]> git.zerfleddert.de Git - proxmark3-svn/blame - armsrc/iso14443a.c
setting svn:eol-style=native on files, part 1
[proxmark3-svn] / armsrc / iso14443a.c
CommitLineData
15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Gerhard de Koning Gans - May 2008
bd20f8f4 3//
4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
15c4dc5a 7//-----------------------------------------------------------------------------
bd20f8f4 8// Routines to support ISO 14443 type A.
9//-----------------------------------------------------------------------------
10
e30c654b 11#include "proxmark3.h"
15c4dc5a 12#include "apps.h"
f7e3ed82 13#include "util.h"
9ab7a6c7 14#include "string.h"
15
15c4dc5a 16#include "iso14443crc.h"
17
f7e3ed82 18static uint8_t *trace = (uint8_t *) BigBuf;
15c4dc5a 19static int traceLen = 0;
20static int rsamples = 0;
f7e3ed82 21static int tracing = TRUE;
15c4dc5a 22
23typedef enum {
24 SEC_D = 1,
25 SEC_E = 2,
26 SEC_F = 3,
27 SEC_X = 4,
28 SEC_Y = 5,
29 SEC_Z = 6
30} SecType;
31
f7e3ed82 32static const uint8_t OddByteParity[256] = {
15c4dc5a 33 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
34 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
35 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
36 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
37 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
38 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
39 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
40 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
41 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
42 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
43 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
44 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
45 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
46 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
47 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
48 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
49};
50
51// BIG CHANGE - UNDERSTAND THIS BEFORE WE COMMIT
52#define RECV_CMD_OFFSET 3032
53#define RECV_RES_OFFSET 3096
54#define DMA_BUFFER_OFFSET 3160
55#define DMA_BUFFER_SIZE 4096
56#define TRACE_LENGTH 3000
57
58//-----------------------------------------------------------------------------
59// Generate the parity value for a byte sequence
e30c654b 60//
15c4dc5a 61//-----------------------------------------------------------------------------
f7e3ed82 62uint32_t GetParity(const uint8_t * pbtCmd, int iLen)
15c4dc5a 63{
64 int i;
f7e3ed82 65 uint32_t dwPar = 0;
e30c654b 66
15c4dc5a 67 // Generate the encrypted data
68 for (i = 0; i < iLen; i++) {
69 // Save the encrypted parity bit
70 dwPar |= ((OddByteParity[pbtCmd[i]]) << i);
71 }
72 return dwPar;
73}
74
f7e3ed82 75static void AppendCrc14443a(uint8_t* data, int len)
15c4dc5a 76{
77 ComputeCrc14443(CRC_14443_A,data,len,data+len,data+len+1);
78}
79
f7e3ed82 80int LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader)
15c4dc5a 81{
82 // Return when trace is full
83 if (traceLen >= TRACE_LENGTH) return FALSE;
e30c654b 84
15c4dc5a 85 // Trace the random, i'm curious
86 rsamples += iSamples;
87 trace[traceLen++] = ((rsamples >> 0) & 0xff);
88 trace[traceLen++] = ((rsamples >> 8) & 0xff);
89 trace[traceLen++] = ((rsamples >> 16) & 0xff);
90 trace[traceLen++] = ((rsamples >> 24) & 0xff);
91 if (!bReader) {
92 trace[traceLen - 1] |= 0x80;
93 }
94 trace[traceLen++] = ((dwParity >> 0) & 0xff);
95 trace[traceLen++] = ((dwParity >> 8) & 0xff);
96 trace[traceLen++] = ((dwParity >> 16) & 0xff);
97 trace[traceLen++] = ((dwParity >> 24) & 0xff);
98 trace[traceLen++] = iLen;
99 memcpy(trace + traceLen, btBytes, iLen);
100 traceLen += iLen;
101 return TRUE;
102}
103
f7e3ed82 104int LogTraceInfo(byte_t* data, size_t len)
15c4dc5a 105{
106 return LogTrace(data,len,0,GetParity(data,len),TRUE);
107}
108
109//-----------------------------------------------------------------------------
110// The software UART that receives commands from the reader, and its state
111// variables.
112//-----------------------------------------------------------------------------
113static struct {
114 enum {
115 STATE_UNSYNCD,
116 STATE_START_OF_COMMUNICATION,
117 STATE_MILLER_X,
118 STATE_MILLER_Y,
119 STATE_MILLER_Z,
120 STATE_ERROR_WAIT
121 } state;
f7e3ed82 122 uint16_t shiftReg;
15c4dc5a 123 int bitCnt;
124 int byteCnt;
125 int byteCntMax;
126 int posCnt;
127 int syncBit;
128 int parityBits;
129 int samples;
130 int highCnt;
131 int bitBuffer;
132 enum {
133 DROP_NONE,
134 DROP_FIRST_HALF,
135 DROP_SECOND_HALF
136 } drop;
f7e3ed82 137 uint8_t *output;
15c4dc5a 138} Uart;
139
f7e3ed82 140static int MillerDecoding(int bit)
15c4dc5a 141{
142 int error = 0;
143 int bitright;
144
145 if(!Uart.bitBuffer) {
146 Uart.bitBuffer = bit ^ 0xFF0;
147 return FALSE;
148 }
149 else {
150 Uart.bitBuffer <<= 4;
151 Uart.bitBuffer ^= bit;
152 }
153
f7e3ed82 154 int EOC = FALSE;
15c4dc5a 155
156 if(Uart.state != STATE_UNSYNCD) {
157 Uart.posCnt++;
158
159 if((Uart.bitBuffer & Uart.syncBit) ^ Uart.syncBit) {
160 bit = 0x00;
161 }
162 else {
163 bit = 0x01;
164 }
165 if(((Uart.bitBuffer << 1) & Uart.syncBit) ^ Uart.syncBit) {
166 bitright = 0x00;
167 }
168 else {
169 bitright = 0x01;
170 }
171 if(bit != bitright) { bit = bitright; }
172
173 if(Uart.posCnt == 1) {
174 // measurement first half bitperiod
175 if(!bit) {
176 Uart.drop = DROP_FIRST_HALF;
177 }
178 }
179 else {
180 // measurement second half bitperiod
181 if(!bit & (Uart.drop == DROP_NONE)) {
182 Uart.drop = DROP_SECOND_HALF;
183 }
184 else if(!bit) {
185 // measured a drop in first and second half
186 // which should not be possible
187 Uart.state = STATE_ERROR_WAIT;
188 error = 0x01;
189 }
190
191 Uart.posCnt = 0;
192
193 switch(Uart.state) {
194 case STATE_START_OF_COMMUNICATION:
195 Uart.shiftReg = 0;
196 if(Uart.drop == DROP_SECOND_HALF) {
197 // error, should not happen in SOC
198 Uart.state = STATE_ERROR_WAIT;
199 error = 0x02;
200 }
201 else {
202 // correct SOC
203 Uart.state = STATE_MILLER_Z;
204 }
205 break;
206
207 case STATE_MILLER_Z:
208 Uart.bitCnt++;
209 Uart.shiftReg >>= 1;
210 if(Uart.drop == DROP_NONE) {
211 // logic '0' followed by sequence Y
212 // end of communication
213 Uart.state = STATE_UNSYNCD;
214 EOC = TRUE;
215 }
216 // if(Uart.drop == DROP_FIRST_HALF) {
217 // Uart.state = STATE_MILLER_Z; stay the same
218 // we see a logic '0' }
219 if(Uart.drop == DROP_SECOND_HALF) {
220 // we see a logic '1'
221 Uart.shiftReg |= 0x100;
222 Uart.state = STATE_MILLER_X;
223 }
224 break;
225
226 case STATE_MILLER_X:
227 Uart.shiftReg >>= 1;
228 if(Uart.drop == DROP_NONE) {
229 // sequence Y, we see a '0'
230 Uart.state = STATE_MILLER_Y;
231 Uart.bitCnt++;
232 }
233 if(Uart.drop == DROP_FIRST_HALF) {
234 // Would be STATE_MILLER_Z
235 // but Z does not follow X, so error
236 Uart.state = STATE_ERROR_WAIT;
237 error = 0x03;
238 }
239 if(Uart.drop == DROP_SECOND_HALF) {
240 // We see a '1' and stay in state X
241 Uart.shiftReg |= 0x100;
242 Uart.bitCnt++;
243 }
244 break;
245
246 case STATE_MILLER_Y:
247 Uart.bitCnt++;
248 Uart.shiftReg >>= 1;
249 if(Uart.drop == DROP_NONE) {
250 // logic '0' followed by sequence Y
251 // end of communication
252 Uart.state = STATE_UNSYNCD;
253 EOC = TRUE;
254 }
255 if(Uart.drop == DROP_FIRST_HALF) {
256 // we see a '0'
257 Uart.state = STATE_MILLER_Z;
258 }
259 if(Uart.drop == DROP_SECOND_HALF) {
260 // We see a '1' and go to state X
261 Uart.shiftReg |= 0x100;
262 Uart.state = STATE_MILLER_X;
263 }
264 break;
265
266 case STATE_ERROR_WAIT:
267 // That went wrong. Now wait for at least two bit periods
268 // and try to sync again
269 if(Uart.drop == DROP_NONE) {
270 Uart.highCnt = 6;
271 Uart.state = STATE_UNSYNCD;
272 }
273 break;
274
275 default:
276 Uart.state = STATE_UNSYNCD;
277 Uart.highCnt = 0;
278 break;
279 }
280
281 Uart.drop = DROP_NONE;
282
283 // should have received at least one whole byte...
