]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
Added script to dump ndef-compliant tags. Written in collaboration with @asper
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
b62a5a84 2// Merlok - June 2011, 2012
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
902cb3c0 17#include "cmd.h"
9ab7a6c7 18
15c4dc5a 19#include "iso14443crc.h"
534983d7 20#include "iso14443a.h"
20f9a2a1
M
21#include "crapto1.h"
22#include "mifareutil.h"
15c4dc5a 23
534983d7 24static uint32_t iso14a_timeout;
d19929cb 25uint8_t *trace = (uint8_t *) BigBuf+TRACE_OFFSET;
1e262141 26int traceLen = 0;
27int rsamples = 0;
28int tracing = TRUE;
29uint8_t trigger = 0;
b0127e65 30// the block number for the ISO14443-4 PCB
31static uint8_t iso14_pcb_blocknum = 0;
15c4dc5a 32
8f51ddb0 33// CARD TO READER - manchester
72934aa3 34// Sequence D: 11110000 modulation with subcarrier during first half
35// Sequence E: 00001111 modulation with subcarrier during second half
36// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 37// READER TO CARD - miller
72934aa3 38// Sequence X: 00001100 drop after half a period
39// Sequence Y: 00000000 no drop
40// Sequence Z: 11000000 drop at start
41#define SEC_D 0xf0
42#define SEC_E 0x0f
43#define SEC_F 0x00
44#define SEC_X 0x0c
45#define SEC_Y 0x00
46#define SEC_Z 0xc0
15c4dc5a 47
1e262141 48const uint8_t OddByteParity[256] = {
15c4dc5a 49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
62 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
63 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
64 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
65};
66
1e262141 67
902cb3c0 68void iso14a_set_trigger(bool enable) {
534983d7 69 trigger = enable;
70}
71
902cb3c0 72void iso14a_clear_trace() {
73 memset(trace, 0x44, TRACE_SIZE);
8556b852
M
74 traceLen = 0;
75}
d19929cb 76
902cb3c0 77void iso14a_set_tracing(bool enable) {
8556b852
M
78 tracing = enable;
79}
d19929cb 80
b0127e65 81void iso14a_set_timeout(uint32_t timeout) {
82 iso14a_timeout = timeout;
83}
8556b852 84
15c4dc5a 85//-----------------------------------------------------------------------------
86// Generate the parity value for a byte sequence
e30c654b 87//
15c4dc5a 88//-----------------------------------------------------------------------------
20f9a2a1
M
89byte_t oddparity (const byte_t bt)
90{
5f6d6c90 91 return OddByteParity[bt];
20f9a2a1
M
92}
93
f7e3ed82 94uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 95{
5f6d6c90 96 int i;
97 uint32_t dwPar = 0;
72934aa3 98
5f6d6c90 99 // Generate the encrypted data
100 for (i = 0; i < iLen; i++) {
101 // Save the encrypted parity bit
102 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
103 }
104 return dwPar;
15c4dc5a 105}
106
534983d7 107void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 108{
5f6d6c90 109 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
15c4dc5a 110}
111
1e262141 112// The function LogTrace() is also used by the iClass implementation in iClass.c
5cd9ec01 113int RAMFUNC LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 114{
115 // Return when trace is full
81cd0474 116 if (traceLen >= TRACE_SIZE) return FALSE;
e30c654b 117
15c4dc5a 118 // Trace the random, i'm curious
119 rsamples += iSamples;
120 trace[traceLen++] = ((rsamples >> 0) & 0xff);
121 trace[traceLen++] = ((rsamples >> 8) & 0xff);
122 trace[traceLen++] = ((rsamples >> 16) & 0xff);
123 trace[traceLen++] = ((rsamples >> 24) & 0xff);
124 if (!bReader) {
125 trace[traceLen - 1] |= 0x80;
126 }
127 trace[traceLen++] = ((dwParity >> 0) & 0xff);
128 trace[traceLen++] = ((dwParity >> 8) & 0xff);
129 trace[traceLen++] = ((dwParity >> 16) & 0xff);
130 trace[traceLen++] = ((dwParity >> 24) & 0xff);
131 trace[traceLen++] = iLen;
132 memcpy(trace + traceLen, btBytes, iLen);
133 traceLen += iLen;
134 return TRUE;
135}
136
15c4dc5a 137//-----------------------------------------------------------------------------
138// The software UART that receives commands from the reader, and its state
139// variables.
140//-----------------------------------------------------------------------------
b62a5a84 141static tUart Uart;
15c4dc5a 142
6c1e2d95 143static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 144{
9f693930 145 //int error = 0;
15c4dc5a 146 int bitright;
147
148 if(!Uart.bitBuffer) {
149 Uart.bitBuffer = bit ^ 0xFF0;
150 return FALSE;
151 }
152 else {
153 Uart.bitBuffer <<= 4;
154 Uart.bitBuffer ^= bit;
155 }
156
f7e3ed82 157 int EOC = FALSE;
15c4dc5a 158
159 if(Uart.state != STATE_UNSYNCD) {
160 Uart.posCnt++;
161
162 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
163 bit = 0x00;
164 }
165 else {
166 bit = 0x01;
167 }
168 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
169 bitright = 0x00;
170 }
171 else {
172 bitright = 0x01;
173 }
174 if(bit != bitright) { bit = bitright; }
175
176 if(Uart.posCnt == 1) {
177 // measurement first half bitperiod
178 if(!bit) {
179 Uart.drop = DROP_FIRST_HALF;
180 }
181 }
182 else {
183 // measurement second half bitperiod
184 if(!bit & (Uart.drop == DROP_NONE)) {
185 Uart.drop = DROP_SECOND_HALF;
186 }
187 else if(!bit) {
188 // measured a drop in first and second half
189 // which should not be possible
190 Uart.state = STATE_ERROR_WAIT;
9f693930 191 //error = 0x01;
15c4dc5a 192 }
193
194 Uart.posCnt = 0;
195
196 switch(Uart.state) {
197 case STATE_START_OF_COMMUNICATION:
198 Uart.shiftReg = 0;
199 if(Uart.drop == DROP_SECOND_HALF) {
200 // error, should not happen in SOC
201 Uart.state = STATE_ERROR_WAIT;
9f693930 202 //error = 0x02;
15c4dc5a 203 }
204 else {
205 // correct SOC
206 Uart.state = STATE_MILLER_Z;
207 }
208 break;
209
210 case STATE_MILLER_Z:
211 Uart.bitCnt++;
212 Uart.shiftReg >>= 1;
213 if(Uart.drop == DROP_NONE) {
214 // logic '0' followed by sequence Y
215 // end of communication
216 Uart.state = STATE_UNSYNCD;
217 EOC = TRUE;
218 }
219 // if(Uart.drop == DROP_FIRST_HALF) {
220 // Uart.state = STATE_MILLER_Z; stay the same
221 // we see a logic '0' }
222 if(Uart.drop == DROP_SECOND_HALF) {
223 // we see a logic '1'
224 Uart.shiftReg |= 0x100;
225 Uart.state = STATE_MILLER_X;
226 }
227 break;
228
229 case STATE_MILLER_X:
230 Uart.shiftReg >>= 1;
231 if(Uart.drop == DROP_NONE) {
232 // sequence Y, we see a '0'
233 Uart.state = STATE_MILLER_Y;
234 Uart.bitCnt++;
235 }
236 if(Uart.drop == DROP_FIRST_HALF) {
237 // Would be STATE_MILLER_Z
238 // but Z does not follow X, so error
239 Uart.state = STATE_ERROR_WAIT;
9f693930 240 //error = 0x03;
15c4dc5a 241 }
242 if(Uart.drop == DROP_SECOND_HALF) {
243 // We see a '1' and stay in state X
244 Uart.shiftReg |= 0x100;
245 Uart.bitCnt++;
246 }
247 break;
248
249 case STATE_MILLER_Y:
250 Uart.bitCnt++;
251 Uart.shiftReg >>= 1;
252 if(Uart.drop == DROP_NONE) {
253 // logic '0' followed by sequence Y
254 // end of communication
255 Uart.state = STATE_UNSYNCD;
256 EOC = TRUE;
257 }
258 if(Uart.drop == DROP_FIRST_HALF) {
259 // we see a '0'
260 Uart.state = STATE_MILLER_Z;
261 }
262 if(Uart.drop == DROP_SECOND_HALF) {
263 // We see a '1' and go to state X
264 Uart.shiftReg |= 0x100;
265 Uart.state = STATE_MILLER_X;
266 }
267 break;
268
269 case STATE_ERROR_WAIT:
270 // That went wrong. Now wait for at least two bit periods
271 // and try to sync again
272 if(Uart.drop == DROP_NONE) {
273 Uart.highCnt = 6;
274 Uart.state = STATE_UNSYNCD;
275 }
276 break;
277
278 default:
279 Uart.state = STATE_UNSYNCD;
280 Uart.highCnt = 0;
281 break;
282 }
283
284 Uart.drop = DROP_NONE;
285
286 // should have received at least one whole byte...
287 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
288 return TRUE;
289 }
290
291 if(Uart.bitCnt == 9) {
292 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
293 Uart.byteCnt++;
294
295 Uart.parityBits <<= 1;
296 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
297
298 if(EOC) {
299 // when End of Communication received and
300 // all data bits processed..
