]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Clean up data types, some header cleanup, etc.
[proxmark3-svn] / armsrc / iso14443.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443. This includes both the reader software and
3 // the `fake tag' modes. At the moment only the Type B modulation is
4 // supported.
5 // Jonathan Westhues, split Nov 2006
6 //-----------------------------------------------------------------------------
7 #include "proxmark3.h"
8 #include "apps.h"
9 #include "util.h"
10
11 #include "iso14443crc.h"
12
13 //static void GetSamplesFor14443(int weTx, int n);
14
15 #define DEMOD_TRACE_SIZE 4096
16 #define READER_TAG_BUFFER_SIZE 2048
17 #define TAG_READER_BUFFER_SIZE 2048
18 #define DMA_BUFFER_SIZE 1024
19
20 //=============================================================================
21 // An ISO 14443 Type B tag. We listen for commands from the reader, using
22 // a UART kind of thing that's implemented in software. When we get a
23 // frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
24 // If it's good, then we can do something appropriate with it, and send
25 // a response.
26 //=============================================================================
27
28 //-----------------------------------------------------------------------------
29 // Code up a string of octets at layer 2 (including CRC, we don't generate
30 // that here) so that they can be transmitted to the reader. Doesn't transmit
31 // them yet, just leaves them ready to send in ToSend[].
32 //-----------------------------------------------------------------------------
33 static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
34 {
35 int i;
36
37 ToSendReset();
38
39 // Transmit a burst of ones, as the initial thing that lets the
40 // reader get phase sync. This (TR1) must be > 80/fs, per spec,
41 // but tag that I've tried (a Paypass) exceeds that by a fair bit,
42 // so I will too.
43 for(i = 0; i < 20; i++) {
44 ToSendStuffBit(1);
45 ToSendStuffBit(1);
46 ToSendStuffBit(1);
47 ToSendStuffBit(1);
48 }
49
50 // Send SOF.
51 for(i = 0; i < 10; i++) {
52 ToSendStuffBit(0);
53 ToSendStuffBit(0);
54 ToSendStuffBit(0);
55 ToSendStuffBit(0);
56 }
57 for(i = 0; i < 2; i++) {
58 ToSendStuffBit(1);
59 ToSendStuffBit(1);
60 ToSendStuffBit(1);
61 ToSendStuffBit(1);
62 }
63
64 for(i = 0; i < len; i++) {
65 int j;
66 uint8_t b = cmd[i];
67
68 // Start bit
69 ToSendStuffBit(0);
70 ToSendStuffBit(0);
71 ToSendStuffBit(0);
72 ToSendStuffBit(0);
73
74 // Data bits
75 for(j = 0; j < 8; j++) {
76 if(b & 1) {
77 ToSendStuffBit(1);
78 ToSendStuffBit(1);
79 ToSendStuffBit(1);
80 ToSendStuffBit(1);
81 } else {
82 ToSendStuffBit(0);
83 ToSendStuffBit(0);
84 ToSendStuffBit(0);
85 ToSendStuffBit(0);
86 }
87 b >>= 1;
88 }
89
90 // Stop bit
91 ToSendStuffBit(1);
92 ToSendStuffBit(1);
93 ToSendStuffBit(1);
94 ToSendStuffBit(1);
95 }
96
97 // Send SOF.
98 for(i = 0; i < 10; i++) {
99 ToSendStuffBit(0);
100 ToSendStuffBit(0);
101 ToSendStuffBit(0);
102 ToSendStuffBit(0);
103 }
104 for(i = 0; i < 10; i++) {
105 ToSendStuffBit(1);
106 ToSendStuffBit(1);
107 ToSendStuffBit(1);
108 ToSendStuffBit(1);
109 }
110
111 // Convert from last byte pos to length
112 ToSendMax++;
113
114 // Add a few more for slop
115 ToSendMax += 2;
116 }
117
118 //-----------------------------------------------------------------------------
119 // The software UART that receives commands from the reader, and its state
120 // variables.
121 //-----------------------------------------------------------------------------
122 static struct {
123 enum {
124 STATE_UNSYNCD,
125 STATE_GOT_FALLING_EDGE_OF_SOF,
126 STATE_AWAITING_START_BIT,
127 STATE_RECEIVING_DATA,
128 STATE_ERROR_WAIT
129 } state;
130 uint16_t shiftReg;
131 int bitCnt;
132 int byteCnt;
133 int byteCntMax;
134 int posCnt;
135 uint8_t *output;
136 } Uart;
137
138 /* Receive & handle a bit coming from the reader.
139 *
140 * LED handling:
141 * LED A -> ON once we have received the SOF and are expecting the rest.
