+ // Send EOF
+ ToSend[++ToSendMax] = 0xB8;
+ //lastProxToAirDuration = 8*ToSendMax - 3*8 - 3*8;//Not counting zeroes in the beginning or end
+ // Convert from last byte pos to length
+ ToSendMax++;
+}
+
+// Only SOF
+static void CodeIClassTagSOF() {
+ //So far a dummy implementation, not used
+ //int lastProxToAirDuration =0;
+
+ ToSendReset();
+ // Send SOF
+ ToSend[++ToSendMax] = 0x1D;
+// lastProxToAirDuration = 8*ToSendMax - 3*8;//Not counting zeroes in the beginning
+
+ // Convert from last byte pos to length
+ ToSendMax++;
+}
+
+static void AppendCrc(uint8_t *data, int len) {
+ ComputeCrc14443(CRC_ICLASS, data, len, data+len, data+len+1);
+}
+
+static int SendIClassAnswer(uint8_t *resp, int respLen, int delay) {
+ int i = 0, d = 0;//, u = 0, d = 0;
+ uint8_t b = 0;
+
+ //FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_424K_8BIT);
+
+ AT91C_BASE_SSC->SSC_THR = 0x00;
+ FpgaSetupSsc(FPGA_MAJOR_MODE_HF_SIMULATOR);
+ while (!BUTTON_PRESS()) {
+ if ((AT91C_BASE_SSC->SSC_SR & AT91C_SSC_RXRDY)){
+ b = AT91C_BASE_SSC->SSC_RHR; (void) b;
+ }
+ if (AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)){
+ b = 0x00;
+ if (d < delay) {
+ d++;
+ }
+ else {
+ if (i < respLen) {
+ b = resp[i];
+ //Hack
+ //b = 0xAC;
+ }
+ i++;
+ }
+ AT91C_BASE_SSC->SSC_THR = b;
+ }
+
+// if (i > respLen +4) break;
+ if (i > respLen + 1) break;
+ }
+
+ return 0;
+}
+
+
+#define MODE_SIM_CSN 0
+#define MODE_EXIT_AFTER_MAC 1
+#define MODE_FULLSIM 2
+
+/**
+ * @brief Does the actual simulation
+ * @param csn - csn to use
+ * @param breakAfterMacReceived if true, returns after reader MAC has been received.
+ */
+int doIClassSimulation(int simulationMode, uint8_t *reader_mac_buf) {
+ // free eventually allocated BigBuf memory
+ BigBuf_free_keep_EM();
+
+ State cipher_state;
+// State cipher_state_reserve;
+ uint8_t *csn = BigBuf_get_EM_addr();
+ uint8_t *emulator = csn;
+ uint8_t sof_data[] = { 0x0F} ;
+ // CSN followed by two CRC bytes
+ uint8_t anticoll_data[10] = { 0 };
+ uint8_t csn_data[10] = { 0 };
+ memcpy(csn_data, csn, sizeof(csn_data));
+ Dbprintf("Simulating CSN %02x%02x%02x%02x%02x%02x%02x%02x", csn[0], csn[1], csn[2], csn[3], csn[4], csn[5], csn[6], csn[7]);
+
+ // Construct anticollision-CSN
+ rotateCSN(csn_data, anticoll_data);
+
+ // Compute CRC on both CSNs
+ ComputeCrc14443(CRC_ICLASS, anticoll_data, 8, &anticoll_data[8], &anticoll_data[9]);
+ ComputeCrc14443(CRC_ICLASS, csn_data, 8, &csn_data[8], &csn_data[9]);
+
+ uint8_t diversified_key[8] = { 0 };
+ // e-Purse
+ uint8_t card_challenge_data[8] = { 0x00 };
+ if (simulationMode == MODE_FULLSIM) {
+ //The diversified key should be stored on block 3
+ //Get the diversified key from emulator memory
+ memcpy(diversified_key, emulator + (8*3), 8);
+ //Card challenge, a.k.a e-purse is on block 2
+ memcpy(card_challenge_data, emulator + (8 * 2), 8);
+ //Precalculate the cipher state, feeding it the CC
+ cipher_state = opt_doTagMAC_1(card_challenge_data, diversified_key);
+ }
+
+ int exitLoop = 0;
+ // Reader 0a
+ // Tag 0f
+ // Reader 0c
+ // Tag anticoll. CSN
+ // Reader 81 anticoll. CSN
+ // Tag CSN
+
+ uint8_t *modulated_response;
+ int modulated_response_size = 0;
+ uint8_t *trace_data = NULL;
+ int trace_data_size = 0;
+
+ // Respond SOF -- takes 1 bytes
+ uint8_t *resp_sof = BigBuf_malloc(2);
+ int resp_sof_Len;
+
+ // Anticollision CSN (rotated CSN)
+ // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+ uint8_t *resp_anticoll = BigBuf_malloc(28);
+ int resp_anticoll_len;
+
+ // CSN
+ // 22: Takes 2 bytes for SOF/EOF and 10 * 2 = 20 bytes (2 bytes/byte)
+ uint8_t *resp_csn = BigBuf_malloc(30);
+ int resp_csn_len;
+
+ // e-Purse
+ // 18: Takes 2 bytes for SOF/EOF and 8 * 2 = 16 bytes (2 bytes/bit)
+ uint8_t *resp_cc = BigBuf_malloc(20);
+ int resp_cc_len;
+
+ uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+ int len;
+
+ // Prepare card messages
+ ToSendMax = 0;
+
+ // First card answer: SOF
+ CodeIClassTagSOF();
+ memcpy(resp_sof, ToSend, ToSendMax);
+ resp_sof_Len = ToSendMax;
+
+ // Anticollision CSN
+ CodeIClassTagAnswer(anticoll_data, sizeof(anticoll_data));
+ memcpy(resp_anticoll, ToSend, ToSendMax);
+ resp_anticoll_len = ToSendMax;
+
+ // CSN
+ CodeIClassTagAnswer(csn_data, sizeof(csn_data));
+ memcpy(resp_csn, ToSend, ToSendMax);
+ resp_csn_len = ToSendMax;
+
+ // e-Purse
+ CodeIClassTagAnswer(card_challenge_data, sizeof(card_challenge_data));
+ memcpy(resp_cc, ToSend, ToSendMax); resp_cc_len = ToSendMax;
+
+ //This is used for responding to READ-block commands or other data which is dynamically generated
+ //First the 'trace'-data, not encoded for FPGA
+ uint8_t *data_generic_trace = BigBuf_malloc(8 + 2);//8 bytes data + 2byte CRC is max tag answer
+ //Then storage for the modulated data
+ //Each bit is doubled when modulated for FPGA, and we also have SOF and EOF (2 bytes)
+ uint8_t *data_response = BigBuf_malloc( (8+2) * 2 + 2);
+
+ // Start from off (no field generated)
+ //FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ //SpinDelay(200);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+ SpinDelay(100);
+ StartCountSspClk();
+ // We need to listen to the high-frequency, peak-detected path.
+ SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+ FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A);
+
+ // To control where we are in the protocol
+ int cmdsRecvd = 0;
+ uint32_t time_0 = GetCountSspClk();
+ uint32_t t2r_time =0;
+ uint32_t r2t_time =0;
+
+ LED_A_ON();
+ bool buttonPressed = false;
+ uint8_t response_delay = 1;
+ while (!exitLoop) {
+ response_delay = 1;
+ LED_B_OFF();
+ //Signal tracer
+ // Can be used to get a trigger for an oscilloscope..
+ LED_C_OFF();
+
+ if (!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
+ buttonPressed = true;
+ break;
+ }
+ r2t_time = GetCountSspClk();
+ //Signal tracer
+ LED_C_ON();
+
+ // Okay, look at the command now.
+ if (receivedCmd[0] == ICLASS_CMD_ACTALL) {
+ // Reader in anticollission phase
+ modulated_response = resp_sof;
+ modulated_response_size = resp_sof_Len; //order = 1;
+ trace_data = sof_data;
+ trace_data_size = sizeof(sof_data);
+ } else if (receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 1) {
+ // Reader asks for anticollission CSN
+ modulated_response = resp_anticoll;
+ modulated_response_size = resp_anticoll_len; //order = 2;
+ trace_data = anticoll_data;
+ trace_data_size = sizeof(anticoll_data);
+ //DbpString("Reader requests anticollission CSN:");
+ } else if (receivedCmd[0] == ICLASS_CMD_SELECT) {
+ // Reader selects anticollission CSN.
+ // Tag sends the corresponding real CSN
+ modulated_response = resp_csn;
+ modulated_response_size = resp_csn_len; //order = 3;
+ trace_data = csn_data;
+ trace_data_size = sizeof(csn_data);
+ //DbpString("Reader selects anticollission CSN:");
+ } else if (receivedCmd[0] == ICLASS_CMD_READCHECK_KD) {
+ // Read e-purse (88 02)
+ modulated_response = resp_cc;
+ modulated_response_size = resp_cc_len; //order = 4;
+ trace_data = card_challenge_data;
+ trace_data_size = sizeof(card_challenge_data);
+ LED_B_ON();
+ } else if (receivedCmd[0] == ICLASS_CMD_CHECK) {
+ // Reader random and reader MAC!!!
+ if (simulationMode == MODE_FULLSIM) {
+ //NR, from reader, is in receivedCmd +1
+ opt_doTagMAC_2(cipher_state, receivedCmd+1, data_generic_trace, diversified_key);
+
+ trace_data = data_generic_trace;
+ trace_data_size = 4;
+ CodeIClassTagAnswer(trace_data, trace_data_size);
+ memcpy(data_response, ToSend, ToSendMax);
+ modulated_response = data_response;
+ modulated_response_size = ToSendMax;
+ response_delay = 0; //We need to hurry here... (but maybe not too much... ??)
