X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/ece38ef311b28eefb1d716937139aad9ee00985c..be09ea86035044f67e0419b067ac54ee055ad9ee:/armsrc/iso15693.c diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index 3b39d576..9c50c036 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -69,31 +69,35 @@ #define DELAY_READER_TO_ARM 8 #define DELAY_ARM_TO_READER 0 //SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when acting as reader. All values should be multiples of 16 -#define DELAY_TAG_TO_ARM 32 #define DELAY_ARM_TO_TAG 16 +#define DELAY_TAG_TO_ARM 32 +//SSP_CLK runs at 13.56MHz / 4 = 3,39MHz when snooping. All values should be multiples of 16 +#define DELAY_TAG_TO_ARM_SNOOP 32 +#define DELAY_READER_TO_ARM_SNOOP 32 static int DEBUG = 0; -// specific LogTrace function for ISO15693: the duration needs to be scaled because otherwise it won't fit into a uint16_t -bool LogTrace_ISO15693(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag) { - uint32_t duration = timestamp_end - timestamp_start; - duration /= 32; - timestamp_end = timestamp_start + duration; - return LogTrace(btBytes, iLen, timestamp_start, timestamp_end, parity, readerToTag); -} - - /////////////////////////////////////////////////////////////////////// // ISO 15693 Part 2 - Air Interface // This section basically contains transmission and receiving of bits /////////////////////////////////////////////////////////////////////// // buffers -#define ISO15693_DMA_BUFFER_SIZE 2048 // must be a power of 2 +#define ISO15693_DMA_BUFFER_SIZE 128 // must be a power of 2 #define ISO15693_MAX_RESPONSE_LENGTH 36 // allows read single block with the maximum block size of 256bits. Read multiple blocks not supported yet #define ISO15693_MAX_COMMAND_LENGTH 45 // allows write single block with the maximum block size of 256bits. Write multiple blocks not supported yet + +// specific LogTrace function for ISO15693: the duration needs to be scaled because otherwise it won't fit into a uint16_t +bool LogTrace_ISO15693(const uint8_t *btBytes, uint16_t iLen, uint32_t timestamp_start, uint32_t timestamp_end, uint8_t *parity, bool readerToTag) { + uint32_t duration = timestamp_end - timestamp_start; + duration /= 32; + timestamp_end = timestamp_start + duration; + return LogTrace(btBytes, iLen, timestamp_start, timestamp_end, parity, readerToTag); +} + + // --------------------------- // Signal Processing // --------------------------- @@ -256,11 +260,10 @@ void TransmitTo15693Tag(const uint8_t *cmd, int len, uint32_t *start_time) { *start_time = (*start_time - DELAY_ARM_TO_TAG) & 0xfffffff0; - while (GetCountSspClk() > *start_time) { // we may miss the intended time - *start_time += 16; // next possible time + if (GetCountSspClk() > *start_time) { // we may miss the intended time + *start_time = (GetCountSspClk() + 16) & 0xfffffff0; // next possible time } - while (GetCountSspClk() < *start_time) /* wait */ ; @@ -338,6 +341,11 @@ void TransmitTo15693Reader(const uint8_t *cmd, size_t len, uint32_t *start_time, } +static void jam(void) { + // send a short burst to jam the reader signal +} + + //============================================================================= // An ISO 15693 decoder for tag responses (one subcarrier only). // Uses cross correlation to identify each bit and EOF. @@ -384,14 +392,13 @@ typedef struct DecodeTag { } DecodeTag_t; -static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *DecodeTag) -{ - switch(DecodeTag->state) { +static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint16_t amplitude, DecodeTag_t *restrict DecodeTag) { + switch (DecodeTag->state) { case STATE_TAG_SOF_LOW: // waiting for a rising edge if (amplitude > NOISE_THRESHOLD + DecodeTag->previous_amplitude) { if (DecodeTag->posCount > 10) { - DecodeTag->threshold_sof = amplitude - DecodeTag->previous_amplitude; + DecodeTag->threshold_sof = amplitude - DecodeTag->previous_amplitude; // to be divided by 2 DecodeTag->threshold_half = 0; DecodeTag->state = STATE_TAG_SOF_RISING_EDGE; } else { @@ -404,8 +411,8 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1 break; case STATE_TAG_SOF_RISING_EDGE: - if (amplitude - DecodeTag->previous_amplitude > DecodeTag->threshold_sof) { // edge still rising - if (amplitude - DecodeTag->threshold_sof > DecodeTag->threshold_sof) { // steeper edge, take this as time reference + if (amplitude > DecodeTag->threshold_sof + DecodeTag->previous_amplitude) { // edge still rising + if (amplitude > DecodeTag->threshold_sof + DecodeTag->threshold_sof) { // steeper edge, take this as time reference DecodeTag->posCount = 1; } else { DecodeTag->posCount = 2; @@ -448,12 +455,12 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1 DecodeTag->sum2 = 0; DecodeTag->posCount = 2; DecodeTag->state = STATE_TAG_RECEIVING_DATA; - FpgaDisableTracing(); // DEBUGGING - Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d", - amplitude, - DecodeTag->threshold_sof, - DecodeTag->threshold_half/4, - DecodeTag->previous_amplitude); // DEBUGGING + // FpgaDisableTracing(); // DEBUGGING + // Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d", + // amplitude, + // DecodeTag->threshold_sof, + // DecodeTag->threshold_half/4, + // DecodeTag->previous_amplitude); // DEBUGGING LED_C_ON(); } else { DecodeTag->posCount++; @@ -467,6 +474,12 @@ static int inline __attribute__((always_inline)) Handle15693SamplesFromTag(uint1 break; case STATE_TAG_RECEIVING_DATA: + // FpgaDisableTracing(); // DEBUGGING + // Dbprintf("amplitude = %d, threshold_sof = %d, threshold_half/4 = %d, previous_amplitude = %d", + // amplitude, + // DecodeTag->threshold_sof, + // DecodeTag->threshold_half/4, + // DecodeTag->previous_amplitude); // DEBUGGING if (DecodeTag->posCount == 1) { DecodeTag->sum1 = 0; DecodeTag->sum2 = 0; @@ -659,7 +672,7 @@ int GetIso15693AnswerFromTag(uint8_t* response, uint16_t max_len, uint16_t timeo if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. upTo = dmaBuf; // start reading the circular buffer from the beginning - if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) { + if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) { Dbprintf("About to blow circular buffer - aborted! behindBy=%d", behindBy); ret = -1; break; @@ -745,11 +758,12 @@ typedef struct DecodeReader { int posCount; int sum1, sum2; uint8_t *output; + uint8_t jam_search_len; + uint8_t *jam_search_string; } DecodeReader_t; -static void DecodeReaderInit(DecodeReader_t* DecodeReader, uint8_t *data, uint16_t max_len) -{ +static void DecodeReaderInit(DecodeReader_t* DecodeReader, uint8_t *data, uint16_t max_len, uint8_t jam_search_len, uint8_t *jam_search_string) { DecodeReader->output = data; DecodeReader->byteCountMax = max_len; DecodeReader->state = STATE_READER_UNSYNCD; @@ -757,17 +771,17 @@ static void DecodeReaderInit(DecodeReader_t* DecodeReader, uint8_t *data, uint16 DecodeReader->bitCount = 0; DecodeReader->posCount = 1; DecodeReader->shiftReg = 0; + DecodeReader->jam_search_len = jam_search_len; + DecodeReader->jam_search_string = jam_search_string; } -static void DecodeReaderReset(DecodeReader_t* DecodeReader) -{ +static void DecodeReaderReset(DecodeReader_t* DecodeReader) { DecodeReader->state = STATE_READER_UNSYNCD; } -static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uint8_t bit, DecodeReader_t *restrict DecodeReader) -{ +static int inline __attribute__((always_inline)) Handle15693SampleFromReader(bool bit, DecodeReader_t *restrict DecodeReader) { switch (DecodeReader->state) { case STATE_READER_UNSYNCD: // wait for unmodulated carrier @@ -882,16 +896,15 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin break; case STATE_READER_RECEIVE_DATA_1_OUT_OF_4: - bit = !!bit; DecodeReader->posCount++; if (DecodeReader->posCount == 1) { - DecodeReader->sum1 = bit; + DecodeReader->sum1 = bit?1:0; } else if (DecodeReader->posCount <= 4) { - DecodeReader->sum1 += bit; + if (bit) DecodeReader->sum1++; } else if (DecodeReader->posCount == 5) { - DecodeReader->sum2 = bit; + DecodeReader->sum2 = bit?1:0; } else { - DecodeReader->sum2 += bit; + if (bit) DecodeReader->sum2++; } if (DecodeReader->posCount == 8) { DecodeReader->posCount = 0; @@ -901,13 +914,18 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin if (DecodeReader->byteCount != 0) { return true; } - } - if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected a 2bit position + } else if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected a 2bit position DecodeReader->shiftReg >>= 2; DecodeReader->shiftReg |= (DecodeReader->bitCount << 6); } if (DecodeReader->bitCount == 15) { // we have a full byte DecodeReader->output[DecodeReader->byteCount++] = DecodeReader->shiftReg; + if (DecodeReader->byteCount == DecodeReader->jam_search_len) { + if (!memcmp(DecodeReader->output, DecodeReader->jam_search_string, DecodeReader->jam_search_len)) { + jam(); // send a jamming signal + Dbprintf("JAMMING!"); + } + } if (DecodeReader->byteCount > DecodeReader->byteCountMax) { // buffer overflow, give up LED_B_OFF(); @@ -922,16 +940,15 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin break; case STATE_READER_RECEIVE_DATA_1_OUT_OF_256: - bit = !!bit; DecodeReader->posCount++; if (DecodeReader->posCount == 1) { - DecodeReader->sum1 = bit; + DecodeReader->sum1 = bit?1:0; } else if (DecodeReader->posCount <= 4) { - DecodeReader->sum1 += bit; + if (bit) DecodeReader->sum1++; } else if (DecodeReader->posCount == 5) { - DecodeReader->sum2 = bit; - } else { - DecodeReader->sum2 += bit; + DecodeReader->sum2 = bit?1:0; + } else if (bit) { + DecodeReader->sum2++; } if (DecodeReader->posCount == 8) { DecodeReader->posCount = 0; @@ -941,8 +958,7 @@ static int inline __attribute__((always_inline)) Handle15693SampleFromReader(uin if (DecodeReader->byteCount != 0) { return true; } - } - if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected the bit position + } else if (DecodeReader->sum1 >= 3 && DecodeReader->sum2 <= 1) { // detected the bit position DecodeReader->shiftReg = DecodeReader->bitCount; } if (DecodeReader->bitCount == 255) { // we have a full byte @@ -986,7 +1002,7 @@ int GetIso15693CommandFromReader(uint8_t *received, size_t max_len, uint32_t *eo // the decoder data structure DecodeReader_t DecodeReader = {0}; - DecodeReaderInit(&DecodeReader, received, max_len); + DecodeReaderInit(&DecodeReader, received, max_len, 0, NULL); // wait for last transfer to complete while (!(AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXEMPTY)); @@ -1127,19 +1143,17 @@ void AcquireRawAdcSamplesIso15693(void) } -void SnoopIso15693(void) -{ +void SnoopIso15693(uint8_t jam_search_len, uint8_t *jam_search_string) { + LED_A_ON(); - + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - BigBuf_free(); clear_trace(); set_tracing(true); // The DMA buffer, used to stream samples from the FPGA - uint16_t* dmaBuf = (uint16_t*)BigBuf_malloc(ISO15693_DMA_BUFFER_SIZE*sizeof(uint16_t)); - uint16_t *upTo; + uint16_t dmaBuf[ISO15693_DMA_BUFFER_SIZE]; // Count of samples received so far, so that we can include timing // information in the trace buffer. @@ -1149,9 +1163,9 @@ void SnoopIso15693(void) uint8_t response[ISO15693_MAX_RESPONSE_LENGTH]; DecodeTagInit(&DecodeTag, response, sizeof(response)); - DecodeReader_t DecodeReader = {0};; + DecodeReader_t DecodeReader = {0}; uint8_t cmd[ISO15693_MAX_COMMAND_LENGTH]; - DecodeReaderInit(&DecodeReader, cmd, sizeof(cmd)); + DecodeReaderInit(&DecodeReader, cmd, sizeof(cmd), jam_search_len, jam_search_string); // Print some debug information about the buffer sizes if (DEBUG) { @@ -1164,28 +1178,41 @@ void SnoopIso15693(void) Dbprintf("Snoop started. Press PM3 Button to stop."); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER | FPGA_HF_READER_MODE_SNOOP_AMPLITUDE); + LED_D_OFF(); SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - - // Setup for the DMA. FpgaSetupSsc(FPGA_MAJOR_MODE_HF_READER); - upTo = dmaBuf; + StartCountSspClk(); FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); bool TagIsActive = false; bool ReaderIsActive = false; bool ExpectTagAnswer = false; + uint32_t dma_start_time = 0; + uint16_t *upTo = dmaBuf; + uint16_t max_behindBy = 0; + // And now we loop, receiving samples. for(;;) { uint16_t behindBy = ((uint16_t*)AT91C_BASE_PDC_SSC->PDC_RPR - upTo) & (ISO15693_DMA_BUFFER_SIZE-1); - + if (behindBy > max_behindBy) { + max_behindBy = behindBy; + } + if (behindBy == 0) continue; + samples++; + if (samples == 1) { + // DMA has transferred the very first data + dma_start_time = GetCountSspClk() & 0xfffffff0; + } + uint16_t snoopdata = *upTo++; - if(upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. + if (upTo >= dmaBuf + ISO15693_DMA_BUFFER_SIZE) { // we have read all of the DMA buffer content. upTo = dmaBuf; // start reading the circular buffer from the beginning - if(behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) { + if (behindBy > (9*ISO15693_DMA_BUFFER_SIZE/10)) { + FpgaDisableTracing(); Dbprintf("About to blow circular buffer - aborted! behindBy=%d, samples=%d", behindBy, samples); break; } @@ -1193,71 +1220,103 @@ void SnoopIso15693(void) AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; // refresh the DMA Next Buffer and AT91C_BASE_PDC_SSC->PDC_RNCR = ISO15693_DMA_BUFFER_SIZE; // DMA Next Counter registers WDT_HIT(); - if(BUTTON_PRESS()) { + if (BUTTON_PRESS()) { DbpString("Snoop stopped."); break; } } } - samples++; - if (!TagIsActive) { // no need to try decoding reader data if the tag is sending + if (!TagIsActive) { // no need to try decoding reader data if the tag is sending if (Handle15693SampleFromReader(snoopdata & 0x02, &DecodeReader)) { - FpgaDisableSscDma(); - ExpectTagAnswer = true; - LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, samples*64, samples*64, NULL, true); + // FpgaDisableSscDma(); + uint32_t eof_time = dma_start_time + samples*16 + 8 - DELAY_READER_TO_ARM_SNOOP; // end of EOF + if (DecodeReader.byteCount > 0) { + uint32_t sof_time = eof_time + - DecodeReader.byteCount * (DecodeReader.Coding==CODING_1_OUT_OF_4?128*16:2048*16) // time for byte transfers + - 32*16 // time for SOF transfer + - 16*16; // time for EOF transfer + LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, sof_time*4, eof_time*4, NULL, true); + } /* And ready to receive another command. */ DecodeReaderReset(&DecodeReader); /* And also reset the demod code, which might have been */ /* false-triggered by the commands from the reader. */ DecodeTagReset(&DecodeTag); - upTo = dmaBuf; - FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); - } - if (Handle15693SampleFromReader(snoopdata & 0x01, &DecodeReader)) { - FpgaDisableSscDma(); + ReaderIsActive = false; ExpectTagAnswer = true; - LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, samples*64, samples*64, NULL, true); + // upTo = dmaBuf; + // samples = 0; + // FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); + // continue; + } else if (Handle15693SampleFromReader(snoopdata & 0x01, &DecodeReader)) { + // FpgaDisableSscDma(); + uint32_t eof_time = dma_start_time + samples*16 + 16 - DELAY_READER_TO_ARM_SNOOP; // end of EOF + if (DecodeReader.byteCount > 0) { + uint32_t sof_time = eof_time + - DecodeReader.byteCount * (DecodeReader.Coding==CODING_1_OUT_OF_4?128*16:2048*16) // time for byte transfers + - 32*16 // time for SOF transfer + - 16*16; // time for EOF transfer + LogTrace_ISO15693(DecodeReader.output, DecodeReader.byteCount, sof_time*4, eof_time*4, NULL, true); + } /* And