]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/appmain.c
ADD: started with a NEDAP demod, read, clone and sim functionality.
[proxmark3-svn] / armsrc / appmain.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
c3c241f3 12#include "usb_cdc.h"
13#include "cmd.h"
c3c241f3 14#include "proxmark3.h"
15c4dc5a 15#include "apps.h"
f7e3ed82 16#include "util.h"
9ab7a6c7 17#include "printf.h"
18#include "string.h"
9ab7a6c7 19#include <stdarg.h>
15c4dc5a 20#include "legicrf.h"
0db11b71 21#include "hitag2.h"
22#include "hitagS.h"
31abe49f 23#include "lfsampling.h"
3000dc4e 24#include "BigBuf.h"
7838f4be 25#include "mifareutil.h"
36804420 26#include "pcf7931.h"
f2c2b174 27
15c4dc5a 28#ifdef WITH_LCD
902cb3c0 29 #include "LCD.h"
15c4dc5a 30#endif
31
7838f4be 32// Craig Young - 14a stand-alone code
33#ifdef WITH_ISO14443a_StandAlone
34 #include "iso14443a.h"
c2731f37 35 #include "protocols.h"
7838f4be 36#endif
37
15c4dc5a 38//=============================================================================
39// A buffer where we can queue things up to be sent through the FPGA, for
40// any purpose (fake tag, as reader, whatever). We go MSB first, since that
41// is the order in which they go out on the wire.
42//=============================================================================
43
6a1f2d82 44#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
a501c82b 45uint8_t ToSend[TOSEND_BUFFER_SIZE];
7838f4be 46int ToSendMax = 0;
15c4dc5a 47static int ToSendBit;
48struct common_area common_area __attribute__((section(".commonarea")));
49
15c4dc5a 50void ToSendReset(void)
51{
52 ToSendMax = -1;
53 ToSendBit = 8;
54}
55
da198be4 56void ToSendStuffBit(int b) {
15c4dc5a 57 if(ToSendBit >= 8) {
da198be4 58 ++ToSendMax;
15c4dc5a 59 ToSend[ToSendMax] = 0;
60 ToSendBit = 0;
61 }
62
da198be4 63 if(b)
15c4dc5a 64 ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
15c4dc5a 65
da198be4 66 ++ToSendBit;
15c4dc5a 67
6a1f2d82 68 if(ToSendMax >= sizeof(ToSend)) {
15c4dc5a 69 ToSendBit = 0;
70 DbpString("ToSendStuffBit overflowed!");
71 }
72}
73
dccddaef 74void PrintToSendBuffer(void){
75 DbpString("Printing ToSendBuffer:");
76 Dbhexdump(ToSendMax, ToSend, 0);
77}
78
15c4dc5a 79//=============================================================================
80// Debug print functions, to go out over USB, to the usual PC-side client.
81//=============================================================================
82
38e41917 83void DbpStringEx(char *str, uint32_t cmd){
84 byte_t len = strlen(str);
85 cmd_send(CMD_DEBUG_PRINT_STRING,len, cmd,0,(byte_t*)str,len);
86}
87
da198be4 88void DbpString(char *str) {
38e41917 89 DbpStringEx(str, 0);
15c4dc5a 90}
91
92#if 0
da198be4 93void DbpIntegers(int x1, int x2, int x3) {
38e41917 94 cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
15c4dc5a 95}
96#endif
38e41917 97void DbprintfEx(uint32_t cmd, const char *fmt, ...) {
98 // should probably limit size here; oh well, let's just use a big buffer
99 char output_string[128] = {0x00};
100 va_list ap;
101
102 va_start(ap, fmt);
103 kvsprintf(fmt, output_string, 10, ap);
104 va_end(ap);
105
106 DbpStringEx(output_string, cmd);
107}
15c4dc5a 108
109void Dbprintf(const char *fmt, ...) {
da198be4 110 // should probably limit size here; oh well, let's just use a big buffer
111 char output_string[128] = {0x00};
15c4dc5a 112 va_list ap;
113
114 va_start(ap, fmt);
115 kvsprintf(fmt, output_string, 10, ap);
116 va_end(ap);
e30c654b 117
15c4dc5a 118 DbpString(output_string);
119}
120
9455b51c 121// prints HEX & ASCII
d19929cb 122void Dbhexdump(int len, uint8_t *d, bool bAsci) {
da198be4 123 int l=0, i;
9455b51c 124 char ascii[9];
d19929cb 125
9455b51c 126 while (len>0) {
da198be4 127
128 l = (len>8) ? 8 : len;
9455b51c 129
130 memcpy(ascii,d,l);
d19929cb 131 ascii[l]=0;
9455b51c 132
133 // filter safe ascii
da198be4 134 for (i=0; i<l; ++i)
9455b51c 135 if (ascii[i]<32 || ascii[i]>126) ascii[i]='.';
d19929cb 136
da198be4 137 if (bAsci)
d19929cb 138 Dbprintf("%-8s %*D",ascii,l,d," ");
da198be4 139 else
d19929cb 140 Dbprintf("%*D",l,d," ");
d19929cb 141
da198be4 142 len -= 8;
143 d += 8;
9455b51c 144 }
145}
146
15c4dc5a 147//-----------------------------------------------------------------------------
148// Read an ADC channel and block till it completes, then return the result
149// in ADC units (0 to 1023). Also a routine to average 32 samples and
150// return that.
151//-----------------------------------------------------------------------------
152static int ReadAdc(int ch)
153{
f7e3ed82 154 uint32_t d;
15c4dc5a 155
156 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
157 AT91C_BASE_ADC->ADC_MR =
3b692427 158 ADC_MODE_PRESCALE(63 /* was 32 */) | // ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
159 ADC_MODE_STARTUP_TIME(1 /* was 16 */) | // Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us Note: must be > 20us
160 ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */); // Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us
161
162 // Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
163 // Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
164 // of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
165 //
166 // The maths are:
167 // If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
168 //
169 // v_cap = v_in * (1 - exp(-RC/SHTIM)) = v_in * (1 - exp(-3)) = v_in * 0,95 (i.e. an error of 5%)
170 //
171 // Note: with the "historic" values in the comments above, the error was 34% !!!
