]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/iso14443a.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Clean up data types, some header cleanup, etc.
[proxmark3-svn] / armsrc / iso14443a.c
1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
3 //
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
6 #include "proxmark3.h"
7 #include "apps.h"
8 #include "util.h"
9 #include "iso14443crc.h"
10
11 static uint8_t *trace = (uint8_t *) BigBuf;
12 static int traceLen = 0;
13 static int rsamples = 0;
14 static int tracing = TRUE;
15
16 typedef enum {
17 SEC_D = 1,
18 SEC_E = 2,
19 SEC_F = 3,
20 SEC_X = 4,
21 SEC_Y = 5,
22 SEC_Z = 6
23 } SecType;
24
25 static const uint8_t OddByteParity[256] = {
26 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
27 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
28 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
29 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
30 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
33 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
34 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
35 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
42 };
43
44 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
45 #define RECV_CMD_OFFSET 3032
46 #define RECV_RES_OFFSET 3096
47 #define DMA_BUFFER_OFFSET 3160
48 #define DMA_BUFFER_SIZE 4096
49 #define TRACE_LENGTH 3000
50
51 //-----------------------------------------------------------------------------
52 // Generate the parity value for a byte sequence
53 //
54 //-----------------------------------------------------------------------------
55 uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
56 {
57 int i;
58 uint32_t dwPar = 0;
59
60 // Generate the encrypted data
61 for (i = 0; i < iLen; i++) {
62 // Save the encrypted parity bit
63 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
64 }
65 return dwPar;
66 }
67
68 static void AppendCrc14443a(uint8_t* data, int len)
69 {
70 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
71 }
72
73 int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
74 {
75 // Return when trace is full
76 if (traceLen >= TRACE_LENGTH) return FALSE;
77
78 // Trace the random, i'm curious
79 rsamples += iSamples;
80 trace[traceLen++] = ((rsamples >> 0) & 0xff);
81 trace[traceLen++] = ((rsamples >> 8) & 0xff);
82 trace[traceLen++] = ((rsamples >> 16) & 0xff);
83 trace[traceLen++] = ((rsamples >> 24) & 0xff);
84 if (!bReader) {
85 trace[traceLen - 1] |= 0x80;
86 }
87 trace[traceLen++] = ((dwParity >> 0) & 0xff);
88 trace[traceLen++] = ((dwParity >> 8) & 0xff);
89 trace[traceLen++] = ((dwParity >> 16) & 0xff);
90 trace[traceLen++] = ((dwParity >> 24) & 0xff);
91 trace[traceLen++] = iLen;
92 memcpy(trace + traceLen, btBytes, iLen);
93 traceLen += iLen;
94 return TRUE;
95 }
96
97 int LogTraceInfo(byte_t* data, size_t len)
98 {
99 return LogTrace(data,len,0,GetParity(data,len),TRUE);
100 }
101
102 //-----------------------------------------------------------------------------
103 // The software UART that receives commands from the reader, and its state
104 // variables.
105 //-----------------------------------------------------------------------------
106 static struct {
107 enum {
108 STATE_UNSYNCD,
109 STATE_START_OF_COMMUNICATION,
110 STATE_MILLER_X,
111 STATE_MILLER_Y,
112 STATE_MILLER_Z,
113 STATE_ERROR_WAIT
114 } state;
115 uint16_t shiftReg;
116 int bitCnt;
117 int byteCnt;
118 int byteCntMax;
119 int posCnt;
120 int syncBit;
121 int parityBits;
122 int samples;
123 int highCnt;
124 int bitBuffer;
125 enum {
126 DROP_NONE,
127 DROP_FIRST_HALF,
128 DROP_SECOND_HALF
129 } drop;
130 uint8_t *output;
131 } Uart;
132
133 static int MillerDecoding(int bit)
134 {
135 int error = 0;
136 int bitright;
137
138 if(!Uart.bitBuffer) {
139 Uart.bitBuffer = bit ^ 0xFF0;
140 return FALSE;
141 }
142 else {
143 Uart.bitBuffer <<= 4;
144 Uart.bitBuffer ^= bit;
145 }
146
147 int EOC = FALSE;
148
149 if(Uart.state != STATE_UNSYNCD) {
150 Uart.posCnt++;
151
152 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
153 bit = 0x00;
154 }
155 else {
156 bit = 0x01;
157 }
158 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
159 bitright = 0x00;
160 }
161 else {
162 bitright = 0x01;
163 }
164 if(bit != bitright) { bit = bitright; }
165
166 if(Uart.posCnt == 1) {
167 // measurement first half bitperiod
168 if(!bit) {
169 Uart.drop = DROP_FIRST_HALF;
170 }
171 }
172 else {
173 // measurement second half bitperiod
174 if(!bit & (Uart.drop == DROP_NONE)) {
175 Uart.drop = DROP_SECOND_HALF;
176 }
177 else if(!bit) {
178 // measured a drop in first and second half
179 // which should not be possible
180 Uart.state = STATE_ERROR_WAIT;
181 error = 0x01;
182 }
183
184 Uart.posCnt = 0;
185
186 switch(Uart.state) {
187 case STATE_START_OF_COMMUNICATION:
188 Uart.shiftReg = 0;
189 if(Uart.drop == DROP_SECOND_HALF) {
190 // error, should not happen in SOC
191 Uart.state = STATE_ERROR_WAIT;
192 error = 0x02;
193 }
194 else {
195 // correct SOC
196 Uart.state = STATE_MILLER_Z;
197 }
198 break;
199
200 case STATE_MILLER_Z:
201 Uart.bitCnt++;
202 Uart.shiftReg >>= 1;
203 if(Uart.drop == DROP_NONE) {
204 // logic '0' followed by sequence Y
205 // end of communication
206 Uart.state = STATE_UNSYNCD;
207 EOC = TRUE;
208 }
209 // if(Uart.drop == DROP_FIRST_HALF) {
210 // Uart.state = STATE_MILLER_Z; stay the same
211 // we see a logic '0' }
212 if(Uart.drop == DROP_SECOND_HALF) {
213 // we see a logic '1'
214 Uart.shiftReg |= 0x100;
215 Uart.state = STATE_MILLER_X;
216 }
217 break;
218
219 case STATE_MILLER_X:
220 Uart.shiftReg >>= 1;
221 if(Uart.drop == DROP_NONE) {
222 // sequence Y, we see a '0'
223 Uart.state = STATE_MILLER_Y;
224 Uart.bitCnt++;
225 }
226 if(Uart.drop == DROP_FIRST_HALF) {
227 // Would be STATE_MILLER_Z
228 // but Z does not follow X, so error
229 Uart.state = STATE_ERROR_WAIT;
230 error = 0x03;
231 }
232 if(Uart.drop == DROP_SECOND_HALF) {
233 // We see a '1' and stay in state X
234 Uart.shiftReg |= 0x100;
235 Uart.bitCnt++;
236 }
237 break;
238
239 case STATE_MILLER_Y:
240 Uart.bitCnt++;
241 Uart.shiftReg >>= 1;
242 if(Uart.drop == DROP_NONE) {
243 // logic '0' followed by sequence Y
244 // end of communication
245 Uart.state = STATE_UNSYNCD;
246 EOC = TRUE;
247 }
248 if(Uart.drop == DROP_FIRST_HALF) {
249 // we see a '0'
250 Uart.state = STATE_MILLER_Z;
251 }
252 if(Uart.drop == DROP_SECOND_HALF) {
253 // We see a '1' and go to state X
254 Uart.shiftReg |= 0x100;
255 Uart.state = STATE_MILLER_X;
256 }
257 break;
258
259 case STATE_ERROR_WAIT:
260 // That went wrong. Now wait for at least two bit periods
261 // and try to sync again
262 if(Uart.drop == DROP_NONE) {
263 Uart.highCnt = 6;
264 Uart.state = STATE_UNSYNCD;
265 }
266 break;
267
268 default:
269 Uart.state = STATE_UNSYNCD;
270 Uart.highCnt = 0;
271 break;
272 }
273
274 Uart.drop = DROP_NONE;
275
276 // should have received at least one whole byte...
