Merge branch 'master' into topaz
authorpwpiwi <pwpiwi@users.noreply.github.com>
Wed, 1 Jul 2015 06:17:00 +0000 (08:17 +0200)
committerpwpiwi <pwpiwi@users.noreply.github.com>
Wed, 1 Jul 2015 06:17:00 +0000 (08:17 +0200)
Conflicts:
client/Makefile
client/cmdhf.c
client/cmdhf14a.c

120 files changed:
.gitignore
CHANGELOG.md
COMPILING.txt
Makefile
README.txt
armsrc/BigBuf.c
armsrc/Makefile
armsrc/aes.c
armsrc/appmain.c
armsrc/apps.h
armsrc/des.c
armsrc/des.h
armsrc/epa.c
armsrc/epa.h
armsrc/fpgaloader.c
armsrc/fpgaloader.h [new file with mode: 0644]
armsrc/hitag2.c
armsrc/iclass.c
armsrc/iso14443.c [deleted file]
armsrc/iso14443a.c
armsrc/iso14443b.c [new file with mode: 0644]
armsrc/iso15693.c
armsrc/ldscript
armsrc/lfops.c
armsrc/mifarecmd.c
armsrc/mifareutil.c
armsrc/mifareutil.h
armsrc/optimized_cipher.c
armsrc/start.c
armsrc/util.c
client/Makefile
client/cmddata.c
client/cmddata.h
client/cmdhf.c
client/cmdhf14a.c
client/cmdhf14b.c
client/cmdhf14b.h
client/cmdhf15.c
client/cmdhf15.h
client/cmdhfepa.c
client/cmdhficlass.c
client/cmdhficlass.h
client/cmdhfmf.c
client/cmdhfmfu.c
client/cmdhfmfu.h
client/cmdhw.c
client/cmdlf.c
client/cmdlf.h
client/cmdlfem4x.c
client/cmdlfem4x.h
client/cmdlfhid.c
client/cmdlfhid.h
client/cmdlfio.c
client/cmdlft55xx.c
client/cmdlft55xx.h
client/cmdscript.c
client/default_keys.dic
client/fpga_compress.c [new file with mode: 0644]
client/graph.c
client/graph.h
client/hid-flasher/usb_cmd.h
client/lualibs/commands.lua
client/lualibs/default_toys.lua
client/lualibs/html_dumplib.lua
client/lualibs/md5.lua [new file with mode: 0644]
client/lualibs/mf_default_keys.lua
client/lualibs/precalc.lua [new file with mode: 0644]
client/lualibs/read14a.lua
client/lualibs/utils.lua
client/mifarehost.c
client/proxmark3.c
client/scripting.c
client/scripts/didump.lua [new file with mode: 0644]
client/scripts/dumptoemul.lua
client/scripts/formatMifare.lua
client/scripts/ndef_dump.lua
client/scripts/test_t55x7_ask.lua
client/scripts/test_t55x7_bi.lua
client/scripts/test_t55x7_fsk.lua
client/scripts/test_t55x7_psk.lua
client/scripts/tnp3clone.lua [new file with mode: 0644]
client/scripts/tnp3dump.lua
client/scripts/tnp3sim.lua
client/util.c
client/util.h
common/Makefile.common
common/crc16.c
common/crc16.h
common/crc64.c [new file with mode: 0644]
common/crc64.h [new file with mode: 0644]
common/lfdemod.c
common/lfdemod.h
common/protocols.c
common/protocols.h
common/sha1.c [new file with mode: 0644]
common/sha1.h [new file with mode: 0644]
fpga/fpga_hf.bit
fpga/fpga_hf.v
fpga/hi_read_rx_xcorr.v
include/proxmark3.h
include/usb_cmd.h
zlib/ChangeLog [new file with mode: 0644]
zlib/FAQ [new file with mode: 0644]
zlib/README [new file with mode: 0644]
zlib/adler32.c [new file with mode: 0644]
zlib/deflate.c [new file with mode: 0644]
zlib/deflate.h [new file with mode: 0644]
zlib/inffast.c [new file with mode: 0644]
zlib/inffast.h [new file with mode: 0644]
zlib/inffixed.h [new file with mode: 0644]
zlib/inflate.c [new file with mode: 0644]
zlib/inflate.h [new file with mode: 0644]
zlib/inftrees.c [new file with mode: 0644]
zlib/inftrees.h [new file with mode: 0644]
zlib/trees.c [new file with mode: 0644]
zlib/trees.h [new file with mode: 0644]
zlib/zconf.h [new file with mode: 0644]
zlib/zlib.h [new file with mode: 0644]
zlib/zutil.c [new file with mode: 0644]
zlib/zutil.h [new file with mode: 0644]

index 07669e14a240ae9125fef7ea6cc66387cae3211b..880c092f175fb82959cf11fba62da1985c758a07 100644 (file)
@@ -12,6 +12,7 @@
 *.bin
 *.dll
 *.moc.cpp
+*.z
 *.exe
 proxmark
 proxmark3
index 5f3f84efe0886d40a659df9a6351649041e1c5ff..3f9546d9856277428b89f0caa355f205e9ac1093 100644 (file)
@@ -3,13 +3,38 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 
 ## [Unreleased][unreleased]
+
+### Changed
+- Changed `hf 14b write` to `hf 14b sriwrite` as it only applied to sri tags (marshmellow)
+- Added `hf 14b info` to `hf search` (marshmellow)
+
+### Added
+- Add `hf 14b info` to find and print info about std 14b tags and sri tags (using 14b raw commands in the client)  (marshmellow)
+- Add PACE replay functionality (frederikmoellers)
+
+### Fixed 
+- t55xx write timing (marshmellow)
+
+
+## [2.1.0][2015-06-23]
+
 ### Changed
+- Added ultralight/ntag tag type detection to `hf 14a read` (marshmellow)
+- Improved ultralight dump command to auto detect tag type, take authentication, and dump full memory (or subset specified) of known tag types (iceman1001 / marshmellow)
+- Combined ultralight read/write commands and added authentication (iceman1001)
+- Improved LF manchester and biphase demodulation and ask clock detection especially for reads with heavy clipping. (marshmellow)
 - Iclass read, `hf iclass read` now also reads tag config and prints configuration. (holiman)
+- *bootrom* needs to be flashed, due to new address boundaries between os and fpga, after a size optimization (piwi)
 
 ### Fixed
-- Fixed issue #19, problems with LF T55xx commands (marshmellow)
+- Fixed EM4x50 read/demod of the tags broadcasted memory blocks. 'lf em4x em4x50read' (not page read) (marshmellow)
+- Fixed issue #19, problems with LF T55xx commands (iceman1001, marshmellow)
+- Fixed various problems with iso14443b, issue #103 (piwi, marshmellow)
 
 ### Added
+- Added `hf search` - currently tests for 14443a tags, iclass tags, and 15693 tags (marshmellow) 
+- Added `hf mfu info` Ultralight/NTAG info command - reads tag configuration and info, allows authentication if needed (iceman1001, marshmellow)
+- Added Mifare Ultralight C and Ultralight EV1/NTAG authentication. (iceman1001)
 - Added changelog
 
 ## [2.0.0] - 2015-03-25
index c894f0ff04f14f6d9aa7d61e2502140ce50225b6..1cc34a0fc008309d1376b1755ceeb09e19c9ae3a 100644 (file)
@@ -81,7 +81,31 @@ Download the ProxSpace environment archive and extract it to C:\
 = Mac OS X =
 ============
 
-macport stuff should do ;)
+Tested on OSX 10.10 Yosemite
+
+1 - Install Xcode and Xcode Command Line Tools
+
+2 - Install Homebrew and dependencies
+    brew install readline
+    brew instal libusb
+
+3 - Download DevKitARM for OSX
+    http://sourceforge.net/projects/devkitpro/files/devkitARM/devkitARM_r44/
+    Unpack devkitARM_r44-osx.tar.bz2 to proxmark3 directory.
+
+4 - Edit proxmark3/client/Makefile adding path to readline
+
+    LDLIBS = -L/usr/local/Cellar/readline/6.3.8/lib/ -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm
+    CFLAGS = -std=c99 -I/usr/local/Cellar/readline/6.3.8/include/ -I. -I../include -I../common -I/opt/local/include -I../liblua  -Wall $(COMMON_FLAGS) -g -O4
+
+    Replace path /usr/local/Cellar/readline/6.3.8 with your actuall readline path. See homebrew manuals.
+
+5 - Set Environment
+
+    export DEVKITPRO=$HOME/proxmark3/
+    export DEVKITARM=$DEVKITPRO/devkitARM
+    export PATH=${PATH}:${DEVKITARM}/bin
+
 
 ============
 =   Linux  =
index b558da2d74a5dfcdbadd47d3bb37a89ae3eb7b47..0e065b41dc9ee86c6245d421163f66990c0a75e5 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,8 @@
 include common/Makefile.common
 
-GZIP=gzip
 FLASH_PORT=/dev/ttyACM0
 
-all clean: %: bootrom/% armsrc/% client/% recovery/%
+all clean: %: client/% bootrom/% armsrc/% recovery/%
 
 bootrom/%: FORCE
        $(MAKE) -C bootrom $(patsubst bootrom/%,%,$@)
@@ -15,8 +14,8 @@ recovery/%: FORCE
        $(MAKE) -C recovery $(patsubst recovery/%,%,$@)
 FORCE: # Dummy target to force remake in the subdirectories, even if files exist (this Makefile doesn't know about the prerequisites)
 
+.PHONY: all clean help _test flash-bootrom flash-os flash-all FORCE
 
-.PHONY: all clean help _test flash-bootrom flash-os flash-fpga flash-both flash-all FORCE
 help:
        @echo Multi-OS Makefile, you are running on $(DETECTED_OS)
        @echo Possible targets:
@@ -24,9 +23,7 @@ help:
        @echo + client        - Make only the OS-specific host directory
        @echo + flash-bootrom - Make bootrom and flash it
        @echo + flash-os      - Make armsrc and flash os (includes fpga)
-       @echo + flash-fpga    - (Deprecated:) Make armsrc and flash fpga
-       @echo + flash-both    - Make armsrc and flash os and fpga image
-       @echo + flash-all     - Make bootrom and armsrc and flash bootrom, os and fpga image
+       @echo + flash-all     - Make bootrom and armsrc and flash bootrom and os image
        @echo + clean         - Clean in bootrom, armsrc and the OS-specific host directory
 
 client: client/all
@@ -34,16 +31,10 @@ client: client/all
 flash-bootrom: bootrom/obj/bootrom.elf $(FLASH_TOOL)
        $(FLASH_TOOL) $(FLASH_PORT) -b $(subst /,$(PATHSEP),$<)
 
-flash-os: armsrc/obj/osimage.elf $(FLASH_TOOL)
+flash-os: armsrc/obj/fullimage.elf $(FLASH_TOOL)
        $(FLASH_TOOL) $(FLASH_PORT) $(subst /,$(PATHSEP),$<)
 
-#flash-fpga: armsrc/obj/fpgaimage.elf $(FLASH_TOOL)
-#      $(FLASH_TOOL) $(FLASH_PORT) $(subst /,$(PATHSEP),$<)
-
-flash-both: armsrc/obj/osimage.elf $(FLASH_TOOL)
-       $(FLASH_TOOL) $(FLASH_PORT) $(subst /,$(PATHSEP),$(filter-out $(FLASH_TOOL),$^))
-
-flash-all: bootrom/obj/bootrom.elf armsrc/obj/osimage.elf $(FLASH_TOOL)
+flash-all: bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf $(FLASH_TOOL)
        $(FLASH_TOOL) $(FLASH_PORT) -b $(subst /,$(PATHSEP),$(filter-out $(FLASH_TOOL),$^))
 
 newtarbin:
index cb2c7f3c783a137b43f99c7d14010d611bfa49ee..1a4ddb6d0e693b3192f7270a5b8326d75b4fd86a 100644 (file)
@@ -40,7 +40,7 @@ your operating system. Please refer to the Wiki for details.
 
 OBTAINING HARDWARE:
 
-The Proxmark 3 is available for purcahse (assembled and tested) from the
+The Proxmark 3 is available for purchase (assembled and tested) from the
 following locations:
 
    * http://proxmark3.com/
index 51fafdebc22b3b872a8a6b1cba3a9f34bfc2567e..a22c0cb0e499692054b66413c1af5214b290f063 100644 (file)
@@ -96,9 +96,6 @@ uint16_t BigBuf_max_traceLen(void)
 }
 
 void clear_trace() {
-       uint8_t *trace = BigBuf_get_addr();
-       uint16_t max_traceLen = BigBuf_max_traceLen();
-       memset(trace, 0x44, max_traceLen);
        traceLen = 0;
 }
 
index 899b03075af35d1d51a0d61f318d1028959ae09f..1214c949f3755c54833b8969753f8914042367c8 100644 (file)
@@ -10,21 +10,38 @@ APP_INCLUDES = apps.h
 
 #remove one of the following defines and comment out the relevant line
 #in the next section to remove that particular feature from compilation  
-APP_CFLAGS     = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE -fno-strict-aliasing -ffunction-sections -fdata-sections
+APP_CFLAGS     = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG  -DWITH_CRC -DON_DEVICE \
+                               -fno-strict-aliasing -ffunction-sections -fdata-sections
 #-DWITH_LCD 
 
 #SRC_LCD = fonts.c LCD.c
 SRC_LF = lfops.c hitag2.c lfsampling.c
 SRC_ISO15693 = iso15693.c iso15693tools.c
 SRC_ISO14443a = epa.c iso14443a.c mifareutil.c mifarecmd.c mifaresniff.c
-SRC_ISO14443b = iso14443.c
+SRC_ISO14443b = iso14443b.c
 SRC_CRAPTO1 = crapto1.c crypto1.c des.c aes.c 
-SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c 
+SRC_CRC = iso14443crc.c crc.c crc16.c crc32.c
 
+#the FPGA bitstream files. Note: order matters!
+FPGA_BITSTREAMS = fpga_lf.bit fpga_hf.bit
+
+#the zlib source files required for decompressing the fpga config at run time
+SRC_ZLIB = inflate.c inffast.c inftrees.c adler32.c zutil.c
+#additional defines required to compile zlib
+ZLIB_CFLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED
+APP_CFLAGS += $(ZLIB_CFLAGS)
+# zlib includes:
+APP_CFLAGS += -I../zlib
+
+# stdint.h provided locally until GCC 4.5 becomes C99 compliant
+APP_CFLAGS += -I.
+
+# Compile these in thumb mode (small size)
 THUMBSRC = start.c \
        $(SRC_LCD) \
        $(SRC_ISO15693) \
        $(SRC_LF) \
+       $(SRC_ZLIB) \
        appmain.c \
        printf.c \
        util.c \
@@ -45,50 +62,63 @@ ARMSRC = fpgaloader.c \
        BigBuf.c \
        optimized_cipher.c
 
-# stdint.h provided locally until GCC 4.5 becomes C99 compliant
-APP_CFLAGS += -I.
-
 # Do not move this inclusion before the definition of {THUMB,ASM,ARM}SRC
 include ../common/Makefile.common
 
-OBJS = $(OBJDIR)/osimage.s19 
-#$(OBJDIR)/fpgaimage.s19
+OBJS = $(OBJDIR)/fullimage.s19 
+FPGA_COMPRESSOR = ../client/fpga_compress
 
 all: $(OBJS)
 
-$(OBJDIR)/fpga_lf.o: fpga_lf.bit
-       $(OBJCOPY) -O elf32-littlearm -I binary -B arm --redefine-sym _binary____fpga_fpga_lf_bit_start=_binary_fpga_lf_bit_start --redefine-sym _binary____fpga_fpga_lf_bit_end=_binary_fpga_lf_bit_end --prefix-sections=fpga_lf_bit  $^ $@
+.DELETE_ON_ERROR:
+
+$(OBJDIR)/fpga_all.o: $(OBJDIR)/fpga_all.bit.z
+       $(OBJCOPY) -O elf32-littlearm -I binary -B arm --prefix-sections=fpga_all_bit $^ $@
 
-$(OBJDIR)/fpga_hf.o: fpga_hf.bit
-       $(OBJCOPY) -O elf32-littlearm -I binary -B arm --redefine-sym _binary____fpga_fpga_hf_bit_start=_binary_fpga_hf_bit_start --redefine-sym _binary____fpga_fpga_hf_bit_end=_binary_fpga_hf_bit_end --prefix-sections=fpga_hf_bit  $^ $@
+$(OBJDIR)/fpga_all.bit.z: $(FPGA_BITSTREAMS) $(FPGA_COMPRESSOR)
+       $(FPGA_COMPRESSOR) $(filter %.bit,$^) $@
 
-$(OBJDIR)/fullimage.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_lf.o $(OBJDIR)/fpga_hf.o $(THUMBOBJ) $(ARMOBJ)
+$(FPGA_COMPRESSOR):
+               make -C ../client $(notdir $(FPGA_COMPRESSOR))
+               
+$(OBJDIR)/fullimage.stage1.elf: $(VERSIONOBJ) $(OBJDIR)/fpga_all.o $(THUMBOBJ) $(ARMOBJ)
        $(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^ $(LIBS)
 
-#$(OBJDIR)/fpgaimage.elf: $(OBJDIR)/fullimage.elf
-#      $(OBJCOPY) -F elf32-littlearm --only-section .fpgaimage $^ $@  
+$(OBJDIR)/fullimage.nodata.bin: $(OBJDIR)/fullimage.stage1.elf
+       $(OBJCOPY) -O binary -I elf32-littlearm --remove-section .data $^ $@
+       
+$(OBJDIR)/fullimage.nodata.o: $(OBJDIR)/fullimage.nodata.bin
+       $(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=stage1_image $^ $@
 
-$(OBJDIR)/osimage.elf: $(OBJDIR)/fullimage.elf
-       $(OBJCOPY) -F elf32-littlearm $^ $@
+$(OBJDIR)/fullimage.data.bin: $(OBJDIR)/fullimage.stage1.elf
+       $(OBJCOPY) -O binary -I elf32-littlearm --only-section .data $^ $@
 
+$(OBJDIR)/fullimage.data.bin.z: $(OBJDIR)/fullimage.data.bin $(FPGA_COMPRESSOR)
+       $(FPGA_COMPRESSOR) $(filter %.bin,$^) $@  
+       
+$(OBJDIR)/fullimage.data.o: $(OBJDIR)/fullimage.data.bin.z
+       $(OBJCOPY) -O elf32-littlearm -I binary -B arm --rename-section .data=compressed_data $^ $@
+
+$(OBJDIR)/fullimage.elf: $(OBJDIR)/fullimage.nodata.o $(OBJDIR)/fullimage.data.o
+       $(CC) $(LDFLAGS) -Wl,-T,ldscript,-Map,$(patsubst %.elf,%.map,$@) -o $@ $^
+       
 tarbin: $(OBJS)
        $(TAR) $(TARFLAGS) ../proxmark3-$(platform)-bin.tar $(OBJS:%=armsrc/%) $(OBJS:%.s19=armsrc/%.elf)
 
-
 clean:
        $(DELETE) $(OBJDIR)$(PATHSEP)*.o
        $(DELETE) $(OBJDIR)$(PATHSEP)*.elf
        $(DELETE) $(OBJDIR)$(PATHSEP)*.s19
        $(DELETE) $(OBJDIR)$(PATHSEP)*.map
        $(DELETE) $(OBJDIR)$(PATHSEP)*.d
+       $(DELETE) $(OBJDIR)$(PATHSEP)*.z
+       $(DELETE) $(OBJDIR)$(PATHSEP)*.bin
        $(DELETE) version.c
 
 .PHONY: all clean help
 help:
        @echo Multi-OS Makefile, you are running on $(DETECTED_OS)
        @echo Possible targets:
-       @echo + all               - Make both:
-       @echo + $(OBJDIR)/osimage.s19   - The OS image
-       @echo + $(OBJDIR)/fpgaimage.s19 - The FPGA image
-       @echo + clean             - Clean $(OBJDIR)
+       @echo + all    - Build the full image $(OBJDIR)/fullimage.s19
+       @echo + clean  - Clean $(OBJDIR)
 
index 3df006bb355f2b0f7db494b36f98c8fd53355868..a199d04b7dc8d48bacbf446de619406385320159 100644 (file)
@@ -1,4 +1,3 @@
-#include "stdio.h"
 #include "aes.h"
 
 static const unsigned int Te0[256] = {
@@ -1138,6 +1137,9 @@ int AesDecrypt(AesCtx *pCtx, unsigned char *pCipher, unsigned char *pData, unsig
 //////////////////////////////////////////////////////////////////////////////
 
 #ifndef EMBEDDED
+
+#include <stdio.h>
+
 int main()
 {
     AesCtx ctx;
index 6e0b58b3da84fa7bc3e2463c47fd10bc285a9eb8..0cbfa2498e6ca7349f23766af663cd57ab70ac47 100644 (file)
@@ -250,55 +250,6 @@ void MeasureAntennaTuningHf(void)
 }
 
 
-void SimulateTagHfListen(void)
-{
-       // ToDo: historically this used the free buffer, which was 2744 Bytes long. 
-       // There might be a better size to be defined:
-       #define HF_14B_SNOOP_BUFFER_SIZE 2744
-       uint8_t *dest = BigBuf_malloc(HF_14B_SNOOP_BUFFER_SIZE);
-       uint8_t v = 0;
-       int i;
-       int p = 0;
-
-       // We're using this mode just so that I can test it out; the simulated
-       // tag mode would work just as well and be simpler.
-       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
-
-       // We need to listen to the high-frequency, peak-detected path.
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
-       FpgaSetupSsc();
-
-       i = 0;
-       for(;;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0xff;
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       uint8_t r = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-
-                       v <<= 1;
-                       if(r & 1) {
-                               v |= 1;
-                       }
-                       p++;
-
-                       if(p >= 8) {
-                               dest[i] = v;
-                               v = 0;
-                               p = 0;
-                               i++;
-
-                               if(i >= HF_14B_SNOOP_BUFFER_SIZE) {
-                                       break;
-                               }
-                       }
-               }
-       }
-       DbpString("simulate tag (now type bitsamples)");
-}
-
 void ReadMem(int addr)
 {
        const uint8_t *data = ((uint8_t *)addr);
@@ -310,11 +261,11 @@ void ReadMem(int addr)
 /* osimage version information is linked in */
 extern struct version_information version_information;
 /* bootrom version information is pointed to from _bootphase1_version_pointer */
-extern char *_bootphase1_version_pointer, _flash_start, _flash_end;
+extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
 void SendVersion(void)
 {
-       char temp[512]; /* Limited data payload in USB packets */
-       DbpString("Prox/RFID mark3 RFID instrument");
+       char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
+       char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
 
        /* Try to find the bootrom version information. Expect to find a pointer at
         * symbol _bootphase1_version_pointer, perform slight sanity checks on the
@@ -322,19 +273,24 @@ void SendVersion(void)
         */
        char *bootrom_version = *(char**)&_bootphase1_version_pointer;
        if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
-               DbpString("bootrom version information appears invalid");
+               strcat(VersionString, "bootrom version information appears invalid\n");
        } else {
                FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
-               DbpString(temp);
+               strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
        }
 
        FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
-       DbpString(temp);
+       strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
+
+       FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
+       strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
+       FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
+       strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
 
-       FpgaGatherVersion(temp, sizeof(temp));
-       DbpString(temp);
-       // Send Chip ID
-       cmd_send(CMD_ACK,*(AT91C_DBGU_CIDR),0,0,NULL,0);
+       // Send Chip ID and used flash memory
+       uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
+       uint32_t compressed_data_section_size = common_area.arg1;
+       cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
 }
 
 #ifdef WITH_LF
@@ -738,7 +694,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
                        ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
                        break;
 #endif
-            
+
 #ifdef WITH_ISO15693
                case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
                        AcquireRawAdcSamplesIso15693();
@@ -782,20 +738,17 @@ void UsbPacketReceived(uint8_t *packet, int len)
 #endif
 
 #ifdef WITH_ISO14443b
-               case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_14443:
-                       AcquireRawAdcSamplesIso14443(c->arg[0]);
-                       break;
                case CMD_READ_SRI512_TAG:
-                       ReadSTMemoryIso14443(0x0F);
+                       ReadSTMemoryIso14443b(0x0F);
                        break;
                case CMD_READ_SRIX4K_TAG:
-                       ReadSTMemoryIso14443(0x7F);
+                       ReadSTMemoryIso14443b(0x7F);
                        break;
-               case CMD_SNOOP_ISO_14443:
-                       SnoopIso14443();
+               case CMD_SNOOP_ISO_14443B:
+                       SnoopIso14443b();
                        break;
-               case CMD_SIMULATE_TAG_ISO_14443:
-                       SimulateIso14443Tag();
+               case CMD_SIMULATE_TAG_ISO_14443B:
+                       SimulateIso14443bTag();
                        break;
                case CMD_ISO_14443B_COMMAND:
                        SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
@@ -816,27 +769,27 @@ void UsbPacketReceived(uint8_t *packet, int len)
                case CMD_EPA_PACE_COLLECT_NONCE:
                        EPA_PACE_Collect_Nonce(c);
                        break;
+               case CMD_EPA_PACE_REPLAY:
+                       EPA_PACE_Replay(c);
+                       break;
                        
                case CMD_READER_MIFARE:
-            ReaderMifare(c->arg[0]);
+                       ReaderMifare(c->arg[0]);
                        break;
                case CMD_MIFARE_READBL:
                        MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
                        break;
                case CMD_MIFAREU_READBL:
-                       MifareUReadBlock(c->arg[0],c->d.asBytes);
-                       break;
-               case CMD_MIFAREUC_AUTH1:
-                       MifareUC_Auth1(c->arg[0],c->d.asBytes);
+                       MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
                        break;
-               case CMD_MIFAREUC_AUTH2:
-                       MifareUC_Auth2(c->arg[0],c->d.asBytes);
+               case CMD_MIFAREUC_AUTH:
+                       MifareUC_Auth(c->arg[0],c->d.asBytes);
                        break;
                case CMD_MIFAREU_READCARD:
-                       MifareUReadCard(c->arg[0], c->arg[1], c->d.asBytes);
+                       MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
                        break;
-               case CMD_MIFAREUC_READCARD:
-                       MifareUReadCard(c->arg[0], c->arg[1], c->d.asBytes);
+               case CMD_MIFAREUC_SETPWD: 
+                       MifareUSetPwd(c->arg[0], c->d.asBytes);
                        break;
                case CMD_MIFARE_READSC:
                        MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
@@ -844,12 +797,12 @@ void UsbPacketReceived(uint8_t *packet, int len)
                case CMD_MIFARE_WRITEBL:
                        MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
                        break;
-               case CMD_MIFAREU_WRITEBL_COMPAT:
-                       MifareUWriteBlock(c->arg[0], c->d.asBytes);
-                        break;
+               //case CMD_MIFAREU_WRITEBL_COMPAT:
+                       //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
+                       //break;
                case CMD_MIFAREU_WRITEBL:
-                        MifareUWriteBlock_Special(c->arg[0], c->d.asBytes);
-                        break;
+                       MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
+                       break;
                case CMD_MIFARE_NESTED:
                        MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
                        break;
@@ -914,10 +867,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
                        break;
 #endif
 
-               case CMD_SIMULATE_TAG_HF_LISTEN:
-                       SimulateTagHfListen();
-                       break;
-
                case CMD_BUFF_CLEAR:
                        BigBuf_Clear();
                        break;
index 928a3075f44391c80e51f9ffc1f6d511225aa2ce..bb094b330521b08efbe4b57ff9fa8ee70fd8c250 100644 (file)
@@ -19,6 +19,7 @@
 #include "mifare.h"
 #include "../common/crc32.h"
 #include "BigBuf.h"
+#include "fpgaloader.h"
 
 extern const uint8_t OddByteParity[256];
 extern int rsamples;   // = 0;
@@ -50,60 +51,6 @@ void ListenReaderField(int limit);
 extern int ToSendMax;
 extern uint8_t ToSend[];
 