301 return TRUE;
302 }
303 Uart.bitCnt = 0;
304 }
305
306 /*if(error) {
307 Uart.output[Uart.byteCnt] = 0xAA;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = error & 0xFF;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = 0xAA;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = 0xAA;
320 Uart.byteCnt++;
321 return TRUE;
322 }*/
323 }
324
325 }
326 else {
327 bit = Uart.bitBuffer & 0xf0;
328 bit >>= 4;
329 bit ^= 0x0F;
330 if(bit) {
331 // should have been high or at least (4 * 128) / fc
332 // according to ISO this should be at least (9 * 128 + 20) / fc
333 if(Uart.highCnt == 8) {
334 // we went low, so this could be start of communication
335 // it turns out to be safer to choose a less significant
336 // syncbit... so we check whether the neighbour also represents the drop
337 Uart.posCnt = 1; // apparently we are busy with our first half bit period
338 Uart.syncBit = bit & 8;
339 Uart.samples = 3;
340 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
341 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
343 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
344 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 345 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 346 Uart.syncBit = 8;
347
348 // the first half bit period is expected in next sample
349 Uart.posCnt = 0;
350 Uart.samples = 3;
351 }
352 }
353 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
354
355 Uart.syncBit <<= 4;
356 Uart.state = STATE_START_OF_COMMUNICATION;
357 Uart.drop = DROP_FIRST_HALF;
358 Uart.bitCnt = 0;
359 Uart.byteCnt = 0;
360 Uart.parityBits = 0;
9f693930 361 //error = 0;
15c4dc5a 362 }
363 else {
364 Uart.highCnt = 0;
365 }
366 }
367 else {
368 if(Uart.highCnt < 8) {
369 Uart.highCnt++;
370 }
371 }
372 }
373
374 return FALSE;
375}
376
377//=============================================================================
378// ISO 14443 Type A - Manchester
379//=============================================================================
b62a5a84 380static tDemod Demod;
15c4dc5a 381
6c1e2d95 382static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 383{
384 int bit;
385 int modulation;
9f693930 386 //int error = 0;
15c4dc5a 387
388 if(!Demod.buff) {
389 Demod.buff = 1;
390 Demod.buffer = v;
391 return FALSE;
392 }
393 else {
394 bit = Demod.buffer;
395 Demod.buffer = v;
396 }
397
398 if(Demod.state==DEMOD_UNSYNCD) {
399 Demod.output[Demod.len] = 0xfa;
400 Demod.syncBit = 0;
401 //Demod.samples = 0;
402 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 403
404 if(bit & 0x08) {
405 Demod.syncBit = 0x08;
15c4dc5a 406 }
15c4dc5a 407
2f2d9fc5 408 if(bit & 0x04) {
409 if(Demod.syncBit) {
410 bit <<= 4;
411 }
412 Demod.syncBit = 0x04;
413 }
15c4dc5a 414
2f2d9fc5 415 if(bit & 0x02) {
416 if(Demod.syncBit) {
417 bit <<= 2;
15c4dc5a 418 }
2f2d9fc5 419 Demod.syncBit = 0x02;
15c4dc5a 420 }
15c4dc5a 421
593924e7 422 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 423 Demod.syncBit = 0x01;
424 }
425
15c4dc5a 426 if(Demod.syncBit) {
427 Demod.len = 0;
428 Demod.state = DEMOD_START_OF_COMMUNICATION;
429 Demod.sub = SUB_FIRST_HALF;
430 Demod.bitCount = 0;
431 Demod.shiftReg = 0;
432 Demod.parityBits = 0;
433 Demod.samples = 0;
434 if(Demod.posCount) {
534983d7 435 if(trigger) LED_A_OFF();
15c4dc5a 436 switch(Demod.syncBit) {
437 case 0x08: Demod.samples = 3; break;
438 case 0x04: Demod.samples = 2; break;
439 case 0x02: Demod.samples = 1; break;
440 case 0x01: Demod.samples = 0; break;
441 }
442 }
9f693930 443 //error = 0;
15c4dc5a 444 }
445 }
446 else {
447 //modulation = bit & Demod.syncBit;
448 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
449
450 Demod.samples += 4;
451
452 if(Demod.posCount==0) {
453 Demod.posCount = 1;
454 if(modulation) {
455 Demod.sub = SUB_FIRST_HALF;
456 }
457 else {
458 Demod.sub = SUB_NONE;
459 }
460 }
461 else {
462 Demod.posCount = 0;
463 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
464 if(Demod.state!=DEMOD_ERROR_WAIT) {
465 Demod.state = DEMOD_ERROR_WAIT;
466 Demod.output[Demod.len] = 0xaa;
9f693930 467 //error = 0x01;
15c4dc5a 468 }
469 }
470 else if(modulation) {
471 Demod.sub = SUB_SECOND_HALF;
472 }
473
474 switch(Demod.state) {
475 case DEMOD_START_OF_COMMUNICATION:
476 if(Demod.sub == SUB_FIRST_HALF) {
477 Demod.state = DEMOD_MANCHESTER_D;
478 }
479 else {
480 Demod.output[Demod.len] = 0xab;
481 Demod.state = DEMOD_ERROR_WAIT;
9f693930 482 //error = 0x02;
15c4dc5a 483 }
484 break;
485
486 case DEMOD_MANCHESTER_D:
487 case DEMOD_MANCHESTER_E:
488 if(Demod.sub == SUB_FIRST_HALF) {
489 Demod.bitCount++;
490 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
491 Demod.state = DEMOD_MANCHESTER_D;
492 }
493 else if(Demod.sub == SUB_SECOND_HALF) {
494 Demod.bitCount++;
495 Demod.shiftReg >>= 1;
496 Demod.state = DEMOD_MANCHESTER_E;
497 }
498 else {
499 Demod.state = DEMOD_MANCHESTER_F;
500 }
501 break;
502
503 case DEMOD_MANCHESTER_F:
504 // Tag response does not need to be a complete byte!
505 if(Demod.len > 0 || Demod.bitCount > 0) {
506 if(Demod.bitCount > 0) {
507 Demod.shiftReg >>= (9 - Demod.bitCount);
508 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
509 Demod.len++;
510 // No parity bit, so just shift a 0
511 Demod.parityBits <<= 1;
512 }
513
514 Demod.state = DEMOD_UNSYNCD;
515 return TRUE;
516 }
517 else {
518 Demod.output[Demod.len] = 0xad;
519 Demod.state = DEMOD_ERROR_WAIT;
9f693930 520 //error = 0x03;
15c4dc5a 521 }
522 break;
523
524 case DEMOD_ERROR_WAIT:
525 Demod.state = DEMOD_UNSYNCD;
526 break;
527
528 default:
529 Demod.output[Demod.len] = 0xdd;
530 Demod.state = DEMOD_UNSYNCD;
531 break;
532 }
533
534 if(Demod.bitCount>=9) {
535 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
536 Demod.len++;
537
538 Demod.parityBits <<= 1;
539 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
540
541 Demod.bitCount = 0;
542 Demod.shiftReg = 0;
543 }
544
545 /*if(error) {
546 Demod.output[Demod.len] = 0xBB;
547 Demod.len++;
548 Demod.output[Demod.len] = error & 0xFF;
549 Demod.len++;
550 Demod.output[Demod.len] = 0xBB;
551 Demod.len++;
552 Demod.output[Demod.len] = bit & 0xFF;
553 Demod.len++;
554 Demod.output[Demod.len] = Demod.buffer & 0xFF;
555 Demod.len++;
556 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
557 Demod.len++;
558 Demod.output[Demod.len] = 0xBB;
559 Demod.len++;
560 return TRUE;
561 }*/
562
563 }
564
565 } // end (state != UNSYNCED)
566
567 return FALSE;
568}
569
570//=============================================================================
571// Finally, a `sniffer' for ISO 14443 Type A
572// Both sides of communication!
573//=============================================================================
574
575//-----------------------------------------------------------------------------
576// Record the sequence of commands sent by the reader to the tag, with
577// triggering so that we start recording at the point that the tag is moved
578// near the reader.
579//-----------------------------------------------------------------------------
5cd9ec01
M
580void RAMFUNC SnoopIso14443a(uint8_t param) {
581 // param:
582 // bit 0 - trigger from first card answer
583 // bit 1 - trigger from first reader 7-bit request
584
585 LEDsoff();
586 // init trace buffer
5f6d6c90 587 iso14a_clear_trace();
5cd9ec01
M
588
589 // We won't start recording the frames that we acquire until we trigger;
590 // a good trigger condition to get started is probably when we see a
591 // response from the tag.
592 // triggered == FALSE -- to wait first for card
593 int triggered = !(param & 0x03);
594
595 // The command (reader -> tag) that we're receiving.
15c4dc5a 596 // The length of a received command will in most cases be no more than 18 bytes.
597 // So 32 should be enough!
5cd9ec01
M
598 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
599 // The response (tag -> reader) that we're receiving.
600 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 601
5cd9ec01
M
602 // As we receive stuff, we copy it from receivedCmd or receivedResponse
603 // into trace, along with its length and other annotations.
604 //uint8_t *trace = (uint8_t *)BigBuf;
605
606 // The DMA buffer, used to stream samples from the FPGA
607 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
608 int8_t *data = dmaBuf;
609 int maxDataLen = 0;
610 int dataLen = 0;
15c4dc5a 611
5cd9ec01
M
612 // Set up the demodulator for tag -> reader responses.
613 Demod.output = receivedResponse;
614 Demod.len = 0;
615 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 616
5cd9ec01
M
617 // Set up the demodulator for the reader -> tag commands
618 memset(&Uart, 0, sizeof(Uart));
619 Uart.output = receivedCmd;
620 Uart.byteCntMax = 32; // was 100 (greg)//////////////////
621 Uart.state = STATE_UNSYNCD;
15c4dc5a 622
5cd9ec01
M
623 // Setup for the DMA.
624 FpgaSetupSsc();
625 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 626
5cd9ec01
M
627 // And put the FPGA in the appropriate mode
628 // Signal field is off with the appropriate LED
629 LED_D_OFF();
630 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
631 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
7e758047 632
5cd9ec01
M
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 rsamples = 0;
636 // And now we loop, receiving samples.
637 while(true) {
638 if(BUTTON_PRESS()) {
639 DbpString("cancelled by button");
640 goto done;
641 }
15c4dc5a 642
5cd9ec01
M
643 LED_A_ON();
644 WDT_HIT();
15c4dc5a 645
5cd9ec01
M
646 int register readBufDataP = data - dmaBuf;
647 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
648 if (readBufDataP <= dmaBufDataP){
649 dataLen = dmaBufDataP - readBufDataP;
650 } else {
651 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP + 1;
652 }
653 // test for length of buffer
654 if(dataLen > maxDataLen) {
655 maxDataLen = dataLen;
656 if(dataLen > 400) {
657 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
658 goto done;
659 }
660 }
661 if(dataLen < 1) continue;
662
663 // primary buffer was stopped( <-- we lost data!
664 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
665 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
666 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
5cd9ec01
M
667 }
668 // secondary buffer sets as primary, secondary buffer was stopped
669 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
670 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
671 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
672 }
673
674 LED_A_OFF();
675
676 rsamples += 4;
677 if(MillerDecoding((data[0] & 0xF0) >> 4)) {
678 LED_C_ON();
679
680 // check - if there is a short 7bit request from reader
681 if ((!triggered) && (param & 0x02) && (Uart.byteCnt == 1) && (Uart.bitCnt = 9)) triggered = TRUE;
682
683 if(triggered) {
684 if (!LogTrace(receivedCmd, Uart.byteCnt, 0 - Uart.samples, Uart.parityBits, TRUE)) break;
685 }
686 /* And ready to receive another command. */
687 Uart.state = STATE_UNSYNCD;
688 /* And also reset the demod code, which might have been */
689 /* false-triggered by the commands from the reader. */
690 Demod.state = DEMOD_UNSYNCD;
691 LED_B_OFF();
692 }
693
694 if(ManchesterDecoding(data[0] & 0x0F)) {
695 LED_B_ON();
696
697 if (!LogTrace(receivedResponse, Demod.len, 0 - Demod.samples, Demod.parityBits, FALSE)) break;
698
699 if ((!triggered) && (param & 0x01)) triggered = TRUE;
700
701 // And ready to receive another response.
