1 //-----------------------------------------------------------------------------
2 // Routines to support ISO 14443 type A.
4 // Gerhard de Koning Gans - May 2008
5 //-----------------------------------------------------------------------------
9 #include "iso14443crc.h"
11 static uint8_t *trace
= (uint8_t *) BigBuf
;
12 static int traceLen
= 0;
13 static int rsamples
= 0;
14 static int tracing
= TRUE
;
25 static const uint8_t OddByteParity
[256] = {
26 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
27 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
28 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
29 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
30 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
31 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
32 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
33 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
34 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
35 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
44 // BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
45 #define RECV_CMD_OFFSET 3032
46 #define RECV_RES_OFFSET 3096
47 #define DMA_BUFFER_OFFSET 3160
48 #define DMA_BUFFER_SIZE 4096
49 #define TRACE_LENGTH 3000
51 //-----------------------------------------------------------------------------
52 // Generate the parity value for a byte sequence
54 //-----------------------------------------------------------------------------
55 uint32_t GetParity(const uint8_t * pbtCmd
, int iLen
)
60 // Generate the encrypted data
61 for (i
= 0; i
< iLen
; i
++) {
62 // Save the encrypted parity bit
63 dwPar
|= ((OddByteParity
[pbtCmd
[i
]]) << i
);
68 static void AppendCrc14443a(uint8_t* data
, int len
)
70 ComputeCrc14443(CRC_14443_A
,data
,len
,data
+len
,data
+len
+1);
73 int LogTrace(const uint8_t * btBytes
, int iLen
, int iSamples
, uint32_t dwParity
, int bReader
)
75 // Return when trace is full
76 if (traceLen
>= TRACE_LENGTH
) return FALSE
;
78 // Trace the random, i'm curious
80 trace
[traceLen
++] = ((rsamples
>> 0) & 0xff);
81 trace
[traceLen
++] = ((rsamples
>> 8) & 0xff);
82 trace
[traceLen
++] = ((rsamples
>> 16) & 0xff);
83 trace
[traceLen
++] = ((rsamples
>> 24) & 0xff);
85 trace
[traceLen
- 1] |= 0x80;
87 trace
[traceLen
++] = ((dwParity
>> 0) & 0xff);
88 trace
[traceLen
++] = ((dwParity
>> 8) & 0xff);
89 trace
[traceLen
++] = ((dwParity
>> 16) & 0xff);
90 trace
[traceLen
++] = ((dwParity
>> 24) & 0xff);
91 trace
[traceLen
++] = iLen
;
92 memcpy(trace
+ traceLen
, btBytes
, iLen
);
97 int LogTraceInfo(byte_t
* data
, size_t len
)
99 return LogTrace(data
,len
,0,GetParity(data
,len
),TRUE
);
102 //-----------------------------------------------------------------------------
103 // The software UART that receives commands from the reader, and its state
105 //-----------------------------------------------------------------------------
109 STATE_START_OF_COMMUNICATION
,
133 static int MillerDecoding(int bit
)
138 if(!Uart
.bitBuffer
) {
139 Uart
.bitBuffer
= bit
^ 0xFF0;
143 Uart
.bitBuffer
<<= 4;
144 Uart
.bitBuffer
^= bit
;
149 if(Uart
.state
!= STATE_UNSYNCD
) {
152 if((Uart
.bitBuffer
& Uart
.syncBit
) ^ Uart
.syncBit
) {
158 if(((Uart
.bitBuffer
<< 1) & Uart
.syncBit
) ^ Uart
.syncBit
) {
164 if(bit
!= bitright
) { bit
= bitright
; }
166 if(Uart
.posCnt
== 1) {
167 // measurement first half bitperiod
169 Uart
.drop
= DROP_FIRST_HALF
;
173 // measurement second half bitperiod
174 if(!bit
& (Uart
.drop
== DROP_NONE
)) {
175 Uart
.drop
= DROP_SECOND_HALF
;
178 // measured a drop in first and second half
179 // which should not be possible
180 Uart
.state
= STATE_ERROR_WAIT
;
187 case STATE_START_OF_COMMUNICATION
:
189 if(Uart
.drop
== DROP_SECOND_HALF
) {
190 // error, should not happen in SOC
191 Uart
.state
= STATE_ERROR_WAIT
;
196 Uart
.state
= STATE_MILLER_Z
;
203 if(Uart
.drop
== DROP_NONE
) {
204 // logic '0' followed by sequence Y
205 // end of communication
206 Uart
.state
= STATE_UNSYNCD
;
209 // if(Uart.drop == DROP_FIRST_HALF) {
210 // Uart.state = STATE_MILLER_Z; stay the same
211 // we see a logic '0' }
212 if(Uart
.drop
== DROP_SECOND_HALF
) {
213 // we see a logic '1'
214 Uart
.shiftReg
|= 0x100;
215 Uart
.state
= STATE_MILLER_X
;
221 if(Uart
.drop
== DROP_NONE
) {
222 // sequence Y, we see a '0'
223 Uart
.state
= STATE_MILLER_Y
;
226 if(Uart
.drop
== DROP_FIRST_HALF
) {
227 // Would be STATE_MILLER_Z
228 // but Z does not follow X, so error
229 Uart
.state
= STATE_ERROR_WAIT
;
232 if(Uart
.drop
== DROP_SECOND_HALF
) {
233 // We see a '1' and stay in state X
234 Uart
.shiftReg
|= 0x100;
242 if(Uart
.drop
== DROP_NONE
) {
243 // logic '0' followed by sequence Y
244 // end of communication
245 Uart
.state
= STATE_UNSYNCD
;
248 if(Uart
.drop
== DROP_FIRST_HALF
) {
250 Uart
.state
= STATE_MILLER_Z
;
252 if(Uart
.drop
== DROP_SECOND_HALF
) {
253 // We see a '1' and go to state X
254 Uart
.shiftReg
|= 0x100;
255 Uart
.state
= STATE_MILLER_X
;
259 case STATE_ERROR_WAIT
:
260 // That went wrong. Now wait for at least two bit periods
261 // and try to sync again
262 if(Uart
.drop
== DROP_NONE
) {
264 Uart
.state
= STATE_UNSYNCD
;
269 Uart
.state
= STATE_UNSYNCD
;
274 Uart
.drop
= DROP_NONE
;
276 // should have received at least one whole byte...
