]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iclass.c
Added the changes to armsrc for milfare ultralight C and Desfire commands
[proxmark3-svn] / armsrc / iclass.c
CommitLineData
cee5a30d 1//-----------------------------------------------------------------------------
2// Gerhard de Koning Gans - May 2008
3// Hagen Fritsch - June 2010
4// Gerhard de Koning Gans - May 2011
1e262141 5// Gerhard de Koning Gans - June 2012 - Added iClass card and reader emulation
cee5a30d 6//
7// This code is licensed to you under the terms of the GNU GPL, version 2 or,
8// at your option, any later version. See the LICENSE.txt file for the text of
9// the license.
10//-----------------------------------------------------------------------------
11// Routines to support iClass.
12//-----------------------------------------------------------------------------
13// Based on ISO14443a implementation. Still in experimental phase.
14// Contribution made during a security research at Radboud University Nijmegen
15//
16// Please feel free to contribute and extend iClass support!!
17//-----------------------------------------------------------------------------
18//
cee5a30d 19// FIX:
20// ====
21// We still have sometimes a demodulation error when snooping iClass communication.
22// The resulting trace of a read-block-03 command may look something like this:
23//
24// + 22279: : 0c 03 e8 01
25//
26// ...with an incorrect answer...
27//
28// + 85: 0: TAG ff! ff! ff! ff! ff! ff! ff! ff! bb 33 bb 00 01! 0e! 04! bb !crc
29//
30// We still left the error signalling bytes in the traces like 0xbb
31//
32// A correct trace should look like this:
33//
34// + 21112: : 0c 03 e8 01
35// + 85: 0: TAG ff ff ff ff ff ff ff ff ea f5
36//
37//-----------------------------------------------------------------------------
38
39#include "proxmark3.h"
40#include "apps.h"
41#include "util.h"
42#include "string.h"
7e67e42f 43#include "common.h"
f028213f 44#include "cmd.h"
1e262141 45// Needed for CRC in emulation mode;
46// same construction as in ISO 14443;
47// different initial value (CRC_ICLASS)
48#include "iso14443crc.h"
f028213f 49#include "iso15693tools.h"
cee5a30d 50
1e262141 51static int timeout = 4096;
cee5a30d 52
f028213f 53// CARD TO READER
54// Sequence D: 11110000 modulation with subcarrier during first half
55// Sequence E: 00001111 modulation with subcarrier during second half
56// Sequence F: 00000000 no modulation with subcarrier
57// READER TO CARD
58// Sequence X: 00001100 drop after half a period
59// Sequence Y: 00000000 no drop
60// Sequence Z: 11000000 drop at start
61#define SEC_X 0x0c
62#define SEC_Y 0x00
63#define SEC_Z 0xc0
cee5a30d 64
1e262141 65static int SendIClassAnswer(uint8_t *resp, int respLen, int delay);
cee5a30d 66
67//-----------------------------------------------------------------------------
68// The software UART that receives commands from the reader, and its state
69// variables.
70//-----------------------------------------------------------------------------
71static struct {
72 enum {
73 STATE_UNSYNCD,
74 STATE_START_OF_COMMUNICATION,
75 STATE_RECEIVING
76 } state;
77 uint16_t shiftReg;
78 int bitCnt;
79 int byteCnt;
80 int byteCntMax;
81 int posCnt;
82 int nOutOfCnt;
83 int OutOfCnt;
84 int syncBit;
1e262141 85 int parityBits;
86 int samples;
cee5a30d 87 int highCnt;
88 int swapper;
89 int counter;
90 int bitBuffer;
91 int dropPosition;
92 uint8_t *output;
93} Uart;
94
1e262141 95static RAMFUNC int OutOfNDecoding(int bit)
cee5a30d 96{
9f693930 97 //int error = 0;
cee5a30d 98 int bitright;
99
100 if(!Uart.bitBuffer) {
101 Uart.bitBuffer = bit ^ 0xFF0;
102 return FALSE;
103 }
104 else {
105 Uart.bitBuffer <<= 4;
106 Uart.bitBuffer ^= bit;
107 }
108
109 /*if(Uart.swapper) {
110 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
111 Uart.byteCnt++;
112 Uart.swapper = 0;
113 if(Uart.byteCnt > 15) { return TRUE; }
114 }
115 else {
116 Uart.swapper = 1;
117 }*/
118
119 if(Uart.state != STATE_UNSYNCD) {
120 Uart.posCnt++;
121
122 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
123 bit = 0x00;
124 }
125 else {
126 bit = 0x01;
127 }
128 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
129 bitright = 0x00;
130 }
131 else {
132 bitright = 0x01;
133 }
134 if(bit != bitright) { bit = bitright; }
135
136
137 // So, now we only have to deal with *bit*, lets see...
138 if(Uart.posCnt == 1) {
139 // measurement first half bitperiod
140 if(!bit) {
141 // Drop in first half means that we are either seeing
142 // an SOF or an EOF.
143
144 if(Uart.nOutOfCnt == 1) {
145 // End of Communication
146 Uart.state = STATE_UNSYNCD;
147 Uart.highCnt = 0;
148 if(Uart.byteCnt == 0) {
149 // Its not straightforward to show single EOFs
150 // So just leave it and do not return TRUE
151 Uart.output[Uart.byteCnt] = 0xf0;
152 Uart.byteCnt++;
153
154 // Calculate the parity bit for the client...
155 Uart.parityBits = 1;
156 }
157 else {
158 return TRUE;
159 }
160 }
161 else if(Uart.state != STATE_START_OF_COMMUNICATION) {
162 // When not part of SOF or EOF, it is an error
163 Uart.state = STATE_UNSYNCD;
164 Uart.highCnt = 0;
9f693930 165 //error = 4;
cee5a30d 166 }
167 }
168 }
169 else {
170 // measurement second half bitperiod
171 // Count the bitslot we are in... (ISO 15693)
172 Uart.nOutOfCnt++;
173
174 if(!bit) {
175 if(Uart.dropPosition) {
176 if(Uart.state == STATE_START_OF_COMMUNICATION) {
9f693930 177 //error = 1;
cee5a30d 178 }
179 else {
9f693930 180 //error = 7;
cee5a30d 181 }
182 // It is an error if we already have seen a drop in current frame
183 Uart.state = STATE_UNSYNCD;
184 Uart.highCnt = 0;
185 }
186 else {
187 Uart.dropPosition = Uart.nOutOfCnt;
188 }
189 }
190
191 Uart.posCnt = 0;
192
193
194 if(Uart.nOutOfCnt == Uart.OutOfCnt && Uart.OutOfCnt == 4) {
195 Uart.nOutOfCnt = 0;
196
197 if(Uart.state == STATE_START_OF_COMMUNICATION) {
198 if(Uart.dropPosition == 4) {
199 Uart.state = STATE_RECEIVING;
200 Uart.OutOfCnt = 256;
201 }
202 else if(Uart.dropPosition == 3) {
203 Uart.state = STATE_RECEIVING;
204 Uart.OutOfCnt = 4;
205 //Uart.output[Uart.byteCnt] = 0xdd;
206 //Uart.byteCnt++;
207 }
208 else {
209 Uart.state = STATE_UNSYNCD;
210 Uart.highCnt = 0;
211 }
212 Uart.dropPosition = 0;
213 }
214 else {
215 // RECEIVING DATA
216 // 1 out of 4
217 if(!Uart.dropPosition) {
218 Uart.state = STATE_UNSYNCD;
219 Uart.highCnt = 0;
9f693930 220 //error = 9;
cee5a30d 221 }
222 else {
223 Uart.shiftReg >>= 2;
224
225 // Swap bit order
226 Uart.dropPosition--;
227 //if(Uart.dropPosition == 1) { Uart.dropPosition = 2; }
228 //else if(Uart.dropPosition == 2) { Uart.dropPosition = 1; }
229
230 Uart.shiftReg ^= ((Uart.dropPosition & 0x03) << 6);
231 Uart.bitCnt += 2;
232 Uart.dropPosition = 0;
233
234 if(Uart.bitCnt == 8) {
235 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
236 Uart.byteCnt++;
237
238 // Calculate the parity bit for the client...