284 if((Uart.bitCnt == 2) && EOC && (Uart.byteCnt > 0)) {
285 return TRUE;
286 }
287
288 if(Uart.bitCnt == 9) {
289 Uart.output[Uart.byteCnt] = (Uart.shiftReg & 0xff);
290 Uart.byteCnt++;
291
292 Uart.parityBits <<= 1;
293 Uart.parityBits ^= ((Uart.shiftReg >> 8) & 0x01);
294
295 if(EOC) {
296 // when End of Communication received and
297 // all data bits processed..
298 return TRUE;
299 }
300 Uart.bitCnt = 0;
301 }
302
303 /*if(error) {
304 Uart.output[Uart.byteCnt] = 0xAA;
305 Uart.byteCnt++;
306 Uart.output[Uart.byteCnt] = error & 0xFF;
307 Uart.byteCnt++;
308 Uart.output[Uart.byteCnt] = 0xAA;
309 Uart.byteCnt++;
310 Uart.output[Uart.byteCnt] = (Uart.bitBuffer >> 8) & 0xFF;
311 Uart.byteCnt++;
312 Uart.output[Uart.byteCnt] = Uart.bitBuffer & 0xFF;
313 Uart.byteCnt++;
314 Uart.output[Uart.byteCnt] = (Uart.syncBit >> 3) & 0xFF;
315 Uart.byteCnt++;
316 Uart.output[Uart.byteCnt] = 0xAA;
317 Uart.byteCnt++;
318 return TRUE;
319 }*/
320 }
321
322 }
323 else {
324 bit = Uart.bitBuffer & 0xf0;
325 bit >>= 4;
326 bit ^= 0x0F;
327 if(bit) {
328 // should have been high or at least (4 * 128) / fc
329 // according to ISO this should be at least (9 * 128 + 20) / fc
330 if(Uart.highCnt == 8) {
331 // we went low, so this could be start of communication
332 // it turns out to be safer to choose a less significant
333 // syncbit... so we check whether the neighbour also represents the drop
334 Uart.posCnt = 1; // apparently we are busy with our first half bit period
335 Uart.syncBit = bit & 8;
336 Uart.samples = 3;
337 if(!Uart.syncBit) { Uart.syncBit = bit & 4; Uart.samples = 2; }
338 else if(bit & 4) { Uart.syncBit = bit & 4; Uart.samples = 2; bit <<= 2; }
339 if(!Uart.syncBit) { Uart.syncBit = bit & 2; Uart.samples = 1; }
340 else if(bit & 2) { Uart.syncBit = bit & 2; Uart.samples = 1; bit <<= 1; }
341 if(!Uart.syncBit) { Uart.syncBit = bit & 1; Uart.samples = 0;
342 if(Uart.syncBit & (Uart.bitBuffer & 8)) {
343 Uart.syncBit = 8;
344
345 // the first half bit period is expected in next sample
346 Uart.posCnt = 0;
347 Uart.samples = 3;
348 }
349 }
350 else if(bit & 1) { Uart.syncBit = bit & 1; Uart.samples = 0; }
351
352 Uart.syncBit <<= 4;
353 Uart.state = STATE_START_OF_COMMUNICATION;
354 Uart.drop = DROP_FIRST_HALF;
355 Uart.bitCnt = 0;
356 Uart.byteCnt = 0;
357 Uart.parityBits = 0;
358 error = 0;
359 }
360 else {
361 Uart.highCnt = 0;
362 }
363 }
364 else {
365 if(Uart.highCnt < 8) {
366 Uart.highCnt++;
367 }
368 }
369 }
370
371 return FALSE;
372}
373
374//=============================================================================
375// ISO 14443 Type A - Manchester
376//=============================================================================
377
378static struct {
379 enum {
380 DEMOD_UNSYNCD,
381 DEMOD_START_OF_COMMUNICATION,
382 DEMOD_MANCHESTER_D,
383 DEMOD_MANCHESTER_E,
384 DEMOD_MANCHESTER_F,
385 DEMOD_ERROR_WAIT
386 } state;
387 int bitCount;
388 int posCount;
389 int syncBit;
390 int parityBits;
f7e3ed82 391 uint16_t shiftReg;
15c4dc5a 392 int buffer;
393 int buff;
394 int samples;
395 int len;
396 enum {
397 SUB_NONE,
398 SUB_FIRST_HALF,
399 SUB_SECOND_HALF
400 } sub;
f7e3ed82 401 uint8_t *output;
15c4dc5a 402} Demod;
403
f7e3ed82 404static int ManchesterDecoding(int v)
15c4dc5a 405{
406 int bit;
407 int modulation;
408 int error = 0;
409
410 if(!Demod.buff) {
411 Demod.buff = 1;
412 Demod.buffer = v;
413 return FALSE;
414 }
415 else {
416 bit = Demod.buffer;
417 Demod.buffer = v;
418 }
419
420 if(Demod.state==DEMOD_UNSYNCD) {
421 Demod.output[Demod.len] = 0xfa;
422 Demod.syncBit = 0;
423 //Demod.samples = 0;
424 Demod.posCount = 1; // This is the first half bit period, so after syncing handle the second part
425 if(bit & 0x08) { Demod.syncBit = 0x08; }
426 if(!Demod.syncBit) {
427 if(bit & 0x04) { Demod.syncBit = 0x04; }
428 }
429 else if(bit & 0x04) { Demod.syncBit = 0x04; bit <<= 4; }
430 if(!Demod.syncBit) {
431 if(bit & 0x02) { Demod.syncBit = 0x02; }
432 }
433 else if(bit & 0x02) { Demod.syncBit = 0x02; bit <<= 4; }
434 if(!Demod.syncBit) {
435 if(bit & 0x01) { Demod.syncBit = 0x01; }
436
437 if(Demod.syncBit & (Demod.buffer & 0x08)) {
438 Demod.syncBit = 0x08;
439
440 // The first half bitperiod is expected in next sample
441 Demod.posCount = 0;
442 Demod.output[Demod.len] = 0xfb;
443 }
444 }
445 else if(bit & 0x01) { Demod.syncBit = 0x01; }
446
447 if(Demod.syncBit) {
448 Demod.len = 0;
449 Demod.state = DEMOD_START_OF_COMMUNICATION;
450 Demod.sub = SUB_FIRST_HALF;
451 Demod.bitCount = 0;
452 Demod.shiftReg = 0;
453 Demod.parityBits = 0;
454 Demod.samples = 0;
455 if(Demod.posCount) {
456 switch(Demod.syncBit) {
457 case 0x08: Demod.samples = 3; break;
458 case 0x04: Demod.samples = 2; break;
459 case 0x02: Demod.samples = 1; break;
460 case 0x01: Demod.samples = 0; break;
461 }
462 }
463 error = 0;
464 }
465 }
466 else {
467 //modulation = bit & Demod.syncBit;
468 modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
469
470 Demod.samples += 4;
471
472 if(Demod.posCount==0) {
473 Demod.posCount = 1;
474 if(modulation) {
475 Demod.sub = SUB_FIRST_HALF;
476 }
477 else {
478 Demod.sub = SUB_NONE;
479 }
480 }
481 else {
482 Demod.posCount = 0;
483 if(modulation && (Demod.sub == SUB_FIRST_HALF)) {
484 if(Demod.state!=DEMOD_ERROR_WAIT) {
485 Demod.state = DEMOD_ERROR_WAIT;
486 Demod.output[Demod.len] = 0xaa;
487 error = 0x01;
488 }
489 }
490 else if(modulation) {
491 Demod.sub = SUB_SECOND_HALF;
492 }
493
494 switch(Demod.state) {
495 case DEMOD_START_OF_COMMUNICATION:
496 if(Demod.sub == SUB_FIRST_HALF) {
497 Demod.state = DEMOD_MANCHESTER_D;
498 }
499 else {
500 Demod.output[Demod.len] = 0xab;
501 Demod.state = DEMOD_ERROR_WAIT;
502 error = 0x02;
503 }
504 break;
505
506 case DEMOD_MANCHESTER_D:
507 case DEMOD_MANCHESTER_E:
508 if(Demod.sub == SUB_FIRST_HALF) {
509 Demod.bitCount++;
510 Demod.shiftReg = (Demod.shiftReg >> 1) ^ 0x100;
511 Demod.state = DEMOD_MANCHESTER_D;
512 }
513 else if(Demod.sub == SUB_SECOND_HALF) {
514 Demod.bitCount++;
515 Demod.shiftReg >>= 1;
516 Demod.state = DEMOD_MANCHESTER_E;
517 }
518 else {
519 Demod.state = DEMOD_MANCHESTER_F;
520 }
521 break;
522
523 case DEMOD_MANCHESTER_F:
524 // Tag response does not need to be a complete byte!
