]> git.zerfleddert.de Git - proxmark3-svn/blob - armsrc/hitagS.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add raw HF signal plotting (#786)
[proxmark3-svn] / armsrc / hitagS.c
1 //-----------------------------------------------------------------------------
2 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
3 // at your option, any later version. See the LICENSE.txt file for the text of
4 // the license.
5 //-----------------------------------------------------------------------------
6 // HitagS emulation (preliminary test version)
7 //
8 // (c) 2016 Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg
9 // <info@os-s.de>
10 //-----------------------------------------------------------------------------
11 // Some code was copied from Hitag2.c
12 //-----------------------------------------------------------------------------
13
14
15 #include <stdlib.h>
16 #include "proxmark3.h"
17 #include "apps.h"
18 #include "util.h"
19 #include "hitagS.h"
20 #include "hitag2.h"
21 #include "string.h"
22 #include "BigBuf.h"
23 #include "fpgaloader.h"
24
25 #define CRC_PRESET 0xFF
26 #define CRC_POLYNOM 0x1D
27
28 #define u8 uint8_t
29 #define u32 uint32_t
30 #define u64 uint64_t
31 #define rev8(x) ((((x)>>7)&1)+((((x)>>6)&1)<<1)+((((x)>>5)&1)<<2)+((((x)>>4)&1)<<3)+((((x)>>3)&1)<<4)+((((x)>>2)&1)<<5)+((((x)>>1)&1)<<6)+(((x)&1)<<7))
32 #define rev16(x) (rev8 (x)+(rev8 (x>> 8)<< 8))
33 #define rev32(x) (rev16(x)+(rev16(x>>16)<<16))
34 #define rev64(x) (rev32(x)+(rev32(x>>32)<<32))
35 #define bit(x,n) (((x)>>(n))&1)
36 #define bit32(x,n) ((((x)[(n)>>5])>>((n)))&1)
37 #define inv32(x,i,n) ((x)[(i)>>5]^=((u32)(n))<<((i)&31))
38 #define rotl64(x, n) ((((u64)(x))<<((n)&63))+(((u64)(x))>>((0-(n))&63)))
39
40 static bool bQuiet;
41 static bool bSuccessful;
42 static struct hitagS_tag tag;
43 static byte_t page_to_be_written = 0;
44 static int block_data_left = 0;
45 typedef enum modulation {
46 AC2K = 0, AC4K, MC4K, MC8K
47 } MOD;
48 static MOD m = AC2K; //used modulation
49 static uint32_t temp_uid;
50 static int temp2 = 0;
51 static int sof_bits; //number of start-of-frame bits
52 static byte_t pwdh0, pwdl0, pwdl1; //password bytes
53 static uint32_t rnd = 0x74124485; //randomnumber
54 static int test = 0;
55 size_t blocknr;
56 bool end=false;
57
58 // Single bit Hitag2 functions:
59 #define i4(x,a,b,c,d) ((u32)((((x)>>(a))&1)+(((x)>>(b))&1)*2+(((x)>>(c))&1)*4+(((x)>>(d))&1)*8))
60 static const u32 ht2_f4a = 0x2C79; // 0010 1100 0111 1001
61 static const u32 ht2_f4b = 0x6671; // 0110 0110 0111 0001
62 static const u32 ht2_f5c = 0x7907287B; // 0111 1001 0000 0111 0010 1000 0111 1011
63 #define ht2bs_4a(a,b,c,d) (~(((a|b)&c)^(a|d)^b))
64 #define ht2bs_4b(a,b,c,d) (~(((d|c)&(a^b))^(d|a|b)))
65 #define ht2bs_5c(a,b,c,d,e) (~((((((c^e)|d)&a)^b)&(c^b))^(((d^e)|a)&((d^b)|c))))
66 #define uf20bs u32
67
68 static u32 f20(const u64 x) {
69 u32 i5;
70
71 i5 = ((ht2_f4a >> i4(x, 1, 2, 4, 5)) & 1) * 1
72 + ((ht2_f4b >> i4(x, 7, 11, 13, 14)) & 1) * 2
73 + ((ht2_f4b >> i4(x, 16, 20, 22, 25)) & 1) * 4
74 + ((ht2_f4b >> i4(x, 27, 28, 30, 32)) & 1) * 8
75 + ((ht2_f4a >> i4(x, 33, 42, 43, 45)) & 1) * 16;
76
77 return (ht2_f5c >> i5) & 1;
78 }
79 static u64 hitag2_round(u64 *state) {
80 u64 x = *state;
81
82 x = (x >> 1)
83 + ((((x >> 0) ^ (x >> 2) ^ (x >> 3) ^ (x >> 6) ^ (x >> 7) ^ (x >> 8)
84 ^ (x >> 16) ^ (x >> 22) ^ (x >> 23) ^ (x >> 26) ^ (x >> 30)
85 ^ (x >> 41) ^ (x >> 42) ^ (x >> 43) ^ (x >> 46) ^ (x >> 47))
86 & 1) << 47);
87
88 *state = x;
89 return f20(x);
90 }
91 static u64 hitag2_init(const u64 key, const u32 serial, const u32 IV) {
92 u32 i;
93 u64 x = ((key & 0xFFFF) << 32) + serial;
94 for (i = 0; i < 32; i++) {
95 x >>= 1;
96 x += (u64) (f20(x) ^ (((IV >> i) ^ (key >> (i + 16))) & 1)) << 47;
97 }
98 return x;
99 }
100 static u32 hitag2_byte(u64 *x) {
101 u32 i, c;
102
103 for (i = 0, c = 0; i < 8; i++)
104 c += (u32) hitag2_round(x) << (i ^ 7);
105 return c;
106 }
107
108 // Sam7s has several timers, we will use the source TIMER_CLOCK1 (aka AT91C_TC_CLKS_TIMER_DIV1_CLOCK)
109 // TIMER_CLOCK1 = MCK/2, MCK is running at 48 MHz, Timer is running at 48/2 = 24 MHz
110 // Hitag units (T0) have duration of 8 microseconds (us), which is 1/125000 per second (carrier)
111 // T0 = TIMER_CLOCK1 / 125000 = 192
112 #define T0 192
113
114 #define SHORT_COIL() LOW(GPIO_SSC_DOUT)
115 #define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
116
117 #define HITAG_FRAME_LEN 20
118 #define HITAG_T_STOP 36 /* T_EOF should be > 36 */
119 #define HITAG_T_LOW 8 /* T_LOW should be 4..10 */
120 #define HITAG_T_0_MIN 15 /* T[0] should be 18..22 */
121 #define HITAG_T_1_MIN 25 /* T[1] should be 26..30 */
122 //#define HITAG_T_EOF 40 /* T_EOF should be > 36 */
123 #define HITAG_T_EOF 80 /* T_EOF should be > 36 */
124 #define HITAG_T_WAIT_1 200 /* T_wresp should be 199..206 */
125 #define HITAG_T_WAIT_2 90 /* T_wresp should be 199..206 */
126 #define HITAG_T_WAIT_MAX 300 /* bit more than HITAG_T_WAIT_1 + HITAG_T_WAIT_2 */
127
128 #define HITAG_T_TAG_ONE_HALF_PERIOD 10
129 #define HITAG_T_TAG_TWO_HALF_PERIOD 25
130 #define HITAG_T_TAG_THREE_HALF_PERIOD 41
131 #define HITAG_T_TAG_FOUR_HALF_PERIOD 57
132
133 #define HITAG_T_TAG_HALF_PERIOD 16
134 #define HITAG_T_TAG_FULL_PERIOD 32
135
136 #define HITAG_T_TAG_CAPTURE_ONE_HALF 13
137 #define HITAG_T_TAG_CAPTURE_TWO_HALF 25
138 #define HITAG_T_TAG_CAPTURE_THREE_HALF 41
139 #define HITAG_T_TAG_CAPTURE_FOUR_HALF 57
140
141 #define DEBUG 0
142
143 /*
144 * Implementation of the crc8 calculation from Hitag S
145 * from http://www.proxmark.org/files/Documents/125%20kHz%20-%20Hitag/HitagS.V11.pdf
146 */
147 void calc_crc(unsigned char * crc, unsigned char data, unsigned char Bitcount) {
148 *crc ^= data; // crc = crc (exor) data
149 do {
150 if (*crc & 0x80) // if (MSB-CRC == 1)
151 {
152 *crc <<= 1; // CRC = CRC Bit-shift left
153 *crc ^= CRC_POLYNOM; // CRC = CRC (exor) CRC_POLYNOM
154 } else {
155 *crc <<= 1; // CRC = CRC Bit-shift left
156 }
157 } while (--Bitcount);
158 }
159
160
161 static void hitag_send_bit(int bit) {
162 LED_A_ON();
163 // Reset clock for the next bit
164 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
165
166 switch (m) {
167 case AC2K:
168 if (bit == 0) {
169 // AC Coding --__
170 HIGH(GPIO_SSC_DOUT);
171 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
172 ;
173 LOW(GPIO_SSC_DOUT);
174 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
175 ;
176 } else {
177 // AC coding -_-_
178 HIGH(GPIO_SSC_DOUT);
179 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
180 ;
181 LOW(GPIO_SSC_DOUT);
182 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
183 ;
184 HIGH(GPIO_SSC_DOUT);
185 while (AT91C_BASE_TC0->TC_CV < T0 * 48)
186 ;
187 LOW(GPIO_SSC_DOUT);
188 while (AT91C_BASE_TC0->TC_CV < T0 * 64)
189 ;;
190 }
191 LED_A_OFF();
192 break;
193 case AC4K:
194 if (bit == 0) {
195 // AC Coding --__
196 HIGH(GPIO_SSC_DOUT);
197 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_HALF_PERIOD)
198 ;
199 LOW(GPIO_SSC_DOUT);
200 while (AT91C_BASE_TC0->TC_CV < T0 * HITAG_T_TAG_FULL_PERIOD)
201 ;
202 } else {
203 // AC coding -_-_
204 HIGH(GPIO_SSC_DOUT);
205 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
206 ;
207 LOW(GPIO_SSC_DOUT);
208 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
209 ;
210 HIGH(GPIO_SSC_DOUT);
211 while (AT91C_BASE_TC0->TC_CV < T0 * 24)
212 ;
213 LOW(GPIO_SSC_DOUT);
214 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
215 ;
216 }
217 LED_A_OFF();
218 break;
219 case MC4K:
220 if (bit == 0) {
221 // Manchester: Unloaded, then loaded |__--|
222 LOW(GPIO_SSC_DOUT);
223 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
224 ;
225 HIGH(GPIO_SSC_DOUT);
226 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
227 ;
228 } else {
229 // Manchester: Loaded, then unloaded |--__|
230 HIGH(GPIO_SSC_DOUT);
231 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
232 ;
233 LOW(GPIO_SSC_DOUT);
234 while (AT91C_BASE_TC0->TC_CV < T0 * 32)
235 ;
236 }
237 LED_A_OFF();
238 break;
239 case MC8K:
240 if (bit == 0) {
241 // Manchester: Unloaded, then loaded |__--|
242 LOW(GPIO_SSC_DOUT);
243 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
244 ;
245 HIGH(GPIO_SSC_DOUT);
246 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
247 ;
248 } else {
249 // Manchester: Loaded, then unloaded |--__|
250 HIGH(GPIO_SSC_DOUT);
251 while (AT91C_BASE_TC0->TC_CV < T0 * 8)
252 ;
253 LOW(GPIO_SSC_DOUT);
254 while (AT91C_BASE_TC0->TC_CV < T0 * 16)
255 ;
256 }
257 LED_A_OFF();
258 break;
259 default:
260 break;
261 }
262 }
263
264 static void hitag_tag_send_frame(const byte_t* frame, size_t frame_len) {
265 // Send start of frame
266 for (size_t i = 0; i < sof_bits; i++) {
267 hitag_send_bit(1);
268 }
269
270 // Send the content of the frame
271 for (size_t i = 0; i < frame_len; i++) {
272 hitag_send_bit((frame[i / 8] >> (7 - (i % 8))) & 1);
273 }
274 // Drop the modulation
275 LOW(GPIO_SSC_DOUT);
276 }
277
278 static void hitag_reader_send_bit(int bit) {
279 //Dbprintf("BIT: %d",bit);
280 LED_A_ON();
281 // Reset clock for the next bit
282 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
283
284 // Binary puls length modulation (BPLM) is used to encode the data stream
285 // This means that a transmission of a one takes longer than that of a zero
286
287 // Enable modulation, which means, drop the the field
288 HIGH(GPIO_SSC_DOUT);
289 if (test == 1) {
290 // Wait for 4-10 times the carrier period
291 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
292 ;
293 // SpinDelayUs(8*8);
294
295 // Disable modulation, just activates the field again
296 LOW(GPIO_SSC_DOUT);
297
298 if (bit == 0) {
299 // Zero bit: |_-|
300 while (AT91C_BASE_TC0->TC_CV < T0 * 11)
301 ;
302 // SpinDelayUs(16*8);
303 } else {
304 // One bit: |_--|
305 while (AT91C_BASE_TC0->TC_CV < T0 * 14)
306 ;
307 // SpinDelayUs(22*8);
308 }
309 } else {
310 // Wait for 4-10 times the carrier period
311 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
312 ;
313 // SpinDelayUs(8*8);
314
315 // Disable modulation, just activates the field again
316 LOW(GPIO_SSC_DOUT);
317
318 if (bit == 0) {
319 // Zero bit: |_-|
320 while (AT91C_BASE_TC0->TC_CV < T0 * 22)
321 ;