239 Uart.parityBits <<= 1;
240 Uart.parityBits ^= OddByteParity[(Uart.shiftReg & 0xff)];
241
242 Uart.bitCnt = 0;
243 Uart.shiftReg = 0;
244 }
245 }
246 }
247 }
248 else if(Uart.nOutOfCnt == Uart.OutOfCnt) {
249 // RECEIVING DATA
250 // 1 out of 256
251 if(!Uart.dropPosition) {
252 Uart.state = STATE_UNSYNCD;
253 Uart.highCnt = 0;
9f693930 254 //error = 3;
cee5a30d 255 }
256 else {
257 Uart.dropPosition--;
258 Uart.output[Uart.byteCnt] = (Uart.dropPosition & 0xff);
259 Uart.byteCnt++;
260
261 // Calculate the parity bit for the client...
262 Uart.parityBits <<= 1;
263 Uart.parityBits ^= OddByteParity[(Uart.dropPosition & 0xff)];
264
265 Uart.bitCnt = 0;
266 Uart.shiftReg = 0;
267 Uart.nOutOfCnt = 0;
268 Uart.dropPosition = 0;
269 }
270 }
271
272 /*if(error) {
273 Uart.output[Uart.byteCnt] = 0xAA;
274 Uart.byteCnt++;
275 Uart.output[Uart.byteCnt] = error & 0xFF;
276 Uart.byteCnt++;
277 Uart.output[Uart.byteCnt] = 0xAA;
278 Uart.byteCnt++;
279 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
280 Uart.byteCnt++;
281 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
282 Uart.byteCnt++;
283 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
284 Uart.byteCnt++;
285 Uart.output[Uart.byteCnt] = 0xAA;
286 Uart.byteCnt++;
287 return TRUE;
288 }*/
289 }
290
291 }
292 else {
293 bit = Uart.bitBuffer & 0xf0;
294 bit >>= 4;
295 bit ^= 0x0F; // drops become 1s ;-)
296 if(bit) {
297 // should have been high or at least (4 * 128) / fc
298 // according to ISO this should be at least (9 * 128 + 20) / fc
299 if(Uart.highCnt == 8) {
300 // we went low, so this could be start of communication
301 // it turns out to be safer to choose a less significant
302 // syncbit... so we check whether the neighbour also represents the drop
303 Uart.posCnt = 1; // apparently we are busy with our first half bit period
304 Uart.syncBit = bit & 8;
305 Uart.samples = 3;
306 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
307 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
308 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
309 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
310 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
311 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
312 Uart.syncBit = 8;
313
314 // the first half bit period is expected in next sample
315 Uart.posCnt = 0;
316 Uart.samples = 3;
317 }
318 }
319 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
320
321 Uart.syncBit <<= 4;
322 Uart.state = STATE_START_OF_COMMUNICATION;
323 Uart.bitCnt = 0;
324 Uart.byteCnt = 0;
325 Uart.parityBits = 0;
326 Uart.nOutOfCnt = 0;
327 Uart.OutOfCnt = 4; // Start at 1/4, could switch to 1/256
328 Uart.dropPosition = 0;
329 Uart.shiftReg = 0;
9f693930 330 //error = 0;
cee5a30d 331 }
332 else {
333 Uart.highCnt = 0;
334 }
335 }
336 else {
337 if(Uart.highCnt < 8) {
338 Uart.highCnt++;
339 }
340 }
341 }
342
343 return FALSE;
344}
345
346//=============================================================================
1e262141 347// Manchester
cee5a30d 348//=============================================================================
349
350static struct {
351 enum {
352 DEMOD_UNSYNCD,
353 DEMOD_START_OF_COMMUNICATION,
354 DEMOD_START_OF_COMMUNICATION2,
355 DEMOD_START_OF_COMMUNICATION3,
356 DEMOD_SOF_COMPLETE,
357 DEMOD_MANCHESTER_D,
358 DEMOD_MANCHESTER_E,
359 DEMOD_END_OF_COMMUNICATION,
360 DEMOD_END_OF_COMMUNICATION2,
361 DEMOD_MANCHESTER_F,
362 DEMOD_ERROR_WAIT
363 } state;
364 int bitCount;
365 int posCount;
366 int syncBit;
367 int parityBits;
368 uint16_t shiftReg;
369 int buffer;
370 int buffer2;
371 int buffer3;
372 int buff;
373 int samples;
374 int len;
375 enum {
376 SUB_NONE,
377 SUB_FIRST_HALF,
378 SUB_SECOND_HALF,
379 SUB_BOTH
380 } sub;
381 uint8_t *output;
382} Demod;
383
384static RAMFUNC int ManchesterDecoding(int v)
385{
386 int bit;
387 int modulation;
388 int error = 0;
389
390 bit = Demod.buffer;
391 Demod.buffer = Demod.buffer2;
392 Demod.buffer2 = Demod.buffer3;
393 Demod.buffer3 = v;
394
395 if(Demod.buff < 3) {
396 Demod.buff++;
397 return FALSE;
398 }
399
400 if(Demod.state==DEMOD_UNSYNCD) {
401 Demod.output[Demod.len] = 0xfa;
402 Demod.syncBit = 0;
403 //Demod.samples = 0;
404 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
cee5a30d 405
406 if(bit & 0x08) {
407 Demod.syncBit = 0x08;
408 }
409
410 if(bit & 0x04) {
411 if(Demod.syncBit) {
412 bit <<= 4;
413 }
414 Demod.syncBit = 0x04;
415 }
416
417 if(bit & 0x02) {
418 if(Demod.syncBit) {
419 bit <<= 2;
420 }
421 Demod.syncBit = 0x02;
422 }
423
424 if(bit & 0x01 && Demod.syncBit) {
425 Demod.syncBit = 0x01;
426 }
427
428 if(Demod.syncBit) {
429 Demod.len = 0;
430 Demod.state = DEMOD_START_OF_COMMUNICATION;
431 Demod.sub = SUB_FIRST_HALF;
432 Demod.bitCount = 0;
433 Demod.shiftReg = 0;
434 Demod.parityBits = 0;
435 Demod.samples = 0;
436 if(Demod.posCount) {
437 //if(trigger) LED_A_OFF(); // Not useful in this case...
438 switch(Demod.syncBit) {
439 case 0x08: Demod.samples = 3; break;
440 case 0x04: Demod.samples = 2; break;
441 case 0x02: Demod.samples = 1; break;
442 case 0x01: Demod.samples = 0; break;
443 }
444 // SOF must be long burst... otherwise stay unsynced!!!
