15c4dc5a 1//-----------------------------------------------------------------------------
15c4dc5a 2// Jonathan Westhues, Mar 2006
3// Edits by Gerhard de Koning Gans, Sep 2007 (##)
bd20f8f4 4//
5// This code is licensed to you under the terms of the GNU GPL, version 2 or,
6// at your option, any later version. See the LICENSE.txt file for the text of
7// the license.
8//-----------------------------------------------------------------------------
9// The main application code. This is the first thing called after start.c
10// executes.
15c4dc5a 11//-----------------------------------------------------------------------------
12
b8e461ff 13#include <stdarg.h>
14
902cb3c0 15#include "usb_cdc.h"
16#include "cmd.h"
e30c654b 17#include "proxmark3.h"
15c4dc5a 18#include "apps.h"
f7e3ed82 19#include "util.h"
9ab7a6c7 20#include "printf.h"
21#include "string.h"
15c4dc5a 22#include "legicrf.h"
b8e461ff 23#include "hitag2.h"
24#include "hitagS.h"
31abe49f 25#include "lfsampling.h"
3000dc4e 26#include "BigBuf.h"
c89274cc 27#include "mifareutil.h"
d10e08ae 28#include "pcf7931.h"
15c4dc5a 29#ifdef WITH_LCD
902cb3c0 30 #include "LCD.h"
15c4dc5a 31#endif
32
33// Craig Young - 14a stand-alone code
34#ifdef WITH_ISO14443a_StandAlone
35 #include "iso14443a.h"
36#endif
37
15c4dc5a 38//=============================================================================
39// A buffer where we can queue things up to be sent through the FPGA, for
40// any purpose (fake tag, as reader, whatever). We go MSB first, since that
41// is the order in which they go out on the wire.
42//=============================================================================
43
#define TOSEND_BUFFER_SIZE (9*MAX_FRAME_SIZE + 1 + 1 + 2) // 8 data bits and 1 parity bit per payload byte, 1 correction bit, 1 SOC bit, 2 EOC bits
// Bit queue filled MSB-first by ToSendStuffBit() and handed to the FPGA.
uint8_t ToSend[TOSEND_BUFFER_SIZE];
// Index of the last byte in use; -1 when the queue is empty (see ToSendReset()).
int ToSendMax;
// Next bit position (0..7) inside ToSend[ToSendMax]; 8 means "open a new byte".
static int ToSendBit;
// Placed in the .commonarea linker section; SendVersion() reads its arg1.
struct common_area common_area __attribute__((section(".commonarea")));
49
/*
 * Empty the ToSend queue: no byte is in use yet, so the next stuffed bit
 * opens a fresh byte at index 0.
 */
void ToSendReset(void)
{
	ToSendBit = 8;
	ToSendMax = -1;
}
55
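/*
 * Append one bit to the ToSend queue, MSB first within each byte.
 *
 * b: zero for a 0 bit, non-zero for a 1 bit.
 *
 * A new byte is opened (ToSendMax advanced and the byte cleared) whenever the
 * current one already holds 8 bits.  The queue is bounded: previously the
 * index was advanced and ToSend[ToSendMax] written before the bound was
 * compared against sizeof(ToSend), so one byte past the end of the array was
 * written before the overflow was noticed, and the comparison itself mixed a
 * signed index with size_t.  The bound is now checked before the write; bits
 * that do not fit are dropped and reported, and ToSendMax stays at the last
 * valid index.
 */
void ToSendStuffBit(int b)
{
	if(ToSendBit >= 8) {
		// ToSendMax is signed (-1 right after ToSendReset), so compare as int.
		if(ToSendMax + 1 >= (int)sizeof(ToSend)) {
			// Leave ToSendBit at 8: every further bit takes this path and is
			// dropped instead of being OR-ed into the last valid byte.
			DbpString("ToSendStuffBit overflowed!");
			return;
		}
		ToSendMax++;
		ToSend[ToSendMax] = 0;
		ToSendBit = 0;
	}

	if(b) {
		ToSend[ToSendMax] |= (1 << (7 - ToSendBit));
	}

	ToSendBit++;
}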
75
76//=============================================================================
77// Debug print functions, to go out over USB, to the usual PC-side client.
78//=============================================================================
79
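/*
 * Send a NUL-terminated string to the PC client as a CMD_DEBUG_PRINT_STRING
 * packet; the length goes out both as arg0 and as the payload length.
 *
 * The length used to be stored in a byte_t, so a string longer than 255
 * characters was sent with a wrapped length.  It is now kept in a 32-bit
 * value and clamped to USB_CMD_DATA_SIZE, the payload one USB command
 * carries (see SendVersion, which sizes its buffers the same way).
 */
void DbpString(char *str)
{
	uint32_t len = strlen(str);
	if (len > USB_CMD_DATA_SIZE) {
		len = USB_CMD_DATA_SIZE;
	}
	cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
}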
85
#if 0
/* Compiled out: sends three integers as a CMD_DEBUG_PRINT_INTEGERS packet. */
void DbpIntegers(int x1, int x2, int x3)
{
	cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
}
#endif
92
/*
 * printf-style front end for DbpString.  The message is formatted by the
 * firmware's kvsprintf into a fixed 128-byte stack buffer; no size argument
 * is passed to kvsprintf (the 10 is presumably the radix -- confirm against
 * printf.h), so callers keep messages short.
 */
void Dbprintf(const char *fmt, ...) {
	char buf[128];
	va_list args;

	va_start(args, fmt);
	kvsprintf(fmt, buf, 10, args);
	va_end(args);

	DbpString(buf);
}
104
// prints HEX & ASCII
/*
 * Dump len bytes starting at d, eight per line, as hex and (when bAsci is
 * set) as ASCII with non-printable bytes shown as '.'.  The hex formatting is
 * delegated to Dbprintf's "%*D" conversion.
 */
void Dbhexdump(int len, uint8_t *d, bool bAsci) {
	char ascii[9];

	for (; len > 0; len -= 8, d += 8) {
		int chunk = (len > 8) ? 8 : len;

		memcpy(ascii, d, chunk);
		ascii[chunk] = 0;

		// filter safe ascii
		for (int i = 0; i < chunk; i++) {
			if (ascii[i] < 32 || ascii[i] > 126) {
				ascii[i] = '.';
			}
		}

		if (bAsci) {
			Dbprintf("%-8s %*D",ascii,chunk,d," ");
		} else {
			Dbprintf("%*D",chunk,d," ");
		}
	}
}
131
15c4dc5a 132//-----------------------------------------------------------------------------
133// Read an ADC channel and block till it completes, then return the result
134// in ADC units (0 to 1023). Also a routine to average 32 samples and
135// return that.
136//-----------------------------------------------------------------------------
/*
 * Take one sample from ADC channel ch: reset and reprogram the ADC, enable
 * the channel, start a conversion and busy-wait until it completes.
 * Returns the raw conversion result (0 to 1023).
 */
static int ReadAdc(int ch)
{
	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_SWRST;
	AT91C_BASE_ADC->ADC_MR =
		ADC_MODE_PRESCALE(63 /* was 32 */) |		// ADC_CLK = MCK / ((63+1) * 2) = 48MHz / 128 = 375kHz
		ADC_MODE_STARTUP_TIME(1 /* was 16 */) |		// Startup Time = (1+1) * 8 / ADC_CLK = 16 / 375kHz = 42,7us   Note: must be > 20us
		ADC_MODE_SAMPLE_HOLD_TIME(15 /* was 8 */);	// Sample & Hold Time SHTIM = 15 / ADC_CLK = 15 / 375kHz = 40us

	// Note: ADC_MODE_PRESCALE and ADC_MODE_SAMPLE_HOLD_TIME are set to the maximum allowed value.
	// Both AMPL_LO and AMPL_HI are very high impedance (10MOhm) outputs, the input capacitance of the ADC is 12pF (typical). This results in a time constant
	// of RC = 10MOhm * 12pF = 120us. Even after the maximum configurable sample&hold time of 40us the input capacitor will not be fully charged.
	//
	// The maths are:
	// If there is a voltage v_in at the input, the voltage v_cap at the capacitor (this is what we are measuring) will be
	//
	//       v_cap = v_in * (1 - exp(-RC/SHTIM))  =   v_in * (1 - exp(-3))  =  v_in * 0,95                   (i.e. an error of 5%)
	//
	// Note: with the "historic" values in the comments above, the error was 34%  !!!

	AT91C_BASE_ADC->ADC_CHER = ADC_CHANNEL(ch);

	AT91C_BASE_ADC->ADC_CR = AT91C_ADC_START;

	// Busy-wait for the end-of-conversion flag of this channel.
	while(!(AT91C_BASE_ADC->ADC_SR & ADC_END_OF_CONVERSION(ch))) {
		;
	}

	uint32_t sample = AT91C_BASE_ADC->ADC_CDR[ch];
	return sample;
}
168
/*
 * Average 32 consecutive ReadAdc() samples of channel ch.
 * The +15 before the shift keeps the division by 32 from always rounding down.
 */
int AvgAdc(int ch) // was static - merlok
{
	int sum = 0;

	for (int sample = 0; sample < 32; sample++) {
		sum += ReadAdc(ch);
	}

	return (sum + 15) >> 5;
}
180
/*
 * Sweep the LF antenna and fill in the tuning results.
 *
 * Sweeps the useful LF range of the proxmark from
 * 46.8kHz (divisor=255) to 600kHz (divisor=19) and
 * reads the voltage in the antenna; the graph left in
 * LF_Results[] (indexed by divisor, scaled to a byte)
 * should clearly show the resonating frequency of your
 * LF antenna (hopefully around 95 if it is tuned to 125kHz!).
 *
 * vLf125 / vLf134 receive the voltage at divisor 95 / 89 (in mV),
 * peakf the divisor with the highest reading and peakv that reading.
 * LF_Results must hold at least 256 entries; entries 0..18 are zeroed.
 */
void MeasureAntennaTuningLfOnly(int *vLf125, int *vLf134, int *peakf, int *peakv, uint8_t LF_Results[])
{
	int peak = 0;

	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_ADC | FPGA_LF_ADC_READER_FIELD);
	for (int divisor = 255; divisor >= 19; divisor--) {
		WDT_HIT();
		FpgaSendCommand(FPGA_CMD_SET_DIVISOR, divisor);
		SpinDelay(20);
		int adcval = ((MAX_ADC_LF_VOLTAGE * AvgAdc(ADC_CHAN_LF)) >> 10);
		if (divisor == 95) *vLf125 = adcval; // voltage at 125Khz
		if (divisor == 89) *vLf134 = adcval; // voltage at 134Khz

		LF_Results[divisor] = adcval >> 8; // scale int to fit in byte for graphing purposes
		// The peak is tracked on the scaled byte, so ties keep the first (higher) divisor.
		if (LF_Results[divisor] > peak) {
			*peakv = adcval;
			peak = LF_Results[divisor];
			*peakf = divisor;
		}
	}

	// Divisors below 19 are not swept; blank them in the graph.
	for (int divisor = 0; divisor < 19; divisor++) {
		LF_Results[divisor] = 0;
	}
}
217
/*
 * Measure the HF antenna voltage (in mV) while the FPGA drives the field,
 * storing it in *vHf.  LED A is lit for the duration of the measurement.
 */
void MeasureAntennaTuningHfOnly(int *vHf)
{
	// Let the FPGA drive the high-frequency antenna around 13.56 MHz.
	LED_A_ON();
	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
	SpinDelay(20);

	*vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;

	LED_A_OFF();
}
230
/*
 * Run the antenna tuning measurement(s) selected by mode (FLAG_TUNE_LF,
 * FLAG_TUNE_HF, or both as FLAG_TUNE_ALL) and report them to the client:
 * arg0 = LF mV at 125kHz | (134kHz << 16), arg1 = HF mV,
 * arg2 = LF peak divisor | (peak mV << 16), payload = the 256-entry LF graph.
 * LED B is on while measuring; the FPGA is switched off afterwards.
 */
void MeasureAntennaTuning(int mode)
{
	uint8_t LF_Results[256] = {0};
	int peakv = 0, peakf = 0;
	int vLf125 = 0, vLf134 = 0, vHf = 0; // in mV

	LED_B_ON();

	// With both bands requested and the HF bitstream already loaded, measure
	// HF first so the FPGA bitstream is swapped only once.
	bool hf_first = ((mode & FLAG_TUNE_ALL) == FLAG_TUNE_ALL)
	             && (FpgaGetCurrent() == FPGA_BITSTREAM_HF);

	if (hf_first) {
		MeasureAntennaTuningHfOnly(&vHf);
		MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
	} else {
		if (mode & FLAG_TUNE_LF) {
			MeasureAntennaTuningLfOnly(&vLf125, &vLf134, &peakf, &peakv, LF_Results);
		}
		if (mode & FLAG_TUNE_HF) {
			MeasureAntennaTuningHfOnly(&vHf);
		}
	}

	cmd_send(CMD_MEASURED_ANTENNA_TUNING, vLf125 | (vLf134<<16), vHf, peakf | (peakv<<16), LF_Results, 256);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	LED_B_OFF();
}
257
/*
 * Interactive HF tuning: drive the 13.56 MHz field and print the antenna
 * voltage (mV) every 20 ms until the button is pressed.
 */
void MeasureAntennaTuningHf(void)
{
	int vHf = 0; // in mV

	DbpString("Measuring HF antenna, press button to exit");

	// Let the FPGA drive the high-frequency antenna around 13.56 MHz.
	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);

	do {
		SpinDelay(20);
		vHf = (MAX_ADC_HF_VOLTAGE * AvgAdc(ADC_CHAN_HF)) >> 10;

		Dbprintf("%d mV",vHf);
	} while (!BUTTON_PRESS());

	DbpString("cancelled");

	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
}
280
281
/*
 * Debug helper: print the 8 bytes at address addr as one line of hex.
 * The address is used as given; nothing here checks that it is readable.
 */
void ReadMem(int addr)
{
	const uint8_t *p = (const uint8_t *)addr;

	Dbprintf("%x: %02x %02x %02x %02x %02x %02x %02x %02x",
		addr, p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
}
289
290/* osimage version information is linked in */
291extern struct version_information version_information;
292/* bootrom version information is pointed to from _bootphase1_version_pointer */
0fa01ec7 293extern char *_bootphase1_version_pointer, _flash_start, _flash_end, _bootrom_start, _bootrom_end, __data_src_start__;
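/*
 * Append src to dst (a NUL-terminated string in a buffer of dst_size bytes)
 * without writing past the end of the buffer.  Whatever does not fit is
 * dropped; the result stays NUL-terminated.
 */
static void AppendBounded(char *dst, uint32_t dst_size, const char *src)
{
	uint32_t used = strlen(dst);
	if (used + 1 < dst_size) {
		strncat(dst, src, dst_size - used - 1);
	}
}

/*
 * Collect the bootrom, OS and both FPGA version strings into one buffer and
 * send it to the client as a CMD_ACK: arg0 = chip ID (DBGU_CIDR), arg1 =
 * size of the flashed image (text+rodata measured from the linker symbols
 * plus common_area.arg1, presumably the compressed data size left there by
 * the bootrom -- confirm), payload = the version text.
 *
 * All appends now go through the same bounded helper; the "invalid" branch
 * previously used plain strcat while the other parts used strncat.
 */
void SendVersion(void)
{
	char temp[USB_CMD_DATA_SIZE]; /* Limited data payload in USB packets */
	char VersionString[USB_CMD_DATA_SIZE] = { '\0' };

	/* Try to find the bootrom version information. Expect to find a pointer at
	 * symbol _bootphase1_version_pointer, perform slight sanity checks on the
	 * pointer, then use it.
	 */
	char *bootrom_version = *(char**)&_bootphase1_version_pointer;
	if( bootrom_version < &_flash_start || bootrom_version >= &_flash_end ) {
		AppendBounded(VersionString, sizeof(VersionString), "bootrom version information appears invalid\n");
	} else {
		FormatVersionInformation(temp, sizeof(temp), "bootrom: ", bootrom_version);
		AppendBounded(VersionString, sizeof(VersionString), temp);
	}

	FormatVersionInformation(temp, sizeof(temp), "os: ", &version_information);
	AppendBounded(VersionString, sizeof(VersionString), temp);

	FpgaGatherVersion(FPGA_BITSTREAM_LF, temp, sizeof(temp));
	AppendBounded(VersionString, sizeof(VersionString), temp);
	FpgaGatherVersion(FPGA_BITSTREAM_HF, temp, sizeof(temp));
	AppendBounded(VersionString, sizeof(VersionString), temp);

	// Send Chip ID and used flash memory
	uint32_t text_and_rodata_section_size = (uint32_t)&__data_src_start__ - (uint32_t)&_flash_start;
	uint32_t compressed_data_section_size = common_area.arg1;
	cmd_send(CMD_ACK, *(AT91C_DBGU_CIDR), text_and_rodata_section_size + compressed_data_section_size, 0, VersionString, strlen(VersionString));
}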
324
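// measure the USB Speed by sending SpeedTestBufferSize bytes to client and measuring the elapsed time.
// Note: this mimics GetFromBigbuf(), i.e. we have the overhead of the UsbCommand structure included.
/*
 * Stream USB_CMD_DATA_SIZE-byte packets from BigBuf to the client for at
 * least USB_SPEED_TEST_MIN_TIME ms, then print the elapsed time, the byte
 * count and the resulting bytes/s.  LED B is on while sending.
 *
 * Elapsed time is computed as the unsigned difference of two tick values so
 * a GetTickCount() wrap during the test does not end the loop early; with a
 * do/while at least one packet is always sent, and after the minimum time
 * the difference is non-zero, so the final division cannot be by zero.
 */
void printUSBSpeed(void)
{
	Dbprintf("USB Speed:");
	Dbprintf(" Sending USB packets to client...");

	#define USB_SPEED_TEST_MIN_TIME 1500 // in milliseconds
	uint8_t *test_data = BigBuf_get_addr();
	uint32_t start_time = GetTickCount();
	uint32_t end_time = start_time;
	uint32_t bytes_transferred = 0;

	LED_B_ON();
	do {
		cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K, 0, USB_CMD_DATA_SIZE, 0, test_data, USB_CMD_DATA_SIZE);
		end_time = GetTickCount();
		bytes_transferred += USB_CMD_DATA_SIZE;
	} while (end_time - start_time < USB_SPEED_TEST_MIN_TIME);
	LED_B_OFF();

	uint32_t elapsed_ms = end_time - start_time;
	Dbprintf(" Time elapsed: %dms", elapsed_ms);
	Dbprintf(" Bytes transferred: %d", bytes_transferred);
	Dbprintf(" USB Transfer Speed PM3 -> Client = %d Bytes/s",
			1000 * bytes_transferred / elapsed_ms);
}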
353
/**
 * Prints runtime information about the PM3: BigBuf and FPGA state, the LF
 * sampling config, a USB throughput test and a few of this file's globals,
 * then acknowledges with a CMD_ACK (arg0 = 1).
**/
void SendStatus(void)
{
	// Sub-system reports, each printing its own lines.
	BigBuf_print_status();
	Fpga_print_status();
	printConfig(); //LF Sampling config
	printUSBSpeed();

	// Globals from this file.
	Dbprintf("Various");
	Dbprintf(" MF_DBGLEVEL......%d", MF_DBGLEVEL);
	Dbprintf(" ToSendMax........%d",ToSendMax);
	Dbprintf(" ToSendBit........%d",ToSendBit);

	cmd_send(CMD_ACK,1,0,0,0,0);
}
15c4dc5a 370
86a83668 371#if defined(WITH_ISO14443a_StandAlone) || defined(WITH_LF)
15c4dc5a 372
15c4dc5a 373#define OPTS 2
374
/*
 * Common entry for the stand-alone modes: announce over USB and blink
 * RED/ORANGE/GREEN a few times so the user sees the device has left the
 * normal command loop.
 */
void StandAloneMode()
{
	DbpString("Stand-alone mode! No PC necessary.");
	// Oooh pretty -- notify user we're in elite samy mode now
	const int blink[] = {
		LED_RED, LED_ORANGE, LED_GREEN, LED_ORANGE,
		LED_RED, LED_ORANGE, LED_GREEN, LED_ORANGE,
		LED_RED,
	};
	for (unsigned step = 0; step < sizeof(blink) / sizeof(blink[0]); step++) {
		LED(blink[step], 200);
	}
}
390
391#endif
392
393
394
395#ifdef WITH_ISO14443a_StandAlone
/*
 * ISO14443A stand-alone mode (no PC attached): a state machine driven by
 * the device button, with OPTS banks of stored tags.
 *
 *  record : select a tag in the field and store its UID, ATQA and SAK in
 *           bank `selected`; a UID equal to the other bank's is skipped.
 *  replay : simulate the stored tag; the emulation type is chosen from the
 *           stored SAK/ATQA.  A single click moves to record mode on the
 *           next bank, a hold moves to clone mode.
 *  clone  : write the stored 4-byte UID (uid_1st) into block 0 of a "magic"
 *           MIFARE Classic card with MifareCSetBlock and verify by reading
 *           the block back.
 *
 * Never returns; LEDs show the selected bank and the current state.
 */
void StandAloneMode14a()
{
	StandAloneMode();
	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);

	int selected = 0;
	// iGotoRecord / iGotoClone are one-shot requests set by the replay and
	// clone branches and consumed at the top of the next loop iteration.
	int playing = 0, iGotoRecord = 0, iGotoClone = 0;
	int cardRead[OPTS] = {0};
	uint8_t readUID[10] = {0};	// filled in the record branch but never read in this function
	uint32_t uid_1st[OPTS]={0};
	uint32_t uid_2nd[OPTS]={0};
	uint32_t uid_tmp1 = 0;
	uint32_t uid_tmp2 = 0;
	iso14a_card_select_t hi14a_card[OPTS];	// filled by iso14443a_select_card; atqa/sak read below

	LED(selected + 1, 0);

	for (;;)
	{
		usb_poll();
		WDT_HIT();
		SpinDelay(300);

		// ---- record -------------------------------------------------------
		if (iGotoRecord == 1 || cardRead[selected] == 0)
		{
			iGotoRecord = 0;
			LEDsoff();
			LED(selected + 1, 0);
			LED(LED_RED2, 0);

			// record
			Dbprintf("Enabling iso14443a reader mode for [Bank: %u]...", selected);
			/* need this delay to prevent catching some weird data */
			SpinDelay(500);
			/* Code for reading from 14a tag */
			uint8_t uid[10] ={0};
			uint32_t cuid;
			iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);

			for ( ; ; )
			{
				WDT_HIT();
				// A button press while waiting for a tag leaves the record
				// loop if some bank already holds a card; otherwise it is ignored.
				if (BUTTON_PRESS()) {
					if (cardRead[selected]) {
						Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
						break;
					}
					else if (cardRead[(selected+1)%OPTS]) {
						Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected+1)%OPTS);
						selected = (selected+1)%OPTS;
						break; // playing = 1;
					}
					else {
						Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
						SpinDelay(300);
					}
				}
				if (!iso14443a_select_card(uid, &hi14a_card[selected], &cuid, true, 0))
					continue;
				else
				{
					Dbprintf("Read UID:"); Dbhexdump(10,uid,0);
					memcpy(readUID,uid,10*sizeof(uint8_t));
					uint8_t *dst = (uint8_t *)&uid_tmp1;
					// Set UID byte order
					// Reversing into the little-endian word makes uid_tmp1 = uid[0..3]
					// and uid_tmp2 = uid[4..7] as big-endian values (assumes a
					// little-endian target, which the ARM build is).
					for (int i=0; i<4; i++)
						dst[i] = uid[3-i];
					dst = (uint8_t *)&uid_tmp2;
					for (int i=0; i<4; i++)
						dst[i] = uid[7-i];
					if (uid_1st[(selected+1)%OPTS] == uid_tmp1 && uid_2nd[(selected+1)%OPTS] == uid_tmp2) {
						Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
					}
					else {
						// A non-zero uid_tmp2 is taken to mean a 7-byte UID; it is then
						// re-split so uid_1st holds bytes 0..2 and uid_2nd bytes 3..6.
						if (uid_tmp2) {
							Dbprintf("Bank[%d] received a 7-byte UID",selected);
							uid_1st[selected] = (uid_tmp1)>>8;
							uid_2nd[selected] = (uid_tmp1<<24) + (uid_tmp2>>8);
						}
						else {
							Dbprintf("Bank[%d] received a 4-byte UID",selected);
							uid_1st[selected] = uid_tmp1;
							uid_2nd[selected] = uid_tmp2;
						}
						break;
					}
				}
			}
			Dbprintf("ATQA = %02X%02X",hi14a_card[selected].atqa[0],hi14a_card[selected].atqa[1]);
			Dbprintf("SAK = %02X",hi14a_card[selected].sak);
			LEDsoff();
			LED(LED_GREEN, 200);
			LED(LED_ORANGE, 200);
			LED(LED_GREEN, 200);
			LED(LED_ORANGE, 200);

			LEDsoff();
			LED(selected + 1, 0);

			// Next state is replay:
			playing = 1;

			cardRead[selected] = 1;
		}
		// ---- clone --------------------------------------------------------
		/* MF Classic UID clone */
		else if (iGotoClone==1)
		{
			iGotoClone=0;
			LEDsoff();
			LED(selected + 1, 0);
			LED(LED_ORANGE, 250);


			// record
			Dbprintf("Preparing to Clone card [Bank: %x]; uid: %08x", selected, uid_1st[selected]);

			// wait for button to be released
			while(BUTTON_PRESS())
			{
				// Delay cloning until card is in place
				WDT_HIT();
			}
			Dbprintf("Starting clone. [Bank: %u]", selected);
			// need this delay to prevent catching some weird data
			SpinDelay(500);
			// Begin clone function here:
			/* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
					UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
					memcpy(c.d.asBytes, data, 16);
					SendCommand(&c);

				Block read is similar:
					UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
				We need to imitate that call with blockNo 0 to set a uid.

				The get and set commands are handled in this file:
					// Work with "magic Chinese" card
					case CMD_MIFARE_CSETBLOCK:
							MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
							break;
					case CMD_MIFARE_CGETBLOCK:
							MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
							break;

				mfCSetUID provides example logic for UID set workflow:
					-Read block0 from card in field with MifareCGetBlock()
					-Configure new values without replacing reserved bytes
							memcpy(block0, uid, 4); // Copy UID bytes from byte array
							// Mifare UID BCC
							block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
							Bytes 5-7 are reserved SAK and ATQA for mifare classic
					-Use mfCSetBlock(0, block0, oldUID, wantWipe, CSETBLOCK_SINGLE_OPER) to write it
			*/
			uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0}, testBlock0[16] = {0};
			// arg0 = Flags == CSETBLOCK_SINGLE_OPER=0x1F, arg1=returnSlot, arg2=blockNo
			MifareCGetBlock(0x3F, 1, 0, oldBlock0);
			// An all-zero first four bytes is taken as "no readable magic card present".
			if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
				Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
				playing = 1;
			}
			else {
				Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0],oldBlock0[1],oldBlock0[2],oldBlock0[3]);
				memcpy(newBlock0,oldBlock0,16);
				// Copy uid_1st for bank (2nd is for longer UIDs not supported if classic)

				newBlock0[0] = uid_1st[selected]>>24;
				newBlock0[1] = 0xFF & (uid_1st[selected]>>16);
				newBlock0[2] = 0xFF & (uid_1st[selected]>>8);
				newBlock0[3] = 0xFF & (uid_1st[selected]);
				// BCC = XOR of the four UID bytes; bytes 5..15 keep the card's own values.
				newBlock0[4] = newBlock0[0]^newBlock0[1]^newBlock0[2]^newBlock0[3];
				// arg0 = needWipe, arg1 = workFlags, arg2 = blockNo, datain
				MifareCSetBlock(0, 0xFF,0, newBlock0);
				// Verify by reading block 0 back and comparing all 16 bytes.
				MifareCGetBlock(0x3F, 1, 0, testBlock0);
				if (memcmp(testBlock0,newBlock0,16)==0)
				{
					DbpString("Cloned successfull!");
					cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
					playing = 0;
					iGotoRecord = 1;
					selected = (selected+1) % OPTS;
				}
				else {
					Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
					playing = 1;
				}
			}
			LEDsoff();
			LED(selected + 1, 0);

		}
		// ---- replay -------------------------------------------------------
		// Change where to record (or begin playing)
		else if (playing==1) // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
		{
			LEDsoff();
			LED(selected + 1, 0);

			// Begin transmitting
			if (playing)
			{
				LED(LED_GREEN, 0);
				DbpString("Playing");
				for ( ; ; ) {
					WDT_HIT();
					int button_action = BUTTON_HELD(1000);
					if (button_action == 0) { // No button action, proceed with sim
						uint8_t data[512] = {0}; // in case there is a read command received we shouldn't break
						Dbprintf("Simulating ISO14443a tag with uid[0]: %08x, uid[1]: %08x [Bank: %u]", uid_1st[selected],uid_2nd[selected],selected);
						// Emulation type from the stored SAK/ATQA; anything else falls back to Classic.
						if (hi14a_card[selected].sak == 8 && hi14a_card[selected].atqa[0] == 4 && hi14a_card[selected].atqa[1] == 0) {
							DbpString("Mifare Classic");
							SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data); // Mifare Classic
						}
						else if (hi14a_card[selected].sak == 0 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 0) {
							DbpString("Mifare Ultralight");
							SimulateIso14443aTag(2,uid_1st[selected],uid_2nd[selected],data); // Mifare Ultralight
						}
						else if (hi14a_card[selected].sak == 20 && hi14a_card[selected].atqa[0] == 0x44 && hi14a_card[selected].atqa[1] == 3) {
							DbpString("Mifare DESFire");
							SimulateIso14443aTag(3,uid_1st[selected],uid_2nd[selected],data); // Mifare DESFire
						}
						else {
							Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
							SimulateIso14443aTag(1,uid_1st[selected], uid_2nd[selected], data);
						}
					}
					else if (button_action == BUTTON_SINGLE_CLICK) {
						selected = (selected + 1) % OPTS;
						Dbprintf("Done playing. Switching to record mode on bank %d",selected);
						iGotoRecord = 1;
						break;
					}
					else if (button_action == BUTTON_HOLD) {
						Dbprintf("Playtime over. Begin cloning...");
						iGotoClone = 1;
						break;
					}
					WDT_HIT();
				}

				/* We pressed a button so ignore it here with a delay */
				SpinDelay(300);
				LEDsoff();
				LED(selected + 1, 0);
			}
			else
				// Unreachable: this branch is only entered when playing==1.
				while(BUTTON_PRESS())
					WDT_HIT();
		}
	}
}
645#elif WITH_LF
// samy's sniff and repeat routine
/*
 * LF (HID) stand-alone mode, driven by the device button:
 *  - hold with no card in the bank : record a HID FSK tag into high/low[selected];
 *  - hold with a card in the bank  : clone it onto a T55x7 and clear the bank;
 *  - press                         : play the stored tag, then advance to the
 *                                    next of the OPTS banks.
 * Returns only when the button is held after playback ("Exiting").
 *
 * NOTE(review): the three branches depend on BUTTON_HELD()'s return
 * convention (hold vs. press); the last branch also accepts negative values.
 * Confirm against its definition.  high/low are not initialised, so a press
 * on a bank that was never recorded plays back whatever is on the stack.
 */
void SamyRun()
{
	StandAloneMode();
	FpgaDownloadAndGo(FPGA_BITSTREAM_LF);

	int high[OPTS], low[OPTS];
	int selected = 0;
	int playing = 0;
	int cardRead = 0;	// 0: bank `selected` empty (record next), 1: recorded (clone next)

	// Turn on selected LED
	LED(selected + 1, 0);

	for (;;)
	{
		usb_poll();
		WDT_HIT();

		// Was our button held down or pressed?
		int button_pressed = BUTTON_HELD(1000);
		SpinDelay(300);

		// Button was held for a second, begin recording
		if (button_pressed > 0 && cardRead == 0)
		{
			LEDsoff();
			LED(selected + 1, 0);
			LED(LED_RED2, 0);

			// record
			DbpString("Starting recording");

			// wait for button to be released
			while(BUTTON_PRESS())
				WDT_HIT();

			/* need this delay to prevent catching some weird data */
			SpinDelay(500);

			CmdHIDdemodFSK(1, &high[selected], &low[selected], 0);
			Dbprintf("Recorded %x %x%08x", selected, high[selected], low[selected]);

			LEDsoff();
			LED(selected + 1, 0);
			// Finished recording

			// If we were previously playing, set playing off
			// so next button push begins playing what we recorded
			playing = 0;

			cardRead = 1;

		}

		// Button was held with a recording present: clone it, then the bank
		// counts as empty again so the next hold records.
		else if (button_pressed > 0 && cardRead == 1)
		{
			LEDsoff();
			LED(selected + 1, 0);
			LED(LED_ORANGE, 0);

			// record
			Dbprintf("Cloning %x %x%08x", selected, high[selected], low[selected]);

			// wait for button to be released
			while(BUTTON_PRESS())
				WDT_HIT();

			/* need this delay to prevent catching some weird data */
			SpinDelay(500);

			CopyHIDtoT55x7(0, high[selected], low[selected], 0);
			Dbprintf("Cloned %x %x%08x", selected, high[selected], low[selected]);

			LEDsoff();
			LED(selected + 1, 0);
			// Finished recording

			// If we were previously playing, set playing off
			// so next button push begins playing what we recorded
			playing = 0;

			cardRead = 0;

		}

		// Change where to record (or begin playing)
		else if (button_pressed)
		{
			// Next option if we were previously playing
			if (playing)
				selected = (selected + 1) % OPTS;
			playing = !playing;

			LEDsoff();
			LED(selected + 1, 0);

			// Begin transmitting
			if (playing)
			{
				LED(LED_GREEN, 0);
				DbpString("Playing");
				// wait for button to be released
				while(BUTTON_PRESS())
					WDT_HIT();
				Dbprintf("%x %x%08x", selected, high[selected], low[selected]);
				CmdHIDsimTAG(high[selected], low[selected], 0);
				DbpString("Done playing");
				// A hold after playback is the only way out of this mode.
				if (BUTTON_HELD(1000) > 0)
				{
					DbpString("Exiting");
					LEDsoff();
					return;
				}

				/* We pressed a button so ignore it here with a delay */
				SpinDelay(300);

				// when done, we're done playing, move to next option
				selected = (selected + 1) % OPTS;
				playing = !playing;
				LEDsoff();
				LED(selected + 1, 0);
			}
			else
				while(BUTTON_PRESS())
					WDT_HIT();
		}
	}
}
15c4dc5a 776
e46fe044 777#endif
15c4dc5a 778/*
779OBJECTIVE
780Listen and detect an external reader. Determine the best location
781for the antenna.
782
783INSTRUCTIONS:
Inside the ListenReaderField() function, there are two modes.
785By default, when you call the function, you will enter mode 1.
786If you press the PM3 button one time, you will enter mode 2.
787If you press the PM3 button a second time, you will exit the function.
788
789DESCRIPTION OF MODE 1:
790This mode just listens for an external reader field and lights up green
791for HF and/or red for LF. This is the original mode of the detectreader
792function.
793
794DESCRIPTION OF MODE 2:
795This mode will visually represent, using the LEDs, the actual strength of the
796current compared to the maximum current detected. Basically, once you know
797what kind of external reader is present, it will help you spot the best location to place
798your antenna. You will probably not get some good results if there is a LF and a HF reader
799at the same place! :-)
800
801LIGHT SCHEME USED:
802*/
// One entry per strength level, weakest first; bit 0..3 of an entry select
// one LED each (see how ListenReaderField() maps them to LED_C/A/B/D).
static const char LIGHT_SCHEME[] = {
		0x0, /* ----  | No field detected */
		0x1, /* X---  | 14% of maximum current detected */
		0x2, /* -X--  | 29% of maximum current detected */
		0x4, /* --X-  | 43% of maximum current detected */
		0x8, /* ---X  | 57% of maximum current detected */
		0xC, /* --XX  | 71% of maximum current detected */
		0xE, /* -XXX  | 86% of maximum current detected */
		0xF, /* XXXX  | 100% of maximum current detected */
};
// Number of entries in LIGHT_SCHEME (8).
static const int LIGHT_LEN = sizeof(LIGHT_SCHEME)/sizeof(LIGHT_SCHEME[0]);
814
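// Light LEDs C/A/B/D from bits 0/1/2/3 of one LIGHT_SCHEME entry (the same
// bit-to-LED assignment the inline code used before).
static void ShowFieldLevel(int level)
{
	if (LIGHT_SCHEME[level] & 0x1) LED_C_ON(); else LED_C_OFF();
	if (LIGHT_SCHEME[level] & 0x2) LED_A_ON(); else LED_A_OFF();
	if (LIGHT_SCHEME[level] & 0x4) LED_B_ON(); else LED_B_OFF();
	if (LIGHT_SCHEME[level] & 0x8) LED_D_ON(); else LED_D_OFF();
}

/*
 * Listen for an external reader field (see the OBJECTIVE/INSTRUCTIONS block
 * above).  limit selects LF_ONLY, HF_ONLY or, for any other value, both.
 *
 * Mode 1 lights LED D (LF) / LED B (HF) while the reading differs from the
 * baseline taken at start by more than REPORT_CHANGE; every significant
 * change is also printed in mV.  Mode 2 shows the current reading relative
 * to the maximum seen so far on four LEDs via LIGHT_SCHEME.  A button press
 * switches mode 1 -> 2, a second press switches the LEDs off and returns.
 *
 * The mode-2 level used to be found by a bucket search over ranges of
 * (display_max/LIGHT_LEN)*i.  Because of integer truncation a reading above
 * (display_max/LIGHT_LEN)*LIGHT_LEN -- in particular the maximum itself
 * whenever display_max is not a multiple of LIGHT_LEN -- matched no bucket
 * and the LEDs were simply left unchanged.  The level is now
 * display_val/display_max scaled to 0..LIGHT_LEN-1, which is what the
 * percentages next to LIGHT_SCHEME describe.
 */
void ListenReaderField(int limit)
{
	int lf_av, lf_av_new, lf_baseline= 0, lf_max;
	int hf_av, hf_av_new, hf_baseline= 0, hf_max;
	int mode=1, display_val, display_max;

#define LF_ONLY 1
#define HF_ONLY 2
#define REPORT_CHANGE 10 // report new values only if they have changed at least by REPORT_CHANGE


	// switch off FPGA - we don't want to measure our own signal
	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);

	LEDsoff();

	lf_av = lf_max = AvgAdc(ADC_CHAN_LF);

	if(limit != HF_ONLY) {
		Dbprintf("LF 125/134kHz Baseline: %dmV", (MAX_ADC_LF_VOLTAGE * lf_av) >> 10);
		lf_baseline = lf_av;
	}

	hf_av = hf_max = AvgAdc(ADC_CHAN_HF);

	if (limit != LF_ONLY) {
		Dbprintf("HF 13.56MHz Baseline: %dmV", (MAX_ADC_HF_VOLTAGE * hf_av) >> 10);
		hf_baseline = hf_av;
	}

	for(;;) {
		if (BUTTON_PRESS()) {
			SpinDelay(500);
			switch (mode) {
				case 1:
					mode=2;
					DbpString("Signal Strength Mode");
					break;
				case 2:
				default:
					DbpString("Stopped");
					LEDsoff();
					return;
			}
		}
		WDT_HIT();

		if (limit != HF_ONLY) {
			if(mode == 1) {
				// LED D: LF field differs from the baseline
				if (ABS(lf_av - lf_baseline) > REPORT_CHANGE)
					LED_D_ON();
				else
					LED_D_OFF();
			}

			lf_av_new = AvgAdc(ADC_CHAN_LF);
			// see if there's a significant change
			if(ABS(lf_av - lf_av_new) > REPORT_CHANGE) {
				Dbprintf("LF 125/134kHz Field Change: %5dmV", (MAX_ADC_LF_VOLTAGE * lf_av_new) >> 10);
				lf_av = lf_av_new;
				if (lf_av > lf_max)
					lf_max = lf_av;
			}
		}

		if (limit != LF_ONLY) {
			if (mode == 1){
				// LED B: HF field differs from the baseline
				if (ABS(hf_av - hf_baseline) > REPORT_CHANGE)
					LED_B_ON();
				else
					LED_B_OFF();
			}

			hf_av_new = AvgAdc(ADC_CHAN_HF);
			// see if there's a significant change
			if(ABS(hf_av - hf_av_new) > REPORT_CHANGE) {
				Dbprintf("HF 13.56MHz Field Change: %5dmV", (MAX_ADC_HF_VOLTAGE * hf_av_new) >> 10);
				hf_av = hf_av_new;
				if (hf_av > hf_max)
					hf_max = hf_av;
			}
		}

		if(mode == 2) {
			if (limit == LF_ONLY) {
				display_val = lf_av;
				display_max = lf_max;
			} else if (limit == HF_ONLY) {
				display_val = hf_av;
				display_max = hf_max;
			} else { /* Show the band that rose the most above its baseline */
				if( (hf_max - hf_baseline) > (lf_max - lf_baseline) ) {
					display_val = hf_av;
					display_max = hf_max;
				} else {
					display_val = lf_av;
					display_max = lf_max;
				}
			}

			// Proportional level 0..LIGHT_LEN-1.  display_max is 0 only if the
			// ADC has never read anything, in which case show "no field".
			int level = 0;
			if (display_max > 0) {
				level = (display_val * (LIGHT_LEN - 1)) / display_max;
				if (level < 0) level = 0;
				if (level > LIGHT_LEN - 1) level = LIGHT_LEN - 1;
			}
			ShowFieldLevel(level);
		}
	}
}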
928
f7e3ed82 929void UsbPacketReceived(uint8_t *packet, int len)
15c4dc5a 930{
931 UsbCommand *c = (UsbCommand *)packet;
15c4dc5a 932
902cb3c0 933// Dbprintf("received %d bytes, with command: 0x%04x and args: %d %d %d",len,c->cmd,c->arg[0],c->arg[1],c->arg[2]);
934
15c4dc5a 935 switch(c->cmd) {
936#ifdef WITH_LF
937 case CMD_SET_LF_SAMPLING_CONFIG:
938 setSamplingConfig((sample_config *) c->d.asBytes);
939 break;
15c4dc5a 940 case CMD_ACQUIRE_RAW_ADC_SAMPLES_125K:
b9957414 941 cmd_send(CMD_ACK,SampleLF(c->arg[0], c->arg[1]),0,0,0,0);
15c4dc5a 942 break;
15c4dc5a 943 case CMD_MOD_THEN_ACQUIRE_RAW_ADC_SAMPLES_125K:
944 ModThenAcquireRawAdcSamples125k(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
945 break;
b014c96d 946 case CMD_LF_SNOOP_RAW_ADC_SAMPLES:
31abe49f 947 cmd_send(CMD_ACK,SnoopLF(),0,0,0,0);
b014c96d 948 break;
7e67e42f 949 case CMD_HID_DEMOD_FSK:
3fe4ff4f 950 CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
7e67e42f 951 break;
952 case CMD_HID_SIM_TAG:
3fe4ff4f 953 CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
7e67e42f 954 break;
abd6112f 955 case CMD_FSK_SIM_TAG:
956 CmdFSKsimTAG(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
957 break;
958 case CMD_ASK_SIM_TAG:
959 CmdASKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
960 break;
872e3d4d 961 case CMD_PSK_SIM_TAG:
962 CmdPSKsimTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
963 break;
964 case CMD_HID_CLONE_TAG:
1c611bbd 965 CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
7e67e42f 966 break;
a1f3bb12 967 case CMD_IO_DEMOD_FSK:
3fe4ff4f 968 CmdIOdemodFSK(c->arg[0], 0, 0, 1);
a1f3bb12 969 break;
3fe4ff4f 970 case CMD_IO_CLONE_TAG:
9f669cb2 971 CopyIOtoT55x7(c->arg[0], c->arg[1]);
a1f3bb12 972 break;
66707a3b 973 case CMD_EM410X_DEMOD:
974 CmdEM410xdemod(c->arg[0], 0, 0, 1);
975 break;
2d4eae76 976 case CMD_EM410X_WRITE_TAG:
977 WriteEM410x(c->arg[0], c->arg[1], c->arg[2]);
978 break;
7e67e42f 979 case CMD_READ_TI_TYPE:
980 ReadTItag();
981 break;
982 case CMD_WRITE_TI_TYPE:
983 WriteTItag(c->arg[0],c->arg[1],c->arg[2]);
984 break;
985 case CMD_SIMULATE_TAG_125K:
31d1caa5 986 LED_A_ON();
7e67e42f 987 SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
31d1caa5 988 LED_A_OFF();
7e67e42f 989 break;
990 case CMD_LF_SIMULATE_BIDIR:
991 SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
992 break;
3fe4ff4f 993 case CMD_INDALA_CLONE_TAG:
2414f978 994 CopyIndala64toT55x7(c->arg[0], c->arg[1]);
995 break;
3fe4ff4f 996 case CMD_INDALA_CLONE_TAG_L:
2414f978 997 CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
998 break;
1c611bbd 999 case CMD_T55XX_READ_BLOCK:
8e99ec25 1000 T55xxReadBlock(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1001 break;
1002 case CMD_T55XX_WRITE_BLOCK:
1003 T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
1004 break;
be2d41b7 1005 case CMD_T55XX_WAKEUP:
1006 T55xxWakeUp(c->arg[0]);
1c611bbd 1007 break;
66837a03 1008 case CMD_T55XX_RESET_READ:
1009 T55xxResetRead();
1010 break;
3fe4ff4f 1011 case CMD_PCF7931_READ:
1c611bbd 1012 ReadPCF7931();
1c611bbd 1013 break;
dc4300ba 1014 case CMD_PCF7931_WRITE:
d10e08ae 1015 WritePCF7931(c->d.asBytes[0],c->d.asBytes[1],c->d.asBytes[2],c->d.asBytes[3],c->d.asBytes[4],c->d.asBytes[5],c->d.asBytes[6], c->d.asBytes[9], c->d.asBytes[7]-128,c->d.asBytes[8]-128, c->arg[0], c->arg[1], c->arg[2]);
dc4300ba 1016 break;
1c611bbd 1017 case CMD_EM4X_READ_WORD:
7666f460 1018 EM4xReadWord(c->arg[0], c->arg[1],c->arg[2]);
1c611bbd 1019 break;
1020 case CMD_EM4X_WRITE_WORD:
7666f460 1021 EM4xWriteWord(c->arg[0], c->arg[1], c->arg[2]);
1c611bbd 1022 break;
dbf6e824
CY
1023 case CMD_AWID_DEMOD_FSK: // Set realtime AWID demodulation
1024 CmdAWIDdemodFSK(c->arg[0], 0, 0, 1);
7cfc777b 1025 break;
709665b5 1026 case CMD_VIKING_CLONE_TAG:
1027 CopyVikingtoT55xx(c->arg[0], c->arg[1], c->arg[2]);
1028 break;
e04475c4 1029 case CMD_COTAG:
1030 Cotag(c->arg[0]);
1031 break;
15c4dc5a 1032#endif
1033
d19929cb 1034#ifdef WITH_HITAG
1035 case CMD_SNOOP_HITAG: // Eavesdrop Hitag tag, args = type
1036 SnoopHitag(c->arg[0]);
1037 break;
1038 case CMD_SIMULATE_HITAG: // Simulate Hitag tag, args = memory content
1039 SimulateHitagTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1040 break;
1041 case CMD_READER_HITAG: // Reader for Hitag tags, args = type and function
1042 ReaderHitag((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1043 break;
4e12287d
RS
1044 case CMD_SIMULATE_HITAG_S:// Simulate Hitag s tag, args = memory content
1045 SimulateHitagSTag((bool)c->arg[0],(byte_t*)c->d.asBytes);
1046 break;
1047 case CMD_TEST_HITAGS_TRACES:// Tests every challenge within the given file
1048 check_challenges((bool)c->arg[0],(byte_t*)c->d.asBytes);
1049 break;
1050 case CMD_READ_HITAG_S://Reader for only Hitag S tags, args = key or challenge
1051 ReadHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes);
1052 break;
1053 case CMD_WR_HITAG_S://writer for Hitag tags args=data to write,page and key or challenge
1054 WritePageHitagS((hitag_function)c->arg[0],(hitag_data*)c->d.asBytes,c->arg[2]);
1055 break;
d19929cb 1056#endif
f168b263 1057
15c4dc5a 1058#ifdef WITH_ISO15693
1059 case CMD_ACQUIRE_RAW_ADC_SAMPLES_ISO_15693:
1060 AcquireRawAdcSamplesIso15693();
1061 break;
9455b51c 1062 case CMD_RECORD_RAW_ADC_SAMPLES_ISO_15693:
1063 RecordRawAdcSamplesIso15693();
1064 break;
1065
1066 case CMD_ISO_15693_COMMAND:
1067 DirectTag15693Command(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1068 break;
1069
1070 case CMD_ISO_15693_FIND_AFI:
1071 BruteforceIso15693Afi(c->arg[0]);
1072 break;
1073
1074 case CMD_ISO_15693_DEBUG:
1075 SetDebugIso15693(c->arg[0]);
1076 break;
15c4dc5a 1077
15c4dc5a 1078 case CMD_READER_ISO_15693:
1079 ReaderIso15693(c->arg[0]);
1080 break;
7e67e42f 1081 case CMD_SIMTAG_ISO_15693:
3fe4ff4f 1082 SimTagIso15693(c->arg[0], c->d.asBytes);
7e67e42f 1083 break;
15c4dc5a 1084#endif
1085
7e67e42f 1086#ifdef WITH_LEGICRF
1087 case CMD_SIMULATE_TAG_LEGIC_RF:
1088 LegicRfSimulate(c->arg[0], c->arg[1], c->arg[2]);
1089 break;
3612a8a8 1090
7e67e42f 1091 case CMD_WRITER_LEGIC_RF:
1092 LegicRfWriter(c->arg[1], c->arg[0]);
1093 break;
3612a8a8 1094
15c4dc5a 1095 case CMD_READER_LEGIC_RF:
1096 LegicRfReader(c->arg[0], c->arg[1]);
1097 break;
15c4dc5a 1098#endif
1099
1100#ifdef WITH_ISO14443b
15c4dc5a 1101 case CMD_READ_SRI512_TAG:
51d4f6f1 1102 ReadSTMemoryIso14443b(0x0F);
15c4dc5a 1103 break;
7e67e42f 1104 case CMD_READ_SRIX4K_TAG:
51d4f6f1 1105 ReadSTMemoryIso14443b(0x7F);
7e67e42f 1106 break;
132a0217 1107 case CMD_SNOOP_ISO_14443B:
51d4f6f1 1108 SnoopIso14443b();
7e67e42f 1109 break;
132a0217 1110 case CMD_SIMULATE_TAG_ISO_14443B:
51d4f6f1 1111 SimulateIso14443bTag();
7e67e42f 1112 break;
7cf3ef20 1113 case CMD_ISO_14443B_COMMAND:
1114 SendRawCommand14443B(c->arg[0],c->arg[1],c->arg[2],c->d.asBytes);
1115 break;
15c4dc5a 1116#endif
1117
1118#ifdef WITH_ISO14443a
7e67e42f 1119 case CMD_SNOOP_ISO_14443a:
5cd9ec01 1120 SnoopIso14443a(c->arg[0]);
7e67e42f 1121 break;
15c4dc5a 1122 case CMD_READER_ISO_14443a:
902cb3c0 1123 ReaderIso14443a(c);
15c4dc5a 1124 break;
7e67e42f 1125 case CMD_SIMULATE_TAG_ISO_14443a:
28afbd2b 1126 SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
7e67e42f 1127 break;
3fe4ff4f 1128
5acd09bd 1129 case CMD_EPA_PACE_COLLECT_NONCE:
902cb3c0 1130 EPA_PACE_Collect_Nonce(c);
5acd09bd 1131 break;
3bb07d96
FM
1132 case CMD_EPA_PACE_REPLAY:
1133 EPA_PACE_Replay(c);
1134 break;
7e67e42f 1135
15c4dc5a 1136 case CMD_READER_MIFARE:
f168b263 1137 ReaderMifare(c->arg[0]);
15c4dc5a 1138 break;
20f9a2a1
M
1139 case CMD_MIFARE_READBL:
1140 MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1141 break;
981bd429 1142 case CMD_MIFAREU_READBL:
f168b263 1143 MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
981bd429 1144 break;
8258f409 1145 case CMD_MIFAREUC_AUTH:
1146 MifareUC_Auth(c->arg[0],c->d.asBytes);
a631936e 1147 break;
981bd429 1148 case CMD_MIFAREU_READCARD:
75377d29 1149 MifareUReadCard(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
117d9ec2 1150 break;
f168b263 1151 case CMD_MIFAREUC_SETPWD:
1152 MifareUSetPwd(c->arg[0], c->d.asBytes);
1153 break;
20f9a2a1
M
1154 case CMD_MIFARE_READSC:
1155 MifareReadSector(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1156 break;
1157 case CMD_MIFARE_WRITEBL:
1158 MifareWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1159 break;
4973f23d 1160 //case CMD_MIFAREU_WRITEBL_COMPAT:
1161 //MifareUWriteBlockCompat(c->arg[0], c->d.asBytes);
1162 //break;
981bd429 1163 case CMD_MIFAREU_WRITEBL:
4973f23d 1164 MifareUWriteBlock(c->arg[0], c->arg[1], c->d.asBytes);
f168b263 1165 break;
c48c4d78 1166 case CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES:
1167 MifareAcquireEncryptedNonces(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1168 break;
20f9a2a1
M
1169 case CMD_MIFARE_NESTED:
1170 MifareNested(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
f397b5cc
M
1171 break;
1172 case CMD_MIFARE_CHKKEYS:
1173 MifareChkKeys(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
20f9a2a1
M
1174 break;
1175 case CMD_SIMULATE_MIFARE_CARD:
1176 Mifare1ksim(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1177 break;
8556b852
M
1178
1179 // emulator
1180 case CMD_MIFARE_SET_DBGMODE:
1181 MifareSetDbgLvl(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1182 break;
1183 case CMD_MIFARE_EML_MEMCLR:
1184 MifareEMemClr(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1185 break;
1186 case CMD_MIFARE_EML_MEMSET:
1187 MifareEMemSet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1188 break;
1189 case CMD_MIFARE_EML_MEMGET:
1190 MifareEMemGet(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1191 break;
1192 case CMD_MIFARE_EML_CARDLOAD:
1193 MifareECardLoad(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
0675f200
M
1194 break;
1195
1196 // Work with "magic Chinese" card
3fe4ff4f 1197 case CMD_MIFARE_CSETBLOCK:
0675f200 1198 MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
545a1f38 1199 break;
3fe4ff4f 1200 case CMD_MIFARE_CGETBLOCK:
545a1f38 1201 MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
8556b852 1202 break;
3fe4ff4f 1203 case CMD_MIFARE_CIDENT:
1204 MifareCIdent();
1205 break;
b62a5a84
M
1206
1207 // mifare sniffer
1208 case CMD_MIFARE_SNIFFER:
5cd9ec01 1209 SniffMifare(c->arg[0]);
b62a5a84 1210 break;
a631936e 1211
20f9a2a1
M
1212#endif
1213
7e67e42f 1214#ifdef WITH_ICLASS
cee5a30d 1215 // Makes use of ISO14443a FPGA Firmware
1216 case CMD_SNOOP_ICLASS:
1217 SnoopIClass();
1218 break;
1e262141 1219 case CMD_SIMULATE_TAG_ICLASS:
ff7bb4ef 1220 SimulateIClass(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
1e262141 1221 break;
1222 case CMD_READER_ICLASS:
1223 ReaderIClass(c->arg[0]);
1224 break;
c3963755 1225 case CMD_READER_ICLASS_REPLAY:
aa53efc3 1226 ReaderIClass_Replay(c->arg[0], c->d.asBytes);
c3963755 1227 break;
aa53efc3 1228 case CMD_ICLASS_EML_MEMSET:
e80aeb96
MHS
1229 emlSet(c->d.asBytes,c->arg[0], c->arg[1]);
1230 break;
aa53efc3 1231 case CMD_ICLASS_WRITEBLOCK:
3ac22ee1 1232 iClass_WriteBlock(c->arg[0], c->d.asBytes);
1233 break;
1234 case CMD_ICLASS_READCHECK: // auth step 1
1235 iClass_ReadCheck(c->arg[0], c->arg[1]);
aa53efc3 1236 break;
1237 case CMD_ICLASS_READBLOCK:
3ac22ee1 1238 iClass_ReadBlk(c->arg[0]);
aa53efc3 1239 break;
3ac22ee1 1240 case CMD_ICLASS_AUTHENTICATION: //check
aa53efc3 1241 iClass_Authentication(c->d.asBytes);
1242 break;
1243 case CMD_ICLASS_DUMP:
3ac22ee1 1244 iClass_Dump(c->arg[0], c->arg[1]);
aa53efc3 1245 break;
1246 case CMD_ICLASS_CLONE:
3ac22ee1 1247 iClass_Clone(c->arg[0], c->arg[1], c->d.asBytes);
aa53efc3 1248 break;
cee5a30d 1249#endif
0472d76d 1250#ifdef WITH_HFSNOOP
1251 case CMD_HF_SNIFFER:
1252 HfSnoop(c->arg[0], c->arg[1]);
1253 break;
1254#endif
cee5a30d 1255
7e67e42f 1256 case CMD_BUFF_CLEAR:
117d9ec2 1257 BigBuf_Clear();
15c4dc5a 1258 break;
15c4dc5a 1259
1260 case CMD_MEASURE_ANTENNA_TUNING:
fdcfbdcc 1261 MeasureAntennaTuning(c->arg[0]);
15c4dc5a 1262 break;
1263
1264 case CMD_MEASURE_ANTENNA_TUNING_HF:
1265 MeasureAntennaTuningHf();
1266 break;
1267
1268 case CMD_LISTEN_READER_FIELD:
1269 ListenReaderField(c->arg[0]);
1270 break;
1271
15c4dc5a 1272 case CMD_FPGA_MAJOR_MODE_OFF: // ## FPGA Control
1273 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
1274 SpinDelay(200);
1275 LED_D_OFF(); // LED D indicates field ON or OFF
1276 break;
1277
1c611bbd 1278 case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
902cb3c0 1279
1c611bbd 1280 LED_B_ON();
117d9ec2 1281 uint8_t *BigBuf = BigBuf_get_addr();
1c611bbd 1282 for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
1283 size_t len = MIN((c->arg[1] - i),USB_CMD_DATA_SIZE);
3000dc4e 1284 cmd_send(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K,i,len,BigBuf_get_traceLen(),BigBuf+c->arg[0]+i,len);
1c611bbd 1285 }
1286 // Trigger a finish downloading signal with an ACK frame
3000dc4e 1287 cmd_send(CMD_ACK,1,0,BigBuf_get_traceLen(),getSamplingConfig(),sizeof(sample_config));
d3b1f4e4 1288 LED_B_OFF();
1c611bbd 1289 break;
15c4dc5a 1290
1291 case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
117d9ec2 1292 uint8_t *b = BigBuf_get_addr();
3fe4ff4f 1293 memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
1c611bbd 1294 cmd_send(CMD_ACK,0,0,0,0,0);
1295 break;
1296 }
15c4dc5a 1297 case CMD_READ_MEM:
1298 ReadMem(c->arg[0]);
1299 break;
1300
1301 case CMD_SET_LF_DIVISOR:
7cc204bf 1302 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
15c4dc5a 1303 FpgaSendCommand(FPGA_CMD_SET_DIVISOR, c->arg[0]);
1304 break;
1305
1306 case CMD_SET_ADC_MUX:
1307 switch(c->arg[0]) {
1308 case 0: SetAdcMuxFor(GPIO_MUXSEL_LOPKD); break;
1309 case 1: SetAdcMuxFor(GPIO_MUXSEL_LORAW); break;
1310 case 2: SetAdcMuxFor(GPIO_MUXSEL_HIPKD); break;
1311 case 3: SetAdcMuxFor(GPIO_MUXSEL_HIRAW); break;
1312 }
1313 break;
1314
1315 case CMD_VERSION:
1316 SendVersion();
1317 break;
c89274cc 1318 case CMD_STATUS:
67b7d6fa 1319 SendStatus();
c89274cc
CY
1320 break;
1321 case CMD_PING:
1322 cmd_send(CMD_ACK,0,0,0,0,0);
1323 break;
15c4dc5a 1324#ifdef WITH_LCD
1325 case CMD_LCD_RESET:
1326 LCDReset();
1327 break;
1328 case CMD_LCD:
1329 LCDSend(c->arg[0]);
1330 break;
1331#endif
1332 case CMD_SETUP_WRITE:
1333 case CMD_FINISH_WRITE:
1c611bbd 1334 case CMD_HARDWARE_RESET:
1335 usb_disable();
15c4dc5a 1336 SpinDelay(1000);
1337 SpinDelay(1000);
1338 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1339 for(;;) {
1340 // We're going to reset, and the bootrom will take control.
1341 }
1c611bbd 1342 break;
15c4dc5a 1343
1c611bbd 1344 case CMD_START_FLASH:
15c4dc5a 1345 if(common_area.flags.bootrom_present) {
1346 common_area.command = COMMON_AREA_COMMAND_ENTER_FLASH_MODE;
1347 }
1c611bbd 1348 usb_disable();
15c4dc5a 1349 AT91C_BASE_RSTC->RSTC_RCR = RST_CONTROL_KEY | AT91C_RSTC_PROCRST;
1350 for(;;);
1c611bbd 1351 break;
e30c654b 1352
15c4dc5a 1353 case CMD_DEVICE_INFO: {
902cb3c0 1354 uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
1355 if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
1c611bbd 1356 cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
1357 break;
1358 }
1359 default:
15c4dc5a 1360 Dbprintf("%s: 0x%04x","unknown command:",c->cmd);
1c611bbd 1361 break;
15c4dc5a 1362 }
1363}
/*
 * Firmware entry point after start.c: bring up the board, then service USB
 * commands and the push button forever. Never returns.
 */
void __attribute__((noreturn)) AppMain(void)
{
	SpinDelay(100);
	clear_trace();
	// common_area is the block shared with the bootrom (see CMD_START_FLASH);
	// (re)initialise it unless it already carries our magic and layout version.
	if(common_area.magic != COMMON_AREA_MAGIC || common_area.version != 1) {
		/* Initialize common area */
		memset(&common_area, 0, sizeof(common_area));
		common_area.magic = COMMON_AREA_MAGIC;
		common_area.version = 1;
	}
	// Advertise that an OS image is running (reported back via CMD_DEVICE_INFO).
	common_area.flags.osimage_present = 1;

	LED_D_OFF();
	LED_C_OFF();
	LED_B_OFF();
	LED_A_OFF();

	// Init USB device
	usb_enable();

	// The FPGA gets its clock from us from PCK0 output, so set that up.
	AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
	AT91C_BASE_PIOA->PIO_PDR = GPIO_PCK0;
	AT91C_BASE_PMC->PMC_SCER = AT91C_PMC_PCK0;
	// PCK0 is PLL clock / 4 = 96Mhz / 4 = 24Mhz
	AT91C_BASE_PMC->PMC_PCKR[0] = AT91C_PMC_CSS_PLL_CLK |
		AT91C_PMC_PRES_CLK_4; // 4 for 24Mhz pck0, 2 for 48 MHZ pck0
	AT91C_BASE_PIOA->PIO_OER = GPIO_PCK0;

	// Reset SPI
	AT91C_BASE_SPI->SPI_CR = AT91C_SPI_SWRST;
	// Reset SSC
	AT91C_BASE_SSC->SSC_CR = AT91C_SSC_SWRST;

	// Load the FPGA image, which we have stored in our flash.
	// (the HF version by default)
	FpgaDownloadAndGo(FPGA_BITSTREAM_HF);

	StartTickCount();

#ifdef WITH_LCD
	LCDInit();
#endif

	// One full command frame; usb_read() reports how many bytes actually
	// arrived and that count is passed on so the handler can reject short frames.
	byte_t rx[sizeof(UsbCommand)];
	size_t rx_len;

	for(;;) {
		if (usb_poll()) {
			rx_len = usb_read(rx,sizeof(UsbCommand));
			if (rx_len) {
				UsbPacketReceived(rx,rx_len);
			}
		}
		WDT_HIT(); // watchdog kick, once per loop iteration

		// A button held for one second starts the stand-alone mode compiled
		// into this image. The two blocks below are mutually exclusive: the LF
		// SamyRun entry is compiled out when WITH_ISO14443a_StandAlone is set.
#ifdef WITH_LF
#ifndef WITH_ISO14443a_StandAlone
		if (BUTTON_HELD(1000) > 0)
			SamyRun();
#endif
#endif
#ifdef WITH_ISO14443a
#ifdef WITH_ISO14443a_StandAlone
		if (BUTTON_HELD(1000) > 0)
			StandAloneMode14a();
#endif
#endif
	}
}