702 memset(&Demod, 0, sizeof(Demod));
703 Demod.output = receivedResponse;
704 Demod.state = DEMOD_UNSYNCD;
705 LED_C_OFF();
706 }
707
708 data++;
709 if(data > dmaBuf + DMA_BUFFER_SIZE) {
710 data = dmaBuf;
711 }
712 } // main cycle
713
714 DbpString("COMMAND FINISHED");
15c4dc5a 715
15c4dc5a 716done:
5cd9ec01
M
717 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
718 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
719 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%08x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
720 LEDsoff();
15c4dc5a 721}
722
15c4dc5a 723//-----------------------------------------------------------------------------
724// Prepare tag messages
725//-----------------------------------------------------------------------------
8f51ddb0 726static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 727{
8f51ddb0 728 int i;
15c4dc5a 729
8f51ddb0 730 ToSendReset();
15c4dc5a 731
732 // Correction bit, might be removed when not needed
733 ToSendStuffBit(0);
734 ToSendStuffBit(0);
735 ToSendStuffBit(0);
736 ToSendStuffBit(0);
737 ToSendStuffBit(1); // 1
738 ToSendStuffBit(0);
739 ToSendStuffBit(0);
740 ToSendStuffBit(0);
8f51ddb0 741
15c4dc5a 742 // Send startbit
72934aa3 743 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 744
8f51ddb0
M
745 for(i = 0; i < len; i++) {
746 int j;
747 uint8_t b = cmd[i];
15c4dc5a 748
749 // Data bits
15c4dc5a 750 for(j = 0; j < 8; j++) {
15c4dc5a 751 if(b & 1) {
72934aa3 752 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 753 } else {
72934aa3 754 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M
755 }
756 b >>= 1;
757 }
15c4dc5a 758
0014cb46 759 // Get the parity bit
8f51ddb0
M
760 if ((dwParity >> i) & 0x01) {
761 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 762 } else {
72934aa3 763 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 764 }
8f51ddb0 765 }
15c4dc5a 766
8f51ddb0
M
767 // Send stopbit
768 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 769
8f51ddb0
M
770 // Convert from last byte pos to length
771 ToSendMax++;
8f51ddb0
M
772}
773
774static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
775 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 776}
777
ce02f6f9 778////-----------------------------------------------------------------------------
779//// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
780////-----------------------------------------------------------------------------
781//static void CodeStrangeAnswerAsTag()
782//{
783// int i;
784//
785// ToSendReset();
786//
787// // Correction bit, might be removed when not needed
788// ToSendStuffBit(0);
789// ToSendStuffBit(0);
790// ToSendStuffBit(0);
791// ToSendStuffBit(0);
792// ToSendStuffBit(1); // 1
793// ToSendStuffBit(0);
794// ToSendStuffBit(0);
795// ToSendStuffBit(0);
796//
797// // Send startbit
798// ToSend[++ToSendMax] = SEC_D;
799//
800// // 0
801// ToSend[++ToSendMax] = SEC_E;
802//
803// // 0
804// ToSend[++ToSendMax] = SEC_E;
805//
806// // 1
807// ToSend[++ToSendMax] = SEC_D;
808//
809// // Send stopbit
810// ToSend[++ToSendMax] = SEC_F;
811//
812// // Flush the buffer in FPGA!!
813// for(i = 0; i < 5; i++) {
814// ToSend[++ToSendMax] = SEC_F;
815// }
816//
817// // Convert from last byte pos to length
818// ToSendMax++;
819//}
15c4dc5a 820
8f51ddb0
M
821static void Code4bitAnswerAsTag(uint8_t cmd)
822{
823 int i;
824
5f6d6c90 825 ToSendReset();
8f51ddb0
M
826
827 // Correction bit, might be removed when not needed
828 ToSendStuffBit(0);
829 ToSendStuffBit(0);
830 ToSendStuffBit(0);
831 ToSendStuffBit(0);
832 ToSendStuffBit(1); // 1
833 ToSendStuffBit(0);
834 ToSendStuffBit(0);
835 ToSendStuffBit(0);
836
837 // Send startbit
838 ToSend[++ToSendMax] = SEC_D;
839
840 uint8_t b = cmd;
841 for(i = 0; i < 4; i++) {
842 if(b & 1) {
843 ToSend[++ToSendMax] = SEC_D;
844 } else {
845 ToSend[++ToSendMax] = SEC_E;
846 }
847 b >>= 1;
848 }
849
850 // Send stopbit
851 ToSend[++ToSendMax] = SEC_F;
852
853 // Flush the buffer in FPGA!!
854 for(i = 0; i < 5; i++) {
855 ToSend[++ToSendMax] = SEC_F;
856 }
857
5f6d6c90 858 // Convert from last byte pos to length
859 ToSendMax++;
15c4dc5a 860}
861
862//-----------------------------------------------------------------------------
863// Wait for commands from reader
864// Stop when button is pressed
865// Or return TRUE when command is captured
866//-----------------------------------------------------------------------------
f7e3ed82 867static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 868{
869 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
870 // only, since we are receiving, not transmitting).
871 // Signal field is off with the appropriate LED
872 LED_D_OFF();
873 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
874
875 // Now run a `software UART' on the stream of incoming samples.
876 Uart.output = received;
877 Uart.byteCntMax = maxLen;
878 Uart.state = STATE_UNSYNCD;
879
880 for(;;) {
881 WDT_HIT();
882
883 if(BUTTON_PRESS()) return FALSE;
884
885 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
886 AT91C_BASE_SSC->SSC_THR = 0x00;
887 }
888 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 889 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 890 if(MillerDecoding((b & 0xf0) >> 4)) {
891 *len = Uart.byteCnt;
892 return TRUE;
893 }
894 if(MillerDecoding(b & 0x0f)) {
895 *len = Uart.byteCnt;
896 return TRUE;
897 }
898 }
899 }
900}
28afbd2b 901
9ca155ba 902static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
28afbd2b 903int EmSend4bitEx(uint8_t resp, int correctionNeeded);
904int EmSend4bit(uint8_t resp);
905int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par);
906int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par);
907int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded);
908int EmSendCmd(uint8_t *resp, int respLen);
909int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par);
15c4dc5a 910
ce02f6f9 911static uint8_t* free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
912
913typedef struct {
914 uint8_t* response;
915 size_t response_n;
916 uint8_t* modulation;
917 size_t modulation_n;
918} tag_response_info_t;
919
920void reset_free_buffer() {
921 free_buffer_pointer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
922}
923
924bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffer_size) {
925 // Exmaple response, answer to MIFARE Classic read block will be 16 bytes + 2 CRC = 18 bytes
926 // This will need the following byte array for a modulation sequence
927 // 144 data bits (18 * 8)
928 // 18 parity bits
929 // 2 Start and stop
930 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
931 // 1 just for the case
932 // ----------- +
933 // 166 bytes, since every bit that needs to be send costs us a byte
934 //
935
936 // Prepare the tag modulation bits from the message
937 CodeIso14443aAsTag(response_info->response,response_info->response_n);
938
939 // Make sure we do not exceed the free buffer space
940 if (ToSendMax > max_buffer_size) {
941 Dbprintf("Out of memory, when modulating bits for tag answer:");
942 Dbhexdump(response_info->response_n,response_info->response,false);
943 return false;
944 }
945
946 // Copy the byte array, used for this modulation to the buffer position
947 memcpy(response_info->modulation,ToSend,ToSendMax);
948
949 // Store the number of bytes that were used for encoding/modulation
950 response_info->modulation_n = ToSendMax;
951
952 return true;
953}
954
955bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
956 // Retrieve and store the current buffer index
957 response_info->modulation = free_buffer_pointer;
958
959 // Determine the maximum size we can use from our buffer
960 size_t max_buffer_size = (((uint8_t *)BigBuf)+FREE_BUFFER_OFFSET+FREE_BUFFER_SIZE)-free_buffer_pointer;
961
962 // Forward the prepare tag modulation function to the inner function
963 if (prepare_tag_modulation(response_info,max_buffer_size)) {
964 // Update the free buffer offset
965 free_buffer_pointer += ToSendMax;
966 return true;
967 } else {
968 return false;
969 }
970}
971
15c4dc5a 972//-----------------------------------------------------------------------------
973// Main loop of simulated tag: receive commands from reader, decide what
974// response to send, and send it.
975//-----------------------------------------------------------------------------
28afbd2b 976void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
15c4dc5a 977{
5f6d6c90 978 // Enable and clear the trace
81cd0474 979 tracing = TRUE;
5f6d6c90 980 iso14a_clear_trace();
81cd0474 981
15c4dc5a 982 // This function contains the tag emulation
81cd0474 983 uint8_t sak;
984
985 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
986 uint8_t response1[2];
987
988 switch (tagType) {
989 case 1: { // MIFARE Classic
990 // Says: I am Mifare 1k - original line
991 response1[0] = 0x04;
992 response1[1] = 0x00;
993 sak = 0x08;
994 } break;
995 case 2: { // MIFARE Ultralight
996 // Says: I am a stupid memory tag, no crypto
997 response1[0] = 0x04;
998 response1[1] = 0x00;
999 sak = 0x00;
1000 } break;
1001 case 3: { // MIFARE DESFire
1002 // Says: I am a DESFire tag, ph33r me
1003 response1[0] = 0x04;
1004 response1[1] = 0x03;
1005 sak = 0x20;
1006 } break;
1007 case 4: { // ISO/IEC 14443-4
1008 // Says: I am a javacard (JCOP)
1009 response1[0] = 0x04;
1010 response1[1] = 0x00;
1011 sak = 0x28;
1012 } break;
1013 default: {
1014 Dbprintf("Error: unkown tagtype (%d)",tagType);
1015 return;
1016 } break;
1017 }
1018
1019 // The second response contains the (mandatory) first 24 bits of the UID
1020 uint8_t response2[5];
1021
1022 // Check if the uid uses the (optional) part
1023 uint8_t response2a[5];
1024 if (uid_2nd) {
1025 response2[0] = 0x88;
1026 num_to_bytes(uid_1st,3,response2+1);
1027 num_to_bytes(uid_2nd,4,response2a);
1028 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
1029
1030 // Configure the ATQA and SAK accordingly
1031 response1[0] |= 0x40;
1032 sak |= 0x04;
1033 } else {
1034 num_to_bytes(uid_1st,4,response2);
1035 // Configure the ATQA and SAK accordingly
1036 response1[0] &= 0xBF;
1037 sak &= 0xFB;
1038 }
1039
1040 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
1041 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
1042
1043 // Prepare the mandatory SAK (for 4 and 7 byte UID)
1044 uint8_t response3[3];
1045 response3[0] = sak;
1046 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
1047
1048 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
1049 uint8_t response3a[3];
1050 response3a[0] = sak & 0xFB;
1051 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
1052
254b70a4 1053 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
ce02f6f9 1054 uint8_t response6[] = { 0x04, 0x58, 0x00, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS
1055 ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
1056
1057 #define TAG_RESPONSE_COUNT 7
1058 tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
1059 { .response = response1, .response_n = sizeof(response1) }, // Answer to request - respond with card type
1060 { .response = response2, .response_n = sizeof(response2) }, // Anticollision cascade1 - respond with uid
1061 { .response = response2a, .response_n = sizeof(response2a) }, // Anticollision cascade2 - respond with 2nd half of uid if asked
1062 { .response = response3, .response_n = sizeof(response3) }, // Acknowledge select - cascade 1
1063 { .response = response3a, .response_n = sizeof(response3a) }, // Acknowledge select - cascade 2
1064 { .response = response5, .response_n = sizeof(response5) }, // Authentication answer (random nonce)
1065 { .response = response6, .response_n = sizeof(response6) }, // dummy ATS (pseudo-ATR), answer to RATS
1066 };
1067
1068 // Allocate 512 bytes for the dynamic modulation, created when the reader querries for it
1069 // Such a response is less time critical, so we can prepare them on the fly
1070 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
1071 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
1072 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE];
1073 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE];
1074 tag_response_info_t dynamic_response_info = {
1075 .response = dynamic_response_buffer,
1076 .response_n = 0,
1077 .modulation = dynamic_modulation_buffer,
1078 .modulation_n = 0
1079 };
1080
1081 // Reset the offset pointer of the free buffer
1082 reset_free_buffer();
1083
1084 // Prepare the responses of the anticollision phase
1085 // there will be not enough time to do this at the moment the reader sends it REQA
1086 for (size_t i=0; i<TAG_RESPONSE_COUNT; i++) {
1087 prepare_allocated_tag_modulation(&responses[i]);
1088 }
15c4dc5a 1089
254b70a4 1090 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1091 int len;
15c4dc5a 1092
1093 // To control where we are in the protocol
1094 int order = 0;
1095 int lastorder;
1096
1097 // Just to allow some checks
1098 int happened = 0;
1099 int happened2 = 0;
81cd0474 1100 int cmdsRecvd = 0;
15c4dc5a 1101
254b70a4 1102 // We need to listen to the high-frequency, peak-detected path.