445 if(!(Demod.buffer & Demod.syncBit) || !(Demod.buffer2 & Demod.syncBit)) {
446 Demod.state = DEMOD_UNSYNCD;
447 }
448 }
449 else {
450 // SOF must be long burst... otherwise stay unsynced!!!
451 if(!(Demod.buffer2 & Demod.syncBit) || !(Demod.buffer3 & Demod.syncBit)) {
452 Demod.state = DEMOD_UNSYNCD;
453 error = 0x88;
454 }
455
456 }
457 error = 0;
458
459 }
460 }
461 else {
462 modulation = bit & Demod.syncBit;
463 modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
464 //modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
465
466 Demod.samples += 4;
467
468 if(Demod.posCount==0) {
469 Demod.posCount = 1;
470 if(modulation) {
471 Demod.sub = SUB_FIRST_HALF;
472 }
473 else {
474 Demod.sub = SUB_NONE;
475 }
476 }
477 else {
478 Demod.posCount = 0;
479 /*(modulation && (Demod.sub == SUB_FIRST_HALF)) {
480 if(Demod.state!=DEMOD_ERROR_WAIT) {
481 Demod.state = DEMOD_ERROR_WAIT;
482 Demod.output[Demod.len] = 0xaa;
483 error = 0x01;
484 }
485 }*/
486 //else if(modulation) {
487 if(modulation) {
488 if(Demod.sub == SUB_FIRST_HALF) {
489 Demod.sub = SUB_BOTH;
490 }
491 else {
492 Demod.sub = SUB_SECOND_HALF;
493 }
494 }
495 else if(Demod.sub == SUB_NONE) {
496 if(Demod.state == DEMOD_SOF_COMPLETE) {
497 Demod.output[Demod.len] = 0x0f;
498 Demod.len++;
499 Demod.parityBits <<= 1;
500 Demod.parityBits ^= OddByteParity[0x0f];
501 Demod.state = DEMOD_UNSYNCD;
502// error = 0x0f;
503 return TRUE;
504 }
505 else {
506 Demod.state = DEMOD_ERROR_WAIT;
507 error = 0x33;
508 }
509 /*if(Demod.state!=DEMOD_ERROR_WAIT) {
510 Demod.state = DEMOD_ERROR_WAIT;
511 Demod.output[Demod.len] = 0xaa;
512 error = 0x01;
513 }*/
514 }
515
516 switch(Demod.state) {
517 case DEMOD_START_OF_COMMUNICATION:
518 if(Demod.sub == SUB_BOTH) {
519 //Demod.state = DEMOD_MANCHESTER_D;
520 Demod.state = DEMOD_START_OF_COMMUNICATION2;
521 Demod.posCount = 1;
522 Demod.sub = SUB_NONE;
523 }
524 else {
525 Demod.output[Demod.len] = 0xab;
526 Demod.state = DEMOD_ERROR_WAIT;
527 error = 0xd2;
528 }
529 break;
530 case DEMOD_START_OF_COMMUNICATION2:
531 if(Demod.sub == SUB_SECOND_HALF) {
532 Demod.state = DEMOD_START_OF_COMMUNICATION3;
533 }
534 else {
535 Demod.output[Demod.len] = 0xab;
536 Demod.state = DEMOD_ERROR_WAIT;
537 error = 0xd3;
538 }
539 break;
540 case DEMOD_START_OF_COMMUNICATION3:
541 if(Demod.sub == SUB_SECOND_HALF) {
542// Demod.state = DEMOD_MANCHESTER_D;
543 Demod.state = DEMOD_SOF_COMPLETE;
544 //Demod.output[Demod.len] = Demod.syncBit & 0xFF;
545 //Demod.len++;
546 }
547 else {
548 Demod.output[Demod.len] = 0xab;
549 Demod.state = DEMOD_ERROR_WAIT;
550 error = 0xd4;
551 }
552 break;
553 case DEMOD_SOF_COMPLETE:
554 case DEMOD_MANCHESTER_D:
555 case DEMOD_MANCHESTER_E:
556 // OPPOSITE FROM ISO14443 - 11110000 = 0 (1 in 14443)
557 // 00001111 = 1 (0 in 14443)
558 if(Demod.sub == SUB_SECOND_HALF) { // SUB_FIRST_HALF
559 Demod.bitCount++;
560 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
561 Demod.state = DEMOD_MANCHESTER_D;
562 }
563 else if(Demod.sub == SUB_FIRST_HALF) { // SUB_SECOND_HALF
564 Demod.bitCount++;
565 Demod.shiftReg >>= 1;
566 Demod.state = DEMOD_MANCHESTER_E;
567 }
568 else if(Demod.sub == SUB_BOTH) {
569 Demod.state = DEMOD_MANCHESTER_F;
570 }
571 else {
572 Demod.state = DEMOD_ERROR_WAIT;
573 error = 0x55;
574 }
575 break;
576
577 case DEMOD_MANCHESTER_F:
578 // Tag response does not need to be a complete byte!
579 if(Demod.len > 0 || Demod.bitCount > 0) {
580 if(Demod.bitCount > 1) { // was > 0, do not interpret last closing bit, is part of EOF
581 Demod.shiftReg >>= (9 - Demod.bitCount);
582 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
583 Demod.len++;
584 // No parity bit, so just shift a 0
585 Demod.parityBits <<= 1;
586 }
587
588 Demod.state = DEMOD_UNSYNCD;
589 return TRUE;
590 }
591 else {
592 Demod.output[Demod.len] = 0xad;
593 Demod.state = DEMOD_ERROR_WAIT;
594 error = 0x03;
595 }
596 break;
597
598 case DEMOD_ERROR_WAIT:
599 Demod.state = DEMOD_UNSYNCD;
600 break;
601
602 default:
603 Demod.output[Demod.len] = 0xdd;
604 Demod.state = DEMOD_UNSYNCD;
605 break;
606 }
607
608 /*if(Demod.bitCount>=9) {
609 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
610 Demod.len++;
611
612 Demod.parityBits <<= 1;
613 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
614
615 Demod.bitCount = 0;
616 Demod.shiftReg = 0;
617 }*/
618 if(Demod.bitCount>=8) {
619 Demod.shiftReg >>= 1;
620 Demod.output[Demod.len] = (Demod.shiftReg & 0xff);
621 Demod.len++;
622
623 // FOR ISO15639 PARITY NOT SEND OTA, JUST CALCULATE IT FOR THE CLIENT
624 Demod.parityBits <<= 1;
625 Demod.parityBits ^= OddByteParity[(Demod.shiftReg & 0xff)];
626
627 Demod.bitCount = 0;
628 Demod.shiftReg = 0;
629 }
630
631 if(error) {
632 Demod.output[Demod.len] = 0xBB;
633 Demod.len++;
634 Demod.output[Demod.len] = error & 0xFF;
635 Demod.len++;
636 Demod.output[Demod.len] = 0xBB;
637 Demod.len++;
638 Demod.output[Demod.len] = bit & 0xFF;
639 Demod.len++;
640 Demod.output[Demod.len] = Demod.buffer & 0xFF;
641 Demod.len++;
642 // Look harder ;-)
643 Demod.output[Demod.len] = Demod.buffer2 & 0xFF;
644 Demod.len++;
645 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
646 Demod.len++;
647 Demod.output[Demod.len] = 0xBB;
648 Demod.len++;
649 return TRUE;
650 }
651
652 }
653
654 } // end (state != UNSYNCED)
655
656 return FALSE;
657}
658
659//=============================================================================
1e262141 660// Finally, a `sniffer' for iClass communication
cee5a30d 661// Both sides of communication!
