} tUart;
static uint32_t iso14a_timeout;
+#define MAX_ISO14A_TIMEOUT 524288
+
int rsamples = 0;
uint8_t trigger = 0;
// the block number for the ISO14443-4 PCB
void iso14a_set_timeout(uint32_t timeout) {
- iso14a_timeout = timeout;
- if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", iso14a_timeout, iso14a_timeout / 106);
+ // adjust timeout by FPGA delays and 2 additional ssp_frames to detect SOF
+ iso14a_timeout = timeout + (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) + 2;
+ if(MF_DBGLEVEL >= 3) Dbprintf("ISO14443A Timeout set to %ld (%dms)", timeout, timeout / 106);
}
-static void iso14a_set_ATS_timeout(uint8_t *ats) {
-
- uint8_t tb1;
- uint8_t fwi;
- uint32_t fwt;
-
- if (ats[0] > 1) { // there is a format byte T0
- if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
- if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
- tb1 = ats[3];
- } else {
- tb1 = ats[2];
- }
- fwi = (tb1 & 0xf0) >> 4; // frame waiting indicator (FWI)
- fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
-
- iso14a_set_timeout(fwt/(8*16));
- }
- }
+uint32_t iso14a_get_timeout(void) {
+ return iso14a_timeout - (DELAY_AIR2ARM_AS_READER + DELAY_ARM2AIR_AS_READER)/(16*8) - 2;
}
-
//-----------------------------------------------------------------------------
// Generate the parity value for a byte sequence
//
EmSendPrecompiledCmd(p_response);
}
- if (!tracing) {
+ if (!get_tracing()) {
Dbprintf("Trace Full. Simulation stopped.");
break;
}
// Transmit the command (to the tag) that was placed in ToSend[].
// Parameter timing:
// if NULL: transfer at next possible time, taking into account
-// request guard time and frame delay time
+// request guard time, startup frame guard time and frame delay time
// if == 0: transfer immediately and return time of transfer
// if != 0: delay transfer until time specified
//-------------------------------------------------------------------------------------
ADC_MODE_PRESCALE(63) |
ADC_MODE_STARTUP_TIME(1) |
ADC_MODE_SAMPLE_HOLD_TIME(15);
- AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
+ AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF_LOW);
// start ADC
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
if (BUTTON_PRESS()) return 1;
// test if the field exists
- if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
+ if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF_LOW)) {
analogCnt++;
- analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
+ analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF_LOW];
AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
if (analogCnt >= 32) {
- if ((MAX_ADC_HF_VOLTAGE * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
+ if ((MAX_ADC_HF_VOLTAGE_LOW * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
vtime = GetTickCount();
if (!timer) timer = vtime;
// 50ms no field --> card to idle state
LED_A_ON();
// Log reader command in trace buffer
- if (tracing) {
- LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, true);
- }
+ LogTrace(frame, nbytes(bits), LastTimeProxToAirStart*16 + DELAY_ARM2AIR_AS_READER, (LastTimeProxToAirStart + LastProxToAirDuration)*16 + DELAY_ARM2AIR_AS_READER, par, true);
}
static int ReaderReceiveOffset(uint8_t* receivedAnswer, uint16_t offset, uint8_t *parity)
{
if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, offset)) return false;
- if (tracing) {
- LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
- }
+ LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
return Demod.len;
}
int ReaderReceive(uint8_t *receivedAnswer, uint8_t *parity)
{
if (!GetIso14443aAnswerFromTag(receivedAnswer, parity, 0)) return false;
- if (tracing) {
- LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
- }
+ LogTrace(receivedAnswer, Demod.len, Demod.startTime*16 - DELAY_AIR2ARM_AS_READER, Demod.endTime*16 - DELAY_AIR2ARM_AS_READER, parity, false);
return Demod.len;
}
+
+static void iso14a_set_ATS_times(uint8_t *ats) {
+
+ uint8_t tb1;
+ uint8_t fwi, sfgi;
+ uint32_t fwt, sfgt;
+
+ if (ats[0] > 1) { // there is a format byte T0
+ if ((ats[1] & 0x20) == 0x20) { // there is an interface byte TB(1)
+ if ((ats[1] & 0x10) == 0x10) { // there is an interface byte TA(1) preceding TB(1)
+ tb1 = ats[3];
+ } else {
+ tb1 = ats[2];
+ }
+ fwi = (tb1 & 0xf0) >> 4; // frame waiting time integer (FWI)
+ if (fwi != 15) {
+ fwt = 256 * 16 * (1 << fwi); // frame waiting time (FWT) in 1/fc
+ iso14a_set_timeout(fwt/(8*16));
+ }
+ sfgi = tb1 & 0x0f; // startup frame guard time integer (SFGI)
+ if (sfgi != 0 && sfgi != 15) {
+ sfgt = 256 * 16 * (1 << sfgi); // startup frame guard time (SFGT) in 1/fc
+ NextTransferTime = MAX(NextTransferTime, Demod.endTime + (sfgt - DELAY_AIR2ARM_AS_READER - DELAY_ARM2AIR_AS_READER)/16);
+ }
+ }
+ }
+}
+
+
+static int GetATQA(uint8_t *resp, uint8_t *resp_par) {
+
+#define WUPA_RETRY_TIMEOUT 10 // 10ms
+ uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
+
+ uint32_t save_iso14a_timeout = iso14a_get_timeout();
+ iso14a_set_timeout(1236/(16*8)+1); // response to WUPA is expected at exactly 1236/fc. No need to wait longer.
+
+ uint32_t start_time = GetTickCount();
+ int len;
+
+ // we may need several tries if we did send an unknown command or a wrong authentication before...
+ do {
+ // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
+ ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
+ // Receive the ATQA
+ len = ReaderReceive(resp, resp_par);
+ } while (len == 0 && GetTickCount() <= start_time + WUPA_RETRY_TIMEOUT);
+
+ iso14a_set_timeout(save_iso14a_timeout);
+ return len;
+}
+
+
// performs iso14443a anticollision (optional) and card select procedure
// fills the uid and cuid pointer unless NULL
// fills the card info record unless NULL
// and num_cascades must be set (1: 4 Byte UID, 2: 7 Byte UID, 3: 10 Byte UID)
// requests ATS unless no_rats is true
int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, uint32_t *cuid_ptr, bool anticollision, uint8_t num_cascades, bool no_rats) {
- uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
uint8_t sel_all[] = { 0x93,0x20 };
uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
p_hi14a_card->ats_len = 0;
}
- // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
- ReaderTransmitBitsPar(wupa, 7, NULL, NULL);
-
- // Receive the ATQA
- if(!ReaderReceive(resp, resp_par)) return 0;
+ if (!GetATQA(resp, resp_par)) {
+ return 0;
+ }
if(p_hi14a_card) {
memcpy(p_hi14a_card->atqa, resp, 2);
// reset the PCB block number
iso14_pcb_blocknum = 0;
- // set default timeout based on ATS
- iso14a_set_ATS_timeout(resp);
+ // set default timeout and delay next transfer based on ATS
+ iso14a_set_ATS_times(resp);
+
}
return 1;
}
void iso14443a_setup(uint8_t fpga_minor_mode) {
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// Set up the synchronous serial port
- FpgaSetupSsc();
+ FpgaSetupSsc(FPGA_MAJOR_MODE_HF_ISO14443A);
// connect Demodulated Signal to ADC:
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
iso14a_set_timeout(1060); // 10ms default
}
-
-int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data) {
+/* Peter Fillmore 2015
+Added card id field to the function
+ info from ISO14443A standard
+b1 = Block Number
+b2 = RFU (always 1)
+b3 = depends on block
+b4 = Card ID following if set to 1
+b5 = depends on block type
+b6 = depends on block type
+b7,b8 = block type.
