+ nt_diff = (nt_diff + 1) & 0x07;
+ mf_nr_ar[3] = nt_diff << 5;
+ par = par_low;
+ } else {
+ if (nt_diff == 0)
+ {
+ par++;
+ } else {
+ par = (((par >> 3) + 1) << 3) | par_low;
+ }
+ }
+ }
+
+ LogTrace(nt, 4, 0, GetParity(nt, 4), TRUE);
+ LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
+ LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
+
+ UsbCommand ack = {CMD_ACK, {isOK, 0, 0}};
+ memcpy(ack.d.asBytes + 0, uid, 4);
+ memcpy(ack.d.asBytes + 4, nt, 4);
+ memcpy(ack.d.asBytes + 8, par_list, 8);
+ memcpy(ack.d.asBytes + 16, ks_list, 8);
+
+ LED_B_ON();
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+ tracing = TRUE;
+
+ if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
+}
+
+
+//-----------------------------------------------------------------------------
+// MIFARE 1K simulate.
+//
+//-----------------------------------------------------------------------------
+void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ int cardSTATE = MFEMUL_NOFIELD;
+ int _7BUID = 0;
+ int vHf = 0; // in mV
+ int nextCycleTimeout = 0;
+ int res;
+ uint32_t timer = 0;
+ uint32_t selTimer = 0;
+ uint32_t authTimer = 0;
+ uint32_t par = 0;
+ int len = 0;
+ uint8_t cardWRBL = 0;
+ uint8_t cardAUTHSC = 0;
+ uint8_t cardAUTHKEY = 0xff; // no authentication
+ uint32_t cuid = 0;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ uint64_t key64 = 0xffffffffffffULL;
+
+ uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
+ uint8_t *response = eml_get_bigbufptr_sendbuf();
+
+ static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
+
+ static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
+ static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
+
+ static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
+ static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
+
+ static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
+ static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
+
+ // clear trace
+ traceLen = 0;
+ tracing = true;
+
+ // get UID from emul memory
+ emlGetMemBt(receivedCmd, 7, 1);
+ _7BUID = !(receivedCmd[0] == 0x00);
+ if (!_7BUID) { // ---------- 4BUID
+ rATQA[0] = 0x04;
+
+ emlGetMemBt(rUIDBCC1, 0, 4);
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ } else { // ---------- 7BUID
+ rATQA[0] = 0x44;
+
+ rUIDBCC1[0] = 0x88;
+ emlGetMemBt(&rUIDBCC1[1], 0, 3);
+ rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
+ emlGetMemBt(rUIDBCC2, 3, 4);
+ rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
+ }
+
+// -------------------------------------- test area
+
+ // Authenticate response - nonce
+ uint8_t *resp1 = (((uint8_t *)BigBuf) + EML_RESPONSES);
+ int resp1Len;
+// uint8_t *resp2 = (((uint8_t *)BigBuf) + EML_RESPONSES + 200);
+// int resp2Len;
+ CodeIso14443aAsTag(rAUTH_NT, sizeof(rAUTH_NT));
+ memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
+
+ timer = GetTickCount();
+ uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
+ uint32_t rn_enc = 0x98d76b77; // !!!!!!!!!!!!!!!!!
+ uint32_t ans = 0;
+ cuid = bytes_to_num(rUIDBCC1, 4);
+/*
+ crypto1_create(pcs, key64);
+ crypto1_word(pcs, cuid ^ nonce, 0);
+ crypto1_word(pcs, rn_enc , 1);
+ crypto1_word(pcs, 0, 0);
+ ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
+ num_to_bytes(ans, 4, rAUTH_AT);
+ CodeIso14443aAsTag(rAUTH_AT, sizeof(rAUTH_AT));
+ memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
+ Dbprintf("crypto auth time: %d", GetTickCount() - timer);
+*/
+// -------------------------------------- END test area
+ // start mkseconds counter
+ StartCountUS();
+
+ // We need to listen to the high-frequency, peak-detected path.
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+ FpgaSetupSsc();
+
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+ SpinDelay(200);
+
+ Dbprintf("--> start. 7buid=%d", _7BUID);
+ // calibrate mkseconds counter
+ GetDeltaCountUS();
+ while (true) {
+ WDT_HIT();
+
+ if(BUTTON_PRESS()) {
+ break;
+ }
+
+ // find reader field
+ // Vref = 3300mV, and an 10:1 voltage divider on the input
+ // can measure voltages up to 33000 mV
+ if (cardSTATE == MFEMUL_NOFIELD) {
+ vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
+ if (vHf > MF_MINFIELDV) {
+ cardSTATE = MFEMUL_IDLE;
+ LED_A_ON();
+ }
+ }
+
+ if (cardSTATE != MFEMUL_NOFIELD) {
+ res = EmGetCmd(receivedCmd, &len, 100); // (+ nextCycleTimeout)
+ if (res == 2) {
+ cardSTATE = MFEMUL_NOFIELD;
+ LEDsoff();
+ continue;
+ }
+ if(res) break;
+ }
+
+ nextCycleTimeout = 0;
+
+// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
+
+ if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
+ // REQ or WUP request in ANY state and WUP in HALTED state
+ if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
+ selTimer = GetTickCount();
+ EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
+ cardSTATE = MFEMUL_SELECT1;
+
+ // init crypto block
+ LED_B_OFF();
+ LED_C_OFF();
+ crypto1_destroy(pcs);
+ cardAUTHKEY = 0xff;
+ }
+ }
+
+ switch (cardSTATE) {
+ case MFEMUL_NOFIELD:{
+ break;
+ }
+ case MFEMUL_HALTED:{
+ break;
+ }
+ case MFEMUL_IDLE:{
+ break;
+ }
+ case MFEMUL_SELECT1:{
+ // select all
+ if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
+ EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
+ }
+
+ // select card
+ if (len == 9 &&
+ (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+ if (!_7BUID)
+ EmSendCmd(rSAK, sizeof(rSAK));
+ else
+ EmSendCmd(rSAK1, sizeof(rSAK1));
+
+ cuid = bytes_to_num(rUIDBCC1, 4);
+ if (!_7BUID) {
+ cardSTATE = MFEMUL_WORK;
+ } else {
+ cardSTATE = MFEMUL_SELECT2;
+ break;
+ }
+ LED_B_ON();
+ Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
+ }
+
+ break;
+ }
+ case MFEMUL_SELECT2:{
+ if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
+ EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
+ break;
+ }