662//=============================================================================
663
664//-----------------------------------------------------------------------------
665// Record the sequence of commands sent by the reader to the tag, with
666// triggering so that we start recording at the point that the tag is moved
667// near the reader.
668//-----------------------------------------------------------------------------
669void RAMFUNC SnoopIClass(void)
670{
f028213f 671// DEFINED ABOVE
672// #define RECV_CMD_OFFSET 3032
673// #define RECV_RES_OFFSET 3096
674// #define DMA_BUFFER_OFFSET 3160
675// #define DMA_BUFFER_SIZE 4096
676// #define TRACE_SIZE 3000
cee5a30d 677
678 // We won't start recording the frames that we acquire until we trigger;
679 // a good trigger condition to get started is probably when we see a
680 // response from the tag.
9f693930 681 //int triggered = FALSE; // FALSE to wait first for card
cee5a30d 682
683 // The command (reader -> tag) that we're receiving.
684 // The length of a received command will in most cases be no more than 18 bytes.
685 // So 32 should be enough!
f028213f 686 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
cee5a30d 687 // The response (tag -> reader) that we're receiving.
f028213f 688 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
cee5a30d 689
f028213f 690 // As we receive stuff, we copy it from receivedCmd or receivedResponse
691 // into trace, along with its length and other annotations.
692 //uint8_t *trace = (uint8_t *)BigBuf;
693
1e262141 694 // reset traceLen to 0
695 iso14a_set_tracing(TRUE);
d19929cb 696 iso14a_clear_trace();
1e262141 697 iso14a_set_trigger(FALSE);
cee5a30d 698
699 // The DMA buffer, used to stream samples from the FPGA
700 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
701 int lastRxCounter;
702 int8_t *upTo;
703 int smpl;
704 int maxBehindBy = 0;
705
706 // Count of samples received so far, so that we can include timing
707 // information in the trace buffer.
708 int samples = 0;
709 rsamples = 0;
710
f028213f 711 memset(trace, 0x44, RECV_CMD_OFFSET);
712
cee5a30d 713 // Set up the demodulator for tag -> reader responses.
f028213f 714 Demod.output = receivedResponse;
cee5a30d 715 Demod.len = 0;
716 Demod.state = DEMOD_UNSYNCD;
717
718 // Setup for the DMA.
719 FpgaSetupSsc();
720 upTo = dmaBuf;
721 lastRxCounter = DMA_BUFFER_SIZE;
722 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
723
724 // And the reader -> tag commands
725 memset(&Uart, 0, sizeof(Uart));
f028213f 726 Uart.output = receivedCmd;
cee5a30d 727 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
728 Uart.state = STATE_UNSYNCD;
729
730 // And put the FPGA in the appropriate mode
731 // Signal field is off with the appropriate LED
732 LED_D_OFF();
733 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
734 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
735
736 int div = 0;
737 //int div2 = 0;
738 int decbyte = 0;
739 int decbyter = 0;
740
741 // And now we loop, receiving samples.
742 for(;;) {
743 LED_A_ON();
744 WDT_HIT();
745 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
746 (DMA_BUFFER_SIZE-1);
747 if(behindBy > maxBehindBy) {
748 maxBehindBy = behindBy;
749 if(behindBy > 400) {
750 Dbprintf("blew circular buffer! behindBy=0x%x", behindBy);
751 goto done;
752 }
753 }
754 if(behindBy < 1) continue;
755
756 LED_A_OFF();
757 smpl = upTo[0];
758 upTo++;
759 lastRxCounter -= 1;
760 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
761 upTo -= DMA_BUFFER_SIZE;
762 lastRxCounter += DMA_BUFFER_SIZE;
763 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
764 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
765 }
766
767 //samples += 4;
768 samples += 1;
f028213f 769 //div2++;
cee5a30d 770
f028213f 771 //if(div2 > 3) {
772 //div2 = 0;
773 //decbyte ^= ((smpl & 0x01) << (3 - div));
774 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1)) << (3 - div)); // better already...
775 //decbyte ^= (((smpl & 0x01) | ((smpl & 0x02) >> 1) | ((smpl & 0x04) >> 2)) << (3 - div)); // even better...
cee5a30d 776 if(smpl & 0xF) {
777 decbyte ^= (1 << (3 - div));
778 }
f028213f 779 //decbyte ^= (MajorityNibble[(smpl & 0x0F)] << (3 - div));
cee5a30d 780
781 // FOR READER SIDE COMMUMICATION...
f028213f 782 //decbyte ^= ((smpl & 0x10) << (3 - div));
cee5a30d 783 decbyter <<= 2;
784 decbyter ^= (smpl & 0x30);
785
786 div++;
787
788 if((div + 1) % 2 == 0) {
789 smpl = decbyter;
1e262141 790 if(OutOfNDecoding((smpl & 0xF0) >> 4)) {
cee5a30d 791 rsamples = samples - Uart.samples;
792 LED_C_ON();
f028213f 793 //if(triggered) {
794 trace[traceLen++] = ((rsamples >> 0) & 0xff);
795 trace[traceLen++] = ((rsamples >> 8) & 0xff);
796 trace[traceLen++] = ((rsamples >> 16) & 0xff);
797 trace[traceLen++] = ((rsamples >> 24) & 0xff);
798 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff);
799 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff);
800 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff);
801 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff);
802 trace[traceLen++] = Uart.byteCnt;
803 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt);
804 traceLen += Uart.byteCnt;
805 if(traceLen > TRACE_SIZE) break;
806 //}
807 /* And ready to receive another command. */
cee5a30d 808 Uart.state = STATE_UNSYNCD;
809 /* And also reset the demod code, which might have been */
810 /* false-triggered by the commands from the reader. */
811 Demod.state = DEMOD_UNSYNCD;
812 LED_B_OFF();
813 Uart.byteCnt = 0;
814 }
815 decbyter = 0;
816 }
817
818 if(div > 3) {
819 smpl = decbyte;
820 if(ManchesterDecoding(smpl & 0x0F)) {
821 rsamples = samples - Demod.samples;
822 LED_B_ON();
823
f028213f 824 // timestamp, as a count of samples
825 trace[traceLen++] = ((rsamples >> 0) & 0xff);
826 trace[traceLen++] = ((rsamples >> 8) & 0xff);
827 trace[traceLen++] = ((rsamples >> 16) & 0xff);
828 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
829 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
830 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
831 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
832 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
833 // length
834 trace[traceLen++] = Demod.len;
835 memcpy(trace+traceLen, receivedResponse, Demod.len);
836 traceLen += Demod.len;
837 if(traceLen > TRACE_SIZE) break;
838
839 //triggered = TRUE;
cee5a30d 840
841 // And ready to receive another response.