525 if(Demod.len > 0 || Demod.bitCount > 0) {
526 if(Demod.bitCount > 0) {
527 Demod.shiftReg >>= (9 - Demod.bitCount);
528 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
529 Demod.len++;
530 // No parity bit, so just shift a 0
531 Demod.parityBits <<= 1;
532 }
533
534 Demod.state = DEMOD_UNSYNCD;
535 return TRUE;
536 }
537 else {
538 Demod.output[Demod.len] = 0xad;
539 Demod.state = DEMOD_ERROR_WAIT;
540 error = 0x03;
541 }
542 break;
543
544 case DEMOD_ERROR_WAIT:
545 Demod.state = DEMOD_UNSYNCD;
546 break;
547
548 default:
549 Demod.output[Demod.len] = 0xdd;
550 Demod.state = DEMOD_UNSYNCD;
551 break;
552 }
553
554 if(Demod.bitCount>=9) {
555 Demod.output[Demod.len] = Demod.shiftReg & 0xff;
556 Demod.len++;
557
558 Demod.parityBits <<= 1;
559 Demod.parityBits ^= ((Demod.shiftReg >> 8) & 0x01);
560
561 Demod.bitCount = 0;
562 Demod.shiftReg = 0;
563 }
564
565 /*if(error) {
566 Demod.output[Demod.len] = 0xBB;
567 Demod.len++;
568 Demod.output[Demod.len] = error & 0xFF;
569 Demod.len++;
570 Demod.output[Demod.len] = 0xBB;
571 Demod.len++;
572 Demod.output[Demod.len] = bit & 0xFF;
573 Demod.len++;
574 Demod.output[Demod.len] = Demod.buffer & 0xFF;
575 Demod.len++;
576 Demod.output[Demod.len] = Demod.syncBit & 0xFF;
577 Demod.len++;
578 Demod.output[Demod.len] = 0xBB;
579 Demod.len++;
580 return TRUE;
581 }*/
582
583 }
584
585 } // end (state != UNSYNCED)
586
587 return FALSE;
588}
589
590//=============================================================================
591// Finally, a `sniffer' for ISO 14443 Type A
592// Both sides of communication!
593//=============================================================================
594
595//-----------------------------------------------------------------------------
596// Record the sequence of commands sent by the reader to the tag, with
597// triggering so that we start recording at the point that the tag is moved
598// near the reader.
599//-----------------------------------------------------------------------------
600void SnoopIso14443a(void)
601{
602// #define RECV_CMD_OFFSET 2032 // original (working as of 21/2/09) values
603// #define RECV_RES_OFFSET 2096 // original (working as of 21/2/09) values
604// #define DMA_BUFFER_OFFSET 2160 // original (working as of 21/2/09) values
605// #define DMA_BUFFER_SIZE 4096 // original (working as of 21/2/09) values
606// #define TRACE_LENGTH 2000 // original (working as of 21/2/09) values
607
608 // We won't start recording the frames that we acquire until we trigger;
609 // a good trigger condition to get started is probably when we see a
610 // response from the tag.
f7e3ed82 611 int triggered = TRUE; // FALSE to wait first for card
15c4dc5a 612
613 // The command (reader -> tag) that we're receiving.
614 // The length of a received command will in most cases be no more than 18 bytes.
615 // So 32 should be enough!
f7e3ed82 616 uint8_t *receivedCmd = (((uint8_t *)BigBuf) + RECV_CMD_OFFSET);
15c4dc5a 617 // The response (tag -> reader) that we're receiving.
f7e3ed82 618 uint8_t *receivedResponse = (((uint8_t *)BigBuf) + RECV_RES_OFFSET);
15c4dc5a 619
620 // As we receive stuff, we copy it from receivedCmd or receivedResponse
621 // into trace, along with its length and other annotations.
f7e3ed82 622 //uint8_t *trace = (uint8_t *)BigBuf;
15c4dc5a 623 //int traceLen = 0;
624
625 // The DMA buffer, used to stream samples from the FPGA
f7e3ed82 626 int8_t *dmaBuf = ((int8_t *)BigBuf) + DMA_BUFFER_OFFSET;
15c4dc5a 627 int lastRxCounter;
f7e3ed82 628 int8_t *upTo;
15c4dc5a 629 int smpl;
630 int maxBehindBy = 0;
631
632 // Count of samples received so far, so that we can include timing
633 // information in the trace buffer.
634 int samples = 0;
635 int rsamples = 0;
636
637 memset(trace, 0x44, RECV_CMD_OFFSET);
638
639 // Set up the demodulator for tag -> reader responses.
640 Demod.output = receivedResponse;
641 Demod.len = 0;
642 Demod.state = DEMOD_UNSYNCD;
643
644 // And the reader -> tag commands
645 memset(&Uart, 0, sizeof(Uart));
646 Uart.output = receivedCmd;
647 Uart.byteCntMax = 32; // was 100 (greg)////////////////////////////////////////////////////////////////////////
648 Uart.state = STATE_UNSYNCD;
649
650 // And put the FPGA in the appropriate mode
651 // Signal field is off with the appropriate LED
652 LED_D_OFF();
653 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_SNIFFER);
654 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
655
656 // Setup for the DMA.
657 FpgaSetupSsc();
658 upTo = dmaBuf;
659 lastRxCounter = DMA_BUFFER_SIZE;
f7e3ed82 660 FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
15c4dc5a 661
662 LED_A_ON();
663
664 // And now we loop, receiving samples.
