]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
Moved script libraries into lualibs/folder, and added a patch to include the folder...
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
b62a5a84 2// Merlok - June 2011, 2012
15c4dc5a 3// Gerhard de Koning Gans - May 2008
534983d7 4// Hagen Fritsch - June 2010
bd20f8f4 5//
6// This code is licensed to you under the terms of the GNU GPL, version 2 or,
7// at your option, any later version. See the LICENSE.txt file for the text of
8// the license.
15c4dc5a 9//-----------------------------------------------------------------------------
bd20f8f4 10// Routines to support ISO 14443 type A.
11//-----------------------------------------------------------------------------
12
e30c654b 13#include "proxmark3.h"
15c4dc5a 14#include "apps.h"
f7e3ed82 15#include "util.h"
9ab7a6c7 16#include "string.h"
902cb3c0 17#include "cmd.h"
9ab7a6c7 18
15c4dc5a 19#include "iso14443crc.h"
534983d7 20#include "iso14443a.h"
20f9a2a1
M
21#include "crapto1.h"
22#include "mifareutil.h"
15c4dc5a 23
534983d7 24static uint32_t iso14a_timeout;
d19929cb 25uint8_t *trace = (uint8_t *) BigBuf+TRACE_OFFSET;
1e262141 26int traceLen = 0;
27int rsamples = 0;
28int tracing = TRUE;
29uint8_t trigger = 0;
b0127e65 30// the block number for the ISO14443-4 PCB
31static uint8_t iso14_pcb_blocknum = 0;
15c4dc5a 32
8f51ddb0 33// CARD TO READER - manchester
72934aa3 34// Sequence D: 11110000 modulation with subcarrier during first half
35// Sequence E: 00001111 modulation with subcarrier during second half
36// Sequence F: 00000000 no modulation with subcarrier
8f51ddb0 37// READER TO CARD - miller
72934aa3 38// Sequence X: 00001100 drop after half a period
39// Sequence Y: 00000000 no drop
40// Sequence Z: 11000000 drop at start
41#define SEC_D 0xf0
42#define SEC_E 0x0f
43#define SEC_F 0x00
44#define SEC_X 0x0c
45#define SEC_Y 0x00
46#define SEC_Z 0xc0
15c4dc5a 47
1e262141 48const uint8_t OddByteParity[256] = {
15c4dc5a 49 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
50 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
51 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
52 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
53 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
54 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
55 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
56 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
57 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
58 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
59 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
60 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
61 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
62 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
63 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
64 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
65};
66
1e262141 67
902cb3c0 68void iso14a_set_trigger(bool enable) {
534983d7 69 trigger = enable;
70}
71
902cb3c0 72void iso14a_clear_trace() {
73 memset(trace, 0x44, TRACE_SIZE);
8556b852
M
74 traceLen = 0;
75}
d19929cb 76
902cb3c0 77void iso14a_set_tracing(bool enable) {
8556b852
M
78 tracing = enable;
79}
d19929cb 80
b0127e65 81void iso14a_set_timeout(uint32_t timeout) {
82 iso14a_timeout = timeout;
83}
8556b852 84
15c4dc5a 85//-----------------------------------------------------------------------------
86// Generate the parity value for a byte sequence
e30c654b 87//
15c4dc5a 88//-----------------------------------------------------------------------------
20f9a2a1
M
89byte_t oddparity (const byte_t bt)
90{
5f6d6c90 91 return OddByteParity[bt];
20f9a2a1
M
92}
93
f7e3ed82 94uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 95{
5f6d6c90 96 int i;
97 uint32_t dwPar = 0;
72934aa3 98
5f6d6c90 99 // Generate the encrypted data
100 for (i = 0; i < iLen; i++) {
101 // Save the encrypted parity bit
102 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
103 }
104 return dwPar;
15c4dc5a 105}
106
534983d7 107void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 108{
5f6d6c90 109 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
15c4dc5a 110}
111
1e262141 112// The function LogTrace() is also used by the iClass implementation in iClass.c
5cd9ec01 113int RAMFUNC LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 114{
115 // Return when trace is full
81cd0474 116 if (traceLen >= TRACE_SIZE) return FALSE;
e30c654b 117
15c4dc5a 118 // Trace the random, i'm curious
119 rsamples += iSamples;
120 trace[traceLen++] = ((rsamples >> 0) & 0xff);
121 trace[traceLen++] = ((rsamples >> 8) & 0xff);
122 trace[traceLen++] = ((rsamples >> 16) & 0xff);
123 trace[traceLen++] = ((rsamples >> 24) & 0xff);
124 if (!bReader) {
125 trace[traceLen - 1] |= 0x80;
126 }
127 trace[traceLen++] = ((dwParity >> 0) & 0xff);
128 trace[traceLen++] = ((dwParity >> 8) & 0xff);
129 trace[traceLen++] = ((dwParity >> 16) & 0xff);
130 trace[traceLen++] = ((dwParity >> 24) & 0xff);
131 trace[traceLen++] = iLen;
132 memcpy(trace + traceLen, btBytes, iLen);
133 traceLen += iLen;
134 return TRUE;
135}
136
15c4dc5a 137//-----------------------------------------------------------------------------
138// The software UART that receives commands from the reader, and its state
139// variables.
140//-----------------------------------------------------------------------------
b62a5a84 141static tUart Uart;
15c4dc5a 142
6c1e2d95 143static RAMFUNC int MillerDecoding(int bit)
15c4dc5a 144{
9f693930 145 //int error = 0;
15c4dc5a 146 int bitright;
147
148 if(!Uart.bitBuffer) {
149 Uart.bitBuffer = bit ^ 0xFF0;
150 return FALSE;
151 }
152 else {
153 Uart.bitBuffer <<= 4;
154 Uart.bitBuffer ^= bit;
155 }
156
f7e3ed82 157 int EOC = FALSE;
15c4dc5a 158
159 if(Uart.state != STATE_UNSYNCD) {
160 Uart.posCnt++;
161
162 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
163 bit = 0x00;
164 }
165 else {
166 bit = 0x01;
167 }
168 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
169 bitright = 0x00;
170 }
171 else {
172 bitright = 0x01;
173 }
174 if(bit != bitright) { bit = bitright; }
175
176 if(Uart.posCnt == 1) {
177 // measurement first half bitperiod
178 if(!bit) {
179 Uart.drop = DROP_FIRST_HALF;
180 }
181 }
182 else {
183 // measurement second half bitperiod
184 if(!bit & (Uart.drop == DROP_NONE)) {
185 Uart.drop = DROP_SECOND_HALF;
186 }
187 else if(!bit) {
188 // measured a drop in first and second half
189 // which should not be possible
190 Uart.state = STATE_ERROR_WAIT;
9f693930 191 //error = 0x01;
15c4dc5a 192 }
193
194 Uart.posCnt = 0;
195
196 switch(Uart.state) {
197 case STATE_START_OF_COMMUNICATION:
198 Uart.shiftReg = 0;
199 if(Uart.drop == DROP_SECOND_HALF) {
200 // error, should not happen in SOC
201 Uart.state = STATE_ERROR_WAIT;
9f693930 202 //error = 0x02;
15c4dc5a 203 }
204 else {
205 // correct SOC
206 Uart.state = STATE_MILLER_Z;
207 }
208 break;
209
210 case STATE_MILLER_Z:
211 Uart.bitCnt++;
212 Uart.shiftReg >>= 1;
213 if(Uart.drop == DROP_NONE) {
214 // logic '0' followed by sequence Y
215 // end of communication
216 Uart.state = STATE_UNSYNCD;
217 EOC = TRUE;
218 }
219 // if(Uart.drop == DROP_FIRST_HALF) {
220 // Uart.state = STATE_MILLER_Z; stay the same
221 // we see a logic '0' }
222 if(Uart.drop == DROP_SECOND_HALF) {
223 // we see a logic '1'
224 Uart.shiftReg |= 0x100;
225 Uart.state = STATE_MILLER_X;
226 }
227 break;
228
229 case STATE_MILLER_X:
230 Uart.shiftReg >>= 1;
231 if(Uart.drop == DROP_NONE) {
232 // sequence Y, we see a '0'
233 Uart.state = STATE_MILLER_Y;
234 Uart.bitCnt++;
235 }
236 if(Uart.drop == DROP_FIRST_HALF) {
237 // Would be STATE_MILLER_Z
238 // but Z does not follow X, so error
239 Uart.state = STATE_ERROR_WAIT;
9f693930 240 //error = 0x03;
15c4dc5a 241 }
242 if(Uart.drop == DROP_SECOND_HALF) {
243 // We see a '1' and stay in state X
244 Uart.shiftReg |= 0x100;
245 Uart.bitCnt++;
246 }
247 break;
248
249 case STATE_MILLER_Y:
250 Uart.bitCnt++;
251 Uart.shiftReg >>= 1;
252 if(Uart.drop == DROP_NONE) {
253 // logic '0' followed by sequence Y
254 // end of communication
255 Uart.state = STATE_UNSYNCD;
256 EOC = TRUE;
257 }
258 if(Uart.drop == DROP_FIRST_HALF) {
259 // we see a '0'
260 Uart.state = STATE_MILLER_Z;
261 }
262 if(Uart.drop == DROP_SECOND_HALF) {
263 // We see a '1' and go to state X
264 Uart.shiftReg |= 0x100;
265 Uart.state = STATE_MILLER_X;
266 }
267 break;
268
269 case STATE_ERROR_WAIT:
270 // That went wrong. Now wait for at least two bit periods
271 // and try to sync again
272 if(Uart.drop == DROP_NONE) {
273 Uart.highCnt = 6;
274 Uart.state = STATE_UNSYNCD;
275 }
276 break;
277
278 default:
279 Uart.state = STATE_UNSYNCD;
280 Uart.highCnt = 0;
281 break;
282 }
283
284 Uart.drop = DROP_NONE;
285
286 // should have received at least one whole byte...
287 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
288 return TRUE;
289 }
290
291 if(Uart.bitCnt == 9) {
292 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
293 Uart.byteCnt++;
294
295 Uart.parityBits <<= 1;
296 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
297
298 if(EOC) {
299 // when End of Communication received and
300 // all data bits processed..