322 // SpinDelayUs(16*8);
323 } else {
324 // One bit: |_--|
325 while (AT91C_BASE_TC0->TC_CV < T0 * 28)
326 ;
327 // SpinDelayUs(22*8);
328 }
329 }
330
331 LED_A_OFF();
332 }
333
334 static void hitag_reader_send_frame(const byte_t* frame, size_t frame_len) {
335 // Send the content of the frame
336 for (size_t i = 0; i < frame_len; i++) {
337 if (frame[0] == 0xf8) {
338 //Dbprintf("BIT: %d",(frame[i / 8] >> (7 - (i % 8))) & 1);
339 }
340 hitag_reader_send_bit(((frame[i / 8] >> (7 - (i % 8))) & 1));
341 }
342 // Send EOF
343 AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
344 // Enable modulation, which means, drop the the field
345 HIGH(GPIO_SSC_DOUT);
346 // Wait for 4-10 times the carrier period
347 while (AT91C_BASE_TC0->TC_CV < T0 * 6)
348 ;
349 // Disable modulation, just activates the field again
350 LOW(GPIO_SSC_DOUT);
351 }
352
353 static void hitag_decode_frame_MC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
354 size_t rxlen = 0;
355 bool bSkip = true;
356 int lastbit = 1;
357 int tag_sof = 0;
358 int timing = 1;
359 if (bitRate == 8) {
360 timing = 2;
361 }
362
363 for (int i=0; i < rawLen; i++) {
364 int ra = rawMod[i];
365 if (ra >= HITAG_T_EOF) {
366 if (rxlen != 0) {
367 //DbpString("wierd1?");
368 }
369 tag_sof = sofBits;
370
371 // Capture the T0 periods that have passed since last communication or field drop (reset)
372 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
373 *response = ra - HITAG_T_TAG_HALF_PERIOD;
374 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
375 tag_sof=0;
376 // Manchester coding example |-_|_-|-_| (101)
377 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
378 rxlen++;
379 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
380 rxlen++;
381 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
382 tag_sof=0;
383 // Manchester coding example |_-|...|_-|-_| (0...01)
384 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
385 rxlen++;
386 // We have to skip this half period at start and add the 'one' the second time
387 if (!bSkip) {
388 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
389 rxlen++;
390 }
391 lastbit = !lastbit;
392 bSkip = !bSkip;
393 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
394 // Manchester coding example |_-|_-| (00) or |-_|-_| (11)
395 if (tag_sof) {
396 // Ignore bits that are transmitted during SOF
397 tag_sof--;
398 } else {
399 // bit is same as last bit
400 rx[rxlen / 8] |= lastbit << (7 - (rxlen % 8));
401 rxlen++;
402 }
403 } else {
404 // Ignore wierd value, is to small to mean anything
405 }
406 }
407 *rxlenOrg = rxlen;
408 }
409
410 /*
411 static void hitag_decode_frame_AC2K_rising(byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
412 int tag_sof = 1; //skip start of frame
413 size_t rxlen = 0;
414
415 for (int i=0; i < rawLen; i++) {
416 int ra = rawMod[i];
417 if (ra >= HITAG_T_EOF) {
418 if (rxlen != 0) {
419 //DbpString("wierd1?");
420 }
421 // Capture the T0 periods that have passed since last communication or field drop (reset)
422 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
423 tag_sof = 1;
424 *response = ra - HITAG_T_TAG_HALF_PERIOD;
425 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF) {
426 // AC coding example |--__|--__| means 0
427 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
428 rxlen++;
429 if (rawMod[i+1] == 0) { //TODO: this is weird - may we miss one capture with current configuration
430 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
431 rxlen++;
432 i++; //drop next capture
433 }
434 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
435 if (tag_sof) {
436 // Ignore bits that are transmitted during SOF
437 tag_sof--;
438 } else {
439 // AC coding example |-_-_|-_-_| which means 1
440 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
441 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF) {
442 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
443 rxlen++;
444 i++; //drop next capture
445 } else {
446 Dbprintf("got weird high - %d,%d", ra, rawMod[i+1]);
447 }
448 }
449 } else {
450 // Ignore wierd value, is to small to mean anything
451 }
452 }
453 *rxlenOrg = rxlen;
454 }
455 */
456
457 static void hitag_decode_frame_AC(int bitRate, int sofBits, byte_t* rx, size_t* rxlenOrg, int* response, int rawMod[], int rawLen) {
458 int tag_sof = 1;
459 size_t rxlen = 0;
460 int timing = 1;
461 if (bitRate == 4) {
462 timing = 2;
463 }
464
465
466 for (int i=0; i < rawLen; i++) {
467 int ra = rawMod[i];
468 if (ra >= HITAG_T_EOF) {
469 if (rxlen != 0) {
470 //DbpString("wierd1?");
471 }
472
473 // Capture the T0 periods that have passed since last communication or field drop (reset)
474 // We always recieve a 'one' first, which has the falling edge after a half period |-_|
475 tag_sof = sofBits;
476 *response = ra - HITAG_T_TAG_HALF_PERIOD;
477 } else if (ra >= HITAG_T_TAG_CAPTURE_FOUR_HALF / timing) {
478 tag_sof=0;
479
480 // AC coding example |--__|--__| means 0
481 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
482 rxlen++;
483 } else if (ra >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
484 tag_sof=0;
485
486 if (rawMod[i-1] >= HITAG_T_TAG_CAPTURE_THREE_HALF / timing) {
487 //treat like HITAG_T_TAG_CAPTURE_TWO_HALF
488 if (rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
489 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
490 rxlen++;
491 i++; //drop next capture
492 } else {
493 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
494 }
495 } else {
496 //treat like HITAG_T_TAG_CAPTURE_FOUR_HALF
497 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
498 rxlen++;
499 }
500 } else if (ra >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
501 if (tag_sof) {
502 // Ignore bits that are transmitted during SOF
503 tag_sof--;
504 } else {
505 // AC coding example |-_-_|-_-_| which means 1
506 //check if another high is coming (only -_-_ = 1) except end of the frame (support 0)
507 if (rawMod[i+1] == 0 || rawMod[i+1] >= HITAG_T_TAG_CAPTURE_TWO_HALF / timing) {
508 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
509 rxlen++;
510 i++; //drop next capture
511 } else {
512 Dbprintf("got weird value - %d,%d", ra, rawMod[i+1]);
513 }
514 }
515 } else {
516 // Ignore wierd value, is to small to mean anything
517 }
518 }
519 *rxlenOrg = rxlen;
520 }
521
522 static void hitag_receive_frame(byte_t* rx, size_t* rxlen, int* response) {
523 int rawMod[200] = {0};
524 int rawLen = 0;
525 int i = 0;
526 int sofBits = 0;
527
528 m = MC4K;
529 if (tag.pstate == READY) {
530 switch (tag.mode) {
531 case STANDARD:
532 m = AC2K;
533 sofBits = 1;
534 break;
535 case ADVANCED:
536 m = AC2K;
537 sofBits = 5; //3 sof bits but 5 captures
538 break;
539 case FAST_ADVANCED:
540 m = AC4K;
541 sofBits = 5; //3 sof bits but 5 captures
542 break;
543 default:
544 break;
545 }
546 } else {
547 switch (tag.mode) {
548 case STANDARD:
549 m = MC4K;
550 sofBits = 0; //in theory 1
551 break;
552 case ADVANCED:
553 m = MC4K;
554 sofBits = 5; //in theory 6
555 break;
556 case FAST_ADVANCED:
557 m = MC8K;
558 sofBits = 5; //in theory 6
559 break;
560 default:
561 break;
562 }
563 }
564
565 //rising AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
566 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
567
568
569 //first capture timing values
570 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_WAIT_MAX ) {
571 // Check if rising edge in modulation is detected
572 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
573 // Retrieve the new timing values
574 int ra = (AT91C_BASE_TC1->TC_RA / T0);
575
576 LED_B_ON();
577 // Reset timer every frame, we have to capture the last edge for timing
578 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
579 //AT91C_BASE_TC0->TC_CCR = AT91C_TC_SWTRG;
580
581 if (rawLen >= 200) { //avoid exception
582 break;
583 }
584 rawMod[rawLen] = ra;
585 rawLen++;
586
587 // We can break this loop if we received the last bit from a frame
588 if (AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF) {
589 if (rawLen > 2) {
590 if (DEBUG >= 2) { Dbprintf("AT91C_BASE_TC1->TC_CV > T0 * HITAG_T_EOF breaking (%d)", rawLen); }
591 break;
592 }
593 }
594 }
595 }
596
597 if (DEBUG >= 2) {
598 for (i=0; i < rawLen; i+=20) {
599 Dbprintf("raw modulation: - %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d",
600 rawMod[i],rawMod[i+1],rawMod[i+2],rawMod[i+3], rawMod[i+4],rawMod[i+5],rawMod[i+6],rawMod[i+7],
601 rawMod[i+8],rawMod[i+9],rawMod[i+10],rawMod[i+11], rawMod[i+12],rawMod[i+13],rawMod[i+14],rawMod[i+15],
602 rawMod[i+16],rawMod[i+17],rawMod[i+18],rawMod[i+19]
603 );
604 }
605 }
606
607 switch (m) {
608 // DATA | 1 | 0 | 1 | 1 | 0 |
609 // Manchester |--__|__--|--__|--__|__--|
610 // Anti Collision |-_-_|--__|-_-_|-_-_|--__|
611 // |<-->|
612 // | T |
613 case AC2K:
614 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC2K"); }
615 hitag_decode_frame_AC(2, sofBits, rx, rxlen, response, rawMod, rawLen);
616 break;
617 case AC4K:
618 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation AC4K"); }
619 hitag_decode_frame_AC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
620 break;
621 case MC4K:
622 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC4K"); }
623 hitag_decode_frame_MC(4, sofBits, rx, rxlen, response, rawMod, rawLen);
624 break;
625 case MC8K:
626 if (DEBUG >= 2) { Dbprintf("decoding frame with modulation MC8K"); }
627 hitag_decode_frame_MC(8, sofBits, rx, rxlen, response, rawMod, rawLen);
628 break;
629 }
630
631 LED_B_OFF();
632 if (DEBUG >= 2) {
633 int rb[200] = {0}; int z = 0;
634 for (i = 0; i < 16; i++) { for (int j = 0; j < 8; j++) {
635 rb[z] = 0;
636 if ((rx[i] & ((1 << 7) >> j)) != 0) { rb[z] = 1; }
637 z++;
638 } }
639 for (i=0; i < z; i+=8) {
640 Dbprintf("raw bit: - %d%d%d%d%d%d%d%d", rb[i],rb[i+1],rb[i+2],rb[i+3],rb[i+4],rb[i+5],rb[i+6],rb[i+7] );
641 }
642 }
643 }
644
645 static void hitag_start_auth(byte_t* tx, size_t* txlen) {
646 *txlen = 5;
647 switch (tag.mode) {
648 case STANDARD:
649 //00110 - 0x30 - STANDARD MODE
650 memcpy(tx, "\x30", nbytes(*txlen));
651 break;
652 case ADVANCED:
653 //11000 - 0xc0 - Advance Mode
654 memcpy(tx, "\xc0", nbytes(*txlen));
655 break;
656 case FAST_ADVANCED:
657 //TODO!