277 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
278 return TRUE;
279 }
280
281 if(Uart.bitCnt == 9) {
282 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
283 Uart.byteCnt++;
284
285 Uart.parityBits <<= 1;
286 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
287
288 if(EOC) {
289 // when End of Communication received and
290 // all data bits processed..
291 return TRUE;
292 }
293 Uart.bitCnt = 0;
294 }
295
296 /*if(error) {
297 Uart.output[Uart.byteCnt] = 0xAA;
298 Uart.byteCnt++;
299 Uart.output[Uart.byteCnt] = error & 0xFF;
300 Uart.byteCnt++;
301 Uart.output[Uart.byteCnt] = 0xAA;
302 Uart.byteCnt++;
303 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
304 Uart.byteCnt++;
305 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
306 Uart.byteCnt++;
307 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = 0xAA;
310 Uart.byteCnt++;
311 return TRUE;
312 }*/
313 }
314
315 }
316 else {
317 bit = Uart.bitBuffer & 0xf0;
318 bit >>= 4;
319 bit ^= 0x0F;
320 if(bit) {
321 // should have been high or at least (4 * 128) / fc
322 // according to ISO this should be at least (9 * 128 + 20) / fc
323 if(Uart.highCnt == 8) {
324 // we went low, so this could be start of communication
325 // it turns out to be safer to choose a less significant
326 // syncbit... so we check whether the neighbour also represents the drop
327 Uart.posCnt = 1; // apparently we are busy with our first half bit period
328 Uart.syncBit = bit & 8;
329 Uart.samples = 3;
330 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
331 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
332 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
333 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
334 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
335 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
336 Uart.syncBit = 8;
337
338 // the first half bit period is expected in next sample
339 Uart.posCnt = 0;
340 Uart.samples = 3;
341 }
342 }
343 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
344
345 Uart.syncBit <<= 4;
346 Uart.state = STATE_START_OF_COMMUNICATION;
347 Uart.drop = DROP_FIRST_HALF;
348 Uart.bitCnt = 0;
349 Uart.byteCnt = 0;
350 Uart.parityBits = 0;
351 error = 0;
352 }
353 else {
354 Uart.highCnt = 0;
355 }
356 }
357 else {
358 if(Uart.highCnt < 8) {
359 Uart.highCnt++;
360 }
361 }
362 }
363
364 return FALSE;
365 }
366
367 //=============================================================================
368 // ISO 14443 Type A - Manchester
369 //=============================================================================
370
371 static struct {
372 enum {
373 DEMOD_UNSYNCD,
374 DEMOD_START_OF_COMMUNICATION,
375 DEMOD_MANCHESTER_D,
376 DEMOD_MANCHESTER_E,
377 DEMOD_MANCHESTER_F,
378 DEMOD_ERROR_WAIT
379 } state;
380 int bitCount;
381 int posCount;
382 int syncBit;
383 int parityBits;
384 uint16_t shiftReg;
385 int buffer;
386 int buff;
387 int samples;
388 int len;
389 enum {
390 SUB_NONE,
391 SUB_FIRST_HALF,
392 SUB_SECOND_HALF
393 } sub;
394 uint8_t *output;
395 } Demod;
396
397 static int ManchesterDecoding(int v)
398 {
399 int bit;
400 int modulation;
401 int error = 0;
402
403 if(!Demod.buff) {
404 Demod.buff = 1;
405 Demod.buffer = v;
406 return FALSE;
407 }
408 else {
409 bit = Demod.buffer;
410 Demod.buffer = v;
411 }
412
413 if(Demod.state==DEMOD_UNSYNCD) {
414 Demod.output[Demod.len] = 0xfa;
415 Demod.syncBit = 0;
416 //Demod.samples = 0;
417 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
418 if(bit & 0x08) { Demod.syncBit = 0x08; }
419 if(!Demod.syncBit) {
420 if(bit & 0x04) { Demod.syncBit = 0x04; }
421 }
422 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
423 if(!Demod.syncBit) {
424 if(bit & 0x02) { Demod.syncBit = 0x02; }
425 }
426 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
427 if(!Demod.syncBit) {
428 if(bit & 0x01) { Demod.syncBit = 0x01; }
429
430 if(Demod.syncBit & (Demod.buffer & 0x08)) {
431 Demod.syncBit = 0x08;
432
433 // The first half bitperiod is expected in next sample
434 Demod.posCount = 0;
435 Demod.output[Demod.len] = 0xfb;
436 }
437 }
438 else if(bit & 0x01) { Demod.syncBit = 0x01; }
439
440 if(Demod.syncBit) {
441 Demod.len = 0;
442 Demod.state = DEMOD_START_OF_COMMUNICATION;
443 Demod.sub = SUB_FIRST_HALF;
444 Demod.bitCount = 0;
445 Demod.shiftReg = 0;
446 Demod.parityBits = 0;
447 Demod.samples = 0;
448 if(Demod.posCount) {
449 switch(Demod.syncBit) {
450 case 0x08: Demod.samples = 3; break;
451 case 0x04: Demod.samples = 2; break;
452 case 0x02: Demod.samples = 1; break;
453 case 0x01: Demod.samples = 0; break;
454 }
455 }
456 error = 0;
457 }
458 }
459 else {
460 //modulation = bit & Demod.syncBit;
461 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
462
463 Demod.samples += 4;
464
465 if(Demod.posCount==0) {
466 Demod.posCount = 1;
467 if(modulation) {
468 Demod.sub = SUB_FIRST_HALF;
469 }
470 else {
471 Demod.sub = SUB_NONE;
472 }
473 }
474 else {
475 Demod.posCount = 0;
476 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
477 if(Demod.state!=DEMOD_ERROR_WAIT) {
478 Demod.state = DEMOD_ERROR_WAIT;
479 Demod.output[Demod.len] = 0xaa;
480 error = 0x01;
481 }
482 }
483 else if(modulation) {
484 Demod.sub = SUB_SECOND_HALF;