301 return TRUE;
302 }
303 Uart.bitCnt = 0;
304 }
305
306 /*if(error) {
307 Uart.output[Uart.byteCnt] = 0xAA;
308 Uart.byteCnt++;
309 Uart.output[Uart.byteCnt] = error & 0xFF;
310 Uart.byteCnt++;
311 Uart.output[Uart.byteCnt] = 0xAA;
312 Uart.byteCnt++;
313 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
314 Uart.byteCnt++;
315 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
316 Uart.byteCnt++;
317 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
318 Uart.byteCnt++;
319 Uart.output[Uart.byteCnt] = 0xAA;
320 Uart.byteCnt++;
321 return TRUE;
322 }*/
323 }
324
325 }
326 else {
327 bit = Uart.bitBuffer & 0xf0;
328 bit >>= 4;
329 bit ^= 0x0F;
330 if(bit) {
331 // should have been high or at least (4 * 128) / fc
332 // according to ISO this should be at least (9 * 128 + 20) / fc
333 if(Uart.highCnt == 8) {
334 // we went low, so this could be start of communication
335 // it turns out to be safer to choose a less significant
336 // syncbit... so we check whether the neighbour also represents the drop
337 Uart.posCnt = 1; // apparently we are busy with our first half bit period
338 Uart.syncBit = bit & 8;
339 Uart.samples = 3;
340 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
341 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
342 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
343 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
344 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
2f2d9fc5 345 if(Uart.syncBit && (Uart.bitBuffer & 8)) {
15c4dc5a 346 Uart.syncBit = 8;
347
348 // the first half bit period is expected in next sample
349 Uart.posCnt = 0;
350 Uart.samples = 3;
351 }
352 }
353 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
354
355 Uart.syncBit <<= 4;
356 Uart.state = STATE_START_OF_COMMUNICATION;
357 Uart.drop = DROP_FIRST_HALF;
358 Uart.bitCnt = 0;
359 Uart.byteCnt = 0;
360 Uart.parityBits = 0;
9f693930 361 //error = 0;
15c4dc5a 362 }
363 else {
364 Uart.highCnt = 0;
365 }
366 }
367 else {
368 if(Uart.highCnt < 8) {
369 Uart.highCnt++;
370 }
371 }
372 }
373
374 return FALSE;
375}
376
377//=============================================================================
378// ISO 14443 Type A - Manchester
379//=============================================================================
b62a5a84 380static tDemod Demod;
15c4dc5a 381
6c1e2d95 382static RAMFUNC int ManchesterDecoding(int v)
15c4dc5a 383{
384 int bit;
385 int modulation;
9f693930 386 //int error = 0;
15c4dc5a 387
388 if(!Demod.buff) {
389 Demod.buff = 1;
390 Demod.buffer = v;
391 return FALSE;
392 }
393 else {
394 bit = Demod.buffer;
395 Demod.buffer = v;
396 }
397
398 if(Demod.state==DEMOD_UNSYNCD) {
399 Demod.output[Demod.len] = 0xfa;
400 Demod.syncBit = 0;
401 //Demod.samples = 0;
402 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
2f2d9fc5 403
404 if(bit & 0x08) {
405 Demod.syncBit = 0x08;
15c4dc5a 406 }
15c4dc5a 407
2f2d9fc5 408 if(bit & 0x04) {
409 if(Demod.syncBit) {
410 bit <<= 4;
411 }
412 Demod.syncBit = 0x04;
413 }
15c4dc5a 414
2f2d9fc5 415 if(bit & 0x02) {
416 if(Demod.syncBit) {
417 bit <<= 2;
15c4dc5a 418 }
2f2d9fc5 419 Demod.syncBit = 0x02;
15c4dc5a 420 }
15c4dc5a 421
593924e7 422 if(bit & 0x01 && Demod.syncBit) {
2f2d9fc5 423 Demod.syncBit = 0x01;
424 }
425
15c4dc5a 426 if(Demod.syncBit) {
427 Demod.len = 0;
428 Demod.state = DEMOD_START_OF_COMMUNICATION;
429 Demod.sub = SUB_FIRST_HALF;
430 Demod.bitCount = 0;
431 Demod.shiftReg = 0;
432 Demod.parityBits = 0;
433 Demod.samples = 0;
434 if(Demod.posCount) {
534983d7 435 if(trigger) LED_A_OFF();
15c4dc5a 436 switch(Demod.syncBit) {
437 case 0x08: Demod.samples = 3; break;
438 case 0x04: Demod.samples = 2; break;
439 case 0x02: Demod.samples = 1; break;
440 case 0x01: Demod.samples = 0; break;
441 }
442 }
9f693930 443 //error = 0;
15c4dc5a 444 }
445 }
446 else {
447 //modulation = bit & Demod.syncBit;
448 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
449
450 Demod.samples += 4;
451
452 if(Demod.posCount==0) {
453 Demod.posCount = 1;
454 if(modulation) {
455 Demod.sub = SUB_FIRST_HALF;
456 }
457 else {
458 Demod.sub = SUB_NONE;
459 }
460 }
461 else {
462 Demod.posCount = 0;
463 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
464 if(Demod.state!=DEMOD_ERROR_WAIT) {
465 Demod.state = DEMOD_ERROR_WAIT;
466 Demod.output[Demod.len] = 0xaa;
9f693930 467 //error = 0x01;
15c4dc5a 468 }
469 }
470 else if(modulation) {
471 Demod.sub = SUB_SECOND_HALF;
472 }
473
474 switch(Demod.state) {
475 case DEMOD_START_OF_COMMUNICATION:
476 if(Demod.sub == SUB_FIRST_HALF) {
477 Demod.state = DEMOD_MANCHESTER_D;
478 }
479 else {
480 Demod.output[Demod.len] = 0xab;
481 Demod.state = DEMOD_ERROR_WAIT;
9f693930 482 //error = 0x02;
15c4dc5a 483 }
484 break;
485
486 case DEMOD_MANCHESTER_D:
487 case DEMOD_MANCHESTER_E:
488 if(Demod.sub == SUB_FIRST_HALF) {
489 Demod.bitCount++;
490 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
491 Demod.state = DEMOD_MANCHESTER_D;
492 }
493 else if(Demod.sub == SUB_SECOND_HALF) {
494 Demod.bitCount++;
495 Demod.shiftReg >>= 1;
496 Demod.state = DEMOD_MANCHESTER_E;
497 }
498 else {
499 Demod.state = DEMOD_MANCHESTER_F;
500 }
501 break;
502
503 case DEMOD_MANCHESTER_F:
504 // Tag response does not need to be a complete byte!
505 if(Demod.len > 0 || Demod.bitCount > 0) {
506 if(Demod.bitCount > 0) {
507 Demod.shiftReg >>= (9 - Demod.bitCount);
508 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
509 Demod.len++;
510 // No parity bit, so just shift a 0
511 Demod.parityBits <<= 1;
512 }
513
514 Demod.state = DEMOD_UNSYNCD;
515 return TRUE;
516 }
517 else {
518 Demod.output[Demod.len] = 0xad;
519 Demod.state = DEMOD_ERROR_WAIT;
9f693930 520 //error = 0x03;
15c4dc5a 521 }
522 break;
523
524 case DEMOD_ERROR_WAIT:
525 Demod.state = DEMOD_UNSYNCD;
526 break;
527
528 default:
529 Demod.output[Demod.len] = 0xdd;
530 Demod.state = DEMOD_UNSYNCD;
531 break;
532 }
533
534 if(Demod.bitCount>=9) {
535 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
536 Demod.len++;
537
538 Demod.parityBits <<= 1;
539 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
540
541 Demod.bitCount = 0;
542 Demod.shiftReg = 0;
543 }
544
545 /*if(error) {
546 Demod.output[Demod.len] = 0xBB;
547 Demod.len++;
548 Demod.output[Demod.len] = error & 0xFF;
549 Demod.len++;
550 Demod.output[Demod.len] = 0xBB;
551 Demod.len++;
552 Demod.output[Demod.len] = bit & 0xFF;
553 Demod.len++;
554 Demod.output[Demod.len] = Demod.buffer & 0xFF;
555 Demod.len++;
556 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
557 Demod.len++;
558 Demod.output[Demod.len] = 0xBB;
559 Demod.len++;
560 return TRUE;
561 }*/
562
563 }
564
565 } // end (state != UNSYNCED)
566
567 return FALSE;
568}
569
570//=============================================================================
571// Finally, a `sniffer' for ISO 14443 Type A
572// Both sides of communication!
573//=============================================================================
574
575//-----------------------------------------------------------------------------
576// Record the sequence of commands sent by the reader to the tag, with
577// triggering so that we start recording at the point that the tag is moved
578// near the reader.
579//-----------------------------------------------------------------------------
5cd9ec01
M
580void RAMFUNC SnoopIso14443a(uint8_t param) {
581 // param:
582 // bit 0 - trigger from first card answer
583 // bit 1 - trigger from first reader 7-bit request
584
585 LEDsoff();
586 // init trace buffer
5f6d6c90 587 iso14a_clear_trace();
5cd9ec01
M
588
589 // We won't start recording the frames that we acquire until we trigger;
590 // a good trigger condition to get started is probably when we see a
591 // response from the tag.
592 // triggered == FALSE -- to wait first for card
593 int triggered = !(param & 0x03);
594
595 // The command (reader -> tag) that we're receiving.
15c4dc5a 596 // The length of a received command will in most cases be no more than 18 bytes.
597 // So 32 should be enough!
5cd9ec01
M
598 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
599 // The response (tag -> reader) that we're receiving.
600 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 601
5cd9ec01
M
602 // As we receive stuff, we copy it from receivedCmd or receivedResponse
603 // into trace, along with its length and other annotations.
604 //uint8_t *trace = (uint8_t *)BigBuf;
605
606 // The DMA buffer, used to stream samples from the FPGA
607 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
608 int8_t *data = dmaBuf;
609 int maxDataLen = 0;
610 int dataLen = 0;
15c4dc5a 611
5cd9ec01
M
612 // Set up the demodulator for tag -> reader responses.
613 Demod.output = receivedResponse;
614 Demod.len = 0;
615 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 616
5cd9ec01
M
617 // Set up the demodulator for the reader -> tag commands
618 memset(&Uart, 0, sizeof(Uart));
619 Uart.output = receivedCmd;
620 Uart.byteCntMax = 32; // was 100 (greg)//////////////////
621 Uart.state = STATE_UNSYNCD;
15c4dc5a 622
5cd9ec01
M
623 // Setup for the DMA.
624 FpgaSetupSsc();
625 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 626
5cd9ec01
M
627 // And put the FPGA in the appropriate mode
628 // Signal field is off with the appropriate LED
629 LED_D_OFF();
630 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
631 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
7e758047 632
5cd9ec01
M
633 // Count of samples received so far, so that we can include timing
634 // information in the trace buffer.
635 rsamples = 0;
636 // And now we loop, receiving samples.
637 while(true) {
638 if(BUTTON_PRESS()) {
639 DbpString("cancelled by button");
640 goto done;
641 }
15c4dc5a 642
5cd9ec01
M
643 LED_A_ON();
644 WDT_HIT();
15c4dc5a 645
5cd9ec01
M
646 int register readBufDataP = data - dmaBuf;
647 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
648 if (readBufDataP <= dmaBufDataP){
649 dataLen = dmaBufDataP - readBufDataP;
650 } else {
651 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP + 1;
652 }
653 // test for length of buffer
654 if(dataLen > maxDataLen) {
655 maxDataLen = dataLen;
656 if(dataLen > 400) {
657 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
658 goto done;
659 }
660 }
661 if(dataLen < 1) continue;
662
663 // primary buffer was stopped( <-- we lost data!
664 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
665 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
666 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
5cd9ec01
M
667 }
668 // secondary buffer sets as primary, secondary buffer was stopped
669 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
670 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
671 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
672 }
673
674 LED_A_OFF();
675
676 rsamples += 4;
677 if(MillerDecoding((data[0] & 0xF0) >> 4)) {
678 LED_C_ON();
679
680 // check - if there is a short 7bit request from reader
681 if ((!triggered) && (param & 0x02) && (Uart.byteCnt == 1) && (Uart.bitCnt = 9)) triggered = TRUE;
682
683 if(triggered) {
684 if (!LogTrace(receivedCmd, Uart.byteCnt, 0 - Uart.samples, Uart.parityBits, TRUE)) break;
685 }
686 /* And ready to receive another command. */
687 Uart.state = STATE_UNSYNCD;
688 /* And also reset the demod code, which might have been */
689 /* false-triggered by the commands from the reader. */
690 Demod.state = DEMOD_UNSYNCD;
691 LED_B_OFF();
692 }
693
694 if(ManchesterDecoding(data[0] & 0x0F)) {
695 LED_B_ON();
696
697 if (!LogTrace(receivedResponse, Demod.len, 0 - Demod.samples, Demod.parityBits, FALSE)) break;
698
699 if ((!triggered) && (param & 0x01)) triggered = TRUE;
700
701 // And ready to receive another response.
702 memset(&Demod, 0, sizeof(Demod));
703 Demod.output = receivedResponse;
704 Demod.state = DEMOD_UNSYNCD;
705 LED_C_OFF();
706 }
707
708 data++;
709 if(data > dmaBuf + DMA_BUFFER_SIZE) {
710 data = dmaBuf;
711 }
712 } // main cycle
713
714 DbpString("COMMAND FINISHED");
15c4dc5a 715
15c4dc5a 716done:
5cd9ec01
M
717 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
718 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x", maxDataLen, Uart.state, Uart.byteCnt);
719 Dbprintf("Uart.byteCntMax=%x, traceLen=%x, Uart.output[0]=%08x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
720 LEDsoff();
15c4dc5a 721}
722
15c4dc5a 723//-----------------------------------------------------------------------------
724// Prepare tag messages
725//-----------------------------------------------------------------------------
8f51ddb0 726static void CodeIso14443aAsTagPar(const uint8_t *cmd, int len, uint32_t dwParity)
15c4dc5a 727{
8f51ddb0 728 int i;
15c4dc5a 729
8f51ddb0 730 ToSendReset();
15c4dc5a 731
732 // Correction bit, might be removed when not needed
733 ToSendStuffBit(0);
734 ToSendStuffBit(0);
735 ToSendStuffBit(0);
736 ToSendStuffBit(0);
737 ToSendStuffBit(1); // 1
738 ToSendStuffBit(0);
739 ToSendStuffBit(0);
740 ToSendStuffBit(0);
8f51ddb0 741
15c4dc5a 742 // Send startbit
72934aa3 743 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 744
8f51ddb0
M
745 for(i = 0; i < len; i++) {
746 int j;
747 uint8_t b = cmd[i];
15c4dc5a 748
749 // Data bits
15c4dc5a 750 for(j = 0; j < 8; j++) {
15c4dc5a 751 if(b & 1) {
72934aa3 752 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 753 } else {
72934aa3 754 ToSend[++ToSendMax] = SEC_E;
8f51ddb0
M
755 }
756 b >>= 1;
757 }
15c4dc5a 758
0014cb46 759 // Get the parity bit
8f51ddb0
M
760 if ((dwParity >> i) & 0x01) {
761 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 762 } else {
72934aa3 763 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 764 }
8f51ddb0 765 }
15c4dc5a 766
8f51ddb0
M
767 // Send stopbit
768 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 769
8f51ddb0
M
770 // Convert from last byte pos to length
771 ToSendMax++;
8f51ddb0
M
772}
773
774static void CodeIso14443aAsTag(const uint8_t *cmd, int len){
775 CodeIso14443aAsTagPar(cmd, len, GetParity(cmd, len));
15c4dc5a 776}
777
778//-----------------------------------------------------------------------------
779// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
780//-----------------------------------------------------------------------------
8f51ddb0 781static void CodeStrangeAnswerAsTag()
15c4dc5a 782{
783 int i;
784
5f6d6c90 785 ToSendReset();
15c4dc5a 786
787 // Correction bit, might be removed when not needed
788 ToSendStuffBit(0);
789 ToSendStuffBit(0);
790 ToSendStuffBit(0);
791 ToSendStuffBit(0);
792 ToSendStuffBit(1); // 1
793 ToSendStuffBit(0);
794 ToSendStuffBit(0);
795 ToSendStuffBit(0);
796
797 // Send startbit
72934aa3 798 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 799
800 // 0
72934aa3 801 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 802
803 // 0
72934aa3 804 ToSend[++ToSendMax] = SEC_E;
15c4dc5a 805
806 // 1
72934aa3 807 ToSend[++ToSendMax] = SEC_D;
15c4dc5a 808
5f6d6c90 809 // Send stopbit
72934aa3 810 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 811
812 // Flush the buffer in FPGA!!