142 * LED A -> OFF once we have received EOF or are in error state or unsynced
143 *
144 * Returns: true if we received a EOF
145 * false if we are still waiting for some more
146 */
147 static int Handle14443UartBit(int bit)
148 {
149 switch(Uart.state) {
150 case STATE_UNSYNCD:
151 LED_A_OFF();
152 if(!bit) {
153 // we went low, so this could be the beginning
154 // of an SOF
155 Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
156 Uart.posCnt = 0;
157 Uart.bitCnt = 0;
158 }
159 break;
160
161 case STATE_GOT_FALLING_EDGE_OF_SOF:
162 Uart.posCnt++;
163 if(Uart.posCnt == 2) {
164 if(bit) {
165 if(Uart.bitCnt >= 10) {
166 // we've seen enough consecutive
167 // zeros that it's a valid SOF
168 Uart.posCnt = 0;
169 Uart.byteCnt = 0;
170 Uart.state = STATE_AWAITING_START_BIT;
171 LED_A_ON(); // Indicate we got a valid SOF
172 } else {
173 // didn't stay down long enough
174 // before going high, error
175 Uart.state = STATE_ERROR_WAIT;
176 }
177 } else {
178 // do nothing, keep waiting
179 }
180 Uart.bitCnt++;
181 }
182 if(Uart.posCnt >= 4) Uart.posCnt = 0;
183 if(Uart.bitCnt > 14) {
184 // Give up if we see too many zeros without
185 // a one, too.
186 Uart.state = STATE_ERROR_WAIT;
187 }
188 break;
189
190 case STATE_AWAITING_START_BIT:
191 Uart.posCnt++;
192 if(bit) {
193 if(Uart.posCnt > 25) {
194 // stayed high for too long between
195 // characters, error
196 Uart.state = STATE_ERROR_WAIT;
197 }
198 } else {
199 // falling edge, this starts the data byte
200 Uart.posCnt = 0;
201 Uart.bitCnt = 0;
202 Uart.shiftReg = 0;
203 Uart.state = STATE_RECEIVING_DATA;
204 LED_A_ON(); // Indicate we're receiving
205 }
206 break;
207
208 case STATE_RECEIVING_DATA:
209 Uart.posCnt++;
210 if(Uart.posCnt == 2) {
211 // time to sample a bit
212 Uart.shiftReg >>= 1;
213 if(bit) {
214 Uart.shiftReg |= 0x200;
215 }
216 Uart.bitCnt++;
217 }
218 if(Uart.posCnt >= 4) {
219 Uart.posCnt = 0;
220 }
221 if(Uart.bitCnt == 10) {
222 if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
223 {
224 // this is a data byte, with correct
225 // start and stop bits
226 Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
227 Uart.byteCnt++;
228
229 if(Uart.byteCnt >= Uart.byteCntMax) {
230 // Buffer overflowed, give up
231 Uart.posCnt = 0;
232 Uart.state = STATE_ERROR_WAIT;
233 } else {
234 // so get the next byte now
235 Uart.posCnt = 0;
236 Uart.state = STATE_AWAITING_START_BIT;
237 }
238 } else if(Uart.shiftReg == 0x000) {
239 // this is an EOF byte
240 LED_A_OFF(); // Finished receiving
241 return TRUE;
242 } else {
243 // this is an error
244 Uart.posCnt = 0;
245 Uart.state = STATE_ERROR_WAIT;
246 }
247 }
248 break;
249
250 case STATE_ERROR_WAIT:
251 // We're all screwed up, so wait a little while
252 // for whatever went wrong to finish, and then
253 // start over.
254 Uart.posCnt++;
255 if(Uart.posCnt > 10) {
256 Uart.state = STATE_UNSYNCD;
257 }
258 break;
259
260 default:
261 Uart.state = STATE_UNSYNCD;
262 break;
263 }
264
265 if (Uart.state == STATE_ERROR_WAIT) LED_A_OFF(); // Error
266
267 return FALSE;
268 }
269
270 //-----------------------------------------------------------------------------
271 // Receive a command (from the reader to us, where we are the simulated tag),
272 // and store it in the given buffer, up to the given maximum length. Keeps
273 // spinning, waiting for a well-framed command, until either we get one
274 // (returns TRUE) or someone presses the pushbutton on the board (FALSE).
275 //
276 // Assume that we're called with the SSC (to the FPGA) and ADC path set
277 // correctly.
278 //-----------------------------------------------------------------------------
279 static int GetIso14443CommandFromReader(uint8_t *received, int *len, int maxLen)
280 {
281 uint8_t mask;
282 int i, bit;
283
284 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
285 // only, since we are receiving, not transmitting).
286 // Signal field is off with the appropriate LED
287 LED_D_OFF();
288 FpgaWriteConfWord(
289 FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
290
291
292 // Now run a `software UART' on the stream of incoming samples.