658 break;
659 default: //STANDARD MODE
660 memcpy(tx, "\x30", nbytes(*txlen));
661 break;
662 }
663 tag.pstate = READY;
664 tag.tstate = NO_OP;
665 }
666
667 static int hitag_read_page(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int pageNum) {
668 int i, j, z;
669 int response_bit[200];
670 unsigned char mask = 1;
671 unsigned char crc;
672 unsigned char pageData[32];
673
674 if (pageNum >= tag.max_page) {
675 return -1;
676 }
677 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
678 //send read request
679 tag.tstate = READING_PAGE;
680 *txlen = 20;
681 crc = CRC_PRESET;
682 tx[0] = 0xc0 + (pageNum / 16);
683 calc_crc(&crc, tx[0], 8);
684 calc_crc(&crc, 0x00 + ((pageNum % 16) * 16), 4);
685 tx[1] = 0x00 + ((pageNum % 16) * 16) + (crc / 16);
686 tx[2] = 0x00 + (crc % 16) * 16;
687 } else if (tag.pstate == SELECTED && tag.tstate == READING_PAGE && *rxlen > 0) {
688 //save received data
689 z = 0;
690 for (i = 0; i < 4; i++) {
691 for (j = 0; j < 8; j++) {
692 response_bit[z] = 0;
693 if ((rx[i] & ((mask << 7) >> j)) != 0) {
694 response_bit[z] = 1;
695 }
696 if (z < 32) {
697 pageData[z] = response_bit[z];
698 }
699
700 z++;
701 }
702 }
703 for (i = 0; i < 4; i++) {
704 tag.pages[pageNum][i] = 0x0;
705 }
706 for (i = 0; i < 4; i++) {
707 tag.pages[pageNum][i] += ((pageData[i * 8] << 7) | (pageData[1 + (i * 8)] << 6) |
708 (pageData[2 + (i * 8)] << 5) | (pageData[3 + (i * 8)] << 4) |
709 (pageData[4 + (i * 8)] << 3) | (pageData[5 + (i * 8)] << 2) |
710 (pageData[6 + (i * 8)]
711 << 1) | pageData[7 + (i * 8)]);
712 }
713 if (tag.auth && tag.LKP && pageNum == 1) {
714 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum, pwdh0,
715 tag.pages[pageNum][2], tag.pages[pageNum][1], tag.pages[pageNum][0]);
716 } else {
717 Dbprintf("Page[%2d]: %02X %02X %02X %02X", pageNum,
718 tag.pages[pageNum][3], tag.pages[pageNum][2],
719 tag.pages[pageNum][1], tag.pages[pageNum][0]);
720 }
721
722
723 //display key and password if possible
724 if (pageNum == 1 && tag.auth == 1 && tag.LKP) {
725 if (htf == 02) { //RHTS_KEY
726 Dbprintf("Page[ 2]: %02X %02X %02X %02X",
727 (byte_t)(key >> 8) & 0xff,
728 (byte_t) key & 0xff, pwdl1, pwdl0);
729 Dbprintf("Page[ 3]: %02X %02X %02X %02X",
730 (byte_t)(key >> 40) & 0xff,
731 (byte_t)(key >> 32) & 0xff,
732 (byte_t)(key >> 24) & 0xff,
733 (byte_t)(key >> 16) & 0xff);
734 } else {
735 //if the authentication is done with a challenge the key and password are unknown
736 Dbprintf("Page[ 2]: __ __ __ __");
737 Dbprintf("Page[ 3]: __ __ __ __");
738 }
739 }
740
741 *txlen = 20;
742 crc = CRC_PRESET;
743 tx[0] = 0xc0 + ((pageNum+1) / 16);
744 calc_crc(&crc, tx[0], 8);
745 calc_crc(&crc, 0x00 + (((pageNum+1) % 16) * 16), 4);
746 tx[1] = 0x00 + (((pageNum+1) % 16) * 16) + (crc / 16);
747 tx[2] = 0x00 + (crc % 16) * 16;
748
749 return 1;
750 }
751 return 0;
752 }
753
754 static int hitag_read_block(hitag_function htf, uint64_t key, byte_t* rx, size_t* rxlen, byte_t* tx, size_t* txlen, int blockNum) {
755 int i, j, z;
756 int response_bit[200];
757 unsigned char mask = 1;
758 unsigned char crc;
759 unsigned char blockData[128];
760
761 if (blockNum+4 >= tag.max_page) { //block always = 4 pages
762 return -1;
763 }
764
765 if (tag.pstate == SELECTED && tag.tstate == NO_OP && *rxlen > 0) {
766 //send read request
767 tag.tstate = READING_BLOCK;
768 *txlen = 20;
769 crc = CRC_PRESET;
770 tx[0] = 0xd0 + (blockNum / 16);
771 calc_crc(&crc, tx[0], 8);
772 calc_crc(&crc, 0x00 + ((blockNum % 16) * 16), 4);
773 tx[1] = 0x00 + ((blockNum % 16) * 16) + (crc / 16);
774 tx[2] = 0x00 + (crc % 16) * 16;
775 } else if (tag.pstate == SELECTED && tag.tstate == READING_BLOCK && *rxlen > 0) {
776 //save received data
777 z = 0;
778 for (i = 0; i < 16; i++) {
779 for (j = 0; j < 8; j++) {
780 response_bit[z] = 0;
781 if ((rx[i] & ((mask << 7) >> j)) != 0) {
782 response_bit[z] = 1;
783 }
784 if (z < 128) {
785 blockData[z] = response_bit[z];
786 }
787 z++;
788 }
789 }
790
791 for (z = 0; z < 4; z++) { //4 pages
792 for (i = 0; i < 4; i++) {
793 tag.pages[blockNum+z][i] = 0x0;
794 }
795 }
796 for (z = 0; z < 4; z++) { //4 pages
797 for (i = 0; i < 4; i++) {
798 j = (i * 8) + (z*32); //bit in page + pageStart
799 tag.pages[blockNum+z][i] = ((blockData[j] << 7) | (blockData[1 + j] << 6) |
800 (blockData[2 + j] << 5) | (blockData[3 + j] << 4) |
801 (blockData[4 + j] << 3) | (blockData[5 + j] << 2) |
802 (blockData[6 + j] << 1) | blockData[7 + j]);
803 }
804 }
805 if (DEBUG) {
806 for (z = 0; z < 4; z++) {
807 Dbprintf("Page[%2d]: %02X %02X %02X %02X", blockNum+z,
808 tag.pages[blockNum+z][3], tag.pages[blockNum+z][2],
809 tag.pages[blockNum+z][1], tag.pages[blockNum+z][0]);
810 }
811 }
812 Dbprintf("Block[%2d]: %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X - %02X %02X %02X %02X", blockNum,
813 tag.pages[blockNum][3], tag.pages[blockNum][2], tag.pages[blockNum][1], tag.pages[blockNum][0],
814 tag.pages[blockNum+1][3], tag.pages[blockNum+1][2], tag.pages[blockNum+1][1], tag.pages[blockNum+1][0],
815 tag.pages[blockNum+2][3], tag.pages[blockNum+2][2], tag.pages[blockNum+2][1], tag.pages[blockNum+2][0],
816 tag.pages[blockNum+3][3], tag.pages[blockNum+3][2], tag.pages[blockNum+3][1], tag.pages[blockNum+3][0]);
817
818 *txlen = 20;
819 crc = CRC_PRESET;
820 tx[0] = 0xd0 + ((blockNum+4) / 16);
821 calc_crc(&crc, tx[0], 8);
822 calc_crc(&crc, 0x00 + (((blockNum+4) % 16) * 16), 4);
823 tx[1] = 0x00 + (((blockNum+4) % 16) * 16) + (crc / 16);
824 tx[2] = 0x00 + (crc % 16) * 16;
825
826 return 1;
827 }
828 return 0;
829 }
830
831
832 /*
833 * to check if the right uid was selected
834 */
835 static int check_select(byte_t* rx, uint32_t uid) {
836 unsigned char resp[48];
837 int i;
838 uint32_t ans = 0x0;
839 for (i = 0; i < 48; i++)
840 resp[i] = (rx[i / 8] >> (7 - (i % 8))) & 0x1;
841 for (i = 0; i < 32; i++)
842 ans += resp[5 + i] << (31 - i);
843 /*if (rx[0] == 0x01 && rx[1] == 0x15 && rx[2] == 0xc1 && rx[3] == 0x14
844 && rx[4] == 0x65 && rx[5] == 0x38)
845 Dbprintf("got uid %X", ans);*/
846 temp_uid = ans;
847 if (ans == tag.uid)
848 return 1;
849 return 0;
850 }
851
852 /*
853 * handles all commands from a reader
854 */
855 static void hitagS_handle_reader_command(byte_t* rx, const size_t rxlen,
856 byte_t* tx, size_t* txlen) {
857 byte_t rx_air[HITAG_FRAME_LEN];
858 byte_t page;
859 int i;
860 u64 state;
861 unsigned char crc;
862
863 // Copy the (original) received frame how it is send over the air
864 memcpy(rx_air, rx, nbytes(rxlen));
865 // Reset the transmission frame length
866 *txlen = 0;
867 // Try to find out which command was send by selecting on length (in bits)
868 switch (rxlen) {
869 case 5: {
870 //UID request with a selected response protocol mode
871 tag.pstate = READY;
872 tag.tstate = NO_OP;
873 if ((rx[0] & 0xf0) == 0x30) {
874 Dbprintf("recieved uid request in Standard Mode");
875 tag.mode = STANDARD;
876 sof_bits = 1;
877 m = AC2K;
878 }
879 if ((rx[0] & 0xf0) == 0xc0) {
880 Dbprintf("recieved uid request in ADVANCE Mode");
881 tag.mode = ADVANCED;
882 sof_bits = 3;
883 m = AC2K;
884 }
885 if ((rx[0] & 0xf0) == 0xd0) {
886 Dbprintf("recieved uid request in FAST_ADVANCE Mode");
887 tag.mode = FAST_ADVANCED;
888 sof_bits = 3;
889 m = AC4K;
890 }
891 //send uid as a response
892 *txlen = 32;
893 for (i = 0; i < 4; i++) {
894 tx[i] = (tag.uid >> (24 - (i * 8))) & 0xff;
895 }
896 }
897 break;
898 case 45: {
899 //select command from reader received
900 if (check_select(rx, tag.uid) == 1) {
901 //if the right tag was selected
902 *txlen = 32;
903 switch (tag.mode) {
904 case STANDARD:
905 Dbprintf("uid selected in Standard Mode");
906 sof_bits = 1;
907 m = MC4K;
908 break;
909 case ADVANCED:
910 Dbprintf("uid selected in ADVANCE Mode");
911 sof_bits = 6;
912 m = MC4K;
913 break;
914 case FAST_ADVANCED:
915 Dbprintf("uid selected in FAST_ADVANCE Mode");
916 sof_bits = 6;
917 m = MC8K;
918 break;
919 default:
920 break;
921 }
922
923 //send configuration
924 tx[0] = tag.pages[1][3];
925 tx[1] = tag.pages[1][2];
926 tx[2] = tag.pages[1][1];
927 tx[3] = 0xff;
928 if (tag.mode != STANDARD) {
929 *txlen = 40;
930 crc = CRC_PRESET;