+Coding of I-BLOCK:
+b8 b7 b6 b5 b4 b3 b2 b1
+0 0 0 x x x 1 x
+b5 = chaining bit
+Coding of R-block:
+b8 b7 b6 b5 b4 b3 b2 b1
+1 0 1 x x 0 1 x
+b5 = ACK/NACK
+Coding of S-block:
+b8 b7 b6 b5 b4 b3 b2 b1
+1 1 x x x 0 1 0
+b5,b6 = 00 - DESELECT
+ 11 - WTX
+*/
+int iso14_apdu(uint8_t *cmd, uint16_t cmd_len, void *data, uint8_t *res) {
uint8_t parity[MAX_PARITY_SIZE];
uint8_t real_cmd[cmd_len + 4];
- // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
- real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00)
- // put block number into the PCB
- real_cmd[0] |= iso14_pcb_blocknum;
- memcpy(real_cmd + 1, cmd, cmd_len);
+ if (cmd_len) {
+ // ISO 14443 APDU frame: PCB [CID] [NAD] APDU CRC PCB=0x02
+ real_cmd[0] = 0x02; // bnr,nad,cid,chn=0; i-block(0x00)
+ // put block number into the PCB
+ real_cmd[0] |= iso14_pcb_blocknum;
+ memcpy(real_cmd + 1, cmd, cmd_len);
+ } else {
+ // R-block. ACK
+ real_cmd[0] = 0xA2; // r-block + ACK
+ real_cmd[0] |= iso14_pcb_blocknum;
+ }
AppendCrc14443a(real_cmd, cmd_len + 1);
ReaderTransmit(real_cmd, cmd_len + 3, NULL);
if (!len) {
return 0; //DATA LINK ERROR
-
- // if we received an I- or R(ACK)-Block with a block number equal to the
- // current block number, toggle the current block number
} else{
+ // S-Block WTX
+ while(len && ((data_bytes[0] & 0xF2) == 0xF2)) {
+ uint32_t save_iso14a_timeout = iso14a_get_timeout();
+ // temporarily increase timeout
+ iso14a_set_timeout(MAX((data_bytes[1] & 0x3f) * save_iso14a_timeout, MAX_ISO14A_TIMEOUT));
+ // Transmit WTX back
+ // byte1 - WTXM [1..59]. command FWT=FWT*WTXM
+ data_bytes[1] = data_bytes[1] & 0x3f; // 2 high bits mandatory set to 0b
+ // now need to fix CRC.
+ AppendCrc14443a(data_bytes, len - 2);
+ // transmit S-Block
+ ReaderTransmit(data_bytes, len, NULL);
+ // retrieve the result again (with increased timeout)
+ len = ReaderReceive(data, parity);
+ data_bytes = data;
+ // restore timeout
+ iso14a_set_timeout(save_iso14a_timeout);
+ }
+
+ // if we received an I- or R(ACK)-Block with a block number equal to the
+ // current block number, toggle the current block number
if (len >= 3 // PCB+CRC = 3 bytes
&& ((data_bytes[0] & 0xC0) == 0 // I-Block
|| (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
{
iso14_pcb_blocknum ^= 1;
}
+
+ // if we received I-block with chaining we need to send ACK and receive another block of data
+ if (res)
+ *res = data_bytes[0];
// crc check
- if (len >=3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
+ if (len >= 3 && !CheckCrc14443(CRC_14443_A, data_bytes, len)) {
return -1;
}
}
- // cut frame byte
- len -= 1;
- // memmove(data_bytes, data_bytes + 1, len);
- for (int i = 0; i < len; i++)
- data_bytes[i] = data_bytes[i + 1];
-
+ if (len) {
+ // cut frame byte
+ len -= 1;
+ // memmove(data_bytes, data_bytes + 1, len);
+ for (int i = 0; i < len; i++)
+ data_bytes[i] = data_bytes[i + 1];
+ }
+
return len;
}
}
if(param & ISO14A_APDU && !cantSELECT) {
- arg0 = iso14_apdu(cmd, len, buf);
+ uint8_t res;
+ arg0 = iso14_apdu(cmd, len, buf, &res);
LED_B_ON();
- cmd_send(CMD_ACK, arg0, 0, 0, buf, sizeof(buf));
+ cmd_send(CMD_ACK, arg0, res, 0, buf, sizeof(buf));
LED_B_OFF();
}
uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
- if (first_try) {
- iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
- }
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
// free eventually allocated BigBuf memory. We want all for tracing.