293 Uart.output = received;
294 Uart.byteCntMax = maxLen;
295 Uart.state = STATE_UNSYNCD;
296
297 for(;;) {
298 WDT_HIT();
299
300 if(BUTTON_PRESS()) return FALSE;
301
302 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
303 AT91C_BASE_SSC->SSC_THR = 0x00;
304 }
305 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
306 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
307
308 mask = 0x80;
309 for(i = 0; i < 8; i++, mask >>= 1) {
310 bit = (b & mask);
311 if(Handle14443UartBit(bit)) {
312 *len = Uart.byteCnt;
313 return TRUE;
314 }
315 }
316 }
317 }
318 }
319
320 //-----------------------------------------------------------------------------
321 // Main loop of simulated tag: receive commands from reader, decide what
322 // response to send, and send it.
323 //-----------------------------------------------------------------------------
324 void SimulateIso14443Tag(void)
325 {
326 static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
327 static const uint8_t response1[] = {
328 0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
329 0x00, 0x21, 0x85, 0x5e, 0xd7
330 };
331
332 uint8_t *resp;
333 int respLen;
334
335 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
336 int resp1Len;
337
338 uint8_t *receivedCmd = (uint8_t *)BigBuf;
339 int len;
340
341 int i;
342
343 int cmdsRecvd = 0;
344
345 memset(receivedCmd, 0x44, 400);
346
347 CodeIso14443bAsTag(response1, sizeof(response1));
348 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
349
350 // We need to listen to the high-frequency, peak-detected path.
351 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
352 FpgaSetupSsc();
353
354 cmdsRecvd = 0;
355
356 for(;;) {
357 uint8_t b1, b2;
358
359 if(!GetIso14443CommandFromReader(receivedCmd, &len, 100)) {
360 Dbprintf("button pressed, received %d commands", cmdsRecvd);
361 break;
362 }
363
364 // Good, look at the command now.
365
366 if(len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len)==0) {
367 resp = resp1; respLen = resp1Len;
368 } else {
369 Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
370 // And print whether the CRC fails, just for good measure
371 ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
372 if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
373 // Not so good, try again.
374 DbpString("+++CRC fail");
375 } else {
376 DbpString("CRC passes");
377 }
378 break;
379 }
380
381 memset(receivedCmd, 0x44, 32);
382
383 cmdsRecvd++;
384
385 if(cmdsRecvd > 0x30) {
386 DbpString("many commands later...");
387 break;
388 }
389
390 if(respLen <= 0) continue;
391
392 // Modulate BPSK
393 // Signal field is off with the appropriate LED
394 LED_D_OFF();
395 FpgaWriteConfWord(
396 FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
397 AT91C_BASE_SSC->SSC_THR = 0xff;
398 FpgaSetupSsc();
399
400 // Transmit the response.
401 i = 0;
402 for(;;) {
403 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
404 uint8_t b = resp[i];
405
406 AT91C_BASE_SSC->SSC_THR = b;
407
408 i++;
409 if(i > respLen) {
410 break;
411 }
412 }
413 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
414 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
415 (void)b;
416 }
417 }
418 }
419 }
420
421 //=============================================================================
422 // An ISO 14443 Type B reader. We take layer two commands, code them
423 // appropriately, and then send them to the tag. We then listen for the
424 // tag's response, which we leave in the buffer to be demodulated on the
425 // PC side.
426 //=============================================================================
427
428 static struct {
429 enum {
430 DEMOD_UNSYNCD,
431 DEMOD_PHASE_REF_TRAINING,
432 DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
433 DEMOD_GOT_FALLING_EDGE_OF_SOF,
434 DEMOD_AWAITING_START_BIT,
435 DEMOD_RECEIVING_DATA,
436 DEMOD_ERROR_WAIT
437 } state;
438 int bitCount;
439 int posCount;
440 int thisBit;
441 int metric;
442 int metricN;
443 uint16_t shiftReg;
444 uint8_t *output;
445 int len;
446 int sumI;
447 int sumQ;
448 } Demod;
449
450 /*
451 * Handles reception of a bit from the tag
452 *
453 * LED handling:
454 * LED C -> ON once we have received the SOF and are expecting the rest.
455 * LED C -> OFF once we have received EOF or are unsynced
456 *
457 * Returns: true if we received a EOF
458 * false if we are still waiting for some more
459 *
460 */
461 static int Handle14443SamplesDemod(int ci, int cq)
462 {
463 int v;
464
465 // The soft decision on the bit uses an estimate of just the
466 // quadrant of the reference angle, not the exact angle.