485 }
486
487 switch(Demod.state) {
488 case DEMOD_START_OF_COMMUNICATION:
489 if(Demod.sub == SUB_FIRST_HALF) {
490 Demod.state = DEMOD_MANCHESTER_D;
491 }
492 else {
493 Demod.output[Demod.len] = 0xab;
494 Demod.state = DEMOD_ERROR_WAIT;
495 error = 0x02;
496 }
497 break;
498
499 case DEMOD_MANCHESTER_D:
500 case DEMOD_MANCHESTER_E:
501 if(Demod.sub == SUB_FIRST_HALF) {
502 Demod.bitCount++;
503 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
504 Demod.state = DEMOD_MANCHESTER_D;
505 }
506 else if(Demod.sub == SUB_SECOND_HALF) {
507 Demod.bitCount++;
508 Demod.shiftReg >>= 1;
509 Demod.state = DEMOD_MANCHESTER_E;
510 }
511 else {
512 Demod.state = DEMOD_MANCHESTER_F;
513 }
514 break;
515
516 case DEMOD_MANCHESTER_F:
517 // Tag response does not need to be a complete byte!
518 if(Demod.len > 0 || Demod.bitCount > 0) {
519 if(Demod.bitCount > 0) {
520 Demod.shiftReg >>= (9 - Demod.bitCount);
521 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
522 Demod.len++;
523 // No parity bit, so just shift a 0
524 Demod.parityBits <<= 1;
525 }
526
527 Demod.state = DEMOD_UNSYNCD;
528 return TRUE;
529 }
530 else {
531 Demod.output[Demod.len] = 0xad;
532 Demod.state = DEMOD_ERROR_WAIT;
533 error = 0x03;
534 }
535 break;
536
537 case DEMOD_ERROR_WAIT:
538 Demod.state = DEMOD_UNSYNCD;
539 break;
540
541 default:
542 Demod.output[Demod.len] = 0xdd;
543 Demod.state = DEMOD_UNSYNCD;
544 break;
545 }
546
547 if(Demod.bitCount>=9) {
548 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
549 Demod.len++;
550
551 Demod.parityBits <<= 1;
552 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
553
554 Demod.bitCount = 0;
555 Demod.shiftReg = 0;
556 }
557
558 /*if(error) {
559 Demod.output[Demod.len] = 0xBB;
560 Demod.len++;
561 Demod.output[Demod.len] = error & 0xFF;
562 Demod.len++;
563 Demod.output[Demod.len] = 0xBB;
564 Demod.len++;
565 Demod.output[Demod.len] = bit & 0xFF;
566 Demod.len++;
567 Demod.output[Demod.len] = Demod.buffer & 0xFF;
568 Demod.len++;
569 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
570 Demod.len++;
571 Demod.output[Demod.len] = 0xBB;
572 Demod.len++;
573 return TRUE;
574 }*/
575
576 }
577
578 } // end (state != UNSYNCED)
579
580 return FALSE;
581 }
582
583 //=============================================================================
584 // Finally, a `sniffer' for ISO 14443 Type A
585 // Both sides of communication!
586 //=============================================================================
587
588 //-----------------------------------------------------------------------------
589 // Record the sequence of commands sent by the reader to the tag, with
590 // triggering so that we start recording at the point that the tag is moved
591 // near the reader.
592 //-----------------------------------------------------------------------------
593 void SnoopIso14443a(void)
594 {
595 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
596 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
597 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
598 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
599 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
600
601 // We won't start recording the frames that we acquire until we trigger;
602 // a good trigger condition to get started is probably when we see a
603 // response from the tag.
604 int triggered = TRUE; // FALSE to wait first for card
605
606 // The command (reader -> tag) that we're receiving.
607 // The length of a received command will in most cases be no more than 18 bytes.
608 // So 32 should be enough!
609 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
610 // The response (tag -> reader) that we're receiving.
611 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
612
613 // As we receive stuff, we copy it from receivedCmd or receivedResponse
614 // into trace, along with its length and other annotations.
615 //uint8_t *trace = (uint8_t *)BigBuf;
616 //int traceLen = 0;
617
618 // The DMA buffer, used to stream samples from the FPGA
619 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
620 int lastRxCounter;
621 int8_t *upTo;
622 int smpl;
623 int maxBehindBy = 0;
624
625 // Count of samples received so far, so that we can include timing
626 // information in the trace buffer.
627 int samples = 0;
628 int rsamples = 0;
629
630 memset(trace, 0x44, RECV_CMD_OFFSET);
631
632 // Set up the demodulator for tag -> reader responses.
633 Demod.output = receivedResponse;
634 Demod.len = 0;
635 Demod.state = DEMOD_UNSYNCD;
636
637 // And the reader -> tag commands
638 memset(&Uart, 0, sizeof(Uart));
639 Uart.output = receivedCmd;
640 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
641 Uart.state = STATE_UNSYNCD;
642
643 // And put the FPGA in the appropriate mode
644 // Signal field is off with the appropriate LED
645 LED_D_OFF();
646 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
647 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
648
649 // Setup for the DMA.
650 FpgaSetupSsc();
651 upTo = dmaBuf;
652 lastRxCounter = DMA_BUFFER_SIZE;
653 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
654
655 LED_A_ON();
656
657 // And now we loop, receiving samples.