-/// fpga.h
-void FpgaSendCommand(uint16_t cmd, uint16_t v);
-void FpgaWriteConfWord(uint8_t v);
-void FpgaDownloadAndGo(int bitstream_version);
-int FpgaGatherBitstreamVersion();
-void FpgaGatherVersion(char *dst, int len);
-void FpgaSetupSsc(void);
-void SetupSpi(int mode);
-bool FpgaSetupSscDma(uint8_t *buf, int len);
-#define FpgaDisableSscDma(void)        AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
-#define FpgaEnableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
-void SetAdcMuxFor(uint32_t whichGpio);
-
-// Definitions for the FPGA commands.
-#define FPGA_CMD_SET_CONFREG                                   (1<<12)
-#define FPGA_CMD_SET_DIVISOR                                   (2<<12)
-#define FPGA_CMD_SET_USER_BYTE1                                        (3<<12)
-// Definitions for the FPGA configuration word.
-// LF
-#define FPGA_MAJOR_MODE_LF_ADC                                 (0<<5)
-#define FPGA_MAJOR_MODE_LF_EDGE_DETECT                 (1<<5)
-#define FPGA_MAJOR_MODE_LF_PASSTHRU                            (2<<5)
-// HF
-#define FPGA_MAJOR_MODE_HF_READER_TX                           (0<<5)
-#define FPGA_MAJOR_MODE_HF_READER_RX_XCORR                     (1<<5)
-#define FPGA_MAJOR_MODE_HF_SIMULATOR                           (2<<5)
-#define FPGA_MAJOR_MODE_HF_ISO14443A                           (3<<5)
-// BOTH
-#define FPGA_MAJOR_MODE_OFF                                    (7<<5)
-// Options for LF_ADC
-#define FPGA_LF_ADC_READER_FIELD                               (1<<0)
-// Options for LF_EDGE_DETECT
-#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD                     FPGA_CMD_SET_USER_BYTE1
-#define FPGA_LF_EDGE_DETECT_READER_FIELD                       (1<<0)
-#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE                                (1<<1)
-// Options for the HF reader, tx to tag
-#define FPGA_HF_READER_TX_SHALLOW_MOD                          (1<<0)
-// Options for the HF reader, correlating against rx from tag
-#define FPGA_HF_READER_RX_XCORR_848_KHZ                                (1<<0)
-#define FPGA_HF_READER_RX_XCORR_SNOOP                          (1<<1)
-#define FPGA_HF_READER_RX_XCORR_QUARTER_FREQ                   (1<<2)
-// Options for the HF simulated tag, how to modulate
-#define FPGA_HF_SIMULATOR_NO_MODULATION                                (0<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_BPSK                                (1<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_212K                                (2<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_424K                                (4<<0)
-#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT           0x5//101
-
-// Options for ISO14443A
-#define FPGA_HF_ISO14443A_SNIFFER                              (0<<0)
-#define FPGA_HF_ISO14443A_TAGSIM_LISTEN                                (1<<0)
-#define FPGA_HF_ISO14443A_TAGSIM_MOD                           (2<<0)
-#define FPGA_HF_ISO14443A_READER_LISTEN                                (3<<0)
-#define FPGA_HF_ISO14443A_READER_MOD                           (4<<0)
 
 /// lfops.h
 extern uint8_t decimation;
@@ -141,10 +88,10 @@ void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
 
 /// iso14443.h
-void SimulateIso14443Tag(void);
-void AcquireRawAdcSamplesIso14443(uint32_t parameter);
-void ReadSTMemoryIso14443(uint32_t);
-void RAMFUNC SnoopIso14443(void);
+void SimulateIso14443bTag(void);
+void AcquireRawAdcSamplesIso14443b(uint32_t parameter);
+void ReadSTMemoryIso14443b(uint32_t);
+void RAMFUNC SnoopIso14443b(void);
 void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);
 
 /// iso14443a.h
@@ -160,19 +107,19 @@ void RAMFUNC SniffMifare(uint8_t param);
 
 /// epa.h
 void EPA_PACE_Collect_Nonce(UsbCommand * c);
+void EPA_PACE_Replay(UsbCommand *c);
 
 // mifarecmd.h
 void ReaderMifare(bool first_try);
 int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
-void MifareUReadBlock(uint8_t arg0,uint8_t *datain);
-void MifareUC_Auth1(uint8_t arg0, uint8_t *datain);
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain);
-void MifareUReadCard(uint8_t arg0, int Pages, uint8_t *datain);
+void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
+void MifareUC_Auth(uint8_t arg0, uint8_t *datain);
+void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
-void MifareUWriteBlock(uint8_t arg0,uint8_t *datain);
-void MifareUWriteBlock_Special(uint8_t arg0,uint8_t *datain);
+//void MifareUWriteBlockCompat(uint8_t arg0,uint8_t *datain);
+void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
 void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
 void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
@@ -184,6 +131,7 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);  // Work with "magic Chinese" card
 void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
 void MifareCIdent();  // is "magic chinese" card?
+void MifareUSetPwd(uint8_t arg0, uint8_t *datain);
 
 //desfire
 void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
index 0a27503e016d197e63d730a557b625cded147e63..a81df9c8d4234c7bd2bd5432b0a503f9a1c6ba36 100644 (file)
@@ -378,6 +378,60 @@ void tdes_dec(void* out, void* in, const uint8_t* key){
        des_dec(out, out, (uint8_t*)key + 0);
 }
 
+void tdes_2key_enc(void* out, const void* in, size_t length, const void* key, unsigned char iv[8]){
+
+       if( length % 8 ) return; 
+       
+       uint8_t i;
+       uint8_t* tin = (uint8_t*) in;
+       uint8_t* tout = (uint8_t*) out;
+       
+       while( length > 0 )
+       {
+               for ( i = 0; i < 8; i++ )
+                       tout[i] = (unsigned char)(tin[i] ^ iv[i]);
+
+               des_enc(tout,  tin, (uint8_t*)key + 0);
+               des_dec(tout, tout, (uint8_t*)key + 8);
+               des_enc(tout, tout, (uint8_t*)key + 0);
+               
+               memcpy(iv, tout, 8);
+
+               tin  += 8;
+               tout += 8;
+               length -= 8;
+       }
+}
+
+void tdes_2key_dec(void* out, const void* in, size_t length, const void* key, unsigned char iv[8]){
+       
+       if( length % 8 ) return; 
+
+       uint8_t i;
+       unsigned char temp[8];
+       uint8_t* tin = (uint8_t*) in;
+       uint8_t* tout = (uint8_t*) out;
+       
+       while( length > 0 )
+       {
+               memcpy(temp, tin, 8);
+
+               des_dec(tout,  tin, (uint8_t*)key + 0);
+               des_enc(tout, tout, (uint8_t*)key + 8);
+               des_dec(tout, tout, (uint8_t*)key + 0);          
+
+               for (i = 0; i < 8; i++)
+                       tout[i] = (unsigned char)(tout[i] ^ iv[i]);
+
+               memcpy(iv, temp, 8);
+               
+               tin  += 8;
+               tout += 8;
+               length -= 8;
+       }
+}
+
+
 /******************************************************************************/
 
 
index 652886fd7a523d9aeab176057ac7003d8fd0ba2e..90f742464ba6d4ed41988c81f2cf33b8c4dc77ec 100644 (file)
@@ -97,6 +97,9 @@ void tdes_enc(void* out, const void* in, const void* key);
  */
  void tdes_dec(void* out, const void* in, const void* key);
 
+ void tdes_2key_enc(void* out, const void* in, size_t length, const void* key, unsigned char iv[8]);
+ void tdes_2key_dec(void* out, const void* in, size_t length, const void* key, unsigned char iv[8]);
+
 #endif /*DES_H_*/
 
 // Copied from des.h in desfire imp.
index 0006d59d01c03fd4944caefef829771b1b8068fc..6bd8692ecaa52d53c7c18ea3364acac26fdb670a 100644 (file)
@@ -5,7 +5,7 @@
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
 //-----------------------------------------------------------------------------
-// Routines to support the German eletronic "Personalausweis" (ID card)
+// Routines to support the German electronic "Personalausweis" (ID card)
 // Note that the functions which do not implement USB commands do NOT initialize
 // the card (with iso14443a_select_card etc.). If You want to use these
 // functions, You need to do the setup before calling them!
@@ -74,6 +74,32 @@ static const uint8_t oid_pace_start[] = {
     0x04 // id-PACE
 };
 
+// APDUs for replaying:
+// MSE: Set AT (initiate PACE)
+static uint8_t apdu_replay_mse_set_at_pace[41];
+// General Authenticate (Get Nonce)
+static uint8_t apdu_replay_general_authenticate_pace_get_nonce[8];
+// General Authenticate (Map Nonce)
+static uint8_t apdu_replay_general_authenticate_pace_map_nonce[75];
+// General Authenticate (Mutual Authenticate)
+static uint8_t apdu_replay_general_authenticate_pace_mutual_authenticate[75];
+// General Authenticate (Perform Key Agreement)
+static uint8_t apdu_replay_general_authenticate_pace_perform_key_agreement[18];
+// pointers to the APDUs (for iterations)
+static struct {
+       uint8_t len;
+       uint8_t *data;
+} const apdus_replay[] = {
+       {sizeof(apdu_replay_mse_set_at_pace), apdu_replay_mse_set_at_pace},
+       {sizeof(apdu_replay_general_authenticate_pace_get_nonce), apdu_replay_general_authenticate_pace_get_nonce},
+       {sizeof(apdu_replay_general_authenticate_pace_map_nonce), apdu_replay_general_authenticate_pace_map_nonce},
+       {sizeof(apdu_replay_general_authenticate_pace_mutual_authenticate), apdu_replay_general_authenticate_pace_mutual_authenticate},
+       {sizeof(apdu_replay_general_authenticate_pace_perform_key_agreement), apdu_replay_general_authenticate_pace_perform_key_agreement}
+};
+
+// lengths of the replay APDUs
+static uint8_t apdu_lengths_replay[5];
+
 //-----------------------------------------------------------------------------
 // Closes the communication channel and turns off the field
 //-----------------------------------------------------------------------------
@@ -101,7 +127,7 @@ size_t EPA_Parse_CardAccess(uint8_t *data,
                             pace_version_info_t *pace_info)
 {
        size_t index = 0;
-       
+
        while (index <= length - 2) {
                // determine type of element
                // SET or SEQUENCE
@@ -158,7 +184,7 @@ size_t EPA_Parse_CardAccess(uint8_t *data,
                        index += 2 + data[index + 1];
                }
        }
-       
+
        // TODO: We should check whether we reached the end in error, but for that
        //       we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO)
        return 0;
@@ -176,7 +202,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
        // we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame)
        uint8_t response_apdu[262];
        int rapdu_length = 0;
-       
+
        // select the file EF.CardAccess
        rapdu_length = iso14_apdu((uint8_t *)apdu_select_binary_cardaccess,
                                  sizeof(apdu_select_binary_cardaccess),
@@ -188,7 +214,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
                Dbprintf("epa - no select cardaccess");
                return -1;
        }
-       
+
        // read the file
        rapdu_length = iso14_apdu((uint8_t *)apdu_read_binary,
                                  sizeof(apdu_read_binary),
@@ -200,7 +226,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
                Dbprintf("epa - no read cardaccess");
                return -1;
        }
-       
+
        // copy the content into the buffer
        // length of data available: apdu_length - 4 (ISO frame) - 2 (SW)
        size_t to_copy = rapdu_length - 6;
@@ -215,16 +241,11 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
 //-----------------------------------------------------------------------------
 static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
 {
-//     // step in which the failure occured
-//     ack->arg[0] = step;
-//     // last return code
-//     ack->arg[1] = func_return;
-
        // power down the field
        EPA_Finish();
-       
+
        // send the USB packet
-  cmd_send(CMD_ACK,step,func_return,0,0,0);
+       cmd_send(CMD_ACK,step,func_return,0,0,0);
 }
 
 //-----------------------------------------------------------------------------
@@ -246,10 +267,6 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
        // return value of a function
        int func_return = 0;
 
-//     // initialize ack with 0s
-//     memset(ack->arg, 0, 12);
-//     memset(ack->d.asBytes, 0, 48);
-       
        // set up communication
        func_return = EPA_Setup();
        if (func_return != 0) {
@@ -277,11 +294,11 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
                EPA_PACE_Collect_Nonce_Abort(3, func_return);
                return;
        }
-       
+
        // initiate the PACE protocol
        // use the CAN for the password since that doesn't change
        func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
-       
+
        // now get the nonce
        uint8_t nonce[256] = {0};
        uint8_t requested_size = (uint8_t)c->arg[0];
@@ -292,14 +309,12 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
                EPA_PACE_Collect_Nonce_Abort(4, func_return);
                return;
        }
-  
-  // all done, return
+
+       // all done, return
        EPA_Finish();
-       
+
        // save received information
-//     ack->arg[1] = func_return;
-//     memcpy(ack->d.asBytes, nonce, func_return);
-  cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
+       cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
 }
 
 //-----------------------------------------------------------------------------
@@ -320,7 +335,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
               sizeof(apdu_general_authenticate_pace_get_nonce));
        // append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU
        apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4;
-       
+
        // send it
        uint8_t response_apdu[262];
        int send_return = iso14_apdu(apdu,
@@ -333,7 +348,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
        {
                return -1;
        }
-       
+
        // if there is no nonce in the RAPDU, return here
        if (send_return < 10)
        {
@@ -348,7 +363,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
        }
        // copy the nonce
        memcpy(nonce, response_apdu + 6, nonce_length);
-       
+
        return nonce_length;
 }
 
@@ -407,13 +422,79 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
        return 0;
 }
 
+//-----------------------------------------------------------------------------
+// Perform the PACE protocol by replaying given APDUs
+//-----------------------------------------------------------------------------
+void EPA_PACE_Replay(UsbCommand *c)
+{
+       uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};
+
+       // if an APDU has been passed, save it
+       if (c->arg[0] != 0) {
+               // make sure it's not too big
+               if(c->arg[2] > apdus_replay[c->arg[0] - 1].len)
+               {
+                       cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
+               }
+               memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1],
+                  c->d.asBytes,
+                  c->arg[2]);
+               // save/update APDU length
+               if (c->arg[1] == 0) {
+                       apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
+               } else {
+                       apdu_lengths_replay[c->arg[0] - 1] += c->arg[2];
+               }
+               cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
+               return;
+       }
+
+       // return value of a function
+       int func_return;
+
+       // set up communication
+       func_return = EPA_Setup();
+       if (func_return != 0) {
+               EPA_Finish();
+               cmd_send(CMD_ACK, 2, func_return, 0, NULL, 0);
+               return;
+       }
+
+       // increase the timeout (at least some cards really do need this!)/////////////
+       // iso14a_set_timeout(0x0003FFFF);
+
+       // response APDU
+       uint8_t response_apdu[300] = {0};
+
+       // now replay the data and measure the timings
+       for (int i = 0; i < sizeof(apdu_lengths_replay); i++) {
+               StartCountUS();
+               func_return = iso14_apdu(apdus_replay[i].data,
+                                        apdu_lengths_replay[i],
+                                        response_apdu);
+               timings[i] = GetCountUS();
+               // every step but the last one should succeed
+               if (i < sizeof(apdu_lengths_replay) - 1
+                   && (func_return < 6
+                       || response_apdu[func_return - 4] != 0x90
+                       || response_apdu[func_return - 3] != 0x00))
+               {
+                       EPA_Finish();
+                       cmd_send(CMD_ACK, 3 + i, func_return, 0, timings, 20);
+                       return;
+               }
+       }
+       EPA_Finish();
+       cmd_send(CMD_ACK,0,0,0,timings,20);
+       return;
+}
+
 //-----------------------------------------------------------------------------
 // Set up a communication channel (Card Select, PPS)
 // Returns 0 on success or a non-zero error code on failure
 //-----------------------------------------------------------------------------
 int EPA_Setup()
 {
-
        int return_code = 0;
        uint8_t uid[10];
        uint8_t pps_response[3];
@@ -422,20 +503,16 @@ int EPA_Setup()
 
        // power up the field
        iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-
        // select the card
        return_code = iso14443a_select_card(uid, &card_select_info, NULL);
        if (return_code != 1) {
-               Dbprintf("Epa: Can't select card");
                return 1;
        }
-
        // send the PPS request
        ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
        return_code = ReaderReceive(pps_response, pps_response_par);
        if (return_code != 3 || pps_response[0] != 0xD0) {
                return return_code == 0 ? 2 : return_code;
        }
-       
        return 0;
-}
\ No newline at end of file
+}
index 730652b79ef8b8afd31d0e20523dec6f83965ccf..0c580205da938c80d952a853af16c98cc140614d 100644 (file)
@@ -19,7 +19,7 @@ typedef struct {
        uint8_t parameter_id;
 } pace_version_info_t;
 
-// note: EPA_PACE_GetNonce is declared in apps.h
+// note: EPA_PACE_Collect_Nonce is declared in apps.h
 
 // general functions
 void EPA_Finish();
@@ -33,4 +33,4 @@ int EPA_Setup();
 int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password);
 int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce);
 
-#endif /* __EPA_H */
\ No newline at end of file
+#endif /* __EPA_H */
index 077b378a918b438cb0dc625642d22a7543eaabbf..16fed7c52469b857437a3d58474a1dd4d892f4b4 100644 (file)
@@ -9,10 +9,32 @@
 // Routines to load the FPGA image, and then to configure the FPGA's major
 // mode once it is configured.
 //-----------------------------------------------------------------------------
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include "fpgaloader.h"
 #include "proxmark3.h"
-#include "apps.h"
 #include "util.h"
 #include "string.h"
+#include "BigBuf.h"
+#include "zlib.h"
+
+extern void Dbprintf(const char *fmt, ...);
+
+// remember which version of the bitstream we have already downloaded to the FPGA
+static int downloaded_bitstream = FPGA_BITSTREAM_ERR;
+
+// this is where the bitstreams are located in memory:
+extern uint8_t _binary_obj_fpga_all_bit_z_start, _binary_obj_fpga_all_bit_z_end;
+
+static uint8_t *fpga_image_ptr = NULL;
+static uint32_t uncompressed_bytes_cnt;
+
+static const uint8_t _bitparse_fixed_header[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01};
+#define FPGA_BITSTREAM_FIXED_HEADER_SIZE       sizeof(_bitparse_fixed_header)
+#define OUTPUT_BUFFER_LEN              80
+#define FPGA_INTERLEAVE_SIZE   288
 
 //-----------------------------------------------------------------------------
 // Set up the Serial Peripheral Interface as master
@@ -150,6 +172,94 @@ bool FpgaSetupSscDma(uint8_t *buf, int len)
     return true;
 }
 
+
+//----------------------------------------------------------------------------
+// Uncompress (inflate) the FPGA data. Returns one decompressed byte with
+// each call. 
+//----------------------------------------------------------------------------
+static int get_from_fpga_combined_stream(z_streamp compressed_fpga_stream, uint8_t *output_buffer)
+{
+       if (fpga_image_ptr == compressed_fpga_stream->next_out) {       // need more data
+               compressed_fpga_stream->next_out = output_buffer;
+               compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
+               fpga_image_ptr = output_buffer;
+               int res = inflate(compressed_fpga_stream, Z_SYNC_FLUSH);
+               if (res != Z_OK) {
+                       Dbprintf("inflate returned: %d, %s", res, compressed_fpga_stream->msg);
+               }
+               if (res < 0) {
+                       return res;
+               }
+       }
+
+       uncompressed_bytes_cnt++;
+       
+       return *fpga_image_ptr++;
+}
+
+//----------------------------------------------------------------------------
+// Undo the interleaving of several FPGA config files. FPGA config files
+// are combined into one big file:
+// 288 bytes from FPGA file 1, followed by 288 bytes from FGPA file 2, etc.
+//----------------------------------------------------------------------------
+static int get_from_fpga_stream(int bitstream_version, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
+{
+       while((uncompressed_bytes_cnt / FPGA_INTERLEAVE_SIZE) % FPGA_BITSTREAM_MAX != (bitstream_version - 1)) {
+               // skip undesired data belonging to other bitstream_versions
+               get_from_fpga_combined_stream(compressed_fpga_stream, output_buffer);
+       }
+
+       return get_from_fpga_combined_stream(compressed_fpga_stream, output_buffer);
+       
+}
+
+
+static voidpf fpga_inflate_malloc(voidpf opaque, uInt items, uInt size)
+{
+       return BigBuf_malloc(items*size);
+}
+
+
+static void fpga_inflate_free(voidpf opaque, voidpf address)
+{
+       BigBuf_free();
+}
+
+
+//----------------------------------------------------------------------------
+// Initialize decompression of the respective (HF or LF) FPGA stream 
+//----------------------------------------------------------------------------
+static bool reset_fpga_stream(int bitstream_version, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
+{
+       uint8_t header[FPGA_BITSTREAM_FIXED_HEADER_SIZE];
+       
+       uncompressed_bytes_cnt = 0;
+       
+       // initialize z_stream structure for inflate:
+       compressed_fpga_stream->next_in = &_binary_obj_fpga_all_bit_z_start;
+       compressed_fpga_stream->avail_in = &_binary_obj_fpga_all_bit_z_start - &_binary_obj_fpga_all_bit_z_end;
+       compressed_fpga_stream->next_out = output_buffer;
+       compressed_fpga_stream->avail_out = OUTPUT_BUFFER_LEN;
+       compressed_fpga_stream->zalloc = &fpga_inflate_malloc;
+       compressed_fpga_stream->zfree = &fpga_inflate_free;
+
+       inflateInit2(compressed_fpga_stream, 0);
+
+       fpga_image_ptr = output_buffer;
+
+       for (uint16_t i = 0; i < FPGA_BITSTREAM_FIXED_HEADER_SIZE; i++) {
+               header[i] = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+       }
+       
+       // Check for a valid .bit file (starts with _bitparse_fixed_header)
+       if(memcmp(_bitparse_fixed_header, header, FPGA_BITSTREAM_FIXED_HEADER_SIZE) == 0) {
+               return true;
+       } else {
+               return false;
+       }
+}
+
+
 static void DownloadFPGA_byte(unsigned char w)
 {
 #define SEND_BIT(x) { if(w & (1<<x) ) HIGH(GPIO_FPGA_DIN); else LOW(GPIO_FPGA_DIN); HIGH(GPIO_FPGA_CCLK); LOW(GPIO_FPGA_CCLK); }
@@ -163,10 +273,12 @@ static void DownloadFPGA_byte(unsigned char w)
        SEND_BIT(0);
 }
 
-// Download the fpga image starting at FpgaImage and with length FpgaImageLen bytes
-// If bytereversal is set: reverse the byte order in each 4-byte word
-static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int bytereversal)
+// Download the fpga image starting at current stream position with length FpgaImageLen bytes
+static void DownloadFPGA(int bitstream_version, int FpgaImageLen, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
 {
+
+       Dbprintf("DownloadFPGA(len: %d)", FpgaImageLen);
+       
        int i=0;
 
        AT91C_BASE_PIOA->PIO_OER = GPIO_FPGA_ON;
@@ -218,23 +330,15 @@ static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int byterevers
                return;
        }
 
-       if(bytereversal) {
-               /* This is only supported for uint32_t aligned images */
-               if( ((int)FpgaImage % sizeof(uint32_t)) == 0 ) {
-                       i=0;
-                       while(FpgaImageLen-->0)
-                               DownloadFPGA_byte(FpgaImage[(i++)^0x3]);
-                       /* Explanation of the magic in the above line:
-                        * i^0x3 inverts the lower two bits of the integer i, counting backwards
-                        * for each 4 byte increment. The generated sequence of (i++)^3 is
-                        * 3 2 1 0 7 6 5 4 11 10 9 8 15 14 13 12 etc. pp.
-                        */
+       for(i = 0; i < FpgaImageLen; i++) {
+               int b = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+               if (b < 0) {
+                       Dbprintf("Error %d during FpgaDownload", b);
+                       break;
                }
-       } else {
-               while(FpgaImageLen-->0)
-                       DownloadFPGA_byte(*FpgaImage++);
+               DownloadFPGA_byte(b);
        }
-
+       
        // continue to clock FPGA until ready signal goes high
        i=100000;
        while ( (i--) && ( !(AT91C_BASE_PIOA->PIO_PDSR & GPIO_FPGA_DONE ) ) ) {
@@ -250,39 +354,21 @@ static void DownloadFPGA(const char *FpgaImage, int FpgaImageLen, int byterevers
        LED_D_OFF();
 }
 
-static char *bitparse_headers_start;
-static char *bitparse_bitstream_end;
-static int bitparse_initialized = 0;
+
 /* Simple Xilinx .bit parser. The file starts with the fixed opaque byte sequence
  * 00 09 0f f0 0f f0 0f f0 0f f0 00 00 01
  * After that the format is 1 byte section type (ASCII character), 2 byte length
  * (big endian), <length> bytes content. Except for section 'e' which has 4 bytes
  * length.
  */
-static const char _bitparse_fixed_header[] = {0x00, 0x09, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x0f, 0xf0, 0x00, 0x00, 0x01};
-static int bitparse_init(void * start_address, void *end_address)
-{
-       bitparse_initialized = 0;
-
-       if(memcmp(_bitparse_fixed_header, start_address, sizeof(_bitparse_fixed_header)) != 0) {
-               return 0; /* Not matched */
-       } else {
-               bitparse_headers_start= ((char*)start_address) + sizeof(_bitparse_fixed_header);
-               bitparse_bitstream_end= (char*)end_address;
-               bitparse_initialized = 1;
-               return 1;
-       }
-}
-
-int bitparse_find_section(char section_name, char **section_start, unsigned int *section_length)
+static int bitparse_find_section(int bitstream_version, char section_name, unsigned int *section_length, z_streamp compressed_fpga_stream, uint8_t *output_buffer)
 {
-       char *pos = bitparse_headers_start;
        int result = 0;
-
-       if(!bitparse_initialized) return 0;
-
-       while(pos < bitparse_bitstream_end) {
-               char current_name = *pos++;
+       #define MAX_FPGA_BIT_STREAM_HEADER_SEARCH 100  // maximum number of bytes to search for the requested section
+       uint16_t numbytes = 0;
+       while(numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH) {
+               char current_name = get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+               numbytes++;
                unsigned int current_length = 0;
                if(current_name < 'a' || current_name > 'e') {
                        /* Strange section name, abort */
@@ -292,11 +378,13 @@ int bitparse_find_section(char section_name, char **section_start, unsigned int
                switch(current_name) {
                case 'e':
                        /* Four byte length field */
-                       current_length += (*pos++) << 24;
-                       current_length += (*pos++) << 16;
+                       current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 24;
+                       current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 16;
+                       numbytes += 2;
                default: /* Fall through, two byte length field */
-                       current_length += (*pos++) << 8;
-                       current_length += (*pos++) << 0;
+                       current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 8;
+                       current_length += get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer) << 0;
+                       numbytes += 2;
                }
 
                if(current_name != 'e' && current_length > 255) {
@@ -306,111 +394,123 @@ int bitparse_find_section(char section_name, char **section_start, unsigned int
 
                if(current_name == section_name) {
                        /* Found it */
-                       *section_start = pos;
                        *section_length = current_length;
                        result = 1;
                        break;
                }
 