665 for(;;) {
666 WDT_HIT();
667 int behindBy = (lastRxCounter - AT91C_BASE_PDC_SSC->PDC_RCR) &
668 (DMA_BUFFER_SIZE-1);
669 if(behindBy > maxBehindBy) {
670 maxBehindBy = behindBy;
671 if(behindBy > 400) {
672 DbpString("blew circular buffer!");
673 goto done;
674 }
675 }
676 if(behindBy < 1) continue;
677
678 smpl = upTo[0];
679 upTo++;
680 lastRxCounter -= 1;
681 if(upTo - dmaBuf > DMA_BUFFER_SIZE) {
682 upTo -= DMA_BUFFER_SIZE;
683 lastRxCounter += DMA_BUFFER_SIZE;
f7e3ed82 684 AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) upTo;
15c4dc5a 685 AT91C_BASE_PDC_SSC->PDC_RNCR = DMA_BUFFER_SIZE;
686 }
687
688 samples += 4;
689#define HANDLE_BIT_IF_BODY \
690 LED_C_ON(); \
691 if(triggered) { \
692 trace[traceLen++] = ((rsamples >> 0) & 0xff); \
693 trace[traceLen++] = ((rsamples >> 8) & 0xff); \
694 trace[traceLen++] = ((rsamples >> 16) & 0xff); \
695 trace[traceLen++] = ((rsamples >> 24) & 0xff); \
696 trace[traceLen++] = ((Uart.parityBits >> 0) & 0xff); \
697 trace[traceLen++] = ((Uart.parityBits >> 8) & 0xff); \
698 trace[traceLen++] = ((Uart.parityBits >> 16) & 0xff); \
699 trace[traceLen++] = ((Uart.parityBits >> 24) & 0xff); \
700 trace[traceLen++] = Uart.byteCnt; \
701 memcpy(trace+traceLen, receivedCmd, Uart.byteCnt); \
702 traceLen += Uart.byteCnt; \
703 if(traceLen > TRACE_LENGTH) break; \
704 } \
705 /* And ready to receive another command. */ \
706 Uart.state = STATE_UNSYNCD; \
707 /* And also reset the demod code, which might have been */ \
708 /* false-triggered by the commands from the reader. */ \
709 Demod.state = DEMOD_UNSYNCD; \
710 LED_B_OFF(); \
711
712 if(MillerDecoding((smpl & 0xF0) >> 4)) {
713 rsamples = samples - Uart.samples;
714 HANDLE_BIT_IF_BODY
715 }
716 if(ManchesterDecoding(smpl & 0x0F)) {
717 rsamples = samples - Demod.samples;
718 LED_B_ON();
719
720 // timestamp, as a count of samples
721 trace[traceLen++] = ((rsamples >> 0) & 0xff);
722 trace[traceLen++] = ((rsamples >> 8) & 0xff);
723 trace[traceLen++] = ((rsamples >> 16) & 0xff);
724 trace[traceLen++] = 0x80 | ((rsamples >> 24) & 0xff);
725 trace[traceLen++] = ((Demod.parityBits >> 0) & 0xff);
726 trace[traceLen++] = ((Demod.parityBits >> 8) & 0xff);
727 trace[traceLen++] = ((Demod.parityBits >> 16) & 0xff);
728 trace[traceLen++] = ((Demod.parityBits >> 24) & 0xff);
729 // length
730 trace[traceLen++] = Demod.len;
731 memcpy(trace+traceLen, receivedResponse, Demod.len);
732 traceLen += Demod.len;
733 if(traceLen > TRACE_LENGTH) break;
734
735 triggered = TRUE;
736
737 // And ready to receive another response.
738 memset(&Demod, 0, sizeof(Demod));
739 Demod.output = receivedResponse;
740 Demod.state = DEMOD_UNSYNCD;
741 LED_C_OFF();
742 }
743
744 if(BUTTON_PRESS()) {
745 DbpString("cancelled_a");
746 goto done;
747 }
748 }
749
750 DbpString("COMMAND FINISHED");
751
752 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
753 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
754
755done:
756 AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS;
757 Dbprintf("%x %x %x", maxBehindBy, Uart.state, Uart.byteCnt);
758 Dbprintf("%x %x %x", Uart.byteCntMax, traceLen, (int)Uart.output[0]);
759 LED_A_OFF();
760 LED_B_OFF();
761 LED_C_OFF();
762 LED_D_OFF();
763}
764
765// Prepare communication bits to send to FPGA
766void Sequence(SecType seq)
767{
768 ToSendMax++;
769 switch(seq) {
770 // CARD TO READER
771 case SEC_D:
772 // Sequence D: 11110000
773 // modulation with subcarrier during first half
774 ToSend[ToSendMax] = 0xf0;
775 break;
776 case SEC_E:
777 // Sequence E: 00001111
778 // modulation with subcarrier during second half
779 ToSend[ToSendMax] = 0x0f;
780 break;
781 case SEC_F:
782 // Sequence F: 00000000
783 // no modulation with subcarrier
784 ToSend[ToSendMax] = 0x00;
785 break;
786 // READER TO CARD
787 case SEC_X:
788 // Sequence X: 00001100
789 // drop after half a period
790 ToSend[ToSendMax] = 0x0c;
791 break;
792 case SEC_Y:
793 default:
794 // Sequence Y: 00000000
795 // no drop
796 ToSend[ToSendMax] = 0x00;
797 break;
798 case SEC_Z:
799 // Sequence Z: 11000000
800 // drop at start
801 ToSend[ToSendMax] = 0xc0;
802 break;
803 }
804}
805
806//-----------------------------------------------------------------------------
807// Prepare tag messages
808//-----------------------------------------------------------------------------
f7e3ed82 809static void CodeIso14443aAsTag(const uint8_t *cmd, int len)
15c4dc5a 810{
811 int i;
812 int oddparity;
813
814 ToSendReset();
815
816 // Correction bit, might be removed when not needed
817 ToSendStuffBit(0);
818 ToSendStuffBit(0);
819 ToSendStuffBit(0);
820 ToSendStuffBit(0);
821 ToSendStuffBit(1); // 1
822 ToSendStuffBit(0);
823 ToSendStuffBit(0);
824 ToSendStuffBit(0);
825
826 // Send startbit
827 Sequence(SEC_D);
828
829 for(i = 0; i < len; i++) {
830 int j;
f7e3ed82 831 uint8_t b = cmd[i];
15c4dc5a 832
833 // Data bits
834 oddparity = 0x01;
835 for(j = 0; j < 8; j++) {
836 oddparity ^= (b & 1);
837 if(b & 1) {
838 Sequence(SEC_D);
839 } else {
840 Sequence(SEC_E);
841 }
842 b >>= 1;
843 }
844
845 // Parity bit
846 if(oddparity) {
847 Sequence(SEC_D);
848 } else {
849 Sequence(SEC_E);
850 }
851 }
852
853 // Send stopbit
854 Sequence(SEC_F);
855
856 // Flush the buffer in FPGA!!
857 for(i = 0; i < 5; i++) {
858 Sequence(SEC_F);
859 }
860
861 // Convert from last byte pos to length
862 ToSendMax++;
863
864 // Add a few more for slop
865 ToSend[ToSendMax++] = 0x00;
866 ToSend[ToSendMax++] = 0x00;
867 //ToSendMax += 2;
868}
869
870//-----------------------------------------------------------------------------
871// This is to send a NACK kind of answer, its only 3 bits, I know it should be 4
872//-----------------------------------------------------------------------------
873static void CodeStrangeAnswer()
874{
875 int i;
876
877 ToSendReset();
878
879 // Correction bit, might be removed when not needed
880 ToSendStuffBit(0);
881 ToSendStuffBit(0);
882 ToSendStuffBit(0);
883 ToSendStuffBit(0);
884 ToSendStuffBit(1); // 1
885 ToSendStuffBit(0);
886 ToSendStuffBit(0);
887 ToSendStuffBit(0);
888
889 // Send startbit
890 Sequence(SEC_D);
891
892 // 0
893 Sequence(SEC_E);
894
895 // 0
896 Sequence(SEC_E);
897
898 // 1
899 Sequence(SEC_D);
900
901 // Send stopbit
902 Sequence(SEC_F);
903
904 // Flush the buffer in FPGA!!
905 for(i = 0; i < 5; i++) {
906 Sequence(SEC_F);
907 }
908
909 // Convert from last byte pos to length
910 ToSendMax++;
911
912 // Add a few more for slop
913 ToSend[ToSendMax++] = 0x00;
914 ToSend[ToSendMax++] = 0x00;
915 //ToSendMax += 2;
916}
917
918//-----------------------------------------------------------------------------
919// Wait for commands from reader
920// Stop when button is pressed
921// Or return TRUE when command is captured
922//-----------------------------------------------------------------------------
f7e3ed82 923static int GetIso14443aCommandFromReader(uint8_t *received, int *len, int maxLen)
15c4dc5a 924{
925 // Set FPGA mode to "simulated ISO 14443 tag", no modulation (listen
926 // only, since we are receiving, not transmitting).
927 // Signal field is off with the appropriate LED
928 LED_D_OFF();
929 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_LISTEN);
930
931 // Now run a `software UART' on the stream of incoming samples.
932 Uart.output = received;
933 Uart.byteCntMax = maxLen;
934 Uart.state = STATE_UNSYNCD;
935
936 for(;;) {
937 WDT_HIT();
938
939 if(BUTTON_PRESS()) return FALSE;
940
941 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
942 AT91C_BASE_SSC->SSC_THR = 0x00;
943 }
944 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 945 uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 946 if(MillerDecoding((b & 0xf0) >> 4)) {
947 *len = Uart.byteCnt;
948 return TRUE;
949 }
950 if(MillerDecoding(b & 0x0f)) {
951 *len = Uart.byteCnt;
952 return TRUE;
953 }
954 }
955 }
956}
957
958//-----------------------------------------------------------------------------
959// Main loop of simulated tag: receive commands from reader, decide what
960// response to send, and send it.