658 for(;;) {
659 WDT_HIT();
660 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
661 (DMA_BUFFER_SIZE-1);
662 if(behindBy > maxBehindBy) {
663 maxBehindBy = behindBy;
664 if(behindBy > 400) {
665 DbpString("blew circular buffer!");
666 goto done;
667 }
668 }
669 if(behindBy < 1) continue;
670
671 smpl = upTo[0];
672 upTo++;
673 lastRxCounter -= 1;
674 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
675 upTo -= DMA_BUFFER_SIZE;
676 lastRxCounter += DMA_BUFFER_SIZE;
677 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
678 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
679 }
680
681 samples += 4;
682 #define HANDLE_BIT_IF_BODY \
683 LED_C_ON(); \
684 if(triggered) { \
685 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
686 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
687 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
688 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
689 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
690 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
692 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
693 trace[traceLen++] = Uart.byteCnt; \
694 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
695 traceLen += Uart.byteCnt; \
696 if(traceLen > TRACE_LENGTH) break; \
697 } \
698 /* And ready to receive another command. */ \
699 Uart.state = STATE_UNSYNCD; \
700 /* And also reset the demod code, which might have been */ \
701 /* false-triggered by the commands from the reader. */ \
702 Demod.state = DEMOD_UNSYNCD; \
703 LED_B_OFF(); \
704
705 if(MillerDecoding((smpl & 0xF0) >> 4)) {
706 rsamples = samples - Uart.samples;
707 HANDLE_BIT_IF_BODY
708 }
709 if(ManchesterDecoding(smpl & 0x0F)) {
710 rsamples = samples - Demod.samples;
711 LED_B_ON();
712
713 // timestamp, as a count of samples
714 trace[traceLen++] = ((rsamples >> 0) & 0xff);
715 trace[traceLen++] = ((rsamples >> 8) & 0xff);
716 trace[traceLen++] = ((rsamples >> 16) & 0xff);
717 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
718 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
719 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
720 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
721 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
722 // length
723 trace[traceLen++] = Demod.len;
724 memcpy(trace+traceLen, receivedResponse, Demod.len);
725 traceLen += Demod.len;
726 if(traceLen > TRACE_LENGTH) break;
727
728 triggered = TRUE;
729
730 // And ready to receive another response.
731 memset(&Demod, 0, sizeof(Demod));
732 Demod.output = receivedResponse;
733 Demod.state = DEMOD_UNSYNCD;
734 LED_C_OFF();
735 }
736
737 if(BUTTON_PRESS()) {
738 DbpString("cancelled_a");
739 goto done;
740 }
741 }
742
743 DbpString("COMMAND FINISHED");
744
745 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
746 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
747
748 done:
749 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
750 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
751 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
752 LED_A_OFF();
753 LED_B_OFF();
754 LED_C_OFF();
755 LED_D_OFF();
756 }
757
758 // Prepare communication bits to send to FPGA
759 void Sequence(SecType seq)
760 {
761 ToSendMax++;
762 switch(seq) {
763 // CARD TO READER
764 case SEC_D:
765 // Sequence D: 11110000
766 // modulation with subcarrier during first half
767 ToSend[ToSendMax] = 0xf0;
768 break;
769 case SEC_E:
770 // Sequence E: 00001111
771 // modulation with subcarrier during second half
772 ToSend[ToSendMax] = 0x0f;
773 break;
774 case SEC_F:
775 // Sequence F: 00000000
776 // no modulation with subcarrier
777 ToSend[ToSendMax] = 0x00;
778 break;
779 // READER TO CARD
780 case SEC_X:
781 // Sequence X: 00001100
782 // drop after half a period
783 ToSend[ToSendMax] = 0x0c;
784 break;
785 case SEC_Y:
786 default:
787 // Sequence Y: 00000000
788 // no drop
789 ToSend[ToSendMax] = 0x00;
790 break;
791 case SEC_Z:
792 // Sequence Z: 11000000
793 // drop at start
794 ToSend[ToSendMax] = 0xc0;
795 break;
796 }
797 }
798
799 //-----------------------------------------------------------------------------
800 // Prepare tag messages
801 //-----------------------------------------------------------------------------
802 static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
803 {
804 int i;
805 int oddparity;
806
807 ToSendReset();
808
809 // Correction bit, might be removed when not needed
810 ToSendStuffBit(0);
811 ToSendStuffBit(0);
812 ToSendStuffBit(0);
813 ToSendStuffBit(0);
814 ToSendStuffBit(1); // 1
815 ToSendStuffBit(0);
816 ToSendStuffBit(0);
817 ToSendStuffBit(0);
818
819 // Send startbit
820 Sequence(SEC_D);
821
822 for(i = 0; i < len; i++) {
823 int j;
824 uint8_t b = cmd[i];
825
826 // Data bits
827 oddparity = 0x01;
828 for(j = 0; j < 8; j++) {
829 oddparity ^= (b & 1);
830 if(b & 1) {
831 Sequence(SEC_D);
832 } else {
833 Sequence(SEC_E);
834 }
835 b >>= 1;
836 }
837
838 // Parity bit
839 if(oddparity) {
840 Sequence(SEC_D);
841 } else {
842 Sequence(SEC_E);
843 }
844 }
845
846 // Send stopbit
847 Sequence(SEC_F);
848
849 // Flush the buffer in FPGA!!
850 for(i = 0; i < 5; i++) {
851 Sequence(SEC_F);
852 }
853
854 // Convert from last byte pos to length
855 ToSendMax++;
856
857 // Add a few more for slop
858 ToSend[ToSendMax++] = 0x00;
859 ToSend[ToSendMax++] = 0x00;
860 //ToSendMax += 2;
861 }
862
863 //-----------------------------------------------------------------------------
864 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
865 //-----------------------------------------------------------------------------
866 static void CodeStrangeAnswer()
867 {
868 int i;
869
870 ToSendReset();
871
872 // Correction bit, might be removed when not needed
873 ToSendStuffBit(0);
874 ToSendStuffBit(0);
875 ToSendStuffBit(0);
876 ToSendStuffBit(0);
877 ToSendStuffBit(1); // 1
878 ToSendStuffBit(0);
879 ToSendStuffBit(0);
880 ToSendStuffBit(0);
881
882 // Send startbit
883 Sequence(SEC_D);
884
885 // 0
886 Sequence(SEC_E);
887
888 // 0
889 Sequence(SEC_E);
890
891 // 1
892 Sequence(SEC_D);
893
894 // Send stopbit
895 Sequence(SEC_F);
896
897 // Flush the buffer in FPGA!!