ready to receive another command. */ DecodeReaderReset(&DecodeReader); /* And also reset the demod code, which might have been */ /* false-triggered by the commands from the reader. */ DecodeTagReset(&DecodeTag); - upTo = dmaBuf; - FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); + ReaderIsActive = false; + ExpectTagAnswer = true; + // upTo = dmaBuf; + // samples = 0; + // FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); + // continue; + } else { + ReaderIsActive = (DecodeReader.state >= STATE_READER_RECEIVE_DATA_1_OUT_OF_4); } - ReaderIsActive = (DecodeReader.state >= STATE_READER_AWAIT_2ND_RISING_EDGE_OF_SOF); } if (!ReaderIsActive && ExpectTagAnswer) { // no need to try decoding tag data if the reader is currently sending or no answer expected yet if (Handle15693SamplesFromTag(snoopdata >> 2, &DecodeTag)) { - FpgaDisableSscDma(); - //Use samples as a time measurement - LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, samples*64, samples*64, NULL, false); + // FpgaDisableSscDma(); + uint32_t eof_time = dma_start_time + samples*16 - DELAY_TAG_TO_ARM_SNOOP; // end of EOF + if (DecodeTag.lastBit == SOF_PART2) { + eof_time -= 8*16; // needed 8 additional samples to confirm single SOF (iCLASS) + } + uint32_t sof_time = eof_time + - DecodeTag.len * 8 * 8 * 16 // time for byte transfers + - 32 * 16 // time for SOF transfer + - (DecodeTag.lastBit != SOF_PART2?32*16:0); // time for EOF transfer + LogTrace_ISO15693(DecodeTag.output, DecodeTag.len, sof_time*4, eof_time*4, NULL, false); // And ready to receive another response. DecodeTagReset(&DecodeTag); DecodeReaderReset(&DecodeReader); ExpectTagAnswer = false; - upTo = dmaBuf; - FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); + TagIsActive = false; + // upTo = dmaBuf; + // samples = 0; + // FpgaSetupSscDma((uint8_t*) dmaBuf, ISO15693_DMA_BUFFER_SIZE); + // continue; + } else { + TagIsActive = (DecodeTag.state >= STATE_TAG_RECEIVING_DATA); } - TagIsActive = (DecodeTag.state >= STATE_TAG_RECEIVING_DATA); } } FpgaDisableSscDma(); - BigBuf_free(); LEDsoff(); DbpString("Snoop statistics:"); - Dbprintf(" ExpectTagAnswer: %d", ExpectTagAnswer); + Dbprintf(" ExpectTagAnswer: %d, TagIsActive: %d, ReaderIsActive: %d", ExpectTagAnswer, TagIsActive, ReaderIsActive); Dbprintf(" DecodeTag State: %d", DecodeTag.state); Dbprintf(" DecodeTag byteCnt: %d", DecodeTag.len); + Dbprintf(" DecodeTag posCount: %d", DecodeTag.posCount); Dbprintf(" DecodeReader State: %d", DecodeReader.state); Dbprintf(" DecodeReader byteCnt: %d", DecodeReader.byteCount); + Dbprintf(" DecodeReader posCount: %d", DecodeReader.posCount); Dbprintf(" Trace length: %d", BigBuf_get_traceLen()); + Dbprintf(" Max behindBy: %d", max_behindBy); } @@ -1692,44 +1751,26 @@ void SetTag15693Uid(uint8_t *uid) { LED_A_ON(); - uint8_t cmd[4][9] = {0x00}; + uint8_t cmd[4][9] = { + {0x02, 0x21, 0x3e, 0x00, 0x00, 0x00, 0x00}, + {0x02, 0x21, 0x3f, 0x69, 0x96, 0x00, 0x00}, + {0x02, 0x21, 0x38}, + {0x02, 0x21, 0x39} + }; + uint16_t crc; int recvlen = 0; uint8_t recvbuf[ISO15693_MAX_RESPONSE_LENGTH]; uint32_t eof_time; - // Command 1 : 02213E00000000 - cmd[0][0] = 0x02; - cmd[0][1] = 0x21; - cmd[0][2] = 0x3e; - cmd[0][3] = 0x00; - cmd[0][4] = 0x00; - cmd[0][5] = 0x00; - cmd[0][6] = 0x00; - - // Command 2 : 02213F69960000 - cmd[1][0] = 0x02; - cmd[1][1] = 0x21; - cmd[1][2] = 0x3f; - cmd[1][3] = 0x69; - cmd[1][4] = 0x96; - cmd[1][5] = 0x00; - cmd[1][6] = 0x00; - // Command 3 : 022138u8u7u6u5 (where uX = uid byte X) - cmd[2][0] = 0x02; - cmd[2][1] = 0x21; - cmd[2][2] = 0x38; cmd[2][3] = uid[7]; cmd[2][4] = uid[6]; cmd[2][5] = uid[5]; cmd[2][6] = uid[4]; // Command 4 : 022139u4u3u2u1 (where uX = uid byte X) - cmd[3][0] = 0x02; - cmd[3][1] = 0x21; - cmd[3][2] = 0x39; cmd[3][3] = uid[3]; cmd[3][4] = uid[2]; cmd[3][5] = uid[1];