ignore wierd value, is to small to mean anything
1483 }
1484 }
1485
1486 // We can break this loop if we received the last bit from a frame
1487 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1488 if (rxlen > 0)
1489 break;
1490 }
1491 }
1492 }
1493 end=false;
1494 LED_B_OFF();
1495 LED_D_OFF();
1496 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1497 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1498 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1499 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1500 }
1501
1502 /*
1503 * Authenticates to the Tag with the given Key or Challenge.
1504 * Writes the given 32Bit data into page_
1505 */
1506 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1507 int frame_count;
1508 int response;
1509 byte_t rx[HITAG_FRAME_LEN];
1510 size_t rxlen = 0;
1511 byte_t txbuf[HITAG_FRAME_LEN];
1512 byte_t* tx = txbuf;
1513 size_t txlen = 0;
1514 int lastbit;
1515 bool bSkip;
1516 int reset_sof;
1517 int tag_sof;
1518 int t_wait = HITAG_T_WAIT_MAX;
1519 bool bStop;
1520 bool bQuitTraceFull = false;
1521 int page = page_;
1522 unsigned char crc;
1523 byte_t data[4]= {0,0,0,0};
1524
1525 //read given key/challenge, the page and the data
1526 byte_t NrAr_[8];
1527 uint64_t key=0;
1528 uint64_t NrAr=0;
1529 byte_t key_[6];
1530 switch(htf) {
1531 case 03: { //WHTS_CHALLENGE
1532 memcpy(data,htd->auth.data,4);
1533 DbpString("Authenticating using nr,ar pair:");
1534 memcpy(NrAr_,htd->auth.NrAr,8);
1535 Dbhexdump(8,NrAr_,false);
1536 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1537 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1538 } break;
1539 case 04: { //WHTS_KEY
1540 memcpy(data,htd->crypto.data,4);
1541 DbpString("Authenticating using key:");
1542 memcpy(key_,htd->crypto.key,6);
1543 Dbhexdump(6,key_,false);
1544 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1545 } break;
1546 default: {
1547 Dbprintf("Error , unknown function: %d",htf);
1548 return;
1549 } break;
1550 }
1551
1552 Dbprintf("Page: %d",page_);
1553 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1554 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1555 // Reset the return status
1556 bSuccessful = false;
1557
1558 tag.pstate = READY;
1559 tag.tstate = NO_OP;
1560
1561 // Clean up trace and prepare it for storing frames
1562 set_tracing(true);
1563 clear_trace();
1564
1565 bQuiet = false;
1566 bQuitTraceFull = true;
1567
1568 LED_D_ON();
1569
1570 // Configure output and enable pin that is connected to the FPGA (for modulating)
1571 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1572 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1573
1574 // Set fpga in edge detect with reader field, we can modulate as reader now
1575 FpgaWriteConfWord(
1576 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1577
1578 // Set Frequency divisor which will drive the FPGA and analog mux selection
1579 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1580 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1581 RELAY_OFF();
1582
1583 // Disable modulation at default, which means enable the field
1584 LOW(GPIO_SSC_DOUT);
1585
1586 // Give it a bit of time for the resonant antenna to settle.
1587 SpinDelay(30);
1588
1589 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1590 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1591
1592 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1593 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1594 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1595
1596 // Disable timer during configuration
1597 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1598
1599 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1600 // external trigger rising edge, load RA on falling edge of TIOA.