277 if((Uart
.bitCnt
== 2) && EOC
&& (Uart
.byteCnt
> 0)) {
281 if(Uart
.bitCnt
== 9) {
282 Uart
.output
[Uart
.byteCnt
] = (Uart
.shiftReg
& 0xff);
285 Uart
.parityBits
<<= 1;
286 Uart
.parityBits
^= ((Uart
.shiftReg
>> 8) & 0x01);
289 // when End of Communication received and
290 // all data bits processed..
297 Uart.output[Uart.byteCnt] = 0xAA;
299 Uart.output[Uart.byteCnt] = error & 0xFF;
301 Uart.output[Uart.byteCnt] = 0xAA;
303 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
305 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
307 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
309 Uart.output[Uart.byteCnt] = 0xAA;
317 bit
= Uart
.bitBuffer
& 0xf0;
321 // should have been high or at least (4 * 128) / fc
322 // according to ISO this should be at least (9 * 128 + 20) / fc
323 if(Uart
.highCnt
== 8) {
324 // we went low, so this could be start of communication
325 // it turns out to be safer to choose a less significant
326 // syncbit... so we check whether the neighbour also represents the drop
327 Uart
.posCnt
= 1; // apparently we are busy with our first half bit period
328 Uart
.syncBit
= bit
& 8;
330 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 4; Uart
.samples
= 2; }
331 else if(bit
& 4) { Uart
.syncBit
= bit
& 4; Uart
.samples
= 2; bit
<<= 2; }
332 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 2; Uart
.samples
= 1; }
333 else if(bit
& 2) { Uart
.syncBit
= bit
& 2; Uart
.samples
= 1; bit
<<= 1; }
334 if(!Uart
.syncBit
) { Uart
.syncBit
= bit
& 1; Uart
.samples
= 0;
335 if(Uart
.syncBit
& (Uart
.bitBuffer
& 8)) {
338 // the first half bit period is expected in next sample
343 else if(bit
& 1) { Uart
.syncBit
= bit
& 1; Uart
.samples
= 0; }
346 Uart
.state
= STATE_START_OF_COMMUNICATION
;
347 Uart
.drop
= DROP_FIRST_HALF
;
358 if(Uart
.highCnt
< 8) {
367 //=============================================================================
368 // ISO 14443 Type A - Manchester
369 //=============================================================================
374 DEMOD_START_OF_COMMUNICATION
,
397 static int ManchesterDecoding(int v
)
413 if(Demod
.state
==DEMOD_UNSYNCD
) {
414 Demod
.output
[Demod
.len
] = 0xfa;
417 Demod
.posCount
= 1; // This is the first half bit period, so after syncing handle the second part
418 if(bit
& 0x08) { Demod
.syncBit
= 0x08; }
420 if(bit
& 0x04) { Demod
.syncBit
= 0x04; }
422 else if(bit
& 0x04) { Demod
.syncBit
= 0x04; bit
<<= 4; }
424 if(bit
& 0x02) { Demod
.syncBit
= 0x02; }
426 else if(bit
& 0x02) { Demod
.syncBit
= 0x02; bit
<<= 4; }
428 if(bit
& 0x01) { Demod
.syncBit
= 0x01; }
430 if(Demod
.syncBit
& (Demod
.buffer
& 0x08)) {
431 Demod
.syncBit
= 0x08;
433 // The first half bitperiod is expected in next sample
435 Demod
.output
[Demod
.len
] = 0xfb;
438 else if(bit
& 0x01) { Demod
.syncBit
= 0x01; }
442 Demod
.state
= DEMOD_START_OF_COMMUNICATION
;
443 Demod
.sub
= SUB_FIRST_HALF
;
446 Demod
.parityBits
= 0;
449 switch(Demod
.syncBit
) {
450 case 0x08: Demod
.samples
= 3; break;
451 case 0x04: Demod
.samples
= 2; break;
452 case 0x02: Demod
.samples
= 1; break;
453 case 0x01: Demod
.samples
= 0; break;
460 //modulation = bit & Demod.syncBit;
461 modulation
= ((bit
<< 1) ^ ((Demod
.buffer
& 0x08) >> 3)) & Demod
.syncBit
;
465 if(Demod
.posCount
==0) {
468 Demod
.sub
= SUB_FIRST_HALF
;
471 Demod
.sub
= SUB_NONE
;
476 if(modulation
&& (Demod
.sub
== SUB_FIRST_HALF
)) {
477 if(Demod
.state
!=DEMOD_ERROR_WAIT
) {
478 Demod
.state
= DEMOD_ERROR_WAIT
;
479 Demod
.output
[Demod
.len
] = 0xaa;
483 else if(modulation
) {
484 Demod
.sub
= SUB_SECOND_HALF
;
487 switch(Demod
.state
) {
488 case DEMOD_START_OF_COMMUNICATION
:
489 if(Demod
.sub
== SUB_FIRST_HALF
) {
490 Demod
.state
= DEMOD_MANCHESTER_D
;
493 Demod
.output
[Demod
.len
] = 0xab;
494 Demod
.state
= DEMOD_ERROR_WAIT
;
499 case DEMOD_MANCHESTER_D
:
500 case DEMOD_MANCHESTER_E
:
501 if(Demod
.sub
== SUB_FIRST_HALF
) {
503 Demod
.shiftReg
= (Demod
.shiftReg
>> 1) ^ 0x100;
504 Demod
.state
= DEMOD_MANCHESTER_D
;
506 else if(Demod
.sub
== SUB_SECOND_HALF
) {
508 Demod
.shiftReg
>>= 1;
509 Demod
.state
= DEMOD_MANCHESTER_E
;
512 Demod
.state
= DEMOD_MANCHESTER_F
;
516 case DEMOD_MANCHESTER_F
:
517 // Tag response does not need to be a complete byte!