1103 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1104 FpgaSetupSsc();
15c4dc5a 1105
254b70a4 1106 cmdsRecvd = 0;
ce02f6f9 1107 tag_response_info_t* p_response;
15c4dc5a 1108
254b70a4 1109 LED_A_ON();
1110 for(;;) {
ce02f6f9 1111 // Clean receive command buffer
1112 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
254b70a4 1113
81cd0474 1114 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
ce02f6f9 1115 DbpString("Button press");
254b70a4 1116 break;
1117 }
28afbd2b 1118
5f6d6c90 1119 if (tracing) {
28afbd2b 1120 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
5f6d6c90 1121 }
28afbd2b 1122
ce02f6f9 1123 p_response = NULL;
1124
254b70a4 1125 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1126 // Okay, look at the command now.
1127 lastorder = order;
1128 if(receivedCmd[0] == 0x26) { // Received a REQUEST
ce02f6f9 1129 p_response = &responses[0]; order = 1;
254b70a4 1130 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
ce02f6f9 1131 p_response = &responses[0]; order = 6;
254b70a4 1132 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
ce02f6f9 1133 p_response = &responses[1]; order = 2;
254b70a4 1134 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
ce02f6f9 1135 p_response = &responses[2]; order = 20;
254b70a4 1136 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
ce02f6f9 1137 p_response = &responses[3]; order = 3;
254b70a4 1138 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
ce02f6f9 1139 p_response = &responses[4]; order = 30;
254b70a4 1140 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
5f6d6c90 1141 EmSendCmdEx(data+(4*receivedCmd[0]),16,false);
254b70a4 1142 Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
5f6d6c90 1143 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
ce02f6f9 1144 p_response = NULL;
254b70a4 1145 } else if(receivedCmd[0] == 0x50) { // Received a HALT
17331e14 1146// DbpString("Reader requested we HALT!:");
ce02f6f9 1147 p_response = NULL;
254b70a4 1148 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
ce02f6f9 1149 p_response = &responses[5]; order = 7;
254b70a4 1150 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
ce02f6f9 1151 p_response = &responses[6]; order = 70;
1152 } else if (order == 7 && len ==8) { // Received authentication request
1153 uint32_t nr = bytes_to_num(receivedCmd,4);
1154 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1155 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1156 } else {
1157 // Check for ISO 14443A-4 compliant commands, look at left nibble
1158 switch (receivedCmd[0]) {
1159
1160 case 0x0B:
1161 case 0x0A: { // IBlock (command)
1162 dynamic_response_info.response[0] = receivedCmd[0];
1163 dynamic_response_info.response[1] = 0x00;
1164 dynamic_response_info.response[2] = 0x90;
1165 dynamic_response_info.response[3] = 0x00;
1166 dynamic_response_info.response_n = 4;
1167 } break;
1168
1169 case 0x1A:
1170 case 0x1B: { // Chaining command
1171 dynamic_response_info.response[0] = 0xaa | ((receivedCmd[0]) & 1);
1172 dynamic_response_info.response_n = 2;
1173 } break;
1174
1175 case 0xaa:
1176 case 0xbb: {
1177 dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
1178 dynamic_response_info.response_n = 2;
1179 } break;
1180
1181 case 0xBA: { //
1182 memcpy(dynamic_response_info.response,"\xAB\x00",2);
1183 dynamic_response_info.response_n = 2;
1184 } break;
1185
1186 case 0xCA:
1187 case 0xC2: { // Readers sends deselect command
1188 memcpy(dynamic_response_info.response,"\xCA\x00",2);
1189 dynamic_response_info.response_n = 2;
1190 } break;
1191
1192 default: {
1193 // Never seen this command before
1194 Dbprintf("Received unknown command (len=%d):",len);
1195 Dbhexdump(len,receivedCmd,false);
1196 // Do not respond
1197 dynamic_response_info.response_n = 0;
1198 } break;
1199 }
1200
1201 if (dynamic_response_info.response_n > 0) {
1202 // Copy the CID from the reader query
1203 dynamic_response_info.response[1] = receivedCmd[1];
1204
1205 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
1206 AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
1207 dynamic_response_info.response_n += 2;
1208
1209 if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
1210 Dbprintf("Error preparing tag response");
1211 break;
1212 }
1213 p_response = &dynamic_response_info;
17331e14 1214 }
81cd0474 1215 }
15c4dc5a 1216
1217 // Count number of wakeups received after a halt
1218 if(order == 6 && lastorder == 5) { happened++; }
1219
1220 // Count number of other messages after a halt
1221 if(order != 6 && lastorder == 5) { happened2++; }
1222
1223 // Look at last parity bit to determine timing of answer
1224 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1225 // 1236, so correction bit needed
9f693930 1226 //i = 0;
15c4dc5a 1227 }
1228
15c4dc5a 1229 if(cmdsRecvd > 999) {
1230 DbpString("1000 commands later...");
254b70a4 1231 break;
15c4dc5a 1232 }
ce02f6f9 1233 cmdsRecvd++;
1234
1235 if (p_response != NULL) {
1236 EmSendCmd14443aRaw(p_response->modulation, p_response->modulation_n, receivedCmd[0] == 0x52);
1237 if (tracing) {
1238 LogTrace(p_response->response,p_response->response_n,0,SwapBits(GetParity(p_response->response,p_response->response_n),p_response->response_n),FALSE);
1239 if(traceLen > TRACE_SIZE) {
1240 DbpString("Trace full");
1241// break;
1242 }
1243 }
1244 }
254b70a4 1245 }
15c4dc5a 1246
1247 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1248 LED_A_OFF();
1249}
1250
9492e0b0 1251
1252// prepare a delayed transfer. This simply shifts ToSend[] by a number
1253// of bits specified in the delay parameter.
1254void PrepareDelayedTransfer(uint16_t delay)
1255{
1256 uint8_t bitmask = 0;
1257 uint8_t bits_to_shift = 0;
1258 uint8_t bits_shifted = 0;
1259
1260 delay &= 0x07;
1261 if (delay) {
1262 for (uint16_t i = 0; i < delay; i++) {
1263 bitmask |= (0x01 << i);
1264 }
1265 ToSend[++ToSendMax] = 0x00;
1266 for (uint16_t i = 0; i < ToSendMax; i++) {
1267 bits_to_shift = ToSend[i] & bitmask;
1268 ToSend[i] = ToSend[i] >> delay;
1269 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1270 bits_shifted = bits_to_shift;
1271 }
1272 }
1273}
1274
15c4dc5a 1275//-----------------------------------------------------------------------------
1276// Transmit the command (to the tag) that was placed in ToSend[].
9492e0b0 1277// Parameter timing:
1278// if NULL: ignored
1279// if == 0: return time of transfer
1280// if != 0: delay transfer until time specified
15c4dc5a 1281//-----------------------------------------------------------------------------
9492e0b0 1282static void TransmitFor14443a(const uint8_t *cmd, int len, uint32_t *timing)
15c4dc5a 1283{
9492e0b0 1284 int c;
e30c654b 1285
9492e0b0 1286 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1287
e30c654b 1288
9492e0b0 1289 if (timing) {
1290 if(*timing == 0) { // Measure time
1291 *timing = (GetCountMifare() + 8) & 0xfffffff8;
1292 } else {
1293 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1294 }
1295 if(MF_DBGLEVEL >= 4 && GetCountMifare() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1296 while(GetCountMifare() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1297 }
1298
1299 for(c = 0; c < 10;) { // standard delay for each transfer (allow tag to be ready after last transmission)
1300 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1301 AT91C_BASE_SSC->SSC_THR = 0x00;
1302 c++;
1303 }
1304 }
1305
1306 c = 0;
1307 for(;;) {
1308 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1309 AT91C_BASE_SSC->SSC_THR = cmd[c];
1310 c++;
1311 if(c >= len) {
1312 break;
1313 }
1314 }
1315 }
e30c654b 1316
15c4dc5a 1317}
1318
15c4dc5a 1319//-----------------------------------------------------------------------------
195af472 1320// Prepare reader command (in bits, support short frames) to send to FPGA
15c4dc5a 1321//-----------------------------------------------------------------------------
195af472 1322void CodeIso14443aBitsAsReaderPar(const uint8_t * cmd, int bits, uint32_t dwParity)
15c4dc5a 1323{
1324 int i, j;
1325 int last;
f7e3ed82 1326 uint8_t b;
e30c654b 1327
15c4dc5a 1328 ToSendReset();
e30c654b 1329
15c4dc5a 1330 // Start of Communication (Seq. Z)
72934aa3 1331 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1332 last = 0;
e30c654b 1333
195af472 1334 size_t bytecount = nbytes(bits);
15c4dc5a 1335 // Generate send structure for the data bits
195af472 1336 for (i = 0; i < bytecount; i++) {
15c4dc5a 1337 // Get the current byte to send
1338 b = cmd[i];
195af472 1339 size_t bitsleft = MIN((bits-(i*8)),8);
e30c654b 1340
195af472 1341 for (j = 0; j < bitsleft; j++) {
15c4dc5a 1342 if (b & 1) {
1343 // Sequence X
72934aa3 1344 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1345 last = 1;
1346 } else {
1347 if (last == 0) {
1348 // Sequence Z
72934aa3 1349 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1350 } else {
1351 // Sequence Y
72934aa3 1352 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1353 last = 0;
1354 }
1355 }
1356 b >>= 1;
1357 }
e30c654b 1358
195af472 1359 // Only transmit (last) parity bit if we transmitted a complete byte
1360 if (j == 8) {
1361 // Get the parity bit
1362 if ((dwParity >> i) & 0x01) {
1363 // Sequence X
1364 ToSend[++ToSendMax] = SEC_X;
1365 last = 1;
15c4dc5a 1366 } else {
195af472 1367 if (last == 0) {
1368 // Sequence Z
1369 ToSend[++ToSendMax] = SEC_Z;
1370 } else {
1371 // Sequence Y
1372 ToSend[++ToSendMax] = SEC_Y;
1373 last = 0;
1374 }
15c4dc5a 1375 }
1376 }
1377 }
e30c654b 1378
15c4dc5a 1379 // End of Communication
1380 if (last == 0) {
1381 // Sequence Z
72934aa3 1382 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1383 } else {
1384 // Sequence Y
72934aa3 1385 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1386 last = 0;
1387 }
1388 // Sequence Y
72934aa3 1389 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1390
15c4dc5a 1391 // Just to be sure!