898 for(i = 0; i < 5; i++) {
899 Sequence(SEC_F);
900 }
901
902 // Convert from last byte pos to length
903 ToSendMax++;
904
905 // Add a few more for slop
906 ToSend[ToSendMax++] = 0x00;
907 ToSend[ToSendMax++] = 0x00;
908 //ToSendMax += 2;
909 }
910
911 //-----------------------------------------------------------------------------
912 // Wait for commands from reader
913 // Stop when button is pressed
914 // Or return TRUE when command is captured
915 //-----------------------------------------------------------------------------
916 static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
917 {
918 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
919 // only, since we are receiving, not transmitting).
920 // Signal field is off with the appropriate LED
921 LED_D_OFF();
922 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
923
924 // Now run a `software UART' on the stream of incoming samples.
925 Uart.output = received;
926 Uart.byteCntMax = maxLen;
927 Uart.state = STATE_UNSYNCD;
928
929 for(;;) {
930 WDT_HIT();
931
932 if(BUTTON_PRESS()) return FALSE;
933
934 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
935 AT91C_BASE_SSC->SSC_THR = 0x00;
936 }
937 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
938 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
939 if(MillerDecoding((b & 0xf0) >> 4)) {
940 *len = Uart.byteCnt;
941 return TRUE;
942 }
943 if(MillerDecoding(b & 0x0f)) {
944 *len = Uart.byteCnt;
945 return TRUE;
946 }
947 }
948 }
949 }
950
951 //-----------------------------------------------------------------------------
952 // Main loop of simulated tag: receive commands from reader, decide what
953 // response to send, and send it.
954 //-----------------------------------------------------------------------------
955 void SimulateIso14443aTag(int tagType, int TagUid)
956 {
957 // This function contains the tag emulation
958
959 // Prepare protocol messages
960 // static const uint8_t cmd1[] = { 0x26 };
961 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
962 //
963 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
964 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
965
966 // UID response
967 // static const uint8_t cmd2[] = { 0x93, 0x20 };
968 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
969
970
971
972 // my desfire
973 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
974
975
976 // When reader selects us during cascade1 it will send cmd3
977 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
978 uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
979 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
980
981 // send cascade2 2nd half of UID
982 static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
983 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
984
985
986 // When reader selects us during cascade2 it will send cmd3a
987 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
988 uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
989 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
990
991 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
992
993 uint8_t *resp;
994 int respLen;
995
996 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
997 // This will need
998 // 144 data bits (18 * 8)
999 // 18 parity bits
1000 // 2 Start and stop
1001 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1002 // 1 just for the case
1003 // ----------- +
1004 // 166
1005 //
1006 // 166 bytes, since every bit that needs to be send costs us a byte
1007 //
1008
1009
1010 // Respond with card type
1011 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
1012 int resp1Len;
1013
1014 // Anticollision cascade1 - respond with uid
1015 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
1016 int resp2Len;
1017
1018 // Anticollision cascade2 - respond with 2nd half of uid if asked
1019 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1020 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1021 int resp2aLen;
1022
1023 // Acknowledge select - cascade 1
1024 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
1025 int resp3Len;
1026
1027 // Acknowledge select - cascade 2
1028 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
1029 int resp3aLen;
1030
1031 // Response to a read request - not implemented atm
1032 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
1033 int resp4Len;
1034
1035 // Authenticate response - nonce
1036 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
1037 int resp5Len;
1038
1039 uint8_t *receivedCmd = (uint8_t *)BigBuf;
1040 int len;
1041
1042 int i;
1043 int u;
1044 uint8_t b;
1045
1046 // To control where we are in the protocol
1047 int order = 0;
1048 int lastorder;
1049
1050 // Just to allow some checks
1051 int happened = 0;
1052 int happened2 = 0;
1053
1054 int cmdsRecvd = 0;
1055
1056 int fdt_indicator;
1057
1058 memset(receivedCmd, 0x44, 400);
1059
1060 // Prepare the responses of the anticollision phase
1061 // there will be not enough time to do this at the moment the reader sends it REQA
1062
1063 // Answer to request
1064 CodeIso14443aAsTag(response1, sizeof(response1));
1065 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1066
1067 // Send our UID (cascade 1)
1068 CodeIso14443aAsTag(response2, sizeof(response2));
1069 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1070
1071 // Answer to select (cascade1)
1072 CodeIso14443aAsTag(response3, sizeof(response3));
1073 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1074
1075 // Send the cascade 2 2nd part of the uid
1076 CodeIso14443aAsTag(response2a, sizeof(response2a));
1077 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1078
1079 // Answer to select (cascade 2)
1080 CodeIso14443aAsTag(response3a, sizeof(response3a));
1081 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1082
1083 // Strange answer is an example of rare message size (3 bits)
1084 CodeStrangeAnswer();
1085 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1086
1087 // Authentication answer (random nonce)
1088 CodeIso14443aAsTag(response5, sizeof(response5));
1089 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1090
1091 // We need to listen to the high-frequency, peak-detected path.
1092 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1093 FpgaSetupSsc();
1094
1095 cmdsRecvd = 0;
1096
1097 LED_A_ON();
1098 for(;;) {
1099
1100 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1101 DbpString("button press");
1102 break;
1103 }
1104 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1105 // Okay, look at the command now.