518 if(Demod
.len
> 0 || Demod
.bitCount
> 0) {
519 if(Demod
.bitCount
> 0) {
520 Demod
.shiftReg
>>= (9 - Demod
.bitCount
);
521 Demod
.output
[Demod
.len
] = Demod
.shiftReg
& 0xff;
523 // No parity bit, so just shift a 0
524 Demod
.parityBits
<<= 1;
527 Demod
.state
= DEMOD_UNSYNCD
;
531 Demod
.output
[Demod
.len
] = 0xad;
532 Demod
.state
= DEMOD_ERROR_WAIT
;
537 case DEMOD_ERROR_WAIT
:
538 Demod
.state
= DEMOD_UNSYNCD
;
542 Demod
.output
[Demod
.len
] = 0xdd;
543 Demod
.state
= DEMOD_UNSYNCD
;
547 if(Demod
.bitCount
>=9) {
548 Demod
.output
[Demod
.len
] = Demod
.shiftReg
& 0xff;
551 Demod
.parityBits
<<= 1;
552 Demod
.parityBits
^= ((Demod
.shiftReg
>> 8) & 0x01);
559 Demod.output[Demod.len] = 0xBB;
561 Demod.output[Demod.len] = error & 0xFF;
563 Demod.output[Demod.len] = 0xBB;
565 Demod.output[Demod.len] = bit & 0xFF;
567 Demod.output[Demod.len] = Demod.buffer & 0xFF;
569 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
571 Demod.output[Demod.len] = 0xBB;
578 } // end (state != UNSYNCED)
583 //=============================================================================
584 // Finally, a `sniffer' for ISO 14443 Type A
585 // Both sides of communication!
586 //=============================================================================
588 //-----------------------------------------------------------------------------
589 // Record the sequence of commands sent by the reader to the tag, with
590 // triggering so that we start recording at the point that the tag is moved
592 //-----------------------------------------------------------------------------
593 void SnoopIso14443a(void)
595 // #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
596 // #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
597 // #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
598 // #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
599 // #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
601 // We won't start recording the frames that we acquire until we trigger;
602 // a good trigger condition to get started is probably when we see a
603 // response from the tag.
604 int triggered
= TRUE
; // FALSE to wait first for card
606 // The command (reader -> tag) that we're receiving.
607 // The length of a received command will in most cases be no more than 18 bytes.
608 // So 32 should be enough!
609 uint8_t *receivedCmd
= (((uint8_t *)BigBuf
) + RECV_CMD_OFFSET
);
610 // The response (tag -> reader) that we're receiving.
611 uint8_t *receivedResponse
= (((uint8_t *)BigBuf
) + RECV_RES_OFFSET
);
613 // As we receive stuff, we copy it from receivedCmd or receivedResponse
614 // into trace, along with its length and other annotations.
615 //uint8_t *trace = (uint8_t *)BigBuf;
618 // The DMA buffer, used to stream samples from the FPGA
619 int8_t *dmaBuf
= ((int8_t *)BigBuf
) + DMA_BUFFER_OFFSET
;
625 // Count of samples received so far, so that we can include timing
626 // information in the trace buffer.
630 memset(trace
, 0x44, RECV_CMD_OFFSET
);
632 // Set up the demodulator for tag -> reader responses.
633 Demod
.output
= receivedResponse
;
635 Demod
.state
= DEMOD_UNSYNCD
;
637 // And the reader -> tag commands
638 memset(&Uart
, 0, sizeof(Uart
));
639 Uart
.output
= receivedCmd
;
640 Uart
.byteCntMax
= 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
641 Uart
.state
= STATE_UNSYNCD
;
643 // And put the FPGA in the appropriate mode
644 // Signal field is off with the appropriate LED
646 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_SNIFFER
);
647 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
649 // Setup for the DMA.
652 lastRxCounter
= DMA_BUFFER_SIZE
;
653 FpgaSetupSscDma((uint8_t *)dmaBuf
, DMA_BUFFER_SIZE
);
657 // And now we loop, receiving samples.