-               pos += current_length; /* Skip section */
+               for (uint16_t i = 0; i < current_length && numbytes < MAX_FPGA_BIT_STREAM_HEADER_SEARCH; i++) {
+                       get_from_fpga_stream(bitstream_version, compressed_fpga_stream, output_buffer);
+                       numbytes++;
+               }
        }
 
        return result;
 }
 
-//-----------------------------------------------------------------------------
-// Find out which FPGA image format is stored in flash, then call DownloadFPGA
-// with the right parameters to download the image
-//-----------------------------------------------------------------------------
-extern char _binary_fpga_lf_bit_start, _binary_fpga_lf_bit_end;
-extern char _binary_fpga_hf_bit_start, _binary_fpga_hf_bit_end;
+
+//----------------------------------------------------------------------------
+// Check which FPGA image is currently loaded (if any). If necessary 
+// decompress and load the correct (HF or LF) image to the FPGA
+//----------------------------------------------------------------------------
 void FpgaDownloadAndGo(int bitstream_version)
 {
-       void *bit_start;
-       void *bit_end;
-
+       z_stream compressed_fpga_stream;
+       uint8_t output_buffer[OUTPUT_BUFFER_LEN];
+       
        // check whether or not the bitstream is already loaded
-       if (FpgaGatherBitstreamVersion() == bitstream_version)
+       if (downloaded_bitstream == bitstream_version)
                return;
 
-       if (bitstream_version == FPGA_BITSTREAM_LF) {
-               bit_start = &_binary_fpga_lf_bit_start;
-               bit_end = &_binary_fpga_lf_bit_end;
-       } else if (bitstream_version == FPGA_BITSTREAM_HF) {
-               bit_start = &_binary_fpga_hf_bit_start;
-               bit_end = &_binary_fpga_hf_bit_end;
-       } else
+       // make sure that we have enough memory to decompress
+       BigBuf_free();
+       
+       if (!reset_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer)) {
                return;
-       /* Check for the new flash image format: Should have the .bit file at &_binary_fpga_bit_start
-        */
-       if(bitparse_init(bit_start, bit_end)) {
-               /* Successfully initialized the .bit parser. Find the 'e' section and
-                * send its contents to the FPGA.
-                */
-               char *bitstream_start;
-               unsigned int bitstream_length;
-               if(bitparse_find_section('e', &bitstream_start, &bitstream_length)) {
-                       DownloadFPGA(bitstream_start, bitstream_length, 0);
-
-                       return; /* All done */
-               }
        }
 
-       /* Fallback for the old flash image format: Check for the magic marker 0xFFFFFFFF
-        * 0xAA995566 at address 0x102000. This is raw bitstream with a size of 336,768 bits
-        * = 10,524 uint32_t, stored as uint32_t e.g. little-endian in memory, but each DWORD
-        * is still to be transmitted in MSBit first order. Set the invert flag to indicate
-        * that the DownloadFPGA function should invert every 4 byte sequence when doing
-        * the bytewise download.
-        */
-       if( *(uint32_t*)0x102000 == 0xFFFFFFFF && *(uint32_t*)0x102004 == 0xAA995566 )
-               DownloadFPGA((char*)0x102000, 10524*4, 1);
-}
+       unsigned int bitstream_length;
+       if(bitparse_find_section(bitstream_version, 'e', &bitstream_length, &compressed_fpga_stream, output_buffer)) {
+               DownloadFPGA(bitstream_version, bitstream_length, &compressed_fpga_stream, output_buffer);
+               downloaded_bitstream = bitstream_version;
+       }
+
+       inflateEnd(&compressed_fpga_stream);
+}      
 
-int FpgaGatherBitstreamVersion()
-{
-       char temp[256];
-       FpgaGatherVersion(temp, sizeof (temp));
-       if (!memcmp("LF", temp, 2))
-               return FPGA_BITSTREAM_LF;
-       else if (!memcmp("HF", temp, 2))
-               return FPGA_BITSTREAM_HF;
-       return FPGA_BITSTREAM_ERR;
-}
 
-void FpgaGatherVersion(char *dst, int len)
+//-----------------------------------------------------------------------------
+// Gather version information from FPGA image. Needs to decompress the begin 
+// of the respective (HF or LF) image.
+// Note: decompression makes use of (i.e. overwrites) BigBuf[]. It is therefore
+// advisable to call this only once and store the results for later use.
+//-----------------------------------------------------------------------------
+void FpgaGatherVersion(int bitstream_version, char *dst, int len)
 {
-       char *fpga_info;
        unsigned int fpga_info_len;
-       dst[0] = 0;
-       if(!bitparse_find_section('e', &fpga_info, &fpga_info_len)) {
-               strncat(dst, "FPGA image: legacy image without version information", len-1);
-       } else {
-               /* USB packets only have 48 bytes data payload, so be terse */
-               if(bitparse_find_section('a', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-                       if (!memcmp("fpga_lf", fpga_info, 7))
-                               strncat(dst, "LF ", len-1);
-                       else if (!memcmp("fpga_hf", fpga_info, 7))
-                               strncat(dst, "HF ", len-1);
+       char tempstr[40];
+       z_stream compressed_fpga_stream;
+       uint8_t output_buffer[OUTPUT_BUFFER_LEN];
+       
+       dst[0] = '\0';
+
+       // ensure that we can allocate enough memory for decompression:
+       BigBuf_free();
+
+       if (!reset_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer)) {
+               return;
+       }
+
+       if(bitparse_find_section(bitstream_version, 'a', &fpga_info_len, &compressed_fpga_stream, output_buffer)) {
+               for (uint16_t i = 0; i < fpga_info_len; i++) {
+                       char c = (char)get_from_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer);
+                       if (i < sizeof(tempstr)) {
+                               tempstr[i] = c;
+                       }
                }
-               strncat(dst, "FPGA image built", len-1);
-#if 0
-               if(bitparse_find_section('b', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-                       strncat(dst, " for ", len-1);
-                       strncat(dst, fpga_info, len-1);
+               if (!memcmp("fpga_lf", tempstr, 7))
+                       strncat(dst, "LF ", len-1);
+               else if (!memcmp("fpga_hf", tempstr, 7))
+                       strncat(dst, "HF ", len-1);
+       }
+       strncat(dst, "FPGA image built", len-1);
+       if(bitparse_find_section(bitstream_version, 'b', &fpga_info_len, &compressed_fpga_stream, output_buffer)) {
+               strncat(dst, " for ", len-1);
+               for (uint16_t i = 0; i < fpga_info_len; i++) {
+                       char c = (char)get_from_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer);
+                       if (i < sizeof(tempstr)) {
+                               tempstr[i] = c;
+                       }
                }
-#endif
-               if(bitparse_find_section('c', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-                       strncat(dst, " on ", len-1);
-                       strncat(dst, fpga_info, len-1);
+               strncat(dst, tempstr, len-1);
+       }
+       if(bitparse_find_section(bitstream_version, 'c', &fpga_info_len, &compressed_fpga_stream, output_buffer)) {
+               strncat(dst, " on ", len-1);
+               for (uint16_t i = 0; i < fpga_info_len; i++) {
+                       char c = (char)get_from_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer);
+                       if (i < sizeof(tempstr)) {
+                               tempstr[i] = c;
+                       }
                }
-               if(bitparse_find_section('d', &fpga_info, &fpga_info_len) && fpga_info[fpga_info_len-1] == 0 ) {
-                       strncat(dst, " at ", len-1);
-                       strncat(dst, fpga_info, len-1);
+               strncat(dst, tempstr, len-1);
+       }
+       if(bitparse_find_section(bitstream_version, 'd', &fpga_info_len, &compressed_fpga_stream, output_buffer)) {
+               strncat(dst, " at ", len-1);
+               for (uint16_t i = 0; i < fpga_info_len; i++) {
+                       char c = (char)get_from_fpga_stream(bitstream_version, &compressed_fpga_stream, output_buffer);
+                       if (i < sizeof(tempstr)) {
+                               tempstr[i] = c;
+                       }
                }
+               strncat(dst, tempstr, len-1);
        }
+       
+       strncat(dst, "\n", len-1);
+
+       inflateEnd(&compressed_fpga_stream);
 }
 
+
 //-----------------------------------------------------------------------------
 // Send a 16 bit command/data pair to the FPGA.
 // The bit format is:  C3 C2 C1 C0 D11 D10 D9 D8 D7 D6 D5 D4 D3 D2 D1 D0
diff --git a/armsrc/fpgaloader.h b/armsrc/fpgaloader.h
new file mode 100644 (file)
index 0000000..0bad380
--- /dev/null
@@ -0,0 +1,71 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, April 2006
+// iZsh <izsh at fail0verflow.com>, 2014
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to load the FPGA image, and then to configure the FPGA's major
+// mode once it is configured.
+//-----------------------------------------------------------------------------
+
+void FpgaSendCommand(uint16_t cmd, uint16_t v);
+void FpgaWriteConfWord(uint8_t v);
+void FpgaDownloadAndGo(int bitstream_version);
+void FpgaGatherVersion(int bitstream_version, char *dst, int len);
+void FpgaSetupSsc(void);
+void SetupSpi(int mode);
+bool FpgaSetupSscDma(uint8_t *buf, int len);
+#define FpgaDisableSscDma(void)        AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+#define FpgaEnableSscDma(void) AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN;
+void SetAdcMuxFor(uint32_t whichGpio);
+
+// definitions for multiple FPGA config files support
+#define FPGA_BITSTREAM_MAX 2   // the total number of FPGA bitstreams (configs)
+#define FPGA_BITSTREAM_ERR 0
+#define FPGA_BITSTREAM_LF 1
+#define FPGA_BITSTREAM_HF 2
+
+
+// Definitions for the FPGA commands.
+#define FPGA_CMD_SET_CONFREG                                           (1<<12)
+#define FPGA_CMD_SET_DIVISOR                                           (2<<12)
+#define FPGA_CMD_SET_USER_BYTE1                                                (3<<12)
+// Definitions for the FPGA configuration word.
+// LF
+#define FPGA_MAJOR_MODE_LF_ADC                                         (0<<5)
+#define FPGA_MAJOR_MODE_LF_EDGE_DETECT                         (1<<5)
+#define FPGA_MAJOR_MODE_LF_PASSTHRU                                    (2<<5)
+// HF
+#define FPGA_MAJOR_MODE_HF_READER_TX                           (0<<5)
+#define FPGA_MAJOR_MODE_HF_READER_RX_XCORR                     (1<<5)
+#define FPGA_MAJOR_MODE_HF_SIMULATOR                           (2<<5)
+#define FPGA_MAJOR_MODE_HF_ISO14443A                           (3<<5)
+// BOTH
+#define FPGA_MAJOR_MODE_OFF                                                    (7<<5)
+// Options for LF_ADC
+#define FPGA_LF_ADC_READER_FIELD                                       (1<<0)
+// Options for LF_EDGE_DETECT
+#define FPGA_CMD_SET_EDGE_DETECT_THRESHOLD                     FPGA_CMD_SET_USER_BYTE1
+#define FPGA_LF_EDGE_DETECT_READER_FIELD                       (1<<0)
+#define FPGA_LF_EDGE_DETECT_TOGGLE_MODE                                (1<<1)
+// Options for the HF reader, tx to tag
+#define FPGA_HF_READER_TX_SHALLOW_MOD                          (1<<0)
+// Options for the HF reader, correlating against rx from tag
+#define FPGA_HF_READER_RX_XCORR_848_KHZ                                (1<<0)
+#define FPGA_HF_READER_RX_XCORR_SNOOP                          (1<<1)
+#define FPGA_HF_READER_RX_XCORR_QUARTER_FREQ           (1<<2)
+// Options for the HF simulated tag, how to modulate
+#define FPGA_HF_SIMULATOR_NO_MODULATION                                (0<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_BPSK                                (1<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_212K                                (2<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K                                (4<<0)
+#define FPGA_HF_SIMULATOR_MODULATE_424K_8BIT           0x5//101
+
+// Options for ISO14443A
+#define FPGA_HF_ISO14443A_SNIFFER                                      (0<<0)
+#define FPGA_HF_ISO14443A_TAGSIM_LISTEN                                (1<<0)
+#define FPGA_HF_ISO14443A_TAGSIM_MOD                           (2<<0)
+#define FPGA_HF_ISO14443A_READER_LISTEN                                (3<<0)
+#define FPGA_HF_ISO14443A_READER_MOD                           (4<<0)
index 4b173d6f223845620eeb47e96e35c89ffb78f628..719164d19e18b08c94b7f8f5839b8e2e86376502 100644 (file)
@@ -710,22 +710,24 @@ void SnoopHitag(uint32_t type) {
        byte_t rx[HITAG_FRAME_LEN];
        size_t rxlen=0;
        
+       FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+       // Clean up trace and prepare it for storing frames
+       set_tracing(TRUE);
+       clear_trace();
+       
        auth_table_len = 0;
        auth_table_pos = 0;
+
        BigBuf_free();
     auth_table = (byte_t *)BigBuf_malloc(AUTH_TABLE_LENGTH);
        memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
 
-       // Clean up trace and prepare it for storing frames
-       set_tracing(TRUE);
-       clear_trace();
-       
        DbpString("Starting Hitag2 snoop");
        LED_D_ON();
        
        // Set up eavesdropping mode, frequency divisor which will drive the FPGA
        // and analog mux selection.
-       FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
        FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT  | FPGA_LF_EDGE_DETECT_TOGGLE_MODE);
        FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
        SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
@@ -922,6 +924,12 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
        bool bQuitTraceFull = false;
        bQuiet = false;
        
+       FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+       // Clean up trace and prepare it for storing frames
+       set_tracing(TRUE);
+       clear_trace();
+
        auth_table_len = 0;
        auth_table_pos = 0;
     byte_t* auth_table;
@@ -929,10 +937,6 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
     auth_table = (byte_t *)BigBuf_malloc(AUTH_TABLE_LENGTH);
        memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
 
-       // Clean up trace and prepare it for storing frames
-       set_tracing(TRUE);
-       clear_trace();
-
        DbpString("Starting Hitag2 simulation");
        LED_D_ON();
        hitag2_init();
@@ -953,7 +957,6 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
        
        // Set up simulator mode, frequency divisor which will drive the FPGA
        // and analog mux selection.
-       FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
        FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
        FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
        SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
index 7b4daa36bb3b6541e5b77fffbceb84189639ce02..97c62bb60daf7c4d3367f1a49a5bdd9f7c001468 100644 (file)
@@ -1125,7 +1125,6 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf)
        int resp_cc_len;
 
        uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
-       memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
        int len;
 
        // Prepare card messages
@@ -1336,7 +1335,6 @@ int doIClassSimulation( int simulationMode, uint8_t *reader_mac_buf)
                        }
 
                }
-               memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
        }
 
        //Dbprintf("%x", cmdsRecvd);
@@ -1675,8 +1673,9 @@ uint8_t handshakeIclassTag(uint8_t *card_data)
 // Reader iClass Anticollission
 void ReaderIClass(uint8_t arg0) {
 
-       uint8_t card_data[6 * 8]={0xFF};
-    uint8_t last_csn[8]={0};
+       uint8_t card_data[6 * 8]={0};
+       memset(card_data, 0xFF, sizeof(card_data));
+       uint8_t last_csn[8]={0};
        
        //Read conf block CRC(0x01) => 0xfa 0x22
        uint8_t readConf[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x01, 0xfa, 0x22};
@@ -1684,16 +1683,18 @@ void ReaderIClass(uint8_t arg0) {
        uint8_t readAA[] = { ICLASS_CMD_READ_OR_IDENTIFY,0x05, 0xde, 0x64};
 
 
-    int read_status= 0;
+       int read_status= 0;
        uint8_t result_status = 0;
-    bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
-
+       bool abort_after_read = arg0 & FLAG_ICLASS_READER_ONLY_ONCE;
+       bool try_once = arg0 & FLAG_ICLASS_READER_ONE_TRY;
        set_tracing(TRUE);
-    setupIclassReader();
+       setupIclassReader();
 
+       uint16_t tryCnt=0;
        while(!BUTTON_PRESS())
-    {
-
+       {
+               if (try_once && tryCnt > 5) break; 
+               tryCnt++;
                if(!tracing) {
                        DbpString("Trace full");
                        break;
@@ -1760,7 +1761,7 @@ void ReaderIClass(uint8_t arg0) {
 