1106 lastorder = order;
1107 i = 1; // first byte transmitted
1108 if(receivedCmd[0] == 0x26) {
1109 // Received a REQUEST
1110 resp = resp1; respLen = resp1Len; order = 1;
1111 //DbpString("Hello request from reader:");
1112 } else if(receivedCmd[0] == 0x52) {
1113 // Received a WAKEUP
1114 resp = resp1; respLen = resp1Len; order = 6;
1115 // //DbpString("Wakeup request from reader:");
1116
1117 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1118 // Received request for UID (cascade 1)
1119 resp = resp2; respLen = resp2Len; order = 2;
1120 // DbpString("UID (cascade 1) request from reader:");
1121 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1122
1123
1124 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1125 // Received request for UID (cascade 2)
1126 resp = resp2a; respLen = resp2aLen; order = 20;
1127 // DbpString("UID (cascade 2) request from reader:");
1128 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1129
1130
1131 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1132 // Received a SELECT
1133 resp = resp3; respLen = resp3Len; order = 3;
1134 // DbpString("Select (cascade 1) request from reader:");
1135 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1136
1137
1138 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1139 // Received a SELECT
1140 resp = resp3a; respLen = resp3aLen; order = 30;
1141 // DbpString("Select (cascade 2) request from reader:");
1142 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144
1145 } else if(receivedCmd[0] == 0x30) {
1146 // Received a READ
1147 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1148 Dbprintf("Read request from reader: %x %x %x",
1149 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1150
1151
1152 } else if(receivedCmd[0] == 0x50) {
1153 // Received a HALT
1154 resp = resp1; respLen = 0; order = 5; // Do nothing
1155 DbpString("Reader requested we HALT!:");
1156
1157 } else if(receivedCmd[0] == 0x60) {
1158 // Received an authentication request
1159 resp = resp5; respLen = resp5Len; order = 7;
1160 Dbprintf("Authenticate request from reader: %x %x %x",
1161 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1162
1163 } else if(receivedCmd[0] == 0xE0) {
1164 // Received a RATS request
1165 resp = resp1; respLen = 0;order = 70;
1166 Dbprintf("RATS request from reader: %x %x %x",
1167 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1168 } else {
1169 // Never seen this command before
1170 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1171 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1172 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1173 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1174 // Do not respond
1175 resp = resp1; respLen = 0; order = 0;
1176 }
1177
1178 // Count number of wakeups received after a halt
1179 if(order == 6 && lastorder == 5) { happened++; }
1180
1181 // Count number of other messages after a halt
1182 if(order != 6 && lastorder == 5) { happened2++; }
1183
1184 // Look at last parity bit to determine timing of answer
1185 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1186 // 1236, so correction bit needed
1187 i = 0;
1188 }
1189
1190 memset(receivedCmd, 0x44, 32);
1191
1192 if(cmdsRecvd > 999) {
1193 DbpString("1000 commands later...");
1194 break;
1195 }
1196 else {
1197 cmdsRecvd++;
1198 }
1199
1200 if(respLen <= 0) continue;
1201
1202 // Modulate Manchester
1203 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1204 AT91C_BASE_SSC->SSC_THR = 0x00;
1205 FpgaSetupSsc();
1206
1207 // ### Transmit the response ###
1208 u = 0;
1209 b = 0x00;
1210 fdt_indicator = FALSE;
1211 for(;;) {
1212 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1213 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1214 (void)b;
1215 }
1216 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1217 if(i > respLen) {
1218 b = 0x00;
1219 u++;
1220 } else {
1221 b = resp[i];
1222 i++;
1223 }
1224 AT91C_BASE_SSC->SSC_THR = b;
1225
1226 if(u > 4) {
1227 break;
1228 }
1229 }
1230 if(BUTTON_PRESS()) {
1231 break;
1232 }
1233 }
1234
1235 }
1236
1237 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1238 LED_A_OFF();
1239 }
1240
1241 //-----------------------------------------------------------------------------
1242 // Transmit the command (to the tag) that was placed in ToSend[].
1243 //-----------------------------------------------------------------------------
1244 static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
1245 {
1246 int c;
1247
1248 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1249
1250 if (wait)
1251 if(*wait < 10)
1252 *wait = 10;
1253
1254 for(c = 0; c < *wait;) {
1255 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1256 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1257 c++;
1258 }
1259 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1260 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1261 (void)r;
1262 }
1263 WDT_HIT();
1264 }
1265
1266 c = 0;
1267 for(;;) {
1268 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1269 AT91C_BASE_SSC->SSC_THR = cmd[c];
1270 c++;
1271 if(c >= len) {
1272 break;
1273 }
1274 }
1275 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1276 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1277 (void)r;
1278 }
1279 WDT_HIT();
1280 }
1281 if (samples) *samples = (c + *wait) << 3;
1282 }
1283
1284 //-----------------------------------------------------------------------------
1285 // To generate an arbitrary stream from reader
1286 //
1287 //-----------------------------------------------------------------------------
1288 void ArbitraryFromReader(const uint8_t *cmd, int parity, int len)
1289 {
1290 int i;
1291 int j;
1292 int last;
1293 uint8_t b;
1294
1295 ToSendReset();
1296
1297 // Start of Communication (Seq. Z)
1298 Sequence(SEC_Z);
1299 last = 0;
1300
1301 for(i = 0; i < len; i++) {
1302 // Data bits
1303 b = cmd[i];
1304 for(j = 0; j < 8; j++) {
1305 if(b & 1) {
1306 // Sequence X
1307 Sequence(SEC_X);
1308 last = 1;
1309 } else {
1310 if(last == 0) {
1311 // Sequence Z
1312 Sequence(SEC_Z);
1313 }
1314 else {
1315 // Sequence Y
1316 Sequence(SEC_Y);
1317 last = 0;
1318 }
1319 }
1320 b >>= 1;
1321
1322 }
1323
1324 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1325 if(((parity >> (len - i - 1)) & 1)) {
1326 // Sequence X
1327 Sequence(SEC_X);
1328 last = 1;
1329 } else {
1330 if(last == 0) {
1331 // Sequence Z
1332 Sequence(SEC_Z);
1333 }
1334 else {
1335 // Sequence Y
1336 Sequence(SEC_Y);
1337 last = 0;
1338 }
1339 }
1340 }
1341
1342 // End of Communication
1343 if(last == 0) {
1344 // Sequence Z
1345 Sequence(SEC_Z);
1346 }
1347 else {
1348 // Sequence Y
1349 Sequence(SEC_Y);
1350 last = 0;
1351 }
1352 // Sequence Y
1353 Sequence(SEC_Y);
1354
1355 // Just to be sure!
1356 Sequence(SEC_Y);
1357 Sequence(SEC_Y);
1358 Sequence(SEC_Y);
1359
1360 // Convert from last character reference to length
1361 ToSendMax++;
1362 }
1363
1364 //-----------------------------------------------------------------------------
1365 // Code a 7-bit command without parity bit
1366 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1367 //-----------------------------------------------------------------------------
1368 void ShortFrameFromReader(const uint8_t bt)
1369 {
1370 int j;
1371 int last;
1372 uint8_t b;
1373
1374 ToSendReset();
1375
1376 // Start of Communication (Seq. Z)
1377 Sequence(SEC_Z);
1378 last = 0;
1379
1380 b = bt;
1381 for(j = 0; j < 7; j++) {
1382 if(b & 1) {
1383 // Sequence X
1384 Sequence(SEC_X);
1385 last = 1;
1386 } else {
1387 if(last == 0) {
1388 // Sequence Z
1389 Sequence(SEC_Z);
1390 }
1391 else {
1392 // Sequence Y
1393 Sequence(SEC_Y);
1394 last = 0;
1395 }
1396 }
1397 b >>= 1;
1398 }
1399
1400 // End of Communication
1401 if(last == 0) {
1402 // Sequence Z
1403 Sequence(SEC_Z);
1404 }
1405 else {
1406 // Sequence Y
1407 Sequence(SEC_Y);
1408 last = 0;
1409 }
1410 // Sequence Y
1411 Sequence(SEC_Y);
1412
1413 // Just to be sure!