660 int behindBy
= (lastRxCounter
- AT91C_BASE_PDC_SSC
->PDC_RCR
) &
662 if(behindBy
> maxBehindBy
) {
663 maxBehindBy
= behindBy
;
665 DbpString("blew circular buffer!");
669 if(behindBy
< 1) continue;
674 if(upTo
- dmaBuf
> DMA_BUFFER_SIZE
) {
675 upTo
-= DMA_BUFFER_SIZE
;
676 lastRxCounter
+= DMA_BUFFER_SIZE
;
677 AT91C_BASE_PDC_SSC
->PDC_RNPR
= (uint32_t) upTo
;
678 AT91C_BASE_PDC_SSC
->PDC_RNCR
= DMA_BUFFER_SIZE
;
682 #define HANDLE_BIT_IF_BODY \
685 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
686 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
687 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
688 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
689 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
690 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
691 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
692 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
693 trace[traceLen++] = Uart.byteCnt; \
694 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
695 traceLen += Uart.byteCnt; \
696 if(traceLen > TRACE_LENGTH) break; \
698 /* And ready to receive another command. */ \
699 Uart.state = STATE_UNSYNCD; \
700 /* And also reset the demod code, which might have been */ \
701 /* false-triggered by the commands from the reader. */ \
702 Demod.state = DEMOD_UNSYNCD; \
705 if(MillerDecoding((smpl & 0xF0) >> 4)) {
706 rsamples
= samples
- Uart
.samples
;
709 if(ManchesterDecoding(smpl
& 0x0F)) {
710 rsamples
= samples
- Demod
.samples
;
713 // timestamp, as a count of samples
714 trace
[traceLen
++] = ((rsamples
>> 0) & 0xff);
715 trace
[traceLen
++] = ((rsamples
>> 8) & 0xff);
716 trace
[traceLen
++] = ((rsamples
>> 16) & 0xff);
717 trace
[traceLen
++] = 0x80 | ((rsamples
>> 24) & 0xff);
718 trace
[traceLen
++] = ((Demod
.parityBits
>> 0) & 0xff);
719 trace
[traceLen
++] = ((Demod
.parityBits
>> 8) & 0xff);
720 trace
[traceLen
++] = ((Demod
.parityBits
>> 16) & 0xff);
721 trace
[traceLen
++] = ((Demod
.parityBits
>> 24) & 0xff);
723 trace
[traceLen
++] = Demod
.len
;
724 memcpy(trace
+traceLen
, receivedResponse
, Demod
.len
);
725 traceLen
+= Demod
.len
;
726 if(traceLen
> TRACE_LENGTH
) break;
730 // And ready to receive another response.
731 memset(&Demod
, 0, sizeof(Demod
));
732 Demod
.output
= receivedResponse
;
733 Demod
.state
= DEMOD_UNSYNCD
;
738 DbpString("cancelled_a");
743 DbpString("COMMAND FINISHED");
745 Dbprintf("%x %x %x", maxBehindBy
, Uart
.state
, Uart
.byteCnt
);
746 Dbprintf("%x %x %x", Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]);
749 AT91C_BASE_PDC_SSC
->PDC_PTCR
= AT91C_PDC_RXTDIS
;
750 Dbprintf("%x %x %x", maxBehindBy
, Uart
.state
, Uart
.byteCnt
);
751 Dbprintf("%x %x %x", Uart
.byteCntMax
, traceLen
, (int)Uart
.output
[0]);
758 // Prepare communication bits to send to FPGA
759 void Sequence(SecType seq
)
765 // Sequence D: 11110000
766 // modulation with subcarrier during first half
767 ToSend
[ToSendMax
] = 0xf0;
770 // Sequence E: 00001111
771 // modulation with subcarrier during second half
772 ToSend
[ToSendMax
] = 0x0f;
775 // Sequence F: 00000000
776 // no modulation with subcarrier
777 ToSend
[ToSendMax
] = 0x00;
781 // Sequence X: 00001100
782 // drop after half a period
783 ToSend
[ToSendMax
] = 0x0c;
787 // Sequence Y: 00000000
789 ToSend
[ToSendMax
] = 0x00;
792 // Sequence Z: 11000000
794 ToSend
[ToSendMax
] = 0xc0;
799 //-----------------------------------------------------------------------------
800 // Prepare tag messages
801 //-----------------------------------------------------------------------------
802 static void CodeIso14443aAsTag(const uint8_t *cmd
, int len
)
809 // Correction bit, might be removed when not needed
814 ToSendStuffBit(1); // 1
822 for(i
= 0; i
< len
; i
++) {
828 for(j
= 0; j
< 8; j
++) {
829 oddparity
^= (b
& 1);
849 // Flush the buffer in FPGA!!
850 for(i
= 0; i
< 5; i
++) {
854 // Convert from last byte pos to length
857 // Add a few more for slop
858 ToSend
[ToSendMax
++] = 0x00;
859 ToSend
[ToSendMax
++] = 0x00;
863 //-----------------------------------------------------------------------------
864 // This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
865 //-----------------------------------------------------------------------------
866 static void CodeStrangeAnswer()
872 // Correction bit, might be removed when not needed
877 ToSendStuffBit(1); // 1
897 // Flush the buffer in FPGA!!