467 #define MAKE_SOFT_DECISION() { \
468 if(Demod.sumI > 0) { \
469 v = ci; \
470 } else { \
471 v = -ci; \
472 } \
473 if(Demod.sumQ > 0) { \
474 v += cq; \
475 } else { \
476 v -= cq; \
477 } \
478 }
479
480 switch(Demod.state) {
481 case DEMOD_UNSYNCD:
482 v = ci;
483 if(v < 0) v = -v;
484 if(cq > 0) {
485 v += cq;
486 } else {
487 v -= cq;
488 }
489 if(v > 40) {
490 Demod.posCount = 0;
491 Demod.state = DEMOD_PHASE_REF_TRAINING;
492 Demod.sumI = 0;
493 Demod.sumQ = 0;
494 }
495 break;
496
497 case DEMOD_PHASE_REF_TRAINING:
498 if(Demod.posCount < 8) {
499 Demod.sumI += ci;
500 Demod.sumQ += cq;
501 } else if(Demod.posCount > 100) {
502 // error, waited too long
503 Demod.state = DEMOD_UNSYNCD;
504 } else {
505 MAKE_SOFT_DECISION();
506 if(v < 0) {
507 Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
508 Demod.posCount = 0;
509 }
510 }
511 Demod.posCount++;
512 break;
513
514 case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
515 MAKE_SOFT_DECISION();
516 if(v < 0) {
517 Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
518 Demod.posCount = 0;
519 } else {
520 if(Demod.posCount > 100) {
521 Demod.state = DEMOD_UNSYNCD;
522 }
523 }
524 Demod.posCount++;
525 break;
526
527 case DEMOD_GOT_FALLING_EDGE_OF_SOF:
528 MAKE_SOFT_DECISION();
529 if(v > 0) {
530 if(Demod.posCount < 12) {
531 Demod.state = DEMOD_UNSYNCD;
532 } else {
533 LED_C_ON(); // Got SOF
534 Demod.state = DEMOD_AWAITING_START_BIT;
535 Demod.posCount = 0;
536 Demod.len = 0;
537 Demod.metricN = 0;
538 Demod.metric = 0;
539 }
540 } else {
541 if(Demod.posCount > 100) {
542 Demod.state = DEMOD_UNSYNCD;
543 }
544 }
545 Demod.posCount++;
546 break;
547
548 case DEMOD_AWAITING_START_BIT:
549 MAKE_SOFT_DECISION();
550 if(v > 0) {
551 if(Demod.posCount > 10) {
552 Demod.state = DEMOD_UNSYNCD;
553 }
554 } else {
555 Demod.bitCount = 0;
556 Demod.posCount = 1;
557 Demod.thisBit = v;
558 Demod.shiftReg = 0;
559 Demod.state = DEMOD_RECEIVING_DATA;
560 }
561 break;
562
563 case DEMOD_RECEIVING_DATA:
564 MAKE_SOFT_DECISION();
565 if(Demod.posCount == 0) {
566 Demod.thisBit = v;
567 Demod.posCount = 1;
568 } else {
569 Demod.thisBit += v;
570
571 if(Demod.thisBit > 0) {
572 Demod.metric += Demod.thisBit;
573 } else {
574 Demod.metric -= Demod.thisBit;
575 }
576 (Demod.metricN)++;
577
578 Demod.shiftReg >>= 1;
579 if(Demod.thisBit > 0) {
580 Demod.shiftReg |= 0x200;
581 }
582
583 Demod.bitCount++;
584 if(Demod.bitCount == 10) {
585 uint16_t s = Demod.shiftReg;
586 if((s & 0x200) && !(s & 0x001)) {
587 uint8_t b = (s >> 1);
588 Demod.output[Demod.len] = b;
589 Demod.len++;
590 Demod.state = DEMOD_AWAITING_START_BIT;
591 } else if(s == 0x000) {
592 // This is EOF
593 LED_C_OFF();
594 return TRUE;
595 Demod.state = DEMOD_UNSYNCD;
596 } else {
597 Demod.state = DEMOD_UNSYNCD;
598 }
599 }
600 Demod.posCount = 0;
601 }
602 break;
603
604 default:
605 Demod.state = DEMOD_UNSYNCD;
606 break;
607 }
608
609 if (Demod.state == DEMOD_UNSYNCD) LED_C_OFF(); // Not synchronized...
610 return FALSE;
611 }
612
613 /*
614 * Demodulate the samples we received from the tag
615 * weTx: set to 'TRUE' if we behave like a reader
616 * set to 'FALSE' if we behave like a snooper
617 * quiet: set to 'TRUE' to disable debug output
618 */
619 static void GetSamplesFor14443Demod(int weTx, int n, int quiet)
620 {
621 int max = 0;
622 int gotFrame = FALSE;
623
624 //# define DMA_BUFFER_SIZE 8
625 int8_t *dmaBuf;
626
627 int lastRxCounter;
628 int8_t *upTo;
629
630 int ci, cq;
631
632 int samples = 0;
633
634 // Clear out the state of the "UART" that receives from the tag.
635 memset(BigBuf, 0x44, 400);
636 Demod.output = (uint8_t *)BigBuf;
637 Demod.len = 0;
638 Demod.state = DEMOD_UNSYNCD;
639
640 // And the UART that receives from the reader
641 Uart.output = (((uint8_t *)BigBuf) + 1024);
642 Uart.byteCntMax = 100;
643 Uart.state = STATE_UNSYNCD;
644
645 // Setup for the DMA.