961//-----------------------------------------------------------------------------
962void SimulateIso14443aTag(int tagType, int TagUid)
963{
964 // This function contains the tag emulation
965
966 // Prepare protocol messages
f7e3ed82 967 // static const uint8_t cmd1[] = { 0x26 };
968// static const uint8_t response1[] = { 0x02, 0x00 }; // Says: I am Mifare 4k - original line - greg
15c4dc5a 969//
f7e3ed82 970 static const uint8_t response1[] = { 0x44, 0x03 }; // Says: I am a DESFire Tag, ph33r me
971// static const uint8_t response1[] = { 0x44, 0x00 }; // Says: I am a ULTRALITE Tag, 0wn me
15c4dc5a 972
973 // UID response
f7e3ed82 974 // static const uint8_t cmd2[] = { 0x93, 0x20 };
975 //static const uint8_t response2[] = { 0x9a, 0xe5, 0xe4, 0x43, 0xd8 }; // original value - greg
15c4dc5a 976
977
978
979// my desfire
f7e3ed82 980 static const uint8_t response2[] = { 0x88, 0x04, 0x21, 0x3f, 0x4d }; // known uid - note cascade (0x88), 2nd byte (0x04) = NXP/Phillips
15c4dc5a 981
982
983// When reader selects us during cascade1 it will send cmd3
f7e3ed82 984//uint8_t response3[] = { 0x04, 0x00, 0x00 }; // SAK Select (cascade1) successful response (ULTRALITE)
985uint8_t response3[] = { 0x24, 0x00, 0x00 }; // SAK Select (cascade1) successful response (DESFire)
15c4dc5a 986ComputeCrc14443(CRC_14443_A, response3, 1, &response3[1], &response3[2]);
987
988// send cascade2 2nd half of UID
f7e3ed82 989static const uint8_t response2a[] = { 0x51, 0x48, 0x1d, 0x80, 0x84 }; // uid - cascade2 - 2nd half (4 bytes) of UID+ BCCheck
15c4dc5a 990// NOTE : THE CRC on the above may be wrong as I have obfuscated the actual UID
991
992
993// When reader selects us during cascade2 it will send cmd3a
f7e3ed82 994//uint8_t response3a[] = { 0x00, 0x00, 0x00 }; // SAK Select (cascade2) successful response (ULTRALITE)
995uint8_t response3a[] = { 0x20, 0x00, 0x00 }; // SAK Select (cascade2) successful response (DESFire)
15c4dc5a 996ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
997
f7e3ed82 998 static const uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
15c4dc5a 999
f7e3ed82 1000 uint8_t *resp;
15c4dc5a 1001 int respLen;
1002
1003 // Longest possible response will be 16 bytes + 2 CRC = 18 bytes
1004 // This will need
1005 // 144 data bits (18 * 8)
1006 // 18 parity bits
1007 // 2 Start and stop
1008 // 1 Correction bit (Answer in 1172 or 1236 periods, see FPGA)
1009 // 1 just for the case
1010 // ----------- +
1011 // 166
1012 //
1013 // 166 bytes, since every bit that needs to be send costs us a byte
1014 //
1015
1016
1017 // Respond with card type
f7e3ed82 1018 uint8_t *resp1 = (((uint8_t *)BigBuf) + 800);
15c4dc5a 1019 int resp1Len;
1020
1021 // Anticollision cascade1 - respond with uid
f7e3ed82 1022 uint8_t *resp2 = (((uint8_t *)BigBuf) + 970);
15c4dc5a 1023 int resp2Len;
1024
1025 // Anticollision cascade2 - respond with 2nd half of uid if asked
1026 // we're only going to be asked if we set the 1st byte of the UID (during cascade1) to 0x88
f7e3ed82 1027 uint8_t *resp2a = (((uint8_t *)BigBuf) + 1140);
15c4dc5a 1028 int resp2aLen;
1029
1030 // Acknowledge select - cascade 1
f7e3ed82 1031 uint8_t *resp3 = (((uint8_t *)BigBuf) + 1310);
15c4dc5a 1032 int resp3Len;
1033
1034 // Acknowledge select - cascade 2
f7e3ed82 1035 uint8_t *resp3a = (((uint8_t *)BigBuf) + 1480);
15c4dc5a 1036 int resp3aLen;
1037
1038 // Response to a read request - not implemented atm
f7e3ed82 1039 uint8_t *resp4 = (((uint8_t *)BigBuf) + 1550);
15c4dc5a 1040 int resp4Len;
1041
1042 // Authenticate response - nonce
f7e3ed82 1043 uint8_t *resp5 = (((uint8_t *)BigBuf) + 1720);
15c4dc5a 1044 int resp5Len;
1045
f7e3ed82 1046 uint8_t *receivedCmd = (uint8_t *)BigBuf;
15c4dc5a 1047 int len;
1048
1049 int i;
1050 int u;
f7e3ed82 1051 uint8_t b;
15c4dc5a 1052
1053 // To control where we are in the protocol
1054 int order = 0;
1055 int lastorder;
1056
1057 // Just to allow some checks
1058 int happened = 0;
1059 int happened2 = 0;
1060
1061 int cmdsRecvd = 0;
1062
f7e3ed82 1063 int fdt_indicator;
15c4dc5a 1064
1065 memset(receivedCmd, 0x44, 400);
1066
1067 // Prepare the responses of the anticollision phase
1068 // there will be not enough time to do this at the moment the reader sends it REQA
1069
1070 // Answer to request
1071 CodeIso14443aAsTag(response1, sizeof(response1));
1072 memcpy(resp1, ToSend, ToSendMax); resp1Len = ToSendMax;
1073
1074 // Send our UID (cascade 1)
1075 CodeIso14443aAsTag(response2, sizeof(response2));
1076 memcpy(resp2, ToSend, ToSendMax); resp2Len = ToSendMax;
1077
1078 // Answer to select (cascade1)
1079 CodeIso14443aAsTag(response3, sizeof(response3));
1080 memcpy(resp3, ToSend, ToSendMax); resp3Len = ToSendMax;
1081
1082 // Send the cascade 2 2nd part of the uid
1083 CodeIso14443aAsTag(response2a, sizeof(response2a));
1084 memcpy(resp2a, ToSend, ToSendMax); resp2aLen = ToSendMax;
1085
1086 // Answer to select (cascade 2)
1087 CodeIso14443aAsTag(response3a, sizeof(response3a));
1088 memcpy(resp3a, ToSend, ToSendMax); resp3aLen = ToSendMax;
1089
1090 // Strange answer is an example of rare message size (3 bits)
1091 CodeStrangeAnswer();
1092 memcpy(resp4, ToSend, ToSendMax); resp4Len = ToSendMax;
1093
1094 // Authentication answer (random nonce)
1095 CodeIso14443aAsTag(response5, sizeof(response5));
1096 memcpy(resp5, ToSend, ToSendMax); resp5Len = ToSendMax;
1097
1098 // We need to listen to the high-frequency, peak-detected path.
1099 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1100 FpgaSetupSsc();
1101
1102 cmdsRecvd = 0;
1103
1104 LED_A_ON();
1105 for(;;) {
1106
1107 if(!GetIso14443aCommandFromReader(receivedCmd, &len, 100)) {
1108 DbpString("button press");
1109 break;
1110 }
1111 // doob - added loads of debug strings so we can see what the reader is saying to us during the sim as hi14alist is not populated
1112 // Okay, look at the command now.