172
15c4dc5a 173 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);
174
175 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
3b692427 176
da198be4 177 while (!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) ;
178
15c4dc5a 179 d = AT91C_BASE_ADC->ADC_CDR[ch];
15c4dc5a 180 return d;
181}
182
9ca155ba 183int AvgAdc(int ch) // was static - merlok
15c4dc5a 184{
185 int i;
186 int a = 0;
187
da198be4 188 for(i = 0; i < 32; ++i)
15c4dc5a 189 a += ReadAdc(ch);
15c4dc5a 190
191 return (a + 15) >> 5;
192}
193
da198be4 194void MeasureAntennaTuning(void) {
d3499d36 195 uint8_t LF_Results[256];
9f693930 196 int i, adcval = 0, peak = 0, peakv = 0, peakf = 0; //ptr = 0
15c4dc5a 197 int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV
198
7838f4be 199 LED_B_ON();
15c4dc5a 200
201/*
202 * Sweeps the useful LF range of the proxmark from
203 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
204 * read the voltage in the antenna, the result left
205 * in the buffer is a graph which should clearly show
206 * the resonating frequency of your LF antenna
207 * ( hopefully around 95 if it is tuned to 125kHz!)
208 */
d19929cb 209
7cc204bf 210 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
b014c96d 211 FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
da198be4 212
d3499d36 213 for (i=255; i>=19; i--) {
da198be4 214 WDT_HIT();
15c4dc5a 215 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, i);
216 SpinDelay(20);
3b692427 217 adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
15c4dc5a 218 if (i==95) vLf125 = adcval; // voltage at 125Khz
219 if (i==89) vLf134 = adcval; // voltage at 134Khz
220
d3499d36 221 LF_Results[i] = adcval>>8; // scale int to fit in byte for graphing purposes
222 if(LF_Results[i] > peak) {
15c4dc5a 223 peakv = adcval;
d3499d36 224 peak = LF_Results[i];
15c4dc5a 225 peakf = i;
9f693930 226 //ptr = i;
15c4dc5a 227 }
228 }
229
d3499d36 230 for (i=18; i >= 0; i--) LF_Results[i] = 0;
231
7838f4be 232 LED_A_ON();
15c4dc5a 233 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
7838f4be 234 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 235 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
236 SpinDelay(20);
3b692427 237 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
15c4dc5a 238
3b692427 239 cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
d19929cb 240 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
da198be4 241
242 LEDsoff();
15c4dc5a 243}
244
da198be4 245void MeasureAntennaTuningHf(void) {
15c4dc5a 246 int vHf = 0; // in mV
3b692427 247 // Let the FPGA drive the high-frequency antenna around 13.56 MHz.
248 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
249 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
250
38e41917 251 while ( !BUTTON_PRESS() ){
15c4dc5a 252 SpinDelay(20);
3b692427 253 vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;
38e41917 254 //Dbprintf("%d mV",vHf);
255 DbprintfEx(CMD_MEASURE_ANTENNA_TUNING_HF, "%d mV",vHf);
15c4dc5a 256 }
3b692427 257 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
38e41917 258 DbpString("cancelled");
15c4dc5a 259}
260
261
da198be4 262void ReadMem(int addr) {
f7e3ed82 263 const uint8_t *data = ((uint8_t *)addr);
15c4dc5a 264
265 Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
266 addr, data[0], data[1], data[2], data[3], data[4], data[5], data[6], data[7]);
267}
268
269/* osimage version information is linked in */
270extern struct version_information version_information;
271/* bootrom version information is pointed to from _bootphase1_version_pointer */
9783989b 272extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
15c4dc5a 273void SendVersion(void)
274{
9783989b 275 char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
276 char VersionString[USB_CMD_DATA_SIZE] = { '\0' };
e30c654b 277
278 /* Try to find the bootrom version information. Expect to find a pointer at
15c4dc5a 279 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
280 * pointer, then use it.
281 */
282 char *bootrom_version = *(char**)&_bootphase1_version_pointer;
da198be4 283
15c4dc5a 284 if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
9783989b 285 strcat(VersionString, "bootrom version information appears invalid\n");
15c4dc5a 286 } else {
287 FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
9783989b 288 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
15c4dc5a 289 }
e30c654b 290
15c4dc5a 291 FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
9783989b 292 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
e30c654b 293
9783989b 294 FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
295 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
da198be4 296
9783989b 297 FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
298 strncat(VersionString, temp, sizeof(VersionString) - strlen(VersionString) - 1);
299
300 // Send Chip ID and used flash memory
301 uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
302 uint32_t compressed_data_section_size = common_area.arg1;
303 cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
15c4dc5a 304}
f62b5e12 305
306// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
307// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
0de8e387 308void printUSBSpeed(void)
f62b5e12 309{
310 Dbprintf("USB Speed:");
0de8e387 311 Dbprintf(" Sending USB packets to client...");
f62b5e12 312
0de8e387 313 #define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
f62b5e12 314 uint8_t *test_data = BigBuf_get_addr();
0de8e387 315 uint32_t end_time;
f62b5e12 316
0de8e387 317 uint32_t start_time = end_time = GetTickCount();
318 uint32_t bytes_transferred = 0;
f62b5e12 319
320 LED_B_ON();
0de8e387 321 while(end_time < start_time + USB_SPEED_TEST_MIN_TIME) {
322 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
323 end_time = GetTickCount();
324 bytes_transferred += USB_CMD_DATA_SIZE;
f62b5e12 325 }
326 LED_B_OFF();
327
0de8e387 328 Dbprintf(" Time elapsed: %dms", end_time - start_time);
329 Dbprintf(" Bytes transferred: %d", bytes_transferred);
330 Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
331 1000 * bytes_transferred / (end_time - start_time));
f62b5e12 332
333}
334
7838f4be 335/**
336 * Prints runtime information about the PM3.