813 for(i = 0; i < 5; i++) {
72934aa3 814 ToSend[++ToSendMax] = SEC_F;
15c4dc5a 815 }
816
5f6d6c90 817 // Convert from last byte pos to length
818 ToSendMax++;
8f51ddb0 819}
15c4dc5a 820
8f51ddb0
M
821static void Code4bitAnswerAsTag(uint8_t cmd)
822{
823 int i;
824
5f6d6c90 825 ToSendReset();
8f51ddb0
M
826
827 // Correction bit, might be removed when not needed
828 ToSendStuffBit(0);
829 ToSendStuffBit(0);
830 ToSendStuffBit(0);
831 ToSendStuffBit(0);
832 ToSendStuffBit(1); // 1
833 ToSendStuffBit(0);
834 ToSendStuffBit(0);
835 ToSendStuffBit(0);
836
837 // Send startbit
838 ToSend[++ToSendMax] = SEC_D;
839
840 uint8_t b = cmd;
841 for(i = 0; i < 4; i++) {
842 if(b & 1) {
843 ToSend[++ToSendMax] = SEC_D;
844 } else {
845 ToSend[++ToSendMax] = SEC_E;
846 }
847 b >>= 1;
848 }
849
850 // Send stopbit
851 ToSend[++ToSendMax] = SEC_F;
852
853 // Flush the buffer in FPGA!!
854 for(i = 0; i < 5; i++) {
855 ToSend[++ToSendMax] = SEC_F;
856 }
857
5f6d6c90 858 // Convert from last byte pos to length
859 ToSendMax++;
15c4dc5a 860}
861
862//-----------------------------------------------------------------------------
863// Wait for commands from reader
864// Stop when button is pressed
865// Or return TRUE when command is captured
866//-----------------------------------------------------------------------------
f7e3ed82 867static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 868{
869 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
870 // only, since we are receiving, not transmitting).
871 // Signal field is off with the appropriate LED
872 LED_D_OFF();
873 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
874
875 // Now run a `software UART' on the stream of incoming samples.
876 Uart.output = received;
877 Uart.byteCntMax = maxLen;
878 Uart.state = STATE_UNSYNCD;
879
880 for(;;) {
881 WDT_HIT();
882
883 if(BUTTON_PRESS()) return FALSE;
884
885 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
886 AT91C_BASE_SSC->SSC_THR = 0x00;
887 }
888 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 889 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 890 if(MillerDecoding((b & 0xf0) >> 4)) {
891 *len = Uart.byteCnt;
892 return TRUE;
893 }
894 if(MillerDecoding(b & 0x0f)) {
895 *len = Uart.byteCnt;
896 return TRUE;
897 }
898 }
899 }
900}
28afbd2b 901
9ca155ba 902static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded);
28afbd2b 903int EmSend4bitEx(uint8_t resp, int correctionNeeded);
904int EmSend4bit(uint8_t resp);
905int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par);
906int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par);
907int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded);
908int EmSendCmd(uint8_t *resp, int respLen);
909int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par);
15c4dc5a 910
911//-----------------------------------------------------------------------------
912// Main loop of simulated tag: receive commands from reader, decide what
913// response to send, and send it.
914//-----------------------------------------------------------------------------
28afbd2b 915void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
15c4dc5a 916{
5f6d6c90 917 // Enable and clear the trace
81cd0474 918 tracing = TRUE;
5f6d6c90 919 iso14a_clear_trace();
81cd0474 920
15c4dc5a 921 // This function contains the tag emulation
81cd0474 922 uint8_t sak;
923
924 // The first response contains the ATQA (note: bytes are transmitted in reverse order).
925 uint8_t response1[2];
926
927 switch (tagType) {
928 case 1: { // MIFARE Classic
929 // Says: I am Mifare 1k - original line
930 response1[0] = 0x04;
931 response1[1] = 0x00;
932 sak = 0x08;
933 } break;
934 case 2: { // MIFARE Ultralight
935 // Says: I am a stupid memory tag, no crypto
936 response1[0] = 0x04;
937 response1[1] = 0x00;
938 sak = 0x00;
939 } break;
940 case 3: { // MIFARE DESFire
941 // Says: I am a DESFire tag, ph33r me
942 response1[0] = 0x04;
943 response1[1] = 0x03;
944 sak = 0x20;
945 } break;
946 case 4: { // ISO/IEC 14443-4
947 // Says: I am a javacard (JCOP)
948 response1[0] = 0x04;
949 response1[1] = 0x00;
950 sak = 0x28;
951 } break;
952 default: {
953 Dbprintf("Error: unkown tagtype (%d)",tagType);
954 return;
955 } break;
956 }
957
958 // The second response contains the (mandatory) first 24 bits of the UID
959 uint8_t response2[5];
960
961 // Check if the uid uses the (optional) part
962 uint8_t response2a[5];
963 if (uid_2nd) {
964 response2[0] = 0x88;
965 num_to_bytes(uid_1st,3,response2+1);
966 num_to_bytes(uid_2nd,4,response2a);
967 response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
968
969 // Configure the ATQA and SAK accordingly
970 response1[0] |= 0x40;
971 sak |= 0x04;
972 } else {
973 num_to_bytes(uid_1st,4,response2);
974 // Configure the ATQA and SAK accordingly
975 response1[0] &= 0xBF;
976 sak &= 0xFB;
977 }
978
979 // Calculate the BitCountCheck (BCC) for the first 4 bytes of the UID.
980 response2[4] = response2[0] ^ response2[1] ^ response2[2] ^ response2[3];
981
982 // Prepare the mandatory SAK (for 4 and 7 byte UID)
983 uint8_t response3[3];
984 response3[0] = sak;
985 ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
986
987 // Prepare the optional second SAK (for 7 byte UID), drop the cascade bit
988 uint8_t response3a[3];
989 response3a[0] = sak & 0xFB;
990 ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
991
254b70a4 992 uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
993 uint8_t response6[] = { 0x03, 0x3B, 0x00, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS
994 ComputeCrc14443(CRC_14443_A, response6, 3, &response6[3], &response6[4]);
81cd0474 995
3803d529 996 uint8_t *resp = NULL;
254b70a4 997 int respLen;
15c4dc5a 998
5f6d6c90 999 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
15c4dc5a 1000 // This will need
1001 // 144 data bits (18 * 8)
1002 // 18 parity bits
1003 // 2 Start and stop
1004 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1005 // 1 just for the case
1006 // ----------- +
1007 // 166
1008 //
1009 // 166 bytes, since every bit that needs to be send costs us a byte
1010 //
1011
254b70a4 1012 // Respond with card type
1013 uint8_t *resp1 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1014 int resp1Len;
15c4dc5a 1015
254b70a4 1016 // Anticollision cascade1 - respond with uid
1017 uint8_t *resp2 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + 166);
1018 int resp2Len;
15c4dc5a 1019
254b70a4 1020 // Anticollision cascade2 - respond with 2nd half of uid if asked
1021 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
1022 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
1023 int resp2aLen;
15c4dc5a 1024
254b70a4 1025 // Acknowledge select - cascade 1
1026 uint8_t *resp3 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*2));
1027 int resp3Len;
15c4dc5a 1028
254b70a4 1029 // Acknowledge select - cascade 2
1030 uint8_t *resp3a = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*3));
1031 int resp3aLen;
15c4dc5a 1032
254b70a4 1033 // Response to a read request - not implemented atm
1034 uint8_t *resp4 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*4));
28afbd2b 1035// int resp4Len;
15c4dc5a 1036
254b70a4 1037 // Authenticate response - nonce
1038 uint8_t *resp5 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*5));
1039 int resp5Len;
15c4dc5a 1040
254b70a4 1041 // Authenticate response - nonce
1042 uint8_t *resp6 = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET + (166*6));
1043 int resp6Len;
15c4dc5a 1044
254b70a4 1045 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
1046 int len;
15c4dc5a 1047
1048 // To control where we are in the protocol
1049 int order = 0;
1050 int lastorder;
1051
1052 // Just to allow some checks
1053 int happened = 0;
1054 int happened2 = 0;
1055
81cd0474 1056 int cmdsRecvd = 0;
1057 uint8_t* respdata = NULL;
1058 int respsize = 0;
28afbd2b 1059// uint8_t nack = 0x04;
15c4dc5a 1060
81cd0474 1061 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
15c4dc5a 1062
1063 // Prepare the responses of the anticollision phase
1064 // there will be not enough time to do this at the moment the reader sends it REQA
1065
1066 // Answer to request
1067 CodeIso14443aAsTag(response1, sizeof(response1));
254b70a4 1068 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
15c4dc5a 1069
1070 // Send our UID (cascade 1)
1071 CodeIso14443aAsTag(response2, sizeof(response2));
254b70a4 1072 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
15c4dc5a 1073
1074 // Answer to select (cascade1)
1075 CodeIso14443aAsTag(response3, sizeof(response3));
254b70a4 1076 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
15c4dc5a 1077
1078 // Send the cascade 2 2nd part of the uid
1079 CodeIso14443aAsTag(response2a, sizeof(response2a));
254b70a4 1080 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
15c4dc5a 1081
1082 // Answer to select (cascade 2)
1083 CodeIso14443aAsTag(response3a, sizeof(response3a));
254b70a4 1084 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
15c4dc5a 1085
1086 // Strange answer is an example of rare message size (3 bits)
8f51ddb0 1087 CodeStrangeAnswerAsTag();
28afbd2b 1088 memcpy(resp4, ToSend, ToSendMax);// resp4Len = ToSendMax;
15c4dc5a 1089
1090 // Authentication answer (random nonce)
1091 CodeIso14443aAsTag(response5, sizeof(response5));
254b70a4 1092 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
15c4dc5a 1093
254b70a4 1094 // dummy ATS (pseudo-ATR), answer to RATS
1095 CodeIso14443aAsTag(response6, sizeof(response6));
1096 memcpy(resp6, ToSend, ToSendMax); resp6Len = ToSendMax;
15c4dc5a 1097
254b70a4 1098 // We need to listen to the high-frequency, peak-detected path.
1099 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1100 FpgaSetupSsc();
15c4dc5a 1101
254b70a4 1102 cmdsRecvd = 0;
15c4dc5a 1103
254b70a4 1104 LED_A_ON();
1105 for(;;) {
1106
81cd0474 1107 if(!GetIso14443aCommandFromReader(receivedCmd, &len, RECV_CMD_SIZE)) {
254b70a4 1108 DbpString("button press");
1109 break;
1110 }
28afbd2b 1111
5f6d6c90 1112 if (tracing) {
28afbd2b 1113 LogTrace(receivedCmd,len, 0, Uart.parityBits, TRUE);
5f6d6c90 1114 }
28afbd2b 1115
254b70a4 1116 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1117 // Okay, look at the command now.