1414 Sequence(SEC_Y);
1415 Sequence(SEC_Y);
1416 Sequence(SEC_Y);
1417
1418 // Convert from last character reference to length
1419 ToSendMax++;
1420 }
1421
1422 //-----------------------------------------------------------------------------
1423 // Prepare reader command to send to FPGA
1424 //
1425 //-----------------------------------------------------------------------------
1426 void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1427 {
1428 int i, j;
1429 int last;
1430 uint8_t b;
1431
1432 ToSendReset();
1433
1434 // Start of Communication (Seq. Z)
1435 Sequence(SEC_Z);
1436 last = 0;
1437
1438 // Generate send structure for the data bits
1439 for (i = 0; i < len; i++) {
1440 // Get the current byte to send
1441 b = cmd[i];
1442
1443 for (j = 0; j < 8; j++) {
1444 if (b & 1) {
1445 // Sequence X
1446 Sequence(SEC_X);
1447 last = 1;
1448 } else {
1449 if (last == 0) {
1450 // Sequence Z
1451 Sequence(SEC_Z);
1452 } else {
1453 // Sequence Y
1454 Sequence(SEC_Y);
1455 last = 0;
1456 }
1457 }
1458 b >>= 1;
1459 }
1460
1461 // Get the parity bit
1462 if ((dwParity >> i) & 0x01) {
1463 // Sequence X
1464 Sequence(SEC_X);
1465 last = 1;
1466 } else {
1467 if (last == 0) {
1468 // Sequence Z
1469 Sequence(SEC_Z);
1470 } else {
1471 // Sequence Y
1472 Sequence(SEC_Y);
1473 last = 0;
1474 }
1475 }
1476 }
1477
1478 // End of Communication
1479 if (last == 0) {
1480 // Sequence Z
1481 Sequence(SEC_Z);
1482 } else {
1483 // Sequence Y
1484 Sequence(SEC_Y);
1485 last = 0;
1486 }
1487 // Sequence Y
1488 Sequence(SEC_Y);
1489
1490 // Just to be sure!
1491 Sequence(SEC_Y);
1492 Sequence(SEC_Y);
1493 Sequence(SEC_Y);
1494
1495 // Convert from last character reference to length
1496 ToSendMax++;
1497 }
1498
1499 //-----------------------------------------------------------------------------
1500 // Wait a certain time for tag response
1501 // If a response is captured return TRUE
1502 // If it takes to long return FALSE
1503 //-----------------------------------------------------------------------------
1504 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1505 {
1506 // buffer needs to be 512 bytes
1507 int c;
1508
1509 // Set FPGA mode to "reader listen mode", no modulation (listen
1510 // only, since we are receiving, not transmitting).
1511 // Signal field is on with the appropriate LED
1512 LED_D_ON();
1513 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1514
1515 // Now get the answer from the card
1516 Demod.output = receivedResponse;
1517 Demod.len = 0;
1518 Demod.state = DEMOD_UNSYNCD;
1519
1520 uint8_t b;
1521 if (elapsed) *elapsed = 0;
1522
1523 c = 0;
1524 for(;;) {
1525 WDT_HIT();
1526
1527 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1528 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1529 if (elapsed) (*elapsed)++;
1530 }
1531 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1532 if(c < 512) { c++; } else { return FALSE; }
1533 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1534 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1535 *samples = ((c - 1) << 3) + 4;
1536 return TRUE;
1537 }
1538 if(ManchesterDecoding(b & 0x0f)) {
1539 *samples = c << 3;
1540 return TRUE;
1541 }
1542 }
1543 }
1544 }
1545
1546 void ReaderTransmitShort(const uint8_t* bt)
1547 {
1548 int wait = 0;
1549 int samples = 0;
1550
1551 ShortFrameFromReader(*bt);
1552
1553 // Select the card
1554 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1555
1556 // Store reader command in buffer
1557 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1558 }
1559
1560 void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1561 {
1562 int wait = 0;
1563 int samples = 0;
1564
1565 // This is tied to other size changes
1566 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1567 CodeIso14443aAsReaderPar(frame,len,par);
1568
1569 // Select the card
1570 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1571
1572 // Store reader command in buffer
1573 if (tracing) LogTrace(frame,len,0,par,TRUE);
1574 }
1575
1576
1577 void ReaderTransmit(uint8_t* frame, int len)
1578 {
1579 // Generate parity and redirect
1580 ReaderTransmitPar(frame,len,GetParity(frame,len));
1581 }
1582
1583 int ReaderReceive(uint8_t* receivedAnswer)
1584 {
1585 int samples = 0;
1586 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1587 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1588 return TRUE;
1589 }
1590
1591 //-----------------------------------------------------------------------------
1592 // Read an ISO 14443a tag. Send out commands and store answers.
1593 //
1594 //-----------------------------------------------------------------------------
1595 void ReaderIso14443a(uint32_t parameter)
1596 {
1597 // Anticollision
1598 uint8_t wupa[] = { 0x52 };
1599 uint8_t sel_all[] = { 0x93,0x20 };
1600 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1601 uint8_t sel_all_c2[] = { 0x95,0x20 };
1602 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1603
1604 // Mifare AUTH
1605 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1606 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1607
1608 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1609 traceLen = 0;
1610
1611 // Setup SSC
1612 FpgaSetupSsc();
1613
1614 // Start from off (no field generated)
1615 // Signal field is off with the appropriate LED
1616 LED_D_OFF();
1617 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1618 SpinDelay(200);
1619
1620 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1621 FpgaSetupSsc();
1622
1623 // Now give it time to spin up.