72934aa3 1392 ToSend[++ToSendMax] = SEC_Y;
1393 ToSend[++ToSendMax] = SEC_Y;
1394 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1395
15c4dc5a 1396 // Convert from last character reference to length
1397 ToSendMax++;
1398}
1399
195af472 1400//-----------------------------------------------------------------------------
1401// Prepare reader command to send to FPGA
1402//-----------------------------------------------------------------------------
1403void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1404{
1405 CodeIso14443aBitsAsReaderPar(cmd,len*8,dwParity);
1406}
1407
9ca155ba
M
1408//-----------------------------------------------------------------------------
1409// Wait for commands from reader
1410// Stop when button is pressed (return 1) or field was gone (return 2)
1411// Or return 0 when command is captured
1412//-----------------------------------------------------------------------------
1413static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1414{
1415 *len = 0;
1416
1417 uint32_t timer = 0, vtime = 0;
1418 int analogCnt = 0;
1419 int analogAVG = 0;
1420
1421 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1422 // only, since we are receiving, not transmitting).
1423 // Signal field is off with the appropriate LED
1424 LED_D_OFF();
1425 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1426
1427 // Set ADC to read field strength
1428 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1429 AT91C_BASE_ADC->ADC_MR =
1430 ADC_MODE_PRESCALE(32) |
1431 ADC_MODE_STARTUP_TIME(16) |
1432 ADC_MODE_SAMPLE_HOLD_TIME(8);
1433 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1434 // start ADC
1435 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1436
1437 // Now run a 'software UART' on the stream of incoming samples.
1438 Uart.output = received;
1439 Uart.byteCntMax = maxLen;
1440 Uart.state = STATE_UNSYNCD;
1441
1442 for(;;) {
1443 WDT_HIT();
1444
1445 if (BUTTON_PRESS()) return 1;
1446
1447 // test if the field exists
1448 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1449 analogCnt++;
1450 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1451 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1452 if (analogCnt >= 32) {
1453 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1454 vtime = GetTickCount();
1455 if (!timer) timer = vtime;
1456 // 50ms no field --> card to idle state
1457 if (vtime - timer > 50) return 2;
1458 } else
1459 if (timer) timer = 0;
1460 analogCnt = 0;
1461 analogAVG = 0;
1462 }
1463 }
1464 // transmit none
1465 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1466 AT91C_BASE_SSC->SSC_THR = 0x00;
1467 }
1468 // receive and test the miller decoding
1469 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1470 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1471 if(MillerDecoding((b & 0xf0) >> 4)) {
1472 *len = Uart.byteCnt;
8f51ddb0 1473 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1474 return 0;
1475 }
1476 if(MillerDecoding(b & 0x0f)) {
1477 *len = Uart.byteCnt;
8f51ddb0 1478 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1479 return 0;
1480 }
1481 }
1482 }
1483}
1484
1485static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1486{
1487 int i, u = 0;
1488 uint8_t b = 0;
1489
1490 // Modulate Manchester
1491 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1492 AT91C_BASE_SSC->SSC_THR = 0x00;
1493 FpgaSetupSsc();
1494
1495 // include correction bit
1496 i = 1;
1497 if((Uart.parityBits & 0x01) || correctionNeeded) {
1498 // 1236, so correction bit needed
1499 i = 0;
1500 }
1501
1502 // send cycle
1503 for(;;) {
1504 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1505 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1506 (void)b;
1507 }
1508 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1509 if(i > respLen) {
8f51ddb0 1510 b = 0xff; // was 0x00
9ca155ba
M
1511 u++;
1512 } else {
1513 b = resp[i];
1514 i++;
1515 }
1516 AT91C_BASE_SSC->SSC_THR = b;
1517
1518 if(u > 4) break;
1519 }
1520 if(BUTTON_PRESS()) {
1521 break;
1522 }
1523 }
1524
1525 return 0;
1526}
1527
8f51ddb0
M
1528int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1529 Code4bitAnswerAsTag(resp);
0a39986e 1530 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1531 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1532 return res;
9ca155ba
M
1533}
1534
8f51ddb0
M
1535int EmSend4bit(uint8_t resp){
1536 return EmSend4bitEx(resp, 0);
1537}
1538
1539int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1540 CodeIso14443aAsTagPar(resp, respLen, par);
1541 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1542 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1543 return res;
1544}
1545
1546int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1547 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1548}
1549
1550int EmSendCmd(uint8_t *resp, int respLen){
1551 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1552}
1553
1554int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1555 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M
1556}
1557
15c4dc5a 1558//-----------------------------------------------------------------------------
1559// Wait a certain time for tag response
1560// If a response is captured return TRUE
1561// If it takes to long return FALSE
1562//-----------------------------------------------------------------------------
f7e3ed82 1563static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1564{
1565 // buffer needs to be 512 bytes
1566 int c;
1567
1568 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1569 // only, since we are receiving, not transmitting).
1570 // Signal field is on with the appropriate LED
1571 LED_D_ON();
1572 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1c611bbd 1573
534983d7 1574 // Now get the answer from the card
1575 Demod.output = receivedResponse;
1576 Demod.len = 0;
1577 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1578
f7e3ed82 1579 uint8_t b;
15c4dc5a 1580 if (elapsed) *elapsed = 0;
1581
1582 c = 0;
1583 for(;;) {
534983d7 1584 WDT_HIT();
15c4dc5a 1585
9492e0b0 1586 // if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1587 // AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1588 // if (elapsed) (*elapsed)++;
1589 // }
534983d7 1590 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1591 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1592 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1593 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1594 *samples = ((c - 1) << 3) + 4;
1595 return TRUE;
1596 }
1597 if(ManchesterDecoding(b & 0x0f)) {
1598 *samples = c << 3;
1599 return TRUE;
1600 }
534983d7 1601 }
1602 }
15c4dc5a 1603}
1604
9492e0b0 1605void ReaderTransmitBitsPar(uint8_t* frame, int bits, uint32_t par, uint32_t *timing)
15c4dc5a 1606{
981bd429 1607
dfc3c505 1608 CodeIso14443aBitsAsReaderPar(frame,bits,par);
1609
15c4dc5a 1610 // Select the card
9492e0b0 1611 TransmitFor14443a(ToSend, ToSendMax, timing);
534983d7 1612 if(trigger)
1613 LED_A_ON();
dfc3c505 1614
15c4dc5a 1615 // Store reader command in buffer
dfc3c505 1616 if (tracing) LogTrace(frame,nbytes(bits),0,par,TRUE);
15c4dc5a 1617}
1618
9492e0b0 1619void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par, uint32_t *timing)
dfc3c505 1620{
9492e0b0 1621 ReaderTransmitBitsPar(frame,len*8,par, timing);
dfc3c505 1622}
15c4dc5a 1623
9492e0b0 1624void ReaderTransmit(uint8_t* frame, int len, uint32_t *timing)
15c4dc5a 1625{
1626 // Generate parity and redirect
9492e0b0 1627 ReaderTransmitBitsPar(frame,len*8,GetParity(frame,len), timing);
15c4dc5a 1628}
1629
f7e3ed82 1630int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1631{
1632 int samples = 0;
20f9a2a1 1633 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1634 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1635 if(samples == 0) return FALSE;
1636 return Demod.len;
15c4dc5a 1637}
1638
f89c7050
M
1639int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1640{
1641 int samples = 0;
1642 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1643 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1644 *parptr = Demod.parityBits;
1645 if(samples == 0) return FALSE;
1646 return Demod.len;
1647}
1648
7e758047 1649/* performs iso14443a anticolision procedure
534983d7 1650 * fills the uid pointer unless NULL
1651 * fills resp_data unless NULL */
79a73ab2 1652int iso14443a_select_card(byte_t* uid_ptr, iso14a_card_select_t* p_hi14a_card, uint32_t* cuid_ptr) {
ed258538 1653 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1654 uint8_t sel_all[] = { 0x93,0x20 };
1655 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1656 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1657 uint8_t* resp = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); // was 3560 - tied to other size changes
79a73ab2 1658 byte_t uid_resp[4];
1659 size_t uid_resp_len;
15c4dc5a 1660
ed258538 1661 uint8_t sak = 0x04; // cascade uid
1662 int cascade_level = 0;
1663 int len;
79a73ab2 1664
ed258538 1665 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
9492e0b0 1666 ReaderTransmitBitsPar(wupa,7,0, NULL);
ed258538 1667 // Receive the ATQA
1668 if(!ReaderReceive(resp)) return 0;
902cb3c0 1669// Dbprintf("atqa: %02x %02x",resp[0],resp[1]);
1c611bbd 1670
ed258538 1671 if(p_hi14a_card) {
1672 memcpy(p_hi14a_card->atqa, resp, 2);
79a73ab2 1673 p_hi14a_card->uidlen = 0;
1674 memset(p_hi14a_card->uid,0,10);
1675 }
5f6d6c90 1676
79a73ab2 1677 // clear uid
1678 if (uid_ptr) {
1c611bbd 1679 memset(uid_ptr,0,10);
79a73ab2 1680 }
1681
ed258538 1682 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1683 // which case we need to make a cascade 2 request and select - this is a long UID
1684 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1685 for(; sak & 0x04; cascade_level++) {
1686 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1687 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1688
1689 // SELECT_ALL
9492e0b0 1690 ReaderTransmit(sel_all,sizeof(sel_all), NULL);
ed258538 1691 if (!ReaderReceive(resp)) return 0;
5f6d6c90 1692
ed258538 1693 // First backup the current uid
79a73ab2 1694 memcpy(uid_resp,resp,4);
1695 uid_resp_len = 4;
1696 // Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
5f6d6c90 1697
1698 // calculate crypto UID. Always use last 4 Bytes.