+ //exitLoop = true;
+ } else { //Not fullsim, we don't respond
+ // We do not know what to answer, so lets keep quiet
+ modulated_response = resp_sof;
+ modulated_response_size = 0;
+ trace_data = NULL;
+ trace_data_size = 0;
+ if (simulationMode == MODE_EXIT_AFTER_MAC) {
+ // dbprintf:ing ...
+ Dbprintf("CSN: %02x %02x %02x %02x %02x %02x %02x %02x"
+ ,csn[0],csn[1],csn[2],csn[3],csn[4],csn[5],csn[6],csn[7]);
+ Dbprintf("RDR: (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",len,
+ receivedCmd[0], receivedCmd[1], receivedCmd[2],
+ receivedCmd[3], receivedCmd[4], receivedCmd[5],
+ receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+ if (reader_mac_buf != NULL) {
+ memcpy(reader_mac_buf, receivedCmd+1, 8);
+ }
+ exitLoop = true;
+ }
+ }
+
+ } else if (receivedCmd[0] == ICLASS_CMD_HALT && len == 1) {
+ // Reader ends the session
+ modulated_response = resp_sof;
+ modulated_response_size = 0; //order = 0;
+ trace_data = NULL;
+ trace_data_size = 0;
+ } else if (simulationMode == MODE_FULLSIM && receivedCmd[0] == ICLASS_CMD_READ_OR_IDENTIFY && len == 4) {
+ //Read block
+ uint16_t blk = receivedCmd[1];
+ //Take the data...
+ memcpy(data_generic_trace, emulator + (blk << 3), 8);
+ //Add crc
+ AppendCrc(data_generic_trace, 8);
+ trace_data = data_generic_trace;
+ trace_data_size = 10;
+ CodeIClassTagAnswer(trace_data, trace_data_size);
+ memcpy(data_response, ToSend, ToSendMax);
+ modulated_response = data_response;
+ modulated_response_size = ToSendMax;
+ } else if (receivedCmd[0] == ICLASS_CMD_UPDATE && simulationMode == MODE_FULLSIM) {
+ //Probably the reader wants to update the nonce. Let's just ignore that for now.
+ // OBS! If this is implemented, don't forget to regenerate the cipher_state
+ //We're expected to respond with the data+crc, exactly what's already in the receivedcmd
+ //receivedcmd is now UPDATE 1b | ADDRESS 1b| DATA 8b| Signature 4b or CRC 2b|
+
+ //Take the data...
+ memcpy(data_generic_trace, receivedCmd+2, 8);
+ //Add crc
+ AppendCrc(data_generic_trace, 8);
+ trace_data = data_generic_trace;
+ trace_data_size = 10;
+ CodeIClassTagAnswer(trace_data, trace_data_size);
+ memcpy(data_response, ToSend, ToSendMax);
+ modulated_response = data_response;
+ modulated_response_size = ToSendMax;
+ } else if (receivedCmd[0] == ICLASS_CMD_PAGESEL) {
+ //Pagesel
+ //Pagesel enables to select a page in the selected chip memory and return its configuration block
+ //Chips with a single page will not answer to this command
+ // It appears we're fine ignoring this.
+ //Otherwise, we should answer 8bytes (block) + 2bytes CRC
+ } else {
+ //#db# Unknown command received from reader (len=5): 26 1 0 f6 a 44 44 44 44
+ // Never seen this command before
+ Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
+ len,
+ receivedCmd[0], receivedCmd[1], receivedCmd[2],
+ receivedCmd[3], receivedCmd[4], receivedCmd[5],
+ receivedCmd[6], receivedCmd[7], receivedCmd[8]);
+ // Do not respond
+ modulated_response = resp_sof;
+ modulated_response_size = 0; //order = 0;
+ trace_data = NULL;
+ trace_data_size = 0;
+ }
+
+ if (cmdsRecvd > 100) {
+ //DbpString("100 commands later...");
+ //break;
+ } else {
+ cmdsRecvd++;
+ }
+ /**
+ A legit tag has about 380us delay between reader EOT and tag SOF.
+ **/
+ if (modulated_response_size > 0) {
+ SendIClassAnswer(modulated_response, modulated_response_size, response_delay);
+ t2r_time = GetCountSspClk();
+ }
+
+ uint8_t parity[MAX_PARITY_SIZE];
+ GetParity(receivedCmd, len, parity);
+ LogTrace(receivedCmd, len, (r2t_time-time_0) << 4, (r2t_time-time_0) << 4, parity, true);
+
+ if (trace_data != NULL) {
+ GetParity(trace_data, trace_data_size, parity);
+ LogTrace(trace_data, trace_data_size, (t2r_time-time_0) << 4, (t2r_time-time_0) << 4, parity, false);
+ }
+ if (!get_tracing()) {
+ DbpString("Trace full");
+ //break;
+ }
+ }
+
+ //Dbprintf("%x", cmdsRecvd);
+ LED_A_OFF();
+ LED_B_OFF();