1601 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1602 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1603 | AT91C_TC_LDRA_FALLING;
1604
1605 // Enable and reset counters
1606 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1607 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1608
1609 // Reset the received frame, frame count and timing info
1610 frame_count = 0;
1611 response = 0;
1612 lastbit = 1;
1613 bStop = false;
1614
1615 reset_sof = 1;
1616 t_wait = 200;
1617
1618 while (!bStop && !BUTTON_PRESS()) {
1619 // Watchdog hit
1620 WDT_HIT();
1621
1622 // Check if frame was captured and store it
1623 if (rxlen > 0) {
1624 frame_count++;
1625 if (!bQuiet) {
1626 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1627 DbpString("Trace full");
1628 if (bQuitTraceFull) {
1629 break;
1630 } else {
1631 bQuiet = true;
1632 }
1633 }
1634 }
1635 }
1636
1637 //check for valid input
1638 if (page == 0) {
1639 Dbprintf(
1640 "usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
1641 bStop = !false;
1642 }
1643
1644 // By default reset the transmission buffer
1645 tx = txbuf;
1646 txlen = 0;
1647
1648 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
1649 //no write access on this page
1650 Dbprintf("no write access on page %d", page_);
1651 bStop = !false;
1652 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
1653 //start the authetication
1654 txlen = 5;
1655 memcpy(tx, "\xc0", nbytes(txlen));
1656 tag.pstate = READY;
1657 tag.tstate = NO_OP;
1658 } else if (tag.pstate != SELECTED) {
1659 //try to authenticate with the given key or challenge
1660 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1)
1661 bStop = !false;
1662 }
1663 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
1664 //check if the given page exists
1665 if (page > tag.max_page) {
1666 Dbprintf("page number too big");
1667 bStop = !false;
1668 }
1669 //ask Tag for write permission
1670 tag.tstate = WRITING_PAGE_ACK;
1671 txlen = 20;
1672 crc = CRC_PRESET;
1673 tx[0] = 0x90 + (page / 16);
1674 calc_crc(&crc, tx[0], 8);
1675 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
1676 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
1677 tx[2] = 0x00 + (crc % 16) * 16;
1678 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
1679 && rxlen == 6 && rx[0] == 0xf4) {
1680 //ACK recieved to write the page. send data
1681 tag.tstate = WRITING_PAGE_DATA;
1682 txlen = 40;
1683 crc = CRC_PRESET;
1684 calc_crc(&crc, data[3], 8);
1685 calc_crc(&crc, data[2], 8);
1686 calc_crc(&crc, data[1], 8);
1687 calc_crc(&crc, data[0], 8);
1688 tx[0] = data[3];
1689 tx[1] = data[2];
1690 tx[2] = data[1];
1691 tx[3] = data[0];
1692 tx[4] = crc;
1693 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
1694 && rxlen == 6 && rx[0] == 0xf4) {
1695 //received ACK
1696 Dbprintf("Successful!");
1697 bStop = !false;
1698 }
1699
1700 // Send and store the reader command
1701 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1702 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1703
1704 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1705 // Since the clock counts since the last falling edge, a 'one' means that the
1706 // falling edge occured halfway the period. with respect to this falling edge,
1707 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1708 // All timer values are in terms of T0 units
1709
1710 while (AT91C_BASE_TC0->TC_CV
1711 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
1712 ;
1713
1714 // Transmit the reader frame
1715 hitag_reader_send_frame(tx, txlen);
1716
1717 // Enable and reset external trigger in timer for capturing future frames
1718 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1719
1720 // Add transmitted frame to total count
1721 if (txlen > 0) {
1722 frame_count++;
1723 if (!bQuiet) {
1724 // Store the frame in the trace
1725 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1726 if (bQuitTraceFull) {
1727 DbpString("Trace full");
1728 break;
1729 } else {
1730 bQuiet = true;
1731 }
1732 }
1733 }
1734 }
1735
1736 // Reset values for receiving frames
1737 memset(rx, 0x00, sizeof(rx));
1738 rxlen = 0;
1739 lastbit = 1;
1740 bSkip = true;
1741 tag_sof = reset_sof;
1742 response = 0;
1743
1744 // Receive frame, watch for at most T0*EOF periods
1745 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
1746 // Check if falling edge in tag modulation is detected
1747 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1748 // Retrieve the new timing values
1749 int ra = (AT91C_BASE_TC1->TC_RA / T0);
1750
1751 // Reset timer every frame, we have to capture the last edge for timing
1752 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
1753
1754 LED_B_ON();
1755
1756 // Capture tag frame (manchester decoding using only falling edges)
1757 if (ra >= HITAG_T_EOF) {
1758 if (rxlen != 0) {
1759 //DbpString("wierd1?");
1760 }
1761 // Capture the T0 periods that have passed since last communication or field drop (reset)
1762 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
1763 response = ra - HITAG_T_TAG_HALF_PERIOD;
1764 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
1765 // Manchester coding example |-_|_-|-_| (101)
1766 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1767 rxlen++;
1768 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1769 rxlen++;
1770 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
1771 // Manchester coding example |_-|...|_-|-_| (0...01)
1772 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1773 rxlen++;
1774 // We have to skip this half period at start and add the 'one' the second time
1775 if (!bSkip) {
1776 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1777 rxlen++;
1778 }
1779 lastbit = !lastbit;
1780 bSkip = !bSkip;
1781 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
1782 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
1783 if (tag_sof) {
1784 // Ignore bits that are transmitted during SOF
1785 tag_sof--;
1786 } else {
1787 // bit is same as last bit
1788 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
1789 rxlen++;
1790 }
1791 } else {
1792 // Ignore wierd value, is to small to mean anything
1793 }
1794 }
1795
1796 // We can break this loop if we received the last bit from a frame
1797 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
1798 if (rxlen > 0)
1799 break;
1800 }
1801 }
1802 }
1803 end=false;
1804 LED_B_OFF();
1805 LED_D_OFF();
1806 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1807 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1808 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1809 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1810 }
1811
1812 /*
1813 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
1814 * Displays all Challenges that failed.