931 for (i = 0; i < 4; i++)
932 calc_crc(&crc, tx[i], 8);
933 tx[4] = crc;
934 }
935 }
936 }
937 break;
938 case 64: {
939 switch (tag.mode) {
940 case STANDARD:
941 sof_bits = 1;
942 m = MC4K;
943 break;
944 case ADVANCED:
945 sof_bits = 6;
946 m = MC4K;
947 break;
948 case FAST_ADVANCED:
949 sof_bits = 6;
950 m = MC8K;
951 break;
952 default:
953 break;
954 }
955 //challenge message received
956 Dbprintf("Challenge for UID: %X", temp_uid);
957 temp2++;
958 state = hitag2_init(rev64(tag.key), rev32(tag.pages[0][0]),
959 rev32(((rx[3] << 24) + (rx[2] << 16) + (rx[1] << 8) + rx[0])));
960 Dbprintf(
961 ",{0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X, 0x%02X}",
962 rx[0], rx[1], rx[2], rx[3], rx[4], rx[5], rx[6], rx[7]);
963
964 for (i = 0; i < 4; i++) {
965 hitag2_byte(&state);
966 }
967
968 *txlen = 32;
969 //send con2,pwdh0,pwdl0,pwdl1 encrypted as a response
970 tx[0] = hitag2_byte(&state) ^ tag.pages[1][1];
971 tx[1] = hitag2_byte(&state) ^ tag.pwdh0;
972 tx[2] = hitag2_byte(&state) ^ tag.pwdl0;
973 tx[3] = hitag2_byte(&state) ^ tag.pwdl1;
974 if (tag.mode != STANDARD) {
975 //add crc8
976 *txlen = 40;
977 crc = CRC_PRESET;
978 calc_crc(&crc, tag.pages[1][1], 8);
979 calc_crc(&crc, tag.pwdh0, 8);
980 calc_crc(&crc, tag.pwdl0, 8);
981 calc_crc(&crc, tag.pwdl1, 8);
982 tx[4] = (crc ^ hitag2_byte(&state));
983 }
984 }
985 case 40:
986 //data received to be written
987 if (tag.tstate == WRITING_PAGE_DATA) {
988 tag.tstate = NO_OP;
989 tag.pages[page_to_be_written][0] = rx[3];
990 tag.pages[page_to_be_written][1] = rx[2];
991 tag.pages[page_to_be_written][2] = rx[1];
992 tag.pages[page_to_be_written][3] = rx[0];
993
994 //send ack
995 *txlen = 2;
996 tx[0] = 0x40;
997 page_to_be_written = 0;
998 switch (tag.mode) {
999 case STANDARD:
1000 sof_bits = 1;
1001 m = MC4K;
1002 break;
1003 case ADVANCED:
1004 sof_bits = 6;
1005 m = MC4K;
1006 break;
1007 case FAST_ADVANCED:
1008 sof_bits = 6;
1009 m = MC8K;
1010 break;
1011 default:
1012 break;
1013 }
1014 } else if (tag.tstate == WRITING_BLOCK_DATA) {
1015 tag.pages[page_to_be_written][0] = rx[0];
1016 tag.pages[page_to_be_written][1] = rx[1];
1017 tag.pages[page_to_be_written][2] = rx[2];
1018 tag.pages[page_to_be_written][3] = rx[3];
1019
1020 //send ack
1021 *txlen = 2;
1022 tx[0] = 0x40;
1023 switch (tag.mode) {
1024 case STANDARD:
1025 sof_bits = 1;
1026 m = MC4K;
1027 break;
1028 case ADVANCED:
1029 sof_bits = 6;
1030 m = MC4K;
1031 break;
1032 case FAST_ADVANCED:
1033 sof_bits = 6;
1034 m = MC8K;
1035 break;
1036 default:
1037 break;
1038 }
1039 page_to_be_written++;
1040 block_data_left--;
1041 if (block_data_left == 0) {
1042 tag.tstate = NO_OP;
1043 page_to_be_written = 0;
1044 }
1045 }
1046 break;
1047 case 20: {
1048 //write page, write block, read page or read block command received
1049 if ((rx[0] & 0xf0) == 0xc0) { //read page
1050 //send page data
1051 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1052 Dbprintf("reading page %d", page);
1053 *txlen = 32;
1054 tx[0] = tag.pages[page][0];
1055 tx[1] = tag.pages[page][1];
1056 tx[2] = tag.pages[page][2];
1057 tx[3] = tag.pages[page][3];
1058
1059 if (tag.LKP && page == 1)
1060 tx[3] = 0xff;
1061
1062 switch (tag.mode) {
1063 case STANDARD:
1064 sof_bits = 1;
1065 m = MC4K;
1066 break;
1067 case ADVANCED:
1068 sof_bits = 6;
1069 m = MC4K;
1070 break;
1071 case FAST_ADVANCED:
1072 sof_bits = 6;
1073 m = MC8K;
1074 break;
1075 default:
1076 break;
1077 }
1078
1079 if (tag.mode != STANDARD) {
1080 //add crc8
1081 *txlen = 40;
1082 crc = CRC_PRESET;
1083 for (i = 0; i < 4; i++)
1084 calc_crc(&crc, tx[i], 8);
1085 tx[4] = crc;
1086 }
1087
1088 if (tag.LKP && (page == 2 || page == 3)) {
1089 //if reader asks for key or password and the LKP-mark is set do not respond
1090 sof_bits = 0;
1091 *txlen = 0;
1092 }
1093 } else if ((rx[0] & 0xf0) == 0xd0) { //read block
1094 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1095 Dbprintf("reading block %d", page);
1096 *txlen = 32 * 4;
1097 //send page,...,page+3 data
1098 for (i = 0; i < 4; i++) {
1099 tx[0 + (i * 4)] = tag.pages[page][0];
1100 tx[1 + (i * 4)] = tag.pages[page][1];
1101 tx[2 + (i * 4)] = tag.pages[page][2];
1102 tx[3 + (i * 4)] = tag.pages[page][3];
1103 page++;
1104 }
1105
1106 switch (tag.mode) {
1107 case STANDARD:
1108 sof_bits = 1;
1109 m = MC4K;
1110 break;
1111 case ADVANCED:
1112 sof_bits = 6;
1113 m = MC4K;
1114 break;
1115 case FAST_ADVANCED:
1116 sof_bits = 6;
1117 m = MC8K;
1118 break;
1119 default:
1120 break;
1121 }
1122
1123 if (tag.mode != STANDARD) {
1124 //add crc8
1125 *txlen = 32 * 4 + 8;
1126 crc = CRC_PRESET;
1127 for (i = 0; i < 16; i++)
1128 calc_crc(&crc, tx[i], 8);
1129 tx[16] = crc;
1130 }
1131
1132 if ((page - 4) % 4 != 0 || (tag.LKP && (page - 4) == 0)) {
1133 sof_bits = 0;
1134 *txlen = 0;
1135 }
1136 } else if ((rx[0] & 0xf0) == 0x80) { //write page
1137 page = ((rx[0] & 0x0f) * 16) + ((rx[1] & 0xf0) / 16);
1138
1139 switch (tag.mode) {
1140 case STANDARD:
1141 sof_bits = 1;
1142 m = MC4K;
1143 break;
1144 case ADVANCED:
1145 sof_bits = 6;
1146 m = MC4K;
1147 break;
1148 case FAST_ADVANCED:
1149 sof_bits = 6;
1150 m = MC8K;
1151 break;
1152 default:
1153 break;
1154 }
1155 if ((tag.LCON && page == 1)
1156 || (tag.LKP && (page == 2 || page == 3))) {
1157 //deny
1158 *txlen = 0;
1159 } else {
1160 //allow
1161 *txlen = 2;
1162 tx[0] = 0x40;
1163 page_to_be_written = page;
1164 tag.tstate = WRITING_PAGE_DATA;
1165 }
1166
1167 } else if ((rx[0] & 0xf0) == 0x90) { //write block
1168 page = ((rx[0] & 0x0f) * 6) + ((rx[1] & 0xf0) / 16);
1169 switch (tag.mode) {
1170 case STANDARD:
1171 sof_bits = 1;
1172 m = MC4K;
1173 break;
1174 case ADVANCED:
1175 sof_bits = 6;
1176 m = MC4K;
1177 break;
1178 case FAST_ADVANCED:
1179 sof_bits = 6;
1180 m = MC8K;
1181 break;
1182 default:
1183 break;
1184 }
1185 if (page % 4 != 0 || page == 0) {
1186 //deny
1187 *txlen = 0;
1188 } else {
1189 //allow
1190 *txlen = 2;
1191 tx[0] = 0x40;
1192 page_to_be_written = page;
1193 block_data_left = 4;
1194 tag.tstate = WRITING_BLOCK_DATA;
1195 }
1196 }
1197 }
1198 break;
1199 default:
1200
1201 break;
1202 }
1203 }
1204
1205
1206 /*
1207 * to autenticate to a tag with the given key or challenge
1208 */
1209 static int hitagS_handle_tag_auth(hitag_function htf,uint64_t key, uint64_t NrAr, byte_t* rx,
1210 const size_t rxlen, byte_t* tx, size_t* txlen) {
1211 byte_t rx_air[HITAG_FRAME_LEN];
1212 int response_bit[200] = {0};
1213 int i, j, z, k;
1214 unsigned char mask = 1;
1215 unsigned char uid[32];
1216 byte_t uid1 = 0x00, uid2 = 0x00, uid3 = 0x00, uid4 = 0x00;
1217 unsigned char crc;
1218 u64 state;
1219 byte_t auth_ks[4];
1220 byte_t conf_pages[3];
1221 memcpy(rx_air, rx, nbytes(rxlen));
1222 *txlen = 0;
1223
1224 if (DEBUG) {
1225 Dbprintf("START hitagS_handle_tag_auth - rxlen: %d, tagstate=%d", rxlen, (int)tag.pstate);
1226 }
1227
1228 if (tag.pstate == READY && rxlen >= 32) {
1229 //received uid
1230 if(end==true) {
1231 Dbprintf("authentication failed!");
1232 return -1;
1233 }
1234 z = 0;
1235 for (i = 0; i < 10; i++) {
1236 for (j = 0; j < 8; j++) {
1237 response_bit[z] = 0;
1238 if ((rx[i] & ((mask << 7) >> j)) != 0)
1239 response_bit[z] = 1;
1240 z++;
1241 }
1242 }
1243 for (i = 0; i < 32; i++) {
1244 uid[i] = response_bit[i];
1245 }
1246
1247 uid1 = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5) | (uid[3] << 4)
1248 | (uid[4] << 3) | (uid[5] << 2) | (uid[6] << 1) | uid[7];
1249 uid2 = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5) | (uid[11] << 4)
1250 | (uid[12] << 3) | (uid[13] << 2) | (uid[14] << 1) | uid[15];
1251 uid3 = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5) | (uid[19] << 4)
1252 | (uid[20] << 3) | (uid[21] << 2) | (uid[22] << 1) | uid[23];
1253 uid4 = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5) | (uid[27] << 4)
1254 | (uid[28] << 3) | (uid[29] << 2) | (uid[30] << 1) | uid[31];
1255 Dbprintf("UID: %02X %02X %02X %02X", uid1, uid2, uid3, uid4);
1256 tag.uid = (uid4 << 24 | uid3 << 16 | uid2 << 8 | uid1);
1257
1258 //select uid
1259 crc = CRC_PRESET;
1260 calc_crc(&crc, 0x00, 5);
1261 calc_crc(&crc, uid1, 8);
1262 calc_crc(&crc, uid2, 8);