1113 lastorder = order;
1114 i = 1; // first byte transmitted
1115 if(receivedCmd[0] == 0x26) {
1116 // Received a REQUEST
1117 resp = resp1; respLen = resp1Len; order = 1;
1118 //DbpString("Hello request from reader:");
1119 } else if(receivedCmd[0] == 0x52) {
1120 // Received a WAKEUP
1121 resp = resp1; respLen = resp1Len; order = 6;
1122// //DbpString("Wakeup request from reader:");
1123
1124 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] == 0x93) { // greg - cascade 1 anti-collision
1125 // Received request for UID (cascade 1)
1126 resp = resp2; respLen = resp2Len; order = 2;
1127// DbpString("UID (cascade 1) request from reader:");
1128// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1129
1130
1131 } else if(receivedCmd[1] == 0x20 && receivedCmd[0] ==0x95) { // greg - cascade 2 anti-collision
1132 // Received request for UID (cascade 2)
1133 resp = resp2a; respLen = resp2aLen; order = 20;
1134// DbpString("UID (cascade 2) request from reader:");
1135// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1136
1137
1138 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x93) { // greg - cascade 1 select
1139 // Received a SELECT
1140 resp = resp3; respLen = resp3Len; order = 3;
1141// DbpString("Select (cascade 1) request from reader:");
1142// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1143
1144
1145 } else if(receivedCmd[1] == 0x70 && receivedCmd[0] ==0x95) { // greg - cascade 2 select
1146 // Received a SELECT
1147 resp = resp3a; respLen = resp3aLen; order = 30;
1148// DbpString("Select (cascade 2) request from reader:");
1149// DbpIntegers(receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1150
1151
1152 } else if(receivedCmd[0] == 0x30) {
1153 // Received a READ
1154 resp = resp4; respLen = resp4Len; order = 4; // Do nothing
1155 Dbprintf("Read request from reader: %x %x %x",
1156 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1157
1158
1159 } else if(receivedCmd[0] == 0x50) {
1160 // Received a HALT
1161 resp = resp1; respLen = 0; order = 5; // Do nothing
1162 DbpString("Reader requested we HALT!:");
1163
1164 } else if(receivedCmd[0] == 0x60) {
1165 // Received an authentication request
1166 resp = resp5; respLen = resp5Len; order = 7;
1167 Dbprintf("Authenticate request from reader: %x %x %x",
1168 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1169
1170 } else if(receivedCmd[0] == 0xE0) {
1171 // Received a RATS request
1172 resp = resp1; respLen = 0;order = 70;
1173 Dbprintf("RATS request from reader: %x %x %x",
1174 receivedCmd[0], receivedCmd[1], receivedCmd[2]);
1175 } else {
1176 // Never seen this command before
1177 Dbprintf("Unknown command received from reader: %x %x %x %x %x %x %x %x %x",
1178 receivedCmd[0], receivedCmd[1], receivedCmd[2],
1179 receivedCmd[3], receivedCmd[3], receivedCmd[4],
1180 receivedCmd[5], receivedCmd[6], receivedCmd[7]);
1181 // Do not respond
1182 resp = resp1; respLen = 0; order = 0;
1183 }
1184
1185 // Count number of wakeups received after a halt
1186 if(order == 6 && lastorder == 5) { happened++; }
1187
1188 // Count number of other messages after a halt
1189 if(order != 6 && lastorder == 5) { happened2++; }
1190
1191 // Look at last parity bit to determine timing of answer
1192 if((Uart.parityBits & 0x01) || receivedCmd[0] == 0x52) {
1193 // 1236, so correction bit needed
1194 i = 0;
1195 }
1196
1197 memset(receivedCmd, 0x44, 32);
1198
1199 if(cmdsRecvd > 999) {
1200 DbpString("1000 commands later...");
1201 break;
1202 }
1203 else {
1204 cmdsRecvd++;
1205 }
1206
1207 if(respLen <= 0) continue;
1208
1209 // Modulate Manchester
1210 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_TAGSIM_MOD);
1211 AT91C_BASE_SSC->SSC_THR = 0x00;
1212 FpgaSetupSsc();
1213
1214 // ### Transmit the response ###
1215 u = 0;
1216 b = 0x00;
1217 fdt_indicator = FALSE;
1218 for(;;) {
1219 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1220 volatile uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1221 (void)b;
1222 }
1223 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1224 if(i > respLen) {
1225 b = 0x00;
1226 u++;
1227 } else {
1228 b = resp[i];
1229 i++;
1230 }
1231 AT91C_BASE_SSC->SSC_THR = b;
1232
1233 if(u > 4) {
1234 break;
1235 }
1236 }
1237 if(BUTTON_PRESS()) {
1238 break;
1239 }
1240 }
1241
1242 }
1243
1244 Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
1245 LED_A_OFF();
1246}
1247
1248//-----------------------------------------------------------------------------
1249// Transmit the command (to the tag) that was placed in ToSend[].
1250//-----------------------------------------------------------------------------
f7e3ed82 1251static void TransmitFor14443a(const uint8_t *cmd, int len, int *samples, int *wait)
15c4dc5a 1252{
1253 int c;
e30c654b 1254
15c4dc5a 1255 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1256
15c4dc5a 1257 if (wait)
1258 if(*wait < 10)
1259 *wait = 10;
e30c654b 1260
15c4dc5a 1261 for(c = 0; c < *wait;) {
1262 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1263 AT91C_BASE_SSC->SSC_THR = 0x00; // For exact timing!
1264 c++;
1265 }
1266 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1267 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1268 (void)r;
1269 }
1270 WDT_HIT();
1271 }
e30c654b 1272
15c4dc5a 1273 c = 0;
1274 for(;;) {
1275 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1276 AT91C_BASE_SSC->SSC_THR = cmd[c];
1277 c++;
1278 if(c >= len) {
1279 break;
1280 }
1281 }
1282 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
f7e3ed82 1283 volatile uint32_t r = AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1284 (void)r;
1285 }
1286 WDT_HIT();
1287 }
1288 if (samples) *samples = (c + *wait) << 3;
1289}
1290
1291//-----------------------------------------------------------------------------
1292// To generate an arbitrary stream from reader
1293//
1294//-----------------------------------------------------------------------------
f7e3ed82 1295void ArbitraryFromReader(const uint8_t *cmd, int parity, int len)
15c4dc5a 1296{
1297 int i;
1298 int j;
1299 int last;
f7e3ed82 1300 uint8_t b;
15c4dc5a 1301
1302 ToSendReset();
1303
1304 // Start of Communication (Seq. Z)
1305 Sequence(SEC_Z);
1306 last = 0;
1307
1308 for(i = 0; i < len; i++) {
1309 // Data bits
1310 b = cmd[i];
1311 for(j = 0; j < 8; j++) {
1312 if(b & 1) {
1313 // Sequence X
1314 Sequence(SEC_X);
1315 last = 1;
1316 } else {
1317 if(last == 0) {
1318 // Sequence Z
1319 Sequence(SEC_Z);
1320 }
1321 else {
1322 // Sequence Y
1323 Sequence(SEC_Y);
1324 last = 0;
1325 }
1326 }
1327 b >>= 1;
1328
1329 }
1330
1331 // Predefined parity bit, the flipper flips when needed, because of flips in byte sent
1332 if(((parity >> (len - i - 1)) & 1)) {
1333 // Sequence X
1334 Sequence(SEC_X);
1335 last = 1;
1336 } else {
1337 if(last == 0) {
1338 // Sequence Z
1339 Sequence(SEC_Z);
1340 }
1341 else {
1342 // Sequence Y
1343 Sequence(SEC_Y);
1344 last = 0;
1345 }
1346 }
1347 }
1348
1349 // End of Communication
1350 if(last == 0) {
1351 // Sequence Z
1352 Sequence(SEC_Z);
1353 }
1354 else {
1355 // Sequence Y
1356 Sequence(SEC_Y);
1357 last = 0;
1358 }
1359 // Sequence Y
1360 Sequence(SEC_Y);
1361
1362 // Just to be sure!
1363 Sequence(SEC_Y);
1364 Sequence(SEC_Y);
1365 Sequence(SEC_Y);
1366
1367 // Convert from last character reference to length
1368 ToSendMax++;
1369}
1370
1371//-----------------------------------------------------------------------------
1372// Code a 7-bit command without parity bit
1373// This is especially for 0x26 and 0x52 (REQA and WUPA)
1374//-----------------------------------------------------------------------------
f7e3ed82 1375void ShortFrameFromReader(const uint8_t bt)
15c4dc5a 1376{
1377 int j;
1378 int last;
f7e3ed82 1379 uint8_t b;
15c4dc5a 1380
1381 ToSendReset();
1382
1383 // Start of Communication (Seq. Z)
1384 Sequence(SEC_Z);
1385 last = 0;
1386
1387 b = bt;
1388 for(j = 0; j < 7; j++) {
1389 if(b & 1) {
1390 // Sequence X
1391 Sequence(SEC_X);
1392 last = 1;
1393 } else {
1394 if(last == 0) {
1395 // Sequence Z
1396 Sequence(SEC_Z);
1397 }
1398 else {
1399 // Sequence Y
1400 Sequence(SEC_Y);
1401 last = 0;
1402 }
1403 }
1404 b >>= 1;
1405 }
1406
1407 // End of Communication
1408 if(last == 0) {
1409 // Sequence Z
1410 Sequence(SEC_Z);
1411 }
1412 else {
1413 // Sequence Y
1414 Sequence(SEC_Y);
1415 last = 0;
1416 }
1417 // Sequence Y
1418 Sequence(SEC_Y);
1419
1420 // Just to be sure!