1118 lastorder = order;
1119 if(receivedCmd[0] == 0x26) { // Received a REQUEST
15c4dc5a 1120 resp = resp1; respLen = resp1Len; order = 1;
81cd0474 1121 respdata = response1;
1122 respsize = sizeof(response1);
254b70a4 1123 } else if(receivedCmd[0] == 0x52) { // Received a WAKEUP
15c4dc5a 1124 resp = resp1; respLen = resp1Len; order = 6;
81cd0474 1125 respdata = response1;
1126 respsize = sizeof(response1);
254b70a4 1127 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // Received request for UID (cascade 1)
15c4dc5a 1128 resp = resp2; respLen = resp2Len; order = 2;
81cd0474 1129 respdata = response2;
1130 respsize = sizeof(response2);
254b70a4 1131 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x95) { // Received request for UID (cascade 2)
15c4dc5a 1132 resp = resp2a; respLen = resp2aLen; order = 20;
81cd0474 1133 respdata = response2a;
1134 respsize = sizeof(response2a);
254b70a4 1135 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x93) { // Received a SELECT (cascade 1)
15c4dc5a 1136 resp = resp3; respLen = resp3Len; order = 3;
81cd0474 1137 respdata = response3;
1138 respsize = sizeof(response3);
254b70a4 1139 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) { // Received a SELECT (cascade 2)
15c4dc5a 1140 resp = resp3a; respLen = resp3aLen; order = 30;
81cd0474 1141 respdata = response3a;
1142 respsize = sizeof(response3a);
254b70a4 1143 } else if(receivedCmd[0] == 0x30) { // Received a (plain) READ
28afbd2b 1144// resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1145// respdata = &nack;
1146// respsize = sizeof(nack); // 4-bit answer
5f6d6c90 1147 EmSendCmdEx(data+(4*receivedCmd[0]),16,false);
254b70a4 1148 Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
5f6d6c90 1149 // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
1150 respLen = 0;
254b70a4 1151 } else if(receivedCmd[0] == 0x50) { // Received a HALT
17331e14 1152// DbpString("Reader requested we HALT!:");
254b70a4 1153 // Do not respond
1154 resp = resp1; respLen = 0; order = 0;
81cd0474 1155 respdata = NULL;
1156 respsize = 0;
254b70a4 1157 } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) { // Received an authentication request
15c4dc5a 1158 resp = resp5; respLen = resp5Len; order = 7;
254b70a4 1159 respdata = response5;
1160 respsize = sizeof(response5);
1161 } else if(receivedCmd[0] == 0xE0) { // Received a RATS request
1162 resp = resp6; respLen = resp6Len; order = 70;
1163 respdata = response6;
1164 respsize = sizeof(response6);
81cd0474 1165 } else {
17331e14 1166 if (order == 7 && len ==8) {
1167 uint32_t nr = bytes_to_num(receivedCmd,4);
1168 uint32_t ar = bytes_to_num(receivedCmd+4,4);
1169 Dbprintf("Auth attempt {nr}{ar}: %08x %08x",nr,ar);
1170 } else {
1171 // Never seen this command before
1172 Dbprintf("Received unknown command (len=%d):",len);
1173 Dbhexdump(len,receivedCmd,false);
1174 }
1175 // Do not respond
1176 resp = resp1; respLen = 0; order = 0;
1177 respdata = NULL;
1178 respsize = 0;
81cd0474 1179 }
15c4dc5a 1180
1181 // Count number of wakeups received after a halt
1182 if(order == 6 && lastorder == 5) { happened++; }
1183
1184 // Count number of other messages after a halt
1185 if(order != 6 && lastorder == 5) { happened2++; }
1186
1187 // Look at last parity bit to determine timing of answer
1188 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1189 // 1236, so correction bit needed
9f693930 1190 //i = 0;
15c4dc5a 1191 }
1192
15c4dc5a 1193 if(cmdsRecvd > 999) {
1194 DbpString("1000 commands later...");
254b70a4 1195 break;
1196 } else {
15c4dc5a 1197 cmdsRecvd++;
1198 }
1199
81cd0474 1200 if(respLen > 0) {
81cd0474 1201 EmSendCmd14443aRaw(resp, respLen, receivedCmd[0] == 0x52);
1202 }
1203
1204 if (tracing) {
81cd0474 1205 if (respdata != NULL) {
1206 LogTrace(respdata,respsize, 0, SwapBits(GetParity(respdata,respsize),respsize), FALSE);
1207 }
4ab4336a 1208 if(traceLen > TRACE_SIZE) {
1209 DbpString("Trace full");
1210 break;
1211 }
81cd0474 1212 }
15c4dc5a 1213
81cd0474 1214 memset(receivedCmd, 0x44, RECV_CMD_SIZE);
254b70a4 1215 }
15c4dc5a 1216
1217 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1218 LED_A_OFF();
1219}
1220
9492e0b0 1221
1222// prepare a delayed transfer. This simply shifts ToSend[] by a number
1223// of bits specified in the delay parameter.
1224void PrepareDelayedTransfer(uint16_t delay)
1225{
1226 uint8_t bitmask = 0;
1227 uint8_t bits_to_shift = 0;
1228 uint8_t bits_shifted = 0;
1229
1230 delay &= 0x07;
1231 if (delay) {
1232 for (uint16_t i = 0; i < delay; i++) {
1233 bitmask |= (0x01 << i);
1234 }
1235 ToSend[++ToSendMax] = 0x00;
1236 for (uint16_t i = 0; i < ToSendMax; i++) {
1237 bits_to_shift = ToSend[i] & bitmask;
1238 ToSend[i] = ToSend[i] >> delay;
1239 ToSend[i] = ToSend[i] | (bits_shifted << (8 - delay));
1240 bits_shifted = bits_to_shift;
1241 }
1242 }
1243}
1244
1245
1246
1247
15c4dc5a 1248//-----------------------------------------------------------------------------
1249// Transmit the command (to the tag) that was placed in ToSend[].
9492e0b0 1250// Parameter timing:
1251// if NULL: ignored
1252// if == 0: return time of transfer
1253// if != 0: delay transfer until time specified
15c4dc5a 1254//-----------------------------------------------------------------------------
9492e0b0 1255static void TransmitFor14443a(const uint8_t *cmd, int len, uint32_t *timing)
15c4dc5a 1256{
9492e0b0 1257 int c;
e30c654b 1258
9492e0b0 1259 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1260
e30c654b 1261
9492e0b0 1262 if (timing) {
1263 if(*timing == 0) { // Measure time
1264 *timing = (GetCountMifare() + 8) & 0xfffffff8;
1265 } else {
1266 PrepareDelayedTransfer(*timing & 0x00000007); // Delay transfer (fine tuning - up to 7 MF clock ticks)
1267 }
1268 if(MF_DBGLEVEL >= 4 && GetCountMifare() >= (*timing & 0xfffffff8)) Dbprintf("TransmitFor14443a: Missed timing");
1269 while(GetCountMifare() < (*timing & 0xfffffff8)); // Delay transfer (multiple of 8 MF clock ticks)
1270 }
1271
1272 for(c = 0; c < 10;) { // standard delay for each transfer (allow tag to be ready after last transmission)
1273 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1274 AT91C_BASE_SSC->SSC_THR = 0x00;
1275 c++;
1276 }
1277 }
1278
1279 c = 0;
1280 for(;;) {
1281 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1282 AT91C_BASE_SSC->SSC_THR = cmd[c];
1283 c++;
1284 if(c >= len) {
1285 break;
1286 }
1287 }
1288 }
e30c654b 1289
15c4dc5a 1290}
1291
15c4dc5a 1292//-----------------------------------------------------------------------------
195af472 1293// Prepare reader command (in bits, support short frames) to send to FPGA
15c4dc5a 1294//-----------------------------------------------------------------------------
195af472 1295void CodeIso14443aBitsAsReaderPar(const uint8_t * cmd, int bits, uint32_t dwParity)
15c4dc5a 1296{
1297 int i, j;
1298 int last;
f7e3ed82 1299 uint8_t b;
e30c654b 1300
15c4dc5a 1301 ToSendReset();
e30c654b 1302
15c4dc5a 1303 // Start of Communication (Seq. Z)
72934aa3 1304 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1305 last = 0;
e30c654b 1306
195af472 1307 size_t bytecount = nbytes(bits);
15c4dc5a 1308 // Generate send structure for the data bits
195af472 1309 for (i = 0; i < bytecount; i++) {
15c4dc5a 1310 // Get the current byte to send
1311 b = cmd[i];
195af472 1312 size_t bitsleft = MIN((bits-(i*8)),8);
e30c654b 1313
195af472 1314 for (j = 0; j < bitsleft; j++) {
15c4dc5a 1315 if (b & 1) {
1316 // Sequence X
72934aa3 1317 ToSend[++ToSendMax] = SEC_X;
15c4dc5a 1318 last = 1;
1319 } else {
1320 if (last == 0) {
1321 // Sequence Z
72934aa3 1322 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1323 } else {
1324 // Sequence Y
72934aa3 1325 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1326 last = 0;
1327 }
1328 }
1329 b >>= 1;
1330 }
e30c654b 1331
195af472 1332 // Only transmit (last) parity bit if we transmitted a complete byte
1333 if (j == 8) {
1334 // Get the parity bit
1335 if ((dwParity >> i) & 0x01) {
1336 // Sequence X
1337 ToSend[++ToSendMax] = SEC_X;
1338 last = 1;
15c4dc5a 1339 } else {
195af472 1340 if (last == 0) {
1341 // Sequence Z
1342 ToSend[++ToSendMax] = SEC_Z;
1343 } else {
1344 // Sequence Y
1345 ToSend[++ToSendMax] = SEC_Y;
1346 last = 0;
1347 }
15c4dc5a 1348 }
1349 }
1350 }
e30c654b 1351
15c4dc5a 1352 // End of Communication
1353 if (last == 0) {
1354 // Sequence Z
72934aa3 1355 ToSend[++ToSendMax] = SEC_Z;
15c4dc5a 1356 } else {
1357 // Sequence Y
72934aa3 1358 ToSend[++ToSendMax] = SEC_Y;
15c4dc5a 1359 last = 0;
1360 }
1361 // Sequence Y
72934aa3 1362 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1363
15c4dc5a 1364 // Just to be sure!
72934aa3 1365 ToSend[++ToSendMax] = SEC_Y;
1366 ToSend[++ToSendMax] = SEC_Y;
1367 ToSend[++ToSendMax] = SEC_Y;
e30c654b 1368
15c4dc5a 1369 // Convert from last character reference to length
1370 ToSendMax++;
1371}
1372
195af472 1373//-----------------------------------------------------------------------------
1374// Prepare reader command to send to FPGA
1375//-----------------------------------------------------------------------------
1376void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
1377{
1378 CodeIso14443aBitsAsReaderPar(cmd,len*8,dwParity);
1379}
1380
9ca155ba
M
1381//-----------------------------------------------------------------------------
1382// Wait for commands from reader
1383// Stop when button is pressed (return 1) or field was gone (return 2)
1384// Or return 0 when command is captured
1385//-----------------------------------------------------------------------------
1386static int EmGetCmd(uint8_t *received, int *len, int maxLen)
1387{
1388 *len = 0;
1389
1390 uint32_t timer = 0, vtime = 0;
1391 int analogCnt = 0;
1392 int analogAVG = 0;
1393
1394 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
1395 // only, since we are receiving, not transmitting).
1396 // Signal field is off with the appropriate LED
1397 LED_D_OFF();
1398 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
1399
1400 // Set ADC to read field strength
1401 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
1402 AT91C_BASE_ADC->ADC_MR =
1403 ADC_MODE_PRESCALE(32) |
1404 ADC_MODE_STARTUP_TIME(16) |
1405 ADC_MODE_SAMPLE_HOLD_TIME(8);
1406 AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ADC_CHAN_HF);
1407 // start ADC
1408 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1409
1410 // Now run a 'software UART' on the stream of incoming samples.