337**/
da198be4 338void SendStatus(void) {
7838f4be 339 BigBuf_print_status();
340 Fpga_print_status();
341 printConfig(); //LF Sampling config
0de8e387 342 printUSBSpeed();
7838f4be 343 Dbprintf("Various");
f62b5e12 344 Dbprintf(" MF_DBGLEVEL........%d", MF_DBGLEVEL);
345 Dbprintf(" ToSendMax..........%d", ToSendMax);
346 Dbprintf(" ToSendBit..........%d", ToSendBit);
347 Dbprintf(" ToSend BUFFERSIZE..%d", TOSEND_BUFFER_SIZE);
348
349 cmd_send(CMD_ACK,1,0,0,0,0);
7838f4be 350}
15c4dc5a 351
7838f4be 352#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
15c4dc5a 353
7838f4be 354#define OPTS 2
7838f4be 355void StandAloneMode()
356{
357 DbpString("Stand-alone mode! No PC necessary.");
15c4dc5a 358 // Oooh pretty -- notify user we're in elite samy mode now
359 LED(LED_RED, 200);
360 LED(LED_ORANGE, 200);
361 LED(LED_GREEN, 200);
362 LED(LED_ORANGE, 200);
363 LED(LED_RED, 200);
364 LED(LED_ORANGE, 200);
365 LED(LED_GREEN, 200);
366 LED(LED_ORANGE, 200);
367 LED(LED_RED, 200);
7838f4be 368}
7838f4be 369#endif
370
7838f4be 371#ifdef WITH_ISO14443a_StandAlone
372void StandAloneMode14a()
373{
374 StandAloneMode();
375 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
376
377 int selected = 0;
0db6ed9a 378 int playing = 0, iGotoRecord = 0, iGotoClone = 0;
7838f4be 379 int cardRead[OPTS] = {0};
380 uint8_t readUID[10] = {0};
381 uint32_t uid_1st[OPTS]={0};
382 uint32_t uid_2nd[OPTS]={0};
0db6ed9a 383 uint32_t uid_tmp1 = 0;
384 uint32_t uid_tmp2 = 0;
385 iso14a_card_select_t hi14a_card[OPTS];
7838f4be 386
c2731f37 387 uint8_t params = (MAGIC_SINGLE | MAGIC_DATAIN);
388
7838f4be 389 LED(selected + 1, 0);
390
391 for (;;)
392 {
393 usb_poll();
394 WDT_HIT();
7838f4be 395 SpinDelay(300);
396
0db6ed9a 397 if (iGotoRecord == 1 || cardRead[selected] == 0)
7838f4be 398 {
0db6ed9a 399 iGotoRecord = 0;
7838f4be 400 LEDsoff();
401 LED(selected + 1, 0);
402 LED(LED_RED2, 0);
403
404 // record
405 Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
7838f4be 406 /* need this delay to prevent catching some weird data */
407 SpinDelay(500);
408 /* Code for reading from 14a tag */
810f5379 409 uint8_t uid[10] = {0};
410 uint32_t cuid = 0;
7838f4be 411 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
412
413 for ( ; ; )
414 {
415 WDT_HIT();
0db6ed9a 416 if (BUTTON_PRESS()) {
417 if (cardRead[selected]) {
418 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
419 break;
420 }
421 else if (cardRead[(selected+1)%OPTS]) {
422 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
423 selected = (selected+1)%OPTS;
424 break; // playing = 1;
425 }
426 else {
427 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
428 SpinDelay(300);
429 }
430 }
c188b1b9 431 if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0))
7838f4be 432 continue;
433 else
434 {
435 Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
436 memcpy(readUID,uid,10*sizeof(uint8_t));
0db6ed9a 437 uint8_t *dst = (uint8_t *)&uid_tmp1;
7838f4be 438 // Set UID byte order
439 for (int i=0; i<4; i++)
440 dst[i] = uid[3-i];
0db6ed9a 441 dst = (uint8_t *)&uid_tmp2;
7838f4be 442 for (int i=0; i<4; i++)
443 dst[i] = uid[7-i];
0db6ed9a 444 if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
445 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
446 }
447 else {
448 if (uid_tmp2) {
449 Dbprintf("Bank[%d] received a 7-byte UID",selected);
450 uid_1st[selected] = (uid_tmp1)>>8;
451 uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
452 }
453 else {
454 Dbprintf("Bank[%d] received a 4-byte UID",selected);
455 uid_1st[selected] = uid_tmp1;
456 uid_2nd[selected] = uid_tmp2;
457 }
7838f4be 458 break;
459 }
460 }
0db6ed9a 461 }
462 Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
463 Dbprintf("SAK = %02X",hi14a_card[selected].sak);
7838f4be 464 LEDsoff();
465 LED(LED_GREEN, 200);
466 LED(LED_ORANGE, 200);
467 LED(LED_GREEN, 200);
468 LED(LED_ORANGE, 200);
469
470 LEDsoff();
471 LED(selected + 1, 0);
7838f4be 472
0db6ed9a 473 // Next state is replay:
474 playing = 1;
7838f4be 475
476 cardRead[selected] = 1;
7838f4be 477 }
0db6ed9a 478 /* MF Classic UID clone */
479 else if (iGotoClone==1)
7838f4be 480 {
0db6ed9a 481 iGotoClone=0;
c2731f37 482 LEDsoff();
483 LED(selected + 1, 0);
484 LED(LED_ORANGE, 250);
7838f4be 485
c2731f37 486 // record
487 Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);
7838f4be 488
c2731f37 489 // wait for button to be released
490 // Delay cloning until card is in place
491 while(BUTTON_PRESS())
492 WDT_HIT();
7838f4be 493
c2731f37 494 Dbprintf("Starting clone. [Bank: %u]", selected);
495 // need this delay to prevent catching some weird data
496 SpinDelay(500);
497 // Begin clone function here:
498 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
499 UsbCommand c = {CMD_MIFARE_CSETBLOCK, {params & (0xFE | (uid == NULL ? 0:1)), blockNo, 0}};
500 memcpy(c.d.asBytes, data, 16);