1624 // Signal field is on with the appropriate LED
1625 LED_D_ON();
1626 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1627 SpinDelay(200);
1628
1629 LED_A_ON();
1630 LED_B_OFF();
1631 LED_C_OFF();
1632
1633 while(traceLen < TRACE_LENGTH)
1634 {
1635 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1636 ReaderTransmitShort(wupa);
1637
1638 // Test if the action was cancelled
1639 if(BUTTON_PRESS()) {
1640 break;
1641 }
1642
1643 // Receive the ATQA
1644 if (!ReaderReceive(receivedAnswer)) continue;
1645
1646 // Transmit SELECT_ALL
1647 ReaderTransmit(sel_all,sizeof(sel_all));
1648
1649 // Receive the UID
1650 if (!ReaderReceive(receivedAnswer)) continue;
1651
1652 // Construct SELECT UID command
1653 // First copy the 5 bytes (Mifare Classic) after the 93 70
1654 memcpy(sel_uid+2,receivedAnswer,5);
1655 // Secondly compute the two CRC bytes at the end
1656 AppendCrc14443a(sel_uid,7);
1657
1658 // Transmit SELECT_UID
1659 ReaderTransmit(sel_uid,sizeof(sel_uid));
1660
1661 // Receive the SAK
1662 if (!ReaderReceive(receivedAnswer)) continue;
1663
1664 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1665 // which case we need to make a cascade 2 request and select - this is a long UID
1666 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1667 if (receivedAnswer[0] &= 0x04)
1668 {
1669 // Transmit SELECT_ALL
1670 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
1671
1672 // Receive the UID
1673 if (!ReaderReceive(receivedAnswer)) continue;
1674
1675 // Construct SELECT UID command
1676 memcpy(sel_uid_c2+2,receivedAnswer,5);
1677 // Secondly compute the two CRC bytes at the end
1678 AppendCrc14443a(sel_uid_c2,7);
1679
1680 // Transmit SELECT_UID
1681 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
1682
1683 // Receive the SAK
1684 if (!ReaderReceive(receivedAnswer)) continue;
1685 }
1686
1687 // Transmit MIFARE_CLASSIC_AUTH
1688 ReaderTransmit(mf_auth,sizeof(mf_auth));
1689
1690 // Receive the (16 bit) "random" nonce
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 }
1693
1694 // Thats it...
1695 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1696 LEDsoff();
1697 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1698 DbpString("ready..");
1699 }
1700
1701 //-----------------------------------------------------------------------------
1702 // Read an ISO 14443a tag. Send out commands and store answers.
1703 //
1704 //-----------------------------------------------------------------------------
1705 void ReaderMifare(uint32_t parameter)
1706 {
1707
1708 // Anticollision
1709 uint8_t wupa[] = { 0x52 };
1710 uint8_t sel_all[] = { 0x93,0x20 };
1711 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1712
1713 // Mifare AUTH
1714 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1715 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1716
1717 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1718 traceLen = 0;
1719 tracing = false;
1720
1721 // Setup SSC
1722 FpgaSetupSsc();
1723
1724 // Start from off (no field generated)
1725 // Signal field is off with the appropriate LED
1726 LED_D_OFF();
1727 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1728 SpinDelay(200);
1729
1730 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1731 FpgaSetupSsc();
1732
1733 // Now give it time to spin up.
1734 // Signal field is on with the appropriate LED
1735 LED_D_ON();
1736 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1737 SpinDelay(200);
1738
1739 LED_A_ON();
1740 LED_B_OFF();
1741 LED_C_OFF();
1742
1743 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1744 ReaderTransmitShort(wupa);
1745 // Receive the ATQA
1746 ReaderReceive(receivedAnswer);
1747 // Transmit SELECT_ALL
1748 ReaderTransmit(sel_all,sizeof(sel_all));
1749 // Receive the UID
1750 ReaderReceive(receivedAnswer);
1751 // Construct SELECT UID command
1752 // First copy the 5 bytes (Mifare Classic) after the 93 70
1753 memcpy(sel_uid+2,receivedAnswer,5);
1754 // Secondly compute the two CRC bytes at the end
1755 AppendCrc14443a(sel_uid,7);
1756
1757 byte_t nt_diff = 0;
1758 LED_A_OFF();
1759 byte_t par = 0;
1760 byte_t par_mask = 0xff;
1761 byte_t par_low = 0;
1762 int led_on = TRUE;
1763
1764 tracing = FALSE;
1765 byte_t nt[4];
1766 byte_t nt_attacked[4];
1767 byte_t par_list[8];
1768 byte_t ks_list[8];
1769 num_to_bytes(parameter,4,nt_attacked);
1770
1771 while(TRUE)
1772 {
1773 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1774 SpinDelay(200);
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1776
1777 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1778 ReaderTransmitShort(wupa);
1779
1780 // Test if the action was cancelled
1781 if(BUTTON_PRESS()) {
1782 break;
1783 }
1784
1785 // Receive the ATQA
1786 if (!ReaderReceive(receivedAnswer)) continue;
1787
1788 // Transmit SELECT_ALL
1789 ReaderTransmit(sel_all,sizeof(sel_all));
1790
1791 // Receive the UID
1792 if (!ReaderReceive(receivedAnswer)) continue;
1793
1794 // Transmit SELECT_UID
1795 ReaderTransmit(sel_uid,sizeof(sel_uid));
1796
1797 // Receive the SAK
1798 if (!ReaderReceive(receivedAnswer)) continue;
1799
1800 // Transmit MIFARE_CLASSIC_AUTH
1801 ReaderTransmit(mf_auth,sizeof(mf_auth));
1802
1803 // Receive the (16 bit) "random" nonce
1804 if (!ReaderReceive(receivedAnswer)) continue;
1805 memcpy(nt,receivedAnswer,4);
1806
1807 // Transmit reader nonce and reader answer
1808 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
1809
1810 // Receive 4 bit answer
1811 if (ReaderReceive(receivedAnswer))
1812 {
1813 if (nt_diff == 0)
1814 {
1815 LED_A_ON();
1816 memcpy(nt_attacked,nt,4);
1817 par_mask = 0xf8;
1818 par_low = par & 0x07;
1819 }
1820
1821 if (memcmp(nt,nt_attacked,4) != 0) continue;
1822
1823 led_on = !led_on;
1824 if(led_on) LED_B_ON(); else LED_B_OFF();
1825 par_list[nt_diff] = par;
1826 ks_list[nt_diff] = receivedAnswer[0]^0x05;
1827
1828 // Test if the information is complete
1829 if (nt_diff == 0x07) break;
1830
1831 nt_diff = (nt_diff+1) & 0x07;
1832 mf_nr_ar[3] = nt_diff << 5;
1833 par = par_low;
1834 } else {
1835 if (nt_diff == 0)
1836 {
1837 par++;
1838 } else {
1839 par = (((par>>3)+1) << 3) | par_low;
1840 }
1841 }
1842 }
1843
1844 LogTraceInfo(sel_uid+2,4);
1845 LogTraceInfo(nt,4);
1846 LogTraceInfo(par_list,8);
1847 LogTraceInfo(ks_list,8);
1848
1849 // Thats it...
1850 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1851 LEDsoff();
1852 tracing = TRUE;
1853 }
Proxmark3 GIT tracking
Impressum, Datenschutz