898 for(i
= 0; i
< 5; i
++) {
902 // Convert from last byte pos to length
905 // Add a few more for slop
906 ToSend
[ToSendMax
++] = 0x00;
907 ToSend
[ToSendMax
++] = 0x00;
911 //-----------------------------------------------------------------------------
912 // Wait for commands from reader
913 // Stop when button is pressed
914 // Or return TRUE when command is captured
915 //-----------------------------------------------------------------------------
916 static int GetIso14443aCommandFromReader(uint8_t *received
, int *len
, int maxLen
)
918 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
919 // only, since we are receiving, not transmitting).
920 // Signal field is off with the appropriate LED
922 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_LISTEN
);
924 // Now run a `software UART' on the stream of incoming samples.
925 Uart
.output
= received
;
926 Uart
.byteCntMax
= maxLen
;
927 Uart
.state
= STATE_UNSYNCD
;
932 if(BUTTON_PRESS()) return FALSE
;
934 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
935 AT91C_BASE_SSC
->SSC_THR
= 0x00;
937 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
938 uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
939 if(MillerDecoding((b
& 0xf0) >> 4)) {
943 if(MillerDecoding(b
& 0x0f)) {
951 //-----------------------------------------------------------------------------
952 // Main loop of simulated tag: receive commands from reader, decide what
953 // response to send, and send it.
954 //-----------------------------------------------------------------------------
955 void SimulateIso14443aTag(int tagType
, int TagUid
)
957 // This function contains the tag emulation
959 // Prepare protocol messages
960 // static const uint8_t cmd1[] = { 0x26 };
961 // static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
963 static const uint8_t response1
[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
964 // static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
967 // static const uint8_t cmd2[] = { 0x93, 0x20 };
968 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
973 static const uint8_t response2
[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
976 // When reader selects us during cascade1 it will send cmd3
977 //uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
978 uint8_t response3
[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
979 ComputeCrc14443(CRC_14443_A
, response3
, 1, &response3
[1], &response3
[2]);
981 // send cascade2 2nd half of UID
982 static const uint8_t response2a
[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
983 // NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
986 // When reader selects us during cascade2 it will send cmd3a
987 //uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
988 uint8_t response3a
[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
989 ComputeCrc14443(CRC_14443_A
, response3a
, 1, &response3a
[1], &response3a
[2]);
991 static const uint8_t response5
[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
996 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
998 // 144 data bits (18 * 8)
1001 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1002 // 1 just for the case
1006 // 166 bytes, since every bit that needs to be send costs us a byte
1010 // Respond with card type
1011 uint8_t *resp1
= (((uint8_t *)BigBuf
) + 800);
1014 // Anticollision cascade1 - respond with uid
1015 uint8_t *resp2
= (((uint8_t *)BigBuf
) + 970);
1018 // Anticollision cascade2 - respond with 2nd half of uid if asked
1019 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1020 uint8_t *resp2a
= (((uint8_t *)BigBuf
) + 1140);
1023 // Acknowledge select - cascade 1
1024 uint8_t *resp3
= (((uint8_t *)BigBuf
) + 1310);
1027 // Acknowledge select - cascade 2
1028 uint8_t *resp3a
= (((uint8_t *)BigBuf
) + 1480);
1031 // Response to a read request - not implemented atm
1032 uint8_t *resp4
= (((uint8_t *)BigBuf
) + 1550);
1035 // Authenticate response - nonce
1036 uint8_t *resp5
= (((uint8_t *)BigBuf
) + 1720);
1039 uint8_t *receivedCmd
= (uint8_t *)BigBuf
;
1046 // To control where we are in the protocol
1050 // Just to allow some checks
1058 memset(receivedCmd
, 0x44, 400);
1060 // Prepare the responses of the anticollision phase
1061 // there will be not enough time to do this at the moment the reader sends it REQA
1063 // Answer to request
1064 CodeIso14443aAsTag(response1
, sizeof(response1
));
1065 memcpy(resp1
, ToSend
, ToSendMax
); resp1Len
= ToSendMax
;
1067 // Send our UID (cascade 1)
1068 CodeIso14443aAsTag(response2
, sizeof(response2
));
1069 memcpy(resp2
, ToSend
, ToSendMax
); resp2Len
= ToSendMax
;
1071 // Answer to select (cascade1)
1072 CodeIso14443aAsTag(response3
, sizeof(response3
));
1073 memcpy(resp3
, ToSend
, ToSendMax
); resp3Len
= ToSendMax
;
1075 // Send the cascade 2 2nd part of the uid
1076 CodeIso14443aAsTag(response2a
, sizeof(response2a
));
1077 memcpy(resp2a
, ToSend
, ToSendMax
); resp2aLen
= ToSendMax
;
1079 // Answer to select (cascade 2)
1080 CodeIso14443aAsTag(response3a
, sizeof(response3a
));
1081 memcpy(resp3a
, ToSend
, ToSendMax
); resp3aLen
= ToSendMax
;
1083 // Strange answer is an example of rare message size (3 bits)
1084 CodeStrangeAnswer();
1085 memcpy(resp4
, ToSend
, ToSendMax
); resp4Len
= ToSendMax
;
1087 // Authentication answer (random nonce)
1088 CodeIso14443aAsTag(response5
, sizeof(response5
));
1089 memcpy(resp5
, ToSend
, ToSendMax
); resp5Len
= ToSendMax
;
1091 // We need to listen to the high-frequency, peak-detected path.
1092 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1100 if(!GetIso14443aCommandFromReader(receivedCmd
, &len
, 100)) {
1101 DbpString("button press");
1104 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1105 // Okay, look at the command now.