1411 Uart.output = received;
1412 Uart.byteCntMax = maxLen;
1413 Uart.state = STATE_UNSYNCD;
1414
1415 for(;;) {
1416 WDT_HIT();
1417
1418 if (BUTTON_PRESS()) return 1;
1419
1420 // test if the field exists
1421 if (AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ADC_CHAN_HF)) {
1422 analogCnt++;
1423 analogAVG += AT91C_BASE_ADC->ADC_CDR[ADC_CHAN_HF];
1424 AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;
1425 if (analogCnt >= 32) {
1426 if ((33000 * (analogAVG / analogCnt) >> 10) < MF_MINFIELDV) {
1427 vtime = GetTickCount();
1428 if (!timer) timer = vtime;
1429 // 50ms no field --> card to idle state
1430 if (vtime - timer > 50) return 2;
1431 } else
1432 if (timer) timer = 0;
1433 analogCnt = 0;
1434 analogAVG = 0;
1435 }
1436 }
1437 // transmit none
1438 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1439 AT91C_BASE_SSC->SSC_THR = 0x00;
1440 }
1441 // receive and test the miller decoding
1442 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1443 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1444 if(MillerDecoding((b & 0xf0) >> 4)) {
1445 *len = Uart.byteCnt;
8f51ddb0 1446 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1447 return 0;
1448 }
1449 if(MillerDecoding(b & 0x0f)) {
1450 *len = Uart.byteCnt;
8f51ddb0 1451 if (tracing) LogTrace(received, *len, GetDeltaCountUS(), Uart.parityBits, TRUE);
9ca155ba
M
1452 return 0;
1453 }
1454 }
1455 }
1456}
1457
1458static int EmSendCmd14443aRaw(uint8_t *resp, int respLen, int correctionNeeded)
1459{
1460 int i, u = 0;
1461 uint8_t b = 0;
1462
1463 // Modulate Manchester
1464 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1465 AT91C_BASE_SSC->SSC_THR = 0x00;
1466 FpgaSetupSsc();
1467
1468 // include correction bit
1469 i = 1;
1470 if((Uart.parityBits & 0x01) || correctionNeeded) {
1471 // 1236, so correction bit needed
1472 i = 0;
1473 }
1474
1475 // send cycle
1476 for(;;) {
1477 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1478 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
1479 (void)b;
1480 }
1481 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1482 if(i > respLen) {
8f51ddb0 1483 b = 0xff; // was 0x00
9ca155ba
M
1484 u++;
1485 } else {
1486 b = resp[i];
1487 i++;
1488 }
1489 AT91C_BASE_SSC->SSC_THR = b;
1490
1491 if(u > 4) break;
1492 }
1493 if(BUTTON_PRESS()) {
1494 break;
1495 }
1496 }
1497
1498 return 0;
1499}
1500
8f51ddb0
M
1501int EmSend4bitEx(uint8_t resp, int correctionNeeded){
1502 Code4bitAnswerAsTag(resp);
0a39986e 1503 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
8f51ddb0 1504 if (tracing) LogTrace(&resp, 1, GetDeltaCountUS(), GetParity(&resp, 1), FALSE);
0a39986e 1505 return res;
9ca155ba
M
1506}
1507
8f51ddb0
M
1508int EmSend4bit(uint8_t resp){
1509 return EmSend4bitEx(resp, 0);
1510}
1511
1512int EmSendCmdExPar(uint8_t *resp, int respLen, int correctionNeeded, uint32_t par){
1513 CodeIso14443aAsTagPar(resp, respLen, par);
1514 int res = EmSendCmd14443aRaw(ToSend, ToSendMax, correctionNeeded);
1515 if (tracing) LogTrace(resp, respLen, GetDeltaCountUS(), par, FALSE);
1516 return res;
1517}
1518
1519int EmSendCmdEx(uint8_t *resp, int respLen, int correctionNeeded){
1520 return EmSendCmdExPar(resp, respLen, correctionNeeded, GetParity(resp, respLen));
1521}
1522
1523int EmSendCmd(uint8_t *resp, int respLen){
1524 return EmSendCmdExPar(resp, respLen, 0, GetParity(resp, respLen));
1525}
1526
1527int EmSendCmdPar(uint8_t *resp, int respLen, uint32_t par){
1528 return EmSendCmdExPar(resp, respLen, 0, par);
9ca155ba
M
1529}
1530
15c4dc5a 1531//-----------------------------------------------------------------------------
1532// Wait a certain time for tag response
1533// If a response is captured return TRUE
1534// If it takes to long return FALSE
1535//-----------------------------------------------------------------------------
f7e3ed82 1536static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1537{
1538 // buffer needs to be 512 bytes
1539 int c;
1540
1541 // Set FPGA mode to "reader listen mode", no modulation (listen
534983d7 1542 // only, since we are receiving, not transmitting).
1543 // Signal field is on with the appropriate LED
1544 LED_D_ON();
1545 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1c611bbd 1546
534983d7 1547 // Now get the answer from the card
1548 Demod.output = receivedResponse;
1549 Demod.len = 0;
1550 Demod.state = DEMOD_UNSYNCD;
15c4dc5a 1551
f7e3ed82 1552 uint8_t b;
15c4dc5a 1553 if (elapsed) *elapsed = 0;
1554
1555 c = 0;
1556 for(;;) {
534983d7 1557 WDT_HIT();
15c4dc5a 1558
9492e0b0 1559 // if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1560 // AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1561 // if (elapsed) (*elapsed)++;
1562 // }
534983d7 1563 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1564 if(c < iso14a_timeout) { c++; } else { return FALSE; }
1565 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
72934aa3 1566 if(ManchesterDecoding((b>>4) & 0xf)) {
15c4dc5a 1567 *samples = ((c - 1) << 3) + 4;
1568 return TRUE;
1569 }
1570 if(ManchesterDecoding(b & 0x0f)) {
1571 *samples = c << 3;
1572 return TRUE;
1573 }
534983d7 1574 }
1575 }
15c4dc5a 1576}
1577
9492e0b0 1578void ReaderTransmitBitsPar(uint8_t* frame, int bits, uint32_t par, uint32_t *timing)
15c4dc5a 1579{
9492e0b0 1580
dfc3c505 1581 CodeIso14443aBitsAsReaderPar(frame,bits,par);
1582
15c4dc5a 1583 // Select the card
9492e0b0 1584 TransmitFor14443a(ToSend, ToSendMax, timing);
534983d7 1585 if(trigger)
1586 LED_A_ON();
dfc3c505 1587
15c4dc5a 1588 // Store reader command in buffer
dfc3c505 1589 if (tracing) LogTrace(frame,nbytes(bits),0,par,TRUE);
15c4dc5a 1590}
1591
9492e0b0 1592void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par, uint32_t *timing)
dfc3c505 1593{
9492e0b0 1594 ReaderTransmitBitsPar(frame,len*8,par, timing);
dfc3c505 1595}
15c4dc5a 1596
9492e0b0 1597void ReaderTransmit(uint8_t* frame, int len, uint32_t *timing)
15c4dc5a 1598{
1599 // Generate parity and redirect
9492e0b0 1600 ReaderTransmitBitsPar(frame,len*8,GetParity(frame,len), timing);
15c4dc5a 1601}
1602
f7e3ed82 1603int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1604{
1605 int samples = 0;
20f9a2a1 1606 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
15c4dc5a 1607 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
7e758047 1608 if(samples == 0) return FALSE;
1609 return Demod.len;
15c4dc5a 1610}
1611
f89c7050
M
1612int ReaderReceivePar(uint8_t* receivedAnswer, uint32_t * parptr)
1613{
1614 int samples = 0;
1615 if (!GetIso14443aAnswerFromTag(receivedAnswer,160,&samples,0)) return FALSE;
1616 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1617 *parptr = Demod.parityBits;
1618 if(samples == 0) return FALSE;
1619 return Demod.len;
1620}
1621
7e758047 1622/* performs iso14443a anticolision procedure
534983d7 1623 * fills the uid pointer unless NULL
1624 * fills resp_data unless NULL */
79a73ab2 1625int iso14443a_select_card(byte_t* uid_ptr, iso14a_card_select_t* p_hi14a_card, uint32_t* cuid_ptr) {
ed258538 1626 uint8_t wupa[] = { 0x52 }; // 0x26 - REQA 0x52 - WAKE-UP
1627 uint8_t sel_all[] = { 0x93,0x20 };
1628 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1629 uint8_t rats[] = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0
1630 uint8_t* resp = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET); // was 3560 - tied to other size changes
79a73ab2 1631 byte_t uid_resp[4];
1632 size_t uid_resp_len;
15c4dc5a 1633
ed258538 1634 uint8_t sak = 0x04; // cascade uid
1635 int cascade_level = 0;
1636 int len;
79a73ab2 1637
ed258538 1638 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
9492e0b0 1639 ReaderTransmitBitsPar(wupa,7,0, NULL);
ed258538 1640 // Receive the ATQA
1641 if(!ReaderReceive(resp)) return 0;
902cb3c0 1642// Dbprintf("atqa: %02x %02x",resp[0],resp[1]);
1c611bbd 1643
ed258538 1644 if(p_hi14a_card) {
1645 memcpy(p_hi14a_card->atqa, resp, 2);
79a73ab2 1646 p_hi14a_card->uidlen = 0;
1647 memset(p_hi14a_card->uid,0,10);
1648 }
5f6d6c90 1649
79a73ab2 1650 // clear uid
1651 if (uid_ptr) {
1c611bbd 1652 memset(uid_ptr,0,10);
79a73ab2 1653 }
1654
ed258538 1655 // OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
1656 // which case we need to make a cascade 2 request and select - this is a long UID
1657 // While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
1658 for(; sak & 0x04; cascade_level++) {
1659 // SELECT_* (L1: 0x93, L2: 0x95, L3: 0x97)
1660 sel_uid[0] = sel_all[0] = 0x93 + cascade_level * 2;
1661
1662 // SELECT_ALL
9492e0b0 1663 ReaderTransmit(sel_all,sizeof(sel_all), NULL);
ed258538 1664 if (!ReaderReceive(resp)) return 0;
5f6d6c90 1665
ed258538 1666 // First backup the current uid
79a73ab2 1667 memcpy(uid_resp,resp,4);
1668 uid_resp_len = 4;
1669 // Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
5f6d6c90 1670
1671 // calculate crypto UID. Always use last 4 Bytes.
1672 if(cuid_ptr) {
1673 *cuid_ptr = bytes_to_num(uid_resp, 4);
79a73ab2 1674 }
e30c654b 1675
ed258538 1676 // Construct SELECT UID command
5f6d6c90 1677 memcpy(sel_uid+2,resp,5);
ed258538 1678 AppendCrc14443a(sel_uid,7);
9492e0b0 1679 ReaderTransmit(sel_uid,sizeof(sel_uid), NULL);
534983d7 1680
ed258538 1681 // Receive the SAK
1682 if (!ReaderReceive(resp)) return 0;
1683 sak = resp[0];
79a73ab2 1684
1685 // Test if more parts of the uid are comming
1686 if ((sak & 0x04) && uid_resp[0] == 0x88) {
1687 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
1688 // http://www.nxp.com/documents/application_note/AN10927.pdf
ed258538 1689 memcpy(uid_resp, uid_resp + 1, 3);
79a73ab2 1690 uid_resp_len = 3;
1691 }
5f6d6c90 1692
79a73ab2 1693 if(uid_ptr) {
1694 memcpy(uid_ptr + (cascade_level*3), uid_resp, uid_resp_len);
1695 }
5f6d6c90 1696
79a73ab2 1697 if(p_hi14a_card) {
1698 memcpy(p_hi14a_card->uid + (cascade_level*3), uid_resp, uid_resp_len);
1699 p_hi14a_card->uidlen += uid_resp_len;
1700 }
ed258538 1701 }
79a73ab2 1702
ed258538 1703 if(p_hi14a_card) {
1704 p_hi14a_card->sak = sak;
1705 p_hi14a_card->ats_len = 0;
1706 }
534983d7 1707
ed258538 1708 if( (sak & 0x20) == 0) {
1709 return 2; // non iso14443a compliant tag
79a73ab2 1710 }
534983d7 1711
ed258538 1712 // Request for answer to select
5191b3d1 1713 AppendCrc14443a(rats, 2);
9492e0b0 1714 ReaderTransmit(rats, sizeof(rats), NULL);
1c611bbd 1715
5191b3d1 1716 if (!(len = ReaderReceive(resp))) return 0;
1717
1718 if(p_hi14a_card) {
ed258538 1719 memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
1720 p_hi14a_card->ats_len = len;
1721 }
5f6d6c90 1722
ed258538 1723 // reset the PCB block number
1724 iso14_pcb_blocknum = 0;
1725 return 1;
7e758047 1726}
15c4dc5a 1727
7e758047 1728void iso14443a_setup() {
9492e0b0 1729 // Set up the synchronous serial port
1730 FpgaSetupSsc();
7e758047 1731 // Start from off (no field generated)
1732 // Signal field is off with the appropriate LED
9492e0b0 1733// LED_D_OFF();
1734// FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1735 // SpinDelay(50);
15c4dc5a 1736
7e758047 1737 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
e30c654b 1738
7e758047 1739 // Now give it time to spin up.