                }
                LED_B_OFF();
-    }
+       }
     cmd_send(CMD_ACK,0,0,0,card_data, 0);
     LED_A_OFF();
 }
diff --git a/armsrc/iso14443.c b/armsrc/iso14443.c
deleted file mode 100644 (file)
index c7f49f1..0000000
+++ /dev/null
@@ -1,1250 +0,0 @@
-//-----------------------------------------------------------------------------
-// Jonathan Westhues, split Nov 2006
-//
-// This code is licensed to you under the terms of the GNU GPL, version 2 or,
-// at your option, any later version. See the LICENSE.txt file for the text of
-// the license.
-//-----------------------------------------------------------------------------
-// Routines to support ISO 14443. This includes both the reader software and
-// the `fake tag' modes. At the moment only the Type B modulation is
-// supported.
-//-----------------------------------------------------------------------------
-
-#include "proxmark3.h"
-#include "apps.h"
-#include "util.h"
-#include "string.h"
-
-#include "iso14443crc.h"
-
-//static void GetSamplesFor14443(int weTx, int n);
-
-/*#define DEMOD_TRACE_SIZE 4096
-#define READER_TAG_BUFFER_SIZE 2048
-#define TAG_READER_BUFFER_SIZE 2048
-#define DEMOD_DMA_BUFFER_SIZE 1024
-*/
-//=============================================================================
-// An ISO 14443 Type B tag. We listen for commands from the reader, using
-// a UART kind of thing that's implemented in software. When we get a
-// frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
-// If it's good, then we can do something appropriate with it, and send
-// a response.
-//=============================================================================
-
-//-----------------------------------------------------------------------------
-// Code up a string of octets at layer 2 (including CRC, we don't generate
-// that here) so that they can be transmitted to the reader. Doesn't transmit
-// them yet, just leaves them ready to send in ToSend[].
-//-----------------------------------------------------------------------------
-static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
-{
-       int i;
-
-       ToSendReset();
-
-       // Transmit a burst of ones, as the initial thing that lets the
-       // reader get phase sync. This (TR1) must be > 80/fs, per spec,
-       // but tag that I've tried (a Paypass) exceeds that by a fair bit,
-       // so I will too.
-       for(i = 0; i < 20; i++) {
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-       }
-
-       // Send SOF.
-       for(i = 0; i < 10; i++) {
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-       }
-       for(i = 0; i < 2; i++) {
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-       }
-
-       for(i = 0; i < len; i++) {
-               int j;
-               uint8_t b = cmd[i];
-
-               // Start bit
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-
-               // Data bits
-               for(j = 0; j < 8; j++) {
-                       if(b & 1) {
-                               ToSendStuffBit(1);
-                               ToSendStuffBit(1);
-                               ToSendStuffBit(1);
-                               ToSendStuffBit(1);
-                       } else {
-                               ToSendStuffBit(0);
-                               ToSendStuffBit(0);
-                               ToSendStuffBit(0);
-                               ToSendStuffBit(0);
-                       }
-                       b >>= 1;
-               }
-
-               // Stop bit
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-       }
-
-       // Send SOF.
-       for(i = 0; i < 10; i++) {
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-               ToSendStuffBit(0);
-       }
-       for(i = 0; i < 10; i++) {
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-       }
-
-       // Convert from last byte pos to length
-       ToSendMax++;
-
-       // Add a few more for slop
-       ToSendMax += 2;
-}
-
-//-----------------------------------------------------------------------------
-// The software UART that receives commands from the reader, and its state
-// variables.
-//-----------------------------------------------------------------------------
-static struct {
-       enum {
-               STATE_UNSYNCD,
-               STATE_GOT_FALLING_EDGE_OF_SOF,
-               STATE_AWAITING_START_BIT,
-               STATE_RECEIVING_DATA,
-               STATE_ERROR_WAIT
-       }       state;
-       uint16_t    shiftReg;
-       int     bitCnt;
-       int     byteCnt;
-       int     byteCntMax;
-       int     posCnt;
-       uint8_t   *output;
-} Uart;
-
-/* Receive & handle a bit coming from the reader.
- *
- * LED handling:
- * LED A -> ON once we have received the SOF and are expecting the rest.
- * LED A -> OFF once we have received EOF or are in error state or unsynced
- *
- * Returns: true if we received a EOF
- *          false if we are still waiting for some more
- */
-static int Handle14443UartBit(int bit)
-{
-       switch(Uart.state) {
-               case STATE_UNSYNCD:
-                       LED_A_OFF();
-                       if(!bit) {
-                               // we went low, so this could be the beginning
-                               // of an SOF
-                               Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
-                               Uart.posCnt = 0;
-                               Uart.bitCnt = 0;
-                       }
-                       break;
-
-               case STATE_GOT_FALLING_EDGE_OF_SOF:
-                       Uart.posCnt++;
-                       if(Uart.posCnt == 2) {
-                               if(bit) {
-                                       if(Uart.bitCnt >= 10) {
-                                               // we've seen enough consecutive
-                                               // zeros that it's a valid SOF
-                                               Uart.posCnt = 0;
-                                               Uart.byteCnt = 0;
-                                               Uart.state = STATE_AWAITING_START_BIT;
-                                               LED_A_ON(); // Indicate we got a valid SOF
-                                       } else {
-                                               // didn't stay down long enough
-                                               // before going high, error
-                                               Uart.state = STATE_ERROR_WAIT;
-                                       }
-                               } else {
-                                       // do nothing, keep waiting
-                               }
-                               Uart.bitCnt++;
-                       }
-                       if(Uart.posCnt >= 4) Uart.posCnt = 0;
-                       if(Uart.bitCnt > 14) {
-                               // Give up if we see too many zeros without
-                               // a one, too.
-                               Uart.state = STATE_ERROR_WAIT;
-                       }
-                       break;
-
-               case STATE_AWAITING_START_BIT:
-                       Uart.posCnt++;
-                       if(bit) {
-                               if(Uart.posCnt > 25) {
-                                       // stayed high for too long between
-                                       // characters, error
-                                       Uart.state = STATE_ERROR_WAIT;
-                               }
-                       } else {
-                               // falling edge, this starts the data byte
-                               Uart.posCnt = 0;
-                               Uart.bitCnt = 0;
-                               Uart.shiftReg = 0;
-                               Uart.state = STATE_RECEIVING_DATA;
-                               LED_A_ON(); // Indicate we're receiving
-                       }
-                       break;
-
-               case STATE_RECEIVING_DATA:
-                       Uart.posCnt++;
-                       if(Uart.posCnt == 2) {
-                               // time to sample a bit
-                               Uart.shiftReg >>= 1;
-                               if(bit) {
-                                       Uart.shiftReg |= 0x200;
-                               }
-                               Uart.bitCnt++;
-                       }
-                       if(Uart.posCnt >= 4) {
-                               Uart.posCnt = 0;
-                       }
-                       if(Uart.bitCnt == 10) {
-                               if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
-                               {
-                                       // this is a data byte, with correct
-                                       // start and stop bits
-                                       Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
-                                       Uart.byteCnt++;
-
-                                       if(Uart.byteCnt >= Uart.byteCntMax) {
-                                               // Buffer overflowed, give up
-                                               Uart.posCnt = 0;
-                                               Uart.state = STATE_ERROR_WAIT;
-                                       } else {
-                                               // so get the next byte now
-                                               Uart.posCnt = 0;
-                                               Uart.state = STATE_AWAITING_START_BIT;
-                                       }
-                               } else if(Uart.shiftReg == 0x000) {
-                                       // this is an EOF byte
-                                       LED_A_OFF(); // Finished receiving
-                                       return TRUE;
-                               } else {
-                                       // this is an error
-                                       Uart.posCnt = 0;
-                                       Uart.state = STATE_ERROR_WAIT;
-                               }
-                       }
-                       break;
-
-               case STATE_ERROR_WAIT:
-                       // We're all screwed up, so wait a little while
-                       // for whatever went wrong to finish, and then
-                       // start over.
-                       Uart.posCnt++;
-                       if(Uart.posCnt > 10) {
-                               Uart.state = STATE_UNSYNCD;
-                       }
-                       break;
-
-               default:
-                       Uart.state = STATE_UNSYNCD;
-                       break;
-       }
-
-       // This row make the error blew circular buffer in hf 14b snoop
-       //if (Uart.state == STATE_ERROR_WAIT) LED_A_OFF(); // Error
-
-       return FALSE;
-}
-
-//-----------------------------------------------------------------------------
-// Receive a command (from the reader to us, where we are the simulated tag),
-// and store it in the given buffer, up to the given maximum length. Keeps
-// spinning, waiting for a well-framed command, until either we get one
-// (returns TRUE) or someone presses the pushbutton on the board (FALSE).
-//
-// Assume that we're called with the SSC (to the FPGA) and ADC path set
-// correctly.
-//-----------------------------------------------------------------------------
-static int GetIso14443CommandFromReader(uint8_t *received, int *len, int maxLen)
-{
-       uint8_t mask;
-       int i, bit;
-
-       // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
-       // only, since we are receiving, not transmitting).
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
-
-
-       // Now run a `software UART' on the stream of incoming samples.
-       Uart.output = received;
-       Uart.byteCntMax = maxLen;
-       Uart.state = STATE_UNSYNCD;
-
-       for(;;) {
-               WDT_HIT();
-
-               if(BUTTON_PRESS()) return FALSE;
-
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0x00;
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-
-                       mask = 0x80;
-                       for(i = 0; i < 8; i++, mask >>= 1) {
-                               bit = (b & mask);
-                               if(Handle14443UartBit(bit)) {
-                                       *len = Uart.byteCnt;
-                                       return TRUE;
-                               }
-                       }
-               }
-       }
-}
-
-//-----------------------------------------------------------------------------
-// Main loop of simulated tag: receive commands from reader, decide what
-// response to send, and send it.
-//-----------------------------------------------------------------------------
-void SimulateIso14443Tag(void)
-{
-       static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
-       static const uint8_t response1[] = {
-               0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
-               0x00, 0x21, 0x85, 0x5e, 0xd7
-       };
-
-       uint8_t *resp;
-       int respLen;
-
-       uint8_t *resp1 = BigBuf_get_addr() + 800;
-       int resp1Len;
-
-       uint8_t *receivedCmd = BigBuf_get_addr();
-       int len;
-
-       int i;
-
-       int cmdsRecvd = 0;
-
-       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-       memset(receivedCmd, 0x44, 400);
-
-       CodeIso14443bAsTag(response1, sizeof(response1));
-       memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
-
-       // We need to listen to the high-frequency, peak-detected path.
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-       FpgaSetupSsc();
-
-       cmdsRecvd = 0;
-
-       for(;;) {
-               uint8_t b1, b2;
-
-               if(!GetIso14443CommandFromReader(receivedCmd, &len, 100)) {
-               Dbprintf("button pressed, received %d commands", cmdsRecvd);
-               break;
-               }
-
-               // Good, look at the command now.
-
-               if(len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len)==0) {
-                       resp = resp1; respLen = resp1Len;
-               } else {
-                       Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
-                       // And print whether the CRC fails, just for good measure
-                       ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
-                       if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
-                               // Not so good, try again.
-                               DbpString("+++CRC fail");
-                       } else {
-                               DbpString("CRC passes");
-                       }
-                       break;
-               }
-
-               memset(receivedCmd, 0x44, 32);
-
-               cmdsRecvd++;
-
-               if(cmdsRecvd > 0x30) {
-                       DbpString("many commands later...");
-                       break;
-               }
-
-               if(respLen <= 0) continue;
-
-               // Modulate BPSK
-               // Signal field is off with the appropriate LED
-               LED_D_OFF();
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
-               AT91C_BASE_SSC->SSC_THR = 0xff;
-               FpgaSetupSsc();
-
-               // Transmit the response.
-               i = 0;
-               for(;;) {
-                       if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                               uint8_t b = resp[i];
-
-                               AT91C_BASE_SSC->SSC_THR = b;
-
-                               i++;
-                               if(i > respLen) {
-                                       break;
-                               }
-                       }
-                       if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                               volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
-                               (void)b;
-                       }
-               }
-       }
-}
-
-//=============================================================================
-// An ISO 14443 Type B reader. We take layer two commands, code them
-// appropriately, and then send them to the tag. We then listen for the
-// tag's response, which we leave in the buffer to be demodulated on the
-// PC side.
-//=============================================================================
-
-static struct {
-       enum {
-               DEMOD_UNSYNCD,
-               DEMOD_PHASE_REF_TRAINING,
-               DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
-               DEMOD_GOT_FALLING_EDGE_OF_SOF,
-               DEMOD_AWAITING_START_BIT,
-               DEMOD_RECEIVING_DATA,
-               DEMOD_ERROR_WAIT
-       }       state;
-       int     bitCount;
-       int     posCount;
-       int     thisBit;
-       int     metric;
-       int     metricN;
-       uint16_t    shiftReg;
-       uint8_t   *output;
-       int     len;
-       int     sumI;
-       int     sumQ;
-} Demod;
-
-/*
- * Handles reception of a bit from the tag
- *
- * LED handling:
- * LED C -> ON once we have received the SOF and are expecting the rest.
- * LED C -> OFF once we have received EOF or are unsynced
- *
- * Returns: true if we received a EOF
- *          false if we are still waiting for some more
- *
- */
-static RAMFUNC int Handle14443SamplesDemod(int ci, int cq)
-{
-       int v;
-
-       // The soft decision on the bit uses an estimate of just the
-       // quadrant of the reference angle, not the exact angle.
-#define MAKE_SOFT_DECISION() { \
-               if(Demod.sumI > 0) { \
-                       v = ci; \
-               } else { \
-                       v = -ci; \
-               } \
-               if(Demod.sumQ > 0) { \
-                       v += cq; \
-               } else { \
-                       v -= cq; \
-               } \
-       }
-
-       switch(Demod.state) {
-               case DEMOD_UNSYNCD:
-                       v = ci;
-                       if(v < 0) v = -v;
-                       if(cq > 0) {
-                               v += cq;
-                       } else {
-                               v -= cq;
-                       }
-                       if(v > 40) {
-                               Demod.posCount = 0;
-                               Demod.state = DEMOD_PHASE_REF_TRAINING;
-                               Demod.sumI = 0;
-                               Demod.sumQ = 0;
-                       }
-                       break;
-
-               case DEMOD_PHASE_REF_TRAINING:
-                       if(Demod.posCount < 8) {
-                               Demod.sumI += ci;
-                               Demod.sumQ += cq;
-                       } else if(Demod.posCount > 100) {
-                               // error, waited too long
-                               Demod.state = DEMOD_UNSYNCD;
-                       } else {
-                               MAKE_SOFT_DECISION();
-                               if(v < 0) {
-                                       Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
-                                       Demod.posCount = 0;
-                               }
-                       }
-                       Demod.posCount++;
-                       break;
-
-               case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
-                       MAKE_SOFT_DECISION();
-                       if(v < 0) {
-                               Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
-                               Demod.posCount = 0;
-                       } else {
-                               if(Demod.posCount > 100) {
-                                       Demod.state = DEMOD_UNSYNCD;
-                               }
-                       }
-                       Demod.posCount++;
-                       break;
-
-               case DEMOD_GOT_FALLING_EDGE_OF_SOF:
-                       MAKE_SOFT_DECISION();
-                       if(v > 0) {
-                               if(Demod.posCount < 12) {
-                                       Demod.state = DEMOD_UNSYNCD;
-                               } else {
-                                       LED_C_ON(); // Got SOF
-                                       Demod.state = DEMOD_AWAITING_START_BIT;
-                                       Demod.posCount = 0;
-                                       Demod.len = 0;
-                                       Demod.metricN = 0;
-                                       Demod.metric = 0;
-                               }
-                       } else {
-                               if(Demod.posCount > 100) {
-                                       Demod.state = DEMOD_UNSYNCD;
-                               }
-                       }
-                       Demod.posCount++;
-                       break;
-
-               case DEMOD_AWAITING_START_BIT:
-                       MAKE_SOFT_DECISION();
-                       if(v > 0) {
-                               if(Demod.posCount > 10) {
-                                       Demod.state = DEMOD_UNSYNCD;
-                               }
-                       } else {
-                               Demod.bitCount = 0;
-                               Demod.posCount = 1;
-                               Demod.thisBit = v;
-                               Demod.shiftReg = 0;
-                               Demod.state = DEMOD_RECEIVING_DATA;
-                       }
-                       break;
-
-               case DEMOD_RECEIVING_DATA:
-                       MAKE_SOFT_DECISION();
-                       if(Demod.posCount == 0) {
-                               Demod.thisBit = v;
-                               Demod.posCount = 1;
-                       } else {
-                               Demod.thisBit += v;
-
-                               if(Demod.thisBit > 0) {
-                                       Demod.metric += Demod.thisBit;
-                               } else {
-                                       Demod.metric -= Demod.thisBit;
-                               }
-                               (Demod.metricN)++;
-
-                               Demod.shiftReg >>= 1;
-                               if(Demod.thisBit > 0) {
-                                       Demod.shiftReg |= 0x200;
-                               }
-
-                               Demod.bitCount++;
-                               if(Demod.bitCount == 10) {
-                                       uint16_t s = Demod.shiftReg;
-                                       if((s & 0x200) && !(s & 0x001)) {
-                                               uint8_t b = (s >> 1);
-                                               Demod.output[Demod.len] = b;
-                                               Demod.len++;
-                                               Demod.state = DEMOD_AWAITING_START_BIT;
-                                       } else if(s == 0x000) {
-                                               // This is EOF
-                                               LED_C_OFF();
-                                               Demod.state = DEMOD_UNSYNCD;
-                                               return TRUE;
-                                       } else {
-                                               Demod.state = DEMOD_UNSYNCD;
-                                       }
-                               }
-                               Demod.posCount = 0;
-                       }
-                       break;
-
-               default:
-                       Demod.state = DEMOD_UNSYNCD;
-                       break;
-       }
-
-       if (Demod.state == DEMOD_UNSYNCD) LED_C_OFF(); // Not synchronized...
-       return FALSE;
-}
-static void DemodReset()
-{
-       // Clear out the state of the "UART" that receives from the tag.
-       Demod.len = 0;
-       Demod.state = DEMOD_UNSYNCD;
-       memset(Demod.output, 0x00, MAX_FRAME_SIZE);
-}
-static void DemodInit(uint8_t *data)
-{
-       Demod.output = data;
-       DemodReset();
-}
-
-static void UartReset()
-{
-       Uart.byteCntMax = MAX_FRAME_SIZE;
-       Uart.state = STATE_UNSYNCD;
-       Uart.byteCnt = 0;
-       Uart.bitCnt = 0;
-}
-static void UartInit(uint8_t *data)
-{
-       Uart.output = data;
-       UartReset();
-}
-
-/*
- *  Demodulate the samples we received from the tag, also log to tracebuffer
- *  weTx: set to 'TRUE' if we behave like a reader
- *        set to 'FALSE' if we behave like a snooper
- *  quiet: set to 'TRUE' to disable debug output
- */
-static void GetSamplesFor14443Demod(int weTx, int n, int quiet)
-{
-       int max = 0;
-       int gotFrame = FALSE;
-       int lastRxCounter, ci, cq, samples = 0;
-
-       // Allocate memory from BigBuf for some buffers
-       // free all previous allocations first
-       BigBuf_free();
-       
-       // The command (reader -> tag) that we're receiving.
-       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
-       
-       // The response (tag -> reader) that we're receiving.
-       uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
-       
-       // The DMA buffer, used to stream samples from the FPGA
-       uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
-
-       // Set up the demodulator for tag -> reader responses.
-       DemodInit(receivedResponse);
-       // Set up the demodulator for the reader -> tag commands
-       UartInit(receivedCmd);
-
-       // Setup and start DMA.
-       FpgaSetupSscDma(dmaBuf, DMA_BUFFER_SIZE);
-
-       uint8_t *upTo= dmaBuf;
-       lastRxCounter = DMA_BUFFER_SIZE;
-
-       // Signal field is ON with the appropriate LED:
-       if (weTx) LED_D_ON(); else LED_D_OFF();
-       // And put the FPGA in the appropriate mode
-       FpgaWriteConfWord(
-               FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
-               (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
-
-       for(;;) {
-               int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
-               if(behindBy > max) max = behindBy;
-
-               while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (DMA_BUFFER_SIZE-1))
-                                       > 2)
-               {
-                       ci = upTo[0];
-                       cq = upTo[1];
-                       upTo += 2;
-                       if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
-                               upTo -= DMA_BUFFER_SIZE;
-                               AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
-                               AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
-                       }
-                       lastRxCounter -= 2;
-                       if(lastRxCounter <= 0) {
-                               lastRxCounter += DMA_BUFFER_SIZE;
-                       }
-
-                       samples += 2;
-
-                       Handle14443UartBit(1);
-                       Handle14443UartBit(1);
-
-                       if(Handle14443SamplesDemod(ci, cq)) {
-                               gotFrame = 1;
-                       }
-               }
-
-               if(samples > 2000) {
-                       break;
-               }
-       }
-       AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
-       if (!quiet) Dbprintf("%x %x %x", max, gotFrame, Demod.len);
-       //Tracing
-       if (tracing && Demod.len > 0) {
-               uint8_t parity[MAX_PARITY_SIZE];
-               GetParity(Demod.output , Demod.len, parity);
-               LogTrace(Demod.output,Demod.len, 0, 0, parity, FALSE);
-       }
-}
-
-//-----------------------------------------------------------------------------
-// Read the tag's response. We just receive a stream of slightly-processed
-// samples from the FPGA, which we will later do some signal processing on,
-// to get the bits.
-//-----------------------------------------------------------------------------
-/*static void GetSamplesFor14443(int weTx, int n)
-{
-       uint8_t *dest = (uint8_t *)BigBuf;
-       int c;
-
-       FpgaWriteConfWord(
-               FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
-               (weTx ? 0 : FPGA_HF_READER_RX_XCORR_SNOOP));
-
-       c = 0;
-       for(;;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0x43;
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       int8_t b;
-                       b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
-
-                       dest[c++] = (uint8_t)b;
-
-                       if(c >= n) {
-                               break;
-                       }
-               }
-       }
-}*/
-
-//-----------------------------------------------------------------------------
-// Transmit the command (to the tag) that was placed in ToSend[].
-//-----------------------------------------------------------------------------
-static void TransmitFor14443(void)
-{
-       int c;
-
-       FpgaSetupSsc();
-
-       while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-               AT91C_BASE_SSC->SSC_THR = 0xff;
-       }
-
-       // Signal field is ON with the appropriate Red LED
-       LED_D_ON();
-       // Signal we are transmitting with the Green LED
-       LED_B_ON();
-       FpgaWriteConfWord(
-               FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
-
-       for(c = 0; c < 10;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = 0xff;
-                       c++;
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-                       (void)r;
-               }
-               WDT_HIT();
-       }
-
-       c = 0;
-       for(;;) {
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
-                       AT91C_BASE_SSC->SSC_THR = ToSend[c];
-                       c++;
-                       if(c >= ToSendMax) {
-                               break;
-                       }
-               }
-               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
-                       volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
-                       (void)r;
-               }
-               WDT_HIT();
-       }
-       LED_B_OFF(); // Finished sending
-}
-
-//-----------------------------------------------------------------------------
-// Code a layer 2 command (string of octets, including CRC) into ToSend[],
-// so that it is ready to transmit to the tag using TransmitFor14443().
-//-----------------------------------------------------------------------------
-static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
-{
-       int i, j;
-       uint8_t b;
-
-       ToSendReset();
-
-       // Establish initial reference level
-       for(i = 0; i < 40; i++) {
-               ToSendStuffBit(1);
-       }
-       // Send SOF
-       for(i = 0; i < 10; i++) {
-               ToSendStuffBit(0);
-       }
-
-       for(i = 0; i < len; i++) {
-               // Stop bits/EGT
-               ToSendStuffBit(1);
-               ToSendStuffBit(1);
-               // Start bit
-               ToSendStuffBit(0);
-               // Data bits
-               b = cmd[i];
-               for(j = 0; j < 8; j++) {
-                       if(b & 1) {
-                               ToSendStuffBit(1);
-                       } else {
-                               ToSendStuffBit(0);
-                       }
-                       b >>= 1;
-               }
-       }
-       // Send EOF
-       ToSendStuffBit(1);
-       for(i = 0; i < 10; i++) {
-               ToSendStuffBit(0);
-       }
-       for(i = 0; i < 8; i++) {
-               ToSendStuffBit(1);
-       }
-
-       // And then a little more, to make sure that the last character makes
-       // it out before we switch to rx mode.
-       for(i = 0; i < 24; i++) {
-               ToSendStuffBit(1);
-       }
-
-       // Convert from last character reference to length
-       ToSendMax++;
-}
-
-//-----------------------------------------------------------------------------
-// Read an ISO 14443 tag. We send it some set of commands, and record the
-// responses.
-// The command name is misleading, it actually decodes the reponse in HEX
-// into the output buffer (read the result using hexsamples, not hisamples)
-//
-// obsolete function only for test
-//-----------------------------------------------------------------------------
-void AcquireRawAdcSamplesIso14443(uint32_t parameter)
-{
-       uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
-
-       SendRawCommand14443B(sizeof(cmd1),1,1,cmd1);
-}
-
-/**
-  Convenience function to encode, transmit and trace iso 14443b comms
-  **/
-static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
-{
-       CodeIso14443bAsReader(cmd, len);
-       TransmitFor14443();
-       if (tracing) {
-               uint8_t parity[MAX_PARITY_SIZE];
-               GetParity(cmd, len, parity);
-               LogTrace(cmd,len, 0, 0, parity, TRUE);
-       }
-}
-
-//-----------------------------------------------------------------------------
-// Read a SRI512 ISO 14443 tag.
-//
-// SRI512 tags are just simple memory tags, here we're looking at making a dump
-// of the contents of the memory. No anticollision algorithm is done, we assume
-// we have a single tag in the field.
-//
-// I tried to be systematic and check every answer of the tag, every CRC, etc...
-//-----------------------------------------------------------------------------
-void ReadSTMemoryIso14443(uint32_t dwLast)
-{
-       clear_trace();
-       set_tracing(TRUE);
-
-       uint8_t i = 0x00;
-
-       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-       // Make sure that we start from off, since the tags are stateful;
-       // confusing things will happen if we don't reset them between reads.
-       LED_D_OFF();
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
-
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-       FpgaSetupSsc();
-
-       // Now give it time to spin up.
-       // Signal field is on with the appropriate LED
-       LED_D_ON();
-       FpgaWriteConfWord(
-               FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
-       SpinDelay(200);
-
-       // First command: wake up the tag using the INITIATE command
-       uint8_t cmd1[] = { 0x06, 0x00, 0x97, 0x5b};
-
-       CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-//    LED_A_ON();
-       GetSamplesFor14443Demod(TRUE, 2000,TRUE);
-//    LED_A_OFF();
-
-       if (Demod.len == 0) {
-       DbpString("No response from tag");
-       return;
-       } else {
-       Dbprintf("Randomly generated UID from tag (+ 2 byte CRC): %x %x %x",
-               Demod.output[0], Demod.output[1],Demod.output[2]);
-       }
-       // There is a response, SELECT the uid
-       DbpString("Now SELECT tag:");
-       cmd1[0] = 0x0E; // 0x0E is SELECT
-       cmd1[1] = Demod.output[0];
-       ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
-       CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-
-//    LED_A_ON();
-       GetSamplesFor14443Demod(TRUE, 2000,TRUE);
-//    LED_A_OFF();
-       if (Demod.len != 3) {
-       Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
-       return;
-       }
-       // Check the CRC of the answer:
-       ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
-       if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
-       DbpString("CRC Error reading select response.");
-       return;
-       }
-       // Check response from the tag: should be the same UID as the command we just sent:
-       if (cmd1[1] != Demod.output[0]) {
-       Dbprintf("Bad response to SELECT from Tag, aborting: %x %x", cmd1[1], Demod.output[0]);
-       return;
-       }
-       // Tag is now selected,
-       // First get the tag's UID:
-       cmd1[0] = 0x0B;
-       ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
-       CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
-
-//    LED_A_ON();
-       GetSamplesFor14443Demod(TRUE, 2000,TRUE);
-//    LED_A_OFF();
-       if (Demod.len != 10) {
-       Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
-       return;
-       }
-       // The check the CRC of the answer (use cmd1 as temporary variable):
-       ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
-                  if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
-       Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
-               (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
-       // Do not return;, let's go on... (we should retry, maybe ?)
-       }
-       Dbprintf("Tag UID (64 bits): %08x %08x",
-       (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
-       (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
-
-       // Now loop to read all 16 blocks, address from 0 to last block
-       Dbprintf("Tag memory dump, block 0 to %d",dwLast);
-       cmd1[0] = 0x08;
-       i = 0x00;
-       dwLast++;
-       for (;;) {
-                  if (i == dwLast) {
-                       DbpString("System area block (0xff):");
-                       i = 0xff;
-               }
-               cmd1[1] = i;
-               ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
-               CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
-
-//         LED_A_ON();
-               GetSamplesFor14443Demod(TRUE, 2000,TRUE);
-//         LED_A_OFF();
-               if (Demod.len != 6) { // Check if we got an answer from the tag
-               DbpString("Expected 6 bytes from tag, got less...");
-               return;
-               }
-               // The check the CRC of the answer (use cmd1 as temporary variable):
-               ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
-                       if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
-               Dbprintf("CRC Error reading block! - Below: expected, got %x %x",
-                       (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
-               // Do not return;, let's go on... (we should retry, maybe ?)
-               }
-               // Now print out the memory location:
-               Dbprintf("Address=%x, Contents=%x, CRC=%x", i,
-               (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
-               (Demod.output[4]<<8)+Demod.output[5]);
-               if (i == 0xff) {
-               break;
-               }
-               i++;
-       }
-}
-
-
-//=============================================================================
-// Finally, the `sniffer' combines elements from both the reader and
-// simulated tag, to show both sides of the conversation.
-//=============================================================================
-
-//-----------------------------------------------------------------------------
-// Record the sequence of commands sent by the reader to the tag, with
-// triggering so that we start recording at the point that the tag is moved
-// near the reader.
-//-----------------------------------------------------------------------------
-/*
- * Memory usage for this function, (within BigBuf)
- * 0-4095 : Demodulated samples receive (4096 bytes) - DEMOD_TRACE_SIZE
- * 4096-6143 : Last Received command, 2048 bytes (reader->tag) - READER_TAG_BUFFER_SIZE
- * 6144-8191 : Last Received command, 2048 bytes(tag->reader) - TAG_READER_BUFFER_SIZE
- * 8192-9215 : DMA Buffer, 1024 bytes (samples) - DEMOD_DMA_BUFFER_SIZE
- */
-void RAMFUNC SnoopIso14443(void)
-{
-       // We won't start recording the frames that we acquire until we trigger;
-       // a good trigger condition to get started is probably when we see a
-       // response from the tag.
-       int triggered = TRUE;
-
-       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-       BigBuf_free();
-
-       clear_trace();
-       set_tracing(TRUE);
-
-       // The DMA buffer, used to stream samples from the FPGA
-       uint8_t *dmaBuf = BigBuf_malloc(DMA_BUFFER_SIZE);
-       int lastRxCounter;
-       uint8_t *upTo;
-       int ci, cq;
-       int maxBehindBy = 0;
-
-       // Count of samples received so far, so that we can include timing
-       // information in the trace buffer.
-       int samples = 0;
-
-       DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
-       UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
-
-       // Print some debug information about the buffer sizes
-       Dbprintf("Snooping buffers initialized:");
-       Dbprintf("  Trace: %i bytes", BigBuf_max_traceLen());
-       Dbprintf("  Reader -> tag: %i bytes", MAX_FRAME_SIZE);
-       Dbprintf("  tag -> Reader: %i bytes", MAX_FRAME_SIZE);
-       Dbprintf("  DMA: %i bytes", DMA_BUFFER_SIZE);
-
-       // Signal field is off with the appropriate LED
-       LED_D_OFF();
-
-       // And put the FPGA in the appropriate mode
-       FpgaWriteConfWord(
-               FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ |
-               FPGA_HF_READER_RX_XCORR_SNOOP);
-       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
-       // Setup for the DMA.
-       FpgaSetupSsc();
-       upTo = dmaBuf;
-       lastRxCounter = DMA_BUFFER_SIZE;
-       FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
-       uint8_t parity[MAX_PARITY_SIZE];
-       LED_A_ON();
-               
-       // And now we loop, receiving samples.
-       for(;;) {
-               int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
-                                                               (DMA_BUFFER_SIZE-1);
-               if(behindBy > maxBehindBy) {
-                       maxBehindBy = behindBy;
-                       if(behindBy > (9*DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
-                               Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
-                               break;
-                       }
-               }
-               if(behindBy < 2) continue;
-
-               ci = upTo[0];
-               cq = upTo[1];
-               upTo += 2;
-               lastRxCounter -= 2;
-               if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
-                       upTo -= DMA_BUFFER_SIZE;
-                       lastRxCounter += DMA_BUFFER_SIZE;
-                       AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
-                       AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
-               }
-
-               samples += 2;
-
-               if(Handle14443UartBit(ci & 1)) {
-                       if(triggered && tracing) {
-                               GetParity(Uart.output, Uart.byteCnt, parity);
-                               LogTrace(Uart.output,Uart.byteCnt,samples, samples,parity,TRUE);
-                       }
-                       if(Uart.byteCnt==0) Dbprintf("[1] Error, Uart.byteCnt==0, Uart.bitCnt=%d", Uart.bitCnt);
-
-                       /* And ready to receive another command. */
-                       UartReset();
-                       /* And also reset the demod code, which might have been */
-                       /* false-triggered by the commands from the reader. */
-                       DemodReset();
-               }
-               if(Handle14443UartBit(cq & 1)) {
-                       if(triggered && tracing) {
-                               GetParity(Uart.output, Uart.byteCnt, parity);
-                               LogTrace(Uart.output,Uart.byteCnt,samples, samples,parity,TRUE);
-                       }
-                       if(Uart.byteCnt==0) Dbprintf("[2] Error, Uart.byteCnt==0, Uart.bitCnt=%d", Uart.bitCnt);
-
-                       /* And ready to receive another command. */
-                       UartReset();
-                       /* And also reset the demod code, which might have been */
-                       /* false-triggered by the commands from the reader. */
-                       DemodReset();
-               }
-
-               if(Handle14443SamplesDemod(ci, cq)) {
-
-                       //Use samples as a time measurement
-                       if(tracing)
-                       {
-                               uint8_t parity[MAX_PARITY_SIZE];
-                               GetParity(Demod.output, Demod.len, parity);
-                               LogTrace(Demod.output,Demod.len,samples, samples,parity,FALSE);
-                       }
-                       triggered = TRUE;
-                       LED_A_OFF();
-                       LED_B_ON();
-
-                       // And ready to receive another response.
-                       DemodReset();
-               }
-               WDT_HIT();
-
-               if(!tracing) {
-                       DbpString("Reached trace limit");
-                       break;
-               }
-
-               if(BUTTON_PRESS()) {
-                       DbpString("cancelled");
-                       break;
-               }
-       }
-       FpgaDisableSscDma();
-       LED_A_OFF();
-       LED_B_OFF();
-       LED_C_OFF();
-       AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
-       DbpString("Snoop statistics:");
-       Dbprintf("  Max behind by: %i", maxBehindBy);
-       Dbprintf("  Uart State: %x", Uart.state);
-       Dbprintf("  Uart ByteCnt: %i", Uart.byteCnt);
-       Dbprintf("  Uart ByteCntMax: %i", Uart.byteCntMax);
-       Dbprintf("  Trace length: %i", BigBuf_get_traceLen());
-}
-
-/*
- * Send raw command to tag ISO14443B
- * @Input
- * datalen     len of buffer data
- * recv        bool when true wait for data from tag and send to client
- * powerfield  bool leave the field on when true
- * data        buffer with byte to send
- *
- * @Output
- * none
- *
- */
-
-void SendRawCommand14443B(uint32_t datalen, uint32_t recv,uint8_t powerfield, uint8_t data[])
-{
-       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-       if(!powerfield)
-       {
-               // Make sure that we start from off, since the tags are stateful;
-               // confusing things will happen if we don't reset them between reads.
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-               LED_D_OFF();
-               SpinDelay(200);
-       }
-
-       if(!GETBIT(GPIO_LED_D))
-       {
-               SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-               FpgaSetupSsc();
-
-               // Now give it time to spin up.
-               // Signal field is on with the appropriate LED
-               LED_D_ON();
-               FpgaWriteConfWord(
-                       FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
-               SpinDelay(200);
-       }
-
-       CodeAndTransmit14443bAsReader(data, datalen);
-
-       if(recv)
-       {
-               uint16_t iLen = MIN(Demod.len,USB_CMD_DATA_SIZE);
-               GetSamplesFor14443Demod(TRUE, 2000, TRUE);
-               cmd_send(CMD_ACK,iLen,0,0,Demod.output,iLen);
-       }
-       if(!powerfield)
-       {
-               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-               LED_D_OFF();
-       }
-}
-
index 81cb9728ff52cf216b3b977d682a696ae6fb50c9..a4e5ceaf1ece9ea5bc57eeade9c2ed77aa1ccc5e 100644 (file)
@@ -555,12 +555,8 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
        
        LEDsoff();
 
-       // We won't start recording the frames that we acquire until we trigger;
-       // a good trigger condition to get started is probably when we see a
-       // response from the tag.
-       // triggered == FALSE -- to wait first for card
-       bool triggered = !(param & 0x03); 
-       
+       iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+
        // Allocate memory from BigBuf for some buffers
        // free all previous allocations first
        BigBuf_free();
@@ -587,8 +583,6 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
        bool TagIsActive = FALSE;
        bool ReaderIsActive = FALSE;
        
-       iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
-
        // Set up the demodulator for tag -> reader responses.
        DemodInit(receivedResponse, receivedResponsePar);
        
@@ -598,6 +592,12 @@ void RAMFUNC SnoopIso14443a(uint8_t param) {
        // Setup and start DMA.
        FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
        
+       // We won't start recording the frames that we acquire until we trigger;
+       // a good trigger condition to get started is probably when we see a
+       // response from the tag.
+       // triggered == FALSE -- to wait first for card
+       bool triggered = !(param & 0x03); 
+       
        // And now we loop, receiving samples.
        for(uint32_t rsamples = 0; TRUE; ) {
 
@@ -1033,6 +1033,9 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
                .modulation_n = 0
        };
   
+       // We need to listen to the high-frequency, peak-detected path.
+       iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
        BigBuf_free_keep_EM();
 
        // allocate buffers:
@@ -1061,9 +1064,6 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
        int happened2 = 0;
        int cmdsRecvd = 0;
 
-       // We need to listen to the high-frequency, peak-detected path.
-       iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
        cmdsRecvd = 0;
        tag_response_info_t* p_response;
 
@@ -2010,7 +2010,7 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
                nttmp1 = prng_successor(nttmp1, 1);
                if (nttmp1 == nt2) return i;
                nttmp2 = prng_successor(nttmp2, 1);
-                       if (nttmp2 == nt1) return -i;
+               if (nttmp2 == nt1) return -i;
                }
        
        return(-99999); // either nt1 or nt2 are invalid nonces
@@ -2033,6 +2033,10 @@ void ReaderMifare(bool first_try)
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
 
+       if (first_try) { 
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+       }
+       
        // free eventually allocated BigBuf memory. We want all for tracing.
        BigBuf_free();
        