1107 i
= 1; // first byte transmitted
1108 if(receivedCmd
[0] == 0x26) {
1109 // Received a REQUEST
1110 resp
= resp1
; respLen
= resp1Len
; order
= 1;
1111 //DbpString("Hello request from reader:");
1112 } else if(receivedCmd
[0] == 0x52) {
1113 // Received a WAKEUP
1114 resp
= resp1
; respLen
= resp1Len
; order
= 6;
1115 // //DbpString("Wakeup request from reader:");
1117 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] == 0x93) { // greg - cascade 1 anti-collision
1118 // Received request for UID (cascade 1)
1119 resp
= resp2
; respLen
= resp2Len
; order
= 2;
1120 // DbpString("UID (cascade 1) request from reader:");
1121 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1124 } else if(receivedCmd
[1] == 0x20 && receivedCmd
[0] ==0x95) { // greg - cascade 2 anti-collision
1125 // Received request for UID (cascade 2)
1126 resp
= resp2a
; respLen
= resp2aLen
; order
= 20;
1127 // DbpString("UID (cascade 2) request from reader:");
1128 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1131 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] ==0x93) { // greg - cascade 1 select
1132 // Received a SELECT
1133 resp
= resp3
; respLen
= resp3Len
; order
= 3;
1134 // DbpString("Select (cascade 1) request from reader:");
1135 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1138 } else if(receivedCmd
[1] == 0x70 && receivedCmd
[0] ==0x95) { // greg - cascade 2 select
1139 // Received a SELECT
1140 resp
= resp3a
; respLen
= resp3aLen
; order
= 30;
1141 // DbpString("Select (cascade 2) request from reader:");
1142 // DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1145 } else if(receivedCmd
[0] == 0x30) {
1147 resp
= resp4
; respLen
= resp4Len
; order
= 4; // Do nothing
1148 Dbprintf("Read request from reader: %x %x %x",
1149 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]);
1152 } else if(receivedCmd
[0] == 0x50) {
1154 resp
= resp1
; respLen
= 0; order
= 5; // Do nothing
1155 DbpString("Reader requested we HALT!:");
1157 } else if(receivedCmd
[0] == 0x60) {
1158 // Received an authentication request
1159 resp
= resp5
; respLen
= resp5Len
; order
= 7;
1160 Dbprintf("Authenticate request from reader: %x %x %x",
1161 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]);
1163 } else if(receivedCmd
[0] == 0xE0) {
1164 // Received a RATS request
1165 resp
= resp1
; respLen
= 0;order
= 70;
1166 Dbprintf("RATS request from reader: %x %x %x",
1167 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2]);
1169 // Never seen this command before
1170 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1171 receivedCmd
[0], receivedCmd
[1], receivedCmd
[2],
1172 receivedCmd
[3], receivedCmd
[3], receivedCmd
[4],
1173 receivedCmd
[5], receivedCmd
[6], receivedCmd
[7]);
1175 resp
= resp1
; respLen
= 0; order
= 0;
1178 // Count number of wakeups received after a halt
1179 if(order
== 6 && lastorder
== 5) { happened
++; }
1181 // Count number of other messages after a halt
1182 if(order
!= 6 && lastorder
== 5) { happened2
++; }
1184 // Look at last parity bit to determine timing of answer
1185 if((Uart
.parityBits
& 0x01) || receivedCmd
[0] == 0x52) {
1186 // 1236, so correction bit needed
1190 memset(receivedCmd
, 0x44, 32);
1192 if(cmdsRecvd
> 999) {
1193 DbpString("1000 commands later...");
1200 if(respLen
<= 0) continue;
1202 // Modulate Manchester
1203 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_TAGSIM_MOD
);
1204 AT91C_BASE_SSC
->SSC_THR
= 0x00;
1207 // ### Transmit the response ###
1210 fdt_indicator
= FALSE
;
1212 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1213 volatile uint8_t b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1216 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1224 AT91C_BASE_SSC
->SSC_THR
= b
;
1230 if(BUTTON_PRESS()) {
1237 Dbprintf("%x %x %x", happened
, happened2
, cmdsRecvd
);
1241 //-----------------------------------------------------------------------------
1242 // Transmit the command (to the tag) that was placed in ToSend[].
1243 //-----------------------------------------------------------------------------
1244 static void TransmitFor14443a(const uint8_t *cmd
, int len
, int *samples
, int *wait
)
1248 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1254 for(c
= 0; c
< *wait
;) {
1255 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1256 AT91C_BASE_SSC
->SSC_THR
= 0x00; // For exact timing!