1421 Sequence(SEC_Y);
1422 Sequence(SEC_Y);
1423 Sequence(SEC_Y);
1424
1425 // Convert from last character reference to length
1426 ToSendMax++;
1427}
1428
1429//-----------------------------------------------------------------------------
1430// Prepare reader command to send to FPGA
e30c654b 1431//
15c4dc5a 1432//-----------------------------------------------------------------------------
f7e3ed82 1433void CodeIso14443aAsReaderPar(const uint8_t * cmd, int len, uint32_t dwParity)
15c4dc5a 1434{
1435 int i, j;
1436 int last;
f7e3ed82 1437 uint8_t b;
e30c654b 1438
15c4dc5a 1439 ToSendReset();
e30c654b 1440
15c4dc5a 1441 // Start of Communication (Seq. Z)
1442 Sequence(SEC_Z);
1443 last = 0;
e30c654b 1444
15c4dc5a 1445 // Generate send structure for the data bits
1446 for (i = 0; i < len; i++) {
1447 // Get the current byte to send
1448 b = cmd[i];
e30c654b 1449
15c4dc5a 1450 for (j = 0; j < 8; j++) {
1451 if (b & 1) {
1452 // Sequence X
1453 Sequence(SEC_X);
1454 last = 1;
1455 } else {
1456 if (last == 0) {
1457 // Sequence Z
1458 Sequence(SEC_Z);
1459 } else {
1460 // Sequence Y
1461 Sequence(SEC_Y);
1462 last = 0;
1463 }
1464 }
1465 b >>= 1;
1466 }
e30c654b 1467
15c4dc5a 1468 // Get the parity bit
1469 if ((dwParity >> i) & 0x01) {
1470 // Sequence X
1471 Sequence(SEC_X);
1472 last = 1;
1473 } else {
1474 if (last == 0) {
1475 // Sequence Z
1476 Sequence(SEC_Z);
1477 } else {
1478 // Sequence Y
1479 Sequence(SEC_Y);
1480 last = 0;
1481 }
1482 }
1483 }
e30c654b 1484
15c4dc5a 1485 // End of Communication
1486 if (last == 0) {
1487 // Sequence Z
1488 Sequence(SEC_Z);
1489 } else {
1490 // Sequence Y
1491 Sequence(SEC_Y);
1492 last = 0;
1493 }
1494 // Sequence Y
1495 Sequence(SEC_Y);
e30c654b 1496
15c4dc5a 1497 // Just to be sure!
1498 Sequence(SEC_Y);
1499 Sequence(SEC_Y);
1500 Sequence(SEC_Y);
e30c654b 1501
15c4dc5a 1502 // Convert from last character reference to length
1503 ToSendMax++;
1504}
1505
1506//-----------------------------------------------------------------------------
1507// Wait a certain time for tag response
1508// If a response is captured return TRUE
1509// If it takes to long return FALSE
1510//-----------------------------------------------------------------------------
f7e3ed82 1511static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, int maxLen, int *samples, int *elapsed) //uint8_t *buffer
15c4dc5a 1512{
1513 // buffer needs to be 512 bytes
1514 int c;
1515
1516 // Set FPGA mode to "reader listen mode", no modulation (listen
1517 // only, since we are receiving, not transmitting).
1518 // Signal field is on with the appropriate LED
1519 LED_D_ON();
1520 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_LISTEN);
1521
1522 // Now get the answer from the card
1523 Demod.output = receivedResponse;
1524 Demod.len = 0;
1525 Demod.state = DEMOD_UNSYNCD;
1526
f7e3ed82 1527 uint8_t b;
15c4dc5a 1528 if (elapsed) *elapsed = 0;
1529
1530 c = 0;
1531 for(;;) {
1532 WDT_HIT();
1533
1534 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
1535 AT91C_BASE_SSC->SSC_THR = 0x00; // To make use of exact timing of next command from reader!!
1536 if (elapsed) (*elapsed)++;
1537 }
1538 if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
1539 if(c < 512) { c++; } else { return FALSE; }
f7e3ed82 1540 b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
15c4dc5a 1541 if(ManchesterDecoding((b & 0xf0) >> 4)) {
1542 *samples = ((c - 1) << 3) + 4;
1543 return TRUE;
1544 }
1545 if(ManchesterDecoding(b & 0x0f)) {
1546 *samples = c << 3;
1547 return TRUE;
1548 }
1549 }
1550 }
1551}
1552
f7e3ed82 1553void ReaderTransmitShort(const uint8_t* bt)
15c4dc5a 1554{
1555 int wait = 0;
1556 int samples = 0;
1557
1558 ShortFrameFromReader(*bt);
e30c654b 1559
15c4dc5a 1560 // Select the card
e30c654b 1561 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1562
15c4dc5a 1563 // Store reader command in buffer
1564 if (tracing) LogTrace(bt,1,0,GetParity(bt,1),TRUE);
1565}
1566
f7e3ed82 1567void ReaderTransmitPar(uint8_t* frame, int len, uint32_t par)
15c4dc5a 1568{
1569 int wait = 0;
1570 int samples = 0;
e30c654b 1571
15c4dc5a 1572 // This is tied to other size changes
f7e3ed82 1573 // uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
15c4dc5a 1574 CodeIso14443aAsReaderPar(frame,len,par);
e30c654b 1575
15c4dc5a 1576 // Select the card
e30c654b 1577 TransmitFor14443a(ToSend, ToSendMax, &samples, &wait);
1578
15c4dc5a 1579 // Store reader command in buffer
1580 if (tracing) LogTrace(frame,len,0,par,TRUE);
1581}
1582
1583
f7e3ed82 1584void ReaderTransmit(uint8_t* frame, int len)
15c4dc5a 1585{
1586 // Generate parity and redirect
1587 ReaderTransmitPar(frame,len,GetParity(frame,len));
1588}
1589
f7e3ed82 1590int ReaderReceive(uint8_t* receivedAnswer)
15c4dc5a 1591{
1592 int samples = 0;
1593 if (!GetIso14443aAnswerFromTag(receivedAnswer,100,&samples,0)) return FALSE;
1594 if (tracing) LogTrace(receivedAnswer,Demod.len,samples,Demod.parityBits,FALSE);
1595 return TRUE;
1596}
1597
1598//-----------------------------------------------------------------------------
1599// Read an ISO 14443a tag. Send out commands and store answers.
1600//
1601//-----------------------------------------------------------------------------
f7e3ed82 1602void ReaderIso14443a(uint32_t parameter)
15c4dc5a 1603{
1604 // Anticollision
f7e3ed82 1605 uint8_t wupa[] = { 0x52 };
1606 uint8_t sel_all[] = { 0x93,0x20 };
1607 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
1608 uint8_t sel_all_c2[] = { 0x95,0x20 };
1609 uint8_t sel_uid_c2[] = { 0x95,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
15c4dc5a 1610
1611 // Mifare AUTH
f7e3ed82 1612 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1613// uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00 };
e30c654b 1614
f7e3ed82 1615 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1616 traceLen = 0;
1617
1618 // Setup SSC
1619 FpgaSetupSsc();
1620
1621 // Start from off (no field generated)
1622 // Signal field is off with the appropriate LED
1623 LED_D_OFF();
1624 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1625 SpinDelay(200);
1626
1627 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1628 FpgaSetupSsc();
1629
1630 // Now give it time to spin up.