1263 calc_crc(&crc, uid3, 8);
1264 calc_crc(&crc, uid4, 8);
1265 Dbprintf("crc: %02X", crc);
1266
1267 //resetting response bit
1268 for (i = 0; i < 100; i++) {
1269 response_bit[i] = 0;
1270 }
1271
1272 //skip the first 5
1273 for (i = 5; i < 37; i++) {
1274 response_bit[i] = uid[i - 5];
1275 }
1276 //add crc value
1277 for (j = 0; j < 8; j++) {
1278 response_bit[i] = 0;
1279 if ((crc & ((mask << 7) >> j)) != 0)
1280 response_bit[i] = 1;
1281 i++;
1282 }
1283
1284 k = 0;
1285 for (i = 0; i < 6; i++) {
1286 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
1287 | (response_bit[k + 2] << 5) | (response_bit[k + 3] << 4)
1288 | (response_bit[k + 4] << 3) | (response_bit[k + 5] << 2)
1289 | (response_bit[k + 6] << 1) | response_bit[k + 7];
1290 k += 8;
1291 }
1292 *txlen = 45;
1293 tag.pstate = INIT;
1294 } else if (tag.pstate == INIT && rxlen > 24) {
1295 // received configuration after select command
1296 z = 0;
1297 for (i = 0; i < 4; i++) {
1298 for (j = 0; j < 8; j++) {
1299 response_bit[z] = 0;
1300 if ((rx[i] & ((mask << 7) >> j)) != 0) {
1301 response_bit[z] = 1;
1302 }
1303 z++;
1304 }
1305 }
1306
1307 //check wich memorysize this tag has
1308 //CON0
1309 if (response_bit[6] == 0 && response_bit[7] == 0)
1310 tag.max_page = 32 / 32;
1311 if (response_bit[6] == 0 && response_bit[7] == 1)
1312 tag.max_page = 256 / 32;
1313 if (response_bit[6] == 1 && response_bit[7] == 0)
1314 tag.max_page = 2048 / 32;
1315 if (response_bit[6] == 1 && response_bit[7] == 1) //reserved but some tags got this setting
1316 tag.max_page = 2048 / 32;
1317
1318 //CON1
1319 tag.auth = response_bit[8];
1320 tag.TTFC = response_bit[9];
1321 //tag.TTFDR in response_bit[10] and response_bit[11]
1322 //tag.TTFM in response_bit[12] and response_bit[13]
1323 tag.LCON = response_bit[14];
1324 tag.LKP = response_bit[15];
1325
1326 //CON2
1327 tag.LCK7 = response_bit[16];
1328 tag.LCK6 = response_bit[17];
1329 tag.LCK5 = response_bit[18];
1330 tag.LCK4 = response_bit[19];
1331 tag.LCK3 = response_bit[20];
1332 tag.LCK2 = response_bit[21];
1333 tag.LCK1 = response_bit[22];
1334 tag.LCK0 = response_bit[23];
1335
1336 if (DEBUG) {
1337 conf_pages[0] = ((response_bit[0] << 7) | (response_bit[1] << 6)
1338 | (response_bit[2] << 5) | (response_bit[3] << 4)
1339 | (response_bit[4] << 3) | (response_bit[5] << 2)
1340 | (response_bit[6] << 1) | response_bit[7]);
1341 conf_pages[1] = ((response_bit[8] << 7) | (response_bit[9] << 6)
1342 | (response_bit[10] << 5) | (response_bit[11] << 4)
1343 | (response_bit[12] << 3) | (response_bit[13] << 2)
1344 | (response_bit[14] << 1) | response_bit[15]);
1345 conf_pages[2] = ((response_bit[16] << 7) | (response_bit[17] << 6)
1346 | (response_bit[18] << 5) | (response_bit[19] << 4)
1347 | (response_bit[20] << 3) | (response_bit[21] << 2)
1348 | (response_bit[22] << 1) | response_bit[23]);
1349 Dbprintf("conf0: %02X conf1: %02X conf2: %02X", conf_pages[0], conf_pages[1], conf_pages[2]);
1350 Dbprintf("tag.max_page: %d, tag.auth: %d", tag.max_page, tag.auth);
1351 }
1352
1353 if (tag.auth == 1) {
1354 //if the tag is in authentication mode try the key or challenge
1355 *txlen = 64;
1356 if(end!=true){
1357 if(htf==02||htf==04){ //RHTS_KEY //WHTS_KEY
1358 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
1359 /*
1360 Dbprintf("key: %02X %02X\n\n", key, rev64(key));
1361 Dbprintf("tag.uid: %02X %02X\n\n", tag.uid, rev32(tag.uid));
1362 Dbprintf("rnd: %02X %02X\n\n", rnd, rev32(rnd));
1363 */
1364 for (i = 0; i < 4; i++) {
1365 auth_ks[i] = hitag2_byte(&state) ^ 0xff;
1366 }
1367 *txlen = 64;
1368 tx[0] = rnd & 0xff;
1369 tx[1] = (rnd >> 8) & 0xff;
1370 tx[2] = (rnd >> 16) & 0xff;
1371 tx[3] = (rnd >> 24) & 0xff;
1372
1373 tx[4] = auth_ks[0];
1374 tx[5] = auth_ks[1];
1375 tx[6] = auth_ks[2];
1376 tx[7] = auth_ks[3];
1377 if (DEBUG)
1378 Dbprintf("%02X %02X %02X %02X %02X %02X %02X %02X", tx[0],
1379 tx[1], tx[2], tx[3], tx[4], tx[5], tx[6], tx[7]);
1380 } else if(htf==01 || htf==03) { //RHTS_CHALLENGE //WHTS_CHALLENGE
1381 for (i = 0; i < 8; i++)
1382 tx[i]=((NrAr>>(56-(i*8)))&0xff);
1383 }
1384 end=true;
1385 tag.pstate = AUTHENTICATE;
1386 } else {
1387 Dbprintf("authentication failed!");
1388 return -1;
1389 }
1390 } else if (tag.auth == 0) {
1391 tag.pstate = SELECTED;
1392 }
1393
1394 } else if (tag.pstate == AUTHENTICATE && rxlen >= 32) {
1395 //encrypted con2,password received.
1396 if (DEBUG) {
1397 Dbprintf("UID:::%X", tag.uid);
1398 Dbprintf("RND:::%X", rnd);
1399 }
1400
1401 //decrypt password
1402 pwdh0=0;
1403 pwdl0=0;
1404 pwdl1=0;
1405 if(htf==02 || htf==04) { //RHTS_KEY //WHTS_KEY
1406 state = hitag2_init(rev64(key), rev32(tag.uid), rev32(rnd));
1407 for (i = 0; i < 5; i++) {
1408 hitag2_byte(&state);
1409 }
1410 pwdh0 = ((rx[1] & 0x0f) * 16 + ((rx[2] & 0xf0) / 16)) ^ hitag2_byte(&state);
1411 pwdl0 = ((rx[2] & 0x0f) * 16 + ((rx[3] & 0xf0) / 16)) ^ hitag2_byte(&state);
1412 pwdl1 = ((rx[3] & 0x0f) * 16 + ((rx[4] & 0xf0) / 16)) ^ hitag2_byte(&state);
1413 if (DEBUG) {
1414 Dbprintf("pwdh0 %02X pwdl0 %02X pwdl1 %02X", pwdh0, pwdl0, pwdl1);
1415 }
1416 }
1417 tag.pstate = SELECTED; //tag is now ready for read/write commands
1418 }
1419
1420 if (DEBUG) {
1421 Dbprintf("END hitagS_handle_tag_auth - tagstate=%d", (int)tag.pstate);
1422 }
1423
1424 return 0;
1425 }
1426
1427 /*
1428 * Emulates a Hitag S Tag with the given data from the .hts file
1429 */
1430 void SimulateHitagSTag(bool tag_mem_supplied, byte_t* data) {
1431 int frame_count;
1432 int response;
1433 int overflow;
1434 int i, j;
1435 byte_t rx[HITAG_FRAME_LEN];
1436 size_t rxlen = 0;
1437 bQuiet = false;
1438 byte_t txbuf[HITAG_FRAME_LEN];
1439 byte_t* tx = txbuf;
1440 size_t txlen = 0;
1441 uint8_t con0, con1, con2;
1442 BigBuf_free();
1443
1444 // Clean up trace and prepare it for storing frames
1445 set_tracing(true);
1446 clear_trace();
1447
1448 DbpString("Starting HitagS simulation");
1449 LED_D_ON();
1450
1451 tag.pstate = READY;
1452 tag.tstate = NO_OP;
1453 //read tag data into memory
1454 if (tag_mem_supplied) {
1455 DbpString("Loading hitagS memory...");
1456 for (i = 0; i < 64; i++) {
1457 for (j = 0; j < 4; j++) {
1458 tag.pages[i][j] = 0x0;
1459 }
1460 }
1461
1462 for (i = 0; i < 64; i++) {
1463 for (j = 0; j < 4; j++) {
1464 tag.pages[i][j] = data[(i*4)+j];
1465 }
1466 }
1467 }
1468 tag.uid = (tag.pages[0][3] << 24 | tag.pages[0][2] << 16 | tag.pages[0][1] << 8 | tag.pages[0][0]);
1469 con0 = tag.pages[1][3];
1470 con1 = tag.pages[1][2];
1471 con2 = tag.pages[1][1];
1472 Dbprintf("UID: %X", tag.uid);
1473 Dbprintf("Hitag S simulation started");
1474
1475 //0x01 plain mode - Reserved, CON2, CON1, CON0
1476 //0x01 auth mode - PWDH 0, CON2, CON1, CON0
1477 //0x02 auth mode - KEYH 1, KEYH 0, PWDL 1, PWDL 0
1478 //0x03 auth mode - KEYL 3, KEYL 2, KEYL 1, KEYL 0
1479
1480 //con0
1481 tag.max_page = 2048 / 32;
1482 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 1)
1483 tag.max_page = 256 / 32;
1484 if ((con0 & 0x2) == 0 && (con0 & 0x1) == 0)
1485 tag.max_page = 32 / 32;
1486
1487 //CON1
1488 tag.auth = ((con1 & 0x80) == 0x80) ? 1 : 0;
1489 tag.TTFC = ((con1 & 0x40) == 0x40) ? 1 : 0;
1490 //tag.TTFDR in response_bit[10] and response_bit[11]
1491 //tag.TTFM in response_bit[12] and response_bit[13]
1492 tag.LCON = ((con1 & 0x2) == 0x2) ? 1 : 0;
1493 tag.LKP = ((con1 & 0x1) == 0x1) ? 1 : 0;
1494
1495 //CON2
1496 tag.LCK7 = ((con2 & 0x80) == 0x80) ? 1 : 0;
1497 tag.LCK6 = ((con2 & 0x40) == 0x40) ? 1 : 0;
1498 tag.LCK5 = ((con2 & 0x20) == 0x20) ? 1 : 0;
1499 tag.LCK4 = ((con2 & 0x10) == 0x10) ? 1 : 0;
1500 tag.LCK3 = ((con2 & 0x8) == 0x8) ? 1 : 0;
1501 tag.LCK2 = ((con2 & 0x4) == 0x4) ? 1 : 0;
1502 tag.LCK1 = ((con2 & 0x2) == 0x2) ? 1 : 0;
1503 tag.LCK0 = ((con2 & 0x1) == 0x1) ? 1 : 0;
1504
1505 if (tag.auth == 1) {
1506 //TODO check if this working :D
1507 tag.key=(intptr_t)tag.pages[3];
1508 tag.key<<=16;
1509 tag.key+=((tag.pages[2][0])<<8)+tag.pages[2][1];
1510 tag.pwdl0=tag.pages[2][3];
1511 tag.pwdl1=tag.pages[2][2];
1512 tag.pwdh0=tag.pages[1][0];
1513 }
1514
1515 // Set up simulator mode, frequency divisor which will drive the FPGA
1516 // and analog mux selection.