1815 * When collecting Challenges to break the key it is possible that some data
1816 * is not received correctly due to Antenna problems. This function
1817 * detects these challenges.
1818 */
1819 void check_challenges(bool file_given, byte_t* data) {
1820 int i, j, z, k;
1821 byte_t uid_byte[4];
1822 int frame_count;
1823 int response;
1824 byte_t rx[HITAG_FRAME_LEN];
1825 byte_t unlocker[60][8];
1826 int u1 = 0;
1827 size_t rxlen = 0;
1828 byte_t txbuf[HITAG_FRAME_LEN];
1829 byte_t* tx = txbuf;
1830 size_t txlen = 0;
1831 int lastbit;
1832 bool bSkip;
1833 int reset_sof;
1834 int tag_sof;
1835 int t_wait = HITAG_T_WAIT_MAX;
1836 int STATE = 0;
1837 bool bStop;
1838 bool bQuitTraceFull = false;
1839 int response_bit[200];
1840 unsigned char mask = 1;
1841 unsigned char uid[32];
1842 unsigned char crc;
1843
1844 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1845 // Reset the return status
1846 bSuccessful = false;
1847
1848 // Clean up trace and prepare it for storing frames
1849 set_tracing(true);
1850 clear_trace();
1851
1852 bQuiet = false;
1853 bQuitTraceFull = true;
1854
1855 LED_D_ON();
1856
1857 // Configure output and enable pin that is connected to the FPGA (for modulating)
1858 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1859 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1860
1861 // Set fpga in edge detect with reader field, we can modulate as reader now
1862 FpgaWriteConfWord(
1863 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1864
1865 // Set Frequency divisor which will drive the FPGA and analog mux selection
1866 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1867 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1868 RELAY_OFF();
1869
1870 // Disable modulation at default, which means enable the field
1871 LOW(GPIO_SSC_DOUT);
1872
1873 // Give it a bit of time for the resonant antenna to settle.
1874 SpinDelay(30);
1875
1876 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1877 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1878
1879 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1880 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1881 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1882
1883 // Disable timer during configuration
1884 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1885
1886 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1887 // external trigger rising edge, load RA on falling edge of TIOA.
1888 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1889
1890 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1891
1892 // Enable and reset counters
1893 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1894 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1895
1896 // Reset the received frame, frame count and timing info
1897 frame_count = 0;
1898 response = 0;
1899 lastbit = 1;
1900 bStop = false;
1901
1902 reset_sof = 1;
1903 t_wait = 200;
1904
1905 if (file_given) {
1906 DbpString("Loading challenges...");
1907 memcpy((byte_t*)unlocker,data,60*8);
1908 }
1909
1910 while (file_given && !bStop && !BUTTON_PRESS()) {
1911 // Watchdog hit
1912 WDT_HIT();
1913
1914 // Check if frame was captured and store it
1915 if (rxlen > 0) {
1916 frame_count++;
1917 if (!bQuiet) {
1918 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1919 DbpString("Trace full");
1920 if (bQuitTraceFull) {
1921 break;
1922 } else {
1923 bQuiet = true;
1924 }
1925 }
1926 }
1927 }
1928
1929 tx = txbuf;
1930 txlen = 0;
1931 if (rxlen == 0) {
1932 if (STATE == 2)
1933 // challenge failed
1934 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
1935 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
1936 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
1937 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
1938 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
1939 STATE = 0;
1940 txlen = 5;
1941 //start new authentication
1942 memcpy(tx, "\xc0", nbytes(txlen));
1943 } else if (rxlen >= 67 && STATE == 0) {
1944 //received uid
1945 z = 0;
1946 for (i = 0; i < 10; i++) {
1947 for (j = 0; j < 8; j++) {
1948 response_bit[z] = 0;
1949 if ((rx[i] & ((mask << 7) >> j)) != 0)
1950 response_bit[z] = 1;
1951 z++;
1952 }
1953 }
1954 k = 0;
1955 for (i = 5; i < z; i += 2) {
1956 uid[k] = response_bit[i];
1957 k++;
1958 if (k > 31)
1959 break;
1960 }
1961 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
1962 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
1963 | (uid[6] << 1) | uid[7];
1964 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
1965 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
1966 | (uid[14] << 1) | uid[15];
1967 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
1968 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
1969 | (uid[22] << 1) | uid[23];
1970 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
1971 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
1972 | (uid[30] << 1) | uid[31];
1973 //Dbhexdump(10, rx, rxlen);
1974 STATE = 1;
1975 txlen = 45;
1976 crc = CRC_PRESET;
1977 calc_crc(&crc, 0x00, 5);
1978 calc_crc(&crc, uid_byte[0], 8);