842 memset(&Demod, 0, sizeof(Demod));
f028213f 843 Demod.output = receivedResponse;
cee5a30d 844 Demod.state = DEMOD_UNSYNCD;
845 LED_C_OFF();
846 }
847
848 div = 0;
849 decbyte = 0x00;
850 }
851 //}
852
853 if(BUTTON_PRESS()) {
854 DbpString("cancelled_a");
855 goto done;
856 }
857 }
858
859 DbpString("COMMAND FINISHED");
860
861 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
862 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
863
864done:
865 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
866 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
867 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
868 LED_A_OFF();
869 LED_B_OFF();
1e262141 870 LED_C_OFF();
871 LED_D_OFF();
872}
873
912a3e94 874void rotateCSN(uint8_t* originalCSN, uint8_t* rotatedCSN) {
875 int i;
876 for(i = 0; i < 8; i++) {
877 rotatedCSN[i] = (originalCSN[i] >> 3) | (originalCSN[(i+1)%8] << 5);
1e262141 878 }
879}
880
881//-----------------------------------------------------------------------------
882// Wait for commands from reader
883// Stop when button is pressed
884// Or return TRUE when command is captured
885//-----------------------------------------------------------------------------
886static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
887{
912a3e94 888 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1e262141 889 // only, since we are receiving, not transmitting).
890 // Signal field is off with the appropriate LED
891 LED_D_OFF();
892 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
893
894 // Now run a `software UART' on the stream of incoming samples.
895 Uart.output = received;
896 Uart.byteCntMax = maxLen;
897 Uart.state = STATE_UNSYNCD;
898
899 for(;;) {
900 WDT_HIT();
901
902 if(BUTTON_PRESS()) return FALSE;
903
904 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
905 AT91C_BASE_SSC->SSC_THR = 0x00;
906 }
907 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
908 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
909 /*if(OutOfNDecoding((b & 0xf0) >> 4)) {
910 *len = Uart.byteCnt;
911 return TRUE;
912 }*/
913 if(OutOfNDecoding(b & 0x0f)) {
914 *len = Uart.byteCnt;
915 return TRUE;
916 }
917 }
918 }
919}
920
921
922//-----------------------------------------------------------------------------
923// Prepare tag messages
924//-----------------------------------------------------------------------------
925static void CodeIClassTagAnswer(const uint8_t *cmd, int len)
926{
927 int i;
928
929 ToSendReset();
930
931 // Send SOF
932 ToSend[++ToSendMax] = 0x00;
933 ToSend[++ToSendMax] = 0x00;
934 ToSend[++ToSendMax] = 0x00;
f028213f 935 ToSend[++ToSendMax] = 0xff;
1e262141 936 ToSend[++ToSendMax] = 0xff;
937 ToSend[++ToSendMax] = 0xff;
938 ToSend[++ToSendMax] = 0x00;
939 ToSend[++ToSendMax] = 0xff;
940
941 for(i = 0; i < len; i++) {
942 int j;
943 uint8_t b = cmd[i];
944
945 // Data bits
946 for(j = 0; j < 8; j++) {
947 if(b & 1) {
948 ToSend[++ToSendMax] = 0x00;
949 ToSend[++ToSendMax] = 0xff;
950 } else {
951 ToSend[++ToSendMax] = 0xff;
952 ToSend[++ToSendMax] = 0x00;
953 }
954 b >>= 1;
955 }
956 }
957
958 // Send EOF
959 ToSend[++ToSendMax] = 0xff;
960 ToSend[++ToSendMax] = 0x00;
961 ToSend[++ToSendMax] = 0xff;
962 ToSend[++ToSendMax] = 0xff;
f028213f 963 ToSend[++ToSendMax] = 0xff;
1e262141 964 ToSend[++ToSendMax] = 0x00;
965 ToSend[++ToSendMax] = 0x00;
966 ToSend[++ToSendMax] = 0x00;
967
968 // Convert from last byte pos to length
969 ToSendMax++;
970}
971
972// Only SOF
973static void CodeIClassTagSOF()
974{
81012e67 975 ToSendReset();
f028213f 976
1e262141 977 // Send SOF
978 ToSend[++ToSendMax] = 0x00;
979 ToSend[++ToSendMax] = 0x00;
980 ToSend[++ToSendMax] = 0x00;
981 ToSend[++ToSendMax] = 0xff;
982 ToSend[++ToSendMax] = 0xff;
983 ToSend[++ToSendMax] = 0xff;
984 ToSend[++ToSendMax] = 0x00;
985 ToSend[++ToSendMax] = 0xff;
986
987 // Convert from last byte pos to length
988 ToSendMax++;
989}
ff7bb4ef 990
f028213f 991//-----------------------------------------------------------------------------
992// Simulate iClass Card
993// Only CSN (Card Serial Number)
994//
995//-----------------------------------------------------------------------------
996void SimulateIClass(uint8_t arg0, uint8_t *datain)
ff7bb4ef 997{
f028213f 998 uint8_t simType = arg0;
81012e67 999
f028213f 1000 // Enable and clear the trace
1001 tracing = TRUE;
1002 traceLen = 0;
1003 memset(trace, 0x44, TRACE_SIZE);
81cd0474 1004
1e262141 1005 // CSN followed by two CRC bytes
1e262141 1006 uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
f028213f 1007 uint8_t response3[] = { 0x03, 0x1f, 0xec, 0x8a, 0xf7, 0xff, 0x12, 0xe0, 0x00, 0x00 };
1008
1e262141 1009 // e-Purse
1010 uint8_t response4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1e262141 1011
f028213f 1012 if(simType == 0) {
1013 // Use the CSN from commandline
1014 memcpy(response3, datain, 8);
1015 }
1016
1e262141 1017 // Construct anticollision-CSN
912a3e94 1018 rotateCSN(response3,response2);
1e262141 1019
1020 // Compute CRC on both CSNs
1021 ComputeCrc14443(CRC_ICLASS, response2, 8, &response2[8], &response2[9]);
1022 ComputeCrc14443(CRC_ICLASS, response3, 8, &response3[8], &response3[9]);
1023
1024 // Reader 0a
1025 // Tag 0f
1026 // Reader 0c
1027 // Tag anticoll. CSN
1028 // Reader 81 anticoll. CSN
1029 // Tag CSN
1030
81cd0474 1031 uint8_t *resp;
1032 int respLen;
1033 uint8_t* respdata = NULL;
1034 int respsize = 0;
1035 uint8_t sof = 0x0f;
1e262141 1036
1037 // Respond SOF -- takes 8 bytes
81cd0474 1038 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1e262141 1039 int resp1Len;
1040
1041 // Anticollision CSN (rotated CSN)
1042 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
81cd0474 1043 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 10);
1e262141 1044 int resp2Len;
1045
1046 // CSN
1047 // 176: Takes 16 bytes for SOF/EOF and 10 * 16 = 160 bytes (2 bytes/bit)
81cd0474 1048 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 190);
912a3e94 1049 int resp3Len;
1e262141 1050
1051 // e-Purse
1052 // 144: Takes 16 bytes for SOF/EOF and 8 * 16 = 128 bytes (2 bytes/bit)
81cd0474 1053 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 370);
1e262141 1054 int resp4Len;
1055
1056 // + 1720..
f028213f 1057 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
81cd0474 1058 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1e262141 1059 int len;
1060
1e262141 1061 // Prepare card messages
1062 ToSendMax = 0;
1063
1064 // First card answer: SOF
1065 CodeIClassTagSOF();
1066 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1067
1068 // Anticollision CSN
1069 CodeIClassTagAnswer(response2, sizeof(response2));
1070 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1071
1072 // CSN
1073 CodeIClassTagAnswer(response3, sizeof(response3));
912a3e94 1074 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1e262141 1075
1076 // e-Purse
1077 CodeIClassTagAnswer(response4, sizeof(response4));
1078 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1079
1080 // We need to listen to the high-frequency, peak-detected path.