1740 // Signal field is on with the appropriate LED
1741 LED_D_ON();
1742 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
9492e0b0 1743 SpinDelay(7); // iso14443-3 specifies 5ms max.
534983d7 1744
1745 iso14a_timeout = 2048; //default
7e758047 1746}
15c4dc5a 1747
534983d7 1748int iso14_apdu(uint8_t * cmd, size_t cmd_len, void * data) {
1749 uint8_t real_cmd[cmd_len+4];
1750 real_cmd[0] = 0x0a; //I-Block
b0127e65 1751 // put block number into the PCB
1752 real_cmd[0] |= iso14_pcb_blocknum;
534983d7 1753 real_cmd[1] = 0x00; //CID: 0 //FIXME: allow multiple selected cards
1754 memcpy(real_cmd+2, cmd, cmd_len);
1755 AppendCrc14443a(real_cmd,cmd_len+2);
1756
9492e0b0 1757 ReaderTransmit(real_cmd, cmd_len+4, NULL);
534983d7 1758 size_t len = ReaderReceive(data);
b0127e65 1759 uint8_t * data_bytes = (uint8_t *) data;
1760 if (!len)
1761 return 0; //DATA LINK ERROR
1762 // if we received an I- or R(ACK)-Block with a block number equal to the
1763 // current block number, toggle the current block number
1764 else if (len >= 4 // PCB+CID+CRC = 4 bytes
1765 && ((data_bytes[0] & 0xC0) == 0 // I-Block
1766 || (data_bytes[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
1767 && (data_bytes[0] & 0x01) == iso14_pcb_blocknum) // equal block numbers
1768 {
1769 iso14_pcb_blocknum ^= 1;
1770 }
1771
534983d7 1772 return len;
1773}
1774
7e758047 1775//-----------------------------------------------------------------------------
1776// Read an ISO 14443a tag. Send out commands and store answers.
1777//
1778//-----------------------------------------------------------------------------
902cb3c0 1779void ReaderIso14443a(UsbCommand * c)
7e758047 1780{
534983d7 1781 iso14a_command_t param = c->arg[0];
1782 uint8_t * cmd = c->d.asBytes;
1783 size_t len = c->arg[1];
5f6d6c90 1784 size_t lenbits = c->arg[2];
9492e0b0 1785 uint32_t arg0 = 0;
1786 byte_t buf[USB_CMD_DATA_SIZE];
902cb3c0 1787
5f6d6c90 1788 if(param & ISO14A_CONNECT) {
1789 iso14a_clear_trace();
1790 }
9492e0b0 1791 iso14a_set_tracing(true);
e30c654b 1792
79a73ab2 1793 if(param & ISO14A_REQUEST_TRIGGER) {
9492e0b0 1794 iso14a_set_trigger(1);
1795 }
15c4dc5a 1796
534983d7 1797 if(param & ISO14A_CONNECT) {
1798 iso14443a_setup();
5f6d6c90 1799 if(!(param & ISO14A_NO_SELECT)) {
1800 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
1801 arg0 = iso14443a_select_card(NULL,card,NULL);
1802 cmd_send(CMD_ACK,arg0,card->uidlen,0,buf,sizeof(iso14a_card_select_t));
1803 }
534983d7 1804 }
e30c654b 1805
534983d7 1806 if(param & ISO14A_SET_TIMEOUT) {
1807 iso14a_timeout = c->arg[2];
1808 }
e30c654b 1809
534983d7 1810 if(param & ISO14A_SET_TIMEOUT) {
1811 iso14a_timeout = c->arg[2];
1812 }
e30c654b 1813
534983d7 1814 if(param & ISO14A_APDU) {
902cb3c0 1815 arg0 = iso14_apdu(cmd, len, buf);
79a73ab2 1816 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1817 }
e30c654b 1818
534983d7 1819 if(param & ISO14A_RAW) {
1820 if(param & ISO14A_APPEND_CRC) {
1821 AppendCrc14443a(cmd,len);
1822 len += 2;
15c4dc5a 1823 }
5f6d6c90 1824 if(lenbits>0) {
1825 ReaderTransmitBitsPar(cmd,lenbits,GetParity(cmd,lenbits/8), NULL);
1826 } else {
1827 ReaderTransmit(cmd,len, NULL);
1828 }
902cb3c0 1829 arg0 = ReaderReceive(buf);
9492e0b0 1830 cmd_send(CMD_ACK,arg0,0,0,buf,sizeof(buf));
534983d7 1831 }
15c4dc5a 1832
79a73ab2 1833 if(param & ISO14A_REQUEST_TRIGGER) {
9492e0b0 1834 iso14a_set_trigger(0);
1835 }
15c4dc5a 1836
79a73ab2 1837 if(param & ISO14A_NO_DISCONNECT) {
534983d7 1838 return;
9492e0b0 1839 }
15c4dc5a 1840
15c4dc5a 1841 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1842 LEDsoff();
15c4dc5a 1843}
b0127e65 1844
1c611bbd 1845
1c611bbd 1846// Determine the distance between two nonces.
1847// Assume that the difference is small, but we don't know which is first.
1848// Therefore try in alternating directions.
1849int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
1850
1851 uint16_t i;
1852 uint32_t nttmp1, nttmp2;
e772353f 1853
1c611bbd 1854 if (nt1 == nt2) return 0;
1855
1856 nttmp1 = nt1;
1857 nttmp2 = nt2;
1858
1859 for (i = 1; i < 32768; i++) {
1860 nttmp1 = prng_successor(nttmp1, 1);
1861 if (nttmp1 == nt2) return i;
1862 nttmp2 = prng_successor(nttmp2, 1);
1863 if (nttmp2 == nt1) return -i;
1864 }
1865
1866 return(-99999); // either nt1 or nt2 are invalid nonces
e772353f 1867}
1868
e772353f 1869
1c611bbd 1870//-----------------------------------------------------------------------------
1871// Recover several bits of the cypher stream. This implements (first stages of)
1872// the algorithm described in "The Dark Side of Security by Obscurity and
1873// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
1874// (article by Nicolas T. Courtois, 2009)
1875//-----------------------------------------------------------------------------
1876void ReaderMifare(bool first_try)
1877{
1878 // Mifare AUTH
1879 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1880 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1881 static uint8_t mf_nr_ar3;
e772353f 1882
1c611bbd 1883 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + FREE_BUFFER_OFFSET);
1884 traceLen = 0;
1885 tracing = false;
e772353f 1886
1c611bbd 1887 byte_t nt_diff = 0;
1888 byte_t par = 0;
1889 //byte_t par_mask = 0xff;
1890 static byte_t par_low = 0;
1891 bool led_on = TRUE;
1892 uint8_t uid[10];
1893 uint32_t cuid;
e772353f 1894
1c611bbd 1895 uint32_t nt, previous_nt;
1896 static uint32_t nt_attacked = 0;
1897 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
1898 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
e772353f 1899
1c611bbd 1900 static uint32_t sync_time;
1901 static uint32_t sync_cycles;
1902 int catch_up_cycles = 0;
1903 int last_catch_up = 0;
1904 uint16_t consecutive_resyncs = 0;
1905 int isOK = 0;
e772353f 1906
e772353f 1907
e772353f 1908
1c611bbd 1909 if (first_try) {
1910 StartCountMifare();
1911 mf_nr_ar3 = 0;
1912 iso14443a_setup();
1c611bbd 1913 while((GetCountMifare() & 0xffff0000) != 0x10000); // wait for counter to reset and "warm up"
9492e0b0 1914 sync_time = GetCountMifare() & 0xfffffff8;
1c611bbd 1915 sync_cycles = 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
1916 nt_attacked = 0;
1917 nt = 0;
1918 par = 0;
1919 }
1920 else {
1921 // we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
1922 // nt_attacked = prng_successor(nt_attacked, 1);
1923 mf_nr_ar3++;
1924 mf_nr_ar[3] = mf_nr_ar3;
1925 par = par_low;
1926 }
e30c654b 1927
15c4dc5a 1928 LED_A_ON();
1929 LED_B_OFF();
1930 LED_C_OFF();
1c611bbd 1931
1932
1933 for(uint16_t i = 0; TRUE; i++) {
1934
1935 WDT_HIT();
e30c654b 1936
1c611bbd 1937 // Test if the action was cancelled
1938 if(BUTTON_PRESS()) {
1939 break;
1940 }
1941
1942 LED_C_ON();
e30c654b 1943
1c611bbd 1944 if(!iso14443a_select_card(uid, NULL, &cuid)) {
9492e0b0 1945 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
1c611bbd 1946 continue;
1947 }
1948
1949 //keep the card active
f89c7050 1950 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1951
9492e0b0 1952 // CodeIso14443aBitsAsReaderPar(mf_auth, sizeof(mf_auth)*8, GetParity(mf_auth, sizeof(mf_auth)*8));
1c611bbd 1953
9492e0b0 1954 sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
1c611bbd 1955 catch_up_cycles = 0;
1956
1957 // if we missed the sync time already, advance to the next nonce repeat
1958 while(GetCountMifare() > sync_time) {
9492e0b0 1959 sync_time = (sync_time & 0xfffffff8) + sync_cycles;
1c611bbd 1960 }
e30c654b 1961
9492e0b0 1962 // Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked)
1963 ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);
f89c7050 1964
1c611bbd 1965 // Receive the (4 Byte) "random" nonce
1966 if (!ReaderReceive(receivedAnswer)) {
9492e0b0 1967 if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Couldn't receive tag nonce");
1c611bbd 1968 continue;
1969 }
1970
1c611bbd 1971 previous_nt = nt;
1972 nt = bytes_to_num(receivedAnswer, 4);
1973
1974 // Transmit reader nonce with fake par
9492e0b0 1975 ReaderTransmitPar(mf_nr_ar, sizeof(mf_nr_ar), par, NULL);
1c611bbd 1976
1977 if (first_try && previous_nt && !nt_attacked) { // we didn't calibrate our clock yet
1978 int nt_distance = dist_nt(previous_nt, nt);
1979 if (nt_distance == 0) {
1980 nt_attacked = nt;
1981 }
1982 else {
1983 if (nt_distance == -99999) { // invalid nonce received, try again
1984 continue;
1985 }
1986 sync_cycles = (sync_cycles - nt_distance);
9492e0b0 1987 if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
1c611bbd 1988 continue;
1989 }
1990 }
1991
1992 if ((nt != nt_attacked) && nt_attacked) { // we somehow lost sync. Try to catch up again...
1993 catch_up_cycles = -dist_nt(nt_attacked, nt);
1994 if (catch_up_cycles == 99999) { // invalid nonce received. Don't resync on that one.
1995 catch_up_cycles = 0;
1996 continue;
1997 }
1998 if (catch_up_cycles == last_catch_up) {
1999 consecutive_resyncs++;
2000 }
2001 else {
2002 last_catch_up = catch_up_cycles;
2003 consecutive_resyncs = 0;
2004 }
2005 if (consecutive_resyncs < 3) {
9492e0b0 2006 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d. nt_distance=%d. Consecutive Resyncs = %d. Trying one time catch up...\n", i, -catch_up_cycles, consecutive_resyncs);
1c611bbd 2007 }
2008 else {
2009 sync_cycles = sync_cycles + catch_up_cycles;
9492e0b0 2010 if (MF_DBGLEVEL >= 3) Dbprintf("Lost sync in cycle %d for the fourth time consecutively (nt_distance = %d). Adjusting sync_cycles to %d.\n", i, -catch_up_cycles, sync_cycles);
1c611bbd 2011 }
2012 continue;
2013 }
2014
2015 consecutive_resyncs = 0;
2016
2017 // Receive answer. This will be a 4 Bit NACK when the 8 parity bits are OK after decoding
2018 if (ReaderReceive(receivedAnswer))
2019 {
9492e0b0 2020 catch_up_cycles = 8; // the PRNG is delayed by 8 cycles due to the NAC (4Bits = 0x05 encrypted) transfer
1c611bbd 2021
2022 if (nt_diff == 0)
2023 {
2024 par_low = par & 0x07; // there is no need to check all parities for other nt_diff. Parity Bits for mf_nr_ar[0..2] won't change
2025 }
2026
2027 led_on = !led_on;
2028 if(led_on) LED_B_ON(); else LED_B_OFF();
2029
2030 par_list[nt_diff] = par;
2031 ks_list[nt_diff] = receivedAnswer[0] ^ 0x05;
2032
2033 // Test if the information is complete
2034 if (nt_diff == 0x07) {
2035 isOK = 1;
2036 break;
2037 }
2038
2039 nt_diff = (nt_diff + 1) & 0x07;
2040 mf_nr_ar[3] = (mf_nr_ar[3] & 0x1F) | (nt_diff << 5);
2041 par = par_low;
2042 } else {
2043 if (nt_diff == 0 && first_try)
2044 {
2045 par++;
2046 } else {
2047 par = (((par >> 3) + 1) << 3) | par_low;
2048 }
2049 }
2050 }
2051
2052 LogTrace((const uint8_t *)&nt, 4, 0, GetParity((const uint8_t *)&nt, 4), TRUE);
2053 LogTrace(par_list, 8, 0, GetParity(par_list, 8), TRUE);
2054 LogTrace(ks_list, 8, 0, GetParity(ks_list, 8), TRUE);
2055
2056 mf_nr_ar[3] &= 0x1F;
2057
2058 byte_t buf[28];
2059 memcpy(buf + 0, uid, 4);
2060 num_to_bytes(nt, 4, buf + 4);
2061 memcpy(buf + 8, par_list, 8);
2062 memcpy(buf + 16, ks_list, 8);
2063 memcpy(buf + 24, mf_nr_ar, 4);
2064
2065 cmd_send(CMD_ACK,isOK,0,0,buf,28);
2066
2067 // Thats it...