1699 if(cuid_ptr) {
1700 *cuid_ptr = bytes_to_num(uid_resp, 4);
79a73ab2 1701 }
e30c654b 1702
ed258538 1703 // Construct SELECT UID command
5f6d6c90 1704 memcpy(sel_uid+2,resp,5);
ed258538 1705 AppendCrc14443a(sel_uid,7);
9492e0b0 1706 ReaderTransmit(sel_uid,sizeof(sel_uid), NULL);
534983d7 1707
ed258538 1708 // Receive the SAK
1709 if (!ReaderReceive(resp)) return 0;
1710 sak = resp[0];
79a73ab2 1711
1712 // Test if more parts of the uid are comming
1713 if ((sak & 0x04) && uid_resp[0] == 0x88) {
1714 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1715 // http://www.nxp.com/documents/application_note/AN10927.pdf
ed258538 1716 memcpy(uid_resp, uid_resp + 1, 3);
79a73ab2 1717 uid_resp_len = 3;
1718 }
5f6d6c90 1719
79a73ab2 1720 if(uid_ptr) {
1721 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1722 }
5f6d6c90 1723
79a73ab2 1724 if(p_hi14a_card) {
1725 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1726 p_hi14a_card->uidlen += uid_resp_len;
1727 }
ed258538 1728 }
79a73ab2 1729
ed258538 1730 if(p_hi14a_card) {
1731 p_hi14a_card->sak = sak;
1732 p_hi14a_card->ats_len = 0;
1733 }
534983d7 1734
ed258538 1735 if( (sak & 0x20) == 0) {
1736 return 2; // non iso14443a compliant tag
79a73ab2 1737 }
534983d7 1738
ed258538 1739 // Request for answer to select
5191b3d1 1740 AppendCrc14443a(rats, 2);
9492e0b0 1741 ReaderTransmit(rats, sizeof(rats), NULL);
1c611bbd 1742
5191b3d1 1743 if (!(len = ReaderReceive(resp))) return 0;
1744
1745 if(p_hi14a_card) {
ed258538 1746 memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
1747 p_hi14a_card->ats_len = len;
1748 }
5f6d6c90 1749
ed258538 1750 // reset the PCB block number
1751 iso14_pcb_blocknum = 0;
1752 return 1;
7e758047 1753}
15c4dc5a 1754
7e758047 1755void iso14443a_setup() {
9492e0b0 1756 // Set up the synchronous serial port
1757 FpgaSetupSsc();
7e758047 1758 // Start from off (no field generated)
1759 // Signal field is off with the appropriate LED
9492e0b0 1760// LED_D_OFF();
1761// FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1762 // SpinDelay(50);
15c4dc5a 1763
7e758047 1764 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1765
7e758047 1766 // Now give it time to spin up.
1767 // Signal field is on with the appropriate LED
1768 LED_D_ON();
1769 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
9492e0b0 1770 SpinDelay(7); // iso14443-3 specifies 5ms max.
534983d7 1771
1772 iso14a_timeout = 2048; //default
7e758047 1773}
15c4dc5a 1774
534983d7 1775int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1776 uint8_t real_cmd[cmd_len+4];
1777 real_cmd[0] = 0x0a; //I-Block
b0127e65 1778 // put block number into the PCB
1779 real_cmd[0] |= iso14_pcb_blocknum;
534983d7 1780 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1781 memcpy(real_cmd+2, cmd, cmd_len);
1782 AppendCrc14443a(real_cmd,cmd_len+2);
1783
9492e0b0 1784 ReaderTransmit(real_cmd, cmd_len+4, NULL);
534983d7 1785 size_t len = ReaderReceive(data);
b0127e65 1786 uint8_t * data_bytes = (uint8_t *) data;
1787 if (!len)
1788 return 0; //DATA LINK ERROR
1789 // if we received an I- or R(ACK)-Block with a block number equal to the
1790 // current block number, toggle the current block number
1791 else if (len >= 4 // PCB+CID+CRC = 4 bytes
1792 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1793 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1794 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1795 {
1796 iso14_pcb_blocknum ^= 1;
1797 }
1798
534983d7 1799 return len;
1800}
1801
7e758047 1802//-----------------------------------------------------------------------------
1803// Read an ISO 14443a tag. Send out commands and store answers.
1804//
1805//-----------------------------------------------------------------------------
902cb3c0 1806void ReaderIso14443a(UsbCommand * c)
7e758047 1807{
534983d7 1808 iso14a_command_t param = c->arg[0];
1809 uint8_t * cmd = c->d.asBytes;
1810 size_t len = c->arg[1];
5f6d6c90 1811 size_t lenbits = c->arg[2];
9492e0b0 1812 uint32_t arg0 = 0;
1813 byte_t buf[USB_CMD_DATA_SIZE];
902cb3c0 1814
5f6d6c90 1815 if(param & ISO14A_CONNECT) {
1816 iso14a_clear_trace();
1817 }
9492e0b0 1818 iso14a_set_tracing(true);
e30c654b 1819
79a73ab2 1820 if(param & ISO14A_REQUEST_TRIGGER) {
9492e0b0 1821 iso14a_set_trigger(1);
1822 }
15c4dc5a 1823
534983d7 1824 if(param & ISO14A_CONNECT) {
1825 iso14443a_setup();
5f6d6c90 1826 if(!(param & ISO14A_NO_SELECT)) {
1827 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
1828 arg0 = iso14443a_select_card(NULL,card,NULL);
1829 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
1830 }
534983d7 1831 }
e30c654b 1832
534983d7 1833 if(param & ISO14A_SET_TIMEOUT) {
1834 iso14a_timeout = c->arg[2];
1835 }
e30c654b 1836
534983d7 1837 if(param & ISO14A_SET_TIMEOUT) {
1838 iso14a_timeout = c->arg[2];
1839 }
e30c654b 1840
534983d7 1841 if(param & ISO14A_APDU) {
902cb3c0 1842 arg0 = iso14_apdu(cmd, len, buf);
79a73ab2 1843 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1844 }
e30c654b 1845
534983d7 1846 if(param & ISO14A_RAW) {
1847 if(param & ISO14A_APPEND_CRC) {
1848 AppendCrc14443a(cmd,len);
1849 len += 2;
15c4dc5a 1850 }
5f6d6c90 1851 if(lenbits>0) {
1852 ReaderTransmitBitsPar(cmd,lenbits,GetParity(cmd,lenbits/8), NULL);
1853 } else {
1854 ReaderTransmit(cmd,len, NULL);
1855 }
902cb3c0 1856 arg0 = ReaderReceive(buf);
9492e0b0 1857 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1858 }
15c4dc5a 1859
79a73ab2 1860 if(param & ISO14A_REQUEST_TRIGGER) {
9492e0b0 1861 iso14a_set_trigger(0);
1862 }
15c4dc5a 1863
79a73ab2 1864 if(param & ISO14A_NO_DISCONNECT) {
534983d7 1865 return;
9492e0b0 1866 }
15c4dc5a 1867
15c4dc5a 1868 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1869 LEDsoff();
15c4dc5a 1870}
b0127e65 1871
1c611bbd 1872
1c611bbd 1873// Determine the distance between two nonces.
1874// Assume that the difference is small, but we don't know which is first.
1875// Therefore try in alternating directions.
1876int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
1877
1878 uint16_t i;
1879 uint32_t nttmp1, nttmp2;
e772353f 1880
1c611bbd 1881 if (nt1 == nt2) return 0;
1882
1883 nttmp1 = nt1;
1884 nttmp2 = nt2;
1885
1886 for (i = 1; i < 32768; i++) {
1887 nttmp1 = prng_successor(nttmp1, 1);
1888 if (nttmp1 == nt2) return i;
1889 nttmp2 = prng_successor(nttmp2, 1);
1890 if (nttmp2 == nt1) return -i;
1891 }
1892
1893 return(-99999); // either nt1 or nt2 are invalid nonces
e772353f 1894}
1895
e772353f 1896
1c611bbd 1897//-----------------------------------------------------------------------------
1898// Recover several bits of the cypher stream. This implements (first stages of)
1899// the algorithm described in "The Dark Side of Security by Obscurity and
1900// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
1901// (article by Nicolas T. Courtois, 2009)
1902//-----------------------------------------------------------------------------
1903void ReaderMifare(bool first_try)
1904{
1905 // Mifare AUTH
1906 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1907 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1908 static uint8_t mf_nr_ar3;
e772353f 1909
1c611bbd 1910 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1911 traceLen = 0;
1912 tracing = false;
e772353f 1913
1c611bbd 1914 byte_t nt_diff = 0;
1915 byte_t par = 0;
1916 //byte_t par_mask = 0xff;
1917 static byte_t par_low = 0;
1918 bool led_on = TRUE;
1919 uint8_t uid[10];
1920 uint32_t cuid;
e772353f 1921
1c611bbd 1922 uint32_t nt, previous_nt;
1923 static uint32_t nt_attacked = 0;
1924 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1925 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
e772353f 1926
1c611bbd 1927 static uint32_t sync_time;
1928 static uint32_t sync_cycles;
1929 int catch_up_cycles = 0;
1930 int last_catch_up = 0;
1931 uint16_t consecutive_resyncs = 0;
1932 int isOK = 0;
e772353f 1933
e772353f 1934
e772353f 1935
1c611bbd 1936 if (first_try) {
1937 StartCountMifare();
1938 mf_nr_ar3 = 0;
1939 iso14443a_setup();
1c611bbd 1940 while((GetCountMifare() & 0xffff0000) != 0x10000); // wait for counter to reset and "warm up"
9492e0b0 1941 sync_time = GetCountMifare() & 0xfffffff8;
1c611bbd 1942 sync_cycles = 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
1943 nt_attacked = 0;
1944 nt = 0;
1945 par = 0;
1946 }
1947 else {
1948 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
1949 // nt_attacked = prng_successor(nt_attacked, 1);
1950 mf_nr_ar3++;
1951 mf_nr_ar[3] = mf_nr_ar3;
1952 par = par_low;
1953 }
e30c654b 1954
15c4dc5a 1955 LED_A_ON();
1956 LED_B_OFF();
1957 LED_C_OFF();
1c611bbd 1958
1959
1960 for(uint16_t i = 0; TRUE; i++) {
1961
1962 WDT_HIT();
e30c654b 1963
1c611bbd 1964 // Test if the action was cancelled
1965 if(BUTTON_PRESS()) {
1966 break;
1967 }
1968
1969 LED_C_ON();
e30c654b 1970
1c611bbd 1971 if(!iso14443a_select_card(uid, NULL, &cuid)) {
9492e0b0 1972 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
1c611bbd 1973 continue;
1974 }
1975
1976 //keep the card active
f89c7050 1977 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1978
9492e0b0 1979 // CodeIso14443aBitsAsReaderPar(mf_auth, sizeof(mf_auth)*8, GetParity(mf_auth, sizeof(mf_auth)*8));
1c611bbd 1980
9492e0b0 1981 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
1c611bbd 1982 catch_up_cycles = 0;
1983
1984 // if we missed the sync time already, advance to the next nonce repeat
1985 while(GetCountMifare() > sync_time) {
9492e0b0 1986 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
1c611bbd 1987 }
e30c654b 1988
9492e0b0 1989 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
1990 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
f89c7050 1991
1c611bbd 1992 // Receive the (4 Byte) "random" nonce
1993 if (!ReaderReceive(receivedAnswer)) {
9492e0b0 1994 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
1c611bbd 1995 continue;
1996 }
1997
1c611bbd 1998 previous_nt = nt;
1999 nt = bytes_to_num(receivedAnswer, 4);
2000
2001 // Transmit reader nonce with fake par
9492e0b0 2002 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
1c611bbd 2003
2004 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
2005 int nt_distance = dist_nt(previous_nt, nt);
2006 if (nt_distance == 0) {
2007 nt_attacked = nt;
2008 }
2009 else {
2010 if (nt_distance == -99999) { // invalid nonce received, try again
2011 continue;
2012 }
2013 sync_cycles = (sync_cycles - nt_distance);
9492e0b0 2014 if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
1c611bbd 2015 continue;
2016 }
2017 }
2018
2019 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
2020 catch_up_cycles = -dist_nt(nt_attacked, nt);
2021 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
2022 catch_up_cycles = 0;
2023 continue;
2024 }
2025 if (catch_up_cycles == last_catch_up) {
2026 consecutive_resyncs++;
2027 }
2028 else {
2029 last_catch_up = catch_up_cycles;
2030 consecutive_resyncs = 0;
2031 }
2032 if (consecutive_resyncs < 3) {
9492e0b0 2033 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
1c611bbd 2034 }
2035 else {
2036 sync_cycles = sync_cycles + catch_up_cycles;
9492e0b0 2037 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
1c611bbd 2038 }
2039 continue;
2040 }
2041
2042 consecutive_resyncs = 0;
2043
2044 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2045 if (ReaderReceive(receivedAnswer))
2046 {
9492e0b0 2047 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
1c611bbd 2048
2049 if (nt_diff == 0)
2050 {
2051 par_low = par & 0x07; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2052 }
2053
2054 led_on = !led_on;
2055 if(led_on) LED_B_ON(); else LED_B_OFF();
2056
2057 par_list[nt_diff] = par;
2058 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2059
2060 // Test if the information is complete
2061 if (nt_diff == 0x07) {
2062 isOK = 1;
2063 break;
2064 }
2065
2066 nt_diff = (nt_diff + 1) & 0x07;
2067 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2068 par = par_low;
2069 } else {
2070 if (nt_diff == 0 && first_try)
2071 {
2072 par++;
2073 } else {
2074 par = (((par >> 3) + 1) << 3) | par_low;
2075 }
2076 }
2077 }
2078
2079 LogTrace((const uint8_t *)&nt, 4, 0, GetParity((const uint8_t *)&nt, 4), TRUE);
2080 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
2081 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
2082
2083 mf_nr_ar[3] &= 0x1F;
2084
2085 byte_t buf[28];
2086 memcpy(buf + 0, uid, 4);
2087 num_to_bytes(nt, 4, buf + 4);
2088 memcpy(buf + 8, par_list, 8);
2089 memcpy(buf + 16, ks_list, 8);
2090 memcpy(buf + 24, mf_nr_ar, 4);
2091
2092 cmd_send(CMD_ACK,isOK,0,0,buf,28);
2093
2094 // Thats it...