501 SendCommand(&c);
502
503 Block read is similar:
504 UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, blockNo, 0}};
505 We need to imitate that call with blockNo 0 to set a uid.
506
507 The get and set commands are handled in this file:
508 // Work with "magic Chinese" card
509 case CMD_MIFARE_CSETBLOCK:
510 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
511 break;
512 case CMD_MIFARE_CGETBLOCK:
513 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
514 break;
515
516 mfCSetUID provides example logic for UID set workflow:
517 -Read block0 from card in field with MifareCGetBlock()
518 -Configure new values without replacing reserved bytes
519 memcpy(block0, uid, 4); // Copy UID bytes from byte array
520 // Mifare UID BCC
521 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
522 Bytes 5-7 are reserved SAK and ATQA for mifare classic
523 -Use mfCSetBlock(0, block0, oldUID, wantWipe, MAGIC_SINGLE) to write it
524 */
525 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
526 // arg0 = Flags, arg1=blockNo
527 MifareCGetBlock(params, 0, oldBlock0);
0db6ed9a 528 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
529 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
530 playing = 1;
531 }
532 else {
c2731f37 533 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
534 memcpy(newBlock0,oldBlock0,16);
535 // Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)
536
537 newBlock0[0] = uid_1st[selected]>>24;
538 newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
539 newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
540 newBlock0[3] = 0xFF & (uid_1st[selected]);
541 newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
542
543 // arg0 = workFlags, arg1 = blockNo, datain
544 MifareCSetBlock(params, 0, newBlock0);
545 MifareCGetBlock(params, 0, testBlock0);
546
547 if (memcmp(testBlock0, newBlock0, 16)==0) {
548 DbpString("Cloned successfull!");
549 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
7838f4be 550 playing = 0;
0db6ed9a 551 iGotoRecord = 1;
c2731f37 552 selected = (selected + 1) % OPTS;
553 } else {
0db6ed9a 554 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
555 playing = 1;
556 }
557 }
558 LEDsoff();
559 LED(selected + 1, 0);
7838f4be 560 }
561 // Change where to record (or begin playing)
0db6ed9a 562 else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
7838f4be 563 {
7838f4be 564 LEDsoff();
565 LED(selected + 1, 0);
566
567 // Begin transmitting
568 if (playing)
569 {
570 LED(LED_GREEN, 0);
571 DbpString("Playing");
0db6ed9a 572 for ( ; ; ) {
573 WDT_HIT();
574 int button_action = BUTTON_HELD(1000);
575 if (button_action == 0) { // No button action, proceed with sim
576 uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
577 uint8_t flags = ( uid_2nd[selected] > 0x00 ) ? FLAG_7B_UID_IN_DATA : FLAG_4B_UID_IN_DATA;
578 num_to_bytes(uid_1st[selected], 3, data);
579 num_to_bytes(uid_2nd[selected], 4, data);
580
7838f4be 581 Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
0db6ed9a 582 if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
583 DbpString("Mifare Classic");
584 SimulateIso14443aTag(1, flags, data); // Mifare Classic
585 }
586 else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
587 DbpString("Mifare Ultralight");
588 SimulateIso14443aTag(2, flags, data); // Mifare Ultralight
589 }
590 else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
591 DbpString("Mifare DESFire");
592 SimulateIso14443aTag(3, flags, data); // Mifare DESFire
593 }
594 else {
595 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
596 SimulateIso14443aTag(1, flags, data);
597 }
598 }
599 else if (button_action == BUTTON_SINGLE_CLICK) {
600 selected = (selected + 1) % OPTS;
601 Dbprintf("Done playing. Switching to record mode on bank %d",selected);
602 iGotoRecord = 1;
603 break;
604 }
605 else if (button_action == BUTTON_HOLD) {
606 Dbprintf("Playtime over. Begin cloning...");
607 iGotoClone = 1;
608 break;
7838f4be 609 }
0db6ed9a 610 WDT_HIT();
611 }
7838f4be 612
613 /* We pressed a button so ignore it here with a delay */
614 SpinDelay(300);
7838f4be 615 LEDsoff();
616 LED(selected + 1, 0);
617 }
618 else
619 while(BUTTON_PRESS())
620 WDT_HIT();
621 }
622 }
623}
624#elif WITH_LF
625// samy's sniff and repeat routine
626void SamyRun()
627{
628 StandAloneMode();
629 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
630
631 int high[OPTS], low[OPTS];
15c4dc5a 632 int selected = 0;
633 int playing = 0;
72e930ef 634 int cardRead = 0;
15c4dc5a 635
636 // Turn on selected LED
637 LED(selected + 1, 0);
638
614da335 639 for (;;) {
6e82300d 640 usb_poll();
95e63594 641 WDT_HIT();
15c4dc5a 642
643 // Was our button held down or pressed?
644 int button_pressed = BUTTON_HELD(1000);
645 SpinDelay(300);
646
647 // Button was held for a second, begin recording
72e930ef 648 if (button_pressed > 0 && cardRead == 0)
15c4dc5a 649 {
650 LEDsoff();
651 LED(selected + 1, 0);
652 LED(LED_RED2, 0);
653
654 // record
655 DbpString("Starting recording");
656
657 // wait for button to be released
658 while(BUTTON_PRESS())
659 WDT_HIT();
660
661 /* need this delay to prevent catching some weird data */
662 SpinDelay(500);
663
664 CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
b7536e11 665 Dbprintf("Recorded %x %x %08x", selected, high[selected], low[selected]);
15c4dc5a 666
667 LEDsoff();
668 LED(selected + 1, 0);
669 // Finished recording
15c4dc5a 670 // If we were previously playing, set playing off
671 // so next button push begins playing what we recorded
614da335 672 playing = 0;
673 cardRead = 1;
72e930ef 674 }
614da335 675 else if (button_pressed > 0 && cardRead == 1) {
676 LEDsoff();
677 LED(selected + 1, 0);
678 LED(LED_ORANGE, 0);
72e930ef 679
614da335 680 // record
b7536e11 681 Dbprintf("Cloning %x %x %08x", selected, high[selected], low[selected]);
72e930ef 682
614da335 683 // wait for button to be released
684 while(BUTTON_PRESS())
685 WDT_HIT();
72e930ef 686
614da335 687 /* need this delay to prevent catching some weird data */
688 SpinDelay(500);
72e930ef 689
b7536e11 690 CopyHIDtoT55x7(0, high[selected], low[selected], 0);
691 Dbprintf("Cloned %x %x %08x", selected, high[selected], low[selected]);
72e930ef 692
614da335 693 LEDsoff();
694 LED(selected + 1, 0);
695 // Finished recording
72e930ef 696
614da335 697 // If we were previously playing, set playing off
698 // so next button push begins playing what we recorded
699 playing = 0;
700 cardRead = 0;
15c4dc5a 701 }
702
703 // Change where to record (or begin playing)
614da335 704 else if (button_pressed) {
15c4dc5a 705 // Next option if we were previously playing
706 if (playing)
707 selected = (selected + 1) % OPTS;
708 playing = !playing;
709
710 LEDsoff();
711 LED(selected + 1, 0);
712
713 // Begin transmitting
714 if (playing)
715 {
716 LED(LED_GREEN, 0);
717 DbpString("Playing");
718 // wait for button to be released
719 while(BUTTON_PRESS())
720 WDT_HIT();
0d5ee8e2 721
b7536e11 722 Dbprintf("%x %x %08x", selected, high[selected], low[selected]);
0d5ee8e2 723 CmdHIDsimTAG(high[selected], low[selected], 0);
15c4dc5a 724 DbpString("Done playing");
0d5ee8e2 725
726 if (BUTTON_HELD(1000) > 0) {
15c4dc5a 727 DbpString("Exiting");
728 LEDsoff();
729 return;
0d5ee8e2 730 }
15c4dc5a 731
732 /* We pressed a button so ignore it here with a delay */
733 SpinDelay(300);
734
735 // when done, we're done playing, move to next option
736 selected = (selected + 1) % OPTS;
737 playing = !playing;
738 LEDsoff();
739 LED(selected + 1, 0);
740 }
741 else
742 while(BUTTON_PRESS())
743 WDT_HIT();
744 }
745 }
746}
15c4dc5a 747
7838f4be 748#endif
15c4dc5a 749/*
750OBJECTIVE
751Listen and detect an external reader. Determine the best location
752for the antenna.