2068 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2069 LEDsoff();
2070 tracing = TRUE;
20f9a2a1 2071}
1c611bbd 2072
20f9a2a1
M
2073//-----------------------------------------------------------------------------
2074// MIFARE 1K simulate.
2075//
2076//-----------------------------------------------------------------------------
2077void Mifare1ksim(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
2078{
50193c1e 2079 int cardSTATE = MFEMUL_NOFIELD;
8556b852 2080 int _7BUID = 0;
9ca155ba 2081 int vHf = 0; // in mV
9f693930 2082 //int nextCycleTimeout = 0;
8f51ddb0 2083 int res;
51969283 2084// uint32_t timer = 0;
0a39986e
M
2085 uint32_t selTimer = 0;
2086 uint32_t authTimer = 0;
2087 uint32_t par = 0;
9ca155ba 2088 int len = 0;
8f51ddb0 2089 uint8_t cardWRBL = 0;
9ca155ba
M
2090 uint8_t cardAUTHSC = 0;
2091 uint8_t cardAUTHKEY = 0xff; // no authentication
9f693930 2092 //uint32_t cardRn = 0;
51969283 2093 uint32_t cardRr = 0;
9ca155ba 2094 uint32_t cuid = 0;
9f693930 2095 //uint32_t rn_enc = 0;
51969283 2096 uint32_t ans = 0;
0014cb46
M
2097 uint32_t cardINTREG = 0;
2098 uint8_t cardINTBLOCK = 0;
9ca155ba
M
2099 struct Crypto1State mpcs = {0, 0};
2100 struct Crypto1State *pcs;
2101 pcs = &mpcs;
2102
8f51ddb0
M
2103 uint8_t* receivedCmd = eml_get_bigbufptr_recbuf();
2104 uint8_t *response = eml_get_bigbufptr_sendbuf();
9ca155ba 2105
8556b852 2106 static uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
9ca155ba 2107
0a39986e
M
2108 static uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
2109 static uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
9ca155ba 2110
0a39986e 2111 static uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
8556b852 2112 static uint8_t rSAK1[] = {0x04, 0xda, 0x17};
9ca155ba 2113
0014cb46
M
2114 static uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
2115// static uint8_t rAUTH_NT[] = {0x1a, 0xac, 0xff, 0x4f};
0a39986e 2116 static uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
0014cb46 2117
0a39986e
M
2118 // clear trace
2119 traceLen = 0;
2120 tracing = true;
51969283
M
2121
2122 // Authenticate response - nonce
2123 uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
9ca155ba 2124
8556b852
M
2125 // get UID from emul memory
2126 emlGetMemBt(receivedCmd, 7, 1);
2127 _7BUID = !(receivedCmd[0] == 0x00);
2128 if (!_7BUID) { // ---------- 4BUID
2129 rATQA[0] = 0x04;
2130
2131 emlGetMemBt(rUIDBCC1, 0, 4);
2132 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2133 } else { // ---------- 7BUID
2134 rATQA[0] = 0x44;
2135
2136 rUIDBCC1[0] = 0x88;
2137 emlGetMemBt(&rUIDBCC1[1], 0, 3);
2138 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
2139 emlGetMemBt(rUIDBCC2, 3, 4);
2140 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
2141 }
2142
9ca155ba 2143// -------------------------------------- test area
50193c1e 2144
9ca155ba 2145// -------------------------------------- END test area
8f51ddb0
M
2146 // start mkseconds counter
2147 StartCountUS();
9ca155ba
M
2148
2149 // We need to listen to the high-frequency, peak-detected path.
2150 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
2151 FpgaSetupSsc();
2152
2153 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
2154 SpinDelay(200);
2155
0014cb46 2156 if (MF_DBGLEVEL >= 1) Dbprintf("Started. 7buid=%d", _7BUID);
8f51ddb0
M
2157 // calibrate mkseconds counter
2158 GetDeltaCountUS();
9ca155ba
M
2159 while (true) {
2160 WDT_HIT();
9ca155ba 2161
8f51ddb0
M
2162 if(BUTTON_PRESS()) {
2163 break;
2164 }
2165
9ca155ba
M
2166 // find reader field
2167 // Vref = 3300mV, and an 10:1 voltage divider on the input
2168 // can measure voltages up to 33000 mV
2169 if (cardSTATE == MFEMUL_NOFIELD) {
2170 vHf = (33000 * AvgAdc(ADC_CHAN_HF)) >> 10;
2171 if (vHf > MF_MINFIELDV) {
0014cb46 2172 cardSTATE_TO_IDLE();
9ca155ba
M
2173 LED_A_ON();
2174 }
2175 }
2176
2177 if (cardSTATE != MFEMUL_NOFIELD) {
81cd0474 2178 res = EmGetCmd(receivedCmd, &len, RECV_CMD_SIZE); // (+ nextCycleTimeout)
9ca155ba
M
2179 if (res == 2) {
2180 cardSTATE = MFEMUL_NOFIELD;
2181 LEDsoff();
2182 continue;
2183 }
2184 if(res) break;
2185 }
2186
9f693930 2187 //nextCycleTimeout = 0;
8f51ddb0 2188
9ca155ba 2189// if (len) Dbprintf("len:%d cmd: %02x %02x %02x %02x", len, receivedCmd[0], receivedCmd[1], receivedCmd[2], receivedCmd[3]);
0a39986e
M
2190
2191 if (len != 4 && cardSTATE != MFEMUL_NOFIELD) { // len != 4 <---- speed up the code 4 authentication
8f51ddb0 2192 // REQ or WUP request in ANY state and WUP in HALTED state
0a39986e
M
2193 if (len == 1 && ((receivedCmd[0] == 0x26 && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == 0x52)) {
2194 selTimer = GetTickCount();
2195 EmSendCmdEx(rATQA, sizeof(rATQA), (receivedCmd[0] == 0x52));
2196 cardSTATE = MFEMUL_SELECT1;
2197
2198 // init crypto block
2199 LED_B_OFF();
2200 LED_C_OFF();
2201 crypto1_destroy(pcs);
2202 cardAUTHKEY = 0xff;
2203 }
2204 }
9ca155ba 2205
50193c1e
M
2206 switch (cardSTATE) {
2207 case MFEMUL_NOFIELD:{
2208 break;
2209 }
9ca155ba 2210 case MFEMUL_HALTED:{
0a39986e 2211 break;
9ca155ba 2212 }
50193c1e
M
2213 case MFEMUL_IDLE:{
2214 break;
2215 }
2216 case MFEMUL_SELECT1:{
9ca155ba
M
2217 // select all
2218 if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
2219 EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
0014cb46 2220 break;
9ca155ba
M
2221 }
2222
2223 // select card
0a39986e
M
2224 if (len == 9 &&
2225 (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
8556b852
M
2226 if (!_7BUID)
2227 EmSendCmd(rSAK, sizeof(rSAK));
2228 else
2229 EmSendCmd(rSAK1, sizeof(rSAK1));
9ca155ba
M
2230
2231 cuid = bytes_to_num(rUIDBCC1, 4);
8556b852
M
2232 if (!_7BUID) {
2233 cardSTATE = MFEMUL_WORK;
0014cb46
M
2234 LED_B_ON();
2235 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
2236 break;
8556b852
M
2237 } else {
2238 cardSTATE = MFEMUL_SELECT2;
2239 break;
2240 }
9ca155ba
M
2241 }
2242
50193c1e
M
2243 break;
2244 }
2245 case MFEMUL_SELECT2:{
0014cb46
M
2246 if (!len) break;
2247
8556b852 2248 if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
9ca155ba 2249 EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
8556b852
M
2250 break;
2251 }
9ca155ba 2252
8556b852
M
2253 // select 2 card
2254 if (len == 9 &&
2255 (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
2256 EmSendCmd(rSAK, sizeof(rSAK));
2257
2258 cuid = bytes_to_num(rUIDBCC2, 4);
2259 cardSTATE = MFEMUL_WORK;
2260 LED_B_ON();
0014cb46 2261 if (MF_DBGLEVEL >= 4) Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
8556b852
M
2262 break;
2263 }
0014cb46
M
2264
2265 // i guess there is a command). go into the work state.