1081 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1082 FpgaSetupSsc();
1083
1084 // To control where we are in the protocol
1e262141 1085 int cmdsRecvd = 0;
912a3e94 1086
1e262141 1087 LED_A_ON();
f028213f 1088 for(;;) {
1e262141 1089 LED_B_OFF();
1090 if(!GetIClassCommandFromReader(receivedCmd, &len, 100)) {
f028213f 1091 DbpString("button press");
1e262141 1092 break;
81cd0474 1093 }
1e262141 1094
81cd0474 1095 // Okay, look at the command now.
f028213f 1096 if(receivedCmd[0] == 0x0a) {
1e262141 1097 // Reader in anticollission phase
1098 resp = resp1; respLen = resp1Len; //order = 1;
81cd0474 1099 respdata = &sof;
1100 respsize = sizeof(sof);
f028213f 1101 //resp = resp2; respLen = resp2Len; order = 2;
1102 //DbpString("Hello request from reader:");
1e262141 1103 } else if(receivedCmd[0] == 0x0c) {
1104 // Reader asks for anticollission CSN
1105 resp = resp2; respLen = resp2Len; //order = 2;
81cd0474 1106 respdata = response2;
1107 respsize = sizeof(response2);
1e262141 1108 //DbpString("Reader requests anticollission CSN:");
1109 } else if(receivedCmd[0] == 0x81) {
1110 // Reader selects anticollission CSN.
1111 // Tag sends the corresponding real CSN
912a3e94 1112 resp = resp3; respLen = resp3Len; //order = 3;
81cd0474 1113 respdata = response3;
1114 respsize = sizeof(response3);
1e262141 1115 //DbpString("Reader selects anticollission CSN:");
1116 } else if(receivedCmd[0] == 0x88) {
1117 // Read e-purse (88 02)
1118 resp = resp4; respLen = resp4Len; //order = 4;
81cd0474 1119 respdata = response4;
1120 respsize = sizeof(response4);
1e262141 1121 LED_B_ON();
1122 } else if(receivedCmd[0] == 0x05) {
1123 // Reader random and reader MAC!!!
f028213f 1124 // Lets store this ;-)
1125/*
1126 Dbprintf(" CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1127 response3[0], response3[1], response3[2],
1128 response3[3], response3[4], response3[5],
1129 response3[6], response3[7]);
1130*/
1131 Dbprintf("READER AUTH (len=%02d): %02x %02x %02x %02x %02x %02x %02x %02x %02x",
1132 len,
1133 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1134 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1135 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1136
1e262141 1137 // Do not respond
1138 // We do not know what to answer, so lets keep quit
1139 resp = resp1; respLen = 0; //order = 5;
81cd0474 1140 respdata = NULL;
1141 respsize = 0;
1e262141 1142 } else if(receivedCmd[0] == 0x00 && len == 1) {
1143 // Reader ends the session
1144 resp = resp1; respLen = 0; //order = 0;
81cd0474 1145 respdata = NULL;
1146 respsize = 0;
1147 } else {
1e262141 1148 // Never seen this command before
1149 Dbprintf("Unknown command received from reader (len=%d): %x %x %x %x %x %x %x %x %x",
1150 len,
1151 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1152 receivedCmd[3], receivedCmd[4], receivedCmd[5],
1153 receivedCmd[6], receivedCmd[7], receivedCmd[8]);
1154 // Do not respond
1155 resp = resp1; respLen = 0; //order = 0;
81cd0474 1156 respdata = NULL;
1157 respsize = 0;
1e262141 1158 }
1159
f028213f 1160 if(cmdsRecvd > 999) {
1161 DbpString("1000 commands later...");
1162 break;
1e262141 1163 }
1164 else {
1165 cmdsRecvd++;
1166 }
1167
81cd0474 1168 if(respLen > 0) {
1169 SendIClassAnswer(resp, respLen, 21);
1170 }
f028213f 1171
81cd0474 1172 if (tracing) {
f028213f 1173 LogTrace(receivedCmd,len, rsamples, Uart.parityBits, TRUE);
17cba269 1174 if (respdata != NULL) {
f028213f 1175 LogTrace(respdata,respsize, rsamples, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
17cba269 1176 }
f028213f 1177 if(traceLen > TRACE_SIZE) {
81012e67 1178 DbpString("Trace full");
f028213f 1179 break;
81012e67 1180 }
81cd0474 1181 }
f028213f 1182
81cd0474 1183 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
1184 }
1e262141 1185
f028213f 1186 Dbprintf("%x", cmdsRecvd);
1e262141 1187 LED_A_OFF();
1188 LED_B_OFF();
1189}
1190
1191static int SendIClassAnswer(uint8_t *resp, int respLen, int delay)
1192{
f028213f 1193 int i = 0, u = 0, d = 0;
1e262141 1194 uint8_t b = 0;
f028213f 1195 // return 0;
1196 // Modulate Manchester
1197 // FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD424);
1198 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1e262141 1199 AT91C_BASE_SSC->SSC_THR = 0x00;
1200 FpgaSetupSsc();
f028213f 1201
1202 // send cycle
1203 for(;;) {
1204 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1205 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1206 (void)b;
1e262141 1207 }
f028213f 1208 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1e262141 1209 if(d < delay) {
f028213f 1210 b = 0x00;
1e262141 1211 d++;
1212 }
f028213f 1213 else if(i >= respLen) {
1214 b = 0x00;
1215 u++;
1216 } else {
1217 b = resp[i];
1218 u++;
1219 if(u > 1) { i++; u = 0; }
1e262141 1220 }
1221 AT91C_BASE_SSC->SSC_THR = b;
e3dc1e4c 1222
f028213f 1223 if(u > 4) break;
1224 }
1225 if(BUTTON_PRESS()) {
1226 break;
1227 }
1e262141 1228 }
1229
1230 return 0;
1231}
1232
1233/// THE READER CODE
1234
1235//-----------------------------------------------------------------------------
1236// Transmit the command (to the tag) that was placed in ToSend[].
1237//-----------------------------------------------------------------------------
1238static void TransmitIClassCommand(const uint8_t *cmd, int len, int *samples, int *wait)
1239{
1240 int c;
f028213f 1241
1e262141 1242 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1243 AT91C_BASE_SSC->SSC_THR = 0x00;
1244 FpgaSetupSsc();
1245
1246 if (wait)
1247 if(*wait < 10)
1248 *wait = 10;
1249
1250 for(c = 0; c < *wait;) {
1251 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1252 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1253 c++;
1254 }
1255 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1256 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1257 (void)r;
1258 }
1259 WDT_HIT();
1260 }
1261
1262 uint8_t sendbyte;
1263 bool firstpart = TRUE;
1264 c = 0;
1265 for(;;) {
1266 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1267
1268 // DOUBLE THE SAMPLES!