753
754INSTRUCTIONS:
755Inside the ListenReaderField() function, there is two mode.
756By default, when you call the function, you will enter mode 1.
757If you press the PM3 button one time, you will enter mode 2.
758If you press the PM3 button a second time, you will exit the function.
759
760DESCRIPTION OF MODE 1:
761This mode just listens for an external reader field and lights up green
762for HF and/or red for LF. This is the original mode of the detectreader
763function.
764
765DESCRIPTION OF MODE 2:
766This mode will visually represent, using the LEDs, the actual strength of the
767current compared to the maximum current detected. Basically, once you know
768what kind of external reader is present, it will help you spot the best location to place
769your antenna. You will probably not get some good results if there is a LF and a HF reader
770at the same place! :-)
771
772LIGHT SCHEME USED:
773*/
774static const char LIGHT_SCHEME[] = {
775 0x0, /* ---- | No field detected */
776 0x1, /* X--- | 14% of maximum current detected */
777 0x2, /* -X-- | 29% of maximum current detected */
778 0x4, /* --X- | 43% of maximum current detected */
779 0x8, /* ---X | 57% of maximum current detected */
780 0xC, /* --XX | 71% of maximum current detected */
781 0xE, /* -XXX | 86% of maximum current detected */
782 0xF, /* XXXX | 100% of maximum current detected */
783};
784static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
785
da198be4 786void ListenReaderField(int limit) {
3b692427 787#define LF_ONLY 1
788#define HF_ONLY 2
789#define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE
790
da198be4 791 int lf_av, lf_av_new, lf_baseline= 0, lf_max;
792 int hf_av, hf_av_new, hf_baseline= 0, hf_max;
793 int mode=1, display_val, display_max, i;
3b692427 794
795 // switch off FPGA - we don't want to measure our own signal
796 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
797 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
15c4dc5a 798
799 LEDsoff();
800
3b692427 801 lf_av = lf_max = AvgAdc(ADC_CHAN_LF);
15c4dc5a 802
803 if(limit != HF_ONLY) {
3b692427 804 Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
15c4dc5a 805 lf_baseline = lf_av;
806 }
807
3b692427 808 hf_av = hf_max = AvgAdc(ADC_CHAN_HF);
15c4dc5a 809
810 if (limit != LF_ONLY) {
3b692427 811 Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
15c4dc5a 812 hf_baseline = hf_av;
813 }
814
815 for(;;) {
816 if (BUTTON_PRESS()) {
817 SpinDelay(500);
818 switch (mode) {
819 case 1:
820 mode=2;
821 DbpString("Signal Strength Mode");
822 break;
823 case 2:
824 default:
825 DbpString("Stopped");
826 LEDsoff();
827 return;
828 break;
829 }
830 }
831 WDT_HIT();
832
833 if (limit != HF_ONLY) {
3b692427 834 if(mode == 1) {
f2c2b174 835 if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
3b692427 836 LED_D_ON();
837 else
838 LED_D_OFF();
15c4dc5a 839 }
e30c654b 840
3b692427 841 lf_av_new = AvgAdc(ADC_CHAN_LF);
15c4dc5a 842 // see if there's a significant change
f2c2b174 843 if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
3b692427 844 Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
15c4dc5a 845 lf_av = lf_av_new;
846 if (lf_av > lf_max)
847 lf_max = lf_av;
15c4dc5a 848 }
849 }
850
851 if (limit != LF_ONLY) {
852 if (mode == 1){
f2c2b174 853 if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
3b692427 854 LED_B_ON();
855 else
856 LED_B_OFF();
15c4dc5a 857 }
e30c654b 858
3b692427 859 hf_av_new = AvgAdc(ADC_CHAN_HF);
15c4dc5a 860 // see if there's a significant change
f2c2b174 861 if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
3b692427 862 Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
15c4dc5a 863 hf_av = hf_av_new;
864 if (hf_av > hf_max)
865 hf_max = hf_av;
15c4dc5a 866 }
867 }
e30c654b 868
15c4dc5a 869 if(mode == 2) {
870 if (limit == LF_ONLY) {
871 display_val = lf_av;
872 display_max = lf_max;
873 } else if (limit == HF_ONLY) {
874 display_val = hf_av;
875 display_max = hf_max;
876 } else { /* Pick one at random */
877 if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
878 display_val = hf_av;
879 display_max = hf_max;
880 } else {
881 display_val = lf_av;
882 display_max = lf_max;
883 }
884 }
885 for (i=0; i<LIGHT_LEN; i++) {
886 if (display_val >= ((display_max/LIGHT_LEN)*i) && display_val <= ((display_max/LIGHT_LEN)*(i+1))) {
887 if (LIGHT_SCHEME[i] & 0x1) LED_C_ON(); else LED_C_OFF();
888 if (LIGHT_SCHEME[i] & 0x2) LED_A_ON(); else LED_A_OFF();
889 if (LIGHT_SCHEME[i] & 0x4) LED_B_ON(); else LED_B_OFF();
890 if (LIGHT_SCHEME[i] & 0x8) LED_D_ON(); else LED_D_OFF();
891 break;
892 }
893 }
894 }
895 }
896}
897
f7e3ed82 898void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 899{
900 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 901
313ee67e 902 //Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
902cb3c0 903
15c4dc5a 904 switch(c->cmd) {
905#ifdef WITH_LF
31abe49f
MHS
906 case CMD_SET_LF_SAMPLING_CONFIG:
907 setSamplingConfig((sample_config *) c->d.asBytes);
908 break;
15c4dc5a 909 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
1c8fbeb9 910 cmd_send(CMD_ACK, SampleLF(c->arg[0]),0,0,0,0);
15c4dc5a 911 break;
15c4dc5a 912 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
913 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
914 break;
b014c96d 915 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 916 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 917 break;
7e67e42f 918 case CMD_HID_DEMOD_FSK:
a501c82b 919 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
7e67e42f 920 break;
921 case CMD_HID_SIM_TAG:
a501c82b 922 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