@@ -2061,7 +2065,6 @@ void ReaderMifare(bool first_try)
 
        if (first_try) { 
                mf_nr_ar3 = 0;
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
                sync_time = GetCountSspClk() & 0xfffffff8;
                sync_cycles = 65536;                                                                    // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
                nt_attacked = 0;
@@ -2079,18 +2082,21 @@ void ReaderMifare(bool first_try)
        LED_B_OFF();
        LED_C_OFF();
        
-  
+
+       #define DARKSIDE_MAX_TRIES      32              // number of tries to sync on PRNG cycle. Then give up.
+       uint16_t unsuccessfull_tries = 0;
+       
        for(uint16_t i = 0; TRUE; i++) {
                
+               LED_C_ON();
                WDT_HIT();
 
                // Test if the action was cancelled
                if(BUTTON_PRESS()) {
+                       isOK = -1;
                        break;
                }
                
-               LED_C_ON();
-
                if(!iso14443a_select_card(uid, NULL, &cuid)) {
                        if (MF_DBGLEVEL >= 1)   Dbprintf("Mifare: Can't select card");
                        continue;
@@ -2125,8 +2131,14 @@ void ReaderMifare(bool first_try)
                                nt_attacked = nt;
                        }
                        else {
-                               if (nt_distance == -99999) { // invalid nonce received, try again
-                                       continue;
+                               if (nt_distance == -99999) { // invalid nonce received
+                                       unsuccessfull_tries++;
+                                       if (!nt_attacked && unsuccessfull_tries > DARKSIDE_MAX_TRIES) {
+                                               isOK = -3;              // Card has an unpredictable PRNG. Give up      
+                                               break;
+                                       } else {
+                                               continue;               // continue trying...
+                                       }
                                }
                                sync_cycles = (sync_cycles - nt_distance);
                                if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
@@ -2188,6 +2200,10 @@ void ReaderMifare(bool first_try)
                        if (nt_diff == 0 && first_try)
                        {
                                par[0]++;
+                               if (par[0] == 0x00) {           // tried all 256 possible parities without success. Card doesn't send NACK.
+                                       isOK = -2;
+                                       break;
+                               }
                        } else {
                                par[0] = ((par[0] & 0x1F) + 1) | par_low;
                        }
@@ -2204,7 +2220,7 @@ void ReaderMifare(bool first_try)
        memcpy(buf + 16, ks_list, 8);
        memcpy(buf + 24, mf_nr_ar, 4);
                
-       cmd_send(CMD_ACK,isOK,0,0,buf,28);
+       cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
 
        // Thats it...
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
@@ -2265,13 +2281,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
        uint8_t ar_nr_collected = 0;
 
-       // free eventually allocated BigBuf memory but keep Emulator Memory
-       BigBuf_free_keep_EM();
-
-       // clear trace
-       clear_trace();
-       set_tracing(TRUE);
-
        // Authenticate response - nonce
        uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
        
@@ -2309,13 +2318,10 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        if (_7BUID) {
                rATQA[0] = 0x44;
                rUIDBCC1[0] = 0x88;
+               rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
                rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
        }
 
-       // We need to listen to the high-frequency, peak-detected path.
-       iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
-
        if (MF_DBGLEVEL >= 1)   {
                if (!_7BUID) {
                        Dbprintf("4B UID: %02x%02x%02x%02x", 
@@ -2327,6 +2333,17 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
+       // We need to listen to the high-frequency, peak-detected path.
+       iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+       // free eventually allocated BigBuf memory but keep Emulator Memory
+       BigBuf_free_keep_EM();
+
+       // clear trace
+       clear_trace();
+       set_tracing(TRUE);
+
+
        bool finished = FALSE;
        while (!BUTTON_PRESS() && !finished) {
                WDT_HIT();
@@ -2548,13 +2565,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                || receivedCmd[0] == 0xB0) { // transfer
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                                break;
                                        }
 
                                        if (receivedCmd[1] / 4 != cardAUTHSC) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
+                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
                                                break;
                                        }
                                }
@@ -2745,10 +2762,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
        uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
        uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
 
-       // As we receive stuff, we copy it from receivedCmd or receivedResponse
-       // into trace, along with its length and other annotations.
-       //uint8_t *trace = (uint8_t *)BigBuf;
-       
+       iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+
        // free eventually allocated BigBuf memory
        BigBuf_free();
        // allocate the DMA buffer, used to stream samples from the FPGA
@@ -2760,8 +2775,6 @@ void RAMFUNC SniffMifare(uint8_t param) {
        bool ReaderIsActive = FALSE;
        bool TagIsActive = FALSE;
 
-       iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
-
        // Set up the demodulator for tag -> reader responses.
        DemodInit(receivedResponse, receivedResponsePar);
 
diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c
new file mode 100644 (file)
index 0000000..33c047d
--- /dev/null
@@ -0,0 +1,1218 @@
+//-----------------------------------------------------------------------------
+// Jonathan Westhues, split Nov 2006
+//
+// This code is licensed to you under the terms of the GNU GPL, version 2 or,
+// at your option, any later version. See the LICENSE.txt file for the text of
+// the license.
+//-----------------------------------------------------------------------------
+// Routines to support ISO 14443B. This includes both the reader software and
+// the `fake tag' modes.
+//-----------------------------------------------------------------------------
+
+#include "proxmark3.h"
+#include "apps.h"
+#include "util.h"
+#include "string.h"
+
+#include "iso14443crc.h"
+
+#define RECEIVE_SAMPLES_TIMEOUT 2000
+#define ISO14443B_DMA_BUFFER_SIZE 256
+
+//=============================================================================
+// An ISO 14443 Type B tag. We listen for commands from the reader, using
+// a UART kind of thing that's implemented in software. When we get a
+// frame (i.e., a group of bytes between SOF and EOF), we check the CRC.
+// If it's good, then we can do something appropriate with it, and send
+// a response.
+//=============================================================================
+
+//-----------------------------------------------------------------------------
+// Code up a string of octets at layer 2 (including CRC, we don't generate
+// that here) so that they can be transmitted to the reader. Doesn't transmit
+// them yet, just leaves them ready to send in ToSend[].
+//-----------------------------------------------------------------------------
+static void CodeIso14443bAsTag(const uint8_t *cmd, int len)
+{
+       int i;
+
+       ToSendReset();
+
+       // Transmit a burst of ones, as the initial thing that lets the
+       // reader get phase sync. This (TR1) must be > 80/fs, per spec,
+       // but tag that I've tried (a Paypass) exceeds that by a fair bit,
+       // so I will too.
+       for(i = 0; i < 20; i++) {
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+       }
+
+       // Send SOF.
+       for(i = 0; i < 10; i++) {
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+       }
+       for(i = 0; i < 2; i++) {
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+       }
+
+       for(i = 0; i < len; i++) {
+               int j;
+               uint8_t b = cmd[i];
+
+               // Start bit
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+
+               // Data bits
+               for(j = 0; j < 8; j++) {
+                       if(b & 1) {
+                               ToSendStuffBit(1);
+                               ToSendStuffBit(1);
+                               ToSendStuffBit(1);
+                               ToSendStuffBit(1);
+                       } else {
+                               ToSendStuffBit(0);
+                               ToSendStuffBit(0);
+                               ToSendStuffBit(0);
+                               ToSendStuffBit(0);
+                       }
+                       b >>= 1;
+               }
+
+               // Stop bit
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+       }
+
+       // Send EOF.
+       for(i = 0; i < 10; i++) {
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+               ToSendStuffBit(0);
+       }
+       for(i = 0; i < 2; i++) {
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+       }
+
+       // Convert from last byte pos to length
+       ToSendMax++;
+}
+
+//-----------------------------------------------------------------------------
+// The software UART that receives commands from the reader, and its state
+// variables.
+//-----------------------------------------------------------------------------
+static struct {
+       enum {
+               STATE_UNSYNCD,
+               STATE_GOT_FALLING_EDGE_OF_SOF,
+               STATE_AWAITING_START_BIT,
+               STATE_RECEIVING_DATA
+       }       state;
+       uint16_t    shiftReg;
+       int     bitCnt;
+       int     byteCnt;
+       int     byteCntMax;
+       int     posCnt;
+       uint8_t   *output;
+} Uart;
+
+/* Receive & handle a bit coming from the reader.
+ *
+ * This function is called 4 times per bit (every 2 subcarrier cycles).
+ * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 2,36us
+ *
+ * LED handling:
+ * LED A -> ON once we have received the SOF and are expecting the rest.
+ * LED A -> OFF once we have received EOF or are in error state or unsynced
+ *
+ * Returns: true if we received a EOF
+ *          false if we are still waiting for some more
+ */
+static RAMFUNC int Handle14443bUartBit(uint8_t bit)
+{
+       switch(Uart.state) {
+               case STATE_UNSYNCD:
+                       if(!bit) {
+                               // we went low, so this could be the beginning
+                               // of an SOF
+                               Uart.state = STATE_GOT_FALLING_EDGE_OF_SOF;
+                               Uart.posCnt = 0;
+                               Uart.bitCnt = 0;
+                       }
+                       break;
+
+               case STATE_GOT_FALLING_EDGE_OF_SOF:
+                       Uart.posCnt++;
+                       if(Uart.posCnt == 2) {  // sample every 4 1/fs in the middle of a bit
+                               if(bit) {
+                                       if(Uart.bitCnt > 9) {
+                                               // we've seen enough consecutive
+                                               // zeros that it's a valid SOF
+                                               Uart.posCnt = 0;
+                                               Uart.byteCnt = 0;
+                                               Uart.state = STATE_AWAITING_START_BIT;
+                                               LED_A_ON(); // Indicate we got a valid SOF
+                                       } else {
+                                               // didn't stay down long enough
+                                               // before going high, error
+                                               Uart.state = STATE_UNSYNCD;
+                                       }
+                               } else {
+                                       // do nothing, keep waiting
+                               }
+                               Uart.bitCnt++;
+                       }
+                       if(Uart.posCnt >= 4) Uart.posCnt = 0;
+                       if(Uart.bitCnt > 12) {
+                               // Give up if we see too many zeros without
+                               // a one, too.
+                               LED_A_OFF();
+                               Uart.state = STATE_UNSYNCD;
+                       }
+                       break;
+
+               case STATE_AWAITING_START_BIT:
+                       Uart.posCnt++;
+                       if(bit) {
+                               if(Uart.posCnt > 50/2) {        // max 57us between characters = 49 1/fs, max 3 etus after low phase of SOF = 24 1/fs
+                                       // stayed high for too long between
+                                       // characters, error
+                                       Uart.state = STATE_UNSYNCD;
+                               }
+                       } else {
+                               // falling edge, this starts the data byte
+                               Uart.posCnt = 0;
+                               Uart.bitCnt = 0;
+                               Uart.shiftReg = 0;
+                               Uart.state = STATE_RECEIVING_DATA;
+                       }
+                       break;
+
+               case STATE_RECEIVING_DATA:
+                       Uart.posCnt++;
+                       if(Uart.posCnt == 2) {
+                               // time to sample a bit
+                               Uart.shiftReg >>= 1;
+                               if(bit) {
+                                       Uart.shiftReg |= 0x200;
+                               }
+                               Uart.bitCnt++;
+                       }
+                       if(Uart.posCnt >= 4) {
+                               Uart.posCnt = 0;
+                       }
+                       if(Uart.bitCnt == 10) {
+                               if((Uart.shiftReg & 0x200) && !(Uart.shiftReg & 0x001))
+                               {
+                                       // this is a data byte, with correct
+                                       // start and stop bits
+                                       Uart.output[Uart.byteCnt] = (Uart.shiftReg >> 1) & 0xff;
+                                       Uart.byteCnt++;
+
+                                       if(Uart.byteCnt >= Uart.byteCntMax) {
+                                               // Buffer overflowed, give up
+                                               LED_A_OFF();
+                                               Uart.state = STATE_UNSYNCD;
+                                       } else {
+                                               // so get the next byte now
+                                               Uart.posCnt = 0;
+                                               Uart.state = STATE_AWAITING_START_BIT;
+                                       }
+                               } else if (Uart.shiftReg == 0x000) {
+                                       // this is an EOF byte
+                                       LED_A_OFF(); // Finished receiving
+                                       Uart.state = STATE_UNSYNCD;
+                                       if (Uart.byteCnt != 0) {
+                                               return TRUE;
+                                       }
+                               } else {
+                                       // this is an error
+                                       LED_A_OFF();
+                                       Uart.state = STATE_UNSYNCD;
+                               }
+                       }
+                       break;
+
+               default:
+                       LED_A_OFF();
+                       Uart.state = STATE_UNSYNCD;
+                       break;
+       }
+
+       return FALSE;
+}
+
+
+static void UartReset()
+{
+       Uart.byteCntMax = MAX_FRAME_SIZE;
+       Uart.state = STATE_UNSYNCD;
+       Uart.byteCnt = 0;
+       Uart.bitCnt = 0;
+}
+
+
+static void UartInit(uint8_t *data)
+{
+       Uart.output = data;
+       UartReset();
+}
+
+
+//-----------------------------------------------------------------------------
+// Receive a command (from the reader to us, where we are the simulated tag),
+// and store it in the given buffer, up to the given maximum length. Keeps
+// spinning, waiting for a well-framed command, until either we get one
+// (returns TRUE) or someone presses the pushbutton on the board (FALSE).
+//
+// Assume that we're called with the SSC (to the FPGA) and ADC path set
+// correctly.
+//-----------------------------------------------------------------------------
+static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len)
+{
+       // Set FPGA mode to "simulated ISO 14443B tag", no modulation (listen
+       // only, since we are receiving, not transmitting).
+       // Signal field is off with the appropriate LED
+       LED_D_OFF();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
+
+       // Now run a `software UART' on the stream of incoming samples.
+       UartInit(received);
+
+       for(;;) {
+               WDT_HIT();
+
+               if(BUTTON_PRESS()) return FALSE;
+
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+                       uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+                       for(uint8_t mask = 0x80; mask != 0x00; mask >>= 1) {
+                               if(Handle14443bUartBit(b & mask)) {
+                                       *len = Uart.byteCnt;
+                                       return TRUE;
+                               }
+                       }
+               }
+       }
+       
+       return FALSE;
+}
+
+//-----------------------------------------------------------------------------
+// Main loop of simulated tag: receive commands from reader, decide what
+// response to send, and send it.
+//-----------------------------------------------------------------------------
+void SimulateIso14443bTag(void)
+{
+       // the only commands we understand is REQB, AFI=0, Select All, N=0:
+       static const uint8_t cmd1[] = { 0x05, 0x00, 0x08, 0x39, 0x73 };
+       // ... and REQB, AFI=0, Normal Request, N=0:
+       static const uint8_t cmd2[] = { 0x05, 0x00, 0x00, 0x71, 0xFF };
+
+       // ... and we always respond with ATQB, PUPI = 820de174, Application Data = 0x20381922,
+       // supports only 106kBit/s in both directions, max frame size = 32Bytes,
+       // supports ISO14443-4, FWI=8 (77ms), NAD supported, CID not supported:
+       static const uint8_t response1[] = {
+               0x50, 0x82, 0x0d, 0xe1, 0x74, 0x20, 0x38, 0x19, 0x22,
+               0x00, 0x21, 0x85, 0x5e, 0xd7
+       };
+
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+
+       clear_trace();
+       set_tracing(TRUE);
+
+       const uint8_t *resp;
+       uint8_t *respCode;
+       uint16_t respLen, respCodeLen;
+
+       // allocate command receive buffer
+       BigBuf_free();
+       uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
+
+       uint16_t len;
+       uint16_t cmdsRecvd = 0;
+
+       // prepare the (only one) tag answer:
+       CodeIso14443bAsTag(response1, sizeof(response1));
+       uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
+       memcpy(resp1Code, ToSend, ToSendMax); 
+       uint16_t resp1CodeLen = ToSendMax;
+
+       // We need to listen to the high-frequency, peak-detected path.
+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+       FpgaSetupSsc();
+
+       cmdsRecvd = 0;
+
+       for(;;) {
+
+               if(!GetIso14443bCommandFromReader(receivedCmd, &len)) {
+                       Dbprintf("button pressed, received %d commands", cmdsRecvd);
+                       break;
+               }
+
+               if (tracing) {
+                       uint8_t parity[MAX_PARITY_SIZE];
+                       LogTrace(receivedCmd, len, 0, 0, parity, TRUE);
+               }
+
+               // Good, look at the command now.
+               if ( (len == sizeof(cmd1) && memcmp(receivedCmd, cmd1, len) == 0)
+                       || (len == sizeof(cmd2) && memcmp(receivedCmd, cmd2, len) == 0) ) {
+                       resp = response1; 
+                       respLen = sizeof(response1);
+                       respCode = resp1Code; 
+                       respCodeLen = resp1CodeLen;
+               } else {
+                       Dbprintf("new cmd from reader: len=%d, cmdsRecvd=%d", len, cmdsRecvd);
+                       // And print whether the CRC fails, just for good measure
+                       uint8_t b1, b2;
+                       ComputeCrc14443(CRC_14443_B, receivedCmd, len-2, &b1, &b2);
+                       if(b1 != receivedCmd[len-2] || b2 != receivedCmd[len-1]) {
+                               // Not so good, try again.
+                               DbpString("+++CRC fail");
+                       } else {
+                               DbpString("CRC passes");
+                       }
+                       break;
+               }
+
+               cmdsRecvd++;
+
+               if(cmdsRecvd > 0x30) {
+                       DbpString("many commands later...");
+                       break;
+               }
+
+               if(respCodeLen <= 0) continue;
+
+               // Modulate BPSK
+               // Signal field is off with the appropriate LED
+               LED_D_OFF();
+               FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
+               AT91C_BASE_SSC->SSC_THR = 0xff;
+               FpgaSetupSsc();
+
+               // Transmit the response.
+               uint16_t i = 0;
+               for(;;) {
+                       if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+                               uint8_t b = respCode[i];
+
+                               AT91C_BASE_SSC->SSC_THR = b;
+
+                               i++;
+                               if(i > respCodeLen) {
+                                       break;
+                               }
+                       }
+                       if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+                               volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
+                               (void)b;
+                       }
+               }
+               
+               // trace the response:
+               if (tracing) {
+                       uint8_t parity[MAX_PARITY_SIZE];
+                       LogTrace(resp, respLen, 0, 0, parity, FALSE);
+               }
+                       
+       }
+}
+
+//=============================================================================
+// An ISO 14443 Type B reader. We take layer two commands, code them
+// appropriately, and then send them to the tag. We then listen for the
+// tag's response, which we leave in the buffer to be demodulated on the
+// PC side.
+//=============================================================================
+
+static struct {
+       enum {
+               DEMOD_UNSYNCD,
+               DEMOD_PHASE_REF_TRAINING,
+               DEMOD_AWAITING_FALLING_EDGE_OF_SOF,
+               DEMOD_GOT_FALLING_EDGE_OF_SOF,
+               DEMOD_AWAITING_START_BIT,
+               DEMOD_RECEIVING_DATA
+       }       state;
+       int     bitCount;
+       int     posCount;
+       int     thisBit;
+/* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
+       int     metric;
+       int     metricN;
+*/
+       uint16_t    shiftReg;
+       uint8_t   *output;
+       int     len;
+       int     sumI;
+       int     sumQ;
+} Demod;
+
+/*
+ * Handles reception of a bit from the tag
+ *
+ * This function is called 2 times per bit (every 4 subcarrier cycles).
+ * Subcarrier frequency fs is 848kHz, 1/fs = 1,18us, i.e. function is called every 4,72us
+ *
+ * LED handling:
+ * LED C -> ON once we have received the SOF and are expecting the rest.
+ * LED C -> OFF once we have received EOF or are unsynced
+ *
+ * Returns: true if we received a EOF
+ *          false if we are still waiting for some more
+ *
+ */
+static RAMFUNC int Handle14443bSamplesDemod(int ci, int cq)
+{
+       int v;
+
+// The soft decision on the bit uses an estimate of just the
+// quadrant of the reference angle, not the exact angle.
+#define MAKE_SOFT_DECISION() { \
+               if(Demod.sumI > 0) { \
+                       v = ci; \
+               } else { \
+                       v = -ci; \
+               } \
+               if(Demod.sumQ > 0) { \
+                       v += cq; \
+               } else { \
+                       v -= cq; \
+               } \
+       }
+
+#define SUBCARRIER_DETECT_THRESHOLD    8
+
+// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by abs(ci) + abs(cq)
+/* #define CHECK_FOR_SUBCARRIER() { \
+               v = ci; \
+               if(v < 0) v = -v; \
+               if(cq > 0) { \
+                       v += cq; \
+               } else { \
+                       v -= cq; \
+               } \
+       }               
+ */
+// Subcarrier amplitude v = sqrt(ci^2 + cq^2), approximated here by max(abs(ci),abs(cq)) + 1/2*min(abs(ci),abs(cq)))
+#define CHECK_FOR_SUBCARRIER() { \
+               if(ci < 0) { \
+                       if(cq < 0) { /* ci < 0, cq < 0 */ \
+                               if (cq < ci) { \
+                                       v = -cq - (ci >> 1); \
+                               } else { \
+                                       v = -ci - (cq >> 1); \
+                               } \
+                       } else {        /* ci < 0, cq >= 0 */ \
+                               if (cq < -ci) { \
+                                       v = -ci + (cq >> 1); \
+                               } else { \
+                                       v = cq - (ci >> 1); \
+                               } \
+                       } \
+               } else { \
+                       if(cq < 0) { /* ci >= 0, cq < 0 */ \
+                               if (-cq < ci) { \
+                                       v = ci - (cq >> 1); \
+                               } else { \
+                                       v = -cq + (ci >> 1); \
+                               } \
+                       } else {        /* ci >= 0, cq >= 0 */ \
+                               if (cq < ci) { \
+                                       v = ci + (cq >> 1); \
+                               } else { \
+                                       v = cq + (ci >> 1); \
+                               } \
+                       } \
+               } \
+       }
+       
+       switch(Demod.state) {
+               case DEMOD_UNSYNCD:
+                       CHECK_FOR_SUBCARRIER();
+                       if(v > SUBCARRIER_DETECT_THRESHOLD) {   // subcarrier detected
+                               Demod.state = DEMOD_PHASE_REF_TRAINING;
+                               Demod.sumI = ci;
+                               Demod.sumQ = cq;
+                               Demod.posCount = 1;
+                               }
+                       break;
+
+               case DEMOD_PHASE_REF_TRAINING:
+                       if(Demod.posCount < 8) {
+                               CHECK_FOR_SUBCARRIER();
+                               if (v > SUBCARRIER_DETECT_THRESHOLD) {
+                                       // set the reference phase (will code a logic '1') by averaging over 32 1/fs.
+                                       // note: synchronization time > 80 1/fs
+                                       Demod.sumI += ci;
+                                       Demod.sumQ += cq;
+                                       Demod.posCount++;
+                               } else {                // subcarrier lost
+                                       Demod.state = DEMOD_UNSYNCD;
+                               }
+                       } else {
+                               Demod.state = DEMOD_AWAITING_FALLING_EDGE_OF_SOF;
+                       }
+                       break;
+
+               case DEMOD_AWAITING_FALLING_EDGE_OF_SOF:
+                       MAKE_SOFT_DECISION();
+                       if(v < 0) {     // logic '0' detected
+                               Demod.state = DEMOD_GOT_FALLING_EDGE_OF_SOF;
+                               Demod.posCount = 0;     // start of SOF sequence
+                       } else {
+                               if(Demod.posCount > 200/4) {    // maximum length of TR1 = 200 1/fs
+                                       Demod.state = DEMOD_UNSYNCD;
+                               }
+                       }
+                       Demod.posCount++;
+                       break;
+
+               case DEMOD_GOT_FALLING_EDGE_OF_SOF:
+                       Demod.posCount++;
+                       MAKE_SOFT_DECISION();
+                       if(v > 0) {
+                               if(Demod.posCount < 9*2) { // low phase of SOF too short (< 9 etu). Note: spec is >= 10, but FPGA tends to "smear" edges
+                                       Demod.state = DEMOD_UNSYNCD;
+                               } else {
+                                       LED_C_ON(); // Got SOF
+                                       Demod.state = DEMOD_AWAITING_START_BIT;
+                                       Demod.posCount = 0;
+                                       Demod.len = 0;
+/* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
+                                       Demod.metricN = 0;
+                                       Demod.metric = 0;
+*/
+                               }
+                       } else {
+                               if(Demod.posCount > 12*2) { // low phase of SOF too long (> 12 etu)
+                                       Demod.state = DEMOD_UNSYNCD;
+                                       LED_C_OFF();
+                               }
+                       }
+                       break;
+
+               case DEMOD_AWAITING_START_BIT:
+                       Demod.posCount++;
+                       MAKE_SOFT_DECISION();
+                       if(v > 0) {
+                               if(Demod.posCount > 3*2) {              // max 19us between characters = 16 1/fs, max 3 etu after low phase of SOF = 24 1/fs
+                                       Demod.state = DEMOD_UNSYNCD;
+                                       LED_C_OFF();
+                               }
+                       } else {                                                        // start bit detected
+                               Demod.bitCount = 0;
+                               Demod.posCount = 1;                             // this was the first half
+                               Demod.thisBit = v;
+                               Demod.shiftReg = 0;
+                               Demod.state = DEMOD_RECEIVING_DATA;
+                       }
+                       break;
+
+               case DEMOD_RECEIVING_DATA:
+                       MAKE_SOFT_DECISION();
+                       if(Demod.posCount == 0) {                       // first half of bit
+                               Demod.thisBit = v;
+                               Demod.posCount = 1;
+                       } else {                                                        // second half of bit
+                               Demod.thisBit += v;
+
+/* this had been used to add RSSI (Received Signal Strength Indication) to traces. Currently not implemented.
+                               if(Demod.thisBit > 0) {
+                                       Demod.metric += Demod.thisBit;
+                               } else {
+                                       Demod.metric -= Demod.thisBit;
+                               }
+                               (Demod.metricN)++;
+*/                             
+
+                               Demod.shiftReg >>= 1;
+                               if(Demod.thisBit > 0) { // logic '1'
+                                       Demod.shiftReg |= 0x200;
+                               }
+
+                               Demod.bitCount++;
+                               if(Demod.bitCount == 10) {
+                                       uint16_t s = Demod.shiftReg;
+                                       if((s & 0x200) && !(s & 0x001)) { // stop bit == '1', start bit == '0'
+                                               uint8_t b = (s >> 1);
+                                               Demod.output[Demod.len] = b;
+                                               Demod.len++;
+                                               Demod.state = DEMOD_AWAITING_START_BIT;
+                                       } else {
+                                               Demod.state = DEMOD_UNSYNCD;
+                                               LED_C_OFF();
+                                               if(s == 0x000) {
+                                                       // This is EOF (start, stop and all data bits == '0'
+                                                       return TRUE;
+                                               }
+                                       }
+                               }
+                               Demod.posCount = 0;
+                       }
+                       break;
+
+               default:
+                       Demod.state = DEMOD_UNSYNCD;
+                       LED_C_OFF();
+                       break;
+       }
+
+       return FALSE;
+}
+
+
+static void DemodReset()
+{
+       // Clear out the state of the "UART" that receives from the tag.
+       Demod.len = 0;
+       Demod.state = DEMOD_UNSYNCD;
+       Demod.posCount = 0;
+       memset(Demod.output, 0x00, MAX_FRAME_SIZE);
+}
+
+
+static void DemodInit(uint8_t *data)
+{
+       Demod.output = data;
+       DemodReset();
+}
+
+
+/*
+ *  Demodulate the samples we received from the tag, also log to tracebuffer
+ *  quiet: set to 'TRUE' to disable debug output
+ */
+static void GetSamplesFor14443bDemod(int n, bool quiet)
+{
+       int max = 0;
+       bool gotFrame = FALSE;
+       int lastRxCounter, ci, cq, samples = 0;
+
+       // Allocate memory from BigBuf for some buffers
+       // free all previous allocations first
+       BigBuf_free();
+       
+       // The response (tag -> reader) that we're receiving.
+       uint8_t *receivedResponse = BigBuf_malloc(MAX_FRAME_SIZE);
+       
+       // The DMA buffer, used to stream samples from the FPGA
+       int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
+
+       // Set up the demodulator for tag -> reader responses.
+       DemodInit(receivedResponse);
+
+       // Setup and start DMA.
+       FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
+
+       int8_t *upTo = dmaBuf;
+       lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
+
+       // Signal field is ON with the appropriate LED:
+       LED_D_ON();
+       // And put the FPGA in the appropriate mode
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
+
+       for(;;) {
+               int behindBy = lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR;
+               if(behindBy > max) max = behindBy;
+
+               while(((lastRxCounter-AT91C_BASE_PDC_SSC->PDC_RCR) & (ISO14443B_DMA_BUFFER_SIZE-1)) > 2) {
+                       ci = upTo[0];
+                       cq = upTo[1];
+                       upTo += 2;
+                       if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
+                               upTo = dmaBuf;
+                               AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
+                               AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
+                       }
+                       lastRxCounter -= 2;
+                       if(lastRxCounter <= 0) {
+                               lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
+                       }
+
+                       samples += 2;
+
+                       if(Handle14443bSamplesDemod(ci, cq)) {
+                               gotFrame = TRUE;
+                               break;
+                       }
+               }
+
+               if(samples > n || gotFrame) {
+                       break;
+               }
+       }
+
+       AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+
+       if (!quiet) Dbprintf("max behindby = %d, samples = %d, gotFrame = %d, Demod.len = %d, Demod.sumI = %d, Demod.sumQ = %d", max, samples, gotFrame, Demod.len, Demod.sumI, Demod.sumQ);
+       //Tracing
+       if (tracing && Demod.len > 0) {
+               uint8_t parity[MAX_PARITY_SIZE];
+               LogTrace(Demod.output, Demod.len, 0, 0, parity, FALSE);
+       }
+}
+
+
+//-----------------------------------------------------------------------------
+// Transmit the command (to the tag) that was placed in ToSend[].
+//-----------------------------------------------------------------------------
+static void TransmitFor14443b(void)
+{
+       int c;
+
+       FpgaSetupSsc();
+
+       while(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+               AT91C_BASE_SSC->SSC_THR = 0xff;
+       }
+
+       // Signal field is ON with the appropriate Red LED
+       LED_D_ON();
+       // Signal we are transmitting with the Green LED
+       LED_B_ON();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX | FPGA_HF_READER_TX_SHALLOW_MOD);
+
+       for(c = 0; c < 10;) {
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+                       AT91C_BASE_SSC->SSC_THR = 0xff;
+                       c++;
+               }
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+                       volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
+                       (void)r;
+               }
+               WDT_HIT();
+       }
+
+       c = 0;
+       for(;;) {
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
+                       AT91C_BASE_SSC->SSC_THR = ToSend[c];
+                       c++;
+                       if(c >= ToSendMax) {
+                               break;
+                       }
+               }
+               if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
+                       volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
+                       (void)r;
+               }
+               WDT_HIT();
+       }
+       LED_B_OFF(); // Finished sending
+}
+
+
+//-----------------------------------------------------------------------------
+// Code a layer 2 command (string of octets, including CRC) into ToSend[],
+// so that it is ready to transmit to the tag using TransmitFor14443b().
+//-----------------------------------------------------------------------------
+static void CodeIso14443bAsReader(const uint8_t *cmd, int len)
+{
+       int i, j;
+       uint8_t b;
+
+       ToSendReset();
+
+       // Establish initial reference level
+       for(i = 0; i < 40; i++) {
+               ToSendStuffBit(1);
+       }
+       // Send SOF
+       for(i = 0; i < 10; i++) {
+               ToSendStuffBit(0);
+       }
+
+       for(i = 0; i < len; i++) {
+               // Stop bits/EGT
+               ToSendStuffBit(1);
+               ToSendStuffBit(1);
+               // Start bit
+               ToSendStuffBit(0);
+               // Data bits
+               b = cmd[i];
+               for(j = 0; j < 8; j++) {
+                       if(b & 1) {
+                               ToSendStuffBit(1);
+                       } else {
+                               ToSendStuffBit(0);
+                       }
+                       b >>= 1;
+               }
+       }
+       // Send EOF
+       ToSendStuffBit(1);
+       for(i = 0; i < 10; i++) {
+               ToSendStuffBit(0);
+       }
+       for(i = 0; i < 8; i++) {
+               ToSendStuffBit(1);
+       }
+
+       // And then a little more, to make sure that the last character makes
+       // it out before we switch to rx mode.
+       for(i = 0; i < 24; i++) {
+               ToSendStuffBit(1);
+       }
+
+       // Convert from last character reference to length
+       ToSendMax++;
+}
+
+
+/**
+  Convenience function to encode, transmit and trace iso 14443b comms
+  **/
+static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len)
+{
+       CodeIso14443bAsReader(cmd, len);
+       TransmitFor14443b();
+       if (tracing) {
+               uint8_t parity[MAX_PARITY_SIZE];
+               LogTrace(cmd,len, 0, 0, parity, TRUE);
+       }
+}
+
+
+//-----------------------------------------------------------------------------
+// Read a SRI512 ISO 14443B tag.
+//
+// SRI512 tags are just simple memory tags, here we're looking at making a dump
+// of the contents of the memory. No anticollision algorithm is done, we assume
+// we have a single tag in the field.
+//
+// I tried to be systematic and check every answer of the tag, every CRC, etc...
+//-----------------------------------------------------------------------------
+void ReadSTMemoryIso14443b(uint32_t dwLast)
+{
+       uint8_t i = 0x00;
+
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       // Make sure that we start from off, since the tags are stateful;
+       // confusing things will happen if we don't reset them between reads.
+       LED_D_OFF();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       SpinDelay(200);
+
+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+       FpgaSetupSsc();
+
+       // Now give it time to spin up.
+       // Signal field is on with the appropriate LED
+       LED_D_ON();
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
+       SpinDelay(200);
+
+       clear_trace();
+       set_tracing(TRUE);
+
+       // First command: wake up the tag using the INITIATE command
+       uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
+       CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
+       GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+
+       if (Demod.len == 0) {
+               DbpString("No response from tag");
+               return;
+       } else {
+               Dbprintf("Randomly generated Chip ID (+ 2 byte CRC): %02x %02x %02x",
+                               Demod.output[0], Demod.output[1], Demod.output[2]);
+       }
+
+       // There is a response, SELECT the uid
+       DbpString("Now SELECT tag:");
+       cmd1[0] = 0x0E; // 0x0E is SELECT
+       cmd1[1] = Demod.output[0];
+       ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
+       CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
+       GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+       if (Demod.len != 3) {
+               Dbprintf("Expected 3 bytes from tag, got %d", Demod.len);
+               return;
+       }
+       // Check the CRC of the answer:
+       ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]);
+       if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) {
+               DbpString("CRC Error reading select response.");
+               return;
+       }
+       // Check response from the tag: should be the same UID as the command we just sent:
+       if (cmd1[1] != Demod.output[0]) {
+               Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]);
+               return;
+       }
+
+       // Tag is now selected,
+       // First get the tag's UID:
+       cmd1[0] = 0x0B;
+       ComputeCrc14443(CRC_14443_B, cmd1, 1 , &cmd1[1], &cmd1[2]);
+       CodeAndTransmit14443bAsReader(cmd1, 3); // Only first three bytes for this one
+       GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+       if (Demod.len != 10) {
+               Dbprintf("Expected 10 bytes from tag, got %d", Demod.len);
+               return;
+       }
+       // The check the CRC of the answer (use cmd1 as temporary variable):
+       ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]);
+       if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) {
+               Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
+                               (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]);
+               // Do not return;, let's go on... (we should retry, maybe ?)
+       }
+       Dbprintf("Tag UID (64 bits): %08x %08x",
+                       (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4],
+                       (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]);
+
+       // Now loop to read all 16 blocks, address from 0 to last block
+       Dbprintf("Tag memory dump, block 0 to %d", dwLast);
+       cmd1[0] = 0x08;
+       i = 0x00;
+       dwLast++;
+       for (;;) {
+               if (i == dwLast) {
+                       DbpString("System area block (0xff):");
+                       i = 0xff;
+               }
+               cmd1[1] = i;
+               ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]);
+               CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
+               GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+               if (Demod.len != 6) { // Check if we got an answer from the tag
+                       DbpString("Expected 6 bytes from tag, got less...");
+                       return;
+               }
+               // The check the CRC of the answer (use cmd1 as temporary variable):
+               ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]);
+               if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) {
+                       Dbprintf("CRC Error reading block! Expected: %04x got: %04x",
+                                       (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]);
+                       // Do not return;, let's go on... (we should retry, maybe ?)
+               }
+               // Now print out the memory location:
+               Dbprintf("Address=%02x, Contents=%08x, CRC=%04x", i,
+                               (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0],
+                               (Demod.output[4]<<8)+Demod.output[5]);
+               if (i == 0xff) {
+                       break;
+               }
+               i++;
+       }
+}
+
+
+//=============================================================================
+// Finally, the `sniffer' combines elements from both the reader and
+// simulated tag, to show both sides of the conversation.
+//=============================================================================
+
+//-----------------------------------------------------------------------------
+// Record the sequence of commands sent by the reader to the tag, with
+// triggering so that we start recording at the point that the tag is moved
+// near the reader.
+//-----------------------------------------------------------------------------
+/*
+ * Memory usage for this function, (within BigBuf)
+ * Last Received command (reader->tag) - MAX_FRAME_SIZE
+ * Last Received command (tag->reader) - MAX_FRAME_SIZE
+ * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE
+ * Demodulated samples received - all the rest
+ */
+void RAMFUNC SnoopIso14443b(void)
+{
+       // We won't start recording the frames that we acquire until we trigger;
+       // a good trigger condition to get started is probably when we see a
+       // response from the tag.
+       int triggered = TRUE;                   // TODO: set and evaluate trigger condition
+
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       BigBuf_free();
+
+       clear_trace();
+       set_tracing(TRUE);
+
+       // The DMA buffer, used to stream samples from the FPGA
+       int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE);
+       int lastRxCounter;
+       int8_t *upTo;
+       int ci, cq;
+       int maxBehindBy = 0;
+
+       // Count of samples received so far, so that we can include timing
+       // information in the trace buffer.
+       int samples = 0;
+
+       DemodInit(BigBuf_malloc(MAX_FRAME_SIZE));
+       UartInit(BigBuf_malloc(MAX_FRAME_SIZE));
+
+       // Print some debug information about the buffer sizes
+       Dbprintf("Snooping buffers initialized:");
+       Dbprintf("  Trace: %i bytes", BigBuf_max_traceLen());
+       Dbprintf("  Reader -> tag: %i bytes", MAX_FRAME_SIZE);
+       Dbprintf("  tag -> Reader: %i bytes", MAX_FRAME_SIZE);
+       Dbprintf("  DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE);
+
+       // Signal field is off, no reader signal, no tag signal
+       LEDsoff();
+
+       // And put the FPGA in the appropriate mode
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ | FPGA_HF_READER_RX_XCORR_SNOOP);
+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+
+       // Setup for the DMA.
+       FpgaSetupSsc();
+       upTo = dmaBuf;
+       lastRxCounter = ISO14443B_DMA_BUFFER_SIZE;
+       FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE);
+       uint8_t parity[MAX_PARITY_SIZE];
+
+       bool TagIsActive = FALSE;
+       bool ReaderIsActive = FALSE;
+       
+       // And now we loop, receiving samples.
+       for(;;) {
+               int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
+                                                               (ISO14443B_DMA_BUFFER_SIZE-1);
+               if(behindBy > maxBehindBy) {
+                       maxBehindBy = behindBy;
+               }
+
+               if(behindBy < 2) continue;
+
+               ci = upTo[0];
+               cq = upTo[1];
+               upTo += 2;
+               lastRxCounter -= 2;
+               if(upTo >= dmaBuf + ISO14443B_DMA_BUFFER_SIZE) {
+                       upTo = dmaBuf;
+                       lastRxCounter += ISO14443B_DMA_BUFFER_SIZE;
+                       AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
+                       AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE;
+                       WDT_HIT();
+                       if(behindBy > (9*ISO14443B_DMA_BUFFER_SIZE/10)) { // TODO: understand whether we can increase/decrease as we want or not?
+                               Dbprintf("blew circular buffer! behindBy=%d", behindBy);
+                               break;
+                       }
+                       if(!tracing) {
+                               DbpString("Reached trace limit");
+                               break;
+                       }
+                       if(BUTTON_PRESS()) {
+                               DbpString("cancelled");
+                               break;
+                       }
+               }
+
+               samples += 2;
+
+               if (!TagIsActive) {                                                     // no need to try decoding reader data if the tag is sending
+                       if(Handle14443bUartBit(ci & 0x01)) {
+                               if(triggered && tracing) {
+                                       LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
+                               }
+                               /* And ready to receive another command. */
+                               UartReset();
+                               /* And also reset the demod code, which might have been */
+                               /* false-triggered by the commands from the reader. */
+                               DemodReset();
+                       }
+                       if(Handle14443bUartBit(cq & 0x01)) {
+                               if(triggered && tracing) {
+                                       LogTrace(Uart.output, Uart.byteCnt, samples, samples, parity, TRUE);
+                               }
+                               /* And ready to receive another command. */
+                               UartReset();
+                               /* And also reset the demod code, which might have been */
+                               /* false-triggered by the commands from the reader. */
+                               DemodReset();
+                       }
+                       ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF);
+               }
+
+               if(!ReaderIsActive) {                                           // no need to try decoding tag data if the reader is sending - and we cannot afford the time
+                       if(Handle14443bSamplesDemod(ci | 0x01, cq | 0x01)) {
+
+                               //Use samples as a time measurement
+                               if(tracing)
+                               {
+                                       uint8_t parity[MAX_PARITY_SIZE];
+                                       LogTrace(Demod.output, Demod.len, samples, samples, parity, FALSE);
+                               }
+                               triggered = TRUE;
+
+                               // And ready to receive another response.
+                               DemodReset();
+                       }
+                       TagIsActive = (Demod.state > DEMOD_GOT_FALLING_EDGE_OF_SOF);
+               }
+
+       }
+
+       FpgaDisableSscDma();
+       LEDsoff();
+       AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
+       DbpString("Snoop statistics:");
+       Dbprintf("  Max behind by: %i", maxBehindBy);
+       Dbprintf("  Uart State: %x", Uart.state);
+       Dbprintf("  Uart ByteCnt: %i", Uart.byteCnt);
+       Dbprintf("  Uart ByteCntMax: %i", Uart.byteCntMax);
+       Dbprintf("  Trace length: %i", BigBuf_get_traceLen());
+}
+
+
+/*
+ * Send raw command to tag ISO14443B
+ * @Input
+ * datalen     len of buffer data
+ * recv        bool when true wait for data from tag and send to client
+ * powerfield  bool leave the field on when true
+ * data        buffer with byte to send
+ *
+ * @Output
+ * none
+ *
+ */
+void SendRawCommand14443B(uint32_t datalen, uint32_t recv, uint8_t powerfield, uint8_t data[])
+{
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+       SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
+       FpgaSetupSsc();
+
+       set_tracing(TRUE);
+       
+       CodeAndTransmit14443bAsReader(data, datalen);
+
+       if(recv) {
+               GetSamplesFor14443bDemod(RECEIVE_SAMPLES_TIMEOUT, TRUE);
+               uint16_t iLen = MIN(Demod.len, USB_CMD_DATA_SIZE);
+               cmd_send(CMD_ACK, iLen, 0, 0, Demod.output, iLen);
+       }
+       
+       if(!powerfield) {
+               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+               LED_D_OFF();
+       }
+}
+
index 94040a85796a36eb38b7e5976b2339123845234f..e7145c5c9e84b3d6dd5399c145e74123e72be077 100644 (file)
@@ -877,12 +877,12 @@ int SendDataTag(uint8_t *send, int sendlen, int init, int speed, uint8_t **recv)
        LED_C_OFF();
        LED_D_OFF();
        