1259 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1260 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
1268 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1269 AT91C_BASE_SSC
->SSC_THR
= cmd
[c
];
1275 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1276 volatile uint32_t r
= AT91C_BASE_SSC
->SSC_RHR
;
1281 if (samples
) *samples
= (c
+ *wait
) << 3;
1284 //-----------------------------------------------------------------------------
1285 // To generate an arbitrary stream from reader
1287 //-----------------------------------------------------------------------------
1288 void ArbitraryFromReader(const uint8_t *cmd
, int parity
, int len
)
1297 // Start of Communication (Seq. Z)
1301 for(i
= 0; i
< len
; i
++) {
1304 for(j
= 0; j
< 8; j
++) {
1324 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1325 if(((parity
>> (len
- i
- 1)) & 1)) {
1342 // End of Communication
1360 // Convert from last character reference to length
1364 //-----------------------------------------------------------------------------
1365 // Code a 7-bit command without parity bit
1366 // This is especially for 0x26 and 0x52 (REQA and WUPA)
1367 //-----------------------------------------------------------------------------
1368 void ShortFrameFromReader(const uint8_t bt
)
1376 // Start of Communication (Seq. Z)
1381 for(j
= 0; j
< 7; j
++) {
1400 // End of Communication
1418 // Convert from last character reference to length
1422 //-----------------------------------------------------------------------------
1423 // Prepare reader command to send to FPGA
1425 //-----------------------------------------------------------------------------
1426 void CodeIso14443aAsReaderPar(const uint8_t * cmd
, int len
, uint32_t dwParity
)
1434 // Start of Communication (Seq. Z)
1438 // Generate send structure for the data bits
1439 for (i
= 0; i
< len
; i
++) {
1440 // Get the current byte to send
1443 for (j
= 0; j
< 8; j
++) {
1461 // Get the parity bit
1462 if ((dwParity
>> i
) & 0x01) {
1478 // End of Communication
1495 // Convert from last character reference to length
1499 //-----------------------------------------------------------------------------
1500 // Wait a certain time for tag response
1501 // If a response is captured return TRUE
1502 // If it takes to long return FALSE
1503 //-----------------------------------------------------------------------------
1504 static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse
, int maxLen
, int *samples
, int *elapsed
) //uint8_t *buffer
1506 // buffer needs to be 512 bytes
1509 // Set FPGA mode to "reader listen mode", no modulation (listen
1510 // only, since we are receiving, not transmitting).
1511 // Signal field is on with the appropriate LED
1513 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_LISTEN
);
1515 // Now get the answer from the card
1516 Demod
.output
= receivedResponse
;
1518 Demod
.state
= DEMOD_UNSYNCD
;
1521 if (elapsed
) *elapsed
= 0;
1527 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_TXRDY
)) {
1528 AT91C_BASE_SSC
->SSC_THR
= 0x00; // To make use of exact timing of next command from reader!!
1529 if (elapsed
) (*elapsed
)++;
1531 if(AT91C_BASE_SSC
->SSC_SR
& (AT91C_SSC_RXRDY
)) {
1532 if(c
< 512) { c
++; } else { return FALSE
; }
1533 b
= (uint8_t)AT91C_BASE_SSC
->SSC_RHR
;
1534 if(ManchesterDecoding((b
& 0xf0) >> 4)) {
1535 *samples
= ((c
- 1) << 3) + 4;
1538 if(ManchesterDecoding(b
& 0x0f)) {
1546 void ReaderTransmitShort(const uint8_t* bt
)
1551 ShortFrameFromReader(*bt
);
1554 TransmitFor14443a(ToSend
, ToSendMax
, &samples
, &wait
);
1556 // Store reader command in buffer
1557 if (tracing
) LogTrace(bt
,1,0,GetParity(bt
,1),TRUE
);
1560 void ReaderTransmitPar(uint8_t* frame
, int len
, uint32_t par
)
1565 // This is tied to other size changes
1566 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1567 CodeIso14443aAsReaderPar(frame
,len
,par
);
1570 TransmitFor14443a(ToSend
, ToSendMax
, &samples
, &wait
);
1572 // Store reader command in buffer
1573 if (tracing
) LogTrace(frame
,len
,0,par
,TRUE
);
1577 void ReaderTransmit(uint8_t* frame
, int len
)
1579 // Generate parity and redirect
1580 ReaderTransmitPar(frame
,len
,GetParity(frame
,len
));
1583 int ReaderReceive(uint8_t* receivedAnswer
)
1586 if (!GetIso14443aAnswerFromTag(receivedAnswer
,100,&samples
,0)) return FALSE
;
1587 if (tracing
) LogTrace(receivedAnswer
,Demod
.len
,samples
,Demod
.parityBits
,FALSE
);
1591 //-----------------------------------------------------------------------------
1592 // Read an ISO 14443a tag. Send out commands and store answers.
1594 //-----------------------------------------------------------------------------
1595 void ReaderIso14443a(uint32_t parameter
)
1598 uint8_t wupa
[] = { 0x52 };
1599 uint8_t sel_all
[] = { 0x93,0x20 };
1600 uint8_t sel_uid
[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1601 uint8_t sel_all_c2
[] = { 0x95,0x20 };
1602 uint8_t sel_uid_c2
[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1605 uint8_t mf_auth
[] = { 0x60,0x00,0xf5,0x7b };
1606 // uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
1608 uint8_t* receivedAnswer
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1614 // Start from off (no field generated)
1615 // Signal field is off with the appropriate LED
1617 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1620 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1623 // Now give it time to spin up.