1517 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1518 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT);
1519 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1520 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1521 RELAY_OFF();
1522
1523 // Configure output pin that is connected to the FPGA (for modulating)
1524 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1525 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1526
1527 // Disable modulation at default, which means release resistance
1528 LOW(GPIO_SSC_DOUT);
1529
1530 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1531 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1532
1533 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the reader frames
1534 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1535 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1536
1537 // Disable timer during configuration
1538 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1539
1540 // Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1541 // external trigger rising edge, load RA on rising edge of TIOA.
1542 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
1543
1544 // Reset the received frame, frame count and timing info
1545 memset(rx, 0x00, sizeof(rx));
1546 frame_count = 0;
1547 response = 0;
1548 overflow = 0;
1549
1550 // Enable and reset counter
1551 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1552
1553 while (!BUTTON_PRESS()) {
1554 // Watchdog hit
1555 WDT_HIT();
1556
1557 // Receive frame, watch for at most T0*EOF periods
1558 //HITAG_T_WAIT_MAX
1559 while (AT91C_BASE_TC1->TC_CV < T0 * HITAG_T_EOF) {
1560 // Check if rising edge in modulation is detected
1561 if (AT91C_BASE_TC1->TC_SR & AT91C_TC_LDRAS) {
1562 // Retrieve the new timing values
1563 int ra = (AT91C_BASE_TC1->TC_RA / T0) + overflow;
1564 overflow = 0;
1565
1566 // Reset timer every frame, we have to capture the last edge for timing
1567 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1568
1569 LED_B_ON();
1570
1571 // Capture reader frame
1572 if (ra >= HITAG_T_STOP) {
1573 if (rxlen != 0) {
1574 //DbpString("wierd0?");
1575 }
1576 // Capture the T0 periods that have passed since last communication or field drop (reset)
1577 response = (ra - HITAG_T_LOW);
1578 } else if (ra >= HITAG_T_1_MIN) {
1579 // '1' bit
1580 rx[rxlen / 8] |= 1 << (7 - (rxlen % 8));
1581 rxlen++;
1582 } else if (ra >= HITAG_T_0_MIN) {
1583 // '0' bit
1584 rx[rxlen / 8] |= 0 << (7 - (rxlen % 8));
1585 rxlen++;
1586 } else {
1587 // Ignore wierd value, is to small to mean anything
1588 }
1589 }
1590 }
1591
1592 // Check if frame was captured
1593 if (rxlen > 0) {
1594 frame_count++;
1595 if (!bQuiet) {
1596 if (!LogTraceHitag(rx, rxlen, response, 0, true)) {
1597 DbpString("Trace full");
1598 clear_trace();
1599 }
1600 }
1601
1602 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1603 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1604
1605 // Process the incoming frame (rx) and prepare the outgoing frame (tx)
1606 hitagS_handle_reader_command(rx, rxlen, tx, &txlen);
1607
1608 // Wait for HITAG_T_WAIT_1 carrier periods after the last reader bit,
1609 // not that since the clock counts since the rising edge, but T_Wait1 is
1610 // with respect to the falling edge, we need to wait actually (T_Wait1 - T_Low)
1611 // periods. The gap time T_Low varies (4..10). All timer values are in
1612 // terms of T0 units
1613 while (AT91C_BASE_TC0->TC_CV < T0 * (HITAG_T_WAIT_1 - HITAG_T_LOW)) { }
1614
1615 // Send and store the tag answer (if there is any)
1616 if (txlen > 0) {
1617 // Transmit the tag frame
1618 hitag_tag_send_frame(tx, txlen);
1619
1620 // Store the frame in the trace
1621 if (!bQuiet) {
1622 if (!LogTraceHitag(tx, txlen, 0, 0, false)) {
1623 DbpString("Trace full");
1624 clear_trace();
1625 }
1626 }
1627 }
1628
1629 // Enable and reset external trigger in timer for capturing future frames
1630 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1631
1632 // Reset the received frame and response timing info
1633 memset(rx, 0x00, sizeof(rx));
1634 response = 0;
1635
1636 LED_B_OFF();
1637 }
1638 // Reset the frame length
1639 rxlen = 0;
1640 // Save the timer overflow, will be 0 when frame was received
1641 overflow += (AT91C_BASE_TC1->TC_CV / T0);
1642 // Reset the timer to restart while-loop that receives frames
1643 AT91C_BASE_TC1->TC_CCR = AT91C_TC_SWTRG;
1644 }
1645 Dbprintf("Hitag S simulation stopped");
1646 LED_B_OFF();
1647 LED_D_OFF();
1648 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1649 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1650 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1651 }
1652
1653 /*
1654 * Authenticates to the Tag with the given key or challenge.
1655 * If the key was given the password will be decrypted.
1656 * Reads every page of a hitag S transpoder.
1657 */
1658 void ReadHitagSintern(hitag_function htf, hitag_data* htd, stype tagMode, int startPage, bool readBlock) {
1659 int frame_count;
1660 int i;
1661 int sendNum = startPage;
1662 tag.mode = tagMode;
1663
1664 //int i, j, z;
1665 //int response_bit[200];
1666 //unsigned char mask = 1;
1667
1668 int response;
1669 byte_t rx[HITAG_FRAME_LEN];
1670 size_t rxlen = 0;
1671 byte_t txbuf[HITAG_FRAME_LEN];
1672 byte_t* tx = txbuf;
1673 size_t txlen = 0;
1674 int lastbit;
1675 int t_wait = HITAG_T_WAIT_MAX;
1676 bool bStop;
1677 bool bQuitTraceFull = false;
1678
1679 page_to_be_written = 0;
1680
1681 //read given key/challenge
1682 byte_t NrAr_[8];
1683 uint64_t key=0;
1684 uint64_t NrAr=0;
1685 byte_t key_[6];
1686 switch(htf) {
1687 case 01:
1688 case 03: { //RHTS_CHALLENGE
1689 DbpString("Authenticating using nr,ar pair:");
1690 memcpy(NrAr_,htd->auth.NrAr,8);
1691 Dbhexdump(8,NrAr_,false);
1692 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1693 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1694 } break;
1695 case 02:
1696 case 04: { //RHTS_KEY
1697 DbpString("Authenticating using key:");
1698 memcpy(key_,htd->crypto.key,6);
1699 Dbhexdump(6,key_,false);
1700 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1701 } break;
1702 default: {
1703 Dbprintf("Error , unknown function: %d",htf);
1704 return;
1705 } break;
1706 }
1707
1708
1709
1710 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1711 // Reset the return status
1712 bSuccessful = false;
1713
1714 // Clean up trace and prepare it for storing frames
1715 set_tracing(true);
1716 clear_trace();
1717
1718 bQuiet = false;
1719
1720 LED_D_ON();
1721
1722 // Configure output and enable pin that is connected to the FPGA (for modulating)
1723 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1724 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1725
1726 // Set fpga in edge detect with reader field, we can modulate as reader now
1727 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1728
1729 // Set Frequency divisor which will drive the FPGA and analog mux selection
1730 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1731 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1732 RELAY_OFF();
1733
1734 // Disable modulation at default, which means enable the field
1735 LOW(GPIO_SSC_DOUT);
1736
1737 // Give it a bit of time for the resonant antenna to settle.
1738 SpinDelay(30);
1739
1740 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1741 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1742
1743 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1744 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1745 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1746
1747 // Disable timer during configuration
1748 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1749
1750 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1751 // external trigger rising edge, load RA on falling edge of TIOA.