2095 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2096 LEDsoff();
2097 tracing = TRUE;
20f9a2a1 2098}
1c611bbd 2099
20f9a2a1
M
2100//-----------------------------------------------------------------------------
2101// MIFARE 1K simulate.
2102//
2103//-----------------------------------------------------------------------------
2104void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2105{
50193c1e 2106 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2107 int _7BUID = 0;
9ca155ba 2108 int vHf = 0; // in mV
9f693930 2109 //int nextCycleTimeout = 0;
8f51ddb0 2110 int res;
51969283 2111// uint32_t timer = 0;
0a39986e
M
2112 uint32_t selTimer = 0;
2113 uint32_t authTimer = 0;
2114 uint32_t par = 0;
9ca155ba 2115 int len = 0;
8f51ddb0 2116 uint8_t cardWRBL = 0;
9ca155ba
M
2117 uint8_t cardAUTHSC = 0;
2118 uint8_t cardAUTHKEY = 0xff; // no authentication
9f693930 2119 //uint32_t cardRn = 0;
51969283 2120 uint32_t cardRr = 0;
9ca155ba 2121 uint32_t cuid = 0;
9f693930 2122 //uint32_t rn_enc = 0;
51969283 2123 uint32_t ans = 0;
0014cb46
M
2124 uint32_t cardINTREG = 0;
2125 uint8_t cardINTBLOCK = 0;
9ca155ba
M
2126 struct Crypto1State mpcs = {0, 0};
2127 struct Crypto1State *pcs;
2128 pcs = &mpcs;
2129
8f51ddb0
M
2130 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2131 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2132
8556b852 2133 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2134
0a39986e
M
2135 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2136 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2137
0a39986e 2138 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2139 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2140
0014cb46
M
2141 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2142// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2143 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2144
0a39986e
M
2145 // clear trace
2146 traceLen = 0;
2147 tracing = true;
51969283
M
2148
2149 // Authenticate response - nonce
2150 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2151
8556b852
M
2152 // get UID from emul memory
2153 emlGetMemBt(receivedCmd, 7, 1);
2154 _7BUID = !(receivedCmd[0] == 0x00);
2155 if (!_7BUID) { // ---------- 4BUID
2156 rATQA[0] = 0x04;
2157
2158 emlGetMemBt(rUIDBCC1, 0, 4);
2159 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2160 } else { // ---------- 7BUID
2161 rATQA[0] = 0x44;
2162
2163 rUIDBCC1[0] = 0x88;
2164 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2165 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2166 emlGetMemBt(rUIDBCC2, 3, 4);
2167 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2168 }
2169
9ca155ba 2170// -------------------------------------- test area
50193c1e 2171
9ca155ba 2172// -------------------------------------- END test area
8f51ddb0
M
2173 // start mkseconds counter
2174 StartCountUS();
9ca155ba
M
2175
2176 // We need to listen to the high-frequency, peak-detected path.
2177 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2178 FpgaSetupSsc();
2179
2180 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2181 SpinDelay(200);
2182
0014cb46 2183 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M
2184 // calibrate mkseconds counter
2185 GetDeltaCountUS();
9ca155ba
M
2186 while (true) {
2187 WDT_HIT();
9ca155ba 2188
8f51ddb0
M
2189 if(BUTTON_PRESS()) {
2190 break;
2191 }
2192
9ca155ba
M
2193 // find reader field
2194 // Vref = 3300mV, and an 10:1 voltage divider on the input
2195 // can measure voltages up to 33000 mV
2196 if (cardSTATE == MFEMUL_NOFIELD) {
2197 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2198 if (vHf > MF_MINFIELDV) {
0014cb46 2199 cardSTATE_TO_IDLE();
9ca155ba
M
2200 LED_A_ON();
2201 }
2202 }
2203
2204 if (cardSTATE != MFEMUL_NOFIELD) {
81cd0474 2205 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
9ca155ba
M
2206 if (res == 2) {
2207 cardSTATE = MFEMUL_NOFIELD;
2208 LEDsoff();
2209 continue;
2210 }
2211 if(res) break;
2212 }
2213
9f693930 2214 //nextCycleTimeout = 0;
8f51ddb0 2215
9ca155ba 2216// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M
2217
2218 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2219 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M
2220 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2221 selTimer = GetTickCount();
2222 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2223 cardSTATE = MFEMUL_SELECT1;
2224
2225 // init crypto block
2226 LED_B_OFF();
2227 LED_C_OFF();
2228 crypto1_destroy(pcs);
2229 cardAUTHKEY = 0xff;
2230 }
2231 }
9ca155ba 2232
50193c1e
M
2233 switch (cardSTATE) {
2234 case MFEMUL_NOFIELD:{
2235 break;
2236 }
9ca155ba 2237 case MFEMUL_HALTED:{
0a39986e 2238 break;
9ca155ba 2239 }
50193c1e
M
2240 case MFEMUL_IDLE:{
2241 break;
2242 }
2243 case MFEMUL_SELECT1:{
9ca155ba
M
2244 // select all
2245 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2246 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2247 break;
9ca155ba
M
2248 }
2249
2250 // select card
0a39986e
M
2251 if (len == 9 &&
2252 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M
2253 if (!_7BUID)
2254 EmSendCmd(rSAK, sizeof(rSAK));
2255 else
2256 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M
2257
2258 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M
2259 if (!_7BUID) {
2260 cardSTATE = MFEMUL_WORK;
0014cb46
M
2261 LED_B_ON();
2262 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2263 break;
8556b852
M
2264 } else {
2265 cardSTATE = MFEMUL_SELECT2;
2266 break;
2267 }
9ca155ba
M
2268 }
2269
50193c1e
M
2270 break;
2271 }
2272 case MFEMUL_SELECT2:{
0014cb46
M
2273 if (!len) break;
2274
8556b852 2275 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2276 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M
2277 break;
2278 }
9ca155ba 2279
8556b852
M
2280 // select 2 card
2281 if (len == 9 &&
2282 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2283 EmSendCmd(rSAK, sizeof(rSAK));
2284
2285 cuid = bytes_to_num(rUIDBCC2, 4);
2286 cardSTATE = MFEMUL_WORK;
2287 LED_B_ON();
0014cb46 2288 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M
2289 break;
2290 }
0014cb46
M
2291
2292 // i guess there is a command). go into the work state.