2266 if (len != 4) break;
2267 cardSTATE = MFEMUL_WORK;
2268 goto lbWORK;
50193c1e
M
2269 }
2270 case MFEMUL_AUTH1:{
9ca155ba 2271 if (len == 8) {
51969283 2272 // --- crypto
9f693930
GY
2273 //rn_enc = bytes_to_num(receivedCmd, 4);
2274 //cardRn = rn_enc ^ crypto1_word(pcs, rn_enc , 1);
51969283
M
2275 cardRr = bytes_to_num(&receivedCmd[4], 4) ^ crypto1_word(pcs, 0, 0);
2276 // test if auth OK
2277 if (cardRr != prng_successor(nonce, 64)){
0014cb46
M
2278 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED. cardRr=%08x, succ=%08x", cardRr, prng_successor(nonce, 64));
2279 cardSTATE_TO_IDLE();
51969283
M
2280 break;
2281 }
2282 ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
2283 num_to_bytes(ans, 4, rAUTH_AT);
2284 // --- crypto
2285 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
0a39986e
M
2286 cardSTATE = MFEMUL_AUTH2;
2287 } else {
0014cb46 2288 cardSTATE_TO_IDLE();
9ca155ba 2289 }
0a39986e 2290 if (cardSTATE != MFEMUL_AUTH2) break;
50193c1e
M
2291 }
2292 case MFEMUL_AUTH2:{
9ca155ba 2293 LED_C_ON();
0a39986e 2294 cardSTATE = MFEMUL_WORK;
0014cb46 2295 if (MF_DBGLEVEL >= 4) Dbprintf("AUTH COMPLETED. sec=%d, key=%d time=%d", cardAUTHSC, cardAUTHKEY, GetTickCount() - authTimer);
50193c1e
M
2296 break;
2297 }
9ca155ba 2298 case MFEMUL_WORK:{
0014cb46 2299lbWORK: if (len == 0) break;
0a39986e 2300
51969283
M
2301 if (cardAUTHKEY == 0xff) {
2302 // first authentication
2303 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2304 authTimer = GetTickCount();
2305
2306 cardAUTHSC = receivedCmd[1] / 4; // received block num
2307 cardAUTHKEY = receivedCmd[0] - 0x60;
2308
2309 // --- crypto
2310 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2311 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2312 num_to_bytes(nonce, 4, rAUTH_AT);
2313 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2314 // --- crypto
2315
2316// last working revision
2317// EmSendCmd14443aRaw(resp1, resp1Len, 0);
2318// LogTrace(NULL, 0, GetDeltaCountUS(), 0, true);
2319
2320 cardSTATE = MFEMUL_AUTH1;
9f693930 2321 //nextCycleTimeout = 10;
51969283
M
2322 break;
2323 }
2324 } else {
2325 // decrypt seqence
2326 mf_crypto1_decrypt(pcs, receivedCmd, len);
2327
2328 // nested authentication
2329 if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
2330 authTimer = GetTickCount();
2331
2332 cardAUTHSC = receivedCmd[1] / 4; // received block num
2333 cardAUTHKEY = receivedCmd[0] - 0x60;
2334
2335 // --- crypto
2336 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
2337 ans = nonce ^ crypto1_word(pcs, cuid ^ nonce, 0);
2338 num_to_bytes(ans, 4, rAUTH_AT);
2339 EmSendCmd(rAUTH_AT, sizeof(rAUTH_AT));
2340 // --- crypto
2341
2342 cardSTATE = MFEMUL_AUTH1;
9f693930 2343 //nextCycleTimeout = 10;
51969283
M
2344 break;
2345 }
2346 }
0a39986e 2347
8f51ddb0
M
2348 // rule 13 of 7.5.3. in ISO 14443-4. chaining shall be continued
2349 // BUT... ACK --> NACK
2350 if (len == 1 && receivedCmd[0] == CARD_ACK) {
2351 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2352 break;
2353 }
2354
2355 // rule 12 of 7.5.3. in ISO 14443-4. R(NAK) --> R(ACK)
2356 if (len == 1 && receivedCmd[0] == CARD_NACK_NA) {
2357 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2358 break;
0a39986e
M
2359 }
2360
2361 // read block
2362 if (len == 4 && receivedCmd[0] == 0x30) {
51969283 2363 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2364 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2365 break;
2366 }
2367 emlGetMem(response, receivedCmd[1], 1);
2368 AppendCrc14443a(response, 16);
2369 mf_crypto1_encrypt(pcs, response, 18, &par);
2370 EmSendCmdPar(response, 18, par);
0a39986e
M
2371 break;
2372 }
2373
2374 // write block
2375 if (len == 4 && receivedCmd[0] == 0xA0) {
51969283 2376 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
8f51ddb0
M
2377 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2378 break;
2379 }
2380 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
9f693930 2381 //nextCycleTimeout = 50;
8f51ddb0
M
2382 cardSTATE = MFEMUL_WRITEBL2;
2383 cardWRBL = receivedCmd[1];
0a39986e 2384 break;
9ca155ba 2385 }
8f51ddb0 2386
0014cb46
M
2387 // works with cardINTREG
2388
2389 // increment, decrement, restore
2390 if (len == 4 && (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2)) {
2391 if (receivedCmd[1] >= 16 * 4 ||
2392 receivedCmd[1] / 4 != cardAUTHSC ||
2393 emlCheckValBl(receivedCmd[1])) {
2394 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2395 break;
2396 }
2397 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2398 if (receivedCmd[0] == 0xC1)
2399 cardSTATE = MFEMUL_INTREG_INC;
2400 if (receivedCmd[0] == 0xC0)
2401 cardSTATE = MFEMUL_INTREG_DEC;
2402 if (receivedCmd[0] == 0xC2)
2403 cardSTATE = MFEMUL_INTREG_REST;
2404 cardWRBL = receivedCmd[1];
2405
2406 break;
2407 }
2408
2409
2410 // transfer
2411 if (len == 4 && receivedCmd[0] == 0xB0) {
2412 if (receivedCmd[1] >= 16 * 4 || receivedCmd[1] / 4 != cardAUTHSC) {
2413 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2414 break;
2415 }
2416
2417 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd[1]))
2418 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2419 else
2420 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2421
2422 break;
2423 }
2424
9ca155ba 2425 // halt
0a39986e 2426 if (len == 4 && (receivedCmd[0] == 0x50 && receivedCmd[1] == 0x00)) {
9ca155ba 2427 LED_B_OFF();
0a39986e 2428 LED_C_OFF();
0014cb46
M
2429 cardSTATE = MFEMUL_HALTED;
2430 if (MF_DBGLEVEL >= 4) Dbprintf("--> HALTED. Selected time: %d ms", GetTickCount() - selTimer);
0a39986e 2431 break;
9ca155ba 2432 }
51969283 2433
8f51ddb0
M
2434 // command not allowed
2435 if (len == 4) {
2436 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2437 break;
2438 }
51969283
M
2439
2440 // case break
2441 break;
8f51ddb0
M
2442 }
2443 case MFEMUL_WRITEBL2:{
2444 if (len == 18){
2445 mf_crypto1_decrypt(pcs, receivedCmd, len);
2446 emlSetMem(receivedCmd, cardWRBL, 1);
2447 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
2448 cardSTATE = MFEMUL_WORK;
2449 break;
51969283 2450 } else {
0014cb46 2451 cardSTATE_TO_IDLE();
51969283 2452 break;
8f51ddb0 2453 }
8f51ddb0 2454 break;
50193c1e 2455 }
0014cb46
M
2456
2457 case MFEMUL_INTREG_INC:{
2458 mf_crypto1_decrypt(pcs, receivedCmd, len);
2459 memcpy(&ans, receivedCmd, 4);
2460 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2461 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2462 cardSTATE_TO_IDLE();
2463 break;
2464 }
2465 cardINTREG = cardINTREG + ans;
2466 cardSTATE = MFEMUL_WORK;
2467 break;
2468 }
2469 case MFEMUL_INTREG_DEC:{
2470 mf_crypto1_decrypt(pcs, receivedCmd, len);
2471 memcpy(&ans, receivedCmd, 4);
2472 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2473 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2474 cardSTATE_TO_IDLE();
2475 break;
2476 }
2477 cardINTREG = cardINTREG - ans;
2478 cardSTATE = MFEMUL_WORK;
2479 break;
2480 }
2481 case MFEMUL_INTREG_REST:{
2482 mf_crypto1_decrypt(pcs, receivedCmd, len);
2483 memcpy(&ans, receivedCmd, 4);
2484 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
2485 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
2486 cardSTATE_TO_IDLE();
2487 break;
2488 }
2489 cardSTATE = MFEMUL_WORK;
2490 break;
2491 }
50193c1e 2492 }
50193c1e
M
2493 }
2494
9ca155ba
M
2495 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
2496 LEDsoff();
2497
0a39986e 2498 // add trace trailer
8f51ddb0 2499 memset(rAUTH_NT, 0x44, 4);
0a39986e
M
2500 LogTrace(rAUTH_NT, 4, 0, 0, TRUE);
2501
0014cb46 2502 if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, traceLen);
15c4dc5a 2503}
b62a5a84
M
2504
2505//-----------------------------------------------------------------------------
2506// MIFARE sniffer.
2507//
2508//-----------------------------------------------------------------------------
5cd9ec01
M
2509void RAMFUNC SniffMifare(uint8_t param) {
2510 // param:
2511 // bit 0 - trigger from first card answer
2512 // bit 1 - trigger from first reader 7-bit request
39864b0b
M
2513
2514 // C(red) A(yellow) B(green)
b62a5a84
M
2515 LEDsoff();
2516 // init trace buffer
d19929cb 2517 iso14a_clear_trace();
b62a5a84 2518
b62a5a84
M
2519 // The command (reader -> tag) that we're receiving.
2520 // The length of a received command will in most cases be no more than 18 bytes.
2521 // So 32 should be enough!
2522 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
2523 // The response (tag -> reader) that we're receiving.
2524 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
2525
2526 // As we receive stuff, we copy it from receivedCmd or receivedResponse
2527 // into trace, along with its length and other annotations.
2528 //uint8_t *trace = (uint8_t *)BigBuf;
2529
2530 // The DMA buffer, used to stream samples from the FPGA
2531 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
5cd9ec01
M
2532 int8_t *data = dmaBuf;
2533 int maxDataLen = 0;
2534 int dataLen = 0;
b62a5a84
M
2535
2536 // Set up the demodulator for tag -> reader responses.
2537 Demod.output = receivedResponse;
2538 Demod.len = 0;
2539 Demod.state = DEMOD_UNSYNCD;
2540
2541 // Set up the demodulator for the reader -> tag commands
2542 memset(&Uart, 0, sizeof(Uart));
2543 Uart.output = receivedCmd;
2544 Uart.byteCntMax = 32; // was 100 (greg)//////////////////
2545 Uart.state = STATE_UNSYNCD;
2546
2547 // Setup for the DMA.
2548 FpgaSetupSsc();
b62a5a84
M
2549 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
2550
2551 // And put the FPGA in the appropriate mode
2552 // Signal field is off with the appropriate LED
2553 LED_D_OFF();
2554 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
2555 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
39864b0b
M
2556
2557 // init sniffer
2558 MfSniffInit();
2559 int sniffCounter = 0;
b62a5a84 2560
b62a5a84
M
2561 // And now we loop, receiving samples.
2562 while(true) {
5cd9ec01
M
2563 if(BUTTON_PRESS()) {
2564 DbpString("cancelled by button");
2565 goto done;
2566 }
2567
b62a5a84
M
2568 LED_A_ON();
2569 WDT_HIT();
39864b0b
M
2570
2571 if (++sniffCounter > 65) {
2572 if (MfSniffSend(2000)) {
55acbb2a 2573 FpgaEnableSscDma();
39864b0b
M
2574 }
2575 sniffCounter = 0;
2576 }
5cd9ec01
M
2577
2578 int register readBufDataP = data - dmaBuf;
2579 int register dmaBufDataP = DMA_BUFFER_SIZE - AT91C_BASE_PDC_SSC->PDC_RCR;
2580 if (readBufDataP <= dmaBufDataP){
2581 dataLen = dmaBufDataP - readBufDataP;
2582 } else {
2583 dataLen = DMA_BUFFER_SIZE - readBufDataP + dmaBufDataP + 1;
2584 }
2585 // test for length of buffer
2586 if(dataLen > maxDataLen) {
2587 maxDataLen = dataLen;
2588 if(dataLen > 400) {
2589 Dbprintf("blew circular buffer! dataLen=0x%x", dataLen);
b62a5a84
M
2590 goto done;
2591 }
2592 }
5cd9ec01 2593 if(dataLen < 1) continue;
b62a5a84 2594
5cd9ec01
M
2595 // primary buffer was stopped( <-- we lost data!
2596 if (!AT91C_BASE_PDC_SSC->PDC_RCR) {
2597 AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) dmaBuf;
2598 AT91C_BASE_PDC_SSC->PDC_RCR = DMA_BUFFER_SIZE;
55acbb2a 2599 Dbprintf("RxEmpty ERROR!!! data length:%d", dataLen); // temporary
5cd9ec01
M
2600 }
2601 // secondary buffer sets as primary, secondary buffer was stopped
2602 if (!AT91C_BASE_PDC_SSC->PDC_RNCR) {
2603 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf;
b62a5a84
M
2604 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
2605 }
5cd9ec01
M
2606
2607 LED_A_OFF();
b62a5a84 2608
5cd9ec01 2609 if(MillerDecoding((data[0] & 0xF0) >> 4)) {
39864b0b 2610 LED_C_INV();
5cd9ec01 2611 // check - if there is a short 7bit request from reader
71d90e54 2612 if (MfSniffLogic(receivedCmd, Uart.byteCnt, Uart.parityBits, Uart.bitCnt, TRUE)) break;
5cd9ec01 2613
b62a5a84
M
2614 /* And ready to receive another command. */
2615 Uart.state = STATE_UNSYNCD;
39864b0b
M
2616
2617 /* And also reset the demod code */
b62a5a84 2618 Demod.state = DEMOD_UNSYNCD;
b62a5a84
M
2619 }
2620
5cd9ec01 2621 if(ManchesterDecoding(data[0] & 0x0F)) {
39864b0b 2622 LED_C_INV();
b62a5a84 2623
71d90e54 2624 if (MfSniffLogic(receivedResponse, Demod.len, Demod.parityBits, Demod.bitCount, FALSE)) break;
b62a5a84
M
2625
2626 // And ready to receive another response.
2627 memset(&Demod, 0, sizeof(Demod));
2628 Demod.output = receivedResponse;
2629 Demod.state = DEMOD_UNSYNCD;
39864b0b
M
2630
2631 /* And also reset the uart code */
2632 Uart.state = STATE_UNSYNCD;
b62a5a84
M
2633 }
2634
5cd9ec01
M
2635 data++;
2636 if(data > dmaBuf + DMA_BUFFER_SIZE) {
2637 data = dmaBuf;
b62a5a84
M
2638 }
2639 } // main cycle
2640
2641 DbpString("COMMAND FINISHED");
2642
2643done:
55acbb2a 2644 FpgaDisableSscDma();
39864b0b
M
2645 MfSniffEnd();
2646
55acbb2a 2647 Dbprintf("maxDataLen=%x, Uart.state=%x, Uart.byteCnt=%x Uart.byteCntMax=%x", maxDataLen, Uart.state, Uart.byteCnt, Uart.byteCntMax);
b62a5a84 2648 LEDsoff();
3803d529 2649}
Impressum, Datenschutz