646 dmaBuf = (int8_t *)(BigBuf + 32);
647 upTo = dmaBuf;
648 lastRxCounter = DMA_BUFFER_SIZE;
649 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
650
651 // Signal field is ON with the appropriate LED:
652 if (weTx) LED_D_ON(); else LED_D_OFF();
653 // And put the FPGA in the appropriate mode
654 FpgaWriteConfWord(
655 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
656 (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
657
658 for(;;) {
659 int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
660 if(behindBy > max) max = behindBy;
661
662 while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (DMA_BUFFER_SIZE-1))
663 > 2)
664 {
665 ci = upTo[0];
666 cq = upTo[1];
667 upTo += 2;
668 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
669 upTo -= DMA_BUFFER_SIZE;
670 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
671 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
672 }
673 lastRxCounter -= 2;
674 if(lastRxCounter <= 0) {
675 lastRxCounter += DMA_BUFFER_SIZE;
676 }
677
678 samples += 2;
679
680 Handle14443UartBit(1);
681 Handle14443UartBit(1);
682
683 if(Handle14443SamplesDemod(ci, cq)) {
684 gotFrame = 1;
685 }
686 }
687
688 if(samples > 2000) {
689 break;
690 }
691 }
692 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
693 if (!quiet) Dbprintf("%x %x %x", max, gotFrame, Demod.len);
694 }
695
696 //-----------------------------------------------------------------------------
697 // Read the tag's response. We just receive a stream of slightly-processed
698 // samples from the FPGA, which we will later do some signal processing on,
699 // to get the bits.
700 //-----------------------------------------------------------------------------
701 /*static void GetSamplesFor14443(int weTx, int n)
702 {
703 uint8_t *dest = (uint8_t *)BigBuf;
704 int c;
705
706 FpgaWriteConfWord(
707 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
708 (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
709
710 c = 0;
711 for(;;) {
712 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
713 AT91C_BASE_SSC->SSC_THR = 0x43;
714 }
715 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
716 int8_t b;
717 b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
718
719 dest[c++] = (uint8_t)b;
720
721 if(c >= n) {
722 break;
723 }
724 }
725 }
726 }*/
727
728 //-----------------------------------------------------------------------------
729 // Transmit the command (to the tag) that was placed in ToSend[].
730 //-----------------------------------------------------------------------------
731 static void TransmitFor14443(void)
732 {
733 int c;
734
735 FpgaSetupSsc();
736
737 while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
738 AT91C_BASE_SSC->SSC_THR = 0xff;
739 }
740
741 // Signal field is ON with the appropriate Red LED
742 LED_D_ON();
743 // Signal we are transmitting with the Green LED
744 LED_B_ON();
745 FpgaWriteConfWord(
746 FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
747
748 for(c = 0; c < 10;) {
749 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
750 AT91C_BASE_SSC->SSC_THR = 0xff;
751 c++;
752 }
753 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
754 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
755 (void)r;
756 }
757 WDT_HIT();
758 }
759
760 c = 0;
761 for(;;) {
762 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
763 AT91C_BASE_SSC->SSC_THR = ToSend[c];
764 c++;
765 if(c >= ToSendMax) {
766 break;
767 }
768 }
769 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
770 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
771 (void)r;
772 }
773 WDT_HIT();
774 }
775 LED_B_OFF(); // Finished sending
776 }
777
778 //-----------------------------------------------------------------------------
779 // Code a layer 2 command (string of octets, including CRC) into ToSend[],
780 // so that it is ready to transmit to the tag using TransmitFor14443().
781 //-----------------------------------------------------------------------------
782 void CodeIso14443bAsReader(const uint8_t *cmd, int len)
783 {
784 int i, j;
785 uint8_t b;
786
787 ToSendReset();
788
789 // Establish initial reference level
790 for(i = 0; i < 40; i++) {
791 ToSendStuffBit(1);
792 }
793 // Send SOF
794 for(i = 0; i < 10; i++) {
795 ToSendStuffBit(0);
796 }
797
798 for(i = 0; i < len; i++) {
799 // Stop bits/EGT
800 ToSendStuffBit(1);
801 ToSendStuffBit(1);
802 // Start bit
803 ToSendStuffBit(0);
804 // Data bits
805 b = cmd[i];
806 for(j = 0; j < 8; j++) {
807 if(b & 1) {
808 ToSendStuffBit(1);
809 } else {
810 ToSendStuffBit(0);
811 }
812 b >>= 1;
813 }
814 }
815 // Send EOF
816 ToSendStuffBit(1);
817 for(i = 0; i < 10; i++) {
818 ToSendStuffBit(0);
819 }
820 for(i = 0; i < 8; i++) {
821 ToSendStuffBit(1);
822 }
823
824 // And then a little more, to make sure that the last character makes
825 // it out before we switch to rx mode.
826 for(i = 0; i < 24; i++) {
827 ToSendStuffBit(1);
828 }
829
830 // Convert from last character reference to length
831 ToSendMax++;
832 }
833
834 //-----------------------------------------------------------------------------
835 // Read an ISO 14443 tag. We send it some set of commands, and record the
836 // responses.