BigBuf_free();
clear_trace();
set_tracing(true);
- byte_t nt_diff = 0;
+ uint8_t nt_diff = 0;
uint8_t par[1] = {0}; // maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
- static byte_t par_low = 0;
+ static uint8_t par_low = 0;
bool led_on = true;
uint8_t uid[10] ={0};
uint32_t cuid;
uint32_t nt = 0;
uint32_t previous_nt = 0;
static uint32_t nt_attacked = 0;
- byte_t par_list[8] = {0x00};
- byte_t ks_list[8] = {0x00};
+ uint8_t par_list[8] = {0x00};
+ uint8_t ks_list[8] = {0x00};
#define PRNG_SEQUENCE_LENGTH (1 << 16);
- static uint32_t sync_time;
+ uint32_t sync_time = GetCountSspClk() & 0xfffffff8;
static int32_t sync_cycles;
int catch_up_cycles = 0;
int last_catch_up = 0;
if (first_try) {
mf_nr_ar3 = 0;
- sync_time = GetCountSspClk() & 0xfffffff8;
+ par[0] = par_low = 0;
sync_cycles = PRNG_SEQUENCE_LENGTH; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the tag nonces).
nt_attacked = 0;
- par[0] = 0;
}
else {
// we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
#define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
#define MAX_SYNC_TRIES 32
+ #define SYNC_TIME_BUFFER 16 // if there is only SYNC_TIME_BUFFER left before next planned sync, wait for next PRNG cycle
#define NUM_DEBUG_INFOS 8 // per strategy
#define MAX_STRATEGY 3
uint16_t unexpected_random = 0;
sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
catch_up_cycles = 0;
- // if we missed the sync time already, advance to the next nonce repeat
- while(GetCountSspClk() > sync_time) {
+ // if we missed the sync time already or are about to miss it, advance to the next nonce repeat
+ while(sync_time < GetCountSspClk() + SYNC_TIME_BUFFER) {
elapsed_prng_sequences++;
sync_time = (sync_time & 0xfffffff8) + sync_cycles;
}
}
}
- byte_t buf[28];
+ uint8_t buf[32];
memcpy(buf + 0, uid, 4);
num_to_bytes(nt, 4, buf + 4);
memcpy(buf + 8, par_list, 8);
memcpy(buf + 16, ks_list, 8);
- memcpy(buf + 24, mf_nr_ar, 4);
+ memcpy(buf + 24, mf_nr_ar, 8);
- cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
+ cmd_send(CMD_ACK, isOK, 0, 0, buf, 32);
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
for(uint32_t sniffCounter = 0; true; ) {
if(BUTTON_PRESS()) {
- DbpString("cancelled by button");
+ DbpString("Canceled by button.");
break;
}
if(!TagIsActive) { // no need to try decoding tag data if the reader is sending
uint8_t readerdata = (previous_data & 0xF0) | (*data >> 4);
if(MillerDecoding(readerdata, (sniffCounter-1)*4)) {
- LED_C_INV();
+ LED_B_ON();
+ LED_C_OFF();
+
if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, true)) break;
/* And ready to receive another command. */
if(!ReaderIsActive) { // no need to try decoding tag data if the reader is sending
uint8_t tagdata = (previous_data << 4) | (*data & 0x0F);
if(ManchesterDecoding(tagdata, 0, (sniffCounter-1)*4)) {
- LED_C_INV();
+ LED_B_OFF();
+ LED_C_ON();
if (MfSniffLogic(receivedResponse, Demod.len, Demod.parity, Demod.bitCount, false)) break;
} // main cycle
- DbpString("COMMAND FINISHED");
+ DbpString("COMMAND FINISHED.");
FpgaDisableSscDma();
MfSniffEnd();
projects / proxmark3-svn / blobdiff