1979 calc_crc(&crc, uid_byte[1], 8);
1980 calc_crc(&crc, uid_byte[2], 8);
1981 calc_crc(&crc, uid_byte[3], 8);
1982 for (i = 0; i < 100; i++) {
1983 response_bit[i] = 0;
1984 }
1985 for (i = 0; i < 5; i++) {
1986 response_bit[i] = 0;
1987 }
1988 for (i = 5; i < 37; i++) {
1989 response_bit[i] = uid[i - 5];
1990 }
1991 for (j = 0; j < 8; j++) {
1992 response_bit[i] = 0;
1993 if ((crc & ((mask << 7) >> j)) != 0)
1994 response_bit[i] = 1;
1995 i++;
1996 }
1997 k = 0;
1998 for (i = 0; i < 6; i++) {
1999 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2000 | (response_bit[k + 2] << 5)
2001 | (response_bit[k + 3] << 4)
2002 | (response_bit[k + 4] << 3)
2003 | (response_bit[k + 5] << 2)
2004 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2005 k += 8;
2006 }
2007
2008 } else if (STATE == 1 && rxlen == 44) {
2009 //received configuration
2010 STATE = 2;
2011 z = 0;
2012 for (i = 0; i < 6; i++) {
2013 for (j = 0; j < 8; j++) {
2014 response_bit[z] = 0;
2015 if ((rx[i] & ((mask << 7) >> j)) != 0)
2016 response_bit[z] = 1;
2017 z++;
2018 }
2019 }
2020 txlen = 64;
2021
2022 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2023 bStop = !false;
2024 for (i = 0; i < 8; i++)
2025 tx[i] = unlocker[u1][i];
2026 u1++;
2027
2028 } else if (STATE == 2 && rxlen >= 44) {
2029 STATE = 0;
2030 }
2031
2032 // Send and store the reader command
2033 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2034 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2035
2036 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2037 // Since the clock counts since the last falling edge, a 'one' means that the
2038 // falling edge occured halfway the period. with respect to this falling edge,
2039 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2040 // All timer values are in terms of T0 units
2041
2042 while (AT91C_BASE_TC0->TC_CV
2043 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2044 ;
2045
2046 // Transmit the reader frame
2047 hitag_reader_send_frame(tx, txlen);
2048
2049 // Enable and reset external trigger in timer for capturing future frames
2050 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2051
2052 // Add transmitted frame to total count
2053 if (txlen > 0) {
2054 frame_count++;
2055 if (!bQuiet) {
2056 // Store the frame in the trace
2057 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2058 if (bQuitTraceFull) {
2059 DbpString("Trace full");
2060 break;
2061 } else {
2062 bQuiet = true;
2063 }
2064 }
2065 }
2066 }
2067
2068 // Reset values for receiving frames
2069 memset(rx, 0x00, sizeof(rx));
2070 rxlen = 0;
2071 lastbit = 1;
2072 bSkip = true;
2073 tag_sof = reset_sof;
2074 response = 0;
2075
2076 // Receive frame, watch for at most T0*EOF periods
2077 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX) {
2078 // Check if falling edge in tag modulation is detected
2079 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
2080 // Retrieve the new timing values
2081 int ra = (AT91C_BASE_TC1->TC_RA / T0);
2082
2083 // Reset timer every frame, we have to capture the last edge for timing
2084 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
2085
2086 LED_B_ON();
2087
2088 // Capture tag frame (manchester decoding using only falling edges)
2089 if (ra >= HITAG_T_EOF) {
2090 if (rxlen != 0) {
2091 //DbpString("wierd1?");
2092 }
2093 // Capture the T0 periods that have passed since last communication or field drop (reset)
2094 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
2095 response = ra - HITAG_T_TAG_HALF_PERIOD;
2096 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
2097 // Manchester coding example |-_|_-|-_| (101)
2098 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2099 rxlen++;
2100 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2101 rxlen++;
2102 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF) {
2103 // Manchester coding example |_-|...|_-|-_| (0...01)
2104 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
2105 rxlen++;
2106 // We have to skip this half period at start and add the 'one' the second time
2107 if (!bSkip) {
2108 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
2109 rxlen++;
2110 }
2111 lastbit = !lastbit;
2112 bSkip = !bSkip;
2113 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
2114 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
2115 if (tag_sof) {
2116 // Ignore bits that are transmitted during SOF
2117 tag_sof--;
2118 } else {
2119 // bit is same as last bit
2120 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
2121 rxlen++;
2122 }
2123 } else {
2124 // Ignore wierd value, is to small to mean anything
2125 }
2126 }
2127
2128 // We can break this loop if we received the last bit from a frame
2129 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
2130 if (rxlen > 0)
2131 break;
2132 }
2133 }
2134 }
2135 LED_B_OFF();
2136 LED_D_OFF();
2137 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2138 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2139 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2140 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2141 }
2142
2143
2144
Impressum, Datenschutz