837 // The command name is misleading, it actually decodes the reponse in HEX
838 // into the output buffer (read the result using hexsamples, not hisamples)
839 //-----------------------------------------------------------------------------
840 void AcquireRawAdcSamplesIso14443(uint32_t parameter)
841 {
842 uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
843
844 // Make sure that we start from off, since the tags are stateful;
845 // confusing things will happen if we don't reset them between reads.
846 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
847 LED_D_OFF();
848 SpinDelay(200);
849
850 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
851 FpgaSetupSsc();
852
853 // Now give it time to spin up.
854 // Signal field is on with the appropriate LED
855 LED_D_ON();
856 FpgaWriteConfWord(
857 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
858 SpinDelay(200);
859
860 CodeIso14443bAsReader(cmd1, sizeof(cmd1));
861 TransmitFor14443();
862 // LED_A_ON();
863 GetSamplesFor14443Demod(TRUE, 2000, FALSE);
864 // LED_A_OFF();
865 }
866
867 //-----------------------------------------------------------------------------
868 // Read a SRI512 ISO 14443 tag.
869 //
870 // SRI512 tags are just simple memory tags, here we're looking at making a dump
871 // of the contents of the memory. No anticollision algorithm is done, we assume
872 // we have a single tag in the field.
873 //
874 // I tried to be systematic and check every answer of the tag, every CRC, etc...
875 //-----------------------------------------------------------------------------
876 void ReadSRI512Iso14443(uint32_t parameter)
877 {
878 ReadSTMemoryIso14443(parameter,0x0F);
879 }
880 void ReadSRIX4KIso14443(uint32_t parameter)
881 {
882 ReadSTMemoryIso14443(parameter,0x7F);
883 }
884
885 void ReadSTMemoryIso14443(uint32_t parameter,uint32_t dwLast)
886 {
887 uint8_t i = 0x00;
888
889 // Make sure that we start from off, since the tags are stateful;
890 // confusing things will happen if we don't reset them between reads.
891 LED_D_OFF();
892 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
893 SpinDelay(200);
894
895 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
896 FpgaSetupSsc();
897
898 // Now give it time to spin up.
899 // Signal field is on with the appropriate LED
900 LED_D_ON();
901 FpgaWriteConfWord(
902 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
903 SpinDelay(200);
904
905 // First command: wake up the tag using the INITIATE command
906 uint8_t cmd1[] = { 0x06, 0x00, 0x97, 0x5b};
907 CodeIso14443bAsReader(cmd1, sizeof(cmd1));
908 TransmitFor14443();
909 // LED_A_ON();
910 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
911 // LED_A_OFF();
912
913 if (Demod.len == 0) {
914 DbpString("No response from tag");
915 return;
916 } else {
917 Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %x %x %x",
918 Demod.output[0], Demod.output[1],Demod.output[2]);
919 }
920 // There is a response, SELECT the uid
921 DbpString("Now SELECT tag:");
922 cmd1[0] = 0x0E; // 0x0E is SELECT
923 cmd1[1] = Demod.output[0];
924 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
925 CodeIso14443bAsReader(cmd1, sizeof(cmd1));
926 TransmitFor14443();
927 // LED_A_ON();
928 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
929 // LED_A_OFF();
930 if (Demod.len != 3) {
931 Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
932 return;
933 }
934 // Check the CRC of the answer:
935 ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
936 if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
937 DbpString("CRC Error reading select response.");
938 return;
939 }
940 // Check response from the tag: should be the same UID as the command we just sent:
941 if (cmd1[1] != Demod.output[0]) {
942 Dbprintf("Bad response to SELECT from Tag, aborting: %x %x", cmd1[1], Demod.output[0]);
943 return;
944 }
945 // Tag is now selected,
946 // First get the tag's UID:
947 cmd1[0] = 0x0B;
948 ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
949 CodeIso14443bAsReader(cmd1, 3); // Only first three bytes for this one
950 TransmitFor14443();
951 // LED_A_ON();
952 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
953 // LED_A_OFF();
954 if (Demod.len != 10) {
955 Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
956 return;
957 }
958 // The check the CRC of the answer (use cmd1 as temporary variable):
959 ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
960 if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
961 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
962 (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
963 // Do not return;, let's go on... (we should retry, maybe ?)
964 }
965 Dbprintf("Tag UID (64 bits): %08x %08x",
966 (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
967 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
968
969 // Now loop to read all 16 blocks, address from 0 to 15
970 DbpString("Tag memory dump, block 0 to 15");
971 cmd1[0] = 0x08;
972 i = 0x00;
973 dwLast++;
974 for (;;) {
975 if (i == dwLast) {
976 DbpString("System area block (0xff):");
977 i = 0xff;
978 }
979 cmd1[1] = i;
980 ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
981 CodeIso14443bAsReader(cmd1, sizeof(cmd1));
982 TransmitFor14443();
983 // LED_A_ON();
984 GetSamplesFor14443Demod(TRUE, 2000,TRUE);
985 // LED_A_OFF();
986 if (Demod.len != 6) { // Check if we got an answer from the tag
987 DbpString("Expected 6 bytes from tag, got less...");
988 return;
989 }
990 // The check the CRC of the answer (use cmd1 as temporary variable):
991 ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
992 if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
993 Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
994 (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
995 // Do not return;, let's go on... (we should retry, maybe ?)