1269 if(firstpart) {
1270 sendbyte = (cmd[c] & 0xf0) | (cmd[c] >> 4);
1271 }
1272 else {
1273 sendbyte = (cmd[c] & 0x0f) | (cmd[c] << 4);
1274 c++;
1275 }
1276 if(sendbyte == 0xff) {
1277 sendbyte = 0xfe;
1278 }
1279 AT91C_BASE_SSC->SSC_THR = sendbyte;
1280 firstpart = !firstpart;
1281
1282 if(c >= len) {
1283 break;
1284 }
1285 }
1286 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1287 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
1288 (void)r;
1289 }
1290 WDT_HIT();
1291 }
1292 if (samples) *samples = (c + *wait) << 3;
1293}
1294
1295
1296//-----------------------------------------------------------------------------
1297// Prepare iClass reader command to send to FPGA
1298//-----------------------------------------------------------------------------
1299void CodeIClassCommand(const uint8_t * cmd, int len)
1300{
1301 int i, j, k;
1302 uint8_t b;
1303
1304 ToSendReset();
1305
1306 // Start of Communication: 1 out of 4
1307 ToSend[++ToSendMax] = 0xf0;
1308 ToSend[++ToSendMax] = 0x00;
1309 ToSend[++ToSendMax] = 0x0f;
1310 ToSend[++ToSendMax] = 0x00;
1311
1312 // Modulate the bytes
1313 for (i = 0; i < len; i++) {
1314 b = cmd[i];
1315 for(j = 0; j < 4; j++) {
1316 for(k = 0; k < 4; k++) {
f028213f 1317 if(k == (b & 3)) {
1318 ToSend[++ToSendMax] = 0x0f;
1319 }
1320 else {
1321 ToSend[++ToSendMax] = 0x00;
1322 }
1e262141 1323 }
1324 b >>= 2;
1325 }
1326 }
1327
1328 // End of Communication
1329 ToSend[++ToSendMax] = 0x00;
1330 ToSend[++ToSendMax] = 0x00;
1331 ToSend[++ToSendMax] = 0xf0;
1332 ToSend[++ToSendMax] = 0x00;
1333
1334 // Convert from last character reference to length
1335 ToSendMax++;
1336}
1337
1338void ReaderTransmitIClass(uint8_t* frame, int len)
1339{
1340 int wait = 0;
1341 int samples = 0;
1342 int par = 0;
1343
1344 // This is tied to other size changes
1345 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
1346 CodeIClassCommand(frame,len);
1347
1348 // Select the card
1349 TransmitIClassCommand(ToSend, ToSendMax, &samples, &wait);
1350 if(trigger)
1351 LED_A_ON();
1352
1353 // Store reader command in buffer
7bc95e2e 1354 if (tracing) LogTrace(frame,len,rsamples,par,TRUE);
1e262141 1355}
1356
1357//-----------------------------------------------------------------------------
1358// Wait a certain time for tag response
1359// If a response is captured return TRUE
1360// If it takes too long return FALSE
1361//-----------------------------------------------------------------------------
1362static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
1363{
1364 // buffer needs to be 512 bytes
1365 int c;
1366
1367 // Set FPGA mode to "reader listen mode", no modulation (listen
1368 // only, since we are receiving, not transmitting).
1369 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1370
1371 // Now get the answer from the card
1372 Demod.output = receivedResponse;
1373 Demod.len = 0;
1374 Demod.state = DEMOD_UNSYNCD;
1375
1376 uint8_t b;
1377 if (elapsed) *elapsed = 0;
1378
1379 bool skip = FALSE;
1380
1381 c = 0;
1382 for(;;) {
1383 WDT_HIT();
1384
1385 if(BUTTON_PRESS()) return FALSE;
1386
1387 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1388 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1389 if (elapsed) (*elapsed)++;
1390 }
1391 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1392 if(c < timeout) { c++; } else { return FALSE; }
1393 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1394 skip = !skip;
1395 if(skip) continue;
1396 /*if(ManchesterDecoding((b>>4) & 0xf)) {
1397 *samples = ((c - 1) << 3) + 4;
1398 return TRUE;
1399 }*/
1400 if(ManchesterDecoding(b & 0x0f)) {
1401 *samples = c << 3;
1402 return TRUE;
1403 }
1404 }
1405 }
1406}
1407
1408int ReaderReceiveIClass(uint8_t* receivedAnswer)
1409{
1410 int samples = 0;
1411 if (!GetIClassAnswer(receivedAnswer,160,&samples,0)) return FALSE;
7bc95e2e 1412 rsamples += samples;
1413 if (tracing) LogTrace(receivedAnswer,Demod.len,rsamples,Demod.parityBits,FALSE);
1e262141 1414 if(samples == 0) return FALSE;
1415 return Demod.len;
1416}
1417
1418// Reader iClass Anticollission
1419void ReaderIClass(uint8_t arg0) {
1e262141 1420 uint8_t act_all[] = { 0x0a };
1421 uint8_t identify[] = { 0x0c };
4ab4336a 1422 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1e262141 1423
1424 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1425
1426 // Reset trace buffer
f028213f 1427 memset(trace, 0x44, RECV_CMD_OFFSET);
1e262141 1428 traceLen = 0;
1429
1430 // Setup SSC
1431 FpgaSetupSsc();
1432 // Start from off (no field generated)
1433 // Signal field is off with the appropriate LED
cee5a30d 1434 LED_D_OFF();
1e262141 1435 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1436 SpinDelay(200);
1437
1438 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1439
1440 // Now give it time to spin up.
1441 // Signal field is on with the appropriate LED
1442 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1443 SpinDelay(200);
1444
1445 LED_A_ON();
1446
1447 for(;;) {
4ab4336a 1448
1449 if(traceLen > TRACE_SIZE) {
1450 DbpString("Trace full");
1451 break;
1452 }
1453
1454 if (BUTTON_PRESS()) break;
1e262141 1455
1456 // Send act_all
1457 ReaderTransmitIClass(act_all, 1);
1458 // Card present?
1459 if(ReaderReceiveIClass(resp)) {
1460 ReaderTransmitIClass(identify, 1);
4ab4336a 1461 if(ReaderReceiveIClass(resp) == 10) {
1462 // Select card
1463 memcpy(&select[1],resp,8);
1464 ReaderTransmitIClass(select, sizeof(select));
1465
1466 if(ReaderReceiveIClass(resp) == 10) {
1467 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1468 resp[0], resp[1], resp[2],
1469 resp[3], resp[4], resp[5],
1470 resp[6], resp[7]);
1471 }
1472 // Card selected, whats next... ;-)
1e262141 1473 }
1474 }
1475 WDT_HIT();
1476 }
1477
1478 LED_A_OFF();
cee5a30d 1479}
1480
f028213f 1481void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) {
1482 uint8_t act_all[] = { 0x0a };
1483 uint8_t identify[] = { 0x0c };
1484 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1485 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1486 uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1487 uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1488
1489 uint16_t crc = 0;
1490 uint8_t cardsize=0;
1491 bool read_success=false;
1492 uint8_t mem=0;
1493
1494 static struct memory_t{
1495 int k16;
1496 int book;
1497 int k2;
1498 int lockauth;
1499 int keyaccess;
1500 } memory;
1501
1502 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1503
1504 // Reset trace buffer
1505 memset(trace, 0x44, RECV_CMD_OFFSET);
1506 traceLen = 0;
1507
1508 // Setup SSC
1509 FpgaSetupSsc();
1510 // Start from off (no field generated)
1511 // Signal field is off with the appropriate LED
1512 LED_D_OFF();
1513 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1514 SpinDelay(200);
1515
1516 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1517
1518 // Now give it time to spin up.
1519 // Signal field is on with the appropriate LED
1520 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1521 SpinDelay(200);
1522
1523 LED_A_ON();
1524
1525 for(int i=0;i<1;i++) {
1526
1527 if(traceLen > TRACE_SIZE) {
1528 DbpString("Trace full");
1529 break;
1530 }
1531
1532 if (BUTTON_PRESS()) break;
1533
1534 // Send act_all
1535 ReaderTransmitIClass(act_all, 1);
1536 // Card present?