7e67e42f 923 break;
abd6112f 924 case CMD_FSK_SIM_TAG:
925 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
926 break;
927 case CMD_ASK_SIM_TAG:
928 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
929 break;
872e3d4d 930 case CMD_PSK_SIM_TAG:
931 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
932 break;
a501c82b 933 case CMD_HID_CLONE_TAG:
1c611bbd 934 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
7e67e42f 935 break;
a1f3bb12 936 case CMD_IO_DEMOD_FSK:
a501c82b 937 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 938 break;
a501c82b 939 case CMD_IO_CLONE_TAG:
94422fa2 940 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 941 break;
6ff6ade2 942 case CMD_EM410X_DEMOD:
943 CmdEM410xdemod(c->arg[0], 0, 0, 1);
944 break;
2d4eae76 945 case CMD_EM410X_WRITE_TAG:
946 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
947 break;
7e67e42f 948 case CMD_READ_TI_TYPE:
949 ReadTItag();
950 break;
951 case CMD_WRITE_TI_TYPE:
952 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
953 break;
954 case CMD_SIMULATE_TAG_125K:
74daee24 955 LED_A_ON();
956 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
957 LED_A_OFF();
7e67e42f 958 break;
959 case CMD_LF_SIMULATE_BIDIR:
960 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
961 break;
a501c82b 962 case CMD_INDALA_CLONE_TAG:
2414f978 963 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
964 break;
a501c82b 965 case CMD_INDALA_CLONE_TAG_L:
2414f978 966 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
967 break;
1c611bbd 968 case CMD_T55XX_READ_BLOCK:
9276e859 969 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 970 break;
971 case CMD_T55XX_WRITE_BLOCK:
972 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
973 break;
9276e859 974 case CMD_T55XX_WAKEUP:
975 T55xxWakeUp(c->arg[0]);
976 break;
94422fa2 977 case CMD_T55XX_RESET_READ:
978 T55xxResetRead();
979 break;
a501c82b 980 case CMD_PCF7931_READ:
1c611bbd 981 ReadPCF7931();
1c611bbd 982 break;
e98572a1 983 case CMD_PCF7931_WRITE:
ac2df346 984 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
e98572a1 985 break;
1c611bbd 986 case CMD_EM4X_READ_WORD:
987 EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
988 break;
989 case CMD_EM4X_WRITE_WORD:
990 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
991 break;
db25599d 992 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
993 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
70459879 994 break;
0de8e387 995 case CMD_VIKING_CLONE_TAG:
a126332a 996 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
0de8e387 997 break;
15c4dc5a 998#endif
999
d19929cb 1000#ifdef WITH_HITAG
1001 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1002 SnoopHitag(c->arg[0]);
1003 break;
1004 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1005 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1006 break;
1007 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1008 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1009 break;
0db11b71 1010 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1011 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1012 break;
1013 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1014 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1015 break;
6fc68747 1016 case CMD_READ_HITAG_S: //Reader for only Hitag S tags, args = key or challenge
0db11b71 1017 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1018 break;
6fc68747 1019 case CMD_WR_HITAG_S: //writer for Hitag tags args=data to write,page and key or challenge
0db11b71 1020 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1021 break;
d19929cb 1022#endif
f168b263 1023
15c4dc5a 1024#ifdef WITH_ISO15693
1025 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1026 AcquireRawAdcSamplesIso15693();
1027 break;
9455b51c 1028 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1029 RecordRawAdcSamplesIso15693();
1030 break;
1031
1032 case CMD_ISO_15693_COMMAND:
1033 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1034 break;
1035
1036 case CMD_ISO_15693_FIND_AFI:
1037 BruteforceIso15693Afi(c->arg[0]);
1038 break;
1039
1040 case CMD_ISO_15693_DEBUG:
1041 SetDebugIso15693(c->arg[0]);
1042 break;
15c4dc5a 1043
15c4dc5a 1044 case CMD_READER_ISO_15693:
1045 ReaderIso15693(c->arg[0]);
1046 break;
7e67e42f 1047 case CMD_SIMTAG_ISO_15693:
3649b640 1048 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1049 break;
15c4dc5a 1050#endif
1051
7e67e42f 1052#ifdef WITH_LEGICRF
1053 case CMD_SIMULATE_TAG_LEGIC_RF:
1054 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1055 break;
3612a8a8 1056
7e67e42f 1057 case CMD_WRITER_LEGIC_RF:
1058 LegicRfWriter(c->arg[1], c->arg[0]);
1059 break;
3612a8a8 1060
15c4dc5a 1061 case CMD_READER_LEGIC_RF:
1062 LegicRfReader(c->arg[0], c->arg[1]);
1063 break;
15c4dc5a 1064#endif
1065
1066#ifdef WITH_ISO14443b
6fc68747 1067 case CMD_READ_SRI_TAG:
1068 ReadSTMemoryIso14443b(c->arg[0]);
7e67e42f 1069 break;
22e24700 1070 case CMD_SNOOP_ISO_14443B:
abb21530 1071 SnoopIso14443b();
7e67e42f 1072 break;
22e24700 1073 case CMD_SIMULATE_TAG_ISO_14443B:
dccddaef 1074 SimulateIso14443bTag(c->arg[0]);
7e67e42f 1075 break;
7cf3ef20 1076 case CMD_ISO_14443B_COMMAND:
6fc68747 1077 //SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1078 SendRawCommand14443B_Ex(c);
7cf3ef20 1079 break;
15c4dc5a 1080#endif
1081
1082#ifdef WITH_ISO14443a
7e67e42f 1083 case CMD_SNOOP_ISO_14443a:
4d2e4eea 1084 SniffIso14443a(c->arg[0]);
7e67e42f 1085 break;
15c4dc5a 1086 case CMD_READER_ISO_14443a:
902cb3c0 1087 ReaderIso14443a(c);
15c4dc5a 1088 break;
7e67e42f 1089 case CMD_SIMULATE_TAG_ISO_14443a:
0db6ed9a 1090 SimulateIso14443aTag(c->arg[0], c->arg[1], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1091 break;
5acd09bd 1092 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1093 EPA_PACE_Collect_Nonce(c);
5acd09bd 1094 break;
d0f3338e 1095 case CMD_EPA_PACE_REPLAY:
1096 EPA_PACE_Replay(c);
1097 break;
15c4dc5a 1098 case CMD_READER_MIFARE:
810f5379 1099 ReaderMifare(c->arg[0], c->arg[1]);
15c4dc5a 1100 break;
20f9a2a1
M
1101 case CMD_MIFARE_READBL:
1102 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1103 break;
981bd429 1104 case CMD_MIFAREU_READBL:
aa60d156 1105 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1106 break;
4d2e4eea 1107 case CMD_MIFAREUC_AUTH:
1108 MifareUC_Auth(c->arg[0],c->d.asBytes);
f38a1528 1109 break;
981bd429 1110 case CMD_MIFAREU_READCARD:
74daee24 1111 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1112 break;
aa60d156 1113 case CMD_MIFAREUC_SETPWD:
1114 MifareUSetPwd(c->arg[0], c->d.asBytes);
117d9ec2 1115 break;
20f9a2a1
M
1116 case CMD_MIFARE_READSC:
1117 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1118 break;
1119 case CMD_MIFARE_WRITEBL:
1120 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1121 break;
95aeb706 1122 //case CMD_MIFAREU_WRITEBL_COMPAT:
1123 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1124 //break;
981bd429 1125 case CMD_MIFAREU_WRITEBL:
95aeb706 1126 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
aa60d156 1127 break;
c188b1b9 1128 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1129 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1130 break;
20f9a2a1
M
1131 case CMD_MIFARE_NESTED:
1132 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M
1133 break;
1134 case CMD_MIFARE_CHKKEYS:
1135 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M
1136 break;
1137 case CMD_SIMULATE_MIFARE_CARD:
1138 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1139 break;
8556b852
M
1140
1141 // emulator
1142 case CMD_MIFARE_SET_DBGMODE:
1143 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1144 break;
1145 case CMD_MIFARE_EML_MEMCLR:
1146 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1147 break;
1148 case CMD_MIFARE_EML_MEMSET:
1149 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1150 break;
1151 case CMD_MIFARE_EML_MEMGET:
1152 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1153 break;
1154 case CMD_MIFARE_EML_CARDLOAD:
1155 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M
1156 break;
1157
1158 // Work with "magic Chinese" card
d52e4e88 1159 case CMD_MIFARE_CSETBLOCK:
c2731f37 1160 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
545a1f38 1161 break;
d52e4e88 1162 case CMD_MIFARE_CGETBLOCK:
c2731f37 1163 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
8556b852 1164 break;
d52e4e88 1165 case CMD_MIFARE_CIDENT:
1166 MifareCIdent();
1167 break;
b62a5a84
M
1168
1169 // mifare sniffer
1170 case CMD_MIFARE_SNIFFER:
5cd9ec01 1171 SniffMifare(c->arg[0]);
b62a5a84 1172 break;
313ee67e 1173
aa60d156 1174 //mifare desfire
1175 case CMD_MIFARE_DESFIRE_READBL: break;
1176 case CMD_MIFARE_DESFIRE_WRITEBL: break;
1177 case CMD_MIFARE_DESFIRE_AUTH1:
1178 MifareDES_Auth1(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1179 break;
1180 case CMD_MIFARE_DESFIRE_AUTH2:
1181 //MifareDES_Auth2(c->arg[0],c->d.asBytes);
1182 break;
1183 case CMD_MIFARE_DES_READER:
1184 //readermifaredes(c->arg[0], c->arg[1], c->d.asBytes);
1185 break;
1186 case CMD_MIFARE_DESFIRE_INFO:
1187 MifareDesfireGetInformation();
1188 break;
1189 case CMD_MIFARE_DESFIRE:
1190 MifareSendCommand(c->arg[0], c->arg[1], c->d.asBytes);
1191 break;
1192
add0504d 1193 case CMD_MIFARE_COLLECT_NONCES:
add0504d 1194 break;
20f9a2a1 1195#endif
810f5379 1196#ifdef WITH_EMV
1197 case CMD_EMV_TRANSACTION:
1198 EMVTransaction();
1199 break;
1200 case CMD_EMV_GET_RANDOM_NUM:
1201 //EMVgetUDOL();
1202 break;
1203 case CMD_EMV_LOAD_VALUE:
1204 EMVloadvalue(c->arg[0], c->d.asBytes);
1205 break;
1206 case CMD_EMV_DUMP_CARD:
1207 EMVdumpcard();
1208#endif
7e67e42f 1209#ifdef WITH_ICLASS
cee5a30d 1210 // Makes use of ISO14443a FPGA Firmware
1211 case CMD_SNOOP_ICLASS:
1212 SnoopIClass();
1213 break;
1e262141 1214 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1215 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1216 break;
1217 case CMD_READER_ICLASS:
1218 ReaderIClass(c->arg[0]);
1219 break;
f38a1528 1220 case CMD_READER_ICLASS_REPLAY:
f62b5e12 1221 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
f38a1528 1222 break;
e80aeb96
MHS
1223 case CMD_ICLASS_EML_MEMSET:
1224 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1225 break;
e98572a1 1226 case CMD_ICLASS_WRITEBLOCK:
1227 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1228 break;
1229 case CMD_ICLASS_READCHECK: // auth step 1
1230 iClass_ReadCheck(c->arg[0], c->arg[1]);
1231 break;
1232 case CMD_ICLASS_READBLOCK:
1233 iClass_ReadBlk(c->arg[0]);
1234 break;
1235 case CMD_ICLASS_AUTHENTICATION: //check
1236 iClass_Authentication(c->d.asBytes);
1237 break;
1238 case CMD_ICLASS_DUMP:
1239 iClass_Dump(c->arg[0], c->arg[1]);
1240 break;
1241 case CMD_ICLASS_CLONE:
1242 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
1243 break;
cee5a30d 1244#endif
1d0ccbe0 1245#ifdef WITH_HFSNOOP
1246 case CMD_HF_SNIFFER:
1247 HfSnoop(c->arg[0], c->arg[1]);
1248 break;
1249#endif
cee5a30d 1250
7e67e42f 1251 case CMD_BUFF_CLEAR:
117d9ec2 1252 BigBuf_Clear();
15c4dc5a 1253 break;
15c4dc5a 1254
1255 case CMD_MEASURE_ANTENNA_TUNING:
1256 MeasureAntennaTuning();
1257 break;
1258
1259 case CMD_MEASURE_ANTENNA_TUNING_HF:
1260 MeasureAntennaTuningHf();
1261 break;
1262
1263 case CMD_LISTEN_READER_FIELD:
1264 ListenReaderField(c->arg[0]);
1265 break;
1266
15c4dc5a 1267 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1268 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1269 SpinDelay(200);
1270 LED_D_OFF(); // LED D indicates field ON or OFF
1271 break;
1272
aaa1a9a2 1273 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: {
1c611bbd 1274 LED_B_ON();
117d9ec2 1275 uint8_t *BigBuf = BigBuf_get_addr();
0de8e387 1276 size_t len = 0;
1c611bbd 1277 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
0de8e387 1278 len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1279 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1280 }
1281 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1282 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1283 LED_B_OFF();
1c611bbd 1284 break;
aaa1a9a2 1285 }
15c4dc5a 1286 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
117d9ec2 1287 uint8_t *b = BigBuf_get_addr();
aaa1a9a2 1288 memcpy( b + c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1289 cmd_send(CMD_ACK,0,0,0,0,0);
1290 break;
aaa1a9a2 1291 }
1292 case CMD_DOWNLOAD_EML_BIGBUF: {
1293 LED_B_ON();
1294 uint8_t *cardmem = BigBuf_get_EM_addr();
1295 size_t len = 0;
1296 for(size_t i=0; i < c->arg[1]; i += USB_CMD_DATA_SIZE) {
1297 len = MIN((c->arg[1] - i), USB_CMD_DATA_SIZE);
1298 cmd_send(CMD_DOWNLOADED_EML_BIGBUF, i, len, CARD_MEMORY_SIZE, cardmem + c->arg[0] + i, len);
1299 }
1300 // Trigger a finish downloading signal with an ACK frame
1301 cmd_send(CMD_ACK, 1, 0, CARD_MEMORY_SIZE, 0, 0);
1302 LED_B_OFF();
1303 break;
1304 }
15c4dc5a 1305 case CMD_READ_MEM:
1306 ReadMem(c->arg[0]);
1307 break;
1308
1309 case CMD_SET_LF_DIVISOR:
7cc204bf 1310 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1311 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1312 break;
1313
1314 case CMD_SET_ADC_MUX:
1315 switch(c->arg[0]) {
1316 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1317 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1318 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1319 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1320 }
1321 break;
1322
1323 case CMD_VERSION:
1324 SendVersion();
1325 break;
7838f4be 1326 case CMD_STATUS:
0de8e387 1327 SendStatus();
7838f4be 1328 break;
1329 case CMD_PING:
1330 cmd_send(CMD_ACK,0,0,0,0,0);
1331 break;
15c4dc5a 1332#ifdef WITH_LCD
1333 case CMD_LCD_RESET:
1334 LCDReset();
1335 break;
1336 case CMD_LCD:
1337 LCDSend(c->arg[0]);
1338 break;
1339#endif
1340 case CMD_SETUP_WRITE:
1341 case CMD_FINISH_WRITE:
1c611bbd 1342 case CMD_HARDWARE_RESET:
1343 usb_disable();
f62b5e12 1344 SpinDelay(2000);
15c4dc5a 1345 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1346 for(;;) {
1347 // We're going to reset, and the bootrom will take control.
1348 }
1c611bbd 1349 break;
15c4dc5a 1350
1c611bbd 1351 case CMD_START_FLASH:
15c4dc5a 1352 if(common_area.flags.bootrom_present) {
1353 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1354 }
1c611bbd 1355 usb_disable();
15c4dc5a 1356 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1357 for(;;);
1c611bbd 1358 break;
e30c654b 1359
15c4dc5a 1360 case CMD_DEVICE_INFO: {
902cb3c0 1361 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1362 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1363 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1364 break;
1365 }
1366 default:
15c4dc5a 1367 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1368 break;
15c4dc5a 1369 }
1370}
1371
1372void __attribute__((noreturn)) AppMain(void)
1373{
1374 SpinDelay(100);
9e8255d4 1375 clear_trace();
15c4dc5a 1376 if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
1377 /* Initialize common area */
1378 memset(&common_area, 0, sizeof(common_area));
1379 common_area.magic = COMMON_AREA_MAGIC;
1380 common_area.version = 1;
1381 }
1382 common_area.flags.osimage_present = 1;
1383
1384 LED_D_OFF();
1385 LED_C_OFF();
1386 LED_B_OFF();
1387 LED_A_OFF();
1388
b44e5233 1389 // Init USB device
313ee67e 1390 usb_enable();
15c4dc5a 1391
1392 // The FPGA gets its clock from us from PCK0 output, so set that up.
1393 AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
1394 AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
1395 AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
1396 // PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
1397 AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
1d0ccbe0 1398 AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
15c4dc5a 1399 AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;
1400
1401 // Reset SPI
1402 AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
1403 // Reset SSC
1404 AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;
1405
1406 // Load the FPGA image, which we have stored in our flash.
7cc204bf 1407 // (the HF version by default)
1408 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
15c4dc5a 1409
9ca155ba 1410 StartTickCount();
902cb3c0 1411
15c4dc5a 1412#ifdef WITH_LCD
15c4dc5a 1413 LCDInit();
15c4dc5a 1414#endif
1415
f62b5e12 1416 byte_t rx[sizeof(UsbCommand)];
902cb3c0 1417 size_t rx_len;
1418
15c4dc5a 1419 for(;;) {
313ee67e 1420 if (usb_poll()) {
1421 rx_len = usb_read(rx,sizeof(UsbCommand));
da198be4 1422 if (rx_len)
313ee67e 1423 UsbPacketReceived(rx,rx_len);
313ee67e 1424 }
15c4dc5a 1425 WDT_HIT();
1426
1427#ifdef WITH_LF
7838f4be 1428#ifndef WITH_ISO14443a_StandAlone
15c4dc5a 1429 if (BUTTON_HELD(1000) > 0)
1430 SamyRun();
7838f4be 1431#endif
1432#endif
1433#ifdef WITH_ISO14443a
1434#ifdef WITH_ISO14443a_StandAlone
1435 if (BUTTON_HELD(1000) > 0)
1436 StandAloneMode14a();
1437#endif
15c4dc5a 1438#endif
1439 }
1440}
Impressum, Datenschutz