996 }
997 // Now print out the memory location:
998 Dbprintf("Address=%x, Contents=%x, CRC=%x", i,
999 (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
1000 (Demod.output[4]<<8)+Demod.output[5]);
1001 if (i == 0xff) {
1002 break;
1003 }
1004 i++;
1005 }
1006 }
1007
1008
1009 //=============================================================================
1010 // Finally, the `sniffer' combines elements from both the reader and
1011 // simulated tag, to show both sides of the conversation.
1012 //=============================================================================
1013
1014 //-----------------------------------------------------------------------------
1015 // Record the sequence of commands sent by the reader to the tag, with
1016 // triggering so that we start recording at the point that the tag is moved
1017 // near the reader.
1018 //-----------------------------------------------------------------------------
1019 /*
1020 * Memory usage for this function, (within BigBuf)
1021 * 0-4095 : Demodulated samples receive (4096 bytes) - DEMOD_TRACE_SIZE
1022 * 4096-6143 : Last Received command, 2048 bytes (reader->tag) - READER_TAG_BUFFER_SIZE
1023 * 6144-8191 : Last Received command, 2048 bytes(tag->reader) - TAG_READER_BUFFER_SIZE
1024 * 8192-9215 : DMA Buffer, 1024 bytes (samples) - DMA_BUFFER_SIZE
1025 */
1026 void SnoopIso14443(void)
1027 {
1028 // We won't start recording the frames that we acquire until we trigger;
1029 // a good trigger condition to get started is probably when we see a
1030 // response from the tag.
1031 int triggered = FALSE;
1032
1033 // The command (reader -> tag) that we're working on receiving.
1034 uint8_t *receivedCmd = (uint8_t *)(BigBuf) + DEMOD_TRACE_SIZE;
1035 // The response (tag -> reader) that we're working on receiving.
1036 uint8_t *receivedResponse = (uint8_t *)(BigBuf) + DEMOD_TRACE_SIZE + READER_TAG_BUFFER_SIZE;
1037
1038 // As we receive stuff, we copy it from receivedCmd or receivedResponse
1039 // into trace, along with its length and other annotations.
1040 uint8_t *trace = (uint8_t *)BigBuf;
1041 int traceLen = 0;
1042
1043 // The DMA buffer, used to stream samples from the FPGA.
1044 int8_t *dmaBuf = (int8_t *)(BigBuf) + DEMOD_TRACE_SIZE + READER_TAG_BUFFER_SIZE + TAG_READER_BUFFER_SIZE;
1045 int lastRxCounter;
1046 int8_t *upTo;
1047 int ci, cq;
1048 int maxBehindBy = 0;
1049
1050 // Count of samples received so far, so that we can include timing
1051 // information in the trace buffer.
1052 int samples = 0;
1053
1054 // Initialize the trace buffer
1055 memset(trace, 0x44, DEMOD_TRACE_SIZE);
1056
1057 // Set up the demodulator for tag -> reader responses.
1058 Demod.output = receivedResponse;
1059 Demod.len = 0;
1060 Demod.state = DEMOD_UNSYNCD;
1061
1062 // And the reader -> tag commands
1063 memset(&Uart, 0, sizeof(Uart));
1064 Uart.output = receivedCmd;
1065 Uart.byteCntMax = 100;
1066 Uart.state = STATE_UNSYNCD;
1067
1068 // Print some debug information about the buffer sizes
1069 Dbprintf("Snooping buffers initialized:");
1070 Dbprintf(" Trace: %i bytes", DEMOD_TRACE_SIZE);
1071 Dbprintf(" Reader -> tag: %i bytes", READER_TAG_BUFFER_SIZE);
1072 Dbprintf(" tag -> Reader: %i bytes", TAG_READER_BUFFER_SIZE);
1073 Dbprintf(" DMA: %i bytes", DMA_BUFFER_SIZE);
1074
1075 // Use a counter for blinking the LED
1076 long ledCount=0;
1077 long ledFlashAt=200000;
1078
1079 // And put the FPGA in the appropriate mode
1080 // Signal field is off with the appropriate LED
1081 LED_D_OFF();
1082 FpgaWriteConfWord(
1083 FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
1084 FPGA_HF_READER_RX_XCORR_SNOOP);
1085 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1086
1087 // Setup for the DMA.
1088 FpgaSetupSsc();
1089 upTo = dmaBuf;
1090 lastRxCounter = DMA_BUFFER_SIZE;
1091 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
1092 // And now we loop, receiving samples.