1537 if(ReaderReceiveIClass(resp)) {
1538 ReaderTransmitIClass(identify, 1);
1539 if(ReaderReceiveIClass(resp) == 10) {
1540 // Select card
1541 memcpy(&select[1],resp,8);
1542 ReaderTransmitIClass(select, sizeof(select));
1543
1544 if(ReaderReceiveIClass(resp) == 10) {
1545 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1546 resp[0], resp[1], resp[2],
1547 resp[3], resp[4], resp[5],
1548 resp[6], resp[7]);
1549 }
1550 // Card selected
1551 Dbprintf("Readcheck on Sector 2");
1552 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1553 if(ReaderReceiveIClass(resp) == 8) {
1554 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1555 resp[0], resp[1], resp[2],
1556 resp[3], resp[4], resp[5],
1557 resp[6], resp[7]);
1558 }else return;
1559 Dbprintf("Authenticate");
1560 //for now replay captured auth (as cc not updated)
1561 memcpy(check+5,MAC,4);
1562 Dbprintf(" AA: %02x %02x %02x %02x",
1563 check[5], check[6], check[7],check[8]);
1564 ReaderTransmitIClass(check, sizeof(check));
1565 if(ReaderReceiveIClass(resp) == 4) {
1566 Dbprintf(" AR: %02x %02x %02x %02x",
1567 resp[0], resp[1], resp[2],resp[3]);
1568 }else {
1569 Dbprintf("Error: Authentication Fail!");
1570 return;
1571 }
1572 Dbprintf("Dump Contents");
1573 //first get configuration block
1574 read_success=false;
1575 read[1]=1;
1576 uint8_t *blockno=&read[1];
1577 crc = iclass_crc16((char *)blockno,1);
1578 read[2] = crc >> 8;
1579 read[3] = crc & 0xff;
1580 while(!read_success){
1581 ReaderTransmitIClass(read, sizeof(read));
1582 if(ReaderReceiveIClass(resp) == 10) {
1583 read_success=true;
1584 mem=resp[5];
1585 memory.k16= (mem & 0x80);
1586 memory.book= (mem & 0x20);
1587 memory.k2= (mem & 0x8);
1588 memory.lockauth= (mem & 0x2);
1589 memory.keyaccess= (mem & 0x1);
1590
1591 }
1592 }
1593 if (memory.k16){
1594 cardsize=255;
1595 }else cardsize=32;
1596 //then loop around remaining blocks
1597 for(uint8_t j=0; j<cardsize; j++){
1598 read_success=false;
1599 uint8_t *blockno=&j;
1600 //crc_data[0]=j;
1601 read[1]=j;
1602 crc = iclass_crc16((char *)blockno,1);
1603 read[2] = crc >> 8;
1604 read[3] = crc & 0xff;
1605 while(!read_success){
1606 ReaderTransmitIClass(read, sizeof(read));
1607 if(ReaderReceiveIClass(resp) == 10) {
1608 read_success=true;
1609 Dbprintf(" %02x: %02x %02x %02x %02x %02x %02x %02x %02x",
1610 j, resp[0], resp[1], resp[2],
1611 resp[3], resp[4], resp[5],
1612 resp[6], resp[7]);
1613 }
1614 }
1615 }
1616 }
1617 }
1618 WDT_HIT();
1619 }
1620
1621 LED_A_OFF();
1622}
1623
1624//1. Create Method to Read sectors/blocks 0,1,2 and Send to client
1625void IClass_iso14443A_GetPublic(uint8_t arg0) {
1626 uint8_t act_all[] = { 0x0a };
1627 uint8_t identify[] = { 0x0c };
1628 uint8_t select[] = { 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
1629 uint8_t readcheck_cc[]= { 0x88, 0x02 };
1630 //uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 };
1631 uint8_t card_data[24]={0};
1632
1633 //bool read_success=false;
1634 uint8_t* resp = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
1635
1636 // Reset trace buffer
1637 memset(trace, 0x44, RECV_CMD_OFFSET);
1638 traceLen = 0;
1639
1640 // Setup SSC
1641 FpgaSetupSsc();
1642 // Start from off (no field generated)
1643 // Signal field is off with the appropriate LED
1644 LED_D_OFF();
1645 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1646 SpinDelay(200);
1647
1648 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1649
1650 // Now give it time to spin up.
1651 // Signal field is on with the appropriate LED
1652 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1653 SpinDelay(200);
1654
1655 LED_A_ON();
1656
1657 for(int i=0;i<1;i++) {
1658
1659 if(traceLen > TRACE_SIZE) {
1660 DbpString("Trace full");
1661 break;
1662 }
1663
1664 if (BUTTON_PRESS()) break;
1665
1666 // Send act_all
1667 ReaderTransmitIClass(act_all, 1);
1668 // Card present?
1669 if(ReaderReceiveIClass(resp)) {
1670 ReaderTransmitIClass(identify, 1);
1671 if(ReaderReceiveIClass(resp) == 10) {
1672 // Select card
1673 memcpy(&select[1],resp,8);
1674 ReaderTransmitIClass(select, sizeof(select));
1675
1676 if(ReaderReceiveIClass(resp) == 10) {
1677 Dbprintf(" Selected CSN: %02x %02x %02x %02x %02x %02x %02x %02x",
1678 resp[0], resp[1], resp[2],
1679 resp[3], resp[4], resp[5],
1680 resp[6], resp[7]);
1681 }
1682 memcpy(card_data,resp,8);
1683 // Card selected
1684 Dbprintf("Readcheck on Sector 2");
1685 ReaderTransmitIClass(readcheck_cc, sizeof(readcheck_cc));
1686 if(ReaderReceiveIClass(resp) == 8) {
1687 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1688 resp[0], resp[1], resp[2],
1689 resp[3], resp[4], resp[5],
1690 resp[6], resp[7]);
1691 }
1692 memcpy(card_data+8,resp,8);
1693 //prep to read config block
1694 /* read card configuration block
1695 while(!read_success){
1696 uint8_t sector_config=0x01;
1697 memcpy(read+1,&sector_config,1);
1698 ReaderTransmitIClass(read, sizeof(read));
1699 if(ReaderReceiveIClass(resp) == 8) {
1700 Dbprintf(" CC: %02x %02x %02x %02x %02x %02x %02x %02x",
1701 resp[0], resp[1], resp[2],
1702 resp[3], resp[4], resp[5],
1703 resp[6], resp[7]);
1704 read_success=true;
1705 memcpy(card_data+16,resp,8);
1706 }
1707 }*/
1708 }
1709 }
1710 WDT_HIT();
1711 }
1712 //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[0],card_data[1],card_data[2],card_data[3],card_data[4],card_data[5],card_data[6],card_data[7]);
1713 //Dbprintf("DEBUG: %02x%02x%02x%02x%02x%02x%02x%02x",card_data[8],card_data[9],card_data[10],card_data[11],card_data[12],card_data[13],card_data[14],card_data[15]);
1714 LED_A_OFF();
1715 LED_B_ON();
1716 //send data back to the client
1717 cmd_send(CMD_ACK,0,0,0,card_data,16);
1718 LED_B_OFF();
1719}
1720
1721//TODO: Create Write method
912a3e94 1722
Impressum, Datenschutz