1624 // Signal field is on with the appropriate LED
1626 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1633 while(traceLen
< TRACE_LENGTH
)
1635 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1636 ReaderTransmitShort(wupa
);
1638 // Test if the action was cancelled
1639 if(BUTTON_PRESS()) {
1644 if (!ReaderReceive(receivedAnswer
)) continue;
1646 // Transmit SELECT_ALL
1647 ReaderTransmit(sel_all
,sizeof(sel_all
));
1650 if (!ReaderReceive(receivedAnswer
)) continue;
1652 // Construct SELECT UID command
1653 // First copy the 5 bytes (Mifare Classic) after the 93 70
1654 memcpy(sel_uid
+2,receivedAnswer
,5);
1655 // Secondly compute the two CRC bytes at the end
1656 AppendCrc14443a(sel_uid
,7);
1658 // Transmit SELECT_UID
1659 ReaderTransmit(sel_uid
,sizeof(sel_uid
));
1662 if (!ReaderReceive(receivedAnswer
)) continue;
1664 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1665 // which case we need to make a cascade 2 request and select - this is a long UID
1666 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1667 if (receivedAnswer
[0] &= 0x04)
1669 // Transmit SELECT_ALL
1670 ReaderTransmit(sel_all_c2
,sizeof(sel_all_c2
));
1673 if (!ReaderReceive(receivedAnswer
)) continue;
1675 // Construct SELECT UID command
1676 memcpy(sel_uid_c2
+2,receivedAnswer
,5);
1677 // Secondly compute the two CRC bytes at the end
1678 AppendCrc14443a(sel_uid_c2
,7);
1680 // Transmit SELECT_UID
1681 ReaderTransmit(sel_uid_c2
,sizeof(sel_uid_c2
));
1684 if (!ReaderReceive(receivedAnswer
)) continue;
1687 // Transmit MIFARE_CLASSIC_AUTH
1688 ReaderTransmit(mf_auth
,sizeof(mf_auth
));
1690 // Receive the (16 bit) "random" nonce
1691 if (!ReaderReceive(receivedAnswer
)) continue;
1695 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1697 Dbprintf("%x %x %x", rsamples
, 0xCC, 0xCC);
1698 DbpString("ready..");
1701 //-----------------------------------------------------------------------------
1702 // Read an ISO 14443a tag. Send out commands and store answers.
1704 //-----------------------------------------------------------------------------
1705 void ReaderMifare(uint32_t parameter
)
1709 uint8_t wupa
[] = { 0x52 };
1710 uint8_t sel_all
[] = { 0x93,0x20 };
1711 uint8_t sel_uid
[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1714 uint8_t mf_auth
[] = { 0x60,0x00,0xf5,0x7b };
1715 uint8_t mf_nr_ar
[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1717 uint8_t* receivedAnswer
= (((uint8_t *)BigBuf
) + 3560); // was 3560 - tied to other size changes
1724 // Start from off (no field generated)
1725 // Signal field is off with the appropriate LED
1727 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1730 SetAdcMuxFor(GPIO_MUXSEL_HIPKD
);
1733 // Now give it time to spin up.
1734 // Signal field is on with the appropriate LED
1736 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1743 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1744 ReaderTransmitShort(wupa
);
1746 ReaderReceive(receivedAnswer
);
1747 // Transmit SELECT_ALL
1748 ReaderTransmit(sel_all
,sizeof(sel_all
));
1750 ReaderReceive(receivedAnswer
);
1751 // Construct SELECT UID command
1752 // First copy the 5 bytes (Mifare Classic) after the 93 70
1753 memcpy(sel_uid
+2,receivedAnswer
,5);
1754 // Secondly compute the two CRC bytes at the end
1755 AppendCrc14443a(sel_uid
,7);
1760 byte_t par_mask
= 0xff;
1766 byte_t nt_attacked
[4];
1769 num_to_bytes(parameter
,4,nt_attacked
);
1773 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);
1775 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A
| FPGA_HF_ISO14443A_READER_MOD
);
1777 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1778 ReaderTransmitShort(wupa
);
1780 // Test if the action was cancelled
1781 if(BUTTON_PRESS()) {
1786 if (!ReaderReceive(receivedAnswer
)) continue;
1788 // Transmit SELECT_ALL
1789 ReaderTransmit(sel_all
,sizeof(sel_all
));
1792 if (!ReaderReceive(receivedAnswer
)) continue;
1794 // Transmit SELECT_UID
1795 ReaderTransmit(sel_uid
,sizeof(sel_uid
));
1798 if (!ReaderReceive(receivedAnswer
)) continue;
1800 // Transmit MIFARE_CLASSIC_AUTH
1801 ReaderTransmit(mf_auth
,sizeof(mf_auth
));
1803 // Receive the (16 bit) "random" nonce
1804 if (!ReaderReceive(receivedAnswer
)) continue;
1805 memcpy(nt
,receivedAnswer
,4);
1807 // Transmit reader nonce and reader answer
1808 ReaderTransmitPar(mf_nr_ar
,sizeof(mf_nr_ar
),par
);
1810 // Receive 4 bit answer
1811 if (ReaderReceive(receivedAnswer
))
1816 memcpy(nt_attacked
,nt
,4);
1818 par_low
= par
& 0x07;
1821 if (memcmp(nt
,nt_attacked
,4) != 0) continue;
1824 if(led_on
) LED_B_ON(); else LED_B_OFF();
1825 par_list
[nt_diff
] = par
;
1826 ks_list
[nt_diff
] = receivedAnswer
[0]^0x05;
1828 // Test if the information is complete
1829 if (nt_diff
== 0x07) break;
1831 nt_diff
= (nt_diff
+1) & 0x07;
1832 mf_nr_ar
[3] = nt_diff
<< 5;
1839 par
= (((par
>>3)+1) << 3) | par_low
;
1844 LogTraceInfo(sel_uid
+2,4);
1846 LogTraceInfo(par_list
,8);
1847 LogTraceInfo(ks_list
,8);
1850 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF
);