+       if (init) Iso15693InitReader();
+
        int answerLen=0;
        uint8_t *answer = BigBuf_get_addr() + 3660;
        if (recv != NULL) memset(answer, 0, 100);
 
-       if (init) Iso15693InitReader();
-       
        if (!speed) {
                // low speed (1 out of 256)
                CodeIso15693AsReader256(send, sendlen);
@@ -999,10 +999,6 @@ void ReaderIso15693(uint32_t parameter)
        LED_C_OFF();
        LED_D_OFF();
 
-       uint8_t *answer1 = BigBuf_get_addr() + 3660;
-       uint8_t *answer2 = BigBuf_get_addr() + 3760;
-       uint8_t *answer3 = BigBuf_get_addr() + 3860;
-
        int answerLen1 = 0;
        int answerLen2 = 0;
        int answerLen3 = 0;
@@ -1013,19 +1009,21 @@ void ReaderIso15693(uint32_t parameter)
        int elapsed = 0;
        uint8_t TagUID[8] = {0x00};
 
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 
+       uint8_t *answer1 = BigBuf_get_addr() + 3660;
+       uint8_t *answer2 = BigBuf_get_addr() + 3760;
+       uint8_t *answer3 = BigBuf_get_addr() + 3860;
        // Blank arrays
        memset(answer1, 0x00, 300);
 
-       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
        // Setup SSC
        FpgaSetupSsc();
 
        // Start from off (no field generated)
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       SpinDelay(200);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       SpinDelay(200);
 
        // Give the tags time to energize
        FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
@@ -1111,24 +1109,22 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid)
        LED_C_OFF();
        LED_D_OFF();
 
-       uint8_t *buf = BigBuf_get_addr() + 3660;
-       
        int answerLen1 = 0;
        int samples = 0;
        int tsamples = 0;
        int wait = 0;
        int elapsed = 0;
 
-       memset(buf, 0x00, 100);
-
        FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
 
+       uint8_t *buf = BigBuf_get_addr() + 3660;
+       memset(buf, 0x00, 100);
+       
        SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
        FpgaSetupSsc();
 
        // Start from off (no field generated)
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        SpinDelay(200);
 
        LED_A_OFF();
index 840b819643dcb21e49b7fc4159f138706e142fb6..34da26bcdfd8cee58e6bfa99cb6bfb4c57eb59af 100644 (file)
@@ -24,6 +24,7 @@ SECTIONS
        } >osimage :text
 
        .text : {
+               KEEP(*(stage1_image))
                *(.text)
                *(.text.*)
                *(.eh_frame)
@@ -34,14 +35,13 @@ SECTIONS
        .rodata : {
                *(.rodata)
                *(.rodata.*)
-               *(fpga_lf_bit.data)
-               *(fpga_hf_bit.data)
+               *(fpga_all_bit.data)
                KEEP(*(.version_information))
+               . = ALIGN(8);
        } >osimage :text
 
-       . = ALIGN(4);
-
        .data : {
+               KEEP(*(compressed_data))
                *(.data)
                *(.data.*)
                *(.ramfunc)
@@ -51,6 +51,7 @@ SECTIONS
        __data_src_start__ = LOADADDR(.data);
        __data_start__ = ADDR(.data);
        __data_end__ = __data_start__ + SIZEOF(.data);
+       __os_size__ = SIZEOF(.text) + SIZEOF(.data) + SIZEOF(.rodata);
        
        .bss : {
                __bss_start__ = .; 
index e5a40b2e916f16b4d963325c7bf1c940502e0a47..7e53d4a566173d97301f9e56ee1e5ad01a1ca15e 100644 (file)
@@ -651,7 +651,7 @@ void CmdASKsimTag(uint16_t arg1, uint16_t arg2, size_t size, uint8_t *BitStream)
        int ledcontrol = 1;
        int n=0, i=0;
        uint8_t clk = (arg1 >> 8) & 0xFF;
-       uint8_t encoding = arg1 & 1;
+       uint8_t encoding = arg1 & 0xFF;
        uint8_t separator = arg2 & 1;
        uint8_t invert = (arg2 >> 8) & 1;
 
@@ -861,7 +861,7 @@ void CmdEM410xdemod(int findone, int *high, int *low, int ledcontrol)
                size  = BigBuf_max_traceLen();
                //askdemod and manchester decode
                if (size > 16385) size = 16385; //big enough to catch 2 sequences of largest format
-               errCnt = askmandemod(dest, &size, &clk, &invert, maxErr);
+               errCnt = askdemod(dest, &size, &clk, &invert, maxErr, 0, 1);
                WDT_HIT();
 
                if (errCnt<0) continue;
@@ -1024,10 +1024,10 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol)
  * To compensate antenna falling times shorten the write times
  * and enlarge the gap ones.
  */
-#define START_GAP 50*8 // 10 - 50fc 250
-#define WRITE_GAP 20*8 //    - 30fc 160
-#define WRITE_0   24*8 // 16 - 63fc 54fc 144
-#define WRITE_1   54*8 // 48 - 63fc 54fc 432 for T55x7; 448 for E5550 //400
+#define START_GAP 31*8 // was 250 // SPEC:  1*8 to 50*8 - typ 15*8 (or 15fc)
+#define WRITE_GAP 20*8 // was 160 // SPEC:  1*8 to 20*8 - typ 10*8 (or 10fc)
+#define WRITE_0   18*8 // was 144 // SPEC: 16*8 to 32*8 - typ 24*8 (or 24fc)
+#define WRITE_1   50*8 // was 400 // SPEC: 48*8 to 64*8 - typ 56*8 (or 56fc)  432 for T55x7; 448 for E5550
 
 #define T55xx_SAMPLES_SIZE      12000 // 32 x 32 x 10  (32 bit times numofblock (7), times clock skip..)
 