1752 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
1753
1754 // Enable and reset counters
1755 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1756 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1757
1758 // Reset the received frame, frame count and timing info
1759 frame_count = 0;
1760 response = 0;
1761 lastbit = 1;
1762 bStop = false;
1763 t_wait = 200;
1764
1765 while (!bStop && !BUTTON_PRESS()) {
1766 // Watchdog hit
1767 WDT_HIT();
1768
1769
1770 // Add transmitted frame to total count
1771 if (txlen > 0) {
1772 frame_count++;
1773
1774 if (tag.pstate == READY && rxlen < 1) {
1775 //skip logging starting auths if no response
1776 } else {
1777 if (!bQuiet) {
1778 // Store the frame in the trace
1779 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
1780 if (bQuitTraceFull) {
1781 DbpString("Trace full");
1782 break;
1783 } else {
1784 bQuiet = true;
1785 }
1786 }
1787 }
1788 }
1789 }
1790
1791 // Check if frame was captured and store it
1792 if (rxlen > 0) {
1793 frame_count++;
1794 if (!bQuiet) {
1795 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
1796 DbpString("Trace full");
1797 if (bQuitTraceFull) {
1798 break;
1799 } else {
1800 bQuiet = true;
1801 }
1802 }
1803 }
1804 }
1805
1806 // By default reset the transmission buffer
1807 tx = txbuf;
1808 txlen = 0;
1809
1810 if (DEBUG >= 2) {
1811 Dbprintf("FRO %d rxlen: %d, pstate=%d, tstate=%d", frame_count, rxlen, (int)tag.pstate, (int)tag.tstate);
1812 }
1813
1814 if (rxlen == 0) {
1815 //start authentication
1816 hitag_start_auth(tx, &txlen);
1817 } else if (tag.pstate != SELECTED) {
1818 if (hitagS_handle_tag_auth(htf, key,NrAr,rx, rxlen, tx, &txlen) == -1) {
1819 Dbprintf("hitagS_handle_tag_auth - bStop = !false");
1820 bStop = !false;
1821 }
1822 }
1823
1824
1825
1826 if (readBlock && tag.pstate == SELECTED && (tag.tstate == READING_BLOCK || tag.tstate == NO_OP) && rxlen > 0) {
1827 i = hitag_read_block(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1828 if (i > 0) { sendNum+=4; }
1829 if (sendNum+4 >= tag.max_page) {
1830 bStop = !false;
1831 }
1832 } else if (!readBlock && tag.pstate == SELECTED && (tag.tstate == READING_PAGE || tag.tstate == NO_OP) && rxlen > 0) {
1833 i = hitag_read_page(htf, key, rx, &rxlen, tx, &txlen, sendNum);
1834 if (i > 0) { sendNum++; }
1835 if (sendNum >= tag.max_page) {
1836 bStop = !false;
1837 }
1838 }
1839
1840 // Send and store the reader command
1841 // Disable timer 1 with external trigger to avoid triggers during our own modulation
1842 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1843
1844 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
1845 // Since the clock counts since the last falling edge, a 'one' means that the
1846 // falling edge occured halfway the period. with respect to this falling edge,
1847 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
1848 // All timer values are in terms of T0 units
1849
1850 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
1851
1852 // Transmit the reader frame
1853 hitag_reader_send_frame(tx, txlen);
1854
1855
1856 // Enable and reset external trigger in timer for capturing future frames
1857 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1858
1859
1860 // Reset values for receiving frames
1861 memset(rx, 0x00, sizeof(rx));
1862 rxlen = 0;
1863 lastbit = 1;
1864 response = 0;
1865
1866 // get tag id in anti-collision mode (proprietary data format, so switch off manchester and read at double the data rate, for 4 x the data bits)
1867 hitag_receive_frame(rx, &rxlen, &response);
1868 }
1869 end=false;
1870 LED_B_OFF();
1871 LED_D_OFF();
1872 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1873 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
1874 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1875 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
1876 }
1877
1878 void ReadHitagSCmd(hitag_function htf, hitag_data* htd, uint64_t startPage, uint64_t tagMode, bool readBlock) {
1879 if (tagMode == 1) {
1880 Dbprintf("ReadHitagS in mode=ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1881 ReadHitagSintern(htf, htd, ADVANCED, (int)startPage, readBlock);
1882 } else if (tagMode == 2) {
1883 Dbprintf("ReadHitagS in mode=FAST_ADVANCED, blockRead=%d, startPage=%d", readBlock, startPage);
1884 ReadHitagSintern(htf, htd, FAST_ADVANCED, (int)startPage, readBlock);
1885 } else {
1886 Dbprintf("ReadHitagS in mode=STANDARD, blockRead=%d, startPage=%d", readBlock, startPage);
1887 ReadHitagSintern(htf, htd, STANDARD, (int)startPage, readBlock);
1888 }
1889 }
1890
1891
1892
1893 /*
1894 * Authenticates to the Tag with the given Key or Challenge.
1895 * Writes the given 32Bit data into page_
1896 */
1897 void WritePageHitagS(hitag_function htf, hitag_data* htd,int page_) {
1898 int frame_count;
1899 int response;
1900 byte_t rx[HITAG_FRAME_LEN];
1901 size_t rxlen = 0;
1902 byte_t txbuf[HITAG_FRAME_LEN];
1903 byte_t* tx = txbuf;
1904 size_t txlen = 0;
1905 int lastbit;
1906 int t_wait = HITAG_T_WAIT_MAX;
1907 bool bStop;
1908 bool bQuitTraceFull = false;
1909 int page = page_;
1910 unsigned char crc;
1911 byte_t data[4]= {0,0,0,0};
1912
1913 //read given key/challenge, the page and the data
1914 byte_t NrAr_[8];
1915 uint64_t key=0;
1916 uint64_t NrAr=0;
1917 byte_t key_[6];
1918 switch(htf) {
1919 case 03: { //WHTS_CHALLENGE
1920 memcpy(data,htd->auth.data,4);
1921 DbpString("Authenticating using nr,ar pair:");
1922 memcpy(NrAr_,htd->auth.NrAr,8);
1923 Dbhexdump(8,NrAr_,false);
1924 NrAr=NrAr_[7] | ((uint64_t)NrAr_[6]) << 8 | ((uint64_t)NrAr_[5]) << 16 | ((uint64_t)NrAr_[4]) << 24 | ((uint64_t)NrAr_[3]) << 32 |
1925 ((uint64_t)NrAr_[2]) << 40| ((uint64_t)NrAr_[1]) << 48 | ((uint64_t)NrAr_[0]) << 56;
1926 } break;
1927 case 04: { //WHTS_KEY
1928 memcpy(data,htd->crypto.data,4);
1929 DbpString("Authenticating using key:");
1930 memcpy(key_,htd->crypto.key,6);
1931 Dbhexdump(6,key_,false);
1932 key=key_[5] | ((uint64_t)key_[4]) << 8 | ((uint64_t)key_[3]) << 16 | ((uint64_t)key_[2]) << 24 | ((uint64_t)key_[1]) << 32 | ((uint64_t)key_[0]) << 40;
1933 } break;
1934 default: {
1935 Dbprintf("Error , unknown function: %d",htf);
1936 return;
1937 } break;
1938 }
1939
1940 Dbprintf("Page: %d",page_);
1941 Dbprintf("DATA: %02X %02X %02X %02X", data[0], data[1], data[2], data[3]);
1942 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
1943 // Reset the return status
1944 bSuccessful = false;
1945
1946 tag.pstate = READY;
1947 tag.tstate = NO_OP;
1948
1949 // Clean up trace and prepare it for storing frames
1950 set_tracing(true);
1951 clear_trace();
1952
1953 bQuiet = false;
1954
1955 LED_D_ON();
1956
1957 // Configure output and enable pin that is connected to the FPGA (for modulating)
1958 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
1959 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
1960
1961 // Set fpga in edge detect with reader field, we can modulate as reader now
1962 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
1963
1964 // Set Frequency divisor which will drive the FPGA and analog mux selection
1965 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
1966 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
1967 RELAY_OFF();
1968
1969 // Disable modulation at default, which means enable the field
1970 LOW(GPIO_SSC_DOUT);
1971
1972 // Give it a bit of time for the resonant antenna to settle.
1973 SpinDelay(30);
1974
1975 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
1976 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
1977
1978 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
1979 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
1980 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
1981
1982 // Disable timer during configuration
1983 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
1984
1985 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
1986 // external trigger rising edge, load RA on falling edge of TIOA.
1987 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK
1988 | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG
1989 | AT91C_TC_LDRA_FALLING;
1990
1991 // Enable and reset counters
1992 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1993 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
1994
1995 // Reset the received frame, frame count and timing info
1996 frame_count = 0;
1997 response = 0;
1998 lastbit = 1;
1999 bStop = false;
2000 t_wait = 200;
2001
2002 while (!bStop && !BUTTON_PRESS()) {
2003 // Watchdog hit
2004 WDT_HIT();
2005
2006 // Check if frame was captured and store it
2007 if (rxlen > 0) {
2008 frame_count++;
2009 if (!bQuiet) {
2010 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2011 DbpString("Trace full");
2012 if (bQuitTraceFull) {
2013 break;
2014 } else {
2015 bQuiet = true;
2016 }
2017 }
2018 }
2019 }
2020
2021 //check for valid input
2022 /*
2023 if (page == 0) {
2024 Dbprintf("usage: lf hitag writer [03 | 04] [CHALLENGE | KEY] [page] [byte0] [byte1] [byte2] [byte3]");
2025 bStop = !false;
2026 }*/
2027
2028
2029 // By default reset the transmission buffer
2030 tx = txbuf;
2031 txlen = 0;
2032
2033 if (rxlen == 0 && tag.tstate == WRITING_PAGE_ACK) {
2034 //no write access on this page
2035 Dbprintf("no write access on page %d", page_);
2036 bStop = !false;
2037 } else if (rxlen == 0 && tag.tstate != WRITING_PAGE_DATA) {
2038 //start the authetication
2039 //tag.mode = ADVANCED;
2040 tag.mode = STANDARD;
2041 hitag_start_auth(tx, &txlen);
2042 m = AC2K;
2043 } else if (tag.pstate != SELECTED) {
2044 //try to authenticate with the given key or challenge
2045 if (hitagS_handle_tag_auth(htf,key,NrAr,rx, rxlen, tx, &txlen) == -1) {
2046 bStop = !false;
2047 }
2048 m = MC4K;
2049 }
2050
2051 if (tag.pstate == SELECTED && tag.tstate == NO_OP && rxlen > 0) {
2052 //check if the given page exists
2053 if (page > tag.max_page) {
2054 Dbprintf("page number too big");
2055 bStop = !false;
2056 }
2057 //ask Tag for write permission
2058 tag.tstate = WRITING_PAGE_ACK;
2059 txlen = 20;
2060 crc = CRC_PRESET;
2061 tx[0] = 0x90 + (page / 16);
2062 calc_crc(&crc, tx[0], 8);
2063 calc_crc(&crc, 0x00 + ((page % 16) * 16), 4);
2064 tx[1] = 0x00 + ((page % 16) * 16) + (crc / 16);
2065 tx[2] = 0x00 + (crc % 16) * 16;
2066 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_ACK
2067 && rxlen == 2 && rx[0] == 0x40) {
2068 //ACK recieved to write the page. send data
2069 tag.tstate = WRITING_PAGE_DATA;
2070 txlen = 40;
2071 crc = CRC_PRESET;
2072 calc_crc(&crc, data[3], 8);
2073 calc_crc(&crc, data[2], 8);
2074 calc_crc(&crc, data[1], 8);
2075 calc_crc(&crc, data[0], 8);
2076 tx[0] = data[3];
2077 tx[1] = data[2];
2078 tx[2] = data[1];
2079 tx[3] = data[0];
2080 tx[4] = crc;
2081 } else if (tag.pstate == SELECTED && tag.tstate == WRITING_PAGE_DATA
2082 && rxlen == 2 && rx[0] == 0x40) {
2083 //received ACK
2084 Dbprintf("Successful!");
2085 bStop = !false;
2086 }
2087
2088 // Send and store the reader command
2089 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2090 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2091
2092 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2093 // Since the clock counts since the last falling edge, a 'one' means that the
2094 // falling edge occured halfway the period. with respect to this falling edge,
2095 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2096 // All timer values are in terms of T0 units
2097
2098 while (AT91C_BASE_TC0->TC_CV
2099 < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit)))
2100 ;
2101
2102 // Transmit the reader frame
2103 hitag_reader_send_frame(tx, txlen);
2104
2105 // Enable and reset external trigger in timer for capturing future frames
2106 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2107
2108 // Add transmitted frame to total count
2109 if (txlen > 0) {
2110 frame_count++;
2111 if (!bQuiet) {
2112 // Store the frame in the trace
2113 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2114 if (bQuitTraceFull) {
2115 DbpString("Trace full");
2116 break;
2117 } else {
2118 bQuiet = true;
2119 }
2120 }
2121 }
2122 }
2123
2124 // Reset values for receiving frames
2125 memset(rx, 0x00, sizeof(rx));
2126 rxlen = 0;
2127 lastbit = 1;
2128 response = 0;
2129
2130 hitag_receive_frame(rx, &rxlen, &response);
2131 }
2132 end=false;
2133 LED_B_OFF();
2134 LED_D_OFF();
2135 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2136 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2137 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2138 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2139 }
2140
2141
2142 /*
2143 * Tries to authenticate to a Hitag S Transponder with the given challenges from a .cc file.