1631 // Signal field is on with the appropriate LED
1632 LED_D_ON();
1633 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1634 SpinDelay(200);
1635
1636 LED_A_ON();
1637 LED_B_OFF();
1638 LED_C_OFF();
1639
1640 while(traceLen < TRACE_LENGTH)
1641 {
1642 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1643 ReaderTransmitShort(wupa);
e30c654b 1644
15c4dc5a 1645 // Test if the action was cancelled
1646 if(BUTTON_PRESS()) {
1647 break;
1648 }
e30c654b 1649
15c4dc5a 1650 // Receive the ATQA
1651 if (!ReaderReceive(receivedAnswer)) continue;
1652
1653 // Transmit SELECT_ALL
1654 ReaderTransmit(sel_all,sizeof(sel_all));
1655
1656 // Receive the UID
1657 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1658
15c4dc5a 1659 // Construct SELECT UID command
1660 // First copy the 5 bytes (Mifare Classic) after the 93 70
1661 memcpy(sel_uid+2,receivedAnswer,5);
1662 // Secondly compute the two CRC bytes at the end
1663 AppendCrc14443a(sel_uid,7);
1664
1665 // Transmit SELECT_UID
1666 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1667
15c4dc5a 1668 // Receive the SAK
1669 if (!ReaderReceive(receivedAnswer)) continue;
1670
1671 // OK we have selected at least at cascade 1, lets see if first byte of UID was 0x88 in
1672 // which case we need to make a cascade 2 request and select - this is a long UID
e30c654b 1673 // When the UID is not complete, the 3nd bit (from the right) is set in the SAK.
15c4dc5a 1674 if (receivedAnswer[0] &= 0x04)
1675 {
1676 // Transmit SELECT_ALL
1677 ReaderTransmit(sel_all_c2,sizeof(sel_all_c2));
e30c654b 1678
15c4dc5a 1679 // Receive the UID
1680 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1681
15c4dc5a 1682 // Construct SELECT UID command
1683 memcpy(sel_uid_c2+2,receivedAnswer,5);
1684 // Secondly compute the two CRC bytes at the end
1685 AppendCrc14443a(sel_uid_c2,7);
e30c654b 1686
15c4dc5a 1687 // Transmit SELECT_UID
1688 ReaderTransmit(sel_uid_c2,sizeof(sel_uid_c2));
e30c654b 1689
15c4dc5a 1690 // Receive the SAK
1691 if (!ReaderReceive(receivedAnswer)) continue;
1692 }
1693
1694 // Transmit MIFARE_CLASSIC_AUTH
1695 ReaderTransmit(mf_auth,sizeof(mf_auth));
1696
1697 // Receive the (16 bit) "random" nonce
1698 if (!ReaderReceive(receivedAnswer)) continue;
1699 }
1700
1701 // Thats it...
1702 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1703 LEDsoff();
1704 Dbprintf("%x %x %x", rsamples, 0xCC, 0xCC);
1705 DbpString("ready..");
1706}
1707
1708//-----------------------------------------------------------------------------
1709// Read an ISO 14443a tag. Send out commands and store answers.
1710//
1711//-----------------------------------------------------------------------------
f7e3ed82 1712void ReaderMifare(uint32_t parameter)
15c4dc5a 1713{
e30c654b 1714
15c4dc5a 1715 // Anticollision
f7e3ed82 1716 uint8_t wupa[] = { 0x52 };
1717 uint8_t sel_all[] = { 0x93,0x20 };
1718 uint8_t sel_uid[] = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1719
15c4dc5a 1720 // Mifare AUTH
f7e3ed82 1721 uint8_t mf_auth[] = { 0x60,0x00,0xf5,0x7b };
1722 uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
e30c654b 1723
f7e3ed82 1724 uint8_t* receivedAnswer = (((uint8_t *)BigBuf) + 3560); // was 3560 - tied to other size changes
15c4dc5a 1725 traceLen = 0;
1726 tracing = false;
e30c654b 1727
15c4dc5a 1728 // Setup SSC
1729 FpgaSetupSsc();
e30c654b 1730
15c4dc5a 1731 // Start from off (no field generated)
1732 // Signal field is off with the appropriate LED
1733 LED_D_OFF();
1734 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1735 SpinDelay(200);
e30c654b 1736
15c4dc5a 1737 SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
1738 FpgaSetupSsc();
e30c654b 1739
15c4dc5a 1740 // Now give it time to spin up.
1741 // Signal field is on with the appropriate LED
1742 LED_D_ON();
1743 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
1744 SpinDelay(200);
e30c654b 1745
15c4dc5a 1746 LED_A_ON();
1747 LED_B_OFF();
1748 LED_C_OFF();
e30c654b 1749
15c4dc5a 1750 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1751 ReaderTransmitShort(wupa);
1752 // Receive the ATQA
1753 ReaderReceive(receivedAnswer);
1754 // Transmit SELECT_ALL
1755 ReaderTransmit(sel_all,sizeof(sel_all));
1756 // Receive the UID
1757 ReaderReceive(receivedAnswer);
1758 // Construct SELECT UID command
1759 // First copy the 5 bytes (Mifare Classic) after the 93 70
1760 memcpy(sel_uid+2,receivedAnswer,5);
1761 // Secondly compute the two CRC bytes at the end
1762 AppendCrc14443a(sel_uid,7);
e30c654b 1763
15c4dc5a 1764 byte_t nt_diff = 0;
1765 LED_A_OFF();
1766 byte_t par = 0;
1767 byte_t par_mask = 0xff;
1768 byte_t par_low = 0;
f7e3ed82 1769 int led_on = TRUE;
e30c654b 1770
15c4dc5a 1771 tracing = FALSE;
1772 byte_t nt[4];
1773 byte_t nt_attacked[4];
1774 byte_t par_list[8];
1775 byte_t ks_list[8];
1776 num_to_bytes(parameter,4,nt_attacked);
1777
1778 while(TRUE)
1779 {
1780 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1781 SpinDelay(200);
1782 FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
e30c654b 1783
15c4dc5a 1784 // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
1785 ReaderTransmitShort(wupa);
e30c654b 1786
15c4dc5a 1787 // Test if the action was cancelled
1788 if(BUTTON_PRESS()) {
1789 break;
1790 }
e30c654b 1791
15c4dc5a 1792 // Receive the ATQA
1793 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1794
15c4dc5a 1795 // Transmit SELECT_ALL
1796 ReaderTransmit(sel_all,sizeof(sel_all));
e30c654b 1797
15c4dc5a 1798 // Receive the UID
1799 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1800
15c4dc5a 1801 // Transmit SELECT_UID
1802 ReaderTransmit(sel_uid,sizeof(sel_uid));
e30c654b 1803
15c4dc5a 1804 // Receive the SAK
1805 if (!ReaderReceive(receivedAnswer)) continue;
e30c654b 1806
15c4dc5a 1807 // Transmit MIFARE_CLASSIC_AUTH
1808 ReaderTransmit(mf_auth,sizeof(mf_auth));
e30c654b 1809
15c4dc5a 1810 // Receive the (16 bit) "random" nonce
1811 if (!ReaderReceive(receivedAnswer)) continue;
1812 memcpy(nt,receivedAnswer,4);
1813
1814 // Transmit reader nonce and reader answer
1815 ReaderTransmitPar(mf_nr_ar,sizeof(mf_nr_ar),par);
e30c654b 1816
15c4dc5a 1817 // Receive 4 bit answer
1818 if (ReaderReceive(receivedAnswer))
1819 {
e30c654b 1820 if (nt_diff == 0)
15c4dc5a 1821 {
1822 LED_A_ON();
1823 memcpy(nt_attacked,nt,4);
1824 par_mask = 0xf8;
1825 par_low = par & 0x07;
1826 }
1827
1828 if (memcmp(nt,nt_attacked,4) != 0) continue;
1829
1830 led_on = !led_on;
1831 if(led_on) LED_B_ON(); else LED_B_OFF();
1832 par_list[nt_diff] = par;
1833 ks_list[nt_diff] = receivedAnswer[0]^0x05;
e30c654b 1834
15c4dc5a 1835 // Test if the information is complete
1836 if (nt_diff == 0x07) break;
e30c654b 1837
15c4dc5a 1838 nt_diff = (nt_diff+1) & 0x07;
1839 mf_nr_ar[3] = nt_diff << 5;
1840 par = par_low;
1841 } else {
1842 if (nt_diff == 0)
1843 {
1844 par++;
1845 } else {
1846 par = (((par>>3)+1) << 3) | par_low;
1847 }
1848 }
1849 }
e30c654b 1850
15c4dc5a 1851 LogTraceInfo(sel_uid+2,4);
1852 LogTraceInfo(nt,4);
1853 LogTraceInfo(par_list,8);
1854 LogTraceInfo(ks_list,8);
e30c654b 1855
15c4dc5a 1856 // Thats it...
1857 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1858 LEDsoff();
1859 tracing = TRUE;
1860}
Impressum, Datenschutz