index a16cbf16612f9130e29f26ecce116c13669aacfa..c2d85abb496f50a00b27dd0281c2b54541b3ec41 100644 (file)
 #include "mifarecmd.h"\r
 #include "apps.h"\r
 #include "util.h"\r
-\r
 #include "crc.h"\r
 \r
+// the block number for the ISO14443-4 PCB\r
+uint8_t pcb_blocknum = 0;\r
+// Deselect card by sending a s-block. the crc is precalced for speed\r
+static  uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};\r
+\r
 //-----------------------------------------------------------------------------\r
 // Select, Authenticate, Read a MIFARE tag. \r
 // read block\r
@@ -40,10 +44,10 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
-       // clear trace\r
-       clear_trace();\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
+       clear_trace();\r
+\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
@@ -86,107 +90,93 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        LEDsoff();\r
 }\r
 \r
+void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){\r
 \r
-void MifareUC_Auth1(uint8_t arg0, uint8_t *datain){\r
+       bool turnOffField = (arg0 == 1);\r
 \r
-       byte_t isOK = 0;\r
-       byte_t dataoutbuf[16] = {0x00};\r
-       uint8_t uid[10] = {0x00};\r
-       uint32_t cuid;\r
+       LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
 \r
-       LED_A_ON();\r
-       LED_B_OFF();\r
-       LED_C_OFF();\r
-    \r
-       clear_trace();\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
-       if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Can't select card");\r
-               //OnError(0);\r
+       clear_trace();\r
+\r
+       if(!iso14443a_select_card(NULL, NULL, NULL)) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");\r
+               OnError(0);\r
                return;\r
        };\r
        \r
-       if(mifare_ultra_auth1(cuid, dataoutbuf)){\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)        \r
-                       Dbprintf("Authentication part1: Fail.");\r
-               //OnError(1);\r
+       if(!mifare_ultra_auth(keybytes)){\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");\r
+               OnError(1);\r
                return;\r
        }\r
 \r
-       isOK = 1;\r
-       if (MF_DBGLEVEL >= MF_DBG_EXTENDED)\r
-               DbpString("AUTH 1 FINISHED");\r
-    \r
-    cmd_send(CMD_ACK,isOK,cuid,0,dataoutbuf,11);\r
-       LEDsoff();\r
-}\r
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){\r
-\r
-       uint32_t cuid = arg0;\r
-       uint8_t key[16] = {0x00};\r
-       byte_t isOK = 0;\r
-       byte_t dataoutbuf[16] = {0x00};\r
-    \r
-       memcpy(key, datain, 16);\r
-    \r
-       LED_A_ON();\r
-       LED_B_OFF();\r
-       LED_C_OFF();\r
-       \r
-       if(mifare_ultra_auth2(cuid, key, dataoutbuf)){\r
-           if (MF_DBGLEVEL >= MF_DBG_ERROR) \r
-                       Dbprintf("Authentication part2: Fail...");\r
-               //OnError(1);\r
-               return;                 \r
+       if (turnOffField) {\r
+               FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+               LEDsoff();\r
        }\r
-       \r
-       isOK = 1;\r
-       if (MF_DBGLEVEL >= MF_DBG_EXTENDED)\r
-               DbpString("AUTH 2 FINISHED");\r
-    \r
-       cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,11);\r
-       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-       LEDsoff();\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
 }\r
 \r
-void MifareUReadBlock(uint8_t arg0,uint8_t *datain)\r
+// Arg0 = BlockNo,\r
+// Arg1 = UsePwd bool\r
+// datain = PWD bytes,\r
+void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)\r
 {\r
        uint8_t blockNo = arg0;\r
        byte_t dataout[16] = {0x00};\r
-       uint8_t uid[10] = {0x00};\r
-       uint32_t cuid;\r
-    \r
+       bool useKey = (arg1 == 1); //UL_C\r
+       bool usePwd = (arg1 == 2); //UL_EV1/NTAG\r
+\r
+       LEDsoff();\r
        LED_A_ON();\r
-       LED_B_OFF();\r
-       LED_C_OFF();\r
-    \r
-       clear_trace();\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-    \r
-       int len = iso14443a_select_card(uid, NULL, &cuid);\r
+\r
+       clear_trace();\r
+\r
+       int len = iso14443a_select_card(NULL, NULL, NULL);\r
        if(!len) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)        Dbprintf("Can't select card");\r
-               //OnError(1);\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);\r
+               OnError(1);\r
                return;\r
-               };\r
-        \r
-       len = mifare_ultra_readblock(cuid, blockNo, dataout);\r
-       if(len) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)        Dbprintf("Read block error");\r
-               //OnError(2);\r
+       }\r
+\r
+       // UL-C authentication\r
+       if ( useKey ) {\r
+               uint8_t key[16] = {0x00};\r
+               memcpy(key, datain, sizeof(key) );\r
+\r
+               if ( !mifare_ultra_auth(key) ) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+\r
+       // UL-EV1 / NTAG authentication\r
+       if ( usePwd ) {\r
+               uint8_t pwd[4] = {0x00};\r
+               memcpy(pwd, datain, 4);\r
+               uint8_t pack[4] = {0,0,0,0};\r
+               if (!mifare_ul_ev1_auth(pwd, pack)) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }       \r
+\r
+       if( mifare_ultra_readblock(blockNo, dataout) ) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block error");\r
+               OnError(2);\r
                return;\r
-               };\r
-        \r
-       len = mifare_ultra_halt(cuid);\r
-       if(len) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)        Dbprintf("Halt error");\r
-               //OnError(3);\r
+       }\r
+\r
+       if( mifare_ultra_halt() ) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");\r
+               OnError(3);\r
                return;\r
-               };\r
-               \r
-    cmd_send(CMD_ACK,1,0,0,dataout,16);\r
+       }\r
+\r
+       cmd_send(CMD_ACK,1,0,0,dataout,16);\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
 }\r
@@ -212,11 +202,10 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
-       // clear trace\r
-       clear_trace();\r
-\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
+       clear_trace();\r
+\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
@@ -259,73 +248,103 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        LEDsoff();\r
 }\r
 \r
-void MifareUReadCard(uint8_t arg0, int arg1, uint8_t *datain)\r
+// arg0 = blockNo (start)\r
+// arg1 = Pages (number of blocks)\r
+// arg2 = useKey\r
+// datain = KEY bytes\r
+void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)\r
 {\r
-  // params\r
-        uint8_t sectorNo = arg0;\r
-       int Pages = arg1;\r
-       int count_Pages = 0;\r
-       byte_t dataout[176] = {0x00};;\r
-       uint8_t uid[10] = {0x00};\r
-       uint32_t cuid;\r
-\r
+       LEDsoff();\r
        LED_A_ON();\r
-       LED_B_OFF();\r
-       LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
-       if (MF_DBGLEVEL >= MF_DBG_ALL) \r
-               Dbprintf("Pages %d",Pages);\r
-       \r
+       // free eventually allocated BigBuf memory\r
+       BigBuf_free();\r
        clear_trace();\r
-       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
-       int len = iso14443a_select_card(uid, NULL, &cuid);\r
-       \r
+       // params\r
+       uint8_t blockNo = arg0;\r
+       uint16_t blocks = arg1;\r
+       bool useKey = (arg2 == 1); //UL_C\r
+       bool usePwd = (arg2 == 2); //UL_EV1/NTAG\r
+       uint32_t countblocks = 0;\r
+       uint8_t *dataout = BigBuf_malloc(CARD_MEMORY_SIZE);\r
+       if (dataout == NULL){\r
+               Dbprintf("out of memory");\r
+               OnError(1);\r
+               return;\r
+       }\r
+\r
+       int len = iso14443a_select_card(NULL, NULL, NULL);\r
        if (!len) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Can't select card");\r
-               //OnError(1);\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);\r
+               OnError(1);\r
                return;\r
        }\r
+\r
+       // UL-C authentication\r
+       if ( useKey ) {\r
+               uint8_t key[16] = {0x00};\r
+               memcpy(key, datain, sizeof(key) );\r
+\r
+               if ( !mifare_ultra_auth(key) ) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+\r
+       // UL-EV1 / NTAG authentication\r
+       if (usePwd) {\r
+               uint8_t pwd[4] = {0x00};\r
+               memcpy(pwd, datain, sizeof(pwd));\r
+               uint8_t pack[4] = {0,0,0,0};\r
+\r
+               if (!mifare_ul_ev1_auth(pwd, pack)){\r
+                       OnError(1);\r
+                       return;                 \r
+               }\r
+       }\r
+\r
+       for (int i = 0; i < blocks; i++){\r
+               if ((i*4) + 4 >= CARD_MEMORY_SIZE) {\r
+                       Dbprintf("Data exceeds buffer!!");\r
+                       break;\r
+               }\r
        \r
-       for (int i = 0; i < Pages; i++){\r
-       \r
-               len = mifare_ultra_readblock(cuid, sectorNo * 4 + i, dataout + 4 * i);\r
-               \r
+               len = mifare_ultra_readblock(blockNo + i, dataout + 4 * i);\r
+\r
                if (len) {\r
-                       if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                               Dbprintf("Read block %d error",i);\r
-                       //OnError(2);\r
-                       return;\r
+                       if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Read block %d error",i);\r
+                       // if no blocks read - error out\r
+                       if (i==0){\r
+                               OnError(2);\r
+                               return;\r
+                       } else {\r
+                               //stop at last successful read block and return what we got\r
+                               break;\r
+                       }\r
                } else {\r
-                       count_Pages++;\r
+                       countblocks++;\r
                }\r
        }\r
-               \r
-       len = mifare_ultra_halt(cuid);\r
+\r
+       len = mifare_ultra_halt();\r
        if (len) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Halt error");\r
-               //OnError(3);\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");\r
+               OnError(3);\r
                return;\r
        }\r
-       \r
-       if (MF_DBGLEVEL >= MF_DBG_ALL) {\r
-               Dbprintf("Pages read %d", count_Pages);\r
-       }\r
 \r
-       len = 16*4; //64 bytes\r
-       \r
-       // Read a UL-C\r
-       if (Pages == 44 && count_Pages > 16) \r
-               len = 176;\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);\r
 \r
-       cmd_send(CMD_ACK, 1, 0, 0, dataout, len);       \r
+       countblocks *= 4;\r
+\r
+       cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(), 0, 0);\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
+       BigBuf_free();\r
 }\r
 \r
-\r
 //-----------------------------------------------------------------------------\r
 // Select, Authenticate, Write a MIFARE tag. \r
 // read block\r
@@ -349,11 +368,10 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        struct Crypto1State *pcs;\r
        pcs = &mpcs;\r
 \r
-       // clear trace\r
-       clear_trace();\r
-\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
+       clear_trace();\r
+\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
@@ -398,96 +416,179 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        LEDsoff();\r
 }\r
 \r
-void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)\r
+/* // Command not needed but left for future testing \r
+void MifareUWriteBlockCompat(uint8_t arg0, uint8_t *datain)\r
 {\r
-        // params\r
-        uint8_t blockNo = arg0;\r
+       uint8_t blockNo = arg0;\r
        byte_t blockdata[16] = {0x00};\r
 \r
-        memcpy(blockdata, datain,16);\r
-        \r
-        // variables\r
-        byte_t isOK = 0;\r
+       memcpy(blockdata, datain, 16);\r
+\r
        uint8_t uid[10] = {0x00};\r
-        uint32_t cuid;\r
 \r
-               clear_trace();\r
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+       LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
 \r
-        LED_A_ON();\r
-        LED_B_OFF();\r
-        LED_C_OFF();\r
-\r
-        while (true) {\r
-                if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-                        if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                        break;\r
-                };\r
-\r
-                if(mifare_ultra_writeblock(cuid, blockNo, blockdata)) {\r
-                        if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
-                        break;\r
-                };\r
-\r
-                if(mifare_ultra_halt(cuid)) {\r
-                        if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                        break;\r
-                };\r
-                \r
-                isOK = 1;\r
-                break;\r
-        }\r
-        \r
-        if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
-\r
-               cmd_send(CMD_ACK,isOK,0,0,0,0);\r
-        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
-        LEDsoff();\r
-}\r
+       clear_trace();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       if(!iso14443a_select_card(uid, NULL, NULL)) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       if(mifare_ultra_writeblock_compat(blockNo, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
+               OnError(0);\r
+               return; };\r
+\r
+       if(mifare_ultra_halt()) {\r
+               if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
-void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)\r
+       if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
+\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+*/\r
+\r
+// Arg0   : Block to write to.\r
+// Arg1   : 0 = use no authentication.\r
+//          1 = use 0x1A authentication.\r
+//          2 = use 0x1B authentication.\r
+// datain : 4 first bytes is data to be written.\r
+//        : 4/16 next bytes is authentication key.\r
+void MifareUWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)\r
 {\r
-       // params\r
        uint8_t blockNo = arg0;\r
+       bool useKey = (arg1 == 1); //UL_C\r
+       bool usePwd = (arg1 == 2); //UL_EV1/NTAG\r
        byte_t blockdata[4] = {0x00};\r
-       \r
-       memcpy(blockdata, datain,4);\r
 \r
-       // variables\r
-       byte_t isOK = 0;\r
-       uint8_t uid[10] = {0x00};\r
-       uint32_t cuid;\r
+       memcpy(blockdata, datain,4);\r
+       \r
+       LEDsoff();\r
+       LED_A_ON();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
        clear_trace();\r
+\r
+       if(!iso14443a_select_card(NULL, NULL, NULL)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       // UL-C authentication\r
+       if ( useKey ) {\r
+               uint8_t key[16] = {0x00};\r
+               memcpy(key, datain+4, sizeof(key) );\r
+\r
+               if ( !mifare_ultra_auth(key) ) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+       \r
+       // UL-EV1 / NTAG authentication\r
+       if (usePwd) {\r
+               uint8_t pwd[4] = {0x00};\r
+               memcpy(pwd, datain+4, 4);\r
+               uint8_t pack[4] = {0,0,0,0};\r
+               if (!mifare_ul_ev1_auth(pwd, pack)) {\r
+                       OnError(1);\r
+                       return;\r
+               }\r
+       }\r
+\r
+       if(mifare_ultra_writeblock(blockNo, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       if(mifare_ultra_halt()) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       if (MF_DBGLEVEL >= 2) DbpString("WRITE BLOCK FINISHED");\r
+\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+\r
+void MifareUSetPwd(uint8_t arg0, uint8_t *datain){\r
+       \r
+       uint8_t pwd[16] = {0x00};\r
+       byte_t blockdata[4] = {0x00};\r
+       \r
+       memcpy(pwd, datain, 16);\r
+       \r
+       LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
 \r
-       LED_A_ON();\r
-       LED_B_OFF();\r
-       LED_C_OFF();\r
+       clear_trace();\r
 \r
-       while (true) {\r
-               if(!iso14443a_select_card(uid, NULL, &cuid)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Can't select card");\r
-                       break;\r
-               };\r
+       if(!iso14443a_select_card(NULL, NULL, NULL)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
+               OnError(0);\r
+               return;\r
+       };\r
 \r
-               if(mifare_ultra_special_writeblock(cuid, blockNo, blockdata)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Write block error");\r
-                       break;\r
-               };\r
+       blockdata[0] = pwd[7];\r
+       blockdata[1] = pwd[6];\r
+       blockdata[2] = pwd[5];\r
+       blockdata[3] = pwd[4];\r
+       if(mifare_ultra_writeblock( 44, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(44);\r
+               return;\r
+       };\r
 \r
-               if(mifare_ultra_halt(cuid)) {\r
-                       if (MF_DBGLEVEL >= 1)   Dbprintf("Halt error");\r
-                       break;\r
-               };\r
+       blockdata[0] = pwd[3];\r
+       blockdata[1] = pwd[2];\r
+       blockdata[2] = pwd[1];\r
+       blockdata[3] = pwd[0];\r
+       if(mifare_ultra_writeblock( 45, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(45);\r
+               return;\r
+       };\r
 \r
-               isOK = 1;\r
-               break;\r
-       }\r
+       blockdata[0] = pwd[15];\r
+       blockdata[1] = pwd[14];\r
+       blockdata[2] = pwd[13];\r
+       blockdata[3] = pwd[12];\r
+       if(mifare_ultra_writeblock( 46, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(46);\r
+               return;\r
+       };\r
 \r
-       if (MF_DBGLEVEL >= 2)   DbpString("WRITE BLOCK FINISHED");\r
+       blockdata[0] = pwd[11];\r
+       blockdata[1] = pwd[10];\r
+       blockdata[2] = pwd[9];\r
+       blockdata[3] = pwd[8];\r
+       if(mifare_ultra_writeblock( 47, blockdata)) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Write block error");\r
+               OnError(47);\r
+               return;\r
+       };      \r
 \r
-       cmd_send(CMD_ACK,isOK,0,0,0,0);\r
+       if(mifare_ultra_halt()) {\r
+               if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");\r
+               OnError(0);\r
+               return;\r
+       };\r
+\r
+       cmd_send(CMD_ACK,1,0,0,0,0);\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
 }\r
@@ -534,19 +635,20 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
        uint32_t auth1_time, auth2_time;\r
        static uint16_t delta_time;\r
 \r
+       LED_A_ON();\r
+       LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
        // free eventually allocated BigBuf memory\r
        BigBuf_free();\r
-       // clear trace\r
+\r
        clear_trace();\r
        set_tracing(false);\r
        \r
-       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
-       LED_A_ON();\r
-       LED_C_OFF();\r
-\r
-\r
        // statistics on nonce distance\r
+       int16_t isOK = 0;\r
+       #define NESTED_MAX_TRIES 12\r
+       uint16_t unsuccessfull_tries = 0;\r
        if (calibrate) {        // for first call only. Otherwise reuse previous calibration\r
                LED_B_ON();\r
                WDT_HIT();\r
@@ -557,6 +659,12 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
                \r
                for (rtr = 0; rtr < 17; rtr++) {\r
 \r
+                       // Test if the action was cancelled\r
+                       if(BUTTON_PRESS()) {\r
+                               isOK = -2;\r
+                               break;\r
+                       }\r
+\r
                        // prepare next select. No need to power down the card.\r
                        if(mifare_classic_halt(pcs, cuid)) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Halt error");\r
@@ -604,14 +712,17 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
                                        delta_time = auth2_time - auth1_time + 32;  // allow some slack for proper timing\r
                                }\r
                                if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);\r
+                       } else {\r
+                               unsuccessfull_tries++;\r
+                               if (unsuccessfull_tries > NESTED_MAX_TRIES) {   // card isn't vulnerable to nested attack (random numbers are not predictable)\r
+                                       isOK = -3;\r
+                               }\r
                        }\r
                }\r
-               \r
-               if (rtr <= 1)   return;\r
 \r
                davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
                \r
-               if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);\r
+               if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);\r
 \r
                dmin = davg - 2;\r
                dmax = davg + 2;\r
@@ -619,12 +730,12 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
                LED_B_OFF();\r
        \r
        }\r
-//  -------------------------------------------------------------------------------------------------  \r
+       //  -------------------------------------------------------------------------------------------------   \r
        \r
        LED_C_ON();\r
 \r
        //  get crypted nonces for target sector\r
-       for(i=0; i < 2; i++) { // look for exactly two different nonces\r
+       for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces\r
 \r
                target_nt[i] = 0;\r
                while(target_nt[i] == 0) { // continue until we have an unambiguous nonce\r
@@ -648,7 +759,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
 \r
                        // nested authentication\r
                        auth2_time = auth1_time + delta_time;\r
-                       len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
+                       len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
                        if (len != 4) {\r
                                if (MF_DBGLEVEL >= 1)   Dbprintf("Nested: Auth2 error len=%d", len);\r
                                continue;\r
@@ -702,7 +813,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
        memcpy(buf+16, &target_ks[1], 4);\r
        \r
        LED_B_ON();\r
-       cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));\r
+       cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));\r
        LED_B_OFF();\r
 \r
        if (MF_DBGLEVEL >= 3)   DbpString("NESTED FINISHED");\r
@@ -737,15 +848,13 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
        int OLD_MF_DBGLEVEL = MF_DBGLEVEL;      \r
        MF_DBGLEVEL = MF_DBG_NONE;\r
        \r
-       // clear trace\r
-       clear_trace();\r
-       set_tracing(TRUE);\r
-\r
-       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+       clear_trace();\r
+       set_tracing(TRUE);\r
 \r
        for (i = 0; i < keyCount; i++) {\r
                if(mifare_classic_halt(pcs, cuid)) {\r
@@ -792,16 +901,23 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
 //-----------------------------------------------------------------------------\r
 // Work with emulator memory\r
 // \r
+// Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not\r
+// involved in dealing with emulator memory. But if it is called later, it might\r
+// destroy the Emulator Memory.\r
 //-----------------------------------------------------------------------------\r
+\r
 void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
        emlClearMem();\r
 }\r
 \r
 void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
        emlSetMem(datain, arg0, arg1); // data, block num, blocks count\r
 }\r
 \r
 void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+       FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
        byte_t buf[USB_CMD_DATA_SIZE];\r
        emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)\r
 \r
@@ -828,15 +944,13 @@ void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
        byte_t dataoutbuf2[16];\r
        uint8_t uid[10];\r
 \r
-       // clear trace\r
-       clear_trace();\r
-       set_tracing(false);\r
-       \r
-       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
        LED_A_ON();\r
        LED_B_OFF();\r
        LED_C_OFF();\r
+       iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+       \r
+       clear_trace();\r
+       set_tracing(false);\r
        \r
        bool isOK = true;\r
 \r
@@ -930,10 +1044,10 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
                LED_A_ON();\r
                LED_B_OFF();\r
                LED_C_OFF();\r
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
        \r
                clear_trace();\r
                set_tracing(TRUE);\r
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
        }\r
 \r
        while (true) {\r
@@ -1048,10 +1162,10 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
                LED_A_ON();\r
                LED_B_OFF();\r
                LED_C_OFF();\r
-       \r
+               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
                clear_trace();\r
                set_tracing(TRUE);\r
-               iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
        }\r
 \r
        while (true) {\r
@@ -1126,7 +1240,7 @@ void MifareCIdent(){
        cmd_send(CMD_ACK,isOK,0,0,0,0);\r
 }\r
 \r
-                       //\r
+//\r
 // DESFIRE\r
 //\r
 \r
@@ -1136,26 +1250,23 @@ void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){
        uint8_t uid[10] = {0x00};\r
        uint32_t cuid;\r
     \r
-       clear_trace();\r
        iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+       clear_trace();\r
 \r
        int len = iso14443a_select_card(uid, NULL, &cuid);\r
        if(!len) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)        \r
-                       Dbprintf("Can't select card");\r
-               //OnError(1);\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");\r
+               OnError(1);\r
                return;\r
        };\r
 \r
        if(mifare_desfire_des_auth1(cuid, dataout)){\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)        \r
-                       Dbprintf("Authentication part1: Fail.");\r
-               //OnError(4);\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");\r
+               OnError(4);\r
                return;\r
        }\r
 \r
        if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");\r
-    \r
     cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));\r
 }\r
 \r
@@ -1171,16 +1282,29 @@ void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){
        isOK = mifare_desfire_des_auth2(cuid, key, dataout);\r
        \r
        if( isOK) {\r
-           if (MF_DBGLEVEL >= MF_DBG_EXTENDED) \r
-                       Dbprintf("Authentication part2: Failed");  \r
-               //OnError(4);\r
+               if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Authentication part2: Failed");  \r
+               OnError(4);\r
                return;\r
        }\r
 \r
-       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) \r
-               DbpString("AUTH 2 FINISHED");\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");\r
 \r
        cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
 }\r
+\r
+void OnSuccess(){\r
+       pcb_blocknum = 0;\r
+       ReaderTransmit(deselect_cmd, 3 , NULL);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       LEDsoff();\r
+}\r
+\r
+void OnError(uint8_t reason){\r
+       pcb_blocknum = 0;\r
+       ReaderTransmit(deselect_cmd, 3 , NULL);\r
+       FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+       cmd_send(CMD_ACK,0,reason,0,0,0);\r
+       LEDsoff();\r
+}\r
index f79c2ede2d78676ddc6aef7b373129e3198a23ca..8ef364c259f0d16216834a87dac9bef073be1e92 100644 (file)
@@ -18,6 +18,7 @@
 #include "iso14443a.h"\r
 #include "crapto1.h"\r
 #include "mifareutil.h"\r
+#include "des.h"\r
 \r
 int MF_DBGLEVEL = MF_DBG_ALL;\r
 \r
@@ -64,55 +65,27 @@ uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data) {
        return bt;\r
 }\r
 \r
-// send commands\r
-int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)\r
+// send X byte basic commands\r
+int mifare_sendcmd(uint8_t cmd, uint8_t* data, uint8_t data_size, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)\r
 {\r
-       return mifare_sendcmd_shortex(pcs, crypted, cmd, data, answer, answer_parity, timing);
-}
-
-int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)
-{
-       uint8_t dcmd[8];
-    dcmd[0] = cmd;
-    dcmd[1] = data[0];
-       dcmd[2] = data[1];
-       dcmd[3] = data[2];
-       dcmd[4] = data[3];
-       dcmd[5] = data[4];
-       AppendCrc14443a(dcmd, 6);
-       ReaderTransmit(dcmd, sizeof(dcmd), NULL);
-       int len = ReaderReceive(answer, answer_parity);
-       if(!len) {
-                if (MF_DBGLEVEL >= 1)   Dbprintf("Authentication failed. Card timeout.");
-                return 2;
-    }\r
+       uint8_t dcmd[data_size+3];\r
+       dcmd[0] = cmd;\r
+       memcpy(dcmd+1,data,data_size);\r
+       AppendCrc14443a(dcmd, data_size+1);\r
+       ReaderTransmit(dcmd, sizeof(dcmd), timing);\r
+       int len = ReaderReceive(answer, answer_parity);\r
+       if(!len) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR)   Dbprintf("%02X Cmd failed. Card timeout.", cmd);\r
+                       len = ReaderReceive(answer,answer_parity);\r
+               //return 0;\r
+       }\r
        return len;\r
 }\r
 \r
-int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)\r
+// send 2 byte commands\r
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)\r
 {\r
-    uint8_t dcmd[19];\r
-       int len; \r
-    dcmd[0] = cmd;\r
-    memcpy(dcmd+1,data,16);\r
-       AppendCrc14443a(dcmd, 17);\r
-       \r
-       ReaderTransmit(dcmd, sizeof(dcmd), timing);\r
-       len = ReaderReceive(answer, answer_parity);\r
-       if(!len) {\r
-        if (MF_DBGLEVEL >= MF_DBG_ERROR)   Dbprintf("Authentication failed. Card timeout.");\r
-        len = ReaderReceive(answer,answer_parity);\r
-    }\r
-    if(len==1) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)   Dbprintf("NAK - Authentication failed.");\r
-               return 1;\r
-        }
-       return len;
-}
-
-int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)
-{
-       uint8_t dcmd[4], ecmd[4];
+       uint8_t dcmd[4], ecmd[4];\r
        uint16_t pos, res;\r
        uint8_t par[1];                 // 1 Byte parity is enough here\r
        dcmd[0] = cmd;\r
@@ -284,97 +257,152 @@ int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blo
        }\r
        \r
        memcpy(blockData, receivedAnswer, 16);\r
-       return 0;
-}
-
+       return 0;\r
+}\r
+\r
 // mifare ultralight commands\r
-int mifare_ultra_auth1(uint32_t uid, uint8_t *blockData){\r
+int mifare_ul_ev1_auth(uint8_t *keybytes, uint8_t *pack){\r
 \r
        uint16_t len;\r
-       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
-       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
-       \r
-       len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);\r
-       if (len == 1) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Error: %02x", receivedAnswer[0]);\r
-               return 1;\r
+       uint8_t resp[4];\r
+       uint8_t respPar[1];\r
+       uint8_t key[4] = {0x00};\r
+       memcpy(key, keybytes, 4);\r
+\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED)\r
+               Dbprintf("EV1 Auth : %02x%02x%02x%02x", key[0], key[1], key[2], key[3]);\r
+       len = mifare_sendcmd(0x1B, key, sizeof(key), resp, respPar, NULL);\r
+       //len = mifare_sendcmd_short_mfuev1auth(NULL, 0, 0x1B, key, resp, respPar, NULL);\r
+       if (len != 4) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x %u", resp[0], len);\r
+               return 0;\r
        }\r
-       if (len != 11)\r
-               return 1;\r
 \r
-       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {\r
-               Dbprintf("Auth1 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",\r
-                       receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],\r
-                       receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],\r
-                       receivedAnswer[10]);\r
-               }\r
-       memcpy(blockData, receivedAnswer, 11);\r
-       return 0;\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED)\r
+               Dbprintf("Auth Resp: %02x%02x%02x%02x", resp[0],resp[1],resp[2],resp[3]);\r
+\r
+       memcpy(pack, resp, 4);\r
+       return 1;\r
 }\r
 \r
-int mifare_ultra_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){\r
+int mifare_ultra_auth(uint8_t *keybytes){\r
+\r
+       /// 3des2k\r
+\r
+       uint8_t random_a[8] = {1,1,1,1,1,1,1,1};\r
+       uint8_t random_b[8] = {0x00};\r
+       uint8_t enc_random_b[8] = {0x00};\r
+       uint8_t rnd_ab[16] = {0x00};\r
+       uint8_t IV[8] = {0x00};\r
+       uint8_t key[16] = {0x00};\r
+       memcpy(key, keybytes, 16);\r
 \r
        uint16_t len;\r
-       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
-       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
+       uint8_t resp[19] = {0x00};\r
+       uint8_t respPar[3] = {0,0,0};\r
+\r
+       // REQUEST AUTHENTICATION\r
+       len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, resp, respPar ,NULL);\r
+       if (len != 11) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", resp[0]);\r
+               return 0;\r
+       }\r
+\r
+       // tag nonce.\r
+       memcpy(enc_random_b,resp+1,8);\r
+\r
+       // decrypt nonce.\r
+       tdes_2key_dec(random_b, enc_random_b, sizeof(random_b), key, IV );\r
+       rol(random_b,8);\r
+       memcpy(rnd_ab  ,random_a,8);\r
+       memcpy(rnd_ab+8,random_b,8);\r
+\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {\r
+               Dbprintf("enc_B: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                       enc_random_b[0],enc_random_b[1],enc_random_b[2],enc_random_b[3],enc_random_b[4],enc_random_b[5],enc_random_b[6],enc_random_b[7]);\r
+\r
+               Dbprintf("    B: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                       random_b[0],random_b[1],random_b[2],random_b[3],random_b[4],random_b[5],random_b[6],random_b[7]);\r
+\r
+               Dbprintf("rnd_ab: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                               rnd_ab[0],rnd_ab[1],rnd_ab[2],rnd_ab[3],rnd_ab[4],rnd_ab[5],rnd_ab[6],rnd_ab[7]);\r
+\r
+               Dbprintf("rnd_ab: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                               rnd_ab[8],rnd_ab[9],rnd_ab[10],rnd_ab[11],rnd_ab[12],rnd_ab[13],rnd_ab[14],rnd_ab[15] );\r
+       }\r
+\r
+       // encrypt    out, in, length, key, iv\r
+       tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);\r
+       //len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, resp, respPar, NULL);\r
+       len = mifare_sendcmd(0xAF, rnd_ab, sizeof(rnd_ab), resp, respPar, NULL);\r
+       if (len != 11) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", resp[0]);\r
+               return 0;\r
+       }\r
+\r
+       uint8_t enc_resp[8] = { 0,0,0,0,0,0,0,0 };\r
+       uint8_t resp_random_a[8] = { 0,0,0,0,0,0,0,0 };\r
+       memcpy(enc_resp, resp+1, 8);\r
+\r
+       // decrypt    out, in, length, key, iv \r
+       tdes_2key_dec(resp_random_a, enc_resp, 8, key, enc_random_b);\r
+       if ( memcmp(resp_random_a, random_a, 8) != 0 ) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("failed authentication");\r
+               return 0;\r
+       }\r
+\r
+       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {\r
+               Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", \r
+                               rnd_ab[0],rnd_ab[1],rnd_ab[2],rnd_ab[3],\r
+                               rnd_ab[4],rnd_ab[5],rnd_ab[6],rnd_ab[7]);\r
+\r
+               Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                               rnd_ab[8],rnd_ab[9],rnd_ab[10],rnd_ab[11],\r
+                               rnd_ab[12],rnd_ab[13],rnd_ab[14],rnd_ab[15]);\r
+\r
+               Dbprintf("a: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                               random_a[0],random_a[1],random_a[2],random_a[3],\r
+                               random_a[4],random_a[5],random_a[6],random_a[7]);\r
+\r
+               Dbprintf("b: %02x %02x %02x %02x %02x %02x %02x %02x",\r
+                               resp_random_a[0],resp_random_a[1],resp_random_a[2],resp_random_a[3],\r
+                               resp_random_a[4],resp_random_a[5],resp_random_a[6],resp_random_a[7]);\r
+       }\r
+       return 1;\r
+}\r
+\r
+int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData)\r
+{\r
+       uint16_t len;\r
+       uint8_t bt[2];\r
+       uint8_t receivedAnswer[MAX_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_PARITY_SIZE];\r
        \r
-       len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, key, receivedAnswer, receivedAnswerPar, NULL);\r
+\r
+       len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);\r
        if (len == 1) {\r
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Error: %02x", receivedAnswer[0]);\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);\r
                return 1;\r
        }\r
-       if (len != 11)\r
-               return 1;       \r
-       \r
-       if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {\r
-               Dbprintf("Auth2 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",\r
-                       receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],\r
-                       receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],\r
-                       receivedAnswer[10]);\r
+       if (len != 18) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: card timeout. len: %x", len);\r
+               return 2;\r
        }\r
-       memcpy(blockData, receivedAnswer, 11);\r
+    \r
+       memcpy(bt, receivedAnswer + 16, 2);\r
+       AppendCrc14443a(receivedAnswer, 16);\r
+       if (bt[0] != receivedAnswer[16] || bt[1] != receivedAnswer[17]) {\r
+               if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd CRC response error.");\r
+               return 3;\r
+       }\r
+       \r
+       memcpy(blockData, receivedAnswer, 14);\r
        return 0;\r
 }\r
 \r
-int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
-{
-       uint16_t len;
-       uint8_t bt[2];
-       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
-       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
-       
-       \r
-       // command MIFARE_CLASSIC_READBLOCK
-       len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);
-       if (len == 1) {
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
-               return 1;
-       }
-       if (len != 18) {
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Error: card timeout. len: %x", len);
-               return 2;
-       }
-    
-       memcpy(bt, receivedAnswer + 16, 2);
-       AppendCrc14443a(receivedAnswer, 16);
-       if (bt[0] != receivedAnswer[16] || bt[1] != receivedAnswer[17]) {
-               if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd CRC response error.");
-               return 3;
-       }
-       
-       memcpy(blockData, receivedAnswer, 14);
-       return 0;
-}
-
-
-int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) 
-{
-       // variables
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData) \r
+{\r
+       // variables\r
        uint16_t len, i;        \r
        uint32_t pos;\r
        uint8_t par[3] = {0};           // enough for 18 Bytes to send\r
@@ -416,65 +444,66 @@ int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t bl
                return 2;\r
        }\r
        \r
-       return 0;
-}
-
-int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData) 
-{
-    uint16_t len;     
-    uint8_t par[3] = {0};  // enough for 18 parity bits
-       uint8_t d_block[18] = {0x00};
-       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
-       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
-        
-    // command MIFARE_CLASSIC_WRITEBLOCK
-    len = mifare_sendcmd_short(NULL, true, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL);
-
-    if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK
+       return 0;\r
+}\r
+\r
+/* // command not needed, but left for future testing\r
+int mifare_ultra_writeblock_compat(uint8_t blockNo, uint8_t *blockData) \r
+{\r
+       uint16_t len;\r
+       uint8_t par[3] = {0};  // enough for 18 parity bits\r
+       uint8_t d_block[18] = {0x00};\r
+       uint8_t receivedAnswer[MAX_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_PARITY_SIZE];\r
+\r
+       len = mifare_sendcmd_short(NULL, true, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL);\r
+\r
+       if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK\r
                if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Addr Error: %02x", receivedAnswer[0]);  
-        return 1;
-    }
-
-       memcpy(d_block, blockData, 16);
-    AppendCrc14443a(d_block, 16);
-
-       ReaderTransmitPar(d_block, sizeof(d_block), par, NULL);
-
-    len = ReaderReceive(receivedAnswer, receivedAnswerPar);    
-
-       if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK
+                       Dbprintf("Cmd Addr Error: %02x", receivedAnswer[0]);\r
+               return 1;\r
+       }\r
+\r
+       memcpy(d_block, blockData, 16);\r
+       AppendCrc14443a(d_block, 16);\r
+\r
+       ReaderTransmitPar(d_block, sizeof(d_block), par, NULL);\r
+\r
+       len = ReaderReceive(receivedAnswer, receivedAnswerPar);\r
+\r
+       if ((len != 1) || (receivedAnswer[0] != 0x0A)) {   //  0x0a - ACK\r
                if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Data Error: %02x %d", receivedAnswer[0],len);
-        return 2;
-    }        
-    return 0;
-} 
-
-int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
-{
-    uint16_t len;
-       uint8_t d_block[8] = {0x00};
+                       Dbprintf("Cmd Data Error: %02x %d", receivedAnswer[0],len);\r
+               return 2;\r
+       }\r
+       return 0;\r
+}\r
+*/\r
+\r
+int mifare_ultra_writeblock(uint8_t blockNo, uint8_t *blockData)\r
+{\r
+       uint16_t len;\r
+       uint8_t d_block[5] = {0x00};\r
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
-
-    // command MIFARE_CLASSIC_WRITEBLOCK
-       d_block[0]= blockNo;
-       memcpy(d_block+1,blockData,4);
-       AppendCrc14443a(d_block, 6);
-
-    len = mifare_sendcmd_short_special(NULL, 1, 0xA2, d_block, receivedAnswer, receivedAnswerPar, NULL);
-
-    if (receivedAnswer[0] != 0x0A) {   //  0x0a - ACK
+\r
+       // command MIFARE_CLASSIC_WRITEBLOCK\r
+       d_block[0]= blockNo;\r
+       memcpy(d_block+1,blockData,4);\r
+       //AppendCrc14443a(d_block, 6);\r
+\r
+       len = mifare_sendcmd(0xA2, d_block, sizeof(d_block), receivedAnswer, receivedAnswerPar, NULL);\r
+\r
+       if (receivedAnswer[0] != 0x0A) {   //  0x0a - ACK\r
                if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("Cmd Send Error: %02x %d", receivedAnswer[0],len);
-        return 1;
-    }
-\r    return 0;
-}
-
-int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid) 
-{
+                       Dbprintf("Cmd Send Error: %02x %d", receivedAnswer[0],len);\r
+               return 1;\r
+       }\r
+       return 0;\r
+}\r
+\r
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid) \r
+{\r
        uint16_t len;   \r
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
@@ -486,24 +515,24 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
                return 1;\r
        }\r
 \r
-       return 0;
-}
-
-int mifare_ultra_halt(uint32_t uid)
-{
-       uint16_t len;
+       return 0;\r
+}\r
+\r
+int mifare_ultra_halt()\r
+{\r
+       uint16_t len;\r
        uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
        uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
-    
-       len = mifare_sendcmd_short(NULL, true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);
-       if (len != 0) {
+    \r
+       len = mifare_sendcmd_short(NULL, true, 0x50, 0x00, receivedAnswer, receivedAnswerPar, NULL);\r
+       if (len != 0) {\r
                if (MF_DBGLEVEL >= MF_DBG_ERROR)\r
-                       Dbprintf("halt error. response len: %x", len);
-               return 1;
-       }
-       return 0;
-}
-
+                       Dbprintf("halt error. response len: %x", len);\r
+               return 1;\r
+       }\r
+       return 0;\r
+}\r
+\r
 \r
 // Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards),\r
 // plus evtl. 8 sectors with 16 blocks each (4k cards)\r
@@ -525,9 +554,9 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo)
 }\r
 \r
 \r
-// work with emulator memory
-void emlSetMem(uint8_t *data, int blockNum, int blocksCount) {
-       uint8_t* emCARD = BigBuf_get_EM_addr();
+// work with emulator memory\r
+void emlSetMem(uint8_t *data, int blockNum, int blocksCount) {\r
+       uint8_t* emCARD = BigBuf_get_EM_addr();\r
        memcpy(emCARD + blockNum * 16, data, blocksCount * 16);\r
 }\r
 \r
@@ -654,8 +683,8 @@ int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData){
        int len;\r
        // load key, keynumber\r
        uint8_t data[2]={0x0a, 0x00};\r
-       uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
-       uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];\r
+       uint8_t receivedAnswer[MAX_FRAME_SIZE];\r
+       uint8_t receivedAnswerPar[MAX_PARITY_SIZE];\r
        \r
        len = mifare_sendcmd_special(NULL, 1, 0x02, data, receivedAnswer,receivedAnswerPar,NULL);\r
        if (len == 1) {\r
@@ -706,4 +735,4 @@ int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){
                return 0;\r
        }\r
        return 1;\r
-}
+}\r
index 195afa534b45e639e5488163e9068be41385c99d..85a34ef62104fa2445503eac3517436d43fa8438 100644 (file)
@@ -52,33 +52,33 @@ extern int MF_DBGLEVEL;
 \r
 #define cardSTATE_TO_IDLE() cardSTATE = MFEMUL_IDLE; LED_B_OFF(); LED_C_OFF();\r
 \r
-//functions
-int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
-int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
+//functions\r
+int mifare_sendcmd(uint8_t cmd, uint8_t *data, uint8_t data_size, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);\r
+int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);\r
 \r
-int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing);\r
-int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);
-
+// mifare classic\r
 int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested);\r
-int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);
-int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); 
-int mifare_ultra_auth1(uint32_t cuid, uint8_t *blockData);\r
-int mifare_ultra_auth2(uint32_t cuid, uint8_t *key, uint8_t *blockData);\r
-int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData);
-int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid); 
-int mifare_ultra_halt(uint32_t uid);
+int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);\r
+int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);\r
+int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid); \r
+int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);\r
+\r
+// Ultralight/NTAG...\r
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack);\r
+int mifare_ultra_auth(uint8_t *key);\r
+int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData);\r
+//int mifare_ultra_writeblock_compat(uint8_t blockNo, uint8_t *blockData);\r
+int mifare_ultra_writeblock(uint8_t blockNo, uint8_t *blockData);\r
+int mifare_ultra_halt();\r
 \r
 // desfire\r
 int mifare_sendcmd_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);\r
 int mifare_sendcmd_special2(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer,uint8_t *answer_parity, uint32_t *timing);\r
 int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData);\r
 int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData);\r
-
-// crypto functions
-void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);
+\r
+// crypto functions\r
+void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *receivedCmd, int len);\r
 void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, uint8_t *par);\r
 uint8_t mf_crypto1_encrypt4bit(struct Crypto1State *pcs, uint8_t data);\r
 \r
@@ -93,7 +93,7 @@ void emlGetMem(uint8_t *data, int blockNum, int blocksCount);
 void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount);\r
 uint64_t emlGetKey(int sectorNum, int keyType);\r
 int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum);\r
-int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum);
-int emlCheckValBl(int blockNum);
-
-#endif
+int emlSetValBl(uint32_t blReg, uint8_t blBlock, int blockNum);\r
+int emlCheckValBl(int blockNum);\r
+\r
+#endif\r
index 444b93d09f688db68b71d152745c3a92f84c6b43..bfaf5088fa4ae7cba28e2cc58a489c81b16c3180 100644 (file)
 **/
 