2144 * Displays all Challenges that failed.
2145 * When collecting Challenges to break the key it is possible that some data
2146 * is not received correctly due to Antenna problems. This function
2147 * detects these challenges.
2148 */
2149 void check_challenges_cmd(bool file_given, byte_t* data, uint64_t tagMode) {
2150 int i, j, z, k;
2151 byte_t uid_byte[4];
2152 int frame_count;
2153 int response;
2154 byte_t rx[HITAG_FRAME_LEN];
2155 byte_t unlocker[60][8];
2156 int u1 = 0;
2157 size_t rxlen = 0;
2158 byte_t txbuf[HITAG_FRAME_LEN];
2159 byte_t* tx = txbuf;
2160 size_t txlen = 0;
2161 int lastbit;
2162 int t_wait = HITAG_T_WAIT_MAX;
2163 int STATE = 0;
2164 bool bStop;
2165 bool bQuitTraceFull = false;
2166 int response_bit[200];
2167 unsigned char mask = 1;
2168 unsigned char uid[32];
2169 unsigned char crc;
2170
2171 if (tagMode == 1) {
2172 Dbprintf("check_challenges in mode=ADVANCED");
2173 tag.mode = ADVANCED;
2174 } else if (tagMode == 2) {
2175 Dbprintf("check_challenges in mode=FAST_ADVANCED");
2176 tag.mode = FAST_ADVANCED;
2177 } else {
2178 Dbprintf("check_challenges in mode=STANDARD");
2179 tag.mode = STANDARD;
2180 }
2181
2182
2183 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
2184 // Reset the return status
2185 bSuccessful = false;
2186
2187 // Clean up trace and prepare it for storing frames
2188 set_tracing(true);
2189 clear_trace();
2190
2191 bQuiet = false;
2192
2193 LED_D_ON();
2194
2195 // Configure output and enable pin that is connected to the FPGA (for modulating)
2196 AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT;
2197 AT91C_BASE_PIOA->PIO_PER = GPIO_SSC_DOUT;
2198
2199 // Set fpga in edge detect with reader field, we can modulate as reader now
2200 FpgaWriteConfWord(
2201 FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
2202
2203 // Set Frequency divisor which will drive the FPGA and analog mux selection
2204 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
2205 SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
2206 RELAY_OFF();
2207
2208 // Disable modulation at default, which means enable the field
2209 LOW(GPIO_SSC_DOUT);
2210
2211 // Give it a bit of time for the resonant antenna to settle.
2212 SpinDelay(30);
2213
2214 // Enable Peripheral Clock for TIMER_CLOCK0, used to measure exact timing before answering
2215 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC0);
2216
2217 // Enable Peripheral Clock for TIMER_CLOCK1, used to capture edges of the tag frames
2218 AT91C_BASE_PMC->PMC_PCER = (1 << AT91C_ID_TC1);
2219 AT91C_BASE_PIOA->PIO_BSR = GPIO_SSC_FRAME;
2220
2221 // Disable timer during configuration
2222 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2223
2224 // Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
2225 // external trigger rising edge, load RA on falling edge of TIOA.
2226 AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_FALLING | AT91C_TC_ABETRG | AT91C_TC_LDRA_FALLING;
2227
2228 // Enable and reset counters
2229 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2230 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2231
2232 // Reset the received frame, frame count and timing info
2233 frame_count = 0;
2234 response = 0;
2235 lastbit = 1;
2236 bStop = false;
2237
2238 t_wait = 200;
2239
2240 if (file_given) {
2241 DbpString("Loading challenges...");
2242 memcpy((byte_t*)unlocker,data,60*8);
2243 }
2244
2245 while (file_given && !bStop && !BUTTON_PRESS()) {
2246 // Watchdog hit
2247 WDT_HIT();
2248
2249 // Check if frame was captured and store it
2250 if (rxlen > 0) {
2251 frame_count++;
2252 if (!bQuiet) {
2253 if (!LogTraceHitag(rx, rxlen, response, 0, false)) {
2254 DbpString("Trace full");
2255 if (bQuitTraceFull) {
2256 break;
2257 } else {
2258 bQuiet = true;
2259 }
2260 }
2261 }
2262 }
2263
2264 tx = txbuf;
2265 txlen = 0;
2266 if (rxlen == 0) {
2267 if (STATE == 2) {
2268 // challenge failed
2269 Dbprintf("Challenge failed: %02X %02X %02X %02X %02X %02X %02X %02X",
2270 unlocker[u1 - 1][0], unlocker[u1 - 1][1],
2271 unlocker[u1 - 1][2], unlocker[u1 - 1][3],
2272 unlocker[u1 - 1][4], unlocker[u1 - 1][5],
2273 unlocker[u1 - 1][6], unlocker[u1 - 1][7]);
2274 }
2275 STATE = 0;
2276 hitag_start_auth(tx, &txlen);
2277 } else if (rxlen >= 32 && STATE == 0) {
2278 //received uid
2279 z = 0;
2280 for (i = 0; i < 10; i++) {
2281 for (j = 0; j < 8; j++) {
2282 response_bit[z] = 0;
2283 if ((rx[i] & ((mask << 7) >> j)) != 0)
2284 response_bit[z] = 1;
2285 z++;
2286 }
2287 }
2288 for (i = 0; i < 32; i++) {
2289 uid[i] = response_bit[i];
2290 }
2291
2292 uid_byte[0] = (uid[0] << 7) | (uid[1] << 6) | (uid[2] << 5)
2293 | (uid[3] << 4) | (uid[4] << 3) | (uid[5] << 2)
2294 | (uid[6] << 1) | uid[7];
2295 uid_byte[1] = (uid[8] << 7) | (uid[9] << 6) | (uid[10] << 5)
2296 | (uid[11] << 4) | (uid[12] << 3) | (uid[13] << 2)
2297 | (uid[14] << 1) | uid[15];
2298 uid_byte[2] = (uid[16] << 7) | (uid[17] << 6) | (uid[18] << 5)
2299 | (uid[19] << 4) | (uid[20] << 3) | (uid[21] << 2)
2300 | (uid[22] << 1) | uid[23];
2301 uid_byte[3] = (uid[24] << 7) | (uid[25] << 6) | (uid[26] << 5)
2302 | (uid[27] << 4) | (uid[28] << 3) | (uid[29] << 2)
2303 | (uid[30] << 1) | uid[31];
2304 //Dbhexdump(10, rx, rxlen);
2305 STATE = 1;
2306 txlen = 45;
2307 crc = CRC_PRESET;
2308 calc_crc(&crc, 0x00, 5);
2309 calc_crc(&crc, uid_byte[0], 8);
2310 calc_crc(&crc, uid_byte[1], 8);
2311 calc_crc(&crc, uid_byte[2], 8);
2312 calc_crc(&crc, uid_byte[3], 8);
2313 for (i = 0; i < 100; i++) {
2314 response_bit[i] = 0;
2315 }
2316 for (i = 0; i < 5; i++) {
2317 response_bit[i] = 0;
2318 }
2319 for (i = 5; i < 37; i++) {
2320 response_bit[i] = uid[i - 5];
2321 }
2322 for (j = 0; j < 8; j++) {
2323 response_bit[i] = 0;
2324 if ((crc & ((mask << 7) >> j)) != 0)
2325 response_bit[i] = 1;
2326 i++;
2327 }
2328 k = 0;
2329 for (i = 0; i < 6; i++) {
2330 tx[i] = (response_bit[k] << 7) | (response_bit[k + 1] << 6)
2331 | (response_bit[k + 2] << 5)
2332 | (response_bit[k + 3] << 4)
2333 | (response_bit[k + 4] << 3)
2334 | (response_bit[k + 5] << 2)
2335 | (response_bit[k + 6] << 1) | response_bit[k + 7];
2336 k += 8;
2337 }
2338
2339
2340 tag.pstate = INIT;
2341 } else if (STATE == 1 && rxlen > 24) {
2342 //received configuration
2343 STATE = 2;
2344 z = 0;
2345 for (i = 0; i < 6; i++) {
2346 for (j = 0; j < 8; j++) {
2347 response_bit[z] = 0;
2348 if ((rx[i] & ((mask << 7) >> j)) != 0)
2349 response_bit[z] = 1;
2350 z++;
2351 }
2352 }
2353 txlen = 64;
2354
2355 if (u1 >= (sizeof(unlocker) / sizeof(unlocker[0])))
2356 bStop = !false;
2357 for (i = 0; i < 8; i++)
2358 tx[i] = unlocker[u1][i];
2359 u1++;
2360
2361 tag.pstate = SELECTED;
2362 } else if (STATE == 2 && rxlen >= 32) {
2363 STATE = 0;
2364 }
2365
2366 // Send and store the reader command
2367 // Disable timer 1 with external trigger to avoid triggers during our own modulation
2368 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2369
2370 // Wait for HITAG_T_WAIT_2 carrier periods after the last tag bit before transmitting,
2371 // Since the clock counts since the last falling edge, a 'one' means that the
2372 // falling edge occured halfway the period. with respect to this falling edge,
2373 // we need to wait (T_Wait2 + half_tag_period) when the last was a 'one'.
2374 // All timer values are in terms of T0 units
2375 while (AT91C_BASE_TC0->TC_CV < T0 * (t_wait + (HITAG_T_TAG_HALF_PERIOD * lastbit))) { }
2376
2377 // Transmit the reader frame
2378 hitag_reader_send_frame(tx, txlen);
2379
2380 // Enable and reset external trigger in timer for capturing future frames
2381 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
2382
2383 // Add transmitted frame to total count
2384 if (txlen > 0) {
2385 frame_count++;
2386 if (!bQuiet) {
2387 // Store the frame in the trace
2388 if (!LogTraceHitag(tx, txlen, HITAG_T_WAIT_2, 0, true)) {
2389 if (bQuitTraceFull) {
2390 DbpString("Trace full");
2391 break;
2392 } else {
2393 bQuiet = true;
2394 }
2395 }
2396 }
2397 }
2398
2399 // Reset values for receiving frames
2400 memset(rx, 0x00, sizeof(rx));
2401 rxlen = 0;
2402 lastbit = 1;
2403 response = 0;
2404
2405 hitag_receive_frame(rx, &rxlen, &response);
2406 }
2407 LED_B_OFF();
2408 LED_D_OFF();
2409 AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
2410 AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
2411 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2412 cmd_send(CMD_ACK, bSuccessful, 0, 0, 0, 0);
2413 }
2414
2415 /**
2416 Backward compatibility
2417 */
2418 void check_challenges(bool file_given, byte_t* data) {
2419 check_challenges_cmd(file_given, data, 1);
2420 }
2421
2422 void ReadHitagS(hitag_function htf, hitag_data* htd) {
2423 ReadHitagSintern(htf, htd, ADVANCED, 0, false);
2424 }
Proxmark3 GIT tracking
Impressum, Datenschutz