2293 if (len != 4) break;
2294 cardSTATE = MFEMUL_WORK;
2295 goto lbWORK;
50193c1e
M
2296 }
2297 case MFEMUL_AUTH1:{
9ca155ba 2298 if (len == 8) {
51969283 2299 // --- crypto
9f693930
GY
2300 //rn_enc = bytes_to_num(receivedCmd, 4);
2301 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
51969283
M
2302 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2303 // test if auth OK
2304 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M
2305 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2306 cardSTATE_TO_IDLE();
51969283
M
2307 break;
2308 }
2309 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2310 num_to_bytes(ans, 4, rAUTH_AT);
2311 // --- crypto
2312 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M
2313 cardSTATE = MFEMUL_AUTH2;
2314 } else {
0014cb46 2315 cardSTATE_TO_IDLE();
9ca155ba 2316 }
0a39986e 2317 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M
2318 }
2319 case MFEMUL_AUTH2:{
9ca155ba 2320 LED_C_ON();
0a39986e 2321 cardSTATE = MFEMUL_WORK;
0014cb46 2322 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M
2323 break;
2324 }
9ca155ba 2325 case MFEMUL_WORK:{
0014cb46 2326lbWORK: if (len == 0) break;
0a39986e 2327
51969283
M
2328 if (cardAUTHKEY == 0xff) {
2329 // first authentication
2330 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2331 authTimer = GetTickCount();
2332
2333 cardAUTHSC = receivedCmd[1] / 4; // received block num
2334 cardAUTHKEY = receivedCmd[0] - 0x60;
2335
2336 // --- crypto
2337 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2338 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2339 num_to_bytes(nonce, 4, rAUTH_AT);
2340 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2341 // --- crypto
2342
2343// last working revision
2344// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2345// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2346
2347 cardSTATE = MFEMUL_AUTH1;
9f693930 2348 //nextCycleTimeout = 10;
51969283
M
2349 break;
2350 }
2351 } else {
2352 // decrypt seqence
2353 mf_crypto1_decrypt(pcs, receivedCmd, len);
2354
2355 // nested authentication
2356 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2357 authTimer = GetTickCount();
2358
2359 cardAUTHSC = receivedCmd[1] / 4; // received block num
2360 cardAUTHKEY = receivedCmd[0] - 0x60;
2361
2362 // --- crypto
2363 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2364 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2365 num_to_bytes(ans, 4, rAUTH_AT);
2366 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2367 // --- crypto
2368
2369 cardSTATE = MFEMUL_AUTH1;
9f693930 2370 //nextCycleTimeout = 10;
51969283
M
2371 break;
2372 }
2373 }
0a39986e 2374
8f51ddb0
M
2375 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2376 // BUT... ACK --> NACK
2377 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2378 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2379 break;
2380 }
2381
2382 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2383 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2384 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2385 break;
0a39986e
M
2386 }
2387
2388 // read block
2389 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2390 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2391 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2392 break;
2393 }
2394 emlGetMem(response, receivedCmd[1], 1);
2395 AppendCrc14443a(response, 16);
2396 mf_crypto1_encrypt(pcs, response, 18, &par);
2397 EmSendCmdPar(response, 18, par);
0a39986e
M
2398 break;
2399 }
2400
2401 // write block
2402 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2403 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2404 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2405 break;
2406 }
2407 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
9f693930 2408 //nextCycleTimeout = 50;
8f51ddb0
M
2409 cardSTATE = MFEMUL_WRITEBL2;
2410 cardWRBL = receivedCmd[1];
0a39986e 2411 break;
9ca155ba 2412 }
8f51ddb0 2413
0014cb46
M
2414 // works with cardINTREG
2415
2416 // increment, decrement, restore
2417 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2418 if (receivedCmd[1] >= 16 * 4 ||
2419 receivedCmd[1] / 4 != cardAUTHSC ||
2420 emlCheckValBl(receivedCmd[1])) {
2421 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2422 break;
2423 }
2424 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2425 if (receivedCmd[0] == 0xC1)
2426 cardSTATE = MFEMUL_INTREG_INC;
2427 if (receivedCmd[0] == 0xC0)
2428 cardSTATE = MFEMUL_INTREG_DEC;
2429 if (receivedCmd[0] == 0xC2)
2430 cardSTATE = MFEMUL_INTREG_REST;
2431 cardWRBL = receivedCmd[1];
2432
2433 break;
2434 }
2435
2436
2437 // transfer
2438 if (len == 4 && receivedCmd[0] == 0xB0) {
2439 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2440 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2441 break;
2442 }
2443
2444 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2445 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2446 else
2447 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2448
2449 break;
2450 }
2451
9ca155ba 2452 // halt
0a39986e 2453 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2454 LED_B_OFF();
0a39986e 2455 LED_C_OFF();
0014cb46
M
2456 cardSTATE = MFEMUL_HALTED;
2457 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2458 break;
9ca155ba 2459 }
51969283 2460
8f51ddb0
M
2461 // command not allowed
2462 if (len == 4) {
2463 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2464 break;
2465 }
51969283
M
2466
2467 // case break
2468 break;
8f51ddb0
M
2469 }
2470 case MFEMUL_WRITEBL2:{
2471 if (len == 18){
2472 mf_crypto1_decrypt(pcs, receivedCmd, len);
2473 emlSetMem(receivedCmd, cardWRBL, 1);
2474 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2475 cardSTATE = MFEMUL_WORK;
2476 break;
51969283 2477 } else {
0014cb46 2478 cardSTATE_TO_IDLE();
51969283 2479 break;
8f51ddb0 2480 }
8f51ddb0 2481 break;
50193c1e 2482 }
0014cb46
M
2483
2484 case MFEMUL_INTREG_INC:{
2485 mf_crypto1_decrypt(pcs, receivedCmd, len);
2486 memcpy(&ans, receivedCmd, 4);
2487 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2488 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2489 cardSTATE_TO_IDLE();
2490 break;
2491 }
2492 cardINTREG = cardINTREG + ans;
2493 cardSTATE = MFEMUL_WORK;
2494 break;
2495 }
2496 case MFEMUL_INTREG_DEC:{
2497 mf_crypto1_decrypt(pcs, receivedCmd, len);
2498 memcpy(&ans, receivedCmd, 4);
2499 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2500 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2501 cardSTATE_TO_IDLE();
2502 break;
2503 }
2504 cardINTREG = cardINTREG - ans;
2505 cardSTATE = MFEMUL_WORK;
2506 break;
2507 }
2508 case MFEMUL_INTREG_REST:{
2509 mf_crypto1_decrypt(pcs, receivedCmd, len);
2510 memcpy(&ans, receivedCmd, 4);
2511 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2512 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2513 cardSTATE_TO_IDLE();
2514 break;
2515 }
2516 cardSTATE = MFEMUL_WORK;
2517 break;
2518 }
50193c1e 2519 }
50193c1e
M
2520 }
2521
9ca155ba
M
2522 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2523 LEDsoff();
2524
0a39986e 2525 // add trace trailer
8f51ddb0 2526 memset(rAUTH_NT, 0x44, 4);
0a39986e
M
2527 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2528
0014cb46 2529 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2530}
b62a5a84
M
2531
2532//-----------------------------------------------------------------------------
2533// MIFARE sniffer.
2534//
2535//-----------------------------------------------------------------------------
5cd9ec01
M
2536void RAMFUNC SniffMifare(uint8_t param) {
2537 // param:
2538 // bit 0 - trigger from first card answer
2539 // bit 1 - trigger from first reader 7-bit request
39864b0b
M
2540
2541 // C(red) A(yellow) B(green)
b62a5a84
M
2542 LEDsoff();
2543 // init trace buffer
d19929cb 2544 iso14a_clear_trace();
b62a5a84 2545
b62a5a84
M
2546 // The command (reader -> tag) that we're receiving.
2547 // The length of a received command will in most cases be no more than 18 bytes.
2548 // So 32 should be enough!
2549 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
2550 // The response (tag -> reader) that we're receiving.
2551 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
2552
2553 // As we receive stuff, we copy it from receivedCmd or receivedResponse
2554 // into trace, along with its length and other annotations.
2555 //uint8_t *trace = (uint8_t *)BigBuf;
2556
2557 // The DMA buffer, used to stream samples from the FPGA
2558 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
5cd9ec01
M
2559 int8_t *data = dmaBuf;
2560 int maxDataLen = 0;
2561 int dataLen = 0;
b62a5a84
M
2562
2563 // Set up the demodulator for tag -> reader responses.
2564 Demod.output = receivedResponse;
2565 Demod.len = 0;
2566 Demod.state = DEMOD_UNSYNCD;
2567
2568 // Set up the demodulator for the reader -> tag commands
2569 memset(&Uart, 0, sizeof(Uart));
2570 Uart.output = receivedCmd;
2571 Uart.byteCntMax = 32; // was 100 (greg)//////////////////
2572 Uart.state = STATE_UNSYNCD;
2573
2574 // Setup for the DMA.
2575 FpgaSetupSsc();
b62a5a84
M
2576 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
2577
2578 // And put the FPGA in the appropriate mode
2579 // Signal field is off with the appropriate LED
2580 LED_D_OFF();
2581 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
2582 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
39864b0b
M
2583
2584 // init sniffer
2585 MfSniffInit();
2586 int sniffCounter = 0;
b62a5a84 2587
b62a5a84
M
2588 // And now we loop, receiving samples.
2589 while(true) {
5cd9ec01
M
2590 if(BUTTON_PRESS()) {
2591 DbpString("cancelled by button");
2592 goto done;
2593 }
2594
b62a5a84
M
2595 LED_A_ON();
2596 WDT_HIT();
39864b0b
M
2597
2598 if (++sniffCounter > 65) {
2599 if (MfSniffSend(2000)) {
55acbb2a 2600 FpgaEnableSscDma();
39864b0b
M
2601 }
2602 sniffCounter = 0;
2603 }
5cd9ec01
M
2604
2605 int register readBufDataP = data - dmaBuf;
2606 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
2607 if (readBufDataP <= dmaBufDataP){
2608 dataLen = dmaBufDataP - readBufDataP;
2609 } else {
2610 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP + 1;
2611 }
2612 // test for length of buffer
2613 if(dataLen > maxDataLen) {
2614 maxDataLen = dataLen;
2615 if(dataLen > 400) {
2616 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
b62a5a84
M
2617 goto done;
2618 }
2619 }
5cd9ec01 2620 if(dataLen < 1) continue;
b62a5a84 2621
5cd9ec01
M
2622 // primary buffer was stopped( <-- we lost data!
2623 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2624 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2625 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
55acbb2a 2626 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
5cd9ec01
M
2627 }
2628 // secondary buffer sets as primary, secondary buffer was stopped
2629 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2630 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
b62a5a84
M
2631 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2632 }
5cd9ec01
M
2633
2634 LED_A_OFF();
b62a5a84 2635
5cd9ec01 2636 if(MillerDecoding((data[0] & 0xF0) >> 4)) {
39864b0b 2637 LED_C_INV();
5cd9ec01 2638 // check - if there is a short 7bit request from reader
71d90e54 2639 if (MfSniffLogic(receivedCmd, Uart.byteCnt, Uart.parityBits, Uart.bitCnt, TRUE)) break;
5cd9ec01 2640
b62a5a84
M
2641 /* And ready to receive another command. */
2642 Uart.state = STATE_UNSYNCD;
39864b0b
M
2643
2644 /* And also reset the demod code */
b62a5a84 2645 Demod.state = DEMOD_UNSYNCD;
b62a5a84
M
2646 }
2647
5cd9ec01 2648 if(ManchesterDecoding(data[0] & 0x0F)) {
39864b0b 2649 LED_C_INV();
b62a5a84 2650
71d90e54 2651 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parityBits, Demod.bitCount, FALSE)) break;
b62a5a84
M
2652
2653 // And ready to receive another response.
2654 memset(&Demod, 0, sizeof(Demod));
2655 Demod.output = receivedResponse;
2656 Demod.state = DEMOD_UNSYNCD;
39864b0b
M
2657
2658 /* And also reset the uart code */
2659 Uart.state = STATE_UNSYNCD;
b62a5a84
M
2660 }
2661
5cd9ec01
M
2662 data++;
2663 if(data > dmaBuf + DMA_BUFFER_SIZE) {
2664 data = dmaBuf;
b62a5a84
M
2665 }
2666 } // main cycle
2667
2668 DbpString("COMMAND FINISHED");
2669
2670done:
55acbb2a 2671 FpgaDisableSscDma();
39864b0b
M
2672 MfSniffEnd();
2673
55acbb2a 2674 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x Uart.byteCntMax=%x", maxDataLen, Uart.state, Uart.byteCnt, Uart.byteCntMax);
b62a5a84 2675 LEDsoff();
3803d529 2676}
Impressum, Datenschutz