 #include "optimized_cipher.h"
-#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdbool.h>
 #include <stdint.h>
-#include <time.h>
 
 
 #define opt_T(s) (0x1 & ((s->t >> 15) ^ (s->t >> 14)^ (s->t >> 10)^ (s->t >> 8)^ (s->t >> 5)^ (s->t >> 4)^ (s->t >> 1)^ s->t))
index d7332bda5682255bb03e4d306e87763d97218a51..f1e58ab0ed9359e80714c4be2fd146494b9fa4d4 100644 (file)
 
 #include "proxmark3.h"
 #include "apps.h"
+#include "zlib.h"
+#include "BigBuf.h"
+
+static uint8_t *next_free_memory;
+extern struct common_area common_area;
+extern char __data_src_start__, __data_start__, __data_end__, __bss_start__, __bss_end__;
+
+
+static voidpf inflate_malloc(voidpf opaque, uInt items, uInt size)
+{
+       uint8_t *allocated_memory;
+       
+       allocated_memory = next_free_memory;
+       next_free_memory += items*size;
+       return allocated_memory;
+}
+
+
+static void inflate_free(voidpf opaque, voidpf address)
+{
+       // nothing to do
+       
+}
+
+static void uncompress_data_section(void)
+{
+       z_stream data_section;
+
+       next_free_memory = BigBuf_get_addr();
+       
+       // initialize zstream structure
+       data_section.next_in = (uint8_t *) &__data_src_start__;
+       data_section.avail_in = &__data_end__ - &__data_start__;  // uncompressed size. Wrong but doesn't matter.
+       data_section.next_out = (uint8_t *) &__data_start__;
+       data_section.avail_out = &__data_end__ - &__data_start__;  // uncompressed size. Correct.
+       data_section.zalloc = &inflate_malloc;
+       data_section.zfree = &inflate_free;
+       data_section.opaque = NULL;
+
+       // initialize zlib for inflate
+       inflateInit2(&data_section, 15);
+
+       // uncompress data segment to RAM
+       inflate(&data_section, Z_FINISH);
+       
+       // save the size of the compressed data section
+       common_area.arg1 = data_section.total_in;
+}
+
 
-extern char __data_start__, __data_src_start__,  __data_end__, __bss_start__, __bss_end__;
 void __attribute__((section(".startos"))) Vector(void)
 {
        /* Stack should have been set up by the bootloader */
-       char *src, *dst, *end;
+       // char *src;
+       char *dst, *end;
+       
+       uncompress_data_section();
 
        /* Set up (that is: clear) BSS. */
        dst = &__bss_start__;
        end = &__bss_end__;
        while(dst < end) *dst++ = 0;
 
-       /* Set up data segment: Copy from flash to ram */
-       src = &__data_src_start__;
-       dst = &__data_start__;
-       end = &__data_end__;
-       while(dst < end) *dst++ = *src++;
+       // Set up data segment: Copy from flash to ram
+       // src = &__data_src_start__;
+       // dst = &__data_start__;
+       // end = &__data_end__;
+       // while(dst < end) *dst++ = *src++;
+
 
        AppMain();
 }
index 74fba94b764db748cf6a377ba23b96f5d06bc304..8576ddce5fcb7c641236d214bb224ca3221769b1 100644 (file)
@@ -268,15 +268,15 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers
        dst[0] = 0;
        strncat(dst, prefix, len-1);
        if(v->magic != VERSION_INFORMATION_MAGIC) {
-               strncat(dst, "Missing/Invalid version information", len - strlen(dst) - 1);
+               strncat(dst, "Missing/Invalid version information\n", len - strlen(dst) - 1);
                return;
        }
        if(v->versionversion != 1) {
-               strncat(dst, "Version information not understood", len - strlen(dst) - 1);
+               strncat(dst, "Version information not understood\n", len - strlen(dst) - 1);
                return;
        }
        if(!v->present) {
-               strncat(dst, "Version information not available", len - strlen(dst) - 1);
+               strncat(dst, "Version information not available\n", len - strlen(dst) - 1);
                return;
        }
 
@@ -289,6 +289,7 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers
 
        strncat(dst, " ", len - strlen(dst) - 1);
        strncat(dst, v->buildtime, len - strlen(dst) - 1);
+       strncat(dst, "\n", len - strlen(dst) - 1);
 }
 
 //  -------------------------------------------------------------------------
index 48cbdfaa9d1c27107846d5ce566021b33dbf3db4..f768f3d8ef1e3e6328472151a8433a5b72fcb437 100644 (file)
@@ -9,12 +9,13 @@ include ../common/Makefile.common
 CC=gcc
 CXX=g++
 #COMMON_FLAGS = -m32
-VPATH = ../common
+VPATH = ../common ../zlib
 OBJDIR = obj
 
-LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lreadline -lpthread -lm
+LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread -lm
+LUALIB = ../liblua/liblua.a
 LDFLAGS = $(COMMON_FLAGS)
-CFLAGS = -std=c99 -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
+CFLAGS = -std=c99 -I. -I../include -I../common -I../zlib -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
 LUAPLATFORM = generic
 
 ifneq (,$(findstring MINGW,$(platform)))
@@ -35,14 +36,13 @@ else ifeq ($(platform),Darwin)
 else
     CXXFLAGS = $(shell pkg-config --cflags QtCore QtGui 2>/dev/null) -Wall -O4
     QTLDLIBS = $(shell pkg-config --libs QtCore QtGui 2>/dev/null)
+    LUALIB +=  -ldl
     MOC = $(shell pkg-config --variable=moc_location QtCore)
-    LDLIBS +=  -ldl
     # Below is a variant you can use if you have problems compiling with QT5 on ubuntu. see http://www.proxmark.org/forum/viewtopic.php?id=1661 for more info. 
     #MOC = /usr/lib/x86_64-linux-gnu/qt4/bin/moc
     LUAPLATFORM = linux
 endif
 
-
 ifneq ($(QTLDLIBS),)
     QTGUI = $(OBJDIR)/proxgui.o $(OBJDIR)/proxguiqt.o $(OBJDIR)/proxguiqt.moc.o
     CFLAGS += -DHAVE_GUI
@@ -57,65 +57,73 @@ CORESRCS =  uart.c \
 
 
 CMDSRCS =      nonce2key/crapto1.c\
-               nonce2key/crypto1.c\
-               nonce2key/nonce2key.c\
-               loclass/cipher.c \
-               loclass/cipherutils.c \
-               loclass/des.c \
-               loclass/ikeys.c \
-               loclass/elite_crack.c\
-               loclass/fileutils.c\
-               mifarehost.c\
-               crc.c \
-               crc16.c \
-               iso14443crc.c \
-               iso15693tools.c \
-               data.c \
-               graph.c \
-               ui.c \
-               cmddata.c \
-               lfdemod.c \
-               cmdhf.c \
-               cmdhf14a.c \
-               cmdhf14b.c \
-               cmdhf15.c \
-               cmdhfepa.c \
-               cmdhflegic.c \
-               cmdhficlass.c \
-               cmdhfmf.c \
-        cmdhfmfu.c \
-               cmdhftopaz.c \
-               cmdhw.c \
-               cmdlf.c \
-               cmdlfio.c \
-               cmdlfhid.c \
-               cmdlfem4x.c \
-               cmdlfhitag.c \
-               cmdlfti.c \
-               cmdparser.c \
-               cmdmain.c \
-               cmdlft55xx.c \
-               cmdlfpcf7931.c\
-               pm3_binlib.c\
-               scripting.c\
-               cmdscript.c\
-               pm3_bitlib.c\
-               aes.c\
-               protocols.c
+                       nonce2key/crypto1.c\
+                       nonce2key/nonce2key.c\
+                       loclass/cipher.c \
+                       loclass/cipherutils.c \
+                       loclass/des.c \
+                       loclass/ikeys.c \
+                       loclass/elite_crack.c\
+                       loclass/fileutils.c\
+                       mifarehost.c\
+                       crc.c \
+                       crc16.c \
+                       crc64.c \
+                       iso14443crc.c \
+                       iso15693tools.c \
+                       data.c \
+                       graph.c \
+                       ui.c \
+                       cmddata.c \
+                       lfdemod.c \
+                       cmdhf.c \
+                       cmdhf14a.c \
+                       cmdhf14b.c \
+                       cmdhf15.c \
+                       cmdhfepa.c \
+                       cmdhflegic.c \
+                       cmdhficlass.c \
+                       cmdhfmf.c \
+            cmdhfmfu.c \
+                       cmdhftopaz.c \
+                       cmdhw.c \
+                       cmdlf.c \
+                       cmdlfio.c \
+                       cmdlfhid.c \
+                       cmdlfem4x.c \
+                       cmdlfhitag.c \
+                       cmdlfti.c \
+                       cmdparser.c \
+                       cmdmain.c \
+                       cmdlft55xx.c \
+                       cmdlfpcf7931.c\
+                       pm3_binlib.c\
+                       scripting.c\
+                       cmdscript.c\
+                       pm3_bitlib.c\
+                       aes.c\
+                       protocols.c\
+                       sha1.c\
+
+ZLIBSRCS = deflate.c adler32.c trees.c zutil.c inflate.c inffast.c inftrees.c
+ZLIB_FLAGS = -DZ_SOLO -DZ_PREFIX -DNO_GZIP -DZLIB_PM3_TUNED 
+#-DDEBUG -Dverbose=1
+
 
 COREOBJS = $(CORESRCS:%.c=$(OBJDIR)/%.o)
 CMDOBJS = $(CMDSRCS:%.c=$(OBJDIR)/%.o)
+ZLIBOBJS = $(ZLIBSRCS:%.c=$(OBJDIR)/%.o)
 
 RM = rm -f
-BINS = proxmark3 flasher #snooper cli
-CLEAN = cli cli.exe flasher flasher.exe proxmark3 proxmark3.exe snooper snooper.exe $(CMDOBJS) $(OBJDIR)/*.o *.o *.moc.cpp
+BINS = proxmark3 flasher fpga_compress #snooper cli
+CLEAN = cli cli.exe flasher flasher.exe proxmark3 proxmark3.exe fpga_compress fpga_compress.exe snooper snooper.exe $(CMDOBJS) $(OBJDIR)/*.o *.o *.moc.cpp
 
 all: lua_build $(BINS) 
 
 all-static: LDLIBS:=-static $(LDLIBS)
-all-static: snooper cli flasher
-       
-proxmark3: LDLIBS+=$(QTLDLIBS)
+all-static: snooper cli flasher fpga_compress
+
+proxmark3: LDLIBS+=$(LUALIB) $(QTLDLIBS)
 proxmark3: $(OBJDIR)/proxmark3.o $(COREOBJS) $(CMDOBJS) $(QTGUI)
        $(CXX) $(CXXFLAGS) $^ $(LDLIBS) -o $@
 
@@ -128,8 +136,11 @@ cli: $(OBJDIR)/cli.o $(COREOBJS) $(CMDOBJS) $(OBJDIR)/guidummy.o
 flasher: $(OBJDIR)/flash.o $(OBJDIR)/flasher.o $(COREOBJS)
        $(CXX) $(CXXFLAGS) $^ $(LDLIBS) -o $@
 
+fpga_compress: $(OBJDIR)/fpga_compress.o $(ZLIBOBJS)
+       $(CXX) $(CXXFLAGS) $(ZLIB_FLAGS) $^ $(LDLIBS) -o $@
+
 $(OBJDIR)/%.o: %.c
-       $(CC) $(CFLAGS) -c -o $@ $<
+       $(CC) $(CFLAGS) $(ZLIB_FLAGS) -c -o $@ $<
 
 $(OBJDIR)/%.o: %.cpp
        $(CXX) $(CXXFLAGS) -c -o $@ $<
index 5595998445db159118df4cdceb26d81e8e259359..bec1b5aa3f4d4394f011394fa61edca5b9a06767 100644 (file)
 #include "lfdemod.h"
 #include "usb_cmd.h"
 #include "crc.h"
+#include "crc16.h"
 
 uint8_t DemodBuffer[MAX_DEMOD_BUF_LEN];
 uint8_t g_debugMode;
-int DemodBufferLen;
+size_t DemodBufferLen;
 static int CmdHelp(const char *Cmd);
 
 //set the demod buffer with given array of binary (one bit per byte)
@@ -55,164 +56,82 @@ int CmdSetDebugMode(const char *Cmd)
        return 1;
 }
 
+int usage_data_printdemodbuf(){
+               PrintAndLog("Usage: data printdemodbuffer x o <offset>");
+               PrintAndLog("Options:        ");
+               PrintAndLog("       h          This help");
+               PrintAndLog("       x          output in hex (omit for binary output)");
+               PrintAndLog("       o <offset> enter offset in # of bits");
+               return 0;       
+}
+
 //by marshmellow
 void printDemodBuff(void)
 {
-       uint32_t i = 0;
        int bitLen = DemodBufferLen;
-       if (bitLen<16) {
+       if (bitLen<1) {
                PrintAndLog("no bits found in demod buffer");
                return;
        }
        if (bitLen>512) bitLen=512; //max output to 512 bits if we have more - should be plenty
 
-       // ensure equally divided by 16
-       bitLen &= 0xfff0;
-
-       for (i = 0; i <= (bitLen-16); i+=16) {
-               PrintAndLog("%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i%i",
-                   DemodBuffer[i],
-                   DemodBuffer[i+1],
-                   DemodBuffer[i+2],
-                   DemodBuffer[i+3],
-                   DemodBuffer[i+4],
-                   DemodBuffer[i+5],
-                   DemodBuffer[i+6],
-                   DemodBuffer[i+7],
-                   DemodBuffer[i+8],
-                   DemodBuffer[i+9],
-                   DemodBuffer[i+10],
-                   DemodBuffer[i+11],
-                   DemodBuffer[i+12],
-                   DemodBuffer[i+13],
-                   DemodBuffer[i+14],
-                   DemodBuffer[i+15]
-               );
-       }
+       char *bin = sprint_bin_break(DemodBuffer,bitLen,16);
+       PrintAndLog("%s",bin);
+
        return;
 }
 
 int CmdPrintDemodBuff(const char *Cmd)
 {
-       char hex;
-       char printBuff[512]={0x00};
-       uint8_t numBits = DemodBufferLen & 0xFFF0;
-       sscanf(Cmd, "%c", &hex);
-       if (hex == 'h'){
-               PrintAndLog("Usage: data printdemodbuffer [x]");
-               PrintAndLog("Options:        ");
-               PrintAndLog("       h       This help");
-               PrintAndLog("       x       output in hex (omit for binary output)");
-               return 0;
-       }
-       if (hex == 'x'){
-               numBits = binarraytohex(printBuff, (char *)DemodBuffer, numBits);
-               if (numBits==0) return 0;
-               PrintAndLog("DemodBuffer: %s",printBuff);
-       } else {
-               printDemodBuff();
-       }
-       return 1;
-}
-int CmdAmp(const char *Cmd)
-{
-       int i, rising, falling;
-       int max = INT_MIN, min = INT_MAX;
-
-       for (i = 10; i < GraphTraceLen; ++i) {
-               if (GraphBuffer[i] > max)
-                       max = GraphBuffer[i];
-               if (GraphBuffer[i] < min)
-                       min = GraphBuffer[i];
-       }
-
-       if (max != min) {
-               rising = falling= 0;
-               for (i = 0; i < GraphTraceLen; ++i) {
-                       if (GraphBuffer[i + 1] < GraphBuffer[i]) {
-                               if (rising) {
-                                       GraphBuffer[i] = max;
-                                       rising = 0;
-                               }
-                               falling = 1;
-                       }
-                       if (GraphBuffer[i + 1] > GraphBuffer[i]) {
-                               if (falling) {
-                                       GraphBuffer[i] = min;
-                                       falling = 0;
-                               }
-                               rising= 1;
-                       }
+       char hex[512]={0x00};
+       bool hexMode = false;
+       bool errors = false;
+       uint8_t offset = 0;
+       char cmdp = 0;
+       while(param_getchar(Cmd, cmdp) != 0x00)
+       {
+               switch(param_getchar(Cmd, cmdp))
+               {
+               case 'h':
+               case 'H':
+                       return usage_data_printdemodbuf();
+               case 'x':
+               case 'X':
+                       hexMode = true;
+                       cmdp++;
+                       break;
+               case 'o':
+               case 'O':
+                       offset = param_get8(Cmd, cmdp+1);
+                       if (!offset) errors = true;
+                       cmdp += 2;
+                       break;
+               default:
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+                       errors = true;
+                       break;
                }
+               if(errors) break;
        }
-       RepaintGraphWindow();
-       return 0;
-}
-
-/*
- * Generic command to demodulate ASK.
- *
- * Argument is convention: positive or negative (High mod means zero
- * or high mod means one)
- *
- * Updates the Graph trace with 0/1 values
- *
- * Arguments:
- * c : 0 or 1  (or invert)
- */
- //this method ignores the clock
+       //Validations
+       if(errors) return usage_data_printdemodbuf();
 
- //this function strictly converts highs and lows to 1s and 0s for each sample in the graphbuffer
-int Cmdaskdemod(const char *Cmd)
-{
-       int i;
-       int c, high = 0, low = 0;
-
-       sscanf(Cmd, "%i", &c);
+       int numBits = (DemodBufferLen-offset) & 0x7FC; //make sure we don't exceed our string
 
-       /* Detect high and lows */
-       for (i = 0; i < GraphTraceLen; ++i)
-       {
-               if (GraphBuffer[i] > high)
-                       high = GraphBuffer[i];
-               else if (GraphBuffer[i] < low)
-                       low = GraphBuffer[i];
-       }
-       high=abs(high*.75);
-       low=abs(low*.75);
-   &nb