1093 for(;;) {
1094 // Blink the LED while Snooping
1095 ledCount++;
1096 if (ledCount == ledFlashAt) {
1097 LED_D_ON();
1098 }
1099 if (ledCount >= 2*ledFlashAt) {
1100 LED_D_OFF();
1101 ledCount=0;
1102 }
1103
1104 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
1105 (DMA_BUFFER_SIZE-1);
1106 if(behindBy > maxBehindBy) {
1107 maxBehindBy = behindBy;
1108 if(behindBy > (DMA_BUFFER_SIZE-2)) { // TODO: understand whether we can increase/decrease as we want or not?
1109 Dbprintf("blew circular buffer! behindBy=%x", behindBy);
1110 goto done;
1111 }
1112 }
1113 if(behindBy < 2) continue;
1114
1115 ci = upTo[0];
1116 cq = upTo[1];
1117 upTo += 2;
1118 lastRxCounter -= 2;
1119 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
1120 upTo -= DMA_BUFFER_SIZE;
1121 lastRxCounter += DMA_BUFFER_SIZE;
1122 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
1123 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
1124 }
1125
1126 samples += 2;
1127
1128 #define HANDLE_BIT_IF_BODY \
1129 if(triggered) { \
1130 ledFlashAt=30000; \
1131 trace[traceLen++] = ((samples >> 0) & 0xff); \
1132 trace[traceLen++] = ((samples >> 8) & 0xff); \
1133 trace[traceLen++] = ((samples >> 16) & 0xff); \
1134 trace[traceLen++] = ((samples >> 24) & 0xff); \
1135 trace[traceLen++] = 0; \
1136 trace[traceLen++] = 0; \
1137 trace[traceLen++] = 0; \
1138 trace[traceLen++] = 0; \
1139 trace[traceLen++] = Uart.byteCnt; \
1140 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
1141 traceLen += Uart.byteCnt; \
1142 if(traceLen > 1000) break; \
1143 } \
1144 /* And ready to receive another command. */ \
1145 memset(&Uart, 0, sizeof(Uart)); \
1146 Uart.output = receivedCmd; \
1147 Uart.byteCntMax = 100; \
1148 Uart.state = STATE_UNSYNCD; \
1149 /* And also reset the demod code, which might have been */ \
1150 /* false-triggered by the commands from the reader. */ \
1151 memset(&Demod, 0, sizeof(Demod)); \
1152 Demod.output = receivedResponse; \
1153 Demod.state = DEMOD_UNSYNCD; \
1154
1155 if(Handle14443UartBit(ci & 1)) {
1156 HANDLE_BIT_IF_BODY
1157 }
1158 if(Handle14443UartBit(cq & 1)) {
1159 HANDLE_BIT_IF_BODY
1160 }
1161
1162 if(Handle14443SamplesDemod(ci, cq)) {
1163 // timestamp, as a count of samples
1164 trace[traceLen++] = ((samples >> 0) & 0xff);
1165 trace[traceLen++] = ((samples >> 8) & 0xff);
1166 trace[traceLen++] = ((samples >> 16) & 0xff);
1167 trace[traceLen++] = 0x80 | ((samples >> 24) & 0xff);
1168 // correlation metric (~signal strength estimate)
1169 if(Demod.metricN != 0) {
1170 Demod.metric /= Demod.metricN;
1171 }
1172 trace[traceLen++] = ((Demod.metric >> 0) & 0xff);
1173 trace[traceLen++] = ((Demod.metric >> 8) & 0xff);
1174 trace[traceLen++] = ((Demod.metric >> 16) & 0xff);
1175 trace[traceLen++] = ((Demod.metric >> 24) & 0xff);
1176 // length
1177 trace[traceLen++] = Demod.len;
1178 memcpy(trace+traceLen, receivedResponse, Demod.len);
1179 traceLen += Demod.len;
1180 if(traceLen > DEMOD_TRACE_SIZE) {
1181 DbpString("Reached trace limit");
1182 goto done;
1183 }
1184
1185 triggered = TRUE;
1186
1187 // And ready to receive another response.
1188 memset(&Demod, 0, sizeof(Demod));
1189 Demod.output = receivedResponse;
1190 Demod.state = DEMOD_UNSYNCD;
1191 }
1192 WDT_HIT();
1193
1194 if(BUTTON_PRESS()) {
1195 DbpString("cancelled");
1196 goto done;
1197 }
1198 }
1199
1200 done:
1201 LED_D_OFF();
1202 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
1203 DbpString("Snoop statistics:");
1204 Dbprintf(" Max behind by: %i", maxBehindBy);
1205 Dbprintf(" Uart State: %x", Uart.state);
1206 Dbprintf(" Uart ByteCnt: %i", Uart.byteCnt);
1207 Dbprintf(" Uart ByteCntMax: %i", Uart.byteCntMax);
1208 Dbprintf(" Trace length: %i", traceLen);
1209 }
Proxmark3 GIT tracking
Impressum, Datenschutz